npm - quantumcoin - Versions diffs - 7.0.10 → 7.0.11 - Mend

quantumcoin 7.0.10 → 7.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/test/security/malformed-input.test.js CHANGED Viewed

@@ -2,7 +2,8 @@
  * @testCategory security
  * @blockchainRequired false
  * @transactional false
- * @description Security tests for malformed input, edge cases, and invalid values
+ * @description Security tests for malformed input, edge cases, and invalid values.
+ *              Covers all findings from the consolidated security audit.
  * Run with VERBOSE=1 for test names.
  */
@@ -35,3 +36,296 @@ describe("Security: Malformed Input", () => {
   });
 });
+describe("Security: C1 - Private key enumeration protection", () => {
+  logSuite("Security: C1 - Private key enumeration protection");
+  it("JSON.stringify(wallet) must NOT contain privateKey or seed", async () => {
+    logTest("JSON.stringify(wallet) must NOT contain privateKey or seed", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const json = JSON.stringify(w);
+    const parsed = JSON.parse(json);
+    assert.ok(!("privateKey" in parsed), "privateKey must not appear in JSON");
+    assert.ok(!("seed" in parsed), "seed must not appear in JSON");
+    assert.ok(!("signingKey" in parsed), "signingKey must not appear in JSON");
+    assert.ok(!("_qcWallet" in parsed), "_qcWallet must not appear in JSON");
+    assert.ok(!("_seed" in parsed), "_seed must not appear in JSON");
+    assert.ok(!("privateKeyBytes" in parsed), "privateKeyBytes must not appear in JSON");
+    assert.ok("address" in parsed, "address should be in JSON");
+  });
+  it("Object.keys(wallet) must not include secret properties", async () => {
+    logTest("Object.keys(wallet) must not include secret properties", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const keys = Object.keys(w);
+    assert.ok(!keys.includes("privateKey"), "privateKey must not be enumerable");
+    assert.ok(!keys.includes("seed"), "seed must not be enumerable");
+    assert.ok(!keys.includes("signingKey"), "signingKey must not be enumerable");
+    assert.ok(!keys.includes("_qcWallet"), "_qcWallet must not be enumerable");
+    assert.ok(!keys.includes("_seed"), "_seed must not be enumerable");
+  });
+  it("privateKey and seed are still accessible directly", async () => {
+    logTest("privateKey and seed are still accessible directly", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    assert.equal(typeof w.privateKey, "string");
+    assert.ok(w.privateKey.startsWith("0x"));
+    assert.equal(typeof w.seed, "string");
+  });
+});
+describe("Security: C3 - Wallet.connect() preserves state", () => {
+  logSuite("Security: C3 - Wallet.connect() preserves state");
+  it("connect() preserves seed", async () => {
+    logTest("connect() preserves seed", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const seedBefore = w.seed;
+    const provider = new qc.JsonRpcProvider("http://127.0.0.1:9999", 123123);
+    const connected = w.connect(provider);
+    assert.equal(connected.seed, seedBefore, "seed must survive connect()");
+    assert.equal(connected.address, w.address, "address must survive connect()");
+  });
+});
+describe("Security: C4 - KDF string password handling", () => {
+  logSuite("Security: C4 - KDF string password handling");
+  it("pbkdf2 with plain string password does not crash", async () => {
+    logTest("pbkdf2 with plain string password does not crash", {});
+    const result = qc.pbkdf2("password123", "salt123", 1000, 32, "sha256");
+    assert.equal(typeof result, "string");
+    assert.ok(result.startsWith("0x"));
+  });
+  it("computeHmac with plain string key/data does not crash", async () => {
+    logTest("computeHmac with plain string key/data does not crash", {});
+    const result = qc.computeHmac("sha256", "mykey", "mydata");
+    assert.equal(typeof result, "string");
+    assert.ok(result.startsWith("0x"));
+  });
+  it("scryptSync with plain string password does not crash", async () => {
+    logTest("scryptSync with plain string password does not crash", {});
+    const result = qc.scryptSync("password123", "salt123", 1024, 8, 1, 32);
