EmberVault 0.6: SSH key unlock and git-friendly storage
2026-04-29 · Nadia Osei
EmberVault 0.6 replaces the previous passphrase-only unlock model with SSH key support and switches the on-disk format to something git-friendly.
SSH key unlock
Typing a passphrase for every ember get was the main complaint from the two people besides me who were using EmberVault. With 0.6, if you pass --key ~/.ssh/id_ed25519 during vault initialisation, EmberVault uses age's SSH recipient mode. If your ssh-agent is running, unlock is instant and transparent.
I briefly considered implementing a per-session agent similar to gpg-agent, but decided that leveraging the existing ssh-agent infrastructure was simpler and more auditable.
Git-friendly storage format
The old binary format made diffs useless. Version 0.6 stores each secret as a separate age-encrypted file named by the truncated SHA-256 of its namespace path. The vault directory is now a regular filesystem tree you can git add and diff at the envelope level: filenames and modification times leak, but content does not.
Migration from the old format is handled automatically on first run with 0.6; it writes a backup of the old vault before converting.
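Because files are named by a truncated hash of the namespace path, a git diff of the vault shows only opaque names. The script below is an added example, not EmberVault's own code: it rebuilds the name-to-path index from paths the vault owner already knows, labels changed files, and flags truncation collisions. The 16-hex-character truncation, lowercase hex encoding, UTF-8 paths and the .age extension are assumptions, since the post does not state them.

```python
import hashlib
from collections import defaultdict

# Assumptions (not stated in the post): lowercase hex digest truncated to
# TRUNC_HEX characters, UTF-8 path encoding, ".age" file extension.
TRUNC_HEX = 16


def envelope_name(namespace_path: str, trunc_hex: int = TRUNC_HEX) -> str:
    """File name for a secret: truncated SHA-256 of its namespace path."""
    digest = hashlib.sha256(namespace_path.encode("utf-8")).hexdigest()
    return digest[:trunc_hex] + ".age"


def build_index(paths, trunc_hex: int = TRUNC_HEX):
    """Map envelope name -> list of namespace paths that produce it."""
    index = defaultdict(list)
    for path in paths:
        index[envelope_name(path, trunc_hex)].append(path)
    return dict(index)


def collisions(index):
    """Envelope names claimed by more than one path (truncation collisions)."""
    return {name: paths for name, paths in index.items() if len(paths) > 1}


def label_changes(changed_files, index):
    """Annotate file names (e.g. from `git diff --name-only`) with known paths."""
    return [(name, index.get(name, ["<unknown path>"])) for name in changed_files]


# Constructed sample data: namespace paths the vault owner already knows.
KNOWN_PATHS = ["prod/db/password", "prod/api/token", "staging/db/password"]

if __name__ == "__main__":
    idx = build_index(KNOWN_PATHS)
    # Constructed change list: one known secret and one unrecognised file.
    changed = [envelope_name("prod/api/token"), "0" * TRUNC_HEX + ".age"]
    for fname, owners in label_changes(changed, idx):
        print(fname, "->", ", ".join(owners))
    print("collisions:", collisions(idx))
```

A shorter truncation makes two namespace paths more likely to map to the same file name, so the collision check is worth running against the real path list whenever the truncation length is known.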