2 files changed, 20 insertions, 6 deletions

diff --git a/modules/auth-config.el b/modules/auth-config.el
index 6b8a8ddb..8376a2c0 100644
--- a/modules/auth-config.el
+++ b/modules/auth-config.el
@@ -24,9 +24,11 @@
   :ensure nil                           ;; built in
   :demand t                             ;; load this package immediately
   :config
-  (setenv "GPG_AGENT_INFO" nil)         ;; disassociate with external gpg agent
-  (setq auth-sources `(,authinfo-file)) ;; use authinfo.gpg (see user-constants.el)
-  (setq auth-source-debug t))           ;; echo debug info to Messages
+  ;; USE gpg-agent for passphrase caching (400-day cache from gpg-agent.conf)
+  ;; (setenv "GPG_AGENT_INFO" nil)      ;; DISABLED: was preventing gpg-agent cache
+  (setq auth-sources `(,authinfo-file))  ;; use authinfo.gpg (see user-constants.el)
+  (setq auth-source-debug t)             ;; echo debug info to Messages
+  (setq auth-source-cache-expiry 86400)) ;; cache decrypted credentials for 24 hours
 
 ;; ----------------------------- Easy PG Assistant -----------------------------
 ;; Key management, cryptographic operations on regions and files, dired
@@ -40,5 +42,18 @@
   ;; (setq epa-pinentry-mode 'loopback)  ;; emacs request passwords in minibuffer
   (setq epg-gpg-program "gpg2"))  ;; force use gpg2 (not gpg v.1)
 
+;; ---------------------------------- Plstore ----------------------------------
+;; Encrypted storage used by oauth2-auto for Google Calendar tokens.
+;; CRITICAL: Enable passphrase caching to prevent password prompts every 10 min.
+
+(use-package plstore
+  :ensure nil ;; built-in
+  :demand t
+  :config
+  ;; Cache passphrase indefinitely (relies on gpg-agent for actual caching)
+  (setq plstore-cache-passphrase-for-symmetric-encryption t)
+  ;; Allow gpg-agent to cache the passphrase (400 days per gpg-agent.conf)
+  (setq plstore-encrypt-to nil)) ;; Use symmetric encryption, not key-based
+
 (provide 'auth-config)
 ;;; auth-config.el ends here.
diff --git a/modules/org-gcal-config.el b/modules/org-gcal-config.el
index 28cc1933..97e8446a 100644
--- a/modules/org-gcal-config.el
+++ b/modules/org-gcal-config.el
@@ -165,9 +165,8 @@ Useful after changing `cj/org-gcal-sync-interval-minutes'."
   (setq org-gcal-managed-update-existing-mode "gcal")  ;; GCal wins on conflicts
 
   :config
-  ;; Enable plstore passphrase caching after org-gcal loads
-  (require 'plstore)
-  (setq plstore-cache-passphrase-for-symmetric-encryption t)
+  ;; Plstore caching is now configured globally in auth-config.el
+  ;; to ensure it loads before org-gcal needs it
 
   ;; set org-gcal timezone based on system timezone
   (setq org-gcal-local-timezone (cj/detect-system-timezone))