WIP: refactor to use memguard for secure memory handling

- Add memguard dependency
- Update ReadPassphrase to return LockedBuffer
- Update EncryptWithPassphrase/DecryptWithPassphrase to accept LockedBuffer
- Remove string wrapper functions
- Update all callers to create LockedBuffers at entry points
- Update interfaces and mock implementations

internal/cli/vault.go

@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
@@ -272,12 +273,16 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 
 	secret.Debug("Using unlock passphrase from environment variable")
 
+	// Create secure buffer for passphrase
+	passphraseBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
+	defer passphraseBuffer.Destroy()
+
 	// Unlock the vault with the derived long-term key
 	vlt.Unlock(ltIdentity)
 
 	// Create passphrase-protected unlocker
 	secret.Debug("Creating passphrase-protected unlocker")
-	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
+	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		secret.Debug("Failed to create unlocker", "error", err)