fix: close TOCTOU in LoadLocalSigner and LoadEVMSigner (PILOT-86)

[matthew-pilot]

What

Closes a time-of-check/time-of-use (TOCTOU) race in two identity-loading functions:

• pkg/wallet/signer.go LoadLocalSigner (Ed25519 key)
• pkg/evm/key.go LoadEVMSigner (secp256k1 key)

Both used os.Stat(path) to validate 0600 permissions, then os.ReadFile(path) to load the key material. An attacker with local filesystem access could chmod 0644 between the two syscalls, defeating the permission check entirely.

Fix

Replace the two-step path-based check with a single fd-based operation:

// Before (TOCTOU — attacker can chmod between these):
info, _ := os.Stat(path)
// ...check info.Mode()...
data, _ := os.ReadFile(path)

// After (atomic — all ops on same inode handle):
fd, _ := os.Open(path)
info, _ := fd.Stat()
// ...check info.Mode()...
data, _ := io.ReadAll(fd)

All three operations (open, stat, read) now target the same inode via the file descriptor — the kernel guarantees identity of the underlying file.

Verification

go build ./...  — clean
go vet ./...   — clean
go test ./...  — 5/5 packages pass

Jira

PILOT-86 — Wallet TOCTOU on private-key file permission check

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/evm/key.go	80.00%	1 Missing and 1 partial ⚠️
pkg/wallet/signer.go	80.00%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!