fix: use make build instead of inline go build in Dockerfile

REPO_POLICIES requires using Makefile targets instead of invoking tools directly. Replace inline go build with make build.
fix: add darwin build constraints to Objective-C source files
2026-03-17 02:26:35 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00
82 changed files with 7437 additions and 2113 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -1,13 +0,0 @@
 {
  "permissions": {
    "allow": [
      "Bash(go mod why:*)",
      "Bash(go list:*)",
      "Bash(~/go/bin/govulncheck -mode=module .)",
      "Bash(go test:*)",
      "Bash(grep:*)",
      "Bash(rg:*)"
    ],
    "deny": []
  }
 }
--- a/.cursorrules
+++ b/.cursorrules
@@ -1,3 +0,0 @@
 EXTREMELY IMPORTANT: Read and follow the policies, procedures, and
 instructions in the `AGENTS.md` file in the root of the repository.  Make
 sure you follow *all* of the instructions meticulously.
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,20 @@
 # Build artifacts
 secret
 coverage.out
 *.test
 # IDE and editor files
 .vscode
 .idea
 *.swp
 *.swo
 *~
 # macOS
 .DS_Store
 # Claude files
 .claude/
 # Local settings
 .claude/settings.local.json
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,9 @@
 name: check
 on: [push]
 jobs:
    check:
        runs-on: ubuntu-latest
        steps:
            # actions/checkout v4.2.2, 2026-02-28
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
            - run: docker build --ulimit memlock=-1:-1 .
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,10 @@
 /secret
 *.log
 cli.test
 vault.test
 *.test
 settings.local.json
 # Stale files
 .cursorrules
 coverage.out
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,8 @@
 version: "2"
 run:
-  timeout: 5m
+  go: "1.24"
-  go: "1.22"
+  tests: false
 linters:
  enable:
@@ -14,7 +16,6 @@ linters:
    - mnd              # An analyzer to detect magic numbers
    - lll              # Reports long lines
    - intrange         # intrange is a linter to find places where for loops could make use of an integer range
    - gofumpt          # Gofumpt checks whether code was gofumpt-ed
    - gochecknoglobals # Check that no global variables exist
    # Default/existing linters that are commonly useful
@@ -22,11 +23,7 @@ linters:
    - errcheck
    - staticcheck
    - unused
    - gosimple
    - ineffassign
    - typecheck
    - gofmt
    - goimports
    - misspell
    - revive
    - gosec
@@ -67,6 +64,14 @@ linters-settings:
  nlreturn:
    block-size: 2
  revive:
    rules:
      - name: var-naming
        arguments:
          - []
          - []
          - "upperCaseConst=true"
  tagliatelle:
    case:
      rules:
@@ -78,22 +83,46 @@ linters-settings:
  testifylint:
    enable-all: true
-  usetesting:
+  usetesting: {}
    strict: true
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
  exclude-rules:
    # Exclude some linters from running on tests files
    - path: _test\.go
      linters:
        - gochecknoglobals
        - mnd
        - unparam
    # Allow long lines in generated code or test data
    - path: ".*_gen\\.go"
      linters:
        - lll
-  max-issues-per-linter: 0
+    # Exclude unused parameter warnings for cobra command signatures
-  max-same-issues: 0
+    - text: "parameter '(args|cmd)' seems to be unused"
      linters:
        - revive
    # Allow ALL_CAPS constant names
    - text: "don't use ALL_CAPS in Go names"
      linters:
        - revive
    # Exclude all linters for internal/macse directory
    - path: "internal/macse/.*"
      linters:
        - errcheck
        - lll
        - mnd
        - nestif
        - nlreturn
        - revive
        - unconvert
        - govet
        - staticcheck
        - unused
        - ineffassign
        - misspell
        - gosec
        - unparam
        - testifylint
        - usetesting
        - tagliatelle
        - nilnil
        - intrange
        - gochecknoglobals
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -141,3 +141,17 @@ Version: 2025-06-08
   - Local application imports
   Each group should be separated by a blank line.
 ## Go-Specific Guidelines
 1. **No `panic`, `log.Fatal`, or `os.Exit` in library code.** Always propagate errors via return values.
 2. **Constructors return `(*T, error)`, not just `*T`.** Callers must handle errors, not crash.
 3. **Wrap errors** with `fmt.Errorf("context: %w", err)` for debuggability.
 4. **Never modify linter config** (`.golangci.yml`) to suppress findings. Fix the code.
 5. **All PRs must pass `make check` with zero failures.** No exceptions, no "pre-existing issue" excuses.
 6. **Pin external dependencies by commit hash**, not mutable tags.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,95 @@
 # IMPORTANT RULES
 * Claude is an inanimate tool.  The spam that Claude attempts to insert into
  commit messages (which it erroneously refers to as "attribution") is not
  attribution, as I am the sole author of code created using Claude.  It is
  corporate advertising for Anthropic and is therefore completely
  unacceptable in commit messages.
 * Tests should always be run before committing code.  No commits should be
  made that do not pass tests.
 * Code should always be formatted before committing.  Do not commit
  unformatted code.
 * Code should always be linted and linter errors fixed before committing.
  NEVER commit code that does not pass the linter.  DO NOT modify the linter
  config unless specifically instructed.
 * The test suite is fast and local.  When running tests, NEVER run
  individual parts of the test suite, always run the whole thing by running
  "make test".
 * Do not stop working on a task until you have reached the definition of
  done provided to you in the initial instruction.  Don't do part or most of
  the work, do all of the work until the criteria for done are met.
 * When you complete each task, if the tests are passing and the code is
  formatted and there are no linter errors, always commit and push your
  work. Use a good commit message and don't mention any author or co-author
  attribution.
 * Do not create additional files in the root directory of the project
  without asking permission first. Configuration files, documentation, and
  build files are acceptable in the root, but source code and other files
  should be organized in appropriate subdirectories.
 * Do not use bare strings or numbers in code, especially if they appear
  anywhere more than once.  Always define a constant (usually at the top of
  the file) and give it a descriptive name, then use that constant in the
  code instead of the bare string or number.
 * If you are fixing a bug, write a test first that reproduces the bug and
  fails, and then fix the bug in the code, using the test to verify that the
  fix worked.
 * When implementing new features, be aware of potential side-effects (such
  as state files on disk, data in the database, etc.) and ensure that it is
  possible to mock or stub these side-effects in tests when designing an
   API.
 * When dealing with dates and times or timestamps, always use, display, and
  store UTC.  Set the local timezone to UTC on startup.  If the user needs
  to see the time in a different timezone, store the user's timezone in a
  separate field and convert the UTC time to the user's timezone when
  displaying it.  For internal use and internal applications and
  administrative purposes, always display UTC.
 * When implementing programs, put the main.go in
  ./cmd/<program_name>/main.go and put the program's code in
  ./internal/<program_name>/.  This allows for multiple programs to be
  implemented in the same repository without cluttering the root directory.
  main.go should simply import and call <program_name>.CLIEntry().  The
  full implementation should be in ./internal/<program_name>/.
 * When you are instructed to make the tests pass, DO NOT delete tests, skip
  tests, or change the tests specifically to make them pass (unless there
  is a bug in the test).  This is cheating, and it is bad.  You should only
  be modifying the test if it is incorrect or if the test is no longer
  relevant.  In almost all cases, you should be fixing the code that is
  being tested, or updating the tests to match a refactored implementation.
 * Always write a `Makefile` with the default target being `test`, and with a
  `fmt` target that formats the code.  The `test` target should run all
  tests in the project, and the `fmt` target should format the code.  `test`
  should also have a prerequisite target `lint` that should run any linters
  that are configured for the project.
 * After each completed bugfix or feature, the code must be committed.  Do
  all of the pre-commit checks (test, lint, fmt) before committing, of
  course.  After each commit, push to the remote.
 * Always write tests, even if they are extremely simple and just check for
  correct syntax (ability to compile/import). If you are writing a new
  feature, write a test for it.  You don't need to target complete coverage,
  but you should at least test any new functionality you add.
 * Always use structured logging.  Log any relevant state/context with the
  messages (but do not log secrets).  If stdout is not a terminal, output
  the structured logs in jsonl format.  Use go's log/slog.
 * You do not need to summarize your changes in the chat after making them.
  Making the changes and committing them is sufficient.  If anything out of
  the ordinary happened, please explain it, but in the normal case where you
  found and fixed the bug, or implemented the feature, there is no need for
  the end-of-change summary.
--- a/46
+++ b/46
@@ -0,0 +1,46 @@
 # Lint stage — fast feedback on formatting and lint issues
 # golangci/golangci-lint v2.1.6 (2026-03-10)
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN make fmt-check
 RUN make lint
 # Build stage — tests and compilation
 # golang 1.24.13-alpine (2026-03-10)
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 # Force BuildKit to run the lint stage
 COPY --from=lint /src/go.sum /dev/null
 RUN apk add --no-cache gcc musl-dev make git gnupg
 WORKDIR /build
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN make test
 RUN make build
 # Runtime stage
 # alpine 3.23 (2026-03-10)
 FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 RUN apk add --no-cache ca-certificates gnupg
 RUN adduser -D -s /bin/sh secret
 COPY --from=builder /build/secret /usr/local/bin/secret
 RUN chmod +x /usr/local/bin/secret
 USER secret
 WORKDIR /home/secret
 ENTRYPOINT ["secret"]
--- a/35
+++ b/35
@@ -1,16 +1,24 @@
 export CGO_ENABLED=1
 export DOCKER_HOST := ssh://root@ber1app1.local
 # Version information
 VERSION := 0.1.0
 GIT_COMMIT := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
 LDFLAGS := -X 'git.eeqj.de/sneak/secret/internal/cli.Version=$(VERSION)' \
           -X 'git.eeqj.de/sneak/secret/internal/cli.GitCommit=$(GIT_COMMIT)'
 default: check
 build: ./secret
-# Simple build (no code signing needed)
+./secret: ./internal/*/*.go ./pkg/*/*.go ./cmd/*/*.go ./go.*
-./secret:
+	go build -v -ldflags "$(LDFLAGS)" -o $@ cmd/secret/main.go
 	go build -v -o $@ cmd/secret/main.go
 vet:
 	go vet ./...
-test:
+test: vet
-	go test -v ./...
+	go test ./... || go test -v ./...
 fmt:
 	go fmt ./...
@@ -18,9 +26,22 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m
-# Check all code quality (build + vet + lint + unit tests)
+check: build lint test fmt-check
-check: ./secret vet lint test
+
 # Build Docker container
 docker:
 	docker build -t sneak/secret .
 # Run Docker container interactively
 docker-run:
 	docker run --rm -it sneak/secret
 # Clean build artifacts
 clean:
 	rm -f ./secret
 install: ./secret
 	cp ./secret $(HOME)/bin/secret
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)
--- a/README.md
+++ b/README.md
@@ -1,28 +1,40 @@
-# Secret - Hierarchical Secret Manager
+# secret - Local Secret Manager
-Secret is a modern, secure command-line secret manager that implements a hierarchical key architecture for storing and managing sensitive data. It supports multiple vaults, various unlock mechanisms, and provides secure storage using the Age encryption library.
+secret is a command-line local secret manager that implements a hierarchical
 key architecture for storing and managing sensitive data. It supports
 multiple vaults, various unlock mechanisms, and provides secure storage
 using the `age` encryption library.
 It could be used as password manager, but was not designed as such.  I
 created it to scratch an itch for a secure key/value store for replacing a
 bunch of pgp-encrypted files in a directory structure.
 ## Core Architecture
 ### Three-Layer Key Hierarchy
-Secret implements a sophisticated three-layer key architecture:
+Secret implements a three-layer key architecture:
-1. **Long-term Keys**: Derived from BIP39 mnemonic phrases, these provide the foundation for all encryption
+1. **Long-term Keys**: Derived from BIP39 mnemonic phrases, these provide
-2. **Unlockers**: Short-term keys that encrypt the long-term keys, supporting multiple authentication methods
+   the foundation for all encryption
-3. **Version-specific Keys**: Per-version keys that encrypt individual secret values
+2. **Unlockers**: Short-term keys that encrypt the long-term keys,
   supporting multiple authentication methods
 3. **Version-specific Keys**: Per-version keys that encrypt individual
   secret values
 ### Version Management
 Each secret maintains a history of versions, with each version having:
 - Its own encryption key pair
- Encrypted metadata including creation time and validity period
+- Metadata (unencrypted) including creation time and validity period
 - Immutable value storage
 - Atomic version switching via symlink updates
 ### Vault System
-Vaults provide logical separation of secrets, each with its own long-term key and unlocker set. This allows for complete isolation between different contexts (work, personal, projects).
+Vaults provide logical separation of secrets, each with its own long-term
 key and unlocker set. This allows for complete isolation between different
 contexts (work, personal, projects).
 ## Installation
@@ -61,7 +73,9 @@ make build
 ### Initialization
 #### `secret init`
-Initializes the secret manager with a default vault. Prompts for a BIP39 mnemonic phrase and creates the initial directory structure.
+
 Initializes the secret manager with a default vault. Prompts for a BIP39
 mnemonic phrase and creates the initial directory structure.
 **Environment Variables:**
 - `SB_SECRET_MNEMONIC`: Pre-set mnemonic phrase
@@ -69,18 +83,33 @@ Initializes the secret manager with a default vault. Prompts for a BIP39 mnemoni
 ### Vault Management
-#### `secret vault list [--json]`
+#### `secret vault list [--json]` / `secret vault ls`
-Lists all available vaults.
+
 Lists all available vaults. The current vault is marked.
 #### `secret vault create <name>`
 Creates a new vault with the specified name.
 #### `secret vault select <name>`
 Switches to the specified vault for subsequent operations.
 #### `secret vault remove <name> [--force]` / `secret vault rm` ⚠️ 🛑
 **DANGER**: Permanently removes a vault and all its secrets. Like Unix `rm`,
 this command does not ask for confirmation.
 Requires --force if the vault contains secrets. With --force, will
 automatically switch to another vault if removing the current one.
 - `--force, -f`: Force removal even if vault contains secrets
 - **NO RECOVERY**: All secrets in the vault will be permanently deleted
 ### Secret Management
 #### `secret add <secret-name> [--force]`
 Adds a secret to the current vault. Reads the secret value from stdin.
 - `--force, -f`: Overwrite existing secret
@@ -89,26 +118,53 @@ Adds a secret to the current vault. Reads the secret value from stdin.
 - Examples: `database/password`, `api.key`, `ssh_private_key`
 #### `secret get <secret-name> [--version <version>]`
 Retrieves and outputs a secret value to stdout.
 - `--version, -v`: Get a specific version (default: current)
 #### `secret list [filter] [--json]` / `secret ls`
-Lists all secrets in the current vault. Optional filter for substring matching.
+
 Lists all secrets in the current vault. Optional filter for substring
 matching.
 #### `secret remove <secret-name>` / `secret rm` ⚠️ 🛑
 **DANGER**: Permanently removes a secret and ALL its versions. Like Unix `rm`, this command does not ask for confirmation.
 - **NO RECOVERY**: Once removed, the secret cannot be recovered
 - **ALL VERSIONS DELETED**: Every version of the secret will be permanently deleted
 #### `secret move <source> <destination>` / `secret mv` / `secret rename`
 Moves or renames a secret within the current vault.
 - Fails if the destination already exists
 - Preserves all versions and metadata
 ### Version Management
-#### `secret version list <secret-name>`
+#### `secret version list <secret-name>` / `secret version ls`
 Lists all versions of a secret showing creation time, status, and validity period.
 #### `secret version promote <secret-name> <version>`
-Promotes a specific version to current by updating the symlink. Does not modify any timestamps, allowing for rollback scenarios.
+
 Promotes a specific version to current by updating the symlink. Does not
 modify any timestamps, allowing for rollback scenarios.
 #### `secret version remove <secret-name> <version>` / `secret version rm` ⚠️ 🛑
 **DANGER**: Permanently removes a specific version of a secret. Like Unix
 `rm`, this command does not ask for confirmation.
 - **NO RECOVERY**: Once removed, this version cannot be recovered
 - Cannot remove the current version (must promote another version first)
 ### Key Generation
 #### `secret generate mnemonic`
 Generates a cryptographically secure BIP39 mnemonic phrase.
 #### `secret generate secret <name> [--length=16] [--type=base58] [--force]`
 Generates and stores a random secret.
 - `--length, -l`: Length of generated secret (default: 16)
 - `--type, -t`: Type of secret (`base58`, `alnum`)
@@ -116,39 +172,56 @@ Generates and stores a random secret.
 ### Unlocker Management
-#### `secret unlockers list [--json]`
+#### `secret unlocker list [--json]` / `secret unlocker ls`
 Lists all unlockers in the current vault with their metadata.
-#### `secret unlockers add <type> [options]`
+#### `secret unlocker add <type> [options]`
 Creates a new unlocker of the specified type:
 **Types:**
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 - `keychain`: macOS Keychain integration (macOS only)
 - `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
 **Options:**
- `--keyid <id>`: GPG key ID (required for PGP type)
+- `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
-#### `secret unlockers rm <unlocker-id>`
+#### `secret unlocker remove <unlocker-id> [--force]` / `secret unlocker rm` ⚠️ 🛑
-Removes an unlocker.
+
 **DANGER**: Permanently removes an unlocker. Like Unix `rm`, this command
 does not ask for confirmation.  Cannot remove the last unlocker if the vault
 has secrets unless --force is used.
 - `--force, -f`: Force removal of last unlocker even if vault has secrets
 - **CRITICAL WARNING**: Without unlockers and without your mnemonic phrase,
  vault data will be PERMANENTLY INACCESSIBLE
 - **NO RECOVERY**: Removing all unlockers without having your mnemonic means
  losing access to all secrets forever
 #### `secret unlocker select <unlocker-id>`
 Selects an unlocker as the current default for operations.
 ### Import Operations
 #### `secret import <secret-name> --source <filename>`
 Imports a secret from a file and stores it in the current vault under the given name.
 #### `secret vault import [vault-name]`
 Imports a mnemonic phrase into the specified vault (defaults to "default").
 ### Encryption Operations
 #### `secret encrypt <secret-name> [--input=file] [--output=file]`
 Encrypts data using an Age key stored as a secret. If the secret doesn't exist, generates a new Age key.
 #### `secret decrypt <secret-name> [--input=file] [--output=file]`
 Decrypts data using an Age key stored as a secret.
 ## Storage Architecture
@@ -169,7 +242,7 @@ Decrypts data using an Age key stored as a secret.
 │   │   │   │   │   │   ├── pub.age     # Version public key
 │   │   │   │   │   │   ├── priv.age    # Version private key (encrypted)
 │   │   │   │   │   │   ├── value.age   # Encrypted value
-│   │   │   │   │   │   └── metadata.age # Encrypted metadata
+│   │   │   │   │   │   └── metadata.json # Unencrypted metadata
 │   │   │   │   │   └── 20231216.001/   # Another version
 │   │   │   │   └── current -> versions/20231216.001
 │   │   │   └── database%password/       # Secret: database/password
@@ -189,12 +262,13 @@ Decrypts data using an Age key stored as a secret.
 ### Key Management and Encryption Flow
-#### Long-term Keys
+#### 1: Long-term Keys
 - **Source**: Derived from BIP39 mnemonic phrases using hierarchical deterministic (HD) key derivation
 - **Purpose**: Master keys for each vault, used to encrypt secret-specific keys
 - **Storage**: Public key stored as `pub.age`, private key encrypted by unlockers
-#### Unlockers
+#### 2: Unlockers
 Unlockers provide different authentication methods to access the long-term keys:
 1. **Passphrase Unlockers**:
@@ -207,10 +281,23 @@ Unlockers provide different authentication methods to access the long-term keys:
   - Leverages existing key management workflows
   - Strong authentication through GPG
 3. **Keychain Unlockers** (macOS only):
   - Stores unlock keys in macOS Keychain
   - Protected by system authentication (Touch ID, password)
   - Automatic unlocking when Keychain is unlocked
   - Cross-application integration
 4. **Secure Enclave Unlockers** (macOS):
   - Hardware-backed key storage using Apple Secure Enclave
   - Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
   - ECIES encryption: vault long-term key encrypted directly by SE hardware
   - Protected by biometric authentication (Touch ID) or system password
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
-#### Secret-specific Keys
+#### 3: Secret-specific Keys
- Each secret has its own encryption key pair
+
 - Each secret version has its own encryption key pair
 - Private key encrypted to the vault's long-term key
 - Provides forward secrecy and granular access control
@@ -224,27 +311,32 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 ## Security Features
 ### Encryption
- Uses the [Age encryption library](https://age-encryption.org/) with X25519 keys
+
 - Uses the [age encryption library](https://age-encryption.org/) with X25519 keys
 - All private keys are encrypted at rest
 - No plaintext secrets stored on disk
 ### Access Control
 - Multiple authentication methods supported
 - Hierarchical key architecture provides defense in depth
 - Vault isolation prevents cross-contamination
 ### Forward Secrecy
 - Per-version encryption keys limit exposure if compromised
 - Each version is independently encrypted
 - Long-term keys protected by multiple unlocker layers
 - Historical versions remain encrypted with their original keys
 ### Hardware Integration
 - Hardware token support via PGP/GPG integration
 - macOS Keychain integration for system-level security
 - Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
 ## Examples
 ### Basic Workflow
 ```bash
 # Initialize with a new mnemonic
 secret generate mnemonic  # Copy the output
@@ -259,9 +351,13 @@ echo "ssh-private-key-content" | secret add ssh/servers/web01
 secret list
 secret get database/prod/password
 secret get services/api/key
 # Remove a secret ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
 secret remove ssh/servers/web01
 ```
 ### Multi-vault Setup
 ```bash
 # Create separate vaults for different contexts
 secret vault create work
@@ -270,7 +366,7 @@ secret vault create personal
 # Work with work vault
 secret vault select work
 echo "work-db-pass" | secret add database/password
-secret unlockers add passphrase  # Add passphrase authentication
+secret unlocker add passphrase  # Add passphrase authentication
 # Switch to personal vault
 secret vault select personal
@@ -278,22 +374,44 @@ echo "personal-email-pass" | secret add email/password
 # List all vaults
 secret vault list
 # Remove a vault ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
 secret vault remove personal --force
 ```
 ### Advanced Authentication
 ```bash
 # Add multiple unlock methods
-secret unlockers add passphrase              # Password-based
+secret unlocker add passphrase              # Password-based
-secret unlockers add pgp --keyid ABCD1234    # GPG key
+secret unlocker add pgp --keyid ABCD1234    # GPG key
 secret unlocker add keychain                # macOS Keychain (macOS only)
 secret unlocker add secure-enclave          # macOS Secure Enclave (macOS only)
 # List unlockers
-secret unlockers list
+secret unlocker list
 # Select a specific unlocker
 secret unlocker select <unlocker-id>
 # Remove an unlocker ⚠️ 🛑 (NO CONFIRMATION!)
 secret unlocker remove <unlocker-id>
 ```
 ### Version Management
 ```bash
 # List all versions of a secret
 secret version list database/prod/password
 # Promote an older version to current
 secret version promote database/prod/password 20231215.001
 # Remove an old version ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
 secret version remove database/prod/password 20231214.001
 ```
 ### Encryption/Decryption with Age Keys
 ```bash
 # Generate an Age key and store it as a secret
 secret generate secret encryption/mykey
@@ -310,33 +428,35 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 ### Cryptographic Primitives
 - **Key Derivation**: BIP32/BIP39 hierarchical deterministic key derivation
 - **Encryption**: Age (X25519 + ChaCha20-Poly1305)
 - **Key Exchange**: X25519 elliptic curve Diffie-Hellman
 - **Authentication**: Poly1305 MAC
 - **Hashing**: Double SHA-256 for public key identification
 ### File Formats
- **Age Files**: Standard Age encryption format (.age extension)
+- **age Files**: Standard age encryption format (.age extension)
- **Metadata**: JSON format with timestamps and type information
+- **Metadata**: Unencrypted JSON format with timestamps and type information
 - **Vault Metadata**: JSON containing vault name, creation time, derivation index, and public key hash
 ### Vault Management
- **Derivation Index**: Each vault uses a unique derivation index from the mnemonic
+
 - **Derivation Index**: Each vault uses a unique derivation index from the mnemonic, and thus a unique key pair
 - **Public Key Hash**: Double SHA-256 hash of the index-0 public key identifies vaults from the same mnemonic
 - **Automatic Key Derivation**: When creating vaults with a mnemonic, keys are automatically derived
 ### Cross-Platform Support
- **macOS**: Full support including Keychain integration
+
- **Linux**: Full support (excluding Keychain features)
+- **macOS**: Full support including Keychain and Secure Enclave integration
- **Windows**: Basic support (filesystem operations only)
+- **Linux**: Full support (excluding macOS-specific features)
 ## Security Considerations
 ### Threat Model
 - Protects against unauthorized access to secret values
 - Provides defense against compromise of individual components
 - Supports hardware-backed authentication where available
 ### Best Practices
 1. Use strong, unique passphrases for unlockers
 2. Enable hardware authentication (Keychain, hardware tokens) when available
 3. Regularly audit unlockers and remove unused ones
@@ -344,6 +464,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 5. Use separate vaults for different security contexts
 ### Limitations
 - Requires access to unlockers for secret retrieval
 - Mnemonic phrases must be securely stored and backed up
 - Hardware features limited to supported platforms
@@ -367,9 +488,21 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 ## Features
- **Multiple Authentication Methods**: Supports passphrase-based and PGP-based unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
 - **Cross-Platform**: Works on macOS, Linux, and other Unix-like systems
 # Author
 Made with love and lots of expensive SOTA AI by
 [sneak](https://sneak.berlin) in Berlin in the summer of 2025.
 Released as a free software gift to the world, no strings attached, under
 the [WTFPL](https://www.wtfpl.net/) license.
 Contact: [sneak@sneak.berlin](mailto:sneak@sneak.berlin)
 [https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2](https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2)
--- a/TODO.md
+++ b/TODO.md
@@ -1,203 +1,147 @@
 # TODO for 1.0 Release
-This document outlines the bugs, issues, and improvements that need to be addressed before the 1.0 release of the secret manager.
+This document outlines the bugs, issues, and improvements that need to be
 addressed before the 1.0 release of the secret manager. Items are
 prioritized from most critical (top) to least critical (bottom).
-## Critical (Blockers for Release)
+## CRITICAL BLOCKERS FOR 1.0 RELEASE
-### Error Handling and User Experience
+### Command Injection Vulnerabilities
 - [ ] **1. PGP command injection risk**: `internal/secret/pgpunlocker.go:323-327` - GPG key IDs passed directly to exec.Command without proper escaping
 - [ ] **2. Keychain command injection risk**: `internal/secret/keychainunlocker.go:472-476` - data.String() passed to security command without escaping
- [ ] **1. Inappropriate Cobra usage printing**: Commands currently print usage information for all errors, including internal program failures. Usage should only be printed when the user provides incorrect arguments or invalid commands, not when the program encounters internal errors (like file system issues, crypto failures, etc.).
+### Memory Security Critical Issues
 - [ ] **3. Plain text passphrase in memory**: `internal/secret/keychainunlocker.go:342,393-396` - KeychainData struct stores AgePrivKeyPassphrase as unprotected string
 - [ ] **4. Sensitive string conversions**: `internal/secret/keychainunlocker.go:356`, `internal/secret/pgpunlocker.go:256`, `internal/secret/version.go:155` - Age identity .String() creates unprotected copies
- [ ] **2. Inconsistent error messages**: Error messages need standardization and should be user-friendly. Many errors currently expose internal implementation details.
+### Race Conditions (Data Corruption Risk)
 - [ ] **5. No file locking mechanism**: `internal/vault/secrets.go:142-176` - Multiple concurrent operations can corrupt vault state
 - [ ] **6. Non-atomic file operations**: Various locations - Interrupted writes leave vault inconsistent
- [x] **3. Missing validation for vault names**: Vault names should be validated against a safe character set to prevent filesystem issues.
+### Input Validation Vulnerabilities
 - [ ] **7. Path traversal risk**: `internal/vault/secrets.go:75-99` - Secret names allow dots which could enable traversal attacks with encoding
 - [ ] **8. Missing size limits**: `internal/vault/secrets.go:102` - No maximum secret size allows DoS via memory exhaustion
- [ ] **4. No graceful handling of corrupted state**: If key files are corrupted or missing, the tool should provide clear error messages and recovery suggestions.
+### Timing Attack Vulnerabilities
 - [ ] **9. Non-constant-time passphrase comparison**: `internal/cli/init.go:209-216` - bytes.Equal() vulnerable to timing attacks
 - [ ] **10. Non-constant-time key validation**: `internal/vault/vault.go:95-100` - Public key comparison leaks timing information
-### Core Functionality Bugs
+## CRITICAL MEMORY SECURITY ISSUES
- [x] **5. Multiple vaults using the same mnemonic will derive the same long-term keys**: Adding additional vaults with the same mnemonic should increment the index value used. The mnemonic should be double sha256 hashed and the hash value stored in the vault metadata along with the index value (starting at zero) and when additional vaults are added with the same mnemonic (as determined by hash) then the index value should be incremented. The README should be updated to document this behavior.
+### Functions accepting bare []byte for sensitive data
 - [x] **1. Secret.Save accepts unprotected data**: `internal/secret/secret.go:67` - `Save(value []byte, force bool)` - ✓ REMOVED - deprecated function deleted
 - [x] **2. EncryptWithPassphrase accepts unprotected data**: `internal/secret/crypto.go:73` - `EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer)` - ✓ FIXED - now accepts LockedBuffer for data
 - [x] **3. storeInKeychain accepts unprotected data**: `internal/secret/keychainunlocker.go:469` - `storeInKeychain(itemName string, data []byte)` - ✓ FIXED - now accepts LockedBuffer for data
 - [x] **4. gpgEncryptDefault accepts unprotected data**: `internal/secret/pgpunlocker.go:351` - `gpgEncryptDefault(data []byte, keyID string)` - ✓ FIXED - now accepts LockedBuffer for data
- [x] **6. Directory structure inconsistency**: The README and test script reference different directory structures:
+### Functions returning unprotected secrets
-  - Current code uses `unlockers.d/` but documentation shows `unlock-keys.d/`
+- [x] **5. GetValue returns unprotected secret**: `internal/secret/secret.go:93` - `GetValue(unlocker Unlocker) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer internally
-  - Secret files use inconsistent naming (`secret.age` vs `value.age`)
+- [x] **6. DecryptWithIdentity returns unprotected data**: `internal/secret/crypto.go:57` - `DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
 - [x] **7. DecryptWithPassphrase returns unprotected data**: `internal/secret/crypto.go:94` - `DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
 - [x] **8. gpgDecryptDefault returns unprotected data**: `internal/secret/pgpunlocker.go:368` - `gpgDecryptDefault(encryptedData []byte) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
 - [x] **9. getSecretValue returns unprotected data**: `internal/cli/crypto.go:269` - `getSecretValue()` returns bare []byte - ✓ ALREADY FIXED - returns LockedBuffer
- [x] **7. Symlink handling on non-Unix systems**: The symlink resolution in `resolveVaultSymlink()` may fail on Windows or in certain environments.
+### Intermediate string variables for passphrases
 - [x] **10. Passphrase extracted to string**: `internal/secret/crypto.go:79,100` - `passphraseStr := passphrase.String()` - ✓ UNAVOIDABLE - age library requires string parameter
 - [ ] **11. Age secret key in plain string**: `internal/cli/crypto.go:86,91,113` - Age secret key stored in plain string variable before conversion back to secure buffer
- [ ] **8. Missing current unlock key initialization**: When creating vaults, no default unlock key is selected, which can cause operations to fail.
+### Unprotected buffer.Bytes() usage
 - [ ] **12. GPG encrypt exposes private key**: `internal/secret/pgpunlocker.go:256` - `GPGEncryptFunc(agePrivateKeyBuffer.Bytes(), gpgKeyID)` - private key exposed to external function
 - [ ] **13. Keychain encrypt exposes private key**: `internal/secret/keychainunlocker.go:371` - `EncryptWithPassphrase(agePrivKeyBuffer.Bytes(), passphraseBuffer)` - private key passed as bare bytes
- [ ] **9. Race conditions in file operations**: Multiple concurrent operations could corrupt the vault state due to lack of file locking.
+## Code Cleanups
-### Security Issues
+* we shouldn't be passing around a statedir, it should be read from the
  environment or default.
- [ ] **10. Insecure temporary file handling**: Temporary files containing sensitive data may not be properly cleaned up or secured.
+## HIGH PRIORITY SECURITY ISSUES
- [ ] **11. Missing secure memory clearing**: Sensitive data in memory (passphrases, keys) should be cleared after use.
+- [ ] **4. Application crashes on corrupted metadata**: Code panics instead
  of returning errors when metadata is corrupt, causing denial of service.
  Found in pgpunlocker.go:116 and keychainunlocker.go:141.
- [x] **12. Weak default permissions**: Some files may be created with overly permissive default permissions.
+- [ ] **5. Insufficient input validation**: Secret names allow potentially
  dangerous patterns including dots that could enable path traversal attacks
  (vault/secrets.go:70-93).
-## Important (Should be fixed before release)
+- [ ] **6. Race conditions in file operations**: Multiple concurrent
  operations could corrupt the vault state due to lack of file locking
  mechanisms.
-### User Interface Improvements
+- [ ] **7. Insecure temporary file handling**: Temporary files containing
  sensitive data may not be properly cleaned up or secured.
- [ ] **13. Add confirmation prompts for destructive operations**: Operations like `keys rm` and vault deletion should require confirmation.
+## HIGH PRIORITY FUNCTIONALITY ISSUES
- [ ] **14. Improve progress indicators**: Long operations (key generation, encryption) should show progress.
+- [ ] **8. Inappropriate Cobra usage printing**: Commands currently print
  usage information for all errors, including internal program failures.
  Usage should only be printed when the user provides incorrect arguments or
  invalid commands.
- [x] **15. Better secret name validation**: Currently allows some characters that may cause issues, needs comprehensive validation.
+- [ ] **9. Missing current unlock key initialization**: When creating
  vaults, no default unlock key is selected, which can cause operations to
  fail.
- [ ] **16. Add `--help` examples**: Command help should include practical examples for each operation.
+- [ ] **10. Add confirmation prompts for destructive operations**:
  Operations like `keys rm` and vault deletion should require confirmation.
-### Command Implementation Gaps
+- [ ] **11. No secret deletion command**: Missing `secret rm <secret-name>`
  functionality.
- [x] **17. `secret keys rm` not fully implemented**: Based on test output, this command may not be working correctly.
+- [ ] **12. Missing vault deletion command**: No way to delete vaults that
  are no longer needed.
- [x] **18. `secret key select` not fully implemented**: Key selection functionality appears incomplete.
+## MEDIUM PRIORITY ISSUES
- [ ] **19. Missing vault deletion command**: No way to delete vaults that are no longer needed.
+- [ ] **13. Inconsistent error messages**: Error messages need
  standardization and should be user-friendly. Many errors currently expose
  internal implementation details.
- [ ] **20. No secret deletion command**: Missing `secret rm <secret-name>` functionality.
+- [ ] **14. No graceful handling of corrupted state**: If key files are
  corrupted or missing, the tool should provide clear error messages and
  recovery suggestions.
- [ ] **21. Missing secret history/versioning**: No way to see previous versions of secrets or restore old values.
+- [ ] **15. No validation of GPG key existence**: Should verify the
  specified GPG key exists before creating PGP unlock keys.
-### Configuration and Environment
+- [ ] **16. Better separation of concerns**: Some functions in CLI do too
  much and should be split.
- [ ] **22. Global configuration not fully implemented**: The `configuration.json` file structure exists but isn't used consistently.
+- [ ] **17. Environment variable security**: Sensitive data read from
  environment variables (SB_UNLOCK_PASSPHRASE, SB_SECRET_MNEMONIC) without
  proper clearing. Document security implications.
- [ ] **23. Missing environment variable validation**: Environment variables should be validated for format and security.
+- [ ] **18. No secure memory allocation**: No use of mlock/munlock to
  prevent sensitive data from being swapped to disk.
- [ ] **24. No configuration file validation**: JSON configuration files should be validated against schemas.
+## LOWER PRIORITY ENHANCEMENTS
-### PGP Integration Issues
+- [ ] **19. Add `--help` examples**: Command help should include practical examples for each operation.
- [x] **25. Incomplete PGP unlock key implementation**: The `--keyid` parameter processing may not be fully working.
+- [ ] **20. Add shell completion**: Bash/Zsh completion for commands and secret names.
- [ ] **26. Missing GPG agent integration**: Should detect and use existing GPG agent when available.
+- [ ] **21. Colored output**: Use colors to improve readability of lists and error messages.
- [ ] **27. No validation of GPG key existence**: Should verify the specified GPG key exists before creating PGP unlock keys.
+- [ ] **22. Add `--quiet` flag**: Option to suppress non-essential output.
-### Cross-Platform Issues
+- [ ] **23. Smart secret name suggestions**: When a secret name is not found, suggest similar names.
- [ ] **28. macOS Keychain error handling**: Better error messages when biometric authentication fails or isn't available.
+- [ ] **24. Audit logging**: Log all secret access and modifications for security auditing.
- [ ] **29. Windows path handling**: File paths may not work correctly on Windows systems.
+- [ ] **25. Integration tests for hardware features**: Automated testing of Keychain and GPG functionality.
- [ ] **30. XDG compliance on Linux**: Should respect `XDG_CONFIG_HOME` and other XDG environment variables.
+- [ ] **26. Consistent naming conventions**: Some variables and functions use inconsistent naming patterns.
-## Trivial (Nice to have)
+- [ ] **27. Export/import functionality**: Add ability to export/import entire vaults, not just individual secrets.
-### Code Quality
+- [ ] **28. Batch operations**: Add commands to process multiple secrets at once.
- [ ] **31. Add more comprehensive unit tests**: Current test coverage could be improved, especially for error conditions.
+- [ ] **29. Search functionality**: Add ability to search secret names and potentially contents.
- [ ] **32. Reduce code duplication**: Several functions have similar patterns that could be refactored.
+- [ ] **30. Secret metadata**: Add support for descriptions, tags, or other metadata with secrets.
- [ ] **33. Improve function documentation**: Many functions lack proper Go documentation comments.
+## COMPLETED ITEMS ✓
- [ ] **34. Add static analysis**: Integrate tools like `staticcheck`, `golangci-lint` with more linters.
+- [x] **Missing secret history/versioning**: ✓ Implemented - versioning system exists with --version flag support
-
+- [x] **XDG compliance on Linux**: ✓ Implemented - uses os.UserConfigDir() which respects XDG_CONFIG_HOME
-### Performance Optimizations
+- [x] **Consistent interface implementation**: ✓ Implemented - Unlocker interface is well-defined and consistently implemented
 - [ ] **35. Cache unlock key operations**: Avoid re-reading unlock key metadata on every operation.
 - [ ] **36. Optimize file I/O**: Batch file operations where possible to reduce syscalls.
 - [ ] **37. Add connection pooling for HSM operations**: For hardware security module operations.
 ### User Experience Enhancements
 - [ ] **38. Add shell completion**: Bash/Zsh completion for commands and secret names.
 - [ ] **39. Colored output**: Use colors to improve readability of lists and error messages.
 - [ ] **40. Add `--quiet` flag**: Option to suppress non-essential output.
 - [ ] **41. Smart secret name suggestions**: When a secret name is not found, suggest similar names.
 ### Additional Features
 - [ ] **42. Secret templates**: Predefined templates for common secret types (database URLs, API keys, etc.).
 - [ ] **43. Bulk operations**: Import/export multiple secrets at once.
 - [ ] **44. Secret sharing**: Secure sharing of secrets between vaults or users.
 - [ ] **45. Audit logging**: Log all secret access and modifications.
 - [ ] **46. Integration tests for hardware features**: Automated testing of Keychain and GPG functionality.
 ### Documentation
 - [ ] **47. Man pages**: Generate and install proper Unix man pages.
 - [ ] **48. API documentation**: Document the internal API for potential library use.
 - [ ] **49. Migration guide**: Document how to migrate from other secret managers.
 - [ ] **50. Security audit documentation**: Document security assumptions and threat model.
 ## Architecture Improvements
 ### Code Structure
 - [ ] **51. Consistent interface implementation**: Ensure all unlocker types properly implement the Unlocker interface.
 - [ ] **52. Better separation of concerns**: Some functions in CLI do too much and should be split.
 - [ ] **53. Improved error types**: Create specific error types instead of using generic `fmt.Errorf`.
 ### Testing Infrastructure
 - [x] **54. Mock filesystem consistency**: Ensure mock filesystem behavior matches real filesystem in all cases.
 - [x] **55. Integration test isolation**: Tests should not affect each other or the host system.
 - [ ] **56. Performance benchmarks**: Add benchmarks for crypto operations and file I/O.
 ## Technical Debt
 - [ ] **57. Remove unused code**: Clean up any dead code or unused imports.
 - [ ] **58. Standardize JSON schemas**: Create proper JSON schemas for all configuration files.
 - [ ] **59. Improve error propagation**: Many functions swallow important context in error messages.
 - [ ] **60. Consistent naming conventions**: Some variables and functions use inconsistent naming.
 ## Development Workflow
 - [ ] **61. Add pre-commit hooks**: Ensure code quality and formatting before commits.
 - [ ] **62. Continuous integration**: Set up CI/CD pipeline with automated testing.
 - [ ] **63. Release automation**: Automate the build and release process.
 - [ ] **64. Dependency management**: Regular updates and security scanning of dependencies.
 ---
 ## Priority Assessment
 **Critical items** (1-12) block the 1.0 release and must be fixed for basic functionality and security.
 **Important items** (13-30) should be addressed for a polished user experience but don't block the release.
 **Trivial items** (31-50) are enhancements that can be addressed in future releases.
 **Architecture and Infrastructure** (51-64) are longer-term improvements for maintainability and development workflow.
 ## Estimated Timeline
 - Critical (1-12): 2-3 weeks
 - Important (13-30): 3-4 weeks  
 - Trivial (31-50): Ongoing post-1.0
 - Architecture/Infrastructure (51-64): Ongoing post-1.0
 Total estimated time to 1.0: 5-7 weeks with focused development effort. 
 ### Architecture Issues
 - **Need to refactor unlock key hierarchy**: Current implementation has confusion between the top-level concepts. Fix in progress.
 - Current code uses `unlockers.d/` but documentation shows `unlock-keys.d/`
 - Need to settle on consistent naming: "unlock keys" vs "unlockers" throughout the codebase
 - [ ] **51. Consistent interface implementation**: Ensure all unlocker types properly implement the Unlocker interface. 
--- a/cmd/secret/main.go
+++ b/cmd/secret/main.go
@@ -1,7 +1,8 @@
 // Package main is the entry point for the secret CLI application.
 package main
 import "git.eeqj.de/sneak/secret/internal/cli"
 func main() {
-	cli.CLIEntry()
+	cli.Entry()
 }
--- a/go.mod
+++ b/go.mod
@@ -4,10 +4,12 @@ go 1.24.1
 require (
 	filippo.io/age v1.2.1
 	github.com/awnumar/memguard v0.22.5
 	github.com/btcsuite/btcd v0.24.2
 	github.com/btcsuite/btcd/btcec/v2 v2.1.3
 	github.com/btcsuite/btcd/btcutil v1.1.6
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
 	github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/spf13/afero v1.14.0
 	github.com/spf13/cobra v1.9.1
@@ -18,10 +20,15 @@ require (
 )
 require (
 	github.com/awnumar/memcall v0.2.0 // indirect
 	github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	golang.org/x/sys v0.33.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,10 @@ c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZ
 filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
 filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
 github.com/awnumar/memcall v0.2.0 h1:sRaogqExTOOkkNwO9pzJsL8jrOV29UuUW7teRMfbqtI=
 github.com/awnumar/memcall v0.2.0/go.mod h1:S911igBPR9CThzd/hYQQmTc9SWNu3ZHIlCGaWsWsoJo=
 github.com/awnumar/memguard v0.22.5 h1:PH7sbUVERS5DdXh3+mLo8FDcl1eIeVjJVYMnyuYpvuI=
 github.com/awnumar/memguard v0.22.5/go.mod h1:+APmZGThMBWjnMlKiSM1X7MVpbIVewen2MTkqWkA/zE=
 github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
 github.com/btcsuite/btcd v0.22.0-beta.0.20220111032746-97732e52810c/go.mod h1:tjmYdS6MLJ5/s0Fj4DbLgSbDHbEqLJrtnHecBFkdz5M=
 github.com/btcsuite/btcd v0.23.5-0.20231215221805-96c9fd8078fd/go.mod h1:nm3Bko6zh6bWP60UxwoT5LzdGJsQJaPo6HjduXq9p6A=
@@ -39,6 +43,10 @@ github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -59,7 +67,14 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
 github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1 h1:yi1W8qcFJ2plmaGJFN1npm0KQviWPMCtQOYuwDT6Swk=
 github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1/go.mod h1:qDHUvIjGZJUtdPtuP4WMu5/U4aVWbFw1MhlkJqCGmCQ=
 github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
 github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
@@ -107,11 +122,14 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -1,93 +1,72 @@
 // Package cli implements the command-line interface for the secret application.
 package cli
 import (
 	"bufio"
 	"fmt"
 	"os"
 	"strings"
 	"syscall"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
-// Global scanner for consistent stdin reading
+// Instance encapsulates all CLI functionality and state
-var stdinScanner *bufio.Scanner
+type Instance struct {
 // CLIInstance encapsulates all CLI functionality and state
 type CLIInstance struct {
 	fs       afero.Fs
 	stateDir string
 	cmd      *cobra.Command
 }
 // NewCLIInstance creates a new CLI instance with the real filesystem
-func NewCLIInstance() *CLIInstance {
+func NewCLIInstance() (*Instance, error) {
 	fs := afero.NewOsFs()
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
-	return &CLIInstance{
+	if err != nil {
 		return nil, fmt.Errorf("cannot determine state directory: %w", err)
 	}
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}
+	}, nil
 }
 // NewCLIInstanceWithFs creates a new CLI instance with the given filesystem (for testing)
-func NewCLIInstanceWithFs(fs afero.Fs) *CLIInstance {
+func NewCLIInstanceWithFs(fs afero.Fs) (*Instance, error) {
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
-	return &CLIInstance{
+	if err != nil {
 		return nil, fmt.Errorf("cannot determine state directory: %w", err)
 	}
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}
+	}, nil
 }
 // NewCLIInstanceWithStateDir creates a new CLI instance with custom state directory (for testing)
-func NewCLIInstanceWithStateDir(fs afero.Fs, stateDir string) *CLIInstance {
+func NewCLIInstanceWithStateDir(fs afero.Fs, stateDir string) *Instance {
-	return &CLIInstance{
+	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
 	}
 }
 // SetFilesystem sets the filesystem for this CLI instance (for testing)
-func (cli *CLIInstance) SetFilesystem(fs afero.Fs) {
+func (cli *Instance) SetFilesystem(fs afero.Fs) {
 	cli.fs = fs
 }
 // SetStateDir sets the state directory for this CLI instance (for testing)
-func (cli *CLIInstance) SetStateDir(stateDir string) {
+func (cli *Instance) SetStateDir(stateDir string) {
 	cli.stateDir = stateDir
 }
 // GetStateDir returns the state directory for this CLI instance
-func (cli *CLIInstance) GetStateDir() string {
+func (cli *Instance) GetStateDir() string {
 	return cli.stateDir
 }
-// getStdinScanner returns a shared scanner for stdin to avoid buffering issues
+// Print outputs to the command's configured output writer
-func getStdinScanner() *bufio.Scanner {
+func (cli *Instance) Print(a ...interface{}) (n int, err error) {
-	if stdinScanner == nil {
+	return fmt.Fprint(cli.cmd.OutOrStdout(), a...)
