[Feat] Init mac os secure enclave signer

.github/workflows/publish.yml

@@ -5,11 +5,96 @@ on:
     branches: [main]
 
 jobs:
+  # ── Job 1: Build & sign the Swift binary on macOS ──────────────
+  build-swift:
+    runs-on: macos-14
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Apple certificate
+        env:
+          APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
+          echo -n "$APPLE_CERTIFICATE_P12" | base64 --decode -o $CERTIFICATE_PATH
+
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -hex 24)
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          security import $CERTIFICATE_PATH \
+            -P "$APPLE_CERTIFICATE_PASSWORD" \
+            -A -t cert -f pkcs12 \
+            -k $KEYCHAIN_PATH
+
+          security set-key-partition-list \
+            -S apple-tool:,apple:,codesign: \
+            -s -k "$KEYCHAIN_PASSWORD" \
+            $KEYCHAIN_PATH
+
+          security list-keychains -d user -s $KEYCHAIN_PATH $(security list-keychains -d user | tr -d '"')
+
+          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV
+
+      - name: Install provisioning profile
+        env:
+          APPLE_PROVISIONING_PROFILE: ${{ secrets.APPLE_PROVISIONING_PROFILE }}
+        run: |
+          PROFILE_PATH=$RUNNER_TEMP/embedded.provisionprofile
+          echo -n "$APPLE_PROVISIONING_PROFILE" | base64 --decode -o $PROFILE_PATH
+          echo "PROVISIONING_PROFILE=$PROFILE_PATH" >> $GITHUB_ENV
+
+      - name: Build and sign Swift binary
+        env:
+          SIGN_IDENTITY: "Developer ID Application: HyperPlay Labs Inc (RTGU82X53W)"
+        run: |
+          mkdir -p dist
+          bash swift/SecureEnclaveSigner/build.sh
+
+      - name: Verify code signature
+        run: |
+          codesign --verify --deep --strict dist/secure-enclave-signer.app
+          codesign -dvv dist/secure-enclave-signer.app
+
+      - name: Notarize
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          ditto -c -k --keepParent dist/secure-enclave-signer.app \
+            $RUNNER_TEMP/secure-enclave-signer.zip
+
+          xcrun notarytool submit $RUNNER_TEMP/secure-enclave-signer.zip \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_APP_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+
+          xcrun stapler staple dist/secure-enclave-signer.app
+
+      - name: Upload signed binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: signed-swift-binary
+          path: dist/secure-enclave-signer.app
+          retention-days: 1
+
+      - name: Cleanup keychain
+        if: always()
+        run: security delete-keychain $KEYCHAIN_PATH 2>/dev/null || true
+
+  # ── Job 2: Build JS + publish npm package ──────────────────────
   publish:
+    needs: build-swift
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write  # enables npm provenance
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
@@ -30,8 +115,19 @@ jobs:
       - name: Typecheck
         run: pnpm codecheck
 
-      - name: Build
-        run: pnpm build
+      - name: Build JS bundle
+        run: pnpm exec vite build
+
+      - name: Download signed binary
+        uses: actions/download-artifact@v4
+        with:
+          name: signed-swift-binary
+          path: dist/secure-enclave-signer.app
+
+      - name: Create binary symlink
+        run: |
+          ln -sf secure-enclave-signer.app/Contents/MacOS/secure-enclave-signer \
+            dist/secure-enclave-signer
 
       - name: Check if version is already published
         id: version_check

.gitignore

@@ -140,4 +140,7 @@ vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
 .vite/
 
-dist
+dist
+
+swift/SecureEnclaveSigner/.build
+**/.DS_Store

.vscode/launch.json

@@ -0,0 +1,24 @@
+{
+    "configurations": [
+        {
+            "type": "swift",
+            "request": "launch",
+            "args": [],
+            "cwd": "${workspaceFolder:agent-cli}/swift/SecureEnclaveSigner",
+            "name": "Debug SecureEnclaveSigner (swift/SecureEnclaveSigner)",
+            "target": "SecureEnclaveSigner",
+            "configuration": "debug",
+            "preLaunchTask": "swift: Build Debug SecureEnclaveSigner (swift/SecureEnclaveSigner)"
+        },
+        {
+            "type": "swift",
+            "request": "launch",
+            "args": [],
+            "cwd": "${workspaceFolder:agent-cli}/swift/SecureEnclaveSigner",
+            "name": "Release SecureEnclaveSigner (swift/SecureEnclaveSigner)",
+            "target": "SecureEnclaveSigner",
+            "configuration": "release",
+            "preLaunchTask": "swift: Build Release SecureEnclaveSigner (swift/SecureEnclaveSigner)"
+        }
+    ]
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coinfello/agent-cli",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "",
   "type": "module",
   "main": "dist/index.js",
@@ -14,8 +14,9 @@
     "access": "public"
   },
   "scripts": {
-    "build": "vite build",
+    "build": "vite build && pnpm run build:swift",
     "build:swift": "bash swift/SecureEnclaveSigner/build.sh",
+    "build:signed": "vite build && SIGN_IDENTITY=\"Apple Development: Brett Cleary (WF45KCA35Q)\" PROVISIONING_PROFILE=\"$HOME/Agent_Cli_Dev_Profile_1.provisionprofile\" pnpm run build:swift",
     "codecheck": "tsc --noEmit",
     "lint": "eslint src",
     "prettier-fix": "prettier --write src coinfello",
@@ -34,6 +35,8 @@
     "viem": "^2.45.1"
   },
   "devDependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
     "@types/node": "^25.2.1",
     "dotenv": "^17.3.1",
     "eslint": "^10.0.0",

