@cogcoin/client 0.5.15 → 1.0.1

package/dist/wallet/root-resolution.d.ts

@@ -1,9 +1,7 @@
 import type { WalletRuntimePaths } from "./runtime.js";
-import { loadWalletExplicitLock } from "./state/explicit-lock.js";
 import type { WalletSecretProvider } from "./state/provider.js";
-import { loadUnlockSession } from "./state/session.js";
 import { type RawWalletStateEnvelope } from "./state/storage.js";
-export type WalletRootResolutionSource = "wallet-state" | "unlock-session" | "explicit-lock" | "default-uninitialized";
+export type WalletRootResolutionSource = "wallet-state" | "default-uninitialized";
 export interface WalletRootResolution {
     walletRootId: string;
     source: WalletRootResolutionSource;
@@ -15,6 +13,4 @@ export declare function resolveWalletRootIdFromLocalArtifacts(options: {
         primaryPath: string;
         backupPath: string;
     }) => Promise<RawWalletStateEnvelope | null>;
-    loadUnlockSession?: typeof loadUnlockSession;
-    loadWalletExplicitLock?: typeof loadWalletExplicitLock;
 }): Promise<WalletRootResolution>;

package/dist/wallet/root-resolution.js

@@ -1,6 +1,4 @@
 import { UNINITIALIZED_WALLET_ROOT_ID } from "../bitcoind/service-paths.js";
-import { loadWalletExplicitLock } from "./state/explicit-lock.js";
-import { loadUnlockSession } from "./state/session.js";
 import { extractWalletRootIdHintFromWalletStateEnvelope, loadRawWalletStateEnvelope, } from "./state/storage.js";
 export async function resolveWalletRootIdFromLocalArtifacts(options) {
     const rawEnvelope = await (options.loadRawWalletStateEnvelope ?? loadRawWalletStateEnvelope)({
@@ -14,22 +12,6 @@ export async function resolveWalletRootIdFromLocalArtifacts(options) {
             source: "wallet-state",
         };
     }
-    const session = await (options.loadUnlockSession ?? loadUnlockSession)(options.paths.walletUnlockSessionPath, {
-        provider: options.provider,
-    }).catch(() => null);
-    if (session !== null) {
-        return {
-            walletRootId: session.walletRootId,
-            source: "unlock-session",
-        };
-    }
-    const explicitLock = await (options.loadWalletExplicitLock ?? loadWalletExplicitLock)(options.paths.walletExplicitLockPath).catch(() => null);
-    if (explicitLock?.walletRootId) {
-        return {
-            walletRootId: explicitLock.walletRootId,
-            source: "explicit-lock",
-        };
-    }
     return {
         walletRootId: UNINITIALIZED_WALLET_ROOT_ID,
         source: "default-uninitialized",

package/dist/wallet/runtime.d.ts

@@ -9,7 +9,6 @@ export interface WalletRuntimePaths {
     clientConfigPath: string;
     runtimeRoot: string;
     walletRuntimeRoot: string;
-    hooksRoot: string;
     stateRoot: string;
     walletStateRoot: string;
     seedRegistryPath: string;
@@ -22,16 +21,11 @@ export interface WalletRuntimePaths {
     walletStateBackupPath: string;
     walletInitPendingPath: string;
     walletInitPendingBackupPath: string;
-    walletUnlockSessionPath: string;
-    walletExplicitLockPath: string;
     walletControlLockPath: string;
     bitcoindLockPath: string;
     bitcoindStatusPath: string;
     indexerDaemonLockPath: string;
     indexerStatusPath: string;
-    hooksMiningDir: string;
-    hooksMiningEntrypointPath: string;
-    hooksMiningPackageJsonPath: string;
     miningRoot: string;
     miningStatusPath: string;
     miningEventsPath: string;

package/dist/wallet/runtime.js

@@ -28,8 +28,6 @@ export function deriveWalletRuntimePathsForSeed(basePaths, seedName) {
         walletStateBackupPath: join(seedLayout.walletStateRoot, "wallet-state.enc.bak"),
         walletInitPendingPath: join(seedLayout.walletStateRoot, "wallet-init-pending.enc"),
         walletInitPendingBackupPath: join(seedLayout.walletStateRoot, "wallet-init-pending.enc.bak"),
-        walletUnlockSessionPath: join(seedLayout.walletRuntimeRoot, "wallet-unlock-session.enc"),
-        walletExplicitLockPath: join(seedLayout.walletRuntimeRoot, "wallet-explicit-lock.json"),
         miningRoot: join(seedLayout.walletRuntimeRoot, "mining"),
         miningStatusPath: join(seedLayout.walletRuntimeRoot, "mining", "status.json"),
         miningEventsPath: join(seedLayout.walletRuntimeRoot, "mining", "events.jsonl"),
@@ -43,7 +41,6 @@ export function resolveWalletRuntimePathsForTesting(resolution = {}) {
         clientConfigPath: paths.clientConfigPath,
         runtimeRoot: paths.runtimeRoot,
         walletRuntimeRoot: paths.runtimeRoot,
-        hooksRoot: paths.hooksRoot,
         stateRoot: paths.stateRoot,
         walletStateRoot: paths.stateRoot,
         seedRegistryPath: join(paths.stateRoot, "seed-index.json"),
@@ -56,16 +53,11 @@ export function resolveWalletRuntimePathsForTesting(resolution = {}) {
         walletStateBackupPath: join(paths.stateRoot, "wallet-state.enc.bak"),
         walletInitPendingPath: join(paths.stateRoot, "wallet-init-pending.enc"),
         walletInitPendingBackupPath: join(paths.stateRoot, "wallet-init-pending.enc.bak"),
-        walletUnlockSessionPath: join(paths.runtimeRoot, "wallet-unlock-session.enc"),
-        walletExplicitLockPath: join(paths.runtimeRoot, "wallet-explicit-lock.json"),
         walletControlLockPath: paths.walletControlLockPath,
         bitcoindLockPath: paths.bitcoindLockPath,
         bitcoindStatusPath: paths.bitcoindStatusPath,
         indexerDaemonLockPath: paths.indexerDaemonLockPath,
         indexerStatusPath: paths.indexerStatusPath,
-        hooksMiningDir: paths.hooksMiningDir,
-        hooksMiningEntrypointPath: paths.hooksMiningEntrypointPath,
-        hooksMiningPackageJsonPath: paths.hooksMiningPackageJsonPath,
         miningRoot: join(paths.runtimeRoot, "mining"),
         miningStatusPath: join(paths.runtimeRoot, "mining", "status.json"),
         miningEventsPath: join(paths.runtimeRoot, "mining", "events.jsonl"),

package/dist/wallet/state/client-password-agent.js

@@ -0,0 +1,208 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import net from "node:net";
+import { rm } from "node:fs/promises";
+function zeroizeBuffer(buffer) {
+    if (buffer != null) {
+        buffer.fill(0);
+    }
+}
+function createAgentError(message) {
+    return JSON.stringify({
+        ok: false,
+        error: message,
+    });
+}
+async function readBootstrapConfig() {
+    const endpoint = process.argv[2] ?? "";
+    const unlockUntilUnixMs = Number(process.argv[3] ?? "");
+    if (endpoint.length === 0 || !Number.isFinite(unlockUntilUnixMs)) {
+        throw new Error("wallet_client_password_agent_bootstrap_invalid");
+    }
+    const raw = await new Promise((resolve, reject) => {
+        let received = "";
+        const onData = (chunk) => {
+            received += chunk.toString("utf8");
+            const newlineIndex = received.indexOf("\n");
+            if (newlineIndex !== -1) {
+                cleanup();
+                resolve(received.slice(0, newlineIndex));
+            }
+        };
+        const onEnd = () => {
+            cleanup();
+            reject(new Error("wallet_client_password_agent_bootstrap_missing"));
+        };
+        const onError = (error) => {
+            cleanup();
+            reject(error);
+        };
+        const cleanup = () => {
+            process.stdin.off("data", onData);
+            process.stdin.off("end", onEnd);
+            process.stdin.off("error", onError);
+        };
+        process.stdin.on("data", onData);
+        process.stdin.on("end", onEnd);
+        process.stdin.on("error", onError);
+    });
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.derivedKeyBase64 !== "string") {
+        throw new Error("wallet_client_password_agent_bootstrap_invalid");
+    }
+    return {
+        endpoint,
+        unlockUntilUnixMs,
+        derivedKey: Buffer.from(parsed.derivedKeyBase64, "base64"),
+    };
+}
+async function main() {
+    const bootstrap = await readBootstrapConfig();
+    let key = bootstrap.derivedKey;
+    let unlockUntilUnixMs = bootstrap.unlockUntilUnixMs;
+    let expiryTimer = null;
+    const cleanupAndExit = async () => {
+        if (expiryTimer !== null) {
+            clearTimeout(expiryTimer);
+            expiryTimer = null;
+        }
+        zeroizeBuffer(key);
+        key = Buffer.alloc(0);
+        if (!bootstrap.endpoint.startsWith("\\\\.\\")) {
+            await rm(bootstrap.endpoint, { force: true }).catch(() => undefined);
+        }
+        process.exit(0);
+    };
+    const refreshExpiry = () => {
+        if (expiryTimer !== null) {
+            clearTimeout(expiryTimer);
+        }
+        const remainingMs = Math.max(0, unlockUntilUnixMs - Date.now());
+        expiryTimer = setTimeout(() => {
+            void cleanupAndExit();
+        }, remainingMs);
+        expiryTimer.unref();
+    };
+    const encryptSecret = (secretBase64) => {
+        const nonce = randomBytes(12);
+        const cipher = createCipheriv("aes-256-gcm", key, nonce);
+        const ciphertext = Buffer.concat([
+            cipher.update(Buffer.from(secretBase64, "base64")),
+            cipher.final(),
+        ]);
+        const tag = cipher.getAuthTag();
+        return {
+            nonce: nonce.toString("base64"),
+            tag: tag.toString("base64"),
+            ciphertext: ciphertext.toString("base64"),
+        };
+    };
+    const decryptSecret = (options) => {
+        const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(options.nonce, "base64"));
+        decipher.setAuthTag(Buffer.from(options.tag, "base64"));
+        return Buffer.concat([
+            decipher.update(Buffer.from(options.ciphertext, "base64")),
+            decipher.final(),
+        ]).toString("base64");
+    };
+    const server = net.createServer((socket) => {
+        let received = "";
+        const send = (payload) => {
+            socket.end(`${JSON.stringify(payload)}\n`);
+        };
+        socket.on("data", (chunk) => {
+            received += chunk.toString("utf8");
+            const newlineIndex = received.indexOf("\n");
+            if (newlineIndex === -1) {
+                return;
+            }
+            let parsed;
+            try {
+                parsed = JSON.parse(received.slice(0, newlineIndex));
+            }
+            catch {
+                send({ ok: false, error: "wallet_client_password_agent_protocol_error" });
+                return;
+            }
+            try {
+                switch (parsed.command) {
+                    case "status":
+                        send({ ok: true, unlockUntilUnixMs });
+                        return;
+                    case "lock":
+                        send({ ok: true, unlockUntilUnixMs: null });
+                        setImmediate(() => {
+                            void cleanupAndExit();
+                        });
+                        return;
+                    case "refresh":
+                        if (!Number.isFinite(parsed.unlockUntilUnixMs)) {
+                            send({ ok: false, error: "wallet_client_password_agent_protocol_error" });
+                            return;
+                        }
+                        unlockUntilUnixMs = Number(parsed.unlockUntilUnixMs);
+                        refreshExpiry();
+                        send({ ok: true, unlockUntilUnixMs });
+                        return;
+                    case "encrypt":
+                        if (typeof parsed.secretBase64 !== "string") {
+                            send({ ok: false, error: "wallet_client_password_agent_protocol_error" });
+                            return;
+                        }
+                        send({
+                            ok: true,
+                            unlockUntilUnixMs,
+                            envelope: encryptSecret(parsed.secretBase64),
+                        });
+                        return;
+                    case "decrypt":
+                        if (typeof parsed.envelope?.nonce !== "string"
+                            || typeof parsed.envelope?.tag !== "string"
+                            || typeof parsed.envelope?.ciphertext !== "string") {
+                            send({ ok: false, error: "wallet_client_password_agent_protocol_error" });
+                            return;
+                        }
+                        send({
+                            ok: true,
+                            unlockUntilUnixMs,
+                            secretBase64: decryptSecret({
+                                nonce: parsed.envelope.nonce,
+                                tag: parsed.envelope.tag,
+                                ciphertext: parsed.envelope.ciphertext,
+                            }),
+                        });
+                        return;
+                    default:
+                        send({ ok: false, error: "wallet_client_password_agent_protocol_error" });
+                }
+            }
+            catch (error) {
+                send({
+                    ok: false,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        });
+    });
+    process.on("SIGTERM", () => {
+        void cleanupAndExit();
+    });
+    process.on("SIGINT", () => {
+        void cleanupAndExit();
+    });
+    process.on("exit", () => {
+        zeroizeBuffer(key);
+    });
+    refreshExpiry();
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(bootstrap.endpoint, () => {
+            server.off("error", reject);
+            resolve();
+        });
+    });
+    process.stdout.write("ready\n");
+}
+void main().catch((error) => {
+    process.stderr.write(`${createAgentError(error instanceof Error ? error.message : String(error))}\n`);
+    process.exit(1);
+});

