refactor config and security to simplified the structure (#2068)

pkg/credential/credential.go

@@ -75,12 +75,13 @@ const SSHKeyPathEnvVar = "PICOCLAW_SSH_KEY_PATH"
 const picoclawHome = "PICOCLAW_HOME"
 
 const (
-	fileScheme = "file://"
-	encScheme  = "enc://"
-	hkdfInfo   = "picoclaw-credential-v1"
-	saltLen    = 16
-	nonceLen   = 12
-	keyLen     = 32
+	FileScheme = "file://"
+	EncScheme  = "enc://"
+
+	hkdfInfo = "picoclaw-credential-v1"
+	saltLen  = 16
+	nonceLen = 12
+	keyLen   = 32
 )
 
 // Resolver resolves raw credential strings for model_list api_key fields.
@@ -112,8 +113,8 @@ func (r *Resolver) Resolve(raw string) (string, error) {
 		return "", nil
 	}
 
-	if strings.HasPrefix(raw, fileScheme) {
-		fileName := strings.TrimSpace(strings.TrimPrefix(raw, fileScheme))
+	if strings.HasPrefix(raw, FileScheme) {
+		fileName := strings.TrimSpace(strings.TrimPrefix(raw, FileScheme))
 		if fileName == "" {
 			return "", fmt.Errorf("credential: file:// reference has no filename")
 		}
@@ -144,7 +145,7 @@ func (r *Resolver) Resolve(raw string) (string, error) {
 		return value, nil
 	}
 
-	if strings.HasPrefix(raw, encScheme) {
+	if strings.HasPrefix(raw, EncScheme) {
 		return resolveEncrypted(raw)
 	}
 
@@ -161,7 +162,7 @@ func resolveEncrypted(raw string) (string, error) {
 
 	sshKeyPath := pickSSHKeyPath("") // override="": consult env then auto-detect
 
-	b64 := strings.TrimPrefix(raw, encScheme)
+	b64 := strings.TrimPrefix(raw, EncScheme)
 	blob, err := base64.StdEncoding.DecodeString(b64)
 	if err != nil {
 		return "", fmt.Errorf("credential: enc:// invalid base64: %w", err)
@@ -234,7 +235,7 @@ func Encrypt(passphrase, sshKeyPath, plaintext string) (string, error) {
 	blob = append(blob, salt...)
 	blob = append(blob, nonce...)
 	blob = append(blob, ciphertext...)
-	return encScheme + base64.StdEncoding.EncodeToString(blob), nil
+	return EncScheme + base64.StdEncoding.EncodeToString(blob), nil
 }
 
 // isWithinDir reports whether path is contained within (or equal to) dir.