From 384d7e89d9acaa294cfab5d395c67f9780020fc2 Mon Sep 17 00:00:00 2001
From: "Aaron D. Lee" <aaron.daniel.lee@gmail.com>
Date: Wed, 1 Apr 2026 18:33:56 -0400
Subject: [PATCH] Fix all mypy type errors (10 errors in 5 files)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use type: ignore for cbor2/json Any returns in serialization/deadman
- Fix callable→Callable in killswitch.py and usb_monitor.py
- Add Ed25519PrivateKey assertion in CLI chain-wrap path
- Allow None for RotationResult fingerprints
- Annotate channel key as str in manager.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/soosef/cli.py                      | 2 ++
 src/soosef/federation/serialization.py | 4 ++--
 src/soosef/fieldkit/deadman.py         | 4 ++--
 src/soosef/fieldkit/killswitch.py      | 5 +++--
 src/soosef/fieldkit/usb_monitor.py     | 6 ++++--
 src/soosef/keystore/manager.py         | 2 +-
 src/soosef/keystore/models.py          | 4 ++--
 7 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/soosef/cli.py b/src/soosef/cli.py
index 48f8c69..6c371a9 100644
--- a/src/soosef/cli.py
+++ b/src/soosef/cli.py
@@ -282,6 +282,7 @@ def _attest_file(
     """
     import hashlib
 
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
     from cryptography.hazmat.primitives.serialization import (
         Encoding,
         PublicFormat,
@@ -333,6 +334,7 @@ def _attest_file(
 
         priv_pem = IDENTITY_PRIVATE_KEY.read_bytes()
         chain_key = load_pem_private_key(priv_pem, password=None)
+        assert isinstance(chain_key, Ed25519PrivateKey)
 
         chain_metadata: dict = {}
         if caption:
diff --git a/src/soosef/federation/serialization.py b/src/soosef/federation/serialization.py
index 7c4c08d..34d839e 100644
--- a/src/soosef/federation/serialization.py
+++ b/src/soosef/federation/serialization.py
@@ -51,7 +51,7 @@ def canonical_bytes(record: AttestationChainRecord) -> bytes:
         8: _entropy_to_cbor_map(record.entropy_witnesses) if record.entropy_witnesses else {},
         9: record.signer_pubkey,
     }
-    return cbor2.dumps(m, canonical=True)
+    return cbor2.dumps(m, canonical=True)  # type: ignore[no-any-return]
 
 
 def compute_record_hash(record: AttestationChainRecord) -> bytes:
@@ -74,7 +74,7 @@ def serialize_record(record: AttestationChainRecord) -> bytes:
         9: record.signer_pubkey,
         10: record.signature,
     }
-    return cbor2.dumps(m, canonical=True)
+    return cbor2.dumps(m, canonical=True)  # type: ignore[no-any-return]
 
 
 def deserialize_record(data: bytes) -> AttestationChainRecord:
diff --git a/src/soosef/fieldkit/deadman.py b/src/soosef/fieldkit/deadman.py
index f88ad6a..0b5b2e7 100644
--- a/src/soosef/fieldkit/deadman.py
+++ b/src/soosef/fieldkit/deadman.py
@@ -26,7 +26,7 @@ class DeadmanSwitch:
     def _load_state(self) -> dict:
         if self._state_file.exists():
             with open(self._state_file) as f:
-                return json.load(f)
+                return json.load(f)  # type: ignore[no-any-return]
         return {
             "armed": False,
             "last_checkin": None,
@@ -64,7 +64,7 @@ class DeadmanSwitch:
         logger.info("Dead man's switch check-in recorded")
 
     def is_armed(self) -> bool:
-        return self._load_state()["armed"]
+        return self._load_state()["armed"]  # type: ignore[no-any-return]
 
     def is_overdue(self) -> bool:
         """Check if the switch has expired (past interval, ignoring grace)."""
diff --git a/src/soosef/fieldkit/killswitch.py b/src/soosef/fieldkit/killswitch.py
index 90d4721..0007da7 100644
--- a/src/soosef/fieldkit/killswitch.py
+++ b/src/soosef/fieldkit/killswitch.py
@@ -15,6 +15,7 @@ import logging
 import platform
 import shutil
 import subprocess
+from collections.abc import Callable
 from dataclasses import dataclass, field
 from pathlib import Path
 
@@ -84,7 +85,7 @@ def execute_purge(scope: PurgeScope = PurgeScope.ALL, reason: str = "manual") ->
     result = PurgeResult()
     logger.warning("KILLSWITCH ACTIVATED — reason: %s, scope: %s", reason, scope.value)
 
-    steps: list[tuple[str, callable]] = [
+    steps: list[tuple[str, Callable]] = [
         ("destroy_identity_keys", lambda: _secure_delete_dir(paths.IDENTITY_DIR)),
         ("destroy_channel_key", lambda: _secure_delete_file(paths.CHANNEL_KEY_FILE)),
         ("destroy_flask_secret", lambda: _secure_delete_file(paths.INSTANCE_DIR / ".secret_key")),
@@ -142,7 +143,7 @@ except ImportError:
 def watch_hardware_button(
     pin: int = 17,
     hold_seconds: float = 5.0,
-    callback: callable | None = None,
+    callback: Callable | None = None,
 ) -> None:
     """
     Monitor GPIO pin for physical killswitch button.
diff --git a/src/soosef/fieldkit/usb_monitor.py b/src/soosef/fieldkit/usb_monitor.py
index 8c4290e..7bc8e12 100644
--- a/src/soosef/fieldkit/usb_monitor.py
+++ b/src/soosef/fieldkit/usb_monitor.py
@@ -9,7 +9,9 @@ from __future__ import annotations
 
 import json
 import logging
+from collections.abc import Callable
 from pathlib import Path
+from typing import Any
 
 from soosef.paths import USB_WHITELIST
 
@@ -44,13 +46,13 @@ def save_whitelist(devices: set[str], path: Path | None = None) -> None:
 class USBMonitor:
     """Watch for USB device connections and check against whitelist."""
 
-    def __init__(self, on_violation: callable | None = None, whitelist_path: Path | None = None):
+    def __init__(self, on_violation: Callable | None = None, whitelist_path: Path | None = None):
         if not HAS_PYUDEV:
             raise RuntimeError("pyudev not available — USB monitoring requires Linux + pyudev")
 
         self.whitelist = load_whitelist(whitelist_path)
         self.on_violation = on_violation or self._default_violation
-        self._observer = None
+        self._observer: Any = None
 
     def start(self) -> None:
         """Start monitoring USB events in a background thread."""
diff --git a/src/soosef/keystore/manager.py b/src/soosef/keystore/manager.py
index aafd64b..cb15cf9 100644
--- a/src/soosef/keystore/manager.py
+++ b/src/soosef/keystore/manager.py
@@ -217,7 +217,7 @@ class KeystoreManager:
         """Generate and store a new channel key."""
         from stegasoo import generate_channel_key
 
-        key = generate_channel_key()
+        key: str = generate_channel_key()
         self.set_channel_key(key)
         return key
 
diff --git a/src/soosef/keystore/models.py b/src/soosef/keystore/models.py
index 354a4b5..5f0ade4 100644
--- a/src/soosef/keystore/models.py
+++ b/src/soosef/keystore/models.py
@@ -29,6 +29,6 @@ class KeystoreStatus:
 class RotationResult:
     """Result of a key rotation operation."""
 
-    old_fingerprint: str
-    new_fingerprint: str
+    old_fingerprint: str | None
+    new_fingerprint: str | None
     archive_path: Path