feat(security): Phase 6 — DerivedKey zeroing hardening

slip010.py:
- SecretByteArray: bytearray subclass with zero() method and __del__ safety net
- DerivedKey.__del__: calls zero() as GC backstop for forgotten explicit calls

hdkeys.py:
- derive_agent_sub_seed now returns SecretByteArray instead of bytearray
- public_bytes_from_seed: try/finally around dk.zero()

keypair.py:
- derive_hd_public_info: try/finally around dk.zero()
- generate_hd_keypair: try/finally around dk.zero()

identity.py:
- resolve_signing_identity._derive: try/finally; exception returns None, dk always zeroed

auth.py:
- run_register inline derivation: try/finally around dk.zero()

Tests: Z1-Z7 (test_security_zeroing.py)
Doc: Phases 1-6 complete, Phase 7 pending

sha: sha256:7ee0315af150d5a334c4668b5fbd944174095711a13e432568f66ad9fec528cd
snapshot: sha256:daabee059e081141393c7965383e57e72aea2dc54904c1af659a3f860c338007
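
The pattern this commit describes, as an added example that is not the project's code: a bytearray subclass whose zero() overwrites the buffer in place, and a try/finally wrapper that zeroes the derived key on both the success and the exception path. The class bodies, `derive_master`, `with_derived_key` and the SLIP-0010 ed25519 master derivation are assumptions; the commit message gives only the names SecretByteArray, DerivedKey and zero().

```python
import hashlib
import hmac


class SecretByteArray(bytearray):
    """Mutable secret buffer (assumed shape; the commit names only zero() and __del__)."""

    def zero(self):
        # Equal-length slice assignment overwrites the existing buffer in place.
        self[:] = bytes(len(self))

    def __del__(self):
        # GC backstop for callers that forgot the explicit zero().
        self.zero()


class DerivedKey:
    """Hypothetical stand-in for the DerivedKey in slip010.py."""

    def __init__(self, key, chain_code):
        self.key = SecretByteArray(key)
        self.chain_code = SecretByteArray(chain_code)

    def zero(self):
        self.key.zero()
        self.chain_code.zero()

    def __del__(self):
        self.zero()


def derive_master(seed):
    # Assumed derivation: SLIP-0010 ed25519 master key, HMAC-SHA512 keyed with
    # b"ed25519 seed". The immutable `digest` and its slices cannot be zeroed
    # from Python; only the SecretByteArray copies can.
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return DerivedKey(digest[:32], digest[32:])


def with_derived_key(seed, operation):
    """Run operation(dk); an exception returns None, and dk is zeroed either way."""
    dk = derive_master(seed)
    try:
        return operation(dk)
    except Exception:
        return None
    finally:
        dk.zero()
```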