diff --git a/.gitignore b/.gitignore index 431861e..6cc509b 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,5 @@ build/ *.db *.asc .venv/ +.wallet/ +.potentialfix.md diff --git a/playbook.md b/playbook.md index 7c9b326..9fc48c2 100644 --- a/playbook.md +++ b/playbook.md @@ -29,7 +29,7 @@ A command-line tool for generating and recovering HD wallets (BIP39) with suppor - **Private key export**: Export derived private keys in encrypted payloads. - **Solana profiles**: Multiple derivation paths for Solana compatibility. - **Self-testing**: Built-in tests to verify functionality. -- **Secure mode**: Optional paranoid mode with memory zeroing, temp files, and no output printing for high-security use. +- **Off-screen mode**: Optional paranoid mode with memory zeroing, temp files, and no output printing for high-security use. ## Installation @@ -80,10 +80,10 @@ A command-line tool for generating and recovering HD wallets (BIP39) with suppor python ./src/pyhdwallet.py fetchkey "https://example.com/key.asc" --out mykey.asc ``` -4. Use secure mode for high-security operations: +4. Use off-screen mode for high-security operations: ```bash - python ./src/pyhdwallet.py gen --secure-mode --pgp-pubkey-file key.asc --chains ethereum --addresses 1 + python ./src/pyhdwallet.py gen --off-screen --pgp-pubkey-file key.asc --chains ethereum --addresses 1 ``` 5. Run tests: @@ -109,7 +109,7 @@ python ./src/pyhdwallet.py fetchkey [--out FILE] [--timeout SECONDS] - `url`: URL to the ASCII-armored PGP key - `--out FILE`: Save the key to a file - `--timeout SECONDS`: Request timeout (default: 15) -- `--secure-mode`: Enable secure mode (temp files, no extra output) +- `--off-screen`: Enable off-screen mode (temp files, no extra output) **Example:** 
@@ -131,7 +131,7 @@ python ./src/pyhdwallet.py gen [options] - `--words {12,15,18,21,24}`: Number of mnemonic words (default: 12) - `--dice-rolls "1 2 3 ..."`: Space-separated dice rolls for entropy -- `--passphrase PASSPHRASE`: BIP39 passphrase +- `--passphrase`: Prompt for BIP39 passphrase interactively - `--passphrase-hint HINT`: Hint for the passphrase - `--chains {ethereum,solana,bitcoin}`: Chains to derive (default: all) - `--addresses N`: Number of addresses per chain (default: 5) @@ -143,7 +143,7 @@ python ./src/pyhdwallet.py gen [options] - `--export-private`: Include private keys in encrypted payload - `--include-source`: Include mnemonic in encrypted payload - `--unsafe-print`: Print mnemonic even when encrypting -- `--secure-mode`: Enable secure mode (no printing, temp files, memory zeroing) +- `--off-screen`: Enable off-screen mode (no printing, temp files, memory zeroing) **Examples:** @@ -151,11 +151,11 @@ python ./src/pyhdwallet.py gen [options] # Basic generation python ./src/pyhdwallet.py gen -# With secure mode -python ./src/pyhdwallet.py gen --secure-mode --pgp-pubkey-file key.asc +# With off-screen mode +python ./src/pyhdwallet.py gen --off-screen --pgp-pubkey-file key.asc # With passphrase and encryption -python ./src/pyhdwallet.py gen --passphrase "mysecret" --pgp-pubkey-file key.asc --export-private +python ./src/pyhdwallet.py gen --passphrase --pgp-pubkey-file key.asc --export-private # JSON output to file python ./src/pyhdwallet.py gen --chains ethereum --addresses 10 --output json --file wallet.json @@ -176,7 +176,7 @@ python ./src/pyhdwallet.py recover [options] - `--mnemonic MNEMONIC`: BIP39 mnemonic phrase - `--seed HEX_SEED`: 128-character hex seed - `--interactive`: Prompt for mnemonic/seed interactively -- `--secure-mode`: Enable secure mode (no printing, temp files, memory zeroing) +- `--off-screen`: Enable off-screen mode (no printing, temp files, memory zeroing) **Examples:** 
@@ -198,12 +198,12 @@ Run minimal self-tests to verify functionality. **Usage:** ```bash -python ./src/pyhdwallet.py test [--secure-mode] +python ./src/pyhdwallet.py test [--off-screen] ``` **Options:** -- `--secure-mode`: Enable secure mode (no extra output) +- `--off-screen`: Enable off-screen mode (no extra output) **Output:** Success/failure messages for derivation tests. @@ -222,7 +222,7 @@ echo "-----BEGIN PGP MESSAGE-----..." | gpg -d ### 2. Recover from Mnemonic with Passphrase ```bash -python ./src/pyhdwallet.py recover --mnemonic "word1 word2 ... word12" --passphrase "mypass" --chains ethereum --addresses 10 --output json +python ./src/pyhdwallet.py recover --mnemonic "word1 word2 ... word12" --passphrase --chains ethereum --addresses 10 --output json ``` ### 3. Fetch and Use PGP Key @@ -235,14 +235,14 @@ python ./src/pyhdwallet.py fetchkey "https://example.com/pubkey.asc" --out mykey python ./src/pyhdwallet.py recover --interactive --pgp-pubkey-file mykey.asc --export-private ``` -### 4. High-Security Operations with Secure Mode +### 4. High-Security Operations with Off-Screen Mode ```bash # Generate without printing sensitive data -python ./src/pyhdwallet.py gen --secure-mode --pgp-pubkey-file key.asc --chains ethereum --addresses 1 +python ./src/pyhdwallet.py gen --off-screen --pgp-pubkey-file key.asc --chains ethereum --addresses 1 -# Recover in secure mode -python ./src/pyhdwallet.py recover --secure-mode --interactive --pgp-pubkey-file key.asc --export-private +# Recover in off-screen mode +python ./src/pyhdwallet.py recover --off-screen --interactive --pgp-pubkey-file key.asc --export-private ``` ### 5. Solana-Specific Derivation 
@@ -256,14 +256,14 @@ python ./src/pyhdwallet.py gen --chains solana --sol-profile phantom_bip44change - **Offline operation**: `gen`, `recover`, and `test` commands block network access. - **No plaintext secrets**: Mnemonics and private keys are never printed unless encrypted or `--unsafe-print` is used. - **PGP encryption**: Use for secure storage of sensitive data. -- **Secure mode**: Use `--secure-mode` for paranoid operations—suppresses output, uses temp files with auto-deletion, and zeros memory. +- **Off-screen mode**: Use `--off-screen` for paranoid operations—suppresses output, uses temp files with auto-deletion, and zeros memory. - **Passphrase handling**: Passphrases are not stored; only hints are included. - **Private key export**: Only export what's needed; treat encrypted payloads as sensitive. - **File permissions**: Output files are set to owner-only (0o600) for security. - **Memory zeroing**: In secure mode, sensitive variables are cleared after use. - **Best practices**: - Use `--interactive` to avoid command-line history exposure. - - Use `--secure-mode` for high-risk operations. + - Use `--off-screen` for high-risk operations. - Verify PGP fingerprints out-of-band. - Run on trusted, offline machines. @@ -279,6 +279,6 @@ python ./src/pyhdwallet.py gen --chains solana --sol-profile phantom_bip44change ## Changelog - **v1.0.3**: Changed default behavior to always show help without subcommand; added README.md; updated documentation. -- **v1.0.2**: Security patches - added --secure-mode, memory zeroing, file permission fixes, auto-deletion in secure mode, sanitized errors. +- **v1.0.2**: Security patches - added --off-screen, memory zeroing, file permission fixes, auto-deletion in off-screen mode, sanitized errors. - **v1.0.1**: Renamed to pyhdwallet, added --version flag, updated documentation, excluded _toDelete in .gitignore. - **v1.0.0**: Initial release with gen, recover, fetchkey, and test commands. 
diff --git a/test_output.json b/test_output.json deleted file mode 100644 index bccc9b9..0000000 --- a/test_output.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "master_fingerprint": "DD1449B7", - "passphrase_used": false, - "passphrase_hint": "", - "dice_rolls_used": false, - "solana_profile": "phantom_bip44change", - "addresses": { - "ethereum": [ - { - "index": 0, - "path": "m/44'/60'/0'/0/0", - "address": "0x9d3e3540f4C507ca992035607326798130051e03" - } - ] - } -} \ No newline at end of file
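Review bot: In the `.gitignore` hunk, `.potentialfix.md` reads like one developer's scratch notes rather than a project artifact; that belongs in `.git/info/exclude` or a global gitignore, not in the committed ignore list. The `.wallet/` entry is reasonable, but none of the playbook.md hunks in this diff say what the tool writes there, so a one-line note in the Security section (what lands in `.wallet/` and with which permissions) would tell readers why that directory must never be committed.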
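Review bot: Changing `--passphrase PASSPHRASE` to a prompt-only `--passphrase` in the `gen` options (hunk @@ -131) is the right move, since a value on the command line ends up in shell history and process listings, but the same hunk leaves `--passphrase-hint HINT` as a command-line value and the Security section says hints are included in the payload; add a sentence that the hint is stored alongside the encrypted data and must not contain the passphrase itself. Also state whether the old `--passphrase VALUE` form is still accepted or now errors, so users with scripts know what to expect.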
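Review bot: The `recover` example in hunk @@ -222 still puts the mnemonic on the command line (`--mnemonic "word1 word2 ... word12"`), which is exactly what the Security section's best practice "Use `--interactive` to avoid command-line history exposure" warns against; consider rewriting that example with `--interactive` so the documented examples match the documented advice. The visible context of the `recover` option list in hunk @@ -176 does not show a `--passphrase` entry, so confirm that list was updated to the prompt-only form the example now uses.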
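Review bot: The rename is incomplete in hunk @@ -256: the unchanged context line `- **Memory zeroing**: In secure mode, sensitive variables are cleared after use.` still says "secure mode" while every other mention in this diff now reads "off-screen mode"; update it in the same change so the Security section does not refer to a mode name that no longer exists.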
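Review bot: Editing the v1.0.2 changelog entry to read `added --off-screen` rewrites history: v1.0.2 shipped `--secure-mode`, and renaming a user-facing flag is a breaking change that deserves its own entry (a new version line saying `--secure-mode` was renamed to `--off-screen`, and whether the old spelling remains as an alias). Separately, this diff touches only `.gitignore`, `playbook.md` and `test_output.json` and includes no change to `src/pyhdwallet.py`, so either the parser change lives in another commit or every example in the playbook now documents a flag the tool rejects; confirm which before merging.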
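Review bot: Deleting `test_output.json` removes a committed derivation output (master fingerprint `DD1449B7` and a derived Ethereum address) from the working tree but not from repository history; if it was ever produced from anything other than a throwaway mnemonic, treat that wallet as exposed regardless of this deletion. The `.gitignore` hunk in this same diff adds `.wallet/` and `.potentialfix.md` but no pattern for `test_output.json` or `*.json`, so the playbook's own `--file wallet.json` example will recreate a committable output file inside the repo; add an ignore pattern for generated output.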