// nsealr · v0 · stateless · pre-production
Sign Nostr events offline.
A non-profit, open-source program for reproducible Nostr signing devices. Companion software, five signer solutions, and open hardware references — auditable instead of proprietary.
# verify a request — companion
$ nsealr verify --request req.json
✓ approval_digest ok
! sign-event disabled in dev firmware
// system
One companion. Five signer solutions.
The companion prepares requests, moves them over QR, file, stdio, serial, USB, or card transports, and verifies every successful response. The signer keeps or protects the private key and signs only through an explicit policy boundary.
Companion surfaces:
- nsealr CLI
- npm SDK
- browser extension
- local app
- local service
- NIP-46 bridge
// families
Pick the boundary that matches your trust model.
The five signer solutions:
- Raspberry/Pi Stateless QR Vault: Air-gapped RAM-only Raspberry/Pi flow inspired by SeedSigner principles for Nostr events.
- ESP32 Stateless QR Vault: Air-gapped ESP32-S3 camera/display signer line; T-Display S3 Pro OV5640 candidate, no persistent secret.
- ESP32 USB/NIP-46 Signer: Daily-use USB/display signer firmware for ESP32-S3 first, with classic ESP32/TTGO compatibility later. Real signing still gated.
- JavaCard/NFC Smartcard Signer: Display-less APDU card research for key protection, not trusted event review alone.
- Custom Nostr Hardware Wallet With Persistent Secret: Advanced persistent-secret research for custom boards and secure-element-assisted designs; direct TROPIC01 Schnorr remains unproven.
// status
Current maturity is explicit.
Per-family contracts, gates, and smoke evidence — sourced from the
signer feature matrix in nSealr/specs.
- Specs: v0 request, response, QR envelope, fixtures, review-screen vectors, review detail pages, approval_digest contracts, and NIP-46 bridge decisions.
- Companion: CLI, verification, transports, QR, serial framing with request-bound capture checks, nsealr serial-line exchange for one-shot local USB-serial bring-up, nsealr nip46 decide for already-decrypted payload policy checks, and untrusted detail-page previews.
- Raspberry: desktop stateless QR vault simulation with NIP-06 signing, approval_digest-bound review, and hardware-neutral adapter boundaries for later Pi drivers.
- ESP32 QR: stateless QR vault host-core review flow and T-Display S3 review scenario smoke while the T-Display S3 Pro OV5640 hardware target remains pending.
- ESP32 USB/NIP-46: native USB scaffold with get_public_key, signing_disabled, approval_digest-gated approval core, companion-to-device serial smoke, sign-event-disabled smoke, firmware protocol evidence, and Unicode fallback tracking for disabled-signing development firmware.
- Smartcard: JavaCard/NFC Smartcard Signer research with APDU simulator plus nsealr-smartcard CLI probes for public-key and event-id signing research; no trusted review or real-card compatibility claim yet.
- Custom wallet: Custom Nostr Hardware Wallet With Persistent Secret research is limited to secure-element/root-of-trust and persistent-secret architecture until real hardware evidence exists.
- Hardware: checked requirements, BOM scaffold, and Raspberry/Pi OS profile, including Raspberry/Pi kit requirements, request-id and approval_digest review binding.
// security
No production security claim yet.
nSealr is pre-production research and implementation work. The project documents trust boundaries, test evidence, and known limits before presenting any device as ready for real keys.
Per-family maturity, capability matrix, and contract IDs are in the
signer pages; the threat model and trust boundaries get their own
deep-dive in /docs/security/.