harden native binaries: peer verification, IPC security, and build improvements

- Add peer identity verification and process validation for IPC connections (Swift + Rust)
- Strengthen memory protection for key material with zeroize on drop
- Add entitlements file for macOS sandbox/hardened runtime
- Update build scripts for universal binary support
- Fix CI workflow to use build:universal command

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: theoephraim

.github/workflows/build-native-macos.yaml

@@ -102,7 +102,7 @@ jobs:
       # Compile (cached), bundle with mode-specific metadata, and sign
       - name: Build, bundle, and sign
         run: |
-          bun run --filter @varlock/encryption-binary-swift build:swift \
+          bun run --filter @varlock/encryption-binary-swift build:universal \
             -- --mode ${{ inputs.mode }} --version ${{ inputs.version }} --sign "$APPLE_SIGNING_IDENTITY"
 
       - name: Verify binary

packages/encryption-binary-rust/src/crypto.rs

@@ -22,6 +22,7 @@ use p256::{
     PublicKey, SecretKey,
 };
 use sha2::Sha256;
+use zeroize::Zeroize;
 
 const PAYLOAD_VERSION: u8 = 0x01;
 const HKDF_SALT: &[u8] = b"varlock-ecies-v1";
@@ -107,7 +108,11 @@ pub fn encrypt(public_key_base64: &str, plaintext: &[u8]) -> Result<String, Stri
 
     // AES-256-GCM encrypt
     let cipher = Aes256Gcm::new_from_slice(&aes_key)
-        .map_err(|e| format!("AES key init failed: {e}"))?;
+        .map_err(|e| {
+            aes_key.zeroize();
+            format!("AES key init failed: {e}")
+        })?;
+    aes_key.zeroize(); // Cipher has its own copy
 
     let mut nonce_bytes = [0u8; NONCE_LENGTH];
     rand::RngCore::fill_bytes(&mut OsRng, &mut nonce_bytes);
@@ -166,11 +171,15 @@ pub fn decrypt(
     }
 
     // Import private key from PKCS8 DER
-    let private_key_der = BASE64
+    let mut private_key_der = BASE64
         .decode(private_key_base64)
         .map_err(|e| format!("Invalid private key base64: {e}"))?;
     let secret_key = SecretKey::from_pkcs8_der(&private_key_der)
-        .map_err(|e| format!("Invalid PKCS8 private key: {e}"))?;
+        .map_err(|e| {
+            private_key_der.zeroize();
+            format!("Invalid PKCS8 private key: {e}")
+        })?;
+    private_key_der.zeroize(); // No longer needed — SecretKey has its own copy
 
     // Import ephemeral public key
     let ephemeral_point = p256::EncodedPoint::from_bytes(ephemeral_pub_raw)
@@ -204,7 +213,12 @@ pub fn decrypt(
     // AES-256-GCM decrypt
     // aes-gcm expects ciphertext || tag concatenated (same as wire format after header)
     let cipher = Aes256Gcm::new_from_slice(&aes_key)
-        .map_err(|e| format!("AES key init failed: {e}"))?;
+        .map_err(|e| {
+            aes_key.zeroize();
+            format!("AES key init failed: {e}")
+        })?;
+    aes_key.zeroize(); // Cipher has its own copy — zeroize ours
+
     let nonce = Nonce::from_slice(nonce_bytes);
 
     let plaintext = cipher

packages/encryption-binary-rust/src/daemon.rs

@@ -208,12 +208,14 @@ fn handle_decrypt(
     match key_store::load_key(key_id) {
         Ok((private_key_der, public_key_b64)) => {
             let secure_key = crate::secure_mem::SecureBytes::new(private_key_der);
-            let private_key_b64 = base64::Engine::encode(
-                &base64::engine::general_purpose::STANDARD,
-                secure_key.as_slice(),
+            let private_key_b64 = crate::secure_mem::SecureString::new(
+                base64::Engine::encode(
+                    &base64::engine::general_purpose::STANDARD,
+                    secure_key.as_slice(),
+                ),
             );
 
-            let result = match crypto::decrypt(&private_key_b64, &public_key_b64, ciphertext_b64) {
+            let result = match crypto::decrypt(private_key_b64.as_str(), &public_key_b64, ciphertext_b64) {
                 Ok(plaintext_bytes) => {
                     match String::from_utf8(plaintext_bytes) {
                         Ok(plaintext) => {

packages/encryption-binary-rust/src/ipc.rs

@@ -56,15 +56,42 @@ impl IpcServer {
     /// Start the IPC server. This blocks the calling thread.
     #[cfg(unix)]
     pub fn start(&self) -> Result<(), String> {
-        // Clean up stale socket
-        let _ = std::fs::remove_file(&self.socket_path);
-
-        // Ensure parent directory exists
+        // Ensure parent directory exists with restricted permissions
         if let Some(parent) = std::path::Path::new(&self.socket_path).parent() {
             std::fs::create_dir_all(parent)
                 .map_err(|e| format!("Failed to create socket directory: {e}"))?;
+            // Restrict directory to owner only (0700) — prevents other users
+            // from listing socket files or key filenames
+            use std::os::unix::fs::PermissionsExt;
+            let _ = std::fs::set_permissions(
+                parent,
+                std::fs::Permissions::from_mode(0o700),
+            );
         }
 
