security: zero PEM bytearray in _write_private_key_pem after disk write

private_key.private_bytes() returns immutable bytes (library constraint). Create a bytearray copy and zero it in a finally block after os.replace() completes — the copy is the only mutable PEM buffer we hold, and it is wiped regardless of whether the write succeeds or raises.

sha256:5772b447d25a5ef6fef6ba0fd4ad118916d41e298d8789fc9a8a924f994eb4a8 sha

sha256:5aa8df0b76d5a6c3bec992b68cd9aed8a364b358359fe3d2e47024ded16574ea parent

sha256:927dbf4cdc638932e3ea8bd528ac841732ee19d442384615d204c6c52a7e5ca9 snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:5772b447d25a5ef6fef6ba0fd4ad118916d41e298d8789fc9a8a924f994eb4a8 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:927dbf4cdc638932e3ea8bd528ac841732ee19d442384615d204c6c52a7e5ca9

Files 0

Browse tree at this commit →

Commit

SHA sha256:5772b447d25a5ef6fef6ba0fd4ad118916d41e298d8789fc9a8a924f994eb4a8

Parent

sha256:5aa8df0b76d5a6c3bec992b68cd9aed8a364b358359fe3d2e47024ded16574ea

Branch dev