feat(cloud-sync): enhance keyless sync with proper encryption handling and unified pwdHash

- Add comprehensive BIP32 key encryption documentation
- Fix keyless credential derivation to use deterministic decrypted keys
- Remove keyless wallet filtering from sync flow managers
- Unify pwdHash retrieval from sync credential across all modes
- Clean up duplicate API calls in mock server
- Add debug tools and UI improvements for keyless sync testing
- Remove unused import in Button component

Author: sidmorizon

packages/components/src/primitives/Button/index.tsx

@@ -19,7 +19,6 @@ import { Spinner } from '../Spinner';
 import { useSharedPress } from './useEvent';
 
 import type { IIconProps, IKeyOfIcons } from '../Icon';
-import type { GestureResponderEvent } from 'react-native';
 
 export interface IButtonProps extends ThemeableStackProps {
   type?: ButtonHTMLAttributes<HTMLButtonElement>['type'];

packages/core/src/secret/bip32.ts

@@ -11,6 +11,36 @@ export type IBip32ExtendedKeySerialized = {
   key: string;
   chainCode: string;
 };
+
+/**
+ * BIP32 Extended Key
+ *
+ * Represents a BIP32 hierarchical deterministic key pair with chain code.
+ *
+ * **Key Encryption State:**
+ * The `key` field can be in two states depending on context:
+ *
+ * 1. **Unencrypted (Raw Private Key):**
+ *    - During BIP32 derivation calculations (CKDPriv, CKDPub)
+ *    - Internal processing within secret module
+ *    - Should NEVER be exposed outside the secret module
+ *
+ * 2. **Encrypted (AES-256 Encrypted Private Key):**
+ *    - When returned by `batchGetPrivateKeys()` or similar functions
+ *    - When stored or passed between modules
+ *    - Encryption method: AES-256-CBC with PBKDF2
+ *      - Random salt (32 bytes) + Random IV (16 bytes)
+ *      - Format: `[salt(32) + iv(16) + encrypted_data]`
+ *    - Must be decrypted with `decryptAsync({ password, data: key })` before use
+ *
+ * **For Public Keys:**
+ * When this type represents a public key (via `deriver.N()`):
+ * - `key` contains the raw public key (unencrypted, as public keys are meant to be public)
+ * - No encryption is applied
+ *
+ * @see batchGetKeys() in secret/index.ts for encryption logic
+ * @see encryptAsync() in secret/encryptors/aes256.ts for encryption implementation
+ */
 export type IBip32ExtendedKey = {
   key: Buffer;
   chainCode: Buffer;

packages/kit-bg/src/dbs/local/LocalDbBase.ts

@@ -884,9 +884,6 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       // TODO performance
       const { wallets } = await this.getWallets();
       const walletsByXfp = wallets.filter((w) => {
-        if (w.isKeyless && !includingKeylessWallets) {
-          return false;
-        }
         return w.xfp === xfp;
       });
       return walletsByXfp;
@@ -914,9 +911,6 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       const { wallets } = await this.getWallets();
       if (walletType === WALLET_TYPE_HD) {
         const wallet = wallets.find((w) => {
-          if (w.isKeyless) {
-            return false;
-          }
           const r = w.type === walletType && w.hash === walletHash;
           return r;
         });

packages/kit-bg/src/services/ServicePrimeCloudSync/CloudSyncFlowManager/CloudSyncFlowManagerAccount.ts

@@ -26,14 +26,6 @@ export class CloudSyncFlowManagerAccount extends CloudSyncFlowManagerBase<
       return false;
     }
 
-    // Keyless wallet accounts should not be synced
-    const walletId = accountUtils.getWalletIdFromAccountId({
-      accountId: account.id,
-    });
-    if (accountUtils.isKeylessWallet({ walletId })) {
-      return false;
-    }
-
     return (
       accountUtils.isWatchingAccount({ accountId: account.id }) ||
       accountUtils.isImportedAccount({ accountId: account.id })

packages/kit-bg/src/services/ServicePrimeCloudSync/CloudSyncFlowManager/CloudSyncFlowManagerIndexedAccount.ts

@@ -40,11 +40,6 @@ export class CloudSyncFlowManagerIndexedAccount extends CloudSyncFlowManagerBase
   ): Promise<boolean> {
     const { indexedAccount, wallet } = target;
 
-    // Keyless wallet should not be synced
-    if (accountUtils.isKeylessWallet({ walletId: wallet?.id })) {
-      return false;
-    }
-
     if (wallet?.xfp && accountUtils.isValidWalletXfp({ xfp: wallet.xfp })) {
       return true;
     }

packages/kit-bg/src/services/ServicePrimeCloudSync/CloudSyncFlowManager/CloudSyncFlowManagerWallet.ts

