@oxyhq/core 1.0.0

package/dist/esm/crypto/keyManager.js

@@ -0,0 +1,850 @@
+/**
+ * Key Manager - ECDSA secp256k1 Key Generation and Storage
+ *
+ * Handles secure generation, storage, and retrieval of cryptographic keys.
+ * Private keys are stored securely using expo-secure-store and never leave the device.
+ */
+import { ec as EC } from 'elliptic';
+import { isWeb, isIOS, isAndroid } from '../utils/platform';
+import { logger } from '../utils/loggerUtils';
+// Lazy imports for React Native specific modules
+let SecureStore = null;
+let ExpoCrypto = null;
+const ec = new EC('secp256k1');
+const STORAGE_KEYS = {
+    PRIVATE_KEY: 'oxy_identity_private_key',
+    PUBLIC_KEY: 'oxy_identity_public_key',
+    BACKUP_PRIVATE_KEY: 'oxy_identity_backup_private_key',
+    BACKUP_PUBLIC_KEY: 'oxy_identity_backup_public_key',
+    BACKUP_TIMESTAMP: 'oxy_identity_backup_timestamp',
+    // Shared keys accessible across all Oxy apps (iOS Keychain Group / Android Account Manager)
+    SHARED_PRIVATE_KEY: 'oxy_shared_identity_private_key',
+    SHARED_PUBLIC_KEY: 'oxy_shared_identity_public_key',
+    SHARED_SESSION_TOKEN: 'oxy_shared_session_token',
+    SHARED_SESSION_ID: 'oxy_shared_session_id',
+};
+/**
+ * iOS Keychain Access Group for sharing identities across Oxy apps
+ * All Oxy apps must have this access group enabled in their entitlements
+ * Format: [Team ID].com.oxy.shared or group.com.oxy.shared
+ */
+const IOS_KEYCHAIN_GROUP = 'group.com.oxy.shared';
+/**
+ * Android Account Manager type for shared authentication
+ * Used with sharedUserId to share sessions across apps
+ */
+const ANDROID_ACCOUNT_TYPE = 'com.oxy.account';
+/**
+ * Initialize React Native specific modules
+ * This allows the module to work in both Node.js and React Native environments
+ */
+async function initSecureStore() {
+    if (!SecureStore) {
+        try {
+            SecureStore = await import('expo-secure-store');
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
+        }
+    }
+    if (!SecureStore) {
+        throw new Error('expo-secure-store module is not available');
+    }
+    return SecureStore;
+}
+/**
+ * Check if we're in a React Native environment
+ */
+function isReactNative() {
+    return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
+}
+/**
+ * Check if we're in a Node.js environment
+ */
+function isNodeJS() {
+    return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
+}
+/**
+ * Check if we're on web platform
+ * Identity storage is only available on native platforms (iOS/Android)
+ */
+function isWebPlatform() {
+    return isWeb();
+}
+async function initExpoCrypto() {
+    if (!ExpoCrypto) {
+        ExpoCrypto = await import('expo-crypto');
+    }
+    return ExpoCrypto;
+}
+/**
+ * Convert Uint8Array to hexadecimal string
+ * Works in both Node.js and React Native
+ */
+function uint8ArrayToHex(bytes) {
+    return Array.from(bytes)
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+/**
+ * Generate cryptographically secure random bytes
+ */
+async function getSecureRandomBytes(length) {
+    // In React Native, always use expo-crypto
+    if (isReactNative() || !isNodeJS()) {
+        const Crypto = await initExpoCrypto();
+        return Crypto.getRandomBytes(length);
+    }
+    // In Node.js, use Node's crypto module
+    // Use Function constructor to prevent Metro bundler from statically analyzing this require
+    // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval
+        const getCrypto = new Function('return require("crypto")');
+        const crypto = getCrypto();
+        return new Uint8Array(crypto.randomBytes(length));
+    }
+    catch (error) {
+        // Fallback to expo-crypto if Node crypto fails
+        const Crypto = await initExpoCrypto();
+        return Crypto.getRandomBytes(length);
+    }
+}
+export class KeyManager {
+    /**
+     * Invalidate cached identity state
+     * Called internally when identity is created/deleted/imported
+     */
+    static invalidateCache() {
+        KeyManager.cachedPublicKey = null;
+        KeyManager.cachedHasIdentity = null;
+    }
+    /**
+     * Invalidate cached shared identity state
+     * Called internally when shared identity is created/deleted/imported
+     */
+    static invalidateSharedCache() {
+        KeyManager.cachedSharedPublicKey = null;
+        KeyManager.cachedHasSharedIdentity = null;
+    }
+    /**
+     * Generate a new ECDSA secp256k1 key pair
+     * Returns the keys in hexadecimal format
+     */
+    static generateKeyPairSync() {
+        const keyPair = ec.genKeyPair();
+        return {
+            privateKey: keyPair.getPrivate('hex'),
