feat: add GCP signer integration (#29)

* feat: add GCP signer integration

---------

Co-authored-by: amilz <85324096+amilz@users.noreply.github.com>

Author: nasjuice

.env.example

@@ -28,4 +28,8 @@ your-rsa-4096-private-key-here
 -----END PRIVATE KEY-----"
 FIREBLOCKS_VAULT_ACCOUNT_ID=0
 # FIREBLOCKS_ASSET_ID=SOL  # Optional, defaults to SOL (use SOL_TEST for devnet)
-# FIREBLOCKS_API_BASE_URL=https://api.fireblocks.io  # Optional, defaults to this
+# FIREBLOCKS_API_BASE_URL=https://api.fireblocks.io  # Optional, defaults to this
+
+# GCP KMS Integration Tests (uses Application Default Credentials)
+GCP_KMS_KEY_NAME=projects/your-project/locations/us-east1/keyRings/your-keyring/cryptoKeys/your-key/cryptoKeyVersions/1
+GCP_KMS_SIGNER_PUBKEY=YourSolanaPublicKeyBase58Here

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       matrix:
         sdk_version: [v2, v3]
-        backend: [memory, vault, privy, turnkey, all]
+        backend: [memory, vault, privy, turnkey, aws_kms, fireblocks, gcp_kms, all]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -37,10 +37,15 @@ jobs:
     strategy:
       matrix:
         sdk_version: [v2, v3]
-        test: [test_privy_integration, test_turnkey_integration, test_fireblocks_integration]
+        test: [test_privy_integration, test_turnkey_integration, test_fireblocks_integration, test_gcp_kms_integration]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
+      - name: Setup GCP credentials
+        if: matrix.test == 'test_gcp_kms_integration'
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
       - name: Run ${{ matrix.test }} with SDK ${{ matrix.sdk_version }}
         env:
           PRIVY_APP_ID: ${{ secrets.PRIVY_APP_ID }}
@@ -54,6 +59,8 @@ jobs:
           FIREBLOCKS_API_KEY: ${{ secrets.FIREBLOCKS_API_KEY }}
           FIREBLOCKS_PRIVATE_KEY_PEM: ${{ secrets.FIREBLOCKS_PRIVATE_KEY_PEM }}
           FIREBLOCKS_VAULT_ACCOUNT_ID: ${{ secrets.FIREBLOCKS_VAULT_ACCOUNT_ID }}
+          GCP_KMS_KEY_NAME: ${{ secrets.GCP_KMS_KEY_NAME }}
+          GCP_KMS_SIGNER_PUBKEY: ${{ secrets.GCP_KMS_SIGNER_PUBKEY }}
           SOLANA_RPC_URL: https://api.devnet.solana.com
         run: |
           if [ "${{ matrix.sdk_version }}" = "v2" ]; then

CLAUDE.md

@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-`solana-keychain` is a Rust library providing a unified interface for signing Solana transactions across multiple backend implementations. The architecture centers around a single `SolanaSigner` trait that abstracts over four different signing backends: Memory (local keypairs), Vault (HashiCorp), Privy, and Turnkey.
+`solana-keychain` is a Rust library providing a unified interface for signing Solana transactions across multiple backend implementations. The architecture centers around a single `SolanaSigner` trait that abstracts over seven different signing backends: Memory (local keypairs), Vault (HashiCorp), Privy, Turnkey, AWS KMS, Fireblocks, and GCP KMS.
 
 ## Common Commands
 
@@ -24,6 +24,9 @@ cd rust && cargo test --features memory
 cd rust && cargo test --features vault
 cd rust && cargo test --features privy
 cd rust && cargo test --features turnkey
+cd rust && cargo test --features aws_kms
+cd rust && cargo test --features fireblocks
+cd rust && cargo test --features gcp_kms
 
 # Run a single test
 cd rust && cargo test test_name --all-features
@@ -136,6 +139,23 @@ All signers follow a consistent pattern but differ in where keys are stored:
    - Response contains r,s signature components that must be padded to 32 bytes each
    - Availability checked via `whoami` endpoint
 
+5. **AWS KMS** ([rust/src/aws_kms/mod.rs](rust/src/aws_kms/mod.rs))
+   - Uses AWS SDK with EdDSA (Ed25519) signing
+   - Automatic credential discovery via environment or IAM
+   - Availability checked via `DescribeKey`
+
+6. **FireblocksSigner** ([rust/src/fireblocks/mod.rs](rust/src/fireblocks/mod.rs))
+   - Uses Fireblocks API with EdDSA (Ed25519) signing
+   - Requires `init()` to fetch public key before use
+   - JWT-based authentication
+   - Availability checked via user details endpoint
+
+7. **GCP KMS** ([rust/src/gcp_kms/mod.rs](rust/src/gcp_kms/mod.rs))
+   - Uses Google Cloud SDK with EdDSA (Ed25519) signing
+   - PureEdDSA mode with `EC_SIGN_ED25519` algorithm
+   - Automatic credential discovery via ADC
+   - Availability checked via `GetCryptoKeyVersion`
+
 ### Error Handling
 
