feat: identity export/import (yaw-key-backup-1)

Portable encrypted identity backup compatible with the sister project's
format — argon2id KDF + nacl secretbox, peer ID visible in plaintext for
pre-import verification.

- crypto: ExportIdentity, ImportIdentity, SaveIdentity
- proto: export_identity / import_identity IPC commands + events
- ipc: export_identity returns encrypted blob; import_identity validates
  and decrypts (read-only — on-disk write requires daemon restart)
- netmgr: MasterIdentity() accessor
- daemon: --import-identity / --import-passphrase flags write identity.json
  and exit, enabling scripted account migration
- tests: roundtrip and wrong-passphrase rejection

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Fredrik Johansson
2026-06-22 21:44:48 +02:00
parent f1498697b6
commit b47f659b7d
7 changed files with 488 additions and 8 deletions

View File

@@ -4,6 +4,7 @@ package main
import (
"flag"
"fmt"
"log"
"os"
@@ -14,16 +15,41 @@ import (
)
func main() {
dataDir := flag.String("data-dir", "~/.waste", "path to identity/config directory")
alias := flag.String("alias", "anon", "display name shown to peers (advisory only)")
ipcPort := flag.Int("ipc-port", 17337, "port for local IPC (UI connects here)")
anchorURL := flag.String("anchor", "", "anchor WebSocket URL, e.g. ws://your-vps:17339/ws")
shareDir := flag.String("share-dir", "", "directory to share with peers on the network")
joinInvite := flag.String("join", "", "waste: invite string — sets anchor URL and auto-joins the network on startup")
dataDir := flag.String("data-dir", "~/.waste", "path to identity/config directory")
alias := flag.String("alias", "anon", "display name shown to peers (advisory only)")
ipcPort := flag.Int("ipc-port", 17337, "port for local IPC (UI connects here)")
anchorURL := flag.String("anchor", "", "anchor WebSocket URL, e.g. ws://your-vps:17339/ws")
shareDir := flag.String("share-dir", "", "directory to share with peers on the network")
joinInvite := flag.String("join", "", "waste: invite string — sets anchor URL and auto-joins the network on startup")
importBackup := flag.String("import-identity", "", "path to a yaw-key-backup-1 JSON file to import")
importPassword := flag.String("import-passphrase", "", "passphrase for --import-identity")
flag.Parse()
dir := expandHome(*dataDir)
// --import-identity: decrypt backup and write identity.json, then exit.
if *importBackup != "" {
if *importPassword == "" {
log.Fatal("--import-passphrase is required with --import-identity")
}
raw, err := os.ReadFile(*importBackup)
if err != nil {
log.Fatalf("import-identity: read file: %v", err)
}
imported, err := crypto.ImportIdentity(raw, *importPassword)
if err != nil {
log.Fatalf("import-identity: %v", err)
}
if err := os.MkdirAll(dir, 0700); err != nil {
log.Fatalf("import-identity: mkdir: %v", err)
}
if err := crypto.SaveIdentity(dir, imported); err != nil {
log.Fatalf("import-identity: save: %v", err)
}
fmt.Printf("identity imported: %s\n", imported.PeerID())
return
}
id, err := crypto.LoadOrCreate(dir, *alias)
if err != nil {
log.Fatalf("identity: %v", err)