+        // Acquire exclusive lock before touching the socket file.
+        // Prevents a TOCTOU race where a malicious process could create a fake
+        // socket between our unlink() and bind(), intercepting client connections.
+        let lock_path = format!("{}.lock", self.socket_path);
+        let lock_fd = {
+            use std::os::unix::fs::OpenOptionsExt;
+            std::fs::OpenOptions::new()
+                .read(true)
+                .write(true)
+                .create(true)
+                .mode(0o600)
+                .open(&lock_path)
+                .map_err(|e| format!("Failed to create lock file: {e}"))?
+        };
+        use std::os::unix::io::AsRawFd;
+        let lock_result = unsafe { libc::flock(lock_fd.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
+        if lock_result != 0 {
+            return Err("Another daemon instance holds the lock".into());
+        }
+
+        // Safe to remove stale socket now — we hold the lock
+        let _ = std::fs::remove_file(&self.socket_path);
+
         let listener = UnixListener::bind(&self.socket_path)
             .map_err(|e| format!("Socket bind failed: {e}"))?;
 
@@ -96,6 +123,12 @@ impl IpcServer {
                     let on_activity = self.on_activity.clone();
                     let running = self.running.clone();
 
+                    // Verify the connecting process is a trusted varlock binary
+                    if !verify_unix_client(&stream) {
+                        eprintln!("Rejected connection from untrusted process");
+                        continue;
+                    }
+
                     // Get peer TTY identity
                     let tty_id = get_peer_tty_id(&stream);
 
@@ -116,8 +149,9 @@ impl IpcServer {
             }
         }
 
-        // Cleanup
+        // Cleanup socket and lock
         let _ = std::fs::remove_file(&self.socket_path);
+        let _ = std::fs::remove_file(format!("{}.lock", self.socket_path));
         Ok(())
     }
 
@@ -227,6 +261,7 @@ impl Drop for IpcServer {
     fn drop(&mut self) {
         self.stop();
         let _ = std::fs::remove_file(&self.socket_path);
+        let _ = std::fs::remove_file(format!("{}.lock", self.socket_path));
     }
 }
 
@@ -309,6 +344,60 @@ fn send_response(stream: &mut impl Write, id: Option<&str>, response: &Value) ->
     Ok(())
 }
 
+// ── Unix client process verification ─────────────────────────────
+
+/// Verify that the connecting client process is a trusted varlock binary.
+/// Uses peer credentials to get the client PID, then reads /proc/<pid>/exe.
+#[cfg(target_os = "linux")]
+fn verify_unix_client(stream: &UnixStream) -> bool {
+    use nix::sys::socket::{getsockopt, sockopt::PeerCredentials};
+    use std::os::fd::AsFd;
+
+    let creds = match getsockopt(&stream.as_fd(), PeerCredentials) {
+        Ok(c) => c,
+        Err(_) => return false,
+    };
+
+    let pid = creds.pid();
+    if pid <= 0 {
+        return false;
+    }
+
+    // Read the executable path via /proc/<pid>/exe symlink
+    let exe_path = match std::fs::read_link(format!("/proc/{pid}/exe")) {
+        Ok(p) => p,
+        Err(_) => return false,
+    };
+
+    let exe_name = exe_path
+        .file_name()
+        .and_then(|n| n.to_str())
+        .unwrap_or("");
+
+    let allowed = [
+        "varlock-local-encrypt",
+        "varlock",
+        "node",
+        "bun",
+    ];
+
+    let is_trusted = allowed.iter().any(|name| exe_name == *name);
+    if !is_trusted {
+        eprintln!(
+            "Untrusted client process: PID={pid}, exe={}",
+            exe_path.display()
+        );
+    }
+    is_trusted
+}
+
+/// macOS: no /proc filesystem, skip process verification for now.
+/// The Unix socket 0600 permissions still restrict to the owning user.
+#[cfg(all(unix, not(target_os = "linux")))]
+fn verify_unix_client(_stream: &UnixStream) -> bool {
+    true
+}
+
 // ── Peer TTY identity (Linux) ────────────────────────────────────
 
 #[cfg(target_os = "linux")]

packages/encryption-binary-rust/src/key_store/mod.rs

@@ -268,9 +268,19 @@ pub fn generate_key(key_id: &str) -> Result<String, String> {
         created_at: now_iso8601(),
     };
 
