@onekeyfe/hardware-cli 1.1.26-alpha.106 → 1.1.26-alpha.4

package/src/storage/secure-storage.macos.ts

@@ -0,0 +1,68 @@
+import { defaultProcessRunner } from './process-utils';
+
+import type { IProcessRunner, ISecureStorage, SecureStorageBackend } from './types';
+
+const SERVICE_NAME = 'onekey-hw-cli';
+
+export class MacOSSecureStorage implements ISecureStorage {
+  private readonly runner: IProcessRunner;
+
+  constructor(runner: IProcessRunner = defaultProcessRunner) {
+    this.runner = runner;
+  }
+
+  getBackendType(): SecureStorageBackend {
+    return 'macos-keychain';
+  }
+
+  async set(key: string, value: Buffer): Promise<void> {
+    const hex = value.toString('hex');
+    // Use `security -i` (interactive/batch mode): the tool parses commands
+    // from stdin internally instead of re-spawning a sub-process per command,
+    // so the password argument never appears in /proc or `ps aux` output.
+    //
+    // Keys are of the form `onekey-hw:<deviceId>/<slot>` and hex values only
+    // contain 0-9a-f, so neither contains shell metacharacters that would
+    // break the simple quoting security's parser expects.
+    const cmd = `add-generic-password -s "${SERVICE_NAME}" -a "${key}" -w "${hex}" -U`;
+    await this.runner.spawnWithStdin('security', ['-i'], cmd);
+  }
+
+  async get(key: string): Promise<Buffer | null> {
+    try {
+      const { stdout } = await this.runner.execFileAsync('security', [
+        'find-generic-password',
+        '-s',
+        SERVICE_NAME,
+        '-a',
+        key,
+        '-w',
+      ]);
+      const hex = stdout.trim();
+      return hex ? Buffer.from(hex, 'hex') : null;
+    } catch (error) {
+      if (this.isItemNotFound(error)) return null;
+      throw error;
+    }
+  }
+
+  async delete(key: string): Promise<void> {
+    try {
+      await this.runner.execFileAsync('security', [
+        'delete-generic-password',
+        '-s',
+        SERVICE_NAME,
+        '-a',
+        key,
+      ]);
+    } catch (error) {
+      if (this.isItemNotFound(error)) return;
+      throw error;
+    }
+  }
+
+  private isItemNotFound(error: unknown): boolean {
+    const err = error as Error & { code?: number; stderr?: string };
+    return err.code === 44 || err.stderr?.includes('could not be found') === true;
+  }
+}

package/src/storage/storage-factory.ts

@@ -0,0 +1,13 @@
+import { LinuxSecureStorage } from './secure-storage.linux';
+import { MacOSSecureStorage } from './secure-storage.macos';
+
+import type { ISecureStorage } from './types';
+
+export function createSecureStorage(platform: NodeJS.Platform = process.platform): ISecureStorage {
+  if (platform === 'darwin') return new MacOSSecureStorage();
+  if (platform === 'linux') return new LinuxSecureStorage();
+  throw new Error(
+    `Secure storage is not supported on platform "${platform}". ` +
+      'Use macOS Keychain or Linux Secret Service.'
+  );
+}

package/src/storage/types.ts

@@ -0,0 +1,17 @@
+export type SecureStorageBackend = 'macos-keychain' | 'linux-secret-service';
+
+export interface ISecureStorage {
+  getBackendType(): SecureStorageBackend;
+  get(key: string): Promise<Buffer | null>;
+  set(key: string, value: Buffer): Promise<void>;
+  delete(key: string): Promise<void>;
+}
+
+export interface IProcessRunner {
+  execFileAsync(cmd: string, args: string[]): Promise<{ stdout: string; stderr: string }>;
+  spawnWithStdin(
+    cmd: string,
+    args: string[],
+    input: string
+  ): Promise<{ stdout: string; stderr: string }>;
+}

package/tsconfig.json

@@ -3,16 +3,14 @@
     "target": "ES2020",
     "module": "commonjs",
     "lib": ["ES2020"],
-    "declaration": true,
+    "outDir": "dist",
+    "rootDir": "src",
     "strict": true,
-    "noImplicitAny": false,
     "esModuleInterop": true,
     "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true,
     "resolveJsonModule": true,
-    "outDir": "./dist",
-    "rootDir": "./src"
+    "declaration": true
   },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules", "dist", "evals"]
+  "include": ["src"],
+  "exclude": ["node_modules", "dist"]
 }

