create-ekka-desktop-app 0.3.5 → 0.3.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.3.5",
+  "version": "0.3.7",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src/demo/DemoApp.tsx

@@ -35,6 +35,34 @@ interface DemoState {
   error: string | null;
 }
 
+// DocGen state persisted across tab switches
+interface DocGenPersistedState {
+  runId: string | null;
+  folder: string | null;
+}
+
+const DOCGEN_STORAGE_KEY = 'ekka.docgen.state';
+
+function loadDocGenState(): DocGenPersistedState {
+  try {
+    const saved = localStorage.getItem(DOCGEN_STORAGE_KEY);
+    if (saved) {
+      return JSON.parse(saved) as DocGenPersistedState;
+    }
+  } catch {
+    // Ignore parse errors
+  }
+  return { runId: null, folder: null };
+}
+
+function saveDocGenState(state: DocGenPersistedState): void {
+  try {
+    localStorage.setItem(DOCGEN_STORAGE_KEY, JSON.stringify(state));
+  } catch {
+    // Ignore storage errors
+  }
+}
+
 export function DemoApp(): ReactElement {
   const [selectedPage, setSelectedPage] = useState<Page>('path-permissions');
   const [darkMode, setDarkMode] = useState<boolean>(() => {
@@ -51,6 +79,14 @@ export function DemoApp(): ReactElement {
     error: null,
   });
 
+  // DocGen state - persisted to localStorage
+  const [docGenState, setDocGenState] = useState<DocGenPersistedState>(loadDocGenState);
+
+  const handleDocGenStateChange = (newState: DocGenPersistedState) => {
+    setDocGenState(newState);
+    saveDocGenState(newState);
+  };
+
   useEffect(() => {
     void initializeApp();
   }, []);
@@ -251,7 +287,13 @@ export function DemoApp(): ReactElement {
       {state.error && <div style={errorStyle}>{state.error}</div>}
       {selectedPage === 'path-permissions' && <PathPermissionsPage darkMode={darkMode} />}
       {selectedPage === 'vault' && <VaultPage darkMode={darkMode} />}
-      {selectedPage === 'doc-gen' && <DocGenPage darkMode={darkMode} />}
+      {selectedPage === 'doc-gen' && (
+        <DocGenPage
+          darkMode={darkMode}
+          persistedState={docGenState}
+          onStateChange={handleDocGenStateChange}
+        />
+      )}
       {selectedPage === 'runner' && <RunnerPage darkMode={darkMode} />}
       {selectedPage === 'audit-log' && <AuditLogPage darkMode={darkMode} />}
       {selectedPage === 'system' && <SystemPage darkMode={darkMode} />}

package/template/src/demo/pages/DocGenPage.tsx

@@ -14,8 +14,15 @@ import {
 } from '../../ekka/ops/workflowRuns';
 import * as debugOps from '../../ekka/ops/debug';
 
+interface DocGenPersistedState {
+  runId: string | null;
+  folder: string | null;
+}
+
 interface DocGenPageProps {
   darkMode: boolean;
+  persistedState?: DocGenPersistedState;
+  onStateChange?: (state: DocGenPersistedState) => void;
 }
 
 type GenerationStatus = 'idle' | 'queued' | 'running' | 'completed' | 'failed';
@@ -27,16 +34,22 @@ const PROMPT_CONFIG = {
   prompt_version: '1',
 } as const;
 
