Merge branch 'main' into secure-enclave-unlocker

Adds a new "secure-enclave" unlocker type that stores the vault's
long-term private key encrypted by a non-exportable P-256 key held
in the Secure Enclave hardware. Decryption (ECDH) is performed
inside the SE; the key never leaves the hardware.

Uses CryptoTokenKit identities created via sc_auth, which allows
SE access from unsigned binaries without Apple Developer Program
membership. ECIES (X963SHA256 + AES-GCM) handles encryption and
decryption through Security.framework.

New package internal/macse/ provides the CGo bridge to
Security.framework for SE key creation, ECIES encrypt/decrypt,
and key deletion. The SE unlocker directly encrypts the vault
long-term key (no intermediate age keypair).

.dockerignore

@@ -17,4 +17,5 @@ coverage.out
 .claude/
 
 # Local settings
+.golangci.yml
 .claude/settings.local.json

.gitea/workflows/check.yml

@@ -1,9 +0,0 @@
-name: check
-on: [push]
-jobs:
-    check:
-        runs-on: ubuntu-latest
-        steps:
-            # actions/checkout v4.2.2, 2026-02-28
-            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-            - run: docker build --ulimit memlock=-1:-1 .

Dockerfile

@@ -1,46 +1,50 @@
-# Lint stage — fast feedback on formatting and lint issues
+# Build stage
-# golangci/golangci-lint v2.1.6 (2026-03-10)
+FROM golang:1.24-alpine AS builder
-FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 
-WORKDIR /src
+# Install build dependencies
-COPY go.mod go.sum ./
+RUN apk add --no-cache \
-RUN go mod download
+    gcc \
-
+    musl-dev \
-COPY . .
+    make \
-
+    git
-RUN make fmt-check
-RUN make lint
-
-# Build stage — tests and compilation
-# golang 1.24.13-alpine (2026-03-10)
-FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
-
-# Force BuildKit to run the lint stage
-COPY --from=lint /src/go.sum /dev/null
-
-RUN apk add --no-cache gcc musl-dev make git gnupg
 
+# Set working directory
 WORKDIR /build
+
+# Copy go mod files
 COPY go.mod go.sum ./
+
+# Download dependencies
 RUN go mod download
 
+# Copy source code
 COPY . .
 
-RUN make test
+# Build the binary
-RUN make build
+RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
 
 # Runtime stage
-# alpine 3.23 (2026-03-10)
+FROM alpine:latest
-FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 
-RUN apk add --no-cache ca-certificates gnupg
+# Install runtime dependencies
+RUN apk add --no-cache \
+    ca-certificates \
+    gnupg
 
+# Create non-root user
 RUN adduser -D -s /bin/sh secret
 
+# Copy binary from builder
 COPY --from=builder /build/secret /usr/local/bin/secret
+
+# Ensure binary is executable
 RUN chmod +x /usr/local/bin/secret
 
+# Switch to non-root user
 USER secret
+
+# Set working directory
 WORKDIR /home/secret
 
+# Set entrypoint
 ENTRYPOINT ["secret"]

Makefile

@@ -17,7 +17,7 @@ build: ./secret
 vet:
 	go vet ./...
 
-test: vet
+test: lint vet
 	go test ./... || go test -v ./...
 
 fmt:
@@ -26,7 +26,7 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m
 
-check: build lint test fmt-check
+check: build test
 
 # Build Docker container
 docker:
@@ -42,6 +42,3 @@ clean:
 
 install: ./secret
 	cp ./secret $(HOME)/bin/secret
-
-fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)

README.md

@@ -184,7 +184,6 @@ Creates a new unlocker of the specified type:
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 - `keychain`: macOS Keychain integration (macOS only)
-- `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
 
 **Options:**
 - `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
@@ -287,11 +286,11 @@ Unlockers provide different authentication methods to access the long-term keys:
    - Automatic unlocking when Keychain is unlocked
    - Cross-application integration
 
-4. **Secure Enclave Unlockers** (macOS):
+4. **Secure Enclave Unlockers** (macOS - planned):
    - Hardware-backed key storage using Apple Secure Enclave
-   - Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
+   - Currently partially implemented but non-functional
-   - ECIES encryption: vault long-term key encrypted directly by SE hardware
+   - Requires Apple Developer Program membership and code signing entitlements
-   - Protected by biometric authentication (Touch ID) or system password
+   - Full implementation blocked by entitlement requirements
 
