Active development · testnet
ProductsDownloadsAssistantAPIBlockchainNetworkPricingCustomersStoreWikiDevs
Launch
Back to Wiki

Wiki · Wallets

Wallet Management

Endpoints for retrieving the proxy wallet, native account, and balances. Keys held in KIS.

Wallet Management

Each authenticated user automatically receives a proxy wallet (EVM, on the SPACE OS chain) and a native account (SPACE OS native chain).

For the rationale behind the three-wallet model, see Architecture.

Get proxy wallet

GET /api/keys/proxy
Authorization: Bearer <jwt>

Returns:

{ "proxyAddress": "0x..." }

Get native account

GET /api/keys/native
Authorization: Bearer <jwt>

Returns:

{ "nativeAccount": "...", "publicKey": "..." }

Get balances

GET /api/user/proxy-balances
Authorization: Bearer <jwt>

Returns:

{
  "space": "12.4500",
  "usdt": "0.00",
  "usdc": "10.00",
  "totalUsd": "11.83"
}

Who runs what — chain vs entities

TL;DR: SPACE OS the chain is a public protocol owned by no single entity. The chain doesn't "go bust". The entities that operate services around the chain (KIS pods, the foundation treasury, Keystone consultancy) are separate legal companies with their own insolvency posture.

There are four distinct things that get called "SPACE OS" colloquially. They have different failure modes + different legal postures:

What Who runs it What happens if it stops
The public chain — Antelope core consensus, on-chain Vault, embedded EVM. Chain ID 800000. Permissionless validator network under the Open Node Protocol. Anyone runs nodes; anyone deploys contracts; anyone audits traffic. The chain is decentralised — it can't "go bust" because no single entity is required for it to keep producing blocks. If validators churn, others step in (same threat model as Ethereum / Antelope networks generally). Funds on the chain remain accessible regardless of any single operator's status.
IGSF (Intergalactic Space Foundation) — holds the SPACE token treasury, the core IP, the mission. Jurisdiction: Switzerland Stiftung or Cayman Foundation Co (final structure pending). An independent foundation board, separate from operating companies. Treasury is held in a bankruptcy-remote structure (multisig + dedicated KIS region). If the foundation dissolves, treasury distribution follows its constitutional documents; the chain continues; user wallets are unaffected (the foundation doesn't hold user keys).
The operating company (currently SPACE OS Ecosystem OÜ, Estonia) — holds CASP / VASP authorisations, operates Mode 0/1 KIS pods, ships the Web App + Aether Desktop + SpaceRouter inference, employs engineering staff. An EU-regulated operating entity (and equivalent regulated subsidiaries in other target jurisdictions as we open them). This is the entity that could go bust like any normal company. Critically, user funds in Mode 0/1 are NOT part of this company's insolvency estate — they sit under MiCA Article 75 client-asset segregation (and equivalents in UK/US/SG/HK/AU). On insolvency, custody can be transferred to a successor CASP under the regulator's supervision. See "What if the operating company fails?" below for the full mechanism.
Keystone — the consultancy arm. Sovereign deployments for institutions, governments, industry. Runs as a service line under the operating company (or a sister entity per jurisdiction). The same operating company (or its sister entities). Keystone delivery contracts are commercial; their failure mode is "the consultancy doesn't deliver" — separate from custody. Customer-side deployments (on-prem KIS pods, dedicated Mode 1 instances) keep running; the customer can take over operation if needed.

For Mode 2 users, none of the entities above hold your keys — the keys live exclusively on your device's kisd-local sidecar. The operating company's status (or anyone else's) is irrelevant to whether your wallet keeps working.

Key custody

Proxy and native keys are held in KIS (Key Custody Service), a separate-trust-domain Rust service. Keys never appear in the app API process, in logs, or in backups outside KIS itself. A compromise of the main API does not compromise user funds.

KIS supports four custody modes (see the strategy wiki):

  • Mode 0 — single central pod (today's default for net-new users)
  • Mode 1 — regional pods (kis-eu-1, kis-us-1) for EU / US data residency and MiCA / GDPR alignment
  • Mode 2 — user-hosted (Aether desktop sidecar; Phase 2 — shipped, including all four migration ceremonies)
  • Mode 3 — threshold / MPC (Phase 3)

For Mode 1, signing requests route to the regional pod that holds the user's key — there is no cross-region failover (data residency takes precedence over availability). When a user changes jurisdictions or a regulatory shift requires re-domiciling a cohort, the cross-region migration ceremony moves their signing key from one regional pod to another via an X25519 + ChaCha20Poly1305 envelope; the relay (app-api) never sees cleartext.

Mode 2 lifecycle ceremonies

All four Mode-2-touching ceremonies are rotation events — wallet address changes, on-chain history threads through a sweep transaction, no key bytes ever cross the trust boundary. Distinct from cross-region above, which ferries the key but keeps the wallet address.

  • Mode 0/1 → Mode 2 ("go sovereign") — operator + auto-orchestrated (/sweep-to); user opts in, funds sweep on-chain to a fresh device-held wallet.
  • Mode 2 → Mode 0/1 ("give my keys back") — operator-driven for v1; user-initiated + KYC-gated path queued behind the Aether-cluster bridge. Above-threshold custody-acquisition events produce an append-only counsel-notification audit row for per-jurisdiction reporting.
  • Mode 2 ↔ Mode 2 device-to-device (Phase 2.5) — user has new laptop, both devices online; sovereign-to-sovereign sweep brokered by app-api via session-token + 6-digit visualCode rendezvous. Sidecars own all keys; server orchestrates the chain side but cannot sign.
  • Restore-from-recovery-phrase — Aether wizard path for the lost-device case. Restores the master from BIP-39; per-wallet keypairs (random-per-wallet under the master, NOT BIP-44-HD-derived) do NOT come back via mnemonic restore alone — explicit caveat copy in the wizard.

For users — what this means for you

Question you might have Answer
Where is my money? On the public chain. The wallet address is yours; the signing key is held by the operating company in Mode 0/1, or by you in Mode 2. The cryptocurrency itself lives on a permissionless validator network — anyone can see your wallet's balance; nobody can revoke its existence.
Can anyone take my money? On Mode 0/1, the operating company holds the signing key under regulated CASP / VASP authority (EU MiCA + equivalents). They can act under court order, on a sanctions list, or under their own AML/CFT obligations — but only the operating company; the chain itself, the validators, and the foundation cannot. We've structured the entity + key custody so this is hard but not impossible (see "Per-jurisdiction custody position" below). On Mode 2, no — the key never exists outside your device.
What if I lose my device (Mode 2)? Three recovery paths in priority order: (1) restore from your 24-word recovery phrase on a fresh device, (2) device-to-device sweep if your old device still works, (3) nothing — funds are lost permanently. No SPACE OS entity can recover Mode 2 funds — not the operating company, not the foundation, not Keystone, not anyone. The wizard makes you write down + verify the recovery phrase before any wallet is created.
Is my Mode 2 wallet insured? No. Mode 0/1 wallets are insured by the operating company (SaaS-grade theft cover for keys it holds). Mode 2 wallets are uninsured — the trade-off for sovereignty. The mode-selection screen says this verbatim before you click Continue.
Can I move between modes? Yes — see Mode 2 lifecycle ceremonies. Mode 0/1 → Mode 2 is one click. Mode 2 → Mode 0/1 takes longer because the operating company has to verify your identity at the moment of acquiring custody.
Is my wallet private? The wallet address is pseudonymous on-chain (anyone with the address sees the balance + history, but it's not directly tied to your name unless you publicly link it). Inside the operating company's records, wallet activity is associated with your account; valid lawful requests reach the operating company's records (KYC/transaction logs), not on-chain history (which is public anyway and not held by anyone).
What if I'm compromised (phishing / wallet drainer)? Mode 0/1: contact the operating company; they can freeze custodial wallets pending investigation. Mode 2: same as any sovereign wallet — funds may already be gone. Mitigation is the proxy-contract pattern (see Architecture) which limits per-tx exposure.
What if the operating company fails? The chain itself doesn't fail — it's a public protocol, validator-run, with no single point of failure (see Who runs what). For Mode 0/1 keys held by the operating company: under MiCA Art. 75 (and equivalents in UK/US/SG/HK/AU), client crypto-assets are segregated from company assets and are NOT part of the insolvency estate. Custody transfers to a successor CASP under the regulator's supervision. For Mode 2 users, the operating company's status is irrelevant — your keys are on your device. The foundation's treasury is bankruptcy-remote from the operating company.
What if the foundation fails? The foundation's treasury is held in a bankruptcy-remote structure (multisig spanning multiple legal entities, dedicated KIS region). On dissolution, treasury distribution follows the foundation's constitutional documents. The chain continues independently of the foundation — validators keep producing blocks; user wallets keep working. The foundation doesn't hold user keys.
What if the chain itself goes down? Same risk profile as any other public chain — depends on validator participation. The Open Node Protocol means anyone can spin up a node, so the chain has the same recoverability story as Ethereum or Antelope networks. No single party can shut down the chain. What can happen: validators churn (fees go up), or a contentious fork (chain history splits) — both protocol-level concerns rather than corporate-level.
What about taxes? No SPACE OS entity computes your tax position. Wallet balances + transaction history are public on-chain; you (or your accountant) can pull them for whichever tax authority applies. The operating company provides CSV exports of activity inside its records on request.

For customers (product / Keystone)

Default deployment for net-new accounts on the operating company's hosted services: Mode 0 (central) for low-friction onboarding. Mode 1 enrolment kicks in automatically once a user declares EU or US residency (data-residency requirement). Mode 2 is opt-in; users who pick "sovereign" at signup go through the Aether-desktop setup flow + their keys never leave their device. (None of these touch the chain itself — they're choices about where the signing key for your on-chain wallet lives.)

Keystone deployments (sovereign on-prem for institutions, government, industry — see /keystone): a Keystone tenant gets a dedicated KIS pod in the customer's chosen jurisdiction (EU, US, SG, HK, AU, or on-prem). Mode 1 by default; Mode 2 available for individual users within the tenant who want device-side sovereignty. Mode 3 (TSS) is the institutional default once Phase 3 ships — neither side alone can sign without the other.

Capability Mode 0 Mode 1 Mode 2 Mode 3
Latency to sign (typical) ~10ms ~10-50ms ~50-200ms ~50-150ms
Operates while user device offline ❌ (with proxy-contract: ✅ for delegated actions)
EU MiCA / GDPR data residency compliant depends on user residency ✅ (key on user device)
Insurance coverage Yes (SaaS-grade theft) Yes No TBD (Phase 3)
Recovery without user action ✅ (with re-KYC + delay)
Best fit Low-friction onboarding, default for consumer Regulated jurisdictions, institutional ops wallets Sovereignty-conscious individual users High-value institutional wallets, dual-control
Apogee fund operational wallet model ✅ + multisig (planned migration)

Integration paths:

  • REST API (above): GET /api/keys/proxy, GET /api/keys/native, GET /api/user/proxy-balances. Keys live in KIS regardless of which mode.
  • Aether desktop SDK: window.spaceos.* IPC for app-side signing requests (Mode 2 routes through the local sidecar).
  • Proxy-contract pattern (see Architecture): server-side delegated signing for auto-pay, scheduled actions, subscriptions — works alongside Mode 2 so a sovereign user still gets the conveniences.

Support model: Mode 0/1 users get standard support including frozen-account / dispute resolution. Mode 2 users get setup support + the migration-ceremony runbooks (we can help walk a user through restoration or device migration) but not key recovery — by design, we never have the keys.

For compliance — regulatory mapping

Per-jurisdiction custody position summary

The four-mode model maps to different custody classifications across jurisdictions. Detailed analysis lives in KIS_LEGAL_MEMO.md (private; counsel-only) — this table summarises the public-facing position. Throughout, "operating company" = the regulated CASP/VASP entity (currently SPACE OS Ecosystem OÜ in the EU; sister entities elsewhere as we license per jurisdiction); the public chain itself + the foundation + Keystone are NOT the custodian, even on Mode 0/1.

Jurisdiction Mode 0/1 (operating company holds key) Mode 2 (user holds key) Mode 3 (threshold)
EU (MiCA / 2023/1114) CASP — custody of crypto-assets on behalf of clients (Annex I §J) Outside scope — non-custodial software (KIS_LEGAL_MEMO §9.1) Open — depends on share-allocation analysis
UK (FSMA + FCA registration regime) Crypto-asset custody activity Outside scope — software-with-recovery for individuals Open
US (FinCEN money-transmitter test + state regimes) MTL-required in money-transmission states; 31 CFR 1010.100(ff)(5)(i)(A) custody Outside scope (user controls private key) per FinCEN 2019 guidance Open — partial-share analysis varies by state
Singapore (PSA / DPT licensing) DPT service provider (custody) Outside scope — software facilitator Open
Hong Kong (SFC VASP regime) VASP — virtual-asset custody Outside scope under the SFC consultation paper Open
Australia (AUSTRAC + DCE) DCE registration + AML/CTF obligations Outside scope (user-controlled wallet) Open

The "outside scope" classification for Mode 2 across all six jurisdictions is the load-bearing legal position the counsel review package covers (T3 — counsel + auditor only). It rests on a 14-item "deliberately do NOT do" contract — the things that, if any SPACE OS entity did them, would reframe Mode 2 as custodial. Most load-bearing among them: no SPACE OS entity ever has the user's mnemonic, master key, or private key bytes at any point — neither the operating company, nor the foundation, nor Keystone, nor any successor.

AMLD6 (EU 2018/1673) — money-laundering directive mapping

AMLD6 obligation Mode 0/1 Mode 2
Customer due diligence at onboarding (Art. 13) ✅ standard KYC at signup for EU residents Not at Mode 2 onboarding (no custody acquired); ✅ at Mode 2 → Mode 0/1 reverse-migration (custody-acquisition trigger — Q5 in counsel package)
Transaction monitoring (Art. 33) ✅ for transactions that route through the operating company's hosted services N/A — Mode 2 transactions go directly from user device to chain; the operating company doesn't see them
Suspicious activity reporting ✅ to relevant FIU (Mode 0/1 transactions visible to us) N/A for Mode 2
Record retention (Art. 40 — 5 years post-account-closure) ✅ — KYC + transaction records retained 5y; survives GDPR Art. 17 erasure under Art. 17(3)(b) overriding-legal-obligation carve-out Same retention applies to Mode 2 → Mode 0/1 custody-acquisition events (CounselNotificationLog)
Travel Rule (FATF Rec 16 / EU Reg 2023/1113) Applies on transfers between VASPs ≥ EUR 1000 (or USD 3000 US-side); we forward originator/beneficiary info per the regulation N/A for Mode 2 wallet → external (user is the originator; rule applies between VASPs)

MiCA (EU 2023/1114) — markets in crypto-assets

  • Title V Authorisation — we operate as CASP (Crypto-Asset Service Provider) for Mode 0/1 custody. EU passporting via home-Member-State authorisation.
  • Title III asset-referenced tokens / Title IV e-money tokens — out of scope (we don't issue stablecoins; we route to existing ones).
  • Annex I §J — custody of crypto-assets on behalf of clients (Mode 0/1).
  • MiCA Article 75 — operational segregation of client crypto-assets from own assets. Implemented via per-region KIS pods + the on-chain Vault separation pattern; client funds are NEVER on company operational wallets.
  • Mode 2 — outside MiCA scope per the §9.1 outside-scope analysis.

GDPR (EU 2016/679) — data protection

Obligation Mode 0/1 Mode 2
Data residency (Art. 44-50 transfer rules) ✅ Mode 1 regional pods (kis-eu-1) keep keys + signing logs in-jurisdiction N/A — keys never on our servers
Right to access (Art. 15) ✅ standard data export Limited — most Mode 2 user data is on the user's device
Right to erasure (Art. 17) ✅ — see services/gdpr-erasure.ts. Pseudonymises email + agent profile + preferences. N/A — user wipes their own device
Erasure exceptions (Art. 17(3)(b) — legal obligation) ✅ — KYC + transaction logs + CounselNotificationLog retained 5y under AMLD6 Art. 40 + per-jurisdiction reporting obligations. The user's erasure receipt enumerates the basis + surfaces a count of retained CounselNotificationLog rows so it's auditable. N/A
Records of processing (Art. 30) Maintained internally + available to supervisory authorities Mode 2 user data minimised (we know the user has a paired sidecar; we don't know what's in it)

