feat: BIP-39 passphrase support for auth keygen and recover (HIGH-3)
Add --passphrase flag to 'muse auth keygen' and 'muse auth recover'. Also reads MUSE_BIP39_PASSPHRASE env var (flag takes priority).
The passphrase ('25th word') is mixed into the PBKDF2 seed derivation so the same mnemonic + different passphrase produces completely different Ed25519 keys. It is never stored — operators must supply it at every derivation.
_resolve_passphrase() helper centralises flag > env var > '' priority. Both the human-key and agent-key paths in run_keygen pass the passphrase through to mnemonic_to_seed(). run_recover does the same.
Tests (test_bip39_passphrase.py — 10 tests):
I1-I3: keygen --passphrase produces different/deterministic fingerprints
II1-II2: MUSE_BIP39_PASSPHRASE env var fallback; flag wins over env var
III1-III3: recover with matching passphrase reproduces keygen fingerprint
IV1-IV2: passphrase never appears in identity.toml or JSON stdout
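The derivation the commit describes, as an added illustration that is not the project's own code: BIP-39 seed = PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic with salt "mnemonic" + passphrase and 2048 rounds, plus the flag > env var > '' resolution order. Assumptions not taken from the commit: that the first 32 bytes of the 64-byte seed become the Ed25519 private seed, and that the fingerprint is a SHA-256 over that seed (the real key type and fingerprint scheme may differ); the function names and the test mnemonic (the first BIP-39 reference vector, not a real key) are likewise constructed for this example.

```python
import hashlib
import os
import unicodedata
from typing import Mapping, Optional

# Constructed input: the first BIP-39 reference vector (128 zero bits of entropy).
# Never use this mnemonic for a real key.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def resolve_passphrase(flag: Optional[str], env: Optional[Mapping[str, str]] = None) -> str:
    """Flag > MUSE_BIP39_PASSPHRASE env var > '' (the priority the commit describes).

    `env` defaults to os.environ; it is injectable so the order can be tested offline.
    An explicitly given empty flag still wins over the env var.
    """
    if flag is not None:
        return flag
    env = os.environ if env is None else env
    return env.get("MUSE_BIP39_PASSPHRASE", "")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    Both mnemonic and passphrase are NFKD-normalised; the salt is "mnemonic" + passphrase,
    so a different passphrase changes the salt and therefore the whole seed.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


def ed25519_seed(mnemonic: str, passphrase: str = "") -> bytes:
    # Assumption (not from the commit): the first 32 bytes of the BIP-39 seed are used as
    # the Ed25519 private seed. The project may apply a further derivation step.
    return mnemonic_to_seed(mnemonic, passphrase)[:32]


def fingerprint(mnemonic: str, passphrase: str = "") -> str:
    # Assumption (not from the commit): fingerprint = truncated SHA-256 of the key seed.
    # It must not include or reveal the passphrase itself.
    return hashlib.sha256(ed25519_seed(mnemonic, passphrase)).hexdigest()[:16]


def recover(mnemonic: str, passphrase: str, expected_fingerprint: str) -> bool:
    """Recovery check: the same mnemonic and passphrase must reproduce the keygen fingerprint.

    Because the passphrase is never stored, a wrong passphrase silently yields a different,
    perfectly valid-looking key; comparing fingerprints is the only way to detect it.
    """
    return fingerprint(mnemonic, passphrase) == expected_fingerprint


if __name__ == "__main__":
    fp = fingerprint(TEST_MNEMONIC, resolve_passphrase(None, {"MUSE_BIP39_PASSPHRASE": "TREZOR"}))
    print("fingerprint with env passphrase:", fp)
    print("recover with same passphrase:  ", recover(TEST_MNEMONIC, "TREZOR", fp))
    print("recover with empty passphrase: ", recover(TEST_MNEMONIC, "", fp))
```

The last two lines of the main block are the practitioner's check: after recovery, compare the regenerated fingerprint against the one recorded at keygen time, since nothing else distinguishes "right passphrase" from "wrong passphrase, different key".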
muse hub commit comment sha256:421d52c5f90eae755ac6ffa6250f2f0975125c4347065e7daf79e974d8d55b04 --body "your comment"