w3pk 0.7.6 → 0.7.7
- package/README.md +85 -21
- package/dist/index.d.mts +248 -597
- package/dist/index.d.ts +248 -597
- package/dist/index.js +59 -49
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +59 -49
- package/dist/index.mjs.map +1 -1
- package/docs/.internal/ATTACK_VECTORS.md +2123 -0
- package/docs/.internal/IMPLEMENTATION_SUMMARY.md +322 -0
- package/docs/.internal/PHILOSOPHY.md +1788 -0
- package/docs/.internal/SECURITY_LEVELS.md +207 -0
- package/docs/.internal/SECURITY_v0.7.6_CHANGES.md +333 -0
- package/docs/.internal/URL_DERIVATION.md +374 -0
- package/docs/API_REFERENCE.md +425 -10
- package/docs/BUILD_VERIFICATION.md +310 -0
- package/docs/EIP_7702.md +586 -0
- package/docs/SECURITY.md +396 -7
- package/package.json +28 -24
- package/scripts/compute-build-hash.mjs +104 -0
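--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1,6 @@
 [](https://www.npmjs.com/package/w3pk)
 [](https://www.npmjs.com/package/w3pk)
+[](https://github.com/w3hc/w3pk/blob/main/docs/BUILD_VERIFICATION.md)
 
 # w3pk
 
@@ -29,9 +30,9 @@ await w3pk.login()
 // Sign message
 const signature = await w3pk.signMessage('Hello World')
 
-// Derive addresses
-const
-const
+// Derive addresses (2 modes)
+const gamingWallet = await w3pk.deriveWallet('GAMING') // By tag - includes privateKey
+const mainWallet = await w3pk.deriveWallet() // Auto (MAIN tag) - public address only, no privateKey
 
 // Get RPC endpoints for any chain
 const endpoints = await w3pk.getEndpoints(1) // Ethereum
@@ -41,14 +42,16 @@ const rpcUrl = endpoints[0]
 ## Features
 
 - 🔐 Passwordless authentication (WebAuthn/FIDO2)
--
+- 🛡️ Origin-specific key isolation with tag-based access control
 - ⏱️ Session management (configurable duration, prevents repeated prompts)
 - 🌱 HD wallet generation (BIP39/BIP44)
 - 🔢 Multi-address derivation
--
+- 🌐 Origin-specific addresses (deterministic derivation per website with tag support)
+- 🥷 ERC-5564 stealth addresses (opt-in, privacy-preserving transactions with view tags)
 - 🧮 ZK primitives (zero-knowledge proof generation and verification)
 - 🔗 Chainlist support (2390+ networks, auto-filtered RPC endpoints)
 - ⚡ EIP-7702 network detection (329+ supported networks)
+- 🔍 Build verification (IPFS CIDv1 hashing for package integrity)
 - 🛡️ Three-layer backup & recovery system
 - Passkey auto-sync (iCloud/Google/Microsoft)
 - Encrypted backups (ZIP/QR with password protection)
@@ -76,27 +79,38 @@ w3pk.user
 
 **Important: Backup your wallet!**
 ```typescript
-// After registration, users can create a backup
-const mnemonic = await w3pk.exportMnemonic({ requireAuth: true })
-console.log('⚠️ Save this recovery phrase:', mnemonic)
 
-//
+// Create encrypted backups:
 const zipBackup = await w3pk.createZipBackup('strong-password')
 const qrBackup = await w3pk.createQRBackup('optional-password')
 ```
 
 ### Wallet Operations
 
-
-// Derive addresses
-const wallet0 = await w3pk.deriveWallet(0)
-// Returns: { address, privateKey }
-
-// Export mnemonic
-const mnemonic = await w3pk.exportMnemonic()
+**SECURITY MODEL**: `deriveWallet()` supports two secure modes:
 
-
-
+```typescript
+// 1. MAIN tag (default) - ADDRESS ONLY, NO PRIVATE KEY
+const mainWallet = await w3pk.deriveWallet()
+// Returns: { address, index, origin, tag: 'MAIN' }
+// ✅ Safe for display
+// ❌ No privateKey exposed
+
+// 2. Custom tag - INCLUDES PRIVATE KEY for app-specific use
+const gamingWallet = await w3pk.deriveWallet('GAMING')
+const funWallet = await w3pk.deriveWallet('FUN')
+const basicWallet = await w3pk.deriveWallet('BASIC')
+// Returns: { address, privateKey, index, origin, tag }
+
+// Different tags = different addresses
+console.log(mainWallet.address !== gamingWallet.address) // true
+console.log(gamingWallet.address !== tradingWallet.address) // true
+
+// SECURITY: Applications CANNOT access master mnemonic
+// await w3pk.exportMnemonic() // ❌ Throws error
+
+// Sign message (works with any address - no key exposure needed)
+const signature = await w3pk.signMessage('Hello World')
 ```
 
 ### Session Management
@@ -113,10 +127,9 @@ const w3pk = createWeb3Passkey({
 await w3pk.login()
 
 // These operations use the cached session
-await w3pk.deriveWallet(
-await w3pk.exportMnemonic()
+await w3pk.deriveWallet('GAMING')
 await w3pk.signMessage('Hello')
-await w3pk.stealth
+await w3pk.stealth?.getKeys() // If stealth module enabled
 
 // Check session status
 w3pk.hasActiveSession() // true
@@ -274,10 +287,61 @@ console.log('Can recover:', result.canRecover)
 
 See [Recovery Guide](./docs/RECOVERY.md) for complete documentation.
 
+### Build Verification
+
+```typescript
+import { getCurrentBuildHash, verifyBuildHash } from 'w3pk'
+
+// Get IPFS hash of installed w3pk build
+const hash = await getCurrentBuildHash()
+console.log('Build hash:', hash)
+// => bafybeifysgwvsyog2akxjk4cjky2grqqyzfehamuwyk6zy56srgkc5jopi
+
+// Verify against trusted hash (from GitHub releases)
+const trusted = 'bafybeifysgwvsyog2akxjk4cjky2grqqyzfehamuwyk6zy56srgkc5jopi'
+const isValid = await verifyBuildHash(trusted)
+if (isValid) {
+console.log('✅ Build integrity verified!')
+}
+```
+
+See [Build Verification Guide](./docs/BUILD_VERIFICATION.md) for complete documentation.
+
+## Security & Verification
+
+### Current Build Hash (v0.7.6)
+
+```
+bafybeifysgwvsyog2akxjk4cjky2grqqyzfehamuwyk6zy56srgkc5jopi
+```
+
+**Verify package integrity:**
+
+```typescript
+import { verifyBuildHash } from 'w3pk'
+
+const TRUSTED_HASH = 'bafybeifysgwvsyog2akxjk4cjky2grqqyzfehamuwyk6zy56srgkc5jopi'
+const isValid = await verifyBuildHash(TRUSTED_HASH)
+
+if (!isValid) {
+throw new Error('Package integrity check failed!')
+}
+```
+
+**Multi-source verification:**
+- **GitHub:** Check release notes for official hash
+- **On-chain:** Verify via DAO-maintained registry (coming soon)
+- **Local build:** `pnpm build && pnpm build:hash`
+
+See [Build Verification Guide](./docs/BUILD_VERIFICATION.md) for complete documentation.
+
+---
+
 ## Documentation
 
 - [Quick Start Guide](./docs/QUICK_START.md) - Get started in 5 minutes
 - [API Reference](./docs/API_REFERENCE.md) - Complete API documentation
+- [Build Verification](./docs/BUILD_VERIFICATION.md) - Package integrity verification
 - [Security Architecture](./docs/SECURITY.md) - Integration best practices
 - [Recovery & Backup System](./docs/RECOVERY.md) - Three-layer backup architecture
 - [ZK Proofs](./docs/ZK.md) - Zero-Knowledge cryptography utilities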