Add napi-rs CI for hardware-keys platform builds #2
Merged
Conversation
…y resolution
- New @aauth/hardware-keys napi-rs package: Rust crate wrapping the `yubikey` crate for PIV slot 9e signing (no PIN) and `security-framework` for Secure Enclave, compiled as a Node.js native addon via napi-rs
- Swift SE helper (se-helper): codesigned binary for persistent Secure Enclave key management — generate, sign, list, delete via CryptoKit
- Backend abstraction: software (OS keychain), yubikey-piv, secure-enclave — each with discover, generateKey, signHash, listKeys, getPublicKey, getDeviceLabel
- Key resolution chain: fetch JWKS → match thumbprints against local keys → config fallback → hardware fallback → software fallback. Hardware always preferred, unavailable devices gracefully skipped.
- Multi-agent config (~/.aauth/config.json): agents map with per-agent personServerUrl, hosting platform, and keys map (kid → backend metadata)
- Updated agent-token.ts: hardware key signing via manual JWT assembly + hash signing, person server URL as `ps` claim
- CLI redesigned for agent use: discover, generate, sign-token, public-key, add-agent, config, show, skill — all JSON output except show/help
- Skills system with front matter: setup skill for key generation + platform discovery, platform skills (github-pages, gitlab-pages, cloudflare-pages, netlify) with detection metadata for agent-driven discovery
- 23 vitest tests covering all backends, agent token signing + verification, config management, and device labels

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add jti (randomUUID) to agent tokens (both software and hardware signing paths)
- Add jti to resource tokens
- Rename Mission.manager → Mission.approver per spec (MM → Person Server)
- Update setup skill: default person server is https://issuer.hello.coop

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- mcp-stdio: --agent-url is now optional, resolved from ~/.aauth/config.json
- mcp-openclaw: agent_url is now optional in PluginConfig
- local-keys config: added agentServerUrl and jwksUri fields to AgentConfig
- resolveKey: fetches JWKS and agent metadata in parallel when jwksUri is cached, verifies agent server still points to same jwksUri
- CLI: auto-derives and stores agentServerUrl/jwksUri on generate and add-agent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ackages
- Bump hardware-keys to v0.3.0 to match all workspace packages
- Add singleFork to root vitest config (YubiKey exclusive access)
- Remove prebuilt se-helper from local-keys/bin (will ship in platform packages)
- SE backend looks for se-helper in @aauth/hardware-keys-{arch} package first
- Add @aauth/hardware-keys as optionalDependency of local-keys
- Add hardware-keys to release workflow version check
- Remove postinstall (se-helper is prebuilt, not built at install time)
- 146/146 tests passing
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Build native .node binaries for darwin-arm64, darwin-x64, linux-x64-gnu, and win32-x64-msvc. Include prebuilt se-helper Swift binary in darwin platform packages. Integrate into release.yml via workflow_call.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- darwin-x64: cross-compile Rust + Swift from arm64 runner (macos-13 unavailable)
- Smoke tests: use index.js loader from hardware-keys/ working directory
- Stage step: rename output to index.{platform}.node for npm packages
- Add debug ls step to confirm build output filenames
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
napi build produces hardware-keys.{platform}.node, not index.{platform}.node.
Load the binary directly instead of through index.js which expects the index prefix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `hardware-keys.yml` workflow that builds native `.node` binaries on 4 platforms (darwin-arm64, darwin-x64, linux-x64-gnu, win32-x64-msvc)
- `se-helper` Swift binary …
- … (`discover()` call) to verify the module loads
- `release.yml` via `workflow_call` for publishing platform packages with provenance

Test plan
- discover: `[]` (no hardware on runners)

🤖 Generated with Claude Code