create-ekka-desktop-app 0.2.3 → 0.3.1

package/bin/cli.js

@@ -3,70 +3,251 @@
 import { existsSync, mkdirSync, cpSync, readFileSync, writeFileSync } from 'node:fs';
 import { resolve, join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { createInterface } from 'node:readline';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const templateDir = resolve(__dirname, '..', 'template');
 
-const projectName = process.argv[2];
+// Parse command line arguments
+const args = process.argv.slice(2);
+let projectName = null;
+let configFile = null;
+let appName = null;
+let appSlug = null;
+let engineUrl = null;
+let orgPrefix = 'ai.ekka';
+
+for (let i = 0; i < args.length; i++) {
+  const arg = args[i];
+  if (arg === '--config' || arg === '-c') {
+    configFile = args[++i];
+  } else if (arg === '--name' || arg === '-n') {
+    appName = args[++i];
+  } else if (arg === '--slug' || arg === '-s') {
+    appSlug = args[++i];
+  } else if (arg === '--engine-url' || arg === '-e') {
+    engineUrl = args[++i];
+  } else if (arg === '--org' || arg === '-o') {
+    orgPrefix = args[++i];
+  } else if (arg === '--help' || arg === '-h') {
+    console.log(`
+Usage: npx create-ekka-desktop-app [project-dir] [options]
+
+Options:
+  -c, --config <file>     Use config file (skips all prompts)
+  -n, --name <name>       App display name
+  -s, --slug <slug>       App identifier (lowercase, hyphens only)
+  -e, --engine-url <url>  EKKA Engine URL (required)
+  -o, --org <prefix>      Organization prefix (default: ai.ekka)
+  -h, --help              Show this help
+
+Examples:
+  npx create-ekka-desktop-app my-app
+  npx create-ekka-desktop-app my-app --engine-url https://api.ekka.ai
+  npx create-ekka-desktop-app my-app --config ./app.config.json
+`);
+    process.exit(0);
+  } else if (!arg.startsWith('-') && !projectName) {
+    projectName = arg;
+  }
+}
+
+// Helper to prompt for input
+async function prompt(question, defaultValue = '') {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  return new Promise((resolve) => {
+    const displayDefault = defaultValue ? ` (${defaultValue})` : '';
+    rl.question(`${question}${displayDefault}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || defaultValue);
+    });
+  });
+}
 
-if (!projectName) {
-  console.error('Usage: npx create-ekka-desktop-app <project-name>');
-  process.exit(1);
+// Helper to convert to title case
+function titleCase(str) {
+  return str
+    .split('-')
+    .map(word => word.charAt(0).toUpperCase() + word.slice(1))
+    .join(' ');
 }
 
-const targetDir = resolve(process.cwd(), projectName);
+// Helper to slugify
+function slugify(str) {
+  return str
+    .toLowerCase()
+    .replace(/[^a-z0-9-]/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-|-$/g, '');
+}
 
-if (existsSync(targetDir)) {
-  console.error(`Error: Directory "${projectName}" already exists.`);
-  process.exit(1);
+// Validate slug
+function isValidSlug(slug) {
+  return /^[a-z][a-z0-9-]*$/.test(slug);
 }
 