Audit trail + retention

The audit-trail surfaces a regulator or compliance reviewer can verify:

Surface What's logged Where Retention
ProxyContractAudit Mongo collection Every proxy-contract action: deploy, module-enable, allowance set/removed, sign, session-rotated, owner-override, revoke, reconcile-divergence. Indexed by region (E5). app-api Mongo AMLD6 5y window
CounselNotificationLog Mongo collection Custody-change events crossing the USD threshold (default $100k native). Two kinds: mode-2-to-mode-0-1 (reverse-migration; the operating company acquires custody) + mode-1-region-change (custody jurisdiction change between regulated entities). Append-only. app-api Mongo AMLD6 5y window — explicitly retained across user GDPR erasure (Art. 17(3)(b))
Sidecar audit log (Mode 2 only) Wallet generated, master sealed, restore-from-mnemonic, lock/unlock, mnemonic revealed, wallet deleted, wipe. Local-only — never crosses the user-device boundary. User device (spaceos-kis data dir) User-controlled
Seq structured events Every signed app-api request that crosses the API surface; counsel-notification triggers; device-migration session lifecycle (device-migration-begun, claimed, aborted, finalized, *-failed); cross-region migration ceremonies. Seq + (mirror) Mongo for AMLD6-bound classes Per-class — Seq operational ~90d; AMLD6-bound classes mirror to Mongo with 5y retention
Operator review URLs (X-Admin-Token gated) GET /api/admin/proxy-audit (region-filterable); GET /api/admin/counsel-notifications (kind / wallet / instance / date-range filterable, with /summary + /by-instance slices); GET /api/admin/migrations/in-progress (in-flight migration triage). API endpoints n/a (read access)

Counsel handoff cadence: counsel reviews CounselNotificationLog rows on a per-quarter basis (or on-demand for incidents). The endpoint URLs above are linkable; counsel doesn't need direct DB access.

Threat model summary

                   Threat × mode matrix
                   ────────────────────

                            Mode 0    Mode 1   Mode 2    Mode 3
                            ──────    ──────   ──────    ──────
   app-api breach            SAFE      SAFE     SAFE     SAFE
                                (KIS isolated; partial-share-only)

   KIS pod compromise        DRAIN    REGION    N/A     PARTIAL
                                       ONLY              (only one
                                                          share lost)

   Insider exfiltration     SEVERE   SEVERE    NONE    LIMITED
                                       per region

   User device compromise    N/A      N/A     DRAIN     NEEDS
                                                         server
                                                         share too

   Mass phishing             SIG      SIG     DEVICE-   DEVICE-
                                              LOCAL     LOCAL

   Court / sanctions         CAN      CAN     CANNOT    CANNOT
                            comply   comply   comply    comply
                                                         unilaterally

   Single share leaked       N/A      N/A      N/A    INSUFFICIENT
                                                       to sign alone

What we explicitly DON'T protect against (documented for honesty + disclosure adequacy):

  • Malware running with your user privilege on Mode 2 — can read your sealed-master sidecar files + brute-force your passphrase offline. Mitigation: Argon2id wrap-key (64MB / 3 iter / 4 lanes) makes brute-force expensive but not impossible. The sealed-mnemonic-on-disk is necessary for recovery; counsel reviews this trade-off explicitly.
  • Hardware-level supply-chain attacks — pre-installed malware, compromised firmware. Out of scope; same threat model as any consumer software.
  • Social engineering of the user — phishing-delivered visualCodes, fake "support requests" asking for the recovery phrase. Mitigation: explicit workflow copy at every step that says "never enter codes received via email/chat/support".
  • The user themselves — losing the recovery phrase, deleting the wallet, sending funds to the wrong address. By design, Mode 2 puts these failure modes on the user; the wizard makes that disclosure verbatim before any wallet is created.

Insurance + liability

Mode Coverage Insurer Limit
Mode 0 Custody-theft cover (operational + key-management failures) TBD per KIS_INSURANCE.md (KA-2 — pre-RFP) Per-account + aggregate caps
Mode 1 Same; per-region — EU and US carriers may differ Per region Per region
Mode 2 None. N/A N/A — user bears the risk
Mode 3 TBD (Phase 3) — share-only insurance is the structural plan Per KIS_INSURANCE.md Per-share basis

The Mode 2 "uninsured" line is verbatim in the mode-selection screen disclosure below. Disclosure adequacy is Q2 in the counsel review package.

