Fix nlreturn lint errors in macse CGo bindings

Adds a new "secure-enclave" unlocker type that stores the vault's
long-term private key encrypted by a non-exportable P-256 key held
in the Secure Enclave hardware. Decryption (ECDH) is performed
inside the SE; the key never leaves the hardware.

Uses CryptoTokenKit identities created via sc_auth, which allows
SE access from unsigned binaries without Apple Developer Program
membership. ECIES (X963SHA256 + AES-GCM) handles encryption and
decryption through Security.framework.

New package internal/macse/ provides the CGo bridge to
Security.framework for SE key creation, ECIES encrypt/decrypt,
and key deletion. The SE unlocker directly encrypts the vault
long-term key (no intermediate age keypair).

.cursorrules

@@ -0,0 +1,3 @@
+EXTREMELY IMPORTANT: Read and follow the policies, procedures, and
+instructions in the `AGENTS.md` file in the root of the repository.  Make
+sure you follow *all* of the instructions meticulously.

.dockerignore

@@ -17,4 +17,5 @@ coverage.out
 .claude/
 
 # Local settings
+.golangci.yml
 .claude/settings.local.json

.gitea/workflows/check.yml

@@ -1,9 +0,0 @@
-name: check
-on: [push]
-jobs:
-    check:
-        runs-on: ubuntu-latest
-        steps:
-            # actions/checkout v4.2.2, 2026-02-28
-            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-            - run: docker build --ulimit memlock=-1:-1 .

.gitignore

@@ -6,7 +6,3 @@ cli.test
 vault.test
 *.test
 settings.local.json
-
-# Stale files
-.cursorrules
-coverage.out

AGENTS.md

@@ -141,17 +141,3 @@ Version: 2025-06-08
    - Local application imports
    
    Each group should be separated by a blank line.
-
-## Go-Specific Guidelines
-
-1. **No `panic`, `log.Fatal`, or `os.Exit` in library code.** Always propagate errors via return values.
-
-2. **Constructors return `(*T, error)`, not just `*T`.** Callers must handle errors, not crash.
-
-3. **Wrap errors** with `fmt.Errorf("context: %w", err)` for debuggability.
-
-4. **Never modify linter config** (`.golangci.yml`) to suppress findings. Fix the code.
-
-5. **All PRs must pass `make check` with zero failures.** No exceptions, no "pre-existing issue" excuses.
-
-6. **Pin external dependencies by commit hash**, not mutable tags.

Dockerfile

@@ -1,46 +1,50 @@
-# Lint stage — fast feedback on formatting and lint issues
+# Build stage
-# golangci/golangci-lint v2.1.6 (2026-03-10)
+FROM golang:1.24-alpine AS builder
-FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 
-WORKDIR /src
+# Install build dependencies
-COPY go.mod go.sum ./
+RUN apk add --no-cache \
-RUN go mod download
+    gcc \
-
+    musl-dev \
-COPY . .
+    make \
-
+    git
-RUN make fmt-check
-RUN make lint
-
-# Build stage — tests and compilation
-# golang 1.24.13-alpine (2026-03-10)
-FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
-
-# Force BuildKit to run the lint stage
-COPY --from=lint /src/go.sum /dev/null
-
-RUN apk add --no-cache gcc musl-dev make git gnupg
 
+# Set working directory
 WORKDIR /build
+
+# Copy go mod files
 COPY go.mod go.sum ./
+
+# Download dependencies
 RUN go mod download
 
+# Copy source code
 COPY . .
 
-RUN make test
+# Build the binary
-RUN make build
+RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
 
 # Runtime stage
-# alpine 3.23 (2026-03-10)
+FROM alpine:latest
-FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 
-RUN apk add --no-cache ca-certificates gnupg
+# Install runtime dependencies
+RUN apk add --no-cache \
+    ca-certificates \
+    gnupg
 
+# Create non-root user
 RUN adduser -D -s /bin/sh secret
 
+# Copy binary from builder
 COPY --from=builder /build/secret /usr/local/bin/secret
+
+# Ensure binary is executable
 RUN chmod +x /usr/local/bin/secret
 
+# Switch to non-root user
 USER secret
+
+# Set working directory
 WORKDIR /home/secret
 
-ENTRYPOINT ["secret"]
+# Set entrypoint
+ENTRYPOINT ["secret"]

Makefile

@@ -17,7 +17,7 @@ build: ./secret
 vet:
 	go vet ./...
 
-test: vet
+test: lint vet
 	go test ./... || go test -v ./...
 
 fmt:
@@ -26,7 +26,7 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m
 
-check: build lint test fmt-check
+check: build test
 
 # Build Docker container
 docker:
@@ -42,6 +42,3 @@ clean:
 
 install: ./secret
 	cp ./secret $(HOME)/bin/secret
-
-fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)

README.md

@@ -184,7 +184,6 @@ Creates a new unlocker of the specified type:
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
 - `keychain`: macOS Keychain integration (macOS only)
-- `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
 
 **Options:**
 - `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
@@ -287,11 +286,11 @@ Unlockers provide different authentication methods to access the long-term keys:
    - Automatic unlocking when Keychain is unlocked
    - Cross-application integration
 
-4. **Secure Enclave Unlockers** (macOS):
+4. **Secure Enclave Unlockers** (macOS - planned):
    - Hardware-backed key storage using Apple Secure Enclave
-   - Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
+   - Currently partially implemented but non-functional
-   - ECIES encryption: vault long-term key encrypted directly by SE hardware
+   - Requires Apple Developer Program membership and code signing entitlements
-   - Protected by biometric authentication (Touch ID) or system password
+   - Full implementation blocked by entitlement requirements
 
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
 
@@ -331,7 +330,8 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 
 - Hardware token support via PGP/GPG integration
 - macOS Keychain integration for system-level security
-- Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
+- Secure Enclave support planned (requires paid Apple Developer Program for
+  signed entitlements to access the SEP and doxxing myself to Apple)
 
 ## Examples
 
@@ -385,7 +385,6 @@ secret vault remove personal --force
 secret unlocker add passphrase              # Password-based
 secret unlocker add pgp --keyid ABCD1234    # GPG key
 secret unlocker add keychain                # macOS Keychain (macOS only)
-secret unlocker add secure-enclave          # macOS Secure Enclave (macOS only)
 
 # List unlockers
 secret unlocker list
@@ -444,7 +443,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 
 ### Cross-Platform Support
 
-- **macOS**: Full support including Keychain and Secure Enclave integration
+- **macOS**: Full support including Keychain and planned Secure Enclave integration
 - **Linux**: Full support (excluding macOS-specific features)
 
 ## Security Considerations
@@ -488,7 +487,7 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 
 ## Features
 
-- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases

coverage.out

@@ -0,0 +1,102 @@
+mode: set
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:57.41,60.38 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:60.38,61.41 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:65.2,70.3 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:74.50,76.2 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:79.85,81.28 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:81.28,83.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:86.2,87.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:87.16,89.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:92.2,93.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:93.16,95.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:98.2,98.35 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:102.89,105.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:105.16,107.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:110.2,114.21 4 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:118.99,119.46 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:119.46,121.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:124.2,134.39 5 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:134.39,137.15 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:137.15,140.4 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:143.3,145.17 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:145.17,147.4 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.3,150.15 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.15,152.4 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:155.3,156.17 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:156.17,158.4 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:160.3,160.14 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:163.2,163.17 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:167.107,171.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:171.16,173.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:177.2,186.15 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:187.15,188.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:189.15,190.13 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:191.15,192.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:193.15,194.13 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:195.15,196.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:197.10,198.64 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:202.2,204.21 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:208.84,212.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:212.16,214.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:217.2,222.16 4 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:222.16,224.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:226.2,226.26 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:230.99,234.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:234.16,236.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:239.2,251.45 6 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:251.45,253.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:256.2,275.45 12 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:279.39,284.2 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:287.91,288.36 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:288.36,290.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:292.2,295.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:295.16,297.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:300.2,302.41 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:306.100,307.32 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:307.32,309.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:311.2,314.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:314.16,316.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:319.2,325.35 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:325.35,327.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:329.2,329.33 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:333.100,334.32 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:334.32,336.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:338.2,341.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:341.16,343.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:346.2,349.32 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:349.32,351.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:353.2,353.30 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:357.57,375.52 7 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:375.52,381.46 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:381.46,385.4 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:387.3,387.20 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:390.2,390.21 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:394.67,396.2 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:32.22,36.2 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:40.67,41.31 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:41.31,43.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:46.2,55.16 6 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:55.16,57.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:58.2,59.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:59.16,61.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:63.2,63.52 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:68.63,74.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:74.16,76.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:79.2,83.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:83.16,85.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:88.2,91.16 4 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:91.16,93.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:95.2,95.17 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:100.67,103.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:103.16,105.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:108.2,112.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:112.16,114.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:117.2,120.16 4 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:120.16,122.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:124.2,124.17 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:129.77,131.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:131.16,133.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:135.2,135.33 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:140.81,142.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:142.16,144.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:146.2,146.33 1 1

internal/cli/cli.go

@@ -17,30 +17,24 @@ type Instance struct {
 }
 
 // NewCLIInstance creates a new CLI instance with the real filesystem
-func NewCLIInstance() (*Instance, error) {
+func NewCLIInstance() *Instance {
 	fs := afero.NewOsFs()
-	stateDir, err := secret.DetermineStateDir("")
+	stateDir := secret.DetermineStateDir("")
-	if err != nil {
-		return nil, fmt.Errorf("cannot determine state directory: %w", err)
-	}
 
