refactor: migrate cobra → cli.Command, update CLAUDE.md

Co-Authored-By: Virgil <virgil@lethean.io>

CLAUDE.md

@@ -1,4 +1,6 @@
-# CLAUDE.md — go-crypt
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
 You are a dedicated domain expert for `forge.lthn.ai/core/go-crypt`. Virgil (in
 core/go) orchestrates your work. Pick up tasks in phase order, mark `[x]` when
@@ -7,14 +9,19 @@ done, commit and push.
 ## What This Package Does
 
 Cryptographic primitives, authentication, and trust policy engine for the
-Lethean agent platform. Provides:
+Lethean agent platform. Three independent top-level packages:
 
-- Symmetric encryption — ChaCha20-Poly1305 and AES-256-GCM with Argon2id KDF
-- OpenPGP authentication — challenge-response (online + air-gapped courier mode)
-- Password hashing — Argon2id (primary) + Bcrypt (fallback)
-- Trust policy engine — 3-tier agent access control with capability evaluation
-- RSA — OAEP-SHA256 key generation and encryption (2048+ bit)
-- LTHN hash — RFC-0004 quasi-salted deterministic hash (content IDs, NOT passwords)
+- **`crypt/`** — Symmetric encryption (ChaCha20-Poly1305, AES-256-GCM), Argon2id
+  KDF, password hashing, HMAC, checksums. Sub-packages: `chachapoly/`, `lthn/`,
+  `pgp/`, `rsa/`, `openpgp/`.
+- **`auth/`** — OpenPGP challenge-response authentication (online + air-gapped
+  courier mode), password-based login with Argon2id→LTHN migration, session
+  management via `SessionStore` interface, key rotation and revocation.
+- **`trust/`** — 3-tier agent access control (`Registry`, `PolicyEngine`,
+  `ApprovalQueue`, `AuditLog`), capability evaluation with repo scope matching.
+
+Each package can be imported independently. Only `crypt/openpgp/` integrates
+with the Core framework's IPC system (`core.Crypt` interface).
 
 For architecture details see `docs/architecture.md`. For history and findings
 see `docs/history.md`.
@@ -22,21 +29,29 @@ see `docs/history.md`.
 ## Commands
 
 ```bash
-go test ./...                    # Run all tests
-go test -race ./...              # Race detector (required before committing)
-go test -v -run TestName ./...   # Single test
-go vet ./...                     # Static analysis (must be clean)
+go test ./...                        # Run all tests
+go test -race ./...                  # Race detector (required before committing)
+go test -v -run TestName ./...       # Single test
+go test ./auth/...                   # Single package
+go vet ./...                         # Static analysis (must be clean)
+go test -bench=. -benchmem ./crypt/... # Benchmarks
 ```
 
 ## Local Dependencies
 
-| Module | Local Path | Notes |
-|--------|-----------|-------|
-| `forge.lthn.ai/core/go` | `../go` | Framework (core.E, core.Crypt, io.Medium) |
-| `forge.lthn.ai/core/go-store` | `../go-store` | SQLite KV store (session persistence) |
+All `forge.lthn.ai/core/*` modules are resolved through the Go workspace
+(`~/Code/go.work`). Do not add replace directives to `go.mod` — use the
+workspace file instead.
 
-Do not change the replace directive paths. Use a `go.work` for local resolution
-if working outside the full monorepo.
+| Module | Local Path | Purpose |
+|--------|-----------|---------|
+| `forge.lthn.ai/core/go` | `../go` | Framework: `core.Crypt` interface, `io.Medium` |
+| `forge.lthn.ai/core/go-store` | `../go-store` | SQLite KV store (session persistence) |
+| `forge.lthn.ai/core/go-io` | `../go-io` | `io.Medium` storage abstraction |
+| `forge.lthn.ai/core/go-log` | `../go-log` | `core.E()` contextual error wrapping |
+| `forge.lthn.ai/core/cli` | `../cli` | CLI framework for `cmd/crypt` commands |
+
+No C toolchain or CGo required — all crypto uses pure Go implementations.
 
 ## Coding Standards
 
@@ -44,10 +59,12 @@ if working outside the full monorepo.
 - **Tests**: testify assert/require, `_Good`/`_Bad`/`_Ugly` naming convention
 - **Concurrency tests**: 10 goroutines via WaitGroup; must pass `-race`
 - **Imports**: stdlib → forge.lthn.ai → third-party, separated by blank lines
-- **Errors**: use `core.E("package.Function", "lowercase message", err)`; never
-  include secrets in error strings
+- **Errors**: use `core.E("package.Function", "lowercase message", err)` (imported
+  from `forge.lthn.ai/core/go-log`); never include secrets in error strings
 - **Randomness**: `crypto/rand` only; never `math/rand`
 - **Conventional commits**: `feat(auth):`, `fix(crypt):`, `refactor(trust):`
+  Scopes match package names: `auth`, `crypt`, `trust`, `pgp`, `lthn`, `rsa`,
+  `openpgp`, `chachapoly`
 - **Co-Author**: `Co-Authored-By: Virgil <virgil@lethean.io>`
 - **Licence**: EUPL-1.2
 

cmd/testcmd/cmd_main.go

@@ -6,7 +6,6 @@ package testcmd
 import (
 	"forge.lthn.ai/core/cli/pkg/cli"
 	"forge.lthn.ai/core/go-i18n"
-	"github.com/spf13/cobra"
 )
 
 // Style aliases from shared
@@ -32,11 +31,11 @@ var (
 	testJSON     bool
 )
 
-var testCmd = &cobra.Command{
+var testCmd = &cli.Command{
 	Use:   "test",
 	Short: i18n.T("cmd.test.short"),
 	Long:  i18n.T("cmd.test.long"),
-	RunE: func(cmd *cobra.Command, args []string) error {
+	RunE: func(cmd *cli.Command, args []string) error {
 		return runTest(testVerbose, testCoverage, testShort, testPkg, testRun, testRace, testJSON)
 	},
 }
@@ -52,7 +51,7 @@ func initTestFlags() {
 }
 
 // AddTestCommands registers the 'test' command and all subcommands.
-func AddTestCommands(root *cobra.Command) {
+func AddTestCommands(root *cli.Command) {
 	initTestFlags()
 	root.AddCommand(testCmd)
 }