fix: resolve gochecknoglobals, gosec, lll, and mnd linter errors

- Add nolint comments for BIP85 standard constants (MainNetPrivateKey, TestNetPrivateKey) - Handle error return from shake.Write() in NewBIP85DRNG - Fix line length issue by moving nolint comment to separate line - Add nolint comment for cobra.ExactArgs(2) magic number - Replace magic number 32 with named constant x25519KeySize in agehd package
2025-07-09 12:49:59 -07:00 · 2025-07-09 12:49:59 -07:00 · 95ba80f618
commit 95ba80f618
parent d710323bd0
4 changed files with 9 additions and 6 deletions
--- a/internal/cli/version.go
+++ b/internal/cli/version.go
@ -45,7 +45,7 @@ func VersionCommands(cli *Instance) *cobra.Command {
 		Use:   "promote <secret-name> <version>",
 		Short: "Promote a specific version to current",
 		Long:  "Updates the current symlink to point to the specified version without modifying timestamps",
-		Args:  cobra.ExactArgs(2),
+		Args:  cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.PromoteVersion(cmd, args[0], args[1])
 		},
--- a/internal/secret/secret.go
+++ b/internal/secret/secret.go
@ -286,7 +286,9 @@ func GetCurrentVault(fs afero.Fs, stateDir string) (VaultInterface, error) {

 // getCurrentVaultFunc is a function variable that will be set by the vault package
 // to implement the actual GetCurrentVault functionality
-var getCurrentVaultFunc func(fs afero.Fs, stateDir string) (VaultInterface, error) //nolint:gochecknoglobals // Required to break import cycle
+//
+//nolint:gochecknoglobals // Required to break import cycle
+var getCurrentVaultFunc func(fs afero.Fs, stateDir string) (VaultInterface, error)

 // RegisterGetCurrentVaultFunc allows the vault package to register its implementation
 // of GetCurrentVault to break the import cycle
--- a/pkg/agehd/agehd.go
+++ b/pkg/agehd/agehd.go
@ -37,7 +37,8 @@ func clamp(k []byte) {
 // IdentityFromEntropy converts 32 deterministic bytes into an
 // *age.X25519Identity by round-tripping through Bech32.
 func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
-	if len(ent) != 32 { // 32 bytes = 256-bit key size for X25519
+	const x25519KeySize = 32 // 256-bit key size for X25519
+	if len(ent) != x25519KeySize {
 		return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
 	}

--- a/pkg/bip85/bip85.go
+++ b/pkg/bip85/bip85.go
@ -40,9 +40,9 @@ const (
 // Version bytes for extended keys
 var (
 	// MainNetPrivateKey is the version for mainnet private keys
-	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4}
+	MainNetPrivateKey = []byte{0x04, 0x88, 0xAD, 0xE4} //nolint:gochecknoglobals // Standard BIP32 constant
 	// TestNetPrivateKey is the version for testnet private keys
-	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94}
+	TestNetPrivateKey = []byte{0x04, 0x35, 0x83, 0x94} //nolint:gochecknoglobals // Standard BIP32 constant
 )

 // DRNG is a deterministic random number generator seeded by BIP85 entropy
@ -59,7 +59,7 @@ func NewBIP85DRNG(entropy []byte) *DRNG {

 	// Initialize SHAKE256 with the entropy
 	shake := sha3.NewShake256()
-	shake.Write(entropy)
+	_, _ = shake.Write(entropy) // Write to hash functions never returns an error

 	return &DRNG{
 		shake: shake,