-export function DocGenPage({ darkMode }: DocGenPageProps): ReactElement {
-  const [selectedFolder, setSelectedFolder] = useState<string | null>(null);
+export function DocGenPage({ darkMode, persistedState, onStateChange }: DocGenPageProps): ReactElement {
+  const [selectedFolder, setSelectedFolder] = useState<string | null>(persistedState?.folder ?? null);
   const [status, setStatus] = useState<GenerationStatus>('idle');
-  const [workflowRunId, setWorkflowRunId] = useState<string | null>(null);
+  const [workflowRunId, setWorkflowRunId] = useState<string | null>(persistedState?.runId ?? null);
   const [workflowRun, setWorkflowRun] = useState<WorkflowRun | null>(null);
   const [error, setError] = useState<string | null>(null);
   const [copySuccess, setCopySuccess] = useState(false);
   const [isDevMode, setIsDevMode] = useState(false);
   const [pathCopySuccess, setPathCopySuccess] = useState(false);
   const pollingRef = useRef<number | null>(null);
+  const hasResumedRef = useRef(false);
+
+  // Notify parent of state changes for persistence
+  const updatePersistedState = (runId: string | null, folder: string | null) => {
+    onStateChange?.({ runId, folder });
+  };
 
   const colors = {
     text: darkMode ? '#ffffff' : '#1d1d1f',
@@ -296,6 +309,45 @@ export function DocGenPage({ darkMode }: DocGenPageProps): ReactElement {
     };
   }, []);
 
+  // Resume from persisted state on mount
+  useEffect(() => {
+    if (hasResumedRef.current) return;
+    if (!persistedState?.runId) return;
+
+    hasResumedRef.current = true;
+
+    // Fetch current status of persisted run
+    const resumeRun = async () => {
+      try {
+        const run = await getWorkflowRun(persistedState.runId!);
+        setWorkflowRun(run);
+
+        if (run.status === 'completed') {
+          setStatus('completed');
+        } else if (run.status === 'failed') {
+          setStatus('failed');
+          setError(run.error || 'Workflow failed');
+        } else if (run.status === 'running' || run.progress > 0) {
+          setStatus('running');
+          // Resume polling
+          startPolling(persistedState.runId!);
+        } else {
+          setStatus('queued');
+          // Resume polling
+          startPolling(persistedState.runId!);
+        }
+      } catch (err) {
+        // Run may have been deleted or expired - clear persisted state
+        console.warn('[DocGen] Failed to resume run:', err);
+        updatePersistedState(null, selectedFolder);
+        setWorkflowRunId(null);
+        setStatus('idle');
+      }
+    };
+
+    void resumeRun();
+  }, [persistedState?.runId]);
+
   // Handle folder selection
   const handleSelectFolder = async () => {
     setError(null);
@@ -308,6 +360,8 @@ export function DocGenPage({ darkMode }: DocGenPageProps): ReactElement {
         setStatus('idle');
         setWorkflowRunId(null);
         setWorkflowRun(null);
+        // Persist folder, clear run
+        updatePersistedState(null, selected);
       }
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -342,6 +396,8 @@ export function DocGenPage({ darkMode }: DocGenPageProps): ReactElement {
       });
 
       setWorkflowRunId(response.id);
+      // Persist run ID for tab switch recovery
+      updatePersistedState(response.id, selectedFolder);
 
       // Start polling
       startPolling(response.id);

package/template/src-tauri/src/commands.rs

@@ -763,8 +763,7 @@ fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> Engine
         Err(e) => return EngineResponse::err("INTERNAL_ERROR", &e.to_string()),
     };
 
