create-ekka-desktop-app 0.2.2

package/template/src-tauri/src/node_vault_crypto.rs

@@ -0,0 +1,113 @@
+//! Node Vault Cryptography
+//!
+//! Provides key derivation and AES-256-GCM encryption for node-level secrets.
+//! Uses the existing ekka-crypto primitives for consistency.
+
+use crate::device_secret::load_or_create_device_secret;
+use ekka_sdk_core::ekka_crypto::{self, KeyDerivationConfig, KeyMaterial};
+use std::path::Path;
+
+/// Purpose label for node vault key derivation
+const NODE_VAULT_PURPOSE: &str = "node-vault";
+
+/// Derive the encryption key for the node vault
+///
+/// Key derivation inputs:
+/// - device_secret: 32 bytes from device secret file (device-bound)
+/// - security_epoch: Current security epoch (for key rotation)
+///
+/// Note: node_id is NOT used in key derivation because it's a business
+/// identifier stored inside the encrypted credentials, not a cryptographic input.
+///
+/// Uses PBKDF2-SHA256 with 100k iterations (via ekka-crypto).
+pub fn derive_node_vault_key(home: &Path, epoch: u32) -> anyhow::Result<KeyMaterial> {
+    let device_secret = load_or_create_device_secret(home)?;
+
+    // Convert device secret to hex string for derivation
+    let device_secret_hex = hex::encode(device_secret);
+
+    // User context is fixed for node vault (no user-specific data needed)
+    let user_context = "node-vault-context";
+
+    let config = KeyDerivationConfig::default();
+
+    let key = ekka_crypto::derive_key(
+        &device_secret_hex,
+        user_context,
+        epoch,
+        NODE_VAULT_PURPOSE,
+        &config,
+    );
+
+    Ok(key)
+}
+
+/// Encrypt plaintext bytes using AES-256-GCM
+///
+/// Returns the encrypted envelope as bytes (version || nonce || ciphertext).
+pub fn encrypt_node_value(key: &KeyMaterial, plaintext: &[u8]) -> anyhow::Result<Vec<u8>> {
+    ekka_crypto::encrypt(plaintext, key).map_err(|e| anyhow::anyhow!("Encryption failed: {}", e))
+}
+
+/// Decrypt ciphertext bytes using AES-256-GCM
+///
+/// Expects the encrypted envelope format (version || nonce || ciphertext).
+pub fn decrypt_node_value(key: &KeyMaterial, ciphertext: &[u8]) -> anyhow::Result<Vec<u8>> {
+    ekka_crypto::decrypt(ciphertext, key).map_err(|e| anyhow::anyhow!("Decryption failed: {}", e))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_derive_node_vault_key_deterministic() {
+        let temp_dir = TempDir::new().unwrap();
+        let epoch = 1u32;
+
+        let key1 = derive_node_vault_key(temp_dir.path(), epoch).unwrap();
+        let key2 = derive_node_vault_key(temp_dir.path(), epoch).unwrap();
+
+        // Same inputs should produce same key
+        assert_eq!(key1.as_bytes(), key2.as_bytes());
+    }
+
+    #[test]
+    fn test_derive_node_vault_key_different_epoch() {
+        let temp_dir = TempDir::new().unwrap();
+
+        let key1 = derive_node_vault_key(temp_dir.path(), 1).unwrap();
+        let key2 = derive_node_vault_key(temp_dir.path(), 2).unwrap();
+
+        // Different epochs should produce different keys
+        assert_ne!(key1.as_bytes(), key2.as_bytes());
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip() {
+        let temp_dir = TempDir::new().unwrap();
+        let key = derive_node_vault_key(temp_dir.path(), 1).unwrap();
+
+        let plaintext = b"test secret data";
+        let ciphertext = encrypt_node_value(&key, plaintext).unwrap();
+        let decrypted = decrypt_node_value(&key, &ciphertext).unwrap();
+
+        assert_eq!(plaintext.as_slice(), decrypted.as_slice());
+    }
+
+    #[test]
+    fn test_decrypt_wrong_key_fails() {
+        let temp_dir = TempDir::new().unwrap();
+
+        let key1 = derive_node_vault_key(temp_dir.path(), 1).unwrap();
+        let key2 = derive_node_vault_key(temp_dir.path(), 2).unwrap();
+
+        let plaintext = b"secret";
+        let ciphertext = encrypt_node_value(&key1, plaintext).unwrap();
+
+        // Decrypting with wrong key should fail
+        let result = decrypt_node_value(&key2, &ciphertext);
+        assert!(result.is_err());
+    }
+}

package/template/src-tauri/src/node_vault_store.rs

@@ -0,0 +1,267 @@
+//! Node Vault Store
+//!
