feat(app): LaunchDaemon mode with SMAppService XPC privileged helper

[martinmarsian]

Summary

This PR adds LaunchDaemon support to WiredServerApp, allowing the Wired 3 server to run as a system service that starts at boot — independently of any user session. The centrepiece is a new WiredServerHelper privileged XPC tool installed via SMAppService.daemon, which eliminates the need for password prompts or Touch ID for any admin operation.

---

What's included

1. WiredServerHelper — new SMAppService XPC daemon target

A new WiredServerHelper SPM executableTarget (Sources/WiredServerHelper/) is a lightweight privileged XPC helper that the app installs once via SMAppService. It handles every operation that requires elevated access:

XPC method	What it does
createSystemDirectory	Creates /Library/Wired3/ with correct ownership
migrateDataToSystemDirectory	Copies user data to /Library/Wired3/ (upgrade path)
writeLaunchDaemonPlist / removeLaunchDaemonPlist	Manages /Library/LaunchDaemons/fr.read-write.WiredServer3.plist
startDaemon / stopDaemon	Calls launchctl bootstrap/bootout
reloadDaemonConfig	Sends SIGHUP to the running daemon process
runFDACheck	Tests read access to the files directory from the helper's context
setPosixPermissions	Sets ownership/mode on server-managed paths
getDaemonPid	Reads the PID file as the privileged user

The helper's launchd plist is embedded in the Mach-O __TEXT __info_plist section (via linkerSettings in Package.swift) so SMD can read MachServices and SMAuthorizedClients without a separate file on disk.

Signing note: SMAuthorizedClients and SMPrivilegedExecutables use Team ID VGB467J8DZ. The helper binary must be signed with the same Team ID and placed under Contents/Library/LaunchServices/ in the app bundle — standard Xcode project setup.

2. HelperConnection — async/await XPC lifecycle manager

Sources/WiredServerApp/HelperConnection.swift manages the full SMAppService lifecycle: detects whether the helper is installed, installs/upgrades it automatically, and exposes all XPC calls as async throws functions. A version mismatch triggers an automatic reinstall.

3. LaunchDaemon mode in the app

• New installMode preference: .launchAgent (default, unchanged behaviour) or .launchDaemon (new).
• In daemon mode, data lives at /Library/Wired3/; a one-time migration copies existing user data.
• New Advanced settings pane: mode toggle, daemon user/group fields, Full Disk Access status + re-check, daemon start/stop controls.
• GeneralTabView simplified — no duplicate controls.
• External-volume warning when the files directory is on a volume that may not be mounted at boot.

4. Touch ID removed

Touch ID was added before the XPC helper as a workaround for password prompts. With the helper in place it is entirely obsolete and has been removed.

5. ServerIdentity — world-readable .pub companion file

On key generation or first load, wired-identity.pub (0644) is written alongside the private key (0600), containing the raw 64-byte P256 public key. New fingerprintFromPublicKeyFile(at:) lets the GUI read the fingerprint as a different OS user (logged-in user vs. _wired daemon) without accessing the private key.

6. Localisation

~55 new keys in en, de, and fr Localizable.strings for all new UI strings.

---

Test plan

• Build: both WiredServerApp and WiredServerHelper targets compile cleanly
• LaunchAgent mode (default): start/stop works as before — no regression
• LaunchDaemon mode: toggle in Advanced, migrate data, confirm server starts at boot as _wired
• Helper version bump: increment kHelperVersion, confirm automatic reinstall
• FDA check: verify status row with and without Full Disk Access granted
• .pub file: delete it, restart server, confirm re-created with 0644
• Fingerprint display: in daemon mode (different user), fingerprint shows via .pub
• Localisations: switch to DE and FR, verify no missing strings

🤖 Generated with Claude Code

[nark]

Hi @nark,

just a heads-up: I've reorganized all my open pull requests. I noticed you're using an automated Claude review system, so I wanted to make sure each PR is clean, atomic, and easy to review — one logical unit per PR, all based on current main.

