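//#region extensions/crypto/src/services/keychain-wallet.d.ts
/**
 * Keychain Wallet — local key generation with encrypted Keychain storage.
 *
 * Extends `private_key` mode with:
 * - BIP-39 mnemonic generation via viem/accounts
 * - scrypt + AES-256-GCM envelope encryption
 * - macOS Keychain storage (via `security` CLI)
 * - Encrypted file fallback for Linux/Docker
 *
 * The runtime behavior is identical to raw `private_key` mode — once we have
 * a viem Account object, the same wallet client code path is used. The only
 * difference is how the key is acquired (generated vs env var) and stored
 * (Keychain vs plaintext env).
 *
 * No new dependencies. Uses:
 * - viem/accounts: generateMnemonic, mnemonicToAccount
 * - @scure/bip39/wordlists/english: BIP-39 English wordlist (transitive via viem)
 * - @noble/hashes/scrypt: key derivation
 * - node:crypto: AES-256-GCM encryption
 *
 * NOTE(review): this listing had lost the type arguments of several `Promise`
 * return types (a bare `Promise` does not type-check). They are restored below
 * from the doc comments where those state the result; where they do not, the
 * result is typed `unknown` and flagged for confirmation.
 *
 * NOTE(review): these declarations do not show the scrypt cost parameters, the
 * permissions of the fallback file, or how the payload is handed to the
 * `security` CLI (command-line arguments are visible to other local
 * processes) — confirm all three in the implementation.
 */

/**
 * Envelope produced by {@link encrypt}. Every field is required to decrypt.
 * The salt, nonce and tag are not secret, but they must be stored unmodified:
 * changing any of them makes authentication fail on decrypt.
 */
export interface EncryptedPayload {
  /** scrypt salt (hex) */
  salt: string;
  /** AES-GCM nonce (hex). GCM requires a nonce never reused under the same key. */
  nonce: string;
  /** AES-GCM ciphertext (hex) */
  ciphertext: string;
  /** AES-GCM auth tag (hex) */
  tag: string;
  /** Encryption version for future-proofing */
  version: 1;
}

/** Result of {@link generateWallet}. */
export interface GeneratedWallet {
  /**
   * 12-word BIP-39 mnemonic. This is the wallet's root secret in plaintext:
   * keep it out of logs, error messages and telemetry.
   */
  mnemonic: string;
  /** Derived Ethereum address */
  address: string;
}

/**
 * Encrypt a plaintext string with AES-256-GCM using a password-derived key.
 *
 * The protection of the result against offline guessing depends on the
 * password's strength and on the scrypt parameters, neither of which is
 * visible or enforced in this declaration.
 *
 * @returns The encrypted envelope (return type restored from context — confirm).
 */
export declare function encrypt(plaintext: string, password: string): Promise<EncryptedPayload>;

/**
 * Decrypt an AES-256-GCM encrypted payload using a password-derived key.
 * Throws on wrong password (GCM auth tag mismatch).
 *
 * The same tag mismatch occurs when any field of the payload has been altered
 * or corrupted, so a failure here cannot by itself tell a wrong password from
 * a tampered envelope. The function returns a Promise, so the failure
 * presumably surfaces as a rejection — confirm.
 *
 * @returns The decrypted plaintext (return type restored from context — confirm).
 */
export declare function decrypt(payload: EncryptedPayload, password: string): Promise<string>;

/**
 * Generate a new BIP-39 wallet. Returns the mnemonic and derived address.
 * Does NOT store anything — call encryptAndStore() after user confirms backup.
 *
 * Until encryptAndStore() succeeds, the plaintext mnemonic held by the caller
 * is the only copy of the key material.
 */
export declare function generateWallet(): Promise<GeneratedWallet>;

/**
 * Encrypt a mnemonic with user password and store in Keychain (macOS) or
 * encrypted file (Linux/Docker).
 *
 * NOTE(review): the resolved value type was lost from this listing; typed
 * `unknown` until confirmed against the implementation.
 */
export declare function encryptAndStore(mnemonic: string, password: string): Promise<unknown>;

/**
 * Load and decrypt the stored mnemonic, then derive a viem Account.
 * Returns the Account object ready for privateKeyToAccount-style usage.
 *
 * The resolved object also carries the plaintext `mnemonic`; do not log or
 * serialize it as a whole. `account` is typed `any`, so the compiler does not
 * check how callers use it — narrow it to the viem account type at the call
 * site.
 */
export declare function loadAndDecrypt(password: string): Promise<{
  account: any;
  mnemonic: string;
  address: string;
}>;

/**
 * Check if an encrypted wallet exists in storage.
 */
export declare function hasKeychainWallet(): boolean;

/**
 * Delete the encrypted wallet from storage.
 *
 * NOTE(review): the meaning of the boolean result is not documented here
 * (presumably whether something was deleted — confirm). Deleting a wallet
 * whose mnemonic has no other backup makes the key unrecoverable.
 */
export declare function deleteKeychainWallet(): boolean;

/**
 * Export encrypted backup file to a specified path (or default backup location).
 * Returns the path where the backup was written.
 *
 * The backup is only as strong as the wallet password: anyone who can read
 * the file can attempt offline guessing, so choose `outputDir` accordingly.
 * NOTE(review): the permissions of the written file are not visible here.
 */
export declare function exportBackupFile(outputDir?: string): string;

/**
 * Import wallet from a backup file. Requires the original password.
 * Stores into the active storage backend (Keychain or file).
 *
 * NOTE(review): the resolved value type was lost from this listing; typed
 * `unknown` until confirmed. Whether an existing stored wallet is overwritten
 * is not visible here — confirm before calling on a populated store.
 */
export declare function importFromBackup(backupPath: string, password: string): Promise<unknown>;

/**
 * Generate random word indices for mnemonic confirmation.
 * Returns array of {index, word} pairs the user must confirm.
 *
 * The original comment says 3 indices; `count` presumably defaults to 3 —
 * confirm. Whether `index` is 0- or 1-based is not visible here. The returned
 * words are part of the mnemonic and should be handled as secret material.
 */
export declare function getConfirmationWords(mnemonic: string, count?: number): Array<{
  index: number;
  word: string;
}>;

/**
 * Validate that the user's confirmation words match the mnemonic.
 */
export declare function validateConfirmation(mnemonic: string, confirmations: Array<{
  index: number;
  word: string;
}>): boolean;

/**
 * Get the storage backend description (for display to user).
 * `path` is optional; presumably it is set only for the `file` backend — confirm.
 */
export declare function getStorageInfo(): {
  backend: 'keychain' | 'file';
  path?: string;
};
//#endregion
//# sourceMappingURL=keychain-wallet.d.mts.map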