ci: add Gitea Actions workflow for make check (#21 )

Adds CI workflow that runs `make check` on push/PR to main. Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #21 Co-authored-by: clawbot <sneak+clawbot@sneak.cloud> Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>
secure-enclave-unlocker (#24 )
2026-03-30 21:34:49 +02:00 · 2026-03-14 07:36:28 +01:00 · 2026-02-28 19:29:52 +01:00 · 2026-02-20 02:59:23 -08:00 · 2026-02-20 09:22:29 +01:00 · 2026-02-20 00:03:49 -08:00
51 changed files with 1263 additions and 490 deletions
--- a/.cursorrules
+++ b/.cursorrules
@@ -1,3 +0,0 @@
 EXTREMELY IMPORTANT: Read and follow the policies, procedures, and
 instructions in the `AGENTS.md` file in the root of the repository.  Make
 sure you follow *all* of the instructions meticulously.
--- a/.dockerignore
+++ b/.dockerignore
@@ -17,5 +17,4 @@ coverage.out
 .claude/
 # Local settings
 .golangci.yml
 .claude/settings.local.json
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,9 @@
 name: check
 on: [push]
 jobs:
    check:
        runs-on: ubuntu-latest
        steps:
            # actions/checkout v4.2.2, 2026-02-28
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
            - run: docker build --ulimit memlock=-1:-1 .
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,7 @@ cli.test
 vault.test
 *.test
 settings.local.json
 # Stale files
 .cursorrules
 coverage.out
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -141,3 +141,17 @@ Version: 2025-06-08
   - Local application imports
   Each group should be separated by a blank line.
 ## Go-Specific Guidelines
 1. **No `panic`, `log.Fatal`, or `os.Exit` in library code.** Always propagate errors via return values.
 2. **Constructors return `(*T, error)`, not just `*T`.** Callers must handle errors, not crash.
 3. **Wrap errors** with `fmt.Errorf("context: %w", err)` for debuggability.
 4. **Never modify linter config** (`.golangci.yml`) to suppress findings. Fix the code.
 5. **All PRs must pass `make check` with zero failures.** No exceptions, no "pre-existing issue" excuses.
 6. **Pin external dependencies by commit hash**, not mutable tags.
--- a/60
+++ b/60
@@ -1,50 +1,46 @@
-# Build stage
+# Lint stage — fast feedback on formatting and lint issues
-FROM golang:1.24-alpine AS builder
+# golangci/golangci-lint v2.1.6 (2026-03-10)
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
-# Install build dependencies
+WORKDIR /src
 RUN apk add --no-cache \
    gcc \
    musl-dev \
    make \
    git
 # Set working directory
 WORKDIR /build
 # Copy go mod files
 COPY go.mod go.sum ./
 # Download dependencies
 RUN go mod download
 # Copy source code
 COPY . .
-# Build the binary
+RUN make fmt-check
-RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
+RUN make lint
 # Build stage — tests and compilation
 # golang 1.24.13-alpine (2026-03-10)
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 # Force BuildKit to run the lint stage
 COPY --from=lint /src/go.sum /dev/null
 RUN apk add --no-cache gcc musl-dev make git gnupg
 WORKDIR /build
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN make test
 RUN make build
 # Runtime stage
-FROM alpine:latest
+# alpine 3.23 (2026-03-10)
 FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
-# Install runtime dependencies
+RUN apk add --no-cache ca-certificates gnupg
 RUN apk add --no-cache \
    ca-certificates \
    gnupg
 # Create non-root user
 RUN adduser -D -s /bin/sh secret
 # Copy binary from builder
 COPY --from=builder /build/secret /usr/local/bin/secret
 # Ensure binary is executable
 RUN chmod +x /usr/local/bin/secret
 # Switch to non-root user
 USER secret
 # Set working directory
 WORKDIR /home/secret
-# Set entrypoint
+ENTRYPOINT ["secret"]
 ENTRYPOINT ["secret"]
--- a/7
+++ b/7
@@ -17,7 +17,7 @@ build: ./secret
 vet:
 	go vet ./...
-test: lint vet
+test: vet
 	go test ./... || go test -v ./...
 fmt:
@@ -26,7 +26,7 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m
-check: build test
+check: build lint test fmt-check
 # Build Docker container
 docker:
@@ -42,3 +42,6 @@ clean:
 install: ./secret
 	cp ./secret $(HOME)/bin/secret
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)
--- a/README.md
+++ b/README.md
@@ -184,6 +184,7 @@ Creates a new unlocker of the specified type:
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 - `keychain`: macOS Keychain integration (macOS only)
 - `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
 **Options:**
 - `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
@@ -286,11 +287,11 @@ Unlockers provide different authentication methods to access the long-term keys:
   - Automatic unlocking when Keychain is unlocked
   - Cross-application integration
-4. **Secure Enclave Unlockers** (macOS - planned):
+4. **Secure Enclave Unlockers** (macOS):
   - Hardware-backed key storage using Apple Secure Enclave
-   - Currently partially implemented but non-functional
+   - Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
-   - Requires Apple Developer Program membership and code signing entitlements
+   - ECIES encryption: vault long-term key encrypted directly by SE hardware
-   - Full implementation blocked by entitlement requirements
+   - Protected by biometric authentication (Touch ID) or system password
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
@@ -330,8 +331,7 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 - Hardware token support via PGP/GPG integration
 - macOS Keychain integration for system-level security
- Secure Enclave support planned (requires paid Apple Developer Program for
+- Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
  signed entitlements to access the SEP and doxxing myself to Apple)
 ## Examples
@@ -385,6 +385,7 @@ secret vault remove personal --force
 secret unlocker add passphrase              # Password-based
 secret unlocker add pgp --keyid ABCD1234    # GPG key
 secret unlocker add keychain                # macOS Keychain (macOS only)
 secret unlocker add secure-enclave          # macOS Secure Enclave (macOS only)
 # List unlockers
 secret unlocker list
@@ -443,7 +444,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 ### Cross-Platform Support
- **macOS**: Full support including Keychain and planned Secure Enclave integration
+- **macOS**: Full support including Keychain and Secure Enclave integration
 - **Linux**: Full support (excluding macOS-specific features)
 ## Security Considerations
@@ -487,7 +488,7 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 ## Features
- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
--- a/coverage.out
+++ b/coverage.out
@@ -1,102 +0,0 @@
 mode: set
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:57.41,60.38 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:60.38,61.41 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:65.2,70.3 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:74.50,76.2 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:79.85,81.28 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:81.28,83.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:86.2,87.16 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:87.16,89.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:92.2,93.16 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:93.16,95.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:98.2,98.35 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:102.89,105.16 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:105.16,107.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:110.2,114.21 4 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:118.99,119.46 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:119.46,121.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:124.2,134.39 5 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:134.39,137.15 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:137.15,140.4 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:143.3,145.17 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:145.17,147.4 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.3,150.15 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.15,152.4 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:155.3,156.17 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:156.17,158.4 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:160.3,160.14 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:163.2,163.17 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:167.107,171.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:171.16,173.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:177.2,186.15 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:187.15,188.13 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:189.15,190.13 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:191.15,192.13 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:193.15,194.13 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:195.15,196.13 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:197.10,198.64 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:202.2,204.21 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:208.84,212.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:212.16,214.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:217.2,222.16 4 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:222.16,224.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:226.2,226.26 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:230.99,234.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:234.16,236.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:239.2,251.45 6 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:251.45,253.3 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:256.2,275.45 12 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:279.39,284.2 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:287.91,288.36 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:288.36,290.3 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:292.2,295.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:295.16,297.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:300.2,302.41 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:306.100,307.32 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:307.32,309.3 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:311.2,314.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:314.16,316.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:319.2,325.35 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:325.35,327.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:329.2,329.33 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:333.100,334.32 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:334.32,336.3 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:338.2,341.16 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:341.16,343.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:346.2,349.32 2 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:349.32,351.3 1 0
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:353.2,353.30 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:357.57,375.52 7 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:375.52,381.46 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:381.46,385.4 3 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:387.3,387.20 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:390.2,390.21 1 1
