First shot at an macOS AutoFill integration #13051

Open
fberlakovich wants to merge 4 commits into keepassxreboot:develop from fberlakovich:autofill

@fberlakovich

Fixes #6265

Disclaimer: Like explained in #6265 I did use Claude to write 95% of the code (although it took dozens of iterations and manual reading of lots of documentation) + I couldn't really manually test the changes because I don't have an Apple Developer certificate.

This PR adds a native macOS AutoFill Credential Provider to KeePassXC.
Once enabled, Safari and any app that uses the system password AutoFill sheet
can pull credentials directly from an unlocked KeePassXC database without a browser extension.

It consists of two new components that live inside the app bundle:

  • keepassxc-autofill.appex -- the Credential Provider extension itself.
    It implements ASCredentialProviderViewController, presents matching entries
    in a table, and hands the selected credential back to the system.

  • keepassxc-autofill-xpc.xpc -- an XPC service that bridges the
    extension (which runs in its own sandbox) and the main KeePassXC process.
    The main app pushes its credential store to the XPC service whenever databases
    are unlocked, locked, or modified.

Only password credentials are supported for now. Entries without a URL or
password are ignored. The URL matching logic (host + subdomain) mirrors what
the desktop app already does for browser integration.

Building

Standard KeePassXC build, no extra flags. I tried with ldid to embed
entitlements, but codesign with a provisioning profile should actually do it.

cd build
cmake ../src -G Xcode -DWITH_XC_ALL=ON -DCMAKE_BUILD_TYPE=Debug
cmake --build . --target KeePassXC

The build produces the .appex and .xpc bundles automatically and copies
them into the right places inside KeePassXC.app.

Testing Strategy

Unit tests

59 tests cover the URL/host matching utilities:

cmake --build . --target testautofillutils
./tests/Debug/testautofillutils

Manual testing

You need a proper Apple Developer signing identity.

# Register the extension with the system
pluginkit -a src/Debug/KeePassXC.app/Contents/PlugIns/keepassxc-autofill.appex

# Launch the app and unlock a database
open src/Debug/KeePassXC.app

# The extension should now appear in:
#   System Settings -> Passwords -> Password Options -> AutoFill Providers

I never got past this last step, even in a macOS VM with SIP disabled.

Open Safari, visit a site that has a matching entry in your database, click the
password field, and KeePassXC should show up in the AutoFill popover.

Useful debugging commands

# Stream extension logs
log stream --predicate 'subsystem == "org.keepassxc.keepassxc.autofill" OR process == "keepassxc-autofill"'

# Check extension registration
pluginkit -m | grep -i keepass

Limitations

  • Password credentials only (no passkeys, no TOTP).
  • The main app must be running with at least one database unlocked.
  • If the app is locked or closed, the AutoFill sheet shows a message asking you
    to unlock KeePassXC -- it cannot unlock the database itself.
  • Ad-hoc signed builds require ldid for entitlement embedding; standard
    codesign silently drops entitlements without a provisioning profile.

Source layout

src/autofill/
  AutoFill.h / AutoFill.mm        -- Qt-side interface, manages XPC lifecycle
  AutoFillUtils.h                  -- Host matching, URL parsing (header-only, testable from C++)
  AutoFillProviderProtocol.h       -- Protocol the main app implements to provide credentials
  AutoFillXPCProtocol.h            -- XPC interface definition
  AutoFillXPCService.m             -- XPC service implementation
  CredentialProviderViewController.mm -- The extension's UI and credential selection logic
  mac/Info.plist.in                -- Extension Info.plist template
  mac/MacAutoFill.entitlements     -- Required entitlements

tests/
  TestAutoFillUtils.h / .cpp       -- Unit tests for AutoFillUtils

Type of change

  • ✅ New feature (change that adds functionality)
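
The host + subdomain matching mentioned in the PR description, sketched as an added example (not code from this pull request or from KeePassXC). The names `hostFromUrl`, `hostMatches` and `entryMatchesRequest` and the sample URLs are assumptions; the sketch shows why the subdomain check has to land on a label boundary and why userinfo must be stripped before hosts are compared.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical helper (not from the PR): lowercase host of a URL, "" if none.
std::string hostFromUrl(const std::string& url) {
    std::size_t start = url.find("://");
    start = (start == std::string::npos) ? 0 : start + 3;
    std::size_t end = url.find_first_of("/?#", start);  // end of the authority
    std::string authority = url.substr(start, end == std::string::npos ? end : end - start);
    // Drop userinfo: in "https://example.com@evil.test/" the host is evil.test.
    std::size_t at = authority.rfind('@');
    if (at != std::string::npos) authority.erase(0, at + 1);
    // Drop the port (IPv6 literals are out of scope for this sketch).
    std::size_t colon = authority.find(':');
    if (colon != std::string::npos) authority.erase(colon);
    // Normalise: lowercase and strip one trailing dot.
    std::transform(authority.begin(), authority.end(), authority.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!authority.empty() && authority.back() == '.') authority.pop_back();
    return authority;
}

// True when requestHost equals entryHost or is a subdomain of it.
// The suffix must begin at a label boundary ('.'); a plain suffix compare
// would let "notexample.com" match an entry stored for "example.com".
bool hostMatches(const std::string& entryHost, const std::string& requestHost) {
    if (entryHost.empty() || requestHost.empty()) return false;
    if (entryHost == requestHost) return true;
    if (requestHost.size() <= entryHost.size()) return false;
    std::size_t offset = requestHost.size() - entryHost.size();
    return requestHost.compare(offset, entryHost.size(), entryHost) == 0
        && requestHost[offset - 1] == '.';
}

// Compare the stored entry URL against the URL the AutoFill request is for.
bool entryMatchesRequest(const std::string& entryUrl, const std::string& requestUrl) {
    return hostMatches(hostFromUrl(entryUrl), hostFromUrl(requestUrl));
}

int main() {
    // Constructed sample inputs: prints "1 0".
    std::printf("%d ", entryMatchesRequest("https://example.com", "https://login.example.com/"));
    std::printf("%d\n", entryMatchesRequest("https://example.com", "https://notexample.com/"));
    return 0;
}
```

An entry whose host is itself a public suffix would still match every site beneath it; this sketch does not consult the Public Suffix List.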

Implement a native macOS Credential Provider extension that allows
Safari and other apps to pull credentials from unlocked KeePassXC
databases via the system AutoFill framework.

Components:
- keepassxc-autofill.appex: Credential Provider extension implementing
  ASCredentialProviderViewController with a table-based credential picker
- keepassxc-autofill-xpc.xpc: XPC service bridging the sandboxed
  extension and the main KeePassXC process
- AutoFill class (Qt-side): manages XPC lifecycle, identity store
  refresh, and database change monitoring

The build assumes a valid Apple Developer signing identity and
provisioning profile. The extension appears in System Settings >
Passwords > AutoFill Passwords once properly signed and registered.

Only password credentials are supported. The main app must be running
with at least one database unlocked.
@phoerious added the labels platform: macOS, feature: Auto-Type, and pr: ai-assisted (Pull request contains significant contributions by generative AI) on Feb 11, 2026
@phoerious
Member

That's a lot of code for a seemingly simple feature. But thanks, I'll check it when I find the time.

@phoerious changed the title from "First shot at an AutoFill integration" to "First shot at an macOS AutoFill integration" on Feb 11, 2026
@fberlakovich
Author

> That's a lot of code for a seemingly simple feature. But thanks, I'll check it when I find the time.

Agree, a lot of the complexity comes from the KeePassXC app and the macOS extension communicating via an XPC service.

Strongbox, afaict, uses a unix domain socket (see https://github.com/strongbox-password-safe/Strongbox/blob/master/macbox/autofill-proxy/AutoFillProxyClient.m and https://github.com/strongbox-password-safe/Strongbox/blob/master/macbox/autofill-proxy/AutoFIllRequestHandler.swift), but follows a similar client-server architecture for AutoFill.
Bitwarden also uses some sort of IPC (see https://github.com/bitwarden/clients/blob/main/apps/desktop/macos/autofill-extension/CredentialProviderViewController.swift), but not sure what exactly.

@michaelk83

This is one PR which you probably don't want to write with AI:

  • Security-sensitive (not the central DB security, but still handles sensitive data for the auto-fill).
  • Hundreds of lines of code that could hide less-than-obvious errors.

Even if this is thoroughly reviewed (which I assume it will be), it can attract a lot of negative response (or slip in potentially risky bugs, which is worse).

@phoerious
Member

phoerious commented Feb 11, 2026

We'll use it as a start and see what we can keep and what we must throw away. This will certainly need a lot of editing, but I'll have to study the code first. I would trust a human PR of this complexity as little as this one. At the moment, the tests don't even pass.

@fberlakovich
Author

The latest changes should fix the failing test and remove some of the clutter introduced during my local troubleshooting.

Labels

feature: Auto-Type platform: macOS pr: ai-assisted Pull request contains significant contributions by generative AI

Development

Successfully merging this pull request may close these issues.

Adding AutoFill extension support for Mac OS Big Sur

3 participants