From 9e7a19243f2a1a2da187fd9121e0ca05454d8a64 Mon Sep 17 00:00:00 2001
From: Claude <developers@lethean.io>
Date: Tue, 24 Feb 2026 16:30:08 +0000
Subject: [PATCH] =?UTF-8?q?chore:=20fmt.Errorf(static)=20=E2=86=92=20error?=
 =?UTF-8?q?s.New?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 auth/auth.go      | 9 +++++----
 crypt/pgp/pgp.go  | 3 ++-
 crypt/rsa/rsa.go  | 7 ++++---
 trust/approval.go | 5 +++--
 trust/trust.go    | 3 ++-
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index 97da488..81b14c2 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -30,6 +30,7 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -647,10 +648,10 @@ func (a *Authenticator) verifyPassword(userID, password string) error {
 		if err == nil && strings.HasPrefix(storedHash, "$argon2id$") {
 			valid, verr := crypt.VerifyPassword(password, storedHash)
 			if verr != nil {
-				return fmt.Errorf("failed to verify password")
+				return errors.New("failed to verify password")
 			}
 			if !valid {
-				return fmt.Errorf("invalid password")
+				return errors.New("invalid password")
 			}
 			return nil
 		}
@@ -659,10 +660,10 @@ func (a *Authenticator) verifyPassword(userID, password string) error {
 	// Fall back to legacy LTHN hash (.lthn file)
 	storedHash, err := a.medium.Read(userPath(userID, ".lthn"))
 	if err != nil {
-		return fmt.Errorf("user not found")
+		return errors.New("user not found")
 	}
 	if !lthn.Verify(password, storedHash) {
-		return fmt.Errorf("invalid password")
+		return errors.New("invalid password")
 	}
 	return nil
 }
diff --git a/crypt/pgp/pgp.go b/crypt/pgp/pgp.go
index 7fa5bd0..67170d5 100644
--- a/crypt/pgp/pgp.go
+++ b/crypt/pgp/pgp.go
@@ -6,6 +6,7 @@ package pgp
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 
@@ -194,7 +195,7 @@ func Sign(data []byte, privateKeyArmor, password string) ([]byte, error) {
 
 	signer := keyring[0]
 	if signer.PrivateKey == nil {
-		return nil, fmt.Errorf("pgp: private key not found in keyring")
+		return nil, errors.New("pgp: private key not found in keyring")
 	}
 
 	if signer.PrivateKey.Encrypted {
diff --git a/crypt/rsa/rsa.go b/crypt/rsa/rsa.go
index 5470ea8..9f1cd0c 100644
--- a/crypt/rsa/rsa.go
+++ b/crypt/rsa/rsa.go
@@ -6,6 +6,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 )
 
@@ -49,7 +50,7 @@ func (s *Service) GenerateKeyPair(bits int) (publicKey, privateKey []byte, err e
 func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 	block, _ := pem.Decode(publicKey)
 	if block == nil {
-		return nil, fmt.Errorf("failed to decode public key")
+		return nil, errors.New("failed to decode public key")
 	}
 
 	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
@@ -59,7 +60,7 @@ func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 
 	rsaPub, ok := pub.(*rsa.PublicKey)
 	if !ok {
-		return nil, fmt.Errorf("not an RSA public key")
+		return nil, errors.New("not an RSA public key")
 	}
 
 	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, data, label)
@@ -74,7 +75,7 @@ func (s *Service) Encrypt(publicKey, data, label []byte) ([]byte, error) {
 func (s *Service) Decrypt(privateKey, ciphertext, label []byte) ([]byte, error) {
 	block, _ := pem.Decode(privateKey)
 	if block == nil {
-		return nil, fmt.Errorf("failed to decode private key")
+		return nil, errors.New("failed to decode private key")
 	}
 
 	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
diff --git a/trust/approval.go b/trust/approval.go
index 0f5608a..a6aafca 100644
--- a/trust/approval.go
+++ b/trust/approval.go
@@ -1,6 +1,7 @@
 package trust
 
 import (
+	"errors"
 	"fmt"
 	"iter"
 	"sync"
@@ -73,10 +74,10 @@ func NewApprovalQueue() *ApprovalQueue {
 // Returns an error if the agent name or capability is empty.
 func (q *ApprovalQueue) Submit(agent string, cap Capability, repo string) (string, error) {
 	if agent == "" {
-		return "", fmt.Errorf("trust.ApprovalQueue.Submit: agent name is required")
+		return "", errors.New("trust.ApprovalQueue.Submit: agent name is required")
 	}
 	if cap == "" {
-		return "", fmt.Errorf("trust.ApprovalQueue.Submit: capability is required")
+		return "", errors.New("trust.ApprovalQueue.Submit: capability is required")
 	}
 
 	q.mu.Lock()
diff --git a/trust/trust.go b/trust/trust.go
index 3b2a28d..69e4a24 100644
--- a/trust/trust.go
+++ b/trust/trust.go
@@ -11,6 +11,7 @@
 package trust
 
 import (
+	"errors"
 	"fmt"
 	"iter"
 	"sync"
@@ -97,7 +98,7 @@ func NewRegistry() *Registry {
 // Returns an error if the agent name is empty or the tier is invalid.
 func (r *Registry) Register(agent Agent) error {
 	if agent.Name == "" {
-		return fmt.Errorf("trust.Register: agent name is required")
+		return errors.New("trust.Register: agent name is required")
 	}
 	if !agent.Tier.Valid() {
 		return fmt.Errorf("trust.Register: invalid tier %d for agent %q", agent.Tier, agent.Name)