first commit

clients/desktop/.gitignore

@@ -0,0 +1,24 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?

clients/desktop/README.md

@@ -0,0 +1,7 @@
+# Tauri + React
+
+This template should help get you started developing with Tauri and React in Vite.
+
+## Recommended IDE Setup
+
+- [VS Code](https://code.visualstudio.com/) + [Tauri](https://marketplace.visualstudio.com/items?itemName=tauri-apps.tauri-vscode) + [rust-analyzer](https://marketplace.visualstudio.com/items?itemName=rust-lang.rust-analyzer)

clients/desktop/index.html

@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Tauri + React</title>
+  </head>
+
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.jsx"></script>
+  </body>
+</html>

clients/desktop/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "clientsdesktopsecrets-desktop",
+  "private": true,
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview",
+    "tauri": "tauri"
+  },
+  "dependencies": {
+    "@tauri-apps/api": "^2",
+    "@tauri-apps/plugin-opener": "^2",
+    "axios": "^1.13.4",
+    "clsx": "^2.1.1",
+    "lucide-react": "^0.563.0",
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0",
+    "react-router-dom": "^7.13.0",
+    "secure-remote-password": "^0.3.1",
+    "tailwind-merge": "^3.4.0"
+  },
+  "devDependencies": {
+    "@tauri-apps/cli": "^2",
+    "@vitejs/plugin-react": "^4.6.0",
+    "autoprefixer": "^10.4.23",
+    "postcss": "^8.5.6",
+    "tailwindcss": "3.4",
+    "vite": "^7.0.4"
+  }
+}

clients/desktop/postcss.config.js

@@ -0,0 +1,6 @@
+export default {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+}

clients/desktop/public/tauri.svg

@@ -0,0 +1,6 @@
+<svg width="206" height="231" viewBox="0 0 206 231" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M143.143 84C143.143 96.1503 133.293 106 121.143 106C108.992 106 99.1426 96.1503 99.1426 84C99.1426 71.8497 108.992 62 121.143 62C133.293 62 143.143 71.8497 143.143 84Z" fill="#FFC131"/>
+<ellipse cx="84.1426" cy="147" rx="22" ry="22" transform="rotate(180 84.1426 147)" fill="#24C8DB"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M166.738 154.548C157.86 160.286 148.023 164.269 137.757 166.341C139.858 160.282 141 153.774 141 147C141 144.543 140.85 142.121 140.558 139.743C144.975 138.204 149.215 136.139 153.183 133.575C162.73 127.404 170.292 118.608 174.961 108.244C179.63 97.8797 181.207 86.3876 179.502 75.1487C177.798 63.9098 172.884 53.4021 165.352 44.8883C157.82 36.3744 147.99 30.2165 137.042 27.1546C126.095 24.0926 114.496 24.2568 103.64 27.6274C92.7839 30.998 83.1319 37.4317 75.8437 46.1553C74.9102 47.2727 74.0206 48.4216 73.176 49.5993C61.9292 50.8488 51.0363 54.0318 40.9629 58.9556C44.2417 48.4586 49.5653 38.6591 56.679 30.1442C67.0505 17.7298 80.7861 8.57426 96.2354 3.77762C111.685 -1.01901 128.19 -1.25267 143.769 3.10474C159.348 7.46215 173.337 16.2252 184.056 28.3411C194.775 40.457 201.767 55.4101 204.193 71.404C206.619 87.3978 204.374 103.752 197.73 118.501C191.086 133.25 180.324 145.767 166.738 154.548ZM41.9631 74.275L62.5557 76.8042C63.0459 72.813 63.9401 68.9018 65.2138 65.1274C57.0465 67.0016 49.2088 70.087 41.9631 74.275Z" fill="#FFC131"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M38.4045 76.4519C47.3493 70.6709 57.2677 66.6712 67.6171 64.6132C65.2774 70.9669 64 77.8343 64 85.0001C64 87.1434 64.1143 89.26 64.3371 91.3442C60.0093 92.8732 55.8533 94.9092 51.9599 97.4256C42.4128 103.596 34.8505 112.392 30.1816 122.756C25.5126 133.12 23.9357 144.612 25.6403 155.851C27.3449 167.09 32.2584 177.598 39.7906 186.112C47.3227 194.626 57.153 200.784 68.1003 203.846C79.0476 206.907 90.6462 206.743 101.502 203.373C112.359 200.002 122.011 193.568 129.299 184.845C130.237 183.722 131.131 182.567 131.979 181.383C143.235 180.114 154.132 176.91 164.205 171.962C160.929 182.49 155.596 192.319 148.464 200.856C138.092 213.27 124.357 222.426 108.907 227.222C93.458 232.019 76.9524 232.253 61.3736 227.895C45.7948 223.538 31.8055 214.775 21.0867 202.659C10.3679 190.543 3.37557 175.59 0.949823 159.596C-1.47592 143.602 0.768139 127.248 7.41237 112.499C14.0566 97.7497 24.8183 85.2327 38.4045 76.4519ZM163.062 156.711L163.062 156.711C162.954 156.773 162.846 156.835 162.738 156.897C162.846 156.835 162.954 156.773 163.062 156.711Z" fill="#24C8DB"/>
+</svg>

