npm - @sidhujag/sysweb3-keyring - Versions diffs - 1.0.545 → 1.0.547 - Mend

@sidhujag/sysweb3-keyring 1.0.545 → 1.0.547

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/coverage/clover.xml +2875 -0
package/coverage/coverage-final.json +29468 -0
package/coverage/lcov-report/base.css +354 -0
package/coverage/lcov-report/block-navigation.js +85 -0
package/coverage/lcov-report/favicon.png +0 -0
package/coverage/lcov-report/index.html +320 -0
package/coverage/lcov-report/prettify.css +101 -0
package/coverage/lcov-report/prettify.js +1008 -0
package/coverage/lcov-report/sort-arrow-sprite.png +0 -0
package/coverage/lcov-report/sorter.js +191 -0
package/coverage/lcov-report/src/index.html +276 -0
package/coverage/lcov-report/src/index.ts.html +114 -0
package/coverage/lcov-report/src/initial-state.ts.html +558 -0
package/coverage/lcov-report/src/keyring-manager.ts.html +6279 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/index.html +178 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/index.ts.html +144 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/appClient.ts.html +1560 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/bip32.ts.html +276 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/buffertools.ts.html +495 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/clientCommands.ts.html +1138 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/index.html +363 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/merkelizedPsbt.ts.html +289 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/merkle.ts.html +486 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/merkleMap.ts.html +240 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/policy.ts.html +342 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/psbtv2.ts.html +2388 -0
package/coverage/lcov-report/src/ledger/bitcoin_client/lib/varint.ts.html +453 -0
package/coverage/lcov-report/src/ledger/consts.ts.html +177 -0
package/coverage/lcov-report/src/ledger/index.html +216 -0
package/coverage/lcov-report/src/ledger/index.ts.html +1371 -0
package/coverage/lcov-report/src/ledger/utils.ts.html +102 -0
package/coverage/lcov-report/src/signers.ts.html +591 -0
package/coverage/lcov-report/src/storage.ts.html +198 -0
package/coverage/lcov-report/src/transactions/ethereum.ts.html +5826 -0
package/coverage/lcov-report/src/transactions/index.html +216 -0
package/coverage/lcov-report/src/transactions/index.ts.html +93 -0
package/coverage/lcov-report/src/transactions/syscoin.ts.html +1521 -0
package/coverage/lcov-report/src/trezor/index.html +176 -0
package/coverage/lcov-report/src/trezor/index.ts.html +2655 -0
package/coverage/lcov-report/src/types.ts.html +1443 -0
package/coverage/lcov-report/src/utils/derivation-paths.ts.html +486 -0
package/coverage/lcov-report/src/utils/index.html +196 -0
package/coverage/lcov-report/src/utils/psbt.ts.html +159 -0
package/coverage/lcov-report/test/helpers/constants.ts.html +627 -0
package/coverage/lcov-report/test/helpers/index.html +176 -0
package/coverage/lcov.info +4832 -0
package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/appClient.js +1 -124
package/dist/cjs/ledger/bitcoin_client/lib/appClient.js.map +1 -0
package/{cjs → dist/cjs}/transactions/ethereum.js +6 -2
package/dist/cjs/transactions/ethereum.js.map +1 -0
package/dist/package.json +50 -0
package/{types → dist/types}/ledger/bitcoin_client/lib/appClient.d.ts +0 -6
package/examples/basic-usage.js +140 -0
package/jest.config.js +32 -0
package/package.json +31 -13
package/readme.md +201 -0
package/src/declare.d.ts +7 -0
package/src/errorUtils.ts +83 -0
package/src/hardware-wallet-manager.ts +655 -0
package/src/index.ts +12 -0
package/src/initial-state.ts +108 -0
package/src/keyring-manager.ts +2698 -0
package/src/ledger/bitcoin_client/index.ts +19 -0
package/src/ledger/bitcoin_client/lib/appClient.ts +405 -0
package/src/ledger/bitcoin_client/lib/bip32.ts +61 -0
package/src/ledger/bitcoin_client/lib/buffertools.ts +134 -0
package/src/ledger/bitcoin_client/lib/clientCommands.ts +356 -0
package/src/ledger/bitcoin_client/lib/constants.ts +12 -0
package/src/ledger/bitcoin_client/lib/merkelizedPsbt.ts +65 -0
package/src/ledger/bitcoin_client/lib/merkle.ts +136 -0
package/src/ledger/bitcoin_client/lib/merkleMap.ts +49 -0
package/src/ledger/bitcoin_client/lib/policy.ts +91 -0
package/src/ledger/bitcoin_client/lib/psbtv2.ts +768 -0
package/src/ledger/bitcoin_client/lib/varint.ts +120 -0
package/src/ledger/consts.ts +3 -0
package/src/ledger/index.ts +685 -0
package/src/ledger/types.ts +74 -0
package/src/network-utils.ts +99 -0
package/src/providers.ts +345 -0
package/src/signers.ts +158 -0
package/src/storage.ts +63 -0
package/src/transactions/__tests__/integration.test.ts +303 -0
package/src/transactions/__tests__/syscoin.test.ts +409 -0
package/src/transactions/ethereum.ts +2503 -0
package/src/transactions/index.ts +2 -0
package/src/transactions/syscoin.ts +542 -0
package/src/trezor/index.ts +1050 -0
package/src/types.ts +366 -0
package/src/utils/derivation-paths.ts +133 -0
package/src/utils/psbt.ts +24 -0
package/src/utils.ts +191 -0
package/test/README.md +158 -0
package/test/__mocks__/ledger-mock.js +20 -0
package/test/__mocks__/trezor-mock.js +75 -0
package/test/cleanup-summary.md +167 -0
package/test/helpers/README.md +78 -0
package/test/helpers/constants.ts +79 -0
package/test/helpers/setup.ts +714 -0
package/test/integration/import-validation.spec.ts +588 -0
package/test/unit/hardware/ledger.spec.ts +869 -0
package/test/unit/hardware/trezor.spec.ts +828 -0
package/test/unit/keyring-manager/account-management.spec.ts +970 -0
package/test/unit/keyring-manager/import-watchonly.spec.ts +181 -0
package/test/unit/keyring-manager/import-wif.spec.ts +126 -0
package/test/unit/keyring-manager/initialization.spec.ts +782 -0
package/test/unit/keyring-manager/key-derivation.spec.ts +996 -0
package/test/unit/keyring-manager/security.spec.ts +505 -0
package/test/unit/keyring-manager/state-management.spec.ts +375 -0
package/test/unit/network/network-management.spec.ts +372 -0
package/test/unit/transactions/ethereum-transactions.spec.ts +382 -0
package/test/unit/transactions/syscoin-transactions.spec.ts +615 -0
package/tsconfig.json +14 -0
package/cjs/ledger/bitcoin_client/lib/appClient.js.map +0 -1
package/cjs/transactions/ethereum.js.map +0 -1
/package/{README.md → dist/README.md} +0 -0
/package/{cjs → dist/cjs}/errorUtils.js +0 -0
/package/{cjs → dist/cjs}/errorUtils.js.map +0 -0
/package/{cjs → dist/cjs}/hardware-wallet-manager.js +0 -0
/package/{cjs → dist/cjs}/hardware-wallet-manager.js.map +0 -0
/package/{cjs → dist/cjs}/index.js +0 -0
/package/{cjs → dist/cjs}/index.js.map +0 -0
/package/{cjs → dist/cjs}/initial-state.js +0 -0
/package/{cjs → dist/cjs}/initial-state.js.map +0 -0
/package/{cjs → dist/cjs}/keyring-manager.js +0 -0
/package/{cjs → dist/cjs}/keyring-manager.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/index.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/index.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/bip32.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/bip32.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/buffertools.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/buffertools.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/clientCommands.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/clientCommands.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/constants.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/constants.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkelizedPsbt.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkelizedPsbt.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkle.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkle.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkleMap.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/merkleMap.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/policy.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/policy.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/psbtv2.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/psbtv2.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/varint.js +0 -0
/package/{cjs → dist/cjs}/ledger/bitcoin_client/lib/varint.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/consts.js +0 -0
/package/{cjs → dist/cjs}/ledger/consts.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/index.js +0 -0
/package/{cjs → dist/cjs}/ledger/index.js.map +0 -0
/package/{cjs → dist/cjs}/ledger/types.js +0 -0
/package/{cjs → dist/cjs}/ledger/types.js.map +0 -0
/package/{cjs → dist/cjs}/network-utils.js +0 -0
/package/{cjs → dist/cjs}/network-utils.js.map +0 -0
/package/{cjs → dist/cjs}/providers.js +0 -0
/package/{cjs → dist/cjs}/providers.js.map +0 -0
/package/{cjs → dist/cjs}/signers.js +0 -0
/package/{cjs → dist/cjs}/signers.js.map +0 -0
/package/{cjs → dist/cjs}/storage.js +0 -0
/package/{cjs → dist/cjs}/storage.js.map +0 -0
/package/{cjs → dist/cjs}/transactions/__tests__/integration.test.js +0 -0
/package/{cjs → dist/cjs}/transactions/__tests__/integration.test.js.map +0 -0
/package/{cjs → dist/cjs}/transactions/__tests__/syscoin.test.js +0 -0
/package/{cjs → dist/cjs}/transactions/__tests__/syscoin.test.js.map +0 -0
/package/{cjs → dist/cjs}/transactions/index.js +0 -0
/package/{cjs → dist/cjs}/transactions/index.js.map +0 -0
/package/{cjs → dist/cjs}/transactions/syscoin.js +0 -0
/package/{cjs → dist/cjs}/transactions/syscoin.js.map +0 -0
/package/{cjs → dist/cjs}/trezor/index.js +0 -0
/package/{cjs → dist/cjs}/trezor/index.js.map +0 -0
/package/{cjs → dist/cjs}/types.js +0 -0
/package/{cjs → dist/cjs}/types.js.map +0 -0
/package/{cjs → dist/cjs}/utils/derivation-paths.js +0 -0
/package/{cjs → dist/cjs}/utils/derivation-paths.js.map +0 -0
/package/{cjs → dist/cjs}/utils/psbt.js +0 -0
/package/{cjs → dist/cjs}/utils/psbt.js.map +0 -0
/package/{cjs → dist/cjs}/utils.js +0 -0
/package/{cjs → dist/cjs}/utils.js.map +0 -0
/package/{types → dist/types}/errorUtils.d.ts +0 -0
/package/{types → dist/types}/hardware-wallet-manager.d.ts +0 -0
/package/{types → dist/types}/index.d.ts +0 -0
/package/{types → dist/types}/initial-state.d.ts +0 -0
/package/{types → dist/types}/keyring-manager.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/index.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/bip32.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/buffertools.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/clientCommands.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/constants.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/merkelizedPsbt.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/merkle.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/merkleMap.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/policy.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/psbtv2.d.ts +0 -0
/package/{types → dist/types}/ledger/bitcoin_client/lib/varint.d.ts +0 -0
/package/{types → dist/types}/ledger/consts.d.ts +0 -0
/package/{types → dist/types}/ledger/index.d.ts +0 -0
/package/{types → dist/types}/ledger/types.d.ts +0 -0
/package/{types → dist/types}/network-utils.d.ts +0 -0
/package/{types → dist/types}/providers.d.ts +0 -0
/package/{types → dist/types}/signers.d.ts +0 -0
/package/{types → dist/types}/storage.d.ts +0 -0
/package/{types → dist/types}/transactions/__tests__/integration.test.d.ts +0 -0
/package/{types → dist/types}/transactions/__tests__/syscoin.test.d.ts +0 -0
/package/{types → dist/types}/transactions/ethereum.d.ts +0 -0
/package/{types → dist/types}/transactions/index.d.ts +0 -0
/package/{types → dist/types}/transactions/syscoin.d.ts +0 -0
/package/{types → dist/types}/trezor/index.d.ts +0 -0
/package/{types → dist/types}/types.d.ts +0 -0
/package/{types → dist/types}/utils/derivation-paths.d.ts +0 -0
/package/{types → dist/types}/utils/psbt.d.ts +0 -0
/package/{types → dist/types}/utils.d.ts +0 -0

package/test/unit/keyring-manager/security.spec.ts ADDED Viewed

@@ -0,0 +1,505 @@
+import { INetworkType } from '@sidhujag/sysweb3-network';
+import { KeyringManager, KeyringAccountType } from '../../../src';
+import { FAKE_PASSWORD, PEACE_SEED_PHRASE } from '../../helpers/constants';
+import { setupMocks } from '../../helpers/setup';
+describe('KeyringManager - Security', () => {
+  let keyringManager: KeyringManager;
+  let mockVaultStateGetter: jest.Mock;
+  let currentVaultState: any;
+  beforeEach(async () => {
+    setupMocks();
+    // Set up vault-keys that would normally be created by Pali's MainController
+    await setupTestVault(FAKE_PASSWORD);
+  });
+  describe('Password Management', () => {
+    beforeEach(async () => {
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+    });
+    it('should require password for sensitive operations', async () => {
+      // getSeed requires password
+      await expect(keyringManager.getSeed('wrong_password')).rejects.toThrow(
+        'Invalid password'
+      );
+      // getPrivateKeyByAccountId requires password
+      await expect(
+        keyringManager.getPrivateKeyByAccountId(
+          0,
+          KeyringAccountType.HDAccount,
+          'wrong_password'
+        )
+      ).rejects.toThrow('Invalid password');
+      // forgetMainWallet requires password
+      await expect(
+        keyringManager.forgetMainWallet('wrong_password')
+      ).rejects.toThrow('Invalid password');
+    });
+    it('should validate password complexity in real implementation', async () => {
+      // Note: This is a placeholder for password complexity validation
+      // In real implementation, weak passwords should be rejected
+      const weakPasswords = ['123', 'abc', 'password', ''];
+      // Current implementation accepts any password
+      // This test documents expected behavior for future implementation
+      // Future: should reject weak passwords
+      expect(weakPasswords.length).toBeGreaterThan(0); // Placeholder assertion
+      // for (const weakPassword of weakPasswords) {
+      //   await expect(
+      //     KeyringManager.createInitialized(PEACE_SEED_PHRASE, weakPassword, INetworkType.Ethereum, mockVaultStateGetter)
+      //   ).rejects.toThrow('Password too weak');
+      // }
+    });
+    it('should handle password changes securely', async () => {
+      // Current implementation doesn't support password changes
+      // This test documents expected behavior for future implementation
+      // Future implementation:
+      // await keyringManager.changePassword(FAKE_PASSWORD, 'newPassword123!');
+      // keyringManager.lockWallet();
+      // const result = await keyringManager.unlock('newPassword123!');
+      // expect(result.canLogin).toBe(true);
+    });
+  });
+  describe('Encryption', () => {
+    beforeEach(async () => {
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+    });
+    it('should encrypt sensitive data in memory', async () => {
+      // Test that keyring is unlocked (session data exists)
+      expect(keyringManager.isUnlocked()).toBe(true);
+      // Test that we can retrieve the seed (proving session data is encrypted and functional)
+      const retrievedSeed = await keyringManager.getSeed(FAKE_PASSWORD);
+      expect(retrievedSeed).toBe(PEACE_SEED_PHRASE);
+      // Test that private keys are properly encrypted in storage
+      const activeAccount = keyringManager.getActiveAccount().activeAccount;
+      expect(activeAccount.address).toBeDefined();
+      expect(activeAccount.xpub).toBeDefined();
+      // Private key should not be exposed in public API
+      expect(activeAccount).not.toHaveProperty('xprv');
+    });
+    it('should encrypt private keys in vault state', async () => {
+      // Check HD account in vault state
+      const hdAccount =
+        currentVaultState.accounts[KeyringAccountType.HDAccount][0];
+      // xprv should be encrypted
+      expect(hdAccount.xprv).toBeDefined();
+      expect(hdAccount.xprv.startsWith('0x')).toBe(false); // Not plaintext hex
+      expect(hdAccount.xprv.length).toBeGreaterThan(66); // Longer than raw key
+      // Import an account
+      const privateKey =
+        '0x4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318';
+      const imported = await keyringManager.importAccount(privateKey);
+      // Update vault state to include the imported account
+      currentVaultState.accounts[KeyringAccountType.Imported][imported.id] = {
+        id: imported.id,
+        label: 'Imported 1',
+        address: imported.address,
+        xpub: imported.xpub,
+        xprv: imported.xprv,
+        isImported: true,
+        isTrezorWallet: false,
+        isLedgerWallet: false,
+        balances: { syscoin: 0, ethereum: 0 },
+        assets: { syscoin: [], ethereum: [] },
+      };
+      const importedAccount =
+        currentVaultState.accounts[KeyringAccountType.Imported][imported.id];
+      expect(importedAccount.xprv).not.toBe(privateKey);
+      expect(importedAccount.xprv.length).toBeGreaterThan(privateKey.length);
+    });
+    it('should clear sensitive data on lock', () => {
+      // Verify wallet is unlocked
+      expect(keyringManager.isUnlocked()).toBe(true);
+      // Lock wallet
+      keyringManager.lockWallet();
+      // Session data should be cleared - keyring should not be unlocked
+      expect(keyringManager.isUnlocked()).toBe(false);
+      // Should not be able to perform sensitive operations without unlocking
+      expect(keyringManager.getActiveAccount()).toBeDefined(); // Public data still accessible
+    });
+  });
+  describe('Key Derivation Security', () => {
+    it('should use standard derivation paths', async () => {
+      // Set up EVM vault state
+      const evmVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      const evmVaultStateGetter = jest.fn(() => evmVaultState);
+      // EVM should use BIP44 m/44'/60'/0'/0/x
+      const evmKeyring = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        evmVaultStateGetter
