npm - create-ekka-desktop-app - Versions diffs - 0.4.0 → 0.4.1 - Mend

create-ekka-desktop-app 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/bin/cli.js +1 -5
package/package.json +1 -1
package/template/src/demo/DemoApp.tsx +0 -44
package/template/src/demo/layout/Sidebar.tsx +2 -13
package/template/src/demo/pages/LoginPage.tsx +1 -2
package/template/src/demo/pages/SystemPage.tsx +1 -1
package/template/src/ekka/backend/demo.ts +1 -1
package/template/src/ekka/constants.ts +0 -4
package/template/src/ekka/index.ts +0 -2
package/template/src/ekka/internal/backend.ts +8 -8
package/template/src/ekka/ops/index.ts +1 -2
package/template/src/ekka/utils/index.ts +0 -1
package/template/src-tauri/Cargo.toml +2 -0
package/template/src-tauri/crates/ekka-desktop-core/Cargo.toml +30 -0
package/template/src-tauri/crates/ekka-desktop-core/build.rs +42 -0
package/template/src-tauri/crates/ekka-desktop-core/src/bootstrap.rs +39 -0
package/template/src-tauri/crates/ekka-desktop-core/src/config.rs +32 -0
package/template/src-tauri/crates/ekka-desktop-core/src/device_secret.rs +74 -0
package/template/src-tauri/crates/ekka-desktop-core/src/main.rs +1225 -0
package/template/src-tauri/crates/ekka-desktop-core/src/node_credentials.rs +413 -0
package/template/src-tauri/crates/ekka-desktop-core/src/node_vault_crypto.rs +57 -0
package/template/src-tauri/crates/ekka-desktop-core/src/node_vault_store.rs +198 -0
package/template/src-tauri/crates/ekka-desktop-core/src/security_epoch.rs +80 -0
package/template/src-tauri/resources/ekka-engine-bootstrap +0 -0
package/template/src-tauri/src/commands.rs +137 -958
package/template/src-tauri/src/config.rs +4 -44
package/template/src-tauri/src/core_process.rs +335 -0
package/template/src-tauri/src/engine_process.rs +103 -0
package/template/src-tauri/src/handlers/home.rs +1 -32
package/template/src-tauri/src/main.rs +240 -153
package/template/src-tauri/src/node_auth.rs +2 -748
package/template/src-tauri/src/node_credentials.rs +2 -201
package/template/src-tauri/src/node_runner.rs +2 -55
package/template/src-tauri/src/node_vault_crypto.rs +0 -33
package/template/src-tauri/src/node_vault_store.rs +1 -150
package/template/src-tauri/src/ops/mod.rs +0 -2
package/template/src-tauri/src/state.rs +7 -63
package/template/src-tauri/src/types.rs +1 -23
package/template/src-tauri/src/updater.rs +215 -0
package/template/src-tauri/tauri.conf.json +9 -0
package/template/src/demo/pages/DocGenPage.tsx +0 -731
package/template/src/ekka/config.ts +0 -48
package/template/src/ekka/ops/debug.ts +0 -68
package/template/src/ekka/ops/executionRuns.ts +0 -147
package/template/src/ekka/ops/workflowRuns.ts +0 -119
package/template/src/ekka/utils/idempotency.ts +0 -14
package/template/src-tauri/src/ops/home.rs +0 -251
package/template/src-tauri/src/ops/runtime.rs +0 -21
package/template/src-tauri/src/well_known.rs +0 -83

package/bin/cli.js CHANGED Viewed

@@ -225,14 +225,10 @@ Creating EKKA desktop app in ${targetDir}...
   cargoContent = cargoContent.replace(/^description = ".*"$/m, `description = "${config.app.name}"`);
   writeFileSync(cargoPath, cargoContent);
-  // Update src-tauri/tauri.conf.json
+  // Update src-tauri/tauri.conf.json identifier
   const tauriConfPath = join(targetDir, 'src-tauri', 'tauri.conf.json');
   const tauriConf = JSON.parse(readFileSync(tauriConfPath, 'utf8'));
   tauriConf.identifier = config.app.identifier;
-  tauriConf.productName = config.app.name;
-  if (tauriConf.app?.windows?.[0]) {
-    tauriConf.app.windows[0].title = config.app.name;
-  }
   writeFileSync(tauriConfPath, JSON.stringify(tauriConf, null, 2) + '\n');
   console.log(`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src/demo/DemoApp.tsx CHANGED Viewed

