add README

2025-05-11 18:42:51 -06:00 · 2025-05-11 18:42:51 -06:00 · dac1a06e1a
commit dac1a06e1a
parent 7d1becbb71
7 changed files with 444 additions and 216 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,129 @@
+# EnvVault 🔐
+
+EnvVault is a secure environment variable management tool that helps you store, retrieve, and share sensitive environment variables safely. It uses strong encryption to protect your secrets while providing a simple command-line interface for everyday use.
+
+## Features
+
+- 🔒 **Secure Storage**: All environment variables are encrypted with NaCl secretbox using a master password
+- 🔑 **Password Caching**: Background daemon caches your master password in-memory temporarily for convenience
+- 🧩 **Simple CLI**: Intuitive commands for managing your environment variables
+- 🚀 **Command Execution**: Run commands with your secret environment variables injected
+- 🔄 **Key Rotation**: Change your master password while preserving your stored variables
+
+## Installation
+
+```bash
+go install git.jrop.me/jonathan/envvault@latest
+```
+
+Make sure your Go bin directory is in your PATH.
+
+## Quick Start
+
+### Initialize the Vault
+
+First, create your encrypted vault:
+
+```bash
+envvault init
+```
+
+You'll be prompted to create a master password. Choose a strong one!
+
+### Adding Environment Variables
+
+Add variables to your vault:
+
+```bash
+# Prompt for value (doesn't show in terminal or history)
+envvault add API_KEY
+
+# Provide value directly (will show in shell history)
+envvault add DATABASE_URL "postgres://user:pass@localhost:5432/mydb"
+```
+
+### Listing Variables
+
+View your stored variables:
+
+```bash
+# List only variable names
+envvault list
+
+# List names and values
+envvault list -v
+```
+
+### Running Commands with Environment Variables
+
+Execute commands with your secret variables injected:
+
+```bash
+# Run with all environment variables
+envvault exec -- node server.js
+
+# Run with only specific variables
+envvault exec -e API_KEY -e DATABASE_URL -- node server.js
+```
+
+### Removing Variables
+
+Remove variables you no longer need:
+
+```bash
+envvault rm API_KEY
+```
+
+### Changing Your Master Password
+
+Update your master password while preserving your variables:
+
+```bash
+envvault rekey
+```
+
+## How It Works
+
+EnvVault uses a two-layer encryption approach:
+
+1. A random 32-byte master key is generated and used to encrypt your environment variables
+2. The master key is encrypted with your password using scrypt for key derivation
+3. When needed, the master key is decrypted using your password
+4. The daemon temporarily caches your password in memory for convenience
+
+This approach means your environment variables remain secure even if your vault file is compromised.
+
+## Password Daemon
+
+EnvVault includes a daemon that caches your master password temporarily:
+
+```bash
+# Start daemon with default 5-minute timeout
+envvault daemon
+
+# Start daemon with custom timeout (in minutes)
+envvault daemon --timeout 10
+```
+
+The daemon is automatically started when needed and stores your password securely in memory.
+
+## Security Considerations
+
+- Your master password is never stored on disk
+- The daemon caches your password in memory only for the specified timeout period
+- All encryption uses industry-standard algorithms (NaCl secretbox, scrypt)
+- The vault file and key file are stored with 0600 permissions
+
+## License
+
+Copyright (c) 2025 Jonathan Apodaca <jrapodaca@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+## Contributing
+
+Contributions are welcome! Feel free to open issues or submit pull requests.
--- a/cmd/envvault/main.go
+++ b/cmd/envvault/main.go
@ -18,6 +18,7 @@ import (
 	"slices"

 	"git.jrop.me/jonathan/envvault/internal"
+	"git.jrop.me/jonathan/envvault/internal/config"
 	"git.jrop.me/jonathan/envvault/internal/daemon"
 )

@ -108,7 +109,7 @@ func main() {
 	internal.Log.Printf("Command completed: %s", command)
 }

-func subcommandInitVault() {
+func subcommandInitVault() { // {{{
 	internal.Log.Println("Initializing vault")

 	if _, err := os.Stat(keyFilePath); os.IsNotExist(err) {
@ -174,7 +175,9 @@ func subcommandInitVault() {
 	}
 }

