diff --git a/Cargo.lock b/Cargo.lock
index 61a4131..a29558c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -341,12 +341,16 @@ dependencies = [
 name = "enclaveapp-apple"
 version = "0.1.0"
 dependencies = [
+ "aes-gcm",
  "base64 0.22.1",
  "dirs",
  "enclaveapp-core",
  "libc",
+ "rand",
  "serde",
  "serde_json",
+ "tempfile",
+ "tracing",
 ]
 
 [[package]]
diff --git a/DESIGN.md b/DESIGN.md
index a44ab96..86233f8 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -156,7 +156,7 @@ Signing keys are long-lived identity keys (e.g., SSH keys). At Levels 1-3, the h
 
 | Level | Backend | Who signs? | Private key exportable? | User presence | Key storage |
 |:-----:|---------|-----------|:----------------------:|---------------|-------------|
-| **1** | macOS Secure Enclave | **The SE hardware.** `sshenc` sends data to the SE via CryptoKit; the SE performs ECDSA P-256 internally and returns the signature. The private key never exists outside the chip. Works for both signed and unsigned binaries on Apple Silicon. | **No** — impossible. Even root cannot extract it. The `dataRepresentation` on disk is an opaque SE handle (not key material); it is written with 0600 permissions today. AES-GCM wrapping under a Keychain-stored key is planned (see `fix-macos.md`) and not yet implemented. | Touch ID / biometric enforced by SE hardware per-signature (when access policy is set). | Secure Enclave coprocessor + handle file on disk (0600). Keychain-wrapped handle is a planned hardening. |
+| **1** | macOS Secure Enclave | **The SE hardware.** `sshenc` sends data to the SE via CryptoKit; the SE performs ECDSA P-256 internally and returns the signature. The private key never exists outside the chip. Works for both signed and unsigned binaries on Apple Silicon. | **No** — impossible. Even root cannot extract it. The `dataRepresentation` on disk is an opaque SE handle (not key material); it is AES-256-GCM wrapped under a 32-byte key stored in the login Keychain (service `com.enclaveapp.<app>`, account `<label>`). File format `[EHW1 magic][nonce][ciphertext][tag]`. | Touch ID / biometric enforced by SE hardware per-signature (when access policy is set). | Secure Enclave coprocessor + Keychain-wrapped handle on disk (0600). |
 | **2** | Windows TPM 2.0 | **The TPM hardware.** CNG sends signing requests to the TPM via NCrypt. | **No** — key is a non-exportable TPM object. | Windows Hello (biometric/PIN) enforced per-signature via `NCRYPT_UI_POLICY`. | TPM 2.0 chip. |
 | **3** | Linux TPM 2.0 | **The TPM hardware.** Signing performed by the TPM via `tss-esapi`. | **No** — key is TPM-resident. | Not enforced (no standard Linux biometric API). | TPM 2.0 device (`/dev/tpmrm0`). glibc only. |
 | **4** | Software (Linux glibc) | **Software.** The P-256 private key is decrypted from the keyring into memory and used for signing via the `p256` crate. | **Yes (encrypted at rest)** — P-256 private key on disk, encrypted via system keyring (D-Bus Secret Service / GNOME Keyring / KWallet). | Not enforced. | `~/.config/{app}/keys/` encrypted via keyring. |
@@ -170,7 +170,7 @@ The blast radius of encryption key compromise is further bounded by the expirati
 
 | Level | Backend | Who decrypts? | Private key exportable? | User presence | Cached data protection |
 |:-----:|---------|--------------|:----------------------:|---------------|----------------------|
-| **1** | macOS Secure Enclave | **The SE hardware.** ECDH key agreement happens inside the SE. The shared secret is derived internally; only the AES-GCM decryption of the ciphertext body happens in software. Handle blob stored 0600 on disk; Keychain-wrapped handle is a planned hardening (see `fix-macos.md`). | **No** — impossible. | Touch ID / biometric can be required per-decrypt. | Ciphertext on disk can only be decrypted by the SE that created the key. Full disk access is insufficient without the SE. |
+| **1** | macOS Secure Enclave | **The SE hardware.** ECDH key agreement happens inside the SE. The shared secret is derived internally; only the AES-GCM decryption of the ciphertext body happens in software. Handle blob is AES-256-GCM wrapped under a Keychain-held key (see `crates/enclaveapp-apple/src/keychain_wrap.rs`). | **No** — impossible. | Touch ID / biometric can be required per-decrypt. | Ciphertext on disk can only be decrypted by the SE that created the key. Full disk access is insufficient without the SE, and the Keychain wrapping key gates same-UID handle theft. |
 | **2** | Windows TPM 2.0 | **The TPM hardware** performs ECDH. | **No** — TPM-bound. | Windows Hello can be required per-decrypt. | Only decryptable on the same machine's TPM. |
 | **3** | Linux TPM 2.0 | **The TPM hardware** via `tss-esapi`. | **No** — TPM-bound. | Not enforced. | Same machine-binding as Windows TPM. |
 | **4** | Software (Linux glibc) | **Software.** P-256 key decrypted from keyring. | **Yes (encrypted at rest)** — keyring-protected. | Not enforced. | Keyring-encrypted key protects cache at rest. |
@@ -182,11 +182,13 @@ All supported macOS hardware (Apple Silicon) has a Secure Enclave, and **CryptoK
 
 The `com.apple.developer.secure-enclave` entitlement is a **Security.framework** concept for Keychain-stored SE keys (`SecItemAdd` with `kSecAttrTokenIDSecureEnclave`). Since libenclaveapp uses CryptoKit's `dataRepresentation` for key persistence (not Security.framework), the entitlement is not required.
 
-**Handle protection for unsigned apps — planned, not yet implemented.** The SE's `dataRepresentation` is an opaque handle blob that allows the same device's SE to reconstruct the key reference. While the private key itself cannot be extracted from this blob, the blob is stored as a file on disk — and another process running as the same user could copy it and use it to request SE operations.
+**Handle protection for unsigned apps.** The SE's `dataRepresentation` is an opaque handle blob that allows the same device's SE to reconstruct the key reference. While the private key itself cannot be extracted from this blob, the blob is stored as a file on disk — and another process running as the same user could copy it and use it to request SE operations.
 
-**Current state.** `.handle` is written with 0600 permissions and no further wrapping (see `crates/enclaveapp-apple/src/keychain.rs`). A same-UID attacker can read the handle and replay it against the SE from another process.
+**Implemented.** `generate_and_save_key` creates a fresh 32-byte AES-256 wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.enclaveapp.<app>`, account `<label>`), AES-256-GCM encrypts the `dataRepresentation` under that key, and writes the sealed blob to `.handle` with the magic prefix `EHW1`. Format: `[magic(4)][nonce(12)][ciphertext][tag(16)]`. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
 
-**Planned state** (see `fix-macos.md`). Wrap the `dataRepresentation` with **AES-256-GCM** using a Keychain-stored wrapping key. The Keychain's per-application access control then gates same-user handle theft:
+Legacy plaintext `.handle` files are accepted by `load_handle` for transparent migration; they re-wrap on the next rotation. `delete_key` removes the keychain entry alongside the on-disk artifacts.
+
+The Keychain's per-application access control then gates same-user handle theft:
 
 - **Signed app (code-signed with Developer ID):** The Keychain ACL is bound to the app's code signature. Other apps cannot access the wrapping key. Handle files are protected against same-user attacks.
 
