security: zero intermediate DerivedKeys in derive_agent_sub_seed
- Loop over hardened indices, zeroing each intermediate DerivedKey before reassignment — prevents private_bytes + chain_code from lingering in heap
- Zero the final DerivedKey after building the sub_seed bytearray
- Update return type annotation bytes -> bytearray so callers can zero it
- Matches zeroing pattern already applied in derive_path() and generate_hd_keypair()

TDD: tests/test_agent_sub_seed_zeroing.py::TestIntermediatesZeroed::test_III1 was RED before this commit; all 5 tests now GREEN

sha: sha256:62422287600693cae73789ceb556d0b5993f4284197fc09d6495e485409f4be5
snapshot: sha256:f97e00db15b2a317ac9054ccee1eb88166fb143bed3fd96727895d2adb0b0d12
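
The zeroing pattern the commit message describes, as an added sketch that is not the project's code: the `DerivedKey` class, `hardened_child`, `derive_sub_seed`, the `trace` test hook and the SLIP-0010-style HMAC-SHA512 step are all assumptions made for illustration, and the seed is a constructed value.

```python
import hashlib
import hmac

HARDENED = 0x80000000

class DerivedKey:
    """Hypothetical stand-in: mutable buffers so the secret can be overwritten."""
    def __init__(self, digest: bytes):
        self.private_bytes = bytearray(digest[:32])
        self.chain_code = bytearray(digest[32:])

    def zero(self) -> None:
        # Overwrite in place; merely rebinding the name leaves the bytes in heap.
        self.private_bytes[:] = bytes(len(self.private_bytes))
        self.chain_code[:] = bytes(len(self.chain_code))

def hardened_child(parent: DerivedKey, index: int) -> DerivedKey:
    # Assumed SLIP-0010-style step: HMAC-SHA512(chain_code, 0x00 || key || index').
    data = bytearray(b"\x00") + parent.private_bytes
    data += (index | HARDENED).to_bytes(4, "big")
    child = DerivedKey(hmac.new(parent.chain_code, data, hashlib.sha512).digest())
    data[:] = bytes(len(data))  # scratch buffer held a copy of the private key
    return child

def derive_sub_seed(seed: bytes, indices, trace=None) -> bytearray:
    """Return a 32-byte sub-seed; `trace` (test hook) collects every DerivedKey."""
    key = DerivedKey(hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest())
    keys = [key]
    for index in indices:
        child = hardened_child(key, index)
        key.zero()  # wipe the intermediate before the name is reassigned
        key = child
        keys.append(key)
    sub_seed = bytearray(key.private_bytes)  # copy out before wiping the final key
    key.zero()
    if trace is not None:
        trace.extend(keys)
    return sub_seed  # bytearray, so the caller can zero it when done

if __name__ == "__main__":
    trace = []
    sub_seed = derive_sub_seed(bytes(range(32)), [44, 0, 7], trace)  # constructed input
    print(all(not any(k.private_bytes) and not any(k.chain_code) for k in trace))
    sub_seed[:] = bytes(len(sub_seed))  # caller wipes its copy
```

In CPython this is best effort: immutable `bytes` temporaries such as the HMAC digest cannot be overwritten, so the wipe only covers the long-lived `bytearray` buffers.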