@123456btc/123456btc-cli 1.0.1 → 1.0.2

package/dist/vault/index.js

@@ -0,0 +1,276 @@
+"use strict";
+/**
+ * VaultManager - Secure key vault for 123456btc CLI
+ *
+ * Manages encrypted storage of:
+ * - Exchange API keys (Binance, OKX, Bybit, etc.)
+ * - LLM provider keys (OpenAI, Anthropic, etc.)
+ * - Wallet private keys (Solana, etc.)
+ *
+ * Security model:
+ * - Master password → scrypt KDF → KEK
+ * - KEK encrypts all vault data (AES-256-GCM)
+ * - Plaintext keys only exist in memory during active use
+ * - Memory buffers are explicitly wiped after use
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultManager = void 0;
+exports.getVault = getVault;
+exports.resetVault = resetVault;
+const crypto_1 = require("./crypto");
+const storage_1 = require("./storage");
+class VaultManager {
+    state = {
+        unlocked: false,
+        entries: [],
+        meta: null,
+    };
+    kek = null;
+    backend = null;
+    autoLockTimer = null;
+    autoLockMs;
+    constructor(options = {}) {
+        this.autoLockMs = options.autoLockMs ?? 300_000; // 5 minutes default
+    }
+    /**
+     * Initialize vault with a master password
+     * Creates new vault if not exists
+     */
+    async init(password) {
+        this.backend = await (0, storage_1.selectBackend)();
+        const existing = await this.backend.read();
+        if (existing) {
+            throw new Error('Vault already exists. Use `unlock` instead.');
+        }
+        const salt = (0, crypto_1.generateSalt)();
+        this.kek = (0, crypto_1.deriveKey)(password, salt);
+        const meta = {
+            version: crypto_1.VAULT_VERSION,
+            createdAt: new Date().toISOString(),
+            salt: Buffer.from(salt).toString('hex'),
+            kdfParams: crypto_1.DEFAULT_KDF,
+        };
+        this.state = {
+            unlocked: true,
+            entries: [],
+            meta,
+        };
+        await this._save();
+        this._startAutoLock();
+    }
+    /**
+     * Unlock vault with master password
+     */
+    async unlock(password) {
+        if (this.state.unlocked)
+            return;
+        this.backend = await (0, storage_1.selectBackend)();
+        const encrypted = await this.backend.read();
+        if (!encrypted) {
+            throw new Error('Vault not found. Run `vault init` first.');
+        }
+        // First, try to decrypt to get metadata and validate password
+        let plaintext;
+        try {
+            // The file format: salt(32) + encrypted_payload
+            const salt = encrypted.slice(0, 32);
+            const payload = encrypted.slice(32);
+            this.kek = (0, crypto_1.deriveKey)(password, new Uint8Array(salt));
+            plaintext = (0, crypto_1.decrypt)(new Uint8Array(payload), this.kek.data);
+        }
+        catch {
+            this._clearKek();
+            throw new Error('Invalid master password.');
+        }
+        try {
+            const data = (0, crypto_1.decodeVaultData)(plaintext);
+            if (data.version !== crypto_1.VAULT_VERSION) {
+                throw new Error(`Unsupported vault version: ${data.version}`);
+            }
+            this.state = {
+                unlocked: true,
+                entries: data.entries,
+                meta: data.meta,
+            };
+            this._startAutoLock();
+        }
+        catch (err) {
+            this._clearKek();
+            throw new Error(`Failed to decode vault: ${err.message}`);
+        }
+    }
+    /**
+     * Lock vault, wipe KEK from memory
+     */
+    lock() {
+        this._clearKek();
+        this.state.unlocked = false;
+        this.state.entries = [];
+        this.state.meta = null;
+        if (this.autoLockTimer) {
+            clearTimeout(this.autoLockTimer);
+            this.autoLockTimer = null;
+        }
+    }
+    /**
+     * Check if vault is unlocked
+     */
+    isUnlocked() {
+        return this.state.unlocked && this.kek !== null;
+    }
+    /**
+     * Set a vault entry (create or update)
+     */
+    async set(name, data, category = 'other', tags) {
+        this._ensureUnlocked();
+        const now = new Date().toISOString();
+        const existingIndex = this.state.entries.findIndex(e => e.name === name);
+        if (existingIndex >= 0) {
+            this.state.entries[existingIndex] = {
