Snider
|
fc21d01a71
|
docs(findings): document Phase 2 key management decisions
Covers F1 resolution (Argon2id migration), dual-path password
verification, revocation JSON design, key rotation flow, and
HardwareKey interface rationale.
Co-Authored-By: Virgil <virgil@lethean.io>
|
2026-02-20 02:29:17 +00:00 |
|
Snider
|
9331fc6eac
|
test(phase0): expand test coverage, security audit, and benchmarks
Add 29 new tests across auth/, crypt/, and trust/ packages:
- auth: concurrent sessions, token uniqueness, challenge expiry boundary,
  empty password, long/unicode usernames, air-gapped round-trip, expired refresh
- crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info
  separation, checksum edge cases
- trust: concurrent registry operations, tier validation, token expiry boundary,
  empty ScopedRepos behaviour, unknown capabilities
Add benchmark suites:
- crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads)
- trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister
Security audit documented in FINDINGS.md:
- F1: LTHN hash used for password verification (medium)
- F2: PGP private keys not zeroed after use (low, upstream limitation)
- F3: Empty ScopedRepos bypasses repo scope check (medium)
- F4: go vet clean, no math/rand, no secrets in error messages
All tests pass with -race. go vet clean.
Co-Authored-By: Virgil <virgil@lethean.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
2026-02-20 01:14:41 +00:00 |
|
Snider
|
5087f710c6
|
docs: add domain expert guide, task queue, and research notes
CLAUDE.md: architecture guide for auth/crypt/trust with algorithm reference
TODO.md: 4-phase task queue (hardening, sessions, key mgmt, policy)
FINDINGS.md: package inventory, security review flags, integration points
Co-Authored-By: Virgil <virgil@lethean.io>
|
2026-02-20 00:58:58 +00:00 |
|