danieljustus · danieljustus · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
@@ -255,7 +255,7 @@ func TestUnlockVaultWithEnvVar(t *testing.T) {
 		vaultFlag.Changed = false
 	}
 
-	_, err := unlockVault(vaultDir, false)
+	_, err := cli.UnlockVault(vaultDir, false)
 	if err != nil {
 		t.Errorf("unlockVault with env var failed: %v", err)
 	}
@@ -285,7 +285,7 @@ func TestUnlockVaultNoPassphrase(t *testing.T) {
 		vaultFlag.Changed = false
 	}
 
-	_, err := unlockVault(vaultDir, false)
+	_, err := cli.UnlockVault(vaultDir, false)
 	if err == nil {
 		t.Error("expected error when no passphrase available")
 	}
@@ -317,7 +317,7 @@ func TestUnlockVaultWrongPassphrase(t *testing.T) {
 		vaultFlag.Changed = false
 	}
 
-	_, err := unlockVault(vaultDir, false)
+	_, err := cli.UnlockVault(vaultDir, false)
 	if err == nil {
 		t.Error("expected error for wrong passphrase")
 	}
@@ -336,12 +336,12 @@ func TestVaultPathWithEnvVarOpenPassVault(t *testing.T) {
 	defer func() { vault = origVault }()
 	vault = "~/should-not-be-used"
 
-	path, err := vaultPath()
+	path, err := cli.VaultPath()
 	if err != nil {
-		t.Fatalf("vaultPath() error = %v", err)
+		t.Fatalf("cli.VaultPath() error = %v", err)
 	}
 	if path != "/test/vault" {
-		t.Errorf("vaultPath() = %q, want %q", path, "/test/vault")
+		t.Errorf("cli.VaultPath() = %q, want %q", path, "/test/vault")
 	}
 }
 
@@ -371,7 +371,7 @@ func TestUnlockVaultSavesToKeyring(t *testing.T) {
 		vaultFlag.Changed = false
 	}
 
-	v, err := unlockVault(vaultDir, false)
+	v, err := cli.UnlockVault(vaultDir, false)
 	if err != nil {
 		t.Fatalf("unlockVault failed: %v", err)
 	}

@@ -37,13 +37,13 @@ func TestExpandVaultDir(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
-			got, err := expandVaultDir(tt.input)
+			got, err := cli.ExpandVaultDir(tt.input)
 			if (err != nil) != tt.wantErr {
-				t.Errorf("expandVaultDir() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("cli.ExpandVaultDir() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if got != tt.expected {
-				t.Errorf("expandVaultDir() = %q, want %q", got, tt.expected)
+				t.Errorf("cli.ExpandVaultDir() = %q, want %q", got, tt.expected)
 			}
 		})
 	}
@@ -147,12 +147,12 @@ func TestVaultPathWithTilde(t *testing.T) {
 	_ = os.Setenv("HOME", "/custom/home")
 
 	cli.Vault = "~/my-vault"
-	got, _ := vaultPath()
+	got, _ := cli.VaultPath()
 
 	home, _ := os.UserHomeDir()
 	expected := filepath.Join(home, "my-vault")
 	if got != expected {
-		t.Errorf("vaultPath() = %q, want %q", got, expected)
+		t.Errorf("cli.VaultPath() = %q, want %q", got, expected)
 	}
 }
 
@@ -161,21 +161,21 @@ func TestVaultPathWithAbsolute(t *testing.T) {
 		t.Skip("skipping on windows: path format differs")
 	}
 	cli.Vault = "/absolute/path"
-	got, _ := vaultPath()
+	got, _ := cli.VaultPath()
 
 	if got != "/absolute/path" {
-		t.Errorf("vaultPath() = %q, want %q", got, "/absolute/path")
+		t.Errorf("cli.VaultPath() = %q, want %q", got, "/absolute/path")
 	}
 }
 
 func TestVaultPathWithTildeOnly(t *testing.T) {
 	home, _ := os.UserHomeDir()
 	cli.Vault = "~"
-	got, _ := vaultPath()
+	got, _ := cli.VaultPath()
 
 	expected := home
 	if got != expected {
-		t.Errorf("vaultPath() = %q, want %q", got, expected)
+		t.Errorf("cli.VaultPath() = %q, want %q", got, expected)
 	}
 }
 
