navio-sdk 0.1.0 → 0.1.2

package/dist/index.mjs

@@ -1,22 +1,282 @@
+import argon2 from 'argon2-browser';
 import { sha256 } from '@noble/hashes/sha256';
 import { ripemd160 } from '@noble/hashes/ripemd160';
+import * as bip39 from '@scure/bip39';
+import { wordlist } from '@scure/bip39/wordlists/english.js';
 import * as blsctModule from 'navio-blsct';
 import { BlsctChain, setChain } from 'navio-blsct';
 export { BlsctChain, getChain, setChain } from 'navio-blsct';
 import * as net from 'net';
 
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
 var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
   get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
 }) : x)(function(x) {
   if (typeof require !== "undefined") return require.apply(this, arguments);
   throw Error('Dynamic require of "' + x + '" is not supported');
 });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+function toBufferSource(data) {
+  return new Uint8Array(data).buffer;
+}
+function getCrypto() {
+  if (typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.subtle !== "undefined" && typeof globalThis.crypto.getRandomValues === "function") {
+    return globalThis.crypto;
+  }
+  const nodeCrypto = __require("crypto");
+  if (nodeCrypto.webcrypto) {
+    return nodeCrypto.webcrypto;
+  }
+  throw new Error("Web Crypto API not available. Requires Node.js 15+ or a modern browser.");
+}
+function randomBytes(length) {
+  const crypto = getCrypto();
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+}
+async function deriveKey(password, salt) {
+  const result = await argon2.hash({
+    pass: password,
+    salt,
+    type: ARGON2_PARAMS.type,
+    mem: ARGON2_PARAMS.memory,
+    time: ARGON2_PARAMS.iterations,
+    parallelism: ARGON2_PARAMS.parallelism,
+    hashLen: ARGON2_PARAMS.hashLen
+  });
+  const crypto = getCrypto();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    toBufferSource(result.hash),
+    { name: "AES-GCM", length: 256 },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+  return key;
+}
+async function deriveKeyBytes(password, salt) {
+  const result = await argon2.hash({
+    pass: password,
+    salt,
+    type: ARGON2_PARAMS.type,
+    mem: ARGON2_PARAMS.memory,
+    time: ARGON2_PARAMS.iterations,
+    parallelism: ARGON2_PARAMS.parallelism,
+    hashLen: ARGON2_PARAMS.hashLen
+  });
+  return result.hash;
+}
+async function encrypt(data, password) {
+  const crypto = getCrypto();
+  const salt = randomBytes(SALT_LENGTH);
+  const iv = randomBytes(IV_LENGTH);
+  const key = await deriveKey(password, salt);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv: toBufferSource(iv) },
+    key,
+    toBufferSource(data)
+  );
+  return {
+    ciphertext: new Uint8Array(ciphertext),
+    iv,
+    salt
+  };
+}
+async function encryptWithKey(data, key, salt) {
+  const crypto = getCrypto();
+  const iv = randomBytes(IV_LENGTH);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv: toBufferSource(iv) },
+    key,
+    toBufferSource(data)
+  );
+  return {
+    ciphertext: new Uint8Array(ciphertext),
+    iv,
+    salt
+  };
+}
+async function decrypt(encrypted, password) {
+  const crypto = getCrypto();
+  const key = await deriveKey(password, encrypted.salt);
+  try {
+    const plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: toBufferSource(encrypted.iv) },
+      key,
+      toBufferSource(encrypted.ciphertext)
+    );
+    return new Uint8Array(plaintext);
+  } catch {
+    throw new Error("Decryption failed: wrong password or corrupted data");
+  }
+}
+async function decryptWithKey(encrypted, key) {
+  const crypto = getCrypto();
+  try {
+    const plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: toBufferSource(encrypted.iv) },
+      key,
+      toBufferSource(encrypted.ciphertext)
+    );
+    return new Uint8Array(plaintext);
+  } catch {
+    throw new Error("Decryption failed: wrong key or corrupted data");
+  }
+}
+function serializeEncryptedData(encrypted) {
+  return {
+    ciphertext: bytesToBase64(encrypted.ciphertext),
+    iv: bytesToBase64(encrypted.iv),
+    salt: bytesToBase64(encrypted.salt),
+    version: ENCRYPTION_VERSION
+  };
+}
+function deserializeEncryptedData(serialized) {
+  if (serialized.version > ENCRYPTION_VERSION) {
+    throw new Error(`Unsupported encryption version: ${serialized.version}`);
+  }
+  return {
+    ciphertext: base64ToBytes(serialized.ciphertext),
+    iv: base64ToBytes(serialized.iv),
+    salt: base64ToBytes(serialized.salt)
+  };