-func subcommandAddEnvVar(name, value string) {
+// }}}
+
+func subcommandAddEnvVar(name, value string) { // {{{
 	store := loadEnvStore()
 	if value == "" {
 		fmt.Fprintf(os.Stderr, "Enter value for %s: ", name)
@ -187,9 +190,9 @@ func subcommandAddEnvVar(name, value string) {
 	}
 	store.Vars[name] = value
 	saveEnvStore(store)
-}
+} // }}}

-func subcommandRmEnvVar(name string) {
+func subcommandRmEnvVar(name string) { // {{{
 	store := loadEnvStore()
 	if _, exists := store.Vars[name]; exists {
 		delete(store.Vars, name)
@ -198,9 +201,9 @@ func subcommandRmEnvVar(name string) {
 	} else {
 		fmt.Fprintf(os.Stderr, "Environment variable '%s' not found.\n", name)
 	}
-}
+} // }}}

-func subcommandListEnvVars(cmdArgs ListCmd) {
+func subcommandListEnvVars(cmdArgs ListCmd) { // {{{
 	store := loadEnvStore()
 	for k, v := range store.Vars {
 		if cmdArgs.Values {
@ -209,9 +212,9 @@ func subcommandListEnvVars(cmdArgs ListCmd) {
 			fmt.Printf("%s\n", k)
 		}
 	}
-}
+} // }}}

-func subcommandExecCommand(cmdArgs ExecCmd) {
+func subcommandExecCommand(cmdArgs ExecCmd) { // {{{
 	store := loadEnvStore()
 	envVars := os.Environ()
 	for candidateEnvName, candidateEnvValue := range store.Vars {
@ -234,195 +237,13 @@ func subcommandExecCommand(cmdArgs ExecCmd) {
 	if err := cmd.Run(); err != nil {
 		log.Fatal(err)
 	}
-}
+} // }}}

-func loadEnvStore() *EnvStore {
-	key := loadKey()
-	if err := os.MkdirAll(filepath.Dir(dbFilePath), 0700); err != nil {
-		log.Fatal(err)
-	}
-	data, err := os.ReadFile(dbFilePath)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return &EnvStore{Vars: make(map[string]string)}
-		}
-		log.Fatal(err)
-	}
+func subcommandStartDaemon(timeoutMinutes int) { // {{{
+	internal.Log.Printf("Starting daemon with default timeout: %d minutes", timeoutMinutes)

