update todo

Previously, when Creddy was configured to start minimized, it would always start minimized, regardless of how it was launched. Really, though, when you use this setting what you probably want is for it to start minimized only when it's being launched automatically, i.e. on login. This update changes its behavior so that it will only start minimized when auto-launching.

Additionally, if Creddy detects on startup that its start-on-login configuration doesn't match the system, it will modify its own settings to match the system (unless it's the very first launch, of course.) That way if you disable Creddy's start-on-login behavior from your system dialog, it will respect your change.

doc/todo.md

@@ -11,7 +11,8 @@
 * Logging
 * Icon
 * Auto-updates
-* SSH key handling
+* ~~SSH key handling~~
+* ~~Docker credential helper~~
 * Encrypted sync server
 
 ## Maybe

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "creddy",
-  "version": "0.4.9",
+  "version": "0.6.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "creddy",
-      "version": "0.4.9",
+      "version": "0.6.4",
       "dependencies": {
         "@tauri-apps/api": "^2.0.0-beta.13",
         "@tauri-apps/plugin-dialog": "^2.0.0-beta.5",
@@ -15,7 +15,7 @@
       },
       "devDependencies": {
         "@sveltejs/vite-plugin-svelte": "^1.0.1",
-        "@tauri-apps/cli": "^2.0.0-beta.20",
+        "@tauri-apps/cli": "^2.2.1",
         "autoprefixer": "^10.4.8",
         "postcss": "^8.4.16",
         "svelte": "^3.49.0",
@@ -213,9 +213,9 @@
       }
     },
     "node_modules/@tauri-apps/cli": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli/-/cli-2.0.0-beta.20.tgz",
-      "integrity": "sha512-707q9uIc2oNrYHd2dtMvxTrpZXVpart5EIktnRymNOpphkLlB6WUBjHD+ga45WqTU6cNGKbYvkKqTNfshNul9Q==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli/-/cli-2.2.1.tgz",
+      "integrity": "sha512-oLWX/2tW0v8cBaShI9/bt5RsquCLK7ZCwhPXXnf55oil8/GrNtLzW9/67iyydcnxiYYU5jYMpo3uXptknOSdpA==",
       "dev": true,
       "bin": {
         "tauri": "tauri.js"
@@ -228,22 +228,22 @@
         "url": "https://opencollective.com/tauri"
       },
       "optionalDependencies": {
-        "@tauri-apps/cli-darwin-arm64": "2.0.0-beta.20",
-        "@tauri-apps/cli-darwin-x64": "2.0.0-beta.20",
-        "@tauri-apps/cli-linux-arm-gnueabihf": "2.0.0-beta.20",
-        "@tauri-apps/cli-linux-arm64-gnu": "2.0.0-beta.20",
-        "@tauri-apps/cli-linux-arm64-musl": "2.0.0-beta.20",
-        "@tauri-apps/cli-linux-x64-gnu": "2.0.0-beta.20",
-        "@tauri-apps/cli-linux-x64-musl": "2.0.0-beta.20",
-        "@tauri-apps/cli-win32-arm64-msvc": "2.0.0-beta.20",
-        "@tauri-apps/cli-win32-ia32-msvc": "2.0.0-beta.20",
-        "@tauri-apps/cli-win32-x64-msvc": "2.0.0-beta.20"
+        "@tauri-apps/cli-darwin-arm64": "2.2.1",
+        "@tauri-apps/cli-darwin-x64": "2.2.1",
+        "@tauri-apps/cli-linux-arm-gnueabihf": "2.2.1",
+        "@tauri-apps/cli-linux-arm64-gnu": "2.2.1",
+        "@tauri-apps/cli-linux-arm64-musl": "2.2.1",
+        "@tauri-apps/cli-linux-x64-gnu": "2.2.1",
+        "@tauri-apps/cli-linux-x64-musl": "2.2.1",
+        "@tauri-apps/cli-win32-arm64-msvc": "2.2.1",
+        "@tauri-apps/cli-win32-ia32-msvc": "2.2.1",
+        "@tauri-apps/cli-win32-x64-msvc": "2.2.1"
       }
     },
     "node_modules/@tauri-apps/cli-darwin-arm64": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-arm64/-/cli-darwin-arm64-2.0.0-beta.20.tgz",
-      "integrity": "sha512-oCJOCib7GuYkwkBXx+ekamR8NZZU+2i3MLP+DHpDxK5gS2uhCE+CBkamJkNt6y1x6xdVnwyqZOm5RvN4SRtyIA==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-arm64/-/cli-darwin-arm64-2.2.1.tgz",
+      "integrity": "sha512-658OPWObcEA7x/Pe/fAXfyJtC5SdcpD2Q9ZSVKoLBovPzfU6Ug2mCaQmH1L5iA7Zb7a26ctzkaz3Sh3dMeGcJw==",
       "cpu": [
         "arm64"
       ],
@@ -257,9 +257,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-darwin-x64": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-x64/-/cli-darwin-x64-2.0.0-beta.20.tgz",
-      "integrity": "sha512-lC5QSnRExedYN4Ds6ZlSvC2PxP8qfIYBJQ5ktf+PJI5gQALdNeVtd6YnTG1ODCEklfLq9WKkGwp7JdALTU5wDA==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-x64/-/cli-darwin-x64-2.2.1.tgz",
