Fix review findings: stub panics, derivation index, tests, README

- Replace panic() calls in seunlocker_stub.go with error returns,
  following the existing keychainunlocker_stub.go pattern
- Fix hardcoded derivation index 0 in getLongTermKeyForSE: now reads
  vault metadata to use the correct DerivationIndex (matching
  getLongTermPrivateKey in keychainunlocker.go)
- Add tests for SE unlocker exports in secret package (both darwin
  and non-darwin stub tests)
- Update README to reflect SE implementation: remove 'planned' labels,
  update Apple Developer Program references, add secure-enclave to
  unlocker type lists and examples
- Run go fmt on files with import ordering issues

README.md

@@ -184,6 +184,7 @@ Creates a new unlocker of the specified type:
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 - `keychain`: macOS Keychain integration (macOS only)
+- `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
 
 **Options:**
 - `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
@@ -286,11 +287,11 @@ Unlockers provide different authentication methods to access the long-term keys:
    - Automatic unlocking when Keychain is unlocked
    - Cross-application integration
 
-4. **Secure Enclave Unlockers** (macOS - planned):
+4. **Secure Enclave Unlockers** (macOS):
    - Hardware-backed key storage using Apple Secure Enclave
-   - Currently partially implemented but non-functional
-   - Requires Apple Developer Program membership and code signing entitlements
-   - Full implementation blocked by entitlement requirements
+   - Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
+   - ECIES encryption: vault long-term key encrypted directly by SE hardware
+   - Protected by biometric authentication (Touch ID) or system password
 
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
 
@@ -330,8 +331,7 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 
 - Hardware token support via PGP/GPG integration
 - macOS Keychain integration for system-level security
-- Secure Enclave support planned (requires paid Apple Developer Program for
-  signed entitlements to access the SEP and doxxing myself to Apple)
+- Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
 
 ## Examples
 
@@ -385,6 +385,7 @@ secret vault remove personal --force
 secret unlocker add passphrase              # Password-based
 secret unlocker add pgp --keyid ABCD1234    # GPG key
 secret unlocker add keychain                # macOS Keychain (macOS only)
+secret unlocker add secure-enclave          # macOS Secure Enclave (macOS only)
 
 # List unlockers
 secret unlocker list
@@ -443,7 +444,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 
 ### Cross-Platform Support
 
-- **macOS**: Full support including Keychain and planned Secure Enclave integration
+- **macOS**: Full support including Keychain and Secure Enclave integration
 - **Linux**: Full support (excluding macOS-specific features)
 
 ## Security Considerations
@@ -487,7 +488,7 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 
 ## Features
 
-- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases