claimable escrow.

the part that does the actual work. how creators with no solana wallet still get paid.

when you launch with claimer = @somecreator and @somecreator has no wallet linked to gud.tek yet, we do this:

  1. generate a fresh solana keypair (pk, sk) scoped to that handle.
  2. encrypt sk using a KMS-backed envelope key. aws kms, gcp kms, anything with a real access policy and audit log.
  3. set pk as the claimer on the pool.
  4. publish the @somecreator → pk mapping. that wallet is visible on chain forever.

the token launches. fees accumulate to pk. nobody at gud.tek can spend that money without a verified claim. the kms access policy says: decrypt only when (a) the request carries a real oauth handshake against the right handle, and (b) the audit log records it.

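// the access pattern, roughly
async function claim(identity, walletAddr, oauthProof) {
  // await the check: an un-awaited promise is always truthy, so the guard would never fire
  if (!(await verifyOAuth(identity, oauthProof))) {
    throw new Error("not your handle, fam")
  }

  const wrapped = await db.escrow.findOne({ identity })
  if (!wrapped) {
    throw new Error("no escrow for this handle")
  }

  // identity, claimant and timestamp go along with the decrypt request
  const sk = await kms.decrypt(wrapped.cipher, {
    context: { identity, claimant: walletAddr, ts: now() }
  })

  // sweep everything held by the escrow wallet to the claimant's wallet
  const tx = buildTransferTx({
    from: wrapped.pk,
    to:   walletAddr,
    sk,
    amount: ALL,
  })
  return solana.send(tx)
}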
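
one way the key wrapping in steps 1 and 2 could look, as an added example (not gud.tek's code). a local stand-in plays the kms, and the handle is bound into both ciphertexts as authenticated data, so a decrypt for any other handle fails. `makeFakeKms`, `createEscrow`, `openEscrow` and the record layout are assumptions made for the example.

```javascript
// added example, not gud.tek's code: envelope-encrypt an escrow key per handle.
const nodeCrypto = require("node:crypto")

// AES-256-GCM helpers; `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12)
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv)
  c.setAAD(Buffer.from(aad))
  const body = Buffer.concat([c.update(plaintext), c.final()])
  return Buffer.concat([iv, c.getAuthTag(), body])
}
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12))
  d.setAAD(Buffer.from(aad))
  d.setAuthTag(blob.subarray(12, 28))
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]) // throws on mismatch
}

// hypothetical local stand-in for a kms: the master key never leaves this object,
// and every unwrap attempt is logged before its outcome is known.
function makeFakeKms() {
  const master = nodeCrypto.randomBytes(32)
  const audit = []
  return {
    audit,
    wrap: (dataKey, identity) => seal(master, dataKey, identity),
    unwrap(wrapped, identity) {
      audit.push({ op: "unwrap", identity })
      return open(master, wrapped, identity)
    },
  }
}

// steps 1-2: fresh ed25519 keypair for the handle, sk sealed under a one-off data key.
function createEscrow(kms, identity) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519")
  // raw 32-byte public key as hex (solana tooling would display it as base58)
  const pk = publicKey.export({ format: "der", type: "spki" }).subarray(-32).toString("hex")
  const dataKey = nodeCrypto.randomBytes(32)
  const cipher = seal(dataKey, privateKey.export({ format: "der", type: "pkcs8" }), identity)
  const record = { identity, pk, cipher, wrappedKey: kms.wrap(dataKey, identity) }
  dataKey.fill(0) // the plaintext data key is not kept
  return record
}

// claim-time decrypt: succeeds only when the verified handle matches the sealed one.
function openEscrow(kms, record, verifiedIdentity) {
  const dataKey = kms.unwrap(record.wrappedKey, verifiedIdentity)
  return open(dataKey, record.cipher, verifiedIdentity)
}
```

the stored record holds only `pk`, the sealed `sk` and the wrapped data key; the handle passed to `openEscrow` should be the one the oauth check just verified, never one taken from the request body.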

the claim flow

real owner of @somecreator shows up at some later point:

  1. they oauth with X. handshake proves they control the handle right now.
  2. they connect a solana wallet (phantom, backpack, whatever).
  3. our signer decrypts sk, signs a transfer of everything in pk to the connected wallet.
  4. the pool's claimer field rotates to the new wallet. from now on, fees go straight there. no more escrow in the middle.

that's the whole loop. you didn't need a wallet to launch. you only need one to collect.