+            publicKey: keyPair.getPublic('hex'),
+        };
+    }
+    /**
+     * Generate a new key pair using secure random bytes
+     */
+    static async generateKeyPair() {
+        const randomBytes = await getSecureRandomBytes(32);
+        const privateKeyHex = uint8ArrayToHex(randomBytes);
+        const keyPair = ec.keyFromPrivate(privateKeyHex);
+        return {
+            privateKey: keyPair.getPrivate('hex'),
+            publicKey: keyPair.getPublic('hex'),
+        };
+    }
+    // ==================== SHARED IDENTITY METHODS ====================
+    // These methods enable cross-app session sharing (like Google)
+    // iOS: Uses Keychain Access Groups
+    // Android: Uses Account Manager with shared user ID
+    // =================================================================
+    /**
+     * Create a shared identity accessible across all Oxy apps
+     *
+     * iOS: Stores in shared keychain group (requires entitlement configuration)
+     * Android: Stores in Account Manager (requires sharedUserId in manifest)
+     *
+     * This enables true cross-app SSO - when user signs in to one Oxy app,
+     * they're automatically signed in to all other Oxy apps.
+     *
+     * @returns Public key of the shared identity
+     * @throws Error if not on native platform or if sharing is not configured
+     */
+    static async createSharedIdentity() {
+        if (isWebPlatform()) {
+            throw new Error('Shared identity is only available on native platforms (iOS/Android).');
+        }
+        const store = await initSecureStore();
+        const { privateKey, publicKey } = await KeyManager.generateKeyPair();
+        if (isIOS()) {
+            // iOS: Store in shared keychain group
+            // Note: keychainAccessGroup requires Keychain Sharing capability in Xcode
+            try {
+                await store.setItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY, privateKey, {
+                    keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP, // This enables sharing across apps
+                }); // Type assertion: keychainAccessGroup may not be in older @types but is supported
+                await store.setItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY, publicKey, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            catch (error) {
+                throw new Error(`Failed to create shared identity on iOS. Ensure your app has the Keychain Sharing capability enabled with access group "${IOS_KEYCHAIN_GROUP}". Error: ${error}`);
+            }
+        }
+        else if (isAndroid()) {
+            // Android: Store in secure store (accessible via sharedUserId)
+            // Note: All Oxy apps must have the same sharedUserId in AndroidManifest.xml
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY, privateKey, {
+                keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+            });
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY, publicKey);
+        }
+        // Update cache
+        KeyManager.cachedSharedPublicKey = publicKey;
+        KeyManager.cachedHasSharedIdentity = true;
+        if (__DEV__) {
+            logger.debug('Shared identity created successfully', { component: 'KeyManager' });
+        }
+        return publicKey;
+    }
+    /**
+     * Get the shared public key (accessible across all Oxy apps)
+     *
+     * @returns Shared public key or null if no shared identity exists
+     */
+    static async getSharedPublicKey() {
+        if (isWebPlatform()) {
+            return null;
+        }
+        // Return cached value if available
+        if (KeyManager.cachedSharedPublicKey !== null) {
+            return KeyManager.cachedSharedPublicKey;
+        }
+        try {
+            const store = await initSecureStore();
+            let publicKey = null;
+            if (isIOS()) {
+                publicKey = await store.getItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            else if (isAndroid()) {
+                publicKey = await store.getItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY);
+            }
+            // Cache result
+            KeyManager.cachedSharedPublicKey = publicKey;
+            return publicKey;
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.warn('Failed to get shared public key', { component: 'KeyManager' }, error);
+            }
+            KeyManager.cachedSharedPublicKey = null;
+            return null;
+        }
+    }
+    /**
+     * Get the shared private key (for signing operations)
+     *
+     * WARNING: Only use this for signing operations within the app.
