Security Policy

Reporting Vulnerabilities

This SDK handles private keys, HMAC secrets, and order signing for real financial transactions.

If you discover a security vulnerability, do NOT open a public issue. Instead:

  1. Email: create a private security advisory on GitHub
  2. Include: description, reproduction steps, and potential impact
  3. We will respond within 48 hours

Scope

Security-relevant areas of this SDK:

  • Private key handling (crypto/signer.hpp) — key zeroing, memory safety
  • HMAC signing (crypto/hmac.hpp) — secret storage, OpenSSL usage
  • Order signing (order/order_builder.hpp) — EIP-712, amount calculations
  • TLS/SSL (http_client.hpp, ws_client.cpp) — certificate verification
  • Salt generation (order_builder.hpp) — CSPRNG quality

Security Measures

  • Private keys zeroed on Signer destruction and move (OPENSSL_cleanse)
  • HMAC secrets decoded once, key material cleaned after use
  • SSL_VERIFY_PEER enabled for all TLS connections
  • Salt generated via OS CSPRNG (std::random_device), masked to 53 bits
  • No secrets logged or included in error messages
  • Input validation on addresses (length check), token IDs (digit-only), decimals (non-negative)
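The measures listed above are small enough to show in code. The following is an added illustration, not the SDK's own source: a minimal Signer-like class that wipes its key on destruction and on move (the project uses OPENSSL_cleanse; this example substitutes a portable volatile-write loop so it builds without libcrypto), a salt generator that draws from std::random_device and masks the result to 53 bits, and the three input checks named in the last bullet. The 32-byte key length, the function names, and the 42-character "0x"-prefixed address format are assumptions for this example. One practical caveat for anyone reviewing such code: std::random_device is only as strong as the platform's implementation, so a build for a new toolchain should confirm it is backed by the OS CSPRNG rather than a deterministic engine.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <random>
#include <string>
#include <utility>

// Portable stand-in for OPENSSL_cleanse (assumption for this example; the SDK
// itself calls OPENSSL_cleanse). Writing through a volatile pointer keeps the
// compiler from eliding the wipe as a dead store.
static void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// Illustrative signer: owns a raw private key, non-copyable, and wipes the key
// whenever ownership ends (destructor) or is transferred (move).
class Signer {
public:
    static constexpr std::size_t KEY_LEN = 32;  // assumed 32-byte secp256k1 key

    explicit Signer(const std::array<std::uint8_t, KEY_LEN>& key)
        : key_(key), has_key_(true) {}
    ~Signer() { wipe(); }

    Signer(const Signer&) = delete;             // no silent key duplication
    Signer& operator=(const Signer&) = delete;

    Signer(Signer&& other) noexcept : key_(other.key_), has_key_(other.has_key_) {
        other.wipe();                           // moved-from object keeps no key bytes
    }
    Signer& operator=(Signer&& other) noexcept {
        if (this != &other) {
            wipe();
            key_ = other.key_;
            has_key_ = other.has_key_;
            other.wipe();
        }
        return *this;
    }

    bool has_key() const { return has_key_; }
    bool key_is_zeroed() const {
        return std::all_of(key_.begin(), key_.end(),
                           [](std::uint8_t b) { return b == 0; });
    }

private:
    void wipe() {
        secure_zero(key_.data(), key_.size());
        has_key_ = false;
    }
    std::array<std::uint8_t, KEY_LEN> key_{};
    bool has_key_ = false;
};

// 53-bit mask, as stated in the policy.
constexpr std::uint64_t SALT_MASK = (std::uint64_t{1} << 53) - 1;

// random_device yields 32-bit words, so two draws are combined before masking.
std::uint64_t generate_salt() {
    std::random_device rd;
    std::uint64_t hi = rd();
    std::uint64_t lo = rd();
    return ((hi << 32) | lo) & SALT_MASK;
}

// Token IDs: non-empty, ASCII digits only.
bool valid_token_id(const std::string& s) {
    return !s.empty() && std::all_of(s.begin(), s.end(), [](unsigned char c) {
        return std::isdigit(c) != 0;
    });
}

// Addresses: assumed "0x" + 40 hex chars = 42 characters (length check only,
// matching the policy's wording; checksum validation is out of scope here).
bool valid_address(const std::string& s) {
    return s.size() == 42 && s[0] == '0' && s[1] == 'x';
}

// Decimals: must be non-negative.
bool valid_decimals(int d) { return d >= 0; }
```

Because a moved-from Signer is wiped immediately, code that holds a key in a temporary and moves it into a long-lived object leaves no second copy behind; the destructor handles the normal end-of-scope case.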
