Wallet password protection

[dkackman]

fix #206

[dkackman]

Code review

Found 2 issues:

1. Biometric unlock breaks after the first successful use — skipKeychainRef.current.add(fingerprint) is called every time the OS keychain returns a stored password (as a "pending validation" marker), but is never cleared when the backend accepts that password. It is only cleared in handleSubmit — the manual-entry path. In practice: the first biometric-authenticated operation succeeds, the flag stays set, and every subsequent operation in the same session skips the keychain and falls back to the password dialog. Biometric effectively works only once per session.

sage/src/contexts/PasswordContext.tsx

Lines 127 to 133 in 815e594

	const stored = await keychainGet(keychainKey(fingerprint));
	if (stored !== null) {
	// Mark as pending validation — if backend rejects, next call skips keychain
	skipKeychainRef.current.add(fingerprint);
	return stored;
	}
	// Fall through to password dialog if keychain retrieval fails

2. Delete confirmation dialog stays open when the password prompt is cancelled — setIsDeleteOpen(false) is only called at the bottom of deleteSelf, after the backend call. The early return on password === undefined (user cancels the password dialog) exits before that line, leaving the delete dialog stuck open. The Details dialog handles this correctly by calling setIsDetailsOpen(false) before the early return.

sage/src/components/WalletCard.tsx

Lines 81 to 92 in 815e594

	const deleteSelf = async () => {
	const password = await requestPassword(info.has_password);
	if (password === undefined) return;
	await commands
	.deleteKey({ fingerprint: info.fingerprint })
	.then(async () => {
	await clearKeychainEntry(info.fingerprint);
	setKeys(keys.filter((key) => key.fingerprint !== info.fingerprint));
	})
	.catch(addError);
	setIsDeleteOpen(false);
	};

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[Copilot]

Pull request overview

Implements wallet password protection (issue #206) across the backend and frontend, including password propagation through signing/secret-access endpoints and a new UI/auth flow that optionally bridges biometrics to OS keychain storage on mobile.

Changes:

• Add password-aware key management to the Rust keychain and expose has_password + change_password through the API/bindings.
• Introduce a unified frontend auth gate (PasswordProvider / usePassword) and thread password through sensitive commands (UI + WalletConnect).
• Add mobile keychain plugin support (Rust + JS) and update settings UI for password/biometric behavior.

