npm - create-ekka-desktop-app - Versions diffs - 0.3.3 → 0.3.5 - Mend

create-ekka-desktop-app 0.3.3 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/template/src-tauri/src/commands.rs +3 -12
package/template/src-tauri/src/main.rs +3 -9
package/template/src-tauri/src/node_credentials.rs +3 -13
package/template/src-tauri/src/security_epoch.rs +128 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src-tauri/src/commands.rs CHANGED Viewed

@@ -741,18 +741,9 @@ fn handle_ensure_node_identity(state: &EngineState) -> EngineResponse {
 /// Requires local engine to be available (strict local engine mode).
 /// Does NOT use Ed25519 register/challenge/session flow.
 fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> EngineResponse {
-    // STRICT LOCAL ENGINE MODE: Gate node_auth + node_runner behind engine availability
-    if !state.is_engine_available() {
-        tracing::warn!(
-            op = "node_runner.skipped.engine_unavailable",
-            engine_available = false,
-            "Node session bootstrap skipped: local engine not available"
-        );
-        return EngineResponse::err(
-            "ENGINE_UNAVAILABLE",
-            "Local engine not available. Node session requires local engine.",
-        );
-    }
+    // NodeSessionRunner is an in-process runner that uses node session auth (Authorization: Bearer).
+    // It does NOT require the local engine-bootstrap binary - it makes direct HTTP calls to the engine API.
+    // The engine_available check was overly restrictive and has been removed.
     // Get home_path
     let home_path = match state.home_path.lock() {

package/template/src-tauri/src/main.rs CHANGED Viewed

@@ -19,6 +19,7 @@ mod node_runner;
 mod node_vault_crypto;
 mod node_vault_store;
 mod ops;
+mod security_epoch;
 mod state;
 mod types;
@@ -31,7 +32,8 @@ use tauri::Manager;
 fn main() {
     // Load .env.local for development (before anything else)
-    // This provides EKKA_SECURITY_EPOCH and other dev-time overrides.
+    // This provides optional dev-time overrides (EKKA_SECURITY_EPOCH, etc).
+    // Note: EKKA_SECURITY_EPOCH is optional - epoch is resolved from marker file by default.
     // Note: ENGINE_GRANT_VERIFY_KEY_B64 is now fetched from /.well-known/ekka-configuration
     if let Err(_) = dotenvy::from_filename(".env.local") {
         // Also try parent directory (when running from src-tauri)
@@ -63,14 +65,6 @@ fn main() {
             // Attempt to spawn engine process
             tracing::info!(op = "desktop.startup", "EKKA Desktop starting");
-            // Log security epoch status (still needed for home bootstrap)
-            let security_epoch_set = std::env::var("EKKA_SECURITY_EPOCH").is_ok();
-            tracing::info!(
-                op = "desktop.required_env.loaded",
-                EKKA_SECURITY_EPOCH = security_epoch_set,
-                "Security epoch env var status"
-            );
             // Log build-time baked engine URL presence (not the URL itself)
             let engine_url_baked = option_env!("EKKA_ENGINE_URL").is_some();
             tracing::info!(

package/template/src-tauri/src/node_credentials.rs CHANGED Viewed

@@ -16,6 +16,7 @@ use crate::node_vault_store::{
     delete_node_secret, has_node_secret, read_node_secret, write_node_secret,
     SECRET_ID_NODE_CREDENTIALS,
 };
+use crate::security_epoch::resolve_security_epoch;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use std::sync::RwLock;
@@ -134,17 +135,6 @@ impl std::fmt::Display for CredentialsError {
 impl std::error::Error for CredentialsError {}
-// =============================================================================
-// Helper: Get epoch for vault operations
-// =============================================================================
-/// Get the security epoch from environment
-fn get_security_epoch() -> u32 {
-    std::env::var("EKKA_SECURITY_EPOCH")
-        .ok()
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(1)
-}
 // =============================================================================
 // Core Functions
@@ -170,7 +160,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
     // Initialize home if needed
     let bootstrap = initialize_home().map_err(|e| CredentialsError::VaultError(e))?;
     let home = bootstrap.home_path();
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(home);
     // Store node_id + node_secret as JSON
     let creds = NodeCredentials {
@@ -202,7 +192,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
 /// * `Err(CredentialsError)` if not found or invalid
 pub fn load_credentials() -> Result<(Uuid, String), CredentialsError> {
     let home = resolve_home_path().map_err(|e| CredentialsError::VaultError(e))?;
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(&home);
     // Key derivation uses device_secret + epoch only (not node_id)
     let plaintext = read_node_secret(&home, epoch, SECRET_ID_NODE_CREDENTIALS)

