Defend against nsec exposure in signup flow#3712

Draft
Copilot wants to merge 2 commits into master from copilot/add-nsec-detection-signup-flow

Conversation

Contributor

Copilot AI commented Mar 20, 2026

Users who click "Sign Up" instead of "Login" sometimes paste their nsec private key into profile fields (Name, Bio), inadvertently publishing it on Nostr. This adds detection and a blocking warning before they can proceed.

Changes

CreateAccountView.swift

  • containsPrivateKeyMaterial(_ text: String) -> Bool — detects bech32 nsec1… keys (via decode_bech32_key) and raw 64-char hex strings (via hex_decode); explicitly ignores npub, NIP-05, and plain text
  • fieldsContainPrivateKey() -> Bool — tokenises account.name and account.about on whitespace, applies the helper to each token
  • "Next" button now calls fieldsContainPrivateKey() before navigating; shows a destructive alert on a hit with Go Back (cancel) / Continue Anyway (destructive) options

damusTests/CreateAccountTests.swift — unit tests covering: nsec detected, 64-char hex detected, npub not flagged, plain names not flagged, short hex not flagged.

Checklist

Standard PR Checklist

  • I have read (or I am familiar with) the Contribution Guidelines
  • I have tested the changes in this PR
  • I have profiled the changes to ensure there are no performance regressions, or I do not need to profile the changes.
    • If not needed, provide reason: Detection runs only on "Next" button tap; two short string scans with early exit — no measurable overhead.
  • I have opened or referred to an existing github issue related to this change.
  • My PR is either small, or I have split it into smaller logical commits that are easier to review
  • I have added the signoff line to all my commits. See Signing off your work
  • I have added appropriate changelog entries for the changes in this PR. See Adding changelog entries
    • I do not need to add a changelog entry. Reason: [Please provide a reason]
  • I have added appropriate Closes: or Fixes: tags in the commit messages wherever applicable, or made sure those are not needed. See Submitting patches

Test report

Device: iPhone 16 Simulator

iOS: 18.x

Damus: f6fdef1

Steps:

  1. Launch app, tap Create Account
  2. Paste a valid nsec1… key into the Name field, tap Next → warning alert appears
  3. Tap Go Back → stays on form; remove the key, tap Next → proceeds normally
  4. Repeat with a raw 64-char hex key in the Bio field → same warning fires
  5. Enter a normal name/bio → no alert, proceeds to SaveKeys

Results:

  • PASS
  • Partial PASS

Other notes

The 64-char hex heuristic will also catch pubkeys in raw hex form. This is intentional and conservative — raw hex in a display name is almost certainly a paste mistake regardless of key type.

Original prompt

This section details the original issue you should resolve

<issue_title>defend against nsec unhappy path on login</issue_title>
<issue_description>## Summary

There is an unhappy path where users click "sign up" instead of "login" and accidentally paste their nsec to the profile name field (or similar), which causes them to accidentally compromise the security of their account.

We should add a detection mechanism to the signup flow that detects when an nsec key or a hex encoded key is present and shows them a big warning before continuing.

Other notes

Apparently two people doxxed their nsec this way

@jb55

https://damus.io/nevent1qqsfsv5927w6qy4p5hlpjfrmlvpsk9vsupp42acpwaq85hj4rsx0c7qrpurcg

</issue_description>

Comments on the Issue (you are @copilot in this section)



Add a warning when users accidentally paste their private key (nsec or
raw 64-char hex) into the Name or Bio fields during account creation.

- Add `containsPrivateKeyMaterial(_:)` helper that detects bech32 nsec
  keys and 64-character hex strings
- Add `fieldsContainPrivateKey()` method on CreateAccountView that
  tokenises each profile field and calls the helper
- Intercept the "Next" button tap; show a destructive alert when
  private-key material is detected, giving the user a chance to go back
  and remove it before continuing
- Add unit tests for `containsPrivateKeyMaterial` covering nsec, hex,
  npub (should NOT warn), plain names, and short hex strings

Closes: #2209
Signed-off-by: copilot <copilot@github.com>

Co-authored-by: danieldaquino <24692108+danieldaquino@users.noreply.github.com>
Agent-Logs-Url: https://github.com/damus-io/damus/sessions/cc25c1af-ec5e-4365-b71d-98177c7779e5
Copilot AI changed the title [WIP] Add detection mechanism for nsec keys in signup Defend against nsec exposure in signup flow Mar 20, 2026
Copilot AI requested a review from danieldaquino March 20, 2026 17:41
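The PR description and the commit message above both describe the same detector: a per-token check for a bech32 `nsec1…` key or a raw 64-character hex string, applied to whitespace-separated tokens of the Name and Bio fields, with `npub`, NIP-05 identifiers and plain text left alone. The block below is an added Python port of that logic for readers who want to see it run; it is not the project's Swift code. Damus's `decode_bech32_key` and `hex_decode` helpers are replaced by a BIP-173 bech32 decoder written here, the sample key is built from a constructed dummy 32-byte value (not a real secret), and stripping surrounding punctuation from each token is a small addition beyond the PR's plain whitespace split.

```python
"""Detect accidentally pasted Nostr private-key material in profile fields.

Added illustration: a Python port of the detector the PR describes, not the
damus Swift code.  Bech32 routines follow BIP-173.
"""
import re
import string

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
HEX64_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed dummy secret used only to build a sample nsec; not a real key.
SAMPLE_SECRET = bytes(range(32))


def _polymod(values):
    """BIP-173 checksum polynomial over 5-bit groups."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= BECH32_GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup bits (8->5 when encoding, 5->8 when decoding)."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for value in data:
        if value < 0 or (value >> frombits):
            return None
        acc = ((acc << frombits) | value) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def bech32_encode(hrp, payload):
    """Encode payload bytes under hrp (used here only to build sample keys)."""
    data = _convertbits(list(payload), 8, 5, True)
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in data + checksum)


def bech32_decode(s):
    """Return (hrp, payload bytes), or None if s is not valid bech32."""
    if len(s) > 90 or any(ord(c) < 33 or ord(c) > 126 for c in s):
        return None
    if s.lower() != s and s.upper() != s:  # mixed case is invalid
        return None
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s):
        return None
    hrp, data_part = s[:pos], s[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data_part):
        return None
    data = [BECH32_CHARSET.find(c) for c in data_part]
    if _polymod(_hrp_expand(hrp) + data) != 1:  # checksum failure
        return None
    payload = _convertbits(data[:-6], 5, 8, False)
    return None if payload is None else (hrp, bytes(payload))


def contains_private_key_material(token):
    """True for a valid nsec (32-byte payload) or a raw 64-hex-char string.

    npub, NIP-05 identifiers (user@domain) and plain text are not flagged.
    As in the PR, raw hex is flagged whether it is a secret or a public key:
    raw hex in a display name is a paste mistake either way.
    """
    if HEX64_RE.match(token):
        return True
    decoded = bech32_decode(token)
    if decoded is None:
        return False
    hrp, payload = decoded
    return hrp == "nsec" and len(payload) == 32


def fields_contain_private_key(*fields):
    """Split each field on whitespace and test every token.

    Stripping surrounding punctuation is an addition beyond the PR, so that
    'nsec1...,' pasted mid-sentence is still caught.
    """
    for field in fields:
        for token in field.split():
            if contains_private_key_material(token.strip(string.punctuation)):
                return True
    return False


if __name__ == "__main__":
    sample = bech32_encode("nsec", SAMPLE_SECRET)
    print("nsec in bio flagged:", fields_contain_private_key("Alice", "gm " + sample))
    print("normal profile flagged:", fields_contain_private_key("Alice", "just a bio"))
```

Two behaviours worth noting: a single corrupted character in an `nsec1…` string fails the bech32 checksum and is therefore not flagged (it is no longer a usable key), and a short hex fragment is not flagged because only exactly 64 hex characters match the raw-key heuristic.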

Development

Successfully merging this pull request may close these issues.

defend against nsec unhappy path on login