feat: implement open source security setup

- Add comprehensive .env.example template with security documentation
- Update .gitignore to exclude certificates, keys, and sensitive files
- Make build-swift-audio.sh generic with automatic certificate detection
- Add code signing security guidelines to CONTRIBUTING.md
- Create entitlements.plist for native binary signing
- Remove hardcoded certificate names for open source safety

This enables safe open source publication while maintaining
production signing capabilities for maintainers.

Author: vijaythecoder

.env.example

@@ -64,11 +64,28 @@ AWS_USE_PATH_STYLE_ENDPOINT=false
 
 VITE_APP_NAME="${APP_NAME}"
 
-# AI Provider Keys
-OPENAI_API_KEY=
-ANTHROPIC_API_KEY=
-GEMINI_API_KEY=
+# AI Provider Keys (Required for functionality)
+# Get your API keys from the respective providers:
+# OpenAI: https://platform.openai.com/api-keys
+# Anthropic: https://console.anthropic.com/
+# Google AI: https://ai.google.dev/
+OPENAI_API_KEY=your-openai-api-key-here
+ANTHROPIC_API_KEY=your-anthropic-api-key-here
+GEMINI_API_KEY=your-gemini-api-key-here
 
 # Realtime API Configuration
 VITE_OPENAI_API_KEY="${OPENAI_API_KEY}"
 VITE_REALTIME_RELAY_URL=wss://localhost:8080/realtime
+
+# NativePHP/Electron Configuration
+# Change this to your own app identifier (reverse domain format)
+NATIVEPHP_APP_ID=com.yourcompany.yourapp
+# NATIVEPHP_APP_VERSION=DEBUG
+
+# Apple Developer Code Signing (Required for macOS distribution)
+# Only needed if you want to build signed, distributable macOS apps
+# Get these from your Apple Developer Account: https://developer.apple.com/account/
+# IMPORTANT: Never commit real values to version control!
+NATIVEPHP_APPLE_ID=[email protected]
+NATIVEPHP_APPLE_ID_PASS=your-app-specific-password
+NATIVEPHP_APPLE_TEAM_ID=YOUR_10_CHAR_TEAM_ID

.gitignore

@@ -24,3 +24,24 @@ yarn-error.log
 /.zed
 /dist
 .DS_Store
+
+# Security & Certificates - Never commit these!
+*.cer
+*.p12
+*.mobileprovision
+*.keychain
+*.keychain-db
+**/certificates/
+**/signing/
+.env.local
+.env.*.local
+*.pem
+*.key.pub
+keychain_password.txt
+apple_certificates/
+
+# Build artifacts that may contain sensitive data
+/build/certificates/
+/build/signing/
+/build/*.cer
+/build/*.p12

CONTRIBUTING.md

@@ -87,16 +87,54 @@ Unsure where to begin contributing? You can start by looking through these issue
    php artisan migrate --database=nativephp
    ```
 
-5. **Add your OpenAI API key to `.env`:**
+5. **Add your API keys to `.env`:**
    ```
-   OPENAI_API_KEY=your-api-key-here
+   OPENAI_API_KEY=your-openai-api-key-here
+   ANTHROPIC_API_KEY=your-anthropic-api-key-here
+   GEMINI_API_KEY=your-gemini-api-key-here
+   NATIVEPHP_APP_ID=com.yourcompany.yourapp
    ```
 
 6. **Run the development server:**
    ```bash
    composer dev
    ```
 
+## 🔐 Code Signing & Security
+
+### For Contributors (Development)
+
+**You don't need Apple Developer certificates for contributing!** The project automatically creates unsigned builds for development, which are perfect for testing your changes.
+
+If you see warnings like this, it's completely normal:
+```
+⚠️  No code signing certificate found - creating unsigned build
+💡 To create signed builds, install an Apple Developer certificate in Keychain
+```
+
+### Security Guidelines
+
+**❌ NEVER commit these:**
+- `.env` file with real credentials
+- Certificate files (`.cer`, `.p12`)
+- Apple Developer credentials
+- Real API keys
+
+**✅ SAFE to commit:**
+- `.env.example` (template only)
+- Source code
+- Build scripts (auto-detect certificates)
+- Documentation
+
+### Before Committing
+
+Always verify no sensitive data:
+```bash
+git status
+git diff --cached
+grep -r "your-actual-api-key" . --exclude-dir=vendor
+```
+
 ## Pull Request Process
 
 1. **Before submitting:**

build-swift-audio.sh

@@ -23,6 +23,56 @@ if [ $? -eq 0 ]; then
     echo "Executable location: build/native/macos-audio-capture"
     # Make sure it's executable
     chmod +x build/native/macos-audio-capture
+    
+    # Attempt to sign the binary with available certificate
+    echo "🔐 Attempting to sign Swift audio capture binary..."
+    
+    # Try to find a Developer ID Application certificate first (for distribution)
+    DIST_CERT=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | cut -d'"' -f2)
+    
+    # If no distribution cert, try Development certificate (for local testing)
+    if [ -z "$DIST_CERT" ]; then
+        DEV_CERT=$(security find-identity -v -p codesigning | grep "Apple Development" | head -1 | cut -d'"' -f2)
+        CERT_NAME="$DEV_CERT"
+        CERT_TYPE="Development"
+    else
+        CERT_NAME="$DIST_CERT"
+        CERT_TYPE="Distribution"
+    fi
+    
+    if [ -n "$CERT_NAME" ]; then
+        echo "📋 Using $CERT_TYPE certificate: $CERT_NAME"
+        codesign --force --sign "$CERT_NAME" \
+            --options runtime \
+            --entitlements native/macos-audio-capture/entitlements.plist \
+            build/native/macos-audio-capture
+        
+        if [ $? -eq 0 ]; then
+            echo "✅ Swift audio capture signed successfully with $CERT_TYPE certificate"
+            
+            # Also sign the extras directory binary if it exists
+            if [ -f "extras/macos-audio-capture" ]; then
+                echo "🔐 Signing extras audio capture binary..."
+                codesign --force --sign "$CERT_NAME" \
+                    --options runtime \
+                    --entitlements native/macos-audio-capture/entitlements.plist \
+                    extras/macos-audio-capture
+                
+                if [ $? -eq 0 ]; then
+                    echo "✅ Extras audio capture signed successfully"
+                else
+                    echo "⚠️  Warning: Failed to sign extras audio capture (continuing anyway)"
+                fi
+            fi
+        else
+            echo "⚠️  Warning: Failed to sign Swift audio capture (continuing anyway)"
+        fi
+    else
+        echo "⚠️  No code signing certificate found - creating unsigned build"
+        echo "💡 To create signed builds, install an Apple Developer certificate in Keychain"
+        echo "   For distribution: 'Developer ID Application' certificate"
+        echo "   For development: 'Apple Development' certificate"
+    fi
 else
     echo "❌ Failed to build Swift audio capture"
     exit 1

native/macos-audio-capture/entitlements.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.microphone</key>
+    <true/>
+</dict>
+</plist>