+      );
+      // Set up UTXO vault state
+      const utxoVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Syscoin,
+        chainId: 57,
+      });
+      const utxoVaultStateGetter = jest.fn(() => utxoVaultState);
+      // UTXO should use BIP84 m/84'/57'/0'/0/x for Syscoin
+      const utxoKeyring = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        utxoVaultStateGetter
+      );
+      // Addresses should be different due to different derivation paths
+      const evmAddress = evmKeyring.getActiveAccount().activeAccount.address;
+      const utxoAddress = utxoKeyring.getActiveAccount().activeAccount.address;
+      expect(evmAddress).not.toBe(utxoAddress);
+      expect(evmAddress.startsWith('0x')).toBe(true);
+      expect(utxoAddress.match(/^(sys1|tsys1)/)).toBeTruthy();
+    });
+    it('should not expose intermediate keys', async () => {
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+      // Only final private keys should be accessible, not master keys
+      const privateKey = await keyringManager.getPrivateKeyByAccountId(
+        0,
+        KeyringAccountType.HDAccount,
+        FAKE_PASSWORD
+      );
+      // Should be account private key, not master private key
+      expect(privateKey.startsWith('0x')).toBe(true);
+      expect(privateKey.length).toBe(66); // Standard Ethereum private key length
+    });
+  });
+  describe('Vault Security', () => {
+    it('should protect vault with proper encryption', async () => {
+      // Vault should require password to decrypt
+      keyringManager = new KeyringManager();
+      // Set up mock vault state getter for initializeWalletSecurely
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager.setVaultStateGetter(mockVaultStateGetter);
+      await keyringManager.initializeWalletSecurely(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD
+      );
+      // Lock and try to unlock with wrong password
+      keyringManager.lockWallet();
+      const wrongResult = await keyringManager.unlock('wrong_password');
+      expect(wrongResult.canLogin).toBe(false);
+      // Correct password should work
+      const correctResult = await keyringManager.unlock(FAKE_PASSWORD);
+      expect(correctResult.canLogin).toBe(true);
+    });
+    it('should use salt for password hashing', async () => {
+      // Mock storage should contain vault-keys with salt
+      const mockStorage = (global as any).mockStorage || new Map();
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+      // In real implementation, vault-keys should exist
+      // This verifies the mock is set up correctly
+      const vaultKeys = await mockStorage.get('vault-keys');
+      if (vaultKeys) {
+        expect(vaultKeys.salt).toBeDefined();
+        expect(vaultKeys.hash).toBeDefined();
+        expect(vaultKeys.salt.length).toBeGreaterThan(0);
+      }
+    });
+  });
+  describe('Import Security', () => {
+    beforeEach(async () => {
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+    });
+    it('should validate imported keys before storing', async () => {
+      // Invalid keys should be rejected
+      const invalidKeys = [
+        'not_a_key',
+        '0x',
+        '0xZZZZ', // Invalid hex
+        '0x' + '0'.repeat(63), // Too short
+        '0x' + '0'.repeat(65), // Too long
+      ];
+      for (const key of invalidKeys) {
+        await expect(keyringManager.importAccount(key)).rejects.toThrow();
+      }
+    });
+    it('should isolate imported keys from HD keys', async () => {
+      // Create a clean keyring with only HD accounts (no placeholder imported accounts)
+      const cleanVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      // Clear imported accounts
+      cleanVaultState.accounts[KeyringAccountType.Imported] = {};
+      const cleanVaultStateGetter = jest.fn(() => cleanVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        cleanVaultStateGetter
+      );
+      // Check initial state - should have 1 HD account, 0 imported
+      let hdAccounts = cleanVaultState.accounts[KeyringAccountType.HDAccount];
+      let importedAccounts =
+        cleanVaultState.accounts[KeyringAccountType.Imported];
+      expect(Object.keys(hdAccounts).length).toBe(1);
+      expect(Object.keys(importedAccounts).length).toBe(0);
+      // Import a key
+      const importedKey =
+        '0x4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318';
+      const imported = await keyringManager.importAccount(importedKey);
