@123456btc/123456btc-cli 1.0.1 → 1.0.2

package/dist/vault/backends/os-secret.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * Linux libsecret storage backend
+ * Uses `secret-tool` command-line utility (package: libsecret-tools)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LinuxSecretBackend = void 0;
+const child_process_1 = require("child_process");
+const COLLECTION = '123456btc-cli';
+const LABEL = '123456btc Vault';
+class LinuxSecretBackend {
+    name = 'Linux libsecret';
+    async isAvailable() {
+        if (process.platform !== 'linux')
+            return false;
+        try {
+            (0, child_process_1.execSync)('which secret-tool', { stdio: 'ignore' });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async read() {
+        try {
+            const result = (0, child_process_1.execSync)(`secret-tool lookup collection "${COLLECTION}" label "${LABEL}"`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+            return Buffer.from(result.trim(), 'base64');
+        }
+        catch (err) {
+            if (err.status === 1)
+                return null; // not found
+            throw err;
+        }
+    }
+    async write(data) {
+        const b64 = data.toString('base64');
+        // Clear existing
+        try {
+            (0, child_process_1.execSync)(`secret-tool clear collection "${COLLECTION}" label "${LABEL}"`, { stdio: 'ignore' });
+        }
+        catch {
+            // ignore
+        }
+        // Store new
+        (0, child_process_1.execSync)(`echo -n "${b64}" | secret-tool store --label="${LABEL}" collection "${COLLECTION}" label "${LABEL}"`, { stdio: 'ignore' });
+    }
+    async delete() {
+        try {
+            (0, child_process_1.execSync)(`secret-tool clear collection "${COLLECTION}" label "${LABEL}"`, { stdio: 'ignore' });
+        }
+        catch {
+            // ignore
+        }
+    }
+}
+exports.LinuxSecretBackend = LinuxSecretBackend;
+//# sourceMappingURL=os-secret.js.map

package/dist/vault/backends/os-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"os-secret.js","sourceRoot":"","sources":["../../../src/vault/backends/os-secret.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,iDAAyC;AAGzC,MAAM,UAAU,GAAG,eAAe,CAAC;AACnC,MAAM,KAAK,GAAG,iBAAiB,CAAC;AAEhC,MAAa,kBAAkB;IACpB,IAAI,GAAG,iBAAiB,CAAC;IAElC,KAAK,CAAC,WAAW;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QAC/C,IAAI,CAAC;YACH,IAAA,wBAAQ,EAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,kCAAkC,UAAU,YAAY,KAAK,GAAG,EAChE,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CACtD,CAAC;YACF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC,CAAC,YAAY;YAC/C,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,IAAY;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpC,iBAAiB;QACjB,IAAI,CAAC;YACH,IAAA,wBAAQ,EACN,iCAAiC,UAAU,YAAY,KAAK,GAAG,EAC/D,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,YAAY;QACZ,IAAA,wBAAQ,EACN,YAAY,GAAG,kCAAkC,KAAK,iBAAiB,UAAU,YAAY,KAAK,GAAG,EACrG,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC;YACH,IAAA,wBAAQ,EACN,iCAAiC,UAAU,YAAY,KAAK,GAAG,EAC/D,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;CACF;AAtDD,gDAsDC"}

package/dist/vault/backends/os-win-cred.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Windows Credential Manager backend
+ * Uses PowerShell [Windows.Security.Credentials.PasswordVault]
+ */
+import type { IStorageBackend } from '../types';
+export declare class WindowsCredBackend implements IStorageBackend {
+    readonly name = "Windows Credential Manager";
+    isAvailable(): Promise<boolean>;
+    read(): Promise<Buffer | null>;
+    write(data: Buffer): Promise<void>;
+    delete(): Promise<void>;
+}
+//# sourceMappingURL=os-win-cred.d.ts.map

package/dist/vault/backends/os-win-cred.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"os-win-cred.d.ts","sourceRoot":"","sources":["../../../src/vault/backends/os-win-cred.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAKhD,qBAAa,kBAAmB,YAAW,eAAe;IACxD,QAAQ,CAAC,IAAI,gCAAgC;IAEvC,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAgB/B,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAqB9B,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWlC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAW9B"}