+}
+async function encryptDatabase(dbBuffer, password) {
+  const encrypted = await encrypt(dbBuffer, password);
+  const combined = new Uint8Array(1 + SALT_LENGTH + IV_LENGTH + encrypted.ciphertext.length);
+  combined[0] = ENCRYPTION_VERSION;
+  combined.set(encrypted.salt, 1);
+  combined.set(encrypted.iv, 1 + SALT_LENGTH);
+  combined.set(encrypted.ciphertext, 1 + SALT_LENGTH + IV_LENGTH);
+  return combined;
+}
+async function decryptDatabase(encryptedBuffer, password) {
+  if (encryptedBuffer.length < 1 + SALT_LENGTH + IV_LENGTH) {
+    throw new Error("Invalid encrypted database: too short");
+  }
+  const version = encryptedBuffer[0];
+  if (version > ENCRYPTION_VERSION) {
+    throw new Error(`Unsupported encryption version: ${version}`);
+  }
+  const salt = encryptedBuffer.slice(1, 1 + SALT_LENGTH);
+  const iv = encryptedBuffer.slice(1 + SALT_LENGTH, 1 + SALT_LENGTH + IV_LENGTH);
+  const ciphertext = encryptedBuffer.slice(1 + SALT_LENGTH + IV_LENGTH);
+  return decrypt({ ciphertext, iv, salt }, password);
+}
+function isEncryptedDatabase(buffer) {
+  if (buffer.length < 1 + SALT_LENGTH + IV_LENGTH) {
+    return false;
+  }
+  const version = buffer[0];
+  return version >= 1 && version <= ENCRYPTION_VERSION;
+}
+async function createPasswordVerification(password, salt) {
+  const keyBytes = await deriveKeyBytes(password, salt);
+  const crypto = getCrypto();
+  const keyBuffer = new Uint8Array(keyBytes).buffer;
+  const verificationHash = await crypto.subtle.digest("SHA-256", keyBuffer);
+  return new Uint8Array(verificationHash);
+}
+async function verifyPassword(password, salt, storedHash) {
+  const computedHash = await createPasswordVerification(password, salt);
+  if (computedHash.length !== storedHash.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < computedHash.length; i++) {
+    result |= computedHash[i] ^ storedHash[i];
+  }
+  return result === 0;
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  } else {
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+  }
+}
+function base64ToBytes(base64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+}
+var ARGON2_PARAMS, ENCRYPTION_VERSION, IV_LENGTH, SALT_LENGTH;
+var init_encryption = __esm({
+  "src/crypto/encryption.ts"() {
+    ARGON2_PARAMS = {
+      type: argon2.ArgonType.Argon2id,
+      memory: 65536,
+      // 64 MB
+      iterations: 3,
+      parallelism: 4,
+      hashLen: 32
+      // 256 bits for AES-256
+    };
+    ENCRYPTION_VERSION = 1;
+    IV_LENGTH = 12;
+    SALT_LENGTH = 16;
+  }
+});
+
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  ENCRYPTION_VERSION: () => ENCRYPTION_VERSION,
+  IV_LENGTH: () => IV_LENGTH,
+  SALT_LENGTH: () => SALT_LENGTH,
+  createPasswordVerification: () => createPasswordVerification,
+  decrypt: () => decrypt,
+  decryptDatabase: () => decryptDatabase,
+  decryptWithKey: () => decryptWithKey,
+  deriveKey: () => deriveKey,
+  deriveKeyBytes: () => deriveKeyBytes,
+  deserializeEncryptedData: () => deserializeEncryptedData,
+  encrypt: () => encrypt,
+  encryptDatabase: () => encryptDatabase,
+  encryptWithKey: () => encryptWithKey,
+  isEncryptedDatabase: () => isEncryptedDatabase,
+  randomBytes: () => randomBytes,
+  serializeEncryptedData: () => serializeEncryptedData,
+  verifyPassword: () => verifyPassword
+});
+var init_crypto = __esm({
+  "src/crypto/index.ts"() {
+    init_encryption();
+  }
+});
+
+// src/key-manager.ts
+init_crypto();
 var Scalar2 = blsctModule.Scalar;
 var ChildKey2 = blsctModule.ChildKey;
 var PublicKey2 = blsctModule.PublicKey;
 var SubAddr2 = blsctModule.SubAddr;
 var SubAddrId2 = blsctModule.SubAddrId;
 var DoublePublicKey2 = blsctModule.DoublePublicKey;
+var Address2 = blsctModule.Address;
+var AddressEncoding2 = blsctModule.AddressEncoding;
+var setChain2 = blsctModule.setChain;
+var BlsctChain2 = blsctModule.BlsctChain;
 var calcPrivSpendingKey2 = blsctModule.calcPrivSpendingKey;
 var recoverAmount2 = blsctModule.recoverAmount;
 var ViewTag2 = blsctModule.ViewTag;
@@ -26,7 +286,7 @@ var getAmountRecoveryResultSize2 = blsctModule.getAmountRecoveryResultSize;
 var getAmountRecoveryResultIsSucc2 = blsctModule.getAmountRecoveryResultIsSucc;
 var getAmountRecoveryResultAmount2 = blsctModule.getAmountRecoveryResultAmount;
 var deleteAmountsRetVal2 = blsctModule.deleteAmountsRetVal;
-var KeyManager = class {
+var KeyManager = class _KeyManager {
   constructor() {
     this.hdChain = null;
     this.viewKey = null;
@@ -63,6 +323,11 @@ var KeyManager = class {
