From 51f21b20f7a9fded2013a060bdc35b65605b1b70 Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Thu, 4 Jun 2026 11:07:37 -0500
Subject: [PATCH 1/8] docs: design spec for encrypted-wallet hardening

Passphrase entropy floor + strength meter, and an Argon2id timeCost
increase with no-patch KDF orchestration and upgrade-on-unlock migration.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 ...6-04-wallet-encryption-hardening-design.md | 257 ++++++++++++++++++
 1 file changed, 257 insertions(+)
 create mode 100644 docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md

diff --git a/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md b/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md
new file mode 100644
index 0000000..2b436d0
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md
@@ -0,0 +1,257 @@
+# Encrypted-Wallet Hardening — Design Spec
+
+**Date:** 2026-06-04
+**Branch:** `fix/wallet-encryption-hardening` (off `main`)
+**Status:** Approved design, ready for implementation planning
+
+## Summary
+
+Address a High-severity PR finding: a weak offline brute-force boundary for
+encrypted wallets. Encrypted keyfiles are persisted to browser storage
+(`wallet-service.ts`, `local-storage-adapter.ts`), but the app only requires
+8-character passwords (`config.ts`) and the SDK's Argon2id KDF uses `timeCost: 1`
+(`znn-typescript-sdk` `keyFile.js`). If an attacker exfiltrates the encrypted
+keyfile, the in-memory unlock throttling in `wallet-service.ts` does not help —
+the attack is offline.
+
+Two coordinated fixes close the gap:
+
+- **Part A — Passphrase strength:** raise the floor and add a strength meter/entropy
+  estimate, enforced at wallet creation and import. This is the primary lever: a
+  high-entropy passphrase makes offline brute-force infeasible regardless of KDF.
+- **Part B — KDF cost:** raise Argon2id `timeCost` for new wallets and transparently
+  upgrade existing wallets on next unlock, as defense-in-depth (raises per-guess
+  cost).
+
+## Goals
+
+- Reject low-entropy passphrases at create/import with clear, live feedback.
+- Materially increase the Argon2id work factor for all wallets over time.
+- Migrate existing wallets without data loss and without user action.
+
+## Non-Goals (YAGNI)
+
+- No common-password blocklist (explicitly excluded).
+- No third-party strength library (zxcvbn) — keep the bundle lean for the extension.
+- No patching/forking of `znn-typescript-sdk`.
+- No re-scoring of passphrases at unlock (only create/import enforce the floor).
+- No change to the existing in-memory unlock throttling.
+
+## Threat model note
+
+The fix targets the **offline** attack: attacker has the encrypted keyfile JSON
+and brute-forces the passphrase locally. The two defenses multiply: passphrase
+entropy sets the size of the search space; KDF cost sets the time per guess. The
+passphrase floor is the dominant factor and is applied to all new/imported
+wallets immediately; the KDF bump is a constant-factor hardening migrated in over
+time.
+
+---
+
+## Part A — Passphrase strength
+
+### `src/core/password-strength.ts` (new, pure, no Vue)
+
+Single source of truth, replacing the duplicated `password.length >= 8` checks in
+the two forms.
+
+```ts
+export interface PasswordStrength {
+  bits: number            // estimated entropy
+  score: 0 | 1 | 2 | 3 | 4
+  label: 'Very weak' | 'Weak' | 'Fair' | 'Good' | 'Strong'
+  meetsFloor: boolean     // length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE
+  suggestions: string[]   // shown to help the user clear the floor
+}
+
+export function estimatePasswordStrength(password: string): PasswordStrength
+```
+
+**Entropy estimate (lightweight, no dictionary):**
+- Determine which character pools the password uses: lowercase (26), uppercase
+  (26), digits (10), symbols (32). `poolSize` = sum of pools present.
+- `bits = password.length * log2(poolSize)` (0 for an empty password / poolSize ≤ 1).
+
+**Score buckets (by bits):** `< 40` → 0 (Very weak), `40–59` → 1 (Weak), `60–79`
+→ 2 (Fair), `80–99` → 3 (Good), `>= 100` → 4 (Strong).
+
+**Floor:** `meetsFloor = password.length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE`.
+
+**Suggestions:** derive from what's missing, e.g. `Use at least ${MIN_PASSWORD_LENGTH}
+characters` when too short; `Mix in uppercase, numbers, or symbols` when pool
+variety is low. Return an empty array when `meetsFloor` is true.
+
+### `src/config.ts`
+
+- Change `MIN_PASSWORD_LENGTH` from `8` to `12`.
+- Add `MIN_PASSWORD_SCORE = 2` (the "Fair" bucket — the minimum score allowed to
+  create/import).
+- Add `PASSWORD_STRENGTH_LABELS` (the five score labels) for reuse by the meter.
+
+### `src/components/PasswordStrengthMeter.vue` (new)
+
+Presentational component shared by both forms.
+- Prop: `strength: PasswordStrength` — the parent computes the estimate and passes
+  it in, keeping this component pure (no estimation logic inside).
+- Renders: a 4-segment bar colored by score (red → amber → green), the `label`,
+  and the first `suggestion` (if any) as muted helper text.
+- No logic beyond display.
+
+### `CreateWalletForm.vue` and `ImportWalletForm.vue`
+
+Both currently compute `passwordStrong = password.length >= MIN_PASSWORD_LENGTH`.
+Replace with:
+- `const strength = computed(() => estimatePasswordStrength(password.value))`
+- Use `strength.value.meetsFloor` everywhere `passwordStrong` was used (submit
+  `:disabled`, the pre-submit guard, and the inline warning).
+- Render `<PasswordStrengthMeter :strength="strength" />` under the password field
+  (only when `password` is non-empty).
+- Update the static hint text from "at least 8 characters" to reflect the new
+  floor (min length + "Fair or better").
+
+The unlock dialog (`UnlockWalletDialog.vue`) is unchanged.
+
+---
+
+## Part B — KDF cost + migration (no-patch orchestration)
+
+### Background
+
+`KeyFile.hashPassword` reads a static `KeyFile.DEFAULT_CONFIG` at hash time, and
+the encrypted keyfile JSON persists only the `salt` (not the Argon2 params). So
+decryption always uses whatever `DEFAULT_CONFIG` holds at decrypt time. Naively
+raising the static would break every existing wallet (different derived key →
+decrypt fails). We therefore orchestrate the static per operation and record each
+wallet's KDF version in our own storage.
+
+### `src/config.ts`
+
+```ts
+export interface KdfParams {
+  timeCost: number
+  memoryCost: number   // KiB
+  hashLength: number
+  parallelism: number
+}
+
+// Legacy params — must match the SDK's historical KeyFile.DEFAULT_CONFIG exactly.
+export const KDF_PARAMS_V1: KdfParams = {
+  timeCost: 1, memoryCost: 64 * 1024, hashLength: 32, parallelism: 4
+}
+
+// Strong params for new/upgraded wallets. timeCost is the starting target;
+// tune during implementation to keep unlock under ~1.5s in argon2-browser (WASM).
+export const KDF_PARAMS_V2: KdfParams = {
+  timeCost: 3, memoryCost: 64 * 1024, hashLength: 32, parallelism: 4
+}
+
+export const CURRENT_KDF_VERSION = 2
+
+export function kdfParamsForVersion(version: number | undefined): KdfParams {
+  return version === 2 ? KDF_PARAMS_V2 : KDF_PARAMS_V1
+}
+```
+
+### `src/core/kdf.ts` (new)
+
+The single place that mutates the SDK static. Sets `KeyFile.DEFAULT_CONFIG`,
+awaits the operation, restores the previous value in `finally`.
+
+```ts
+import { KeyFile } from 'znn-typescript-sdk'
+import type { KdfParams } from '@/config'
+
+export async function withKdfParams<T>(params: KdfParams, fn: () => Promise<T>): Promise<T> {
+  const previous = KeyFile.DEFAULT_CONFIG
+  KeyFile.DEFAULT_CONFIG = { ...params, type: 2 } // Argon2id
+  try {
+    return await fn()
+  } finally {
+    KeyFile.DEFAULT_CONFIG = previous
+  }
+}
+```
+
+Wallet operations are user-driven and serialized, so there is no concurrent
+encrypt/decrypt with differing params. (A mutex is possible but unnecessary; note
+it as optional.) Verify `KeyFile.DEFAULT_CONFIG` is writable from app code during
+implementation; if the SDK's typings don't expose it, access via a narrowly-scoped
+cast confined to this file.
+
+### `Wallet` type (`src/types`)
+
+Add `kdfVersion?: number`. Absent ⇒ legacy (V1).
+
+### `src/core/wallet-service.ts`
+
+- **`saveWallet`** (used by both create and import): wrap the
+  `keyFile.encrypt(keyStore)` call in `withKdfParams(KDF_PARAMS_V2, …)` and set
+  `wallet.kdfVersion = CURRENT_KDF_VERSION`.
+- **`unlockWallet`**: look up the wallet, then decrypt inside
+  `withKdfParams(kdfParamsForVersion(wallet.kdfVersion), …)`. Keep the existing
+  failed-attempt throttling and the `delete(address)` on success. On a successful
+  decrypt, if `(wallet.kdfVersion ?? 1) < CURRENT_KDF_VERSION`, **upgrade on
+  unlock**:
+  - re-encrypt the just-decrypted `keyStore` inside `withKdfParams(KDF_PARAMS_V2, …)`,
+  - overwrite `wallet.encryptedKeyFile`, set `wallet.kdfVersion = CURRENT_KDF_VERSION`,
+  - persist via `storage.set`.
+  - Wrap the upgrade in its own try/catch: a re-encrypt/persist failure is logged
+    and swallowed — it must never block the unlock or lose the session.
+- The `sessionManager.unlock(...)` call happens regardless of upgrade outcome.
+
+### Migration behavior
+
+An existing wallet has no `kdfVersion` → treated as V1 → decrypts at `timeCost: 1`
+→ on success re-encrypts to V2 and records `kdfVersion: 2`. The next unlock uses
+V2. New/imported wallets are V2 from creation. The SDK keyfile's own
+`version: 1`/format field is independent and untouched.
+
+---
+
+## Data flow
+
+```
+Create/Import:  estimatePasswordStrength → meetsFloor gate
+                → withKdfParams(V2){ keyFile.encrypt } → store { …, kdfVersion: 2 }
+
+Unlock:         withKdfParams(paramsFor(wallet.kdfVersion)){ keyFile.decrypt }
+                ├ fail → throttle counter++, "Invalid password"
+                └ ok   → clear counter, sessionManager.unlock
+                         └ if legacy → best-effort: withKdfParams(V2){ re-encrypt }
+                                       → store { encryptedKeyFile, kdfVersion: 2 }
+```
+
+## Files touched
+
+- New: `src/core/password-strength.ts`, `src/components/PasswordStrengthMeter.vue`,
+  `src/core/kdf.ts`
+- Modified: `src/config.ts`, `src/components/CreateWalletForm.vue`,
+  `src/components/ImportWalletForm.vue`, `src/types` (the `Wallet` interface),
+  `src/core/wallet-service.ts`
+
+## Testing & verification
+
+No automated suite (per `CLAUDE.md`). Gates: `npm run typecheck` (no NEW errors
+beyond the pre-existing baseline), `npm run lint` (0 errors), `npm run build`.
+Manual:
+
+1. **Create:** weak passwords (short / single-pool) are rejected with a live meter;
+   a 12+ mixed password is accepted. New wallet stores `kdfVersion: 2`; lock then
+   unlock succeeds.
+2. **Import:** same floor + meter; imported wallet is V2.
+3. **Legacy upgrade:** simulate a pre-existing wallet (encrypt at V1 / no
+   `kdfVersion`), unlock once → verify it still unlocks, then verify storage now
+   shows `kdfVersion: 2` and a subsequent unlock works.
+4. **Wrong password** still increments throttling and shows "Invalid password".
+5. **Unlock latency:** measure decrypt time at `KDF_PARAMS_V2` in the browser; tune
+   `timeCost` (and/or `memoryCost`) so unlock stays under ~1.5s on typical
+   hardware. A visible spinner already covers the unlock state.
+
+## Open risks
+
+- `withKdfParams` mutates an undocumented SDK static; an SDK update could change
+  `DEFAULT_CONFIG`'s shape/name. Mitigation: it's isolated to `kdf.ts`, and
+  `KDF_PARAMS_V1` must be kept in lockstep with the SDK's historical default so
+  legacy decrypts keep working.
+- argon2-browser performance at higher `timeCost`/memory is hardware-dependent;
+  the V2 params are a starting target to be tuned against the latency budget.