 git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:394.67,396.2 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:32.22,36.2 3 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:40.67,41.31 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:41.31,43.3 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:46.2,55.16 6 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:55.16,57.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:58.2,59.16 2 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:59.16,61.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:63.2,63.52 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:68.63,74.16 3 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:74.16,76.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:79.2,83.16 3 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:83.16,85.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:88.2,91.16 4 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:91.16,93.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:95.2,95.17 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:100.67,103.16 2 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:103.16,105.3 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:108.2,112.16 3 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:112.16,114.3 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:117.2,120.16 4 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:120.16,122.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:124.2,124.17 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:129.77,131.16 2 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:131.16,133.3 1 0
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:135.2,135.33 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:140.81,142.16 2 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:142.16,144.3 1 1
 git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:146.2,146.33 1 1
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -17,24 +17,30 @@ type Instance struct {
 }
 // NewCLIInstance creates a new CLI instance with the real filesystem
-func NewCLIInstance() *Instance {
+func NewCLIInstance() (*Instance, error) {
 	fs := afero.NewOsFs()
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
 	if err != nil {
 		return nil, fmt.Errorf("cannot determine state directory: %w", err)
 	}
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}
+	}, nil
 }
 // NewCLIInstanceWithFs creates a new CLI instance with the given filesystem (for testing)
-func NewCLIInstanceWithFs(fs afero.Fs) *Instance {
+func NewCLIInstanceWithFs(fs afero.Fs) (*Instance, error) {
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
 	if err != nil {
 		return nil, fmt.Errorf("cannot determine state directory: %w", err)
 	}
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}
+	}, nil
 }
 // NewCLIInstanceWithStateDir creates a new CLI instance with custom state directory (for testing)
--- a/internal/cli/cli_test.go
+++ b/internal/cli/cli_test.go
@@ -25,7 +25,10 @@ func TestCLIInstanceStateDir(t *testing.T) {
 func TestCLIInstanceWithFs(t *testing.T) {
 	// Test creating CLI instance with custom filesystem
 	fs := afero.NewMemMapFs()
-	cli := NewCLIInstanceWithFs(fs)
+	cli, err := NewCLIInstanceWithFs(fs)
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	// The state directory should be determined automatically
 	stateDir := cli.GetStateDir()
@@ -41,7 +44,10 @@ func TestDetermineStateDir(t *testing.T) {
 	testEnvDir := "/test-env-dir"
 	t.Setenv(secret.EnvStateDir, testEnvDir)
-	stateDir := secret.DetermineStateDir("")
+	stateDir, err := secret.DetermineStateDir("")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if stateDir != testEnvDir {
 		t.Errorf("Expected state directory %q from environment, got %q", testEnvDir, stateDir)
 	}
@@ -49,7 +55,10 @@ func TestDetermineStateDir(t *testing.T) {
 	// Test with custom config dir
 	_ = os.Unsetenv(secret.EnvStateDir)
 	customConfigDir := "/custom-config"
-	stateDir = secret.DetermineStateDir(customConfigDir)
+	stateDir, err = secret.DetermineStateDir(customConfigDir)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	expectedDir := filepath.Join(customConfigDir, secret.AppID)
 	if stateDir != expectedDir {
 		t.Errorf("Expected state directory %q with custom config, got %q", expectedDir, stateDir)
--- a/internal/cli/completions.go
+++ b/internal/cli/completions.go
@@ -71,6 +71,8 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
 			unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 			files, err := afero.ReadDir(fs, unlockersDir)
 			if err != nil {
 				secret.Warn("Could not read unlockers directory during completion", "error", err)
 				continue
 			}
@@ -85,11 +87,15 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
 				// Check if this is the right unlocker by comparing metadata
 				metadataBytes, err := afero.ReadFile(fs, metadataPath)
 				if err != nil {
 					secret.Warn("Could not read unlocker metadata during completion", "path", metadataPath, "error", err)
 					continue
 				}
 				var diskMetadata secret.UnlockerMetadata
 				if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 					secret.Warn("Could not parse unlocker metadata during completion", "path", metadataPath, "error", err)
 					continue
 				}
--- a/internal/cli/crypto.go
+++ b/internal/cli/crypto.go
@@ -22,7 +22,10 @@ func newEncryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.Encrypt(args[0], inputFile, outputFile)
@@ -45,7 +48,10 @@ func newDecryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.Decrypt(args[0], inputFile, outputFile)
--- a/internal/cli/generate.go
+++ b/internal/cli/generate.go
@@ -38,7 +38,10 @@ func newGenerateMnemonicCmd() *cobra.Command {
 			`mnemonic phrase that can be used with 'secret init' ` +
 			`or 'secret import'.`,
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GenerateMnemonic(cmd)
 		},
@@ -56,7 +59,10 @@ func newGenerateSecretCmd() *cobra.Command {
 			secretType, _ := cmd.Flags().GetString("type")
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GenerateSecret(cmd, args[0], length, secretType, force)
 		},
--- a/internal/cli/info.go
+++ b/internal/cli/info.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -40,7 +41,10 @@ type InfoOutput struct {
 // newInfoCmd returns the info command
 func newInfoCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	var jsonOutput bool
--- a/internal/cli/info_helper.go
+++ b/internal/cli/info_helper.go
@@ -4,6 +4,7 @@ import (
 	"path/filepath"
 	"time"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 )
@@ -28,6 +29,8 @@ func gatherVaultStats(
 		// Count secrets in this vault
 		secretEntries, err := afero.ReadDir(fs, secretsPath)
 		if err != nil {
 			secret.Warn("Could not read secrets directory for vault", "vault", vaultEntry.Name(), "error", err)
 			continue
 		}
@@ -43,6 +46,8 @@ func gatherVaultStats(
 			versionsPath := filepath.Join(secretPath, "versions")
 			versionEntries, err := afero.ReadDir(fs, versionsPath)
 			if err != nil {
 				secret.Warn("Could not read versions directory for secret", "secret", secretEntry.Name(), "error", err)
 				continue
 			}
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@@ -2,17 +2,16 @@ package cli
 import (
 	"fmt"
 	"log"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -29,7 +28,10 @@ func NewInitCmd() *cobra.Command {
 // RunInit is the exported function that handles the init command
 func RunInit(cmd *cobra.Command, _ []string) error {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return cli.Init(cmd)
 }
@@ -154,35 +156,8 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
-	// Encrypt long-term private key to the unlocker
+	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
-	unlockerDir := passphraseUnlocker.GetDirectory()
+	// private key to longterm.age, so no need to do it again here.
 	// Read unlocker public key
 	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
 	if err != nil {
 		return fmt.Errorf("failed to read unlocker public key: %w", err)
 	}
 	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
 	if err != nil {
 		return fmt.Errorf("failed to parse unlocker public key: %w", err)
 	}
 	// Encrypt long-term private key to unlocker
 	// Use memguard to protect the private key in memory
 	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
 	defer ltPrivKeyBuffer.Destroy()
 	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}
 	// Write encrypted long-term private key
 	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
 	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
 		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
 	}
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
@@ -48,7 +48,7 @@ func TestMain(m *testing.M) {
 	code := m.Run()
 	// Clean up the binary
-	os.Remove(filepath.Join(projectRoot, "secret"))
+	_ = os.Remove(filepath.Join(projectRoot, "secret"))
 	os.Exit(code)
 }
@@ -450,10 +450,10 @@ func test02ListVaults(t *testing.T, runSecret func(...string) (string, error)) {
 func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (string, error)) {
 	// Set environment variables for vault creation
-	os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
+	_ = os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
-	os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
+	_ = os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
-	defer os.Unsetenv("SB_SECRET_MNEMONIC")
+	defer func() { _ = os.Unsetenv("SB_SECRET_MNEMONIC") }()
-	defer os.Unsetenv("SB_UNLOCK_PASSPHRASE")
+	defer func() { _ = os.Unsetenv("SB_UNLOCK_PASSPHRASE") }()
 	// Create work vault
 	output, err := runSecret("vault", "create", "work")
@@ -489,6 +489,7 @@ func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (
 	assert.Contains(t, output, "work", "should list work vault")
 }
 //nolint:unused // TODO: re-enable when vault import is implemented
 func test04ImportMnemonic(t *testing.T, tempDir, testMnemonic, testPassphrase string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
 	// Import mnemonic into work vault
 	output, err := runSecretWithEnv(map[string]string{
@@ -1047,7 +1048,6 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr
 	// Test invalid secret names
 	invalidNames := []string{
 		"",                // empty
 		"UPPERCASE",       // uppercase not allowed
 		"with space",      // spaces not allowed
 		"with@symbol",     // special characters not allowed
 		"with#hash",       // special characters not allowed
@@ -1073,7 +1073,7 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr
 			// Some of these might not be invalid after all (e.g., leading/trailing slashes might be stripped, .hidden might be allowed)
 			// For now, just check the ones we know should definitely fail
-			definitelyInvalid := []string{"", "UPPERCASE", "with space", "with@symbol", "with#hash", "with$dollar"}
+			definitelyInvalid := []string{"", "with space", "with@symbol", "with#hash", "with$dollar"}
 			shouldFail := false
 			for _, invalid := range definitelyInvalid {
 				if invalidName == invalid {
@@ -1668,9 +1668,9 @@ func test19DisasterRecovery(t *testing.T, tempDir, secretPath, testMnemonic stri
 	assert.Equal(t, testSecretValue, strings.TrimSpace(toolOutput), "tool output should match original")
 	// Clean up temporary files
-	os.Remove(ltPrivKeyPath)
+	_ = os.Remove(ltPrivKeyPath)
-	os.Remove(versionPrivKeyPath)
+	_ = os.Remove(versionPrivKeyPath)
-	os.Remove(decryptedValuePath)
+	_ = os.Remove(decryptedValuePath)
 }
 func test20VersionTimestamps(t *testing.T, tempDir, secretPath, testMnemonic string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
@@ -1789,7 +1789,7 @@ func test23ErrorHandling(t *testing.T, tempDir, secretPath, testMnemonic string,
 	// Add secret without mnemonic or unlocker
 	unsetMnemonic := os.Getenv("SB_SECRET_MNEMONIC")
-	os.Unsetenv("SB_SECRET_MNEMONIC")
+	_ = os.Unsetenv("SB_SECRET_MNEMONIC")
 	cmd := exec.Command(secretPath, "add", "test/nomnemonic")
 	cmd.Env = []string{
 		fmt.Sprintf("SB_SECRET_STATE_DIR=%s", tempDir),
@@ -2129,7 +2129,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 						versionsPath := filepath.Join(secretPath, "versions")
 						if _, err := os.Stat(versionsPath); os.IsNotExist(err) {
 							// This is a malformed secret directory, remove it
-							os.RemoveAll(secretPath)
+							_ = os.RemoveAll(secretPath)
 						}
 					}