@@ -19,7 +19,6 @@ import { SystemPage } from './pages/SystemPage';
 import { AuditLogPage } from './pages/AuditLogPage';
 import { PathPermissionsPage } from './pages/PathPermissionsPage';
 import { VaultPage } from './pages/VaultPage';
-import { DocGenPage } from './pages/DocGenPage';
 import { RunnerPage } from './pages/RunnerPage';
 import { LoginPage } from './pages/LoginPage';
 import { HomeSetupPage } from './pages/HomeSetupPage';
@@ -35,34 +34,6 @@ interface DemoState {
   error: string | null;
 }
-// DocGen state persisted across tab switches
-interface DocGenPersistedState {
-  runId: string | null;
-  folder: string | null;
-}
-const DOCGEN_STORAGE_KEY = 'ekka.docgen.state';
-function loadDocGenState(): DocGenPersistedState {
-  try {
-    const saved = localStorage.getItem(DOCGEN_STORAGE_KEY);
-    if (saved) {
-      return JSON.parse(saved) as DocGenPersistedState;
-    }
-  } catch {
-    // Ignore parse errors
-  }
-  return { runId: null, folder: null };
-}
-function saveDocGenState(state: DocGenPersistedState): void {
-  try {
-    localStorage.setItem(DOCGEN_STORAGE_KEY, JSON.stringify(state));
-  } catch {
-    // Ignore storage errors
-  }
-}
 export function DemoApp(): ReactElement {
   const [selectedPage, setSelectedPage] = useState<Page>('path-permissions');
   const [darkMode, setDarkMode] = useState<boolean>(() => {
@@ -79,14 +50,6 @@ export function DemoApp(): ReactElement {
     error: null,
   });
-  // DocGen state - persisted to localStorage
-  const [docGenState, setDocGenState] = useState<DocGenPersistedState>(loadDocGenState);
-  const handleDocGenStateChange = (newState: DocGenPersistedState) => {
-    setDocGenState(newState);
-    saveDocGenState(newState);
-  };
   useEffect(() => {
     void initializeApp();
   }, []);
@@ -287,13 +250,6 @@ export function DemoApp(): ReactElement {
       {state.error && <div style={errorStyle}>{state.error}</div>}
       {selectedPage === 'path-permissions' && <PathPermissionsPage darkMode={darkMode} />}
       {selectedPage === 'vault' && <VaultPage darkMode={darkMode} />}
-      {selectedPage === 'doc-gen' && (
-        <DocGenPage
-          darkMode={darkMode}
-          persistedState={docGenState}
-          onStateChange={handleDocGenStateChange}
-        />
-      )}
       {selectedPage === 'runner' && <RunnerPage darkMode={darkMode} />}
       {selectedPage === 'audit-log' && <AuditLogPage darkMode={darkMode} />}
       {selectedPage === 'system' && <SystemPage darkMode={darkMode} />}