From b8ffb9906f77fb9c20000ed00215b45b4ec1357c Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Thu, 4 Jun 2026 11:18:33 -0500
Subject: [PATCH 2/8] feat: enforce passphrase strength with entropy floor and
 meter

---
 src/components/CreateWalletForm.vue      | 12 ++---
 src/components/ImportWalletForm.vue      | 10 ++---
 src/components/PasswordStrengthMeter.vue | 33 ++++++++++++++
 src/config.ts                            | 17 ++++++-
 src/core/password-strength.ts            | 56 ++++++++++++++++++++++++
 5 files changed, 116 insertions(+), 12 deletions(-)
 create mode 100644 src/components/PasswordStrengthMeter.vue
 create mode 100644 src/core/password-strength.ts

diff --git a/src/components/CreateWalletForm.vue b/src/components/CreateWalletForm.vue
index e903430..af1ec38 100644
--- a/src/components/CreateWalletForm.vue
+++ b/src/components/CreateWalletForm.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
 import {useWallet} from '@/core'
-import {MIN_PASSWORD_LENGTH} from '@/config'
+import {estimatePasswordStrength} from '@/core/password-strength'
 import {
   Button,
   Field,
@@ -17,6 +17,7 @@ import {
 } from '@nom/ui'
 import {EyeIcon, EyeOffIcon} from 'lucide-vue-next'
 import MnemonicDisplay from './MnemonicDisplay.vue'
+import PasswordStrengthMeter from './PasswordStrengthMeter.vue'
 
 const emit = defineEmits<{
   success: [walletAddress: string]
@@ -36,11 +37,12 @@ const address = ref<string | null>(null)
 const isCreating = ref(false)
 
 const passwordsMatch = computed(() => password.value === confirmPassword.value)
-const passwordStrong = computed(() => password.value.length >= MIN_PASSWORD_LENGTH)
+const strength = computed(() => estimatePasswordStrength(password.value))
+const passwordStrong = computed(() => strength.value.meetsFloor)
 
 async function handleCreate() {
   if (!passwordStrong.value) {
-    toast.show(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`, 'warning')
+    toast.show('Please choose a stronger password', 'warning')
     return
   }
   if (!passwordsMatch.value) {
@@ -103,9 +105,7 @@ function handleComplete() {
               </InputGroupButton>
             </InputGroupAddon>
           </InputGroup>
-          <FieldDescription v-if="password && !passwordStrong" class="text-destructive">
-            Password must be at least {{ MIN_PASSWORD_LENGTH }} characters
-          </FieldDescription>
+          <PasswordStrengthMeter v-if="password" :strength="strength" class="mt-2" />
         </Field>
 
         <Field>
diff --git a/src/components/ImportWalletForm.vue b/src/components/ImportWalletForm.vue
index b7b38a6..b054074 100644
--- a/src/components/ImportWalletForm.vue
+++ b/src/components/ImportWalletForm.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
 import {useWallet} from '@/core'
-import {MIN_PASSWORD_LENGTH} from '@/config'
+import {estimatePasswordStrength} from '@/core/password-strength'
 import {
   Button,
   Field,
@@ -17,6 +17,7 @@ import {
   useToast
 } from '@nom/ui'
 import {EyeIcon, EyeOffIcon} from 'lucide-vue-next'
+import PasswordStrengthMeter from './PasswordStrengthMeter.vue'
 
 const emit = defineEmits<{
   success: [walletAddress: string]
@@ -36,7 +37,8 @@ const isImporting = ref(false)
 const mnemonicWords = computed(() => mnemonic.value.trim().split(/\s+/).filter(Boolean))
 const mnemonicValid = computed(() => mnemonicWords.value.length === 12 || mnemonicWords.value.length === 24)
 const passwordsMatch = computed(() => password.value === confirmPassword.value)
-const passwordStrong = computed(() => password.value.length >= MIN_PASSWORD_LENGTH)
+const strength = computed(() => estimatePasswordStrength(password.value))
+const passwordStrong = computed(() => strength.value.meetsFloor)
 const canSubmit = computed(
   () => mnemonicValid.value && passwordStrong.value && passwordsMatch.value && !isImporting.value
 )
@@ -110,9 +112,7 @@ async function handleImport() {
             </InputGroupButton>
           </InputGroupAddon>
         </InputGroup>
-        <FieldDescription v-if="password && !passwordStrong" class="text-destructive">
-          Password must be at least {{ MIN_PASSWORD_LENGTH }} characters
-        </FieldDescription>
+        <PasswordStrengthMeter v-if="password" :strength="strength" class="mt-2" />
       </Field>
 
       <Field>
diff --git a/src/components/PasswordStrengthMeter.vue b/src/components/PasswordStrengthMeter.vue
new file mode 100644
index 0000000..8331f37
--- /dev/null
+++ b/src/components/PasswordStrengthMeter.vue
@@ -0,0 +1,33 @@
+<script setup lang="ts">
+import {computed} from 'vue'
+import type {PasswordStrength} from '@/core/password-strength'
+
+const props = defineProps<{strength: PasswordStrength}>()
+
+const barClass = computed(() => {
+  const s = props.strength.score
+  if (s <= 1) return 'bg-destructive'
+  if (s === 2) return 'bg-amber-500'
+  if (s === 3) return 'bg-green-500'
+  return 'bg-green-600'
+})
+</script>
+
+<template>
+  <div class="space-y-1">
+    <div class="flex gap-1">
+      <div
+          v-for="i in 4"
+          :key="i"
+          class="h-1.5 flex-1 rounded-full"
+          :class="i <= strength.score ? barClass : 'bg-muted'"
+      />
+    </div>
+    <div class="flex items-center justify-between text-xs">
+      <span class="text-muted-foreground">{{ strength.label }}</span>
+      <span v-if="strength.suggestions.length" class="text-muted-foreground">
+        {{ strength.suggestions[0] }}
+      </span>
+    </div>
+  </div>
+</template>
diff --git a/src/config.ts b/src/config.ts
index d59b6b6..876e614 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -49,4 +49,19 @@ export const STAKE_DURATION_OPTIONS: StakeDurationOption[] = [
 