@@ -24,11 +24,6 @@ export class CloudSyncFlowManagerWallet extends CloudSyncFlowManagerBase<
   ): Promise<boolean> {
     const { wallet } = target;
 
-    // Keyless wallet should not be synced
-    if (accountUtils.isKeylessWallet({ walletId: wallet.id })) {
-      return false;
-    }
-
     console.log('isSupportSync', wallet.id);
 
     return (

packages/kit-bg/src/services/ServicePrimeCloudSync/ServicePrimeCloudSync.tsx

@@ -859,15 +859,13 @@ class ServicePrimeCloudSync extends ServiceBase {
       lockItem = undefined;
       // pwdHash = RESET_CLOUD_SYNC_MASTER_PASSWORD_UUID; // TODO server should clear pwdHash
     } else {
-      if (activeMode === ECloudSyncMode.Keyless) {
-        pwdHash = '';
-      } else {
-        pwdHash =
-          await this.backgroundApi.serviceMasterPassword.getLocalMasterPasswordUUID();
-      }
+      // eslint-disable-next-line no-param-reassign
+      syncCredential = syncCredential || (await this.getSyncCredentialSafe());
+      pwdHash =
+        syncCredential?.keylessCredential?.pwdHash ||
+        syncCredential?.masterPasswordUUID ||
+        '';
       if (isFlush) {
-        // eslint-disable-next-line no-param-reassign
-        syncCredential = syncCredential || (await this.getSyncCredentialSafe());
         const syncCredentialForLock = syncCredential
           ? this.syncManagers.lock.getLockStaticSyncCredential(syncCredential)
           : undefined;
@@ -1499,8 +1497,13 @@ class ServicePrimeCloudSync extends ServiceBase {
       const allLocalItems = localItems;
       const totalItemsCount = allLocalItems.length;
 
+      const credential = await this.getSyncCredentialSafe();
+      // const pwdHash =
+      //   await this.backgroundApi.serviceMasterPassword.getLocalMasterPasswordUUIDSafe();
       const pwdHash =
-        await this.backgroundApi.serviceMasterPassword.getLocalMasterPasswordUUIDSafe();
+        credential?.keylessCredential?.pwdHash ||
+        credential?.masterPasswordUUID ||
+        '';
       if (pwdHash) {
         localItems = allLocalItems.filter((item) => item.pwdHash === pwdHash);
         const availableItemsCount = localItems.length;
@@ -1671,6 +1674,7 @@ class ServicePrimeCloudSync extends ServiceBase {
     }
   }
 
+  @backgroundMethod()
   async getSyncCredentialSafe(): Promise<ICloudSyncCredential | undefined> {
     try {
       return await this.getSyncCredentialWithCache();
@@ -1704,15 +1708,17 @@ class ServicePrimeCloudSync extends ServiceBase {
         };
       }
 
-      const { masterPasswordUUID, encryptedSecurityPasswordR1 } =
-        await primeMasterPasswordPersistAtom.get();
-      if (!masterPasswordUUID || !encryptedSecurityPasswordR1) {
-        void this.showAlertDialogIfLocalPasswordNotSet();
-        throw new OneKeyError(
-          'No masterPasswordUUID or encryptedSecurityPasswordR1 in atom',
-        );
-      }
-
+      const {
+        masterPasswordUUID,
+        // encryptedSecurityPasswordR1
+      } = await primeMasterPasswordPersistAtom.get();
+      // if (!masterPasswordUUID || !encryptedSecurityPasswordR1) {
+      //   void this.showAlertDialogIfLocalPasswordNotSet();
+      //   throw new OneKeyError(
+      //     'No masterPasswordUUID or encryptedSecurityPasswordR1 in atom',
+      //   );
+      // }
+      //
       const securityPasswordR1Info =
         await this.backgroundApi.serviceMasterPassword.getSecurityPasswordR1InfoSafe(
           {