package/.claude-plugin/plugin.json

@@ -1,14 +0,0 @@
-{
-  "name": "onekey-hardware",
-  "description": "OneKey hardware wallet CLI skills for Claude Code — device management, multi-chain signing, firmware updates",
-  "version": "1.1.25-alpha.1",
-  "author": {
-    "name": "OneKey",
-    "email": "dev@onekey.so"
-  },
-  "homepage": "https://onekey.so",
-  "repository": "https://github.com/OneKeyHQ/hardware-js-sdk",
-  "license": "Apache-2.0",
-  "keywords": ["hardware-wallet", "signing", "bitcoin", "ethereum", "onekey", "security"],
-  "skills": "./skills/"
-}

package/AGENTS.md

@@ -1,40 +0,0 @@
-# OneKey Hardware Wallet — CLI Agent Skills
-
-When working with the `onekey-hw` CLI, read the skill files before running commands.
-Do NOT guess parameters or explore via `--help` — the skills document exact
-command signatures, workflows, and security rules.
-
-## Skills
-
-| Skill | Path | Use When |
-|---|---|---|
-| **Device** | `skills/device/SKILL.md` | Search devices (with features), lock, verify, wipe |
-| **Signing** | `skills/signing/SKILL.md` | Get addresses, sign transactions/messages (27 chains) |
-| **Firmware** | `skills/firmware/SKILL.md` | Check firmware versions (updates via OneKey App only) |
-| **Security** | `skills/security/SKILL.md` | PIN, passphrase, device settings, factory reset |
-
-## Quick Start
-
-```bash
-# Install globally
-npm install -g @onekeyfe/hardware-cli
-
-# Search for connected devices (auto-fetches device info)
-onekey-hw search
-
-# Get an Ethereum address
-onekey-hw get-address --chain evm --use-empty-passphrase
-
-# Sign a message
-onekey-hw sign-message --chain evm --message "hello" --use-empty-passphrase
-```
-
-## Important
-
-- All signing operations require **physical confirmation** on the hardware device
-- Commands block while waiting for device interaction (PIN, button press)
-- All output is structured JSON
-- Uses direct USB (libusb) — no external daemon needed
-
-Each skill file includes pre-flight checks, security rules, and parameter
-conventions. Read the relevant skill for your task.

package/CLAUDE.md

@@ -1,40 +0,0 @@
-# OneKey Hardware Wallet — CLI Agent Skills
-
-When working with the `onekey-hw` CLI, read the skill files before running commands.
-Do NOT guess parameters or explore via `--help` — the skills document exact
-command signatures, workflows, and security rules.
-
-## Skills
-
-| Skill | Path | Use When |
-|---|---|---|
-| **Device** | `skills/device/SKILL.md` | Search devices (with features), lock, verify, wipe |
-| **Signing** | `skills/signing/SKILL.md` | Get addresses, sign transactions/messages (27 chains) |
-| **Firmware** | `skills/firmware/SKILL.md` | Check firmware versions (updates via OneKey App only) |
-| **Security** | `skills/security/SKILL.md` | PIN, passphrase, device settings, factory reset |
-
-## Quick Start
-
-```bash
-# Install globally
-npm install -g @onekeyfe/hardware-cli
-
-# Search for connected devices (auto-fetches device info)
-onekey-hw search
-
-# Get an Ethereum address
-onekey-hw get-address --chain evm --use-empty-passphrase
-
-# Sign a message
-onekey-hw sign-message --chain evm --message "hello" --use-empty-passphrase
-```
-
-## Important
-
-- All signing operations require **physical confirmation** on the hardware device
-- Commands block while waiting for device interaction (PIN, button press)
-- All output is structured JSON
-- Uses direct USB (libusb) — no external daemon needed
-
-Each skill file includes pre-flight checks, security rules, and parameter
-conventions. Read the relevant skill for your task.

