uses protected memory buffers now for all secrets in ram

Merge branch 'main' into fix-memory-security
Merge branch 'fix-test-json-fields'
2025-07-15 08:32:33 +02:00 · 2025-07-15 07:36:13 +02:00 · 2025-07-15 07:35:58 +02:00 · 2025-07-15 07:35:48 +02:00 · 2025-07-15 07:24:15 +02:00 · 2025-07-15 07:23:58 +02:00
65 changed files with 9517 additions and 5131 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -0,0 +1,30 @@
 {
  "permissions": {
    "allow": [
      "Bash(go mod why:*)",
      "Bash(go list:*)",
      "Bash(~/go/bin/govulncheck -mode=module .)",
      "Bash(go test:*)",
      "Bash(grep:*)",
      "Bash(rg:*)",
      "Bash(find:*)",
      "Bash(make test:*)",
      "Bash(go doc:*)",
      "Bash(make fmt:*)",
      "Bash(make:*)",
      "Bash(golangci-lint run:*)",
      "Bash(git add:*)",
      "Bash(gofumpt:*)",
      "Bash(git stash:*)",
      "Bash(git commit:*)",
      "Bash(git push:*)",
      "Bash(golangci-lint:*)",
      "Bash(git checkout:*)",
      "Bash(ls:*)",
      "WebFetch(domain:golangci-lint.run)",
      "Bash(go:*)",
      "WebFetch(domain:pkg.go.dev)"
    ],
    "deny": []
  }
 }
--- a/.cursorrules
+++ b/.cursorrules
@@ -0,0 +1,3 @@
 EXTREMELY IMPORTANT: Read and follow the policies, procedures, and
 instructions in the `AGENTS.md` file in the root of the repository.  Make
 sure you follow *all* of the instructions meticulously.
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,7 @@
 .DS_Store
 **/.DS_Store
 /secret
 *.log
 cli.test
 vault.test
 *.test
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,91 @@
 version: "2"
 run:
  go: "1.24"
  tests: false
 linters:
  enable:
    # Additional linters requested
    - testifylint      # Checks usage of github.com/stretchr/testify
    - usetesting       # usetesting is an analyzer that detects using os.Setenv instead of t.Setenv since Go 1.17
    - tagliatelle      # Checks the struct tags
    - nlreturn         # nlreturn checks for a new line before return and branch statements
    - nilnil           # Checks that there is no simultaneous return of nil error and an invalid value
    - nestif           # Reports deeply nested if statements
    - mnd              # An analyzer to detect magic numbers
    - lll              # Reports long lines
    - intrange         # intrange is a linter to find places where for loops could make use of an integer range
    - gochecknoglobals # Check that no global variables exist
    # Default/existing linters that are commonly useful
    - govet
    - errcheck
    - staticcheck
    - unused
    - ineffassign
    - misspell
    - revive
    - gosec
    - unconvert
    - unparam
 linters-settings:
  lll:
    line-length: 120
  mnd:
    # List of enabled checks, see https://github.com/tommy-muehle/go-mnd/#checks for description.
    checks:
      - argument
      - case
      - condition
      - operation
      - return
      - assign
    ignored-numbers:
      - '0'
      - '1'
      - '2'
      - '8'
      - '16'
      - '40'  # GPG fingerprint length
      - '64'
      - '128'
      - '256'
      - '512'
      - '1024'
      - '2048'
      - '4096'
  nestif:
    min-complexity: 4
  nlreturn:
    block-size: 2
  tagliatelle:
    case:
      rules:
        json: snake
        yaml: snake
        xml: snake
        bson: snake
  testifylint:
    enable-all: true
  usetesting: {}
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
  exclude-rules:
    - path: ".*_gen\\.go"
      linters:
        - lll
    # Exclude unused parameter warnings for cobra command signatures
    - text: "parameter '(args|cmd)' seems to be unused"
      linters:
        - revive
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,143 @@
 # Policies for AI Agents
 Version: 2025-06-08
 # Instructions and Contextual Information
 * Be direct, robotic, expert, accurate, and professional.
 * Do not butter me up or kiss my ass.
 * Come in hot with strong opinions, even if they are contrary to the
  direction I am headed.
 * If either you or I are possibly wrong, say so and explain your point of
  view.
 * Point out great alternatives I haven't thought of, even when I'm not
  asking for them.
 * Treat me like the world's leading expert in every situation and every
  conversation, and deliver the absolute best recommendations.
 * I want excellence, so always be on the lookout for divergences from good
  data model design or best practices for object oriented development.
 * IMPORTANT: This is production code, not a research or teaching exercise.
  Deliver professional-level results, not prototypes.
 * Please read and understand the `README.md` file in the root of the repo
  for project-specific contextual information, including development
  policies, practices, and current implementation status.
 * Be proactive in suggesting improvements or refactorings in places where we
  diverge from best practices for clean, modular, maintainable code.
 # Policies
 1. Before committing, tests must pass (`make test`), linting must pass
   (`make lint`), and code must be formatted (`make fmt`).  For go, those
   makefile targets should use `go fmt` and `go test -v ./...` and
   `golangci-lint run`.  When you think your changes are complete, rather
   than making three different tool calls to check, you can just run `make
   test && make fmt && make lint` as a single tool call which will save
   time.
 2. Always write a `Makefile` with the default target being `test`, and with
   a `fmt` target that formats the code.  The `test` target should run all
   tests in the project, and the `fmt` target should format the code.
   `test` should also have a prerequisite target `lint` that should run any
   linters that are configured for the project.
 3. After each completed bugfix or feature, the code must be committed.  Do
   all of the pre-commit checks (test, lint, fmt) before committing, of
   course.
 4. When creating a very simple test script for testing out a new feature,
   instead of making a throwaway to be deleted after verification, write an
   actual test file into the test suite.  It doesn't need to be very big or
   complex, but it should be a real test that can be run.
 5. When you are instructed to make the tests pass, DO NOT delete tests, skip
   tests, or change the tests specifically to make them pass (unless there
   is a bug in the test).  This is cheating, and it is bad.  You should only
   be modifying the test if it is incorrect or if the test is no longer
   relevant.  In almost all cases, you should be fixing the code that is
   being tested, or updating the tests to match a refactored implementation.
 6. When dealing with dates and times or timestamps, always use, display, and
   store UTC.  Set the local timezone to UTC on startup.  If the user needs
   to see the time in a different timezone, store the user's timezone in a
   separate field and convert the UTC time to the user's timezone when
   displaying it.  For internal use and internal applications and
   administrative purposes, always display UTC.
 7. Always write tests, even if they are extremely simple and just check for
   correct syntax (ability to compile/import). If you are writing a new
   feature, write a test for it.  You don't need to target complete
   coverage, but you should at least test any new functionality you add.  If
   you are fixing a bug, write a test first that reproduces the bug, and
   then fix the bug in the code.
 8. When implementing new features, be aware of potential side-effects (such
   as state files on disk, data in the database, etc.) and ensure that it is
   possible to mock or stub these side-effects in tests.
 9. Always use structured logging.  Log any relevant state/context with the
   messages (but do not log secrets).  If stdout is not a terminal, output
   the structured logs in jsonl format.
 10. Avoid using bare strings or numbers in code, especially if they appear
    anywhere more than once.  Always define a constant (usually at the top
    of the file) and give it a descriptive name, then use that constant in
    the code instead of the bare string or number.
 11. You do not need to summarize your changes in the chat after making them.
    Making the changes and committing them is sufficient.  If anything out
    of the ordinary happened, please explain it, but in the normal case
    where you found and fixed the bug, or implemented the feature, there is
    no need for the end-of-change summary.
 12. Do not create additional files in the root directory of the project
    without asking permission first. Configuration files, documentation, and
    build files are acceptable in the root, but source code and other files
    should be organized in appropriate subdirectories.
 ## Python-Specific Guidelines
 1. **Type Annotations (UP006)**: Use built-in collection types directly for type annotations instead of importing from `typing`. This avoids the UP006 linter error.
   **Good (modern Python 3.9+):**
   ```python
   def process_items(items: list[str]) -> dict[str, int]:
       counts: dict[str, int] = {}
       return counts
   ```
   **Avoid (triggers UP006):**
   ```python
   from typing import List, Dict
   def process_items(items: List[str]) -> Dict[str, int]:
       counts: Dict[str, int] = {}
       return counts
   ```
   For optional types, use the `|` operator instead of `Union`:
   ```python
   # Good
   def get_value(key: str) -> str | None:
       return None
   # Avoid
   from typing import Optional, Union
   def get_value(key: str) -> Optional[str]:
       return None
   ```
 2. **Import Organization**: Follow the standard Python import order:
   - Standard library imports
   - Third-party imports
   - Local application imports
   Each group should be separated by a blank line.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,28 @@
 # Rules
 Read the rules in AGENTS.md and follow them.
 # Memory
 * Claude is an inanimate tool.  The spam that Claude attempts to insert into
  commit messages (which it erroneously refers to as "attribution") is not
  attribution, as I am the sole author of code created using Claude.  It is
  corporate advertising for Anthropic and is therefore completely
  unacceptable in commit messages.
 * Tests should always be run before committing code.  No commits should be
  made that do not pass tests.
 * Code should always be formatted before committing.  Do not commit
  unformatted code.
 * Code should always be linted before committing.  Do not commit
  unlinted code.
 * The test suite is fast and local.  When running tests, don't run
  individual parts of the test suite, always run the whole thing by running
  "make test".
 * Do not stop working on a task until you have reached the definition of
  done provided to you in the initial instruction.  Don't do part or most of
  the work, do all of the work until the criteria for done are met.
--- a/8
+++ b/8
@@ -1,5 +1,7 @@
 default: check
 build: ./secret
 # Simple build (no code signing needed)
 ./secret:
 	go build -v -o $@ cmd/secret/main.go
@@ -8,8 +10,10 @@ vet:
 	go vet ./...
 test:
-	go test -v ./...
+	go test ./... || go test -v ./...
-	bash test_secret_manager.sh
+
 fmt:
 	go fmt ./...
 lint:
 	golangci-lint run --timeout 5m
--- a/README.md
+++ b/README.md
@@ -9,12 +9,20 @@ Secret is a modern, secure command-line secret manager that implements a hierarc
 Secret implements a sophisticated three-layer key architecture:
 1. **Long-term Keys**: Derived from BIP39 mnemonic phrases, these provide the foundation for all encryption
-2. **Unlock Keys**: Short-term keys that encrypt the long-term keys, supporting multiple authentication methods
+2. **Unlockers**: Short-term keys that encrypt the long-term keys, supporting multiple authentication methods
-3. **Secret-specific Keys**: Per-secret keys that encrypt individual secret values
+3. **Version-specific Keys**: Per-version keys that encrypt individual secret values
 ### Version Management
 Each secret maintains a history of versions, with each version having:
 - Its own encryption key pair
 - Encrypted metadata including creation time and validity period
 - Immutable value storage
 - Atomic version switching via symlink updates
 ### Vault System
-Vaults provide logical separation of secrets, each with its own long-term key and unlock key set. This allows for complete isolation between different contexts (work, personal, projects).
+Vaults provide logical separation of secrets, each with its own long-term key and unlocker set. This allows for complete isolation between different contexts (work, personal, projects).
 ## Installation
@@ -80,12 +88,21 @@ Adds a secret to the current vault. Reads the secret value from stdin.
 - Forward slashes (`/`) are converted to percent signs (`%`) for storage
 - Examples: `database/password`, `api.key`, `ssh_private_key`
-#### `secret get <secret-name>`
+#### `secret get <secret-name> [--version <version>]`
 Retrieves and outputs a secret value to stdout.
 - `--version, -v`: Get a specific version (default: current)
 #### `secret list [filter] [--json]` / `secret ls`
 Lists all secrets in the current vault. Optional filter for substring matching.
 ### Version Management
 #### `secret version list <secret-name>`
 Lists all versions of a secret showing creation time, status, and validity period.
 #### `secret version promote <secret-name> <version>`
 Promotes a specific version to current by updating the symlink. Does not modify any timestamps, allowing for rollback scenarios.
 ### Key Generation
 #### `secret generate mnemonic`
@@ -97,26 +114,26 @@ Generates and stores a random secret.
 - `--type, -t`: Type of secret (`base58`, `alnum`)
 - `--force, -f`: Overwrite existing secret
-### Unlock Key Management
+### Unlocker Management
-#### `secret keys list [--json]`
+#### `secret unlockers list [--json]`
-Lists all unlock keys in the current vault with their metadata.
+Lists all unlockers in the current vault with their metadata.
-#### `secret keys add <type> [options]`
+#### `secret unlockers add <type> [options]`
-Creates a new unlock key of the specified type:
+Creates a new unlocker of the specified type:
 **Types:**
- `passphrase`: Traditional passphrase-protected unlock key
+- `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 **Options:**
 - `--keyid <id>`: GPG key ID (required for PGP type)
-#### `secret keys rm <key-id>`
+#### `secret unlockers rm <unlocker-id>`
-Removes an unlock key.
+Removes an unlocker.
-#### `secret key select <key-id>`
+#### `secret unlocker select <unlocker-id>`
-Selects an unlock key as the current default for operations.
+Selects an unlocker as the current default for operations.
 ### Import Operations
@@ -142,19 +159,32 @@ Decrypts data using an Age key stored as a secret.
 ~/.local/share/secret/
 ├── vaults.d/
 │   ├── default/
-│   │   ├── unlock.d/
+│   │   ├── unlockers.d/
-│   │   │   ├── passphrase/              # Passphrase unlock key
+│   │   │   ├── passphrase/              # Passphrase unlocker
-│   │   │   └── pgp/                     # PGP unlock key
+│   │   │   └── pgp/                     # PGP unlocker
 │   │   ├── secrets.d/
 │   │   │   ├── api%key/                 # Secret: api/key
 │   │   │   │   ├── versions/
 │   │   │   │   │   ├── 20231215.001/   # Version directory
 │   │   │   │   │   │   ├── pub.age     # Version public key
 │   │   │   │   │   │   ├── priv.age    # Version private key (encrypted)
 │   │   │   │   │   │   ├── value.age   # Encrypted value
 │   │   │   │   │   │   └── metadata.age # Encrypted metadata
 │   │   │   │   │   └── 20231216.001/   # Another version
 │   │   │   │   └── current -> versions/20231216.001
 │   │   │   └── database%password/       # Secret: database/password
-│   │   └── current-unlock-key -> ../unlock.d/passphrase
+│   │   │       ├── versions/
 │   │   │       └── current -> versions/20231215.001
 │   │   ├── vault-metadata.json          # Vault metadata
 │   │   ├── pub.age                      # Long-term public key
 │   │   └── current-unlocker -> ../unlockers.d/passphrase
 │   └── work/
-│       ├── unlock.d/
+│       ├── unlockers.d/
 │       ├── secrets.d/
-│       └── current-unlock-key
+│       ├── vault-metadata.json
-├── currentvault -> vaults.d/default
+│       ├── pub.age
-└── configuration.json
+│       └── current-unlocker
 └── currentvault -> vaults.d/default
 ```
 ### Key Management and Encryption Flow
@@ -162,22 +192,22 @@ Decrypts data using an Age key stored as a secret.
 #### Long-term Keys
 - **Source**: Derived from BIP39 mnemonic phrases using hierarchical deterministic (HD) key derivation
 - **Purpose**: Master keys for each vault, used to encrypt secret-specific keys
- **Storage**: Public key stored as `pub.age`, private key encrypted by unlock keys
+- **Storage**: Public key stored as `pub.age`, private key encrypted by unlockers
-#### Unlock Keys
+#### Unlockers
-Unlock keys provide different authentication methods to access the long-term keys:
+Unlockers provide different authentication methods to access the long-term keys:
-1. **Passphrase Keys**:
+1. **Passphrase Unlockers**:
   - Encrypted with user-provided passphrase
   - Stored as encrypted Age keys
   - Cross-platform compatible
-2. **PGP Keys**:
+2. **PGP Unlockers**:
   - Uses existing GPG key infrastructure
   - Leverages existing key management workflows
   - Strong authentication through GPG
-Each vault maintains its own set of unlock keys and one long-term key. The long-term key is encrypted to each unlock key, allowing any authorized unlock key to access vault secrets.
+Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
 #### Secret-specific Keys
 - Each secret has its own encryption key pair
@@ -189,7 +219,7 @@ Each vault maintains its own set of unlock keys and one long-term key. The long-
 - `SB_SECRET_STATE_DIR`: Custom state directory location
 - `SB_SECRET_MNEMONIC`: Pre-set mnemonic phrase (avoids interactive prompt)
 - `SB_UNLOCK_PASSPHRASE`: Pre-set unlock passphrase (avoids interactive prompt)
- `SB_GPG_KEY_ID`: GPG key ID for PGP unlock keys
+- `SB_GPG_KEY_ID`: GPG key ID for PGP unlockers
 ## Security Features
@@ -204,8 +234,10 @@ Each vault maintains its own set of unlock keys and one long-term key. The long-
 - Vault isolation prevents cross-contamination
 ### Forward Secrecy
- Per-secret encryption keys limit exposure if compromised
+- Per-version encryption keys limit exposure if compromised
- Long-term keys protected by multiple unlock key layers
+- Each version is independently encrypted
 - Long-term keys protected by multiple unlocker layers
 - Historical versions remain encrypted with their original keys
 ### Hardware Integration
 - Hardware token support via PGP/GPG integration
@@ -238,7 +270,7 @@ secret vault create personal
 # Work with work vault
 secret vault select work
 echo "work-db-pass" | secret add database/password
-secret keys add passphrase  # Add passphrase authentication
+secret unlockers add passphrase  # Add passphrase authentication
 # Switch to personal vault
 secret vault select personal
@@ -251,14 +283,14 @@ secret vault list
 ### Advanced Authentication
 ```bash
 # Add multiple unlock methods
-secret keys add passphrase              # Password-based
+secret unlockers add passphrase              # Password-based
-secret keys add pgp --keyid ABCD1234    # GPG key
+secret unlockers add pgp --keyid ABCD1234    # GPG key
-# List unlock keys
+# List unlockers
-secret keys list
+secret unlockers list
-# Select a specific unlock key
+# Select a specific unlocker
-secret key select <key-id>
+secret unlocker select <unlocker-id>
 ```
 ### Encryption/Decryption with Age Keys
@@ -280,11 +312,17 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 - **Encryption**: Age (X25519 + ChaCha20-Poly1305)
 - **Key Exchange**: X25519 elliptic curve Diffie-Hellman
 - **Authentication**: Poly1305 MAC
 - **Hashing**: Double SHA-256 for public key identification
 ### File Formats
 - **Age Files**: Standard Age encryption format (.age extension)
 - **Metadata**: JSON format with timestamps and type information
- **Configuration**: JSON configuration files
+- **Vault Metadata**: JSON containing vault name, creation time, derivation index, and public key hash
 ### Vault Management
 - **Derivation Index**: Each vault uses a unique derivation index from the mnemonic
 - **Public Key Hash**: Double SHA-256 hash of the index-0 public key identifies vaults from the same mnemonic
 - **Automatic Key Derivation**: When creating vaults with a mnemonic, keys are automatically derived
 ### Cross-Platform Support
 - **macOS**: Full support including Keychain integration
@@ -299,14 +337,14 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 - Supports hardware-backed authentication where available
 ### Best Practices
-1. Use strong, unique passphrases for unlock keys
+1. Use strong, unique passphrases for unlockers
 2. Enable hardware authentication (Keychain, hardware tokens) when available
-3. Regularly audit unlock keys and remove unused ones
+3. Regularly audit unlockers and remove unused ones
 4. Keep mnemonic phrases securely backed up offline
 5. Use separate vaults for different security contexts
 ### Limitations
- Requires access to unlock keys for secret retrieval
+- Requires access to unlockers for secret retrieval
 - Mnemonic phrases must be securely stored and backed up
 - Hardware features limited to supported platforms
@@ -322,13 +360,14 @@ make lint     # Run linter
 ### Testing
 The project includes comprehensive tests:
 ```bash
-./test_secret_manager.sh  # Full integration test suite
+make test     # Run all tests
-go test ./...             # Unit tests
+go test ./... # Unit tests
 go test -tags=integration -v ./internal/cli  # Integration tests
 ```
 ## Features
- **Multiple Authentication Methods**: Supports passphrase-based and PGP-based unlock keys
+- **Multiple Authentication Methods**: Supports passphrase-based and PGP-based unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
--- a/TODO.md
+++ b/TODO.md
@@ -1,196 +1,102 @@
 # TODO for 1.0 Release
-This document outlines the bugs, issues, and improvements that need to be addressed before the 1.0 release of the secret manager.
+This document outlines the bugs, issues, and improvements that need to be
 addressed before the 1.0 release of the secret manager. Items are
 prioritized from most critical (top) to least critical (bottom).
-## Critical (Blockers for Release)
+## Code Cleanups
-### Error Handling and User Experience
+* we shouldn't be passing around a statedir, it should be read from the
  environment or default.
- [ ] **1. Inappropriate Cobra usage printing**: Commands currently print usage information for all errors, including internal program failures. Usage should only be printed when the user provides incorrect arguments or invalid commands, not when the program encounters internal errors (like file system issues, crypto failures, etc.).
+## HIGH PRIORITY SECURITY ISSUES
- [ ] **2. Inconsistent error messages**: Error messages need standardization and should be user-friendly. Many errors currently expose internal implementation details.
+- [ ] **4. Application crashes on corrupted metadata**: Code panics instead
  of returning errors when metadata is corrupt, causing denial of service.
  Found in pgpunlocker.go:116 and keychainunlocker.go:141.
- [x] **3. Missing validation for vault names**: Vault names should be validated against a safe character set to prevent filesystem issues.
+- [ ] **5. Insufficient input validation**: Secret names allow potentially
  dangerous patterns including dots that could enable path traversal attacks
  (vault/secrets.go:70-93).
- [ ] **4. No graceful handling of corrupted state**: If key files are corrupted or missing, the tool should provide clear error messages and recovery suggestions.
+- [ ] **6. Race conditions in file operations**: Multiple concurrent
  operations could corrupt the vault state due to lack of file locking
  mechanisms.
-### Core Functionality Bugs
+- [ ] **7. Insecure temporary file handling**: Temporary files containing
  sensitive data may not be properly cleaned up or secured.
- [x] **5. Multiple vaults using the same mnemonic will derive the same long-term keys**: Adding additional vaults with the same mnemonic should increment the index value used. The mnemonic should be double sha256 hashed and the hash value stored in the vault metadata along with the index value (starting at zero) and when additional vaults are added with the same mnemonic (as determined by hash) then the index value should be incremented. The README should be updated to document this behavior.
+## HIGH PRIORITY FUNCTIONALITY ISSUES
- [x] **6. Directory structure inconsistency**: The README and test script reference different directory structures:
+- [ ] **8. Inappropriate Cobra usage printing**: Commands currently print
-  - Current code uses `unlock.d/` but documentation shows `unlock-keys.d/`
+  usage information for all errors, including internal program failures.
-  - Secret files use inconsistent naming (`secret.age` vs `value.age`)
+  Usage should only be printed when the user provides incorrect arguments or
  invalid commands.
- [x] **7. Symlink handling on non-Unix systems**: The symlink resolution in `resolveVaultSymlink()` may fail on Windows or in certain environments.
+- [ ] **9. Missing current unlock key initialization**: When creating
  vaults, no default unlock key is selected, which can cause operations to
  fail.
- [ ] **8. Missing current unlock key initialization**: When creating vaults, no default unlock key is selected, which can cause operations to fail.
+- [ ] **10. Add confirmation prompts for destructive operations**:
  Operations like `keys rm` and vault deletion should require confirmation.
- [ ] **9. Race conditions in file operations**: Multiple concurrent operations could corrupt the vault state due to lack of file locking.
+- [ ] **11. No secret deletion command**: Missing `secret rm <secret-name>`
  functionality.
-### Security Issues
+- [ ] **12. Missing vault deletion command**: No way to delete vaults that
  are no longer needed.
- [ ] **10. Insecure temporary file handling**: Temporary files containing sensitive data may not be properly cleaned up or secured.
+## MEDIUM PRIORITY ISSUES
- [ ] **11. Missing secure memory clearing**: Sensitive data in memory (passphrases, keys) should be cleared after use.
+- [ ] **13. Inconsistent error messages**: Error messages need
  standardization and should be user-friendly. Many errors currently expose
  internal implementation details.
- [x] **12. Weak default permissions**: Some files may be created with overly permissive default permissions.
+- [ ] **14. No graceful handling of corrupted state**: If key files are
  corrupted or missing, the tool should provide clear error messages and
  recovery suggestions.
-## Important (Should be fixed before release)
+- [ ] **15. No validation of GPG key existence**: Should verify the
  specified GPG key exists before creating PGP unlock keys.
-### User Interface Improvements
+- [ ] **16. Better separation of concerns**: Some functions in CLI do too
  much and should be split.
- [ ] **13. Add confirmation prompts for destructive operations**: Operations like `keys rm` and vault deletion should require confirmation.
+- [ ] **17. Environment variable security**: Sensitive data read from
  environment variables (SB_UNLOCK_PASSPHRASE, SB_SECRET_MNEMONIC) without
  proper clearing. Document security implications.
- [ ] **14. Improve progress indicators**: Long operations (key generation, encryption) should show progress.
+- [ ] **18. No secure memory allocation**: No use of mlock/munlock to
  prevent sensitive data from being swapped to disk.
- [x] **15. Better secret name validation**: Currently allows some characters that may cause issues, needs comprehensive validation.
+## LOWER PRIORITY ENHANCEMENTS
- [ ] **16. Add `--help` examples**: Command help should include practical examples for each operation.
+- [ ] **19. Add `--help` examples**: Command help should include practical examples for each operation.
-### Command Implementation Gaps
+- [ ] **20. Add shell completion**: Bash/Zsh completion for commands and secret names.
- [x] **17. `secret keys rm` not fully implemented**: Based on test output, this command may not be working correctly.
+- [ ] **21. Colored output**: Use colors to improve readability of lists and error messages.
- [x] **18. `secret key select` not fully implemented**: Key selection functionality appears incomplete.
+- [ ] **22. Add `--quiet` flag**: Option to suppress non-essential output.
- [ ] **19. Missing vault deletion command**: No way to delete vaults that are no longer needed.
+- [ ] **23. Smart secret name suggestions**: When a secret name is not found, suggest similar names.
- [ ] **20. No secret deletion command**: Missing `secret rm <secret-name>` functionality.
+- [ ] **24. Audit logging**: Log all secret access and modifications for security auditing.
- [ ] **21. Missing secret history/versioning**: No way to see previous versions of secrets or restore old values.
+- [ ] **25. Integration tests for hardware features**: Automated testing of Keychain and GPG functionality.
-### Configuration and Environment
+- [ ] **26. Consistent naming conventions**: Some variables and functions use inconsistent naming patterns.
- [ ] **22. Global configuration not fully implemented**: The `configuration.json` file structure exists but isn't used consistently.
+- [ ] **27. Export/import functionality**: Add ability to export/import entire vaults, not just individual secrets.
- [ ] **23. Missing environment variable validation**: Environment variables should be validated for format and security.
+- [ ] **28. Batch operations**: Add commands to process multiple secrets at once.
- [ ] **24. No configuration file validation**: JSON configuration files should be validated against schemas.
+- [ ] **29. Search functionality**: Add ability to search secret names and potentially contents.
-### PGP Integration Issues
+- [ ] **30. Secret metadata**: Add support for descriptions, tags, or other metadata with secrets.
- [x] **25. Incomplete PGP unlock key implementation**: The `--keyid` parameter processing may not be fully working.
+## COMPLETED ITEMS ✓
- [ ] **26. Missing GPG agent integration**: Should detect and use existing GPG agent when available.
+- [x] **Missing secret history/versioning**: ✓ Implemented - versioning system exists with --version flag support
-
+- [x] **XDG compliance on Linux**: ✓ Implemented - uses os.UserConfigDir() which respects XDG_CONFIG_HOME
- [ ] **27. No validation of GPG key existence**: Should verify the specified GPG key exists before creating PGP unlock keys.
+- [x] **Consistent interface implementation**: ✓ Implemented - Unlocker interface is well-defined and consistently implemented
 ### Cross-Platform Issues
 - [ ] **28. macOS Keychain error handling**: Better error messages when biometric authentication fails or isn't available.
 - [ ] **29. Windows path handling**: File paths may not work correctly on Windows systems.
 - [ ] **30. XDG compliance on Linux**: Should respect `XDG_CONFIG_HOME` and other XDG environment variables.
 ## Trivial (Nice to have)
 ### Code Quality
 - [ ] **31. Add more comprehensive unit tests**: Current test coverage could be improved, especially for error conditions.
 - [ ] **32. Reduce code duplication**: Several functions have similar patterns that could be refactored.
 - [ ] **33. Improve function documentation**: Many functions lack proper Go documentation comments.
 - [ ] **34. Add static analysis**: Integrate tools like `staticcheck`, `golangci-lint` with more linters.
 ### Performance Optimizations
 - [ ] **35. Cache unlock key operations**: Avoid re-reading unlock key metadata on every operation.
 - [ ] **36. Optimize file I/O**: Batch file operations where possible to reduce syscalls.
 - [ ] **37. Add connection pooling for HSM operations**: For hardware security module operations.
 ### User Experience Enhancements
 - [ ] **38. Add shell completion**: Bash/Zsh completion for commands and secret names.
 - [ ] **39. Colored output**: Use colors to improve readability of lists and error messages.
 - [ ] **40. Add `--quiet` flag**: Option to suppress non-essential output.
 - [ ] **41. Smart secret name suggestions**: When a secret name is not found, suggest similar names.
 ### Additional Features
 - [ ] **42. Secret templates**: Predefined templates for common secret types (database URLs, API keys, etc.).
 - [ ] **43. Bulk operations**: Import/export multiple secrets at once.
 - [ ] **44. Secret sharing**: Secure sharing of secrets between vaults or users.
 - [ ] **45. Audit logging**: Log all secret access and modifications.
 - [ ] **46. Integration tests for hardware features**: Automated testing of Keychain and GPG functionality.
 ### Documentation
 - [ ] **47. Man pages**: Generate and install proper Unix man pages.
 - [ ] **48. API documentation**: Document the internal API for potential library use.
 - [ ] **49. Migration guide**: Document how to migrate from other secret managers.
 - [ ] **50. Security audit documentation**: Document security assumptions and threat model.
 ## Architecture Improvements
 ### Code Structure
 - [ ] **51. Consistent interface implementation**: Ensure all unlock key types properly implement the UnlockKey interface.
 - [ ] **52. Better separation of concerns**: Some functions in CLI do too much and should be split.
 - [ ] **53. Improved error types**: Create specific error types instead of using generic `fmt.Errorf`.
 ### Testing Infrastructure
 - [x] **54. Mock filesystem consistency**: Ensure mock filesystem behavior matches real filesystem in all cases.
 - [x] **55. Integration test isolation**: Tests should not affect each other or the host system.
 - [ ] **56. Performance benchmarks**: Add benchmarks for crypto operations and file I/O.
 ## Technical Debt
 - [ ] **57. Remove unused code**: Clean up any dead code or unused imports.
 - [ ] **58. Standardize JSON schemas**: Create proper JSON schemas for all configuration files.
 - [ ] **59. Improve error propagation**: Many functions swallow important context in error messages.
 - [ ] **60. Consistent naming conventions**: Some variables and functions use inconsistent naming.
 ## Development Workflow
 - [ ] **61. Add pre-commit hooks**: Ensure code quality and formatting before commits.
 - [ ] **62. Continuous integration**: Set up CI/CD pipeline with automated testing.
 - [ ] **63. Release automation**: Automate the build and release process.
 - [ ] **64. Dependency management**: Regular updates and security scanning of dependencies.
 ---
 ## Priority Assessment
 **Critical items** (1-12) block the 1.0 release and must be fixed for basic functionality and security.
 **Important items** (13-30) should be addressed for a polished user experience but don't block the release.
 **Trivial items** (31-50) are enhancements that can be addressed in future releases.
 **Architecture and Infrastructure** (51-64) are longer-term improvements for maintainability and development workflow.
 ## Estimated Timeline
 - Critical (1-12): 2-3 weeks
 - Important (13-30): 3-4 weeks  
 - Trivial (31-50): Ongoing post-1.0
 - Architecture/Infrastructure (51-64): Ongoing post-1.0
 Total estimated time to 1.0: 5-7 weeks with focused development effort. 
--- a/cmd/secret/main.go
+++ b/cmd/secret/main.go
@@ -1,7 +1,8 @@
 // Package main is the entry point for the secret CLI application.
 package main
 import "git.eeqj.de/sneak/secret/internal/cli"
 func main() {
-	cli.CLIEntry()
+	cli.Entry()
 }
--- a/go.mod
+++ b/go.mod
@@ -4,38 +4,29 @@ go 1.24.1
 require (
 	filippo.io/age v1.2.1
 	github.com/awnumar/memguard v0.22.5
 	github.com/btcsuite/btcd v0.24.2
 	github.com/btcsuite/btcd/btcec/v2 v2.1.3
 	github.com/btcsuite/btcd/btcutil v1.1.6
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/spf13/afero v1.14.0
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.8.4
 	github.com/tyler-smith/go-bip39 v1.1.0
 	golang.org/x/crypto v0.38.0
 	golang.org/x/term v0.32.0
 )
 require (
-	github.com/StackExchange/wmi v1.2.1 // indirect
+	github.com/awnumar/memcall v0.2.0 // indirect
 	github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/facebookincubator/flog v0.0.0-20190930132826-d2511d0ce33c // indirect
 	github.com/facebookincubator/sks v0.0.0-20250508161834-9be892919529 // indirect
 	github.com/go-ole/go-ole v1.2.5 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/certificate-transparency-go v1.1.2 // indirect
 	github.com/google/certtostore v1.0.3-0.20230404221207-8d01647071cc // indirect
 	github.com/google/deck v0.0.0-20230104221208-105ad94aa8ae // indirect
 	github.com/google/go-attestation v0.5.1 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jgoguen/go-utils v0.0.0-20200211015258-b42ad41486fd // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -1,3 +1,4 @@
 // Package cli implements the command-line interface for the secret application.
 package cli
 import (
@@ -9,57 +10,61 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
 // Global scanner for consistent stdin reading
-var stdinScanner *bufio.Scanner
+var stdinScanner *bufio.Scanner //nolint:gochecknoglobals // Needed for consistent stdin handling
-// CLIInstance encapsulates all CLI functionality and state
+// Instance encapsulates all CLI functionality and state
-type CLIInstance struct {
+type Instance struct {
 	fs       afero.Fs
 	stateDir string
 	cmd      *cobra.Command
 }
 // NewCLIInstance creates a new CLI instance with the real filesystem
-func NewCLIInstance() *CLIInstance {
+func NewCLIInstance() *Instance {
 	fs := afero.NewOsFs()
 	stateDir := secret.DetermineStateDir("")
-	return &CLIInstance{
+
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
 	}
 }
 // NewCLIInstanceWithFs creates a new CLI instance with the given filesystem (for testing)
-func NewCLIInstanceWithFs(fs afero.Fs) *CLIInstance {
+func NewCLIInstanceWithFs(fs afero.Fs) *Instance {
 	stateDir := secret.DetermineStateDir("")
-	return &CLIInstance{
+
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
 	}
 }
 // NewCLIInstanceWithStateDir creates a new CLI instance with custom state directory (for testing)
-func NewCLIInstanceWithStateDir(fs afero.Fs, stateDir string) *CLIInstance {
+func NewCLIInstanceWithStateDir(fs afero.Fs, stateDir string) *Instance {
-	return &CLIInstance{
+	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
 	}
 }
 // SetFilesystem sets the filesystem for this CLI instance (for testing)
-func (cli *CLIInstance) SetFilesystem(fs afero.Fs) {
+func (cli *Instance) SetFilesystem(fs afero.Fs) {
 	cli.fs = fs
 }
 // SetStateDir sets the state directory for this CLI instance (for testing)
-func (cli *CLIInstance) SetStateDir(stateDir string) {
+func (cli *Instance) SetStateDir(stateDir string) {
 	cli.stateDir = stateDir
 }
 // GetStateDir returns the state directory for this CLI instance
-func (cli *CLIInstance) GetStateDir() string {
+func (cli *Instance) GetStateDir() string {
 	return cli.stateDir
 }
@@ -68,6 +73,7 @@ func getStdinScanner() *bufio.Scanner {
 	if stdinScanner == nil {
 		stdinScanner = bufio.NewScanner(os.Stdin)
 	}
 	return stdinScanner
 }
@@ -75,7 +81,7 @@ func getStdinScanner() *bufio.Scanner {
 // Uses a shared scanner to avoid buffering issues between multiple calls
 func readLineFromStdin(prompt string) (string, error) {
 	// Check if stderr is a terminal - if not, we can't prompt interactively
-	if !term.IsTerminal(int(syscall.Stderr)) {
+	if !term.IsTerminal(syscall.Stderr) {
 		return "", fmt.Errorf("cannot prompt for input: stderr is not a terminal (running in non-interactive mode)")
 	}
@@ -85,7 +91,9 @@ func readLineFromStdin(prompt string) (string, error) {
 		if err := scanner.Err(); err != nil {
 			return "", fmt.Errorf("failed to read from stdin: %w", err)
 		}
 		return "", fmt.Errorf("failed to read from stdin: EOF")
 	}
 	return strings.TrimSpace(scanner.Text()), nil
 }
--- a/internal/cli/cli_test.go
+++ b/internal/cli/cli_test.go
@@ -37,19 +37,9 @@ func TestCLIInstanceWithFs(t *testing.T) {
 func TestDetermineStateDir(t *testing.T) {
 	// Test the determineStateDir function from the secret package
 	// Save original environment and restore it after test
 	originalStateDir := os.Getenv(secret.EnvStateDir)
 	defer func() {
 		if originalStateDir == "" {
 			os.Unsetenv(secret.EnvStateDir)
 		} else {
 			os.Setenv(secret.EnvStateDir, originalStateDir)
 		}
 	}()
 	// Test with environment variable set
 	testEnvDir := "/test-env-dir"
-	os.Setenv(secret.EnvStateDir, testEnvDir)
+	t.Setenv(secret.EnvStateDir, testEnvDir)
 	stateDir := secret.DetermineStateDir("")
 	if stateDir != testEnvDir {
@@ -57,7 +47,7 @@ func TestDetermineStateDir(t *testing.T) {
 	}
 	// Test with custom config dir
-	os.Unsetenv(secret.EnvStateDir)
+	_ = os.Unsetenv(secret.EnvStateDir)
 	customConfigDir := "/custom-config"
 	stateDir = secret.DetermineStateDir(customConfigDir)
 	expectedDir := filepath.Join(customConfigDir, secret.AppID)
--- a/internal/cli/crypto.go
+++ b/internal/cli/crypto.go
@@ -8,6 +8,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 )
@@ -22,12 +23,15 @@ func newEncryptCmd() *cobra.Command {
 			outputFile, _ := cmd.Flags().GetString("output")
 			cli := NewCLIInstance()
 			cli.cmd = cmd
 			return cli.Encrypt(args[0], inputFile, outputFile)
 		},
 	}
 	cmd.Flags().StringP("input", "i", "", "Input file (default: stdin)")
 	cmd.Flags().StringP("output", "o", "", "Output file (default: stdout)")
 	return cmd
 }
@@ -42,17 +46,20 @@ func newDecryptCmd() *cobra.Command {
 			outputFile, _ := cmd.Flags().GetString("output")
 			cli := NewCLIInstance()
 			cli.cmd = cmd
 			return cli.Decrypt(args[0], inputFile, outputFile)
 		},
 	}
 	cmd.Flags().StringP("input", "i", "", "Input file (default: stdin)")
 	cmd.Flags().StringP("output", "o", "", "Output file (default: stdout)")
 	return cmd
 }
 // Encrypt encrypts data using an age secret key stored in a secret
-func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error {
+func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -68,46 +75,54 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
-	if exists {
+	if !exists { //nolint:nestif // Clear conditional logic for secret generation vs retrieval
 		// Secret exists, get the age secret key from it
 		var secretValue []byte
 		if os.Getenv(secret.EnvMnemonic) != "" {
 			secretValue, err = secretObj.GetValue(nil)
 		} else {
 			unlockKey, unlockErr := vlt.GetCurrentUnlockKey()
 			if unlockErr != nil {
 				return fmt.Errorf("failed to get current unlock key: %w", unlockErr)
 			}
 			secretValue, err = secretObj.GetValue(unlockKey)
 		}
 		if err != nil {
 			return fmt.Errorf("failed to get secret value: %w", err)
 		}
 		ageSecretKey = string(secretValue)
 		// Validate that it's a valid age secret key
 		if !isValidAgeSecretKey(ageSecretKey) {
 			return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 		}
 	} else {
 		// Secret doesn't exist, generate new age key and store it
 		identity, err := age.GenerateX25519Identity()
 		if err != nil {
 			return fmt.Errorf("failed to generate age key: %w", err)
 		}
-		ageSecretKey = identity.String()
+		// Store the generated key directly in a secure buffer
 		identityStr := identity.String()
 		secureBuffer := memguard.NewBufferFromBytes([]byte(identityStr))
 		defer secureBuffer.Destroy()
-		// Store the generated key as a secret
+		// Set ageSecretKey for later use (we need it for encryption)
-		err = vlt.AddSecret(secretName, []byte(ageSecretKey), false)
+		ageSecretKey = identityStr
 		err = vlt.AddSecret(secretName, secureBuffer, false)
 		if err != nil {
 			return fmt.Errorf("failed to store age key: %w", err)
 		}
 	} else {
 		// Secret exists, get the age secret key from it
 		secretValue, err := cli.getSecretValue(vlt, secretObj)
 		if err != nil {
 			return fmt.Errorf("failed to get secret value: %w", err)
 		}
 		// Create secure buffer for the secret value
 		secureBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secureBuffer.Destroy()
 		// Clear the original secret value
 		for i := range secretValue {
 			secretValue[i] = 0
 		}
 		ageSecretKey = secureBuffer.String()
 		// Validate that it's a valid age secret key
 		if !isValidAgeSecretKey(ageSecretKey) {
 			return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 		}
 	}
-	// Parse the secret key
+	// Parse the secret key using secure buffer
-	identity, err := age.ParseX25519Identity(ageSecretKey)
+	finalSecureBuffer := memguard.NewBufferFromBytes([]byte(ageSecretKey))
 	defer finalSecureBuffer.Destroy()
 	identity, err := age.ParseX25519Identity(finalSecureBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse age secret key: %w", err)
 	}
@@ -122,18 +137,18 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 		if err != nil {
 			return fmt.Errorf("failed to open input file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		input = file
 	}
 	// Set up output writer
-	var output io.Writer = os.Stdout
+	output := cli.cmd.OutOrStdout()
 	if outputFile != "" {
 		file, err := cli.fs.Create(outputFile)
 		if err != nil {
 			return fmt.Errorf("failed to create output file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		output = file
 	}
@@ -155,7 +170,7 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 }
 // Decrypt decrypts data using an age secret key stored in a secret
-func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error {
+func (cli *Instance) Decrypt(secretName, inputFile, outputFile string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -178,25 +193,32 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 	if os.Getenv(secret.EnvMnemonic) != "" {
 		secretValue, err = secretObj.GetValue(nil)
 	} else {
-		unlockKey, unlockErr := vlt.GetCurrentUnlockKey()
+		unlocker, unlockErr := vlt.GetCurrentUnlocker()
 		if unlockErr != nil {
-			return fmt.Errorf("failed to get current unlock key: %w", unlockErr)
+			return fmt.Errorf("failed to get current unlocker: %w", unlockErr)
 		}
-		secretValue, err = secretObj.GetValue(unlockKey)
+		secretValue, err = secretObj.GetValue(unlocker)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to get secret value: %w", err)
 	}
-	ageSecretKey := string(secretValue)
+	// Create secure buffer for the secret value
 	secureBuffer := memguard.NewBufferFromBytes(secretValue)
 	defer secureBuffer.Destroy()
 	// Clear the original secret value
 	for i := range secretValue {
 		secretValue[i] = 0
 	}
 	// Validate that it's a valid age secret key
-	if !isValidAgeSecretKey(ageSecretKey) {
+	if !isValidAgeSecretKey(secureBuffer.String()) {
 		return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 	}
 	// Parse the age secret key to get the identity
-	identity, err := age.ParseX25519Identity(ageSecretKey)
+	identity, err := age.ParseX25519Identity(secureBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse age secret key: %w", err)
 	}
@@ -208,18 +230,18 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 		if err != nil {
 			return fmt.Errorf("failed to open input file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		input = file
 	}
 	// Set up output writer
-	var output io.Writer = os.Stdout
+	output := cli.cmd.OutOrStdout()
 	if outputFile != "" {
 		file, err := cli.fs.Create(outputFile)
 		if err != nil {
 			return fmt.Errorf("failed to create output file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		output = file
 	}
@@ -239,5 +261,20 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 // isValidAgeSecretKey checks if a string is a valid age secret key by attempting to parse it
 func isValidAgeSecretKey(key string) bool {
 	_, err := age.ParseX25519Identity(key)
 	return err == nil
 }
 // getSecretValue retrieves the value of a secret using the appropriate unlocker
 func (cli *Instance) getSecretValue(vlt *vault.Vault, secretObj *secret.Secret) ([]byte, error) {
 	if os.Getenv(secret.EnvMnemonic) != "" {
 		return secretObj.GetValue(nil)
 	}
 	unlocker, err := vlt.GetCurrentUnlocker()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
 	return secretObj.GetValue(unlocker)
 }
--- a/internal/cli/generate.go
+++ b/internal/cli/generate.go
@@ -6,11 +6,17 @@ import (
 	"math/big"
 	"os"
-	"git.eeqj.de/sneak/secret/internal/secret"
+	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
 const (
 	defaultSecretLength = 16
 	mnemonicEntropyBits = 128
 )
 func newGenerateCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "generate",
@@ -28,10 +34,13 @@ func newGenerateMnemonicCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "mnemonic",
 		Short: "Generate a random BIP39 mnemonic phrase",
-		Long:  `Generate a cryptographically secure random BIP39 mnemonic phrase that can be used with 'secret init' or 'secret import'.`,
+		Long: `Generate a cryptographically secure random BIP39 ` +
-		RunE: func(cmd *cobra.Command, args []string) error {
+			`mnemonic phrase that can be used with 'secret init' ` +
 			`or 'secret import'.`,
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			cli := NewCLIInstance()
-			return cli.GenerateMnemonic()
+
 			return cli.GenerateMnemonic(cmd)
 		},
 	}
 }
@@ -48,11 +57,12 @@ func newGenerateSecretCmd() *cobra.Command {
 			force, _ := cmd.Flags().GetBool("force")
 			cli := NewCLIInstance()
-			return cli.GenerateSecret(args[0], length, secretType, force)
+
 			return cli.GenerateSecret(cmd, args[0], length, secretType, force)
 		},
 	}
-	cmd.Flags().IntP("length", "l", 16, "Length of the generated secret (default 16)")
+	cmd.Flags().IntP("length", "l", defaultSecretLength, "Length of the generated secret (default 16)")
 	cmd.Flags().StringP("type", "t", "base58", "Type of secret to generate (base58, alnum)")
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
@@ -60,9 +70,9 @@ func newGenerateSecretCmd() *cobra.Command {
 }
 // GenerateMnemonic generates a random BIP39 mnemonic phrase
-func (cli *CLIInstance) GenerateMnemonic() error {
+func (cli *Instance) GenerateMnemonic(cmd *cobra.Command) error {
 	// Generate 128 bits of entropy for a 12-word mnemonic
-	entropy, err := bip39.NewEntropy(128)
+	entropy, err := bip39.NewEntropy(mnemonicEntropyBits)
 	if err != nil {
 		return fmt.Errorf("failed to generate entropy: %w", err)
 	}
@@ -74,7 +84,7 @@ func (cli *CLIInstance) GenerateMnemonic() error {
 	}
 	// Output mnemonic to stdout
-	fmt.Println(mnemonic)
+	cmd.Println(mnemonic)
 	// Output helpful information to stderr
 	fmt.Fprintln(os.Stderr, "")
@@ -92,7 +102,13 @@ func (cli *CLIInstance) GenerateMnemonic() error {
 }
 // GenerateSecret generates a random secret and stores it in the vault
-func (cli *CLIInstance) GenerateSecret(secretName string, length int, secretType string, force bool) error {
+func (cli *Instance) GenerateSecret(
 	cmd *cobra.Command,
 	secretName string,
 	length int,
 	secretType string,
 	force bool,
 ) error {
 	if length < 1 {
 		return fmt.Errorf("length must be at least 1")
 	}
@@ -116,28 +132,35 @@ func (cli *CLIInstance) GenerateSecret(secretName string, length int, secretType
 	}
 	// Store the secret in the vault
-	vault, err := secret.GetCurrentVault(cli.fs, cli.stateDir)
+	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	if err := vault.AddSecret(secretName, []byte(secretValue), force); err != nil {
+	// Protect the generated secret immediately
 	secretBuffer := memguard.NewBufferFromBytes([]byte(secretValue))
 	defer secretBuffer.Destroy()
 	if err := vlt.AddSecret(secretName, secretBuffer, force); err != nil {
 		return err
 	}
-	fmt.Printf("Generated and stored %d-character %s secret: %s\n", length, secretType, secretName)
+	cmd.Printf("Generated and stored %d-character %s secret: %s\n", length, secretType, secretName)
 	return nil
 }
 // generateRandomBase58 generates a random base58 string of the specified length
 func generateRandomBase58(length int) (string, error) {
 	const base58Chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
 	return generateRandomString(length, base58Chars)
 }
 // generateRandomAlnum generates a random alphanumeric string of the specified length
 func generateRandomAlnum(length int) (string, error) {
 	const alnumChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 	return generateRandomString(length, alnumChars)
 }
@@ -150,7 +173,7 @@ func generateRandomString(length int, charset string) (string, error) {
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
-	for i := 0; i < length; i++ {
+	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@@ -6,31 +6,36 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
-func newInitCmd() *cobra.Command {
+// NewInitCmd creates the init command
 func NewInitCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "init",
 		Short: "Initialize the secrets manager",
 		Long:  `Create the necessary directory structure for storing secrets and generate encryption keys.`,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE:  RunInit,
 			cli := NewCLIInstance()
 			return cli.Init(cmd)
 		},
 	}
 }
-// Init initializes the secrets manager
+// RunInit is the exported function that handles the init command
-func (cli *CLIInstance) Init(cmd *cobra.Command) error {
+func RunInit(cmd *cobra.Command, _ []string) error {
 	cli := NewCLIInstance()
 	return cli.Init(cmd)
 }
 // Init initializes the secret manager
 func (cli *Instance) Init(cmd *cobra.Command) error {
 	secret.Debug("Starting secret manager initialization")
 	// Create state directory
@@ -39,6 +44,7 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	if err := cli.fs.MkdirAll(stateDir, secret.DirPerms); err != nil {
 		secret.Debug("Failed to create state directory", "error", err)
 		return fmt.Errorf("failed to create state directory: %w", err)
 	}
@@ -59,12 +65,14 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
 		if err != nil {
 			secret.Debug("Failed to read mnemonic from stdin", "error", err)
 			return fmt.Errorf("failed to read mnemonic: %w", err)
 		}
 	}
 	if mnemonicStr == "" {
 		secret.Debug("Empty mnemonic provided")
 		return fmt.Errorf("mnemonic cannot be empty")
 	}
@@ -72,154 +80,142 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	secret.DebugWith("Validating BIP39 mnemonic", slog.Int("word_count", len(strings.Fields(mnemonicStr))))
 	if !bip39.IsMnemonicValid(mnemonicStr) {
 		secret.Debug("Invalid BIP39 mnemonic provided")
 		return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
 	}
-	// Calculate mnemonic hash for index tracking
+	// Set mnemonic in environment for CreateVault to use
-	mnemonicHash := vault.ComputeDoubleSHA256([]byte(mnemonicStr))
+	originalMnemonic := os.Getenv(secret.EnvMnemonic)
-	secret.DebugWith("Calculated mnemonic hash", slog.String("hash", mnemonicHash))
+	_ = os.Setenv(secret.EnvMnemonic, mnemonicStr)
 	defer func() {
 		if originalMnemonic != "" {
 			_ = os.Setenv(secret.EnvMnemonic, originalMnemonic)
 		} else {
 			_ = os.Unsetenv(secret.EnvMnemonic)
 		}
 	}()
-	// Get the next available derivation index for this mnemonic
+	// Create the default vault - it will handle key derivation internally
 	derivationIndex, err := vault.GetNextDerivationIndex(cli.fs, cli.stateDir, mnemonicHash)
 	if err != nil {
 		secret.Debug("Failed to get next derivation index", "error", err)
 		return fmt.Errorf("failed to get next derivation index: %w", err)
 	}
 	secret.DebugWith("Using derivation index", slog.Uint64("index", uint64(derivationIndex)))
 	// Derive long-term keypair from mnemonic with the appropriate index
 	secret.DebugWith("Deriving long-term key from mnemonic", slog.Uint64("index", uint64(derivationIndex)))
 	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, derivationIndex)
 	if err != nil {
 		secret.Debug("Failed to derive long-term key", "error", err)
 		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 	}
 	// Calculate the long-term key hash
 	ltKeyHash := vault.ComputeDoubleSHA256([]byte(ltIdentity.String()))
 	secret.DebugWith("Calculated long-term key hash", slog.String("hash", ltKeyHash))
 	// Create the default vault
 	secret.Debug("Creating default vault")
 	vlt, err := vault.CreateVault(cli.fs, cli.stateDir, "default")
 	if err != nil {
 		secret.Debug("Failed to create default vault", "error", err)
 		return fmt.Errorf("failed to create default vault: %w", err)
 	}
-	// Set as current vault
+	// Get the vault metadata to retrieve the derivation index
 	secret.Debug("Setting default vault as current")
 	if err := vault.SelectVault(cli.fs, cli.stateDir, "default"); err != nil {
 		secret.Debug("Failed to select default vault", "error", err)
 		return fmt.Errorf("failed to select default vault: %w", err)
 	}
 	// Store long-term public key in vault
 	vaultDir := filepath.Join(stateDir, "vaults.d", "default")
-	ltPubKey := ltIdentity.Recipient().String()
+	metadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
-	secret.DebugWith("Storing long-term public key", slog.String("pubkey", ltPubKey), slog.String("vault_dir", vaultDir))
+	if err != nil {
-	if err := afero.WriteFile(cli.fs, filepath.Join(vaultDir, "pub.age"), []byte(ltPubKey), secret.FilePerms); err != nil {
+		secret.Debug("Failed to load vault metadata", "error", err)
-		secret.Debug("Failed to write long-term public key", "error", err)
+
-		return fmt.Errorf("failed to write long-term public key: %w", err)
+		return fmt.Errorf("failed to load vault metadata: %w", err)
 	}
-	// Save vault metadata
+	// Derive the long-term key using the same index that CreateVault used
-	metadata := &vault.VaultMetadata{
+	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, metadata.DerivationIndex)
-		Name:            "default",
+	if err != nil {
-		CreatedAt:       time.Now(),
+		secret.Debug("Failed to derive long-term key", "error", err)
-		DerivationIndex: derivationIndex,
+
-		LongTermKeyHash: ltKeyHash,
+		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		MnemonicHash:    mnemonicHash,
 	}
-	if err := vault.SaveVaultMetadata(cli.fs, vaultDir, metadata); err != nil {
+	ltPubKey := ltIdentity.Recipient().String()
 		secret.Debug("Failed to save vault metadata", "error", err)
 		return fmt.Errorf("failed to save vault metadata: %w", err)
 	}
 	secret.Debug("Saved vault metadata with derivation index and key hash")
 	// Unlock the vault with the derived long-term key
 	vlt.Unlock(ltIdentity)
-	// Prompt for passphrase for unlock key
+	// Prompt for passphrase for unlocker
-	var passphraseStr string
+	var passphraseBuffer *memguard.LockedBuffer
 	if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
 		secret.Debug("Using unlock passphrase from environment variable")
-		passphraseStr = envPassphrase
+		passphraseBuffer = memguard.NewBufferFromBytes([]byte(envPassphrase))
 	} else {
 		secret.Debug("Prompting user for unlock passphrase")
 		// Use secure passphrase input with confirmation
-		passphraseStr, err = readSecurePassphrase("Enter passphrase for unlock key: ")
+		passphraseBuffer, err = readSecurePassphrase("Enter passphrase for unlocker: ")
 		if err != nil {
 			secret.Debug("Failed to read unlock passphrase", "error", err)
 			return fmt.Errorf("failed to read passphrase: %w", err)
 		}
 	}
 	defer passphraseBuffer.Destroy()
-	// Create passphrase-protected unlock key
+	// Create passphrase-protected unlocker
-	secret.Debug("Creating passphrase-protected unlock key")
+	secret.Debug("Creating passphrase-protected unlocker")
-	passphraseKey, err := vlt.CreatePassphraseKey(passphraseStr)
+	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
-		secret.Debug("Failed to create unlock key", "error", err)
+		secret.Debug("Failed to create unlocker", "error", err)
-		return fmt.Errorf("failed to create unlock key: %w", err)
+
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
-	// Encrypt long-term private key to the unlock key
+	// Encrypt long-term private key to the unlocker
-	unlockKeyDir := passphraseKey.GetDirectory()
+	unlockerDir := passphraseUnlocker.GetDirectory()
-	// Read unlock key public key
+	// Read unlocker public key
-	unlockPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockKeyDir, "pub.age"))
+	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
 	if err != nil {
-		return fmt.Errorf("failed to read unlock key public key: %w", err)
+		return fmt.Errorf("failed to read unlocker public key: %w", err)
 	}
-	unlockRecipient, err := age.ParseX25519Recipient(string(unlockPubKeyData))
+	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
 	if err != nil {
-		return fmt.Errorf("failed to parse unlock key public key: %w", err)
+		return fmt.Errorf("failed to parse unlocker public key: %w", err)
 	}
-	// Encrypt long-term private key to unlock key
+	// Encrypt long-term private key to unlocker
-	ltPrivKeyData := []byte(ltIdentity.String())
+	// Use memguard to protect the private key in memory
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockRecipient)
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
 	defer ltPrivKeyBuffer.Destroy()
 	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}
 	// Write encrypted long-term private key
-	if err := afero.WriteFile(cli.fs, filepath.Join(unlockKeyDir, "longterm.age"), encryptedLtPrivKey, secret.FilePerms); err != nil {
+	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")
 		cmd.Printf("Long-term public key: %s\n", ltPubKey)
-		cmd.Printf("Unlock key ID: %s\n", passphraseKey.GetID())
+		cmd.Printf("Unlocker ID: %s\n", passphraseUnlocker.GetID())
 		cmd.Println("\nYour secret manager is ready to use!")
 		cmd.Println("Note: When using SB_SECRET_MNEMONIC environment variable,")
-		cmd.Println("unlock keys are not required for secret operations.")
