GANDALF — Development Wallet Extension
Rust Core • WASM Boundary • Secrets Shall Not Pass
A Chrome Manifest V3 wallet built for protocol developers — with every security-critical operation locked inside Rust compiled to WebAssembly, so JavaScript never touches a plaintext secret. Argon2id and XChaCha20-Poly1305 seal the vault; BIP39 mnemonics and HD derivation drive Ed25519 signing on Tetra and ECDSA/Schnorr signing on a private Bitcoin devnet, from segwit to Taproot. Strict CSP, no content scripts, no remote code: a wallet for devnets that takes security more seriously than most wallets for mainnet.
Browser Wallets Trust JavaScript Too Much
Extension wallets live in the most hostile runtime there is — and most of them keep their deepest secrets in the scripting language of that runtime.
Secrets in Script Memory
Typical extension wallets decrypt mnemonics and keys straight into JavaScript objects — inspectable, copyable, and never reliably erased by a garbage collector.
Sprawling Attack Surface
Content scripts injected into every page, remote code, and deep dependency trees each add a path from a hostile web page to your keys.
Devnets Get Leftover Wallets
Protocol developers test custom chains and private Bitcoin networks with mainnet wallets that don't speak their protocols — or with real-fund wallets that shouldn't be anywhere near a debugger.
Dated Vault Crypto
Wallet vaults still lean on fast, GPU-friendly KDFs, leaving exported or synced vault files one wordlist away from compromise.
A Wallet Where JavaScript Never Sees a Secret
Gandalf draws one hard line: everything security-critical lives in Rust compiled to WebAssembly. JavaScript renders screens and relays messages — signatures come out, secrets never do.
The WASM Wall
All key handling lives in the gandalf-core and gandalf-wasm Rust crates. The serialized WASM boundary never returns plaintext secrets, and sensitive buffers are zeroized after use.
Modern Vault Crypto
The vault is sealed with an Argon2id KDF — memory-hard by design — and XChaCha20-Poly1305 authenticated encryption with authenticated metadata.
Multi-Ledger by Design
One BIP39 seed, HD path m/1204'/1980'/account'/0/0, two signature families: Ed25519 for Tetra, k256 ECDSA and Schnorr for Bitcoin — bech32 and bs58 addresses included.
Strict MV3 Posture
Strict Content-Security-Policy, no content scripts, no remote code. The extension asks for storage and an optional local-node host permission — nothing more.
Four Layers, One Hard Boundary
The stack is organized around a single principle: the further up you go, the less there is to steal. Everything above the WASM boundary handles only public data.
Extension Shell
Manifest V3 popup, onboarding tab, and background service worker with shared typed messages. It renders accounts, addresses, and confirmations — and holds nothing worth stealing.
WASM Boundary
The gandalf-wasm crate exposes a serialized API that by construction never returns plaintext secrets. Requests go in, signatures and public data come out; plaintext buffers are zeroized behind the wall.
Multi-Ledger Wallet Core
gandalf-core implements BIP39 mnemonics, HD derivation at m/1204'/1980'/account'/0/0, and per-ledger signing: Ed25519 for Tetra; k256 ECDSA and Schnorr for the Bitcoin devnet, covering BIP143 P2WPKH segwit and BIP341 P2TR Taproot key-path spends.
Vault Foundation
An encrypted vault sealed with Argon2id and XChaCha20-Poly1305 with authenticated metadata — wrong-password and tamper cases are covered by tests, alongside 32 Rust tests across the gandalf crates.
Life of a Signature
From password to broadcast, secrets exist only inside the WASM module — and only for as long as the operation needs them.
Unlock
Password → WASMWhat Happens
- Argon2id stretches the password into a vault key
- XChaCha20-Poly1305 decrypts the vault inside WASM
- Authenticated metadata rejects tampered vaults
- Wrong-password paths covered by dedicated tests
Derive
One Seed, Two LedgersWhat Happens
- BIP39 mnemonic expands to the HD tree
- Path m/1204'/1980'/account'/0/0 selects the account
- Ed25519 keys for Tetra, k256 for Bitcoin
- bech32 and bs58 addresses surface as public data
Sign
Inside the WallWhat Happens
- Transaction reviewed in the UI — amount, fee, inputs, change
- Ed25519 signing for Tetra transfers
- BIP143 P2WPKH and BIP341 Taproot key-path signing for Bitcoin
- Only the finished signature crosses into JavaScript
Zeroize & Broadcast
CleanupWhat Happens
- Plaintext buffers zeroized after use
- Signed transaction submitted to the target devnet
- Confirmation tracked against Tetra or the private Bitcoin fork
- End-to-end proof: P2WPKH send and P2TR round trip confirmed on the devnet
Ten Stages, Acceptance-Tested
Gandalf follows a staged roadmap where an item moves to done only after its acceptance tests pass. Stages 0–6 are complete; the path to release is explicit.
Stages 0–6 + Bitcoin
ShippedDelivered
- Rust core, vault crypto, and the sealed WASM boundary
- MV3 shell, onboarding, accounts, read-only sync
- First end-to-end Tetra transfer on a five-node localnet
- Bitcoin devnet adapter: segwit and Taproot sends confirmed
Reliability & Recovery
Stage 7Planned Deliverables
- Failure handling matrix — funds, network, expiry, duplicates
- Encrypted vault export and import
- Password-authorized mnemonic reveal
- Service-worker restart resilience tests
Security & Release
Stage 8Planned Deliverables
- Dependency and license review, fuzzing, threat-model review
- No secrets in logs, analytics, or clipboard persistence
- Chrome end-to-end test suite
- Reproducible builds and install documentation
Extended Capabilities
Stages 9–10Planned Deliverables
- Fee-economics simulator with governed parameters
- Multi-asset transfers and script budgets
- Website connectivity once wallet-owned transfers are stable
- Additional ledger adapters (Cardano next)
Who Gandalf Is For
A development wallet for devnets and testnets — deliberately not for mainnet funds — that treats its threat model like production anyway.
For Protocol Developers
For Security Engineers
For Wallet Builders
Draw the Line Below JavaScript
Whether you're building a wallet, hardening an extension, or standing up a devnet your team can actually test against — let's talk about putting the secrets where the scripts can't reach.