tty

package
v0.10.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 30, 2026 License: MIT Imports: 9 Imported by: 0

Documentation


Constants

const BundlePassphraseEnv = "KPOT_BUNDLE_PASSPHRASE"

BundlePassphraseEnv is a SEPARATE env var for bundle creation / import. It is distinct from PassphraseEnv on purpose: bundle passphrases are typically meant to be shared with a recipient (a different secret than your everyday vault passphrase). Reusing KPOT_PASSPHRASE for bundle operations would silently make the bundle passphrase equal to the vault passphrase, defeating the "share the bundle passphrase out-of-band" mental model.

const PassphraseEnv = "KPOT_PASSPHRASE"

PassphraseEnv is the environment variable that bypasses the TTY prompt for VAULT-OPENING passphrases. Useful for scripted/non-interactive runs; a warning is printed on stderr so users notice when they leave it set in production.

Variables

var ErrNoTTY = errors.New("recovery operations require a TTY (no pipes / redirects allowed)")

ErrNoTTY is returned by recovery-display helpers when stdin/stdout aren't terminals. The pipe-or-redirect case is rejected on purpose: secrets must not flow into log files, scrollback buffers, or CI artifacts. Users running scripted setups have to take the manual route (init interactively, then automate after).

Functions

func DisplayRecoveryOnce

func DisplayRecoveryOnce(header, body string) error

DisplayRecoveryOnce shows a recovery secret directly to the user's terminal (NOT into stdout/stderr if those have been redirected somewhere capturable), waits for the user to acknowledge, and then ANSI-clears the screen. There is no API to redisplay; lose the paper, lose the recovery.

On Unix the sink is `/dev/tty` (so even with stdout/stderr piped to a logger, the secret never reaches the pipe). On Windows there's no /dev/tty, so the sink is os.Stdout — which is the actual console because the IsStdinTTY/IsStdoutTTY check above ensures we only run when both ends are real terminals.

header is the leading "WRITE THIS DOWN" warning block. body is the secret itself (mnemonic words or formatted secret-key string).

func FormatSeedWords

func FormatSeedWords(mnemonic string) string

FormatSeedWords renders 12/24 BIP-39 words as a 4-column numbered grid for easy hand-copying.

func IsStdinTTY

func IsStdinTTY() bool

IsStdinTTY reports whether stdin is connected to a real terminal. Wraps golang.org/x/term so callers (cmd/kpot, recovery flows) don't each grow their own implementation with subtly different semantics.

func IsStdoutTTY

func IsStdoutTTY() bool

IsStdoutTTY mirrors IsStdinTTY for stdout. Used by display flows that must refuse to write secrets when the destination is captured.

func ReadBundlePassphrase

func ReadBundlePassphrase(prompt string) ([]byte, error)

ReadBundlePassphrase reads a bundle-only passphrase. Same shape as ReadPassphrase, but consults BundlePassphraseEnv instead of PassphraseEnv so a vault-unlock env var doesn't silently determine the bundle's passphrase too. The bundle passphrase is intended to be shared with a recipient out-of-band; defaulting to the vault's passphrase would defeat that.

func ReadLine

func ReadLine(prompt string) (string, error)

ReadLine prompts on stderr and reads one line of (echoed) input as a string. Use this for non-sensitive input only; sensitive input should go through ReadLineSecret so the caller can zero the buffer.

func ReadLineSecret

func ReadLineSecret(prompt string) ([]byte, error)

ReadLineSecret reads one line of (echoed) input as a byte slice the caller is expected to crypto.Zero after use. Use for recovery secrets (seed phrases, recovery keys) so the user-typed bytes can be wiped explicitly.

Caveat: bufio.Reader internally buffers a copy we cannot reach, and any string-typed downstream operation (e.g. BIP-39 validation) will produce a string copy that lives until GC. This wipe is best-effort, not airtight — same posture as crypto.Zero for keys.

func ReadNewPassphrase

func ReadNewPassphrase(prompt, confirmPrompt string) ([]byte, error)

ReadNewPassphrase prompts twice and verifies the entries match.

func ReadPassphrase

func ReadPassphrase(prompt string) ([]byte, error)

ReadPassphrase prompts the user for a passphrase with no echo. Falls back to plain stdin reading if the input is not a terminal (useful for tests piping a passphrase). All non-TTY reads go through a single shared bufio.Reader so consecutive prompts don't lose lines to per-call buffering.

If the KPOT_PASSPHRASE environment variable is set, its value is returned without prompting (and a one-time warning is printed to stderr so the user knows the bypass is active).

func ResetEnvWarnForTest

func ResetEnvWarnForTest()

ResetEnvWarnForTest re-arms the once-per-process warning that fires when KPOT_PASSPHRASE is set. Tests that exercise multiple bypass paths in one binary need this; production code never calls it.

func SharedStdin

func SharedStdin() *bufio.Reader

SharedStdin returns a process-wide bufio.Reader bound to os.Stdin. Multiple subsystems (passphrase prompt, REPL) MUST share one reader, otherwise eager bufio buffering in one reader silently swallows lines the next reader expects to see.
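
The line loss that SharedStdin, and the shared reader mentioned under ReadPassphrase, are described as preventing can be reproduced with the standard library alone. This is an added example, not code from the kpot module; `readN`, `readPerCall`, `readShared` and the piped input are hypothetical names and constructed data.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Constructed sample input: a new passphrase, its confirmation, then one REPL
// command, the way a test or script would pipe them into the process.
const pipedInput = "constructed-passphrase\nconstructed-passphrase\nlist\n"

// readN reads n lines, asking next for the reader to use on each read.
func readN(n int, next func() *bufio.Reader) ([]string, error) {
	var lines []string
	for i := 0; i < n; i++ {
		s, err := next().ReadString('\n')
		if err != nil {
			return lines, err
		}
		lines = append(lines, strings.TrimRight(s, "\r\n"))
	}
	return lines, nil
}

// readPerCall is the broken pattern: every read wraps src in a fresh
// bufio.Reader. The first reader's fill drains all of src into its private
// buffer, so the lines after the first vanish when that reader is dropped.
func readPerCall(src io.Reader, n int) ([]string, error) {
	return readN(n, func() *bufio.Reader { return bufio.NewReader(src) })
}

// readShared is the fixed pattern: one bufio.Reader serves every read, so
// bytes buffered ahead by one prompt are still there for the next consumer.
func readShared(src io.Reader, n int) ([]string, error) {
	shared := bufio.NewReader(src)
	return readN(n, func() *bufio.Reader { return shared })
}

func main() {
	got, err := readPerCall(strings.NewReader(pipedInput), 3)
	fmt.Printf("per-call readers: %d of 3 lines, err=%v\n", len(got), err)
	got, err = readShared(strings.NewReader(pipedInput), 3)
	fmt.Printf("shared reader:    %d of 3 lines, err=%v\n", len(got), err)
}
```

With per-call readers the confirmation prompt sees EOF even though the script supplied all three lines, which is why a passphrase prompt followed by a REPL on piped stdin needs a single reader.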

Types

This section is empty.