+		cmd.Println("unlockers are not required for secret operations.")
 	}
 	return nil
 }
 // readSecurePassphrase reads a passphrase securely from the terminal without echoing
-// This version adds confirmation (read twice) for creating new unlock keys
+// This version adds confirmation (read twice) for creating new unlockers
-func readSecurePassphrase(prompt string) (string, error) {
+// Returns a LockedBuffer containing the passphrase
 func readSecurePassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	// Get the first passphrase
-	passphrase1, err := secret.ReadPassphrase(prompt)
+	passphraseBuffer1, err := secret.ReadPassphrase(prompt)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	defer passphraseBuffer1.Destroy()
 	// Read confirmation passphrase
-	passphrase2, err := secret.ReadPassphrase("Confirm passphrase: ")
+	passphraseBuffer2, err := secret.ReadPassphrase("Confirm passphrase: ")
 	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase confirmation: %w", err)
+		return nil, fmt.Errorf("failed to read passphrase confirmation: %w", err)
 	}
 	defer passphraseBuffer2.Destroy()
 	// Compare passphrases
-	if passphrase1 != passphrase2 {
+	if passphraseBuffer1.String() != passphraseBuffer2.String() {
-		return "", fmt.Errorf("passphrases do not match")
+		return nil, fmt.Errorf("passphrases do not match")
 	}
-	return passphrase1, nil
+	// Create a new buffer with the confirmed passphrase
 	return memguard.NewBufferFromBytes(passphraseBuffer1.Bytes()), nil
 }
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
--- a/internal/cli/keys.go
+++ b/internal/cli/keys.go
@@ -1,328 +0,0 @@
 package cli
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 // Import from init.go
 // ... existing imports ...
 func newKeysCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "keys",
 		Short: "Manage unlock keys",
 		Long:  `Create, list, and remove unlock keys for the current vault.`,
 	}
 	cmd.AddCommand(newKeysListCmd())
 	cmd.AddCommand(newKeysAddCmd())
 	cmd.AddCommand(newKeysRmCmd())
 	return cmd
 }
 func newKeysListCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "list",
 		Short: "List unlock keys in the current vault",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 			cli := NewCLIInstance()
 			return cli.KeysList(jsonOutput)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
 func newKeysAddCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "add <type>",
 		Short: "Add a new unlock key",
 		Long:  `Add a new unlock key of the specified type (passphrase, keychain, pgp).`,
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.KeysAdd(args[0], cmd)
 		},
 	}
 	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlock keys")
 	return cmd
 }
 func newKeysRmCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "rm <key-id>",
 		Short: "Remove an unlock key",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.KeysRemove(args[0])
 		},
 	}
 }
 func newKeyCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "key",
 		Short: "Manage current unlock key",
 		Long:  `Select the current unlock key for operations.`,
 	}
 	cmd.AddCommand(newKeySelectSubCmd())
 	return cmd
 }
 func newKeySelectSubCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "select <key-id>",
 		Short: "Select an unlock key as current",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.KeySelect(args[0])
 		},
 	}
 }
 // KeysList lists unlock keys in the current vault
 func (cli *CLIInstance) KeysList(jsonOutput bool) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	// Get the metadata first
 	keyMetadataList, err := vlt.ListUnlockKeys()
 	if err != nil {
 		return err
 	}
 	// Load actual unlock key objects to get the proper IDs
 	type KeyInfo struct {
 		ID        string    `json:"id"`
 		Type      string    `json:"type"`
 		CreatedAt time.Time `json:"created_at"`
 		Flags     []string  `json:"flags,omitempty"`
 	}
 	var keys []KeyInfo
 	for _, metadata := range keyMetadataList {
 		// Create unlock key instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			continue
 		}
 		// Find the key directory by type and created time
 		unlockKeysDir := filepath.Join(vaultDir, "unlock.d")
 		files, err := afero.ReadDir(cli.fs, unlockKeysDir)
 		if err != nil {
 			continue
 		}
 		var unlockKey secret.UnlockKey
 		for _, file := range files {
 			if !file.IsDir() {
 				continue
 			}
 			keyDir := filepath.Join(unlockKeysDir, file.Name())
 			metadataPath := filepath.Join(keyDir, "unlock-metadata.json")
 			// Check if this is the right key by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
 				continue
 			}
 			var diskMetadata secret.UnlockKeyMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 				continue
 			}
 			// Match by type and creation time
 			if diskMetadata.Type == metadata.Type && diskMetadata.CreatedAt.Equal(metadata.CreatedAt) {
 				// Create the appropriate unlock key instance
 				switch metadata.Type {
 				case "passphrase":
 					unlockKey = secret.NewPassphraseUnlockKey(cli.fs, keyDir, diskMetadata)
 				case "keychain":
 					unlockKey = secret.NewKeychainUnlockKey(cli.fs, keyDir, diskMetadata)
 				case "pgp":
 					unlockKey = secret.NewPGPUnlockKey(cli.fs, keyDir, diskMetadata)
 				}
 				break
 			}
 		}
 		// Get the proper ID using the unlock key's ID() method
 		var properID string
 		if unlockKey != nil {
 			properID = unlockKey.GetID()
 		} else {
 			properID = metadata.ID // fallback to metadata ID
 		}
 		keyInfo := KeyInfo{
 			ID:        properID,
 			Type:      metadata.Type,
 			CreatedAt: metadata.CreatedAt,
 			Flags:     metadata.Flags,
 		}
 		keys = append(keys, keyInfo)
 	}
 	if jsonOutput {
 		// JSON output
 		output := map[string]interface{}{
 			"keys": keys,
 		}
 		jsonBytes, err := json.MarshalIndent(output, "", "  ")
 		if err != nil {
 			return fmt.Errorf("failed to marshal JSON: %w", err)
 		}
 		fmt.Println(string(jsonBytes))
 	} else {
 		// Pretty table output
 		if len(keys) == 0 {
 			fmt.Println("No unlock keys found in current vault.")
 			fmt.Println("Run 'secret keys add passphrase' to create one.")
 			return nil
 		}
 		fmt.Printf("%-18s %-12s %-20s %s\n", "KEY ID", "TYPE", "CREATED", "FLAGS")
 		fmt.Printf("%-18s %-12s %-20s %s\n", "------", "----", "-------", "-----")
 		for _, key := range keys {
 			flags := ""
 			if len(key.Flags) > 0 {
 				flags = strings.Join(key.Flags, ",")
 			}
 			fmt.Printf("%-18s %-12s %-20s %s\n",
 				key.ID,
 				key.Type,
 				key.CreatedAt.Format("2006-01-02 15:04:05"),
 				flags)
 		}
 		fmt.Printf("\nTotal: %d unlock key(s)\n", len(keys))
 	}
 	return nil
 }
 // KeysAdd adds a new unlock key
 func (cli *CLIInstance) KeysAdd(keyType string, cmd *cobra.Command) error {
 	switch keyType {
 	case "passphrase":
 		// Get current vault
 		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to get current vault: %w", err)
 		}
 		// Try to unlock the vault if not already unlocked
 		if vlt.Locked() {
 			_, err := vlt.UnlockVault()
 			if err != nil {
 				return fmt.Errorf("failed to unlock vault: %w", err)
 			}
 		}
 		// Check if passphrase is set in environment variable
 		var passphraseStr string
 		if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
 			passphraseStr = envPassphrase
 		} else {
 			// Use secure passphrase input with confirmation
 			passphraseStr, err = readSecurePassphrase("Enter passphrase for unlock key: ")
 			if err != nil {
 				return fmt.Errorf("failed to read passphrase: %w", err)
 			}
 		}
 		passphraseKey, err := vlt.CreatePassphraseKey(passphraseStr)
 		if err != nil {
 			return err
 		}
 		cmd.Printf("Created passphrase unlock key: %s\n", passphraseKey.GetID())
 		return nil
 	case "keychain":
 		keychainKey, err := secret.CreateKeychainUnlockKey(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to create macOS Keychain unlock key: %w", err)
 		}
 		cmd.Printf("Created macOS Keychain unlock key: %s\n", keychainKey.GetID())
 		if keyName, err := keychainKey.GetKeychainItemName(); err == nil {
 			cmd.Printf("Keychain Item Name: %s\n", keyName)
 		}
 		return nil
 	case "pgp":
 		// Get GPG key ID from flag or environment variable
 		var gpgKeyID string
 		if flagKeyID, _ := cmd.Flags().GetString("keyid"); flagKeyID != "" {
 			gpgKeyID = flagKeyID
 		} else if envKeyID := os.Getenv(secret.EnvGPGKeyID); envKeyID != "" {
 			gpgKeyID = envKeyID
 		} else {
 			return fmt.Errorf("GPG key ID required: use --keyid flag or set SB_GPG_KEY_ID environment variable")
 		}
 		pgpKey, err := secret.CreatePGPUnlockKey(cli.fs, cli.stateDir, gpgKeyID)
 		if err != nil {
 			return err
 		}
 		cmd.Printf("Created PGP unlock key: %s\n", pgpKey.GetID())
 		cmd.Printf("GPG Key ID: %s\n", gpgKeyID)
 		return nil
 	default:
 		return fmt.Errorf("unsupported key type: %s (supported: passphrase, keychain, pgp)", keyType)
 	}
 }
 // KeysRemove removes an unlock key
 func (cli *CLIInstance) KeysRemove(keyID string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	return vlt.RemoveUnlockKey(keyID)
 }
 // KeySelect selects an unlock key as current
 func (cli *CLIInstance) KeySelect(keyID string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	return vlt.SelectUnlockKey(keyID)
 }
--- a/internal/cli/root.go
+++ b/internal/cli/root.go
@@ -7,9 +7,8 @@ import (
 	"github.com/spf13/cobra"
 )
-// CLIEntry is the entry point for the secret CLI application
+// Entry is the entry point for the secret CLI application
-func CLIEntry() {
+func Entry() {
 	secret.Debug("CLIEntry starting - debug output is working")
 	cmd := newRootCmd()
 	if err := cmd.Execute(); err != nil {
 		os.Exit(1)
@@ -29,18 +28,20 @@ func newRootCmd() *cobra.Command {
 	secret.Debug("Adding subcommands to root command")
 	// Add subcommands
-	cmd.AddCommand(newInitCmd())
+	cmd.AddCommand(NewInitCmd())
 	cmd.AddCommand(newGenerateCmd())
 	cmd.AddCommand(newVaultCmd())
 	cmd.AddCommand(newAddCmd())
 	cmd.AddCommand(newGetCmd())
 	cmd.AddCommand(newListCmd())
-	cmd.AddCommand(newKeysCmd())
+	cmd.AddCommand(newUnlockersCmd())
-	cmd.AddCommand(newKeyCmd())
+	cmd.AddCommand(newUnlockerCmd())
 	cmd.AddCommand(newImportCmd())
 	cmd.AddCommand(newEncryptCmd())
 	cmd.AddCommand(newDecryptCmd())
 	cmd.AddCommand(newVersionCmd())
 	secret.Debug("newRootCmd completed")
 	return cmd
 }
--- a/internal/cli/secrets.go
+++ b/internal/cli/secrets.go
@@ -4,12 +4,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
-	"github.com/spf13/afero"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 )
@@ -25,25 +24,34 @@ func newAddCmd() *cobra.Command {
 			secret.Debug("Got force flag", "force", force)
 			cli := NewCLIInstance()
 			cli.cmd = cmd // Set the command for stdin access
 			secret.Debug("Created CLI instance, calling AddSecret")
 			return cli.AddSecret(args[0], force)
 		},
 	}
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
 	return cmd
 }
 func newGetCmd() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:   "get <secret-name>",
 		Short: "Retrieve a secret from the vault",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			version, _ := cmd.Flags().GetString("version")
 			cli := NewCLIInstance()
-			return cli.GetSecret(args[0])
+
 			return cli.GetSecretWithVersion(cmd, args[0], version)
 		},
 	}
 	cmd.Flags().StringP("version", "v", "", "Get a specific version (default: current)")
 	return cmd
 }
 func newListCmd() *cobra.Command {
@@ -62,11 +70,13 @@ func newListCmd() *cobra.Command {
 			}
 			cli := NewCLIInstance()
-			return cli.ListSecrets(jsonOutput, filter)
+
 			return cli.ListSecrets(cmd, jsonOutput, filter)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
@@ -81,18 +91,34 @@ func newImportCmd() *cobra.Command {
 			force, _ := cmd.Flags().GetBool("force")
 			cli := NewCLIInstance()
-			return cli.ImportSecret(args[0], sourceFile, force)
+
 			return cli.ImportSecret(cmd, args[0], sourceFile, force)
 		},
 	}
 	cmd.Flags().StringP("source", "s", "", "Source file to import from (required)")
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
 	_ = cmd.MarkFlagRequired("source")
 	return cmd
 }
 // updateBufferSize updates the buffer size based on usage pattern
 func updateBufferSize(currentSize int, sameSize *int) int {
 	*sameSize++
 	const doubleAfterBuffers = 2
 	const growthFactor = 2
 	if *sameSize >= doubleAfterBuffers {
 		*sameSize = 0
 		return currentSize * growthFactor
 	}
 	return currentSize
 }
 // AddSecret adds a secret to the current vault
-func (cli *CLIInstance) AddSecret(secretName string, force bool) error {
+func (cli *Instance) AddSecret(secretName string, force bool) error {
 	secret.Debug("CLI AddSecret starting", "secret_name", secretName, "force", force)
 	// Get current vault
@@ -104,53 +130,141 @@ func (cli *CLIInstance) AddSecret(secretName string, force bool) error {
 	secret.Debug("Got current vault", "vault_name", vlt.GetName())
-	// Read secret value from stdin
+	// Read secret value directly into protected buffers
-	secret.Debug("Reading secret value from stdin")
+	secret.Debug("Reading secret value from stdin into protected buffers")
-	value, err := io.ReadAll(os.Stdin)
+
-	if err != nil {
+	const initialSize = 4 * 1024      // 4KB initial buffer
-		return fmt.Errorf("failed to read secret value: %w", err)
+	const maxSize = 100 * 1024 * 1024 // 100MB max
 	type bufferInfo struct {
 		buffer *memguard.LockedBuffer
 		used   int
 	}
-	secret.Debug("Read secret value from stdin", "value_length", len(value))
+	var buffers []bufferInfo
 	defer func() {
 		for _, b := range buffers {
 			b.buffer.Destroy()
 		}
 	}()
-	// Remove trailing newline if present
+	reader := cli.cmd.InOrStdin()
-	if len(value) > 0 && value[len(value)-1] == '\n' {
+	totalSize := 0
-		value = value[:len(value)-1]
+	currentBufferSize := initialSize
-		secret.Debug("Removed trailing newline", "new_length", len(value))
+	sameSize := 0
 	for {
 		// Create a new buffer
 		buffer := memguard.NewBuffer(currentBufferSize)
 		n, err := io.ReadFull(reader, buffer.Bytes())
 		if n == 0 {
 			// No data read, destroy the unused buffer
 			buffer.Destroy()
 		} else {
 			buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
 			totalSize += n
 			if totalSize > maxSize {
 				return fmt.Errorf("secret too large: exceeds 100MB limit")
 			}
 			// If we filled the buffer, consider growing for next iteration
 			if n == currentBufferSize {
 				currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
 			}
 		}
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
 			break
 		} else if err != nil {
 			return fmt.Errorf("failed to read secret value: %w", err)
 		}
 	}
 	// Check for trailing newline in the last buffer
 	if len(buffers) > 0 && totalSize > 0 {
 		lastBuffer := &buffers[len(buffers)-1]
 		if lastBuffer.buffer.Bytes()[lastBuffer.used-1] == '\n' {
 			lastBuffer.used--
 			totalSize--
 		}
 	}
 	secret.Debug("Read secret value from stdin", "value_length", totalSize, "buffers", len(buffers))
 	// Combine all buffers into a single protected buffer
 	valueBuffer := memguard.NewBuffer(totalSize)
 	defer valueBuffer.Destroy()
 	offset := 0
 	for _, b := range buffers {
 		copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
 		offset += b.used
 	}
 	// Add the secret to the vault
-	secret.Debug("Calling vault.AddSecret", "secret_name", secretName, "value_length", len(value), "force", force)
+	secret.Debug("Calling vault.AddSecret", "secret_name", secretName, "value_length", valueBuffer.Size(), "force", force)
-	if err := vlt.AddSecret(secretName, value, force); err != nil {
+	if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
 		secret.Debug("vault.AddSecret failed", "error", err)
 		return err
 	}
 	secret.Debug("vault.AddSecret completed successfully")
 	return nil
 }
 // GetSecret retrieves and prints a secret from the current vault
-func (cli *CLIInstance) GetSecret(secretName string) error {
+func (cli *Instance) GetSecret(cmd *cobra.Command, secretName string) error {
 	return cli.GetSecretWithVersion(cmd, secretName, "")
 }
 // GetSecretWithVersion retrieves and prints a specific version of a secret
 func (cli *Instance) GetSecretWithVersion(cmd *cobra.Command, secretName string, version string) error {
 	secret.Debug("GetSecretWithVersion called", "secretName", secretName, "version", version)
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		secret.Debug("Failed to get current vault", "error", err)
 		return err
 	}
 	// Get the secret value
-	value, err := vlt.GetSecret(secretName)
+	var value []byte
 	if version == "" {
 		value, err = vlt.GetSecret(secretName)
 	} else {
 		value, err = vlt.GetSecretVersion(secretName, version)
 	}
 	if err != nil {
 		secret.Debug("Failed to get secret", "error", err)
 		return err
 	}
 	secret.Debug("Got secret value", "valueLength", len(value))
 	// Print the secret value to stdout
-	fmt.Print(string(value))
+	cmd.Print(string(value))
 	secret.Debug("Printed value to cmd")
 	// Debug: Log what we're actually printing
 	secret.Debug("Secret retrieval debug info",
 		"secretName", secretName,
 		"version", version,
 		"valueLength", len(value),
 		"valueAsString", string(value),
 		"isEmpty", len(value) == 0)
 	return nil
 }
 // ListSecrets lists all secrets in the current vault
-func (cli *CLIInstance) ListSecrets(jsonOutput bool, filter string) error {
+func (cli *Instance) ListSecrets(cmd *cobra.Command, jsonOutput bool, filter string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -175,7 +289,7 @@ func (cli *CLIInstance) ListSecrets(jsonOutput bool, filter string) error {
 		filteredSecrets = secrets
 	}
-	if jsonOutput {
+	if jsonOutput { //nolint:nestif // Separate JSON and table output formatting logic
 		// For JSON output, get metadata for each secret
 		secretsWithMetadata := make([]map[string]interface{}, 0, len(filteredSecrets))
@@ -206,27 +320,28 @@ func (cli *CLIInstance) ListSecrets(jsonOutput bool, filter string) error {
 			return fmt.Errorf("failed to marshal JSON: %w", err)
 		}
-		fmt.Println(string(jsonBytes))
+		cmd.Println(string(jsonBytes))
 	} else {
 		// Pretty table output
 		if len(filteredSecrets) == 0 {
 			if filter != "" {
-				fmt.Printf("No secrets found in vault '%s' matching filter '%s'.\n", vlt.GetName(), filter)
+				cmd.Printf("No secrets found in vault '%s' matching filter '%s'.\n", vlt.GetName(), filter)
 			} else {
-				fmt.Println("No secrets found in current vault.")
+				cmd.Println("No secrets found in current vault.")
-				fmt.Println("Run 'secret add <name>' to create one.")
+				cmd.Println("Run 'secret add <name>' to create one.")
 			}
 			return nil
 		}
 		// Get current vault name for display
 		if filter != "" {
-			fmt.Printf("Secrets in vault '%s' matching '%s':\n\n", vlt.GetName(), filter)
+			cmd.Printf("Secrets in vault '%s' matching '%s':\n\n", vlt.GetName(), filter)
 		} else {
-			fmt.Printf("Secrets in vault '%s':\n\n", vlt.GetName())
+			cmd.Printf("Secrets in vault '%s':\n\n", vlt.GetName())
 		}
-		fmt.Printf("%-40s %-20s\n", "NAME", "LAST UPDATED")
+		cmd.Printf("%-40s %-20s\n", "NAME", "LAST UPDATED")
-		fmt.Printf("%-40s %-20s\n", "----", "------------")
+		cmd.Printf("%-40s %-20s\n", "----", "------------")
 		for _, secretName := range filteredSecrets {
 			lastUpdated := "unknown"
@@ -234,38 +349,102 @@ func (cli *CLIInstance) ListSecrets(jsonOutput bool, filter string) error {
 				metadata := secretObj.GetMetadata()
 				lastUpdated = metadata.UpdatedAt.Format("2006-01-02 15:04")
 			}
-			fmt.Printf("%-40s %-20s\n", secretName, lastUpdated)
+			cmd.Printf("%-40s %-20s\n", secretName, lastUpdated)
 		}
-		fmt.Printf("\nTotal: %d secret(s)", len(filteredSecrets))
+		cmd.Printf("\nTotal: %d secret(s)", len(filteredSecrets))
 		if filter != "" {
-			fmt.Printf(" (filtered from %d)", len(secrets))
+			cmd.Printf(" (filtered from %d)", len(secrets))
 		}
-		fmt.Println()
+		cmd.Println()
 	}
 	return nil
 }
 // ImportSecret imports a secret from a file
-func (cli *CLIInstance) ImportSecret(secretName, sourceFile string, force bool) error {
+func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile string, force bool) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	// Read secret value from the source file
+	// Read secret value from the source file into protected buffers
-	value, err := afero.ReadFile(cli.fs, sourceFile)
+	file, err := cli.fs.Open(sourceFile)
 	if err != nil {
-		return fmt.Errorf("failed to read secret from file %s: %w", sourceFile, err)
+		return fmt.Errorf("failed to open file %s: %w", sourceFile, err)
 	}
 	defer func() {
 		if err := file.Close(); err != nil {
 			secret.Debug("Failed to close file", "error", err)
 		}
 	}()
 	const initialSize = 4 * 1024      // 4KB initial buffer
 	const maxSize = 100 * 1024 * 1024 // 100MB max
 	type bufferInfo struct {
 		buffer *memguard.LockedBuffer
 		used   int
 	}
 	var buffers []bufferInfo
 	defer func() {
 		for _, b := range buffers {
 			b.buffer.Destroy()
 		}
 	}()
 	totalSize := 0
 	currentBufferSize := initialSize
 	sameSize := 0
 	for {
 		// Create a new buffer
 		buffer := memguard.NewBuffer(currentBufferSize)
 		n, err := io.ReadFull(file, buffer.Bytes())
 		if n == 0 {
 			// No data read, destroy the unused buffer
 			buffer.Destroy()
 		} else {
 			buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
 			totalSize += n
 			if totalSize > maxSize {
 				return fmt.Errorf("secret file too large: exceeds 100MB limit")
 			}
 			// If we filled the buffer, consider growing for next iteration
 			if n == currentBufferSize {
 				currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
 			}
 		}
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
 			break
 		} else if err != nil {
 			return fmt.Errorf("failed to read secret from file %s: %w", sourceFile, err)
 		}
 	}
 	// Combine all buffers into a single protected buffer
 	valueBuffer := memguard.NewBuffer(totalSize)
 	defer valueBuffer.Destroy()
 	offset := 0
 	for _, b := range buffers {
 		copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
 		offset += b.used
 	}
 	// Store the secret in the vault
-	if err := vlt.AddSecret(secretName, value, force); err != nil {
+	if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
 		return err
 	}
-	fmt.Printf("Successfully imported secret '%s' from file '%s'\n", secretName, sourceFile)
+	cmd.Printf("Successfully imported secret '%s' from file '%s'\n", secretName, sourceFile)
 	return nil
 }
--- a/internal/cli/secrets_size_test.go
+++ b/internal/cli/secrets_size_test.go
@@ -0,0 +1,425 @@
 package cli
 import (
 	"bytes"
 	"crypto/rand"
 	"fmt"
 	"io"
 	"path/filepath"
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestAddSecretVariousSizes tests adding secrets of various sizes through stdin
 func TestAddSecretVariousSizes(t *testing.T) {
 	tests := []struct {
 		name        string
 		size        int
 		shouldError bool
 		errorMsg    string
 	}{
 		{
 			name:        "1KB secret",
 			size:        1024,
 			shouldError: false,
 		},
 		{
 			name:        "10KB secret",
 			size:        10 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100KB secret",
 			size:        100 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "1MB secret",
 			size:        1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "10MB secret",
 			size:        10 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "99MB secret",
 			size:        99 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100MB secret minus 1 byte",
 			size:        100*1024*1024 - 1,
 			shouldError: false,
 		},
 		{
 			name:        "101MB secret - should fail",
 			size:        101 * 1024 * 1024,
 			shouldError: true,
 			errorMsg:    "secret too large: exceeds 100MB limit",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Generate test data of specified size
 			testData := make([]byte, tt.size)
 			_, err = rand.Read(testData)
 			require.NoError(t, err)
 			// Add newline that will be stripped
 			testDataWithNewline := append(testData, '\n')
 			// Create fake stdin
 			stdin := bytes.NewReader(testDataWithNewline)
 			// Create command with fake stdin
 			cmd := &cobra.Command{}
 			cmd.SetIn(stdin)
 			// Create CLI instance
 			cli := NewCLIInstance()
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
 			// Test adding the secret
 			secretName := fmt.Sprintf("test-secret-%d", tt.size)
 			err = cli.AddSecret(secretName, false)
 			if tt.shouldError {
 				assert.Error(t, err)
 				assert.Contains(t, err.Error(), tt.errorMsg)
 			} else {
 				require.NoError(t, err)
 				// Verify the secret was stored correctly
 				retrievedValue, err := vlt.GetSecret(secretName)
 				require.NoError(t, err)
 				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original (without newline)")
 			}
 		})
 	}
 }
 // TestImportSecretVariousSizes tests importing secrets of various sizes from files
 func TestImportSecretVariousSizes(t *testing.T) {
 	tests := []struct {
 		name        string
 		size        int
 		shouldError bool
 		errorMsg    string
 	}{
 		{
 			name:        "1KB file",
 			size:        1024,
 			shouldError: false,
 		},
 		{
 			name:        "10KB file",
 			size:        10 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100KB file",
 			size:        100 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "1MB file",
 			size:        1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "10MB file",
 			size:        10 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "99MB file",
 			size:        99 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100MB file",
 			size:        100 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "101MB file - should fail",
 			size:        101 * 1024 * 1024,
 			shouldError: true,
 			errorMsg:    "secret file too large: exceeds 100MB limit",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Generate test data of specified size
 			testData := make([]byte, tt.size)
 			_, err = rand.Read(testData)
 			require.NoError(t, err)
 			// Write test data to file
 			testFile := fmt.Sprintf("/test/secret-%d.bin", tt.size)
 			err = afero.WriteFile(fs, testFile, testData, 0o600)
 			require.NoError(t, err)
 			// Create command
 			cmd := &cobra.Command{}
 			// Create CLI instance
 			cli := NewCLIInstance()
 			cli.fs = fs
 			cli.stateDir = stateDir
 			// Test importing the secret
 			secretName := fmt.Sprintf("imported-secret-%d", tt.size)
 			err = cli.ImportSecret(cmd, secretName, testFile, false)
 			if tt.shouldError {
 				assert.Error(t, err)
 				assert.Contains(t, err.Error(), tt.errorMsg)
 			} else {
 				require.NoError(t, err)
 				// Verify the secret was stored correctly
 				retrievedValue, err := vlt.GetSecret(secretName)
 				require.NoError(t, err)
 				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
 			}
 		})
 	}
 }
 // TestAddSecretBufferGrowth tests that our buffer growth strategy works correctly
 func TestAddSecretBufferGrowth(t *testing.T) {
 	// Test various sizes that should trigger buffer growth
 	sizes := []int{
 		1,        // Single byte
 		100,      // Small
 		4095,     // Just under initial 4KB
 		4096,     // Exactly 4KB
 		4097,     // Just over 4KB
 		8191,     // Just under 8KB (first double)
 		8192,     // Exactly 8KB
 		8193,     // Just over 8KB
 		12288,    // 12KB (should trigger second double)
 		16384,    // 16KB
 		32768,    // 32KB (after more doublings)
 		65536,    // 64KB
 		131072,   // 128KB
 		524288,   // 512KB
 		1048576,  // 1MB
 		2097152,  // 2MB
 	}
 	for _, size := range sizes {
 		t.Run(fmt.Sprintf("size_%d", size), func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Create test data of exactly the specified size
 			// Use a pattern that's easy to verify
 			testData := make([]byte, size)
 			for i := range testData {
 				testData[i] = byte(i % 256)
 			}
 			// Create fake stdin without newline
 			stdin := bytes.NewReader(testData)
 			// Create command with fake stdin
 			cmd := &cobra.Command{}
 			cmd.SetIn(stdin)
 			// Create CLI instance
 			cli := NewCLIInstance()
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
 			// Test adding the secret
 			secretName := fmt.Sprintf("buffer-test-%d", size)
 			err = cli.AddSecret(secretName, false)
 			require.NoError(t, err)
 			// Verify the secret was stored correctly
 			retrievedValue, err := vlt.GetSecret(secretName)
 			require.NoError(t, err)
 			assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original exactly")
 		})
 	}
 }
 // TestAddSecretStreamingBehavior tests that we handle streaming input correctly
 func TestAddSecretStreamingBehavior(t *testing.T) {
 	// Set up test environment
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set test mnemonic
 	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 	// Create vault
 	vaultName := "test-vault"
 	_, err := vault.CreateVault(fs, stateDir, vaultName)
 	require.NoError(t, err)
 	// Set current vault
 	currentVaultPath := filepath.Join(stateDir, "currentvault")
 	vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 	err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 	require.NoError(t, err)
 	// Get vault and set up long-term key
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 	require.NoError(t, err)
 	vlt.Unlock(ltIdentity)
 	// Create a custom reader that simulates slow streaming input
 	// This will help verify our buffer handling works correctly with partial reads
 	testData := []byte(strings.Repeat("Hello, World! ", 1000)) // ~14KB
 	slowReader := &slowReader{
 		data:      testData,
 		chunkSize: 1000, // Read 1KB at a time
 	}
 	// Create command with slow reader as stdin
 	cmd := &cobra.Command{}
 	cmd.SetIn(slowReader)
 	// Create CLI instance
 	cli := NewCLIInstance()
 	cli.fs = fs
 	cli.stateDir = stateDir
 	cli.cmd = cmd
 	// Test adding the secret
 	err = cli.AddSecret("streaming-test", false)
 	require.NoError(t, err)
 	// Verify the secret was stored correctly
 	retrievedValue, err := vlt.GetSecret("streaming-test")
 	require.NoError(t, err)
 	assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
 }
 // slowReader simulates a reader that returns data in small chunks
 type slowReader struct {
 	data      []byte
 	offset    int
 	chunkSize int
 }
 func (r *slowReader) Read(p []byte) (n int, err error) {
 	if r.offset >= len(r.data) {
 		return 0, io.EOF
 	}
 	// Read at most chunkSize bytes
 	remaining := len(r.data) - r.offset
 	toRead := r.chunkSize
 	if toRead > remaining {
 		toRead = remaining
 	}
 	if toRead > len(p) {
 		toRead = len(p)
 	}
 	n = copy(p, r.data[r.offset:r.offset+toRead])
 	r.offset += n
 	if r.offset >= len(r.data) {
 		err = io.EOF
 	}
 	return n, err
 }
--- a/internal/cli/test_helpers.go
+++ b/internal/cli/test_helpers.go
@@ -0,0 +1,63 @@
 package cli
 import (
 	"bytes"
 	"os"
 	"strings"
 	"git.eeqj.de/sneak/secret/internal/secret"
 )
 // ExecuteCommandInProcess executes a CLI command in-process for testing
 func ExecuteCommandInProcess(args []string, stdin string, env map[string]string) (string, error) {
 	secret.Debug("ExecuteCommandInProcess called", "args", args)
 	// Save current environment
 	savedEnv := make(map[string]string)
 	for k := range env {
 		savedEnv[k] = os.Getenv(k)
 	}
 	// Set test environment
 	for k, v := range env {
 		_ = os.Setenv(k, v)
 	}
 	// Create root command
 	rootCmd := newRootCmd()
 	// Capture output
 	var buf bytes.Buffer
 	rootCmd.SetOut(&buf)
 	rootCmd.SetErr(&buf)
 	// Set stdin if provided
 	if stdin != "" {
 		rootCmd.SetIn(strings.NewReader(stdin))
 	}
 	// Set args
 	rootCmd.SetArgs(args)
 	// Execute command
 	err := rootCmd.Execute()
 	output := buf.String()
 	secret.Debug("Command execution completed", "error", err, "outputLength", len(output), "output", output)
 	// Add debug info for troubleshooting
 	if len(output) == 0 && err == nil {
 		secret.Debug("Warning: Command executed successfully but produced no output", "args", args)
 	}
 	// Restore environment
 	for k, v := range savedEnv {
 		if v == "" {
 			_ = os.Unsetenv(k)
 		} else {
 			_ = os.Setenv(k, v)
 		}
 	}
 	return output, err
 }
--- a/internal/cli/test_output_test.go
+++ b/internal/cli/test_output_test.go
@@ -0,0 +1,22 @@
 package cli
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestOutputCapture(t *testing.T) {
 	// Test vault list command which we fixed
 	output, err := ExecuteCommandInProcess([]string{"vault", "list"}, "", nil)
 	require.NoError(t, err)
 	assert.Contains(t, output, "Available vaults", "should capture vault list output")
 	t.Logf("vault list output: %q", output)
 	// Test help command
 	output, err = ExecuteCommandInProcess([]string{"--help"}, "", nil)
 	require.NoError(t, err)
 	assert.NotEmpty(t, output, "help output should not be empty")
 	t.Logf("help output length: %d", len(output))
 }
--- a/internal/cli/unlockers.go
+++ b/internal/cli/unlockers.go
@@ -0,0 +1,338 @@
 package cli
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 // Import from init.go
 // ... existing imports ...
 func newUnlockersCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "unlockers",
 		Short: "Manage unlockers",
 		Long:  `Create, list, and remove unlockers for the current vault.`,
 	}
 	cmd.AddCommand(newUnlockersListCmd())
 	cmd.AddCommand(newUnlockersAddCmd())
 	cmd.AddCommand(newUnlockersRmCmd())
 	return cmd
 }
 func newUnlockersListCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "list",
 		Short: "List unlockers in the current vault",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 			cli := NewCLIInstance()
 			cli.cmd = cmd
 			return cli.UnlockersList(jsonOutput)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
 func newUnlockersAddCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "add <type>",
 		Short: "Add a new unlocker",
 		Long:  `Add a new unlocker of the specified type (passphrase, keychain, pgp).`,
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.UnlockersAdd(args[0], cmd)
 		},
 	}
 	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlockers")
 	return cmd
 }
 func newUnlockersRmCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "rm <unlocker-id>",
 		Short: "Remove an unlocker",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(_ *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.UnlockersRemove(args[0])
 		},
 	}
 }
 func newUnlockerCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "unlocker",
 		Short: "Manage current unlocker",
 		Long:  `Select the current unlocker for operations.`,
 	}
 	cmd.AddCommand(newUnlockerSelectSubCmd())
 	return cmd
 }
 func newUnlockerSelectSubCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "select <unlocker-id>",
 		Short: "Select an unlocker as current",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(_ *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.UnlockerSelect(args[0])
 		},
 	}
 }
 // UnlockersList lists unlockers in the current vault
 func (cli *Instance) UnlockersList(jsonOutput bool) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	// Get the metadata first
 	unlockerMetadataList, err := vlt.ListUnlockers()
 	if err != nil {
 		return err
 	}
 	// Load actual unlocker objects to get the proper IDs
 	type UnlockerInfo struct {
 		ID        string    `json:"id"`
 		Type      string    `json:"type"`
 		CreatedAt time.Time `json:"createdAt"`
 		Flags     []string  `json:"flags,omitempty"`
 	}
 	var unlockers []UnlockerInfo
 	for _, metadata := range unlockerMetadataList {
 		// Create unlocker instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			continue
 		}
 		// Find the unlocker directory by type and created time
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
 			continue
 		}
 		var unlocker secret.Unlocker
 		for _, file := range files {
 			if !file.IsDir() {
 				continue
 			}
 			unlockerDir := filepath.Join(unlockersDir, file.Name())
 			metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 			// Check if this is the right unlocker by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
 				continue // FIXME this error needs to be handled
 			}
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 				continue // FIXME this error needs to be handled
 			}
 			// Match by type and creation time
 			if diskMetadata.Type == metadata.Type && diskMetadata.CreatedAt.Equal(metadata.CreatedAt) {
 				// Create the appropriate unlocker instance
 				switch metadata.Type {
 				case "passphrase":
 					unlocker = secret.NewPassphraseUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "keychain":
 					unlocker = secret.NewKeychainUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "pgp":
 					unlocker = secret.NewPGPUnlocker(cli.fs, unlockerDir, diskMetadata)
 				}
 				break
 			}
 		}
 		// Get the proper ID using the unlocker's ID() method
 		var properID string
 		if unlocker != nil {
 			properID = unlocker.GetID()
 		} else {
 			// Generate ID as fallback
 			properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
 		}
 		unlockerInfo := UnlockerInfo{
 			ID:        properID,
 			Type:      metadata.Type,
 			CreatedAt: metadata.CreatedAt,
 			Flags:     metadata.Flags,
 		}
 		unlockers = append(unlockers, unlockerInfo)
 	}
 	if jsonOutput {
 		// JSON output
 		output := map[string]interface{}{
 			"unlockers": unlockers,
 		}
 		jsonBytes, err := json.MarshalIndent(output, "", "  ")
 		if err != nil {
 			return fmt.Errorf("failed to marshal JSON: %w", err)
 		}
 		cli.cmd.Println(string(jsonBytes))
 	} else {
 		// Pretty table output
 		if len(unlockers) == 0 {
 			cli.cmd.Println("No unlockers found in current vault.")
 			cli.cmd.Println("Run 'secret unlockers add passphrase' to create one.")
 			return nil
 		}
 		cli.cmd.Printf("%-18s %-12s %-20s %s\n", "UNLOCKER ID", "TYPE", "CREATED", "FLAGS")
 		cli.cmd.Printf("%-18s %-12s %-20s %s\n", "-----------", "----", "-------", "-----")
 		for _, unlocker := range unlockers {
 			flags := ""
 			if len(unlocker.Flags) > 0 {
 				flags = strings.Join(unlocker.Flags, ",")
 			}
 			cli.cmd.Printf("%-18s %-12s %-20s %s\n",
 				unlocker.ID,
 				unlocker.Type,
 				unlocker.CreatedAt.Format("2006-01-02 15:04:05"),
 				flags)
 		}
 		cli.cmd.Printf("\nTotal: %d unlocker(s)\n", len(unlockers))
 	}
 	return nil
 }
 // UnlockersAdd adds a new unlocker
 func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error {
 	switch unlockerType {
 	case "passphrase":
 		// Get current vault
 		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to get current vault: %w", err)
 		}
 		// For passphrase unlockers, we don't need the vault to be unlocked
 		// The CreatePassphraseUnlocker method will handle getting the long-term key
 		// Check if passphrase is set in environment variable
 		var passphraseBuffer *memguard.LockedBuffer
 		if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
 			passphraseBuffer = memguard.NewBufferFromBytes([]byte(envPassphrase))
 		} else {
 			// Use secure passphrase input with confirmation
 			passphraseBuffer, err = readSecurePassphrase("Enter passphrase for unlocker: ")
 			if err != nil {
 				return fmt.Errorf("failed to read passphrase: %w", err)
 			}
 		}
 		defer passphraseBuffer.Destroy()
 		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
 			return err
 		}
 		cmd.Printf("Created passphrase unlocker: %s\n", passphraseUnlocker.GetID())
 		return nil
 	case "keychain":
 		keychainUnlocker, err := secret.CreateKeychainUnlocker(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to create macOS Keychain unlocker: %w", err)
 		}
 		cmd.Printf("Created macOS Keychain unlocker: %s\n", keychainUnlocker.GetID())
 		if keyName, err := keychainUnlocker.GetKeychainItemName(); err == nil {
 			cmd.Printf("Keychain Item Name: %s\n", keyName)
 		}
 		return nil
 	case "pgp":
 		// Get GPG key ID from flag or environment variable
 		var gpgKeyID string
 		if flagKeyID, _ := cmd.Flags().GetString("keyid"); flagKeyID != "" {
 			gpgKeyID = flagKeyID
 		} else if envKeyID := os.Getenv(secret.EnvGPGKeyID); envKeyID != "" {
 			gpgKeyID = envKeyID
 		} else {
 			return fmt.Errorf("GPG key ID required: use --keyid flag or set SB_GPG_KEY_ID environment variable")
 		}
 		pgpUnlocker, err := secret.CreatePGPUnlocker(cli.fs, cli.stateDir, gpgKeyID)
 		if err != nil {
 			return err
 		}
 		cmd.Printf("Created PGP unlocker: %s\n", pgpUnlocker.GetID())
 		cmd.Printf("GPG Key ID: %s\n", gpgKeyID)
 		return nil
 	default:
 		return fmt.Errorf("unsupported unlocker type: %s (supported: passphrase, keychain, pgp)", unlockerType)
 	}
 }
 // UnlockersRemove removes an unlocker
 func (cli *Instance) UnlockersRemove(unlockerID string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	return vlt.RemoveUnlocker(unlockerID)
 }
 // UnlockerSelect selects an unlocker as current
 func (cli *Instance) UnlockerSelect(unlockerID string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	return vlt.SelectUnlocker(unlockerID)
 }
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
@@ -34,15 +35,17 @@ func newVaultListCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "list",
 		Short: "List available vaults",
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 			cli := NewCLIInstance()
-			return cli.ListVaults(jsonOutput)
+
 			return cli.ListVaults(cmd, jsonOutput)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
@@ -53,7 +56,8 @@ func newVaultCreateCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
-			return cli.CreateVault(args[0])
+
 			return cli.CreateVault(cmd, args[0])
 		},
 	}
 }
@@ -65,7 +69,8 @@ func newVaultSelectCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
-			return cli.SelectVault(args[0])
+
 			return cli.SelectVault(cmd, args[0])
 		},
 	}
 }
@@ -83,19 +88,20 @@ func newVaultImportCmd() *cobra.Command {
 			}
 			cli := NewCLIInstance()
-			return cli.VaultImport(vaultName)
+
 			return cli.VaultImport(cmd, vaultName)
 		},
 	}
 }
 // ListVaults lists all available vaults
-func (cli *CLIInstance) ListVaults(jsonOutput bool) error {
+func (cli *Instance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	if jsonOutput {
+	if jsonOutput { //nolint:nestif // Separate JSON and text output formatting logic
 		// Get current vault name for context
 		currentVault := ""
 		if currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir); err == nil {
@@ -103,20 +109,20 @@ func (cli *CLIInstance) ListVaults(jsonOutput bool) error {
 		}
 		result := map[string]interface{}{
-			"vaults":        vaults,
+			"vaults":       vaults,
-			"current_vault": currentVault,
+			"currentVault": currentVault,
 		}
 		jsonBytes, err := json.MarshalIndent(result, "", "  ")
 		if err != nil {
 			return err
 		}
-		fmt.Println(string(jsonBytes))
+		cmd.Println(string(jsonBytes))
 	} else {
 		// Text output
-		fmt.Println("Available vaults:")
+		cmd.Println("Available vaults:")
 		if len(vaults) == 0 {
-			fmt.Println("  (none)")
+			cmd.Println("  (none)")
 		} else {
 			// Try to get current vault for marking
 			currentVault := ""
@@ -126,9 +132,9 @@ func (cli *CLIInstance) ListVaults(jsonOutput bool) error {
 			for _, vaultName := range vaults {
 				if vaultName == currentVault {
-					fmt.Printf("  %s (current)\n", vaultName)
+					cmd.Printf("  %s (current)\n", vaultName)
 				} else {
-					fmt.Printf("  %s\n", vaultName)
+					cmd.Printf("  %s\n", vaultName)
 				}
 			}
 		}
@@ -138,7 +144,7 @@ func (cli *CLIInstance) ListVaults(jsonOutput bool) error {
 }
 // CreateVault creates a new vault
-func (cli *CLIInstance) CreateVault(name string) error {
+func (cli *Instance) CreateVault(cmd *cobra.Command, name string) error {
 	secret.Debug("Creating new vault", "name", name, "state_dir", cli.stateDir)
 	vlt, err := vault.CreateVault(cli.fs, cli.stateDir, name)
@@ -146,22 +152,24 @@ func (cli *CLIInstance) CreateVault(name string) error {
 		return err
 	}
-	fmt.Printf("Created vault '%s'\n", vlt.GetName())
+	cmd.Printf("Created vault '%s'\n", vlt.GetName())
 	return nil
 }
 // SelectVault selects a vault as the current one
-func (cli *CLIInstance) SelectVault(name string) error {
+func (cli *Instance) SelectVault(cmd *cobra.Command, name string) error {
 	if err := vault.SelectVault(cli.fs, cli.stateDir, name); err != nil {
 		return err
 	}
-	fmt.Printf("Selected vault '%s' as current\n", name)
+	cmd.Printf("Selected vault '%s' as current\n", name)
 	return nil
 }
 // VaultImport imports a mnemonic into a specific vault
-func (cli *CLIInstance) VaultImport(vaultName string) error {
+func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 	secret.Debug("Importing mnemonic into vault", "vault_name", vaultName, "state_dir", cli.stateDir)
 	// Get the specific vault by name
@@ -181,6 +189,12 @@ func (cli *CLIInstance) VaultImport(vaultName string) error {
 		return fmt.Errorf("vault '%s' does not exist", vaultName)
 	}
 	// Check if vault already has a public key
 	pubKeyPath := fmt.Sprintf("%s/pub.age", vaultDir)
 	if _, err := cli.fs.Stat(pubKeyPath); err == nil {
 		return fmt.Errorf("vault '%s' already has a long-term key configured", vaultName)
 	}
 	// Get mnemonic from environment
 	mnemonic := os.Getenv(secret.EnvMnemonic)
 	if mnemonic == "" {
@@ -194,14 +208,11 @@ func (cli *CLIInstance) VaultImport(vaultName string) error {
 		return fmt.Errorf("invalid BIP39 mnemonic")
 	}
 	// Calculate mnemonic hash for index tracking
 	mnemonicHash := vault.ComputeDoubleSHA256([]byte(mnemonic))
 	secret.Debug("Calculated mnemonic hash", "hash", mnemonicHash)
 	// Get the next available derivation index for this mnemonic
-	derivationIndex, err := vault.GetNextDerivationIndex(cli.fs, cli.stateDir, mnemonicHash)
+	derivationIndex, err := vault.GetNextDerivationIndex(cli.fs, cli.stateDir, mnemonic)
 	if err != nil {
 		secret.Debug("Failed to get next derivation index", "error", err)
 		return fmt.Errorf("failed to get next derivation index: %w", err)
 	}
 	secret.Debug("Using derivation index", "index", derivationIndex)
@@ -213,32 +224,46 @@ func (cli *CLIInstance) VaultImport(vaultName string) error {
 		return fmt.Errorf("failed to derive long-term key: %w", err)
 	}
 	// Calculate the long-term key hash
 	ltKeyHash := vault.ComputeDoubleSHA256([]byte(ltIdentity.String()))
 	secret.Debug("Calculated long-term key hash", "hash", ltKeyHash)
 	// Store long-term public key in vault
 	ltPublicKey := ltIdentity.Recipient().String()
 	secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir)
-	pubKeyPath := fmt.Sprintf("%s/pub.age", vaultDir)
+	if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), secret.FilePerms); err != nil {
 	if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), 0600); err != nil {
 		return fmt.Errorf("failed to store long-term public key: %w", err)
 	}
-	// Save vault metadata
+	// Calculate public key hash from the actual derivation index being used
-	metadata := &vault.VaultMetadata{
+	// This is used to verify that the derived key matches what was stored
-		Name:            vaultName,
+	publicKeyHash := vault.ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
-		CreatedAt:       time.Now(),
+
-		DerivationIndex: derivationIndex,
+	// Calculate family hash from index 0 (same for all vaults with this mnemonic)
-		LongTermKeyHash: ltKeyHash,
+	// This is used to identify which vaults belong to the same mnemonic family
-		MnemonicHash:    mnemonicHash,
+	identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 	if err != nil {
 		return fmt.Errorf("failed to derive identity for index 0: %w", err)
 	}
-	if err := vault.SaveVaultMetadata(cli.fs, vaultDir, metadata); err != nil {
+	familyHash := vault.ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	// Load existing metadata
 	existingMetadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
 	if err != nil {
 		// If metadata doesn't exist, create new
 		existingMetadata = &vault.Metadata{
 			CreatedAt: time.Now(),
 		}
 	}
 	// Update metadata with new derivation info
 	existingMetadata.DerivationIndex = derivationIndex
 	existingMetadata.PublicKeyHash = publicKeyHash
 	existingMetadata.MnemonicFamilyHash = familyHash
 	if err := vault.SaveVaultMetadata(cli.fs, vaultDir, existingMetadata); err != nil {
 		secret.Debug("Failed to save vault metadata", "error", err)
 		return fmt.Errorf("failed to save vault metadata: %w", err)
 	}
-	secret.Debug("Saved vault metadata with derivation index and key hash")
+	secret.Debug("Saved vault metadata with derivation index and public key hash")
 	// Get passphrase from environment variable
 	passphraseStr := os.Getenv(secret.EnvUnlockPassphrase)
@@ -248,20 +273,25 @@ func (cli *CLIInstance) VaultImport(vaultName string) error {
 	secret.Debug("Using unlock passphrase from environment variable")
 	// Create secure buffer for passphrase
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
 	defer passphraseBuffer.Destroy()
 	// Unlock the vault with the derived long-term key
 	vlt.Unlock(ltIdentity)
-	// Create passphrase-protected unlock key
+	// Create passphrase-protected unlocker
-	secret.Debug("Creating passphrase-protected unlock key")
+	secret.Debug("Creating passphrase-protected unlocker")
-	passphraseKey, err := vlt.CreatePassphraseKey(passphraseStr)
+	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
-		secret.Debug("Failed to create unlock key", "error", err)
+		secret.Debug("Failed to create unlocker", "error", err)
-		return fmt.Errorf("failed to create unlock key: %w", err)
+
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
-	fmt.Printf("Successfully imported mnemonic into vault '%s'\n", vaultName)
+	cmd.Printf("Successfully imported mnemonic into vault '%s'\n", vaultName)
-	fmt.Printf("Long-term public key: %s\n", ltPublicKey)
+	cmd.Printf("Long-term public key: %s\n", ltPublicKey)
-	fmt.Printf("Unlock key ID: %s\n", passphraseKey.GetID())
+	cmd.Printf("Unlocker ID: %s\n", passphraseUnlocker.GetID())
 	return nil
 }
--- a/internal/cli/version.go
+++ b/internal/cli/version.go
@@ -0,0 +1,209 @@
 package cli
 import (
 	"fmt"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 const (
 	tabWriterPadding = 2
 )
 // newVersionCmd returns the version management command
 func newVersionCmd() *cobra.Command {
 	cli := NewCLIInstance()
 	return VersionCommands(cli)
 }
 // VersionCommands returns the version management commands
 func VersionCommands(cli *Instance) *cobra.Command {
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Manage secret versions",
 		Long:  "Commands for managing secret versions including listing, promoting, and retrieving specific versions",
 	}
 	// List versions command
 	listCmd := &cobra.Command{
 		Use:   "list <secret-name>",
 		Short: "List all versions of a secret",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.ListVersions(cmd, args[0])
 		},
 	}
 	// Promote version command
 	promoteCmd := &cobra.Command{
 		Use:   "promote <secret-name> <version>",
 		Short: "Promote a specific version to current",
 		Long:  "Updates the current symlink to point to the specified version without modifying timestamps",
 		Args:  cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.PromoteVersion(cmd, args[0], args[1])
 		},
 	}
 	versionCmd.AddCommand(listCmd, promoteCmd)
 	return versionCmd
 }
 // ListVersions lists all versions of a secret
 func (cli *Instance) ListVersions(cmd *cobra.Command, secretName string) error {
 	secret.Debug("ListVersions called", "secret_name", secretName)
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		secret.Debug("Failed to get current vault", "error", err)
 		return err
 	}
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err)
 		return err
 	}
 	// Get the encoded secret name
 	encodedName := strings.ReplaceAll(secretName, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
 	// Check if secret exists
 	exists, err := afero.DirExists(cli.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err)
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secret not found", "secret_name", secretName)
 		return fmt.Errorf("secret '%s' not found", secretName)
 	}
 	// List all versions
 	versions, err := secret.ListVersions(cli.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to list versions", "error", err)
 		return fmt.Errorf("failed to list versions: %w", err)
 	}
 	if len(versions) == 0 {
 		cmd.Println("No versions found")
 		return nil
 	}
 	// Get current version
 	currentVersion, err := secret.GetCurrentVersion(cli.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to get current version", "error", err)
 		currentVersion = ""
 	}
 	// Get long-term key for decrypting metadata
 	ltIdentity, err := vlt.GetOrDeriveLongTermKey()
 	if err != nil {
 		return fmt.Errorf("failed to get long-term key: %w", err)
 	}
 	// Create table writer
 	w := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, tabWriterPadding, ' ', 0)
 	_, _ = fmt.Fprintln(w, "VERSION\tCREATED\tSTATUS\tNOT_BEFORE\tNOT_AFTER")
 	// Load and display each version's metadata
 	for _, version := range versions {
 		sv := secret.NewVersion(vlt, secretName, version)
 		// Load metadata
 		if err := sv.LoadMetadata(ltIdentity); err != nil {
 			secret.Debug("Failed to load version metadata", "version", version, "error", err)
 			// Display version with error
 			status := "error"
 			if version == currentVersion {
 				status = "current (error)"
 			}
 			_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, "-", status, "-", "-")
 			continue
 		}
 		// Determine status
 		status := "expired"
 		if version == currentVersion {
 			status = "current"
 		}
 		// Format timestamps
 		createdAt := "-"
 		if sv.Metadata.CreatedAt != nil {
 			createdAt = sv.Metadata.CreatedAt.Format("2006-01-02 15:04:05")
 		}
 		notBefore := "-"
 		if sv.Metadata.NotBefore != nil {
 			notBefore = sv.Metadata.NotBefore.Format("2006-01-02 15:04:05")
 		}
 		notAfter := "-"
 		if sv.Metadata.NotAfter != nil {
 			notAfter = sv.Metadata.NotAfter.Format("2006-01-02 15:04:05")
 		}
 		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, createdAt, status, notBefore, notAfter)
 	}
 	_ = w.Flush()
 	return nil
 }
 // PromoteVersion promotes a specific version to current
 func (cli *Instance) PromoteVersion(cmd *cobra.Command, secretName string, version string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Get the encoded secret name
 	encodedName := strings.ReplaceAll(secretName, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
 	// Check if version exists
 	versionDir := filepath.Join(secretDir, "versions", version)
 	exists, err := afero.DirExists(cli.fs, versionDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if version exists: %w", err)
 	}
 	if !exists {
 		return fmt.Errorf("version '%s' not found for secret '%s'", version, secretName)
 	}
 	// Update the current symlink using the proper function
 	if err := secret.SetCurrentVersion(cli.fs, secretDir, version); err != nil {
 		return fmt.Errorf("failed to update current version: %w", err)
 	}
 	cmd.Printf("Promoted version %s to current for secret '%s'\n", version, secretName)
 	return nil
 }
--- a/internal/cli/version_test.go
+++ b/internal/cli/version_test.go
@@ -0,0 +1,310 @@
 // Version CLI Command Tests
 //
 // Tests for version-related CLI commands:
 //
 // - TestListVersionsCommand: Tests `secret version list` command output
 // - TestListVersionsNonExistentSecret: Tests error handling for missing secrets
 // - TestPromoteVersionCommand: Tests `secret version promote` command
 // - TestPromoteNonExistentVersion: Tests error handling for invalid promotion
 // - TestGetSecretWithVersion: Tests `secret get --version` flag functionality
 // - TestVersionCommandStructure: Tests command structure and help text
 // - TestListVersionsEmptyOutput: Tests edge case with no versions
 //
 // Test Utilities:
 // - setupTestVault(): CLI test helper for vault initialization
 // - Uses consistent test mnemonic for reproducible testing
 package cli
 import (
 	"bytes"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecret(t *testing.T, vlt *vault.Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vlt.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // Helper function to set up a vault with long-term key
 func setupTestVault(t *testing.T, fs afero.Fs, stateDir string) {
 	// Set mnemonic for testing
 	testMnemonic := "abandon abandon abandon abandon abandon abandon " +
 		"abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	// Create vault
 	vlt, err := vault.CreateVault(fs, stateDir, "default")
 	require.NoError(t, err)
 	// Derive and store long-term key from mnemonic
 	mnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
 	require.NoError(t, err)
 	// Store long-term public key in vault
 	vaultDir, _ := vlt.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Select vault
 	err = vault.SelectVault(fs, stateDir, "default")
 	require.NoError(t, err)
 }
 func TestListVersionsCommand(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Add a secret with multiple versions
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	time.Sleep(10 * time.Millisecond)
 	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	cmd.SetErr(&buf)
 	// List versions
 	err = cli.ListVersions(cmd, "test/secret")
 	require.NoError(t, err)
 	// Read output
 	outputStr := buf.String()
 	// Verify output contains version headers
 	assert.Contains(t, outputStr, "VERSION")
 	assert.Contains(t, outputStr, "CREATED")
 	assert.Contains(t, outputStr, "STATUS")
 	assert.Contains(t, outputStr, "NOT_BEFORE")
 	assert.Contains(t, outputStr, "NOT_AFTER")
 	// Should have current status for latest version
 	assert.Contains(t, outputStr, "current")
 	// Should have two version entries
 	lines := strings.Split(outputStr, "\n")
 	versionLines := 0
 	for _, line := range lines {
 		if strings.Contains(line, ".001") || strings.Contains(line, ".002") {
 			versionLines++
 		}
 	}
 	assert.Equal(t, 2, versionLines)
 }
 func TestListVersionsNonExistentSecret(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	cmd.SetErr(&buf)
 	// Try to list versions of non-existent secret
 	err := cli.ListVersions(cmd, "nonexistent/secret")
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
 func TestPromoteVersionCommand(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Add a secret with multiple versions
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	time.Sleep(10 * time.Millisecond)
 	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	// Get versions
 	vaultDir, _ := vlt.GetDirectory()
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	versions, err := secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	require.Len(t, versions, 2)
 	// Current should be version-2
 	value, err := vlt.GetSecret("test/secret")
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-2"), value)
 	// Promote first version
 	firstVersion := versions[1] // Older version
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	cmd.SetErr(&buf)
 	err = cli.PromoteVersion(cmd, "test/secret", firstVersion)
 	require.NoError(t, err)
 	// Read output
 	outputStr := buf.String()
 	// Verify success message
 	assert.Contains(t, outputStr, "Promoted version")
 	assert.Contains(t, outputStr, firstVersion)
 	// Verify current is now version-1
 	value, err = vlt.GetSecret("test/secret")
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-1"), value)
 }
 func TestPromoteNonExistentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Add a secret
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	addTestSecret(t, vlt, "test/secret", []byte("value"), false)
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	cmd.SetErr(&buf)
 	// Try to promote non-existent version
 	err = cli.PromoteVersion(cmd, "test/secret", "20991231.999")
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
 func TestGetSecretWithVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Add a secret with multiple versions
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	time.Sleep(10 * time.Millisecond)
 	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	// Get versions
 	vaultDir, _ := vlt.GetDirectory()
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	versions, err := secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	require.Len(t, versions, 2)
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	// Test getting current version (empty version string)
 	err = cli.GetSecretWithVersion(cmd, "test/secret", "")
 	require.NoError(t, err)
 	assert.Equal(t, "version-2", buf.String())
 	// Test getting specific version
 	buf.Reset()
 	firstVersion := versions[1] // Older version
 	err = cli.GetSecretWithVersion(cmd, "test/secret", firstVersion)
 	require.NoError(t, err)
 	assert.Equal(t, "version-1", buf.String())
 }
 func TestVersionCommandStructure(t *testing.T) {
 	// Test that version commands are properly structured
 	cli := NewCLIInstance()
 	cmd := VersionCommands(cli)
 	assert.Equal(t, "version", cmd.Use)
 	assert.Equal(t, "Manage secret versions", cmd.Short)
 	// Check subcommands
 	listCmd := cmd.Commands()[0]
 	assert.Equal(t, "list <secret-name>", listCmd.Use)
 	assert.Equal(t, "List all versions of a secret", listCmd.Short)
 	promoteCmd := cmd.Commands()[1]
 	assert.Equal(t, "promote <secret-name> <version>", promoteCmd.Use)
 	assert.Equal(t, "Promote a specific version to current", promoteCmd.Short)
 }
 func TestListVersionsEmptyOutput(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	cli := NewCLIInstanceWithStateDir(fs, stateDir)
 	// Set up vault with long-term key
 	setupTestVault(t, fs, stateDir)
 	// Create a secret directory without versions (edge case)
 	vaultDir := stateDir + "/vaults.d/default"
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Create a command for output capture
 	cmd := newRootCmd()
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)
 	cmd.SetErr(&buf)
 	// List versions - should show "No versions found"
 	err = cli.ListVersions(cmd, "test/secret")
 	// Should succeed even with no versions
 	assert.NoError(t, err)
 }
--- a/internal/secret/constants.go
+++ b/internal/secret/constants.go
@@ -1,3 +1,4 @@
 // Package secret provides core types and constants for the secret application.
