#84 Enhancement: Use a default password to encrypt in disk

[andycreed0x]

Purpose

Encrypt every mnemonic at rest, even when the user provides no password. Previously, wallets imported without a password stored the mnemonic as base64-only plaintext (plain: prefix), making it trivially readable by any process scanning for BIP39 word patterns. A hardcoded default password is now applied automatically so no mnemonic ever lands in plaintext on disk.

Closes #84 Enhancement: Use a default password to encrypt in disk

Description

This is obfuscation, not full security — the default password lives in source code and won't stop a targeted attacker with code access. The stated goal is to defeat automated plaintext-seed scanners. Wallets encrypted with a user-supplied password are unaffected and continue to require that password for signing.

Lazy migration: existing plain: wallets are silently re-encrypted to default:1: the first time their mnemonic is read (signing or load), with an atomic write-back. Write-back failures are logged as warnings but never break signing.

Main Changes

• New prefix-tagged storage format: default:1: (default-encrypted), user: (user-password), plain: (legacy read-only), untagged (legacy user-password)
• New Storage.read_and_migrate_mnemonic(wallet, password) — single lazy-migration choke point wired at wallet.py:load_wallet and bitcoin.py:send
• Rename is_mnemonic_encrypted → requires_user_password across 9 production call sites (wallet.py, bitcoin.py, lightning.py, sideshift.py, changelly.py, sideswap.py) — correctly reflects that default-encrypted wallets do not need a user password
• Versioned default:N: prefix from day one — default:1: today, rotation-ready via version integer
• _DEFAULT_MNEMONIC_PASSWORD + _DEFAULT_PWD_VERSION = 1 constants in storage.py; unsupported versions raise ValueError (no silent fallback)
• 21 new unit tests: prefix detection, lazy migration round-trip, predicate truth table, signing flows for default/user wallets, atomicity, perms (0o600) preservation, write-failure tolerance via caplog, bitcoin-side migration wiring

Backwards compatibility

• Existing plain: wallets auto-migrate to default:1: on next read — no user action required
• Existing user-password wallets (untagged legacy) continue working identically
• Watch-only wallets unaffected (no mnemonic)

⚠️ Breaking Changes

• Storage.is_mnemonic_encrypted is removed; callers must use Storage.requires_user_password (different semantics: returns False for default: blobs).
• New wallets imported without a password now store default:1:... instead of plain:.... Tests asserting the plain: prefix must be updated (already done in this PR for test_tools.py and test_cli.py).

Checklist

• Added/updated tests (21 new + 5 updated)
• Merged develop (includes Fix lightning send test to neutralize AQUA_PASSWORD from .env #85 lightning test fix — full suite now 809 passed, 25 skipped, 0 failed)
• Added/updated relevant documentation (server.py LLM prompt copy around lines 1060/1089/1095 still references old "ask user about encryption" flow — follow-up PR)