Fix CI errors: remove unused imports and fix type annotations

- Remove unused Zeroizing import from keymanagement.rs
- Remove unused Mac import from keyderivation.rs
- Prefix unused variable with underscore in tests
- Add type annotations to fix array size mismatches in examples
- Remove unnecessary to_string() and dereference in examples

Author: guardsarm

examples/file_encryption.rs

@@ -28,24 +28,34 @@ Transaction History:
     println!("   ✓ Generated 256-bit encryption key");
 
     // Encrypt the data
-    let encrypted_data = encryption::encrypt(&encryption_key, financial_data)
-        .expect("Encryption failed");
+    let encrypted_data =
+        encryption::encrypt(&encryption_key, financial_data).expect("Encryption failed");
 
     println!("   ✓ Data encrypted with AES-256-GCM");
-    println!("   Encrypted size: {} bytes", encrypted_data.ciphertext.len());
-    println!("   Nonce (12 bytes): {}", hex::encode(&encrypted_data.nonce));
-    println!("   First 32 bytes of ciphertext: {}...",
-             hex::encode(&encrypted_data.ciphertext[..32.min(encrypted_data.ciphertext.len())]));
+    println!(
+        "   Encrypted size: {} bytes",
+        encrypted_data.ciphertext.len()
+    );
+    println!(
+        "   Nonce (12 bytes): {}",
+        hex::encode(encrypted_data.nonce)
+    );
+    println!(
+        "   First 32 bytes of ciphertext: {}...",
+        hex::encode(&encrypted_data.ciphertext[..32.min(encrypted_data.ciphertext.len())])
+    );
 
     // Decrypt the data
     println!("\n2. Decrypting Data with Correct Key");
-    let decrypted_data = encryption::decrypt(&encryption_key, &encrypted_data)
-        .expect("Decryption failed");
+    let decrypted_data =
+        encryption::decrypt(&encryption_key, &encrypted_data).expect("Decryption failed");
 
     let decrypted_text = String::from_utf8(decrypted_data.clone()).unwrap();
     println!("   ✓ Decryption successful!");
-    println!("   Decrypted data matches original: {}",
-             decrypted_data == financial_data);
+    println!(
+        "   Decrypted data matches original: {}",
+        decrypted_data == financial_data
+    );
     println!("\n   Decrypted content:");
     println!("{}", decrypted_text);
 
@@ -60,30 +70,40 @@ Transaction History:
     // Encrypt multiple files
     println!("\n4. Encrypting Multiple Financial Records");
 
-    let records = vec![
-        ("customer_001.txt", b"Customer: Alice Johnson, Account: ACC-001, Balance: $50,000"),
-        ("customer_002.txt", b"Customer: Bob Williams, Account: ACC-002, Balance: $75,250"),
-        ("customer_003.txt", b"Customer: Carol Davis, Account: ACC-003, Balance: $100,500"),
+    let records: Vec<(&str, &[u8])> = vec![
+        (
+            "customer_001.txt",
+            b"Customer: Alice Johnson, Account: ACC-001, Balance: $50,000",
+        ),
+        (
+            "customer_002.txt",
+            b"Customer: Bob Williams, Account: ACC-002, Balance: $75,250",
+        ),
+        (
+            "customer_003.txt",
+            b"Customer: Carol Davis, Account: ACC-003, Balance: $100,500",
+        ),
     ];
 
     let mut encrypted_records = Vec::new();
 
     for (filename, data) in &records {
-        let encrypted = encryption::encrypt(&encryption_key, data)
-            .expect("Encryption failed");
+        let encrypted = encryption::encrypt(&encryption_key, data).expect("Encryption failed");
         encrypted_records.push((filename, encrypted));
         println!("   ✓ Encrypted {}", filename);
     }
 
