Feat/hw three parties #11048

Draft
ByteZhang1024 wants to merge 11 commits into x from feat/hwThreeParties

@ByteZhang1024
Contributor

No description provided.

- Add Ledger adapter infrastructure (connector-loader, vendorProfile, adapter types)
- Implement Ledger keyrings for BTC, EVM, SOL, TRON chains
- Add device fingerprint verification for Ledger cross-session identity
- Support HID device permission and auto-selection for desktop
- Add third-party hardware UI state management (toast/dialog)
- Store vendor in DB settingsRaw (no schema migration needed)
- Filter Ledger devices from OneKey device management and cloud sync
- Fix dgram polyfill and Ledger package main field in postinstall
- Use proper types for DeviceScannerUtils vendor param (EHardwareVendor)
- Cast rawXpub to IRawXpub union type instead of any
- Cast dbAccount to IDBUtxoAccount for xpub/xpubSegwit access
- Use navigator.hid directly with @types/w3c-web-hid
- Fix null→undefined for connectId param
- Mark unused vendor param with underscore prefix

@revan-zhang
Contributor

revan-zhang commented Apr 3, 2026

Snyk checks have failed. 1 issue has been found so far.

| Scan Engine | Critical | High | Medium | Low | Total (1) |
| --- | --- | --- | --- | --- | --- |
| Open Source Security | 0 | 1 | 0 | 0 | 1 issue |
| Licenses | 0 | 0 | 0 | 0 | 0 issues |

@socket-security

socket-security bot commented Apr 3, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @aptos-labs/ts-sdk@1.39.0 | 97 | 100 | 100 | 50 | 100 |
| Added | @babel/plugin-proposal-class-properties@7.18.6 | 100 | 100 | 65 | 50 | 100 |
| Added | @babel/plugin-proposal-class-static-block@7.21.0 | 100 | 100 | 71 | 50 | 100 |
| Added | @babel/plugin-proposal-nullish-coalescing-operator@7.18.6 | 100 | 100 | 70 | 50 | 100 |
| Added | @babel/plugin-proposal-private-methods@7.18.6 | 100 | 100 | 65 | 50 | 100 |
| Added | @babel/plugin-proposal-private-property-in-object@7.21.11 | 100 | 100 | 73 | 50 | 100 |
| Added | @mymonero/mymonero-keyimage-cache@3.0.0 | 69 | 100 | 59 | 82 | 100 |
| Added | @bytezhang/hardware-ledger-connector-ble@0.0.43 | 70 | 100 | 64 | 96 | 100 |
| Added | @bytezhang/hardware-ledger-connector-webhid@0.0.43 | 71 | 100 | 64 | 96 | 100 |
| Added | @babel/plugin-transform-numeric-separator@7.25.9 | 100 | 100 | 67 | 93 | 100 |
| Added | @bytezhang/hardware-wallet-core@0.0.43 | 77 | 100 | 70 | 96 | 100 |
| Added | @expo/plist@0.1.3 | 74 | 100 | 71 | 100 | 100 |
| Added | @magiceden-oss/open_creator_protocol@0.3.5 | 92 | 100 | 72 | 81 | 100 |
| Added | @types/node-fetch@2.6.9 | 100 | 100 | 72 | 81 | 100 |
| Added | @bytezhang/ledger-adapter@0.0.43 | 77 | 100 | 73 | 96 | 100 |
| Added | @aptos-labs/siwa@0.4.0 | 77 | 100 | 73 | 87 | 100 |
| Added | @mymonero/mymonero-app-bridge@3.0.0 | 82 | 100 | 73 | 81 | 100 |
| Added | @babel/preset-typescript@7.27.1 | 100 | 100 | 73 | 93 | 100 |
| Added | esbuild@0.27.2 | 91 | 100 | 73 | 94 | 100 |
| Added | @keystonehq/keystone-sdk@0.4.1 | 84 | 100 | 74 | 90 | 100 |
| Updated | @babel/plugin-transform-optional-chaining@7.27.1 ⏵ 7.25.9 | 100 +1 | 100 | 74 +1 | 93 | 100 |
| Added | @formatjs/intl-pluralrules@4.3.3 | 100 | 100 | 74 | 95 | 100 |
| Added | expo-keep-awake@14.1.4 | 74 | 100 | 82 | 100 | 100 |
| Added | @formatjs/intl-locale@2.4.47 | 100 | 100 | 75 | 94 | 100 |
| Added | @aivenio/tsc-output-parser@2.1.1 | 99 | 100 | 100 | 75 | 100 |
| Added | @formatjs/intl-getcanonicallocales@1.9.2 | 100 | 100 | 76 | 92 | 100 |
| Added | @babel/preset-env@7.28.6 | 97 | 100 | 77 | 95 | 100 |
| Added | @glif/filecoin-rpc-client@3.0.2 | 77 | 100 | 100 | 81 | 100 |
| Added | @benfen/bfc.js@0.2.7 | 82 | 100 | 77 | 89 | 100 |
| Added | @alephium/web3@1.5.2 | 92 | 100 | 77 | 96 | 70 |
| Added | @babel/core@7.27.1 | 97 | 100 | 80 | 94 | 100 |
| Added | @glif/filecoin-message@2.0.44 | 80 | 100 | 81 | 84 | 100 |
| Added | @electron/remote@2.1.1 | 100 | 100 | 100 | 81 | 100 |
See 20 more rows in the dashboard

@socket-security

socket-security bot commented Apr 3, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @emurgo/cardano-message-signing-asmjs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@emurgo/cardano-message-signing-asmjs@1.0.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emurgo/cardano-message-signing-asmjs@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @ledgerhq/device-management-kit is 93.0% likely obfuscated

Confidence: 0.93

Location: Package overview

From: ?npm/@bytezhang/hardware-ledger-connector-ble@0.0.43 npm/@bytezhang/ledger-adapter@0.0.43 npm/@bytezhang/hardware-ledger-connector-webhid@0.0.43 npm/@ledgerhq/device-management-kit@1.2.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ledgerhq/device-management-kit@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

… vendor stub

- Define IKeyringMap in VaultBase.ts (includes hwLedger + hwTrezor slots)
- All 4 Vault files use IKeyringMap instead of inline intersection types
- Replace hardcoded 'ledger' strings with EHardwareVendor.ledger in ServiceHardware and fingerprintUtils
- Fix Trezor vendorProfile stub to have isThirdParty=true (prevents being treated as OneKey)
- Remove unused IDBWalletType and KeyringBase imports from Vault files
- Remove non-existent ETranslations keys, use English defaultMessage
- Cast avatarKey to IAllWalletAvatarImageNamesWithoutDividers
- Fix null-to-undefined for connectId assignments
- Fix import paths in EVM KeyringHardwareLedger
- Remove path/inputDerivations from btcSignTransaction (not in SDK type)
- Use (navigator as any).hid for CI compatibility

When adding an account to an existing third-party hardware wallet
(Ledger, Trezor), only create accounts for the currently selected
network instead of all default networks. Wallet creation still
creates all default networks. BTC/LTC derive types are properly
expanded when the current network is BTC/LTC.

…llet creation

When creating a third-party HW wallet (Ledger/Trezor), if all chains
fail due to app-not-installed, show a single toast instead of one per
chain. If some chains succeed, silently filter out AppNotInstalled
errors. Non-AppNotInstalled errors still surface via the existing
per-chain toast loop.