// legal
Security & disclosure
Custody. Per-user Solana keypairs are generated server-side and encrypted with HKDF-derived data keys bound to a master KEK held outside the database. Decryption happens only inside a single authenticated server function.
Treasury. Hot (operational), warm (multisig), cold (offline) tiers. Cold reserve never touches application code.
Webhooks & cron. Every `/api/public/*` endpoint enforces HMAC-SHA256 verification before any side effect.
Disclosure. Responsible-disclosure inbox: security@cli.computer. Bug bounty terms will be published before mainnet.
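
Added example, not this project's code: a sketch of the verify-before-side-effect gate described under "Webhooks & cron", showing that a tampered, stale or unsigned request is rejected before the handler runs. The header names (`x-timestamp`, `x-signature`), the signed string `<timestamp>.<raw body>`, the 300-second replay window and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
MAX_SKEW = 300                       # assumed replay window, in seconds


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, timestamp_hdr, signature_hdr, body, now=None) -> bool:
    """Receiver side: True only for a fresh, correctly signed request."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp_hdr)
    except (TypeError, ValueError):
        return False                 # missing or malformed timestamp
    if abs(now - ts) > MAX_SKEW:
        return False                 # outside the replay window
    expected = sign(secret, ts, body)
    # compare_digest does not leak the first mismatching byte through timing
    return hmac.compare_digest(expected.encode(), (signature_hdr or "").encode())


def handle_public_request(headers: dict, body: bytes, side_effect, now=None) -> int:
    """Gate: the MAC is checked over the raw bytes before any parsing or write."""
    ok = verify(SECRET, headers.get("x-timestamp"),
                headers.get("x-signature"), body, now)
    if not ok:
        return 401                   # side_effect is never called
    side_effect(body)
    return 200


if __name__ == "__main__":
    ledger = []                      # stands in for a database write
    t = 1_700_000_000                # constructed timestamp
    body = b'{"event":"payout","amount":5}'   # constructed payload
    hdrs = {"x-timestamp": str(t), "x-signature": sign(SECRET, t, body)}
    print(handle_public_request(hdrs, body, ledger.append, now=t + 10))
    print(handle_public_request(hdrs, body.replace(b"5", b"9"), ledger.append, now=t + 10))
    print(len(ledger))
```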