feat: support age plugin recipients in seal (enables age-plugin-se on macOS)

Adds --recipient flag to 'botlockbox seal' that accepts an age public key
string directly (e.g. age1se1q... from age-plugin-se). age.ParseRecipients
handles both X25519 (age1...) and plugin (age1se1...) keys, so sealing
to a Secure Enclave key no longer requires the private key material at
seal time.

--identity still works for X25519 keys (derives recipient from the key).
Exactly one of --identity or --recipient is required; providing both or
neither is an error. The resolution logic is extracted into resolveRecipient.

SE workflow on macOS (--access-control none gives machine binding without
Touch ID prompts at runtime):
  age-plugin-se keygen --access-control none -o ~/.botlockbox/identity.txt
  botlockbox seal --config ... --recipient age1se1q...
  botlockbox serve --config ... --identity ~/.botlockbox/identity.txt

Also adds:
- contrib/com.trodemaster.botlockbox.plist: launchd user-session agent
  example with PATH including Homebrew bin for age-plugin-se
- integration.yml: exercises --recipient path using public key extracted
  from age-keygen identity file comment alongside existing --identity test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: trodemaster

.github/workflows/integration.yml

@@ -49,7 +49,8 @@ jobs:
                   Authorization: "Bearer {{secrets.github_token}}"
           EOF
 
-      - name: Seal GITHUB_TOKEN into secrets.age
+      # Seal via --identity (X25519 path).
+      - name: Seal GITHUB_TOKEN into secrets.age via --identity
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -58,6 +59,19 @@ jobs:
                 --config /tmp/botlockbox.yaml \
                 --identity /tmp/identity.txt
 
+      # Seal via --recipient (plugin-key path, used with age-plugin-se on macOS).
+      # age-keygen writes "# public key: age1..." as a comment; extract it and
+      # re-seal using the public key string directly.
+      - name: Seal GITHUB_TOKEN into secrets.age via --recipient
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PUBKEY=$(grep '# public key:' /tmp/identity.txt | awk '{print $NF}')
+          printf 'github_token: "%s"\n' "$GITHUB_TOKEN" \
+            | ./bin/botlockbox seal \
+                --config /tmp/botlockbox.yaml \
+                --recipient "$PUBKEY"
+
       # -----------------------------------------------------------------------
       # Start proxy
       # -----------------------------------------------------------------------

cmd/botlockbox/seal.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"filippo.io/age"
@@ -18,16 +19,18 @@ import (
 func runSeal(args []string) {
 	fs := flag.NewFlagSet("seal", flag.ExitOnError)
 	configPath := fs.String("config", "botlockbox.yaml", "path to botlockbox.yaml")
-	identityPath := fs.String("identity", "", "path to age identity file (required)")
+	identityPath := fs.String("identity", "", "path to age X25519 identity file (derives recipient from key)")
+	recipientStr := fs.String("recipient", "", "age recipient public key string (use for plugin keys such as age-plugin-se, e.g. age1se1q...)")
 	fs.Usage = func() {
 		fmt.Fprintln(os.Stderr, "Usage: botlockbox seal [flags]")
 		fmt.Fprintln(os.Stderr, "Reads secrets from stdin as YAML (key: value pairs) and seals them.")
+		fmt.Fprintln(os.Stderr, "Exactly one of --identity or --recipient is required.")
 		fs.PrintDefaults()
 	}
 	fs.Parse(args)
 
-	if *identityPath == "" {
-		fmt.Fprintln(os.Stderr, "error: --identity is required")
+	if (*identityPath == "") == (*recipientStr == "") {
+		fmt.Fprintln(os.Stderr, "error: exactly one of --identity or --recipient is required")
 		fs.Usage()
 		os.Exit(1)
 	}
@@ -77,30 +80,11 @@ func runSeal(args []string) {
 		os.Exit(1)
 	}
 
-	// Parse age identity to get the recipient.
-	identityFile, err := os.Open(*identityPath)
+	recipient, err := resolveRecipient(*identityPath, *recipientStr)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error opening identity file: %v\n", err)
+		fmt.Fprintf(os.Stderr, "error resolving recipient: %v\n", err)
 		os.Exit(1)
 	}
-	defer identityFile.Close()
-
-	identities, err := age.ParseIdentities(identityFile)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error parsing age identities: %v\n", err)
-		os.Exit(1)
-	}
-	if len(identities) == 0 {
-		fmt.Fprintln(os.Stderr, "error: no identities found in identity file")
-		os.Exit(1)
-	}
-
-	xi, ok := identities[0].(*age.X25519Identity)
-	if !ok {
-		fmt.Fprintln(os.Stderr, "error: identity is not an X25519 key")
-		os.Exit(1)
-	}
-	recipient := xi.Recipient()
 