+    assert.equal(typeof result, "string");
+    assert.ok(result.startsWith("0x"));
+  });
+});
+describe("Security: H2 - Numeric precision in signTransaction", () => {
+  logSuite("Security: H2 - Numeric precision in signTransaction");
+  it("rejects number value above MAX_SAFE_INTEGER", async () => {
+    logTest("rejects number value above MAX_SAFE_INTEGER", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    await assert.rejects(
+      () => w.signTransaction({ to: w.address, value: Number.MAX_SAFE_INTEGER + 1, nonce: 0, chainId: 123123 }),
+      /overflow/i,
+    );
+  });
+  it("accepts bigint value for large amounts", async () => {
+    logTest("accepts bigint value for large amounts", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const raw = await w.signTransaction({
+      to: w.address,
+      value: 999999999999999999999n,
+      nonce: 0,
+      chainId: 123123,
+    });
+    assert.equal(typeof raw, "string");
+    assert.ok(raw.startsWith("0x"));
+  });
+  it("accepts string value '0x' as zero", async () => {
+    logTest("accepts string value '0x' as zero", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const raw = await w.signTransaction({ to: w.address, value: "0x", nonce: 0, chainId: 123123 });
+    assert.equal(typeof raw, "string");
+  });
+});
+describe("Security: M3 - Password strength enforcement", () => {
+  logSuite("Security: M3 - Password strength enforcement");
+  it("encryptSync rejects password shorter than 12 characters", async () => {
+    logTest("encryptSync rejects password shorter than 12 characters", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    assert.throws(() => w.encryptSync("short"), /password must be at least 12 characters/);
+  });
+  it("encryptSync accepts password of 12+ characters", async () => {
+    logTest("encryptSync accepts password of 12+ characters", {});
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const json = w.encryptSync("abcdefghijkl");
+    assert.equal(typeof json, "string");
+    assert.ok(json.length > 0);
+  });
+});
+describe("Security: M4 - Message signing removed", () => {
+  logSuite("Security: M4 - Message signing removed");
+  it("hashMessage is not exported", () => {
+    logTest("hashMessage is not exported", {});
+    assert.equal(qc.hashMessage, undefined, "hashMessage should not be exported");
+  });
+  it("verifyMessage is not exported", () => {
+    logTest("verifyMessage is not exported", {});
+    assert.equal(qc.verifyMessage, undefined, "verifyMessage should not be exported");
+  });
+  it("recoverAddress is not exported", () => {
+    logTest("recoverAddress is not exported", {});
+    assert.equal(qc.recoverAddress, undefined, "recoverAddress should not be exported");
+  });
+  it("MessagePrefix is not exported", () => {
+    logTest("MessagePrefix is not exported", {});
+    assert.equal(qc.MessagePrefix, undefined, "MessagePrefix should not be exported");
+  });
+});
+describe("Security: M6 - Error messages do not leak secrets", () => {
+  logSuite("Security: M6 - Error messages do not leak secrets");
+  it("fromKeys error does not contain actual key bytes", async () => {
+    logTest("fromKeys error does not contain actual key bytes", {});
+    await Initialize(null);
+    const fakeKey = "0xdeadbeef";
+    try {
+      qc.Wallet.fromKeys(fakeKey, fakeKey);
+      assert.fail("should have thrown");
+    } catch (e) {
+      assert.ok(!e.message.includes("deadbeef"), "error must not contain key material");
+      assert.ok(e.message.includes("[REDACTED]") || !e.message.includes("0x"), "value should be redacted");
+    }
+  });
+});
+describe("Security: M7 - _hexToBigInt handles '0x'", () => {
+  logSuite("Security: M7 - _hexToBigInt handles '0x'");
+  it("getBalance does not crash on '0x' response", async () => {
+    logTest("getBalance does not crash on '0x' response", {});
+    assert.equal(typeof qc.JsonRpcProvider, "function");
+  });
+});
+describe("Security: L3 - RLP depth limit", () => {
+  logSuite("Security: L3 - RLP depth limit");
+  it("rejects deeply nested RLP (depth > 64)", () => {
+    logTest("rejects deeply nested RLP (depth > 64)", {});
+    let inner = [];