+//! Encrypted storage for node-level secrets that works before user authentication.
+//! Uses AES-256-GCM with device-bound key derivation.
+//!
+//! Storage layout:
+//! ```text
+//! {EKKA_HOME}/vault/node/
+//!   values/
+//!     node_credentials.enc    # Encrypted node credentials
+//! ```
+
+use crate::node_vault_crypto::{decrypt_node_value, derive_node_vault_key, encrypt_node_value};
+use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
+use serde::{Deserialize, Serialize};
+use std::fs;
+use std::io::Write;
+use std::path::{Path, PathBuf};
+
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
+
+/// Secret ID for node credentials
+pub const SECRET_ID_NODE_CREDENTIALS: &str = "node_credentials";
+
+/// Encrypted value envelope stored on disk
+#[derive(Debug, Serialize, Deserialize)]
+struct EncryptedEnvelope {
+    /// Version for future format changes
+    v: u8,
+    /// Base64-encoded encrypted data (version || nonce || ciphertext)
+    data_b64: String,
+}
+
+impl EncryptedEnvelope {
+    const CURRENT_VERSION: u8 = 1;
+
+    fn new(encrypted_bytes: &[u8]) -> Self {
+        Self {
+            v: Self::CURRENT_VERSION,
+            data_b64: BASE64.encode(encrypted_bytes),
+        }
+    }
+
+    fn decode(&self) -> anyhow::Result<Vec<u8>> {
+        if self.v != Self::CURRENT_VERSION {
+            anyhow::bail!("Unsupported envelope version: {}", self.v);
+        }
+        BASE64
+            .decode(&self.data_b64)
+            .map_err(|e| anyhow::anyhow!("Base64 decode failed: {}", e))
+    }
+}
+
+/// Get the node vault directory path
+pub fn node_vault_dir(home: &Path) -> PathBuf {
+    home.join("vault").join("node")
+}
+
+/// Get the node vault values directory path
+pub fn node_vault_values_dir(home: &Path) -> PathBuf {
+    node_vault_dir(home).join("values")
+}
+
+/// Get the path for a specific secret
+fn secret_path(home: &Path, secret_id: &str) -> PathBuf {
+    node_vault_values_dir(home).join(format!("{}.enc", secret_id))
+}
+
+/// Ensure the node vault directory structure exists
+fn ensure_dirs(home: &Path) -> anyhow::Result<()> {
+    let values_dir = node_vault_values_dir(home);
+    if !values_dir.exists() {
+        fs::create_dir_all(&values_dir)?;
+
+        // Set secure permissions on Unix
+        #[cfg(unix)]
+        {
+            let perms = fs::Permissions::from_mode(0o700);
+            fs::set_permissions(&node_vault_dir(home), perms.clone())?;
+            fs::set_permissions(&values_dir, perms)?;
+        }
+    }
+    Ok(())
+}
+
+/// Write a secret to the node vault
+///
+/// Encrypts the plaintext using the derived key and writes atomically.
