6bed472e09
- removed all logging of raw IV, JWK, session tokens, verification codes → logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes) - replaced global master key storage with PBKDF2-derived non-extractable AES key → master key lives only in session memory and is cleared on timeout/focus-out - added password-based derivation (PBKDF2) for master key initialization - migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB → JWK export → encrypt with session master key → store ciphertext + IV + metadata → unwrap + import as non-extractable on restore - removed busy-wait loops and direct `window.gc()` calls → replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
3.1 KiB
3.1 KiB