feat(wallets): add Turnkey signer support

rplusq · claude · rplusq · commit bd31b193b8b7 · 2025-10-31T23:19:55.000+09:00
Add Turnkey as a remote signer option alongside AWS KMS and GCP KMS. Key changes: - Added alloy-signer-turnkey dependency to foundry-wallets - Implemented Turnkey wallet CLI args and initialization logic - Added turnkey feature flags to cast and forge - Updated Dockerfile and Makefile to include turnkey in release builds Fixed forge wallet feature flags: - Moved foundry-wallets from dev-dependencies to dependencies in forge/Cargo.toml - This fixes an issue where aws-kms, gcp-kms, and turnkey features were defined but non-functional when using cargo run with --features flags - The features worked in release builds (via Makefile) but not in local dev - This aligns forge with cast, which already had foundry-wallets as a regular dependency 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -256,6 +256,7 @@ alloy-signer-gcp = { version = "1.0.42", default-features = false }
 alloy-signer-ledger = { version = "1.0.42", default-features = false }
 alloy-signer-local = { version = "1.0.42", default-features = false }
 alloy-signer-trezor = { version = "1.0.42", default-features = false }
+alloy-signer-turnkey = { version = "1.0.42", default-features = false }
 alloy-transport = { version = "1.0.42", default-features = false }
 alloy-transport-http = { version = "1.0.42", default-features = false }
 alloy-transport-ipc = { version = "1.0.42", default-features = false }
diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@ COPY . .
 RUN git update-index --force-write-index
 
 RUN --mount=type=cache,target=/root/.cargo/registry --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/opt/foundry/target \
-    source $HOME/.profile && cargo build --release --features anvil/js-tracer,cast/aws-kms,cast/gcp-kms,forge/aws-kms,forge/gcp-kms \
+    source $HOME/.profile && cargo build --release --features anvil/js-tracer,cast/aws-kms,cast/gcp-kms,cast/turnkey,forge/aws-kms,forge/gcp-kms,forge/turnkey \
     && mkdir out \
     && mv target/release/forge out/forge \
     && mv target/release/cast out/cast \
diff --git a/Makefile b/Makefile
@@ -15,9 +15,9 @@ CARGO_TARGET_DIR ?= target
 # List of features to use when building. Can be overridden via the environment.
 # No jemalloc on Windows
 ifeq ($(OS),Windows_NT)
-    FEATURES ?= aws-kms gcp-kms cli asm-keccak
+    FEATURES ?= aws-kms gcp-kms turnkey cli asm-keccak
 else
-    FEATURES ?= jemalloc aws-kms gcp-kms cli asm-keccak
+    FEATURES ?= jemalloc aws-kms gcp-kms turnkey cli asm-keccak
 endif
 
 ##@ Help
@@ -47,15 +47,15 @@ build-%:
 .PHONY: docker-build-push
 docker-build-push: docker-build-prepare ## Build and push a cross-arch Docker image tagged with DOCKER_IMAGE_NAME.
 	# Build x86_64-unknown-linux-gnu.
-	cargo build --target x86_64-unknown-linux-gnu --features "jemalloc aws-kms gcp-kms cli asm-keccak js-tracer" --profile "$(PROFILE)"
+	cargo build --target x86_64-unknown-linux-gnu --features "jemalloc aws-kms gcp-kms turnkey cli asm-keccak js-tracer" --profile "$(PROFILE)"
 	mkdir -p $(BIN_DIR)/amd64
 	for bin in anvil cast chisel forge; do \
 		cp $(CARGO_TARGET_DIR)/x86_64-unknown-linux-gnu/$(PROFILE)/$$bin $(BIN_DIR)/amd64/; \
 	done
 
 	# Build aarch64-unknown-linux-gnu.
 	rustup target add aarch64-unknown-linux-gnu
-	RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc" cargo build --target aarch64-unknown-linux-gnu --features "aws-kms gcp-kms cli asm-keccak js-tracer" --profile "$(PROFILE)"
+	RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc" cargo build --target aarch64-unknown-linux-gnu --features "aws-kms gcp-kms turnkey cli asm-keccak js-tracer" --profile "$(PROFILE)"
 	mkdir -p $(BIN_DIR)/arm64
 	for bin in anvil cast chisel forge; do \
 		cp $(CARGO_TARGET_DIR)/aarch64-unknown-linux-gnu/$(PROFILE)/$$bin $(BIN_DIR)/arm64/; \
diff --git a/crates/cast/Cargo.toml b/crates/cast/Cargo.toml
@@ -101,4 +101,5 @@ mimalloc = ["foundry-cli/mimalloc"]
 tracy-allocator = ["foundry-cli/tracy-allocator"]
 aws-kms = ["foundry-wallets/aws-kms"]
 gcp-kms = ["foundry-wallets/gcp-kms"]
+turnkey = ["foundry-wallets/turnkey"]
 isolate-by-default = ["foundry-config/isolate-by-default"]
diff --git a/crates/forge/Cargo.toml b/crates/forge/Cargo.toml
@@ -50,6 +50,7 @@ forge-script.workspace = true
 forge-sol-macro-gen.workspace = true
 foundry-cli.workspace = true
 foundry-debugger.workspace = true
+foundry-wallets.workspace = true
 