+     * The private key should NEVER be transmitted or exposed.
+     *
+     * @returns Shared private key or null if no shared identity exists
+     */
+    static async getSharedPrivateKey() {
+        if (isWebPlatform()) {
+            return null;
+        }
+        try {
+            const store = await initSecureStore();
+            let privateKey = null;
+            if (isIOS()) {
+                privateKey = await store.getItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            else if (isAndroid()) {
+                privateKey = await store.getItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY);
+            }
+            return privateKey;
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.warn('Failed to get shared private key', { component: 'KeyManager' }, error);
+            }
+            return null;
+        }
+    }
+    /**
+     * Check if a shared identity exists (accessible across all Oxy apps)
+     *
+     * @returns True if shared identity exists, false otherwise
+     */
+    static async hasSharedIdentity() {
+        if (isWebPlatform()) {
+            return false;
+        }
+        // Return cached value if available
+        if (KeyManager.cachedHasSharedIdentity !== null) {
+            return KeyManager.cachedHasSharedIdentity;
+        }
+        try {
+            const privateKey = await KeyManager.getSharedPrivateKey();
+            const hasShared = privateKey !== null;
+            // Cache result
+            KeyManager.cachedHasSharedIdentity = hasShared;
+            return hasShared;
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.warn('Failed to check shared identity', { component: 'KeyManager' }, error);
+            }
+            KeyManager.cachedHasSharedIdentity = false;
+            return false;
+        }
+    }
+    /**
+     * Import an existing key pair as shared identity
+     *
+     * This is used when:
+     * 1. User signs in to a new Oxy app for the first time
+     * 2. User has existing identity on another Oxy app
+     * 3. We want to sync the identity across apps
+     *
+     * @param privateKey - Private key in hex format
+     * @returns Public key
+     */
+    static async importSharedIdentity(privateKey) {
+        if (isWebPlatform()) {
+            throw new Error('Shared identity import is only available on native platforms.');
+        }
+        const store = await initSecureStore();
+        const keyPair = ec.keyFromPrivate(privateKey);
+        const publicKey = keyPair.getPublic('hex');
+        if (isIOS()) {
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY, privateKey, {
+                keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+                keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+            });
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY, publicKey, {
+                keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+            });
+        }
+        else if (isAndroid()) {
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PRIVATE_KEY, privateKey, {
+                keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+            });
+            await store.setItemAsync(STORAGE_KEYS.SHARED_PUBLIC_KEY, publicKey);
+        }
+        // Update cache
+        KeyManager.cachedSharedPublicKey = publicKey;
+        KeyManager.cachedHasSharedIdentity = true;
+        if (__DEV__) {
+            logger.debug('Shared identity imported successfully', { component: 'KeyManager' });
+        }
+        return publicKey;
+    }
+    /**
+     * Store session information in shared storage
+     *
+     * This allows all Oxy apps to access the same session without
+     * re-authenticating. When user signs in to one app, all apps
+     * get the session automatically.
