pub fn load(agent_id: &str, dir: &Path) -> Result<AgentKeypair>
Load agent_id’s keypair from dir.
The public file must exist (errors otherwise). The private file is
optional — if absent the returned AgentKeypair.private is None
and the caller can verify but not sign.
v0.7.0 S4-LOW1 — load-time mode-bits enforcement (Unix)
save writes the private file with mode 0o600, but an operator
(or a misconfigured restore-from-backup) can chmod-loosen the
file on disk after the fact. Without a load-time check the
daemon would happily sign with a world-readable key. On Unix we
now stat the .priv file before reading and refuse to load
when any group/other bit is set (mode & 0o077 != 0).
The error message names the path and the offending mode, and
includes the chmod invocation that restores 0600 — so an
operator hitting this in production has a copy-pasteable fix.
On non-Unix targets this check is a no-op (mode bits don’t apply to NTFS ACLs; hardware-backed key storage is the commercial AgenticMem layer’s responsibility — see the “Hardware-backed key storage” section above).
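The load-time check described above, as an added example for Unix targets only; it is not this crate's code. `read_private_key` and `demo` are hypothetical names, the key bytes are a constructed placeholder, and the example reads the mode from the opened handle so that the file checked is the file read.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Hypothetical helper (not the crate's API): return the private key bytes
/// only when the file grants no group/other access.
pub fn read_private_key(path: &Path) -> io::Result<Vec<u8>> {
    let mut file = File::open(path)?;
    // Inspect the open handle so the file checked is the file read.
    // st_mode also carries file-type bits; keep the permission bits only.
    let mode = file.metadata()?.permissions().mode() & 0o7777;
    if mode & 0o077 != 0 {
        let msg = format!(
            "refusing to load {0}: mode {1:04o} allows group/other access; fix with: chmod 600 {0}",
            path.display(),
            mode
        );
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    let mut bytes = Vec::new();
    file.read_to_end(&mut bytes)?;
    Ok(bytes)
}

/// Constructed demo: the same file is accepted at 0600 and refused at 0644.
pub fn demo() -> io::Result<(usize, String)> {
    let name = format!("agent-demo-{}.priv", std::process::id());
    let path = std::env::temp_dir().join(name);
    fs::write(&path, b"constructed placeholder, not a key")?;
    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
    let accepted = read_private_key(&path)?.len();
    fs::set_permissions(&path, fs::Permissions::from_mode(0o644))?;
    let refused = match read_private_key(&path) {
        Err(e) => e.to_string(),
        Ok(_) => String::from("unexpectedly loaded"),
    };
    fs::remove_file(&path)?;
    Ok((accepted, refused))
}

fn main() -> io::Result<()> {
    let (accepted, refused) = demo()?;
    println!("0600: read {} bytes\n0644: {}", accepted, refused);
    Ok(())
}
```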