-    // Write to disk
+    // Write to disk — restrict directory permissions to owner only
     let dir = get_key_store_dir();
     fs::create_dir_all(&dir).map_err(|e| format!("Failed to create key store: {e}"))?;
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        // Set key store directory to 0700 — prevents other users from listing key files
+        let _ = fs::set_permissions(&dir, fs::Permissions::from_mode(0o700));
+        // Also restrict parent directories
+        if let Some(parent) = dir.parent() {
+            let _ = fs::set_permissions(parent, fs::Permissions::from_mode(0o700));
+        }
+    }
 
     let path = get_key_file_path(key_id);
     let json = serde_json::to_string_pretty(&stored)

packages/encryption-binary-rust/src/main.rs

@@ -181,9 +181,9 @@ fn cmd_decrypt(args: &[String]) {
     };
 
     let secure_key = secure_mem::SecureBytes::new(private_key_der);
-    let private_key_b64 = BASE64.encode(secure_key.as_slice());
+    let private_key_b64 = secure_mem::SecureString::new(BASE64.encode(secure_key.as_slice()));
 
-    match crypto::decrypt(&private_key_b64, &public_key_b64, &data_b64) {
+    match crypto::decrypt(private_key_b64.as_str(), &public_key_b64, &data_b64) {
         Ok(plaintext_bytes) => {
             let plaintext = match String::from_utf8(plaintext_bytes) {
                 Ok(s) => s,

packages/encryption-binary-rust/src/secure_mem.rs

@@ -15,7 +15,7 @@ impl SecureBytes {
     /// Create a SecureBytes from existing data. Locks the memory region.
     pub fn new(data: Vec<u8>) -> Self {
         if !data.is_empty() {
-            lock_memory(data.as_ptr(), data.len());
+            lock_memory(data.as_ptr(), data.capacity());
         }
         Self { inner: data }
     }
@@ -27,15 +27,39 @@ impl SecureBytes {
 
 impl Drop for SecureBytes {
     fn drop(&mut self) {
-        let ptr = self.inner.as_ptr();
-        let len = self.inner.len();
-
-        // Zeroize the contents
+        // Zeroize first while memory is still valid and locked
+        let cap = self.inner.capacity();
         self.inner.zeroize();
 
-        // Unlock the memory region
-        if len > 0 {
-            unlock_memory(ptr, len);
+        // Unlock after zeroizing — pointer is still valid (Vec keeps allocation until drop)
+        if cap > 0 {
+            unlock_memory(self.inner.as_ptr(), cap);
+        }
+    }
+}
+
+/// A String wrapper that zeroizes on drop. For derived representations
+/// of key material (e.g., base64-encoded private keys).
+pub struct SecureString {
+    inner: String,
+}
+
+impl SecureString {
+    pub fn new(s: String) -> Self {
+        Self { inner: s }
+    }
+
+    pub fn as_str(&self) -> &str {
+        &self.inner
+    }
+}
+
+impl Drop for SecureString {
+    fn drop(&mut self) {
+        // Safety: zeroize the underlying bytes
+        unsafe {
+            let bytes = self.inner.as_bytes_mut();
+            bytes.zeroize();
         }
     }
 }

packages/encryption-binary-swift/README.md

@@ -20,13 +20,13 @@ Rust is planned for Windows (TPM / Windows Hello) and Linux (TPM2), where the pl
 
 ```bash
 # Local dev (current arch, dev mode)
-bun run build:swift:dev
+bun run build:current
 
 # Universal binary (arm64 + x86_64, for CI)
-bun run build:swift
+bun run build:universal
 
 # With signing and release metadata
-bun run build:swift -- --mode release --version 1.2.3 --sign "Developer ID Application: ..."
+bun run build:universal -- --mode release --version 1.2.3 --sign "Developer ID Application: ..."
 ```
 
 Output: `packages/varlock/native-bins/darwin/VarlockEnclave.app`

packages/encryption-binary-swift/VarlockEnclave.entitlements

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <false/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <false/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <false/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <false/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <false/>
+    <key>com.apple.security.cs.debugger</key>
+    <false/>
+</dict>
+</plist>

packages/encryption-binary-swift/package.json

@@ -5,8 +5,8 @@
   "private": true,
   "scripts": {
     "kill-daemon": "bun run scripts/kill-daemon.ts",
-    "build:swift": "bun run kill-daemon && bun run scripts/build-swift.ts --universal",
-    "build:swift:dev": "bun run kill-daemon && bun run scripts/build-swift.ts",
+    "build:universal": "bun run kill-daemon && bun run scripts/build-swift.ts --universal",
+    "build:current": "bun run kill-daemon && bun run scripts/build-swift.ts",
     "clean": "rm -rf swift/.build"
   },
   "devDependencies": {