Zero client password key material after use #38

Merged
sidhujag merged 1 commit into master from fix/client-master-zeroization
May 2, 2026

Conversation

@sidhujag (Member) commented May 2, 2026

Summary

  • Zero raw PBKDF2 master bytes after non-login password flows finish using them.
  • Wipe transient HKDF output bytes after auth-hash and vault-key derivation.
  • Add regression coverage for password-change and account-deletion cleanup paths.

Context

Follow-up to the Nightglass audit finding posted on PR #11 about non-login password flows leaving raw PBKDF2 master bytes uncleared.

Test plan

  • source ~/.nvm/nvm.sh && nvm use 22.17.1 && CI=true npm test -- --watchAll=false --runInBand src/lib/crypto/kdf.test.js src/lib/authService.test.js src/context/VaultContext.test.js src/components/ChangePasswordCard.test.js src/components/DeleteAccountCard.test.js
  • source ~/.nvm/nvm.sh && nvm use 22.17.1 && CI=true npm test -- --watchAll=false --runInBand
  • source ~/.nvm/nvm.sh && nvm use 22.17.1 && npm run build
  • source ~/.nvm/nvm.sh && nvm use 22.17.1 && npm audit --omit=dev

Made with Cursor

Ensure non-login password flows and transient KDF outputs wipe raw byte arrays once ownership ends, reducing client memory exposure without changing auth or vault semantics.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sidhujag (Member, Author) commented May 2, 2026

@codex review

@chatgpt-codex-connector commented

Codex Review: Didn't find any major issues. Already looking forward to the next diff.


@sidhujag sidhujag merged commit e2a2a1f into master May 2, 2026
4 checks passed