     // Flags
     this.fViewKeyDefined = false;
     this.fSpendKeyDefined = false;
+    // Encryption state
+    this.encrypted = false;
+    this.encryptionSalt = null;
+    this.passwordVerificationHash = null;
+    this.encryptionKey = null;
   }
   /**
    * Check if HD is enabled (has a seed)
@@ -78,6 +343,196 @@ var KeyManager = class {
   canGenerateKeys() {
     return this.isHDEnabled();
   }
+  // ============================================================================
+  // Encryption Methods
+  // ============================================================================
+  /**
+   * Check if the wallet is encrypted
+   * @returns True if the wallet has been encrypted with a password
+   */
+  isEncrypted() {
+    return this.encrypted;
+  }
+  /**
+   * Check if the wallet is unlocked (decryption key is cached)
+   * @returns True if the wallet is unlocked and can access private keys
+   */
+  isUnlocked() {
+    return !this.encrypted || this.encryptionKey !== null;
+  }
+  /**
+   * Set a password to encrypt the wallet
+   * This encrypts all private keys and stores them in encrypted form
+   * 
+   * @param password - The password to encrypt the wallet with
+   * @throws Error if wallet is already encrypted
+   */
+  async setPassword(password) {
+    if (this.encrypted) {
+      throw new Error("Wallet is already encrypted. Use changePassword() to change the password.");
+    }
+    this.encryptionSalt = randomBytes(SALT_LENGTH);
+    this.encryptionKey = await deriveKey(password, this.encryptionSalt);
+    this.passwordVerificationHash = await createPasswordVerification(password, this.encryptionSalt);
+    await this.encryptAllKeys();
+    this.encrypted = true;
+  }
+  /**
+   * Unlock an encrypted wallet with the password
+   * This derives the encryption key and caches it for decrypting private keys
+   * 
+   * @param password - The wallet password
+   * @returns True if the password is correct and wallet is unlocked
+   */
+  async unlock(password) {
+    if (!this.encrypted) {
+      return true;
+    }
+    if (!this.encryptionSalt || !this.passwordVerificationHash) {
+      throw new Error("Wallet encryption state is corrupted");
+    }
+    const isValid = await verifyPassword(password, this.encryptionSalt, this.passwordVerificationHash);
+    if (!isValid) {
+      return false;
+    }
+    this.encryptionKey = await deriveKey(password, this.encryptionSalt);
+    await this.decryptEssentialKeys();
+    return true;
+  }
+  /**
+   * Lock the wallet, clearing the cached encryption key
+   * After locking, private keys cannot be accessed without unlocking again
+   */
+  lock() {
+    if (!this.encrypted) {
+      return;
+    }
+    this.encryptionKey = null;
+  }
+  /**
+   * Change the wallet password
+   * 
+   * @param oldPassword - The current password
+   * @param newPassword - The new password
+   * @returns True if password was changed successfully
+   * @throws Error if wallet is not encrypted or old password is incorrect
+   */
+  async changePassword(oldPassword, newPassword) {
+    if (!this.encrypted) {
+      throw new Error("Wallet is not encrypted. Use setPassword() first.");
+    }
+    const unlocked = await this.unlock(oldPassword);
+    if (!unlocked) {
+      return false;
+    }
+    const newSalt = randomBytes(SALT_LENGTH);
+    const newKey = await deriveKey(newPassword, newSalt);
+    await this.reEncryptAllKeys(newKey, newSalt);
+    this.encryptionSalt = newSalt;
+    this.encryptionKey = newKey;
+    this.passwordVerificationHash = await createPasswordVerification(newPassword, newSalt);
+    return true;
+  }
+  /**
+   * Get encryption parameters for storage
+   * @returns Encryption salt and verification hash, or null if not encrypted
+   */
+  getEncryptionParams() {
+    if (!this.encrypted || !this.encryptionSalt || !this.passwordVerificationHash) {
+      return null;
+    }
+    return {
+      salt: this.bytesToHex(this.encryptionSalt),
+      verificationHash: this.bytesToHex(this.passwordVerificationHash)
+    };
+  }
+  /**
+   * Set encryption parameters from storage (for loading encrypted wallet)
+   * @param salt - Hex-encoded salt
+   * @param verificationHash - Hex-encoded verification hash
+   */
+  setEncryptionParams(salt, verificationHash) {
+    this.encryptionSalt = this.hexToBytes(salt);
+    this.passwordVerificationHash = this.hexToBytes(verificationHash);
+    this.encrypted = true;
+  }
+  /**
+   * Encrypt all private keys in the wallet
