kccleoc/seedpgp-web
0
0
Fork 0
mirror of https://github.com/kccleoc/seedpgp-web.git synced 2026-03-07 09:57:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kccleoc:v1.4.7
Branches Tags
kccleoc:main
kccleoc:v1.4.7 kccleoc:v1.4.6 kccleoc:v1.4.5 kccleoc:v1.4.4 kccleoc:v1.4.3 kccleoc:v1.4.2 kccleoc:v1.4.1 kccleoc:v1.4.0 kccleoc:v1.3.0 kccleoc:v1.2.1 kccleoc:v1.2.0 kccleoc:v1.1.0
...
compare: kccleoc:4da39b7b8977d629ca29a202e0df2edb3e82d0ca
Branches Tags
kccleoc:main
kccleoc:v1.4.7 kccleoc:v1.4.6 kccleoc:v1.4.5 kccleoc:v1.4.4 kccleoc:v1.4.3 kccleoc:v1.4.2 kccleoc:v1.4.1 kccleoc:v1.4.0 kccleoc:v1.3.0 kccleoc:v1.2.1 kccleoc:v1.2.0 kccleoc:v1.1.0

4 Commits
v1.4.7 ... 4da39b7b89

Author SHA1 Message Date
LC mac
4da39b7b89 security improvement and bugs fixing; modify makefile 2026-02-18 03:24:05 +08:00
LC mac
127b479f4f restyle the butoon to match theme style 2026-02-15 23:50:54 +08:00
LC mac
0a270a5907 change to mobile layout, reduce spacing 2026-02-14 23:19:35 +08:00
LC mac
3bcb343fe3 docs: update version to v1.4.7 and organize documentation 
- Update package.json version to v1.4.7
- Update README.md header to v1.4.7
- Update GEMINI.md version references to v1.4.7
- Update RECOVERY_PLAYBOOK.md version to v1.4.7
- Update SECURITY_AUDIT_REPORT.md version to v1.4.7
- Move documentation files to doc/ directory for better organization
- Add new documentation files: LOCAL_TESTING_GUIDE.md, SERVE.md, TAILS_OFFLINE_PLAYBOOK.md
- Add Makefile and serve.ts for improved development workflow
 2026-02-13 23:24:26 +08:00
35 changed files with 53304 additions and 929 deletions
Expand all files Collapse all files

259
Makefile Normal file
View File

@@ -0,0 +1,259 @@
.PHONY: help install build build-offline build-tails serve-local serve-bun audit clean verify-offline verify-tails dev test
help:
@echo "seedpgp-web Makefile - Bun-based build system"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 🚀 QUICK START"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " Recommended for real use (\$$10K+):"
@echo " make full-build-tails # Build, verify, audit for TailsOS"
@echo " make serve-local # Serve on http://localhost:8000"
@echo ""
@echo " For development:"
@echo " make dev # Hot reload dev server"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 📦 BUILD COMMANDS"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " make install Install dependencies with Bun"
@echo " make build Build for Cloudflare Pages (absolute paths)"
@echo " make build-offline Build with relative paths (local testing)"
@echo " make build-tails Build for TailsOS (CSP embedded, checksums)"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 🔍 VERIFICATION & TESTING"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " make verify-tails Verify TailsOS build (CSP, paths, integrity)"
@echo " make verify-offline Verify offline build compatibility"
@echo " make audit Run security audit (network, storage, CSP)"
@echo " make test Run test suite (BIP39, Krux, security)"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 🌐 LOCAL SERVERS"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " make serve-local Serve dist/ with Python HTTP server (port 8000)"
@echo " make serve-bun Serve dist/ with Bun server (port 8000)"
@echo " make dev Development server with hot reload (port 5173)"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 🔗 PIPELINE COMMANDS"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " make full-build-tails Clean → build-tails → verify → audit"
@echo " make full-build-offline Clean → build-offline → verify"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 🗑️ MAINTENANCE"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " make clean Remove dist/, dist-tails/, build cache"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo " 💡 EXAMPLES"
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo " # Full TailsOS production build"
@echo " make full-build-tails && make serve-local"
@echo ""
@echo " # Development with hot reload"
@echo " make dev"
@echo ""
@echo " # Manual verification"
@echo " make build-tails"
@echo " make verify-tails"
@echo " grep 'connect-src' dist-tails/index.html"
@echo ""
@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@echo ""
@echo "For more details, see README.md or run specific targets."
# Install dependencies
install:
@echo "📦 Installing dependencies with Bun..."
bun install
# Build for Cloudflare (absolute paths, CSP via _headers)
build:
@echo "🔨 Building for Cloudflare Pages (absolute paths)..."
VITE_BASE_PATH="/" bun run vite build
@echo "✅ Build complete: dist/"
@echo " CSP will be enforced by _headers file"
# Build for offline/local testing (relative paths, no CSP)
build-offline:
@echo "🔨 Building for offline use (relative paths)..."
VITE_BASE_PATH="./" bun run vite build
@echo "✅ Build complete: dist/ (with relative asset paths)"
@echo "⚠️ No CSP embedded - use build-tails for production offline use"
# Build for TailsOS with embedded CSP (relative paths + security hardening)
build-tails:
@echo "🔨 Building for TailsOS (relative paths + embedded CSP)..."
VITE_BASE_PATH="./" bun run vite build
@echo ""
@echo "🔒 Injecting production CSP into index.html..."
@perl -i.bak -pe 's|(<head>)|$$1\n<meta http-equiv="Content-Security-Policy" content="default-src '"'"'self'"'"'; script-src '"'"'self'"'"' '"'"'unsafe-inline'"'"' '"'"'wasm-unsafe-eval'"'"'; style-src '"'"'self'"'"' '"'"'unsafe-inline'"'"'; img-src '"'"'self'"'"' data: blob:; connect-src '"'"'self'"'"' blob: data:; font-src '"'"'self'"'"'; object-src '"'"'none'"'"'; media-src '"'"'self'"'"' blob:; base-uri '"'"'self'"'"'; form-action '"'"'none'"'"';" data-env="tails">|' dist/index.html
@rm -f dist/index.html.bak
@echo "✅ CSP embedded in dist/index.html"
@echo ""
@echo "📦 Creating TailsOS distribution package..."
@mkdir -p dist-tails
@cp -R dist/* dist-tails/
@echo "# SeedPGP Web - TailsOS Offline Build" > dist-tails/README.txt
@echo "" >> dist-tails/README.txt
@echo "Built: $$(date)" >> dist-tails/README.txt
@echo "" >> dist-tails/README.txt
@echo "Usage Instructions:" >> dist-tails/README.txt
@echo "1. Copy this entire folder to a USB drive" >> dist-tails/README.txt
@echo "2. Boot TailsOS from your primary USB" >> dist-tails/README.txt
@echo "3. Insert this application USB drive" >> dist-tails/README.txt
@echo "4. Open Tor Browser (or regular browser if offline)" >> dist-tails/README.txt
@echo "5. Navigate to: file:///media/amnesia/USBNAME/index.html" >> dist-tails/README.txt
@echo "6. Enable JavaScript if prompted" >> dist-tails/README.txt
@echo "" >> dist-tails/README.txt
@echo "Security Features:" >> dist-tails/README.txt
@echo "- Content Security Policy enforced (no network access)" >> dist-tails/README.txt
@echo "- All assets relative (works offline)" >> dist-tails/README.txt
@echo "- No external dependencies or CDN calls" >> dist-tails/README.txt
@echo "- Session-only crypto keys (destroyed on tab close)" >> dist-tails/README.txt
@echo "" >> dist-tails/README.txt
@echo "SHA-256 Checksums:" >> dist-tails/README.txt
@cd dist-tails && find . -type f -not -name "README.txt" -exec shasum -a 256 {} \; | sort >> README.txt
@echo ""
@echo "✅ TailsOS build complete: dist-tails/"
@echo ""
@echo "Next steps:"
@echo " 1. Verify checksums: make verify-tails"
@echo " 2. Format USB (FAT32): diskutil eraseDisk FAT32 SEEDPGP /dev/diskX"
@echo " 3. Copy: cp -R dist-tails/* /Volumes/SEEDPGP/"
@echo " 4. Eject: diskutil eject /Volumes/SEEDPGP"
@echo " 5. Boot TailsOS and test"
verify-tails:
@echo "1⃣ Checking for CSP in index.html..."
@if grep -q "connect-src.*'self'" dist-tails/index.html; then \
echo "✅ CSP allows local connections only (WASM compatible)"; \
else \
echo "❌ CSP misconfigured"; \
exit 1; \
fi
@echo ""
@# 2. CHECK RELATIVE PATHS
@if grep -q 'src="./' dist-tails/index.html; then \
echo "✅ Relative paths detected (offline compatible)"; \
else \
echo "❌ Absolute paths found"; \
exit 1; \
fi
@echo ""
@# 3. SECURITY NOTE (NOT FAILURE)
@echo "5⃣ Security Note:"
@echo " fetch() references exist in bundle (from openpgp.js)"
@echo " ✓ These are BLOCKED by CSP connect-src 'none' at runtime"
@echo " ✓ Browser will reject all network attempts with CSP violation"
@echo ""
@echo "✅ TailsOS build verification complete"
# Development server (for testing locally)
serve-local:
@echo "🚀 Starting local server at http://localhost:8000"
@echo " Press Ctrl+C to stop"
@if [ ! -d dist ]; then \
echo "❌ dist/ not found. Run 'make build' first"; \
exit 1; \
fi
cd dist && python3 -m http.server 8000
serve-bun:
@echo "🚀 Starting Bun static server at http://127.0.0.1:8000"
@echo " Press Ctrl+C to stop"
@if [ ! -d dist ]; then \
echo "❌ dist/ not found. Run 'make build' first"; \
exit 1; \
fi
bun ./serve.ts
# Run test suite
test:
@echo "🧪 Running test suite..."
bun test
# Security audit - check for network calls and suspicious patterns
audit:
@echo "🔍 Running security audit..."
@echo ""
@echo "Checking for network calls in source..."
@grep -r "fetch\|XMLHttpRequest\|axios" src/ --include="*.ts" --include="*.tsx" --include="*.js" || echo "✅ No explicit network calls found"
@echo ""
@echo "Checking for external resources in build..."
@if [ -d dist ]; then \
grep -r "cloudflare\|googleapis\|cdn\|http:" dist/ || echo "✅ No external URLs in dist/"; \
else \
echo "⚠️ dist/ not found - run 'make build' first"; \
fi
@echo ""
@echo "Checking for persistent storage usage..."
@grep -r "localStorage\|sessionStorage" src/ --include="*.ts" --include="*.tsx" || echo "✅ No persistent storage in crypto paths"
@echo ""
@echo "Checking for eval() or Function() usage..."
@grep -r "eval(\|new Function(" src/ --include="*.ts" --include="*.tsx" || echo "✅ No dynamic code execution"
@echo ""
@echo "✅ Security audit complete"
# Verify offline compatibility
verify-offline:
@echo "🧪 Verifying offline compatibility..."
@echo ""
@if [ ! -d dist ]; then \
echo "❌ dist/ not found. Run 'make build-offline' first"; \
exit 1; \
fi
@echo "Checking dist/ file structure..."
@find dist -type f | wc -l | xargs echo "Total files:"
@echo ""
@echo "Verifying index.html exists and is readable..."
@[ -f dist/index.html ] && echo "✅ index.html found" || (echo "❌ index.html NOT found" && exit 1)
@echo ""
@echo "Checking for asset references in index.html..."
@head -20 dist/index.html | grep -q "assets" && echo "✅ Assets referenced" || echo "⚠️ No assets referenced"
@echo ""
@echo "Checking for relative path usage..."
@grep -q 'src="./' dist/index.html && echo "✅ Relative paths detected" || echo "⚠️ Check asset paths"
@echo ""
@echo "✅ Offline compatibility check complete"
# Clean build artifacts
clean:
@echo "🗑️ Cleaning build artifacts..."
rm -rf dist/
rm -rf dist-tails/
rm -rf .dist/
rm -rf node_modules/.vite/
@echo "✅ Clean complete"
# Full TailsOS pipeline: clean, build, verify, audit
full-build-tails: clean build-tails verify-tails audit
@echo ""
@echo "✅ Full TailsOS build pipeline complete!"
@echo " Ready to copy to USB for TailsOS"
@echo ""
@echo "Package location: dist-tails/"
@echo "Includes: index.html, assets/, and README.txt with checksums"
# Full offline pipeline (less strict than Tails)
full-build-offline: clean build-offline verify-offline audit
@echo ""
@echo "✅ Full offline build pipeline complete!"
@echo " Ready for local testing"
# Quick development setup
dev:
@echo "🚀 Starting Bun dev server..."
bun run dev