package/dist/vault/backends/os-win-cred.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * Windows Credential Manager backend
+ * Uses PowerShell [Windows.Security.Credentials.PasswordVault]
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WindowsCredBackend = void 0;
+const child_process_1 = require("child_process");
+const RESOURCE = '123456btc-cli-vault';
+const USERNAME = 'vault';
+class WindowsCredBackend {
+    name = 'Windows Credential Manager';
+    async isAvailable() {
+        if (process.platform !== 'win32')
+            return false;
+        try {
+            (0, child_process_1.execSync)('powershell -Command "Get-Command Get-Credential"', { stdio: 'ignore' });
+            return true;
+        }
+        catch {
+            // Fallback: just check powershell exists
+            try {
+                (0, child_process_1.execSync)('powershell -Command "echo test"', { stdio: 'ignore' });
+                return true;
+            }
+            catch {
+                return false;
+            }
+        }
+    }
+    async read() {
+        try {
+            const ps = `
+        $vault = New-Object Windows.Security.Credentials.PasswordVault;
+        try {
+          $cred = $vault.Retrieve("${RESOURCE}", "${USERNAME}");
+          $cred.Password;
+        } catch {
+          exit 1;
+        }
+      `;
+            const result = (0, child_process_1.execSync)(`powershell -Command "${ps.replace(/\n/g, ' ').replace(/"/g, '\\"')}"`, {
+                encoding: 'utf8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            return Buffer.from(result.trim(), 'base64');
+        }
+        catch {
+            return null;
+        }
+    }
+    async write(data) {
+        const b64 = data.toString('base64');
+        const ps = `
+      $vault = New-Object Windows.Security.Credentials.PasswordVault;
+      try { $vault.Remove((New-Object Windows.Security.Credentials.PasswordCredential("${RESOURCE}", "${USERNAME}", ""))); } catch { }
+      $cred = New-Object Windows.Security.Credentials.PasswordCredential("${RESOURCE}", "${USERNAME}", "${b64}");
+      $vault.Add($cred);
+    `;
+        (0, child_process_1.execSync)(`powershell -Command "${ps.replace(/\n/g, ' ')}"`, { stdio: 'ignore' });
+    }
+    async delete() {
+        try {
+            const ps = `
+        $vault = New-Object Windows.Security.Credentials.PasswordVault;
+        $vault.Remove((New-Object Windows.Security.Credentials.PasswordCredential("${RESOURCE}", "${USERNAME}", "")));
+      `;
+            (0, child_process_1.execSync)(`powershell -Command "${ps.replace(/\n/g, ' ')}"`, { stdio: 'ignore' });
+        }
+        catch {
+            // ignore
+        }
+    }
+}
+exports.WindowsCredBackend = WindowsCredBackend;
+//# sourceMappingURL=os-win-cred.js.map

package/dist/vault/backends/os-win-cred.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"os-win-cred.js","sourceRoot":"","sources":["../../../src/vault/backends/os-win-cred.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,iDAAyC;AAGzC,MAAM,QAAQ,GAAG,qBAAqB,CAAC;AACvC,MAAM,QAAQ,GAAG,OAAO,CAAC;AAEzB,MAAa,kBAAkB;IACpB,IAAI,GAAG,4BAA4B,CAAC;IAE7C,KAAK,CAAC,WAAW;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QAC/C,IAAI,CAAC;YACH,IAAA,wBAAQ,EAAC,kDAAkD,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAClF,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;YACzC,IAAI,CAAC;gBACH,IAAA,wBAAQ,EAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,EAAE,GAAG;;;qCAGoB,QAAQ,OAAO,QAAQ;;;;;OAKrD,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,wBAAwB,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,EAAE;gBAC9F,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,IAAY;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,EAAE,GAAG;;yFAE0E,QAAQ,OAAO,QAAQ;4EACpC,QAAQ,OAAO,QAAQ,OAAO,GAAG;;KAExG,CAAC;QACF,IAAA,wBAAQ,EAAC,wBAAwB,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC;YACH,MAAM,EAAE,GAAG;;qFAEoE,QAAQ,OAAO,QAAQ;OACrG,CAAC;YACF,IAAA,wBAAQ,EAAC,wBAAwB,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnF,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;CACF;AA9DD,gDA8DC"}

