kccleoc/seedpgp-web
0
0
Fork 0
mirror of https://github.com/kccleoc/seedpgp-web.git synced 2026-03-07 09:57:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kccleoc:v1.2.0
Branches Tags
kccleoc:main
kccleoc:v1.4.7 kccleoc:v1.4.6 kccleoc:v1.4.5 kccleoc:v1.4.4 kccleoc:v1.4.3 kccleoc:v1.4.2 kccleoc:v1.4.1 kccleoc:v1.4.0 kccleoc:v1.3.0 kccleoc:v1.2.1 kccleoc:v1.2.0 kccleoc:v1.1.0
..
compare: kccleoc:v1.4.1
Branches Tags
kccleoc:main
kccleoc:v1.4.7 kccleoc:v1.4.6 kccleoc:v1.4.5 kccleoc:v1.4.4 kccleoc:v1.4.3 kccleoc:v1.4.2 kccleoc:v1.4.1 kccleoc:v1.4.0 kccleoc:v1.3.0 kccleoc:v1.2.1 kccleoc:v1.2.0 kccleoc:v1.1.0

16 Commits
v1.2.0 ... v1.4.1

Author SHA1 Message Date
LC mac
9ffdbbd50f feat(v1.4): Add 'Encrypted in memory' badge 2026-01-30 01:21:28 +08:00
LC mac
b024856c08 docs: update GEMINI.md for v1.4.0 + remove debug logs 2026-01-30 00:44:46 +08:00
LC mac
a919e8bf09 chore: small fix in 1.4.0 2026-01-30 00:36:09 +08:00
LC mac
e4516f3d19 chore: bump version to 1.4.0 2026-01-30 00:35:00 +08:00
LC mac
4b5bd80be6 feat(v1.3.0): ephemeral session-key encryption + cleanup 
- Update version to 1.3.0
- Remove debug console logs
- Session-key encryption working in production
- Mnemonic auto-clears after QR generation
- Lock/Clear functionality verified
 2026-01-30 00:08:43 +08:00
LC mac
8124375537 debug: add console logs to sessionCrypto for troubleshooting 2026-01-30 00:01:02 +08:00
LC mac
2107dab501 feat(v1.3.0): add ephemeral session-key encryption for sensitive state 
- Add src/lib/sessionCrypto.ts with AES-GCM-256 non-exportable session keys
- Integrate into Backup flow: auto-clear plaintext mnemonic after QR generation
- Add Lock/Clear button to destroy session key and clear all state
- Add cleanup useEffect on component unmount
- Add comprehensive GEMINI.md for AI agent onboarding
- Fix TypeScript strict mode errors and unused imports

Tested:
- Session-key encryption working (mnemonic clears after QR gen)
- Lock/Clear functionality verified
- No plaintext secrets in localStorage/sessionStorage
- Production build successful
 2026-01-29 23:48:21 +08:00
LC mac
0f397859e6 feat(v1.3.0): add ephemeral session-key encryption for sensitive state 
- Add src/lib/sessionCrypto.ts with AES-GCM-256 session keys
- Integrate into Backup flow: auto-clear plaintext mnemonic after QR gen
- Add Lock/Clear button to destroy key and clear all state
- Add cleanup on component unmount
- Fix unused imports and TypeScript strict mode errors
 2026-01-29 23:35:08 +08:00
LC mac
d4919f3d93 docs: add comprehensive GEMINI.md for AI agent onboarding (v1.3.0) 2026-01-29 23:34:23 +08:00
LC mac
c1b1f566df Fix: Resolve type incompatibility errors in sessionCrypto.ts 2026-01-29 23:24:57 +08:00
LC mac
6bbfe665cd bug fix app.tsx 2026-01-29 23:18:29 +08:00
LC mac
8e656749fe feat(v1.3.0): add ephemeral session-key encryption for sensitive state 2026-01-29 23:14:42 +08:00
LC mac
5a4018dcfe feat(v1.2.1): add security monitoring components 
- Add Storage Indicator (browser localStorage/sessionStorage monitor)
- Add Security Warnings (educational panel on JS limitations)
- Add Clipboard Tracker (copy event detection with clear function)
- Add data-sensitive attributes to sensitive fields

Security Features:
- Real-time storage monitoring with sensitive data highlighting
- Clipboard activity tracking with character count
- System clipboard clearing functionality
- Collapsible floating widgets (non-intrusive)
- Auto-refresh storage display every 2s
- Educational warnings about GC, string immutability, etc.

UI/UX:
- Floating widgets: Storage (bottom-right), Warnings (bottom-left), Clipboard (bottom-right stacked)
- Color-coded alerts (red=sensitive, orange=activity, yellow=warnings)
- Responsive and clean design with TailwindCSS
 2026-01-29 01:20:50 +08:00
LC mac
94764248d0 docs: update public README for v1.2.0 2026-01-29 00:36:00 +08:00
LC mac
a4a737540a feat(v1.2.0): add QR scanner with camera/upload support 
- Add QRScanner component with camera and image upload
- Add QR code download button with auto-naming (SeedPGP_DATE_TIME.png)
- Split state for backup/restore (separate public/private keys and passwords)
- Improve QR generation settings (margin: 4, errorCorrection: M)
- Fix Safari camera permissions and Continuity Camera support
- Add React timing fix for Html5Qrcode initialization
- Configure Vite for GitHub Pages deployment
- Update deploy script for dist as public repo
- Update public README for v1.2.0 features

Features:
- Camera scanning with live preview and Continuity Camera
- Image file upload scanning
- Automatic SEEDPGP1 validation
- 512x512px high-quality QR generation with download
- User-friendly error messages
 2026-01-29 00:33:09 +08:00
LC mac
b7da81c5d4 chore: configure vite for GitHub Pages deployment 2026-01-29 00:21:26 +08:00
16 changed files with 1736 additions and 473 deletions
Expand all files Collapse all files