+     *
+     * @param sessionId - Session ID from authentication
+     * @param accessToken - Access token for API calls
+     */
+    static async storeSharedSession(sessionId, accessToken) {
+        if (isWebPlatform()) {
+            return; // Not supported on web
+        }
+        try {
+            const store = await initSecureStore();
+            if (isIOS()) {
+                await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_ID, sessionId, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+                await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken, {
+                    keychainAccessible: store.WHEN_UNLOCKED,
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            else if (isAndroid()) {
+                await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_ID, sessionId);
+                await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken);
+            }
+            if (__DEV__) {
+                logger.debug('Shared session stored successfully', { component: 'KeyManager' });
+            }
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.error('Failed to store shared session', error, { component: 'KeyManager' });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Get shared session information
+     *
+     * This allows any Oxy app to check if user is already signed in
+     * via another Oxy app. Enables instant cross-app SSO.
+     *
+     * @returns Session data or null if no shared session exists
+     */
+    static async getSharedSession() {
+        if (isWebPlatform()) {
+            return null;
+        }
+        try {
+            const store = await initSecureStore();
+            let sessionId = null;
+            let accessToken = null;
+            if (isIOS()) {
+                sessionId = await store.getItemAsync(STORAGE_KEYS.SHARED_SESSION_ID, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+                accessToken = await store.getItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            else if (isAndroid()) {
+                sessionId = await store.getItemAsync(STORAGE_KEYS.SHARED_SESSION_ID);
+                accessToken = await store.getItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
+            }
+            if (!sessionId || !accessToken) {
+                return null;
+            }
+            return { sessionId, accessToken };
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.warn('Failed to get shared session', { component: 'KeyManager' }, error);
+            }
+            return null;
+        }
+    }
+    /**
+     * Clear shared session (on logout)
+     *
+     * This signs out the user from ALL Oxy apps simultaneously.
+     * Call this when user explicitly logs out.
+     */
+    static async clearSharedSession() {
+        if (isWebPlatform()) {
+            return;
+        }
+        try {
+            const store = await initSecureStore();
+            if (isIOS()) {
+                await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_ID, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+                await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, {
+                    keychainAccessGroup: IOS_KEYCHAIN_GROUP,
+                });
+            }
+            else if (isAndroid()) {
+                await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_ID);
+                await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
+            }
+            if (__DEV__) {
+                logger.debug('Shared session cleared successfully', { component: 'KeyManager' });
+            }
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.error('Failed to clear shared session', error, { component: 'KeyManager' });
+            }
+        }
+    }
+    /**
+     * Migrate local identity to shared identity
+     *
+     * Call this when upgrading existing apps to use shared identities.
+     * Copies the device-specific identity to shared storage so it can
+     * be accessed by other Oxy apps.
+     *
+     * @returns True if migration was successful, false if no local identity exists
+     */
+    static async migrateToSharedIdentity() {
+        if (isWebPlatform()) {
+            return false;
+        }
+        try {
+            // Check if we already have a shared identity
+            const hasShared = await KeyManager.hasSharedIdentity();
+            if (hasShared) {
+                if (__DEV__) {
+                    logger.debug('Shared identity already exists, skipping migration', { component: 'KeyManager' });
+                }
+                return true;
+            }
+            // Get local identity
+            const privateKey = await KeyManager.getPrivateKey();
+            if (!privateKey) {
+                if (__DEV__) {
+                    logger.debug('No local identity to migrate', { component: 'KeyManager' });