The older PRs (#77, #81, #83, #84, #94, #95) were getting messy and hard to review, so I closed them and replaced them with six focused PRs (#98–#103).

I'm sorry if this caused a flood of GitHub notifications — that wasn't my intention, and I appreciate your patience!

Hi @martinmarsian,

Thank you for cleaning this up — the cleaner it is, the easier the review will be.

And yes, I’m currently trying to automate part of the process using AI to prepare the review work and make things easier to move forward. It’s still not working as smoothly as I’d like, though, so I’m running a few tests at the moment. Sorry for the noise caused by all the PR open/close notifications.

[github-actions]

Claude finished @nark's task in 2m 49s —— View job

---

Review PR #103 — feat(app): LaunchDaemon mode with SMAppService XPC privileged helper

• Read context and key files
• Security analysis: XPC helper, privileged operations, paths
• Protocol compatibility analysis (wired.xml, COMPATIBILITY.md)
• General quality and Swift code review
• Wrote the final review

---

Hey @martinmarsian, nice PR! The XPC architecture is clean, the helper is well isolated, and parameter validation on the root side is solid. Here is my feedback.

---

🔴 Blocking

try! in ServerIdentity.signWithIdentity(data:) — daemon crash risk

Sources/WiredSwift/Crypto/ServerIdentity.swift:44:

let signature = try! privateKey.signature(for: data)

P256.Signing.PrivateKey.signature(for:) can throw in CryptoKit (failing secure element, OOM, etc.). A try! will crash the whole process — and this is the production daemon. The function already returns Data?, so the fix is immediate:

guard let sig = try? privateKey.signature(for: data) else { return nil }
return sig.rawRepresentation

Fix this →

---

🟡 Should fix

1. Info.plist version (5) ≠ kHelperVersion (6) — version mismatch

Sources/WiredServerHelper/Info.plist:7 has CFBundleVersion = 5 while kHelperVersion = "6" in WiredHelperProtocol.swift:4. SMAppService uses the bundle version to detect helper changes: without bumping it, launchd will not auto-replace the existing binary. These need to stay in sync.
Fix this →

2. deactivateDaemon always returns (true, "") even on error

Sources/WiredServerHelper/HelperDelegate.swift:175 — all intermediate commands (launchctl bootout, dscl -delete, chown -R) are invoked with @discardableResult and their errors are ignored. If dscl -delete fails (user already removed, or insufficient rights), the function still reports success. The caller deactivateDaemon in HelperConnection therefore cannot detect a partial deactivation.

3. Race condition when writing the private key

Sources/WiredSwift/Crypto/ServerIdentity.swift:74-79: Data.write(to:options:.atomic) first creates a temp file with permissions inherited from the umask (often 0644 on macOS), then setAttributes([.posixPermissions: 0o600]) is called separately. There is a brief window during which the private key is world-readable. The correct mitigation is to set permissions before writing, or to use a file descriptor opened with O_EXCL | O_CREAT and the right permissions from the start.

---

💡 Suggestions / questions

4. connectKeyExchange hardcodes false for isNewKey

Sources/WiredSwift/P7/P7Socket.swift:1382:

if !trustHandler(fp, false, strictIdentity) {

The isNewKey parameter of serverTrustHandler is documented as "true on the first connection" but is always false. The handler has to manage that logic itself via its own TOFU store — so the API is misleading. This is not a security bug (the ECDSA verification stays correct) but it deserves a clarifying comment or a reply here.

5. stopDaemon — pkill -x wired3 kills every wired3 process

Sources/WiredServerHelper/HelperDelegate.swift:79: killing by process name can affect unrelated wired3 instances. Prefer killing by PID (via the PID file) when available.

6. copyBinary without code-signature verification

Sources/WiredServerHelper/HelperDelegate.swift:216-232: the source is only validated by absolute path with no ... The validity (code signing, expected hash) of the binary copied to /Library/Wired3/bin/wired3 is not checked. This is acceptable under the current trust model (only the app signed with the right Team ID can call the helper), but worth documenting.

