create-ekka-desktop-app 0.2.2

package/template/src-tauri/src/grants.rs

@@ -0,0 +1,129 @@
+//! Grant validation
+//!
+//! Handles verification of HOME grants and home status checks.
+
+use crate::bootstrap::resolve_home_path;
+use crate::state::{AuthContext, EngineState, HomeState};
+use crate::types::EngineResponse;
+use ekka_sdk_core::ekka_path_guard::GrantStore;
+use std::path::PathBuf;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+/// Check if a valid HOME grant exists for the given auth context
+pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext) -> Result<bool, String> {
+    let grants_path = home_path.join("grants.json");
+
+    // No grants file = no grant
+    if !grants_path.exists() {
+        return Ok(false);
+    }
+
+    // Load engine verify key
+    let key_b64 = match std::env::var("ENGINE_GRANT_VERIFY_KEY_B64") {
+        Ok(k) => k,
+        Err(_) => return Err("ENGINE_GRANT_VERIFY_KEY_B64 not set".to_string()),
+    };
+
+    // Load and verify grants
+    let store = GrantStore::new(grants_path, &key_b64).map_err(|e| e.to_string())?;
+    let grants = store.grants();
+
+    // Check for valid HOME grant matching auth context
+    let now = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs() as i64;
+
+    for grant in grants {
+        // Check if this is a HOME grant (covers home_path)
+        let home_str = home_path.to_string_lossy();
+        if !home_str.starts_with(grant.path_prefix()) && grant.path_prefix() != home_str {
+            continue;
+        }
+
+        // Check tenant_id matches
+        if grant.tenant_id() != auth.tenant_id {
+            continue;
+        }
+
+        // Check sub matches
+        if grant.subject() != auth.sub {
+            continue;
+        }
+
+        // Check not expired
+        if grant.expires_at() < now {
+            continue;
+        }
+
+        // Valid HOME grant found
+        return Ok(true);
+    }
+
+    Ok(false)
+}
+
+/// Get current home status including state, path, and grant presence
+pub fn get_home_status(state: &EngineState) -> (HomeState, PathBuf, bool, Option<String>) {
+    // Resolve home path
+    let home_path = match resolve_home_path() {
+        Ok(p) => p,
+        Err(e) => {
+            return (
+                HomeState::BootstrapPreLogin,
+                PathBuf::new(),
+                false,
+                Some(format!("Failed to resolve home path: {}", e)),
+            );
+        }
+    };
+
+    // Store home path
+    if let Ok(mut hp) = state.home_path.lock() {
+        *hp = Some(home_path.clone());
+    }
+
+    // Check auth
+    let auth = match state.auth.lock() {
+        Ok(guard) => guard.clone(),
+        Err(_) => {
+            return (
+                HomeState::BootstrapPreLogin,
+                home_path,
+                false,
+                Some("Lock error".to_string()),
+            )
+        }
+    };
+
+    let auth = match auth {
+        Some(a) => a,
+        None => return (HomeState::BootstrapPreLogin, home_path, false, None),
+    };
+
+    // Check for valid HOME grant
+    match check_home_grant(&home_path, &auth) {
+        Ok(true) => (HomeState::HomeGranted, home_path, true, None),
+        Ok(false) => (
+            HomeState::AuthenticatedNoHomeGrant,
+            home_path,
+            false,
+            Some("No valid HOME grant found".to_string()),
+        ),
+        Err(e) => (HomeState::AuthenticatedNoHomeGrant, home_path, false, Some(e)),
+    }
+}
+
+/// Guard function: returns error response if HOME grant is not present
+pub fn require_home_granted(state: &EngineState) -> Result<(), EngineResponse> {
+    let (home_state, _, _, reason) = get_home_status(state);
+
+    if home_state != HomeState::HomeGranted {
+        return Err(EngineResponse::err(
+            "HOME_GRANT_REQUIRED",
+            &reason.unwrap_or_else(|| "HOME grant required before this operation".to_string()),
+        ));
+    }
+
+    Ok(())
+}

package/template/src-tauri/src/handlers/home.rs

@@ -0,0 +1,65 @@
+//! Home operation handlers
+//!
+//! Thin wrappers that call SDK operations.
+
+use crate::state::{EngineHttpGrantIssuer, EngineState};
+use crate::types::EngineResponse;
+use ekka_sdk_core::ekka_ops::home;
+use serde_json::json;
+
+/// Handle home.status operation
+pub fn handle_status(state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => {
+            // No context yet - return pre-login state
+            let home_path = state
+                .home_path
+                .lock()
+                .ok()
+                .and_then(|p| p.clone())
+                .map(|p| p.to_string_lossy().to_string())
+                .unwrap_or_default();
+
+            return EngineResponse::ok(json!({
+                "state": "BOOTSTRAP_PRE_LOGIN",
+                "homePath": home_path,
+                "grantPresent": false,
+                "reason": null,
+            }));
+        }
+    };
+
+    let status = home::status(&ctx);
+
+    EngineResponse::ok(json!({
+        "state": status.state,
+        "homePath": status.home_path,
+        "grantPresent": status.grant_present,
+        "reason": status.reason,
+    }))
+}
+
+/// Handle home.grant operation
+pub fn handle_grant(state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    // Check auth
+    if ctx.auth.is_none() {
+        return EngineResponse::err("NOT_AUTHENTICATED", "Must call auth.set before home.grant");
+    }
+
+    let issuer = EngineHttpGrantIssuer::new();
+
+    match home::grant(&ctx, &issuer) {
+        Ok(result) => EngineResponse::ok(json!({
+            "success": result.success,
+            "grant_id": result.grant_id,
+            "expires_at": result.expires_at,
+        })),
+        Err(e) => EngineResponse::err(e.code, &e.message),
+    }
+}