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
 
@@ -331,7 +330,8 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 
 - Hardware token support via PGP/GPG integration
 - macOS Keychain integration for system-level security
-- Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
+- Secure Enclave support planned (requires paid Apple Developer Program for
+  signed entitlements to access the SEP and doxxing myself to Apple)
 
 ## Examples
 
@@ -385,7 +385,6 @@ secret vault remove personal --force
 secret unlocker add passphrase              # Password-based
 secret unlocker add pgp --keyid ABCD1234    # GPG key
 secret unlocker add keychain                # macOS Keychain (macOS only)
-secret unlocker add secure-enclave          # macOS Secure Enclave (macOS only)
 
 # List unlockers
 secret unlocker list
@@ -444,7 +443,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 
 ### Cross-Platform Support
 
-- **macOS**: Full support including Keychain and Secure Enclave integration
+- **macOS**: Full support including Keychain and planned Secure Enclave integration
 - **Linux**: Full support (excluding macOS-specific features)
 
 ## Security Considerations
@@ -488,7 +487,7 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 
 ## Features
 
-- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases

internal/cli/info.go

@@ -1,10 +1,10 @@
 package cli
 
 import (
+	"log"
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"path/filepath"
 	"runtime"
 	"strings"

internal/cli/init.go

@@ -1,8 +1,8 @@
 package cli
 
 import (
-	"fmt"
 	"log"
+	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"

internal/cli/integration_test.go

@@ -48,7 +48,7 @@ func TestMain(m *testing.M) {
 	code := m.Run()
 
 	// Clean up the binary
-	_ = os.Remove(filepath.Join(projectRoot, "secret"))
+	os.Remove(filepath.Join(projectRoot, "secret"))
 
 	os.Exit(code)
 }
@@ -450,10 +450,10 @@ func test02ListVaults(t *testing.T, runSecret func(...string) (string, error)) {
 
 func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (string, error)) {
 	// Set environment variables for vault creation
-	_ = os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
+	os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
-	_ = os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
+	os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
-	defer func() { _ = os.Unsetenv("SB_SECRET_MNEMONIC") }()
+	defer os.Unsetenv("SB_SECRET_MNEMONIC")
-	defer func() { _ = os.Unsetenv("SB_UNLOCK_PASSPHRASE") }()
+	defer os.Unsetenv("SB_UNLOCK_PASSPHRASE")
 
 	// Create work vault
 	output, err := runSecret("vault", "create", "work")
@@ -489,7 +489,6 @@ func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (
 	assert.Contains(t, output, "work", "should list work vault")
 }
 
-//nolint:unused // TODO: re-enable when vault import is implemented
 func test04ImportMnemonic(t *testing.T, tempDir, testMnemonic, testPassphrase string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
 	// Import mnemonic into work vault
 	output, err := runSecretWithEnv(map[string]string{
@@ -1668,9 +1667,9 @@ func test19DisasterRecovery(t *testing.T, tempDir, secretPath, testMnemonic stri
 	assert.Equal(t, testSecretValue, strings.TrimSpace(toolOutput), "tool output should match original")
 
 	// Clean up temporary files
-	_ = os.Remove(ltPrivKeyPath)
+	os.Remove(ltPrivKeyPath)
-	_ = os.Remove(versionPrivKeyPath)
+	os.Remove(versionPrivKeyPath)
-	_ = os.Remove(decryptedValuePath)
+	os.Remove(decryptedValuePath)
 }
 
 func test20VersionTimestamps(t *testing.T, tempDir, secretPath, testMnemonic string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
@@ -1789,7 +1788,7 @@ func test23ErrorHandling(t *testing.T, tempDir, secretPath, testMnemonic string,
 
