Minor changes.

Signed-off-by: Volkan Özçelik <me@volkan.io>

api/entity/v1/reqres/operator.go

@@ -6,18 +6,23 @@ package reqres
 
 import "github.com/spiffe/spike-sdk-go/api/entity/data"
 
+// RestoreRequest for disaster recovery.
 type RestoreRequest struct {
 	Id    int       `json:"id"`
 	Shard *[32]byte `json:"shard"`
 }
+
+// RestoreResponse for disaster recovery.
 type RestoreResponse struct {
 	data.RestorationStatus
 	Err data.ErrorCode `json:"err,omitempty"`
 }
 
+// RecoverRequest for disaster recovery.
 type RecoverRequest struct {
 }
 
+// RecoverResponse for disaster recovery.
 type RecoverResponse struct {
 	Shards map[int]*[32]byte `json:"shards"`
 	Err    data.ErrorCode    `json:"err,omitempty"`

api/entity/v1/reqres/policy.go

@@ -8,6 +8,7 @@ import (
 	"github.com/spiffe/spike-sdk-go/api/entity/data"
 )
 
+// PolicyCreateRequest for policy creation.
 type PolicyCreateRequest struct {
 	Name            string                  `json:"name"`
 	SpiffeIdPattern string                  `json:"spiffedPattern"`
@@ -15,41 +16,50 @@ type PolicyCreateRequest struct {
 	Permissions     []data.PolicyPermission `json:"permissions"`
 }
 
+// PolicyCreateResponse for policy creation.
 type PolicyCreateResponse struct {
 	Id  string         `json:"id,omitempty"`
 	Err data.ErrorCode `json:"err,omitempty"`
 }
 
+// PolicyReadRequest to read a policy.
 type PolicyReadRequest struct {
 	Id string `json:"id"`
 }
 
+// PolicyReadResponse to read a policy.
 type PolicyReadResponse struct {
 	data.Policy
 	Err data.ErrorCode `json:"err,omitempty"`
 }
 
+// PolicyDeleteRequest to delete a policy.
 type PolicyDeleteRequest struct {
 	Id string `json:"id"`
 }
 
+// PolicyDeleteResponse to delete a policy.
 type PolicyDeleteResponse struct {
 	Err data.ErrorCode `json:"err,omitempty"`
 }
 
+// PolicyListRequest to list policies.
 type PolicyListRequest struct{}
 
+// PolicyListResponse to list policies.
 type PolicyListResponse struct {
 	Policies []data.Policy  `json:"policies"`
 	Err      data.ErrorCode `json:"err,omitempty"`
 }
 
+// PolicyAccessCheckRequest to validate policy access.
 type PolicyAccessCheckRequest struct {
 	SpiffeId string `json:"spiffeId"`
 	Path     string `json:"path"`
 	Action   string `json:"action"`
 }
 
+// PolicyAccessCheckResponse to validate policy access,.
 type PolicyAccessCheckResponse struct {
 	Allowed          bool           `json:"allowed"`
 	MatchingPolicies []string       `json:"matchingPolicies"`

api/internal/config/config.go

@@ -30,34 +30,3 @@ func SpikeNexusDataFolder() string {
 	// The data dir is not configurable for security reasons.
 	return filepath.Join(spikeDir, "/data")
 }
-
-// SpikePilotRecoveryFolder returns the path to the directory where Pilot stores
-// recovery material for its root key.
-func SpikePilotRecoveryFolder() string {
-	homeDir, err := os.UserHomeDir()
-	if err != nil {
-		homeDir = "/tmp"
-	}
-
-	spikeDir := filepath.Join(homeDir, ".spike")
-
-	// Create directory if it doesn't exist
-	// 0700 because we want to restrict access to the directory
-	// but allow the user to create db files in it.
-	err = os.MkdirAll(spikeDir+"/recovery", 0700)
-	if err != nil {
-		panic(err)
-	}
-
-	// The data dir is not configurable for security reasons.
-	return filepath.Join(spikeDir, "/recovery")
-}
-
-// SpikePilotRootKeyRecoveryFile returns the path to the file where Pilot stores
-// the root key recovery file.
-func SpikePilotRootKeyRecoveryFile() string {
-	folder := SpikePilotRecoveryFolder()
-
-	// The file path and file name are NOT configurable for security reasons.
-	return filepath.Join(folder, ".root-key-recovery.spike")
-}

api/internal/impl/api/operator/recover.go

@@ -7,11 +7,11 @@ package operator
 import (
 	"encoding/json"
 	"errors"
-	"github.com/spiffe/spike-sdk-go/api/url"
 
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 
 	"github.com/spiffe/spike-sdk-go/api/entity/v1/reqres"
+	"github.com/spiffe/spike-sdk-go/api/url"
 	"github.com/spiffe/spike-sdk-go/net"
 )
 
@@ -22,8 +22,8 @@ import (
 //   - source: X509Source used for mTLS client authentication
 //
 // Returns:
-//   - *[]string: Array of recovery shard identifiers if successful, nil if
-//     not found
+//   - map[int]*[32]byte: Map of shard indices to shard byte arrays if
+//     successful, nil if not found
 //   - error: nil on success, error if:
 //   - Failed to marshal recover request
 //   - Failed to create mTLS client

api/internal/impl/api/operator/restore.go

@@ -7,12 +7,12 @@ package operator
 import (
 	"encoding/json"
 	"errors"
-	"github.com/spiffe/spike-sdk-go/api/url"
 
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 
 	"github.com/spiffe/spike-sdk-go/api/entity/data"
 	"github.com/spiffe/spike-sdk-go/api/entity/v1/reqres"
+	"github.com/spiffe/spike-sdk-go/api/url"
 	"github.com/spiffe/spike-sdk-go/net"
 )
 