clients/desktop/public/vite.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="31.88" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 257"><defs><linearGradient id="IconifyId1813088fe1fbc01fb466" x1="-.828%" x2="57.636%" y1="7.652%" y2="78.411%"><stop offset="0%" stop-color="#41D1FF"></stop><stop offset="100%" stop-color="#BD34FE"></stop></linearGradient><linearGradient id="IconifyId1813088fe1fbc01fb467" x1="43.376%" x2="50.316%" y1="2.242%" y2="89.03%"><stop offset="0%" stop-color="#FFEA83"></stop><stop offset="8.333%" stop-color="#FFDD35"></stop><stop offset="100%" stop-color="#FFA800"></stop></linearGradient></defs><path fill="url(#IconifyId1813088fe1fbc01fb466)" d="M255.153 37.938L134.897 252.976c-2.483 4.44-8.862 4.466-11.382.048L.875 37.958c-2.746-4.814 1.371-10.646 6.827-9.67l120.385 21.517a6.537 6.537 0 0 0 2.322-.004l117.867-21.483c5.438-.991 9.574 4.796 6.877 9.62Z"></path><path fill="url(#IconifyId1813088fe1fbc01fb467)" d="M185.432.063L96.44 17.501a3.268 3.268 0 0 0-2.634 3.014l-5.474 92.456a3.268 3.268 0 0 0 3.997 3.378l24.777-5.718c2.318-.535 4.413 1.507 3.936 3.838l-7.361 36.047c-.495 2.426 1.782 4.5 4.151 3.78l15.304-4.649c2.372-.72 4.652 1.36 4.15 3.788l-11.698 56.621c-.732 3.542 3.979 5.473 5.943 2.437l1.313-2.028l72.516-144.72c1.215-2.423-.88-5.186-3.54-4.672l-25.505 4.922c-2.396.462-4.435-1.77-3.759-4.114l16.646-57.705c.677-2.35-1.37-4.583-3.769-4.113Z"></path></svg>

clients/desktop/src-tauri/.gitignore

@@ -0,0 +1,7 @@
+# Generated by Cargo
+# will have compiled files and executables
+/target/
+
+# Generated by Tauri
+# will have schema files for capabilities auto-completion
+/gen/schemas

clients/desktop/src-tauri/Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "clientsdesktopsecrets-desktop"
+version = "0.1.0"
+description = "A Tauri App"
+authors = ["you"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[lib]
+# The `_lib` suffix may seem redundant but it is necessary
+# to make the lib name unique and wouldn't conflict with the bin name.
+# This seems to be only an issue on Windows, see https://github.com/rust-lang/cargo/issues/8519
+name = "clientsdesktopsecrets_desktop_lib"
+crate-type = ["staticlib", "cdylib", "rlib"]
+
+[build-dependencies]
+tauri-build = { version = "2", features = [] }
+
+[dependencies]
+tauri = { version = "2", features = [] }
+tauri-plugin-opener = "2"
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+aes-gcm = "0.10.3"
+rand = "0.9.2"
+base64 = "0.22.1"
+argon2 = "0.5.3"
+

clients/desktop/src-tauri/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+    tauri_build::build()
+}

clients/desktop/src-tauri/capabilities/default.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "../gen/schemas/desktop-schema.json",
+  "identifier": "default",
+  "description": "Capability for the main window",
+  "windows": ["main"],
+  "permissions": [
+    "core:default",
+    "opener:default"
+  ]
+}

