npm - @ducat-unit/ducat-snap - Versions diffs - 0.1.0 - Mend

@ducat-unit/ducat-snap 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/AUDIT_SCOPE.md ADDED Viewed

@@ -0,0 +1,46 @@
+# Ducat Snap Audit Scope
+This file defines the minimum security review scope before publishing `@ducat-unit/ducat-snap` or submitting it for MetaMask allowlisting.
+## In Scope
+- `snap.manifest.json` permissions and allowed origins.
+- BIP32 entropy use for `m/84'/1'` and `m/86'/1'`.
+- Local BIP32 child derivation in `src/bip32.ts`.
+- Account derivation in `src/accounts.ts`.
+- BIP322-style message signing in `src/message.ts`.
+- PSBT parsing, validation, summarization, and signing in `src/psbt.ts`.
+- Taproot script-path commitment verification in `src/psbt.ts`.
+- Ducat vault sequence and OP_RETURN return-data decoding in `src/psbt.ts`.
+- Transfer construction, signing, and broadcast in `src/transfer.ts`.
+- RPC routing and origin authorization in `src/rpc.ts`.
+- User confirmation content in `src/confirmations.ts`.
+- State storage in `src/state.ts`.
+- Home page network fetches in `src/home.ts`.
+- Build artifacts produced by `npm run verify`.
+## Required Findings To Rule Out
+- Any path that exports, logs, stores, or returns private keys or raw entropy.
+- Any signing path that signs an input not explicitly listed in `signInputs`.
+- Any signing path that signs inputs for addresses not derived by the Snap.
+- Any irreversible operation that can proceed without a MetaMask confirmation.
+- Any mainnet key path, address, broadcast endpoint, or signing support in V1.
+- Any unauthorized origin able to invoke Snap RPC methods.
+- Any malformed PSBT, wrong-network PSBT, unknown address, or unknown input index that is accepted.
+- Any package dependency that violates MetaMask Snap SES constraints or creates avoidable key-management risk.
+- Any Taproot script-path behavior that signs a Ducat vault input without proving the tapleaf commits to the prevout output key and contains the derived vault pubkey.
+## Audit Evidence
+The final audit package should include:
+- Public source repository URL.
+- Audited commit hash.
+- Fixed commit hash, if fixes are required.
+- `npm pack --dry-run` output.
+- `npm audit --omit=dev` output.
+- `npm run verify` output.
+- Snapper/security scan output.
+- Final `snap.manifest.json` shasum.
+- Demo video URL following `DEMO_SCRIPT.md`.

package/DEMO_SCRIPT.md ADDED Viewed

@@ -0,0 +1,35 @@
+# Ducat Snap Demo Script
+Use this script for the MetaMask allowlist/directory submission video. Record against the audited build and the same package version submitted to npm.
+## Setup
+1. Build and serve the Snap with `npm run verify` and `npm run serve`.
+2. Configure the Ducat frontend with `NEXT_PUBLIC_DUCAT_SNAP_ID` pointing at the local Snap during pre-submission testing, or `npm:@ducat-unit/ducat-snap` for the npm build.
+3. Use signet or mutinynet only.
+4. Fund the Snap-derived sats account with test BTC.
+## Recording Steps
+1. Open the Ducat frontend and choose MetaMask from the wallet list.
+2. Show the MetaMask Snap install request and permissions.
+3. Approve the Snap installation.
+4. Connect and show the derived `sats`, `runes`, and `vault` addresses in the Ducat app.
+5. Open MetaMask Snap home and show account addresses, BTC balance, UNIT balance, vault status, recent actions, clickable HTTPS app links, and copyable local routes.
+6. Execute or stage a create-vault flow and show the compact Ducat PSBT confirmation summary, inputs, outputs, fees, warnings, and app metadata.
+7. Execute or stage deposit BTC and show the confirmation summary.
+8. Execute or stage borrow UNIT and show the confirmation summary.
+9. Execute or stage repay UNIT and show the confirmation summary.
+10. Execute or stage withdraw BTC and show the confirmation summary.
+11. Execute or stage UNIT swap and show the confirmation summary.
+12. Execute or stage liquidation/repossess and show the batch confirmation.
+13. Sign an authentication message and show the message confirmation.
+14. Disable and re-enable the Snap, then reconnect from the Ducat frontend.
+## Evidence To Capture
+- Every irreversible signing action shows a MetaMask confirmation.
+- Confirmations include origin, network, signed input indexes, output summary, and fee when calculable.
+- Private keys are never exported or shown.
+- Mainnet is not available in the V1 manifest or UI.
+- Xverse and UniSat remain available in the wallet list.

