create-ekka-desktop-app 0.2.2 → 0.3.0

package/bin/cli.js

@@ -3,70 +3,251 @@
 import { existsSync, mkdirSync, cpSync, readFileSync, writeFileSync } from 'node:fs';
 import { resolve, join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { createInterface } from 'node:readline';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const templateDir = resolve(__dirname, '..', 'template');
 
-const projectName = process.argv[2];
+// Parse command line arguments
+const args = process.argv.slice(2);
+let projectName = null;
+let configFile = null;
+let appName = null;
+let appSlug = null;
+let engineUrl = null;
+let orgPrefix = 'ai.ekka';
+
+for (let i = 0; i < args.length; i++) {
+  const arg = args[i];
+  if (arg === '--config' || arg === '-c') {
+    configFile = args[++i];
+  } else if (arg === '--name' || arg === '-n') {
+    appName = args[++i];
+  } else if (arg === '--slug' || arg === '-s') {
+    appSlug = args[++i];
+  } else if (arg === '--engine-url' || arg === '-e') {
+    engineUrl = args[++i];
+  } else if (arg === '--org' || arg === '-o') {
+    orgPrefix = args[++i];
+  } else if (arg === '--help' || arg === '-h') {
+    console.log(`
+Usage: npx create-ekka-desktop-app [project-dir] [options]
+
+Options:
+  -c, --config <file>     Use config file (skips all prompts)
+  -n, --name <name>       App display name
+  -s, --slug <slug>       App identifier (lowercase, hyphens only)
+  -e, --engine-url <url>  EKKA Engine URL (required)
+  -o, --org <prefix>      Organization prefix (default: ai.ekka)
+  -h, --help              Show this help
+
+Examples:
+  npx create-ekka-desktop-app my-app
+  npx create-ekka-desktop-app my-app --engine-url https://api.ekka.ai
+  npx create-ekka-desktop-app my-app --config ./app.config.json
+`);
+    process.exit(0);
+  } else if (!arg.startsWith('-') && !projectName) {
+    projectName = arg;
+  }
+}
+
+// Helper to prompt for input
+async function prompt(question, defaultValue = '') {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  return new Promise((resolve) => {
+    const displayDefault = defaultValue ? ` (${defaultValue})` : '';
+    rl.question(`${question}${displayDefault}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || defaultValue);
+    });
+  });
+}
 
-if (!projectName) {
-  console.error('Usage: npx create-ekka-desktop-app <project-name>');
-  process.exit(1);
+// Helper to convert to title case
+function titleCase(str) {
+  return str
+    .split('-')
+    .map(word => word.charAt(0).toUpperCase() + word.slice(1))
+    .join(' ');
 }
 
-const targetDir = resolve(process.cwd(), projectName);
+// Helper to slugify
+function slugify(str) {
+  return str
+    .toLowerCase()
+    .replace(/[^a-z0-9-]/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-|-$/g, '');
+}
 
-if (existsSync(targetDir)) {
-  console.error(`Error: Directory "${projectName}" already exists.`);
-  process.exit(1);
+// Validate slug
+function isValidSlug(slug) {
+  return /^[a-z][a-z0-9-]*$/.test(slug);
 }
 
