cli/pkg/crypt/kdf.go

// Package crypt provides cryptographic utilities including encryption,
// hashing, key derivation, HMAC, and checksum functions.
package crypt

import (
	"crypto/rand"
	"crypto/sha256"
	"io"

	core "github.com/host-uk/core/pkg/framework/core"
	"golang.org/x/crypto/argon2"
	"golang.org/x/crypto/hkdf"
	"golang.org/x/crypto/scrypt"
)

// Argon2id default parameters.
const (
	argon2Memory      = 64 * 1024 // 64 MB
	argon2Time        = 3
	argon2Parallelism = 4
	argon2KeyLen      = 32
	argon2SaltLen     = 16
)

// DeriveKey derives a key from a passphrase using Argon2id with default parameters.
// The salt must be argon2SaltLen bytes. keyLen specifies the desired key length.
func DeriveKey(passphrase, salt []byte, keyLen uint32) []byte {
	return argon2.IDKey(passphrase, salt, argon2Time, argon2Memory, argon2Parallelism, keyLen)
}

// DeriveKeyScrypt derives a key from a passphrase using scrypt.
// Uses recommended parameters: N=32768, r=8, p=1.
func DeriveKeyScrypt(passphrase, salt []byte, keyLen int) ([]byte, error) {
	key, err := scrypt.Key(passphrase, salt, 32768, 8, 1, keyLen)
	if err != nil {
		return nil, core.E("crypt.DeriveKeyScrypt", "failed to derive key", err)
	}
	return key, nil
}

// HKDF derives a key using HKDF-SHA256.
// secret is the input keying material, salt is optional (can be nil),
// info is optional context, and keyLen is the desired output length.
func HKDF(secret, salt, info []byte, keyLen int) ([]byte, error) {
	reader := hkdf.New(sha256.New, secret, salt, info)
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(reader, key); err != nil {
		return nil, core.E("crypt.HKDF", "failed to derive key", err)
	}
	return key, nil
}

// generateSalt creates a random salt of the given length.
func generateSalt(length int) ([]byte, error) {
	salt := make([]byte, length)
	if _, err := rand.Read(salt); err != nil {
		return nil, core.E("crypt.generateSalt", "failed to generate random salt", err)
	}
	return salt, nil
}
feat: infrastructure packages and lint cleanup (#281) * ci: consolidate duplicate workflows and merge CodeQL configs Remove 17 duplicate workflow files that were split copies of the combined originals. Each family (CI, CodeQL, Coverage, PR Build, Alpha Release) had the same job duplicated across separate push/pull_request/schedule/manual trigger files. Merge codeql.yml and codescan.yml into a single codeql.yml with a language matrix covering go, javascript-typescript, python, and actions — matching the previous default setup coverage. Remaining workflows (one per family): - ci.yml (push + PR + manual) - codeql.yml (push + PR + schedule, all languages) - coverage.yml (push + PR + manual) - alpha-release.yml (push + manual) - pr-build.yml (PR + manual) - release.yml (tag push) - agent-verify.yml, auto-label.yml, auto-project.yml Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: add collect, config, crypt, plugin packages and fix all lint issues Add four new infrastructure packages with CLI commands: - pkg/config: layered configuration (defaults → file → env → flags) - pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums) - pkg/plugin: plugin system with GitHub-based install/update/remove - pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate) Fix all golangci-lint issues across the entire codebase (~100 errcheck, staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that `core go qa` passes with 0 issues. Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 11:34:43 +00:00			`// Package crypt provides cryptographic utilities including encryption,`
			`// hashing, key derivation, HMAC, and checksum functions.`
			`package crypt`

			`import (`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"io"`

			`core "github.com/host-uk/core/pkg/framework/core"`
			`"golang.org/x/crypto/argon2"`
			`"golang.org/x/crypto/hkdf"`
			`"golang.org/x/crypto/scrypt"`
			`)`

			`// Argon2id default parameters.`
			`const (`
			`argon2Memory = 64 * 1024 // 64 MB`
			`argon2Time = 3`
			`argon2Parallelism = 4`
			`argon2KeyLen = 32`
			`argon2SaltLen = 16`
			`)`

			`// DeriveKey derives a key from a passphrase using Argon2id with default parameters.`
			`// The salt must be argon2SaltLen bytes. keyLen specifies the desired key length.`
			`func DeriveKey(passphrase, salt []byte, keyLen uint32) []byte {`
			`return argon2.IDKey(passphrase, salt, argon2Time, argon2Memory, argon2Parallelism, keyLen)`
			`}`

			`// DeriveKeyScrypt derives a key from a passphrase using scrypt.`
			`// Uses recommended parameters: N=32768, r=8, p=1.`
			`func DeriveKeyScrypt(passphrase, salt []byte, keyLen int) ([]byte, error) {`
			`key, err := scrypt.Key(passphrase, salt, 32768, 8, 1, keyLen)`
			`if err != nil {`
			`return nil, core.E("crypt.DeriveKeyScrypt", "failed to derive key", err)`
			`}`
			`return key, nil`
			`}`

			`// HKDF derives a key using HKDF-SHA256.`
			`// secret is the input keying material, salt is optional (can be nil),`
			`// info is optional context, and keyLen is the desired output length.`
			`func HKDF(secret, salt, info []byte, keyLen int) ([]byte, error) {`
			`reader := hkdf.New(sha256.New, secret, salt, info)`
			`key := make([]byte, keyLen)`
			`if _, err := io.ReadFull(reader, key); err != nil {`
			`return nil, core.E("crypt.HKDF", "failed to derive key", err)`
			`}`
			`return key, nil`
			`}`

			`// generateSalt creates a random salt of the given length.`
			`func generateSalt(length int) ([]byte, error) {`
			`salt := make([]byte, length)`
			`if _, err := rand.Read(salt); err != nil {`
			`return nil, core.E("crypt.generateSalt", "failed to generate random salt", err)`
			`}`
			`return salt, nil`
			`}`