@@ -200,7 +202,7 @@ On macOS, the `enclaveapp-apple` backend auto-detects which path to use at runti
 
 - **Signed/entitled (Level 1):** The app is code-signed with a Developer ID certificate and has the Secure Enclave entitlement. Keys are created inside SE hardware via `SecureEnclave.P256.Signing.PrivateKey` / `SecureEnclave.P256.KeyAgreement.PrivateKey`. The key material physically cannot be extracted. This is the production path for distributed binaries.
 
-- **Unsigned/development (Level 4):** The app is not code-signed or lacks entitlements (typical during local development with `cargo build`). Keys are created via regular `CryptoKit.P256` (not SE-bound). The private key's `dataRepresentation` is currently written to disk as a 0600 `.handle` file without additional wrapping; Keychain-backed AES-GCM wrapping is planned (see `fix-macos.md`). Even today the keys are not hardware-bound in this mode.
+- **Unsigned/development (Level 4):** The app is not code-signed or lacks entitlements (typical during local development with `cargo build`). Keys are created via regular `CryptoKit.P256` (not SE-bound). The private key's `dataRepresentation` is AES-256-GCM wrapped under a Keychain-held key and written to a 0600 `.handle` file. Even with the wrapping, the keys are not hardware-bound in this mode — the SE isn't in the path.
 
 #### Linux glibc vs. musl
 
diff --git a/THREAT_MODEL.md b/THREAT_MODEL.md
index 462ac2d..ab7ec6e 100644
--- a/THREAT_MODEL.md
+++ b/THREAT_MODEL.md
@@ -83,8 +83,8 @@ Unsafe FFI surfaces are trusted by design but fragile.
 
 ### Keychain and key-backend-specific risks
 
-- **macOS `.handle` storage is currently plaintext (0600).** DESIGN.md describes AES-GCM wrapping under a Keychain-stored key as the handle-theft defense. That code is not yet merged (see `fix-macos.md`). Until it lands, a same-UID attacker can copy a `.handle` file and replay it against the SE from another process. The SE still refuses to export the private key itself.
-- **Cross-binary Keychain access on macOS** for ad-hoc signed builds (Homebrew, `cargo build`) is controlled by binary hash; every rebuild invalidates the ACL and reprompts the user. This is the Keychain enforcing its ACL, not a vulnerability, but it becomes load-bearing once Keychain wrapping lands (see above).
+- **macOS `.handle` storage is AES-256-GCM wrapped under a Keychain-held key.** `generate_and_save_key` creates a fresh 32-byte wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.enclaveapp.<app>`, account `<label>`), and writes the AES-GCM-sealed SE `dataRepresentation` to `.handle` (magic `EHW1`, format `[magic][nonce][ciphertext][tag]`). A same-UID attacker who copies the `.handle` file still needs the keychain-held wrapping key to replay SE operations — and the keychain's code-signature-bound ACL blocks access from a different binary, prompting the user on first use of a rebuilt binary. Legacy plaintext `.handle` files are accepted transparently for migration; they upgrade to wrapped format on the next rotation. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
+- **Cross-binary Keychain access on macOS** for ad-hoc signed builds (Homebrew, `cargo build`) is controlled by binary hash; every rebuild invalidates the ACL and reprompts the user. This is the Keychain enforcing its ACL — it's now load-bearing because the wrapping key is what gates same-UID handle theft (above). Trusted signing identities eliminate the per-upgrade prompt.
 - **Keyring D-Bus peer trust.** The keyring backend talks to the session D-Bus Secret Service. A hostile session bus (another process running as the user that took over the bus) could intercept unlock / decrypt requests. Same-user already-compromised session; out of scope for the library.
 
 ### Filesystem races and metadata tamper
diff --git a/crates/enclaveapp-apple/Cargo.toml b/crates/enclaveapp-apple/Cargo.toml
index 8a318e7..31a527b 100644
--- a/crates/enclaveapp-apple/Cargo.toml
+++ b/crates/enclaveapp-apple/Cargo.toml
@@ -17,8 +17,14 @@ encryption = []
 
 [dependencies]
 enclaveapp-core = { workspace = true }
+aes-gcm = { workspace = true }
 base64 = { workspace = true }
 dirs = { workspace = true }
+rand = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 libc = { workspace = true }
+tracing = "0.1"
+
+[dev-dependencies]
+tempfile = { workspace = true }
diff --git a/crates/enclaveapp-apple/src/ffi.rs b/crates/enclaveapp-apple/src/ffi.rs
index 7e182bd..4baddac 100644
--- a/crates/enclaveapp-apple/src/ffi.rs
+++ b/crates/enclaveapp-apple/src/ffi.rs
@@ -72,4 +72,38 @@ extern "C" {
         plaintext_out: *mut u8,
         plaintext_len: *mut i32,
     ) -> i32;
+
+    // Keychain generic-password helpers (wrapping-key storage).
+    //
+    // Return codes:
+    //   0   SE_OK
+    //   4   SE_ERR_BUFFER_TOO_SMALL
+    //   9   SE_ERR_KEYCHAIN_STORE
+    //   10  SE_ERR_KEYCHAIN_LOAD
+    //   11  SE_ERR_KEYCHAIN_DELETE
+    //   12  SE_ERR_KEYCHAIN_NOT_FOUND
+    pub fn enclaveapp_keychain_store(
+        service: *const u8,
+        service_len: i32,
+        account: *const u8,
+        account_len: i32,
+        secret: *const u8,
+        secret_len: i32,
+    ) -> i32;
+
+    pub fn enclaveapp_keychain_load(
+        service: *const u8,
+        service_len: i32,
+        account: *const u8,
+        account_len: i32,
+        secret_out: *mut u8,
+        secret_len: *mut i32,
+    ) -> i32;
+
+    pub fn enclaveapp_keychain_delete(
+        service: *const u8,
+        service_len: i32,
+        account: *const u8,
+        account_len: i32,
+    ) -> i32;
 }
diff --git a/crates/enclaveapp-apple/src/keychain.rs b/crates/enclaveapp-apple/src/keychain.rs
index a37244c..5a222f3 100644
--- a/crates/enclaveapp-apple/src/keychain.rs
+++ b/crates/enclaveapp-apple/src/keychain.rs
@@ -124,6 +124,15 @@ where
 }
 
