Remove deprecated Secret.Save function

- Removed unused deprecated Save(value []byte, force bool) function
- This function accepted unprotected secret data which was a security issue
- All code now uses vault.AddSecret directly with LockedBuffer
- Updated TODO.md to reflect completion of this security fix

internal/secret/secret.go

@@ -62,32 +62,6 @@ func NewSecret(vault VaultInterface, name string) *Secret {
 	}
 }
 
-// Save is deprecated - use vault.AddSecret directly which creates versions
-// Kept for backward compatibility
-func (s *Secret) Save(value []byte, force bool) error {
-	DebugWith("Saving secret (deprecated method)",
-		slog.String("secret_name", s.Name),
-		slog.String("vault_name", s.vault.GetName()),
-		slog.Int("value_length", len(value)),
-		slog.Bool("force", force),
-	)
-
-	// Create a secure buffer for the value - note that the caller
-	// should ideally pass a LockedBuffer directly to vault.AddSecret
-	valueBuffer := memguard.NewBufferFromBytes(value)
-	defer valueBuffer.Destroy()
-
-	err := s.vault.AddSecret(s.Name, valueBuffer, force)
-	if err != nil {
-		Debug("Failed to save secret", "error", err, "secret_name", s.Name)
-
-		return err
-	}
-
-	Debug("Successfully saved secret", "secret_name", s.Name)
-
-	return nil
-}
 
 // GetValue retrieves and decrypts the current version's value using the provided unlocker
 func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {