fix: resolve all nlreturn linter errors

Add blank lines before return statements in all files to satisfy
the nlreturn linter. This improves code readability by providing
visual separation before return statements.

Changes made across 24 files:
- internal/cli/*.go
- internal/secret/*.go
- internal/vault/*.go
- pkg/agehd/agehd.go
- pkg/bip85/bip85.go

All 143 nlreturn issues have been resolved.

internal/vault/management.go

@@ -54,6 +54,7 @@ func resolveRelativeSymlink(symlinkPath, target string) (string, error) {
 	if err != nil {
 		// Try to restore original directory before returning error
 		_ = os.Chdir(originalDir)
+
 		return "", fmt.Errorf("failed to get absolute path: %w", err)
 	}
 	secret.Debug("Got absolute path", "absolute_path", absolutePath)
@@ -79,6 +80,7 @@ func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 		target, err := tryResolveOsSymlink(symlinkPath)
 		if err == nil {
 			secret.Debug("resolveVaultSymlink completed successfully", "result", target)
+
 			return target, nil
 		}
 		// Fall through to fallback if symlink resolution failed
@@ -92,6 +94,7 @@ func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 	fileData, err := afero.ReadFile(fs, symlinkPath)
 	if err != nil {
 		secret.Debug("Failed to read target path file", "error", err)
+
 		return "", fmt.Errorf("failed to read vault symlink: %w", err)
 	}
 
@@ -106,14 +109,14 @@ func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 // tryResolveOsSymlink attempts to resolve a symlink on OS filesystems
 func tryResolveOsSymlink(symlinkPath string) (string, error) {
 	secret.Debug("Using real filesystem symlink resolution")
-	
+
 	// Check if the symlink exists
 	secret.Debug("Checking symlink target", "symlink_path", symlinkPath)
 	target, err := os.Readlink(symlinkPath)
 	if err != nil {
 		return "", err
 	}
-	
+
 	secret.Debug("Symlink points to", "target", target)
 
 	// On real filesystem, we need to handle relative symlinks
@@ -136,6 +139,7 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (*Vault, error) {
 	_, err := fs.Stat(currentVaultPath)
 	if err != nil {
 		secret.Debug("Failed to stat current vault symlink", "error", err, "path", currentVaultPath)
+
 		return nil, fmt.Errorf("failed to read current vault symlink: %w", err)
 	}
 
@@ -195,7 +199,7 @@ func ListVaults(fs afero.Fs, stateDir string) ([]string, error) {
 func processMnemonicForVault(fs afero.Fs, stateDir, vaultDir, vaultName string) (derivationIndex uint32, publicKeyHash string, familyHash string, err error) {
 	// Check if mnemonic is available in environment
 	mnemonic := os.Getenv(secret.EnvMnemonic)
-	
+
 	if mnemonic == "" {
 		secret.Debug("No mnemonic in environment, vault created without long-term key", "vault", vaultName)
 		// Use 0 for derivation index when no mnemonic is provided
@@ -245,6 +249,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
+
 		return nil, fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -306,6 +311,7 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
+
 		return fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -337,6 +343,7 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 		secret.Debug("Creating vault symlink", "target", targetPath, "link", currentVaultPath)
 		if err := os.Symlink(targetPath, currentVaultPath); err == nil {
 			secret.Debug("Successfully selected vault", "vault_name", name)
+
 			return nil
 		}
 		// If symlink creation fails, fall back to regular file

internal/vault/secrets.go

@@ -21,6 +21,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name)
+
 		return nil, err
 	}
 
@@ -30,10 +31,12 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	exists, err := afero.DirExists(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir)
+
 		return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name)
+
 		return []string{}, nil
 	}
 
@@ -41,6 +44,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	files, err := afero.ReadDir(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir)
+
 		return nil, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
 
@@ -105,6 +109,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	// Validate secret name
 	if !isValidSecretName(name) {
 		secret.Debug("Invalid secret name provided", "secret_name", name)
+
 		return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
 	}
 	secret.Debug("Secret name validation passed", "secret_name", name)
@@ -113,6 +118,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name)
+
 		return err
 	}
 	secret.Debug("Got vault directory", "vault_dir", vaultDir)
@@ -131,6 +137,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir)
+
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	secret.Debug("Secret existence check complete", "exists", exists)
@@ -142,6 +149,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	if exists {
 		if !force {
 			secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
+
 			return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
 		}
 
@@ -156,6 +164,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		secret.Debug("Creating secret directory", "secret_dir", secretDir)
 		if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil {
 			secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
+
 			return fmt.Errorf("failed to create secret directory: %w", err)
 		}
 		secret.Debug("Created secret directory successfully")
@@ -165,6 +174,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	versionName, err := secret.GenerateVersionName(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to generate version name", "error", err, "secret_name", name)
+
 		return fmt.Errorf("failed to generate version name: %w", err)
 	}
 
@@ -188,6 +198,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	// Save the new version
 	if err := newVersion.Save(value); err != nil {
 		secret.Debug("Failed to save new version", "error", err, "version", versionName)
+
 		return fmt.Errorf("failed to save version: %w", err)
 	}
 
@@ -197,12 +208,14 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		ltIdentity, err := v.GetOrDeriveLongTermKey()
 		if err != nil {
 			secret.Debug("Failed to get long-term key for metadata update", "error", err)
+
 			return fmt.Errorf("failed to get long-term key: %w", err)
 		}
 
 		// Load previous version metadata
 		if err := previousVersion.LoadMetadata(ltIdentity); err != nil {
 			secret.Debug("Failed to load previous version metadata", "error", err)
+
 			return fmt.Errorf("failed to load previous version metadata: %w", err)
 		}
 