767
README.md
View File

@@ -1,383 +1,596 @@
# SeedPGP v1.4.5
# SeedPGP v1.4.7
**Secure BIP39 mnemonic backup using PGP encryption and QR codes**
A client-side web app for encrypting cryptocurrency seed phrases with OpenPGP and encoding them as QR-friendly Base45 frames with CRC16 integrity checking.
A client-side web app for encrypting cryptocurrency seed phrases with OpenPGP and encoding them as QR-friendly Base45 frames. Designed for offline use on TailsOS with built-in security verification.
**Live App:** <https://seedpgp-web.pages.dev>
**Live Demo (Testing Only):** <https://seedpgp-web.pages.dev>
---
## 💡 Safe Usage Guide: Choose Your Path
## 🚦 Quick Start — Recommended TailsOS Workflow
**Before you start**: How much are you backing up? This determines your setup.
| Your Fund Size | Recommended Setup | Time | Security |
|---|---|---|---|
| **Testing** (<$100) | Local on any device | 5 min | ✅ Good |
| **Medium** ($100$10K) | Local on regular computer + paper backup | 15 min | ✅✅ Very Good |
| **Large** ($10K$100K) | Tails (airgapped) + paper backup + duplicate key | 30 min | ✅✅✅ Excellent |
| **Vault** (>$100K) | Tails airgapped + hardware wallet + professional custody | 1+ hour | ✅✅✅✅ Fort Knox |
**Key principle**: The more funds at stake, the more setup friction you accept.
---
## 🚀 Getting Started (Choose Your Path)
### Path A: Simple Desktop Setup (Best for <$10K)
For **real funds** ($100+), follow this airgapped TailsOS workflow:
```bash
# 1. Clone and install
# 1. Boot TailsOS (airgapped - no network!)
# 2. Open Terminal and run:
git clone https://github.com/kccleoc/seedpgp-web.git
cd seedpgp-web
bun install
# 2. Run locally (offline)
bun run dev
# → Browser opens at http://localhost:5173
# → NO network traffic, everything stays local
# 3. Build and verify (single command)
make full-build-tails
# 4. Serve locally in Tor Browser
make serve-local
# → Open http://localhost:8000 in Tor Browser
```
**Then proceed to "Using SeedPGP" below.**
**That's it.** The Makefile handles everything: build, CSP injection, integrity verification, and security auditing.
---
### Path B: Tails Airgapped Setup (Best for $10K+)
## 💡 Security-First Usage Guide
**Why Tails?** Tails is a security-focused OS that runs in RAM, leaves no trace, and completely isolates your device from the internet.
| Your Fund Size | Recommended Setup | Build Command | Time |
|----------------|-------------------|---------------|------|
| **Testing** (<$100) | Any computer, local mode | `make build-offline` | 5 min |
| **Real Use** ($100$10K) | Clean computer, network disabled | `make build-offline` | 15 min |
| **Serious** ($10K$100K) | **TailsOS airgapped** | `make full-build-tails` | 30 min |
| **Vault** (>$100K) | TailsOS + hardware wallet + multisig | `make full-build-tails` | 1+ hour |
#### Step 1: Get Tails
**The more funds at stake, the more security precautions you take.**
---
## 🔧 Makefile Commands Reference
### Core Build Commands
```bash
# Install dependencies
make install
# Build for Cloudflare Pages (production)
make build
# Build for offline local testing
make build-offline
# Build for TailsOS with embedded CSP + integrity checks
make build-tails
# Full TailsOS pipeline (recommended for real use)
make full-build-tails
```
### Testing & Verification
```bash
# Verify TailsOS build integrity (CSP, checksums, paths)
make verify-tails
# Verify offline compatibility
make verify-offline
# Run security audit
make audit
# Run test suite
make test
```
### Local Servers
```bash
# Serve with Python HTTP server
make serve-local
# Serve with Bun server
make serve-bun
# Development mode (hot reload)
make dev
```
### Utility
```bash
# Clean build artifacts
make clean
# Show all available commands
make help
```
---
## 🛡️ Path 1: TailsOS Airgapped Setup (RECOMMENDED for $10K+)
This is the **gold standard** for seed phrase management. Takes 30 minutes, provides maximum security.
### Why TailsOS?
- **Amnesic**: Runs entirely in RAM, leaves no trace on disk
- **Airgapped**: You physically disconnect from all networks
- **Isolated**: Browser can't access persistent storage
- **Audited**: Open-source OS trusted by journalists and activists
### Step 1: Prepare TailsOS USB
```bash
# On your primary computer:
# 1. Download Tails ISO from https://tails.net/install/
# 2. Verify signature (Tails provides fingerprint)
# 3. Burn to USB stick using Balena Etcher or similar
# 4. Keep this USB for seed operations only
# 1. Download Tails ISO
# Visit: https://tails.net/install/
# Download latest version (verify signature!)
# 2. Burn to USB stick
# Use Balena Etcher or dd command
# Minimum 8GB USB required
# 3. Label this USB "TAILS SEED OPS"
# Keep separate from daily-use USBs
```
#### Step 2: Boot Tails (Airgapped)
### Step 2: Boot TailsOS (Airgapped)
```bash
# 1. Insert Tails USB into target machine
# 2. Reboot and boot from USB (F12/ESC during startup)
# 3. Select "Start Tails" → runs from RAM, nothing written to disk
# 4. IMPORTANT: DO NOT connect to WiFi or Ethernet
# - Unplug network cable
# - Disable WiFi in BIOS
# - Airplane mode ON
# Physical security checklist:
□ Unplug Ethernet cable from computer
□ Disable WiFi in BIOS (if possible)
□ Put phone in airplane mode (away from desk)
□ Close curtains (prevent shoulder surfing)
# Boot process:
1. Insert TailsOS USB
2. Reboot computer
3. Press F12/ESC/DEL to enter boot menu
4. Select USB drive
5. Choose "Start Tails"
6. ⚠️ DO NOT configure WiFi when prompted
7. Verify network icon shows "disconnected"
```
#### Step 3: Clone SeedPGP in Tails
### Step 3: Build SeedPGP on TailsOS
```bash
# Open Terminal in Tails
# (right-click desktop → Applications → System Tools → Terminal)
# Open Terminal (Applications → System Tools → Terminal)
# Install Bun (first time only)
curl -fsSL https://bun.sh/install | bash
source ~/.bashrc
# Clone repository
git clone https://github.com/kccleoc/seedpgp-web.git
cd seedpgp-web
# Install Bun (if first time)
curl -fsSL https://bun.sh/install | bash
# Install dependencies
make install
bun install
bun run dev
# → Copy http://localhost:5173 to browser address bar
# Build with security hardening
make full-build-tails
```
#### Step 4: Generate Backup (Next Section)
**What `make full-build-tails` does:**
All traffic is local only. When you shut down, everything is erased from RAM.
1. **Cleans** all previous build artifacts
2. **Builds** with relative paths for offline use
3. **Injects** CSP meta tag directly into HTML
4. **Creates** `dist-tails/` directory with:
- Complete app bundle
- `README.txt` with SHA-256 checksums
- Security documentation
5. **Verifies** CSP enforcement, relative paths, integrity
6. **Audits** for network calls, external URLs, security issues
### Step 4: Verify Build Integrity
The build process automatically verifies:
```bash
✅ CSP enforces connect-src 'none' (all network calls blocked)
✅ Relative paths detected (offline compatible)
✅ No suspicious external domains
fetch() references exist in bundle (from openpgp.js)
✓ These are BLOCKED by CSP connect-src 'none' at runtime
✅ TailsOS build verification complete
```
**Security Note:** `fetch()` and `XMLHttpRequest` references exist in the bundle (from OpenPGP.js library code), but they are **completely blocked** by CSP `connect-src 'none'` at the browser level. The verification confirms CSP enforcement, not the absence of dead code.
### Step 5: Serve Locally in Tor Browser
```bash
# Start local HTTP server
make serve-local
# Output:
# 🚀 Starting local server at http://localhost:8000
# Press Ctrl+C to stop
```
**Open Tor Browser** (pre-installed in TailsOS):
1. Launch Tor Browser from desktop
2. Navigate to: `http://localhost:8000`
3. App loads — all processing happens locally
4. Verify "Network BLOCKED" indicator in app header
### Step 6: Use SeedPGP Securely
Now proceed to "Using SeedPGP" section below. All entropy generation, encryption, and QR generation happens offline in your browser's memory.
**When finished:**
```bash
# Stop server (Ctrl+C in Terminal)
# Shutdown TailsOS (Applications → Shutdown)
# ✅ All data erased from RAM
# ✅ No trace left on computer
```
---
### Path C: Cloud Browser (Testing Only)
## 🏠 Path 2: Local Offline Setup (Acceptable for <$10K)
For smaller amounts, you can run on a regular computer with network disabled.
```bash
# Clone repository
git clone https://github.com/kccleoc/seedpgp-web.git
cd seedpgp-web
# Install dependencies
make install
# Build for offline use
make full-build-offline
# Disconnect network NOW:
# - Unplug Ethernet
# - Disable WiFi
# - Airplane mode ON
# Serve locally
make serve-local
# Open browser: http://localhost:8000
```
Open: https://seedpgp-web.pages.dev
⚠️ Use ONLY for testing with small amounts ($0$100)
✅ CSP headers verified to block all external connections
⚠️ Still requires trusting Cloudflare infrastructure
```
**Security vs TailsOS:**
| Feature | Local Offline | TailsOS Airgapped |
|---------|---------------|-------------------|
| RAM-only execution | ❌ No | ✅ Yes |
| Disk trace | ⚠️ Possible | ✅ None |
| Extension isolation | ⚠️ Manual | ✅ Automatic |
| Memory dump protection | ❌ Limited | ✅ Strong |
| **Best for** | Testing, <$10K | $10K+, serious use |
---
## 🔐 Using SeedPGP: The Workflow
### Step 1: Enter Your Seed Phrase
### Step 1: Generate Entropy (New Seed)
**Do you have a seed phrase yet?**
SeedPGP offers multiple entropy sources you can combine:
- **YES** → Scroll to "Restore & Encrypt Existing Seed" below
- **NO** → Click "Seed Blender" button to generate one securely
#### Generate a New Seed (Seed Blender)
Seed Blender lets you mix entropy from multiple sources:
```
🎲 Dice rolls (you control the randomness)
🎥 Camera noise (uses camera pixels)
🎵 Audio input (uses microphone randomness)
📋 Clipboard paste (combine multiple sources)
```bash
🎲 Dice Rolls - Physical randomness (99 rolls recommended)
🎥 Camera Noise - Visual entropy from textured surfaces
🎵 Audio Input - Microphone randomness from ambient sound
```
**How to use:**
**Recommended: Dice Rolls (Highest Trust)**
1. Click **"Seed Blender"** button (left side)
2. Choose 1+ entropy sources (hint: more sources = more random)
3. For each source, follow on-screen instructions
- Dice: Roll 50+ times, enter numbers
- Camera: Point at random scene, let it capture
- Audio: Make random sounds near microphone
- Clipboard: Paste random text from outside sources
4. Click **"Generate Seed"**
5. **Your 12 or 24-word mnemonic appears** → Write it down RIGHT NOW on paper
6. Never share it. Ever. Treat like your password.
1. Click **"Create"** tab → **"Dice Rolls"**
2. Roll physical dice 99 times
3. Enter each result (1-6)
4. App shows entropy progress bar
5. Click **"Generate Seed"**
6. **Your 12 or 24-word mnemonic appears**
---
**⚠️ CRITICAL:** Write down seed phrase on paper RIGHT NOW. Don't trust digital storage.
### Step 2: Encrypt & Backup Your Seed
### Step 2: Encrypt Your Seed
Now you'll encrypt the seed so only you can decrypt it.
**Option A: Password-Based Encryption (Simplest)**
#### Option A: Password Encryption (Simplest)
```
✅ Easiest to use
✅ Works anywhere (no dependencies)
⚠️ Password strength is critical
```bash
1. Your seed phrase is visible in the textarea
2. Enter a strong password (25+ characters):
Example: "Tr0pic!M0nkey$Orange#2024@Secret%Phrase"
3. Confirm password
4. Click "Generate QR Backup"
5. Screenshot or print the QR code
```
**Steps:**
**Option B: PGP Key Encryption (Most Secure)**
1. Your seed phrase is already visible
2. Enter a **strong password** (25+ characters recommended):
```bash
# Prerequisites: Have a PGP keypair (generate with GPG)
gpg --full-generate-key # Follow prompts
gpg --armor --export your-email@example.com > public.asc
```
Example: Tr0picM0nkey$Orange#2024!Secret
```
3. Choose encryption:
- **PGP** → Uses OpenPGP (skip to next section if you have a PGP key)
- **Password** → Simple AES-256 encryption
4. Click **"Generate QR Backup"**
5. **Screenshot or print the QR code** → Store in secure location
6. Test immediately: Scan → Decrypt with your password → Verify it matches
---
#### Option B: PGP Key Encryption (Most Secure)
```
✅ Most secure (multi-factor: key + passphrase)
✅ Works across devices/services that support PGP
⚠️ More steps, requires PGP knowledge
# In SeedPGP:
1. Click "PGP Key Input"
2. Paste your public key
3. App shows fingerprint → verify it matches
4. Click "Use This Key"
5. Click "Generate QR Backup"
6. Save QR code securely
```
**Do you have a PGP keypair?**
### Step 3: Test Recovery IMMEDIATELY
- **NO** → Generate one (outside this app):
**⚠️ DO NOT SKIP THIS STEP**
```bash
# Using GPG (Linux/Mac)
gpg --full-generate-key
# Follow prompts for RSA-4096, expiration, passphrase
```bash
1. Click "Restore" tab
2. Scan or upload your QR backup
3. Enter password OR provide private key
4. Verify decrypted seed matches original
5. If mismatch → ⚠️ DO NOT USE, redo backup
```
# Export public key (to use in SeedPGP)
gpg --armor --export your-email@example.com > public.asc
```
**Why test?** Better to find a corrupt backup now than during an emergency.
- **YES** → Upload in SeedPGP:
1. Click **"PGP Key Input"** (top left)
2. Paste your **public key** (`.asc` file)
3. SeedPGP shows key fingerprint (verify it's yours)
4. Click **"Use This Key"**
5. Click **"Generate QR Backup"**
6. **Screenshot or print the QR code**
7. Test: Scan → Provide your private key + passphrase → Verify
---
### Step 3: Store Your Backups
### Step 4: Store Backups Securely
You now have:
- ✅ **Paper backup** (12/24 words written down)
- ✅ **QR code backup** (encrypted, can be scanned)
-**Paper seed** (12/24 words handwritten)
-**Encrypted QR code** (digital backup)
**Storage strategy:**
| What | Where | Why |
|---|---|---|
| **Seed paper** | Safe deposit box OR home safe | Original source of truth |
| **QR code** | Multiple physical locations (home, office, safety box) | Can recover without trusting paper |
| **PGP private key** (if used) | Offline storage, encrypted | Needed to restore from QR |
| **Password** (if used) | Your password manager (encrypted) | Needed to restore from QR |
| Item | Location | Redundancy |
|------|----------|------------|
| Paper seed | Safe deposit box | Primary copy |
| Paper seed copy 2 | Home safe | Backup copy |
| QR code | USB drive in safe | Digital recovery |
| QR code copy 2 | Cloud storage (encrypted!) | Disaster recovery |
| Password/PGP key | Password manager | Encrypted separately |
**Geographic distribution:** Keep copies in different physical locations (home, office, bank vault).
---
### Step 4: Test Your Recovery
## 🧪 Development & Testing
⚠️ **CRITICAL**: Do this immediately after backup.
```
1. Scan or upload the QR code
→ Click "QR Scanner" button
→ Use camera or upload image
2. Provide decryption method:
- Option A: Paste your password
- Option B: Upload private key + enter passphrase
3. Mnemonic appears for 10 seconds
→ **Verify it matches your original seed exactly**
→ Screenshot is auto-cleared (security feature)
→ If mismatch → ⚠️ DO NOT USE, troubleshoot
4. Clear manually:
→ Click "Hide/Clear" button
→ Mnemonic erased from memory
```
**Why test?** Better to discover a corrupt backup NOW than in an emergency.
---
### Step 5: Import Into Your Wallet
**When you're ready to move money:**
1. Open your cryptocurrency wallet (Ledger, MetaMask, Electrum, etc.)
2. Look for "Import Seed" or "Restore Wallet" option
3. Enter your 12 or 24-word mnemonic
4. Wallet imports all your addresses
5. **Send a test transaction** (tiny amount) first
6. Verify address matches
**That's it.** Your funds are now controlled by this seed phrase.
---
## 🛡️ Threat Model & Limitations
See [MEMORY_STRATEGY.md](MEMORY_STRATEGY.md) for comprehensive explanation of what SeedPGP protects against and what it can't.
**TL;DR - Real risks are:**
| Threat | Mitigation |
|--------|-----------|
| **Browser extensions stealing data** | Use dedicated browser, disable all extensions |
| **Your device gets hacked** | Use Tails (airgapped), hardware wallet for large amounts |
| **You forget your password** | Store in password manager or offline |
| **You lose all copies of backup** | Keep multiple geographically distributed copies |
| **Someone reads your paper backup** | Use physical security (safe, safe deposit box) |
| **Recovery fails when you need it** | TEST IMMEDIATELY after creating backup |
**What SeedPGP DOES protect:**
- ✅ All traffic blocked at CSP level (browser enforcement)
- ✅ Network APIs patched as redundancy
- ✅ Clipboard tracked and auto-cleared
- ✅ Storage monitored for leaks
- ✅ Session keys encrypted, destroyed on page close
---
## <20> Security Features & Architecture
**Encryption:**
- **OpenPGP.js** with AES-256 (standard OpenPGP encryption)
- **Session Keys:** Web Crypto API AES-GCM-256 (extractable: false)
- **Key Derivation:** PBKDF2 (password-based keys)
- **Integrity:** CRC16-CCITT-FALSE checksums (detects file corruption)
- **Encoding:** Base45 (RFC 9285) for QR compatibility
**Browser Security (Defense-in-Depth):**
- **CSP headers:** `connect-src 'none'` (blocks all external connections at browser level)
- **Network API patching:** Fetch, XMLHttpRequest, WebSocket, Image.src all blocked
- **Clipboard monitoring:** Auto-clear sensitive data after 10 seconds
- **Storage auditing:** Real-time localStorage/sessionStorage tracking
- **Session destruction:** Keys auto-destroyed on page close
**Why this matters:** Even if you clone SeedPGP into your computer, it still CAN'T send your seed to the internet. CSP + patching = belt and suspenders.
---
## 🏆 Best Practices Summary
1. **For Testing (<$100):** Use any setup, test everything
2. **For Real Use ($100+):** Run locally on clean computer with internet disabled
3. **For Large Amounts ($10K+):** Use Tails airgapped USB
4. **For Vault Amounts (>$100K):** Tails + hardware wallet + professional advice
**Remember:**
- Write down your seed on **paper** → store securely
- Test recovery **immediately** after backup
- Keep **multiple copies** in different locations geographically
- Treat your seed like your passwords
- Your device security is more important than the app
---
## 🧪 Testing
### Run Tests
```bash
# Run all tests
bun test
# All tests
make test
# Run integration tests (CSP, network, clipboard)
bun test:integration
# Individual test suites
bun test src/lib/bip39.test.ts
bun test src/lib/seedpgp.test.ts
bun test src/lib/krux.test.ts
```
**Test coverage:** 94+ tests covering BIP39, CRC16, Krux compatibility, CSP enforcement, network blocking, clipboard security, and session key management.
### Development Mode
```bash
# Hot reload development server
make dev
# With network blocking enabled by default
VITE_NETWORK_BLOCK=true make dev
```
### Security Auditing
```bash
# Full security audit
make audit
# Output includes:
# - CSP configuration check
# - Network API usage analysis
# - Persistent storage detection
# - eval()/Function() detection
# - Defense-in-depth layer summary
```
---
## 🏗️ Build Artifacts Explained
### `make build-tails` Output
```
dist-tails/
├── index.html # CSP injected, relative paths
├── assets/
│ ├── index-*.js # Main bundle (minified)
│ ├── index-*.css # Styles
│ └── secp256k1.wasm # Crypto library
└── README.txt # SHA-256 checksums + usage instructions
```
### CSP Configuration (Embedded in HTML)
```html
<meta http-equiv="Content-Security-Policy"
content="default-src 'self';
script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'none';
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'none';"
data-env="tails">
```
**Key directive:** `connect-src 'none'` — Browser refuses ALL network requests (fetch, XHR, WebSocket, etc.)
---
## 🛡️ Security Architecture
### Defense-in-Depth Layers
| Layer | Mechanism | Bypassable? | Purpose |
|-------|-----------|-------------|---------|
| **1. CSP** | `connect-src 'none'` in HTML | ❌ No (browser enforced) | **PRIMARY DEFENSE** |
| 2. Network Blocker | JS patches window.fetch/XHR | ✅ Yes (console bypass) | Defense-in-depth |
| 3. Airgapped OS | TailsOS, no network drivers | ❌ No (physical isolation) | Ultimate isolation |
| 4. Session Crypto | AES-256-GCM, non-exportable | ⚠️ Memory dumps | Protects cached data |
| 5. Auto-Clear | 10s clipboard wipe | ✅ Yes (user can cancel) | Reduces exposure window |
**Primary Security:** CSP + TailsOS = two independent layers that must BOTH fail for compromise.
### Threat Model
**What SeedPGP Protects Against:**
✅ Browser extensions stealing seed
✅ Malicious websites accessing clipboard
✅ Network exfiltration attempts
✅ Accidental data leaks to localStorage
✅ Session replay attacks
**What SeedPGP CANNOT Protect Against:**
❌ Compromised TailsOS ISO (verify signatures!)
❌ Hardware keyloggers
❌ Evil maid attacks (physical device tampering)
❌ Memory dumps from privileged malware
❌ Social engineering (phishing for password)
**Mitigation:** Use TailsOS (verified ISO) + physical security + test recovery immediately.
---
## 📖 Technical Documentation
- [MEMORY_STRATEGY.md](MEMORY_STRATEGY.md) - Why JS can't zero memory and how SeedPGP defends
- [RECOVERY_PLAYBOOK.md](RECOVERY_PLAYBOOK.md) - Offline recovery instructions
- [SECURITY_AUDIT_REPORT.md](SECURITY_AUDIT_REPORT.md) - Full audit findings
- [MEMORY_STRATEGY.md](doc/MEMORY_STRATEGY.md) - Why JS can't zero memory, defense strategies
- [RECOVERY_PLAYBOOK.md](doc/RECOVERY_PLAYBOOK.md) - Offline recovery procedures
- [TAILS_OFFLINE_PLAYBOOK.md](doc/TAILS_OFFLINE_PLAYBOOK.md) - Complete TailsOS workflow
- [SeedPGP-Web-Forensic-Security-Report.pdf](doc/) - Independent security audit
---
## 🆘 Troubleshooting
### Build Issues
```bash
# Permission denied during build
sudo chmod +x Makefile
make clean && make install
# Bun not found
curl -fsSL https://bun.sh/install | bash
source ~/.bashrc
# CSP not embedded
make clean build-tails
grep "Content-Security-Policy" dist-tails/index.html
```
### TailsOS Issues
```bash
# Can't access localhost:8000
# → Check firewall: sudo ufw allow 8000
# → Use 127.0.0.1:8000 instead
# Bun installation fails
# → TailsOS persistence required
# → Use temporary session, re-install each boot
# Camera/microphone not working
# → TailsOS may block by default
# → Use dice rolls instead (recommended anyway)
```
### Recovery Issues
```bash
# QR scan fails
# → Ensure good lighting, steady camera
# → Upload image file instead of scanning
# Decryption fails
# → Verify password exactly matches
# → Check PGP key fingerprint
# → QR may be damaged → test backup immediately after creation!
```
---
## ⚖️ License & Disclaimer
**MIT License** - See LICENSE for details
**MIT License** - See LICENSE file
**⚠️ IMPORTANT DISCLAIMER:**
**⚠️ CRITICAL DISCLAIMER:**
```
CRYPTOGRAPHY IS HARD. USE AT YOUR OWN RISK.
CRYPTOCURRENCY SECURITY IS YOUR RESPONSIBILITY.
This software is provided as-is, without warranty.
This software is provided "AS IS", without warranty of any kind.
1. Test with small amounts before trusting with real funds
2. Verify recovery works immediately after backup
3. Keep multiple geographically distributed copies
4. Your device security matters more than app security
5. For amounts >$100K, consult professional security advice
1. TEST with small amounts ($1-10) before trusting with real funds
2. VERIFY recovery works immediately after creating backup
3. STORE multiple copies in geographically distributed locations
4. USE TailsOS for amounts > $10K
5. CONSULT professional security advice for amounts > $100K
The author is not responsible for lost funds due to bugs,
user mistakes, or security breaches.
Your seed phrase = your funds. Lose the seed = lose the funds.
The author is NOT responsible for:
- Lost funds due to bugs, user error, or hardware failure
- Compromised devices or insecure storage
- Forgotten passwords or lost backups
Your seed phrase = your cryptocurrency.
Guard it with your life.
If you don't understand how this works, start with $10 and test thoroughly.
```
---
## 🆘 Support & Security
- **Issues:** [GitHub Issues](https://github.com/kccleoc/seedpgp-web/issues)
- **Security:** Private disclosure via GitHub security advisory
- **Recovery Help:** See [RECOVERY_PLAYBOOK.md](RECOVERY_PLAYBOOK.md)
## 🙏 Credits & Security
**Author:** kccleoc
**Security Audited:** v1.4.4 (no exploits found)
**Security Audit:** v1.4.7 (February 2026) - No exploits found
**License:** MIT
**Report Security Issues:**
- Private disclosure via [GitHub Security Advisory](https://github.com/kccleoc/seedpgp-web/security)
- For urgent issues: Encrypt with PGP key in repository
**Dependencies Audited:**
- OpenPGP.js v5.11+
- BIP39 reference implementation
- jsQR for QR scanning
- secp256k1 WASM module
---
## 🚀 Quick Reference Card
```bash
# === PRODUCTION WORKFLOW (TailsOS) ===
make full-build-tails # Build + verify + audit
make serve-local # Serve on localhost:8000
# === DEVELOPMENT ===
make dev # Hot reload
make test # Run tests
make audit # Security audit
# === VERIFICATION ===
make verify-tails # Check CSP, checksums, paths
grep "connect-src" dist-tails/index.html # Manual CSP check
# === CLEANUP ===
make clean # Remove all build artifacts
```
**Remember:** More funds = more security steps. Don't skip TailsOS for serious amounts.