-console.log(`Creating EKKA desktop app in ${targetDir}...`);
-
-// Copy template
-mkdirSync(targetDir, { recursive: true });
-cpSync(templateDir, targetDir, { recursive: true });
-
-// Update package.json with project name
-const pkgPath = join(targetDir, 'package.json');
-const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
-pkg.name = projectName;
-writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
-
-// Update branding/app.json with project name
-const brandingPath = join(targetDir, 'branding', 'app.json');
-const branding = JSON.parse(readFileSync(brandingPath, 'utf8'));
-// Convert project-name to "Project Name" for display
-const displayName = projectName
-  .split('-')
-  .map(word => word.charAt(0).toUpperCase() + word.slice(1))
-  .join(' ');
-// Convert project-name to ai.ekka.projectname for bundleId
-const bundleId = `ai.ekka.${projectName.replace(/-/g, '')}`;
-branding.name = displayName;
-branding.bundleId = bundleId;
-writeFileSync(brandingPath, JSON.stringify(branding, null, 2) + '\n');
-
-// Update src-tauri/Cargo.toml crate name
-const cargoPath = join(targetDir, 'src-tauri', 'Cargo.toml');
-let cargoContent = readFileSync(cargoPath, 'utf8');
-cargoContent = cargoContent.replace(/^name = ".*"$/m, `name = "${projectName}"`);
-cargoContent = cargoContent.replace(/^description = ".*"$/m, `description = "${displayName}"`);
-writeFileSync(cargoPath, cargoContent);
-
-console.log(`
-Done! To get started:
+// Main
+async function main() {
+  console.log(`
+╔══════════════════════════════════════════════════════════════╗
+║                  CREATE EKKA DESKTOP APP                     ║
+╚══════════════════════════════════════════════════════════════╝
+`);
+
+  // If config file provided, load it and skip prompts
+  let config = null;
+  if (configFile) {
+    if (!existsSync(configFile)) {
+      console.error(`Error: Config file not found: ${configFile}`);
+      process.exit(1);
+    }
+    try {
+      config = JSON.parse(readFileSync(configFile, 'utf8'));
+      console.log(`Using config from: ${configFile}\n`);
+    } catch (e) {
+      console.error(`Error: Invalid JSON in config file: ${e.message}`);
+      process.exit(1);
+    }
+  }
+
+  // Get project directory
+  if (!projectName) {
+    projectName = await prompt('Project directory', 'my-ekka-app');
+  }
+
+  const targetDir = resolve(process.cwd(), projectName);
+
+  if (existsSync(targetDir)) {
+    console.error(`\nError: Directory "${projectName}" already exists.`);
+    process.exit(1);
+  }
+
+  // Build config from flags, prompts, or config file
+  if (!config) {
+    // Get app name
+    if (!appName) {
+      appName = await prompt('App display name', titleCase(projectName));
+    }
+
+    // Get app slug
+    if (!appSlug) {
+      const defaultSlug = slugify(projectName);
+      appSlug = await prompt('App identifier (lowercase, hyphens)', defaultSlug);
+      while (!isValidSlug(appSlug)) {
+        console.log('  ⚠ Must be lowercase letters, numbers, and hyphens only');
+        appSlug = await prompt('App identifier (lowercase, hyphens)', defaultSlug);
+      }
+    }
+
+    // Get engine URL
+    if (!engineUrl) {
+      engineUrl = await prompt('EKKA Engine URL', 'https://api.ekka.ai');
+    }
+
+    // Get org prefix (only prompt if not all values provided via flags)