+      // Update vault state to include the imported account
+      cleanVaultState.accounts[KeyringAccountType.Imported][imported.id] = {
+        id: imported.id,
+        label: 'Imported 1',
+        address: imported.address,
+        xpub: imported.xpub,
+        xprv: imported.xprv,
+        isImported: true,
+        isTrezorWallet: false,
+        isLedgerWallet: false,
+        balances: { syscoin: 0, ethereum: 0 },
+        assets: { syscoin: [], ethereum: [] },
+      };
+      // HD and imported accounts should be in separate stores
+      hdAccounts = cleanVaultState.accounts[KeyringAccountType.HDAccount];
+      importedAccounts = cleanVaultState.accounts[KeyringAccountType.Imported];
+      // HD accounts should remain unchanged (still 1), imported should now have 1
+      expect(Object.keys(hdAccounts).length).toBe(1);
+      expect(Object.keys(importedAccounts).length).toBe(1);
+      // They should have separate ID sequences and be isolated
+      expect(hdAccounts[0]).toBeDefined(); // HD account 0 exists
+      expect(importedAccounts[0]).toBeDefined(); // Imported account 0 exists
+      expect(hdAccounts[0].isImported).toBe(false);
+      expect(importedAccounts[0].isImported).toBe(true);
+    });
+  });
+  describe('Memory Security', () => {
+    it('should not leak sensitive data in error messages', async () => {
+      // Set up EVM vault state
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+      try {
+        await keyringManager.getSeed('wrong_password');
+      } catch (error) {
+        // Error message should not contain the actual password
+        expect(error.message).not.toContain(FAKE_PASSWORD);
+        expect(error.message).not.toContain(PEACE_SEED_PHRASE);
+      }
+      try {
+        await keyringManager.importAccount('invalid_key');
+      } catch (error) {
+        // Error should not leak the attempted key
+        expect(error.message).not.toContain('invalid_key');
+      }
+    });
+    it('should clear sensitive data on errors', async () => {
+      // If initialization fails, no sensitive data should remain
+      keyringManager = new KeyringManager();
+      // Set up mock vault state getter for initializeWalletSecurely
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager.setVaultStateGetter(mockVaultStateGetter);
+      try {
+        await keyringManager.initializeWalletSecurely(
+          'invalid seed phrase',
+          FAKE_PASSWORD
+        );
+      } catch (error) {
+        // Wallet should not be unlocked after failed initialization
+        expect(keyringManager.isUnlocked()).toBe(false);
+      }
+    });
+  });
+  describe('Access Control', () => {
+    beforeEach(async () => {
+      // Use clean vault state without placeholder imported accounts
+      currentVaultState = createMockVaultState({
+        activeAccountId: 0,
+        activeAccountType: KeyringAccountType.HDAccount,
+        networkType: INetworkType.Ethereum,
+        chainId: 1,
+      });
+      // Clear imported accounts
+      currentVaultState.accounts[KeyringAccountType.Imported] = {};
+      mockVaultStateGetter = jest.fn(() => currentVaultState);
+      keyringManager = await KeyringManager.createInitialized(
+        PEACE_SEED_PHRASE,
+        FAKE_PASSWORD,
+        mockVaultStateGetter
+      );
+    });
+    it('should require unlock for sensitive operations', async () => {
+      keyringManager.lockWallet();
+      // These should fail when locked
+      await expect(keyringManager.addNewAccount()).rejects.toThrow();
+      await expect(
+        keyringManager.importAccount('0x' + '0'.repeat(64))
+      ).rejects.toThrow();
+      // These should work when locked (public data)
+      expect(() => keyringManager.getNetwork()).not.toThrow();
+      expect(() => keyringManager.getActiveAccount()).not.toThrow();
+    });
+    it('should validate account ownership', async () => {
+      // Can only get private keys for accounts that exist
+      await expect(
+        keyringManager.getPrivateKeyByAccountId(
+          999, // Non-existent account
+          KeyringAccountType.HDAccount,
+          FAKE_PASSWORD
+        )
+      ).rejects.toThrow('Account not found');
+      // Can only access accounts of the correct type
+      expect(() =>
+        keyringManager.getAccountById(
+          0,
+          KeyringAccountType.Imported // Wrong type
+        )
+      ).toThrow('Account not found');
+    });
+  });
+});