+                }
+                return false;
+            }
+            // Import to shared storage
+            await KeyManager.importSharedIdentity(privateKey);
+            if (__DEV__) {
+                logger.debug('Successfully migrated local identity to shared identity', { component: 'KeyManager' });
+            }
+            return true;
+        }
+        catch (error) {
+            if (__DEV__) {
+                logger.error('Failed to migrate to shared identity', error, { component: 'KeyManager' });
+            }
+            return false;
+        }
+    }
+    // ==================== END SHARED IDENTITY METHODS ====================
+    /**
+     * Generate and securely store a new key pair on the device
+     * Returns only the public key (private key is stored securely)
+     */
+    static async createIdentity() {
+        if (isWebPlatform()) {
+            throw new Error('Identity creation is only available on native platforms (iOS/Android). Please use the native app to create your identity.');
+        }
+        const store = await initSecureStore();
+        const { privateKey, publicKey } = await KeyManager.generateKeyPair();
+        await store.setItemAsync(STORAGE_KEYS.PRIVATE_KEY, privateKey, {
+            keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+        });
+        await store.setItemAsync(STORAGE_KEYS.PUBLIC_KEY, publicKey);
+        // Update cache
+        KeyManager.cachedPublicKey = publicKey;
+        KeyManager.cachedHasIdentity = true;
+        return publicKey;
+    }
+    /**
+     * Import an existing key pair (e.g., from recovery phrase)
+     */
+    static async importKeyPair(privateKey) {
+        if (isWebPlatform()) {
+            throw new Error('Identity import is only available on native platforms (iOS/Android). Please use the native app to import your identity.');
+        }
+        const store = await initSecureStore();
+        const keyPair = ec.keyFromPrivate(privateKey);
+        const publicKey = keyPair.getPublic('hex');
+        await store.setItemAsync(STORAGE_KEYS.PRIVATE_KEY, privateKey, {
+            keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+        });
+        await store.setItemAsync(STORAGE_KEYS.PUBLIC_KEY, publicKey);
+        // Update cache
+        KeyManager.cachedPublicKey = publicKey;
+        KeyManager.cachedHasIdentity = true;
+        return publicKey;
+    }
+    /**
+     * Get the stored private key
+     * WARNING: Only use this for signing operations within the app
+     */
+    static async getPrivateKey() {
+        if (isWebPlatform()) {
+            return null; // Identity storage is only available on native platforms
+        }
+        try {
+            const store = await initSecureStore();
+            return await store.getItemAsync(STORAGE_KEYS.PRIVATE_KEY);
+        }
+        catch (error) {
+            // If secure store is not available, return null (no identity)
+            // This allows the app to continue functioning even if secure store fails to load
+            if (__DEV__) {
+                logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
+            }
+            return null;
+        }
+    }
+    /**
+     * Get the stored public key (cached for performance)
+     */
+    static async getPublicKey() {
+        if (isWebPlatform()) {
+            return null; // Identity storage is only available on native platforms
+        }
+        if (KeyManager.cachedPublicKey !== null) {
+            return KeyManager.cachedPublicKey;
+        }
+        try {
+            const store = await initSecureStore();
+            const publicKey = await store.getItemAsync(STORAGE_KEYS.PUBLIC_KEY);
+            // Cache result (null is a valid cache value meaning no identity)
+            KeyManager.cachedPublicKey = publicKey;
+            return publicKey;
+        }
+        catch (error) {
+            // If secure store is not available, return null (no identity)
+            // Cache null to avoid repeated failed attempts
+            KeyManager.cachedPublicKey = null;
+            if (__DEV__) {
+                logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
+            }
+            return null;
+        }
+    }
+    /**
+     * Check if an identity (key pair) exists on this device (cached for performance)
+     */
+    static async hasIdentity() {
+        if (isWebPlatform()) {
+            return false; // Identity storage is only available on native platforms
+        }
+        if (KeyManager.cachedHasIdentity !== null) {
+            return KeyManager.cachedHasIdentity;
+        }
+        try {
+            const privateKey = await KeyManager.getPrivateKey();
+            const hasIdentity = privateKey !== null;
+            // Cache result
+            KeyManager.cachedHasIdentity = hasIdentity;
+            return hasIdentity;
+        }
+        catch (error) {
