create-ekka-desktop-app 0.3.4 → 0.3.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src-tauri/src/main.rs

@@ -19,6 +19,7 @@ mod node_runner;
 mod node_vault_crypto;
 mod node_vault_store;
 mod ops;
+mod security_epoch;
 mod state;
 mod types;
 
@@ -31,7 +32,8 @@ use tauri::Manager;
 
 fn main() {
     // Load .env.local for development (before anything else)
-    // This provides EKKA_SECURITY_EPOCH and other dev-time overrides.
+    // This provides optional dev-time overrides (EKKA_SECURITY_EPOCH, etc).
+    // Note: EKKA_SECURITY_EPOCH is optional - epoch is resolved from marker file by default.
     // Note: ENGINE_GRANT_VERIFY_KEY_B64 is now fetched from /.well-known/ekka-configuration
     if let Err(_) = dotenvy::from_filename(".env.local") {
         // Also try parent directory (when running from src-tauri)
@@ -63,14 +65,6 @@ fn main() {
             // Attempt to spawn engine process
             tracing::info!(op = "desktop.startup", "EKKA Desktop starting");
 
-            // Log security epoch status (still needed for home bootstrap)
-            let security_epoch_set = std::env::var("EKKA_SECURITY_EPOCH").is_ok();
-            tracing::info!(
-                op = "desktop.required_env.loaded",
-                EKKA_SECURITY_EPOCH = security_epoch_set,
-                "Security epoch env var status"
-            );
-
             // Log build-time baked engine URL presence (not the URL itself)
             let engine_url_baked = option_env!("EKKA_ENGINE_URL").is_some();
             tracing::info!(

package/template/src-tauri/src/node_credentials.rs

@@ -16,6 +16,7 @@ use crate::node_vault_store::{
     delete_node_secret, has_node_secret, read_node_secret, write_node_secret,
     SECRET_ID_NODE_CREDENTIALS,
 };
+use crate::security_epoch::resolve_security_epoch;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use std::sync::RwLock;
@@ -134,17 +135,6 @@ impl std::fmt::Display for CredentialsError {
 
 impl std::error::Error for CredentialsError {}
 
-// =============================================================================
-// Helper: Get epoch for vault operations
-// =============================================================================
-
-/// Get the security epoch from environment
-fn get_security_epoch() -> u32 {
-    std::env::var("EKKA_SECURITY_EPOCH")
-        .ok()
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(1)
-}
 
 // =============================================================================
 // Core Functions
@@ -170,7 +160,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
     // Initialize home if needed
     let bootstrap = initialize_home().map_err(|e| CredentialsError::VaultError(e))?;
     let home = bootstrap.home_path();
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(home);
 
     // Store node_id + node_secret as JSON
     let creds = NodeCredentials {
@@ -202,7 +192,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
 /// * `Err(CredentialsError)` if not found or invalid
 pub fn load_credentials() -> Result<(Uuid, String), CredentialsError> {
     let home = resolve_home_path().map_err(|e| CredentialsError::VaultError(e))?;
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(&home);
 
     // Key derivation uses device_secret + epoch only (not node_id)
     let plaintext = read_node_secret(&home, epoch, SECRET_ID_NODE_CREDENTIALS)

package/template/src-tauri/src/security_epoch.rs

@@ -0,0 +1,128 @@
+//! Security Epoch Resolution
+//!
+//! Resolves the security epoch used for vault key derivation.
+//! Resolution order:
+//! 1. EKKA_SECURITY_EPOCH env var (override for dev/testing)
+//! 2. Marker file epoch_seen field (canonical source)
+//! 3. Default to 1 (new installations)
+
+use std::path::Path;
+use std::sync::OnceLock;
+
+/// Cached resolved epoch (env var source only - marker is read fresh)
+static ENV_EPOCH_CACHE: OnceLock<Option<u32>> = OnceLock::new();
+
+/// Source of the resolved epoch
+#[derive(Debug, Clone, Copy, PartialEq)]
+pub enum EpochSource {
+    Env,
+    Marker,
+    Default,
+}
+
+impl std::fmt::Display for EpochSource {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            EpochSource::Env => write!(f, "env"),
+            EpochSource::Marker => write!(f, "marker"),
+            EpochSource::Default => write!(f, "default"),
+        }
+    }
+}
+
+/// Resolve security epoch from env var
+fn try_env_epoch() -> Option<u32> {
+    *ENV_EPOCH_CACHE.get_or_init(|| {
+        std::env::var("EKKA_SECURITY_EPOCH")
+            .ok()
+            .and_then(|s| s.parse().ok())
+    })
+}
+
+/// Read epoch_seen from marker file
+fn try_marker_epoch(home: &Path) -> Option<u32> {
+    let marker_path = home.join(".ekka-marker.json");
+    let content = std::fs::read_to_string(&marker_path).ok()?;
+    let marker: serde_json::Value = serde_json::from_str(&content).ok()?;
+    marker.get("epoch_seen").and_then(|v| v.as_u64()).map(|v| v as u32)
+}
+
+/// Resolve security epoch with precedence: env > marker > default
+///
+/// Logs the resolution once per unique (home, source) combination.
+pub fn resolve_security_epoch(home: &Path) -> u32 {
+    let (epoch, source) = resolve_with_source(home);
+
+    // Log resolution (only first time per call site in practice)
+    tracing::info!(
+        op = "security_epoch.resolved",
+        source = %source,
+        value = epoch,
+        "Security epoch resolved"
+    );
+
+    epoch
+}
+
+/// Resolve epoch and return both value and source
+pub fn resolve_with_source(home: &Path) -> (u32, EpochSource) {
+    // 1. Check env var override
+    if let Some(epoch) = try_env_epoch() {
+        return (epoch, EpochSource::Env);
+    }
+
+    // 2. Read from marker file
+    if let Some(epoch) = try_marker_epoch(home) {
+        return (epoch, EpochSource::Marker);
+    }
+
+    // 3. Default
+    (1, EpochSource::Default)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+    use std::fs;
+
+    #[test]
+    fn test_marker_epoch_read() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "schema_version": "1.0",
+            "app_name": "test",
+            "instance_id": "00000000-0000-0000-0000-000000000000",
+            "device_id_fingerprint": "sha256:test",
+            "created_at": "2024-01-01T00:00:00Z",
+            "last_seen_at": "2024-01-01T00:00:00Z",
+            "epoch_seen": 42,
+            "storage_layout_version": "v1"
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+
+        let epoch = try_marker_epoch(temp.path());
+        assert_eq!(epoch, Some(42));
+    }
+
+    #[test]
+    fn test_default_when_no_marker() {
+        let temp = TempDir::new().unwrap();
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 1);
+        assert_eq!(source, EpochSource::Default);
+    }
+
+    #[test]
+    fn test_marker_source() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "epoch_seen": 5
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 5);
+        assert_eq!(source, EpochSource::Marker);
+    }
+}