From 83186de1195b25a9945567d78ec4eb924e64c745 Mon Sep 17 00:00:00 2001
From: John Blackbourn <john@johnblackbourn.com>
Date: Tue, 20 Jan 2026 11:26:27 +0100
Subject: [PATCH] Remove a bunch of magic numbers and strings.

---
 src/Ed25519Keypair.ts             | 10 +++---
 src/cli/did-rotation-key-check.ts |  8 ++---
 src/did-validation.ts             | 46 ++++++++++++++++++---------
 src/domain.ts                     |  9 ++++--
 src/keyfile.ts                    | 18 +++++++++--
 src/keys.ts                       | 12 ++++---
 src/metadata.ts                   | 45 ++++++++++++++++++--------
 src/signing.ts                    | 52 +++++++++++++++++++++----------
 src/verify.ts                     |  2 +-
 9 files changed, 141 insertions(+), 61 deletions(-)

diff --git a/src/Ed25519Keypair.ts b/src/Ed25519Keypair.ts
index 45d4fa7..a3ddd1a 100644
--- a/src/Ed25519Keypair.ts
+++ b/src/Ed25519Keypair.ts
@@ -1,4 +1,5 @@
 import { bytesToMultibase, multibaseToBytes, Keypair } from '@atproto/crypto';
+import { DID_KEY_PREFIX } from './did-validation.js';
 import { ed25519 } from '@noble/curves/ed25519';
 import * as uint8arrays from 'uint8arrays';
 
@@ -8,10 +9,9 @@ import * as uint8arrays from 'uint8arrays';
 export const ED25519_PUBLIC_PREFIX = new Uint8Array([0xed, 0x01]);
 
 /**
- * Multibase base58btc prefix for Ed25519 public keys (z6Mk).
- * This is the base58btc encoding of ED25519_PUBLIC_PREFIX.
+ * Length of an Ed25519 public key in bytes.
  */
-export const ED25519_PUBLIC_MULTIBASE_PREFIX = 'z6Mk';
+const ED25519_PUBLIC_KEY_SIZE = 32;
 
 /**
  * Ed25519 verification keypair.
@@ -56,7 +56,7 @@ export class Ed25519Keypair implements Keypair {
 	 */
 	static async fromPublicKeyMultibase(publicKeyMultibase: string): Promise<Ed25519Keypair> {
 		const decoded = multibaseToBytes(publicKeyMultibase);
-		const expectedLength = ED25519_PUBLIC_PREFIX.length + 32;
+		const expectedLength = ED25519_PUBLIC_PREFIX.length + ED25519_PUBLIC_KEY_SIZE;
 
 		// Validate minimum length before accessing array indices
 		if (decoded.length < ED25519_PUBLIC_PREFIX.length) {
@@ -106,7 +106,7 @@ export class Ed25519Keypair implements Keypair {
 	 * Get the public key as a did:key string.
 	 */
 	did(): string {
-		return `did:key:${this.publicKeyStr()}`;
+		return `${DID_KEY_PREFIX}${this.publicKeyStr()}`;
 	}
 
 	/**
diff --git a/src/cli/did-rotation-key-check.ts b/src/cli/did-rotation-key-check.ts
index 4738da1..fa6f7a9 100644
--- a/src/cli/did-rotation-key-check.ts
+++ b/src/cli/did-rotation-key-check.ts
@@ -3,7 +3,7 @@
 import { parseArgs } from 'node:util';
 import { readFile } from 'node:fs/promises';
 import { getRotationPublicKeyMultibase, parseRotationPublicKeyOnly, RotationKeyInputError } from '../keys.js';
-import { validatePlcDid, DidValidationError } from '../did-validation.js';
+import { validatePlcDid, DidValidationError, DID_KEY_PREFIX } from '../did-validation.js';
 import { checkRotationKey, DidLogFetchError, DidLogValidationError } from '../verify.js';
 
