feat: infrastructure packages and lint cleanup (#281)
* ci: consolidate duplicate workflows and merge CodeQL configs
Remove 17 duplicate workflow files that were split copies of the
combined originals. Each family (CI, CodeQL, Coverage, PR Build,
Alpha Release) had the same job duplicated across separate
push/pull_request/schedule/manual trigger files.
Merge codeql.yml and codescan.yml into a single codeql.yml with
a language matrix covering go, javascript-typescript, python,
and actions — matching the previous default setup coverage.
Remaining workflows (one per family):
- ci.yml (push + PR + manual)
- codeql.yml (push + PR + schedule, all languages)
- coverage.yml (push + PR + manual)
- alpha-release.yml (push + manual)
- pr-build.yml (PR + manual)
- release.yml (tag push)
- agent-verify.yml, auto-label.yml, auto-project.yml
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add collect, config, crypt, plugin packages and fix all lint issues
Add four new infrastructure packages with CLI commands:
- pkg/config: layered configuration (defaults → file → env → flags)
- pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums)
- pkg/plugin: plugin system with GitHub-based install/update/remove
- pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate)
Fix all golangci-lint issues across the entire codebase (~100 errcheck,
staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that
`core go qa` passes with 0 issues.
Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 11:34:43 +00:00
|
|
|
package crypt
|
|
|
|
|
|
|
|
|
|
import (
|
2026-02-16 00:30:41 +00:00
|
|
|
core "forge.lthn.ai/core/cli/pkg/framework/core"
|
feat: infrastructure packages and lint cleanup (#281)
* ci: consolidate duplicate workflows and merge CodeQL configs
Remove 17 duplicate workflow files that were split copies of the
combined originals. Each family (CI, CodeQL, Coverage, PR Build,
Alpha Release) had the same job duplicated across separate
push/pull_request/schedule/manual trigger files.
Merge codeql.yml and codescan.yml into a single codeql.yml with
a language matrix covering go, javascript-typescript, python,
and actions — matching the previous default setup coverage.
Remaining workflows (one per family):
- ci.yml (push + PR + manual)
- codeql.yml (push + PR + schedule, all languages)
- coverage.yml (push + PR + manual)
- alpha-release.yml (push + manual)
- pr-build.yml (PR + manual)
- release.yml (tag push)
- agent-verify.yml, auto-label.yml, auto-project.yml
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add collect, config, crypt, plugin packages and fix all lint issues
Add four new infrastructure packages with CLI commands:
- pkg/config: layered configuration (defaults → file → env → flags)
- pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums)
- pkg/plugin: plugin system with GitHub-based install/update/remove
- pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate)
Fix all golangci-lint issues across the entire codebase (~100 errcheck,
staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that
`core go qa` passes with 0 issues.
Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 11:34:43 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Encrypt encrypts data with a passphrase using ChaCha20-Poly1305.
|
|
|
|
|
// A random salt is generated and prepended to the output.
|
|
|
|
|
// Format: salt (16 bytes) + nonce (24 bytes) + ciphertext.
|
|
|
|
|
func Encrypt(plaintext, passphrase []byte) ([]byte, error) {
|
|
|
|
|
salt, err := generateSalt(argon2SaltLen)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.Encrypt", "failed to generate salt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
key := DeriveKey(passphrase, salt, argon2KeyLen)
|
|
|
|
|
|
|
|
|
|
encrypted, err := ChaCha20Encrypt(plaintext, key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.Encrypt", "failed to encrypt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Prepend salt to the encrypted data (which already has nonce prepended)
|
|
|
|
|
result := make([]byte, 0, len(salt)+len(encrypted))
|
|
|
|
|
result = append(result, salt...)
|
|
|
|
|
result = append(result, encrypted...)
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Decrypt decrypts data encrypted with Encrypt.
|
|
|
|
|
// Expects format: salt (16 bytes) + nonce (24 bytes) + ciphertext.
|
|
|
|
|
func Decrypt(ciphertext, passphrase []byte) ([]byte, error) {
|
|
|
|
|
if len(ciphertext) < argon2SaltLen {
|
|
|
|
|
return nil, core.E("crypt.Decrypt", "ciphertext too short", nil)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
salt := ciphertext[:argon2SaltLen]
|
|
|
|
|
encrypted := ciphertext[argon2SaltLen:]
|
|
|
|
|
|
|
|
|
|
key := DeriveKey(passphrase, salt, argon2KeyLen)
|
|
|
|
|
|
|
|
|
|
plaintext, err := ChaCha20Decrypt(encrypted, key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.Decrypt", "failed to decrypt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return plaintext, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// EncryptAES encrypts data using AES-256-GCM with a passphrase.
|
|
|
|
|
// A random salt is generated and prepended to the output.
|
|
|
|
|
// Format: salt (16 bytes) + nonce (12 bytes) + ciphertext.
|
|
|
|
|
func EncryptAES(plaintext, passphrase []byte) ([]byte, error) {
|
|
|
|
|
salt, err := generateSalt(argon2SaltLen)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.EncryptAES", "failed to generate salt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
key := DeriveKey(passphrase, salt, argon2KeyLen)
|
|
|
|
|
|
|
|
|
|
encrypted, err := AESGCMEncrypt(plaintext, key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.EncryptAES", "failed to encrypt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result := make([]byte, 0, len(salt)+len(encrypted))
|
|
|
|
|
result = append(result, salt...)
|
|
|
|
|
result = append(result, encrypted...)
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// DecryptAES decrypts data encrypted with EncryptAES.
|
|
|
|
|
// Expects format: salt (16 bytes) + nonce (12 bytes) + ciphertext.
|
|
|
|
|
func DecryptAES(ciphertext, passphrase []byte) ([]byte, error) {
|
|
|
|
|
if len(ciphertext) < argon2SaltLen {
|
|
|
|
|
return nil, core.E("crypt.DecryptAES", "ciphertext too short", nil)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
salt := ciphertext[:argon2SaltLen]
|
|
|
|
|
encrypted := ciphertext[argon2SaltLen:]
|
|
|
|
|
|
|
|
|
|
key := DeriveKey(passphrase, salt, argon2KeyLen)
|
|
|
|
|
|
|
|
|
|
plaintext, err := AESGCMDecrypt(encrypted, key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, core.E("crypt.DecryptAES", "failed to decrypt", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return plaintext, nil
|
|
|
|
|
}
|