 	// Add secret without mnemonic or unlocker
 	unsetMnemonic := os.Getenv("SB_SECRET_MNEMONIC")
-	_ = os.Unsetenv("SB_SECRET_MNEMONIC")
+	os.Unsetenv("SB_SECRET_MNEMONIC")
 	cmd := exec.Command(secretPath, "add", "test/nomnemonic")
 	cmd.Env = []string{
 		fmt.Sprintf("SB_SECRET_STATE_DIR=%s", tempDir),
@@ -2129,7 +2128,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 						versionsPath := filepath.Join(secretPath, "versions")
 						if _, err := os.Stat(versionsPath); os.IsNotExist(err) {
 							// This is a malformed secret directory, remove it
-							_ = os.RemoveAll(secretPath)
+							os.RemoveAll(secretPath)
 						}
 					}
 				}
@@ -2179,7 +2178,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 	require.NoError(t, err, "restore vaults should succeed")
 
 	// Restore currentvault
-	_ = os.Remove(currentVaultSrc)
+	os.Remove(currentVaultSrc)
 	restoredData := readFile(t, currentVaultDst)
 	writeFile(t, currentVaultSrc, restoredData)
 
@@ -2285,8 +2284,6 @@ func verifyFileExists(t *testing.T, path string) {
 }
 
 // verifyFileNotExists checks if a file does not exist at the given path
-//
-//nolint:unused // kept for future use
 func verifyFileNotExists(t *testing.T, path string) {
 	t.Helper()
 	_, err := os.Stat(path)

internal/cli/secrets.go

@@ -1,10 +1,10 @@
 package cli
 
 import (
+	"log"
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"path/filepath"
 	"strings"
 

internal/cli/unlockers.go

@@ -1,9 +1,9 @@
 package cli
 
 import (
+	"log"
 	"encoding/json"
 	"fmt"
-	"log"
 	"os"
 	"os/exec"
 	"path/filepath"

internal/cli/vault.go

@@ -1,9 +1,9 @@
 package cli
 
 import (
+	"log"
 	"encoding/json"
 	"fmt"
-	"log"
 	"os"
 	"path/filepath"
 	"strings"

internal/cli/version.go

@@ -1,8 +1,8 @@
 package cli
 
 import (
-	"fmt"
 	"log"
+	"fmt"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"

internal/macse/secure_enclave.h

@@ -1,5 +1,3 @@
-//go:build darwin
-
 #ifndef SECURE_ENCLAVE_H
 #define SECURE_ENCLAVE_H
 

internal/macse/secure_enclave.m

@@ -1,5 +1,3 @@
-//go:build darwin
-
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #include "secure_enclave.h"

internal/secret/derivation_index_test.go

@@ -1,5 +1,3 @@
-//go:build darwin
-
 package secret
 
 import (
@@ -26,12 +24,12 @@ type realVault struct {
 func (v *realVault) GetDirectory() (string, error) {
 	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
 }
-func (v *realVault) GetName() string         { return v.name }
+func (v *realVault) GetName() string        { return v.name }
 func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
 
 // Unused by getLongTermPrivateKey — these satisfy VaultInterface.
 func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
-func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
+func (v *realVault) GetCurrentUnlocker() (Unlocker, error)               { panic("not used") }
 func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	panic("not used")
 }

internal/secret/helpers.go

@@ -1,11 +1,33 @@
 package secret
 
 import (
+	"crypto/rand"
 	"fmt"
+	"math/big"
 	"os"
 	"path/filepath"
 )
 
+// generateRandomString generates a random string of the specified length using the given character set
+func generateRandomString(length int, charset string) (string, error) {
+	if length <= 0 {
+		return "", fmt.Errorf("length must be positive")
+	}
+
+	result := make([]byte, length)
+	charsetLen := big.NewInt(int64(len(charset)))
+
+	for i := range length {
+		randomIndex, err := rand.Int(rand.Reader, charsetLen)
+		if err != nil {
+			return "", fmt.Errorf("failed to generate random number: %w", err)
+		}
+		result[i] = charset[randomIndex.Int64()]
+	}
+
+	return string(result), nil
+}
+
 // DetermineStateDir determines the state directory based on environment variables and OS.
 // It returns an error if no usable directory can be determined.
 func DetermineStateDir(customConfigDir string) (string, error) {