-	var store EnvStore
-	if len(data) > 0 {
-		var nonce [24]byte
-		copy(nonce[:], data[:24])
-		decrypted, ok := secretbox.Open(nil, data[24:], &nonce, &key)
-		if !ok {
-			log.Fatal("Decryption failed")
-		}
-		if err := json.Unmarshal(decrypted, &store); err != nil {
-			log.Fatal(err)
-		}
-	} else {
-		return &EnvStore{Vars: make(map[string]string)}
-	}
-	return &store
-}
-
-func saveEnvStore(store *EnvStore) {
-	key := loadKey()
-	data, err := json.Marshal(store)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	var nonce [24]byte
-	if _, err := rand.Read(nonce[:]); err != nil {
-		log.Fatal(err)
-	}
-	encrypted := secretbox.Seal(nonce[:], data, &nonce, &key)
-
-	if err := os.WriteFile(dbFilePath, encrypted, 0600); err != nil {
-		log.Fatal(err)
-	}
-}
-
-func loadPassword() []byte {
-	internal.Log.Println("Loading password")
-
-	// 1. Check for globally cached password
-	if cachedPassword != nil {
-		internal.Log.Println("Using cached password from memory")
-		return cachedPassword
-	}
-
-	internal.Log.Println("No cached password in memory, trying daemon")
-
-	// 2. Try to get password from daemon
-	socketPath := daemon.GetSocketPath()
-	internal.Log.Printf("Using socket path: %s", socketPath)
-	client := daemon.NewClient(socketPath)
-
-	// Check if daemon is running
-	if !client.IsRunning() {
-		internal.Log.Println("Daemon not running, attempting to start it")
-		// Spawn daemon in background
-		cmd := exec.Command(os.Args[0], "daemon")
-		cmd.Stdout = nil
-		cmd.Stderr = nil
-		if err := cmd.Start(); err != nil {
-			internal.Log.Printf("Failed to start daemon: %v", err)
-			log.Printf("Failed to start daemon: %v", err)
-		} else {
-			internal.Log.Printf("Started daemon process with PID: %d", cmd.Process.Pid)
-			// Detach the process
-			cmd.Process.Release()
-
-			// Give daemon time to start
-			internal.Log.Println("Waiting for daemon to initialize")
-			time.Sleep(100 * time.Millisecond)
-		}
-	} else {
-		internal.Log.Println("Daemon is already running")
-	}
-
-	// Try to retrieve password from daemon if it's running
-	if client.IsRunning() {
-		internal.Log.Println("Attempting to retrieve password from daemon")
-		password, err := client.RetrievePassword()
-		if err == nil {
-			internal.Log.Println("Successfully retrieved password from daemon")
-			// Cache the password
-			cachedPassword = password
-			return password
-		}
-		internal.Log.Printf("Failed to retrieve password from daemon: %v", err)
-	} else {
-		internal.Log.Println("Daemon still not running after attempt to start it")
-	}
-
-	internal.Log.Println("Falling back to terminal input for password")
-	// 3. Fall back to terminal input
-	fmt.Fprint(os.Stderr, "Enter master password: ")
-	password, err := term.ReadPassword(int(os.Stdin.Fd()))
-	if err != nil {
-		internal.Log.Printf("Failed to read password from terminal: %v", err)
-		log.Fatal(err)
-	}
-	fmt.Fprintln(os.Stderr) // Ensure newline after password input
-
-	internal.Log.Println("Password read from terminal, caching in memory")
-	// Cache the password
-	cachedPassword = password
-
-	// Store in daemon if it's running
-	if client.IsRunning() {
-		internal.Log.Println("Storing password in daemon")
-		if err := client.StorePassword(password); err != nil {
-			internal.Log.Printf("Failed to store password in daemon: %v", err)
-			log.Printf("Failed to store password in daemon: %v", err)
-		} else {
-			internal.Log.Println("Successfully stored password in daemon")
-		}
-	}
-
-	return password
-}
-
-func loadKey() [32]byte {
-	password := loadPassword()
-
-	encryptedKey, err := os.ReadFile(keyFilePath)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	decryptedKey, err := decryptKeyWithPassword(encryptedKey, password)
-	if err != nil {
-		// Clear cached password on error
-		cachedPassword = nil
-		log.Fatal("Invalid password or corrupted key file")
-	}
-
-	var key [32]byte
-	copy(key[:], decryptedKey)
-	return key
-}
-
-func encryptKeyWithPassword(key, password []byte) []byte {
-	var nonce [24]byte
-	if _, err := rand.Read(nonce[:]); err != nil {
-		log.Fatal(err)
-	}
-
-	passwordDerivedKey, err := scrypt.Key(password, nonce[:], 32768, 8, 1, 32)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	encrypted := secretbox.Seal(nonce[:], key, &nonce, (*[32]byte)(passwordDerivedKey))
-	return encrypted
-}
-
-func decryptKeyWithPassword(encryptedKey, password []byte) ([]byte, error) {
-	var nonce [24]byte
-	copy(nonce[:], encryptedKey[:24])
-	encrypted := encryptedKey[24:]
-
-	passwordDerivedKey, err := scrypt.Key(password, nonce[:], 32768, 8, 1, 32)
-	if err != nil {
-		return nil, err
-	}
-
-	decrypted, ok := secretbox.Open(nil, encrypted, &nonce, (*[32]byte)(passwordDerivedKey))
-	if !ok {
-		return nil, fmt.Errorf("decryption failed")
-	}
-
-	return decrypted, nil
-}
-
-func subcommandStartDaemon(timeoutMinutes int) {
-	internal.Log.Printf("Starting daemon with timeout: %d minutes", timeoutMinutes)
-
-	timeout := time.Duration(timeoutMinutes) * time.Minute
+	defaultTimeout := time.Duration(timeoutMinutes) * time.Minute
+	timeout := config.GetDaemonTimeout(defaultTimeout)
 	socketPath := daemon.GetSocketPath()
 	internal.Log.Printf("Using socket path: %s", socketPath)