378
GEMINI.md Normal file
View File

@@ -0,0 +1,378 @@
# SeedPGP - Gemini Code Assist Project Brief
## Project Overview
**SeedPGP v1.3.0**: Client-side BIP39 mnemonic encryption webapp
**Stack**: Bun + Vite + React + TypeScript + OpenPGP.js + Tailwind CSS
**Deploy**: GitHub Pages (public repo: `seedpgp-web-app`, private source: `seedpgp-web`)
**Live URL**: <https://kccleoc.github.io/seedpgp-web-app/>
## Core Constraints
1. **Security-first**: Never persist secrets (mnemonic/passphrase/private keys) to localStorage/sessionStorage/IndexedDB
2. **Small PRs**: Max 1-5 files per feature; propose plan before coding
3. **Client-side only**: No backend; all crypto runs in browser (Web Crypto API + OpenPGP.js)
4. **GitHub Pages deploy**: Base path `/seedpgp-web-app/` configured in vite.config.ts
5. **Honest security claims**: Don't overclaim what client-side JS can guarantee
## Non-Negotiables
- Small diffs only: one feature slice per PR (1-5 files if possible)
- No big code dumps; propose plan first, then implement
- Never persist secrets to browser storage
- Prefer "explain what you found in the repo" over guessing
- TypeScript strict mode; no `any` types without justification
---
## Architecture Map
### Entry Points
- `src/main.tsx``src/App.tsx` (main application)
- Build output: `dist/` (separate git repo for GitHub Pages deployment)
### Directory Structure
```BASH
src/
├── components/ # React UI components
│ ├── PgpKeyInput.tsx
│ ├── QrDisplay.tsx
│ ├── QrScanner.tsx
│ ├── ReadOnly.tsx
│ ├── StorageIndicator.tsx
│ ├── SecurityWarnings.tsx
│ └── ClipboardTracker.tsx
├── lib/ # Core logic & crypto utilities
│ ├── seedpgp.ts # Main encrypt/decrypt functions
│ ├── sessionCrypto.ts # Ephemeral AES-GCM session keys
│ ├── types.ts # TypeScript interfaces
│ └── qr.ts # QR code utilities
├── App.tsx # Main app component
└── main.tsx # React entry point
```
### Key Modules
#### `src/lib/seedpgp.ts`
Core encryption/decryption:
- `encryptToSeedPgp()` - Encrypts mnemonic with PGP public key + optional password
- `decryptFromSeedPgp()` - Decrypts with PGP private key + optional password
- Uses OpenPGP.js for PGP operations
- Output format: `SEEDPGP1:version:base64data:fingerprint`
#### `src/lib/sessionCrypto.ts` (v1.3.0+)
Ephemeral session-key encryption:
- `getSessionKey()` - Generates/returns non-exportable AES-GCM-256 key (idempotent)
- `encryptJsonToBlob(obj)` - Encrypts to `{v, alg, iv_b64, ct_b64}`
- `decryptBlobToJson(blob)` - Decrypts back to original object
- `destroySessionKey()` - Drops key reference for garbage collection
- Test: `await window.runSessionCryptoTest()` (DEV only)
#### `src/lib/types.ts`
Core interfaces:
- `SeedPgpPlaintext` - Decrypted mnemonic data structure
- `SeedPgpCiphertext` - Encrypted payload structure
- `EncryptedBlob` - Session-key encrypted cache format
---
## Key Features
### v1.0 - Core Functionality
- **Backup**: Encrypt mnemonic with PGP public key + optional password → QR display
- **Restore**: Scan/paste QR → decrypt with private key → show mnemonic
- **PGP support**: Import public/private keys (.asc files or paste)
### v1.1 - QR Features
- **QR Display**: Generate QR codes from encrypted data
- **QR Scanner**: Camera + file upload (uses html5-qrcode library)
### v1.2 - Security Monitoring
- **Storage Indicator**: Real-time display of localStorage/sessionStorage contents
- **Security Warnings**: Context-aware alerts about browser memory limitations
- **Clipboard Tracker**: Monitor clipboard operations on sensitive fields
- **Read-only Mode**: Toggle to clear state + show CSP/build info
### v1.3-v1.4 - Session-Key Encryption
- **Ephemeral encryption**: AES-GCM-256 session key (non-exportable) encrypts sensitive state
- **Backup flow (v1.3)**: Mnemonic auto-clears immediately after QR generation
- **Restore flow (v1.4)**: Decrypted mnemonic auto-clears after 10 seconds + manual Hide button
- **Encrypted cache**: Only ciphertext stored in React state; key lives in memory only
- **Lock/Clear**: Manual cleanup destroys session key + clears all state
- **Lifecycle**: Session key auto-destroyed on page close/refresh
---
## Development Workflow
### Commands
```bash
bun install # Install dependencies
bun run dev # Dev server (localhost:5173)
bun run build # Build to dist/
bun run typecheck # TypeScript validation (tsc --noEmit)
bun run preview # Preview production build
./scripts/deploy.sh v1.x.x # Build + push to public repo
```
### Deployment Process
1. **Private repo** (`seedpgp-web`): Source code, development
2. **Public repo** (`seedpgp-web-app`): Built files for GitHub Pages
3. **Deploy script** (`scripts/deploy.sh`): Builds + copies to dist/ + pushes to public repo
### Git Workflow
```bash
# Commit feature
git add src/
git commit -m "feat(v1.x): description"
# Tag version
git tag v1.x.x
git push origin main --tags
# Deploy to GitHub Pages
./scripts/deploy.sh v1.x.x
```
---
## Required Workflow for AI Agents
### 1. Study First
Before implementing any feature:
- Read relevant files
- Explain current architecture + entry points
- List files that will be touched
- Identify potential conflicts or dependencies
### 2. Plan
- Propose smallest vertical slice (1-5 files)
- Show API signatures or interface changes first
- Get approval before generating full implementation
### 3. Implement
- Generate code with TypeScript strict mode
- Include JSDoc comments for public APIs
- Show unified diffs, not full file rewrites (when possible)
- Keep changes under 50-100 lines per file when feasible
### 4. Verify
- Run `bun run typecheck` - no errors
- Run `bun run build` - successful dist/ output
- Provide manual test steps for browser verification
- Show build output / console logs / DevTools screenshots
---
## Common Patterns
### State Management
- React `useState` + `useEffect` (no Redux/Zustand/external store)
- Ephemeral state only; avoid persistent storage for secrets
### Styling
- Tailwind utility classes (configured in `tailwind.config.js`)
- Responsive design: mobile-first with `md:` breakpoints
- Dark theme primary: slate-900 background, blue-400 accents
### Icons
- `lucide-react` library
- Common: Shield, QrCode, Lock, Eye, AlertCircle
### Crypto Operations
- **PGP**: OpenPGP.js (`openpgp` package)
- **Session keys**: Web Crypto API (`crypto.subtle`)
- **Key generation**: `crypto.subtle.generateKey()` with `extractable: false`
- **Encryption**: AES-GCM with random 12-byte IV per operation
### Type Safety
- Strict TypeScript (`tsconfig.json`: `strict: true`)
- Check `src/lib/types.ts` for core interfaces
- Avoid `any`; use `unknown` + type guards when necessary
---
## Security Architecture
### Threat Model (Honest)
**What we protect against:**
- Accidental persistence to localStorage/sessionStorage
- Plaintext secrets lingering in React state after use
- Clipboard history exposure (with warnings)
**What we DON'T protect against (and must not claim to):**
- Active XSS or malicious browser extensions
- Memory dumps or browser crash reports
- JavaScript garbage collection timing (non-deterministic)
### Memory Handling
- **Session keys**: Non-exportable CryptoKey objects (Web Crypto API)
- **Plaintext clearing**: Set to empty string + drop references (but GC timing is non-deterministic)
- **No guarantees**: Cannot force immediate memory wiping in JavaScript
### Storage Policy
- **NEVER write to**: localStorage, sessionStorage, IndexedDB, cookies
- **Exception**: Non-sensitive UI state only (theme preferences, etc.) - NOT IMPLEMENTED YET
- **Verification**: StorageIndicator component monitors all storage APIs
---
## What NOT to Do
### Code Generation
- Don't generate full file rewrites unless necessary
- Don't add dependencies without discussing bundle size impact
- Don't use `any` types without explicit justification
- Don't skip TypeScript strict mode checks
### Security Claims
- Don't claim "RAM is wiped" (JavaScript can't force GC)
- Don't claim "offline mode" without real CSP headers (GitHub Pages can't set custom headers)
- Don't promise protection against active browser compromise (XSS/extensions)
### Storage
- Don't write secrets to storage without explicit approval
- Don't cache decrypted data beyond immediate use
- Don't assume browser storage is secure
---
## Testing & Verification
### Manual Test Checklist (Before Marking Feature Complete)
1.`bun run typecheck` passes (no TypeScript errors)
2.`bun run build` succeeds (dist/ generated)
3. ✅ Browser test: Feature works as described
4. ✅ DevTools Console: No runtime errors
5. ✅ DevTools Application tab: No plaintext secrets in storage
6. ✅ DevTools Network tab: No unexpected network calls (if Read-only Mode)
### Session-Key Encryption Test (v1.3+)
```javascript
// In browser DevTools console:
await window.runSessionCryptoTest()
// Expected: ✅ Success: Data integrity verified.
```
---
## Current Version: v1.4.0
### Recent Changes (2026-01-30)
- ✅ Extended session-key encryption to Restore flow
- ✅ Added 10-second auto-clear timer for restored mnemonic
- ✅ Added Hide button for manual clear
- ✅ Removed debug console logs from sessionCrypto.ts
### Known Limitations
- GitHub Pages cannot set custom CSP headers (need Cloudflare Pages for enforcement)
- Read-only Mode is UI-level only (not browser-enforced)
- Session-key encryption doesn't protect against active XSS/extensions
### Next Priorities (Suggested)
1. Extend session-key encryption to Restore flow
2. Migrate to Cloudflare Pages for real CSP header enforcement
3. Add "Encrypted in memory" badge when encryptedMnemonicCache exists
4. Document reproducible builds (git hash verification)
---
## Quick Reference
### File a Bug/Feature
1. Describe expected vs actual behavior
2. Include browser console errors (if any)
3. Specify which flow (Backup/Restore/QR Scanner)
### Roll Over to Next Session
Always provide:
- Current version number
- What was implemented this session
- Files modified
- What still needs work
- Any gotchas or edge cases discovered
---
## Example Prompts for Gemini
### Exploration
```
Read GEMINI.md, then explain:
1. Where is the mnemonic textarea and how is its value managed?
2. List all places localStorage/sessionStorage are used
3. Show data flow from "Backup" button to QR display
```
### Feature Request
```
Task: [Feature description]
Requirements:
1. [Specific requirement]
2. [Another requirement]
Files to touch:
- [List files]
Plan first: show proposed API/changes before generating code.
```
### Verification
```
Audit the codebase to verify [feature] is fully implemented.
Check:
1. [Requirement 1]
2. [Requirement 2]
Output: ✅ or ❌ for each item + suggest fixes for failures.
```
---
**Last Updated**: 2026-01-29
**Maintained by**: @kccleoc
**AI Agent**: Optimized for Gemini Code Assist

2
index.html
View File

@@ -4,7 +4,7 @@
<head> <head>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>SeedPGP v1.1</title> <title>SeedPGP v1.4</title>
</head> </head>
<body> <body>

5
package.json
View File

@@ -1,12 +1,13 @@
{ {
"name": "seedpgp-web", "name": "seedpgp-web",
"private": true, "private": true,
"version": "1.1.0", "version": "1.4.0",
"type": "module", "type": "module",
"scripts": { "scripts": {
"dev": "vite", "dev": "vite",
"build": "tsc && vite build", "build": "tsc && vite build",
"preview": "vite preview" "preview": "vite preview",
"typecheck": "tsc --noEmit"
}, },
"dependencies": { "dependencies": {
"html5-qrcode": "^2.3.8", "html5-qrcode": "^2.3.8",

115
public/README.md
View File

@@ -1,48 +1,121 @@
# SeedPGP Web App # SeedPGP Web App
**Secure BIP39 mnemonic backup tool using PGP encryption** **Secure BIP39 mnemonic backup tool using OpenPGP encryption**
🔗 **Live App**: https://kccleoc.github.io/seedpgp-web-app/ 🔗 **Live App**: https://kccleoc.github.io/seedpgp-web-app/
## About ## About
This is a client-side web application for encrypting cryptocurrency seed phrases (BIP39 mnemonics) using OpenPGP encryption and Base45 encoding for QR code generation. Client-side web application for encrypting cryptocurrency seed phrases (BIP39 mnemonics) using OpenPGP encryption with QR code generation and scanning capabilities.
### Features ### Features
- 🔐 PGP encryption with cv25519 (Curve25519) - 🔐 **OpenPGP Encryption** - Curve25519Legacy (cv25519) encryption
- 📱 QR code-ready output (Base45 + CRC16) - 📱 **QR Code Generation** - High-quality 512x512px PNG with download
- ✅ Supports 12/18/24-word BIP39 mnemonics - 📸 **QR Code Scanner** - Camera or image upload with live preview
- 🔒 All encryption happens in your browser (client-side only) - 🔄 **Round-trip Flow** - Encrypt → QR → Scan → Decrypt seamlessly
-**BIP39 Support** - 12/18/24-word mnemonics with optional passphrase
- 🔒 **Symmetric Encryption** - Optional password-only encryption (SKESK)
- 🎯 **CRC16 Validation** - Frame integrity checking
- 📦 **Base45 Encoding** - Compact QR-friendly format (RFC 9285)
- 🌐 **100% Client-Side** - No backend, no data transmission
## Security Notice ## 🔒 Security Notice
⚠️ **Your private keys and seed phrases never leave your browser** ⚠️ **Your private keys and seed phrases never leave your browser**
- This is a static web app with no backend server - Static web app with **no backend server**
- All cryptographic operations run locally in your browser - All cryptographic operations run **locally in your browser**
- No data is transmitted to any server - **No data transmitted** to any server
- Camera access requires **HTTPS or localhost**
- Always verify you're on the correct URL before use - Always verify you're on the correct URL before use
### For Maximum Security ### For Maximum Security
For production use with real funds: For production use with real funds:
- Download and run locally - 🏠 Download and run locally (\`bun run dev\`)
- Or use a self-hosted version - 🔐 Use on airgapped device
- Source code: https://github.com/kccleoc/seedpgp-web - 📥 Self-host on your own domain
- 🔍 Source code: https://github.com/kccleoc/seedpgp-web (private)
## How to Use ## 📖 How to Use
1. **Encrypt**: Enter your mnemonic + PGP public key → Get QR code ### Backup Flow
2. **Decrypt**: Scan QR code + provide private key → Recover mnemonic 1. **Enter** your 12/24-word BIP39 mnemonic
2. **Add** PGP public key and/or message password (optional)
3. **Generate** encrypted QR code
4. **Download** or scan QR code for backup
## Version ### Restore Flow
1. **Scan QR Code** using camera or upload image
2. **Provide** private key and/or message password
3. **Decrypt** to recover your mnemonic
Current deployment: **v1.1.0** ### QR Scanner Features
- 📷 **Camera Mode** - Live scanning with environment camera (iPhone Continuity Camera supported on macOS)
- 📁 **Upload Mode** - Scan from saved images or screenshots
-**Auto-validation** - Verifies SEEDPGP1 format before accepting
Last updated: 2026-01-28 ## 🛠 Technical Stack
- **TypeScript** - Type-safe development
- **React 18** - Modern UI framework
- **Vite 6** - Lightning-fast build tool
- **OpenPGP.js v6** - RFC 4880 compliant encryption
- **html5-qrcode** - QR scanning library
- **TailwindCSS** - Utility-first styling
- **Lucide React** - Beautiful icons
## 📋 Protocol Format
\`\`\`
SEEDPGP1:0:ABCD:BASE45DATA
SEEDPGP1 - Protocol identifier + version
0 - Frame number (single frame)
ABCD - CRC16-CCITT-FALSE checksum
BASE45 - Base45-encoded OpenPGP binary message
\`\`\`
## 🔐 Encryption Details
- **Algorithm**: AES-256 (preferred symmetric cipher)
- **Curve**: Curve25519Legacy for modern security
- **Key Format**: OpenPGP RFC 4880 compliant
- **Error Correction**: QR Level M (15% recovery)
- **Integrity**: CRC16-CCITT-FALSE frame validation
## 📱 Browser Compatibility
- ✅ Chrome/Edge (latest)
- ✅ Safari 16+ (macOS/iOS)
- ✅ Firefox (latest)
- 📷 Camera requires HTTPS or localhost
## 📦 Version
**Current deployment: v1.2.0**
### Changelog
#### v1.2.0 (2026-01-29)
- ✨ Added QR scanner with camera/upload support
- 📥 Added QR code download with auto-naming
- 🔧 Split state for backup/restore tabs
- 🎨 Improved QR generation quality
- 🐛 Fixed Safari camera permissions
- 📱 Added Continuity Camera support
#### v1.1.0 (2026-01-28)
- 🎉 Initial public release
- 🔐 OpenPGP encryption/decryption
- 📱 QR code generation
- ✅ BIP39 validation
--- ---
Built with TypeScript, React, Vite, and OpenPGP.js v6 **Last updated**: 2026-01-29
**Built with** ❤️ using TypeScript, React, Vite, and OpenPGP.js
**License**: Private source code - deployment only