+    if (orgPrefix === 'ai.ekka' && !process.argv.includes('--engine-url') && !process.argv.includes('-e')) {
+      const customOrg = await prompt('Organization prefix', 'ai.ekka');
+      if (customOrg) orgPrefix = customOrg;
+    }
+
+    config = {
+      app: {
+        name: appName,
+        slug: appSlug,
+        identifier: `${orgPrefix}.${appSlug.replace(/-/g, '')}`
+      },
+      storage: {
+        homeFolderName: `.${appSlug}`,
+        keychainService: `${orgPrefix}.${appSlug.replace(/-/g, '')}`
+      },
+      engine: {
+        url: engineUrl
+      }
+    };
+  }
+
+  // Validate config
+  if (!config.app?.slug) {
+    console.error('\nError: app.slug is required in config');
+    process.exit(1);
+  }
+  if (!config.engine?.url) {
+    console.error('\nError: engine.url is required in config');
+    process.exit(1);
+  }
+
+  // Derive missing values
+  config.app.name = config.app.name || titleCase(config.app.slug);
+  config.app.identifier = config.app.identifier || `ai.ekka.${config.app.slug.replace(/-/g, '')}`;
+  config.storage = config.storage || {};
+  config.storage.homeFolderName = config.storage.homeFolderName || `.${config.app.slug}`;
+  config.storage.keychainService = config.storage.keychainService || config.app.identifier;
+
+  console.log(`
+Creating EKKA desktop app in ${targetDir}...
+
+  App Name:     ${config.app.name}
+  App Slug:     ${config.app.slug}
+  Identifier:   ${config.app.identifier}
+  Home Folder:  ~/${config.storage.homeFolderName}
+  Engine URL:   ${config.engine.url}
+`);
+
+  // Copy template
+  mkdirSync(targetDir, { recursive: true });
+  cpSync(templateDir, targetDir, { recursive: true });
+
+  // Write app.config.json
+  const appConfigPath = join(targetDir, 'app.config.json');
+  writeFileSync(appConfigPath, JSON.stringify(config, null, 2) + '\n');
+
+  // Update package.json with project name
+  const pkgPath = join(targetDir, 'package.json');
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  pkg.name = config.app.slug;
+  writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+
+  // Update branding/app.json
+  const brandingPath = join(targetDir, 'branding', 'app.json');
+  const branding = JSON.parse(readFileSync(brandingPath, 'utf8'));
+  branding.name = config.app.name;
+  branding.bundleId = config.app.identifier;
+  writeFileSync(brandingPath, JSON.stringify(branding, null, 2) + '\n');
+
+  // Update src-tauri/Cargo.toml crate name
+  const cargoPath = join(targetDir, 'src-tauri', 'Cargo.toml');
+  let cargoContent = readFileSync(cargoPath, 'utf8');
+  cargoContent = cargoContent.replace(/^name = ".*"$/m, `name = "${config.app.slug}"`);
+  cargoContent = cargoContent.replace(/^description = ".*"$/m, `description = "${config.app.name}"`);
+  writeFileSync(cargoPath, cargoContent);
+
+  // Update src-tauri/tauri.conf.json identifier
+  const tauriConfPath = join(targetDir, 'src-tauri', 'tauri.conf.json');
+  const tauriConf = JSON.parse(readFileSync(tauriConfPath, 'utf8'));
+  tauriConf.identifier = config.app.identifier;
+  writeFileSync(tauriConfPath, JSON.stringify(tauriConf, null, 2) + '\n');
+
+  console.log(`
+╔══════════════════════════════════════════════════════════════╗
+║  SUCCESS! Your app is ready.                                 ║
+╚══════════════════════════════════════════════════════════════╝
+
+To get started:
 