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}, nil
+	}
 }
 
 // NewCLIInstanceWithFs creates a new CLI instance with the given filesystem (for testing)
-func NewCLIInstanceWithFs(fs afero.Fs) (*Instance, error) {
+func NewCLIInstanceWithFs(fs afero.Fs) *Instance {
-	stateDir, err := secret.DetermineStateDir("")
+	stateDir := secret.DetermineStateDir("")
-	if err != nil {
-		return nil, fmt.Errorf("cannot determine state directory: %w", err)
-	}
 
 	return &Instance{
 		fs:       fs,
 		stateDir: stateDir,
-	}, nil
+	}
 }
 
 // NewCLIInstanceWithStateDir creates a new CLI instance with custom state directory (for testing)

internal/cli/cli_test.go

@@ -25,10 +25,7 @@ func TestCLIInstanceStateDir(t *testing.T) {
 func TestCLIInstanceWithFs(t *testing.T) {
 	// Test creating CLI instance with custom filesystem
 	fs := afero.NewMemMapFs()
-	cli, err := NewCLIInstanceWithFs(fs)
+	cli := NewCLIInstanceWithFs(fs)
-	if err != nil {
-		t.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	// The state directory should be determined automatically
 	stateDir := cli.GetStateDir()
@@ -44,10 +41,7 @@ func TestDetermineStateDir(t *testing.T) {
 	testEnvDir := "/test-env-dir"
 	t.Setenv(secret.EnvStateDir, testEnvDir)
 
-	stateDir, err := secret.DetermineStateDir("")
+	stateDir := secret.DetermineStateDir("")
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
 	if stateDir != testEnvDir {
 		t.Errorf("Expected state directory %q from environment, got %q", testEnvDir, stateDir)
 	}
@@ -55,10 +49,7 @@ func TestDetermineStateDir(t *testing.T) {
 	// Test with custom config dir
 	_ = os.Unsetenv(secret.EnvStateDir)
 	customConfigDir := "/custom-config"
-	stateDir, err = secret.DetermineStateDir(customConfigDir)
+	stateDir = secret.DetermineStateDir(customConfigDir)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
 	expectedDir := filepath.Join(customConfigDir, secret.AppID)
 	if stateDir != expectedDir {
 		t.Errorf("Expected state directory %q with custom config, got %q", expectedDir, stateDir)

internal/cli/completions.go

@@ -71,8 +71,6 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
 			unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 			files, err := afero.ReadDir(fs, unlockersDir)
 			if err != nil {
-				secret.Warn("Could not read unlockers directory during completion", "error", err)
-
 				continue
 			}
 
@@ -87,15 +85,11 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
 				// Check if this is the right unlocker by comparing metadata
 				metadataBytes, err := afero.ReadFile(fs, metadataPath)
 				if err != nil {
-					secret.Warn("Could not read unlocker metadata during completion", "path", metadataPath, "error", err)
-
 					continue
 				}
 
 				var diskMetadata secret.UnlockerMetadata
 				if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-					secret.Warn("Could not parse unlocker metadata during completion", "path", metadataPath, "error", err)
-
 					continue
 				}
 

internal/cli/crypto.go

@@ -22,10 +22,7 @@ func newEncryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 			cli.cmd = cmd
 
 			return cli.Encrypt(args[0], inputFile, outputFile)
@@ -48,10 +45,7 @@ func newDecryptCmd() *cobra.Command {
 			inputFile, _ := cmd.Flags().GetString("input")
 			outputFile, _ := cmd.Flags().GetString("output")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 			cli.cmd = cmd
 
 			return cli.Decrypt(args[0], inputFile, outputFile)

internal/cli/generate.go

@@ -38,10 +38,7 @@ func newGenerateMnemonicCmd() *cobra.Command {
 			`mnemonic phrase that can be used with 'secret init' ` +
 			`or 'secret import'.`,
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.GenerateMnemonic(cmd)
 		},
@@ -59,10 +56,7 @@ func newGenerateSecretCmd() *cobra.Command {
 			secretType, _ := cmd.Flags().GetString("type")
 			force, _ := cmd.Flags().GetBool("force")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.GenerateSecret(cmd, args[0], length, secretType, force)
 		},

internal/cli/info.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -41,10 +40,7 @@ type InfoOutput struct {
 
 // newInfoCmd returns the info command
 func newInfoCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	var jsonOutput bool
 

internal/cli/info_helper.go

@@ -4,7 +4,6 @@ import (
 	"path/filepath"
 	"time"
 
-	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 )
 
@@ -29,8 +28,6 @@ func gatherVaultStats(
 		// Count secrets in this vault
 		secretEntries, err := afero.ReadDir(fs, secretsPath)
 		if err != nil {
-			secret.Warn("Could not read secrets directory for vault", "vault", vaultEntry.Name(), "error", err)
-
 			continue
 		}
 
@@ -46,8 +43,6 @@ func gatherVaultStats(
 			versionsPath := filepath.Join(secretPath, "versions")
 			versionEntries, err := afero.ReadDir(fs, versionsPath)
 			if err != nil {
-				secret.Warn("Could not read versions directory for secret", "secret", secretEntry.Name(), "error", err)
-
 				continue
 			}
 

internal/cli/init.go

@@ -2,16 +2,17 @@ package cli
 
 import (
 	"fmt"
-	"log"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 
+	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -28,10 +29,7 @@ func NewInitCmd() *cobra.Command {
 
 // RunInit is the exported function that handles the init command
 func RunInit(cmd *cobra.Command, _ []string) error {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	return cli.Init(cmd)
 }
@@ -156,8 +154,35 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
 
-	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
+	// Encrypt long-term private key to the unlocker
-	// private key to longterm.age, so no need to do it again here.
+	unlockerDir := passphraseUnlocker.GetDirectory()
+
+	// Read unlocker public key
+	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
+	if err != nil {
+		return fmt.Errorf("failed to read unlocker public key: %w", err)
+	}
+
+	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
+	if err != nil {
+		return fmt.Errorf("failed to parse unlocker public key: %w", err)
+	}
+
+	// Encrypt long-term private key to unlocker
+	// Use memguard to protect the private key in memory
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
+	defer ltPrivKeyBuffer.Destroy()
+
+	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
+	}
+
+	// Write encrypted long-term private key
+	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
+	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
+		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
+	}
 
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")

internal/cli/integration_test.go

@@ -48,7 +48,7 @@ func TestMain(m *testing.M) {
 	code := m.Run()
 
 	// Clean up the binary
-	_ = os.Remove(filepath.Join(projectRoot, "secret"))
+	os.Remove(filepath.Join(projectRoot, "secret"))
 
 	os.Exit(code)
 }
@@ -450,10 +450,10 @@ func test02ListVaults(t *testing.T, runSecret func(...string) (string, error)) {
 
 func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (string, error)) {
 	// Set environment variables for vault creation
-	_ = os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
+	os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
-	_ = os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
+	os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
-	defer func() { _ = os.Unsetenv("SB_SECRET_MNEMONIC") }()
+	defer os.Unsetenv("SB_SECRET_MNEMONIC")
-	defer func() { _ = os.Unsetenv("SB_UNLOCK_PASSPHRASE") }()
+	defer os.Unsetenv("SB_UNLOCK_PASSPHRASE")
 
 	// Create work vault
 	output, err := runSecret("vault", "create", "work")
@@ -489,7 +489,6 @@ func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (
 	assert.Contains(t, output, "work", "should list work vault")
 }
 
-//nolint:unused // TODO: re-enable when vault import is implemented
 func test04ImportMnemonic(t *testing.T, tempDir, testMnemonic, testPassphrase string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
 	// Import mnemonic into work vault
 	output, err := runSecretWithEnv(map[string]string{
@@ -1048,6 +1047,7 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr
 	// Test invalid secret names
 	invalidNames := []string{
 		"",                // empty
+		"UPPERCASE",       // uppercase not allowed
 		"with space",      // spaces not allowed
 		"with@symbol",     // special characters not allowed
 		"with#hash",       // special characters not allowed
@@ -1073,7 +1073,7 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr
 