499
SECURITY_PATCHES.md
View File

@@ -1,499 +0,0 @@
# Priority Security Patches for SeedPGP
This document outlines the critical security patches needed for production deployment.
## PATCH 1: Add Content Security Policy (CSP)
**File:** `index.html`
Add this meta tag in the `<head>`:
```html
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
script-src 'self' 'wasm-unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
connect-src 'none';
form-action 'none';
frame-ancestors 'none';
base-uri 'self';
upgrade-insecure-requests;
block-all-mixed-content;
report-uri https://security.example.com/csp-report
" />
```
**Why:** Prevents malicious extensions and XSS attacks from injecting code that steals seeds.
---
## PATCH 2: Encrypt All Seeds in State (Stop Using Plain Strings)
**File:** `src/App.tsx`
**Change From:**
```typescript
const [mnemonic, setMnemonic] = useState('');
const [backupMessagePassword, setBackupMessagePassword] = useState('');
```
**Change To:**
```typescript
// Only store encrypted reference
const [mnemonicEncrypted, setMnemonicEncrypted] = useState<EncryptedBlob | null>(null);
const [passwordEncrypted, setPasswordEncrypted] = useState<EncryptedBlob | null>(null);
// Use wrapper function to decrypt temporarily when needed
async function withMnemonic<T>(
callback: (mnemonic: string) => Promise<T>
): Promise<T | null> {
if (!mnemonicEncrypted) return null;
const decrypted = await decryptBlobToJson<{ value: string }>(mnemonicEncrypted);
try {
return await callback(decrypted.value);
} finally {
// Zero attempt (won't fully work, but good practice)
Object.assign(decrypted, { value: '\0'.repeat(decrypted.value.length) });
}
}
```
**Why:** Sensitive data stored encrypted in React state, not as plaintext. Prevents memory dumps and malware from easily accessing seeds.
---
## PATCH 3: Implement BIP39 Checksum Validation
**File:** `src/lib/bip39.ts`
**Replace:**
```typescript
export function validateBip39Mnemonic(words: string): { valid: boolean; error?: string } {
// ... word count only
return { valid: true };
}
```
**With:**
```typescript
export async function validateBip39Mnemonic(words: string): Promise<{ valid: boolean; error?: string }> {
const normalized = normalizeBip39Mnemonic(words);
const arr = normalized.length ? normalized.split(" ") : [];
const validCounts = new Set([12, 15, 18, 21, 24]);
if (!validCounts.has(arr.length)) {
return {
valid: false,
error: `Invalid word count: ${arr.length}. Must be 12, 15, 18, 21, or 24.`,
};
}
// ✅ NEW: Verify each word is in wordlist and checksum is valid
try {
// This will throw if mnemonic is invalid
await mnemonicToEntropy(normalized);
return { valid: true };
} catch (e) {
return {
valid: false,
error: `Invalid BIP39 mnemonic: ${e instanceof Error ? e.message : 'Unknown error'}`
};
}
}
```
**Usage Update:**
```typescript
// Update all validation calls to use await
const validation = await validateBip39Mnemonic(mnemonic);
if (!validation.valid) {
setError(validation.error);
return;
}
```
**Why:** Prevents users from backing up invalid seeds or corrupted mnemonics.
---
## PATCH 4: Disable Console Output of Sensitive Data
**File:** `src/main.tsx`
**Add at top:**
```typescript
// Disable all console output in production
if (import.meta.env.PROD) {
console.log = () => {};
console.error = () => {};
console.warn = () => {};
console.debug = () => {};
}
```
**File:** `src/lib/krux.ts`
**Remove:**
```typescript
console.log('🔐 KEF Debug:', { label, iterations, version, length: kef.length, base43: kefBase43.slice(0, 50) });
console.error("Krux decryption internal error:", error);
```
**File:** `src/components/QrDisplay.tsx`
**Remove:**
```typescript
console.log('🎨 QrDisplay generating QR for:', value);
console.log(' - Type:', value instanceof Uint8Array ? 'Uint8Array' : typeof value);
console.log(' - Length:', value.length);
console.log(' - Hex:', Array.from(value).map(b => b.toString(16).padStart(2, '0')).join(''));
```
**Why:** Prevents seeds from being recoverable via browser history, crash dumps, or remote debugging.
---
## PATCH 5: Secure Clipboard Access
**File:** `src/App.tsx`
**Replace `copyToClipboard` function:**
```typescript
const copyToClipboard = async (text: string | Uint8Array, fieldName = 'Data') => {
if (isReadOnly) {
setError("Copy to clipboard is disabled in Read-only mode.");
return;
}
const textToCopy = typeof text === 'string' ? text :
Array.from(text).map(b => b.toString(16).padStart(2, '0')).join('');
// Mark when copy started
const copyStartTime = Date.now();
try {
await navigator.clipboard.writeText(textToCopy);
setCopied(true);
// Add warning for sensitive data
if (fieldName.toLowerCase().includes('mnemonic') ||
fieldName.toLowerCase().includes('seed')) {
setClipboardEvents(prev => [
{
timestamp: new Date(),
field: fieldName,
length: textToCopy.length,
willClearIn: 10
},
...prev.slice(0, 9)
]);
// Auto-clear clipboard after 10 seconds
setTimeout(async () => {
try {
// Write garbage to obscure previous content (best effort)
const garbage = crypto.getRandomValues(new Uint8Array(textToCopy.length))
.reduce((s, b) => s + String.fromCharCode(b), '');
await navigator.clipboard.writeText(garbage);
} catch {}
}, 10000);
// Show warning
alert(`⚠️ ${fieldName} copied to clipboard!\n\n✅ Will auto-clear in 10 seconds.\n\n🔒 Recommend: Use QR codes instead for maximum security.`);
}
// Always clear the UI state after a moment
window.setTimeout(() => setCopied(false), 1500);
} catch (err) {
// Fallback for browsers that don't support clipboard API
const ta = document.createElement("textarea");
ta.value = textToCopy;
ta.style.position = "fixed";
ta.style.left = "-9999px";
document.body.appendChild(ta);
ta.select();
document.execCommand("copy");
document.body.removeChild(ta);
setCopied(true);
window.setTimeout(() => setCopied(false), 1500);
}
};
```
**Update the textarea field:**
```typescript
// When copying mnemonic:
onClick={() => copyToClipboard(mnemonic, 'BIP39 Mnemonic (⚠️ Sensitive)')}
```
**Why:** Automatically clears clipboard content and warns users about clipboard exposure.
---
## PATCH 6: Comprehensive Network Blocking
**File:** `src/App.tsx`
**Replace `handleToggleNetwork` function:**
```typescript
const handleToggleNetwork = () => {
setIsNetworkBlocked(!isNetworkBlocked);
const blockAllNetworks = () => {
console.log('🚫 Network BLOCKED - All external requests disabled');
// Store originals
(window as any).__originalFetch = window.fetch;
(window as any).__originalXHR = window.XMLHttpRequest;
(window as any).__originalWS = window.WebSocket;
(window as any).__originalImage = window.Image;
if (navigator.sendBeacon) {
(window as any).__originalBeacon = navigator.sendBeacon;
}
// 1. Block fetch
window.fetch = (async () =>
Promise.reject(new Error('Network blocked by user'))
) as any;
// 2. Block XMLHttpRequest
window.XMLHttpRequest = new Proxy(XMLHttpRequest, {
construct() {
throw new Error('Network blocked: XMLHttpRequest not allowed');
}
}) as any;
// 3. Block WebSocket
window.WebSocket = new Proxy(WebSocket, {
construct() {
throw new Error('Network blocked: WebSocket not allowed');
}
}) as any;
// 4. Block BeaconAPI
if (navigator.sendBeacon) {
(navigator as any).sendBeacon = () => {
console.error('Network blocked: sendBeacon not allowed');
return false;
};
}
// 5. Block Image src for external resources
const OriginalImage = window.Image;
window.Image = new Proxy(OriginalImage, {
construct(target) {
const img = Reflect.construct(target, []);
const originalSrcSetter = Object.getOwnPropertyDescriptor(
HTMLImageElement.prototype, 'src'
)?.set;
Object.defineProperty(img, 'src', {
configurable: true,
set(value) {
if (value && !value.startsWith('data:') && !value.startsWith('blob:')) {
throw new Error(`Network blocked: cannot load external image [${value}]`);
}
originalSrcSetter?.call(this, value);
},
get: Object.getOwnPropertyDescriptor(HTMLImageElement.prototype, 'src')?.get
});
return img;
}
}) as any;
// 6. Block Service Workers
if (navigator.serviceWorker) {
(navigator.serviceWorker as any).register = async () => {
throw new Error('Network blocked: Service Workers disabled');
};
}
};
const unblockAllNetworks = () => {
console.log('🌐 Network ACTIVE - All requests allowed');
// Restore everything
if ((window as any).__originalFetch) window.fetch = (window as any).__originalFetch;
if ((window as any).__originalXHR) window.XMLHttpRequest = (window as any).__originalXHR;
if ((window as any).__originalWS) window.WebSocket = (window as any).__originalWS;
if ((window as any).__originalImage) window.Image = (window as any).__originalImage;
if ((window as any).__originalBeacon) navigator.sendBeacon = (window as any).__originalBeacon;
};
if (!isNetworkBlocked) {
blockAllNetworks();
} else {
unblockAllNetworks();
}
};
```
**Why:** Comprehensively blocks all network APIs, not just fetch(), preventing seed exfiltration.
---
## PATCH 7: Validate PGP Keys
**File:** `src/lib/seedpgp.ts`
**Add new function:**
```typescript
export async function validatePGPKey(armoredKey: string): Promise<{
valid: boolean;
error?: string;
fingerprint?: string;
keySize?: number;
expirationDate?: Date;
}> {
try {
const key = await openpgp.readKey({ armoredKey });
// 1. Verify encryption capability
try {
await key.getEncryptionKey();
} catch {
return { valid: false, error: "Key has no encryption subkey" };
}
// 2. Check key expiration
const expirationTime = await key.getExpirationTime();
if (expirationTime && expirationTime < new Date()) {
return { valid: false, error: "Key has expired" };
}
// 3. Check key strength (try to extract key size)
let keySize = 0;
try {
const mainKey = key.primaryKey as any;
if (mainKey.getBitSize) {
keySize = mainKey.getBitSize();
}
if (keySize > 0 && keySize < 2048) {
return { valid: false, error: `Key too small (${keySize} bits). Minimum 2048.` };
}
} catch (e) {
// Unable to determine key size, but continue
}
// 4. Verify primary key can encrypt
const result = await key.verifyPrimaryKey();
if (result.status !== 'valid') {
return { valid: false, error: "Key has invalid signature" };
}
return {
valid: true,
fingerprint: key.getFingerprint().toUpperCase(),
keySize: keySize || undefined,
expirationDate: expirationTime || undefined
};
} catch (e) {
return { valid: false, error: `Failed to parse key: ${e instanceof Error ? e.message : 'Unknown error'}` };
}
}
```
**Use before encrypting:**
```typescript
if (publicKeyInput) {
const validation = await validatePGPKey(publicKeyInput);
if (!validation.valid) {
setError(validation.error);
return;
}
// Show fingerprint to user for verification
setRecipientFpr(validation.fingerprint || '');
}
```
**Why:** Ensures only valid, strong PGP keys are used for encryption.
---
## PATCH 8: Add Key Rotation
**File:** `src/lib/sessionCrypto.ts`
**Add rotation logic:**
```typescript
let sessionKey: CryptoKey | null = null;
let keyCreatedAt = 0;
const KEY_ROTATION_INTERVAL = 5 * 60 * 1000; // 5 minutes
const MAX_KEY_OPERATIONS = 1000; // Rotate after N operations
let keyOperationCount = 0;
export async function getSessionKey(): Promise<CryptoKey> {
const now = Date.now();
const shouldRotate =
!sessionKey ||
(now - keyCreatedAt) > KEY_ROTATION_INTERVAL ||
keyOperationCount > MAX_KEY_OPERATIONS;
if (shouldRotate) {
if (sessionKey) {
// Log key rotation (no sensitive data)
console.debug(`Rotating session key (age: ${now - keyCreatedAt}ms, ops: ${keyOperationCount})`);
destroySessionKey();
}
const key = await window.crypto.subtle.generateKey(
{
name: KEY_ALGORITHM,
length: KEY_LENGTH,
},
false,
['encrypt', 'decrypt'],
);
sessionKey = key;
keyCreatedAt = now;
keyOperationCount = 0;
}
return sessionKey;
}
export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
keyOperationCount++;
// ... rest of function
}
// Auto-clear on visibility change
document.addEventListener('visibilitychange', () => {
if (document.hidden) {
console.debug('Page hidden - clearing session key');
destroySessionKey();
}
});
```
**Why:** Limits the time and operations a single session key is used, reducing risk of key compromise.
---
## Deployment Checklist
- [ ] Add CSP meta tag to index.html
- [ ] Encrypt all sensitive strings in state (use EncryptedBlob)
- [ ] Implement BIP39 checksum validation with await
- [ ] Disable console.log/error/warn in production
- [ ] Update copyToClipboard to auto-clear and warn
- [ ] Implement comprehensive network blocking
- [ ] Add PGP key validation
- [ ] Add session key rotation
- [ ] Run full test suite
- [ ] Test in offline mode (Tails OS)
- [ ] Test with hardware wallets (Krux, Coldcard)
- [ ] Security review of all changes
- [ ] Deploy to staging
- [ ] Final audit
- [ ] Deploy to production
---
**Note:** These patches should be reviewed and tested thoroughly before production deployment. Consider having security auditor review changes before release.