   cd ${projectName}
   npm install
+  npm run tauri:dev
 
-Development:
-  npm start            # Web (browser)
-  npm run tauri:dev    # Desktop (native window)
+Configuration:
+  Edit app.config.json to change app identity or engine URL.
 
 Build:
-  npm run tauri:build  # Create distributable app
-
-Edit src/app/App.tsx to build your UI.
-Delete src/demo/ when ready.
+  npm run tauri:build
 `);
+}
+
+main().catch(console.error);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/app.config.json

@@ -0,0 +1,14 @@
+{
+  "app": {
+    "name": "EKKA Desktop",
+    "slug": "ekka-desktop",
+    "identifier": "ai.ekka.desktop"
+  },
+  "storage": {
+    "homeFolderName": ".ekka-desktop",
+    "keychainService": "ai.ekka.desktop"
+  },
+  "engine": {
+    "url": ""
+  }
+}

package/template/src-tauri/Cargo.toml

@@ -10,6 +10,7 @@ edition = "2021"
 
 [build-dependencies]
 tauri-build = { version = "2", features = [] }
+serde_json = "1"
 
 [dependencies]
 tauri = { version = "2", features = [] }

package/template/src-tauri/build.rs

@@ -1,3 +1,81 @@
+use std::fs;
+
 fn main() {
+    // Rerun if config changes
+    println!("cargo:rerun-if-changed=../app.config.json");
+
+    // 1. Read app.config.json
+    let config_path = "../app.config.json";
+    let config_str = fs::read_to_string(config_path).unwrap_or_else(|_| {
+        panic!(
+            "\n\n\
+            ╔══════════════════════════════════════════════════════════════════╗\n\
+            ║  BUILD ERROR: app.config.json not found                          ║\n\
+            ╠══════════════════════════════════════════════════════════════════╣\n\
+            ║  This file is required and should have been created by CDA.      ║\n\
+            ║  Regenerate your app with:                                       ║\n\
+            ║                                                                  ║\n\
+            ║    npx create-ekka-desktop-app@latest my-app                     ║\n\
+            ║                                                                  ║\n\
+            ╚══════════════════════════════════════════════════════════════════╝\n\n"
+        )
+    });
+
+    let config: serde_json::Value = serde_json::from_str(&config_str).unwrap_or_else(|e| {
+        panic!("\n\nBUILD ERROR: Invalid app.config.json: {}\n\n", e)
+    });
+
+    // 2. Extract and validate required fields
+    let app = config.get("app").expect("app.config.json missing 'app' section");
+    let storage = config.get("storage").expect("app.config.json missing 'storage' section");
+    let engine = config.get("engine").expect("app.config.json missing 'engine' section");
+
+    let app_name = app.get("name").and_then(|v| v.as_str())
+        .expect("app.config.json: app.name is required");
+    let app_slug = app.get("slug").and_then(|v| v.as_str())
+        .expect("app.config.json: app.slug is required");
+    let app_identifier = app.get("identifier").and_then(|v| v.as_str())
+        .expect("app.config.json: app.identifier is required");
+
+    let home_folder = storage.get("homeFolderName").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.homeFolderName is required");
+    let keychain_service = storage.get("keychainService").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.keychainService is required");
+
+    let engine_url = engine.get("url").and_then(|v| v.as_str())
+        .expect("app.config.json: engine.url is required");
+
+    // 3. Validate non-empty
+    if app_slug.is_empty() {
+        panic!("\n\nBUILD ERROR: app.slug cannot be empty in app.config.json\n\n");
+    }
+    if home_folder.is_empty() {
+        panic!("\n\nBUILD ERROR: storage.homeFolderName cannot be empty in app.config.json\n\n");
+    }
+    if engine_url.is_empty() {
+        panic!(
+            "\n\n\
+            ╔══════════════════════════════════════════════════════════════════╗\n\
+            ║  BUILD ERROR: engine.url is empty in app.config.json             ║\n\
+            ╠══════════════════════════════════════════════════════════════════╣\n\
+            ║  Set your EKKA Engine URL in app.config.json:                    ║\n\
+            ║                                                                  ║\n\
+            ║    \"engine\": {{                                                  ║\n\
+            ║      \"url\": \"https://api.ekka.ai\"                               ║\n\
+            ║    }}                                                             ║\n\
+            ║                                                                  ║\n\
+            ╚══════════════════════════════════════════════════════════════════╝\n\n"
+        );
+    }
+
+    // 4. Bake values into binary at compile time
+    println!("cargo:rustc-env=EKKA_APP_NAME={}", app_name);
+    println!("cargo:rustc-env=EKKA_APP_SLUG={}", app_slug);
+    println!("cargo:rustc-env=EKKA_APP_IDENTIFIER={}", app_identifier);
+    println!("cargo:rustc-env=EKKA_HOME_FOLDER={}", home_folder);
+    println!("cargo:rustc-env=EKKA_KEYCHAIN_SERVICE={}", keychain_service);
+    println!("cargo:rustc-env=EKKA_ENGINE_URL={}", engine_url);
+
+    // Continue with tauri build
     tauri_build::build()
 }

package/template/src-tauri/src/bootstrap.rs

@@ -2,19 +2,20 @@
 //!
 //! Handles initialization and resolution of the EKKA home directory.
 
+use crate::config;
 use ekka_sdk_core::ekka_home_bootstrap::{BootstrapConfig, EpochSource, HomeBootstrap, HomeStrategy};
 use std::path::PathBuf;
 
-/// Standard bootstrap configuration for EKKA Desktop
+/// Standard bootstrap configuration - all values from app.config.json (baked at build time)
 pub fn bootstrap_config() -> BootstrapConfig {
     BootstrapConfig {
-        app_name: "ekka-desktop".to_string(),
-        default_folder_name: ".ekka-desktop".to_string(),
+        app_name: config::app_name().to_string(),
+        default_folder_name: config::home_folder().to_string(),
         home_strategy: HomeStrategy::DataHome {
             env_var: "EKKA_DATA_HOME".to_string(),
         },
         marker_filename: ".ekka-marker.json".to_string(),
-        keychain_service: "ai.ekka.desktop".to_string(),
+        keychain_service: config::keychain_service().to_string(),
         subdirs: vec!["vault".to_string(), "db".to_string(), "tmp".to_string()],
         epoch_source: EpochSource::EnvVar("EKKA_SECURITY_EPOCH".to_string()),
         storage_layout_version: "v1".to_string(),

package/template/src-tauri/src/commands.rs

@@ -3,6 +3,7 @@
 //! Entry points for TypeScript → Rust communication.
 