+    for (let i = 0; i < 70; i++) {
+      inner = [inner];
+    }
+    const encoded = qc.encodeRlp(inner);
+    assert.throws(() => qc.decodeRlp(encoded), /maximum nesting depth exceeded/);
+  });
+  it("accepts RLP within depth limit", () => {
+    logTest("accepts RLP within depth limit", {});
+    const encoded = qc.encodeRlp([["hello", "world"], "test"]);
+    const decoded = qc.decodeRlp(encoded);
+    assert.ok(Array.isArray(decoded));
+  });
+});
+describe("Security: M2 - Seed phrase with invalid words", () => {
+  logSuite("Security: M2 - Seed phrase with invalid words");
+  it("rejects gibberish words of correct count", async () => {
+    logTest("rejects gibberish words of correct count", {});
+    await Initialize(null);
+    const gibberish = new Array(32).fill("xyzzyplugh");
+    assert.throws(
+      () => qc.Wallet.fromPhrase(gibberish),
+      { message: /failed/i },
+    );
+  });
+  it("rejects empty string words of correct count", async () => {
+    logTest("rejects empty string words of correct count", {});
+    await Initialize(null);
+    const empty = new Array(32).fill("");
+    assert.throws(() => qc.Wallet.fromPhrase(empty));
+  });
+});
+describe("Security: L6 - Keccak-256 test vectors", () => {
+  logSuite("Security: L6 - Keccak-256 test vectors");
+  it("keccak256 of empty bytes matches known digest", async () => {
+    logTest("keccak256 of empty bytes matches known digest", {});
+    const result = qc.keccak256(new Uint8Array(0));
+    assert.equal(result, "0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470");
+  });
+  it("keccak256 of 'hello' matches known digest", async () => {
+    logTest("keccak256 of 'hello' matches known digest", {});
+    const bytes = new TextEncoder().encode("hello");
+    const result = qc.keccak256(bytes);
+    assert.equal(result, "0x1c8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8");
+  });
+  it("sha256 produces correct length output", () => {
+    logTest("sha256 produces correct length output", {});
+    const result = qc.sha256(new Uint8Array([1, 2, 3]));
+    assert.equal(typeof result, "string");
+    assert.equal(result.length, 66);
+  });
+});
+describe("Security: H5 - BigInt in provider params", () => {
+  logSuite("Security: H5 - BigInt in provider params");
+  it("JsonRpcProvider serializes BigInt params without crashing", async (t) => {
+    logTest("JsonRpcProvider serializes BigInt params without crashing", {});
+    if (typeof fetch !== "function") {
+      t.skip("global fetch not available");
+      return;
+    }
+    const originalFetch = fetch;
+    global.fetch = async (_url, init) => {
+      const body = JSON.parse(init.body);
+      assert.equal(body.params[0].value, "0x3e8");
+      const responseBody = JSON.stringify({ jsonrpc: "2.0", id: body.id, result: "0x1" });
+      return { ok: true, text: async () => responseBody, json: async () => JSON.parse(responseBody) };
+    };
+    try {
+      const p = new qc.JsonRpcProvider("http://example.invalid", 123123);
+      await p._perform("eth_call", [{ to: "0x" + "00".repeat(32), value: 1000n }]);
+    } finally {
+      global.fetch = originalFetch;
+    }
+  });
+});
+describe("Security: H6 - Per-instance RPC IDs", () => {
+  logSuite("Security: H6 - Per-instance RPC IDs");
+  it("different provider instances have independent ID counters", () => {
+    logTest("different provider instances have independent ID counters", {});
+    const p1 = new qc.JsonRpcProvider("http://a.invalid", 1);
+    const p2 = new qc.JsonRpcProvider("http://b.invalid", 1);
+    assert.equal(p1._rpcId, 1);
+    assert.equal(p2._rpcId, 1);
+  });
+});

package/test/unit/address-wallet.test.js CHANGED Viewed

@@ -29,7 +29,7 @@ describe("Address + Wallet (offline)", () => {
   const TEST_WALLET_ADDRESS = "0x1a846abe71c8b989e8337c55d608be81c28ab3b2e40c83eaa2a68d516049aec6";
   // ---------------------------------------------------------------------------
-  // Hardcoded seed words (generated once via quantum-coin-js-sdk.newWalletSeed()).
+  // Hardcoded seed words (generated once via quantum-coin-js-sdk.newWalletSeedWords()).
   // WARNING: test-only seed words; never use for real funds.
