authorPaul Buetow <paul@buetow.org>2026-03-02 10:54:03 +0200
committerPaul Buetow <paul@buetow.org>2026-03-02 10:54:03 +0200
commit88f6ca2fb24973b78afe76f82ea86171e40fccff (patch)
tree2ed7a46fd36fb37fc6a5a3b7037a41b75592e81e
parent1bd6d282d2352870e68654afca3fa4a4ea7195ea (diff)
store/cli: deduplicate shred helper (task 400)
-rw-r--r--internal/cli/cli.go17
-rw-r--r--internal/cli/cli_test.go8
-rw-r--r--internal/store/store.go6
3 files changed, 8 insertions, 23 deletions
diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index 7152496..b6d47fc 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -565,7 +565,7 @@ func (c *CLI) makeActionFn(ctx context.Context, action store.Action) func(contex
}
// Shred the exported file immediately after opening — mirrors Ruby's
// `shred_file(file: open_exported(...), delay: 0)` call.
- return shredFile(ctx, path)
+ return store.ShredFile(ctx, path)
}
case store.ActionEdit:
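Review bot: The shred at `return store.ShredFile(ctx, path)` runs under the caller's ctx, and `exec.CommandContext` kills the child (or never starts it) once that ctx is cancelled, so an interrupted open can leave the exported plaintext on disk. If ctx can be cancelled by a signal or timeout on this path, which the hunk does not show, the cleanup should be detached from it, e.g. `return store.ShredFile(context.WithoutCancel(ctx), path)`, ideally bounded by its own short timeout. The same consideration applies to the `ShredFile(ctx, entry)` call inside the `ShredAllExported` loop in store.go. The enclosing closure in makeActionFn starts and ends outside this hunk.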
@@ -665,21 +665,6 @@ func externalEdit(ctx context.Context, exportDir, editCmd, file string) error {
return nil
}
-// shredFile destroys a single file using shred(1) if available, or rm -Pfv.
-// Used after ActionOpen to ensure exported secrets do not linger on disk.
-func shredFile(ctx context.Context, path string) error {
- if _, err := exec.LookPath("shred"); err == nil {
- cmd := exec.CommandContext(ctx, "shred", "-vu", path)
- cmd.Stdout = io.Discard
- cmd.Stderr = io.Discard
- return cmd.Run()
- }
- cmd := exec.CommandContext(ctx, "rm", "-Pfv", path)
- cmd.Stdout = io.Discard
- cmd.Stderr = io.Discard
- return cmd.Run()
-}
-
// printHelp prints a brief usage summary, mirroring the Ruby CLI#help output.
func printHelp() {
logMsg(`ls
diff --git a/internal/cli/cli_test.go b/internal/cli/cli_test.go
index 2ad52db..39c79aa 100644
--- a/internal/cli/cli_test.go
+++ b/internal/cli/cli_test.go
@@ -134,7 +134,7 @@ func TestPrintHelp(t *testing.T) {
}
}
-// TestShredFileCli verifies that shredFile removes a temporary file.
+// TestShredFileCli verifies that store.ShredFile removes a temporary file.
// It uses a temp file so no live data is affected.
func TestShredFileCli(t *testing.T) {
dir := t.TempDir()
@@ -144,12 +144,12 @@ func TestShredFileCli(t *testing.T) {
}
ctx := t.Context()
- if err := shredFile(ctx, target); err != nil {
- t.Fatalf("shredFile: %v", err)
+ if err := store.ShredFile(ctx, target); err != nil {
+ t.Fatalf("ShredFile: %v", err)
}
if _, err := os.Stat(target); err == nil {
- t.Errorf("file %q still exists after shredFile", target)
+ t.Errorf("file %q still exists after ShredFile", target)
}
}
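Review bot: `TestShredFileCli` now calls `store.ShredFile` directly, so it no longer exercises any cli code; it would fit better in the store package's tests (whether store already has an equivalent test is not visible here), or it could be replaced by a test that drives the ActionOpen path. The final assertion also passes on any `os.Stat` error, not only on a missing file; `if _, err := os.Stat(target); !errors.Is(err, fs.ErrNotExist) {` would pin the removal itself, given the `errors` and `io/fs` imports. The start of the test function is outside this hunk.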
diff --git a/internal/store/store.go b/internal/store/store.go
index 9acb52d..b92f011 100644
--- a/internal/store/store.go
+++ b/internal/store/store.go
@@ -555,7 +555,7 @@ func (s *Store) ShredAllExported(ctx context.Context) error {
if err != nil || !info.Mode().IsRegular() {
continue
}
- if err := shredFile(ctx, entry); err != nil {
+ if err := ShredFile(ctx, entry); err != nil {
// Record the error but keep shredding — security demands best-effort
// destruction of all exported secrets even if one fails.
lastErr = err
@@ -564,9 +564,9 @@ func (s *Store) ShredAllExported(ctx context.Context) error {
return lastErr
}
-// shredFile destroys a single file using shred(1) if available, or rm -Pfv.
+// ShredFile destroys a single file using shred(1) if available, or rm -Pfv.
// This mirrors Ruby's Geheim#shred_file method.
-func shredFile(ctx context.Context, filePath string) error {
+func ShredFile(ctx context.Context, filePath string) error {
if _, err := exec.LookPath("shred"); err == nil {
cmd := exec.CommandContext(ctx, "shred", "-vu", filePath)
cmd.Stdout = io.Discard
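Review bot: Exporting `ShredFile` makes it the package's public secret-destruction API, but the doc comment in this hunk still says it "destroys" the file without stating the limits of that guarantee. shred(1) itself documents that in-place overwriting is unreliable on journaling or copy-on-write filesystems and on flash storage, and on some BSD-derived systems `rm -P` is accepted but no longer overwrites, so the fallback can amount to a plain unlink; I would add a line such as `// Overwriting is best-effort: on CoW/journaled filesystems, SSDs, or where rm ignores -P, the data may remain recoverable.` Since callers outside the package can now pass any path, the option list should also be terminated, `exec.CommandContext(ctx, "shred", "-vu", "--", filePath)`, and likewise for the rm fallback. The function body continues past the end of the hunk, so the fallback branch is inferred from the doc comment and the copy removed from cli.go.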