+   * Internal method called when setting password
+   */
+  async encryptAllKeys() {
+    if (!this.encryptionKey || !this.encryptionSalt) {
+      throw new Error("Encryption key not available");
+    }
+    for (const [keyIdHex, secretKey] of this.keys) {
+      const keyBytes = this.hexToBytes(secretKey.serialize());
+      const encrypted = await encryptWithKey(keyBytes, this.encryptionKey, this.encryptionSalt);
+      const publicKey = PublicKey2.fromScalar(secretKey);
+      this.cryptedKeys.set(keyIdHex, {
+        publicKey,
+        encryptedSecret: this.serializeEncryptedToBytes(encrypted)
+      });
+    }
+    for (const [outIdHex, secretKey] of this.outKeys) {
+      const keyBytes = this.hexToBytes(secretKey.serialize());
+      const encrypted = await encryptWithKey(keyBytes, this.encryptionKey, this.encryptionSalt);
+      const publicKey = PublicKey2.fromScalar(secretKey);
+      this.cryptedOutKeys.set(outIdHex, {
+        publicKey,
+        encryptedSecret: this.serializeEncryptedToBytes(encrypted)
+      });
+    }
+  }
+  /**
+   * Decrypt essential keys needed for wallet operations
+   * Called after successful unlock
+   */
+  async decryptEssentialKeys() {
+  }
+  /**
+   * Re-encrypt all keys with a new key (for password change)
+   */
+  async reEncryptAllKeys(newKey, newSalt) {
+    if (!this.encryptionKey) {
+      throw new Error("Wallet must be unlocked to change password");
+    }
+    for (const [keyIdHex, cryptedData] of this.cryptedKeys) {
+      const encrypted = this.deserializeEncryptedFromBytes(cryptedData.encryptedSecret);
+      const decrypted = await decryptWithKey(encrypted, this.encryptionKey);
+      const reEncrypted = await encryptWithKey(decrypted, newKey, newSalt);
+      this.cryptedKeys.set(keyIdHex, {
+        publicKey: cryptedData.publicKey,
+        encryptedSecret: this.serializeEncryptedToBytes(reEncrypted)
+      });
+    }
+    for (const [outIdHex, cryptedData] of this.cryptedOutKeys) {
+      const encrypted = this.deserializeEncryptedFromBytes(cryptedData.encryptedSecret);
+      const decrypted = await decryptWithKey(encrypted, this.encryptionKey);
+      const reEncrypted = await encryptWithKey(decrypted, newKey, newSalt);
+      this.cryptedOutKeys.set(outIdHex, {
+        publicKey: cryptedData.publicKey,
+        encryptedSecret: this.serializeEncryptedToBytes(reEncrypted)
+      });
+    }
+  }
+  /**
+   * Serialize EncryptedData to bytes for storage
+   */
+  serializeEncryptedToBytes(encrypted) {
+    const serialized = serializeEncryptedData(encrypted);
+    return new TextEncoder().encode(JSON.stringify(serialized));
+  }
+  /**
+   * Deserialize EncryptedData from bytes
+   */
+  deserializeEncryptedFromBytes(bytes) {
+    const json = new TextDecoder().decode(bytes);
+    const serialized = JSON.parse(json);
+    return deserializeEncryptedData(serialized);
+  }
+  // ============================================================================
+  // End Encryption Methods
+  // ============================================================================
   /**
    * Generate a new random seed
    * @returns A new random Scalar (seed)
@@ -171,6 +626,108 @@ var KeyManager = class {
     }
     return this.masterSeed;
   }
+  // ============================================================
+  // Mnemonic Support (BIP39)
+  // ============================================================
+  /**
+   * Generate a new random mnemonic phrase (24 words)
+   * @param strength - Entropy strength in bits (128=12 words, 160=15 words, 192=18 words, 224=21 words, 256=24 words)
+   * @returns A BIP39 mnemonic phrase
+   */
+  static generateMnemonic(strength = 256) {
+    return bip39.generateMnemonic(wordlist, strength);
+  }
+  /**
+   * Validate a mnemonic phrase
+   * @param mnemonic - The mnemonic phrase to validate
+   * @returns True if the mnemonic is valid
+   */
+  static validateMnemonic(mnemonic) {
+    return bip39.validateMnemonic(mnemonic, wordlist);
+  }
+  /**
+   * Convert a mnemonic phrase to seed bytes
+   * Uses BIP39 standard derivation with optional passphrase
+   * @param mnemonic - The mnemonic phrase
+   * @param passphrase - Optional passphrase for additional security
+   * @returns 64-byte seed derived from mnemonic
+   */
+  static mnemonicToSeedBytes(mnemonic, passphrase = "") {
+    if (!_KeyManager.validateMnemonic(mnemonic)) {
+      throw new Error("Invalid mnemonic phrase");
+    }
+    return bip39.mnemonicToSeedSync(mnemonic, passphrase);