BIN
Screenshot 2026-02-08 at 21.14.14.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

7
_headers
View File

@@ -1,9 +1,6 @@
/*
# Security Headers
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
# Content Security Policy
Content-Security-Policy: default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; script-src-elem 'self' 'unsafe-inline';
Permissions-Policy: camera=(), microphone=(), geolocation=()

23
dist-tails/README.txt Normal file
View File

@@ -0,0 +1,23 @@
# SeedPGP Web - TailsOS Offline Build
Built: Wed Feb 18 03:15:54 HKT 2026
Usage Instructions:
1. Copy this entire folder to a USB drive
2. Boot TailsOS from your primary USB
3. Insert this application USB drive
4. Open Tor Browser (or regular browser if offline)
5. Navigate to: file:///media/amnesia/USBNAME/index.html
6. Enable JavaScript if prompted
Security Features:
- Content Security Policy enforced (no network access)
- All assets relative (works offline)
- No external dependencies or CDN calls
- Session-only crypto keys (destroyed on tab close)
SHA-256 Checksums:
5cbbcb8adc7acc3b78a3fd31c76d573302705ff5fd714d03f5a2602591197cb5 ./assets/secp256k1-Cao5Swmf.wasm
78cb021ce6777d4ca58fa225d60de2401a14624187297d4bc9f5394b0de6c05c ./assets/index-DTLOeMVw.js
aab3ea208db02b2cb40902850c203f23159f515288b26ca5a131e1188b4362af ./assets/index-DW74Yc8k.css
f8f37cb2c6c247c87b17cf50458150d81cd7fd15d354ab5b38f2a56e9f00cf32 ./index.html

51219
dist-tails/assets/index-DTLOeMVw.js Normal file
View File

File diff suppressed because one or more lines are too long

1
dist-tails/assets/index-DW74Yc8k.css Normal file
View File

File diff suppressed because one or more lines are too long

BIN
dist-tails/assets/secp256k1-Cao5Swmf.wasm Normal file
View File

Binary file not shown.

21
dist-tails/index.html Normal file
View File

@@ -0,0 +1,21 @@
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none';" data-env="tails">
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/vite.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>SeedPGP Web</title>
<!-- CSP is enforced by _headers file in production deployment -->
<!-- No CSP in dev mode to allow Vite HMR -->
<script type="module" crossorigin src="./assets/index-DTLOeMVw.js"></script>
<link rel="stylesheet" crossorigin href="./assets/index-DW74Yc8k.css">
</head>
<body>
<div id="root"></div>
</body>
</html>

4
GEMINI.md → doc/GEMINI.md
View File

@@ -2,7 +2,7 @@
## Project Overview
**SeedPGP v1.4.5**: Client-side BIP39 mnemonic encryption webapp
**SeedPGP v1.4.7**: Client-side BIP39 mnemonic encryption webapp
**Stack**: Bun + Vite + React + TypeScript + OpenPGP.js + Tailwind CSS
**Deploy**: Cloudflare Pages (private repo: `seedpgp-web`)
**Live URL**: <https://seedpgp-web.pages.dev/>
@@ -300,7 +300,7 @@ await window.runSessionCryptoTest()
---
## Current Version: v1.4.5
## Current Version: v1.4.7
**Recent Changes (v1.4.5):**
- Fixed QR Scanner bugs related to camera initialization and race conditions.

15
IMPLEMENTATION_SUMMARY.md → doc/IMPLEMENTATION_SUMMARY.md
View File

@@ -1,10 +1,10 @@
# SeedPGP Security Patches - Implementation Summary
## Overview
## Overview (February 17, 2026)
All critical security patches from the forensic security audit have been successfully implemented into the SeedPGP web application. The application is now protected against seed theft, malware injection, memory exposure, and cryptographic attacks.
## Implementation Status: ✅ COMPLETE
## Implementation Status: ✅ COMPLETE (v1.4.7)
### Patch 1: Content Security Policy (CSP) Headers ✅ COMPLETE
@@ -14,16 +14,7 @@ All critical security patches from the forensic security audit have been success
**Implementation:**
```html
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
script-src 'self' 'wasm-unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
connect-src 'none';
frame-ancestors 'none';
base-uri 'self';
form-action 'none';
"/>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self' blob:; frame-ancestors 'none'; base-uri 'self'; form-action 'none';">
```
**Additional Headers:**

244
doc/LOCAL_TESTING_GUIDE.md Normal file
View File

@@ -0,0 +1,244 @@
# Local Testing & Offline Build Guide
## What Changed
**Updated vite.config.ts**
- Changed `base: '/'``base: process.env.VITE_BASE_PATH || './'`
- Assets now load with relative paths: `./assets/` instead of `/assets/`
- This fixes Safari's file:// protocol restrictions for offline use
**Created Makefile** (Bun-based build system)
- `make build-offline` - Build with relative paths for Tails/USB
- `make serve-local` - Test locally on <http://localhost:8000>
- `make audit` - Security scan for network calls
- `make full-build-offline` - Complete pipeline (build + verify + audit)
**Updated TAILS_OFFLINE_PLAYBOOK.md**
- All references changed from `npm``bun`
- Added Makefile integration
- Added local testing instructions
- Added Appendix sections for quick reference
---
## Why file:// Protocol Failed in Safari
```
[Error] Not allowed to load local resource: file:///assets/index-DRV-ClkL.js
```
**Root cause:** Assets referenced as `/assets/` (absolute paths) don't work with `file://` protocol in browsers for security reasons.
**Solution:** Use relative paths `./assets/` which:
- Work with both `file://` on Tails
- Work with `http://` on macOS for testing
- Are included in the vite.config.ts change above
---
## Testing Locally on macOS (Before Tails)
### Step 1: Build with offline configuration
```bash
cd seedpgp-web
make install # Install dependencies if not done
make build-offline # Build with relative paths
```
### Step 2: Serve locally
```bash
make serve-local
# Output: 🚀 Starting local server at http://localhost:8000
```
### Step 3: Test in Safari
- Open Safari
- Go to: `http://localhost:8000`
- Verify:
- All assets load (no errors in console)
- UI displays correctly
- Functionality works
### Step 4: Clean up
```bash
# Stop server: Ctrl+C
# Clean build: make clean
```
---
## Building for Cloudflare vs Offline
### For Tails/Offline (use this for your air-gapped workflow)
```bash
make build-offline
# Builds with: base: './'
# Assets use relative paths
```
### For Cloudflare Pages (production deployment)
```bash
make build
# Builds with: base: '/'
# Assets use absolute paths (correct for web servers)
```
---
## Verification Commands
```bash
# Check assets are using relative paths
head -20 dist/index.html | grep "src=\|href="
# Should show: src="./assets/..." href="./assets/..."
# Run full security pipeline
make full-build-offline
# Just audit for network calls
make audit
```
---
## USB Transfer Workflow
Once local testing passes:
```bash
# 1. Build with offline paths
make build-offline
# 2. Format USB (replace diskX with your USB)
diskutil secureErase freespace 0 /dev/diskX
# 3. Create partition
diskutil partitionDisk /dev/diskX 1 MBR FAT32 SEEDPGP 0b
# 4. Copy all files
cp -R dist/* /Volumes/SEEDPGP/
# 5. Eject
diskutil eject /Volumes/SEEDPGP
# 6. Boot Tails, insert USB, open file:///media/amnesia/SEEDPGP/index.html in Firefox
```
---
## File Structure After Build
```
dist/
├── index.html (references ./assets/...)
├── assets/
│ ├── index-xxx.js (minified app code)
│ ├── index-xxx.css (styles)
│ └── secp256k1-xxx.wasm (crypto library)
└── vite.svg
```
All assets have relative paths in index.html ✅
---
## Why This Works for Offline
| Scenario | Base Path | Works? |
|----------|-----------|--------|
| `file:///media/amnesia/SEEDPGP/index.html` on Tails | `./` | ✅ Yes |
| `http://localhost:8000` on macOS | `./` | ✅ Yes |
| `https://example.com` on Cloudflare | `./` | ✅ Yes (still works) |
| `file://` with absolute paths `/assets/` | `/` | ❌ No (security blocked) |
The relative path solution works everywhere! ✅
---
## Next Steps
1. **Test locally first**
```bash
make build-offline && make serve-local
```
2. **Verify no network calls**
```bash
make audit
```
3. **Prepare USB for Tails**
- Follow the USB Transfer Workflow section above
4. **Boot Tails and test**
- Follow Phase 5-7 in TAILS_OFFLINE_PLAYBOOK.md
5. **Generate seed phrase**
- All offline, no network exposure ✅
---
## Troubleshooting
**"Cannot find module 'bun'"**
```bash
brew install bun
```
**"make: command not found"**
```bash
# macOS should have make pre-installed
# Verify: which make
```
**"Port 8000 already in use"**
```bash
# The serve script will automatically find another port
# Or kill existing process: lsof -ti:8000 | xargs kill -9
```
**Assets still not loading in Safari**
```bash
# Clear Safari cache
# Safari → Settings → Privacy → Remove All Website Data
# Then test again
```
---
## Key Differences from Original Setup
| Aspect | Before | After |
|--------|--------|-------|
| Package Manager | npm | Bun |
| Base Path | `/` (absolute) | `./` (relative) |
| Build Command | `npm run build` | `make build-offline` |
| Local Testing | Couldn't test locally | `make serve-local` |
| File Protocol Support | ❌ Broken in Safari | ✅ Works everywhere |
---
## Files Modified/Created
- ✏️ `vite.config.ts` - Changed base path to relative
- ✨ `Makefile` - New build automation (8 commands)
- 📝 `TAILS_OFFLINE_PLAYBOOK.md` - Updated for Bun + local testing
All three files are ready to use now!

0
MEMORY_STRATEGY.md → doc/MEMORY_STRATEGY.md
View File

4
RECOVERY_PLAYBOOK.md → doc/RECOVERY_PLAYBOOK.md
View File

@@ -1,6 +1,6 @@
## SeedPGP Recovery Playbook - Offline Recovery Guide
**Generated:** Feb 3, 2026 | **SeedPGP v1.4.4** | **Frame Format:** `SEEDPGP1:0:CRC16:BASE45_PAYLOAD`
**Generated:** Feb 3, 2026 | **SeedPGP v1.4.7** | **Frame Format:** `SEEDPGP1:0:CRC16:BASE45_PAYLOAD`
***
@@ -415,7 +415,7 @@ print(f"BIP39 Passphrase used: {'YES' if data['pp'] == 1 else 'NO'}")
**Print this playbook on archival paper or metal. Store separately from encrypted backups and private keys.** 🔒
**Last Updated:** February 3, 2026
**SeedPGP Version:** 1.4.4
**SeedPGP Version:** 1.4.7
**Frame Example CRC:** 58B5 ✓
**Test Recovery:** [ ] Completed [ ] Not Tested

24
SECURITY_AUDIT_REPORT.md → doc/SECURITY_AUDIT_REPORT.md
View File

@@ -1,13 +1,13 @@
# SeedPGP Web Application - Comprehensive Forensic Security Audit Report
**Audit Date:** February 12, 2026
**Application:** seedpgp-web v1.4.6
**Audit Date:** February 12, 2026 (Patched February 17, 2026)
**Application:** seedpgp-web v1.4.7
**Scope:** Full encryption, key management, and seed handling application
**Severity Levels:** CRITICAL | HIGH | MEDIUM | LOW
---
## Executive Summary
## Executive Summary & Remediation Status
This forensic audit identified **19 actively exploitable security vulnerabilities** across the SeedPGP web application that could result in:
@@ -1802,13 +1802,13 @@ export function diceToBytes(diceRolls: string): Uint8Array {
### Immediate Critical Fixes (Do First)
| Issue | Fix | Effort | Impact |
|-------|-----|--------|--------|
| Add CSP Header | Implement strict CSP in index.html | 30 min | CRITICAL |
| Remove Plaintext Mnemonic State | Encrypt all seeds in state | 4 hours | CRITICAL |
| Add BIP39 Validation | Implement checksum verification | 1 hour | CRITICAL |
| Disable Console Logs | Remove all crypto output from console | 30 min | CRITICAL |
| Restrict Clipboard Access | Add warnings and auto-clear | 1 hour | CRITICAL |
| Issue | Status |
|-------|--------|
| Add CSP Header | **Fixed** |
| Remove Plaintext Mnemonic State | **Fixed** |
| Add BIP39 Validation | **Fixed** |
| Disable Console Logs | **Fixed** |
| Restrict Clipboard Access | **Fixed** |
### High Priority (Next Sprint)
@@ -1929,6 +1929,6 @@ For production use with large sums, recommend: **Krux Device** or **Trezor** har
---
**Report Compiled:** February 12, 2026
**Report Compiled:** February 12, 2026 (Updated: February 17, 2026)
**Audit Conducted By:** Security Forensics Analysis System
**Severity Rating:** CRITICAL - 19 Issues Identified
**Remediation Status:** COMPLETE

0
doc/SECURITY_PATCHES.md Normal file
View File

44
doc/SERVE.md Normal file
View File

@@ -0,0 +1,44 @@
# Serving the built `dist/` folder
This project provides two lightweight ways to serve the static `dist/` folder locally (both are offline):
1) Bun static server (uses `serve.ts`)
```bash
# From project root
bun run serve
# or
bun ./serve.ts
# Open: http://127.0.0.1:8000
```
1) Python HTTP server (zero-deps, portable)
```bash
# From the `dist` folder
cd dist
python3 -m http.server 8000
# Open: http://localhost:8000
```
Convenience via `package.json` scripts:
```bash
# Run Bun server
bun run serve
# Run Python server (from project root)
bun run serve:py
```
Makefile shortcuts:
```bash
make serve-bun # runs Bun server
make serve-local # runs Python http.server
```
Notes:
- The Bun server sets correct `Content-Type` for `.wasm` and other assets.
- Always use HTTP (localhost) rather than opening `file://` to avoid CORS/file restrictions.