 All errors are centralized in [rust/src/error.rs](rust/src/error.rs) using `thiserror`. The `SignerError` enum covers key formats, signing failures, remote API errors, serialization, and configuration issues.
@@ -147,21 +167,29 @@ The library uses Cargo features for zero-cost abstraction:
 - `vault` - Adds VaultSigner with reqwest, vaultrs, base64
 - `privy` - Adds PrivySigner with reqwest, base64
 - `turnkey` - Adds TurnkeySigner with reqwest, base64, p256, hex, chrono
+- `aws_kms` - Adds KmsSigner with aws-sdk-kms
+- `fireblocks` - Adds FireblocksSigner with reqwest, jsonwebtoken
+- `gcp_kms` - Adds GcpKmsSigner with google-cloud-kms-v1, google-cloud-auth
 - `all` - Enables all backends
 
 At least one feature must be enabled (enforced by `compile_error!` in lib.rs).
 
 ## Testing
 
-Tests are co-located with implementation code in each module. Remote signers (Vault, Privy, Turnkey) use `wiremock` to mock HTTP endpoints, avoiding actual API calls during testing. Tests cover:
+Tests are co-located with implementation code in each module. Remote signers (Vault, Privy, Turnkey, AWS, Fireblocks, GCP) use `wiremock` to mock HTTP endpoints, avoiding actual API calls during testing. Tests cover:
 - Constructor validation (invalid keys, etc.)
 - Successful signing operations
 - Error cases (unauthorized, malformed responses)
 - Availability checks
 
 Run specific backend tests:
 ```bash
+cd rust && cargo test --features vault vault::tests
 cd rust && cargo test --features privy privy::tests
+cd rust && cargo test --features turnkey turnkey::tests
+cd rust && cargo test --features aws_kms aws_kms::tests
+cd rust && cargo test --features fireblocks fireblocks::tests
+cd rust && cargo test --features gcp_kms gcp_kms::tests
 ```
 
 ## Key Implementation Notes
@@ -170,5 +198,7 @@ cd rust && cargo test --features privy privy::tests
 - Privy and Turnkey use Base64 encoding for payloads/responses
 - Vault uses Base64 for both input and output
 - Turnkey requires special handling for signature component padding (see [rust/src/turnkey/mod.rs:125-136](rust/src/turnkey/mod.rs))
-- PrivySigner must call `init()` before use; other signers are ready after construction
+- PrivySigner and FireblocksSigner must call `init()` before use; other signers are ready after construction
+- AWS KMS and GCP KMS use official cloud SDKs with automatic credential discovery
+- GCP KMS operates in PureEdDSA mode with `EC_SIGN_ED25519` algorithm
 - The unified `Signer` enum uses conditional compilation extensively with `#[cfg(feature = "...")]`

rust/Cargo.toml

@@ -24,7 +24,8 @@ fireblocks = [
     "dep:hex",
     "dep:chrono",
 ]
-all = ["memory", "vault", "privy", "turnkey", "aws_kms", "fireblocks"]
+gcp_kms = ["dep:google-cloud-kms-v1", "dep:google-cloud-auth", "dep:reqwest"]
+all = ["memory", "vault", "privy", "turnkey", "aws_kms", "fireblocks", "gcp_kms"]
 
 # SDK version selection (mutually exclusive)
 sdk-v2 = ["dep:solana-sdk"]
@@ -62,6 +63,8 @@ aws-config = { version = "1.1.7", optional = true }
 jsonwebtoken = { version = "10.2", optional = true, features = ["rust_crypto"] }
 sha2 = { version = "0.10.9", optional = true }
 uuid = { version = "1.19", optional = true, features = ["v4"] }
+google-cloud-kms-v1 = { version = "1.3.0", optional = true }
+google-cloud-auth = { version = "1.4.0", optional = true }
 
 # Core dependencies (used by all signers for transaction serialization)
 bincode = "1.3"
@@ -74,3 +77,5 @@ rand = "0.8.0"
 dotenvy = "0.15.7"
 litesvm = "0.7.0"
 litesvm-v3 = { package = "litesvm", version = "0.8.1" }
+serial_test = "3.3.1"
+scoped-env = "2.1"