From 5c343c7944f434b4df5e59083b9881df2df1f7cb Mon Sep 17 00:00:00 2001
From: LC <kccleoc@gmail.com>
Date: Mon, 5 Jan 2026 16:48:32 +0000
Subject: [PATCH] Fix secure-mode logic: move memory zeroing after PGP
 encryption to ensure mnemonic is included in payload

---
 src/pyhdwallet.py | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/pyhdwallet.py b/src/pyhdwallet.py
index a33381d..56dbb62 100644
--- a/src/pyhdwallet.py
+++ b/src/pyhdwallet.py
@@ -341,7 +341,7 @@ def cmd_gen(args):
         require_for_offline(args.chains)
 
         if args.secure_mode:
-            print("⚠️  Secure mode enabled: Sensitive data will not be printed, temp files used, memory zeroed.")
+            print("⚠️  Secure mode enabled: Sensitive data will not be printed, temp files used.")
 
         import secrets
         from bip_utils import Bip39MnemonicGenerator, Bip39Languages, Bip39SeedGenerator
@@ -371,13 +371,6 @@ def cmd_gen(args):
 
         result = derive_all(seed_bytes, args.chains, args.addresses, args.sol_profile, export_private=False)
 
-        # Memory zeroing
-        if args.secure_mode:
-            mnemonic = None
-            del mnemonic
-            seed_bytes = None
-            del seed_bytes
-
         if not args.pgp_pubkey_file or args.unsafe_print:
             if not args.secure_mode:
                 print(f"📍 Generated {args.words}-word BIP39 mnemonic:\n{mnemonic}\n")
@@ -436,13 +429,20 @@ def cmd_gen(args):
             else:
                 print("Encrypted payload generated (not printed in secure mode).")
 
+        # Memory zeroing
+        if args.secure_mode:
+            mnemonic = None
+            del mnemonic
+            seed_bytes = None
+            del seed_bytes
+
 
 def cmd_recover(args):
     with NetworkGuard("recover"):
         require_for_offline(args.chains)
 
         if args.secure_mode:
-            print("⚠️  Secure mode enabled: Sensitive data will not be printed, temp files used, memory zeroed.")
+            print("⚠️  Secure mode enabled: Sensitive data will not be printed, temp files used.")
 
         from bip_utils import Bip39MnemonicValidator, Bip39SeedGenerator
 
@@ -490,15 +490,6 @@ def cmd_recover(args):
 
         result = derive_all(seed_bytes, args.chains, args.addresses, args.sol_profile, export_private=args.export_private)
 
-        # Memory zeroing
-        if args.secure_mode:
-            if mnemonic:
-                mnemonic = None
-            if seed_hex:
-                seed_hex = None
-            seed_bytes = None
-            del seed_bytes
-
         if args.output == "json":
             out_text = json.dumps({
                 "master_fingerprint": fp,
@@ -557,6 +548,15 @@ def cmd_recover(args):
             else:
                 print("Encrypted payload generated (not printed in secure mode).")
 
+        # Memory zeroing
+        if args.secure_mode:
+            if mnemonic:
+                mnemonic = None
+            if seed_hex:
+                seed_hex = None
+            seed_bytes = None
+            del seed_bytes
+
 
 def cmd_test(args):
     with NetworkGuard("test"):