npm - bsv-bap - Versions diffs - 0.2.0 → 0.3.0 - Mend

bsv-bap 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/touchid.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Touch ID vault integration for BAP identity protection.
+ *
+ * Architecture:
+ *   - P-256 key generated INSIDE the macOS Secure Enclave (never leaves the chip)
+ *   - Encryption uses ECIES (ECDH + AES-256-GCM) via the SE public key
+ *   - Decryption requires Touch ID — SE performs ECDH internally
+ *   - Encrypted data stored at ~/.secure-enclave-vault/bap-master.vault.json
+ *   - Config stores sentinel "se:bap-master" in rootPkEncrypted
+ *   - Plaintext WIF never touches disk when Touch ID is active
+ *
+ * Powered by @1sat/vault (Secure Enclave hardware vault).
+ */
+/**
+ * Encrypt a WIF private key with the Secure Enclave.
+ *
+ * Touch ID is NOT required for encryption — only for decryption.
+ * Returns the sentinel string "se:bap-master" to store in config.
+ */
+export declare function protectRootKey(wif: string): Promise<string>;
+/**
+ * Decrypt the protected root key using Touch ID + Secure Enclave.
+ *
+ * The ECDH key agreement happens INSIDE the Secure Enclave hardware.
+ * The P-256 private key never leaves the chip.
+ */
+export declare function unlockRootKey(sentinel: string): Promise<string>;
+/**
+ * Remove the Secure Enclave key and vault file.
+ * After this, the encrypted rootPk becomes permanently undecryptable.
+ * The caller must replace rootPkEncrypted with rootPk before calling this.
+ */
+export declare function removeProtection(): Promise<void>;
+/**
+ * Check Touch ID availability and whether the identity is currently protected.
+ */
+export declare function getTouchIDStatus(hasEncryptedKey: boolean): Promise<{
+    available: boolean;
+    biometryType: string;
+    protected: boolean;
+}>;
+/**
+ * Synchronous check for Secure Enclave support (macOS arm64).
+ */
+export declare function isTouchIDSupported(): boolean;

package/dist/utils.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { type PrivateKey } from "@bsv/sdk";
 import type { PathPrefix } from "./interface.js";
 /**
  * Derive a BAP ID from a Bitcoin address (rootAddress).
@@ -22,6 +23,17 @@ export declare function bapIdFromAddress(address: string): string;
  * so this correctly bridges BRC-31 auth to BAP identity lookups.
  */
 export declare function bapIdFromPubkey(pubkeyHex: string): string;
+/**
+ * Derive the BAP identity-0 address from a BRC-100 wallet root private key.
+ *
+ * Matches @1sat/actions: derives the public key at protocolID `[1, "sigma"]`,
+ * keyID `"identity-0"`, counterparty `"self"` (forSelf=true), then converts to
+ * a P2PKH address. The bapId is computed from this address.
+ *
+ * BRC-100 wallets don't allow signing with the wallet root itself, so the
+ * "root" used for bapId derivation is this first standard-derived signing key.
+ */
+export declare function deriveIdentity0Address(walletRoot: PrivateKey): string;
 export declare const Utils: {
     /**
      * Helper function to generate cryptographically secure random bytes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bsv-bap",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "BAP npm module",
   "repository": {
     "type": "git",
@@ -27,6 +27,7 @@
     "dist/*.js.map",
     "dist/*.d.ts",
     "src/cli.ts",
+    "src/touchid.ts",
     "README.md",
     "LICENSE"
   ],
@@ -49,10 +50,14 @@
     "typescript": "^5.9.3"
   },
   "dependencies": {
+    "@1sat/vault": "0.0.3",
     "commander": "^14.0.3",
     "schema-dts": "^1.1.5"
   },
   "peerDependencies": {
     "@bsv/sdk": "^2.0.1"
-  }
+  },
+  "trustedDependencies": [
+    "@1sat/vault"
+  ]
 }