Wallet HD Derivation Kit

Security posture

The runtime is offline-only, normal APIs omit private material, public vectors are differential-tested in seven runtimes, dependency audits run weekly, and parsers/decoders are fuzzed. Releases include checksums, SBOMs, attestations, and signatures.

The package is not a key vault, signer, transaction validator, backup system, hardware-wallet boundary, or substitute for an independent audit. The project has not yet been independently audited.

Read SECURITY.md, the threat model, private-material guide, and audit checklist.