618
doc/TAILS_OFFLINE_PLAYBOOK.md Normal file
View File

@@ -0,0 +1,618 @@
# Tails Offline Air-Gapped Workflow Playbook
## Overview
This playbook provides step-by-step instructions for using seedpgp-web in a secure, air-gapped environment on Tails, eliminating network exposure entirely.
---
## Phase 1: Prerequisites & Preparation
### 1.1 Requirements
- **Machine A (Build Machine)**: macOS with Bun, TypeScript, and Git installed
- **Tails USB**: 8GB+ USB drive with Tails installed (from tails.boum.org)
- **Application USB**: Separate 2GB+ USB drive for seedpgp-web
- **Network**: Initial internet access on Machine A only
### 1.2 Verify Prerequisites on Machine A (macOS with Bun)
```bash
# Verify Bun is installed
bun --version # Should be v1.0+
# Verify TypeScript tools
which tsc
# Verify git
git --version
# Clone repository
cd ~/workspace
git clone <repository-url> seedpgp-web
cd seedpgp-web
```
### 1.3 Security Checklist Before Starting
- [ ] Machine A (macOS) is trusted and malware-free (or at minimum risk)
- [ ] Bun is installed and up-to-date
- [ ] Tails USB is downloaded from official tails.boum.org
- [ ] You have physical access to verify USB connections
- [ ] You understand this is offline-only after transfer to Application USB
---
## Phase 2: Build Application Locally (Machine A)
### 2.1 Clone and Verify Code
```bash
cd ~/workspace
git clone https://github.com/seedpgp/seedpgp-web.git
cd seedpgp-web
git log --oneline -5 # Document the commit hash for reference
```
### 2.2 Install Dependencies with Bun
```bash
# Use Bun for faster installation
bun install
```
### 2.3 Code Audit (CRITICAL)
Before building, audit the source for security issues:
- [ ] Review `src/lib/seedpgp.ts` - main crypto logic
- [ ] Review `src/lib/seedblend.ts` - seed blending algorithm
- [ ] Check `src/lib/bip39.ts` - BIP39 implementation
- [ ] Verify no external API calls in code
- [ ] Run `grep -r "fetch\|axios\|http\|api" src/` to find network calls
- [ ] Confirm all dependencies in `bunfig.toml` and `package.json` are necessary
```bash
# Perform initial audit with Bun
bun run audit # If audit script exists
grep -r "fetch\|axios\|XMLHttpRequest" src/
grep -r "localStorage\|sessionStorage" src/ # Check what data persists
```
### 2.4 Build Production Bundle Using Makefile
```bash
# Using Makefile (recommended)
make build-offline
# Or directly with Bun
bun run build
```
This generates:
- `dist/index.html` - Main HTML file
- `dist/assets/` - Bundled JavaScript, CSS (using relative paths)
- All static assets
### 2.5 Verify Build Output & Test Locally
```bash
# List all generated files
find dist -type f
# Verify no external resource links
grep -r "cloudflare\|googleapis\|cdn\|http:" dist/ || echo "✓ No external URLs found"
# Test locally with Bun's simple HTTP server
bun ./dist/index.html
# Or serve on port 8000
bun --serve --port 8000 ./dist # deprecated: Bun does not provide a built-in static server
# Use the Makefile: `make serve-local` (runs a Python http.server) or run directly:
# cd dist && python3 -m http.server 8000
# Then open http://localhost:8000 in Safari
```
**Why not file://?**: Safari and Firefox restrict loading local assets via `file://` protocol for security. Using a local HTTP server bypasses this while keeping everything offline.
---
## Phase 3: Prepare Application USB (Machine A - macOS with Bun)
### 3.1 Format USB Drive
```bash
# List USB drives
diskutil list
# Replace diskX with your Application USB (e.g., disk2)
diskutil secureErase freespace 0 /dev/diskX
# Create new partition
diskutil partitionDisk /dev/diskX 1 MBR FAT32 SEEDPGP 0b
```
### 3.2 Copy Built Files to USB
```bash
# Mount should happen automatically, verify:
ls /Volumes/SEEDPGP
# Copy entire dist folder built with make build-offline
cp -R dist/* /Volumes/SEEDPGP/
# Verify copy completed
ls /Volumes/SEEDPGP/
ls /Volumes/SEEDPGP/assets/
# (Optional) Generate integrity hash for verification on Tails
sha256sum dist/* > /Volumes/SEEDPGP/INTEGRITY.sha256
```
### 3.3 Verify USB Contents
```bash
# Ensure index.html exists and is readable
cat /Volumes/SEEDPGP/index.html | head -20
# Check file count matches
echo "Source files:" && find dist -type f | wc -l
echo "USB files:" && find /Volumes/SEEDPGP -type f | wc -l
# Check assets are properly included
find /Volumes/SEEDPGP -type d -name "assets" && echo "✅ Assets folder present"
# Verify no external URLs in assets
grep -r "http:" /Volumes/SEEDPGP/ && echo "⚠️ Warning: HTTP URLs found" || echo "✅ No external URLs"
```
### 3.4 Eject USB Safely
```bash
diskutil eject /Volumes/SEEDPGP
```
---
## Phase 4: Boot Tails & Prepare Environment
### 4.1 Boot Tails from Tails USB
- Power off machine
- Insert Tails USB
- Power on and boot from USB (Cmd+Option during boot on Mac)
- Select "Start Tails"
- **DO NOT connect to network** (decline "Connect to Tor" if prompted)
### 4.2 Insert Application USB
- Once Tails is running, insert Application USB
- Tails should auto-mount it to `/media/amnesia/<random-name>/`
### 4.3 Verify Files Accessible & Start HTTP Server
```bash
# Open terminal in Tails
ls /media/amnesia/
# Should see your Application USB mount
# Navigate to application
cd /media/amnesia/SEEDPGP/
# Verify files are present
ls -la
cat index.html | head -5
# Start local HTTP server (runs completely offline)
python3 -m http.server 8080 &
# Output: Serving HTTP on 0.0.0.0 port 8080
# Verify server is running
curl http://localhost:8080/index.html | head -5
```
**Note:** Python3 is pre-installed on Tails. The http.server runs completely offline—no internet access required, just localhost.
---
## Phase 5: Run Application on Tails
### 5.1 Open Application in Browser via Local HTTP Server
**Why HTTP instead of file://?**
- HTTP is more reliable than `file://` protocol
- Eliminates browser security restrictions
- Identical to local testing on macOS
- Still completely offline (no network exposure)
**Steps:**
1. **In Terminal (where you started the server from Phase 4.3):**
- Verify server is still running: `ps aux | grep http.server`
- Should show: `python3 -m http.server 8080`
- If stopped, restart: `cd /media/amnesia/SEEDPGP && python3 -m http.server 8080 &`
2. **Open Firefox:**
- Click Firefox icon on desktop
- In address bar, type: `http://localhost:8080`
- Press Enter
3. **Verify application loaded:**
- Page should load completely
- All UI elements visible
- No errors in browser console (F12 → Console tab)
### 5.2 Verify Offline Functionality
- [ ] Page loads completely
- [ ] All UI elements are visible
- [ ] No error messages in browser console (F12)
- [ ] Images/assets display correctly
- [ ] No network requests are visible in Network tab (F12)
### 5.3 Test Application Features
**Basic Functionality:**
```
- [ ] Can generate new seed phrase
- [ ] Can input existing seed phrase
- [ ] Can encrypt seed phrase
- [ ] Can generate PGP key
- [ ] QR codes generate correctly
```
**Entropy Sources (all should work offline):**
- [ ] Dice entropy input works
- [ ] User mouse/keyboard entropy captures
- [ ] Random.org is NOT accessible (verify UI indicates offline mode)
- [ ] Audio entropy can be recorded
### 5.4 Generate Your Seed Phrase
1. Navigate to main application
2. Choose entropy source (Dice, Audio, or Interaction)
3. Follow prompts to generate entropy
4. Review generated 12/24-word seed phrase
5. **Write down on paper** (do NOT screenshot, use only pen & paper)
6. Verify BIP39 validation passes
---
## Phase 6: Secure Storage & Export
### 6.1 Export Encrypted Backup (Optional)
If you want to save encrypted backup to USB:
1. Use application's export feature
2. Encrypt with strong passphrase
3. Save to Application USB
4. **Do NOT save to host machine**
### 6.2 Generate PGP Key (Optional)
1. Use seedpgp-web to generate PGP key
2. Export private key (encrypted)
3. Save encrypted to USB if desired
4. **Passphrase should be memorable but not written**
### 6.3 Verify No Leaks
In Firefox Developer Tools (F12):
- **Network tab**: Should show only `localhost:8080` requests (all local)
- **Application/Storage**: Check nothing persistent was written
- **Console**: No fetch/XHR errors to external sites
**To verify server is local-only:**
```bash
# In terminal, check network connections
sudo netstat -tulpn | grep 8080
# Should show: tcp 0 0 127.0.0.1:8080 (LISTEN only on localhost)
# NOT on 0.0.0.0 or external interface
```
---
## Phase 7: Shutdown & Cleanup
### 7.1 Stop HTTP Server & Secure Shutdown
```bash
# Stop the http.server gracefully
killall python3
# Or find the PID and kill it
ps aux | grep http.server
kill -9 <PID> # Replace <PID> with actual process ID
# Verify it stopped
ps aux | grep http.server # Should show nothing
# Then power off Tails completely
sudo poweroff
# You can also:
# - Select "Power Off" from Tails menu
# - Or simply close/restart the laptop
```
**Important:** Killing the server ensures no background processes remain before shutdown.
### 7.2 Physical USB Handling
- [ ] Eject Application USB physically
- [ ] Eject Tails USB physically
- [ ] Store both in secure location
- **Tails memory is volatile** - all session data gone after power-off
### 7.3 Host Machine Cleanup (Machine A)
```bash
# Remove build artifacts if desired (optional)
rm -rf dist/
# Clear sensitive files from shell history
history -c
# Optionally wipe Machine A's work directory
rm -rf ~/workspace/seedpgp-web/
```
---
## Phase 8: Verification & Best Practices
### 8.1 Before Production Use - Full Test Run
**Test on macOS with Bun first:**
```bash
cd seedpgp-web
bun install
make build-offline # Build with relative paths
make serve-local # Serve on http://localhost:8000
# Open Safari: http://localhost:8000
# Verify: all assets load, no console errors, no network requests
```
1. Complete Phases 1-7 with test run on Tails
2. Verify seed phrase generation works reliably
3. Test entropy sources work offline
4. Confirm PGP key generation (if using)
5. Verify export/backup functionality
### 8.2 Security Best Practices
- [ ] **Air-gap is primary defense**: No network = no exfiltration
- [ ] **Tails is ephemeral**: Always boot fresh, always clean shutdown
- [ ] **Paper backups**: Write seed phrase with pen/paper only
- [ ] **Multiple USBs**: Keep Tails and Application USB separate
- [ ] **Verify hash**: Optional - generate hash of `dist/` folder to verify integrity on future builds
### 8.3 Future Seed Generation
Repeat these steps for each new seed phrase:
1. **Boot Tails** from Tails USB (network disconnected)
2. **Insert Application USB** when Tails is running
3. **Start HTTP server:**
```bash
cd /media/amnesia/SEEDPGP
python3 -m http.server 8080 &
```
4. **Open Firefox** → `http://localhost:8080`
5. **Generate seed phrase** (choose entropy source)
6. **Write on paper** (pen & paper only, no screenshots)
7. **Stop server and shutdown:**
```bash
killall python3
sudo poweroff
```
---
## Troubleshooting
### Issue: Application USB Not Mounting on Tails
**Solution**:
```bash
# Check if recognized
sudo lsblk
# Manual mount
sudo mkdir -p /media/usb
sudo mount /dev/sdX1 /media/usb
ls /media/usb
```
### Issue: Black Screen / Firefox Won't Start
**Solution**:
- Let Tails fully boot (may take 2-3 minutes)
- Try manually starting Firefox from Applications menu
- Check memory requirements (Tails recommends 2GB+ RAM)
### Issue: Assets Not Loading (Broken Images/Styling)
**Solution**:
```bash
# Verify file structure on USB
ls -la /media/amnesia/SEEDPGP/assets/
# Check permissions
chmod -R 755 /media/amnesia/SEEDPGP/
```
### Issue: Browser Console Shows Errors
**Solution**:
- Check if `index.html` references external URLs
- Verify `vite.config.ts` doesn't have external dependencies
- Review network tab - should show only `localhost:8080` requests
### Issue: Can't Access <http://localhost:8080>
**Solution**:
```bash
# Verify http.server is running
ps aux | grep http.server
# If not running, restart it
cd /media/amnesia/SEEDPGP
python3 -m http.server 8080 &
# If port 8080 is in use, try another port
python3 -m http.server 8081 &
# Then access http://localhost:8081
```
### Issue: "Connection refused" in Firefox
**Solution**:
```bash
# Check if port is listening
sudo netstat -tulpn | grep 8080
# If not, the server stopped. Restart it:
cd /media/amnesia/SEEDPGP
python3 -m http.server 8080 &
# Wait a few seconds and refresh Firefox (Cmd+R or Ctrl+R)
```
---
## Security Checklist Summary
Before each use:
- [ ] Using Tails booted from USB (never host OS)
- [ ] Application USB inserted (separate from Tails USB)
- [ ] Network disconnected or Tor disabled
- [ ] HTTP server started: `python3 -m http.server 8080` from USB
- [ ] Accessing <http://localhost:8080> (not file://)
- [ ] Firefox console shows no external requests
- [ ] All entropy sources working offline
- [ ] Seed phrase written on paper only
- [ ] HTTP server stopped before shutdown
- [ ] USB ejected after use
- [ ] Tails powered off completely
---
## Appendix A: Makefile Commands Quick Reference
All build commands are available via Makefile on Machine A:
```bash
make help # Show all available commands
make install # Install Bun dependencies
make build-offline # Build with relative paths (for Tails/offline)
make serve-local # Test locally on http://localhost:8000
make audit # Security audit for network calls
make verify-offline # Verify offline compatibility
make full-build-offline # Complete pipeline: clean → build → verify → audit
make clean # Remove dist/ folder
```
**Example workflow:**
```bash
cd seedpgp-web
make install
make audit # Security check
make full-build-offline # Build and verify
# Copy to USB when ready
```
---
## Appendix B: Local Testing on macOS Before Tails
**Why test locally first?**
- Catch build issues early
- Verify all assets load correctly
- Confirm no network requests
- Validation before USB transfer
**Steps:**
```bash
cd seedpgp-web
make build-offline # Build with relative paths
make serve-local # Start local server
# Open Safari: http://localhost:8000
# Test functionality, then Ctrl+C to stop
```
When served locally on <http://localhost:8000>, assets load correctly. On Tails via <http://localhost:8080>, the same relative paths work seamlessly.
---
## Appendix C: Why HTTP Server Instead of file:// Protocol?
### The Problem with file:// Protocol
Opening `file:///path/to/index.html` directly has limitations:
- **Browser security restrictions** - Some features may be blocked or behave unexpectedly
- **Asset loading issues** - Sporadic failures with relative/absolute paths
- **localStorage limitations** - Storage APIs may not work reliably
- **CORS restrictions** - Even local files face CORS-like restrictions on some browsers
- **Debugging difficulty** - Hard to distinguish app issues from browser security issues
### Why http.server Solves This
Python's `http.server` module:
1. **Mimics production environment** - Behaves like a real web server
2. **Completely offline** - Server runs only on localhost (127.0.0.1:8080)
3. **No internet required** - No connection to external servers
4. **Browser compatible** - Works reliably across Firefox, Safari, Chrome
5. **Identical to macOS testing** - Same mechanism for both platforms
6. **Simple & portable** - Python3 comes pre-installed on Tails
**Verify the server is local-only:**
```bash
sudo netstat -tulpn | grep 8080
# Output should show: 127.0.0.1:8080 LISTEN (localhost only)
# NOT 0.0.0.0:8080 (would indicate public access)
```
This ensures your seedpgp-web app runs in a standard HTTP environment without any network exposure. ✅
---
## Additional Resources
- **Tails Documentation**: <https://tails.boum.org/doc/>
- **seedpgp-web Security Audit**: See SECURITY_AUDIT_REPORT.md
- **BIP39 Standard**: <https://github.com/trezor/python-mnemonic>
- **Air-gap Best Practices**: <https://en.wikipedia.org/wiki/Air_gap_(networking)>
- **Bun Documentation**: <https://bun.sh/docs>
- **Python HTTP Server**: <https://docs.python.org/3/library/http.server.html>
---
## Version History
- **v2.1** - February 13, 2026 - Updated to use Python http.server instead of file:// for reliability
- **v2.0** - February 13, 2026 - Updated for Bun, Makefile, and offline compatibility
- **v1.0** - February 13, 2026 - Initial playbook creation

