bsv-bap 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/dist/constants.d.ts +2 -0
  2. package/dist/index.modern.js +2 -2
  3. package/dist/index.modern.js.map +6 -6
  4. package/dist/index.module.js +2 -2
  5. package/dist/index.module.js.map +6 -6
  6. package/dist/touchid.d.ts +45 -0
  7. package/dist/utils.d.ts +12 -0
  8. package/package.json +7 -2
  9. package/src/cli.ts +593 -323
  10. package/src/touchid.ts +87 -0
package/src/touchid.ts ADDED
@@ -0,0 +1,87 @@
1
+ /**
2
+ * Touch ID vault integration for BAP identity protection.
3
+ *
4
+ * Architecture:
5
+ * - P-256 key generated INSIDE the macOS Secure Enclave (never leaves the chip)
6
+ * - Encryption uses ECIES (ECDH + AES-256-GCM) via the SE public key
7
+ * - Decryption requires Touch ID — SE performs ECDH internally
8
+ * - Encrypted data stored at ~/.secure-enclave-vault/bap-master.vault.json
9
+ * - Config stores sentinel "se:bap-master" in rootPkEncrypted
10
+ * - Plaintext WIF never touches disk when Touch ID is active
11
+ *
12
+ * Powered by @1sat/vault (Secure Enclave hardware vault).
13
+ */
14
+
15
+ import {
16
+ checkAvailability,
17
+ isSupported,
18
+ protectSecret,
19
+ removeSecret,
20
+ unlockSecret,
21
+ } from "@1sat/vault";
22
+
23
+ const LABEL = "bap-master";
24
+
25
+ /**
26
+ * Encrypt a WIF private key with the Secure Enclave.
27
+ *
28
+ * Touch ID is NOT required for encryption — only for decryption.
29
+ * Returns the sentinel string "se:bap-master" to store in config.
30
+ */
31
+ export async function protectRootKey(wif: string): Promise<string> {
32
+ await protectSecret(LABEL, wif, { type: "bap-root" });
33
+ return `se:${LABEL}`;
34
+ }
35
+
36
+ /**
37
+ * Decrypt the protected root key using Touch ID + Secure Enclave.
38
+ *
39
+ * The ECDH key agreement happens INSIDE the Secure Enclave hardware.
40
+ * The P-256 private key never leaves the chip.
41
+ */
42
+ export async function unlockRootKey(sentinel: string): Promise<string> {
43
+ if (!sentinel.startsWith("se:")) {
44
+ throw new Error(
45
+ `Unrecognized vault format: "${sentinel.slice(0, 20)}...". ` +
46
+ 'Old Keychain format is no longer supported. Re-import your backup with "bap import <file>".',
47
+ );
48
+ }
49
+ const label = sentinel.slice(3);
50
+ const { plaintext } = await unlockSecret(label);
51
+ return plaintext;
52
+ }
53
+
54
+ /**
55
+ * Remove the Secure Enclave key and vault file.
56
+ * After this, the encrypted rootPk becomes permanently undecryptable.
57
+ * The caller must replace rootPkEncrypted with rootPk before calling this.
58
+ */
59
+ export async function removeProtection(): Promise<void> {
60
+ await removeSecret(LABEL);
61
+ }
62
+
63
+ /**
64
+ * Check Touch ID availability and whether the identity is currently protected.
65
+ */
66
+ export async function getTouchIDStatus(hasEncryptedKey: boolean): Promise<{
67
+ available: boolean;
68
+ biometryType: string;
69
+ protected: boolean;
70
+ }> {
71
+ if (!isSupported()) {
72
+ return { available: false, biometryType: "None", protected: false };
73
+ }
74
+ const status = await checkAvailability();
75
+ return {
76
+ available: status.secureEnclave && status.biometryAvailable,
77
+ biometryType: status.biometryType,
78
+ protected: hasEncryptedKey,
79
+ };
80
+ }
81
+
82
+ /**
83
+ * Synchronous check for Secure Enclave support (macOS arm64).
84
+ */
85
+ export function isTouchIDSupported(): boolean {
86
+ return isSupported();
87
+ }