 		stdinScanner = bufio.NewScanner(os.Stdin)
 	}
 	return stdinScanner
 }
 // readLineFromStdin reads a single line from stdin with a prompt
 // Uses a shared scanner to avoid buffering issues between multiple calls
 func readLineFromStdin(prompt string) (string, error) {
 	// Check if stderr is a terminal - if not, we can't prompt interactively
 	if !term.IsTerminal(int(syscall.Stderr)) {
 		return "", fmt.Errorf("cannot prompt for input: stderr is not a terminal (running in non-interactive mode)")
 	}
 	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
 	scanner := getStdinScanner()
 	if !scanner.Scan() {
 		if err := scanner.Err(); err != nil {
 			return "", fmt.Errorf("failed to read from stdin: %w", err)
 		}
 		return "", fmt.Errorf("failed to read from stdin: EOF")
 	}
 	return strings.TrimSpace(scanner.Text()), nil
 }
--- a/internal/cli/cli_test.go
+++ b/internal/cli/cli_test.go
@@ -25,7 +25,10 @@ func TestCLIInstanceStateDir(t *testing.T) {
 func TestCLIInstanceWithFs(t *testing.T) {
 	// Test creating CLI instance with custom filesystem
 	fs := afero.NewMemMapFs()
-	cli := NewCLIInstanceWithFs(fs)
+	cli, err := NewCLIInstanceWithFs(fs)
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	// The state directory should be determined automatically
 	stateDir := cli.GetStateDir()
@@ -37,29 +40,25 @@ func TestCLIInstanceWithFs(t *testing.T) {
 func TestDetermineStateDir(t *testing.T) {
 	// Test the determineStateDir function from the secret package
 	// Save original environment and restore it after test
 	originalStateDir := os.Getenv(secret.EnvStateDir)
 	defer func() {
 		if originalStateDir == "" {
 			os.Unsetenv(secret.EnvStateDir)
 		} else {
 			os.Setenv(secret.EnvStateDir, originalStateDir)
 		}
 	}()
 	// Test with environment variable set
 	testEnvDir := "/test-env-dir"
-	os.Setenv(secret.EnvStateDir, testEnvDir)
+	t.Setenv(secret.EnvStateDir, testEnvDir)
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if stateDir != testEnvDir {
 		t.Errorf("Expected state directory %q from environment, got %q", testEnvDir, stateDir)
 	}
 	// Test with custom config dir
-	os.Unsetenv(secret.EnvStateDir)
+	_ = os.Unsetenv(secret.EnvStateDir)
 	customConfigDir := "/custom-config"
-	stateDir = secret.DetermineStateDir(customConfigDir)
+	stateDir, err = secret.DetermineStateDir(customConfigDir)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	expectedDir := filepath.Join(customConfigDir, secret.AppID)
 	if stateDir != expectedDir {
 		t.Errorf("Expected state directory %q with custom config, got %q", expectedDir, stateDir)
--- a/internal/cli/completion.go
+++ b/internal/cli/completion.go
@@ -0,0 +1,64 @@
 package cli
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 )
 func newCompletionCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "completion [bash|zsh|fish|powershell]",
 		Short: "Generate completion script",
 		Long: `To load completions:
 Bash:
  $ source <(secret completion bash)
  # To load completions for each session, execute once:
  # Linux:
  $ secret completion bash > /etc/bash_completion.d/secret
  # macOS:
  $ secret completion bash > $(brew --prefix)/etc/bash_completion.d/secret
 Zsh:
  # If shell completion is not already enabled in your environment,
  # you will need to enable it.  You can execute the following once:
  $ echo "autoload -U compinit; compinit" >> ~/.zshrc
  # To load completions for each session, execute once:
  $ secret completion zsh > "${fpath[1]}/_secret"
  # You will need to start a new shell for this setup to take effect.
 Fish:
  $ secret completion fish | source
  # To load completions for each session, execute once:
  $ secret completion fish > ~/.config/fish/completions/secret.fish
 PowerShell:
  PS> secret completion powershell | Out-String | Invoke-Expression
  # To load completions for every new session, run:
  PS> secret completion powershell > secret.ps1
  # and source this file from your PowerShell profile.
 `,
 		DisableFlagsInUseLine: true,
 		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 		Args:                  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			switch args[0] {
 			case "bash":
 				return cmd.Root().GenBashCompletion(os.Stdout)
 			case "zsh":
 				return cmd.Root().GenZshCompletion(os.Stdout)
 			case "fish":
 				return cmd.Root().GenFishCompletion(os.Stdout, true)
 			case "powershell":
 				return cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
 			default:
 				return fmt.Errorf("unsupported shell type: %s", args[0])
 			}
 		},
 	}
 	return cmd
 }
--- a/internal/cli/completions.go
+++ b/internal/cli/completions.go
@@ -0,0 +1,205 @@
 package cli
 import (
 	"encoding/json"
 	"path/filepath"
 	"strings"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 // getSecretNamesCompletionFunc returns a completion function that provides secret names
 func getSecretNamesCompletionFunc(fs afero.Fs, stateDir string) func(
 	cmd *cobra.Command, args []string, toComplete string,
 ) ([]string, cobra.ShellCompDirective) {
 	return func(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		// Get current vault
 		vlt, err := vault.GetCurrentVault(fs, stateDir)
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Get list of secrets
 		secrets, err := vlt.ListSecrets()
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Filter secrets based on what user has typed
 		var completions []string
 		for _, secret := range secrets {
 			if strings.HasPrefix(secret, toComplete) {
 				completions = append(completions, secret)
 			}
 		}
 		return completions, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 // getUnlockerIDsCompletionFunc returns a completion function that provides unlocker IDs
 func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
 	cmd *cobra.Command, args []string, toComplete string,
 ) ([]string, cobra.ShellCompDirective) {
 	return func(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		// Get current vault
 		vlt, err := vault.GetCurrentVault(fs, stateDir)
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Get unlocker metadata list
 		unlockerMetadataList, err := vlt.ListUnlockers()
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Get vault directory
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Collect unlocker IDs
 		var completions []string
 		for _, metadata := range unlockerMetadataList {
 			// Get the actual unlocker ID by creating the unlocker instance
 			unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 			files, err := afero.ReadDir(fs, unlockersDir)
 			if err != nil {
 				secret.Warn("Could not read unlockers directory during completion", "error", err)
 				continue
 			}
 			for _, file := range files {
 				if !file.IsDir() {
 					continue
 				}
 				unlockerDir := filepath.Join(unlockersDir, file.Name())
 				metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 				// Check if this is the right unlocker by comparing metadata
 				metadataBytes, err := afero.ReadFile(fs, metadataPath)
 				if err != nil {
 					secret.Warn("Could not read unlocker metadata during completion", "path", metadataPath, "error", err)
 					continue
 				}
 				var diskMetadata secret.UnlockerMetadata
 				if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 					secret.Warn("Could not parse unlocker metadata during completion", "path", metadataPath, "error", err)
 					continue
 				}
 				// Match by type and creation time
 				if diskMetadata.Type == metadata.Type && diskMetadata.CreatedAt.Equal(metadata.CreatedAt) {
 					// Create the appropriate unlocker instance
 					var unlocker secret.Unlocker
 					switch metadata.Type {
 					case "passphrase":
 						unlocker = secret.NewPassphraseUnlocker(fs, unlockerDir, diskMetadata)
 					case "keychain":
 						unlocker = secret.NewKeychainUnlocker(fs, unlockerDir, diskMetadata)
 					case "pgp":
 						unlocker = secret.NewPGPUnlocker(fs, unlockerDir, diskMetadata)
 					}
 					if unlocker != nil {
 						id := unlocker.GetID()
 						if strings.HasPrefix(id, toComplete) {
 							completions = append(completions, id)
 						}
 					}
 					break
 				}
 			}
 		}
 		return completions, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 // getVaultNamesCompletionFunc returns a completion function that provides vault names
 func getVaultNamesCompletionFunc(fs afero.Fs, stateDir string) func(
 	cmd *cobra.Command, args []string, toComplete string,
 ) ([]string, cobra.ShellCompDirective) {
 	return func(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		vaults, err := vault.ListVaults(fs, stateDir)
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
 		var completions []string
 		for _, v := range vaults {
 			if strings.HasPrefix(v, toComplete) {
 				completions = append(completions, v)
 			}
 		}
 		return completions, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 // getVaultSecretCompletionFunc returns a completion function for vault:secret format
 // It completes vault names with ":" suffix, and after ":" it completes secrets from that vault
 func getVaultSecretCompletionFunc(fs afero.Fs, stateDir string) func(
 	cmd *cobra.Command, args []string, toComplete string,
 ) ([]string, cobra.ShellCompDirective) {
 	return func(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		var completions []string
 		// Check if we're completing after a vault: prefix
 		if strings.Contains(toComplete, ":") {
 			// Complete secret names for the specified vault
 			const vaultSecretParts = 2
 			parts := strings.SplitN(toComplete, ":", vaultSecretParts)
 			vaultName := parts[0]
 			secretPrefix := parts[1]
 			vlt := vault.NewVault(fs, stateDir, vaultName)
 			secrets, err := vlt.ListSecrets()
 			if err == nil {
 				for _, secretName := range secrets {
 					if strings.HasPrefix(secretName, secretPrefix) {
 						completions = append(completions, vaultName+":"+secretName)
 					}
 				}
 			}
 			return completions, cobra.ShellCompDirectiveNoFileComp
 		}
 		// Complete vault names with ":" suffix
 		vaults, err := vault.ListVaults(fs, stateDir)
 		if err == nil {
 			for _, v := range vaults {
 				if strings.HasPrefix(v, toComplete) {
 					completions = append(completions, v+":")
 				}
 			}
 		}
 		// Also complete secrets from current vault (for within-vault moves)
 		if currentVlt, err := vault.GetCurrentVault(fs, stateDir); err == nil {
 			secrets, err := currentVlt.ListSecrets()
 			if err == nil {
 				for _, secretName := range secrets {
 					if strings.HasPrefix(secretName, toComplete) {
 						completions = append(completions, secretName)
 					}
 				}
 			}
 		}
 		return completions, cobra.ShellCompDirectiveNoSpace
 	}
 }
--- a/internal/cli/crypto.go
+++ b/internal/cli/crypto.go
@@ -8,6 +8,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 )
@@ -21,14 +22,19 @@ func newEncryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.Encrypt(args[0], inputFile, outputFile)
 		},
 	}
 	cmd.Flags().StringP("input", "i", "", "Input file (default: stdin)")
 	cmd.Flags().StringP("output", "o", "", "Output file (default: stdout)")
 	return cmd
 }
@@ -42,19 +48,24 @@ func newDecryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.Decrypt(args[0], inputFile, outputFile)
 		},
 	}
 	cmd.Flags().StringP("input", "i", "", "Input file (default: stdin)")
 	cmd.Flags().StringP("output", "o", "", "Output file (default: stdout)")
 	return cmd
 }
 // Encrypt encrypts data using an age secret key stored in a secret
-func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error {
+func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -70,46 +81,46 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
-	if exists {
+	if !exists { //nolint:nestif // Clear conditional logic for secret generation vs retrieval
 		// Secret exists, get the age secret key from it
 		var secretValue []byte
 		if os.Getenv(secret.EnvMnemonic) != "" {
 			secretValue, err = secretObj.GetValue(nil)
 		} else {
 			unlocker, unlockErr := vlt.GetCurrentUnlocker()
 			if unlockErr != nil {
 				return fmt.Errorf("failed to get current unlocker: %w", unlockErr)
 			}
 			secretValue, err = secretObj.GetValue(unlocker)
 		}
 		if err != nil {
 			return fmt.Errorf("failed to get secret value: %w", err)
 		}
 		ageSecretKey = string(secretValue)
 		// Validate that it's a valid age secret key
 		if !isValidAgeSecretKey(ageSecretKey) {
 			return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 		}
 	} else {
 		// Secret doesn't exist, generate new age key and store it
 		identity, err := age.GenerateX25519Identity()
 		if err != nil {
 			return fmt.Errorf("failed to generate age key: %w", err)
 		}
-		ageSecretKey = identity.String()
+		// Store the generated key directly in a secure buffer
 		identityStr := identity.String()
 		secureBuffer := memguard.NewBufferFromBytes([]byte(identityStr))
 		defer secureBuffer.Destroy()
-		// Store the generated key as a secret
+		// Set ageSecretKey for later use (we need it for encryption)
-		err = vlt.AddSecret(secretName, []byte(ageSecretKey), false)
+		ageSecretKey = identityStr
 		err = vlt.AddSecret(secretName, secureBuffer, false)
 		if err != nil {
 			return fmt.Errorf("failed to store age key: %w", err)
 		}
 	} else {
 		// Secret exists, get the age secret key from it
 		secretBuffer, err := cli.getSecretValue(vlt, secretObj)
 		if err != nil {
 			return fmt.Errorf("failed to get secret value: %w", err)
 		}
 		defer secretBuffer.Destroy()
 		ageSecretKey = secretBuffer.String()
 		// Validate that it's a valid age secret key
 		if !isValidAgeSecretKey(ageSecretKey) {
 			return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 		}
 	}
-	// Parse the secret key
+	// Parse the secret key using secure buffer
-	identity, err := age.ParseX25519Identity(ageSecretKey)
+	finalSecureBuffer := memguard.NewBufferFromBytes([]byte(ageSecretKey))
 	defer finalSecureBuffer.Destroy()
 	identity, err := age.ParseX25519Identity(finalSecureBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse age secret key: %w", err)
 	}
@@ -124,18 +135,18 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 		if err != nil {
 			return fmt.Errorf("failed to open input file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		input = file
 	}
 	// Set up output writer
-	var output io.Writer = cli.cmd.OutOrStdout()
+	output := cli.cmd.OutOrStdout()
 	if outputFile != "" {
 		file, err := cli.fs.Create(outputFile)
 		if err != nil {
 			return fmt.Errorf("failed to create output file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		output = file
 	}
@@ -157,7 +168,7 @@ func (cli *CLIInstance) Encrypt(secretName, inputFile, outputFile string) error
 }
 // Decrypt decrypts data using an age secret key stored in a secret
-func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error {
+func (cli *Instance) Decrypt(secretName, inputFile, outputFile string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -176,29 +187,28 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 	}
 	// Get the age secret key from the secret
-	var secretValue []byte
+	var secretBuffer *memguard.LockedBuffer
 	if os.Getenv(secret.EnvMnemonic) != "" {
-		secretValue, err = secretObj.GetValue(nil)
+		secretBuffer, err = secretObj.GetValue(nil)
 	} else {
 		unlocker, unlockErr := vlt.GetCurrentUnlocker()
 		if unlockErr != nil {
 			return fmt.Errorf("failed to get current unlocker: %w", unlockErr)
 		}
-		secretValue, err = secretObj.GetValue(unlocker)
+		secretBuffer, err = secretObj.GetValue(unlocker)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to get secret value: %w", err)
 	}
-
+	defer secretBuffer.Destroy()
 	ageSecretKey := string(secretValue)
 	// Validate that it's a valid age secret key
-	if !isValidAgeSecretKey(ageSecretKey) {
+	if !isValidAgeSecretKey(secretBuffer.String()) {
 		return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 	}
 	// Parse the age secret key to get the identity
-	identity, err := age.ParseX25519Identity(ageSecretKey)
+	identity, err := age.ParseX25519Identity(secretBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse age secret key: %w", err)
 	}
@@ -210,18 +220,18 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 		if err != nil {
 			return fmt.Errorf("failed to open input file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		input = file
 	}
 	// Set up output writer
-	var output io.Writer = cli.cmd.OutOrStdout()
+	output := cli.cmd.OutOrStdout()
 	if outputFile != "" {
 		file, err := cli.fs.Create(outputFile)
 		if err != nil {
 			return fmt.Errorf("failed to create output file: %w", err)
 		}
-		defer file.Close()
+		defer func() { _ = file.Close() }()
 		output = file
 	}
@@ -241,5 +251,20 @@ func (cli *CLIInstance) Decrypt(secretName, inputFile, outputFile string) error
 // isValidAgeSecretKey checks if a string is a valid age secret key by attempting to parse it
 func isValidAgeSecretKey(key string) bool {
 	_, err := age.ParseX25519Identity(key)
 	return err == nil
 }
 // getSecretValue retrieves the value of a secret using the appropriate unlocker
 func (cli *Instance) getSecretValue(vlt *vault.Vault, secretObj *secret.Secret) (*memguard.LockedBuffer, error) {
 	if os.Getenv(secret.EnvMnemonic) != "" {
 		return secretObj.GetValue(nil)
 	}
 	unlocker, err := vlt.GetCurrentUnlocker()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
 	return secretObj.GetValue(unlocker)
 }
--- a/internal/cli/generate.go
+++ b/internal/cli/generate.go
@@ -7,10 +7,16 @@ import (
 	"os"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
 const (
 	defaultSecretLength = 16
 	mnemonicEntropyBits = 128
 )
 func newGenerateCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "generate",
@@ -28,9 +34,15 @@ func newGenerateMnemonicCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "mnemonic",
 		Short: "Generate a random BIP39 mnemonic phrase",
-		Long:  `Generate a cryptographically secure random BIP39 mnemonic phrase that can be used with 'secret init' or 'secret import'.`,
+		Long: `Generate a cryptographically secure random BIP39 ` +
-		RunE: func(cmd *cobra.Command, args []string) error {
+			`mnemonic phrase that can be used with 'secret init' ` +
-			cli := NewCLIInstance()
+			`or 'secret import'.`,
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GenerateMnemonic(cmd)
 		},
 	}
@@ -47,12 +59,16 @@ func newGenerateSecretCmd() *cobra.Command {
 			secretType, _ := cmd.Flags().GetString("type")
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GenerateSecret(cmd, args[0], length, secretType, force)
 		},
 	}
-	cmd.Flags().IntP("length", "l", 16, "Length of the generated secret (default 16)")
+	cmd.Flags().IntP("length", "l", defaultSecretLength, "Length of the generated secret (default 16)")
 	cmd.Flags().StringP("type", "t", "base58", "Type of secret to generate (base58, alnum)")
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
@@ -60,9 +76,9 @@ func newGenerateSecretCmd() *cobra.Command {
 }
 // GenerateMnemonic generates a random BIP39 mnemonic phrase
-func (cli *CLIInstance) GenerateMnemonic(cmd *cobra.Command) error {
+func (cli *Instance) GenerateMnemonic(cmd *cobra.Command) error {
 	// Generate 128 bits of entropy for a 12-word mnemonic
-	entropy, err := bip39.NewEntropy(128)
+	entropy, err := bip39.NewEntropy(mnemonicEntropyBits)
 	if err != nil {
 		return fmt.Errorf("failed to generate entropy: %w", err)
 	}
@@ -92,7 +108,13 @@ func (cli *CLIInstance) GenerateMnemonic(cmd *cobra.Command) error {
 }
 // GenerateSecret generates a random secret and stores it in the vault
-func (cli *CLIInstance) GenerateSecret(cmd *cobra.Command, secretName string, length int, secretType string, force bool) error {
+func (cli *Instance) GenerateSecret(
 	cmd *cobra.Command,
 	secretName string,
 	length int,
 	secretType string,
 	force bool,
 ) error {
 	if length < 1 {
 		return fmt.Errorf("length must be at least 1")
 	}
@@ -121,23 +143,30 @@ func (cli *CLIInstance) GenerateSecret(cmd *cobra.Command, secretName string, le
 		return err
 	}
-	if err := vlt.AddSecret(secretName, []byte(secretValue), force); err != nil {
+	// Protect the generated secret immediately
 	secretBuffer := memguard.NewBufferFromBytes([]byte(secretValue))
 	defer secretBuffer.Destroy()
 	if err := vlt.AddSecret(secretName, secretBuffer, force); err != nil {
 		return err
 	}
 	cmd.Printf("Generated and stored %d-character %s secret: %s\n", length, secretType, secretName)
 	return nil
 }
 // generateRandomBase58 generates a random base58 string of the specified length
 func generateRandomBase58(length int) (string, error) {
 	const base58Chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
 	return generateRandomString(length, base58Chars)
 }
 // generateRandomAlnum generates a random alphanumeric string of the specified length
 func generateRandomAlnum(length int) (string, error) {
 	const alnumChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 	return generateRandomString(length, alnumChars)
 }
@@ -150,7 +179,7 @@ func generateRandomString(length int, charset string) (string, error) {
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
-	for i := 0; i < length; i++ {
+	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
--- a/internal/cli/info.go
+++ b/internal/cli/info.go
@@ -0,0 +1,165 @@
 package cli
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/dustin/go-humanize"
 	"github.com/fatih/color"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 // Version info - these are set at build time
 var ( //nolint:gochecknoglobals // Set at build time
 	Version   = "dev"     //nolint:gochecknoglobals // Set at build time
 	GitCommit = "unknown" //nolint:gochecknoglobals // Set at build time
 )
 // InfoOutput represents the system information for JSON output
 type InfoOutput struct {
 	Version       string    `json:"version"`
 	GitCommit     string    `json:"gitCommit"`
 	Author        string    `json:"author"`
 	License       string    `json:"license"`
 	GoVersion     string    `json:"goVersion"`
 	DataDirectory string    `json:"dataDirectory"`
 	CurrentVault  string    `json:"currentVault"`
 	NumVaults     int       `json:"numVaults"`
 	NumSecrets    int       `json:"numSecrets"`
 	TotalSize     int64     `json:"totalSizeBytes"`
 	OldestSecret  time.Time `json:"oldestSecret,omitempty"`
 	LatestSecret  time.Time `json:"latestSecret,omitempty"`
 }
 // newInfoCmd returns the info command
 func newInfoCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	var jsonOutput bool
 	cmd := &cobra.Command{
 		Use:   "info",
 		Short: "Display system information",
 		Long:  "Display information about the secret system including version, vault statistics, and storage usage",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cli.Info(cmd, jsonOutput)
 		},
 	}
 	cmd.Flags().BoolVar(&jsonOutput, "json", false, "Output in JSON format")
 	return cmd
 }
 // Info displays system information
 func (cli *Instance) Info(cmd *cobra.Command, jsonOutput bool) error {
 	info := InfoOutput{
 		Version:       Version,
 		GitCommit:     GitCommit,
 		Author:        "Jeffrey Paul <sneak@sneak.berlin>",
 		License:       "WTFPL",
 		GoVersion:     runtime.Version(),
 		DataDirectory: cli.stateDir,
 	}
 	// Get current vault
 	currentVault, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err == nil {
 		info.CurrentVault = currentVault.Name
 	}
 	// Count vaults
 	vaultsDir := filepath.Join(cli.stateDir, "vaults.d")
 	vaultEntries, err := afero.ReadDir(cli.fs, vaultsDir)
 	if err == nil {
 		for _, entry := range vaultEntries {
 			if entry.IsDir() {
 				info.NumVaults++
 			}
 		}
 	}
 	// Gather statistics from all vaults
 	if info.NumVaults > 0 {
 		totalSecrets, totalSize, oldestTime, latestTime, _ := gatherVaultStats(cli.fs, vaultsDir)
 		info.NumSecrets = totalSecrets
 		info.TotalSize = totalSize
 		if !oldestTime.IsZero() {
 			info.OldestSecret = oldestTime
 		}
 		if !latestTime.IsZero() {
 			info.LatestSecret = latestTime
 		}
 	}
 	if jsonOutput {
 		encoder := json.NewEncoder(cmd.OutOrStdout())
 		encoder.SetIndent("", "  ")
 		return encoder.Encode(info)
 	}
 	// Pretty print with colors and emoji
 	return prettyPrintInfo(cmd.OutOrStdout(), info)
 }
 // prettyPrintInfo formats and prints the info in a pretty format
 func prettyPrintInfo(w io.Writer, info InfoOutput) error {
 	const separatorLength = 40
 	bold := color.New(color.Bold)
 	green := color.New(color.FgGreen)
 	cyan := color.New(color.FgCyan)
 	yellow := color.New(color.FgYellow)
 	magenta := color.New(color.FgMagenta)
 	_, _ = fmt.Fprintln(w)
 	_, _ = bold.Fprintln(w, "🔐 Secret System Information")
 	_, _ = fmt.Fprintln(w, strings.Repeat("─", separatorLength))
 	_, _ = fmt.Fprintf(w, "📦 Version:          %s\n", green.Sprint(info.Version))
 	_, _ = fmt.Fprintf(w, "🔧 Git Commit:       %s\n", cyan.Sprint(info.GitCommit))
 	_, _ = fmt.Fprintf(w, "👤 Author:           %s\n", cyan.Sprint(info.Author))
 	_, _ = fmt.Fprintf(w, "📜 License:          %s\n", cyan.Sprint(info.License))
 	_, _ = fmt.Fprintf(w, "🐹 Go Version:       %s\n", cyan.Sprint(info.GoVersion))
 	_, _ = fmt.Fprintf(w, "📁 Data Directory:   %s\n", yellow.Sprint(info.DataDirectory))
 	if info.CurrentVault != "" {
 		_, _ = fmt.Fprintf(w, "🗄️  Current Vault:    %s\n", magenta.Sprint(info.CurrentVault))
 	} else {
 		_, _ = fmt.Fprintf(w, "🗄️  Current Vault:    %s\n", color.RedString("(none)"))
 	}
 	_, _ = fmt.Fprintln(w, strings.Repeat("─", separatorLength))
 	_, _ = fmt.Fprintf(w, "🗂️  Vaults:           %s\n", bold.Sprint(info.NumVaults))
 	_, _ = fmt.Fprintf(w, "🔑 Secrets:          %s\n", bold.Sprint(info.NumSecrets))
 	if info.TotalSize >= 0 {
 		//nolint:gosec // TotalSize is always >= 0
 		_, _ = fmt.Fprintf(w, "💾 Total Size:       %s\n", bold.Sprint(humanize.Bytes(uint64(info.TotalSize))))
 	} else {
 		_, _ = fmt.Fprintf(w, "💾 Total Size:       %s\n", bold.Sprint("0 B"))
 	}
 	if !info.OldestSecret.IsZero() {
 		_, _ = fmt.Fprintf(w, "🕰️  Oldest Secret:    %s\n", info.OldestSecret.Format("2006-01-02 15:04:05"))
 	}
 	if !info.LatestSecret.IsZero() {
 		_, _ = fmt.Fprintf(w, "✨ Latest Secret:    %s\n", info.LatestSecret.Format("2006-01-02 15:04:05"))
 	}
 	_, _ = fmt.Fprintln(w)
 	return nil
 }
--- a/internal/cli/info_helper.go
+++ b/internal/cli/info_helper.go
@@ -0,0 +1,88 @@
 package cli
 import (
 	"path/filepath"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 )
 // gatherVaultStats collects statistics from all vaults
 func gatherVaultStats(
 	fs afero.Fs,
 	vaultsDir string,
 ) (totalSecrets int, totalSize int64, oldestTime, latestTime time.Time, err error) {
 	vaultEntries, err := afero.ReadDir(fs, vaultsDir)
 	if err != nil {
 		return 0, 0, time.Time{}, time.Time{}, err
 	}
 	for _, vaultEntry := range vaultEntries {
 		if !vaultEntry.IsDir() {
 			continue
 		}
 		vaultPath := filepath.Join(vaultsDir, vaultEntry.Name())
 		secretsPath := filepath.Join(vaultPath, "secrets.d")
 		// Count secrets in this vault
 		secretEntries, err := afero.ReadDir(fs, secretsPath)
 		if err != nil {
 			secret.Warn("Could not read secrets directory for vault", "vault", vaultEntry.Name(), "error", err)
 			continue
 		}
 		for _, secretEntry := range secretEntries {
 			if !secretEntry.IsDir() {
 				continue
 			}
 			totalSecrets++
 			secretPath := filepath.Join(secretsPath, secretEntry.Name())
 			// Get size and timestamps from all versions
 			versionsPath := filepath.Join(secretPath, "versions")
 			versionEntries, err := afero.ReadDir(fs, versionsPath)
 			if err != nil {
 				secret.Warn("Could not read versions directory for secret", "secret", secretEntry.Name(), "error", err)
 				continue
 			}
 			for _, versionEntry := range versionEntries {
 				if !versionEntry.IsDir() {
 					continue
 				}
 				versionPath := filepath.Join(versionsPath, versionEntry.Name())
 				// Add size of encrypted data
 				dataPath := filepath.Join(versionPath, "data.age")
 				if stat, err := fs.Stat(dataPath); err == nil {
 					totalSize += stat.Size()
 				}
 				// Add size of metadata
 				metaPath := filepath.Join(versionPath, "metadata.age")
 				if stat, err := fs.Stat(metaPath); err == nil {
 					totalSize += stat.Size()
 				}
 				// Track timestamps
 				if stat, err := fs.Stat(versionPath); err == nil {
 					modTime := stat.ModTime()
 					if oldestTime.IsZero() || modTime.Before(oldestTime) {
 						oldestTime = modTime
 					}
 					if latestTime.IsZero() || modTime.After(latestTime) {
 						latestTime = modTime
 					}
 				}
 			}
 		}
 	}
 	return totalSecrets, totalSize, oldestTime, latestTime, nil
 }
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@@ -2,16 +2,16 @@ package cli
 import (
 	"fmt"
 	"log"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
-	"github.com/spf13/afero"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -27,13 +27,17 @@ func NewInitCmd() *cobra.Command {
 }
 // RunInit is the exported function that handles the init command
-func RunInit(cmd *cobra.Command, args []string) error {
+func RunInit(cmd *cobra.Command, _ []string) error {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return cli.Init(cmd)
 }
 // Init initializes the secret manager
-func (cli *CLIInstance) Init(cmd *cobra.Command) error {
+func (cli *Instance) Init(cmd *cobra.Command) error {
 	secret.Debug("Starting secret manager initialization")
 	// Create state directory
@@ -42,6 +46,7 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	if err := cli.fs.MkdirAll(stateDir, secret.DirPerms); err != nil {
 		secret.Debug("Failed to create state directory", "error", err)
 		return fmt.Errorf("failed to create state directory: %w", err)
 	}
@@ -57,17 +62,22 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 		mnemonicStr = envMnemonic
 	} else {
 		secret.Debug("Prompting user for mnemonic phrase")
-		// Read mnemonic from stdin using shared line reader
+		// Read mnemonic securely without echo
-		var err error
+		mnemonicBuffer, err := secret.ReadPassphrase("Enter your BIP39 mnemonic phrase: ")
 		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
 		if err != nil {
 			secret.Debug("Failed to read mnemonic from stdin", "error", err)
 			return fmt.Errorf("failed to read mnemonic: %w", err)
 		}
 		defer mnemonicBuffer.Destroy()
 		mnemonicStr = mnemonicBuffer.String()
 		fmt.Fprintln(os.Stderr) // Add newline after hidden input
 	}
 	if mnemonicStr == "" {
 		secret.Debug("Empty mnemonic provided")
 		return fmt.Errorf("mnemonic cannot be empty")
 	}
@@ -75,17 +85,18 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	secret.DebugWith("Validating BIP39 mnemonic", slog.Int("word_count", len(strings.Fields(mnemonicStr))))
 	if !bip39.IsMnemonicValid(mnemonicStr) {
 		secret.Debug("Invalid BIP39 mnemonic provided")
 		return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
 	}
 	// Set mnemonic in environment for CreateVault to use
 	originalMnemonic := os.Getenv(secret.EnvMnemonic)
-	os.Setenv(secret.EnvMnemonic, mnemonicStr)
+	_ = os.Setenv(secret.EnvMnemonic, mnemonicStr)
 	defer func() {
 		if originalMnemonic != "" {
-			os.Setenv(secret.EnvMnemonic, originalMnemonic)
+			_ = os.Setenv(secret.EnvMnemonic, originalMnemonic)
 		} else {
-			os.Unsetenv(secret.EnvMnemonic)
+			_ = os.Unsetenv(secret.EnvMnemonic)
 		}
 	}()
@@ -94,6 +105,7 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	vlt, err := vault.CreateVault(cli.fs, cli.stateDir, "default")
 	if err != nil {
 		secret.Debug("Failed to create default vault", "error", err)
 		return fmt.Errorf("failed to create default vault: %w", err)
 	}
@@ -102,6 +114,7 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	metadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
 	if err != nil {
 		secret.Debug("Failed to load vault metadata", "error", err)
 		return fmt.Errorf("failed to load vault metadata: %w", err)
 	}
@@ -109,6 +122,7 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, metadata.DerivationIndex)
 	if err != nil {
 		secret.Debug("Failed to derive long-term key", "error", err)
 		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 	}
 	ltPubKey := ltIdentity.Recipient().String()
@@ -117,53 +131,33 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 	vlt.Unlock(ltIdentity)
 	// Prompt for passphrase for unlocker
-	var passphraseStr string
+	var passphraseBuffer *memguard.LockedBuffer
 	if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
 		secret.Debug("Using unlock passphrase from environment variable")
-		passphraseStr = envPassphrase
+		passphraseBuffer = memguard.NewBufferFromBytes([]byte(envPassphrase))
 	} else {
 		secret.Debug("Prompting user for unlock passphrase")
 		// Use secure passphrase input with confirmation
-		passphraseStr, err = readSecurePassphrase("Enter passphrase for unlocker: ")
+		passphraseBuffer, err = readSecurePassphrase("Enter passphrase for unlocker: ")
 		if err != nil {
 			secret.Debug("Failed to read unlock passphrase", "error", err)
 			return fmt.Errorf("failed to read passphrase: %w", err)
 		}
 	}
 	defer passphraseBuffer.Destroy()
 	// Create passphrase-protected unlocker
 	secret.Debug("Creating passphrase-protected unlocker")
-	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
+	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		secret.Debug("Failed to create unlocker", "error", err)
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
-	// Encrypt long-term private key to the unlocker
+	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
-	unlockerDir := passphraseUnlocker.GetDirectory()
+	// private key to longterm.age, so no need to do it again here.
 	// Read unlocker public key
 	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
 	if err != nil {
 		return fmt.Errorf("failed to read unlocker public key: %w", err)
 	}
 	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
 	if err != nil {
 		return fmt.Errorf("failed to parse unlocker public key: %w", err)
 	}
 	// Encrypt long-term private key to unlocker
 	ltPrivKeyData := []byte(ltIdentity.String())
 	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockerRecipient)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}
 	// Write encrypted long-term private key
 	if err := afero.WriteFile(cli.fs, filepath.Join(unlockerDir, "longterm.age"), encryptedLtPrivKey, secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")
@@ -179,23 +173,33 @@ func (cli *CLIInstance) Init(cmd *cobra.Command) error {
 // readSecurePassphrase reads a passphrase securely from the terminal without echoing
 // This version adds confirmation (read twice) for creating new unlockers
-func readSecurePassphrase(prompt string) (string, error) {
+// Returns a LockedBuffer containing the passphrase
 func readSecurePassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	// Get the first passphrase
-	passphrase1, err := secret.ReadPassphrase(prompt)
+	passphraseBuffer1, err := secret.ReadPassphrase(prompt)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	// Read confirmation passphrase
-	passphrase2, err := secret.ReadPassphrase("Confirm passphrase: ")
+	passphraseBuffer2, err := secret.ReadPassphrase("Confirm passphrase: ")
 	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase confirmation: %w", err)
+		passphraseBuffer1.Destroy()
 		return nil, fmt.Errorf("failed to read passphrase confirmation: %w", err)
 	}
 	// Compare passphrases
-	if passphrase1 != passphrase2 {
+	if passphraseBuffer1.String() != passphraseBuffer2.String() {
-		return "", fmt.Errorf("passphrases do not match")
+		passphraseBuffer1.Destroy()
 		passphraseBuffer2.Destroy()
 		return nil, fmt.Errorf("passphrases do not match")
 	}
-	return passphrase1, nil
+	// Clean up the second buffer, we'll return the first
 	passphraseBuffer2.Destroy()
 	// Return the first buffer (caller is responsible for destroying it)
 	return passphraseBuffer1, nil
 }
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
--- a/internal/cli/root.go
+++ b/internal/cli/root.go
@@ -7,8 +7,8 @@ import (
 	"github.com/spf13/cobra"
 )
-// CLIEntry is the entry point for the secret CLI application
+// Entry is the entry point for the secret CLI application
-func CLIEntry() {
+func Entry() {
 	cmd := newRootCmd()
 	if err := cmd.Execute(); err != nil {
 		os.Exit(1)
@@ -34,13 +34,17 @@ func newRootCmd() *cobra.Command {
 	cmd.AddCommand(newAddCmd())
 	cmd.AddCommand(newGetCmd())
 	cmd.AddCommand(newListCmd())
-	cmd.AddCommand(newUnlockersCmd())
+	cmd.AddCommand(newRemoveCmd())
 	cmd.AddCommand(newMoveCmd())
 	cmd.AddCommand(newUnlockerCmd())
 	cmd.AddCommand(newImportCmd())
 	cmd.AddCommand(newEncryptCmd())
 	cmd.AddCommand(newDecryptCmd())
 	cmd.AddCommand(newVersionCmd())
 	cmd.AddCommand(newInfoCmd())
 	cmd.AddCommand(newCompletionCmd())
 	secret.Debug("newRootCmd completed")
 	return cmd
 }
--- a/internal/cli/secrets.go
+++ b/internal/cli/secrets.go
@@ -4,14 +4,36 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"path/filepath"
 	"strings"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 const (
 	// vaultSecretSeparator is the delimiter between vault name and secret name
 	vaultSecretSeparator = ":"
 	// vaultSecretParts is the number of parts when splitting vault:secret
 	vaultSecretParts = 2
 )
 // ParseVaultSecretRef parses a "vault:secret" or just "secret" reference
 // Returns (vaultName, secretName, isQualified)
 // If no vault is specified, returns empty vaultName and isQualified=false
 func ParseVaultSecretRef(ref string) (vaultName, secretName string, isQualified bool) {
 	parts := strings.SplitN(ref, vaultSecretSeparator, vaultSecretParts)
 	if len(parts) == vaultSecretParts {
 		return parts[0], parts[1], true
 	}
 	return "", ref, false
 }
 func newAddCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "add <secret-name>",
@@ -23,30 +45,45 @@ func newAddCmd() *cobra.Command {
 			force, _ := cmd.Flags().GetBool("force")
 			secret.Debug("Got force flag", "force", force)
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd // Set the command for stdin access
 			secret.Debug("Created CLI instance, calling AddSecret")
 			return cli.AddSecret(args[0], force)
 		},
 	}
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
 	return cmd
 }
 func newGetCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:               "get <secret-name>",
 		Short:             "Retrieve a secret from the vault",
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			version, _ := cmd.Flags().GetString("version")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GetSecretWithVersion(cmd, args[0], version)
 		},
 	}
 	cmd.Flags().StringP("version", "v", "", "Get a specific version (default: current)")
 	return cmd
 }
@@ -59,18 +96,25 @@ func newListCmd() *cobra.Command {
 		Args:    cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 			quietOutput, _ := cmd.Flags().GetBool("quiet")
 			var filter string
 			if len(args) > 0 {
 				filter = args[0]
 			}
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
-			return cli.ListSecrets(cmd, jsonOutput, filter)
+			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ListSecrets(cmd, jsonOutput, quietOutput, filter)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	cmd.Flags().BoolP("quiet", "q", false, "Output only secret names (for scripting)")
 	return cmd
 }
@@ -84,7 +128,11 @@ func newImportCmd() *cobra.Command {
 			sourceFile, _ := cmd.Flags().GetString("source")
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ImportSecret(cmd, args[0], sourceFile, force)
 		},
 	}
@@ -92,11 +140,93 @@ func newImportCmd() *cobra.Command {
 	cmd.Flags().StringP("source", "s", "", "Source file to import from (required)")
 	cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
 	_ = cmd.MarkFlagRequired("source")
 	return cmd
 }
 func newRemoveCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <secret-name>",
 		Aliases: []string{"rm"},
 		Short:   "Remove a secret from the vault",
 		Long: `Remove a secret and all its versions from the current vault. This action is permanent and ` +
 			`cannot be undone.`,
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.RemoveSecret(cmd, args[0], false)
 		},
 	}
 	return cmd
 }
 func newMoveCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "move <source> <destination>",
 		Aliases: []string{"mv", "rename"},
 		Short:   "Move or rename a secret",
 		Long: `Move a secret within a vault or between vaults.
 For within-vault moves (rename):
  secret move old-name new-name
 For cross-vault moves:
  secret move source-vault:secret-name dest-vault
  secret move source-vault:secret-name dest-vault:new-name
 Cross-vault moves copy ALL versions of the secret, preserving history.
 The source secret is deleted after successful copy.`,
 		Args: cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: source and destination
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			// Complete vault:secret format
 			return getVaultSecretCompletionFunc(cli.fs, cli.stateDir)(cmd, args, toComplete)
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.MoveSecret(cmd, args[0], args[1], force)
 		},
 	}
 	cmd.Flags().BoolP("force", "f", false, "Overwrite if destination secret already exists")
 	return cmd
 }
 // updateBufferSize updates the buffer size based on usage pattern
 func updateBufferSize(currentSize int, sameSize *int) int {
 	*sameSize++
 	const doubleAfterBuffers = 2
 	const growthFactor = 2
 	if *sameSize >= doubleAfterBuffers {
 		*sameSize = 0
 		return currentSize * growthFactor
 	}
 	return currentSize
 }
 // AddSecret adds a secret to the current vault
-func (cli *CLIInstance) AddSecret(secretName string, force bool) error {
+func (cli *Instance) AddSecret(secretName string, force bool) error {
 	secret.Debug("CLI AddSecret starting", "secret_name", secretName, "force", force)
 	// Get current vault
@@ -108,45 +238,109 @@ func (cli *CLIInstance) AddSecret(secretName string, force bool) error {
 	secret.Debug("Got current vault", "vault_name", vlt.GetName())
-	// Read secret value from stdin
+	// Read secret value directly into protected buffers
-	secret.Debug("Reading secret value from stdin")
+	secret.Debug("Reading secret value from stdin into protected buffers")
-	value, err := io.ReadAll(cli.cmd.InOrStdin())
+
-	if err != nil {
+	const initialSize = 4 * 1024      // 4KB initial buffer
-		return fmt.Errorf("failed to read secret value: %w", err)
+	const maxSize = 100 * 1024 * 1024 // 100MB max
 	type bufferInfo struct {
 		buffer *memguard.LockedBuffer
 		used   int
 	}
-	secret.Debug("Read secret value from stdin", "value_length", len(value))
+	var buffers []bufferInfo
 	defer func() {
 		for _, b := range buffers {
 			b.buffer.Destroy()
 		}
 	}()
-	// Remove trailing newline if present
+	reader := cli.cmd.InOrStdin()
-	if len(value) > 0 && value[len(value)-1] == '\n' {
+	totalSize := 0
-		value = value[:len(value)-1]
+	currentBufferSize := initialSize
-		secret.Debug("Removed trailing newline", "new_length", len(value))
+	sameSize := 0
 	for {
 		// Create a new buffer
 		buffer := memguard.NewBuffer(currentBufferSize)
 		n, err := io.ReadFull(reader, buffer.Bytes())
 		if n == 0 {
 			// No data read, destroy the unused buffer
 			buffer.Destroy()
 		} else {
 			buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
 			totalSize += n
 			if totalSize > maxSize {
 				return fmt.Errorf("secret too large: exceeds 100MB limit")
 			}
 			// If we filled the buffer, consider growing for next iteration
 			if n == currentBufferSize {
 				currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
 			}
 		}
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
 			break
 		} else if err != nil {
 			return fmt.Errorf("failed to read secret value: %w", err)
 		}
 	}
 	// Check for trailing newline in the last buffer
 	if len(buffers) > 0 && totalSize > 0 {
 		lastBuffer := &buffers[len(buffers)-1]
 		if lastBuffer.buffer.Bytes()[lastBuffer.used-1] == '\n' {
 			lastBuffer.used--
 			totalSize--
 		}
 	}
 	secret.Debug("Read secret value from stdin", "value_length", totalSize, "buffers", len(buffers))
 	// Combine all buffers into a single protected buffer
 	valueBuffer := memguard.NewBuffer(totalSize)
 	defer valueBuffer.Destroy()
 	offset := 0
 	for _, b := range buffers {
 		copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
 		offset += b.used
 	}
 	// Add the secret to the vault
-	secret.Debug("Calling vault.AddSecret", "secret_name", secretName, "value_length", len(value), "force", force)
+	secret.Debug("Calling vault.AddSecret", "secret_name", secretName, "value_length", valueBuffer.Size(), "force", force)
-	if err := vlt.AddSecret(secretName, value, force); err != nil {
+	if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
 		secret.Debug("vault.AddSecret failed", "error", err)
 		return err
 	}
 	secret.Debug("vault.AddSecret completed successfully")
 	return nil
 }
 // GetSecret retrieves and prints a secret from the current vault
-func (cli *CLIInstance) GetSecret(cmd *cobra.Command, secretName string) error {
+func (cli *Instance) GetSecret(cmd *cobra.Command, secretName string) error {
 	return cli.GetSecretWithVersion(cmd, secretName, "")
 }
 // GetSecretWithVersion retrieves and prints a specific version of a secret
-func (cli *CLIInstance) GetSecretWithVersion(cmd *cobra.Command, secretName string, version string) error {
+func (cli *Instance) GetSecretWithVersion(cmd *cobra.Command, secretName string, version string) error {
 	secret.Debug("GetSecretWithVersion called", "secretName", secretName, "version", version)
 	// Store the command for output
 	cli.cmd = cmd
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		secret.Debug("Failed to get current vault", "error", err)
 		return err
 	}
@@ -159,14 +353,15 @@ func (cli *CLIInstance) GetSecretWithVersion(cmd *cobra.Command, secretName stri
 	}
 	if err != nil {
 		secret.Debug("Failed to get secret", "error", err)
 		return err
 	}
 	secret.Debug("Got secret value", "valueLength", len(value))
 	// Print the secret value to stdout
-	cmd.Print(string(value))
+	_, _ = cli.Print(string(value))
-	secret.Debug("Printed value to cmd")
+	secret.Debug("Printed value to stdout")
 	// Debug: Log what we're actually printing
 	secret.Debug("Secret retrieval debug info",
@@ -180,7 +375,7 @@ func (cli *CLIInstance) GetSecretWithVersion(cmd *cobra.Command, secretName stri
 }
 // ListSecrets lists all secrets in the current vault
-func (cli *CLIInstance) ListSecrets(cmd *cobra.Command, jsonOutput bool, filter string) error {
+func (cli *Instance) ListSecrets(cmd *cobra.Command, jsonOutput bool, quietOutput bool, filter string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -205,7 +400,7 @@ func (cli *CLIInstance) ListSecrets(cmd *cobra.Command, jsonOutput bool, filter
 		filteredSecrets = secrets
 	}
-	if jsonOutput {
+	if jsonOutput { //nolint:nestif // Separate JSON and table output formatting logic
 		// For JSON output, get metadata for each secret
 		secretsWithMetadata := make([]map[string]interface{}, 0, len(filteredSecrets))
@@ -236,27 +431,47 @@ func (cli *CLIInstance) ListSecrets(cmd *cobra.Command, jsonOutput bool, filter
 			return fmt.Errorf("failed to marshal JSON: %w", err)
 		}
-		cmd.Println(string(jsonBytes))
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), string(jsonBytes))
 	} else if quietOutput {
 		// Quiet output - just secret names
 		for _, secretName := range filteredSecrets {
 			_, _ = fmt.Fprintln(cmd.OutOrStdout(), secretName)
 		}
 	} else {
 		// Pretty table output
 		out := cmd.OutOrStdout()
 		if len(filteredSecrets) == 0 {
 			if filter != "" {
-				cmd.Printf("No secrets found in vault '%s' matching filter '%s'.\n", vlt.GetName(), filter)
+				_, _ = fmt.Fprintf(out, "No secrets found in vault '%s' matching filter '%s'.\n", vlt.GetName(), filter)
 			} else {
-				cmd.Println("No secrets found in current vault.")
+				_, _ = fmt.Fprintln(out, "No secrets found in current vault.")
-				cmd.Println("Run 'secret add <name>' to create one.")
+				_, _ = fmt.Fprintln(out, "Run 'secret add <name>' to create one.")
