1. AUTH: Google/Apple via Supabase.
2. WALLET: Generated client-side, encrypted with AES-256-GCM (PBKDF2 600K). Only encrypted blob stored.
3. UNLOCK: Password decrypts key to sessionStorage (clears on tab close).
4. MULTI-CHAIN: Same address on all EVM chains. User picks chain.
5. TOKENS: Native + ERC20 tokens supported per chain.
6. DEPOSIT: User sends from MetaMask/exchange to their CryptoVault address.
7. VAULT: Pick token + amount + duration. Contract locks funds. Fee auto-routed.
8. WITHDRAW: After expiry, contract releases to user's wallet.
9. SECURITY: HTTPS, CSP, HSTS, XSS/CSRF protection, rate limiting. All signing client-side.