package/dist/vault/crypto.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Vault cryptography - scrypt KDF + AES-256-GCM
+ *
+ * Security design:
+ * - Master password never stored
+ * - KEK (Key Encryption Key) derived via scrypt (2^17, r=8, p=1)
+ * - Data encrypted with AES-256-GCM, random IV per entry
+ * - Sensitive buffers are Uint8Array (can be zeroed after use)
+ */
+import type { SecureBuffer, KDFParams } from './types';
+declare const VAULT_VERSION = 1;
+declare const SALT_LEN = 32;
+declare const DEFAULT_KDF: KDFParams;
+export { VAULT_VERSION, DEFAULT_KDF, SALT_LEN };
+/**
+ * Derive KEK from password + salt using scrypt
+ */
+export declare function deriveKey(password: string, salt: Uint8Array, params?: KDFParams): SecureBuffer;
+/**
+ * Encrypt plaintext with AES-256-GCM
+ * Returns: iv (16) + ciphertext + authTag (16)
+ */
+export declare function encrypt(plaintext: Uint8Array, key: Uint8Array): Uint8Array;
+/**
+ * Decrypt ciphertext with AES-256-GCM
+ * Input format: iv (16) + ciphertext + authTag (16)
+ */
+export declare function decrypt(ciphertext: Uint8Array, key: Uint8Array): Uint8Array;
+/**
+ * Create a secure buffer that can be explicitly wiped from memory
+ */
+export declare function secureBuffer(data: Uint8Array | Buffer): SecureBuffer;
+/**
+ * Generate random salt
+ */
+export declare function generateSalt(): Uint8Array;
+/**
+ * Encode vault data for storage
+ */
+export declare function encodeVaultData(entries: unknown[], meta: unknown): Uint8Array;
+/**
+ * Decode vault data from storage
+ */
+export declare function decodeVaultData(data: Uint8Array): {
+    version: number;
+    meta: unknown;
+    entries: unknown[];
+};
+//# sourceMappingURL=crypto.d.ts.map

package/dist/vault/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEvD,QAAA,MAAM,aAAa,IAAI,CAAC;AACxB,QAAA,MAAM,QAAQ,KAAK,CAAC;AAOpB,QAAA,MAAM,WAAW,EAAE,SAMlB,CAAC;AAEF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;AAEhD;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,GAAE,SAAuB,GAAG,YAAY,CAgB3G;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,UAAU,CAM1E;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,UAAU,CAW3E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,YAAY,CAapE;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,UAAU,CAEzC;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAG7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,EAAE,CAAA;CAAE,CAGxG"}