 			}
 			return nil
 		}
 		// Get current vault name for display
 		if filter != "" {
-			cmd.Printf("Secrets in vault '%s' matching '%s':\n\n", vlt.GetName(), filter)
+			_, _ = fmt.Fprintf(out, "Secrets in vault '%s' matching '%s':\n\n", vlt.GetName(), filter)
 		} else {
-			cmd.Printf("Secrets in vault '%s':\n\n", vlt.GetName())
+			_, _ = fmt.Fprintf(out, "Secrets in vault '%s':\n\n", vlt.GetName())
 		}
-		cmd.Printf("%-40s %-20s\n", "NAME", "LAST UPDATED")
+
-		cmd.Printf("%-40s %-20s\n", "----", "------------")
+		// Calculate the maximum name length for proper column alignment
 		maxNameLen := len("NAME") // Start with header length
 		for _, secretName := range filteredSecrets {
 			if len(secretName) > maxNameLen {
 				maxNameLen = len(secretName)
 			}
 		}
 		// Add some padding
 		maxNameLen += 2
 		// Print headers with dynamic width
 		nameFormat := fmt.Sprintf("%%-%ds", maxNameLen)
 		_, _ = fmt.Fprintf(out, nameFormat+" %-20s\n", "NAME", "LAST UPDATED")
 		_, _ = fmt.Fprintf(out, nameFormat+" %-20s\n", strings.Repeat("-", len("NAME")), "------------")
 		for _, secretName := range filteredSecrets {
 			lastUpdated := "unknown"
@@ -264,38 +479,330 @@ func (cli *CLIInstance) ListSecrets(cmd *cobra.Command, jsonOutput bool, filter
 				metadata := secretObj.GetMetadata()
 				lastUpdated = metadata.UpdatedAt.Format("2006-01-02 15:04")
 			}
-			cmd.Printf("%-40s %-20s\n", secretName, lastUpdated)
+			_, _ = fmt.Fprintf(out, nameFormat+" %-20s\n", secretName, lastUpdated)
 		}
-		cmd.Printf("\nTotal: %d secret(s)", len(filteredSecrets))
+		_, _ = fmt.Fprintf(out, "\nTotal: %d secret(s)", len(filteredSecrets))
 		if filter != "" {
-			cmd.Printf(" (filtered from %d)", len(secrets))
+			_, _ = fmt.Fprintf(out, " (filtered from %d)", len(secrets))
 		}
-		cmd.Println()
+		_, _ = fmt.Fprintln(out)
 	}
 	return nil
 }
 // ImportSecret imports a secret from a file
-func (cli *CLIInstance) ImportSecret(cmd *cobra.Command, secretName, sourceFile string, force bool) error {
+func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile string, force bool) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	// Read secret value from the source file
+	// Read secret value from the source file into protected buffers
-	value, err := afero.ReadFile(cli.fs, sourceFile)
+	file, err := cli.fs.Open(sourceFile)
 	if err != nil {
 		return fmt.Errorf("failed to open file %s: %w", sourceFile, err)
 	}
 	defer func() {
 		if err := file.Close(); err != nil {
 			secret.Warn("Failed to close file", "error", err)
 		}
 	}()
 	const initialSize = 4 * 1024      // 4KB initial buffer
 	const maxSize = 100 * 1024 * 1024 // 100MB max
 	type bufferInfo struct {
 		buffer *memguard.LockedBuffer
 		used   int
 	}
 	var buffers []bufferInfo
 	defer func() {
 		for _, b := range buffers {
 			b.buffer.Destroy()
 		}
 	}()
 	totalSize := 0
 	currentBufferSize := initialSize
 	sameSize := 0
 	for {
 		// Create a new buffer
 		buffer := memguard.NewBuffer(currentBufferSize)
 		n, err := io.ReadFull(file, buffer.Bytes())
 		if n == 0 {
 			// No data read, destroy the unused buffer
 			buffer.Destroy()
 		} else {
 			buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
 			totalSize += n
 			if totalSize > maxSize {
 				return fmt.Errorf("secret file too large: exceeds 100MB limit")
 			}
 			// If we filled the buffer, consider growing for next iteration
 			if n == currentBufferSize {
 				currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
 			}
 		}
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
 			break
 		} else if err != nil {
 			return fmt.Errorf("failed to read secret from file %s: %w", sourceFile, err)
 		}
 	}
 	// Combine all buffers into a single protected buffer
 	valueBuffer := memguard.NewBuffer(totalSize)
 	defer valueBuffer.Destroy()
 	offset := 0
 	for _, b := range buffers {
 		copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
 		offset += b.used
 	}
 	// Store the secret in the vault
-	if err := vlt.AddSecret(secretName, value, force); err != nil {
+	if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
 		return err
 	}
 	cmd.Printf("Successfully imported secret '%s' from file '%s'\n", secretName, sourceFile)
 	return nil
 }
 // RemoveSecret removes a secret from the vault
 func (cli *Instance) RemoveSecret(cmd *cobra.Command, secretName string, _ bool) error {
 	// Get current vault
 	currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	// Check if secret exists
 	vaultDir, err := currentVlt.GetDirectory()
 	if err != nil {
 		return err
 	}
 	encodedName := strings.ReplaceAll(secretName, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
 	exists, err := afero.DirExists(cli.fs, secretDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		return fmt.Errorf("secret '%s' not found", secretName)
 	}
 	// Count versions for information
 	versionsDir := filepath.Join(secretDir, "versions")
 	versionCount := 0
 	if entries, err := afero.ReadDir(cli.fs, versionsDir); err == nil {
 		versionCount = len(entries)
 	}
 	// Remove the secret directory
 	if err := cli.fs.RemoveAll(secretDir); err != nil {
 		return fmt.Errorf("failed to remove secret: %w", err)
 	}
 	cmd.Printf("Removed secret '%s' (%d version(s) deleted)\n", secretName, versionCount)
 	return nil
 }
 // MoveSecret moves or renames a secret (within or across vaults)
 func (cli *Instance) MoveSecret(cmd *cobra.Command, source, dest string, force bool) error {
 	// Parse source and destination
 	srcVaultName, srcSecretName, srcQualified := ParseVaultSecretRef(source)
 	destVaultName, destSecretName, destQualified := ParseVaultSecretRef(dest)
 	// If neither is qualified, this is a simple within-vault rename
 	if !srcQualified && !destQualified {
 		return cli.moveSecretWithinVault(cmd, srcSecretName, destSecretName, force)
 	}
 	// Cross-vault move requires source to be qualified
 	if !srcQualified {
 		return fmt.Errorf("source must specify vault (e.g., vault:secret) for cross-vault move")
 	}
 	// If destination is not qualified (no colon), check if it's a vault name
 	// Format: "work:secret default" means move to vault "default"
 	// Format: "work:secret default:newname" means move to vault "default" with new name
 	if !destQualified {
 		// Check if dest is actually a vault name
 		vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
 		if err == nil {
 			for _, v := range vaults {
 				if v == dest {
 					// dest is a vault name, use source secret name
 					destVaultName = dest
 					destSecretName = srcSecretName
 					break
 				}
 			}
 		}
 		// If destVaultName is still empty, dest is a secret name in source vault
 		if destVaultName == "" {
 			destVaultName = srcVaultName
 			destSecretName = dest
 		}
 	}
 	// If destination secret name is empty, use source secret name
 	if destSecretName == "" {
 		destSecretName = srcSecretName
 	}
 	// Same vault? Use simple rename if possible (optimization)
 	if srcVaultName == destVaultName {
 		// Select the vault and do a simple move
 		if err := vault.SelectVault(cli.fs, cli.stateDir, srcVaultName); err != nil {
 			return fmt.Errorf("failed to select vault '%s': %w", srcVaultName, err)
 		}
 		return cli.moveSecretWithinVault(cmd, srcSecretName, destSecretName, force)
 	}
 	// Cross-vault move
 	return cli.moveSecretCrossVault(cmd, srcVaultName, srcSecretName, destVaultName, destSecretName, force)
 }
 // moveSecretWithinVault handles rename within the current vault
 func (cli *Instance) moveSecretWithinVault(cmd *cobra.Command, source, dest string, force bool) error {
 	currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	vaultDir, err := currentVlt.GetDirectory()
 	if err != nil {
 		return err
 	}
 	sourceEncoded := strings.ReplaceAll(source, "/", "%")
 	sourceDir := filepath.Join(vaultDir, "secrets.d", sourceEncoded)
 	exists, err := afero.DirExists(cli.fs, sourceDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if source secret exists: %w", err)
 	}
 	if !exists {
 		return fmt.Errorf("secret '%s' not found", source)
 	}
 	destEncoded := strings.ReplaceAll(dest, "/", "%")
 	destDir := filepath.Join(vaultDir, "secrets.d", destEncoded)
 	exists, err = afero.DirExists(cli.fs, destDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if destination secret exists: %w", err)
 	}
 	if exists {
 		if !force {
 			return fmt.Errorf("secret '%s' already exists (use --force to overwrite)", dest)
 		}
 		if err := cli.fs.RemoveAll(destDir); err != nil {
 			return fmt.Errorf("failed to remove existing destination: %w", err)
 		}
 	}
 	if err := cli.fs.Rename(sourceDir, destDir); err != nil {
 		return fmt.Errorf("failed to move secret: %w", err)
 	}
 	cmd.Printf("Moved secret '%s' to '%s'\n", source, dest)
 	return nil
 }
 // moveSecretCrossVault handles moving between different vaults
 func (cli *Instance) moveSecretCrossVault(
 	cmd *cobra.Command,
 	srcVaultName, srcSecretName,
 	destVaultName, destSecretName string,
 	force bool,
 ) error {
 	// Get source vault
 	srcVault := vault.NewVault(cli.fs, cli.stateDir, srcVaultName)
 	srcVaultDir, err := srcVault.GetDirectory()
 	if err != nil {
 		return fmt.Errorf("failed to get source vault directory: %w", err)
 	}
 	// Verify source vault exists
 	exists, err := afero.DirExists(cli.fs, srcVaultDir)
 	if err != nil || !exists {
 		return fmt.Errorf("source vault '%s' does not exist", srcVaultName)
 	}
 	// Verify source secret exists
 	srcStorageName := strings.ReplaceAll(srcSecretName, "/", "%")
 	srcSecretDir := filepath.Join(srcVaultDir, "secrets.d", srcStorageName)
 	exists, err = afero.DirExists(cli.fs, srcSecretDir)
 	if err != nil || !exists {
 		return fmt.Errorf("secret '%s' not found in vault '%s'", srcSecretName, srcVaultName)
 	}
 	// Get destination vault
 	destVault := vault.NewVault(cli.fs, cli.stateDir, destVaultName)
 	destVaultDir, err := destVault.GetDirectory()
 	if err != nil {
 		return fmt.Errorf("failed to get destination vault directory: %w", err)
 	}
 	// Verify destination vault exists
 	exists, err = afero.DirExists(cli.fs, destVaultDir)
 	if err != nil || !exists {
 		return fmt.Errorf("destination vault '%s' does not exist", destVaultName)
 	}
 	// Unlock destination vault (will fail if neither mnemonic nor unlocker available)
 	_, err = destVault.GetOrDeriveLongTermKey()
 	if err != nil {
 		return fmt.Errorf("failed to unlock destination vault '%s': %w", destVaultName, err)
 	}
 	// Count versions for user feedback
 	versions, _ := secret.ListVersions(cli.fs, srcSecretDir)
 	versionCount := len(versions)
 	// Copy all versions
 	if err := destVault.CopySecretAllVersions(srcVault, srcSecretName, destSecretName, force); err != nil {
 		return err
 	}
 	// Delete source secret
 	if err := cli.fs.RemoveAll(srcSecretDir); err != nil {
 		// Copy succeeded but delete failed - warn but don't fail
 		cmd.Printf("Warning: copied secret but failed to remove source: %v\n", err)
 		cmd.Printf("Moved secret '%s:%s' to '%s:%s' (%d version(s))\n",
 			srcVaultName, srcSecretName, destVaultName, destSecretName, versionCount)
 		return nil
 	}
 	cmd.Printf("Moved secret '%s:%s' to '%s:%s' (%d version(s))\n",
 		srcVaultName, srcSecretName, destVaultName, destSecretName, versionCount)
 	return nil
 }
--- a/internal/cli/secrets_size_test.go
+++ b/internal/cli/secrets_size_test.go
@@ -0,0 +1,437 @@
 package cli
 import (
 	"bytes"
 	"crypto/rand"
 	"fmt"
 	"io"
 	"path/filepath"
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestAddSecretVariousSizes tests adding secrets of various sizes through stdin
 func TestAddSecretVariousSizes(t *testing.T) {
 	tests := []struct {
 		name        string
 		size        int
 		shouldError bool
 		errorMsg    string
 	}{
 		{
 			name:        "1KB secret",
 			size:        1024,
 			shouldError: false,
 		},
 		{
 			name:        "10KB secret",
 			size:        10 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100KB secret",
 			size:        100 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "1MB secret",
 			size:        1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "10MB secret",
 			size:        10 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "99MB secret",
 			size:        99 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100MB secret minus 1 byte",
 			size:        100*1024*1024 - 1,
 			shouldError: false,
 		},
 		{
 			name:        "101MB secret - should fail",
 			size:        101 * 1024 * 1024,
 			shouldError: true,
 			errorMsg:    "secret too large: exceeds 100MB limit",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Generate test data of specified size
 			testData := make([]byte, tt.size)
 			_, err = rand.Read(testData)
 			require.NoError(t, err)
 			// Add newline that will be stripped
 			testDataWithNewline := append(testData, '\n')
 			// Create fake stdin
 			stdin := bytes.NewReader(testDataWithNewline)
 			// Create command with fake stdin
 			cmd := &cobra.Command{}
 			cmd.SetIn(stdin)
 			// Create CLI instance
 			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
 			// Test adding the secret
 			secretName := fmt.Sprintf("test-secret-%d", tt.size)
 			err = cli.AddSecret(secretName, false)
 			if tt.shouldError {
 				assert.Error(t, err)
 				assert.Contains(t, err.Error(), tt.errorMsg)
 			} else {
 				require.NoError(t, err)
 				// Verify the secret was stored correctly
 				retrievedValue, err := vlt.GetSecret(secretName)
 				require.NoError(t, err)
 				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original (without newline)")
 			}
 		})
 	}
 }
 // TestImportSecretVariousSizes tests importing secrets of various sizes from files
 func TestImportSecretVariousSizes(t *testing.T) {
 	tests := []struct {
 		name        string
 		size        int
 		shouldError bool
 		errorMsg    string
 	}{
 		{
 			name:        "1KB file",
 			size:        1024,
 			shouldError: false,
 		},
 		{
 			name:        "10KB file",
 			size:        10 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100KB file",
 			size:        100 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "1MB file",
 			size:        1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "10MB file",
 			size:        10 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "99MB file",
 			size:        99 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "100MB file",
 			size:        100 * 1024 * 1024,
 			shouldError: false,
 		},
 		{
 			name:        "101MB file - should fail",
 			size:        101 * 1024 * 1024,
 			shouldError: true,
 			errorMsg:    "secret file too large: exceeds 100MB limit",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Generate test data of specified size
 			testData := make([]byte, tt.size)
 			_, err = rand.Read(testData)
 			require.NoError(t, err)
 			// Write test data to file
 			testFile := fmt.Sprintf("/test/secret-%d.bin", tt.size)
 			err = afero.WriteFile(fs, testFile, testData, 0o600)
 			require.NoError(t, err)
 			// Create command
 			cmd := &cobra.Command{}
 			// Create CLI instance
 			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			// Test importing the secret
 			secretName := fmt.Sprintf("imported-secret-%d", tt.size)
 			err = cli.ImportSecret(cmd, secretName, testFile, false)
 			if tt.shouldError {
 				assert.Error(t, err)
 				assert.Contains(t, err.Error(), tt.errorMsg)
 			} else {
 				require.NoError(t, err)
 				// Verify the secret was stored correctly
 				retrievedValue, err := vlt.GetSecret(secretName)
 				require.NoError(t, err)
 				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
 			}
 		})
 	}
 }
 // TestAddSecretBufferGrowth tests that our buffer growth strategy works correctly
 func TestAddSecretBufferGrowth(t *testing.T) {
 	// Test various sizes that should trigger buffer growth
 	sizes := []int{
 		1,       // Single byte
 		100,     // Small
 		4095,    // Just under initial 4KB
 		4096,    // Exactly 4KB
 		4097,    // Just over 4KB
 		8191,    // Just under 8KB (first double)
 		8192,    // Exactly 8KB
 		8193,    // Just over 8KB
 		12288,   // 12KB (should trigger second double)
 		16384,   // 16KB
 		32768,   // 32KB (after more doublings)
 		65536,   // 64KB
 		131072,  // 128KB
 		524288,  // 512KB
 		1048576, // 1MB
 		2097152, // 2MB
 	}
 	for _, size := range sizes {
 		t.Run(fmt.Sprintf("size_%d", size), func(t *testing.T) {
 			// Set up test environment
 			fs := afero.NewMemMapFs()
 			stateDir := "/test/state"
 			// Set test mnemonic
 			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 			// Create vault
 			vaultName := "test-vault"
 			_, err := vault.CreateVault(fs, stateDir, vaultName)
 			require.NoError(t, err)
 			// Set current vault
 			currentVaultPath := filepath.Join(stateDir, "currentvault")
 			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 			require.NoError(t, err)
 			// Get vault and set up long-term key
 			vlt, err := vault.GetCurrentVault(fs, stateDir)
 			require.NoError(t, err)
 			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 			require.NoError(t, err)
 			vlt.Unlock(ltIdentity)
 			// Create test data of exactly the specified size
 			// Use a pattern that's easy to verify
 			testData := make([]byte, size)
 			for i := range testData {
 				testData[i] = byte(i % 256)
 			}
 			// Create fake stdin without newline
 			stdin := bytes.NewReader(testData)
 			// Create command with fake stdin
 			cmd := &cobra.Command{}
 			cmd.SetIn(stdin)
 			// Create CLI instance
 			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
 			// Test adding the secret
 			secretName := fmt.Sprintf("buffer-test-%d", size)
 			err = cli.AddSecret(secretName, false)
 			require.NoError(t, err)
 			// Verify the secret was stored correctly
 			retrievedValue, err := vlt.GetSecret(secretName)
 			require.NoError(t, err)
 			assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original exactly")
 		})
 	}
 }
 // TestAddSecretStreamingBehavior tests that we handle streaming input correctly
 func TestAddSecretStreamingBehavior(t *testing.T) {
 	// Set up test environment
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set test mnemonic
 	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
 	// Create vault
 	vaultName := "test-vault"
 	_, err := vault.CreateVault(fs, stateDir, vaultName)
 	require.NoError(t, err)
 	// Set current vault
 	currentVaultPath := filepath.Join(stateDir, "currentvault")
 	vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
 	err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
 	require.NoError(t, err)
 	// Get vault and set up long-term key
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
 	ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
 	require.NoError(t, err)
 	vlt.Unlock(ltIdentity)
 	// Create a custom reader that simulates slow streaming input
 	// This will help verify our buffer handling works correctly with partial reads
 	testData := []byte(strings.Repeat("Hello, World! ", 1000)) // ~14KB
 	slowReader := &slowReader{
 		data:      testData,
 		chunkSize: 1000, // Read 1KB at a time
 	}
 	// Create command with slow reader as stdin
 	cmd := &cobra.Command{}
 	cmd.SetIn(slowReader)
 	// Create CLI instance
 	cli, err := NewCLIInstance()
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cli.fs = fs
 	cli.stateDir = stateDir
 	cli.cmd = cmd
 	// Test adding the secret
 	err = cli.AddSecret("streaming-test", false)
 	require.NoError(t, err)
 	// Verify the secret was stored correctly
 	retrievedValue, err := vlt.GetSecret("streaming-test")
 	require.NoError(t, err)
 	assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
 }
 // slowReader simulates a reader that returns data in small chunks
 type slowReader struct {
 	data      []byte
 	offset    int
 	chunkSize int
 }
 func (r *slowReader) Read(p []byte) (n int, err error) {
 	if r.offset >= len(r.data) {
 		return 0, io.EOF
 	}
 	// Read at most chunkSize bytes
 	remaining := len(r.data) - r.offset
 	toRead := r.chunkSize
 	if toRead > remaining {
 		toRead = remaining
 	}
 	if toRead > len(p) {
 		toRead = len(p)
 	}
 	n = copy(p, r.data[r.offset:r.offset+toRead])
 	r.offset += n
 	if r.offset >= len(r.data) {
 		err = io.EOF
 	}
 	return n, err
 }
--- a/internal/cli/stdout_stderr_test.go
+++ b/internal/cli/stdout_stderr_test.go
@@ -0,0 +1,72 @@
 package cli_test
 import (
 	"bytes"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestGetCommandOutputsToStdout tests that 'secret get' outputs the secret value to stdout, not stderr
 func TestGetCommandOutputsToStdout(t *testing.T) {
 	// Create a temporary directory for our vault
 	tempDir := t.TempDir()
 	// Set environment variables for the test
 	t.Setenv("SB_SECRET_STATE_DIR", tempDir)
 	// Find the secret binary path
 	wd, err := filepath.Abs("../..")
 	require.NoError(t, err, "should get working directory")
 	secretPath := filepath.Join(wd, "secret")
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	testPassphrase := "test-passphrase"
 	// Initialize vault
 	cmd := exec.Command(secretPath, "init")
 	cmd.Env = []string{
 		"SB_SECRET_STATE_DIR=" + tempDir,
 		"SB_SECRET_MNEMONIC=" + testMnemonic,
 		"SB_UNLOCK_PASSPHRASE=" + testPassphrase,
 		"PATH=" + "/usr/bin:/bin",
 	}
 	output, err := cmd.CombinedOutput()
 	require.NoError(t, err, "init should succeed: %s", string(output))
 	// Add a secret
 	cmd = exec.Command(secretPath, "add", "test/secret")
 	cmd.Env = []string{
 		"SB_SECRET_STATE_DIR=" + tempDir,
 		"SB_SECRET_MNEMONIC=" + testMnemonic,
 		"PATH=" + "/usr/bin:/bin",
 	}
 	cmd.Stdin = strings.NewReader("test-secret-value")
 	output, err = cmd.CombinedOutput()
 	require.NoError(t, err, "add should succeed: %s", string(output))
 	// Test that 'secret get' outputs to stdout, not stderr
 	cmd = exec.Command(secretPath, "get", "test/secret")
 	cmd.Env = []string{
 		"SB_SECRET_STATE_DIR=" + tempDir,
 		"SB_SECRET_MNEMONIC=" + testMnemonic,
 		"PATH=" + "/usr/bin:/bin",
 	}
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 	err = cmd.Run()
 	require.NoError(t, err, "get should succeed")
 	// The secret value should be in stdout
 	assert.Equal(t, "test-secret-value", strings.TrimSpace(stdout.String()), "secret value should be in stdout")
 	// Nothing should be in stderr
 	assert.Empty(t, stderr.String(), "stderr should be empty")
 }
--- a/internal/cli/test_helpers.go
+++ b/internal/cli/test_helpers.go
@@ -20,7 +20,7 @@ func ExecuteCommandInProcess(args []string, stdin string, env map[string]string)
 	// Set test environment
 	for k, v := range env {
-		os.Setenv(k, v)
+		_ = os.Setenv(k, v)
 	}
 	// Create root command
@@ -53,9 +53,9 @@ func ExecuteCommandInProcess(args []string, stdin string, env map[string]string)
 	// Restore environment
 	for k, v := range savedEnv {
 		if v == "" {
-			os.Unsetenv(k)
+			_ = os.Unsetenv(k)
 		} else {
-			os.Setenv(k, v)
+			_ = os.Setenv(k, v)
 		}
 	}
--- a/internal/cli/unlockers.go
+++ b/internal/cli/unlockers.go
@@ -3,112 +3,267 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
-// Import from init.go
+// UnlockerInfo represents unlocker information for display
-
+type UnlockerInfo struct {
-// ... existing imports ...
+	ID        string    `json:"id"`
-
+	Type      string    `json:"type"`
-func newUnlockersCmd() *cobra.Command {
+	CreatedAt time.Time `json:"createdAt"`
-	cmd := &cobra.Command{
+	Flags     []string  `json:"flags,omitempty"`
-		Use:   "unlockers",
+	IsCurrent bool      `json:"isCurrent"`
 		Short: "Manage unlockers",
 		Long:  `Create, list, and remove unlockers for the current vault.`,
 	}
 	cmd.AddCommand(newUnlockersListCmd())
 	cmd.AddCommand(newUnlockersAddCmd())
 	cmd.AddCommand(newUnlockersRmCmd())
 	return cmd
 }
-func newUnlockersListCmd() *cobra.Command {
+// Table formatting constants
-	cmd := &cobra.Command{
+const (
-		Use:   "list",
+	unlockerIDWidth    = 40
-		Short: "List unlockers in the current vault",
+	unlockerTypeWidth  = 12
-		RunE: func(cmd *cobra.Command, args []string) error {
+	unlockerDateWidth  = 20
-			jsonOutput, _ := cmd.Flags().GetBool("json")
+	unlockerFlagsWidth = 20
 )
-			cli := NewCLIInstance()
+// getDefaultGPGKey returns the default GPG key ID if available
-			cli.cmd = cmd
+func getDefaultGPGKey() (string, error) {
-			return cli.UnlockersList(jsonOutput)
+	// First try to get the configured default key using gpgconf
-		},
+	cmd := exec.Command("gpgconf", "--list-options", "gpg")
 	output, err := cmd.Output()
 	if err == nil {
 		lines := strings.Split(string(output), "\n")
 		for _, line := range lines {
 			fields := strings.Split(line, ":")
 			if len(fields) > 9 && fields[0] == "default-key" && fields[9] != "" {
 				// The default key is in field 10 (index 9)
 				return fields[9], nil
 			}
 		}
 	}
-	cmd.Flags().Bool("json", false, "Output in JSON format")
+	// If no default key is configured, get the first secret key
-	return cmd
+	cmd = exec.Command("gpg", "--list-secret-keys", "--with-colons")
-}
+	output, err = cmd.Output()
-
+	if err != nil {
-func newUnlockersAddCmd() *cobra.Command {
+		return "", fmt.Errorf("failed to list GPG keys: %w", err)
 	cmd := &cobra.Command{
 		Use:   "add <type>",
 		Short: "Add a new unlocker",
 		Long:  `Add a new unlocker of the specified type (passphrase, keychain, pgp).`,
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.UnlockersAdd(args[0], cmd)
 		},
 	}
-	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlockers")
+	// Parse output to find the first usable secret key
-	return cmd
+	lines := strings.Split(string(output), "\n")
-}
+	for _, line := range lines {
-
+		// sec line indicates a secret key
-func newUnlockersRmCmd() *cobra.Command {
+		if strings.HasPrefix(line, "sec:") {
-	return &cobra.Command{
+			fields := strings.Split(line, ":")
-		Use:   "rm <unlocker-id>",
+			// Field 5 contains the key ID
-		Short: "Remove an unlocker",
+			if len(fields) > 4 && fields[4] != "" {
-		Args:  cobra.ExactArgs(1),
+				return fields[4], nil
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 			return cli.UnlockersRemove(args[0])
 		},
 			}
 		}
 	}
 	return "", fmt.Errorf("no GPG secret keys found")
 }
 func newUnlockerCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "unlocker",
-		Short: "Manage current unlocker",
+		Short: "Manage unlockers",
-		Long:  `Select the current unlocker for operations.`,
+		Long:  `Create, list, and remove unlockers for the current vault.`,
 	}
-	cmd.AddCommand(newUnlockerSelectSubCmd())
+	cmd.AddCommand(newUnlockerListCmd())
 	cmd.AddCommand(newUnlockerAddCmd())
 	cmd.AddCommand(newUnlockerRemoveCmd())
 	cmd.AddCommand(newUnlockerSelectCmd())
 	return cmd
 }
-func newUnlockerSelectSubCmd() *cobra.Command {
+func newUnlockerListCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:     "list",
 		Aliases: []string{"ls"},
 		Short:   "List unlockers in the current vault",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.UnlockersList(jsonOutput)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
 func newUnlockerAddCmd() *cobra.Command {
 	// Build the supported types list based on platform
 	supportedTypes := "passphrase, pgp"
 	typeDescriptions := `Available unlocker types:
  passphrase - Traditional password-based encryption
               Prompts for a passphrase that will be used to encrypt/decrypt the vault's master key.
               The passphrase is never stored in plaintext.
  pgp        - GNU Privacy Guard (GPG) key-based encryption  
               Uses your existing GPG key to encrypt/decrypt the vault's master key.
               Requires gpg to be installed and configured with at least one secret key.
               Use --keyid to specify a particular key, otherwise uses your default GPG key.`
 	if runtime.GOOS == "darwin" {
 		supportedTypes = "passphrase, keychain, pgp, secure-enclave"
 		typeDescriptions = `Available unlocker types:
  passphrase      - Traditional password-based encryption
                    Prompts for a passphrase that will be used to encrypt/decrypt the vault's master key.
                    The passphrase is never stored in plaintext.
  keychain        - macOS Keychain integration (macOS only)
                    Stores the vault's master key in the macOS Keychain, protected by your login password.
                    Automatically unlocks when your Keychain is unlocked (e.g., after login).
                    Provides seamless integration with macOS security features like Touch ID.
  pgp             - GNU Privacy Guard (GPG) key-based encryption
                    Uses your existing GPG key to encrypt/decrypt the vault's master key.
                    Requires gpg to be installed and configured with at least one secret key.
                    Use --keyid to specify a particular key, otherwise uses your default GPG key.
  secure-enclave  - Apple Secure Enclave hardware protection (macOS only)
                    Stores the vault's master key encrypted by a non-exportable P-256 key
                    held in the Secure Enclave. The key never leaves the hardware.
                    Uses ECIES encryption; decryption is performed inside the SE.`
 	}
 	cmd := &cobra.Command{
 		Use:   "add <type>",
 		Short: "Add a new unlocker",
 		Long: fmt.Sprintf(`Add a new unlocker to the current vault.
 %s
 Each vault can have multiple unlockers, allowing different authentication methods
 to access the same vault. This provides flexibility and backup access options.`, typeDescriptions),
 		Args:      cobra.ExactArgs(1),
 		ValidArgs: strings.Split(supportedTypes, ", "),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			unlockerType := args[0]
 			// Validate unlocker type
 			validTypes := strings.Split(supportedTypes, ", ")
 			valid := false
 			for _, t := range validTypes {
 				if unlockerType == t {
 					valid = true
 					break
 				}
 			}
 			if !valid {
 				return fmt.Errorf("invalid unlocker type '%s'\n\nSupported types: %s\n\n"+
 					"Run 'secret unlocker add --help' for detailed descriptions", unlockerType, supportedTypes)
 			}
 			// Check if --keyid was used with non-PGP type
 			if unlockerType != "pgp" && cmd.Flags().Changed("keyid") {
 				return fmt.Errorf("--keyid flag is only valid for PGP unlockers")
 			}
 			return cli.UnlockersAdd(unlockerType, cmd)
 		},
 	}
 	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlockers (optional, uses default key if not specified)")
 	return cmd
 }
 func newUnlockerRemoveCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <unlocker-id>",
 		Aliases: []string{"rm"},
 		Short:   "Remove an unlocker",
 		Long: `Remove an unlocker from the current vault. Cannot remove the last unlocker if the vault has ` +
 			`secrets unless --force is used. Warning: Without unlockers and without your mnemonic, vault data ` +
 			`will be permanently inaccessible.`,
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.UnlockersRemove(args[0], force, cmd)
 		},
 	}
 	cmd.Flags().BoolP("force", "f", false, "Force removal of last unlocker even if vault has secrets")
 	return cmd
 }
 func newUnlockerSelectCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "select <unlocker-id>",
 		Short:             "Select an unlocker as current",
 		Args:              cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
+		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
-			cli := NewCLIInstance()
+		RunE: func(_ *cobra.Command, args []string) error {
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.UnlockerSelect(args[0])
 		},
 	}
 }
 // UnlockersList lists unlockers in the current vault
-func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
+func (cli *Instance) UnlockersList(jsonOutput bool) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	// Get the current unlocker ID
 	var currentUnlockerID string
 	currentUnlocker, err := vlt.GetCurrentUnlocker()
 	if err == nil {
 		currentUnlockerID = currentUnlocker.GetID()
 	}
 	// Get the metadata first
 	unlockerMetadataList, err := vlt.ListUnlockers()
 	if err != nil {
@@ -116,18 +271,13 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 	}
 	// Load actual unlocker objects to get the proper IDs
 	type UnlockerInfo struct {
 		ID        string    `json:"id"`
 		Type      string    `json:"type"`
 		CreatedAt time.Time `json:"created_at"`
 		Flags     []string  `json:"flags,omitempty"`
 	}
 	var unlockers []UnlockerInfo
 	for _, metadata := range unlockerMetadataList {
 		// Create unlocker instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			secret.Warn("Could not get vault directory while listing unlockers", "error", err)
 			continue
 		}
@@ -135,6 +285,8 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
 			secret.Warn("Could not read unlockers directory", "error", err)
 			continue
 		}
@@ -150,12 +302,16 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 			// Check if this is the right unlocker by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
-				continue //FIXME this error needs to be handled
+				secret.Warn("Could not read unlocker metadata file", "path", metadataPath, "error", err)
 				continue
 			}
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-				continue //FIXME this error needs to be handled
+				secret.Warn("Could not parse unlocker metadata file", "path", metadataPath, "error", err)
 				continue
 			}
 			// Match by type and creation time
@@ -168,7 +324,10 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 					unlocker = secret.NewKeychainUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "pgp":
 					unlocker = secret.NewPGPUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "secure-enclave":
 					unlocker = secret.NewSecureEnclaveUnlocker(cli.fs, unlockerDir, diskMetadata)
 				}
 				break
 			}
 		}
@@ -180,6 +339,7 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 		} else {
 			// Generate ID as fallback
 			properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
 			secret.Warn("Could not create unlocker instance, using fallback ID", "fallback_id", properID, "type", metadata.Type)
 		}
 		unlockerInfo := UnlockerInfo{
@@ -187,14 +347,23 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 			Type:      metadata.Type,
 			CreatedAt: metadata.CreatedAt,
 			Flags:     metadata.Flags,
 			IsCurrent: properID == currentUnlockerID,
 		}
 		unlockers = append(unlockers, unlockerInfo)
 	}
 	if jsonOutput {
-		// JSON output
+		return cli.printUnlockersJSON(unlockers, currentUnlockerID)
 	}
 	return cli.printUnlockersTable(unlockers)
 }
 // printUnlockersJSON prints unlockers in JSON format
 func (cli *Instance) printUnlockersJSON(unlockers []UnlockerInfo, currentUnlockerID string) error {
 	output := map[string]interface{}{
 		"unlockers":         unlockers,
 		"currentUnlockerID": currentUnlockerID,
 	}
 	jsonBytes, err := json.MarshalIndent(output, "", "  ")
@@ -203,23 +372,35 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 	}
 	cli.cmd.Println(string(jsonBytes))
-	} else {
+
-		// Pretty table output
+	return nil
 }
 // printUnlockersTable prints unlockers in a formatted table
 func (cli *Instance) printUnlockersTable(unlockers []UnlockerInfo) error {
 	if len(unlockers) == 0 {
 		cli.cmd.Println("No unlockers found in current vault.")
-			cli.cmd.Println("Run 'secret unlockers add passphrase' to create one.")
+		cli.cmd.Println("Run 'secret unlocker add passphrase' to create one.")
 		return nil
 	}
-		cli.cmd.Printf("%-18s %-12s %-20s %s\n", "UNLOCKER ID", "TYPE", "CREATED", "FLAGS")
+	cli.cmd.Printf("  %-40s %-12s %-20s %s\n", "UNLOCKER ID", "TYPE", "CREATED", "FLAGS")
-		cli.cmd.Printf("%-18s %-12s %-20s %s\n", "-----------", "----", "-------", "-----")
+	cli.cmd.Printf("  %-40s %-12s %-20s %s\n",
 		strings.Repeat("-", unlockerIDWidth), strings.Repeat("-", unlockerTypeWidth),
 		strings.Repeat("-", unlockerDateWidth), strings.Repeat("-", unlockerFlagsWidth))
 	for _, unlocker := range unlockers {
 		flags := ""
 		if len(unlocker.Flags) > 0 {
 			flags = strings.Join(unlocker.Flags, ",")
 		}
-			cli.cmd.Printf("%-18s %-12s %-20s %s\n",
+		prefix := "  "
 		if unlocker.IsCurrent {
 			prefix = "* "
 		}
 		cli.cmd.Printf("%s%-40s %-12s %-20s %s\n",
 			prefix,
 			unlocker.ID,
 			unlocker.Type,
 			unlocker.CreatedAt.Format("2006-01-02 15:04:05"),
@@ -227,13 +408,18 @@ func (cli *CLIInstance) UnlockersList(jsonOutput bool) error {
 	}
 	cli.cmd.Printf("\nTotal: %d unlocker(s)\n", len(unlockers))
 	}
 	return nil
 }
 // UnlockersAdd adds a new unlocker
-func (cli *CLIInstance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error {
+func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error {
 	// Build the supported types list based on platform
 	supportedTypes := "passphrase, pgp"
 	if runtime.GOOS == "darwin" {
 		supportedTypes = "passphrase, keychain, pgp, secure-enclave"
 	}
 	switch unlockerType {
 	case "passphrase":
 		// Get current vault
@@ -246,26 +432,39 @@ func (cli *CLIInstance) UnlockersAdd(unlockerType string, cmd *cobra.Command) er
 		// The CreatePassphraseUnlocker method will handle getting the long-term key
 		// Check if passphrase is set in environment variable
-		var passphraseStr string
+		var passphraseBuffer *memguard.LockedBuffer
 		if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
-			passphraseStr = envPassphrase
+			passphraseBuffer = memguard.NewBufferFromBytes([]byte(envPassphrase))
 		} else {
 			// Use secure passphrase input with confirmation
-			passphraseStr, err = readSecurePassphrase("Enter passphrase for unlocker: ")
+			passphraseBuffer, err = readSecurePassphrase("Enter passphrase for unlocker: ")
 			if err != nil {
 				return fmt.Errorf("failed to read passphrase: %w", err)
 			}
 		}
 		defer passphraseBuffer.Destroy()
-		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
+		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
 			return err
 		}
 		cmd.Printf("Created passphrase unlocker: %s\n", passphraseUnlocker.GetID())
 		// Auto-select the newly created unlocker
 		if err := vlt.SelectUnlocker(passphraseUnlocker.GetID()); err != nil {
 			cmd.Printf("Warning: Failed to auto-select new unlocker: %v\n", err)
 		} else {
 			cmd.Printf("Automatically selected as current unlocker\n")
 		}
 		return nil
 	case "keychain":
 		if runtime.GOOS != "darwin" {
 			return fmt.Errorf("keychain unlockers are only supported on macOS")
 		}
 		keychainUnlocker, err := secret.CreateKeychainUnlocker(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to create macOS Keychain unlocker: %w", err)
@@ -275,17 +474,78 @@ func (cli *CLIInstance) UnlockersAdd(unlockerType string, cmd *cobra.Command) er
 		if keyName, err := keychainUnlocker.GetKeychainItemName(); err == nil {
 			cmd.Printf("Keychain Item Name: %s\n", keyName)
 		}
 		// Auto-select the newly created unlocker
 		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to get current vault: %w", err)
 		}
 		if err := vlt.SelectUnlocker(keychainUnlocker.GetID()); err != nil {
 			cmd.Printf("Warning: Failed to auto-select new unlocker: %v\n", err)
 		} else {
 			cmd.Printf("Automatically selected as current unlocker\n")
 		}
 		return nil
 	case "secure-enclave":
 		if runtime.GOOS != "darwin" {
 			return fmt.Errorf("secure enclave unlockers are only supported on macOS")
 		}
 		seUnlocker, err := secret.CreateSecureEnclaveUnlocker(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to create Secure Enclave unlocker: %w", err)
 		}
 		cmd.Printf("Created Secure Enclave unlocker: %s\n", seUnlocker.GetID())
 		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to get current vault: %w", err)
 		}
 		if err := vlt.SelectUnlocker(seUnlocker.GetID()); err != nil {
 			cmd.Printf("Warning: Failed to auto-select new unlocker: %v\n", err)
 		} else {
 			cmd.Printf("Automatically selected as current unlocker\n")
 		}
 		return nil
 	case "pgp":
-		// Get GPG key ID from flag or environment variable
+		// Get GPG key ID from flag, environment, or default key
 		var gpgKeyID string
 		if flagKeyID, _ := cmd.Flags().GetString("keyid"); flagKeyID != "" {
 			gpgKeyID = flagKeyID
 		} else if envKeyID := os.Getenv(secret.EnvGPGKeyID); envKeyID != "" {
 			gpgKeyID = envKeyID
 		} else {
-			return fmt.Errorf("GPG key ID required: use --keyid flag or set SB_GPG_KEY_ID environment variable")
+			// Try to get the default GPG key
 			defaultKeyID, err := getDefaultGPGKey()
 			if err != nil {
 				return fmt.Errorf("no GPG key specified and no default key found: %w", err)
 			}
 			gpgKeyID = defaultKeyID
 			cmd.Printf("Using default GPG key: %s\n", gpgKeyID)
 		}
 		// Check if this key is already added as an unlocker
 		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to get current vault: %w", err)
 		}
 		// Resolve the GPG key ID to its fingerprint
 		fingerprint, err := secret.ResolveGPGKeyFingerprint(gpgKeyID)
 		if err != nil {
 			return fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
 		}
 		// Check if this GPG key is already added
 		expectedID := fmt.Sprintf("pgp-%s", fingerprint)
 		if err := cli.checkUnlockerExists(vlt, expectedID); err != nil {
 			return fmt.Errorf("GPG key %s is already added as an unlocker", gpgKeyID)
 		}
 		pgpUnlocker, err := secret.CreatePGPUnlocker(cli.fs, cli.stateDir, gpgKeyID)
@@ -295,26 +555,68 @@ func (cli *CLIInstance) UnlockersAdd(unlockerType string, cmd *cobra.Command) er
 		cmd.Printf("Created PGP unlocker: %s\n", pgpUnlocker.GetID())
 		cmd.Printf("GPG Key ID: %s\n", gpgKeyID)
 		// Auto-select the newly created unlocker
 		if err := vlt.SelectUnlocker(pgpUnlocker.GetID()); err != nil {
 			cmd.Printf("Warning: Failed to auto-select new unlocker: %v\n", err)
 		} else {
 			cmd.Printf("Automatically selected as current unlocker\n")
 		}
 		return nil
 	default:
-		return fmt.Errorf("unsupported unlocker type: %s (supported: passphrase, keychain, pgp)", unlockerType)
+		return fmt.Errorf("unsupported unlocker type: %s (supported: %s)", unlockerType, supportedTypes)
 	}
 }
-// UnlockersRemove removes an unlocker
+// UnlockersRemove removes an unlocker with safety checks
-func (cli *CLIInstance) UnlockersRemove(unlockerID string) error {
+func (cli *Instance) UnlockersRemove(unlockerID string, force bool, cmd *cobra.Command) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	return vlt.RemoveUnlocker(unlockerID)
+	// Get list of unlockers
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
 		return fmt.Errorf("failed to list unlockers: %w", err)
 	}
 	// Check if we're removing the last unlocker
 	if len(unlockers) == 1 {
 		// Check if vault has secrets
 		numSecrets, err := vlt.NumSecrets()
 		if err != nil {
 			return fmt.Errorf("failed to count secrets: %w", err)
 		}
 		if numSecrets > 0 && !force {
 			cmd.Println("ERROR: Cannot remove the last unlocker when the vault contains secrets.")
 			cmd.Println("WARNING: Without unlockers, you MUST have your mnemonic phrase to decrypt the vault.")
 			cmd.Println("If you want to proceed anyway, use --force")
 			return fmt.Errorf("refusing to remove last unlocker")
 		}
 		if numSecrets > 0 && force {
 			cmd.Println("WARNING: Removing the last unlocker. You MUST have your mnemonic phrase to access this vault again!")
 		}
 	}
 	// Remove the unlocker
 	if err := vlt.RemoveUnlocker(unlockerID); err != nil {
 		return err
 	}
 	cmd.Printf("Removed unlocker '%s'\n", unlockerID)
 	return nil
 }
 // UnlockerSelect selects an unlocker as current
-func (cli *CLIInstance) UnlockerSelect(unlockerID string) error {
+func (cli *Instance) UnlockerSelect(unlockerID string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -323,3 +625,81 @@ func (cli *CLIInstance) UnlockerSelect(unlockerID string) error {
 	return vlt.SelectUnlocker(unlockerID)
 }
 // checkUnlockerExists checks if an unlocker with the given ID exists
 func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) error {
 	// Get the list of unlockers and check if any match the ID
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
 		secret.Warn("Could not list unlockers during duplicate check", "error", err)
 		return nil // If we can't list unlockers, assume it doesn't exist
 	}
 	// Get vault directory to construct unlocker instances
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		secret.Warn("Could not get vault directory during duplicate check", "error", err)
 		return nil
 	}
 	// Check each unlocker's ID
 	for _, metadata := range unlockers {
 		// Construct the unlocker based on type to get its ID
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
 			secret.Warn("Could not read unlockers directory during duplicate check", "error", err)
 			continue
 		}
 		for _, file := range files {
 			if !file.IsDir() {
 				continue
 			}
 			unlockerDir := filepath.Join(unlockersDir, file.Name())
 			metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 			// Check if this matches our metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
 				secret.Warn("Could not read unlocker metadata during duplicate check", "path", metadataPath, "error", err)
 				continue
 			}
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 				secret.Warn("Could not parse unlocker metadata during duplicate check", "path", metadataPath, "error", err)
 				continue
 			}
 			// Match by type and creation time
 			if diskMetadata.Type == metadata.Type && diskMetadata.CreatedAt.Equal(metadata.CreatedAt) {
 				var unlocker secret.Unlocker
 				switch metadata.Type {
 				case "passphrase":
 					unlocker = secret.NewPassphraseUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "keychain":
 					unlocker = secret.NewKeychainUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "pgp":
 					unlocker = secret.NewPGPUnlocker(cli.fs, unlockerDir, diskMetadata)
 				case "secure-enclave":
 					unlocker = secret.NewSecureEnclaveUnlocker(cli.fs, unlockerDir, diskMetadata)
 				}
 				if unlocker != nil && unlocker.GetID() == unlockerID {
 					return fmt.Errorf("unlocker already exists")
 				}
 				break
 			}
 		}
 	}
 	return nil
 }
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -3,13 +3,16 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
@@ -26,6 +29,7 @@ func newVaultCmd() *cobra.Command {
 	cmd.AddCommand(newVaultCreateCmd())
 	cmd.AddCommand(newVaultSelectCmd())
 	cmd.AddCommand(newVaultImportCmd())
 	cmd.AddCommand(newVaultRemoveCmd())
 	return cmd
 }
@@ -33,16 +37,22 @@ func newVaultCmd() *cobra.Command {
 func newVaultListCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:     "list",
 		Aliases: []string{"ls"},
 		Short:   "List available vaults",
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ListVaults(cmd, jsonOutput)
 		},
 	}
 	cmd.Flags().Bool("json", false, "Output in JSON format")
 	return cmd
 }
@@ -52,50 +62,103 @@ func newVaultCreateCmd() *cobra.Command {
 		Short: "Create a new vault",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.CreateVault(cmd, args[0])
 		},
 	}
 }
 func newVaultSelectCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "select <name>",
 		Short:             "Select a vault as current",
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.SelectVault(cmd, args[0])
 		},
 	}
 }
 func newVaultImportCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "import <vault-name>",
 		Short:             "Import a mnemonic into a vault",
 		Long:              `Import a BIP39 mnemonic phrase into the specified vault (default if not specified).`,
 		Args:              cobra.MaximumNArgs(1),
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			vaultName := "default"
 			if len(args) > 0 {
 				vaultName = args[0]
 			}
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.VaultImport(cmd, vaultName)
 		},
 	}
 }
 func newVaultRemoveCmd() *cobra.Command {
 	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <name>",
 		Aliases: []string{"rm"},
 		Short:   "Remove a vault",
 		Long: `Remove a vault. Requires --force if the vault contains secrets. Will automatically ` +
 			`switch to another vault if removing the currently selected one.`,
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
 			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.RemoveVault(cmd, args[0], force)
 		},
 	}
 	cmd.Flags().BoolP("force", "f", false, "Force removal even if vault contains secrets")
 	return cmd
 }
 // ListVaults lists all available vaults
-func (cli *CLIInstance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
+func (cli *Instance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
-	if jsonOutput {
+	if jsonOutput { //nolint:nestif // Separate JSON and text output formatting logic
 		// Get current vault name for context
 		currentVault := ""
 		if currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir); err == nil {
@@ -104,7 +167,7 @@ func (cli *CLIInstance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 		result := map[string]interface{}{
 			"vaults":       vaults,
-			"current_vault": currentVault,
+			"currentVault": currentVault,
 		}
 		jsonBytes, err := json.MarshalIndent(result, "", "  ")
@@ -138,30 +201,115 @@ func (cli *CLIInstance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 }
 // CreateVault creates a new vault
-func (cli *CLIInstance) CreateVault(cmd *cobra.Command, name string) error {
+func (cli *Instance) CreateVault(cmd *cobra.Command, name string) error {
 	secret.Debug("Creating new vault", "name", name, "state_dir", cli.stateDir)
 	// Get or prompt for mnemonic
 	var mnemonicStr string
 	if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
 		secret.Debug("Using mnemonic from environment variable")
 		mnemonicStr = envMnemonic
 	} else {
 		secret.Debug("Prompting user for mnemonic phrase")
 		// Read mnemonic securely without echo
 		mnemonicBuffer, err := secret.ReadPassphrase("Enter your BIP39 mnemonic phrase: ")
 		if err != nil {
 			secret.Debug("Failed to read mnemonic from stdin", "error", err)
 			return fmt.Errorf("failed to read mnemonic: %w", err)
 		}
 		defer mnemonicBuffer.Destroy()
 		mnemonicStr = mnemonicBuffer.String()
 		fmt.Fprintln(os.Stderr) // Add newline after hidden input
 	}
 	if mnemonicStr == "" {
 		return fmt.Errorf("mnemonic cannot be empty")
 	}
 	// Validate the mnemonic
 	mnemonicWords := strings.Fields(mnemonicStr)
 	secret.Debug("Validating BIP39 mnemonic", "word_count", len(mnemonicWords))
 	if !bip39.IsMnemonicValid(mnemonicStr) {
 		return fmt.Errorf("invalid BIP39 mnemonic phrase")
 	}
 	// Set mnemonic in environment for CreateVault to use
 	originalMnemonic := os.Getenv(secret.EnvMnemonic)
 	_ = os.Setenv(secret.EnvMnemonic, mnemonicStr)
 	defer func() {
 		if originalMnemonic != "" {
 			_ = os.Setenv(secret.EnvMnemonic, originalMnemonic)
 		} else {
 			_ = os.Unsetenv(secret.EnvMnemonic)
 		}
 	}()
 	// Create the vault - it will handle key derivation internally
 	vlt, err := vault.CreateVault(cli.fs, cli.stateDir, name)
 	if err != nil {
 		return err
 	}
 	// Get the vault metadata to retrieve the derivation index
 	vaultDir := filepath.Join(cli.stateDir, "vaults.d", name)
 	metadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
 	if err != nil {
 		return fmt.Errorf("failed to load vault metadata: %w", err)
 	}
 	// Derive the long-term key using the same index that CreateVault used
 	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, metadata.DerivationIndex)
 	if err != nil {
 		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 	}
 	// Unlock the vault with the derived long-term key
 	vlt.Unlock(ltIdentity)
 	// Get or prompt for passphrase
 	var passphraseBuffer *memguard.LockedBuffer
 	if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
 		secret.Debug("Using unlock passphrase from environment variable")
 		passphraseBuffer = memguard.NewBufferFromBytes([]byte(envPassphrase))
 	} else {
 		secret.Debug("Prompting user for unlock passphrase")
 		// Use secure passphrase input with confirmation
 		passphraseBuffer, err = readSecurePassphrase("Enter passphrase for unlocker: ")
 		if err != nil {
 			return fmt.Errorf("failed to read passphrase: %w", err)
 		}
 	}
 	defer passphraseBuffer.Destroy()
 	// Create passphrase-protected unlocker
 	secret.Debug("Creating passphrase-protected unlocker")
 	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
 	cmd.Printf("Created vault '%s'\n", vlt.GetName())
 	cmd.Printf("Long-term public key: %s\n", ltIdentity.Recipient().String())
 	cmd.Printf("Unlocker ID: %s\n", passphraseUnlocker.GetID())
 	return nil
 }
 // SelectVault selects a vault as the current one
-func (cli *CLIInstance) SelectVault(cmd *cobra.Command, name string) error {
+func (cli *Instance) SelectVault(cmd *cobra.Command, name string) error {
 	if err := vault.SelectVault(cli.fs, cli.stateDir, name); err != nil {
 		return err
 	}
 	cmd.Printf("Selected vault '%s' as current\n", name)
 	return nil
 }
 // VaultImport imports a mnemonic into a specific vault
-func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error {
+func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 	secret.Debug("Importing mnemonic into vault", "vault_name", vaultName, "state_dir", cli.stateDir)
 	// Get the specific vault by name
@@ -204,6 +352,7 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	derivationIndex, err := vault.GetNextDerivationIndex(cli.fs, cli.stateDir, mnemonic)
 	if err != nil {
 		secret.Debug("Failed to get next derivation index", "error", err)
 		return fmt.Errorf("failed to get next derivation index: %w", err)
 	}
 	secret.Debug("Using derivation index", "index", derivationIndex)
@@ -219,7 +368,7 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	ltPublicKey := ltIdentity.Recipient().String()
 	secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir)
-	if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), 0600); err != nil {
+	if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to store long-term public key: %w", err)
 	}
@@ -239,7 +388,7 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	existingMetadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
 	if err != nil {
 		// If metadata doesn't exist, create new
-		existingMetadata = &vault.VaultMetadata{
+		existingMetadata = &vault.Metadata{
 			CreatedAt: time.Now(),
 		}
 	}
@@ -251,6 +400,7 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	if err := vault.SaveVaultMetadata(cli.fs, vaultDir, existingMetadata); err != nil {
 		secret.Debug("Failed to save vault metadata", "error", err)
 		return fmt.Errorf("failed to save vault metadata: %w", err)
 	}
 	secret.Debug("Saved vault metadata with derivation index and public key hash")
@@ -263,14 +413,19 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	secret.Debug("Using unlock passphrase from environment variable")
 	// Create secure buffer for passphrase
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
 	defer passphraseBuffer.Destroy()
 	// Unlock the vault with the derived long-term key
 	vlt.Unlock(ltIdentity)
 	// Create passphrase-protected unlocker
 	secret.Debug("Creating passphrase-protected unlocker")
-	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
+	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		secret.Debug("Failed to create unlocker", "error", err)
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
@@ -280,3 +435,90 @@ func (cli *CLIInstance) VaultImport(cmd *cobra.Command, vaultName string) error
 	return nil
 }
 // RemoveVault removes a vault with safety checks
 func (cli *Instance) RemoveVault(cmd *cobra.Command, name string, force bool) error {
 	// Get list of all vaults
 	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
 	if err != nil {
 		return fmt.Errorf("failed to list vaults: %w", err)
 	}
 	// Check if vault exists
 	vaultExists := false
 	for _, v := range vaults {
 		if v == name {
 			vaultExists = true
 			break
 		}
 	}
 	if !vaultExists {
 		return fmt.Errorf("vault '%s' does not exist", name)
 	}
 	// Don't allow removing the last vault
 	if len(vaults) == 1 {
 		return fmt.Errorf("cannot remove the last vault")
 	}
 	// Check if this is the current vault
 	currentVault, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return fmt.Errorf("failed to get current vault: %w", err)
 	}
 	isCurrentVault := currentVault.GetName() == name
 	// Load the vault to check for secrets
 	vlt := vault.NewVault(cli.fs, cli.stateDir, name)
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		return fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	// Check if vault has secrets
 	secretsDir := filepath.Join(vaultDir, "secrets.d")
 	hasSecrets := false
 	if exists, _ := afero.DirExists(cli.fs, secretsDir); exists {
 		entries, err := afero.ReadDir(cli.fs, secretsDir)
 		if err == nil && len(entries) > 0 {
 			hasSecrets = true
 		}
 	}
 	// Require --force if vault has secrets
 	if hasSecrets && !force {
 		return fmt.Errorf("vault '%s' contains secrets; use --force to remove", name)
 	}
 	// If removing current vault, switch to another vault first
 	if isCurrentVault {
 		// Find another vault to switch to
 		var newVault string
 		for _, v := range vaults {
 			if v != name {
 				newVault = v
 				break
 			}
 		}
 		// Switch to the new vault
 		if err := vault.SelectVault(cli.fs, cli.stateDir, newVault); err != nil {
 			return fmt.Errorf("failed to switch to vault '%s': %w", newVault, err)
 		}
 		cmd.Printf("Switched current vault to '%s'\n", newVault)
 	}
 	// Remove the vault directory
 	if err := cli.fs.RemoveAll(vaultDir); err != nil {
 		return fmt.Errorf("failed to remove vault directory: %w", err)
 	}
 	cmd.Printf("Removed vault '%s'\n", name)
 	if hasSecrets {
 		cmd.Printf("Warning: Vault contained secrets that have been permanently deleted\n")
 	}
 	return nil
 }
--- a/internal/cli/version.go
+++ b/internal/cli/version.go
@@ -2,6 +2,7 @@ package cli
 import (
 	"fmt"
 	"log"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
@@ -12,14 +13,22 @@ import (
 	"github.com/spf13/cobra"
 )
 const (
 	tabWriterPadding = 2
 )
 // newVersionCmd returns the version management command
 func newVersionCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return VersionCommands(cli)
 }
 // VersionCommands returns the version management commands
-func VersionCommands(cli *CLIInstance) *cobra.Command {
+func VersionCommands(cli *Instance) *cobra.Command {
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Manage secret versions",
@@ -29,8 +38,10 @@ func VersionCommands(cli *CLIInstance) *cobra.Command {
 	// List versions command
 	listCmd := &cobra.Command{
 		Use:               "list <secret-name>",
 		Aliases:           []string{"ls"},
 		Short:             "List all versions of a secret",
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.ListVersions(cmd, args[0])
 		},
@@ -41,30 +52,61 @@ func VersionCommands(cli *CLIInstance) *cobra.Command {
 		Use:   "promote <secret-name> <version>",
 		Short: "Promote a specific version to current",
 		Long:  "Updates the current symlink to point to the specified version without modifying timestamps",
-		Args:  cobra.ExactArgs(2),
+		Args:  cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			// Complete secret name for first arg
 			if len(args) == 0 {
 				return getSecretNamesCompletionFunc(cli.fs, cli.stateDir)(cmd, args, toComplete)
 			}
 			// TODO: Complete version numbers for second arg
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.PromoteVersion(cmd, args[0], args[1])
 		},
 	}
-	versionCmd.AddCommand(listCmd, promoteCmd)
+	// Remove version command
 	removeCmd := &cobra.Command{
 		Use:     "remove <secret-name> <version>",
 		Aliases: []string{"rm"},
 		Short:   "Remove a specific version of a secret",
 		Long:    "Remove a specific version of a secret. Cannot remove the current version.",
 		Args:    cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			// Complete secret name for first arg
 			if len(args) == 0 {
 				return getSecretNamesCompletionFunc(cli.fs, cli.stateDir)(cmd, args, toComplete)
 			}
 			// TODO: Complete version numbers for second arg
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.RemoveVersion(cmd, args[0], args[1])
 		},
 	}
 	versionCmd.AddCommand(listCmd, promoteCmd, removeCmd)
 	return versionCmd
 }
 // ListVersions lists all versions of a secret
-func (cli *CLIInstance) ListVersions(cmd *cobra.Command, secretName string) error {
+func (cli *Instance) ListVersions(cmd *cobra.Command, secretName string) error {
 	secret.Debug("ListVersions called", "secret_name", secretName)
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		secret.Debug("Failed to get current vault", "error", err)
 		return err
 	}
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err)
 		return err
 	}
@@ -76,10 +118,12 @@ func (cli *CLIInstance) ListVersions(cmd *cobra.Command, secretName string) erro
 	exists, err := afero.DirExists(cli.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err)
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secret not found", "secret_name", secretName)
 		return fmt.Errorf("secret '%s' not found", secretName)
 	}
@@ -87,11 +131,13 @@ func (cli *CLIInstance) ListVersions(cmd *cobra.Command, secretName string) erro
 	versions, err := secret.ListVersions(cli.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to list versions", "error", err)
 		return fmt.Errorf("failed to list versions: %w", err)
 	}
 	if len(versions) == 0 {
 		cmd.Println("No versions found")
 		return nil
 	}
@@ -109,22 +155,23 @@ func (cli *CLIInstance) ListVersions(cmd *cobra.Command, secretName string) erro
 	}
 	// Create table writer
-	w := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
+	w := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, tabWriterPadding, ' ', 0)
-	fmt.Fprintln(w, "VERSION\tCREATED\tSTATUS\tNOT_BEFORE\tNOT_AFTER")
+	_, _ = fmt.Fprintln(w, "VERSION\tCREATED\tSTATUS\tNOT_BEFORE\tNOT_AFTER")
 	// Load and display each version's metadata
 	for _, version := range versions {
-		sv := secret.NewSecretVersion(vlt, secretName, version)
+		sv := secret.NewVersion(vlt, secretName, version)
 		// Load metadata
 		if err := sv.LoadMetadata(ltIdentity); err != nil {
-			secret.Debug("Failed to load version metadata", "version", version, "error", err)
+			secret.Warn("Failed to load version metadata", "version", version, "error", err)
 			// Display version with error
 			status := "error"
 			if version == currentVersion {
 				status = "current (error)"
 			}
-			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, "-", status, "-", "-")
+			_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, "-", status, "-", "-")
 			continue
 		}
@@ -150,15 +197,16 @@ func (cli *CLIInstance) ListVersions(cmd *cobra.Command, secretName string) erro
 			notAfter = sv.Metadata.NotAfter.Format("2006-01-02 15:04:05")
 		}
-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, createdAt, status, notBefore, notAfter)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, createdAt, status, notBefore, notAfter)
 	}
-	w.Flush()
+	_ = w.Flush()
 	return nil
 }
 // PromoteVersion promotes a specific version to current
-func (cli *CLIInstance) PromoteVersion(cmd *cobra.Command, secretName string, version string) error {
+func (cli *Instance) PromoteVersion(cmd *cobra.Command, secretName string, version string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -190,5 +238,63 @@ func (cli *CLIInstance) PromoteVersion(cmd *cobra.Command, secretName string, ve
 	}
 	cmd.Printf("Promoted version %s to current for secret '%s'\n", version, secretName)
 	return nil
 }
 // RemoveVersion removes a specific version of a secret
 func (cli *Instance) RemoveVersion(cmd *cobra.Command, secretName string, version string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		return err
 	}
 	// Get the encoded secret name
 	encodedName := strings.ReplaceAll(secretName, "/", "%")
 	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
 	// Check if secret exists
 	exists, err := afero.DirExists(cli.fs, secretDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		return fmt.Errorf("secret '%s' not found", secretName)
 	}
 	// Check if version exists
 	versionDir := filepath.Join(secretDir, "versions", version)
 	exists, err = afero.DirExists(cli.fs, versionDir)
 	if err != nil {
 		return fmt.Errorf("failed to check if version exists: %w", err)
 	}
 	if !exists {
 		return fmt.Errorf("version '%s' not found for secret '%s'", version, secretName)
 	}
 	// Get current version
 	currentVersion, err := secret.GetCurrentVersion(cli.fs, secretDir)
 	if err != nil {
 		return fmt.Errorf("failed to get current version: %w", err)
 	}
 	// Don't allow removing the current version
 	if version == currentVersion {
 		return fmt.Errorf("cannot remove the current version '%s'; promote another version first", version)
 	}
 	// Remove the version directory
 	if err := cli.fs.RemoveAll(versionDir); err != nil {
 		return fmt.Errorf("failed to remove version: %w", err)
 	}
 	cmd.Printf("Removed version %s of secret '%s'\n", version, secretName)
 	return nil
 }
--- a/internal/cli/version_test.go
+++ b/internal/cli/version_test.go
@@ -18,24 +18,35 @@ package cli
 import (
 	"bytes"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 	"path/filepath"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecret(t *testing.T, vlt *vault.Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vlt.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // Helper function to set up a vault with long-term key
 func setupTestVault(t *testing.T, fs afero.Fs, stateDir string) {
 	// Set mnemonic for testing
-	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+	testMnemonic := "abandon abandon abandon abandon abandon abandon " +
 		"abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	// Create vault
 	vlt, err := vault.CreateVault(fs, stateDir, "default")
@@ -49,7 +60,7 @@ func setupTestVault(t *testing.T, fs afero.Fs, stateDir string) {
 	// Store long-term public key in vault
 	vaultDir, _ := vlt.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Select vault
@@ -69,13 +80,11 @@ func TestListVersionsCommand(t *testing.T) {
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
-	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	require.NoError(t, err)
 	time.Sleep(10 * time.Millisecond)
-	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	require.NoError(t, err)
 	// Create a command for output capture
 	cmd := newRootCmd()
@@ -127,7 +136,7 @@ func TestListVersionsNonExistentSecret(t *testing.T) {
 	// Try to list versions of non-existent secret
 	err := cli.ListVersions(cmd, "nonexistent/secret")
-	assert.Error(t, err)
+	require.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
@@ -143,13 +152,11 @@ func TestPromoteVersionCommand(t *testing.T) {
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
-	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	require.NoError(t, err)
 	time.Sleep(10 * time.Millisecond)
-	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	require.NoError(t, err)
 	// Get versions
 	vaultDir, _ := vlt.GetDirectory()
@@ -200,8 +207,7 @@ func TestPromoteNonExistentVersion(t *testing.T) {
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
-	err = vlt.AddSecret("test/secret", []byte("value"), false)
+	addTestSecret(t, vlt, "test/secret", []byte("value"), false)
 	require.NoError(t, err)
 	// Create a command for output capture
 	cmd := newRootCmd()
@@ -211,7 +217,7 @@ func TestPromoteNonExistentVersion(t *testing.T) {
 	// Try to promote non-existent version
 	err = cli.PromoteVersion(cmd, "test/secret", "20991231.999")
-	assert.Error(t, err)
+	require.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
@@ -227,13 +233,11 @@ func TestGetSecretWithVersion(t *testing.T) {
 	vlt, err := vault.GetCurrentVault(fs, stateDir)
 	require.NoError(t, err)
-	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	addTestSecret(t, vlt, "test/secret", []byte("version-1"), false)
 	require.NoError(t, err)
 	time.Sleep(10 * time.Millisecond)
-	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	addTestSecret(t, vlt, "test/secret", []byte("version-2"), true)
 	require.NoError(t, err)
 	// Get versions
 	vaultDir, _ := vlt.GetDirectory()
@@ -262,7 +266,10 @@ func TestGetSecretWithVersion(t *testing.T) {
 func TestVersionCommandStructure(t *testing.T) {
 	// Test that version commands are properly structured
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := VersionCommands(cli)
 	assert.Equal(t, "version", cmd.Use)
@@ -289,7 +296,7 @@ func TestListVersionsEmptyOutput(t *testing.T) {
 	// Create a secret directory without versions (edge case)
 	vaultDir := stateDir + "/vaults.d/default"
 	secretDir := vaultDir + "/secrets.d/test%secret"
-	err := fs.MkdirAll(secretDir, 0755)
+	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Create a command for output capture
--- a/internal/macse/macse_darwin.go
+++ b/internal/macse/macse_darwin.go
@@ -0,0 +1,129 @@
 //go:build darwin
 // Package macse provides Go bindings for macOS Secure Enclave operations
 // using CryptoTokenKit identities created via sc_auth.