packages/kit-bg/src/services/ServicePrimeCloudSync/keylessCloudSyncMockApi.ts

@@ -72,11 +72,6 @@ class KeylessCloudSyncMockApi {
     signatureHeader: string;
     postData: ICloudSyncUploadPostData;
   }): Promise<ICloudSyncUploadResult | undefined> {
-    void params.client.post<IApiClientResponse<ICloudSyncUploadResult>>(
-      '/prime/v1/sync/upload-keyless',
-      params.postData,
-    );
-
     return this.postToMockServer<ICloudSyncUploadResult>({
       client: params.client,
       url: '/prime/v1/sync/upload-keyless',
@@ -95,12 +90,6 @@ class KeylessCloudSyncMockApi {
     result: ICloudSyncCheckServerStatusResult;
     serverTime: string;
   }> {
-    void params.client.post<
-      IApiClientResponse<ICloudSyncCheckServerStatusResult>
-    >('/prime/v1/sync/check-keyless', {
-      ...params.postData,
-    });
-
     return this.postToMockServer<{
       result: ICloudSyncCheckServerStatusResult;
       serverTime: string;
@@ -119,11 +108,6 @@ class KeylessCloudSyncMockApi {
     signatureHeader?: string;
     postData: ICloudSyncDownloadPostData;
   }): Promise<ICloudSyncDownloadResult> {
-    void params.client.post<IApiClientResponse<ICloudSyncDownloadResult>>(
-      '/prime/v1/sync/download-keyless',
-      params.postData,
-    );
-
     if (params.publicKey && params.signatureHeader) {
       return this.postToMockServer<ICloudSyncDownloadResult>({
         client: params.client,

packages/kit-bg/src/services/ServicePrimeCloudSync/keylessCloudSyncUtils.ts

@@ -15,6 +15,10 @@ import {
   publicFromPrivate,
   sign,
 } from '@onekeyhq/core/src/secret';
+import {
+  decryptAsync,
+  encryptAsync,
+} from '@onekeyhq/core/src/secret/encryptors/aes256';
 import type { ICoreHdCredentialEncryptHex } from '@onekeyhq/core/src/types';
 import {
   KEYLESS_PWDHASH_CONTEXT,
@@ -97,13 +101,24 @@ export async function deriveKeylessCredential({
     password,
   );
 
-  const encryptionKeyHex = bufferUtils.bytesToHex(
-    encryptionKeyInfo.extendedKey.key,
-  );
+  // Decrypt private keys to get deterministic hex values
+  // batchGetPrivateKeys returns encrypted keys with random salt/IV,
+  // so we decrypt them to ensure consistent values across sessions
+  const decryptedSigningPrivateKey = await decryptAsync({
+    password,
+    data: signingKey.extendedKey.key,
+  });
+
+  const decryptedEncryptionKey = await decryptAsync({
+    password,
+    data: encryptionKeyInfo.extendedKey.key,
+  });
+
+  const encryptionKeyHex = bufferUtils.bytesToHex(decryptedEncryptionKey);
 
   return {
     keylessWalletId,
-    signingPrivateKey: bufferUtils.bytesToHex(signingKey.extendedKey.key),
+    signingPrivateKey: bufferUtils.bytesToHex(decryptedSigningPrivateKey),
     signingPublicKey: bufferUtils.bytesToHex(signingPublicKey),
     encryptionKey: encryptionKeyHex,
     pwdHash: computeKeylessPwdHash(encryptionKeyHex),
@@ -177,9 +192,9 @@ function generateNonce(): string {
 /**
  * Sign message and build Header content
  *
- * @param signingPrivateKey - Signing private key (hex)
+ * @param signingPrivateKey - Signing private key (decrypted, hex format)
  * @param signingPublicKey - Signing public key (hex)
- * @param password - Wallet password (for decrypting private key)
+ * @param password - Wallet password (for encrypting private key before signing)
  * @param dataHash - Data hash to include when uploading (optional)
  * @returns Base64 encoded signature Header value
  */
@@ -208,10 +223,16 @@ export async function buildKeylessSignatureHeader({
   const messageString = JSON.stringify(signMessage);
   const messageHash = sha256(bufferUtils.toBuffer(messageString, 'utf8'));
 
-  // Sign (private key is encrypted, needs password to decrypt)
+  // Encrypt private key before signing (sign function expects encrypted key)
+  const encryptedPrivateKey = await encryptAsync({
+    password,
+    data: bufferUtils.toBuffer(signingPrivateKey, 'hex'),
+  });
+
+  // Sign using encrypted private key
   const signature = await sign(
     'secp256k1',
-    bufferUtils.toBuffer(signingPrivateKey, 'hex'),
+    encryptedPrivateKey,
     Buffer.from(messageHash),
     password,
   );

packages/kit/src/components/MultipleClickStack/MultipleClickStack.tsx

@@ -10,7 +10,7 @@ import type { GestureResponderEvent } from 'react-native';
 export function MultipleClickStack({
   children,
   onPress,
-  showDevBgColor: _showDevBgColor = false,
+  showDevBgColor = false,
   triggerAt = platformEnv.isDev ? 3 : 10,
   debugComponent,
   ...others
@@ -28,8 +28,8 @@ export function MultipleClickStack({
   return (
     <>
       <Stack
-        bg={undefined}
-        // bg={showDevBgColor && platformEnv.isDev ? '$bgCritical' : undefined}
+        // bg={undefined}
+        bg={showDevBgColor && platformEnv.isDev ? '$bgCritical' : undefined}
         {...others}
         onPress={(event) => {
           if (clickCount > triggerAt) {