feat: add cross-invocation passphrase caching via Linux keyring (v0.3.0)

Use keyctl (keyutils) to cache the master passphrase in the kernel keyring
with a configurable TTL (default 5 min). New unlock/lock subcommands for
manual cache control. keyctl is optional — silently skipped if not installed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 05:04:07 +01:00
parent e70596cd59
commit 242eeca238
3 changed files with 221 additions and 6 deletions


@@ -8,6 +8,7 @@ A Bash CLI tool to manage Docker Registry images remotely. Supports Docker Hub a
- **curl**
- **jq**
- **openssl** *(optional — required only when using encrypted config values)*
- **keyctl** *(optional — from `keyutils`; enables passphrase caching across invocations)*
## Installation
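Review bot: the new `keyctl` dependency entry should say the feature is Linux-only, since the commit message and the section added further down both describe caching in the Linux kernel keyring; readers of the dependency list on macOS or BSD will otherwise install `keyutils` expecting it to work. Suggest `*(optional, Linux only — from keyutils; enables passphrase caching across invocations)*`.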
@@ -107,6 +108,33 @@ The `enc:` prefix also works for named alias passwords (`REGISTRY_<ALIAS>_PASSWO
On every command that reads the config, the master passphrase is prompted once and cached
for the duration of the session.
### Passphrase caching across invocations
If `keyctl` (from the `keyutils` package) is installed, the master passphrase is
automatically cached in the Linux kernel keyring for 5 minutes. Subsequent commands
within that window will not re-prompt.
```bash
# First command prompts for passphrase, caches it for 5 min
hubmanager list
# Runs without prompting (within cache window)
hubmanager tags myuser/myapp
# Pre-cache before a scripted batch
hubmanager unlock
hubmanager list && hubmanager tags myuser/myapp && hubmanager inspect myuser/myapp:latest
# Clear cache immediately
hubmanager lock
# Custom timeout (10 minutes)
hubmanager unlock --cache-timeout 600
```
If `keyctl` is not installed, passphrase caching is silently skipped — each invocation
prompts as before.
## Global Options
```text
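Review bot: the "Passphrase caching across invocations" section never states which keyring the passphrase is placed in (session, user, or persistent) or who can read it during the 5-minute window, and that is the information a user needs to decide whether to enable it; please add a sentence naming the keyring used and the scope of processes that can retrieve the key before it expires. Secondly, "passphrase caching is silently skipped" means a user who expects caching gets no signal that it is off; suggest printing a one-line hint under `-v, --verbose` (e.g. `keyctl not found; passphrase caching disabled`) so the degraded mode is at least discoverable.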
@@ -117,6 +145,7 @@ hubmanager [OPTIONS] <command> [COMMAND OPTIONS]
-u, --user <username> Username (overrides config file)
-p, --password <pass> Password or token (overrides config file)
--config <file> Config file path (default: ~/.config/hubmanager.conf)
--cache-timeout <s> Passphrase cache TTL in seconds (default: 300)
--json Output raw JSON (pipe-friendly)
--no-color Disable ANSI color
-v, --verbose Show HTTP request details (with auth redacted)
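Review bot: `--cache-timeout <s>` does not say whether it overrides the `CACHE_TIMEOUT` config value, while the neighbouring `-u`/`-p` entries explicitly say "(overrides config file)"; state the precedence the same way. It is also unclear whether `--cache-timeout 0` disables caching altogether, which is the natural way for a user to opt out without uninstalling `keyctl`; document the accepted range and what `0` means.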
@@ -147,6 +176,42 @@ hubmanager login --registry https://registry.example.com \
---
### `unlock` — Cache master passphrase
```text
hubmanager unlock [--cache-timeout SECONDS]
```
Prompts for the master passphrase and stores it in the Linux kernel keyring
for the configured timeout (default: 300 seconds / 5 minutes). Useful before
running a batch of commands. Requires `keyctl` (keyutils package).
```bash
hubmanager unlock
# hubmanager master passphrase: ****
# Passphrase cached for 300s.
# Custom timeout
hubmanager unlock --cache-timeout 600
```
---
### `lock` — Clear cached passphrase
```text
hubmanager lock
```
Immediately revokes the cached passphrase from the kernel keyring.
```bash
hubmanager lock
# Passphrase cache cleared.
```
---
### `list` — List repositories
```text
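Review bot: `unlock` says "Requires `keyctl` (keyutils package)" but the section above says caching is "silently skipped" when `keyctl` is missing, so the behaviour of an explicit `hubmanager unlock` without `keyctl` (error with non-zero exit, or silent no-op) is left undefined; since the documented use is `hubmanager unlock` ahead of a scripted batch, the command should fail loudly in that case and the text should say so. For `lock`, also document the result when nothing is cached (the example only shows `Passphrase cache cleared.`).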
@@ -442,6 +507,7 @@ hubmanager copy myuser/myapp:staging myuser/myapp:production
| `REGISTRY` | Default registry URL |
| `USERNAME` | Default username |
| `PASSWORD` | Default password or token; prefix with `enc:` for encrypted values |
| `CACHE_TIMEOUT` | Passphrase keyring cache TTL in seconds (default: 300) |
| `REGISTRY_<ALIAS>_URL` | URL for a named registry alias |
| `REGISTRY_<ALIAS>_USERNAME` | Username for a named alias |
| `REGISTRY_<ALIAS>_PASSWORD` | Password for a named alias (supports `enc:` prefix) |