LayerX

Problem Statement

Safe Desktop is a local-first, Electron-based 2-of-3 multisignature wallet that blends user-friendly UX with hardware-grade security by including a Trusted Platform Module (TPM) as one of the signers. It uses Envio’s Dynamic Contracts to deploy and manage flexible on-chain multisig logic (so Safes can be created or updated with dynamic rules without manual redeployment). The intended audience is power users, devs, auditors, DAOs and teams who want a transparent, auditable multisig experience that leverages local keys and a hardware-backed signer.Core idea in one line: every Safe transaction requires 2 of 3 signatures — user key, app key, and a TPM key — and all key management and signing happen locally (or via the local TPM server), while flexible on-chain logic is provided by Envio dynamic contracts.Why the project exists (problems it solves)Many multisig tools are web-hosted and rely on remote key custody — higher attack surface for key leakage.Existing tools often obscure how keys are generated, stored and combined.Research and hardware integration (TPM, HSMs) are not well-supported in popular multisig GUIs. Safe Desktop addresses these by:Local-first key handling (two keys generated locally; TPM provides the third).Clear, auditable UI flows: key generation → Safe deployment → tx creation → signing → submission.Support for both predeployed Safes (for quicker testing) and dynamic Safe deployment (Envio).TPM server that simulates or interfaces with hardware-grade signing so you can test hardware-backed workflows.Key concepts explained2-of-3 multisig: A Safe requires signatures from any two of the three owners to authorize a transaction. Owners here are: (1) user private key, (2) app key, (3) TPM key.TPM server: A local service (written in Go) that exposes a public key and signing endpoint representing the TPM. The app fetches the TPM public key and uses the server to request TPM-backed signatures.Dynamic Contracts (Envio): On-chain smart contract templates that allow rules (ownership, session constraints, dynamic ownership) to be changed or instantiated without the monolithic redeploys typical of immutable contracts.Auto-funding: After deployment, the app will fund the Safe automatically from the deployer wallet (leaving gas buffer) to simplify onboarding/testing.HyperIndex / Indexer: Indexer that provides GraphQL endpoints for on-chain and off-chain data related to Safe activity (transaction history, contract metadata).Main partsElectron renderer (React) — UI pages/components (SafeSetup, TxComposer, Dashboard, HyperIndexPage, TxLifecycle).safeKit / services — client-side helpers: safe-sdk.service.js (interacts with Safe protocol kit / ethers), sig-utils.js (signature assembly and verification), hyperindex.service.js (calls indexer GraphQL).Local backend/server — API endpoints to assist signing utilities, server-side safe sdk operations, or bridging to the TPM agent if needed.tpm-signing-agent/ — Go code providing TPM public key and signing endpoint (can simulate TPM for development or integrate OS TPM).indexer/ — indexer definitions and ABI files used by hyperindex to surface Safe transactions and contract metadata.How TPM signing works here (technical)The TPM agent exposes:An endpoint to return the TPM public key (owner key) — used as the third owner address when deploying Safe.A signing endpoint which, given a transaction digest (Safe tx hash), uses the TPM to produce a signature (r, s, v).Signing flow (for a tx):App computes the Safe transaction hash (per Safe/EIP-712 or contract-specific scheme).App sends the digest to the TPM signing endpoint (signed over local IPC/localhost).TPM returns signature bytes; the app verifies signature corresponds to the TPM public key.App assembles signatures (user/app/TPM) into the Safe-compatible format and submits.Fallback: if TPM server not reachable, the app uses a preconfigured test key but warns users — never use fallback keys in production.

Solution

Safe Desktop is built as a cross-platform Electron app powered by a React + Vite frontend and a Go-based TPM signing agent.Frontend: The React renderer (using Context API) manages key generation, Safe deployment, and transaction flow entirely on the client. It interfaces directly with the blockchain via ethers.js and the Safe Protocol Kit, without relying on any backend server.Electron Integration: Electron bridges the system layer and frontend, enabling secure local storage, access to environment variables, and interaction with the TPM agent running on the user’s device.TPM Agent: A lightweight Go server runs locally to expose a signing API backed by the device’s Trusted Platform Module (TPM). It provides a public key and signs transaction hashes, acting as one of the Safe owners for true hardware-grade security.Dynamic Contracts: We used Envio’s Dynamic Contracts to deploy and manage flexible multisig logic on-chain — allowing owner sets and session rules to evolve without redeployment.Real-time Indexing: Envio HyperIndex powers the live dashboard, giving real-time Safe transaction updates through GraphQL queries.