-console.log(`Creating EKKA desktop app in ${targetDir}...`);
-
-// Copy template
-mkdirSync(targetDir, { recursive: true });
-cpSync(templateDir, targetDir, { recursive: true });
-
-// Update package.json with project name
-const pkgPath = join(targetDir, 'package.json');
-const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
-pkg.name = projectName;
-writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
-
-// Update branding/app.json with project name
-const brandingPath = join(targetDir, 'branding', 'app.json');
-const branding = JSON.parse(readFileSync(brandingPath, 'utf8'));
-// Convert project-name to "Project Name" for display
-const displayName = projectName
-  .split('-')
-  .map(word => word.charAt(0).toUpperCase() + word.slice(1))
-  .join(' ');
-// Convert project-name to ai.ekka.projectname for bundleId
-const bundleId = `ai.ekka.${projectName.replace(/-/g, '')}`;
-branding.name = displayName;
-branding.bundleId = bundleId;
-writeFileSync(brandingPath, JSON.stringify(branding, null, 2) + '\n');
-
-// Update src-tauri/Cargo.toml crate name
-const cargoPath = join(targetDir, 'src-tauri', 'Cargo.toml');
-let cargoContent = readFileSync(cargoPath, 'utf8');
-cargoContent = cargoContent.replace(/^name = ".*"$/m, `name = "${projectName}"`);
-cargoContent = cargoContent.replace(/^description = ".*"$/m, `description = "${displayName}"`);
-writeFileSync(cargoPath, cargoContent);
-
-console.log(`
-Done! To get started:
+// Main
+async function main() {
+  console.log(`
+╔══════════════════════════════════════════════════════════════╗
+║                  CREATE EKKA DESKTOP APP                     ║
+╚══════════════════════════════════════════════════════════════╝
+`);
+
+  // If config file provided, load it and skip prompts
+  let config = null;
+  if (configFile) {
+    if (!existsSync(configFile)) {
+      console.error(`Error: Config file not found: ${configFile}`);
+      process.exit(1);
+    }
+    try {
+      config = JSON.parse(readFileSync(configFile, 'utf8'));
+      console.log(`Using config from: ${configFile}\n`);
+    } catch (e) {
+      console.error(`Error: Invalid JSON in config file: ${e.message}`);
+      process.exit(1);
+    }
+  }
+
+  // Get project directory
+  if (!projectName) {
+    projectName = await prompt('Project directory', 'my-ekka-app');
+  }
+
+  const targetDir = resolve(process.cwd(), projectName);
+
+  if (existsSync(targetDir)) {
+    console.error(`\nError: Directory "${projectName}" already exists.`);
+    process.exit(1);
+  }
+
+  // Build config from flags, prompts, or config file
+  if (!config) {
+    // Get app name
+    if (!appName) {
+      appName = await prompt('App display name', titleCase(projectName));
+    }
+
+    // Get app slug
+    if (!appSlug) {
+      const defaultSlug = slugify(projectName);
+      appSlug = await prompt('App identifier (lowercase, hyphens)', defaultSlug);
+      while (!isValidSlug(appSlug)) {
+        console.log('  ⚠ Must be lowercase letters, numbers, and hyphens only');
+        appSlug = await prompt('App identifier (lowercase, hyphens)', defaultSlug);
+      }
+    }
+
+    // Get engine URL
+    if (!engineUrl) {
+      engineUrl = await prompt('EKKA Engine URL', 'https://api.ekka.ai');
+    }
+
+    // Get org prefix (only prompt if not all values provided via flags)
+    if (orgPrefix === 'ai.ekka' && !process.argv.includes('--engine-url') && !process.argv.includes('-e')) {
+      const customOrg = await prompt('Organization prefix', 'ai.ekka');
+      if (customOrg) orgPrefix = customOrg;
+    }
+
+    config = {
+      app: {
+        name: appName,
+        slug: appSlug,
+        identifier: `${orgPrefix}.${appSlug.replace(/-/g, '')}`
+      },
+      storage: {
+        homeFolderName: `.${appSlug}`,
+        keychainService: `${orgPrefix}.${appSlug.replace(/-/g, '')}`
+      },
+      engine: {
+        url: engineUrl
+      }
+    };
+  }
+
+  // Validate config
+  if (!config.app?.slug) {
+    console.error('\nError: app.slug is required in config');
+    process.exit(1);
+  }
+  if (!config.engine?.url) {
+    console.error('\nError: engine.url is required in config');
+    process.exit(1);
+  }
+
+  // Derive missing values
+  config.app.name = config.app.name || titleCase(config.app.slug);
+  config.app.identifier = config.app.identifier || `ai.ekka.${config.app.slug.replace(/-/g, '')}`;
+  config.storage = config.storage || {};
+  config.storage.homeFolderName = config.storage.homeFolderName || `.${config.app.slug}`;
+  config.storage.keychainService = config.storage.keychainService || config.app.identifier;
+
+  console.log(`
+Creating EKKA desktop app in ${targetDir}...
+
+  App Name:     ${config.app.name}
+  App Slug:     ${config.app.slug}
+  Identifier:   ${config.app.identifier}
+  Home Folder:  ~/${config.storage.homeFolderName}
+  Engine URL:   ${config.engine.url}
+`);
+
+  // Copy template
+  mkdirSync(targetDir, { recursive: true });
+  cpSync(templateDir, targetDir, { recursive: true });
+
+  // Write app.config.json
+  const appConfigPath = join(targetDir, 'app.config.json');
+  writeFileSync(appConfigPath, JSON.stringify(config, null, 2) + '\n');
+
+  // Update package.json with project name
+  const pkgPath = join(targetDir, 'package.json');
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  pkg.name = config.app.slug;
+  writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+
+  // Update branding/app.json
+  const brandingPath = join(targetDir, 'branding', 'app.json');
+  const branding = JSON.parse(readFileSync(brandingPath, 'utf8'));
+  branding.name = config.app.name;
+  branding.bundleId = config.app.identifier;
+  writeFileSync(brandingPath, JSON.stringify(branding, null, 2) + '\n');
+
+  // Update src-tauri/Cargo.toml crate name
+  const cargoPath = join(targetDir, 'src-tauri', 'Cargo.toml');
+  let cargoContent = readFileSync(cargoPath, 'utf8');
+  cargoContent = cargoContent.replace(/^name = ".*"$/m, `name = "${config.app.slug}"`);
+  cargoContent = cargoContent.replace(/^description = ".*"$/m, `description = "${config.app.name}"`);
+  writeFileSync(cargoPath, cargoContent);
+
+  // Update src-tauri/tauri.conf.json identifier
+  const tauriConfPath = join(targetDir, 'src-tauri', 'tauri.conf.json');
+  const tauriConf = JSON.parse(readFileSync(tauriConfPath, 'utf8'));
+  tauriConf.identifier = config.app.identifier;
+  writeFileSync(tauriConfPath, JSON.stringify(tauriConf, null, 2) + '\n');
+
+  console.log(`
+╔══════════════════════════════════════════════════════════════╗
+║  SUCCESS! Your app is ready.                                 ║
+╚══════════════════════════════════════════════════════════════╝
+
+To get started:
 