package/DEPENDENCY_AUDIT.md ADDED Viewed

@@ -0,0 +1,36 @@
+# Dependency Audit Notes
+Last local production audit:
+```bash
+npm run audit:prod
+```
+Result: 0 production vulnerabilities.
+Last local full audit:
+```bash
+npm audit
+```
+Result: 31 development-toolchain vulnerabilities, all low or moderate.
+## Current Assessment
+The published Snap package contains the production bundle and release metadata. `npm audit --omit=dev` is clean for production dependencies.
+Direct `dependencies` and `devDependencies` in `package.json` are pinned to exact versions. Transitive dependency versions are locked by `package-lock.json`.
+The full audit findings are in development tooling paths, primarily transitive dependencies of MetaMask Snap build/test tooling. `npm audit fix --package-lock-only` did not resolve them. npm reports that the remaining forced path would install older breaking versions of MetaMask Snap packages, so it was not applied locally.
+## Release Requirement
+Before public submission, re-run:
+```bash
+npm audit
+npm run audit:prod
+```
+Then review whether newer compatible MetaMask Snap SDK/CLI releases are available, or document auditor approval for the remaining dev-toolchain findings if production dependencies remain clean.

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Ducat
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/LISTING.md ADDED Viewed

@@ -0,0 +1,44 @@
+# Ducat Snap Listing
+## Short Description
+Ducat Bitcoin accounts and Ducat-aware transaction signing in MetaMask.
+## Long Description
+Ducat is a MetaMask Snap for using Ducat with Bitcoin signet and mutinynet accounts derived inside MetaMask. The Snap derives deterministic testnet Bitcoin accounts from the user's MetaMask Secret Recovery Phrase, keeps private keys inside MetaMask, and signs only explicit PSBT inputs requested by the Ducat web app.
+The Ducat web app remains the action surface for create, deposit, borrow, repay, withdraw, swap, liquidation, and repossess flows. The Snap provides account discovery, BIP322-style message signing, PSBT signing, batch PSBT signing, a simple transfer path, Ducat-aware MetaMask confirmations, pending/completed/failed action notifications, recent action history, and a Snap home page with copyable account addresses, BTC/UNIT balance, vault summary lookups, recent activity, and Ducat app routes.
+Mainnet is intentionally not enabled in this release.
+## Permissions Rationale
+- `endowment:rpc`: Allows only approved Ducat frontend origins to invoke the Snap.
+- `snap_getBip32Entropy`: Derives Bitcoin testnet account keys for `m/84'/1'` and `m/86'/1'`.
+- `snap_dialog`: Shows mandatory confirmations before message signing, PSBT signing, batch signing, or transfers.
+- `snap_manageState`: Stores recent Ducat action metadata for Snap home.
+- `snap_notify`: Shows informational MetaMask notifications for pending approvals, completed actions, and failed non-rejection actions.
+- `endowment:page-home`: Shows Ducat account status and Ducat app routes in MetaMask.
+- `endowment:network-access`: Fetches public balance, vault, fee, UTXO, and broadcast data.
+- `endowment:lifecycle-hooks`: Shows the install notice.
+## Screenshot Checklist
+- Install approval screen for the Ducat Snap.
+- Ducat app wallet modal showing MetaMask as a connector.
+- Connected Ducat account addresses.
+- PSBT confirmation for create or deposit showing an action title, origin, testnet network, compact summary rows, signed input details, output details, fees, warnings, and Ducat app metadata.
+- Batch confirmation for liquidation or repossess showing all-or-nothing signing, per-transaction rows, total fee, and warnings.
+- Message signing confirmation showing origin, network, signing account, BIP322 signature type, message fingerprint, message length, and copyable message body.
+- Transfer confirmation showing amount, fee, the `You pay` amount, change, sender, recipient, selected UTXOs, and broadcast endpoint.
+- Snap home showing structured cards for accounts, BTC balance, UNIT balance, vault status, recent actions, clickable HTTPS app links, and copyable local development routes.
+## Listing Asset Checklist
+- Square icon: `images/icon.svg`.
+- Screenshots captured from the audited build.
+- Demo video following `DEMO_SCRIPT.md`.
+- Privacy policy from `PRIVACY.md` or approved legal URL.
+- Support and escalation contact from `SUPPORT.md`.
+- Security disclosure process from `SECURITY.md`.