+  }
+  /**
+   * Convert a seed (Scalar) to a mnemonic phrase
+   * Note: This converts the 32-byte scalar to mnemonic using it as entropy
+   * @param seed - The seed Scalar
+   * @returns A 24-word mnemonic phrase
+   */
+  static seedToMnemonic(seed) {
+    const seedHex = seed.serialize().padStart(64, "0");
+    const seedBytes = Buffer.from(seedHex, "hex");
+    if (seedBytes.length !== 32) {
+      throw new Error(`Invalid seed length: ${seedBytes.length}, expected 32 bytes`);
+    }
+    return bip39.entropyToMnemonic(seedBytes, wordlist);
+  }
+  /**
+   * Convert a mnemonic phrase to a Scalar seed
+   * For direct entropy-based conversion (mnemonic as entropy, not BIP39 derivation)
+   * @param mnemonic - The mnemonic phrase
+   * @returns A Scalar seed
+   */
+  static mnemonicToScalar(mnemonic) {
+    if (!_KeyManager.validateMnemonic(mnemonic)) {
+      throw new Error("Invalid mnemonic phrase");
+    }
+    const entropy = bip39.mnemonicToEntropy(mnemonic, wordlist);
+    const entropyHex = Buffer.from(entropy).toString("hex");
+    return Scalar2.deserialize(entropyHex);
+  }
+  /**
+   * Generate a new mnemonic and set it as the HD seed
+   * @param strength - Entropy strength in bits (default: 256 for 24 words)
+   * @returns The mnemonic phrase that can be used to recover this wallet
+   * @note The returned mnemonic is derived from the stored seed, which ensures
+   *       it will produce the same wallet when used for restoration. Due to BLS
+   *       Scalar normalization, this may differ from the initially generated entropy.
+   */
+  generateNewMnemonic(strength = 256) {
+    const mnemonic = _KeyManager.generateMnemonic(strength);
+    this.setHDSeedFromMnemonic(mnemonic);
+    return this.getMnemonic();
+  }
+  /**
+   * Set the HD seed from a mnemonic phrase
+   * Uses direct entropy conversion (mnemonic words encode the seed directly)
+   * @param mnemonic - The mnemonic phrase
+   */
+  setHDSeedFromMnemonic(mnemonic) {
+    const seed = _KeyManager.mnemonicToScalar(mnemonic);
+    this.setHDSeed(seed);
+  }
+  /**
+   * Get the mnemonic phrase for the current seed
+   * @returns The mnemonic phrase for the current master seed
+   */
+  getMnemonic() {
+    if (!this.masterSeed) {
+      throw new Error("No master seed available");
+    }
+    return _KeyManager.seedToMnemonic(this.masterSeed);
+  }
+  /**
+   * Get the master seed as a hex string
+   * @returns The master seed as a 64-character hex string (32 bytes)
+   */
+  getMasterSeedHex() {
+    if (!this.masterSeed) {
+      throw new Error("No master seed available");
+    }
+    return this.masterSeed.serialize().padStart(64, "0");
+  }
   /**
    * Get the private view key
    * @returns The view key
@@ -204,6 +761,37 @@ var KeyManager = class {
     const subAddrId = SubAddrId2.generate(id.account, id.address);
     return SubAddr2.generate(this.viewKey, this.spendPublicKey, subAddrId);
   }
+  /**
+   * Get a bech32m encoded address string for the given sub-address identifier
+   * @param id - The sub-address identifier (defaults to account 0, address 0)
+   * @param network - The network type ('mainnet' or 'testnet', defaults to 'mainnet')
+   * @returns The bech32m encoded address string
+   * @example
+   * ```typescript
+   * const keyManager = new KeyManager();
+   * keyManager.setHDSeed(seed);
+   * 
+   * // Get mainnet address
+   * const mainnetAddress = keyManager.getSubAddressBech32m({ account: 0, address: 0 }, 'mainnet');
+   * 
+   * // Get testnet address  
+   * const testnetAddress = keyManager.getSubAddressBech32m({ account: 0, address: 0 }, 'testnet');
+   * ```
+   */
+  getSubAddressBech32m(id = { account: 0, address: 0 }, network = "mainnet") {
+    const chain = network === "mainnet" ? BlsctChain2.Mainnet : BlsctChain2.Testnet;
+    setChain2(chain);
+    const subAddress = this.getSubAddress(id);
+    const serialized = subAddress.serialize();
+    const dpk = DoublePublicKey2.deserialize(serialized);
+    const address = Address2.encode(dpk, AddressEncoding2.Bech32M);
+    if (!address || address.length === 0) {
+      throw new Error(
+        `Address encoding returned empty. This may indicate a navio-blsct WASM issue. Serialized subAddress (${serialized.length} chars): ${serialized.substring(0, 32)}...`
+      );
+    }
+    return address;
+  }
   /**
    * Generate a new sub-address for the given account
    * @param account - The account number (0 for main, -1 for change, -2 for staking)