package/template/src/demo/layout/Sidebar.tsx CHANGED Viewed

@@ -4,9 +4,8 @@
  */
 import { type CSSProperties, type ReactElement } from 'react';
-import branding from '../../../branding/app.json';
-export type Page = 'audit-log' | 'path-permissions' | 'vault' | 'doc-gen' | 'runner' | 'system';
+export type Page = 'audit-log' | 'path-permissions' | 'vault' | 'runner' | 'system';
 interface SidebarProps {
   selectedPage: Page;
@@ -119,14 +118,13 @@ export function Sidebar({ selectedPage, onNavigate, darkMode }: SidebarProps): R
   return (
     <aside style={styles.sidebar}>
       <div style={styles.logo}>
-        <span style={styles.logoText}>{branding.name}</span>
+        <span style={styles.logoText}>EKKA Desktop</span>
       </div>
       <nav style={styles.nav}>
         <div style={styles.sectionLabel}>Tools</div>
         <NavButton page="path-permissions" label="Path Permissions" icon={<PathIcon />} />
         <NavButton page="vault" label="Vault" icon={<VaultIcon />} />
-        <NavButton page="doc-gen" label="Generate Docs" icon={<DocGenIcon />} />
         <NavButton page="runner" label="Runner" icon={<RunnerIcon />} />
         <NavButton page="audit-log" label="Audit Log" icon={<AuditIcon />} />
       </nav>
@@ -173,15 +171,6 @@ function SystemIcon(): ReactElement {
   );
 }
-function DocGenIcon(): ReactElement {
-  return (
-    <svg width="16" height="16" viewBox="0 0 16 16" fill="currentColor" style={{ opacity: 0.7 }}>
-      <path d="M14 4.5V14a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V2a2 2 0 0 1 2-2h5.5L14 4.5zM9.5 4V1H4a1 1 0 0 0-1 1v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1V4.5h-3.5z" />
-      <path d="M4.5 12.5A.5.5 0 0 1 5 12h3a.5.5 0 0 1 0 1H5a.5.5 0 0 1-.5-.5zm0-2A.5.5 0 0 1 5 10h6a.5.5 0 0 1 0 1H5a.5.5 0 0 1-.5-.5zm0-2A.5.5 0 0 1 5 8h6a.5.5 0 0 1 0 1H5a.5.5 0 0 1-.5-.5zm0-2A.5.5 0 0 1 5 6h6a.5.5 0 0 1 0 1H5a.5.5 0 0 1-.5-.5z" />
-    </svg>
-  );
-}
 function RunnerIcon(): ReactElement {
   return (
     <svg width="16" height="16" viewBox="0 0 16 16" fill="currentColor" style={{ opacity: 0.7 }}>

package/template/src/demo/pages/LoginPage.tsx CHANGED Viewed

@@ -6,7 +6,6 @@
 import { useState, type ReactElement, type FormEvent } from 'react';
 import { ekka } from '../../ekka';
-import branding from '../../../branding/app.json';
 interface LoginPageProps {
   onLoginSuccess: () => void;
@@ -135,7 +134,7 @@ export function LoginPage({ onLoginSuccess, darkMode }: LoginPageProps): ReactEl
   return (
     <div style={styles.container}>
       <div style={styles.card}>
-        <div style={styles.logo}>{branding.name}</div>
+        <div style={styles.logo}>EKKA Desktop</div>
         <div style={styles.subtitle}>Sign in to continue</div>
         <form style={styles.form} onSubmit={handleSubmit}>

package/template/src/demo/pages/SystemPage.tsx CHANGED Viewed

@@ -383,7 +383,7 @@ export function SystemPage({ darkMode }: SystemPageProps): ReactElement {
           <div style={styles.row}>
             <span style={styles.label}>Environment</span>
             <span style={{ ...styles.badge, ...styles.badgeBlue }}>
-              {info.runtime?.runtime === 'tauri' ? 'Desktop (Tauri)' : 'Web Browser'}
+              {info.runtime?.runtime === 'ekka-bridge' ? 'EKKA Desktop' : 'Web Browser'}
             </span>
           </div>
           <div style={styles.row}>

package/template/src/ekka/backend/demo.ts CHANGED Viewed

@@ -19,7 +19,7 @@ const DEMO_HOME_PATH = `~/.local/share/${slugify(branding.name) || 'ekka-desktop
 /**
  * Demo backend using in-memory storage.
- * Used when Tauri engine is not available.
+ * Used when EKKA Bridge is not available.
  */
 export class DemoBackend implements Backend {
   private connected = false;

package/template/src/ekka/constants.ts CHANGED Viewed

@@ -33,10 +33,6 @@ export const OPS = {
   RUNNER_STATUS: 'runner.status',
   RUNNER_TASK_STATS: 'runner.taskStats',
-  // Workflow Runs (proxied via Rust)
-  WORKFLOW_RUNS_CREATE: 'workflowRuns.create',
-  WORKFLOW_RUNS_GET: 'workflowRuns.get',
   // Auth (proxied via Rust)
   AUTH_LOGIN: 'auth.login',
   AUTH_REFRESH: 'auth.refresh',

package/template/src/ekka/index.ts CHANGED Viewed

@@ -501,8 +501,6 @@ export {
   formatExpiryInfo,
 } from './utils/time';
-export { generateIdempotencyKey } from './utils/idempotency';
 // =============================================================================
 // AUDIT (client-side event logging)
 // =============================================================================

