uses protected memory buffers now for all secrets in ram

internal/vault/secrets.go

@@ -11,6 +11,7 @@ import (
 
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 
@@ -98,11 +99,15 @@ func isValidSecretName(name string) bool {
 }
 
 // AddSecret adds a secret to this vault
-func (v *Vault) AddSecret(name string, value []byte, force bool) error {
+func (v *Vault) AddSecret(name string, value *memguard.LockedBuffer, force bool) error {
+	if value == nil {
+		return fmt.Errorf("value buffer is nil")
+	}
+
 	secret.DebugWith("Adding secret to vault",
 		slog.String("vault_name", v.Name),
 		slog.String("secret_name", name),
-		slog.Int("value_length", len(value)),
+		slog.Int("value_length", value.Size()),
 		slog.Bool("force", force),
 	)
 
@@ -195,7 +200,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		// We'll update the previous version's notAfter after we save the new version
 	}
 
-	// Save the new version
+	// Save the new version - pass the LockedBuffer directly
 	if err := newVersion.Save(value); err != nil {
 		secret.Debug("Failed to save new version", "error", err, "version", versionName)
 
@@ -272,7 +277,10 @@ func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age
 	}
 
 	// Encrypt metadata to the version's public key
-	encryptedMetadata, err := secret.EncryptToRecipient(metadataBytes, versionIdentity.Recipient())
+	metadataBuffer := memguard.NewBufferFromBytes(metadataBytes)
+	defer metadataBuffer.Destroy()
+
+	encryptedMetadata, err := secret.EncryptToRecipient(metadataBuffer, versionIdentity.Recipient())
 	if err != nil {
 		return fmt.Errorf("failed to encrypt version metadata: %w", err)
 	}