 /// Generate a Secure Enclave key and persist its local metadata atomically.
+///
+/// The SE `dataRepresentation` handle is wrapped with AES-256-GCM under a
+/// fresh 32-byte key stored in the macOS login keychain before being
+/// written to `.handle` on disk. See [`crate::keychain_wrap`] for the
+/// rationale and ciphertext format.
+///
+/// If any step after the SE key was created fails, the SE key is deleted
+/// and the keychain wrapping-key entry is cleaned up so the label is
+/// free to reuse.
 pub fn generate_and_save_key(
     config: &KeychainConfig,
     label: &str,
@@ -137,9 +146,46 @@ pub fn generate_and_save_key(
     prepare_label_for_save(&dir, label)?;
 
     let (pub_key, data_rep) = generate_key(key_type, policy.as_ffi_value())?;
-    persist_saved_key_material(&dir, label, key_type, policy, &data_rep, &pub_key, || {
+
+    // Generate a fresh wrapping key and store it in the keychain BEFORE
+    // encrypting, so a failure on either side leaves a consistent state.
+    let wrapping_key = crate::keychain_wrap::generate_wrapping_key();
+    let app_name = config.app_name.clone();
+    let app_name_for_cleanup = app_name.clone();
+    let label_owned = label.to_string();
+    if let Err(error) = crate::keychain_wrap::keychain_store(&app_name, label, &wrapping_key) {
+        // The SE key was created but we can't store its wrapping key —
+        // roll back the SE key so we don't leave an orphaned key that
+        // we can never reload.
+        drop(delete_key_from_data_rep(&data_rep));
+        return Err(error);
+    }
+
+    let wrapped_blob = match crate::keychain_wrap::encrypt_blob(&wrapping_key, &data_rep) {
+        Ok(blob) => blob,
+        Err(error) => {
+            drop(crate::keychain_wrap::keychain_delete(&app_name, label));
+            drop(delete_key_from_data_rep(&data_rep));
+            return Err(error);
+        }
+    };
+
+    let cleanup = move || {
+        drop(crate::keychain_wrap::keychain_delete(
+            &app_name_for_cleanup,
+            &label_owned,
+        ));
         delete_key_from_data_rep(&data_rep)
-    })?;
+    };
+    persist_saved_key_material(
+        &dir,
+        label,
+        key_type,
+        policy,
+        &wrapped_blob,
+        &pub_key,
+        cleanup,
+    )?;
 
     Ok(pub_key)
 }
@@ -204,6 +250,13 @@ fn save_key(
 }
 
 /// Load a key's data representation from the keys directory.
+///
+/// The `.handle` file may be either a wrapped blob (magic prefix `EHW1`)
+/// or a legacy plaintext CryptoKit `dataRepresentation`. Wrapped blobs
+/// are decrypted with the wrapping key loaded from the login keychain;
+/// legacy plaintext blobs are returned unchanged for transparent
+/// migration — they'll be re-wrapped the next time `generate_and_save_key`
+/// replaces the label.
 pub fn load_handle(config: &KeychainConfig, label: &str) -> Result<Vec<u8>> {
     validate_label(label)?;
     let path = config.keys_dir().join(format!("{label}.handle"));
@@ -212,7 +265,32 @@ pub fn load_handle(config: &KeychainConfig, label: &str) -> Result<Vec<u8>> {
             label: label.to_string(),
         });
     }
-    metadata::read_no_follow(&path)
+    let contents = metadata::read_no_follow(&path)?;
+
+    if !crate::keychain_wrap::is_wrapped_handle(&contents) {
+        // Legacy plaintext handle (pre-EHW1). Return as-is; the caller
+        // can sign/decrypt directly, and the next rotation picks up
+        // the wrapping. Logged for visibility.
+        tracing::debug!(
+            label = label,
+            "loaded legacy plaintext SE handle; re-save to upgrade to wrapped format"
+        );
+        return Ok(contents);
+    }
+
+    let wrapping_key = match crate::keychain_wrap::keychain_load(&config.app_name, label)? {
+        Some(k) => k,
+        None => {
+            return Err(Error::KeyOperation {
+                operation: "load_handle".into(),
+                detail: format!(
+                    "wrapped handle for label `{label}` is missing its keychain wrapping key; \
+                    the keychain entry may have been deleted or the user denied access"
+                ),
+            });
+        }
+    };
+    crate::keychain_wrap::decrypt_blob(&wrapping_key, &contents)
 }
 
 /// Load the cached public key for a label. Falls back to extracting from data rep.
@@ -230,6 +308,12 @@ pub fn list_labels(config: &KeychainConfig) -> Result<Vec<String>> {
 }
 
 /// Delete a key and all associated files.
+///
+/// Also removes the key's wrapping-key entry from the login keychain.
+/// The keychain removal is best-effort — if it fails for any reason
+/// other than "not found" the overall delete still proceeds so the
+/// on-disk state isn't left half-cleaned. A leftover keychain entry
+/// is harmless if the `.handle` file is gone (no one can use it).
 pub fn delete_key(config: &KeychainConfig, label: &str) -> Result<()> {
     validate_label(label)?;
     let dir = config.keys_dir();
@@ -242,7 +326,7 @@ pub fn delete_key(config: &KeychainConfig, label: &str) -> Result<()> {
         });
     }
     let _lock = metadata::DirLock::acquire(&dir)?;
-    match load_handle(config, label) {
+    let result = match load_handle(config, label) {
         Ok(data_rep) => {
             delete_key_from_data_rep(&data_rep).map_err(|error| Error::KeyOperation {
                 operation: "delete_key".into(),
@@ -257,7 +341,20 @@ pub fn delete_key(config: &KeychainConfig, label: &str) -> Result<()> {
                 "failed to read Secure Enclave handle; preserving local key material for retry: {error}"
             ),
         }),
+    };
+
+    // Clean up the keychain wrapping-key entry regardless of whether
+    // the local files were fully removed. If it fails here, log but
+    // don't propagate — a stale keychain entry without its handle is
+    // useless.
+    if let Err(error) = crate::keychain_wrap::keychain_delete(&config.app_name, label) {
+        tracing::warn!(
+            label = label,
+            "keychain_delete failed during delete_key (harmless if the handle is already gone): {error}"
+        );
     }
+
+    result
 }
 
