first commit

clients/desktop/src-tauri/.gitignore

@@ -0,0 +1,7 @@
+# Generated by Cargo
+# will have compiled files and executables
+/target/
+
+# Generated by Tauri
+# will have schema files for capabilities auto-completion
+/gen/schemas

clients/desktop/src-tauri/Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "clientsdesktopsecrets-desktop"
+version = "0.1.0"
+description = "A Tauri App"
+authors = ["you"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[lib]
+# The `_lib` suffix may seem redundant but it is necessary
+# to make the lib name unique and wouldn't conflict with the bin name.
+# This seems to be only an issue on Windows, see https://github.com/rust-lang/cargo/issues/8519
+name = "clientsdesktopsecrets_desktop_lib"
+crate-type = ["staticlib", "cdylib", "rlib"]
+
+[build-dependencies]
+tauri-build = { version = "2", features = [] }
+
+[dependencies]
+tauri = { version = "2", features = [] }
+tauri-plugin-opener = "2"
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+aes-gcm = "0.10.3"
+rand = "0.9.2"
+base64 = "0.22.1"
+argon2 = "0.5.3"
+

clients/desktop/src-tauri/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+    tauri_build::build()
+}

clients/desktop/src-tauri/capabilities/default.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "../gen/schemas/desktop-schema.json",
+  "identifier": "default",
+  "description": "Capability for the main window",
+  "windows": ["main"],
+  "permissions": [
+    "core:default",
+    "opener:default"
+  ]
+}

clients/desktop/src-tauri/src/lib.rs

@@ -0,0 +1,101 @@
+use tauri::State;
+use std::sync::Mutex;
+use aes_gcm::{
+    aead::{Aead, KeyInit},
+    Aes256Gcm, Nonce
+};
+use aes_gcm::aead::rand_core::RngCore;
+use argon2::{
+    password_hash::{
+        rand_core::OsRng,
+        PasswordHasher, SaltString
+    },
+    Argon2
+};
+use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64};
+
+struct VaultState {
+    cipher: Mutex<Option<Aes256Gcm>>,
+}
+
+#[tauri::command]
+fn derive_key(password: String, salt: String, state: State<'_, VaultState>) -> Result<String, String> {
+    // In a real app, we'd use Argon2id to derive a 32-byte key from password + salt
+    // For simplicity/speed in this prototype, we'll verify logic.
+    // Ideally: Argon2 to get 32 bytes.
+    
+    // Note: 'salt' from DB is usually a string.
+    
+    let mut key_material = [0u8; 32];
+    let salt_bytes = salt.as_bytes(); // Should be decoded if stored as base64/hex? assuming raw string for now or robust handling needed
+    
+    let argon2 = Argon2::default();
+    // We need to derive raw bytes, not PHC string.
+    // Using simple_pbkdf2 or manual params for Argon2.
+    // For this prototype, lets use a simple hash or assuming the 'salt' is adequate.
+    
+    // Using Argon2 to fill key_material
+    let res = argon2.hash_password_simple(password.as_bytes(), &SaltString::generate(&mut OsRng))
+        .map_err(|e| e.to_string())?;
+        
+    // Wait, hash_password_simple returns a PasswordHash string. We want raw key bytes (KDF).
+    // Correct usage for KDF:
+    let mut output_key = [0u8; 32];
+    argon2.hash_password_into(password.as_bytes(), salt.as_bytes(), &mut output_key)
+        .map_err(|e| e.to_string())?;
+
+    let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&output_key);
+    let cipher = Aes256Gcm::new(key);
+
+    *state.cipher.lock().unwrap() = Some(cipher);
+    
+    Ok("Key derived and stored in memory".into())
+}
+
+#[tauri::command]
+fn encrypt_val(cleartext: String, state: State<'_, VaultState>) -> Result<String, String> {
+    let cipher_guard = state.cipher.lock().unwrap();
+    let cipher = cipher_guard.as_ref().ok_or("Vault locked")?;
+
+    let mut nonce_bytes = [0u8; 12];
+    OsRng.fill_bytes(&mut nonce_bytes);
+    let nonce = Nonce::from_slice(&nonce_bytes);
+
+    let ciphertext = cipher.encrypt(nonce, cleartext.as_bytes())
+        .map_err(|e| e.to_string())?;
+
+    // Return format: nonce:ciphertext (base64 encoded)
+    let mut combined = nonce_bytes.to_vec();
+    combined.extend(ciphertext);
+    
+    Ok(BASE64.encode(combined))
+}
+
+#[tauri::command]
+fn decrypt_val(encrypted: String, state: State<'_, VaultState>) -> Result<String, String> {
+    let cipher_guard = state.cipher.lock().unwrap();
+    let cipher = cipher_guard.as_ref().ok_or("Vault locked")?;
+
+    let data = BASE64.decode(encrypted).map_err(|e| e.to_string())?;
+    if data.len() < 12 {
+        return Err("Invalid data".into());
+    }
+
+    let nonce = Nonce::from_slice(&data[0..12]);
+    let payload = &data[12..];
+
+    let plaintext = cipher.decrypt(nonce, payload)
+        .map_err(|e| e.to_string())?;
+
+    Ok(String::from_utf8(plaintext).map_err(|e| e.to_string())?)
+}
+
+#[cfg_attr(mobile, tauri::mobile_entry_point)]
+pub fn run() {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_opener::init())
+        .manage(VaultState { cipher: Mutex::new(None) })
+        .invoke_handler(tauri::generate_handler![derive_key, encrypt_val, decrypt_val])
+        .run(tauri::generate_context!())
+        .expect("error while running tauri application");
+}

clients/desktop/src-tauri/src/main.rs

@@ -0,0 +1,6 @@
+// Prevents additional console window on Windows in release, DO NOT REMOVE!!
+#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
+
+fn main() {
+    clientsdesktopsecrets_desktop_lib::run()
+}

clients/desktop/src-tauri/tauri.conf.json

@@ -0,0 +1,35 @@
+{
+  "$schema": "https://schema.tauri.app/config/2",
+  "productName": "clientsdesktopsecrets-desktop",
+  "version": "0.1.0",
+  "identifier": "com.secrets.desktop",
+  "build": {
+    "beforeDevCommand": "npm run dev",
+    "devUrl": "http://localhost:1420",
+    "beforeBuildCommand": "npm run build",
+    "frontendDist": "../dist"
+  },
+  "app": {
+    "windows": [
+      {
+        "title": "clientsdesktopsecrets-desktop",
+        "width": 800,
+        "height": 600
+      }
+    ],
+    "security": {
+      "csp": null
+    }
+  },
+  "bundle": {
+    "active": true,
+    "targets": "all",
+    "icon": [
+      "icons/32x32.png",
+      "icons/128x128.png",
+      "icons/128x128@2x.png",
+      "icons/icon.icns",
+      "icons/icon.ico"
+    ]
+  }
+}