20
scripts/deploy.sh
View File

@@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
set -e set -e
VERSION=$1 VERSION=$1
@@ -9,23 +10,26 @@ if [ -z "$VERSION" ]; then
fi fi
echo "🔨 Building $VERSION..." echo "🔨 Building $VERSION..."
# Remove old build files but keep .git
rm -rf dist/assets dist/index.html dist/*.js dist/*.css dist/vite.svg
bun run build bun run build
echo "📄 Adding README..." echo "📄 Adding README..."
cp public/README.md dist/README.md if [ -f public/README.md ]; then
cp public/README.md dist/README.md
fi
echo "📦 Deploying to GitHub Pages..." echo "📦 Deploying to GitHub Pages..."
cd dist cd dist
git add . git add .
git commit -m "Deploy $VERSION" || echo "No changes to commit" git commit -m "Deploy $VERSION" || echo "No changes to commit"
git push git push
cd .. cd ..
echo "✅ Deployed to https://kccleoc.github.io/seedpgp-web-app/" echo "✅ Deployed to https://kccleoc.github.io/seedpgp-web-app/"
echo "📖 Repo: https://github.com/kccleoc/seedpgp-web-app" echo ""
echo "🏷️ Don't forget to tag: git tag $VERSION && git push --tags" echo "Tag private repo:"
echo "./scripts/deploy.sh v1.2.0" echo " git tag $VERSION && git push origin --tags"
echo "git tag v1.2.0"
echo "git push --tags"

