uses protected memory buffers now for all secrets in ram

internal/vault/integration_version_test.go

@@ -29,11 +29,21 @@ import (
 
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+// Helper function to add a secret to vault with proper buffer protection
+func addTestSecret(t *testing.T, vault *Vault, name string, value []byte, force bool) {
+	t.Helper()
+	buffer := memguard.NewBufferFromBytes(value)
+	defer buffer.Destroy()
+	err := vault.AddSecret(name, buffer, force)
+	require.NoError(t, err)
+}
+
 // TestVersionIntegrationWorkflow tests the complete version workflow
 func TestVersionIntegrationWorkflow(t *testing.T) {
 	fs := afero.NewMemMapFs()
@@ -66,8 +76,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 
 	// Step 1: Create initial version
 	t.Run("create_initial_version", func(t *testing.T) {
-		err := vault.AddSecret(secretName, []byte("version-1-data"), false)
-		require.NoError(t, err)
+		addTestSecret(t, vault, secretName, []byte("version-1-data"), false)
 
 		// Verify secret can be retrieved
 		value, err := vault.GetSecret(secretName)
@@ -108,8 +117,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		firstVersionName = versions[0]
 
 		// Create second version
-		err = vault.AddSecret(secretName, []byte("version-2-data"), true)
-		require.NoError(t, err)
+		addTestSecret(t, vault, secretName, []byte("version-2-data"), true)
 
 		// Verify new value is current
 		value, err := vault.GetSecret(secretName)
@@ -142,8 +150,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 	t.Run("create_third_version", func(t *testing.T) {
 		time.Sleep(10 * time.Millisecond)
 
-		err := vault.AddSecret(secretName, []byte("version-3-data"), true)
-		require.NoError(t, err)
+		addTestSecret(t, vault, secretName, []byte("version-3-data"), true)
 
 		// Verify we now have three versions
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
@@ -214,8 +221,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		secretDir := filepath.Join(vaultDir, "secrets.d", "limit%test", "versions")
 
 		// Create 998 versions (we already have one from the first AddSecret)
-		err := vault.AddSecret(limitSecretName, []byte("initial"), false)
-		require.NoError(t, err)
+		addTestSecret(t, vault, limitSecretName, []byte("initial"), false)
 
 		// Get today's date for consistent version names
 		today := time.Now().Format("20060102")
@@ -255,7 +261,9 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		assert.Error(t, err)
 
 		// Try to add secret without force when it exists
-		err = vault.AddSecret(secretName, []byte("should-fail"), false)
+		failBuffer := memguard.NewBufferFromBytes([]byte("should-fail"))
+		defer failBuffer.Destroy()
+		err = vault.AddSecret(secretName, failBuffer, false)
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "already exists")
 	})
@@ -272,8 +280,7 @@ func TestVersionConcurrency(t *testing.T) {
 	secretName := "concurrent/test"
 
 	// Create initial version
-	err := vault.AddSecret(secretName, []byte("initial"), false)
-	require.NoError(t, err)
+	addTestSecret(t, vault, secretName, []byte("initial"), false)
 
 	// Test concurrent reads
 	t.Run("concurrent_reads", func(t *testing.T) {
@@ -326,8 +333,10 @@ func TestVersionCompatibility(t *testing.T) {
 
 	// Create old-style encrypted value directly in secret directory
 	testValue := []byte("legacy-value")
+	testValueBuffer := memguard.NewBufferFromBytes(testValue)
+	defer testValueBuffer.Destroy()
 	ltRecipient := ltIdentity.Recipient()
-	encrypted, err := secret.EncryptToRecipient(testValue, ltRecipient)
+	encrypted, err := secret.EncryptToRecipient(testValueBuffer, ltRecipient)
 	require.NoError(t, err)
 
 	valuePath := filepath.Join(secretDir, "value.age")