   cd ${projectName}
   npm install
+  npm run tauri:dev
 
-Development:
-  npm start            # Web (browser)
-  npm run tauri:dev    # Desktop (native window)
+Configuration:
+  Edit app.config.json to change app identity or engine URL.
 
 Build:
-  npm run tauri:build  # Create distributable app
-
-Edit src/app/App.tsx to build your UI.
-Delete src/demo/ when ready.
+  npm run tauri:build
 `);
+}
+
+main().catch(console.error);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.2.3",
+  "version": "0.3.1",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/app.config.json

@@ -0,0 +1,14 @@
+{
+  "app": {
+    "name": "EKKA Desktop",
+    "slug": "ekka-desktop",
+    "identifier": "ai.ekka.desktop"
+  },
+  "storage": {
+    "homeFolderName": ".ekka-desktop",
+    "keychainService": "ai.ekka.desktop"
+  },
+  "engine": {
+    "url": ""
+  }
+}

package/template/src-tauri/Cargo.toml

@@ -10,7 +10,7 @@ edition = "2021"
 
 [build-dependencies]
 tauri-build = { version = "2", features = [] }
-dotenvy = "0.15"
+serde_json = "1"
 
 [dependencies]
 tauri = { version = "2", features = [] }

package/template/src-tauri/build.rs

@@ -1,47 +1,79 @@
+use std::fs;
+
 fn main() {
-    // Rerun if env files change (check both src-tauri and project root)
-    println!("cargo:rerun-if-changed=.env");
-    println!("cargo:rerun-if-changed=.env.local");
-    println!("cargo:rerun-if-changed=../.env");
-    println!("cargo:rerun-if-changed=../.env.local");
-
-    // Load env files: try src-tauri first, then project root
-    // .env.local takes precedence over .env
-    let _ = dotenvy::from_filename(".env.local");
-    let _ = dotenvy::from_filename(".env");
-    let _ = dotenvy::from_filename("../.env.local");
-    let _ = dotenvy::from_filename("../.env");
-
-    // EKKA_ENGINE_URL is required at build time
-    let engine_url = std::env::var("EKKA_ENGINE_URL").unwrap_or_else(|_| {
+    // Rerun if config changes
+    println!("cargo:rerun-if-changed=../app.config.json");
+
+    // 1. Read app.config.json
+    let config_path = "../app.config.json";
+    let config_str = fs::read_to_string(config_path).unwrap_or_else(|_| {
         panic!(
             "\n\n\
             ╔══════════════════════════════════════════════════════════════════╗\n\
-            ║  BUILD ERROR: EKKA_ENGINE_URL is not set                         ║\n\
+            ║  BUILD ERROR: app.config.json not found                          ║\n\
             ╠══════════════════════════════════════════════════════════════════╣\n\
-            ║  Add EKKA_ENGINE_URL to .env.local or .env before building:      ║\n\
+            ║  This file is required and should have been created by CDA.      ║\n\
+            ║  Regenerate your app with:                                       ║\n\
             ║                                                                  ║\n\
-            ║    echo 'EKKA_ENGINE_URL=https://api.ekka.ai' >> .env.local      ║\n\
+            ║    npx create-ekka-desktop-app@latest my-app                     ║\n\
             ║                                                                  ║\n\
             ╚══════════════════════════════════════════════════════════════════╝\n\n"
         )
     });
 
