Add test suite and CI workflow

Add tests for secure memory zeroing, file operations, shredding,
key file parsing/validation, key generation, and QR code encoding.
Add GitHub Actions CI with test, lint, and Docker build jobs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: pike00

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test
+        run: go test -race -count=1 ./...
+
+      - name: Build
+        run: CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o coldkey ./cmd/coldkey
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: docker build -t coldkey:ci .

internal/backup/qr_test.go

@@ -0,0 +1,52 @@
+package backup
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGenerateQRCodesSingleChunk(t *testing.T) {
+	data := []byte("short data for QR code")
+
+	chunks, err := GenerateQRCodes(data)
+	if err != nil {
+		t.Fatalf("GenerateQRCodes: %v", err)
+	}
+	if len(chunks) != 1 {
+		t.Fatalf("expected 1 chunk, got %d", len(chunks))
+	}
+	if chunks[0].Part != 1 || chunks[0].Total != 1 {
+		t.Errorf("chunk = %d/%d, want 1/1", chunks[0].Part, chunks[0].Total)
+	}
+	if chunks[0].DataLen != len(data) {
+		t.Errorf("DataLen = %d, want %d", chunks[0].DataLen, len(data))
+	}
+	svg := string(chunks[0].SVG)
+	if !strings.Contains(svg, "<svg") {
+		t.Error("SVG output should contain <svg element")
+	}
+}
+
+func TestGenerateQRCodesMultiChunk(t *testing.T) {
+	// Create data larger than maxPayload to force multi-QR
+	data := make([]byte, maxPayload+500)
+	for i := range data {
+		data[i] = byte('A' + (i % 26))
+	}
+
+	chunks, err := GenerateQRCodes(data)
+	if err != nil {
+		t.Fatalf("GenerateQRCodes: %v", err)
+	}
+	if len(chunks) < 2 {
+		t.Fatalf("expected multiple chunks, got %d", len(chunks))
+	}
+	for i, c := range chunks {
+		if c.Part != i+1 {
+			t.Errorf("chunk %d: Part = %d, want %d", i, c.Part, i+1)
+		}
+		if c.Total != len(chunks) {
+			t.Errorf("chunk %d: Total = %d, want %d", i, c.Total, len(chunks))
+		}
+	}
+}

internal/keyfile/keyfile_test.go

@@ -0,0 +1,80 @@
+package keyfile
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const validPQKey = `# created: 2026-01-15T10:30:00Z
+# public key: age1pq1example-public-key
+AGE-SECRET-KEY-PQ-1EXAMPLEKEYDATA
+`
+
+const classicKey = `# created: 2026-01-15T10:30:00Z
+# public key: age1examplepublickey
+AGE-SECRET-KEY-1EXAMPLEKEYDATA
+`
+
+func TestParseValidPQKey(t *testing.T) {
+	ki, err := Parse([]byte(validPQKey))
+	if err != nil {
+		t.Fatalf("Parse: %v", err)
+	}
+	if ki.SecretKey != "AGE-SECRET-KEY-PQ-1EXAMPLEKEYDATA" {
+		t.Errorf("SecretKey = %q, want AGE-SECRET-KEY-PQ-1EXAMPLEKEYDATA", ki.SecretKey)
+	}
+	if ki.PublicKey != "age1pq1example-public-key" {
+		t.Errorf("PublicKey = %q, want age1pq1example-public-key", ki.PublicKey)
+	}
+	if ki.CreatedAt.IsZero() {
+		t.Error("CreatedAt should be parsed")
+	}
+	if ki.SHA256 == "" {
+		t.Error("SHA256 should be set")
+	}
+}
+
+func TestParseRejectsClassicKey(t *testing.T) {
+	_, err := Parse([]byte(classicKey))
+	if err == nil {
+		t.Fatal("Parse should reject classic X25519 keys")
+	}
+}
+
+func TestParseRejectsEmptyFile(t *testing.T) {
+	_, err := Parse([]byte(""))
+	if err == nil {
+		t.Fatal("Parse should reject empty file")
+	}
+}
+
+func TestParseRejectsNoKey(t *testing.T) {
+	_, err := Parse([]byte("# just a comment\n"))
+	if err == nil {
+		t.Fatal("Parse should reject file with no key")
+	}
+}
+
+func TestReadFileSizeLimit(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "big.key")
+
+	// Create a file larger than maxKeyFileSize
+	data := make([]byte, maxKeyFileSize+1)
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		t.Fatalf("setup: %v", err)
+	}
+
+	_, err := Read(path)
+	if err == nil {
+		t.Fatal("Read should reject files larger than maxKeyFileSize")
+	}
+}
+
+func TestReadNonexistent(t *testing.T) {
+	_, err := Read("/nonexistent/key.txt")
+	if err == nil {
+		t.Fatal("Read should return error for nonexistent file")
+	}
+}

