fix(core,wasm): correct QR version comment, expect msg, zeroize image_secret in closure

crates/relicario-core/src/recovery_qr.rs

@@ -104,7 +104,7 @@ pub fn unwrap_recovery_qr_with_params(
             format!("unsupported version 0x{:02x}", payload_bytes[4])
         ));
     }
-    let kdf_salt: &[u8; 32] = payload_bytes[5..37].try_into().unwrap();
+    let kdf_salt: &[u8; 32] = payload_bytes[5..37].try_into().expect("slice length validated above");
     let wrap_nonce = &payload_bytes[37..61];
     let ciphertext = &payload_bytes[61..109];
 
@@ -122,7 +122,7 @@ pub fn unwrap_recovery_qr_with_params(
 pub fn recovery_qr_to_svg(payload: &RecoveryQrPayload) -> String {
     use qrcode::{QrCode, EcLevel};
     let code = QrCode::with_error_correction_level(payload.bytes.as_ref(), EcLevel::M)
-        .expect("109-byte payload always fits QR version 6");
+        .expect("109 bytes fits well within QR v40 capacity at EcLevel::M");
     code.render::<qrcode::render::svg::Color>()
         .min_dimensions(140, 140)
         .build()

crates/relicario-wasm/src/lib.rs

@@ -498,11 +498,8 @@ pub fn wasm_generate_recovery_qr(
     handle: &SessionHandle,
     passphrase: &str,
 ) -> Result<String, JsError> {
-    let image_secret_bytes = session::with_image_secret(handle.0, |s| s.to_vec())
-        .ok_or_else(|| JsError::new("invalid or locked session handle"))?;
-    let image_secret: &[u8; 32] = image_secret_bytes.as_slice().try_into()
-        .map_err(|_| JsError::new("image_secret must be 32 bytes"))?;
-    let payload = generate_recovery_qr(passphrase, image_secret)
+    let payload = session::with_image_secret(handle.0, |s| generate_recovery_qr(passphrase, s))
+        .ok_or_else(|| JsError::new("invalid or locked session handle"))?
         .map_err(|e| JsError::new(&e.to_string()))?;
     Ok(recovery_qr_to_svg(&payload))
 }