-    if engine_url.trim().is_empty() {
+    let config: serde_json::Value = serde_json::from_str(&config_str).unwrap_or_else(|e| {
+        panic!("\n\nBUILD ERROR: Invalid app.config.json: {}\n\n", e)
+    });
+
+    // 2. Extract and validate required fields
+    let app = config.get("app").expect("app.config.json missing 'app' section");
+    let storage = config.get("storage").expect("app.config.json missing 'storage' section");
+    let engine = config.get("engine").expect("app.config.json missing 'engine' section");
+
+    let app_name = app.get("name").and_then(|v| v.as_str())
+        .expect("app.config.json: app.name is required");
+    let app_slug = app.get("slug").and_then(|v| v.as_str())
+        .expect("app.config.json: app.slug is required");
+    let app_identifier = app.get("identifier").and_then(|v| v.as_str())
+        .expect("app.config.json: app.identifier is required");
+
+    let home_folder = storage.get("homeFolderName").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.homeFolderName is required");
+    let keychain_service = storage.get("keychainService").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.keychainService is required");
+
+    let engine_url = engine.get("url").and_then(|v| v.as_str())
+        .expect("app.config.json: engine.url is required");
+
+    // 3. Validate non-empty
+    if app_slug.is_empty() {
+        panic!("\n\nBUILD ERROR: app.slug cannot be empty in app.config.json\n\n");
+    }
+    if home_folder.is_empty() {
+        panic!("\n\nBUILD ERROR: storage.homeFolderName cannot be empty in app.config.json\n\n");
+    }
+    if engine_url.is_empty() {
         panic!(
             "\n\n\
             ╔══════════════════════════════════════════════════════════════════╗\n\
-            ║  BUILD ERROR: EKKA_ENGINE_URL is empty                           ║\n\
+            ║  BUILD ERROR: engine.url is empty in app.config.json             ║\n\
             ╠══════════════════════════════════════════════════════════════════╣\n\
-            ║  Set a valid URL in .env.local or .env:                          ║\n\
+            ║  Set your EKKA Engine URL in app.config.json:                    ║\n\
             ║                                                                  ║\n\
-            ║    EKKA_ENGINE_URL=https://api.ekka.ai                           ║\n\
+            ║    \"engine\": {{                                                  ║\n\
+            ║      \"url\": \"https://api.ekka.ai\"                               ║\n\
+            ║    }}                                                             ║\n\
             ║                                                                  ║\n\
             ╚══════════════════════════════════════════════════════════════════╝\n\n"
-        )
+        );
     }
 
-    // Bake EKKA_ENGINE_URL into the binary at compile time
+    // 4. Bake values into binary at compile time
+    println!("cargo:rustc-env=EKKA_APP_NAME={}", app_name);
+    println!("cargo:rustc-env=EKKA_APP_SLUG={}", app_slug);
+    println!("cargo:rustc-env=EKKA_APP_IDENTIFIER={}", app_identifier);
+    println!("cargo:rustc-env=EKKA_HOME_FOLDER={}", home_folder);
+    println!("cargo:rustc-env=EKKA_KEYCHAIN_SERVICE={}", keychain_service);
     println!("cargo:rustc-env=EKKA_ENGINE_URL={}", engine_url);
 
     // Continue with tauri build

package/template/src-tauri/src/bootstrap.rs

@@ -2,19 +2,20 @@
 //!
 //! Handles initialization and resolution of the EKKA home directory.
 