@@ -665,6 +1253,13 @@ var KeyManager = class {
   bytesToHex(bytes) {
     return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
   }
+  hexToBytes(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+      bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+    }
+    return bytes;
+  }
   /**
    * Get the private spending key
    * Replicates GetSpendingKey from keyman.cpp
@@ -1362,7 +1957,7 @@ async function loadSQL() {
     throw new Error(`Failed to load SQL.js: ${error}. Please install sql.js: npm install sql.js`);
   }
 }
-var WalletDB = class {
+var WalletDB = class _WalletDB {
   /**
    * Create a new WalletDB instance
    * @param dbPath - Path to the database file (or name for in-memory)
@@ -1530,6 +2125,15 @@ var WalletDB = class {
         version INTEGER NOT NULL DEFAULT 1
       )
     `);
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS encryption_metadata (
+        id INTEGER PRIMARY KEY,
+        is_encrypted INTEGER NOT NULL DEFAULT 0,
+        salt TEXT,
+        verification_hash TEXT,
+        encryption_version INTEGER NOT NULL DEFAULT 1
+      )
+    `);
     this.db.run(`
       CREATE TABLE IF NOT EXISTS wallet_outputs (
         output_hash TEXT PRIMARY KEY,
@@ -1703,6 +2307,28 @@ var WalletDB = class {
     this.keyManager = keyManager;
     return keyManager;
   }
+  /**
+   * Restore wallet from mnemonic phrase
+   * @param mnemonic - The BIP39 mnemonic phrase (12-24 words)
+   * @param creationHeight - Optional block height to start scanning from (for faster restore)
+   * @returns The restored KeyManager instance
+   */
+  async restoreWalletFromMnemonic(mnemonic, creationHeight) {
+    await this.initDatabase();
+    const keyManager = new KeyManager();
+    keyManager.setHDSeedFromMnemonic(mnemonic);
+    keyManager.newSubAddressPool(0);
+    keyManager.newSubAddressPool(-1);
+    keyManager.newSubAddressPool(-2);
+    await this.saveWallet(keyManager);
+    await this.saveWalletMetadata({
+      creationHeight: creationHeight ?? 0,
+      creationTime: Date.now(),
+      restoredFromSeed: true
+    });
+    this.keyManager = keyManager;
+    return keyManager;
+  }
   /**
    * Save wallet metadata to database
    */
@@ -2031,6 +2657,255 @@ var WalletDB = class {
     stmt.free();
     return outputs;
   }
+  // ============================================================================
+  // Encryption Methods
+  // ============================================================================
+  /**
+   * Check if the database has encryption enabled
+   * @returns True if encryption is enabled
+   */
+  isEncrypted() {
+    if (!this.isOpen) {
+      return false;
+    }
+    const stmt = this.db.prepare("SELECT is_encrypted FROM encryption_metadata WHERE id = 0");
+    if (stmt.step()) {
+      const result = stmt.getAsObject().is_encrypted === 1;
+      stmt.free();
+      return result;
+    }
+    stmt.free();
+    return false;
+  }
+  /**
+   * Save encryption metadata to the database
+   * @param salt - Hex-encoded salt
+   * @param verificationHash - Hex-encoded password verification hash
+   */
+  saveEncryptionMetadata(salt, verificationHash) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    this.db.run(`
+      INSERT OR REPLACE INTO encryption_metadata (id, is_encrypted, salt, verification_hash, encryption_version)
+      VALUES (0, 1, ?, ?, 1)
+    `, [salt, verificationHash]);
+  }
+  /**
+   * Load encryption metadata from the database
+   * @returns Encryption metadata or null if not encrypted
+   */
+  getEncryptionMetadata() {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const stmt = this.db.prepare(`
+      SELECT salt, verification_hash FROM encryption_metadata WHERE id = 0 AND is_encrypted = 1
+    `);
+    if (stmt.step()) {
+      const row = stmt.getAsObject();
+      stmt.free();
+      if (row.salt && row.verification_hash) {
+        return {
+          salt: row.salt,
+          verificationHash: row.verification_hash
+        };
+      }
+    }
+    stmt.free();
+    return null;
+  }
+  /**
+   * Save an encrypted key to the database
+   * @param keyId - Key identifier (hex)
+   * @param publicKey - Public key (hex)
+   * @param encryptedSecret - Encrypted secret (JSON string)
+   */
+  saveEncryptedKey(keyId, publicKey, encryptedSecret) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    this.db.run(`
+      INSERT OR REPLACE INTO crypted_keys (key_id, public_key, encrypted_secret)
+      VALUES (?, ?, ?)