clients/desktop/src-tauri/src/lib.rs

@@ -0,0 +1,101 @@
+use tauri::State;
+use std::sync::Mutex;
+use aes_gcm::{
+    aead::{Aead, KeyInit},
+    Aes256Gcm, Nonce
+};
+use aes_gcm::aead::rand_core::RngCore;
+use argon2::{
+    password_hash::{
+        rand_core::OsRng,
+        PasswordHasher, SaltString
+    },
+    Argon2
+};
+use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64};
+
+struct VaultState {
+    cipher: Mutex<Option<Aes256Gcm>>,
+}
+
+#[tauri::command]
+fn derive_key(password: String, salt: String, state: State<'_, VaultState>) -> Result<String, String> {
+    // In a real app, we'd use Argon2id to derive a 32-byte key from password + salt
+    // For simplicity/speed in this prototype, we'll verify logic.
+    // Ideally: Argon2 to get 32 bytes.
+    
+    // Note: 'salt' from DB is usually a string.
+    
+    let mut key_material = [0u8; 32];
+    let salt_bytes = salt.as_bytes(); // Should be decoded if stored as base64/hex? assuming raw string for now or robust handling needed
+    
+    let argon2 = Argon2::default();
+    // We need to derive raw bytes, not PHC string.
+    // Using simple_pbkdf2 or manual params for Argon2.
+    // For this prototype, lets use a simple hash or assuming the 'salt' is adequate.
+    
+    // Using Argon2 to fill key_material
+    let res = argon2.hash_password_simple(password.as_bytes(), &SaltString::generate(&mut OsRng))
+        .map_err(|e| e.to_string())?;
+        
+    // Wait, hash_password_simple returns a PasswordHash string. We want raw key bytes (KDF).
+    // Correct usage for KDF:
+    let mut output_key = [0u8; 32];
+    argon2.hash_password_into(password.as_bytes(), salt.as_bytes(), &mut output_key)
+        .map_err(|e| e.to_string())?;
+
+    let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&output_key);
+    let cipher = Aes256Gcm::new(key);
+
+    *state.cipher.lock().unwrap() = Some(cipher);
+    
+    Ok("Key derived and stored in memory".into())
+}
+
+#[tauri::command]
+fn encrypt_val(cleartext: String, state: State<'_, VaultState>) -> Result<String, String> {
+    let cipher_guard = state.cipher.lock().unwrap();
+    let cipher = cipher_guard.as_ref().ok_or("Vault locked")?;
+
+    let mut nonce_bytes = [0u8; 12];
+    OsRng.fill_bytes(&mut nonce_bytes);
+    let nonce = Nonce::from_slice(&nonce_bytes);
+
+    let ciphertext = cipher.encrypt(nonce, cleartext.as_bytes())
+        .map_err(|e| e.to_string())?;
+
+    // Return format: nonce:ciphertext (base64 encoded)
+    let mut combined = nonce_bytes.to_vec();
+    combined.extend(ciphertext);
+    
+    Ok(BASE64.encode(combined))
+}
+
+#[tauri::command]
+fn decrypt_val(encrypted: String, state: State<'_, VaultState>) -> Result<String, String> {
+    let cipher_guard = state.cipher.lock().unwrap();
+    let cipher = cipher_guard.as_ref().ok_or("Vault locked")?;
+
+    let data = BASE64.decode(encrypted).map_err(|e| e.to_string())?;
+    if data.len() < 12 {
+        return Err("Invalid data".into());
+    }
+
+    let nonce = Nonce::from_slice(&data[0..12]);
+    let payload = &data[12..];
+
+    let plaintext = cipher.decrypt(nonce, payload)
+        .map_err(|e| e.to_string())?;
+
+    Ok(String::from_utf8(plaintext).map_err(|e| e.to_string())?)
+}
+
+#[cfg_attr(mobile, tauri::mobile_entry_point)]
+pub fn run() {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_opener::init())
+        .manage(VaultState { cipher: Mutex::new(None) })
+        .invoke_handler(tauri::generate_handler![derive_key, encrypt_val, decrypt_val])
+        .run(tauri::generate_context!())
+        .expect("error while running tauri application");
+}

clients/desktop/src-tauri/src/main.rs

@@ -0,0 +1,6 @@
+// Prevents additional console window on Windows in release, DO NOT REMOVE!!
+#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
+
+fn main() {
+    clientsdesktopsecrets_desktop_lib::run()
+}

