feat: scaffold platforms/ with working code for all 6 targets

- core: TypeScript types + NSEProvider interface
- ios: Swift Package + NSE.swift with Secure Enclave scaffold
- android: Kotlin NSE object with StrongBox/TEE scaffold
- server: CF Workers + Node.js implementations
- browser: WebAuthn + SubtleCrypto scaffold
- python: nse-dev package with async API

Author: vveerrgg

CLAUDE.md

@@ -7,12 +7,19 @@ Public landing page for **NSE (Nostr Secure Enclave)** at [nse.dev](https://nse.
 ## Repo Structure
 
 ```
-docs/           ← GitHub Pages source (served from main branch)
-  index.html    ← Single-page site (HTML + inline CSS, no build step)
-  og-image.png  ← 1200x630 OG/Twitter social card
-  CNAME         ← Custom domain: nse.dev
-generate-og.py  ← Pillow script to regenerate the social card
-README.md       ← Full project overview + DNS setup
+docs/                  ← GitHub Pages source (served from main branch)
+  index.html           ← Single-page site (HTML + inline CSS, no build step)
+  og-image.png         ← 1200x630 OG/Twitter social card
+  CNAME                ← Custom domain: nse.dev
+platforms/             ← Working code for each target platform
+  core/                ← @nse-dev/core — shared TypeScript types + NSEProvider interface
+  ios/                 ← @nse-dev/ios — Swift Package (Secure Enclave)
+  android/             ← @nse-dev/android — Kotlin (StrongBox / TEE)
+  server/              ← @nse-dev/server — TypeScript (CF Workers + Node.js)
+  browser/             ← @nse-dev/browser — TypeScript (WebAuthn + SubtleCrypto)
+  python/              ← nse-dev — Python (PyPI)
+generate-og.py         ← Pillow script to regenerate the social card
+README.md              ← Full project overview + DNS setup
 ```
 
 ## How to Work With This Repo

platforms/android/README.md

@@ -0,0 +1,27 @@
+# @nse-dev/android
+
+Kotlin library for hardware-backed Nostr key management via Android StrongBox / TEE.
+
+## Package: `@nse-dev/android` (Maven)
+
+## How It Works
+
+1. P-256 key generated in StrongBox / TEE via `android.security.keystore`
+2. AES-256-GCM key derived from KeyStore P-256 key
+3. secp256k1 keypair generated (via secp256k1-kmp or libsecp256k1 JNI)
+4. secp256k1 private key encrypted with KeyStore-derived AES key
+5. Encrypted blob stored in EncryptedSharedPreferences
+6. Biometric-gated unlock via BiometricPrompt
+
+## First Consumer
+
+NostrKeep Signer (`nostrkey.app.android.src`)
+
+## Dependencies
+
+- `android.security.keystore` (Android, built-in)
+- `androidx.biometric:biometric` (BiometricPrompt)
+- `secp256k1-kmp` or `libsecp256k1` JNI (secp256k1 signing)
+- `androidx.security:security-crypto` (EncryptedSharedPreferences)
+
+## Status: Planned (Phase 2)