+    `, [keyId, publicKey, encryptedSecret]);
+  }
+  /**
+   * Load an encrypted key from the database
+   * @param keyId - Key identifier (hex)
+   * @returns Encrypted key data or null if not found
+   */
+  getEncryptedKey(keyId) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const stmt = this.db.prepare(`
+      SELECT public_key, encrypted_secret FROM crypted_keys WHERE key_id = ?
+    `);
+    stmt.bind([keyId]);
+    if (stmt.step()) {
+      const row = stmt.getAsObject();
+      stmt.free();
+      return {
+        publicKey: row.public_key,
+        encryptedSecret: row.encrypted_secret
+      };
+    }
+    stmt.free();
+    return null;
+  }
+  /**
+   * Get all encrypted keys from the database
+   * @returns Array of encrypted key data
+   */
+  getAllEncryptedKeys() {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const stmt = this.db.prepare("SELECT key_id, public_key, encrypted_secret FROM crypted_keys");
+    const keys = [];
+    while (stmt.step()) {
+      const row = stmt.getAsObject();
+      keys.push({
+        keyId: row.key_id,
+        publicKey: row.public_key,
+        encryptedSecret: row.encrypted_secret
+      });
+    }
+    stmt.free();
+    return keys;
+  }
+  /**
+   * Save an encrypted output key to the database
+   * @param outId - Output identifier (hex)
+   * @param publicKey - Public key (hex)
+   * @param encryptedSecret - Encrypted secret (JSON string)
+   */
+  saveEncryptedOutKey(outId, publicKey, encryptedSecret) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    this.db.run(`
+      INSERT OR REPLACE INTO crypted_out_keys (out_id, public_key, encrypted_secret)
+      VALUES (?, ?, ?)
+    `, [outId, publicKey, encryptedSecret]);
+  }
+  /**
+   * Load an encrypted output key from the database
+   * @param outId - Output identifier (hex)
+   * @returns Encrypted output key data or null if not found
+   */
+  getEncryptedOutKey(outId) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const stmt = this.db.prepare(`
+      SELECT public_key, encrypted_secret FROM crypted_out_keys WHERE out_id = ?
+    `);
+    stmt.bind([outId]);
+    if (stmt.step()) {
+      const row = stmt.getAsObject();
+      stmt.free();
+      return {
+        publicKey: row.public_key,
+        encryptedSecret: row.encrypted_secret
+      };
+    }
+    stmt.free();
+    return null;
+  }
+  /**
+   * Get all encrypted output keys from the database
+   * @returns Array of encrypted output key data
+   */
+  getAllEncryptedOutKeys() {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const stmt = this.db.prepare("SELECT out_id, public_key, encrypted_secret FROM crypted_out_keys");
+    const keys = [];
+    while (stmt.step()) {
+      const row = stmt.getAsObject();
+      keys.push({
+        outId: row.out_id,
+        publicKey: row.public_key,
+        encryptedSecret: row.encrypted_secret
+      });
+    }
+    stmt.free();
+    return keys;
+  }
+  /**
+   * Delete plaintext keys (after encryption)
+   * This removes the unencrypted keys from the database
+   */
+  deletePlaintextKeys() {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    this.db.run("DELETE FROM keys");
+    this.db.run("DELETE FROM out_keys");
+  }
+  /**
+   * Export the database as an encrypted binary blob
+   * Uses the encryption module to encrypt the entire SQLite database
+   * 
+   * @param password - Password to encrypt the export
+   * @returns Encrypted database bytes
+   */
+  async exportEncrypted(password) {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    const { encryptDatabase: encryptDatabase2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+    const dbBuffer = this.db.export();
+    const encrypted = await encryptDatabase2(new Uint8Array(dbBuffer), password);
+    return encrypted;
+  }
+  /**
+   * Load a database from an encrypted binary blob
+   * 
+   * @param encryptedData - Encrypted database bytes
+   * @param password - Password to decrypt
+   * @param dbPath - Path for the new database instance
