PR strategy: SeedKeeper + HIL to upstream specter-diy

[Amperstrand]

Overview

Plan for submitting SeedKeeper support and HIL testing to upstream cryptoadvance/specter-diy.

PRs (in order)

PR 1: SeedKeeper keystore (#2)

Branch: feat/seedkeeper (from upstream/master)
Scope: Smartcard-based keystore, no submodule changes
Depends on: Nothing
Status: Needs security fixes (see #4), logging decision

PR 2: HIL testing framework (#3)

Branch: feat/seedkeeper-hil (from PR 1 branch)
Scope: Hardware-in-the-loop test automation
Depends on: PR 1
Status: Internal flash path broken, only works with SeedKeeper card

NOT submitted (low priority)

Bitcoin Core v30 compat (#5)

Alternative: install older Bitcoin Core. Can submit if upstream asks.

Shared-File Challenge

src/specter.py and src/main.py have changes for both SeedKeeper and HIL. Split approach:

specter.py:

• SeedKeeper PR: select_keystore() rewrite, init_apps() fix, log_exception()
• HIL PR: HIL listener, heartbeat disable, hil_test_mode import

main.py:

• SeedKeeper PR: SeedKeeper import + keystores list
• HIL PR: os.dupterm(None, 0) guard, network = "regtest" override

Pre-Submission Checklist (SeedKeeper PR)

• Remove entropy hex logging from seedkeeper_applet.py:428
• Remove exported secret hex logging from seedkeeper_applet.py:339
• Add MITM risk warning to satochip_securechannel.py docstring
• Decide on debug_trace.py (include, strip, or gate behind __debug__)
• Verify MemoryCard still works on simulator after memorycard.py changes
• Run all tests (native 5/5, micropython 30/31, integration 16/16)

Branch Workflow

upstream/master
    ├── feat/seedkeeper          ← PR 1
    │       └── feat/seedkeeper-hil  ← PR 2
    └── seedkeeper-debug         ← working branch (satochip-dev)

Submodule Policy

Our PRs do NOT touch any submodule. The USART T=1 reconfig (#1) is a separate issue for diybitcoinhardware/f469-disco.

[Amperstrand]

Update (2026-03-20) — Complete rewrite

Current branch state

seedkeeper branch (clean, squashed):
160e368 Add SeedKeeper smartcard keystore support
bff4606 Fix MemoryCard connection leak in is_available()
29c0f7f Fix Makefile echo quoting for POSIX shell compatibility  ← hardwareintheloop tip
0e56ff8 Fix HIL build targets and storage wipe
6477aeb Fix HIL reset: use TEST_RESET instead of st-info --reset
6d564cb Fix HIL race: add _detect_keystore() with retry
77dee4b Add hardware-in-the-loop testing support
df07bb6 Bump firmware version to v1.10.1 (#346)              ← upstream master

Plan: Two PRs to upstream

PR 1: HIL testing framework (branch: hardwareintheloop)

• Target: cryptoadvance/specter-diy:master
• 5 commits (77dee4b through 29c0f7f)
• Scope: UART command framework, HardwareController, Makefile targets, test infrastructure
• No SeedKeeper code
• Status: Open as PR Add hardware-in-the-loop testing support cryptoadvance/specter-diy#347 (on fork)

PR 2: SeedKeeper keystore (branch: seedkeeper)

• Target: cryptoadvance/specter-diy:master (after PR 1 merges)
• Depends on: PR 1
• 2 commits:
  • bff4606 Fix MemoryCard connection leak in is_available() (bug fix, could land independently)
  • 160e368 Add SeedKeeper smartcard keystore support (full feature)
• Scope: SeedKeeper keystore + tests + applet + secure channel
• Status: Open as PR Add SeedKeeper keystore support #21 (on fork, targets hardwareintheloop)

Open questions for upstream reviewers

1. Should PR 1 include the Makefile changes (hil/hilflash/hiltest targets)?
2. Should HIL infrastructure go in test/ only, or is src/hil.py acceptable?
3. Do we need to remove debug_trace/hil conditional imports before upstream merge?
4. Should the MemoryCard bug fix (bff4606) be a separate PR?