 #[allow(unsafe_code)] // FFI call to CryptoKit Swift bridge
diff --git a/crates/enclaveapp-apple/src/keychain_wrap.rs b/crates/enclaveapp-apple/src/keychain_wrap.rs
new file mode 100644
index 0000000..23d1246
--- /dev/null
+++ b/crates/enclaveapp-apple/src/keychain_wrap.rs
@@ -0,0 +1,644 @@
+// Copyright 2024 Jay Gowdy
+// SPDX-License-Identifier: MIT
+
+//! Keychain-backed wrapping of Secure Enclave `dataRepresentation` handles.
+//!
+//! Unsigned / ad-hoc signed macOS builds cannot use SE keys via the modern
+//! `kSecAttrTokenIDSecureEnclave` path (it requires a provisioning profile
+//! that self-signed binaries cannot satisfy — AMFI kills the process). The
+//! alternative is CryptoKit's `SecureEnclave.P256.*.PrivateKey` which
+//! exposes a `dataRepresentation: Data` — an opaque handle blob that lets
+//! the same device's SE reconstruct the key.
+//!
+//! The private key itself stays inside the SE. But the handle is on disk,
+//! and any same-UID process that reads the file can use it to drive SE
+//! operations as us (sign / decrypt). That defeats the only protection
+//! the SE model offers against same-UID attackers.
+//!
+//! This module wraps the handle at rest with AES-256-GCM. The 32-byte
+//! wrapping key is stored in the macOS login keychain as a
+//! `kSecClassGenericPassword` item. The legacy keychain's access control
+//! is bound to the binary's code-signing identity:
+//!
+//! - Ad-hoc signed (`swiftc`/`rustc` default): one "Always Allow" prompt
+//!   per binary hash. After `brew upgrade` the hash changes and the user
+//!   is prompted once; subsequent runs are silent until the next upgrade.
+//! - Trusted signing identity (Apple Developer ID): transparent across
+//!   upgrades — no prompts.
+//! - Different binary at different path: always prompted, regardless of
+//!   signing.
+//!
+//! Ciphertext format on disk (replaces the old plain `dataRepresentation`):
+//!
+//! ```text
+//!   [4 bytes magic = "EHW1"] [12 bytes nonce] [ciphertext] [16 bytes tag]
+//! ```
+//!
+//! The magic is both a version marker and the backward-compat sentinel.
+//! `load_handle` tries to parse this format first; a legacy `.handle`
+//! file that doesn't start with `EHW1` is read as-is, and the caller
+//! can re-save it to migrate transparently.
+
+// aes-gcm's Nonce::from_slice still works but triggers a deprecation on
+// the transitively-pulled generic-array 0.14; the 1.x migration is
+// upstream work in aes-gcm. Silence the warning here so we don't
+// block the workspace.
+#![allow(deprecated)]
+
+use aes_gcm::aead::Aead;
+use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
+use enclaveapp_core::{Error, Result};
+use rand::TryRngCore;
+
+use crate::ffi;
+
+/// Magic bytes that identify a wrapped handle file. The "1" is a format
+/// version — if we ever change the wrapping scheme we bump it and keep
+/// the old parser for backward compat.
+pub(crate) const WRAP_MAGIC: &[u8; 4] = b"EHW1";
+
+/// 32 bytes for AES-256.
+pub(crate) const WRAP_KEY_LEN: usize = 32;
+
+/// 12 bytes — AES-GCM standard nonce size.
+pub(crate) const WRAP_NONCE_LEN: usize = 12;
+
+/// 16 bytes — AES-GCM tag size.
+pub(crate) const WRAP_TAG_LEN: usize = 16;
+
+/// Minimum valid wrapped blob: magic + nonce + empty ciphertext + tag.
+pub(crate) const WRAP_MIN_LEN: usize = WRAP_MAGIC.len() + WRAP_NONCE_LEN + WRAP_TAG_LEN;
+
+/// `true` if `bytes` starts with the wrapped-handle magic prefix.
+#[must_use]
+pub fn is_wrapped_handle(bytes: &[u8]) -> bool {
+    bytes.len() >= WRAP_MAGIC.len() && &bytes[..WRAP_MAGIC.len()] == WRAP_MAGIC
+}
+
+/// Generate a fresh 32-byte AES-256 wrapping key from the OS CSPRNG.
+#[must_use]
+pub fn generate_wrapping_key() -> [u8; WRAP_KEY_LEN] {
+    let mut key = [0_u8; WRAP_KEY_LEN];
+    rand::rngs::OsRng
+        .try_fill_bytes(&mut key)
+        .expect("OS RNG must succeed");
+    key
+}
+
+/// Encrypt a handle blob under the given wrapping key using AES-256-GCM.
+///
+/// Returns `magic || nonce || ciphertext || tag`. Empty plaintext is
+/// handled; the output is always at least `WRAP_MIN_LEN` bytes.
+pub fn encrypt_blob(wrapping_key: &[u8; WRAP_KEY_LEN], plaintext: &[u8]) -> Result<Vec<u8>> {
+    let cipher = Aes256Gcm::new_from_slice(wrapping_key).map_err(|e| Error::KeyOperation {
+        operation: "keychain_wrap_encrypt".into(),
+        detail: format!("Aes256Gcm::new: {e}"),
+    })?;
+    let mut nonce_bytes = [0_u8; WRAP_NONCE_LEN];
+    rand::rngs::OsRng
+        .try_fill_bytes(&mut nonce_bytes)
+        .map_err(|e| Error::KeyOperation {
+            operation: "keychain_wrap_encrypt".into(),
+            detail: format!("OS RNG failed: {e}"),
+        })?;
+    let nonce = Nonce::from_slice(&nonce_bytes);
+    let ct = cipher
+        .encrypt(nonce, plaintext)
+        .map_err(|e| Error::KeyOperation {
+            operation: "keychain_wrap_encrypt".into(),
+            detail: format!("AES-GCM encrypt: {e}"),
+        })?;
+
+    let mut out = Vec::with_capacity(WRAP_MAGIC.len() + nonce_bytes.len() + ct.len());
+    out.extend_from_slice(WRAP_MAGIC);
+    out.extend_from_slice(&nonce_bytes);
+    out.extend_from_slice(&ct);
+    Ok(out)
+}
+
+/// Decrypt a wrapped handle blob. Returns the original `dataRepresentation`.
+///
+/// Input must start with `WRAP_MAGIC`; call [`is_wrapped_handle`] first.
+pub fn decrypt_blob(wrapping_key: &[u8; WRAP_KEY_LEN], blob: &[u8]) -> Result<Vec<u8>> {
+    if blob.len() < WRAP_MIN_LEN {
+        return Err(Error::KeyOperation {
+            operation: "keychain_wrap_decrypt".into(),
+            detail: format!(
+                "wrapped blob too short: {} bytes, need >= {WRAP_MIN_LEN}",
+                blob.len()
+            ),
+        });
+    }
+    if !is_wrapped_handle(blob) {
+        return Err(Error::KeyOperation {
+            operation: "keychain_wrap_decrypt".into(),
+            detail: "wrapped blob missing magic prefix".into(),
+        });
+    }
+
+    let nonce_start = WRAP_MAGIC.len();
+    let ct_start = nonce_start + WRAP_NONCE_LEN;
+    let nonce = Nonce::from_slice(&blob[nonce_start..ct_start]);
+    let ct_and_tag = &blob[ct_start..];
+
+    let cipher = Aes256Gcm::new_from_slice(wrapping_key).map_err(|e| Error::KeyOperation {
+        operation: "keychain_wrap_decrypt".into(),
