Use keyctl (keyutils) to cache the master passphrase in the kernel keyring
with a configurable TTL (default 5 min). New unlock/lock subcommands for
manual cache control. keyctl is optional — silently skipped if not installed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Global flags (--user, --registry, --password) now work after subcommand name
- Fix raw_http variables lost in subshells by persisting to temp files
- Remove config inline-comment stripping that truncated base64 ciphertext
- Add trailing newline to openssl decrypt pipe input
- Move config path to ~/.config/hubmanager.conf
- Add "Cleaning up empty repositories" section to README
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `login --save --encrypt` flag: passwords are encrypted with
openssl AES-256-CBC (PBKDF2) and stored as `enc:<base64>` in the
config file. A master passphrase is prompted once per session and
cached in memory. Both load_config() and resolve_registry_alias()
detect the enc: prefix and decrypt transparently. The passphrase is
passed to openssl via a temp file to avoid argv/env exposure.
openssl is an optional dependency, checked on demand.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