clients/desktop/src-tauri/tauri.conf.json

@@ -0,0 +1,35 @@
+{
+  "$schema": "https://schema.tauri.app/config/2",
+  "productName": "clientsdesktopsecrets-desktop",
+  "version": "0.1.0",
+  "identifier": "com.secrets.desktop",
+  "build": {
+    "beforeDevCommand": "npm run dev",
+    "devUrl": "http://localhost:1420",
+    "beforeBuildCommand": "npm run build",
+    "frontendDist": "../dist"
+  },
+  "app": {
+    "windows": [
+      {
+        "title": "clientsdesktopsecrets-desktop",
+        "width": 800,
+        "height": 600
+      }
+    ],
+    "security": {
+      "csp": null
+    }
+  },
+  "bundle": {
+    "active": true,
+    "targets": "all",
+    "icon": [
+      "icons/32x32.png",
+      "icons/128x128.png",
+      "icons/128x128@2x.png",
+      "icons/icon.icns",
+      "icons/icon.ico"
+    ]
+  }
+}

clients/desktop/src/App.css

@@ -0,0 +1,116 @@
+.logo.vite:hover {
+  filter: drop-shadow(0 0 2em #747bff);
+}
+
+.logo.react:hover {
+  filter: drop-shadow(0 0 2em #61dafb);
+}
+:root {
+  font-family: Inter, Avenir, Helvetica, Arial, sans-serif;
+  font-size: 16px;
+  line-height: 24px;
+  font-weight: 400;
+
+  color: #0f0f0f;
+  background-color: #f6f6f6;
+
+  font-synthesis: none;
+  text-rendering: optimizeLegibility;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  -webkit-text-size-adjust: 100%;
+}
+
+.container {
+  margin: 0;
+  padding-top: 10vh;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  text-align: center;
+}
+
+.logo {
+  height: 6em;
+  padding: 1.5em;
+  will-change: filter;
+  transition: 0.75s;
+}
+
+.logo.tauri:hover {
+  filter: drop-shadow(0 0 2em #24c8db);
+}
+
+.row {
+  display: flex;
+  justify-content: center;
+}
+
+a {
+  font-weight: 500;
+  color: #646cff;
+  text-decoration: inherit;
+}
+
+a:hover {
+  color: #535bf2;
+}
+
+h1 {
+  text-align: center;
+}
+
+input,
+button {
+  border-radius: 8px;
+  border: 1px solid transparent;
+  padding: 0.6em 1.2em;
+  font-size: 1em;
+  font-weight: 500;
+  font-family: inherit;
+  color: #0f0f0f;
+  background-color: #ffffff;
+  transition: border-color 0.25s;
+  box-shadow: 0 2px 2px rgba(0, 0, 0, 0.2);
+}
+
+button {
+  cursor: pointer;
+}
+
+button:hover {
+  border-color: #396cd8;
+}
+button:active {
+  border-color: #396cd8;
+  background-color: #e8e8e8;
+}
+
+input,
+button {
+  outline: none;
+}
+
+#greet-input {
+  margin-right: 5px;
+}
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    color: #f6f6f6;
+    background-color: #2f2f2f;
+  }
+
+  a:hover {
+    color: #24c8db;
+  }
+
+  input,
+  button {
+    color: #ffffff;
+    background-color: #0f0f0f98;
+  }
+  button:active {
+    background-color: #0f0f0f69;
+  }
+}

clients/desktop/src/App.jsx

@@ -0,0 +1,51 @@
+import { useState } from "react";
+import reactLogo from "./assets/react.svg";
+import { invoke } from "@tauri-apps/api/core";
+import "./App.css";
+
+function App() {
+  const [greetMsg, setGreetMsg] = useState("");
+  const [name, setName] = useState("");
+
+  async function greet() {
+    // Learn more about Tauri commands at https://tauri.app/develop/calling-rust/
+    setGreetMsg(await invoke("greet", { name }));
+  }
+
+  return (
+    <main className="container">
+      <h1>Welcome to Tauri + React</h1>
+
+      <div className="row">
+        <a href="https://vite.dev" target="_blank">
+          <img src="/vite.svg" className="logo vite" alt="Vite logo" />
+        </a>
+        <a href="https://tauri.app" target="_blank">
+          <img src="/tauri.svg" className="logo tauri" alt="Tauri logo" />
+        </a>
+        <a href="https://react.dev" target="_blank">
+          <img src={reactLogo} className="logo react" alt="React logo" />
+        </a>
+      </div>
+      <p>Click on the Tauri, Vite, and React logos to learn more.</p>
+
+      <form
+        className="row"
+        onSubmit={(e) => {
+          e.preventDefault();
+          greet();
+        }}
+      >
+        <input
+          id="greet-input"
+          onChange={(e) => setName(e.currentTarget.value)}
+          placeholder="Enter a name..."
+        />
+        <button type="submit">Greet</button>
+      </form>
+      <p>{greetMsg}</p>
+    </main>
+  );
+}
+
+export default App;