     // Decrypt and verify all records
     println!("\n5. Decrypting All Records");
-    for ((filename, original_data), (_, encrypted)) in records.iter().zip(encrypted_records.iter()) {
-        let decrypted = encryption::decrypt(&encryption_key, encrypted)
-            .expect("Decryption failed");
+    for ((filename, original_data), (_, encrypted)) in records.iter().zip(encrypted_records.iter())
+    {
+        let decrypted = encryption::decrypt(&encryption_key, encrypted).expect("Decryption failed");
         let matches = &decrypted == original_data;
-        println!("   {} - Decryption: {}",
-                 filename,
-                 if matches { "✓ Success" } else { "✗ Failed" });
+        println!(
+            "   {} - Decryption: {}",
+            filename,
+            if matches { "✓ Success" } else { "✗ Failed" }
+        );
     }
 
     // Generate secure tokens

examples/password_hashing.rs

@@ -13,8 +13,7 @@ fn main() {
     let user_password = SecurePassword::new(b"MySecurePassword123!".to_vec());
 
     println!("   Hashing password with Argon2id...");
-    let password_hash = password::hash_password(&user_password)
-        .expect("Failed to hash password");
+    let password_hash = password::hash_password(&user_password).expect("Failed to hash password");
 
     println!("   Password hash: {}...", &password_hash[..50]);
     println!("   ✓ Hash stored in database\n");
@@ -44,7 +43,7 @@ fn main() {
     // Demonstrate multiple users with different passwords
     println!("4. Multiple User Accounts");
 
-    let users = vec![
+    let users: Vec<(&str, &[u8])> = vec![
         ("alice", b"AlicePass123!"),
         ("bob", b"BobSecure456@"),
         ("charlie", b"Charlie789#Pwd"),
@@ -65,19 +64,40 @@ fn main() {
     let alice_pwd = SecurePassword::new(b"AlicePass123!".to_vec());
     let (_, alice_hash) = &hashes[0];
     let is_valid = password::verify_password(&alice_pwd, alice_hash).unwrap();
-    println!("   Alice authentication: {}", if is_valid { "✓ Success" } else { "✗ Failed" });
+    println!(
+        "   Alice authentication: {}",
+        if is_valid {
+            "✓ Success"
+        } else {
+            "✗ Failed"
+        }
+    );
 
     // Try to authenticate Bob with wrong password
     let wrong_bob_pwd = SecurePassword::new(b"WrongPassword".to_vec());
     let (_, bob_hash) = &hashes[1];
     let is_valid = password::verify_password(&wrong_bob_pwd, bob_hash).unwrap();
-    println!("   Bob authentication (wrong pwd): {}", if is_valid { "✓ Success" } else { "✗ Failed" });
+    println!(
+        "   Bob authentication (wrong pwd): {}",
+        if is_valid {
+            "✓ Success"
+        } else {
+            "✗ Failed"
+        }
+    );
 
     // Authenticate Charlie correctly
     let charlie_pwd = SecurePassword::new(b"Charlie789#Pwd".to_vec());
     let (_, charlie_hash) = &hashes[2];
     let is_valid = password::verify_password(&charlie_pwd, charlie_hash).unwrap();
-    println!("   Charlie authentication: {}", if is_valid { "✓ Success" } else { "✗ Failed" });
+    println!(
+        "   Charlie authentication: {}",
+        if is_valid {
+            "✓ Success"
+        } else {
+            "✗ Failed"
+        }
+    );
 
     println!("\n=== Security Features ===");
     println!("✓ Argon2id algorithm (resistant to GPU attacks)");

src/keyderivation.rs

@@ -1,6 +1,6 @@
 //! Key derivation functions (PBKDF2, HKDF)
 
-use hmac::{Hmac, Mac};
+use hmac::Hmac;
 use sha2::{Sha256, Sha512};
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
@@ -93,8 +93,7 @@ impl Hkdf {
 
         let hk = HkdfImpl::<Sha256>::new(Some(salt), input_key_material);
         let mut okm = vec![0u8; output_length];
-        hk.expand(info, &mut okm)
-            .expect("HKDF expand failed");
+        hk.expand(info, &mut okm).expect("HKDF expand failed");
 