@@ -212,6 +225,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		// Re-save the metadata (we need to implement an update method)
 		if err := updateVersionMetadata(v.fs, previousVersion, ltIdentity); err != nil {
 			secret.Debug("Failed to update previous version metadata", "error", err)
+
 			return fmt.Errorf("failed to update previous version metadata: %w", err)
 		}
 	}
@@ -219,6 +233,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	// Set current symlink to new version
 	if err := secret.SetCurrentVersion(v.fs, secretDir, versionName); err != nil {
 		secret.Debug("Failed to set current version", "error", err, "version", versionName)
+
 		return fmt.Errorf("failed to set current version: %w", err)
 	}
 
@@ -293,6 +308,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
+
 		return nil, err
 	}
 
@@ -304,10 +320,12 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name)
+
 		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name)
+
 		return nil, fmt.Errorf("secret %s not found", name)
 	}
 
@@ -317,6 +335,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		currentVersion, err := secret.GetCurrentVersion(v.fs, secretDir)
 		if err != nil {
 			secret.Debug("Failed to get current version", "error", err, "secret_name", name)
+
 			return nil, fmt.Errorf("failed to get current version: %w", err)
 		}
 		version = currentVersion
@@ -331,10 +350,12 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	exists, err = afero.DirExists(v.fs, versionPath)
 	if err != nil {
 		secret.Debug("Failed to check if version exists", "error", err, "version", version)
+
 		return nil, fmt.Errorf("failed to check if version exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Version not found", "version", version, "secret_name", name)
+
 		return nil, fmt.Errorf("version %s not found for secret %s", version, name)
 	}
 
@@ -344,6 +365,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	longTermIdentity, err := v.UnlockVault()
 	if err != nil {
 		secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name)
+
 		return nil, fmt.Errorf("failed to unlock vault: %w", err)
 	}
 
@@ -359,6 +381,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	decryptedValue, err := secretVersion.GetValue(longTermIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt version value", "error", err, "version", version, "secret_name", name)
+
 		return nil, fmt.Errorf("failed to decrypt version: %w", err)
 	}
 
@@ -386,6 +409,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	// If vault is already unlocked, return the cached key
 	if !v.Locked() {
 		secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name)
+
 		return v.longTermKey, nil
 	}
 
@@ -393,6 +417,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	longTermIdentity, err := v.GetOrDeriveLongTermKey()
 	if err != nil {
 		secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name)
+
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}
 

internal/vault/unlockers.go

@@ -20,6 +20,7 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for unlocker", "error", err, "vault_name", v.Name)
+
 		return nil, err
 	}
 
@@ -29,6 +30,7 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	_, err = v.fs.Stat(currentUnlockerPath)
 	if err != nil {
 		secret.Debug("Failed to stat current unlocker symlink", "error", err, "path", currentUnlockerPath)
+
 		return nil, fmt.Errorf("failed to read current unlocker: %w", err)
 	}
 
@@ -50,12 +52,14 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 	if err != nil {
 		secret.Debug("Failed to read unlocker metadata", "error", err, "path", metadataPath)
+
 		return nil, fmt.Errorf("failed to read unlocker metadata: %w", err)
 	}
 
 	var metadata UnlockerMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		secret.Debug("Failed to parse unlocker metadata", "error", err, "path", metadataPath)
+
 		return nil, fmt.Errorf("failed to parse unlocker metadata: %w", err)
 	}
 
@@ -80,6 +84,7 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 		unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, metadata)
 	default:
 		secret.Debug("Unsupported unlocker type", "type", metadata.Type)
+
 		return nil, fmt.Errorf("unsupported unlocker type: %s", metadata.Type)
 	}
 
@@ -119,8 +124,10 @@ func (v *Vault) readUnlockerPathFromFile(path string) (string, error) {
 	unlockerDirBytes, err := afero.ReadFile(v.fs, path)
 	if err != nil {
 		secret.Debug("Failed to read unlocker path file", "error", err, "path", path)
+
 		return "", fmt.Errorf("failed to read current unlocker: %w", err)
 	}
+
 	return strings.TrimSpace(string(unlockerDirBytes)), nil
 }
 

internal/vault/vault.go

@@ -76,12 +76,14 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 		metadata, err := LoadVaultMetadata(v.fs, vaultDir)
 		if err != nil {
 			secret.Debug("Failed to load vault metadata", "error", err, "vault_name", v.Name)
+
 			return nil, fmt.Errorf("failed to load vault metadata: %w", err)
 		}
 
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			secret.Debug("Failed to derive long-term key from mnemonic", "error", err, "vault_name", v.Name)
+
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 
@@ -117,6 +119,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	unlocker, err := v.GetCurrentUnlocker()
 	if err != nil {
 		secret.Debug("Failed to get current unlocker", "error", err, "vault_name", v.Name)
+
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
 
@@ -130,6 +133,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	unlockerIdentity, err := unlocker.GetIdentity()
 	if err != nil {
 		secret.Debug("Failed to get unlocker identity", "error", err, "unlocker_type", unlocker.GetType())
+
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
 
@@ -141,6 +145,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	encryptedLtPrivKey, err := afero.ReadFile(v.fs, encryptedLtPrivKeyPath)
 	if err != nil {
 		secret.Debug("Failed to read encrypted long-term private key", "error", err, "path", encryptedLtPrivKeyPath)
+
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
 
@@ -155,6 +160,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlocker_type", unlocker.GetType())
+
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 
@@ -169,6 +175,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
 	if err != nil {
 		secret.Debug("Failed to parse long-term private key", "error", err, "vault_name", v.Name)
+
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}