 // --- Wallet / security ---
 /** Minimum password length for wallet encryption. */
-export const MIN_PASSWORD_LENGTH = 8
+export const MIN_PASSWORD_LENGTH = 12
+
+/**
+ * Minimum acceptable password-strength score (0–4) to create/import a wallet.
+ * 2 = "Fair". See estimatePasswordStrength in core/password-strength.ts.
+ */
+export const MIN_PASSWORD_SCORE = 2
+
+/** Human labels for the 0–4 password-strength score. */
+export const PASSWORD_STRENGTH_LABELS = [
+  'Very weak',
+  'Weak',
+  'Fair',
+  'Good',
+  'Strong'
+] as const
diff --git a/src/core/password-strength.ts b/src/core/password-strength.ts
new file mode 100644
index 0000000..3c20792
--- /dev/null
+++ b/src/core/password-strength.ts
@@ -0,0 +1,56 @@
+import {MIN_PASSWORD_LENGTH, MIN_PASSWORD_SCORE, PASSWORD_STRENGTH_LABELS} from '@/config'
+
+export interface PasswordStrength {
+  bits: number
+  score: 0 | 1 | 2 | 3 | 4
+  label: (typeof PASSWORD_STRENGTH_LABELS)[number]
+  meetsFloor: boolean
+  suggestions: string[]
+}
+
+// Character-pool sizes for a rough entropy estimate (no dictionary lookup).
+const POOLS: ReadonlyArray<{test: RegExp; size: number}> = [
+  {test: /[a-z]/, size: 26},
+  {test: /[A-Z]/, size: 26},
+  {test: /[0-9]/, size: 10},
+  {test: /[^a-zA-Z0-9]/, size: 32}
+]
+
+function scoreFromBits(bits: number): 0 | 1 | 2 | 3 | 4 {
+  if (bits >= 100) return 4
+  if (bits >= 80) return 3
+  if (bits >= 60) return 2
+  if (bits >= 40) return 1
+  return 0
+}
+
+/**
+ * Estimate password strength from length and character-class variety.
+ * bits ≈ length × log2(sum of character-pool sizes present). No dictionary /
+ * common-password list by design.
+ */
+export function estimatePasswordStrength(password: string): PasswordStrength {
+  const poolSize = POOLS.reduce((sum, p) => (p.test.test(password) ? sum + p.size : sum), 0)
+  const bits = password.length > 0 && poolSize > 1 ? password.length * Math.log2(poolSize) : 0
+  const score = scoreFromBits(bits)
+  const meetsFloor = password.length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE
+
+  const suggestions: string[] = []
+  if (!meetsFloor) {
+    if (password.length < MIN_PASSWORD_LENGTH) {
+      suggestions.push(`Use at least ${MIN_PASSWORD_LENGTH} characters`)
+    }
+    const poolsUsed = POOLS.filter((p) => p.test.test(password)).length
+    if (poolsUsed < 3) {
+      suggestions.push('Mix in uppercase letters, numbers, or symbols')
+    }
+  }
+
+  return {
+    bits,
+    score,
+    label: PASSWORD_STRENGTH_LABELS[score],
+    meetsFloor,
+    suggestions
+  }
+}

From ba856a5f8aa5f43947ceccf9298a7b022ab9b54b Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Thu, 4 Jun 2026 11:22:55 -0500
Subject: [PATCH 3/8] refactor: expose password-strength via @/core barrel

---
 src/components/CreateWalletForm.vue      | 3 +--
 src/components/ImportWalletForm.vue      | 3 +--
 src/components/PasswordStrengthMeter.vue | 2 +-
 src/core/index.ts                        | 2 ++
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/components/CreateWalletForm.vue b/src/components/CreateWalletForm.vue
index af1ec38..09a833a 100644
--- a/src/components/CreateWalletForm.vue
+++ b/src/components/CreateWalletForm.vue
@@ -1,7 +1,6 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
-import {useWallet} from '@/core'
-import {estimatePasswordStrength} from '@/core/password-strength'
+import {estimatePasswordStrength, useWallet} from '@/core'
 import {
   Button,
   Field,
diff --git a/src/components/ImportWalletForm.vue b/src/components/ImportWalletForm.vue
index b054074..d343e38 100644
--- a/src/components/ImportWalletForm.vue
+++ b/src/components/ImportWalletForm.vue
@@ -1,7 +1,6 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
-import {useWallet} from '@/core'
-import {estimatePasswordStrength} from '@/core/password-strength'
+import {estimatePasswordStrength, useWallet} from '@/core'
 import {
   Button,
   Field,
diff --git a/src/components/PasswordStrengthMeter.vue b/src/components/PasswordStrengthMeter.vue
index 8331f37..157551b 100644
--- a/src/components/PasswordStrengthMeter.vue
+++ b/src/components/PasswordStrengthMeter.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import {computed} from 'vue'
-import type {PasswordStrength} from '@/core/password-strength'
+import type {PasswordStrength} from '@/core'
 
 const props = defineProps<{strength: PasswordStrength}>()
 
diff --git a/src/core/index.ts b/src/core/index.ts
index f107fae..0cd25b8 100644
--- a/src/core/index.ts
+++ b/src/core/index.ts
@@ -4,5 +4,7 @@
 export type { PlasmaLevel } from './account-service'
 export type { RewardType, RewardInfo } from './rewards-service'
 export { isGeneratingPow } from './pow-status'
+export { estimatePasswordStrength } from './password-strength'
+export type { PasswordStrength } from './password-strength'
 export * from './composables'
 export * from './composables/utils/formatters'
\ No newline at end of file

From 7f0d86c75565d7125b3a328666df0bec153222b8 Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Thu, 4 Jun 2026 11:24:54 -0500
Subject: [PATCH 4/8] feat: strengthen wallet KDF with upgrade-on-unlock
 migration

---
 src/config.ts              | 39 ++++++++++++++++++++++++++++++++++++++
 src/core/kdf.ts            | 25 ++++++++++++++++++++++++
 src/core/wallet-service.ts | 22 +++++++++++++++++++--
 src/types/wallet.ts        |  2 ++
 4 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100644 src/core/kdf.ts

diff --git a/src/config.ts b/src/config.ts
index 876e614..1e68181 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -65,3 +65,42 @@ export const PASSWORD_STRENGTH_LABELS = [
   'Good',
   'Strong'
 ] as const
+
+/** Argon2id KDF parameters used to derive the wallet encryption key. */
+export interface KdfParams {
+  timeCost: number
+  /** Memory cost in KiB. */
+  memoryCost: number
+  hashLength: number
+  parallelism: number
+}
+
+/**
+ * Legacy KDF params — MUST match the SDK's historical KeyFile.DEFAULT_CONFIG so
+ * that wallets encrypted before the hardening can still be decrypted.
+ */
+export const KDF_PARAMS_V1: KdfParams = {
+  timeCost: 1,
+  memoryCost: 64 * 1024,
+  hashLength: 32,
+  parallelism: 4
+}
+
+/**
+ * Strong KDF params for new and upgraded wallets. timeCost is the starting
+ * target; tune to keep unlock under ~1.5s in the browser (argon2-browser/WASM).
+ */
+export const KDF_PARAMS_V2: KdfParams = {
+  timeCost: 3,
+  memoryCost: 64 * 1024,
+  hashLength: 32,
+  parallelism: 4
+}
+
+/** Current KDF version applied to new/upgraded wallets. */
+export const CURRENT_KDF_VERSION = 2
+
+/** Resolve the KDF params for a stored wallet's kdfVersion (absent ⇒ legacy V1). */
+export function kdfParamsForVersion(version: number | undefined): KdfParams {
+  return version === 2 ? KDF_PARAMS_V2 : KDF_PARAMS_V1
+}
diff --git a/src/core/kdf.ts b/src/core/kdf.ts
new file mode 100644
index 0000000..f07c77f
--- /dev/null
+++ b/src/core/kdf.ts
@@ -0,0 +1,25 @@
+import { KeyFile } from 'znn-typescript-sdk'
+import type { KdfParams } from '@/config'
+
+// The SDK reads a static `KeyFile.DEFAULT_CONFIG` (typed `private static readonly`)
+// at hash time and does not persist KDF params in the keyfile. We therefore set
+// the params around each encrypt/decrypt and restore them afterward. The cast is
+// required because the field is private/readonly in the typings; at runtime it is
+// a plain writable static. Confined to this module.
+type KdfConfig = KdfParams & { type: number }
+const keyFileStatic = KeyFile as unknown as { DEFAULT_CONFIG: KdfConfig }
+
+/**
+ * Run `fn` with the SDK's Argon2id parameters set to `params`, restoring the
+ * previous config afterward. Wallet operations are user-driven and serial, so
+ * there is no concurrent encrypt/decrypt with differing params.
+ */
+export async function withKdfParams<T>(params: KdfParams, fn: () => Promise<T>): Promise<T> {
+  const previous = keyFileStatic.DEFAULT_CONFIG
+  keyFileStatic.DEFAULT_CONFIG = { ...params, type: 2 } // 2 = Argon2id
+  try {
+    return await fn()
+  } finally {
+    keyFileStatic.DEFAULT_CONFIG = previous
+  }
+}
diff --git a/src/core/wallet-service.ts b/src/core/wallet-service.ts
index 3edad41..bb0315f 100644
--- a/src/core/wallet-service.ts
+++ b/src/core/wallet-service.ts
@@ -1,7 +1,9 @@
 import {KeyFile, KeyStore} from 'znn-typescript-sdk'
 import type {StorageAdapter, Wallet, WalletAccount, WalletStorage} from '@/types'
+import {CURRENT_KDF_VERSION, KDF_PARAMS_V2, kdfParamsForVersion} from '@/config'
 import {sessionManager} from './session-manager'
 import {storageService} from './storage/storage-service'
+import {withKdfParams} from './kdf'
 import {Buffer} from 'buffer'
 
