Custom Nostr Hardware Wallet With Persistent Secret
Research family for a purpose-built persistent-secret Nostr hardware wallet. The current Rev A direction is USB-C bus-powered, connected/no-wireless, no-battery, and TROPIC01-assisted. BIP-340 signing stays on the ESP32-S3 host MCU unless a public TROPIC01 API, firmware release, or written vendor path proves non-exportable Schnorr support.
| Feature | Target | Current | Contract |
|---|---|---|---|
request_validation_v0 | required | planned | signing-request-v0+implementation-limits-v0+invalid-vectors |
nostr_event_review_universal | required | planned | trusted-review-v0+review-detail-pages-v0 |
review_detail_pages | required | planned | review-detail-pages-v0 |
approval_digest_binding | required | planned | approval-digest-v0 |
physical_approval | required | planned | physical-approval-v0 |
sign_event_bip340 | required | research | nostr-sign-event-bip340-v0 |
persistent_secret_custody | required | research | persistent-secret-custody-v0 |
secure_boot_hardening | required | research | firmware-boot-hardening-v0 |
device_display_review | required | planned | device-display-review-v0 |
response_verification | required | planned | signed-response-verification-v0 |
stateless_session_custody | forbidden | forbidden | — |
Rev A Boundary
- No air-gapped claim: USB carries data.
- No battery subsystem in Rev A.
persistent-secret-custody-v0is now a checked lifecycle contract: no plaintext secrets at rest, wrapped/encrypted storage only before persistent custody, ESP32-S3 RAM-only plaintext after TROPIC01-assisted unlock, required wipe events, and disabled-by-default backup/export behind local review plus physical approval.- TROPIC01 is used for secure channel, TRNG, device authenticity, pairing lifecycle, MAC-and-Destroy PIN hardening, and key wrapping or unlock material.
- Direct TROPIC01 Schnorr/BIP-340 remains future-gated, not a current capability claim.
Repository
Open hardware: github.com/nSealr/hardware. ESP32 firmware references: github.com/nSealr/esp32.