cli/pkg/crypt/symmetric.go

package crypt

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"

	core "github.com/host-uk/core/pkg/framework/core"
	"golang.org/x/crypto/chacha20poly1305"
)

// ChaCha20Encrypt encrypts plaintext using ChaCha20-Poly1305.
// The key must be 32 bytes. The nonce is randomly generated and prepended
// to the ciphertext.
func ChaCha20Encrypt(plaintext, key []byte) ([]byte, error) {
	aead, err := chacha20poly1305.NewX(key)
	if err != nil {
		return nil, core.E("crypt.ChaCha20Encrypt", "failed to create cipher", err)
	}

	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, core.E("crypt.ChaCha20Encrypt", "failed to generate nonce", err)
	}

	ciphertext := aead.Seal(nonce, nonce, plaintext, nil)
	return ciphertext, nil
}

// ChaCha20Decrypt decrypts ciphertext encrypted with ChaCha20Encrypt.
// The key must be 32 bytes. Expects the nonce prepended to the ciphertext.
func ChaCha20Decrypt(ciphertext, key []byte) ([]byte, error) {
	aead, err := chacha20poly1305.NewX(key)
	if err != nil {
		return nil, core.E("crypt.ChaCha20Decrypt", "failed to create cipher", err)
	}

	nonceSize := aead.NonceSize()
	if len(ciphertext) < nonceSize {
		return nil, core.E("crypt.ChaCha20Decrypt", "ciphertext too short", nil)
	}

	nonce, encrypted := ciphertext[:nonceSize], ciphertext[nonceSize:]
	plaintext, err := aead.Open(nil, nonce, encrypted, nil)
	if err != nil {
		return nil, core.E("crypt.ChaCha20Decrypt", "failed to decrypt", err)
	}

	return plaintext, nil
}

// AESGCMEncrypt encrypts plaintext using AES-256-GCM.
// The key must be 32 bytes. The nonce is randomly generated and prepended
// to the ciphertext.
func AESGCMEncrypt(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, core.E("crypt.AESGCMEncrypt", "failed to create cipher", err)
	}

	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, core.E("crypt.AESGCMEncrypt", "failed to create GCM", err)
	}

	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, core.E("crypt.AESGCMEncrypt", "failed to generate nonce", err)
	}

	ciphertext := aead.Seal(nonce, nonce, plaintext, nil)
	return ciphertext, nil
}

// AESGCMDecrypt decrypts ciphertext encrypted with AESGCMEncrypt.
// The key must be 32 bytes. Expects the nonce prepended to the ciphertext.
func AESGCMDecrypt(ciphertext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, core.E("crypt.AESGCMDecrypt", "failed to create cipher", err)
	}

	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, core.E("crypt.AESGCMDecrypt", "failed to create GCM", err)
	}

	nonceSize := aead.NonceSize()
	if len(ciphertext) < nonceSize {
		return nil, core.E("crypt.AESGCMDecrypt", "ciphertext too short", nil)
	}

	nonce, encrypted := ciphertext[:nonceSize], ciphertext[nonceSize:]
	plaintext, err := aead.Open(nil, nonce, encrypted, nil)
	if err != nil {
		return nil, core.E("crypt.AESGCMDecrypt", "failed to decrypt", err)
	}

	return plaintext, nil
}
feat: infrastructure packages and lint cleanup (#281) * ci: consolidate duplicate workflows and merge CodeQL configs Remove 17 duplicate workflow files that were split copies of the combined originals. Each family (CI, CodeQL, Coverage, PR Build, Alpha Release) had the same job duplicated across separate push/pull_request/schedule/manual trigger files. Merge codeql.yml and codescan.yml into a single codeql.yml with a language matrix covering go, javascript-typescript, python, and actions — matching the previous default setup coverage. Remaining workflows (one per family): - ci.yml (push + PR + manual) - codeql.yml (push + PR + schedule, all languages) - coverage.yml (push + PR + manual) - alpha-release.yml (push + manual) - pr-build.yml (PR + manual) - release.yml (tag push) - agent-verify.yml, auto-label.yml, auto-project.yml Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: add collect, config, crypt, plugin packages and fix all lint issues Add four new infrastructure packages with CLI commands: - pkg/config: layered configuration (defaults → file → env → flags) - pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums) - pkg/plugin: plugin system with GitHub-based install/update/remove - pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate) Fix all golangci-lint issues across the entire codebase (~100 errcheck, staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that `core go qa` passes with 0 issues. Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 11:34:43 +00:00			`package crypt`