-    // REQUIRE node auth token (from startup auth via node_id + node_secret)
-    // Do NOT fall back to user auth or Ed25519 flow
+    // Get node auth token - try auto-auth if not available
     let node_token = match state.get_node_auth_token() {
         Some(token) => {
             tracing::info!(
@@ -776,14 +775,55 @@ fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> Engine
             token
         }
         None => {
-            tracing::error!(
-                op = "node_session.no_token",
-                "Node auth token not available - authenticate node at startup first"
-            );
-            return EngineResponse::err(
-                "NODE_NOT_AUTHENTICATED",
-                "Node not authenticated. Restart app with valid node credentials.",
+            // Token missing - try auto-auth from vault (single-flight)
+            // Check prerequisites BEFORE acquiring lock
+            if !node_credentials::has_credentials() {
+                tracing::error!(
+                    op = "node_session.no_credentials",
+                    "Node credentials not configured"
+                );
+                return EngineResponse::err(
+                    "NODE_CREDENTIALS_MISSING",
+                    "Node credentials not configured. Complete setup first.",
+                );
+            }
+
+            // Get engine URL from baked config (same source as everywhere else)
+            let engine_url = config::engine_url();
+
+            // Now acquire single-flight lock (after all prerequisite checks)
+            if !state.node_auth_state.try_start() {
+                return EngineResponse::err("NODE_AUTH_IN_PROGRESS", "Authentication in progress, please wait");
+            }
+
+            // From here, ALL paths must call set_authenticated() or set_failed()
+            tracing::info!(
+                op = "node_session.auto_auth",
+                "Auto-authenticating node after setup"
             );
+
+            match node_credentials::authenticate_node(engine_url) {
+                Ok(token) => {
+                    state.node_auth_token.set(token.clone());
+                    state.node_auth_state.set_authenticated();
+                    tracing::info!(
+                        op = "node_session.auto_auth_success",
+                        node_id = %token.node_id,
+                        "Node auto-authenticated successfully"
+                    );
+                    token
+                }
+                Err(e) => {
+                    let error_msg = format!("Node authentication failed: {}", e);
+                    tracing::error!(
+                        op = "node_session.auto_auth_failed",
+                        error = %e,
+                        "Node auto-authentication failed"
+                    );
+                    state.node_auth_state.set_failed(error_msg.clone());
+                    return EngineResponse::err("NODE_NOT_AUTHENTICATED", &error_msg);
+                }
+            }
         }
     };
 

package/template/src-tauri/src/node_runner.rs

@@ -1,26 +1,26 @@
 //! Desktop Node Session Runner
 //!
-//! Runner loop that uses Ed25519 node session authentication instead of internal service keys.
+//! Runner loop using node_id + node_secret authentication (NOT Ed25519).
 //!
 //! ## Architecture
 //!
-//! - Bootstrap node session FIRST before starting runner
-//! - Runner uses session token for all engine calls
-//! - Session is refreshed automatically when expired
-//! - Tenant/workspace comes from session (EKKA decides scope)
+//! - Uses node_credentials (vault) for authentication
+//! - Runner uses JWT token for all engine calls
+//! - Token refreshed automatically via node_secret auth when expired
+//! - Tenant/workspace comes from token (EKKA decides scope)
 //!
 //! ## Security
 //!
-//! - NO internal service keys used
+//! - NO Ed25519 keys required
 //! - NO environment variable credentials
-//! - Session tokens held in memory only
+//! - Tokens held in memory only
+//! - node_secret never logged
 
 #![allow(dead_code)] // API types and fields may not all be used yet
 
 use crate::config;
-use crate::node_auth::{
-    refresh_node_session, NodeSession, NodeSessionHolder, NodeSessionRunnerConfig,
-};
+use crate::node_auth::{NodeSession, NodeSessionHolder, NodeSessionRunnerConfig};
+use crate::node_credentials::authenticate_node;
 use crate::state::RunnerState;
 // Use ekka_runner_local for enhanced executor with debug bundle support
 use ekka_runner_local::dispatch::{classify_error, dispatch_task};
@@ -189,10 +189,8 @@ impl NodeSessionRunner {
 
     /// Get current valid session, refreshing if needed
     ///
+    /// Uses node_id + node_secret authentication (NOT Ed25519 keys).
     /// IMPORTANT: Uses spawn_blocking to avoid Tokio runtime panic.
-    /// The refresh_node_session function uses reqwest::blocking::Client internally,
-    /// which creates its own runtime. Calling it directly in async context causes:
-    /// "Cannot drop a runtime in a context where blocking is not allowed"
     async fn get_session(&self) -> Result<NodeSession, String> {
         // Check if we have a valid session
         if let Some(session) = self.session_holder.get_valid() {
@@ -200,29 +198,44 @@ impl NodeSessionRunner {
         }
 