Reviewed changes

Copilot reviewed 46 out of 50 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/walletconnect/handler.ts	Extends WalletConnect handler context to use password-based auth.
src/walletconnect/commands/offers.ts	Prompts for password and forwards it to offer endpoints.
src/walletconnect/commands/high-level.ts	Prompts for password and forwards it to signing/tx endpoints.
src/walletconnect/commands/chip0002.ts	Prompts for password and forwards it to CHIP-0002 signing endpoints.
src/pages/Settings.tsx	Adds password management UI and keychain cleanup when disabling biometrics.
src/pages/Offers.tsx	Adds password prompt for cancel-all offers flow.
src/pages/Offer.tsx	Adds password prompt for taking an offer.
src/hooks/usePassword.ts	Adds hook wrapper for PasswordContext.
src/hooks/useOfferProcessor.ts	Adds password prompt and forwards password in offer creation flow.
src/contexts/WalletConnectContext.tsx	Uses PasswordContext for WC request auth; passes hasPassword.
src/contexts/PasswordContext.tsx	New unified auth gate (password dialog + biometric/keychain bridge).
src/contexts/ErrorContext.tsx	Adds toast handling for wrong-password and certain unauthorized cases.
src/components/dialogs/PasswordDialog.tsx	New reusable password entry dialog used by PasswordProvider.
src/components/WalletCard.tsx	Adds password prompt for delete and secret-key display; clears keychain on delete.
src/components/OfferRowCard.tsx	Adds password prompt for cancel-offer action.
src/components/NftCard.tsx	Adjusts ARIA attributes on NFT card container.
src/components/ConfirmationDialog.tsx	Adds password prompt and forwards password when signing coin spends.
src/bindings.ts	Extends request types with optional password; adds changePassword + has_password.
src/App.tsx	Adds PasswordProvider to the provider tree.
src-tauri/src/lib.rs	Registers change_password command and initializes keychain plugin on mobile.
src-tauri/gen/apple/sage-tauri_iOS/sage-tauri_iOS.entitlements	Formatting change in generated iOS entitlements.
src-tauri/gen/apple/sage-tauri_iOS/Info.plist	Formatting change in generated iOS Info.plist.
src-tauri/gen/android/app/src/main/AndroidManifest.xml	Adds tools namespace/replace entry for Android manifest.
src-tauri/capabilities/mobile.json	Enables keychain capability for mobile builds.
src-tauri/Cargo.toml	Adds Rust dependency on tauri-plugin-keychain.
pnpm-lock.yaml	Adds JS dependency lock entries for tauri-plugin-keychain and related transitive deps.
package.json	Adds JS dependency tauri-plugin-keychain.
docs/superpowers/specs/2026-03-15-password-protection-design.md	Adds design spec describing password + biometric/keychain bridge.
crates/sage/src/utils/spends.rs	Threads password into secret extraction for signing.
crates/sage/src/error.rs	Maps new keychain errors to Unauthorized.
crates/sage/src/endpoints/wallet_connect.rs	Threads password into WalletConnect signing endpoints.
crates/sage/src/endpoints/transactions.rs	Threads password through transact/signing path across tx endpoints.
crates/sage/src/endpoints/offers.rs	Threads password through offer signing/cancel flows.
crates/sage/src/endpoints/keys.rs	Adds password support for import/secret retrieval; exposes has_password; adds change_password endpoint.
crates/sage/src/endpoints/actions.rs	Threads password into hardened derivation flow.
crates/sage/src/endpoints/action_system.rs	Threads password into action-system transaction creation flow.
crates/sage-wallet/src/wallet/offer.rs	Formatting changes in offer tests (no functional change).
crates/sage-rpc/src/tests.rs	Adds RPC-level tests for password protection and change_password.
crates/sage-keychain/src/keychain.rs	Adds password_protected flag, legacy deserialization fallback, and change_password implementation + tests.
crates/sage-keychain/src/key_data.rs	Adds password_protected to stored secret key data.
crates/sage-keychain/src/error.rs	Adds KeyNotFound/NoSecretKey errors.
crates/sage-api/src/types/key_info.rs	Adds has_password to KeyInfo type.
crates/sage-api/src/requests/wallet_connect.rs	Adds optional password fields to WC signing requests.
crates/sage-api/src/requests/transactions.rs	Adds optional password fields to transaction/signing requests.
crates/sage-api/src/requests/offers.rs	Adds optional password fields to offer requests.
crates/sage-api/src/requests/keys.rs	Adds optional password fields to key import/secret retrieval; adds ChangePassword request/response.
crates/sage-api/src/requests/actions.rs	Adds optional password field to IncreaseDerivationIndex.
crates/sage-api/src/requests/action_system.rs	Adds optional password field to CreateTransaction.
crates/sage-api/endpoints.json	Registers change_password endpoint.
Cargo.lock	Adds Rust lock entries for tauri-plugin-keychain.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dkackman]

Code review

Found 1 issue:

1. Concurrent requestPassword calls corrupt pendingRef — first caller's promise hangs indefinitely — pendingRef is a single useRef<PasswordRequest | null>. If two operations simultaneously reach the password dialog path (Case 4), the second write to pendingRef.current silently overwrites the first. handleSubmit only resolves the second caller. The first caller's Promise is permanently unresolved — that operation hangs with no error, no timeout, and no way to recover. A realistic trigger: a WalletConnect request arrives while the user is also initiating a UI signing operation.

sage/src/contexts/PasswordContext.tsx

Lines 158 to 165 in c88b3f9

	// Case 4: Has password → show dialog (fallback or no biometric)
	if (hasPassword) {
	return new Promise<string | null | undefined>((resolve) => {
	pendingRef.current = { resolve, fingerprint };
	setOpen(true);
	});
	}

The fix is to either (a) queue pending requests instead of replacing them, or (b) reject the in-flight request when a new one arrives (so at least the caller fails fast rather than hanging).

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}