internal/secret/helpers_darwin.go

@@ -1,29 +0,0 @@
-//go:build darwin
-
-package secret
-
-import (
-	"crypto/rand"
-	"fmt"
-	"math/big"
-)
-
-// generateRandomString generates a random string of the specified length using the given character set
-func generateRandomString(length int, charset string) (string, error) {
-	if length <= 0 {
-		return "", fmt.Errorf("length must be positive")
-	}
-
-	result := make([]byte, length)
-	charsetLen := big.NewInt(int64(len(charset)))
-
-	for i := range length {
-		randomIndex, err := rand.Int(rand.Reader, charsetLen)
-		if err != nil {
-			return "", fmt.Errorf("failed to generate random number: %w", err)
-		}
-		result[i] = charset[randomIndex.Int64()]
-	}
-
-	return string(result), nil
-}

internal/secret/passphrase_test.go

@@ -24,7 +24,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
+	defer os.RemoveAll(tempDir) // Clean up after test
 
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -155,7 +155,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	})
 
 	// Unset the environment variable to test interactive prompt
-	_ = os.Unsetenv(secret.EnvUnlockPassphrase)
+	os.Unsetenv(secret.EnvUnlockPassphrase)
 
 	// Test getting identity from prompt (this would require mocking the prompt)
 	// For real integration tests, we'd need to provide a way to mock the passphrase input

internal/secret/pgpunlock_test.go

@@ -1,5 +1,3 @@
-//go:build darwin
-
 package secret_test
 
 import (
@@ -142,7 +140,7 @@ func TestPGPUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
+	defer os.RemoveAll(tempDir) // Clean up after test
 
 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")

internal/secret/secret_test.go

@@ -284,11 +284,11 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Valid-Upper-Name", true}, // uppercase allowed
+		{"Valid-Upper-Name", true},                             // uppercase allowed
-		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},  // real-world uppercase key ID
-		{"MixedCase/Path/Name", true},                         // mixed case with path
+		{"MixedCase/Path/Name", true},                          // mixed case with path
-		{"invalid name", false},                               // space not allowed
+		{"invalid name", false}, // space not allowed
-		{"invalid@name", false},                               // @ not allowed
+		{"invalid@name", false}, // @ not allowed
 	}
 
 	for _, test := range tests {

internal/secret/seunlocker_darwin.go

@@ -60,10 +60,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
 	encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to read SE-encrypted long-term key: %w", err)
-			"failed to read SE-encrypted long-term key: %w",
-			err,
-		)
 	}
 
 	DebugWith("Read SE-encrypted long-term key",
@@ -73,10 +70,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
 	decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to decrypt long-term key with SE: %w", err)
-			"failed to decrypt long-term key with SE: %w",
-			err,
-		)
 	}
 
 	// Parse the decrypted long-term private key
@@ -88,10 +82,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	}
 
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
-			"failed to parse long-term private key: %w",
-			err,
-		)
 	}
 
 	DebugWith("Successfully decrypted long-term key via SE",
@@ -174,11 +165,7 @@ func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err e
 }
 
 // NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
-func NewSecureEnclaveUnlocker(
+func NewSecureEnclaveUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *SecureEnclaveUnlocker {
-	fs afero.Fs,
-	directory string,
-	metadata UnlockerMetadata,
-) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
@@ -195,22 +182,13 @@ func generateSEKeyLabel(vaultName string) (string, error) {
 
 	enrollmentDate := time.Now().UTC().Format("2006-01-02")
 
-	return fmt.Sprintf(
+	return fmt.Sprintf("%s.%s-%s-%s", seKeyLabelPrefix, vaultName, hostname, enrollmentDate), nil
-		"%s.%s-%s-%s",
-		seKeyLabelPrefix,
-		vaultName,
-		hostname,
-		enrollmentDate,
-	), nil
 }
 
 // CreateSecureEnclaveUnlocker creates a new SE unlocker.
 // The vault's long-term private key is encrypted directly by the Secure Enclave
 // using ECIES. No intermediate age keypair is used.
-func CreateSecureEnclaveUnlocker(
+func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUnlocker, error) {
-	fs afero.Fs,
-	stateDir string,
-) (*SecureEnclaveUnlocker, error) {
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
@@ -238,20 +216,14 @@ func CreateSecureEnclaveUnlocker(
 	// Step 2: Get the vault's long-term private key
 	ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to get long-term private key: %w", err)
-			"failed to get long-term private key: %w",
-			err,
-		)
 	}
 	defer ltPrivKeyData.Destroy()
 