src/account.ts

@@ -7,9 +7,11 @@ import {
   type CreateDelegationOptions,
 } from '@metamask/smart-accounts-kit'
 import { PrivateKeyAccount, privateKeyToAccount } from 'viem/accounts'
+import { toWebAuthnAccount } from 'viem/account-abstraction'
 import { createPublicClient, http, type Hex, type Chain } from 'viem'
 import * as chains from 'viem/chains'
 import { randomBytes } from 'node:crypto'
+import { generateKey, createSecureEnclaveGetFn } from './secure-enclave/index.js'
 
 export type HybridSmartAccount = ToMetaMaskSmartAccountReturnType<Implementation.Hybrid>
 export type DelegationScope = CreateDelegationOptions['scope']
@@ -94,3 +96,105 @@ export function createSubdelegation({
     salt: `0x${randomBytes(32).toString('hex')}` as Hex,
   })
 }
+
+// ── Secure Enclave P256 account functions ────────────────────────
+
+export async function createSmartAccountWithSecureEnclave(chainInput: string | number): Promise<{
+  smartAccount: HybridSmartAccount
+  address: string
+  keyTag: string
+  publicKeyX: string
+  publicKeyY: string
+  keyId: Hex
+}> {
+  const chain = resolveChainInput(chainInput)
+  const publicClient = createPublicClient({ chain, transport: http() })
+
+  // Generate P256 key in Secure Enclave
+  const keyPair = await generateKey()
+
+  // On-chain key identifier
+  const keyId = `0x${randomBytes(32).toString('hex')}` as Hex
+
+  // Encode uncompressed public key: 0x04 || x (32 bytes) || y (32 bytes)
+  const xHex = keyPair.x.toString(16).padStart(64, '0')
+  const yHex = keyPair.y.toString(16).padStart(64, '0')
+  const publicKeyHex = `0x04${xHex}${yHex}` as Hex
+  const credentialId = Buffer.from(keyPair.tag).toString('base64url')
+
+  const webAuthnAccount = toWebAuthnAccount({
+    credential: {
+      id: credentialId,
+      publicKey: publicKeyHex,
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    getFn: createSecureEnclaveGetFn(keyPair.tag) as any,
+    rpId: 'localhost',
+  })
+
+  const smartAccount = await toMetaMaskSmartAccount({
+    client: publicClient,
+    implementation: Implementation.Hybrid,
+    deployParams: [
+      '0x0000000000000000000000000000000000000000' as Hex,
+      [keyId],
+      [keyPair.x],
+      [keyPair.y],
+    ],
+    deploySalt: '0x',
+    signer: { webAuthnAccount, keyId },
+  })
+
+  const address = await smartAccount.getAddress()
+
+  return {
+    smartAccount,
+    address,
+    keyTag: keyPair.tag,
+    publicKeyX: `0x${xHex}`,
+    publicKeyY: `0x${yHex}`,
+    keyId,
+  }
+}
+
+export async function getSmartAccountFromSecureEnclave(
+  keyTag: string,
+  publicKeyX: string,
+  publicKeyY: string,
+  keyId: Hex,
+  chainInput: string | number
+): Promise<HybridSmartAccount> {
+  const chain = resolveChainInput(chainInput)
+  const publicClient = createPublicClient({ chain, transport: http() })
+
+  const xBigInt = BigInt(publicKeyX)
+  const yBigInt = BigInt(publicKeyY)
+
+  const xHex = xBigInt.toString(16).padStart(64, '0')
+  const yHex = yBigInt.toString(16).padStart(64, '0')
+  const publicKeyHex = `0x04${xHex}${yHex}` as Hex
+  const credentialId = Buffer.from(keyTag).toString('base64url')
+
+  const webAuthnAccount = toWebAuthnAccount({
+    credential: {
+      id: credentialId,
+      publicKey: publicKeyHex,
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    getFn: createSecureEnclaveGetFn(keyTag) as any,
+    rpId: 'localhost',
+  })
+
+  return toMetaMaskSmartAccount({
+    client: publicClient,
+    implementation: Implementation.Hybrid,
+    deployParams: [
+      '0x0000000000000000000000000000000000000000' as Hex,
+      [keyId],
+      [xBigInt],
+      [yBigInt],
+    ],
+    deploySalt: '0x',
+    signer: { webAuthnAccount, keyId },
+  })
+}

src/config.ts

@@ -9,6 +9,13 @@ export interface Config {
   chain?: string
   delegation?: Delegation
   session_token?: string
+  signer_type?: 'privateKey' | 'secureEnclave'
+  secure_enclave?: {
+    key_tag: string
+    public_key_x: string // hex
+    public_key_y: string // hex
+    key_id: string // hex, on-chain P256 key identifier
+  }
 }
 
 const CONFIG_DIR = join(homedir(), '.clawdbot', 'skills', 'coinfello')