# Motr Enclave

Extism WASM plugin providing encrypted key storage for the Nebula wallet. Built with Go 1.25+ for the `wasip1` target.

## Features

- **WebAuthn Integration** - Device-bound credentials with PRF key derivation
- **MPC Key Shares** - Secure threshold signature key storage
- **Multi-Chain Support** - BIP44 derivation for Sonr, Ethereum, Bitcoin
- **UCAN v1.0.0-rc.1** - Capability-based authorization with CID-indexed delegations
- **Encryption at Rest** - AES-256-GCM encrypted database serialization
- **SQLite Functions** - Custom functions for address derivation and signing

## Quick Start

```bash
make start
```

This single command:

1. Installs dependencies (Go, Bun)
2. Builds the WASM plugin
3. Builds the TypeScript SDK
4. Starts the dev server at http://localhost:8080

## Manual Setup

```bash
make deps   # Install tooling
make build  # Build WASM plugin
make sdk    # Build TypeScript SDK
make dev    # Start dev server
```

## Usage

### TypeScript/ESM

```typescript
import { createEnclave } from '@sonr/motr-enclave';

const enclave = await createEnclave('/enclave.wasm');

// Generate new identity with MPC key share
const result = await enclave.generate(credentialBase64);
// Returns: { did, enclave_id, public_key, accounts, database }

// Load existing database
await enclave.load(database);

// List accounts across all chains
const accounts = await enclave.exec('resource:accounts action:list');

// Sign data with an enclave
const signature = await enclave.exec('resource:enclaves action:sign subject:enclave_id:data_hex');

// Query DID document
const didDoc = await enclave.query();
```

### CLI Testing

```bash
make test-plugin
```

## Plugin Functions

| Function | Input | Output |
|----------|-------|--------|
| `ping` | Message string | Echo response |
| `generate` | WebAuthn credential (base64) | DID, enclave_id, public_key, accounts[], database |
| `load` | Database buffer | Success status, DID |
| `exec` | Filter string | Action result |
| `query` | DID (optional) | DID document |

### Exec Resources & Actions

| Resource | Actions |
|----------|---------|
| `accounts` | list, get, sign |
| `enclaves` | list, get, sign, rotate, archive, delete |
| `credentials` | list, get |
| `sessions` | list, revoke |
| `grants` | list, revoke |
| `delegations` | list, list_received, list_command, get, revoke, verify, cleanup |
| `verification_methods` | list, get, delete |
| `services` | list, get, get_by_id |

### Filter Syntax

```
resource:<resource> action:<action> [subject:<subject>]
```

Examples:

```bash
# List all accounts
resource:accounts action:list

# Get specific account
resource:accounts action:get subject:sonr1abc...

# Sign with enclave
resource:enclaves action:sign subject:enc_123:48656c6c6f

# List delegations by command
resource:delegations action:list_command subject:/vault/read
```

## Architecture

The enclave uses SQLite as a computation engine with custom functions:

| Function | Purpose |
|----------|---------|
| `bip44_derive(pubkey, chain)` | Derive address from public key |
| `bip44_derive_from_enclave(id, chain)` | Derive address from stored enclave |

Supported chains: `sonr` (Cosmos 118), `ethereum` (60), `bitcoin` (0)

## Project Structure

```
motr-enclave/
├── cmd/enclave/          # WASM plugin entry point
├── internal/
│   ├── keybase/          # Database layer + SQLite functions
│   ├── crypto/mpc/       # MPC key operations
│   ├── crypto/ucan/      # UCAN v1.0.0-rc.1 builders
│   └── migrations/       # Schema + queries
├── src/                  # TypeScript SDK
├── dist/                 # Built SDK
├── example/              # Browser demo
└── Makefile
```

## Development

```bash
make test      # Run Go tests
make lint      # Run linter
make clean     # Remove build artifacts
make generate  # Regenerate SQLC code
```

## Documentation

- [AGENTS.md](./AGENTS.md) - Architecture and coding guidelines
- [TODO.md](./TODO.md) - Remaining implementation tasks
- [CHANGELOG.md](./CHANGELOG.md) - Version history
- [MIGRATION.md](./MIGRATION.md) - Original schema design
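The `exec` filter syntax and the resource/action table above are worth validating on the caller's side before a string reaches the plugin, especially when the subject comes from user input. The following is an added example and not part of the motr-enclave SDK or plugin: a parser and a builder for `resource:<resource> action:<action> [subject:<subject>]` strings. The resource/action table is copied from this README; the rule for which actions take a subject and the `<id>:<data_hex>` check for `sign` subjects are assumptions made here for illustration.

```typescript
// Added example, not motr-enclave's own code. Parses and builds exec() filter
// strings of the form "resource:<r> action:<a> [subject:<s>]".

export interface Filter {
  resource: string;
  action: string;
  subject?: string;
}

// Resource -> allowed actions, as documented in the README's Exec table.
export const EXEC_ACTIONS: Record<string, readonly string[]> = {
  accounts: ["list", "get", "sign"],
  enclaves: ["list", "get", "sign", "rotate", "archive", "delete"],
  credentials: ["list", "get"],
  sessions: ["list", "revoke"],
  grants: ["list", "revoke"],
  delegations: ["list", "list_received", "list_command", "get", "revoke", "verify", "cleanup"],
  verification_methods: ["list", "get", "delete"],
  services: ["list", "get", "get_by_id"],
};

// Assumption for this example: collection-wide actions take no subject,
// every other action names one object (list_command takes the command path).
const SUBJECT_FREE: ReadonlySet<string> = new Set(["list", "list_received", "cleanup"]);
const KEYS: ReadonlySet<string> = new Set(["resource", "action", "subject"]);

// Parse and validate a filter string. Tokens are whitespace-separated and each
// is split on its FIRST colon only, so a subject may itself contain colons
// ("enc_123:48656c6c6f") or slashes ("/vault/read").
export function parseFilter(input: string): Filter {
  const fields: Record<string, string> = {};
  for (const tok of input.trim().split(/\s+/).filter(Boolean)) {
    const i = tok.indexOf(":");
    if (i <= 0) throw new Error(`malformed token: ${tok}`);
    const key = tok.slice(0, i);
    const val = tok.slice(i + 1);
    if (!KEYS.has(key)) throw new Error(`unknown key: ${key}`);
    if (key in fields) throw new Error(`duplicate key: ${key}`);
    if (val === "") throw new Error(`empty value for ${key}`);
    fields[key] = val;
  }
  const resource = fields["resource"];
  const action = fields["action"];
  const subject = fields["subject"];
  if (!resource || !action) throw new Error("resource and action are required");
  const actions = EXEC_ACTIONS[resource];
  if (!actions) throw new Error(`unknown resource: ${resource}`);
  if (actions.indexOf(action) < 0) throw new Error(`action ${action} not allowed on ${resource}`);
  const wantsSubject = !SUBJECT_FREE.has(action);
  if (wantsSubject && subject === undefined) throw new Error(`${resource}:${action} requires a subject`);
  if (!wantsSubject && subject !== undefined) throw new Error(`${resource}:${action} takes no subject`);
  if (action === "sign") checkSignSubject(subject as string);
  return subject === undefined ? { resource, action } : { resource, action, subject };
}

// The README gives the sign subject as "<enclave_id>:<data_hex>". The hex part
// must be non-empty and byte-aligned so a malformed payload is rejected locally.
function checkSignSubject(subject: string): void {
  const i = subject.lastIndexOf(":");
  if (i <= 0 || i === subject.length - 1) throw new Error("sign subject must be <id>:<data_hex>");
  if (!/^(?:[0-9a-fA-F]{2})+$/.test(subject.slice(i + 1))) throw new Error("sign data must be even-length hex");
}

// Build a filter string from structured values. Rejecting whitespace in any
// value stops a caller-supplied subject from smuggling in extra "key:value"
// tokens; the result is then round-tripped through parseFilter for the same checks.
export function formatFilter(f: Filter): string {
  const values = [f.resource, f.action, f.subject === undefined ? "" : f.subject];
  for (const v of values) {
    if (/\s/.test(v)) throw new Error(`filter value must not contain whitespace: ${JSON.stringify(v)}`);
  }
  const s = `resource:${f.resource} action:${f.action}` + (f.subject === undefined ? "" : ` subject:${f.subject}`);
  parseFilter(s);
  return s;
}
```

In SDK code, build filters with `formatFilter` from structured values rather than by concatenating strings, so that a subject taken from the UI cannot change the resource or action that ends up in the `exec` call.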