+                ...this.state.entries[existingIndex],
+                data,
+                category,
+                updatedAt: now,
+                tags,
+            };
+        }
+        else {
+            this.state.entries.push({
+                name,
+                category,
+                data,
+                createdAt: now,
+                updatedAt: now,
+                tags,
+            });
+        }
+        await this._save();
+    }
+    /**
+     * Get a vault entry by name
+     * Returns decrypted data as SecureBuffer-compatible plain object
+     */
+    get(name) {
+        this._ensureUnlocked();
+        return this.state.entries.find(e => e.name === name);
+    }
+    /**
+     * Get sensitive value as SecureBuffer (must call .wipe() after use!)
+     */
+    getSecure(name, field) {
+        this._ensureUnlocked();
+        const entry = this.state.entries.find(e => e.name === name);
+        if (!entry)
+            return undefined;
+        const value = entry.data[field];
+        if (!value)
+            return undefined;
+        return (0, crypto_1.secureBuffer)(new TextEncoder().encode(value));
+    }
+    /**
+     * List all vault entries (sensitive values masked)
+     */
+    list() {
+        this._ensureUnlocked();
+        return this.state.entries.map(e => ({
+            name: e.name,
+            category: e.category,
+            createdAt: e.createdAt,
+            updatedAt: e.updatedAt,
+            tags: e.tags,
+            fields: Object.keys(e.data),
+        }));
+    }
+    /**
+     * Remove an entry by name
+     */
+    async remove(name) {
+        this._ensureUnlocked();
+        const idx = this.state.entries.findIndex(e => e.name === name);
+        if (idx < 0)
+            return false;
+        this.state.entries.splice(idx, 1);
+        await this._save();
+        return true;
+    }
+    /**
+     * Change master password
+     */
+    async changePassword(oldPassword, newPassword) {
+        await this.unlock(oldPassword);
+        const salt = (0, crypto_1.generateSalt)();
+        const newKek = (0, crypto_1.deriveKey)(newPassword, salt);
+        const meta = {
+            version: crypto_1.VAULT_VERSION,
+            createdAt: this.state.meta.createdAt,
+            salt: Buffer.from(salt).toString('hex'),
+            kdfParams: crypto_1.DEFAULT_KDF,
+        };
+        this.state.meta = meta;
+        this._clearKek();
+        this.kek = newKek;
+        await this._save();
+    }
+    /**
+     * Destroy vault (delete all data)
+     */
+    async destroy() {
+        this.backend = await (0, storage_1.selectBackend)();
+        await this.backend.delete();
+        this.lock();
+    }
+    /**
+     * Get storage backend name
+     */
+    getBackendName() {
+        return this.backend?.name ?? 'unknown';
+    }
+    // ---- Private helpers ----
+    _ensureUnlocked() {
+        if (!this.state.unlocked || !this.kek) {
+            throw new Error('Vault is locked. Run `vault unlock` first.');
+        }
+    }
+    async _save() {
+        if (!this.backend || !this.kek || !this.state.meta) {
+            throw new Error('Cannot save: vault not initialized');
+        }
+        const payload = (0, crypto_1.encodeVaultData)(this.state.entries, this.state.meta);
+        const encrypted = (0, crypto_1.encrypt)(payload, this.kek.data);
+        // Format: salt + encrypted
+        const salt = Buffer.from(this.state.meta.salt, 'hex');
+        const data = Buffer.concat([salt, Buffer.from(encrypted)]);
+        await this.backend.write(data);
+    }
+    _startAutoLock() {
+        if (this.autoLockTimer) {
+            clearTimeout(this.autoLockTimer);
+        }
+        this.autoLockTimer = setTimeout(() => {
+            console.log('\n[Vault] Auto-locked due to inactivity.');
+            this.lock();
+        }, this.autoLockMs);
+    }
+    _clearKek() {
+        if (this.kek) {
+            this.kek.wipe();
+            this.kek = null;
+        }
+    }
+}
+exports.VaultManager = VaultManager;
+// Singleton instance
+let vaultInstance = null;
+function getVault(options) {
+    if (!vaultInstance) {
+        vaultInstance = new VaultManager(options);
+    }
+    return vaultInstance;
+}
+function resetVault() {
+    if (vaultInstance) {
