
v1.6.0 — Security Hardening


@vveerrgg released this 20 Mar 00:26 · 22 commits to main since this release

What's New

Auto-Lock Improvements

  • New timeout options: 1 hour, 90 minutes, and 3 hours
  • Auto-lock timer now resets when you switch to a Nostr-enabled tab — no more surprise lockouts while actively browsing

Security Fixes (Red Team Audit)

  • Auto-lock bypass blocked — malicious pages can no longer poll getPublicKey() to prevent the timer from firing
  • Session key derivation — master password is no longer held in memory; replaced with an opaque CryptoKey via PBKDF2
  • Sender validation — sensitive operations (password changes, data reset, backup, settings) now reject messages from content script contexts
  • Lock clears keys — nostrAccessWhileLocked defaults to false; locking actually clears decrypted keys from memory
  • Mutex serialization — lock/unlock can no longer race and leave inconsistent state
  • Auto-lock timeout validated — rejects invalid values (NaN, negative, arbitrary numbers)
  • No more key prefix logging — plaintext key prefixes removed from debug output
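
Worked example of the session-key, lock-clearing, mutex and sender-validation items above. This is an illustration added to these notes, not the extension's own code: a vault that holds only a non-extractable WebCrypto CryptoKey derived with PBKDF2 (never the master password), nulls that key on lock, serialises lock/unlock through a promise mutex, and accepts privileged messages only from the extension's own pages. KeyVault, Mutex, isPrivilegedSender and the PBKDF2 iteration count are assumed names and values; the `node:crypto` fallback exists only so it runs outside a browser.

```javascript
// Added example (not the extension's own code): a key vault that keeps only a
// non-extractable WebCrypto CryptoKey derived with PBKDF2, never the master
// password, clears that key on lock, and serialises lock/unlock with a mutex.
// KeyVault, Mutex, isPrivilegedSender and PBKDF2_ITERATIONS are assumed names/values.

const PBKDF2_ITERATIONS = 600000; // assumed iteration count
const ENC = new TextEncoder();
const DEC = new TextDecoder();

// Node 19+ exposes WebCrypto as globalThis.crypto; older Node needs node:crypto.
async function getWebCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  const { webcrypto } = await import('node:crypto');
  return webcrypto;
}

// Promise-chain mutex: each call waits for the previous one to settle, so
// lock and unlock can never interleave and leave half-updated state.
class Mutex {
  constructor() { this.tail = Promise.resolve(); }
  run(fn) {
    const result = this.tail.then(() => fn());
    this.tail = result.catch(() => {}); // a rejection must not poison the chain
    return result;
  }
}

// PBKDF2 -> AES-GCM-256 with extractable=false: the raw key bytes cannot be read
// back out, so a memory dump of this context yields an opaque handle, not a secret.
async function deriveSessionKey(password, salt) {
  const { subtle } = await getWebCrypto();
  const base = await subtle.importKey('raw', ENC.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

class KeyVault {
  constructor() {
    this.sessionKey = null; // CryptoKey while unlocked, null while locked
    this.blob = null;       // { salt, iv, ciphertext } of the stored Nostr secret
    this.mutex = new Mutex();
  }
  isLocked() { return this.sessionKey === null; }

  // First-time setup: encrypt the secret and keep only the derived key; the
  // password string goes out of scope here and is never stored.
  initialize(password, secretHex) {
    return this.mutex.run(async () => {
      const wc = await getWebCrypto();
      const salt = wc.getRandomValues(new Uint8Array(16));
      const iv = wc.getRandomValues(new Uint8Array(12));
      const key = await deriveSessionKey(password, salt);
      const ciphertext = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, ENC.encode(secretHex));
      this.blob = { salt, iv, ciphertext };
      this.sessionKey = key;
    });
  }

  // Re-derive the key and prove the password by decrypting: a wrong password
  // fails the GCM tag check, so the vault stays locked.
  unlock(password) {
    return this.mutex.run(async () => {
      if (!this.blob) throw new Error('vault not initialised');
      const key = await deriveSessionKey(password, this.blob.salt);
      const { subtle } = await getWebCrypto();
      await subtle.decrypt({ name: 'AES-GCM', iv: this.blob.iv }, key, this.blob.ciphertext);
      this.sessionKey = key;
    });
  }

  // Locking drops the only handle to decrypted material (nostrAccessWhileLocked=false).
  lock() {
    return this.mutex.run(async () => { this.sessionKey = null; });
  }

  // The secret is decrypted on demand and refused while locked.
  getSecret() {
    return this.mutex.run(async () => {
      if (this.isLocked()) throw new Error('vault is locked');
      const { subtle } = await getWebCrypto();
      const pt = await subtle.decrypt({ name: 'AES-GCM', iv: this.blob.iv }, this.sessionKey, this.blob.ciphertext);
      return DEC.decode(pt);
    });
  }
}

// Sender validation for privileged messages (password change, reset, backup,
// settings): accept only a chrome.runtime MessageSender whose url is one of the
// extension's own pages. A content script reports the web page's URL instead.
// extensionOrigin is a parameter here; in the extension it comes from chrome.runtime.getURL('').
function isPrivilegedSender(sender, extensionOrigin) {
  return !!sender && typeof sender.url === 'string' && sender.url.startsWith(extensionOrigin);
}
```

The decisive property is the `false` passed as `extractable` to `deriveKey`: the background context can encrypt and decrypt with the handle but cannot export the key material, and once `lock()` nulls the reference there is nothing left to recover. Note that `Mutex.run` must not be nested, since an inner call would wait on the outer one forever.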

Chrome MV3 Reliability

  • Auto-lock timer now uses chrome.alarms API which survives service worker eviction
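
Worked example of the auto-lock behaviour described in these notes (timeout validation, no reset from page-initiated calls, alarm-based scheduling). This is added for illustration and is not the extension's code: the alarms object is injected so it runs outside Chrome, and in the extension it would be `chrome.alarms`. AutoLock, ALLOWED_TIMEOUTS_MIN and the allow-list entries other than 60, 90 and 180 minutes are assumptions.

```javascript
// Added example (not the extension's own code): an auto-lock controller that
// validates the timeout against an allow-list, resets only on user-driven activity
// (not on page calls such as getPublicKey), and arms the timer through an
// alarms-style API so it outlives service-worker eviction. The alarms object is
// injected so this runs outside Chrome; in the extension it would be chrome.alarms.
// AutoLock, ALLOWED_TIMEOUTS_MIN and the values other than 60/90/180 are assumed.

const ALLOWED_TIMEOUTS_MIN = [5, 15, 30, 60, 90, 180];

// Returns the timeout if it is exactly one of the offered options, else null.
// Rejects NaN, Infinity, negatives, strings and any arbitrary number.
function validateAutoLockTimeout(value) {
  if (typeof value !== 'number' || !Number.isFinite(value)) return null;
  return ALLOWED_TIMEOUTS_MIN.includes(value) ? value : null;
}

class AutoLock {
  constructor(alarms, onLock, timeoutMinutes) {
    const timeout = validateAutoLockTimeout(timeoutMinutes);
    if (timeout === null) throw new RangeError(`invalid auto-lock timeout: ${String(timeoutMinutes)}`);
    this.alarms = alarms;
    this.timeout = timeout;
    // Registered synchronously at worker start-up: after eviction the alarm still
    // fires, Chrome wakes the worker, and this listener is registered again.
    this.alarms.onAlarm.addListener((alarm) => {
      if (alarm.name === AutoLock.ALARM_NAME) onLock();
    });
  }

  // 'user' = tab switch or popup interaction; 'page' = NIP-07 call from web content.
  // Only user activity re-arms the alarm, so a page polling getPublicKey() cannot
  // keep the wallet unlocked. create() with the same name replaces the pending alarm.
  recordActivity(source) {
    if (source !== 'user') return false;
    this.alarms.create(AutoLock.ALARM_NAME, { delayInMinutes: this.timeout });
    return true;
  }

  cancel() { return this.alarms.clear(AutoLock.ALARM_NAME); }
}
AutoLock.ALARM_NAME = 'auto-lock';

// In-memory stand-in for chrome.alarms, constructed for this example.
function makeFakeAlarms() {
  const listeners = [];
  const pending = new Map();
  return {
    pending,
    create(name, info) { pending.set(name, info); },
    clear(name) { return pending.delete(name); },
    onAlarm: { addListener(fn) { listeners.push(fn); } },
    fire(name) { pending.delete(name); for (const fn of listeners) fn({ name }); },
  };
}
```

A `setTimeout` inside an MV3 service worker dies with the worker, which Chrome may evict after a short idle period; an alarm is owned by the browser, so the lock still fires and wakes the worker. The `onAlarm` listener therefore has to be attached at the top level of the worker script, not lazily after the first unlock.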

Sideload

Download the zip for your browser below and follow sideloading instructions.