create-ekka-desktop-app 0.3.0 → 0.3.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src-tauri/src/grants.rs

@@ -10,7 +10,7 @@ use std::path::PathBuf;
 use std::time::{SystemTime, UNIX_EPOCH};
 
 /// Check if a valid HOME grant exists for the given auth context
-pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext) -> Result<bool, String> {
+pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext, verify_key: &str) -> Result<bool, String> {
     let grants_path = home_path.join("grants.json");
 
     // No grants file = no grant
@@ -18,11 +18,7 @@ pub fn check_home_grant(home_path: &PathBuf, auth: &AuthContext) -> Result<bool,
         return Ok(false);
     }
 
-    // Load engine verify key
-    let key_b64 = match std::env::var("ENGINE_GRANT_VERIFY_KEY_B64") {
-        Ok(k) => k,
-        Err(_) => return Err("ENGINE_GRANT_VERIFY_KEY_B64 not set".to_string()),
-    };
+    let key_b64 = verify_key;
 
     // Load and verify grants
     let store = GrantStore::new(grants_path, &key_b64).map_err(|e| e.to_string())?;
@@ -101,8 +97,21 @@ pub fn get_home_status(state: &EngineState) -> (HomeState, PathBuf, bool, Option
         None => return (HomeState::BootstrapPreLogin, home_path, false, None),
     };
 
+    // Get verify key from state (fetched from well-known endpoint)
+    let verify_key = match state.get_grant_verify_key() {
+        Some(k) => k,
+        None => {
+            return (
+                HomeState::AuthenticatedNoHomeGrant,
+                home_path,
+                false,
+                Some("Grant verification key not loaded. Waiting for engine configuration.".to_string()),
+            );
+        }
+    };
+
     // Check for valid HOME grant
-    match check_home_grant(&home_path, &auth) {
+    match check_home_grant(&home_path, &auth, &verify_key) {
         Ok(true) => (HomeState::HomeGranted, home_path, true, None),
         Ok(false) => (
             HomeState::AuthenticatedNoHomeGrant,

package/template/src-tauri/src/main.rs

@@ -11,6 +11,7 @@ mod config;
 mod device_secret;
 mod engine_process;
 mod grants;
+mod well_known;
 mod handlers;
 mod node_auth;
 mod node_credentials;
@@ -30,14 +31,11 @@ use tauri::Manager;
 
 fn main() {
     // Load .env.local for development (before anything else)
-    // This provides ENGINE_GRANT_VERIFY_KEY_B64, EKKA_SECURITY_EPOCH, etc.
-    if let Err(e) = dotenvy::from_filename(".env.local") {
+    // This provides EKKA_SECURITY_EPOCH and other dev-time overrides.
+    // Note: ENGINE_GRANT_VERIFY_KEY_B64 is now fetched from /.well-known/ekka-configuration
+    if let Err(_) = dotenvy::from_filename(".env.local") {
         // Also try parent directory (when running from src-tauri)
         let _ = dotenvy::from_filename("../.env.local");
-        // Silence error in production where .env.local may not exist
-        if std::env::var("ENGINE_GRANT_VERIFY_KEY_B64").is_err() {
-            eprintln!("Warning: .env.local not loaded and ENGINE_GRANT_VERIFY_KEY_B64 not set: {}", e);
-        }
     }
 
     // Initialize tracing for runner logs
@@ -65,14 +63,12 @@ fn main() {
             // Attempt to spawn engine process
             tracing::info!(op = "desktop.startup", "EKKA Desktop starting");
 
-            // Log required env vars status
-            let grant_key_set = std::env::var("ENGINE_GRANT_VERIFY_KEY_B64").is_ok();
+            // Log security epoch status (still needed for home bootstrap)
             let security_epoch_set = std::env::var("EKKA_SECURITY_EPOCH").is_ok();
             tracing::info!(
                 op = "desktop.required_env.loaded",
-                ENGINE_GRANT_VERIFY_KEY_B64 = grant_key_set,
                 EKKA_SECURITY_EPOCH = security_epoch_set,
-                "Required security env vars"
+                "Security epoch env var status"
             );
 
             // Log build-time baked engine URL presence (not the URL itself)
@@ -107,6 +103,28 @@ fn main() {
             let node_auth_holder = state_handle.node_auth_token.clone();
             let node_auth_state = state_handle.node_auth_state.clone();
 