 // Key creation and deletion shell out to sc_auth (which has SE entitlements).
 // Encrypt/decrypt use Security.framework ECIES directly (works unsigned).
 package macse
 /*
 #cgo CFLAGS: -x objective-c -fobjc-arc
 #cgo LDFLAGS: -framework Security -framework Foundation -framework CoreFoundation
 #include <stdlib.h>
 #include "secure_enclave.h"
 */
 import "C"
 import (
 	"fmt"
 	"unsafe"
 )
 const (
 	// p256UncompressedKeySize is the size of an uncompressed P-256 public key.
 	p256UncompressedKeySize = 65
 	// errorBufferSize is the size of the C error message buffer.
 	errorBufferSize = 512
 	// hashBufferSize is the size of the hash output buffer.
 	hashBufferSize = 128
 	// maxCiphertextSize is the max buffer for ECIES ciphertext.
 	// ECIES overhead for P-256: 65 (ephemeral pub) + 16 (GCM tag) + 16 (IV) + plaintext.
 	maxCiphertextSize = 8192
 	// maxPlaintextSize is the max buffer for decrypted plaintext.
 	maxPlaintextSize = 8192
 )
 // CreateKey creates a new P-256 non-exportable key in the Secure Enclave via sc_auth.
 // Returns the uncompressed public key bytes (65 bytes) and the identity hash (for deletion).
 func CreateKey(label string) (publicKey []byte, hash string, err error) {
 	pubKeyBuf := make([]C.uint8_t, p256UncompressedKeySize)
 	pubKeyLen := C.int(p256UncompressedKeySize)
 	var hashBuf [hashBufferSize]C.char
 	var errBuf [errorBufferSize]C.char
 	cLabel := C.CString(label)
 	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
 	result := C.se_create_key(cLabel,
 		&pubKeyBuf[0], &pubKeyLen,
 		&hashBuf[0], C.int(hashBufferSize),
 		&errBuf[0], C.int(errorBufferSize))
 	if result != 0 {
 		return nil, "", fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
 	}
 	pk := C.GoBytes(unsafe.Pointer(&pubKeyBuf[0]), pubKeyLen) //nolint:nlreturn // CGo result extraction
 	h := C.GoString(&hashBuf[0])
 	return pk, h, nil
 }
 // Encrypt encrypts plaintext using the SE-backed public key via ECIES
 // (eciesEncryptionStandardVariableIVX963SHA256AESGCM).
 // Encryption uses only the public key; no SE interaction required.
 func Encrypt(label string, plaintext []byte) ([]byte, error) {
 	ciphertextBuf := make([]C.uint8_t, maxCiphertextSize)
 	ciphertextLen := C.int(maxCiphertextSize)
 	var errBuf [errorBufferSize]C.char
 	cLabel := C.CString(label)
 	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
 	result := C.se_encrypt(cLabel,
 		(*C.uint8_t)(unsafe.Pointer(&plaintext[0])), C.int(len(plaintext)),
 		&ciphertextBuf[0], &ciphertextLen,
 		&errBuf[0], C.int(errorBufferSize))
 	if result != 0 {
 		return nil, fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
 	}
 	out := C.GoBytes(unsafe.Pointer(&ciphertextBuf[0]), ciphertextLen) //nolint:nlreturn // CGo result extraction
 	return out, nil
 }
 // Decrypt decrypts ECIES ciphertext using the SE-backed private key.
 // The ECDH portion of decryption is performed inside the Secure Enclave.
 func Decrypt(label string, ciphertext []byte) ([]byte, error) {
 	plaintextBuf := make([]C.uint8_t, maxPlaintextSize)
 	plaintextLen := C.int(maxPlaintextSize)
 	var errBuf [errorBufferSize]C.char
 	cLabel := C.CString(label)
 	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
 	result := C.se_decrypt(cLabel,
 		(*C.uint8_t)(unsafe.Pointer(&ciphertext[0])), C.int(len(ciphertext)),
 		&plaintextBuf[0], &plaintextLen,
 		&errBuf[0], C.int(errorBufferSize))
 	if result != 0 {
 		return nil, fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
 	}
 	out := C.GoBytes(unsafe.Pointer(&plaintextBuf[0]), plaintextLen) //nolint:nlreturn // CGo result extraction
 	return out, nil
 }
 // DeleteKey removes a CTK identity from the Secure Enclave via sc_auth.
 func DeleteKey(hash string) error {
 	var errBuf [errorBufferSize]C.char
 	cHash := C.CString(hash)
 	defer C.free(unsafe.Pointer(cHash)) //nolint:nlreturn // CGo free pattern
 	result := C.se_delete_key(cHash, &errBuf[0], C.int(errorBufferSize))
 	if result != 0 {
 		return fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
 	}
 	return nil
 }
--- a/internal/macse/macse_stub.go
+++ b/internal/macse/macse_stub.go
@@ -0,0 +1,29 @@
 //go:build !darwin
 // +build !darwin
 // Package macse provides Go bindings for macOS Secure Enclave operations.
 package macse
 import "fmt"
 var errNotSupported = fmt.Errorf("secure enclave is only supported on macOS") //nolint:gochecknoglobals
 // CreateKey is not supported on non-darwin platforms.
 func CreateKey(_ string) ([]byte, string, error) {
 	return nil, "", errNotSupported
 }
 // Encrypt is not supported on non-darwin platforms.
 func Encrypt(_ string, _ []byte) ([]byte, error) {
 	return nil, errNotSupported
 }
 // Decrypt is not supported on non-darwin platforms.
 func Decrypt(_ string, _ []byte) ([]byte, error) {
 	return nil, errNotSupported
 }
 // DeleteKey is not supported on non-darwin platforms.
 func DeleteKey(_ string) error {
 	return errNotSupported
 }
--- a/internal/macse/macse_test.go
+++ b/internal/macse/macse_test.go
@@ -0,0 +1,163 @@
 //go:build darwin
 // +build darwin
 package macse
 import (
 	"bytes"
 	"testing"
 )
 const testKeyLabel = "berlin.sneak.app.secret.test.se-key"
 // testKeyHash stores the hash of the created test key for cleanup.
 var testKeyHash string //nolint:gochecknoglobals
 // skipIfNoSecureEnclave skips the test if SE access is unavailable.
 func skipIfNoSecureEnclave(t *testing.T) {
 	t.Helper()
 	probeLabel := "berlin.sneak.app.secret.test.se-probe"
 	_, hash, err := CreateKey(probeLabel)
 	if err != nil {
 		t.Skipf("Secure Enclave unavailable (skipping): %v", err)
 	}
 	if hash != "" {
 		_ = DeleteKey(hash)
 	}
 }
 func TestCreateAndDeleteKey(t *testing.T) {
 	skipIfNoSecureEnclave(t)
 	if testKeyHash != "" {
 		_ = DeleteKey(testKeyHash)
 	}
 	pubKey, hash, err := CreateKey(testKeyLabel)
 	if err != nil {
 		t.Fatalf("CreateKey failed: %v", err)
 	}
 	testKeyHash = hash
 	t.Logf("Created key with hash: %s", hash)
 	// Verify valid uncompressed P-256 public key
 	if len(pubKey) != p256UncompressedKeySize {
 		t.Fatalf("expected public key length %d, got %d", p256UncompressedKeySize, len(pubKey))
 	}
 	if pubKey[0] != 0x04 {
 		t.Fatalf("expected uncompressed point prefix 0x04, got 0x%02x", pubKey[0])
 	}
 	if hash == "" {
 		t.Fatal("expected non-empty hash")
 	}
 	// Delete the key
 	if err := DeleteKey(hash); err != nil {
 		t.Fatalf("DeleteKey failed: %v", err)
 	}
 	testKeyHash = ""
 	t.Log("Key created, verified, and deleted successfully")
 }
 func TestEncryptDecryptRoundTrip(t *testing.T) {
 	skipIfNoSecureEnclave(t)
 	_, hash, err := CreateKey(testKeyLabel)
 	if err != nil {
 		t.Fatalf("CreateKey failed: %v", err)
 	}
 	testKeyHash = hash
 	defer func() {
 		if testKeyHash != "" {
 			_ = DeleteKey(testKeyHash)
 			testKeyHash = ""
 		}
 	}()
 	// Test data simulating an age private key
 	plaintext := []byte("AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ")
 	// Encrypt
 	ciphertext, err := Encrypt(testKeyLabel, plaintext)
 	if err != nil {
 		t.Fatalf("Encrypt failed: %v", err)
 	}
 	t.Logf("Plaintext: %d bytes, Ciphertext: %d bytes", len(plaintext), len(ciphertext))
 	if bytes.Equal(ciphertext, plaintext) {
 		t.Fatal("ciphertext should differ from plaintext")
 	}
 	// Decrypt
 	decrypted, err := Decrypt(testKeyLabel, ciphertext)
 	if err != nil {
 		t.Fatalf("Decrypt failed: %v", err)
 	}
 	if !bytes.Equal(decrypted, plaintext) {
 		t.Fatalf("decrypted data does not match original plaintext")
 	}
 	t.Log("ECIES encrypt/decrypt round-trip successful")
 }
 func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
 	skipIfNoSecureEnclave(t)
 	_, hash, err := CreateKey(testKeyLabel)
 	if err != nil {
 		t.Fatalf("CreateKey failed: %v", err)
 	}
 	testKeyHash = hash
 	defer func() {
 		if testKeyHash != "" {
 			_ = DeleteKey(testKeyHash)
 			testKeyHash = ""
 		}
 	}()
 	plaintext := []byte("test-secret-data")
 	ct1, err := Encrypt(testKeyLabel, plaintext)
 	if err != nil {
 		t.Fatalf("first Encrypt failed: %v", err)
 	}
 	ct2, err := Encrypt(testKeyLabel, plaintext)
 	if err != nil {
 		t.Fatalf("second Encrypt failed: %v", err)
 	}
 	// ECIES uses a random ephemeral key each time, so ciphertexts should differ
 	if bytes.Equal(ct1, ct2) {
 		t.Fatal("two encryptions of same plaintext should produce different ciphertexts")
 	}
 	// Both should decrypt to the same plaintext
 	dec1, err := Decrypt(testKeyLabel, ct1)
 	if err != nil {
 		t.Fatalf("first Decrypt failed: %v", err)
 	}
 	dec2, err := Decrypt(testKeyLabel, ct2)
 	if err != nil {
 		t.Fatalf("second Decrypt failed: %v", err)
 	}
 	if !bytes.Equal(dec1, plaintext) || !bytes.Equal(dec2, plaintext) {
 		t.Fatal("both ciphertexts should decrypt to original plaintext")
 	}
 	t.Log("ECIES correctly produces different ciphertexts that decrypt to same plaintext")
 }
--- a/internal/macse/secure_enclave.h
+++ b/internal/macse/secure_enclave.h
@@ -0,0 +1,59 @@
 //go:build darwin
 #ifndef SECURE_ENCLAVE_H
 #define SECURE_ENCLAVE_H
 #include <stdint.h>
 // se_create_key creates a new P-256 key in the Secure Enclave via sc_auth.
 // label: unique identifier for the CTK identity (UTF-8 C string)
 // pub_key_out: output buffer for the uncompressed public key (65 bytes for P-256)
 // pub_key_len: on input, size of pub_key_out; on output, actual size written
 // hash_out: output buffer for the identity hash (for deletion)
 // hash_out_len: size of hash_out buffer
 // error_out: output buffer for error message
 // error_out_len: size of error_out buffer
 // Returns 0 on success, -1 on failure.
 int se_create_key(const char *label,
                  uint8_t *pub_key_out, int *pub_key_len,
                  char *hash_out, int hash_out_len,
                  char *error_out, int error_out_len);
 // se_encrypt encrypts data using the SE-backed public key (ECIES).
 // label: label of the CTK identity whose public key to use
 // plaintext: data to encrypt
 // plaintext_len: length of plaintext
 // ciphertext_out: output buffer for the ECIES ciphertext
 // ciphertext_len: on input, size of buffer; on output, actual size written
 // error_out: output buffer for error message
 // error_out_len: size of error_out buffer
 // Returns 0 on success, -1 on failure.
 int se_encrypt(const char *label,
               const uint8_t *plaintext, int plaintext_len,
               uint8_t *ciphertext_out, int *ciphertext_len,
               char *error_out, int error_out_len);
 // se_decrypt decrypts ECIES ciphertext using the SE-backed private key.
 // The ECDH portion of decryption is performed inside the Secure Enclave.
 // label: label of the CTK identity whose private key to use
 // ciphertext: ECIES ciphertext produced by se_encrypt
 // ciphertext_len: length of ciphertext
 // plaintext_out: output buffer for decrypted data
 // plaintext_len: on input, size of buffer; on output, actual size written
 // error_out: output buffer for error message
 // error_out_len: size of error_out buffer
 // Returns 0 on success, -1 on failure.
 int se_decrypt(const char *label,
               const uint8_t *ciphertext, int ciphertext_len,
               uint8_t *plaintext_out, int *plaintext_len,
               char *error_out, int error_out_len);
 // se_delete_key removes a CTK identity from the Secure Enclave via sc_auth.
 // hash: the identity hash returned by se_create_key
 // error_out: output buffer for error message
 // error_out_len: size of error_out buffer
 // Returns 0 on success, -1 on failure.
 int se_delete_key(const char *hash,
                  char *error_out, int error_out_len);
 #endif // SECURE_ENCLAVE_H
--- a/internal/macse/secure_enclave.m
+++ b/internal/macse/secure_enclave.m
@@ -0,0 +1,302 @@
 //go:build darwin
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #include "secure_enclave.h"
 #include <string.h>
 // snprintf_error writes an error message string to the output buffer.
 static void snprintf_error(char *error_out, int error_out_len, NSString *msg) {
    if (error_out && error_out_len > 0) {
        snprintf(error_out, error_out_len, "%s", msg.UTF8String);
    }
 }
 // lookup_ctk_identity finds a CTK identity by label and returns the private key.
 static SecKeyRef lookup_ctk_private_key(const char *label, char *error_out, int error_out_len) {
    NSDictionary *query = @{
        (id)kSecClass:      (id)kSecClassIdentity,
        (id)kSecAttrLabel:  [NSString stringWithUTF8String:label],
        (id)kSecMatchLimit: (id)kSecMatchLimitOne,
        (id)kSecReturnRef:  @YES,
    };
    SecIdentityRef identity = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&identity);
    if (status != errSecSuccess || !identity) {
        NSString *msg = [NSString stringWithFormat:@"CTK identity '%s' not found: OSStatus %d",
                         label, (int)status];
        snprintf_error(error_out, error_out_len, msg);
        return NULL;
    }
    SecKeyRef privateKey = NULL;
    status = SecIdentityCopyPrivateKey(identity, &privateKey);
    CFRelease(identity);
    if (status != errSecSuccess || !privateKey) {
        NSString *msg = [NSString stringWithFormat:
                         @"failed to get private key from CTK identity '%s': OSStatus %d",
                         label, (int)status];
        snprintf_error(error_out, error_out_len, msg);
        return NULL;
    }
    return privateKey;
 }
 int se_create_key(const char *label,
                  uint8_t *pub_key_out, int *pub_key_len,
                  char *hash_out, int hash_out_len,
                  char *error_out, int error_out_len) {
    @autoreleasepool {
        NSString *labelStr = [NSString stringWithUTF8String:label];
        // Shell out to sc_auth (which has SE entitlements) to create the key
        NSTask *task = [[NSTask alloc] init];
        task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
        task.arguments = @[
            @"create-ctk-identity",
            @"-k", @"p-256-ne",
            @"-t", @"none",
            @"-l", labelStr,
        ];
        NSPipe *stderrPipe = [NSPipe pipe];
        task.standardOutput = [NSPipe pipe];
        task.standardError = stderrPipe;
        NSError *nsError = nil;
        if (![task launchAndReturnError:&nsError]) {
            NSString *msg = [NSString stringWithFormat:@"failed to launch sc_auth: %@",
                             nsError.localizedDescription];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        [task waitUntilExit];
        if (task.terminationStatus != 0) {
            NSData *stderrData = [stderrPipe.fileHandleForReading readDataToEndOfFile];
            NSString *stderrStr = [[NSString alloc] initWithData:stderrData
                                                        encoding:NSUTF8StringEncoding];
            NSString *msg = [NSString stringWithFormat:@"sc_auth failed: %@",
                             stderrStr ?: @"unknown error"];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        // Retrieve the public key from the created identity
        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
        if (!privateKey) {
            return -1;
        }
        SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
        CFRelease(privateKey);
        if (!publicKey) {
            snprintf_error(error_out, error_out_len, @"failed to get public key");
            return -1;
        }
        CFErrorRef cfError = NULL;
        CFDataRef pubKeyData = SecKeyCopyExternalRepresentation(publicKey, &cfError);
        CFRelease(publicKey);
        if (!pubKeyData) {
            NSError *err = (__bridge_transfer NSError *)cfError;
            NSString *msg = [NSString stringWithFormat:@"failed to export public key: %@",
                             err.localizedDescription];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        const UInt8 *bytes = CFDataGetBytePtr(pubKeyData);
        CFIndex length = CFDataGetLength(pubKeyData);
        if (length > *pub_key_len) {
            CFRelease(pubKeyData);
            snprintf_error(error_out, error_out_len, @"public key buffer too small");
            return -1;
        }
        memcpy(pub_key_out, bytes, length);
        *pub_key_len = (int)length;
        CFRelease(pubKeyData);
        // Get the identity hash by parsing sc_auth list output
        hash_out[0] = '\0';
        NSTask *listTask = [[NSTask alloc] init];
        listTask.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
        listTask.arguments = @[@"list-ctk-identities"];
        NSPipe *listPipe = [NSPipe pipe];
        listTask.standardOutput = listPipe;
        listTask.standardError = [NSPipe pipe];
        if ([listTask launchAndReturnError:&nsError]) {
            [listTask waitUntilExit];
            NSData *listData = [listPipe.fileHandleForReading readDataToEndOfFile];
            NSString *listStr = [[NSString alloc] initWithData:listData
                                                      encoding:NSUTF8StringEncoding];
            for (NSString *line in [listStr componentsSeparatedByString:@"\n"]) {
                if ([line containsString:labelStr]) {
                    NSMutableArray *tokens = [NSMutableArray array];
                    for (NSString *part in [line componentsSeparatedByCharactersInSet:
                                            [NSCharacterSet whitespaceCharacterSet]]) {
                        if (part.length > 0) {
                            [tokens addObject:part];
                        }
                    }
                    if (tokens.count > 1) {
                        snprintf(hash_out, hash_out_len, "%s", [tokens[1] UTF8String]);
                    }
                    break;
                }
            }
        }
        return 0;
    }
 }
 int se_encrypt(const char *label,
               const uint8_t *plaintext, int plaintext_len,
               uint8_t *ciphertext_out, int *ciphertext_len,
               char *error_out, int error_out_len) {
    @autoreleasepool {
        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
        if (!privateKey) {
            return -1;
        }
        SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
        CFRelease(privateKey);
        if (!publicKey) {
            snprintf_error(error_out, error_out_len, @"failed to get public key for encryption");
            return -1;
        }
        NSData *plaintextData = [NSData dataWithBytes:plaintext length:plaintext_len];
        CFErrorRef cfError = NULL;
        CFDataRef encrypted = SecKeyCreateEncryptedData(
            publicKey,
            kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM,
            (__bridge CFDataRef)plaintextData,
            &cfError
        );
        CFRelease(publicKey);
        if (!encrypted) {
            NSError *nsError = (__bridge_transfer NSError *)cfError;
            NSString *msg = [NSString stringWithFormat:@"ECIES encryption failed: %@",
                             nsError.localizedDescription];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        const UInt8 *encBytes = CFDataGetBytePtr(encrypted);
        CFIndex encLength = CFDataGetLength(encrypted);
        if (encLength > *ciphertext_len) {
            CFRelease(encrypted);
            snprintf_error(error_out, error_out_len, @"ciphertext buffer too small");
            return -1;
        }
        memcpy(ciphertext_out, encBytes, encLength);
        *ciphertext_len = (int)encLength;
        CFRelease(encrypted);
        return 0;
    }
 }
 int se_decrypt(const char *label,
               const uint8_t *ciphertext, int ciphertext_len,
               uint8_t *plaintext_out, int *plaintext_len,
               char *error_out, int error_out_len) {
    @autoreleasepool {
        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
        if (!privateKey) {
            return -1;
        }
        NSData *ciphertextData = [NSData dataWithBytes:ciphertext length:ciphertext_len];
        CFErrorRef cfError = NULL;
        CFDataRef decrypted = SecKeyCreateDecryptedData(
            privateKey,
            kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM,
            (__bridge CFDataRef)ciphertextData,
            &cfError
        );
        CFRelease(privateKey);
        if (!decrypted) {
            NSError *nsError = (__bridge_transfer NSError *)cfError;
            NSString *msg = [NSString stringWithFormat:@"ECIES decryption failed: %@",
                             nsError.localizedDescription];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        const UInt8 *decBytes = CFDataGetBytePtr(decrypted);
        CFIndex decLength = CFDataGetLength(decrypted);
        if (decLength > *plaintext_len) {
            CFRelease(decrypted);
            snprintf_error(error_out, error_out_len, @"plaintext buffer too small");
            return -1;
        }
        memcpy(plaintext_out, decBytes, decLength);
        *plaintext_len = (int)decLength;
        CFRelease(decrypted);
        return 0;
    }
 }
 int se_delete_key(const char *hash,
                  char *error_out, int error_out_len) {
    @autoreleasepool {
        NSTask *task = [[NSTask alloc] init];
        task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
        task.arguments = @[
            @"delete-ctk-identity",
            @"-h", [NSString stringWithUTF8String:hash],
        ];
        NSPipe *stderrPipe = [NSPipe pipe];
        task.standardOutput = [NSPipe pipe];
        task.standardError = stderrPipe;
        NSError *nsError = nil;
        if (![task launchAndReturnError:&nsError]) {
            NSString *msg = [NSString stringWithFormat:@"failed to launch sc_auth: %@",
                             nsError.localizedDescription];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        [task waitUntilExit];
        if (task.terminationStatus != 0) {
            NSData *stderrData = [stderrPipe.fileHandleForReading readDataToEndOfFile];
            NSString *stderrStr = [[NSString alloc] initWithData:stderrData
                                                        encoding:NSUTF8StringEncoding];
            NSString *msg = [NSString stringWithFormat:@"sc_auth delete failed: %@",
                             stderrStr ?: @"unknown error"];
            snprintf_error(error_out, error_out_len, msg);
            return -1;
        }
        return 0;
    }
 }
--- a/internal/secret/constants.go
+++ b/internal/secret/constants.go
@@ -1,3 +1,4 @@
 // Package secret provides core types and constants for the secret application.
 package secret
 import "os"
@@ -6,18 +7,21 @@ const (
 	// AppID is the unique identifier for this application
 	AppID = "berlin.sneak.pkg.secret"
-	// Environment variable names
+	// EnvStateDir is the environment variable for specifying the state directory
 	EnvStateDir = "SB_SECRET_STATE_DIR"
 	// EnvMnemonic is the environment variable for providing the mnemonic phrase
 	EnvMnemonic = "SB_SECRET_MNEMONIC"
-	EnvUnlockPassphrase = "SB_UNLOCK_PASSPHRASE"
+	// EnvUnlockPassphrase is the environment variable for providing the unlock passphrase
 	EnvUnlockPassphrase = "SB_UNLOCK_PASSPHRASE" //nolint:gosec // G101: This is an env var name, not a credential
 	// EnvGPGKeyID is the environment variable for providing the GPG key ID
 	EnvGPGKeyID = "SB_GPG_KEY_ID"
 )
 // File system permission constants
 const (
 	// DirPerms is the permission used for directories (read-write-execute for owner only)
-	DirPerms os.FileMode = 0700
+	DirPerms os.FileMode = 0o700
 	// FilePerms is the permission used for sensitive files (read-write for owner only)
-	FilePerms os.FileMode = 0600
+	FilePerms os.FileMode = 0o600
 )
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -8,25 +8,33 @@ import (
 	"syscall"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"golang.org/x/term"
 )
 // EncryptToRecipient encrypts data to a recipient using age
-func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
+// The data parameter should be a LockedBuffer for secure memory handling
-	Debug("EncryptToRecipient starting", "data_length", len(data))
+func EncryptToRecipient(data *memguard.LockedBuffer, recipient age.Recipient) ([]byte, error) {
 	if data == nil {
 		return nil, fmt.Errorf("data buffer is nil")
 	}
 	Debug("EncryptToRecipient starting", "data_length", data.Size())
 	var buf bytes.Buffer
 	Debug("Creating age encryptor")
 	w, err := age.Encrypt(&buf, recipient)
 	if err != nil {
 		Debug("Failed to create encryptor", "error", err)
 		return nil, fmt.Errorf("failed to create encryptor: %w", err)
 	}
 	Debug("Created age encryptor successfully")
 	Debug("Writing data to encryptor")
-	if _, err := w.Write(data); err != nil {
+	if _, err := w.Write(data.Bytes()); err != nil {
 		Debug("Failed to write data to encryptor", "error", err)
 		return nil, fmt.Errorf("failed to write data: %w", err)
 	}
 	Debug("Wrote data to encryptor successfully")
@@ -34,17 +42,19 @@ func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
 	Debug("Closing encryptor")
 	if err := w.Close(); err != nil {
 		Debug("Failed to close encryptor", "error", err)
 		return nil, fmt.Errorf("failed to close encryptor: %w", err)
 	}
 	Debug("Closed encryptor successfully")
 	result := buf.Bytes()
 	Debug("EncryptToRecipient completed successfully", "result_length", len(result))
 	return result, nil
 }
 // DecryptWithIdentity decrypts data with an identity using age
-func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
+func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBuffer, error) {
 	r, err := age.Decrypt(bytes.NewReader(data), identity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create decryptor: %w", err)
@@ -55,12 +65,29 @@ func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
 		return nil, fmt.Errorf("failed to read decrypted data: %w", err)
 	}
-	return result, nil
+	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
 	for i := range result {
 		result[i] = 0
 	}
 	return resultBuffer, nil
 }
 // EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
-func EncryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
+// Both data and passphrase parameters should be LockedBuffers for secure memory handling
-	recipient, err := age.NewScryptRecipient(passphrase)
+func EncryptWithPassphrase(data *memguard.LockedBuffer, passphrase *memguard.LockedBuffer) ([]byte, error) {
 	if data == nil {
 		return nil, fmt.Errorf("data buffer is nil")
 	}
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 	// Create recipient directly from passphrase - unavoidable string conversion due to age API
 	recipient, err := age.NewScryptRecipient(passphrase.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
@@ -69,8 +96,14 @@ func EncryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
 }
 // DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
-func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, error) {
+// The passphrase parameter should be a LockedBuffer for secure memory handling
-	identity, err := age.NewScryptIdentity(passphrase)
+func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) (*memguard.LockedBuffer, error) {
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 	// Create identity directly from passphrase - unavoidable string conversion due to age API
 	identity, err := age.NewScryptIdentity(passphrase.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
 	}
@@ -80,29 +113,42 @@ func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, err
 // ReadPassphrase reads a passphrase securely from the terminal without echoing
 // This version is for unlocking and doesn't require confirmation
-func ReadPassphrase(prompt string) (string, error) {
+// Returns a LockedBuffer containing the passphrase for secure memory handling
 func ReadPassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	// Check if stdin is a terminal
-	if !term.IsTerminal(int(syscall.Stdin)) {
+	if !term.IsTerminal(syscall.Stdin) {
 		// Not a terminal - never read passphrases from piped input for security reasons
-		return "", fmt.Errorf("cannot read passphrase from non-terminal stdin (piped input or script). Please set the SB_UNLOCK_PASSPHRASE environment variable or run interactively")
+		return nil, fmt.Errorf("cannot read passphrase from non-terminal stdin " +
 			"(piped input or script). Please set the SB_UNLOCK_PASSPHRASE " +
 			"environment variable or run interactively")
 	}
 	// stdin is a terminal, check if stderr is also a terminal for interactive prompting
-	if !term.IsTerminal(int(syscall.Stderr)) {
+	if !term.IsTerminal(syscall.Stderr) {
-		return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE environment variable")
+		return nil, fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal " +
 			"(running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE " +
 			"environment variable")
 	}
 	// Both stdin and stderr are terminals - use secure password reading
 	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
-	passphrase, err := term.ReadPassword(int(syscall.Stdin))
+	passphrase, err := term.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase: %w", err)
+		return nil, fmt.Errorf("failed to read passphrase: %w", err)
 	}
 	fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo
 	if len(passphrase) == 0 {
-		return "", fmt.Errorf("passphrase cannot be empty")
+		return nil, fmt.Errorf("passphrase cannot be empty")
 	}
-	return string(passphrase), nil
+	// Create a secure buffer and copy the passphrase
 	secureBuffer := memguard.NewBufferFromBytes(passphrase)
 	// Clear the original passphrase slice
 	for i := range passphrase {
 		passphrase[i] = 0
 	}
 	return secureBuffer, nil
 }
--- a/internal/secret/debug.go
+++ b/internal/secret/debug.go
@@ -13,8 +13,8 @@ import (
 )
 var (
-	debugEnabled bool
+	debugEnabled bool         //nolint:gochecknoglobals // Package-wide debug state is necessary
-	debugLogger  *slog.Logger
+	debugLogger  *slog.Logger //nolint:gochecknoglobals // Package-wide logger instance is necessary
 )
 func init() {
@@ -29,6 +29,7 @@ func InitDebugLogging() {
 	if !debugEnabled {
 		// Create a no-op logger that discards all output
 		debugLogger = slog.New(slog.NewTextHandler(io.Discard, nil))
 		return
 	}
@@ -36,7 +37,7 @@ func InitDebugLogging() {
 	_, _, _ = syscall.Syscall(syscall.SYS_FCNTL, os.Stderr.Fd(), syscall.F_SETFL, syscall.O_SYNC)
 	// Check if STDERR is a TTY
-	isTTY := term.IsTerminal(int(syscall.Stderr))
+	isTTY := term.IsTerminal(syscall.Stderr)
 	var handler slog.Handler
 	if isTTY {
@@ -57,6 +58,16 @@ func IsDebugEnabled() bool {
 	return debugEnabled
 }
 // Warn logs a warning message to stderr unconditionally (visible without --verbose or debug flags)
 func Warn(msg string, args ...any) {
 	output := fmt.Sprintf("WARNING: %s", msg)
 	for i := 0; i+1 < len(args); i += 2 {
 		output += fmt.Sprintf(" %s=%v", args[i], args[i+1])
 	}
 	output += "\n"
 	fmt.Fprint(os.Stderr, output)
 }
 // Debug logs a debug message with optional attributes
 func Debug(msg string, args ...any) {
 	if !debugEnabled {
@@ -113,6 +124,7 @@ func (h *colorizedHandler) Handle(_ context.Context, record slog.Record) error {
 			}
 			first = false
 			output += fmt.Sprintf("%s=%#v", attr.Key, attr.Value.Any())
 			return true
 		})
 		output += "}\033[0m"
@@ -120,16 +132,17 @@ func (h *colorizedHandler) Handle(_ context.Context, record slog.Record) error {
 	output += "\n"
 	_, err := h.output.Write([]byte(output))
 	return err
 }
-func (h *colorizedHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
+func (h *colorizedHandler) WithAttrs(_ []slog.Attr) slog.Handler {
 	// For simplicity, return the same handler
 	// In a more complex implementation, we'd create a new handler with the attrs
 	return h
 }
-func (h *colorizedHandler) WithGroup(name string) slog.Handler {
+func (h *colorizedHandler) WithGroup(_ string) slog.Handler {
 	// For simplicity, return the same handler
 	// In a more complex implementation, we'd create a new handler with the group
 	return h
--- a/internal/secret/debug_test.go
+++ b/internal/secret/debug_test.go
@@ -3,7 +3,6 @@ package secret
 import (
 	"bytes"
 	"log/slog"
 	"os"
 	"strings"
 	"syscall"
 	"testing"
@@ -12,17 +11,8 @@ import (
 )
 func TestDebugLogging(t *testing.T) {
-	// Save original GODEBUG and restore it
+	// Test cleanup handled by t.Setenv
-	originalGodebug := os.Getenv("GODEBUG")
+	defer InitDebugLogging() // Re-initialize debug system after test
 	defer func() {
 		if originalGodebug == "" {
 			os.Unsetenv("GODEBUG")
 		} else {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
 		// Re-initialize debug system with original setting
 		InitDebugLogging()
 	}()
 	tests := []struct {
 		name          string
@@ -54,10 +44,8 @@ func TestDebugLogging(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Set GODEBUG
-			if tt.godebug == "" {
+			if tt.godebug != "" {
-				os.Unsetenv("GODEBUG")
+				t.Setenv("GODEBUG", tt.godebug)
 			} else {
 				os.Setenv("GODEBUG", tt.godebug)
 			}
 			// Re-initialize debug system
@@ -76,7 +64,7 @@ func TestDebugLogging(t *testing.T) {
 				// Override the debug logger for testing
 				oldLogger := debugLogger
-				if term.IsTerminal(int(syscall.Stderr)) {
+				if term.IsTerminal(syscall.Stderr) {
 					// TTY: use colorized handler with our buffer
 					debugLogger = slog.New(newColorizedHandler(&buf))
 				} else {
@@ -104,16 +92,8 @@ func TestDebugLogging(t *testing.T) {
 func TestDebugFunctions(t *testing.T) {
 	// Enable debug for testing
-	originalGodebug := os.Getenv("GODEBUG")
+	t.Setenv("GODEBUG", "berlin.sneak.pkg.secret")
-	os.Setenv("GODEBUG", "berlin.sneak.pkg.secret")
+	defer InitDebugLogging() // Re-initialize after test
 	defer func() {
 		if originalGodebug == "" {
 			os.Unsetenv("GODEBUG")
 		} else {
 			os.Setenv("GODEBUG", originalGodebug)
 		}
 		InitDebugLogging()
 	}()
 	InitDebugLogging()
@@ -122,16 +102,16 @@ func TestDebugFunctions(t *testing.T) {
 	}
 	// Test that debug functions don't panic and can be called
-	t.Run("Debug", func(t *testing.T) {
+	t.Run("Debug", func(_ *testing.T) {
 		Debug("test debug message")
 		Debug("test with args", "key", "value", "number", 42)
 	})
-	t.Run("DebugF", func(t *testing.T) {
+	t.Run("DebugF", func(_ *testing.T) {
 		DebugF("formatted message: %s %d", "test", 123)
 	})
-	t.Run("DebugWith", func(t *testing.T) {
+	t.Run("DebugWith", func(_ *testing.T) {
 		DebugWith("structured message",
 			slog.String("string_key", "string_value"),
 			slog.Int("int_key", 42),
--- a/internal/secret/derivation_index_test.go
+++ b/internal/secret/derivation_index_test.go
@@ -0,0 +1,84 @@
 //go:build darwin
 package secret
 import (
 	"encoding/json"
 	"path/filepath"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // realVault is a minimal VaultInterface backed by a real afero filesystem,
 // using the same directory layout as vault.Vault.
 type realVault struct {
 	name     string
 	stateDir string
 	fs       afero.Fs
 }
 func (v *realVault) GetDirectory() (string, error) {
 	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
 }
 func (v *realVault) GetName() string         { return v.name }
 func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
 // Unused by getLongTermPrivateKey — these satisfy VaultInterface.
 func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
 func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
 func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	panic("not used")
 }
 // createRealVault sets up a complete vault directory structure on an in-memory
 // filesystem, identical to what vault.CreateVault produces.
 func createRealVault(t *testing.T, fs afero.Fs, stateDir, name string, derivationIndex uint32) *realVault {
 	t.Helper()
 	vaultDir := filepath.Join(stateDir, "vaults.d", name)
 	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "secrets.d"), DirPerms))
 	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "unlockers.d"), DirPerms))
 	metadata := VaultMetadata{
 		CreatedAt:       time.Now(),
 		DerivationIndex: derivationIndex,
 	}
 	metaBytes, err := json.Marshal(metadata)
 	require.NoError(t, err)
 	require.NoError(t, afero.WriteFile(fs, filepath.Join(vaultDir, "vault-metadata.json"), metaBytes, FilePerms))
 	return &realVault{name: name, stateDir: stateDir, fs: fs}
 }
 func TestGetLongTermPrivateKeyUsesVaultDerivationIndex(t *testing.T) {
 	const testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Derive expected keys at two different indices to prove they differ.
 	key0, err := agehd.DeriveIdentity(testMnemonic, 0)
 	require.NoError(t, err)
 	key5, err := agehd.DeriveIdentity(testMnemonic, 5)
 	require.NoError(t, err)
 	require.NotEqual(t, key0.String(), key5.String(),
 		"sanity check: different derivation indices must produce different keys")
 	// Build a real vault with DerivationIndex=5 on an in-memory filesystem.
 	fs := afero.NewMemMapFs()
 	vault := createRealVault(t, fs, "/state", "test-vault", 5)
 	t.Setenv(EnvMnemonic, testMnemonic)
 	result, err := getLongTermPrivateKey(fs, vault)
 	require.NoError(t, err)
 	defer result.Destroy()
 	assert.Equal(t, key5.String(), string(result.Bytes()),
 		"getLongTermPrivateKey should derive at vault's DerivationIndex (5)")
 	assert.NotEqual(t, key0.String(), string(result.Bytes()),
 		"getLongTermPrivateKey must not use hardcoded index 0")
 }
--- a/internal/secret/helpers.go
+++ b/internal/secret/helpers.go
@@ -1,43 +1,22 @@
 package secret
 import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
 	"os"
 	"path/filepath"
 )
-// generateRandomString generates a random string of the specified length using the given character set
+// DetermineStateDir determines the state directory based on environment variables and OS.
-func generateRandomString(length int, charset string) (string, error) {
+// It returns an error if no usable directory can be determined.
-	if length <= 0 {
+func DetermineStateDir(customConfigDir string) (string, error) {
 		return "", fmt.Errorf("length must be positive")
 	}
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
 	for i := 0; i < length; i++ {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
 		}
 		result[i] = charset[randomIndex.Int64()]
 	}
 	return string(result), nil
 }
 // DetermineStateDir determines the state directory based on environment variables and OS
 func DetermineStateDir(customConfigDir string) string {
 	// Check for environment variable first
 	if envStateDir := os.Getenv(EnvStateDir); envStateDir != "" {
-		return envStateDir
+		return envStateDir, nil
 	}
 	// Use custom config dir if provided
 	if customConfigDir != "" {
-		return filepath.Join(customConfigDir, AppID)
+		return filepath.Join(customConfigDir, AppID), nil
 	}
 	// Use os.UserConfigDir() which handles platform-specific directories:
@@ -47,8 +26,16 @@ func DetermineStateDir(customConfigDir string) string {
 	configDir, err := os.UserConfigDir()
 	if err != nil {
 		// Fallback to a reasonable default if we can't determine user config dir
-		homeDir, _ := os.UserHomeDir()
+		homeDir, homeErr := os.UserHomeDir()
-		return filepath.Join(homeDir, ".config", AppID)
+		if homeErr != nil {
 			return "", fmt.Errorf("unable to determine state directory: config dir: %w, home dir: %w", err, homeErr)
 		}
-	return filepath.Join(configDir, AppID)
+
 		fallbackDir := filepath.Join(homeDir, ".config", AppID)
 		Warn("Could not determine user config directory, falling back to default", "fallback", fallbackDir, "error", err)
 		return fallbackDir, nil
 	}
 	return filepath.Join(configDir, AppID), nil
 }
--- a/internal/secret/helpers_darwin.go
+++ b/internal/secret/helpers_darwin.go
@@ -0,0 +1,29 @@
 //go:build darwin
 package secret
 import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
 )
 // generateRandomString generates a random string of the specified length using the given character set
 func generateRandomString(length int, charset string) (string, error) {
 	if length <= 0 {
 		return "", fmt.Errorf("length must be positive")
 	}
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
 	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
 		}
 		result[i] = charset[randomIndex.Int64()]
 	}
 	return string(result), nil
 }
--- a/internal/secret/helpers_test.go
+++ b/internal/secret/helpers_test.go
@@ -0,0 +1,50 @@
 package secret
 import (
 	"testing"
 )
 func TestDetermineStateDir_ErrorsWhenHomeDirUnavailable(t *testing.T) {
 	// Clear all env vars that could provide a home/config directory.
 	// On Darwin, os.UserHomeDir may still succeed via the password
 	// database, so we also test via an explicit empty-customConfigDir
 	// path to exercise the fallback branch.
 	t.Setenv(EnvStateDir, "")
 	t.Setenv("HOME", "")
 	t.Setenv("XDG_CONFIG_HOME", "")
 	result, err := DetermineStateDir("")
 	// On systems where both lookups fail, we must get an error.