 				}
@@ -2179,7 +2179,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 	require.NoError(t, err, "restore vaults should succeed")
 	// Restore currentvault
-	os.Remove(currentVaultSrc)
+	_ = os.Remove(currentVaultSrc)
 	restoredData := readFile(t, currentVaultDst)
 	writeFile(t, currentVaultSrc, restoredData)
@@ -2285,6 +2285,8 @@ func verifyFileExists(t *testing.T, path string) {
 }
 // verifyFileNotExists checks if a file does not exist at the given path
 //
 //nolint:unused // kept for future use
 func verifyFileNotExists(t *testing.T, path string) {
 	t.Helper()
 	_, err := os.Stat(path)
--- a/internal/cli/secrets.go
+++ b/internal/cli/secrets.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"path/filepath"
 	"strings"
@@ -44,7 +45,10 @@ func newAddCmd() *cobra.Command {
 			force, _ := cmd.Flags().GetBool("force")
 			secret.Debug("Got force flag", "force", force)
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd // Set the command for stdin access
 			secret.Debug("Created CLI instance, calling AddSecret")
@@ -58,7 +62,10 @@ func newAddCmd() *cobra.Command {
 }
 func newGetCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:               "get <secret-name>",
 		Short:             "Retrieve a secret from the vault",
@@ -66,7 +73,10 @@ func newGetCmd() *cobra.Command {
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			version, _ := cmd.Flags().GetString("version")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.GetSecretWithVersion(cmd, args[0], version)
 		},
@@ -93,7 +103,10 @@ func newListCmd() *cobra.Command {
 				filter = args[0]
 			}
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ListSecrets(cmd, jsonOutput, quietOutput, filter)
 		},
@@ -115,7 +128,10 @@ func newImportCmd() *cobra.Command {
 			sourceFile, _ := cmd.Flags().GetString("source")
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ImportSecret(cmd, args[0], sourceFile, force)
 		},
@@ -129,7 +145,10 @@ func newImportCmd() *cobra.Command {
 }
 func newRemoveCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <secret-name>",
 		Aliases: []string{"rm"},
@@ -139,7 +158,10 @@ func newRemoveCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.RemoveSecret(cmd, args[0], false)
 		},
@@ -149,7 +171,10 @@ func newRemoveCmd() *cobra.Command {
 }
 func newMoveCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "move <source> <destination>",
 		Aliases: []string{"mv", "rename"},
@@ -172,7 +197,10 @@ The source secret is deleted after successful copy.`,
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.MoveSecret(cmd, args[0], args[1], force)
 		},
@@ -479,7 +507,7 @@ func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile str
 	}
 	defer func() {
 		if err := file.Close(); err != nil {
-			secret.Debug("Failed to close file", "error", err)
+			secret.Warn("Failed to close file", "error", err)
 		}
 	}()
--- a/internal/cli/secrets_size_test.go
+++ b/internal/cli/secrets_size_test.go
@@ -113,7 +113,10 @@ func TestAddSecretVariousSizes(t *testing.T) {
 			cmd.SetIn(stdin)
 			// Create CLI instance
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
@@ -230,7 +233,10 @@ func TestImportSecretVariousSizes(t *testing.T) {
 			cmd := &cobra.Command{}
 			// Create CLI instance
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
@@ -318,7 +324,10 @@ func TestAddSecretBufferGrowth(t *testing.T) {
 			cmd.SetIn(stdin)
 			// Create CLI instance
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				t.Fatalf("failed to initialize CLI: %v", err)
 			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
@@ -377,7 +386,10 @@ func TestAddSecretStreamingBehavior(t *testing.T) {
 	cmd.SetIn(slowReader)
 	// Create CLI instance
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cli.fs = fs
 	cli.stateDir = stateDir
 	cli.cmd = cmd
--- a/internal/cli/unlockers.go
+++ b/internal/cli/unlockers.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -96,7 +97,10 @@ func newUnlockerListCmd() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			cli.cmd = cmd
 			return cli.UnlockersList(jsonOutput)
@@ -158,7 +162,10 @@ to access the same vault. This provides flexibility and backup access options.`,
 		Args:      cobra.ExactArgs(1),
 		ValidArgs: strings.Split(supportedTypes, ", "),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			unlockerType := args[0]
 			// Validate unlocker type
@@ -191,7 +198,10 @@ to access the same vault. This provides flexibility and backup access options.`,
 }
 func newUnlockerRemoveCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <unlocker-id>",
 		Aliases: []string{"rm"},
@@ -203,7 +213,10 @@ func newUnlockerRemoveCmd() *cobra.Command {
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.UnlockersRemove(args[0], force, cmd)
 		},
@@ -215,7 +228,10 @@ func newUnlockerRemoveCmd() *cobra.Command {
 }
 func newUnlockerSelectCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "select <unlocker-id>",
@@ -223,7 +239,10 @@ func newUnlockerSelectCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(_ *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.UnlockerSelect(args[0])
 		},
@@ -257,6 +276,8 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		// Create unlocker instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
 			secret.Warn("Could not get vault directory while listing unlockers", "error", err)
 			continue
 		}
@@ -264,6 +285,8 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
 			secret.Warn("Could not read unlockers directory", "error", err)
 			continue
 		}
@@ -279,12 +302,16 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 			// Check if this is the right unlocker by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
-				continue // FIXME this error needs to be handled
+				secret.Warn("Could not read unlocker metadata file", "path", metadataPath, "error", err)
 				continue
 			}
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-				continue // FIXME this error needs to be handled
+				secret.Warn("Could not parse unlocker metadata file", "path", metadataPath, "error", err)
 				continue
 			}
 			// Match by type and creation time
@@ -312,6 +339,7 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		} else {
 			// Generate ID as fallback
 			properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
 			secret.Warn("Could not create unlocker instance, using fallback ID", "fallback_id", properID, "type", metadata.Type)
 		}
 		unlockerInfo := UnlockerInfo{
@@ -603,12 +631,16 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 	// Get the list of unlockers and check if any match the ID
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
 		secret.Warn("Could not list unlockers during duplicate check", "error", err)
 		return nil // If we can't list unlockers, assume it doesn't exist
 	}
 	// Get vault directory to construct unlocker instances
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		secret.Warn("Could not get vault directory during duplicate check", "error", err)
 		return nil
 	}
@@ -618,6 +650,8 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
 			secret.Warn("Could not read unlockers directory during duplicate check", "error", err)
 			continue
 		}
@@ -632,11 +666,15 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 			// Check if this matches our metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
 				secret.Warn("Could not read unlocker metadata during duplicate check", "path", metadataPath, "error", err)
 				continue
 			}
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
 				secret.Warn("Could not parse unlocker metadata during duplicate check", "path", metadataPath, "error", err)
 				continue
 			}
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"strings"
@@ -41,7 +42,10 @@ func newVaultListCmd() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.ListVaults(cmd, jsonOutput)
 		},
@@ -58,7 +62,10 @@ func newVaultCreateCmd() *cobra.Command {
 		Short: "Create a new vault",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.CreateVault(cmd, args[0])
 		},
@@ -66,7 +73,10 @@ func newVaultCreateCmd() *cobra.Command {
 }
 func newVaultSelectCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "select <name>",
@@ -74,7 +84,10 @@ func newVaultSelectCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.SelectVault(cmd, args[0])
 		},
@@ -82,7 +95,10 @@ func newVaultSelectCmd() *cobra.Command {
 }
 func newVaultImportCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return &cobra.Command{
 		Use:               "import <vault-name>",
@@ -96,7 +112,10 @@ func newVaultImportCmd() *cobra.Command {
 				vaultName = args[0]
 			}
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.VaultImport(cmd, vaultName)
 		},
@@ -104,7 +123,10 @@ func newVaultImportCmd() *cobra.Command {
 }
 func newVaultRemoveCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := &cobra.Command{
 		Use:     "remove <name>",
 		Aliases: []string{"rm"},
@@ -115,7 +137,10 @@ func newVaultRemoveCmd() *cobra.Command {
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
 			if err != nil {
 				return fmt.Errorf("failed to initialize CLI: %w", err)
 			}
 			return cli.RemoveVault(cmd, args[0], force)
 		},
--- a/internal/cli/version.go
+++ b/internal/cli/version.go
@@ -2,6 +2,7 @@ package cli
 import (
 	"fmt"
 	"log"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
@@ -18,7 +19,10 @@ const (
 // newVersionCmd returns the version management command
 func newVersionCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		log.Fatalf("failed to initialize CLI: %v", err)
 	}
 	return VersionCommands(cli)
 }
@@ -160,7 +164,7 @@ func (cli *Instance) ListVersions(cmd *cobra.Command, secretName string) error {
 		// Load metadata
 		if err := sv.LoadMetadata(ltIdentity); err != nil {
-			secret.Debug("Failed to load version metadata", "version", version, "error", err)
+			secret.Warn("Failed to load version metadata", "version", version, "error", err)
 			// Display version with error
 			status := "error"
 			if version == currentVersion {
--- a/internal/cli/version_test.go
+++ b/internal/cli/version_test.go
@@ -266,7 +266,10 @@ func TestGetSecretWithVersion(t *testing.T) {
 func TestVersionCommandStructure(t *testing.T) {
 	// Test that version commands are properly structured
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
 	if err != nil {
 		t.Fatalf("failed to initialize CLI: %v", err)
 	}
 	cmd := VersionCommands(cli)
 	assert.Equal(t, "version", cmd.Use)
--- a/internal/macse/secure_enclave.h
+++ b/internal/macse/secure_enclave.h
@@ -1,3 +1,5 @@
 //go:build darwin
 #ifndef SECURE_ENCLAVE_H
 #define SECURE_ENCLAVE_H
--- a/internal/macse/secure_enclave.m
+++ b/internal/macse/secure_enclave.m
@@ -1,3 +1,5 @@
 //go:build darwin
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #include "secure_enclave.h"
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
 	for i := range result {
 		result[i] = 0
 	}
 	return resultBuffer, nil
 }
--- a/internal/secret/debug.go
+++ b/internal/secret/debug.go
@@ -58,6 +58,16 @@ func IsDebugEnabled() bool {
 	return debugEnabled
 }
 // Warn logs a warning message to stderr unconditionally (visible without --verbose or debug flags)
 func Warn(msg string, args ...any) {
 	output := fmt.Sprintf("WARNING: %s", msg)
 	for i := 0; i+1 < len(args); i += 2 {
 		output += fmt.Sprintf(" %s=%v", args[i], args[i+1])
 	}
 	output += "\n"
 	fmt.Fprint(os.Stderr, output)
 }
 // Debug logs a debug message with optional attributes
 func Debug(msg string, args ...any) {
 	if !debugEnabled {
--- a/internal/secret/derivation_index_test.go
+++ b/internal/secret/derivation_index_test.go
@@ -0,0 +1,84 @@
 //go:build darwin
 package secret
 import (
 	"encoding/json"
 	"path/filepath"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // realVault is a minimal VaultInterface backed by a real afero filesystem,
 // using the same directory layout as vault.Vault.
