Remove legacy keypair.pub after PQ migration (#96)

* Initial plan

* fix: remove legacy keypair pub after migration

---------

Co-authored-by: openai-code-agent[bot] <242516109+Codex@users.noreply.github.com>
Co-authored-by: therealpaulgg <paul@paul.systems>

Author: Codex

pkg/actions/migrate.go

@@ -109,6 +109,9 @@ func Migrate(c *cli.Context) error {
 
 	os.Remove(filepath.Join(sshSyncDir, "keypair.bak"))
 	os.Remove(filepath.Join(sshSyncDir, "master_key.bak"))
+	if err := removeLegacyPublicKey(sshSyncDir); err != nil {
+		fmt.Fprintf(os.Stderr, "WARNING: could not remove legacy keypair.pub: %v\n", err)
+	}
 
 	fmt.Println()
 	fmt.Println("Migration complete! Your keys are now using post-quantum cryptography.")
@@ -196,3 +199,10 @@ func restoreBackup(backupPath, originalPath string) {
 		fmt.Fprintf(os.Stderr, "WARNING: could not restore %s: %v\n", originalPath, err)
 	}
 }
+
+func removeLegacyPublicKey(sshSyncDir string) error {
+	if err := os.Remove(filepath.Join(sshSyncDir, "keypair.pub")); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return err
+	}
+	return nil
+}

pkg/actions/migrate_test.go

@@ -0,0 +1,28 @@
+package actions
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRemoveLegacyPublicKeyDeletesFile(t *testing.T) {
+	dir := t.TempDir()
+	pubPath := filepath.Join(dir, "keypair.pub")
+	require.NoError(t, os.WriteFile(pubPath, []byte("legacy"), 0600))
+
+	require.NoError(t, removeLegacyPublicKey(dir))
+
+	_, err := os.Stat(pubPath)
+	assert.True(t, errors.Is(err, os.ErrNotExist), "keypair.pub should be removed")
+}
+
+func TestRemoveLegacyPublicKeyMissingOK(t *testing.T) {
+	dir := t.TempDir()
+
+	assert.NoError(t, removeLegacyPublicKey(dir))
+}