 const { values } = parseArgs({
@@ -131,16 +131,16 @@ if (result.allKeys.length === 0) {
 
 if (result.valid) {
 	console.log(`\n✓ Rotation key is valid`);
-	console.log(`Public key: did:key:${result.publicKeyMultibase}`);
+	console.log(`Public key: ${DID_KEY_PREFIX}${result.publicKeyMultibase}`);
 	console.log(`This key can be used to sign PLC operations for ${did}`);
 	process.exit(0);
 } else {
 	console.log(`\n❌ Rotation key is not valid`);
-	console.log(`Public key: did:key:${result.publicKeyMultibase}`);
+	console.log(`Public key: ${DID_KEY_PREFIX}${result.publicKeyMultibase}`);
 	console.log(`This key is not present in the latest operation of the DID log for ${did}`);
 	console.log(`\nValid rotation keys for this DID:`);
 	for (const key of result.allKeys) {
-		console.log(`  did:key:${key}`);
+		console.log(`  ${DID_KEY_PREFIX}${key}`);
 	}
 	process.exit(1);
 }
diff --git a/src/did-validation.ts b/src/did-validation.ts
index 8861fa6..9dda87a 100644
--- a/src/did-validation.ts
+++ b/src/did-validation.ts
@@ -8,28 +8,45 @@ export class DidValidationError extends Error {}
  */
 export class PublicKeyValidationError extends Error {}
 
+/**
+ * Prefix for did:plc URIs.
+ */
+export const DID_PLC_PREFIX = 'did:plc:';
+
 /**
  * Expected length of a valid did:plc: identifier.
  * Format: did:plc: (8 chars) + 24 character base32 hash = 32 characters total.
  */
-const DID_PLC_LENGTH = 32;
+export const DID_PLC_LENGTH = 32;
 
 /**
  * Prefix for did:key URIs.
  */
 export const DID_KEY_PREFIX = 'did:key:';
 
+/**
+ * Multibase prefix for Ed25519 public keys (verification keys).
+ * Format: z6Mk...
+ */
+export const ED25519_PUBLIC_MULTIBASE_PREFIX = 'z6Mk';
+
+/**
+ * Multibase prefix for Secp256k1 public keys (rotation keys).
+ * Format: zQ3sh...
+ */
+export const SECP256K1_PUBLIC_MULTIBASE_PREFIX = 'zQ3sh';
+
 /**
  * Prefix for Ed25519 public keys in did:key format (verification keys).
  * Format: did:key:z6Mk...
  */
-export const ED25519_DID_KEY_PREFIX = 'did:key:z6Mk';
+export const ED25519_DID_KEY_PREFIX = DID_KEY_PREFIX + ED25519_PUBLIC_MULTIBASE_PREFIX;
 
 /**
  * Prefix for Secp256k1 public keys in did:key format (rotation keys).
  * Format: did:key:zQ3sh...
  */
-export const SECP256K1_DID_KEY_PREFIX = 'did:key:zQ3sh';
+export const SECP256K1_DID_KEY_PREFIX = DID_KEY_PREFIX + SECP256K1_PUBLIC_MULTIBASE_PREFIX;
 
 /**
  * Expected length of a did:key Ed25519 public key.
@@ -44,15 +61,14 @@ export const ED25519_DID_KEY_LENGTH = 56;
 export const SECP256K1_DID_KEY_LENGTH = 57;
 
 /**
- * Multibase prefix for Secp256k1 public keys (rotation keys).
- * Format: zQ3sh...
+ * Multicodec prefix for secp256k1 compressed public keys (rotation keys).
  */
-export const SECP256K1_PUBLIC_MULTIBASE_PREFIX = 'zQ3sh';
+export const SECP256K1_PUBLIC_MULTICODEC_PREFIX = new Uint8Array([0xe7, 0x01]);
 