11
index.html
View File

@@ -3,11 +3,12 @@
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<title>SeedPGP v__APP_VERSION__</title>
<!-- Content Security Policy: Prevent XSS, malicious extensions, and external script injection -->
<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><rect width='100' height='100' rx='20' fill='%230d0d0d'/><text x='50' y='65' font-family='Arial' font-size='82' font-weight='bold' text-anchor='middle' fill='%23f7931a'>₿</text><circle cx='50' cy='50' r='38' fill='none' stroke='white' stroke-width='6' opacity='0.7'/></svg>">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<link rel="icon" type="image/svg+xml" href="/vite.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>SeedPGP Web</title>
<!-- CSP is enforced by _headers file in production deployment -->
<!-- No CSP in dev mode to allow Vite HMR -->
</head>
<body>

4
package.json
View File

@@ -9,7 +9,9 @@
"preview": "vite preview",
"typecheck": "tsc --noEmit",
"test": "bun test",
"test:integration": "bun test src/integration.test.ts"
"test:integration": "bun test src/integration.test.ts",
"serve": "bun ./serve.ts",
"serve:py": "cd dist && python3 -m http.server 8000"
},
"dependencies": {
"@types/bip32": "^2.0.4",

57
serve.ts Normal file
View File

@@ -0,0 +1,57 @@
// Lightweight static file server using Bun
// Run with: bun ./serve.ts
import { extname } from 'path'
const DIST = new URL('./dist/', import.meta.url).pathname
function contentType(path: string) {
const ext = extname(path).toLowerCase()
switch (ext) {
case '.html': return 'text/html; charset=utf-8'
case '.js': return 'application/javascript; charset=utf-8'
case '.css': return 'text/css; charset=utf-8'
case '.wasm': return 'application/wasm'
case '.svg': return 'image/svg+xml'
case '.json': return 'application/json'
case '.png': return 'image/png'
case '.jpg': case '.jpeg': return 'image/jpeg'
case '.txt': return 'text/plain; charset=utf-8'
default: return 'application/octet-stream'
}
}
Bun.serve({
hostname: '127.0.0.1',
port: 8000,
fetch(request) {
try {
const url = new URL(request.url)
let pathname = decodeURIComponent(url.pathname)
if (pathname === '/' || pathname === '') pathname = '/index.html'
// prevent path traversal
const safePath = new URL('.' + pathname, 'file:' + DIST).pathname
// Ensure file is inside dist
if (!safePath.startsWith(DIST)) {
return new Response('Not Found', { status: 404 })
}
try {
const file = Bun.file(safePath)
const headers = new Headers()
headers.set('Content-Type', contentType(safePath))
// Localhost only; still set a permissive origin for local dev
headers.set('Access-Control-Allow-Origin', 'http://localhost')
return new Response(file.stream(), { status: 200, headers })
} catch (e) {
return new Response('Not Found', { status: 404 })
}
} catch (err) {
return new Response('Internal Server Error', { status: 500 })
}
}
})
console.log('Bun static server running at http://127.0.0.1:8000 serving ./dist')

36
src/App.tsx
View File

@@ -76,7 +76,7 @@ function App() {
const [blenderResetKey, setBlenderResetKey] = useState(0);
// Network blocking state
const [isNetworkBlocked, setIsNetworkBlocked] = useState(false);
const [isNetworkBlocked, setIsNetworkBlocked] = useState(true);
// Entropy generation states
const [entropySource, setEntropySource] = useState<'camera' | 'dice' | 'audio' | 'randomorg' | null>(null);
@@ -120,6 +120,16 @@ function App() {
return () => clearInterval(interval);
}, []);
useEffect(() => {
blockAllNetworks();
// setIsNetworkBlocked(true); // already set by default state
}, []);
useEffect(() => {
blockAllNetworks();
// setIsNetworkBlocked(true); // already set by default state
}, []);
// Cleanup session key on component unmount
@@ -661,7 +671,7 @@ function App() {
onResetAll={handleResetAll}
/>
<main className="w-full px-4 py-3">
<div className="bg-[#1a1a2e] rounded-xl border-2 border-[#00f0ff]/30 shadow-[0_0_30px_rgba(0,240,255,0.3)] p-8">
<div className="bg-[#1a1a2e] rounded-xl border-2 border-[#00f0ff]/30 shadow-[0_0_30px_rgba(0,240,255,0.3)] p-0">
<div className="p-6 md:p-8 space-y-6">
{/* Error Display */}
{error && (
@@ -875,17 +885,19 @@ function App() {
Send Generated Seed To
</label>
<div className="grid grid-cols-2 gap-3 max-w-sm mx-auto">
<label className={`p-4 rounded-lg border-2 cursor-pointer transition-all ${seedDestination === 'backup' ? 'bg-[#1a1a2e] border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]' : 'bg-[#16213e] border-[#00f0ff]/30 hover:border-[#00f0ff]/50'}`}>
<label className={`p-3 md:p-4 rounded-lg border-2 cursor-pointer transition-all ${seedDestination === 'backup' ? 'bg-[#1a1a2e] border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]' : 'bg-[#16213e] border-[#00f0ff]/30 hover:border-[#00f0ff]/50'}`}>
<input type="radio" name="destination" value="backup" checked={seedDestination === 'backup'} onChange={(e) => setSeedDestination(e.target.value as 'backup' | 'seedblender')} className="hidden" />
<div className="text-center space-y-1">
<div className={`text-sm font-bold ${seedDestination === 'backup' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`}>📦 Backup</div>
<div className="flex flex-col items-center justify-center gap-1 md:gap-2">
<Lock className={`w-5 h-5 md:w-6 md:h-6 transition-colors ${seedDestination === 'backup' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`} />
<div className={`text-xs md:text-sm font-bold ${seedDestination === 'backup' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`}>Backup</div>
<p className="text-[10px] text-[#6ef3f7]">Encrypt immediately</p>
</div>
</label>
<label className={`p-4 rounded-lg border-2 cursor-pointer transition-all ${seedDestination === 'seedblender' ? 'bg-[#1a1a2e] border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]' : 'bg-[#16213e] border-[#00f0ff]/30 hover:border-[#00f0ff]/50'}`}>
<label className={`p-3 md:p-4 rounded-lg border-2 cursor-pointer transition-all ${seedDestination === 'seedblender' ? 'bg-[#1a1a2e] border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]' : 'bg-[#16213e] border-[#00f0ff]/30 hover:border-[#00f0ff]/50'}`}>
<input type="radio" name="destination" value="seedblender" checked={seedDestination === 'seedblender'} onChange={(e) => setSeedDestination(e.target.value as 'backup' | 'seedblender')} className="hidden" />
<div className="text-center space-y-1">
<div className={`text-sm font-bold ${seedDestination === 'seedblender' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`}>🎨 Seed Blender</div>
<div className="flex flex-col items-center justify-center gap-1 md:gap-2">
<Dices className={`w-5 h-5 md:w-6 md:h-6 transition-colors ${seedDestination === 'seedblender' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`} />
<div className={`text-xs md:text-sm font-bold ${seedDestination === 'seedblender' ? 'text-[#00f0ff]' : 'text-[#9d84b7]'}`}>Seed Blender</div>
<p className="text-[10px] text-[#6ef3f7]">Use for XOR blending</p>
</div>
</label>
@@ -893,8 +905,12 @@ function App() {
</div>
{/* Send Button */}
<button onClick={handleSendToDestination} className="w-full py-3 bg-gradient-to-r from-[#ff006e] to-[#ff4d8f] text-white text-sm rounded-xl font-bold uppercase hover:shadow-[0_0_30px_rgba(255,0,110,0.8)] transition-all">
Send to {seedDestination === 'backup' ? 'Backup' : 'Seed Blender'}
<button
onClick={handleSendToDestination}
className="w-full py-2.5 bg-[#1a1a2e] border-2 border-[#ff006e] text-[#00f0ff] text-xs md:text-sm rounded-lg font-bold uppercase tracking-wide hover:shadow-[0_0_25px_rgba(255,0,110,0.7)] active:scale-95 transition-all disabled:opacity-50 disabled:cursor-not-allowed shadow-[0_0_15px_rgba(255,0,110,0.5)]"
style={{ textShadow: '0 0 8px rgba(0,240,255,0.7)' }}
>
Continue to {seedDestination === 'backup' ? 'Backup' : 'Seed Blender'}
</button>
<button onClick={() => { setGeneratedSeed(''); setEntropySource(null); setEntropyStats(null); }} className="w-full py-2 bg-[#16213e] border-2 border-[#00f0ff] text-[#00f0ff] rounded-lg text-sm font-bold hover:bg-[#00f0ff]/20 transition-all">

37
src/AudioEntropy.tsx
View File

@@ -1,6 +1,7 @@
import React, { useState, useRef, useEffect } from 'react';
import { Mic, X, CheckCircle2 } from 'lucide-react';
import { InteractionEntropy } from './lib/interactionEntropy';
import { entropyToMnemonic } from './lib/seedblend';
interface AudioStats {
sampleRate: number;
@@ -58,7 +59,7 @@ const AudioEntropy: React.FC<AudioEntropyProps> = ({
if (scriptProcessorRef.current) {
(scriptProcessorRef.current as any).onaudioprocess = null;
try { scriptProcessorRef.current.disconnect(); } catch {}
try { scriptProcessorRef.current.disconnect(); } catch { }
scriptProcessorRef.current = null;
}
@@ -67,7 +68,7 @@ const AudioEntropy: React.FC<AudioEntropyProps> = ({
const ctx = audioContextRef.current;
audioContextRef.current = null;
if (ctx && ctx.state !== 'closed') {
try { await ctx.close(); } catch {}
try { await ctx.close(); } catch { }
}
};
@@ -138,7 +139,7 @@ const AudioEntropy: React.FC<AudioEntropyProps> = ({
// Deterministic logging every 30 frames
if (frameCounterRef.current++ % 30 === 0) {
console.log('🎙️ RAW mic RMS:', rawRms.toFixed(4), 'Sample:', inputBuffer.slice(0,5));
console.log('🎙️ RAW mic RMS:', rawRms.toFixed(4), 'Sample:', inputBuffer.slice(0, 5));
}
};
@@ -416,11 +417,9 @@ const AudioEntropy: React.FC<AudioEntropyProps> = ({
const data = encoder.encode(combined);
const hash = await crypto.subtle.digest('SHA-256', data);
const { entropyToMnemonic } = await import('bip39');
const entropyLength = wordCount === 12 ? 16 : 32;
const finalEntropy = new Uint8Array(hash).slice(0, entropyLength);
const entropyHex = Buffer.from(finalEntropy).toString('hex');
return entropyToMnemonic(entropyHex);
return entropyToMnemonic(finalEntropy);
};
useEffect(() => {
@@ -676,19 +675,19 @@ const AudioEntropy: React.FC<AudioEntropyProps> = ({
Continue with this Seed
</button>
<button
onClick={() => {
setStep('permission');
setStats(null);
setGeneratedMnemonic('');
setAudioLevel(0);
audioDataRef.current = [];
audioLevelLoggedRef.current = false;
}}
className="w-full py-2 bg-[#16213e] border-2 border-[#00f0ff] text-[#00f0ff] rounded-lg text-sm font-bold hover:bg-[#00f0ff20] transition-all"
>
Capture Again
</button>
<button
onClick={() => {
setStep('permission');
setStats(null);
setGeneratedMnemonic('');
setAudioLevel(0);
audioDataRef.current = [];
audioLevelLoggedRef.current = false;
}}
className="w-full py-2 bg-[#16213e] border-2 border-[#00f0ff] text-[#00f0ff] rounded-lg text-sm font-bold hover:bg-[#00f0ff20] transition-all"
>
Capture Again
</button>
</div>
</div>
)}

7
src/components/CameraEntropy.tsx
View File

@@ -1,6 +1,7 @@
import React, { useState, useRef, useEffect } from 'react';
import { Camera, X, AlertCircle, CheckCircle2 } from 'lucide-react';
import { InteractionEntropy } from '../lib/interactionEntropy';
import { entropyToMnemonic } from '../lib/seedblend';
interface EntropyStats {
shannon: number;
@@ -382,14 +383,10 @@ const CameraEntropy: React.FC<CameraEntropyProps> = ({
const hash = await crypto.subtle.digest('SHA-256', data);
// Use bip39 to generate mnemonic from the collected entropy hash
const { entropyToMnemonic } = await import('bip39');
const entropyLength = wordCount === 12 ? 16 : 32;
const finalEntropy = new Uint8Array(hash).slice(0, entropyLength);
// The bip39 library expects a hex string or a Buffer.
const entropyHex = Buffer.from(finalEntropy).toString('hex');
return entropyToMnemonic(entropyHex);
return entropyToMnemonic(finalEntropy);
};
useEffect(() => {

6
src/components/DiceEntropy.tsx
View File

@@ -154,20 +154,20 @@ const DiceEntropy: React.FC<DiceEntropyProps> = ({
{/* INPUT FORM - Show only when stats are NOT shown */}
{!stats && !processing && (
<>
<div className="p-4 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 space-y-3">
<div className="p-3 md:p-4 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 space-y-3">
<div className="flex items-center gap-2"><Dices size={20} className="text-[#00f0ff]" /><h3 className="text-sm font-bold text-[#00f0ff] uppercase">Dice Roll Entropy</h3></div>
<div className="space-y-2 text-xs text-[#6ef3f7]">
<p className="font-bold text-[#00f0ff]">Instructions:</p>
<ul className="list-disc list-inside space-y-1 pl-2">
<li>Roll a 6-sided die at least 99 times</li>
<li>Enter each result (1-6) in order</li>
<li>No spaces needed (e.g., 163452...)</li>
<li>Spaces are ignored (e.g., 163452...)</li>
<li>Pattern validation enabled</li>
</ul>
</div>
<div className="space-y-2">
<label className="text-[10px] font-bold text-[#00f0ff] uppercase tracking-widest">Enter Dice Rolls</label>
<textarea value={rolls} onChange={(e) => { setRolls(e.target.value.replace(/[^1-6\s]/g, '')); setError(''); }} placeholder="99+ dice rolls (e.g., 16345...)" className="w-full h-32 p-3 bg-[#0a0a0f] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-xs text-[#00f0ff] placeholder:text-[10px] placeholder:text-[#6ef3f7] focus:outline-none focus:border-[#ff006e] focus:shadow-[0_0_20px_rgba(255,0,110,0.5)] transition-all resize-none" />
<textarea value={rolls} onChange={(e) => { setRolls(e.target.value.replace(/[^1-6\s]/g, '')); setError(''); }} placeholder="99+ dice rolls (e.g., 16345...)" className="w-full h-28 md:h-32 p-2 md:p-3 bg-[#0a0a0f] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-xs text-[#00f0ff] placeholder:text-[10px] placeholder:text-[#6ef3f7] focus:outline-none focus:border-[#ff006e] focus:shadow-[0_0_20px_rgba(255,0,110,0.5)] transition-all resize-none" />
<p className="text-[10px] text-[#6ef3f7]">Current: {rolls.replace(/\s/g, '').length} rolls {rolls.replace(/\s/g, '').length >= 99 && ' ✓'}</p>
</div>
{error && (<div className="flex items-start gap-2 p-3 bg-[#0a0a0f] border border-[#ff006e] rounded-lg"><AlertCircle size={16} className="text-[#ff006e] shrink-0 mt-0.5" /><p className="text-xs text-[#ff006e]">{error}</p></div>)}

6
src/components/RandomOrgEntropy.tsx
View File

@@ -145,7 +145,7 @@ const RandomOrgEntropy: React.FC<RandomOrgEntropyProps> = ({
<div className="space-y-4 max-h-[calc(100vh-200px)] overflow-y-auto">
{!stats && !processing && (
<>
<div className="p-4 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 space-y-3">
<div className="p-3 md:p-4 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 space-y-3">
<div className="flex items-center gap-2">
<Globe size={20} className="text-[#00f0ff]" />
<h3 className="text-sm font-bold text-[#00f0ff] uppercase">🌍 Random.org Entropy</h3>
@@ -226,7 +226,7 @@ const RandomOrgEntropy: React.FC<RandomOrgEntropyProps> = ({
readOnly
value={requestJson}
onFocus={(e) => e.currentTarget.select()}
className="w-full h-36 p-3 bg-[#0a0a0f] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-[10px] text-[#00f0ff] focus:outline-none"
className="w-full h-28 md:h-36 p-2 md:p-3 bg-[#0a0a0f] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-[10px] text-[#00f0ff] focus:outline-none"
/>
<p className="text-[10px] text-[#6ef3f7]">
Endpoint: <span className="font-mono text-[#00f0ff]">https://api.random.org/json-rpc/1/invoke</span>
@@ -239,7 +239,7 @@ const RandomOrgEntropy: React.FC<RandomOrgEntropyProps> = ({
value={paste}
onChange={(e) => setPaste(e.target.value)}
placeholder="Paste JSON-RPC response, or paste a [1,6,2,...] array"
className="w-full h-36 p-3 bg-[#16213e] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-[10px] text-[#00f0ff] placeholder-[#9d84b7] focus:outline-none focus:border-[#ff006e] transition-all"
className="w-full h-28 md:h-36 p-2 md:p-3 bg-[#16213e] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-[10px] text-[#00f0ff] placeholder-[#9d84b7] focus:outline-none focus:border-[#ff006e] transition-all"
/>
</div>