 use crate::bootstrap::initialize_home;
+use crate::config;
 use crate::engine_process;
 use crate::grants::require_home_granted;
 use crate::handlers;
@@ -455,9 +456,10 @@ fn handle_node_credentials_clear() -> EngineResponse {
 fn handle_runner_task_stats(state: &EngineState) -> EngineResponse {
     use crate::state::NodeAuthState;
 
-    // Get engine URL (needed for both auth and stats request)
-    let engine_url = std::env::var("EKKA_ENGINE_URL")
-        .unwrap_or_else(|_| "https://api.ekka.ai".to_string());
+    // Get engine URL (baked at build time)
+    let engine_url = option_env!("EKKA_ENGINE_URL")
+        .unwrap_or("https://api.ekka.ai")
+        .to_string();
 
     // Get node auth token for Authorization header
     let node_token = match state.get_node_auth_token() {
@@ -540,7 +542,7 @@ fn handle_runner_task_stats(state: &EngineState) -> EngineResponse {
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "engine.runner_tasks")
         .header("X-EKKA-ACTION", "stats")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .send();
 
@@ -819,8 +821,9 @@ fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> Engine
     if start_runner {
         // Build runner config from node auth token
         let runner_config = node_auth::NodeSessionRunnerConfig {
-            engine_url: std::env::var("EKKA_ENGINE_URL")
-                .or_else(|_| std::env::var("ENGINE_URL"))
+            engine_url: option_env!("EKKA_ENGINE_URL")
+                .map(|s| s.to_string())
+                .or_else(|| std::env::var("ENGINE_URL").ok())
                 .unwrap_or_default(),
             node_url: std::env::var("NODE_URL").unwrap_or_else(|_| "http://127.0.0.1:7777".to_string()),
             session_token: node_token.token.clone(),
@@ -900,7 +903,7 @@ fn build_security_headers(jwt: Option<&str>, module: &str, action: &str) -> Vec<
         ("X-EKKA-PROOF-TYPE".to_string(), if jwt.is_some() { "jwt" } else { "none" }.to_string()),
         ("X-EKKA-MODULE".to_string(), module.to_string()),
         ("X-EKKA-ACTION".to_string(), action.to_string()),
-        ("X-EKKA-CLIENT".to_string(), "ekka-desktop".to_string()),
+        ("X-EKKA-CLIENT".to_string(), config::app_slug().to_string()),
         ("X-EKKA-CLIENT-VERSION".to_string(), "0.2.0".to_string()),
     ];
 
@@ -913,8 +916,9 @@ fn build_security_headers(jwt: Option<&str>, module: &str, action: &str) -> Vec<
 
 /// Create a workflow run (POST /engine/workflow-runs)
 fn handle_workflow_runs_create(payload: &Value) -> EngineResponse {
-    let engine_url = std::env::var("EKKA_ENGINE_URL")
-        .unwrap_or_else(|_| "http://localhost:3200".to_string());
+    let engine_url = option_env!("EKKA_ENGINE_URL")
+        .unwrap_or("http://localhost:3200")
+        .to_string();
 
     // Extract request body
     let request = match payload.get("request") {
@@ -974,8 +978,9 @@ fn handle_workflow_runs_create(payload: &Value) -> EngineResponse {
 
 /// Get a workflow run (GET /engine/workflow-runs/{id})
 fn handle_workflow_runs_get(payload: &Value) -> EngineResponse {
-    let engine_url = std::env::var("EKKA_ENGINE_URL")
-        .unwrap_or_else(|_| "http://localhost:3200".to_string());
+    let engine_url = option_env!("EKKA_ENGINE_URL")
+        .unwrap_or("http://localhost:3200")
+        .to_string();
 