package/dist/vault/crypto.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * Vault cryptography - scrypt KDF + AES-256-GCM
+ *
+ * Security design:
+ * - Master password never stored
+ * - KEK (Key Encryption Key) derived via scrypt (2^17, r=8, p=1)
+ * - Data encrypted with AES-256-GCM, random IV per entry
+ * - Sensitive buffers are Uint8Array (can be zeroed after use)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SALT_LEN = exports.DEFAULT_KDF = exports.VAULT_VERSION = void 0;
+exports.deriveKey = deriveKey;
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.secureBuffer = secureBuffer;
+exports.generateSalt = generateSalt;
+exports.encodeVaultData = encodeVaultData;
+exports.decodeVaultData = decodeVaultData;
+const crypto_1 = require("crypto");
+const VAULT_VERSION = 1;
+exports.VAULT_VERSION = VAULT_VERSION;
+const SALT_LEN = 32;
+exports.SALT_LEN = SALT_LEN;
+const IV_LEN = 16;
+const AUTH_TAG_LEN = 16;
+const KEY_LEN = 32;
+// scrypt parameters: N=2^17 (131072), r=8, p=1
+// ~100ms on modern CPU, memory ~128MB
+const DEFAULT_KDF = {
+    algorithm: 'scrypt',
+    n: 131072,
+    r: 8,
+    p: 1,
+    dkLen: KEY_LEN,
+};
+exports.DEFAULT_KDF = DEFAULT_KDF;
+/**
+ * Derive KEK from password + salt using scrypt
+ */
+function deriveKey(password, salt, params = DEFAULT_KDF) {
+    const pwdBuf = new TextEncoder().encode(password);
+    const n = params.n ?? 131072;
+    const r = params.r ?? 8;
+    const p = params.p ?? 1;
+    // maxmem = 128 * N * r * 2 (double for safety margin)
+    const maxmem = 128 * n * r * 2 + 1024 * 1024;
+    const key = (0, crypto_1.scryptSync)(pwdBuf, salt, params.dkLen, {
+        N: n,
+        r,
+        p,
+        maxmem,
+    });
+    // wipe password buffer
+    pwdBuf.fill(0);
+    return secureBuffer(key);
+}
+/**
+ * Encrypt plaintext with AES-256-GCM
+ * Returns: iv (16) + ciphertext + authTag (16)
+ */
+function encrypt(plaintext, key) {
+    const iv = (0, crypto_1.randomBytes)(IV_LEN);
+    const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([iv, ciphertext, authTag]);
+}
+/**
+ * Decrypt ciphertext with AES-256-GCM
+ * Input format: iv (16) + ciphertext + authTag (16)
+ */
+function decrypt(ciphertext, key) {
+    if (ciphertext.length < IV_LEN + AUTH_TAG_LEN) {
+        throw new Error('Ciphertext too short');
+    }
+    const iv = ciphertext.slice(0, IV_LEN);
+    const encrypted = ciphertext.slice(IV_LEN, -AUTH_TAG_LEN);
+    const authTag = ciphertext.slice(-AUTH_TAG_LEN);
+    const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', key, iv);
+    decipher.setAuthTag(authTag);
+    const plaintext = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    return plaintext;
+}
+/**
+ * Create a secure buffer that can be explicitly wiped from memory
+ */
+function secureBuffer(data) {
+    const buf = new Uint8Array(data);
+    return {
+        data: buf,
+        wipe() {
+            // random overwrite then zero
+            const tmp = new Uint8Array(buf.length);
+            const rnd = (0, crypto_1.randomBytes)(buf.length);
+            tmp.set(rnd);
+            buf.set(tmp);
+            buf.fill(0);
+        },
+    };
+}
+/**
+ * Generate random salt
+ */
+function generateSalt() {
+    return (0, crypto_1.randomBytes)(SALT_LEN);
+}
+/**
+ * Encode vault data for storage
+ */
+function encodeVaultData(entries, meta) {
+    const payload = JSON.stringify({ version: VAULT_VERSION, meta, entries });
+    return new TextEncoder().encode(payload);
+}
+/**
+ * Decode vault data from storage
+ */
+function decodeVaultData(data) {
+    const text = new TextDecoder().decode(data);
+    return JSON.parse(text);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/vault/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AA0BH,8BAgBC;AAMD,0BAMC;AAMD,0BAWC;AAKD,oCAaC;AAKD,oCAEC;AAKD,0CAGC;AAKD,0CAGC;AA9GD,mCAAmF;AAGnF,MAAM,aAAa,GAAG,CAAC,CAAC;AAgBf,sCAAa;AAftB,MAAM,QAAQ,GAAG,EAAE,CAAC;AAeiB,4BAAQ;AAd7C,MAAM,MAAM,GAAG,EAAE,CAAC;AAClB,MAAM,YAAY,GAAG,EAAE,CAAC;AACxB,MAAM,OAAO,GAAG,EAAE,CAAC;AAEnB,+CAA+C;AAC/C,sCAAsC;AACtC,MAAM,WAAW,GAAc;IAC7B,SAAS,EAAE,QAAQ;IACnB,CAAC,EAAE,MAAM;IACT,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,CAAC;IACJ,KAAK,EAAE,OAAO;CACf,CAAC;AAEsB,kCAAW;AAEnC;;GAEG;AACH,SAAgB,SAAS,CAAC,QAAgB,EAAE,IAAgB,EAAE,SAAoB,WAAW;IAC3F,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC;IAC7B,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IACxB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IACxB,sDAAsD;IACtD,MAAM,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAA,mBAAU,EAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,EAAE;QACjD,CAAC,EAAE,CAAC;QACJ,CAAC;QACD,CAAC;QACD,MAAM;KACP,CAAC,CAAC;IACH,uBAAuB;IACvB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACf,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,OAAO,CAAC,SAAqB,EAAE,GAAe;IAC5D,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,MAAM,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAgB,OAAO,CAAC,UAAsB,EAAE,GAAe;IAC7D,IAAI,UAAU,CAAC,MAAM,GAAG,MAAM,GAAG,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,IAAyB;IACpD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,OAAO;QACL,IAAI,EAAE,GAAG;QACT,IAAI;YACF,6BAA6B;YAC7B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,GAAG,GAAG,IAAA,oBAAW,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACpC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACb,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY;IAC1B,OAAO,IAAA,oBAAW,EAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,OAAkB,EAAE,IAAa;IAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC1E,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,IAAgB;IAC9C,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/vault/index.d.ts

