gabriel / muse public
patch dev
AI Agent gabriel · 59 days ago · Apr 17, 2026 · Diff

security: zero PEM bytearray after loading private keys

Three call sites read PEM key material from disk as immutable bytes; change to bytearray so the sensitive bytes can be wiped after the key object is created:

- keypair.py::load_private_key: bytearray(path.read_bytes()), zero after load
- identity.py::_load_private_key_from_path: same pattern
- sign.py: bytearray(path.read_bytes()), zero after load_private_key_from_pem

The original bytes from read_bytes() still linger (Python immutable return), but this zeroes the only mutable copy the caller holds.

sha256:5aa8df0b76d5a6c3bec992b68cd9aed8a364b358359fe3d2e47024ded16574ea sha
sha256:d5805f5bedf50a24e2bd7f0b44ea466e8e805ba5b0ff940f39e177987ba1360f snapshot
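
The wipe-after-load pattern from the commit message, as an added example that is not the muse project's code: it fills a bytearray with readinto(), so the immutable read_bytes() object the message mentions is never created at the Python level, and it wipes the buffer in a finally block. `wipe`, `read_secret`, `with_private_key` and the `load_pem` callback are hypothetical names, and the PEM text is constructed sample data.

```python
import os
import tempfile
from typing import Callable, TypeVar

T = TypeVar("T")


def wipe(buf: bytearray) -> None:
    """Overwrite every byte in place (same length, so no reallocation)."""
    buf[:] = bytes(len(buf))


def read_secret(path: str) -> bytearray:
    """Read a file straight into a bytearray, skipping read_bytes()."""
    # buffering=0 gives a raw FileIO, so no BufferedReader copy is kept either.
    with open(path, "rb", buffering=0) as f:
        buf = bytearray(os.fstat(f.fileno()).st_size)
        got = 0
        with memoryview(buf) as view:
            while got < len(buf):
                n = f.readinto(view[got:])
                if not n:  # file shrank while reading
                    break
                got += n
    if got != len(buf):
        wipe(buf)
        raise OSError(f"short read on {path}")
    return buf


def with_private_key(path: str, load_pem: Callable[[bytearray], T]) -> T:
    """Run load_pem (hypothetical loader) on the PEM, then wipe the buffer."""
    pem = read_secret(path)
    try:
        return load_pem(pem)
    finally:
        wipe(pem)  # runs on success and on a loader exception


def demo() -> tuple[bytes, bytearray]:
    """Constructed sample: returns (what the loader saw, buffer afterwards)."""
    sample = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    seen = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "key.pem")
        with open(path, "wb") as f:
            f.write(sample)
        # Stand-in loader: keeps a reference so the wipe can be observed.
        first_line = with_private_key(path, lambda b: seen.append(b) or bytes(b[:27]))
    return first_line, seen[0]
```

Copies made inside the key loader itself, or held by the OS page cache, are outside what this wipe reaches.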