clients/desktop/src/App.tsx

@@ -0,0 +1,29 @@
+import { BrowserRouter, Routes, Route, Navigate } from 'react-router-dom';
+import Login from './pages/Login';
+import Dashboard from './pages/Dashboard';
+import { auth } from './lib/auth';
+
+function PrivateRoute({ children }: { children: React.ReactNode }) {
+  return auth.isAuthenticated() ? children : <Navigate to="/login" />;
+}
+
+function App() {
+  return (
+    <BrowserRouter>
+      <Routes>
+        <Route path="/login" element={<Login />} />
+        <Route
+          path="/dashboard"
+          element={
+            <PrivateRoute>
+              <Dashboard />
+            </PrivateRoute>
+          }
+        />
+        <Route path="/" element={<Navigate to="/dashboard" />} />
+      </Routes>
+    </BrowserRouter>
+  );
+}
+
+export default App;

clients/desktop/src/assets/react.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>

clients/desktop/src/index.css

@@ -0,0 +1,17 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+:root {
+  font-family: Inter, system-ui, Avenir, Helvetica, Arial, sans-serif;
+  line-height: 1.5;
+  font-weight: 400;
+}
+
+body {
+  margin: 0;
+  display: flex;
+  place-items: center;
+  min-width: 320px;
+  min-height: 100vh;
+}

clients/desktop/src/lib/api.ts

@@ -0,0 +1,15 @@
+import axios from 'axios';
+
+const api = axios.create({
+  baseURL: 'http://localhost', // Nginx Gateway
+});
+
+api.interceptors.request.use((config) => {
+  const token = localStorage.getItem('token');
+  if (token) {
+    config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+});
+
+export default api;

clients/desktop/src/lib/auth.ts

@@ -0,0 +1,69 @@
+import srp from 'secure-remote-password/client';
+import api from './api';
+import { crypto } from './crypto';
+
+export const auth = {
+  register: async (email, password) => {
+    const salt = srp.generateSalt();
+    const privateKey = srp.derivePrivateKey(salt, email, password);
+    const verifier = srp.deriveVerifier(privateKey);
+
+    await api.post('/api/auth/register', {
+      email,
+      salt,
+      verifier
+    });
+  },
+
+  login: async (email, password) => {
+    // Step 1
+    const secret = srp.generateEphemeral(); // 'a'
+    const clientPublic = secret.public; // 'A'
+
+    const step1Response = await api.post('/api/auth/login/step1', {
+      email,
+      clientPublic
+    });
+
+    const { salt, serverPublic } = step1Response.data;
+
+    // Calculate Client Proof (M1)
+    const privateKey = srp.derivePrivateKey(salt, email, password);
+    const clientSession = srp.deriveSession(
+      secret.secret,
+      serverPublic,
+      salt,
+      email,
+      privateKey
+    );
+
+    // Step 2
+    const step2Response = await api.post('/api/auth/login/step2', {
+      email,
+      clientProof: clientSession.proof
+    });
+
+    const { serverProof, token } = step2Response.data;
+
+    // Verify Server Proof (M2)
+    srp.verifySession(serverPublic, clientSession, serverProof);
+
+    // If we're here, SRP is successful
+    localStorage.setItem('token', token);
+
+    // Now derive the vault key in Rust
+    await crypto.deriveKey(password, salt);
+
+    return true;
+  },
+
+  logout: () => {
+    localStorage.removeItem('token');
+    // Ideally clear Rust state too, but hard to do without restart or command
+    // window.location.reload() might be enough
+  },
+
+  isAuthenticated: () => {
+    return !!localStorage.getItem('token');
+  }
+};

clients/desktop/src/lib/crypto.ts

@@ -0,0 +1,15 @@
+import { invoke } from '@tauri-apps/api/core';
+
+export const crypto = {
+  deriveKey: async (password: string, salt: string): Promise<string> => {
+    return invoke('derive_key', { password, salt });
+  },
+
+  encrypt: async (cleartext: string): Promise<string> => {
+    return invoke('encrypt_val', { cleartext });
+  },
+
+  decrypt: async (encrypted: string): Promise<string> => {
+    return invoke('decrypt_val', { encrypted });
+  }
+};

