The watch-only node handles all networking and channel management. The signer
node holds the seed and performs cryptographic signing. Even if the agent machine
is fully compromised, the attacker cannot extract private keys.

See [references/architecture.md](references/architecture.md) for the full
architecture explainer.

## Quick Start (Container — Recommended)

### On the Signer Machine

### Two-Container Local Setup

For testing both on the same machine:

## Installation

Default: pulls the lnd Docker image for the signer.

This pulls `lightninglabs/lnd:v0.20.0-beta` from Docker Hub. The signer only
needs plain lnd (not litd) since it only holds keys and signs.

### Build from Source (Fallback)

## Native Mode

For running the signer without Docker:

## Remote Nodes

Export credentials from a remote signer:

## Credential Bundle Format

The exported bundle (`~/.lnget/signer/credentials-bundle/`) contains:

| File | Purpose |
|------|---------|
| `accounts.json` | Account xpubs for watch-only wallet import |
| `tls.cert` | Signer's TLS certificate for authenticated gRPC |
| `admin.macaroon` | Signer's admin macaroon for RPC authentication |

The bundle is also available as a single base64-encoded tar.gz file
(`credentials-bundle.tar.gz.b64`) for easy copy-paste transfer between machines.

## Scripts

| Script | Purpose |
|--------|---------|
| `install.sh` | Pull lnd signer image (or build from source) |
| `docker-start.sh` | Start signer container |
| `docker-stop.sh` | Stop signer container |
| `setup-signer.sh` | Create signer wallet and export credentials |
| `start-signer.sh` | Start signer (delegates to Docker by default) |
| `stop-signer.sh` | Stop signer (delegates to Docker by default) |
| `export-credentials.sh` | Re-export credentials from running signer |

## Managing the Signer

### Start

### Re-export Credentials

If TLS certificates or macaroons have been regenerated:

## Configuration

### Container Config

The signer compose template is at
`skills/lightning-security-module/templates/docker-compose-signer.yml`. Config
is passed via command-line arguments.

### Native Config

The native signer config template is at
`skills/lightning-security-module/templates/signer-lnd.conf.template`. Key
differences from a standard lnd node:

- **No P2P listening** (`--listen=`) — signer doesn't route
- **RPC on 0.0.0.0:10012** — accepts connections from watch-only node
- **REST on localhost:10013** — local only, for wallet creation
- **TLS extra IP 0.0.0.0** — watch-only on a different machine can connect
- **No autopilot, no routing fees** — signer is signing-only

## Security Model

**What stays on the signer:**
- 24-word seed mnemonic
- All private keys (funding, revocation, HTLC)
- Wallet database with key material

**What gets exported:**
- Account xpubs (public keys only — cannot spend)
- TLS certificate (for authenticated connection)
- Admin macaroon (for RPC auth — scope down for production)

**Threat model:**
- Compromised agent machine cannot sign transactions or extract keys
- Attacker with agent access can see balances and channel state but not spend
- Signer machine should have minimal attack surface

**Production hardening:**
- Replace admin macaroon with a signer-only macaroon (see `macaroon-bakery`)
- Restrict signer RPC to specific IP addresses via firewall
- Run signer on dedicated hardware or a hardened VM
- Use Lightning Node Connect (LNC) via `lightning-mcp-server` for read-only agent access

## Macaroon Bakery for Signer

For production, bake a signing-only macaroon:

Agent Machine                     Signer Machine (secure)
┌─────────────────┐              ┌─────────────────────┐
│  litd (watch-only)│◄──gRPC───►│  lnd (signer)        │
│  - neutrino      │             │  - holds seed         │
│  - manages chans │             │  - signs commitments  │
│  - routes pmts   │             │  - signs on-chain txs │
│  - NO key material│            │  - no p2p networking   │
└─────────────────┘              └─────────────────────┘