refactor(wallet-cli): Wrap daemon password/SRP in opaque Password/Srp types #8863
Draft
sirtimid wants to merge 1 commit into
… types

Daemon password and secret recovery phrase are now opaque class wrappers that redact themselves under util.inspect, JSON.stringify, toString, and template-literal interpolation. The underlying string is reachable only via unwrap() at trust boundaries (the importSecretRecoveryPhrase call site in wallet-factory and the child-process env-var spawn in daemon-spawn).

Srp.from validates word count (12/15/18/21/24) and every word against the BIP-39 English wordlist, surfacing typos at the CLI boundary instead of producing a malformed mnemonic downstream.

Closes #8778.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `Password` and `Srp` opaque class wrappers in `packages/wallet-cli/src/daemon/secrets.ts`. Both redact themselves under `util.inspect`, `JSON.stringify`, `toString`, and template-literal interpolation; the raw string is reachable only via `unwrap()`.
- `DaemonSpawnConfig`, `daemon start` flag parsing, `MM_WALLET_PASSWORD`/`MM_WALLET_SRP` env reads in `daemon-entry`, and `createWallet`.
- `unwrap()` is called only at trust boundaries: the `importSecretRecoveryPhrase` call site in `wallet-factory.ts` and the child-process env-var assignment in `daemon-spawn.ts`.
- `Srp.from` validates word count (12/15/18/21/24) and every word against the BIP-39 English wordlist, so typos fail fast at the CLI boundary instead of producing a malformed mnemonic inside the keyring.
- `Password.from` matches the `@metamask/keyring-controller` convention: non-empty only, no minimum length.
- `@metamask/wallet`'s `importSecretRecoveryPhrase` signature stays on `string` — branding is scoped to wallet-cli, where the leak risk lives.

Closes #8778.
Test plan
- `yarn workspace @metamask/wallet-cli run test` — 234 tests pass, 100% coverage on `secrets.ts` and all touched files
- `secrets.test.ts` covers validation, redaction (inspect, JSON, String, template literal), and unwrap round-trip
- `yarn lint:eslint packages/wallet-cli`, `yarn constraints`, `yarn lint:dependencies`, `yarn workspace @metamask/wallet-cli run changelog:validate` all clean

🤖 Generated with Claude Code
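
A sketch of the self-redacting wrapper pattern described in the summary, added here as an example and not taken from the PR's `secrets.ts`. The `Secret` base class, the `[REDACTED]` placeholder, the `leakSurfaces` helper, the position-only error message and the six-word stand-in wordlist are assumptions made for illustration.

```javascript
// Added illustration: class names follow the PR text, the bodies are assumptions.
const REDACTED = '[REDACTED]'; // placeholder text is an assumption
// Well-known symbol that util.inspect and console.log look up on objects.
const INSPECT = Symbol.for('nodejs.util.inspect.custom');

class Secret {
  #value; // private field: invisible to Object.keys, spread and default JSON output
  constructor(value) { this.#value = value; }
  unwrap() { return this.#value; } // the only way out; call at trust boundaries
  toString() { return REDACTED; }  // String(x), `${x}`, '' + x
  toJSON() { return REDACTED; }    // JSON.stringify
  [INSPECT]() { return REDACTED; } // util.inspect / console.log
}

class Password extends Secret {
  static from(raw) {
    if (typeof raw !== 'string' || raw.length === 0) throw new Error('password must be non-empty');
    return new Password(raw);
  }
}

// Constructed stand-in: the first few BIP-39 English words, not the full 2048-word list.
const WORDLIST = new Set(['abandon', 'ability', 'able', 'about', 'above', 'absent']);
const VALID_COUNTS = new Set([12, 15, 18, 21, 24]);

class Srp extends Secret {
  static from(raw) {
    const words = String(raw).trim().split(/\s+/);
    if (!VALID_COUNTS.has(words.length)) throw new Error(`invalid word count: ${words.length}`);
    const bad = words.findIndex((w) => !WORDLIST.has(w));
    // Report the position, not the word, so the error cannot carry secret material.
    if (bad !== -1) throw new Error(`word ${bad + 1} is not in the wordlist`);
    return new Srp(words.join(' '));
  }
}

// Collects what each common accidental-logging path would emit for a secret.
function leakSurfaces(secret) {
  return {
    string: String(secret),
    template: `${secret}`,
    json: JSON.stringify({ secret }),
    inspect: secret[INSPECT](),
    keys: Object.keys(secret),
  };
}
```
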