+        detail: format!("Aes256Gcm::new: {e}"),
+    })?;
+    cipher
+        .decrypt(nonce, ct_and_tag)
+        .map_err(|e| Error::KeyOperation {
+            operation: "keychain_wrap_decrypt".into(),
+            detail: format!("AES-GCM decrypt: {e}"),
+        })
+}
+
+/// Compose the keychain service name used for all wrapping keys of a
+/// given app. The account is the key `<label>` so every key gets its own
+/// wrapping-key entry.
+pub fn service_name_for(app_name: &str) -> String {
+    format!("com.enclaveapp.{app_name}")
+}
+
+/// Store a wrapping key in the login keychain. Replaces any existing
+/// entry for the same service+account pair.
+#[allow(unsafe_code)]
+pub fn keychain_store(
+    app_name: &str,
+    label: &str,
+    wrapping_key: &[u8; WRAP_KEY_LEN],
+) -> Result<()> {
+    let service = service_name_for(app_name);
+    let service_bytes = service.as_bytes();
+    let account_bytes = label.as_bytes();
+
+    // i32 length fields in the Swift signature. Guard against >2GB.
+    let service_len = i32::try_from(service_bytes.len()).map_err(|_| Error::KeyOperation {
+        operation: "keychain_store".into(),
+        detail: "service name too long".into(),
+    })?;
+    let account_len = i32::try_from(account_bytes.len()).map_err(|_| Error::KeyOperation {
+        operation: "keychain_store".into(),
+        detail: "account name too long".into(),
+    })?;
+    let secret_len = i32::try_from(wrapping_key.len()).map_err(|_| Error::KeyOperation {
+        operation: "keychain_store".into(),
+        detail: "secret length too long".into(),
+    })?;
+
+    let rc = unsafe {
+        ffi::enclaveapp_keychain_store(
+            service_bytes.as_ptr(),
+            service_len,
+            account_bytes.as_ptr(),
+            account_len,
+            wrapping_key.as_ptr(),
+            secret_len,
+        )
+    };
+    if rc == 0 {
+        Ok(())
+    } else {
+        Err(Error::KeyOperation {
+            operation: "keychain_store".into(),
+            detail: format!("Swift bridge returned error code {rc}"),
+        })
+    }
+}
+
+/// Load a wrapping key from the login keychain.
+///
+/// Returns `None` if no entry exists for this service+account pair. That
+/// case is distinguished from a hard error (Keychain locked, access
+/// denied) so callers can decide between migration-from-plaintext and
+/// real failure.
+#[allow(unsafe_code)]
+pub fn keychain_load(app_name: &str, label: &str) -> Result<Option<[u8; WRAP_KEY_LEN]>> {
+    let service = service_name_for(app_name);
+    let service_bytes = service.as_bytes();
+    let account_bytes = label.as_bytes();
+    let service_len = service_bytes.len() as i32;
+    let account_len = account_bytes.len() as i32;
+
+    let mut out = [0_u8; WRAP_KEY_LEN];
+    let mut out_len: i32 = out.len() as i32;
+    let rc = unsafe {
+        ffi::enclaveapp_keychain_load(
+            service_bytes.as_ptr(),
+            service_len,
+            account_bytes.as_ptr(),
+            account_len,
+            out.as_mut_ptr(),
+            &mut out_len,
+        )
+    };
+    match rc {
+        0 => {
+            if out_len as usize != WRAP_KEY_LEN {
+                return Err(Error::KeyOperation {
+                    operation: "keychain_load".into(),
+                    detail: format!(
+                        "loaded wrapping key has unexpected length {out_len}, expected {WRAP_KEY_LEN}"
+                    ),
+                });
+            }
+            Ok(Some(out))
+        }
+        12 => Ok(None), // SE_ERR_KEYCHAIN_NOT_FOUND
+        _ => Err(Error::KeyOperation {
+            operation: "keychain_load".into(),
+            detail: format!("Swift bridge returned error code {rc}"),
+        }),
+    }
+}
+
+/// Delete a wrapping-key entry from the login keychain. Idempotent —
+/// treating "not found" as success so `delete_key` can clean up stale
+/// state without racing itself.
+#[allow(unsafe_code)]
+pub fn keychain_delete(app_name: &str, label: &str) -> Result<()> {
+    let service = service_name_for(app_name);
+    let service_bytes = service.as_bytes();
+    let account_bytes = label.as_bytes();
+    let rc = unsafe {
+        ffi::enclaveapp_keychain_delete(
+            service_bytes.as_ptr(),
+            service_bytes.len() as i32,
+            account_bytes.as_ptr(),
+            account_bytes.len() as i32,
+        )
+    };
+    if rc == 0 {
+        Ok(())
+    } else {
+        Err(Error::KeyOperation {
+            operation: "keychain_delete".into(),
+            detail: format!("Swift bridge returned error code {rc}"),
+        })
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used, clippy::panic)]
+mod tests {
+    use super::*;
+
+    // ───── Magic-prefix / format sanity ─────
+
+    #[test]
+    fn magic_prefix_is_exactly_four_bytes() {
+        assert_eq!(WRAP_MAGIC.len(), 4);
+        assert_eq!(WRAP_MAGIC, b"EHW1");
+    }
+
+    #[test]
+    fn is_wrapped_handle_matches_magic() {
+        assert!(is_wrapped_handle(b"EHW1...rest-of-blob-doesnt-matter"));
+    }
+
+    #[test]
+    fn is_wrapped_handle_rejects_short_input() {
+        assert!(!is_wrapped_handle(b""));
+        assert!(!is_wrapped_handle(b"EHW"));
+    }
+
+    #[test]
+    fn is_wrapped_handle_rejects_legacy_plaintext() {
+        // A plaintext CryptoKit dataRepresentation starts with arbitrary
+        // bytes — make sure we don't misidentify one as wrapped.
+        assert!(!is_wrapped_handle(b"legacy-plaintext-blob"));
+        assert!(!is_wrapped_handle(b"\x00\x00\x00\x00other-format"));
+    }
+
+    // ───── generate_wrapping_key ─────
+
+    #[test]
+    fn generate_wrapping_key_produces_32_bytes() {
+        let key = generate_wrapping_key();
+        assert_eq!(key.len(), WRAP_KEY_LEN);
+    }
+
+    #[test]
+    fn generate_wrapping_key_is_non_trivial() {
+        let key = generate_wrapping_key();
+        // Reject all-zero or all-identical — OsRng shouldn't ever
+        // produce either, but if something went catastrophically
+        // wrong upstream the test catches it.
+        assert!(key.iter().any(|&b| b != 0));
+        assert!(key.iter().any(|&b| b != key[0]));
+    }
+
+    #[test]
+    fn generate_wrapping_key_values_differ_between_calls() {