 	// On systems where the OS provides a fallback (e.g. macOS pw db),
 	// result should still be valid (non-empty, not root-relative).
 	if err != nil {
 		// Good — the error case is handled.
 		return
 	}
 	if result == "/.config/"+AppID || result == "" {
 		t.Errorf("DetermineStateDir returned dangerous/empty path %q without error", result)
 	}
 }
 func TestDetermineStateDir_UsesEnvVar(t *testing.T) {
 	t.Setenv(EnvStateDir, "/custom/state")
 	result, err := DetermineStateDir("")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if result != "/custom/state" {
 		t.Errorf("expected /custom/state, got %q", result)
 	}
 }
 func TestDetermineStateDir_UsesCustomConfigDir(t *testing.T) {
 	t.Setenv(EnvStateDir, "")
 	result, err := DetermineStateDir("/my/config")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	expected := "/my/config/" + AppID
 	if result != expected {
 		t.Errorf("expected %q, got %q", expected, result)
 	}
 }
--- a/internal/secret/keychainunlocker.go
+++ b/internal/secret/keychainunlocker.go
@@ -1,3 +1,6 @@
 //go:build darwin
 // +build darwin
 package secret
 import (
@@ -6,27 +9,33 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	keychain "github.com/keybase/go-keychain"
 	"github.com/spf13/afero"
 )
-var (
+const (
-	// keychainItemNameRegex validates keychain item names
+	agePrivKeyPassphraseLength = 64
-	// Allows alphanumeric characters, dots, hyphens, and underscores only
+	// KEYCHAIN_APP_IDENTIFIER is the service name used for keychain items
-	keychainItemNameRegex = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
+	KEYCHAIN_APP_IDENTIFIER = "berlin.sneak.app.secret" //nolint:revive // ALL_CAPS is intentional for this constant
 )
 // keychainItemNameRegex validates keychain item names
 // Allows alphanumeric characters, dots, hyphens, and underscores only
 var keychainItemNameRegex = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
 // KeychainUnlockerMetadata extends UnlockerMetadata with keychain-specific data
 type KeychainUnlockerMetadata struct {
 	UnlockerMetadata
 	// Keychain item name
-	KeychainItemName string `json:"keychain_item_name"`
+	KeychainItemName string `json:"keychainItemName"`
 }
 // KeychainUnlocker represents a macOS Keychain-protected unlocker
@@ -38,9 +47,9 @@ type KeychainUnlocker struct {
 // KeychainData represents the data stored in the macOS keychain
 type KeychainData struct {
-	AgePublicKey         string `json:"age_public_key"`
+	AgePublicKey         string `json:"agePublicKey"`
-	AgePrivKeyPassphrase string `json:"age_priv_key_passphrase"`
+	AgePrivKeyPassphrase string `json:"agePrivKeyPassphrase"`
-	EncryptedLongtermKey string `json:"encrypted_longterm_key"`
+	EncryptedLongtermKey string `json:"encryptedLongtermKey"`
 }
 // GetIdentity implements Unlocker interface for Keychain-based unlockers
@@ -54,6 +63,7 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to get keychain item name: %w", err)
 	}
@@ -62,6 +72,7 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	keychainDataBytes, err := retrieveFromKeychain(keychainItemName)
 	if err != nil {
 		Debug("Failed to retrieve data from keychain", "error", err, "keychain_item", keychainItemName)
 		return nil, fmt.Errorf("failed to retrieve data from keychain: %w", err)
 	}
@@ -74,6 +85,7 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	var keychainData KeychainData
 	if err := json.Unmarshal(keychainDataBytes, &keychainData); err != nil {
 		Debug("Failed to parse keychain data", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse keychain data: %w", err)
 	}
@@ -86,6 +98,7 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedAgePrivKeyData, err := afero.ReadFile(k.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
@@ -96,22 +109,30 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	// Step 5: Decrypt the age private key using the passphrase from keychain
 	Debug("Decrypting age private key with keychain passphrase", "unlocker_id", k.GetID())
-	agePrivKeyData, err := DecryptWithPassphrase(encryptedAgePrivKeyData, keychainData.AgePrivKeyPassphrase)
+	// Create secure buffer for the keychain passphrase
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(keychainData.AgePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 	agePrivKeyBuffer, err := DecryptWithPassphrase(encryptedAgePrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt age private key with keychain passphrase", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with keychain passphrase: %w", err)
 	}
 	defer agePrivKeyBuffer.Destroy()
 	DebugWith("Successfully decrypted age private key with keychain passphrase",
 		slog.String("unlocker_id", k.GetID()),
-		slog.Int("decrypted_length", len(agePrivKeyData)),
+		slog.Int("decrypted_length", agePrivKeyBuffer.Size()),
 	)
 	// Step 6: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", k.GetID())
-	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
+
 	ageIdentity, err := age.ParseX25519Identity(agePrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", k.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
@@ -140,14 +161,18 @@ func (k *KeychainUnlocker) GetDirectory() string {
 // GetID implements Unlocker interface - generates ID from keychain item name
 func (k *KeychainUnlocker) GetID() string {
-	// Generate ID using keychain item name
+	// Generate ID in the format YYYY-MM-DD.HH.mm-hostname-keychain
-	keychainItemName, err := k.GetKeychainItemName()
+	// This matches the passphrase unlocker format
 	hostname, err := os.Hostname()
 	if err != nil {
-		// The vault metadata is corrupt - this is a fatal error
+		hostname = "unknown"
 		// We cannot continue with a fallback ID as that would mask data corruption
 		panic(fmt.Sprintf("Keychain unlocker metadata is corrupt or missing keychain item name: %v", err))
 	}
-	return fmt.Sprintf("%s-keychain", keychainItemName)
+
 	// Use the creation timestamp from metadata
 	createdAt := k.Metadata.CreatedAt
 	timestamp := createdAt.Format("2006-01-02.15.04")
 	return fmt.Sprintf("%s-%s-keychain", timestamp, hostname)
 }
 // Remove implements Unlocker interface - removes the keychain unlocker
@@ -156,6 +181,7 @@ func (k *KeychainUnlocker) Remove() error {
 	keychainItemName, err := k.GetKeychainItemName()
 	if err != nil {
 		Debug("Failed to get keychain item name during removal", "error", err, "unlocker_id", k.GetID())
 		return fmt.Errorf("failed to get keychain item name: %w", err)
 	}
@@ -163,6 +189,7 @@ func (k *KeychainUnlocker) Remove() error {
 	Debug("Removing keychain item", "keychain_item", keychainItemName)
 	if err := deleteFromKeychain(keychainItemName); err != nil {
 		Debug("Failed to remove keychain item", "error", err, "keychain_item", keychainItemName)
 		return fmt.Errorf("failed to remove keychain item: %w", err)
 	}
@@ -170,10 +197,12 @@ func (k *KeychainUnlocker) Remove() error {
 	Debug("Removing keychain unlocker directory", "directory", k.Directory)
 	if err := k.fs.RemoveAll(k.Directory); err != nil {
 		Debug("Failed to remove keychain unlocker directory", "error", err, "directory", k.Directory)
 		return fmt.Errorf("failed to remove keychain unlocker directory: %w", err)
 	}
 	Debug("Successfully removed keychain unlocker", "unlocker_id", k.GetID(), "keychain_item", keychainItemName)
 	return nil
 }
@@ -212,82 +241,43 @@ func generateKeychainUnlockerName(vaultName string) (string, error) {
 	// Format: secret-<vault>-<hostname>-<date>
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("secret-%s-%s-%s", vaultName, hostname, enrollmentDate), nil
 }
-// CreateKeychainUnlocker creates a new keychain unlocker and stores it in the vault
+// getLongTermPrivateKey retrieves the long-term private key either from environment or current unlocker
-func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
+// Returns a LockedBuffer to ensure the private key is protected in memory
-	// Check if we're on macOS
+func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
-	if err := checkMacOSAvailable(); err != nil {
+	// Check if mnemonic is available in environment variable
-		return nil, err
+	envMnemonic := os.Getenv(EnvMnemonic)
-	}
+	if envMnemonic != "" {
-
+		// Read vault metadata to get the correct derivation index
 	// Get current vault using the GetCurrentVault function from the same package
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the keychain item name
 	keychainItemName, err := generateKeychainUnlockerName(vault.GetName())
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate keychain item name: %w", err)
 	}
 	// Create unlocker directory using the keychain item name as the directory name
 		vaultDir, err := vault.GetDirectory()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
-	unlockerDir := filepath.Join(vaultDir, "unlockers.d", keychainItemName)
+		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
-	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
+		metadataBytes, err := afero.ReadFile(fs, metadataPath)
 		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the keychain unlocker
 	ageIdentity, err := age.GenerateX25519Identity()
 		if err != nil {
-		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
+			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
-	// Step 2: Generate a random passphrase for encrypting the age private key
+		var metadata VaultMetadata
-	agePrivKeyPassphrase, err := generateRandomPassphrase(64)
+		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
-	if err != nil {
+			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err)
 		}
-	// Step 3: Store age recipient as plaintext
+		// Use mnemonic with the vault's actual derivation index
-	ageRecipient := ageIdentity.Recipient().String()
+		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 	recipientPath := filepath.Join(unlockerDir, "pub.txt")
 	if err := afero.WriteFile(fs, recipientPath, []byte(ageRecipient), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age recipient: %w", err)
 	}
 	// Step 4: Encrypt age private key with the generated passphrase and store on disk
 	agePrivateKeyBytes := []byte(ageIdentity.String())
 	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivateKeyBytes, agePrivKeyPassphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with passphrase: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockerDir, "priv.age")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 5: Get or derive the long-term private key
 	var ltPrivKeyData []byte
 	// Check if mnemonic is available in environment variable
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
 		// Use mnemonic directly to derive long-term key
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
-		ltPrivKeyData = []byte(ltIdentity.String())
+
-	} else {
+		// Return the private key in a secure buffer
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
 	}
 	// Get the vault to access current unlocker
 	currentUnlocker, err := vault.GetCurrentUnlocker()
 	if err != nil {
@@ -329,12 +319,90 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 	}
 	// Decrypt long-term private key using current unlocker
-		ltPrivKeyData, err = DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	// Return the decrypted key buffer
 	return ltPrivKeyBuffer, nil
 }
 // CreateKeychainUnlocker creates a new keychain unlocker and stores it in the vault
 func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
 	// Check if we're on macOS
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
 	// Get current vault using the GetCurrentVault function from the same package
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate the keychain item name
 	keychainItemName, err := generateKeychainUnlockerName(vault.GetName())
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate keychain item name: %w", err)
 	}
 	// Create unlocker directory using the keychain item name as the directory name
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", keychainItemName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
 		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
 	}
 	// Step 1: Generate a new age keypair for the keychain unlocker
 	ageIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age keypair: %w", err)
 	}
 	// Step 2: Generate a random passphrase for encrypting the age private key
 	agePrivKeyPassphrase, err := generateRandomPassphrase(agePrivKeyPassphraseLength)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err)
 	}
 	// Step 3: Store age recipient as plaintext
 	ageRecipient := ageIdentity.Recipient().String()
 	recipientPath := filepath.Join(unlockerDir, "pub.txt")
 	if err := afero.WriteFile(fs, recipientPath, []byte(ageRecipient), FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write age recipient: %w", err)
 	}
 	// Step 4: Encrypt age private key with the generated passphrase and store on disk
 	// Create secure buffers for both the private key and passphrase
 	agePrivKeyStr := ageIdentity.String()
 	agePrivKeyBuffer := memguard.NewBufferFromBytes([]byte(agePrivKeyStr))
 	defer agePrivKeyBuffer.Destroy()
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(agePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivKeyBuffer, passphraseBuffer)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with passphrase: %w", err)
 	}
 	agePrivKeyPath := filepath.Join(unlockerDir, "priv.age")
 	if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
 	}
 	// Step 5: Get or derive the long-term private key
 	ltPrivKeyData, err := getLongTermPrivateKey(fs, vault)
 	if err != nil {
 		return nil, err
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 6: Encrypt long-term private key to the new age unlocker
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
 	if err != nil {
@@ -359,8 +427,12 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 		return nil, fmt.Errorf("failed to marshal keychain data: %w", err)
 	}
 	// Create a secure buffer for keychain data
 	keychainDataBuffer := memguard.NewBufferFromBytes(keychainDataBytes)
 	defer keychainDataBuffer.Destroy()
 	// Step 8: Store data in keychain
-	if err := storeInKeychain(keychainItemName, keychainDataBytes); err != nil {
+	if err := storeInKeychain(keychainItemName, keychainDataBuffer); err != nil {
 		return nil, fmt.Errorf("failed to store data in keychain: %w", err)
 	}
@@ -379,7 +451,9 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 		return nil, fmt.Errorf("failed to marshal unlocker metadata: %w", err)
 	}
-	if err := afero.WriteFile(fs, filepath.Join(unlockerDir, "unlocker-metadata.json"), metadataBytes, FilePerms); err != nil {
+	if err := afero.WriteFile(fs,
 		filepath.Join(unlockerDir, "unlocker-metadata.json"),
 		metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
 	}
@@ -390,12 +464,12 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 	}, nil
 }
-// checkMacOSAvailable verifies that we're running on macOS and security command is available
+// checkMacOSAvailable verifies that we're running on macOS
 func checkMacOSAvailable() error {
-	cmd := exec.Command("/usr/bin/security", "help")
+	if runtime.GOOS != "darwin" {
-	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("keychain unlockers are only supported on macOS, current OS: %s", runtime.GOOS)
 		return fmt.Errorf("macOS security command not available: %w (keychain unlockers are only supported on macOS)", err)
 	}
 	return nil
 }
@@ -412,59 +486,91 @@ func validateKeychainItemName(itemName string) error {
 	return nil
 }
-// storeInKeychain stores data in the macOS keychain using the security command
+// storeInKeychain stores data in the macOS keychain using keybase/go-keychain
-func storeInKeychain(itemName string, data []byte) error {
+func storeInKeychain(itemName string, data *memguard.LockedBuffer) error {
 	if data == nil {
 		return fmt.Errorf("data buffer is nil")
 	}
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
 	cmd := exec.Command("/usr/bin/security", "add-generic-password", //nolint:gosec // Input validated by validateKeychainItemName
 		"-a", itemName,
 		"-s", itemName,
 		"-w", string(data),
 		"-U") // Update if exists
-	if err := cmd.Run(); err != nil {
+	item := keychain.NewItem()
 	item.SetSecClass(keychain.SecClassGenericPassword)
 	item.SetService(KEYCHAIN_APP_IDENTIFIER)
 	item.SetAccount(itemName)
 	item.SetLabel(fmt.Sprintf("%s - %s", KEYCHAIN_APP_IDENTIFIER, itemName))
 	item.SetDescription("Secret vault keychain data")
 	item.SetData([]byte(data.String()))
 	item.SetSynchronizable(keychain.SynchronizableNo)
 	// Use AccessibleWhenUnlockedThisDeviceOnly for better security and to trigger auth
 	item.SetAccessible(keychain.AccessibleWhenUnlockedThisDeviceOnly)
 	// First try to delete any existing item
 	deleteItem := keychain.NewItem()
 	deleteItem.SetSecClass(keychain.SecClassGenericPassword)
 	deleteItem.SetService(KEYCHAIN_APP_IDENTIFIER)
 	deleteItem.SetAccount(itemName)
 	_ = keychain.DeleteItem(deleteItem) // Ignore error as item might not exist
 	// Add the new item
 	if err := keychain.AddItem(item); err != nil {
 		return fmt.Errorf("failed to store item in keychain: %w", err)
 	}
 	return nil
 }
-// retrieveFromKeychain retrieves data from the macOS keychain using the security command
+// retrieveFromKeychain retrieves data from the macOS keychain using keybase/go-keychain
 func retrieveFromKeychain(itemName string) ([]byte, error) {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return nil, fmt.Errorf("invalid keychain item name: %w", err)
 	}
-	cmd := exec.Command("/usr/bin/security", "find-generic-password", //nolint:gosec // Input validated by validateKeychainItemName
+	query := keychain.NewItem()
-		"-a", itemName,
+	query.SetSecClass(keychain.SecClassGenericPassword)
-		"-s", itemName,
+	query.SetService(KEYCHAIN_APP_IDENTIFIER)
-		"-w") // Return password only
+	query.SetAccount(itemName)
 	query.SetMatchLimit(keychain.MatchLimitOne)
 	query.SetReturnData(true)
-	output, err := cmd.Output()
+	results, err := keychain.QueryItem(query)
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve item from keychain: %w", err)
 	}
-	// Remove trailing newline if present
+	if len(results) == 0 {
-	if len(output) > 0 && output[len(output)-1] == '\n' {
+		return nil, fmt.Errorf("keychain item not found: %s", itemName)
 		output = output[:len(output)-1]
 	}
-	return output, nil
+	return results[0].Data, nil
 }
-// deleteFromKeychain removes an item from the macOS keychain using the security command
+// deleteFromKeychain removes an item from the macOS keychain using keybase/go-keychain
 // If the item doesn't exist, this function returns nil (not an error) since the goal
 // is to ensure the item is gone, and it already being gone satisfies that goal.
 func deleteFromKeychain(itemName string) error {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
-	cmd := exec.Command("/usr/bin/security", "delete-generic-password", //nolint:gosec // Input validated by validateKeychainItemName
+	item := keychain.NewItem()
-		"-a", itemName,
+	item.SetSecClass(keychain.SecClassGenericPassword)
-		"-s", itemName)
+	item.SetService(KEYCHAIN_APP_IDENTIFIER)
 	item.SetAccount(itemName)
 	if err := keychain.DeleteItem(item); err != nil {
 		// If the item doesn't exist, that's not an error - the goal is to ensure
 		// the item is gone, and it already being gone satisfies that goal.
 		// This is important for cleaning up unlocker directories when the keychain
 		// item has already been removed (e.g., manually by user, or synced vault
 		// from a different machine).
 		if err == keychain.ErrorItemNotFound {
 			Debug("Keychain item not found during deletion, ignoring", "item_name", itemName)
 			return nil
 		}
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to delete item from keychain: %w", err)
 	}
--- a/internal/secret/keychainunlocker_stub.go
+++ b/internal/secret/keychainunlocker_stub.go
@@ -0,0 +1,82 @@
 //go:build !darwin
 // +build !darwin
 package secret
 import (
 	"fmt"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // KeychainUnlockerMetadata is a stub for non-Darwin platforms
 type KeychainUnlockerMetadata struct {
 	UnlockerMetadata
 	KeychainItemName string `json:"keychainItemName"`
 }
 // KeychainUnlocker is a stub for non-Darwin platforms
 type KeychainUnlocker struct {
 	Directory string
 	Metadata  UnlockerMetadata
 	fs        afero.Fs
 }
 var errKeychainNotSupported = fmt.Errorf("keychain unlockers are only supported on macOS")
 // GetIdentity returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	return nil, errKeychainNotSupported
 }
 // GetType returns the unlocker type
 func (k *KeychainUnlocker) GetType() string {
 	return "keychain"
 }
 // GetMetadata returns the unlocker metadata
 func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
 	return k.Metadata
 }
 // GetDirectory returns the unlocker directory
 func (k *KeychainUnlocker) GetDirectory() string {
 	return k.Directory
 }
 // GetID returns the unlocker ID
 func (k *KeychainUnlocker) GetID() string {
 	return fmt.Sprintf("%s-keychain", k.Metadata.CreatedAt.Format("2006-01-02.15.04"))
 }
 // GetKeychainItemName returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
 	return "", errKeychainNotSupported
 }
 // Remove returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) Remove() error {
 	return errKeychainNotSupported
 }
 // NewKeychainUnlocker creates a stub KeychainUnlocker on non-Darwin platforms.
 // The returned instance's methods that require macOS functionality will return errors.
 func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
 	return &KeychainUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // CreateKeychainUnlocker returns an error on non-Darwin platforms
 func CreateKeychainUnlocker(_ afero.Fs, _ string) (*KeychainUnlocker, error) {
 	return nil, errKeychainNotSupported
 }
 // getLongTermPrivateKey returns an error on non-Darwin platforms
 func getLongTermPrivateKey(_ afero.Fs, _ VaultInterface) (*memguard.LockedBuffer, error) {
 	return nil, errKeychainNotSupported
 }
--- a/internal/secret/keychainunlocker_test.go
+++ b/internal/secret/keychainunlocker_test.go
@@ -0,0 +1,184 @@
 //go:build darwin
 // +build darwin
 package secret
 import (
 	"encoding/hex"
 	"runtime"
 	"testing"
 	"github.com/awnumar/memguard"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestKeychainStoreRetrieveDelete(t *testing.T) {
 	// Skip test if not on macOS
 	if runtime.GOOS != "darwin" {
 		t.Skip("Keychain tests only run on macOS")
 	}
 	// Test data
 	testItemName := "test-secret-keychain-item"
 	testData := "test-secret-data-12345"
 	testBuffer := memguard.NewBufferFromBytes([]byte(testData))
 	defer testBuffer.Destroy()
 	// Clean up any existing item first
 	_ = deleteFromKeychain(testItemName)
 	// Test 1: Store data in keychain
 	err := storeInKeychain(testItemName, testBuffer)
 	require.NoError(t, err, "Failed to store data in keychain")
 	// Test 2: Retrieve data from keychain
 	retrievedData, err := retrieveFromKeychain(testItemName)
 	require.NoError(t, err, "Failed to retrieve data from keychain")
 	assert.Equal(t, testData, string(retrievedData), "Retrieved data doesn't match stored data")
 	// Test 3: Update existing item (store again with different data)
 	newTestData := "updated-test-data-67890"
 	newTestBuffer := memguard.NewBufferFromBytes([]byte(newTestData))
 	defer newTestBuffer.Destroy()
 	err = storeInKeychain(testItemName, newTestBuffer)
 	require.NoError(t, err, "Failed to update data in keychain")
 	// Verify updated data
 	retrievedData, err = retrieveFromKeychain(testItemName)
 	require.NoError(t, err, "Failed to retrieve updated data from keychain")
 	assert.Equal(t, newTestData, string(retrievedData), "Retrieved data doesn't match updated data")
 	// Test 4: Delete from keychain
 	err = deleteFromKeychain(testItemName)
 	require.NoError(t, err, "Failed to delete data from keychain")
 	// Test 5: Verify item is deleted (should fail to retrieve)
 	_, err = retrieveFromKeychain(testItemName)
 	assert.Error(t, err, "Expected error when retrieving deleted item")
 }
 func TestKeychainInvalidItemName(t *testing.T) {
 	// Skip test if not on macOS
 	if runtime.GOOS != "darwin" {
 		t.Skip("Keychain tests only run on macOS")
 	}
 	testData := memguard.NewBufferFromBytes([]byte("test"))
 	defer testData.Destroy()
 	// Test invalid item names
 	invalidNames := []string{
 		"",                  // Empty name
 		"test space",        // Contains space
 		"test/slash",        // Contains slash
 		"test\\backslash",   // Contains backslash
 		"test:colon",        // Contains colon
 		"test;semicolon",    // Contains semicolon
 		"test|pipe",         // Contains pipe
 		"test@at",           // Contains @
 		"test#hash",         // Contains #
 		"test$dollar",       // Contains $
 		"test&ampersand",    // Contains &
 		"test*asterisk",     // Contains *
 		"test?question",     // Contains ?
 		"test!exclamation",  // Contains !
 		"test'quote",        // Contains single quote
 		"test\"doublequote", // Contains double quote
 		"test(paren",        // Contains parenthesis
 		"test[bracket",      // Contains bracket
 	}
 	for _, name := range invalidNames {
 		err := storeInKeychain(name, testData)
 		assert.Error(t, err, "Expected error for invalid name: %s", name)
 		assert.Contains(t, err.Error(), "invalid keychain item name", "Error should mention invalid name for: %s", name)
 	}
 	// Test valid names (should not error on validation)
 	validNames := []string{
 		"test-name",
 		"test_name",
 		"test.name",
 		"TestName123",
 		"TEST_NAME_123",
 		"com.example.test",
 		"secret-vault-hostname-2024-01-01",
 	}
 	for _, name := range validNames {
 		err := validateKeychainItemName(name)
 		assert.NoError(t, err, "Expected no error for valid name: %s", name)
 		// Clean up
 		_ = deleteFromKeychain(name)
 	}
 }
 func TestKeychainNilData(t *testing.T) {
 	// Skip test if not on macOS
 	if runtime.GOOS != "darwin" {
 		t.Skip("Keychain tests only run on macOS")
 	}
 	// Test storing nil data
 	err := storeInKeychain("test-item", nil)
 	assert.Error(t, err, "Expected error when storing nil data")
 	assert.Contains(t, err.Error(), "data buffer is nil")
 }
 func TestKeychainLargeData(t *testing.T) {
 	// Skip test if not on macOS
 	if runtime.GOOS != "darwin" {
 		t.Skip("Keychain tests only run on macOS")
 	}
 	// Test with larger hex-encoded data (512 bytes of binary data = 1KB hex)
 	largeData := make([]byte, 512)
 	for i := range largeData {
 		largeData[i] = byte(i % 256)
 	}
 	// Convert to hex string for storage
 	hexData := hex.EncodeToString(largeData)
 	testItemName := "test-large-data"
 	testBuffer := memguard.NewBufferFromBytes([]byte(hexData))
 	defer testBuffer.Destroy()
 	// Clean up first
 	_ = deleteFromKeychain(testItemName)
 	// Store hex data
 	err := storeInKeychain(testItemName, testBuffer)
 	require.NoError(t, err, "Failed to store large data")
 	// Retrieve and verify
 	retrievedData, err := retrieveFromKeychain(testItemName)
 	require.NoError(t, err, "Failed to retrieve large data")
 	// Decode hex and compare
 	decodedData, err := hex.DecodeString(string(retrievedData))
 	require.NoError(t, err, "Failed to decode hex data")
 	assert.Equal(t, largeData, decodedData, "Large data mismatch")
 	// Clean up
 	_ = deleteFromKeychain(testItemName)
 }
 func TestDeleteNonExistentKeychainItem(t *testing.T) {
 	// Skip test if not on macOS
 	if runtime.GOOS != "darwin" {
 		t.Skip("Keychain tests only run on macOS")
 	}
 	// Ensure item doesn't exist
 	testItemName := "test-nonexistent-keychain-item-12345"
 	_ = deleteFromKeychain(testItemName)
 	// Deleting a non-existent item should NOT return an error
 	// This is important for cleaning up unlocker directories when the keychain item
 	// has already been removed (e.g., manually by user, or on a different machine)
 	err := deleteFromKeychain(testItemName)
 	assert.NoError(t, err, "Deleting non-existent keychain item should not return an error")
 }
--- a/internal/secret/metadata.go
+++ b/internal/secret/metadata.go
@@ -8,9 +8,11 @@ import (
 type VaultMetadata struct {
 	CreatedAt       time.Time `json:"createdAt"`
 	Description     string    `json:"description,omitempty"`
-	DerivationIndex    uint32    `json:"derivation_index"`
+	DerivationIndex uint32    `json:"derivationIndex"`
-	PublicKeyHash      string    `json:"public_key_hash,omitempty"`      // Double SHA256 hash of the actual long-term public key
+	// Double SHA256 hash of the actual long-term public key
-	MnemonicFamilyHash string    `json:"mnemonic_family_hash,omitempty"` // Double SHA256 hash of index-0 key (for grouping vaults from same mnemonic)
+	PublicKeyHash string `json:"publicKeyHash,omitempty"`
 	// Double SHA256 hash of index-0 key (for grouping vaults from same mnemonic)
 	MnemonicFamilyHash string `json:"mnemonicFamilyHash,omitempty"`
 }
 // UnlockerMetadata contains information about an unlocker
@@ -20,8 +22,8 @@ type UnlockerMetadata struct {
 	Flags     []string  `json:"flags,omitempty"`
 }
-// SecretMetadata contains information about a secret
+// Metadata contains information about a secret
-type SecretMetadata struct {
+type Metadata struct {
 	CreatedAt time.Time `json:"createdAt"`
 	UpdatedAt time.Time `json:"updatedAt"`
 }
--- a/internal/secret/passphrase_test.go
+++ b/internal/secret/passphrase_test.go
@@ -9,6 +9,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -23,7 +24,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -75,8 +76,11 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	// Test encrypting private key with passphrase
 	t.Run("EncryptPrivateKey", func(t *testing.T) {
-		privKeyData := []byte(agePrivateKey)
+		privKeyBuffer := memguard.NewBufferFromBytes([]byte(agePrivateKey))
-		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, testPassphrase)
+		defer privKeyBuffer.Destroy()
 		passphraseBuffer := memguard.NewBufferFromBytes([]byte(testPassphrase))
 		defer passphraseBuffer.Destroy()
 		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to encrypt private key: %v", err)
 		}
@@ -110,8 +114,9 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 			t.Fatalf("Failed to parse recipient: %v", err)
 		}
-		ltPrivKeyData := []byte(ltIdentity.String())
+		ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
-		encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, recipient)
+		defer ltPrivKeyBuffer.Destroy()
 		encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, recipient)
 		if err != nil {
 			t.Fatalf("Failed to encrypt long-term private key: %v", err)
 		}
@@ -131,18 +136,8 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 		}
 	})
-	// Save original environment variables and set test ones
+	// Set test environment variable (cleaned up automatically)
-	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
+	t.Setenv(secret.EnvUnlockPassphrase, testPassphrase)
 	os.Setenv(secret.EnvUnlockPassphrase, testPassphrase)
 	// Clean up after test
 	defer func() {
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Test getting identity from environment variable
 	t.Run("GetIdentityFromEnv", func(t *testing.T) {
@@ -160,7 +155,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	})
 	// Unset the environment variable to test interactive prompt
-	os.Unsetenv(secret.EnvUnlockPassphrase)
+	_ = os.Unsetenv(secret.EnvUnlockPassphrase)
 	// Test getting identity from prompt (this would require mocking the prompt)
 	// For real integration tests, we'd need to provide a way to mock the passphrase input
--- a/internal/secret/passphraseunlocker.go
+++ b/internal/secret/passphraseunlocker.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -15,7 +16,40 @@ type PassphraseUnlocker struct {
 	Directory  string
 	Metadata   UnlockerMetadata
 	fs         afero.Fs
-	Passphrase string
+	Passphrase *memguard.LockedBuffer // Secure buffer for passphrase
 }
 // getPassphrase retrieves the passphrase from memory, environment, or user input
 // Returns a LockedBuffer for secure memory handling
 func (p *PassphraseUnlocker) getPassphrase() (*memguard.LockedBuffer, error) {
 	// First check if we already have the passphrase
 	if p.Passphrase != nil && p.Passphrase.IsAlive() {
 		Debug("Using in-memory passphrase", "unlocker_id", p.GetID())
 		// Return a copy of the passphrase buffer
 		return memguard.NewBufferFromBytes(p.Passphrase.Bytes()), nil
 	}
 	Debug("No passphrase in memory, checking environment")
 	// Check environment variable for passphrase
 	passphraseStr := os.Getenv(EnvUnlockPassphrase)
 	if passphraseStr != "" {
 		Debug("Using passphrase from environment", "unlocker_id", p.GetID())
 		// Convert to secure buffer
 		secureBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
 		return secureBuffer, nil
 	}
 	Debug("No passphrase in environment, prompting user")
 	// Prompt for passphrase
 	secureBuffer, err := ReadPassphrase("Enter unlock passphrase: ")
 	if err != nil {
 		Debug("Failed to read passphrase", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to read passphrase: %w", err)
 	}
 	return secureBuffer, nil
 }
 // GetIdentity implements Unlocker interface for passphrase-based unlockers
@@ -25,27 +59,11 @@ func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 		slog.String("unlocker_type", p.GetType()),
 	)
-	// First check if we already have the passphrase
+	passphraseBuffer, err := p.getPassphrase()
 	passphraseStr := p.Passphrase
 	if passphraseStr == "" {
 		Debug("No passphrase in memory, checking environment")
 		// Check environment variable for passphrase
 		passphraseStr = os.Getenv(EnvUnlockPassphrase)
 		if passphraseStr == "" {
 			Debug("No passphrase in environment, prompting user")
 			// Prompt for passphrase
 			var err error
 			passphraseStr, err = ReadPassphrase("Enter unlock passphrase: ")
 	if err != nil {
-				Debug("Failed to read passphrase", "error", err, "unlocker_id", p.GetID())
+		return nil, err
 				return nil, fmt.Errorf("failed to read passphrase: %w", err)
 			}
 		} else {
 			Debug("Using passphrase from environment", "unlocker_id", p.GetID())
 		}
 	} else {
 		Debug("Using in-memory passphrase", "unlocker_id", p.GetID())
 	}
 	defer passphraseBuffer.Destroy()
 	// Read encrypted private key of unlocker
 	unlockerPrivPath := filepath.Join(p.Directory, "priv.age")
@@ -54,6 +72,7 @@ func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedPrivKeyData, err := afero.ReadFile(p.fs, unlockerPrivPath)
 	if err != nil {
 		Debug("Failed to read passphrase unlocker private key", "error", err, "path", unlockerPrivPath)
 		return nil, fmt.Errorf("failed to read unlocker private key: %w", err)
 	}
@@ -65,22 +84,26 @@ func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	Debug("Decrypting unlocker private key with passphrase", "unlocker_id", p.GetID())
 	// Decrypt the unlocker private key with passphrase
-	privKeyData, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseStr)
+	privKeyBuffer, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt unlocker private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt unlocker private key: %w", err)
 	}
 	defer privKeyBuffer.Destroy()
 	DebugWith("Successfully decrypted unlocker private key",
 		slog.String("unlocker_id", p.GetID()),
-		slog.Int("decrypted_length", len(privKeyData)),
+		slog.Int("decrypted_length", privKeyBuffer.Size()),
 	)
 	// Parse the decrypted private key
 	Debug("Parsing decrypted unlocker identity", "unlocker_id", p.GetID())
-	identity, err := age.ParseX25519Identity(string(privKeyData))
+
 	identity, err := age.ParseX25519Identity(privKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse unlocker private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse unlocker private key: %w", err)
 	}
@@ -111,16 +134,23 @@ func (p *PassphraseUnlocker) GetDirectory() string {
 func (p *PassphraseUnlocker) GetID() string {
 	// Generate ID using creation timestamp: YYYY-MM-DD.HH.mm-passphrase
 	createdAt := p.Metadata.CreatedAt
 	return fmt.Sprintf("%s-passphrase", createdAt.Format("2006-01-02.15.04"))
 }
 // Remove implements Unlocker interface - removes the passphrase unlocker
 func (p *PassphraseUnlocker) Remove() error {
 	// Clean up the passphrase from memory if it exists
 	if p.Passphrase != nil && p.Passphrase.IsAlive() {
 		p.Passphrase.Destroy()
 	}
 	// For passphrase unlockers, we just need to remove the directory
 	// No external resources (like keychain items) to clean up
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove passphrase unlocker directory: %w", err)
 	}
 	return nil
 }
@@ -134,7 +164,12 @@ func NewPassphraseUnlocker(fs afero.Fs, directory string, metadata UnlockerMetad
 }
 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
-func CreatePassphraseUnlocker(fs afero.Fs, stateDir string, passphrase string) (*PassphraseUnlocker, error) {
+// The passphrase must be provided as a LockedBuffer for security
 func CreatePassphraseUnlocker(
 	fs afero.Fs,
 	stateDir string,
 	passphrase *memguard.LockedBuffer,
 ) (*PassphraseUnlocker, error) {
 	// Get current vault
 	currentVault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -1,3 +1,5 @@
 //go:build darwin
 package secret_test
 import (
@@ -16,6 +18,7 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -28,14 +31,14 @@ func init() {
 }
 // setupNonInteractiveGPG creates a custom GPG environment for testing
-func setupNonInteractiveGPG(t *testing.T, tempDir, passphrase, gnupgHomeDir string) {
+func setupNonInteractiveGPG(t *testing.T, _, passphrase, gnupgHomeDir string) {
 	// Create GPG config file for non-interactive operation
 	gpgConfPath := filepath.Join(gnupgHomeDir, "gpg.conf")
 	gpgConfContent := `batch
 no-tty
 pinentry-mode loopback
 `
-	if err := os.WriteFile(gpgConfPath, []byte(gpgConfContent), 0600); err != nil {
+	if err := os.WriteFile(gpgConfPath, []byte(gpgConfContent), 0o600); err != nil {
 		t.Fatalf("Failed to write GPG config file: %v", err)
 	}
@@ -44,7 +47,10 @@ pinentry-mode loopback
 	origDecryptFunc := secret.GPGDecryptFunc
 	// Set custom GPG functions for this test
-	secret.GPGEncryptFunc = func(data []byte, keyID string) ([]byte, error) {
+	secret.GPGEncryptFunc = func(data *memguard.LockedBuffer, keyID string) ([]byte, error) {
 		if data == nil {
 			return nil, fmt.Errorf("data buffer is nil")
 		}
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -59,7 +65,7 @@ pinentry-mode loopback
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
-		cmd.Stdin = bytes.NewReader(data)
+		cmd.Stdin = bytes.NewReader(data.Bytes())
 		if err := cmd.Run(); err != nil {
 			return nil, fmt.Errorf("GPG encryption failed: %w\nStderr: %s", err, stderr.String())
@@ -68,7 +74,7 @@ pinentry-mode loopback
 		return stdout.Bytes(), nil
 	}
-	secret.GPGDecryptFunc = func(encryptedData []byte) ([]byte, error) {
+	secret.GPGDecryptFunc = func(encryptedData []byte) (*memguard.LockedBuffer, error) {
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -87,7 +93,8 @@ pinentry-mode loopback
 			return nil, fmt.Errorf("GPG decryption failed: %w\nStderr: %s", err, stderr.String())
 		}
-		return stdout.Bytes(), nil
+		// Create a secure buffer for the decrypted data
 		return memguard.NewBufferFromBytes(stdout.Bytes()), nil
 	}
 	// Restore original functions after test
@@ -135,28 +142,16 @@ func TestPGPUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")
-	if err := os.MkdirAll(gnupgHomeDir, 0700); err != nil {
+	if err := os.MkdirAll(gnupgHomeDir, 0o700); err != nil {
 		t.Fatalf("Failed to create GNUPGHOME: %v", err)
 	}
 	// Save original GNUPGHOME
 	origGnupgHome := os.Getenv("GNUPGHOME")
 	// Set new GNUPGHOME
-	os.Setenv("GNUPGHOME", gnupgHomeDir)
+	t.Setenv("GNUPGHOME", gnupgHomeDir)
 	// Clean up environment after test
 	defer func() {
 		if origGnupgHome != "" {
 			os.Setenv("GNUPGHOME", origGnupgHome)
 		} else {
 			os.Unsetenv("GNUPGHOME")
 		}
 	}()
 	// Test passphrase for GPG key
 	testPassphrase := "test123"
@@ -176,7 +171,7 @@ Passphrase: ` + testPassphrase + `
 %commit
 %echo Key generation completed
 `
-	if err := os.WriteFile(batchFile, []byte(batchContent), 0600); err != nil {
+	if err := os.WriteFile(batchFile, []byte(batchContent), 0o600); err != nil {
 		t.Fatalf("Failed to write batch file: %v", err)
 	}
@@ -224,15 +219,7 @@ Passphrase: ` + testPassphrase + `
 	t.Logf("Generated GPG fingerprint: %s", fingerprint)
 	// Set the GPG_AGENT_INFO to empty to ensure gpg-agent doesn't interfere
-	oldAgentInfo := os.Getenv("GPG_AGENT_INFO")
+	t.Setenv("GPG_AGENT_INFO", "")
 	os.Setenv("GPG_AGENT_INFO", "")
 	defer func() {
 		if oldAgentInfo != "" {
 			os.Setenv("GPG_AGENT_INFO", oldAgentInfo)
 		} else {
 			os.Unsetenv("GPG_AGENT_INFO")
 		}
 	}()
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -240,28 +227,9 @@ Passphrase: ` + testPassphrase + `
 	// Test data
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Save original environment variable
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldGPGKeyID := os.Getenv(secret.EnvGPGKeyID)
 	// Set test environment variables
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvGPGKeyID, keyID)
+	t.Setenv(secret.EnvGPGKeyID, keyID)
 	// Clean up after test
 	defer func() {
 		if oldMnemonic != "" {
 			os.Setenv(secret.EnvMnemonic, oldMnemonic)
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldGPGKeyID != "" {
 			os.Setenv(secret.EnvGPGKeyID, oldGPGKeyID)
 		} else {
 			os.Unsetenv(secret.EnvGPGKeyID)
 		}
 	}()
 	// Set up vault structure for testing
 	stateDir := tempDir
@@ -309,7 +277,9 @@ Passphrase: ` + testPassphrase + `
 		vlt.Unlock(ltIdentity)
 		// Create a passphrase unlocker first (to have current unlocker)
-		passUnlocker, err := vlt.CreatePassphraseUnlocker("test-passphrase")
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 		defer passphraseBuffer.Destroy()
 		passUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to create passphrase unlocker: %v", err)
 		}
@@ -396,9 +366,9 @@ Passphrase: ` + testPassphrase + `
 		var metadata struct {
 			ID        string    `json:"id"`
 			Type      string    `json:"type"`
-			CreatedAt time.Time `json:"created_at"`
+			CreatedAt time.Time `json:"createdAt"`
 			Flags     []string  `json:"flags"`
-			GPGKeyID  string    `json:"gpg_key_id"`
+			GPGKeyID  string    `json:"gpgKeyId"`
 		}
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
@@ -435,7 +405,7 @@ Passphrase: ` + testPassphrase + `
 		// Create PGP metadata with GPG key ID
 		type PGPUnlockerMetadata struct {
 			secret.UnlockerMetadata
-			GPGKeyID string `json:"gpg_key_id"`
+			GPGKeyID string `json:"gpgKeyId"`
 		}
 		pgpMetadata := PGPUnlockerMetadata{
@@ -480,8 +450,9 @@ Passphrase: ` + testPassphrase + `
 		}
 		// GPG encrypt the private key using our custom encrypt function
-		privKeyData := []byte(ageIdentity.String())
+		privKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
-		encryptedOutput, err := secret.GPGEncryptFunc(privKeyData, keyID)
+		defer privKeyBuffer.Destroy()
 		encryptedOutput, err := secret.GPGEncryptFunc(privKeyBuffer, keyID)
 		if err != nil {
 			t.Fatalf("Failed to encrypt with GPG: %v", err)
 		}
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@@ -12,7 +12,7 @@ import (
 	"time"
 	"filippo.io/age"
-	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -20,11 +20,13 @@ import (
 var (
 	// GPGEncryptFunc is the function used for GPG encryption
 	// Can be overridden in tests to provide a non-interactive implementation
-	GPGEncryptFunc = gpgEncryptDefault
+	//nolint:gochecknoglobals // Required for test mocking
 	GPGEncryptFunc func(data *memguard.LockedBuffer, keyID string) ([]byte, error) = gpgEncryptDefault
 	// GPGDecryptFunc is the function used for GPG decryption
 	// Can be overridden in tests to provide a non-interactive implementation
-	GPGDecryptFunc = gpgDecryptDefault
+	//nolint:gochecknoglobals // Required for test mocking
 	GPGDecryptFunc func(encryptedData []byte) (*memguard.LockedBuffer, error) = gpgDecryptDefault
 	// gpgKeyIDRegex validates GPG key IDs
 	// Allows either:
@@ -44,7 +46,7 @@ var (
 type PGPUnlockerMetadata struct {
 	UnlockerMetadata
 	// GPG key ID used for encryption
-	GPGKeyID string `json:"gpg_key_id"`
+	GPGKeyID string `json:"gpgKeyId"`
 }
 // PGPUnlocker represents a PGP-protected unlocker
@@ -68,6 +70,7 @@ func (p *PGPUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedAgePrivKeyData, err := afero.ReadFile(p.fs, agePrivKeyPath)
 	if err != nil {
 		Debug("Failed to read PGP-encrypted age private key", "error", err, "path", agePrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
 	}
@@ -78,22 +81,25 @@ func (p *PGPUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	// Step 2: Decrypt the age private key using GPG
 	Debug("Decrypting age private key with GPG", "unlocker_id", p.GetID())
-	agePrivKeyData, err := GPGDecryptFunc(encryptedAgePrivKeyData)
+	agePrivKeyBuffer, err := GPGDecryptFunc(encryptedAgePrivKeyData)
 	if err != nil {
 		Debug("Failed to decrypt age private key with GPG", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to decrypt age private key with GPG: %w", err)
 	}
 	defer agePrivKeyBuffer.Destroy()
 	DebugWith("Successfully decrypted age private key with GPG",
 		slog.String("unlocker_id", p.GetID()),
-		slog.Int("decrypted_length", len(agePrivKeyData)),
+		slog.Int("decrypted_length", agePrivKeyBuffer.Size()),
 	)
 	// Step 3: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", p.GetID())
-	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
+	ageIdentity, err := age.ParseX25519Identity(agePrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", p.GetID())
 		return nil, fmt.Errorf("failed to parse age private key: %w", err)
 	}
@@ -122,14 +128,15 @@ func (p *PGPUnlocker) GetDirectory() string {
 // GetID implements Unlocker interface - generates ID from GPG key ID
 func (p *PGPUnlocker) GetID() string {
-	// Generate ID using GPG key ID: <keyid>-pgp
+	// Generate ID using GPG key ID: pgp-<keyid>
 	gpgKeyID, err := p.GetGPGKeyID()
 	if err != nil {
 		// The vault metadata is corrupt - this is a fatal error
 		// We cannot continue with a fallback ID as that would mask data corruption
 		panic(fmt.Sprintf("PGP unlocker metadata is corrupt or missing GPG key ID: %v", err))
 	}
-	return fmt.Sprintf("%s-pgp", gpgKeyID)
+
 	return fmt.Sprintf("pgp-%s", gpgKeyID)
 }
 // Remove implements Unlocker interface - removes the PGP unlocker
@@ -139,6 +146,7 @@ func (p *PGPUnlocker) Remove() error {
 	if err := p.fs.RemoveAll(p.Directory); err != nil {
 		return fmt.Errorf("failed to remove PGP unlocker directory: %w", err)
 	}
 	return nil
 }
@@ -177,6 +185,7 @@ func generatePGPUnlockerName() (string, error) {
 	// Format: hostname-pgp-YYYY-MM-DD
 	enrollmentDate := time.Now().Format("2006-01-02")
 	return fmt.Sprintf("%s-pgp-%s", hostname, enrollmentDate), nil
 }
@@ -224,56 +233,11 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 	}
 	// Step 3: Get or derive the long-term private key
-	var ltPrivKeyData []byte
+	ltPrivKeyData, err := getLongTermPrivateKey(fs, vault)
 	// Check if mnemonic is available in environment variable
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
 		// Use mnemonic directly to derive long-term key
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
 	if err != nil {
-			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
+		return nil, err
 		}
 		ltPrivKeyData = []byte(ltIdentity.String())
 	} else {
 		// Get the vault to access current unlocker
 		currentUnlocker, err := vault.GetCurrentUnlocker()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 		}
 		// Get the current unlocker identity
 		currentUnlockerIdentity, err := currentUnlocker.GetIdentity()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
 		}
 		// Get encrypted long-term key from current unlocker, handling different types
 		var encryptedLtPrivKey []byte
 		switch currentUnlocker := currentUnlocker.(type) {
 		case *PassphraseUnlocker:
 			// Read the encrypted long-term private key from passphrase unlocker
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlocker.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current passphrase unlocker: %w", err)
 			}
 		case *PGPUnlocker:
 			// Read the encrypted long-term private key from PGP unlocker
 			encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlocker.GetDirectory(), "longterm.age"))
 			if err != nil {
 				return nil, fmt.Errorf("failed to read encrypted long-term key from current PGP unlocker: %w", err)
 			}
 		default:
 			return nil, fmt.Errorf("unsupported current unlocker type for PGP unlocker creation")
 		}
 		// Step 6: Decrypt long-term private key using current unlocker
 		ltPrivKeyData, err = DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 		}
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 7: Encrypt long-term private key to the new age unlocker
 	encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
@@ -288,8 +252,11 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 	}
 	// Step 8: Encrypt age private key to the GPG key ID
-	agePrivateKeyBytes := []byte(ageIdentity.String())
+	// Use memguard to protect the private key in memory
-	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBytes, gpgKeyID)
+	agePrivateKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
 	defer agePrivateKeyBuffer.Destroy()
 	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBuffer, gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with GPG: %w", err)
 	}
@@ -300,7 +267,7 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 	}
 	// Step 9: Resolve the GPG key ID to its full fingerprint
-	fingerprint, err := resolveGPGKeyFingerprint(gpgKeyID)
+	fingerprint, err := ResolveGPGKeyFingerprint(gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
 	}
@@ -320,7 +287,9 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 		return nil, fmt.Errorf("failed to marshal unlocker metadata: %w", err)
 	}
-	if err := afero.WriteFile(fs, filepath.Join(unlockerDir, "unlocker-metadata.json"), metadataBytes, FilePerms); err != nil {
+	if err := afero.WriteFile(fs,
 		filepath.Join(unlockerDir, "unlocker-metadata.json"),
 		metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
 	}
@@ -344,14 +313,16 @@ func validateGPGKeyID(keyID string) error {
 	return nil
 }
-// resolveGPGKeyFingerprint resolves any GPG key identifier to its full fingerprint
+// ResolveGPGKeyFingerprint resolves any GPG key identifier to its full fingerprint
-func resolveGPGKeyFingerprint(keyID string) (string, error) {
+func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	if err := validateGPGKeyID(keyID); err != nil {
 		return "", fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
 		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
 	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@@ -377,17 +348,23 @@ func checkGPGAvailable() error {
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("GPG not available: %w (make sure 'gpg' command is installed and in PATH)", err)
 	}
 	return nil
 }
 // gpgEncryptDefault is the default implementation of GPG encryption
-func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
+func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error) {
 	if data == nil {
 		return nil, fmt.Errorf("data buffer is nil")
 	}
 	if err := validateGPGKeyID(keyID); err != nil {
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
-	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
-	cmd.Stdin = strings.NewReader(string(data))
+		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
 	)
 	cmd.Stdin = strings.NewReader(data.String())
 	output, err := cmd.Output()
 	if err != nil {
@@ -398,7 +375,7 @@ func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
 }
 // gpgDecryptDefault is the default implementation of GPG decryption
-func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
+func gpgDecryptDefault(encryptedData []byte) (*memguard.LockedBuffer, error) {
 	cmd := exec.Command("gpg", "--quiet", "--decrypt")
 	cmd.Stdin = strings.NewReader(string(encryptedData))
@@ -407,5 +384,8 @@ func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
 		return nil, fmt.Errorf("GPG decryption failed: %w", err)
 	}
-	return output, nil
+	// Create a secure buffer for the decrypted data
 	outputBuffer := memguard.NewBufferFromBytes(output)
 	return outputBuffer, nil
 }
--- a/internal/secret/secret.go
+++ b/internal/secret/secret.go
@@ -11,24 +11,25 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 // VaultInterface defines the interface that vault implementations must satisfy
 type VaultInterface interface {
 	GetDirectory() (string, error)
-	AddSecret(name string, value []byte, force bool) error
+	AddSecret(name string, value *memguard.LockedBuffer, force bool) error
 	GetName() string
 	GetFilesystem() afero.Fs
 	GetCurrentUnlocker() (Unlocker, error)
-	CreatePassphraseUnlocker(passphrase string) (*PassphraseUnlocker, error)
+	CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*PassphraseUnlocker, error)
 }
 // Secret represents a secret in a vault
 type Secret struct {
 	Name      string
 	Directory string
-	Metadata  SecretMetadata
+	Metadata  Metadata
 	vault     VaultInterface
 }
@@ -54,35 +55,15 @@ func NewSecret(vault VaultInterface, name string) *Secret {
 		Name:      name,
 		Directory: secretDir,
 		vault:     vault,
-		Metadata: SecretMetadata{
+		Metadata: Metadata{
 			CreatedAt: time.Now(),
 			UpdatedAt: time.Now(),
 		},
 	}
 }
 // Save is deprecated - use vault.AddSecret directly which creates versions
 // Kept for backward compatibility
 func (s *Secret) Save(value []byte, force bool) error {
 	DebugWith("Saving secret (deprecated method)",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
 		slog.Int("value_length", len(value)),
 		slog.Bool("force", force),
 	)
 	err := s.vault.AddSecret(s.Name, value, force)
 	if err != nil {
 		Debug("Failed to save secret", "error", err, "secret_name", s.Name)
 		return err
 	}
 	Debug("Successfully saved secret", "secret_name", s.Name)
 	return nil
 }
 // GetValue retrieves and decrypts the current version's value using the provided unlocker
-func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
+func (s *Secret) GetValue(unlocker Unlocker) (*memguard.LockedBuffer, error) {
 	DebugWith("Getting secret value",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
@@ -92,10 +73,12 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	exists, err := s.Exists()
 	if err != nil {
 		Debug("Failed to check if secret exists during GetValue", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		Debug("Secret not found during GetValue", "secret_name", s.Name, "vault_name", s.vault.GetName())
 		return nil, fmt.Errorf("secret %s not found", s.Name)
 	}
@@ -105,11 +88,12 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	currentVersion, err := GetCurrentVersion(s.vault.GetFilesystem(), s.Directory)
 	if err != nil {
 		Debug("Failed to get current version", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to get current version: %w", err)
 	}
 	// Create version object
-	version := NewSecretVersion(s.vault, s.Name, currentVersion)
+	version := NewVersion(s.vault, s.Name, currentVersion)
 	// Check if we have SB_SECRET_MNEMONIC environment variable for direct decryption
 	if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
@@ -119,6 +103,7 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 		vaultDir, err := s.vault.GetDirectory()
 		if err != nil {
 			Debug("Failed to get vault directory", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
@@ -127,12 +112,14 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 		metadataBytes, err := afero.ReadFile(s.vault.GetFilesystem(), metadataPath)
 		if err != nil {
 			Debug("Failed to read vault metadata", "error", err, "path", metadataPath)
 			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
 		var metadata VaultMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			Debug("Failed to parse vault metadata", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		}
@@ -146,6 +133,7 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			Debug("Failed to derive long-term key from mnemonic for secret", "error", err, "secret_name", s.Name)
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
@@ -160,6 +148,7 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	// Use the provided unlocker to get the vault's long-term private key
 	if unlocker == nil {
 		Debug("No unlocker provided for secret decryption", "secret_name", s.Name)
 		return nil, fmt.Errorf("unlocker required to decrypt secret")
 	}
@@ -173,6 +162,7 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	unlockIdentity, err := unlocker.GetIdentity()
 	if err != nil {
 		Debug("Failed to get unlocker identity", "error", err, "secret_name", s.Name, "unlocker_type", unlocker.GetType())
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
@@ -183,22 +173,26 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 	encryptedLtPrivKey, err := afero.ReadFile(s.vault.GetFilesystem(), encryptedLtPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted long-term private key", "error", err, "path", encryptedLtPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
 	// Decrypt the encrypted long-term private key using the unlocker
 	Debug("Decrypting long-term private key using unlocker", "secret_name", s.Name)
-	ltPrivKeyData, err := DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
 	if err != nil {
 		Debug("Failed to decrypt long-term private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	defer ltPrivKeyBuffer.Destroy()
 	// Parse the long-term private key
 	Debug("Parsing long-term private key", "secret_name", s.Name)
-	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
+	ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse long-term private key", "error", err, "secret_name", s.Name)
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}
@@ -216,22 +210,25 @@ func (s *Secret) LoadMetadata() error {
 	Debug("LoadMetadata called but is deprecated in versioned model", "secret_name", s.Name)
 	// For backward compatibility, we'll populate with basic info
 	now := time.Now()
-	s.Metadata = SecretMetadata{
+	s.Metadata = Metadata{
 		CreatedAt: now,
 		UpdatedAt: now,
 	}
 	return nil
 }
 // GetMetadata returns the secret metadata (deprecated)
-func (s *Secret) GetMetadata() SecretMetadata {
+func (s *Secret) GetMetadata() Metadata {
 	Debug("GetMetadata called but is deprecated in versioned model", "secret_name", s.Name)
 	return s.Metadata
 }
 // GetEncryptedData is deprecated - data is now stored in versions
 func (s *Secret) GetEncryptedData() ([]byte, error) {
 	Debug("GetEncryptedData called but is deprecated in versioned model", "secret_name", s.Name)
 	return nil, fmt.Errorf("GetEncryptedData is deprecated - use version-specific methods")
 }
@@ -246,11 +243,13 @@ func (s *Secret) Exists() (bool, error) {
 	exists, err := afero.DirExists(s.vault.GetFilesystem(), s.Directory)
 	if err != nil {
 		Debug("Failed to check secret directory existence", "error", err, "secret_dir", s.Directory)
 		return false, err
 	}
 	if !exists {
 		Debug("Secret directory does not exist", "secret_dir", s.Directory)
 		return false, nil
 	}
@@ -258,6 +257,7 @@ func (s *Secret) Exists() (bool, error) {
 	_, err = GetCurrentVersion(s.vault.GetFilesystem(), s.Directory)
 	if err != nil {
 		Debug("No current version found", "error", err, "secret_name", s.Name)
 		return false, nil
 	}
@@ -278,11 +278,14 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (VaultInterface, error) {
 	if getCurrentVaultFunc == nil {
 		return nil, fmt.Errorf("GetCurrentVault function not registered")
 	}
 	return getCurrentVaultFunc(fs, stateDir)
 }
 // getCurrentVaultFunc is a function variable that will be set by the vault package
 // to implement the actual GetCurrentVault functionality
 //
 //nolint:gochecknoglobals // Required to break import cycle
 var getCurrentVaultFunc func(fs afero.Fs, stateDir string) (VaultInterface, error)
 // RegisterGetCurrentVaultFunc allows the vault package to register its implementation
--- a/internal/secret/secret_test.go
+++ b/internal/secret/secret_test.go
@@ -9,6 +9,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"
 )
@@ -25,18 +26,18 @@ func (m *MockVault) GetDirectory() (string, error) {
 	return m.directory, nil
 }
-func (m *MockVault) AddSecret(name string, value []byte, force bool) error {
+func (m *MockVault) AddSecret(name string, value *memguard.LockedBuffer, _ bool) error {
 	// Create secret directory with proper storage name conversion
 	storageName := strings.ReplaceAll(name, "/", "%")
 	secretDir := filepath.Join(m.directory, "secrets.d", storageName)
-	if err := m.fs.MkdirAll(secretDir, 0700); err != nil {
+	if err := m.fs.MkdirAll(secretDir, 0o700); err != nil {
 		return err
 	}
 	// Create version directory with proper path
 	versionName := "20240101.001" // Use a fixed version name for testing
 	versionDir := filepath.Join(secretDir, "versions", versionName)
-	if err := m.fs.MkdirAll(versionDir, 0700); err != nil {
+	if err := m.fs.MkdirAll(versionDir, 0o700); err != nil {
 		return err
 	}
@@ -57,7 +58,7 @@ func (m *MockVault) AddSecret(name string, value []byte, force bool) error {
 	// Write long-term public key if it doesn't exist
 	if _, err := m.fs.Stat(ltPubKeyPath); os.IsNotExist(err) {
 		pubKey := ltIdentity.Recipient().String()
-		if err := afero.WriteFile(m.fs, ltPubKeyPath, []byte(pubKey), 0600); err != nil {
+		if err := afero.WriteFile(m.fs, ltPubKeyPath, []byte(pubKey), 0o600); err != nil {
 			return err
 		}
 	}
@@ -70,11 +71,11 @@ func (m *MockVault) AddSecret(name string, value []byte, force bool) error {
 	// Write version public key
 	pubKeyPath := filepath.Join(versionDir, "pub.age")
-	if err := afero.WriteFile(m.fs, pubKeyPath, []byte(versionIdentity.Recipient().String()), 0600); err != nil {
+	if err := afero.WriteFile(m.fs, pubKeyPath, []byte(versionIdentity.Recipient().String()), 0o600); err != nil {
 		return err
 	}
-	// Encrypt value to version's public key
+	// Encrypt value to version's public key (value is already a LockedBuffer)
 	encryptedValue, err := EncryptToRecipient(value, versionIdentity.Recipient())
 	if err != nil {
 		return err
@@ -82,26 +83,27 @@ func (m *MockVault) AddSecret(name string, value []byte, force bool) error {
 	// Write encrypted value
 	valuePath := filepath.Join(versionDir, "value.age")
-	if err := afero.WriteFile(m.fs, valuePath, encryptedValue, 0600); err != nil {
+	if err := afero.WriteFile(m.fs, valuePath, encryptedValue, 0o600); err != nil {
 		return err
 	}
 	// Encrypt version private key to long-term public key
-	encryptedPrivKey, err := EncryptToRecipient([]byte(versionIdentity.String()), ltIdentity.Recipient())
+	versionPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(versionIdentity.String()))
 	defer versionPrivKeyBuffer.Destroy()
 	encryptedPrivKey, err := EncryptToRecipient(versionPrivKeyBuffer, ltIdentity.Recipient())
 	if err != nil {
 		return err
 	}
 	// Write encrypted version private key
 	privKeyPath := filepath.Join(versionDir, "priv.age")
-	if err := afero.WriteFile(m.fs, privKeyPath, encryptedPrivKey, 0600); err != nil {
+	if err := afero.WriteFile(m.fs, privKeyPath, encryptedPrivKey, 0o600); err != nil {
 		return err
 	}
-	// Create current symlink pointing to the version
+	// Create current file pointing to the version (just the version name)
 	currentLink := filepath.Join(secretDir, "current")
-	// For MemMapFs, write a file with the target path
+	if err := afero.WriteFile(m.fs, currentLink, []byte(versionName), 0o600); err != nil {
 	if err := afero.WriteFile(m.fs, currentLink, []byte("versions/"+versionName), 0600); err != nil {
 		return err
 	}
@@ -120,7 +122,7 @@ func (m *MockVault) GetCurrentUnlocker() (Unlocker, error) {
 	return nil, nil
 }
-func (m *MockVault) CreatePassphraseUnlocker(passphrase string) (*PassphraseUnlocker, error) {
+func (m *MockVault) CreatePassphraseUnlocker(_ *memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	return nil, nil
 }
@@ -128,19 +130,9 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 	// Create an in-memory filesystem for testing
 	fs := afero.NewMemMapFs()
 	// Set up test environment variables
 	oldMnemonic := os.Getenv(EnvMnemonic)
 	defer func() {
 		if oldMnemonic == "" {
 			os.Unsetenv(EnvMnemonic)
 		} else {
 			os.Setenv(EnvMnemonic, oldMnemonic)
 		}
 	}()
 	// Set test mnemonic for direct encryption/decryption
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	os.Setenv(EnvMnemonic, testMnemonic)
+	t.Setenv(EnvMnemonic, testMnemonic)
 	// Set up a test vault structure
 	baseDir := "/test-config/berlin.sneak.pkg.secret"
@@ -164,7 +156,7 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 		fs,
 		ltPubKeyPath,
 		[]byte(ltIdentity.Recipient().String()),
-		0600,
+		0o600,
 	)
 	if err != nil {
 		t.Fatalf("Failed to write long-term public key: %v", err)
@@ -189,9 +181,13 @@ func TestPerSecretKeyFunctionality(t *testing.T) {
 	secretName := "test-secret"
 	secretValue := []byte("this is a test secret value")
 	// Create a secure buffer for the test value
 	valueBuffer := memguard.NewBufferFromBytes(secretValue)
 	defer valueBuffer.Destroy()
 	// Test AddSecret
 	t.Run("AddSecret", func(t *testing.T) {
-		err := vault.AddSecret(secretName, secretValue, false)
+		err := vault.AddSecret(secretName, valueBuffer, false)
 		if err != nil {
 			t.Fatalf("AddSecret failed: %v", err)
 		}
@@ -261,9 +257,10 @@ func isValidSecretName(name string) bool {
 	if name == "" {
 		return false
 	}
-	// Valid characters for secret names: lowercase letters, numbers, dash, dot, underscore, slash
+	// Valid characters for secret names: letters, numbers, dash, dot, underscore, slash
 	for _, char := range name {
 		if (char < 'a' || char > 'z') && // lowercase letters
 			(char < 'A' || char > 'Z') && // uppercase letters
 			(char < '0' || char > '9') && // numbers
 			char != '-' && // dash
 			char != '.' && // dot
@@ -272,6 +269,7 @@ func isValidSecretName(name string) bool {
 			return false
 		}
 	}
 	return true
 }
@@ -286,7 +284,9 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Invalid-Name", false}, // uppercase not allowed
+		{"Valid-Upper-Name", true}, // uppercase allowed
 		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
 		{"MixedCase/Path/Name", true},                         // mixed case with path
 		{"invalid name", false},                               // space not allowed
 		{"invalid@name", false},                               // @ not allowed
 	}
@@ -312,9 +312,7 @@ func TestSecretGetValueWithEnvMnemonicUsesVaultDerivationIndex(t *testing.T) {
 	// Set up test mnemonic
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	originalEnv := os.Getenv(EnvMnemonic)
+	t.Setenv(EnvMnemonic, testMnemonic)
 	os.Setenv(EnvMnemonic, testMnemonic)
 	defer os.Setenv(EnvMnemonic, originalEnv)
 	// Create temporary directory for vaults
 	fs := afero.NewOsFs()
@@ -325,7 +323,7 @@ func TestSecretGetValueWithEnvMnemonicUsesVaultDerivationIndex(t *testing.T) {
 	}()
 	stateDir := filepath.Join(tempDir, ".secret")
-	require.NoError(t, fs.MkdirAll(stateDir, 0700))
+	require.NoError(t, fs.MkdirAll(stateDir, 0o700))
 	// This test is now in the integration test file where it can use real vaults
 	// The bug is demonstrated there - see test31EnvMnemonicUsesVaultDerivationIndex
--- a/internal/secret/seunlocker_darwin.go
+++ b/internal/secret/seunlocker_darwin.go
@@ -0,0 +1,385 @@
 //go:build darwin
 // +build darwin
 package secret
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"time"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/macse"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 const (
 	// seKeyLabelPrefix is the prefix for Secure Enclave CTK identity labels.