946
src/App.tsx
View File

@@ -1,436 +1,540 @@
import { useState } from 'react'; import { useState, useEffect } from 'react';
import { import {
Shield, Shield,
QrCode, QrCode,
RefreshCw, RefreshCw,
CheckCircle2, CheckCircle2, Lock,
AlertCircle, AlertCircle,
Lock,
Unlock, Unlock,
Eye,
EyeOff, EyeOff,
FileKey, FileKey,
Info Info,
WifiOff
} from 'lucide-react'; } from 'lucide-react';
import { PgpKeyInput } from './components/PgpKeyInput'; import { PgpKeyInput } from './components/PgpKeyInput';
import { QrDisplay } from './components/QrDisplay'; import { QrDisplay } from './components/QrDisplay';
import QRScanner from './components/QRScanner'; import QRScanner from './components/QRScanner';
import { validateBip39Mnemonic } from './lib/bip39'; import { validateBip39Mnemonic } from './lib/bip39';
import { buildPlaintext, encryptToSeedPgp, decryptSeedPgp } from './lib/seedpgp'; import { buildPlaintext, encryptToSeedPgp, decryptSeedPgp } from './lib/seedpgp';
import type { SeedPgpPlaintext } from './lib/types';
import * as openpgp from 'openpgp'; import * as openpgp from 'openpgp';
import { StorageIndicator } from './components/StorageIndicator';
console.log("OpenPGP.js version:", openpgp.config.versionString); import { SecurityWarnings } from './components/SecurityWarnings';
import { ClipboardTracker } from './components/ClipboardTracker';
function App() { import { ReadOnly } from './components/ReadOnly';
const [activeTab, setActiveTab] = useState<'backup' | 'restore'>('backup'); import { getSessionKey, encryptJsonToBlob, destroySessionKey, EncryptedBlob } from './lib/sessionCrypto';
const [mnemonic, setMnemonic] = useState('');
const [backupMessagePassword, setBackupMessagePassword] = useState(''); console.log("OpenPGP.js version:", openpgp.config.versionString);
const [restoreMessagePassword, setRestoreMessagePassword] = useState('');
function App() {
const [publicKeyInput, setPublicKeyInput] = useState(''); const [activeTab, setActiveTab] = useState<'backup' | 'restore'>('backup');
const [privateKeyInput, setPrivateKeyInput] = useState(''); const [mnemonic, setMnemonic] = useState('');
const [privateKeyPassphrase, setPrivateKeyPassphrase] = useState(''); const [backupMessagePassword, setBackupMessagePassword] = useState('');
const [hasBip39Passphrase, setHasBip39Passphrase] = useState(false); const [restoreMessagePassword, setRestoreMessagePassword] = useState('');
const [qrPayload, setQrPayload] = useState('');
const [recipientFpr, setRecipientFpr] = useState(''); const [publicKeyInput, setPublicKeyInput] = useState('');
const [restoreInput, setRestoreInput] = useState(''); const [privateKeyInput, setPrivateKeyInput] = useState('');
const [restoredData, setRestoredData] = useState<SeedPgpPlaintext | null>(null); const [privateKeyPassphrase, setPrivateKeyPassphrase] = useState('');
const [error, setError] = useState(''); const [hasBip39Passphrase, setHasBip39Passphrase] = useState(false);
const [loading, setLoading] = useState(false); const [qrPayload, setQrPayload] = useState('');
const [showMnemonic, setShowMnemonic] = useState(false); const [recipientFpr, setRecipientFpr] = useState('');
const [copied, setCopied] = useState(false); const [restoreInput, setRestoreInput] = useState('');
const [showQRScanner, setShowQRScanner] = useState(false); const [decryptedRestoredMnemonic, setDecryptedRestoredMnemonic] = useState<string | null>(null);
const [error, setError] = useState('');
const copyToClipboard = async (text: string) => { const [loading, setLoading] = useState(false);
try { const [copied, setCopied] = useState(false);
await navigator.clipboard.writeText(text); const [showQRScanner, setShowQRScanner] = useState(false);
setCopied(true); const [isReadOnly, setIsReadOnly] = useState(false);
window.setTimeout(() => setCopied(false), 1500); const [encryptedMnemonicCache, setEncryptedMnemonicCache] = useState<EncryptedBlob | null>(null);
} catch {
const ta = document.createElement("textarea"); useEffect(() => {
ta.value = text; // When entering read-only mode, clear sensitive data for security.
ta.style.position = "fixed"; if (isReadOnly) {
ta.style.left = "-9999px"; setMnemonic('');
document.body.appendChild(ta); setBackupMessagePassword('');
ta.focus(); setRestoreMessagePassword('');
ta.select(); setPublicKeyInput('');
document.execCommand("copy"); setPrivateKeyInput('');
document.body.removeChild(ta); setPrivateKeyPassphrase('');
setCopied(true); setQrPayload('');
window.setTimeout(() => setCopied(false), 1500); setRestoreInput('');
} setDecryptedRestoredMnemonic(null);
}; setError('');
}
const handleBackup = async () => { }, [isReadOnly]);
setLoading(true);
setError(''); // Cleanup session key on component unmount
setQrPayload(''); useEffect(() => {
setRecipientFpr(''); return () => {
destroySessionKey();
try { };
const validation = validateBip39Mnemonic(mnemonic); }, []);
if (!validation.valid) {
throw new Error(validation.error);
} const copyToClipboard = async (text: string) => {
if (isReadOnly) {
const plaintext = buildPlaintext(mnemonic, hasBip39Passphrase); setError("Copy to clipboard is disabled in Read-only mode.");
return;
const result = await encryptToSeedPgp({ }
plaintext, try {
publicKeyArmored: publicKeyInput || undefined, await navigator.clipboard.writeText(text);
messagePassword: backupMessagePassword || undefined, // Changed setCopied(true);
}); window.setTimeout(() => setCopied(false), 1500);
} catch {
setQrPayload(result.framed); const ta = document.createElement("textarea");
if (result.recipientFingerprint) { ta.value = text;
setRecipientFpr(result.recipientFingerprint); ta.style.position = "fixed";
} ta.style.left = "-9999px";
} catch (e) { document.body.appendChild(ta);
setError(e instanceof Error ? e.message : 'Encryption failed'); ta.focus();
} finally { ta.select();
setLoading(false); document.execCommand("copy");
} document.body.removeChild(ta);
}; setCopied(true);
window.setTimeout(() => setCopied(false), 1500);
const handleRestore = async () => { }
setLoading(true); };
setError('');
setRestoredData(null); const handleBackup = async () => {
setLoading(true);
try { setError('');
const result = await decryptSeedPgp({ setQrPayload('');
frameText: restoreInput, setRecipientFpr('');
privateKeyArmored: privateKeyInput || undefined,
privateKeyPassphrase: privateKeyPassphrase || undefined, try {
messagePassword: restoreMessagePassword || undefined, // Changed const validation = validateBip39Mnemonic(mnemonic);
}); if (!validation.valid) {
throw new Error(validation.error);
}
setRestoredData(result);
} catch (e) { const plaintext = buildPlaintext(mnemonic, hasBip39Passphrase);
setError(e instanceof Error ? e.message : 'Decryption failed');
} finally { const result = await encryptToSeedPgp({
setLoading(false); plaintext,
} publicKeyArmored: publicKeyInput || undefined,
}; messagePassword: backupMessagePassword || undefined,
});
return ( setQrPayload(result.framed);
<> if (result.recipientFingerprint) {
<div className="min-h-screen bg-gradient-to-br from-slate-50 to-slate-100 text-slate-900 p-4 md:p-8"> setRecipientFpr(result.recipientFingerprint);
<div className="max-w-5xl mx-auto bg-white rounded-2xl shadow-2xl overflow-hidden border border-slate-200"> }
{/* Header */} // Initialize session key before encrypting
<div className="bg-gradient-to-r from-slate-900 to-slate-800 p-6 text-white flex items-center justify-between"> await getSessionKey();
<div className="flex items-center gap-3"> // Encrypt mnemonic with session key and clear plaintext state
<div className="p-2 bg-blue-600 rounded-lg shadow-lg"> const blob = await encryptJsonToBlob({ mnemonic, timestamp: Date.now() });
<Shield size={28} /> setEncryptedMnemonicCache(blob);
</div> setMnemonic(''); // Clear plaintext mnemonic
<div> } catch (e) {
<h1 className="text-2xl font-bold tracking-tight"> setError(e instanceof Error ? e.message : 'Encryption failed');
SeedPGP <span className="text-blue-400 font-mono text-base ml-2">v1.2</span> } finally {
</h1> setLoading(false);
<p className="text-xs text-slate-400 mt-0.5">OpenPGP-secured BIP39 backup</p> }
</div> };
</div>
<div className="flex bg-slate-800/50 rounded-lg p-1 backdrop-blur"> const handleRestore = async () => {
<button setLoading(true);
onClick={() => { setError('');
setActiveTab('backup'); setDecryptedRestoredMnemonic(null);
setError('');
setQrPayload(''); try {
setRestoredData(null); const result = await decryptSeedPgp({
}} frameText: restoreInput,
className={`px-5 py-2 rounded-md text-sm font-semibold transition-all ${activeTab === 'backup' privateKeyArmored: privateKeyInput || undefined,
? 'bg-white text-slate-900 shadow-lg' privateKeyPassphrase: privateKeyPassphrase || undefined,
: 'text-slate-300 hover:text-white hover:bg-slate-700/50' messagePassword: restoreMessagePassword || undefined,
}`} });
>
Backup // Encrypt the restored mnemonic with the session key
</button> await getSessionKey();
<button const blob = await encryptJsonToBlob({ mnemonic: result.w, timestamp: Date.now() });
onClick={() => { setEncryptedMnemonicCache(blob);
setActiveTab('restore');
setError(''); // Temporarily display the mnemonic and then clear it
setQrPayload(''); setDecryptedRestoredMnemonic(result.w);
setRestoredData(null); setTimeout(() => {
}} setDecryptedRestoredMnemonic(null);
className={`px-5 py-2 rounded-md text-sm font-semibold transition-all ${activeTab === 'restore' }, 10000); // Auto-clear after 10 seconds
? 'bg-white text-slate-900 shadow-lg'
: 'text-slate-300 hover:text-white hover:bg-slate-700/50' } catch (e) {
}`} setError(e instanceof Error ? e.message : 'Decryption failed');
> } finally {
Restore setLoading(false);
</button> }
</div> };
</div>
const handleLockAndClear = () => {
<div className="p-6 md:p-8 space-y-6"> destroySessionKey();
{/* Error Display */} setEncryptedMnemonicCache(null);
{error && ( setMnemonic('');
<div className="p-4 bg-red-50 border-l-4 border-red-500 rounded-r-xl flex gap-3 text-red-800 text-sm items-start animate-in slide-in-from-top-2"> setBackupMessagePassword('');
<AlertCircle className="shrink-0 mt-0.5" size={20} /> setRestoreMessagePassword('');
<div> setPublicKeyInput('');
<p className="font-bold mb-1">Error</p> setPrivateKeyInput('');
<p className="whitespace-pre-wrap">{error}</p> setPrivateKeyPassphrase('');
</div> setQrPayload('');
</div> setRecipientFpr('');
)} setRestoreInput('');
setDecryptedRestoredMnemonic(null);
{/* Info Banner */} setError('');
{recipientFpr && activeTab === 'backup' && ( setCopied(false);
<div className="p-3 bg-blue-50 border border-blue-200 rounded-lg flex items-start gap-3 text-blue-800 text-xs animate-in fade-in"> setShowQRScanner(false);
<Info size={16} className="shrink-0 mt-0.5" /> };
<div>
<strong>Recipient Key:</strong> <code className="bg-blue-100 px-1.5 py-0.5 rounded font-mono">{recipientFpr}</code>
</div> return (
</div> <>
)} <div className="min-h-screen bg-gradient-to-br from-slate-50 to-slate-100 text-slate-900 p-4 md:p-8">
<div className="max-w-5xl mx-auto bg-white rounded-2xl shadow-2xl overflow-hidden border border-slate-200">
{/* Main Content Grid */}
<div className="grid gap-6 md:grid-cols-3"> {/* Header */}
<div className="md:col-span-2 space-y-6"> <div className="bg-gradient-to-r from-slate-900 to-slate-800 p-6 text-white flex items-center justify-between">
{activeTab === 'backup' ? ( <div className="flex items-center gap-3">
<> <div className="p-2 bg-blue-600 rounded-lg shadow-lg">
<div className="space-y-2"> <Shield size={28} />
<label className="text-sm font-semibold text-slate-700">BIP39 Mnemonic</label> </div>
<textarea <div>
className="w-full h-32 p-4 bg-slate-50 border border-slate-200 rounded-xl text-sm font-mono focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all resize-none" <h1 className="text-2xl font-bold tracking-tight">
placeholder="Enter your 12 or 24 word seed phrase..." SeedPGP <span className="text-blue-400 font-mono text-base ml-2">v{__APP_VERSION__}</span>
value={mnemonic} </h1>
onChange={(e) => setMnemonic(e.target.value)} <p className="text-xs text-slate-400 mt-0.5">OpenPGP-secured BIP39 backup</p>
/> </div>
</div> </div>
{encryptedMnemonicCache && ( // Show only if encrypted data exists
<PgpKeyInput <button
label="PGP Public Key (Optional)" onClick={handleLockAndClear}
icon={FileKey} className="flex items-center gap-2 text-sm text-red-400 bg-slate-800/50 px-3 py-1.5 rounded-lg hover:bg-red-900/50 transition-colors"
placeholder="-----BEGIN PGP PUBLIC KEY BLOCK-----&#10;&#10;Paste or drag & drop your public key..." >
value={publicKeyInput} <Lock size={16} />
onChange={setPublicKeyInput} <span>Lock/Clear</span>
/> </button>
</> )}
) : ( <div className="flex items-center gap-4">
<> {isReadOnly && (
<div className="flex gap-2"> <div className="flex items-center gap-2 text-sm text-amber-400 bg-slate-800/50 px-3 py-1.5 rounded-lg">
<button <WifiOff size={16} />
onClick={() => setShowQRScanner(true)} <span>Read-only</span>
className="flex-1 py-3 bg-gradient-to-r from-purple-600 to-purple-700 text-white rounded-xl font-semibold flex items-center justify-center gap-2 hover:from-purple-700 hover:to-purple-800 transition-all shadow-lg" </div>
> )}
<QrCode size={18} /> {encryptedMnemonicCache && (
Scan QR Code <div className="flex items-center gap-2 text-sm text-green-400 bg-slate-800/50 px-3 py-1.5 rounded-lg">
</button> <Shield size={16} />
</div> <span>Encrypted in memory</span>
</div>
<div className="space-y-2"> )}
<label className="text-sm font-semibold text-slate-700">SEEDPGP1 Payload</label> <div className="flex bg-slate-800/50 rounded-lg p-1 backdrop-blur">
<textarea <button
className="w-full h-32 p-4 bg-slate-50 border border-slate-200 rounded-xl text-xs font-mono focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all resize-none" onClick={() => {
placeholder="SEEDPGP1:0:ABCD:..." setActiveTab('backup');
value={restoreInput} setError('');
onChange={(e) => setRestoreInput(e.target.value)} setQrPayload('');
/> setDecryptedRestoredMnemonic(null);
</div> }}
className={`px-5 py-2 rounded-md text-sm font-semibold transition-all ${activeTab === 'backup'
<PgpKeyInput ? 'bg-white text-slate-900 shadow-lg'
label="PGP Private Key (Optional)" : 'text-slate-300 hover:text-white hover:bg-slate-700/50'
icon={FileKey} }`}
placeholder="-----BEGIN PGP PRIVATE KEY BLOCK-----&#10;&#10;Paste or drag & drop your private key..." >
value={privateKeyInput} Backup
onChange={setPrivateKeyInput} </button>
/> <button
onClick={() => {
{privateKeyInput && ( setActiveTab('restore');
<div className="space-y-2"> setError('');
<label className="text-xs font-bold text-slate-500 uppercase tracking-wider">Private Key Passphrase</label> setQrPayload('');
<div className="relative"> setDecryptedRestoredMnemonic(null);
<Lock className="absolute left-3 top-3 text-slate-400" size={16} /> }}
<input className={`px-5 py-2 rounded-md text-sm font-semibold transition-all ${activeTab === 'restore'
type="password" ? 'bg-white text-slate-900 shadow-lg'