 	// Step 3: Encrypt the long-term key directly with the SE (ECIES)
 	encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to encrypt long-term key with SE: %w", err)
-			"failed to encrypt long-term key with SE: %w",
-			err,
-		)
 	}
 
 	// Step 4: Create unlocker directory and write files
@@ -263,19 +235,13 @@ func CreateSecureEnclaveUnlocker(
 	unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
-			"failed to create unlocker directory: %w",
-			err,
-		)
 	}
 
 	// Write SE-encrypted long-term key
 	ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
 	if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to write SE-encrypted long-term key: %w", err)
-			"failed to write SE-encrypted long-term key: %w",
-			err,
-		)
 	}
 
 	// Write metadata
@@ -308,40 +274,12 @@ func CreateSecureEnclaveUnlocker(
 
 // getLongTermKeyForSE retrieves the vault's long-term private key
 // either from the mnemonic env var or by unlocking via the current unlocker.
-func getLongTermKeyForSE(
+func getLongTermKeyForSE(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
-	fs afero.Fs,
-	vault VaultInterface,
-) (*memguard.LockedBuffer, error) {
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		// Read vault metadata to get the correct derivation index
+		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
-		vaultDir, err := vault.GetDirectory()
 		if err != nil {
-			return nil, fmt.Errorf("failed to get vault directory: %w", err)
+			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
-		}
-
-		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
-		metadataBytes, err := afero.ReadFile(fs, metadataPath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
-		}
-
-		var metadata VaultMetadata
-		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
-			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
-		}
-
-		// Use mnemonic with the vault's actual derivation index
-		ltIdentity, err := agehd.DeriveIdentity(
-			envMnemonic,
-			metadata.DerivationIndex,
-		)
-
-		if err != nil {
-			return nil, fmt.Errorf(
-				"failed to derive long-term key from mnemonic: %w",
-				err,
-			)
 		}
 
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
@@ -354,29 +292,17 @@ func getLongTermKeyForSE(
 
 	currentIdentity, err := currentUnlocker.GetIdentity()
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
-			"failed to get current unlocker identity: %w",
-			err,
-		)
 	}
 
 	// All unlocker types store longterm.age in their directory
-	longtermPath := filepath.Join(
+	longtermPath := filepath.Join(currentUnlocker.GetDirectory(), "longterm.age")
-		currentUnlocker.GetDirectory(),
-		"longterm.age",
-	)
 	encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to read encrypted long-term key: %w", err)
-			"failed to read encrypted long-term key: %w",
-			err,
-		)
 	}
 
-	ltPrivKeyBuffer, err := DecryptWithIdentity(
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtKey, currentIdentity)
-		encryptedLtKey,
-		currentIdentity,
-	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
 	}

internal/secret/seunlocker_stub.go

@@ -4,16 +4,10 @@
 package secret
 
 import (
-	"fmt"
-
 	"filippo.io/age"
 	"github.com/spf13/afero"
 )
 
-var errSENotSupported = fmt.Errorf(
-	"secure enclave unlockers are only supported on macOS",
-)
-
 // SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
 type SecureEnclaveUnlockerMetadata struct {
 	UnlockerMetadata
@@ -28,57 +22,42 @@ type SecureEnclaveUnlocker struct {
 	fs        afero.Fs
 }
 
-// GetIdentity returns an error on non-Darwin platforms.
+// GetIdentity panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	return nil, errSENotSupported
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetType returns the unlocker type.
+// GetType panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetType() string {
-	return "secure-enclave"
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetMetadata returns the unlocker metadata.
+// GetMetadata panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
-	return s.Metadata
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetDirectory returns the unlocker directory.
+// GetDirectory panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetDirectory() string {
-	return s.Directory
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetID returns the unlocker ID.
+// GetID panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetID() string {
-	return fmt.Sprintf(
+	panic("secure enclave unlockers are only supported on macOS")
-		"%s-secure-enclave",
-		s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
-	)
 }
 