@ -443,9 +264,9 @@ func subcommandStartDaemon(timeoutMinutes int) {
 		internal.Log.Printf("Failed to start daemon: %v", err)
 		log.Fatalf("Failed to start daemon: %v", err)
 	}
-}
+} // }}}

-func subcommandRekeyVault() {
+func subcommandRekeyVault() { // {{{
 	// Ask for current master password
 	fmt.Fprint(os.Stderr, "Enter current master password: ")
 	currentPassword, err := term.ReadPassword(int(os.Stdin.Fd()))
@ -505,4 +326,184 @@ func subcommandRekeyVault() {
 	cachedPassword = newPassword

 	fmt.Fprintln(os.Stderr, "Master password changed successfully.")
-}
+} // }}}
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// Utilities:
+//
+////////////////////////////////////////////////////////////////////////////////
+
+func loadPassword() []byte { // {{{
+	internal.Log.Println("Getting password without caching")
+
+	// 1. Check for globally cached password
+	if cachedPassword != nil {
+		internal.Log.Println("Using cached password from memory")
+		return cachedPassword
+	}
+
+	internal.Log.Println("No cached password in this process' memory, trying daemon")
+
+	// 2. Try to get password from daemon
+	socketPath := daemon.GetSocketPath()
+	internal.Log.Printf("Using socket path: %s", socketPath)
+	client := daemon.NewClient(socketPath)
+
+	err := client.EnsureRunning()
+	if err != nil {
+		internal.Log.Printf("Failed to spawn daemon: %v", err)
+		log.Fatal(err)
+	}
+
+	// Check if daemon is running
+	internal.Log.Println("Attempting to retrieve password from daemon")
+	password, err := client.RetrievePassword()
+	if err == nil {
+		internal.Log.Println("Successfully retrieved password from daemon")
+		return password
+	}
+	internal.Log.Printf("Failed to retrieve password from daemon: %v", err)
+
+	// 3. Fall back to terminal input
+	internal.Log.Println("Falling back to terminal input for password")
+	fmt.Fprint(os.Stderr, "Enter master password: ")
+	password, err = term.ReadPassword(int(os.Stdin.Fd()))
+	if err != nil {
+		internal.Log.Printf("Failed to read password from terminal: %v", err)
+		log.Fatal(err)
+	}
+	fmt.Fprintln(os.Stderr) // Ensure newline after password input
+
+	return password
+} // }}}
+
+func loadKey() [32]byte { // {{{
+	// Get password but don't cache it yet
+	password := loadPassword()
+
+	encryptedKey, err := os.ReadFile(keyFilePath)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	decryptedKey, err := decryptKeyWithPassword(encryptedKey, password)
+	if err != nil {
+		log.Fatal("Invalid password or corrupted key file")
+	}
+
+	var key [32]byte
+	copy(key[:], decryptedKey)
+
+	// Only cache the password after we've verified it works
+
+	internal.Log.Println("Caching validated password")
+
+	// Cache in memory
+	cachedPassword = password
+
+	// Try to start daemon if not running
+	socketPath := daemon.GetSocketPath()
+	client := daemon.NewClient(socketPath)
+
+	err = client.EnsureRunning()
+	if err != nil {
+		internal.Log.Printf("Failed to spawn daemon: %v", err)
+		// If the daemon doesn't start, we don't need to stop the current process
+		return key
+	}
+
+	// Store in daemon if it's running
+	internal.Log.Println("Storing password in daemon")
+	if err := client.StorePassword(password); err != nil {
+		internal.Log.Printf("Failed to store password in daemon: %v", err)
+		log.Printf("Failed to store password in daemon: %v", err)
+		// Even if we have an error, we still want to return the key
+		return key
+	}
+
+	internal.Log.Println("Successfully stored password in daemon")
+
+	return key
+} // }}}
+
+func encryptKeyWithPassword(key, password []byte) []byte { // {{{
+	var nonce [24]byte
+	if _, err := rand.Read(nonce[:]); err != nil {
+		log.Fatal(err)
+	}
+
+	passwordDerivedKey, err := scrypt.Key(password, nonce[:], 32768, 8, 1, 32)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	encrypted := secretbox.Seal(nonce[:], key, &nonce, (*[32]byte)(passwordDerivedKey))
+	return encrypted
+} // }}}
+
+func decryptKeyWithPassword(encryptedKey, password []byte) ([]byte, error) { // {{{
+	var nonce [24]byte
+	copy(nonce[:], encryptedKey[:24])
+	encrypted := encryptedKey[24:]
+
+	passwordDerivedKey, err := scrypt.Key(password, nonce[:], 32768, 8, 1, 32)
+	if err != nil {
+		return nil, err
+	}
+
+	decrypted, ok := secretbox.Open(nil, encrypted, &nonce, (*[32]byte)(passwordDerivedKey))
+	if !ok {
+		return nil, fmt.Errorf("decryption failed")
+	}
+
+	return decrypted, nil
+} // }}}
+
+func loadEnvStore() *EnvStore { // {{{
+	key := loadKey()
+	if err := os.MkdirAll(filepath.Dir(dbFilePath), 0700); err != nil {
+		log.Fatal(err)
+	}
+	data, err := os.ReadFile(dbFilePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return &EnvStore{Vars: make(map[string]string)}
+		}
+		log.Fatal(err)
+	}
+
+	var store EnvStore
+	if len(data) > 0 {
+		var nonce [24]byte
+		copy(nonce[:], data[:24])
+		decrypted, ok := secretbox.Open(nil, data[24:], &nonce, &key)
+		if !ok {
+			log.Fatal("Decryption failed")
+		}
+		if err := json.Unmarshal(decrypted, &store); err != nil {
+			log.Fatal(err)
+		}
+	} else {
+		return &EnvStore{Vars: make(map[string]string)}
+	}
+	return &store
+} // }}}
+
+func saveEnvStore(store *EnvStore) { // {{{
+	key := loadKey()
+	data, err := json.Marshal(store)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var nonce [24]byte
+	if _, err := rand.Read(nonce[:]); err != nil {
+		log.Fatal(err)
+	}
+	encrypted := secretbox.Seal(nonce[:], data, &nonce, &key)
+
+	if err := os.WriteFile(dbFilePath, encrypted, 0600); err != nil {
+		log.Fatal(err)
+	}
+} // }}}
--- a/go.mod
+++ b/go.mod
@ -3,6 +3,7 @@ module git.jrop.me/jonathan/envvault
 go 1.24.3

