passes tests now!

internal/vault/management.go

@@ -207,6 +207,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	mnemonic := os.Getenv(secret.EnvMnemonic)
 	var derivationIndex uint32
 	var publicKeyHash string
+	var familyHash string
 
 	if mnemonic != "" {
 		secret.Debug("Mnemonic found in environment, deriving long-term key", "vault", name)
@@ -232,13 +233,16 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 		}
 		secret.Debug("Wrote long-term public key", "path", ltPubKeyPath)
 
-		// Compute public key hash from index 0 (same for all vaults with this mnemonic)
+		// Compute verification hash from actual derivation index
+		publicKeyHash = ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
+
+		// Compute family hash from index 0 (same for all vaults with this mnemonic)
 		// This is used to identify which vaults belong to the same mnemonic family
 		identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive identity for index 0: %w", err)
 		}
-		publicKeyHash = ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
+		familyHash = ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	} else {
 		secret.Debug("No mnemonic in environment, vault created without long-term key", "vault", name)
 		// Use 0 for derivation index when no mnemonic is provided
@@ -247,9 +251,10 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 
 	// Save vault metadata
 	metadata := &VaultMetadata{
-		CreatedAt:       time.Now(),
-		DerivationIndex: derivationIndex,
-		PublicKeyHash:   publicKeyHash,
+		CreatedAt:          time.Now(),
+		DerivationIndex:    derivationIndex,
+		PublicKeyHash:      publicKeyHash,
+		MnemonicFamilyHash: familyHash,
 	}
 	if err := SaveVaultMetadata(fs, vaultDir, metadata); err != nil {
 		return nil, fmt.Errorf("failed to save vault metadata: %w", err)