+        vaultInstance.lock();
+        vaultInstance = null;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAiSH,4BAKC;AAED,gCAKC;AA1SD,qCAUkB;AAClB,uCAA0C;AAE1C,MAAa,YAAY;IACf,KAAK,GAAe;QAC1B,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,EAAE;QACX,IAAI,EAAE,IAAI;KACX,CAAC;IAEM,GAAG,GAAwB,IAAI,CAAC;IAChC,OAAO,GAA2B,IAAI,CAAC;IACvC,aAAa,GAA0B,IAAI,CAAC;IACnC,UAAU,CAAS;IAEpC,YAAY,UAAuD,EAAE;QACnE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,CAAC,oBAAoB;IACvE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,IAAA,uBAAa,GAAE,CAAC;QAErC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,IAAI,GAAG,IAAA,qBAAY,GAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,GAAG,IAAA,kBAAS,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAErC,MAAM,IAAI,GAAc;YACtB,OAAO,EAAE,sBAAa;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACvC,SAAS,EAAE,oBAAW;SACvB,CAAC;QAEF,IAAI,CAAC,KAAK,GAAG;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,EAAE;YACX,IAAI;SACL,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,OAAO;QAEhC,IAAI,CAAC,OAAO,GAAG,MAAM,IAAA,uBAAa,GAAE,CAAC;QACrC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,8DAA8D;QAC9D,IAAI,SAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,gDAAgD;YAChD,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAEpC,IAAI,CAAC,GAAG,GAAG,IAAA,kBAAS,EAAC,QAAQ,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;YACrD,SAAS,GAAG,IAAA,gBAAO,EAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,SAAS,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAA,wBAAe,EAAC,SAAS,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,OAAO,KAAK,sBAAa,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,CAAC,KAAK,GAAG;gBACX,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,IAAI,CAAC,OAAuB;gBACrC,IAAI,EAAE,IAAI,CAAC,IAAiB;aAC7B,CAAC;YACF,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;QACjB,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,IAAY,EAAE,IAA4B,EAAE,WAAmC,OAAO,EAAE,IAAe;QAC/G,IAAI,CAAC,eAAe,EAAE,CAAC;QAEvB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAEzE,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG;gBAClC,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;gBACpC,IAAI;gBACJ,QAAQ;gBACR,SAAS,EAAE,GAAG;gBACd,IAAI;aACL,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACtB,IAAI;gBACJ,QAAQ;gBACR,IAAI;gBACJ,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;gBACd,IAAI;aACL,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;;OAGG;IACH,GAAG,CAAC,IAAY;QACd,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY,EAAE,KAAa;QACnC,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,OAAO,IAAA,qBAAY,EAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAC/D,IAAI,GAAG,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAClC,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,WAAmB,EAAE,WAAmB;QAC3D,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE/B,MAAM,IAAI,GAAG,IAAA,qBAAY,GAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,kBAAS,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAE5C,MAAM,IAAI,GAAc;YACtB,OAAO,EAAE,sBAAa;YACtB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAK,CAAC,SAAS;YACrC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACvC,SAAS,EAAE,oBAAW;SACvB,CAAC;QAEF,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC;QACvB,IAAI,CAAC,SAAS,EAAE,CAAC;QACjB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC;QAClB,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,OAAO,GAAG,MAAM,IAAA,uBAAa,GAAE,CAAC;QACrC,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC;IACzC,CAAC;IAED,4BAA4B;IAEpB,eAAe;QACrB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAK;QACjB,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,OAAO,GAAG,IAAA,wBAAe,EAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAElD,2BAA2B;QAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAE3D,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAEO,cAAc;QACpB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACtB,CAAC;IAEO,SAAS;QACf,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;QAClB,CAAC;IACH,CAAC;CACF;AA5QD,oCA4QC;AAED,qBAAqB;AACrB,IAAI,aAAa,GAAwB,IAAI,CAAC;AAE9C,SAAgB,QAAQ,CAAC,OAAqD;IAC5E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAgB,UAAU;IACxB,IAAI,aAAa,EAAE,CAAC;QAClB,aAAa,CAAC,IAAI,EAAE,CAAC;QACrB,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;AACH,CAAC"}