package/template/src/ekka/internal/backend.ts CHANGED Viewed

@@ -18,7 +18,7 @@ export type TransportMode = 'unknown' | 'engine' | 'demo';
  * SmartBackend - single backend that auto-detects engine vs demo.
  *
  * On connect():
- * - Tries to connect to Tauri engine
+ * - Tries to connect to EKKA Bridge
  * - If successful: engine mode
  * - If fails: demo mode (in-memory)
  */
@@ -34,7 +34,7 @@ class SmartBackend {
   async connect(): Promise<void> {
     if (this.connected) return;
-    // Try engine first (only works in Tauri with engine present)
+    // Try engine first (only works in EKKA Bridge with engine present)
     try {
       const { invoke } = await import('@tauri-apps/api/core');
       await invoke('engine_connect');
@@ -88,7 +88,7 @@ class SmartBackend {
    * Send a request to the backend.
    */
   async request(req: EngineRequest): Promise<EngineResponse> {
-    // LOCAL-ONLY OPERATIONS: Always route to Tauri, never to demo backend
+    // LOCAL-ONLY OPERATIONS: Always route to Bridge, never to demo backend
     // These are desktop-specific operations that must be handled by Rust handlers
     const localOnlyOps = [
       'setup.status',
@@ -99,17 +99,17 @@ class SmartBackend {
     const isLocalOnlyOp = localOnlyOps.includes(req.op);
-    // Local-only ops ALWAYS go to Tauri - regardless of connection state or mode
+    // Local-only ops ALWAYS go to Bridge - regardless of connection state or mode
     // This ensures setup operations never accidentally route to demo backend
     if (isLocalOnlyOp) {
-      console.log(`[ts.op.dispatch] op=${req.op} backend=tauri (local-only)`);
+      console.log(`[ts.op.dispatch] op=${req.op} backend=bridge (local-only)`);
       try {
         const { invoke } = await import('@tauri-apps/api/core');
         return await invoke<EngineResponse>('engine_request', { req });
       } catch (e) {
-        const message = e instanceof Error ? e.message : 'Tauri not available';
-        console.error(`[ts.op.dispatch] op=${req.op} backend=tauri FAILED: ${message}`);
-        return err('TAURI_NOT_READY', message);
+        const message = e instanceof Error ? e.message : 'Bridge not available';
+        console.error(`[ts.op.dispatch] op=${req.op} backend=bridge FAILED: ${message}`);
+        return err('BRIDGE_NOT_READY', message);
       }
     }

package/template/src/ekka/ops/index.ts CHANGED Viewed

@@ -1,11 +1,10 @@
 /**
  * Operations
  *
- * Mirrors Rust src-tauri/src/ops/ and handlers/
+ * Mirrors Rust Bridge ops/ and handlers/
  */
 export * as auth from './auth';
-export * as debug from './debug';
 export * as home from './home';
 export * as paths from './paths';
 export * as runtime from './runtime';

package/template/src/ekka/utils/index.ts CHANGED Viewed

@@ -4,4 +4,3 @@
  */
 export * from './time';
-export * from './idempotency';

package/template/src-tauri/Cargo.toml CHANGED Viewed

@@ -15,6 +15,7 @@ serde_json = "1"
 [dependencies]
 tauri = { version = "2", features = [] }
 tauri-plugin-dialog = "2"
+tauri-plugin-updater = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 chrono = { version = "0.4", features = ["serde"] }
@@ -22,6 +23,7 @@ ekka-sdk-core = { path = "../../ekka-execution-node-sdk-rust/crates/framework/ek
 ekka-runner-core = { path = "../../ekka-execution-node-sdk-rust/crates/framework/ekka-runner-core" }
 ekka-runner-local = { path = "../../ekka-execution-node-sdk-rust/crates/apps/ekka-runner-local" }
 reqwest = { version = "0.11", features = ["blocking", "json"] }
+http = "1"
 uuid = { version = "1.0", features = ["v4"] }
 tokio = { version = "1", features = ["sync"] }
 tracing = "0.1"