 require (
+	github.com/BurntSushi/toml v1.5.0
 	github.com/alecthomas/kong v1.10.0
 	golang.org/x/crypto v0.38.0
 	golang.org/x/term v0.32.0
--- a/go.sum
+++ b/go.sum
@ -1,3 +1,5 @@
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/kong v1.10.0 h1:8K4rGDpT7Iu+jEXCIJUeKqvpwZHbsFRoebLbnzlmrpw=
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -0,0 +1,66 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"time"
+
+	"git.jrop.me/jonathan/envvault/internal"
+	"github.com/BurntSushi/toml"
+)
+
+// Config represents the application configuration
+type Config struct {
+	Daemon DaemonConfig `toml:"daemon"`
+}
+
+// DaemonConfig contains daemon-specific configuration
+type DaemonConfig struct {
+	Timeout string `toml:"timeout"`
+}
+
+// GetDaemonTimeout returns the daemon timeout from config or the default value
+func GetDaemonTimeout(defaultTimeout time.Duration) time.Duration {
+	config := loadConfig()
+
+	if config.Daemon.Timeout == "" {
+		internal.Log.Printf("No daemon timeout in config, using default: %s", defaultTimeout)
+		return defaultTimeout
+	}
+
+	duration, err := time.ParseDuration(config.Daemon.Timeout)
+	if err != nil {
+		internal.Log.Printf("Invalid timeout format in config: %s, using default: %s",
+			config.Daemon.Timeout, defaultTimeout)
+		return defaultTimeout
+	}
+
+	internal.Log.Printf("Using daemon timeout from config: %s", duration)
+	return duration
+}
+
+// loadConfig loads the configuration from the config file
+func loadConfig() Config {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		internal.Log.Printf("Failed to get user home directory: %v", err)
+		return Config{}
+	}
+
+	configPath := filepath.Join(homeDir, ".config/envvault/envvault.toml")
+
+	// Check if config file exists
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		internal.Log.Printf("🔍 Config file not found at %s", configPath)
+		return Config{}
+	}
+
+	internal.Log.Printf("📂 Loading config from %s", configPath)
+	var config Config
+	if _, err := toml.DecodeFile(configPath, &config); err != nil {
+		internal.Log.Printf("Failed to decode config file: %v", err)
+		return Config{}
+	}
+
+	return config
+}
--- a/internal/daemon/client.go
+++ b/internal/daemon/client.go
@ -5,7 +5,9 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"time"

