fix: resolve 6 CI failures — fe_inv addition chain, MSVC cipher_interface, gitleaks, ASan suppressions

- Fix fe_inv constant-time addition chain: 2 squarings (z^8) not 3 (z^16) per NaCl ref10
- Parenthesize std::min/std::numeric_limits in cipher_interface.hpp for MSVC
- Replace gitleaks-action@v2 (requires org license) with free gitleaks CLI binary
- Remove invalid LSan suppression path from ASAN_OPTIONS (LSan format != ASan format)

Author: Johnson-Ogundeji

.github/workflows/ci.yml

@@ -76,7 +76,7 @@ jobs:
       - name: Test
         run: ctest --test-dir build-asan --output-on-failure
         env:
-          ASAN_OPTIONS: detect_leaks=1:halt_on_error=1:suppressions=${{ github.workspace }}/.lsan_suppressions.txt
+          ASAN_OPTIONS: detect_leaks=1:halt_on_error=1
           LSAN_OPTIONS: suppressions=${{ github.workspace }}/.lsan_suppressions.txt
           UBSAN_OPTIONS: halt_on_error=1:print_stacktrace=1
 
@@ -441,9 +441,13 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install gitleaks
+        run: |
+          curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_x64.tar.gz \
+            | sudo tar xz -C /usr/local/bin gitleaks
+
+      - name: Run gitleaks
+        run: gitleaks detect --source . --verbose --redact
 
   # ---------------------------------------------------------------------------
   # Gap T-16: Python SAST (bandit) — security scanning for Python bindings

include/signet/crypto/cipher_interface.hpp

@@ -123,7 +123,7 @@ inline void fill_random_bytes(uint8_t* buf, size_t size) {
         written += static_cast<size_t>(ret);
     }
 #elif defined(_WIN32)
-    if (size > static_cast<size_t>(std::numeric_limits<ULONG>::max())) {
+    if (size > static_cast<size_t>((std::numeric_limits<ULONG>::max)())) {
         throw std::runtime_error("csprng_fill: size exceeds ULONG max");
     }
     NTSTATUS status = BCryptGenRandom(NULL, buf, static_cast<ULONG>(size),
@@ -397,11 +397,11 @@ class AesGcmCipher final : public ICipher {
 
     /// Construct from a key vector (must be 32 bytes for AES-256).
     explicit AesGcmCipher(const std::vector<uint8_t>& key)
-        : key_{} { std::memcpy(key_.data(), key.data(), std::min(key.size(), key_.size())); }
+        : key_{} { std::memcpy(key_.data(), key.data(), (std::min)(key.size(), key_.size())); }
 
     /// Construct from a raw key pointer and length.
     explicit AesGcmCipher(const uint8_t* key, size_t key_len)
-        : key_{} { std::memcpy(key_.data(), key, std::min(key_len, key_.size())); }
+        : key_{} { std::memcpy(key_.data(), key, (std::min)(key_len, key_.size())); }
 
     /// Register a callback invoked when the key approaches its invocation limit.
     /// NIST SP 800-38D §8.2 requires key rotation before 2^32 random-IV GCM
@@ -517,11 +517,11 @@ class AesCtrCipher final : public ICipher {
 public:
     /// Construct from a key vector (must be 32 bytes for AES-256).
     explicit AesCtrCipher(const std::vector<uint8_t>& key)
-        : key_{} { std::memcpy(key_.data(), key.data(), std::min(key.size(), key_.size())); }
+        : key_{} { std::memcpy(key_.data(), key.data(), (std::min)(key.size(), key_.size())); }
 
     /// Construct from a raw key pointer and length.
     explicit AesCtrCipher(const uint8_t* key, size_t key_len)
-        : key_{} { std::memcpy(key_.data(), key, std::min(key_len, key_.size())); }
+        : key_{} { std::memcpy(key_.data(), key, (std::min)(key_len, key_.size())); }
 
     [[nodiscard]] expected<std::vector<uint8_t>> encrypt(
         const uint8_t* data, size_t size,

include/signet/crypto/post_quantum.hpp

@@ -516,13 +516,14 @@ inline void fe_cswap(Fe& a, Fe& b, uint64_t swap) {
 /// Constant-time addition chain — no data-dependent branching (CWE-208).
 /// Uses the standard Itoh-Tsujii-style chain for GF(2^255-19) inversion.
 inline Fe fe_inv(const Fe& z) {
-    // z^1 already have
+    // Constant-time addition chain for z^(p-2) mod p, p = 2^255 - 19
+    // Follows NaCl ref10 / SUPERCOP — branch-free (CWE-208 compliant)
     Fe t0 = fe_sq(z);                                       // z^2
-    Fe t1 = fe_sq(fe_sq(fe_sq(t0)));                        // z^16
-    t1 = fe_mul(t1, z);                                     // z^17  (unused name kept for symmetry)
-    t0 = fe_mul(t1, t0);                                    // z^19
-    Fe t2 = fe_sq(t0);                                      // z^38
-    t2 = fe_mul(t2, t1);                                    // z^(2^5-1)
+    Fe t1 = fe_sq(fe_sq(t0));                               // z^8
+    t1 = fe_mul(t1, z);                                     // z^9
+    t0 = fe_mul(t0, t1);                                    // z^11
+    Fe t2 = fe_sq(t0);                                      // z^22
+    t2 = fe_mul(t2, t1);                                    // z^(2^5-1) = z^31
     // z^(2^10-1)
     Fe a = t2; for (int i = 0; i < 5; ++i) a = fe_sq(a);
     a = fe_mul(a, t2);
@@ -668,13 +669,13 @@ inline void fe_cswap(Fe& a, Fe& b, uint64_t swap) {
 }
 
 inline Fe fe_inv(const Fe& z) {
-    // Same addition chain, but using 10-limb operations
-    Fe t0 = fe_sq(z);
-    Fe t1 = fe_sq(fe_sq(fe_sq(t0)));
-    t1 = fe_mul(t1, z);
-    t0 = fe_mul(t1, t0);
-    Fe t2 = fe_sq(t0);
-    t2 = fe_mul(t2, t1);
+    // Same addition chain (ref10), but using 10-limb operations
+    Fe t0 = fe_sq(z);                                       // z^2
+    Fe t1 = fe_sq(fe_sq(t0));                               // z^8
+    t1 = fe_mul(t1, z);                                     // z^9
+    t0 = fe_mul(t0, t1);                                    // z^11
+    Fe t2 = fe_sq(t0);                                      // z^22
+    t2 = fe_mul(t2, t1);                                    // z^31 = z^(2^5-1)
     Fe a = t2;
     for (int i=0;i<5;i++) a=fe_sq(a);
     a=fe_mul(a,t2);