   // ---------------------------------------------------------------------------
   const TEST_SEED_WORDS = [
@@ -174,69 +174,6 @@ describe("Address + Wallet (offline)", () => {
     assert.throws(() => qc.Wallet.fromKeys(new Uint8Array(1), new Uint8Array(0)), /publicKey must not be empty/);
   });
-  it("fromKeys wallet can sign messages", async () => {
-    await Initialize(null);
-    const original = qc.Wallet.fromPhrase(TEST_SEED_WORDS);
-    const restored = qc.Wallet.fromKeys(
-      original.signingKey.privateKeyBytes,
-      original.signingKey.publicKeyBytes,
-    );
-    assert.equal(restored.address, original.address);
-    const msg = "fromKeys signing test";
-    const sig = restored.signMessageSync(msg);
-    assert.equal(typeof sig, "string");
-    assert.ok(sig.startsWith("0x"));
-    const recovered = qc.verifyMessage(msg, sig);
-    assert.equal(recovered, original.address.toLowerCase());
-  });
-  it("signMessageSync + verifyMessage roundtrip (known wallet)", async () => {
-    await Initialize(null);
-    const wallet = qc.Wallet.fromEncryptedJsonSync(TEST_WALLET_ENCRYPTED_JSON, TEST_WALLET_PASSPHRASE);
-    const sig = wallet.signMessageSync("Hello, QuantumCoin!");
-    assert.equal(typeof sig, "string");
-    assert.ok(sig.startsWith("0x"));
-    const recovered = qc.verifyMessage("Hello, QuantumCoin!", sig);
-    assert.equal(recovered, wallet.address.toLowerCase());
-  });
-  it("signMessageSync returns combined signature hex and verifyMessage roundtrip (fromPhrase wallet)", async () => {
-    await Initialize(null);
-    const wallet = qc.Wallet.fromPhrase(TEST_SEED_WORDS);
-    const msg = "test message";
-    const sig = wallet.signMessageSync(msg);
-    assert.equal(typeof sig, "string");
-    assert.ok(sig.startsWith("0x"));
-    assert.ok(sig.length > 4);
-    const recovered = qc.verifyMessage(msg, sig);
-    assert.equal(recovered, wallet.address.toLowerCase());
-  });
-  it("signMessageSync + verifyMessage roundtrip (32-word phrase wallet)", async () => {
-    await Initialize(null);
-    const wallet = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
-    const msg = "hello 32";
-    const sig = wallet.signMessageSync(msg);
-    assert.equal(typeof sig, "string");
-    assert.ok(sig.startsWith("0x"));
-    const recovered = qc.verifyMessage(msg, sig);
-    assert.equal(recovered, wallet.address.toLowerCase());
-    assert.equal(recovered, TEST_SEED_ADDRESS_32.toLowerCase());
-  });
-  it("signMessageSync + verifyMessage roundtrip (36-word phrase wallet)", async () => {
-    await Initialize(null);
-    const wallet = qc.Wallet.fromPhrase(TEST_SEED_WORDS_36);
-    const msg = "hello 36";
-    const sig = wallet.signMessageSync(msg);
-    assert.equal(typeof sig, "string");
-    assert.ok(sig.startsWith("0x"));
-    const recovered = qc.verifyMessage(msg, sig);
-    assert.equal(recovered, wallet.address.toLowerCase());
-    assert.equal(recovered, TEST_SEED_ADDRESS_36.toLowerCase());
-  });
   it("signTransaction works offline and returns raw tx hex", async () => {
     await Initialize(null);
     const wallet = qc.Wallet.fromEncryptedJsonSync(TEST_WALLET_ENCRYPTED_JSON, TEST_WALLET_PASSPHRASE);
@@ -399,22 +336,16 @@ describe("Address + Wallet (offline)", () => {
     assert.equal(qc.isAddress(w.address), true);
   });
-  it("createRandom(null, 3) creates wallet with keyType 3 and sign/verify roundtrip", async () => {
+  it("createRandom(null, 3) creates wallet with keyType 3", async () => {
     await Initialize(null);
     const w = qc.Wallet.createRandom(null, 3);
     assert.equal(qc.isAddress(w.address), true);
-    const sig = w.signMessageSync("kt3 test");
-    assert.ok(sig.startsWith("0x"));
-    assert.equal(qc.verifyMessage("kt3 test", sig), w.address.toLowerCase());
   });
-  it("createRandom(null, 5) creates wallet with keyType 5 and sign/verify roundtrip", async () => {
+  it("createRandom(null, 5) creates wallet with keyType 5", async () => {
     await Initialize(null);
     const w = qc.Wallet.createRandom(null, 5);