clients/desktop/src/main.jsx

@@ -0,0 +1,9 @@
+import React from "react";
+import ReactDOM from "react-dom/client";
+import App from "./App";
+
+ReactDOM.createRoot(document.getElementById("root")).render(
+  <React.StrictMode>
+    <App />
+  </React.StrictMode>,
+);

clients/desktop/src/pages/Dashboard.tsx

@@ -0,0 +1,224 @@
+import { useEffect, useState } from 'react';
+import api from '../lib/api';
+import { crypto } from '../lib/crypto';
+import { auth } from '../lib/auth';
+import { useNavigate } from 'react-router-dom';
+import { Plus, LogOut, Trash2, Eye, EyeOff, Copy } from 'lucide-react';
+
+interface Secret {
+  id: string;
+  encrypted_data: string; // bytea from pg comes as hex string usually in postgrest? or we encoded it?
+  // We didn't define encoding in schema, but usually PostgREST returns hex for bytea.
+  // However, our encrypt command returns base64. 
+  // We should ensure consistency. 
+  // If we send base64 to bytea column, PG might need decode.
+  // Or we store as TEXT in DB for simplicity in this prototype.
+  // Schema said BYTEA. PostgREST handles bytea as hex.
+  // We will assume we need to handle hex/base64 conversion if needed.
+  // actually, let's treat it as TEXT in the client for now to see what we get.
+  iv: string;
+  auth_tag: string;
+  type: string;
+  created_at: string;
+
+  // Decrypted
+  name?: string; // We don't have a name column? 
+  // Wait, PROJECT.md schema didn't have name.
+  // It had "data" blob.
+  // Just "encrypted_data".
+  // We should probably store a JSON blob inside encrypted_data: { name: "...", value: "..." }
+  // Or add a name column (encrypted or plaintext?).
+  // "Zero-Knowledge" implies name should be encrypted too if sensitive, 
+  // but usually metadata like name is useful to be plain or separately encrypted.
+  // Let's assume the blob is `name: value` or JSON.
+  decryptedValue?: string;
+}
+
+export default function Dashboard() {
+  const [secrets, setSecrets] = useState<Secret[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [newSecret, setNewSecret] = useState('');
+  const [adding, setAdding] = useState(false);
+  const navigate = useNavigate();
+
+  const fetchSecrets = async () => {
+    try {
+      const res = await api.get('/rest/secrets?select=*');
+      const data = res.data as Secret[];
+
+      // Decrypt all
+      const decrypted = await Promise.all(data.map(async (s) => {
+        try {
+          // PostgREST returns bytea as hex starting with \x
+          // But we likely sent base64 string if we used TEXT column?
+          // Schema defined BYTEA. 
+          // Let's assume we receive hex string.
+          // But our crypto.decrypt expects Base64 (from our lib.rs).
+
+          // We need to handle this data format mismatch.
+          // For prototype, let's assume we store it as TEXT in schema for now to avoid hex conversion issues
+          // OR we convert.
+          // Let's assume the server returns what we sent if we use TEXT, or we need to parse.
+
+          // Let's try to decrypt whatever it is.
+          // In lib.rs, decrypt_val takes String (Base64).
+
+          // If it's Postgres Bytea Hex (\x...), we need to convert to Base64.
+
+          let ciphertext = s.encrypted_data;
+          if (ciphertext.startsWith('\\x')) {
+            // It is hex. Convert to base64.
+            // Skip \x
+            const hex = ciphertext.substring(2);
+            const bytes = new Uint8Array(hex.match(/.{1,2}/g)!.map(byte => parseInt(byte, 16)));
+            // Convert bytes to base64
+            ciphertext = btoa(String.fromCharCode(...bytes));
+          }
+
+          const plain = await crypto.decrypt(ciphertext);
+          return { ...s, decryptedValue: plain };
+        } catch (e) {
+          console.error("Failed to decrypt secret", s.id, e);
+          return { ...s, decryptedValue: 'Error decrypting' };
+        }
+      }));
+
+      setSecrets(decrypted);
+    } catch (err) {
+      console.error(err);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    fetchSecrets();
+  }, []);
+
+  const handleLogout = () => {
+    auth.logout();
+    navigate('/login');
+  };
+
+  const handleAdd = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!newSecret) return;
+    setAdding(true);
+    try {
+      const encrypted = await crypto.encrypt(newSecret);
+      // encrypted is base64 string (nonce+ciphertext).
+      // We need to split if schema enforces separation?
+      // Schema has: encrypted_data, iv, auth_tag.
+      // Our Rust `encrypt_val` returns combined blob (nonce+ciphertext).