 package secret
 import "os"
@@ -6,18 +7,21 @@ const (
 	// AppID is the unique identifier for this application
 	AppID = "berlin.sneak.pkg.secret"
-	// Environment variable names
+	// EnvStateDir is the environment variable for specifying the state directory
-	EnvStateDir         = "SB_SECRET_STATE_DIR"
+	EnvStateDir = "SB_SECRET_STATE_DIR"
-	EnvMnemonic         = "SB_SECRET_MNEMONIC"
+	// EnvMnemonic is the environment variable for providing the mnemonic phrase
-	EnvUnlockPassphrase = "SB_UNLOCK_PASSPHRASE"
+	EnvMnemonic = "SB_SECRET_MNEMONIC"
-	EnvGPGKeyID         = "SB_GPG_KEY_ID"
+	// EnvUnlockPassphrase is the environment variable for providing the unlock passphrase
 	EnvUnlockPassphrase = "SB_UNLOCK_PASSPHRASE" //nolint:gosec // G101: This is an env var name, not a credential
 	// EnvGPGKeyID is the environment variable for providing the GPG key ID
 	EnvGPGKeyID = "SB_GPG_KEY_ID"
 )
 // File system permission constants
 const (
 	// DirPerms is the permission used for directories (read-write-execute for owner only)
-	DirPerms os.FileMode = 0700
+	DirPerms os.FileMode = 0o700
 	// FilePerms is the permission used for sensitive files (read-write for owner only)
-	FilePerms os.FileMode = 0600
+	FilePerms os.FileMode = 0o600
 )
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -8,25 +8,33 @@ import (
 	"syscall"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"golang.org/x/term"
 )
 // EncryptToRecipient encrypts data to a recipient using age
-func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
+// The data parameter should be a LockedBuffer for secure memory handling
-	Debug("EncryptToRecipient starting", "data_length", len(data))
+func EncryptToRecipient(data *memguard.LockedBuffer, recipient age.Recipient) ([]byte, error) {
 	if data == nil {
 		return nil, fmt.Errorf("data buffer is nil")
 	}
 	Debug("EncryptToRecipient starting", "data_length", data.Size())
 	var buf bytes.Buffer
 	Debug("Creating age encryptor")
 	w, err := age.Encrypt(&buf, recipient)
 	if err != nil {
 		Debug("Failed to create encryptor", "error", err)
 		return nil, fmt.Errorf("failed to create encryptor: %w", err)
 	}
 	Debug("Created age encryptor successfully")
 	Debug("Writing data to encryptor")
-	if _, err := w.Write(data); err != nil {
+	if _, err := w.Write(data.Bytes()); err != nil {
 		Debug("Failed to write data to encryptor", "error", err)
 		return nil, fmt.Errorf("failed to write data: %w", err)
 	}
 	Debug("Wrote data to encryptor successfully")
@@ -34,12 +42,14 @@ func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
 	Debug("Closing encryptor")
 	if err := w.Close(); err != nil {
 		Debug("Failed to close encryptor", "error", err)
 		return nil, fmt.Errorf("failed to close encryptor: %w", err)
 	}
 	Debug("Closed encryptor successfully")
 	result := buf.Bytes()
 	Debug("EncryptToRecipient completed successfully", "result_length", len(result))
 	return result, nil
 }
@@ -59,18 +69,36 @@ func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
 }
 // EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
-func EncryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
+// The passphrase parameter should be a LockedBuffer for secure memory handling
-	recipient, err := age.NewScryptRecipient(passphrase)
+func EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 	// Get the passphrase string temporarily
 	passphraseStr := passphrase.String()
 	recipient, err := age.NewScryptRecipient(passphraseStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
-	return EncryptToRecipient(data, recipient)
+	// Create a secure buffer for the data
 	dataBuffer := memguard.NewBufferFromBytes(data)
 	defer dataBuffer.Destroy()
 	return EncryptToRecipient(dataBuffer, recipient)
 }
 // DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
-func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, error) {
+// The passphrase parameter should be a LockedBuffer for secure memory handling
-	identity, err := age.NewScryptIdentity(passphrase)
+func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 	// Get the passphrase string temporarily
 	passphraseStr := passphrase.String()
 	identity, err := age.NewScryptIdentity(passphraseStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
 	}
@@ -80,29 +108,42 @@ func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, err
 // ReadPassphrase reads a passphrase securely from the terminal without echoing
 // This version is for unlocking and doesn't require confirmation
-func ReadPassphrase(prompt string) (string, error) {
+// Returns a LockedBuffer containing the passphrase for secure memory handling
 func ReadPassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	// Check if stdin is a terminal
-	if !term.IsTerminal(int(syscall.Stdin)) {
+	if !term.IsTerminal(syscall.Stdin) {
 		// Not a terminal - never read passphrases from piped input for security reasons
-		return "", fmt.Errorf("cannot read passphrase from non-terminal stdin (piped input or script). Please set the SB_UNLOCK_PASSPHRASE environment variable or run interactively")
+		return nil, fmt.Errorf("cannot read passphrase from non-terminal stdin " +
 			"(piped input or script). Please set the SB_UNLOCK_PASSPHRASE " +
 			"environment variable or run interactively")
 	}
 	// stdin is a terminal, check if stderr is also a terminal for interactive prompting
-	if !term.IsTerminal(int(syscall.Stderr)) {
+	if !term.IsTerminal(syscall.Stderr) {
-		return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE environment variable")
+		return nil, fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal " +
 			"(running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE " +
 			"environment variable")
 	}
 	// Both stdin and stderr are terminals - use secure password reading
 	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
-	passphrase, err := term.ReadPassword(int(syscall.Stdin))
+	passphrase, err := term.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase: %w", err)
+		return nil, fmt.Errorf("failed to read passphrase: %w", err)
 	}
 	fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo
 	if len(passphrase) == 0 {
-		return "", fmt.Errorf("passphrase cannot be empty")
+		return nil, fmt.Errorf("passphrase cannot be empty")
 	}
-	return string(passphrase), nil
+	// Create a secure buffer and copy the passphrase
 	secureBuffer := memguard.NewBufferFromBytes(passphrase)
 	// Clear the original passphrase slice
 	for i := range passphrase {
 		passphrase[i] = 0
 	}
 	return secureBuffer, nil
 }
--- a/internal/secret/debug.go
+++ b/internal/secret/debug.go
@@ -13,22 +13,23 @@ import (
 )
 var (
-	debugEnabled bool
+	debugEnabled bool         //nolint:gochecknoglobals // Package-wide debug state is necessary
-	debugLogger  *slog.Logger
+	debugLogger  *slog.Logger //nolint:gochecknoglobals // Package-wide logger instance is necessary
 )
 func init() {
-	initDebugLogging()
+	InitDebugLogging()
 }
-// initDebugLogging initializes the debug logging system based on GODEBUG environment variable
+// InitDebugLogging initializes the debug logging system based on current GODEBUG environment variable
-func initDebugLogging() {
+func InitDebugLogging() {
 	godebug := os.Getenv("GODEBUG")
 	debugEnabled = strings.Contains(godebug, "berlin.sneak.pkg.secret")
 	if !debugEnabled {
 		// Create a no-op logger that discards all output
 		debugLogger = slog.New(slog.NewTextHandler(io.Discard, nil))
 		return
 	}
@@ -36,7 +37,7 @@ func initDebugLogging() {
 	_, _, _ = syscall.Syscall(syscall.SYS_FCNTL, os.Stderr.Fd(), syscall.F_SETFL, syscall.O_SYNC)
 	// Check if STDERR is a TTY
-	isTTY := term.IsTerminal(int(syscall.Stderr))
+	isTTY := term.IsTerminal(syscall.Stderr)
 	var handler slog.Handler
 	if isTTY {
@@ -113,6 +114,7 @@ func (h *colorizedHandler) Handle(_ context.Context, record slog.Record) error {
 			}
 			first = false
 			output += fmt.Sprintf("%s=%#v", attr.Key, attr.Value.Any())
 			return true
 		})
 		output += "}\033[0m"
@@ -120,16 +122,17 @@ func (h *colorizedHandler) Handle(_ context.Context, record slog.Record) error {
 	output += "\n"
 	_, err := h.output.Write([]byte(output))
 	return err
 }
-func (h *colorizedHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
+func (h *colorizedHandler) WithAttrs(_ []slog.Attr) slog.Handler {
 	// For simplicity, return the same handler
 	// In a more complex implementation, we'd create a new handler with the attrs
 	return h
 }
-func (h *colorizedHandler) WithGroup(name string) slog.Handler {
+func (h *colorizedHandler) WithGroup(_ string) slog.Handler {
 	// For simplicity, return the same handler
 	// In a more complex implementation, we'd create a new handler with the group
 	return h
--- a/internal/secret/debug_test.go
+++ b/internal/secret/debug_test.go
@@ -3,7 +3,6 @@ package secret
 import (
 	"bytes"
 	"log/slog"
 	"os"
 	"strings"
 	"syscall"
 	"testing"
@@ -12,17 +11,8 @@ import (
 )
 func TestDebugLogging(t *testing.T) {
-	// Save original GODEBUG and restore it
+	// Test cleanup handled by t.Setenv
-	originalGodebug := os.Getenv("GODEBUG")
+	defer InitDebugLogging() // Re-initialize debug system after test
 	defer func() {
 		if originalGodebug == "" {
 			os.Unsetenv("GODEBUG")
 		} else {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
 		// Re-initialize debug system with original setting
 		initDebugLogging()
 	}()
 	tests := []struct {
 		name          string
@@ -54,14 +44,12 @@ func TestDebugLogging(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set GODEBUG
-			if tt.godebug == "" {
+			if tt.godebug != "" {
-				os.Unsetenv("GODEBUG")
+				t.Setenv("GODEBUG", tt.godebug)
 			} else {
 				os.Setenv("GODEBUG", tt.godebug)
 			}
 			// Re-initialize debug system
-			initDebugLogging()
+			InitDebugLogging()
 			// Test if debug is enabled
 			enabled := IsDebugEnabled()
@@ -76,7 +64,7 @@ func TestDebugLogging(t *testing.T) {
 				// Override the debug logger for testing
 				oldLogger := debugLogger
-				if term.IsTerminal(int(syscall.Stderr)) {
+				if term.IsTerminal(syscall.Stderr) {
 					// TTY: use colorized handler with our buffer
 					debugLogger = slog.New(newColorizedHandler(&buf))
 				} else {
@@ -104,34 +92,26 @@ func TestDebugLogging(t *testing.T) {
 func TestDebugFunctions(t *testing.T) {
 	// Enable debug for testing
-	originalGodebug := os.Getenv("GODEBUG")
+	t.Setenv("GODEBUG", "berlin.sneak.pkg.secret")
-	os.Setenv("GODEBUG", "berlin.sneak.pkg.secret")
+	defer InitDebugLogging() // Re-initialize after test
 	defer func() {
 		if originalGodebug == "" {
 			os.Unsetenv("GODEBUG")
 		} else {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
 		initDebugLogging()
 	}()
-	initDebugLogging()
+	InitDebugLogging()
 	if !IsDebugEnabled() {
-		t.Skip("Debug not enabled, skipping debug function tests")
+		t.Log("Debug not enabled, but continuing with debug function tests anyway")
 	}
 	// Test that debug functions don't panic and can be called
-	t.Run("Debug", func(t *testing.T) {
+	t.Run("Debug", func(_ *testing.T) {
 		Debug("test debug message")
 		Debug("test with args", "key", "value", "number", 42)
 	})
-	t.Run("DebugF", func(t *testing.T) {
+	t.Run("DebugF", func(_ *testing.T) {
 		DebugF("formatted message: %s %d", "test", 123)
 	})
-	t.Run("DebugWith", func(t *testing.T) {
+	t.Run("DebugWith", func(_ *testing.T) {
 		DebugWith("structured message",
 			slog.String("string_key", "string_value"),
 			slog.Int("int_key", 42),
--- a/internal/secret/helpers.go
+++ b/internal/secret/helpers.go
@@ -17,7 +17,7 @@ func generateRandomString(length int, charset string) (string, error) {
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
-	for i := 0; i < length; i++ {
+	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
@@ -48,7 +48,9 @@ func DetermineStateDir(customConfigDir string) string {
 	if err != nil {
 		// Fallback to a reasonable default if we can't determine user config dir
 		homeDir, _ := os.UserHomeDir()
 		return filepath.Join(homeDir, ".config", AppID)
 	}
 	return filepath.Join(configDir, AppID)
 }
--- a/internal/secret/keychainunlock.go
+++ b/internal/secret/keychainunlock.go
@@ -1,457 +0,0 @@
 package secret
 import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 )
 // KeychainUnlockKeyMetadata extends UnlockKeyMetadata with keychain-specific data
 type KeychainUnlockKeyMetadata struct {
 	UnlockKeyMetadata
 	// Age keypair information
 	AgePublicKey string `json:"age_public_key"`
 	// Keychain item name
 	KeychainItemName string `json:"keychain_item_name"`
 }
 // KeychainUnlockKey represents a macOS Keychain-protected unlock key
 type KeychainUnlockKey struct {
 	Directory string
 	Metadata  UnlockKeyMetadata
 	fs        afero.Fs
 }
 // KeychainData represents the data stored in the macOS keychain
 type KeychainData struct {
 	AgePublicKey         string `json:"age_public_key"`
 	AgePrivKeyPassphrase string `json:"age_priv_key_passphrase"`
 	EncryptedLongtermKey string `json:"encrypted_longterm_key"`
 }
 // GetIdentity implements UnlockKey interface for Keychain-based unlock keys
 func (k *KeychainUnlockKey) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting keychain unlock key identity",
 		slog.String("key_id", k.GetID()),
 		slog.String("key_type", k.GetType()),
 	)
 	// Step 1: Get keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name", "error", err, "key_id", k.GetID())
 		return nil, fmt.Errorf("failed to get keychain item name: %w", err)
 	}
 	// Step 2: Retrieve data from keychain
 	Debug("Retrieving data from macOS keychain", "keychain_item", keychainItemName)
 	keychainDataBytes, err := retrieveFromKeychain(keychainItemName)
 	if err != nil {
 		Debug("Failed to retrieve data from keychain", "error", err, "keychain_item", keychainItemName)
 		return nil, fmt.Errorf("failed to retrieve data from keychain: %w", err)
 	}
 	DebugWith("Retrieved data from keychain",
 		slog.String("key_id", k.GetID()),
 		slog.Int("data_length", len(keychainDataBytes)),
 	)
 	// Step 3: Parse keychain data
 	var keychainData KeychainData
 	if err := json.Unmarshal(keychainDataBytes, &keychainData); err != nil {
 		Debug("Failed to parse keychain data", "error", err, "key_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse keychain data: %w", err)
 	}
 	Debug("Parsed keychain data successfully", "key_id", k.GetID())
 	// Step 4: Read the encrypted age private key from filesystem
 	agePrivKeyPath := filepath.Join(k.Directory, "priv.age")
 	Debug("Reading encrypted age private key", "path", agePrivKeyPath)
 	encryptedAgePrivKeyData, err := afero.ReadFile(k.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
 	DebugWith("Read encrypted age private key",
 		slog.String("key_id", k.GetID()),
 		slog.Int("encrypted_length", len(encryptedAgePrivKeyData)),
 	)
 	// Step 5: Decrypt the age private key using the passphrase from keychain
 	Debug("Decrypting age private key with keychain passphrase", "key_id", k.GetID())
 	agePrivKeyData, err := DecryptWithPassphrase(encryptedAgePrivKeyData, keychainData.AgePrivKeyPassphrase)
 	if err != nil {
 		Debug("Failed to decrypt age private key with keychain passphrase", "error", err, "key_id", k.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with keychain passphrase: %w", err)
 	}
 	DebugWith("Successfully decrypted age private key with keychain passphrase",
 		slog.String("key_id", k.GetID()),
 		slog.Int("decrypted_length", len(agePrivKeyData)),
 	)
 	// Step 6: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "key_id", k.GetID())
 	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "key_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
 	DebugWith("Successfully parsed keychain age identity",
 		slog.String("key_id", k.GetID()),
 		slog.String("public_key", ageIdentity.Recipient().String()),
 	)
 	return ageIdentity, nil
 }
 // GetType implements UnlockKey interface
 func (k *KeychainUnlockKey) GetType() string {
 	return "keychain"
 }
 // GetMetadata implements UnlockKey interface
 func (k *KeychainUnlockKey) GetMetadata() UnlockKeyMetadata {
 	return k.Metadata
 }
 // GetDirectory implements UnlockKey interface
 func (k *KeychainUnlockKey) GetDirectory() string {
 	return k.Directory
 }
 // GetID implements UnlockKey interface
 func (k *KeychainUnlockKey) GetID() string {
 	return k.Metadata.ID
 }
 // ID implements UnlockKey interface - generates ID from keychain item name
 func (k *KeychainUnlockKey) ID() string {
 	// Generate ID using keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		// Fallback to metadata ID if we can't read the keychain item name
 		return k.Metadata.ID
 	}
 	return fmt.Sprintf("%s-keychain", keychainItemName)
 }
 // Remove implements UnlockKey interface - removes the keychain unlock key
 func (k *KeychainUnlockKey) Remove() error {
 	// Step 1: Get keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name during removal", "error", err, "key_id", k.GetID())
 		return fmt.Errorf("failed to get keychain item name: %w", err)
 	}
 	// Step 2: Remove from keychain
 	Debug("Removing keychain item", "keychain_item", keychainItemName)
 	if err := deleteFromKeychain(keychainItemName); err != nil {
 		Debug("Failed to remove keychain item", "error", err, "keychain_item", keychainItemName)
 		return fmt.Errorf("failed to remove keychain item: %w", err)
 	}
 	// Step 3: Remove directory
 	Debug("Removing keychain unlock key directory", "directory", k.Directory)
 	if err := k.fs.RemoveAll(k.Directory); err != nil {
 		Debug("Failed to remove keychain unlock key directory", "error", err, "directory", k.Directory)
 		return fmt.Errorf("failed to remove keychain unlock key directory: %w", err)
 	}
 	Debug("Successfully removed keychain unlock key", "key_id", k.GetID(), "keychain_item", keychainItemName)
 	return nil
 }
 // NewKeychainUnlockKey creates a new KeychainUnlockKey instance
 func NewKeychainUnlockKey(fs afero.Fs, directory string, metadata UnlockKeyMetadata) *KeychainUnlockKey {
 	return &KeychainUnlockKey{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // GetKeychainItemName returns the keychain item name from metadata
 func (k *KeychainUnlockKey) GetKeychainItemName() (string, error) {
 	// Load the metadata
 	metadataPath := filepath.Join(k.Directory, "unlock-metadata.json")
 	metadataData, err := afero.ReadFile(k.fs, metadataPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read keychain metadata: %w", err)
 	}
 	var keychainMetadata KeychainUnlockKeyMetadata
 	if err := json.Unmarshal(metadataData, &keychainMetadata); err != nil {
 		return "", fmt.Errorf("failed to parse keychain metadata: %w", err)
 	}
 	return keychainMetadata.KeychainItemName, nil
 }
 // generateKeychainUnlockKeyName generates a unique name for the keychain unlock key
 func generateKeychainUnlockKeyName(vaultName string) (string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return "", fmt.Errorf("failed to get hostname: %w", err)
 	}
 	// Format: secret-<vault>-<hostname>-<date>
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("secret-%s-%s-%s", vaultName, hostname, enrollmentDate), nil
 }
 // CreateKeychainUnlockKey creates a new keychain unlock key and stores it in the vault
 func CreateKeychainUnlockKey(fs afero.Fs, stateDir string) (*KeychainUnlockKey, error) {
 	// Check if we're on macOS
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
 	// Get current vault using the GetCurrentVault function from the same package
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the keychain item name
 	keychainItemName, err := generateKeychainUnlockKeyName(vault.GetName())
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate keychain item name: %w", err)
 	}
 	// Create unlock key directory using the keychain item name as the directory name
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockKeyDir := filepath.Join(vaultDir, "unlock.d", keychainItemName)
 	if err := fs.MkdirAll(unlockKeyDir, DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlock key directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the keychain unlock key
 	ageIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
 	}
 	// Step 2: Generate a random passphrase for encrypting the age private key
 	agePrivKeyPassphrase, err := generateRandomPassphrase(64)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err)
 	}
 	// Step 3: Store age public key as plaintext
 	agePublicKeyString := ageIdentity.Recipient().String()
 	agePubKeyPath := filepath.Join(unlockKeyDir, "pub.age")
 	if err := afero.WriteFile(fs, agePubKeyPath, []byte(agePublicKeyString), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age public key: %w", err)
 	}
 	// Step 4: Encrypt age private key with the generated passphrase and store on disk
 	agePrivateKeyBytes := []byte(ageIdentity.String())
 	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivateKeyBytes, agePrivKeyPassphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with passphrase: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockKeyDir, "priv.age")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 5: Get or derive the long-term private key
 	var ltPrivKeyData []byte
 	// Check if mnemonic is available in environment variable
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
 		// Use mnemonic directly to derive long-term key
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 		ltPrivKeyData = []byte(ltIdentity.String())
 	} else {
 		// Get the vault to access current unlock key
 		currentUnlockKey, err := vault.GetCurrentUnlockKey()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlock key: %w", err)
 		}
 		// Get the current unlock key identity
 		currentUnlockIdentity, err := currentUnlockKey.GetIdentity()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlock key identity: %w", err)
 		}
 		// Get encrypted long-term key from current unlock key, handling different types
 		var encryptedLtPrivKey []byte
 		switch currentUnlockKey := currentUnlockKey.(type) {
 		case *PassphraseUnlockKey:
 			// Read the encrypted long-term private key from passphrase unlock key
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current passphrase unlock key: %w", err)
 			}
 		case *PGPUnlockKey:
 			// Read the encrypted long-term private key from PGP unlock key
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current PGP unlock key: %w", err)
 			}
 		case *KeychainUnlockKey:
 			// Read the encrypted long-term private key from another keychain unlock key
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current keychain unlock key: %w", err)
 			}
 		default:
 			return nil, fmt.Errorf("unsupported current unlock key type for keychain unlock key creation")
 		}
 		// Decrypt long-term private key using current unlock key
 		ltPrivKeyData, err = DecryptWithIdentity(encryptedLtPrivKey, currentUnlockIdentity)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 		}
 	}
 	// Step 6: Encrypt long-term private key to the new age unlock key
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key to age unlock key: %w", err)
 	}
 	// Write encrypted long-term private key
 	ltPrivKeyPath := filepath.Join(unlockKeyDir, "longterm.age")
 	if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKeyToAge, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Step 7: Prepare keychain data
 	keychainData := KeychainData{
 		AgePublicKey:         agePublicKeyString,
 		AgePrivKeyPassphrase: agePrivKeyPassphrase,
 		EncryptedLongtermKey: hex.EncodeToString(encryptedLtPrivKeyToAge),
 	}
 	keychainDataBytes, err := json.Marshal(keychainData)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal keychain data: %w", err)
 	}
 	// Step 8: Store data in keychain
 	if err := storeInKeychain(keychainItemName, keychainDataBytes); err != nil {
 		return nil, fmt.Errorf("failed to store data in keychain: %w", err)
 	}
 	// Step 9: Create and write enhanced metadata
 	// Generate the key ID directly using the keychain item name
 	keyID := fmt.Sprintf("%s-keychain", keychainItemName)
 	keychainMetadata := KeychainUnlockKeyMetadata{
 		UnlockKeyMetadata: UnlockKeyMetadata{
 			ID:        keyID,
 			Type:      "keychain",
 			CreatedAt: time.Now(),
 			Flags:     []string{"keychain", "macos"},
 		},
 		AgePublicKey:     agePublicKeyString,
 		KeychainItemName: keychainItemName,
 	}
 	metadataBytes, err := json.MarshalIndent(keychainMetadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal unlock key metadata: %w", err)
 	}
 	if err := afero.WriteFile(fs, filepath.Join(unlockKeyDir, "unlock-metadata.json"), metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlock key metadata: %w", err)
 	}
 	return &KeychainUnlockKey{
 		Directory: unlockKeyDir,
 		Metadata:  keychainMetadata.UnlockKeyMetadata,
 		fs:        fs,
 	}, nil
 }
 // checkMacOSAvailable verifies that we're running on macOS and security command is available
 func checkMacOSAvailable() error {
 	cmd := exec.Command("/usr/bin/security", "help")
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("macOS security command not available: %w (keychain unlock keys are only supported on macOS)", err)
 	}
 	return nil
 }
 // storeInKeychain stores data in the macOS keychain using the security command
 func storeInKeychain(itemName string, data []byte) error {
 	cmd := exec.Command("/usr/bin/security", "add-generic-password",
 		"-a", itemName,
 		"-s", itemName,
 		"-w", string(data),
 		"-U") // Update if exists
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to store item in keychain: %w", err)
 	}
 	return nil
 }
 // retrieveFromKeychain retrieves data from the macOS keychain using the security command
 func retrieveFromKeychain(itemName string) ([]byte, error) {
 	cmd := exec.Command("/usr/bin/security", "find-generic-password",
 		"-a", itemName,
 		"-s", itemName,
 		"-w") // Return password only
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve item from keychain: %w", err)
 	}
 	// Remove trailing newline if present
 	if len(output) > 0 && output[len(output)-1] == '\n' {
 		output = output[:len(output)-1]
 	}
 	return output, nil
 }
 // deleteFromKeychain removes an item from the macOS keychain using the security command
 func deleteFromKeychain(itemName string) error {
 	cmd := exec.Command("/usr/bin/security", "delete-generic-password",
 		"-a", itemName,
 		"-s", itemName)
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to delete item from keychain: %w", err)
 	}
 	return nil
 }
 // generateRandomPassphrase generates a random passphrase for encrypting the age private key
 func generateRandomPassphrase(length int) (string, error) {
 	return generateRandomString(length, "0123456789abcdef")
 }
--- a/internal/secret/keychainunlocker.go
+++ b/internal/secret/keychainunlocker.go
@@ -0,0 +1,530 @@
 package secret
 import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 const (
 	agePrivKeyPassphraseLength = 64
 )
 // keychainItemNameRegex validates keychain item names
 // Allows alphanumeric characters, dots, hyphens, and underscores only
 var keychainItemNameRegex = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
 // KeychainUnlockerMetadata extends UnlockerMetadata with keychain-specific data
 type KeychainUnlockerMetadata struct {
 	UnlockerMetadata
 	// Keychain item name
 	KeychainItemName string `json:"keychainItemName"`
 }
 // KeychainUnlocker represents a macOS Keychain-protected unlocker
 type KeychainUnlocker struct {
 	Directory string
 	Metadata  UnlockerMetadata
 	fs        afero.Fs
 }
 // KeychainData represents the data stored in the macOS keychain
 type KeychainData struct {
 	AgePublicKey         string `json:"agePublicKey"`
 	AgePrivKeyPassphrase string `json:"agePrivKeyPassphrase"`
 	EncryptedLongtermKey string `json:"encryptedLongtermKey"`
 }
 // GetIdentity implements Unlocker interface for Keychain-based unlockers
 func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting keychain unlocker identity",
 		slog.String("unlocker_id", k.GetID()),
 		slog.String("unlocker_type", k.GetType()),
 	)
 	// Step 1: Get keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to get keychain item name: %w", err)
 	}
 	// Step 2: Retrieve data from keychain
 	Debug("Retrieving data from macOS keychain", "keychain_item", keychainItemName)
 	keychainDataBytes, err := retrieveFromKeychain(keychainItemName)
 	if err != nil {
 		Debug("Failed to retrieve data from keychain", "error", err, "keychain_item", keychainItemName)
 		return nil, fmt.Errorf("failed to retrieve data from keychain: %w", err)
 	}
 	DebugWith("Retrieved data from keychain",
 		slog.String("unlocker_id", k.GetID()),
 		slog.Int("data_length", len(keychainDataBytes)),
 	)
 	// Step 3: Parse keychain data
 	var keychainData KeychainData
 	if err := json.Unmarshal(keychainDataBytes, &keychainData); err != nil {
 		Debug("Failed to parse keychain data", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse keychain data: %w", err)
 	}
 	Debug("Parsed keychain data successfully", "unlocker_id", k.GetID())
 	// Step 4: Read the encrypted age private key from filesystem
 	agePrivKeyPath := filepath.Join(k.Directory, "priv.age")
 	Debug("Reading encrypted age private key", "path", agePrivKeyPath)
 	encryptedAgePrivKeyData, err := afero.ReadFile(k.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
 	DebugWith("Read encrypted age private key",
 		slog.String("unlocker_id", k.GetID()),
 		slog.Int("encrypted_length", len(encryptedAgePrivKeyData)),
 	)
 	// Step 5: Decrypt the age private key using the passphrase from keychain
 	Debug("Decrypting age private key with keychain passphrase", "unlocker_id", k.GetID())
 	// Create secure buffer for the keychain passphrase
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(keychainData.AgePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 	agePrivKeyData, err := DecryptWithPassphrase(encryptedAgePrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt age private key with keychain passphrase", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with keychain passphrase: %w", err)
 	}
 	DebugWith("Successfully decrypted age private key with keychain passphrase",
 		slog.String("unlocker_id", k.GetID()),
 		slog.Int("decrypted_length", len(agePrivKeyData)),
 	)
 	// Step 6: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", k.GetID())
 	// Create a secure buffer for the private key data
 	agePrivKeyBuffer := memguard.NewBufferFromBytes(agePrivKeyData)
 	defer agePrivKeyBuffer.Destroy()
 	// Clear the original private key data
 	for i := range agePrivKeyData {
 		agePrivKeyData[i] = 0
 	}
 	ageIdentity, err := age.ParseX25519Identity(agePrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
 	DebugWith("Successfully parsed keychain age identity",
 		slog.String("unlocker_id", k.GetID()),
 		slog.String("public_key", ageIdentity.Recipient().String()),
 	)
 	return ageIdentity, nil
 }
 // GetType implements Unlocker interface
 func (k *KeychainUnlocker) GetType() string {
 	return "keychain"
 }
 // GetMetadata implements Unlocker interface
 func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
 	return k.Metadata
 }
 // GetDirectory implements Unlocker interface
 func (k *KeychainUnlocker) GetDirectory() string {
 	return k.Directory
 }
 // GetID implements Unlocker interface - generates ID from keychain item name
 func (k *KeychainUnlocker) GetID() string {
 	// Generate ID using keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		// The vault metadata is corrupt - this is a fatal error
 		// We cannot continue with a fallback ID as that would mask data corruption
 		panic(fmt.Sprintf("Keychain unlocker metadata is corrupt or missing keychain item name: %v", err))
 	}
 	return fmt.Sprintf("%s-keychain", keychainItemName)
 }
 // Remove implements Unlocker interface - removes the keychain unlocker
 func (k *KeychainUnlocker) Remove() error {
 	// Step 1: Get keychain item name
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name during removal", "error", err, "unlocker_id", k.GetID())
 		return fmt.Errorf("failed to get keychain item name: %w", err)
 	}
 	// Step 2: Remove from keychain
 	Debug("Removing keychain item", "keychain_item", keychainItemName)
 	if err := deleteFromKeychain(keychainItemName); err != nil {
 		Debug("Failed to remove keychain item", "error", err, "keychain_item", keychainItemName)
 		return fmt.Errorf("failed to remove keychain item: %w", err)
 	}
 	// Step 3: Remove directory
 	Debug("Removing keychain unlocker directory", "directory", k.Directory)
 	if err := k.fs.RemoveAll(k.Directory); err != nil {
 		Debug("Failed to remove keychain unlocker directory", "error", err, "directory", k.Directory)
 		return fmt.Errorf("failed to remove keychain unlocker directory: %w", err)
 	}
 	Debug("Successfully removed keychain unlocker", "unlocker_id", k.GetID(), "keychain_item", keychainItemName)
 	return nil
 }
 // NewKeychainUnlocker creates a new KeychainUnlocker instance
 func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
 	return &KeychainUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // GetKeychainItemName returns the keychain item name from metadata
 func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
 	// Load the metadata
 	metadataPath := filepath.Join(k.Directory, "unlocker-metadata.json")
 	metadataData, err := afero.ReadFile(k.fs, metadataPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read keychain metadata: %w", err)
 	}
 	var keychainMetadata KeychainUnlockerMetadata
 	if err := json.Unmarshal(metadataData, &keychainMetadata); err != nil {
 		return "", fmt.Errorf("failed to parse keychain metadata: %w", err)
 	}
 	return keychainMetadata.KeychainItemName, nil
 }
 // generateKeychainUnlockerName generates a unique name for the keychain unlocker
 func generateKeychainUnlockerName(vaultName string) (string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return "", fmt.Errorf("failed to get hostname: %w", err)
 	}
 	// Format: secret-<vault>-<hostname>-<date>
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("secret-%s-%s-%s", vaultName, hostname, enrollmentDate), nil
 }
 // getLongTermPrivateKey retrieves the long-term private key either from environment or current unlocker
 // Returns a LockedBuffer to ensure the private key is protected in memory
 func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
 	// Check if mnemonic is available in environment variable
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
 		// Use mnemonic directly to derive long-term key
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 		// Return the private key in a secure buffer
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
 	}
 	// Get the vault to access current unlocker
 	currentUnlocker, err := vault.GetCurrentUnlocker()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
 	// Get the current unlocker identity
 	currentUnlockerIdentity, err := currentUnlocker.GetIdentity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
 	}
 	// Get encrypted long-term key from current unlocker, handling different types
 	var encryptedLtPrivKey []byte
 	switch currentUnlocker := currentUnlocker.(type) {
 	case *PassphraseUnlocker:
 		// Read the encrypted long-term private key from passphrase unlocker
 		encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlocker.GetDirectory(), "longterm.age"))
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted long-term key from current passphrase unlocker: %w", err)
 		}
 	case *PGPUnlocker:
 		// Read the encrypted long-term private key from PGP unlocker
 		encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlocker.GetDirectory(), "longterm.age"))
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted long-term key from current PGP unlocker: %w", err)
 		}
 	case *KeychainUnlocker:
 		// Read the encrypted long-term private key from another keychain unlocker
 		encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlocker.GetDirectory(), "longterm.age"))
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted long-term key from current keychain unlocker: %w", err)
 		}
 	default:
 		return nil, fmt.Errorf("unsupported current unlocker type for keychain unlocker creation")
 	}
 	// Decrypt long-term private key using current unlocker
 	ltPrivKeyData, err := DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	// Return the decrypted key in a secure buffer
 	return memguard.NewBufferFromBytes(ltPrivKeyData), nil
 }
 // CreateKeychainUnlocker creates a new keychain unlocker and stores it in the vault
 func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
 	// Check if we're on macOS
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
 	// Get current vault using the GetCurrentVault function from the same package
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the keychain item name
 	keychainItemName, err := generateKeychainUnlockerName(vault.GetName())
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate keychain item name: %w", err)
 	}
 	// Create unlocker directory using the keychain item name as the directory name
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", keychainItemName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the keychain unlocker
 	ageIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
 	}
 	// Step 2: Generate a random passphrase for encrypting the age private key
 	agePrivKeyPassphrase, err := generateRandomPassphrase(agePrivKeyPassphraseLength)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err)
 	}
 	// Step 3: Store age recipient as plaintext
 	ageRecipient := ageIdentity.Recipient().String()
 	recipientPath := filepath.Join(unlockerDir, "pub.txt")
 	if err := afero.WriteFile(fs, recipientPath, []byte(ageRecipient), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age recipient: %w", err)
 	}
 	// Step 4: Encrypt age private key with the generated passphrase and store on disk
 	// Create secure buffers for both the private key and passphrase
 	agePrivKeyStr := ageIdentity.String()
 	agePrivKeyBuffer := memguard.NewBufferFromBytes([]byte(agePrivKeyStr))
 	defer agePrivKeyBuffer.Destroy()
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(agePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivKeyBuffer.Bytes(), passphraseBuffer)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with passphrase: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockerDir, "priv.age")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 5: Get or derive the long-term private key
 	ltPrivKeyData, err := getLongTermPrivateKey(fs, vault)
 	if err != nil {
 		return nil, err
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 6: Encrypt long-term private key to the new age unlocker
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key to age unlocker: %w", err)
 	}
 	// Write encrypted long-term private key
 	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKeyToAge, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Step 7: Prepare keychain data
 	keychainData := KeychainData{
 		AgePublicKey:         ageRecipient,
 		AgePrivKeyPassphrase: agePrivKeyPassphrase,
 		EncryptedLongtermKey: hex.EncodeToString(encryptedLtPrivKeyToAge),
 	}
 	keychainDataBytes, err := json.Marshal(keychainData)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal keychain data: %w", err)
 	}
 	// Step 8: Store data in keychain
 	if err := storeInKeychain(keychainItemName, keychainDataBytes); err != nil {
 		return nil, fmt.Errorf("failed to store data in keychain: %w", err)
 	}
 	// Step 9: Create and write enhanced metadata
 	keychainMetadata := KeychainUnlockerMetadata{
 		UnlockerMetadata: UnlockerMetadata{
 			Type:      "keychain",
 			CreatedAt: time.Now(),
 			Flags:     []string{"keychain", "macos"},
 		},
 		KeychainItemName: keychainItemName,
 	}
 	metadataBytes, err := json.MarshalIndent(keychainMetadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal unlocker metadata: %w", err)
 	}
 	if err := afero.WriteFile(fs,
 		filepath.Join(unlockerDir, "unlocker-metadata.json"),
 		metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
 	}
 	return &KeychainUnlocker{
 		Directory: unlockerDir,
 		Metadata:  keychainMetadata.UnlockerMetadata,
 		fs:        fs,
 	}, nil
 }
 // checkMacOSAvailable verifies that we're running on macOS and security command is available
 func checkMacOSAvailable() error {
 	cmd := exec.Command("/usr/bin/security", "help")
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("macOS security command not available: %w (keychain unlockers are only supported on macOS)", err)
 	}
 	return nil
 }
 // validateKeychainItemName validates that a keychain item name is safe for command execution
 func validateKeychainItemName(itemName string) error {
 	if itemName == "" {
 		return fmt.Errorf("keychain item name cannot be empty")
 	}
 	if !keychainItemNameRegex.MatchString(itemName) {
 		return fmt.Errorf("invalid keychain item name format: %s", itemName)
 	}
 	return nil
 }
 // storeInKeychain stores data in the macOS keychain using the security command
 func storeInKeychain(itemName string, data []byte) error {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
 	cmd := exec.Command("/usr/bin/security", "add-generic-password", //nolint:gosec
 		"-a", itemName,
 		"-s", itemName,
 		"-w", string(data),
 		"-U") // Update if exists
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to store item in keychain: %w", err)
 	}
 	return nil
 }
 // retrieveFromKeychain retrieves data from the macOS keychain using the security command
 func retrieveFromKeychain(itemName string) ([]byte, error) {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return nil, fmt.Errorf("invalid keychain item name: %w", err)
 	}
 	cmd := exec.Command("/usr/bin/security", "find-generic-password", //nolint:gosec
 		"-a", itemName,
 		"-s", itemName,
 		"-w") // Return password only
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve item from keychain: %w", err)
 	}
 	// Remove trailing newline if present
 	if len(output) > 0 && output[len(output)-1] == '\n' {
 		output = output[:len(output)-1]
 	}
 	return output, nil
 }
 // deleteFromKeychain removes an item from the macOS keychain using the security command
 func deleteFromKeychain(itemName string) error {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
 	cmd := exec.Command("/usr/bin/security", "delete-generic-password", //nolint:gosec
 		"-a", itemName,
 		"-s", itemName)
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to delete item from keychain: %w", err)
 	}
 	return nil
 }
 // generateRandomPassphrase generates a random passphrase for encrypting the age private key
 func generateRandomPassphrase(length int) (string, error) {
 	return generateRandomString(length, "0123456789abcdef")
 }
--- a/internal/secret/metadata.go
+++ b/internal/secret/metadata.go
@@ -6,25 +6,24 @@ import (
 // VaultMetadata contains information about a vault
 type VaultMetadata struct {
 	Name            string    `json:"name"`
 	CreatedAt       time.Time `json:"createdAt"`
 	Description     string    `json:"description,omitempty"`
-	DerivationIndex uint32    `json:"derivation_index"`
+	DerivationIndex uint32    `json:"derivationIndex"`
-	LongTermKeyHash string    `json:"long_term_key_hash"` // Double SHA256 hash of derived long-term private key
+	// Double SHA256 hash of the actual long-term public key
-	MnemonicHash    string    `json:"mnemonic_hash"`      // Double SHA256 hash of mnemonic for index tracking
+	PublicKeyHash string `json:"publicKeyHash,omitempty"`
 	// Double SHA256 hash of index-0 key (for grouping vaults from same mnemonic)
 	MnemonicFamilyHash string `json:"mnemonicFamilyHash,omitempty"`
 }
-// UnlockKeyMetadata contains information about an unlock key
+// UnlockerMetadata contains information about an unlocker
-type UnlockKeyMetadata struct {
+type UnlockerMetadata struct {
 	ID        string    `json:"id"`
 	Type      string    `json:"type"` // passphrase, pgp, keychain
 	CreatedAt time.Time `json:"createdAt"`
 	Flags     []string  `json:"flags,omitempty"`
 }
-// SecretMetadata contains information about a secret
+// Metadata contains information about a secret
-type SecretMetadata struct {
+type Metadata struct {
 	Name      string    `json:"name"`
 	CreatedAt time.Time `json:"createdAt"`
 	UpdatedAt time.Time `json:"updatedAt"`
 }
--- a/internal/secret/passphrase_test.go
+++ b/internal/secret/passphrase_test.go
@@ -9,13 +9,14 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
-func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
+func TestPassphraseUnlockerWithRealFS(t *testing.T) {
-	// Skip this test if CI=true is set, as it uses real filesystem
+	// This test uses real filesystem
 	if os.Getenv("CI") == "true" {
-		t.Skip("Skipping test with real filesystem in CI environment")
+		t.Log("Running in CI environment with real filesystem")
 	}
 	// Create a temporary directory for our tests
@@ -33,21 +34,20 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 	testPassphrase := "test-passphrase-123"
 	// Create the directory structure
-	keyDir := filepath.Join(tempDir, "unlock-key")
+	unlockerDir := filepath.Join(tempDir, "unlocker")
-	if err := os.MkdirAll(keyDir, secret.DirPerms); err != nil {
+	if err := os.MkdirAll(unlockerDir, secret.DirPerms); err != nil {
-		t.Fatalf("Failed to create key directory: %v", err)
+		t.Fatalf("Failed to create unlocker directory: %v", err)
 	}
 	// Set up test metadata
-	metadata := secret.UnlockKeyMetadata{
+	metadata := secret.UnlockerMetadata{
 		ID:        "test-passphrase",
 		Type:      "passphrase",
 		CreatedAt: time.Now(),
 		Flags:     []string{},
 	}
-	// Create passphrase unlock key
+	// Create passphrase unlocker
-	unlockKey := secret.NewPassphraseUnlockKey(fs, keyDir, metadata)
+	unlocker := secret.NewPassphraseUnlocker(fs, unlockerDir, metadata)
 	// Generate a test age identity
 	ageIdentity, err := age.GenerateX25519Identity()
@@ -59,7 +59,7 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 	// Test writing public key
 	t.Run("WritePublicKey", func(t *testing.T) {
-		pubKeyPath := filepath.Join(keyDir, "pub.age")
+		pubKeyPath := filepath.Join(unlockerDir, "pub.age")
 		if err := afero.WriteFile(fs, pubKeyPath, []byte(agePublicKey), secret.FilePerms); err != nil {
 			t.Fatalf("Failed to write public key: %v", err)
 		}
@@ -77,12 +77,14 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 	// Test encrypting private key with passphrase
 	t.Run("EncryptPrivateKey", func(t *testing.T) {
 		privKeyData := []byte(agePrivateKey)
-		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, testPassphrase)
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte(testPassphrase))
 		defer passphraseBuffer.Destroy()
 		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to encrypt private key: %v", err)
 		}
-		privKeyPath := filepath.Join(keyDir, "priv.age")
+		privKeyPath := filepath.Join(unlockerDir, "priv.age")
 		if err := afero.WriteFile(fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil {
 			t.Fatalf("Failed to write encrypted private key: %v", err)
 		}
@@ -105,19 +107,20 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 			t.Fatalf("Failed to derive long-term identity: %v", err)
 		}
-		// Encrypt long-term private key to the unlock key's recipient
+		// Encrypt long-term private key to the unlocker's recipient
 		recipient, err := age.ParseX25519Recipient(agePublicKey)
 		if err != nil {
 			t.Fatalf("Failed to parse recipient: %v", err)
 		}
-		ltPrivKeyData := []byte(ltIdentity.String())
+		ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
-		encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, recipient)
+		defer ltPrivKeyBuffer.Destroy()
 		encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, recipient)
 		if err != nil {
 			t.Fatalf("Failed to encrypt long-term private key: %v", err)
 		}
-		ltPrivKeyPath := filepath.Join(keyDir, "longterm.age")
+		ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 		if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
 			t.Fatalf("Failed to write encrypted long-term private key: %v", err)
 		}
@@ -132,22 +135,12 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 		}
 	})
-	// Save original environment variables and set test ones
+	// Set test environment variable (cleaned up automatically)
-	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
+	t.Setenv(secret.EnvUnlockPassphrase, testPassphrase)
 	os.Setenv(secret.EnvUnlockPassphrase, testPassphrase)
 	// Clean up after test
 	defer func() {
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Test getting identity from environment variable
 	t.Run("GetIdentityFromEnv", func(t *testing.T) {
-		identity, err := unlockKey.GetIdentity()
+		identity, err := unlocker.GetIdentity()
 		if err != nil {
 			t.Fatalf("Failed to get identity from env: %v", err)
 		}
@@ -168,26 +161,26 @@ func TestPassphraseUnlockKeyWithRealFS(t *testing.T) {
 	// Here we'll just verify the error is what we expect when no passphrase is available
 	t.Run("GetIdentityWithoutEnv", func(t *testing.T) {
 		// This should fail since we're not in an interactive terminal
-		_, err := unlockKey.GetIdentity()
+		_, err := unlocker.GetIdentity()
 		if err == nil {
 			t.Errorf("Should have failed to get identity without passphrase env var")
 		}
 	})
-	// Test removing the unlock key
+	// Test removing the unlocker
-	t.Run("RemoveUnlockKey", func(t *testing.T) {
+	t.Run("RemoveUnlocker", func(t *testing.T) {
-		err := unlockKey.Remove()
+		err := unlocker.Remove()
 		if err != nil {
-			t.Fatalf("Failed to remove unlock key: %v", err)
+			t.Fatalf("Failed to remove unlocker: %v", err)
 		}
 		// Verify the directory is gone
-		exists, err := afero.DirExists(fs, keyDir)
+		exists, err := afero.DirExists(fs, unlockerDir)
 		if err != nil {
-			t.Fatalf("Failed to check if key directory exists: %v", err)
+			t.Fatalf("Failed to check if unlocker directory exists: %v", err)
 		}
 		if exists {
-			t.Errorf("Key directory should not exist after removal")
+			t.Errorf("Unlocker directory should not exist after removal")
 		}
 	})
 }
--- a/internal/secret/passphraseunlock.go
+++ b/internal/secret/passphraseunlock.go
@@ -1,150 +0,0 @@
 package secret
 import (
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"filippo.io/age"
 	"github.com/spf13/afero"
 )
 // PassphraseUnlockKey represents a passphrase-protected unlock key
 type PassphraseUnlockKey struct {
 	Directory  string
 	Metadata   UnlockKeyMetadata
 	fs         afero.Fs
 	Passphrase string
 }
 // GetIdentity implements UnlockKey interface for passphrase-based unlock keys
 func (p *PassphraseUnlockKey) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting passphrase unlock key identity",
 		slog.String("key_id", p.GetID()),
 		slog.String("key_type", p.GetType()),
 	)
 	// First check if we already have the passphrase
 	passphraseStr := p.Passphrase
 	if passphraseStr == "" {
 		Debug("No passphrase in memory, checking environment")
 		// Check environment variable for passphrase
 		passphraseStr = os.Getenv(EnvUnlockPassphrase)
 		if passphraseStr == "" {
 			Debug("No passphrase in environment, prompting user")
 			// Prompt for passphrase
 			var err error
 			passphraseStr, err = ReadPassphrase("Enter unlock passphrase: ")
 			if err != nil {
 				Debug("Failed to read passphrase", "error", err, "key_id", p.GetID())
 				return nil, fmt.Errorf("failed to read passphrase: %w", err)
 			}
 		} else {
 			Debug("Using passphrase from environment", "key_id", p.GetID())
 		}
 	} else {
 		Debug("Using in-memory passphrase", "key_id", p.GetID())
 	}
 	// Read encrypted private key of unlock key
 	unlockKeyPrivPath := filepath.Join(p.Directory, "priv.age")
 	Debug("Reading encrypted passphrase unlock key", "path", unlockKeyPrivPath)
 	encryptedPrivKeyData, err := afero.ReadFile(p.fs, unlockKeyPrivPath)
 	if err != nil {
 		Debug("Failed to read passphrase unlock key private key", "error", err, "path", unlockKeyPrivPath)
 		return nil, fmt.Errorf("failed to read unlock key private key: %w", err)
 	}
 	DebugWith("Read encrypted passphrase unlock key",
 		slog.String("key_id", p.GetID()),
 		slog.Int("encrypted_length", len(encryptedPrivKeyData)),
 	)
 	Debug("Decrypting unlock key private key with passphrase", "key_id", p.GetID())
 	// Decrypt the unlock key private key with passphrase
 	privKeyData, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseStr)
 	if err != nil {
 		Debug("Failed to decrypt unlock key private key", "error", err, "key_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt unlock key private key: %w", err)
 	}
 	DebugWith("Successfully decrypted unlock key private key",
 		slog.String("key_id", p.GetID()),
 		slog.Int("decrypted_length", len(privKeyData)),
 	)
 	// Parse the decrypted private key
 	Debug("Parsing decrypted unlock key identity", "key_id", p.GetID())
 	identity, err := age.ParseX25519Identity(string(privKeyData))
 	if err != nil {
 		Debug("Failed to parse unlock key private key", "error", err, "key_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse unlock key private key: %w", err)
 	}
 	DebugWith("Successfully parsed passphrase unlock key identity",
 		slog.String("key_id", p.GetID()),
 		slog.String("public_key", identity.Recipient().String()),
 	)
 	return identity, nil
 }
 // GetType implements UnlockKey interface
 func (p *PassphraseUnlockKey) GetType() string {
 	return "passphrase"
 }
 // GetMetadata implements UnlockKey interface
 func (p *PassphraseUnlockKey) GetMetadata() UnlockKeyMetadata {
 	return p.Metadata
 }
 // GetDirectory implements UnlockKey interface
 func (p *PassphraseUnlockKey) GetDirectory() string {
 	return p.Directory
 }
 // GetID implements UnlockKey interface
 func (p *PassphraseUnlockKey) GetID() string {
 	return p.Metadata.ID
 }
 // ID implements UnlockKey interface - generates ID from creation timestamp
 func (p *PassphraseUnlockKey) ID() string {
 	// Generate ID using creation timestamp: YYYY-MM-DD.HH.mm-passphrase
 	createdAt := p.Metadata.CreatedAt
 	return fmt.Sprintf("%s-passphrase", createdAt.Format("2006-01-02.15.04"))
 }
 // Remove implements UnlockKey interface - removes the passphrase unlock key
 func (p *PassphraseUnlockKey) Remove() error {
 	// For passphrase keys, we just need to remove the directory
 	// No external resources (like keychain items) to clean up
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove passphrase unlock key directory: %w", err)
 	}
 	return nil
 }
 // NewPassphraseUnlockKey creates a new PassphraseUnlockKey instance
 func NewPassphraseUnlockKey(fs afero.Fs, directory string, metadata UnlockKeyMetadata) *PassphraseUnlockKey {
 	return &PassphraseUnlockKey{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // CreatePassphraseKey creates a new passphrase-protected unlock key
 func CreatePassphraseKey(fs afero.Fs, stateDir string, passphrase string) (*PassphraseUnlockKey, error) {
 	// Get current vault
 	currentVault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	return currentVault.CreatePassphraseKey(passphrase)
 }
--- a/internal/secret/passphraseunlocker.go
+++ b/internal/secret/passphraseunlocker.go
@@ -0,0 +1,188 @@
 package secret
 import (
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // PassphraseUnlocker represents a passphrase-protected unlocker
 type PassphraseUnlocker struct {
 	Directory  string
 	Metadata   UnlockerMetadata
 	fs         afero.Fs
 	Passphrase *memguard.LockedBuffer // Secure buffer for passphrase
 }
 // getPassphrase retrieves the passphrase from memory, environment, or user input
 // Returns a LockedBuffer for secure memory handling
 func (p *PassphraseUnlocker) getPassphrase() (*memguard.LockedBuffer, error) {
 	// First check if we already have the passphrase
 	if p.Passphrase != nil && p.Passphrase.IsAlive() {
 		Debug("Using in-memory passphrase", "unlocker_id", p.GetID())
 		// Return a copy of the passphrase buffer
 		return memguard.NewBufferFromBytes(p.Passphrase.Bytes()), nil
 	}
 	Debug("No passphrase in memory, checking environment")
 	// Check environment variable for passphrase
 	passphraseStr := os.Getenv(EnvUnlockPassphrase)
 	if passphraseStr != "" {
 		Debug("Using passphrase from environment", "unlocker_id", p.GetID())
 		// Convert to secure buffer
 		secureBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
 		return secureBuffer, nil
 	}
 	Debug("No passphrase in environment, prompting user")
 	// Prompt for passphrase
 	secureBuffer, err := ReadPassphrase("Enter unlock passphrase: ")
 	if err != nil {
 		Debug("Failed to read passphrase", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to read passphrase: %w", err)
 	}
 	return secureBuffer, nil
 }
 // GetIdentity implements Unlocker interface for passphrase-based unlockers
 func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting passphrase unlocker identity",
 		slog.String("unlocker_id", p.GetID()),
 		slog.String("unlocker_type", p.GetType()),
 	)
 	passphraseBuffer, err := p.getPassphrase()
 	if err != nil {
 		return nil, err
 	}
 	defer passphraseBuffer.Destroy()
 	// Read encrypted private key of unlocker
 	unlockerPrivPath := filepath.Join(p.Directory, "priv.age")
 	Debug("Reading encrypted passphrase unlocker", "path", unlockerPrivPath)
 	encryptedPrivKeyData, err := afero.ReadFile(p.fs, unlockerPrivPath)
 	if err != nil {
 		Debug("Failed to read passphrase unlocker private key", "error", err, "path", unlockerPrivPath)
 		return nil, fmt.Errorf("failed to read unlocker private key: %w", err)
 	}
 	DebugWith("Read encrypted passphrase unlocker",
 		slog.String("unlocker_id", p.GetID()),
 		slog.Int("encrypted_length", len(encryptedPrivKeyData)),
 	)
 	Debug("Decrypting unlocker private key with passphrase", "unlocker_id", p.GetID())
 	// Decrypt the unlocker private key with passphrase
 	privKeyData, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt unlocker private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt unlocker private key: %w", err)
 	}
 	DebugWith("Successfully decrypted unlocker private key",
 		slog.String("unlocker_id", p.GetID()),
 		slog.Int("decrypted_length", len(privKeyData)),
 	)
 	// Parse the decrypted private key
 	Debug("Parsing decrypted unlocker identity", "unlocker_id", p.GetID())
 	// Create a secure buffer for the private key data
 	privKeyBuffer := memguard.NewBufferFromBytes(privKeyData)
 	defer privKeyBuffer.Destroy()