 /**
- * Multicodec prefix for secp256k1 compressed public keys (rotation keys).
+ * Length of a secp256k1 compressed public key in bytes.
  */
-export const SECP256K1_PUBLIC_MULTICODEC_PREFIX = new Uint8Array([0xe7, 0x01]);
+export const SECP256K1_COMPRESSED_PUBLIC_KEY_SIZE = 33;
 
 /**
  * Multicodec prefix for secp256k1 private keys (rotation keys).
@@ -71,8 +87,8 @@ export const ED25519_PRIVATE_MULTICODEC_PREFIX = new Uint8Array([0x80, 0x26]);
  * @throws {DidValidationError} If the DID doesn't start with 'did:plc:' or has incorrect length
  */
 export function validatePlcDid(did: string): void {
-	if (!did.startsWith('did:plc:')) {
-		throw new DidValidationError(`Invalid DID format. DID must have the prefix 'did:plc:'.`);
+	if (!did.startsWith(DID_PLC_PREFIX)) {
+		throw new DidValidationError(`Invalid DID format. DID must have the prefix '${DID_PLC_PREFIX}'.`);
 	}
 	if (did.length !== DID_PLC_LENGTH) {
 		throw new DidValidationError(`Invalid DID format. DID must be ${DID_PLC_LENGTH} characters in length.`);
@@ -86,8 +102,10 @@ export function validatePlcDid(did: string): void {
  * @throws {PublicKeyValidationError} If the key format is invalid
  */
 export function validateVerificationKey(key: string): void {
-	if (!key.startsWith('did:key:')) {
-		throw new PublicKeyValidationError(`Invalid verification key format. Key must start with 'did:key:' prefix.`);
+	if (!key.startsWith(DID_KEY_PREFIX)) {
+		throw new PublicKeyValidationError(
+			`Invalid verification key format. Key must start with '${DID_KEY_PREFIX}' prefix.`,
+		);
 	}
 
 	if (key.startsWith(SECP256K1_DID_KEY_PREFIX)) {
@@ -116,8 +134,8 @@ export function validateVerificationKey(key: string): void {
  * @throws {PublicKeyValidationError} If the key format is invalid
  */
 export function validateRotationKey(key: string): void {
-	if (!key.startsWith('did:key:')) {
-		throw new PublicKeyValidationError(`Invalid rotation key format. Key must start with 'did:key:' prefix.`);
+	if (!key.startsWith(DID_KEY_PREFIX)) {
+		throw new PublicKeyValidationError(`Invalid rotation key format. Key must start with '${DID_KEY_PREFIX}' prefix.`);
 	}
 
 	if (key.startsWith(ED25519_DID_KEY_PREFIX)) {
diff --git a/src/domain.ts b/src/domain.ts
index 2379e44..93c52dd 100644
--- a/src/domain.ts
+++ b/src/domain.ts
@@ -1,5 +1,10 @@
 import { resolveTxt } from 'node:dns/promises';
 
+/**
+ * Maximum length of a domain name per DNS specification.
+ */
+const MAX_DOMAIN_LENGTH = 255;
+
 const DOMAIN_REGEX = /^[a-z0-9][a-z0-9-]{0,62}(\.[a-z0-9][a-z0-9-]{0,62})+$/i;
 const DID_RECORD_REGEX = /^did="?([^"]+)"?$/;
 
@@ -29,8 +34,8 @@ export function validateDomain(domain: string): void {
 		throw new InvalidDomainError('Domain is required');
 	}
 
-	if (domain.length > 255) {
-		throw new InvalidDomainError('Domain must not exceed 255 characters');
+	if (domain.length > MAX_DOMAIN_LENGTH) {
+		throw new InvalidDomainError(`Domain must not exceed ${MAX_DOMAIN_LENGTH} characters`);
 	}
 
 	if (!DOMAIN_REGEX.test(domain)) {
diff --git a/src/keyfile.ts b/src/keyfile.ts
index 4d9760c..2e3ba16 100644
--- a/src/keyfile.ts
+++ b/src/keyfile.ts
@@ -43,6 +43,16 @@ interface FormatKeyFileContentOptions {
  */
 export class SaveKeyError extends Error {}
 
