// nsealr · v0 · stateless · pre-production
Sign Nostr
events offline.
A non-profit, open-source program for reproducible Nostr signing devices. Companion software, five signer solutions, and open hardware references — auditable instead of proprietary.
# verify a response — companion
$ nsealr verify-response --request req.json --response resp.json
✓ approval_digest ok
! sign-event disabled in dev firmware
// system
One companion. Five signer solutions.
The companion prepares requests, moves them over QR, file, stdio, serial, USB, or card transports, and verifies every successful response. The signer keeps or protects the private key and signs only through an explicit policy boundary.
Companion surfaces:
nsealrCLI- npm SDK
- browser extension
- local app
- local service
- NIP-46 bridge
// families
Pick the boundary that matches your trust model.
The five signer solutions: nSealr Vault — Pi edition · nSealr Vault — ESP32 edition · nSealr Key · nSealr Card · nSealr One.
Air-gapped RAM-only Raspberry/Pi QR vault inspired by SeedSigner principles for Nostr events.
Air-gapped ESP32-P4 QR signer on the Waveshare ESP32-P4-WIFI6-Touch-LCD-3.5 with an OV5647 camera; RAM-only, no persistent secret.
Daily-use connected touch signer running one universal firmware across the curated Waveshare ESP32-S3-Touch family. Real signing still gated.
Display-less Satochip JavaCard on an EAL6+ secure element; in-card BIP-340 Schnorr, external review required.
Minimal all-SMD, display-agnostic Nostr hardware wallet: ESP32-S3 host + TROPIC01-backed encrypted vault + key-split, USB-C, battery-operable.
// status
Current maturity is explicit.
Per-family contracts, gates, and smoke evidence — sourced from the
signer feature matrix in nSealr/specs.
- Specs: v0 request, response, QR envelope, fixtures, review-screen vectors, review detail pages,
approval_digestcontracts, and NIP-46 bridge decisions. - Companion: CLI, verification, transports, QR, serial framing with request-bound capture checks,
nsealr serial-line exchangefor one-shot local USB-serial bring-up,nsealr nip46 decidefor already-decrypted payload policy checks, and untrusted detail-page previews. - Raspberry: desktop stateless QR vault simulation with NIP-06 signing,
approval_digest-bound review, and hardware-neutral adapter boundaries for later Pi drivers. - ESP32 QR: stateless QR vault host-core review flow and T-Display S3 review scenario smoke while the ESP32-P4 QR-board hardware target (Waveshare ESP32-P4-WIFI6-Touch-LCD-3.5, OV5647 camera) remains pending.
- ESP32 USB/NIP-46: native USB scaffold with get_public_key,
signing_disabled,approval_digest-gated approval core, companion-to-device serial smoke, sign-event-disabled smoke, firmware protocol evidence, and Unicode fallback tracking for disabled-signing development firmware. - Smartcard: nSealr Card research — a Satochip JavaCard on an EAL6+ secure element with in-card BIP-340 Schnorr — with APDU simulator plus nsealr-smartcard CLI probes for public-key and event-id signing research; no trusted review or real-card compatibility claim yet.
- Custom wallet: nSealr One research — a minimal all-SMD, display-agnostic board (ESP32-S3 host + TROPIC01-backed encrypted vault + provisioned OPTIGA/ATECC key-split, USB-C, battery-operable) with a hardened Rust firmware signer and a checked
persistent-secret-custody-v0lifecycle. The old complex board is archived. - Hardware: checked requirements, BOM scaffold, Raspberry/Pi OS profile, Raspberry/Pi kit requirements, request-id and
approval_digestreview binding, and specs-backed custom-wallet custody gates.
// security
No production security claim yet.
nSealr is pre-production research and implementation work. The project documents trust boundaries, test evidence, and known limits before presenting any device as ready for real keys.
Per-family maturity, capability matrix, and contract IDs are in the
signer pages; the threat model and trust boundaries get their own
deep-dive in /docs/security/.