platforms/android/src/main/kotlin/dev/nse/NSE.kt

@@ -0,0 +1,101 @@
+package dev.nse
+
+import android.content.Context
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import androidx.biometric.BiometricPrompt
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+
+/**
+ * Nostr Secure Enclave — Android implementation
+ * Hardware-backed key management using StrongBox/TEE P-256 to protect secp256k1 keys
+ */
+object NSE {
+
+    private const val KEYSTORE_PROVIDER = "AndroidKeyStore"
+    private const val ENCLAVE_KEY_ALIAS = "dev.nse.enclave.p256"
+    private const val BLOB_PREF_KEY = "dev.nse.encrypted.secp256k1"
+
+    /**
+     * Generate a new secp256k1 keypair, protected by a StrongBox/TEE P-256 key
+     */
+    suspend fun generate(context: Context): KeyInfo {
+        // TODO: Phase 2 implementation
+        // 1. Generate P-256 key in StrongBox/TEE (setIsStrongBoxBacked, biometric-gated)
+        // 2. Generate secp256k1 keypair
+        // 3. Derive AES-256-GCM key from P-256 via ECDH + HKDF
+        // 4. Encrypt secp256k1 private key with AES key
+        // 5. Store encrypted blob in EncryptedSharedPreferences
+        // 6. Zero the plaintext: privateKeyBytes.fill(0)
+        // 7. Return pubkey + npub
+        throw NotImplementedError("Not yet implemented")
+    }
+
+    /**
+     * Sign a Nostr event
+     * Biometric unlock → decrypt secp256k1 key → Schnorr sign → zero memory
+     */
+    suspend fun sign(event: NostrEvent, promptInfo: BiometricPrompt.PromptInfo): SignedEvent {
+        // TODO: Phase 2 implementation
+        // 1. Biometric unlock via BiometricPrompt
+        // 2. Access KeyStore P-256 key
+        // 3. Derive AES key
+        // 4. Decrypt secp256k1 private key into memory
+        // 5. Schnorr sign the event (BIP-340)
+        // 6. Zero the plaintext: privateKeyBytes.fill(0)
+        // 7. Return signed event
+        throw NotImplementedError("Not yet implemented")
+    }
+
+    /** Get the hex pubkey (does not require biometric unlock) */
+    suspend fun getPublicKey(context: Context): String {
+        throw NotImplementedError("Not yet implemented")
+    }
+
+    /** Get the bech32 npub */
+    suspend fun getNpub(context: Context): String {
+        throw NotImplementedError("Not yet implemented")
+    }
+
+    /** Check if a key exists */
+    fun exists(): Boolean {
+        val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER)
+        keyStore.load(null)
+        return keyStore.containsAlias(ENCLAVE_KEY_ALIAS)
+    }
+
+    /** Wipe all key material */
+    suspend fun destroy(context: Context) {
+        // TODO: Delete KeyStore entry + EncryptedSharedPreferences blob
+        val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER)
+        keyStore.load(null)
+        keyStore.deleteEntry(ENCLAVE_KEY_ALIAS)
+    }
+
+    // Types
+
+    data class KeyInfo(
+        val pubkey: String,
+        val npub: String,
+        val createdAt: Long,
+        val hardwareBacked: Boolean
+    )
+
+    data class NostrEvent(
+        val kind: Int,
+        val content: String,
+        val tags: List<List<String>>,
+        val createdAt: Long
+    )
+
+    data class SignedEvent(
+        val id: String,
+        val pubkey: String,
+        val sig: String,
+        val kind: Int,
+        val content: String,
+        val tags: List<List<String>>,
+        val createdAt: Long
+    )
+}

platforms/browser/README.md

@@ -0,0 +1,19 @@
+# @nse-dev/browser
+
+TypeScript library for browser-based Nostr key management via WebAuthn + SubtleCrypto.
+
+## Package: `@nse-dev/browser` (npm)
+
+## How It Works
+
+1. SubtleCrypto P-256 key generation
+2. AES-GCM wrapping of secp256k1 key
+3. Encrypted blob stored in IndexedDB or localStorage
+4. Biometric prompt per sign operation (WebAuthn)
+
+## Open Questions
+
+- Is WebAuthn biometric per-sign acceptable UX?
+- Or is NIP-46 to a mobile signer always better?
+
+## Status: Research (Phase 5)

platforms/browser/src/index.ts

@@ -0,0 +1,39 @@
+/**
+ * @nse-dev/browser — Browser Nostr Secure Enclave
+ * WebAuthn + SubtleCrypto P-256 key wrapping for secp256k1
+ */
+
+import type { NSEProvider, NSEEvent, NSESignedEvent, NSEKeyInfo } from '../../core/src/index.js';
+
+/**
+ * Browser implementation using SubtleCrypto + WebAuthn
+ * P-256 key wraps secp256k1 via AES-GCM, stored in IndexedDB
+ */
+export class NSEBrowser implements NSEProvider {
+  // TODO: Phase 5 implementation
+  // Research: Is WebAuthn biometric per-sign acceptable UX?
+
+  async generate(): Promise<NSEKeyInfo> {
+    throw new Error('Not yet implemented');
+  }
+
+  async sign(event: NSEEvent): Promise<NSESignedEvent> {
+    throw new Error('Not yet implemented');
+  }
+
+  async getPublicKey(): Promise<string> {
+    throw new Error('Not yet implemented');
+  }
+
+  async getNpub(): Promise<string> {
+    throw new Error('Not yet implemented');
+  }
+
+  async exists(): Promise<boolean> {
+    throw new Error('Not yet implemented');
+  }
+
+  async destroy(): Promise<void> {
+    throw new Error('Not yet implemented');
+  }
+}

