// the management console for Heartwood
Shape your signer.
Sapwood is the browser console for the Heartwood signer: flash firmware, provision masters, derive identities, set policies, approve requests, take backups. It is a static page with no account, no server and no analytics, and it talks to the signer over USB, through end-to-end encrypted relay commands, or via the keyless bridge daemon on your own network. Once provisioned, your keys stay on the device; the browser only ever shapes what the device will agree to do.
$ sapwood ▸ device
✓ HEARTWOOD v0.13.7 · Heltec V4 · serial connected
2 masters provisioned. 5 approved clients.
$ sapwood ▸ identities
forge npub1q3k…x7d0 tree m/0
market npub1zzj…p2q4 tree m/1
$ sapwood ▸ approvals
! kind 1 (note) · client "gossip" · waiting
[approve] [deny]
$ sapwood ▸ firmware --update
✓ signature verified · sha-256 ok
✓ Firmware updated. Rebooting.
EVERYTHING THE SIGNER NEEDS. NOTHING IT SHOULDN'T.
-
Provision
Bootstrap a device over USB from a 12/24-word mnemonic or an existing nsec, derived as a tree or used as-is. Secrets are zeroised in browser memory the moment they are transmitted.
-
Identities
Type a name; the signer derives the identity on-device from a master it already holds. No secret ever exists in the browser to steal.
-
Policies
Exact per-client allowlists of methods and event kinds, with presets for common apps. Anything outside the ceiling fails closed.
-
Approvals
A pending queue for requests that policy alone won't decide. Approve or deny from the console; the device remains the authority.
-
Firmware
Flash a new board in the browser, and update over USB or through the local bridge with the release signature and SHA‑256 verified before a byte is committed.
-
Backups
An imported key writes out as 24 BIP‑39 words that restore the identical npub, in Sapwood or the offline CLI, never on a server.
-
Connectivity
Stage WiFi and relay changes, then activate them rollback-safe, with live red/amber/green health for every relay the signer uses.
-
Logs
The device's own log stream, live in the console. Watch a request arrive, meet policy, and leave signed.
-
Phone handoff
Move the operator credential to your phone through a protected QR flow that fails closed if anything looks wrong.
WHAT A COMPROMISED BROWSER GETS: NOTHING
- No keys to take
- Master secrets never leave the ESP32. Sapwood holds a management credential, not signing power. A hostile page with full control of the console still cannot extract a key or sign an event.
- Every change is challenged
- Remote mutations require the operator key, a device-issued one-time challenge, and the current client credential, so a captured command replays as garbage.
- The button outranks the browser
- Provisioning, seed and PIN changes, factory reset and the start of any firmware update need a physical press on the device. Software can ask; only your thumb can insist.
- Bounded operator
- The operator credential can shape policies and connectivity. It cannot read or replace seeds, change the PIN, or push firmware. By design, not by promise.
THREE PATHS, ALL YOURS
USB. Plug the board in and Sapwood speaks to it directly over Web Serial: flashing, provisioning, recovery, logs. Everything stays on your desk; nothing needs a network at all.
RELAYS. Day to day, management commands travel as end-to-end encrypted Nostr events to the signer's own outbound connection. No inbound port, no port forwarding, no cloud account, no management server. The relay carries ciphertext it cannot read.
BRIDGE. A signer tethered to a Pi or any Linux box is reachable through the keyless bridge daemon on your LAN: the same console, plus daemon health and restarts, with verified firmware pushed down the tether.
Honest requirements: Web Serial means a Chromium browser (Chrome, Edge or Opera) for the USB path. Firefox and Safari don't ship it.
FIRST BOOT IN MINUTES
-
01
Plug a supported board into USB. See the boards.
-
02
Open sapwood.forgesworn.dev in a Chromium browser and follow the flasher wizard.
-
03
Provision a master (new mnemonic or existing nsec) and name your first identity.
-
04
Connect an app: Sapwood issues the
bunker://pairing for Bark, Cambium, or any NIP‑46 client.
THE WHOLE TREE
Heartwood
The core. Keys on a chip behind a physical button.
Sapwood
The management console. Shape your signer. You are here.
Cambium
The living layer on Android. A NIP‑55 signer that holds no keys.
Bark
The protective outer layer. NIP‑07 in your browser, keys nowhere near it.