@@ -21,7 +21,9 @@ import (
 // Parameters:
 //   - source *workloadapi.X509Source: X509Source used for mTLS client
 //     authentication
-//   - shard *[32]byte: Pointer to a 32-byte array containing the recovery shard
+//   - shardIndex int: Index of the recovery shard
+//   - shardValue *[32]byte: Pointer to a 32-byte array containing the recovery
+//     shard
 //
 // Returns:
 //   - *data.RestorationStatus: Status containing shards collected, remaining,
@@ -35,7 +37,7 @@ import (
 //
 // Example:
 //
-//	status, err := Restore(x509Source, shardPtr)
+//	status, err := Restore(x509Source, shardIndex, shardValue)
 func Restore(
 	source *workloadapi.X509Source, shardIndex int, shardValue *[32]byte,
 ) (*data.RestorationStatus, error) {

api/url/config.go

@@ -24,13 +24,9 @@ const SpikeNexusUrlInit ApiUrl = "/v1/auth/initialization"
 
 const SpikeNexusUrlPolicy ApiUrl = "/v1/acl/policy"
 
-const SpikeNexusUrlRecover ApiUrl = "/v1/operator/recover"
-const SpikeNexusUrlRestore ApiUrl = "/v1/operator/restore"
+const SpikeNexusUrlOperatorRecover ApiUrl = "/v1/operator/recover"
+const SpikeNexusUrlOperatorRestore ApiUrl = "/v1/operator/restore"
 
 const SpikeKeeperUrlKeep ApiUrl = "/v1/store/keep"
-
-const SpikeNexusUrlOperatorRestore = "/v1/operator/restore"
-const SpikeNexusUrlOperatorRecover = "/v1/operator/recover"
-
 const SpikeKeeperUrlContribute ApiUrl = "/v1/store/contribute"
 const SpikeKeeperUrlShard ApiUrl = "/v1/store/shard"

api/url/operator.go

@@ -13,7 +13,7 @@ import (
 func Restore() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
-		string(SpikeNexusUrlRestore),
+		string(SpikeNexusUrlOperatorRestore),
 	)
 	return u
 }
@@ -21,7 +21,7 @@ func Restore() string {
 func Recover() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
-		string(SpikeNexusUrlRecover),
+		string(SpikeNexusUrlOperatorRecover),
 	)
 	return u
 }

api/url/secret.go

@@ -10,7 +10,7 @@ import (
 	"github.com/spiffe/spike-sdk-go/api/internal/env"
 )
 
-// UrlSecretGet returns the URL for getting a secret.
+// SecretGet returns the URL for getting a secret.
 func SecretGet() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -21,7 +21,7 @@ func SecretGet() string {
 	return u + "?" + params.Encode()
 }
 
-// UrlSecretPut returns the URL for putting a secret.
+// SecretPut returns the URL for putting a secret.
 func SecretPut() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -30,7 +30,7 @@ func SecretPut() string {
 	return u
 }
 
-// UrlSecretDelete returns the URL for deleting a secret.
+// SecretDelete returns the URL for deleting a secret.
 func SecretDelete() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -41,7 +41,7 @@ func SecretDelete() string {
 	return u + "?" + params.Encode()
 }
 
-// UrlSecretUndelete returns the URL for undeleting a secret.
+// SecretUndelete returns the URL for undeleting a secret.
 func SecretUndelete() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -52,7 +52,7 @@ func SecretUndelete() string {
 	return u + "?" + params.Encode()
 }
 
-// UrlSecretList returns the URL for listing secrets.
+// SecretList returns the URL for listing secrets.
 func SecretList() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -63,7 +63,7 @@ func SecretList() string {
 	return u + "?" + params.Encode()
 }
 
-// UrlSecretMetadataGet returns the URL for getting a secret metadata.
+// SecretMetadataGet returns the URL for getting a secret metadata.
 func SecretMetadataGet() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),

api/url/token.go

@@ -10,7 +10,7 @@ import (
 	"github.com/spiffe/spike-sdk-go/api/internal/env"
 )
 
-// UrlInit returns the URL for initializing SPIKE Nexus.
+// Init returns the URL for initializing SPIKE Nexus.
 func Init() string {
 	u, _ := url.JoinPath(
 		env.NexusApiRoot(),
@@ -19,7 +19,7 @@ func Init() string {
 	return u
 }
 
-// UrlInitState returns the URL for checking the initialization state of
+// InitState returns the URL for checking the initialization state of
 // SPIKE Nexus.
 func InitState() string {
 	u, _ := url.JoinPath(

retry/retry.go

@@ -231,7 +231,8 @@ func WithNotify(fn NotifyFn) RetrierOption {
 // It's used with the Do helper function for simple retry operations.
 type Handler[T any] func() (T, error)
 
-// Do provides a simplified way to retry a typed operation with default settings.
+// Do provides a simplified way to retry a typed operation with default
+// settings.
 // It creates a TypedRetrier with default exponential backoff configuration.
 //
 // Example:
@@ -239,7 +240,11 @@ type Handler[T any] func() (T, error)
 //	result, err := Do(ctx, func() (string, error) {
 //	    return fetchData()
 //	})
-func Do[T any](ctx context.Context, handler Handler[T], options ...RetrierOption) (T, error) {
+func Do[T any](
+	ctx context.Context,
+	handler Handler[T],
+	options ...RetrierOption,
+) (T, error) {
 	return NewTypedRetrier[T](
 		NewExponentialRetrier(options...),
 	).RetryWithBackoff(ctx, handler)