Liability allocation:

  • Mode 0/1: the operating company (the regulated CASP/VASP entity) bears the operational-failure liability — covered by its insurance + client-asset segregation per MiCA Art. 75 (and equivalents in UK/US/SG/HK/AU). On-chain protocol risk is the user's (e.g. a smart-contract exploit of a 3rd-party DeFi protocol — that's not on us regardless of mode).
  • Mode 2: user bears all liability for key custody on the device. The Aether desktop's sidecar is open-source-auditable Rust; the operating company provides the code under permissive license + supports the protocol — but no SPACE OS entity supports the user's individual key recovery, because no entity has the keys.
  • Chain-level: the public chain itself has no centralised liable party. Validators run independently under the Open Node Protocol; protocol-level failures (consensus halts, contentious forks) are the same shape as any other public chain — no SLA, no warranty, no cure.

Disclosures + user copy

These strings are copy-locked by tests in the codebase (apps/desktop/test/mode-2-pure.test.mjs::REQUIRED_DISCLOSURES — labels match the verbatim copy gate). Marketing, IR, and product surfaces all use the same wording.

Mode-selection screen (entry point)

MODE 2 — SOVEREIGN

Choose this if you want SPACE OS to never see your wallet keys.

You should know:

  • SPACE OS cannot recover your wallet. We never have your keys.
  • Lose your mnemonic backup → lose your funds. Permanently.
  • Mode 2 wallets are not insured by SPACE OS. Other modes are.

[I understand and want to continue] [Take me back to Mode 1 (recommended)]

Mnemonic-display + three-checkbox gate

The 24-word BIP-39 mnemonic appears in a numbered grid. Below the grid:

Write this down. These 24 words ARE your wallet. Write them down in order, store them somewhere safe and offline. We won't show them to you again unless you unlock the app + ask in Settings.

Three required checkboxes (each individually required before "Continue" enables):

  • I have written down my recovery phrase.
  • I understand SPACE OS cannot recover my wallet.
  • I understand losing my recovery phrase means losing my funds — permanently.

Verify-by-prompt (post-mnemonic)

After "Continue", the wizard picks 3 random word positions and prompts:

What were words #X, #Y and #Z?

If any are wrong, the wizard explicitly lists which positions didn't match. No lock-out — the user can retry as many times as needed (the design intent is "the user actually has the backup before proceeding", not "test their memory").

Restore-from-recovery-phrase

Restoring on a fresh device gets your master key back, but it does NOT recover individual wallet addresses from your old device — those keypairs only exist where you generated them. After restoring, you'll create a new wallet on this device. If your old device still has funds, sweep them off it before you stop using it.

This is the load-bearing UX caveat that distinguishes our restore from "import seed phrase" flows in other wallets — our wallets are random-per-wallet under the master, NOT BIP-44-HD-derived from it.

Phase 2.5 device-to-device migration

Open Aether on the device that holds your existing wallet. Go to Settings → Keys → "Migrate this wallet to a new device" and type the code below.

Only enter this code on your own Aether device that's open in front of you. Never enter codes received via email, chat, or support requests.

Mirror copy on Device A's claim modal:

Compare the wallet address below against the one shown on your OTHER Aether device. They should be identical. If they don't match, hit Cancel — the migration may have been intercepted.

The dual-device address-display is the load-bearing safety check (see Threat model summary). It defends against a network-level address-swap attack regardless of bridge trust.

Compliance verification — how to check our claims

For each load-bearing claim, the source-of-truth file lives in a public or T2 repo. Counsel + auditors can verify without reading the entire codebase.