+      // We should probably update Rust to return JSON or separate parts, 
+      // OR update Schema to just have `blob`.
+
+      // Current Schema: encrypted_data, iv, auth_tag.
+      // Current Rust: combined string.
+
+      // Workaround: We will store EVERYTHING in `encrypted_data` column for now,
+      // and dummy values for iv/auth_tag if required, OR update schema.
+      // Schema has NOT NULL for iv/auth_tag.
+
+      // Hack: Store combined in encrypted_data, and "00" in iv/auth_tag.
+      // Ideally we refactor.
+
+      // Note: Postgres Bytea expects hex format (start with \x) or valid escape.
+      // If we send a string to bytea, PostgREST might complain unless we format it.
+      // Better: Change schema columns to TEXT for prototype simplicity? 
+      // OR use a proper format.
+
+      // Let's try sending keys.
+
+      await api.post('/rest/secrets', {
+        encrypted_data: encrypted, // We might need to hex encode this for BYTEA?
+        iv: "00", // dummy
+        auth_tag: "00", // dummy
+        owner_id: (JSON.parse(atob(localStorage.getItem('token')!.split('.')[1]))).sub // extract sub from jwt
+      });
+
+      setNewSecret('');
+      fetchSecrets();
+    } catch (err) {
+      console.error(err);
+      alert('Failed to add secret');
+    } finally {
+      setAdding(false);
+    }
+  };
+
+  const [visible, setVisible] = useState<Record<string, boolean>>({});
+
+  return (
+    <div className="min-h-screen bg-gray-950 text-white font-sans">
+      <nav className="border-b border-gray-800 bg-gray-900 p-4">
+        <div className="mx-auto flex max-w-5xl items-center justify-between">
+          <h1 className="text-xl font-bold flex items-center gap-2">
+            <span className="text-blue-500">keys</span>
+            Secrets Manager
+          </h1>
+          <button
+            onClick={handleLogout}
+            className="flex items-center gap-2 rounded-md bg-gray-800 px-3 py-1.5 text-sm hover:bg-gray-700"
+          >
+            <LogOut size={16} /> Logout
+          </button>
+        </div>
+      </nav>
+
+      <main className="mx-auto max-w-5xl p-6">
+        <div className="mb-8 rounded-xl bg-gray-900 p-6 border border-gray-800">
+          <h2 className="mb-4 text-lg font-semibold">Store New Secret</h2>
+          <form onSubmit={handleAdd} className="flex gap-4">
+            <input
+              type="text"
+              value={newSecret}
+              onChange={(e) => setNewSecret(e.target.value)}
+              placeholder="Enter secret text (e.g. API_KEY=123)"
+              className="flex-1 rounded-md border border-gray-700 bg-gray-950 px-4 py-2 focus:border-blue-500 focus:outline-none"
+            />
+            <button
+              type="submit"
+              disabled={adding}
+              className="flex items-center gap-2 rounded-md bg-blue-600 px-6 py-2 font-medium hover:bg-blue-700 disabled:opacity-50"
+            >
+              <Plus size={18} /> Add
+            </button>
+          </form>
+        </div>
+
+        <div className="grid gap-4">
+          {loading ? (
+            <p className="text-gray-400">Loading vault...</p>
+          ) : (
+            secrets.map((secret) => (
+              <div key={secret.id} className="flex items-center justify-between rounded-lg border border-gray-800 bg-gray-900 p-4 transition hover:bg-gray-800/80">
+                <div className="flex-1 font-mono text-sm">
+                  {visible[secret.id] ? (
+                    <span className="text-green-400">{secret.decryptedValue || 'Decrypting...'}</span>
+                  ) : (
+                    <span className="text-gray-500">••••••••••••••••••••••••</span>
+                  )}
+                </div>
+                <div className="flex items-center gap-2">
+                  <button
+                    onClick={() => setVisible(p => ({ ...p, [secret.id]: !p[secret.id] }))}
+                    className="rounded p-2 text-gray-400 hover:bg-gray-700 hover:text-white"
+                  >
+                    {visible[secret.id] ? <EyeOff size={18} /> : <Eye size={18} />}
+                  </button>
+                  <button className="rounded p-2 text-gray-400 hover:bg-gray-700 hover:text-white">
+                    <Copy size={18} />
+                  </button>
+                  <button className="rounded p-2 text-red-400 hover:bg-red-900/20 hover:text-red-300">
+                    <Trash2 size={18} />
+                  </button>
+                </div>
+              </div>
+            ))
+          )}
+        </div>
+      </main>
+    </div>
+  );
+}

