mac/swift encryption binary + cross platform client

Author: theoephraim

.changeset/red-wasps-kick.md

@@ -0,0 +1,5 @@
+---
+"varlock": minor
+---
+
+add new varlock() function for built-in encryption

.gitignore

@@ -16,4 +16,5 @@ smoke-tests/pnpm-lock.yaml
 framework-tests/.packed
 framework-tests/.test-projects
 .magent
+.claude/worktrees/
 eslint-output.txt

bun.lock

@@ -159,6 +159,7 @@ export default tseslint.config(
     },
   },
   {
+    // allow console.log in some scripts/tests/etc
     files: [
       'scripts/**',
       'ignore/**',
@@ -168,6 +169,7 @@ export default tseslint.config(
       'packages/varlock/scripts/**',
       'smoke-tests/**',
       'framework-tests/**',
+      'packages/encryption-binary-swift/scripts/**',
     ],
     rules: {
       'no-console': 0,
@@ -179,22 +181,6 @@ export default tseslint.config(
       '@typescript-eslint/no-require-imports': 0,
     },
   },
-  {
-    // plugin files use triple-slash directives for the `plugin` global type
-    // which is injected at runtime by varlock via globalThis
-    files: [
-      'smoke-tests/**/plugins/**',
-      'packages/varlock/src/env-graph/test/plugins/**',
-    ],
-    languageOptions: {
-      globals: {
-        plugin: 'readonly',
-      },
-    },
-    rules: {
-      '@typescript-eslint/triple-slash-reference': 0,
-    },
-  },
   {
     // these files use build-time globals declared in globals.d.ts
     files: [

eslint.config.mjs

@@ -38,8 +38,6 @@
     "@typescript-eslint/parser": "^8.56.1",
     "@varlock/changeset-changelog": "workspace:*",
     "@varlock/tsconfig": "workspace:*",
-    "@varlock/cloudflare-integration": "workspace:*",
-    "@varlock/keepass-plugin": "workspace:*",
     "eslint": "^10.0.2",
     "eslint-plugin-es-x": "^9.5.0",
     "eslint-plugin-fix-disabled-rules": "^0.0.2",
@@ -49,7 +47,8 @@
     "globals": "^17.3.0",
     "turbo": "^2.8.12",
     "typescript": "catalog:",
-    "typescript-eslint": "^8.56.1"
+    "typescript-eslint": "^8.56.1",
+    "varlock": "workspace:*"
   },
   "packageManager": "bun@1.3.11",
   "engines": {

package.json

@@ -0,0 +1,22 @@
+# @defaultSensitive=false @defaultRequired=infer
+# @plugin(@varlock/1password-plugin)
+# @initOp(allowAppAuth=true, token=$OP_CI_TOKEN)
+# ---
+
+# this must be set in github actions secrets
+# @type=opServiceAccountToken @sensitive
+OP_CI_TOKEN=
+
+# Apple code signing - used in CI to sign the macOS native binary
+# @sensitive
+APPLE_CERTIFICATE_BASE64=op("op://VarlockCI/apple developer/APPLE_CERTIFICATE_BASE64")
+# @sensitive
+APPLE_CERTIFICATE_PASSWORD=op("op://VarlockCI/apple developer/APPLE_CERTIFICATE_PASSWORD")
+APPLE_SIGNING_IDENTITY=op("op://VarlockCI/apple developer/APPLE_SIGNING_IDENTITY")
+APPLE_TEAM_ID=op("op://VarlockCI/apple developer/APPLE_TEAM_ID")
+
+# Apple notarization
+# @sensitive
+APPLE_ID=op("op://VarlockCI/apple developer/APPLE_NOTARIZATION_APPLE_ID")
+# @sensitive
+APPLE_APP_PASSWORD=op("op://VarlockCI/apple developer/APPLE_NOTARIZATION_APP_PASSWORD")

packages/encryption-binary-swift/.env.schema

@@ -0,0 +1 @@
+swift/.build

packages/encryption-binary-swift/.gitignore

@@ -0,0 +1,32 @@
+# @varlock/encryption-binary-swift
+
+macOS native binary for varlock's local encryption, built in Swift.
+
+## Why Swift?
+
+Varlock uses the **Secure Enclave** for hardware-backed key storage on macOS. The Secure Enclave, Touch ID biometric prompts, and native UI (status bar menu, secure input dialogs) are only accessible through Apple's `Security`, `LocalAuthentication`, and `AppKit` frameworks — which are designed for Swift/Objective-C. Rust or other languages would require fragile FFI bindings with no stable C ABI to target.
+
+The `.app` bundle format is also required for custom Touch ID icons, `LSUIElement` (menu-bar-only) behavior, and proper code signing + notarization.
+
+Rust is planned for Windows (TPM / Windows Hello) and Linux (TPM2), where the platform APIs have C-friendly interfaces. The IPC protocol (length-prefixed JSON over a Unix socket) is the same across all platforms.
+
+## Structure
+
+- `swift/` — Swift Package Manager project (`VarlockEnclave` executable)
+- `scripts/build-swift.ts` — Two-phase build: compile (cacheable) + bundle (mode-specific `.app` wrapping + codesign)
+- `resources/` — App icon and other bundle resources
+
+## Building
+
+```bash
+# Local dev (current arch, dev mode)
+bun run build:swift:dev
+
+# Universal binary (arm64 + x86_64, for CI)
+bun run build:swift
+
+# With signing and release metadata
+bun run build:swift -- --mode release --version 1.2.3 --sign "Developer ID Application: ..."
+```
+
+Output: `packages/varlock/native-bins/darwin/VarlockEnclave.app`

packages/encryption-binary-swift/README.md

@@ -0,0 +1,18 @@
+{
+  "name": "@varlock/encryption-binary-swift",
+  "description": "macOS Secure Enclave encryption binary for varlock (Swift)",
+  "version": "0.0.1",
+  "private": true,
+  "scripts": {
+    "kill-daemon": "bun run scripts/kill-daemon.ts",
+    "build:swift": "bun run kill-daemon && bun run scripts/build-swift.ts --universal",
+    "build:swift:dev": "bun run kill-daemon && bun run scripts/build-swift.ts",
+    "clean": "rm -rf swift/.build"
+  },
+  "devDependencies": {
+    "@varlock/1password-plugin": "workspace:*",
+    "varlock": "workspace:*"
+  },
+  "author": "dmno-dev",
+  "license": "MIT"
+}