+/**
+ * Size of the uncompressed public key prefix byte (0x04).
+ */
+const UNCOMPRESSED_KEY_PREFIX_SIZE = 1;
+
+/**
+ * Size of a secp256k1 coordinate (X or Y) in bytes.
+ */
+const SECP256K1_COORDINATE_SIZE = 32;
+
 /**
  * Encodes a rotation key (secp256k1) as a PEM string in SEC1 format.
  *
@@ -51,8 +61,12 @@ export class SaveKeyError extends Error {}
  */
 export function encodeRotationKey(privateKey: Uint8Array): string {
 	const uncompressedPublicKey = secp256k1.getPublicKey(privateKey, false);
-	const publicKeyX = uncompressedPublicKey.slice(1, 33);
-	const publicKeyY = uncompressedPublicKey.slice(33, 65);
+	// Uncompressed format: 0x04 prefix + 32-byte X + 32-byte Y
+	const xStart = UNCOMPRESSED_KEY_PREFIX_SIZE;
+	const xEnd = xStart + SECP256K1_COORDINATE_SIZE;
+	const yEnd = xEnd + SECP256K1_COORDINATE_SIZE;
+	const publicKeyX = uncompressedPublicKey.slice(xStart, xEnd);
+	const publicKeyY = uncompressedPublicKey.slice(xEnd, yEnd);
 
 	const keyObject = crypto.createPrivateKey({
 		key: {
diff --git a/src/keys.ts b/src/keys.ts
index 0413d16..2b63dd6 100644
--- a/src/keys.ts
+++ b/src/keys.ts
@@ -1,10 +1,14 @@
 import { Keypair, Secp256k1Keypair, verifySignature, multibaseToBytes } from '@atproto/crypto';
 import { ed25519 } from '@noble/curves/ed25519';
-import { Ed25519Keypair, ED25519_PUBLIC_MULTIBASE_PREFIX } from './Ed25519Keypair.js';
+import { Ed25519Keypair } from './Ed25519Keypair.js';
 import {
 	DID_KEY_PREFIX,
+	ED25519_PUBLIC_MULTIBASE_PREFIX,
+	ED25519_DID_KEY_PREFIX,
 	SECP256K1_PUBLIC_MULTIBASE_PREFIX,
+	SECP256K1_DID_KEY_PREFIX,
 	SECP256K1_PUBLIC_MULTICODEC_PREFIX,
+	SECP256K1_COMPRESSED_PUBLIC_KEY_SIZE,
 } from './did-validation.js';
 
 export interface KeyPairBundle<T extends Keypair = Keypair> {
@@ -203,7 +207,7 @@ export async function getVerificationPublicKeyMultibase(keyInput: string): Promi
 	}
 
 	throw new VerificationKeyInputError(
-		'Unrecognized key format. Expected a public key (did:key:z6Mk...) or private key (PEM, multibase, or hex)',
+		`Unrecognized key format. Expected a public key (${ED25519_DID_KEY_PREFIX}...) or private key (PEM, multibase, or hex)`,
 	);
 }
 
@@ -237,7 +241,7 @@ function validateSecp256k1PublicKeyMultibase(multibase: string): void {
 	}
 
