
Open-Sourcing the Core

The cryptographic core of nimimo is now public. Read it, audit it, run it yourself.

launch · vision · security · non-custodial

The cryptographic core of nimimo is now open source. github.com/chriszemmel/nimimo-core. AGPL-3.0. Every line that touches your keys is in there.

If you have ever wondered what is actually running when you sign up, generate a wallet, encrypt your seed phrase, derive a Bitcoin address, or back up to a recovery card — you no longer have to take our word for it. You can read it. You can run it. You can fork it.

Why now

Until last week, nimimo was a closed-source product with an unusually transparent security audit. The audit page is still there. The 92/100 score is still there. The architecture is unchanged. What changed is the level of trust we are willing to ask for.

A non-custodial system asks people to trust the architecture, not the operator. That is the entire pitch. But if the architecture is closed, the trust still routes through us. We say the keys never leave your device. You either believe us or you do not. There is no third option.

Open-sourcing the core removes that asymmetry. The keys-never-leave-your-device claim is now testable in five minutes by anyone with a browser and a network tab. Either the code matches the claim or it does not. There is no longer any room for marketing language to do load-bearing work.

What's in the box

nimimo-core is the cryptographic substrate of the product. It contains everything that touches funds and identity, separated from the parts of the product that are about hosting, design, and creator monetization.

  • Client-side HD wallet — BIP-39 mnemonic generation, BIP-32/BIP-44 derivation, BIP-84 P2WPKH for Bitcoin, EIP-55 for Ethereum, Ed25519 for Solana, all from a single seed
  • Device-bound encryption — AES-256-GCM with PBKDF2-SHA256 at 600,000 iterations, non-extractable WebCrypto keys, no transmission of secret material
  • Recovery card crypto — separate PIN-derived key, encrypted PDF, QR-encoded ciphertext, full offline restore path
  • Identity primitives — handle generation, deterministic name space, the four-axis separation of access, identity, ownership, and recovery
  • Authorization checks — the ownership-scoped guard model that enforces "you can only act on identities your session owns"
  • Resolution — the read-only public API that turns @lucky-mountain into Bitcoin, Ethereum, and Solana addresses

The hosted UI, the creator monetization surface, the admin tooling, and the operational scaffolding stay closed. That is the open-core model: the parts that could harm you if they misbehaved are public; the product surface around them stays maintainable as a product.

Ten reasons, in plain language

There are a few different ways to explain this decision. None of them are mutually exclusive.

  • Build trust. Keys and identity should be inspectable, not promised.
  • Make security verifiable. Anyone can audit the core — not just the people we hire.
  • Remove black-box risk. There can be no hidden logic around funds.
  • Show the architecture. nimimo is about systems design, not just a UI.
  • Attract builders. Easier to collaborate, extend, and contribute back.
  • Create credibility. Working code is stronger than a CV or a pitch deck.
  • Enable composability. Others can build on top of the core.
  • Keep the core open, evolve the product fast. Open where it matters most; nimble everywhere else.
  • Align incentives. Users do not have to trust me — they can trust the source.
  • Grow through transparency, not marketing.

What this changes for you

If you already use nimimo, nothing changes operationally. Your wallet is the same. Your handle is the same. Your recovery card still works. The keys that were on your device are still on your device. The only difference is that the code that produced them is now public.

If you were waiting for nimimo to be auditable before signing up, you can stop waiting. Open the repo. Read lib/ownership/v1/derive.ts. Read lib/recovery/crypto.ts. Read the network requests in your browser's dev tools while the wallet generates. Confirm that no secret material crosses the wire. The proof is in the source.

If you are a developer, you can now resolve handles through the SDK and trust the resolution path because you can read it. You can also self-host the core if you prefer to run it under your own infrastructure. The license is AGPL-3.0, which means the freedom is real and the obligation to share modifications is too.

nimimo-core is published at github.com/chriszemmel/nimimo-core under AGPL-3.0. The hosted product (UI, creator monetization, admin tooling) remains closed source — open core, closed surface. The 92/100 audit at nimimo.com/audit is now testable line-by-line against the open repository.

What this changes for me

There is a version of this decision that is purely strategic — open source attracts attention, attracts contributors, attracts trust, attracts everything good. That version is true. There is also a more honest version.

I built nimimo because I believe the custody model crypto inherited from finance is the wrong shape for what crypto is supposed to be. I do not want to be the operator who could betray you. I want to be the operator who structurally cannot. Open-sourcing the core is the part where I stop describing that property and start letting you verify it.

It also closes a loop on something I have written about elsewhere: the architecture removes the capability to do harm, not just the intent. Intent is fragile. Capability boundaries are not. When the code that defines those boundaries is closed, the boundaries are still real, but only one person can prove it. When the code is open, anyone can.

What stays the same

The product is still the same product. You still sign up with an email. You still get a name. You still share a link. People still send from whatever wallet they already have, on Bitcoin, Ethereum, or Solana. The four-axis separation of access, identity, ownership, and recovery is the same separation it was the day nimimo shipped — and the day before that, when it was just a whitepaper.

The closed-source contract work continues. nimimo's hosted surface — the templates, the creator-monetization flows, the admin tooling — stays closed because that is the part that needs to ship fast and iterate on its own clock. The core stays open because the core is the part where speed should never come at the cost of trust.

Read it

The repository is at github.com/chriszemmel/nimimo-core. Start with the README if you want a tour. Start with lib/ownership/ if you want to see how a single seed becomes three addresses on three different chains. Start with lib/recovery/ if you want to see how the recovery PDF gets encrypted and decrypted entirely on your device. Start anywhere, really. There is no part of the cryptographic core that is hiding from you anymore.

That was the whole point.
