4.1 KiB
4.1 KiB
Motr Enclave
Extism WASM plugin providing encrypted key storage for the Nebula wallet. Built with Go 1.25+ for wasip1 target.
Features
- WebAuthn Integration - Device-bound credentials with PRF key derivation
- MPC Key Shares - Secure threshold signature key storage
- Multi-Chain Support - BIP44 derivation for Sonr, Ethereum, Bitcoin
- UCAN v1.0.0-rc.1 - Capability-based authorization with CID-indexed delegations
- Encryption at Rest - AES-256-GCM encrypted database serialization
- SQLite Functions - Custom functions for address derivation and signing
Quick Start
make start
This single command:
- Installs dependencies (Go, Bun)
- Builds the WASM plugin
- Builds the TypeScript SDK
- Starts the dev server at http://localhost:8080
Manual Setup
make deps # Install tooling
make build # Build WASM plugin
make sdk # Build TypeScript SDK
make dev # Start dev server
Usage
TypeScript/ESM
import { createEnclave } from '@sonr/motr-enclave';
const enclave = await createEnclave('/enclave.wasm');
// Generate new identity with MPC key share
const result = await enclave.generate(credentialBase64);
// Returns: { did, enclave_id, public_key, accounts, database }
// Load existing database
await enclave.load(database);
// List accounts across all chains
const accounts = await enclave.exec('resource:accounts action:list');
// Sign data with an enclave
const signature = await enclave.exec('resource:enclaves action:sign subject:enclave_id:data_hex');
// Query DID document
const didDoc = await enclave.query();
CLI Testing
make test-plugin
Plugin Functions
| Function | Input | Output |
|---|---|---|
ping |
Message string | Echo response |
generate |
WebAuthn credential (base64) | DID, enclave_id, public_key, accounts[], database |
load |
Database buffer | Success status, DID |
exec |
Filter string | Action result |
query |
DID (optional) | DID document |
Exec Resources & Actions
| Resource | Actions |
|---|---|
accounts |
list, get, sign |
enclaves |
list, get, sign, rotate, archive, delete |
credentials |
list, get |
sessions |
list, revoke |
grants |
list, revoke |
delegations |
list, list_received, list_command, get, revoke, verify, cleanup |
verification_methods |
list, get, delete |
services |
list, get, get_by_id |
Filter Syntax
resource:<name> action:<action> [subject:<value>]
Examples:
# List all accounts
resource:accounts action:list
# Get specific account
resource:accounts action:get subject:sonr1abc...
# Sign with enclave
resource:enclaves action:sign subject:enc_123:48656c6c6f
# List delegations by command
resource:delegations action:list_command subject:/vault/read
Architecture
The enclave uses SQLite as a computation engine with custom functions:
| Function | Purpose |
|---|---|
bip44_derive(pubkey, chain) |
Derive address from public key |
bip44_derive_from_enclave(id, chain) |
Derive address from stored enclave |
Supported chains: sonr (Cosmos 118), ethereum (60), bitcoin (0)
Project Structure
motr-enclave/
├── cmd/enclave/ # WASM plugin entry point
├── internal/
│ ├── keybase/ # Database layer + SQLite functions
│ ├── crypto/mpc/ # MPC key operations
│ ├── crypto/ucan/ # UCAN v1.0.0-rc.1 builders
│ └── migrations/ # Schema + queries
├── src/ # TypeScript SDK
├── dist/ # Built SDK
├── example/ # Browser demo
└── Makefile
Development
make test # Run Go tests
make lint # Run linter
make clean # Remove build artifacts
make generate # Regenerate SQLC code
Documentation
- AGENTS.md - Architecture and coding guidelines
- TODO.md - Remaining implementation tasks
- CHANGELOG.md - Version history
- MIGRATION.md - Original schema design