     assert.equal(qc.isAddress(w.address), true);
-    const sig = w.signMessageSync("kt5 test");
-    assert.ok(sig.startsWith("0x"));
-    assert.equal(qc.verifyMessage("kt5 test", sig), w.address.toLowerCase());
   });
   it("createRandom(null, 3) signTransaction works offline", async () => {
@@ -458,70 +389,30 @@ describe("Address + Wallet (offline)", () => {
     assert.throws(() => qc.Wallet.createRandom(null, true), /keyType must be null, 3, or 5/);
   });
-  // ---------------------------------------------------------------------------
-  // createRandomSeed
-  // ---------------------------------------------------------------------------
-  it("createRandomSeed() returns 32-word array (default keyType)", async () => {
-    await Initialize(null);
-    const words = qc.Wallet.createRandomSeed();
-    assert.equal(Array.isArray(words), true);
-    assert.equal(words.length, 32);
-    assert.ok(words.every((w) => typeof w === "string" && w.length > 0));
-  });
-  it("createRandomSeed(3) returns 32-word array", async () => {
-    await Initialize(null);
-    const words = qc.Wallet.createRandomSeed(3);
-    assert.equal(words.length, 32);
-  });
-  it("createRandomSeed(5) returns 36-word array", async () => {
-    await Initialize(null);
-    const words = qc.Wallet.createRandomSeed(5);
-    assert.equal(words.length, 36);
-  });
-  it("createRandomSeed roundtrip via fromPhrase produces valid signing wallet", async () => {
-    await Initialize(null);
-    const words = qc.Wallet.createRandomSeed(3);
-    const w = qc.Wallet.fromPhrase(words);
-    assert.equal(qc.isAddress(w.address), true);
-    const sig = w.signMessageSync("seed roundtrip");
-    assert.equal(qc.verifyMessage("seed roundtrip", sig), w.address.toLowerCase());
-  });
-  it("createRandomSeed rejects invalid keyType", async () => {
-    await Initialize(null);
-    assert.throws(() => qc.Wallet.createRandomSeed(1), /keyType must be null, 3, or 5/);
-    assert.throws(() => qc.Wallet.createRandomSeed(2), /keyType must be null, 3, or 5/);
-    assert.throws(() => qc.Wallet.createRandomSeed(4), /keyType must be null, 3, or 5/);
-  });
   // ---------------------------------------------------------------------------
   // fromSeed
   // ---------------------------------------------------------------------------
-  it("fromSeed roundtrip: createRandomSeed(3) -> fromPhrase -> fromSeed produces same address", async () => {
+  it("fromSeed roundtrip: createRandom(keyType 3) seed -> fromSeed produces same address", async () => {
     await Initialize(null);
-    const seedwords = require("seed-words");
-    const words = qc.Wallet.createRandomSeed(3);
-    const seedArr = seedwords.getSeedArrayFromWordList(words);
-    assert.equal(seedArr.length, 64);
-    const wFromWords = qc.Wallet.fromPhrase(words);
-    const wFromSeed = qc.Wallet.fromSeed(Array.from(seedArr));
-    assert.equal(wFromSeed.address, wFromWords.address);
+    const w = qc.Wallet.createRandom(null, 3);
+    assert.notEqual(w.seed, null);
+    const { hexToBytes } = require("../../src/internal/hex");
+    const seedBytes = Array.from(hexToBytes(w.seed));
+    assert.equal(seedBytes.length, 64);
+    const wFromSeed = qc.Wallet.fromSeed(seedBytes);
+    assert.equal(wFromSeed.address, w.address);
   });
-  it("fromSeed roundtrip: createRandomSeed(5) -> fromPhrase -> fromSeed produces same address", async () => {
+  it("fromSeed roundtrip: createRandom(keyType 5) seed -> fromSeed produces same address", async () => {
     await Initialize(null);
-    const seedwords = require("seed-words");
-    const words = qc.Wallet.createRandomSeed(5);
-    const seedArr = seedwords.getSeedArrayFromWordList(words);
-    assert.equal(seedArr.length, 72);
-    const wFromWords = qc.Wallet.fromPhrase(words);
-    const wFromSeed = qc.Wallet.fromSeed(Array.from(seedArr));
-    assert.equal(wFromSeed.address, wFromWords.address);
+    const w = qc.Wallet.createRandom(null, 5);
+    assert.notEqual(w.seed, null);
+    const { hexToBytes } = require("../../src/internal/hex");