clients/desktop/src/pages/Login.tsx

@@ -0,0 +1,106 @@
+import { useState } from 'react';
+import { auth } from '../lib/auth';
+import { useNavigate } from 'react-router-dom';
+import { Lock, User, KeyRound } from 'lucide-react';
+
+export default function Login() {
+  const [isLogin, setIsLogin] = useState(true);
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState('');
+  const navigate = useNavigate();
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setLoading(true);
+    setError('');
+
+    try {
+      if (isLogin) {
+        await auth.login(email, password);
+        navigate('/dashboard');
+      } else {
+        await auth.register(email, password);
+        // After register, switch to login or auto-login
+        alert('Registration successful! Please login.');
+        setIsLogin(true);
+      }
+    } catch (err) {
+      console.error(err);
+      setError('Action failed. Please check credentials or try again.');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-gray-950 p-4 text-white">
+      <div className="w-full max-w-md space-y-8 rounded-xl bg-gray-900 p-8 shadow-2xl border border-gray-800">
+        <div className="text-center">
+          <div className="mx-auto flex h-12 w-12 items-center justify-center rounded-full bg-blue-600">
+            <Lock className="h-6 w-6 text-white" />
+          </div>
+          <h2 className="mt-6 text-3xl font-extrabold tracking-tight">
+            {isLogin ? 'Unlock Vault' : 'Create Vault'}
+          </h2>
+          <p className="mt-2 text-sm text-gray-400">
+            Zero-Knowledge Encryption
+          </p>
+        </div>
+
+        <form className="mt-8 space-y-6" onSubmit={handleSubmit}>
+          <div className="space-y-4 rounded-md shadow-sm">
+            <div className="relative">
+              <User className="absolute left-3 top-3 h-5 w-5 text-gray-400" />
+              <input
+                required
+                type="email"
+                placeholder="Email address"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                className="block w-full rounded-md border border-gray-700 bg-gray-800 pl-10 py-2 text-white placeholder-gray-400 focus:border-blue-500 focus:ring-blue-500 sm:text-sm"
+              />
+            </div>
+            <div className="relative">
+              <KeyRound className="absolute left-3 top-3 h-5 w-5 text-gray-400" />
+              <input
+                required
+                type="password"
+                placeholder="Master Password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                className="block w-full rounded-md border border-gray-700 bg-gray-800 pl-10 py-2 text-white placeholder-gray-400 focus:border-blue-500 focus:ring-blue-500 sm:text-sm"
+              />
+            </div>
+          </div>
+
+          {error && (
+            <div className="text-sm text-red-500 text-center">
+              {error}
+            </div>
+          )}
+
+          <div>
+            <button
+              type="submit"
+              disabled={loading}
+              className="group relative flex w-full justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 disabled:opacity-50"
+            >
+              {loading ? 'Processing...' : (isLogin ? 'Unlock' : 'Create Account')}
+            </button>
+          </div>
+        </form>
+
+        <div className="text-center">
+          <button
+            onClick={() => setIsLogin(!isLogin)}
+            className="text-sm font-medium text-blue-500 hover:text-blue-400"
+          >
+            {isLogin ? 'Need an account? Register' : 'Already have an account? Login'}
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}

clients/desktop/tailwind.config.js

@@ -0,0 +1,11 @@
+/** @type {import('tailwindcss').Config} */
+export default {
+  content: [
+    "./index.html",
+    "./src/**/*.{js,ts,jsx,tsx}",
+  ],
+  theme: {
+    extend: {},
+  },
+  plugins: [],
+}

clients/desktop/vite.config.js

@@ -0,0 +1,31 @@
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
+
+const host = process.env.TAURI_DEV_HOST;
+
+// https://vite.dev/config/
+export default defineConfig(async () => ({
+  plugins: [react()],
+
+  // Vite options tailored for Tauri development and only applied in `tauri dev` or `tauri build`
+  //
+  // 1. prevent Vite from obscuring rust errors
+  clearScreen: false,
+  // 2. tauri expects a fixed port, fail if that port is not available
+  server: {
+    port: 1420,
+    strictPort: true,
+    host: host || false,
+    hmr: host
+      ? {
+          protocol: "ws",
+          host,
+          port: 1421,
+        }
+      : undefined,
+    watch: {
+      // 3. tell Vite to ignore watching `src-tauri`
+      ignored: ["**/src-tauri/**"],
+    },
+  },
+}));