security: mnemonic_to_seed returns bytearray; zero seeds at all call sites

- mnemonic_to_seed() return type bytes -> bytearray so callers can wipe the 64-byte root seed from heap after use (previously immutable, never zeroable) - All auth.py call sites zero operator_seed, agent_sub_seed, and seed immediately after last use (generate_hd_keypair / derive_agent_sub_seed) - Add tests/test_seed_zeroing.py (5 tests: return type, mutability, determinism, length, passphrase variant) — RED before this commit - Add tests/test_agent_sub_seed_zeroing.py (5 tests: return type, mutability, intermediates zeroed, determinism, length) — validates prior commit too

sha256:1b7335af1da84059c62c6657ca0925e250ead304ce925c7b7ad469ad5501ecd4 sha

sha256:62422287600693cae73789ceb556d0b5993f4284197fc09d6495e485409f4be5 parent

sha256:8f1d86346b2e89393e5d570a22bbc05e16ae92051fbe6b498059aa3e404c6d1b snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:1b7335af1da84059c62c6657ca0925e250ead304ce925c7b7ad469ad5501ecd4 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump BREAKING

Agent claude-code

Breaking

muse/core/bip39.py::mnemonic_to_seed

Signature Cryptographically verified

Snapshot

ID sha256:8f1d86346b2e89393e5d570a22bbc05e16ae92051fbe6b498059aa3e404c6d1b

Files 0

Browse tree at this commit →

Commit

SHA sha256:1b7335af1da84059c62c6657ca0925e250ead304ce925c7b7ad469ad5501ecd4

Parent

sha256:62422287600693cae73789ceb556d0b5993f4284197fc09d6495e485409f4be5

Branch dev