+pub fn write_node_secret(
+    home: &Path,
+    epoch: u32,
+    secret_id: &str,
+    plaintext: &[u8],
+) -> anyhow::Result<()> {
+    ensure_dirs(home)?;
+
+    // Derive key (device-bound, no node_id needed)
+    let key = derive_node_vault_key(home, epoch)?;
+
+    // Encrypt
+    let encrypted = encrypt_node_value(&key, plaintext)?;
+
+    // Create envelope
+    let envelope = EncryptedEnvelope::new(&encrypted);
+    let json = serde_json::to_string_pretty(&envelope)?;
+
+    // Atomic write: temp file + rename
+    let final_path = secret_path(home, secret_id);
+    let temp_path = final_path.with_extension("enc.tmp");
+
+    {
+        let mut file = fs::File::create(&temp_path)?;
+        file.write_all(json.as_bytes())?;
+        file.sync_all()?;
+
+        // Set secure permissions on Unix
+        #[cfg(unix)]
+        {
+            let perms = fs::Permissions::from_mode(0o600);
+            fs::set_permissions(&temp_path, perms)?;
+        }
+    }
+
+    fs::rename(&temp_path, &final_path)?;
+
+    tracing::info!(
+        op = "node_vault.write",
+        secret_id = secret_id,
+        "Node secret written"
+    );
+
+    Ok(())
+}
+
+/// Read a secret from the node vault
+///
+/// Returns None if the secret doesn't exist.
+pub fn read_node_secret(
+    home: &Path,
+    epoch: u32,
+    secret_id: &str,
+) -> anyhow::Result<Option<Vec<u8>>> {
+    let path = secret_path(home, secret_id);
+
+    if !path.exists() {
+        tracing::info!(
+            op = "node_vault.read",
+            secret_id = secret_id,
+            hit = false,
+            "Node secret not found"
+        );
+        return Ok(None);
+    }
+
+    // Read envelope
+    let content = fs::read_to_string(&path)?;
+    let envelope: EncryptedEnvelope = serde_json::from_str(&content)?;
+
+    // Decode base64
+    let encrypted = envelope.decode()?;
+
+    // Derive key (device-bound, no node_id needed)
+    let key = derive_node_vault_key(home, epoch)?;
+
+    // Decrypt
+    let plaintext = decrypt_node_value(&key, &encrypted)?;
+
+    tracing::info!(
+        op = "node_vault.read",
+        secret_id = secret_id,
+        hit = true,
+        "Node secret read"
+    );
+
+    Ok(Some(plaintext))
+}
+
+/// Delete a secret from the node vault
+pub fn delete_node_secret(home: &Path, secret_id: &str) -> anyhow::Result<()> {
+    let path = secret_path(home, secret_id);
+
+    if path.exists() {
+        fs::remove_file(&path)?;
+        tracing::info!(
+            op = "node_vault.delete",
+            secret_id = secret_id,
+            "Node secret deleted"
+        );
+    }
+
+    Ok(())
+}
+
+/// Check if a secret exists in the node vault
+pub fn has_node_secret(home: &Path, secret_id: &str) -> bool {
+    secret_path(home, secret_id).exists()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_write_read_roundtrip() {
+        let temp_dir = TempDir::new().unwrap();
+        let epoch = 1u32;
+        let secret_id = "test_secret";
+        let plaintext = b"my secret data";
+
+        // Write
+        write_node_secret(temp_dir.path(), epoch, secret_id, plaintext).unwrap();
+
+        // Read
+        let result = read_node_secret(temp_dir.path(), epoch, secret_id).unwrap();
+
+        assert!(result.is_some());
+        assert_eq!(result.unwrap(), plaintext.to_vec());
+    }
+
+    #[test]
+    fn test_read_nonexistent_returns_none() {
+        let temp_dir = TempDir::new().unwrap();
+        let result = read_node_secret(temp_dir.path(), 1, "nonexistent").unwrap();
+        assert!(result.is_none());
+    }
+
+    #[test]
+    fn test_delete_secret() {
+        let temp_dir = TempDir::new().unwrap();
+        let epoch = 1u32;
+        let secret_id = "to_delete";
+
+        // Write
+        write_node_secret(temp_dir.path(), epoch, secret_id, b"data").unwrap();
+        assert!(has_node_secret(temp_dir.path(), secret_id));
+
+        // Delete
+        delete_node_secret(temp_dir.path(), secret_id).unwrap();
+        assert!(!has_node_secret(temp_dir.path(), secret_id));
+    }
+
+    #[test]
+    fn test_has_node_secret() {
+        let temp_dir = TempDir::new().unwrap();
+
+        assert!(!has_node_secret(temp_dir.path(), "test"));
+
+        write_node_secret(temp_dir.path(), 1, "test", b"data").unwrap();
+
+        assert!(has_node_secret(temp_dir.path(), "test"));
+    }
+
+    #[test]
+    fn test_wrong_epoch_fails_decrypt() {
+        let temp_dir = TempDir::new().unwrap();
+        let secret_id = "epoch_test";
+
+        // Write with epoch 1
+        write_node_secret(temp_dir.path(), 1, secret_id, b"secret").unwrap();
+
+        // Read with epoch 2 should fail
+        let result = read_node_secret(temp_dir.path(), 2, secret_id);
+        assert!(result.is_err());
+    }
+}

package/template/src-tauri/src/ops/auth.rs

@@ -0,0 +1,50 @@
+//! Auth operations
+//!