 			// Some of these might not be invalid after all (e.g., leading/trailing slashes might be stripped, .hidden might be allowed)
 			// For now, just check the ones we know should definitely fail
-			definitelyInvalid := []string{"", "with space", "with@symbol", "with#hash", "with$dollar"}
+			definitelyInvalid := []string{"", "UPPERCASE", "with space", "with@symbol", "with#hash", "with$dollar"}
 			shouldFail := false
 			for _, invalid := range definitelyInvalid {
 				if invalidName == invalid {
@@ -1668,9 +1668,9 @@ func test19DisasterRecovery(t *testing.T, tempDir, secretPath, testMnemonic stri
 	assert.Equal(t, testSecretValue, strings.TrimSpace(toolOutput), "tool output should match original")
 
 	// Clean up temporary files
-	_ = os.Remove(ltPrivKeyPath)
+	os.Remove(ltPrivKeyPath)
-	_ = os.Remove(versionPrivKeyPath)
+	os.Remove(versionPrivKeyPath)
-	_ = os.Remove(decryptedValuePath)
+	os.Remove(decryptedValuePath)
 }
 
 func test20VersionTimestamps(t *testing.T, tempDir, secretPath, testMnemonic string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
@@ -1789,7 +1789,7 @@ func test23ErrorHandling(t *testing.T, tempDir, secretPath, testMnemonic string,
 
 	// Add secret without mnemonic or unlocker
 	unsetMnemonic := os.Getenv("SB_SECRET_MNEMONIC")
-	_ = os.Unsetenv("SB_SECRET_MNEMONIC")
+	os.Unsetenv("SB_SECRET_MNEMONIC")
 	cmd := exec.Command(secretPath, "add", "test/nomnemonic")
 	cmd.Env = []string{
 		fmt.Sprintf("SB_SECRET_STATE_DIR=%s", tempDir),
@@ -2129,7 +2129,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 						versionsPath := filepath.Join(secretPath, "versions")
 						if _, err := os.Stat(versionsPath); os.IsNotExist(err) {
 							// This is a malformed secret directory, remove it
-							_ = os.RemoveAll(secretPath)
+							os.RemoveAll(secretPath)
 						}
 					}
 				}
@@ -2179,7 +2179,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 	require.NoError(t, err, "restore vaults should succeed")
 
 	// Restore currentvault
-	_ = os.Remove(currentVaultSrc)
+	os.Remove(currentVaultSrc)
 	restoredData := readFile(t, currentVaultDst)
 	writeFile(t, currentVaultSrc, restoredData)
 
@@ -2285,8 +2285,6 @@ func verifyFileExists(t *testing.T, path string) {
 }
 
 // verifyFileNotExists checks if a file does not exist at the given path
-//
-//nolint:unused // kept for future use
 func verifyFileNotExists(t *testing.T, path string) {
 	t.Helper()
 	_, err := os.Stat(path)

internal/cli/secrets.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"path/filepath"
 	"strings"
 
@@ -45,10 +44,7 @@ func newAddCmd() *cobra.Command {
 			force, _ := cmd.Flags().GetBool("force")
 			secret.Debug("Got force flag", "force", force)
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 			cli.cmd = cmd // Set the command for stdin access
 			secret.Debug("Created CLI instance, calling AddSecret")
 
@@ -62,10 +58,7 @@ func newAddCmd() *cobra.Command {
 }
 
 func newGetCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := &cobra.Command{
 		Use:               "get <secret-name>",
 		Short:             "Retrieve a secret from the vault",
@@ -73,10 +66,7 @@ func newGetCmd() *cobra.Command {
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			version, _ := cmd.Flags().GetString("version")
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.GetSecretWithVersion(cmd, args[0], version)
 		},
@@ -103,10 +93,7 @@ func newListCmd() *cobra.Command {
 				filter = args[0]
 			}
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.ListSecrets(cmd, jsonOutput, quietOutput, filter)
 		},
@@ -128,10 +115,7 @@ func newImportCmd() *cobra.Command {
 			sourceFile, _ := cmd.Flags().GetString("source")
 			force, _ := cmd.Flags().GetBool("force")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.ImportSecret(cmd, args[0], sourceFile, force)
 		},
@@ -145,10 +129,7 @@ func newImportCmd() *cobra.Command {
 }
 
 func newRemoveCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := &cobra.Command{
 		Use:     "remove <secret-name>",
 		Aliases: []string{"rm"},
@@ -158,10 +139,7 @@ func newRemoveCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getSecretNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.RemoveSecret(cmd, args[0], false)
 		},
@@ -171,10 +149,7 @@ func newRemoveCmd() *cobra.Command {
 }
 
 func newMoveCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := &cobra.Command{
 		Use:     "move <source> <destination>",
 		Aliases: []string{"mv", "rename"},
@@ -197,10 +172,7 @@ The source secret is deleted after successful copy.`,
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.MoveSecret(cmd, args[0], args[1], force)
 		},
@@ -507,7 +479,7 @@ func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile str
 	}
 	defer func() {
 		if err := file.Close(); err != nil {
-			secret.Warn("Failed to close file", "error", err)
+			secret.Debug("Failed to close file", "error", err)
 		}
 	}()
 

internal/cli/secrets_size_test.go

@@ -113,10 +113,7 @@ func TestAddSecretVariousSizes(t *testing.T) {
 			cmd.SetIn(stdin)
 
 			// Create CLI instance
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				t.Fatalf("failed to initialize CLI: %v", err)
-			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
@@ -233,10 +230,7 @@ func TestImportSecretVariousSizes(t *testing.T) {
 			cmd := &cobra.Command{}
 
 			// Create CLI instance
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				t.Fatalf("failed to initialize CLI: %v", err)
-			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 
@@ -324,10 +318,7 @@ func TestAddSecretBufferGrowth(t *testing.T) {
 			cmd.SetIn(stdin)
 
 			// Create CLI instance
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				t.Fatalf("failed to initialize CLI: %v", err)
-			}
 			cli.fs = fs
 			cli.stateDir = stateDir
 			cli.cmd = cmd
@@ -386,10 +377,7 @@ func TestAddSecretStreamingBehavior(t *testing.T) {
 	cmd.SetIn(slowReader)
 
 	// Create CLI instance
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		t.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cli.fs = fs
 	cli.stateDir = stateDir
 	cli.cmd = cmd

internal/cli/unlockers.go

@@ -3,7 +3,6 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
-	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -97,10 +96,7 @@ func newUnlockerListCmd() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 			cli.cmd = cmd
 
 			return cli.UnlockersList(jsonOutput)
@@ -162,10 +158,7 @@ to access the same vault. This provides flexibility and backup access options.`,
 		Args:      cobra.ExactArgs(1),
 		ValidArgs: strings.Split(supportedTypes, ", "),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 			unlockerType := args[0]
 
 			// Validate unlocker type
@@ -198,10 +191,7 @@ to access the same vault. This provides flexibility and backup access options.`,
 }
 
 func newUnlockerRemoveCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := &cobra.Command{
 		Use:     "remove <unlocker-id>",
 		Aliases: []string{"rm"},
@@ -213,10 +203,7 @@ func newUnlockerRemoveCmd() *cobra.Command {
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.UnlockersRemove(args[0], force, cmd)
 		},
@@ -228,10 +215,7 @@ func newUnlockerRemoveCmd() *cobra.Command {
 }
 
 func newUnlockerSelectCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	return &cobra.Command{
 		Use:               "select <unlocker-id>",
@@ -239,10 +223,7 @@ func newUnlockerSelectCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(_ *cobra.Command, args []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.UnlockerSelect(args[0])
 		},
@@ -276,8 +257,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		// Create unlocker instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
-			secret.Warn("Could not get vault directory while listing unlockers", "error", err)
-
 			continue
 		}
 
@@ -285,8 +264,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
-			secret.Warn("Could not read unlockers directory", "error", err)
-
 			continue
 		}
 
@@ -302,16 +279,12 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 			// Check if this is the right unlocker by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
-				secret.Warn("Could not read unlocker metadata file", "path", metadataPath, "error", err)
+				continue // FIXME this error needs to be handled
-
-				continue
 			}
 
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-				secret.Warn("Could not parse unlocker metadata file", "path", metadataPath, "error", err)
+				continue // FIXME this error needs to be handled
-
-				continue
 			}
 
 			// Match by type and creation time
@@ -339,7 +312,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		} else {
 			// Generate ID as fallback
 			properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
-			secret.Warn("Could not create unlocker instance, using fallback ID", "fallback_id", properID, "type", metadata.Type)
 		}
 
 		unlockerInfo := UnlockerInfo{
@@ -631,16 +603,12 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 	// Get the list of unlockers and check if any match the ID
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
-		secret.Warn("Could not list unlockers during duplicate check", "error", err)
-
 		return nil // If we can't list unlockers, assume it doesn't exist
 	}
 