+            // If we can't check, assume no identity (safer default)
+            // Cache false to avoid repeated failed attempts
+            KeyManager.cachedHasIdentity = false;
+            if (__DEV__) {
+                logger.warn('Failed to check identity', { component: 'KeyManager' }, error);
+            }
+            return false;
+        }
+    }
+    /**
+     * Delete the stored identity (both keys)
+     * Use with EXTREME caution - this is irreversible without a recovery phrase
+     * This should ONLY be called when explicitly requested by the user
+     * @param skipBackup - If true, skip backup before deletion (default: false)
+     * @param force - If true, skip confirmation checks (default: false)
+     * @param userConfirmed - If true, user has explicitly confirmed deletion (default: false)
+     */
+    static async deleteIdentity(skipBackup = false, force = false, userConfirmed = false) {
+        if (isWebPlatform()) {
+            return; // Identity storage is only available on native platforms, nothing to delete
+        }
+        // CRITICAL SAFEGUARD: Require explicit user confirmation unless force is true
+        if (!force && !userConfirmed) {
+            throw new Error('Identity deletion requires explicit user confirmation. This is a safety measure to prevent accidental data loss.');
+        }
+        if (!force) {
+            const hasIdentity = await KeyManager.hasIdentity();
+            if (!hasIdentity) {
+                return; // Nothing to delete
+            }
+        }
+        const store = await initSecureStore();
+        // ALWAYS create backup before deletion unless explicitly skipped
+        if (!skipBackup) {
+            try {
+                const backupSuccess = await KeyManager.backupIdentity();
+                if (!backupSuccess && typeof __DEV__ !== 'undefined' && __DEV__) {
+                    logger.warn('Failed to backup identity before deletion - proceeding anyway', { component: 'KeyManager' });
+                }
+            }
+            catch (backupError) {
+                if (typeof __DEV__ !== 'undefined' && __DEV__) {
+                    logger.warn('Failed to backup identity before deletion', { component: 'KeyManager' }, backupError);
+                }
+            }
+        }
+        await store.deleteItemAsync(STORAGE_KEYS.PRIVATE_KEY);
+        await store.deleteItemAsync(STORAGE_KEYS.PUBLIC_KEY);
+        // Invalidate cache
+        KeyManager.invalidateCache();
+        // Also clear backup if force deletion
+        if (force) {
+            try {
+                await store.deleteItemAsync(STORAGE_KEYS.BACKUP_PRIVATE_KEY);
+                await store.deleteItemAsync(STORAGE_KEYS.BACKUP_PUBLIC_KEY);
+                await store.deleteItemAsync(STORAGE_KEYS.BACKUP_TIMESTAMP);
+            }
+            catch (error) {
+                // Ignore backup deletion errors
+            }
+        }
+    }
+    /**
+     * Backup identity to SecureStore (separate backup storage)
+     * This provides a recovery mechanism if primary storage fails
+     */
+    static async backupIdentity() {
+        if (isWebPlatform()) {
+            return false; // Identity storage is only available on native platforms
+        }
+        try {
+            const store = await initSecureStore();
+            const privateKey = await KeyManager.getPrivateKey();
+            const publicKey = await KeyManager.getPublicKey();
+            if (!privateKey || !publicKey) {
+                return false; // Nothing to backup
+            }
+            // Store backup in SecureStore (still secure, but separate from primary storage)
+            await store.setItemAsync(STORAGE_KEYS.BACKUP_PRIVATE_KEY, privateKey, {
+                keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+            });
+            await store.setItemAsync(STORAGE_KEYS.BACKUP_PUBLIC_KEY, publicKey);
+            await store.setItemAsync(STORAGE_KEYS.BACKUP_TIMESTAMP, Date.now().toString());
+            return true;
+        }
+        catch (error) {
+            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+                logger.error('Failed to backup identity', error, { component: 'KeyManager' });
+            }
+            return false;
+        }
+    }
+    /**
+     * Verify identity integrity - checks if keys are valid and accessible
+     */
+    static async verifyIdentityIntegrity() {
+        if (isWebPlatform()) {
+            return false; // Identity storage is only available on native platforms
+        }
+        try {
+            const privateKey = await KeyManager.getPrivateKey();
+            const publicKey = await KeyManager.getPublicKey();
+            if (!privateKey || !publicKey) {
+                return false;
+            }
+            // Validate private key format
+            if (!KeyManager.isValidPrivateKey(privateKey)) {
+                return false;
