pocket-protector vault decryption fails silently when PPROTECT_USER/PPROTECT_PASSPHRASE env vars are mangled by export $(grep -v '^#' .env | xargs) shell pattern. Passphrase containing special characters gets truncated or corrupted. The CryptoError from nacl gives no hint that the input credentials were wrong vs the vault being corrupt.
Never use export $(grep | xargs) for env files containing passwords with special characters. Use env parameter in subprocess calls or source the file properly with set -a && source .env && set +a. For programmatic access, read the .env file directly in Python and set os.environ explicitly. The nacl.exceptions.CryptoError is always a credentials problem, not vault corruption.