 	// Get vault directory to construct unlocker instances
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
-		secret.Warn("Could not get vault directory during duplicate check", "error", err)
-
 		return nil
 	}
 
@@ -650,8 +618,6 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
-			secret.Warn("Could not read unlockers directory during duplicate check", "error", err)
-
 			continue
 		}
 
@@ -666,15 +632,11 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 			// Check if this matches our metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
-				secret.Warn("Could not read unlocker metadata during duplicate check", "path", metadataPath, "error", err)
-
 				continue
 			}
 
 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-				secret.Warn("Could not parse unlocker metadata during duplicate check", "path", metadataPath, "error", err)
-
 				continue
 			}
 

internal/cli/vault.go

@@ -3,7 +3,6 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
-	"log"
 	"os"
 	"path/filepath"
 	"strings"
@@ -42,10 +41,7 @@ func newVaultListCmd() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.ListVaults(cmd, jsonOutput)
 		},
@@ -62,10 +58,7 @@ func newVaultCreateCmd() *cobra.Command {
 		Short: "Create a new vault",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.CreateVault(cmd, args[0])
 		},
@@ -73,10 +66,7 @@ func newVaultCreateCmd() *cobra.Command {
 }
 
 func newVaultSelectCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	return &cobra.Command{
 		Use:               "select <name>",
@@ -84,10 +74,7 @@ func newVaultSelectCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.SelectVault(cmd, args[0])
 		},
@@ -95,10 +82,7 @@ func newVaultSelectCmd() *cobra.Command {
 }
 
 func newVaultImportCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	return &cobra.Command{
 		Use:               "import <vault-name>",
@@ -112,10 +96,7 @@ func newVaultImportCmd() *cobra.Command {
 				vaultName = args[0]
 			}
 
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.VaultImport(cmd, vaultName)
 		},
@@ -123,10 +104,7 @@ func newVaultImportCmd() *cobra.Command {
 }
 
 func newVaultRemoveCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := &cobra.Command{
 		Use:     "remove <name>",
 		Aliases: []string{"rm"},
@@ -137,10 +115,7 @@ func newVaultRemoveCmd() *cobra.Command {
 		ValidArgsFunction: getVaultNamesCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli, err := NewCLIInstance()
+			cli := NewCLIInstance()
-			if err != nil {
-				return fmt.Errorf("failed to initialize CLI: %w", err)
-			}
 
 			return cli.RemoveVault(cmd, args[0], force)
 		},

internal/cli/version.go

@@ -2,7 +2,6 @@ package cli
 
 import (
 	"fmt"
-	"log"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
@@ -19,10 +18,7 @@ const (
 
 // newVersionCmd returns the version management command
 func newVersionCmd() *cobra.Command {
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		log.Fatalf("failed to initialize CLI: %v", err)
-	}
 
 	return VersionCommands(cli)
 }
@@ -164,7 +160,7 @@ func (cli *Instance) ListVersions(cmd *cobra.Command, secretName string) error {
 
 		// Load metadata
 		if err := sv.LoadMetadata(ltIdentity); err != nil {
-			secret.Warn("Failed to load version metadata", "version", version, "error", err)
+			secret.Debug("Failed to load version metadata", "version", version, "error", err)
 			// Display version with error
 			status := "error"
 			if version == currentVersion {

internal/cli/version_test.go

@@ -266,10 +266,7 @@ func TestGetSecretWithVersion(t *testing.T) {
 
 func TestVersionCommandStructure(t *testing.T) {
 	// Test that version commands are properly structured
-	cli, err := NewCLIInstance()
+	cli := NewCLIInstance()
-	if err != nil {
-		t.Fatalf("failed to initialize CLI: %v", err)
-	}
 	cmd := VersionCommands(cli)
 
 	assert.Equal(t, "version", cmd.Use)

internal/macse/secure_enclave.h

@@ -1,5 +1,3 @@
-//go:build darwin
-
 #ifndef SECURE_ENCLAVE_H
 #define SECURE_ENCLAVE_H
 

internal/macse/secure_enclave.m

@@ -1,5 +1,3 @@
-//go:build darwin
-
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #include "secure_enclave.h"

internal/secret/crypto.go

@@ -68,11 +68,6 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 
-	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
-	for i := range result {
-		result[i] = 0
-	}
-
 	return resultBuffer, nil
 }
 

internal/secret/debug.go

@@ -58,16 +58,6 @@ func IsDebugEnabled() bool {
 	return debugEnabled
 }
 
-// Warn logs a warning message to stderr unconditionally (visible without --verbose or debug flags)
-func Warn(msg string, args ...any) {
-	output := fmt.Sprintf("WARNING: %s", msg)
-	for i := 0; i+1 < len(args); i += 2 {
-		output += fmt.Sprintf(" %s=%v", args[i], args[i+1])
-	}
-	output += "\n"
-	fmt.Fprint(os.Stderr, output)
-}
-
 // Debug logs a debug message with optional attributes
 func Debug(msg string, args ...any) {
 	if !debugEnabled {

internal/secret/derivation_index_test.go

@@ -1,84 +0,0 @@
-//go:build darwin
-
-package secret
-
-import (
-	"encoding/json"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"git.eeqj.de/sneak/secret/pkg/agehd"
-	"github.com/awnumar/memguard"
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// realVault is a minimal VaultInterface backed by a real afero filesystem,
-// using the same directory layout as vault.Vault.
-type realVault struct {
-	name     string
-	stateDir string
-	fs       afero.Fs
-}
-
-func (v *realVault) GetDirectory() (string, error) {
-	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
-}
-func (v *realVault) GetName() string         { return v.name }
-func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
-
-// Unused by getLongTermPrivateKey — these satisfy VaultInterface.
-func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
-func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
-func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
-	panic("not used")
-}
-
-// createRealVault sets up a complete vault directory structure on an in-memory
-// filesystem, identical to what vault.CreateVault produces.
-func createRealVault(t *testing.T, fs afero.Fs, stateDir, name string, derivationIndex uint32) *realVault {
-	t.Helper()
-
-	vaultDir := filepath.Join(stateDir, "vaults.d", name)
-	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "secrets.d"), DirPerms))
-	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "unlockers.d"), DirPerms))
-
-	metadata := VaultMetadata{
-		CreatedAt:       time.Now(),
-		DerivationIndex: derivationIndex,
-	}
-	metaBytes, err := json.Marshal(metadata)
-	require.NoError(t, err)
-	require.NoError(t, afero.WriteFile(fs, filepath.Join(vaultDir, "vault-metadata.json"), metaBytes, FilePerms))
-
-	return &realVault{name: name, stateDir: stateDir, fs: fs}
-}
-
-func TestGetLongTermPrivateKeyUsesVaultDerivationIndex(t *testing.T) {
-	const testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-
-	// Derive expected keys at two different indices to prove they differ.
-	key0, err := agehd.DeriveIdentity(testMnemonic, 0)
-	require.NoError(t, err)
-	key5, err := agehd.DeriveIdentity(testMnemonic, 5)
-	require.NoError(t, err)
-	require.NotEqual(t, key0.String(), key5.String(),
-		"sanity check: different derivation indices must produce different keys")
-
-	// Build a real vault with DerivationIndex=5 on an in-memory filesystem.
-	fs := afero.NewMemMapFs()
-	vault := createRealVault(t, fs, "/state", "test-vault", 5)
-
-	t.Setenv(EnvMnemonic, testMnemonic)
-
-	result, err := getLongTermPrivateKey(fs, vault)
-	require.NoError(t, err)
-	defer result.Destroy()
-
-	assert.Equal(t, key5.String(), string(result.Bytes()),
-		"getLongTermPrivateKey should derive at vault's DerivationIndex (5)")
-	assert.NotEqual(t, key0.String(), string(result.Bytes()),
-		"getLongTermPrivateKey must not use hardcoded index 0")
-}

internal/secret/helpers.go

@@ -1,22 +1,43 @@
 package secret
 
 import (
+	"crypto/rand"
 	"fmt"
+	"math/big"
 	"os"
 	"path/filepath"
 )
 