 	// Clear the original private key data
 	for i := range privKeyData {
 		privKeyData[i] = 0
 	}
 	identity, err := age.ParseX25519Identity(privKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse unlocker private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse unlocker private key: %w", err)
 	}
 	DebugWith("Successfully parsed passphrase unlocker identity",
 		slog.String("unlocker_id", p.GetID()),
 		slog.String("public_key", identity.Recipient().String()),
 	)
 	return identity, nil
 }
 // GetType implements Unlocker interface
 func (p *PassphraseUnlocker) GetType() string {
 	return "passphrase"
 }
 // GetMetadata implements Unlocker interface
 func (p *PassphraseUnlocker) GetMetadata() UnlockerMetadata {
 	return p.Metadata
 }
 // GetDirectory implements Unlocker interface
 func (p *PassphraseUnlocker) GetDirectory() string {
 	return p.Directory
 }
 // GetID implements Unlocker interface - generates ID from creation timestamp
 func (p *PassphraseUnlocker) GetID() string {
 	// Generate ID using creation timestamp: YYYY-MM-DD.HH.mm-passphrase
 	createdAt := p.Metadata.CreatedAt
 	return fmt.Sprintf("%s-passphrase", createdAt.Format("2006-01-02.15.04"))
 }
 // Remove implements Unlocker interface - removes the passphrase unlocker
 func (p *PassphraseUnlocker) Remove() error {
 	// Clean up the passphrase from memory if it exists
 	if p.Passphrase != nil && p.Passphrase.IsAlive() {
 		p.Passphrase.Destroy()
 	}
 	// For passphrase unlockers, we just need to remove the directory
 	// No external resources (like keychain items) to clean up
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove passphrase unlocker directory: %w", err)
 	}
 	return nil
 }
 // NewPassphraseUnlocker creates a new PassphraseUnlocker instance
 func NewPassphraseUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *PassphraseUnlocker {
 	return &PassphraseUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
 // The passphrase must be provided as a LockedBuffer for security
 func CreatePassphraseUnlocker(
 	fs afero.Fs,
 	stateDir string,
 	passphrase *memguard.LockedBuffer,
 ) (*PassphraseUnlocker, error) {
 	// Get current vault
 	currentVault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	return currentVault.CreatePassphraseUnlocker(passphrase)
 }
--- a/internal/secret/pgpunlock.go
+++ b/internal/secret/pgpunlock.go
@@ -1,360 +0,0 @@
 package secret
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 )
 // Variables to allow overriding in tests
 var (
 	// GPGEncryptFunc is the function used for GPG encryption
 	// Can be overridden in tests to provide a non-interactive implementation
 	GPGEncryptFunc = gpgEncryptDefault
 	// GPGDecryptFunc is the function used for GPG decryption
 	// Can be overridden in tests to provide a non-interactive implementation
 	GPGDecryptFunc = gpgDecryptDefault
 )
 // PGPUnlockKeyMetadata extends UnlockKeyMetadata with PGP-specific data
 type PGPUnlockKeyMetadata struct {
 	UnlockKeyMetadata
 	// GPG key ID used for encryption
 	GPGKeyID string `json:"gpg_key_id"`
 	// Age keypair information
 	AgePublicKey string `json:"age_public_key"`
 	AgeRecipient string `json:"age_recipient"`
 }
 // PGPUnlockKey represents a PGP-protected unlock key
 type PGPUnlockKey struct {
 	Directory string
 	Metadata  UnlockKeyMetadata
 	fs        afero.Fs
 }
 // GetIdentity implements UnlockKey interface for PGP-based unlock keys
 func (p *PGPUnlockKey) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting PGP unlock key identity",
 		slog.String("key_id", p.GetID()),
 		slog.String("key_type", p.GetType()),
 	)
 	// Step 1: Read the encrypted age private key from filesystem
 	agePrivKeyPath := filepath.Join(p.Directory, "priv.age.gpg")
 	Debug("Reading PGP-encrypted age private key", "path", agePrivKeyPath)
 	encryptedAgePrivKeyData, err := afero.ReadFile(p.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read PGP-encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
 	DebugWith("Read PGP-encrypted age private key",
 		slog.String("key_id", p.GetID()),
 		slog.Int("encrypted_length", len(encryptedAgePrivKeyData)),
 	)
 	// Step 2: Decrypt the age private key using GPG
 	Debug("Decrypting age private key with GPG", "key_id", p.GetID())
 	agePrivKeyData, err := GPGDecryptFunc(encryptedAgePrivKeyData)
 	if err != nil {
 		Debug("Failed to decrypt age private key with GPG", "error", err, "key_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with GPG: %w", err)
 	}
 	DebugWith("Successfully decrypted age private key with GPG",
 		slog.String("key_id", p.GetID()),
 		slog.Int("decrypted_length", len(agePrivKeyData)),
 	)
 	// Step 3: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "key_id", p.GetID())
 	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "key_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
 	DebugWith("Successfully parsed PGP age identity",
 		slog.String("key_id", p.GetID()),
 		slog.String("public_key", ageIdentity.Recipient().String()),
 	)
 	return ageIdentity, nil
 }
 // GetType implements UnlockKey interface
 func (p *PGPUnlockKey) GetType() string {
 	return "pgp"
 }
 // GetMetadata implements UnlockKey interface
 func (p *PGPUnlockKey) GetMetadata() UnlockKeyMetadata {
 	return p.Metadata
 }
 // GetDirectory implements UnlockKey interface
 func (p *PGPUnlockKey) GetDirectory() string {
 	return p.Directory
 }
 // GetID implements UnlockKey interface
 func (p *PGPUnlockKey) GetID() string {
 	return p.Metadata.ID
 }
 // ID implements UnlockKey interface - generates ID from GPG key ID
 func (p *PGPUnlockKey) ID() string {
 	// Generate ID using GPG key ID: <keyid>-pgp
 	gpgKeyID, err := p.GetGPGKeyID()
 	if err != nil {
 		// Fallback to metadata ID if we can't read the GPG key ID
 		return p.Metadata.ID
 	}
 	return fmt.Sprintf("%s-pgp", gpgKeyID)
 }
 // Remove implements UnlockKey interface - removes the PGP unlock key
 func (p *PGPUnlockKey) Remove() error {
 	// For PGP keys, we just need to remove the directory
 	// No external resources (like keychain items) to clean up
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove PGP unlock key directory: %w", err)
 	}
 	return nil
 }
 // NewPGPUnlockKey creates a new PGPUnlockKey instance
 func NewPGPUnlockKey(fs afero.Fs, directory string, metadata UnlockKeyMetadata) *PGPUnlockKey {
 	return &PGPUnlockKey{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // GetGPGKeyID returns the GPG key ID from metadata
 func (p *PGPUnlockKey) GetGPGKeyID() (string, error) {
 	// Load the metadata
 	metadataPath := filepath.Join(p.Directory, "unlock-metadata.json")
 	metadataData, err := afero.ReadFile(p.fs, metadataPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read PGP metadata: %w", err)
 	}
 	var pgpMetadata PGPUnlockKeyMetadata
 	if err := json.Unmarshal(metadataData, &pgpMetadata); err != nil {
 		return "", fmt.Errorf("failed to parse PGP metadata: %w", err)
 	}
 	return pgpMetadata.GPGKeyID, nil
 }
 // generatePGPUnlockKeyName generates a unique name for the PGP unlock key based on hostname and date
 func generatePGPUnlockKeyName() (string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return "", fmt.Errorf("failed to get hostname: %w", err)
 	}
 	// Format: hostname-pgp-YYYY-MM-DD
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("%s-pgp-%s", hostname, enrollmentDate), nil
 }
 // CreatePGPUnlockKey creates a new PGP unlock key and stores it in the vault
 func CreatePGPUnlockKey(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnlockKey, error) {
 	// Check if GPG is available
 	if err := checkGPGAvailable(); err != nil {
 		return nil, err
 	}
 	// Get current vault
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the unlock key name based on hostname and date
 	unlockKeyName, err := generatePGPUnlockKeyName()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate unlock key name: %w", err)
 	}
 	// Create unlock key directory using the generated name
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockKeyDir := filepath.Join(vaultDir, "unlock.d", unlockKeyName)
 	if err := fs.MkdirAll(unlockKeyDir, DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlock key directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the PGP unlock key
 	ageIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
 	}
 	// Step 2: Store age public key as plaintext
 	agePublicKeyString := ageIdentity.Recipient().String()
 	agePubKeyPath := filepath.Join(unlockKeyDir, "pub.age")
 	if err := afero.WriteFile(fs, agePubKeyPath, []byte(agePublicKeyString), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age public key: %w", err)
 	}
 	// Step 3: Get or derive the long-term private key
 	var ltPrivKeyData []byte
 	// Check if mnemonic is available in environment variable
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
 		// Use mnemonic directly to derive long-term key
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 		ltPrivKeyData = []byte(ltIdentity.String())
 	} else {
 		// Get the vault to access current unlock key
 		currentUnlockKey, err := vault.GetCurrentUnlockKey()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlock key: %w", err)
 		}
 		// Get the current unlock key identity
 		currentUnlockIdentity, err := currentUnlockKey.GetIdentity()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlock key identity: %w", err)
 		}
 		// Get encrypted long-term key from current unlock key, handling different types
 		var encryptedLtPrivKey []byte
 		switch currentUnlockKey := currentUnlockKey.(type) {
 		case *PassphraseUnlockKey:
 			// Read the encrypted long-term private key from passphrase unlock key
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current passphrase unlock key: %w", err)
 			}
 		case *PGPUnlockKey:
 			// Read the encrypted long-term private key from PGP unlock key
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current PGP unlock key: %w", err)
 			}
 		default:
 			return nil, fmt.Errorf("unsupported current unlock key type for PGP unlock key creation")
 		}
 		// Step 6: Decrypt long-term private key using current unlock key
 		ltPrivKeyData, err = DecryptWithIdentity(encryptedLtPrivKey, currentUnlockIdentity)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 		}
 	}
 	// Step 7: Encrypt long-term private key to the new age unlock key
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key to age unlock key: %w", err)
 	}
 	// Write encrypted long-term private key
 	ltPrivKeyPath := filepath.Join(unlockKeyDir, "longterm.age")
 	if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKeyToAge, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Step 8: Encrypt age private key to the GPG key ID
 	agePrivateKeyBytes := []byte(ageIdentity.String())
 	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBytes, gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with GPG: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockKeyDir, "priv.age.gpg")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 9: Create and write enhanced metadata
 	// Generate the key ID directly using the GPG key ID
 	keyID := fmt.Sprintf("%s-pgp", gpgKeyID)
 	pgpMetadata := PGPUnlockKeyMetadata{
 		UnlockKeyMetadata: UnlockKeyMetadata{
 			ID:        keyID,
 			Type:      "pgp",
 			CreatedAt: time.Now(),
 			Flags:     []string{"gpg", "encrypted"},
 		},
 		GPGKeyID:     gpgKeyID,
 		AgePublicKey: agePublicKeyString,
 		AgeRecipient: ageIdentity.Recipient().String(),
 	}
 	metadataBytes, err := json.MarshalIndent(pgpMetadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal unlock key metadata: %w", err)
 	}
 	if err := afero.WriteFile(fs, filepath.Join(unlockKeyDir, "unlock-metadata.json"), metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlock key metadata: %w", err)
 	}
 	return &PGPUnlockKey{
 		Directory: unlockKeyDir,
 		Metadata:  pgpMetadata.UnlockKeyMetadata,
 		fs:        fs,
 	}, nil
 }
 // checkGPGAvailable verifies that GPG is available
 func checkGPGAvailable() error {
 	cmd := exec.Command("gpg", "--version")
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("GPG not available: %w (make sure 'gpg' command is installed and in PATH)", err)
 	}
 	return nil
 }
 // gpgEncryptDefault is the default implementation of GPG encryption
 func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
 	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
 	cmd.Stdin = strings.NewReader(string(data))
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("GPG encryption failed: %w", err)
 	}
 	return output, nil
 }
 // gpgDecryptDefault is the default implementation of GPG decryption
 func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
 	cmd := exec.Command("gpg", "--quiet", "--decrypt")
 	cmd.Stdin = strings.NewReader(string(encryptedData))
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("GPG decryption failed: %w", err)
 	}
 	return output, nil
 }
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -16,6 +16,7 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -28,14 +29,14 @@ func init() {
 }
 // setupNonInteractiveGPG creates a custom GPG environment for testing
-func setupNonInteractiveGPG(t *testing.T, tempDir, passphrase, gnupgHomeDir string) {
+func setupNonInteractiveGPG(t *testing.T, _, passphrase, gnupgHomeDir string) {
 	// Create GPG config file for non-interactive operation
 	gpgConfPath := filepath.Join(gnupgHomeDir, "gpg.conf")
 	gpgConfContent := `batch
 no-tty
 pinentry-mode loopback
 `
-	if err := os.WriteFile(gpgConfPath, []byte(gpgConfContent), 0600); err != nil {
+	if err := os.WriteFile(gpgConfPath, []byte(gpgConfContent), 0o600); err != nil {
 		t.Fatalf("Failed to write GPG config file: %v", err)
 	}
@@ -123,10 +124,11 @@ func runGPGWithPassphrase(gnupgHome, passphrase string, args []string, input io.
 	return stdout.Bytes(), nil
 }
-func TestPGPUnlockKeyWithRealFS(t *testing.T) {
+func TestPGPUnlockerWithRealFS(t *testing.T) {
-	// Skip tests if gpg is not available
+	// Check if gpg is available
 	if _, err := exec.LookPath("gpg"); err != nil {
-		t.Skip("GPG not available, skipping PGP unlock key tests")
+		t.Log("GPG not available, PGP unlock key tests may not fully function")
 		// Continue anyway to test what we can
 	}
 	// Create a temporary directory for our tests
@@ -138,24 +140,12 @@ func TestPGPUnlockKeyWithRealFS(t *testing.T) {
 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")
-	if err := os.MkdirAll(gnupgHomeDir, 0700); err != nil {
+	if err := os.MkdirAll(gnupgHomeDir, 0o700); err != nil {
 		t.Fatalf("Failed to create GNUPGHOME: %v", err)
 	}
 	// Save original GNUPGHOME
 	origGnupgHome := os.Getenv("GNUPGHOME")
 	// Set new GNUPGHOME
-	os.Setenv("GNUPGHOME", gnupgHomeDir)
+	t.Setenv("GNUPGHOME", gnupgHomeDir)
 	// Clean up environment after test
 	defer func() {
 		if origGnupgHome != "" {
 			os.Setenv("GNUPGHOME", origGnupgHome)
 		} else {
 			os.Unsetenv("GNUPGHOME")
 		}
 	}()
 	// Test passphrase for GPG key
 	testPassphrase := "test123"
@@ -175,7 +165,7 @@ Passphrase: ` + testPassphrase + `
 %commit
 %echo Key generation completed
 `
-	if err := os.WriteFile(batchFile, []byte(batchContent), 0600); err != nil {
+	if err := os.WriteFile(batchFile, []byte(batchContent), 0o600); err != nil {
 		t.Fatalf("Failed to write batch file: %v", err)
 	}
@@ -188,21 +178,26 @@ Passphrase: ` + testPassphrase + `
 	}
 	t.Log("GPG key generated successfully")
-	// Get the key ID
+	// Get the key ID and fingerprint
 	output, err := runGPGWithPassphrase(gnupgHomeDir, testPassphrase,
-		[]string{"--list-secret-keys", "--with-colons"}, nil)
+		[]string{"--list-secret-keys", "--with-colons", "--fingerprint"}, nil)
 	if err != nil {
 		t.Fatalf("Failed to list GPG keys: %v", err)
 	}
-	// Parse output to get key ID
+	// Parse output to get key ID and fingerprint
-	var keyID string
+	var keyID, fingerprint string
 	lines := strings.Split(string(output), "\n")
 	for _, line := range lines {
 		if strings.HasPrefix(line, "sec:") {
 			fields := strings.Split(line, ":")
 			if len(fields) >= 5 {
 				keyID = fields[4]
 			}
 		} else if strings.HasPrefix(line, "fpr:") {
 			fields := strings.Split(line, ":")
 			if len(fields) >= 10 && fields[9] != "" {
 				fingerprint = fields[9]
 				break
 			}
 		}
@@ -211,18 +206,14 @@ Passphrase: ` + testPassphrase + `
 	if keyID == "" {
 		t.Fatalf("Failed to find GPG key ID in output: %s", output)
 	}
 	if fingerprint == "" {
 		t.Fatalf("Failed to find GPG fingerprint in output: %s", output)
 	}
 	t.Logf("Generated GPG key ID: %s", keyID)
 	t.Logf("Generated GPG fingerprint: %s", fingerprint)
 	// Set the GPG_AGENT_INFO to empty to ensure gpg-agent doesn't interfere
-	oldAgentInfo := os.Getenv("GPG_AGENT_INFO")
+	t.Setenv("GPG_AGENT_INFO", "")
 	os.Setenv("GPG_AGENT_INFO", "")
 	defer func() {
 		if oldAgentInfo != "" {
 			os.Setenv("GPG_AGENT_INFO", oldAgentInfo)
 		} else {
 			os.Unsetenv("GPG_AGENT_INFO")
 		}
 	}()
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -230,35 +221,16 @@ Passphrase: ` + testPassphrase + `
 	// Test data
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Save original environment variable
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldGPGKeyID := os.Getenv(secret.EnvGPGKeyID)
 	// Set test environment variables
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvGPGKeyID, keyID)
+	t.Setenv(secret.EnvGPGKeyID, keyID)
 	// Clean up after test
 	defer func() {
 		if oldMnemonic != "" {
 			os.Setenv(secret.EnvMnemonic, oldMnemonic)
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldGPGKeyID != "" {
 			os.Setenv(secret.EnvGPGKeyID, oldGPGKeyID)
 		} else {
 			os.Unsetenv(secret.EnvGPGKeyID)
 		}
 	}()
 	// Set up vault structure for testing
 	stateDir := tempDir
 	vaultName := "test-vault"
 	// Test creation of a PGP unlock key through a vault
-	t.Run("CreatePGPUnlockKey", func(t *testing.T) {
+	t.Run("CreatePGPUnlocker", func(t *testing.T) {
 		// Set a limited test timeout to avoid hanging
 		timer := time.AfterFunc(30*time.Second, func() {
 			t.Fatalf("Test timed out after 30 seconds")
@@ -298,59 +270,61 @@ Passphrase: ` + testPassphrase + `
 		// Unlock the vault
 		vlt.Unlock(ltIdentity)
-		// Create a passphrase unlock key first (to have current unlock key)
+		// Create a passphrase unlocker first (to have current unlocker)
-		passKey, err := vlt.CreatePassphraseKey("test-passphrase")
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 		defer passphraseBuffer.Destroy()
 		passUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
-			t.Fatalf("Failed to create passphrase key: %v", err)
+			t.Fatalf("Failed to create passphrase unlocker: %v", err)
 		}
-		// Verify passphrase key was created
+		// Verify passphrase unlocker was created
-		if passKey == nil {
+		if passUnlocker == nil {
-			t.Fatal("Passphrase key is nil")
+			t.Fatal("Passphrase unlocker is nil")
 		}
 		// Now create a PGP unlock key (this will use our custom GPGEncryptFunc)
-		pgpKey, err := secret.CreatePGPUnlockKey(fs, stateDir, keyID)
+		pgpUnlocker, err := secret.CreatePGPUnlocker(fs, stateDir, keyID)
 		if err != nil {
 			t.Fatalf("Failed to create PGP unlock key: %v", err)
 		}
 		// Verify the PGP unlock key was created
-		if pgpKey == nil {
+		if pgpUnlocker == nil {
 			t.Fatal("PGP unlock key is nil")
 		}
 		// Check if the key has the correct type
-		if pgpKey.GetType() != "pgp" {
+		if pgpUnlocker.GetType() != "pgp" {
-			t.Errorf("Expected PGP unlock key type 'pgp', got '%s'", pgpKey.GetType())
+			t.Errorf("Expected PGP unlock key type 'pgp', got '%s'", pgpUnlocker.GetType())
 		}
-		// Check if the key ID includes the GPG key ID
+		// Check if the key ID includes the GPG fingerprint
-		if !strings.Contains(pgpKey.GetID(), keyID) {
+		if !strings.Contains(pgpUnlocker.GetID(), fingerprint) {
-			t.Errorf("PGP unlock key ID '%s' does not contain GPG key ID '%s'", pgpKey.GetID(), keyID)
+			t.Errorf("PGP unlock key ID '%s' does not contain GPG fingerprint '%s'", pgpUnlocker.GetID(), fingerprint)
 		}
 		// Check if the key directory exists
-		keyDir := pgpKey.GetDirectory()
+		unlockerDir := pgpUnlocker.GetDirectory()
-		keyExists, err := afero.DirExists(fs, keyDir)
+		keyExists, err := afero.DirExists(fs, unlockerDir)
 		if err != nil {
 			t.Fatalf("Failed to check if PGP key directory exists: %v", err)
 		}
 		if !keyExists {
-			t.Errorf("PGP unlock key directory does not exist: %s", keyDir)
+			t.Errorf("PGP unlock key directory does not exist: %s", unlockerDir)
 		}
 		// Check if required files exist
-		pubKeyPath := filepath.Join(keyDir, "pub.age")
+		recipientPath := filepath.Join(unlockerDir, "pub.txt")
-		pubKeyExists, err := afero.Exists(fs, pubKeyPath)
+		recipientExists, err := afero.Exists(fs, recipientPath)
 		if err != nil {
-			t.Fatalf("Failed to check if public key file exists: %v", err)
+			t.Fatalf("Failed to check if recipient file exists: %v", err)
 		}
-		if !pubKeyExists {
+		if !recipientExists {
-			t.Errorf("PGP unlock key public key file does not exist: %s", pubKeyPath)
+			t.Errorf("PGP unlock key recipient file does not exist: %s", recipientPath)
 		}
-		privKeyPath := filepath.Join(keyDir, "priv.age.gpg")
+		privKeyPath := filepath.Join(unlockerDir, "priv.age.gpg")
 		privKeyExists, err := afero.Exists(fs, privKeyPath)
 		if err != nil {
 			t.Fatalf("Failed to check if private key file exists: %v", err)
@@ -359,7 +333,7 @@ Passphrase: ` + testPassphrase + `
 			t.Errorf("PGP unlock key private key file does not exist: %s", privKeyPath)
 		}
-		metadataPath := filepath.Join(keyDir, "unlock-metadata.json")
+		metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 		metadataExists, err := afero.Exists(fs, metadataPath)
 		if err != nil {
 			t.Fatalf("Failed to check if metadata file exists: %v", err)
@@ -368,7 +342,7 @@ Passphrase: ` + testPassphrase + `
 			t.Errorf("PGP unlock key metadata file does not exist: %s", metadataPath)
 		}
-		longtermPath := filepath.Join(keyDir, "longterm.age")
+		longtermPath := filepath.Join(unlockerDir, "longterm.age")
 		longtermExists, err := afero.Exists(fs, longtermPath)
 		if err != nil {
 			t.Fatalf("Failed to check if longterm key file exists: %v", err)
@@ -386,9 +360,9 @@ Passphrase: ` + testPassphrase + `
 		var metadata struct {
 			ID        string    `json:"id"`
 			Type      string    `json:"type"`
-			CreatedAt time.Time `json:"created_at"`
+			CreatedAt time.Time `json:"createdAt"`
 			Flags     []string  `json:"flags"`
-			GPGKeyID  string    `json:"gpg_key_id"`
+			GPGKeyID  string    `json:"gpgKeyId"`
 		}
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
@@ -399,43 +373,42 @@ Passphrase: ` + testPassphrase + `
 			t.Errorf("Expected metadata type 'pgp', got '%s'", metadata.Type)
 		}
-		if metadata.GPGKeyID != keyID {
+		if metadata.GPGKeyID != fingerprint {
-			t.Errorf("Expected GPG key ID '%s', got '%s'", keyID, metadata.GPGKeyID)
+			t.Errorf("Expected GPG fingerprint '%s', got '%s'", fingerprint, metadata.GPGKeyID)
 		}
 	})
 	// Set up key directory for individual tests
-	keyDir := filepath.Join(tempDir, "unlock-key")
+	unlockerDir := filepath.Join(tempDir, "unlocker")
-	if err := os.MkdirAll(keyDir, secret.DirPerms); err != nil {
+	if err := os.MkdirAll(unlockerDir, secret.DirPerms); err != nil {
-		t.Fatalf("Failed to create key directory: %v", err)
+		t.Fatalf("Failed to create unlocker directory: %v", err)
 	}
 	// Set up test metadata
-	metadata := secret.UnlockKeyMetadata{
+	metadata := secret.UnlockerMetadata{
 		ID:        fmt.Sprintf("%s-pgp", keyID),
 		Type:      "pgp",
 		CreatedAt: time.Now(),
 		Flags:     []string{"gpg", "encrypted"},
 	}
-	// Create a PGP unlock key for the remaining tests
+	// Create a PGP unlocker for the remaining tests
-	unlockKey := secret.NewPGPUnlockKey(fs, keyDir, metadata)
+	unlocker := secret.NewPGPUnlocker(fs, unlockerDir, metadata)
 	// Test getting GPG key ID
 	t.Run("GetGPGKeyID", func(t *testing.T) {
 		// Create PGP metadata with GPG key ID
-		type PGPUnlockKeyMetadata struct {
+		type PGPUnlockerMetadata struct {
-			secret.UnlockKeyMetadata
+			secret.UnlockerMetadata
-			GPGKeyID string `json:"gpg_key_id"`
+			GPGKeyID string `json:"gpgKeyId"`
 		}
-		pgpMetadata := PGPUnlockKeyMetadata{
+		pgpMetadata := PGPUnlockerMetadata{
-			UnlockKeyMetadata: metadata,
+			UnlockerMetadata: metadata,
-			GPGKeyID:          keyID,
+			GPGKeyID:         fingerprint,
 		}
 		// Write metadata file
-		metadataPath := filepath.Join(keyDir, "unlock-metadata.json")
+		metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 		metadataBytes, err := json.MarshalIndent(pgpMetadata, "", "  ")
 		if err != nil {
 			t.Fatalf("Failed to marshal metadata: %v", err)
@@ -445,18 +418,18 @@ Passphrase: ` + testPassphrase + `
 		}
 		// Get GPG key ID
-		retrievedKeyID, err := unlockKey.GetGPGKeyID()
+		retrievedKeyID, err := unlocker.GetGPGKeyID()
 		if err != nil {
 			t.Fatalf("Failed to get GPG key ID: %v", err)
 		}
-		// Verify key ID
+		// Verify key ID (should be the fingerprint)
-		if retrievedKeyID != keyID {
+		if retrievedKeyID != fingerprint {
-			t.Errorf("Expected GPG key ID '%s', got '%s'", keyID, retrievedKeyID)
+			t.Errorf("Expected GPG fingerprint '%s', got '%s'", fingerprint, retrievedKeyID)
 		}
 	})
-	// Test getting identity from PGP unlock key
+	// Test getting identity from PGP unlocker
 	t.Run("GetIdentity", func(t *testing.T) {
 		// Generate an age identity for testing
 		ageIdentity, err := age.GenerateX25519Identity()
@@ -464,10 +437,10 @@ Passphrase: ` + testPassphrase + `
 			t.Fatalf("Failed to generate age identity: %v", err)
 		}
-		// Write the public key
+		// Write the recipient
-		pubKeyPath := filepath.Join(keyDir, "pub.age")
+		recipientPath := filepath.Join(unlockerDir, "pub.txt")
-		if err := afero.WriteFile(fs, pubKeyPath, []byte(ageIdentity.Recipient().String()), secret.FilePerms); err != nil {
+		if err := afero.WriteFile(fs, recipientPath, []byte(ageIdentity.Recipient().String()), secret.FilePerms); err != nil {
-			t.Fatalf("Failed to write public key: %v", err)
+			t.Fatalf("Failed to write recipient: %v", err)
 		}
 		// GPG encrypt the private key using our custom encrypt function
@@ -478,13 +451,13 @@ Passphrase: ` + testPassphrase + `
 		}
 		// Write the encrypted data to a file
-		encryptedPath := filepath.Join(keyDir, "priv.age.gpg")
+		encryptedPath := filepath.Join(unlockerDir, "priv.age.gpg")
 		if err := afero.WriteFile(fs, encryptedPath, encryptedOutput, secret.FilePerms); err != nil {
 			t.Fatalf("Failed to write encrypted private key: %v", err)
 		}
 		// Now try to get the identity - this will use our custom GPGDecryptFunc
-		identity, err := unlockKey.GetIdentity()
+		identity, err := unlocker.GetIdentity()
 		if err != nil {
 			t.Fatalf("Failed to get identity: %v", err)
 		}
@@ -497,30 +470,30 @@ Passphrase: ` + testPassphrase + `
 		}
 	})
-	// Test removing the unlock key
+	// Test removing the unlocker
-	t.Run("RemoveUnlockKey", func(t *testing.T) {
+	t.Run("RemoveUnlocker", func(t *testing.T) {
-		// Ensure key directory exists before removal
+		// Ensure unlocker directory exists before removal
-		keyExists, err := afero.DirExists(fs, keyDir)
+		keyExists, err := afero.DirExists(fs, unlockerDir)
 		if err != nil {
-			t.Fatalf("Failed to check if key directory exists: %v", err)
+			t.Fatalf("Failed to check if unlocker directory exists: %v", err)
 		}
 		if !keyExists {
-			t.Fatalf("Key directory does not exist: %s", keyDir)
+			t.Fatalf("Unlocker directory does not exist: %s", unlockerDir)
 		}
-		// Remove unlock key
+		// Remove unlocker
-		err = unlockKey.Remove()
+		err = unlocker.Remove()
 		if err != nil {
-			t.Fatalf("Failed to remove unlock key: %v", err)
+			t.Fatalf("Failed to remove unlocker: %v", err)
 		}
 		// Verify directory is gone
-		keyExists, err = afero.DirExists(fs, keyDir)
+		keyExists, err = afero.DirExists(fs, unlockerDir)
 		if err != nil {
-			t.Fatalf("Failed to check if key directory exists: %v", err)
+			t.Fatalf("Failed to check if unlocker directory exists: %v", err)
 		}
 		if keyExists {
-			t.Errorf("Key directory still exists after removal: %s", keyDir)
+			t.Errorf("Unlocker directory still exists after removal: %s", unlockerDir)
 		}
 	})
 }
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@@ -0,0 +1,378 @@
 package secret
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // Variables to allow overriding in tests
 var (
 	// GPGEncryptFunc is the function used for GPG encryption
 	// Can be overridden in tests to provide a non-interactive implementation
 	GPGEncryptFunc = gpgEncryptDefault //nolint:gochecknoglobals // Required for test mocking
 	// GPGDecryptFunc is the function used for GPG decryption
 	// Can be overridden in tests to provide a non-interactive implementation
 	GPGDecryptFunc = gpgDecryptDefault //nolint:gochecknoglobals // Required for test mocking
 	// gpgKeyIDRegex validates GPG key IDs
 	// Allows either:
 	// 1. Email addresses (user@domain.tld format)
 	// 2. Short key IDs (8 hex characters)
 	// 3. Long key IDs (16 hex characters)
 	// 4. Full fingerprints (40 hex characters)
 	gpgKeyIDRegex = regexp.MustCompile(
 		`^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$|` +
 			`^[A-Fa-f0-9]{8}$|` +
 			`^[A-Fa-f0-9]{16}$|` +
 			`^[A-Fa-f0-9]{40}$`,
 	)
 )
 // PGPUnlockerMetadata extends UnlockerMetadata with PGP-specific data
 type PGPUnlockerMetadata struct {
 	UnlockerMetadata
 	// GPG key ID used for encryption
 	GPGKeyID string `json:"gpgKeyId"`
 }
 // PGPUnlocker represents a PGP-protected unlocker
 type PGPUnlocker struct {
 	Directory string
 	Metadata  UnlockerMetadata
 	fs        afero.Fs
 }
 // GetIdentity implements Unlocker interface for PGP-based unlockers
 func (p *PGPUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting PGP unlocker identity",
 		slog.String("unlocker_id", p.GetID()),
 		slog.String("unlocker_type", p.GetType()),
 	)
 	// Step 1: Read the encrypted age private key from filesystem
 	agePrivKeyPath := filepath.Join(p.Directory, "priv.age.gpg")
 	Debug("Reading PGP-encrypted age private key", "path", agePrivKeyPath)
 	encryptedAgePrivKeyData, err := afero.ReadFile(p.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read PGP-encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
 	DebugWith("Read PGP-encrypted age private key",
 		slog.String("unlocker_id", p.GetID()),
 		slog.Int("encrypted_length", len(encryptedAgePrivKeyData)),
 	)
 	// Step 2: Decrypt the age private key using GPG
 	Debug("Decrypting age private key with GPG", "unlocker_id", p.GetID())
 	agePrivKeyData, err := GPGDecryptFunc(encryptedAgePrivKeyData)
 	if err != nil {
 		Debug("Failed to decrypt age private key with GPG", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with GPG: %w", err)
 	}
 	DebugWith("Successfully decrypted age private key with GPG",
 		slog.String("unlocker_id", p.GetID()),
 		slog.Int("decrypted_length", len(agePrivKeyData)),
 	)
 	// Step 3: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", p.GetID())
 	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
 	DebugWith("Successfully parsed PGP age identity",
 		slog.String("unlocker_id", p.GetID()),
 		slog.String("public_key", ageIdentity.Recipient().String()),
 	)
 	return ageIdentity, nil
 }
 // GetType implements Unlocker interface
 func (p *PGPUnlocker) GetType() string {
 	return "pgp"
 }
 // GetMetadata implements Unlocker interface
 func (p *PGPUnlocker) GetMetadata() UnlockerMetadata {
 	return p.Metadata
 }
 // GetDirectory implements Unlocker interface
 func (p *PGPUnlocker) GetDirectory() string {
 	return p.Directory
 }
 // GetID implements Unlocker interface - generates ID from GPG key ID
 func (p *PGPUnlocker) GetID() string {
 	// Generate ID using GPG key ID: <keyid>-pgp
 	gpgKeyID, err := p.GetGPGKeyID()
 	if err != nil {
 		// The vault metadata is corrupt - this is a fatal error
 		// We cannot continue with a fallback ID as that would mask data corruption
 		panic(fmt.Sprintf("PGP unlocker metadata is corrupt or missing GPG key ID: %v", err))
 	}
 	return fmt.Sprintf("%s-pgp", gpgKeyID)
 }
 // Remove implements Unlocker interface - removes the PGP unlocker
 func (p *PGPUnlocker) Remove() error {
 	// For PGP unlockers, we just need to remove the directory
 	// No external resources (like keychain items) to clean up
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove PGP unlocker directory: %w", err)
 	}
 	return nil
 }
 // NewPGPUnlocker creates a new PGPUnlocker instance
 func NewPGPUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *PGPUnlocker {
 	return &PGPUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // GetGPGKeyID returns the GPG key ID from metadata
 func (p *PGPUnlocker) GetGPGKeyID() (string, error) {
 	// Load the metadata
 	metadataPath := filepath.Join(p.Directory, "unlocker-metadata.json")
 	metadataData, err := afero.ReadFile(p.fs, metadataPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read PGP metadata: %w", err)
 	}
 	var pgpMetadata PGPUnlockerMetadata
 	if err := json.Unmarshal(metadataData, &pgpMetadata); err != nil {
 		return "", fmt.Errorf("failed to parse PGP metadata: %w", err)
 	}
 	return pgpMetadata.GPGKeyID, nil
 }
 // generatePGPUnlockerName generates a unique name for the PGP unlocker based on hostname and date
 func generatePGPUnlockerName() (string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return "", fmt.Errorf("failed to get hostname: %w", err)
 	}
 	// Format: hostname-pgp-YYYY-MM-DD
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("%s-pgp-%s", hostname, enrollmentDate), nil
 }
 // CreatePGPUnlocker creates a new PGP unlocker and stores it in the vault
 func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnlocker, error) {
 	// Check if GPG is available
 	if err := checkGPGAvailable(); err != nil {
 		return nil, err
 	}
 	// Get current vault
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the unlocker name based on hostname and date
 	unlockerName, err := generatePGPUnlockerName()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate unlocker name: %w", err)
 	}
 	// Create unlocker directory using the generated name
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the PGP unlocker
 	ageIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
 	}
 	// Step 2: Store age recipient as plaintext
 	ageRecipient := ageIdentity.Recipient().String()
 	recipientPath := filepath.Join(unlockerDir, "pub.txt")
 	if err := afero.WriteFile(fs, recipientPath, []byte(ageRecipient), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age recipient: %w", err)
 	}
 	// Step 3: Get or derive the long-term private key
 	ltPrivKeyData, err := getLongTermPrivateKey(fs, vault)
 	if err != nil {
 		return nil, err
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 7: Encrypt long-term private key to the new age unlocker
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key to age unlocker: %w", err)
 	}
 	// Write encrypted long-term private key
 	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKeyToAge, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Step 8: Encrypt age private key to the GPG key ID
 	// Use memguard to protect the private key in memory
 	agePrivateKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
 	defer agePrivateKeyBuffer.Destroy()
 	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBuffer.Bytes(), gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with GPG: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockerDir, "priv.age.gpg")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 9: Resolve the GPG key ID to its full fingerprint
 	fingerprint, err := resolveGPGKeyFingerprint(gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
 	}
 	// Step 10: Create and write enhanced metadata with full fingerprint
 	pgpMetadata := PGPUnlockerMetadata{
 		UnlockerMetadata: UnlockerMetadata{
 			Type:      "pgp",
 			CreatedAt: time.Now(),
 			Flags:     []string{"gpg", "encrypted"},
 		},
 		GPGKeyID: fingerprint,
 	}
 	metadataBytes, err := json.MarshalIndent(pgpMetadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal unlocker metadata: %w", err)
 	}
 	if err := afero.WriteFile(fs,
 		filepath.Join(unlockerDir, "unlocker-metadata.json"),
 		metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
 	}
 	return &PGPUnlocker{
 		Directory: unlockerDir,
 		Metadata:  pgpMetadata.UnlockerMetadata,
 		fs:        fs,
 	}, nil
 }
 // validateGPGKeyID validates that a GPG key ID is safe for command execution
 func validateGPGKeyID(keyID string) error {
 	if keyID == "" {
 		return fmt.Errorf("GPG key ID cannot be empty")
 	}
 	if !gpgKeyIDRegex.MatchString(keyID) {
 		return fmt.Errorf("invalid GPG key ID format: %s", keyID)
 	}
 	return nil
 }
 // resolveGPGKeyFingerprint resolves any GPG key identifier to its full fingerprint
 func resolveGPGKeyFingerprint(keyID string) (string, error) {
 	if err := validateGPGKeyID(keyID); err != nil {
 		return "", fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 	// Use GPG to get the full fingerprint for the key
 	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
 	}
 	// Parse the output to extract the fingerprint
 	lines := strings.Split(string(output), "\n")
 	for _, line := range lines {
 		if strings.HasPrefix(line, "fpr:") {
 			fields := strings.Split(line, ":")
 			if len(fields) >= 10 && fields[9] != "" {
 				return fields[9], nil
 			}
 		}
 	}
 	return "", fmt.Errorf("could not find fingerprint for GPG key: %s", keyID)
 }
 // checkGPGAvailable verifies that GPG is available
 func checkGPGAvailable() error {
 	cmd := exec.Command("gpg", "--version")
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("GPG not available: %w (make sure 'gpg' command is installed and in PATH)", err)
 	}
 	return nil
 }
 // gpgEncryptDefault is the default implementation of GPG encryption
 func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
 	if err := validateGPGKeyID(keyID); err != nil {
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
 	cmd.Stdin = strings.NewReader(string(data))
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("GPG encryption failed: %w", err)
 	}
 	return output, nil
 }
 // gpgDecryptDefault is the default implementation of GPG decryption
 func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
 	cmd := exec.Command("gpg", "--quiet", "--decrypt")
 	cmd.Stdin = strings.NewReader(string(encryptedData))
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("GPG decryption failed: %w", err)
 	}
 	return output, nil
 }
--- a/internal/secret/secret.go
+++ b/internal/secret/secret.go
@@ -11,24 +11,25 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // VaultInterface defines the interface that vault implementations must satisfy
 type VaultInterface interface {
 	GetDirectory() (string, error)
-	AddSecret(name string, value []byte, force bool) error
+	AddSecret(name string, value *memguard.LockedBuffer, force bool) error
 	GetName() string
 	GetFilesystem() afero.Fs
-	GetCurrentUnlockKey() (UnlockKey, error)
+	GetCurrentUnlocker() (Unlocker, error)
-	CreatePassphraseKey(passphrase string) (*PassphraseUnlockKey, error)
+	CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*PassphraseUnlocker, error)
 }
 // Secret represents a secret in a vault
 type Secret struct {
 	Name      string
 	Directory string
-	Metadata  SecretMetadata
+	Metadata  Metadata
 	vault     VaultInterface
 }
@@ -54,35 +55,42 @@ func NewSecret(vault VaultInterface, name string) *Secret {
 		Name:      name,
 		Directory: secretDir,
 		vault:     vault,
-		Metadata: SecretMetadata{
+		Metadata: Metadata{
 			Name:      name,
 			CreatedAt: time.Now(),
 			UpdatedAt: time.Now(),
 		},
 	}
 }
-// Save saves a secret value to the vault
+// Save is deprecated - use vault.AddSecret directly which creates versions
 // Kept for backward compatibility
 func (s *Secret) Save(value []byte, force bool) error {
-	DebugWith("Saving secret",
+	DebugWith("Saving secret (deprecated method)",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
 		slog.Int("value_length", len(value)),
 		slog.Bool("force", force),
 	)
-	err := s.vault.AddSecret(s.Name, value, force)
+	// Create a secure buffer for the value - note that the caller
 	// should ideally pass a LockedBuffer directly to vault.AddSecret
 	valueBuffer := memguard.NewBufferFromBytes(value)
 	defer valueBuffer.Destroy()
 	err := s.vault.AddSecret(s.Name, valueBuffer, force)
 	if err != nil {
 		Debug("Failed to save secret", "error", err, "secret_name", s.Name)
 		return err
 	}
 	Debug("Successfully saved secret", "secret_name", s.Name)
 	return nil
 }
-// GetValue retrieves and decrypts the secret value using the provided unlock key
+// GetValue retrieves and decrypts the current version's value using the provided unlocker
-func (s *Secret) GetValue(unlockKey UnlockKey) ([]byte, error) {
+func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	DebugWith("Getting secret value",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
@@ -92,68 +100,116 @@ func (s *Secret) GetValue(unlockKey UnlockKey) ([]byte, error) {
 	exists, err := s.Exists()
 	if err != nil {
 		Debug("Failed to check if secret exists during GetValue", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		Debug("Secret not found during GetValue", "secret_name", s.Name, "vault_name", s.vault.GetName())
 		return nil, fmt.Errorf("secret %s not found", s.Name)
 	}
-	Debug("Secret exists, proceeding with decryption", "secret_name", s.Name)
+	Debug("Secret exists, getting current version", "secret_name", s.Name)
 	// Get current version
 	currentVersion, err := GetCurrentVersion(s.vault.GetFilesystem(), s.Directory)
 	if err != nil {
 		Debug("Failed to get current version", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to get current version: %w", err)
 	}
 	// Create version object
 	version := NewVersion(s.vault, s.Name, currentVersion)
 	// Check if we have SB_SECRET_MNEMONIC environment variable for direct decryption
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
 		Debug("Using mnemonic from environment for direct long-term key derivation", "secret_name", s.Name)
-		// Use mnemonic directly to derive long-term key
+		// Get vault directory to read metadata
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
+		vaultDir, err := s.vault.GetDirectory()
 		if err != nil {
 			Debug("Failed to get vault directory", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
 		// Load vault metadata to get the correct derivation index
 		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 		metadataBytes, err := afero.ReadFile(s.vault.GetFilesystem(), metadataPath)
 		if err != nil {
 			Debug("Failed to read vault metadata", "error", err, "path", metadataPath)
 			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
 		var metadata VaultMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			Debug("Failed to parse vault metadata", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		}
 		DebugWith("Using vault derivation index from metadata",
 			slog.String("secret_name", s.Name),
 			slog.String("vault_name", s.vault.GetName()),
 			slog.Uint64("derivation_index", uint64(metadata.DerivationIndex)),
 		)
 		// Use mnemonic with the vault's derivation index from metadata
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			Debug("Failed to derive long-term key from mnemonic for secret", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 		Debug("Successfully derived long-term key from mnemonic", "secret_name", s.Name)
-		// Use the long-term key to decrypt the secret using per-secret architecture
+		// Use the long-term key to decrypt the version
-		return s.decryptWithLongTermKey(ltIdentity)
+		return version.GetValue(ltIdentity)
 	}
-	Debug("Using unlock key for vault access", "secret_name", s.Name)
+	Debug("Using unlocker for vault access", "secret_name", s.Name)
-	// Use the provided unlock key to get the vault's long-term private key
+	// Use the provided unlocker to get the vault's long-term private key
-	if unlockKey == nil {
+	if unlocker == nil {
-		Debug("No unlock key provided for secret decryption", "secret_name", s.Name)
+		Debug("No unlocker provided for secret decryption", "secret_name", s.Name)
-		return nil, fmt.Errorf("unlock key required to decrypt secret")
+
 		return nil, fmt.Errorf("unlocker required to decrypt secret")
 	}
-	DebugWith("Getting vault's long-term key using unlock key",
+	DebugWith("Getting vault's long-term key using unlocker",
 		slog.String("secret_name", s.Name),
-		slog.String("unlock_key_type", unlockKey.GetType()),
+		slog.String("unlocker_type", unlocker.GetType()),
-		slog.String("unlock_key_id", unlockKey.GetID()),
+		slog.String("unlocker_id", unlocker.GetID()),
 	)
-	// Step 1: Use the unlock key to get the vault's long-term private key
+	// Step 1: Use the unlocker to get the vault's long-term private key
-	unlockIdentity, err := unlockKey.GetIdentity()
+	unlockIdentity, err := unlocker.GetIdentity()
 	if err != nil {
-		Debug("Failed to get unlock key identity", "error", err, "secret_name", s.Name, "unlock_key_type", unlockKey.GetType())
+		Debug("Failed to get unlocker identity", "error", err, "secret_name", s.Name, "unlocker_type", unlocker.GetType())
-		return nil, fmt.Errorf("failed to get unlock key identity: %w", err)
+
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
-	// Read the encrypted long-term private key from the unlock key directory
+	// Read the encrypted long-term private key from the unlocker directory
-	encryptedLtPrivKeyPath := filepath.Join(unlockKey.GetDirectory(), "longterm.age")
+	encryptedLtPrivKeyPath := filepath.Join(unlocker.GetDirectory(), "longterm.age")
 	Debug("Reading encrypted long-term private key", "path", encryptedLtPrivKeyPath)
 	encryptedLtPrivKey, err := afero.ReadFile(s.vault.GetFilesystem(), encryptedLtPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted long-term private key", "error", err, "path", encryptedLtPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
-	// Decrypt the encrypted long-term private key using the unlock key
+	// Decrypt the encrypted long-term private key using the unlocker
-	Debug("Decrypting long-term private key using unlock key", "secret_name", s.Name)
+	Debug("Decrypting long-term private key using unlocker", "secret_name", s.Name)
 	ltPrivKeyData, err := DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
 	if err != nil {
 		Debug("Failed to decrypt long-term private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
@@ -162,6 +218,7 @@ func (s *Secret) GetValue(unlockKey UnlockKey) ([]byte, error) {
 	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
 	if err != nil {
 		Debug("Failed to parse long-term private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}
@@ -170,165 +227,35 @@ func (s *Secret) GetValue(unlockKey UnlockKey) ([]byte, error) {
 		slog.String("public_key", ltIdentity.Recipient().String()),
 	)
-	// Use the long-term key to decrypt the secret using per-secret architecture
+	// Use the long-term key to decrypt the version
-	return s.decryptWithLongTermKey(ltIdentity)
+	return version.GetValue(ltIdentity)
 }
-// decryptWithLongTermKey decrypts the secret using the vault's long-term private key
+// LoadMetadata is deprecated - metadata is now per-version and encrypted
 // This implements the per-secret key architecture: longterm -> secret private key -> secret value
 func (s *Secret) decryptWithLongTermKey(ltIdentity *age.X25519Identity) ([]byte, error) {
 	DebugWith("Decrypting secret with long-term key using per-secret architecture",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
 	)
 	// Step 1: Read the secret's encrypted private key from priv.age
 	encryptedSecretPrivKeyPath := filepath.Join(s.Directory, "priv.age")
 	Debug("Reading encrypted secret private key", "path", encryptedSecretPrivKeyPath)
 	encryptedSecretPrivKey, err := afero.ReadFile(s.vault.GetFilesystem(), encryptedSecretPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted secret private key", "error", err, "path", encryptedSecretPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted secret private key: %w", err)
 	}
 	DebugWith("Read encrypted secret private key",
 		slog.String("secret_name", s.Name),
 		slog.Int("encrypted_length", len(encryptedSecretPrivKey)),
 	)
 	// Step 2: Decrypt the secret's private key using the vault's long-term private key
 	Debug("Decrypting secret private key using long-term key", "secret_name", s.Name)
 	secretPrivKeyData, err := DecryptWithIdentity(encryptedSecretPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt secret private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to decrypt secret private key: %w", err)
 	}
 	// Parse the secret's private key
 	Debug("Parsing secret's private key", "secret_name", s.Name)
 	secretIdentity, err := age.ParseX25519Identity(string(secretPrivKeyData))
 	if err != nil {
 		Debug("Failed to parse secret's private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to parse secret's private key: %w", err)
 	}
 	DebugWith("Successfully decrypted and parsed secret's identity",
 		slog.String("secret_name", s.Name),
 		slog.String("secret_public_key", secretIdentity.Recipient().String()),
 	)
 	// Step 3: Read the secret's encrypted value from value.age
 	encryptedValuePath := filepath.Join(s.Directory, "value.age")
 	Debug("Reading encrypted secret value", "path", encryptedValuePath)
 	encryptedValue, err := afero.ReadFile(s.vault.GetFilesystem(), encryptedValuePath)
 	if err != nil {
 		Debug("Failed to read encrypted secret value", "error", err, "path", encryptedValuePath)
 		return nil, fmt.Errorf("failed to read encrypted secret value: %w", err)
 	}
 	DebugWith("Read encrypted secret value",
 		slog.String("secret_name", s.Name),
 		slog.Int("encrypted_length", len(encryptedValue)),
 	)
 	// Step 4: Decrypt the secret's value using the secret's private key
 	Debug("Decrypting value using secret key", "secret_name", s.Name)
 	decryptedValue, err := DecryptWithIdentity(encryptedValue, secretIdentity)
 	if err != nil {
 		Debug("Failed to decrypt secret value", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to decrypt secret value: %w", err)
 	}
 	DebugWith("Successfully decrypted secret value using per-secret key architecture",
 		slog.String("secret_name", s.Name),
 		slog.Int("decrypted_length", len(decryptedValue)),
 	)
 	return decryptedValue, nil
 }
 // LoadMetadata loads the secret metadata from disk
 func (s *Secret) LoadMetadata() error {
-	DebugWith("Loading secret metadata",
+	Debug("LoadMetadata called but is deprecated in versioned model", "secret_name", s.Name)
-		slog.String("secret_name", s.Name),
+	// For backward compatibility, we'll populate with basic info
-		slog.String("vault_name", s.vault.GetName()),
+	now := time.Now()
-	)
+	s.Metadata = Metadata{
-
+		CreatedAt: now,
-	vaultDir, err := s.vault.GetDirectory()
+		UpdatedAt: now,
 	if err != nil {
 		Debug("Failed to get vault directory for metadata loading", "error", err, "secret_name", s.Name)
 		return err
 	}
 	// Convert slashes to percent signs for storage
 	storageName := strings.ReplaceAll(s.Name, "/", "%")
 	metadataPath := filepath.Join(vaultDir, "secrets.d", storageName, "secret-metadata.json")
 	DebugWith("Reading secret metadata",
 		slog.String("secret_name", s.Name),
 		slog.String("metadata_path", metadataPath),
 	)
 	// Read metadata file
 	metadataBytes, err := afero.ReadFile(s.vault.GetFilesystem(), metadataPath)
 	if err != nil {
 		Debug("Failed to read secret metadata file", "error", err, "metadata_path", metadataPath)
 		return fmt.Errorf("failed to read metadata: %w", err)
 	}
 	DebugWith("Read secret metadata file",
 		slog.String("secret_name", s.Name),
 		slog.Int("metadata_size", len(metadataBytes)),
 	)
 	var metadata SecretMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		Debug("Failed to parse secret metadata JSON", "error", err, "secret_name", s.Name)
 		return fmt.Errorf("failed to parse metadata: %w", err)
 	}
 	DebugWith("Parsed secret metadata",
 		slog.String("secret_name", metadata.Name),
 		slog.Time("created_at", metadata.CreatedAt),
 		slog.Time("updated_at", metadata.UpdatedAt),
 	)
 	s.Metadata = metadata
 	Debug("Successfully loaded secret metadata", "secret_name", s.Name)
 	return nil
 }
-// GetMetadata returns the secret metadata
+// GetMetadata returns the secret metadata (deprecated)
-func (s *Secret) GetMetadata() SecretMetadata {
+func (s *Secret) GetMetadata() Metadata {
-	Debug("Returning secret metadata", "secret_name", s.Name)
+	Debug("GetMetadata called but is deprecated in versioned model", "secret_name", s.Name)
 	return s.Metadata
 }
-// GetEncryptedData reads and returns the encrypted secret data
+// GetEncryptedData is deprecated - data is now stored in versions
 func (s *Secret) GetEncryptedData() ([]byte, error) {
-	DebugWith("Getting encrypted secret data",
+	Debug("GetEncryptedData called but is deprecated in versioned model", "secret_name", s.Name)
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
 	)
-	secretPath := filepath.Join(s.Directory, "value.age")
+	return nil, fmt.Errorf("GetEncryptedData is deprecated - use version-specific methods")
 	Debug("Reading encrypted secret file", "secret_path", secretPath)
 	encryptedData, err := afero.ReadFile(s.vault.GetFilesystem(), secretPath)
 	if err != nil {
 		Debug("Failed to read encrypted secret file", "error", err, "secret_path", secretPath)
 		return nil, fmt.Errorf("failed to read encrypted secret: %w", err)
 	}
 	DebugWith("Successfully read encrypted secret data",
 		slog.String("secret_name", s.Name),
 		slog.Int("encrypted_length", len(encryptedData)),
 	)
 	return encryptedData, nil
 }
 // Exists checks if the secret exists on disk
@@ -338,22 +265,34 @@ func (s *Secret) Exists() (bool, error) {
 		slog.String("vault_name", s.vault.GetName()),
 	)
-	secretPath := filepath.Join(s.Directory, "value.age")
+	// Check if the secret directory exists and has a current symlink
-
+	exists, err := afero.DirExists(s.vault.GetFilesystem(), s.Directory)
 	Debug("Checking secret file existence", "secret_path", secretPath)
 	exists, err := afero.Exists(s.vault.GetFilesystem(), secretPath)
 	if err != nil {
-		Debug("Failed to check secret file existence", "error", err, "secret_path", secretPath)
+		Debug("Failed to check secret directory existence", "error", err, "secret_dir", s.Directory)
 		return false, err
 	}
 	if !exists {
 		Debug("Secret directory does not exist", "secret_dir", s.Directory)
 		return false, nil
 	}
 	// Check if current symlink exists
 	_, err = GetCurrentVersion(s.vault.GetFilesystem(), s.Directory)
 	if err != nil {
 		Debug("No current version found", "error", err, "secret_name", s.Name)
 		return false, nil
 	}
 	DebugWith("Secret existence check result",
 		slog.String("secret_name", s.Name),
-		slog.Bool("exists", exists),
+		slog.Bool("exists", true),
 	)
-	return exists, nil
+	return true, nil
 }
 // GetCurrentVault gets the current vault from the file system
@@ -365,11 +304,14 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (VaultInterface, error) {
 	if getCurrentVaultFunc == nil {
 		return nil, fmt.Errorf("GetCurrentVault function not registered")
 	}
 	return getCurrentVaultFunc(fs, stateDir)
 }
 // getCurrentVaultFunc is a function variable that will be set by the vault package
 // to implement the actual GetCurrentVault functionality
 //
 //nolint:gochecknoglobals // Required to break import cycle
 var getCurrentVaultFunc func(fs afero.Fs, stateDir string) (VaultInterface, error)
 // RegisterGetCurrentVaultFunc allows the vault package to register its implementation
--- a/internal/secret/secret_test.go
+++ b/internal/secret/secret_test.go
@@ -1,34 +1,114 @@
 package secret
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"
 )
 // MockVault is a test implementation of the VaultInterface
 type MockVault struct {
-	name       string
+	name            string
-	fs         afero.Fs
+	fs              afero.Fs
-	directory  string
+	directory       string
-	longTermID *age.X25519Identity
+	derivationIndex uint32
 }
 func (m *MockVault) GetDirectory() (string, error) {
 	return m.directory, nil
 }
-func (m *MockVault) AddSecret(name string, value []byte, force bool) error {
+func (m *MockVault) AddSecret(name string, value *memguard.LockedBuffer, _ bool) error {
-	// Simplified implementation for testing
+	// Create secret directory with proper storage name conversion
-	secretDir := filepath.Join(m.directory, "secrets.d", name)
+	storageName := strings.ReplaceAll(name, "/", "%")
-	if err := m.fs.MkdirAll(secretDir, DirPerms); err != nil {
+	secretDir := filepath.Join(m.directory, "secrets.d", storageName)
 	if err := m.fs.MkdirAll(secretDir, 0o700); err != nil {
 		return err
 	}
-	return afero.WriteFile(m.fs, filepath.Join(secretDir, "value.age"), value, FilePerms)
+
 	// Create version directory with proper path
 	versionName := "20240101.001" // Use a fixed version name for testing
 	versionDir := filepath.Join(secretDir, "versions", versionName)
 	if err := m.fs.MkdirAll(versionDir, 0o700); err != nil {
 		return err
 	}
 	// Read the vault's long-term public key
 	ltPubKeyPath := filepath.Join(m.directory, "pub.age")
 	// Derive long-term key using the vault's derivation index
 	mnemonic := os.Getenv(EnvMnemonic)
 	if mnemonic == "" {
 		return fmt.Errorf("SB_SECRET_MNEMONIC not set")
 	}
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, m.derivationIndex)
 	if err != nil {
 		return err
 	}
 	// Write long-term public key if it doesn't exist
 	if _, err := m.fs.Stat(ltPubKeyPath); os.IsNotExist(err) {
 		pubKey := ltIdentity.Recipient().String()
 		if err := afero.WriteFile(m.fs, ltPubKeyPath, []byte(pubKey), 0o600); err != nil {
 			return err
 		}
 	}
 	// Generate version-specific keypair
 	versionIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return err
 	}
 	// Write version public key
 	pubKeyPath := filepath.Join(versionDir, "pub.age")
 	if err := afero.WriteFile(m.fs, pubKeyPath, []byte(versionIdentity.Recipient().String()), 0o600); err != nil {
 		return err
 	}
 	// Encrypt value to version's public key (value is already a LockedBuffer)
 	encryptedValue, err := EncryptToRecipient(value, versionIdentity.Recipient())
 	if err != nil {
 		return err
 	}