package/template/src-tauri/src/handlers/mod.rs

@@ -0,0 +1,7 @@
+//! Thin handlers for SDK operations
+//!
+//! Each handler converts EngineState to RuntimeContext, calls SDK, converts result.
+
+pub mod home;
+pub mod paths;
+pub mod vault;

package/template/src-tauri/src/handlers/paths.rs

@@ -0,0 +1,128 @@
+//! Path operation handlers
+//!
+//! Thin wrappers that call SDK operations.
+
+use crate::state::{EngineHttpGrantIssuer, EngineState};
+use crate::types::EngineResponse;
+use ekka_sdk_core::ekka_ops::{paths, PathAccess, PathType};
+use serde_json::{json, Value};
+use std::path::Path;
+
+/// Handle paths.check operation
+pub fn handle_check(payload: &Value, state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    let path = match payload.get("path").and_then(|v| v.as_str()) {
+        Some(p) => p,
+        None => return EngineResponse::err("INVALID_PAYLOAD", "Missing 'path'"),
+    };
+
+    let operation = payload
+        .get("operation")
+        .and_then(|v| v.as_str())
+        .unwrap_or("read");
+
+    let result = paths::check_detailed(&ctx, Path::new(path), operation);
+
+    EngineResponse::ok(json!({
+        "allowed": result.allowed,
+        "reason": result.reason,
+        "pathType": result.path_type,
+        "access": result.access,
+    }))
+}
+
+/// Handle paths.list operation
+pub fn handle_list(payload: &Value, state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    let path_type: Option<PathType> = payload
+        .get("pathType")
+        .and_then(|v| v.as_str())
+        .and_then(|s| serde_json::from_str(&format!("\"{}\"", s)).ok());
+
+    match paths::list(&ctx, path_type) {
+        Ok(paths_list) => EngineResponse::ok(json!({ "paths": paths_list })),
+        Err(e) => EngineResponse::err(e.code, &e.message),
+    }
+}
+
+/// Handle paths.get operation
+pub fn handle_get(payload: &Value, state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    let path = match payload.get("path").and_then(|v| v.as_str()) {
+        Some(p) => p,
+        None => return EngineResponse::err("INVALID_PAYLOAD", "Missing 'path'"),
+    };
+
+    match paths::get(&ctx, Path::new(path)) {
+        Ok(Some(info)) => EngineResponse::ok(json!(info)),
+        Ok(None) => EngineResponse::ok(Value::Null),
+        Err(e) => EngineResponse::err(e.code, &e.message),
+    }
+}
+
+/// Handle paths.request operation
+pub fn handle_request(payload: &Value, state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    // Check auth
+    if ctx.auth.is_none() {
+        return EngineResponse::err("NOT_AUTHENTICATED", "Must login before requesting path access");
+    }
+
+    let path = match payload.get("path").and_then(|v| v.as_str()) {
+        Some(p) => p,
+        None => return EngineResponse::err("INVALID_PAYLOAD", "Missing 'path'"),
+    };
+
+    let path_type: PathType = payload
+        .get("pathType")
+        .and_then(|v| v.as_str())
+        .and_then(|s| serde_json::from_str(&format!("\"{}\"", s)).ok())
+        .unwrap_or(PathType::General);
+
+    let access: PathAccess = payload
+        .get("access")
+        .and_then(|v| v.as_str())
+        .and_then(|s| serde_json::from_str(&format!("\"{}\"", s)).ok())
+        .unwrap_or(PathAccess::ReadOnly);
+
+    let issuer = EngineHttpGrantIssuer::new();
+
+    match paths::request(&ctx, &issuer, Path::new(path), path_type, access) {
+        Ok(result) => EngineResponse::ok(json!(result)),
+        Err(e) => EngineResponse::err(e.code, &e.message),
+    }
+}
+
+/// Handle paths.remove operation
+pub fn handle_remove(payload: &Value, state: &EngineState) -> EngineResponse {
+    let ctx = match state.to_runtime_context() {
+        Some(c) => c,
+        None => return EngineResponse::err("NOT_CONNECTED", "Engine not initialized"),
+    };
+
+    let path = match payload.get("path").and_then(|v| v.as_str()) {
+        Some(p) => p,
+        None => return EngineResponse::err("INVALID_PAYLOAD", "Missing 'path'"),
+    };
+
+    match paths::remove(&ctx, Path::new(path)) {
+        Ok(removed) => EngineResponse::ok(json!({ "removed": removed })),
+        Err(e) => EngineResponse::err(e.code, &e.message),
+    }
+}