+//! Handles: auth.set
+
+use crate::state::{AuthContext, EngineState};
+use crate::types::EngineResponse;
+use serde_json::{json, Value};
+
+/// Handle auth.set operation
+pub fn handle_set(payload: &Value, state: &EngineState) -> EngineResponse {
+    let tenant_id = match payload.get("tenantId").and_then(|v| v.as_str()) {
+        Some(t) if !t.is_empty() => t.to_string(),
+        _ => return EngineResponse::err("INVALID_PAYLOAD", "Missing or empty 'tenantId'"),
+    };
+
+    let sub = match payload.get("sub").and_then(|v| v.as_str()) {
+        Some(s) if !s.is_empty() => s.to_string(),
+        _ => return EngineResponse::err("INVALID_PAYLOAD", "Missing or empty 'sub'"),
+    };
+
+    let jwt = match payload.get("jwt").and_then(|v| v.as_str()) {
+        Some(j) if !j.is_empty() => j.to_string(),
+        _ => return EngineResponse::err("INVALID_PAYLOAD", "Missing or empty 'jwt'"),
+    };
+
+    // Workspace ID is optional - defaults to tenant_id if not provided
+    let workspace_id = payload
+        .get("workspaceId")
+        .and_then(|v| v.as_str())
+        .filter(|s| !s.is_empty())
+        .map(|s| s.to_string());
+
+    let auth_context = AuthContext {
+        tenant_id,
+        sub,
+        jwt,
+        workspace_id,
+    };
+
+    // Clear vault cache when auth changes (new tenant/user means new encryption key)
+    state.clear_vault_cache();
+
+    match state.auth.lock() {
+        Ok(mut guard) => {
+            *guard = Some(auth_context);
+            EngineResponse::ok(json!({ "ok": true }))
+        }
+        Err(e) => EngineResponse::err("INTERNAL_ERROR", &e.to_string()),
+    }
+}

package/template/src-tauri/src/ops/home.rs

@@ -0,0 +1,251 @@
+//! Home operations (DEPRECATED - use handlers/home.rs)
+//!
+//! Handles: home.status, home.grant
+//!
+//! This module is deprecated in favor of SDK-based handlers.