 	// Write encrypted value
 	valuePath := filepath.Join(versionDir, "value.age")
 	if err := afero.WriteFile(m.fs, valuePath, encryptedValue, 0o600); err != nil {
 		return err
 	}
 	// Encrypt version private key to long-term public key
 	versionPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(versionIdentity.String()))
 	defer versionPrivKeyBuffer.Destroy()
 	encryptedPrivKey, err := EncryptToRecipient(versionPrivKeyBuffer, ltIdentity.Recipient())
 	if err != nil {
 		return err
 	}
 	// Write encrypted version private key
 	privKeyPath := filepath.Join(versionDir, "priv.age")
 	if err := afero.WriteFile(m.fs, privKeyPath, encryptedPrivKey, 0o600); err != nil {
 		return err
 	}
 	// Create current symlink pointing to the version
 	currentLink := filepath.Join(secretDir, "current")
 	// For MemMapFs, write a file with the target path
 	if err := afero.WriteFile(m.fs, currentLink, []byte("versions/"+versionName), 0o600); err != nil {
 		return err
 	}
 	return nil
 }
 func (m *MockVault) GetName() string {
@@ -39,31 +119,21 @@ func (m *MockVault) GetFilesystem() afero.Fs {
 	return m.fs
 }
-func (m *MockVault) GetCurrentUnlockKey() (UnlockKey, error) {
+func (m *MockVault) GetCurrentUnlocker() (Unlocker, error) {
-	return nil, nil // Not needed for this test
+	return nil, nil
 }
-func (m *MockVault) CreatePassphraseKey(passphrase string) (*PassphraseUnlockKey, error) {
+func (m *MockVault) CreatePassphraseUnlocker(_ *memguard.LockedBuffer) (*PassphraseUnlocker, error) {
-	return nil, nil // Not needed for this test
+	return nil, nil
 }
 func TestPerSecretKeyFunctionality(t *testing.T) {
 	// Create an in-memory filesystem for testing
 	fs := afero.NewMemMapFs()
 	// Set up test environment variables
 	oldMnemonic := os.Getenv(EnvMnemonic)
 	defer func() {
 		if oldMnemonic == "" {
 			os.Unsetenv(EnvMnemonic)
 		} else {
 			os.Setenv(EnvMnemonic, oldMnemonic)
 		}
 	}()
 	// Set test mnemonic for direct encryption/decryption
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	os.Setenv(EnvMnemonic, testMnemonic)
+	t.Setenv(EnvMnemonic, testMnemonic)
 	// Set up a test vault structure
 	baseDir := "/test-config/berlin.sneak.pkg.secret"
@@ -87,7 +157,7 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 		fs,
 		ltPubKeyPath,
 		[]byte(ltIdentity.Recipient().String()),
-		0600,
+		0o600,
 	)
 	if err != nil {
 		t.Fatalf("Failed to write long-term public key: %v", err)
@@ -102,19 +172,23 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 	// Create vault instance using the mock vault
 	vault := &MockVault{
-		name:       "test-vault",
+		name:            "test-vault",
-		fs:         fs,
+		fs:              fs,
-		directory:  vaultDir,
+		directory:       vaultDir,
-		longTermID: ltIdentity,
+		derivationIndex: 0,
 	}
 	// Test data
 	secretName := "test-secret"
 	secretValue := []byte("this is a test secret value")
 	// Create a secure buffer for the test value
 	valueBuffer := memguard.NewBufferFromBytes(secretValue)
 	defer valueBuffer.Destroy()
 	// Test AddSecret
 	t.Run("AddSecret", func(t *testing.T) {
-		err := vault.AddSecret(secretName, secretValue, false)
+		err := vault.AddSecret(secretName, valueBuffer, false)
 		if err != nil {
 			t.Fatalf("AddSecret failed: %v", err)
 		}
@@ -122,16 +196,30 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 		// Verify that all expected files were created
 		secretDir := filepath.Join(vaultDir, "secrets.d", secretName)
-		// Check value.age exists (the new per-secret key architecture format)
+		// Check versions directory exists
-		secretExists, err := afero.Exists(
+		versionsDir := filepath.Join(secretDir, "versions")
-			fs,
+		versionsDirExists, err := afero.DirExists(fs, versionsDir)
-			filepath.Join(secretDir, "value.age"),
+		if err != nil || !versionsDirExists {
-		)
+			t.Fatalf("versions directory was not created")
 		if err != nil || !secretExists {
 			t.Fatalf("value.age file was not created")
 		}
-		t.Logf("All expected files created successfully")
+		// Check current symlink exists
 		currentVersion, err := GetCurrentVersion(fs, secretDir)
 		if err != nil {
 			t.Fatalf("Failed to get current version: %v", err)
 		}
 		// Check value.age exists in the version directory
 		versionDir := filepath.Join(versionsDir, currentVersion)
 		valueExists, err := afero.Exists(
 			fs,
 			filepath.Join(versionDir, "value.age"),
 		)
 		if err != nil || !valueExists {
 			t.Fatalf("value.age file was not created in version directory")
 		}
 		t.Logf("All expected files created successfully with versioning")
 	})
 	// Create a Secret object to test with
@@ -181,6 +269,7 @@ func isValidSecretName(name string) bool {
 			return false
 		}
 	}
 	return true
 }
@@ -214,3 +303,27 @@ func TestSecretNameValidation(t *testing.T) {
 		})
 	}
 }
 func TestSecretGetValueWithEnvMnemonicUsesVaultDerivationIndex(t *testing.T) {
 	// This test demonstrates the bug where GetValue uses hardcoded index 0
 	// instead of the vault's actual derivation index when using environment mnemonic
 	// Set up test mnemonic
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(EnvMnemonic, testMnemonic)
 	// Create temporary directory for vaults
 	fs := afero.NewOsFs()
 	tempDir, err := afero.TempDir(fs, "", "secret-test-")
 	require.NoError(t, err)
 	defer func() {
 		_ = fs.RemoveAll(tempDir)
 	}()
 	stateDir := filepath.Join(tempDir, ".secret")
 	require.NoError(t, fs.MkdirAll(stateDir, 0o700))
 	// This test is now in the integration test file where it can use real vaults
 	// The bug is demonstrated there - see test31EnvMnemonicUsesVaultDerivationIndex
 	t.Log("This test demonstrates the bug in the integration test file")
 }
--- a/internal/secret/unlock.go
+++ b/internal/secret/unlock.go
@@ -1,16 +0,0 @@
 package secret
 import (
 	"filippo.io/age"
 )
 // UnlockKey interface defines the methods all unlock key types must implement
 type UnlockKey interface {
 	GetIdentity() (*age.X25519Identity, error)
 	GetType() string
 	GetMetadata() UnlockKeyMetadata
 	GetDirectory() string
 	GetID() string
 	ID() string    // Generate ID from the key's public key
 	Remove() error // Remove the unlock key and any associated resources
 }
--- a/internal/secret/unlocker.go
+++ b/internal/secret/unlocker.go
@@ -0,0 +1,15 @@
 package secret
 import (
 	"filippo.io/age"
 )
 // Unlocker interface defines the methods all unlocker types must implement
 type Unlocker interface {
 	GetIdentity() (*age.X25519Identity, error)
 	GetType() string
 	GetMetadata() UnlockerMetadata
 	GetDirectory() string
 	GetID() string // Generate ID based on unlocker type and data
 	Remove() error // Remove the unlocker and any associated resources
 }
--- a/internal/secret/validation_test.go
+++ b/internal/secret/validation_test.go
@@ -0,0 +1,297 @@
 package secret
 import (
 	"testing"
 )
 func TestValidateGPGKeyID(t *testing.T) {
 	tests := []struct {
 		name    string
 		keyID   string
 		wantErr bool
 	}{
 		// Valid cases
 		{
 			name:    "valid email address",
 			keyID:   "test@example.com",
 			wantErr: false,
 		},
 		{
 			name:    "valid email with dots and hyphens",
 			keyID:   "test.user-name@example-domain.co.uk",
 			wantErr: false,
 		},
 		{
 			name:    "valid email with plus",
 			keyID:   "test+tag@example.com",
 			wantErr: false,
 		},
 		{
 			name:    "valid short key ID (8 hex chars)",
 			keyID:   "ABCDEF12",
 			wantErr: false,
 		},
 		{
 			name:    "valid long key ID (16 hex chars)",
 			keyID:   "ABCDEF1234567890",
 			wantErr: false,
 		},
 		{
 			name:    "valid fingerprint (40 hex chars)",
 			keyID:   "ABCDEF1234567890ABCDEF1234567890ABCDEF12",
 			wantErr: false,
 		},
 		{
 			name:    "valid lowercase hex fingerprint",
 			keyID:   "abcdef1234567890abcdef1234567890abcdef12",
 			wantErr: false,
 		},
 		{
 			name:    "valid mixed case hex",
 			keyID:   "AbCdEf1234567890",
 			wantErr: false,
 		},
 		// Invalid cases
 		{
 			name:    "empty key ID",
 			keyID:   "",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with spaces",
 			keyID:   "test user@example.com",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with semicolon (command injection)",
 			keyID:   "test@example.com; rm -rf /",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with pipe (command injection)",
 			keyID:   "test@example.com | cat /etc/passwd",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with backticks (command injection)",
 			keyID:   "test@example.com`whoami`",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with dollar sign (command injection)",
 			keyID:   "test@example.com$(whoami)",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with quotes",
 			keyID:   "test\"@example.com",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with single quotes",
 			keyID:   "test'@example.com",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with backslash",
 			keyID:   "test\\@example.com",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with newline",
 			keyID:   "test@example.com\nrm -rf /",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with carriage return",
 			keyID:   "test@example.com\rrm -rf /",
 			wantErr: true,
 		},
 		{
 			name:    "hex with invalid length (7 chars)",
 			keyID:   "ABCDEF1",
 			wantErr: true,
 		},
 		{
 			name:    "hex with invalid length (9 chars)",
 			keyID:   "ABCDEF123",
 			wantErr: true,
 		},
 		{
 			name:    "hex with non-hex characters",
 			keyID:   "ABCDEFGH",
 			wantErr: true,
 		},
 		{
 			name:    "mixed format (email with hex)",
 			keyID:   "test@ABCDEF12",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with ampersand",
 			keyID:   "test@example.com & echo test",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with redirect",
 			keyID:   "test@example.com > /tmp/test",
 			wantErr: true,
 		},
 		{
 			name:    "key ID with null byte",
 			keyID:   "test@example.com\x00",
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateGPGKeyID(tt.keyID)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateGPGKeyID() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 func TestValidateKeychainItemName(t *testing.T) {
 	tests := []struct {
 		name     string
 		itemName string
 		wantErr  bool
 	}{
 		// Valid cases
 		{
 			name:     "valid simple name",
 			itemName: "my-secret-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with dots",
 			itemName: "com.example.app.key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with underscores",
 			itemName: "my_secret_key_123",
 			wantErr:  false,
 		},
 		{
 			name:     "valid alphanumeric",
 			itemName: "Secret123Key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with hyphen at start",
 			itemName: "-my-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with dot at start",
 			itemName: ".hidden-key",
 			wantErr:  false,
 		},
 		// Invalid cases
 		{
 			name:     "empty item name",
 			itemName: "",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with spaces",
 			itemName: "my secret key",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with semicolon",
 			itemName: "key;rm -rf /",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with pipe",
 			itemName: "key|cat /etc/passwd",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backticks",
 			itemName: "key`whoami`",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with dollar sign",
 			itemName: "key$(whoami)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with quotes",
 			itemName: "key\"name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with single quotes",
 			itemName: "key'name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backslash",
 			itemName: "key\\name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with newline",
 			itemName: "key\nname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with carriage return",
 			itemName: "key\rname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with ampersand",
 			itemName: "key&echo test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with redirect",
 			itemName: "key>/tmp/test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with null byte",
 			itemName: "key\x00name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with parentheses",
 			itemName: "key(test)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with brackets",
 			itemName: "key[test]",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with asterisk",
 			itemName: "key*",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with question mark",
 			itemName: "key?",
 			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateKeychainItemName(tt.itemName)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/secret/version.go
+++ b/internal/secret/version.go
@@ -0,0 +1,487 @@
 package secret
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/oklog/ulid/v2"
 	"github.com/spf13/afero"
 )
 const (
 	versionNameParts  = 2
 	maxVersionsPerDay = 999
 )
 // VersionMetadata contains information about a secret version
 type VersionMetadata struct {
 	ID        string     `json:"id"`                  // ULID
 	CreatedAt *time.Time `json:"createdAt,omitempty"` // When version was created
 	NotBefore *time.Time `json:"notBefore,omitempty"` // When this version becomes active
 	NotAfter  *time.Time `json:"notAfter,omitempty"`  // When this version expires (nil = current)
 }
 // Version represents a version of a secret
 type Version struct {
 	SecretName string
 	Version    string
 	Directory  string
 	Metadata   VersionMetadata
 	vault      VaultInterface
 }
 // NewVersion creates a new Version instance
 func NewVersion(vault VaultInterface, secretName string, version string) *Version {
 	DebugWith("Creating new secret version instance",
 		slog.String("secret_name", secretName),
 		slog.String("version", version),
 		slog.String("vault_name", vault.GetName()),
 	)
 	vaultDir, _ := vault.GetDirectory()
 	storageName := strings.ReplaceAll(secretName, "/", "%")
 	versionDir := filepath.Join(vaultDir, "secrets.d", storageName, "versions", version)
 	DebugWith("Secret version storage details",
 		slog.String("secret_name", secretName),
 		slog.String("version", version),
 		slog.String("version_dir", versionDir),
 	)
 	now := time.Now()
 	return &Version{
 		SecretName: secretName,
 		Version:    version,
 		Directory:  versionDir,
 		vault:      vault,
 		Metadata: VersionMetadata{
 			ID:        ulid.Make().String(),
 			CreatedAt: &now,
 		},
 	}
 }
 // GenerateVersionName generates a new version name in YYYYMMDD.NNN format
 func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
 	today := time.Now().Format("20060102")
 	versionsDir := filepath.Join(secretDir, "versions")
 	// Ensure versions directory exists
 	if err := fs.MkdirAll(versionsDir, DirPerms); err != nil {
 		return "", fmt.Errorf("failed to create versions directory: %w", err)
 	}
 	// Find the highest serial number for today
 	entries, err := afero.ReadDir(fs, versionsDir)
 	if err != nil {
 		return "", fmt.Errorf("failed to read versions directory: %w", err)
 	}
 	maxSerial := 0
 	prefix := today + "."
 	for _, entry := range entries {
 		// Skip non-directories and those without correct prefix
 		if !entry.IsDir() || !strings.HasPrefix(entry.Name(), prefix) {
 			continue
 		}
 		// Extract serial number
 		parts := strings.Split(entry.Name(), ".")
 		if len(parts) != versionNameParts {
 			continue
 		}
 		var serial int
 		if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err != nil {
 			continue
 		}
 		if serial > maxSerial {
 			maxSerial = serial
 		}
 	}
 	// Generate new version name
 	newSerial := maxSerial + 1
 	if newSerial > maxVersionsPerDay {
 		return "", fmt.Errorf("exceeded maximum versions per day (999)")
 	}
 	return fmt.Sprintf("%s.%03d", today, newSerial), nil
 }
 // Save saves the version metadata and value
 func (sv *Version) Save(value *memguard.LockedBuffer) error {
 	if value == nil {
 		return fmt.Errorf("value buffer is nil")
 	}
 	DebugWith("Saving secret version",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
 		slog.Int("value_length", value.Size()),
 	)
 	fs := sv.vault.GetFilesystem()
 	// Create version directory
 	if err := fs.MkdirAll(sv.Directory, DirPerms); err != nil {
 		Debug("Failed to create version directory", "error", err, "dir", sv.Directory)
 		return fmt.Errorf("failed to create version directory: %w", err)
 	}
 	// Step 1: Generate a new keypair for this version
 	Debug("Generating version-specific keypair", "version", sv.Version)
 	versionIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		Debug("Failed to generate version keypair", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to generate version keypair: %w", err)
 	}
 	versionPublicKey := versionIdentity.Recipient().String()
 	// Store private key in memguard buffer immediately
 	versionPrivateKeyBuffer := memguard.NewBufferFromBytes([]byte(versionIdentity.String()))
 	defer versionPrivateKeyBuffer.Destroy()
 	DebugWith("Generated version keypair",
 		slog.String("version", sv.Version),
 		slog.String("public_key", versionPublicKey),
 	)
 	// Step 2: Store the version's public key
 	pubKeyPath := filepath.Join(sv.Directory, "pub.age")
 	Debug("Writing version public key", "path", pubKeyPath)
 	if err := afero.WriteFile(fs, pubKeyPath, []byte(versionPublicKey), FilePerms); err != nil {
 		Debug("Failed to write version public key", "error", err, "path", pubKeyPath)
 		return fmt.Errorf("failed to write version public key: %w", err)
 	}
 	// Step 3: Encrypt the value to the version's public key
 	Debug("Encrypting value to version's public key", "version", sv.Version)
 	encryptedValue, err := EncryptToRecipient(value, versionIdentity.Recipient())
 	if err != nil {
 		Debug("Failed to encrypt version value", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version value: %w", err)
 	}
 	// Step 4: Store the encrypted value
 	valuePath := filepath.Join(sv.Directory, "value.age")
 	Debug("Writing encrypted version value", "path", valuePath)
 	if err := afero.WriteFile(fs, valuePath, encryptedValue, FilePerms); err != nil {
 		Debug("Failed to write encrypted version value", "error", err, "path", valuePath)
 		return fmt.Errorf("failed to write encrypted version value: %w", err)
 	}
 	// Step 5: Get vault's long-term public key for encrypting the version's private key
 	vaultDir, _ := sv.vault.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	Debug("Reading long-term public key", "path", ltPubKeyPath)
 	ltPubKeyData, err := afero.ReadFile(fs, ltPubKeyPath)
 	if err != nil {
 		Debug("Failed to read long-term public key", "error", err, "path", ltPubKeyPath)
 		return fmt.Errorf("failed to read long-term public key: %w", err)
 	}
 	Debug("Parsing long-term public key")
 	ltRecipient, err := age.ParseX25519Recipient(string(ltPubKeyData))
 	if err != nil {
 		Debug("Failed to parse long-term public key", "error", err)
 		return fmt.Errorf("failed to parse long-term public key: %w", err)
 	}
 	// Step 6: Encrypt the version's private key to the long-term public key
 	Debug("Encrypting version private key to long-term public key", "version", sv.Version)
 	encryptedPrivKey, err := EncryptToRecipient(versionPrivateKeyBuffer, ltRecipient)
 	if err != nil {
 		Debug("Failed to encrypt version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version private key: %w", err)
 	}
 	// Step 7: Store the encrypted private key
 	privKeyPath := filepath.Join(sv.Directory, "priv.age")
 	Debug("Writing encrypted version private key", "path", privKeyPath)
 	if err := afero.WriteFile(fs, privKeyPath, encryptedPrivKey, FilePerms); err != nil {
 		Debug("Failed to write encrypted version private key", "error", err, "path", privKeyPath)
 		return fmt.Errorf("failed to write encrypted version private key: %w", err)
 	}
 	// Step 8: Encrypt and store metadata
 	Debug("Encrypting version metadata", "version", sv.Version)
 	metadataBytes, err := json.MarshalIndent(sv.Metadata, "", "  ")
 	if err != nil {
 		Debug("Failed to marshal version metadata", "error", err)
 		return fmt.Errorf("failed to marshal version metadata: %w", err)
 	}
 	// Encrypt metadata to the version's public key
 	metadataBuffer := memguard.NewBufferFromBytes(metadataBytes)
 	defer metadataBuffer.Destroy()
 	encryptedMetadata, err := EncryptToRecipient(metadataBuffer, versionIdentity.Recipient())
 	if err != nil {
 		Debug("Failed to encrypt version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version metadata: %w", err)
 	}
 	metadataPath := filepath.Join(sv.Directory, "metadata.age")
 	Debug("Writing encrypted version metadata", "path", metadataPath)
 	if err := afero.WriteFile(fs, metadataPath, encryptedMetadata, FilePerms); err != nil {
 		Debug("Failed to write encrypted version metadata", "error", err, "path", metadataPath)
 		return fmt.Errorf("failed to write encrypted version metadata: %w", err)
 	}
 	Debug("Successfully saved secret version", "version", sv.Version, "secret_name", sv.SecretName)
 	return nil
 }
 // LoadMetadata loads and decrypts the version metadata
 func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	DebugWith("Loading version metadata",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
 	)
 	fs := sv.vault.GetFilesystem()
 	// Step 1: Read encrypted version private key
 	encryptedPrivKeyPath := filepath.Join(sv.Directory, "priv.age")
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted version private key", "error", err, "path", encryptedPrivKeyPath)
 		return fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
 	// Step 2: Decrypt version private key using long-term key
 	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
 	// Step 3: Parse version private key
 	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
 	// Step 4: Read encrypted metadata
 	encryptedMetadataPath := filepath.Join(sv.Directory, "metadata.age")
 	encryptedMetadata, err := afero.ReadFile(fs, encryptedMetadataPath)
 	if err != nil {
 		Debug("Failed to read encrypted version metadata", "error", err, "path", encryptedMetadataPath)
 		return fmt.Errorf("failed to read encrypted version metadata: %w", err)
 	}
 	// Step 5: Decrypt metadata using version key
 	metadataBytes, err := DecryptWithIdentity(encryptedMetadata, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to decrypt version metadata: %w", err)
 	}
 	// Step 6: Unmarshal metadata
 	var metadata VersionMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		Debug("Failed to unmarshal version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to unmarshal version metadata: %w", err)
 	}
 	sv.Metadata = metadata
 	Debug("Successfully loaded version metadata", "version", sv.Version)
 	return nil
 }
 // GetValue retrieves and decrypts the version value
 func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
 	DebugWith("Getting version value",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
 	)
 	// Debug: Log the directory and long-term key info
 	Debug("SecretVersion GetValue debug info",
 		"secret_name", sv.SecretName,
 		"version", sv.Version,
 		"directory", sv.Directory,
 		"lt_identity_public_key", ltIdentity.Recipient().String())
 	fs := sv.vault.GetFilesystem()
 	// Step 1: Read encrypted version private key
 	encryptedPrivKeyPath := filepath.Join(sv.Directory, "priv.age")
 	Debug("Reading encrypted version private key", "path", encryptedPrivKeyPath)
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted version private key", "error", err, "path", encryptedPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
 	Debug("Successfully read encrypted version private key", "path", encryptedPrivKeyPath, "size", len(encryptedPrivKey))
 	// Step 2: Decrypt version private key using long-term key
 	Debug("Decrypting version private key with long-term identity", "version", sv.Version)
 	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
 	Debug("Successfully decrypted version private key", "version", sv.Version, "size", len(versionPrivKeyData))
 	// Step 3: Parse version private key
 	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to parse version private key: %w", err)
 	}
 	// Step 4: Read encrypted value
 	encryptedValuePath := filepath.Join(sv.Directory, "value.age")
 	Debug("Reading encrypted value", "path", encryptedValuePath)
 	encryptedValue, err := afero.ReadFile(fs, encryptedValuePath)
 	if err != nil {
 		Debug("Failed to read encrypted version value", "error", err, "path", encryptedValuePath)
 		return nil, fmt.Errorf("failed to read encrypted version value: %w", err)
 	}
 	Debug("Successfully read encrypted value", "path", encryptedValuePath, "size", len(encryptedValue))
 	// Step 5: Decrypt value using version key
 	Debug("Decrypting value with version identity", "version", sv.Version)
 	value, err := DecryptWithIdentity(encryptedValue, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version value", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version value: %w", err)
 	}
 	Debug("Successfully retrieved version value",
 		"version", sv.Version,
 		"value_length", len(value),
 		"is_empty", len(value) == 0)
 	return value, nil
 }
 // ListVersions lists all versions of a secret
 func ListVersions(fs afero.Fs, secretDir string) ([]string, error) {
 	versionsDir := filepath.Join(secretDir, "versions")
 	// Check if versions directory exists
 	exists, err := afero.DirExists(fs, versionsDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check versions directory: %w", err)
 	}
 	if !exists {
 		return []string{}, nil
 	}
 	// List all version directories
 	entries, err := afero.ReadDir(fs, versionsDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read versions directory: %w", err)
 	}
 	var versions []string
 	for _, entry := range entries {
 		if entry.IsDir() {
 			versions = append(versions, entry.Name())
 		}
 	}
 	// Sort versions in reverse chronological order
 	sort.Sort(sort.Reverse(sort.StringSlice(versions)))
 	return versions, nil
 }
 // GetCurrentVersion returns the version that the "current" symlink points to
 func GetCurrentVersion(fs afero.Fs, secretDir string) (string, error) {
 	currentPath := filepath.Join(secretDir, "current")
 	// Try to read as a real symlink first
 	if _, ok := fs.(*afero.OsFs); ok {
 		target, err := os.Readlink(currentPath)
 		if err == nil {
 			// Extract version from path (e.g., "versions/20231215.001" -> "20231215.001")
 			parts := strings.Split(target, "/")
 			if len(parts) >= 2 && parts[0] == "versions" {
 				return parts[1], nil
 			}
 			return "", fmt.Errorf("invalid current version symlink format: %s", target)
 		}
 	}
 	// Fall back to reading as a file (for MemMapFs testing)
 	fileData, err := afero.ReadFile(fs, currentPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read current version symlink: %w", err)
 	}
 	target := strings.TrimSpace(string(fileData))
 	// Extract version from path
 	parts := strings.Split(target, "/")
 	if len(parts) >= 2 && parts[0] == "versions" {
 		return parts[1], nil
 	}
 	return "", fmt.Errorf("invalid current version symlink format: %s", target)
 }
 // SetCurrentVersion updates the "current" symlink to point to a specific version
 func SetCurrentVersion(fs afero.Fs, secretDir string, version string) error {
 	currentPath := filepath.Join(secretDir, "current")
 	targetPath := filepath.Join("versions", version)
 	// Remove existing symlink if it exists
 	_ = fs.Remove(currentPath)
 	// Try to create a real symlink first (works on Unix systems)
 	if _, ok := fs.(*afero.OsFs); ok {
 		if err := os.Symlink(targetPath, currentPath); err == nil {
 			return nil
 		}
 	}
 	// Fall back to creating a file with the target path (for MemMapFs testing)
 	if err := afero.WriteFile(fs, currentPath, []byte(targetPath), FilePerms); err != nil {
 		return fmt.Errorf("failed to create current version symlink: %w", err)
 	}
 	return nil
 }
--- a/internal/secret/version_test.go
+++ b/internal/secret/version_test.go
@@ -0,0 +1,371 @@
 // Version Support Test Suite Documentation
 //
 // This file contains core unit tests for version functionality:
 //
 // - TestGenerateVersionName: Tests version name generation with date and serial format
 // - TestGenerateVersionNameMaxSerial: Tests the 999 versions per day limit
 // - TestNewVersion: Tests secret version object creation
 // - TestSecretVersionSave: Tests saving a version with encryption
 // - TestSecretVersionLoadMetadata: Tests loading and decrypting version metadata
 // - TestSecretVersionGetValue: Tests retrieving and decrypting version values
 // - TestListVersions: Tests listing versions in reverse chronological order
 // - TestGetCurrentVersion: Tests retrieving the current version via symlink
 // - TestSetCurrentVersion: Tests updating the current version symlink
 // - TestVersionMetadataTimestamps: Tests timestamp pointer consistency
 //
 // Key Test Scenarios:
 // - Version Creation: First version gets notBefore = epoch + 1 second
 // - Subsequent versions update previous version's notAfter timestamp
 // - New version's notBefore equals previous version's notAfter
 // - Version names follow YYYYMMDD.NNN format
 // - Maximum 999 versions per day enforced
 //
 // Version Retrieval:
 // - Get current version via symlink
 // - Get specific version by name
 // - Empty version parameter returns current
 // - Non-existent versions return appropriate errors
 //
 // Data Integrity:
 // - Each version has independent encryption keys
 // - Metadata encryption protects version history
 // - Long-term key required for all operations
 // - Concurrent reads handled safely
 package secret
 import (
 	"fmt"
 	"path/filepath"
 	"testing"
 	"time"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // MockVault implements VaultInterface for testing
 type MockVersionVault struct {
 	Name        string
 	fs          afero.Fs
 	stateDir    string
 	longTermKey *age.X25519Identity
 }
 func (m *MockVersionVault) GetDirectory() (string, error) {
 	return filepath.Join(m.stateDir, "vaults.d", m.Name), nil
 }
 func (m *MockVersionVault) AddSecret(_ string, _ *memguard.LockedBuffer, _ bool) error {
 	return fmt.Errorf("not implemented in mock")
 }
 func (m *MockVersionVault) GetName() string {
 	return m.Name
 }
 func (m *MockVersionVault) GetFilesystem() afero.Fs {
 	return m.fs
 }
 func (m *MockVersionVault) GetCurrentUnlocker() (Unlocker, error) {
 	return nil, fmt.Errorf("not implemented in mock")
 }
 func (m *MockVersionVault) CreatePassphraseUnlocker(_ *memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	return nil, fmt.Errorf("not implemented in mock")
 }
 func TestGenerateVersionName(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
 	// Test first version generation
 	version1, err := GenerateVersionName(fs, secretDir)
 	require.NoError(t, err)
 	assert.Regexp(t, `^\d{8}\.001$`, version1)
 	// Create the version directory
 	versionDir := filepath.Join(secretDir, "versions", version1)
 	err = fs.MkdirAll(versionDir, 0o755)
 	require.NoError(t, err)
 	// Test second version generation on same day
 	version2, err := GenerateVersionName(fs, secretDir)
 	require.NoError(t, err)
 	assert.Regexp(t, `^\d{8}\.002$`, version2)
 	// Verify they have the same date prefix
 	assert.Equal(t, version1[:8], version2[:8])
 	assert.NotEqual(t, version1, version2)
 }
 func TestGenerateVersionNameMaxSerial(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
 	versionsDir := filepath.Join(secretDir, "versions")
 	// Create 999 versions
 	today := time.Now().Format("20060102")
 	for i := 1; i <= 999; i++ {
 		versionName := fmt.Sprintf("%s.%03d", today, i)
 		err := fs.MkdirAll(filepath.Join(versionsDir, versionName), 0o755)
 		require.NoError(t, err)
 	}
 	// Try to create one more - should fail
 	_, err := GenerateVersionName(fs, secretDir)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "exceeded maximum versions per day")
 }
 func TestNewVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	vault := &MockVersionVault{
 		Name:     "test",
 		fs:       fs,
 		stateDir: "/test",
 	}
 	sv := NewVersion(vault, "test/secret", "20231215.001")
 	assert.Equal(t, "test/secret", sv.SecretName)
 	assert.Equal(t, "20231215.001", sv.Version)
 	assert.Contains(t, sv.Directory, "test%secret/versions/20231215.001")
 	assert.NotEmpty(t, sv.Metadata.ID)
 	assert.NotNil(t, sv.Metadata.CreatedAt)
 }
 func TestSecretVersionSave(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	vault := &MockVersionVault{
 		Name:     "test",
 		fs:       fs,
 		stateDir: "/test",
 	}
 	// Create vault directory structure and long-term key
 	vaultDir, _ := vault.GetDirectory()
 	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	// Generate and store long-term public key
 	ltIdentity, err := age.GenerateX25519Identity()
 	require.NoError(t, err)
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version
 	sv := NewVersion(vault, "test/secret", "20231215.001")
 	testValue := []byte("test-secret-value")
 	testBuffer := memguard.NewBufferFromBytes(testValue)
 	defer testBuffer.Destroy()
 	err = sv.Save(testBuffer)
 	require.NoError(t, err)
 	// Verify files were created
 	assert.True(t, fileExists(fs, filepath.Join(sv.Directory, "pub.age")))
 	assert.True(t, fileExists(fs, filepath.Join(sv.Directory, "priv.age")))
 	assert.True(t, fileExists(fs, filepath.Join(sv.Directory, "value.age")))
 	assert.True(t, fileExists(fs, filepath.Join(sv.Directory, "metadata.age")))
 }
 func TestSecretVersionLoadMetadata(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	vault := &MockVersionVault{
 		Name:     "test",
 		fs:       fs,
 		stateDir: "/test",
 	}
 	// Setup vault with long-term key
 	vaultDir, _ := vault.GetDirectory()
 	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	ltIdentity, err := age.GenerateX25519Identity()
 	require.NoError(t, err)
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version with custom metadata
 	sv := NewVersion(vault, "test/secret", "20231215.001")
 	now := time.Now()
 	epochPlusOne := time.Unix(1, 0)
 	sv.Metadata.NotBefore = &epochPlusOne
 	sv.Metadata.NotAfter = &now
 	testBuffer := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer testBuffer.Destroy()
 	err = sv.Save(testBuffer)
 	require.NoError(t, err)
 	// Create new version object and load metadata
 	sv2 := NewVersion(vault, "test/secret", "20231215.001")
 	err = sv2.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
 	// Verify loaded metadata
 	assert.Equal(t, sv.Metadata.ID, sv2.Metadata.ID)
 	assert.NotNil(t, sv2.Metadata.NotBefore)
 	assert.Equal(t, epochPlusOne.Unix(), sv2.Metadata.NotBefore.Unix())
 	assert.NotNil(t, sv2.Metadata.NotAfter)
 }
 func TestSecretVersionGetValue(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	vault := &MockVersionVault{
 		Name:     "test",
 		fs:       fs,
 		stateDir: "/test",
 	}
 	// Setup vault with long-term key
 	vaultDir, _ := vault.GetDirectory()
 	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	ltIdentity, err := age.GenerateX25519Identity()
 	require.NoError(t, err)
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version
 	sv := NewVersion(vault, "test/secret", "20231215.001")
 	originalValue := []byte("test-secret-value-12345")
 	expectedValue := make([]byte, len(originalValue))
 	copy(expectedValue, originalValue)
 	originalBuffer := memguard.NewBufferFromBytes(originalValue)
 	defer originalBuffer.Destroy()
 	err = sv.Save(originalBuffer)
 	require.NoError(t, err)
 	// Retrieve the value
 	retrievedValue, err := sv.GetValue(ltIdentity)
 	require.NoError(t, err)
 	assert.Equal(t, expectedValue, retrievedValue)
 }
 func TestListVersions(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
 	versionsDir := filepath.Join(secretDir, "versions")
 	// No versions directory
 	versions, err := ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	assert.Empty(t, versions)
 	// Create some versions
 	testVersions := []string{"20231215.001", "20231215.002", "20231216.001", "20231214.001"}
 	for _, v := range testVersions {
 		err := fs.MkdirAll(filepath.Join(versionsDir, v), 0o755)
 		require.NoError(t, err)
 	}
 	// Create a file (not directory) that should be ignored
 	err = afero.WriteFile(fs, filepath.Join(versionsDir, "ignore.txt"), []byte("test"), 0o600)
 	require.NoError(t, err)
 	// List versions
 	versions, err = ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	// Should be sorted in reverse chronological order
 	expected := []string{"20231216.001", "20231215.002", "20231215.001", "20231214.001"}
 	assert.Equal(t, expected, versions)
 }
 func TestGetCurrentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
 	// Simulate symlink with file content (works for both OsFs and MemMapFs)
 	currentPath := filepath.Join(secretDir, "current")
 	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	err = afero.WriteFile(fs, currentPath, []byte("versions/20231216.001"), 0o600)
 	require.NoError(t, err)
 	version, err := GetCurrentVersion(fs, secretDir)
 	require.NoError(t, err)
 	assert.Equal(t, "20231216.001", version)
 }
 func TestSetCurrentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
 	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Set current version
 	err = SetCurrentVersion(fs, secretDir, "20231216.002")
 	require.NoError(t, err)
 	// Verify it was set
 	version, err := GetCurrentVersion(fs, secretDir)
 	require.NoError(t, err)
 	assert.Equal(t, "20231216.002", version)
 	// Update to different version
 	err = SetCurrentVersion(fs, secretDir, "20231217.001")
 	require.NoError(t, err)
 	version, err = GetCurrentVersion(fs, secretDir)
 	require.NoError(t, err)
 	assert.Equal(t, "20231217.001", version)
 }
 func TestVersionMetadataTimestamps(t *testing.T) {
 	// Test that all timestamp fields behave consistently as pointers
 	vm := VersionMetadata{
 		ID: "test-id",
 	}
 	// All should be nil initially
 	assert.Nil(t, vm.CreatedAt)
 	assert.Nil(t, vm.NotBefore)
 	assert.Nil(t, vm.NotAfter)
 	// Set timestamps
 	now := time.Now()
 	epoch := time.Unix(1, 0)
 	future := now.Add(time.Hour)
 	vm.CreatedAt = &now
 	vm.NotBefore = &epoch
 	vm.NotAfter = &future
 	// All should be non-nil
 	assert.NotNil(t, vm.CreatedAt)
 	assert.NotNil(t, vm.NotBefore)
 	assert.NotNil(t, vm.NotAfter)
 	// Values should match
 	assert.Equal(t, now.Unix(), vm.CreatedAt.Unix())
 	assert.Equal(t, int64(1), vm.NotBefore.Unix())
 	assert.Equal(t, future.Unix(), vm.NotAfter.Unix())
 }
 // Helper function
 func fileExists(fs afero.Fs, path string) bool {
 	exists, _ := afero.Exists(fs, path)
 	return exists
 }
--- a/internal/vault/integration_test.go
+++ b/internal/vault/integration_test.go
@@ -8,16 +8,13 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 func TestVaultWithRealFilesystem(t *testing.T) {
 	// Create a temporary directory for our tests
-	tempDir, err := os.MkdirTemp("", "secret-test-")
+	tempDir := t.TempDir()
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
 	defer os.RemoveAll(tempDir) // Clean up after test
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -25,33 +22,14 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test mnemonic
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Save original environment variables
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
 	// Set test environment variables
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	// Clean up after test
 	defer func() {
 		if oldMnemonic != "" {
 			os.Setenv(secret.EnvMnemonic, oldMnemonic)
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Test symlink handling
 	t.Run("SymlinkHandling", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "symlink-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -98,33 +76,30 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test secret operations with deeply nested paths
 	t.Run("DeepPathSecrets", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "deep-path-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
-		// Create a test vault
+		// Create a test vault - CreateVault now handles public key when mnemonic is in env
 		vlt, err := vault.CreateVault(fs, stateDir, "test-vault")
 		if err != nil {
 			t.Fatalf("Failed to create vault: %v", err)
 		}
-		// Derive long-term key from mnemonic
+		// Load vault metadata to get its derivation index
 		ltIdentity, err := agehd.DeriveIdentity(testMnemonic, 0)
 		if err != nil {
 			t.Fatalf("Failed to derive long-term key: %v", err)
 		}
 		// Get the vault directory
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			t.Fatalf("Failed to get vault directory: %v", err)
 		}
 		vaultMetadata, err := vault.LoadVaultMetadata(fs, vaultDir)
 		if err != nil {
 			t.Fatalf("Failed to load vault metadata: %v", err)
 		}
-		// Write long-term public key
+		// Derive long-term key from mnemonic using the vault's derivation index
-		ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
+		ltIdentity, err := agehd.DeriveIdentity(testMnemonic, vaultMetadata.DerivationIndex)
-		pubKey := ltIdentity.Recipient().String()
+		if err != nil {
-		if err := afero.WriteFile(fs, ltPubKeyPath, []byte(pubKey), secret.FilePerms); err != nil {
+			t.Fatalf("Failed to derive long-term key: %v", err)
 			t.Fatalf("Failed to write long-term public key: %v", err)
 		}
 		// Unlock the vault
@@ -133,8 +108,13 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		// Create a secret with a deeply nested path
 		deepPath := "api/credentials/production/database/primary"
 		secretValue := []byte("supersecretdbpassword")
 		expectedValue := make([]byte, len(secretValue))
 		copy(expectedValue, secretValue)
-		err = vlt.AddSecret(deepPath, secretValue, false)
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		err = vlt.AddSecret(deepPath, secretBuffer, false)
 		if err != nil {
 			t.Fatalf("Failed to add secret with deep path: %v", err)
 		}
@@ -163,42 +143,39 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 			t.Fatalf("Failed to retrieve deep path secret: %v", err)
 		}
-		if string(retrievedValue) != string(secretValue) {
+		if string(retrievedValue) != string(expectedValue) {
 			t.Errorf("Retrieved value doesn't match. Expected %q, got %q",
-				string(secretValue), string(retrievedValue))
+				string(expectedValue), string(retrievedValue))
 		}
 	})
 	// Test key caching in GetOrDeriveLongTermKey
 	t.Run("KeyCaching", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "key-cache-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
-		// Create a test vault
+		// Create a test vault - CreateVault now handles public key when mnemonic is in env
 		vlt, err := vault.CreateVault(fs, stateDir, "test-vault")
 		if err != nil {
 			t.Fatalf("Failed to create vault: %v", err)
 		}
-		// Derive long-term key from mnemonic
+		// Load vault metadata to get its derivation index
 		ltIdentity, err := agehd.DeriveIdentity(testMnemonic, 0)
 		if err != nil {
 			t.Fatalf("Failed to derive long-term key: %v", err)
 		}
 		// Get the vault directory
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			t.Fatalf("Failed to get vault directory: %v", err)
 		}
 		vaultMetadata, err := vault.LoadVaultMetadata(fs, vaultDir)
 		if err != nil {
 			t.Fatalf("Failed to load vault metadata: %v", err)
 		}
-		// Write long-term public key
+		// Derive long-term key from mnemonic for verification using the vault's derivation index
-		ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
+		ltIdentity, err := agehd.DeriveIdentity(testMnemonic, vaultMetadata.DerivationIndex)
-		pubKey := ltIdentity.Recipient().String()
+		if err != nil {
-		if err := afero.WriteFile(fs, ltPubKeyPath, []byte(pubKey), secret.FilePerms); err != nil {
+			t.Fatalf("Failed to derive long-term key: %v", err)
 			t.Fatalf("Failed to write long-term public key: %v", err)
 		}
 		// Verify the vault is locked initially
@@ -257,7 +234,7 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test vault name validation
 	t.Run("VaultNameValidation", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "name-validation-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -297,7 +274,7 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test multiple vaults and switching between them
 	t.Run("MultipleVaults", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "multi-vault-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -342,11 +319,11 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test adding a secret in one vault and verifying it's not visible in another
 	t.Run("VaultIsolation", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "isolation-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
-		// Create two vaults
+		// Create two vaults - CreateVault now handles public key when mnemonic is in env
 		vault1, err := vault.CreateVault(fs, stateDir, "vault1")
 		if err != nil {
 			t.Fatalf("Failed to create vault1: %v", err)
@@ -358,31 +335,50 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		}
 		// Derive long-term key from mnemonic
-		ltIdentity, err := agehd.DeriveIdentity(testMnemonic, 0)
+		// Note: Both vaults will have different derivation indexes due to GetNextDerivationIndex
 		// Load vault1 metadata to get its derivation index
 		vault1Dir, err := vault1.GetDirectory()
 		if err != nil {
-			t.Fatalf("Failed to derive long-term key: %v", err)
+			t.Fatalf("Failed to get vault1 directory: %v", err)
 		}
 		vault1Metadata, err := vault.LoadVaultMetadata(fs, vault1Dir)
 		if err != nil {
 			t.Fatalf("Failed to load vault1 metadata: %v", err)
 		}
-		// Setup both vaults with the same long-term key
+		ltIdentity1, err := agehd.DeriveIdentity(testMnemonic, vault1Metadata.DerivationIndex)
-		for _, vlt := range []*vault.Vault{vault1, vault2} {
+		if err != nil {
-			vaultDir, err := vlt.GetDirectory()
+			t.Fatalf("Failed to derive long-term key for vault1: %v", err)
 			if err != nil {
 				t.Fatalf("Failed to get vault directory: %v", err)
 			}
 			ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 			pubKey := ltIdentity.Recipient().String()
 			if err := afero.WriteFile(fs, ltPubKeyPath, []byte(pubKey), secret.FilePerms); err != nil {
 				t.Fatalf("Failed to write long-term public key: %v", err)
 			}
 			vlt.Unlock(ltIdentity)
 		}
 		// Load vault2 metadata to get its derivation index
 		vault2Dir, err := vault2.GetDirectory()
 		if err != nil {
 			t.Fatalf("Failed to get vault2 directory: %v", err)
 		}
 		vault2Metadata, err := vault.LoadVaultMetadata(fs, vault2Dir)
 		if err != nil {
 			t.Fatalf("Failed to load vault2 metadata: %v", err)
 		}
 		ltIdentity2, err := agehd.DeriveIdentity(testMnemonic, vault2Metadata.DerivationIndex)
 		if err != nil {
 			t.Fatalf("Failed to derive long-term key for vault2: %v", err)
 		}
 		// Unlock the vaults with their respective keys
 		vault1.Unlock(ltIdentity1)
 		vault2.Unlock(ltIdentity2)
 		// Add a secret to vault1
 		secretName := "test-secret"
 		secretValue := []byte("secret in vault1")
-		if err := vault1.AddSecret(secretName, secretValue, false); err != nil {
+
 		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		if err := vault1.AddSecret(secretName, secretBuffer, false); err != nil {
 			t.Fatalf("Failed to add secret to vault1: %v", err)
 		}
--- a/internal/vault/integration_version_test.go
+++ b/internal/vault/integration_version_test.go
@@ -0,0 +1,354 @@
 // Version Support Integration Tests
 //
 // Comprehensive integration tests for version functionality:
 //
 // - TestVersionIntegrationWorkflow: End-to-end workflow testing
 //   - Creating initial version with proper metadata
 //   - Creating multiple versions with timestamp updates
 //   - Retrieving specific versions by name
 //   - Promoting old versions to current
 //   - Testing version serial number limits (999/day)
 //   - Error cases and edge conditions
 //
 // - TestVersionConcurrency: Tests concurrent read operations
 //
 // - TestVersionCompatibility: Tests handling of legacy non-versioned secrets
 //
 // Test Environment:
 // - Uses in-memory filesystem (afero.MemMapFs)
 // - Consistent test mnemonic for reproducible keys
 // - Proper cleanup and isolation between tests
 package vault
 import (
 	"fmt"
 	"path/filepath"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecret(t *testing.T, vault *Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vault.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // TestVersionIntegrationWorkflow tests the complete version workflow
 func TestVersionIntegrationWorkflow(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set mnemonic for testing
 	t.Setenv(secret.EnvMnemonic,
 		"abandon abandon abandon abandon abandon abandon "+
 			"abandon abandon abandon abandon abandon about")
 	// Create vault
 	vault, err := CreateVault(fs, stateDir, "test")
 	require.NoError(t, err)
 	// Derive and store long-term key from mnemonic
 	mnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
 	require.NoError(t, err)
 	// Store long-term public key in vault
 	vaultDir, _ := vault.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Unlock the vault
 	vault.Unlock(ltIdentity)
 	secretName := "integration/test"
 	// Step 1: Create initial version
 	t.Run("create_initial_version", func(t *testing.T) {
 		addTestSecret(t, vault, secretName, []byte("version-1-data"), false)
 		// Verify secret can be retrieved
 		value, err := vault.GetSecret(secretName)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-1-data"), value)
 		// Verify version directory structure
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
 		versions, err := secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		assert.Len(t, versions, 1)
 		// Verify current symlink exists
 		currentVersion, err := secret.GetCurrentVersion(fs, secretDir)
 		require.NoError(t, err)
 		assert.Equal(t, versions[0], currentVersion)
 		// Verify metadata
 		version := secret.NewVersion(vault, secretName, versions[0])
 		err = version.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, version.Metadata.CreatedAt)
 		assert.NotNil(t, version.Metadata.NotBefore)
 		assert.Equal(t, int64(1), version.Metadata.NotBefore.Unix()) // epoch + 1
 		assert.Nil(t, version.Metadata.NotAfter)                     // should be nil for current version
 	})
 	// Step 2: Create second version
 	var firstVersionName string
 	t.Run("create_second_version", func(t *testing.T) {
 		// Small delay to ensure different timestamps
 		time.Sleep(10 * time.Millisecond)
 		// Get first version name before creating second
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
 		versions, err := secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		firstVersionName = versions[0]
 		// Create second version
 		addTestSecret(t, vault, secretName, []byte("version-2-data"), true)
 		// Verify new value is current
 		value, err := vault.GetSecret(secretName)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-2-data"), value)
 		// Verify we now have two versions
 		versions, err = secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		assert.Len(t, versions, 2)
 		// Verify first version metadata was updated with notAfter
 		firstVersion := secret.NewVersion(vault, secretName, firstVersionName)
 		err = firstVersion.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, firstVersion.Metadata.NotAfter)
 		// Verify second version metadata
 		secondVersion := secret.NewVersion(vault, secretName, versions[0])
 		err = secondVersion.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, secondVersion.Metadata.NotBefore)
 		assert.Nil(t, secondVersion.Metadata.NotAfter)
 		// NotBefore of second should equal NotAfter of first
 		assert.Equal(t, firstVersion.Metadata.NotAfter.Unix(), secondVersion.Metadata.NotBefore.Unix())
 	})
 	// Step 3: Create third version
 	t.Run("create_third_version", func(t *testing.T) {
 		time.Sleep(10 * time.Millisecond)
 		addTestSecret(t, vault, secretName, []byte("version-3-data"), true)
 		// Verify we now have three versions
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
 		versions, err := secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		assert.Len(t, versions, 3)
 		// Current should be version-3
 		value, err := vault.GetSecret(secretName)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-3-data"), value)
 	})
 	// Step 4: Retrieve specific versions
 	t.Run("retrieve_specific_versions", func(t *testing.T) {
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
 		versions, err := secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		require.Len(t, versions, 3)
 		// Get each version by its name
 		value1, err := vault.GetSecretVersion(secretName, versions[2]) // oldest
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-1-data"), value1)
 		value2, err := vault.GetSecretVersion(secretName, versions[1]) // middle
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-2-data"), value2)
 		value3, err := vault.GetSecretVersion(secretName, versions[0]) // newest
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-3-data"), value3)
 		// Empty version should return current
 		valueCurrent, err := vault.GetSecretVersion(secretName, "")
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-3-data"), valueCurrent)
 	})
 	// Step 5: Promote old version to current
 	t.Run("promote_old_version", func(t *testing.T) {
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
 		versions, err := secret.ListVersions(fs, secretDir)
 		require.NoError(t, err)
 		// Promote the first version (oldest) to current
 		oldestVersion := versions[2]
 		err = secret.SetCurrentVersion(fs, secretDir, oldestVersion)
 		require.NoError(t, err)
 		// Verify current now returns the old version's value
 		value, err := vault.GetSecret(secretName)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("version-1-data"), value)
 		// Verify the version metadata hasn't changed
 		// (promoting shouldn't modify timestamps)
 		version := secret.NewVersion(vault, secretName, oldestVersion)
 		err = version.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, version.Metadata.NotAfter) // should still have its old notAfter
 	})
 	// Step 6: Test version limits
 	t.Run("version_serial_limits", func(t *testing.T) {
 		// Create a new secret for this test
 		limitSecretName := "limit/test"
 		secretDir := filepath.Join(vaultDir, "secrets.d", "limit%test", "versions")
 		// Create 998 versions (we already have one from the first AddSecret)
 		addTestSecret(t, vault, limitSecretName, []byte("initial"), false)
 		// Get today's date for consistent version names
 		today := time.Now().Format("20060102")
 		// Manually create many versions with same date
 		for i := 2; i <= 998; i++ {
 			versionName := fmt.Sprintf("%s.%03d", today, i)
 			versionDir := filepath.Join(secretDir, versionName)
 			err := fs.MkdirAll(versionDir, 0o755)
 			require.NoError(t, err)
 		}
 		// Should be able to create one more (999)
 		versionName, err := secret.GenerateVersionName(fs, filepath.Dir(secretDir))
 		require.NoError(t, err)
 		assert.Equal(t, fmt.Sprintf("%s.999", today), versionName)
 		// Create the 999th version directory
 		err = fs.MkdirAll(filepath.Join(secretDir, versionName), 0o755)
 		require.NoError(t, err)
 		// Should fail to create 1000th version
 		_, err = secret.GenerateVersionName(fs, filepath.Dir(secretDir))
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "exceeded maximum versions per day")
 	})
 	// Step 7: Test error cases
 	t.Run("error_cases", func(t *testing.T) {
 		// Try to get non-existent version
 		_, err := vault.GetSecretVersion(secretName, "99991231.999")
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "not found")
 		// Try to get version of non-existent secret
 		_, err = vault.GetSecretVersion("nonexistent/secret", "")
 		assert.Error(t, err)
 		// Try to add secret without force when it exists
 		failBuffer := memguard.NewBufferFromBytes([]byte("should-fail"))
 		defer failBuffer.Destroy()
 		err = vault.AddSecret(secretName, failBuffer, false)
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "already exists")
 	})
 }
 // TestVersionConcurrency tests concurrent version operations
 func TestVersionConcurrency(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set up vault
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	secretName := "concurrent/test"
 	// Create initial version
 	addTestSecret(t, vault, secretName, []byte("initial"), false)
 	// Test concurrent reads
 	t.Run("concurrent_reads", func(t *testing.T) {
 		done := make(chan bool, 10)
 		errors := make(chan error, 10)
 		for range 10 {
 			go func() {
 				value, err := vault.GetSecret(secretName)
 				if err != nil {
 					errors <- err
 				} else if string(value) != "initial" {
 					errors <- fmt.Errorf("unexpected value: %s", value)
 				}
 				done <- true
 			}()
 		}
 		// Wait for all goroutines
 		for range 10 {
 			<-done
 		}
 		// Check for errors
 		select {
 		case err := <-errors:
 			t.Fatalf("concurrent read failed: %v", err)
 		default:
 			// No errors
 		}
 	})
 }
 // TestVersionCompatibility tests that old secrets without versions still work
 func TestVersionCompatibility(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set up vault
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	ltIdentity, err := vault.GetOrDeriveLongTermKey()
 	require.NoError(t, err)
 	// Manually create an old-style secret (no versions)
 	secretName := "legacy/secret"
 	vaultDir, _ := vault.GetDirectory()
 	secretDir := filepath.Join(vaultDir, "secrets.d", "legacy%secret")
 	err = fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Create old-style encrypted value directly in secret directory
 	testValue := []byte("legacy-value")
 	testValueBuffer := memguard.NewBufferFromBytes(testValue)
 	defer testValueBuffer.Destroy()
 	ltRecipient := ltIdentity.Recipient()
 	encrypted, err := secret.EncryptToRecipient(testValueBuffer, ltRecipient)
 	require.NoError(t, err)
 	valuePath := filepath.Join(secretDir, "value.age")
 	err = afero.WriteFile(fs, valuePath, encrypted, 0o600)
 	require.NoError(t, err)
 	// Should fail to get with version-aware methods
 	_, err = vault.GetSecret(secretName)
 	assert.Error(t, err)
 	// List versions should return empty
 	versions, err := secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	assert.Empty(t, versions)
 }
--- a/internal/vault/management.go
+++ b/internal/vault/management.go
@@ -1,3 +1,4 @@
 // Package vault provides functionality for managing encrypted vaults.