className="w-full pl-10 pr-4 py-2.5 bg-white border border-slate-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all" : 'text-slate-300 hover:text-white hover:bg-slate-700/50'
placeholder="Unlock private key..." }`}
value={privateKeyPassphrase} >
onChange={(e) => setPrivateKeyPassphrase(e.target.value)} Restore
/> </button>
</div> </div>
</div> </div>
)} </div>
</>
)} <div className="p-6 md:p-8 space-y-6">
</div> {/* Error Display */}
{error && (
{/* Security Panel */} <div className="p-4 bg-red-50 border-l-4 border-red-500 rounded-r-xl flex gap-3 text-red-800 text-sm items-start animate-in slide-in-from-top-2">
<div className="space-y-6"> <AlertCircle className="shrink-0 mt-0.5" size={20} />
<div className="p-5 bg-gradient-to-br from-slate-50 to-slate-100 rounded-2xl border-2 border-slate-200 shadow-inner space-y-4"> <div>
<h3 className="text-sm font-bold text-slate-800 uppercase tracking-wider flex items-center gap-2"> <p className="font-bold mb-1">Error</p>
<Lock size={14} /> Security Options <p className="whitespace-pre-wrap">{error}</p>
</h3> </div>
</div>
<div className="space-y-2"> )}
<label className="text-xs font-bold text-slate-500 uppercase tracking-wider">Message Password</label>
<div className="relative"> {/* Info Banner */}
<Lock className="absolute left-3 top-3 text-slate-400" size={16} /> {recipientFpr && activeTab === 'backup' && (
<input <div className="p-3 bg-blue-50 border border-blue-200 rounded-lg flex items-start gap-3 text-blue-800 text-xs animate-in fade-in">
type="password" <Info size={16} className="shrink-0 mt-0.5" />
className="w-full pl-10 pr-4 py-2.5 bg-white border border-slate-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all" <div>
placeholder="Optional password..." <strong>Recipient Key:</strong> <code className="bg-blue-100 px-1.5 py-0.5 rounded font-mono">{recipientFpr}</code>
value={activeTab === 'backup' ? backupMessagePassword : restoreMessagePassword} </div>
onChange={(e) => activeTab === 'backup' ? setBackupMessagePassword(e.target.value) : setRestoreMessagePassword(e.target.value)} </div>
/> )}
</div>
<p className="text-[10px] text-slate-500 mt-1">Symmetric encryption password (SKESK)</p> {/* Main Content Grid */}
</div> <div className="grid gap-6 md:grid-cols-3">
<div className="md:col-span-2 space-y-6">
{activeTab === 'backup' ? (
{activeTab === 'backup' && ( <>
<div className="pt-3 border-t border-slate-300"> <div className="space-y-2">
<label className="flex items-center gap-2 cursor-pointer group"> <label className="text-sm font-semibold text-slate-700">BIP39 Mnemonic</label>
<input <textarea
type="checkbox" className="w-full h-32 p-4 bg-slate-50 border border-slate-200 rounded-xl text-sm font-mono focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all resize-none"
checked={hasBip39Passphrase} data-sensitive="BIP39 Mnemonic"
onChange={(e) => setHasBip39Passphrase(e.target.checked)} placeholder="Enter your 12 or 24 word seed phrase..."
className="rounded text-blue-600 focus:ring-2 focus:ring-blue-500 transition-all" value={mnemonic}
/> onChange={(e) => setMnemonic(e.target.value)}
<span className="text-xs font-medium text-slate-700 group-hover:text-slate-900 transition-colors"> readOnly={isReadOnly}
BIP39 25th word active />
</span> </div>
</label>
</div> <PgpKeyInput
)} label="PGP Public Key (Optional)"
</div> icon={FileKey}
placeholder="-----BEGIN PGP PUBLIC KEY BLOCK-----&#10;&#10;Paste or drag & drop your public key..."
{/* Action Button */} value={publicKeyInput}
{activeTab === 'backup' ? ( onChange={setPublicKeyInput}
<button readOnly={isReadOnly}
onClick={handleBackup} />
disabled={!mnemonic || loading} </>
className="w-full py-4 bg-gradient-to-r from-blue-600 to-blue-700 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-blue-700 hover:to-blue-800 transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:from-blue-600 disabled:hover:to-blue-700" ) : (
> <>
{loading ? ( <div className="flex gap-2">
<RefreshCw className="animate-spin" size={20} /> <button
) : ( onClick={() => setShowQRScanner(true)}
<QrCode size={20} /> disabled={isReadOnly}
)} className="flex-1 py-3 bg-gradient-to-r from-purple-600 to-purple-700 text-white rounded-xl font-semibold flex items-center justify-center gap-2 hover:from-purple-700 hover:to-purple-800 transition-all shadow-lg disabled:opacity-50"
{loading ? 'Generating...' : 'Generate QR Backup'} >
</button> <QrCode size={18} />
) : ( Scan QR Code
<button </button>
onClick={handleRestore} </div>
disabled={!restoreInput || loading}
className="w-full py-4 bg-gradient-to-r from-slate-800 to-slate-900 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-slate-900 hover:to-black transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed" <div className="space-y-2">
> <label className="text-sm font-semibold text-slate-700">SEEDPGP1 Payload</label>
{loading ? ( <textarea
<RefreshCw className="animate-spin" size={20} /> className="w-full h-32 p-4 bg-slate-50 border border-slate-200 rounded-xl text-xs font-mono focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all resize-none"
) : ( placeholder="SEEDPGP1:0:ABCD:..."
<Unlock size={20} /> value={restoreInput}
)} onChange={(e) => setRestoreInput(e.target.value)}
{loading ? 'Decrypting...' : 'Decrypt & Restore'} readOnly={isReadOnly}
</button> />
)} </div>
</div>
</div> <PgpKeyInput
label="PGP Private Key (Optional)"
{/* QR Output */} icon={FileKey}
{qrPayload && activeTab === 'backup' && ( data-sensitive="PGP Private Key"
<div className="pt-6 border-t border-slate-200 space-y-6 animate-in fade-in slide-in-from-bottom-4"> placeholder="-----BEGIN PGP PRIVATE KEY BLOCK-----&#10;&#10;Paste or drag & drop your private key..."
<div className="flex justify-center"> value={privateKeyInput}
<QrDisplay value={qrPayload} /> onChange={setPrivateKeyInput}
</div> readOnly={isReadOnly}
<div className="space-y-2"> />
<div className="flex items-center justify-between gap-3">
<label className="text-xs font-bold text-slate-500 uppercase tracking-wider"> {privateKeyInput && (
Raw payload (copy for backup) <div className="space-y-2">
</label> <label className="text-xs font-bold text-slate-500 uppercase tracking-wider">Private Key Passphrase</label>
<div className="relative">
<button <Lock className="absolute left-3 top-3 text-slate-400" size={16} />
type="button" <input
onClick={() => copyToClipboard(qrPayload)} type="password"
className="inline-flex items-center gap-2 px-3 py-1.5 rounded-lg bg-slate-900 text-white text-xs font-semibold hover:bg-black transition-colors" data-sensitive="Message Password"
> className="w-full pl-10 pr-4 py-2.5 bg-white border border-slate-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all"
{copied ? <CheckCircle2 size={14} /> : <QrCode size={14} />} placeholder="Unlock private key..."
{copied ? "Copied" : "Copy"} value={privateKeyPassphrase}
</button> onChange={(e) => setPrivateKeyPassphrase(e.target.value)}
</div> readOnly={isReadOnly}
/>
<textarea </div>
readOnly </div>
value={qrPayload} )}
onFocus={(e) => e.currentTarget.select()} </>
className="w-full h-28 p-3 bg-slate-900 rounded-xl font-mono text-[10px] text-green-400 border border-slate-700 shadow-inner leading-relaxed resize-none focus:outline-none focus:ring-2 focus:ring-blue-500" )}
/> </div>
<p className="text-[11px] text-slate-500">
Tip: click the box to select all, or use Copy. {/* Security Panel */}
</p> <div className="space-y-6">
</div> <div className="p-5 bg-gradient-to-br from-slate-50 to-slate-100 rounded-2xl border-2 border-slate-200 shadow-inner space-y-4">
</div> <h3 className="text-sm font-bold text-slate-800 uppercase tracking-wider flex items-center gap-2">
)} <Lock size={14} /> Security Options
</h3>
{/* Restored Mnemonic */}
{restoredData && activeTab === 'restore' && ( <div className="space-y-2">
<div className="pt-6 border-t border-slate-200 animate-in zoom-in-95"> <label className="text-xs font-bold text-slate-500 uppercase tracking-wider">Message Password</label>
<div className="p-6 bg-gradient-to-br from-green-50 to-emerald-50 border-2 border-green-300 rounded-2xl shadow-lg"> <div className="relative">
<div className="flex items-center justify-between mb-4"> <Lock className="absolute left-3 top-3 text-slate-400" size={16} />
<span className="font-bold text-green-700 flex items-center gap-2 text-lg"> <input
<CheckCircle2 size={22} /> Mnemonic Recovered type="password"
</span> className="w-full pl-10 pr-4 py-2.5 bg-white border border-slate-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all"
<button placeholder="Optional password..."
onClick={() => setShowMnemonic(!showMnemonic)} value={activeTab === 'backup' ? backupMessagePassword : restoreMessagePassword}
className="p-2.5 hover:bg-green-100 rounded-xl transition-all text-green-700 hover:shadow" onChange={(e) => activeTab === 'backup' ? setBackupMessagePassword(e.target.value) : setRestoreMessagePassword(e.target.value)}
> readOnly={isReadOnly}
{showMnemonic ? <EyeOff size={22} /> : <Eye size={22} />} />
</button> </div>
</div> <p className="text-[10px] text-slate-500 mt-1">Symmetric encryption password (SKESK)</p>
</div>
<div className={`p-6 bg-white rounded-xl border-2 border-green-200 shadow-sm transition-all duration-300 ${showMnemonic ? 'blur-0' : 'blur-lg select-none'
}`}>
<p className="font-mono text-center text-lg text-slate-800 tracking-wide leading-relaxed break-words"> {activeTab === 'backup' && (
{restoredData.w} <div className="pt-3 border-t border-slate-300">
</p> <label className="flex items-center gap-2 cursor-pointer group">
</div> <input
type="checkbox"
{restoredData.pp === 1 && ( checked={hasBip39Passphrase}
<div className="mt-4 p-3 bg-orange-100 border border-orange-300 rounded-lg"> onChange={(e) => setHasBip39Passphrase(e.target.checked)}
<p className="text-xs text-center text-orange-800 font-bold uppercase tracking-widest flex items-center justify-center gap-2"> disabled={isReadOnly}
<AlertCircle size={14} /> BIP39 Passphrase Required (25th Word) className="rounded text-blue-600 focus:ring-2 focus:ring-blue-500 transition-all"
</p> />
</div> <span className="text-xs font-medium text-slate-700 group-hover:text-slate-900 transition-colors">
)} BIP39 25th word active
</span>
{restoredData.fpr && restoredData.fpr.length > 0 && ( </label>
<div className="mt-4 p-3 bg-blue-50 border border-blue-200 rounded-lg"> </div>
<p className="text-xs text-blue-800"> )}
<strong>Encrypted for keys:</strong> {restoredData.fpr.join(', ')}
</p> <ReadOnly
</div> isReadOnly={isReadOnly}
)} onToggle={setIsReadOnly}
</div> appVersion={__APP_VERSION__}
</div> buildHash={__BUILD_HASH__}
)} />
</div> </div>
</div>
{/* Action Button */}
{/* Footer */} {activeTab === 'backup' ? (
<div className="mt-8 text-center text-xs text-slate-500"> <button
<p>SeedPGP v1.2 OpenPGP (RFC 4880) + Base45 (RFC 9285) + CRC16/CCITT-FALSE</p> onClick={handleBackup}
<p className="mt-1">Never share your private keys or seed phrases. Always verify on an airgapped device.</p> disabled={!mnemonic || loading || isReadOnly}
</div> className="w-full py-4 bg-gradient-to-r from-blue-600 to-blue-700 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-blue-700 hover:to-blue-800 transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:from-blue-600 disabled:hover:to-blue-700"
</div> >
{loading ? (
{/* QR Scanner Modal */} <RefreshCw className="animate-spin" size={20} />
{showQRScanner && ( ) : (
<QRScanner <QrCode size={20} />
onScanSuccess={(scannedText) => { )}
setRestoreInput(scannedText); {loading ? 'Generating...' : 'Generate QR Backup'}
setShowQRScanner(false); </button>
setError(''); ) : (
}} <button
onClose={() => setShowQRScanner(false)} onClick={handleRestore}
/> disabled={!restoreInput || loading || isReadOnly}
)} className="w-full py-4 bg-gradient-to-r from-slate-800 to-slate-900 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-slate-900 hover:to-black transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed"
</> >
); {loading ? (
<RefreshCw className="animate-spin" size={20} />
} ) : (
<Unlock size={20} />
export default App; )}
{loading ? 'Decrypting...' : 'Decrypt & Restore'}
</button>
)}
</div>
</div>
{/* QR Output */}
{qrPayload && activeTab === 'backup' && (
<div className="pt-6 border-t border-slate-200 space-y-6 animate-in fade-in slide-in-from-bottom-4">
<div className="flex justify-center">
<QrDisplay value={qrPayload} />
</div>
<div className="space-y-2">
<div className="flex items-center justify-between gap-3">
<label className="text-xs font-bold text-slate-500 uppercase tracking-wider">
Raw payload (copy for backup)
</label>
<button
type="button"
onClick={() => copyToClipboard(qrPayload)}
className="inline-flex items-center gap-2 px-3 py-1.5 rounded-lg bg-slate-900 text-white text-xs font-semibold hover:bg-black transition-colors"
>
{copied ? <CheckCircle2 size={14} /> : <QrCode size={14} />}
{copied ? "Copied" : "Copy"}
</button>
</div>
<textarea
readOnly
value={qrPayload}
onFocus={(e) => e.currentTarget.select()}
className="w-full h-28 p-3 bg-slate-900 rounded-xl font-mono text-[10px] text-green-400 border border-slate-700 shadow-inner leading-relaxed resize-none focus:outline-none focus:ring-2 focus:ring-blue-500"
/>
<p className="text-[11px] text-slate-500">
Tip: click the box to select all, or use Copy.
</p>
</div>
</div>
)}
{/* Restored Mnemonic */}
{decryptedRestoredMnemonic && activeTab === 'restore' && (
<div className="pt-6 border-t border-slate-200 animate-in zoom-in-95">
<div className="p-6 bg-gradient-to-br from-green-50 to-emerald-50 border-2 border-green-300 rounded-2xl shadow-lg">
<div className="flex items-center justify-between mb-4">
<span className="font-bold text-green-700 flex items-center gap-2 text-lg">
<CheckCircle2 size={22} /> Mnemonic Recovered
</span>
<button
onClick={() => setDecryptedRestoredMnemonic(null)}
className="p-2.5 hover:bg-green-100 rounded-xl transition-all text-green-700 hover:shadow"
>
<EyeOff size={22} /> Hide
</button>
</div>
<div className="p-6 bg-white rounded-xl border-2 border-green-200 shadow-sm">
<p className="font-mono text-center text-lg text-slate-800 tracking-wide leading-relaxed break-words">
{decryptedRestoredMnemonic}
</p>
</div>
</div>
</div>
)}
</div>
</div>
{/* Footer */}
<div className="mt-8 text-center text-xs text-slate-500">
<p>SeedPGP v{__APP_VERSION__} OpenPGP (RFC 4880) + Base45 (RFC 9285) + CRC16/CCITT-FALSE</p>
<p className="mt-1">Never share your private keys or seed phrases. Always verify on an airgapped device.</p>
</div>
</div>
{/* QR Scanner Modal */}
{showQRScanner && (
<QRScanner
onScanSuccess={(scannedText) => {
setRestoreInput(scannedText);
setShowQRScanner(false);
setError('');
}}
onClose={() => setShowQRScanner(false)}
/>
)}
<div className="max-w-4xl mx-auto p-8">
<h1>SeedPGP v1.2.0</h1>
{/* ... rest of your app ... */}
</div>
{/* Floating Storage Monitor - bottom right */}
{!isReadOnly && (
<>
<StorageIndicator />
<SecurityWarnings />
<ClipboardTracker />
</>
)}
</>
);
}
export default App;