     // Extract workflow run ID
     let id = match payload.get("id").and_then(|v| v.as_str()) {

package/template/src-tauri/src/config.rs

@@ -0,0 +1,35 @@
+//! Compile-time app configuration
+//!
+//! All values are baked at build time from app.config.json.
+//! ZERO runtime configuration or hardcoding.
+
+#![allow(dead_code)] // Not all config values are used yet
+
+macro_rules! baked_config {
+    ($name:ident, $env:literal) => {
+        pub fn $name() -> &'static str {
+            option_env!($env).expect(concat!(
+                $env,
+                " not baked at build time. Check build.rs and app.config.json"
+            ))
+        }
+    };
+}
+
+// App display name (e.g., "EKKA Studio")
+baked_config!(app_name, "EKKA_APP_NAME");
+
+// App slug for machine use (e.g., "ekka-studio")
+baked_config!(app_slug, "EKKA_APP_SLUG");
+
+// App identifier for OS (e.g., "ai.ekka.studio")
+baked_config!(app_identifier, "EKKA_APP_IDENTIFIER");
+
+// Home folder name (e.g., ".ekka-studio")
+baked_config!(home_folder, "EKKA_HOME_FOLDER");
+
+// Keychain service identifier (e.g., "ai.ekka.studio")
+baked_config!(keychain_service, "EKKA_KEYCHAIN_SERVICE");
+
+// EKKA Engine URL (e.g., "https://api.ekka.ai")
+baked_config!(engine_url, "EKKA_ENGINE_URL");

package/template/src-tauri/src/engine_process.rs

@@ -46,9 +46,9 @@ fn build_engine_env() -> Result<Vec<(&'static str, String)>, &'static str> {
     // EKKA_RUNNER_MODE=engine (always set)
     env.push(("EKKA_RUNNER_MODE", "engine".to_string()));
 
-    // EKKA_ENGINE_URL - pass through from process env or use default
-    if let Ok(url) = std::env::var("EKKA_ENGINE_URL") {
-        env.push(("EKKA_ENGINE_URL", url));
+    // EKKA_ENGINE_URL - baked at build time
+    if let Some(url) = option_env!("EKKA_ENGINE_URL") {
+        env.push(("EKKA_ENGINE_URL", url.to_string()));
     }
 
     // EKKA_INTERNAL_SERVICE_KEY - required for engine mode

package/template/src-tauri/src/main.rs

@@ -7,6 +7,7 @@
 
 mod bootstrap;
 mod commands;
+mod config;
 mod device_secret;
 mod engine_process;
 mod grants;
@@ -74,6 +75,14 @@ fn main() {
                 "Required security env vars"
             );
 
+            // Log build-time baked engine URL presence (not the URL itself)
+            let engine_url_baked = option_env!("EKKA_ENGINE_URL").is_some();
+            tracing::info!(
+                op = "desktop.engine_url.baked",
+                present = engine_url_baked,
+                "EKKA_ENGINE_URL baked at build time"
+            );
+
             // Check for stored node credentials (vault-backed)
             let has_creds = node_credentials::has_credentials();
 
@@ -112,13 +121,14 @@ fn main() {
                 }
 
                 // Authenticate node with server before spawning engine
-                let engine_url = match std::env::var("EKKA_ENGINE_URL") {
-                    Ok(url) => url,
-                    Err(_) => {
+                // EKKA_ENGINE_URL is baked at build time via build.rs
+                let engine_url = match option_env!("EKKA_ENGINE_URL") {
+                    Some(url) => url.to_string(),
+                    None => {
                         tracing::warn!(
                             op = "desktop.engine.start.blocked",
                             reason = "missing_engine_url",
-                            "Engine start blocked - EKKA_ENGINE_URL not set"
+                            "Engine start blocked - EKKA_ENGINE_URL not baked at build time"
                         );
                         return;
                     }