---

✨ Nice work

• Defensive XPC validation: isValidAccount, isValidLabel, mandatory path prefixes (/Library/, /Library/LaunchDaemons/) — excellent for a helper running as root.
• Anti-enumeration: the dummy password UUID().uuidString.sha256() for non-existent accounts (P7Socket:1649) is a good practice.
• Handshake timeouts: handshakeTimeout = 30s with enforceDeadline: true on every critical step — prevents thread-pool exhaustion.
• Touch ID removal: the workaround is cleanly dropped, replaced by the XPC architecture that makes it obsolete.
• wired-identity.pub (0644): elegant design for letting the GUI user display the fingerprint without exposing the private key to the daemon.
• Protocol compatibility: every new wired.xml entry carries version="3.2", the root version is bumped, the CompatibilityTests.swift tests are in place — COMPATIBILITY.md is respected.
• CompatibilityDiff: clean architecture for handling drift between minor versions without breaking sessions.
• Wired 2.5 → 3 migration: well documented, with a clear warning about the SHA1 → SHA256 issue.

---

Great work overall @martinmarsian — the try! is the only real blocker, the rest is robustness polish. Once that's sorted, this PR is in great shape.

[nark]

@martinmarsian sorry if some of the email notifications came through in French — everything has been translated to English on GitHub now.

[martinmarsian]

Merge note for maintainer: This PR includes the snapshot trigger functionality from PR #102 (feat/snapshot-sigusr2) and extends it with XPC helper support for LaunchDaemon mode. If you merge both PRs, you will get a merge conflict in Tabs.swift and WiredServerViewModel.swift.

Resolution: keep the triggerManualSnapshot() implementation from this PR (PR #103) and discard the triggerSnapshotNow() from PR #102. The triggerManualSnapshot() function is a superset — it sends SIGUSR2 directly in app-mode and delegates to the XPC helper in daemon-mode.

In Tabs.swift keep the HStack with the inline confirmation text (from this PR); in WiredServerViewModel.swift keep triggerManualSnapshot() + flashSnapshotConfirmed() and remove triggerSnapshotNow().

Suggested merge order: #102 first, then #103 (so git sees #103 as the later, superseding change).

[martinmarsian]

Note on the Claude PR Review workflow: The claude-review.yml from this PR is now in your repo but the CLAUDE_CODE_OAUTH_TOKEN secret isn't configured there, which is why every PR triggers a failing CI run.

To fix this you have two options:

1. Configure the secret — go to your repo → Settings → Secrets and variables → Actions → New repository secret, name it CLAUDE_CODE_OAUTH_TOKEN, and paste a valid Claude Code OAuth token (requires a Claude Pro or Teams subscription at claude.ai).

2. Remove the workflow — if you don't want automated Claude reviews, simply delete .github/workflows/claude-review.yml and .github/workflows/claude.yml from your repo.

Sorry for the noise — I should have flagged this before submitting the PR.

[martinmarsian]

Follow-up on the Claude review findings — all flagged items have been addressed in commits pushed after the review ran.

Issue	Status	Commit
🔴 try! in ServerIdentity.signWithIdentity(data:)	✅ Fixed — replaced with guard let sig = try? …	b620b7d
🟡 Info.plist CFBundleVersion 5 ≠ kHelperVersion 6	✅ Fixed — both now "6"	b620b7d
🟡 Race condition — private key briefly world-readable	✅ Fixed — FileManager.createFile sets 0600 at inode creation	1ff9bf1
🟡 deactivateDaemon always returns (true, "")	✅ Improved — returns (false, …) when launchctl bootout fails with the job still registered; dscl exits are logged	1ff9bf1

The automated re-review can't fire (the CLAUDE_CODE_OAUTH_TOKEN secret isn't configured on this repo), so leaving this note manually. The branch is ready for another look when you get the chance.