diff --git a/CLAUDE.md b/CLAUDE.md index 9324114..daaffaa 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -27,7 +27,7 @@ npm run build:chrome && npm run build:firefox ### Monorepo Structure -This is an Angular CLI monorepo with three projects: +This is an Angular 19 CLI monorepo with three projects: - **projects/chrome**: Chrome extension (MV3) - **projects/firefox**: Firefox extension @@ -49,10 +49,20 @@ Message flow: Web App → `window.nostr` → Content Script → Background → C - **BrowserSyncHandler**: Encrypted vault data synced across browser instances (or local-only based on user preference) - **BrowserSessionHandler**: Session-scoped decrypted data (unlocked vault state) -- **SignerMetaHandler**: Extension metadata (sync flow preference) +- **SignerMetaHandler**: Extension metadata (sync flow preference, reckless mode, whitelisted hosts) Each browser (Chrome/Firefox) has its own handler implementations in `projects/{browser}/src/app/common/data/`. +### Vault Encryption (v2) + +The vault uses Argon2id + AES-256-GCM for password-based encryption: +- **Key derivation**: Argon2id with 256MB memory, 4 threads, 8 iterations (~3 second derivation) +- **Encryption**: AES-256-GCM with random 12-byte IV per encryption +- **Salt**: Random 32-byte salt per vault (stored in `BrowserSyncData.salt`) +- The derived key is cached in session storage (`BrowserSessionData.vaultKey`) to avoid re-derivation on each operation + +Note: Argon2id runs on main thread via WebAssembly (hash-wasm) because Web Workers cannot load external scripts in browser extensions due to CSP restrictions. A deriving modal provides user feedback during the ~3 second operation. + ### Custom Webpack Build Both extensions use `@angular-builders/custom-webpack` to bundle additional entry points beyond the main Angular app: @@ -66,9 +76,18 @@ Both extensions use `@angular-builders/custom-webpack` to bundle additional entr The `@common` import alias resolves to `projects/common/src/public-api.ts`. Key exports: - `StorageService`: Central data management with encryption/decryption -- `CryptoHelper`, `NostrHelper`: Cryptographic utilities +- `CryptoHelper`, `NostrHelper`: Cryptographic utilities (nostr-tools based) +- `Argon2Crypto`: Vault encryption with Argon2id key derivation - Shared Angular components and pipes +### Permission System + +Permissions are stored per identity+host+method combination. The background script checks permissions before executing NIP-07 methods: +- `allow`/`deny` policies can be stored for each method +- Kind-specific permissions supported for `signEvent` +- **Reckless mode**: Auto-approves all actions without prompting (global setting) +- **Whitelisted hosts**: Auto-approves all actions from specific hosts + ## Testing Extensions Locally **Chrome:** diff --git a/package.json b/package.json index 777adf9..628f695 100644 --- a/package.json +++ b/package.json @@ -1,12 +1,12 @@ { "name": "plebeian-signer", - "version": "v1.0.0", + "version": "v1.0.1", "custom": { "chrome": { - "version": "v1.0.0" + "version": "v1.0.1" }, "firefox": { - "version": "v1.0.0" + "version": "v1.0.1" } }, "scripts": { diff --git a/projects/chrome/public/manifest.json b/projects/chrome/public/manifest.json index a4192c0..8be0cf2 100644 --- a/projects/chrome/public/manifest.json +++ b/projects/chrome/public/manifest.json @@ -2,7 +2,7 @@ "manifest_version": 3, "name": "Plebeian Signer - Nostr Identity Manager & Signer", "description": "Manage and switch between multiple identities while interacting with Nostr apps", - "version": "1.0.0", + "version": "1.0.1", "homepage_url": "https://git.mleku.dev/mleku/plebeian-signer", "options_page": "options.html", "permissions": [ diff --git a/projects/firefox/public/manifest.json b/projects/firefox/public/manifest.json index d58692e..c64b69c 100644 --- a/projects/firefox/public/manifest.json +++ b/projects/firefox/public/manifest.json @@ -2,7 +2,7 @@ "manifest_version": 3, "name": "Plebeian Signer", "description": "Nostr Identity Manager & Signer", - "version": "1.0.0", + "version": "1.0.1", "homepage_url": "https://git.mleku.dev/mleku/plebeian-signer", "options_page": "options.html", "permissions": [