Step 25: Real FIDO2 hardware key support.

HardwareFIDO2 implements FIDO2Device via go-libfido2 (CGo bindings to Yubico's libfido2). Gated behind //go:build fido2 tag to keep default builds CGo-free. Nix flake adds sgard-fido2 package variant. CLI changes: --fido2-pin flag, unlockDEK helper tries FIDO2 first, add-fido2/encrypt init --fido2 use real hardware, auto-unlock added to restore/checkpoint/diff for encrypted entries. Tested manually: add-fido2, add --encrypt, restore, checkpoint, diff all work with hardware FIDO2 key (touch-to-unlock, no passphrase). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 12:40:46 -07:00
parent 5529fff649
commit 490db0599c
17 changed files with 358 additions and 34 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -15,11 +15,11 @@
        packages = {
          sgard = pkgs.buildGoModule {
            pname = "sgard";
-            version = "2.0.0";
+            version = "2.1.0";
            src = pkgs.lib.cleanSource ./.;
            subPackages = [ "cmd/sgard" "cmd/sgardd" ];

-            vendorHash = "sha256-0YpP1YfpAIAgY8k+7DlWosYN6MT5a2KLtNhQFvKT7pM=";
+            vendorHash = "sha256-0aGo5EbvPWt9Oflq+GTq8nEBUWZj3O5Ni4Qwd5EBa7Y=";

            ldflags = [ "-s" "-w" ];

@@ -29,6 +29,26 @@
            };
          };

+          sgard-fido2 = pkgs.buildGoModule {
+            pname = "sgard-fido2";
+            version = "2.1.0";
+            src = pkgs.lib.cleanSource ./.;
+            subPackages = [ "cmd/sgard" "cmd/sgardd" ];
+
+            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+
+            buildInputs = [ pkgs.libfido2 ];
+            nativeBuildInputs = [ pkgs.pkg-config ];
+            tags = [ "fido2" ];
+
+            ldflags = [ "-s" "-w" ];
+
+            meta = {
+              description = "Shimmering Clarity Gardener: dotfile management (with FIDO2 hardware support)";
+              mainProgram = "sgard";
+            };
+          };
+
          default = self.packages.${system}.sgard;
        };

@@ -39,6 +59,8 @@
            protobuf
            protoc-gen-go
            protoc-gen-go-grpc
+            libfido2
+            pkg-config
          ];
        };
      }