chore: fmt.Errorf(static) → errors.New

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

auth/auth.go

@@ -30,6 +30,7 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -647,10 +648,10 @@ func (a *Authenticator) verifyPassword(userID, password string) error {
 		if err == nil && strings.HasPrefix(storedHash, "$argon2id$") {
 			valid, verr := crypt.VerifyPassword(password, storedHash)
 			if verr != nil {
-				return fmt.Errorf("failed to verify password")
+				return errors.New("failed to verify password")
 			}
 			if !valid {
-				return fmt.Errorf("invalid password")
+				return errors.New("invalid password")
 			}
 			return nil
 		}
@@ -659,10 +660,10 @@ func (a *Authenticator) verifyPassword(userID, password string) error {
 	// Fall back to legacy LTHN hash (.lthn file)
 	storedHash, err := a.medium.Read(userPath(userID, ".lthn"))
 	if err != nil {
-		return fmt.Errorf("user not found")
+		return errors.New("user not found")
 	}
 	if !lthn.Verify(password, storedHash) {
-		return fmt.Errorf("invalid password")
+		return errors.New("invalid password")
 	}
 	return nil
 }

crypt/pgp/pgp.go

@@ -6,6 +6,7 @@ package pgp
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 
@@ -194,7 +195,7 @@ func Sign(data []byte, privateKeyArmor, password string) ([]byte, error) {
 
 	signer := keyring[0]
 	if signer.PrivateKey == nil {
-		return nil, fmt.Errorf("pgp: private key not found in keyring")
+		return nil, errors.New("pgp: private key not found in keyring")
 	}
 
 	if signer.PrivateKey.Encrypted {

crypt/rsa/rsa.go

@@ -6,6 +6,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 )
 
@@ -49,7 +50,7 @@ func (s *Service) GenerateKeyPair(bits int) (publicKey, privateKey []byte, err e
 func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 	block, _ := pem.Decode(publicKey)
 	if block == nil {
-		return nil, fmt.Errorf("failed to decode public key")
+		return nil, errors.New("failed to decode public key")
 	}
 
 	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
@@ -59,7 +60,7 @@ func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 
 	rsaPub, ok := pub.(*rsa.PublicKey)
 	if !ok {
-		return nil, fmt.Errorf("not an RSA public key")
+		return nil, errors.New("not an RSA public key")
 	}
 
 	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, data, label)
@@ -74,7 +75,7 @@ func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 func (s *Service) Decrypt(privateKey, ciphertext, label []byte) ([]byte, error) {
 	block, _ := pem.Decode(privateKey)
 	if block == nil {
-		return nil, fmt.Errorf("failed to decode private key")
+		return nil, errors.New("failed to decode private key")
 	}
 
 	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)

trust/approval.go

@@ -1,6 +1,7 @@
 package trust
 
 import (
+	"errors"
 	"fmt"
 	"iter"
 	"sync"
@@ -73,10 +74,10 @@ func NewApprovalQueue() *ApprovalQueue {
 // Returns an error if the agent name or capability is empty.
 func (q *ApprovalQueue) Submit(agent string, cap Capability, repo string) (string, error) {
 	if agent == "" {
-		return "", fmt.Errorf("trust.ApprovalQueue.Submit: agent name is required")
+		return "", errors.New("trust.ApprovalQueue.Submit: agent name is required")
 	}
 	if cap == "" {
-		return "", fmt.Errorf("trust.ApprovalQueue.Submit: capability is required")
+		return "", errors.New("trust.ApprovalQueue.Submit: capability is required")
 	}
 
 	q.mu.Lock()

trust/trust.go

@@ -11,6 +11,7 @@
 package trust
 
 import (
+	"errors"
 	"fmt"
 	"iter"
 	"sync"
@@ -97,7 +98,7 @@ func NewRegistry() *Registry {
 // Returns an error if the agent name is empty or the tier is invalid.
 func (r *Registry) Register(agent Agent) error {
 	if agent.Name == "" {
-		return fmt.Errorf("trust.Register: agent name is required")
+		return errors.New("trust.Register: agent name is required")
 	}
 	if !agent.Tier.Valid() {
 		return fmt.Errorf("trust.Register: invalid tier %d for agent %q", agent.Tier, agent.Name)