refactor(vault): remove derive_password and site_password_path (task: vault/remove-password-derivation)

Drift item #7: remove the password-manager pattern (derive_password,
derive_password_string, site_password_path) — not relevant to an RPC system's
vault. Removed methods, path function, doc-table row, all tests, and the
now-unused base64 URL_SAFE_NO_PAD import.

Refs: docs/architecture/crates/vault/README.md drift #7
Implements: ADR-025 (resolves C9)
This commit is contained in:
2026-06-23 13:33:36 +00:00
2 changed files with 0 additions and 109 deletions

View File

@@ -11,7 +11,6 @@
//! | `m/74'/0'/0'/0'` | Primary identity keypair | Ed25519 (alknet auth) |
//! | `m/74'/0'/0'/{n}'` | Worker/device identity | Ed25519 |
//! | `m/74'/0'/1'/0'` | SSH host key | Ed25519 |
//! | `m/74'/1'/0'/{hash}'` | Site-specific password | Deterministic |
//! | `m/74'/2'/0'/0'` | Encryption key for external credentials | AES-256-GCM |
//! | `m/44'/60'/0'/0/0` | Ethereum signing key | secp256k1 |
@@ -52,13 +51,6 @@ pub fn device_path(index: u32) -> String {
format!("m/74'/0'/0'/{}'", index)
}
/// Construct a site-specific password derivation path with the given hash.
///
/// Path: `m/74'/1'/0'/{hash}'`
pub fn site_password_path(site_hash: &str) -> String {
format!("m/74'/1'/0'/{}'", site_hash)
}
/// A derived extended private key with its public key.
///
/// Contains the private key bytes and public key bytes from
@@ -248,11 +240,6 @@ mod tests {
assert_eq!(device_path(1), "m/74'/0'/0'/1'");
}
#[test]
fn test_site_password_path() {
assert_eq!(site_password_path("abc123"), "m/74'/1'/0'/abc123'");
}
#[test]
fn test_derive_master_key_from_seed() {
// Use a known 64-byte seed

View File

@@ -42,9 +42,6 @@
use std::sync::{Arc, RwLock};
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
use base64::Engine;
use crate::cache::{CacheConfig, CachedKey, KeyCache};
use crate::derivation::{self, DerivationError, PATHS};
use crate::encryption::{self, EncryptedData, EncryptionKey};
@@ -283,29 +280,6 @@ impl VaultServiceHandle {
}
}
pub fn derive_password(&self, path: &str, length: usize) -> Result<Vec<u8>, VaultServiceError> {
let inner = self.inner.read().unwrap();
if !inner.unlocked {
return Err(VaultServiceError::VaultLocked);
}
let seed = inner.seed.as_ref().ok_or(VaultServiceError::VaultLocked)?;
let key = derivation::derive_path_from_seed(seed.as_bytes(), path)?;
let private_key = key.private_key();
let truncated_len = length.min(private_key.len());
let result = private_key[..truncated_len].to_vec();
Ok(result)
}
pub fn derive_password_string(
&self,
path: &str,
length: usize,
) -> Result<String, VaultServiceError> {
let bytes = self.derive_password(path, length)?;
Ok(URL_SAFE_NO_PAD.encode(&bytes))
}
/// Encrypt plaintext using the derived encryption key.
///
/// Uses the key at path `m/74'/2'/0'/0'` (PATHS::ENCRYPTION) by default.
@@ -463,76 +437,6 @@ mod tests {
assert!(service.decrypt(&encrypted).is_err());
}
#[test]
fn test_derive_password_deterministic() {
let service = VaultServiceHandle::new();
service.unlock_new(24).unwrap();
let path = "m/74'/1'/0'/12345'";
let pw1 = service.derive_password(path, 16).unwrap();
let pw2 = service.derive_password(path, 16).unwrap();
assert_eq!(pw1, pw2, "derive_password must be deterministic");
}
#[test]
fn test_derive_password_different_paths() {
let service = VaultServiceHandle::new();
service.unlock_new(24).unwrap();
let pw_a = service.derive_password("m/74'/1'/0'/100'", 16).unwrap();
let pw_b = service.derive_password("m/74'/1'/0'/200'", 16).unwrap();
assert_ne!(
pw_a, pw_b,
"different paths must produce different passwords"
);
}
#[test]
fn test_derive_password_length_truncation() {
let service = VaultServiceHandle::new();
service.unlock_new(24).unwrap();
let path = "m/74'/1'/0'/999'";
let pw_full = service.derive_password(path, 32).unwrap();
let pw_short = service.derive_password(path, 16).unwrap();
assert_eq!(pw_short.len(), 16);
assert_eq!(pw_full.len(), 32);
assert_eq!(
&pw_full[..16],
&pw_short[..],
"truncated bytes must match prefix of full key"
);
}
#[test]
fn test_derive_password_locked_error() {
let service = VaultServiceHandle::new();
let result = service.derive_password("m/74'/1'/0'/1'", 16);
assert!(matches!(result, Err(VaultServiceError::VaultLocked)));
}
#[test]
fn test_derive_password_string_base64url() {
let service = VaultServiceHandle::new();
service.unlock_new(24).unwrap();
let path = "m/74'/1'/0'/42'";
let encoded = service.derive_password_string(path, 16).unwrap();
assert!(!encoded.contains('='), "Base64url must not contain padding");
assert!(
encoded
.chars()
.all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_'),
"Base64url must only contain URL-safe characters"
);
let raw_bytes = service.derive_password(path, 16).unwrap();
let decoded = URL_SAFE_NO_PAD.decode(&encoded).unwrap();
assert_eq!(raw_bytes, decoded);
}
#[cfg(feature = "secp256k1")]
#[test]
fn test_derive_ethereum_key_bip32() {