184
src/components/ClipboardTracker.tsx Normal file
View File

@@ -0,0 +1,184 @@
import { useState, useEffect } from 'react';
interface ClipboardEvent {
timestamp: Date;
field: string;
length: number; // Show length without storing actual content
}
export const ClipboardTracker = () => {
const [events, setEvents] = useState<ClipboardEvent[]>([]);
const [isExpanded, setIsExpanded] = useState(false);
useEffect(() => {
const handleCopy = (e: ClipboardEvent & Event) => {
const target = e.target as HTMLElement;
// Get selection to measure length
const selection = window.getSelection()?.toString() || '';
const length = selection.length;
if (length === 0) return; // Nothing copied
// Detect field name
let field = 'Unknown field';
if (target.tagName === 'TEXTAREA' || target.tagName === 'INPUT') {
// Try multiple ways to identify the field
field =
target.getAttribute('aria-label') ||
target.getAttribute('name') ||
target.getAttribute('id') ||
(target as HTMLInputElement).type ||
target.tagName.toLowerCase();
// Check parent labels
const label = target.closest('label') ||
document.querySelector(`label[for="${target.id}"]`);
if (label) {
field = label.textContent?.trim() || field;
}
// Check for data-sensitive attribute
const sensitiveAttr = target.getAttribute('data-sensitive') ||
target.closest('[data-sensitive]')?.getAttribute('data-sensitive');
if (sensitiveAttr) {
field = sensitiveAttr;
}
// Detect if it looks like sensitive data
const isSensitive = /mnemonic|seed|key|private|password|secret/i.test(
target.className + ' ' + field + ' ' + (target.getAttribute('placeholder') || '')
);
if (isSensitive && field === target.tagName.toLowerCase()) {
// Try to guess from placeholder
const placeholder = target.getAttribute('placeholder');
if (placeholder) {
field = placeholder.substring(0, 40) + '...';
}
}
}
setEvents(prev => [
{ timestamp: new Date(), field, length },
...prev.slice(0, 9) // Keep last 10 events
]);
// Auto-expand on first copy
if (events.length === 0) {
setIsExpanded(true);
}
};
document.addEventListener('copy', handleCopy as EventListener);
return () => document.removeEventListener('copy', handleCopy as EventListener);
}, [events.length]);
const clearClipboard = async () => {
try {
// Actually clear the system clipboard
await navigator.clipboard.writeText('');
// Clear history
setEvents([]);
// Show success briefly
alert('✅ Clipboard cleared and history wiped');
} catch (err) {
// Fallback for browsers that don't support clipboard API
const dummy = document.createElement('textarea');
dummy.value = '';
document.body.appendChild(dummy);
dummy.select();
document.execCommand('copy');
document.body.removeChild(dummy);
setEvents([]);
alert('✅ History cleared (clipboard may require manual clearing)');
}
};
return (
<div className="fixed bottom-24 right-4 z-50 max-w-sm">
<div className={`rounded-lg shadow-lg border-2 transition-all ${events.length > 0
? 'bg-orange-50 border-orange-400'
: 'bg-gray-50 border-gray-300'
}`}>
{/* Header */}
<div
className={`px-4 py-3 cursor-pointer flex items-center justify-between rounded-t-lg transition-colors ${events.length > 0 ? 'hover:bg-orange-100' : 'hover:bg-gray-100'
}`}
onClick={() => setIsExpanded(!isExpanded)}
>
<div className="flex items-center gap-2">
<span className="text-lg">📋</span>
<span className="font-semibold text-sm text-gray-700">Clipboard Activity</span>
</div>
<div className="flex items-center gap-2">
{events.length > 0 && (
<span className="text-xs bg-orange-500 text-white px-2 py-0.5 rounded-full font-medium">
{events.length}
</span>
)}
<span className="text-gray-400 text-sm">{isExpanded ? '▼' : '▶'}</span>
</div>
</div>
{/* Expanded Content */}
{isExpanded && (
<div className="p-4 border-t border-gray-300">
{events.length > 0 && (
<div className="mb-3 bg-orange-100 border border-orange-300 rounded-md p-3 text-xs text-orange-900">
<strong> Clipboard Warning:</strong> Copied data is accessible to other apps,
browser tabs, and extensions. Clear clipboard after use.
</div>
)}
{events.length > 0 ? (
<>
<div className="space-y-2 mb-3 max-h-64 overflow-y-auto">
{events.map((event, idx) => (
<div
key={idx}
className="bg-white border border-orange-200 rounded-md p-2 text-xs"
>
<div className="flex justify-between items-start gap-2 mb-1">
<span className="font-semibold text-orange-900 break-all">
{event.field}
</span>
<span className="text-gray-400 text-[10px] whitespace-nowrap">
{event.timestamp.toLocaleTimeString()}
</span>
</div>
<div className="text-gray-600 text-[10px]">
Copied {event.length} character{event.length !== 1 ? 's' : ''}
</div>
</div>
))}
</div>
<button
onClick={(e) => {
e.stopPropagation(); // Prevent collapse toggle
clearClipboard();
}}
className="w-full text-xs py-2 px-3 bg-orange-600 hover:bg-orange-700 text-white rounded-md font-medium transition-colors"
>
🗑 Clear Clipboard & History
</button>
</>
) : (
<div className="text-center py-4">
<div className="text-3xl mb-2"></div>
<p className="text-xs text-gray-500">No clipboard activity detected</p>
</div>
)}
</div>
)}
</div>
</div>
);
};

