uses protected memory buffers now for all secrets in ram

internal/secret/secret_test.go

@@ -26,7 +26,7 @@ func (m *MockVault) GetDirectory() (string, error) {
 	return m.directory, nil
 }
 
-func (m *MockVault) AddSecret(name string, value []byte, _ bool) error {
+func (m *MockVault) AddSecret(name string, value *memguard.LockedBuffer, _ bool) error {
 	// Create secret directory with proper storage name conversion
 	storageName := strings.ReplaceAll(name, "/", "%")
 	secretDir := filepath.Join(m.directory, "secrets.d", storageName)
@@ -75,7 +75,7 @@ func (m *MockVault) AddSecret(name string, value []byte, _ bool) error {
 		return err
 	}
 
-	// Encrypt value to version's public key
+	// Encrypt value to version's public key (value is already a LockedBuffer)
 	encryptedValue, err := EncryptToRecipient(value, versionIdentity.Recipient())
 	if err != nil {
 		return err
@@ -88,7 +88,9 @@ func (m *MockVault) AddSecret(name string, value []byte, _ bool) error {
 	}
 
 	// Encrypt version private key to long-term public key
-	encryptedPrivKey, err := EncryptToRecipient([]byte(versionIdentity.String()), ltIdentity.Recipient())
+	versionPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(versionIdentity.String()))
+	defer versionPrivKeyBuffer.Destroy()
+	encryptedPrivKey, err := EncryptToRecipient(versionPrivKeyBuffer, ltIdentity.Recipient())
 	if err != nil {
 		return err
 	}
@@ -180,9 +182,13 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 	secretName := "test-secret"
 	secretValue := []byte("this is a test secret value")
 
+	// Create a secure buffer for the test value
+	valueBuffer := memguard.NewBufferFromBytes(secretValue)
+	defer valueBuffer.Destroy()
+
 	// Test AddSecret
 	t.Run("AddSecret", func(t *testing.T) {
-		err := vault.AddSecret(secretName, secretValue, false)
+		err := vault.AddSecret(secretName, valueBuffer, false)
 		if err != nil {
 			t.Fatalf("AddSecret failed: %v", err)
 		}