Snider
39643ddba0
fix: replace fmt.Errorf and errors.New with coreerr.E()
...
Security Scan / security (push) Failing after 8s
Test / test (push) Failing after 6m20s
Replace all fmt.Errorf/errors.New calls in auth/auth.go,
crypt/pgp/pgp.go, crypt/rsa/rsa.go, crypt/chachapoly/chachapoly.go,
and trust/trust.go with coreerr.E(op, msg, err) from go-log.
No stale pkg/framework imports found.
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-16 18:19:51 +00:00
Snider
e561e1ee1f
security: use constant-time comparison for auth credentials
...
Security Scan / security (push) Failing after 8s
Test / test (push) Failing after 21s
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 08:27:38 +00:00
Snider
c7959ecfef
refactor: swap pkg/framework imports to pkg/core
...
Security Scan / security (push) Failing after 7s
Test / test (push) Failing after 19s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-06 14:11:09 +00:00
Snider
7468c38906
refactor: swap pkg/{io,log,i18n} imports to go-io/go-log/go-i18n
...
Security Scan / security (push) Failing after 6s
Test / test (push) Failing after 15s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-06 12:35:41 +00:00
Claude
9e7a19243f
chore: fmt.Errorf(static) → errors.New
...
Security Scan / security (pull_request) Failing after 15s
Test / test (pull_request) Failing after 10m43s
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 16:30:08 +00:00
Snider
ee58e790a0
feat: modernise to Go 1.26 iterators and stdlib helpers
...
Security Scan / security (push) Failing after 11s
Test / test (push) Failing after 29s
Add iter.Seq iterators for trust registry (ListSeq), audit log
(EventsSeq, QuerySeq), and approval store (PendingSeq). Use
slices.DeleteFunc in session store, slices.SortFunc in testcmd,
range-over-int in benchmarks.
Co-Authored-By: Gemini <noreply@google.com>
Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-23 05:47:13 +00:00
Claude
5ea42689d3
chore: migrate Snider deps from github.com to forge.lthn.ai
...
Update Enchantrix reference in comment and dependency versions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 21:41:49 +00:00
Snider
d6aa25c5bf
refactor: apply go fix modernizers for Go 1.26
...
Automated fixes: interface{} → any, range-over-int, t.Context(),
wg.Go(), strings.SplitSeq, strings.Builder, slices.Contains,
maps helpers, min/max builtins.
Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-22 21:00:16 +00:00
Snider
9331fc6eac
test(phase0): expand test coverage, security audit, and benchmarks
...
Add 29 new tests across auth/, crypt/, and trust/ packages:
- auth: concurrent sessions, token uniqueness, challenge expiry boundary,
empty password, long/unicode usernames, air-gapped round-trip, expired refresh
- crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info
separation, checksum edge cases
- trust: concurrent registry operations, tier validation, token expiry boundary,
empty ScopedRepos behaviour, unknown capabilities
Add benchmark suites:
- crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads)
- trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister
Security audit documented in FINDINGS.md:
- F1: LTHN hash used for password verification (medium)
- F2: PGP private keys not zeroed after use (low, upstream limitation)
- F3: Empty ScopedRepos bypasses repo scope check (medium)
- F4: go vet clean, no math/rand, no secrets in error messages
All tests pass with -race. go vet clean.
Co-Authored-By: Virgil <virgil@lethean.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 01:14:41 +00:00
Claude
8498ecf890
feat: extract crypto/security packages from core/go
...
ChaCha20-Poly1305, AES-256-GCM, Argon2 key derivation, OpenPGP
challenge-response auth, and trust tier policy engine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:25:54 +00:00