package/PRIVACY.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Privacy Policy
+Last updated: 2026-06-12
+The Ducat Snap derives Bitcoin accounts locally inside MetaMask using the user's MetaMask Secret Recovery Phrase. Private keys never leave MetaMask.
+The Snap stores only recent Ducat action metadata needed for the Snap home page, such as action type, action title, status, network, origin, timestamp, approximate amount, summary text, and transaction IDs. The Snap also remembers the last connected Ducat app origin and network so Snap Home can show the correct testnet and Ducat app routes.
+The Snap may query public Bitcoin indexer APIs and Ducat validator APIs to display balances, display vault status, estimate fees, fetch UTXOs, and broadcast transactions. Those services may receive public Bitcoin addresses, transaction identifiers, requested network, and normal request metadata such as IP address and user agent.
+The Snap does not collect analytics, sell user data, or expose private keys. The Snap does not store seed phrases, private keys, or signed transaction secrets in Snap state.
+Users can remove locally stored recent-action metadata by invoking the confirmed `ducat_clearRecentActions` RPC method from an approved Ducat frontend origin, or by removing the Snap from MetaMask.

package/README.md ADDED Viewed

@@ -0,0 +1,234 @@
+# Ducat MetaMask Snap
+`@ducat-unit/ducat-snap` is the Ducat Bitcoin account and signing Snap for MetaMask.
+The Snap derives deterministic Bitcoin testnet accounts from the user's MetaMask Secret Recovery Phrase and exposes a small Ducat JSON-RPC API to the Ducat frontend. The Ducat web app remains the action surface. Users create, deposit, borrow, repay, withdraw, swap, and liquidate in the web app; the Snap handles account derivation, MetaMask confirmations, PSBT/message signing, transfer signing, recent action state, action notifications, and a Snap home page.
+## Launch Scope
+- Proposed Snap name: `Ducat`
+- npm package: `@ducat-unit/ducat-snap`
+- Snap ID after publish: `npm:@ducat-unit/ducat-snap`
+- Local development Snap ID: `local:http://localhost:8080`
+- V1 networks: `signet` and `mutinynet`
+- Mainnet: intentionally disabled until audit, soak testing, and allowlist approval
+- Derivation paths:
+  - sats: `m/84'/1'/0'/0/0`, P2WPKH `tb1q...`, compressed 33-byte public key
+  - runes/vault: `m/86'/1'/0'/0/0`, P2TR `tb1p...`, x-only 32-byte internal public key
+## Requirements
+- Node.js and npm. The repo is currently verified with the bundled Codex Node runtime, Node `24.14.0`.
+- MetaMask with Snaps support.
+- For `local:http://localhost:8080`, MetaMask must allow local Snap fetching. If MetaMask shows `Fetching local snaps is disabled`, enable local Snap development in MetaMask/Flask developer settings, then retry the install/update.
+- A Ducat frontend checkout configured to use this Snap. The current integration branch uses `/Users/lucasrodriguez/Desktop/Ducat/frontend-metamask-snap`.
+## Install
+```bash
+cd /Users/lucasrodriguez/Desktop/Ducat/SNAP
+npm ci
+```
+## Verify
+Use the normal development gate while editing:
+```bash
+npm run type-check
+npm test
+npm run build
+npm run manifest
+```
+Or run the combined gate:
+```bash
+npm run verify
+```
+The stricter release gate also runs the production dependency audit, Snapper, and an npm package dry-run:
+```bash
+npm run verify:release
+```
+## Run Locally
+Serve the Snap manifest and bundle:
+```bash
+cd /Users/lucasrodriguez/Desktop/Ducat/SNAP
+npm run serve
+```
+The Snap is served from:
+```text
+http://localhost:8080
+```
+Every source, dependency, or icon change can change `snap.manifest.json`'s `source.shasum`. After changing the Snap, run:
+```bash
+npm run build
+npm run manifest
+```
+Then restart `npm run serve` if the server is already running.
+## Frontend Setup
+In the Ducat frontend `.env.local`, point the MetaMask connector at the local Snap:
+```bash
+NEXT_PUBLIC_DUCAT_SNAP_ID="local:http://localhost:8080"
+NEXT_PUBLIC_DUCAT_SNAP_VERSION=""
+```
+For the published Snap, use:
+```bash
+NEXT_PUBLIC_DUCAT_SNAP_ID="npm:@ducat-unit/ducat-snap"
+NEXT_PUBLIC_DUCAT_SNAP_VERSION="^0.1.0"
+```
+Run the frontend on an origin allowed by `snap.manifest.json`, for example:
+```bash
+cd /Users/lucasrodriguez/Desktop/Ducat/frontend-metamask-snap
+npm run dev -- -p 3002
+```
+Allowed local origins are:
+- `http://localhost:3000`
+- `http://localhost:3001`
+- `http://localhost:3002`
+- `http://localhost:3003`
+Allowed HTTPS QA origins are:
+- `https://dev-git-feat-metamask-snap-connector-ducat.vercel.app`
+These localhost origins are intentionally present for local development and Snap QA only. Do not remove them from the development manifest during local testing.
+### Known Deferred Issue: Localhost Manifest Origins
+`snap.manifest.json` currently includes localhost origins. That is intentional for local Snap development and QA, but the current development manifest is not directory-ready. Do not remove the localhost origins in this iteration; handle this as a dedicated release-manifest task before MetaMask submission.
+Release update plan:
+1. Keep the current development manifest available for local Snap testing.
+2. Add a release manifest path or manifest-generation mode that removes every localhost origin.
+3. Keep only approved HTTPS Ducat frontend origins in `endowment:rpc.allowedOrigins`.
+4. Rebuild from the audited commit and regenerate the Snap manifest source shasum.
+5. Update all release artifacts from that exact build: `RELEASE_EVIDENCE.md`, `AUDITOR_HANDOFF.md`, `submission/metamask-directory.json`, `submission/ALLOWLIST_SUBMISSION.md`, package shasum/integrity, screenshots, demo notes, and frontend production Snap env values.
+6. Run `npm run build`, `npm run manifest`, `npm run verify:release-manifest`, `npm run verify:release`, and `npm run verify:submission-ready`.
+7. Retag the final audit or submission candidate only after the release manifest, package evidence, and submission metadata are synced.
+## MetaMask Local Update Flow
+1. Run `npm run serve` in this repo.
+2. Run the frontend with `NEXT_PUBLIC_DUCAT_SNAP_ID="local:http://localhost:8080"`.
+3. Connect MetaMask from the Ducat wallet picker.
+4. If the Snap was already installed and the local shasum changed, use the frontend `Update Snap` button in the wallet picker or connected wallet dropdown.
+5. Approve the MetaMask update prompt.
+6. Retry the Ducat action.
+The connector intentionally does not call `wallet_requestSnaps` before every signature. Signing methods use `wallet_invokeSnap` against the installed Snap, so a stale local build must be updated explicitly.
+## JSON-RPC API
+- `ducat_getAccounts({ network })`
+- `ducat_clearRecentActions()`
+- `ducat_getCapabilities()`
+- `ducat_signMessage({ network, address, message })`
+- `ducat_signPsbt({ network, psbt, signInputs, context })`
+- `ducat_signBatch({ network, entries, context })`
+- `ducat_sendTransfer({ network, address, amountSats, feeRate })`
+- `ducat_getHomeState({ network })`
+## What Users See
+MetaMask confirmations are intentionally action-specific and use structured sections and rows:
+- Message signing shows the Ducat action label, origin, testnet network, signing account, BIP322 signature type, message length, message fingerprint, and copyable message body.