 const STORAGE_KEY = 'nom-wallet-storage'
@@ -64,7 +66,7 @@ export class WalletService {
   // Shared logic for saving a wallet
   private async saveWallet(keyStore: KeyStore, password: string, name: string): Promise<Wallet> {
     const keyFile = KeyFile.setPassword(password)
-    const encryptedKeyFile = await keyFile.encrypt(keyStore)
+    const encryptedKeyFile = await withKdfParams(KDF_PARAMS_V2, () => keyFile.encrypt(keyStore))
 
     // Create base account (index 0)
     const baseAccount: WalletAccount = {
@@ -79,6 +81,7 @@ export class WalletService {
       encryptedKeyFile,
       accounts: [baseAccount],
       createdAt: Date.now(),
+      kdfVersion: CURRENT_KDF_VERSION,
     }
 
     // Store wallet
@@ -123,10 +126,25 @@ export class WalletService {
 
     try {
       const keyFile = KeyFile.setPassword(password)
-      const keyStore = await keyFile.decrypt(wallet.encryptedKeyFile)
+      const keyStore = await withKdfParams(kdfParamsForVersion(wallet.kdfVersion), () =>
+        keyFile.decrypt(wallet.encryptedKeyFile)
+      )
 
       this.failedAttempts.delete(address)
       sessionManager.unlock(address, keyStore)
+
+      // Upgrade-on-unlock: transparently re-encrypt legacy wallets with stronger
+      // KDF params. Best-effort — a failure here must never block the unlock.
+      if ((wallet.kdfVersion ?? 1) < CURRENT_KDF_VERSION) {
+        try {
+          const upgraded = await withKdfParams(KDF_PARAMS_V2, () => keyFile.encrypt(keyStore))
+          wallet.encryptedKeyFile = upgraded
+          wallet.kdfVersion = CURRENT_KDF_VERSION
+          await this.storage.set(STORAGE_KEY, data!)
+        } catch (err) {
+          console.error('Failed to upgrade wallet KDF on unlock:', err)
+        }
+      }
     } catch {
       const current = this.failedAttempts.get(address) ?? { count: 0, lastAttemptAt: 0 }
       this.failedAttempts.set(address, {
diff --git a/src/types/wallet.ts b/src/types/wallet.ts
index c922ca5..5d5ad4e 100644
--- a/src/types/wallet.ts
+++ b/src/types/wallet.ts
@@ -29,6 +29,8 @@ export interface Wallet {
   encryptedKeyFile: KeyFileEncryptedData
   accounts: WalletAccount[]
   createdAt: number
+  /** Argon2id KDF version used to encrypt this wallet (absent ⇒ legacy V1). */
+  kdfVersion?: number
 }
 
 // Storage structure for all wallets

From 2557ab19db5203ec1d7506b220f4a079f7dd0b6e Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Thu, 4 Jun 2026 11:28:52 -0500
Subject: [PATCH 5/8] refactor: resolve KDF params via a version map

---
 src/config.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/config.ts b/src/config.ts
index 1e68181..31786b0 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -100,7 +100,16 @@ export const KDF_PARAMS_V2: KdfParams = {
 /** Current KDF version applied to new/upgraded wallets. */
 export const CURRENT_KDF_VERSION = 2
 
+/**
+ * KDF params keyed by wallet version. Add an entry here when introducing a new
+ * version so {@link kdfParamsForVersion} resolves it (rather than falling back).
+ */
+const KDF_PARAMS_BY_VERSION: Record<number, KdfParams> = {
+  1: KDF_PARAMS_V1,
+  2: KDF_PARAMS_V2
+}
+
 /** Resolve the KDF params for a stored wallet's kdfVersion (absent ⇒ legacy V1). */
 export function kdfParamsForVersion(version: number | undefined): KdfParams {
-  return version === 2 ? KDF_PARAMS_V2 : KDF_PARAMS_V1
+  return KDF_PARAMS_BY_VERSION[version ?? 1] ?? KDF_PARAMS_V1
 }

From ab67f7d1767207cb70e301cc76c5efff2bea10da Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Fri, 5 Jun 2026 20:10:27 -0500
Subject: [PATCH 6/8] chore: gitignore and untrack docs/superpowers

These design docs are useful locally for the PR-authoring process but
shouldn't live in the repo. Ignore the directory and remove the tracked
spec from version control (the file stays on disk).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitignore                                    |   3 +-
 ...6-04-wallet-encryption-hardening-design.md | 257 ------------------
 2 files changed, 2 insertions(+), 258 deletions(-)
 delete mode 100644 docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md