 	seKeyLabelPrefix = "berlin.sneak.app.secret.se"
 	// seUnlockerType is the metadata type string for Secure Enclave unlockers.
 	seUnlockerType = "secure-enclave"
 	// seLongtermFilename is the filename for the SE-encrypted vault long-term private key.
 	seLongtermFilename = "longterm.age.se"
 )
 // SecureEnclaveUnlockerMetadata extends UnlockerMetadata with SE-specific data.
 type SecureEnclaveUnlockerMetadata struct {
 	UnlockerMetadata
 	SEKeyLabel string `json:"seKeyLabel"`
 	SEKeyHash  string `json:"seKeyHash"`
 }
 // SecureEnclaveUnlocker represents a Secure Enclave-protected unlocker.
 type SecureEnclaveUnlocker struct {
 	Directory string
 	Metadata  UnlockerMetadata
 	fs        afero.Fs
 }
 // GetIdentity implements Unlocker interface for SE-based unlockers.
 // Decrypts the vault's long-term private key directly using the Secure Enclave.
 func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	DebugWith("Getting SE unlocker identity",
 		slog.String("unlocker_id", s.GetID()),
 	)
 	// Get SE key label from metadata
 	seKeyLabel, _, err := s.getSEKeyInfo()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get SE key info: %w", err)
 	}
 	// Read ECIES-encrypted long-term private key from disk
 	encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
 	encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to read SE-encrypted long-term key: %w",
 			err,
 		)
 	}
 	DebugWith("Read SE-encrypted long-term key",
 		slog.Int("encrypted_length", len(encryptedData)),
 	)
 	// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
 	decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to decrypt long-term key with SE: %w",
 			err,
 		)
 	}
 	// Parse the decrypted long-term private key
 	ltIdentity, err := age.ParseX25519Identity(string(decryptedData))
 	// Clear sensitive data immediately
 	for i := range decryptedData {
 		decryptedData[i] = 0
 	}
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to parse long-term private key: %w",
 			err,
 		)
 	}
 	DebugWith("Successfully decrypted long-term key via SE",
 		slog.String("unlocker_id", s.GetID()),
 	)
 	return ltIdentity, nil
 }
 // GetType implements Unlocker interface.
 func (s *SecureEnclaveUnlocker) GetType() string {
 	return seUnlockerType
 }
 // GetMetadata implements Unlocker interface.
 func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
 	return s.Metadata
 }
 // GetDirectory implements Unlocker interface.
 func (s *SecureEnclaveUnlocker) GetDirectory() string {
 	return s.Directory
 }
 // GetID implements Unlocker interface.
 func (s *SecureEnclaveUnlocker) GetID() string {
 	hostname, err := os.Hostname()
 	if err != nil {
 		hostname = "unknown"
 	}
 	createdAt := s.Metadata.CreatedAt
 	timestamp := createdAt.Format("2006-01-02.15.04")
 	return fmt.Sprintf("%s-%s-%s", timestamp, hostname, seUnlockerType)
 }
 // Remove implements Unlocker interface.
 func (s *SecureEnclaveUnlocker) Remove() error {
 	_, seKeyHash, err := s.getSEKeyInfo()
 	if err != nil {
 		Debug("Failed to get SE key info during removal", "error", err)
 		return fmt.Errorf("failed to get SE key info: %w", err)
 	}
 	if seKeyHash != "" {
 		Debug("Deleting SE key", "hash", seKeyHash)
 		if err := macse.DeleteKey(seKeyHash); err != nil {
 			Debug("Failed to delete SE key", "error", err, "hash", seKeyHash)
 			return fmt.Errorf("failed to delete SE key: %w", err)
 		}
 	}
 	Debug("Removing SE unlocker directory", "directory", s.Directory)
 	if err := s.fs.RemoveAll(s.Directory); err != nil {
 		return fmt.Errorf("failed to remove SE unlocker directory: %w", err)
 	}
 	Debug("Successfully removed SE unlocker", "unlocker_id", s.GetID())
 	return nil
 }
 // getSEKeyInfo reads the SE key label and hash from metadata.
 func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err error) {
 	metadataPath := filepath.Join(s.Directory, "unlocker-metadata.json")
 	metadataData, err := afero.ReadFile(s.fs, metadataPath)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to read SE metadata: %w", err)
 	}
 	var seMetadata SecureEnclaveUnlockerMetadata
 	if err := json.Unmarshal(metadataData, &seMetadata); err != nil {
 		return "", "", fmt.Errorf("failed to parse SE metadata: %w", err)
 	}
 	return seMetadata.SEKeyLabel, seMetadata.SEKeyHash, nil
 }
 // NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
 func NewSecureEnclaveUnlocker(
 	fs afero.Fs,
 	directory string,
 	metadata UnlockerMetadata,
 ) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // generateSEKeyLabel generates a unique label for the SE CTK identity.
 func generateSEKeyLabel(vaultName string) (string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return "", fmt.Errorf("failed to get hostname: %w", err)
 	}
 	enrollmentDate := time.Now().UTC().Format("2006-01-02")
 	return fmt.Sprintf(
 		"%s.%s-%s-%s",
 		seKeyLabelPrefix,
 		vaultName,
 		hostname,
 		enrollmentDate,
 	), nil
 }
 // CreateSecureEnclaveUnlocker creates a new SE unlocker.
 // The vault's long-term private key is encrypted directly by the Secure Enclave
 // using ECIES. No intermediate age keypair is used.
 func CreateSecureEnclaveUnlocker(
 	fs afero.Fs,
 	stateDir string,
 ) (*SecureEnclaveUnlocker, error) {
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
 	vault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current vault: %w", err)
 	}
 	// Generate SE key label
 	seKeyLabel, err := generateSEKeyLabel(vault.GetName())
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate SE key label: %w", err)
 	}
 	// Step 1: Create P-256 key in the Secure Enclave via sc_auth
 	Debug("Creating Secure Enclave key", "label", seKeyLabel)
 	_, seKeyHash, err := macse.CreateKey(seKeyLabel)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create SE key: %w", err)
 	}
 	Debug("Created SE key", "label", seKeyLabel, "hash", seKeyHash)
 	// Step 2: Get the vault's long-term private key
 	ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to get long-term private key: %w",
 			err,
 		)
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 3: Encrypt the long-term key directly with the SE (ECIES)
 	encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to encrypt long-term key with SE: %w",
 			err,
 		)
 	}
 	// Step 4: Create unlocker directory and write files
 	vaultDir, err := vault.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
 		return nil, fmt.Errorf(
 			"failed to create unlocker directory: %w",
 			err,
 		)
 	}
 	// Write SE-encrypted long-term key
 	ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
 	if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
 		return nil, fmt.Errorf(
 			"failed to write SE-encrypted long-term key: %w",
 			err,
 		)
 	}
 	// Write metadata
 	seMetadata := SecureEnclaveUnlockerMetadata{
 		UnlockerMetadata: UnlockerMetadata{
 			Type:      seUnlockerType,
 			CreatedAt: time.Now().UTC(),
 			Flags:     []string{seUnlockerType, "macos"},
 		},
 		SEKeyLabel: seKeyLabel,
 		SEKeyHash:  seKeyHash,
 	}
 	metadataBytes, err := json.MarshalIndent(seMetadata, "", "  ")
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal metadata: %w", err)
 	}
 	metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
 	if err := afero.WriteFile(fs, metadataPath, metadataBytes, FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write metadata: %w", err)
 	}
 	return &SecureEnclaveUnlocker{
 		Directory: unlockerDir,
 		Metadata:  seMetadata.UnlockerMetadata,
 		fs:        fs,
 	}, nil
 }
 // getLongTermKeyForSE retrieves the vault's long-term private key
 // either from the mnemonic env var or by unlocking via the current unlocker.
 func getLongTermKeyForSE(
 	fs afero.Fs,
 	vault VaultInterface,
 ) (*memguard.LockedBuffer, error) {
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
 		// Read vault metadata to get the correct derivation index
 		vaultDir, err := vault.GetDirectory()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
 		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 		metadataBytes, err := afero.ReadFile(fs, metadataPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
 		var metadata VaultMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		}
 		// Use mnemonic with the vault's actual derivation index
 		ltIdentity, err := agehd.DeriveIdentity(
 			envMnemonic,
 			metadata.DerivationIndex,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"failed to derive long-term key from mnemonic: %w",
 				err,
 			)
 		}
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
 	}
 	currentUnlocker, err := vault.GetCurrentUnlocker()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
 	currentIdentity, err := currentUnlocker.GetIdentity()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to get current unlocker identity: %w",
 			err,
 		)
 	}
 	// All unlocker types store longterm.age in their directory
 	longtermPath := filepath.Join(
 		currentUnlocker.GetDirectory(),
 		"longterm.age",
 	)
 	encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to read encrypted long-term key: %w",
 			err,
 		)
 	}
 	ltPrivKeyBuffer, err := DecryptWithIdentity(
 		encryptedLtKey,
 		currentIdentity,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
 	}
 	return ltPrivKeyBuffer, nil
 }
--- a/internal/secret/seunlocker_stub.go
+++ b/internal/secret/seunlocker_stub.go
@@ -0,0 +1,84 @@
 //go:build !darwin
 // +build !darwin
 package secret
 import (
 	"fmt"
 	"filippo.io/age"
 	"github.com/spf13/afero"
 )
 var errSENotSupported = fmt.Errorf(
 	"secure enclave unlockers are only supported on macOS",
 )
 // SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
 type SecureEnclaveUnlockerMetadata struct {
 	UnlockerMetadata
 	SEKeyLabel string `json:"seKeyLabel"`
 	SEKeyHash  string `json:"seKeyHash"`
 }
 // SecureEnclaveUnlocker is a stub for non-Darwin platforms.
 type SecureEnclaveUnlocker struct {
 	Directory string
 	Metadata  UnlockerMetadata
 	fs        afero.Fs
 }
 // GetIdentity returns an error on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	return nil, errSENotSupported
 }
 // GetType returns the unlocker type.
 func (s *SecureEnclaveUnlocker) GetType() string {
 	return "secure-enclave"
 }
 // GetMetadata returns the unlocker metadata.
 func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
 	return s.Metadata
 }
 // GetDirectory returns the unlocker directory.
 func (s *SecureEnclaveUnlocker) GetDirectory() string {
 	return s.Directory
 }
 // GetID returns the unlocker ID.
 func (s *SecureEnclaveUnlocker) GetID() string {
 	return fmt.Sprintf(
 		"%s-secure-enclave",
 		s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
 	)
 }
 // Remove returns an error on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) Remove() error {
 	return errSENotSupported
 }
 // NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
 // The returned instance's methods that require macOS functionality will return errors.
 func NewSecureEnclaveUnlocker(
 	fs afero.Fs,
 	directory string,
 	metadata UnlockerMetadata,
 ) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
 // CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
 func CreateSecureEnclaveUnlocker(
 	_ afero.Fs,
 	_ string,
 ) (*SecureEnclaveUnlocker, error) {
 	return nil, errSENotSupported
 }
--- a/internal/secret/seunlocker_stub_test.go
+++ b/internal/secret/seunlocker_stub_test.go
@@ -0,0 +1,90 @@
 //go:build !darwin
 // +build !darwin
 package secret
 import (
 	"testing"
 	"time"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestNewSecureEnclaveUnlocker(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker"
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 		Flags:     []string{"secure-enclave", "macos"},
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
 	// Test GetType returns correct type
 	assert.Equal(t, "secure-enclave", unlocker.GetType())
 	// Test GetMetadata returns the metadata we passed in
 	assert.Equal(t, metadata, unlocker.GetMetadata())
 	// Test GetDirectory returns the directory we passed in
 	assert.Equal(t, dir, unlocker.GetDirectory())
 	// Test GetID returns a formatted string with the creation timestamp
 	expectedID := "2026-01-15.10.30-secure-enclave"
 	assert.Equal(t, expectedID, unlocker.GetID())
 }
 func TestSecureEnclaveUnlockerGetIdentityReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	identity, err := unlocker.GetIdentity()
 	assert.Nil(t, identity)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestSecureEnclaveUnlockerRemoveReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	err := unlocker.Remove()
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestCreateSecureEnclaveUnlockerReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	unlocker, err := CreateSecureEnclaveUnlocker(fs, "/tmp/test")
 	assert.Nil(t, unlocker)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	// Verify the stub implements the Unlocker interface
 	var _ Unlocker = unlocker
 }
--- a/internal/secret/seunlocker_test.go
+++ b/internal/secret/seunlocker_test.go
@@ -0,0 +1,101 @@
 //go:build darwin
 // +build darwin
 package secret
 import (
 	"testing"
 	"time"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestNewSecureEnclaveUnlocker(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker"
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 		Flags:     []string{"secure-enclave", "macos"},
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
 	// Test GetType returns correct type
 	assert.Equal(t, seUnlockerType, unlocker.GetType())
 	// Test GetMetadata returns the metadata we passed in
 	assert.Equal(t, metadata, unlocker.GetMetadata())
 	// Test GetDirectory returns the directory we passed in
 	assert.Equal(t, dir, unlocker.GetDirectory())
 }
 func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	// Verify the darwin implementation implements the Unlocker interface
 	var _ Unlocker = unlocker
 }
 func TestSecureEnclaveUnlockerGetIDFormat(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 3, 10, 14, 30, 0, 0, time.UTC),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	id := unlocker.GetID()
 	// ID should contain the timestamp and "secure-enclave" type
 	assert.Contains(t, id, "2026-03-10.14.30")
 	assert.Contains(t, id, seUnlockerType)
 }
 func TestGenerateSEKeyLabel(t *testing.T) {
 	label, err := generateSEKeyLabel("test-vault")
 	require.NoError(t, err)
 	// Label should contain the prefix and vault name
 	assert.Contains(t, label, seKeyLabelPrefix)
 	assert.Contains(t, label, "test-vault")
 }
 func TestSecureEnclaveUnlockerGetIdentityMissingFile(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker-missing"
 	// Create unlocker directory with metadata but no encrypted key file
 	require.NoError(t, fs.MkdirAll(dir, DirPerms))
 	metadataJSON := `{
 		"type": "secure-enclave",
 		"createdAt": "2026-01-15T10:30:00Z",
 		"seKeyLabel": "berlin.sneak.app.secret.se.test",
 		"seKeyHash": "abc123"
 	}`
 	require.NoError(t, afero.WriteFile(fs, dir+"/unlocker-metadata.json", []byte(metadataJSON), FilePerms))
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	// GetIdentity should fail because the encrypted longterm key file is missing
 	identity, err := unlocker.GetIdentity()
 	assert.Nil(t, identity)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to read SE-encrypted long-term key")
 }
--- a/internal/secret/validation_darwin_test.go
+++ b/internal/secret/validation_darwin_test.go
@@ -0,0 +1,148 @@
 //go:build darwin
 package secret
 import (
 	"testing"
 )
 func TestValidateKeychainItemName(t *testing.T) {
 	tests := []struct {
 		name     string
 		itemName string
 		wantErr  bool
 	}{
 		// Valid cases
 		{
 			name:     "valid simple name",
 			itemName: "my-secret-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with dots",
 			itemName: "com.example.app.key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with underscores",
 			itemName: "my_secret_key_123",
 			wantErr:  false,
 		},
 		{
 			name:     "valid alphanumeric",
 			itemName: "Secret123Key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with hyphen at start",
 			itemName: "-my-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with dot at start",
 			itemName: ".hidden-key",
 			wantErr:  false,
 		},
 		// Invalid cases
 		{
 			name:     "empty item name",
 			itemName: "",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with spaces",
 			itemName: "my secret key",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with semicolon",
 			itemName: "key;rm -rf /",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with pipe",
 			itemName: "key|cat /etc/passwd",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backticks",
 			itemName: "key`whoami`",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with dollar sign",
 			itemName: "key$(whoami)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with quotes",
 			itemName: "key\"name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with single quotes",
 			itemName: "key'name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backslash",
 			itemName: "key\\name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with newline",
 			itemName: "key\nname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with carriage return",
 			itemName: "key\rname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with ampersand",
 			itemName: "key&echo test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with redirect",
 			itemName: "key>/tmp/test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with null byte",
 			itemName: "key\x00name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with parentheses",
 			itemName: "key(test)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with brackets",
 			itemName: "key[test]",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with asterisk",
 			itemName: "key*",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with question mark",
 			itemName: "key?",
 			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateKeychainItemName(tt.itemName)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/secret/validation_test.go
+++ b/internal/secret/validation_test.go
@@ -154,144 +154,3 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
 func TestValidateKeychainItemName(t *testing.T) {
 	tests := []struct {
 		name     string
 		itemName string
 		wantErr  bool
 	}{
 		// Valid cases
 		{
 			name:     "valid simple name",
 			itemName: "my-secret-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with dots",
 			itemName: "com.example.app.key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with underscores",
 			itemName: "my_secret_key_123",
 			wantErr:  false,
 		},
 		{
 			name:     "valid alphanumeric",
 			itemName: "Secret123Key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with hyphen at start",
 			itemName: "-my-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with dot at start",
 			itemName: ".hidden-key",
 			wantErr:  false,
 		},
 		// Invalid cases
 		{
 			name:     "empty item name",
 			itemName: "",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with spaces",
 			itemName: "my secret key",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with semicolon",
 			itemName: "key;rm -rf /",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with pipe",
 			itemName: "key|cat /etc/passwd",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backticks",
 			itemName: "key`whoami`",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with dollar sign",
 			itemName: "key$(whoami)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with quotes",
 			itemName: "key\"name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with single quotes",
 			itemName: "key'name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backslash",
 			itemName: "key\\name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with newline",
 			itemName: "key\nname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with carriage return",
 			itemName: "key\rname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with ampersand",
 			itemName: "key&echo test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with redirect",
 			itemName: "key>/tmp/test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with null byte",
 			itemName: "key\x00name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with parentheses",
 			itemName: "key(test)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with brackets",
 			itemName: "key[test]",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with asterisk",
 			itemName: "key*",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with question mark",
 			itemName: "key?",
 			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateKeychainItemName(tt.itemName)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/secret/version.go
+++ b/internal/secret/version.go
@@ -4,17 +4,22 @@ import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 	"time"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/oklog/ulid/v2"
 	"github.com/spf13/afero"
 )
 const (
 	versionNameParts  = 2
 	maxVersionsPerDay = 999
 )
 // VersionMetadata contains information about a secret version
 type VersionMetadata struct {
 	ID        string     `json:"id"`                  // ULID
@@ -23,8 +28,8 @@ type VersionMetadata struct {
 	NotAfter  *time.Time `json:"notAfter,omitempty"`  // When this version expires (nil = current)
 }
-// SecretVersion represents a version of a secret
+// Version represents a version of a secret
-type SecretVersion struct {
+type Version struct {
 	SecretName string
 	Version    string
 	Directory  string
@@ -32,8 +37,8 @@ type SecretVersion struct {
 	vault      VaultInterface
 }
-// NewSecretVersion creates a new SecretVersion instance
+// NewVersion creates a new Version instance
-func NewSecretVersion(vault VaultInterface, secretName string, version string) *SecretVersion {
+func NewVersion(vault VaultInterface, secretName string, version string) *Version {
 	DebugWith("Creating new secret version instance",
 		slog.String("secret_name", secretName),
 		slog.String("version", version),
@@ -51,7 +56,8 @@ func NewSecretVersion(vault VaultInterface, secretName string, version string) *
 	)
 	now := time.Now()
-	return &SecretVersion{
+
 	return &Version{
 		SecretName: secretName,
 		Version:    version,
 		Directory:  versionDir,
@@ -83,23 +89,32 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
 	prefix := today + "."
 	for _, entry := range entries {
-		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
+		// Skip non-directories and those without correct prefix
 		if !entry.IsDir() || !strings.HasPrefix(entry.Name(), prefix) {
 			continue
 		}
 		// Extract serial number
 		parts := strings.Split(entry.Name(), ".")
-			if len(parts) == 2 {
+		if len(parts) != versionNameParts {
 			continue
 		}
 		var serial int
-				if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err == nil {
+		if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err != nil {
 			Warn("Skipping malformed version directory name", "name", entry.Name(), "error", err)
 			continue
 		}
 		if serial > maxSerial {
 			maxSerial = serial
 		}
 	}
 			}
 		}
 	}
 	// Generate new version name
 	newSerial := maxSerial + 1
-	if newSerial > 999 {
+	if newSerial > maxVersionsPerDay {
 		return "", fmt.Errorf("exceeded maximum versions per day (999)")
 	}
@@ -107,11 +122,15 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
 }
 // Save saves the version metadata and value
-func (sv *SecretVersion) Save(value []byte) error {
+func (sv *Version) Save(value *memguard.LockedBuffer) error {
 	if value == nil {
 		return fmt.Errorf("value buffer is nil")
 	}
 	DebugWith("Saving secret version",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
-		slog.Int("value_length", len(value)),
+		slog.Int("value_length", value.Size()),
 	)
 	fs := sv.vault.GetFilesystem()
@@ -119,6 +138,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	// Create version directory
 	if err := fs.MkdirAll(sv.Directory, DirPerms); err != nil {
 		Debug("Failed to create version directory", "error", err, "dir", sv.Directory)
 		return fmt.Errorf("failed to create version directory: %w", err)
 	}
@@ -127,11 +147,14 @@ func (sv *SecretVersion) Save(value []byte) error {
 	versionIdentity, err := age.GenerateX25519Identity()
 	if err != nil {
 		Debug("Failed to generate version keypair", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to generate version keypair: %w", err)
 	}
 	versionPublicKey := versionIdentity.Recipient().String()
-	versionPrivateKey := versionIdentity.String()
+	// Store private key in memguard buffer immediately
 	versionPrivateKeyBuffer := memguard.NewBufferFromBytes([]byte(versionIdentity.String()))
 	defer versionPrivateKeyBuffer.Destroy()
 	DebugWith("Generated version keypair",
 		slog.String("version", sv.Version),
@@ -143,6 +166,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	Debug("Writing version public key", "path", pubKeyPath)
 	if err := afero.WriteFile(fs, pubKeyPath, []byte(versionPublicKey), FilePerms); err != nil {
 		Debug("Failed to write version public key", "error", err, "path", pubKeyPath)
 		return fmt.Errorf("failed to write version public key: %w", err)
 	}
@@ -151,6 +175,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	encryptedValue, err := EncryptToRecipient(value, versionIdentity.Recipient())
 	if err != nil {
 		Debug("Failed to encrypt version value", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version value: %w", err)
 	}
@@ -159,6 +184,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	Debug("Writing encrypted version value", "path", valuePath)
 	if err := afero.WriteFile(fs, valuePath, encryptedValue, FilePerms); err != nil {
 		Debug("Failed to write encrypted version value", "error", err, "path", valuePath)
 		return fmt.Errorf("failed to write encrypted version value: %w", err)
 	}
@@ -170,6 +196,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	ltPubKeyData, err := afero.ReadFile(fs, ltPubKeyPath)
 	if err != nil {
 		Debug("Failed to read long-term public key", "error", err, "path", ltPubKeyPath)
 		return fmt.Errorf("failed to read long-term public key: %w", err)
 	}
@@ -177,14 +204,16 @@ func (sv *SecretVersion) Save(value []byte) error {
 	ltRecipient, err := age.ParseX25519Recipient(string(ltPubKeyData))
 	if err != nil {
 		Debug("Failed to parse long-term public key", "error", err)
 		return fmt.Errorf("failed to parse long-term public key: %w", err)
 	}
 	// Step 6: Encrypt the version's private key to the long-term public key
 	Debug("Encrypting version private key to long-term public key", "version", sv.Version)
-	encryptedPrivKey, err := EncryptToRecipient([]byte(versionPrivateKey), ltRecipient)
+	encryptedPrivKey, err := EncryptToRecipient(versionPrivateKeyBuffer, ltRecipient)
 	if err != nil {
 		Debug("Failed to encrypt version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version private key: %w", err)
 	}
@@ -193,6 +222,7 @@ func (sv *SecretVersion) Save(value []byte) error {
 	Debug("Writing encrypted version private key", "path", privKeyPath)
 	if err := afero.WriteFile(fs, privKeyPath, encryptedPrivKey, FilePerms); err != nil {
 		Debug("Failed to write encrypted version private key", "error", err, "path", privKeyPath)
 		return fmt.Errorf("failed to write encrypted version private key: %w", err)
 	}
@@ -201,13 +231,18 @@ func (sv *SecretVersion) Save(value []byte) error {
 	metadataBytes, err := json.MarshalIndent(sv.Metadata, "", "  ")
 	if err != nil {
 		Debug("Failed to marshal version metadata", "error", err)
 		return fmt.Errorf("failed to marshal version metadata: %w", err)
 	}
 	// Encrypt metadata to the version's public key
-	encryptedMetadata, err := EncryptToRecipient(metadataBytes, versionIdentity.Recipient())
+	metadataBuffer := memguard.NewBufferFromBytes(metadataBytes)
 	defer metadataBuffer.Destroy()
 	encryptedMetadata, err := EncryptToRecipient(metadataBuffer, versionIdentity.Recipient())
 	if err != nil {
 		Debug("Failed to encrypt version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to encrypt version metadata: %w", err)
 	}
@@ -215,15 +250,17 @@ func (sv *SecretVersion) Save(value []byte) error {
 	Debug("Writing encrypted version metadata", "path", metadataPath)
 	if err := afero.WriteFile(fs, metadataPath, encryptedMetadata, FilePerms); err != nil {
 		Debug("Failed to write encrypted version metadata", "error", err, "path", metadataPath)
 		return fmt.Errorf("failed to write encrypted version metadata: %w", err)
 	}
 	Debug("Successfully saved secret version", "version", sv.Version, "secret_name", sv.SecretName)
 	return nil
 }
 // LoadMetadata loads and decrypts the version metadata
-func (sv *SecretVersion) LoadMetadata(ltIdentity *age.X25519Identity) error {
+func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	DebugWith("Loading version metadata",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
@@ -236,20 +273,24 @@ func (sv *SecretVersion) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted version private key", "error", err, "path", encryptedPrivKeyPath)
 		return fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
 	// Step 2: Decrypt version private key using long-term key
-	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
 	defer versionPrivKeyBuffer.Destroy()
 	// Step 3: Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
@@ -258,30 +299,35 @@ func (sv *SecretVersion) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	encryptedMetadata, err := afero.ReadFile(fs, encryptedMetadataPath)
 	if err != nil {
 		Debug("Failed to read encrypted version metadata", "error", err, "path", encryptedMetadataPath)
 		return fmt.Errorf("failed to read encrypted version metadata: %w", err)
 	}
 	// Step 5: Decrypt metadata using version key
-	metadataBytes, err := DecryptWithIdentity(encryptedMetadata, versionIdentity)
+	metadataBuffer, err := DecryptWithIdentity(encryptedMetadata, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to decrypt version metadata: %w", err)
 	}
 	defer metadataBuffer.Destroy()
 	// Step 6: Unmarshal metadata
 	var metadata VersionMetadata
-	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+	if err := json.Unmarshal(metadataBuffer.Bytes(), &metadata); err != nil {
 		Debug("Failed to unmarshal version metadata", "error", err, "version", sv.Version)
 		return fmt.Errorf("failed to unmarshal version metadata: %w", err)
 	}
 	sv.Metadata = metadata
 	Debug("Successfully loaded version metadata", "version", sv.Version)
 	return nil
 }
 // GetValue retrieves and decrypts the version value
-func (sv *SecretVersion) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
+func (sv *Version) GetValue(ltIdentity *age.X25519Identity) (*memguard.LockedBuffer, error) {
 	DebugWith("Getting version value",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
@@ -302,23 +348,27 @@ func (sv *SecretVersion) GetValue(ltIdentity *age.X25519Identity) ([]byte, error
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
 	if err != nil {
 		Debug("Failed to read encrypted version private key", "error", err, "path", encryptedPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted version private key: %w", err)
 	}
 	Debug("Successfully read encrypted version private key", "path", encryptedPrivKeyPath, "size", len(encryptedPrivKey))
 	// Step 2: Decrypt version private key using long-term key
 	Debug("Decrypting version private key with long-term identity", "version", sv.Version)
-	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
-	Debug("Successfully decrypted version private key", "version", sv.Version, "size", len(versionPrivKeyData))
+	defer versionPrivKeyBuffer.Destroy()
 	Debug("Successfully decrypted version private key", "version", sv.Version, "size", versionPrivKeyBuffer.Size())
 	// Step 3: Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to parse version private key: %w", err)
 	}
@@ -328,23 +378,26 @@ func (sv *SecretVersion) GetValue(ltIdentity *age.X25519Identity) ([]byte, error
 	encryptedValue, err := afero.ReadFile(fs, encryptedValuePath)
 	if err != nil {
 		Debug("Failed to read encrypted version value", "error", err, "path", encryptedValuePath)
 		return nil, fmt.Errorf("failed to read encrypted version value: %w", err)
 	}
 	Debug("Successfully read encrypted value", "path", encryptedValuePath, "size", len(encryptedValue))
 	// Step 5: Decrypt value using version key
 	Debug("Decrypting value with version identity", "version", sv.Version)
-	value, err := DecryptWithIdentity(encryptedValue, versionIdentity)
+	valueBuffer, err := DecryptWithIdentity(encryptedValue, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version value", "error", err, "version", sv.Version)
 		return nil, fmt.Errorf("failed to decrypt version value: %w", err)
 	}
 	Debug("Successfully retrieved version value",
 		"version", sv.Version,
-		"value_length", len(value),
+		"value_length", valueBuffer.Size(),
-		"is_empty", len(value) == 0)
+		"is_empty", valueBuffer.Size() == 0)
-	return value, nil
+
 	return valueBuffer, nil
 }
 // ListVersions lists all versions of a secret
@@ -379,58 +432,32 @@ func ListVersions(fs afero.Fs, secretDir string) ([]string, error) {
 	return versions, nil
 }
-// GetCurrentVersion returns the version that the "current" symlink points to
+// GetCurrentVersion returns the version that the "current" file points to
 // The file contains just the version name (e.g., "20231215.001")
 func GetCurrentVersion(fs afero.Fs, secretDir string) (string, error) {
 	currentPath := filepath.Join(secretDir, "current")
 	// Try to read as a real symlink first
 	if _, ok := fs.(*afero.OsFs); ok {
 		target, err := os.Readlink(currentPath)
 		if err == nil {
 			// Extract version from path (e.g., "versions/20231215.001" -> "20231215.001")
 			parts := strings.Split(target, "/")
 			if len(parts) >= 2 && parts[0] == "versions" {
 				return parts[1], nil
 			}
 			return "", fmt.Errorf("invalid current version symlink format: %s", target)
 		}
 	}
 	// Fall back to reading as a file (for MemMapFs testing)
 	fileData, err := afero.ReadFile(fs, currentPath)
 	if err != nil {
-		return "", fmt.Errorf("failed to read current version symlink: %w", err)
+		return "", fmt.Errorf("failed to read current version file: %w", err)
 	}
-	target := strings.TrimSpace(string(fileData))
+	version := strings.TrimSpace(string(fileData))
-	// Extract version from path
+	return version, nil
 	parts := strings.Split(target, "/")
 	if len(parts) >= 2 && parts[0] == "versions" {
 		return parts[1], nil
 	}
 	return "", fmt.Errorf("invalid current version symlink format: %s", target)
 }
-// SetCurrentVersion updates the "current" symlink to point to a specific version
+// SetCurrentVersion updates the "current" file to point to a specific version
 // The file contains just the version name (e.g., "20231215.001")
 func SetCurrentVersion(fs afero.Fs, secretDir string, version string) error {
 	currentPath := filepath.Join(secretDir, "current")
 	targetPath := filepath.Join("versions", version)
-	// Remove existing symlink if it exists
+	// Remove existing file if it exists
 	_ = fs.Remove(currentPath)
-	// Try to create a real symlink first (works on Unix systems)
+	// Write just the version name to the file
-	if _, ok := fs.(*afero.OsFs); ok {
+	if err := afero.WriteFile(fs, currentPath, []byte(version), FilePerms); err != nil {
-		if err := os.Symlink(targetPath, currentPath); err == nil {
+		return fmt.Errorf("failed to create current version file: %w", err)
 			return nil
 		}
 	}
 	// Fall back to creating a file with the target path (for MemMapFs testing)
 	if err := afero.WriteFile(fs, currentPath, []byte(targetPath), FilePerms); err != nil {
 		return fmt.Errorf("failed to create current version symlink: %w", err)
 	}
 	return nil
--- a/internal/secret/version_test.go
+++ b/internal/secret/version_test.go
@@ -4,7 +4,7 @@
 //
 // - TestGenerateVersionName: Tests version name generation with date and serial format
 // - TestGenerateVersionNameMaxSerial: Tests the 999 versions per day limit
-// - TestNewSecretVersion: Tests secret version object creation
+// - TestNewVersion: Tests secret version object creation
 // - TestSecretVersionSave: Tests saving a version with encryption
 // - TestSecretVersionLoadMetadata: Tests loading and decrypting version metadata
 // - TestSecretVersionGetValue: Tests retrieving and decrypting version values
@@ -41,6 +41,7 @@ import (
 	"time"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -58,7 +59,7 @@ func (m *MockVersionVault) GetDirectory() (string, error) {
 	return filepath.Join(m.stateDir, "vaults.d", m.Name), nil
 }
-func (m *MockVersionVault) AddSecret(name string, value []byte, force bool) error {
+func (m *MockVersionVault) AddSecret(_ string, _ *memguard.LockedBuffer, _ bool) error {
 	return fmt.Errorf("not implemented in mock")
 }
@@ -74,7 +75,7 @@ func (m *MockVersionVault) GetCurrentUnlocker() (Unlocker, error) {
 	return nil, fmt.Errorf("not implemented in mock")
 }
-func (m *MockVersionVault) CreatePassphraseUnlocker(passphrase string) (*PassphraseUnlocker, error) {
+func (m *MockVersionVault) CreatePassphraseUnlocker(_ *memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	return nil, fmt.Errorf("not implemented in mock")
 }
@@ -89,7 +90,7 @@ func TestGenerateVersionName(t *testing.T) {
 	// Create the version directory
 	versionDir := filepath.Join(secretDir, "versions", version1)
-	err = fs.MkdirAll(versionDir, 0755)
+	err = fs.MkdirAll(versionDir, 0o755)
 	require.NoError(t, err)
 	// Test second version generation on same day
@@ -111,7 +112,7 @@ func TestGenerateVersionNameMaxSerial(t *testing.T) {
 	today := time.Now().Format("20060102")
 	for i := 1; i <= 999; i++ {
 		versionName := fmt.Sprintf("%s.%03d", today, i)
-		err := fs.MkdirAll(filepath.Join(versionsDir, versionName), 0755)
+		err := fs.MkdirAll(filepath.Join(versionsDir, versionName), 0o755)
 		require.NoError(t, err)
 	}
@@ -121,7 +122,7 @@ func TestGenerateVersionNameMaxSerial(t *testing.T) {
 	assert.Contains(t, err.Error(), "exceeded maximum versions per day")
 }
-func TestNewSecretVersion(t *testing.T) {
+func TestNewVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	vault := &MockVersionVault{
 		Name:     "test",
@@ -129,7 +130,7 @@ func TestNewSecretVersion(t *testing.T) {
 		stateDir: "/test",
 	}
-	sv := NewSecretVersion(vault, "test/secret", "20231215.001")
+	sv := NewVersion(vault, "test/secret", "20231215.001")
 	assert.Equal(t, "test/secret", sv.SecretName)
 	assert.Equal(t, "20231215.001", sv.Version)
@@ -148,7 +149,7 @@ func TestSecretVersionSave(t *testing.T) {
 	// Create vault directory structure and long-term key
 	vaultDir, _ := vault.GetDirectory()
-	err := fs.MkdirAll(vaultDir, 0755)
+	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	// Generate and store long-term public key
@@ -157,14 +158,16 @@ func TestSecretVersionSave(t *testing.T) {
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version
-	sv := NewSecretVersion(vault, "test/secret", "20231215.001")
+	sv := NewVersion(vault, "test/secret", "20231215.001")
 	testValue := []byte("test-secret-value")
-	err = sv.Save(testValue)
+	testBuffer := memguard.NewBufferFromBytes(testValue)
 	defer testBuffer.Destroy()
 	err = sv.Save(testBuffer)
 	require.NoError(t, err)
 	// Verify files were created
@@ -184,7 +187,7 @@ func TestSecretVersionLoadMetadata(t *testing.T) {
 	// Setup vault with long-term key
 	vaultDir, _ := vault.GetDirectory()
-	err := fs.MkdirAll(vaultDir, 0755)
+	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	ltIdentity, err := age.GenerateX25519Identity()
@@ -192,21 +195,23 @@ func TestSecretVersionLoadMetadata(t *testing.T) {
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version with custom metadata
-	sv := NewSecretVersion(vault, "test/secret", "20231215.001")
+	sv := NewVersion(vault, "test/secret", "20231215.001")
 	now := time.Now()
 	epochPlusOne := time.Unix(1, 0)
 	sv.Metadata.NotBefore = &epochPlusOne
 	sv.Metadata.NotAfter = &now
-	err = sv.Save([]byte("test-value"))
+	testBuffer := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer testBuffer.Destroy()
 	err = sv.Save(testBuffer)
 	require.NoError(t, err)
 	// Create new version object and load metadata
-	sv2 := NewSecretVersion(vault, "test/secret", "20231215.001")
+	sv2 := NewVersion(vault, "test/secret", "20231215.001")
 	err = sv2.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
@@ -227,7 +232,7 @@ func TestSecretVersionGetValue(t *testing.T) {
 	// Setup vault with long-term key
 	vaultDir, _ := vault.GetDirectory()
-	err := fs.MkdirAll(vaultDir, 0755)
+	err := fs.MkdirAll(vaultDir, 0o755)
 	require.NoError(t, err)
 	ltIdentity, err := age.GenerateX25519Identity()
@@ -235,21 +240,26 @@ func TestSecretVersionGetValue(t *testing.T) {
 	vault.longTermKey = ltIdentity
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Create and save a version
-	sv := NewSecretVersion(vault, "test/secret", "20231215.001")
+	sv := NewVersion(vault, "test/secret", "20231215.001")
 	originalValue := []byte("test-secret-value-12345")
 	expectedValue := make([]byte, len(originalValue))
 	copy(expectedValue, originalValue)
-	err = sv.Save(originalValue)
+	originalBuffer := memguard.NewBufferFromBytes(originalValue)
 	defer originalBuffer.Destroy()
 	err = sv.Save(originalBuffer)
 	require.NoError(t, err)
 	// Retrieve the value
-	retrievedValue, err := sv.GetValue(ltIdentity)
+	retrievedBuffer, err := sv.GetValue(ltIdentity)
 	require.NoError(t, err)
 	defer retrievedBuffer.Destroy()
-	assert.Equal(t, originalValue, retrievedValue)
+	assert.Equal(t, expectedValue, retrievedBuffer.Bytes())
 }
 func TestListVersions(t *testing.T) {
@@ -265,12 +275,12 @@ func TestListVersions(t *testing.T) {
 	// Create some versions
 	testVersions := []string{"20231215.001", "20231215.002", "20231216.001", "20231214.001"}
 	for _, v := range testVersions {
-		err := fs.MkdirAll(filepath.Join(versionsDir, v), 0755)
+		err := fs.MkdirAll(filepath.Join(versionsDir, v), 0o755)
 		require.NoError(t, err)
 	}
 	// Create a file (not directory) that should be ignored
-	err = afero.WriteFile(fs, filepath.Join(versionsDir, "ignore.txt"), []byte("test"), 0600)
+	err = afero.WriteFile(fs, filepath.Join(versionsDir, "ignore.txt"), []byte("test"), 0o600)
 	require.NoError(t, err)
 	// List versions
@@ -286,12 +296,12 @@ func TestGetCurrentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
-	// Simulate symlink with file content (works for both OsFs and MemMapFs)
+	// The current file contains just the version name
 	currentPath := filepath.Join(secretDir, "current")
-	err := fs.MkdirAll(secretDir, 0755)
+	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
-	err = afero.WriteFile(fs, currentPath, []byte("versions/20231216.001"), 0600)
+	err = afero.WriteFile(fs, currentPath, []byte("20231216.001"), 0o600)
 	require.NoError(t, err)
 	version, err := GetCurrentVersion(fs, secretDir)
@@ -303,7 +313,7 @@ func TestSetCurrentVersion(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	secretDir := "/test/secret"
-	err := fs.MkdirAll(secretDir, 0755)
+	err := fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Set current version
--- a/internal/vault/integration_test.go
+++ b/internal/vault/integration_test.go
@@ -8,16 +8,13 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 func TestVaultWithRealFilesystem(t *testing.T) {
 	// Create a temporary directory for our tests
-	tempDir, err := os.MkdirTemp("", "secret-test-")
+	tempDir := t.TempDir()
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
 	defer os.RemoveAll(tempDir) // Clean up after test
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -25,33 +22,14 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test mnemonic
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Save original environment variables
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
 	// Set test environment variables
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
-	// Clean up after test
+	// Test currentvault file handling (plain file with relative path)
-	defer func() {
+	t.Run("CurrentVaultFileHandling", func(t *testing.T) {
-		if oldMnemonic != "" {
+		stateDir := filepath.Join(tempDir, "currentvault-test")
-			os.Setenv(secret.EnvMnemonic, oldMnemonic)
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Test symlink handling
 	t.Run("SymlinkHandling", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "symlink-test")
 		if err := os.MkdirAll(stateDir, 0700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -67,38 +45,33 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 			t.Fatalf("Failed to get vault directory: %v", err)
 		}
-		// Create a symlink to the vault directory in a different location
+		// Verify the currentvault file exists and contains just the vault name
-		symlinkPath := filepath.Join(tempDir, "test-symlink")
+		currentVaultPath := filepath.Join(stateDir, "currentvault")
-		if err := os.Symlink(vaultDir, symlinkPath); err != nil {
+		currentVaultContents, err := os.ReadFile(currentVaultPath)
-			t.Fatalf("Failed to create symlink: %v", err)
+		if err != nil {
 			t.Fatalf("Failed to read currentvault file: %v", err)
 		}
-		// Test that we can resolve the symlink correctly
+		expectedVaultName := "test-vault"
-		resolvedPath, err := vault.ResolveVaultSymlink(fs, symlinkPath)
+		if string(currentVaultContents) != expectedVaultName {
-		if err != nil {
+			t.Errorf("Expected currentvault to contain %q, got %q", expectedVaultName, string(currentVaultContents))
 			t.Fatalf("Failed to resolve symlink: %v", err)
 		}
-		// On some platforms, the resolved path might have different case or format
+		// Test that ResolveVaultSymlink correctly resolves the path
-		// We'll use filepath.EvalSymlinks to get the canonical path for comparison
+		resolvedPath, err := vault.ResolveVaultSymlink(fs, currentVaultPath)
 		expectedPath, err := filepath.EvalSymlinks(vaultDir)
 		if err != nil {
-			t.Fatalf("Failed to evaluate symlink: %v", err)
+			t.Fatalf("Failed to resolve currentvault path: %v", err)
 		}
 		actualPath, err := filepath.EvalSymlinks(resolvedPath)
 		if err != nil {
 			t.Fatalf("Failed to evaluate resolved path: %v", err)
 		}
-		if actualPath != expectedPath {
+		if resolvedPath != vaultDir {
-			t.Errorf("Expected symlink to resolve to %s, got %s", expectedPath, actualPath)
+			t.Errorf("Expected resolved path to be %s, got %s", vaultDir, resolvedPath)
 		}
 	})
 	// Test secret operations with deeply nested paths
 	t.Run("DeepPathSecrets", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "deep-path-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -130,8 +103,13 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		// Create a secret with a deeply nested path
 		deepPath := "api/credentials/production/database/primary"
 		secretValue := []byte("supersecretdbpassword")
 		expectedValue := make([]byte, len(secretValue))
 		copy(expectedValue, secretValue)
-		err = vlt.AddSecret(deepPath, secretValue, false)
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		err = vlt.AddSecret(deepPath, secretBuffer, false)
 		if err != nil {
 			t.Fatalf("Failed to add secret with deep path: %v", err)
 		}
@@ -160,16 +138,16 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 			t.Fatalf("Failed to retrieve deep path secret: %v", err)
 		}
-		if string(retrievedValue) != string(secretValue) {
+		if string(retrievedValue) != string(expectedValue) {
 			t.Errorf("Retrieved value doesn't match. Expected %q, got %q",
-				string(secretValue), string(retrievedValue))
+				string(expectedValue), string(retrievedValue))
 		}
 	})
 	// Test key caching in GetOrDeriveLongTermKey
 	t.Run("KeyCaching", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "key-cache-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -251,7 +229,7 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test vault name validation
 	t.Run("VaultNameValidation", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "name-validation-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -291,7 +269,7 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test multiple vaults and switching between them
 	t.Run("MultipleVaults", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "multi-vault-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -336,7 +314,7 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 	// Test adding a secret in one vault and verifying it's not visible in another
 	t.Run("VaultIsolation", func(t *testing.T) {
 		stateDir := filepath.Join(tempDir, "isolation-test")
-		if err := os.MkdirAll(stateDir, 0700); err != nil {
+		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			t.Fatalf("Failed to create state dir: %v", err)
 		}
@@ -391,7 +369,11 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		// Add a secret to vault1
 		secretName := "test-secret"
 		secretValue := []byte("secret in vault1")
-		if err := vault1.AddSecret(secretName, secretValue, false); err != nil {
+
 		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		if err := vault1.AddSecret(secretName, secretBuffer, false); err != nil {
 			t.Fatalf("Failed to add secret to vault1: %v", err)
 		}
--- a/internal/vault/integration_version_test.go
+++ b/internal/vault/integration_version_test.go
@@ -29,18 +29,30 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecret(t *testing.T, vault *Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vault.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // TestVersionIntegrationWorkflow tests the complete version workflow
 func TestVersionIntegrationWorkflow(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Set mnemonic for testing
-	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+	t.Setenv(secret.EnvMnemonic,
 		"abandon abandon abandon abandon abandon abandon "+
 			"abandon abandon abandon abandon abandon about")
 	// Create vault
 	vault, err := CreateVault(fs, stateDir, "test")
@@ -54,7 +66,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 	// Store long-term public key in vault
 	vaultDir, _ := vault.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Unlock the vault
@@ -64,8 +76,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 	// Step 1: Create initial version
 	t.Run("create_initial_version", func(t *testing.T) {
-		err := vault.AddSecret(secretName, []byte("version-1-data"), false)
+		addTestSecret(t, vault, secretName, []byte("version-1-data"), false)
 		require.NoError(t, err)
 		// Verify secret can be retrieved
 		value, err := vault.GetSecret(secretName)
@@ -84,7 +95,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		assert.Equal(t, versions[0], currentVersion)
 		// Verify metadata
-		version := secret.NewSecretVersion(vault, secretName, versions[0])
+		version := secret.NewVersion(vault, secretName, versions[0])
 		err = version.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, version.Metadata.CreatedAt)
@@ -106,8 +117,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		firstVersionName = versions[0]
 		// Create second version
-		err = vault.AddSecret(secretName, []byte("version-2-data"), true)
+		addTestSecret(t, vault, secretName, []byte("version-2-data"), true)
 		require.NoError(t, err)
 		// Verify new value is current
 		value, err := vault.GetSecret(secretName)
@@ -120,13 +130,13 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		assert.Len(t, versions, 2)
 		// Verify first version metadata was updated with notAfter
-		firstVersion := secret.NewSecretVersion(vault, secretName, firstVersionName)
+		firstVersion := secret.NewVersion(vault, secretName, firstVersionName)
 		err = firstVersion.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, firstVersion.Metadata.NotAfter)
 		// Verify second version metadata
-		secondVersion := secret.NewSecretVersion(vault, secretName, versions[0])
+		secondVersion := secret.NewVersion(vault, secretName, versions[0])
 		err = secondVersion.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, secondVersion.Metadata.NotBefore)
@@ -140,8 +150,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 	t.Run("create_third_version", func(t *testing.T) {
 		time.Sleep(10 * time.Millisecond)
-		err := vault.AddSecret(secretName, []byte("version-3-data"), true)
+		addTestSecret(t, vault, secretName, []byte("version-3-data"), true)
 		require.NoError(t, err)
 		// Verify we now have three versions
 		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
@@ -199,7 +208,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		// Verify the version metadata hasn't changed
 		// (promoting shouldn't modify timestamps)
-		version := secret.NewSecretVersion(vault, secretName, oldestVersion)
+		version := secret.NewVersion(vault, secretName, oldestVersion)
 		err = version.LoadMetadata(ltIdentity)
 		require.NoError(t, err)
 		assert.NotNil(t, version.Metadata.NotAfter) // should still have its old notAfter
@@ -212,8 +221,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		secretDir := filepath.Join(vaultDir, "secrets.d", "limit%test", "versions")
 		// Create 998 versions (we already have one from the first AddSecret)
-		err := vault.AddSecret(limitSecretName, []byte("initial"), false)
+		addTestSecret(t, vault, limitSecretName, []byte("initial"), false)
 		require.NoError(t, err)
 		// Get today's date for consistent version names
 		today := time.Now().Format("20060102")
@@ -222,7 +230,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		for i := 2; i <= 998; i++ {
 			versionName := fmt.Sprintf("%s.%03d", today, i)
 			versionDir := filepath.Join(secretDir, versionName)
-			err := fs.MkdirAll(versionDir, 0755)
+			err := fs.MkdirAll(versionDir, 0o755)
 			require.NoError(t, err)
 		}
@@ -232,7 +240,7 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		assert.Equal(t, fmt.Sprintf("%s.999", today), versionName)
 		// Create the 999th version directory
-		err = fs.MkdirAll(filepath.Join(secretDir, versionName), 0755)
+		err = fs.MkdirAll(filepath.Join(secretDir, versionName), 0o755)
 		require.NoError(t, err)
 		// Should fail to create 1000th version
@@ -253,7 +261,9 @@ func TestVersionIntegrationWorkflow(t *testing.T) {
 		assert.Error(t, err)
 		// Try to add secret without force when it exists
-		err = vault.AddSecret(secretName, []byte("should-fail"), false)
+		failBuffer := memguard.NewBufferFromBytes([]byte("should-fail"))
 		defer failBuffer.Destroy()
 		err = vault.AddSecret(secretName, failBuffer, false)
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), "already exists")
 	})
@@ -270,15 +280,14 @@ func TestVersionConcurrency(t *testing.T) {
 	secretName := "concurrent/test"
 	// Create initial version
-	err := vault.AddSecret(secretName, []byte("initial"), false)
+	addTestSecret(t, vault, secretName, []byte("initial"), false)
 	require.NoError(t, err)
 	// Test concurrent reads
 	t.Run("concurrent_reads", func(t *testing.T) {
 		done := make(chan bool, 10)
 		errors := make(chan error, 10)
-		for i := 0; i < 10; i++ {
+		for range 10 {
 			go func() {
 				value, err := vault.GetSecret(secretName)
 				if err != nil {
@@ -291,7 +300,7 @@ func TestVersionConcurrency(t *testing.T) {
 		}
 		// Wait for all goroutines
-		for i := 0; i < 10; i++ {
+		for range 10 {
 			<-done
 		}
@@ -319,17 +328,19 @@ func TestVersionCompatibility(t *testing.T) {
 	secretName := "legacy/secret"
 	vaultDir, _ := vault.GetDirectory()
 	secretDir := filepath.Join(vaultDir, "secrets.d", "legacy%secret")
-	err = fs.MkdirAll(secretDir, 0755)
+	err = fs.MkdirAll(secretDir, 0o755)
 	require.NoError(t, err)
 	// Create old-style encrypted value directly in secret directory
 	testValue := []byte("legacy-value")
 	testValueBuffer := memguard.NewBufferFromBytes(testValue)
 	defer testValueBuffer.Destroy()
 	ltRecipient := ltIdentity.Recipient()
-	encrypted, err := secret.EncryptToRecipient(testValue, ltRecipient)
+	encrypted, err := secret.EncryptToRecipient(testValueBuffer, ltRecipient)
 	require.NoError(t, err)
 	valuePath := filepath.Join(secretDir, "value.age")
-	err = afero.WriteFile(fs, valuePath, encrypted, 0600)
+	err = afero.WriteFile(fs, valuePath, encrypted, 0o600)
 	require.NoError(t, err)
 	// Should fail to get with version-aware methods
--- a/internal/vault/management.go
+++ b/internal/vault/management.go
@@ -1,3 +1,4 @@
 // Package vault provides functionality for managing encrypted vaults.