internal/keygen/keygen_test.go

@@ -0,0 +1,46 @@
+package keygen
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGenerate(t *testing.T) {
+	kp, err := Generate()
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	if !strings.HasPrefix(kp.SecretKey, "AGE-SECRET-KEY-PQ-") {
+		t.Errorf("SecretKey should start with AGE-SECRET-KEY-PQ-, got prefix %q", kp.SecretKey[:20])
+	}
+	if kp.PublicKey == "" {
+		t.Error("PublicKey should not be empty")
+	}
+	if kp.CreatedAt.IsZero() {
+		t.Error("CreatedAt should be set")
+	}
+}
+
+func TestFormatKeyFile(t *testing.T) {
+	kp, err := Generate()
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	data := FormatKeyFile(kp)
+	content := string(data)
+
+	if !strings.Contains(content, "# created: ") {
+		t.Error("FormatKeyFile should contain created timestamp")
+	}
+	if !strings.Contains(content, "# public key: ") {
+		t.Error("FormatKeyFile should contain public key")
+	}
+	if !strings.Contains(content, "AGE-SECRET-KEY-PQ-") {
+		t.Error("FormatKeyFile should contain the secret key")
+	}
+	if !strings.HasSuffix(content, "\n") {
+		t.Error("FormatKeyFile should end with newline")
+	}
+}

internal/secure/file_test.go

@@ -0,0 +1,91 @@
+package secure
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestWriteFileCreatesWithRestrictedPerms(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.key")
+	data := []byte("secret-key-data")
+
+	if err := WriteFile(path, data); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("Stat: %v", err)
+	}
+	if perm := info.Mode().Perm(); perm != 0600 {
+		t.Errorf("permissions = %o, want 0600", perm)
+	}
+
+	got, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+	if string(got) != string(data) {
+		t.Errorf("content = %q, want %q", got, data)
+	}
+}
+
+func TestWriteFileRefusesOverwrite(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.key")
+
+	if err := WriteFile(path, []byte("first")); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	err := WriteFile(path, []byte("second"))
+	if err == nil {
+		t.Fatal("WriteFile should refuse to overwrite existing file")
+	}
+}
+
+func TestWriteFileForceOverwrites(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.key")
+
+	if err := WriteFile(path, []byte("first")); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+	if err := WriteFileForce(path, []byte("second")); err != nil {
+		t.Fatalf("WriteFileForce: %v", err)
+	}
+
+	got, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+	if string(got) != "second" {
+		t.Errorf("content = %q, want %q", got, "second")
+	}
+}
+
+func TestShred(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "shred-me")
+
+	if err := os.WriteFile(path, []byte("sensitive data here"), 0600); err != nil {
+		t.Fatalf("setup: %v", err)
+	}
+
+	if err := Shred(path); err != nil {
+		t.Fatalf("Shred: %v", err)
+	}
+
+	if _, err := os.Stat(path); !os.IsNotExist(err) {
+		t.Error("Shred should remove the file")
+	}
+}
+
+func TestShredNonexistent(t *testing.T) {
+	err := Shred("/nonexistent/path/to/file")
+	if err == nil {
+		t.Fatal("Shred should return error for nonexistent file")
+	}
+}

internal/secure/memory_test.go

@@ -0,0 +1,22 @@
+package secure
+
+import "testing"
+
+func TestZero(t *testing.T) {
+	b := []byte{0xff, 0xfe, 0xfd, 0xfc, 0xfb}
+	Zero(b)
+	for i, v := range b {
+		if v != 0 {
+			t.Errorf("Zero: byte %d = %#x, want 0", i, v)
+		}
+	}
+}
+
+func TestZeroEmpty(t *testing.T) {
+	b := []byte{}
+	Zero(b) // should not panic
+}
+
+func TestZeroNil(t *testing.T) {
+	Zero(nil) // should not panic
+}