-// DetermineStateDir determines the state directory based on environment variables and OS.
+// generateRandomString generates a random string of the specified length using the given character set
-// It returns an error if no usable directory can be determined.
+func generateRandomString(length int, charset string) (string, error) {
-func DetermineStateDir(customConfigDir string) (string, error) {
+	if length <= 0 {
+		return "", fmt.Errorf("length must be positive")
+	}
+
+	result := make([]byte, length)
+	charsetLen := big.NewInt(int64(len(charset)))
+
+	for i := range length {
+		randomIndex, err := rand.Int(rand.Reader, charsetLen)
+		if err != nil {
+			return "", fmt.Errorf("failed to generate random number: %w", err)
+		}
+		result[i] = charset[randomIndex.Int64()]
+	}
+
+	return string(result), nil
+}
+
+// DetermineStateDir determines the state directory based on environment variables and OS
+func DetermineStateDir(customConfigDir string) string {
 	// Check for environment variable first
 	if envStateDir := os.Getenv(EnvStateDir); envStateDir != "" {
-		return envStateDir, nil
+		return envStateDir
 	}
 
 	// Use custom config dir if provided
 	if customConfigDir != "" {
-		return filepath.Join(customConfigDir, AppID), nil
+		return filepath.Join(customConfigDir, AppID)
 	}
 
 	// Use os.UserConfigDir() which handles platform-specific directories:
@@ -26,16 +47,10 @@ func DetermineStateDir(customConfigDir string) (string, error) {
 	configDir, err := os.UserConfigDir()
 	if err != nil {
 		// Fallback to a reasonable default if we can't determine user config dir
-		homeDir, homeErr := os.UserHomeDir()
+		homeDir, _ := os.UserHomeDir()
-		if homeErr != nil {
-			return "", fmt.Errorf("unable to determine state directory: config dir: %w, home dir: %w", err, homeErr)
-		}
 
-		fallbackDir := filepath.Join(homeDir, ".config", AppID)
+		return filepath.Join(homeDir, ".config", AppID)
-		Warn("Could not determine user config directory, falling back to default", "fallback", fallbackDir, "error", err)
-
-		return fallbackDir, nil
 	}
 
-	return filepath.Join(configDir, AppID), nil
+	return filepath.Join(configDir, AppID)
 }

internal/secret/helpers_darwin.go

@@ -1,29 +0,0 @@
-//go:build darwin
-
-package secret
-
-import (
-	"crypto/rand"
-	"fmt"
-	"math/big"
-)
-
-// generateRandomString generates a random string of the specified length using the given character set
-func generateRandomString(length int, charset string) (string, error) {
-	if length <= 0 {
-		return "", fmt.Errorf("length must be positive")
-	}
-
-	result := make([]byte, length)
-	charsetLen := big.NewInt(int64(len(charset)))
-
-	for i := range length {
-		randomIndex, err := rand.Int(rand.Reader, charsetLen)
-		if err != nil {
-			return "", fmt.Errorf("failed to generate random number: %w", err)
-		}
-		result[i] = charset[randomIndex.Int64()]
-	}
-
-	return string(result), nil
-}

internal/secret/helpers_test.go

@@ -1,50 +0,0 @@
-package secret
-
-import (
-	"testing"
-)
-
-func TestDetermineStateDir_ErrorsWhenHomeDirUnavailable(t *testing.T) {
-	// Clear all env vars that could provide a home/config directory.
-	// On Darwin, os.UserHomeDir may still succeed via the password
-	// database, so we also test via an explicit empty-customConfigDir
-	// path to exercise the fallback branch.
-	t.Setenv(EnvStateDir, "")
-	t.Setenv("HOME", "")
-	t.Setenv("XDG_CONFIG_HOME", "")
-
-	result, err := DetermineStateDir("")
-	// On systems where both lookups fail, we must get an error.
-	// On systems where the OS provides a fallback (e.g. macOS pw db),
-	// result should still be valid (non-empty, not root-relative).
-	if err != nil {
-		// Good — the error case is handled.
-		return
-	}
-	if result == "/.config/"+AppID || result == "" {
-		t.Errorf("DetermineStateDir returned dangerous/empty path %q without error", result)
-	}
-}
-
-func TestDetermineStateDir_UsesEnvVar(t *testing.T) {
-	t.Setenv(EnvStateDir, "/custom/state")
-	result, err := DetermineStateDir("")
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if result != "/custom/state" {
-		t.Errorf("expected /custom/state, got %q", result)
-	}
-}
-
-func TestDetermineStateDir_UsesCustomConfigDir(t *testing.T) {
-	t.Setenv(EnvStateDir, "")
-	result, err := DetermineStateDir("/my/config")
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	expected := "/my/config/" + AppID
-	if result != expected {
-		t.Errorf("expected %q, got %q", expected, result)
-	}
-}

internal/secret/keychainunlocker.go

@@ -251,25 +251,8 @@ func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedB
 	// Check if mnemonic is available in environment variable
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		// Read vault metadata to get the correct derivation index
+		// Use mnemonic directly to derive long-term key
-		vaultDir, err := vault.GetDirectory()
+		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get vault directory: %w", err)
-		}
-
-		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
-		metadataBytes, err := afero.ReadFile(fs, metadataPath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
-		}
-
-		var metadata VaultMetadata
-		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
-			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
-		}
-
-		// Use mnemonic with the vault's actual derivation index
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}

internal/secret/keychainunlocker_stub.go

@@ -4,8 +4,6 @@
 package secret
 
 import (
-	"fmt"
-
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
@@ -24,59 +22,52 @@ type KeychainUnlocker struct {
 	fs        afero.Fs
 }
 
-var errKeychainNotSupported = fmt.Errorf("keychain unlockers are only supported on macOS")
+// GetIdentity panics on non-Darwin platforms
-
-// GetIdentity returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	return nil, errKeychainNotSupported
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// GetType returns the unlocker type
+// GetType panics on non-Darwin platforms
 func (k *KeychainUnlocker) GetType() string {
-	return "keychain"
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// GetMetadata returns the unlocker metadata
+// GetMetadata panics on non-Darwin platforms
 func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
-	return k.Metadata
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// GetDirectory returns the unlocker directory
+// GetDirectory panics on non-Darwin platforms
 func (k *KeychainUnlocker) GetDirectory() string {
-	return k.Directory
+	panic("keychain unlockers are only supported on macOS")
 }
 
 // GetID returns the unlocker ID
 func (k *KeychainUnlocker) GetID() string {
-	return fmt.Sprintf("%s-keychain", k.Metadata.CreatedAt.Format("2006-01-02.15.04"))
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// GetKeychainItemName returns an error on non-Darwin platforms
+// GetKeychainItemName panics on non-Darwin platforms
 func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
-	return "", errKeychainNotSupported
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// Remove returns an error on non-Darwin platforms
+// Remove panics on non-Darwin platforms
 func (k *KeychainUnlocker) Remove() error {
-	return errKeychainNotSupported
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// NewKeychainUnlocker creates a stub KeychainUnlocker on non-Darwin platforms.
+// NewKeychainUnlocker panics on non-Darwin platforms
-// The returned instance's methods that require macOS functionality will return errors.
 func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
-	return &KeychainUnlocker{
+	panic("keychain unlockers are only supported on macOS")
-		Directory: directory,
-		Metadata:  metadata,
-		fs:        fs,
-	}
 }
 
-// CreateKeychainUnlocker returns an error on non-Darwin platforms
+// CreateKeychainUnlocker panics on non-Darwin platforms
-func CreateKeychainUnlocker(_ afero.Fs, _ string) (*KeychainUnlocker, error) {
+func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
-	return nil, errKeychainNotSupported
+	panic("keychain unlockers are only supported on macOS")
 }
 
-// getLongTermPrivateKey returns an error on non-Darwin platforms
+// getLongTermPrivateKey panics on non-Darwin platforms
-func getLongTermPrivateKey(_ afero.Fs, _ VaultInterface) (*memguard.LockedBuffer, error) {
+func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
-	return nil, errKeychainNotSupported
+	panic("keychain unlockers are only supported on macOS")
 }

internal/secret/passphrase_test.go

@@ -24,7 +24,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
+	defer os.RemoveAll(tempDir) // Clean up after test
 
 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -155,7 +155,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	})
 
 	// Unset the environment variable to test interactive prompt
-	_ = os.Unsetenv(secret.EnvUnlockPassphrase)
+	os.Unsetenv(secret.EnvUnlockPassphrase)
 
 	// Test getting identity from prompt (this would require mocking the prompt)
 	// For real integration tests, we'd need to provide a way to mock the passphrase input

internal/secret/pgpunlock_test.go

@@ -1,5 +1,3 @@
-//go:build darwin
-
 package secret_test
 
 import (
@@ -142,7 +140,7 @@ func TestPGPUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test
+	defer os.RemoveAll(tempDir) // Clean up after test
 