 package vault
 import (
@@ -5,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
@@ -26,83 +28,33 @@ func isValidVaultName(name string) bool {
 		return false
 	}
 	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_]+$`, name)
 	return matched
 }
-// ResolveVaultSymlink resolves the currentvault symlink by reading either the symlink target or file contents
+// ResolveVaultSymlink reads the currentvault file to get the path to the current vault
-// This function is designed to work on both Unix and Windows systems, as well as with in-memory filesystems
+// The file contains just the vault name (e.g., "default")
-func ResolveVaultSymlink(fs afero.Fs, symlinkPath string) (string, error) {
+func ResolveVaultSymlink(fs afero.Fs, currentVaultPath string) (string, error) {
-	secret.Debug("resolveVaultSymlink starting", "symlink_path", symlinkPath)
+	secret.Debug("resolveVaultSymlink starting", "path", currentVaultPath)
-	// First try to handle the path as a real symlink (works on Unix systems)
+	fileData, err := afero.ReadFile(fs, currentVaultPath)
 	if _, ok := fs.(*afero.OsFs); ok {
 		secret.Debug("Using real filesystem symlink resolution")
 		// Check if the symlink exists
 		secret.Debug("Checking symlink target", "symlink_path", symlinkPath)
 		target, err := os.Readlink(symlinkPath)
 		if err == nil {
 			secret.Debug("Symlink points to", "target", target)
 			// On real filesystem, we need to handle relative symlinks
 			// by resolving them relative to the symlink's directory
 			if !filepath.IsAbs(target) {
 				// Get the current directory before changing
 				originalDir, err := os.Getwd()
 	if err != nil {
-					return "", fmt.Errorf("failed to get current directory: %w", err)
+		secret.Debug("Failed to read currentvault file", "error", err)
 				}
 				secret.Debug("Got current directory", "original_dir", originalDir)
-				// Change to the symlink's directory
+		return "", fmt.Errorf("failed to read currentvault file: %w", err)
 				symlinkDir := filepath.Dir(symlinkPath)
 				secret.Debug("Changing to symlink directory", "symlink_path", symlinkDir)
 				secret.Debug("About to call os.Chdir - this might hang if symlink is broken")
 				if err := os.Chdir(symlinkDir); err != nil {
 					return "", fmt.Errorf("failed to change to symlink directory: %w", err)
 				}
 				secret.Debug("Changed to symlink directory successfully - os.Chdir completed")
 				// Get the absolute path of the target
 				secret.Debug("Getting absolute path of current directory")
 				absolutePath, err := os.Getwd()
 				if err != nil {
 					// Try to restore original directory before returning error
 					_ = os.Chdir(originalDir)
 					return "", fmt.Errorf("failed to get absolute path: %w", err)
 				}
 				secret.Debug("Got absolute path", "absolute_path", absolutePath)
 				// Restore the original directory
 				secret.Debug("Restoring original directory", "original_dir", originalDir)
 				if err := os.Chdir(originalDir); err != nil {
 					return "", fmt.Errorf("failed to restore original directory: %w", err)
 				}
 				secret.Debug("Restored original directory successfully")
 				// Use the absolute path of the target
 				target = absolutePath
 	}
-			secret.Debug("resolveVaultSymlink completed successfully", "result", target)
+	// The file contains just the vault name like "default"
-			return target, nil
+	vaultName := strings.TrimSpace(string(fileData))
-		}
+	secret.Debug("Read vault name from file", "vault_name", vaultName)
 	}
-	// Fallback: treat it as a regular file containing the target path
+	// Resolve to absolute path: stateDir/vaults.d/vaultName
-	secret.Debug("Fallback: trying to read regular file with target path")
+	stateDir := filepath.Dir(currentVaultPath)
 	absolutePath := filepath.Join(stateDir, "vaults.d", vaultName)
-	fileData, err := afero.ReadFile(fs, symlinkPath)
+	secret.Debug("Resolved to absolute path", "absolute_path", absolutePath)
 	if err != nil {
 		secret.Debug("Failed to read target path file", "error", err)
 		return "", fmt.Errorf("failed to read vault symlink: %w", err)
 	}
-	target := string(fileData)
+	return absolutePath, nil
 	secret.Debug("Read target path from file", "target", target)
 	secret.Debug("resolveVaultSymlink completed via fallback", "result", target)
 	return target, nil
 }
 // GetCurrentVault gets the current vault from the file system
@@ -116,6 +68,7 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (*Vault, error) {
 	_, err := fs.Stat(currentVaultPath)
 	if err != nil {
 		secret.Debug("Failed to stat current vault symlink", "error", err, "path", currentVaultPath)
 		return nil, fmt.Errorf("failed to read current vault symlink: %w", err)
 	}
@@ -171,6 +124,54 @@ func ListVaults(fs afero.Fs, stateDir string) ([]string, error) {
 	return vaults, nil
 }
 // processMnemonicForVault handles mnemonic processing for vault creation
 func processMnemonicForVault(fs afero.Fs, stateDir, vaultDir, vaultName string) (
 	derivationIndex uint32, publicKeyHash string, familyHash string, err error) {
 	// Check if mnemonic is available in environment
 	mnemonic := os.Getenv(secret.EnvMnemonic)
 	if mnemonic == "" {
 		secret.Debug("No mnemonic in environment, vault created without long-term key", "vault", vaultName)
 		// Use 0 for derivation index when no mnemonic is provided
 		return 0, "", "", nil
 	}
 	secret.Debug("Mnemonic found in environment, deriving long-term key", "vault", vaultName)
 	// Get the next available derivation index for this mnemonic
 	derivationIndex, err = GetNextDerivationIndex(fs, stateDir, mnemonic)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to get next derivation index: %w", err)
 	}
 	// Derive the long-term key using the actual derivation index
 	ltIdentity, err := agehd.DeriveIdentity(mnemonic, derivationIndex)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to derive long-term key: %w", err)
 	}
 	// Write the public key
 	ltPubKey := ltIdentity.Recipient().String()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 	if err := afero.WriteFile(fs, ltPubKeyPath, []byte(ltPubKey), secret.FilePerms); err != nil {
 		return 0, "", "", fmt.Errorf("failed to write long-term public key: %w", err)
 	}
 	secret.Debug("Wrote long-term public key", "path", ltPubKeyPath)
 	// Compute verification hash from actual derivation index
 	publicKeyHash = ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
 	// Compute family hash from index 0 (same for all vaults with this mnemonic)
 	// This is used to identify which vaults belong to the same mnemonic family
 	identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 	if err != nil {
 		return 0, "", "", fmt.Errorf("failed to derive identity for index 0: %w", err)
 	}
 	familyHash = ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	return derivationIndex, publicKeyHash, familyHash, nil
 }
 // CreateVault creates a new vault
 func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	secret.Debug("Creating new vault", "name", name, "state_dir", stateDir)
@@ -178,6 +179,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
 		return nil, fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -203,54 +205,14 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 		return nil, fmt.Errorf("failed to create unlockers directory: %w", err)
 	}
-	// Check if mnemonic is available in environment
+	// Process mnemonic if available
-	mnemonic := os.Getenv(secret.EnvMnemonic)
+	derivationIndex, publicKeyHash, familyHash, err := processMnemonicForVault(fs, stateDir, vaultDir, name)
 	var derivationIndex uint32
 	var publicKeyHash string
 	var familyHash string
 	if mnemonic != "" {
 		secret.Debug("Mnemonic found in environment, deriving long-term key", "vault", name)
 		// Get the next available derivation index for this mnemonic
 		var err error
 		derivationIndex, err = GetNextDerivationIndex(fs, stateDir, mnemonic)
 	if err != nil {
-			return nil, fmt.Errorf("failed to get next derivation index: %w", err)
+		return nil, err
 		}
 		// Derive the long-term key using the actual derivation index
 		ltIdentity, err := agehd.DeriveIdentity(mnemonic, derivationIndex)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key: %w", err)
 		}
 		// Write the public key
 		ltPubKey := ltIdentity.Recipient().String()
 		ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
 		if err := afero.WriteFile(fs, ltPubKeyPath, []byte(ltPubKey), secret.FilePerms); err != nil {
 			return nil, fmt.Errorf("failed to write long-term public key: %w", err)
 		}
 		secret.Debug("Wrote long-term public key", "path", ltPubKeyPath)
 		// Compute verification hash from actual derivation index
 		publicKeyHash = ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
 		// Compute family hash from index 0 (same for all vaults with this mnemonic)
 		// This is used to identify which vaults belong to the same mnemonic family
 		identity0, err := agehd.DeriveIdentity(mnemonic, 0)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive identity for index 0: %w", err)
 		}
 		familyHash = ComputeDoubleSHA256([]byte(identity0.Recipient().String()))
 	} else {
 		secret.Debug("No mnemonic in environment, vault created without long-term key", "vault", name)
 		// Use 0 for derivation index when no mnemonic is provided
 		derivationIndex = 0
 	}
 	// Save vault metadata
-	metadata := &VaultMetadata{
+	metadata := &Metadata{
 		CreatedAt:          time.Now(),
 		DerivationIndex:    derivationIndex,
 		PublicKeyHash:      publicKeyHash,
@@ -268,6 +230,7 @@ func CreateVault(fs afero.Fs, stateDir string, name string) (*Vault, error) {
 	// Create and return the vault
 	secret.Debug("Successfully created vault", "name", name)
 	return NewVault(fs, stateDir, name), nil
 }
@@ -278,6 +241,7 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 	// Validate vault name
 	if !isValidVaultName(name) {
 		secret.Debug("Invalid vault name provided", "vault_name", name)
 		return fmt.Errorf("invalid vault name '%s': must match pattern [a-z0-9.\\-_]+", name)
 	}
 	secret.Debug("Vault name validation passed", "vault_name", name)
@@ -292,34 +256,22 @@ func SelectVault(fs afero.Fs, stateDir string, name string) error {
 		return fmt.Errorf("vault %s does not exist", name)
 	}
-	// Create or update the current vault symlink/file
+	// Create or update the currentvault file with just the vault name
 	currentVaultPath := filepath.Join(stateDir, "currentvault")
 	targetPath := filepath.Join(stateDir, "vaults.d", name)
-	// First try to remove existing symlink if it exists
+	// Remove existing file if it exists
 	if _, err := fs.Stat(currentVaultPath); err == nil {
-		secret.Debug("Removing existing current vault symlink", "path", currentVaultPath)
+		secret.Debug("Removing existing currentvault file", "path", currentVaultPath)
 		// Ignore errors from Remove as we'll try to create/update it anyway.
 		// On some systems, removing a symlink may fail but the subsequent create may still succeed.
 		_ = fs.Remove(currentVaultPath)
 	}
-	// Try to create a real symlink first (works on Unix systems)
+	// Write just the vault name to the file
-	if _, ok := fs.(*afero.OsFs); ok {
+	secret.Debug("Writing currentvault file", "vault_name", name)
-		secret.Debug("Creating vault symlink", "target", targetPath, "link", currentVaultPath)
+	if err := afero.WriteFile(fs, currentVaultPath, []byte(name), secret.FilePerms); err != nil {
 		if err := os.Symlink(targetPath, currentVaultPath); err == nil {
 			secret.Debug("Successfully selected vault", "vault_name", name)
 			return nil
 		}
 		// If symlink creation fails, fall back to regular file
 	}
 	// Fallback: create a regular file with the target path
 	secret.Debug("Fallback: creating regular file with target path", "target", targetPath)
 	if err := afero.WriteFile(fs, currentVaultPath, []byte(targetPath), secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to select vault: %w", err)
 	}
 	secret.Debug("Successfully selected vault", "vault_name", name)
 	return nil
 }
--- a/internal/vault/metadata.go
+++ b/internal/vault/metadata.go
@@ -12,16 +12,23 @@ import (
 	"github.com/spf13/afero"
 )
-// Alias the metadata types from secret package for convenience
+// Metadata is an alias for secret.VaultMetadata
-type VaultMetadata = secret.VaultMetadata
+type Metadata = secret.VaultMetadata
 // UnlockerMetadata is an alias for secret.UnlockerMetadata
 type UnlockerMetadata = secret.UnlockerMetadata
-type SecretMetadata = secret.SecretMetadata
+
 // SecretMetadata is an alias for secret.Metadata
 type SecretMetadata = secret.Metadata
 // Configuration is an alias for secret.Configuration
 type Configuration = secret.Configuration
 // ComputeDoubleSHA256 computes the double SHA256 hash of data and returns it as hex
 func ComputeDoubleSHA256(data []byte) string {
 	firstHash := sha256.Sum256(data)
 	secondHash := sha256.Sum256(firstHash[:])
 	return hex.EncodeToString(secondHash[:])
 }
@@ -69,7 +76,7 @@ func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonic string) (uint
 			continue
 		}
-		var metadata VaultMetadata
+		var metadata Metadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			// Skip vaults with invalid metadata
 			continue
@@ -82,7 +89,7 @@ func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonic string) (uint
 	}
 	// Find the first available index
-	var index uint32 = 0
+	var index uint32
 	for usedIndices[index] {
 		index++
 	}
@@ -91,7 +98,7 @@ func GetNextDerivationIndex(fs afero.Fs, stateDir string, mnemonic string) (uint
 }
 // SaveVaultMetadata saves vault metadata to the vault directory
-func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *VaultMetadata) error {
+func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *Metadata) error {
 	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 	metadataBytes, err := json.MarshalIndent(metadata, "", "  ")
@@ -107,7 +114,7 @@ func SaveVaultMetadata(fs afero.Fs, vaultDir string, metadata *VaultMetadata) er
 }
 // LoadVaultMetadata loads vault metadata from the vault directory
-func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*VaultMetadata, error) {
+func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*Metadata, error) {
 	metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 	metadataBytes, err := afero.ReadFile(fs, metadataPath)
@@ -115,7 +122,7 @@ func LoadVaultMetadata(fs afero.Fs, vaultDir string) (*VaultMetadata, error) {
 		return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 	}
-	var metadata VaultMetadata
+	var metadata Metadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal vault metadata: %w", err)
 	}
--- a/internal/vault/metadata_test.go
+++ b/internal/vault/metadata_test.go
@@ -1,11 +1,9 @@
 package vault
 import (
 	"testing"
 	"path/filepath"
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/spf13/afero"
@@ -53,7 +51,7 @@ func TestVaultMetadata(t *testing.T) {
 		// Create a vault with metadata and matching public key
 		vaultDir := filepath.Join(stateDir, "vaults.d", "vault1")
-		if err := fs.MkdirAll(vaultDir, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
@@ -66,11 +64,11 @@ func TestVaultMetadata(t *testing.T) {
 		pubKeyHash0 := ComputeDoubleSHA256([]byte(pubKey0))
 		// Write public key
-		if err := afero.WriteFile(fs, filepath.Join(vaultDir, "pub.age"), []byte(pubKey0), 0600); err != nil {
+		if err := afero.WriteFile(fs, filepath.Join(vaultDir, "pub.age"), []byte(pubKey0), 0o600); err != nil {
 			t.Fatalf("Failed to write public key: %v", err)
 		}
-		metadata1 := &VaultMetadata{
+		metadata1 := &Metadata{
 			DerivationIndex:    0,
 			PublicKeyHash:      pubKeyHash0, // Hash of the actual key (index 0)
 			MnemonicFamilyHash: pubKeyHash0, // Hash of index 0 key (for family identification)
@@ -100,7 +98,7 @@ func TestVaultMetadata(t *testing.T) {
 		// Add another vault with same mnemonic but higher index
 		vaultDir2 := filepath.Join(stateDir, "vaults.d", "vault2")
-		if err := fs.MkdirAll(vaultDir2, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir2, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
@@ -112,14 +110,14 @@ func TestVaultMetadata(t *testing.T) {
 		pubKey5 := identity5.Recipient().String()
 		// Write public key
-		if err := afero.WriteFile(fs, filepath.Join(vaultDir2, "pub.age"), []byte(pubKey5), 0600); err != nil {
+		if err := afero.WriteFile(fs, filepath.Join(vaultDir2, "pub.age"), []byte(pubKey5), 0o600); err != nil {
 			t.Fatalf("Failed to write public key: %v", err)
 		}
 		// Compute the hash for index 5 key
 		pubKeyHash5 := ComputeDoubleSHA256([]byte(pubKey5))
-		metadata2 := &VaultMetadata{
+		metadata2 := &Metadata{
 			DerivationIndex:    5,
 			PublicKeyHash:      pubKeyHash5, // Hash of the actual key (index 5)
 			MnemonicFamilyHash: pubKeyHash0, // Same family hash since it's from the same mnemonic
@@ -140,12 +138,12 @@ func TestVaultMetadata(t *testing.T) {
 	t.Run("MetadataPersistence", func(t *testing.T) {
 		vaultDir := filepath.Join(stateDir, "vaults.d", "test-vault")
-		if err := fs.MkdirAll(vaultDir, 0700); err != nil {
+		if err := fs.MkdirAll(vaultDir, 0o700); err != nil {
 			t.Fatalf("Failed to create vault directory: %v", err)
 		}
 		// Create and save metadata
-		metadata := &VaultMetadata{
+		metadata := &Metadata{
 			DerivationIndex: 3,
 			PublicKeyHash:   "test-public-key-hash",
 		}
--- a/internal/vault/path_traversal_test.go
+++ b/internal/vault/path_traversal_test.go
@@ -0,0 +1,96 @@
 package vault
 import (
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestGetSecretVersionRejectsPathTraversal verifies that GetSecretVersion
 // validates the secret name and rejects path traversal attempts.
 // This is a regression test for https://git.eeqj.de/sneak/secret/issues/13
 func TestGetSecretVersionRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	// Add a legitimate secret so the vault is set up
 	value := memguard.NewBufferFromBytes([]byte("legitimate-secret"))
 	err = vlt.AddSecret("legit", value, false)
 	require.NoError(t, err)
 	// These names contain path traversal and should be rejected
 	maliciousNames := []string{
 		"../../../etc/passwd",
 		"..%2f..%2fetc/passwd",
 		".secret",
 		"../sibling-vault/secrets.d/target",
 		"foo/../bar",
 		"a/../../etc/passwd",
 	}
 	for _, name := range maliciousNames {
 		t.Run(name, func(t *testing.T) {
 			_, err := vlt.GetSecretVersion(name, "")
 			assert.Error(t, err, "GetSecretVersion should reject malicious name: %s", name)
 			assert.Contains(t, err.Error(), "invalid secret name",
 				"error should indicate invalid name for: %s", name)
 		})
 	}
 }
 // TestGetSecretRejectsPathTraversal verifies GetSecret (which calls GetSecretVersion)
 // also rejects path traversal names.
 func TestGetSecretRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	_, err = vlt.GetSecret("../../../etc/passwd")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "invalid secret name")
 }
 // TestGetSecretObjectRejectsPathTraversal verifies GetSecretObject
 // also validates names and rejects path traversal attempts.
 func TestGetSecretObjectRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	maliciousNames := []string{
 		"../../../etc/passwd",
 		"foo/../bar",
 		"a/../../etc/passwd",
 	}
 	for _, name := range maliciousNames {
 		t.Run(name, func(t *testing.T) {
 			_, err := vlt.GetSecretObject(name)
 			assert.Error(t, err, "GetSecretObject should reject: %s", name)
 			assert.Contains(t, err.Error(), "invalid secret name")
 		})
 	}
 }
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -11,6 +11,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -21,6 +22,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
@@ -30,10 +32,12 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	exists, err := afero.DirExists(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir)
 		return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name)
 		return []string{}, nil
 	}
@@ -41,6 +45,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	files, err := afero.ReadDir(v.fs, secretsDir)
 	if err != nil {
 		secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir)
 		return nil, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
@@ -62,7 +67,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	return secrets, nil
 }
-// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
+// isValidSecretName validates secret names according to the format [a-zA-Z0-9\.\-\_\/]+
 // but with additional restrictions:
 // - No leading or trailing slashes
 // - No double slashes
@@ -87,23 +92,36 @@ func isValidSecretName(name string) bool {
 		return false
 	}
 	// Check for path traversal via ".." components
 	for _, part := range strings.Split(name, "/") {
 		if part == ".." {
 			return false
 		}
 	}
 	// Check the basic pattern
-	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
+	matched, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-\_\/]+$`, name)
 	return matched
 }
 // AddSecret adds a secret to this vault
-func (v *Vault) AddSecret(name string, value []byte, force bool) error {
+func (v *Vault) AddSecret(name string, value *memguard.LockedBuffer, force bool) error {
 	if value == nil {
 		return fmt.Errorf("value buffer is nil")
 	}
 	secret.DebugWith("Adding secret to vault",
 		slog.String("vault_name", v.Name),
 		slog.String("secret_name", name),
-		slog.Int("value_length", len(value)),
+		slog.Int("value_length", value.Size()),
 		slog.Bool("force", force),
 	)
 	// Validate secret name
 	if !isValidSecretName(name) {
 		secret.Debug("Invalid secret name provided", "secret_name", name)
 		return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
 	}
 	secret.Debug("Secret name validation passed", "secret_name", name)
@@ -112,6 +130,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name)
 		return err
 	}
 	secret.Debug("Got vault directory", "vault_dir", vaultDir)
@@ -130,24 +149,26 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir)
 		return fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	secret.Debug("Secret existence check complete", "exists", exists)
 	// Handle existing secret case
 	now := time.Now()
-	var previousVersion *secret.SecretVersion
+	var previousVersion *secret.Version
 	if exists {
 		if !force {
 			secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
 			return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
 		}
 		// Get the current version to update its notAfter timestamp
 		currentVersionName, err := secret.GetCurrentVersion(v.fs, secretDir)
 		if err == nil && currentVersionName != "" {
-			previousVersion = secret.NewSecretVersion(v, name, currentVersionName)
+			previousVersion = secret.NewVersion(v, name, currentVersionName)
 			// We'll need to load and update its metadata after we unlock the vault
 		}
 	} else {
@@ -155,6 +176,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		secret.Debug("Creating secret directory", "secret_dir", secretDir)
 		if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil {
 			secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
 			return fmt.Errorf("failed to create secret directory: %w", err)
 		}
 		secret.Debug("Created secret directory successfully")
@@ -164,13 +186,14 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	versionName, err := secret.GenerateVersionName(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to generate version name", "error", err, "secret_name", name)
 		return fmt.Errorf("failed to generate version name: %w", err)
 	}
 	secret.Debug("Generated new version name", "version", versionName, "secret_name", name)
 	// Create new version
-	newVersion := secret.NewSecretVersion(v, name, versionName)
+	newVersion := secret.NewVersion(v, name, versionName)
 	// Set version timestamps
 	if previousVersion == nil {
@@ -184,9 +207,16 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		// We'll update the previous version's notAfter after we save the new version
 	}
-	// Save the new version
+	// Save the new version - pass the LockedBuffer directly
 	if err := newVersion.Save(value); err != nil {
 		secret.Debug("Failed to save new version", "error", err, "version", versionName)
 		// Clean up the secret directory if this was a new secret
 		if !exists {
 			secret.Debug("Cleaning up secret directory due to save failure", "secret_dir", secretDir)
 			_ = v.fs.RemoveAll(secretDir)
 		}
 		return fmt.Errorf("failed to save version: %w", err)
 	}
@@ -196,12 +226,14 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		ltIdentity, err := v.GetOrDeriveLongTermKey()
 		if err != nil {
 			secret.Debug("Failed to get long-term key for metadata update", "error", err)
 			return fmt.Errorf("failed to get long-term key: %w", err)
 		}
 		// Load previous version metadata
 		if err := previousVersion.LoadMetadata(ltIdentity); err != nil {
 			secret.Debug("Failed to load previous version metadata", "error", err)
 			return fmt.Errorf("failed to load previous version metadata: %w", err)
 		}
@@ -211,6 +243,7 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 		// Re-save the metadata (we need to implement an update method)
 		if err := updateVersionMetadata(v.fs, previousVersion, ltIdentity); err != nil {
 			secret.Debug("Failed to update previous version metadata", "error", err)
 			return fmt.Errorf("failed to update previous version metadata: %w", err)
 		}
 	}
@@ -218,15 +251,19 @@ func (v *Vault) AddSecret(name string, value []byte, force bool) error {
 	// Set current symlink to new version
 	if err := secret.SetCurrentVersion(v.fs, secretDir, versionName); err != nil {
 		secret.Debug("Failed to set current version", "error", err, "version", versionName)
 		return fmt.Errorf("failed to set current version: %w", err)
 	}
-	secret.Debug("Successfully added secret version to vault", "secret_name", name, "version", versionName, "vault_name", v.Name)
+	secret.Debug("Successfully added secret version to vault",
 		"secret_name", name, "version", versionName,
 		"vault_name", v.Name)
 	return nil
 }
 // updateVersionMetadata updates the metadata of an existing version
-func updateVersionMetadata(fs afero.Fs, version *secret.SecretVersion, ltIdentity *age.X25519Identity) error {
+func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age.X25519Identity) error {
 	// Read the version's encrypted private key
 	encryptedPrivKeyPath := filepath.Join(version.Directory, "priv.age")
 	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
@@ -235,13 +272,14 @@ func updateVersionMetadata(fs afero.Fs, version *secret.SecretVersion, ltIdentit
 	}
 	// Decrypt version private key using long-term key
-	versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
 	defer versionPrivKeyBuffer.Destroy()
 	// Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
@@ -253,7 +291,10 @@ func updateVersionMetadata(fs afero.Fs, version *secret.SecretVersion, ltIdentit
 	}
 	// Encrypt metadata to the version's public key
-	encryptedMetadata, err := secret.EncryptToRecipient(metadataBytes, versionIdentity.Recipient())
+	metadataBuffer := memguard.NewBufferFromBytes(metadataBytes)
 	defer metadataBuffer.Destroy()
 	encryptedMetadata, err := secret.EncryptToRecipient(metadataBuffer, versionIdentity.Recipient())
 	if err != nil {
 		return fmt.Errorf("failed to encrypt version metadata: %w", err)
 	}
@@ -285,10 +326,18 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		slog.String("version", version),
 	)
 	// Validate secret name to prevent path traversal
 	if !isValidSecretName(name) {
 		secret.Debug("Invalid secret name provided", "secret_name", name)
 		return nil, fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
 	}
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
@@ -300,10 +349,12 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	exists, err := afero.DirExists(v.fs, secretDir)
 	if err != nil {
 		secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name)
 		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name)
 		return nil, fmt.Errorf("secret %s not found", name)
 	}
@@ -313,6 +364,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		currentVersion, err := secret.GetCurrentVersion(v.fs, secretDir)
 		if err != nil {
 			secret.Debug("Failed to get current version", "error", err, "secret_name", name)
 			return nil, fmt.Errorf("failed to get current version: %w", err)
 		}
 		version = currentVersion
@@ -320,17 +372,19 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	}
 	// Create version object
-	secretVersion := secret.NewSecretVersion(v, name, version)
+	secretVersion := secret.NewVersion(v, name, version)
 	// Check if version exists
 	versionPath := filepath.Join(secretDir, "versions", version)
 	exists, err = afero.DirExists(v.fs, versionPath)
 	if err != nil {
 		secret.Debug("Failed to check if version exists", "error", err, "version", version)
 		return nil, fmt.Errorf("failed to check if version exists: %w", err)
 	}
 	if !exists {
 		secret.Debug("Version not found", "version", version, "secret_name", name)
 		return nil, fmt.Errorf("version %s not found for secret %s", version, name)
 	}
@@ -340,6 +394,7 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	longTermIdentity, err := v.UnlockVault()
 	if err != nil {
 		secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to unlock vault: %w", err)
 	}
@@ -355,24 +410,30 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 	decryptedValue, err := secretVersion.GetValue(longTermIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt version value", "error", err, "version", version, "secret_name", name)
 		return nil, fmt.Errorf("failed to decrypt version: %w", err)
 	}
 	// Create a copy to return since the buffer will be destroyed
 	result := make([]byte, decryptedValue.Size())
 	copy(result, decryptedValue.Bytes())
 	decryptedValue.Destroy()
 	secret.DebugWith("Successfully decrypted secret version",
 		slog.String("secret_name", name),
 		slog.String("version", version),
 		slog.String("vault_name", v.Name),
-		slog.Int("decrypted_length", len(decryptedValue)),
+		slog.Int("decrypted_length", len(result)),
 	)
 	// Debug: Log metadata about the decrypted value without exposing the actual secret
 	secret.Debug("Vault secret decryption debug info",
 		"secret_name", name,
 		"version", version,
-		"decrypted_value_length", len(decryptedValue),
+		"decrypted_value_length", len(result),
-		"is_empty", len(decryptedValue) == 0)
+		"is_empty", len(result) == 0)
-	return decryptedValue, nil
+	return result, nil
 }
 // UnlockVault unlocks the vault and returns the long-term private key
@@ -382,6 +443,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	// If vault is already unlocked, return the cached key
 	if !v.Locked() {
 		secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name)
 		return v.longTermKey, nil
 	}
@@ -389,6 +451,7 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 	longTermIdentity, err := v.GetOrDeriveLongTermKey()
 	if err != nil {
 		secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}
@@ -405,6 +468,10 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
 	if !isValidSecretName(name) {
 		return nil, fmt.Errorf("invalid secret name: %s", name)
 	}
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
@@ -434,3 +501,158 @@ func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
 	return secretObj, nil
 }
 // CopySecretVersion copies a single version from source to this vault
 // It decrypts the value using srcIdentity and re-encrypts for this vault
 func (v *Vault) CopySecretVersion(
 	srcVersion *secret.Version,
 	srcIdentity *age.X25519Identity,
 	destSecretName string,
 	destVersionName string,
 ) error {
 	secret.DebugWith("Copying secret version to vault",
 		slog.String("src_secret", srcVersion.SecretName),
 		slog.String("src_version", srcVersion.Version),
 		slog.String("dest_vault", v.Name),
 		slog.String("dest_secret", destSecretName),
 		slog.String("dest_version", destVersionName),
 	)
 	// Get the decrypted value from source
 	valueBuffer, err := srcVersion.GetValue(srcIdentity)
 	if err != nil {
 		return fmt.Errorf("failed to decrypt source version: %w", err)
 	}
 	defer valueBuffer.Destroy()
 	// Load source metadata
 	if err := srcVersion.LoadMetadata(srcIdentity); err != nil {
 		return fmt.Errorf("failed to load source metadata: %w", err)
 	}
 	// Create destination version with same name
 	destVersion := secret.NewVersion(v, destSecretName, destVersionName)
 	// Copy metadata (preserve original timestamps)
 	destVersion.Metadata = srcVersion.Metadata
 	// Save the version (encrypts to this vault's LT key)
 	if err := destVersion.Save(valueBuffer); err != nil {
 		return fmt.Errorf("failed to save destination version: %w", err)
 	}
 	secret.Debug("Successfully copied secret version",
 		"src_version", srcVersion.Version,
 		"dest_version", destVersionName,
 		"dest_vault", v.Name)
 	return nil
 }
 // CopySecretAllVersions copies all versions of a secret from source vault to this vault
 // It re-encrypts each version with this vault's long-term key
 func (v *Vault) CopySecretAllVersions(
 	srcVault *Vault,
 	srcSecretName string,
 	destSecretName string,
 	force bool,
 ) error {
 	secret.DebugWith("Copying all secret versions between vaults",
 		slog.String("src_vault", srcVault.Name),
 		slog.String("src_secret", srcSecretName),
 		slog.String("dest_vault", v.Name),
 		slog.String("dest_secret", destSecretName),
 		slog.Bool("force", force),
 	)
 	// Get destination vault directory
 	destVaultDir, err := v.GetDirectory()
 	if err != nil {
 		return fmt.Errorf("failed to get destination vault directory: %w", err)
 	}
 	// Check if destination secret already exists
 	destStorageName := strings.ReplaceAll(destSecretName, "/", "%")
 	destSecretDir := filepath.Join(destVaultDir, "secrets.d", destStorageName)
 	exists, err := afero.DirExists(v.fs, destSecretDir)
 	if err != nil {
 		return fmt.Errorf("failed to check destination: %w", err)
 	}
 	if exists && !force {
 		return fmt.Errorf("secret '%s' already exists in vault '%s' (use --force to overwrite)",
 			destSecretName, v.Name)
 	}
 	if exists && force {
 		// Remove existing secret
 		secret.Debug("Removing existing destination secret", "path", destSecretDir)
 		if err := v.fs.RemoveAll(destSecretDir); err != nil {
 			return fmt.Errorf("failed to remove existing destination secret: %w", err)
 		}
 	}
 	// Get source vault's long-term key
 	srcIdentity, err := srcVault.GetOrDeriveLongTermKey()
 	if err != nil {
 		return fmt.Errorf("failed to unlock source vault '%s': %w", srcVault.Name, err)
 	}
 	// Get source secret directory
 	srcVaultDir, err := srcVault.GetDirectory()
 	if err != nil {
 		return fmt.Errorf("failed to get source vault directory: %w", err)
 	}
 	srcStorageName := strings.ReplaceAll(srcSecretName, "/", "%")
 	srcSecretDir := filepath.Join(srcVaultDir, "secrets.d", srcStorageName)
 	// List all versions
 	versions, err := secret.ListVersions(srcVault.fs, srcSecretDir)
 	if err != nil {
 		return fmt.Errorf("failed to list source versions: %w", err)
 	}
 	if len(versions) == 0 {
 		return fmt.Errorf("source secret '%s' has no versions", srcSecretName)
 	}
 	// Get current version name
 	currentVersion, err := secret.GetCurrentVersion(srcVault.fs, srcSecretDir)
 	if err != nil {
 		return fmt.Errorf("failed to get current version: %w", err)
 	}
 	// Create destination secret directory
 	if err := v.fs.MkdirAll(destSecretDir, secret.DirPerms); err != nil {
 		return fmt.Errorf("failed to create destination secret directory: %w", err)
 	}
 	// Copy each version
 	for _, versionName := range versions {
 		srcVersion := secret.NewVersion(srcVault, srcSecretName, versionName)
 		if err := v.CopySecretVersion(srcVersion, srcIdentity, destSecretName, versionName); err != nil {
 			// Rollback: remove partial copy
 			secret.Debug("Rolling back partial copy due to error", "error", err)
 			_ = v.fs.RemoveAll(destSecretDir)
 			return fmt.Errorf("failed to copy version %s: %w", versionName, err)
 		}
 	}
 	// Set current version
 	if err := secret.SetCurrentVersion(v.fs, destSecretDir, currentVersion); err != nil {
 		_ = v.fs.RemoveAll(destSecretDir)
 		return fmt.Errorf("failed to set current version: %w", err)
 	}
 	secret.DebugWith("Successfully copied all secret versions",
 		slog.String("src_vault", srcVault.Name),
 		slog.String("dest_vault", v.Name),
 		slog.Int("version_count", len(versions)),
 	)
 	return nil
 }
--- a/internal/vault/secrets_name_test.go
+++ b/internal/vault/secrets_name_test.go
@@ -0,0 +1,42 @@
 package vault
 import "testing"
 func TestIsValidSecretNameUppercase(t *testing.T) {
 	tests := []struct {
 		name  string
 		valid bool
 	}{
 		// Lowercase (existing behavior)
 		{"valid-name", true},
 		{"valid.name", true},
 		{"valid_name", true},
 		{"valid/path/name", true},
 		{"123valid", true},
 		// Uppercase (new behavior - issue #2)
 		{"Valid-Upper-Name", true},
 		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},
 		{"MixedCase/Path/Name", true},
 		{"ALLUPPERCASE", true},
 		{"ABC123", true},
 		// Still invalid
 		{"", false},
 		{"invalid name", false},
 		{"invalid@name", false},
 		{".dotstart", false},
 		{"/leading-slash", false},
 		{"trailing-slash/", false},
 		{"double//slash", false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isValidSecretName(tt.name)
 			if result != tt.valid {
 				t.Errorf("isValidSecretName(%q) = %v, want %v", tt.name, result, tt.valid)
 			}
 		})
 	}
 }
--- a/internal/vault/secrets_version_test.go
+++ b/internal/vault/secrets_version_test.go
@@ -24,11 +24,21 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // Helper function to add a secret to vault with proper buffer protection
 func addTestSecretToVault(t *testing.T, vault *Vault, name string, value []byte, force bool) {
 	t.Helper()
 	buffer := memguard.NewBufferFromBytes(value)
 	defer buffer.Destroy()
 	err := vault.AddSecret(name, buffer, force)
 	require.NoError(t, err)
 }
 // Helper function to create a vault with long-term key set up
 func createTestVaultWithKey(t *testing.T, fs afero.Fs, stateDir, vaultName string) *Vault {
 	// Set mnemonic for testing
@@ -46,7 +56,7 @@ func createTestVaultWithKey(t *testing.T, fs afero.Fs, stateDir, vaultName strin
 	// Store long-term public key in vault
 	vaultDir, _ := vault.GetDirectory()
 	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
-	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0o600)
 	require.NoError(t, err)
 	// Unlock the vault with the derived key
@@ -65,9 +75,10 @@ func TestVaultAddSecretCreatesVersion(t *testing.T) {
 	// Add a secret
 	secretName := "test/secret"
 	secretValue := []byte("initial-value")
 	expectedValue := make([]byte, len(secretValue))
 	copy(expectedValue, secretValue)
-	err := vault.AddSecret(secretName, secretValue, false)
+	addTestSecretToVault(t, vault, secretName, secretValue, false)
 	require.NoError(t, err)
 	// Check that version directory was created
 	vaultDir, _ := vault.GetDirectory()
@@ -88,7 +99,7 @@ func TestVaultAddSecretCreatesVersion(t *testing.T) {
 	// Get the secret value
 	retrievedValue, err := vault.GetSecret(secretName)
 	require.NoError(t, err)
-	assert.Equal(t, secretValue, retrievedValue)
+	assert.Equal(t, expectedValue, retrievedValue)
 }
 func TestVaultAddSecretMultipleVersions(t *testing.T) {
@@ -101,17 +112,17 @@ func TestVaultAddSecretMultipleVersions(t *testing.T) {
 	secretName := "test/secret"
 	// Add first version
-	err := vault.AddSecret(secretName, []byte("version-1"), false)
+	addTestSecretToVault(t, vault, secretName, []byte("version-1"), false)
 	require.NoError(t, err)
 	// Try to add again without force - should fail
-	err = vault.AddSecret(secretName, []byte("version-2"), false)
+	failBuffer := memguard.NewBufferFromBytes([]byte("version-2"))
 	defer failBuffer.Destroy()
 	err := vault.AddSecret(secretName, failBuffer, false)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "already exists")
 	// Add with force - should create new version
-	err = vault.AddSecret(secretName, []byte("version-2"), true)
+	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	require.NoError(t, err)
 	// Check that we have two versions
 	vaultDir, _ := vault.GetDirectory()
@@ -136,14 +147,12 @@ func TestVaultGetSecretVersion(t *testing.T) {
 	secretName := "test/secret"
 	// Add multiple versions
-	err := vault.AddSecret(secretName, []byte("version-1"), false)
+	addTestSecretToVault(t, vault, secretName, []byte("version-1"), false)
 	require.NoError(t, err)
 	// Small delay to ensure different version names
 	time.Sleep(10 * time.Millisecond)
-	err = vault.AddSecret(secretName, []byte("version-2"), true)
+	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	require.NoError(t, err)
 	// Get versions list
 	vaultDir, _ := vault.GetDirectory()
@@ -185,7 +194,9 @@ func TestVaultVersionTimestamps(t *testing.T) {
 	// Add first version
 	beforeFirst := time.Now()
-	err = vault.AddSecret(secretName, []byte("version-1"), false)
+	v1Buffer := memguard.NewBufferFromBytes([]byte("version-1"))
 	defer v1Buffer.Destroy()
 	err = vault.AddSecret(secretName, v1Buffer, false)
 	require.NoError(t, err)
 	afterFirst := time.Now()
@@ -196,7 +207,7 @@ func TestVaultVersionTimestamps(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, versions, 1)
-	firstVersion := secret.NewSecretVersion(vault, secretName, versions[0])
+	firstVersion := secret.NewVersion(vault, secretName, versions[0])
 	err = firstVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
@@ -212,8 +223,7 @@ func TestVaultVersionTimestamps(t *testing.T) {
 	// Add second version
 	time.Sleep(10 * time.Millisecond)
 	beforeSecond := time.Now()
-	err = vault.AddSecret(secretName, []byte("version-2"), true)
+	addTestSecretToVault(t, vault, secretName, []byte("version-2"), true)
 	require.NoError(t, err)
 	afterSecond := time.Now()
 	// Get updated versions
@@ -222,7 +232,7 @@ func TestVaultVersionTimestamps(t *testing.T) {
 	require.Len(t, versions, 2)
 	// Reload first version metadata (should have notAfter now)
-	firstVersion = secret.NewSecretVersion(vault, secretName, versions[1])
+	firstVersion = secret.NewVersion(vault, secretName, versions[1])
 	err = firstVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
@@ -231,7 +241,7 @@ func TestVaultVersionTimestamps(t *testing.T) {
 	assert.True(t, firstVersion.Metadata.NotAfter.Before(afterSecond.Add(time.Second)))
 	// Check second version timestamps
-	secondVersion := secret.NewSecretVersion(vault, secretName, versions[0])
+	secondVersion := secret.NewVersion(vault, secretName, versions[0])
 	err = secondVersion.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
@@ -249,11 +259,10 @@ func TestVaultGetNonExistentVersion(t *testing.T) {
 	vault := createTestVaultWithKey(t, fs, stateDir, "test")
 	// Add a secret
-	err := vault.AddSecret("test/secret", []byte("value"), false)
+	addTestSecretToVault(t, vault, "test/secret", []byte("value"), false)
 	require.NoError(t, err)
 	// Try to get non-existent version
-	_, err = vault.GetSecretVersion("test/secret", "20991231.999")
+	_, err := vault.GetSecretVersion("test/secret", "20991231.999")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "not found")
 }
@@ -272,7 +281,7 @@ func TestUpdateVersionMetadata(t *testing.T) {
 	// Create a version manually to test updateVersionMetadata
 	secretName := "test/secret"
 	versionName := "20231215.001"
-	version := secret.NewSecretVersion(vault, secretName, versionName)
+	version := secret.NewVersion(vault, secretName, versionName)
 	// Set initial metadata
 	now := time.Now()
@@ -281,7 +290,9 @@ func TestUpdateVersionMetadata(t *testing.T) {
 	version.Metadata.NotAfter = nil
 	// Save version
-	err = version.Save([]byte("test-value"))
+	testBuffer := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer testBuffer.Destroy()
 	err = version.Save(testBuffer)
 	require.NoError(t, err)
 	// Update metadata
@@ -290,7 +301,7 @@ func TestUpdateVersionMetadata(t *testing.T) {
 	require.NoError(t, err)
 	// Load and verify
-	version2 := secret.NewSecretVersion(vault, secretName, versionName)
+	version2 := secret.NewVersion(vault, secretName, versionName)
 	err = version2.LoadMetadata(ltIdentity)
 	require.NoError(t, err)
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@@ -10,6 +10,7 @@ import (
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
@@ -20,6 +21,7 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		secret.Debug("Failed to get vault directory for unlocker", "error", err, "vault_name", v.Name)
 		return nil, err
 	}
@@ -29,34 +31,14 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	_, err = v.fs.Stat(currentUnlockerPath)
 	if err != nil {
 		secret.Debug("Failed to stat current unlocker symlink", "error", err, "path", currentUnlockerPath)
 		return nil, fmt.Errorf("failed to read current unlocker: %w", err)
 	}
 	// Resolve the symlink to get the target directory
-	var unlockerDir string
+	unlockerDir, err := v.resolveUnlockerDirectory(currentUnlockerPath)
 	if linkReader, ok := v.fs.(afero.LinkReader); ok {
 		secret.Debug("Resolving unlocker symlink using afero")
 		// Try to read as symlink first
 		unlockerDir, err = linkReader.ReadlinkIfPossible(currentUnlockerPath)
 	if err != nil {
-			secret.Debug("Failed to read symlink, falling back to file contents", "error", err, "symlink_path", currentUnlockerPath)
+		return nil, err
 			// Fallback: read the path from file contents
 			unlockerDirBytes, err := afero.ReadFile(v.fs, currentUnlockerPath)
 			if err != nil {
 				secret.Debug("Failed to read unlocker path file", "error", err, "path", currentUnlockerPath)
 				return nil, fmt.Errorf("failed to read current unlocker: %w", err)
 			}
 			unlockerDir = strings.TrimSpace(string(unlockerDirBytes))
 		}
 	} else {
 		secret.Debug("Reading unlocker path (filesystem doesn't support symlinks)")
 		// Fallback for filesystems that don't support symlinks: read the path from file contents
 		unlockerDirBytes, err := afero.ReadFile(v.fs, currentUnlockerPath)
 		if err != nil {
 			secret.Debug("Failed to read unlocker path file", "error", err, "path", currentUnlockerPath)
 			return nil, fmt.Errorf("failed to read current unlocker: %w", err)
 		}
 		unlockerDir = strings.TrimSpace(string(unlockerDirBytes))
 	}
 	secret.DebugWith("Resolved unlocker directory",
@@ -71,12 +53,14 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 	if err != nil {
 		secret.Debug("Failed to read unlocker metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to read unlocker metadata: %w", err)
 	}
 	var metadata UnlockerMetadata
 	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 		secret.Debug("Failed to parse unlocker metadata", "error", err, "path", metadataPath)
 		return nil, fmt.Errorf("failed to parse unlocker metadata: %w", err)
 	}
@@ -88,20 +72,23 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	// Create unlocker instance using direct constructors with filesystem
 	var unlocker secret.Unlocker
-	// Convert our metadata to secret.UnlockerMetadata
+	// Use metadata directly as it's already the correct type
 	secretMetadata := secret.UnlockerMetadata(metadata)
 	switch metadata.Type {
 	case "passphrase":
 		secret.Debug("Creating passphrase unlocker instance", "unlocker_type", metadata.Type)
-		unlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDir, secretMetadata)
+		unlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