 	"git.jrop.me/jonathan/envvault/internal"
 )
@ -35,6 +37,33 @@ func (c *Client) IsRunning() bool {
 	return true
 }

+func (c *Client) EnsureRunning() error {
+	if c.IsRunning() {
+		internal.DaemonLog.Printf("Daemon is already running")
+		return nil
+	}
+
+	internal.Log.Println("Daemon not running, attempting to start it")
+	// Spawn daemon in background
+	cmd := exec.Command(os.Args[0], "daemon")
+	cmd.Stdout = nil
+	cmd.Stderr = nil
+	if err := cmd.Start(); err != nil {
+		internal.Log.Printf("Failed to start daemon: %v", err)
+		internal.DaemonLog.Printf("Failed to start daemon: %v", err)
+	} else {
+		internal.Log.Printf("Started daemon process with PID: %d", cmd.Process.Pid)
+		// Detach the process
+		cmd.Process.Release()
+
+		// Give daemon time to start
+		internal.Log.Println("Waiting for daemon to initialize")
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	return nil
+}
+
 // StorePassword sends the password to the daemon for caching
 func (c *Client) StorePassword(password []byte) error {
 	internal.DaemonLog.Printf("Storing password in daemon")
--- a/internal/daemon/daemon.go
+++ b/internal/daemon/daemon.go
@ -86,29 +86,29 @@ func (pc *PasswordCache) Get() ([]byte, bool) {
 	result := make([]byte, len(pc.password))
 	copy(result, pc.password)

-	internal.DaemonLog.Println("Returning valid password, expires at: %s",
+	internal.DaemonLog.Printf("Returning valid password, expires at: %s",
 		pc.freshAccessTime.Add(pc.timeout).Format(time.RFC3339))
 	return result, true
 }

 // StartDaemon starts the password caching daemon
 func StartDaemon(socketPath string, timeout time.Duration) error {
-	internal.DaemonLog.Println("Starting daemon with socket path: %s and timeout: %s",
+	internal.DaemonLog.Printf("Starting daemon with socket path: %s and timeout: %s",
 		socketPath, timeout)

 	// Ensure socket directory exists
 	socketDir := filepath.Dir(socketPath)
-	internal.DaemonLog.Println("Creating socket directory: %s", socketDir)
+	internal.DaemonLog.Printf("Creating socket directory: %s", socketDir)
 	if err := os.MkdirAll(socketDir, 0700); err != nil {
-		internal.DaemonLog.Println("Failed to create socket directory: %v", err)
+		internal.DaemonLog.Printf("Failed to create socket directory: %v", err)
 		return fmt.Errorf("failed to create socket directory: %w", err)
 	}

