feat(login) password login using encrypted nsec

Enables the user to only handle the nsec upon first use of the tool
by encrypting it with a password and storing it on disk in an
application cache.

The approach to encryption draws heavily from that used by the gossip
nostr client.
 - unencrypted nsec is zeroed from memory
 - a salt is used to defend against rainbow tables
 - computationally expensive key stretching defends against
   brute-force attacks of passwords with low entropy.

There is UX trade-off between decryption speed and key-stretching
computation. This UX challenge is exacerbated in a cli tool as
decryption must take place more regularly. Thought was put into the
selected n_log and a heavily reduced value is provided for long
passwords where security benefits are smaller.

A more granular reducing in computation was also considered by
rejected to avoided to revealing just how weak a password is as most
weak passwords are reused.

1 files changed, 4 insertions, 1 deletions

diff --git a/src/main.rs b/src/main.rs
index d16f1a3..e6eac32 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -17,8 +17,11 @@ pub struct Cli {
     #[command(subcommand)]
     command: Commands,
     /// nsec or hex private key
-    #[arg(short, long)]
+    #[arg(short, long, global = true)]
     nsec: Option<String>,
+    /// password to decrypt nsec
+    #[arg(short, long, global = true)]
+    password: Option<String>,
 }
 
 #[derive(Subcommand)]