From dd2e95f8af45fa93a3d3b0ace80175735a7e4623 Mon Sep 17 00:00:00 2001
From: sneak
Date: Fri, 20 Jun 2025 09:23:50 -0700
Subject: [PATCH] fix: replace magic file permissions and add crypto constant comments

Replace hardcoded 0o600 with secret.FilePerms constant for consistency. Add explanatory comments for cryptographic constants (32-byte keys, bech32 encoding parameters) rather than extracting them as they are well-known cryptographic standard values.
---
 internal/cli/vault.go | 2 +-
 pkg/agehd/agehd.go | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/internal/cli/vault.go b/internal/cli/vault.go
index 47f9ba5..287b07a 100644
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -219,7 +219,7 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 ltPublicKey := ltIdentity.Recipient().String()
 secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir)
- if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), 0o600); err != nil {
+ if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), secret.FilePerms); err != nil {
 return fmt.Errorf("failed to store long-term public key: %w", err)
 }
diff --git a/pkg/agehd/agehd.go b/pkg/agehd/agehd.go
index 6290782..a7ee478 100644
--- a/pkg/agehd/agehd.go
+++ b/pkg/agehd/agehd.go
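Review bot: `secret.FilePerms` on the `afero.WriteFile` line is only honoured when the file is created; afero.WriteFile opens with O_CREATE|O_TRUNC and, as with os.WriteFile, an already existing `pubKeyPath` keeps whatever mode it had (and on an OsFs the process umask still masks the value at creation). If the intent is that every file under `vaultDir` carries the constant's mode even on re-import, follow the write with `cli.fs.Chmod(pubKeyPath, secret.FilePerms)`, or document on the line that the mode applies to newly created files only. What is written here is the recipient string, i.e. public data, so this is a consistency point rather than a confidentiality one; the description says the constant stands for the former 0o600, but its definition is not part of this diff. VaultImport's body continues on both sides of the hunk.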
@@ -37,16 +37,16 @@ func clamp(k []byte) {
 // IdentityFromEntropy converts 32 deterministic bytes into an
 // *age.X25519Identity by round-tripping through Bech32.
 func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
- if len(ent) != 32 {
+ if len(ent) != 32 { // 32 bytes = 256-bit key size for X25519
 return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
 }
 // Make a copy to avoid modifying the original
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519 // 32 bytes = 256-bit key size for X25519
 copy(key, ent)
 clamp(key)
- data, err := bech32.ConvertBits(key, 8, 5, true)
+ data, err := bech32.ConvertBits(key, 8, 5, true) // Convert from 8-bit to 5-bit encoding for bech32
 if err != nil {
 return nil, fmt.Errorf("bech32 convert: %w", err)
 }
@@ -80,7 +80,7 @@ func DeriveEntropy(mnemonic string, n uint32) ([]byte, error) {
 // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 drng := bip85.NewBIP85DRNG(entropy)
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
 _, err = drng.Read(key)
 if err != nil {
 return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@@ -109,7 +109,7 @@ func DeriveEntropyFromXPRV(xprv string, n uint32) ([]byte, error) {
 // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 drng := bip85.NewBIP85DRNG(entropy)
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
 _, err = drng.Read(key)
 if err != nil {
 return nil, fmt.Errorf("failed to read from DRNG: %w", err)
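Review bot: The comment added to the `key := make([]byte, 32)` line in IdentityFromEntropy appears twice on that single line (the diffstat's 5 insertions match the five `+` lines, so it is not a separate comment line); drop the second copy so the line reads `key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519`. The same sentence then reappears on the length check just above and on the `make` lines in the DeriveEntropy and DeriveEntropyFromXPRV hunks, so a single package-level `const x25519KeySize = 32 // 256-bit X25519 scalar`, used in all four places and in the `need 32-byte scalar` error message, would state the fact once and keep the check, the allocation and the message in agreement; the description argues against extraction, but repetition across three functions is exactly what a named constant avoids. IdentityFromEntropy continues past the end of the hunk.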