This repository was archived by the owner on Feb 17, 2026. It is now read-only.

Security: EmpireOperating/Embedded-Signer


SECURITY.md

Embedded Signer — Security Invariants

This library must never compromise a user's control over their secrets. Every subsystem (vault, storage, crypto, permissions, sessions) must uphold the following invariants:

Secrets at Rest

  • Never write plaintext private keys, mnemonics, or derived credentials to disk or persistent storage.
  • Only persist encrypted vault blobs, and keep their plaintext metadata to the minimum required for recovery (typically the KDF parameters, salt, nonce and authentication tag).

Decryption + Key Handling

  • Decrypt sensitive material strictly in memory and zeroize buffers when practical. Keep secrets in Buffer/Uint8Array values: JavaScript strings are immutable and cannot be wiped, so a secret that is ever converted to a string stays in memory until the garbage collector happens to reclaim it.
  • Do not stream decrypted bytes to other subsystems; pass them to a typed function for the duration of one operation instead, and zeroize them when that function returns.
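The following is an added example, not code from the Embedded-Signer project, covering both the "Secrets at Rest" and the "Decryption + Key Handling" invariants above: a vault blob that carries only what recovery needs, and an open-use-zeroize helper that hands the plaintext to one typed consumer and wipes every intermediate buffer on the way out. The blob layout, AES-256-GCM, and the scrypt parameters are assumptions made for this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

// Hypothetical blob layout for this example (not the project's vault format).
// Only non-secret recovery metadata is stored next to the ciphertext.
type VaultBlob = {
  kdf: "scrypt";
  salt: string; // base64, 16 random bytes
  iv: string;   // base64, 12-byte GCM nonce
  tag: string;  // base64, 16-byte GCM authentication tag
  ct: string;   // base64 ciphertext
};

// Assumed KDF cost; 128 * N * r = 32 MiB of memory, so raise maxmem above that.
const SCRYPT_PARAMS = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveVaultKey(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase, salt, 32, SCRYPT_PARAMS);
}

// Encrypt a secret into a blob. The caller owns `secret` and is responsible
// for zeroizing it; the derived key is wiped here.
function sealVault(secret: Buffer, passphrase: string): VaultBlob {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const key = deriveVaultKey(passphrase, salt);
  try {
    const cipher = createCipheriv("aes-256-gcm", key, iv);
    const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
    return {
      kdf: "scrypt",
      salt: salt.toString("base64"),
      iv: iv.toString("base64"),
      tag: cipher.getAuthTag().toString("base64"),
      ct: ct.toString("base64"),
    };
  } finally {
    key.fill(0);
  }
}

// Decrypt in memory, hand the plaintext to exactly one typed consumer, and
// zeroize the key and every plaintext buffer on the way out. The consumer must
// use the buffer synchronously and must not retain a reference to it.
function withVaultSecret<T>(blob: VaultBlob, passphrase: string, use: (secret: Buffer) => T): T {
  const key = deriveVaultKey(passphrase, Buffer.from(blob.salt, "base64"));
  let head: Buffer | undefined;
  let tail: Buffer | undefined;
  let plain: Buffer | undefined;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
    decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
    // GCM releases plaintext from update() before the tag has been checked.
    // Nothing touches `head` until final() has verified the tag; final() throws
    // on a wrong passphrase or a tampered blob, and the finally block wipes it.
    head = decipher.update(Buffer.from(blob.ct, "base64"));
    tail = decipher.final();
    plain = Buffer.concat([head, tail]);
    return use(plain);
  } finally {
    key.fill(0);
    head?.fill(0);
    tail?.fill(0);
    plain?.fill(0);
  }
}
```

The consumer passed to withVaultSecret should return a derived value (a signature, a public key, a boolean), never the secret itself or a string made from it. The passphrase is still a string here; that is a limitation of the runtime, not a design choice, and is the reason the derived key, not the passphrase, is what the code is able to wipe.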

Origin Binding

  • Every permission, session, and challenge must bind to an exact origin string in the form scheme://host:port, with the port written explicitly even when it is the scheme default.
  • Normalize origins before storing or comparing them, and compare normalized strings for exact equality; never use prefix or substring matching.
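One way to implement that normalization, as an added example that is not code from the Embedded-Signer project: it builds on the WHATWG URL parser that ships with Node.js, rejects anything that is not a bare origin, and always writes the port. The accepted schemes and their default ports are an assumption made for this example.

```typescript
import { URL } from "node:url";

// Assumed for this example: the schemes an embedded signer would accept and
// the default port of each, so the port can be made explicit.
const DEFAULT_PORTS: Record<string, string> = {
  "http:": "80",
  "https:": "443",
  "ws:": "80",
  "wss:": "443",
};

function normalizeOrigin(input: string): string {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    throw new Error(`invalid origin: ${JSON.stringify(input)}`);
  }

  const defaultPort = DEFAULT_PORTS[url.protocol];
  if (defaultPort === undefined) {
    throw new Error(`unsupported scheme in origin: ${url.protocol}`);
  }

  // A bare origin carries no credentials, path, query or fragment. Refusing
  // them here keeps inputs such as "https://app.example/../admin" from ever
  // becoming a permission key.
  const hasPath = url.pathname !== "" && url.pathname !== "/";
  if (url.username !== "" || url.password !== "" || hasPath || url.search !== "" || url.hash !== "") {
    throw new Error(`origin must be scheme://host:port only: ${JSON.stringify(input)}`);
  }

  // The parser has already lowercased scheme and host and applied IDNA to the
  // host; it drops the port when it equals the scheme default, so put it back.
  const port = url.port === "" ? defaultPort : url.port;
  return `${url.protocol}//${url.hostname}:${port}`;
}

// The only correct comparison is exact equality of two normalized origins.
// A prefix check would accept "https://app.example.attacker.test:443" for a
// grant made to "https://app.example".
function sameOrigin(a: string, b: string): boolean {
  return normalizeOrigin(a) === normalizeOrigin(b);
}
```

Normalize once at the trust boundary (the message handler that receives the origin from the page or browser) and store only the normalized string; everything downstream then compares strings and never re-parses.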

Canonical Challenge Serialization

  • Challenge payloads must always be serialized using the canonical JSON rules defined in src/types/canonical.ts (stable key order, no whitespace, UTF-8 encoding).
  • Hashes and signatures must be derived from the canonical serialization only.

No Blind Signing

  • All signing operations must reference structured inputs (challenge objects, canonicalized events, etc.).
  • Reject signing requests that are not tied to a defined permission and origin pair.
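The canonical-serialization and no-blind-signing invariants together, as an added example that is not code from the Embedded-Signer project. src/types/canonical.ts is not shown on this page, so the serializer below implements only the three rules the invariants state (stable key order, no whitespace, UTF-8). SHA-256 as the digest, Ed25519 as the signature scheme, and the Challenge and Permission shapes are assumptions made for this example.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Serialize a JSON value deterministically: object keys sorted, no whitespace.
// Anything JSON cannot represent is rejected instead of silently altered.
function canonicalize(value: unknown): string {
  if (value === null || typeof value === "boolean" || typeof value === "string") {
    return JSON.stringify(value);
  }
  if (typeof value === "number") {
    // JSON has no NaN/Infinity; JSON.stringify would silently emit "null".
    if (!Number.isFinite(value)) throw new TypeError("canonical JSON: non-finite number");
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (typeof value === "object") {
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) {
      throw new TypeError("canonical JSON: only plain objects are allowed");
    }
    const obj = value as Record<string, unknown>;
    // Default sort compares UTF-16 code units, the order RFC 8785 specifies.
    const keys = Object.keys(obj).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  // undefined, functions, symbols, bigint: JSON.stringify drops or throws on these.
  throw new TypeError(`canonical JSON: unsupported value of type ${typeof value}`);
}

// Hashes are computed over the UTF-8 bytes of the canonical form only.
function challengeDigest(challenge: unknown): Buffer {
  return createHash("sha256").update(canonicalize(challenge), "utf8").digest();
}

// Hypothetical structures for this example: a challenge names the origin that
// issued it and the action it authorizes; a permission is a grant to one origin.
type Challenge = { origin: string; action: string; nonce: string; issuedAt: number };
type Permission = { origin: string; actions: string[] };

class ChallengeSigner {
  private readonly privateKey: KeyObject;
  private readonly permissions: Permission[];

  constructor(privateKey: KeyObject, permissions: Permission[]) {
    this.privateKey = privateKey;
    this.permissions = permissions;
  }

  // requestOrigin must already be normalized to scheme://host:port.
  signChallenge(challenge: Challenge, requestOrigin: string): Buffer {
    if (challenge.origin !== requestOrigin) {
      throw new Error("refusing to sign: challenge origin does not match requesting origin");
    }
    const grant = this.permissions.find((p) => p.origin === requestOrigin);
    if (grant === undefined || !grant.actions.includes(challenge.action)) {
      throw new Error(`refusing to sign: no permission for ${challenge.action} at ${requestOrigin}`);
    }
    // Never sign caller-supplied bytes: the signed input is the digest of the
    // structured challenge in its canonical form.
    return sign(null, challengeDigest(challenge), this.privateKey);
  }
}

function verifyChallengeSignature(challenge: Challenge, signature: Buffer, publicKey: KeyObject): boolean {
  return verify(null, challengeDigest(challenge), publicKey, signature);
}

function newSignerKeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync("ed25519");
}
```

Because the signer accepts a Challenge object rather than bytes, a caller cannot smuggle an arbitrary transaction in as "the thing to sign"; and because the verifier recomputes the digest from the same canonical form, a relying party with the same serializer gets the same bytes regardless of the key order its own JSON library produced.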

If new constraints are discovered, amend this document and update AGENTS.md so future contributors inherit the requirements.