 type realVault struct {
 	name     string
 	stateDir string
 	fs       afero.Fs
 }
 func (v *realVault) GetDirectory() (string, error) {
 	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
 }
 func (v *realVault) GetName() string         { return v.name }
 func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
 // Unused by getLongTermPrivateKey — these satisfy VaultInterface.
 func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
 func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
 func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	panic("not used")
 }
 // createRealVault sets up a complete vault directory structure on an in-memory
 // filesystem, identical to what vault.CreateVault produces.
 func createRealVault(t *testing.T, fs afero.Fs, stateDir, name string, derivationIndex uint32) *realVault {
 	t.Helper()
 	vaultDir := filepath.Join(stateDir, "vaults.d", name)
 	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "secrets.d"), DirPerms))
 	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "unlockers.d"), DirPerms))
 	metadata := VaultMetadata{
 		CreatedAt:       time.Now(),
 		DerivationIndex: derivationIndex,
 	}
 	metaBytes, err := json.Marshal(metadata)
 	require.NoError(t, err)
 	require.NoError(t, afero.WriteFile(fs, filepath.Join(vaultDir, "vault-metadata.json"), metaBytes, FilePerms))
 	return &realVault{name: name, stateDir: stateDir, fs: fs}
 }
 func TestGetLongTermPrivateKeyUsesVaultDerivationIndex(t *testing.T) {
 	const testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	// Derive expected keys at two different indices to prove they differ.
 	key0, err := agehd.DeriveIdentity(testMnemonic, 0)
 	require.NoError(t, err)
 	key5, err := agehd.DeriveIdentity(testMnemonic, 5)
 	require.NoError(t, err)
 	require.NotEqual(t, key0.String(), key5.String(),
 		"sanity check: different derivation indices must produce different keys")
 	// Build a real vault with DerivationIndex=5 on an in-memory filesystem.
 	fs := afero.NewMemMapFs()
 	vault := createRealVault(t, fs, "/state", "test-vault", 5)
 	t.Setenv(EnvMnemonic, testMnemonic)
 	result, err := getLongTermPrivateKey(fs, vault)
 	require.NoError(t, err)
 	defer result.Destroy()
 	assert.Equal(t, key5.String(), string(result.Bytes()),
 		"getLongTermPrivateKey should derive at vault's DerivationIndex (5)")
 	assert.NotEqual(t, key0.String(), string(result.Bytes()),
 		"getLongTermPrivateKey must not use hardcoded index 0")
 }
--- a/internal/secret/helpers.go
+++ b/internal/secret/helpers.go
@@ -1,43 +1,22 @@
 package secret
 import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
 	"os"
 	"path/filepath"
 )
-// generateRandomString generates a random string of the specified length using the given character set
+// DetermineStateDir determines the state directory based on environment variables and OS.
-func generateRandomString(length int, charset string) (string, error) {
+// It returns an error if no usable directory can be determined.
-	if length <= 0 {
+func DetermineStateDir(customConfigDir string) (string, error) {
 		return "", fmt.Errorf("length must be positive")
 	}
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
 	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
 		}
 		result[i] = charset[randomIndex.Int64()]
 	}
 	return string(result), nil
 }
 // DetermineStateDir determines the state directory based on environment variables and OS
 func DetermineStateDir(customConfigDir string) string {
 	// Check for environment variable first
 	if envStateDir := os.Getenv(EnvStateDir); envStateDir != "" {
-		return envStateDir
+		return envStateDir, nil
 	}
 	// Use custom config dir if provided
 	if customConfigDir != "" {
-		return filepath.Join(customConfigDir, AppID)
+		return filepath.Join(customConfigDir, AppID), nil
 	}
 	// Use os.UserConfigDir() which handles platform-specific directories:
@@ -47,10 +26,16 @@ func DetermineStateDir(customConfigDir string) string {
 	configDir, err := os.UserConfigDir()
 	if err != nil {
 		// Fallback to a reasonable default if we can't determine user config dir
-		homeDir, _ := os.UserHomeDir()
+		homeDir, homeErr := os.UserHomeDir()
 		if homeErr != nil {
 			return "", fmt.Errorf("unable to determine state directory: config dir: %w, home dir: %w", err, homeErr)
 		}
-		return filepath.Join(homeDir, ".config", AppID)
+		fallbackDir := filepath.Join(homeDir, ".config", AppID)
 		Warn("Could not determine user config directory, falling back to default", "fallback", fallbackDir, "error", err)
 		return fallbackDir, nil
 	}
-	return filepath.Join(configDir, AppID)
+	return filepath.Join(configDir, AppID), nil
 }
--- a/internal/secret/helpers_darwin.go
+++ b/internal/secret/helpers_darwin.go
@@ -0,0 +1,29 @@
 //go:build darwin
 package secret
 import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
 )
 // generateRandomString generates a random string of the specified length using the given character set
 func generateRandomString(length int, charset string) (string, error) {
 	if length <= 0 {
 		return "", fmt.Errorf("length must be positive")
 	}
 	result := make([]byte, length)
 	charsetLen := big.NewInt(int64(len(charset)))
 	for i := range length {
 		randomIndex, err := rand.Int(rand.Reader, charsetLen)
 		if err != nil {
 			return "", fmt.Errorf("failed to generate random number: %w", err)
 		}
 		result[i] = charset[randomIndex.Int64()]
 	}
 	return string(result), nil
 }
--- a/internal/secret/helpers_test.go
+++ b/internal/secret/helpers_test.go
@@ -0,0 +1,50 @@
 package secret
 import (
 	"testing"
 )
 func TestDetermineStateDir_ErrorsWhenHomeDirUnavailable(t *testing.T) {
 	// Clear all env vars that could provide a home/config directory.
 	// On Darwin, os.UserHomeDir may still succeed via the password
 	// database, so we also test via an explicit empty-customConfigDir
 	// path to exercise the fallback branch.
 	t.Setenv(EnvStateDir, "")
 	t.Setenv("HOME", "")
 	t.Setenv("XDG_CONFIG_HOME", "")
 	result, err := DetermineStateDir("")
 	// On systems where both lookups fail, we must get an error.
 	// On systems where the OS provides a fallback (e.g. macOS pw db),
 	// result should still be valid (non-empty, not root-relative).
 	if err != nil {
 		// Good — the error case is handled.
 		return
 	}
 	if result == "/.config/"+AppID || result == "" {
 		t.Errorf("DetermineStateDir returned dangerous/empty path %q without error", result)
 	}
 }
 func TestDetermineStateDir_UsesEnvVar(t *testing.T) {
 	t.Setenv(EnvStateDir, "/custom/state")
 	result, err := DetermineStateDir("")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if result != "/custom/state" {
 		t.Errorf("expected /custom/state, got %q", result)
 	}
 }
 func TestDetermineStateDir_UsesCustomConfigDir(t *testing.T) {
 	t.Setenv(EnvStateDir, "")
 	result, err := DetermineStateDir("/my/config")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	expected := "/my/config/" + AppID
 	if result != expected {
 		t.Errorf("expected %q, got %q", expected, result)
 	}
 }
--- a/internal/secret/keychainunlocker.go
+++ b/internal/secret/keychainunlocker.go
@@ -251,8 +251,25 @@ func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedB
 	// Check if mnemonic is available in environment variable
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		// Use mnemonic directly to derive long-term key
+		// Read vault metadata to get the correct derivation index
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
+		vaultDir, err := vault.GetDirectory()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
 		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 		metadataBytes, err := afero.ReadFile(fs, metadataPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
 		var metadata VaultMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		}
 		// Use mnemonic with the vault's actual derivation index
 		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
--- a/internal/secret/keychainunlocker_stub.go
+++ b/internal/secret/keychainunlocker_stub.go
@@ -4,6 +4,8 @@
 package secret
 import (
 	"fmt"
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
@@ -22,52 +24,59 @@ type KeychainUnlocker struct {
 	fs        afero.Fs
 }
-// GetIdentity panics on non-Darwin platforms
+var errKeychainNotSupported = fmt.Errorf("keychain unlockers are only supported on macOS")
 // GetIdentity returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }
-// GetType panics on non-Darwin platforms
+// GetType returns the unlocker type
 func (k *KeychainUnlocker) GetType() string {
-	panic("keychain unlockers are only supported on macOS")
+	return "keychain"
 }
-// GetMetadata panics on non-Darwin platforms
+// GetMetadata returns the unlocker metadata
 func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
-	panic("keychain unlockers are only supported on macOS")
+	return k.Metadata
 }
-// GetDirectory panics on non-Darwin platforms
+// GetDirectory returns the unlocker directory
 func (k *KeychainUnlocker) GetDirectory() string {
-	panic("keychain unlockers are only supported on macOS")
+	return k.Directory
 }
 // GetID returns the unlocker ID
 func (k *KeychainUnlocker) GetID() string {
-	panic("keychain unlockers are only supported on macOS")
+	return fmt.Sprintf("%s-keychain", k.Metadata.CreatedAt.Format("2006-01-02.15.04"))
 }
-// GetKeychainItemName panics on non-Darwin platforms
+// GetKeychainItemName returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return "", errKeychainNotSupported
 }
-// Remove panics on non-Darwin platforms
+// Remove returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) Remove() error {
-	panic("keychain unlockers are only supported on macOS")
+	return errKeychainNotSupported
 }
-// NewKeychainUnlocker panics on non-Darwin platforms
+// NewKeychainUnlocker creates a stub KeychainUnlocker on non-Darwin platforms.
