refactor: extract master-key code into masterkey package (#604)

browser/safari/extract_password.go

@@ -45,16 +45,9 @@ func countPasswords(keychainPassword string) (int, error) {
 	return len(passwords), nil
 }
 
-// getInternetPasswords reads InternetPassword records directly from the
-// macOS login keychain. See rfcs/006-key-retrieval-mechanisms.md §7 for why
-// Safari owns this path instead of routing through crypto/keyretriever.
-//
-// TryUnlock is always invoked — with the user-supplied password when one is
-// available, otherwise with no options — to enable keychainbreaker's partial
-// extraction mode. With a valid password we get fully decrypted entries; with
-// empty or wrong password we still get metadata records (URL, account,
-// timestamps) and PlainPassword left blank, which Safari can export as
-// metadata-only output instead of failing with ErrLocked.
+// getInternetPasswords reads InternetPassword records straight from the macOS login keychain (Safari owns its own key
+// path, separate from the masterkey package). TryUnlock always runs — even without a password — so a locked keychain
+// still yields metadata-only records (URL, account, blank password) instead of failing with ErrLocked.
 func getInternetPasswords(keychainPassword string) ([]keychainbreaker.InternetPassword, error) {
 	kc, err := keychainbreaker.Open()
 	if err != nil {
@@ -82,8 +75,7 @@ func buildURL(protocol, server string, port uint32, path string) string {
 		return ""
 	}
 
-	// Convert macOS Keychain FourCC protocol code to URL scheme.
-	// Only "htps" needs special mapping; others just need space trimming.
+	// macOS Keychain stores the protocol as a FourCC code; only "htps" needs remapping, others just trim padding.
 	scheme := strings.TrimRight(protocol, " ")
 	if scheme == "" || scheme == "htps" {
 		scheme = "https"