platforms/core/README.md

@@ -0,0 +1,20 @@
+# @nse-dev/core
+
+Shared TypeScript interfaces and types for NSE. Every platform implementation conforms to these contracts.
+
+## Package: `@nse-dev/core` (npm)
+
+## Types
+
+```typescript
+interface NSEProvider {
+  generate(): Promise<NSEKeyInfo>;
+  sign(event: NSEEvent): Promise<NSESignedEvent>;
+  getPublicKey(): Promise<string>;
+  getNpub(): Promise<string>;
+  exists(): Promise<boolean>;
+  destroy(): Promise<void>;
+}
+```
+
+## Status: Planned (Phase 4)

platforms/core/src/index.ts

@@ -0,0 +1,47 @@
+/**
+ * @nse-dev/core — Shared types for Nostr Secure Enclave
+ */
+
+/** Minimal Nostr event for signing */
+export interface NSEEvent {
+  kind: number;
+  content: string;
+  tags: string[][];
+  created_at: number;
+}
+
+/** Signed Nostr event (id + sig populated) */
+export interface NSESignedEvent extends NSEEvent {
+  id: string;
+  pubkey: string;
+  sig: string;
+}
+
+/** Key info returned by generate() */
+export interface NSEKeyInfo {
+  pubkey: string;
+  npub: string;
+  created_at: number;
+  hardware_backed: boolean;
+}
+
+/** Platform-agnostic NSE contract — every implementation conforms to this */
+export interface NSEProvider {
+  /** Generate a new secp256k1 keypair, protected by hardware */
+  generate(): Promise<NSEKeyInfo>;
+
+  /** Sign a Nostr event (biometric unlock → decrypt → sign → zero) */
+  sign(event: NSEEvent): Promise<NSESignedEvent>;
+
+  /** Get the hex pubkey */
+  getPublicKey(): Promise<string>;
+
+  /** Get the bech32 npub */
+  getNpub(): Promise<string>;
+
+  /** Check if a key exists in storage */
+  exists(): Promise<boolean>;
+
+  /** Wipe all key material */
+  destroy(): Promise<void>;
+}

platforms/ios/Package.swift

@@ -0,0 +1,35 @@
+// swift-tools-version: 5.9
+
+import PackageDescription
+
+let package = Package(
+    name: "NSE",
+    platforms: [
+        .iOS(.v15),
+        .macOS(.v13)
+    ],
+    products: [
+        .library(
+            name: "NSE",
+            targets: ["NSE"]
+        )
+    ],
+    dependencies: [
+        // secp256k1 Schnorr signing
+        .package(url: "https://github.com/21-DOT-DEV/swift-secp256k1", from: "0.17.0")
+    ],
+    targets: [
+        .target(
+            name: "NSE",
+            dependencies: [
+                .product(name: "secp256k1", package: "swift-secp256k1")
+            ],
+            path: "Sources/NSE"
+        ),
+        .testTarget(
+            name: "NSETests",
+            dependencies: ["NSE"],
+            path: "Tests/NSETests"
+        )
+    ]
+)

platforms/ios/README.md

@@ -0,0 +1,26 @@
+# @nse-dev/ios
+
+Swift Package for hardware-backed Nostr key management via iOS Secure Enclave.
+
+## Package: `@nse-dev/ios` (Swift Package Manager)
+
+## How It Works
+
+1. P-256 key generated in Secure Enclave via `CryptoKit SecureEnclave.P256`
+2. AES-256-GCM key derived from enclave P-256 key (ECDH + HKDF)
+3. secp256k1 keypair generated (via K1 or swift-secp256k1)
+4. secp256k1 private key encrypted with enclave-derived AES key
+5. Encrypted blob stored in Keychain (`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`)
+6. Biometric-gated unlock via Face ID / Touch ID (LAContext)
+
+## First Consumer
+
+NostrKeep Signer (`nostrkey.app.ios.src`)
+
+## Dependencies
+
+- `CryptoKit` (Apple, built-in)
+- `LocalAuthentication` (Apple, built-in)
+- `K1` or `swift-secp256k1` (secp256k1 Schnorr signing)
+
+## Status: Planned (Phase 1)