diff --git a/.gitignore b/.gitignore
index b39afc6..228165a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@ dist-extension
 .idea
 *.log
 .env
-.air
\ No newline at end of file
+.air
+docs/superpowers/
\ No newline at end of file
diff --git a/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md b/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md
deleted file mode 100644
index 2b436d0..0000000
--- a/docs/superpowers/specs/2026-06-04-wallet-encryption-hardening-design.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# Encrypted-Wallet Hardening — Design Spec
-
-**Date:** 2026-06-04
-**Branch:** `fix/wallet-encryption-hardening` (off `main`)
-**Status:** Approved design, ready for implementation planning
-
-## Summary
-
-Address a High-severity PR finding: a weak offline brute-force boundary for
-encrypted wallets. Encrypted keyfiles are persisted to browser storage
-(`wallet-service.ts`, `local-storage-adapter.ts`), but the app only requires
-8-character passwords (`config.ts`) and the SDK's Argon2id KDF uses `timeCost: 1`
-(`znn-typescript-sdk` `keyFile.js`). If an attacker exfiltrates the encrypted
-keyfile, the in-memory unlock throttling in `wallet-service.ts` does not help —
-the attack is offline.
-
-Two coordinated fixes close the gap:
-
-- **Part A — Passphrase strength:** raise the floor and add a strength meter/entropy
-  estimate, enforced at wallet creation and import. This is the primary lever: a
-  high-entropy passphrase makes offline brute-force infeasible regardless of KDF.
-- **Part B — KDF cost:** raise Argon2id `timeCost` for new wallets and transparently
-  upgrade existing wallets on next unlock, as defense-in-depth (raises per-guess
-  cost).
-
-## Goals
-
-- Reject low-entropy passphrases at create/import with clear, live feedback.
-- Materially increase the Argon2id work factor for all wallets over time.
-- Migrate existing wallets without data loss and without user action.
-
-## Non-Goals (YAGNI)
-
-- No common-password blocklist (explicitly excluded).
-- No third-party strength library (zxcvbn) — keep the bundle lean for the extension.
-- No patching/forking of `znn-typescript-sdk`.
-- No re-scoring of passphrases at unlock (only create/import enforce the floor).
-- No change to the existing in-memory unlock throttling.
-
-## Threat model note
-
-The fix targets the **offline** attack: attacker has the encrypted keyfile JSON
-and brute-forces the passphrase locally. The two defenses multiply: passphrase
-entropy sets the size of the search space; KDF cost sets the time per guess. The
-passphrase floor is the dominant factor and is applied to all new/imported
-wallets immediately; the KDF bump is a constant-factor hardening migrated in over
-time.
-
----
-
-## Part A — Passphrase strength
-
-### `src/core/password-strength.ts` (new, pure, no Vue)
-
-Single source of truth, replacing the duplicated `password.length >= 8` checks in
-the two forms.
-
-```ts
-export interface PasswordStrength {
-  bits: number            // estimated entropy
-  score: 0 | 1 | 2 | 3 | 4
-  label: 'Very weak' | 'Weak' | 'Fair' | 'Good' | 'Strong'
-  meetsFloor: boolean     // length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE
-  suggestions: string[]   // shown to help the user clear the floor
-}
-
-export function estimatePasswordStrength(password: string): PasswordStrength
-```
-
-**Entropy estimate (lightweight, no dictionary):**
-- Determine which character pools the password uses: lowercase (26), uppercase
-  (26), digits (10), symbols (32). `poolSize` = sum of pools present.
-- `bits = password.length * log2(poolSize)` (0 for an empty password / poolSize ≤ 1).
-
-**Score buckets (by bits):** `< 40` → 0 (Very weak), `40–59` → 1 (Weak), `60–79`
-→ 2 (Fair), `80–99` → 3 (Good), `>= 100` → 4 (Strong).
-
-**Floor:** `meetsFloor = password.length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE`.
-
-**Suggestions:** derive from what's missing, e.g. `Use at least ${MIN_PASSWORD_LENGTH}
-characters` when too short; `Mix in uppercase, numbers, or symbols` when pool
-variety is low. Return an empty array when `meetsFloor` is true.
-
-### `src/config.ts`
-
-- Change `MIN_PASSWORD_LENGTH` from `8` to `12`.
-- Add `MIN_PASSWORD_SCORE = 2` (the "Fair" bucket — the minimum score allowed to
-  create/import).
-- Add `PASSWORD_STRENGTH_LABELS` (the five score labels) for reuse by the meter.
-
-### `src/components/PasswordStrengthMeter.vue` (new)
-
-Presentational component shared by both forms.
-- Prop: `strength: PasswordStrength` — the parent computes the estimate and passes
-  it in, keeping this component pure (no estimation logic inside).
-- Renders: a 4-segment bar colored by score (red → amber → green), the `label`,
-  and the first `suggestion` (if any) as muted helper text.
-- No logic beyond display.
-
-### `CreateWalletForm.vue` and `ImportWalletForm.vue`
-
-Both currently compute `passwordStrong = password.length >= MIN_PASSWORD_LENGTH`.
-Replace with:
-- `const strength = computed(() => estimatePasswordStrength(password.value))`
-- Use `strength.value.meetsFloor` everywhere `passwordStrong` was used (submit
-  `:disabled`, the pre-submit guard, and the inline warning).
-- Render `<PasswordStrengthMeter :strength="strength" />` under the password field
-  (only when `password` is non-empty).
-- Update the static hint text from "at least 8 characters" to reflect the new
-  floor (min length + "Fair or better").
-
-The unlock dialog (`UnlockWalletDialog.vue`) is unchanged.
-
----
-
-## Part B — KDF cost + migration (no-patch orchestration)
-
-### Background
-
-`KeyFile.hashPassword` reads a static `KeyFile.DEFAULT_CONFIG` at hash time, and
-the encrypted keyfile JSON persists only the `salt` (not the Argon2 params). So
-decryption always uses whatever `DEFAULT_CONFIG` holds at decrypt time. Naively
-raising the static would break every existing wallet (different derived key →
-decrypt fails). We therefore orchestrate the static per operation and record each
-wallet's KDF version in our own storage.
-
-### `src/config.ts`
-
-```ts
-export interface KdfParams {
-  timeCost: number
-  memoryCost: number   // KiB
-  hashLength: number
-  parallelism: number
-}
-
-// Legacy params — must match the SDK's historical KeyFile.DEFAULT_CONFIG exactly.
-export const KDF_PARAMS_V1: KdfParams = {
-  timeCost: 1, memoryCost: 64 * 1024, hashLength: 32, parallelism: 4
-}
-
-// Strong params for new/upgraded wallets. timeCost is the starting target;
-// tune during implementation to keep unlock under ~1.5s in argon2-browser (WASM).
-export const KDF_PARAMS_V2: KdfParams = {
-  timeCost: 3, memoryCost: 64 * 1024, hashLength: 32, parallelism: 4
-}
-
-export const CURRENT_KDF_VERSION = 2
-
-export function kdfParamsForVersion(version: number | undefined): KdfParams {
-  return version === 2 ? KDF_PARAMS_V2 : KDF_PARAMS_V1
-}
-```
-
-### `src/core/kdf.ts` (new)
-
-The single place that mutates the SDK static. Sets `KeyFile.DEFAULT_CONFIG`,
-awaits the operation, restores the previous value in `finally`.
-
-```ts
-import { KeyFile } from 'znn-typescript-sdk'
-import type { KdfParams } from '@/config'
-
-export async function withKdfParams<T>(params: KdfParams, fn: () => Promise<T>): Promise<T> {
-  const previous = KeyFile.DEFAULT_CONFIG
-  KeyFile.DEFAULT_CONFIG = { ...params, type: 2 } // Argon2id
-  try {
-    return await fn()
-  } finally {
-    KeyFile.DEFAULT_CONFIG = previous
-  }
-}
-```
-
-Wallet operations are user-driven and serialized, so there is no concurrent
-encrypt/decrypt with differing params. (A mutex is possible but unnecessary; note
-it as optional.) Verify `KeyFile.DEFAULT_CONFIG` is writable from app code during
-implementation; if the SDK's typings don't expose it, access via a narrowly-scoped
-cast confined to this file.
-
-### `Wallet` type (`src/types`)
-
-Add `kdfVersion?: number`. Absent ⇒ legacy (V1).
-
-### `src/core/wallet-service.ts`
-
-- **`saveWallet`** (used by both create and import): wrap the
-  `keyFile.encrypt(keyStore)` call in `withKdfParams(KDF_PARAMS_V2, …)` and set
-  `wallet.kdfVersion = CURRENT_KDF_VERSION`.
-- **`unlockWallet`**: look up the wallet, then decrypt inside
-  `withKdfParams(kdfParamsForVersion(wallet.kdfVersion), …)`. Keep the existing
-  failed-attempt throttling and the `delete(address)` on success. On a successful
-  decrypt, if `(wallet.kdfVersion ?? 1) < CURRENT_KDF_VERSION`, **upgrade on
-  unlock**:
-  - re-encrypt the just-decrypted `keyStore` inside `withKdfParams(KDF_PARAMS_V2, …)`,
-  - overwrite `wallet.encryptedKeyFile`, set `wallet.kdfVersion = CURRENT_KDF_VERSION`,
-  - persist via `storage.set`.
-  - Wrap the upgrade in its own try/catch: a re-encrypt/persist failure is logged
-    and swallowed — it must never block the unlock or lose the session.
-- The `sessionManager.unlock(...)` call happens regardless of upgrade outcome.
-
-### Migration behavior
-
-An existing wallet has no `kdfVersion` → treated as V1 → decrypts at `timeCost: 1`
-→ on success re-encrypts to V2 and records `kdfVersion: 2`. The next unlock uses
-V2. New/imported wallets are V2 from creation. The SDK keyfile's own
-`version: 1`/format field is independent and untouched.
-
----
-
-## Data flow
-
-```
-Create/Import:  estimatePasswordStrength → meetsFloor gate
-                → withKdfParams(V2){ keyFile.encrypt } → store { …, kdfVersion: 2 }
-
-Unlock:         withKdfParams(paramsFor(wallet.kdfVersion)){ keyFile.decrypt }
-                ├ fail → throttle counter++, "Invalid password"
-                └ ok   → clear counter, sessionManager.unlock
-                         └ if legacy → best-effort: withKdfParams(V2){ re-encrypt }
-                                       → store { encryptedKeyFile, kdfVersion: 2 }
-```
-
-## Files touched
-
-- New: `src/core/password-strength.ts`, `src/components/PasswordStrengthMeter.vue`,
-  `src/core/kdf.ts`
-- Modified: `src/config.ts`, `src/components/CreateWalletForm.vue`,
-  `src/components/ImportWalletForm.vue`, `src/types` (the `Wallet` interface),
-  `src/core/wallet-service.ts`
-
-## Testing & verification
-
-No automated suite (per `CLAUDE.md`). Gates: `npm run typecheck` (no NEW errors
-beyond the pre-existing baseline), `npm run lint` (0 errors), `npm run build`.
-Manual:
-
-1. **Create:** weak passwords (short / single-pool) are rejected with a live meter;
-   a 12+ mixed password is accepted. New wallet stores `kdfVersion: 2`; lock then
-   unlock succeeds.
-2. **Import:** same floor + meter; imported wallet is V2.
-3. **Legacy upgrade:** simulate a pre-existing wallet (encrypt at V1 / no
-   `kdfVersion`), unlock once → verify it still unlocks, then verify storage now
-   shows `kdfVersion: 2` and a subsequent unlock works.
-4. **Wrong password** still increments throttling and shows "Invalid password".
-5. **Unlock latency:** measure decrypt time at `KDF_PARAMS_V2` in the browser; tune
-   `timeCost` (and/or `memoryCost`) so unlock stays under ~1.5s on typical
-   hardware. A visible spinner already covers the unlock state.
-
-## Open risks
-
-- `withKdfParams` mutates an undocumented SDK static; an SDK update could change
-  `DEFAULT_CONFIG`'s shape/name. Mitigation: it's isolated to `kdf.ts`, and
-  `KDF_PARAMS_V1` must be kept in lockstep with the SDK's historical default so
-  legacy decrypts keep working.
-- argon2-browser performance at higher `timeCost`/memory is hardware-dependent;
-  the V2 params are a starting target to be tuned against the latency budget.

From f872d51ef36942b04b9533fcd888a66dc6e71a57 Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Sun, 14 Jun 2026 12:14:13 -0500
Subject: [PATCH 7/8] refactor: use self-describing keyfile (SDK v1.0.4) for
 KDF hardening

Replaces the DEFAULT_CONFIG mutation workaround and our own kdfVersion
tracking with the SDK's self-describing keyfile, per PR #3 review.

