Emin, Nuri.com
db98e5d20b41aec15fe1ee318870111a1b8669b3a5ce31fd0ee64f8ff3ec6750
Nuri.com Bitcoin Credit Card. Live on Bitcoin. NFC Hardware Wallets. Multi-Signature.

I have built an AI-Mermaid-Chart-Generator and tried a difficult prompt (Palestine/Israel): https://flow-scribe-magic-words.lovable.app/nutty/river/water

The chart gives a walkthrough of events. I downloaded the SVG, made a PDF out of it, and gave it to NotebookLM from Google. This is the result of the AI-generated podcast: https://notebooklm.google.com/notebook/75835e6c-7cdb-4d0d-bc5d-d98fbd1930bd/audio

https://blossom.primal.net/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

NotebookLM is nice but the app is 100% vibe coded, horribly bad

Tomorrow I will add „pay with lightning“ and nostr wallet connect. Flow chart generator and share and edit and fix

https://flow-scribe-magic-words.lovable.app/

Found those mermaid things very helpful in developing complex code bases.

https://www.mermaidchart.com/app/projects/bb9914a7-5c02-4735-a741-6177a3bf1230/diagrams/c6b287c0-ebcd-4b5f-8e06-bc4286a35a6d/version/v0.1/edit

flowchart TD

    %% USER DEVICE
    subgraph "User Device"
        direction TB
        DevPasskey["Built-in Device Passkey<br/>(Face ID / Touch ID)"]:::int
        WebAuthn["WebAuthn assertion<br/>(via external key OR device passkey)"]:::logic
        KeyShareA["Key Share A<br/>(AES-encrypted at rest,<br/>gated by Secure Enclave)"]:::secret
        FROSTSign["FROST MPC signing<br/>(runs in device RAM<br/>after user auth)"]:::compute
        EncA["Encrypted backup of<br/>Key Share A<br/>(iCloud/Google — passkey-encrypted, never plain)"]:::backup
        PasskeySync["Passkey backup<br/>(iCloud/Google)"]:::backup
        DevPasskey --> WebAuthn
        DevPasskey --> PasskeySync
        WebAuthn -->|unlock| KeyShareA
        KeyShareA -- "decrypted → RAM" --> FROSTSign
        KeyShareA -. "passkey-encrypted<br/>export only" .-> EncA
        FROSTSign -- "Partial Sig A" --> Combine
    end

    %% EXTERNAL: hardware FIDO2 key for normal use
    HWKey["Hardware Security Key<br/>(FIDO2 token, USB/NFC)"]:::ext
    HWKey --> WebAuthn

    %% GUARDIAN / SOCIAL SHARE C (Shamir split, not passkey-encrypted)
    GuardianShareC["Guardian/Social Recovery<br/>Share C (Shamir split, not passkey-encrypted)"]:::secret
    EncC["Distributed guardian shares of C<br/>(print, cloud, trusted people)<br/>Collect quorum to reconstruct"]:::backup
    GuardianShareC -- "split and distribute (Shamir)" --> EncC
    EncC --> RecoveryTool

    %% OPTIONAL: hardware Bitcoin wallet full signing
    HWBtc["Hardware Bitcoin Wallet<br/>(Ledger/Trezor/BitBox)"]:::opt
    HWBtc -.-> Combine

    %% SERVER / TEE
    subgraph "Server / TEE (Nitro Enclave)"
        direction TB
        WebAuthnSrv["WebAuthn required<br/>to access"]:::logic
        ShareB["Key Share B<br/>(sealed inside TEE)"]:::secret
        EnclaveSign["Partial Sig B<br/>(FROST, runs inside TEE)"]:::compute
        WebAuthnSrv --> ShareB
        ShareB --> EnclaveSign
        EnclaveSign -- "Partial Sig B" --> Combine
    end

    %% THRESHOLD COMBINE & CHAIN
    Combine["Combine Partial Sig A + B<br/>(FROST threshold signature)"]:::combine
    Blockchain["Broadcast to Bitcoin network"]:::chain
    Confirmed["Confirmed transaction"]:::chain
    Combine --> Blockchain --> Confirmed

    %% SOCIAL RECOVERY (MANDATORY)
    EncA --> RecoveryTool
    RecoveryTool -. "reconstruct C<br/>(from guardian shares)" .-> Combine

    %% NOTE
    Note1["Threshold MPC — full key **never** exists in one place.<br/>Mobile share is passkey-gated; server share lives only in TEE.<br/>Guardian/social recovery shares (Share C) are split among trusted people and NOT passkey-encrypted — collect quorum for recovery.<br/>**Server must be present for any spending, recovery, or inheritance (as in Bitkey).**<br/>If either share is compromised, wallet cannot be drained.<br/>Optional hardware wallet can provide additional resilience.<br/>Test your backup and recovery regularly."]:::note
    Note1 --- Combine

    %% STYLES
    classDef ext fill:#dbeafe,stroke:#1e3a8a,stroke-width:2px
    classDef int fill:#dbeafe,stroke:#475569,stroke-width:2px
    classDef logic fill:#ffffff,stroke:#000000,stroke-width:2px
    classDef secret fill:#ffe4e6,stroke:#be123c,stroke-width:2px
    classDef compute fill:#fff7ed,stroke:#a16207,stroke-width:2px
    classDef backup fill:#fefce8,stroke:#92400e,stroke-width:2px
    classDef combine fill:#e2e8f0,stroke:#334155,stroke-width:2px
    classDef chain fill:#ecfccb,stroke:#15803d,stroke-width:2px
    classDef note fill:#fff3cd,stroke:#b38f00,stroke-width:2px
    classDef opt fill:#f5f3ff,stroke:#6366f1,stroke-width:2px,stroke-dasharray:5 5

sequenceDiagram
    actor User as User / Wallet UI
    participant SECURITYKEY as Biometric Hardware<br/>(FIDO2 authenticator)
    participant ENCLAVE as Secure Enclave<br/>Share A
    note right of ENCLAVE: Signing happens securely here,<br/>ensuring no RAM leak.
    participant HSM as Cloud HSM<br/>Share B
    participant BTC as Bitcoin Network

    %% ─── Spend flow ───
    User->>SECURITYKEY: 1️⃣ WebAuthn “get assertion” (physical touch)
    SECURITYKEY-->>User: hmac-secret + signature
    User->>ENCLAVE: 2️⃣ Unlock Share A (using hmac-secret)
    ENCLAVE-->>User: Partial Signature A
    User->>HSM: 3️⃣ Sign request + Security Key assertion proof
    HSM-->>User: Partial Signature B
    User->>User: 4️⃣ Combine Sig A + Sig B (FROST threshold)
    User->>BTC: 5️⃣ Broadcast Taproot tx
    BTC-->>User: Tx confirmed

    Note over User,BTC: Full private key is **never reconstructed** Security Key touch and Biometrics is always required.
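
Added example, not part of the original posts or of any wallet code they refer to: the flowchart's guardian recovery path (Share C split with Shamir, quorum collected to reconstruct) written as a t-of-n split. Treating Share C as a scalar modulo the secp256k1 group order, the 2-of-3 parameters in the demo, and the function names `split` and `reconstruct` are assumptions made for illustration.

```python
import secrets

# Assumption: Share C is a scalar modulo the secp256k1 group order,
# as FROST key shares for Bitcoin signatures are.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret: int, threshold: int, guardians: int) -> list[tuple[int, int]]:
    """Split `secret` into one point per guardian; any `threshold` points recover it."""
    if not (1 < threshold <= guardians < N) or not (0 <= secret < N):
        raise ValueError("need 1 < threshold <= guardians and 0 <= secret < N")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation modulo N
            acc = (acc * x + c) % N
        return acc

    return [(x, f(x)) for x in range(1, guardians + 1)]


def reconstruct(shares: list[tuple[int, int]], threshold: int) -> int:
    """Lagrange-interpolate f(0) from a quorum of distinct guardian shares."""
    xs = [x for x, _ in shares]
    if len(shares) < threshold:
        raise ValueError("quorum not met")
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate guardian share")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


if __name__ == "__main__":
    share_c = secrets.randbelow(N)           # constructed sample value
    guardian_shares = split(share_c, 2, 3)   # 2-of-3 guardians
    print(reconstruct(guardian_shares[1:], 2) == share_c)
```

Each guardian point is unencrypted, as the diagram states for Share C, so confidentiality rests entirely on fewer than `threshold` guardians pooling their points.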

Amazing!! Can you share the code of it please as a base to fork for Replit?

That is amazing, I had a website called Flyerwall for Berlin for events a long time ago - this is better!

Forked Bitkey and got the server running locally

As soon as Bolt, Replit, Lovable, Cursor, Windsurf, Aider, Cline, Roo, Codex and Co. are good enough we are going to re-build every SaaS tool into a Bitcoin Lightning Powered 402 paymentrequired.com !

Building a FIDO2 Biometric Passkey gated MPC Bitcoin Wallet

The MIT license. Is it really allowed to fork and use it commercially?