security: zero DerivedKeys and seeds in agent.py and public_bytes_from_seed

agent.py: - _derive_agent_seed: zero intermediate seed bytearray after derive_agent_sub_seed - _sub_seed_to_public: call dk.zero() after Ed25519PrivateKey creation

hdkeys.py: - public_bytes_from_seed: call dk.zero() after Ed25519PrivateKey creation; convenience fn was discarding the DerivedKey without wiping it

Add tests/test_agent_seed_zeroing.py (3 tests) — all RED before this commit

sha256:c44cbb64fc0de98cd78382790a8db82180b17f17f37b9fbd4eabe9ff3b24f2da sha

sha256:e503af6ad34feaa2dad274389984a7f01df7df6c2f234819b7911f8f1a9f4664 parent

sha256:117459cb803f45be68bb1372bb367e6d0ddf583e6cc8876e5496fb25f88d54bc snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:c44cbb64fc0de98cd78382790a8db82180b17f17f37b9fbd4eabe9ff3b24f2da --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:117459cb803f45be68bb1372bb367e6d0ddf583e6cc8876e5496fb25f88d54bc

Files 0

Browse tree at this commit →

Commit

SHA sha256:c44cbb64fc0de98cd78382790a8db82180b17f17f37b9fbd4eabe9ff3b24f2da

Parent

sha256:e503af6ad34feaa2dad274389984a7f01df7df6c2f234819b7911f8f1a9f4664

Branch dev