Claim Verification path
Mnemonic generated on user device, never sent to server space-os-kis/src/local_mode.rs::generate_mnemonic + mnemonic_to_master. Server-side: grep -rn "mnemonic" space-os-app-api/src/ returns zero relevant hits.
Pairing uses X25519 ECDH + EIP-191 attestation space-os-kis/src/local_mode.rs::derive_pairing_secret + space-os-kis/src/local_mode.rs::pairing_attestation_message; server-side: space-os-app-api/src/services/mode-2-pairing.ts
Sidecar HMAC-enforces signing requests when paired space-os-kis/src/bin/kisd-local.rs::sign_evm_handlerwith_paired_secret
Sidecar binds 127.0.0.1 only space-os-kis/src/bin/kisd-local.rs::is_loopback
OS-keychain salt binding space-os-kis/src/local_mode.rs::OsKeychainSaltBackend (cross-platform via keyring crate)
Argon2id wrap-key derivation space-os-kis/src/local_mode.rs::derive_wrap_key (64 MB / 3 iter / 4 lanes)
Mesh relay path allowlist + header allowlist space-os-aether-app/apps/desktop/src/main/mode-2-mesh-relay.ts::ALLOWED_PATHS + FORWARD_HEADERS
Verbatim disclosure copy locked in space-os-aether-app/apps/desktop/src/renderer/components/mode-2-pure.ts::REQUIRED_DISCLOSURES (test: mode-2-pure.test.mjs)
Counsel-notification audit hook fires above threshold space-os-app-api/src/services/counsel-notification.ts::maybeNotifyCounsel; emitters: services/migrate-from-mode-2.ts + routes/admin-region-migrate.ts; tests: tests/counsel-notification.test.ts (24 cases)
GDPR retention of CounselNotificationLog across erasure space-os-app-api/src/services/gdpr-erasure.ts::standardRetention (AMLD6 Art. 40 + per-jurisdiction reporting obligations line item)
Phase 2.5 device-to-device — server cannot sign space-os-app-api/src/services/run-device-migration-sweep.ts builds tx; kis-client.ts::signEvm routes through mesh to sidecar; server holds no signing key. Trust property: `grep -rn "PrivateKeySigner\

Verify everything works — operator-runnable test plan: space-os-kis/docs/MODE_2_TEST_PLAN.md. Twelve sections, real commands, real expected outputs, sign-off criteria. The smoke run itself is the artefact that says "this works end-to-end".

Glossary

Term Meaning
CASP Crypto-Asset Service Provider (MiCA Title V)
VASP Virtual Asset Service Provider (FATF / per-jurisdiction)
DCE Digital Currency Exchange (Australia AUSTRAC)
DPT Digital Payment Token (Singapore PSA)
KIS Key Custody Service — the Rust process that holds signing keys
kisd KIS daemon — server-side Rust binary for Modes 0/1
kisd-local KIS daemon — user-device Rust binary for Mode 2
Mode 0 Single central KIS pod (default)
Mode 1 Regional KIS pods (EU, US, …) for data residency
Mode 2 User-hosted KIS sidecar — keys live on the user's device
Mode 3 Threshold / MPC — share-based signing (Phase 3)
Aether SPACE OS desktop app; runs the Mode 2 sidecar locally
Proxy wallet The user's primary wallet on the embedded EVM chain
Native account The user's account on the SPACE OS native chain (Antelope)
Proxy-contract pattern Safe + AllowanceModule for delegated server-side signing alongside Mode 2
Sidecar A separate-trust-domain process — used for KIS at all modes
Sweep An on-chain transaction that moves a wallet's entire balance to another address — the migration ceremonies' on-chain effect
Mesh Aether's WireGuard-based device-to-device transport — used for Mode 2 sign request routing
Visualcode 6-digit XXX-XXX code displayed during Phase 2.5 device-to-device migration; user copies it between devices

References

Audience Doc
Engineering Architecture — three-wallet model + KIS surface
Strategy / IR / corporate KIS strategy wiki (legal repo)
Counsel MODE_2_COUNSEL_REVIEW.md v1.2 (legal repo, T3 — not public)
Engineering deep-dive MODE_2_DESIGN.md, MODE_2_MIGRATION.md, MODE_2_DEVICE_MIGRATION.md, MODE_2_RECOVERY.md (app-api repo)
Operators MODE_2_MIGRATION_RUNBOOK.md, MODE_2_FROM_MIGRATION_RUNBOOK.md, MODE_2_DEVICE_MIGRATION_RUNBOOK.md, MIGRATION_RUNBOOK.md (app-api/manifests)
QA / pre-prod MODE_2_TEST_PLAN.md (kis repo)
Security /security — site-wide threat model; key custody section