From 729ad75d6f985cf9ed081017cb7313ec16b68326 Mon Sep 17 00:00:00 2001
From: Claude <developers@lethean.io>
Date: Thu, 2 Apr 2026 10:22:18 +0100
Subject: [PATCH] ax(ueps): rename signature to hmacSignature for AX Principle
 1 compliance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The variable name `signature` is ambiguous — any cryptographic operation
produces a signature. `hmacSignature` is unambiguous and self-describing,
consistent with the TagHMAC comment that already used `hmacSignature` as
the example parameter name.

Co-Authored-By: Charon <charon@lethean.io>
---
 pkg/ueps/packet.go | 6 +++---
 pkg/ueps/reader.go | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/pkg/ueps/packet.go b/pkg/ueps/packet.go
index 802fa8b..786ad43 100644
--- a/pkg/ueps/packet.go
+++ b/pkg/ueps/packet.go
@@ -88,10 +88,10 @@ func (builder *PacketBuilder) MarshalAndSign(sharedSecret []byte) ([]byte, error
 	messageAuthCode := hmac.New(sha256.New, sharedSecret)
 	messageAuthCode.Write(frameBuffer.Bytes())
 	messageAuthCode.Write(builder.Payload)
-	signature := messageAuthCode.Sum(nil)
+	hmacSignature := messageAuthCode.Sum(nil)
 
-	// writeTLV(frameBuffer, TagHMAC, signature) → [0x06, 0x20, <32 bytes>]
-	if err := writeTLV(frameBuffer, TagHMAC, signature); err != nil {
+	// writeTLV(frameBuffer, TagHMAC, hmacSignature) → [0x06, 0x20, <32 bytes>]
+	if err := writeTLV(frameBuffer, TagHMAC, hmacSignature); err != nil {
 		return nil, err
 	}
 
diff --git a/pkg/ueps/reader.go b/pkg/ueps/reader.go
index 6c6faad..185a1fc 100644
--- a/pkg/ueps/reader.go
+++ b/pkg/ueps/reader.go
@@ -29,7 +29,7 @@ type ParsedPacket struct {
 func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, error) {
 	var signedData bytes.Buffer
 	header := UEPSHeader{}
-	var signature []byte
+	var hmacSignature []byte
 	var payload []byte
 
 	for {
@@ -85,7 +85,7 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
 			signedData.WriteByte(byte(tagLength))
 			signedData.Write(tagValue)
 		case TagHMAC:
-			signature = tagValue
+			hmacSignature = tagValue
 		default:
 			// signedData.WriteByte(unknownTag); signedData.Write(tagValue) — unknown tags contribute to HMAC, blocking injection
 			signedData.WriteByte(tagByte)
@@ -94,7 +94,7 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
 		}
 	}
 
-	if len(signature) == 0 {
+	if len(hmacSignature) == 0 {
 		return nil, errMissingHMAC
 	}
 
@@ -103,7 +103,7 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
 	messageAuthCode.Write(payload)
 	expectedMessageAuthCode := messageAuthCode.Sum(nil)
 
-	if !hmac.Equal(signature, expectedMessageAuthCode) {
+	if !hmac.Equal(hmacSignature, expectedMessageAuthCode) {
 		return nil, errIntegrityViolation
 	}