+use crate::config;
 use ekka_sdk_core::ekka_home_bootstrap::{BootstrapConfig, EpochSource, HomeBootstrap, HomeStrategy};
 use std::path::PathBuf;
 
-/// Standard bootstrap configuration for EKKA Desktop
+/// Standard bootstrap configuration - all values from app.config.json (baked at build time)
 pub fn bootstrap_config() -> BootstrapConfig {
     BootstrapConfig {
-        app_name: "ekka-desktop".to_string(),
-        default_folder_name: ".ekka-desktop".to_string(),
+        app_name: config::app_name().to_string(),
+        default_folder_name: config::home_folder().to_string(),
         home_strategy: HomeStrategy::DataHome {
             env_var: "EKKA_DATA_HOME".to_string(),
         },
         marker_filename: ".ekka-marker.json".to_string(),
-        keychain_service: "ai.ekka.desktop".to_string(),
+        keychain_service: config::keychain_service().to_string(),
         subdirs: vec!["vault".to_string(), "db".to_string(), "tmp".to_string()],
         epoch_source: EpochSource::EnvVar("EKKA_SECURITY_EPOCH".to_string()),
         storage_layout_version: "v1".to_string(),

package/template/src-tauri/src/commands.rs

@@ -3,6 +3,7 @@
 //! Entry points for TypeScript → Rust communication.
 
 use crate::bootstrap::initialize_home;
+use crate::config;
 use crate::engine_process;
 use crate::grants::require_home_granted;
 use crate::handlers;
@@ -541,7 +542,7 @@ fn handle_runner_task_stats(state: &EngineState) -> EngineResponse {
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "engine.runner_tasks")
         .header("X-EKKA-ACTION", "stats")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .send();
 
@@ -902,7 +903,7 @@ fn build_security_headers(jwt: Option<&str>, module: &str, action: &str) -> Vec<
         ("X-EKKA-PROOF-TYPE".to_string(), if jwt.is_some() { "jwt" } else { "none" }.to_string()),
         ("X-EKKA-MODULE".to_string(), module.to_string()),
         ("X-EKKA-ACTION".to_string(), action.to_string()),
-        ("X-EKKA-CLIENT".to_string(), "ekka-desktop".to_string()),
+        ("X-EKKA-CLIENT".to_string(), config::app_slug().to_string()),
         ("X-EKKA-CLIENT-VERSION".to_string(), "0.2.0".to_string()),
     ];
 

package/template/src-tauri/src/config.rs

@@ -0,0 +1,35 @@
+//! Compile-time app configuration
+//!
+//! All values are baked at build time from app.config.json.
+//! ZERO runtime configuration or hardcoding.
+
+#![allow(dead_code)] // Not all config values are used yet
+
+macro_rules! baked_config {
+    ($name:ident, $env:literal) => {
+        pub fn $name() -> &'static str {
+            option_env!($env).expect(concat!(
+                $env,
+                " not baked at build time. Check build.rs and app.config.json"
+            ))
+        }
+    };
+}
+
+// App display name (e.g., "EKKA Studio")
+baked_config!(app_name, "EKKA_APP_NAME");
+
+// App slug for machine use (e.g., "ekka-studio")
+baked_config!(app_slug, "EKKA_APP_SLUG");
+
+// App identifier for OS (e.g., "ai.ekka.studio")
+baked_config!(app_identifier, "EKKA_APP_IDENTIFIER");
+
+// Home folder name (e.g., ".ekka-studio")
+baked_config!(home_folder, "EKKA_HOME_FOLDER");
+
+// Keychain service identifier (e.g., "ai.ekka.studio")
+baked_config!(keychain_service, "EKKA_KEYCHAIN_SERVICE");
+
+// EKKA Engine URL (e.g., "https://api.ekka.ai")
+baked_config!(engine_url, "EKKA_ENGINE_URL");

package/template/src-tauri/src/grants.rs

@@ -10,7 +10,7 @@ use std::path::PathBuf;
 use std::time::{SystemTime, UNIX_EPOCH};
 
 /// Check if a valid HOME grant exists for the given auth context
-pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext) -> Result<bool, String> {
+pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext, verify_key: &str) -> Result<bool, String> {
     let grants_path = home_path.join("grants.json");
 
     // No grants file = no grant
@@ -18,11 +18,7 @@ pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext) -> Result<bool,
         return Ok(false);
     }
 
-    // Load engine verify key
-    let key_b64 = match std::env::var("ENGINE_GRANT_VERIFY_KEY_B64") {
-        Ok(k) => k,
-        Err(_) => return Err("ENGINE_GRANT_VERIFY_KEY_B64 not set".to_string()),
-    };
+    let key_b64 = verify_key;
 
