🛡️ Security & Integrity
Security is not an add-on; it is the foundation of CLAW Wallet.
🔑 Key Management
- Encryption: Private keys are encrypted using AES-256-GCM.
- Derivation: Keys are derived using Scrypt or stored in secure HSM providers.
- Zero-Storage of Master Keys: The server only holds the encrypted blobs; the decryption key must be provided via environment or KMS at runtime.
🚧 Authentication Tiers
We implement a tiered API key system:
- Admin Key: Required for system setup, migrations, and creating scoped keys.
- Standard Key: Read/Write access to specific wallets.
- Restricted Key: Read-only or single-chain access.
🛡️ Policy Engine Tiers
| Tier | Enforcement | Use Case |
|---|---|---|
| Auto-Approve | Instant | Small gas payments, known whitelists |
| Soft Limit | Log + Warning | Thresholds for monitoring |
| Hard Limit | Block | Strictly enforced safety caps |
| HITL | Wait for Webhook | Large transfers, protocol interactions |
📦 Rate Limiting
Rate limiting is enforced at the middleware level based on the API key tier and IP address to prevent DoS attacks on the RPC nodes.