 alloy-chains.workspace = true
 alloy-dyn-abi.workspace = true
@@ -101,7 +102,6 @@ alloy-hardforks.workspace = true
 anvil.workspace = true
 forge-script-sequence.workspace = true
 foundry-test-utils.workspace = true
-foundry-wallets.workspace = true
 futures.workspace = true
 reqwest = { workspace = true, features = ["json"] }
 
@@ -122,4 +122,5 @@ mimalloc = ["foundry-cli/mimalloc"]
 tracy-allocator = ["foundry-cli/tracy-allocator"]
 aws-kms = ["foundry-wallets/aws-kms"]
 gcp-kms = ["foundry-wallets/gcp-kms"]
+turnkey = ["foundry-wallets/turnkey"]
 isolate-by-default = ["foundry-config/isolate-by-default"]
diff --git a/crates/wallets/Cargo.toml b/crates/wallets/Cargo.toml
@@ -32,6 +32,9 @@ aws-config = { version = "1", default-features = true, optional = true }
 # gcp-kms
 alloy-signer-gcp = { workspace = true, features = ["eip712"], optional = true }
 
+# turnkey
+alloy-signer-turnkey = { workspace = true, features = ["eip712"], optional = true }
+
 async-trait.workspace = true
 clap = { version = "4", features = ["derive", "env", "unicode", "wrap_help"] }
 derive_builder = "0.20"
@@ -48,3 +51,4 @@ tokio = { workspace = true, features = ["macros"] }
 [features]
 aws-kms = ["dep:alloy-signer-aws", "dep:aws-config"]
 gcp-kms = ["dep:alloy-signer-gcp"]
+turnkey = ["dep:alloy-signer-turnkey"]
diff --git a/crates/wallets/src/error.rs b/crates/wallets/src/error.rs
@@ -10,6 +10,9 @@ use alloy_signer_aws::AwsSignerError;
 #[cfg(feature = "gcp-kms")]
 use alloy_signer_gcp::GcpSignerError;
 
+#[cfg(feature = "turnkey")]
+use alloy_signer_turnkey::TurnkeySignerError;
+
 #[derive(Debug, thiserror::Error)]
 pub enum PrivateKeyError {
     #[error("Failed to create wallet from private key. Private key is invalid hex: {0}")]
@@ -37,6 +40,9 @@ pub enum WalletSignerError {
     #[cfg(feature = "gcp-kms")]
     Gcp(#[from] Box<GcpSignerError>),
     #[error(transparent)]
+    #[cfg(feature = "turnkey")]
+    Turnkey(#[from] TurnkeySignerError),
+    #[error(transparent)]
     Io(#[from] std::io::Error),
     #[error(transparent)]
     InvalidHex(#[from] FromHexError),
@@ -54,4 +60,8 @@ impl WalletSignerError {
     pub fn gcp_unsupported() -> Self {
         Self::UnsupportedSigner("Google Cloud KMS")
     }
+
+    pub fn turnkey_unsupported() -> Self {
+        Self::UnsupportedSigner("Turnkey")
+    }
 }
diff --git a/crates/wallets/src/multi_wallet.rs b/crates/wallets/src/multi_wallet.rs
@@ -86,6 +86,7 @@ macro_rules! create_hw_wallets {
 /// 5. Private Keys (cleartext in CLI)
 /// 6. Private Keys (interactively via secure prompt)
 /// 7. AWS KMS
+/// 8. Turnkey
 #[derive(Builder, Clone, Debug, Default, Serialize, Parser)]
 #[command(next_help_heading = "Wallet options", about = None, long_about = None)]
 pub struct MultiWalletOpts {
@@ -221,6 +222,15 @@ pub struct MultiWalletOpts {
     /// See: <https://cloud.google.com/kms/docs>
     #[arg(long, help_heading = "Wallet options - remote", hide = !cfg!(feature = "gcp-kms"))]
     pub gcp: bool,
+
+    /// Use Turnkey.
+    ///
+    /// Ensure the following environment variables are set: TURNKEY_API_PRIVATE_KEY,
+    /// TURNKEY_ORGANIZATION_ID, TURNKEY_ADDRESS.
+    ///
+    /// See: <https://docs.turnkey.com/getting-started/quickstart>
+    #[arg(long, help_heading = "Wallet options - remote", hide = !cfg!(feature = "turnkey"))]
+    pub turnkey: bool,
 }
 