+- PSBT signing shows the Ducat action label, origin, testnet network, compact summary rows, signed input details, output details, fee, warnings, and Ducat app metadata.
+- Batch signing shows transaction count, all-or-nothing semantics, total fee, per-transaction summaries, and warning count.
+- Simple BTC transfer shows amount, estimated fee, the `You pay` amount, change, sender, recipient, selected UTXO count/value, and broadcast endpoint.
+- Snap Home shows structured cards for the last connected network, copyable BTC/UNIT/vault addresses, BTC and UNIT balances when services are available, vault status, recent action status, clickable links for HTTPS Ducat app origins, and copyable local routes during development. Approved Ducat origins can request a confirmed recent-action history clear.
+- MetaMask notifications announce pending approvals, completed signing/broadcast actions, and non-rejection failures. Notifications are informational only and never gate signing behavior.
+Errors returned to the frontend are friendly by default and include a stable `code` plus diagnostic `details` for developers. The frontend should display the `message` and keep details available for expanded debugging.
+## Troubleshooting
+| Symptom | Likely Cause | Fix |
+| --- | --- | --- |
+| `Fetching local snaps is disabled` | MetaMask local Snap development is disabled. | Enable local Snap fetching in MetaMask/Flask developer settings, then retry install/update. |
+| MetaMask asks to reinstall before signing | The served local Snap shasum changed. | Run `npm run build && npm run manifest`, restart `npm run serve`, then use the frontend `Update Snap` button. |
+| `This site is not authorized to use the Ducat Snap` | The frontend origin is not in `snap.manifest.json`. | Use one of the allowed local origins or add the origin intentionally and regenerate the manifest. |
+| `This transaction is trying to spend an input from a different Ducat Snap account` | The PSBT input does not match the derived Snap account requested in `signInputs`. | Refresh the frontend wallet account state and rebuild the Ducat transaction. Use diagnostic details to compare expected and actual input addresses. |
+| Balance or vault status is unavailable on Snap Home | Public indexer or Ducat validator lookup timed out or failed. | Retry later. Signing still uses PSBT data supplied by the Ducat app. |
+## Security Model
+- Private keys never leave the Snap.
+- The Snap only requests testnet BIP32 entropy paths in v1.
+- Mainnet requests are rejected.
+- Only explicit `signInputs` indexes are signed.
+- Signing is restricted to derived Ducat Snap accounts.
+- Every message, PSBT, batch, and transfer signing path requires MetaMask confirmation.
+- Friendly frontend action context is display metadata only. Parsed PSBT data is the trusted signing summary.
+- Unauthorized origins cannot invoke the Snap RPC API.
+### Taproot Script-Path Policy
+Vault PSBTs that spend Taproot script-path inputs must include tapleaf and control-block data that recomputes to the prevout P2TR output key. The Snap rejects uncommitted script-path inputs even if the leaf contains the derived Ducat vault key.
+Mainnet support still requires a separate audit pass, but the signet/mutinynet Snap no longer contains the earlier alpha fallback that accepted uncommitted tapleaf data.
+## Audit Readiness Plan
+Use this plan to move the current audit candidate from "ready to review" to "ready to submit". Do not change `snap.manifest.json` localhost origins as part of this note; handle that as a dedicated release-manifest task before external submission.