 	// Remove existing socket if it exists
 	if _, err := os.Stat(socketPath); err == nil {
-		internal.DaemonLog.Println("Removing existing socket: %s", socketPath)
+		internal.DaemonLog.Printf("Removing existing socket: %s", socketPath)
 		if err := os.RemoveAll(socketPath); err != nil {
-			internal.DaemonLog.Println("Failed to remove existing socket: %v", err)
+			internal.DaemonLog.Printf("Failed to remove existing socket: %v", err)
 			return fmt.Errorf("failed to remove existing socket: %w", err)
 		}
 	}
@ -117,7 +117,7 @@ func StartDaemon(socketPath string, timeout time.Duration) error {
 	internal.DaemonLog.Println("Creating Unix domain socket")
 	listener, err := net.Listen("unix", socketPath)
 	if err != nil {
-		internal.DaemonLog.Println("Failed to listen on socket: %v", err)
+		internal.DaemonLog.Printf("Failed to listen on socket: %v", err)
 		return fmt.Errorf("failed to listen on socket: %w", err)
 	}
 	defer listener.Close()
@ -125,12 +125,12 @@ func StartDaemon(socketPath string, timeout time.Duration) error {
 	// Set socket permissions to only allow current user
 	internal.DaemonLog.Println("Setting socket permissions to 0600")
 	if err := os.Chmod(socketPath, 0600); err != nil {
-		internal.DaemonLog.Println("Failed to set socket permissions: %v", err)
+		internal.DaemonLog.Printf("Failed to set socket permissions: %v", err)
 		return fmt.Errorf("failed to set socket permissions: %w", err)
 	}

 	// Create password cache
-	internal.DaemonLog.Println("Creating password cache with timeout: %s", timeout)
+	internal.DaemonLog.Printf("Creating password cache with timeout: %s", timeout)
 	cache := NewPasswordCache(timeout)

 	// Handle signals for graceful shutdown
@ -140,22 +140,22 @@ func StartDaemon(socketPath string, timeout time.Duration) error {

 	go func() {
 		sig := <-sigChan
-		internal.DaemonLog.Println("Received signal: %s, shutting down", sig)
+		internal.DaemonLog.Printf("Received signal: %s, shutting down", sig)
 		os.RemoveAll(socketPath)
 		os.Exit(0)
 	}()

 	// Start cleanup goroutine to periodically check for expired passwords
-	internal.DaemonLog.Println("Starting cleanup goroutine with interval: %s", timeout/2)
+	internal.DaemonLog.Printf("Starting cleanup goroutine with interval: %s", timeout/2)
 	go func() {
 		ticker := time.NewTicker(timeout / 2)
 		defer ticker.Stop()

 		for t := range ticker.C {
-			internal.DaemonLog.Println("Cleanup tick at %s", t.Format(time.RFC3339))
+			internal.DaemonLog.Printf("Cleanup tick at %s", t.Format(time.RFC3339))
 			// This will trigger cleanup of expired password
 			_, ok := cache.Get()
-			internal.DaemonLog.Println("Cleanup check result: password exists=%v", ok)
+			internal.DaemonLog.Printf("Cleanup check result: password exists=%v", ok)
 		}
 	}()

@ -168,12 +168,12 @@ func StartDaemon(socketPath string, timeout time.Duration) error {
 		internal.DaemonLog.Println("Waiting for connections")
 		conn, err := listener.Accept()
 		if err != nil {
-			internal.DaemonLog.Println("Error accepting connection: %v", err)
+			internal.DaemonLog.Printf("Error accepting connection: %v", err)
 			log.Printf("Error accepting connection: %v", err)
 			continue
 		}

-		internal.DaemonLog.Println("Accepted connection from: %s", conn.RemoteAddr())
+		internal.DaemonLog.Printf("Accepted connection from: %s", conn.RemoteAddr())
 		go handleConnection(conn, cache)
 	}
 }
@ -188,12 +188,12 @@ func handleConnection(conn net.Conn, cache *PasswordCache) {

 	var msg Message
 	if err := decoder.Decode(&msg); err != nil {
-		internal.DaemonLog.Println("Failed to decode message: %v", err)
+		internal.DaemonLog.Printf("Failed to decode message: %v", err)
 		encoder.Encode(Response{Success: false, Error: "Invalid message format"})
 		return
 	}

-	internal.DaemonLog.Println("Received command: %s", msg.Command)
+	internal.DaemonLog.Printf("Received command: %s", msg.Command)
 	switch msg.Command {
 	case "store":
 		if msg.Password == "" {
@ -218,7 +218,7 @@ func handleConnection(conn net.Conn, cache *PasswordCache) {
 		encoder.Encode(Response{Success: true, Data: string(password)})

 	default:
-		internal.DaemonLog.Println("Unknown command received: %s", msg.Command)
+		internal.DaemonLog.Printf("Unknown command received: %s", msg.Command)
 		encoder.Encode(Response{Success: false, Error: "Unknown command"})
 	}