Merge branch 'master' into feeat/beef-clone

shruggr · shruggr · commit c471af449e88 · 2025-12-05T13:07:55.000-05:00
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
@@ -18,7 +18,7 @@ jobs:
     outputs:
       modules: ${{ steps.set-modules.outputs.modules }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: ${{ env.GO_VERSION }}
@@ -32,12 +32,12 @@ jobs:
       matrix:
         modules: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: golangci-lint ${{ matrix.modules }}
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           working-directory: ${{ matrix.modules }}
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
@@ -41,7 +41,7 @@ jobs:
 
       # Re-run golangci separately without exiting on errors and generating a report for use in Sonar
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
           args: --timeout=5m --issues-exit-code=0 --output.checkstyle.path=golangci-lint-report.xml
diff --git a/docs/examples/create_wallet/create_wallet.go b/docs/examples/create_wallet/create_wallet.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/sha256"
 	"fmt"
 	"log"
 
@@ -26,7 +27,7 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to generate mnemonic: %v", err)
 	}
-	fmt.Printf("Generated Mnemonic: %s\n\n", mnemonic)
+	fmt.Println("Mnemonic generated (not logged for security). Store it securely.")
 
 	// Generate a seed from the mnemonic
 	// An empty password is used for simplicity in this example
@@ -39,7 +40,7 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to create master key: %v", err)
 	}
-	fmt.Printf("Master Private Key (xPriv): %s\n", masterKey.String())
+	fmt.Println("Master private key created (not logged for security).")
 
 	// Create a wallet instance from the master private key
 	// Note: The wallet instance itself doesn't store the mnemonic or master xPriv directly for this example
@@ -67,19 +68,20 @@ func main() {
 	// The DeriveChildFromPath method handles string paths.
 	derivedKey, err := masterKey.DeriveChildFromPath(derivationPathStr)
 	if err != nil {
-		log.Fatalf("Failed to derive key for path %s: %v", derivationPathStr, err)
+		log.Fatal("Failed to derive key for requested path; aborting to protect sensitive data")
 	}
 
 	// Get the private key from the derived extended key
 	privateKey, err := derivedKey.ECPrivKey()
 	if err != nil {
 		log.Fatalf("Failed to get derived private key: %v", err)
 	}
-	fmt.Printf("Derived Private Key (Hex): %x\n", privateKey.Serialize())
+	fmt.Println("Derived private key created (not logged for security).")
 
 	// Get the public key from the private key
 	publicKey := privateKey.PubKey()
-	fmt.Printf("Derived Public Key (Hex): %x\n", publicKey.Compressed())
+	publicKeyHash := sha256.Sum256(publicKey.Compressed())
+	fmt.Printf("Derived public key fingerprint: %x\n", publicKeyHash[:8])
 
 	// Get the P2PKH address from the public key
 	// This is one way to get the address.
@@ -93,5 +95,5 @@ func main() {
 
 	fmt.Println("Wallet creation and key derivation complete.")
 	fmt.Println("IMPORTANT: Store your mnemonic phrase securely. This example generates a new wallet on each run.")
-	fmt.Printf("To use this wallet, you would typically persist the mnemonic or the master extended private key (xPriv: %s).\n", masterKey.String())
+	fmt.Println("Never log or transmit your mnemonic or private keys in plaintext.")
 }
diff --git a/docs/examples/generate_hd_key/README.md b/docs/examples/generate_hd_key/README.md
@@ -7,7 +7,7 @@ This example demonstrates how to use the `bip32` compatibility package to genera
 The `generate_hd_key` example showcases:
 1. Calling `bip32.GenerateHDKeyPair` with a specified seed length (`bip32.SecureSeedLength`).
 2. Receiving the generated extended private key (xPriv) and extended public key (xPub).
-3. Printing both keys.
+3. Verifying the public key via a fingerprint without exposing key material.
 
 ## Code Walkthrough
 
@@ -21,9 +21,9 @@ if err != nil {
     log.Fatalf("Error generating HD key pair: %s", err.Error())
 }
 
-// Print the generated keys
-log.Printf("xPrivateKey: %s\n", xPrivateKey)
-log.Printf("xPublicKey: %s\n", xPublicKey)
+// Never log raw keys. Use a small fingerprint to confirm success.
+fingerprint := sha256.Sum256([]byte(xPublicKey))
+log.Printf("Generated HD key pair (xPriv length: %d, xPub fingerprint: %x)", len(xPrivateKey), fingerprint[:8])
 ```
 
 This section shows the direct use of `bip32.GenerateHDKeyPair`. This function creates a new master HD key from a randomly generated seed of the given length. It returns the extended private key (xPriv) and the corresponding extended public key (xPub) as strings.
@@ -35,11 +35,11 @@ To run this example:
 ```bash
 go run generate_hd_key.go
 ```
-The output will be the newly generated xPrivateKey and xPublicKey strings. Each run will produce a different key pair.
+The output will confirm the generated key lengths and show a short fingerprint of the xPub. Each run will produce a different key pair, so securely store the raw keys instead of logging them.
 
 **Note**:
-- The generated xPrivateKey is the master private key for an HD wallet structure. It should be kept extremely secure.
-- The xPublicKey can be used to derive child public keys without exposing the private key.
+- The generated xPrivateKey is the master private key for an HD wallet structure. It should be kept extremely secure and never logged in plaintext.
+- The xPublicKey can be used to derive child public keys without exposing the private key. Only expose fingerprints when confirming values in logs.
 - `bip32.SecureSeedLength` is typically 32 bytes (256 bits) or 64 bytes (512 bits) for strong security.
 
 ## Integration Steps
diff --git a/docs/examples/generate_hd_key/generate_hd_key.go b/docs/examples/generate_hd_key/generate_hd_key.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/sha256"
 	"log"
 
 	bip32 "github.com/bsv-blockchain/go-sdk/compat/bip32"
@@ -12,6 +13,8 @@ func main() {
 		log.Fatalf("error occurred: %s", err.Error())
 	}
 
-	// Success!
-	log.Printf("xPrivateKey: %s \n xPublicKey: %s", xPrivateKey, xPublicKey)
+	// Success! Avoid logging sensitive key material. Use a fingerprint of the public key
+	// for verification instead of printing the full keys.
+	publicKeyFingerprint := sha256.Sum256([]byte(xPublicKey))
+	log.Printf("Generated HD key pair (xPriv length: %d, xPub fingerprint: %x)", len(xPrivateKey), publicKeyFingerprint[:8])
 }
diff --git a/go.mod b/go.mod
@@ -5,11 +5,11 @@ go 1.24.3
 require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/crypto v0.43.0
-	golang.org/x/sync v0.17.0
+	golang.org/x/crypto v0.45.0
+	golang.org/x/sync v0.18.0
 )
 
-require golang.org/x/net v0.46.0
+require golang.org/x/net v0.47.0
 
 require (
 	github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
@@ -6,12 +6,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
