passes tests now!

internal/secret/debug.go

@@ -18,11 +18,11 @@ var (
 )
 
 func init() {
-	initDebugLogging()
+	InitDebugLogging()
 }
 
-// initDebugLogging initializes the debug logging system based on GODEBUG environment variable
-func initDebugLogging() {
+// InitDebugLogging initializes the debug logging system based on current GODEBUG environment variable
+func InitDebugLogging() {
 	godebug := os.Getenv("GODEBUG")
 	debugEnabled = strings.Contains(godebug, "berlin.sneak.pkg.secret")
 

internal/secret/debug_test.go

@@ -21,7 +21,7 @@ func TestDebugLogging(t *testing.T) {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
 		// Re-initialize debug system with original setting
-		initDebugLogging()
+		InitDebugLogging()
 	}()
 
 	tests := []struct {
@@ -61,7 +61,7 @@ func TestDebugLogging(t *testing.T) {
 			}
 
 			// Re-initialize debug system
-			initDebugLogging()
+			InitDebugLogging()
 
 			// Test if debug is enabled
 			enabled := IsDebugEnabled()
@@ -112,10 +112,10 @@ func TestDebugFunctions(t *testing.T) {
 		} else {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
-		initDebugLogging()
+		InitDebugLogging()
 	}()
 
-	initDebugLogging()
+	InitDebugLogging()
 
 	if !IsDebugEnabled() {
 		t.Log("Debug not enabled, but continuing with debug function tests anyway")

internal/secret/metadata.go

@@ -6,10 +6,11 @@ import (
 
 // VaultMetadata contains information about a vault
 type VaultMetadata struct {
-	CreatedAt       time.Time `json:"createdAt"`
-	Description     string    `json:"description,omitempty"`
-	DerivationIndex uint32    `json:"derivation_index"`
-	PublicKeyHash   string    `json:"public_key_hash,omitempty"` // Double SHA256 hash of the long-term public key
+	CreatedAt          time.Time `json:"createdAt"`
+	Description        string    `json:"description,omitempty"`
+	DerivationIndex    uint32    `json:"derivation_index"`
+	PublicKeyHash      string    `json:"public_key_hash,omitempty"`      // Double SHA256 hash of the actual long-term public key
+	MnemonicFamilyHash string    `json:"mnemonic_family_hash,omitempty"` // Double SHA256 hash of index-0 key (for grouping vaults from same mnemonic)
 }
 
 // UnlockerMetadata contains information about an unlocker

internal/secret/version.go

@@ -287,22 +287,33 @@ func (sv *SecretVersion) GetValue(ltIdentity *age.X25519Identity) ([]byte, error
 		slog.String("version", sv.Version),
 	)
 
+	// Debug: Log the directory and long-term key info
+	Debug("SecretVersion GetValue debug info",
+		"secret_name", sv.SecretName,
+		"version", sv.Version,
+		"directory", sv.Directory,
+		"lt_identity_public_key", ltIdentity.Recipient().String())
+
 	fs := sv.vault.GetFilesystem()
 
 	// Step 1: Read encrypted version private key
 	encryptedPrivKeyPath := filepath.Join(sv.Directory, "priv.age")
+	Debug("Reading encrypted version private key", "path", encryptedPrivKeyPath)
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted version private key", "error", err, "path", encryptedPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
+	Debug("Successfully read encrypted version private key", "path", encryptedPrivKeyPath, "size", len(encryptedPrivKey))
 
 	// Step 2: Decrypt version private key using long-term key
+	Debug("Decrypting version private key with long-term identity", "version", sv.Version)
 	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
+	Debug("Successfully decrypted version private key", "version", sv.Version, "size", len(versionPrivKeyData))
 
 	// Step 3: Parse version private key
 	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
@@ -313,20 +324,27 @@ func (sv *SecretVersion) GetValue(ltIdentity *age.X25519Identity) ([]byte, error
 
 	// Step 4: Read encrypted value
 	encryptedValuePath := filepath.Join(sv.Directory, "value.age")
+	Debug("Reading encrypted value", "path", encryptedValuePath)
 	encryptedValue, err := afero.ReadFile(fs, encryptedValuePath)
 	if err != nil {
 		Debug("Failed to read encrypted version value", "error", err, "path", encryptedValuePath)
 		return nil, fmt.Errorf("failed to read encrypted version value: %w", err)
 	}
+	Debug("Successfully read encrypted value", "path", encryptedValuePath, "size", len(encryptedValue))
 
 	// Step 5: Decrypt value using version key
+	Debug("Decrypting value with version identity", "version", sv.Version)
 	value, err := DecryptWithIdentity(encryptedValue, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version value", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version value: %w", err)
 	}
 
-	Debug("Successfully retrieved version value", "version", sv.Version, "value_length", len(value))
+	Debug("Successfully retrieved version value",
+		"version", sv.Version,
+		"value_length", len(value),
+		"value_as_string", string(value),
+		"is_empty", len(value) == 0)
 	return value, nil
 }