Replace dev_key_service with TEE worker for omni-anchored EVM keypair derivation

[hanwencheng]

Background

Per Stage 7 design (#64) and aligned with the Wildmeta omni_account + TEE-signer pattern, the daemon's auth flow should converge on:

• One user-facing identity (email / OAuth2) → omni_account anchor
• Server-derived EVM wallet per omni_account (deterministic, never leaves the trust boundary)
• No local key management by the operator — recovery via re-authenticating any linked identity in IdentityLinkStore

The pieces in place today:

• omni_account = sha256(client_id || identity_type || identity_value) (identity/omni_account.rs)
• Multi-identity linking + recovery (storage/identity_links.rs, handlers/wallet/recover_lookup.rs)
• SIWE / email-link / OAuth2 verifiers (broker auth plug-ins)

The missing piece: a custodial signer that derives a keypair from omni_account and signs SIWE challenges on the user's behalf so the daemon never needs a local secp256k1 key.

Step 1 (this issue's first deliverable) — dev_key_service in mock-server

Ship a development-only signer module in crates/agentkeys-mock-server with the exact wire shape the eventual TEE worker will use, gated by env so production builds reject it.

Module

• crates/agentkeys-mock-server/src/dev_key_service.rs
  • Loads master secret from \$DEV_KEY_SERVICE_MASTER_SECRET (32-byte hex). Refuse to enable if absent.
  • derive_keypair(omni_account) -> (secret_key, eth_address) via HKDF-SHA256 with info = "agentkeys-evm-wallet-v1:" || omni_account.
  • sign_eip191(omni_account, message) -> Signature.
  • Strong "DEV ONLY — replace with TEE" warnings in the file header + every public method.

Endpoints (env-gated, return 503 if DEV_KEY_SERVICE_MASTER_SECRET unset)

• POST /dev/derive-address — body { omni_account } → { address }
• POST /dev/sign-message — body { omni_account, message_hex } → { signature }

Daemon integration

Update crates/agentkeys-daemon/src/main.rs to use the new flow:

1. Operator authenticates via email/OAuth2 → broker mints session JWT for omni_email
2. Daemon calls backend /dev/derive-address with omni_email → derived EVM address
3. Daemon calls broker /v1/wallet/link (auth: omni_email session JWT) to register the derived address
4. Per-mint: daemon calls broker /v1/auth/wallet/start(derived_addr) → SIWE message
5. Daemon calls backend /dev/sign-message(omni_email, siwe_message) → signature
6. Daemon calls broker /v1/auth/wallet/verify → session JWT for omni_evm
7. Daemon calls broker /v1/mint-oidc-jwt → OIDC JWT → AssumeRoleWithWebIdentity → AWS temp creds

The signer call (step 5) is direct daemon → backend, mirroring the eventual daemon → TEE attested channel.

Removes

• agentkeys init --mock-token legacy bootstrap (replaced by email/OAuth2 + auto-derive)
• /v1/auth/exchange legacy bearer shim (no caller after daemon migrates)
• Broker → backend /session/validate round-trip (no caller after exchange shim deletes)

Step 2 (follow-up issue) — Replace dev_key_service with TEE worker

Same wire surface (/dev/* endpoints become /tee/* or stay), real TEE backing:

• Master secret generated inside the enclave at first boot, sealed-data persisted
• Remote attestation so daemon can verify the worker is genuine before sending omni → key derivation requests
• Logs every signing operation with omni_account + message hash, no secret material

When TEE lands: dev_key_service.rs deletes; routing flips to TEE worker URL via env var; zero changes to daemon or broker.

Out of scope

• Threshold signing for high-value omni_accounts
• Master-secret rotation policy
• Multi-region TEE replication
• Production gating of DEV_KEY_SERVICE_MASTER_SECRET (compile-time cfg(not(production)) could come later)

References

• Branch landing the prereq architecture: Stage 7 — pluggable broker live deploy + OIDC-only auto-provision (issue #64, #71 Option A) #73
• Stage 7 broker live deploy: Stage 7: explore zero-Heima broker architecture (Option C — pluggable attestation + audit, recommend new branch) #64
• OIDC-only auto-provision: broker: mint-aws-creds is broken after cloud-setup §4 federation lands #71
• Wildmeta omni_account + TEE design (informal reference)

[hanwencheng]

CEO review — scope decisions captured

Plan reviewed in SELECTIVE EXPANSION mode (docs/spec/plans/issue-74-dev-key-service-plan.md, commit bf76588 on evm).

Accepted into scope (6 of 8 surfaced expansions):

1. docs/spec/signer-protocol.md v0 wire contract — both dev_key_service and TEE worker conform; TEE swap becomes mechanical
2. Versioned HKDF derivation ([0x01] || "agentkeys-evm-wallet" || omni_account) — future master-secret rotation doesn't require re-deriving every linked wallet
3. Audit-log row on agentkeys init — day-1 observability for the new auth surface
4. agentkeys whoami CLI command — operator UX for the multi-identity + derived-wallet world
5. TEE-stub integration test — wire-shape-as-swap-point becomes a tested invariant
6. Hard cut of agentkeys init --mock-token flag in this PR (no deprecation runway)

Skipped:

• Feature-flag gating instead of env-var gating — env-var gating retained per current plan
• Short-lived session JWT + refresh flow — long TTL acceptable for current single-operator demo; revisit when team expands

Revised effort: 600 → 830 LOC, +1 design doc, +1 CLI command, +1 conformance-test infra. Human-team ~5 days; CC+gstack ~5 hours.

Blocked on: PR #73 merge (broker prerequisite work). Once #73 lands, this issue becomes the next branch's working scope.