- Bump znn-typescript-sdk to ^1.0.4
- encrypt(keyStore, KDF_CONFIG): SDK persists the Argon2id params in the
  keyfile; decrypt reads them back (falls back to legacy DEFAULT_CONFIG
  for paramless keyfiles)
- Gate upgrade-on-unlock on KeyFile.needsUpgrade() instead of kdfVersion
- Delete src/core/kdf.ts (withKdfParams private-static hack)
- Collapse config KDF version machinery to a single KDF_CONFIG target
- argon2Params gains optional timeCost/memoryCost/hashLength/parallelism;
  drop redundant Wallet.kdfVersion

Verified: legacy paramless wallets decrypt and re-encrypt to timeCost:3
(new salt) on unlock; new wallets persist strong params from creation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 package-lock.json          |  8 +++----
 package.json               |  2 +-
 src/config.ts              | 49 +++++++-------------------------------
 src/core/kdf.ts            | 25 -------------------
 src/core/wallet-service.ts | 24 +++++++++----------
 src/types/wallet.ts        |  9 +++++--
 6 files changed, 31 insertions(+), 86 deletions(-)
 delete mode 100644 src/core/kdf.ts

diff --git a/package-lock.json b/package-lock.json
index ee8e5dc..60c3070 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17,7 +17,7 @@
         "lucide-vue-next": "^0.563.0",
         "vue": "^3.4.0",
         "vue-router": "^4.2.0",
-        "znn-typescript-sdk": "^1.0.3"
+        "znn-typescript-sdk": "^1.0.4"
       },
       "devDependencies": {
         "@crxjs/vite-plugin": "^2.0.0-beta.23",
@@ -6758,9 +6758,9 @@
       }
     },
     "node_modules/znn-typescript-sdk": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/znn-typescript-sdk/-/znn-typescript-sdk-1.0.3.tgz",
-      "integrity": "sha512-jS90Tu+8ql3wYEzoobDKY/EeeTDnkSK6b77yafwJzP/2jThPHdvGfJRvFdPpfJQy+xfUtjVxB+ggjkSf0U1F0w==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/znn-typescript-sdk/-/znn-typescript-sdk-1.0.4.tgz",
+      "integrity": "sha512-a0S7MmCtMNgar/0Ag4ioKAXxTjCr4+Nj2UdtXdJOqo6jsp0vX/W/cUmO+0DbKOnccHWHu1jTEQ4yApPRrLVKtQ==",
       "license": "MIT",
       "dependencies": {
         "@noble/ed25519": "^2.2.3",
diff --git a/package.json b/package.json
index 7e0da40..d37be81 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
     "lucide-vue-next": "^0.563.0",
     "vue": "^3.4.0",
     "vue-router": "^4.2.0",
-    "znn-typescript-sdk": "^1.0.3"
+    "znn-typescript-sdk": "^1.0.4"
   },
   "devDependencies": {
     "@crxjs/vite-plugin": "^2.0.0-beta.23",
diff --git a/src/config.ts b/src/config.ts
index 31786b0..696486a 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -66,50 +66,17 @@ export const PASSWORD_STRENGTH_LABELS = [
   'Strong'
 ] as const
 
-/** Argon2id KDF parameters used to derive the wallet encryption key. */
-export interface KdfParams {
-  timeCost: number
-  /** Memory cost in KiB. */
-  memoryCost: number
-  hashLength: number
-  parallelism: number
-}
-
-/**
- * Legacy KDF params — MUST match the SDK's historical KeyFile.DEFAULT_CONFIG so
- * that wallets encrypted before the hardening can still be decrypted.
- */
-export const KDF_PARAMS_V1: KdfParams = {
-  timeCost: 1,
-  memoryCost: 64 * 1024,
-  hashLength: 32,
-  parallelism: 4
-}
-
 /**
- * Strong KDF params for new and upgraded wallets. timeCost is the starting
- * target; tune to keep unlock under ~1.5s in the browser (argon2-browser/WASM).
+ * Strong Argon2id KDF params for new and upgraded wallets. Passed to the SDK's
+ * `KeyFile.encrypt()`, which persists them in the keyfile (self-describing) and
+ * falls back to its weaker DEFAULT_CONFIG when decrypting legacy keyfiles. Also
+ * the target for `KeyFile.needsUpgrade()` on unlock. timeCost is tuned to keep
+ * unlock under ~1.5s in the browser (argon2-browser/WASM); shape matches the
+ * SDK's `KdfConfig` (memory cost in KiB).
  */
-export const KDF_PARAMS_V2: KdfParams = {
+export const KDF_CONFIG = {
   timeCost: 3,
   memoryCost: 64 * 1024,
   hashLength: 32,
   parallelism: 4
-}
-
-/** Current KDF version applied to new/upgraded wallets. */
-export const CURRENT_KDF_VERSION = 2
-
-/**
- * KDF params keyed by wallet version. Add an entry here when introducing a new
- * version so {@link kdfParamsForVersion} resolves it (rather than falling back).
- */
-const KDF_PARAMS_BY_VERSION: Record<number, KdfParams> = {
-  1: KDF_PARAMS_V1,
-  2: KDF_PARAMS_V2
-}
-
-/** Resolve the KDF params for a stored wallet's kdfVersion (absent ⇒ legacy V1). */
-export function kdfParamsForVersion(version: number | undefined): KdfParams {
-  return KDF_PARAMS_BY_VERSION[version ?? 1] ?? KDF_PARAMS_V1
-}
+} as const
diff --git a/src/core/kdf.ts b/src/core/kdf.ts
deleted file mode 100644
index f07c77f..0000000
--- a/src/core/kdf.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-import { KeyFile } from 'znn-typescript-sdk'
-import type { KdfParams } from '@/config'
-
-// The SDK reads a static `KeyFile.DEFAULT_CONFIG` (typed `private static readonly`)
-// at hash time and does not persist KDF params in the keyfile. We therefore set
-// the params around each encrypt/decrypt and restore them afterward. The cast is
-// required because the field is private/readonly in the typings; at runtime it is
-// a plain writable static. Confined to this module.
-type KdfConfig = KdfParams & { type: number }
-const keyFileStatic = KeyFile as unknown as { DEFAULT_CONFIG: KdfConfig }
-
-/**
- * Run `fn` with the SDK's Argon2id parameters set to `params`, restoring the
- * previous config afterward. Wallet operations are user-driven and serial, so
- * there is no concurrent encrypt/decrypt with differing params.
- */
-export async function withKdfParams<T>(params: KdfParams, fn: () => Promise<T>): Promise<T> {
-  const previous = keyFileStatic.DEFAULT_CONFIG
-  keyFileStatic.DEFAULT_CONFIG = { ...params, type: 2 } // 2 = Argon2id
-  try {
-    return await fn()
-  } finally {
-    keyFileStatic.DEFAULT_CONFIG = previous
-  }
-}
diff --git a/src/core/wallet-service.ts b/src/core/wallet-service.ts
index bb0315f..fc85d5a 100644
--- a/src/core/wallet-service.ts
+++ b/src/core/wallet-service.ts
@@ -1,9 +1,8 @@
 import {KeyFile, KeyStore} from 'znn-typescript-sdk'
 import type {StorageAdapter, Wallet, WalletAccount, WalletStorage} from '@/types'
-import {CURRENT_KDF_VERSION, KDF_PARAMS_V2, kdfParamsForVersion} from '@/config'
+import {KDF_CONFIG} from '@/config'
 import {sessionManager} from './session-manager'
 import {storageService} from './storage/storage-service'
-import {withKdfParams} from './kdf'
 import {Buffer} from 'buffer'
 
 const STORAGE_KEY = 'nom-wallet-storage'
@@ -66,7 +65,8 @@ export class WalletService {
   // Shared logic for saving a wallet
   private async saveWallet(keyStore: KeyStore, password: string, name: string): Promise<Wallet> {
     const keyFile = KeyFile.setPassword(password)
-    const encryptedKeyFile = await withKdfParams(KDF_PARAMS_V2, () => keyFile.encrypt(keyStore))
+    // Encrypt with strong KDF params; the SDK persists them in the keyfile.
+    const encryptedKeyFile = await keyFile.encrypt(keyStore, KDF_CONFIG)
 
     // Create base account (index 0)
     const baseAccount: WalletAccount = {
@@ -81,7 +81,6 @@ export class WalletService {
       encryptedKeyFile,
       accounts: [baseAccount],
       createdAt: Date.now(),
-      kdfVersion: CURRENT_KDF_VERSION,
     }
 
     // Store wallet
@@ -126,20 +125,19 @@ export class WalletService {
 
     try {
       const keyFile = KeyFile.setPassword(password)
-      const keyStore = await withKdfParams(kdfParamsForVersion(wallet.kdfVersion), () =>
-        keyFile.decrypt(wallet.encryptedKeyFile)
-      )
+      // The keyfile is self-describing: decrypt reads its stored KDF params
+      // (or falls back to the SDK's legacy DEFAULT_CONFIG for older keyfiles).
+      const keyStore = await keyFile.decrypt(wallet.encryptedKeyFile)
 
       this.failedAttempts.delete(address)
       sessionManager.unlock(address, keyStore)
 