 // The returned instance's methods that require macOS functionality will return errors.
 func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
-	panic("keychain unlockers are only supported on macOS")
+	return &KeychainUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
-// CreateKeychainUnlocker panics on non-Darwin platforms
+// CreateKeychainUnlocker returns an error on non-Darwin platforms
-func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
+func CreateKeychainUnlocker(_ afero.Fs, _ string) (*KeychainUnlocker, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }
-// getLongTermPrivateKey panics on non-Darwin platforms
+// getLongTermPrivateKey returns an error on non-Darwin platforms
-func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
+func getLongTermPrivateKey(_ afero.Fs, _ VaultInterface) (*memguard.LockedBuffer, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }
--- a/internal/secret/passphrase_test.go
+++ b/internal/secret/passphrase_test.go
@@ -24,7 +24,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -155,7 +155,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	})
 	// Unset the environment variable to test interactive prompt
-	os.Unsetenv(secret.EnvUnlockPassphrase)
+	_ = os.Unsetenv(secret.EnvUnlockPassphrase)
 	// Test getting identity from prompt (this would require mocking the prompt)
 	// For real integration tests, we'd need to provide a way to mock the passphrase input
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -1,3 +1,5 @@
 //go:build darwin
 package secret_test
 import (
@@ -140,7 +142,7 @@ func TestPGPUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@@ -320,7 +320,9 @@ func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	}
 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
 		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
 	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@@ -359,7 +361,9 @@ func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
-	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
 		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
 	)
 	cmd.Stdin = strings.NewReader(data.String())
 	output, err := cmd.Output()
--- a/internal/secret/secret_test.go
+++ b/internal/secret/secret_test.go
@@ -257,9 +257,10 @@ func isValidSecretName(name string) bool {
 	if name == "" {
 		return false
 	}
-	// Valid characters for secret names: lowercase letters, numbers, dash, dot, underscore, slash
+	// Valid characters for secret names: letters, numbers, dash, dot, underscore, slash
 	for _, char := range name {
 		if (char < 'a' || char > 'z') && // lowercase letters
 			(char < 'A' || char > 'Z') && // uppercase letters
 			(char < '0' || char > '9') && // numbers
 			char != '-' && // dash
 			char != '.' && // dot
@@ -283,9 +284,11 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Invalid-Name", false}, // uppercase not allowed
+		{"Valid-Upper-Name", true}, // uppercase allowed
-		{"invalid name", false}, // space not allowed
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
-		{"invalid@name", false}, // @ not allowed
+		{"MixedCase/Path/Name", true},                         // mixed case with path
 		{"invalid name", false},                               // space not allowed
 		{"invalid@name", false},                               // @ not allowed
 	}
 	for _, test := range tests {
--- a/internal/secret/seunlocker_darwin.go
+++ b/internal/secret/seunlocker_darwin.go
@@ -60,7 +60,10 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
 	encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read SE-encrypted long-term key: %w", err)
+		return nil, fmt.Errorf(
 			"failed to read SE-encrypted long-term key: %w",
 			err,
 		)
 	}
 	DebugWith("Read SE-encrypted long-term key",
@@ -70,7 +73,10 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
 	decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
 	if err != nil {
-		return nil, fmt.Errorf("failed to decrypt long-term key with SE: %w", err)
+		return nil, fmt.Errorf(
 			"failed to decrypt long-term key with SE: %w",
 			err,
 		)
 	}
 	// Parse the decrypted long-term private key
@@ -82,7 +88,10 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	}
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
+		return nil, fmt.Errorf(
 			"failed to parse long-term private key: %w",
 			err,
 		)
 	}
 	DebugWith("Successfully decrypted long-term key via SE",
@@ -165,7 +174,11 @@ func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err e
 }
 // NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
-func NewSecureEnclaveUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *SecureEnclaveUnlocker {
+func NewSecureEnclaveUnlocker(
 	fs afero.Fs,
 	directory string,
 	metadata UnlockerMetadata,
 ) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
@@ -182,13 +195,22 @@ func generateSEKeyLabel(vaultName string) (string, error) {
 	enrollmentDate := time.Now().UTC().Format("2006-01-02")
-	return fmt.Sprintf("%s.%s-%s-%s", seKeyLabelPrefix, vaultName, hostname, enrollmentDate), nil
+	return fmt.Sprintf(
 		"%s.%s-%s-%s",
 		seKeyLabelPrefix,
 		vaultName,
 		hostname,
 		enrollmentDate,
 	), nil
 }
 // CreateSecureEnclaveUnlocker creates a new SE unlocker.
 // The vault's long-term private key is encrypted directly by the Secure Enclave
 // using ECIES. No intermediate age keypair is used.
-func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUnlocker, error) {
+func CreateSecureEnclaveUnlocker(
 	fs afero.Fs,
 	stateDir string,
 ) (*SecureEnclaveUnlocker, error) {
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
@@ -216,14 +238,20 @@ func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUn
 	// Step 2: Get the vault's long-term private key
 	ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get long-term private key: %w", err)
+		return nil, fmt.Errorf(
 			"failed to get long-term private key: %w",
 			err,
 		)
 	}
 	defer ltPrivKeyData.Destroy()
 	// Step 3: Encrypt the long-term key directly with the SE (ECIES)
 	encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
 	if err != nil {
-		return nil, fmt.Errorf("failed to encrypt long-term key with SE: %w", err)
+		return nil, fmt.Errorf(
 			"failed to encrypt long-term key with SE: %w",
 			err,
 		)
 	}
 	// Step 4: Create unlocker directory and write files
@@ -235,13 +263,19 @@ func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUn
 	unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
-		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
+		return nil, fmt.Errorf(
 			"failed to create unlocker directory: %w",
 			err,
 		)
 	}
 	// Write SE-encrypted long-term key
 	ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
 	if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
-		return nil, fmt.Errorf("failed to write SE-encrypted long-term key: %w", err)
+		return nil, fmt.Errorf(
 			"failed to write SE-encrypted long-term key: %w",
 			err,
 		)
 	}
 	// Write metadata
@@ -274,12 +308,40 @@ func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUn
 // getLongTermKeyForSE retrieves the vault's long-term private key
 // either from the mnemonic env var or by unlocking via the current unlocker.
-func getLongTermKeyForSE(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
+func getLongTermKeyForSE(
 	fs afero.Fs,
 	vault VaultInterface,
 ) (*memguard.LockedBuffer, error) {
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
+		// Read vault metadata to get the correct derivation index
 		vaultDir, err := vault.GetDirectory()
 		if err != nil {
-			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
+			return nil, fmt.Errorf("failed to get vault directory: %w", err)
 		}
 		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
 		metadataBytes, err := afero.ReadFile(fs, metadataPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
 		}
 		var metadata VaultMetadata
 		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
 			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
 		}
 		// Use mnemonic with the vault's actual derivation index
 		ltIdentity, err := agehd.DeriveIdentity(
 			envMnemonic,
 			metadata.DerivationIndex,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"failed to derive long-term key from mnemonic: %w",
 				err,
 			)
 		}
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
@@ -292,17 +354,29 @@ func getLongTermKeyForSE(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuf
 	currentIdentity, err := currentUnlocker.GetIdentity()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
+		return nil, fmt.Errorf(
 			"failed to get current unlocker identity: %w",
 			err,
 		)
 	}
 	// All unlocker types store longterm.age in their directory
-	longtermPath := filepath.Join(currentUnlocker.GetDirectory(), "longterm.age")
+	longtermPath := filepath.Join(
 		currentUnlocker.GetDirectory(),
 		"longterm.age",
 	)
 	encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read encrypted long-term key: %w", err)
+		return nil, fmt.Errorf(
 			"failed to read encrypted long-term key: %w",
 			err,
 		)
 	}
-	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtKey, currentIdentity)
+	ltPrivKeyBuffer, err := DecryptWithIdentity(
 		encryptedLtKey,
 		currentIdentity,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
 	}
--- a/internal/secret/seunlocker_stub.go
+++ b/internal/secret/seunlocker_stub.go
@@ -4,10 +4,16 @@
 package secret
 import (
 	"fmt"
 	"filippo.io/age"
 	"github.com/spf13/afero"
 )
 var errSENotSupported = fmt.Errorf(
 	"secure enclave unlockers are only supported on macOS",
 )
 // SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
 type SecureEnclaveUnlockerMetadata struct {
 	UnlockerMetadata
@@ -22,42 +28,57 @@ type SecureEnclaveUnlocker struct {
 	fs        afero.Fs
 }
-// GetIdentity panics on non-Darwin platforms.
+// GetIdentity returns an error on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	panic("secure enclave unlockers are only supported on macOS")
+	return nil, errSENotSupported
 }
-// GetType panics on non-Darwin platforms.
+// GetType returns the unlocker type.
 func (s *SecureEnclaveUnlocker) GetType() string {
-	panic("secure enclave unlockers are only supported on macOS")
+	return "secure-enclave"
 }
-// GetMetadata panics on non-Darwin platforms.