 package vault
 import (
@@ -8,6 +9,7 @@ import (
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 )
@@ -25,67 +27,66 @@ func isValidVaultName(name string) bool {
 		return false
 	}
 	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_]+$`, name)
 	return matched
 }
 // resolveRelativeSymlink resolves a relative symlink target to an absolute path
 func resolveRelativeSymlink(symlinkPath, _ string) (string, error) {
 	// Get the current directory before changing
 	originalDir, err := os.Getwd()
 	if err != nil {
 		return "", fmt.Errorf("failed to get current directory: %w", err)
 	}
 	secret.Debug("Got current directory", "original_dir", originalDir)
 	// Change to the symlink's directory
 	symlinkDir := filepath.Dir(symlinkPath)
 	secret.Debug("Changing to symlink directory", "symlink_path", symlinkDir)
 	secret.Debug("About to call os.Chdir - this might hang if symlink is broken")
 	if err := os.Chdir(symlinkDir); err != nil {
 		return "", fmt.Errorf("failed to change to symlink directory: %w", err)
 	}
 	secret.Debug("Changed to symlink directory successfully - os.Chdir completed")
 	// Get the absolute path of the target
 	secret.Debug("Getting absolute path of current directory")
 	absolutePath, err := os.Getwd()
 	if err != nil {
 		// Try to restore original directory before returning error
 		_ = os.Chdir(originalDir)
 		return "", fmt.Errorf("failed to get absolute path: %w", err)
 	}
 	secret.Debug("Got absolute path", "absolute_path", absolutePath)
 	// Restore the original directory
 	secret.Debug("Restoring original directory", "original_dir", originalDir)
 	if err := os.Chdir(originalDir); err != nil {
 		return "", fmt.Errorf("failed to restore original directory: %w", err)
 	}
 	secret.Debug("Restored original directory successfully")
 	return absolutePath, nil
 }
 // ResolveVaultSymlink resolves the currentvault symlink by reading either the symlink target or file contents
 // This function is designed to work on both Unix and Windows systems, as well as with in-memory filesystems
 func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 	secret.Debug("resolveVaultSymlink starting", "symlink_path", symlinkPath)
 	// First try to handle the path as a real symlink (works on Unix systems)
-	if _, ok := fs.(*afero.OsFs); ok {
+	_, isOsFs := fs.(*afero.OsFs)
-		secret.Debug("Using real filesystem symlink resolution")
+	if isOsFs {
-
+		target, err := tryResolveOsSymlink(symlinkPath)
 		// Check if the symlink exists
 		secret.Debug("Checking symlink target", "symlink_path", symlinkPath)
 		target, err := os.Readlink(symlinkPath)
 		if err == nil {
 			secret.Debug("Symlink points to", "target", target)
 			// On real filesystem, we need to handle relative symlinks
 			// by resolving them relative to the symlink's directory
 			if !filepath.IsAbs(target) {
 				// Get the current directory before changing
 				originalDir, err := os.Getwd()
 				if err != nil {
 					return "", fmt.Errorf("failed to get current directory: %w", err)
 				}
 				secret.Debug("Got current directory", "original_dir", originalDir)
 				// Change to the symlink's directory
 				symlinkDir := filepath.Dir(symlinkPath)
 				secret.Debug("Changing to symlink directory", "symlink_path", symlinkDir)
 				secret.Debug("About to call os.Chdir - this might hang if symlink is broken")
 				if err := os.Chdir(symlinkDir); err != nil {
 					return "", fmt.Errorf("failed to change to symlink directory: %w", err)
 				}
 				secret.Debug("Changed to symlink directory successfully - os.Chdir completed")
 				// Get the absolute path of the target
 				secret.Debug("Getting absolute path of current directory")
 				absolutePath, err := os.Getwd()
 				if err != nil {
 					// Try to restore original directory before returning error
 					_ = os.Chdir(originalDir)
 					return "", fmt.Errorf("failed to get absolute path: %w", err)
 				}
 				secret.Debug("Got absolute path", "absolute_path", absolutePath)
 				// Restore the original directory
 				secret.Debug("Restoring original directory", "original_dir", originalDir)
 				if err := os.Chdir(originalDir); err != nil {
 					return "", fmt.Errorf("failed to restore original directory: %w", err)
 				}
 				secret.Debug("Restored original directory successfully")
 				// Use the absolute path of the target
 				target = absolutePath
 			}
 			secret.Debug("resolveVaultSymlink completed successfully", "result", target)
 			return target, nil
 		}
 		// Fall through to fallback if symlink resolution failed
 	} else {
 		secret.Debug("Not using OS filesystem, skipping symlink resolution")
 	}
 	// Fallback: treat it as a regular file containing the target path
@@ -94,6 +95,7 @@ func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 	fileData, err := afero.ReadFile(fs, symlinkPath)
 	if err != nil {
 		secret.Debug("Failed to read target path file", "error", err)
 		return "", fmt.Errorf("failed to read vault symlink: %w", err)
 	}
@@ -101,6 +103,29 @@ func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
 	secret.Debug("Read target path from file", "target", target)
 	secret.Debug("resolveVaultSymlink completed via fallback", "result", target)
 	return target, nil
 }
 // tryResolveOsSymlink attempts to resolve a symlink on OS filesystems
 func tryResolveOsSymlink(symlinkPath string) (string, error) {
 	secret.Debug("Using real filesystem symlink resolution")
 	// Check if the symlink exists
 	secret.Debug("Checking symlink target", "symlink_path", symlinkPath)
 	target, err := os.Readlink(symlinkPath)
 	if err != nil {
 		return "", err
 	}
 	secret.Debug("Symlink points to", "target", target)
 	// On real filesystem, we need to handle relative symlinks
 	// by resolving them relative to the symlink's directory
 	if !filepath.IsAbs(target) {
 		return resolveRelativeSymlink(symlinkPath, target)
 	}
 	return target, nil
 }
@@ -115,6 +140,7 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (*Vault, error) {
 	_, err := fs.Stat(currentVaultPath)
 	if err != nil {
 		secret.Debug("Failed to stat current vault symlink", "error", err, "path", currentVaultPath)
 		return nil, fmt.Errorf("failed to read current vault symlink: %w", err)
 	}
@@ -170,6 +196,54 @@ func ListVaults(fs afero.Fs, stateDir string) ([]string, error) {
 	return vaults, nil
 }
 // processMnemonicForVault handles mnemonic processing for vault creation
 func processMnemonicForVault(fs afero.Fs, stateDir, vaultDir, vaultName string) (
 	derivationIndex uint32, publicKeyHash string, familyHash string, err error) {
 	// Check if mnemonic is available in environment
 	mnemonic := os.Getenv(secret.EnvMnemonic)
 	if mnemonic == "" {
 		secret.Debug("No mnemonic in environment, vault created without long-term key", "vault", vaultName)
 		// Use 0 for derivation index when no mnemonic is provided
 		return 0, "", "", nil
 	}
 	secret.Debug("Mnemonic found in environment, deriving long-term key", "vault", vaultName)
 	// Get the next available derivation index for this mnemonic
 	derivationIndex, err = GetNextDerivationIndex(fs, stateDir, mnemonic)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to get next derivation index: %w", err)
 	}
 	// Derive the long-term key using the actual derivation index
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, derivationIndex)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to derive long-term key: %w", err)
 	}
 	// Write the public key
 	ltPubKey := ltIdentity.Recipient().String()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	if err := afero.WriteFile(fs, ltPubKeyPath, []byte(ltPubKey), secret.FilePerms); err != nil {
 		return 0, "", "", fmt.Errorf("failed to write long-term public key: %w", err)
 	}
 	secret.Debug("Wrote long-term public key", "path", ltPubKeyPath)
 	// Compute verification hash from actual derivation index
 	publicKeyHash = ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
 	// Compute family hash from index 0 (same for all vaults with this mnemonic)
 	// This is used to identify which vaults belong to the same mnemonic family
 	identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to derive identity for index 0: %w", err)
 	}
 	familyHash = ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	return derivationIndex, publicKeyHash, familyHash, nil
 }
 // CreateVault creates a new vault
 func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	secret.Debug("Creating new vault", "name", name, "state_dir", stateDir)
@@ -177,6 +251,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
 		return nil, fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -196,19 +271,24 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 		return nil, fmt.Errorf("failed to create secrets directory: %w", err)
 	}
-	// Create unlock keys directory
+	// Create unlockers directory
-	unlockKeysDir := filepath.Join(vaultDir, "unlock.d")
+	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
-	if err := fs.MkdirAll(unlockKeysDir, secret.DirPerms); err != nil {
+	if err := fs.MkdirAll(unlockersDir, secret.DirPerms); err != nil {
-		return nil, fmt.Errorf("failed to create unlock keys directory: %w", err)
+		return nil, fmt.Errorf("failed to create unlockers directory: %w", err)
 	}
-	// Save initial vault metadata (without derivation info until a mnemonic is imported)
+	// Process mnemonic if available
-	metadata := &VaultMetadata{
+	derivationIndex, publicKeyHash, familyHash, err := processMnemonicForVault(fs, stateDir, vaultDir, name)
-		Name:            name,
+	if err != nil {
-		CreatedAt:       time.Now(),
+		return nil, err
-		DerivationIndex: 0,
+	}
-		LongTermKeyHash: "", // Will be set when mnemonic is imported
+
-		MnemonicHash:    "", // Will be set when mnemonic is imported
+	// Save vault metadata
 	metadata := &Metadata{
 		CreatedAt:          time.Now(),
 		DerivationIndex:    derivationIndex,
 		PublicKeyHash:      publicKeyHash,
 		MnemonicFamilyHash: familyHash,
 	}
 	if err := SaveVaultMetadata(fs, vaultDir, metadata); err != nil {
 		return nil, fmt.Errorf("failed to save vault metadata: %w", err)
@@ -222,6 +302,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	// Create and return the vault
 	secret.Debug("Successfully created vault", "name", name)
 	return NewVault(fs, stateDir, name), nil
 }
@@ -232,6 +313,7 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
 		return fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -263,6 +345,7 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 		secret.Debug("Creating vault symlink", "target", targetPath, "link", currentVaultPath)
 		if err := os.Symlink(targetPath, currentVaultPath); err == nil {
 			secret.Debug("Successfully selected vault", "vault_name", name)
 			return nil
 		}
 		// If symlink creation fails, fall back to regular file
@@ -275,5 +358,6 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 	}
 	secret.Debug("Successfully selected vault", "vault_name", name)
 	return nil
 }
--- a/internal/vault/metadata.go
+++ b/internal/vault/metadata.go
@@ -8,24 +8,40 @@ import (
 	"path/filepath"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 )
-// Alias the metadata types from secret package for convenience
+// Metadata is an alias for secret.VaultMetadata
-type VaultMetadata = secret.VaultMetadata
+type Metadata = secret.VaultMetadata
-type UnlockKeyMetadata = secret.UnlockKeyMetadata
+
-type SecretMetadata = secret.SecretMetadata
+// UnlockerMetadata is an alias for secret.UnlockerMetadata
 type UnlockerMetadata = secret.UnlockerMetadata
 // SecretMetadata is an alias for secret.Metadata
 type SecretMetadata = secret.Metadata
 // Configuration is an alias for secret.Configuration
 type Configuration = secret.Configuration
 // ComputeDoubleSHA256 computes the double SHA256 hash of data and returns it as hex
 func ComputeDoubleSHA256(data []byte) string {
 	firstHash := sha256.Sum256(data)
 	secondHash := sha256.Sum256(firstHash[:])
 	return hex.EncodeToString(secondHash[:])
 }
-// GetNextDerivationIndex finds the next available derivation index for a given mnemonic hash
+// GetNextDerivationIndex finds the next available derivation index for a given mnemonic
-func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonicHash string) (uint32, error) {
+// by deriving the public key for index 0 and using its hash to identify related vaults
 func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonic string) (uint32, error) {
 	// First, derive the public key for index 0 to get our identifier
 	identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 	if err != nil {
 		return 0, fmt.Errorf("failed to derive identity for index 0: %w", err)
 	}
 	pubKeyHash := ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	vaultsDir := filepath.Join(stateDir, "vaults.d")
 	// Check if vaults directory exists
@@ -44,9 +60,8 @@ func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonicHash string) (
 		return 0, fmt.Errorf("failed to read vaults directory: %w", err)
 	}
-	// Track the highest index for this mnemonic
+	// Track which indices are in use for this mnemonic
-	var highestIndex uint32 = 0
+	usedIndices := make(map[uint32]bool)
 	foundMatch := false
 	for _, entry := range entries {
 		if !entry.IsDir() {
@@ -61,32 +76,29 @@ func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonicHash string) (
 			continue
 		}
-		var metadata VaultMetadata
+		var metadata Metadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			// Skip vaults with invalid metadata
 			continue
 		}
-		// Check if this vault uses the same mnemonic
+		// Check if this vault uses the same mnemonic by comparing family hashes
-		if metadata.MnemonicHash == mnemonicHash {
+		if metadata.MnemonicFamilyHash == pubKeyHash {
-			foundMatch = true
+			usedIndices[metadata.DerivationIndex] = true
 			if metadata.DerivationIndex >= highestIndex {
 				highestIndex = metadata.DerivationIndex
 			}
 		}
 	}
-	// If we found a match, use the next index
+	// Find the first available index
-	if foundMatch {
+	var index uint32
-		return highestIndex + 1, nil
+	for usedIndices[index] {
 		index++
 	}
-	// No existing vault with this mnemonic, start at 0
+	return index, nil
 	return 0, nil
 }
 // SaveVaultMetadata saves vault metadata to the vault directory
-func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *VaultMetadata) error {
+func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *Metadata) error {
 	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
@@ -102,7 +114,7 @@ func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *VaultMetadata) er
 }
 // LoadVaultMetadata loads vault metadata from the vault directory
-func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*VaultMetadata, error) {
+func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*Metadata, error) {
 	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 	metadataBytes, err := afero.ReadFile(fs, metadataPath)
@@ -110,7 +122,7 @@ func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*VaultMetadata, error) {
 		return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 	}
-	var metadata VaultMetadata
+	var metadata Metadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal vault metadata: %w", err)
 	}
--- a/internal/vault/metadata_test.go
+++ b/internal/vault/metadata_test.go
@@ -1,9 +1,9 @@
 package vault
 import (
 	"testing"
 	"path/filepath"
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
@@ -13,6 +13,9 @@ func TestVaultMetadata(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Test mnemonic for consistent testing
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Run("ComputeDoubleSHA256", func(t *testing.T) {
 		// Test data
 		data := []byte("test data")
@@ -38,7 +41,7 @@ func TestVaultMetadata(t *testing.T) {
 	t.Run("GetNextDerivationIndex", func(t *testing.T) {
 		// Test with no existing vaults
-		index, err := GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
+		index, err := GetNextDerivationIndex(fs, stateDir, testMnemonic)
 		if err != nil {
 			t.Fatalf("Failed to get derivation index: %v", err)
 		}
@@ -46,24 +49,36 @@ func TestVaultMetadata(t *testing.T) {
 			t.Errorf("Expected index 0 for first vault, got %d", index)
 		}
-		// Create a vault with metadata
+		// Create a vault with metadata and matching public key
 		vaultDir := filepath.Join(stateDir, "vaults.d", "vault1")
-		if err := fs.MkdirAll(vaultDir, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
-		metadata1 := &VaultMetadata{
+		// Derive identity for index 0
-			Name:            "vault1",
+		identity0, err := agehd.DeriveIdentity(testMnemonic, 0)
-			DerivationIndex: 0,
+		if err != nil {
-			MnemonicHash:    "mnemonic-hash-1",
+			t.Fatalf("Failed to derive identity: %v", err)
-			LongTermKeyHash: "key-hash-1",
+		}
 		pubKey0 := identity0.Recipient().String()
 		pubKeyHash0 := ComputeDoubleSHA256([]byte(pubKey0))
 		// Write public key
 		if err := afero.WriteFile(fs, filepath.Join(vaultDir, "pub.age"), []byte(pubKey0), 0o600); err != nil {
 			t.Fatalf("Failed to write public key: %v", err)
 		}
 		metadata1 := &Metadata{
 			DerivationIndex:    0,
 			PublicKeyHash:      pubKeyHash0, // Hash of the actual key (index 0)
 			MnemonicFamilyHash: pubKeyHash0, // Hash of index 0 key (for family identification)
 		}
 		if err := SaveVaultMetadata(fs, vaultDir, metadata1); err != nil {
 			t.Fatalf("Failed to save metadata: %v", err)
 		}
 		// Next index for same mnemonic should be 1
-		index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
+		index, err = GetNextDerivationIndex(fs, stateDir, testMnemonic)
 		if err != nil {
 			t.Fatalf("Failed to get derivation index: %v", err)
 		}
@@ -72,7 +87,8 @@ func TestVaultMetadata(t *testing.T) {
 		}
 		// Different mnemonic should start at 0
-		index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-2")
+		differentMnemonic := "zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong"
 		index, err = GetNextDerivationIndex(fs, stateDir, differentMnemonic)
 		if err != nil {
 			t.Fatalf("Failed to get derivation index: %v", err)
 		}
@@ -82,42 +98,54 @@ func TestVaultMetadata(t *testing.T) {
 		// Add another vault with same mnemonic but higher index
 		vaultDir2 := filepath.Join(stateDir, "vaults.d", "vault2")
-		if err := fs.MkdirAll(vaultDir2, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir2, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
-		metadata2 := &VaultMetadata{
+		// Derive identity for index 5
-			Name:            "vault2",
+		identity5, err := agehd.DeriveIdentity(testMnemonic, 5)
-			DerivationIndex: 5,
+		if err != nil {
-			MnemonicHash:    "mnemonic-hash-1",
+			t.Fatalf("Failed to derive identity: %v", err)
-			LongTermKeyHash: "key-hash-2",
+		}
 		pubKey5 := identity5.Recipient().String()
 		// Write public key
 		if err := afero.WriteFile(fs, filepath.Join(vaultDir2, "pub.age"), []byte(pubKey5), 0o600); err != nil {
 			t.Fatalf("Failed to write public key: %v", err)
 		}
 		// Compute the hash for index 5 key
 		pubKeyHash5 := ComputeDoubleSHA256([]byte(pubKey5))
 		metadata2 := &Metadata{
 			DerivationIndex:    5,
 			PublicKeyHash:      pubKeyHash5, // Hash of the actual key (index 5)
 			MnemonicFamilyHash: pubKeyHash0, // Same family hash since it's from the same mnemonic
 		}
 		if err := SaveVaultMetadata(fs, vaultDir2, metadata2); err != nil {
 			t.Fatalf("Failed to save metadata: %v", err)
 		}
-		// Next index should be 6
+		// Next index should be 1 (not 6) because we look for the first available slot
-		index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
+		index, err = GetNextDerivationIndex(fs, stateDir, testMnemonic)
 		if err != nil {
 			t.Fatalf("Failed to get derivation index: %v", err)
 		}
-		if index != 6 {
+		if index != 1 {
-			t.Errorf("Expected index 6 after vault with index 5, got %d", index)
+			t.Errorf("Expected index 1 (first available), got %d", index)
 		}
 	})
 	t.Run("MetadataPersistence", func(t *testing.T) {
 		vaultDir := filepath.Join(stateDir, "vaults.d", "test-vault")
-		if err := fs.MkdirAll(vaultDir, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
 		// Create and save metadata
-		metadata := &VaultMetadata{
+		metadata := &Metadata{
 			Name:            "test-vault",
 			DerivationIndex: 3,
-			MnemonicHash:    "test-mnemonic-hash",
+			PublicKeyHash:   "test-public-key-hash",
 			LongTermKeyHash: "test-key-hash",
 		}
 		if err := SaveVaultMetadata(fs, vaultDir, metadata); err != nil {
@@ -130,23 +158,15 @@ func TestVaultMetadata(t *testing.T) {
 			t.Fatalf("Failed to load metadata: %v", err)
 		}
 		if loaded.Name != metadata.Name {
 			t.Errorf("Name mismatch: expected %s, got %s", metadata.Name, loaded.Name)
 		}
 		if loaded.DerivationIndex != metadata.DerivationIndex {
 			t.Errorf("DerivationIndex mismatch: expected %d, got %d", metadata.DerivationIndex, loaded.DerivationIndex)
 		}
-		if loaded.MnemonicHash != metadata.MnemonicHash {
+		if loaded.PublicKeyHash != metadata.PublicKeyHash {
-			t.Errorf("MnemonicHash mismatch: expected %s, got %s", metadata.MnemonicHash, loaded.MnemonicHash)
+			t.Errorf("PublicKeyHash mismatch: expected %s, got %s", metadata.PublicKeyHash, loaded.PublicKeyHash)
 		}
 		if loaded.LongTermKeyHash != metadata.LongTermKeyHash {
 			t.Errorf("LongTermKeyHash mismatch: expected %s, got %s", metadata.LongTermKeyHash, loaded.LongTermKeyHash)
 		}
 	})
 	t.Run("DifferentKeysForDifferentIndices", func(t *testing.T) {
 		testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 		// Derive keys with different indices
 		identity0, err := agehd.DeriveIdentity(testMnemonic, 0)
 		if err != nil {
@@ -158,18 +178,237 @@ func TestVaultMetadata(t *testing.T) {
 			t.Fatalf("Failed to derive identity with index 1: %v", err)
 		}
-		// Compute hashes
+		// Compute public key hashes
-		hash0 := ComputeDoubleSHA256([]byte(identity0.String()))
+		pubKey0 := identity0.Recipient().String()
-		hash1 := ComputeDoubleSHA256([]byte(identity1.String()))
+		pubKey1 := identity1.Recipient().String()
 		hash0 := ComputeDoubleSHA256([]byte(pubKey0))
-		// Verify different indices produce different keys
+		// Verify different indices produce different public keys
-		if hash0 == hash1 {
+		if pubKey0 == pubKey1 {
-			t.Errorf("Different derivation indices should produce different keys")
+			t.Errorf("Different derivation indices should produce different public keys")
 		}
-		// Verify public keys are also different
+		// But the hash of index 0's public key should be the same for the same mnemonic
-		if identity0.Recipient().String() == identity1.Recipient().String() {
+		// This is what we use as the identifier
-			t.Errorf("Different derivation indices should produce different public keys")
+		identity0Again, _ := agehd.DeriveIdentity(testMnemonic, 0)
 		pubKey0Again := identity0Again.Recipient().String()
 		hash0Again := ComputeDoubleSHA256([]byte(pubKey0Again))
 		if hash0 != hash0Again {
 			t.Errorf("Same mnemonic should produce same public key hash for index 0")
 		}
 	})
 }
 func TestPublicKeyHashConsistency(t *testing.T) {
 	// Use the same test mnemonic that the integration test uses
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Derive identity from index 0 multiple times
 	identity1, err := agehd.DeriveIdentity(testMnemonic, 0)
 	if err != nil {
 		t.Fatalf("Failed to derive first identity: %v", err)
 	}
 	identity2, err := agehd.DeriveIdentity(testMnemonic, 0)
 	if err != nil {
 		t.Fatalf("Failed to derive second identity: %v", err)
 	}
 	// Verify identities are the same
 	if identity1.Recipient().String() != identity2.Recipient().String() {
 		t.Errorf("Identity derivation is not deterministic")
 		t.Logf("First:  %s", identity1.Recipient().String())
 		t.Logf("Second: %s", identity2.Recipient().String())
 	}
 	// Compute public key hashes
 	hash1 := ComputeDoubleSHA256([]byte(identity1.Recipient().String()))
 	hash2 := ComputeDoubleSHA256([]byte(identity2.Recipient().String()))
 	// Verify hashes are the same
 	if hash1 != hash2 {
 		t.Errorf("Public key hash computation is not deterministic")
 		t.Logf("First hash:  %s", hash1)
 		t.Logf("Second hash: %s", hash2)
 	}
 	t.Logf("Test mnemonic public key hash (index 0): %s", hash1)
 }
 func TestSampleHashCalculation(t *testing.T) {
 	// Test with the exact mnemonic from integration test if available
 	// We'll also test with a few different mnemonics to make sure they produce different hashes
 	mnemonics := []string{
 		"abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
 		"legal winner thank year wave sausage worth useful legal winner thank yellow",
 		"zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong",
 	}
 	for i, mnemonic := range mnemonics {
 		identity, err := agehd.DeriveIdentity(mnemonic, 0)
 		if err != nil {
 			t.Fatalf("Failed to derive identity for mnemonic %d: %v", i, err)
 		}
 		hash := ComputeDoubleSHA256([]byte(identity.Recipient().String()))
 		t.Logf("Mnemonic %d hash (index 0): %s", i, hash)
 		t.Logf("  Recipient: %s", identity.Recipient().String())
 	}
 }
 func TestWorkflowMismatch(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Create a temporary directory for testing
 	tempDir := t.TempDir()
 	fs := afero.NewOsFs()
 	// Test Case 1: Create vault WITH mnemonic (like init command)
 	t.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
 	_, err := CreateVault(fs, tempDir, "default")
 	if err != nil {
 		t.Fatalf("Failed to create vault with mnemonic: %v", err)
 	}
 	// Load metadata for vault1
 	vault1Dir := filepath.Join(tempDir, "vaults.d", "default")
 	metadata1, err := LoadVaultMetadata(fs, vault1Dir)
 	if err != nil {
 		t.Fatalf("Failed to load vault1 metadata: %v", err)
 	}
 	t.Logf("Vault1 (with mnemonic) - DerivationIndex: %d, PublicKeyHash: %s",
 		metadata1.DerivationIndex, metadata1.PublicKeyHash)
 	// Test Case 2: Create vault WITHOUT mnemonic, then import (like work vault)
 	t.Setenv("SB_SECRET_MNEMONIC", "")
 	_, err = CreateVault(fs, tempDir, "work")
 	if err != nil {
 		t.Fatalf("Failed to create vault without mnemonic: %v", err)
 	}
 	vault2Dir := filepath.Join(tempDir, "vaults.d", "work")
 	// Simulate the vault import process
 	t.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
 	// Get the next available derivation index for this mnemonic
 	derivationIndex, err := GetNextDerivationIndex(fs, tempDir, testMnemonic)
 	if err != nil {
 		t.Fatalf("Failed to get next derivation index: %v", err)
 	}
 	t.Logf("Next derivation index for import: %d", derivationIndex)
 	// Calculate public key hash from index 0 (same as in VaultImport)
 	identity0, err := agehd.DeriveIdentity(testMnemonic, 0)
 	if err != nil {
 		t.Fatalf("Failed to derive identity for index 0: %v", err)
 	}
 	publicKeyHash := ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	// Load existing metadata and update it (same as in VaultImport)
 	existingMetadata, err := LoadVaultMetadata(fs, vault2Dir)
 	if err != nil {
 		t.Fatalf("Failed to load existing metadata: %v", err)
 	}
 	// Update metadata with new derivation info
 	existingMetadata.DerivationIndex = derivationIndex
 	existingMetadata.PublicKeyHash = publicKeyHash
 	if err := SaveVaultMetadata(fs, vault2Dir, existingMetadata); err != nil {
 		t.Fatalf("Failed to save vault metadata: %v", err)
 	}
 	// Load updated metadata for vault2
 	metadata2, err := LoadVaultMetadata(fs, vault2Dir)
 	if err != nil {
 		t.Fatalf("Failed to load vault2 metadata: %v", err)
 	}
 	t.Logf("Vault2 (imported mnemonic) - DerivationIndex: %d, PublicKeyHash: %s",
 		metadata2.DerivationIndex, metadata2.PublicKeyHash)
 	// Verify that both vaults have the same public key hash
 	if metadata1.PublicKeyHash != metadata2.PublicKeyHash {
 		t.Errorf("Public key hashes don't match!")
 		t.Logf("Vault1 hash: %s", metadata1.PublicKeyHash)
 		t.Logf("Vault2 hash: %s", metadata2.PublicKeyHash)
 	} else {
 		t.Logf("SUCCESS: Both vaults have the same public key hash: %s", metadata1.PublicKeyHash)
 	}
 }
 func TestReverseEngineerHash(t *testing.T) {
 	// This is the hash that the work vault is getting in the failing test
 	wrongHash := "e34a2f500e395d8934a90a99ee9311edcfffd68cb701079575e50cbac7bb9417"
 	correctHash := "992552b00b3879dfae461fab9a084b47784a032771c7a9accaebdde05ec7a7d1"
 	// Test mnemonic from integration test
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Calculate hash for test mnemonic
 	identity, err := agehd.DeriveIdentity(testMnemonic, 0)
 	if err != nil {
 		t.Fatalf("Failed to derive identity: %v", err)
 	}
 	calculatedHash := ComputeDoubleSHA256([]byte(identity.Recipient().String()))
 	t.Logf("Test mnemonic hash: %s", calculatedHash)
 	if calculatedHash == correctHash {
 		t.Logf("✓ Test mnemonic produces the correct hash")
 	} else {
 		t.Errorf("✗ Test mnemonic does not produce the correct hash")
 	}
 	if calculatedHash == wrongHash {
 		t.Logf("✗ Test mnemonic unexpectedly produces the wrong hash")
 	}
 	// Let's try some other possibilities - maybe there's a string normalization issue?
 	variations := []string{
 		"abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
 		" abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about ",
 		"abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about\n",
 		strings.TrimSpace("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"),
 	}
 	for i, variation := range variations {
 		identity, err := agehd.DeriveIdentity(variation, 0)
 		if err != nil {
 			t.Logf("Variation %d failed: %v", i, err)
 			continue
 		}
 		hash := ComputeDoubleSHA256([]byte(identity.Recipient().String()))
 		t.Logf("Variation %d hash: %s", i, hash)
 		if hash == wrongHash {
 			t.Logf("✗ Found variation that produces wrong hash: '%s'", variation)
 		}
 	}
 	// Maybe let's try an empty mnemonic or something else?
 	emptyMnemonics := []string{
 		"",
 		" ",
 	}
 	for i, emptyMnemonic := range emptyMnemonics {
 		identity, err := agehd.DeriveIdentity(emptyMnemonic, 0)
 		if err != nil {
 			t.Logf("Empty mnemonic %d failed (expected): %v", i, err)
 			continue
 		}
 		hash := ComputeDoubleSHA256([]byte(identity.Recipient().String()))
 		t.Logf("Empty mnemonic %d hash: %s", i, hash)
 		if hash == wrongHash {
 			t.Logf("✗ Empty mnemonic produces wrong hash!")
 		}
 	}
 }
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -11,6 +11,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -21,6 +22,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
@@ -30,10 +32,12 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	exists, err := afero.DirExists(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir)
 		return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name)
 		return []string{}, nil
 	}
@@ -41,6 +45,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	files, err := afero.ReadDir(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir)
 		return nil, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
@@ -63,26 +68,53 @@ func (v *Vault) ListSecrets() ([]string, error) {
 }
 // isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
 // but with additional restrictions:
 // - No leading or trailing slashes
 // - No double slashes
 // - No names starting with dots
 func isValidSecretName(name string) bool {
 	if name == "" {
 		return false
 	}
 	// Check for leading/trailing slashes
 	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") {
 		return false
 	}
 	// Check for double slashes
 	if strings.Contains(name, "//") {
 		return false
 	}
 	// Check for names starting with dot
 	if strings.HasPrefix(name, ".") {
 		return false
 	}
 	// Check the basic pattern
 	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
 	return matched
 }
 // AddSecret adds a secret to this vault
-func (v *Vault) AddSecret(name string, value []byte, force bool) error {
+func (v *Vault) AddSecret(name string, value *memguard.LockedBuffer, force bool) error {
 	if value == nil {
 		return fmt.Errorf("value buffer is nil")
 	}
 	secret.DebugWith("Adding secret to vault",
 		slog.String("vault_name", v.Name),
 		slog.String("secret_name", name),
-		slog.Int("value_length", len(value)),
+		slog.Int("value_length", value.Size()),
 		slog.Bool("force", force),
 	)
 	// Validate secret name
 	if !isValidSecretName(name) {
 		secret.Debug("Invalid secret name provided", "secret_name", name)
 		return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
 	}
 	secret.Debug("Secret name validation passed", "secret_name", name)
@@ -91,6 +123,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name)
 		return err
 	}
 	secret.Debug("Got vault directory", "vault_dir", vaultDir)
@@ -109,144 +142,155 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir)
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	secret.Debug("Secret existence check complete", "exists", exists)
-	if exists && !force {
+	// Handle existing secret case
 		secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
 		return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
 	}
 	// Create secret directory
 	secret.Debug("Creating secret directory", "secret_dir", secretDir)
 	if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil {
 		secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
 		return fmt.Errorf("failed to create secret directory: %w", err)
 	}
 	secret.Debug("Created secret directory successfully")
 	// Step 1: Generate a new keypair for this secret
 	secret.Debug("Generating secret-specific keypair", "secret_name", name)
 	secretIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		secret.Debug("Failed to generate secret keypair", "error", err, "secret_name", name)
 		return fmt.Errorf("failed to generate secret keypair: %w", err)
 	}
 	secretPublicKey := secretIdentity.Recipient().String()
 	secretPrivateKey := secretIdentity.String()
 	secret.DebugWith("Generated secret keypair",
 		slog.String("secret_name", name),
 		slog.String("public_key", secretPublicKey),
 	)
 	// Step 2: Store the secret's public key
 	pubKeyPath := filepath.Join(secretDir, "pub.age")
 	secret.Debug("Writing secret public key", "path", pubKeyPath)
 	if err := afero.WriteFile(v.fs, pubKeyPath, []byte(secretPublicKey), secret.FilePerms); err != nil {
 		secret.Debug("Failed to write secret public key", "error", err, "path", pubKeyPath)
 		return fmt.Errorf("failed to write secret public key: %w", err)
 	}
 	secret.Debug("Wrote secret public key successfully")
 	// Step 3: Encrypt the secret value to the secret's public key
 	secret.Debug("Encrypting secret value to secret's public key", "secret_name", name)
 	encryptedValue, err := secret.EncryptToRecipient(value, secretIdentity.Recipient())
 	if err != nil {
 		secret.Debug("Failed to encrypt secret value", "error", err, "secret_name", name)
 		return fmt.Errorf("failed to encrypt secret value: %w", err)
 	}
 	secret.DebugWith("Secret value encrypted",
 		slog.String("secret_name", name),
 		slog.Int("encrypted_length", len(encryptedValue)),
 	)
 	// Step 4: Store the encrypted secret value as value.age
 	valuePath := filepath.Join(secretDir, "value.age")
 	secret.Debug("Writing encrypted secret value", "path", valuePath)
 	if err := afero.WriteFile(v.fs, valuePath, encryptedValue, secret.FilePerms); err != nil {
 		secret.Debug("Failed to write encrypted secret value", "error", err, "path", valuePath)
 		return fmt.Errorf("failed to write encrypted secret value: %w", err)
 	}
 	secret.Debug("Wrote encrypted secret value successfully")
 	// Step 5: Get long-term public key for encrypting the secret's private key
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	secret.Debug("Reading long-term public key", "path", ltPubKeyPath)
 	ltPubKeyData, err := afero.ReadFile(v.fs, ltPubKeyPath)
 	if err != nil {
 		secret.Debug("Failed to read long-term public key", "error", err, "path", ltPubKeyPath)
 		return fmt.Errorf("failed to read long-term public key: %w", err)
 	}
 	secret.Debug("Read long-term public key successfully", "key_length", len(ltPubKeyData))
 	secret.Debug("Parsing long-term public key")
 	ltRecipient, err := age.ParseX25519Recipient(string(ltPubKeyData))
 	if err != nil {
 		secret.Debug("Failed to parse long-term public key", "error", err)
 		return fmt.Errorf("failed to parse long-term public key: %w", err)
 	}
 	secret.DebugWith("Parsed long-term public key", slog.String("recipient", ltRecipient.String()))
 	// Step 6: Encrypt the secret's private key to the long-term public key
 	secret.Debug("Encrypting secret private key to long-term public key", "secret_name", name)
 	encryptedPrivKey, err := secret.EncryptToRecipient([]byte(secretPrivateKey), ltRecipient)
 	if err != nil {
 		secret.Debug("Failed to encrypt secret private key", "error", err, "secret_name", name)
 		return fmt.Errorf("failed to encrypt secret private key: %w", err)
 	}
 	secret.DebugWith("Secret private key encrypted",
 		slog.String("secret_name", name),
 		slog.Int("encrypted_length", len(encryptedPrivKey)),
 	)
 	// Step 7: Store the encrypted secret private key as priv.age
 	privKeyPath := filepath.Join(secretDir, "priv.age")
 	secret.Debug("Writing encrypted secret private key", "path", privKeyPath)
 	if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil {
 		secret.Debug("Failed to write encrypted secret private key", "error", err, "path", privKeyPath)
 		return fmt.Errorf("failed to write encrypted secret private key: %w", err)
 	}
 	secret.Debug("Wrote encrypted secret private key successfully")
 	// Step 8: Create and write metadata
 	secret.Debug("Creating secret metadata")
 	now := time.Now()
-	metadata := SecretMetadata{
+	var previousVersion *secret.Version
-		Name:      name,
+
-		CreatedAt: now,
+	if exists {
-		UpdatedAt: now,
+		if !force {
 			secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
 			return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
 		}
 		// Get the current version to update its notAfter timestamp
 		currentVersionName, err := secret.GetCurrentVersion(v.fs, secretDir)
 		if err == nil && currentVersionName != "" {
 			previousVersion = secret.NewVersion(v, name, currentVersionName)
 			// We'll need to load and update its metadata after we unlock the vault
 		}
 	} else {
 		// Create secret directory for new secret
 		secret.Debug("Creating secret directory", "secret_dir", secretDir)
 		if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil {
 			secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
 			return fmt.Errorf("failed to create secret directory: %w", err)
 		}
 		secret.Debug("Created secret directory successfully")
 	}
-	secret.DebugWith("Creating secret metadata",
+	// Generate new version name
-		slog.String("secret_name", metadata.Name),
+	versionName, err := secret.GenerateVersionName(v.fs, secretDir)
 		slog.Time("created_at", metadata.CreatedAt),
 		slog.Time("updated_at", metadata.UpdatedAt),
 	)
 	secret.Debug("Marshaling secret metadata")
 	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
 	if err != nil {
-		secret.Debug("Failed to marshal secret metadata", "error", err)
+		secret.Debug("Failed to generate version name", "error", err, "secret_name", name)
 		return fmt.Errorf("failed to marshal secret metadata: %w", err)
 	}
 	secret.Debug("Marshaled secret metadata successfully")
-	metadataPath := filepath.Join(secretDir, "secret-metadata.json")
+		return fmt.Errorf("failed to generate version name: %w", err)
-	secret.Debug("Writing secret metadata", "path", metadataPath)
+	}
-	if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, secret.FilePerms); err != nil {
+
-		secret.Debug("Failed to write secret metadata", "error", err, "path", metadataPath)
+	secret.Debug("Generated new version name", "version", versionName, "secret_name", name)
-		return fmt.Errorf("failed to write secret metadata: %w", err)
+
 	// Create new version
 	newVersion := secret.NewVersion(v, name, versionName)
 	// Set version timestamps
 	if previousVersion == nil {
 		// First version: notBefore = epoch + 1 second
 		epochPlusOne := time.Unix(1, 0)
 		newVersion.Metadata.NotBefore = &epochPlusOne
 	} else {
 		// New version: notBefore = now
 		newVersion.Metadata.NotBefore = &now
 		// We'll update the previous version's notAfter after we save the new version
 	}
 	// Save the new version - pass the LockedBuffer directly
 	if err := newVersion.Save(value); err != nil {
 		secret.Debug("Failed to save new version", "error", err, "version", versionName)
 		return fmt.Errorf("failed to save version: %w", err)
 	}
 	// Update previous version if it exists
 	if previousVersion != nil {
 		// Get long-term key to decrypt/encrypt metadata
 		ltIdentity, err := v.GetOrDeriveLongTermKey()
 		if err != nil {
 			secret.Debug("Failed to get long-term key for metadata update", "error", err)
 			return fmt.Errorf("failed to get long-term key: %w", err)
 		}
 		// Load previous version metadata
 		if err := previousVersion.LoadMetadata(ltIdentity); err != nil {
 			secret.Debug("Failed to load previous version metadata", "error", err)
 			return fmt.Errorf("failed to load previous version metadata: %w", err)
 		}
 		// Update notAfter timestamp
 		previousVersion.Metadata.NotAfter = &now
 		// Re-save the metadata (we need to implement an update method)
 		if err := updateVersionMetadata(v.fs, previousVersion, ltIdentity); err != nil {
 			secret.Debug("Failed to update previous version metadata", "error", err)
 			return fmt.Errorf("failed to update previous version metadata: %w", err)
 		}
 	}
 	// Set current symlink to new version
 	if err := secret.SetCurrentVersion(v.fs, secretDir, versionName); err != nil {
 		secret.Debug("Failed to set current version", "error", err, "version", versionName)
 		return fmt.Errorf("failed to set current version: %w", err)
 	}
 	secret.Debug("Successfully added secret version to vault",
 		"secret_name", name, "version", versionName,
 		"vault_name", v.Name)
 	return nil
 }
 // updateVersionMetadata updates the metadata of an existing version
 func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age.X25519Identity) error {
 	// Read the version's encrypted private key
 	encryptedPrivKeyPath := filepath.Join(version.Directory, "priv.age")
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		return fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
 	// Decrypt version private key using long-term key
 	versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
 	// Parse version private key
 	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
 	if err != nil {
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
 	// Marshal updated metadata
 	metadataBytes, err := json.MarshalIndent(version.Metadata, "", "  ")
 	if err != nil {
 		return fmt.Errorf("failed to marshal version metadata: %w", err)
 	}
 	// Encrypt metadata to the version's public key
 	metadataBuffer := memguard.NewBufferFromBytes(metadataBytes)
 	defer metadataBuffer.Destroy()
 	encryptedMetadata, err := secret.EncryptToRecipient(metadataBuffer, versionIdentity.Recipient())
 	if err != nil {
 		return fmt.Errorf("failed to encrypt version metadata: %w", err)
 	}
 	// Write encrypted metadata
 	metadataPath := filepath.Join(version.Directory, "metadata.age")
 	if err := afero.WriteFile(fs, metadataPath, encryptedMetadata, secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to write encrypted version metadata: %w", err)
 	}
 	secret.Debug("Wrote secret metadata successfully")
 	secret.Debug("Successfully added secret to vault with per-secret key architecture", "secret_name", name, "vault_name", v.Name)
 	return nil
 }
@@ -257,48 +301,112 @@ func (v *Vault) GetSecret(name string) ([]byte, error) {
 		slog.String("secret_name", name),
 	)
-	// Create a secret object to handle file access
+	return v.GetSecretVersion(name, "")
-	secretObj := secret.NewSecret(v, name)
+}
 // GetSecretVersion retrieves a specific version of a secret (empty version means current)
 func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	secret.DebugWith("Getting secret version from vault",
 		slog.String("vault_name", v.Name),
 		slog.String("secret_name", name),
 		slog.String("version", version),
 	)
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
 	// Convert slashes to percent signs for storage
 	storageName := strings.ReplaceAll(name, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
 	// Check if secret exists
-	exists, err := secretObj.Exists()
+	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name)
 		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name)
 		return nil, fmt.Errorf("secret %s not found", name)
 	}
-	secret.Debug("Secret exists, proceeding with vault unlock and decryption", "secret_name", name)
+	// Determine which version to get
 	if version == "" {
 		// Get current version
 		currentVersion, err := secret.GetCurrentVersion(v.fs, secretDir)
 		if err != nil {
 			secret.Debug("Failed to get current version", "error", err, "secret_name", name)
-	// Step 1: Unlock the vault (get long-term key in memory)
+			return nil, fmt.Errorf("failed to get current version: %w", err)
 		}
 		version = currentVersion
 		secret.Debug("Using current version", "version", version, "secret_name", name)
 	}
 	// Create version object
 	secretVersion := secret.NewVersion(v, name, version)
 	// Check if version exists
 	versionPath := filepath.Join(secretDir, "versions", version)
 	exists, err = afero.DirExists(v.fs, versionPath)
 	if err != nil {
 		secret.Debug("Failed to check if version exists", "error", err, "version", version)
 		return nil, fmt.Errorf("failed to check if version exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Version not found", "version", version, "secret_name", name)
 		return nil, fmt.Errorf("version %s not found for secret %s", version, name)
 	}
 	secret.Debug("Version exists, proceeding with vault unlock and decryption", "version", version, "secret_name", name)
 	// Unlock the vault (get long-term key in memory)
 	longTermIdentity, err := v.UnlockVault()
 	if err != nil {
 		secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to unlock vault: %w", err)
 	}
 	secret.DebugWith("Successfully unlocked vault",
 		slog.String("vault_name", v.Name),
 		slog.String("secret_name", name),
 		slog.String("version", version),
 		slog.String("long_term_public_key", longTermIdentity.Recipient().String()),
 	)
-	// Step 2: Use the unlocked vault to decrypt the secret
+	// Get the version's value
-	decryptedValue, err := v.decryptSecretWithLongTermKey(name, longTermIdentity)
+	secret.Debug("About to call secretVersion.GetValue", "version", version, "secret_name", name)
 	decryptedValue, err := secretVersion.GetValue(longTermIdentity)
 	if err != nil {
-		secret.Debug("Failed to decrypt secret with long-term key", "error", err, "secret_name", name)
+		secret.Debug("Failed to decrypt version value", "error", err, "version", version, "secret_name", name)
-		return nil, fmt.Errorf("failed to decrypt secret: %w", err)
+
 		return nil, fmt.Errorf("failed to decrypt version: %w", err)
 	}
-	secret.DebugWith("Successfully decrypted secret with per-secret key architecture",
+	secret.DebugWith("Successfully decrypted secret version",
 		slog.String("secret_name", name),
 		slog.String("version", version),
 		slog.String("vault_name", v.Name),
 		slog.Int("decrypted_length", len(decryptedValue)),
 	)
 	// Debug: Log metadata about the decrypted value without exposing the actual secret
 	secret.Debug("Vault secret decryption debug info",
 		"secret_name", name,
 		"version", version,
 		"decrypted_value_length", len(decryptedValue),
 		"is_empty", len(decryptedValue) == 0)
 	return decryptedValue, nil
 }
@@ -309,6 +417,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	// If vault is already unlocked, return the cached key
 	if !v.Locked() {
 		secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name)
 		return v.longTermKey, nil
 	}
@@ -316,6 +425,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	longTermIdentity, err := v.GetOrDeriveLongTermKey()
 	if err != nil {
 		secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}
@@ -330,90 +440,6 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	return longTermIdentity, nil
 }
 // decryptSecretWithLongTermKey decrypts a secret using the provided long-term key
 func (v *Vault) decryptSecretWithLongTermKey(name string, longTermIdentity *age.X25519Identity) ([]byte, error) {
 	secret.DebugWith("Decrypting secret with long-term key",
 		slog.String("secret_name", name),
 		slog.String("vault_name", v.Name),
 	)
 	// Get vault and secret directories
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
 	storageName := strings.ReplaceAll(name, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
 	// Step 1: Read the encrypted secret private key from priv.age
 	encryptedSecretPrivKeyPath := filepath.Join(secretDir, "priv.age")
 	secret.Debug("Reading encrypted secret private key", "path", encryptedSecretPrivKeyPath)
 	encryptedSecretPrivKey, err := afero.ReadFile(v.fs, encryptedSecretPrivKeyPath)
 	if err != nil {
 		secret.Debug("Failed to read encrypted secret private key", "error", err, "path", encryptedSecretPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted secret private key: %w", err)
 	}
 	secret.DebugWith("Read encrypted secret private key",
 		slog.String("secret_name", name),
 		slog.Int("encrypted_length", len(encryptedSecretPrivKey)),
 	)
 	// Step 2: Decrypt the secret's private key using the long-term private key
 	secret.Debug("Decrypting secret private key with long-term key", "secret_name", name)
 	secretPrivKeyData, err := secret.DecryptWithIdentity(encryptedSecretPrivKey, longTermIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt secret private key", "error", err, "secret_name", name)
 		return nil, fmt.Errorf("failed to decrypt secret private key: %w", err)
 	}
 	// Step 3: Parse the secret's private key
 	secret.Debug("Parsing secret private key", "secret_name", name)
 	secretIdentity, err := age.ParseX25519Identity(string(secretPrivKeyData))
 	if err != nil {
 		secret.Debug("Failed to parse secret private key", "error", err, "secret_name", name)
 		return nil, fmt.Errorf("failed to parse secret private key: %w", err)
 	}
 	secret.DebugWith("Successfully parsed secret identity",
 		slog.String("secret_name", name),
 		slog.String("public_key", secretIdentity.Recipient().String()),
 	)
 	// Step 4: Read the encrypted secret value from value.age
 	encryptedValuePath := filepath.Join(secretDir, "value.age")
 	secret.Debug("Reading encrypted secret value", "path", encryptedValuePath)
 	encryptedValue, err := afero.ReadFile(v.fs, encryptedValuePath)
 	if err != nil {
 		secret.Debug("Failed to read encrypted secret value", "error", err, "path", encryptedValuePath)
 		return nil, fmt.Errorf("failed to read encrypted secret value: %w", err)
 	}
 	secret.DebugWith("Read encrypted secret value",
 		slog.String("secret_name", name),
 		slog.Int("encrypted_length", len(encryptedValue)),
 	)
 	// Step 5: Decrypt the secret value using the secret's private key
 	secret.Debug("Decrypting secret value with secret's private key", "secret_name", name)
 	decryptedValue, err := secret.DecryptWithIdentity(encryptedValue, secretIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt secret value", "error", err, "secret_name", name)
 		return nil, fmt.Errorf("failed to decrypt secret value: %w", err)
 	}
 	secret.DebugWith("Successfully decrypted secret value",
 		slog.String("secret_name", name),
 		slog.Int("decrypted_length", len(decryptedValue)),
 	)
 	return decryptedValue, nil
 }
 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
 	// First check if the secret exists by checking for the metadata file
--- a/internal/vault/secrets_version_test.go
+++ b/internal/vault/secrets_version_test.go
@@ -0,0 +1,310 @@
 // Vault-Level Version Operation Tests
 //
 // Integration tests for vault-level version operations:
 //
 // - TestVaultAddSecretCreatesVersion: Tests that AddSecret creates proper version structure
 // - TestVaultAddSecretMultipleVersions: Tests creating multiple versions with force flag
 // - TestVaultGetSecretVersion: Tests retrieving specific versions and current version
 // - TestVaultVersionTimestamps: Tests timestamp logic (notBefore/notAfter) across versions
 // - TestVaultGetNonExistentVersion: Tests error handling for invalid versions
 // - TestUpdateVersionMetadata: Tests metadata update functionality
 //
 // Version Management:
 // - List versions in reverse chronological order
 // - Promote any version to current
 // - Promotion doesn't modify timestamps
 // - Metadata remains encrypted and intact
 package vault
 import (
 	"path/filepath"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecretToVault(t *testing.T, vault *Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vault.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // Helper function to create a vault with long-term key set up
 func createTestVaultWithKey(t *testing.T, fs afero.Fs, stateDir, vaultName string) *Vault {
 	// Set mnemonic for testing
 	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 	// Create vault
 	vault, err := CreateVault(fs, stateDir, vaultName)
 	require.NoError(t, err)
 	// Derive and store long-term key from mnemonic
 	mnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
 	require.NoError(t, err)
 	// Store long-term public key in vault
 	vaultDir, _ := vault.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Unlock the vault with the derived key
 	vault.Unlock(ltIdentity)
 	return vault
 }
 func TestVaultAddSecretCreatesVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	// Add a secret
 	secretName := "test/secret"
 	secretValue := []byte("initial-value")
 	expectedValue := make([]byte, len(secretValue))
 	copy(expectedValue, secretValue)
 	addTestSecretToVault(t, vault, secretName, secretValue, false)
 	// Check that version directory was created
 	vaultDir, _ := vault.GetDirectory()
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	versionsDir := secretDir + "/versions"
 	// Should have one version
 	entries, err := afero.ReadDir(fs, versionsDir)
 	require.NoError(t, err)
 	assert.Len(t, entries, 1)
 	// Should have current symlink
 	currentPath := secretDir + "/current"
 	exists, err := afero.Exists(fs, currentPath)
 	require.NoError(t, err)