package/README.md

@@ -1,112 +0,0 @@
-# @onekeyfe/hardware-cli
-
-OneKey hardware wallet CLI for AI agent integration. Enables Claude Code and other AI agents to interact with OneKey hardware wallets — search devices, get addresses, sign transactions, manage firmware and security.
-
-## Install
-
-### Claude Code
-
-```bash
-claude plugin marketplace add OneKeyHQ/hardware-js-sdk --sparse .claude-plugin packages/hd-cli
-claude plugin install onekey-hardware@onekey-hardware-plugins
-```
-
-The CLI is installed automatically on first use via the skill's pre-flight check.
-
-### Other AI Tools (Codex, Gemini, Cursor)
-
-```bash
-npm install -g @onekeyfe/hardware-cli
-```
-
-### Development / Testing
-
-```bash
-claude --plugin-dir /path/to/hardware-js-sdk/packages/hd-cli
-```
-
-## Commands
-
-### Device
-
-| Command | Description | Needs PIN? |
-|---------|-------------|:----------:|
-| `onekey-hw search` | Search devices + auto-fetch features | No |
-| `onekey-hw lock` | Lock the device | No |
-| `onekey-hw device-verify` | Verify device is genuine | Yes |
-| `onekey-hw device-settings` | Update label, language, etc. | Yes |
-| `onekey-hw device-wipe` | Factory reset (IRREVERSIBLE) | Yes |
-
-### Address & Signing
-
-| Command | Description | Needs PIN? |
-|---------|-------------|:----------:|
-| `onekey-hw get-address --chain <chain>` | Get address (27 chains) | Yes |
-| `onekey-hw get-public-key --chain <chain>` | Get public key | Yes |
-| `onekey-hw batch-get-address --bundle <json>` | Multi-chain batch | Yes |
-| `onekey-hw sign-transaction --chain <chain> --tx <json>` | Sign transaction | Yes |
-| `onekey-hw sign-message --chain <chain> --message <msg>` | Sign message | Yes |
-| `onekey-hw sign-typed-data --data <json>` | Sign EIP-712 (EVM) | Yes |
-| `onekey-hw sign-psbt --psbt <hex>` | Sign Bitcoin PSBT | Yes |
-| `onekey-hw verify-message --chain <chain> ...` | Verify signed message | Yes |
-
-### Chain-Specific
-
-| Command | Description |
-|---------|-------------|
-| `onekey-hw evm-sign-eip712` | EIP-712 by hash |
-| `onekey-hw sol-sign-offchain` | Solana off-chain message |
-| `onekey-hw nostr-encrypt` | Nostr NIP-04 encrypt |
-| `onekey-hw nostr-decrypt` | Nostr NIP-04 decrypt |
-| `onekey-hw nostr-sign-schnorr` | Nostr Schnorr signature |
-| `onekey-hw lnurl-auth` | Lightning LNURL auth |
-| `onekey-hw conflux-sign-cip23` | Conflux CIP-23 message |
-| `onekey-hw aptos-sign-in` | Aptos sign-in |
-| `onekey-hw ton-sign-proof` | TON Connect proof |
-
-### Firmware (Read-Only)
-
-| Command | Description |
-|---------|-------------|
-| `onekey-hw firmware-check` | Check firmware updates |
-| `onekey-hw firmware-check-all` | Check all components |
-| `onekey-hw bootloader-check` | Check bootloader |
-
-Firmware updates must be done via the [OneKey App](https://onekey.so/download) or [firmware.onekey.so](https://firmware.onekey.so/).
-
-### Security
-
-| Command | Description |
-|---------|-------------|
-| `onekey-hw change-pin` | Change/set PIN |
-| `onekey-hw passphrase-state` | Get passphrase state |
-| `onekey-hw toggle-passphrase --enable <bool>` | Enable/disable passphrase |
-
-## Supported Chains
-
-| Chain | `--chain` | Address | Sign TX | Sign Message |
-|-------|-----------|:-------:|:-------:|:------------:|
-| Ethereum / EVM | `evm` | ✅ | ✅ | ✅ |
-| Bitcoin | `btc` | ✅ | ✅ | ✅ |
-| Solana | `sol` | ✅ | ✅ | ✅ |
-| Cosmos | `cosmos` | ✅ | ✅ | — |
-| Cardano | `cardano` | ✅ | ✅ | ✅ |
-| Polkadot | `polkadot` | ✅ | ✅ | — |
-| Tron | `tron` | ✅ | ✅ | ✅ |
-| Aptos | `aptos` | ✅ | ✅ | ✅ |
-| Sui | `sui` | ✅ | ✅ | ✅ |
-| Near | `near` | ✅ | ✅ | — |
-| XRP | `xrp` | ✅ | ✅ | — |
-| Stellar | `stellar` | ✅ | ✅ | — |
-| TON | `ton` | ✅ | — | ✅ |
-| Nostr | `nostr` | ✅ | — | ✅ |
-| +13 more | | ✅ | ✅ | varies |
-
-## Transport
-
-Uses `libusb` for direct USB communication. No external daemon needed.
-Works on macOS, Linux, and Windows.
-
-## License
-
-Apache-2.0