Raspberry/Pi Stateless QR Vault
A SeedSigner-style air-gapped Nostr signer for Raspberry/Pi hardware. Secret material lives in RAM only for the current signing session and is wiped when the device powers off. Every request and response moves over QR; no wireless, no host link.
Hardware target
The primary kit follows the SeedSigner Pi Zero pattern:
- Pi Zero-class board.
- Pi/ZeroCam OV5647 camera.
- Waveshare-compatible ST7789 240×240 LCD HAT.
- GPIO joystick / buttons.
- Removable microSD boot media.
- SeedSigner-OS-inspired minimal runtime (Raspberry/Pi OS profile: removable boot media, disabled or absent wireless, RAM-only session custody, no swap during signing, no remote access during signing, no persistent signing-secret storage).
Pi 3/4/5 variants can be development or accessibility targets later only if they preserve the same offline QR, local review, physical approval, and RAM-only custody boundary. See the Raspberry/Pi kit requirements in nSealr/hardware.
Capabilities
| Feature | Target | Current | Contract |
|---|---|---|---|
| request_validation_v0 | required | implemented | signing-request-v0+implementation-limits-v0+invalid-vectors |
| nostr_event_review_universal | required | implemented | trusted-review-v0+review-detail-pages-v0 |
| review_detail_pages | required | implemented | review-detail-pages-v0 |
| approval_digest_binding | required | implemented | approval-digest-v0 |
| physical_approval | required | partial | physical-approval-v0 |
| sign_event_bip340 | required | implemented | nostr-sign-event-bip340-v0 |
| qr_static_request | required | implemented | qr-envelope-static-v0 |
| qr_animated_request | required | implemented | qr-envelope-animated-v0 |
| qr_response | required | implemented | qr-response-v0 |
| stateless_session_custody | required | partial | stateless-session-custody-v0 |
| manual_only_policy | required | implemented | manual-only-approval-policy-v0 |
| device_display_review | required | partial | device-display-review-v0 |
| response_verification | required | implemented | signed-response-verification-v0 |
| persistent_secret_custody | forbidden | forbidden | — |
| scoped_policy_automation | forbidden | forbidden | — |
Trust boundary
The companion is not trusted with key custody. It routes static and animated nsealr1: QR requests to the device and verifies signed responses against nSealr/specs fixtures. The vault performs trusted display review with detail pages, so that long content and tags reach the user without truncation; binds the local approval action to the exact reviewed material through approval_digest; and signs with BIP-340/secp256k1.
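
The binding between review and approval described above can be sketched as follows. This is an added example, not code from nSealr or its specs: the digest construction, the `DOMAIN` tag, the `ReviewSession` class and the sample event are assumptions for illustration (the actual format is defined by the approval-digest-v0 contract). Only the event id follows the public Nostr NIP-01 serialization.

```python
import hashlib
import hmac
import json

DOMAIN = b"example-approval-digest"  # hypothetical domain tag, not from nSealr/specs

def nostr_event_id(ev: dict) -> str:
    # NIP-01 id: SHA-256 of the compact JSON array
    # [0, pubkey, created_at, kind, tags, content], UTF-8 encoded.
    arr = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(arr, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()

def approval_digest(request_id: str, ev: dict) -> str:
    # Assumed construction: hash a domain tag, the request id and the event id,
    # length-prefixing each part so field boundaries cannot be shifted.
    h = hashlib.sha256()
    for part in (DOMAIN, request_id.encode(), bytes.fromhex(nostr_event_id(ev))):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()

class ReviewSession:
    """Holds the digest of what was displayed; kept in RAM only."""

    def __init__(self):
        self._reviewed = None

    def review(self, request_id: str, ev: dict) -> str:
        # Called once every detail page has been shown to the user.
        self._reviewed = approval_digest(request_id, ev)
        return self._reviewed

    def approve(self, request_id: str, ev: dict) -> str:
        # Called on the physical button press: recompute the digest over the
        # material about to be signed and refuse if it differs from the review.
        if self._reviewed is None:
            raise PermissionError("nothing reviewed")
        ok = hmac.compare_digest(approval_digest(request_id, ev), self._reviewed)
        self._reviewed = None  # one approval per review
        if not ok:
            raise PermissionError("material changed after review")
        return nostr_event_id(ev)  # the 32-byte message a BIP-340 signer would sign

# Constructed sample event (not a real key or note).
SAMPLE = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 1,
          "tags": [["t", "demo"]], "content": "hello"}
```
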