 	// Ensure parent directory exists.
 	if err := os.MkdirAll(filepath.Dir(cfg.SecretsFile), 0700); err != nil {
@@ -138,3 +122,38 @@ func runSeal(args []string) {
 	fmt.Printf("Secrets sealed to %s\n", cfg.SecretsFile)
 	fmt.Printf("Config set to read-only (0444): %s\n", *configPath)
 }
+
+// resolveRecipient returns an age.Recipient from either a public key string
+// (for plugin keys such as age-plugin-se) or an X25519 identity file.
+func resolveRecipient(identityPath, recipientStr string) (age.Recipient, error) {
+	if recipientStr != "" {
+		recipients, err := age.ParseRecipients(strings.NewReader(recipientStr))
+		if err != nil {
+			return nil, fmt.Errorf("parsing recipient %q: %w", recipientStr, err)
+		}
+		if len(recipients) == 0 {
+			return nil, fmt.Errorf("no recipient found in %q", recipientStr)
+		}
+		return recipients[0], nil
+	}
+
+	// X25519 identity path: open the file and derive the recipient.
+	f, err := os.Open(identityPath)
+	if err != nil {
+		return nil, fmt.Errorf("opening identity file: %w", err)
+	}
+	defer f.Close()
+
+	identities, err := age.ParseIdentities(f)
+	if err != nil {
+		return nil, fmt.Errorf("parsing identity file: %w", err)
+	}
+	if len(identities) == 0 {
+		return nil, fmt.Errorf("no identities found in %q", identityPath)
+	}
+	xi, ok := identities[0].(*age.X25519Identity)
+	if !ok {
+		return nil, fmt.Errorf("identity in %q is not an X25519 key; use --recipient with the public key string instead", identityPath)
+	}
+	return xi.Recipient(), nil
+}

contrib/com.trodemaster.botlockbox.plist

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+  User-scope launchd agent for botlockbox.
+
+  Install:
+    cp com.trodemaster.botlockbox.plist ~/Library/LaunchAgents/
+    launchctl load ~/Library/LaunchAgents/com.trodemaster.botlockbox.plist
+
+  Uninstall:
+    launchctl unload ~/Library/LaunchAgents/com.trodemaster.botlockbox.plist
+    rm ~/Library/LaunchAgents/com.trodemaster.botlockbox.plist
+
+  age-plugin-se setup (one time):
+    age-plugin-se keygen --access-control none -o ~/.botlockbox/identity.txt
+    # note the "public key: age1se1q..." line in the output
+
+    printf 'my_secret: "value"\n' | botlockbox seal \
+      --config ~/.botlockbox/botlockbox.yaml \
+      --recipient age1se1q...
+
+  Secrets are bound to this machine's Secure Enclave. The identity file and
+  secrets.age file are useless on any other Mac. No Touch ID is required at
+  runtime because --access-control none was used at key generation.
+-->
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.trodemaster.botlockbox</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>/usr/local/bin/botlockbox</string>
+    <string>serve</string>
+    <string>--config</string>
+    <string>/Users/YOUR_USERNAME/.botlockbox/botlockbox.yaml</string>
+    <string>--identity</string>
+    <string>/Users/YOUR_USERNAME/.botlockbox/identity.txt</string>
+    <string>--pidfile</string>
+    <string>/Users/YOUR_USERNAME/.botlockbox/botlockbox.pid</string>
+    <string>--ca-cert</string>
+    <string>/Users/YOUR_USERNAME/.botlockbox/ca.pem</string>
+  </array>
+
+  <!-- age-plugin-se must be in PATH for age.Decrypt to invoke the plugin. -->
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+  </dict>
+
+  <!-- Start at login and restart automatically if it exits. -->
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>/Users/YOUR_USERNAME/.botlockbox/botlockbox.log</string>
+  <key>StandardErrorPath</key>
+  <string>/Users/YOUR_USERNAME/.botlockbox/botlockbox.log</string>
+</dict>
+</plist>