         DerivedKey::from_bytes(okm)
     }
@@ -160,10 +159,13 @@ impl PasswordStrength {
 
         // Common password check (basic)
         let common_passwords = [
-            "password", "123456", "qwerty", "admin", "letmein", "welcome",
-            "monkey", "dragon", "master", "sunshine", "princess", "football"
+            "password", "123456", "qwerty", "admin", "letmein", "welcome", "monkey", "dragon",
+            "master", "sunshine", "princess", "football",
         ];
-        if common_passwords.iter().any(|&common| password.to_lowercase().contains(common)) {
+        if common_passwords
+            .iter()
+            .any(|&common| password.to_lowercase().contains(common))
+        {
             score = score.saturating_sub(2);
             feedback.push("Avoid common passwords".to_string());
         }
@@ -276,7 +278,7 @@ mod tests {
 
     #[test]
     fn test_password_strength_sequential() {
-        let (score, feedback) = PasswordStrength::check("abc123xyz");
+        let (_score, feedback) = PasswordStrength::check("abc123xyz");
         assert!(feedback.iter().any(|f| f.contains("sequential")));
     }
 

src/keymanagement.rs

@@ -4,7 +4,6 @@ use crate::{CryptoError, SecureKey};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::time::{SystemTime, UNIX_EPOCH};
-use zeroize::Zeroizing;
 
 /// Key metadata
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -99,9 +98,7 @@ impl KeyStore {
 
     /// Retrieve a key (returns clone of metadata but reference to key)
     pub fn get_key(&self, key_id: &str) -> Option<(&SecureKey, KeyMetadata)> {
-        self.keys
-            .get(key_id)
-            .map(|(key, meta)| (key, meta.clone()))
+        self.keys.get(key_id).map(|(key, meta)| (key, meta.clone()))
     }
 
     /// Remove a key
@@ -137,15 +134,16 @@ impl KeyStore {
 
     /// Rotate a key (generate new key, increment rotation counter)
     pub fn rotate_key(&mut self, key_id: &str) -> Result<(), CryptoError> {
-        if let Some((_, meta)) = self.keys.get_mut(key_id) {
+        if let Some((_, meta)) = self.keys.get(key_id) {
             let new_key = SecureKey::generate();
-            meta.rotation_count += 1;
-            meta.created_at = SystemTime::now()
+            let mut new_meta = meta.clone();
+            new_meta.rotation_count += 1;
+            new_meta.created_at = SystemTime::now()
                 .duration_since(UNIX_EPOCH)
                 .unwrap()
                 .as_secs();
 
-            self.keys.insert(key_id.to_string(), (new_key, meta.clone()));
+            self.keys.insert(key_id.to_string(), (new_key, new_meta));
             Ok(())
         } else {
             Err(CryptoError::HashingError("Key not found".to_string()))
@@ -307,11 +305,7 @@ mod tests {
         )
         .with_expiration(1);
         store
-            .store_key(
-                "expired".to_string(),
-                SecureKey::generate(),
-                meta_expired,
-            )
+            .store_key("expired".to_string(), SecureKey::generate(), meta_expired)
             .unwrap();
 
         // Add non-expired key

src/lib.rs

@@ -18,22 +18,22 @@
 //! 2024 CISA/FBI guidance for memory-safe cryptographic implementations.
 
 pub mod keyderivation;
-pub mod signatures;
 pub mod keymanagement;
+pub mod signatures;
 
-pub use keyderivation::{DerivedKey, Hkdf, Pbkdf2, PasswordStrength};
-pub use signatures::{Ed25519KeyPair, Ed25519PublicKey, HmacKey, SignatureSuite};
+pub use keyderivation::{DerivedKey, Hkdf, PasswordStrength, Pbkdf2};
 pub use keymanagement::{KeyMetadata, KeyStore, RotationPolicy};
+pub use signatures::{Ed25519KeyPair, Ed25519PublicKey, HmacKey, SignatureSuite};
 
 use aes_gcm::{
     aead::{Aead, KeyInit, OsRng},
     Aes256Gcm, Nonce,
 };
 use argon2::{
     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
-    Argon2, Algorithm, Version, Params,
+    Algorithm, Argon2, Params, Version,
 };
-use hmac::{Hmac, Mac};
+use hmac::Hmac;
 use rand::RngCore;
 use sha2::Sha256;
 use thiserror::Error;
@@ -272,10 +272,7 @@ pub mod encryption {
     }
 