+
+#![allow(dead_code)]
+
+use crate::bootstrap::resolve_home_path;
+use crate::grants::get_home_status;
+use crate::state::EngineState;
+use crate::types::EngineResponse;
+use serde_json::{json, Value};
+
+/// Handle home.status operation
+pub fn handle_status(state: &EngineState) -> EngineResponse {
+    let (home_state, home_path, grant_present, reason) = get_home_status(state);
+
+    EngineResponse::ok(json!({
+        "state": home_state,
+        "homePath": home_path.to_string_lossy(),
+        "grantPresent": grant_present,
+        "reason": reason,
+    }))
+}
+
+/// Handle home.grant operation
+pub fn handle_grant(state: &EngineState) -> EngineResponse {
+    // 1. Must have auth with JWT
+    let auth = match state.auth.lock() {
+        Ok(guard) => guard.clone(),
+        Err(e) => return EngineResponse::err("INTERNAL_ERROR", &e.to_string()),
+    };
+
+    let auth = match auth {
+        Some(a) => a,
+        None => {
+            return EngineResponse::err("NOT_AUTHENTICATED", "Must call auth.set before home.grant")
+        }
+    };
+
+    // 2. Get home path
+    let home_path = match state.home_path.lock() {
+        Ok(guard) => guard.clone(),
+        Err(e) => return EngineResponse::err("INTERNAL_ERROR", &e.to_string()),
+    };
+
+    let home_path = match home_path {
+        Some(p) => p,
+        None => match resolve_home_path() {
+            Ok(p) => p,
+            Err(e) => return EngineResponse::err("HOME_PATH_ERROR", &e),
+        },
+    };
+
+    // 3. Load marker to get instance_id (used as node_id in grants)
+    let marker_path = home_path.join(".ekka-marker.json");
+    let marker_content = match std::fs::read_to_string(&marker_path) {
+        Ok(c) => c,
+        Err(e) => {
+            return EngineResponse::err(
+                "MARKER_READ_ERROR",
+                &format!("Failed to read marker: {}", e),
+            )
+        }
+    };
+
+    let marker: Value = match serde_json::from_str(&marker_content) {
+        Ok(m) => m,
+        Err(e) => {
+            return EngineResponse::err(
+                "MARKER_PARSE_ERROR",
+                &format!("Failed to parse marker: {}", e),
+            )
+        }
+    };
+
+    let node_id = match marker.get("instance_id").and_then(|v| v.as_str()) {
+        Some(n) => n.to_string(),
+        None => return EngineResponse::err("MARKER_INVALID", "Marker missing instance_id"),
+    };
+
+    // 4. Get engine URL
+    let engine_url = match std::env::var("EKKA_ENGINE_URL") {
+        Ok(u) => u,
+        Err(_) => {
+            return EngineResponse::err(
+                "ENGINE_NOT_CONFIGURED",
+                "EKKA_ENGINE_URL not set. HOME grant requires online engine.",
+            )
+        }
+    };
+
+    // 5. Build grant request
+    let grant_request = json!({
+        "resource": {
+            "kind": "path",
+            "path_prefix": home_path.to_string_lossy(),
+            "attrs": {
+                "path_type": "HOME"
+            }
+        },
+        "permissions": {
+            "ops": ["read", "write", "delete"],
+            "access": "READ_WRITE"
+        },
+        "purpose": "home_bootstrap",
+        "expires_in_seconds": 31536000,
+        "node_id": node_id,
+        "consent": {
+            "mode": "user_click"
+        }
+    });
+
+    // 6. Make HTTP request to engine
+    let client = match reqwest::blocking::Client::builder()
+        .timeout(std::time::Duration::from_secs(30))
+        .build()
+    {
+        Ok(c) => c,
+        Err(e) => return EngineResponse::err("HTTP_CLIENT_ERROR", &e.to_string()),
+    };
+
+    let request_id = uuid::Uuid::new_v4().to_string();
+    let response = match client
+        .post(format!("{}/engine/grants/issue", engine_url))
+        .header("Authorization", format!("Bearer {}", auth.jwt))
+        .header("Content-Type", "application/json")
+        .header("X-EKKA-PROOF-TYPE", "jwt")
+        .header("X-REQUEST-ID", &request_id)
+        .header("X-EKKA-CORRELATION-ID", &request_id)