package/dist/vault/storage.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Storage backend selection and abstraction
+ */
+import type { IStorageBackend } from './types';
+/**
+ * Auto-detect and select the best available storage backend
+ * Priority: macOS Keychain > Linux libsecret > Windows Cred > encrypted file
+ */
+export declare function selectBackend(forceFile?: string): Promise<IStorageBackend>;
+/**
+ * Reset backend selection (for testing)
+ */
+export declare function resetBackend(): void;
+//# sourceMappingURL=storage.d.ts.map

package/dist/vault/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/vault/storage.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAQ/C;;;GAGG;AACH,wBAAsB,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CA+BhF;AAmBD;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC"}

package/dist/vault/storage.js

@@ -0,0 +1,68 @@
+"use strict";
+/**
+ * Storage backend selection and abstraction
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.selectBackend = selectBackend;
+exports.resetBackend = resetBackend;
+const os_keychain_1 = require("./backends/os-keychain");
+const os_secret_1 = require("./backends/os-secret");
+const os_win_cred_1 = require("./backends/os-win-cred");
+const file_1 = require("./backends/file");
+let selectedBackend = null;
+/**
+ * Auto-detect and select the best available storage backend
+ * Priority: macOS Keychain > Linux libsecret > Windows Cred > encrypted file
+ */
+async function selectBackend(forceFile) {
+    if (selectedBackend)
+        return selectedBackend;
+    // Force file backend
+    if (forceFile) {
+        selectedBackend = new file_1.FileBackend(forceFile);
+        return selectedBackend;
+    }
+    // Try OS-native backends
+    const candidates = [
+        new os_keychain_1.MacOSKeychainBackend(),
+        new os_secret_1.LinuxSecretBackend(),
+        new os_win_cred_1.WindowsCredBackend(),
+    ];
+    for (const backend of candidates) {
+        try {
+            if (await backend.isAvailable()) {
+                selectedBackend = backend;
+                return backend;
+            }
+        }
+        catch {
+            // continue to next
+        }
+    }
+    // Fallback to encrypted file in user's config dir
+    const path = getDefaultVaultPath();
+    selectedBackend = new file_1.FileBackend(path);
+    return selectedBackend;
+}
+/**
+ * Get default vault file path based on OS
+ */
+function getDefaultVaultPath() {
+    const os = process.platform;
+    const home = process.env.HOME || process.env.USERPROFILE || '.';
+    switch (os) {
+        case 'darwin':
+            return `${home}/Library/Application Support/123456btc/vault.enc`;
+        case 'win32':
+            return `${home}/AppData/Roaming/123456btc/vault.enc`;
+        default:
+            return `${home}/.config/123456btc/vault.enc`;
+    }
+}
+/**
+ * Reset backend selection (for testing)
+ */
+function resetBackend() {
+    selectedBackend = null;
+}
+//# sourceMappingURL=storage.js.map

package/dist/vault/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/vault/storage.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAcH,sCA+BC;AAsBD,oCAEC;AAlED,wDAA8D;AAC9D,oDAA0D;AAC1D,wDAA4D;AAC5D,0CAA8C;AAE9C,IAAI,eAAe,GAA2B,IAAI,CAAC;AAEnD;;;GAGG;AACI,KAAK,UAAU,aAAa,CAAC,SAAkB;IACpD,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAE5C,qBAAqB;IACrB,IAAI,SAAS,EAAE,CAAC;QACd,eAAe,GAAG,IAAI,kBAAW,CAAC,SAAS,CAAC,CAAC;QAC7C,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,yBAAyB;IACzB,MAAM,UAAU,GAAsB;QACpC,IAAI,kCAAoB,EAAE;QAC1B,IAAI,8BAAkB,EAAE;QACxB,IAAI,gCAAkB,EAAE;KACzB,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,IAAI,MAAM,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;gBAChC,eAAe,GAAG,OAAO,CAAC;gBAC1B,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,IAAI,GAAG,mBAAmB,EAAE,CAAC;IACnC,eAAe,GAAG,IAAI,kBAAW,CAAC,IAAI,CAAC,CAAC;IACxC,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC;IAEhE,QAAQ,EAAE,EAAE,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,GAAG,IAAI,kDAAkD,CAAC;QACnE,KAAK,OAAO;YACV,OAAO,GAAG,IAAI,sCAAsC,CAAC;QACvD;YACE,OAAO,GAAG,IAAI,8BAA8B,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY;IAC1B,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC"}

package/dist/vault/types.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Vault types - Secure key storage for 123456btc CLI
+ */
+export interface VaultEntry {
+    name: string;
+    category: 'exchange' | 'llm' | 'wallet' | 'other';
+    data: Record<string, string>;
+    createdAt: string;
+    updatedAt: string;
+    tags?: string[];
+}
+export interface VaultMeta {
+    version: number;
+    createdAt: string;
+    salt: string;
+    kdfParams: KDFParams;
+}
+export interface KDFParams {
+    algorithm: 'scrypt' | 'argon2id';
+    n?: number;
+    r?: number;
+    p?: number;
+    dkLen: number;
+}
+export interface VaultState {
+    unlocked: boolean;
+    entries: VaultEntry[];
+    meta: VaultMeta | null;
+}
+export interface SecureBuffer {
+    data: Uint8Array;
+    wipe(): void;
+}
+export interface IStorageBackend {
+    readonly name: string;
+    isAvailable(): Promise<boolean>;
+    read(): Promise<Buffer | null>;
+    write(data: Buffer): Promise<void>;
+    delete(): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/vault/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;IAClD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,QAAQ,GAAG,UAAU,CAAC;IACjC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,IAAI,IAAI,CAAC;CACd;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB"}

package/dist/vault/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * Vault types - Secure key storage for 123456btc CLI
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/vault/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":";AAAA;;GAEG"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@123456btc/123456btc-cli",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "123456btc CLI - Strategy dispatch & gas settlement for AI agents",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -45,7 +45,9 @@
     "envalid": "^8.0.0",
     "figlet": "^1.7.0",
     "inquirer": "^10.0.0",
+    "qrcode-terminal": "^0.12.0",
     "semver": "^7.6.0",
+    "tar": "^6.2.0",
     "zod": "^3.23.0"
   },
   "devDependencies": {