+    const seedBytes = Array.from(hexToBytes(w.seed));
+    assert.equal(seedBytes.length, 72);
+    const wFromSeed = qc.Wallet.fromSeed(seedBytes);
+    assert.equal(wFromSeed.address, w.address);
   });
   it("fromSeed rejects non-array input", async () => {
@@ -648,7 +539,175 @@ describe("Address + Wallet (offline)", () => {
   it("encryptSeedSync rejects password shorter than 12 characters", async () => {
     await Initialize(null);
     const seed = new Array(64).fill(1);
-    assert.throws(() => qc.Wallet.encryptSeedSync(seed, "short"), /serializeSeedAsEncryptedWallet failed/);
+    assert.throws(() => qc.Wallet.encryptSeedSync(seed, "short"), /password must be at least 12 characters/);
+  });
+  // ---------------------------------------------------------------------------
+  // publicKey getter
+  // ---------------------------------------------------------------------------
+  it("publicKey getter returns hex matching signingKey.publicKeyBytes", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    const expected = "0x" + Buffer.from(w.signingKey.publicKeyBytes).toString("hex");
+    assert.equal(w.publicKey, expected);
+    assert.equal((w.publicKey.length - 2) / 2, 1408);
+  });
+  it("publicKey getter works for keyType 5 (2688-byte public key)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_36);
+    const expected = "0x" + Buffer.from(w.signingKey.publicKeyBytes).toString("hex");
+    assert.equal(w.publicKey, expected);
+    assert.equal((w.publicKey.length - 2) / 2, 2688);
+  });
+  it("publicKey getter works for createRandom wallet", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    assert.equal(typeof w.publicKey, "string");
+    assert.ok(w.publicKey.startsWith("0x"));
+    assert.equal(w.publicKey, "0x" + Buffer.from(w.signingKey.publicKeyBytes).toString("hex"));
+  });
+  // ---------------------------------------------------------------------------
+  // seed getter
+  // ---------------------------------------------------------------------------
+  it("seed is non-null hex for fromPhrase(32-word)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    assert.equal(typeof w.seed, "string");
+    assert.ok(w.seed.startsWith("0x"));
+    assert.equal((w.seed.length - 2) / 2, 64);
+    assert.equal(w.seed, "0x319fda8ec642b6b649d805770647d82aa4377ced5c51e4e39c0026bd983ad7b150fc475633d246216ac8b81af68bf929bf68a3fd151a2b6c925ef3cc70ecdb8b");
+  });
+  it("seed is non-null hex for fromPhrase(36-word)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_36);
+    assert.equal(typeof w.seed, "string");
+    assert.equal((w.seed.length - 2) / 2, 72);
+    assert.equal(w.seed, "0x319fda8ec642b6b649d805770647d82aa4377ced5c51e4e39c0026bd983ad7b150fc475633d246216ac8b81af68bf929bf68a3fd151a2b6c925ef3cc70ecdb8bdaf9e0ff4c96cb07");
+  });
+  it("seed is non-null hex for fromPhrase(48-word)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS);
+    assert.equal(typeof w.seed, "string");
+    assert.equal((w.seed.length - 2) / 2, 96);
+    assert.equal(w.seed, "0x319fda8ec642b6b649d805770647d82aa4377ced5c51e4e39c0026bd983ad7b150fc475633d246216ac8b81af68bf929bf68a3fd151a2b6c925ef3cc70ecdb8bdaf9e0ff4c96cb076c776546d970e1be70a962a868df0eeba1c076a780cb4c3b");
+  });
+  it("seed is non-null for fromSeed() and matches fromPhrase() with same words", async () => {
+    await Initialize(null);
+    const seedwords = require("seed-words");
+    const seedArr = seedwords.getSeedArrayFromWordList(TEST_SEED_WORDS_32);
+    const wSeed = qc.Wallet.fromSeed(Array.from(seedArr));
+    const wPhrase = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    assert.equal(wSeed.seed, wPhrase.seed);
+    assert.equal(wSeed.address, wPhrase.address);
+  });
+  it("seed is non-null for createRandom() (seed-derived)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    assert.notEqual(w.seed, null);
+    assert.equal(typeof w.seed, "string");
+    assert.ok(w.seed.startsWith("0x"));
+    assert.equal((w.seed.length - 2) / 2, 64);
+  });
+  it("seed is non-null for createRandom(null, 5) (seed-derived, keyType 5)", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.createRandom(null, 5);