+            }
+            // Validate public key format
+            if (!KeyManager.isValidPublicKey(publicKey)) {
+                return false;
+            }
+            // Verify public key can be derived from private key
+            const derivedPublicKey = KeyManager.derivePublicKey(privateKey);
+            if (derivedPublicKey !== publicKey) {
+                return false; // Keys don't match
+            }
+            // Verify we can create a key pair object (tests elliptic curve operations)
+            const keyPair = await KeyManager.getKeyPairObject();
+            if (!keyPair) {
+                return false;
+            }
+            return true;
+        }
+        catch (error) {
+            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+                logger.error('Identity integrity check failed', error, { component: 'KeyManager' });
+            }
+            return false;
+        }
+    }
+    /**
+     * Restore identity from backup if primary storage is corrupted
+     */
+    static async restoreIdentityFromBackup() {
+        if (isWebPlatform()) {
+            return false; // Identity storage is only available on native platforms
+        }
+        try {
+            const store = await initSecureStore();
+            // Check if backup exists
+            const backupPrivateKey = await store.getItemAsync(STORAGE_KEYS.BACKUP_PRIVATE_KEY);
+            const backupPublicKey = await store.getItemAsync(STORAGE_KEYS.BACKUP_PUBLIC_KEY);
+            if (!backupPrivateKey || !backupPublicKey) {
+                return false; // No backup available
+            }
+            // Verify backup integrity
+            if (!KeyManager.isValidPrivateKey(backupPrivateKey)) {
+                return false;
+            }
+            if (!KeyManager.isValidPublicKey(backupPublicKey)) {
+                return false;
+            }
+            // Verify keys match
+            const derivedPublicKey = KeyManager.derivePublicKey(backupPrivateKey);
+            if (derivedPublicKey !== backupPublicKey) {
+                return false; // Backup keys don't match
+            }
+            await store.setItemAsync(STORAGE_KEYS.PRIVATE_KEY, backupPrivateKey, {
+                keychainAccessible: store.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+            });
+            await store.setItemAsync(STORAGE_KEYS.PUBLIC_KEY, backupPublicKey);
+            const restored = await KeyManager.verifyIdentityIntegrity();
+            if (restored) {
+                // Update cache
+                KeyManager.cachedPublicKey = backupPublicKey;
+                KeyManager.cachedHasIdentity = true;
+                await store.setItemAsync(STORAGE_KEYS.BACKUP_TIMESTAMP, Date.now().toString());
+                return true;
+            }
+            return false;
+        }
+        catch (error) {
+            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+                logger.error('Failed to restore identity from backup', error, { component: 'KeyManager' });
+            }
+            return false;
+        }
+    }
+    /**
+     * Get the elliptic curve key object from the stored private key
+     * Used internally for signing operations
+     */
+    static async getKeyPairObject() {
+        if (isWebPlatform()) {
+            return null; // Identity storage is only available on native platforms
+        }
+        const privateKey = await KeyManager.getPrivateKey();
+        if (!privateKey)
+            return null;
+        return ec.keyFromPrivate(privateKey);
+    }
+    /**
+     * Derive public key from a private key (without storing)
+     */
+    static derivePublicKey(privateKey) {
+        const keyPair = ec.keyFromPrivate(privateKey);
+        return keyPair.getPublic('hex');
+    }
+    /**
+     * Validate that a string is a valid public key
+     */
+    static isValidPublicKey(publicKey) {
+        try {
+            ec.keyFromPublic(publicKey, 'hex');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Validate that a string is a valid private key
+     */
+    static isValidPrivateKey(privateKey) {
+        try {
+            const keyPair = ec.keyFromPrivate(privateKey);
+            // Verify it can derive a public key
+            keyPair.getPublic('hex');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get a shortened version of the public key for display
+     * Format: first 8 chars...last 8 chars
+     */
+    static shortenPublicKey(publicKey) {
+        if (publicKey.length <= 20)
+            return publicKey;
+        return `${publicKey.slice(0, 8)}...${publicKey.slice(-8)}`;
+    }
+}
+// In-memory cache for identity state (invalidated on identity changes)
+KeyManager.cachedPublicKey = null;
+KeyManager.cachedHasIdentity = null;
+KeyManager.cachedSharedPublicKey = null;
+KeyManager.cachedHasSharedIdentity = null;
+export default KeyManager;