+        let k1 = generate_wrapping_key();
+        let k2 = generate_wrapping_key();
+        assert_ne!(k1, k2);
+    }
+
+    // ───── encrypt_blob / decrypt_blob round-trip ─────
+
+    #[test]
+    fn round_trip_empty_plaintext() {
+        let key = generate_wrapping_key();
+        let blob = encrypt_blob(&key, b"").unwrap();
+        assert_eq!(blob.len(), WRAP_MIN_LEN);
+        let recovered = decrypt_blob(&key, &blob).unwrap();
+        assert_eq!(recovered, b"");
+    }
+
+    #[test]
+    fn round_trip_short_plaintext() {
+        let key = generate_wrapping_key();
+        let pt = b"hello, keychain";
+        let blob = encrypt_blob(&key, pt).unwrap();
+        let recovered = decrypt_blob(&key, &blob).unwrap();
+        assert_eq!(recovered, pt);
+    }
+
+    #[test]
+    fn round_trip_long_plaintext() {
+        let key = generate_wrapping_key();
+        // A realistic dataRepresentation is a few hundred bytes. Test
+        // both smaller and bigger to cover allocation boundaries.
+        let pt: Vec<u8> = (0..4096).map(|i| (i & 0xff) as u8).collect();
+        let blob = encrypt_blob(&key, &pt).unwrap();
+        let recovered = decrypt_blob(&key, &blob).unwrap();
+        assert_eq!(recovered, pt);
+    }
+
+    #[test]
+    fn encrypt_produces_different_ciphertexts_for_same_plaintext() {
+        // Nonce is random; two encrypts of the same plaintext under
+        // the same key must differ.
+        let key = generate_wrapping_key();
+        let pt = b"same plaintext twice";
+        let a = encrypt_blob(&key, pt).unwrap();
+        let b = encrypt_blob(&key, pt).unwrap();
+        assert_ne!(a, b);
+        // But both decrypt back to the same thing.
+        assert_eq!(decrypt_blob(&key, &a).unwrap(), pt);
+        assert_eq!(decrypt_blob(&key, &b).unwrap(), pt);
+    }
+
+    #[test]
+    fn wrap_blob_starts_with_magic() {
+        let key = generate_wrapping_key();
+        let blob = encrypt_blob(&key, b"pt").unwrap();
+        assert!(is_wrapped_handle(&blob));
+        assert_eq!(&blob[..4], WRAP_MAGIC);
+    }
+
+    // ───── Negative cases / tamper detection ─────
+
+    #[test]
+    fn decrypt_fails_on_wrong_key() {
+        let k1 = generate_wrapping_key();
+        let k2 = generate_wrapping_key();
+        let blob = encrypt_blob(&k1, b"secret").unwrap();
+        let err = decrypt_blob(&k2, &blob).unwrap_err();
+        assert!(err.to_string().contains("AES-GCM decrypt"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_tampered_ciphertext() {
+        let key = generate_wrapping_key();
+        let mut blob = encrypt_blob(&key, b"secret").unwrap();
+        // Flip a byte in the ciphertext region.
+        let ct_start = WRAP_MAGIC.len() + WRAP_NONCE_LEN;
+        blob[ct_start] ^= 0x01;
+        let err = decrypt_blob(&key, &blob).unwrap_err();
+        assert!(err.to_string().contains("AES-GCM decrypt"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_tampered_tag() {
+        let key = generate_wrapping_key();
+        let mut blob = encrypt_blob(&key, b"secret").unwrap();
+        let last = blob.len() - 1;
+        blob[last] ^= 0x01;
+        let err = decrypt_blob(&key, &blob).unwrap_err();
+        assert!(err.to_string().contains("AES-GCM decrypt"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_tampered_nonce() {
+        let key = generate_wrapping_key();
+        let mut blob = encrypt_blob(&key, b"secret").unwrap();
+        blob[WRAP_MAGIC.len()] ^= 0x01;
+        let err = decrypt_blob(&key, &blob).unwrap_err();
+        assert!(err.to_string().contains("AES-GCM decrypt"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_truncated_blob() {
+        let key = generate_wrapping_key();
+        let blob = encrypt_blob(&key, b"secret").unwrap();
+        let truncated = &blob[..WRAP_MIN_LEN - 1];
+        let err = decrypt_blob(&key, truncated).unwrap_err();
+        assert!(err.to_string().contains("too short"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_missing_magic() {
+        let key = generate_wrapping_key();
+        let mut blob = encrypt_blob(&key, b"secret").unwrap();
+        blob[0] = b'X'; // corrupt magic
+        let err = decrypt_blob(&key, &blob).unwrap_err();
+        assert!(err.to_string().contains("magic"));
+    }
+
+    #[test]
+    fn decrypt_fails_on_legacy_plaintext() {
+        // A legacy plaintext dataRepresentation (no wrap) should not
+        // accidentally decrypt — the magic check catches it before
+        // we ever invoke AES-GCM.
+        let key = generate_wrapping_key();
+        let legacy = b"this-is-a-plain-dataRepresentation-blob";
+        let err = decrypt_blob(&key, legacy).unwrap_err();
+        assert!(err.to_string().contains("magic"));
+    }
+
+    // ───── service_name_for ─────
+
+    #[test]
+    fn service_name_matches_expected_format() {
+        assert_eq!(service_name_for("sshenc"), "com.enclaveapp.sshenc");
+        assert_eq!(service_name_for("awsenc"), "com.enclaveapp.awsenc");
+    }
+
+    // ───── Real-keychain integration tests (macOS only) ─────
+    //
+    // These exercise the Swift FFI against the system login keychain.
+    // They run by default in `cargo test` on macOS. Each test uses a
+    // test-unique service+account pair so parallel test runs don't
+    // interfere with each other, and each test cleans up after itself
+    // via a drop guard so a failing test never leaves an orphaned
+    // keychain entry.
+
+    /// RAII cleanup: delete the keychain entry on drop, regardless of
+    /// whether the test succeeded. Ensures subsequent test runs see
+    /// fresh state.
+    struct KeychainEntryGuard {
+        app: String,
+        label: String,
+    }
+
+    impl KeychainEntryGuard {
+        fn new(app: &str, label: &str) -> Self {
+            Self {
+                app: app.to_string(),
+                label: label.to_string(),
+            }
+        }
+    }
+
+    impl Drop for KeychainEntryGuard {
+        fn drop(&mut self) {
+            drop(keychain_delete(&self.app, &self.label));
+        }
+    }
+
+    /// Generate a test-unique label so tests don't conflict.
+    fn unique_test_label(base: &str) -> String {
+        let pid = std::process::id();
