fix: add nil checks to Sign/SignEnvelope, atomic keypair write

gcmsg · claude · gcmsg · commit 8d93a504b760 · 2026-03-15T15:05:04.000+08:00
- Sign() now returns (string, error) with nil private key check
- SignEnvelope() now returns error with nil envelope check
- SaveKeypair() uses write-then-rename for atomic file operations

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/envelope/envelope_test.go b/envelope/envelope_test.go
@@ -143,7 +143,9 @@ func TestSignEnvelope_VerifyEnvelope_RoundTrip(t *testing.T) {
 
 	env := New("alice", "bob", protocol.ProtocolA2A, []byte("hello"))
 	env.Nonce = "test-nonce"
-	identity.SignEnvelope(env, kp.PrivateKey)
+	if err := identity.SignEnvelope(env, kp.PrivateKey); err != nil {
+		t.Fatalf("SignEnvelope: %v", err)
+	}
 
 	if env.Signature == "" {
 		t.Fatal("expected non-empty signature")
diff --git a/identity/keypair.go b/identity/keypair.go
@@ -39,10 +39,19 @@ func (kp *Keypair) PublicKeyString() string {
 }
 
 // SaveKeypair writes the private key seed to a file (32 bytes, base64-encoded).
+// Uses atomic write-then-rename to prevent corruption from interrupted writes.
 func SaveKeypair(kp *Keypair, path string) error {
 	seed := kp.PrivateKey.Seed()
 	encoded := base64.StdEncoding.EncodeToString(seed)
-	return os.WriteFile(path, []byte(encoded), 0600)
+	tmpPath := path + ".tmp"
+	if err := os.WriteFile(tmpPath, []byte(encoded), 0600); err != nil {
+		return fmt.Errorf("write keypair temp file: %w", err)
+	}
+	if err := os.Rename(tmpPath, path); err != nil {
+		_ = os.Remove(tmpPath)
+		return fmt.Errorf("rename keypair file: %w", err)
+	}
+	return nil
 }
 
 // LoadKeypair reads a keypair from a seed file.
diff --git a/identity/sign.go b/identity/sign.go
@@ -7,9 +7,12 @@ import (
 )
 
 // Sign creates an Ed25519 signature over the data.
-func Sign(privKey ed25519.PrivateKey, data []byte) string {
+func Sign(privKey ed25519.PrivateKey, data []byte) (string, error) {
+	if privKey == nil {
+		return "", fmt.Errorf("private key is nil")
+	}
 	sig := ed25519.Sign(privKey, data)
-	return base64.StdEncoding.EncodeToString(sig)
+	return base64.StdEncoding.EncodeToString(sig), nil
 }
 
 // Verify checks an Ed25519 signature.
@@ -33,9 +36,16 @@ type SignableEnvelope interface {
 }
 
 // SignEnvelope signs the envelope's payload and sets the signature field.
-func SignEnvelope(env SignableEnvelope, privKey ed25519.PrivateKey) {
-	sig := Sign(privKey, env.SigningPayload())
+func SignEnvelope(env SignableEnvelope, privKey ed25519.PrivateKey) error {
+	if env == nil {
+		return fmt.Errorf("envelope is nil")
+	}
+	sig, err := Sign(privKey, env.SigningPayload())
+	if err != nil {
+		return fmt.Errorf("sign envelope: %w", err)
+	}
 	env.SetSignature(sig)
+	return nil
 }
 
 // VerifyEnvelope verifies the envelope's signature.
