Skip unlocker directories with missing metadata instead of failing

When an unlocker directory exists but is missing unlocker-metadata.json, log a debug warning and skip it instead of returning a hard error that crashes the entire 'unlocker ls' command. Closes #1
2026-02-15 14:04:37 -08:00 · 2026-02-15 14:04:37 -08:00 · 1a96360f6a
commit 1a96360f6a
parent 4f5d2126d6
2 changed files with 57 additions and 1 deletions
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@ -213,7 +213,9 @@ func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 				return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
-				return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
+				secret.Debug("Skipping unlocker directory with missing metadata file", "directory", file.Name())
+
+				continue
 			}

 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@ -243,3 +243,57 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 }
+
+func TestListUnlockers_SkipsMissingMetadata(t *testing.T) {
+	// Set test environment variables
+	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+
+	// Use in-memory filesystem
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+
+	// Create vault
+	vlt, err := CreateVault(fs, stateDir, "test-vault")
+	if err != nil {
+		t.Fatalf("Failed to create vault: %v", err)
+	}
+
+	// Create a passphrase unlocker so we have at least one valid unlocker
+	passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
+	defer passphraseBuffer.Destroy()
+	_, err = vlt.CreatePassphraseUnlocker(passphraseBuffer)
+	if err != nil {
+		t.Fatalf("Failed to create passphrase unlocker: %v", err)
+	}
+
+	// Create a bogus unlocker directory with no metadata file
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		t.Fatalf("Failed to get vault directory: %v", err)
+	}
+	bogusDir := filepath.Join(vaultDir, "unlockers.d", "bogus-no-metadata")
+	err = fs.MkdirAll(bogusDir, 0o700)
+	if err != nil {
+		t.Fatalf("Failed to create bogus directory: %v", err)
+	}
+
+	// ListUnlockers should succeed, skipping the bogus directory
+	unlockers, err := vlt.ListUnlockers()
+	if err != nil {
+		t.Fatalf("ListUnlockers returned error when it should have skipped bad directory: %v", err)
+	}
+
+	// Should still have the valid passphrase unlocker
+	if len(unlockers) == 0 {
+		t.Errorf("Expected at least one unlocker, got none")
+	}
+
+	// Verify we only got the valid unlocker(s), not the bogus one
+	for _, u := range unlockers {
+		if u.Type == "" {
+			t.Errorf("Got unlocker with empty type, likely from bogus directory")
+		}
+	}
+}