@@ -0,0 +1,88 @@
+/**
+ * VaultManager - Secure key vault for 123456btc CLI
+ *
+ * Manages encrypted storage of:
+ * - Exchange API keys (Binance, OKX, Bybit, etc.)
+ * - LLM provider keys (OpenAI, Anthropic, etc.)
+ * - Wallet private keys (Solana, etc.)
+ *
+ * Security model:
+ * - Master password → scrypt KDF → KEK
+ * - KEK encrypts all vault data (AES-256-GCM)
+ * - Plaintext keys only exist in memory during active use
+ * - Memory buffers are explicitly wiped after use
+ */
+import type { VaultEntry, SecureBuffer } from './types';
+export declare class VaultManager {
+    private state;
+    private kek;
+    private backend;
+    private autoLockTimer;
+    private readonly autoLockMs;
+    constructor(options?: {
+        autoLockMs?: number;
+        forceFile?: string;
+    });
+    /**
+     * Initialize vault with a master password
+     * Creates new vault if not exists
+     */
+    init(password: string): Promise<void>;
+    /**
+     * Unlock vault with master password
+     */
+    unlock(password: string): Promise<void>;
+    /**
+     * Lock vault, wipe KEK from memory
+     */
+    lock(): void;
+    /**
+     * Check if vault is unlocked
+     */
+    isUnlocked(): boolean;
+    /**
+     * Set a vault entry (create or update)
+     */
+    set(name: string, data: Record<string, string>, category?: VaultEntry['category'], tags?: string[]): Promise<void>;
+    /**
+     * Get a vault entry by name
+     * Returns decrypted data as SecureBuffer-compatible plain object
+     */
+    get(name: string): VaultEntry | undefined;
+    /**
+     * Get sensitive value as SecureBuffer (must call .wipe() after use!)
+     */
+    getSecure(name: string, field: string): SecureBuffer | undefined;
+    /**
+     * List all vault entries (sensitive values masked)
+     */
+    list(): Array<Pick<VaultEntry, 'name' | 'category' | 'createdAt' | 'updatedAt' | 'tags'> & {
+        fields: string[];
+    }>;
+    /**
+     * Remove an entry by name
+     */
+    remove(name: string): Promise<boolean>;
+    /**
+     * Change master password
+     */
+    changePassword(oldPassword: string, newPassword: string): Promise<void>;
+    /**
+     * Destroy vault (delete all data)
+     */
+    destroy(): Promise<void>;
+    /**
+     * Get storage backend name
+     */
+    getBackendName(): string;
+    private _ensureUnlocked;
+    private _save;
+    private _startAutoLock;
+    private _clearKek;
+}
+export declare function getVault(options?: {
+    autoLockMs?: number;
+    forceFile?: string;
+}): VaultManager;
+export declare function resetVault(): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAA0C,YAAY,EAAE,MAAM,SAAS,CAAC;AAchG,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAIX;IAEF,OAAO,CAAC,GAAG,CAA6B;IACxC,OAAO,CAAC,OAAO,CAAgC;IAC/C,OAAO,CAAC,aAAa,CAA+B;IACpD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,GAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO;IAIrE;;;OAGG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4B3C;;OAEG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwC7C;;OAEG;IACH,IAAI,IAAI,IAAI;IAWZ;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAE,UAAU,CAAC,UAAU,CAAW,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BjI;;;OAGG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAKzC;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAShE;;OAEG;IACH,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,MAAM,CAAC,GAAG;QAAE,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAYhH;;OAEG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAS5C;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmB7E;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAM9B;;OAEG;IACH,cAAc,IAAI,MAAM;IAMxB,OAAO,CAAC,eAAe;YAMT,KAAK;IAenB,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,SAAS;CAMlB;AAKD,wBAAgB,QAAQ,CAAC,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,YAAY,CAK5F;AAED,wBAAgB,UAAU,IAAI,IAAI,CAKjC"}