@@ -207,7 +207,7 @@ func TestUnlockVaultLocked(t *testing.T) {
 	_ = os.Setenv("OPENPASS_VAULT", vaultDir)
 	defer func() { _ = os.Unsetenv("OPENPASS_VAULT") }()
 
-	_, err := unlockVault(vaultDir, false)
+	_, err := cli.UnlockVault(vaultDir, false)
 	if err == nil {
 		t.Error("expected error for locked vault")
 	}

@@ -54,12 +54,12 @@ you must run 'openpass device accept <token>' to re-encrypt all entries
 for the new device.`,
 	Example: `  openpass device pair`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
 
-		v, err := unlockVault(vaultDir, true)
+		v, err := cli.UnlockVault(vaultDir, true)
 		if err != nil {
 			return err
 		}
@@ -114,7 +114,7 @@ to re-encrypt all entries for this new device.`,
 		remoteURL := args[0]
 		token := strings.TrimSpace(args[1])
 
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
@@ -144,7 +144,7 @@ to re-encrypt all entries for this new device.`,
 
 		fmt.Fprintf(os.Stderr, "Pairing with device (public key: %s)\n", truncatePubkey(pf.PublicKey))
 
-		passphrase, err := readHiddenInput("Enter passphrase for this device (minimum 12 characters): ", nil)
+		passphrase, err := cli.ReadHiddenInput("Enter passphrase for this device (minimum 12 characters): ", nil)
 		if err != nil {
 			return fmt.Errorf("read passphrase: %w", err)
 		}
@@ -243,12 +243,12 @@ can decrypt them.`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		token := strings.TrimSpace(args[0])
 
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
 
-		v, err := unlockVault(vaultDir, true)
+		v, err := cli.UnlockVault(vaultDir, true)
 		if err != nil {
 			return err
 		}
@@ -306,7 +306,7 @@ any registered device (unmanaged recipients).`,
 	Example: `  openpass device list
   openpass device list --output json`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
@@ -426,7 +426,7 @@ request so the first device can accept it.`,
 
 		raw := strings.TrimSpace(args[0])
 
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
@@ -448,7 +448,7 @@ request so the first device can accept it.`,
 			return fmt.Errorf("invalid public key in pairing data: expected age1... format")
 		}
 
-		passphrase, err := readHiddenInput("Enter passphrase for this device (minimum 12 characters): ", nil)
+		passphrase, err := cli.ReadHiddenInput("Enter passphrase for this device (minimum 12 characters): ", nil)
 		if err != nil {
 			return fmt.Errorf("read passphrase: %w", err)
 		}
@@ -547,7 +547,7 @@ access to all vault entries.`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		deviceName := args[0]
 
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
@@ -558,7 +558,7 @@ access to all vault entries.`,
 				errorspkg.ErrVaultNotInitialized)
 		}
 
-		v, err := unlockVault(vaultDir, true)
+		v, err := cli.UnlockVault(vaultDir, true)
 		if err != nil {
 			return err
 		}

@@ -7,6 +7,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	cli "github.com/danieljustus/OpenPass/internal/cli"
 	"github.com/danieljustus/OpenPass/internal/dynamicsecret"
 	vaultsvc "github.com/danieljustus/OpenPass/internal/vaultsvc"
 )
@@ -41,7 +42,7 @@ var dynamicGenerateCmd = &cobra.Command{
   # Generate AWS STS credentials for a specific role
   openpass dynamic generate --engine aws-sts --role arn:aws:iam::123456789012:role/MyRole --ttl 30m`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return withVault(func(svc vaultsvc.Service) error {
+		return cli.WithVault(func(svc vaultsvc.Service) error {
 			ctx := context.Background()
 			mgr := dynamicsecret.NewManager(svc)
 

@@ -41,7 +41,7 @@ var generateCmd = &cobra.Command{
 		}
 
 		if genStore != "" {
-			return withVaultRaw(func(v *vaultpkg.Vault) error {
+			return cli.WithVaultRaw(func(v *vaultpkg.Vault) error {
 				entryPath := vaultpkg.EntryPath(v, genStore)
 				if _, err := vaultpkg.ReadEntry(v.Dir, genStore, v.Identity); err == nil {
 					if _, err := vaultpkg.MergeEntryWithRecipients(v.Dir, genStore, map[string]any{"password": password}, v.Identity); err != nil {