+    assert.notEqual(w.seed, null);
+    assert.equal((w.seed.length - 2) / 2, 72);
+  });
+  it("seed is null for fromKeys()", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    const wk = qc.Wallet.fromKeys(w.signingKey.privateKeyBytes, w.signingKey.publicKeyBytes);
+    assert.equal(wk.seed, null);
+    assert.equal(wk.address, w.address);
+  });
+  it("seed is null for fromEncryptedJsonSync() with v3 JSON", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromEncryptedJsonSync(TEST_WALLET_ENCRYPTED_JSON, TEST_WALLET_PASSPHRASE);
+    assert.equal(w.seed, null);
+  });
+  it("seed is null for fromEncryptedJsonSync() with v4 JSON", async () => {
+    await Initialize(null);
+    const w32 = qc.Wallet.fromEncryptedJsonSync(TEST_ENCRYPTED_JSON_32, PASSPHRASE_PHRASE);
+    assert.equal(w32.seed, null);
+    const w36 = qc.Wallet.fromEncryptedJsonSync(TEST_ENCRYPTED_JSON_36, PASSPHRASE_PHRASE);
+    assert.equal(w36.seed, null);
+    const w48 = qc.Wallet.fromEncryptedJsonSync(TEST_ENCRYPTED_JSON_48, PASSPHRASE_PHRASE);
+    assert.equal(w48.seed, null);
+  });
+  // ---------------------------------------------------------------------------
+  // seed roundtrip through encryptSync / fromEncryptedJsonSync
+  // ---------------------------------------------------------------------------
+  it("seed roundtrips through encryptSync + fromEncryptedJsonSync for fromPhrase wallet", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    const json = w.encryptSync(PASSPHRASE_PHRASE);
+    assert.equal(JSON.parse(json).version, 5);
+    const restored = qc.Wallet.fromEncryptedJsonSync(json, PASSPHRASE_PHRASE);
+    assert.equal(restored.seed, w.seed);
+    assert.equal(restored.address, w.address);
+    assert.equal(restored.privateKey, w.privateKey);
+    assert.equal(restored.publicKey, w.publicKey);
+  });
+  it("seed roundtrips through encryptSync + fromEncryptedJsonSync for createRandom wallet", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.createRandom();
+    const json = w.encryptSync(PASSPHRASE_PHRASE);
+    assert.equal(JSON.parse(json).version, 5);
+    const restored = qc.Wallet.fromEncryptedJsonSync(json, PASSPHRASE_PHRASE);
+    assert.equal(restored.seed, w.seed);
+    assert.equal(restored.address, w.address);
+  });
+  it("seed roundtrips through encryptSeedSync + fromEncryptedJsonSync", async () => {
+    await Initialize(null);
+    const seedwords = require("seed-words");
+    const seedArr = seedwords.getSeedArrayFromWordList(TEST_SEED_WORDS_32);
+    const seedHex = "0x" + Buffer.from(new Uint8Array(seedArr)).toString("hex");
+    const json = qc.Wallet.encryptSeedSync(Array.from(seedArr), PASSPHRASE_PHRASE);
+    const restored = qc.Wallet.fromEncryptedJsonSync(json, PASSPHRASE_PHRASE);
+    assert.equal(restored.seed, seedHex);
+    assert.equal(restored.address, TEST_SEED_ADDRESS_32);
+  });
+  // ---------------------------------------------------------------------------
+  // encryptSync version behavior
+  // ---------------------------------------------------------------------------
+  it("encryptSync on seed-bearing wallet produces version 5 JSON", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    assert.notEqual(w.seed, null);
+    const json = w.encryptSync(PASSPHRASE_PHRASE);
+    assert.equal(JSON.parse(json).version, 5);
+  });
+  it("encryptSync on non-seed wallet (fromKeys) uses fallback path", async () => {
+    await Initialize(null);
+    const w = qc.Wallet.fromPhrase(TEST_SEED_WORDS_32);
+    const wk = qc.Wallet.fromKeys(w.signingKey.privateKeyBytes, w.signingKey.publicKeyBytes);
+    assert.equal(wk.seed, null);
+    const json = wk.encryptSync(PASSPHRASE_PHRASE);
+    const parsed = JSON.parse(json);
+    assert.ok(parsed.version === 3 || parsed.version === 4);
+    const restored = qc.Wallet.fromEncryptedJsonSync(json, PASSPHRASE_PHRASE);
+    assert.equal(restored.address, wk.address);
   });
   // ---------------------------------------------------------------------------