Release v1.0.1 - Improve CLAUDE.md documentation

- Add Vault Encryption section documenting Argon2id + AES-256-GCM scheme
- Document key derivation parameters (256MB memory, 4 threads, 8 iterations)
- Add Permission System section with reckless mode and whitelist info
- Update Angular version to 19, add Argon2Crypto to common library exports
- Expand SignerMetaHandler description with reckless mode and whitelist

Files modified:
- CLAUDE.md
- package.json

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-19 20:24:48 +01:00
parent ebe2b695cc
commit 4b2d23e942
4 changed files with 27 additions and 8 deletions


@@ -27,7 +27,7 @@ npm run build:chrome && npm run build:firefox
### Monorepo Structure
This is an Angular CLI monorepo with three projects:
This is an Angular 19 CLI monorepo with three projects:
- **projects/chrome**: Chrome extension (MV3)
- **projects/firefox**: Firefox extension
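Review bot: the new "Angular 19" wording in the Monorepo Structure line hard-codes a major version in prose, and nothing in this hunk ties it to the dependency manifest, so it will go stale on the next upgrade. Consider pointing readers to the Angular dependency version in the root package.json instead, or add a note in the release checklist to update this line.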
@@ -49,10 +49,20 @@ Message flow: Web App → `window.nostr` → Content Script → Background → C
- **BrowserSyncHandler**: Encrypted vault data synced across browser instances (or local-only based on user preference)
- **BrowserSessionHandler**: Session-scoped decrypted data (unlocked vault state)
- **SignerMetaHandler**: Extension metadata (sync flow preference)
- **SignerMetaHandler**: Extension metadata (sync flow preference, reckless mode, whitelisted hosts)
Each browser (Chrome/Firefox) has its own handler implementations in `projects/{browser}/src/app/common/data/`.
### Vault Encryption (v2)
The vault uses Argon2id + AES-256-GCM for password-based encryption:
- **Key derivation**: Argon2id with 256MB memory, 4 threads, 8 iterations (~3 second derivation)
- **Encryption**: AES-256-GCM with random 12-byte IV per encryption
- **Salt**: Random 32-byte salt per vault (stored in `BrowserSyncData.salt`)
- The derived key is cached in session storage (`BrowserSessionData.vaultKey`) to avoid re-derivation on each operation
Note: Argon2id runs on main thread via WebAssembly (hash-wasm) because Web Workers cannot load external scripts in browser extensions due to CSP restrictions. A deriving modal provides user feedback during the ~3 second operation.
### Custom Webpack Build
Both extensions use `@angular-builders/custom-webpack` to bundle additional entry points beyond the main Angular app:
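Review bot: the bullet saying the derived key is cached in session storage (`BrowserSessionData.vaultKey`) needs its security boundary documented. State which extension contexts can read that storage and when the key is cleared (lock, browser close, timeout), since whoever holds the cached key can decrypt the vault without paying the ~3 second Argon2id cost. It would also help to say where the 12-byte IV is stored relative to the ciphertext, and whether the reckless mode and whitelisted hosts now listed under SignerMetaHandler live outside the encrypted vault, because those settings control auto-approval.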
@@ -66,9 +76,18 @@ Both extensions use `@angular-builders/custom-webpack` to bundle additional entr
The `@common` import alias resolves to `projects/common/src/public-api.ts`. Key exports:
- `StorageService`: Central data management with encryption/decryption
- `CryptoHelper`, `NostrHelper`: Cryptographic utilities
- `CryptoHelper`, `NostrHelper`: Cryptographic utilities (nostr-tools based)
- `Argon2Crypto`: Vault encryption with Argon2id key derivation
- Shared Angular components and pipes
### Permission System
Permissions are stored per identity+host+method combination. The background script checks permissions before executing NIP-07 methods:
- `allow`/`deny` policies can be stored for each method
- Kind-specific permissions supported for `signEvent`
- **Reckless mode**: Auto-approves all actions without prompting (global setting)
- **Whitelisted hosts**: Auto-approves all actions from specific hosts
## Testing Extensions Locally
**Chrome:**
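Review bot: the Permission System section does not state precedence between a stored `deny` policy and the two auto-approve paths. From "Reckless mode: Auto-approves all actions without prompting (global setting)" a reader cannot tell whether an explicit `deny` for a host, method or `signEvent` kind still wins. Please document the order in which the background script evaluates stored policies, whitelisted hosts and reckless mode, and say how a whitelisted host is matched (exact host only, or subdomains as well).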


@@ -1,12 +1,12 @@
{
"name": "plebeian-signer",
"version": "v1.0.0",
"version": "v1.0.1",
"custom": {
"chrome": {
"version": "v1.0.0"
"version": "v1.0.1"
},
"firefox": {
"version": "v1.0.0"
"version": "v1.0.1"
}
},
"scripts": {
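Review bot: the version string is edited by hand in three places in this file (top-level `version`, `custom.chrome.version`, `custom.firefox.version`) and again in both manifests, written as `v1.0.1` here and `1.0.1` there. A missed spot on a future release would ship mismatched versions; consider deriving the `custom` and manifest values from a single field in a build step, or adding a check that fails the build when they differ.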


@@ -2,7 +2,7 @@
"manifest_version": 3,
"name": "Plebeian Signer - Nostr Identity Manager & Signer",
"description": "Manage and switch between multiple identities while interacting with Nostr apps",
"version": "1.0.0",
"version": "1.0.1",
"homepage_url": "https://git.mleku.dev/mleku/plebeian-signer",
"options_page": "options.html",
"permissions": [


@@ -2,7 +2,7 @@
"manifest_version": 3,
"name": "Plebeian Signer",
"description": "Nostr Identity Manager & Signer",
"version": "1.0.0",
"version": "1.0.1",
"homepage_url": "https://git.mleku.dev/mleku/plebeian-signer",
"options_page": "options.html",
"permissions": [
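Review bot: the commit message lists only CLAUDE.md and package.json under "Files modified", but the commit shows 4 changed files, and this manifest `version` bump (together with the one in the other manifest) is among them. Please list both manifest files in the message so the shipped version change is discoverable from the log.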