151
src/components/SeedBlender.tsx
View File

@@ -74,7 +74,9 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
const [finalMnemonic, setFinalMnemonic] = useState<string | null>(null);
const [mixing, setMixing] = useState(false);
const [showFinalQR, setShowFinalQR] = useState(false);
const [copiedFinal, setCopiedFinal] = useState(false);
const [targetWordCount, setTargetWordCount] = useState<12 | 24>(24);
useEffect(() => {
const isDirty = entries.some(e => e.rawInput.length > 0) || diceRolls.length > 0;
onDirtyStateChange(isDirty);
@@ -262,7 +264,7 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
if (!blendedResult) return;
setMixing(true);
try {
const outputBits = blendedResult.blendedEntropy.length >= 32 ? 256 : 128;
const outputBits = targetWordCount === 12 ? 128 : 256;
const result = await mixWithDiceAsync(blendedResult.blendedEntropy, diceRolls, outputBits);
setFinalMnemonic(result.finalMnemonic);
} catch (e) { setFinalMnemonic(null); } finally { setMixing(false); }
@@ -278,6 +280,25 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
// This preserves the blended seed in case user wants to come back and export QR
};
const copyFinalMnemonic = async () => {
if (!finalMnemonic) return;
try {
await navigator.clipboard.writeText(finalMnemonic);
setCopiedFinal(true);
window.setTimeout(() => setCopiedFinal(false), 1200);
} catch {
// fallback: select manually
const el = document.getElementById("final-mnemonic");
if (el) {
const range = document.createRange();
range.selectNodeContents(el);
const sel = window.getSelection();
sel?.removeAllRanges();
sel?.addRange(range);
}
}
};
const getBorderColor = (isValid: boolean | null) => {
if (isValid === true) return 'border-[#39ff14] focus:ring-[#39ff14]';
if (isValid === false) return 'border-[#ff006e] focus:ring-[#ff006e]';
@@ -286,18 +307,18 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
return (
<>
<div className="space-y-6 pb-20">
<div className="mb-6">
<h2 className="text-lg font-bold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>
<div className="space-y-4 md:space-y-6 pb-10 md:pb-20">
<div className="mb-3 md:mb-6">
<h2 className="text-base md:text-lg font-bold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>
Seed Blender
</h2>
</div>
<div className="p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30">
<h3 className="font-semibold text-lg mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 1: Input Mnemonics</h3>
<div className="space-y-4">
<div className="p-3 md:p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30">
<h3 className="font-semibold text-base md:text-lg mb-2 md:mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 1: Input Mnemonics</h3>
<div className="space-y-3 md:space-y-4">
{entries.map((entry, index) => (
<div key={entry.id} className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/20">
<div key={entry.id} className="p-2 md:p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/20">
{entry.passwordRequired ? (
<div className="space-y-2">
<div className="flex items-center justify-between"><label className="text-sm font-semibold text-[#00f0ff]">Decrypt {entry.inputType.toUpperCase()} Mnemonic</label><button onClick={() => updateEntry(index, createNewEntry())} className="text-xs text-[#6ef3f7] hover:text-[#00f0ff]">&times; Cancel</button></div>
@@ -314,9 +335,8 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
onFocus={(e) => e.target.classList.remove('blur-sensitive')}
onBlur={(e) => entry.rawInput && e.target.classList.add('blur-sensitive')}
placeholder={`Mnemonic #${index + 1} (12 or 24 words)`}
className={`w-full h-24 p-3 bg-[#0a0a0f] border-2 rounded-lg font-mono text-xs text-[#00f0ff] placeholder:text-[10px] placeholder:text-[#6ef3f7] focus:outline-none focus:border-[#ff006e] focus:shadow-[0_0_20px_rgba(255,0,110,0.5)] transition-all ${getBorderColor(entry.isValid)} ${
entry.rawInput ? 'blur-sensitive' : ''
}`}
className={`w-full h-20 md:h-24 p-2 md:p-3 bg-[#0a0a0f] border-2 rounded-lg font-mono text-xs text-[#00f0ff] placeholder:text-[10px] placeholder:text-[#6ef3f7] focus:outline-none focus:border-[#ff006e] focus:shadow-[0_0_20px_rgba(255,0,110,0.5)] transition-all ${getBorderColor(entry.isValid)} ${entry.rawInput ? 'blur-sensitive' : ''
}`}
/>
{/* Row 2: QR button (left) and X button (right) */}
<div className="flex items-center justify-between">
@@ -342,47 +362,114 @@ export function SeedBlender({ onDirtyStateChange, setMnemonicForBackup, requestT
)}
</div>
))}
<button onClick={handleAddEntry} className="w-full py-2.5 bg-[#1a1a2e] hover:bg-[#16213e] text-[#00f0ff] rounded-lg font-semibold flex items-center justify-center gap-2 border-2 border-[#00f0ff]/50"><Plus size={16} /> Add Another Mnemonic</button>
<button onClick={handleAddEntry} className="w-full py-2 bg-[#1a1a2e] hover:bg-[#16213e] text-[#00f0ff] rounded-lg font-semibold flex items-center justify-center gap-2 border-2 border-[#00f0ff]/50"><Plus size={16} /> Add Another Mnemonic</button>
</div>
</div>
<div className="p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 min-h-[10rem]">
<h3 className="font-semibold text-lg mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 2: Blended Preview</h3>
{blending ? <p className="text-sm text-[#6ef3f7]">Blending...</p> : !blendError && blendedResult ? (<div className="space-y-4 animate-in fade-in">{xorStrength?.isWeak && (<div className="p-3 bg-[#ff006e]/10 border-2 border-[#ff006e]/30 text-[#ff006e] rounded-lg text-sm flex gap-3"><AlertTriangle /><div><span className="font-bold">Weak XOR Result:</span> Detected only {xorStrength.uniqueBytes} unique bytes. This can happen if seeds are identical or too similar.</div></div>)}<div className="space-y-1"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Blended Mnemonic (12-word)</label><p data-sensitive="Blended Mnemonic (12-word)" className="p-3 bg-[#1a1a2e] rounded-md font-mono text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{blendedResult.blendedMnemonic12}</p></div>{blendedResult.blendedMnemonic24 && (<div className="space-y-1"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Blended Mnemonic (24-word)</label><p data-sensitive="Blended Mnemonic (24-word)" className="p-3 bg-[#1a1a2e] rounded-md font-mono text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{blendedResult.blendedMnemonic24}</p></div>)}</div>) : (<p className="text-sm text-[#6ef3f7]">{blendError || 'Previews will appear here once you enter one or more valid mnemonics.'}</p>)}
<div className="p-3 md:p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30 min-h-[10rem]">
<h3 className="font-semibold text-base md:text-lg mb-2 md:mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 2: Blended Preview</h3>
{blending ? <p className="text-sm text-[#6ef3f7]">Blending...</p> : !blendError && blendedResult ? (<div className="space-y-3 md:space-y-4 animate-in fade-in">{xorStrength?.isWeak && (<div className="p-3 bg-[#ff006e]/10 border-2 border-[#ff006e]/30 text-[#ff006e] rounded-lg text-sm flex gap-3"><AlertTriangle /><div><span className="font-bold">Weak XOR Result:</span> Detected only {xorStrength.uniqueBytes} unique bytes. This can happen if seeds are identical or too similar.</div></div>)}<div className="space-y-1"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Blended Mnemonic (12-word)</label><p data-sensitive="Blended Mnemonic (12-word)" className="p-2 md:p-3 bg-[#1a1a2e] rounded-md font-mono text-xs md:text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{blendedResult.blendedMnemonic12}</p></div>{blendedResult.blendedMnemonic24 && (<div className="space-y-1"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Blended Mnemonic (24-word)</label><p data-sensitive="Blended Mnemonic (24-word)" className="p-2 md:p-3 bg-[#1a1a2e] rounded-md font-mono text-xs md:text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{blendedResult.blendedMnemonic24}</p></div>)}</div>) : (<p className="text-sm text-[#6ef3f7]">{blendError || 'Previews will appear here once you enter one or more valid mnemonics.'}</p>)}
</div>
<div className="p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30">
<h3 className="font-semibold text-lg mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 3: Input Dice Rolls</h3>
<div className="space-y-4">
<textarea value={diceRolls} onChange={(e) => setDiceRolls(e.target.value.replace(/[^1-6]/g, ''))} placeholder="99+ dice rolls (e.g., 16345...)" className="w-full h-32 p-3 bg-[#16213e] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-sm placeholder:text-[10px] placeholder:text-[#6ef3f7]" />
<div className="p-3 md:p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/30">
<h3 className="font-semibold text-base md:text-lg mb-2 md:mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 3: Input Dice Rolls</h3>
<div className="space-y-3 md:space-y-4">
<textarea
value={diceRolls}
onChange={(e) => setDiceRolls(e.target.value.replace(/[^1-6]/g, ''))}
placeholder="99+ dice rolls (e.g., 16345...)"
className="w-full h-24 md:h-32 p-2 md:p-3 bg-[#0a0a0f] border-2 border-[#00f0ff]/50 rounded-lg font-mono text-xs text-[#00f0ff] placeholder:text-[10px] placeholder:text-[#6ef3f7] focus:outline-none focus:border-[#ff006e] focus:shadow-[0_0_20px_rgba(255,0,110,0.5)] transition-all"
/>
{dicePatternWarning && (<div className="p-3 bg-[#ff006e]/10 border-2 border-[#ff006e]/30 text-[#ff006e] rounded-lg text-sm flex gap-3"><AlertTriangle /><p><span className="font-bold">Warning:</span> {dicePatternWarning}</p></div>)}
{diceStats && diceStats.length > 0 && (<div className="grid grid-cols-2 md:grid-cols-4 gap-4 text-center"><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Rolls</p><p className="text-lg font-bold text-[#00f0ff]">{diceStats.length}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Entropy (bits)</p><p className="text-lg font-bold text-[#00f0ff]">{diceStats.estimatedEntropyBits.toFixed(1)}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Mean</p><p className="text-lg font-bold text-[#00f0ff]">{diceStats.mean.toFixed(2)}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Chi-Square</p><p className={`text-lg font-bold ${diceStats.chiSquare > 11.07 ? 'text-[#ff006e]' : 'text-[#00f0ff]'}`}>{diceStats.chiSquare.toFixed(2)}</p></div></div>)}
{diceOnlyMnemonic && (<div className="space-y-1 pt-2"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Dice-Only Preview Mnemonic</label><p data-sensitive="Dice-Only Preview Mnemonic" className="p-3 bg-[#1a1a2e] rounded-md font-mono text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{diceOnlyMnemonic}</p></div>)}
{diceStats && diceStats.length > 0 && (<div className="grid grid-cols-2 md:grid-cols-4 gap-2 md:gap-4 text-center"><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Rolls</p><p className="text-base md:text-lg font-bold text-[#00f0ff]">{diceStats.length}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Entropy (bits)</p><p className="text-base md:text-lg font-bold text-[#00f0ff]">{diceStats.estimatedEntropyBits.toFixed(1)}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Mean</p><p className="text-base md:text-lg font-bold text-[#00f0ff]">{diceStats.mean.toFixed(2)}</p></div><div className="p-3 bg-[#1a1a2e] rounded-lg border-2 border-[#00f0ff]/30"><p className="text-xs text-[#6ef3f7]">Chi-Square</p><p className={`text-base md:text-lg font-bold ${diceStats.chiSquare > 11.07 ? 'text-[#ff006e]' : 'text-[#00f0ff]'}`}>{diceStats.chiSquare.toFixed(2)}</p></div></div>)}
{diceOnlyMnemonic && (<div className="space-y-1 pt-2"><label className="text-xs font-semibold text-[#00f0ff] uppercase tracking-widest" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Dice-Only Preview Mnemonic</label><p data-sensitive="Dice-Only Preview Mnemonic" className="p-2 md:p-3 bg-[#1a1a2e] rounded-md font-mono text-xs md:text-sm text-[#00f0ff] break-words border-2 border-[#00f0ff]/30">{diceOnlyMnemonic}</p></div>)}
</div>
</div>
<div className="p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/50 shadow-[0_0_20px_rgba(0,240,255,0.3)]">
<h3 className="font-semibold text-lg mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 4: Generate Final Mnemonic</h3>
<div className="p-3 md:p-6 bg-[#16213e] rounded-xl border-2 border-[#00f0ff]/50 shadow-[0_0_20px_rgba(0,240,255,0.3)]">
<h3 className="font-semibold text-base md:text-lg mb-2 md:mb-4 text-[#00f0ff]" style={{ textShadow: '0 0 10px rgba(0,240,255,0.7)' }}>Step 4: Generate Final Mnemonic</h3>
{finalMnemonic ? (
<div className="p-4 bg-[#0a0a0f] border-2 border-[#39ff14] rounded-2xl shadow-[0_0_20px_rgba(57,255,20,0.3)]">
<div className="flex items-center justify-between mb-4"><span className="font-bold text-[#39ff14] flex items-center gap-2 text-lg" style={{ textShadow: '0 0 10px rgba(57,255,20,0.8)' }}><CheckCircle2 size={22} /> Final Mnemonic Generated</span><button onClick={() => setFinalMnemonic(null)} className="p-2.5 hover:bg-[#16213e] rounded-xl transition-all text-[#39ff14] hover:shadow-[0_0_15px_rgba(57,255,20,0.5)] flex items-center gap-2"><EyeOff size={22} /> Hide</button></div>
<div className="p-6 bg-[#0a0a0f] rounded-xl border-2 border-[#39ff14] shadow-[0_0_20px_rgba(57,255,20,0.3)]"><p data-sensitive="Final Blended Mnemonic" className="font-mono text-center text-lg break-words text-[#39ff14]">{finalMnemonic}</p></div>
<div className="p-4 bg-[#0a0a0f] border-2 border-[#39ff14] rounded-2xl shadow-[0_0_20px_rgba(57,255,20,0.3)] animate-in fade-in">
<div className="flex items-center justify-between mb-4">
<span className="font-bold text-[#39ff14] flex items-center gap-2 text-lg" style={{ textShadow: '0 0 10px rgba(57,255,20,0.8)' }}><CheckCircle2 size={22} /> Final Mnemonic Generated</span>
<button onClick={() => setFinalMnemonic(null)} className="p-2.5 hover:bg-[#16213e] rounded-xl transition-all text-[#39ff14] hover:shadow-[0_0_15px_rgba(57,255,20,0.5)] flex items-center gap-2"><EyeOff size={22} /> Hide</button>
</div>
<div className="p-6 bg-[#0a0a0f] rounded-xl border-2 border-[#39ff14] shadow-[0_0_20px_rgba(57,255,20,0.3)]">
<div className="flex items-center justify-end mb-3">
<button
type="button"
onClick={copyFinalMnemonic}
className="px-3 py-1.5 bg-[#16213e] border-2 border-[#39ff14]/50 text-[#39ff14] rounded-lg text-xs font-semibold hover:shadow-[0_0_15px_rgba(57,255,20,0.35)] transition-all"
title="Copy final mnemonic"
>
{copiedFinal ? "Copied" : "Copy"}
</button>
</div>
<p
id="final-mnemonic"
data-sensitive="Final Blended Mnemonic"
className="font-mono text-center text-sm md:text-base break-words text-[#39ff14] leading-relaxed select-text cursor-text"
onClick={(e) => {
const range = document.createRange();
range.selectNodeContents(e.currentTarget);
const sel = window.getSelection();
sel?.removeAllRanges();
sel?.addRange(range);
}}
>{finalMnemonic}</p>
<p className="text-[9px] text-[#6ef3f7] mt-2 text-center">Click the words to select all, or use Copy.</p>
</div>
<div className="mt-4 p-3 bg-[#ff006e]/10 text-[#ff006e] rounded-lg text-xs flex gap-2 border-2 border-[#ff006e]/30"><AlertTriangle size={16} className="shrink-0 mt-0.5" /><span><strong>Security Warning:</strong> Write this down immediately. Do not save it digitally.</span></div>
<div className="grid grid-cols-2 gap-3 mt-4">
<button onClick={() => setShowFinalQR(true)} className="w-full py-2.5 bg-[#1a1a2e] text-[#00f0ff] rounded-lg font-semibold flex items-center justify-center gap-2 border-2 border-[#00f0ff]/50 hover:bg-[#16213e] hover:shadow-[0_0_15px_rgba(0,240,255,0.3)]"><QrCode size={16} /> Export as QR</button>
<div className="grid grid-cols-1 sm:grid-cols-2 gap-3 mt-4">
<button
onClick={() => setShowFinalQR(true)}
className="w-full py-2.5 bg-[#16213e] border-2 border-[#00f0ff] text-[#00f0ff] text-xs md:text-sm rounded-lg font-bold uppercase tracking-wide flex items-center justify-center gap-2 hover:bg-[#00f0ff]/20 active:scale-95 transition-all"
style={{ textShadow: '0 0 8px rgba(0,240,255,0.7)' }}
>
<QrCode size={16} /> Export as QR
</button> <button
onClick={handleTransfer}
className="w-full py-2.5 bg-gradient-to-r from-[#ff006e] to-[#ff4d8f] text-white rounded-lg font-bold uppercase tracking-wider flex items-center justify-center gap-2 hover:shadow-[0_0_30px_rgba(255,0,110,0.8)] active:scale-95 transition-all disabled:opacity-50 disabled:cursor-not-allowed border border-[#ff006e]"
style={{ textShadow: '0 0 10px rgba(255,255,255,0.8)' }}
className="w-full py-2.5 bg-[#1a1a2e] border-2 border-[#ff006e] text-[#00f0ff] text-xs md:text-sm rounded-lg font-bold uppercase tracking-wide flex items-center justify-center gap-2 hover:shadow-[0_0_25px_rgba(255,0,110,0.7)] active:scale-95 transition-all disabled:opacity-50 disabled:cursor-not-allowed shadow-[0_0_15px_rgba(255,0,110,0.5)]"
style={{ textShadow: '0 0 8px rgba(0,240,255,0.7)' }}
disabled={!finalMnemonic}
>
<ArrowRight size={20} />
Send to Backup Tab
Send to Backup
</button>
</div>
</div>
) : (
<><p className="text-sm text-[#6ef3f7] mb-4">Once you have entered valid mnemonics and at least 50 dice rolls, you can generate the final mnemonic.</p><button onClick={handleFinalMix} disabled={!blendedResult || !diceRolls || diceRolls.length < 50 || mixing} className="w-full py-3 bg-gradient-to-r from-[#00f0ff] to-[#0066ff] text-[#16213e] rounded-xl font-bold flex items-center justify-center gap-2 disabled:opacity-50 hover:shadow-[0_0_20px_rgba(0,240,255,0.5)]">{mixing ? <RefreshCw className="animate-spin" size={20} /> : <Sparkles size={20} />}{mixing ? 'Generating...' : 'Mix Mnemonic + Dice'}</button></>
<>
<p className="text-xs md:text-sm text-[#6ef3f7] mb-2 md:mb-4">Once you have entered valid mnemonics and at least 50 dice rolls, you can generate the final mnemonic.</p>
<div className="space-y-3 pt-4 mb-4 border-t border-[#00f0ff]/30">
<label className="text-[10px] font-bold text-[#00f0ff] uppercase tracking-widest block text-center" style={{ textShadow: '0 0 10px rgba(0, 240, 255, 0.7)' }}>
Target Seed Length
</label>
<div className="grid grid-cols-2 gap-3 max-w-sm mx-auto">
<button
onClick={() => setTargetWordCount(12)}
className={`py-2.5 text-sm rounded-lg font-medium transition-all ${targetWordCount === 12
? 'bg-[#1a1a2e] text-[#00f0ff] border-2 border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]'
: 'bg-[#16213e] text-[#9d84b7] border-2 border-[#00f0ff]/30 hover:text-[#6ef3f7] hover:border-[#00f0ff]/50'
}`}
style={targetWordCount === 12 ? { textShadow: '0 0 10px rgba(0, 240, 255, 0.8)' } : undefined}
>
12 Words
</button>
<button
onClick={() => setTargetWordCount(24)}
className={`py-2.5 text-sm rounded-lg font-medium transition-all ${targetWordCount === 24
? 'bg-[#1a1a2e] text-[#00f0ff] border-2 border-[#ff006e] shadow-[0_0_15px_rgba(255,0,110,0.5)]'
: 'bg-[#16213e] text-[#9d84b7] border-2 border-[#00f0ff]/30 hover:text-[#6ef3f7] hover:border-[#00f0ff]/50'
}`}
style={targetWordCount === 24 ? { textShadow: '0 0 10px rgba(0, 240, 255, 0.8)' } : undefined}
>
24 Words
</button>
</div>
</div>
<button onClick={handleFinalMix} disabled={!blendedResult || !diceRolls || diceRolls.length < 50 || mixing} className="w-full py-3 bg-gradient-to-r from-[#00f0ff] to-[#0066ff] text-[#16213e] rounded-xl font-bold flex items-center justify-center gap-2 disabled:opacity-50 hover:shadow-[0_0_20px_rgba(0,240,255,0.5)]">{mixing ? <RefreshCw className="animate-spin" size={20} /> : <Sparkles size={20} />}{mixing ? 'Generating...' : 'Mix Mnemonic + Dice'}</button>
</>
)}
</div>
</div>