+        let nanos = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap_or_default()
+            .as_nanos();
+        format!("{base}-{pid}-{nanos}")
+    }
+
+    const TEST_APP: &str = "enclaveapp-test";
+
+    #[test]
+    fn keychain_roundtrip_basic() {
+        let label = unique_test_label("basic");
+        let _guard = KeychainEntryGuard::new(TEST_APP, &label);
+
+        let key = generate_wrapping_key();
+        keychain_store(TEST_APP, &label, &key).unwrap();
+        let loaded = keychain_load(TEST_APP, &label).unwrap().unwrap();
+        assert_eq!(loaded, key, "loaded wrapping key must equal stored");
+    }
+
+    #[test]
+    fn keychain_load_missing_returns_none() {
+        let label = unique_test_label("missing");
+        // No guard needed — we never stored anything.
+        let loaded = keychain_load(TEST_APP, &label).unwrap();
+        assert!(loaded.is_none(), "load of absent entry must return None");
+    }
+
+    #[test]
+    fn keychain_store_is_idempotent_upsert() {
+        let label = unique_test_label("upsert");
+        let _guard = KeychainEntryGuard::new(TEST_APP, &label);
+
+        let k1 = generate_wrapping_key();
+        let k2 = generate_wrapping_key();
+        keychain_store(TEST_APP, &label, &k1).unwrap();
+        // Store again with a DIFFERENT key — should replace, not error.
+        keychain_store(TEST_APP, &label, &k2).unwrap();
+        let loaded = keychain_load(TEST_APP, &label).unwrap().unwrap();
+        assert_eq!(loaded, k2, "second store must overwrite first");
+    }
+
+    #[test]
+    fn keychain_delete_is_idempotent() {
+        let label = unique_test_label("del-idem");
+        // Delete without prior store — should succeed.
+        keychain_delete(TEST_APP, &label).unwrap();
+        // Delete again — still succeeds.
+        keychain_delete(TEST_APP, &label).unwrap();
+    }
+
+    #[test]
+    fn keychain_delete_actually_removes() {
+        let label = unique_test_label("del-real");
+        let _guard = KeychainEntryGuard::new(TEST_APP, &label);
+
+        let key = generate_wrapping_key();
+        keychain_store(TEST_APP, &label, &key).unwrap();
+        assert!(keychain_load(TEST_APP, &label).unwrap().is_some());
+        keychain_delete(TEST_APP, &label).unwrap();
+        assert!(
+            keychain_load(TEST_APP, &label).unwrap().is_none(),
+            "load after delete must return None"
+        );
+    }
+
+    #[test]
+    fn keychain_per_label_isolation() {
+        // Two labels under the same app get independent entries.
+        let label_a = unique_test_label("iso-a");
+        let label_b = unique_test_label("iso-b");
+        let _ga = KeychainEntryGuard::new(TEST_APP, &label_a);
+        let _gb = KeychainEntryGuard::new(TEST_APP, &label_b);
+
+        let ka = generate_wrapping_key();
+        let kb = generate_wrapping_key();
+        keychain_store(TEST_APP, &label_a, &ka).unwrap();
+        keychain_store(TEST_APP, &label_b, &kb).unwrap();
+        assert_eq!(keychain_load(TEST_APP, &label_a).unwrap().unwrap(), ka);
+        assert_eq!(keychain_load(TEST_APP, &label_b).unwrap().unwrap(), kb);
+        // Deleting A does not affect B.
+        keychain_delete(TEST_APP, &label_a).unwrap();
+        assert!(keychain_load(TEST_APP, &label_a).unwrap().is_none());
+        assert_eq!(keychain_load(TEST_APP, &label_b).unwrap().unwrap(), kb);
+    }
+
+    #[test]
+    fn keychain_per_app_isolation() {
+        // Same label under different app names get independent entries.
+        let label = unique_test_label("app-iso");
+        let app_x = format!("{TEST_APP}-x");
+        let app_y = format!("{TEST_APP}-y");
+        let _gx = KeychainEntryGuard::new(&app_x, &label);
+        let _gy = KeychainEntryGuard::new(&app_y, &label);
+
+        let kx = generate_wrapping_key();
+        let ky = generate_wrapping_key();
+        keychain_store(&app_x, &label, &kx).unwrap();
+        keychain_store(&app_y, &label, &ky).unwrap();
+        assert_eq!(keychain_load(&app_x, &label).unwrap().unwrap(), kx);
+        assert_eq!(keychain_load(&app_y, &label).unwrap().unwrap(), ky);
+    }
+
+    #[test]
+    fn full_wrap_unwrap_via_keychain_lifecycle() {
+        // End-to-end: generate key → keychain_store → encrypt →
+        // keychain_load → decrypt → verify plaintext round-trips.
+        let label = unique_test_label("full");
+        let _guard = KeychainEntryGuard::new(TEST_APP, &label);
+
+        let plaintext = b"simulated SE dataRepresentation blob with \x00 null \xff bytes";
+        let key = generate_wrapping_key();
+        keychain_store(TEST_APP, &label, &key).unwrap();
+        let wrapped = encrypt_blob(&key, plaintext).unwrap();
+
+        // Now the real load path: get the wrapping key back from the
+        // keychain and decrypt the blob.
+        let loaded_key = keychain_load(TEST_APP, &label).unwrap().unwrap();
+        let recovered = decrypt_blob(&loaded_key, &wrapped).unwrap();
+        assert_eq!(recovered, plaintext);
+    }
+
+    #[test]
+    fn encrypt_under_wrong_keychain_key_fails() {
+        // If someone swaps the keychain entry for a different key while
+        // the wrapped blob remains the old one, decrypt must fail —
+        // proves the keychain entry is actually load-bearing for
+        // security rather than just metadata.
+        let label = unique_test_label("wrong-key");
+        let _guard = KeychainEntryGuard::new(TEST_APP, &label);
+
+        let real_key = generate_wrapping_key();
+        let wrapped = encrypt_blob(&real_key, b"secret").unwrap();
+        let swapped_key = generate_wrapping_key();
+        keychain_store(TEST_APP, &label, &swapped_key).unwrap();
+        let loaded_key = keychain_load(TEST_APP, &label).unwrap().unwrap();
+        assert_ne!(loaded_key, real_key);
+        let err = decrypt_blob(&loaded_key, &wrapped).unwrap_err();
+        assert!(err.to_string().contains("AES-GCM decrypt"));
+    }
+}
diff --git a/crates/enclaveapp-apple/src/lib.rs b/crates/enclaveapp-apple/src/lib.rs
index 9d95754..e270ff6 100644
--- a/crates/enclaveapp-apple/src/lib.rs
+++ b/crates/enclaveapp-apple/src/lib.rs
@@ -13,6 +13,8 @@
 mod ffi;
 #[cfg(target_os = "macos")]
 mod keychain;
+#[cfg(target_os = "macos")]
+mod keychain_wrap;
 
