ci: add Forgejo Actions test and security scan workflows

Uses reusable workflows from core/go-devops for Go testing
(with race detector and coverage) and security scanning
(govulncheck, gitleaks, trivy).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.forgejo/workflows/security-scan.yml

@@ -0,0 +1,12 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main, dev, 'feat/*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  security:
+    uses: core/go-devops/.forgejo/workflows/security-scan.yml@main
+    secrets: inherit

.forgejo/workflows/test.yml

@@ -0,0 +1,14 @@
+name: Test
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    uses: core/go-devops/.forgejo/workflows/go-test.yml@main
+    with:
+      race: true
+      coverage: true

AUDIT-ERROR-HANDLING.md

@@ -1,97 +0,0 @@
-# Error Handling & Logging Audit
-
-This document details the findings of an audit of the error handling and logging practices within the codebase.
-
-## Error Handling
-
-### Exception Handling
-
-- **Are exceptions caught appropriately?**
-  - Yes, in the Go sense, errors are generally handled and propagated up the call stack. The `pkg/` libraries correctly return errors to the caller. The `cmd/trix` application handles the final error in the `main` function.
-
-- **Generic catches hiding bugs?**
-  - No evidence of this. Error handling is explicit.
-
-- **Error information leakage?**
-  - The `pkg/` libraries are safe and do not leak sensitive information. However, the `cmd/trix` CLI prints raw error messages directly to the user, which could expose internal implementation details (e.g., function names, variable types) that are not user-friendly.
-
-### Error Recovery
-
-- **Graceful degradation?**
-  - Not applicable in the current context. The CLI tool is designed to succeed or fail.
-
-- **Retry logic with backoff?**
-  - Not implemented, and not necessary for the current functionality.
-
-- **Circuit breaker patterns?**
-  - Not implemented, and not necessary for the current functionality.
-
-### User-Facing Errors
-
-- **Helpful without exposing internals?**
-  - This is an area for improvement. The CLI prints raw errors from the underlying libraries, which is not ideal for the end-user. Errors should be caught, and user-friendly messages should be displayed, while the technical details are logged for debugging.
-
-- **Consistent error format?**
-  - The format is consistent in that it's whatever Go's `error.Error()` method returns. There is no structured error format for users.
-
-- **Localization support?**
-  - There is no support for localization of error messages.
-
-### API Errors
-
-- **Standard error response format?**
-  - Not applicable. The project is a CLI tool, not a web API.
-
-- **Appropriate HTTP status codes?**
-  - Not applicable.
-
-- **Error codes for clients?**
-  - Not applicable.
-
-## Logging
-
-### What is Logged
-
-- **Security events (auth, access)?**
-  - Nothing is currently logged.
-
-- **Errors with context?**
-  - Errors are not logged; they are printed to `stderr`. Some errors have context (e.g., `trix.Decode` wraps `ErrInvalidMagicNumber`), but this is inconsistent. The `fmt.Errorf("%w: message", err)` pattern should be used more widely to provide better context.
-
-- **Performance metrics?**
-  - Nothing is currently logged.
-
-### What Should NOT be Logged
-
-The application currently does not log anything, so there is no risk of logging sensitive information. If logging is implemented, care must be taken to avoid logging:
-- Passwords/tokens
-- Personally Identifiable Information (PII)
-- Cryptographic keys or sensitive material
-
-### Log Quality
-
-- **Structured logging (JSON)?**
-  - No logging is implemented. Structured logging would be a significant improvement for machine-parsability and analysis.
-
-- **Correlation IDs?**
-  - Not applicable for a single-run CLI tool.
-
-- **Log levels used correctly?**
-  - No logging is implemented.
-
-### Log Security
-
-- **Injection-safe?**
-  - Not applicable as there is no logging.
-
-- **Tamper-evident?**
-  - Not applicable as there is no logging.
-
-- **Retention policy?**
-  - Not applicable as there is no logging.
-
-## Summary & Recommendations
-
-- **Error Handling:** The libraries in `pkg/` follow good practices by returning errors. `cmd/trix` should be improved to intercept these errors, log the technical details, and present a clear, user-friendly message instead of the raw error string. Error wrapping should be used more consistently to add context.
-
-- **Logging:** The complete absence of logging is a major gap. A structured logging library (like `logrus` or the standard library's `slog`) should be introduced in `cmd/trix`. This would allow for different log levels (e.g., controlled by a `--verbose` flag) and provide better insight into the application's behavior, especially during failures.

cmd/trix/main.go

@@ -5,9 +5,9 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
-	"github.com/Snider/Enchantrix/pkg/trix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/trix"
 	"github.com/spf13/cobra"
 )
 

examples/checksums/main.go

@@ -9,7 +9,7 @@ package main
 import (
 	"fmt"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/hash/main.go

@@ -9,7 +9,7 @@ package main
 import (
 	"fmt"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/pgp_encrypt_decrypt/main.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/pgp_generate_keys/main.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/pgp_sign_verify/main.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/pgp_symmetric_encrypt/main.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/rsa/main.go

@@ -12,7 +12,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func main() {

examples/sigils/main.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
 )
 
 func main() {

examples/trix_container/main.go

@@ -12,8 +12,8 @@ import (
 	"log"
 	"time"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
-	"github.com/Snider/Enchantrix/pkg/trix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/trix"
 )
 
 func main() {

go.mod

@@ -1,20 +1,23 @@
-module github.com/Snider/Enchantrix
+module forge.lthn.ai/Snider/Enchantrix
 
 go 1.25
 
 require (
 	github.com/ProtonMail/go-crypto v1.3.0
-	github.com/spf13/cobra v1.10.1
+	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/crypto v0.43.0
+	golang.org/x/crypto v0.48.0
 )
 
 require (
-	github.com/cloudflare/circl v1.6.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/spf13/pflag v1.0.9 // indirect
-	golang.org/x/sys v0.37.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,26 +1,23 @@
 github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
 github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
-github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
-github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/crypt/crypt.go

@@ -11,9 +11,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/Snider/Enchantrix/pkg/crypt/std/lthn"
-	"github.com/Snider/Enchantrix/pkg/crypt/std/pgp"
-	"github.com/Snider/Enchantrix/pkg/crypt/std/rsa"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt/std/lthn"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt/std/pgp"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt/std/rsa"
 )
 
 // Service is the main struct for the crypt service.

pkg/crypt/crypt_test.go

@@ -4,7 +4,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 	"github.com/stretchr/testify/assert"
 )
 

pkg/crypt/examples_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
 )
 
 func ExampleService_Hash() {

pkg/enchantrix/enchantrix_test.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
 	"github.com/stretchr/testify/assert"
 )
 

pkg/enchantrix/examples_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
 )
 
 func ExampleTransmute() {

pkg/trix/crypto.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
 )
 
 var (

pkg/trix/crypto_test.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"testing"
 
-	"github.com/Snider/Enchantrix/pkg/trix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/trix"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

pkg/trix/examples_test.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
-	"github.com/Snider/Enchantrix/pkg/trix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/trix"
 )
 
 func ExampleEncode() {

pkg/trix/trix.go

@@ -28,8 +28,8 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
-	"github.com/Snider/Enchantrix/pkg/enchantrix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/enchantrix"
 )
 
 const (

pkg/trix/trix_test.go

@@ -8,8 +8,8 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/Snider/Enchantrix/pkg/crypt"
-	"github.com/Snider/Enchantrix/pkg/trix"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/crypt"
+	"forge.lthn.ai/Snider/Enchantrix/pkg/trix"
 	"github.com/stretchr/testify/assert"
 )