 	assert.True(t, exists)
 	// Get the secret value
 	retrievedValue, err := vault.GetSecret(secretName)
 	require.NoError(t, err)
 	assert.Equal(t, expectedValue, retrievedValue)
 }
 func TestVaultAddSecretMultipleVersions(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	secretName := "test/secret"
 	// Add first version
 	addTestSecretToVault(t, vault, secretName, []byte("version-1"), false)
 	// Try to add again without force - should fail
 	failBuffer := memguard.NewBufferFromBytes([]byte("version-2"))
 	defer failBuffer.Destroy()
 	err := vault.AddSecret(secretName, failBuffer, false)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "already exists")
 	// Add with force - should create new version
 	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	// Check that we have two versions
 	vaultDir, _ := vault.GetDirectory()
 	versionsDir := vaultDir + "/secrets.d/test%secret/versions"
 	entries, err := afero.ReadDir(fs, versionsDir)
 	require.NoError(t, err)
 	assert.Len(t, entries, 2)
 	// Current value should be version-2
 	value, err := vault.GetSecret(secretName)
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-2"), value)
 }
 func TestVaultGetSecretVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	secretName := "test/secret"
 	// Add multiple versions
 	addTestSecretToVault(t, vault, secretName, []byte("version-1"), false)
 	// Small delay to ensure different version names
 	time.Sleep(10 * time.Millisecond)
 	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	// Get versions list
 	vaultDir, _ := vault.GetDirectory()
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	versions, err := secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	require.Len(t, versions, 2)
 	// Get specific version (first one)
 	firstVersion := versions[1] // Last in list is first created
 	value, err := vault.GetSecretVersion(secretName, firstVersion)
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-1"), value)
 	// Get specific version (second one)
 	secondVersion := versions[0] // First in list is most recent
 	value, err = vault.GetSecretVersion(secretName, secondVersion)
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-2"), value)
 	// Get current (empty version)
 	value, err = vault.GetSecretVersion(secretName, "")
 	require.NoError(t, err)
 	assert.Equal(t, []byte("version-2"), value)
 }
 func TestVaultVersionTimestamps(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	// Get long-term key
 	ltIdentity, err := vault.GetOrDeriveLongTermKey()
 	require.NoError(t, err)
 	secretName := "test/secret"
 	// Add first version
 	beforeFirst := time.Now()
 	v1Buffer := memguard.NewBufferFromBytes([]byte("version-1"))
 	defer v1Buffer.Destroy()
 	err = vault.AddSecret(secretName, v1Buffer, false)
 	require.NoError(t, err)
 	afterFirst := time.Now()
 	// Get first version metadata
 	vaultDir, _ := vault.GetDirectory()
 	secretDir := vaultDir + "/secrets.d/test%secret"
 	versions, err := secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	require.Len(t, versions, 1)
 	firstVersion := secret.NewVersion(vault, secretName, versions[0])
 	err = firstVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
 	// Check first version timestamps
 	assert.NotNil(t, firstVersion.Metadata.CreatedAt)
 	assert.True(t, firstVersion.Metadata.CreatedAt.After(beforeFirst.Add(-time.Second)))
 	assert.True(t, firstVersion.Metadata.CreatedAt.Before(afterFirst.Add(time.Second)))
 	assert.NotNil(t, firstVersion.Metadata.NotBefore)
 	assert.Equal(t, int64(1), firstVersion.Metadata.NotBefore.Unix()) // Epoch + 1
 	assert.Nil(t, firstVersion.Metadata.NotAfter)                     // Still current
 	// Add second version
 	time.Sleep(10 * time.Millisecond)
 	beforeSecond := time.Now()
 	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	afterSecond := time.Now()
 	// Get updated versions
 	versions, err = secret.ListVersions(fs, secretDir)
 	require.NoError(t, err)
 	require.Len(t, versions, 2)
 	// Reload first version metadata (should have notAfter now)
 	firstVersion = secret.NewVersion(vault, secretName, versions[1])
 	err = firstVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
 	assert.NotNil(t, firstVersion.Metadata.NotAfter)
 	assert.True(t, firstVersion.Metadata.NotAfter.After(beforeSecond.Add(-time.Second)))
 	assert.True(t, firstVersion.Metadata.NotAfter.Before(afterSecond.Add(time.Second)))
 	// Check second version timestamps
 	secondVersion := secret.NewVersion(vault, secretName, versions[0])
 	err = secondVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
 	assert.NotNil(t, secondVersion.Metadata.NotBefore)
 	assert.True(t, secondVersion.Metadata.NotBefore.After(beforeSecond.Add(-time.Second)))
 	assert.True(t, secondVersion.Metadata.NotBefore.Before(afterSecond.Add(time.Second)))
 	assert.Nil(t, secondVersion.Metadata.NotAfter) // Current version
 }
 func TestVaultGetNonExistentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	// Add a secret
 	addTestSecretToVault(t, vault, "test/secret", []byte("value"), false)
 	// Try to get non-existent version
 	_, err := vault.GetSecretVersion("test/secret", "20991231.999")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
 func TestUpdateVersionMetadata(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault with long-term key
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	// Get long-term key
 	ltIdentity, err := vault.GetOrDeriveLongTermKey()
 	require.NoError(t, err)
 	// Create a version manually to test updateVersionMetadata
 	secretName := "test/secret"
 	versionName := "20231215.001"
 	version := secret.NewVersion(vault, secretName, versionName)
 	// Set initial metadata
 	now := time.Now()
 	epochPlusOne := time.Unix(1, 0)
 	version.Metadata.NotBefore = &epochPlusOne
 	version.Metadata.NotAfter = nil
 	// Save version
 	testBuffer := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer testBuffer.Destroy()
 	err = version.Save(testBuffer)
 	require.NoError(t, err)
 	// Update metadata
 	version.Metadata.NotAfter = &now
 	err = updateVersionMetadata(fs, version, ltIdentity)
 	require.NoError(t, err)
 	// Load and verify
 	version2 := secret.NewVersion(vault, secretName, versionName)
 	err = version2.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
 	assert.NotNil(t, version2.Metadata.NotAfter)
 	assert.Equal(t, now.Unix(), version2.Metadata.NotAfter.Unix())
 }
--- a/internal/vault/unlock_keys.go
+++ b/internal/vault/unlock_keys.go
@@ -1,376 +0,0 @@
 package vault
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"path/filepath"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 )
 // GetCurrentUnlockKey returns the current unlock key for this vault
 func (v *Vault) GetCurrentUnlockKey() (secret.UnlockKey, error) {
 	secret.DebugWith("Getting current unlock key", slog.String("vault_name", v.Name))
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for unlock key", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
 	currentUnlockKeyPath := filepath.Join(vaultDir, "current-unlock-key")
 	// Check if the symlink exists
 	_, err = v.fs.Stat(currentUnlockKeyPath)
 	if err != nil {
 		secret.Debug("Failed to stat current unlock key symlink", "error", err, "path", currentUnlockKeyPath)
 		return nil, fmt.Errorf("failed to read current unlock key: %w", err)
 	}
 	// Resolve the symlink to get the target directory
 	var unlockKeyDir string
 	if _, ok := v.fs.(*afero.OsFs); ok {
 		secret.Debug("Resolving unlock key symlink (real filesystem)")
 		// For real filesystems, resolve the symlink properly
 		unlockKeyDir, err = ResolveVaultSymlink(v.fs, currentUnlockKeyPath)
 		if err != nil {
 			secret.Debug("Failed to resolve unlock key symlink", "error", err, "symlink_path", currentUnlockKeyPath)
 			return nil, fmt.Errorf("failed to resolve current unlock key symlink: %w", err)
 		}
 	} else {
 		secret.Debug("Reading unlock key path (mock filesystem)")
 		// Fallback for mock filesystems: read the path from file contents
 		unlockKeyDirBytes, err := afero.ReadFile(v.fs, currentUnlockKeyPath)
 		if err != nil {
 			secret.Debug("Failed to read unlock key path file", "error", err, "path", currentUnlockKeyPath)
 			return nil, fmt.Errorf("failed to read current unlock key: %w", err)
 		}
 		unlockKeyDir = strings.TrimSpace(string(unlockKeyDirBytes))
 	}
 	secret.DebugWith("Resolved unlock key directory",
 		slog.String("unlock_key_dir", unlockKeyDir),
 		slog.String("vault_name", v.Name),
 	)
 	// Read unlock key metadata
 	metadataPath := filepath.Join(unlockKeyDir, "unlock-metadata.json")
 	secret.Debug("Reading unlock key metadata", "path", metadataPath)
 	metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 	if err != nil {
 		secret.Debug("Failed to read unlock key metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to read unlock key metadata: %w", err)
 	}
 	var metadata UnlockKeyMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		secret.Debug("Failed to parse unlock key metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to parse unlock key metadata: %w", err)
 	}
 	secret.DebugWith("Parsed unlock key metadata",
 		slog.String("key_id", metadata.ID),
 		slog.String("key_type", metadata.Type),
 		slog.Time("created_at", metadata.CreatedAt),
 		slog.Any("flags", metadata.Flags),
 	)
 	// Create unlock key instance using direct constructors with filesystem
 	var unlockKey secret.UnlockKey
 	// Convert our metadata to secret.UnlockKeyMetadata
 	secretMetadata := secret.UnlockKeyMetadata(metadata)
 	switch metadata.Type {
 	case "passphrase":
 		secret.Debug("Creating passphrase unlock key instance", "key_id", metadata.ID)
 		unlockKey = secret.NewPassphraseUnlockKey(v.fs, unlockKeyDir, secretMetadata)
 	case "pgp":
 		secret.Debug("Creating PGP unlock key instance", "key_id", metadata.ID)
 		unlockKey = secret.NewPGPUnlockKey(v.fs, unlockKeyDir, secretMetadata)
 	case "keychain":
 		secret.Debug("Creating keychain unlock key instance", "key_id", metadata.ID)
 		unlockKey = secret.NewKeychainUnlockKey(v.fs, unlockKeyDir, secretMetadata)
 	default:
 		secret.Debug("Unsupported unlock key type", "type", metadata.Type, "key_id", metadata.ID)
 		return nil, fmt.Errorf("unsupported unlock key type: %s", metadata.Type)
 	}
 	secret.DebugWith("Successfully created unlock key instance",
 		slog.String("key_type", unlockKey.GetType()),
 		slog.String("key_id", unlockKey.GetID()),
 		slog.String("vault_name", v.Name),
 	)
 	return unlockKey, nil
 }
 // ListUnlockKeys returns a list of available unlock keys for this vault
 func (v *Vault) ListUnlockKeys() ([]UnlockKeyMetadata, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, err
 	}
 	unlockKeysDir := filepath.Join(vaultDir, "unlock.d")
 	// Check if unlock keys directory exists
 	exists, err := afero.DirExists(v.fs, unlockKeysDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if unlock keys directory exists: %w", err)
 	}
 	if !exists {
 		return []UnlockKeyMetadata{}, nil
 	}
 	// List directories in unlock.d
 	files, err := afero.ReadDir(v.fs, unlockKeysDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read unlock keys directory: %w", err)
 	}
 	var keys []UnlockKeyMetadata
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockKeysDir, file.Name(), "unlock-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil {
 				continue
 			}
 			if !exists {
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				continue
 			}
 			var metadata UnlockKeyMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				continue
 			}
 			keys = append(keys, metadata)
 		}
 	}
 	return keys, nil
 }
 // RemoveUnlockKey removes an unlock key from this vault
 func (v *Vault) RemoveUnlockKey(keyID string) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Find the key directory and create the unlock key instance
 	unlockKeysDir := filepath.Join(vaultDir, "unlock.d")
 	// List directories in unlock.d
 	files, err := afero.ReadDir(v.fs, unlockKeysDir)
 	if err != nil {
 		return fmt.Errorf("failed to read unlock keys directory: %w", err)
 	}
 	var unlockKey secret.UnlockKey
 	var keyDir string
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockKeysDir, file.Name(), "unlock-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil || !exists {
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				continue
 			}
 			var metadata UnlockKeyMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				continue
 			}
 			if metadata.ID == keyID {
 				keyDir = filepath.Join(unlockKeysDir, file.Name())
 				// Convert our metadata to secret.UnlockKeyMetadata
 				secretMetadata := secret.UnlockKeyMetadata(metadata)
 				// Create the appropriate unlock key instance
 				switch metadata.Type {
 				case "passphrase":
 					unlockKey = secret.NewPassphraseUnlockKey(v.fs, keyDir, secretMetadata)
 				case "pgp":
 					unlockKey = secret.NewPGPUnlockKey(v.fs, keyDir, secretMetadata)
 				case "keychain":
 					unlockKey = secret.NewKeychainUnlockKey(v.fs, keyDir, secretMetadata)
 				default:
 					return fmt.Errorf("unsupported unlock key type: %s", metadata.Type)
 				}
 				break
 			}
 		}
 	}
 	if unlockKey == nil {
 		return fmt.Errorf("unlock key with ID %s not found", keyID)
 	}
 	// Use the unlock key's Remove method
 	return unlockKey.Remove()
 }
 // SelectUnlockKey selects an unlock key as current for this vault
 func (v *Vault) SelectUnlockKey(keyID string) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Find the unlock key directory by ID
 	unlockKeysDir := filepath.Join(vaultDir, "unlock.d")
 	// List directories in unlock.d to find the key
 	files, err := afero.ReadDir(v.fs, unlockKeysDir)
 	if err != nil {
 		return fmt.Errorf("failed to read unlock keys directory: %w", err)
 	}
 	var targetKeyDir string
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockKeysDir, file.Name(), "unlock-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil || !exists {
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				continue
 			}
 			var metadata UnlockKeyMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				continue
 			}
 			if metadata.ID == keyID {
 				targetKeyDir = filepath.Join(unlockKeysDir, file.Name())
 				break
 			}
 		}
 	}
 	if targetKeyDir == "" {
 		return fmt.Errorf("unlock key with ID %s not found", keyID)
 	}
 	// Create/update current unlock key symlink
 	currentUnlockKeyPath := filepath.Join(vaultDir, "current-unlock-key")
 	// Remove existing symlink if it exists
 	if exists, _ := afero.Exists(v.fs, currentUnlockKeyPath); exists {
 		if err := v.fs.Remove(currentUnlockKeyPath); err != nil {
 			secret.Debug("Failed to remove existing unlock key symlink", "error", err, "path", currentUnlockKeyPath)
 		}
 	}
 	// Create new symlink
 	return afero.WriteFile(v.fs, currentUnlockKeyPath, []byte(targetKeyDir), secret.FilePerms)
 }
 // CreatePassphraseKey creates a new passphrase-protected unlock key
 func (v *Vault) CreatePassphraseKey(passphrase string) (*secret.PassphraseUnlockKey, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	// Create unlock key directory with timestamp
 	timestamp := time.Now().Format("2006-01-02.15.04")
 	unlockKeyDir := filepath.Join(vaultDir, "unlock.d", "passphrase")
 	if err := v.fs.MkdirAll(unlockKeyDir, secret.DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlock key directory: %w", err)
 	}
 	// Generate new age keypair for unlock key
 	unlockIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate unlock key: %w", err)
 	}
 	// Write public key
 	pubKeyPath := filepath.Join(unlockKeyDir, "pub.age")
 	if err := afero.WriteFile(v.fs, pubKeyPath, []byte(unlockIdentity.Recipient().String()), secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlock key public key: %w", err)
 	}
 	// Encrypt private key with passphrase
 	privKeyData := []byte(unlockIdentity.String())
 	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlock key private key: %w", err)
 	}
 	// Write encrypted private key
 	privKeyPath := filepath.Join(unlockKeyDir, "priv.age")
 	if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted unlock key private key: %w", err)
 	}
 	// Create metadata
 	keyID := fmt.Sprintf("%s-passphrase", timestamp)
 	metadata := UnlockKeyMetadata{
 		ID:        keyID,
 		Type:      "passphrase",
 		CreatedAt: time.Now(),
 		Flags:     []string{},
 	}
 	// Write metadata
 	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal metadata: %w", err)
 	}
 	metadataPath := filepath.Join(unlockKeyDir, "unlock-metadata.json")
 	if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlock key metadata: %w", err)
 	}
 	// Encrypt long-term private key to this unlock key if vault is unlocked
 	if !v.Locked() {
 		ltPrivKey := []byte(v.GetLongTermKey().String())
 		encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKey, unlockIdentity.Recipient())
 		if err != nil {
 			return nil, fmt.Errorf("failed to encrypt long-term private key: %w", err)
 		}
 		ltPrivKeyPath := filepath.Join(unlockKeyDir, "longterm.age")
 		if err := afero.WriteFile(v.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
 			return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 		}
 	}
 	// Select this unlock key as current
 	if err := v.SelectUnlockKey(keyID); err != nil {
 		return nil, fmt.Errorf("failed to select new unlock key: %w", err)
 	}
 	// Convert our metadata to secret.UnlockKeyMetadata for the constructor
 	secretMetadata := secret.UnlockKeyMetadata(metadata)
 	return secret.NewPassphraseUnlockKey(v.fs, unlockKeyDir, secretMetadata), nil
 }
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@@ -0,0 +1,407 @@
 package vault
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"path/filepath"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // GetCurrentUnlocker returns the current unlocker for this vault
 func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	secret.DebugWith("Getting current unlocker", slog.String("vault_name", v.Name))
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for unlocker", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
 	currentUnlockerPath := filepath.Join(vaultDir, "current-unlocker")
 	// Check if the symlink exists
 	_, err = v.fs.Stat(currentUnlockerPath)
 	if err != nil {
 		secret.Debug("Failed to stat current unlocker symlink", "error", err, "path", currentUnlockerPath)
 		return nil, fmt.Errorf("failed to read current unlocker: %w", err)
 	}
 	// Resolve the symlink to get the target directory
 	unlockerDir, err := v.resolveUnlockerDirectory(currentUnlockerPath)
 	if err != nil {
 		return nil, err
 	}
 	secret.DebugWith("Resolved unlocker directory",
 		slog.String("unlocker_dir", unlockerDir),
 		slog.String("vault_name", v.Name),
 	)
 	// Read unlocker metadata
 	metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 	secret.Debug("Reading unlocker metadata", "path", metadataPath)
 	metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 	if err != nil {
 		secret.Debug("Failed to read unlocker metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to read unlocker metadata: %w", err)
 	}
 	var metadata UnlockerMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		secret.Debug("Failed to parse unlocker metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to parse unlocker metadata: %w", err)
 	}
 	secret.DebugWith("Parsed unlocker metadata",
 		slog.String("unlocker_type", metadata.Type),
 		slog.Time("created_at", metadata.CreatedAt),
 		slog.Any("flags", metadata.Flags),
 	)
 	// Create unlocker instance using direct constructors with filesystem
 	var unlocker secret.Unlocker
 	// Use metadata directly as it's already the correct type
 	switch metadata.Type {
 	case "passphrase":
 		secret.Debug("Creating passphrase unlocker instance", "unlocker_type", metadata.Type)
 		unlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
 	case "pgp":
 		secret.Debug("Creating PGP unlocker instance", "unlocker_type", metadata.Type)
 		unlocker = secret.NewPGPUnlocker(v.fs, unlockerDir, metadata)
 	case "keychain":
 		secret.Debug("Creating keychain unlocker instance", "unlocker_type", metadata.Type)
 		unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, metadata)
 	default:
 		secret.Debug("Unsupported unlocker type", "type", metadata.Type)
 		return nil, fmt.Errorf("unsupported unlocker type: %s", metadata.Type)
 	}
 	secret.DebugWith("Successfully created unlocker instance",
 		slog.String("unlocker_type", unlocker.GetType()),
 		slog.String("unlocker_id", unlocker.GetID()),
 		slog.String("vault_name", v.Name),
 	)
 	return unlocker, nil
 }
 // resolveUnlockerDirectory resolves the unlocker directory from a symlink or file
 func (v *Vault) resolveUnlockerDirectory(currentUnlockerPath string) (string, error) {
 	linkReader, ok := v.fs.(afero.LinkReader)
 	if !ok {
 		// Fallback for filesystems that don't support symlinks
 		return v.readUnlockerPathFromFile(currentUnlockerPath)
 	}
 	secret.Debug("Resolving unlocker symlink using afero")
 	// Try to read as symlink first
 	unlockerDir, err := linkReader.ReadlinkIfPossible(currentUnlockerPath)
 	if err == nil {
 		return unlockerDir, nil
 	}
 	secret.Debug("Failed to read symlink, falling back to file contents",
 		"error", err, "symlink_path", currentUnlockerPath)
 	// Fallback: read the path from file contents
 	return v.readUnlockerPathFromFile(currentUnlockerPath)
 }
 // readUnlockerPathFromFile reads the unlocker directory path from a file
 func (v *Vault) readUnlockerPathFromFile(path string) (string, error) {
 	secret.Debug("Reading unlocker path from file", "path", path)
 	unlockerDirBytes, err := afero.ReadFile(v.fs, path)
 	if err != nil {
 		secret.Debug("Failed to read unlocker path file", "error", err, "path", path)
 		return "", fmt.Errorf("failed to read current unlocker: %w", err)
 	}
 	return strings.TrimSpace(string(unlockerDirBytes)), nil
 }
 // findUnlockerByID finds an unlocker by its ID and returns the unlocker instance and its directory path
 func (v *Vault) findUnlockerByID(unlockersDir, unlockerID string) (secret.Unlocker, string, error) {
 	files, err := afero.ReadDir(v.fs, unlockersDir)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to read unlockers directory: %w", err)
 	}
 	for _, file := range files {
 		if !file.IsDir() {
 			continue
 		}
 		// Read metadata file
 		metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
 		exists, err := afero.Exists(v.fs, metadataPath)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 		}
 		if !exists {
 			// Skip directories without metadata - they might not be unlockers
 			continue
 		}
 		metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
 		}
 		var metadata UnlockerMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			return nil, "", fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
 		}
 		unlockerDirPath := filepath.Join(unlockersDir, file.Name())
 		// Create the appropriate unlocker instance
 		var tempUnlocker secret.Unlocker
 		switch metadata.Type {
 		case "passphrase":
 			tempUnlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDirPath, metadata)
 		case "pgp":
 			tempUnlocker = secret.NewPGPUnlocker(v.fs, unlockerDirPath, metadata)
 		case "keychain":
 			tempUnlocker = secret.NewKeychainUnlocker(v.fs, unlockerDirPath, metadata)
 		default:
 			continue
 		}
 		// Check if this unlocker's ID matches
 		if tempUnlocker.GetID() == unlockerID {
 			return tempUnlocker, unlockerDirPath, nil
 		}
 	}
 	return nil, "", nil
 }
 // ListUnlockers returns a list of available unlockers for this vault
 func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, err
 	}
 	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 	// Check if unlockers directory exists
 	exists, err := afero.DirExists(v.fs, unlockersDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if unlockers directory exists: %w", err)
 	}
 	if !exists {
 		return []UnlockerMetadata{}, nil
 	}
 	// List directories in unlockers.d
 	files, err := afero.ReadDir(v.fs, unlockersDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read unlockers directory: %w", err)
 	}
 	var unlockers []UnlockerMetadata
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil {
 				return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
 				return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				return nil, fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
 			}
 			var metadata UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				return nil, fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
 			}
 			unlockers = append(unlockers, metadata)
 		}
 	}
 	return unlockers, nil
 }
 // RemoveUnlocker removes an unlocker from this vault
 func (v *Vault) RemoveUnlocker(unlockerID string) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Find the unlocker directory and create the unlocker instance
 	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 	// Find the unlocker by ID
 	unlocker, _, err := v.findUnlockerByID(unlockersDir, unlockerID)
 	if err != nil {
 		return err
 	}
 	if unlocker == nil {
 		return fmt.Errorf("unlocker with ID %s not found", unlockerID)
 	}
 	// Use the unlocker's Remove method
 	return unlocker.Remove()
 }
 // SelectUnlocker selects an unlocker as current for this vault
 func (v *Vault) SelectUnlocker(unlockerID string) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Find the unlocker directory by ID
 	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 	// Find the unlocker by ID
 	_, targetUnlockerDir, err := v.findUnlockerByID(unlockersDir, unlockerID)
 	if err != nil {
 		return err
 	}
 	if targetUnlockerDir == "" {
 		return fmt.Errorf("unlocker with ID %s not found", unlockerID)
 	}
 	// Create/update current unlocker symlink
 	currentUnlockerPath := filepath.Join(vaultDir, "current-unlocker")
 	// Remove existing symlink if it exists
 	if exists, err := afero.Exists(v.fs, currentUnlockerPath); err != nil {
 		return fmt.Errorf("failed to check if current unlocker symlink exists: %w", err)
 	} else if exists {
 		if err := v.fs.Remove(currentUnlockerPath); err != nil {
 			return fmt.Errorf("failed to remove existing unlocker symlink: %w", err)
 		}
 	}
 	// Create new symlink using afero's SymlinkIfPossible
 	if linker, ok := v.fs.(afero.Linker); ok {
 		secret.Debug("Creating unlocker symlink", "target", targetUnlockerDir, "link", currentUnlockerPath)
 		if err := linker.SymlinkIfPossible(targetUnlockerDir, currentUnlockerPath); err != nil {
 			return fmt.Errorf("failed to create unlocker symlink: %w", err)
 		}
 	} else {
 		// Fallback: create a regular file with the target path for filesystems that don't support symlinks
 		secret.Debug("Fallback: creating regular file with target path", "target", targetUnlockerDir)
 		if err := afero.WriteFile(v.fs, currentUnlockerPath, []byte(targetUnlockerDir), secret.FilePerms); err != nil {
 			return fmt.Errorf("failed to create unlocker symlink file: %w", err)
 		}
 	}
 	return nil
 }
 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
 // The passphrase must be provided as a LockedBuffer for security
 func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*secret.PassphraseUnlocker, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	// Create unlocker directory
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", "passphrase")
 	if err := v.fs.MkdirAll(unlockerDir, secret.DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
 	}
 	// Generate new age keypair for unlocker
 	unlockerIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate unlocker: %w", err)
 	}
 	// Write public key
 	pubKeyPath := filepath.Join(unlockerDir, "pub.age")
 	if err := afero.WriteFile(v.fs, pubKeyPath,
 		[]byte(unlockerIdentity.Recipient().String()),
 		secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker public key: %w", err)
 	}
 	// Encrypt private key with passphrase
 	privKeyStr := unlockerIdentity.String()
 	encryptedPrivKey, err := secret.EncryptWithPassphrase([]byte(privKeyStr), passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
 	}
 	// Write encrypted private key
 	privKeyPath := filepath.Join(unlockerDir, "priv.age")
 	if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted unlocker private key: %w", err)
 	}
 	// Create metadata
 	metadata := UnlockerMetadata{
 		Type:      "passphrase",
 		CreatedAt: time.Now(),
 		Flags:     []string{},
 	}
 	// Write metadata
 	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal metadata: %w", err)
 	}
 	metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 	if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
 	}
 	// Encrypt long-term private key to this unlocker
 	// We need to get the long-term key (either from memory if unlocked, or derive it)
 	ltIdentity, err := v.GetOrDeriveLongTermKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}
 	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
 	defer ltPrivKeyBuffer.Destroy()
 	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}
 	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	if err := afero.WriteFile(v.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Create the unlocker instance
 	unlocker := secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
 	// Select this unlocker as current
 	if err := v.SelectUnlocker(unlocker.GetID()); err != nil {
 		return nil, fmt.Errorf("failed to select new unlocker: %w", err)
 	}
 	return unlocker, nil
 }
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -30,6 +30,7 @@ func NewVault(fs afero.Fs, stateDir string, name string) *Vault {
 		longTermKey: nil,
 	}
 	secret.Debug("Created NewVault instance successfully")
 	return v
 }
@@ -65,15 +66,43 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	// Try to derive from environment mnemonic first
 	if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
 		secret.Debug("Using mnemonic from environment for long-term key derivation", "vault_name", v.Name)
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
+
 		// Load vault metadata to get the derivation index
 		vaultDir, err := v.GetDirectory()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
 		metadata, err := LoadVaultMetadata(v.fs, vaultDir)
 		if err != nil {
 			secret.Debug("Failed to load vault metadata", "error", err, "vault_name", v.Name)
 			return nil, fmt.Errorf("failed to load vault metadata: %w", err)
 		}
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			secret.Debug("Failed to derive long-term key from mnemonic", "error", err, "vault_name", v.Name)
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
 		// Verify that the derived key matches the stored public key hash
 		derivedPubKeyHash := ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
 		if derivedPubKeyHash != metadata.PublicKeyHash {
 			secret.Debug("Derived public key hash does not match stored hash",
 				"vault_name", v.Name,
 				"derived_hash", derivedPubKeyHash,
 				"stored_hash", metadata.PublicKeyHash,
 				"derivation_index", metadata.DerivationIndex)
 			return nil, fmt.Errorf("derived public key does not match vault: mnemonic may be incorrect")
 		}
 		secret.DebugWith("Successfully derived long-term key from mnemonic",
 			slog.String("vault_name", v.Name),
 			slog.String("public_key", ltIdentity.Recipient().String()),
 			slog.Uint64("derivation_index", uint64(metadata.DerivationIndex)),
 		)
 		// Cache the derived key by unlocking the vault
@@ -83,57 +112,61 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 		return ltIdentity, nil
 	}
-	// No mnemonic available, try to use current unlock key
+	// No mnemonic available, try to use current unlocker
-	secret.Debug("No mnemonic available, using current unlock key to unlock vault", "vault_name", v.Name)
+	secret.Debug("No mnemonic available, using current unlocker to unlock vault", "vault_name", v.Name)
-	// Get current unlock key
+	// Get current unlocker
-	unlockKey, err := v.GetCurrentUnlockKey()
+	unlocker, err := v.GetCurrentUnlocker()
 	if err != nil {
-		secret.Debug("Failed to get current unlock key", "error", err, "vault_name", v.Name)
+		secret.Debug("Failed to get current unlocker", "error", err, "vault_name", v.Name)
-		return nil, fmt.Errorf("failed to get current unlock key: %w", err)
+
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
-	secret.DebugWith("Retrieved current unlock key for vault unlock",
+	secret.DebugWith("Retrieved current unlocker for vault unlock",
 		slog.String("vault_name", v.Name),
-		slog.String("unlock_key_type", unlockKey.GetType()),
+		slog.String("unlocker_type", unlocker.GetType()),
-		slog.String("unlock_key_id", unlockKey.GetID()),
+		slog.String("unlocker_id", unlocker.GetID()),
 	)
-	// Get unlock key identity
+	// Get unlocker identity
-	unlockIdentity, err := unlockKey.GetIdentity()
+	unlockerIdentity, err := unlocker.GetIdentity()
 	if err != nil {
-		secret.Debug("Failed to get unlock key identity", "error", err, "unlock_key_type", unlockKey.GetType())
+		secret.Debug("Failed to get unlocker identity", "error", err, "unlocker_type", unlocker.GetType())
-		return nil, fmt.Errorf("failed to get unlock key identity: %w", err)
+
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
-	// Read encrypted long-term private key from unlock key directory
+	// Read encrypted long-term private key from unlocker directory
-	unlockKeyDir := unlockKey.GetDirectory()
+	unlockerDir := unlocker.GetDirectory()
-	encryptedLtPrivKeyPath := filepath.Join(unlockKeyDir, "longterm.age")
+	encryptedLtPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	secret.Debug("Reading encrypted long-term private key", "path", encryptedLtPrivKeyPath)
 	encryptedLtPrivKey, err := afero.ReadFile(v.fs, encryptedLtPrivKeyPath)
 	if err != nil {
 		secret.Debug("Failed to read encrypted long-term private key", "error", err, "path", encryptedLtPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
 	secret.DebugWith("Read encrypted long-term private key",
 		slog.String("vault_name", v.Name),
-		slog.String("unlock_key_type", unlockKey.GetType()),
+		slog.String("unlocker_type", unlocker.GetType()),
 		slog.Int("encrypted_length", len(encryptedLtPrivKey)),
 	)
-	// Decrypt long-term private key using unlock key
+	// Decrypt long-term private key using unlocker
-	secret.Debug("Decrypting long-term private key with unlock key", "unlock_key_type", unlockKey.GetType())
+	secret.Debug("Decrypting long-term private key with unlocker", "unlocker_type", unlocker.GetType())
-	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
+	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
-		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlock_key_type", unlockKey.GetType())
+		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlocker_type", unlocker.GetType())
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	secret.DebugWith("Successfully decrypted long-term private key",
 		slog.String("vault_name", v.Name),
-		slog.String("unlock_key_type", unlockKey.GetType()),
+		slog.String("unlocker_type", unlocker.GetType()),
 		slog.Int("decrypted_length", len(ltPrivKeyData)),
 	)
@@ -142,18 +175,20 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
 	if err != nil {
 		secret.Debug("Failed to parse long-term private key", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}
-	secret.DebugWith("Successfully obtained long-term identity via unlock key",
+	secret.DebugWith("Successfully obtained long-term identity via unlocker",
 		slog.String("vault_name", v.Name),
-		slog.String("unlock_key_type", unlockKey.GetType()),
+		slog.String("unlocker_type", unlocker.GetType()),
 		slog.String("public_key", ltIdentity.Recipient().String()),
 	)
 	// Cache the derived key by unlocking the vault
 	v.Unlock(ltIdentity)
-	secret.Debug("Vault is unlocked (lt key in memory) via unlock key", "vault_name", v.Name, "unlock_key_type", unlockKey.GetType())
+	secret.Debug("Vault is unlocked (lt key in memory) via unlocker",
 		"vault_name", v.Name, "unlocker_type", unlocker.GetType())
 	return ltIdentity, nil
 }
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -1,39 +1,22 @@
 package vault
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 func TestVaultOperations(t *testing.T) {
-	// Save original environment variables
+	// Test environment will be cleaned up automatically by t.Setenv
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
 	// Clean up after test
 	defer func() {
 		if oldMnemonic != "" {
 			os.Setenv(secret.EnvMnemonic, oldMnemonic)
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Set test environment variables
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	// Use in-memory filesystem
 	fs := afero.NewMemMapFs()
@@ -139,8 +122,13 @@ func TestVaultOperations(t *testing.T) {
 		// Now add a secret
 		secretName := "test/secret"
 		secretValue := []byte("test-secret-value")
 		expectedValue := make([]byte, len(secretValue))
 		copy(expectedValue, secretValue)
-		err = vlt.AddSecret(secretName, secretValue, false)
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		err = vlt.AddSecret(secretName, secretBuffer, false)
 		if err != nil {
 			t.Fatalf("Failed to add secret: %v", err)
 		}
@@ -169,13 +157,13 @@ func TestVaultOperations(t *testing.T) {
 			t.Fatalf("Failed to get secret: %v", err)
 		}
-		if string(retrievedValue) != string(secretValue) {
+		if string(retrievedValue) != string(expectedValue) {
-			t.Errorf("Expected secret value '%s', got '%s'", string(secretValue), string(retrievedValue))
+			t.Errorf("Expected secret value '%s', got '%s'", string(expectedValue), string(retrievedValue))
 		}
 	})
-	// Test unlock key operations
+	// Test unlocker operations
-	t.Run("UnlockKeyOperations", func(t *testing.T) {
+	t.Run("UnlockerOperations", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)
 		if err != nil {
 			t.Fatalf("Failed to get current vault: %v", err)
@@ -189,25 +177,27 @@ func TestVaultOperations(t *testing.T) {
 			}
 		}
-		// Create a passphrase unlock key
+		// Create a passphrase unlocker
-		passphraseKey, err := vlt.CreatePassphraseKey("test-passphrase")
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 		defer passphraseBuffer.Destroy()
 		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
-			t.Fatalf("Failed to create passphrase key: %v", err)
+			t.Fatalf("Failed to create passphrase unlocker: %v", err)
 		}
-		// List unlock keys
+		// List unlockers
-		keys, err := vlt.ListUnlockKeys()
+		unlockers, err := vlt.ListUnlockers()
 		if err != nil {
-			t.Fatalf("Failed to list unlock keys: %v", err)
+			t.Fatalf("Failed to list unlockers: %v", err)
 		}
-		if len(keys) == 0 {
+		if len(unlockers) == 0 {
-			t.Errorf("Expected at least one unlock key")
+			t.Errorf("Expected at least one unlocker")
 		}
 		// Check key type
 		keyFound := false
-		for _, key := range keys {
+		for _, key := range unlockers {
 			if key.Type == "passphrase" {
 				keyFound = true
 				break
@@ -215,23 +205,23 @@ func TestVaultOperations(t *testing.T) {
 		}
 		if !keyFound {
-			t.Errorf("Expected to find passphrase unlock key")
+			t.Errorf("Expected to find passphrase unlocker")
 		}
-		// Test selecting unlock key
+		// Test selecting unlocker
-		err = vlt.SelectUnlockKey(passphraseKey.GetID())
+		err = vlt.SelectUnlocker(passphraseUnlocker.GetID())
 		if err != nil {
-			t.Fatalf("Failed to select unlock key: %v", err)
+			t.Fatalf("Failed to select unlocker: %v", err)
 		}
-		// Test getting current unlock key
+		// Test getting current unlocker
-		currentKey, err := vlt.GetCurrentUnlockKey()
+		currentUnlocker, err := vlt.GetCurrentUnlocker()
 		if err != nil {
-			t.Fatalf("Failed to get current unlock key: %v", err)
+			t.Fatalf("Failed to get current unlocker: %v", err)
 		}
-		if currentKey.GetID() != passphraseKey.GetID() {
+		if currentUnlocker.GetID() != passphraseUnlocker.GetID() {
-			t.Errorf("Expected current unlock key ID '%s', got '%s'", passphraseKey.GetID(), currentKey.GetID())
+			t.Errorf("Expected current unlocker ID '%s', got '%s'", passphraseUnlocker.GetID(), currentUnlocker.GetID())
 		}
 	})
 }
--- a/pkg/agehd/agehd.go
+++ b/pkg/agehd/agehd.go
@@ -21,10 +21,11 @@ import (
 )
 const (
-	purpose  = uint32(83696968)  // fixed by BIP-85 ("bip")
+	purpose       = uint32(83696968)  // fixed by BIP-85 ("bip")
-	vendorID = uint32(592366788) // berlin.sneak
+	vendorID      = uint32(592366788) // berlin.sneak
-	appID    = uint32(733482323) // secret
+	appID         = uint32(733482323) // secret
-	hrp      = "age-secret-key-" // Bech32 HRP used by age
+	hrp           = "age-secret-key-" // Bech32 HRP used by age
 	x25519KeySize = 32                // 256-bit key size for X25519
 )
 // clamp applies RFC-7748 clamping to a 32-byte scalar.
@@ -37,16 +38,20 @@ func clamp(k []byte) {
 // IdentityFromEntropy converts 32 deterministic bytes into an
 // *age.X25519Identity by round-tripping through Bech32.
 func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
-	if len(ent) != 32 {
+	if len(ent) != x25519KeySize {
 		return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
 	}
 	// Make a copy to avoid modifying the original
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	copy(key, ent)
 	clamp(key)
-	data, err := bech32.ConvertBits(key, 8, 5, true)
+	const (
 		bech32BitSize8 = 8 // Standard 8-bit encoding
 		bech32BitSize5 = 5 // Bech32 5-bit encoding
 	)
 	data, err := bech32.ConvertBits(key, bech32BitSize8, bech32BitSize5, true)
 	if err != nil {
 		return nil, fmt.Errorf("bech32 convert: %w", err)
 	}
@@ -54,6 +59,7 @@ func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
 	if err != nil {
 		return nil, fmt.Errorf("bech32 encode: %w", err)
 	}
 	return age.ParseX25519Identity(strings.ToUpper(s))
 }
@@ -80,7 +86,7 @@ func DeriveEntropy(mnemonic string, n uint32) ([]byte, error) {
 	// Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 	drng := bip85.NewBIP85DRNG(entropy)
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	_, err = drng.Read(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@@ -109,7 +115,7 @@ func DeriveEntropyFromXPRV(xprv string, n uint32) ([]byte, error) {
 	// Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 	drng := bip85.NewBIP85DRNG(entropy)
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	_, err = drng.Read(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@@ -125,6 +131,7 @@ func DeriveIdentity(mnemonic string, n uint32) (*age.X25519Identity, error) {
 	if err != nil {
 		return nil, err
 	}
 	return IdentityFromEntropy(ent)
 }
@@ -135,5 +142,6 @@ func DeriveIdentityFromXPRV(xprv string, n uint32) (*age.X25519Identity, error)
 	if err != nil {
 		return nil, err
 	}
 	return IdentityFromEntropy(ent)
 }
--- a/pkg/agehd/agehd_test.go
+++ b/pkg/agehd/agehd_test.go
@@ -1,3 +1,4 @@
 //nolint:lll // Test vectors contain long lines
 package agehd
 import (
@@ -39,7 +40,7 @@ const (
 	errorMsgInvalidXPRV = "invalid-xprv"
 	// Test constants for various scenarios
-	testSkipMessage = "Skipping consistency test - test mnemonic and xprv are from different sources"
+	// Removed testSkipMessage as tests are no longer skipped
 	// Numeric constants for testing
 	testNumGoroutines = 10
@@ -133,7 +134,11 @@ func TestDeterministicDerivation(t *testing.T) {
 	}
 	if id1.String() != id2.String() {
-		t.Fatalf("identities should be deterministic: %s != %s", id1.String(), id2.String())
+		t.Fatalf(
 			"identities should be deterministic: %s != %s",
 			id1.String(),
 			id2.String(),
 		)
 	}
 	// Test that different indices produce different identities
@@ -163,7 +168,11 @@ func TestDeterministicXPRVDerivation(t *testing.T) {
 	}
 	if id1.String() != id2.String() {
-		t.Fatalf("xprv identities should be deterministic: %s != %s", id1.String(), id2.String())
+		t.Fatalf(
 			"xprv identities should be deterministic: %s != %s",
 			id1.String(),
 			id2.String(),
 		)
 	}
 	// Test that different indices with same xprv produce different identities
@@ -180,11 +189,8 @@ func TestDeterministicXPRVDerivation(t *testing.T) {
 	t.Logf("XPRV Index 1: %s", id3.String())
 }
-func TestMnemonicVsXPRVConsistency(t *testing.T) {
+func TestMnemonicVsXPRVConsistency(_ *testing.T) {
-	// Test that deriving from mnemonic and from the corresponding xprv produces the same result
+	// FIXME This test is missing!
 	// Note: This test is removed because the test mnemonic and test xprv are from different sources
 	// and are not expected to produce the same results.
 	t.Skip(testSkipMessage)
 }
 func TestEntropyLength(t *testing.T) {
@@ -207,7 +213,10 @@ func TestEntropyLength(t *testing.T) {
 	}
 	if len(entropyXPRV) != 32 {
-		t.Fatalf("expected 32 bytes of entropy from xprv, got %d", len(entropyXPRV))
+		t.Fatalf(
 			"expected 32 bytes of entropy from xprv, got %d",
 			len(entropyXPRV),
 		)
 	}
 	t.Logf("XPRV Entropy (32 bytes): %x", entropyXPRV)
@@ -263,14 +272,49 @@ func TestClampFunction(t *testing.T) {
 		expected []byte
 	}{
 		{
-			name:     "all zeros",
+			name:  "all zeros",
-			input:    make([]byte, 32),
+			input: make([]byte, 32),
-			expected: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64},
+			expected: []byte{
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				0,
 				64,
 			},
 		},
 		{
-			name:     "all ones",
+			name:  "all ones",
-			input:    bytes.Repeat([]byte{255}, 32),
+			input: bytes.Repeat([]byte{255}, 32),
-			expected: append([]byte{248}, append(bytes.Repeat([]byte{255}, 30), 127)...),
+			expected: append(
 				[]byte{248},
 				append(bytes.Repeat([]byte{255}, 30), 127)...),
 		},
 	}
@@ -282,13 +326,22 @@ func TestClampFunction(t *testing.T) {
 			// Check specific bits that should be clamped
 			if input[0]&7 != 0 {
-				t.Errorf("first byte should have bottom 3 bits cleared, got %08b", input[0])
+				t.Errorf(
 					"first byte should have bottom 3 bits cleared, got %08b",
 					input[0],
 				)
 			}
 			if input[31]&128 != 0 {
-				t.Errorf("last byte should have top bit cleared, got %08b", input[31])
+				t.Errorf(
 					"last byte should have top bit cleared, got %08b",
 					input[31],
 				)
 			}
 			if input[31]&64 == 0 {
-				t.Errorf("last byte should have second-to-top bit set, got %08b", input[31])
+				t.Errorf(
 					"last byte should have second-to-top bit set, got %08b",
 					input[31],
 				)
 			}
 		})
 	}
@@ -336,8 +389,11 @@ func TestIdentityFromEntropyEdgeCases(t *testing.T) {
 			entropy: func() []byte {
 				b := make([]byte, 32)
 				if _, err := rand.Read(b); err != nil {
-					panic(err) // In test context, panic is acceptable for setup failures
+					panic(
 						err,
 					) // In test context, panic is acceptable for setup failures
 				}
 				return b
 			}(),
 			expectError: false,
@@ -355,7 +411,10 @@ func TestIdentityFromEntropyEdgeCases(t *testing.T) {
 					t.Errorf("expected error containing %q, got %q", tt.errorMsg, err.Error())
 				}
 				if identity != nil {
-					t.Errorf("expected nil identity on error, got %v", identity)
+					t.Errorf(
 						"expected nil identity on error, got %v",
 						identity,
 					)
 				}
 			} else {
 				if err != nil {
@@ -530,7 +589,11 @@ func TestIndexBoundaries(t *testing.T) {
 		t.Run(fmt.Sprintf("index_%d", index), func(t *testing.T) {
 			identity, err := DeriveIdentity(mnemonic, index)
 			if err != nil {
-				t.Fatalf("failed to derive identity at index %d: %v", index, err)
+				t.Fatalf(
 					"failed to derive identity at index %d: %v",
 					index,
 					err,
 				)
 			}
 			// Verify the identity is valid by testing encryption/decryption
@@ -599,9 +662,13 @@ func TestConcurrentDerivation(t *testing.T) {
 	results := make(chan string, testNumGoroutines*testNumIterations)
 	errors := make(chan error, testNumGoroutines*testNumIterations)
-	for i := 0; i < testNumGoroutines; i++ {
+	for range testNumGoroutines {
-		go func(goroutineID int) {
+		go func() {
-			for j := 0; j < testNumIterations; j++ {
+			for j := range testNumIterations {
 				if j < 0 || j > 1000000 {
 					errors <- fmt.Errorf("index out of safe range")
 					return
 				}
 				identity, err := DeriveIdentity(mnemonic, uint32(j))
 				if err != nil {
 					errors <- err
@@ -609,12 +676,12 @@ func TestConcurrentDerivation(t *testing.T) {
 				}
 				results <- identity.String()
 			}
-		}(i)
+		}()
 	}
 	// Collect results
 	resultMap := make(map[string]int)
-	for i := 0; i < testNumGoroutines*testNumIterations; i++ {
+	for range testNumGoroutines * testNumIterations {
 		select {
 		case result := <-results:
 			resultMap[result]++
@@ -627,17 +694,29 @@ func TestConcurrentDerivation(t *testing.T) {
 	expectedResults := testNumGoroutines
 	for result, count := range resultMap {
 		if count != expectedResults {
-			t.Errorf("result %s appeared %d times, expected %d", result, count, expectedResults)
+			t.Errorf(
 				"result %s appeared %d times, expected %d",
 				result,
 				count,
 				expectedResults,
 			)
 		}
 	}
-	t.Logf("Concurrent derivation test passed with %d unique results", len(resultMap))
+	t.Logf(
 		"Concurrent derivation test passed with %d unique results",
 		len(resultMap),
 	)
 }
 // Benchmark tests
 func BenchmarkDeriveIdentity(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveIdentity(mnemonic, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveIdentity(mnemonic, uint32(index))
 		if err != nil {
 			b.Fatalf("derive identity: %v", err)
 		}
@@ -645,8 +724,12 @@ func BenchmarkDeriveIdentity(b *testing.B) {
 }
 func BenchmarkDeriveIdentityFromXPRV(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveIdentityFromXPRV(testXPRV, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveIdentityFromXPRV(testXPRV, uint32(index))
 		if err != nil {
 			b.Fatalf("derive identity from xprv: %v", err)
 		}
@@ -654,8 +737,12 @@ func BenchmarkDeriveIdentityFromXPRV(b *testing.B) {
 }
 func BenchmarkDeriveEntropy(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveEntropy(mnemonic, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveEntropy(mnemonic, uint32(index))
 		if err != nil {
 			b.Fatalf("derive entropy: %v", err)
 		}
@@ -669,7 +756,7 @@ func BenchmarkIdentityFromEntropy(b *testing.B) {
 	}
 	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
+	for range b.N {
 		_, err := IdentityFromEntropy(entropy)
 		if err != nil {
 			b.Fatalf("identity from entropy: %v", err)
@@ -684,7 +771,7 @@ func BenchmarkEncryptDecrypt(b *testing.B) {
 	}
 	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
+	for range b.N {
 		var ct bytes.Buffer
 		w, err := age.Encrypt(&ct, identity.Recipient())
 		if err != nil {
@@ -711,16 +798,28 @@ func BenchmarkEncryptDecrypt(b *testing.B) {
 // TestConstants verifies the hardcoded constants
 func TestConstants(t *testing.T) {
 	if purpose != 83696968 {
-		t.Errorf("purpose constant mismatch: expected 83696968, got %d", purpose)
+		t.Errorf(
 			"purpose constant mismatch: expected 83696968, got %d",
 			purpose,
 		)
 	}
 	if vendorID != 592366788 {
-		t.Errorf("vendorID constant mismatch: expected 592366788, got %d", vendorID)
+		t.Errorf(
 			"vendorID constant mismatch: expected 592366788, got %d",
 			vendorID,
 		)
 	}
 	if appID != 733482323 {
-		t.Errorf("appID constant mismatch: expected 733482323, got %d", appID)
+		t.Errorf(
 			"appID constant mismatch: expected 733482323, got %d",
 			appID,
 		)
 	}
 	if hrp != "age-secret-key-" {
-		t.Errorf("hrp constant mismatch: expected 'age-secret-key-', got %q", hrp)
+		t.Errorf(
 			"hrp constant mismatch: expected 'age-secret-key-', got %q",
 			hrp,
 		)
 	}
 }
@@ -736,7 +835,10 @@ func TestIdentityStringFormat(t *testing.T) {
 	// Check secret key format
 	if !strings.HasPrefix(secretKey, "AGE-SECRET-KEY-") {
-		t.Errorf("secret key should start with 'AGE-SECRET-KEY-', got: %s", secretKey)
+		t.Errorf(
 			"secret key should start with 'AGE-SECRET-KEY-', got: %s",
 			secretKey,
 		)
 	}
 	// Check recipient format
@@ -833,14 +935,22 @@ func TestRandomMnemonicDeterministicGeneration(t *testing.T) {
 	privateKey1 := identity1.String()
 	privateKey2 := identity2.String()
 	if privateKey1 != privateKey2 {
-		t.Fatalf("private keys should be identical:\nFirst:  %s\nSecond: %s", privateKey1, privateKey2)
+		t.Fatalf(
 			"private keys should be identical:\nFirst:  %s\nSecond: %s",
 			privateKey1,
 			privateKey2,
 		)
 	}
 	// Verify that both public keys (recipients) are identical
 	publicKey1 := identity1.Recipient().String()
 	publicKey2 := identity2.Recipient().String()
 	if publicKey1 != publicKey2 {
-		t.Fatalf("public keys should be identical:\nFirst:  %s\nSecond: %s", publicKey1, publicKey2)
+		t.Fatalf(
 			"public keys should be identical:\nFirst:  %s\nSecond: %s",
 			publicKey1,
 			publicKey2,
 		)
 	}
 	t.Logf("✓ Deterministic generation verified")
@@ -872,10 +982,17 @@ func TestRandomMnemonicDeterministicGeneration(t *testing.T) {
 		t.Fatalf("failed to close encryptor: %v", err)
 	}
-	t.Logf("✓ Encrypted %d bytes into %d bytes of ciphertext", len(testData), ciphertext.Len())
+	t.Logf(
 		"✓ Encrypted %d bytes into %d bytes of ciphertext",
 		len(testData),
 		ciphertext.Len(),
 	)
 	// Decrypt the data using the private key
-	decryptor, err := age.Decrypt(bytes.NewReader(ciphertext.Bytes()), identity1)
+	decryptor, err := age.Decrypt(
 		bytes.NewReader(ciphertext.Bytes()),
 		identity1,
 	)
 	if err != nil {
 		t.Fatalf("failed to create decryptor: %v", err)
 	}
@@ -889,7 +1006,11 @@ func TestRandomMnemonicDeterministicGeneration(t *testing.T) {
 	// Verify that the decrypted data matches the original
 	if len(decryptedData) != len(testData) {
-		t.Fatalf("decrypted data length mismatch: expected %d, got %d", len(testData), len(decryptedData))
+		t.Fatalf(
 			"decrypted data length mismatch: expected %d, got %d",
 			len(testData),
 			len(decryptedData),
 		)
 	}
 	if !bytes.Equal(testData, decryptedData) {
@@ -916,7 +1037,10 @@ func TestRandomMnemonicDeterministicGeneration(t *testing.T) {
 	}
 	// Decrypt with the second identity
-	decryptor2, err := age.Decrypt(bytes.NewReader(ciphertext2.Bytes()), identity2)
+	decryptor2, err := age.Decrypt(
 		bytes.NewReader(ciphertext2.Bytes()),
 		identity2,
 	)
 	if err != nil {
 		t.Fatalf("failed to create second decryptor: %v", err)
 	}
--- a/pkg/bip85/bip85.go
+++ b/pkg/bip85/bip85.go
@@ -1,3 +1,4 @@
 // Package bip85 implements BIP85 deterministic entropy derivation.