+   * @returns New WalletDB instance with decrypted data
+   */
+  static async loadEncrypted(encryptedData, password, dbPath = ":memory:") {
+    const { decryptDatabase: decryptDatabase2, isEncryptedDatabase: isEncryptedDatabase2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+    if (!isEncryptedDatabase2(encryptedData)) {
+      throw new Error("Data does not appear to be an encrypted database");
+    }
+    const decryptedBuffer = await decryptDatabase2(encryptedData, password);
+    const walletDb = new _WalletDB(dbPath);
+    const SQL2 = await loadSQL();
+    walletDb.db = new SQL2.Database(decryptedBuffer);
+    walletDb.isOpen = true;
+    return walletDb;
+  }
+  /**
+   * Get the raw database bytes (unencrypted)
+   * @returns Database bytes
+   */
+  export() {
+    if (!this.isOpen) {
+      throw new Error("Database not initialized");
+    }
+    return new Uint8Array(this.db.export());
+  }
+  /**
+   * Load a database from raw bytes
+   * 
+   * @param data - Raw database bytes
+   * @param dbPath - Path for the new database instance
+   * @returns New WalletDB instance
+   */
+  static async loadFromBytes(data, dbPath = ":memory:") {
+    const walletDb = new _WalletDB(dbPath);
+    const SQL2 = await loadSQL();
+    walletDb.db = new SQL2.Database(data);
+    walletDb.isOpen = true;
+    return walletDb;
+  }
 };
 var WebSocketClass;
 var isBrowserWebSocket = false;
@@ -2422,7 +3297,7 @@ var ElectrumClient = class {
   }
 };
 var TransactionKeysSync = class {
-  // Keep last 1k block hashes by default
+  // Keep last 10k block hashes by default
   /**
    * Create a new TransactionKeysSync instance
    * @param walletDB - The wallet database
@@ -2431,7 +3306,7 @@ var TransactionKeysSync = class {
   constructor(walletDB, provider) {
     this.keyManager = null;
     this.syncState = null;
-    this.blockHashRetention = 1e3;
+    this.blockHashRetention = 1e4;
     this.walletDB = walletDB;
     if ("type" in provider && (provider.type === "electrum" || provider.type === "p2p" || provider.type === "custom")) {
       this.syncProvider = provider;
@@ -2539,7 +3414,7 @@ var TransactionKeysSync = class {
       verifyHashes = true,
       saveInterval = 100,
       keepTxKeys = false,
-      blockHashRetention = 1e3
+      blockHashRetention = 1e4
     } = options;
     this.blockHashRetention = blockHashRetention;
     const lastSynced = this.syncState?.lastSyncedHeight ?? -1;
@@ -4659,6 +5534,13 @@ var _NavioClient = class _NavioClient {
       );
       this.syncManager.setKeyManager(this.keyManager);
       await this.syncProvider.connect();
+    } else if (this.config.restoreFromMnemonic) {
+      this.keyManager = await this.walletDB.restoreWalletFromMnemonic(
+        this.config.restoreFromMnemonic,
+        this.config.restoreFromHeight
+      );
+      this.syncManager.setKeyManager(this.keyManager);
+      await this.syncProvider.connect();
     } else {
       try {
         this.keyManager = await this.walletDB.loadWallet();
@@ -4997,6 +5879,9 @@ var _NavioClient = class _NavioClient {
 _NavioClient.CREATION_HEIGHT_MARGIN = 100;
 var NavioClient = _NavioClient;
 
-export { BaseSyncProvider, DefaultPorts, ElectrumClient, ElectrumError, ElectrumSyncProvider, InvType, KeyManager, MessageType, NavioClient, NetworkMagic, P2PClient, P2PSyncProvider, PROTOCOL_VERSION, ServiceFlags, TransactionKeysSync, WalletDB };
+// src/index.ts
+init_crypto();
+
+export { BaseSyncProvider, DefaultPorts, ENCRYPTION_VERSION, ElectrumClient, ElectrumError, ElectrumSyncProvider, IV_LENGTH, InvType, KeyManager, MessageType, NavioClient, NetworkMagic, P2PClient, P2PSyncProvider, PROTOCOL_VERSION, SALT_LENGTH, ServiceFlags, TransactionKeysSync, WalletDB, createPasswordVerification, decrypt, decryptDatabase, decryptWithKey, deriveKey, deriveKeyBytes, deserializeEncryptedData, encrypt, encryptDatabase, encryptWithKey, isEncryptedDatabase, randomBytes, serializeEncryptedData, verifyPassword };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map