@@ -5,6 +5,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	cli "github.com/danieljustus/OpenPass/internal/cli"
 	errorspkg "github.com/danieljustus/OpenPass/internal/errors"
 	"github.com/danieljustus/OpenPass/internal/git"
 	vaultpkg "github.com/danieljustus/OpenPass/internal/vault"
@@ -24,7 +25,7 @@ var gitCmd = &cobra.Command{
 		action := args[0]
 
 		if action == "log" {
-			return withVaultRaw(func(v *vaultpkg.Vault) error {
+			return cli.WithVaultRaw(func(v *vaultpkg.Vault) error {
 				path := ""
 				if len(args) > 1 {
 					path = args[1]
@@ -41,7 +42,7 @@ var gitCmd = &cobra.Command{
 			})
 		}
 
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}

@@ -7,6 +7,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	cli "github.com/danieljustus/OpenPass/internal/cli"
 	"github.com/danieljustus/OpenPass/internal/policy"
 )
 
@@ -105,7 +106,7 @@ Example:
 			return err
 		}
 
-		vaultDir, _ := vaultPath()
+		vaultDir, _ := cli.VaultPath()
 		policiesDir := filepath.Join(vaultDir, "policies")
 		_ = os.MkdirAll(policiesDir, 0750)
 
@@ -133,7 +134,7 @@ var policyListCmd = &cobra.Command{
 		requiresVaultAnnotation: "false",
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		vaultDir, _ := vaultPath()
+		vaultDir, _ := cli.VaultPath()
 		policiesDir := filepath.Join(vaultDir, "policies")
 
 		entries, err := os.ReadDir(policiesDir)
@@ -169,7 +170,7 @@ var policyRemoveCmd = &cobra.Command{
 		requiresVaultAnnotation: "false",
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		vaultDir, _ := vaultPath()
+		vaultDir, _ := cli.VaultPath()
 		policiesDir := filepath.Join(vaultDir, "policies")
 		policyPath := filepath.Join(policiesDir, args[0])
 

@@ -35,7 +35,7 @@ var recipientsListCmd = &cobra.Command{
 	Long:    `List all recipients from the recipients.txt file.`,
 	Example: `  openpass recipients list`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		vaultDir, err := vaultPath()
+		vaultDir, err := cli.VaultPath()
 		if err != nil {
 			return err
 		}
@@ -98,7 +98,7 @@ Once added, all new entries will be encrypted for this recipient.`,
 	Example: `  openpass recipients add age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p`,
 	Args:    cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return withVaultRaw(func(v *vaultpkg.Vault) error {
+		return cli.WithVaultRaw(func(v *vaultpkg.Vault) error {
 			recipient := args[0]
 
 			rm := vaultpkg.NewRecipientsManager(v.Dir)
@@ -130,7 +130,7 @@ Use --yes to skip confirmation (useful for scripts).`,
 	Example: `  openpass recipients remove age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p`,
 	Args:    cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return withVaultRaw(func(v *vaultpkg.Vault) error {
+		return cli.WithVaultRaw(func(v *vaultpkg.Vault) error {
 			recipient := args[0]
 
 			confirmed, err := confirmInteractive(fmt.Sprintf("Remove recipient %s", recipient), confirmRemove)

@@ -92,7 +92,7 @@ func runRemoteInit(cmd *cobra.Command, args []string) error {
 		return errorspkg.NewCLIError(errorspkg.ExitGeneralError, "ssh-target must not be empty", nil)
 	}
 
-	vaultDir, err := vaultPath()
+	vaultDir, err := cli.VaultPath()
 	if err != nil {
 		return err
 	}
@@ -157,7 +157,7 @@ func runRemoteInit(cmd *cobra.Command, args []string) error {
 }
 
 func runRemoteStatus(cmd *cobra.Command, args []string) error {
-	vaultDir, err := vaultPath()
+	vaultDir, err := cli.VaultPath()
 	if err != nil {
 		return err
 	}

@@ -30,18 +30,6 @@ var (
 
 var rootCmd = cli.RootCmd
 
-// Aliases for functions that moved to internal/cli/ but are still used by staying cmd/ files
-var (
-	vaultPath         = cli.VaultPath
-	unlockVault       = cli.UnlockVault
-	readHiddenInput   = cli.ReadHiddenInput
-	expandVaultDir    = cli.ExpandVaultDir
-	defaultSessionTTL = cli.DefaultSessionTTL
-	withVault         = cli.WithVault
-	withVaultRaw      = cli.WithVaultRaw
-	Version           = cli.AppVersion
-)
-
 func Execute() {
 	cli.Execute()
 }