This is a non-custodial wallet — security is critical. Users trust us with their keys.
Private keys, mnemonics, and passwords must never appear in logs.
Store sensitive data (keys, mnemonics) using SecureStorageService, which uses the device's secure keychain/keystore.
Never trust user input or API responses. Validate before processing.
Environment variables and API keys should be in .env files, not hardcoded.

| Data | Storage | Logging |
|---|---|---|
| Private keys | SecureStorage only | Never |
| Mnemonic seeds | SecureStorage only | Never |
| Passwords/PINs | SecureStorage only | Never |
| Addresses | Any storage | Safe |
| Transaction hashes | Any storage | Safe |
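
An added example (not the project's own code) of applying the Logging column above before a value reaches a logger. The `redactForLog` helper, the field-name lists and the sample event are assumptions made for illustration. A transaction hash and a raw private key are both 32-byte hex strings, so hex found outside known-safe fields is redacted.

```typescript
// Added example; field names and patterns are assumptions, not the project's API.
const REDACTED = "[REDACTED]";
// Field names for the rows the table marks "Never" for logging.
const SECRET_KEYS = /^(private_?key|mnemonic|seed(_?phrase)?|password|pin|secret)$/i;
// Field names for the rows the table marks "Safe" for logging.
const SAFE_KEYS = /^(address|tx_?hash|transaction_?hash)$/i;
// 32-byte hex: a raw private key and a transaction hash share this shape.
const HEX_32 = /\b(0x)?[0-9a-fA-F]{64}\b/g;
// 12 to 24 lowercase words of 3-8 letters: the shape of a BIP-39 mnemonic.
// Over-matching ordinary text is acceptable here; under-matching is not.
const MNEMONIC_LIKE = /\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b/g;

// Redact secret-shaped substrings inside free text (messages, error details).
function scrubString(s: string): string {
  return s.replace(HEX_32, REDACTED).replace(MNEMONIC_LIKE, REDACTED);
}

// Return a copy of `value` that is safe to hand to a logger.
function redactForLog(value: unknown, key = ""): unknown {
  // A secret field is dropped whole, whatever its type (string, number, array).
  if (SECRET_KEYS.test(key)) return REDACTED;
  if (typeof value === "string") return SAFE_KEYS.test(key) ? value : scrubString(value);
  // Error properties are not enumerable, so handle the message explicitly.
  if (value instanceof Error) return scrubString(value.message);
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, key));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactForLog(v, k);
    return out;
  }
  return value;
}

// Constructed sample event; every value is made up for this example.
const sample = {
  event: "sign_failed",
  address: "0x" + "ab".repeat(20),
  txHash: "0x" + "cd".repeat(32),
  wallet: { privateKey: "0x" + "11".repeat(32), pin: 1234 },
  detail: "signer rejected key 0x" + "11".repeat(32),
  note: "abandon ".repeat(11) + "about",
};
console.log(JSON.stringify(redactForLog(sample), null, 2));
```
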

```bash
pnpm audit  # Check for vulnerabilities
```

Review dependency updates carefully. Supply chain attacks are real.
If you're unsure whether something is secure, ask. Security mistakes are expensive.