+        .header("X-EKKA-MODULE", "desktop.home")
+        .header("X-EKKA-ACTION", "grant")
+        .header("X-EKKA-CLIENT", "desktop")
+        .header("X-EKKA-CLIENT-VERSION", "0.2.0")
+        .json(&grant_request)
+        .send()
+    {
+        Ok(r) => r,
+        Err(e) => {
+            return EngineResponse::err(
+                "ENGINE_REQUEST_FAILED",
+                &format!("HTTP request failed: {}", e),
+            )
+        }
+    };
+
+    // 7. Check response status
+    if !response.status().is_success() {
+        let status = response.status();
+        let error_body = response.text().unwrap_or_else(|_| "No error body".to_string());
+        return EngineResponse::err(
+            "ENGINE_GRANT_DENIED",
+            &format!("Engine returned {}: {}", status, error_body),
+        );
+    }
+
+    // 8. Parse response
+    let grant_response: Value = match response.json() {
+        Ok(v) => v,
+        Err(e) => {
+            return EngineResponse::err(
+                "RESPONSE_PARSE_ERROR",
+                &format!("Failed to parse response: {}", e),
+            )
+        }
+    };
+
+    // 9. Extract signed grant
+    let signed_grant = match grant_response.get("signed_grant") {
+        Some(sg) => sg.clone(),
+        None => return EngineResponse::err("INVALID_RESPONSE", "Response missing signed_grant"),
+    };
+
+    let grant_id = signed_grant
+        .get("grant")
+        .and_then(|g| g.get("grant_id"))
+        .and_then(|id| id.as_str())
+        .unwrap_or("unknown")
+        .to_string();
+
+    let expires_at = grant_response
+        .get("expires_at")
+        .and_then(|e| e.as_str())
+        .map(|s| s.to_string());
+
+    // 10. Load or create grants.json
+    let grants_path = home_path.join("grants.json");
+    let mut grants_file: Value = if grants_path.exists() {
+        match std::fs::read_to_string(&grants_path) {
+            Ok(content) => serde_json::from_str(&content).unwrap_or(json!({
+                "schema_version": "1.0",
+                "grants": []
+            })),
+            Err(_) => json!({
+                "schema_version": "1.0",
+                "grants": []
+            }),
+        }
+    } else {
+        json!({
+            "schema_version": "1.0",
+            "grants": []
+        })
+    };
+
+    // 11. Add grant to grants array
+    let path_grant = json!({
+        "schema": signed_grant.get("schema"),
+        "canon_alg": signed_grant.get("canon_alg"),
+        "signing_alg": signed_grant.get("signing_alg"),
+        "grant": signed_grant.get("grant"),
+        "grant_canonical_b64": signed_grant.get("grant_canonical_b64"),
+        "signature_b64": signed_grant.get("signature_b64"),
+        "path_type": "HOME",
+        "path_access": "READ_WRITE"
+    });
+
+    if let Some(grants_array) = grants_file.get_mut("grants").and_then(|g| g.as_array_mut()) {
+        grants_array.push(path_grant);
+    }
+
+    // 12. Write grants.json atomically
+    let grants_json = match serde_json::to_string_pretty(&grants_file) {
+        Ok(j) => j,
+        Err(e) => {
+            return EngineResponse::err(
+                "SERIALIZE_ERROR",
+                &format!("Failed to serialize grants: {}", e),
+            )
+        }
+    };
+
+    let temp_path = grants_path.with_extension("json.tmp");
+    if let Err(e) = std::fs::write(&temp_path, &grants_json) {
+        return EngineResponse::err("WRITE_ERROR", &format!("Failed to write grants: {}", e));
+    }
+    if let Err(e) = std::fs::rename(&temp_path, &grants_path) {
+        return EngineResponse::err(
+            "RENAME_ERROR",
+            &format!("Failed to rename grants file: {}", e),
+        );
+    }
+
+    // 13. Return success
+    EngineResponse::ok(json!({
+        "success": true,
+        "grant_id": grant_id,
+        "expires_at": expires_at,
+    }))
+}

package/template/src-tauri/src/ops/mod.rs

@@ -0,0 +1,7 @@
+//! Operation handlers
+//!
+//! Each module handles a group of related operations.
+
+pub mod auth;
+pub mod home;
+pub mod runtime;