1 files changed, 79 insertions, 3 deletions
diff --git a/modules/auth-config.el b/modules/auth-config.el
index 6b8a8ddb..2b52087e 100644
--- a/modules/auth-config.el
+++ b/modules/auth-config.el
@@ -24,9 +24,11 @@
   :ensure nil                           ;; built in
   :demand t                             ;; load this package immediately
   :config
-  (setenv "GPG_AGENT_INFO" nil)         ;; disassociate with external gpg agent
-  (setq auth-sources `(,authinfo-file)) ;; use authinfo.gpg (see user-constants.el)
-  (setq auth-source-debug t))           ;; echo debug info to Messages
+  ;; USE gpg-agent for passphrase caching (400-day cache from gpg-agent.conf)
+  ;; (setenv "GPG_AGENT_INFO" nil)      ;; DISABLED: was preventing gpg-agent cache
+  (setq auth-sources `(,authinfo-file))  ;; use authinfo.gpg (see user-constants.el)
+  (setq auth-source-debug t)             ;; echo debug info to Messages
+  (setq auth-source-cache-expiry 86400)) ;; cache decrypted credentials for 24 hours
 
 ;; ----------------------------- Easy PG Assistant -----------------------------
 ;; Key management, cryptographic operations on regions and files, dired
@@ -40,5 +42,79 @@
   ;; (setq epa-pinentry-mode 'loopback)  ;; emacs request passwords in minibuffer
   (setq epg-gpg-program "gpg2"))  ;; force use gpg2 (not gpg v.1)
 
+;; ---------------------------------- Plstore ----------------------------------
+;; Encrypted storage used by oauth2-auto for Google Calendar tokens.
+;; CRITICAL: Enable passphrase caching to prevent password prompts every 10 min.
+
+(use-package plstore
+  :ensure nil ;; built-in
+  :demand t
+  :config
+  ;; Cache passphrase indefinitely (relies on gpg-agent for actual caching)
+  (setq plstore-cache-passphrase-for-symmetric-encryption t)
+  ;; Allow gpg-agent to cache the passphrase (400 days per gpg-agent.conf)
+  (setq plstore-encrypt-to nil)) ;; Use symmetric encryption, not key-based
+
+;; ------------------------ Authentication Reset Utility -----------------------
+
+(defun cj/reset-auth-cache (&optional include-gpg-agent)
+  "Reset authentication caches when wrong password was entered.
+
+By default, only clears Emacs-side caches (auth-source, EPA file
+handler) and leaves gpg-agent's long-term cache intact.  This preserves
+your 400-day cache for GPG and SSH passphrases.
+
+With prefix argument INCLUDE-GPG-AGENT (\\[universal-argument]), also
+clears gpg-agent's password cache.  Use this when gpg-agent itself has
+cached an incorrect password.
+
+Clears:
+1. auth-source cache (Emacs-level credential cache)
+2. EPA file handler cache (encrypted file cache)
+3. gpg-agent cache (only if INCLUDE-GPG-AGENT is non-nil)
+
+Use this when you see errors like:
+  - \"Bad session key\"
+  - \"Decryption failed\"
+  - GPG repeatedly using wrong cached password"
+  (interactive "P")
+  (message "Resetting authentication caches...")
+
+  ;; Clear auth-source cache (Emacs credential cache)
+  (auth-source-forget-all-cached)
+
+  ;; Clear EPA file handler cache
+  (when (fboundp 'epa-file-clear-cache)
+    (epa-file-clear-cache))
+
+  ;; Only clear gpg-agent cache if explicitly requested
+  (if include-gpg-agent
+      (let ((result (shell-command "echo RELOADAGENT | gpg-connect-agent")))
+        (if (zerop result)
+            (message "✓ Emacs and gpg-agent caches cleared. Next access will prompt for password.")
+          (message "⚠ Warning: Failed to clear gpg-agent cache")))
+    (message "✓ Emacs caches cleared. GPG/SSH passphrases preserved for session.")))
+
+(defun cj/kill-gpg-agent ()
+  "Force kill gpg-agent (it will restart automatically on next use).
+
+This is a more aggressive reset than `cj/reset-auth-cache'.  Use this
+when gpg-agent is stuck or behaving incorrectly.
+
+The gpg-agent will automatically restart on the next GPG operation."
+  (interactive)
+  (let ((result (shell-command "gpgconf --kill gpg-agent")))
+    (if (zerop result)
+        (message "✓ gpg-agent killed. It will restart automatically on next use.")
+      (message "⚠ Warning: Failed to kill gpg-agent"))))
+
+;; Keybindings
+(with-eval-after-load 'keybindings
+  (keymap-set cj/custom-keymap "A" #'cj/reset-auth-cache))
+
+(with-eval-after-load 'which-key
+  (which-key-add-key-based-replacements
+    "C-; A" "reset auth cache"))
+
 (provide 'auth-config)
 ;;; auth-config.el ends here.