From f13cd0fd4704529b8b34a1315c3ba0054b14e346 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:36:19 -0800
Subject: [PATCH] security: add TODO comments for password plaintext over runtime.sendMessage

---
 src/background/index.js | 14 ++++++++++++--
 src/popup/views/approval.js | 2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/background/index.js b/src/background/index.js
index 02ddeb5..db30f43 100644
--- a/src/background/index.js
+++ b/src/background/index.js
@@ -714,7 +714,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
 if (wallet) break;
 }
 if (!wallet) throw new Error("Wallet not found");
- const decrypted = await decryptWithPassword(
+ // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
+ let decrypted = await decryptWithPassword(
 wallet.encryptedSecret,
 msg.password,
 );
@@ -723,6 +724,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
 addrIndex,
 decrypted,
 );
+ // Best-effort: clear decrypted secret after use.
+ // Note: JS strings are immutable; this nulls the reference but
+ // the original string may persist in memory until GC.
+ decrypted = null;
 const provider = getProvider(state.rpcUrl);
 const connected = signer.connect(provider);
 const tx = await connected.sendTransaction(approval.txParams);
@@ -768,7 +773,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
 if (wallet) break;
 }
 if (!wallet) throw new Error("Wallet not found");
- const decrypted = await decryptWithPassword(
+ // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
+ let decrypted = await decryptWithPassword(
 wallet.encryptedSecret,
 msg.password,
 );
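Review bot: The wallet lookup, the `if (!wallet) throw new Error("Wallet not found");` guard and the `decryptWithPassword(wallet.encryptedSecret, msg.password)` call in this hunk are duplicated verbatim in the hunk at -768, and the new TODO is now pasted into both copies; a small helper such as `async function unlockWalletSecret(wallet, password)` would keep the note and any eventual fix in one place. The TODO would also be more actionable if it stated the intended design — if the popup decrypts, it must then either sign there or ship the decrypted secret across `runtime.sendMessage` instead of the password, which does not obviously reduce exposure — or referenced a tracking issue, e.g. `// TODO(security, <ISSUE-ID>): …`. Note too that the password stays reachable through `msg.password` for as long as the message object lives, regardless of where decryption happens. The enclosing listener starts before this hunk.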
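Review bot: `decrypted = null;` only drops the string reference, while the `signer` whose construction appears to close at the top of the hunk (`addrIndex, decrypted, );`) and the `connected` signer derived from it presumably still hold the key material for the rest of the handler, including across the awaited `sendTransaction`, so the new comment overstates what is cleared; I would extend it with `// The signer built from it above still holds the key until it is collected.`. The assignment is also skipped whenever the signer construction or anything before it throws; if the clearing is meant to be reliable rather than cosmetic, it belongs in a `finally` around the signing path. The same applies to the hunk at -777. The enclosing handler continues outside the hunk on both sides.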
@@ -777,6 +783,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
 addrIndex,
 decrypted,
 );
+ // Best-effort: clear decrypted secret after use.
+ // Note: JS strings are immutable; this nulls the reference but
+ // the original string may persist in memory until GC.
+ decrypted = null;
 const sp = approval.signParams;
 let signature;
diff --git a/src/popup/views/approval.js b/src/popup/views/approval.js
index c86a1a0..359b506 100644
--- a/src/popup/views/approval.js
+++ b/src/popup/views/approval.js
@@ -385,6 +385,7 @@ function init(ctx) {
 type: "AUTISTMASK_TX_RESPONSE",
 id: approvalId,
 approved: true,
+ // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
 password: password,
 },
 (response) => {
@@ -424,6 +425,7 @@ function init(ctx) {
 type: "AUTISTMASK_SIGN_RESPONSE",
 id: approvalId,
 approved: true,
+ // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
 password: password,
 },
 (response) => {
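Review bot: The comment marks the sending side, but nothing in the hunk limits how long the plaintext `password` remains held in the popup after the message goes out; if `password` comes from an input element, clearing that field and the local variable once `sendMessage` has been called would shrink the exposure window independently of the TODO. On the receiving side I cannot see in this diff whether the background listener checks `sender` before acting on an `approved: true` response that carries a password; it should accept these response types only from the extension's own pages (for example by comparing `sender.id` with `runtime.id` and checking that `sender.url` is an extension URL) and not from content scripts. Style: `password: password,` can be the shorthand `password,`. The hunk at -424 has the same points. `init(ctx)` starts before the hunk.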