 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")

internal/secret/pgpunlocker.go

@@ -320,9 +320,7 @@ func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	}
 
 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command( // #nosec G204 -- keyID validated
+	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
-		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
-	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@@ -361,9 +359,7 @@ func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 
-	cmd := exec.Command( // #nosec G204 -- keyID validated
+	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
-		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
-	)
 	cmd.Stdin = strings.NewReader(data.String())
 
 	output, err := cmd.Output()

internal/secret/secret_test.go

@@ -257,10 +257,9 @@ func isValidSecretName(name string) bool {
 	if name == "" {
 		return false
 	}
-	// Valid characters for secret names: letters, numbers, dash, dot, underscore, slash
+	// Valid characters for secret names: lowercase letters, numbers, dash, dot, underscore, slash
 	for _, char := range name {
 		if (char < 'a' || char > 'z') && // lowercase letters
-			(char < 'A' || char > 'Z') && // uppercase letters
 			(char < '0' || char > '9') && // numbers
 			char != '-' && // dash
 			char != '.' && // dot
@@ -284,11 +283,9 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Valid-Upper-Name", true}, // uppercase allowed
+		{"Invalid-Name", false}, // uppercase not allowed
-		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
+		{"invalid name", false}, // space not allowed
-		{"MixedCase/Path/Name", true},                         // mixed case with path
+		{"invalid@name", false}, // @ not allowed
-		{"invalid name", false},                               // space not allowed
-		{"invalid@name", false},                               // @ not allowed
 	}
 
 	for _, test := range tests {

internal/secret/seunlocker_darwin.go

@@ -60,10 +60,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
 	encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to read SE-encrypted long-term key: %w", err)
-			"failed to read SE-encrypted long-term key: %w",
-			err,
-		)
 	}
 
 	DebugWith("Read SE-encrypted long-term key",
@@ -73,10 +70,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
 	decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to decrypt long-term key with SE: %w", err)
-			"failed to decrypt long-term key with SE: %w",
-			err,
-		)
 	}
 
 	// Parse the decrypted long-term private key
@@ -88,10 +82,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	}
 
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
-			"failed to parse long-term private key: %w",
-			err,
-		)
 	}
 
 	DebugWith("Successfully decrypted long-term key via SE",
@@ -174,11 +165,7 @@ func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err e
 }
 
 // NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
-func NewSecureEnclaveUnlocker(
+func NewSecureEnclaveUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *SecureEnclaveUnlocker {
-	fs afero.Fs,
-	directory string,
-	metadata UnlockerMetadata,
-) *SecureEnclaveUnlocker {
 	return &SecureEnclaveUnlocker{
 		Directory: directory,
 		Metadata:  metadata,
@@ -195,22 +182,13 @@ func generateSEKeyLabel(vaultName string) (string, error) {
 
 	enrollmentDate := time.Now().UTC().Format("2006-01-02")
 
-	return fmt.Sprintf(
+	return fmt.Sprintf("%s.%s-%s-%s", seKeyLabelPrefix, vaultName, hostname, enrollmentDate), nil
-		"%s.%s-%s-%s",
-		seKeyLabelPrefix,
-		vaultName,
-		hostname,
-		enrollmentDate,
-	), nil
 }
 
 // CreateSecureEnclaveUnlocker creates a new SE unlocker.
 // The vault's long-term private key is encrypted directly by the Secure Enclave
 // using ECIES. No intermediate age keypair is used.
-func CreateSecureEnclaveUnlocker(
+func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUnlocker, error) {
-	fs afero.Fs,
-	stateDir string,
-) (*SecureEnclaveUnlocker, error) {
 	if err := checkMacOSAvailable(); err != nil {
 		return nil, err
 	}
@@ -238,20 +216,14 @@ func CreateSecureEnclaveUnlocker(
 	// Step 2: Get the vault's long-term private key
 	ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to get long-term private key: %w", err)
-			"failed to get long-term private key: %w",
-			err,
-		)
 	}
 	defer ltPrivKeyData.Destroy()
 
 	// Step 3: Encrypt the long-term key directly with the SE (ECIES)
 	encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to encrypt long-term key with SE: %w", err)
-			"failed to encrypt long-term key with SE: %w",
-			err,
-		)
 	}
 
 	// Step 4: Create unlocker directory and write files
@@ -263,19 +235,13 @@ func CreateSecureEnclaveUnlocker(
 	unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
 	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
 	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
-			"failed to create unlocker directory: %w",
-			err,
-		)
 	}
 
 	// Write SE-encrypted long-term key
 	ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
 	if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to write SE-encrypted long-term key: %w", err)
-			"failed to write SE-encrypted long-term key: %w",
-			err,
-		)
 	}
 
 	// Write metadata
@@ -308,40 +274,12 @@ func CreateSecureEnclaveUnlocker(
 
 // getLongTermKeyForSE retrieves the vault's long-term private key
 // either from the mnemonic env var or by unlocking via the current unlocker.
-func getLongTermKeyForSE(
+func getLongTermKeyForSE(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
-	fs afero.Fs,
-	vault VaultInterface,
-) (*memguard.LockedBuffer, error) {
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		// Read vault metadata to get the correct derivation index
+		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
-		vaultDir, err := vault.GetDirectory()
 		if err != nil {
-			return nil, fmt.Errorf("failed to get vault directory: %w", err)
+			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
-		}
-
-		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
-		metadataBytes, err := afero.ReadFile(fs, metadataPath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
-		}
-
-		var metadata VaultMetadata
-		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
-			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
-		}
-
-		// Use mnemonic with the vault's actual derivation index
-		ltIdentity, err := agehd.DeriveIdentity(
-			envMnemonic,
-			metadata.DerivationIndex,
-		)
-
-		if err != nil {
-			return nil, fmt.Errorf(
-				"failed to derive long-term key from mnemonic: %w",
-				err,
-			)
 		}
 
 		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
@@ -354,29 +292,17 @@ func getLongTermKeyForSE(
 
 	currentIdentity, err := currentUnlocker.GetIdentity()
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
-			"failed to get current unlocker identity: %w",
-			err,
-		)
 	}
 
 	// All unlocker types store longterm.age in their directory
-	longtermPath := filepath.Join(
+	longtermPath := filepath.Join(currentUnlocker.GetDirectory(), "longterm.age")
-		currentUnlocker.GetDirectory(),
-		"longterm.age",
-	)
 	encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to read encrypted long-term key: %w", err)
-			"failed to read encrypted long-term key: %w",
-			err,
-		)
 	}
 
-	ltPrivKeyBuffer, err := DecryptWithIdentity(
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtKey, currentIdentity)
-		encryptedLtKey,
-		currentIdentity,
-	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
 	}

internal/secret/seunlocker_stub.go

@@ -4,16 +4,10 @@
 package secret
 
 import (
-	"fmt"
-
 	"filippo.io/age"
 	"github.com/spf13/afero"
 )
 
-var errSENotSupported = fmt.Errorf(
-	"secure enclave unlockers are only supported on macOS",
-)
-
 // SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
 type SecureEnclaveUnlockerMetadata struct {
 	UnlockerMetadata
@@ -28,57 +22,42 @@ type SecureEnclaveUnlocker struct {
 	fs        afero.Fs
 }
 
-// GetIdentity returns an error on non-Darwin platforms.
+// GetIdentity panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	return nil, errSENotSupported
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetType returns the unlocker type.
+// GetType panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetType() string {
-	return "secure-enclave"
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetMetadata returns the unlocker metadata.
+// GetMetadata panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
-	return s.Metadata
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetDirectory returns the unlocker directory.
+// GetDirectory panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetDirectory() string {
-	return s.Directory
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// GetID returns the unlocker ID.
+// GetID panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) GetID() string {
-	return fmt.Sprintf(
+	panic("secure enclave unlockers are only supported on macOS")
-		"%s-secure-enclave",
-		s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
-	)
 }
 
-// Remove returns an error on non-Darwin platforms.
+// Remove panics on non-Darwin platforms.
 func (s *SecureEnclaveUnlocker) Remove() error {
-	return errSENotSupported
+	panic("secure enclave unlockers are only supported on macOS")
 }
 
-// NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
+// NewSecureEnclaveUnlocker panics on non-Darwin platforms.
-// The returned instance's methods that require macOS functionality will return errors.
+func NewSecureEnclaveUnlocker(_ afero.Fs, _ string, _ UnlockerMetadata) *SecureEnclaveUnlocker {
-func NewSecureEnclaveUnlocker(
+	panic("secure enclave unlockers are only supported on macOS")
-	fs afero.Fs,
-	directory string,
-	metadata UnlockerMetadata,
-) *SecureEnclaveUnlocker {
-	return &SecureEnclaveUnlocker{
-		Directory: directory,
-		Metadata:  metadata,
-		fs:        fs,
-	}
 }
 
-// CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
+// CreateSecureEnclaveUnlocker panics on non-Darwin platforms.
-func CreateSecureEnclaveUnlocker(
+func CreateSecureEnclaveUnlocker(_ afero.Fs, _ string) (*SecureEnclaveUnlocker, error) {
-	_ afero.Fs,
+	panic("secure enclave unlockers are only supported on macOS")
-	_ string,
-) (*SecureEnclaveUnlocker, error) {
-	return nil, errSENotSupported
 }

internal/secret/seunlocker_stub_test.go

@@ -1,90 +0,0 @@
-//go:build !darwin
-// +build !darwin
-
-package secret
-
-import (
-	"testing"
-	"time"
-
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewSecureEnclaveUnlocker(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker"
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-		Flags:     []string{"secure-enclave", "macos"},
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
-
-	// Test GetType returns correct type
-	assert.Equal(t, "secure-enclave", unlocker.GetType())
-
-	// Test GetMetadata returns the metadata we passed in
-	assert.Equal(t, metadata, unlocker.GetMetadata())
-
-	// Test GetDirectory returns the directory we passed in
-	assert.Equal(t, dir, unlocker.GetDirectory())
-
-	// Test GetID returns a formatted string with the creation timestamp
-	expectedID := "2026-01-15.10.30-secure-enclave"
-	assert.Equal(t, expectedID, unlocker.GetID())
-}
-
-func TestSecureEnclaveUnlockerGetIdentityReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	identity, err := unlocker.GetIdentity()
-	assert.Nil(t, identity)
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestSecureEnclaveUnlockerRemoveReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	err := unlocker.Remove()
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestCreateSecureEnclaveUnlockerReturnsError(t *testing.T) {
-	fs := afero.NewMemMapFs()
-
-	unlocker, err := CreateSecureEnclaveUnlocker(fs, "/tmp/test")
-	assert.Nil(t, unlocker)
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, errSENotSupported)
-}
-
-func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	// Verify the stub implements the Unlocker interface
-	var _ Unlocker = unlocker
-}

internal/secret/seunlocker_test.go

@@ -1,101 +0,0 @@
-//go:build darwin
-// +build darwin
-
-package secret
-
-import (
-	"testing"
-	"time"
-
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewSecureEnclaveUnlocker(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker"
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-		Flags:     []string{"secure-enclave", "macos"},
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
-
-	// Test GetType returns correct type
-	assert.Equal(t, seUnlockerType, unlocker.GetType())
-
-	// Test GetMetadata returns the metadata we passed in
-	assert.Equal(t, metadata, unlocker.GetMetadata())
-
-	// Test GetDirectory returns the directory we passed in
-	assert.Equal(t, dir, unlocker.GetDirectory())
-}
-
-func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Now().UTC(),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-
-	// Verify the darwin implementation implements the Unlocker interface
-	var _ Unlocker = unlocker
-}
-
-func TestSecureEnclaveUnlockerGetIDFormat(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 3, 10, 14, 30, 0, 0, time.UTC),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
-	id := unlocker.GetID()
-
-	// ID should contain the timestamp and "secure-enclave" type
-	assert.Contains(t, id, "2026-03-10.14.30")
-	assert.Contains(t, id, seUnlockerType)
-}
-
-func TestGenerateSEKeyLabel(t *testing.T) {
-	label, err := generateSEKeyLabel("test-vault")
-	require.NoError(t, err)
-
-	// Label should contain the prefix and vault name
-	assert.Contains(t, label, seKeyLabelPrefix)
-	assert.Contains(t, label, "test-vault")
-}
-
-func TestSecureEnclaveUnlockerGetIdentityMissingFile(t *testing.T) {
-	fs := afero.NewMemMapFs()
-	dir := "/tmp/test-se-unlocker-missing"
-
-	// Create unlocker directory with metadata but no encrypted key file
-	require.NoError(t, fs.MkdirAll(dir, DirPerms))
-
-	metadataJSON := `{
-		"type": "secure-enclave",
-		"createdAt": "2026-01-15T10:30:00Z",
-		"seKeyLabel": "berlin.sneak.app.secret.se.test",
-		"seKeyHash": "abc123"
-	}`
-	require.NoError(t, afero.WriteFile(fs, dir+"/unlocker-metadata.json", []byte(metadataJSON), FilePerms))
-
-	metadata := UnlockerMetadata{
-		Type:      "secure-enclave",
-		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
-	}
-
-	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
-
-	// GetIdentity should fail because the encrypted longterm key file is missing
-	identity, err := unlocker.GetIdentity()
-	assert.Nil(t, identity)
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to read SE-encrypted long-term key")
-}

internal/secret/validation_darwin_test.go

@@ -1,148 +0,0 @@
-//go:build darwin
-
-package secret
-
-import (
-	"testing"
-)
-
-func TestValidateKeychainItemName(t *testing.T) {
-	tests := []struct {
-		name     string
-		itemName string
-		wantErr  bool
-	}{
-		// Valid cases
-		{
-			name:     "valid simple name",
-			itemName: "my-secret-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with dots",
-			itemName: "com.example.app.key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with underscores",
-			itemName: "my_secret_key_123",
-			wantErr:  false,
-		},
-		{
-			name:     "valid alphanumeric",
-			itemName: "Secret123Key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with hyphen at start",
-			itemName: "-my-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with dot at start",
-			itemName: ".hidden-key",
-			wantErr:  false,
-		},
-
-		// Invalid cases
-		{
-			name:     "empty item name",
-			itemName: "",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with spaces",
-			itemName: "my secret key",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with semicolon",
-			itemName: "key;rm -rf /",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with pipe",
-			itemName: "key|cat /etc/passwd",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backticks",
-			itemName: "key`whoami`",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with dollar sign",
-			itemName: "key$(whoami)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with quotes",
-			itemName: "key\"name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with single quotes",
-			itemName: "key'name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backslash",
-			itemName: "key\\name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with newline",
-			itemName: "key\nname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with carriage return",
-			itemName: "key\rname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with ampersand",
-			itemName: "key&echo test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with redirect",
-			itemName: "key>/tmp/test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with null byte",
-			itemName: "key\x00name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with parentheses",
-			itemName: "key(test)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with brackets",
-			itemName: "key[test]",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with asterisk",
-			itemName: "key*",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with question mark",
-			itemName: "key?",
-			wantErr:  true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateKeychainItemName(tt.itemName)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}

internal/secret/validation_test.go

@@ -154,3 +154,144 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateKeychainItemName(t *testing.T) {
+	tests := []struct {
+		name     string
+		itemName string
+		wantErr  bool
+	}{
+		// Valid cases
+		{
+			name:     "valid simple name",
+			itemName: "my-secret-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with dots",
+			itemName: "com.example.app.key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with underscores",
+			itemName: "my_secret_key_123",
+			wantErr:  false,
+		},
+		{
+			name:     "valid alphanumeric",
+			itemName: "Secret123Key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with hyphen at start",
+			itemName: "-my-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with dot at start",
+			itemName: ".hidden-key",
+			wantErr:  false,
+		},
+
+		// Invalid cases
+		{
+			name:     "empty item name",
+			itemName: "",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with spaces",
+			itemName: "my secret key",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with semicolon",
+			itemName: "key;rm -rf /",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with pipe",
+			itemName: "key|cat /etc/passwd",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backticks",
+			itemName: "key`whoami`",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with dollar sign",
+			itemName: "key$(whoami)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with quotes",
+			itemName: "key\"name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with single quotes",
+			itemName: "key'name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backslash",
+			itemName: "key\\name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with newline",
+			itemName: "key\nname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with carriage return",
+			itemName: "key\rname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with ampersand",
+			itemName: "key&echo test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with redirect",
+			itemName: "key>/tmp/test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with null byte",
+			itemName: "key\x00name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with parentheses",
+			itemName: "key(test)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with brackets",
+			itemName: "key[test]",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with asterisk",
+			itemName: "key*",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with question mark",
+			itemName: "key?",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateKeychainItemName(tt.itemName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

internal/secret/version.go

@@ -102,8 +102,6 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
 
 		var serial int
 		if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err != nil {
-			Warn("Skipping malformed version directory name", "name", entry.Name(), "error", err)
-
 			continue
 		}
 