 impl MultiWalletOpts {
@@ -241,6 +251,9 @@ impl MultiWalletOpts {
         if let Some(gcp_signer) = self.gcp_signers().await? {
             signers.extend(gcp_signer);
         }
+        if let Some(turnkey_signers) = self.turnkey_signers()? {
+            signers.extend(turnkey_signers);
+        }
         if let Some((pending_keystores, unlocked)) = self.keystores()? {
             pending.extend(pending_keystores);
             signers.extend(unlocked);
@@ -449,6 +462,20 @@ impl MultiWalletOpts {
 
         Ok(None)
     }
+
+    pub fn turnkey_signers(&self) -> Result<Option<Vec<WalletSigner>>> {
+        #[cfg(feature = "turnkey")]
+        if self.turnkey {
+            let api_private_key = std::env::var("TURNKEY_API_PRIVATE_KEY")?;
+            let organization_id = std::env::var("TURNKEY_ORGANIZATION_ID")?;
+            let address = std::env::var("TURNKEY_ADDRESS")?.parse()?;
+
+            let signer = WalletSigner::from_turnkey(api_private_key, organization_id, address)?;
+            return Ok(Some(vec![signer]));
+        }
+
+        Ok(None)
+    }
 }
 
 #[cfg(test)]
diff --git a/crates/wallets/src/wallet.rs b/crates/wallets/src/wallet.rs
@@ -11,6 +11,7 @@ use serde::Serialize;
 /// 4. Keystore (via file path)
 /// 5. AWS KMS
 /// 6. Google Cloud KMS
+/// 7. Turnkey
 #[derive(Clone, Debug, Default, Serialize, Parser)]
 #[command(next_help_heading = "Wallet options", about = None, long_about = None)]
 pub struct WalletOpts {
@@ -91,6 +92,15 @@ pub struct WalletOpts {
     /// See: <https://cloud.google.com/kms/docs>
     #[arg(long, help_heading = "Wallet options - remote", hide = !cfg!(feature = "gcp-kms"))]
     pub gcp: bool,
+
+    /// Use Turnkey.
+    ///
+    /// Ensure the following environment variables are set: TURNKEY_API_PRIVATE_KEY,
+    /// TURNKEY_ORGANIZATION_ID, TURNKEY_ADDRESS.
+    ///
+    /// See: <https://docs.turnkey.com/getting-started/quickstart>
+    #[arg(long, help_heading = "Wallet options - remote", hide = !cfg!(feature = "turnkey"))]
+    pub turnkey: bool,
 }
 
 impl WalletOpts {
@@ -120,6 +130,14 @@ impl WalletOpts {
                 .parse()
                 .map_err(|_| eyre::eyre!("GCP_KEY_VERSION could not be parsed into u64"))?;
             WalletSigner::from_gcp(project_id, location, keyring, key_name, key_version).await?
+        } else if self.turnkey {
+            let api_private_key = get_env("TURNKEY_API_PRIVATE_KEY")?;
+            let organization_id = get_env("TURNKEY_ORGANIZATION_ID")?;
+            let address_str = get_env("TURNKEY_ADDRESS")?;
+            let address = address_str.parse().map_err(|_| {
+                eyre::eyre!("TURNKEY_ADDRESS could not be parsed as an Ethereum address")
+            })?;
+            WalletSigner::from_turnkey(api_private_key, organization_id, address)?
         } else if let Some(raw_wallet) = self.raw.signer()? {
             raw_wallet
         } else if let Some(path) = utils::maybe_get_keystore_path(
@@ -152,6 +170,7 @@ flag to set your key via:
 --mnemonic-path
 --aws
 --gcp
+--turnkey
 --trezor
 --ledger
 
@@ -222,6 +241,7 @@ mod tests {
             trezor: false,
             aws: false,
             gcp: false,
+            turnkey: false,
         };
         match wallet.signer().await {
             Ok(_) => {
diff --git a/crates/wallets/src/wallet_signer.rs b/crates/wallets/src/wallet_signer.rs