 	// Validate total length (2-byte prefix + 33-byte compressed public key = 35 bytes)
-	const expectedLength = SECP256K1_PUBLIC_MULTICODEC_PREFIX.length + 33;
+	const expectedLength = SECP256K1_PUBLIC_MULTICODEC_PREFIX.length + SECP256K1_COMPRESSED_PUBLIC_KEY_SIZE;
 	if (decoded.length !== expectedLength) {
 		throw new RotationKeyInputError(
 			`Invalid key length: expected ${expectedLength} bytes (2-byte prefix + 33-byte key), ` +
@@ -323,6 +327,6 @@ export async function getRotationPublicKeyMultibase(keyInput: string): Promise<s
 	}
 
 	throw new RotationKeyInputError(
-		'Unrecognized key format. Expected a public key (did:key:zQ3sh...) or private key (PEM, multibase, or hex)',
+		`Unrecognized key format. Expected a public key (${SECP256K1_DID_KEY_PREFIX}...) or private key (PEM, multibase, or hex)`,
 	);
 }
diff --git a/src/metadata.ts b/src/metadata.ts
index c5a554c..430d281 100644
--- a/src/metadata.ts
+++ b/src/metadata.ts
@@ -367,6 +367,25 @@ interface AssetPattern {
 	height: number | null;
 }
 
+/**
+ * WordPress plugin banner dimensions.
+ */
+const BANNER_SMALL_WIDTH = 772;
+const BANNER_SMALL_HEIGHT = 250;
+const BANNER_LARGE_WIDTH = 1544;
+const BANNER_LARGE_HEIGHT = 500;
+
+/**
+ * WordPress plugin icon dimensions.
+ */
+const ICON_SMALL_SIZE = 128;
+const ICON_LARGE_SIZE = 256;
+
+/**
+ * Maximum number of keywords allowed in metadata.
+ */
+const MAX_KEYWORDS = 5;
+
 /**
  * Asset file patterns for WordPress plugins.
  *
@@ -375,16 +394,16 @@ interface AssetPattern {
 const ASSET_PATTERNS: AssetPattern[] = [
 	// Banners
 	{
-		pattern: /^banner-772x250\.(png|jpe?g|gif)$/i,
+		pattern: new RegExp(`^banner-${BANNER_SMALL_WIDTH}x${BANNER_SMALL_HEIGHT}\\.(png|jpe?g|gif)$`, 'i'),
 		type: 'banner',
-		width: 772,
-		height: 250,
+		width: BANNER_SMALL_WIDTH,
+		height: BANNER_SMALL_HEIGHT,
 	},
 	{
-		pattern: /^banner-1544x500\.(png|jpe?g|gif)$/i,
+		pattern: new RegExp(`^banner-${BANNER_LARGE_WIDTH}x${BANNER_LARGE_HEIGHT}\\.(png|jpe?g|gif)$`, 'i'),
 		type: 'banner',
-		width: 1544,
-		height: 500,
+		width: BANNER_LARGE_WIDTH,
+		height: BANNER_LARGE_HEIGHT,
 	},
 	// Icons
 	{
@@ -394,16 +413,16 @@ const ASSET_PATTERNS: AssetPattern[] = [
 		height: null,
 	},
 	{
-		pattern: /^icon-128x128\.(png|jpe?g|gif)$/i,
+		pattern: new RegExp(`^icon-${ICON_SMALL_SIZE}x${ICON_SMALL_SIZE}\\.(png|jpe?g|gif)$`, 'i'),
 		type: 'icon',
-		width: 128,
-		height: 128,
+		width: ICON_SMALL_SIZE,
+		height: ICON_SMALL_SIZE,
 	},
 	{
-		pattern: /^icon-256x256\.(png|jpe?g|gif)$/i,
+		pattern: new RegExp(`^icon-${ICON_LARGE_SIZE}x${ICON_LARGE_SIZE}\\.(png|jpe?g|gif)$`, 'i'),
 		type: 'icon',
-		width: 256,
-		height: 256,
+		width: ICON_LARGE_SIZE,
+		height: ICON_LARGE_SIZE,
 	},
 ];
 
