feat(keychain): opt-in Touch ID / Face ID via SecAccessControl

[ndeloof]

Summary

Add an opt-in WithBiometricAuth(prompt) DarwinOptions so callers can require Touch ID / Face ID (with the device passcode as a fallback) instead of the keychain password popup when releasing a stored secret.

The default behaviour is unchanged: keychain items keep kSecAttrAccessibleAfterFirstUnlock and prompt for the user's macOS password on first access of the session. The new option is fully opt-in.

Why

Downstream callers (e.g. docker/sandboxes) want to give end-users a friendlier auth prompt when reading credentials from the keychain. Touch ID / Face ID with passcode fallback is the natural macOS pattern, but the current store/keychain API exposes only the kSecAttrAccessible* constants — no path to set kSecAttrAccessControl or wire a custom operation prompt.

Implementation

• internal/go-keychain/accesscontrol_darwin.go — cgo bindings for SecAccessControlCreateWithFlags, the kSecAccessControl* flag constants (UserPresence, BiometryAny, BiometryCurrentSet, DevicePasscode, Or/And combiners), and kSecAttrAccessControl / kSecUseOperationPrompt attribute keys. The new AccessControl value implements the existing Convertable interface so ConvertMapToCFDictionary releases the freshly-created CFTypeRef once the dictionary is destroyed — important because Item is reused across multi-call store operations (Save → Delete → Save).
• SetAccessControl intentionally drops kSecAttrAccessible from the item's attribute map: the protection class is encoded inside the SecAccessControl object, and supplying both yields errSecParam.
• store/keychain/keychain.go — exposes WithBiometricAuth(prompt string) DarwinOptions. Non-darwin platforms keep their existing behaviour: only the darwin store implements the new setBiometricAuth method on the darwinOptions interface, so the option falls through errSkipOptions on Linux/Windows.
• store/keychain/keychain_darwin.go — newKeychainItem sets kSecUseOperationPrompt on every query when biometric auth is enabled; applyBiometricACL swaps Accessible → AccessControl on Save. The default flag combination is AccessControlUserPresence, which accepts any enrolled biometric and falls back to the device passcode — friendlier than BiometryCurrentSet, which would invalidate the item whenever a fingerprint or face enrolment changes on the device.

Migration

Items already in the keychain keep their original ACL. Only secrets written after the store is constructed with WithBiometricAuth pick up the biometric policy. Downstream callers that want every existing secret to be protected need a one-off delete + re-save migration; this is documented in the option's godoc.

Test plan

• AccessControl.Convert() covered for multiple valid flag combinations + the unsupported-protection failure path, without touching the system keychain.
• SetAccessControl removes kSecAttrAccessible from the Item.attr map.
• New(...) plumbs the flag and prompt through; default-off invariant is covered explicitly.
• Existing TestMacosKeychain, TestUpsert, TestConvertAttributes still pass (Save/Get round-trips on the default Accessible path remain unchanged).
• A full Save/Get round-trip with biometric ACL is intentionally not in the suite — the macOS authentication dialog would block CI. Local validation has been performed by linking this branch into docker/sandboxes via a go.mod replace directive.

Downstream integration

I'm pulling this branch into docker/sandboxes via go.mod replace and gating it behind a new platform.keychainBiometricAuth setting (off by default; opt-in via sbx settings set).