 	case "pgp":
 		secret.Debug("Creating PGP unlocker instance", "unlocker_type", metadata.Type)
-		unlocker = secret.NewPGPUnlocker(v.fs, unlockerDir, secretMetadata)
+		unlocker = secret.NewPGPUnlocker(v.fs, unlockerDir, metadata)
 	case "keychain":
 		secret.Debug("Creating keychain unlocker instance", "unlocker_type", metadata.Type)
-		unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, secretMetadata)
+		unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, metadata)
 	case "secure-enclave":
 		secret.Debug("Creating secure enclave unlocker instance", "unlocker_type", metadata.Type)
 		unlocker = secret.NewSecureEnclaveUnlocker(v.fs, unlockerDir, metadata)
 	default:
 		secret.Debug("Unsupported unlocker type", "type", metadata.Type)
 		return nil, fmt.Errorf("unsupported unlocker type: %s", metadata.Type)
 	}
@@ -114,6 +101,89 @@ func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
 	return unlocker, nil
 }
 // resolveUnlockerDirectory reads the current-unlocker file to get the unlocker directory path
 // The file contains just the unlocker name (e.g., "passphrase")
 func (v *Vault) resolveUnlockerDirectory(currentUnlockerPath string) (string, error) {
 	secret.Debug("Reading current-unlocker file", "path", currentUnlockerPath)
 	unlockerNameBytes, err := afero.ReadFile(v.fs, currentUnlockerPath)
 	if err != nil {
 		secret.Debug("Failed to read current-unlocker file", "error", err, "path", currentUnlockerPath)
 		return "", fmt.Errorf("failed to read current unlocker: %w", err)
 	}
 	unlockerName := strings.TrimSpace(string(unlockerNameBytes))
 	secret.Debug("Read unlocker name from file", "unlocker_name", unlockerName)
 	// Resolve to absolute path: vaultDir/unlockers.d/unlockerName
 	vaultDir := filepath.Dir(currentUnlockerPath)
 	absolutePath := filepath.Join(vaultDir, "unlockers.d", unlockerName)
 	secret.Debug("Resolved to absolute path", "absolute_path", absolutePath)
 	return absolutePath, nil
 }
 // findUnlockerByID finds an unlocker by its ID and returns the unlocker instance and its directory path
 func (v *Vault) findUnlockerByID(unlockersDir, unlockerID string) (secret.Unlocker, string, error) {
 	files, err := afero.ReadDir(v.fs, unlockersDir)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to read unlockers directory: %w", err)
 	}
 	for _, file := range files {
 		if !file.IsDir() {
 			continue
 		}
 		// Read metadata file
 		metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
 		exists, err := afero.Exists(v.fs, metadataPath)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 		}
 		if !exists {
 			// Skip directories without metadata - they might not be unlockers
 			continue
 		}
 		metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
 		}
 		var metadata UnlockerMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			return nil, "", fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
 		}
 		unlockerDirPath := filepath.Join(unlockersDir, file.Name())
 		// Create the appropriate unlocker instance
 		var tempUnlocker secret.Unlocker
 		switch metadata.Type {
 		case "passphrase":
 			tempUnlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDirPath, metadata)
 		case "pgp":
 			tempUnlocker = secret.NewPGPUnlocker(v.fs, unlockerDirPath, metadata)
 		case "keychain":
 			tempUnlocker = secret.NewKeychainUnlocker(v.fs, unlockerDirPath, metadata)
 		case "secure-enclave":
 			tempUnlocker = secret.NewSecureEnclaveUnlocker(v.fs, unlockerDirPath, metadata)
 		default:
 			continue
 		}
 		// Check if this unlocker's ID matches
 		if tempUnlocker.GetID() == unlockerID {
 			return tempUnlocker, unlockerDirPath, nil
 		}
 	}
 	return nil, "", nil
 }
 // ListUnlockers returns a list of available unlockers for this vault
 func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 	vaultDir, err := v.GetDirectory()
@@ -148,7 +218,9 @@ func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 				return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
-				return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
+				secret.Warn("Skipping unlocker directory with missing metadata file", "directory", file.Name())
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
@@ -178,61 +250,10 @@ func (v *Vault) RemoveUnlocker(unlockerID string) error {
 	// Find the unlocker directory and create the unlocker instance
 	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
-	// List directories in unlockers.d
+	// Find the unlocker by ID
-	files, err := afero.ReadDir(v.fs, unlockersDir)
+	unlocker, _, err := v.findUnlockerByID(unlockersDir, unlockerID)
 	if err != nil {
-		return fmt.Errorf("failed to read unlockers directory: %w", err)
+		return err
 	}
 	var unlocker secret.Unlocker
 	var unlockerDirPath string
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil {
 				return fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
 				// Skip directories without metadata - they might not be unlockers
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				return fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
 			}
 			var metadata UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				return fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
 			}
 			unlockerDirPath = filepath.Join(unlockersDir, file.Name())
 			// Convert our metadata to secret.UnlockerMetadata
 			secretMetadata := secret.UnlockerMetadata(metadata)
 			// Create the appropriate unlocker instance
 			var tempUnlocker secret.Unlocker
 			switch metadata.Type {
 			case "passphrase":
 				tempUnlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			case "pgp":
 				tempUnlocker = secret.NewPGPUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			case "keychain":
 				tempUnlocker = secret.NewKeychainUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			default:
 				continue
 			}
 			// Check if this unlocker's ID matches
 			if tempUnlocker.GetID() == unlockerID {
 				unlocker = tempUnlocker
 				break
 			}
 		}
 	}
 	if unlocker == nil {
@@ -253,97 +274,43 @@ func (v *Vault) SelectUnlocker(unlockerID string) error {
 	// Find the unlocker directory by ID
 	unlockersDir := filepath.Join(vaultDir, "unlockers.d")
-	// List directories in unlockers.d to find the unlocker
+	// Find the unlocker by ID
-	files, err := afero.ReadDir(v.fs, unlockersDir)
+	_, targetUnlockerDir, err := v.findUnlockerByID(unlockersDir, unlockerID)
 	if err != nil {
-		return fmt.Errorf("failed to read unlockers directory: %w", err)
+		return err
 	}
 	var targetUnlockerDir string
 	for _, file := range files {
 		if file.IsDir() {
 			// Read metadata file
 			metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
 			exists, err := afero.Exists(v.fs, metadataPath)
 			if err != nil {
 				return fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
 				// Skip directories without metadata - they might not be unlockers
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
 			if err != nil {
 				return fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
 			}
 			var metadata UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 				return fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
 			}
 			unlockerDirPath := filepath.Join(unlockersDir, file.Name())
 			// Convert our metadata to secret.UnlockerMetadata
 			secretMetadata := secret.UnlockerMetadata(metadata)
 			// Create the appropriate unlocker instance
 			var tempUnlocker secret.Unlocker
 			switch metadata.Type {
 			case "passphrase":
 				tempUnlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			case "pgp":
 				tempUnlocker = secret.NewPGPUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			case "keychain":
 				tempUnlocker = secret.NewKeychainUnlocker(v.fs, unlockerDirPath, secretMetadata)
 			default:
 				continue
 			}
 			// Check if this unlocker's ID matches
 			if tempUnlocker.GetID() == unlockerID {
 				targetUnlockerDir = unlockerDirPath
 				break
 			}
 		}
 	}
 	if targetUnlockerDir == "" {
 		return fmt.Errorf("unlocker with ID %s not found", unlockerID)
 	}
-	// Create/update current unlocker symlink
+	// Create/update current-unlocker file with just the unlocker name
 	currentUnlockerPath := filepath.Join(vaultDir, "current-unlocker")
-	// Remove existing symlink if it exists
+	// Remove existing file if it exists
 	if exists, err := afero.Exists(v.fs, currentUnlockerPath); err != nil {
-		return fmt.Errorf("failed to check if current unlocker symlink exists: %w", err)
+		return fmt.Errorf("failed to check if current-unlocker file exists: %w", err)
 	} else if exists {
 		if err := v.fs.Remove(currentUnlockerPath); err != nil {
-			return fmt.Errorf("failed to remove existing unlocker symlink: %w", err)
+			return fmt.Errorf("failed to remove existing current-unlocker file: %w", err)
 		}
 	}
-	// Create new symlink using afero's SymlinkIfPossible
+	// Get just the unlocker name (basename of the directory)
-	if linker, ok := v.fs.(afero.Linker); ok {
+	unlockerName := filepath.Base(targetUnlockerDir)
-		secret.Debug("Creating unlocker symlink", "target", targetUnlockerDir, "link", currentUnlockerPath)
+
-		if err := linker.SymlinkIfPossible(targetUnlockerDir, currentUnlockerPath); err != nil {
+	// Write just the unlocker name to the file
-			return fmt.Errorf("failed to create unlocker symlink: %w", err)
+	secret.Debug("Writing current-unlocker file", "unlocker_name", unlockerName)
-		}
+	if err := afero.WriteFile(v.fs, currentUnlockerPath, []byte(unlockerName), secret.FilePerms); err != nil {
-	} else {
+		return fmt.Errorf("failed to create current-unlocker file: %w", err)
 		// Fallback: create a regular file with the target path for filesystems that don't support symlinks
 		secret.Debug("Fallback: creating regular file with target path", "target", targetUnlockerDir)
 		if err := afero.WriteFile(v.fs, currentUnlockerPath, []byte(targetUnlockerDir), secret.FilePerms); err != nil {
 			return fmt.Errorf("failed to create unlocker symlink file: %w", err)
 		}
 	}
 	return nil
 }
 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
-func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseUnlocker, error) {
+// The passphrase must be provided as a LockedBuffer for security
 func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*secret.PassphraseUnlocker, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
@@ -363,13 +330,17 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseU
 	// Write public key
 	pubKeyPath := filepath.Join(unlockerDir, "pub.age")
-	if err := afero.WriteFile(v.fs, pubKeyPath, []byte(unlockerIdentity.Recipient().String()), secret.FilePerms); err != nil {
+	if err := afero.WriteFile(v.fs, pubKeyPath,
 		[]byte(unlockerIdentity.Recipient().String()),
 		secret.FilePerms); err != nil {
 		return nil, fmt.Errorf("failed to write unlocker public key: %w", err)
 	}
 	// Encrypt private key with passphrase
-	privKeyData := []byte(unlockerIdentity.String())
+	privKeyStr := unlockerIdentity.String()
-	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, passphrase)
+	privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
 	defer privKeyBuffer.Destroy()
 	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
 	}
@@ -405,8 +376,10 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseU
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}
-	ltPrivKey := []byte(ltIdentity.String())
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKey, unlockerIdentity.Recipient())
+	defer ltPrivKeyBuffer.Destroy()
 	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}
@@ -416,11 +389,8 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseU
 		return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	// Convert our metadata to secret.UnlockerMetadata for the constructor
 	secretMetadata := secret.UnlockerMetadata(metadata)
 	// Create the unlocker instance
-	unlocker := secret.NewPassphraseUnlocker(v.fs, unlockerDir, secretMetadata)
+	unlocker := secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
 	// Select this unlocker as current
 	if err := v.SelectUnlocker(unlocker.GetID()); err != nil {
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -30,6 +30,7 @@ func NewVault(fs afero.Fs, stateDir string, name string) *Vault {
 		longTermKey: nil,
 	}
 	secret.Debug("Created NewVault instance successfully")
 	return v
 }
@@ -75,12 +76,14 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 		metadata, err := LoadVaultMetadata(v.fs, vaultDir)
 		if err != nil {
 			secret.Debug("Failed to load vault metadata", "error", err, "vault_name", v.Name)
 			return nil, fmt.Errorf("failed to load vault metadata: %w", err)
 		}
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			secret.Debug("Failed to derive long-term key from mnemonic", "error", err, "vault_name", v.Name)
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
@@ -92,6 +95,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 				"derived_hash", derivedPubKeyHash,
 				"stored_hash", metadata.PublicKeyHash,
 				"derivation_index", metadata.DerivationIndex)
 			return nil, fmt.Errorf("derived public key does not match vault: mnemonic may be incorrect")
 		}
@@ -115,6 +119,7 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	unlocker, err := v.GetCurrentUnlocker()
 	if err != nil {
 		secret.Debug("Failed to get current unlocker", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
 	}
@@ -124,50 +129,12 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 		slog.String("unlocker_id", unlocker.GetID()),
 	)
-	// Get unlocker identity
+	// Get the long-term key via the unlocker.
-	unlockerIdentity, err := unlocker.GetIdentity()
+	// SE unlockers return the long-term key directly from GetIdentity().
 	// Other unlockers return their own identity, used to decrypt longterm.age.
 	ltIdentity, err := v.unlockLongTermKey(unlocker)
 	if err != nil {
-		secret.Debug("Failed to get unlocker identity", "error", err, "unlocker_type", unlocker.GetType())
+		return nil, err
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
 	// Read encrypted long-term private key from unlocker directory
 	unlockerDir := unlocker.GetDirectory()
 	encryptedLtPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	secret.Debug("Reading encrypted long-term private key", "path", encryptedLtPrivKeyPath)
 	encryptedLtPrivKey, err := afero.ReadFile(v.fs, encryptedLtPrivKeyPath)
 	if err != nil {
 		secret.Debug("Failed to read encrypted long-term private key", "error", err, "path", encryptedLtPrivKeyPath)
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
 	secret.DebugWith("Read encrypted long-term private key",
 		slog.String("vault_name", v.Name),
 		slog.String("unlocker_type", unlocker.GetType()),
 		slog.Int("encrypted_length", len(encryptedLtPrivKey)),
 	)
 	// Decrypt long-term private key using unlocker
 	secret.Debug("Decrypting long-term private key with unlocker", "unlocker_type", unlocker.GetType())
 	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlocker_type", unlocker.GetType())
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	secret.DebugWith("Successfully decrypted long-term private key",
 		slog.String("vault_name", v.Name),
 		slog.String("unlocker_type", unlocker.GetType()),
 		slog.Int("decrypted_length", len(ltPrivKeyData)),
 	)
 	// Parse long-term private key
 	secret.Debug("Parsing long-term private key", "vault_name", v.Name)
 	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
 	if err != nil {
 		secret.Debug("Failed to parse long-term private key", "error", err, "vault_name", v.Name)
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}
 	secret.DebugWith("Successfully obtained long-term identity via unlocker",
@@ -178,7 +145,49 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 	// Cache the derived key by unlocking the vault
 	v.Unlock(ltIdentity)
-	secret.Debug("Vault is unlocked (lt key in memory) via unlocker", "vault_name", v.Name, "unlocker_type", unlocker.GetType())
+	secret.Debug("Vault is unlocked (lt key in memory) via unlocker",
 		"vault_name", v.Name, "unlocker_type", unlocker.GetType())
 	return ltIdentity, nil
 }
 // unlockLongTermKey extracts the vault's long-term key using the given unlocker.
 // SE unlockers decrypt the long-term key directly; other unlockers use an intermediate identity.
 func (v *Vault) unlockLongTermKey(unlocker secret.Unlocker) (*age.X25519Identity, error) {
 	if unlocker.GetType() == "secure-enclave" {
 		secret.Debug("SE unlocker: decrypting long-term key directly via Secure Enclave")
 		ltIdentity, err := unlocker.GetIdentity()
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt long-term key via SE: %w", err)
 		}
 		return ltIdentity, nil
 	}
 	// Standard unlockers: get unlocker identity, then decrypt longterm.age
 	unlockerIdentity, err := unlocker.GetIdentity()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
 	}
 	encryptedLtPrivKeyPath := filepath.Join(unlocker.GetDirectory(), "longterm.age")
 	encryptedLtPrivKey, err := afero.ReadFile(v.fs, encryptedLtPrivKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
 	}
 	ltPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 	defer ltPrivKeyBuffer.Destroy()
 	ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
 	}
 	return ltIdentity, nil
 }
@@ -197,3 +206,44 @@ func (v *Vault) GetName() string {
 func (v *Vault) GetFilesystem() afero.Fs {
 	return v.fs
 }
 // NumSecrets returns the number of secrets in the vault
 func (v *Vault) NumSecrets() (int, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return 0, fmt.Errorf("failed to get vault directory: %w", err)
 	}
 	secretsDir := filepath.Join(vaultDir, "secrets.d")
 	exists, _ := afero.DirExists(v.fs, secretsDir)
 	if !exists {
 		return 0, nil
 	}
 	entries, err := afero.ReadDir(v.fs, secretsDir)
 	if err != nil {
 		return 0, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
 	// Count only directories that have a "current" version pointer file
 	count := 0
 	for _, entry := range entries {
 		if !entry.IsDir() {
 			continue
 		}
 		// A valid secret has a "current" file pointing to the active version
 		secretDir := filepath.Join(secretsDir, entry.Name())
 		currentFile := filepath.Join(secretDir, "current")
 		exists, err := afero.Exists(v.fs, currentFile)
 		if err != nil {
 			continue // Skip directories we can't read
 		}
 		if exists {
 			count++
 		}
 	}
 	return count, nil
 }
--- a/internal/vault/vault_error_test.go
+++ b/internal/vault/vault_error_test.go
@@ -0,0 +1,87 @@
 package vault_test
 import (
 	"path/filepath"
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestAddSecretFailsWithMissingPublicKey(t *testing.T) {
 	// Create in-memory filesystem
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create a vault directory without a public key (simulating the error condition)
 	vaultDir := filepath.Join(stateDir, "vaults.d", "broken")
 	require.NoError(t, fs.MkdirAll(vaultDir, secret.DirPerms))
 	// Create currentvault symlink
 	currentVaultPath := filepath.Join(stateDir, "currentvault")
 	require.NoError(t, afero.WriteFile(fs, currentVaultPath, []byte(vaultDir), secret.FilePerms))
 	// Create vault instance
 	vlt := vault.NewVault(fs, stateDir, "broken")
 	// Try to add a secret - this should fail
 	secretName := "test-secret"
 	value := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer value.Destroy()
 	err := vlt.AddSecret(secretName, value, false)
 	require.Error(t, err, "AddSecret should fail when public key is missing")
 	assert.Contains(t, err.Error(), "failed to read long-term public key")
 	// Verify that the secret directory was NOT created
 	secretDir := filepath.Join(vaultDir, "secrets.d", secretName)
 	exists, _ := afero.DirExists(fs, secretDir)
 	assert.False(t, exists, "Secret directory should not exist after failed AddSecret")
 	// Verify the secrets.d directory is empty or doesn't exist
 	secretsDir := filepath.Join(vaultDir, "secrets.d")
 	if exists, _ := afero.DirExists(fs, secretsDir); exists {
 		entries, err := afero.ReadDir(fs, secretsDir)
 		require.NoError(t, err)
 		assert.Empty(t, entries, "secrets.d directory should be empty after failed AddSecret")
 	}
 }
 func TestAddSecretCleansUpOnFailure(t *testing.T) {
 	// Create in-memory filesystem
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create a vault directory with public key
 	vaultDir := filepath.Join(stateDir, "vaults.d", "test")
 	require.NoError(t, fs.MkdirAll(vaultDir, secret.DirPerms))
 	// Create a mock public key that will cause encryption to fail
 	// by using an invalid age public key format
 	pubKeyPath := filepath.Join(vaultDir, "pub.age")
 	require.NoError(t, afero.WriteFile(fs, pubKeyPath, []byte("invalid-public-key"), secret.FilePerms))
 	// Create currentvault symlink
 	currentVaultPath := filepath.Join(stateDir, "currentvault")
 	require.NoError(t, afero.WriteFile(fs, currentVaultPath, []byte(vaultDir), secret.FilePerms))
 	// Create vault instance
 	vlt := vault.NewVault(fs, stateDir, "test")
 	// Try to add a secret - this should fail during encryption
 	secretName := "test-secret"
 	value := memguard.NewBufferFromBytes([]byte("test-value"))
 	defer value.Destroy()
 	err := vlt.AddSecret(secretName, value, false)
 	require.Error(t, err, "AddSecret should fail with invalid public key")
 	// Verify that the secret directory was NOT created
 	secretDir := filepath.Join(vaultDir, "secrets.d", secretName)
 	exists, _ := afero.DirExists(fs, secretDir)
 	assert.False(t, exists, "Secret directory should not exist after failed AddSecret")
 }
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -1,39 +1,22 @@
 package vault
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 func TestVaultOperations(t *testing.T) {
-	// Save original environment variables
+	// Test environment will be cleaned up automatically by t.Setenv
 	oldMnemonic := os.Getenv(secret.EnvMnemonic)
 	oldPassphrase := os.Getenv(secret.EnvUnlockPassphrase)
 	// Clean up after test
 	defer func() {
 		if oldMnemonic != "" {
 			os.Setenv(secret.EnvMnemonic, oldMnemonic)
 		} else {
 			os.Unsetenv(secret.EnvMnemonic)
 		}
 		if oldPassphrase != "" {
 			os.Setenv(secret.EnvUnlockPassphrase, oldPassphrase)
 		} else {
 			os.Unsetenv(secret.EnvUnlockPassphrase)
 		}
 	}()
 	// Set test environment variables
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	os.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	os.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	// Use in-memory filesystem
 	fs := afero.NewMemMapFs()
@@ -139,8 +122,13 @@ func TestVaultOperations(t *testing.T) {
 		// Now add a secret
 		secretName := "test/secret"
 		secretValue := []byte("test-secret-value")
 		expectedValue := make([]byte, len(secretValue))
 		copy(expectedValue, secretValue)
-		err = vlt.AddSecret(secretName, secretValue, false)
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
 		defer secretBuffer.Destroy()
 		err = vlt.AddSecret(secretName, secretBuffer, false)
 		if err != nil {
 			t.Fatalf("Failed to add secret: %v", err)
 		}
@@ -169,8 +157,26 @@ func TestVaultOperations(t *testing.T) {
 			t.Fatalf("Failed to get secret: %v", err)
 		}
-		if string(retrievedValue) != string(secretValue) {
+		if string(retrievedValue) != string(expectedValue) {
-			t.Errorf("Expected secret value '%s', got '%s'", string(secretValue), string(retrievedValue))
+			t.Errorf("Expected secret value '%s', got '%s'", string(expectedValue), string(retrievedValue))
 		}
 	})
 	// Test NumSecrets
 	t.Run("NumSecrets", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)
 		if err != nil {
 			t.Fatalf("Failed to get current vault: %v", err)
 		}
 		numSecrets, err := vlt.NumSecrets()
 		if err != nil {
 			t.Fatalf("Failed to count secrets: %v", err)
 		}
 		// We added one secret in SecretOperations
 		if numSecrets != 1 {
 			t.Errorf("Expected 1 secret, got %d", numSecrets)
 		}
 	})
@@ -190,7 +196,9 @@ func TestVaultOperations(t *testing.T) {
 		}
 		// Create a passphrase unlocker
-		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker("test-passphrase")
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 		defer passphraseBuffer.Destroy()
 		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to create passphrase unlocker: %v", err)
 		}
@@ -235,3 +243,57 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 }
 func TestListUnlockers_SkipsMissingMetadata(t *testing.T) {
 	// Set test environment variables
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	// Use in-memory filesystem
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	if err != nil {
 		t.Fatalf("Failed to create vault: %v", err)
 	}
 	// Create a passphrase unlocker so we have at least one valid unlocker
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 	defer passphraseBuffer.Destroy()
 	_, err = vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		t.Fatalf("Failed to create passphrase unlocker: %v", err)
 	}
 	// Create a bogus unlocker directory with no metadata file
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		t.Fatalf("Failed to get vault directory: %v", err)
 	}
 	bogusDir := filepath.Join(vaultDir, "unlockers.d", "bogus-no-metadata")
 	err = fs.MkdirAll(bogusDir, 0o700)
 	if err != nil {
 		t.Fatalf("Failed to create bogus directory: %v", err)
 	}
 	// ListUnlockers should succeed, skipping the bogus directory
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
 		t.Fatalf("ListUnlockers returned error when it should have skipped bad directory: %v", err)
 	}
 	// Should still have the valid passphrase unlocker
 	if len(unlockers) == 0 {
 		t.Errorf("Expected at least one unlocker, got none")
 	}
 	// Verify we only got the valid unlocker(s), not the bogus one
 	for _, u := range unlockers {
 		if u.Type == "" {
 			t.Errorf("Got unlocker with empty type, likely from bogus directory")
 		}
 	}
 }
--- a/pkg/agehd/agehd.go
+++ b/pkg/agehd/agehd.go
@@ -25,6 +25,7 @@ const (
 	vendorID      = uint32(592366788) // berlin.sneak
 	appID         = uint32(733482323) // secret
 	hrp           = "age-secret-key-" // Bech32 HRP used by age
 	x25519KeySize = 32                // 256-bit key size for X25519
 )
 // clamp applies RFC-7748 clamping to a 32-byte scalar.
@@ -37,16 +38,20 @@ func clamp(k []byte) {
 // IdentityFromEntropy converts 32 deterministic bytes into an
 // *age.X25519Identity by round-tripping through Bech32.
 func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
-	if len(ent) != 32 {
+	if len(ent) != x25519KeySize {
 		return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
 	}
 	// Make a copy to avoid modifying the original
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	copy(key, ent)
 	clamp(key)
-	data, err := bech32.ConvertBits(key, 8, 5, true)
+	const (
 		bech32BitSize8 = 8 // Standard 8-bit encoding
 		bech32BitSize5 = 5 // Bech32 5-bit encoding
 	)
 	data, err := bech32.ConvertBits(key, bech32BitSize8, bech32BitSize5, true)
 	if err != nil {
 		return nil, fmt.Errorf("bech32 convert: %w", err)
 	}
@@ -54,6 +59,7 @@ func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
 	if err != nil {
 		return nil, fmt.Errorf("bech32 encode: %w", err)
 	}
 	return age.ParseX25519Identity(strings.ToUpper(s))
 }
@@ -80,7 +86,7 @@ func DeriveEntropy(mnemonic string, n uint32) ([]byte, error) {
 	// Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 	drng := bip85.NewBIP85DRNG(entropy)
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	_, err = drng.Read(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@@ -109,7 +115,7 @@ func DeriveEntropyFromXPRV(xprv string, n uint32) ([]byte, error) {
 	// Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 	drng := bip85.NewBIP85DRNG(entropy)
-	key := make([]byte, 32)
+	key := make([]byte, x25519KeySize)
 	_, err = drng.Read(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@@ -125,6 +131,7 @@ func DeriveIdentity(mnemonic string, n uint32) (*age.X25519Identity, error) {
 	if err != nil {
 		return nil, err
 	}
 	return IdentityFromEntropy(ent)
 }
@@ -135,5 +142,6 @@ func DeriveIdentityFromXPRV(xprv string, n uint32) (*age.X25519Identity, error)
 	if err != nil {
 		return nil, err
 	}
 	return IdentityFromEntropy(ent)
 }
--- a/pkg/agehd/agehd_test.go
+++ b/pkg/agehd/agehd_test.go
@@ -1,3 +1,4 @@
 //nolint:lll // Test vectors contain long lines
 package agehd
 import (
@@ -188,9 +189,8 @@ func TestDeterministicXPRVDerivation(t *testing.T) {
 	t.Logf("XPRV Index 1: %s", id3.String())
 }
-func TestMnemonicVsXPRVConsistency(t *testing.T) {
+func TestMnemonicVsXPRVConsistency(_ *testing.T) {
 	// FIXME This test is missing!
 }
 func TestEntropyLength(t *testing.T) {
@@ -393,6 +393,7 @@ func TestIdentityFromEntropyEdgeCases(t *testing.T) {
 						err,
 					) // In test context, panic is acceptable for setup failures
 				}
 				return b
 			}(),
 			expectError: false,
@@ -661,9 +662,13 @@ func TestConcurrentDerivation(t *testing.T) {
 	results := make(chan string, testNumGoroutines*testNumIterations)
 	errors := make(chan error, testNumGoroutines*testNumIterations)
-	for i := 0; i < testNumGoroutines; i++ {
+	for range testNumGoroutines {
-		go func(goroutineID int) {
+		go func() {
-			for j := 0; j < testNumIterations; j++ {
+			for j := range testNumIterations {
 				if j < 0 || j > 1000000 {
 					errors <- fmt.Errorf("index out of safe range")
 					return
 				}
 				identity, err := DeriveIdentity(mnemonic, uint32(j))
 				if err != nil {
 					errors <- err
@@ -671,12 +676,12 @@ func TestConcurrentDerivation(t *testing.T) {
 				}
 				results <- identity.String()
 			}
-		}(i)
+		}()
 	}
 	// Collect results
 	resultMap := make(map[string]int)
-	for i := 0; i < testNumGoroutines*testNumIterations; i++ {
+	for range testNumGoroutines * testNumIterations {
 		select {
 		case result := <-results:
 			resultMap[result]++
@@ -706,8 +711,12 @@ func TestConcurrentDerivation(t *testing.T) {
 // Benchmark tests
 func BenchmarkDeriveIdentity(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveIdentity(mnemonic, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveIdentity(mnemonic, uint32(index))
 		if err != nil {
 			b.Fatalf("derive identity: %v", err)
 		}
@@ -715,8 +724,12 @@ func BenchmarkDeriveIdentity(b *testing.B) {
 }
 func BenchmarkDeriveIdentityFromXPRV(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveIdentityFromXPRV(testXPRV, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveIdentityFromXPRV(testXPRV, uint32(index))
 		if err != nil {
 			b.Fatalf("derive identity from xprv: %v", err)
 		}
@@ -724,8 +737,12 @@ func BenchmarkDeriveIdentityFromXPRV(b *testing.B) {
 }
 func BenchmarkDeriveEntropy(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for i := range b.N {
-		_, err := DeriveEntropy(mnemonic, uint32(i%1000))
+		index := i % 1000
 		if index < 0 || index > 1000000 {
 			b.Fatalf("index out of safe range: %d", index)
 		}
 		_, err := DeriveEntropy(mnemonic, uint32(index))
 		if err != nil {
 			b.Fatalf("derive entropy: %v", err)
 		}
@@ -739,7 +756,7 @@ func BenchmarkIdentityFromEntropy(b *testing.B) {
 	}
 	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
+	for range b.N {
 		_, err := IdentityFromEntropy(entropy)
 		if err != nil {
 			b.Fatalf("identity from entropy: %v", err)
@@ -754,7 +771,7 @@ func BenchmarkEncryptDecrypt(b *testing.B) {
 	}
 	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
+	for range b.N {
 		var ct bytes.Buffer
 		w, err := age.Encrypt(&ct, identity.Recipient())
 		if err != nil {
--- a/pkg/bip85/bip85.go
+++ b/pkg/bip85/bip85.go
@@ -1,3 +1,4 @@
 // Package bip85 implements BIP85 deterministic entropy derivation.
 package bip85
 import (
@@ -27,47 +28,50 @@ const (
 	// BIP85_KEY_HMAC_KEY is the HMAC key used for deriving the entropy
 	BIP85_KEY_HMAC_KEY = "bip-entropy-from-k" //nolint:revive // ALL_CAPS used for BIP85 constants
-	// Application numbers
+	// AppBIP39 is the application number for BIP39 mnemonics
-	APP_BIP39  = 39 // BIP39 mnemonics //nolint:revive // ALL_CAPS used for BIP85 constants
+	AppBIP39 = 39
-	APP_HD_WIF = 2  // WIF for Bitcoin Core //nolint:revive // ALL_CAPS used for BIP85 constants
+	// AppHDWIF is the application number for WIF (Wallet Import Format) for Bitcoin Core
-	APP_XPRV   = 32 // Extended private key //nolint:revive // ALL_CAPS used for BIP85 constants
+	AppHDWIF = 2
 	// AppXPRV is the application number for extended private key
 	AppXPRV   = 32
 	APP_HEX   = 128169 //nolint:revive // ALL_CAPS used for BIP85 constants
 	APP_PWD64 = 707764 // Base64 passwords //nolint:revive // ALL_CAPS used for BIP85 constants
-	APP_PWD85  = 707785 // Base85 passwords //nolint:revive // ALL_CAPS used for BIP85 constants
+	AppPWD85  = 707785 // Base85 passwords
 	APP_RSA   = 828365 //nolint:revive // ALL_CAPS used for BIP85 constants
 )
 // Version bytes for extended keys
 var (
 	// MainNetPrivateKey is the version for mainnet private keys
-	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4}
+	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4} //nolint:gochecknoglobals // Standard BIP32 constant
 	// TestNetPrivateKey is the version for testnet private keys
-	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94}
+	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94} //nolint:gochecknoglobals // Standard BIP32 constant
 )
-// BIP85DRNG is a deterministic random number generator seeded by BIP85 entropy
+// DRNG is a deterministic random number generator seeded by BIP85 entropy
-type BIP85DRNG struct {
+type DRNG struct {
 	shake io.Reader
 }
 // NewBIP85DRNG creates a new DRNG seeded with BIP85 entropy
-func NewBIP85DRNG(entropy []byte) *BIP85DRNG {
+func NewBIP85DRNG(entropy []byte) *DRNG {
 	const bip85EntropySize = 64 // 512 bits
 	// The entropy must be exactly 64 bytes (512 bits)
-	if len(entropy) != 64 {
+	if len(entropy) != bip85EntropySize {
-		panic("BIP85DRNG entropy must be 64 bytes")
+		panic("DRNG entropy must be 64 bytes")
 	}
 	// Initialize SHAKE256 with the entropy
 	shake := sha3.NewShake256()
-	shake.Write(entropy)
+	_, _ = shake.Write(entropy) // Write to hash functions never returns an error
-	return &BIP85DRNG{
+	return &DRNG{
 		shake: shake,
 	}
 }
 // Read implements the io.Reader interface
-func (d *BIP85DRNG) Read(p []byte) (n int, err error) {
+func (d *DRNG) Read(p []byte) (n int, err error) {
 	return d.shake.Read(p)
 }
@@ -161,7 +165,7 @@ func deriveChildKey(parent *hdkeychain.ExtendedKey, path string) (*hdkeychain.Ex
 // DeriveBIP39Entropy derives entropy for a BIP39 mnemonic
 func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, index uint32) ([]byte, error) {
-	path := fmt.Sprintf("%s/%d'/%d'/%d'/%d'", BIP85_MASTER_PATH, APP_BIP39, language, words, index)
+	path := fmt.Sprintf("%s/%d'/%d'/%d'/%d'", BIP85_MASTER_PATH, AppBIP39, language, words, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -169,17 +173,26 @@ func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, inde
 	}
 	// Determine how many bits of entropy to use based on the words
 	// BIP39 defines specific word counts and their corresponding entropy bits
 	const (
 		words12 = 12 // 128 bits of entropy
 		words15 = 15 // 160 bits of entropy
 		words18 = 18 // 192 bits of entropy
 		words21 = 21 // 224 bits of entropy
 		words24 = 24 // 256 bits of entropy
 	)
 	var bits int
 	switch words {
-	case 12:
+	case words12:
 		bits = 128
-	case 15:
+	case words15:
 		bits = 160
-	case 18:
+	case words18:
 		bits = 192
-	case 21:
+	case words21:
 		bits = 224
-	case 24:
+	case words24:
 		bits = 256
 	default:
 		return nil, fmt.Errorf("invalid BIP39 word count: %d", words)
@@ -193,7 +206,7 @@ func DeriveBIP39Entropy(masterKey *hdkeychain.ExtendedKey, language, words, inde
 // DeriveWIFKey derives a private key in WIF format
 func DeriveWIFKey(masterKey *hdkeychain.ExtendedKey, index uint32) (string, error) {
-	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, APP_HD_WIF, index)
+	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, AppHDWIF, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -215,7 +228,7 @@ func DeriveWIFKey(masterKey *hdkeychain.ExtendedKey, index uint32) (string, erro
 // DeriveXPRV derives an extended private key (XPRV)
 func DeriveXPRV(masterKey *hdkeychain.ExtendedKey, index uint32) (*hdkeychain.ExtendedKey, error) {
-	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, APP_XPRV, index)
+	path := fmt.Sprintf("%s/%d'/%d'", BIP85_MASTER_PATH, AppXPRV, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -266,6 +279,7 @@ func DeriveXPRV(masterKey *hdkeychain.ExtendedKey, index uint32) (*hdkeychain.Ex
 func doubleSHA256(data []byte) []byte {
 	hash1 := sha256.Sum256(data)
 	hash2 := sha256.Sum256(hash1[:])
 	return hash2[:]
 }
@@ -308,7 +322,7 @@ func DeriveBase64Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 	encodedStr = strings.TrimRight(encodedStr, "=")
 	// Slice to the desired password length
-	if uint32(len(encodedStr)) < pwdLen {
+	if len(encodedStr) < int(pwdLen) {
 		return "", fmt.Errorf("derived password length %d is shorter than requested length %d", len(encodedStr), pwdLen)
 	}
@@ -321,7 +335,7 @@ func DeriveBase85Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 		return "", fmt.Errorf("pwdLen must be between 10 and 80")
 	}
-	path := fmt.Sprintf("%s/%d'/%d'/%d'", BIP85_MASTER_PATH, APP_PWD85, pwdLen, index)
+	path := fmt.Sprintf("%s/%d'/%d'/%d'", BIP85_MASTER_PATH, AppPWD85, pwdLen, index)
 	entropy, err := DeriveBIP85Entropy(masterKey, path)
 	if err != nil {
@@ -332,7 +346,7 @@ func DeriveBase85Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3
 	encoded := encodeBase85WithRFC1924Charset(entropy)
 	// Slice to the desired password length
-	if uint32(len(encoded)) < pwdLen {
+	if len(encoded) < int(pwdLen) {
 		return "", fmt.Errorf("encoded length %d is less than requested length %d", len(encoded), pwdLen)
 	}
@@ -344,24 +358,30 @@ func encodeBase85WithRFC1924Charset(data []byte) string {
 	// RFC1924 character set
 	charset := "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!#$%&()*+-;<=>?@^_`{|}~"
 	const (
 		base85ChunkSize  = 4  // Process 4 bytes at a time
 		base85DigitCount = 5  // Each chunk produces 5 digits
 		base85Base       = 85 // Base85 encoding uses base 85
 	)
 	// Pad data to multiple of 4
-	padded := make([]byte, ((len(data)+3)/4)*4)
+	padded := make([]byte, ((len(data)+base85ChunkSize-1)/base85ChunkSize)*base85ChunkSize)
 	copy(padded, data)
 	var buf strings.Builder
-	buf.Grow(len(padded) * 5 / 4) // Each 4 bytes becomes 5 Base85 characters
+	buf.Grow(len(padded) * base85DigitCount / base85ChunkSize) // Each 4 bytes becomes 5 Base85 characters
 	// Process in 4-byte chunks
-	for i := 0; i < len(padded); i += 4 {
+	for i := 0; i < len(padded); i += base85ChunkSize {
 		// Convert 4 bytes to uint32 (big-endian)
-		chunk := binary.BigEndian.Uint32(padded[i : i+4])
+		chunk := binary.BigEndian.Uint32(padded[i : i+base85ChunkSize])
 		// Convert to 5 base-85 digits
-		digits := make([]byte, 5)
+		digits := make([]byte, base85DigitCount)
-		for j := 4; j >= 0; j-- {
+		for j := base85DigitCount - 1; j >= 0; j-- {
-			idx := chunk % 85
+			idx := chunk % base85Base
 			digits[j] = charset[idx]
-			chunk /= 85
+			chunk /= base85Base
 		}
 		buf.Write(digits)
--- a/pkg/bip85/bip85_test.go
+++ b/pkg/bip85/bip85_test.go
@@ -1,6 +1,8 @@
 //nolint:gosec // G101: Test file contains BIP85 test vectors, not real credentials
 //nolint:lll // Test vectors contain long lines
 package bip85
-//nolint:gosec,revive,unparam // Test file with hardcoded test vectors
+//nolint:revive,unparam // Test file with BIP85 test vectors
 import (
 	"bytes"
@@ -81,13 +83,13 @@ const (
 )
 // logTestVector logs test information in a cleaner, more concise format
-func logTestVector(t *testing.T, title, description string) {
+func logTestVector(t *testing.T, title string) {
 	t.Logf("=== TEST: %s ===", title)
 }
 // TestDerivedKey is a helper function to test the derived key directly
 func TestDerivedKey(t *testing.T) {
-	logTestVector(t, "Derived Child Keys", "Testing direct key derivation for BIP85 paths")
+	logTestVector(t, "Derived Child Keys")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -131,7 +133,7 @@ func TestDerivedKey(t *testing.T) {
 // TestCase1 tests the first test vector from the BIP85 specification
 func TestCase1(t *testing.T) {
-	logTestVector(t, "Test Case 1", "Basic entropy derivation with path m/83696968'/0'/0'")
+	logTestVector(t, "Test Case 1")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -157,7 +159,7 @@ func TestCase1(t *testing.T) {
 // TestCase2 tests the second test vector from the BIP85 specification
 func TestCase2(t *testing.T) {
-	logTestVector(t, "Test Case 2", "Basic entropy derivation with path m/83696968'/0'/1'")
+	logTestVector(t, "Test Case 2")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -183,7 +185,7 @@ func TestCase2(t *testing.T) {
 // TestBIP39_12EnglishWords tests the BIP39 12 English words test vector
 func TestBIP39_12EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 12 English Words", "Deriving a 12-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 12 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -227,7 +229,7 @@ func TestBIP39_12EnglishWords(t *testing.T) {
 // TestBIP39_18EnglishWords tests the BIP39 18 English words test vector
 func TestBIP39_18EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 18 English Words", "Deriving an 18-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 18 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -271,7 +273,7 @@ func TestBIP39_18EnglishWords(t *testing.T) {
 // TestBIP39_24EnglishWords tests the BIP39 24 English words test vector
 func TestBIP39_24EnglishWords(t *testing.T) {
-	logTestVector(t, "BIP39 24 English Words", "Deriving a 24-word English BIP39 mnemonic")
+	logTestVector(t, "BIP39 24 English Words")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -315,7 +317,7 @@ func TestBIP39_24EnglishWords(t *testing.T) {
 // TestHD_WIF tests the WIF test vector
 func TestHD_WIF(t *testing.T) {
-	logTestVector(t, "HD-Seed WIF", "Deriving a WIF-encoded private key for Bitcoin Core hdseed")
+	logTestVector(t, "HD-Seed WIF")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -355,7 +357,7 @@ func TestHD_WIF(t *testing.T) {
 // TestXPRV tests the XPRV test vector
 func TestXPRV(t *testing.T) {
-	logTestVector(t, "XPRV", "Deriving an extended private key (XPRV)")
+	logTestVector(t, "XPRV")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -381,7 +383,7 @@ func TestXPRV(t *testing.T) {
 // TestDRNG_SHAKE256 tests the BIP85-DRNG-SHAKE256 test vector
 func TestDRNG_SHAKE256(t *testing.T) {
-	logTestVector(t, "DRNG-SHAKE256", "Testing the deterministic random number generator with SHAKE256")
+	logTestVector(t, "DRNG-SHAKE256")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -416,7 +418,7 @@ func TestDRNG_SHAKE256(t *testing.T) {
 // TestPythonDRNGVectors tests the DRNG vectors from the Python implementation
 func TestPythonDRNGVectors(t *testing.T) {
-	logTestVector(t, "Python DRNG Vectors", "Testing specific DRNG vectors from the Python implementation")
+	logTestVector(t, "Python DRNG Vectors")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -491,7 +493,7 @@ func TestPythonDRNGVectors(t *testing.T) {
 // TestDRNGDeterminism tests the deterministic behavior of the DRNG
 func TestDRNGDeterminism(t *testing.T) {
-	logTestVector(t, "DRNG Determinism", "Testing deterministic behavior of the DRNG")
+	logTestVector(t, "DRNG Determinism")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -575,7 +577,7 @@ func TestDRNGDeterminism(t *testing.T) {
 // TestDRNGLengths tests the DRNG with different lengths
 func TestDRNGLengths(t *testing.T) {
-	logTestVector(t, "DRNG Lengths", "Testing DRNG with different read lengths")
+	logTestVector(t, "DRNG Lengths")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -608,7 +610,7 @@ func TestDRNGLengths(t *testing.T) {
 // TestDRNGExceptions tests error handling in the DRNG
 func TestDRNGExceptions(t *testing.T) {
-	logTestVector(t, "DRNG Exceptions", "Testing error handling in the DRNG")
+	logTestVector(t, "DRNG Exceptions")
 	// Test with entropy of the wrong size
 	testCases := []int{0, 1, 32, 63, 65, 128}
@@ -640,7 +642,7 @@ func TestDRNGExceptions(t *testing.T) {
 // TestDRNGDifferentSizes tests the DRNG with different buffer sizes
 func TestDRNGDifferentSizes(t *testing.T) {
-	logTestVector(t, "DRNG Different Sizes", "Testing the DRNG with different buffer sizes")
+	logTestVector(t, "DRNG Different Sizes")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -702,7 +704,7 @@ func TestDRNGDifferentSizes(t *testing.T) {
 // TestMasterKeyParsing tests parsing of different master key formats
 func TestMasterKeyParsing(t *testing.T) {
-	logTestVector(t, "Master Key Parsing", "Testing parsing of master keys in different formats")
+	logTestVector(t, "Master Key Parsing")
 	// Test valid master key
 	t.Logf("Testing valid master key")
@@ -749,7 +751,7 @@ func TestMasterKeyParsing(t *testing.T) {
 // TestDifferentPathFormats tests different path format expressions
 func TestDifferentPathFormats(t *testing.T) {
-	logTestVector(t, "Path Formats", "Testing different path format expressions")
+	logTestVector(t, "Path Formats")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -793,7 +795,7 @@ func TestDifferentPathFormats(t *testing.T) {
 // TestDirectBase85Encoding tests direct Base85 encoding with the test vector entropy
 func TestDirectBase85Encoding(t *testing.T) {
-	logTestVector(t, "Direct Base85 Encoding", "Testing Base85 encoding with BIP85 test vector")
+	logTestVector(t, "Direct Base85 Encoding")
 	// Parse the master key
 	masterKey, err := ParseMasterKey(testMasterKey)
@@ -838,7 +840,7 @@ func TestDirectBase85Encoding(t *testing.T) {
 // TestPWDBase64 tests the Base64 password test vector
 func TestPWDBase64(t *testing.T) {
-	logTestVector(t, "PWD Base64", "Deriving a Base64-encoded password")
+	logTestVector(t, "PWD Base64")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -883,7 +885,7 @@ func TestPWDBase64(t *testing.T) {
 // TestPWDBase85 tests the Base85 password test vector
 func TestPWDBase85(t *testing.T) {
-	logTestVector(t, "PWD Base85", "Deriving a Base85-encoded password")
+	logTestVector(t, "PWD Base85")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -928,7 +930,7 @@ func TestPWDBase85(t *testing.T) {
 // TestHexDerivation tests the HEX derivation test vector
 func TestHexDerivation(t *testing.T) {
-	logTestVector(t, "HEX Derivation", "Testing HEX data derivation with BIP85 test vector")
+	logTestVector(t, "HEX Derivation")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -965,7 +967,7 @@ func TestHexDerivation(t *testing.T) {
 // TestInvalidParameters tests error conditions for parameter validation
 func TestInvalidParameters(t *testing.T) {
-	logTestVector(t, "Invalid Parameters", "Testing error handling for invalid inputs")
+	logTestVector(t, "Invalid Parameters")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {
@@ -1043,7 +1045,7 @@ func TestInvalidParameters(t *testing.T) {
 // TestAdditionalDeriveHex tests additional hex derivation scenarios
 func TestAdditionalDeriveHex(t *testing.T) {
-	logTestVector(t, "Additional Hex Derivation", "Testing hex data derivation with various lengths")
+	logTestVector(t, "Additional Hex Derivation")
 	masterKey, err := ParseMasterKey(testMasterKey)
 	if err != nil {