26
src/components/PgpKeyInput.tsx
View File

@@ -1,15 +1,14 @@
import React, { useState } from 'react'; import React, { useState } from 'react';
import { Upload } from 'lucide-react'; import { Upload } from 'lucide-react';
import type { LucideIcon } from "lucide-react"; import type { LucideIcon } from "lucide-react";
interface PgpKeyInputProps { interface PgpKeyInputProps {
value: string; value: string;
onChange: (value: string) => void; onChange: (value: string) => void;
placeholder: string; placeholder: string;
label: string; label: string;
icon?: LucideIcon; icon?: LucideIcon;
readOnly?: boolean;
} }
export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({ export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
@@ -17,21 +16,25 @@ export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
onChange, onChange,
placeholder, placeholder,
label, label,
icon: Icon icon: Icon,
readOnly = false,
}) => { }) => {
const [isDragging, setIsDragging] = useState(false); const [isDragging, setIsDragging] = useState(false);
const handleDragOver = (e: React.DragEvent) => { const handleDragOver = (e: React.DragEvent) => {
if (readOnly) return;
e.preventDefault(); e.preventDefault();
setIsDragging(true); setIsDragging(true);
}; };
const handleDragLeave = (e: React.DragEvent) => { const handleDragLeave = (e: React.DragEvent) => {
if (readOnly) return;
e.preventDefault(); e.preventDefault();
setIsDragging(false); setIsDragging(false);
}; };
const handleDrop = (e: React.DragEvent) => { const handleDrop = (e: React.DragEvent) => {
if (readOnly) return;
e.preventDefault(); e.preventDefault();
setIsDragging(false); setIsDragging(false);
@@ -53,24 +56,27 @@ export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
<span className="flex items-center gap-2"> <span className="flex items-center gap-2">
{Icon && <Icon size={14} />} {label} {Icon && <Icon size={14} />} {label}
</span> </span>
<span className="text-[10px] text-slate-400 font-normal bg-slate-100 px-2 py-0.5 rounded-full border border-slate-200"> {!readOnly && (
Drag & Drop .asc file <span className="text-[10px] text-slate-400 font-normal bg-slate-100 px-2 py-0.5 rounded-full border border-slate-200">
</span> Drag & Drop .asc file
</span>
)}
</label> </label>
<div <div
className={`relative transition-all duration-200 ${isDragging ? 'scale-[1.01]' : ''}`} className={`relative transition-all duration-200 ${isDragging && !readOnly ? 'scale-[1.01]' : ''}`}
onDragOver={handleDragOver} onDragOver={handleDragOver}
onDragLeave={handleDragLeave} onDragLeave={handleDragLeave}
onDrop={handleDrop} onDrop={handleDrop}
> >
<textarea <textarea
className={`w-full h-40 p-3 bg-slate-50 border rounded-xl text-xs font-mono transition-colors resize-none focus:outline-none focus:ring-2 focus:ring-blue-500 ${isDragging ? 'border-blue-500 bg-blue-50' : 'border-slate-200' className={`w-full h-40 p-3 bg-slate-50 border rounded-xl text-xs font-mono transition-colors resize-none focus:outline-none focus:ring-2 focus:ring-blue-500 ${isDragging && !readOnly ? 'border-blue-500 bg-blue-50' : 'border-slate-200'
}`} }`}
placeholder={placeholder} placeholder={placeholder}
value={value} value={value}
onChange={(e) => onChange(e.target.value)} onChange={(e) => onChange(e.target.value)}
readOnly={readOnly}
/> />
{isDragging && ( {isDragging && !readOnly && (
<div className="absolute inset-0 flex items-center justify-center bg-blue-50/90 rounded-xl border-2 border-dashed border-blue-500 pointer-events-none z-10"> <div className="absolute inset-0 flex items-center justify-center bg-blue-50/90 rounded-xl border-2 border-dashed border-blue-500 pointer-events-none z-10">
<div className="text-blue-600 font-bold flex flex-col items-center animate-bounce"> <div className="text-blue-600 font-bold flex flex-col items-center animate-bounce">
<Upload size={24} /> <Upload size={24} />

39
src/components/ReadOnly.tsx Normal file
View File

@@ -0,0 +1,39 @@
import { WifiOff } from 'lucide-react';
type ReadOnlyProps = {
isReadOnly: boolean;
onToggle: (isReadOnly: boolean) => void;
buildHash: string;
appVersion: string;
};
const CSP_POLICY = `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none';`;
export function ReadOnly({ isReadOnly, onToggle, buildHash, appVersion }: ReadOnlyProps) {
return (
<div className="pt-3 border-t border-slate-300">
<label className="flex items-center gap-2 cursor-pointer group">
<input
type="checkbox"
checked={isReadOnly}
onChange={(e) => onToggle(e.target.checked)}
className="rounded text-blue-600 focus:ring-2 focus:ring-blue-500 transition-all"
/>
<span className="text-xs font-medium text-slate-700 group-hover:text-slate-900 transition-colors">
Read-only Mode
</span>
</label>
{isReadOnly && (
<div className="mt-4 p-3 bg-slate-800 text-slate-200 rounded-lg text-xs space-y-2 animate-in fade-in">
<p className="font-bold flex items-center gap-2"><WifiOff size={14} /> Network & Persistence Disabled</p>
<div className="font-mono text-[10px] space-y-1">
<p><span className="font-semibold text-slate-400">Version:</span> {appVersion}</p>
<p><span className="font-semibold text-slate-400">Build:</span> {buildHash}</p>
<p className="pt-1 font-semibold text-slate-400">Content Security Policy:</p>
<p className="text-sky-300 break-words">{CSP_POLICY}</p>
</div>
</div>
)}
</div>
);
}

81
src/components/SecurityWarnings.tsx Normal file
View File

@@ -0,0 +1,81 @@
import { useState } from 'react';
export const SecurityWarnings = () => {
const [isExpanded, setIsExpanded] = useState(false);
return (
<div className="fixed bottom-4 left-4 z-50 max-w-sm">
<div className="bg-yellow-50 border-2 border-yellow-400 rounded-lg shadow-lg">
{/* Header */}
<div
className="px-4 py-3 cursor-pointer flex items-center justify-between hover:bg-yellow-100 transition-colors rounded-t-lg"
onClick={() => setIsExpanded(!isExpanded)}
>
<div className="flex items-center gap-2">
<span className="text-lg"></span>
<span className="font-semibold text-sm text-yellow-900">Security Limitations</span>
</div>
<span className="text-yellow-600 text-sm">{isExpanded ? '▼' : '▶'}</span>
</div>
{/* Expanded Content */}
{isExpanded && (
<div className="px-4 py-3 border-t border-yellow-300 space-y-3 max-h-96 overflow-y-auto">
<Warning
icon="🧵"
title="JavaScript Strings are Immutable"
description="Strings cannot be overwritten in memory. Copies persist until garbage collection runs (timing unpredictable)."
/>
<Warning
icon="🗑️"
title="No Guaranteed Memory Wiping"
description="JavaScript has no secure memory clearing. Sensitive data may linger in RAM until GC or browser restart."
/>
<Warning
icon="📋"
title="Clipboard Exposure"
description="Copied data is accessible to other tabs/apps. Browser extensions can read clipboard contents."
/>
<Warning
icon="💾"
title="Browser Storage Persistence"
description="localStorage survives browser restart. sessionStorage survives page refresh. Both readable by any script on this domain."
/>
<Warning
icon="🔍"
title="DevTools Access"
description="All app state, memory, and storage visible in browser DevTools. Never use on untrusted devices."
/>
<Warning
icon="🌐"
title="Network Risks (When Online)"
description="If hosted online: DNS, HTTPS, CDN, and browser can see usage patterns. Use offline/local for maximum security."
/>
<div className="pt-2 border-t border-yellow-300 text-xs text-yellow-800">
<strong>Recommendation:</strong> Use this tool on a dedicated offline device.
Clear browser data after each use. Never use on shared/public computers.
</div>
</div>
)}
</div>
</div>
);
};
const Warning = ({ icon, title, description }: { icon: string; title: string; description: string }) => (
<div className="flex gap-2 text-xs">
<span className="text-base flex-shrink-0">{icon}</span>
<div>
<div className="font-semibold text-yellow-900 mb-0.5">{title}</div>
<div className="text-yellow-800 leading-relaxed">{description}</div>
</div>
</div>
);

150
src/components/StorageIndicator.tsx Normal file
View File

@@ -0,0 +1,150 @@
import { useState, useEffect } from 'react';
interface StorageItem {
key: string;
value: string;
size: number;
isSensitive: boolean;
}
export const StorageIndicator = () => {
const [localItems, setLocalItems] = useState<StorageItem[]>([]);
const [sessionItems, setSessionItems] = useState<StorageItem[]>([]);
const [isExpanded, setIsExpanded] = useState(false);
const SENSITIVE_PATTERNS = ['key', 'mnemonic', 'seed', 'private', 'secret', 'pgp', 'password'];
const isSensitiveKey = (key: string): boolean => {
const lowerKey = key.toLowerCase();
return SENSITIVE_PATTERNS.some(pattern => lowerKey.includes(pattern));
};
const getStorageItems = (storage: Storage): StorageItem[] => {
const items: StorageItem[] = [];
for (let i = 0; i < storage.length; i++) {
const key = storage.key(i);
if (key) {
const value = storage.getItem(key) || '';
items.push({
key,
value: value.substring(0, 50) + (value.length > 50 ? '...' : ''),
size: new Blob([value]).size,
isSensitive: isSensitiveKey(key)
});
}
}
return items.sort((a, b) => (b.isSensitive ? 1 : 0) - (a.isSensitive ? 1 : 0));
};
const refreshStorage = () => {
setLocalItems(getStorageItems(localStorage));
setSessionItems(getStorageItems(sessionStorage));
};
useEffect(() => {
refreshStorage();
const interval = setInterval(refreshStorage, 2000);
return () => clearInterval(interval);
}, []);
const totalItems = localItems.length + sessionItems.length;
const sensitiveCount = [...localItems, ...sessionItems].filter(i => i.isSensitive).length;
return (
<div className="fixed bottom-4 right-4 z-50 max-w-md">
<div className={`bg-white rounded-lg shadow-lg border-2 ${sensitiveCount > 0 ? 'border-red-400' : 'border-gray-300'
} transition-all duration-200`}>
{/* Header Bar */}
<div
className={`px-4 py-3 rounded-t-lg cursor-pointer flex items-center justify-between ${sensitiveCount > 0 ? 'bg-red-50' : 'bg-gray-50'
} hover:opacity-90 transition-opacity`}
onClick={() => setIsExpanded(!isExpanded)}
>
<div className="flex items-center gap-2">
<span className="text-lg">🗄</span>
<span className="font-semibold text-sm text-gray-700">Storage Monitor</span>
</div>
<div className="flex items-center gap-2">
{sensitiveCount > 0 && (
<span className="text-xs bg-red-500 text-white px-2 py-0.5 rounded-full font-medium">
{sensitiveCount}
</span>
)}
<span className={`text-xs px-2 py-0.5 rounded-full font-medium ${totalItems > 0 ? 'bg-blue-100 text-blue-700' : 'bg-green-100 text-green-700'
}`}>
{totalItems === 0 ? '✓ Empty' : `${totalItems} item${totalItems !== 1 ? 's' : ''}`}
</span>
<span className="text-gray-400 text-sm">{isExpanded ? '▼' : '▶'}</span>
</div>
</div>
{/* Expanded Content */}
{isExpanded && (
<div className="p-4 max-h-96 overflow-y-auto">
{sensitiveCount > 0 && (
<div className="mb-3 bg-yellow-50 border border-yellow-300 rounded-md p-3 text-xs">
<div className="flex items-start gap-2">
<span className="text-yellow-600 mt-0.5"></span>
<div className="text-yellow-800">
<strong>Security Notice:</strong> Sensitive data persists in browser storage
(survives refresh/restart). Clear manually if on shared device.
</div>
</div>
</div>
)}
<div className="space-y-3">
<StorageSection title="localStorage" items={localItems} icon="💾" />
<StorageSection title="sessionStorage" items={sessionItems} icon="⏱️" />
</div>
{totalItems === 0 && (
<div className="text-center py-6">
<div className="text-4xl mb-2"></div>
<p className="text-sm text-gray-500">No data in browser storage</p>
</div>
)}
</div>
)}
</div>
</div>
);
};
const StorageSection = ({ title, items, icon }: { title: string; items: StorageItem[]; icon: string }) => {
if (items.length === 0) return null;
return (
<div>
<h4 className="text-xs font-bold text-gray-500 mb-2 flex items-center gap-1">
<span>{icon}</span>
<span className="uppercase">{title}</span>
<span className="ml-auto text-gray-400 font-normal">({items.length})</span>
</h4>
<div className="space-y-2">
{items.map((item) => (
<div
key={item.key}
className={`text-xs rounded-md border p-2 ${item.isSensitive
? 'bg-red-50 border-red-300'
: 'bg-gray-50 border-gray-200'
}`}
>
<div className="flex justify-between items-start gap-2 mb-1">
<span className={`font-mono font-semibold text-[11px] break-all ${item.isSensitive ? 'text-red-700' : 'text-gray-700'
}`}>
{item.isSensitive && '🔴 '}{item.key}
</span>
<span className="text-gray-400 text-[10px] whitespace-nowrap">{item.size}B</span>
</div>
<div className="text-gray-500 font-mono text-[10px] break-all leading-relaxed opacity-70">
{item.value}
</div>
</div>
))}
</div>
</div>
);
};

