Two verified medium leaks in the B7 scrub chain:
- parseRpcResult parses the body into a local `response` tree and returns a COPY
of response["result"] (operator[] yields an lvalue ref, so the by-value return
copy-constructs). The local tree — holding its own heap copy of the secret — was
then freed without zeroing, so callSecret/callSecretString still left one
un-scrubbed copy. Add scrubJsonSecrets() (recursive string zero) and a
scrubSource flag; the secret paths opt in, wiping the tree before it frees. The
secret export chain is now fully covered: raw body → parse tree → result copy →
caller-owned string.
- key_export_dialog cleared s_key with plain std::string::clear() on the Close
button, the scrim/Esc dismiss path, and the QR cache (s_qr_cached) — leaving the
displayed private/spending key in freed heap on the ordinary close paths. Route
all three through wallet::secureWipeLiteSecret (zero-then-clear), matching
show()/hide().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>