-// Remove returns an error on non-Darwin platforms.
+// Remove panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) Remove() error {
-	return errSENotSupported
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
+// NewSecureEnclaveUnlocker panics on non-Darwin platforms.
-// The returned instance's methods that require macOS functionality will return errors.
+func NewSecureEnclaveUnlocker(_ afero.Fs, _ string, _ UnlockerMetadata) *SecureEnclaveUnlocker {
-func NewSecureEnclaveUnlocker(
+	panic("secure enclave unlockers are only supported on macOS")
-	fs afero.Fs,
-	directory string,
-	metadata UnlockerMetadata,
-) *SecureEnclaveUnlocker {
-	return &SecureEnclaveUnlocker{
-		Directory: directory,
-		Metadata:  metadata,
-		fs:        fs,
-	}
 }
 
-// CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
+// CreateSecureEnclaveUnlocker panics on non-Darwin platforms.
-func CreateSecureEnclaveUnlocker(
+func CreateSecureEnclaveUnlocker(_ afero.Fs, _ string) (*SecureEnclaveUnlocker, error) {
-	_ afero.Fs,
+	panic("secure enclave unlockers are only supported on macOS")
-	_ string,
-) (*SecureEnclaveUnlocker, error) {
-	return nil, errSENotSupported
 }

internal/secret/seunlocker_stub_test.go

@@ -1,90 +0,0 @@
-//go:build !darwin
-// +build !darwin
-
-package secret
-
-import (
-	"testing"
-	"time"
-
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewSecureEnclaveUnlocker(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker"
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-		Flags:     []string{"secure-enclave", "macos"},
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
-
-	// Test GetType returns correct type
-	assert.Equal(t, "secure-enclave", unlocker.GetType())
-
-	// Test GetMetadata returns the metadata we passed in
-	assert.Equal(t, metadata, unlocker.GetMetadata())
-
-	// Test GetDirectory returns the directory we passed in
-	assert.Equal(t, dir, unlocker.GetDirectory())
-
-	// Test GetID returns a formatted string with the creation timestamp
-	expectedID := "2026-01-15.10.30-secure-enclave"
-	assert.Equal(t, expectedID, unlocker.GetID())
-}
-
-func TestSecureEnclaveUnlockerGetIdentityReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	identity, err := unlocker.GetIdentity()
-	assert.Nil(t, identity)
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestSecureEnclaveUnlockerRemoveReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	err := unlocker.Remove()
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestCreateSecureEnclaveUnlockerReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-
-	unlocker, err := CreateSecureEnclaveUnlocker(fs, "/tmp/test")
-	assert.Nil(t, unlocker)
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	// Verify the stub implements the Unlocker interface
-	var _ Unlocker = unlocker
-}

internal/secret/seunlocker_test.go

@@ -1,101 +0,0 @@
-//go:build darwin
-// +build darwin
-
-package secret
-
-import (
-	"testing"
-	"time"
-
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewSecureEnclaveUnlocker(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker"
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-		Flags:     []string{"secure-enclave", "macos"},
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
-
-	// Test GetType returns correct type
-	assert.Equal(t, seUnlockerType, unlocker.GetType())
-
-	// Test GetMetadata returns the metadata we passed in
-	assert.Equal(t, metadata, unlocker.GetMetadata())
-
-	// Test GetDirectory returns the directory we passed in
-	assert.Equal(t, dir, unlocker.GetDirectory())
-}
-
-func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	// Verify the darwin implementation implements the Unlocker interface
-	var _ Unlocker = unlocker
-}
-
-func TestSecureEnclaveUnlockerGetIDFormat(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 3, 10, 14, 30, 0, 0, time.UTC),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-	id := unlocker.GetID()
-
-	// ID should contain the timestamp and "secure-enclave" type
-	assert.Contains(t, id, "2026-03-10.14.30")
-	assert.Contains(t, id, seUnlockerType)
-}
-
-func TestGenerateSEKeyLabel(t *testing.T) {
-	label, err := generateSEKeyLabel("test-vault")
-	require.NoError(t, err)
-
-	// Label should contain the prefix and vault name
-	assert.Contains(t, label, seKeyLabelPrefix)
-	assert.Contains(t, label, "test-vault")
-}
-
-func TestSecureEnclaveUnlockerGetIdentityMissingFile(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker-missing"
-
-	// Create unlocker directory with metadata but no encrypted key file
-	require.NoError(t, fs.MkdirAll(dir, DirPerms))
-
-	metadataJSON := `{
-		"type": "secure-enclave",
-		"createdAt": "2026-01-15T10:30:00Z",
-		"seKeyLabel": "berlin.sneak.app.secret.se.test",
-		"seKeyHash": "abc123"
-	}`
-	require.NoError(t, afero.WriteFile(fs, dir+"/unlocker-metadata.json", []byte(metadataJSON), FilePerms))
-
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-
-	// GetIdentity should fail because the encrypted longterm key file is missing
-	identity, err := unlocker.GetIdentity()
-	assert.Nil(t, identity)
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to read SE-encrypted long-term key")
-}