internal/vault/path_traversal_test.go

@@ -1,96 +0,0 @@
-package vault
-
-import (
-	"testing"
-
-	"git.eeqj.de/sneak/secret/internal/secret"
-	"github.com/awnumar/memguard"
-	"github.com/spf13/afero"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// TestGetSecretVersionRejectsPathTraversal verifies that GetSecretVersion
-// validates the secret name and rejects path traversal attempts.
-// This is a regression test for https://git.eeqj.de/sneak/secret/issues/13
-func TestGetSecretVersionRejectsPathTraversal(t *testing.T) {
-	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
-
-	fs := afero.NewMemMapFs()
-	stateDir := "/test/state"
-
-	vlt, err := CreateVault(fs, stateDir, "test-vault")
-	require.NoError(t, err)
-
-	// Add a legitimate secret so the vault is set up
-	value := memguard.NewBufferFromBytes([]byte("legitimate-secret"))
-	err = vlt.AddSecret("legit", value, false)
-	require.NoError(t, err)
-
-	// These names contain path traversal and should be rejected
-	maliciousNames := []string{
-		"../../../etc/passwd",
-		"..%2f..%2fetc/passwd",
-		".secret",
-		"../sibling-vault/secrets.d/target",
-		"foo/../bar",
-		"a/../../etc/passwd",
-	}
-
-	for _, name := range maliciousNames {
-		t.Run(name, func(t *testing.T) {
-			_, err := vlt.GetSecretVersion(name, "")
-			assert.Error(t, err, "GetSecretVersion should reject malicious name: %s", name)
-			assert.Contains(t, err.Error(), "invalid secret name",
-				"error should indicate invalid name for: %s", name)
-		})
-	}
-}
-
-// TestGetSecretRejectsPathTraversal verifies GetSecret (which calls GetSecretVersion)
-// also rejects path traversal names.
-func TestGetSecretRejectsPathTraversal(t *testing.T) {
-	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
-
-	fs := afero.NewMemMapFs()
-	stateDir := "/test/state"
-
-	vlt, err := CreateVault(fs, stateDir, "test-vault")
-	require.NoError(t, err)
-
-	_, err = vlt.GetSecret("../../../etc/passwd")
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid secret name")
-}
-
-// TestGetSecretObjectRejectsPathTraversal verifies GetSecretObject
-// also validates names and rejects path traversal attempts.
-func TestGetSecretObjectRejectsPathTraversal(t *testing.T) {
-	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
-
-	fs := afero.NewMemMapFs()
-	stateDir := "/test/state"
-
-	vlt, err := CreateVault(fs, stateDir, "test-vault")
-	require.NoError(t, err)
-
-	maliciousNames := []string{
-		"../../../etc/passwd",
-		"foo/../bar",
-		"a/../../etc/passwd",
-	}
-
-	for _, name := range maliciousNames {
-		t.Run(name, func(t *testing.T) {
-			_, err := vlt.GetSecretObject(name)
-			assert.Error(t, err, "GetSecretObject should reject: %s", name)
-			assert.Contains(t, err.Error(), "invalid secret name")
-		})
-	}
-}

internal/vault/secrets.go

@@ -67,7 +67,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	return secrets, nil
 }
 
-// isValidSecretName validates secret names according to the format [a-zA-Z0-9\.\-\_\/]+
+// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
 // but with additional restrictions:
 // - No leading or trailing slashes
 // - No double slashes
@@ -92,15 +92,8 @@ func isValidSecretName(name string) bool {
 		return false
 	}
 
-	// Check for path traversal via ".." components
-	for _, part := range strings.Split(name, "/") {
-		if part == ".." {
-			return false
-		}
-	}
-
 	// Check the basic pattern
-	matched, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-\_\/]+$`, name)
+	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
 
 	return matched
 }
@@ -326,13 +319,6 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		slog.String("version", version),
 	)
 
-	// Validate secret name to prevent path traversal
-	if !isValidSecretName(name) {
-		secret.Debug("Invalid secret name provided", "secret_name", name)
-
-		return nil, fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
-	}
-
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
@@ -468,10 +454,6 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 
 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
-	if !isValidSecretName(name) {
-		return nil, fmt.Errorf("invalid secret name: %s", name)
-	}
-
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {

internal/vault/secrets_name_test.go

@@ -1,42 +0,0 @@
-package vault
-
-import "testing"
-
-func TestIsValidSecretNameUppercase(t *testing.T) {
-	tests := []struct {
-		name  string
-		valid bool
-	}{
-		// Lowercase (existing behavior)
-		{"valid-name", true},
-		{"valid.name", true},
-		{"valid_name", true},
-		{"valid/path/name", true},
-		{"123valid", true},
-
-		// Uppercase (new behavior - issue #2)
-		{"Valid-Upper-Name", true},
-		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},
-		{"MixedCase/Path/Name", true},
-		{"ALLUPPERCASE", true},
-		{"ABC123", true},
-
-		// Still invalid
-		{"", false},
-		{"invalid name", false},
-		{"invalid@name", false},
-		{".dotstart", false},
-		{"/leading-slash", false},
-		{"trailing-slash/", false},
-		{"double//slash", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := isValidSecretName(tt.name)
-			if result != tt.valid {
-				t.Errorf("isValidSecretName(%q) = %v, want %v", tt.name, result, tt.valid)
-			}
-		})
-	}
-}

internal/vault/unlockers.go

@@ -218,9 +218,7 @@ func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
 				return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
 			}
 			if !exists {
-				secret.Warn("Skipping unlocker directory with missing metadata file", "directory", file.Name())
+				return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
-
-				continue
 			}
 
 			metadataBytes, err := afero.ReadFile(v.fs, metadataPath)

internal/vault/vault.go

@@ -225,23 +225,27 @@ func (v *Vault) NumSecrets() (int, error) {
 		return 0, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
 
-	// Count only directories that have a "current" version pointer file
+	// Count only directories that contain at least one version file
 	count := 0
 	for _, entry := range entries {
 		if !entry.IsDir() {
 			continue
 		}
 
-		// A valid secret has a "current" file pointing to the active version
+		// Check if this secret directory contains any version files
 		secretDir := filepath.Join(secretsDir, entry.Name())
-		currentFile := filepath.Join(secretDir, "current")
+		versionFiles, err := afero.ReadDir(v.fs, secretDir)
-		exists, err := afero.Exists(v.fs, currentFile)
 		if err != nil {
 			continue // Skip directories we can't read
 		}
 
-		if exists {
+		// Look for at least one version file (excluding "current" symlink)
-			count++
+		for _, vFile := range versionFiles {
+			if !vFile.IsDir() && vFile.Name() != "current" {
+				count++
+
+				break // Found at least one version, count this secret
+			}
 		}
 	}
 

internal/vault/vault_test.go

@@ -162,24 +162,6 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 
-	// Test NumSecrets
-	t.Run("NumSecrets", func(t *testing.T) {
-		vlt, err := GetCurrentVault(fs, stateDir)
-		if err != nil {
-			t.Fatalf("Failed to get current vault: %v", err)
-		}
-
-		numSecrets, err := vlt.NumSecrets()
-		if err != nil {
-			t.Fatalf("Failed to count secrets: %v", err)
-		}
-
-		// We added one secret in SecretOperations
-		if numSecrets != 1 {
-			t.Errorf("Expected 1 secret, got %d", numSecrets)
-		}
-	})
-
 	// Test unlocker operations
 	t.Run("UnlockerOperations", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)
@@ -243,57 +225,3 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 }
-
-func TestListUnlockers_SkipsMissingMetadata(t *testing.T) {
-	// Set test environment variables
-	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
-	t.Setenv(secret.EnvMnemonic, testMnemonic)
-	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
-
-	// Use in-memory filesystem
-	fs := afero.NewMemMapFs()
-	stateDir := "/test/state"
-
-	// Create vault
-	vlt, err := CreateVault(fs, stateDir, "test-vault")
-	if err != nil {
-		t.Fatalf("Failed to create vault: %v", err)
-	}
-
-	// Create a passphrase unlocker so we have at least one valid unlocker
-	passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
-	defer passphraseBuffer.Destroy()
-	_, err = vlt.CreatePassphraseUnlocker(passphraseBuffer)
-	if err != nil {
-		t.Fatalf("Failed to create passphrase unlocker: %v", err)
-	}
-
-	// Create a bogus unlocker directory with no metadata file
-	vaultDir, err := vlt.GetDirectory()
-	if err != nil {
-		t.Fatalf("Failed to get vault directory: %v", err)
-	}
-	bogusDir := filepath.Join(vaultDir, "unlockers.d", "bogus-no-metadata")
-	err = fs.MkdirAll(bogusDir, 0o700)
-	if err != nil {
-		t.Fatalf("Failed to create bogus directory: %v", err)
-	}
-
-	// ListUnlockers should succeed, skipping the bogus directory
-	unlockers, err := vlt.ListUnlockers()
-	if err != nil {
-		t.Fatalf("ListUnlockers returned error when it should have skipped bad directory: %v", err)
-	}
-
-	// Should still have the valid passphrase unlocker
-	if len(unlockers) == 0 {
-		t.Errorf("Expected at least one unlocker, got none")
-	}
-
-	// Verify we only got the valid unlocker(s), not the bogus one
-	for _, u := range unlockers {
-		if u.Type == "" {
-			t.Errorf("Got unlocker with empty type, likely from bogus directory")
-		}
-	}
-}