feat: add derivation index to vault metadata for unique keys - Add VaultMetadata fields: DerivationIndex, LongTermKeyHash, MnemonicHash - Implement GetNextDerivationIndex() to track and increment indices for same mnemonics - Update init and import commands to use proper derivation indices - Add ComputeDoubleSHA256() for hash calculations - Save vault metadata on creation with all derivation information - Add comprehensive tests for metadata functionality. This ensures multiple vaults using the same mnemonic will derive different long-term keys by using incremented derivation indices. The mnemonic is double SHA256 hashed and stored to track which vaults share mnemonics. Fixes TODO item #5

internal/vault/metadata.go

@@ -1,7 +1,14 @@
 package vault
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"path/filepath"
+
 	"git.eeqj.de/sneak/secret/internal/secret"
+	"github.com/spf13/afero"
 )
 
 // Alias the metadata types from secret package for convenience
@@ -9,3 +16,104 @@ type VaultMetadata = secret.VaultMetadata
 type UnlockKeyMetadata = secret.UnlockKeyMetadata
 type SecretMetadata = secret.SecretMetadata
 type Configuration = secret.Configuration
+
+// ComputeDoubleSHA256 computes the double SHA256 hash of data and returns it as hex
+func ComputeDoubleSHA256(data []byte) string {
+	firstHash := sha256.Sum256(data)
+	secondHash := sha256.Sum256(firstHash[:])
+	return hex.EncodeToString(secondHash[:])
+}
+
+// GetNextDerivationIndex finds the next available derivation index for a given mnemonic hash
+func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonicHash string) (uint32, error) {
+	vaultsDir := filepath.Join(stateDir, "vaults.d")
+
+	// Check if vaults directory exists
+	exists, err := afero.DirExists(fs, vaultsDir)
+	if err != nil {
+		return 0, fmt.Errorf("failed to check if vaults directory exists: %w", err)
+	}
+	if !exists {
+		// No vaults yet, start with index 0
+		return 0, nil
+	}
+
+	// Read all vault directories
+	entries, err := afero.ReadDir(fs, vaultsDir)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read vaults directory: %w", err)
+	}
+
+	// Track the highest index for this mnemonic
+	var highestIndex uint32 = 0
+	foundMatch := false
+
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+
+		// Try to read vault metadata
+		metadataPath := filepath.Join(vaultsDir, entry.Name(), "vault-metadata.json")
+		metadataBytes, err := afero.ReadFile(fs, metadataPath)
+		if err != nil {
+			// Skip vaults without metadata
+			continue
+		}
+
+		var metadata VaultMetadata
+		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+			// Skip vaults with invalid metadata
+			continue
+		}
+
+		// Check if this vault uses the same mnemonic
+		if metadata.MnemonicHash == mnemonicHash {
+			foundMatch = true
+			if metadata.DerivationIndex >= highestIndex {
+				highestIndex = metadata.DerivationIndex
+			}
+		}
+	}
+
+	// If we found a match, use the next index
+	if foundMatch {
+		return highestIndex + 1, nil
+	}
+
+	// No existing vault with this mnemonic, start at 0
+	return 0, nil
+}
+
+// SaveVaultMetadata saves vault metadata to the vault directory
+func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *VaultMetadata) error {
+	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
+
+	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal vault metadata: %w", err)
+	}
+
+	if err := afero.WriteFile(fs, metadataPath, metadataBytes, secret.FilePerms); err != nil {
+		return fmt.Errorf("failed to write vault metadata: %w", err)
+	}
+
+	return nil
+}
+
+// LoadVaultMetadata loads vault metadata from the vault directory
+func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*VaultMetadata, error) {
+	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
+
+	metadataBytes, err := afero.ReadFile(fs, metadataPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read vault metadata: %w", err)
+	}
+
+	var metadata VaultMetadata
+	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal vault metadata: %w", err)
+	}
+
+	return &metadata, nil
+}