internal/secret/validation_darwin_test.go

@@ -1,148 +0,0 @@
-//go:build darwin
-
-package secret
-
-import (
-	"testing"
-)
-
-func TestValidateKeychainItemName(t *testing.T) {
-	tests := []struct {
-		name     string
-		itemName string
-		wantErr  bool
-	}{
-		// Valid cases
-		{
-			name:     "valid simple name",
-			itemName: "my-secret-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with dots",
-			itemName: "com.example.app.key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with underscores",
-			itemName: "my_secret_key_123",
-			wantErr:  false,
-		},
-		{
-			name:     "valid alphanumeric",
-			itemName: "Secret123Key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with hyphen at start",
-			itemName: "-my-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with dot at start",
-			itemName: ".hidden-key",
-			wantErr:  false,
-		},
-
-		// Invalid cases
-		{
-			name:     "empty item name",
-			itemName: "",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with spaces",
-			itemName: "my secret key",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with semicolon",
-			itemName: "key;rm -rf /",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with pipe",
-			itemName: "key|cat /etc/passwd",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backticks",
-			itemName: "key`whoami`",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with dollar sign",
-			itemName: "key$(whoami)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with quotes",
-			itemName: "key\"name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with single quotes",
-			itemName: "key'name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backslash",
-			itemName: "key\\name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with newline",
-			itemName: "key\nname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with carriage return",
-			itemName: "key\rname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with ampersand",
-			itemName: "key&echo test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with redirect",
-			itemName: "key>/tmp/test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with null byte",
-			itemName: "key\x00name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with parentheses",
-			itemName: "key(test)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with brackets",
-			itemName: "key[test]",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with asterisk",
-			itemName: "key*",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with question mark",
-			itemName: "key?",
-			wantErr:  true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateKeychainItemName(tt.itemName)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}

internal/secret/validation_test.go

@@ -154,3 +154,144 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateKeychainItemName(t *testing.T) {
+	tests := []struct {
+		name     string
+		itemName string
+		wantErr  bool
+	}{
+		// Valid cases
+		{
+			name:     "valid simple name",
+			itemName: "my-secret-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with dots",
+			itemName: "com.example.app.key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with underscores",
+			itemName: "my_secret_key_123",
+			wantErr:  false,
+		},
+		{
+			name:     "valid alphanumeric",
+			itemName: "Secret123Key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with hyphen at start",
+			itemName: "-my-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with dot at start",
+			itemName: ".hidden-key",
+			wantErr:  false,
+		},
+
+		// Invalid cases
+		{
+			name:     "empty item name",
+			itemName: "",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with spaces",
+			itemName: "my secret key",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with semicolon",
+			itemName: "key;rm -rf /",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with pipe",
+			itemName: "key|cat /etc/passwd",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backticks",
+			itemName: "key`whoami`",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with dollar sign",
+			itemName: "key$(whoami)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with quotes",
+			itemName: "key\"name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with single quotes",
+			itemName: "key'name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backslash",
+			itemName: "key\\name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with newline",
+			itemName: "key\nname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with carriage return",
+			itemName: "key\rname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with ampersand",
+			itemName: "key&echo test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with redirect",
+			itemName: "key>/tmp/test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with null byte",
+			itemName: "key\x00name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with parentheses",
+			itemName: "key(test)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with brackets",
+			itemName: "key[test]",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with asterisk",
+			itemName: "key*",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with question mark",
+			itemName: "key?",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateKeychainItemName(tt.itemName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}