package/template/src-tauri/src/node_auth.rs

@@ -17,6 +17,7 @@
 
 #![allow(dead_code)] // API types may not all be used yet
 
+use crate::config;
 use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
 use chrono::{DateTime, Utc};
 use ed25519_dalek::{Signature, Signer, SigningKey, VerifyingKey};
@@ -240,7 +241,8 @@ pub fn get_private_key_vault_path(node_id: &Uuid) -> PathBuf {
 fn derive_node_encryption_key(node_id: &Uuid, device_fingerprint: Option<&str>) -> KeyMaterial {
     // Use node_id + device fingerprint for key derivation
     // This binds the key to this specific node on this device
-    let device_secret = device_fingerprint.unwrap_or("ekka-desktop-default-device");
+    let default_device = format!("{}-default-device", config::app_slug());
+    let device_secret = device_fingerprint.unwrap_or(&default_device);
 
     derive_key(
         device_secret,
@@ -386,7 +388,7 @@ pub fn register_node(
         "node_id": node_id.to_string(),
         "public_key_b64": public_key_b64,
         "default_workspace_id": default_workspace_id,
-        "display_name": "ekka-desktop",
+        "display_name": config::app_name(),
         "node_type": "desktop"
     });
 
@@ -403,7 +405,7 @@ pub fn register_node(
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "register")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&body)
         .send()
@@ -459,7 +461,7 @@ pub fn get_challenge(engine_url: &str, node_id: &Uuid) -> Result<ChallengeRespon
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "challenge")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&serde_json::json!({ "node_id": node_id.to_string() }))
         .send()
@@ -503,7 +505,7 @@ pub fn create_session(
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "session")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&serde_json::json!({
             "node_id": node_id.to_string(),
@@ -770,9 +772,11 @@ pub struct NodeSessionRunnerConfig {
 
 impl NodeSessionRunnerConfig {
     pub fn from_session(session: &NodeSession, node_id: Uuid) -> Result<Self, String> {
-        let engine_url = std::env::var("ENGINE_URL")
-            .or_else(|_| std::env::var("EKKA_ENGINE_URL"))
-            .map_err(|_| "ENGINE_URL or EKKA_ENGINE_URL required")?;
+        // EKKA_ENGINE_URL baked at build time, ENGINE_URL as runtime fallback
+        let engine_url = option_env!("EKKA_ENGINE_URL")
+            .map(|s| s.to_string())
+            .or_else(|| std::env::var("ENGINE_URL").ok())
+            .ok_or("EKKA_ENGINE_URL not baked at build time and ENGINE_URL not set")?;
 
         let node_url = std::env::var("NODE_URL").unwrap_or_else(|_| "http://127.0.0.1:7777".to_string());
 
@@ -796,7 +800,7 @@ impl NodeSessionRunnerConfig {
             ("X-REQUEST-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-MODULE", "engine.runner_tasks".to_string()),
-            ("X-EKKA-CLIENT", "ekka-desktop".to_string()),
+            ("X-EKKA-CLIENT", config::app_slug().to_string()),
             ("X-EKKA-CLIENT-VERSION", "0.2.0".to_string()),
             ("X-EKKA-NODE-ID", self.node_id.to_string()),
         ]

package/template/src-tauri/src/node_credentials.rs

@@ -11,6 +11,7 @@
 //! - No OS keychain prompts
 
 use crate::bootstrap::{initialize_home, resolve_home_path};
+use crate::config;
 use crate::node_vault_store::{
     delete_node_secret, has_node_secret, read_node_secret, write_node_secret,
     SECRET_ID_NODE_CREDENTIALS,
@@ -394,7 +395,7 @@ pub fn authenticate_node(engine_url: &str) -> Result<NodeAuthToken, CredentialsE
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "authenticate")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&body)
         .send()