     // Load and verify grants
     let store = GrantStore::new(grants_path, &key_b64).map_err(|e| e.to_string())?;
@@ -101,8 +97,21 @@ pub fn get_home_status(state: &EngineState) -> (HomeState, PathBuf, bool, Option
         None => return (HomeState::BootstrapPreLogin, home_path, false, None),
     };
 
+    // Get verify key from state (fetched from well-known endpoint)
+    let verify_key = match state.get_grant_verify_key() {
+        Some(k) => k,
+        None => {
+            return (
+                HomeState::AuthenticatedNoHomeGrant,
+                home_path,
+                false,
+                Some("Grant verification key not loaded. Waiting for engine configuration.".to_string()),
+            );
+        }
+    };
+
     // Check for valid HOME grant
-    match check_home_grant(&home_path, &auth) {
+    match check_home_grant(&home_path, &auth, &verify_key) {
         Ok(true) => (HomeState::HomeGranted, home_path, true, None),
         Ok(false) => (
             HomeState::AuthenticatedNoHomeGrant,

package/template/src-tauri/src/main.rs

@@ -7,9 +7,11 @@
 
 mod bootstrap;
 mod commands;
+mod config;
 mod device_secret;
 mod engine_process;
 mod grants;
+mod well_known;
 mod handlers;
 mod node_auth;
 mod node_credentials;
@@ -29,14 +31,11 @@ use tauri::Manager;
 
 fn main() {
     // Load .env.local for development (before anything else)
-    // This provides ENGINE_GRANT_VERIFY_KEY_B64, EKKA_SECURITY_EPOCH, etc.
-    if let Err(e) = dotenvy::from_filename(".env.local") {
+    // This provides EKKA_SECURITY_EPOCH and other dev-time overrides.
+    // Note: ENGINE_GRANT_VERIFY_KEY_B64 is now fetched from /.well-known/ekka-configuration
+    if let Err(_) = dotenvy::from_filename(".env.local") {
         // Also try parent directory (when running from src-tauri)
         let _ = dotenvy::from_filename("../.env.local");
-        // Silence error in production where .env.local may not exist
-        if std::env::var("ENGINE_GRANT_VERIFY_KEY_B64").is_err() {
-            eprintln!("Warning: .env.local not loaded and ENGINE_GRANT_VERIFY_KEY_B64 not set: {}", e);
-        }
     }
 
     // Initialize tracing for runner logs
@@ -64,14 +63,12 @@ fn main() {
             // Attempt to spawn engine process
             tracing::info!(op = "desktop.startup", "EKKA Desktop starting");
 
-            // Log required env vars status
-            let grant_key_set = std::env::var("ENGINE_GRANT_VERIFY_KEY_B64").is_ok();
+            // Log security epoch status (still needed for home bootstrap)
             let security_epoch_set = std::env::var("EKKA_SECURITY_EPOCH").is_ok();
             tracing::info!(
                 op = "desktop.required_env.loaded",
-                ENGINE_GRANT_VERIFY_KEY_B64 = grant_key_set,
                 EKKA_SECURITY_EPOCH = security_epoch_set,
-                "Required security env vars"
+                "Security epoch env var status"
             );
 
             // Log build-time baked engine URL presence (not the URL itself)
@@ -106,6 +103,28 @@ fn main() {
             let node_auth_holder = state_handle.node_auth_token.clone();
             let node_auth_state = state_handle.node_auth_state.clone();
 
+            // Fetch grant verification key from engine's well-known endpoint
+            // This runs async and caches the key in state for grant verification
+            let app_handle = app.app_handle().clone();
+            tauri::async_runtime::spawn(async move {
+                let state = app_handle.state::<EngineState>();
+                match well_known::fetch_and_cache_verify_key(&state).await {
+                    Ok(()) => {
+                        tracing::info!(
+                            op = "desktop.well_known.loaded",
+                            "Grant verification key loaded from engine"
+                        );
+                    }
+                    Err(e) => {
+                        tracing::warn!(
+                            op = "desktop.well_known.failed",
+                            error = %e,
+                            "Failed to fetch grant verification key - grants will not be verified"
+                        );
+                    }
+                }
+            });
+
             // Spawn engine in background thread to not block UI
             let engine = engine_for_setup.clone();
             std::thread::spawn(move || {