package/template/src-tauri/crates/ekka-desktop-core/Cargo.toml ADDED Viewed

@@ -0,0 +1,30 @@
+[package]
+name = "ekka-desktop-core"
+version = "0.1.0"
+edition = "2021"
+description = "EKKA Desktop Core - Security-critical logic process (JSON-RPC over stdio)"
+# Prevent inheriting parent workspace
+[workspace]
+[build-dependencies]
+serde_json = "1"
+[dependencies]
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+chrono = { version = "0.4", features = ["serde"] }
+uuid = { version = "1.0", features = ["v4"] }
+reqwest = { version = "0.11", features = ["blocking", "json"] }
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+rand = "0.8"
+base64 = "0.22"
+hex = "0.4"
+anyhow = "1.0"
+# SDK dependencies (only the primitives we need)
+ekka-sdk-core = { path = "../../../../ekka-execution-node-sdk-rust/crates/framework/ekka-sdk-core" }
+[dev-dependencies]
+tempfile = "3"

package/template/src-tauri/crates/ekka-desktop-core/build.rs ADDED Viewed

@@ -0,0 +1,42 @@
+use std::fs;
+fn main() {
+    // Read app.config.json (same source as Bridge build.rs)
+    // Walk up to find app.config.json from crates/ekka-desktop-core/
+    let config_path = "../../../app.config.json";
+    println!("cargo:rerun-if-changed={}", config_path);
+    let config_str = fs::read_to_string(config_path).unwrap_or_else(|_| {
+        panic!(
+            "\n\nBUILD ERROR: app.config.json not found at {}\n\
+             Desktop Core must be built from within the ekka-desktop-app tree.\n\n",
+            config_path
+        )
+    });
+    let config: serde_json::Value = serde_json::from_str(&config_str).unwrap_or_else(|e| {
+        panic!("\n\nBUILD ERROR: Invalid app.config.json: {}\n\n", e)
+    });
+    let app = config.get("app").expect("app.config.json missing 'app' section");
+    let storage = config.get("storage").expect("app.config.json missing 'storage' section");
+    let engine = config.get("engine").expect("app.config.json missing 'engine' section");
+    let app_name = app.get("name").and_then(|v| v.as_str())
+        .expect("app.config.json: app.name is required");
+    let app_slug = app.get("slug").and_then(|v| v.as_str())
+        .expect("app.config.json: app.slug is required");
+    let home_folder = storage.get("homeFolderName").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.homeFolderName is required");
+    let keychain_service = storage.get("keychainService").and_then(|v| v.as_str())
+        .expect("app.config.json: storage.keychainService is required");
+    let engine_url = engine.get("url").and_then(|v| v.as_str())
+        .expect("app.config.json: engine.url is required");
+    // Bake identical values as Bridge build.rs
+    println!("cargo:rustc-env=EKKA_APP_NAME={}", app_name);
+    println!("cargo:rustc-env=EKKA_APP_SLUG={}", app_slug);
+    println!("cargo:rustc-env=EKKA_HOME_FOLDER={}", home_folder);
+    println!("cargo:rustc-env=EKKA_KEYCHAIN_SERVICE={}", keychain_service);
+    println!("cargo:rustc-env=EKKA_ENGINE_URL={}", engine_url);
+}

package/template/src-tauri/crates/ekka-desktop-core/src/bootstrap.rs ADDED Viewed

@@ -0,0 +1,39 @@
+//! Home directory bootstrap
+//!
+//! Handles initialization and resolution of the EKKA home directory.
+//! Mirrors Bridge bootstrap.rs exactly.
+use crate::config;
+use ekka_sdk_core::ekka_home_bootstrap::{BootstrapConfig, EpochSource, HomeBootstrap, HomeStrategy};
+use std::path::PathBuf;
+/// Standard bootstrap configuration - all values from app.config.json (baked at build time)
+pub fn bootstrap_config() -> BootstrapConfig {
+    BootstrapConfig {
+        app_name: config::app_name().to_string(),
+        default_folder_name: config::home_folder().to_string(),
+        home_strategy: HomeStrategy::DataHome {
+            env_var: "EKKA_DATA_HOME".to_string(),
+        },
+        marker_filename: ".ekka-marker.json".to_string(),
+        keychain_service: config::keychain_service().to_string(),
+        subdirs: vec!["vault".to_string(), "db".to_string(), "tmp".to_string()],
+        epoch_source: EpochSource::EnvVar("EKKA_SECURITY_EPOCH".to_string()),
+        storage_layout_version: "v1".to_string(),
+    }
+}
+/// Resolve the home path without initializing
+pub fn resolve_home_path() -> Result<PathBuf, String> {
+    let config = bootstrap_config();
+    let bootstrap = HomeBootstrap::new(config).map_err(|e| e.to_string())?;
+    Ok(bootstrap.home_path().to_path_buf())
+}
+/// Initialize home directory and return the bootstrap instance
+pub fn initialize_home() -> Result<HomeBootstrap, String> {
+    let config = bootstrap_config();
+    let bootstrap = HomeBootstrap::new(config).map_err(|e| e.to_string())?;
+    bootstrap.initialize().map_err(|e| e.to_string())?;
+    Ok(bootstrap)
+}