@@ -691,7 +710,7 @@ export async function buildMetadataFromContent(
 		authors,
 		license,
 		security,
-		keywords: (keywords || []).slice(0, 5),
+		keywords: (keywords || []).slice(0, MAX_KEYWORDS),
 		sections,
 		releases: [release, ...filteredReleases],
 	});
diff --git a/src/signing.ts b/src/signing.ts
index 4c46945..c642bef 100644
--- a/src/signing.ts
+++ b/src/signing.ts
@@ -6,6 +6,26 @@ import { SECP256K1_PRIVATE_MULTICODEC_PREFIX, ED25519_PRIVATE_MULTICODEC_PREFIX
 const SECP256K1_PRIV_PREFIX_HEX = Buffer.from(SECP256K1_PRIVATE_MULTICODEC_PREFIX).toString('hex');
 const ED25519_PRIV_PREFIX_HEX = Buffer.from(ED25519_PRIVATE_MULTICODEC_PREFIX).toString('hex');
 
+/**
+ * Length of the multibase prefix in bytes.
+ */
+const MULTIBASE_PREFIX_LENGTH = 2;
+
+/**
+ * Length of a raw Ed25519/Secp256k1 private key in bytes.
+ */
+const PRIVATE_KEY_SIZE = 32;
+
+/**
+ * Length of an Ed25519 key in Sodium format (seed + public key).
+ */
+const ED25519_SODIUM_FORMAT_LENGTH = 64;
+
+/**
+ * Length of a hex-encoded 32-byte private key.
+ */
+const HEX_ENCODED_PRIVATE_KEY_LENGTH = 64;
+
 /**
  * PEM header for EC private keys (SEC1 format, used for secp256k1 rotation keys).
  */
@@ -43,11 +63,11 @@ export function decodeMultibaseRotationKey(key: string): Uint8Array {
 		throw new SigningKeyError('Invalid key format. The key could not be decoded.');
 	}
 
-	if (decoded.length < 2) {
+	if (decoded.length < MULTIBASE_PREFIX_LENGTH) {
 		throw new SigningKeyError('Invalid key format. The key is too short.');
 	}
 
-	const prefixHex = Buffer.from(decoded.slice(0, 2)).toString('hex');
+	const prefixHex = Buffer.from(decoded.slice(0, MULTIBASE_PREFIX_LENGTH)).toString('hex');
 
 	if (prefixHex === ED25519_PRIV_PREFIX_HEX) {
 		throw new SigningKeyError(
@@ -59,9 +79,9 @@ export function decodeMultibaseRotationKey(key: string): Uint8Array {
 		throw new SigningKeyError(`Unrecognized key type (prefix: ${prefixHex}). Expected a rotation key.`);
 	}
 
-	const rawKey = decoded.slice(2);
+	const rawKey = decoded.slice(MULTIBASE_PREFIX_LENGTH);
 
-	if (rawKey.length !== 32) {
+	if (rawKey.length !== PRIVATE_KEY_SIZE) {
 		throw new SigningKeyError('Invalid key format. The key has the wrong length.');
 	}
 
@@ -86,11 +106,11 @@ export function decodeMultibaseVerificationKey(key: string): Uint8Array {
 		throw new SigningKeyError('Invalid key format. The key could not be decoded.');
 	}
 
-	if (decoded.length < 2) {
+	if (decoded.length < MULTIBASE_PREFIX_LENGTH) {
 		throw new SigningKeyError('Invalid key format. The key is too short.');
 	}
 
-	const prefixHex = Buffer.from(decoded.slice(0, 2)).toString('hex');
+	const prefixHex = Buffer.from(decoded.slice(0, MULTIBASE_PREFIX_LENGTH)).toString('hex');
 
 	if (prefixHex === SECP256K1_PRIV_PREFIX_HEX) {
 		throw new SigningKeyError(
@@ -102,11 +122,11 @@ export function decodeMultibaseVerificationKey(key: string): Uint8Array {
 		throw new SigningKeyError(`Unrecognized key type (prefix: ${prefixHex}). Expected a verification key.`);
 	}
 