package/template/src-tauri/src/node_auth.rs

@@ -17,6 +17,7 @@
 
 #![allow(dead_code)] // API types may not all be used yet
 
+use crate::config;
 use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
 use chrono::{DateTime, Utc};
 use ed25519_dalek::{Signature, Signer, SigningKey, VerifyingKey};
@@ -240,7 +241,8 @@ pub fn get_private_key_vault_path(node_id: &Uuid) -> PathBuf {
 fn derive_node_encryption_key(node_id: &Uuid, device_fingerprint: Option<&str>) -> KeyMaterial {
     // Use node_id + device fingerprint for key derivation
     // This binds the key to this specific node on this device
-    let device_secret = device_fingerprint.unwrap_or("ekka-desktop-default-device");
+    let default_device = format!("{}-default-device", config::app_slug());
+    let device_secret = device_fingerprint.unwrap_or(&default_device);
 
     derive_key(
         device_secret,
@@ -386,7 +388,7 @@ pub fn register_node(
         "node_id": node_id.to_string(),
         "public_key_b64": public_key_b64,
         "default_workspace_id": default_workspace_id,
-        "display_name": "ekka-desktop",
+        "display_name": config::app_name(),
         "node_type": "desktop"
     });
 
@@ -403,7 +405,7 @@ pub fn register_node(
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "register")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&body)
         .send()
@@ -459,7 +461,7 @@ pub fn get_challenge(engine_url: &str, node_id: &Uuid) -> Result<ChallengeRespon
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "challenge")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&serde_json::json!({ "node_id": node_id.to_string() }))
         .send()
@@ -503,7 +505,7 @@ pub fn create_session(
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "session")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&serde_json::json!({
             "node_id": node_id.to_string(),
@@ -798,7 +800,7 @@ impl NodeSessionRunnerConfig {
             ("X-REQUEST-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-MODULE", "engine.runner_tasks".to_string()),
-            ("X-EKKA-CLIENT", "ekka-desktop".to_string()),
+            ("X-EKKA-CLIENT", config::app_slug().to_string()),
             ("X-EKKA-CLIENT-VERSION", "0.2.0".to_string()),
             ("X-EKKA-NODE-ID", self.node_id.to_string()),
         ]

package/template/src-tauri/src/node_credentials.rs

@@ -11,6 +11,7 @@
 //! - No OS keychain prompts
 
 use crate::bootstrap::{initialize_home, resolve_home_path};
+use crate::config;
 use crate::node_vault_store::{
     delete_node_secret, has_node_secret, read_node_secret, write_node_secret,
     SECRET_ID_NODE_CREDENTIALS,
@@ -394,7 +395,7 @@ pub fn authenticate_node(engine_url: &str) -> Result<NodeAuthToken, CredentialsE
         .header("X-EKKA-CORRELATION-ID", &request_id)
         .header("X-EKKA-MODULE", "desktop.node_auth")
         .header("X-EKKA-ACTION", "authenticate")
-        .header("X-EKKA-CLIENT", "ekka-desktop")
+        .header("X-EKKA-CLIENT", config::app_slug())
         .header("X-EKKA-CLIENT-VERSION", "0.2.0")
         .json(&body)
         .send()

package/template/src-tauri/src/node_runner.rs

@@ -17,6 +17,7 @@
 
 #![allow(dead_code)] // API types and fields may not all be used yet
 
+use crate::config;
 use crate::node_auth::{
     refresh_node_session, NodeSession, NodeSessionHolder, NodeSessionRunnerConfig,
 };
@@ -236,7 +237,7 @@ impl NodeSessionRunner {
             ("X-REQUEST-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string()),
             ("X-EKKA-MODULE", "engine.runner_tasks".to_string()),
-            ("X-EKKA-CLIENT", "ekka-desktop".to_string()),
+            ("X-EKKA-CLIENT", config::app_slug().to_string()),
             ("X-EKKA-CLIENT-VERSION", "0.2.0".to_string()),
             ("X-EKKA-NODE-ID", self.node_id.to_string()),
         ])
@@ -700,7 +701,7 @@ impl NodeSessionRunnerHeartbeat {
             .header("X-EKKA-CORRELATION-ID", Uuid::new_v4().to_string())
             .header("X-EKKA-MODULE", "engine.runner_tasks")
             .header("X-EKKA-ACTION", "heartbeat")
-            .header("X-EKKA-CLIENT", "ekka-desktop")
+            .header("X-EKKA-CLIENT", config::app_slug())
             .header("X-EKKA-CLIENT-VERSION", "0.2.0")
             .header("X-EKKA-NODE-ID", self.node_id.to_string())
             .json(&serde_json::json!({ "runner_id": self.runner_id }))