			`import (`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"crypto/rand"`

			`core "github.com/host-uk/core/pkg/framework/core"`
			`"golang.org/x/crypto/chacha20poly1305"`
			`)`

			`// ChaCha20Encrypt encrypts plaintext using ChaCha20-Poly1305.`
			`// The key must be 32 bytes. The nonce is randomly generated and prepended`
			`// to the ciphertext.`
			`func ChaCha20Encrypt(plaintext, key []byte) ([]byte, error) {`
			`aead, err := chacha20poly1305.NewX(key)`
			`if err != nil {`
			`return nil, core.E("crypt.ChaCha20Encrypt", "failed to create cipher", err)`
			`}`

			`nonce := make([]byte, aead.NonceSize())`
			`if _, err := rand.Read(nonce); err != nil {`
			`return nil, core.E("crypt.ChaCha20Encrypt", "failed to generate nonce", err)`
			`}`

			`ciphertext := aead.Seal(nonce, nonce, plaintext, nil)`
			`return ciphertext, nil`
			`}`

			`// ChaCha20Decrypt decrypts ciphertext encrypted with ChaCha20Encrypt.`
			`// The key must be 32 bytes. Expects the nonce prepended to the ciphertext.`
			`func ChaCha20Decrypt(ciphertext, key []byte) ([]byte, error) {`
			`aead, err := chacha20poly1305.NewX(key)`
			`if err != nil {`
			`return nil, core.E("crypt.ChaCha20Decrypt", "failed to create cipher", err)`
			`}`

			`nonceSize := aead.NonceSize()`
			`if len(ciphertext) < nonceSize {`
			`return nil, core.E("crypt.ChaCha20Decrypt", "ciphertext too short", nil)`
			`}`

			`nonce, encrypted := ciphertext[:nonceSize], ciphertext[nonceSize:]`
			`plaintext, err := aead.Open(nil, nonce, encrypted, nil)`
			`if err != nil {`
			`return nil, core.E("crypt.ChaCha20Decrypt", "failed to decrypt", err)`
			`}`

			`return plaintext, nil`
			`}`

			`// AESGCMEncrypt encrypts plaintext using AES-256-GCM.`
			`// The key must be 32 bytes. The nonce is randomly generated and prepended`
			`// to the ciphertext.`
			`func AESGCMEncrypt(plaintext, key []byte) ([]byte, error) {`
			`block, err := aes.NewCipher(key)`
			`if err != nil {`
			`return nil, core.E("crypt.AESGCMEncrypt", "failed to create cipher", err)`
			`}`

			`aead, err := cipher.NewGCM(block)`
			`if err != nil {`
			`return nil, core.E("crypt.AESGCMEncrypt", "failed to create GCM", err)`
			`}`

			`nonce := make([]byte, aead.NonceSize())`
			`if _, err := rand.Read(nonce); err != nil {`
			`return nil, core.E("crypt.AESGCMEncrypt", "failed to generate nonce", err)`
			`}`

			`ciphertext := aead.Seal(nonce, nonce, plaintext, nil)`
			`return ciphertext, nil`
			`}`

			`// AESGCMDecrypt decrypts ciphertext encrypted with AESGCMEncrypt.`
			`// The key must be 32 bytes. Expects the nonce prepended to the ciphertext.`
			`func AESGCMDecrypt(ciphertext, key []byte) ([]byte, error) {`
			`block, err := aes.NewCipher(key)`
			`if err != nil {`
			`return nil, core.E("crypt.AESGCMDecrypt", "failed to create cipher", err)`
			`}`

			`aead, err := cipher.NewGCM(block)`
			`if err != nil {`
			`return nil, core.E("crypt.AESGCMDecrypt", "failed to create GCM", err)`
			`}`

			`nonceSize := aead.NonceSize()`
			`if len(ciphertext) < nonceSize {`
			`return nil, core.E("crypt.AESGCMDecrypt", "ciphertext too short", nil)`
			`}`

			`nonce, encrypted := ciphertext[:nonceSize], ciphertext[nonceSize:]`
			`plaintext, err := aead.Open(nil, nonce, encrypted, nil)`
			`if err != nil {`
			`return nil, core.E("crypt.AESGCMDecrypt", "failed to decrypt", err)`
			`}`

			`return plaintext, nil`
			`}`