+// GetMetadata returns the unlocker metadata.
 func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
-	panic("secure enclave unlockers are only supported on macOS")
+	return s.Metadata
 }
-// GetDirectory panics on non-Darwin platforms.
+// GetDirectory returns the unlocker directory.
 func (s *SecureEnclaveUnlocker) GetDirectory() string {
-	panic("secure enclave unlockers are only supported on macOS")
+	return s.Directory
 }
-// GetID panics on non-Darwin platforms.
+// GetID returns the unlocker ID.
 func (s *SecureEnclaveUnlocker) GetID() string {
-	panic("secure enclave unlockers are only supported on macOS")
+	return fmt.Sprintf(
 		"%s-secure-enclave",
 		s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
 	)
 }
-// Remove panics on non-Darwin platforms.
+// Remove returns an error on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) Remove() error {
-	panic("secure enclave unlockers are only supported on macOS")
+	return errSENotSupported
 }
-// NewSecureEnclaveUnlocker panics on non-Darwin platforms.
+// NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
-func NewSecureEnclaveUnlocker(_ afero.Fs, _ string, _ UnlockerMetadata) *SecureEnclaveUnlocker {
+// The returned instance's methods that require macOS functionality will return errors.
-	panic("secure enclave unlockers are only supported on macOS")
+func NewSecureEnclaveUnlocker(
 	fs afero.Fs,
 	directory string,
 	metadata UnlockerMetadata,
 ) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
 		fs:        fs,
 	}
 }
-// CreateSecureEnclaveUnlocker panics on non-Darwin platforms.
+// CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
-func CreateSecureEnclaveUnlocker(_ afero.Fs, _ string) (*SecureEnclaveUnlocker, error) {
+func CreateSecureEnclaveUnlocker(
-	panic("secure enclave unlockers are only supported on macOS")
+	_ afero.Fs,
 	_ string,
 ) (*SecureEnclaveUnlocker, error) {
 	return nil, errSENotSupported
 }
--- a/internal/secret/seunlocker_stub_test.go
+++ b/internal/secret/seunlocker_stub_test.go
@@ -0,0 +1,90 @@
 //go:build !darwin
 // +build !darwin
 package secret
 import (
 	"testing"
 	"time"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestNewSecureEnclaveUnlocker(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker"
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 		Flags:     []string{"secure-enclave", "macos"},
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
 	// Test GetType returns correct type
 	assert.Equal(t, "secure-enclave", unlocker.GetType())
 	// Test GetMetadata returns the metadata we passed in
 	assert.Equal(t, metadata, unlocker.GetMetadata())
 	// Test GetDirectory returns the directory we passed in
 	assert.Equal(t, dir, unlocker.GetDirectory())
 	// Test GetID returns a formatted string with the creation timestamp
 	expectedID := "2026-01-15.10.30-secure-enclave"
 	assert.Equal(t, expectedID, unlocker.GetID())
 }
 func TestSecureEnclaveUnlockerGetIdentityReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	identity, err := unlocker.GetIdentity()
 	assert.Nil(t, identity)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestSecureEnclaveUnlockerRemoveReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	err := unlocker.Remove()
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestCreateSecureEnclaveUnlockerReturnsError(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	unlocker, err := CreateSecureEnclaveUnlocker(fs, "/tmp/test")
 	assert.Nil(t, unlocker)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, errSENotSupported)
 }
 func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	// Verify the stub implements the Unlocker interface
 	var _ Unlocker = unlocker
 }
--- a/internal/secret/seunlocker_test.go
+++ b/internal/secret/seunlocker_test.go
@@ -0,0 +1,101 @@
 //go:build darwin
 // +build darwin
 package secret
 import (
 	"testing"
 	"time"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestNewSecureEnclaveUnlocker(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker"
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 		Flags:     []string{"secure-enclave", "macos"},
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
 	// Test GetType returns correct type
 	assert.Equal(t, seUnlockerType, unlocker.GetType())
 	// Test GetMetadata returns the metadata we passed in
 	assert.Equal(t, metadata, unlocker.GetMetadata())
 	// Test GetDirectory returns the directory we passed in
 	assert.Equal(t, dir, unlocker.GetDirectory())
 }
 func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Now().UTC(),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	// Verify the darwin implementation implements the Unlocker interface
 	var _ Unlocker = unlocker
 }
 func TestSecureEnclaveUnlockerGetIDFormat(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 3, 10, 14, 30, 0, 0, time.UTC),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
 	id := unlocker.GetID()
 	// ID should contain the timestamp and "secure-enclave" type
 	assert.Contains(t, id, "2026-03-10.14.30")
 	assert.Contains(t, id, seUnlockerType)
 }
 func TestGenerateSEKeyLabel(t *testing.T) {
 	label, err := generateSEKeyLabel("test-vault")
 	require.NoError(t, err)
 	// Label should contain the prefix and vault name
 	assert.Contains(t, label, seKeyLabelPrefix)
 	assert.Contains(t, label, "test-vault")
 }
 func TestSecureEnclaveUnlockerGetIdentityMissingFile(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	dir := "/tmp/test-se-unlocker-missing"
 	// Create unlocker directory with metadata but no encrypted key file
 	require.NoError(t, fs.MkdirAll(dir, DirPerms))
 	metadataJSON := `{
 		"type": "secure-enclave",
 		"createdAt": "2026-01-15T10:30:00Z",
 		"seKeyLabel": "berlin.sneak.app.secret.se.test",
 		"seKeyHash": "abc123"
 	}`
 	require.NoError(t, afero.WriteFile(fs, dir+"/unlocker-metadata.json", []byte(metadataJSON), FilePerms))
 	metadata := UnlockerMetadata{
 		Type:      "secure-enclave",
 		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
 	}
 	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
 	// GetIdentity should fail because the encrypted longterm key file is missing
 	identity, err := unlocker.GetIdentity()
 	assert.Nil(t, identity)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to read SE-encrypted long-term key")
 }
--- a/internal/secret/validation_darwin_test.go
+++ b/internal/secret/validation_darwin_test.go
@@ -0,0 +1,148 @@
 //go:build darwin
 package secret
 import (
 	"testing"
 )
 func TestValidateKeychainItemName(t *testing.T) {
 	tests := []struct {
 		name     string
 		itemName string
 		wantErr  bool
 	}{
 		// Valid cases
 		{
 			name:     "valid simple name",
 			itemName: "my-secret-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with dots",
 			itemName: "com.example.app.key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with underscores",
 			itemName: "my_secret_key_123",
 			wantErr:  false,
 		},
 		{
 			name:     "valid alphanumeric",
 			itemName: "Secret123Key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with hyphen at start",
 			itemName: "-my-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with dot at start",
 			itemName: ".hidden-key",
 			wantErr:  false,
 		},
 		// Invalid cases
 		{
 			name:     "empty item name",
 			itemName: "",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with spaces",
 			itemName: "my secret key",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with semicolon",
 			itemName: "key;rm -rf /",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with pipe",
 			itemName: "key|cat /etc/passwd",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backticks",
 			itemName: "key`whoami`",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with dollar sign",
 			itemName: "key$(whoami)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with quotes",
 			itemName: "key\"name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with single quotes",
 			itemName: "key'name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backslash",
 			itemName: "key\\name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with newline",
 			itemName: "key\nname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with carriage return",
 			itemName: "key\rname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with ampersand",
 			itemName: "key&echo test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with redirect",
 			itemName: "key>/tmp/test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with null byte",
 			itemName: "key\x00name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with parentheses",
 			itemName: "key(test)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with brackets",
 			itemName: "key[test]",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with asterisk",
 			itemName: "key*",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with question mark",
 			itemName: "key?",
 			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateKeychainItemName(tt.itemName)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/secret/validation_test.go
+++ b/internal/secret/validation_test.go
@@ -154,144 +154,3 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
 func TestValidateKeychainItemName(t *testing.T) {
 	tests := []struct {
 		name     string
 		itemName string
 		wantErr  bool
 	}{
 		// Valid cases
 		{
 			name:     "valid simple name",
 			itemName: "my-secret-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with dots",
 			itemName: "com.example.app.key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid name with underscores",
 			itemName: "my_secret_key_123",
 			wantErr:  false,
 		},
 		{
 			name:     "valid alphanumeric",
 			itemName: "Secret123Key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with hyphen at start",
 			itemName: "-my-key",
 			wantErr:  false,
 		},
 		{
 			name:     "valid with dot at start",
 			itemName: ".hidden-key",
 			wantErr:  false,
 		},
 		// Invalid cases
 		{
 			name:     "empty item name",
 			itemName: "",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with spaces",
 			itemName: "my secret key",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with semicolon",
 			itemName: "key;rm -rf /",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with pipe",
 			itemName: "key|cat /etc/passwd",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backticks",
 			itemName: "key`whoami`",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with dollar sign",
 			itemName: "key$(whoami)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with quotes",
 			itemName: "key\"name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with single quotes",
 			itemName: "key'name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with backslash",
 			itemName: "key\\name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with newline",
 			itemName: "key\nname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with carriage return",
 			itemName: "key\rname",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with ampersand",
 			itemName: "key&echo test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with redirect",
 			itemName: "key>/tmp/test",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with null byte",
 			itemName: "key\x00name",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with parentheses",
 			itemName: "key(test)",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with brackets",
 			itemName: "key[test]",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with asterisk",
 			itemName: "key*",
 			wantErr:  true,
 		},
 		{
 			name:     "item name with question mark",
 			itemName: "key?",
 			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateKeychainItemName(tt.itemName)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/secret/version.go
+++ b/internal/secret/version.go
@@ -102,6 +102,8 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
 		var serial int
 		if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err != nil {
 			Warn("Skipping malformed version directory name", "name", entry.Name(), "error", err)
 			continue
 		}
--- a/internal/vault/path_traversal_test.go
+++ b/internal/vault/path_traversal_test.go
@@ -0,0 +1,96 @@
 package vault
 import (
 	"testing"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestGetSecretVersionRejectsPathTraversal verifies that GetSecretVersion
 // validates the secret name and rejects path traversal attempts.
