Fix storeInKeychain to accept LockedBuffer for data parameter

- Changed storeInKeychain to accept *memguard.LockedBuffer instead of []byte
- Updated caller in CreateKeychainUnlocker to create LockedBuffer before storing
- This ensures keychain data is protected in memory before being stored
- Added proper buffer cleanup with defer Destroy()
2025-07-15 08:44:09 +02:00
parent eef2332823
commit 292564c6e7
2 changed files with 11 additions and 4 deletions


@@ -409,8 +409,12 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
return nil, fmt.Errorf("failed to marshal keychain data: %w", err)
}
// Create a secure buffer for keychain data
keychainDataBuffer := memguard.NewBufferFromBytes(keychainDataBytes)
defer keychainDataBuffer.Destroy()
// Step 8: Store data in keychain
if err := storeInKeychain(keychainItemName, keychainDataBytes); err != nil {
if err := storeInKeychain(keychainItemName, keychainDataBuffer); err != nil {
return nil, fmt.Errorf("failed to store data in keychain: %w", err)
}
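Review bot: The `defer keychainDataBuffer.Destroy()` added after `memguard.NewBufferFromBytes` protects only the copy inside the locked buffer: `NewBufferFromBytes` wipes the source slice, so `keychainDataBytes` must not be read after that line, and any temporaries the marshaller produced remain on the ordinary Go heap. The second hunk still hands the secret to `exec.Command` as the `-w` argument via `data.String()`; the runtime copies argv into unprotected memory when spawning the child, and the value is visible to other local processes in the process list for as long as `security` runs, so the commit's claim that the keychain data is protected in memory does not hold end to end. Consider feeding the payload to the child over stdin instead (the `security` tool has an interactive mode that reads commands from stdin, if I recall its man page correctly), or at minimum document the residual exposure at the call site with `// NOTE: -w puts the secret on the command line; the LockedBuffer only guards the in-process copy`. CreateKeychainUnlocker starts before this hunk, and storeInKeychain's body continues past the end of the second hunk.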
@@ -466,14 +470,17 @@ func validateKeychainItemName(itemName string) error {
}
// storeInKeychain stores data in the macOS keychain using the security command
func storeInKeychain(itemName string, data []byte) error {
func storeInKeychain(itemName string, data *memguard.LockedBuffer) error {
if data == nil {
return fmt.Errorf("data buffer is nil")
}
if err := validateKeychainItemName(itemName); err != nil {
return fmt.Errorf("invalid keychain item name: %w", err)
}
cmd := exec.Command("/usr/bin/security", "add-generic-password", //nolint:gosec
"-a", itemName,
"-s", itemName,
"-w", string(data),
"-w", data.String(),
"-U") // Update if exists
if err := cmd.Run(); err != nil {