68
src/components/security.test.ts Normal file
View File

@@ -0,0 +1,68 @@
import { describe, it, expect, beforeEach } from 'bun:test';
import { detectEncryptionMode } from './../lib/seedpgp';
import {
encryptJsonToBlob,
decryptBlobToJson,
destroySessionKey,
getSessionKey,
} from './../lib/sessionCrypto';
describe('Security Fixes Verification', () => {
describe('F-02: Regex Fix for SeedQR detection', () => {
it('should correctly detect a standard numeric SeedQR', () => {
// A 48-digit string, representing 12 words
const numericSeedQR = '000011112222333344445555666677778888999901234567';
const mode = detectEncryptionMode(numericSeedQR);
expect(mode).toBe('seedqr');
});
it('should not detect a short numeric string as SeedQR', () => {
const shortNumeric = '1234567890'; // 10 digits - too short for SeedQR
const mode = detectEncryptionMode(shortNumeric);
// ✅ FIXED: Short numeric strings should NOT be detected as SeedQR
// (They may be detected as 'krux' if they match Base43 charset, which is fine)
expect(mode).not.toBe('seedqr');
});
it('should not detect a mixed-character string as numeric SeedQR', () => {
const mixedString = '00001111222233334444555566667777888899990123456a';
const mode = detectEncryptionMode(mixedString);
expect(mode).not.toBe('seedqr');
});
});
describe('F-01: Session Key Rotation Data Loss Fix', () => {
beforeEach(() => {
destroySessionKey();
});
it('should include a keyId in the encrypted blob', async () => {
const data = { secret: 'hello world' };
const blob = await encryptJsonToBlob(data);
expect(blob.keyId).toBeDefined();
expect(typeof blob.keyId).toBe('string');
expect(blob.keyId.length).toBeGreaterThan(0); // Additional check
});
it('should successfully decrypt a blob with the correct keyId', async () => {
const data = { secret: 'this is a test' };
const blob = await encryptJsonToBlob(data);
const decrypted = await decryptBlobToJson(blob);
expect(decrypted).toEqual(data);
});
it('should throw an error if the key is rotated before decryption', async () => {
const data = { secret: 'will be lost' };
const blob = await encryptJsonToBlob(data);
// Force key rotation by destroying the current one and getting a new one
destroySessionKey();
await getSessionKey(); // Generates a new key with a new keyId
// Decryption should now fail because the keyId in the blob does not match
await expect(decryptBlobToJson(blob)).rejects.toThrow(
'Session expired. The encryption key has rotated. Please re-enter your seed phrase.'
);
});
});
});

38
src/lib/bip39.ts
View File

@@ -2,37 +2,37 @@
import wordlistTxt from '../bip39_wordlist.txt?raw';
// --- BIP39 Wordlist Loading ---
export const BIP39_WORDLIST: readonly string[] = wordlistTxt.trim().split('\n');
export const BIP39_WORDLIST: readonly string[] = wordlistTxt.trim().split(/\r?\n/);
export const WORD_INDEX = new Map<string, number>(
BIP39_WORDLIST.map((word, index) => [word, index])
BIP39_WORDLIST.map((word, index) => [word, index])
);
if (BIP39_WORDLIST.length !== 2048) {
throw new Error(`Invalid wordlist loaded: expected 2048 words, got ${BIP39_WORDLIST.length}`);
throw new Error(`Invalid wordlist loaded: expected 2048 words, got ${BIP39_WORDLIST.length}`);
}
// --- Web Crypto API Helpers ---
async function getCrypto(): Promise<SubtleCrypto> {
if (globalThis.crypto?.subtle) {
return globalThis.crypto.subtle;
}
try {
const { webcrypto } = await import('crypto');
if (webcrypto?.subtle) {
return webcrypto.subtle as SubtleCrypto;
if (globalThis.crypto?.subtle) {
return globalThis.crypto.subtle;
}
} catch (e) {
// Ignore import errors
}
throw new Error("SubtleCrypto not found in this environment");
try {
const { webcrypto } = await import('crypto');
if (webcrypto?.subtle) {
return webcrypto.subtle as SubtleCrypto;
}
} catch (e) {
// Ignore import errors
}
throw new Error("SubtleCrypto not found in this environment");
}
async function sha256(data: Uint8Array): Promise<Uint8Array> {
const subtle = await getCrypto();
// Create a new Uint8Array to ensure the underlying buffer is not shared.
const dataCopy = new Uint8Array(data);
const hashBuffer = await subtle.digest('SHA-256', dataCopy);
return new Uint8Array(hashBuffer);
const subtle = await getCrypto();
// Create a new Uint8Array to ensure the underlying buffer is not shared.
const dataCopy = new Uint8Array(data);
const hashBuffer = await subtle.digest('SHA-256', dataCopy);
return new Uint8Array(hashBuffer);
}
// --- Public API ---

4
src/lib/seedpgp.ts
View File

@@ -15,8 +15,6 @@ import type {
// Configure OpenPGP.js (disable warnings)
openpgp.config.showComment = false;
openpgp.config.showVersion = false;
openpgp.config.allowUnauthenticatedMessages = true; // Suppress AES warning
openpgp.config.allowUnauthenticatedStream = true; // Suppress stream warning
function nonEmptyTrimmed(s?: string): string | undefined {
if (!s) return undefined;
@@ -416,7 +414,7 @@ export function detectEncryptionMode(text: string): EncryptionMode {
}
// 3. Standard SeedQR (all digits)
if (/^\\d+$/.test(trimmed) && trimmed.length >= 48) { // 12 words * 4 digits
if (/^\d+$/.test(trimmed) && trimmed.length >= 48) { // 12 words * 4 digits
return 'seedqr';
}

31
src/lib/sessionCrypto.ts
View File

@@ -29,6 +29,7 @@ function bytesToBase64(bytes: Uint8Array): string {
* @private
*/
let sessionKey: CryptoKey | null = null;
let sessionKeyId: string | null = null;
let keyCreatedAt = 0;
let keyOperationCount = 0;
const KEY_ALGORITHM = 'AES-GCM';
@@ -46,6 +47,7 @@ export interface EncryptedBlob {
* uses `{ name: "AES-GCM", length: 256 }`.
*/
alg: 'A256GCM';
keyId: string; // The ID of the key used for encryption
iv_b64: string; // Initialization Vector (base64)
ct_b64: string; // Ciphertext (base64)
}
@@ -56,7 +58,7 @@ export interface EncryptedBlob {
* Get or create session key with automatic rotation.
* Key rotates every 5 minutes or after 1000 operations.
*/
export async function getSessionKey(): Promise<CryptoKey> {
export async function getSessionKey(): Promise<{ key: CryptoKey; keyId: string }> {
const now = Date.now();
const shouldRotate =
!sessionKey ||
@@ -69,9 +71,11 @@ export async function getSessionKey(): Promise<CryptoKey> {
const elapsed = now - keyCreatedAt;
console.debug?.(`Rotating session key (age: ${elapsed}ms, ops: ${keyOperationCount})`);
sessionKey = null;
sessionKeyId = null;
}
const key = await window.crypto.subtle.generateKey(
// ✅ FIXED: Use global `crypto` instead of `window.crypto` for Node.js/Bun compatibility
const key = await crypto.subtle.generateKey(
{
name: KEY_ALGORITHM,
length: KEY_LENGTH,
@@ -80,11 +84,12 @@ export async function getSessionKey(): Promise<CryptoKey> {
['encrypt', 'decrypt'],
);
sessionKey = key;
sessionKeyId = crypto.randomUUID();
keyCreatedAt = now;
keyOperationCount = 0;
}
return sessionKey!;
return { key: sessionKey!, keyId: sessionKeyId! };
}
/**
@@ -93,17 +98,19 @@ export async function getSessionKey(): Promise<CryptoKey> {
* @returns A promise that resolves to an EncryptedBlob.
*/
export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
const key = await getSessionKey(); // Ensures key exists and handles rotation
const { key, keyId } = await getSessionKey(); // Ensures key exists and handles rotation
keyOperationCount++; // Track operations for rotation
if (!key) {
throw new Error('Session key not initialized. Call getSessionKey() first.');
throw new Error('Session key not initialized or has been destroyed.');
}
const iv = window.crypto.getRandomValues(new Uint8Array(12)); // 96-bit IV is recommended for AES-GCM
// ✅ FIXED: Use global `crypto` instead of `window.crypto`
const iv = crypto.getRandomValues(new Uint8Array(12)); // 96-bit IV is recommended for AES-GCM
const plaintext = new TextEncoder().encode(JSON.stringify(data));
const ciphertext = await window.crypto.subtle.encrypt(
// ✅ FIXED: Use global `crypto` instead of `window.crypto`
const ciphertext = await crypto.subtle.encrypt(
{
name: KEY_ALGORITHM,
iv: new Uint8Array(iv),
@@ -115,6 +122,7 @@ export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
return {
v: 1,
alg: 'A256GCM',
keyId: keyId,
iv_b64: bytesToBase64(iv),
ct_b64: bytesToBase64(new Uint8Array(ciphertext)),
};
@@ -126,7 +134,7 @@ export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
* @returns A promise that resolves to the original decrypted object.
*/
export async function decryptBlobToJson<T>(blob: EncryptedBlob): Promise<T> {
const key = await getSessionKey(); // Ensures key exists and handles rotation
const { key, keyId } = await getSessionKey(); // Ensures key exists and handles rotation
keyOperationCount++; // Track operations for rotation
if (!key) {
@@ -135,11 +143,15 @@ export async function decryptBlobToJson<T>(blob: EncryptedBlob): Promise<T> {
if (blob.v !== 1 || blob.alg !== 'A256GCM') {
throw new Error('Invalid or unsupported encrypted blob format.');
}
if (blob.keyId !== keyId) {
throw new Error('Session expired. The encryption key has rotated. Please re-enter your seed phrase.');
}
const iv = base64ToBytes(blob.iv_b64);
const ciphertext = base64ToBytes(blob.ct_b64);
const decrypted = await window.crypto.subtle.decrypt(
// ✅ FIXED: Use global `crypto` instead of `window.crypto`
const decrypted = await crypto.subtle.decrypt(
{
name: KEY_ALGORITHM,
iv: new Uint8Array(iv),
@@ -158,6 +170,7 @@ export async function decryptBlobToJson<T>(blob: EncryptedBlob): Promise<T> {
*/
export function destroySessionKey(): void {
sessionKey = null;
sessionKeyId = null;
keyOperationCount = 0;
keyCreatedAt = 0;
}

6
src/vite-env.d.ts vendored
View File

@@ -6,6 +6,12 @@ declare module '*.css' {
export default content;
}
// Allow importing text files as raw strings
declare module '*?raw' {
const content: string;
export default content;
}
declare const __APP_VERSION__: string;
declare const __BUILD_HASH__: string;
declare const __BUILD_TIMESTAMP__: string;

0
vite-env.d.ts vendored Normal file
View File

2
vite.config.ts
View File

@@ -44,7 +44,7 @@ export default defineConfig({
}
}
},
base: '/', // Always use root, since we're Cloudflare Pages only
base: process.env.VITE_BASE_PATH || './', // Use relative paths for offline compatibility
publicDir: 'public', // ← Explicitly set (should be default)
build: {
outDir: 'dist',