+            // Fetch grant verification key from engine's well-known endpoint
+            // This runs async and caches the key in state for grant verification
+            let app_handle = app.app_handle().clone();
+            tauri::async_runtime::spawn(async move {
+                let state = app_handle.state::<EngineState>();
+                match well_known::fetch_and_cache_verify_key(&state).await {
+                    Ok(()) => {
+                        tracing::info!(
+                            op = "desktop.well_known.loaded",
+                            "Grant verification key loaded from engine"
+                        );
+                    }
+                    Err(e) => {
+                        tracing::warn!(
+                            op = "desktop.well_known.failed",
+                            error = %e,
+                            "Failed to fetch grant verification key - grants will not be verified"
+                        );
+                    }
+                }
+            });
+
             // Spawn engine in background thread to not block UI
             let engine = engine_for_setup.clone();
             std::thread::spawn(move || {

package/template/src-tauri/src/state.rs

@@ -325,6 +325,8 @@ pub struct EngineState {
     pub node_auth_state: Arc<NodeAuthStateHolder>,
     /// External engine process (Phase 3A)
     pub engine_process: Option<Arc<EngineProcess>>,
+    /// Cached grant verification key (fetched from /.well-known/ekka-configuration)
+    pub grant_verify_key: RwLock<Option<String>>,
 }
 
 impl Default for EngineState {
@@ -341,6 +343,7 @@ impl Default for EngineState {
             node_auth_token: Arc::new(NodeAuthTokenHolder::new()),
             node_auth_state: Arc::new(NodeAuthStateHolder::new()),
             engine_process: None,
+            grant_verify_key: RwLock::new(None),
         }
     }
 }
@@ -360,6 +363,7 @@ impl EngineState {
             node_auth_token: Arc::new(NodeAuthTokenHolder::new()),
             node_auth_state: Arc::new(NodeAuthStateHolder::new()),
             engine_process: Some(engine),
+            grant_verify_key: RwLock::new(None),
         }
     }
 
@@ -431,6 +435,18 @@ impl EngineState {
     pub fn clear_vault_cache(&self) {
         self.vault_cache.clear();
     }
+
+    /// Get cached grant verification key
+    pub fn get_grant_verify_key(&self) -> Option<String> {
+        self.grant_verify_key.read().ok()?.clone()
+    }
+
+    /// Set grant verification key (fetched from well-known endpoint)
+    pub fn set_grant_verify_key(&self, key: String) {
+        if let Ok(mut guard) = self.grant_verify_key.write() {
+            *guard = Some(key);
+        }
+    }
 }
 
 // =============================================================================

package/template/src-tauri/src/well_known.rs

@@ -0,0 +1,77 @@
+//! Well-Known Configuration Fetcher
+//!
+//! Fetches public configuration from the EKKA Engine's /.well-known/ekka-configuration endpoint.
+//! This includes the grant verification key needed for cryptographic grant validation.
+
+use crate::config;
+use serde::Deserialize;
+
+/// Response from /.well-known/ekka-configuration
+#[derive(Debug, Deserialize)]
+pub struct WellKnownConfig {
+    pub grant_verify_key_b64: String,
+    pub grant_signing_algorithm: String,
+    #[serde(default)]
+    pub api_version: Option<String>,
+}
+
+/// Fetch the well-known configuration from the engine.
+/// Returns the grant verification key (base64).
+pub async fn fetch_grant_verify_key() -> Result<String, String> {
+    let engine_url = config::engine_url();
+    let url = format!("{}/engine/.well-known/ekka-configuration", engine_url.trim_end_matches('/'));
+
+    tracing::info!(
+        op = "well_known.fetch.start",
+        url = %url,
+        "Fetching grant verification key from engine"
+    );
+
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(10))
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    let response = client
+        .get(&url)
+        .header("X-EKKA-CLIENT", config::app_slug())
+        .send()
+        .await
+        .map_err(|e| format!("Failed to fetch well-known config: {}", e))?;
+
+    if !response.status().is_success() {
+        return Err(format!(
+            "Engine returned error: {} {}",
+            response.status().as_u16(),
+            response.status().canonical_reason().unwrap_or("Unknown")
+        ));
+    }
+
+    let config: WellKnownConfig = response
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse well-known config: {}", e))?;
+
+    tracing::info!(
+        op = "well_known.fetch.success",
+        algorithm = %config.grant_signing_algorithm,
+        "Grant verification key fetched successfully"
+    );
+
+    Ok(config.grant_verify_key_b64)
+}
+
+/// Fetch and cache the grant verification key in state.
+/// Also sets ENGINE_GRANT_VERIFY_KEY_B64 env var for SDK compatibility.
+/// This is called on app startup.
+pub async fn fetch_and_cache_verify_key(state: &crate::state::EngineState) -> Result<(), String> {
+    let key = fetch_grant_verify_key().await?;
+
+    // Cache in state
+    state.set_grant_verify_key(key.clone());
+
+    // Also set env var for SDK compatibility (ekka-ops, ekka-path-guard use it)
+    std::env::set_var("ENGINE_GRANT_VERIFY_KEY_B64", &key);
+
+    Ok(())
+}