package/template/src-tauri/src/security_epoch.rs ADDED Viewed

@@ -0,0 +1,128 @@
+//! Security Epoch Resolution
+//!
+//! Resolves the security epoch used for vault key derivation.
+//! Resolution order:
+//! 1. EKKA_SECURITY_EPOCH env var (override for dev/testing)
+//! 2. Marker file epoch_seen field (canonical source)
+//! 3. Default to 1 (new installations)
+use std::path::Path;
+use std::sync::OnceLock;
+/// Cached resolved epoch (env var source only - marker is read fresh)
+static ENV_EPOCH_CACHE: OnceLock<Option<u32>> = OnceLock::new();
+/// Source of the resolved epoch
+#[derive(Debug, Clone, Copy, PartialEq)]
+pub enum EpochSource {
+    Env,
+    Marker,
+    Default,
+}
+impl std::fmt::Display for EpochSource {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            EpochSource::Env => write!(f, "env"),
+            EpochSource::Marker => write!(f, "marker"),
+            EpochSource::Default => write!(f, "default"),
+        }
+    }
+}
+/// Resolve security epoch from env var
+fn try_env_epoch() -> Option<u32> {
+    *ENV_EPOCH_CACHE.get_or_init(|| {
+        std::env::var("EKKA_SECURITY_EPOCH")
+            .ok()
+            .and_then(|s| s.parse().ok())
+    })
+}
+/// Read epoch_seen from marker file
+fn try_marker_epoch(home: &Path) -> Option<u32> {
+    let marker_path = home.join(".ekka-marker.json");
+    let content = std::fs::read_to_string(&marker_path).ok()?;
+    let marker: serde_json::Value = serde_json::from_str(&content).ok()?;
+    marker.get("epoch_seen").and_then(|v| v.as_u64()).map(|v| v as u32)
+}
+/// Resolve security epoch with precedence: env > marker > default
+///
+/// Logs the resolution once per unique (home, source) combination.
+pub fn resolve_security_epoch(home: &Path) -> u32 {
+    let (epoch, source) = resolve_with_source(home);
+    // Log resolution (only first time per call site in practice)
+    tracing::info!(
+        op = "security_epoch.resolved",
+        source = %source,
+        value = epoch,
+        "Security epoch resolved"
+    );
+    epoch
+}
+/// Resolve epoch and return both value and source
+pub fn resolve_with_source(home: &Path) -> (u32, EpochSource) {
+    // 1. Check env var override
+    if let Some(epoch) = try_env_epoch() {
+        return (epoch, EpochSource::Env);
+    }
+    // 2. Read from marker file
+    if let Some(epoch) = try_marker_epoch(home) {
+        return (epoch, EpochSource::Marker);
+    }
+    // 3. Default
+    (1, EpochSource::Default)
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+    use std::fs;
+    #[test]
+    fn test_marker_epoch_read() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "schema_version": "1.0",
+            "app_name": "test",
+            "instance_id": "00000000-0000-0000-0000-000000000000",
+            "device_id_fingerprint": "sha256:test",
+            "created_at": "2024-01-01T00:00:00Z",
+            "last_seen_at": "2024-01-01T00:00:00Z",
+            "epoch_seen": 42,
+            "storage_layout_version": "v1"
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+        let epoch = try_marker_epoch(temp.path());
+        assert_eq!(epoch, Some(42));
+    }
+    #[test]
+    fn test_default_when_no_marker() {
+        let temp = TempDir::new().unwrap();
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 1);
+        assert_eq!(source, EpochSource::Default);
+    }
+    #[test]
+    fn test_marker_source() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "epoch_seen": 5
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 5);
+        assert_eq!(source, EpochSource::Marker);
+    }
+}