-	const rawKey = decoded.slice(2);
+	const rawKey = decoded.slice(MULTIBASE_PREFIX_LENGTH);
 
 	// Sodium format: 64 bytes (32-byte seed + 32-byte public key)
-	if (rawKey.length === 64) {
-		return rawKey.slice(0, 32);
+	if (rawKey.length === ED25519_SODIUM_FORMAT_LENGTH) {
+		return rawKey.slice(0, PRIVATE_KEY_SIZE);
 	}
 
 	throw new SigningKeyError('Invalid key format. Expected a 64-byte Sodium-format Ed25519 key.');
@@ -140,7 +160,7 @@ function decodeECPrivateKeyPEM(key: string): Uint8Array {
 
 	// JWK 'd' is base64url-encoded
 	const rawKey = Buffer.from(jwk.d, 'base64url');
-	if (rawKey.length !== 32) {
+	if (rawKey.length !== PRIVATE_KEY_SIZE) {
 		throw new SigningKeyError('Invalid rotation key. The key has the wrong length.');
 	}
 
@@ -175,7 +195,7 @@ function decodePKCS8PrivateKeyPEM(key: string): Uint8Array {
 
 	// JWK 'd' is base64url-encoded
 	const rawKey = Buffer.from(jwk.d, 'base64url');
-	if (rawKey.length !== 32) {
+	if (rawKey.length !== PRIVATE_KEY_SIZE) {
 		throw new SigningKeyError('Invalid verification key. The key has the wrong length.');
 	}
 
@@ -200,7 +220,7 @@ export function isPKCS8PrivateKeyPEM(content: string): boolean {
  * Check if content looks like a 32-byte hex-encoded private key.
  */
 export function isHexPrivateKey(content: string): boolean {
-	return /^[a-f0-9]{64}$/i.test(content);
+	return new RegExp(`^[a-f0-9]{${HEX_ENCODED_PRIVATE_KEY_LENGTH}}$`, 'i').test(content);
 }
 
 /**
@@ -212,10 +232,10 @@ export function isMultibaseRotationKey(content: string): boolean {
 	}
 	try {
 		const decoded = base58btc.decode(content);
-		if (decoded.length < 2) {
+		if (decoded.length < MULTIBASE_PREFIX_LENGTH) {
 			return false;
 		}
-		const prefixHex = Buffer.from(decoded.slice(0, 2)).toString('hex');
+		const prefixHex = Buffer.from(decoded.slice(0, MULTIBASE_PREFIX_LENGTH)).toString('hex');
 		return prefixHex === SECP256K1_PRIV_PREFIX_HEX;
 	} catch {
 		return false;
@@ -231,10 +251,10 @@ export function isMultibaseVerificationKey(content: string): boolean {
 	}
 	try {
 		const decoded = base58btc.decode(content);
-		if (decoded.length < 2) {
+		if (decoded.length < MULTIBASE_PREFIX_LENGTH) {
 			return false;
 		}
-		const prefixHex = Buffer.from(decoded.slice(0, 2)).toString('hex');
+		const prefixHex = Buffer.from(decoded.slice(0, MULTIBASE_PREFIX_LENGTH)).toString('hex');
 		return prefixHex === ED25519_PRIV_PREFIX_HEX;
 	} catch {
 		return false;
diff --git a/src/verify.ts b/src/verify.ts
index b76a8b9..6601393 100644
--- a/src/verify.ts
+++ b/src/verify.ts
@@ -883,7 +883,7 @@ export async function checkRotationKey(
 ): Promise<CheckRotationKeyResult> {
 	const { fetchDidLog } = await import('./plc-log.js');
 
-	const didKey = `did:key:${publicKeyMultibase}`;
+	const didKey = `${DID_KEY_PREFIX}${publicKeyMultibase}`;
 	const ops = await fetchDidLog(did, plcUrl);
 
 	if (ops.length === 0) {