6
src/lib/seedpgp.ts
View File

@@ -3,6 +3,12 @@ import { base45Encode, base45Decode } from "./base45";
import { crc16CcittFalse } from "./crc16"; import { crc16CcittFalse } from "./crc16";
import type { SeedPgpPlaintext, ParsedSeedPgpFrame } from "./types"; import type { SeedPgpPlaintext, ParsedSeedPgpFrame } from "./types";
// Configure OpenPGP.js (disable warnings)
openpgp.config.showComment = false;
openpgp.config.showVersion = false;
openpgp.config.allowUnauthenticatedMessages = true; // Suppress AES warning
openpgp.config.allowUnauthenticatedStream = true; // Suppress stream warning
function nonEmptyTrimmed(s?: string): string | undefined { function nonEmptyTrimmed(s?: string): string | undefined {
if (!s) return undefined; if (!s) return undefined;
const t = s.trim(); const t = s.trim();

205
src/lib/sessionCrypto.ts Normal file
View File

@@ -0,0 +1,205 @@
/**
* @file Ephemeral, per-session, in-memory encryption using Web Crypto API.
*
* This module manages a single, non-exportable AES-GCM key for a user's session.
* It's designed to encrypt sensitive data (like a mnemonic) before it's placed
* into React state, mitigating the risk of plaintext data in memory snapshots.
* The key is destroyed when the user navigates away or the session ends.
*/
// --- Helper functions for encoding ---
function base64ToBytes(base64: string): Uint8Array {
const binString = atob(base64);
return Uint8Array.from(binString, (m) => m.codePointAt(0)!);
}
function bytesToBase64(bytes: Uint8Array): string {
const binString = Array.from(bytes, (byte) =>
String.fromCodePoint(byte),
).join("");
return btoa(binString);
}
// --- Module-level state ---
/**
* Holds the session's AES-GCM key. This variable is not exported and is
* only accessible through the functions in this module.
* @private
*/
let sessionKey: CryptoKey | null = null;
const KEY_ALGORITHM = 'AES-GCM';
const KEY_LENGTH = 256;
/**
* An object containing encrypted data and necessary metadata for decryption.
*/
export interface EncryptedBlob {
v: 1;
/**
* The algorithm used. This is metadata; the actual Web Crypto API call
* uses `{ name: "AES-GCM", length: 256 }`.
*/
alg: 'A256GCM';
iv_b64: string; // Initialization Vector (base64)
ct_b64: string; // Ciphertext (base64)
}
// --- Core API Functions ---
/**
* Generates and stores a session-level AES-GCM 256-bit key.
* The key is non-exportable and is held in a private module-level variable.
* If a key already exists, the existing key is returned, making the function idempotent.
* This function must be called before any encryption or decryption can occur.
* @returns A promise that resolves to the generated or existing CryptoKey.
*/
export async function getSessionKey(): Promise<CryptoKey> {
if (sessionKey) {
return sessionKey;
}
const key = await window.crypto.subtle.generateKey(
{
name: KEY_ALGORITHM,
length: KEY_LENGTH,
},
false, // non-exportable
['encrypt', 'decrypt'],
);
sessionKey = key;
return key;
}
/**
* Encrypts a JSON-serializable object using the current session key.
* @param data The object to encrypt. Must be JSON-serializable.
* @returns A promise that resolves to an EncryptedBlob.
*/
export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
if (!sessionKey) {
throw new Error('Session key not initialized. Call getSessionKey() first.');
}
const iv = window.crypto.getRandomValues(new Uint8Array(12)); // 96-bit IV is recommended for AES-GCM
const plaintext = new TextEncoder().encode(JSON.stringify(data));
const ciphertext = await window.crypto.subtle.encrypt(
{
name: KEY_ALGORITHM,
iv: new Uint8Array(iv),
},
sessionKey,
plaintext,
);
return {
v: 1,
alg: 'A256GCM',
iv_b64: bytesToBase64(iv),
ct_b64: bytesToBase64(new Uint8Array(ciphertext)),
};
}
/**
* Decrypts an EncryptedBlob back into its original object form.
* @param blob The EncryptedBlob to decrypt.
* @returns A promise that resolves to the original decrypted object.
*/
export async function decryptBlobToJson<T>(blob: EncryptedBlob): Promise<T> {
if (!sessionKey) {
throw new Error('Session key not initialized or has been destroyed.');
}
if (blob.v !== 1 || blob.alg !== 'A256GCM') {
throw new Error('Invalid or unsupported encrypted blob format.');
}
const iv = base64ToBytes(blob.iv_b64);
const ciphertext = base64ToBytes(blob.ct_b64);
const decrypted = await window.crypto.subtle.decrypt(
{
name: KEY_ALGORITHM,
iv: new Uint8Array(iv),
},
sessionKey,
new Uint8Array(ciphertext),
);
const jsonString = new TextDecoder().decode(decrypted);
return JSON.parse(jsonString) as T;
}
/**
* Destroys the session key reference, making it unavailable for future
* operations and allowing it to be garbage collected.
*/
export function destroySessionKey(): void {
sessionKey = null;
}
/**
* A standalone test function that can be run in the browser console
* to verify the complete encryption and decryption lifecycle.
*
* To use:
* 1. Copy this entire function into the browser's developer console.
* 2. Run it by typing: `await runSessionCryptoTest()`
* 3. Check the console for logs.
*/
export async function runSessionCryptoTest(): Promise<void> {
console.log('--- Running Session Crypto Test ---');
try {
// 1. Destroy any old key
destroySessionKey();
console.log('Old key destroyed (if any).');
// 2. Generate a new key
await getSessionKey();
console.log('New session key generated.');
// 3. Define a secret object
const originalObject = {
mnemonic: 'fee table visa input phrase lake buffalo vague merit million mesh blend',
timestamp: new Date().toISOString(),
};
console.log('Original object:', originalObject);
// 4. Encrypt the object
const encrypted = await encryptJsonToBlob(originalObject);
console.log('Encrypted blob:', encrypted);
if (typeof encrypted.ct_b64 !== 'string' || encrypted.ct_b64.length < 20) {
throw new Error('Encryption failed: ciphertext looks invalid.');
}
// 5. Decrypt the object
const decrypted = await decryptBlobToJson(encrypted);
console.log('Decrypted object:', decrypted);
// 6. Verify integrity
if (JSON.stringify(originalObject) !== JSON.stringify(decrypted)) {
throw new Error('Verification failed: Decrypted data does not match original data.');
}
console.log('%c✅ Success: Data integrity verified.', 'color: green; font-weight: bold;');
// 7. Test key destruction
destroySessionKey();
console.log('Session key destroyed.');
try {
await decryptBlobToJson(encrypted);
} catch (e) {
console.log('As expected, decryption failed after key destruction:', (e as Error).message);
}
} catch (error) {
console.error('%c❌ Test Failed:', 'color: red; font-weight: bold;', error);
} finally {
console.log('--- Test Complete ---');
}
}
// For convenience, attach the test runner to the window object.
// This is for development/testing only and can be removed in production.
if (import.meta.env.DEV && typeof window !== 'undefined') {
(window as any).runSessionCryptoTest = runSessionCryptoTest;
}

24
src/main.tsx
View File

@@ -1,8 +1,32 @@
// Suppress OpenPGP.js AES cipher warnings
const originalWarn = console.warn;
const originalError = console.error;
console.warn = (...args: any[]) => {
const msg = args[0]?.toString() || '';
if (msg.includes('AES-CBC') || msg.includes('AES-CTR') || msg.includes('authentication')) {
return;
}
originalWarn.apply(console, args);
};
console.error = (...args: any[]) => {
const msg = args[0]?.toString() || '';
if (msg.includes('AES-CBC') || msg.includes('AES-CTR') || msg.includes('authentication')) {
return;
}
originalError.apply(console, args);
};
import { StrictMode } from 'react' import { StrictMode } from 'react'
import { createRoot } from 'react-dom/client' import { createRoot } from 'react-dom/client'
import './index.css' import './index.css'
import App from './App' import App from './App'
if (import.meta.env.DEV) {
await import('./lib/sessionCrypto');
}
createRoot(document.getElementById('root')!).render( createRoot(document.getElementById('root')!).render(
<StrictMode> <StrictMode>
<App /> <App />

2
src/vite-env.d.ts vendored
View File

@@ -6,3 +6,5 @@ declare module '*.css' {
export default content; export default content;
} }
declare const __APP_VERSION__: string;
declare const __BUILD_HASH__: string;

26
vite.config.ts
View File

@@ -1,18 +1,24 @@
import { defineConfig } from 'vite' import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react' import react from '@vitejs/plugin-react'
import { execSync } from 'child_process'
import fs from 'fs'
// Read version from package.json
const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf-8'))
const appVersion = packageJson.version
// Get git commit hash
const gitHash = execSync('git rev-parse --short HEAD').toString().trim()
export default defineConfig({ export default defineConfig({
plugins: [react()], plugins: [react()],
base: '/seedpgp-web-app/', // Match your repo name base: '/seedpgp-web-app/',
build: { build: {
chunkSizeWarningLimit: 600, // Suppress warning outDir: 'dist',
rollupOptions: { emptyOutDir: false,
output: { },
manualChunks: { define: {
'openpgp': ['openpgp'], // Separate chunk for PGP '__APP_VERSION__': JSON.stringify(appVersion),
} '__BUILD_HASH__': JSON.stringify(gitHash),
}
}
} }
}) })