package/template/src-tauri/src/node_runner.rs

@@ -17,6 +17,7 @@
 
 #![allow(dead_code)] // API types and fields may not all be used yet
 
+use crate::config;
 use crate::node_auth::{
     refresh_node_session, NodeSession, NodeSessionHolder, NodeSessionRunnerConfig,
 };
@@ -236,7 +237,7 @@ impl NodeSessionRunner {
             ("X-REQUEST-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-MODULE", "engine.runner_tasks".to_string()),
-            ("X-EKKA-CLIENT", "ekka-desktop".to_string()),
+            ("X-EKKA-CLIENT", config::app_slug().to_string()),
             ("X-EKKA-CLIENT-VERSION", "0.2.0".to_string()),
             ("X-EKKA-NODE-ID", self.node_id.to_string()),
         ])
@@ -700,7 +701,7 @@ impl NodeSessionRunnerHeartbeat {
             .header("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string())
             .header("X-EKKA-MODULE", "engine.runner_tasks")
             .header("X-EKKA-ACTION", "heartbeat")
-            .header("X-EKKA-CLIENT", "ekka-desktop")
+            .header("X-EKKA-CLIENT", config::app_slug())
             .header("X-EKKA-CLIENT-VERSION", "0.2.0")
             .header("X-EKKA-NODE-ID", self.node_id.to_string())
             .json(&serde_json::json!({ "runner_id": self.runner_id }))

package/template/src-tauri/src/ops/home.rs

@@ -80,13 +80,13 @@ pub fn handle_grant(state: &EngineState) -> EngineResponse {
         None => return EngineResponse::err("MARKER_INVALID", "Marker missing instance_id"),
     };
 
-    // 4. Get engine URL
-    let engine_url = match std::env::var("EKKA_ENGINE_URL") {
-        Ok(u) => u,
-        Err(_) => {
+    // 4. Get engine URL (baked at build time)
+    let engine_url = match option_env!("EKKA_ENGINE_URL") {
+        Some(u) => u,
+        None => {
             return EngineResponse::err(
                 "ENGINE_NOT_CONFIGURED",
-                "EKKA_ENGINE_URL not set. HOME grant requires online engine.",
+                "EKKA_ENGINE_URL not baked at build time. Rebuild with EKKA_ENGINE_URL set.",
             )
         }
     };

package/template/src-tauri/src/state.rs

@@ -179,7 +179,7 @@ impl Default for RunnerStatus {
             enabled: false,
             state: RunnerLoopState::Stopped,
             runner_id: None,
-            engine_url: std::env::var("EKKA_ENGINE_URL").ok(),
+            engine_url: option_env!("EKKA_ENGINE_URL").map(|s| s.to_string()),
             last_poll_at: None,
             last_claim_at: None,
             last_complete_at: None,
@@ -259,9 +259,10 @@ impl RunnerState {
             s.enabled = true;
             s.state = RunnerLoopState::Running;
             s.runner_id = Some(runner_id.to_string());
-            s.engine_url = std::env::var("EKKA_ENGINE_URL")
-                .or_else(|_| std::env::var("ENGINE_URL"))
-                .ok();
+            // EKKA_ENGINE_URL baked at build time, ENGINE_URL as runtime fallback
+            s.engine_url = option_env!("EKKA_ENGINE_URL")
+                .map(|s| s.to_string())
+                .or_else(|| std::env::var("ENGINE_URL").ok());
             s.last_error = None;
         });
     }
@@ -511,11 +512,11 @@ impl GrantIssuer for EngineHttpGrantIssuer {
             EkkaError::new(ops::codes::NOT_AUTHENTICATED, "Must login before requesting grant")
         })?;
 
-        // Get engine URL
-        let engine_url = std::env::var("EKKA_ENGINE_URL").map_err(|_| {
+        // Get engine URL (baked at build time)
+        let engine_url = option_env!("EKKA_ENGINE_URL").ok_or_else(|| {
             EkkaError::new(
                 ops::codes::ENGINE_ERROR,
-                "EKKA_ENGINE_URL not set. Grant requires online engine.",
+                "EKKA_ENGINE_URL not baked at build time. Rebuild with EKKA_ENGINE_URL set.",
             )
         })?;
 
@@ -613,10 +614,10 @@ impl GrantIssuer for EngineHttpGrantIssuer {
             EkkaError::new(ops::codes::NOT_AUTHENTICATED, "Must login to revoke grant")
         })?;
 
-        // Get engine URL (optional - revoke is best effort)
-        let engine_url = match std::env::var("EKKA_ENGINE_URL") {
-            Ok(url) => url,
-            Err(_) => return Ok(()), // No engine, just return success
+        // Get engine URL (baked at build time, optional - revoke is best effort)
+        let engine_url = match option_env!("EKKA_ENGINE_URL") {
+            Some(url) => url,
+            None => return Ok(()), // No engine baked, just return success
         };
 
         // Make revoke request (best effort)