package/template/src-tauri/src/state.rs

@@ -325,6 +325,8 @@ pub struct EngineState {
     pub node_auth_state: Arc<NodeAuthStateHolder>,
     /// External engine process (Phase 3A)
     pub engine_process: Option<Arc<EngineProcess>>,
+    /// Cached grant verification key (fetched from /.well-known/ekka-configuration)
+    pub grant_verify_key: RwLock<Option<String>>,
 }
 
 impl Default for EngineState {
@@ -341,6 +343,7 @@ impl Default for EngineState {
             node_auth_token: Arc::new(NodeAuthTokenHolder::new()),
             node_auth_state: Arc::new(NodeAuthStateHolder::new()),
             engine_process: None,
+            grant_verify_key: RwLock::new(None),
         }
     }
 }
@@ -360,6 +363,7 @@ impl EngineState {
             node_auth_token: Arc::new(NodeAuthTokenHolder::new()),
             node_auth_state: Arc::new(NodeAuthStateHolder::new()),
             engine_process: Some(engine),
+            grant_verify_key: RwLock::new(None),
         }
     }
 
@@ -431,6 +435,18 @@ impl EngineState {
     pub fn clear_vault_cache(&self) {
         self.vault_cache.clear();
     }
+
+    /// Get cached grant verification key
+    pub fn get_grant_verify_key(&self) -> Option<String> {
+        self.grant_verify_key.read().ok()?.clone()
+    }
+
+    /// Set grant verification key (fetched from well-known endpoint)
+    pub fn set_grant_verify_key(&self, key: String) {
+        if let Ok(mut guard) = self.grant_verify_key.write() {
+            *guard = Some(key);
+        }
+    }
 }
 
 // =============================================================================

package/template/src-tauri/src/well_known.rs

@@ -0,0 +1,77 @@
+//! Well-Known Configuration Fetcher
+//!
+//! Fetches public configuration from the EKKA Engine's /.well-known/ekka-configuration endpoint.
+//! This includes the grant verification key needed for cryptographic grant validation.
+
+use crate::config;
+use serde::Deserialize;
+
+/// Response from /.well-known/ekka-configuration
+#[derive(Debug, Deserialize)]
+pub struct WellKnownConfig {
+    pub grant_verify_key_b64: String,
+    pub grant_signing_algorithm: String,
+    #[serde(default)]
+    pub api_version: Option<String>,
+}
+
+/// Fetch the well-known configuration from the engine.
+/// Returns the grant verification key (base64).
+pub async fn fetch_grant_verify_key() -> Result<String, String> {
+    let engine_url = config::engine_url();
+    let url = format!("{}/.well-known/ekka-configuration", engine_url.trim_end_matches('/'));
+
+    tracing::info!(
+        op = "well_known.fetch.start",
+        url = %url,
+        "Fetching grant verification key from engine"
+    );
+
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(10))
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    let response = client
+        .get(&url)
+        .header("X-EKKA-CLIENT", config::app_slug())
+        .send()
+        .await
+        .map_err(|e| format!("Failed to fetch well-known config: {}", e))?;
+
+    if !response.status().is_success() {
+        return Err(format!(
+            "Engine returned error: {} {}",
+            response.status().as_u16(),
+            response.status().canonical_reason().unwrap_or("Unknown")
+        ));
+    }
+
+    let config: WellKnownConfig = response
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse well-known config: {}", e))?;
+
+    tracing::info!(
+        op = "well_known.fetch.success",
+        algorithm = %config.grant_signing_algorithm,
+        "Grant verification key fetched successfully"
+    );
+
+    Ok(config.grant_verify_key_b64)
+}
+
+/// Fetch and cache the grant verification key in state.
+/// Also sets ENGINE_GRANT_VERIFY_KEY_B64 env var for SDK compatibility.
+/// This is called on app startup.
+pub async fn fetch_and_cache_verify_key(state: &crate::state::EngineState) -> Result<(), String> {
+    let key = fetch_grant_verify_key().await?;
+
+    // Cache in state
+    state.set_grant_verify_key(key.clone());
+
+    // Also set env var for SDK compatibility (ekka-ops, ekka-path-guard use it)
+    std::env::set_var("ENGINE_GRANT_VERIFY_KEY_B64", &key);
+
+    Ok(())
+}