feat(keys): add --keys flag to dump for cross-host decryption

Consumer side of the cross-host key workflow (pairs with #599).
ApplyDump wires StaticProviders from a dump.json into matching
browsers, so dump --keys f.json -p /copied/data decrypts without
native retrievers.

cmd/hack-browser-data/dump.go

@@ -2,12 +2,14 @@ package main
 
 import (
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/spf13/cobra"
 
 	"github.com/moond4rk/hackbrowserdata/browser"
+	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
 	"github.com/moond4rk/hackbrowserdata/output"
 	"github.com/moond4rk/hackbrowserdata/types"
@@ -22,6 +24,7 @@ func dumpCmd() *cobra.Command {
 		outputDir    string
 		profilePath  string
 		keychainPw   string
+		keysPath     string
 		compress     bool
 	)
 
@@ -32,13 +35,10 @@ func dumpCmd() *cobra.Command {
   hack-browser-data dump -b chrome -c password,cookie
   hack-browser-data dump -b chrome -f json -d output
   hack-browser-data dump -f cookie-editor
+  hack-browser-data dump --keys dump.json -p /path/to/copied/User\ Data
   hack-browser-data dump --zip`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			browsers, err := browser.PickBrowsers(browser.PickOptions{
-				Name:             browserName,
-				ProfilePath:      profilePath,
-				KeychainPassword: keychainPw,
-			})
+			browsers, err := selectBrowsers(browserName, profilePath, keychainPw, keysPath)
 			if err != nil {
 				return err
 			}
@@ -86,11 +86,51 @@ func dumpCmd() *cobra.Command {
 	cmd.Flags().StringVarP(&outputDir, "dir", "d", "results", "output directory")
 	cmd.Flags().StringVarP(&profilePath, "profile-path", "p", "", "custom profile dir path, get with chrome://version")
 	cmd.Flags().StringVar(&keychainPw, "keychain-pw", "", "macOS keychain password")
+	cmd.Flags().StringVar(&keysPath, "keys", "", "import master keys from JSON file (from `keys export`), skipping platform retrieval")
 	cmd.Flags().BoolVar(&compress, "zip", false, "compress output to zip")
 
 	return cmd
 }
 
+// selectBrowsers returns wired-up browsers for either platform-native key retrieval (default) or
+// dump-based key injection (when keysPath is non-empty). The dump path uses DiscoverBrowsers so it
+// never triggers a keychain prompt or platform retrievers.
+func selectBrowsers(browserName, profilePath, keychainPw, keysPath string) ([]browser.Browser, error) {
+	if keysPath == "" {
+		return browser.PickBrowsers(browser.PickOptions{
+			Name:             browserName,
+			ProfilePath:      profilePath,
+			KeychainPassword: keychainPw,
+		})
+	}
+
+	if keychainPw != "" {
+		log.Warnf("--keychain-pw is ignored when --keys is set; platform key retrieval is skipped")
+	}
+
+	browsers, err := browser.DiscoverBrowsers(browser.PickOptions{
+		Name:        browserName,
+		ProfilePath: profilePath,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	f, err := os.Open(keysPath)
+	if err != nil {
+		return nil, fmt.Errorf("open keys file %s: %w", keysPath, err)
+	}
+	defer f.Close()
+
+	dump, err := keyretriever.ReadJSON(f)
+	if err != nil {
+		return nil, fmt.Errorf("read keys file %s: %w", keysPath, err)
+	}
+
+	browser.ApplyDump(browsers, dump)
+	return browsers, nil
+}
+
 // parseCategories converts a comma-separated string into a Category slice.
 // "all" returns all categories.
 func parseCategories(s string) ([]types.Category, error) {