Merge pull request #2 from markrai/fix/error-sentinel-unification

markrai · web-flow · commit f5001103b6a3 · 2026-03-23T17:45:57.000-04:00
fix(errors): unify sentinel errors to preserve identity across packages
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
@@ -2,10 +2,18 @@ name: DCO Check
 
 on:
   pull_request:
+    branches: [main, master]
 
 jobs:
   dco:
     runs-on: ubuntu-latest
     steps:
-      - name: DCO Check
-        uses: tim-actions/dco@v1
+      - name: Get PR commits
+        id: get-pr-commits
+        uses: tim-actions/get-pr-commits@v1.3.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: DCO check
+        uses: tim-actions/dco@v1.1.0
+        with:
+          commits: ${{ steps.get-pr-commits.outputs.commits }}
diff --git a/.gitignore b/.gitignore
@@ -37,3 +37,8 @@ Thumbs.db
 coverage.out
 *.cover
 *.test
+
+# Development related
+f.bat
+a.bat
+*.pem
diff --git a/internal/auth/password_validation.go b/internal/auth/password_validation.go
@@ -1,26 +1,24 @@
 package auth
 
 import (
-	"errors"
 	"fmt"
 	"strings"
-)
 
-// ErrValidation is returned when password validation fails.
-var ErrValidation = errors.New("validation")
+	"scrumboy/internal/errs"
+)
 
 const minPasswordLength = 8
 
 // ValidatePassword validates a password for signup or reset.
 // Rules: min length 8, trim whitespace, reject empty.
-// Returns ErrValidation on failure.
+// Returns errs.ErrValidation on failure.
 func ValidatePassword(password string) error {
 	p := strings.TrimSpace(password)
 	if p == "" {
-		return fmt.Errorf("%w: password required", ErrValidation)
+		return fmt.Errorf("%w: password required", errs.ErrValidation)
 	}
 	if len(p) < minPasswordLength {
-		return fmt.Errorf("%w: password too short", ErrValidation)
+		return fmt.Errorf("%w: password too short", errs.ErrValidation)
 	}
 	return nil
 }
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 )
 
 type Config struct {
@@ -51,8 +52,9 @@ func FromEnv() Config {
 		SQLiteJournalMode: getenv("SQLITE_JOURNAL_MODE", "WAL"),
 		SQLiteSynchronous: getenv("SQLITE_SYNCHRONOUS", "FULL"),
 
-		ScrumboyMode:           mode,
-		TwoFactorEncryptionKey: getenv("SCRUMBOY_ENCRYPTION_KEY", ""),
+		ScrumboyMode: mode,
+		// Trim whitespace so keys from .env / copy-paste decode (base64 is sensitive to newlines).
+		TwoFactorEncryptionKey: strings.TrimSpace(os.Getenv("SCRUMBOY_ENCRYPTION_KEY")),
 
 		TLSCertFile: getenv("SCRUMBOY_TLS_CERT", "./cert.pem"),
 		TLSKeyFile:  getenv("SCRUMBOY_TLS_KEY", "./key.pem"),
diff --git a/internal/crypto/totpenc.go b/internal/crypto/totpenc.go
@@ -81,6 +81,7 @@ func DecryptTOTPSecret(key []byte, encrypted string) ([]byte, error) {
 
 // DecodeKey decodes a base64-encoded 32-byte key. Returns error if wrong length.
 func DecodeKey(b64 string) ([]byte, error) {
+	b64 = strings.TrimSpace(b64)
 	key, err := base64.StdEncoding.DecodeString(b64)
 	if err != nil {
 		key, err = base64.RawURLEncoding.DecodeString(b64)
diff --git a/internal/errs/errs.go b/internal/errs/errs.go
@@ -0,0 +1,15 @@
+package errs
+
+import "errors"
+
+// NOTE: All shared sentinel errors MUST be defined here.
+// Do not redefine errors.New(...) for these concepts elsewhere.
+// Use errs.ErrX (or store re-exports that alias errs.ErrX) to preserve identity across packages.
+var (
+	ErrValidation                 = errors.New("validation")
+	ErrUnauthorized               = errors.New("unauthorized")
+	ErrNotFound                   = errors.New("not found")
+	ErrConflict                   = errors.New("conflict")
+	ErrTooManyAttempts            = errors.New("too many attempts")
+	Err2FAEncryptionNotConfigured = errors.New("2FA encryption not configured")
+)
diff --git a/internal/store/types.go b/internal/store/types.go
@@ -1,17 +1,18 @@
 package store
 
 import (
-	"errors"
 	"time"
+
+	"scrumboy/internal/errs"
 )
 
 var (
-	ErrNotFound                   = errors.New("not found")
-	ErrConflict                   = errors.New("conflict")
-	ErrValidation                 = errors.New("validation")
-	ErrUnauthorized               = errors.New("unauthorized")
-	ErrTooManyAttempts            = errors.New("too many attempts")
-	Err2FAEncryptionNotConfigured = errors.New("2FA encryption not configured")
+	ErrNotFound                   = errs.ErrNotFound
+	ErrConflict                   = errs.ErrConflict
+	ErrValidation                 = errs.ErrValidation
+	ErrUnauthorized               = errs.ErrUnauthorized
+	ErrTooManyAttempts            = errs.ErrTooManyAttempts
+	Err2FAEncryptionNotConfigured = errs.Err2FAEncryptionNotConfigured
 )
 
 const (