 #[cfg(all(target_os = "macos", feature = "encryption"))]
 mod encrypt;
diff --git a/crates/enclaveapp-apple/swift/bridge.swift b/crates/enclaveapp-apple/swift/bridge.swift
index 2a2709b..32c8f5b 100644
--- a/crates/enclaveapp-apple/swift/bridge.swift
+++ b/crates/enclaveapp-apple/swift/bridge.swift
@@ -30,6 +30,10 @@ let SE_ERR_NOT_AVAILABLE: Int32 = 5
 let SE_ERR_ENCRYPT: Int32 = 6
 let SE_ERR_DECRYPT: Int32 = 7
 let SE_ERR_DELETE: Int32 = 8
+let SE_ERR_KEYCHAIN_STORE: Int32 = 9
+let SE_ERR_KEYCHAIN_LOAD: Int32 = 10
+let SE_ERR_KEYCHAIN_DELETE: Int32 = 11
+let SE_ERR_KEYCHAIN_NOT_FOUND: Int32 = 12
 
 // MARK: - ECIES format constants
 
@@ -392,3 +396,139 @@ public func enclaveapp_se_decrypt(
         return SE_ERR_DECRYPT
     }
 }
+
+// MARK: - Keychain helpers (generic-password wrapping keys)
+//
+// These helpers wrap the legacy (file-based) keychain's
+// kSecClassGenericPassword items. Rust calls them to store, load, and
+// delete the 32-byte AES wrapping key used to encrypt the SE
+// dataRepresentation before it's written to `.handle` on disk.
+//
+// DO NOT set `kSecUseDataProtectionKeychain: true` — on unsigned builds
+// (Homebrew, cargo build) the modern Data Protection keychain returns
+// errSecMissingEntitlement (-34018). The legacy keychain accepts
+// unsigned callers.
+//
+// Items are created with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`:
+// the device must be unlocked to read them, and they do NOT sync via
+// iCloud / migrate across devices.
+
+private func makeServiceData(_ service: UnsafePointer<UInt8>, _ len: Int32) -> Data {
+    return Data(bytes: service, count: Int(len))
+}
+
+private func makeAccountString(_ account: UnsafePointer<UInt8>, _ len: Int32) -> String? {
+    let bytes = Data(bytes: account, count: Int(len))
+    return String(data: bytes, encoding: .utf8)
+}
+
+private func makeServiceString(_ service: UnsafePointer<UInt8>, _ len: Int32) -> String? {
+    let bytes = Data(bytes: service, count: Int(len))
+    return String(data: bytes, encoding: .utf8)
+}
+
+/// Store (or replace) an opaque secret in the keychain as a generic
+/// password. Any existing entry with the same service+account pair is
+/// removed first, so the call is effectively an upsert.
+@_cdecl("enclaveapp_keychain_store")
+public func enclaveapp_keychain_store(
+    _ service: UnsafePointer<UInt8>, _ service_len: Int32,
+    _ account: UnsafePointer<UInt8>, _ account_len: Int32,
+    _ secret: UnsafePointer<UInt8>, _ secret_len: Int32
+) -> Int32 {
+    guard let serviceStr = makeServiceString(service, service_len) else {
+        return SE_ERR_KEYCHAIN_STORE
+    }
+    guard let accountStr = makeAccountString(account, account_len) else {
+        return SE_ERR_KEYCHAIN_STORE
+    }
+    let secretData = Data(bytes: secret, count: Int(secret_len))
+
+    // Delete any existing entry first.
+    let deleteQuery: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: serviceStr,
+        kSecAttrAccount as String: accountStr,
+    ]
+    _ = SecItemDelete(deleteQuery as CFDictionary)
+
+    let addQuery: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: serviceStr,
+        kSecAttrAccount as String: accountStr,
+        kSecValueData as String: secretData,
+        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+    ]
+    let status = SecItemAdd(addQuery as CFDictionary, nil)
+    return status == errSecSuccess ? SE_OK : SE_ERR_KEYCHAIN_STORE
+}
+
+/// Load a previously-stored secret by service+account. Returns
+/// `SE_ERR_KEYCHAIN_NOT_FOUND` if no entry exists.
+@_cdecl("enclaveapp_keychain_load")
+public func enclaveapp_keychain_load(
+    _ service: UnsafePointer<UInt8>, _ service_len: Int32,
+    _ account: UnsafePointer<UInt8>, _ account_len: Int32,
+    _ secret_out: UnsafeMutablePointer<UInt8>, _ secret_len: UnsafeMutablePointer<Int32>
+) -> Int32 {
+    guard let serviceStr = makeServiceString(service, service_len) else {
+        return SE_ERR_KEYCHAIN_LOAD
+    }
+    guard let accountStr = makeAccountString(account, account_len) else {
+        return SE_ERR_KEYCHAIN_LOAD
+    }
+
+    let query: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: serviceStr,
+        kSecAttrAccount as String: accountStr,
+        kSecReturnData as String: true,
+        kSecMatchLimit as String: kSecMatchLimitOne,
+    ]
+    var item: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &item)
+    if status == errSecItemNotFound {
+        return SE_ERR_KEYCHAIN_NOT_FOUND
+    }
+    if status != errSecSuccess {
+        return SE_ERR_KEYCHAIN_LOAD
+    }
+    guard let data = item as? Data else {
+        return SE_ERR_KEYCHAIN_LOAD
+    }
+
+    let count = Int32(data.count)
+    if secret_len.pointee < count {
+        secret_len.pointee = count
+        return SE_ERR_BUFFER_TOO_SMALL
+    }
+    data.copyBytes(to: secret_out, count: data.count)
+    secret_len.pointee = count
+    return SE_OK
+}
+
+/// Delete the generic-password entry for a service+account pair. It is
+/// not an error if the entry does not exist — the caller treats that as
+/// idempotent cleanup.
+@_cdecl("enclaveapp_keychain_delete")
+public func enclaveapp_keychain_delete(
+    _ service: UnsafePointer<UInt8>, _ service_len: Int32,
+    _ account: UnsafePointer<UInt8>, _ account_len: Int32
+) -> Int32 {
+    guard let serviceStr = makeServiceString(service, service_len) else {
+        return SE_ERR_KEYCHAIN_DELETE
+    }
+    guard let accountStr = makeAccountString(account, account_len) else {
+        return SE_ERR_KEYCHAIN_DELETE
+    }
+    let query: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: serviceStr,
+        kSecAttrAccount as String: accountStr,
+    ]
+    let status = SecItemDelete(query as CFDictionary)
+    if status == errSecSuccess || status == errSecItemNotFound {
+        return SE_OK
+    }
+    return SE_ERR_KEYCHAIN_DELETE
+}
diff --git a/fix-macos.md b/fix-macos.md
index 87a979f..18d648f 100644
--- a/fix-macos.md
+++ b/fix-macos.md
@@ -1,5 +1,15 @@
 # macOS Secure Enclave: Implementation Plan
 
+> **Status (2026-04-17):** Steps 1-6 (the unsigned / Path-2 keychain-
+> wrapping pipeline) are **implemented and tested**. Steps 7-8 (the
+> entitled / Path-1 flow) are **deferred** — they require a
+> provisioning profile which cannot be tested from an unsigned or
+> ad-hoc-signed binary. The unsigned path is sufficient for Homebrew
+> and cargo-install distribution and closes the original
+> `.handle` same-UID theft threat.
+
+
+
 ## Background
 
 Read `CLAUDE.md` section "macOS Secure Enclave: Design & Findings" for full context. This plan implements the two-tier SE backend described there.