         // Need to refresh - use spawn_blocking to avoid runtime panic
-        info!(op = "node_runner.refresh_session.start", "Refreshing node session");
+        info!(
+            op = "node_runner.refresh_session.start",
+            method = "node_secret",
+            "Refreshing node session via node_secret auth"
+        );
 
-        let home_path = self.home_path.clone();
-        let node_id = self.node_id;
         let engine_url = self.engine_url.clone();
-        let device_fingerprint = self.device_fingerprint.clone();
-
-        let session = tokio::task::spawn_blocking(move || {
-            refresh_node_session(
-                &home_path,
-                &node_id,
-                &engine_url,
-                device_fingerprint.as_deref(),
-            )
+
+        let auth_token = tokio::task::spawn_blocking(move || {
+            authenticate_node(&engine_url)
         })
         .await
         .map_err(|e| format!("Session refresh task failed: {}", e))?
         .map_err(|e| {
-            error!(op = "node_runner.refresh_session.failed", error = %e, "Session refresh failed");
+            error!(
+                op = "node_runner.refresh_session.failed",
+                method = "node_secret",
+                error = %e,
+                "Session refresh via node_secret failed"
+            );
             format!("Session refresh failed: {}", e)
         })?;
 
-        info!(op = "node_runner.refresh_session.ok", session_id = %session.session_id, "Session refreshed successfully");
+        // Convert NodeAuthToken to NodeSession
+        let session = NodeSession {
+            token: auth_token.token,
+            session_id: auth_token.session_id,
+            tenant_id: auth_token.tenant_id,
+            workspace_id: auth_token.workspace_id,
+            expires_at: auth_token.expires_at,
+        };
+
+        info!(
+            op = "node_runner.refresh_session.ok",
+            method = "node_secret",
+            session_id = %session.session_id,
+            "Session refreshed successfully via node_secret"
+        );
         self.session_holder.set(session.clone());
         Ok(session)
     }
@@ -526,9 +539,7 @@ impl NodeSessionRunner {
             engine_url: self.engine_url.clone(),
             runner_id: self.runner_id.clone(),
             session_holder: self.session_holder.clone(),
-            home_path: self.home_path.clone(),
             node_id: self.node_id,
-            device_fingerprint: self.device_fingerprint.clone(),
         };
 
         let heartbeat_fn: Arc<
@@ -643,9 +654,7 @@ struct NodeSessionRunnerHeartbeat {
     engine_url: String,
     runner_id: String,
     session_holder: Arc<NodeSessionHolder>,
-    home_path: PathBuf,
-    node_id: Uuid,
-    device_fingerprint: Option<String>,
+    node_id: Uuid, // Kept for headers only
 }
 
 impl NodeSessionRunnerHeartbeat {
@@ -654,31 +663,45 @@ impl NodeSessionRunnerHeartbeat {
         let session = if let Some(s) = self.session_holder.get_valid() {
             s
         } else {
-            // Try to refresh - use spawn_blocking to avoid Tokio runtime panic
-            // The refresh_node_session function uses reqwest::blocking::Client internally
-            info!(op = "node_runner.heartbeat.refresh_session.start", "Refreshing session for heartbeat");
+            // Try to refresh using node_secret auth (NOT Ed25519)
+            info!(
+                op = "node_runner.heartbeat.refresh_session.start",
+                method = "node_secret",
+                "Refreshing session for heartbeat via node_secret"
+            );
 
-            let home_path = self.home_path.clone();
-            let node_id = self.node_id;
             let engine_url = self.engine_url.clone();
-            let device_fingerprint = self.device_fingerprint.clone();
-
-            let session = tokio::task::spawn_blocking(move || {
-                refresh_node_session(
-                    &home_path,
-                    &node_id,
-                    &engine_url,
-                    device_fingerprint.as_deref(),
-                )
+
+            let auth_token = tokio::task::spawn_blocking(move || {
+                authenticate_node(&engine_url)
             })
             .await
             .map_err(|e| format!("Session refresh task failed: {}", e))?
             .map_err(|e| {
-                error!(op = "node_runner.heartbeat.refresh_session.failed", error = %e, "Session refresh for heartbeat failed");
+                error!(
+                    op = "node_runner.heartbeat.refresh_session.failed",
+                    method = "node_secret",
+                    error = %e,
+                    "Session refresh for heartbeat failed"
+                );
                 format!("Session refresh failed: {}", e)
             })?;
 