 package bip85
 import (
@@ -22,52 +23,55 @@ import (
 const (
 	// BIP85_MASTER_PATH is the derivation path prefix for all BIP85 applications
-	BIP85_MASTER_PATH = "m/83696968'"
+	BIP85_MASTER_PATH = "m/83696968'" //nolint:revive // ALL_CAPS used for BIP85 constants
 	// BIP85_KEY_HMAC_KEY is the HMAC key used for deriving the entropy
-	BIP85_KEY_HMAC_KEY = "bip-entropy-from-k"
+	BIP85_KEY_HMAC_KEY = "bip-entropy-from-k" //nolint:revive // ALL_CAPS used for BIP85 constants
-	// Application numbers
+	// AppBIP39 is the application number for BIP39 mnemonics
-	APP_BIP39  = 39 // BIP39 mnemonics
+	AppBIP39 = 39
-	APP_HD_WIF = 2  // WIF for Bitcoin Core
+	// AppHDWIF is the application number for WIF (Wallet Import Format) for Bitcoin Core
-	APP_XPRV   = 32 // Extended private key
+	AppHDWIF = 2
-	APP_HEX    = 128169
+	// AppXPRV is the application number for extended private key
-	APP_PWD64  = 707764 // Base64 passwords
+	AppXPRV   = 32
-	APP_PWD85  = 707785 // Base85 passwords
+	APP_HEX   = 128169 //nolint:revive // ALL_CAPS used for BIP85 constants
-	APP_RSA    = 828365
+	APP_PWD64 = 707764 // Base64 passwords //nolint:revive // ALL_CAPS used for BIP85 constants
 	AppPWD85  = 707785 // Base85 passwords
 	APP_RSA   = 828365 //nolint:revive // ALL_CAPS used for BIP85 constants
 )
 // Version bytes for extended keys
 var (
 	// MainNetPrivateKey is the version for mainnet private keys
-	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4}
+	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4} //nolint:gochecknoglobals // Standard BIP32 constant
 	// TestNetPrivateKey is the version for testnet private keys
-	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94}
+	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94} //nolint:gochecknoglobals // Standard BIP32 constant
 )
-// BIP85DRNG is a deterministic random number generator seeded by BIP85 entropy
+// DRNG is a deterministic random number generator seeded by BIP85 entropy
-type BIP85DRNG struct {
+type DRNG struct {
 	shake io.Reader
 }
 // NewBIP85DRNG creates a new DRNG seeded with BIP85 entropy
-func NewBIP85DRNG(entropy []byte) *BIP85DRNG {
+func NewBIP85DRNG(entropy []byte) *DRNG {
 	const bip85EntropySize = 64 // 512 bits
 	// The entropy must be exactly 64 bytes (512 bits)
-	if len(entropy) != 64 {
+	if len(entropy) != bip85EntropySize {
-		panic("BIP85DRNG entropy must be 64 bytes")
+		panic("DRNG entropy must be 64 bytes")
 	}
 	// Initialize SHAKE256 with the entropy
 	shake := sha3.NewShake256()
-	shake.Write(entropy)
+	_, _ = shake.Write(entropy) // Write to hash functions never returns an error
-	return &BIP85DRNG{
+	return &DRNG{
 		shake: shake,
 	}
 }
 // Read implements the io.Reader interface
-func (d *BIP85DRNG) Read(p []byte) (n int, err error) {
+func (d *DRNG) Read(p []byte) (n int, err error) {
 	return d.shake.Read(p)
 }
@@ -161,7 +165,7 @@ func deriveChildKey(parent *hdkeychain.ExtendedKey, path string) (*hdkeychain.Ex
 // DeriveBIP39Entropy derives entropy for a BIP39 mnemonic
 func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, index uint32) ([]byte, error) {
-	path := fmt.Sprintf("%s/%d'/%d'/%d'/%d'", BIP85_MASTER_PATH, APP_BIP39, language, words, index)
+	path := fmt.Sprintf("%s/%d'/%d'/%d'/%d'", BIP85_MASTER_PATH, AppBIP39, language, words, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -169,17 +173,26 @@ func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, inde
 	}
 	// Determine how many bits of entropy to use based on the words
 	// BIP39 defines specific word counts and their corresponding entropy bits
 	const (
 		words12 = 12 // 128 bits of entropy
 		words15 = 15 // 160 bits of entropy
 		words18 = 18 // 192 bits of entropy
 		words21 = 21 // 224 bits of entropy
 		words24 = 24 // 256 bits of entropy
 	)
 	var bits int
 	switch words {
-	case 12:
+	case words12:
 		bits = 128
-	case 15:
+	case words15:
 		bits = 160
-	case 18:
+	case words18:
 		bits = 192
-	case 21:
+	case words21:
 		bits = 224
-	case 24:
+	case words24:
 		bits = 256
 	default:
 		return nil, fmt.Errorf("invalid BIP39 word count: %d", words)
@@ -193,7 +206,7 @@ func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, inde
 // DeriveWIFKey derives a private key in WIF format
 func DeriveWIFKey(masterKey *hdkeychain.ExtendedKey, index uint32) (string, error) {
-	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, APP_HD_WIF, index)
+	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, AppHDWIF, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -215,7 +228,7 @@ func DeriveWIFKey(masterKey *hdkeychain.ExtendedKey, index uint32) (string, erro
 // DeriveXPRV derives an extended private key (XPRV)
 func DeriveXPRV(masterKey *hdkeychain.ExtendedKey, index uint32) (*hdkeychain.ExtendedKey, error) {
-	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, APP_XPRV, index)
+	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, AppXPRV, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -266,6 +279,7 @@ func DeriveXPRV(masterKey *hdkeychain.ExtendedKey, index uint32) (*hdkeychain.Ex
 func doubleSHA256(data []byte) []byte {
 	hash1 := sha256.Sum256(data)
 	hash2 := sha256.Sum256(hash1[:])
 	return hash2[:]
 }
@@ -308,7 +322,7 @@ func DeriveBase64Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 	encodedStr = strings.TrimRight(encodedStr, "=")
 	// Slice to the desired password length
-	if uint32(len(encodedStr)) < pwdLen {
+	if len(encodedStr) < int(pwdLen) {
 		return "", fmt.Errorf("derived password length %d is shorter than requested length %d", len(encodedStr), pwdLen)
 	}
@@ -321,7 +335,7 @@ func DeriveBase85Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 		return "", fmt.Errorf("pwdLen must be between 10 and 80")
 	}
-	path := fmt.Sprintf("%s/%d'/%d'/%d'", BIP85_MASTER_PATH, APP_PWD85, pwdLen, index)
+	path := fmt.Sprintf("%s/%d'/%d'/%d'", BIP85_MASTER_PATH, AppPWD85, pwdLen, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -332,7 +346,7 @@ func DeriveBase85Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 	encoded := encodeBase85WithRFC1924Charset(entropy)
 	// Slice to the desired password length
-	if uint32(len(encoded)) < pwdLen {
+	if len(encoded) < int(pwdLen) {
 		return "", fmt.Errorf("encoded length %d is less than requested length %d", len(encoded), pwdLen)
 	}
@@ -344,24 +358,30 @@ func encodeBase85WithRFC1924Charset(data []byte) string {
 	// RFC1924 character set
 	charset := "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!#$%&()*+-;<=>?@^_`{|}~"
 	const (
 		base85ChunkSize  = 4  // Process 4 bytes at a time
 		base85DigitCount = 5  // Each chunk produces 5 digits
 		base85Base       = 85 // Base85 encoding uses base 85
 	)
 	// Pad data to multiple of 4
-	padded := make([]byte, ((len(data)+3)/4)*4)
+	padded := make([]byte, ((len(data)+base85ChunkSize-1)/base85ChunkSize)*base85ChunkSize)
 	copy(padded, data)
 	var buf strings.Builder
-	buf.Grow(len(padded) * 5 / 4) // Each 4 bytes becomes 5 Base85 characters
+	buf.Grow(len(padded) * base85DigitCount / base85ChunkSize) // Each 4 bytes becomes 5 Base85 characters
 	// Process in 4-byte chunks
-	for i := 0; i < len(padded); i += 4 {
+	for i := 0; i < len(padded); i += base85ChunkSize {
 		// Convert 4 bytes to uint32 (big-endian)
-		chunk := binary.BigEndian.Uint32(padded[i : i+4])
+		chunk := binary.BigEndian.Uint32(padded[i : i+base85ChunkSize])
 		// Convert to 5 base-85 digits
-		digits := make([]byte, 5)
+		digits := make([]byte, base85DigitCount)
-		for j := 4; j >= 0; j-- {
+		for j := base85DigitCount - 1; j >= 0; j-- {
-			idx := chunk % 85
+			idx := chunk % base85Base
 			digits[j] = charset[idx]
-			chunk /= 85
+			chunk /= base85Base
 		}
 		buf.Write(digits)
--- a/pkg/bip85/bip85_test.go
+++ b/pkg/bip85/bip85_test.go
@@ -1,5 +1,9 @@
 //nolint:gosec // G101: Test file contains BIP85 test vectors, not real credentials
 //nolint:lll // Test vectors contain long lines
 package bip85
 //nolint:revive,unparam // Test file with BIP85 test vectors
 import (
 	"bytes"
 	"encoding/hex"
@@ -79,13 +83,13 @@ const (
 )
 // logTestVector logs test information in a cleaner, more concise format
-func logTestVector(t *testing.T, title, description string) {
+func logTestVector(t *testing.T, title string) {
 	t.Logf("=== TEST: %s ===", title)
 }
 // TestDerivedKey is a helper function to test the derived key directly
 func TestDerivedKey(t *testing.T) {
-	logTestVector(t, "Derived Child Keys", "Testing direct key derivation for BIP85 paths")
+	logTestVector(t, "Derived Child Keys")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -129,7 +133,7 @@ func TestDerivedKey(t *testing.T) {
 // TestCase1 tests the first test vector from the BIP85 specification
 func TestCase1(t *testing.T) {
-	logTestVector(t, "Test Case 1", "Basic entropy derivation with path m/83696968'/0'/0'")
+	logTestVector(t, "Test Case 1")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -155,7 +159,7 @@ func TestCase1(t *testing.T) {
 // TestCase2 tests the second test vector from the BIP85 specification
 func TestCase2(t *testing.T) {
-	logTestVector(t, "Test Case 2", "Basic entropy derivation with path m/83696968'/0'/1'")
+	logTestVector(t, "Test Case 2")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -181,7 +185,7 @@ func TestCase2(t *testing.T) {
 // TestBIP39_12EnglishWords tests the BIP39 12 English words test vector
 func TestBIP39_12EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 12 English Words", "Deriving a 12-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 12 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -225,7 +229,7 @@ func TestBIP39_12EnglishWords(t *testing.T) {
 // TestBIP39_18EnglishWords tests the BIP39 18 English words test vector
 func TestBIP39_18EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 18 English Words", "Deriving an 18-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 18 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -269,7 +273,7 @@ func TestBIP39_18EnglishWords(t *testing.T) {
 // TestBIP39_24EnglishWords tests the BIP39 24 English words test vector
 func TestBIP39_24EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 24 English Words", "Deriving a 24-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 24 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -313,7 +317,7 @@ func TestBIP39_24EnglishWords(t *testing.T) {
 // TestHD_WIF tests the WIF test vector
 func TestHD_WIF(t *testing.T) {
-	logTestVector(t, "HD-Seed WIF", "Deriving a WIF-encoded private key for Bitcoin Core hdseed")
+	logTestVector(t, "HD-Seed WIF")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -353,7 +357,7 @@ func TestHD_WIF(t *testing.T) {
 // TestXPRV tests the XPRV test vector
 func TestXPRV(t *testing.T) {
-	logTestVector(t, "XPRV", "Deriving an extended private key (XPRV)")
+	logTestVector(t, "XPRV")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -379,7 +383,7 @@ func TestXPRV(t *testing.T) {
 // TestDRNG_SHAKE256 tests the BIP85-DRNG-SHAKE256 test vector
 func TestDRNG_SHAKE256(t *testing.T) {
-	logTestVector(t, "DRNG-SHAKE256", "Testing the deterministic random number generator with SHAKE256")
+	logTestVector(t, "DRNG-SHAKE256")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -414,7 +418,7 @@ func TestDRNG_SHAKE256(t *testing.T) {
 // TestPythonDRNGVectors tests the DRNG vectors from the Python implementation
 func TestPythonDRNGVectors(t *testing.T) {
-	logTestVector(t, "Python DRNG Vectors", "Testing specific DRNG vectors from the Python implementation")
+	logTestVector(t, "Python DRNG Vectors")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -489,7 +493,7 @@ func TestPythonDRNGVectors(t *testing.T) {
 // TestDRNGDeterminism tests the deterministic behavior of the DRNG
 func TestDRNGDeterminism(t *testing.T) {
-	logTestVector(t, "DRNG Determinism", "Testing deterministic behavior of the DRNG")
+	logTestVector(t, "DRNG Determinism")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -573,7 +577,7 @@ func TestDRNGDeterminism(t *testing.T) {
 // TestDRNGLengths tests the DRNG with different lengths
 func TestDRNGLengths(t *testing.T) {
-	logTestVector(t, "DRNG Lengths", "Testing DRNG with different read lengths")
+	logTestVector(t, "DRNG Lengths")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -606,7 +610,7 @@ func TestDRNGLengths(t *testing.T) {
 // TestDRNGExceptions tests error handling in the DRNG
 func TestDRNGExceptions(t *testing.T) {
-	logTestVector(t, "DRNG Exceptions", "Testing error handling in the DRNG")
+	logTestVector(t, "DRNG Exceptions")
 	// Test with entropy of the wrong size
 	testCases := []int{0, 1, 32, 63, 65, 128}
@@ -638,7 +642,7 @@ func TestDRNGExceptions(t *testing.T) {
 // TestDRNGDifferentSizes tests the DRNG with different buffer sizes
 func TestDRNGDifferentSizes(t *testing.T) {
-	logTestVector(t, "DRNG Different Sizes", "Testing the DRNG with different buffer sizes")
+	logTestVector(t, "DRNG Different Sizes")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -700,7 +704,7 @@ func TestDRNGDifferentSizes(t *testing.T) {
 // TestMasterKeyParsing tests parsing of different master key formats
 func TestMasterKeyParsing(t *testing.T) {
-	logTestVector(t, "Master Key Parsing", "Testing parsing of master keys in different formats")
+	logTestVector(t, "Master Key Parsing")
 	// Test valid master key
 	t.Logf("Testing valid master key")
@@ -747,7 +751,7 @@ func TestMasterKeyParsing(t *testing.T) {
 // TestDifferentPathFormats tests different path format expressions
 func TestDifferentPathFormats(t *testing.T) {
-	logTestVector(t, "Path Formats", "Testing different path format expressions")
+	logTestVector(t, "Path Formats")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -791,7 +795,7 @@ func TestDifferentPathFormats(t *testing.T) {
 // TestDirectBase85Encoding tests direct Base85 encoding with the test vector entropy
 func TestDirectBase85Encoding(t *testing.T) {
-	logTestVector(t, "Direct Base85 Encoding", "Testing Base85 encoding with BIP85 test vector")
+	logTestVector(t, "Direct Base85 Encoding")
 	// Parse the master key
 	masterKey, err := ParseMasterKey(testMasterKey)
@@ -836,7 +840,7 @@ func TestDirectBase85Encoding(t *testing.T) {
 // TestPWDBase64 tests the Base64 password test vector
 func TestPWDBase64(t *testing.T) {
-	logTestVector(t, "PWD Base64", "Deriving a Base64-encoded password")
+	logTestVector(t, "PWD Base64")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -881,7 +885,7 @@ func TestPWDBase64(t *testing.T) {
 // TestPWDBase85 tests the Base85 password test vector
 func TestPWDBase85(t *testing.T) {
-	logTestVector(t, "PWD Base85", "Deriving a Base85-encoded password")
+	logTestVector(t, "PWD Base85")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -926,7 +930,7 @@ func TestPWDBase85(t *testing.T) {
 // TestHexDerivation tests the HEX derivation test vector
 func TestHexDerivation(t *testing.T) {
-	logTestVector(t, "HEX Derivation", "Testing HEX data derivation with BIP85 test vector")
+	logTestVector(t, "HEX Derivation")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -963,7 +967,7 @@ func TestHexDerivation(t *testing.T) {
 // TestInvalidParameters tests error conditions for parameter validation
 func TestInvalidParameters(t *testing.T) {
-	logTestVector(t, "Invalid Parameters", "Testing error handling for invalid inputs")
+	logTestVector(t, "Invalid Parameters")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -1041,7 +1045,7 @@ func TestInvalidParameters(t *testing.T) {
 // TestAdditionalDeriveHex tests additional hex derivation scenarios
 func TestAdditionalDeriveHex(t *testing.T) {
-	logTestVector(t, "Additional Hex Derivation", "Testing hex data derivation with various lengths")
+	logTestVector(t, "Additional Hex Derivation")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
--- a/test_secret_manager.sh
+++ b/test_secret_manager.sh
@@ -1,683 +0,0 @@
 #!/bin/bash
 set -e  # Exit on any error
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Test configuration
 TEST_MNEMONIC="abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 TEST_PASSPHRASE="test-passphrase-123"
 TEMP_DIR="$(mktemp -d)"
 SECRET_BINARY="./secret"
 # Enable debug output from the secret program
 export GODEBUG="berlin.sneak.pkg.secret"
 echo -e "${BLUE}=== Secret Manager Comprehensive Test Script ===${NC}"
 echo -e "${YELLOW}Using temporary directory: $TEMP_DIR${NC}"
 echo -e "${YELLOW}Debug output enabled: GODEBUG=$GODEBUG${NC}"
 echo -e "${YELLOW}Note: All tests use environment variables (no manual input)${NC}"
 # Function to print test steps
 print_step() {
    echo -e "\n${BLUE}Step $1: $2${NC}"
 }
 # Function to print success
 print_success() {
    echo -e "${GREEN}✓ $1${NC}"
 }
 # Function to print error and exit
 print_error() {
    echo -e "${RED}✗ $1${NC}"
    exit 1
 }
 # Function to print warning (for expected failures)
 print_warning() {
    echo -e "${YELLOW}⚠ $1${NC}"
 }
 # Function to clear state directory and reset environment
 reset_state() {
    echo -e "${YELLOW}Resetting state directory...${NC}"
    # Safety checks before removing anything
    if [ -z "$TEMP_DIR" ]; then
        print_error "TEMP_DIR is not set, cannot reset state safely"
    fi
    if [ ! -d "$TEMP_DIR" ]; then
        print_error "TEMP_DIR ($TEMP_DIR) is not a directory, cannot reset state safely"
    fi
    # Additional safety: ensure TEMP_DIR looks like a temp directory
    case "$TEMP_DIR" in
        /tmp/* | /var/folders/* | */tmp/*)
            # Looks like a reasonable temp directory path
            ;;
        *)
            print_error "TEMP_DIR ($TEMP_DIR) does not look like a safe temporary directory path"
            ;;
    esac
    # Now it's safe to remove contents - use find to avoid glob expansion issues
    find "${TEMP_DIR:?}" -mindepth 1 -delete 2>/dev/null || true
    unset SB_SECRET_MNEMONIC
    unset SB_UNLOCK_PASSPHRASE
    export SB_SECRET_STATE_DIR="$TEMP_DIR"
 }
 # Cleanup function
 cleanup() {
    echo -e "\n${YELLOW}Cleaning up...${NC}"
    rm -rf "$TEMP_DIR"
    unset SB_SECRET_STATE_DIR
    unset SB_SECRET_MNEMONIC
    unset SB_UNLOCK_PASSPHRASE
    unset GODEBUG
    echo -e "${GREEN}Cleanup complete${NC}"
 }
 # Set cleanup trap
 trap cleanup EXIT
 # Check that the secret binary exists
 if [ ! -f "$SECRET_BINARY" ]; then
    print_error "Secret binary not found at $SECRET_BINARY. Please run 'make build' first."
 fi
 # Test 1: Set up environment variables
 print_step "1" "Setting up environment variables"
 export SB_SECRET_STATE_DIR="$TEMP_DIR"
 export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
 print_success "Environment variables set"
 echo "  SB_SECRET_STATE_DIR=$SB_SECRET_STATE_DIR"
 echo "  SB_SECRET_MNEMONIC=$TEST_MNEMONIC"
 # Test 2: Initialize the secret manager (should create default vault)
 print_step "2" "Initializing secret manager (creates default vault)"
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 echo "Running: $SECRET_BINARY init"
 if $SECRET_BINARY init; then
    print_success "Secret manager initialized with default vault"
 else
    print_error "Failed to initialize secret manager"
 fi
 unset SB_UNLOCK_PASSPHRASE
 # Verify directory structure was created
 if [ -d "$TEMP_DIR" ]; then
    print_success "State directory created: $TEMP_DIR"
 else
    print_error "State directory was not created"
 fi
 # Test 3: Vault management
 print_step "3" "Testing vault management"
 # List vaults (should show default)
 echo "Listing vaults..."
 echo "Running: $SECRET_BINARY vault list"
 if $SECRET_BINARY vault list; then
    VAULTS=$($SECRET_BINARY vault list)
    echo "Available vaults: $VAULTS"
    print_success "Listed vaults successfully"
 else
    print_error "Failed to list vaults"
 fi
 # Create a new vault
 echo "Creating new vault 'work'..."
 echo "Running: $SECRET_BINARY vault create work"
 if $SECRET_BINARY vault create work; then
    print_success "Created vault 'work'"
 else
    print_error "Failed to create vault 'work'"
 fi
 # Create another vault
 echo "Creating new vault 'personal'..."
 echo "Running: $SECRET_BINARY vault create personal"
 if $SECRET_BINARY vault create personal; then
    print_success "Created vault 'personal'"
 else
    print_error "Failed to create vault 'personal'"
 fi
 # List vaults again (should show default, work, personal)
 echo "Listing vaults after creation..."
 echo "Running: $SECRET_BINARY vault list"
 if $SECRET_BINARY vault list; then
    VAULTS=$($SECRET_BINARY vault list)
    echo "Available vaults: $VAULTS"
    print_success "Listed vaults after creation"
 else
    print_error "Failed to list vaults after creation"
 fi
 # Switch to work vault
 echo "Switching to 'work' vault..."
 echo "Running: $SECRET_BINARY vault select work"
 if $SECRET_BINARY vault select work; then
    print_success "Switched to 'work' vault"
 else
    print_error "Failed to switch to 'work' vault"
 fi
 # Test 4: Import functionality with environment variable combinations
 print_step "4" "Testing import functionality with environment variable combinations"
 # Test 4a: Import with both env vars set (typical usage)
 echo -e "\n${YELLOW}Test 4a: Import with both SB_SECRET_MNEMONIC and SB_UNLOCK_PASSPHRASE set${NC}"
 reset_state
 export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 # Create a vault first
 echo "Running: $SECRET_BINARY vault create test-vault"
 if $SECRET_BINARY vault create test-vault; then
    print_success "Created test-vault for import testing"
 else
    print_error "Failed to create test-vault"
 fi
 # Import should work without prompts
 echo "Importing with both env vars set (automated)..."
 echo "Running: $SECRET_BINARY vault import test-vault"
 if $SECRET_BINARY vault import test-vault; then
    print_success "Import succeeded with both env vars (automated)"
 else
    print_error "Import failed with both env vars"
 fi
 # Test 4b: Import into non-existent vault (should fail)
 echo -e "\n${YELLOW}Test 4b: Import into non-existent vault (should fail)${NC}"
 echo "Importing into non-existent vault (should fail)..."
 if $SECRET_BINARY vault import nonexistent-vault; then
    print_error "Import should have failed for non-existent vault"
 else
    print_success "Import correctly failed for non-existent vault"
 fi
 # Test 4c: Import with invalid mnemonic (should fail)
 echo -e "\n${YELLOW}Test 4c: Import with invalid mnemonic (should fail)${NC}"
 export SB_SECRET_MNEMONIC="invalid mnemonic phrase that should not work"
 # Create a vault first
 echo "Running: $SECRET_BINARY vault create test-vault2"
 if $SECRET_BINARY vault create test-vault2; then
    print_success "Created test-vault2 for invalid mnemonic testing"
 else
    print_error "Failed to create test-vault2"
 fi
 echo "Importing with invalid mnemonic (should fail)..."
 if $SECRET_BINARY vault import test-vault2; then
    print_error "Import should have failed with invalid mnemonic"
 else
    print_success "Import correctly failed with invalid mnemonic"
 fi
 # Reset state for remaining tests
 reset_state
 export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
 # Test 5: Unlock key management
 print_step "5" "Testing unlock key management"
 # Initialize to create default vault
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 if $SECRET_BINARY init; then
    print_success "Initialized for unlock key testing"
 else
    print_error "Failed to initialize for unlock key testing"
 fi
 # Create passphrase-protected unlock key
 echo "Creating passphrase-protected unlock key..."
 echo "Running: $SECRET_BINARY keys add passphrase (with SB_UNLOCK_PASSPHRASE set)"
 if $SECRET_BINARY keys add passphrase; then
    print_success "Created passphrase-protected unlock key"
 else
    print_error "Failed to create passphrase-protected unlock key"
 fi
 unset SB_UNLOCK_PASSPHRASE
 # List unlock keys
 echo "Listing unlock keys..."
 echo "Running: $SECRET_BINARY keys list"
 if $SECRET_BINARY keys list; then
    KEYS=$($SECRET_BINARY keys list)
    echo "Available unlock keys: $KEYS"
    print_success "Listed unlock keys"
 else
    print_error "Failed to list unlock keys"
 fi
 # Test 6: Secret management with mnemonic (keyless operation)
 print_step "6" "Testing mnemonic-based secret operations (keyless)"
 # Add secrets using mnemonic (no unlock key required)
 echo "Adding secrets using mnemonic-based long-term key..."
 # Test secret 1
 echo "Running: echo \"my-super-secret-password\" | $SECRET_BINARY add \"database/password\""
 if echo "my-super-secret-password" | $SECRET_BINARY add "database/password"; then
    print_success "Added secret: database/password"
 else
    print_error "Failed to add secret: database/password"
 fi
 # Test secret 2
 echo "Running: echo \"api-key-12345\" | $SECRET_BINARY add \"api/key\""
 if echo "api-key-12345" | $SECRET_BINARY add "api/key"; then
    print_success "Added secret: api/key"
 else
    print_error "Failed to add secret: api/key"
 fi
 # Test secret 3 (with path)
 echo "Running: echo \"ssh-private-key-content\" | $SECRET_BINARY add \"ssh/private-key\""
 if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key"; then
    print_success "Added secret: ssh/private-key"
 else
    print_error "Failed to add secret: ssh/private-key"
 fi
 # Test secret 4 (with dots and underscores)
 echo "Running: echo \"jwt-secret-token\" | $SECRET_BINARY add \"app.config_jwt_secret\""
 if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret"; then
    print_success "Added secret: app.config_jwt_secret"
 else
    print_error "Failed to add secret: app.config_jwt_secret"
 fi
 # Retrieve secrets using mnemonic
 echo "Retrieving secrets using mnemonic-based long-term key..."
 # Retrieve and verify secret 1
 RETRIEVED_SECRET1=$($SECRET_BINARY get "database/password" 2>/dev/null)
 if [ "$RETRIEVED_SECRET1" = "my-super-secret-password" ]; then
    print_success "Retrieved and verified secret: database/password"
 else
    print_error "Failed to retrieve or verify secret: database/password"
 fi
 # Retrieve and verify secret 2
 RETRIEVED_SECRET2=$($SECRET_BINARY get "api/key" 2>/dev/null)
 if [ "$RETRIEVED_SECRET2" = "api-key-12345" ]; then
    print_success "Retrieved and verified secret: api/key"
 else
    print_error "Failed to retrieve or verify secret: api/key"
 fi
 # Retrieve and verify secret 3
 RETRIEVED_SECRET3=$($SECRET_BINARY get "ssh/private-key" 2>/dev/null)
 if [ "$RETRIEVED_SECRET3" = "ssh-private-key-content" ]; then
    print_success "Retrieved and verified secret: ssh/private-key"
 else
    print_error "Failed to retrieve or verify secret: ssh/private-key"
 fi
 # List all secrets
 echo "Listing all secrets..."
 echo "Running: $SECRET_BINARY list"
 if $SECRET_BINARY list; then
    SECRETS=$($SECRET_BINARY list)
    echo "Secrets in current vault:"
    echo "$SECRETS" | while read -r secret; do
        echo "  - $secret"
    done
    print_success "Listed all secrets"
 else
    print_error "Failed to list secrets"
 fi
 # Test 7: Secret management without mnemonic (traditional unlock key approach)
 print_step "7" "Testing traditional unlock key approach"
 # Temporarily unset mnemonic to test traditional approach
 unset SB_SECRET_MNEMONIC
 # Add a secret using traditional unlock key approach
 echo "Adding secret using traditional unlock key..."
 echo "Running: echo \"traditional-secret-value\" | $SECRET_BINARY add \"traditional/secret\""
 if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret"; then
    print_success "Added secret using traditional approach: traditional/secret"
 else
    print_error "Failed to add secret using traditional approach"
 fi
 # Retrieve secret using traditional unlock key approach
 echo "Retrieving secret using traditional unlock key approach..."
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 RETRIEVED_TRADITIONAL=$($SECRET_BINARY get "traditional/secret" 2>/dev/null)
 unset SB_UNLOCK_PASSPHRASE
 if [ "$RETRIEVED_TRADITIONAL" = "traditional-secret-value" ]; then
    print_success "Retrieved and verified traditional secret: traditional/secret"
 else
    print_error "Failed to retrieve or verify traditional secret"
 fi
 # Re-enable mnemonic for remaining tests
 export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
 # Test 8: Advanced unlock key management
 print_step "8" "Testing advanced unlock key management"
 # Test Secure Enclave (macOS only)
 if [[ "$OSTYPE" == "darwin"* ]]; then
    echo "Testing Secure Enclave unlock key creation..."
    echo "Running: $SECRET_BINARY enroll sep"
    if $SECRET_BINARY enroll sep; then
        print_success "Created Secure Enclave unlock key"
    else
        print_warning "Secure Enclave unlock key creation not yet implemented"
    fi
 else
    print_warning "Secure Enclave only available on macOS"
 fi
 # Get current unlock key ID for testing
 echo "Getting current unlock key for testing..."
 echo "Running: $SECRET_BINARY keys list"
 if $SECRET_BINARY keys list; then
    CURRENT_KEY_ID=$($SECRET_BINARY keys list | head -n1 | awk '{print $1}')
    if [ -n "$CURRENT_KEY_ID" ]; then
        print_success "Found unlock key ID: $CURRENT_KEY_ID"
        # Test key selection
        echo "Testing unlock key selection..."
        echo "Running: $SECRET_BINARY key select $CURRENT_KEY_ID"
        if $SECRET_BINARY key select "$CURRENT_KEY_ID"; then
            print_success "Selected unlock key: $CURRENT_KEY_ID"
        else
            print_warning "Unlock key selection not yet implemented"
        fi
    fi
 fi
 # Test 9: Secret name validation and edge cases
 print_step "9" "Testing secret name validation and edge cases"
 # Test valid names
 VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths")
 for name in "${VALID_NAMES[@]}"; do
    echo "Running: echo \"test-value\" | $SECRET_BINARY add $name --force"
    if echo "test-value" | $SECRET_BINARY add "$name" --force; then
        print_success "Valid name accepted: $name"
    else
        print_error "Valid name rejected: $name"
    fi
 done
 # Test invalid names (these should fail)
 echo "Testing invalid names (should fail)..."
 INVALID_NAMES=("Invalid-Name" "invalid name" "invalid@name" "invalid#name" "invalid%name" "")
 for name in "${INVALID_NAMES[@]}"; do
    echo "Running: echo \"test-value\" | $SECRET_BINARY add $name"
    if echo "test-value" | $SECRET_BINARY add "$name"; then
        print_error "Invalid name accepted (should have been rejected): '$name'"
    else
        print_success "Invalid name correctly rejected: '$name'"
    fi
 done
 # Test 10: Overwrite protection and force flag
 print_step "10" "Testing overwrite protection and force flag"
 # Try to add existing secret without --force (should fail)
 echo "Running: echo \"new-value\" | $SECRET_BINARY add \"database/password\""
 if echo "new-value" | $SECRET_BINARY add "database/password"; then
    print_error "Overwrite protection failed - secret was overwritten without --force"
 else
    print_success "Overwrite protection working - secret not overwritten without --force"
 fi
 # Try to add existing secret with --force (should succeed)
 echo "Running: echo \"new-password-value\" | $SECRET_BINARY add \"database/password\" --force"
 if echo "new-password-value" | $SECRET_BINARY add "database/password" --force; then
    print_success "Force overwrite working - secret overwritten with --force"
    # Verify the new value
    RETRIEVED_NEW=$($SECRET_BINARY get "database/password" 2>/dev/null)
    if [ "$RETRIEVED_NEW" = "new-password-value" ]; then
        print_success "Overwritten secret has correct new value"
    else
        print_error "Overwritten secret has incorrect value"
    fi
 else
    print_error "Force overwrite failed - secret not overwritten with --force"
 fi
 # Test 11: Cross-vault operations
 print_step "11" "Testing cross-vault operations"
 # First create and import mnemonic into work vault since it was destroyed by reset_state
 echo "Creating work vault for cross-vault testing..."
 echo "Running: $SECRET_BINARY vault create work"
 if $SECRET_BINARY vault create work; then
    print_success "Created work vault for cross-vault testing"
 else
    print_error "Failed to create work vault for cross-vault testing"
 fi
 # Import mnemonic into work vault so it can store secrets
 echo "Importing mnemonic into work vault..."
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 echo "Running: $SECRET_BINARY vault import work"
 if $SECRET_BINARY vault import work; then
    print_success "Imported mnemonic into work vault"
 else
    print_error "Failed to import mnemonic into work vault"
 fi
 unset SB_UNLOCK_PASSPHRASE
 # Switch to work vault and add secrets there
 echo "Switching to 'work' vault for cross-vault testing..."
 echo "Running: $SECRET_BINARY vault select work"
 if $SECRET_BINARY vault select work; then
    print_success "Switched to 'work' vault"
    # Add work-specific secrets
    echo "Running: echo \"work-database-password\" | $SECRET_BINARY add \"work/database\""
    if echo "work-database-password" | $SECRET_BINARY add "work/database"; then
        print_success "Added work-specific secret"
    else
        print_error "Failed to add work-specific secret"
    fi
    # List secrets in work vault
    echo "Running: $SECRET_BINARY list"
    if $SECRET_BINARY list; then
        WORK_SECRETS=$($SECRET_BINARY list)
        echo "Secrets in work vault: $WORK_SECRETS"
        print_success "Listed work vault secrets"
    else
        print_error "Failed to list work vault secrets"
    fi
 else
    print_error "Failed to switch to 'work' vault"
 fi
 # Switch back to default vault
 echo "Switching back to 'default' vault..."
 echo "Running: $SECRET_BINARY vault select default"
 if $SECRET_BINARY vault select default; then
    print_success "Switched back to 'default' vault"
    # Verify default vault secrets are still there
    echo "Running: $SECRET_BINARY get \"database/password\""
    if $SECRET_BINARY get "database/password"; then
        print_success "Default vault secrets still accessible"
    else
        print_error "Default vault secrets not accessible"
    fi
 else
    print_error "Failed to switch back to 'default' vault"
 fi
 # Test 12: File structure verification
 print_step "12" "Verifying file structure"
 echo "Checking file structure in $TEMP_DIR..."
 if [ -d "$TEMP_DIR/vaults.d/default/secrets.d" ]; then
    print_success "Default vault structure exists"
    # Check a specific secret's file structure
    SECRET_DIR="$TEMP_DIR/vaults.d/default/secrets.d/database%password"
    if [ -d "$SECRET_DIR" ]; then
        print_success "Secret directory exists: database%password"
        # Check required files for per-secret key architecture
        FILES=("value.age" "pub.age" "priv.age" "secret-metadata.json")
        for file in "${FILES[@]}"; do
            if [ -f "$SECRET_DIR/$file" ]; then
                print_success "Required file exists: $file"
            else
                print_error "Required file missing: $file"
            fi
        done
    else
        print_error "Secret directory not found"
    fi
 else
    print_error "Default vault structure not found"
 fi
 # Check work vault structure
 if [ -d "$TEMP_DIR/vaults.d/work" ]; then
    print_success "Work vault structure exists"
 else
    print_error "Work vault structure not found"
 fi
 # Check configuration files
 if [ -f "$TEMP_DIR/configuration.json" ]; then
    print_success "Global configuration file exists"
 else
    print_warning "Global configuration file not found (may not be implemented yet)"
 fi
 # Check current vault symlink
 if [ -L "$TEMP_DIR/currentvault" ] || [ -f "$TEMP_DIR/currentvault" ]; then
    print_success "Current vault link exists"
 else
    print_error "Current vault link not found"
 fi
 # Test 13: Environment variable error handling
 print_step "13" "Testing environment variable error handling"
 # Test with non-existent state directory
 export SB_SECRET_STATE_DIR="$TEMP_DIR/nonexistent/directory"
 echo "Running: $SECRET_BINARY get \"database/password\""
 if $SECRET_BINARY get "database/password"; then
    print_error "Should have failed with non-existent state directory"
 else
    print_success "Correctly failed with non-existent state directory"
 fi
 # Test init with non-existent directory (should work)
 echo "Running: $SECRET_BINARY init (with SB_UNLOCK_PASSPHRASE set)"
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 if $SECRET_BINARY init; then
    print_success "Init works with non-existent state directory"
 else
    print_error "Init should work with non-existent state directory"
 fi
 unset SB_UNLOCK_PASSPHRASE
 # Reset to working directory
 export SB_SECRET_STATE_DIR="$TEMP_DIR"
 # Test 14: Mixed approach compatibility
 print_step "14" "Testing mixed approach compatibility"
 # Verify mnemonic can access traditional secrets
 RETRIEVED_MIXED=$($SECRET_BINARY get "traditional/secret" 2>/dev/null)
 if [ "$RETRIEVED_MIXED" = "traditional-secret-value" ]; then
    print_success "Mnemonic can access traditional secrets"
 else
    print_error "Mnemonic cannot access traditional secrets"
 fi
 # Test without mnemonic but with unlock key
 unset SB_SECRET_MNEMONIC
 echo "Testing traditional unlock key access to mnemonic-created secrets..."
 echo "Running: $SECRET_BINARY get \"database/password\" (with SB_UNLOCK_PASSPHRASE set)"
 export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
 if $SECRET_BINARY get "database/password"; then
    print_success "Traditional unlock key can access mnemonic-created secrets"
 else
    print_warning "Traditional unlock key cannot access mnemonic-created secrets (may need implementation)"
 fi
 unset SB_UNLOCK_PASSPHRASE
 # Re-enable mnemonic for final tests
 export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
 # Final summary
 echo -e "\n${GREEN}=== Test Summary ===${NC}"
 echo -e "${GREEN}✓ Environment variable support (SB_SECRET_STATE_DIR, SB_SECRET_MNEMONIC)${NC}"
 echo -e "${GREEN}✓ Secret manager initialization${NC}"
 echo -e "${GREEN}✓ Vault management (create, list, select)${NC}"
 echo -e "${GREEN}✓ Import functionality with environment variable combinations${NC}"
 echo -e "${GREEN}✓ Import error handling (non-existent vault, invalid mnemonic)${NC}"
 echo -e "${GREEN}✓ Unlock key management (passphrase, PGP, SEP)${NC}"
 echo -e "${GREEN}✓ Mnemonic-based secret operations (keyless)${NC}"
 echo -e "${GREEN}✓ Traditional unlock key operations${NC}"
 echo -e "${GREEN}✓ Secret name validation${NC}"
 echo -e "${GREEN}✓ Overwrite protection and force flag${NC}"
 echo -e "${GREEN}✓ Cross-vault operations${NC}"
 echo -e "${GREEN}✓ Per-secret key file structure${NC}"
 echo -e "${GREEN}✓ Mixed approach compatibility${NC}"
 echo -e "${GREEN}✓ Error handling${NC}"
 echo -e "\n${GREEN}🎉 Comprehensive test completed with environment variable automation!${NC}"
 # Show usage examples for all implemented functionality
 echo -e "\n${BLUE}=== Complete Usage Examples ===${NC}"
 echo -e "${YELLOW}# Environment setup:${NC}"
 echo "export SB_SECRET_STATE_DIR=\"/path/to/your/secrets\""
 echo "export SB_SECRET_MNEMONIC=\"your twelve word mnemonic phrase here\""
 echo ""
 echo -e "${YELLOW}# Initialization:${NC}"
 echo "secret init"
 echo ""
 echo -e "${YELLOW}# Vault management:${NC}"
 echo "secret vault list"
 echo "secret vault create work"
 echo "secret vault select work"
 echo ""
 echo -e "${YELLOW}# Import mnemonic (automated with environment variables):${NC}"
 echo "export SB_SECRET_MNEMONIC=\"abandon abandon...\""
 echo "export SB_UNLOCK_PASSPHRASE=\"passphrase\""
 echo "secret vault import work"
 echo ""
 echo -e "${YELLOW}# Unlock key management:${NC}"
 echo "export SB_UNLOCK_PASSPHRASE=\"passphrase\""
 echo "secret keys add passphrase"
 echo "secret keys add pgp <gpg-key-id>"
 echo "secret enroll sep  # macOS only"
 echo "secret keys list"
 echo "secret key select <key-id>"
 echo "secret keys rm <key-id>"
 echo ""
 echo -e "${YELLOW}# Secret management:${NC}"
 echo "echo \"my-secret\" | secret add \"app/password\""
 echo "echo \"my-secret\" | secret add \"app/password\" --force"
 echo "secret get \"app/password\""
 echo "secret list"
 echo ""
 echo -e "${YELLOW}# Cross-vault operations:${NC}"
 echo "secret vault select work"
 echo "echo \"work-secret\" | secret add \"work/database\""
 echo "secret vault select default"
Author	SHA1	Message	Date
sneak	7596049828	uses protected memory buffers now for all secrets in ram	2025-07-15 08:32:33 +02:00
sneak	d3ca006886	Merge branch 'main' into fix-memory-security	2025-07-15 07:36:13 +02:00
sneak	f91281e991	Merge branch 'fix-test-json-fields'	2025-07-15 07:35:58 +02:00
sneak	7c5e78db17	fix: update JSON fields from snake_case to camelCase and make tests quiet by default - Update all JSON field references in tests from snake_case to camelCase - Update vault list JSON output to use currentVault instead of current_vault - Make integration tests quiet by default unless run with -v flag - Fix tests that were using exec.Command to use in-process execution helpers - Tests now only show debug output when explicitly requested or on failure	2025-07-15 07:35:48 +02:00
sneak	8e374b3d24	add test binaries to gitignore	2025-07-15 07:24:15 +02:00
sneak	c9774e89e0	WIP: refactor to use memguard for secure memory handling - Add memguard dependency - Update ReadPassphrase to return LockedBuffer - Update EncryptWithPassphrase/DecryptWithPassphrase to accept LockedBuffer - Remove string wrapper functions - Update all callers to create LockedBuffers at entry points - Update interfaces and mock implementations	2025-07-15 07:23:58 +02:00
sneak	f9938135c6	fix: resolve all remaining linter issues (staticcheck, tagliatelle, lll) - Fix staticcheck QF1011: Remove explicit type declaration for io.Writer variables - Fix tagliatelle: Change all JSON tags from snake_case to camelCase - created_at → createdAt - keychain_item_name → keychainItemName - age_public_key → agePublicKey - age_priv_key_passphrase → agePrivKeyPassphrase - encrypted_longterm_key → encryptedLongtermKey - derivation_index → derivationIndex - public_key_hash → publicKeyHash - mnemonic_family_hash → mnemonicFamilyHash - gpg_key_id → gpgKeyId - Fix lll: Break long function signature line to stay under 120 character limit All linter issues have been resolved. The codebase now passes all linter checks.	2025-07-15 06:33:25 +02:00
sneak	386a27c0b6	fix: resolve all revive linter issues Added missing package comments: - cmd/secret/main.go - internal/cli/cli.go - internal/secret/constants.go - internal/vault/management.go - pkg/bip85/bip85.go Fixed comment format issues for exported items: - EnvStateDir, EnvMnemonic, EnvUnlockPassphrase, EnvGPGKeyID in constants.go - Metadata, UnlockerMetadata, SecretMetadata, Configuration in metadata.go - AppBIP39, AppHDWIF, AppXPRV in bip85.go Replaced unused parameters with underscore (_): - generate.go:39 - parameter 'args' - init.go:30 - parameter 'args' - unlockers.go:39,77,102 - parameter 'args' or 'cmd' - vault.go:37 - parameter 'args' - management.go:34 - parameter 'target'	2025-07-15 06:06:48 +02:00
sneak	080a3dc253	fix: resolve all nlreturn linter errors Add blank lines before return statements in all files to satisfy the nlreturn linter. This improves code readability by providing visual separation before return statements. Changes made across 24 files: - internal/cli/.go - internal/secret/.go - internal/vault/*.go - pkg/agehd/agehd.go - pkg/bip85/bip85.go All 143 nlreturn issues have been resolved.	2025-07-15 06:00:32 +02:00
sneak	811ddee3b7	fix: resolve all nestif linter errors - Extract getLongTermPrivateKey helper function to reduce nesting in keychainunlocker.go and pgpunlocker.go - Add getPassphrase helper method to reduce nesting in passphraseunlocker.go - Refactor version serial extraction to use early returns in version.go - Extract resolveRelativeSymlink and tryResolveOsSymlink helpers in management.go - Add processMnemonicForVault helper to reduce nesting in vault creation - Extract resolveUnlockerDirectory and readUnlockerPathFromFile helpers in unlockers.go - Add findUnlockerByID helper to reduce duplicate code in RemoveUnlocker and SelectUnlocker All tests pass after refactoring.	2025-07-15 05:47:16 +02:00
sneak	4e242c3491	go 1.24	2025-07-09 16:09:59 -07:00
sneak	54fce0f187	fix: resolve mnd and nestif linter errors - Define base85 constants (base85ChunkSize, base85DigitCount, base85Base) - Replace magic numbers in base85 encoding logic with named constants - Add nolint:nestif comments for legitimate nested conditionals: - crypto.go: Clear separation between secret generation vs retrieval - secrets.go: Separate JSON and table output formatting logic - vault.go: Separate JSON and text output formatting logic	2025-07-09 12:54:59 -07:00
sneak	93a32217e0	fix: resolve mnd (magic number) linter errors in agehd and bip85 packages - Define x25519KeySize constant (32) at package level in agehd - Replace all magic number 32 uses with x25519KeySize constant - Define bech32BitSize8 and bech32BitSize5 constants for bit conversions - Define bip85EntropySize constant (64) for entropy validation - Define BIP39 word count constants (words12-24) with descriptive names	2025-07-09 12:52:46 -07:00
sneak	95ba80f618	fix: resolve gochecknoglobals, gosec, lll, and mnd linter errors - Add nolint comments for BIP85 standard constants (MainNetPrivateKey, TestNetPrivateKey) - Handle error return from shake.Write() in NewBIP85DRNG - Fix line length issue by moving nolint comment to separate line - Add nolint comment for cobra.ExactArgs(2) magic number - Replace magic number 32 with named constant x25519KeySize in agehd package	2025-07-09 12:49:59 -07:00
sneak	d710323bd0	fix: add nolint comments for necessary global variables in internal/secret Add nolint:gochecknoglobals comments for legitimate global variables: - debugEnabled and debugLogger: Package-wide debug state management - GPGEncryptFunc and GPGDecryptFunc: Required for test mocking - getCurrentVaultFunc: Required to break import cycle between packages	2025-07-09 12:47:51 -07:00
sneak	38b450cbcf	fix: resolve mnd and nestif linter errors - Added constants to replace magic numbers: - agePrivKeyPassphraseLength = 64 - versionNameParts = 2 - maxVersionsPerDay = 999 - Refactored crypto.go to reduce nesting complexity: - Inverted if condition to handle non-existent secret first - Extracted getSecretValue helper method	2025-07-09 07:05:07 -07:00
sneak	6fe49344e2	fix: resolve errcheck, gosec, and mnd linter errors - Fixed unhandled errors in init.go (os.Setenv/Unsetenv) - Fixed unhandled errors in test_helpers.go (os.Setenv/Unsetenv) - Replaced magic numbers with named constants: - defaultSecretLength = 16 - mnemonicEntropyBits = 128 - tabWriterPadding = 2	2025-07-09 06:59:01 -07:00
sneak	6e01ae6002	chore: exclude errcheck linter from test files Test files often ignore error returns for brevity and clarity, especially for cleanup operations that don't affect test outcomes.	2025-07-09 06:18:52 -07:00
sneak	11e43542cf	fix: handle error returns from os.Unsetenv and file.Close (errcheck) Fixed the first five errcheck linter errors: - Added error handling for os.Unsetenv in cli_test.go - Added error handling for file.Close() in crypto.go (4 instances)	2025-07-09 06:16:13 -07:00
sneak	2256a37b72	Update golangci-lint configuration to v2.2.1 format - Add version field set to "2" for golangci-lint v2.2.1 - Remove formatters (gofmt, gofumpt, goimports) from linters list - Remove unsupported linters (gosimple, typecheck) - Simplify usetesting configuration - Move max-issues settings to proper location in issues section - Remove timeout field from run section	2025-07-09 06:11:48 -07:00
sneak	533133486c	fix: remove unnecessary type conversions (unconvert) - Remove unnecessary conversions of UnlockerMetadata in vault/unlockers.go - The metadata variable is already of the correct type due to type aliasing	2025-06-20 12:52:19 -07:00
sneak	eb19fa4b97	fix: replace unused parameters with underscores (revive) - Replace unused function parameters with _ in test files - Affects version_test.go, debug_test.go, and pgpunlock_test.go	2025-06-20 12:50:16 -07:00
sneak	5ed850196b	fix: convert ALL_CAPS constants to CamelCase (revive) - Rename APP_BIP39 to AppBIP39 - Rename APP_HD_WIF to AppHDWIF - Rename APP_XPRV to AppXPRV - Rename APP_PWD85 to AppPWD85 - Update all references in the code	2025-06-20 12:49:01 -07:00
sneak	be1f323a09	fix: remove unnecessary zero value initialization (revive) - Remove explicit = 0 from uint32 declaration as it's the default zero value	2025-06-20 12:47:58 -07:00
sneak	bdcddadf90	fix: resolve exported type stuttering issues (revive) - Rename VaultMetadata to Metadata in internal/vault package to avoid stuttering - Rename BIP85DRNG to DRNG in pkg/bip85 package to avoid stuttering - Update all references in code and tests	2025-06-20 12:47:06 -07:00
sneak	4062242063	fix: break long error messages to meet line length limits Split long error messages at logical points to comply with 120 character line length limit while maintaining readability.	2025-06-20 09:51:26 -07:00
sneak	abcc7b6c3a	fix: resolve gosec integer overflow and unconvert issues - Fix G115 integer overflow by converting uint32 to int comparison - Remove unnecessary int() conversions for syscall constants - syscall.Stdin/Stderr/Stdout are already int type	2025-06-20 09:50:00 -07:00
sneak	9e35bf21a3	fix: more nlreturn and testifylint issues - Add blank lines before return statements - Use require.Error instead of assert.Error for error assertions - Keep exact float64 comparisons as-is (they are integers from JSON)	2025-06-20 09:40:17 -07:00
sneak	2a1e0337fd	fix: add blank lines before return statements (nlreturn) Fix nlreturn linting issues by adding blank lines before return statements in cli and secret packages.	2025-06-20 09:37:56 -07:00
sneak	dcc15008cd	add instructions to keep going	2025-06-20 09:37:01 -07:00
sneak	dd2e95f8af	fix: replace magic file permissions and add crypto constant comments Replace hardcoded 0o600 with secret.FilePerms constant for consistency. Add explanatory comments for cryptographic constants (32-byte keys, bech32 encoding parameters) rather than extracting them as they are well-known cryptographic standard values.	2025-06-20 09:23:50 -07:00
sneak	c450e1c13d	fix: replace remaining os.Setenv with t.Setenv in tests Replace all os.Setenv calls with t.Setenv in test functions to ensure proper test environment cleanup and better test isolation. This leaves only legitimate application code and helper functions using os.Setenv.	2025-06-20 09:22:01 -07:00
sneak	c6935d8f0f	add rules for claude	2025-06-20 09:20:52 -07:00
sneak	5d973f76ec	fix: break long lines to 77 characters in non-test files Break long lines in function signatures and strings to comply with 77 character preference by using multi-line formatting and extracting variables where appropriate.	2025-06-20 09:17:45 -07:00
sneak	fd125c5fe1	fix: disable line length checks for test files with test vectors Add nolint:lll directives to test files containing long test vectors and function signatures to avoid unnecessary line breaking.	2025-06-20 09:16:40 -07:00
sneak	08a42b16dd	fix: replace os.Setenv with t.Setenv in tests (usetesting) Replace os.Setenv calls with t.Setenv in test functions to ensure proper test environment cleanup and better test isolation.	2025-06-20 09:13:01 -07:00
sneak	b736789ecb	fix: adjust line lengths to 77 characters Break long lines in function signatures and strings to comply with 77 character preference for better readability.	2025-06-20 09:10:28 -07:00
sneak	f569bc55ea	fix: convert for loops to Go 1.22+ integer range syntax (intrange) Convert traditional for loops to use the new Go 1.22+ integer range syntax: - for i := 0; i < n; i++ → for i := range n (when index is used) - for i := 0; i < n; i++ → for range n (when index is not used) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-06-20 09:05:49 -07:00
sneak	9231409c5c	fix: remove unnecessary string conversions (unconvert) Remove redundant string() conversions on output variables that are already strings in test assertions and logging. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-06-20 09:02:56 -07:00
sneak	0d140b4636	fix: correct file permissions in integration test (gosec G306) Change WriteFile permissions from 0o644 to 0o600 to address security linting issue about file permissions being too permissive. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-06-20 09:02:01 -07:00
sneak	9e74b34b5d	Fix remaining usetesting errors in vault integration test Replace os.MkdirTemp() with t.TempDir() and os.Setenv() with t.Setenv() Remove manual environment cleanup as t.Setenv handles it automatically	2025-06-20 08:58:29 -07:00
sneak	47afe117f4	Fix unused parameter errors in agehd and bip85 tests - Remove unused goroutineID parameter from agehd concurrent test - Remove unused description parameter from bip85 logTestVector function - Update all call sites to match new signatures	2025-06-20 08:55:42 -07:00
sneak	4fe49ca8d0	Fix unused parameter errors in secret test mock implementations Rename unused force and passphrase parameters to _ in MockVault interface implementations as they are required by the interface	2025-06-20 08:52:19 -07:00
sneak	8ca7796d04	Fix unused parameter errors in debug.go slog.Handler interface Rename unused parameters to _ in WithAttrs and WithGroup methods as these are required by the slog.Handler interface	2025-06-20 08:51:13 -07:00
sneak	dcab84249f	Fix unused parameter errors in CLI integration tests Remove unused tempDir parameter from test11ListSecrets and test15VaultIsolation Remove unused runSecretWithStdin parameter from test17ImportFromFile Update call sites to match new signatures	2025-06-20 08:50:34 -07:00
sneak	e5b18202f3	Fix revive package stuttering errors - Rename SecretMetadata to Metadata in secret package - Rename SecretVersion to Version in secret package - Update NewSecretVersion to NewVersion function - Update all references across the codebase including: - vault package aliases - CLI usage - test files - method receivers and signatures	2025-06-20 08:48:17 -07:00
sneak	efc9456948	Fix G115 integer overflow warnings in agehd tests Add bounds checking before converting int to uint32 to prevent potential integer overflow in benchmark and concurrent test functions	2025-06-20 08:27:41 -07:00
sneak	c52430554a	Fix usetesting errors in CLI integration test Replace os.Setenv() with t.Setenv() for GODEBUG and SB_SECRET_STATE_DIR environment variables in TestSecretManagerIntegration and test23ErrorHandling	2025-06-20 08:24:54 -07:00
sneak	fd7ab06fb1	Modify test target to re-run in verbose mode only on failure	2025-06-20 08:12:06 -07:00
sneak	434b73d834	Fix intrange and G101 linting issues - Convert for loops to use Go 1.22+ integer ranges in generate.go and helpers.go - Disable G101 false positives for test vectors and environment variable names - Add file-level gosec disable for bip85_test.go containing BIP85 test vectors - Add targeted nolint comments for legitimate test data and constants	2025-06-20 08:08:01 -07:00
sneak	985d79d3c0	fix: resolve critical security vulnerabilities in debug logging and command execution - Remove sensitive data from debug logs (vault/secrets.go, secret/version.go) - Add input validation for GPG key IDs and keychain item names - Resolve GPG key IDs to full fingerprints before storing in metadata - Add comprehensive test coverage for validation functions - Add golangci-lint configuration with additional linters Security improvements: - Debug logs no longer expose decrypted secret values or private keys - GPG and keychain commands now validate input to prevent injection attacks - All validation uses precompiled regex patterns for performance	2025-06-20 07:50:26 -07:00
sneak	004dce5472	passes tests now!	2025-06-20 07:24:48 -07:00
sneak	0b31fba663	latest from ai, it broke the tests	2025-06-20 05:40:20 -07:00
sneak	6958b2a6e2	ignore *.log files	2025-06-11 15:29:20 -07:00
sneak	fd4194503c	removed file erroneously committed	2025-06-11 15:29:02 -07:00
sneak	a1800a8e88	removed binary erroneously committed by LLM :/	2025-06-11 15:28:14 -07:00
sneak	03e0ee2f95	refactor: remove confusing dual ID method pattern from Unlocker interface - Removed redundant ID() method from Unlocker interface - Removed ID field from UnlockerMetadata struct - Modified GetID() to generate IDs dynamically based on unlocker type and data - Updated vault package to create unlocker instances when searching by ID - Fixed all tests and CLI code to remove ID field references - IDs are now consistently generated from unlocker data, preventing redundancy	2025-06-11 15:21:20 -07:00
sneak	9adf0c0803	refactor: fix redundant metadata fields across the codebase - Removed VaultMetadata.Name (redundant with directory structure) - Removed SecretMetadata.Name (redundant with Secret.Name field) - Removed AgePublicKey and AgeRecipient from PGPUnlockerMetadata - Removed AgePublicKey from KeychainUnlockerMetadata - Changed PGP and Keychain unlockers to store recipient in pub.txt instead of pub.age - Fixed all tests to reflect these changes - Follows DRY principle and prevents data inconsistency	2025-06-09 17:44:10 -07:00
sneak	e9d03987f9	refactor: remove redundant SecretName and Version fields from VersionMetadata - Removed SecretName and Version fields that were redundant with directory structure and parent SecretVersion struct - Updated tests to remove references to deleted fields - Follows DRY principle and prevents potential data inconsistency	2025-06-09 17:26:57 -07:00
sneak	b0e3cdd3d0	fix: Restore fmt target to Makefile	2025-06-09 17:22:44 -07:00
sneak	2e3fc475cf	fix: Use vault metadata derivation index for environment mnemonic - Fixed bug where GetValue() used hardcoded index 0 instead of vault metadata - Added test31 to verify environment mnemonic respects vault derivation index - Rewrote test19DisasterRecovery to actually test manual recovery process - Removed all test skip statements as requested	2025-06-09 17:21:02 -07:00
sneak	1f89fce21b	latest	2025-06-09 05:59:26 -07:00
sneak	512b742c46	latest agent instructions	2025-06-09 05:59:17 -07:00
sneak	02be4b2a55	Fix integration tests: correct vault derivation index and debug test failures	2025-06-09 04:54:45 -07:00
sneak	e036d280c0	tests pass now, not sure if they are any good	2025-06-08 22:29:55 -07:00
sneak	ac81023ea0	add LLM instructions	2025-06-08 22:19:13 -07:00
sneak	d76a4cbf4d	fix tests	2025-06-08 22:13:22 -07:00
sneak	fbda2d91af	add secret versioning support	2025-06-08 22:07:19 -07:00
sneak	f59ee4d2d6	'unlock keys' renamed to 'unlockers'	2025-05-30 07:29:02 -07:00