package/dist/wallet/state/client-password.d.ts

@@ -0,0 +1,65 @@
+export declare const CLIENT_PASSWORD_SETUP_AUTO_UNLOCK_SECONDS = 86400;
+export type ClientPasswordReadiness = "ready" | "setup-required" | "migration-required";
+export type ClientPasswordSetupAction = "created" | "migrated" | "already-configured";
+export interface ClientPasswordPrompt {
+    readonly isInteractive: boolean;
+    writeLine(message: string): void;
+    prompt(message: string): Promise<string>;
+    promptHidden?(message: string): Promise<string>;
+}
+export interface ClientPasswordSessionStatus {
+    unlocked: boolean;
+    unlockUntilUnixMs: number | null;
+}
+export interface ClientPasswordStorageOptions {
+    platform: NodeJS.Platform;
+    stateRoot: string;
+    runtimeRoot: string;
+    directoryPath: string;
+    runtimeErrorCode: string;
+    legacyMacKeychainReader?: {
+        loadSecret(keyId: string): Promise<Uint8Array>;
+    } | null;
+}
+export declare function resolveLocalSecretFilePath(directoryPath: string, keyId: string): string;
+export declare function inspectClientPasswordReadiness(options: ClientPasswordStorageOptions): Promise<ClientPasswordReadiness>;
+export declare function readClientPasswordSessionStatus(options: ClientPasswordStorageOptions): Promise<ClientPasswordSessionStatus>;
+export declare function lockClientPasswordSession(options: ClientPasswordStorageOptions): Promise<ClientPasswordSessionStatus>;
+export declare function ensureClientPasswordConfigured(options: ClientPasswordStorageOptions & {
+    prompt: ClientPasswordPrompt;
+}): Promise<{
+    action: ClientPasswordSetupAction;
+    session: ClientPasswordSessionStatus;
+}>;
+export declare function loadClientProtectedSecret(options: ClientPasswordStorageOptions & {
+    keyId: string;
+    prompt?: ClientPasswordPrompt;
+}): Promise<Uint8Array>;
+export declare function storeClientProtectedSecret(options: ClientPasswordStorageOptions & {
+    keyId: string;
+    secret: Uint8Array;
+    prompt?: ClientPasswordPrompt;
+}): Promise<void>;
+export declare function deleteClientProtectedSecret(options: ClientPasswordStorageOptions & {
+    keyId: string;
+}): Promise<void>;
+export declare function unlockClientPasswordSession(options: ClientPasswordStorageOptions & {
+    prompt: ClientPasswordPrompt;
+}): Promise<ClientPasswordSessionStatus>;
+export declare function changeClientPassword(options: ClientPasswordStorageOptions & {
+    prompt: ClientPasswordPrompt;
+}): Promise<ClientPasswordSessionStatus>;
+export declare function createLegacyKeychainServiceName(): string;
+export declare function createAgentBootstrapState(options: {
+    unlockUntilUnixMs: number;
+    derivedKeyBase64: string;
+}): {
+    unlockUntilUnixMs: number;
+    derivedKeyBase64: string;
+};
+export declare function describeClientPasswordLockedMessage(): string;
+export declare function describeClientPasswordSetupMessage(): string;
+export declare function describeClientPasswordMigrationMessage(): string;
+export declare function listLocalSecretFilesForTesting(options: {
+    directoryPath: string;
+}): Promise<string[]>;