fix(posixage): zero sensitive byte slices after use

Clear decryption key material and plaintext secret bytes immediately
after use via defer clear(), so they don't linger in the heap longer
than necessary.

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

store/posixage/prompt.go

@@ -105,6 +105,7 @@ func promptForEncryptionKeys(ctx context.Context, funcs []promptCaller) (map[sec
 			return nil, err
 		}
 		raw = bytes.TrimSpace(raw)
+		defer clear(raw)
 		if len(raw) == 0 {
 			return nil, errors.New("empty key provided on registered callback function")
 		}

store/posixage/store.go

@@ -138,6 +138,7 @@ func (f *fileStore[T]) decryptSecret(ctx context.Context, encryptedSecrets []sec
 		if err != nil {
 			return nil, err
 		}
+		defer clear(decryptionKey)
 
 		identity, err := secretfile.GetIdentity(keyType, string(decryptionKey))
 		if err != nil {
@@ -214,6 +215,7 @@ func (f *fileStore[T]) Filter(ctx context.Context, pattern store.Pattern) (map[s
 		if err != nil {
 			return err
 		}
+		defer clear(decryptedSecret)
 
 		secret := f.factory(ctx, id)
 		if err := secret.SetMetadata(metadata); err != nil {
@@ -254,6 +256,7 @@ func (f *fileStore[T]) Get(ctx context.Context, id store.ID) (store.Secret, erro
 	if err != nil {
 		return nil, err
 	}
+	defer clear(decryptedSecret)
 
 	secret := f.factory(ctx, id)
 	if err := secret.SetMetadata(metadata); err != nil {
@@ -339,6 +342,7 @@ func (f *fileStore[T]) Save(ctx context.Context, id store.ID, s store.Secret) er
 	if err != nil {
 		return err
 	}
+	defer clear(secret)
 	metadata := s.Metadata()
 
 	var secrets []secretfile.EncryptedSecret