 // This is a regression test for https://git.eeqj.de/sneak/secret/issues/13
 func TestGetSecretVersionRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	// Add a legitimate secret so the vault is set up
 	value := memguard.NewBufferFromBytes([]byte("legitimate-secret"))
 	err = vlt.AddSecret("legit", value, false)
 	require.NoError(t, err)
 	// These names contain path traversal and should be rejected
 	maliciousNames := []string{
 		"../../../etc/passwd",
 		"..%2f..%2fetc/passwd",
 		".secret",
 		"../sibling-vault/secrets.d/target",
 		"foo/../bar",
 		"a/../../etc/passwd",
 	}
 	for _, name := range maliciousNames {
 		t.Run(name, func(t *testing.T) {
 			_, err := vlt.GetSecretVersion(name, "")
 			assert.Error(t, err, "GetSecretVersion should reject malicious name: %s", name)
 			assert.Contains(t, err.Error(), "invalid secret name",
 				"error should indicate invalid name for: %s", name)
 		})
 	}
 }
 // TestGetSecretRejectsPathTraversal verifies GetSecret (which calls GetSecretVersion)
 // also rejects path traversal names.
 func TestGetSecretRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	_, err = vlt.GetSecret("../../../etc/passwd")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "invalid secret name")
 }
 // TestGetSecretObjectRejectsPathTraversal verifies GetSecretObject
 // also validates names and rejects path traversal attempts.
 func TestGetSecretObjectRejectsPathTraversal(t *testing.T) {
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	require.NoError(t, err)
 	maliciousNames := []string{
 		"../../../etc/passwd",
 		"foo/../bar",
 		"a/../../etc/passwd",
 	}
 	for _, name := range maliciousNames {
 		t.Run(name, func(t *testing.T) {
 			_, err := vlt.GetSecretObject(name)
 			assert.Error(t, err, "GetSecretObject should reject: %s", name)
 			assert.Contains(t, err.Error(), "invalid secret name")
 		})
 	}
 }
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -67,7 +67,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	return secrets, nil
 }
-// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
+// isValidSecretName validates secret names according to the format [a-zA-Z0-9\.\-\_\/]+
 // but with additional restrictions:
 // - No leading or trailing slashes
 // - No double slashes
@@ -92,8 +92,15 @@ func isValidSecretName(name string) bool {
 		return false
 	}
 	// Check for path traversal via ".." components
 	for _, part := range strings.Split(name, "/") {
 		if part == ".." {
 			return false
 		}
 	}
 	// Check the basic pattern
-	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
+	matched, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-\_\/]+$`, name)
 	return matched
 }
@@ -319,6 +326,13 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		slog.String("version", version),
 	)
 	// Validate secret name to prevent path traversal
 	if !isValidSecretName(name) {
 		secret.Debug("Invalid secret name provided", "secret_name", name)
 		return nil, fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
 	}
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
@@ -454,6 +468,10 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
 	if !isValidSecretName(name) {
 		return nil, fmt.Errorf("invalid secret name: %s", name)
 	}
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
--- a/internal/vault/secrets_name_test.go
+++ b/internal/vault/secrets_name_test.go
@@ -0,0 +1,42 @@
 package vault
 import "testing"
 func TestIsValidSecretNameUppercase(t *testing.T) {
 	tests := []struct {
 		name  string
 		valid bool
 	}{
 		// Lowercase (existing behavior)
 		{"valid-name", true},
 		{"valid.name", true},
 		{"valid_name", true},
 		{"valid/path/name", true},
 		{"123valid", true},
 		// Uppercase (new behavior - issue #2)
 		{"Valid-Upper-Name", true},
 		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},
 		{"MixedCase/Path/Name", true},
 		{"ALLUPPERCASE", true},
 		{"ABC123", true},
 		// Still invalid
 		{"", false},
 		{"invalid name", false},
 		{"invalid@name", false},
 		{".dotstart", false},
 		{"/leading-slash", false},
 		{"trailing-slash/", false},
 		{"double//slash", false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isValidSecretName(tt.name)
 			if result != tt.valid {
 				t.Errorf("isValidSecretName(%q) = %v, want %v", tt.name, result, tt.valid)
 			}
 		})
 	}
 }
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@@ -218,7 +218,9 @@ func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 				return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
-				return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
+				secret.Warn("Skipping unlocker directory with missing metadata file", "directory", file.Name())
 				continue
 			}
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -225,27 +225,23 @@ func (v *Vault) NumSecrets() (int, error) {
 		return 0, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
-	// Count only directories that contain at least one version file
+	// Count only directories that have a "current" version pointer file
 	count := 0
 	for _, entry := range entries {
 		if !entry.IsDir() {
 			continue
 		}
-		// Check if this secret directory contains any version files
+		// A valid secret has a "current" file pointing to the active version
 		secretDir := filepath.Join(secretsDir, entry.Name())
-		versionFiles, err := afero.ReadDir(v.fs, secretDir)
+		currentFile := filepath.Join(secretDir, "current")
 		exists, err := afero.Exists(v.fs, currentFile)
 		if err != nil {
 			continue // Skip directories we can't read
 		}
-		// Look for at least one version file (excluding "current" symlink)
+		if exists {
-		for _, vFile := range versionFiles {
+			count++
 			if !vFile.IsDir() && vFile.Name() != "current" {
 				count++
 				break // Found at least one version, count this secret
 			}
 		}
 	}
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -162,6 +162,24 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 	// Test NumSecrets
 	t.Run("NumSecrets", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)
 		if err != nil {
 			t.Fatalf("Failed to get current vault: %v", err)
 		}
 		numSecrets, err := vlt.NumSecrets()
 		if err != nil {
 			t.Fatalf("Failed to count secrets: %v", err)
 		}
 		// We added one secret in SecretOperations
 		if numSecrets != 1 {
 			t.Errorf("Expected 1 secret, got %d", numSecrets)
 		}
 	})
 	// Test unlocker operations
 	t.Run("UnlockerOperations", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)
@@ -225,3 +243,57 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 }
 func TestListUnlockers_SkipsMissingMetadata(t *testing.T) {
 	// Set test environment variables
 	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
 	t.Setenv(secret.EnvMnemonic, testMnemonic)
 	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
 	// Use in-memory filesystem
 	fs := afero.NewMemMapFs()
 	stateDir := "/test/state"
 	// Create vault
 	vlt, err := CreateVault(fs, stateDir, "test-vault")
 	if err != nil {
 		t.Fatalf("Failed to create vault: %v", err)
 	}
 	// Create a passphrase unlocker so we have at least one valid unlocker
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
 	defer passphraseBuffer.Destroy()
 	_, err = vlt.CreatePassphraseUnlocker(passphraseBuffer)
 	if err != nil {
 		t.Fatalf("Failed to create passphrase unlocker: %v", err)
 	}
 	// Create a bogus unlocker directory with no metadata file
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
 		t.Fatalf("Failed to get vault directory: %v", err)
 	}
 	bogusDir := filepath.Join(vaultDir, "unlockers.d", "bogus-no-metadata")
 	err = fs.MkdirAll(bogusDir, 0o700)
 	if err != nil {
 		t.Fatalf("Failed to create bogus directory: %v", err)
 	}
 	// ListUnlockers should succeed, skipping the bogus directory
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
 		t.Fatalf("ListUnlockers returned error when it should have skipped bad directory: %v", err)
 	}
 	// Should still have the valid passphrase unlocker
 	if len(unlockers) == 0 {
 		t.Errorf("Expected at least one unlocker, got none")
 	}
 	// Verify we only got the valid unlocker(s), not the bogus one
 	for _, u := range unlockers {
 		if u.Type == "" {
 			t.Errorf("Got unlocker with empty type, likely from bogus directory")
 		}
 	}
 }
Author	SHA1	Message	Date
clawbot	b090b3f86b	ci: add Gitea Actions workflow for make check (#21 ) All checks were successful check / check (push) Successful in 26s Details Adds CI workflow that runs `make check` on push/PR to main. Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #21 Co-authored-by: clawbot <sneak+clawbot@sneak.cloud> Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>	2026-03-30 21:34:49 +02:00
sneak	a3d3fb3b69	secure-enclave-unlocker (#24 ) Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #24 Reviewed-by: clawbot <clawbot@noreply.example.org> Co-authored-by: sneak <sneak@sneak.berlin> Co-committed-by: sneak <sneak@sneak.berlin>	2026-03-14 07:36:28 +01:00
Jeffrey Paul	4dc26c9394	Merge pull request 'chore: remove stale .cursorrules and coverage.out' (#22 ) from chore/remove-stale-files into main Reviewed-on: #22	2026-02-28 19:29:52 +01:00
user	7546cb094f	chore: remove stale .cursorrules and coverage.out Remove committed editor config (.cursorrules) and test coverage artifact (coverage.out). Both added to .gitignore.	2026-02-20 02:59:23 -08:00