package/template/src-tauri/crates/ekka-desktop-core/src/config.rs ADDED Viewed

@@ -0,0 +1,32 @@
+//! Compile-time app configuration
+//!
+//! All values are baked at build time from app.config.json.
+//! Mirrors Bridge config.rs for the subset needed by Desktop Core.
+#![allow(dead_code)]
+macro_rules! baked_config {
+    ($name:ident, $env:literal) => {
+        pub fn $name() -> &'static str {
+            option_env!($env).expect(concat!(
+                $env,
+                " not baked at build time. Check build.rs and app.config.json"
+            ))
+        }
+    };
+}
+// App display name (e.g., "EKKA Desktop")
+baked_config!(app_name, "EKKA_APP_NAME");
+// App slug for machine use (e.g., "ekka-desktop")
+baked_config!(app_slug, "EKKA_APP_SLUG");
+// Home folder name (e.g., ".ekka-desktop")
+baked_config!(home_folder, "EKKA_HOME_FOLDER");
+// Keychain service identifier (e.g., "ai.ekka.desktop")
+baked_config!(keychain_service, "EKKA_KEYCHAIN_SERVICE");
+// EKKA Engine URL (e.g., "https://api.ekka.ai")
+baked_config!(engine_url, "EKKA_ENGINE_URL");

package/template/src-tauri/crates/ekka-desktop-core/src/device_secret.rs ADDED Viewed

@@ -0,0 +1,74 @@
+//! Device Secret Management
+//!
+//! Generates and stores a device-bound secret for encrypting node-level data.
+//! The device secret is stored as a 32-byte file with 0600 permissions.
+//! This secret never leaves the device and is used to derive encryption keys.
+use rand::RngCore;
+use std::fs;
+use std::io::{Read, Write};
+use std::path::{Path, PathBuf};
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
+/// Device secret filename
+const DEVICE_SECRET_FILENAME: &str = ".ekka-device-secret";
+/// Device secret size in bytes (256 bits)
+const DEVICE_SECRET_SIZE: usize = 32;
+/// Get the path to the device secret file
+pub fn device_secret_path(home: &Path) -> PathBuf {
+    home.join(DEVICE_SECRET_FILENAME)
+}
+/// Load or create the device secret
+///
+/// If the secret file exists, reads exactly 32 bytes.
+/// If not, generates 32 random bytes and writes with 0600 permissions.
+///
+/// # Returns
+/// * `Ok([u8; 32])` - The device secret bytes
+/// * `Err` - If file operations fail
+pub fn load_or_create_device_secret(home: &Path) -> anyhow::Result<[u8; 32]> {
+    let path = device_secret_path(home);
+    if path.exists() {
+        // Load existing secret
+        let mut file = fs::File::open(&path)?;
+        let mut secret = [0u8; DEVICE_SECRET_SIZE];
+        file.read_exact(&mut secret)?;
+        tracing::info!(
+            op = "device_secret.ready",
+            created = false,
+            "Device secret loaded"
+        );
+        Ok(secret)
+    } else {
+        // Generate new secret
+        let mut secret = [0u8; DEVICE_SECRET_SIZE];
+        rand::thread_rng().fill_bytes(&mut secret);
+        // Write with secure permissions
+        let mut file = fs::File::create(&path)?;
+        file.write_all(&secret)?;
+        // Set 0600 permissions on Unix
+        #[cfg(unix)]
+        {
+            let perms = fs::Permissions::from_mode(0o600);
+            fs::set_permissions(&path, perms)?;
+        }
+        tracing::info!(
+            op = "device_secret.ready",
+            created = true,
+            "Device secret created"
+        );
+        Ok(secret)
+    }
+}