+Current candidate progress: duplicate previous-output rejection, missing previous-output data rejection, oversized signing request rejection, PSBT input/output size guard coverage, suspicious data-output warnings, malformed transfer broadcast txid rejection, bounded primitive app-context metadata validation, hostile app-context containment for decoded vault data, create/borrow/repay/withdraw/repo/liquidate vault action decode coverage, malformed Snap Home balance and vault-data rejection, public-account fixture replay for captured PSBT confirmation text, a HTTPS-only release-manifest verifier, and a final submission-readiness gate for fixtures, E2E evidence, screenshots, audit/demo URLs, and npm metadata are implemented. Remaining external evidence work is real transaction fixture capture, full E2E recording, final support/privacy/escalation details, npm publish evidence, and the third-party audit report.
+1. Expand the Ducat transaction fixture corpus. Capture real client-sdk/validator PSBT fixtures for create, deposit, borrow, repay, withdraw, swap, liquidation, and repossess flows on mutinynet/signet. Include the exact Snap `WalletAccountRecord` and expected confirmation text so `npm run verify:fixtures` can replay OP_RETURN decoding, action labels, vault state summaries, data-output labels, warning behavior, and confirmation rendering without private keys.
+2. Harden PSBT policy tests. Add adversarial cases for wrong network, unknown sign indexes, duplicate inputs, mixed account ownership, malicious frontend context, malformed data outputs, uncommitted Taproot script-path inputs, missing previous-output data, and suspicious zero-value outputs.
+3. Split development and release configuration. Keep localhost origins and `local:http://localhost:8080` for development, but create a release manifest path that allows only approved HTTPS Ducat origins. Update CI to verify the release manifest, package shasum, and submission metadata together.
+4. Complete E2E evidence. Record install, update, connect, reload reconnect, create, deposit, borrow, repay, withdraw, swap, liquidation, repossess, rejection, and disabled/re-enabled Snap flows using the same candidate bundle submitted to audit.
+5. Lock the external submission packet. Finalize privacy/support/escalation contacts, screenshots, demo video, npm publish evidence, audited commit, fixed commit if needed, and the audit report. Update `submission/ALLOWLIST_SUBMISSION.md`, `submission/metamask-directory.json`, and `RELEASE_EVIDENCE.md` from that final candidate.
+## Release Path
+1. Confirm `npm run verify:release` passes from a clean checkout.
+2. Update `RELEASE_EVIDENCE.md` for the audited candidate.
+3. Tag the audit candidate.
+4. Complete the third-party audit required for `snap_getBip32Entropy`.
+5. Merge any audit fixes and tag the fixed candidate.
+6. Publish `@ducat-unit/ducat-snap@0.1.0` to npm.
+7. Replace pending external fields in `submission/metamask-directory.json` and `submission/ALLOWLIST_SUBMISSION.md`.
+8. Capture real PSBT fixtures into `submission/fixtures/`.
+9. Capture final E2E evidence into `submission/e2e/evidence.json`.
+10. Capture final screenshots into `submission/screenshots/`.
+11. Record the demo video using `DEMO_SCRIPT.md`.
+12. Run `npm run verify:submission-ready`.
+13. Submit the MetaMask allowlist/directory request with audit report, npm URL, public repo URL, demo video, support details, and listing assets.
+## Useful Commands
+```bash
+npm run type-check
+npm test
+npm run build
+npm run manifest
+npm run serve
+npm run verify
+npm run verify:release
+npm run verify:metadata
+npm run verify:submission-ready
+npm run audit:prod
+npm run pack:dry-run
+```