-      // Upgrade-on-unlock: transparently re-encrypt legacy wallets with stronger
-      // KDF params. Best-effort — a failure here must never block the unlock.
-      if ((wallet.kdfVersion ?? 1) < CURRENT_KDF_VERSION) {
+      // Upgrade-on-unlock: transparently re-encrypt wallets whose KDF params are
+      // weaker than our target. Best-effort — a failure here must never block
+      // the unlock.
+      if (KeyFile.needsUpgrade(wallet.encryptedKeyFile, KDF_CONFIG)) {
         try {
-          const upgraded = await withKdfParams(KDF_PARAMS_V2, () => keyFile.encrypt(keyStore))
-          wallet.encryptedKeyFile = upgraded
-          wallet.kdfVersion = CURRENT_KDF_VERSION
+          wallet.encryptedKeyFile = await keyFile.encrypt(keyStore, KDF_CONFIG)
           await this.storage.set(STORAGE_KEY, data!)
         } catch (err) {
           console.error('Failed to upgrade wallet KDF on unlock:', err)
diff --git a/src/types/wallet.ts b/src/types/wallet.ts
index 5d5ad4e..5cb88b6 100644
--- a/src/types/wallet.ts
+++ b/src/types/wallet.ts
@@ -2,8 +2,15 @@
 export interface KeyFileEncryptedData {
   baseAddress: string
   crypto: {
+    // Self-describing KDF params (SDK ≥ v1.0.4). Optional so legacy keyfiles,
+    // which stored only the salt, remain assignable; the SDK falls back to its
+    // DEFAULT_CONFIG when these are absent on decrypt.
     argon2Params: {
       salt: string
+      timeCost?: number
+      memoryCost?: number
+      hashLength?: number
+      parallelism?: number
     }
     cipherData: string
     cipherName: string
@@ -29,8 +36,6 @@ export interface Wallet {
   encryptedKeyFile: KeyFileEncryptedData
   accounts: WalletAccount[]
   createdAt: number
-  /** Argon2id KDF version used to encrypt this wallet (absent ⇒ legacy V1). */
-  kdfVersion?: number
 }
 
 // Storage structure for all wallets

From d82a575b06250c91be99563eec52cdfb2e8ced40 Mon Sep 17 00:00:00 2001
From: 0x3639 <0x3639@protonmail.com>
Date: Sun, 14 Jun 2026 12:58:38 -0500
Subject: [PATCH 8/8] feat: score passwords with lazy-loaded zxcvbn

Replaces the dependency-free entropy heuristic (which still passed
keyboard walks, monotonic runs, and dictionary words) with zxcvbn-ts.

- zxcvbn core + language packs are dynamically imported into their own
  chunk, loaded on first password keystroke - not the initial bundle.
- estimatePasswordStrength is async; usePasswordStrength wraps it as a
  reactive ref that fails closed on every change (resets to EMPTY until
  the new score resolves) with a sequence token to drop stale results.
- Create/Import submit handlers snapshot the submitted values up front,
  re-score that snapshot as the authoritative gate, set the in-flight
  flag before the await (no double-submit), and create/import only from
  the snapshot - so editing the still-enabled fields mid-await can't
  swap a weaker password past the gate.

Verified: weak patterns (keyboard walks, monotonic runs, common words)
score below the floor; strong passwords pass; zxcvbn chunks load on
demand; strong->weak->submit creates no wallet; rapid double-click
creates exactly one wallet; and an imported wallet unlocks only with the
submitted password, not a value swapped into the fields after submit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 package-lock.json                           | 33 ++++++++
 package.json                                |  3 +
 src/components/CreateWalletForm.vue         | 37 ++++++---
 src/components/ImportWalletForm.vue         | 28 +++++--
 src/core/composables/index.ts               |  1 +
 src/core/composables/usePasswordStrength.ts | 36 +++++++++
 src/core/password-strength.ts               | 90 ++++++++++++---------
 7 files changed, 172 insertions(+), 56 deletions(-)
 create mode 100644 src/core/composables/usePasswordStrength.ts

diff --git a/package-lock.json b/package-lock.json
index 60c3070..010b7e0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,6 +13,9 @@
       "dependencies": {
         "@nom/ui": "workspace:*",
         "@vueuse/core": "^14.2.0",
+        "@zxcvbn-ts/core": "^3.0.4",
+        "@zxcvbn-ts/language-common": "^3.0.4",
+        "@zxcvbn-ts/language-en": "^3.0.2",
         "buffer": "^6.0.3",
         "lucide-vue-next": "^0.563.0",
         "vue": "^3.4.0",
@@ -2406,6 +2409,27 @@
       "dev": true,
       "license": "BSD-3-Clause"
     },
+    "node_modules/@zxcvbn-ts/core": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/@zxcvbn-ts/core/-/core-3.0.4.tgz",
+      "integrity": "sha512-aQeiT0F09FuJaAqNrxynlAwZ2mW/1MdXakKWNmGM1Qp/VaY6CnB/GfnMS2T8gB2231Esp1/maCWd8vTG4OuShw==",
+      "license": "MIT",
+      "dependencies": {
+        "fastest-levenshtein": "1.0.16"
+      }
+    },
+    "node_modules/@zxcvbn-ts/language-common": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/@zxcvbn-ts/language-common/-/language-common-3.0.4.tgz",
+      "integrity": "sha512-viSNNnRYtc7ULXzxrQIVUNwHAPSXRtoIwy/Tq4XQQdIknBzw4vz36lQLF6mvhMlTIlpjoN/Z1GFu/fwiAlUSsw==",
+      "license": "MIT"
+    },
+    "node_modules/@zxcvbn-ts/language-en": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@zxcvbn-ts/language-en/-/language-en-3.0.2.tgz",
+      "integrity": "sha512-Zp+zL+I6Un2Bj0tRXNs6VUBq3Djt+hwTwUz4dkt2qgsQz47U0/XthZ4ULrT/RxjwJRl5LwiaKOOZeOtmixHnjg==",
+      "license": "MIT"
+    },
     "node_modules/acorn": {
       "version": "8.16.0",
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
@@ -3834,6 +3858,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/fastest-levenshtein": {
+      "version": "1.0.16",
+      "resolved": "https://registry.npmjs.org/fastest-levenshtein/-/fastest-levenshtein-1.0.16.tgz",
+      "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4.9.1"
+      }
+    },
     "node_modules/fastq": {
       "version": "1.20.1",
       "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz",
diff --git a/package.json b/package.json
index d37be81..2ba0fd1 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,9 @@
   "dependencies": {
     "@nom/ui": "workspace:*",
     "@vueuse/core": "^14.2.0",
+    "@zxcvbn-ts/core": "^3.0.4",
+    "@zxcvbn-ts/language-common": "^3.0.4",
+    "@zxcvbn-ts/language-en": "^3.0.2",
     "buffer": "^6.0.3",
     "lucide-vue-next": "^0.563.0",
     "vue": "^3.4.0",
diff --git a/src/components/CreateWalletForm.vue b/src/components/CreateWalletForm.vue
index 09a833a..c5e2a7a 100644
--- a/src/components/CreateWalletForm.vue
+++ b/src/components/CreateWalletForm.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
-import {estimatePasswordStrength, useWallet} from '@/core'
+import {estimatePasswordStrength, usePasswordStrength, useWallet} from '@/core'
 import {
   Button,
   Field,
@@ -36,22 +36,35 @@ const address = ref<string | null>(null)
 const isCreating = ref(false)
 
 const passwordsMatch = computed(() => password.value === confirmPassword.value)
-const strength = computed(() => estimatePasswordStrength(password.value))
+const strength = usePasswordStrength(password)
 const passwordStrong = computed(() => strength.value.meetsFloor)
 
 async function handleCreate() {
-  if (!passwordStrong.value) {
-    toast.show('Please choose a stronger password', 'warning')
-    return
-  }
-  if (!passwordsMatch.value) {
-    toast.show('Passwords do not match', 'warning')
-    return
-  }
-
+  // Guard re-entry before any await so a fast double-click can't start two
+  // concurrent creates while the password is being (re-)scored.
+  if (isCreating.value) return
   isCreating.value = true
   try {
-    const newWallet = await wallet.createWallet(password.value, name.value || 'Main Wallet')
+    // Snapshot the inputs before any await. Fields stay editable during scoring,
+    // so we must validate and create with the exact values submitted — never
+    // re-read password.value later, or an edit mid-await could swap in a weaker
+    // password than the one we scored.
+    const pw = password.value
+    const confirm = confirmPassword.value
+    const walletName = name.value || 'Main Wallet'
+
+    // Authoritative gate: re-score the snapshotted password.
+    const finalStrength = await estimatePasswordStrength(pw)
+    if (!finalStrength.meetsFloor) {
+      toast.show('Please choose a stronger password', 'warning')
+      return
+    }
+    if (pw !== confirm) {
+      toast.show('Passwords do not match', 'warning')
+      return
+    }
+
+    const newWallet = await wallet.createWallet(pw, walletName)
     mnemonic.value = wallet.exportMnemonic(newWallet.baseAddress)
     address.value = newWallet.baseAddress
     step.value = 'mnemonic'
diff --git a/src/components/ImportWalletForm.vue b/src/components/ImportWalletForm.vue
index d343e38..dbeab75 100644
--- a/src/components/ImportWalletForm.vue
+++ b/src/components/ImportWalletForm.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import {computed, ref} from 'vue'
-import {estimatePasswordStrength, useWallet} from '@/core'
+import {estimatePasswordStrength, usePasswordStrength, useWallet} from '@/core'
 import {
   Button,
   Field,
@@ -36,7 +36,7 @@ const isImporting = ref(false)
 const mnemonicWords = computed(() => mnemonic.value.trim().split(/\s+/).filter(Boolean))
 const mnemonicValid = computed(() => mnemonicWords.value.length === 12 || mnemonicWords.value.length === 24)
 const passwordsMatch = computed(() => password.value === confirmPassword.value)
-const strength = computed(() => estimatePasswordStrength(password.value))
+const strength = usePasswordStrength(password)
 const passwordStrong = computed(() => strength.value.meetsFloor)
 const canSubmit = computed(
   () => mnemonicValid.value && passwordStrong.value && passwordsMatch.value && !isImporting.value
@@ -45,13 +45,27 @@ const canSubmit = computed(
 async function handleImport() {
   if (!canSubmit.value) return
 
