Purpose: Define what airseed is allowed to do, what it intentionally does not do, and which
safety boundaries future implementation must preserve.
Status: normative
Read this when: You are implementing or reviewing mnemonic generation, key derivation, output handling, dependency choices, or environment assumptions.
Not this document: The current scaffold binary behavior or the operator workflow. Use
docs/spec/cli.md for the checked-in binary contract and
docs/runbook/offline-generation.md for the recommended environment sequence.
Defines:
- the product scope for
airseed - the cryptography and dependency posture
- the default handling rules for mnemonic, seed, and private-key material
- the environment and threat-model boundaries
airseedexists to generate mnemonic phrases offline and derive the minimum wallet material the operator needs locally.airseedis not a full wallet, custody platform, browser extension, sync client, or portfolio application.airseedis intended for air-gapped or near-air-gapped use.
- Do not implement mnemonic generation, seed derivation, or key derivation cryptography from scratch in this repository.
- Prefer maintained crates with a small and reviewable surface.
- A minimal implementation is expected to use crates in the class of
bip39,bip32,rand_core::OsRng, andzeroize. - Any future widening of the cryptographic dependency surface must be documented explicitly.
- Mnemonics, seeds, and derived private keys are secret material.
- The default flow must not write secret material to disk.
- The default flow must not send secret material over the network.
- The default flow must not require screenshots, clipboard export, or cloud backup.
- The default operator path should optimize for human transcription and verification.
- For real funds, the recommended path remains a hardware wallet.
- On general-purpose computers, this project may reduce residue risk but cannot prove that no traces exist.
- Docker is not treated as a no-trace boundary.
- Virtual machines are lower-trust than bare-metal boot on a trusted live OS.
- The current documented no-hardware route is Tails booted from USB on compatible x86-64 hardware.
- Keep the CLI small and auditable.
- Avoid background daemons, telemetry, embedded update channels, or long-running services.
- Keep chain-specific logic separate from seed-generation logic.
- If the repo later adds file export, QR export, or clipboard output, that requires explicit opt-in and a spec update.
- Any change that broadens network access, persistence, secret-export surface, or cryptographic implementation responsibility must update this spec and the related decision record in the same change.