package/RELEASE_CHECKLIST.md ADDED Viewed

@@ -0,0 +1,51 @@
+# Ducat Snap Release Checklist
+## Pre-Submission
+- [x] Public repository contains the current audit-candidate source commit.
+- [x] `.github/workflows/verify.yml` succeeds on the current audit candidate.
+- [x] `npm run verify:release` succeeds locally.
+- [ ] `submission/metamask-directory.json` pending external fields are replaced.
+- [ ] `npm run verify:submission-ready` succeeds after external evidence is complete.
+- [x] `npm run pack:dry-run` output reviewed.
+- [x] `npm run audit:prod` output reviewed.
+- [x] Dependency audit reviewed.
+- [x] Snapper/security scan reviewed.
+- [x] Console logs, unused permissions, accidental placeholders, and dead RPC methods removed or documented as external gates.
+- [x] Alpha Taproot script-path compatibility fallback in `src/psbt.ts` was removed and replaced with committed tapleaf verification.
+- [ ] Real create/deposit/borrow/repay/withdraw/swap/liquidation/repossess PSBT fixtures captured in `submission/fixtures/`.
+- [ ] Final signet/mutinynet E2E evidence captured in `submission/e2e/evidence.json`.
+- [ ] Third-party audit completed because the Snap uses `snap_getBip32Entropy`.
+- [ ] Audit fixes merged and tagged.
+## Listing Assets
+- [x] Icon.
+- [ ] `submission/screenshots/` contains final screenshots.
+- [ ] Screenshots captured from the audited build using `LISTING.md`.
+- [x] Short description from `LISTING.md`.
+- [x] Long description from `LISTING.md`.
+- [x] Privacy policy.
+- [ ] Support and escalation contact.
+- [ ] Demo video recorded with `DEMO_SCRIPT.md`, showing install, connect, create/deposit/borrow/repay/withdraw/swap/liquidation signing, and Snap home.
+## Publish
+- [ ] Publish `@ducat-unit/ducat-snap` to npm.
+- [ ] Submit MetaMask allowlist/directory request with:
+  - [ ] audited commit
+  - [ ] fixed commit
+  - [ ] audit report
+  - [ ] npm URL
+  - [ ] public repo URL
+  - [ ] demo video
+  - [ ] support details
+  - [ ] listing assets
+## Production Cutover
+- [ ] MetaMask allowlist approval received.
+- [ ] Frontend production config uses `NEXT_PUBLIC_DUCAT_SNAP_ID=npm:@ducat-unit/ducat-snap`.
+- [ ] Frontend production config uses the approved release range in `NEXT_PUBLIC_DUCAT_SNAP_VERSION`.
+- [ ] Existing Xverse and UniSat regression flows pass.
+- [ ] Signet/mutinynet install, connect, create, deposit, borrow, repay, withdraw, swap, and liquidation/repossess E2E scenarios pass.

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Security
+Report security issues privately to the Ducat maintainers before public disclosure.
+Production release requirements:
+- Third-party audit for key-management usage of `snap_getBip32Entropy`.
+- MetaMask allowlist/directory review.
+- Dependency audit and Snapper/security scan.
+- No mainnet permissions until the mainnet release audit delta is complete.
+V1 signs only explicit PSBT input indexes that match the Snap-derived signet/mutinynet addresses.

package/SNAPPER_REVIEW.md ADDED Viewed

@@ -0,0 +1,34 @@
+# Snapper Review
+Last local command:
+```bash
+npx --yes @sayfer_io/snapper --path . --output snapper-report.json
+```
+Local result: 184 findings, all risk 1 and all under the `ESLinting` category.
+## Addressed Findings
+The first local scan reported 105 findings. The implementation now fixes the non-style/high-signal findings from that run:
+- Removed an unused `Buffer` import.
+- Replaced empty catch handling with explicit behavior.
+- Removed duplicate taproot key update catch logic by validating `tapInternalKey` before signing.
+- Removed an unused function parameter.
+- Removed an unused type import introduced during the confirmation cleanup.
+- Replaced `||` fallback logic with `??` where empty strings should remain meaningful.
+- Removed the content-type false positive from the hardcoded-secret detector.
+## Remaining Finding Summary
+- 167 missing JSDoc comments.
+- External API response fields using snake_case, such as Esplora and Ducat validator fields (`funded_txo_sum`, `spent_txo_sum`, `chain_stats`, `mempool_stats`, and vault summary fields).
+- One object literal key using `vault_pubkey`, matching the Ducat validator API.
+- One `hmac(sha512, ...)` style warning in local BIP32 derivation.
+## Review Notes
+The remaining findings should be reviewed by the external Snap auditor, but they are not currently treated as local release blockers because they are style or scanner-policy findings rather than signing, key-export, origin-authorization, confirmation-bypass, or network-scope findings.
+The generated `snapper-report.json` is intentionally ignored and not included in the npm package because it contains machine-local absolute paths. Keep it with release evidence for the audited commit rather than committing it to the public source repository.

package/SUPPORT.md ADDED Viewed

@@ -0,0 +1,9 @@
+# Support
+Use the Ducat Snap repository issue tracker for development support and bug reports:
+https://github.com/DUCAT-UNIT/ducat-snap/issues
+Security issues should not be filed as public issues. Follow `SECURITY.md` for private disclosure.
+For MetaMask directory submission, the public support URL, escalation contact, and response-time expectations must also be copied into `submission/ALLOWLIST_SUBMISSION.md`.