+  // Guard re-entry before any await so a fast double-click can't start two
+  // concurrent imports while the password is being (re-)scored.
+  if (isImporting.value) return
   isImporting.value = true
   try {
-    const importedWallet = await wallet.importWallet(
-      mnemonic.value.trim(),
-      password.value,
-      name.value || 'Imported Wallet'
-    )
+    // Snapshot the inputs before any await. Fields stay editable during scoring,
+    // so we must validate and import with the exact values submitted — never
+    // re-read password.value later, or an edit mid-await could swap in a weaker
+    // password than the one we scored.
+    const pw = password.value
+    const mnemonicValue = mnemonic.value.trim()
+    const walletName = name.value || 'Imported Wallet'
+
+    // Authoritative gate: re-score the snapshotted password.
+    const finalStrength = await estimatePasswordStrength(pw)
+    if (!finalStrength.meetsFloor) {
+      toast.show('Please choose a stronger password', 'warning')
+      return
+    }
+
+    const importedWallet = await wallet.importWallet(mnemonicValue, pw, walletName)
     emit('success', importedWallet.baseAddress)
   } catch (error) {
     console.error('Failed to import wallet:', error)
diff --git a/src/core/composables/index.ts b/src/core/composables/index.ts
index 0ed7640..d6178b2 100644
--- a/src/core/composables/index.ts
+++ b/src/core/composables/index.ts
@@ -8,6 +8,7 @@ export { useRewards } from './useRewards'
 export { usePillar } from './usePillar'
 export type { PillarWithApr } from './usePillar'
 export { useStorage } from './useStorage'
+export { usePasswordStrength } from './usePasswordStrength'
 export { useToken } from './useToken'
 export { runActivity } from './useActivity'
 export type { ActivityController } from './useActivity'
diff --git a/src/core/composables/usePasswordStrength.ts b/src/core/composables/usePasswordStrength.ts
new file mode 100644
index 0000000..3becaa1
--- /dev/null
+++ b/src/core/composables/usePasswordStrength.ts
@@ -0,0 +1,36 @@
+import {ref, watch, type Ref} from 'vue'
+import {
+  EMPTY_PASSWORD_STRENGTH,
+  estimatePasswordStrength,
+  type PasswordStrength
+} from '../password-strength'
+
+/**
+ * Reactive password strength. Wraps the async (lazy-loaded zxcvbn) scorer.
+ *
+ * Fails closed: every password change immediately resets strength to
+ * EMPTY_PASSWORD_STRENGTH (meetsFloor = false) until the new score resolves, so
+ * a stale "strong" result can never gate a now-weaker password. A sequence token
+ * drops out-of-order async results. This is UX state only — submit handlers MUST
+ * still re-check the current password (it is the authoritative gate).
+ */
+export function usePasswordStrength(password: Ref<string>): Ref<PasswordStrength> {
+  const strength = ref<PasswordStrength>(EMPTY_PASSWORD_STRENGTH)
+  let seq = 0
+
+  watch(
+    password,
+    (pw) => {
+      const token = ++seq
+      // Fail closed; only the resolved score for the current password re-opens it.
+      strength.value = EMPTY_PASSWORD_STRENGTH
+      if (!pw) return
+      void estimatePasswordStrength(pw).then((result) => {
+        if (token === seq) strength.value = result
+      })
+    },
+    {immediate: true}
+  )
+
+  return strength
+}
diff --git a/src/core/password-strength.ts b/src/core/password-strength.ts
index 3c20792..625a31a 100644
--- a/src/core/password-strength.ts
+++ b/src/core/password-strength.ts
@@ -8,49 +8,65 @@ export interface PasswordStrength {
   suggestions: string[]
 }
 
-// Character-pool sizes for a rough entropy estimate (no dictionary lookup).
-const POOLS: ReadonlyArray<{test: RegExp; size: number}> = [
-  {test: /[a-z]/, size: 26},
-  {test: /[A-Z]/, size: 26},
-  {test: /[0-9]/, size: 10},
-  {test: /[^a-zA-Z0-9]/, size: 32}
-]
-
-function scoreFromBits(bits: number): 0 | 1 | 2 | 3 | 4 {
-  if (bits >= 100) return 4
-  if (bits >= 80) return 3
-  if (bits >= 60) return 2
-  if (bits >= 40) return 1
-  return 0
+/** Neutral strength for empty input (and the initial value before scoring). */
+export const EMPTY_PASSWORD_STRENGTH: PasswordStrength = {
+  bits: 0,
+  score: 0,
+  label: PASSWORD_STRENGTH_LABELS[0],
+  meetsFloor: false,
+  suggestions: []
+}
+
+// zxcvbn-ts (core + dictionaries) is dynamically imported so it lands in its own
+// chunk, loaded only when a password is first scored — keeping it out of the
+// initial bundle. The promise is memoized so the dictionaries load once.
+type ScoreFn = (password: string) => {
+  score: number
+  guessesLog10: number
+  feedback: {warning: string | null; suggestions: string[]}
+}
+let enginePromise: Promise<ScoreFn> | null = null
+
+function loadEngine(): Promise<ScoreFn> {
+  if (!enginePromise) {
+    enginePromise = (async () => {
+      const [core, common, en] = await Promise.all([
+        import('@zxcvbn-ts/core'),
+        import('@zxcvbn-ts/language-common'),
+        import('@zxcvbn-ts/language-en')
+      ])
+      core.zxcvbnOptions.setOptions({
+        dictionary: {...common.dictionary, ...en.dictionary},
+        graphs: common.adjacencyGraphs,
+        translations: en.translations
+      })
+      return (password: string) => core.zxcvbn(password)
+    })()
+  }
+  return enginePromise
 }
 
 /**
- * Estimate password strength from length and character-class variety.
- * bits ≈ length × log2(sum of character-pool sizes present). No dictionary /
- * common-password list by design.
+ * Estimate password strength with zxcvbn — dictionary, keyboard-pattern,
+ * sequence and repeat aware, so predictable passwords (common words, "qwerty…",
+ * "abc…xyz") score low. Async because the scoring engine is lazy-loaded on first
+ * use. Score 0–4; `meetsFloor` enforces the length + score gate.
  */
-export function estimatePasswordStrength(password: string): PasswordStrength {
-  const poolSize = POOLS.reduce((sum, p) => (p.test.test(password) ? sum + p.size : sum), 0)
-  const bits = password.length > 0 && poolSize > 1 ? password.length * Math.log2(poolSize) : 0
-  const score = scoreFromBits(bits)
-  const meetsFloor = password.length >= MIN_PASSWORD_LENGTH && score >= MIN_PASSWORD_SCORE
+export async function estimatePasswordStrength(password: string): Promise<PasswordStrength> {
+  if (!password) return EMPTY_PASSWORD_STRENGTH
+
+  const score = await loadEngine()
+  const result = score(password)
+  const clamped = Math.max(0, Math.min(4, result.score)) as 0 | 1 | 2 | 3 | 4
+  const bits = result.guessesLog10 * Math.log2(10)
+  const meetsFloor = password.length >= MIN_PASSWORD_LENGTH && clamped >= MIN_PASSWORD_SCORE
 
   const suggestions: string[] = []
-  if (!meetsFloor) {
-    if (password.length < MIN_PASSWORD_LENGTH) {
-      suggestions.push(`Use at least ${MIN_PASSWORD_LENGTH} characters`)
-    }
-    const poolsUsed = POOLS.filter((p) => p.test.test(password)).length
-    if (poolsUsed < 3) {
-      suggestions.push('Mix in uppercase letters, numbers, or symbols')
-    }
+  if (password.length < MIN_PASSWORD_LENGTH) {
+    suggestions.push(`Use at least ${MIN_PASSWORD_LENGTH} characters`)
   }
+  if (result.feedback.warning) suggestions.push(result.feedback.warning)
+  suggestions.push(...result.feedback.suggestions)
 
-  return {
-    bits,
-    score,
-    label: PASSWORD_STRENGTH_LABELS[score],
-    meetsFloor,
-    suggestions
-  }
+  return {bits, score: clamped, label: PASSWORD_STRENGTH_LABELS[clamped], meetsFloor, suggestions}
 }