     /// Decrypt data using AES-256-GCM
-    pub fn decrypt(
-        key: &SecureKey,
-        encrypted: &EncryptedData,
-    ) -> Result<Vec<u8>, CryptoError> {
+    pub fn decrypt(key: &SecureKey, encrypted: &EncryptedData) -> Result<Vec<u8>, CryptoError> {
         let cipher = Aes256Gcm::new_from_slice(key.as_bytes())
             .map_err(|e| CryptoError::DecryptionError(e.to_string()))?;
 
@@ -313,12 +310,13 @@ pub mod random {
 }
 
 /// HMAC-SHA256 utilities for message authentication
-pub mod hmac {
+pub mod hmac_ops {
     use super::*;
+    use hmac::Mac;
 
     /// Compute HMAC-SHA256 for a message
     pub fn compute_hmac(key: &SecureKey, message: &[u8]) -> Result<Vec<u8>, CryptoError> {
-        let mut mac = HmacSha256::new_from_slice(key.as_bytes())
+        let mut mac = <HmacSha256 as Mac>::new_from_slice(key.as_bytes())
             .map_err(|e| CryptoError::HmacError(e.to_string()))?;
 
         mac.update(message);
@@ -331,7 +329,7 @@ pub mod hmac {
         message: &[u8],
         expected_hmac: &[u8],
     ) -> Result<bool, CryptoError> {
-        let mut mac = HmacSha256::new_from_slice(key.as_bytes())
+        let mut mac = <HmacSha256 as Mac>::new_from_slice(key.as_bytes())
             .map_err(|e| CryptoError::HmacError(e.to_string()))?;
 
         mac.update(message);
@@ -482,19 +480,19 @@ mod tests {
         let key = SecureKey::generate();
         let message = b"Important financial transaction data";
 
-        let hmac_result = hmac::compute_hmac(&key, message).unwrap();
+        let hmac_result = hmac_ops::compute_hmac(&key, message).unwrap();
         assert_eq!(hmac_result.len(), 32); // SHA-256 produces 32 bytes
 
         // Verify correct HMAC
-        assert!(hmac::verify_hmac(&key, message, &hmac_result).unwrap());
+        assert!(hmac_ops::verify_hmac(&key, message, &hmac_result).unwrap());
 
         // Verify fails with wrong key
         let wrong_key = SecureKey::generate();
-        assert!(!hmac::verify_hmac(&wrong_key, message, &hmac_result).unwrap());
+        assert!(!hmac_ops::verify_hmac(&wrong_key, message, &hmac_result).unwrap());
 
         // Verify fails with modified message
         let modified_message = b"Modified transaction data";
-        assert!(!hmac::verify_hmac(&key, modified_message, &hmac_result).unwrap());
+        assert!(!hmac_ops::verify_hmac(&key, modified_message, &hmac_result).unwrap());
     }
 
     #[test]
@@ -549,19 +547,19 @@ mod tests {
         let message1 = b"Message 1";
         let message2 = b"Message 2";
 
-        let hmac1 = hmac::compute_hmac(&key, message1).unwrap();
-        let hmac2 = hmac::compute_hmac(&key, message2).unwrap();
+        let hmac1 = hmac_ops::compute_hmac(&key, message1).unwrap();
+        let hmac2 = hmac_ops::compute_hmac(&key, message2).unwrap();
 
         // Different messages should produce different HMACs
         assert_ne!(hmac1, hmac2);
 
         // Each HMAC should verify against its own message
-        assert!(hmac::verify_hmac(&key, message1, &hmac1).unwrap());
-        assert!(hmac::verify_hmac(&key, message2, &hmac2).unwrap());
+        assert!(hmac_ops::verify_hmac(&key, message1, &hmac1).unwrap());
+        assert!(hmac_ops::verify_hmac(&key, message2, &hmac2).unwrap());
 
         // HMACs should not cross-verify
-        assert!(!hmac::verify_hmac(&key, message1, &hmac2).unwrap());
-        assert!(!hmac::verify_hmac(&key, message2, &hmac1).unwrap());
+        assert!(!hmac_ops::verify_hmac(&key, message1, &hmac2).unwrap());
+        assert!(!hmac_ops::verify_hmac(&key, message2, &hmac1).unwrap());
     }
 
     #[test]