-            info!(op = "node_runner.heartbeat.refresh_session.ok", session_id = %session.session_id, "Session refreshed for heartbeat");
+            // Convert NodeAuthToken to NodeSession
+            let session = NodeSession {
+                token: auth_token.token,
+                session_id: auth_token.session_id,
+                tenant_id: auth_token.tenant_id,
+                workspace_id: auth_token.workspace_id,
+                expires_at: auth_token.expires_at,
+            };
+
+            info!(
+                op = "node_runner.heartbeat.refresh_session.ok",
+                method = "node_secret",
+                session_id = %session.session_id,
+                "Session refreshed for heartbeat via node_secret"
+            );
             self.session_holder.set(session.clone());
             session
         };
@@ -742,10 +765,15 @@ impl NodeSessionRunnerHeartbeat {
 // Public API
 // =============================================================================
 
+/// Max consecutive errors before entering backoff mode
+const MAX_CONSECUTIVE_ERRORS: u32 = 3;
+/// Max backoff delay in seconds
+const MAX_BACKOFF_SECS: u64 = 60;
+
 /// Start the node session runner loop
 ///
-/// This is the replacement for the internal-key based runner.
-/// Requires a valid node session to be established first.
+/// Uses node_id + node_secret auth for session refresh (NOT Ed25519).
+/// Includes backoff on repeated failures to prevent poll spam.
 pub async fn run_node_session_runner_loop(
     config: NodeSessionRunnerConfig,
     session_holder: Arc<NodeSessionHolder>,
@@ -764,9 +792,12 @@ pub async fn run_node_session_runner_loop(
         op = "node_runner.start",
         runner_id = %runner.runner_id,
         node_id = %runner.node_id,
-        "Node session runner starting"
+        auth_method = "node_secret",
+        "Node session runner starting (uses node_secret auth)"
     );
 
+    let mut consecutive_errors: u32 = 0;
+
     loop {
         // Check for shutdown signal
         if *shutdown_rx.borrow() {
@@ -777,6 +808,8 @@ pub async fn run_node_session_runner_loop(
 
         match runner.poll_tasks().await {
             Ok(tasks) => {
+                // Reset error count on success
+                consecutive_errors = 0;
                 cb.on_poll();
 
                 if tasks.is_empty() {
@@ -811,9 +844,29 @@ pub async fn run_node_session_runner_loop(
                 }
             }
             Err(e) => {
-                error!(op = "node_runner.poll.error", error = %e, "Poll failed");
+                consecutive_errors += 1;
+
+                // Calculate backoff: exponential up to MAX_BACKOFF_SECS
+                let backoff_secs = if consecutive_errors >= MAX_CONSECUTIVE_ERRORS {
+                    std::cmp::min(
+                        POLL_INTERVAL_SECS * (1 << (consecutive_errors - MAX_CONSECUTIVE_ERRORS)),
+                        MAX_BACKOFF_SECS,
+                    )
+                } else {
+                    POLL_INTERVAL_SECS
+                };
+
+                error!(
+                    op = "node_runner.poll.error",
+                    error = %e,
+                    consecutive_errors = consecutive_errors,
+                    backoff_secs = backoff_secs,
+                    "Poll failed"
+                );
                 cb.on_error(&e);
-                tokio::time::sleep(Duration::from_secs(POLL_INTERVAL_SECS)).await;
+
+                // Wait with backoff
+                tokio::time::sleep(Duration::from_secs(backoff_secs)).await;
             }
         }