[True story of me trying to bring an irl friend over]
me: so this thing here is your private key, the important thing with this is-
friend: *screenshots the whole entire thing*
me: WHY DID YOU DO THAT I DID NOT TELL YOU TO DO THAT
People understand physical keys; your friend simply made a copy and shared it with someone they trust. 😄
They’re allowed that. No?
The problem comes when a friend asks, “How do I rekey me locks?”
I get paranoid about keeping the keys safe 🙄
I'm definitely one to lose them and get locked out 🤷‍♀️
This is the crux of the problem for all these decentralized solutions. Nobody knows the answer, for it is not obvious.
There's too much overthinking it. I think a literal physical key, in pairs, that has two buttons. One sends the nsec as a USB keyboard when long pressed, the other does a... I forget, PIV challenge auth like the ones that YubiKeys do, signing a hash, using the secret, and holding both for 10 seconds activates a tiny battery that fries the chip.
This way it's hard to make a mistake. The signature way is short press, and needs an extension or other interface; browsers have USB interfaces, I learned that trying to copy the firmware I flashed to my programmable keyboard. And yeah, a light on the signer button to tell you it's been asked to sign or derive an encryption secret. To make it easier still, you only have to press the signer key once and when it's unplugged, it won't work again for a minute, giving you time to fry it if you are under duress.
The keys come as pairs, and the keys have a clearly visible number, 1 & 2, and the package around it inside the box has big, legible text saying "after loading these with your nsec, store 2 in a safe or other safe place"
I hope someone makes this before I have to. Again, overthinking. Normies need to get used to it, and I can't think of a better way to bridge them to it. Easy to persuade someone to try it as a gift, just walk them through it all, link them to you as mutual follows, and check up on them.
The advanced stuff can come later.
As a programmer, I can attest from repeated experiences that access is first, security is second.