Jeffrey Paul	797d2678c8	Merge pull request 'Add secret.Warn() calls for all silent anomalous conditions' (#20 ) from clawbot/secret:audit/add-warnings into main Reviewed-on: #20	2026-02-20 09:22:29 +01:00
user	78015afb35	Add secret.Warn() calls for all silent anomalous conditions Audit of the codebase found 9 locations where errors or anomalous conditions were silently swallowed or only logged via Debug(). Users should be informed when something unexpected happens, even if the program can continue. Changes: - DetermineStateDir: warn on config dir fallback to ~/.config - info_helper: warn when vault/secret stats cannot be read - unlockers list: warn on metadata read/parse failures (fixes FIXMEs) - unlockers list: warn on fallback ID generation - checkUnlockerExists: warn on errors during duplicate checking - completions: warn on unlocker metadata read/parse failures - version list: upgrade metadata load failure from Debug to Warn - secrets: upgrade file close failure from Debug to Warn - version naming: warn on malformed version directory names Closes #19	2026-02-20 00:03:49 -08:00
Jeffrey Paul	1c330c697f	Merge pull request 'Skip unlocker directories with missing metadata instead of failing (closes #1 )' (#17 ) from clawbot/secret:fix/issue-1 into main Reviewed-on: #17	2026-02-20 08:59:04 +01:00
Jeffrey Paul	d18e286377	Merge branch 'main' into fix/issue-1	2026-02-20 08:58:43 +01:00
Jeffrey Paul	f49fde3a06	Merge pull request 'Fix getLongTermPrivateKey derivation index hardcoded to 0 (closes #3 )' (#8 ) from clawbot/secret:fix/issue-3 into main Reviewed-on: #8	2026-02-20 08:58:21 +01:00
Jeffrey Paul	206651f89a	Merge branch 'main' into fix/issue-3	2026-02-20 08:58:10 +01:00
user	c0f221b1ca	Change missing metadata log from Debug to Warn for visibility without --verbose Per review feedback: missing unlocker metadata should produce a warning visible in normal output, not hidden behind debug flags.	2026-02-19 23:57:39 -08:00
Jeffrey Paul	09be20a044	Merge pull request 'Allow uppercase letters in secret names (closes #2 )' (#16 ) from clawbot/secret:fix/issue-2 into main Reviewed-on: #16	2026-02-20 08:57:19 +01:00
Jeffrey Paul	2e1ba7d2e0	Merge branch 'main' into fix/issue-2	2026-02-20 08:57:03 +01:00
Jeffrey Paul	1a23016df1	Merge pull request 'Validate secret name in GetSecretVersion to prevent path traversal (closes #13 )' (#15 ) from clawbot/secret:fix/issue-13 into main Reviewed-on: #15	2026-02-20 08:56:51 +01:00
Jeffrey Paul	ebe3c17618	Merge branch 'main' into fix/issue-13	2026-02-20 08:56:36 +01:00
clawbot	1a96360f6a	Skip unlocker directories with missing metadata instead of failing When an unlocker directory exists but is missing unlocker-metadata.json, log a debug warning and skip it instead of returning a hard error that crashes the entire 'unlocker ls' command. Closes #1	2026-02-19 23:56:08 -08:00
Jeffrey Paul	4f5d2126d6	Merge pull request 'Return error from GetDefaultStateDir when home directory unavailable (closes #14 )' (#18 ) from clawbot/secret:fix/issue-14 into main Reviewed-on: #18	2026-02-20 08:54:22 +01:00
clawbot	6be4601763	refactor: return errors from NewCLIInstance instead of panicking Change NewCLIInstance() and NewCLIInstanceWithFs() to return (*Instance, error) instead of panicking on DetermineStateDir failure. Callers in RunE contexts propagate the error. Callers in command construction (for shell completion) use log.Fatalf. Test callers use t.Fatalf. Addresses review feedback on PR #18.	2026-02-19 23:53:35 -08:00
user	36ece2fca7	docs: add Go coding policies to AGENTS.md per review request	2026-02-19 23:53:23 -08:00
clawbot	dc225bd0b1	fix: add blank line before return for nlreturn linter	2026-02-19 23:44:38 -08:00
clawbot	6acd57d0ec	fix: suppress gosec G204 for validated GPG key ID inputs	2026-02-19 23:43:32 -08:00
clawbot	596027f210	fix: suppress gosec G204 for validated GPG key ID inputs	2026-02-19 23:43:13 -08:00
clawbot	0aa9a52497	test: add test for getLongTermPrivateKey derivation index Verifies that getLongTermPrivateKey reads the derivation index from vault metadata instead of using hardcoded index 0. Test creates a mock vault with DerivationIndex=5 and confirms the derived key matches index 5.	2026-02-19 23:43:13 -08:00
clawbot	09ec79c57e	fix: use vault derivation index in getLongTermPrivateKey instead of hardcoded 0 Previously, getLongTermPrivateKey() always used derivation index 0 when deriving the long-term key from a mnemonic. This caused wrong key derivation for vaults with index > 0 (second+ vault from same mnemonic), leading to silent data corruption in keychain unlocker creation. Now reads the vault's actual DerivationIndex from vault-metadata.json.	2026-02-19 23:43:13 -08:00
clawbot	e8339f4d12	fix: update integration test to allow uppercase secret names	2026-02-19 23:42:39 -08:00
clawbot	4f984cd9c6	fix: suppress gosec G204 for validated GPG key ID inputs	2026-02-19 23:41:43 -08:00
clawbot	d1caf0a208	fix: suppress gosec G204 for validated GPG key ID inputs	2026-02-19 23:40:21 -08:00
user	8eb25b98fd	fix: block .. path components in secret names and validate in GetSecretObject - isValidSecretName() now rejects names with '..' path components (e.g. foo/../bar) - GetSecretObject() now calls isValidSecretName() before building paths - Added test cases for mid-path traversal patterns	2026-02-15 14:17:33 -08:00
clawbot	6211b8e768	Return error from GetDefaultStateDir when home directory unavailable When os.UserConfigDir() fails, DetermineStateDir falls back to os.UserHomeDir(). Previously the error from UserHomeDir was discarded, which could result in a dangerous root-relative path (/.config/...) if both calls fail. Now DetermineStateDir returns (string, error) and propagates failures from both UserConfigDir and UserHomeDir. Closes #14	2026-02-15 14:05:15 -08:00
user	0307f23024	Allow uppercase letters in secret names (closes #2 ) The isValidSecretName() regex only allowed lowercase letters [a-z], rejecting valid secret names containing uppercase characters (e.g. AWS access key IDs). Changed regex from ^[a-z0-9\.\-\_\/]+$ to ^[a-zA-Z0-9\.\-\_\/]+$ and added tests for uppercase secret names in both vault and secret packages.	2026-02-15 14:03:50 -08:00
clawbot	3fd30bb9e6	Validate secret name in GetSecretVersion to prevent path traversal Add isValidSecretName() check at the top of GetSecretVersion(), matching the existing validation in AddSecret(). Without this, crafted secret names containing path traversal sequences (e.g. '../../../etc/passwd') could be used to read files outside the vault directory. Add regression tests for both GetSecretVersion and GetSecret. Closes #13	2026-02-15 14:03:28 -08:00
Jeffrey Paul	6ff00c696a	Merge pull request 'Remove redundant longterm.age encryption in Init command (closes #6 )' (#11 ) from clawbot/secret:fix/issue-6 into main Reviewed-on: #11	2026-02-09 02:39:55 +01:00
Jeffrey Paul	c6551e4901	Merge branch 'main' into fix/issue-6	2026-02-09 02:39:41 +01:00
Jeffrey Paul	b06d7fa3f4	Merge pull request 'Fix NumSecrets() always returning 0 (closes #4 )' (#9 ) from clawbot/secret:fix/issue-4 into main Reviewed-on: #9	2026-02-09 02:39:30 +01:00
Jeffrey Paul	16d5b237d2	Merge branch 'main' into fix/issue-4	2026-02-09 02:26:20 +01:00
Jeffrey Paul	660de5716a	Merge pull request 'Non-darwin KeychainUnlocker stub returns errors instead of panicking (closes #7 )' (#12 ) from clawbot/secret:fix/issue-7 into main Reviewed-on: #12	2026-02-09 02:20:14 +01:00
Jeffrey Paul	51fb2805fd	Merge branch 'main' into fix/issue-7	2026-02-09 02:19:56 +01:00
Jeffrey Paul	6ffb24b544	Merge pull request 'Zero plaintext after copying to memguard in DecryptWithIdentity (closes #5 )' (#10 ) from clawbot/secret:fix/issue-5 into main Reviewed-on: #10	2026-02-09 02:18:06 +01:00
clawbot	4419ef7730	fix: non-darwin KeychainUnlocker stub returns errors instead of panicking The stub previously panicked on all methods including NewKeychainUnlocker, which is called from vault code when processing keychain-type unlocker metadata. This caused crashes on Linux/Windows when a vault synced from macOS contained keychain unlockers. Now returns proper error values, allowing graceful degradation and cross-platform vault portability.	2026-02-08 12:05:38 -08:00
clawbot	991b1a5a0b	fix: remove redundant longterm.age encryption in Init command CreatePassphraseUnlocker already encrypts and writes the long-term private key to longterm.age. The Init command was doing this a second time, overwriting the file with a functionally equivalent but separately encrypted blob. This was wasteful and a maintenance hazard.	2026-02-08 12:05:09 -08:00
clawbot	fd77a047f9	security: zero plaintext after copying to memguard in DecryptWithIdentity The decrypted data from io.ReadAll was copied into a memguard LockedBuffer but the original byte slice was never zeroed, leaving plaintext in swappable, dumpable heap memory.	2026-02-08 12:04:38 -08:00
clawbot	341428d9ca	fix: NumSecrets() now correctly counts secrets by checking for current file NumSecrets() previously looked for non-directory, non-'current' files directly under each secret directory, but the only children are 'current' (file, excluded) and 'versions' (directory, excluded), so it always returned 0. Now checks for the existence of the 'current' file, which is the canonical indicator that a secret exists and has an active version. This fixes the safety check in UnlockersRemove that was always allowing removal of the last unlocker.	2026-02-08 12:04:15 -08:00