+      "integrity": "sha512-3g11km4caJa6StvETI5GIynniNC/e9AWpUy+lWQRfQBdelRrEGoEDw949SihxqKHAoP2E9cm7z5DUsiRiT/Yaw==",
       "cpu": [
         "x64"
       ],
@@ -273,9 +273,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm-gnueabihf": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm-gnueabihf/-/cli-linux-arm-gnueabihf-2.0.0-beta.20.tgz",
-      "integrity": "sha512-nZCeBMHHye5DLOJV5k2w658hnCS+LYaOZ8y/G9l3ei+g0L/HBjlSy6r4simsAT5TG8+l3oCZzLBngfTMdDS/YA==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm-gnueabihf/-/cli-linux-arm-gnueabihf-2.2.1.tgz",
+      "integrity": "sha512-Ldbw3Y56TAfpsGRuWJnkdl0TV0NHhtP3bGyjh2lJACofkHMCOtsLHOx4/HP2hFnn7DcSLWHUayyPlj2rAikKkA==",
       "cpu": [
         "arm"
       ],
@@ -289,9 +289,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm64-gnu": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-2.0.0-beta.20.tgz",
-      "integrity": "sha512-B79ISVLPVBgwnCchVqwTKU+vxnFYqxKomcR4rmsvxfs0NVtT5QuNzE1k4NUQnw3966yjwhYR3mnHsSJQSB4Eyw==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-2.2.1.tgz",
+      "integrity": "sha512-ay3NwilDR95RyvK/AIdivuULcbpGgrUISNLDOfTKEvKMMnRWkMV4gzY3hifQ8H7CDonGhqMl2PjP+WvDQpXUig==",
       "cpu": [
         "arm64"
       ],
@@ -305,9 +305,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm64-musl": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.0.0-beta.20.tgz",
-      "integrity": "sha512-ojIkv/1uZHhcrgfIN8xgn4BBeo/Xg+bnV0wer6lD78zyxkUMWeEZ+u3mae1ejCJNhhaZOxNaUQ67MvDOiGyr5Q==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.2.1.tgz",
+      "integrity": "sha512-d2zK4Qb9DZlNjNB8Fda0yxOlg6sk6GZGhO5dVnie5VYJMt4lDct2LZljg4boUb5t1pk6sfAPB9356G7R8l4qCQ==",
       "cpu": [
         "arm64"
       ],
@@ -321,9 +321,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-x64-gnu": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-gnu/-/cli-linux-x64-gnu-2.0.0-beta.20.tgz",
-      "integrity": "sha512-xBy1FNbHKlc7T6pOmFQQPECxJaI5A9QWX7Kb9N64cNVusoOGlvc3xHYkXMS4PTr7xXOT0yiE1Ww2OwDRJ3lYsg==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-gnu/-/cli-linux-x64-gnu-2.2.1.tgz",
+      "integrity": "sha512-P0Zm3nmRbBS/KIxSrzul2ieZEwtTdU4bjsB9pOIk+oPF15HXnrLLbVBeMofNjXOWsIxTJw2tIt/XPD8Jt9jSEg==",
       "cpu": [
         "x64"
       ],
@@ -337,9 +337,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-x64-musl": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-musl/-/cli-linux-x64-musl-2.0.0-beta.20.tgz",
-      "integrity": "sha512-+O6zq5jmtUxA1FUAAwF2ywPysy4NRo2Y6G+ESZDkY9XosRwdt5OUjqAsYktZA3AxDMZVei8r9buwTqUwi9ny/g==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-musl/-/cli-linux-x64-musl-2.2.1.tgz",
+      "integrity": "sha512-AwYuKTpPGdR0BJMDdJsjGm8vfVDBpXYRDJ+1B/FlIMTikAx4A/wSODxphjf6Ls9uOC5F3To0XlfqskBkTq0WKw==",
       "cpu": [
         "x64"
       ],
@@ -353,9 +353,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-arm64-msvc": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-2.0.0-beta.20.tgz",
-      "integrity": "sha512-RswgMbWyOQcv53CHvIuiuhAh4kKDqaGyZfWD4VlxqX/XhkoF5gsNgr0MxzrY7pmoL+89oVI+fiGVJz4nOQE5vA==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-2.2.1.tgz",
+      "integrity": "sha512-t1Pv+Og5O+Cp0uYHFzSWEl+hssr1bKJjgWg05ElTpwYMb4xKA5bh1BTGN5orGqKs0e2+D+EPsOqVfM8KuUWR4Q==",
       "cpu": [
         "arm64"
       ],
@@ -369,9 +369,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-ia32-msvc": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-2.0.0-beta.20.tgz",
-      "integrity": "sha512-5lgWmDVXhX3SBGbiv5SduM1yajiRnUEJClWhSdRrEEJeXdsxpCsBEhxYnUnDCEzPKxLLn5fdBv3VrVctJ03csQ==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-2.2.1.tgz",
+      "integrity": "sha512-erY+Spho6hBJgNzHKbA3JFxMztlHAikCiF/OYhk9fy6MbU5KpYHPrAC+Jhj2tcDy/xevWw/6KVNvLmk9PhLcXQ==",
       "cpu": [
         "ia32"
       ],
@@ -385,9 +385,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-x64-msvc": {
-      "version": "2.0.0-beta.20",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-x64-msvc/-/cli-win32-x64-msvc-2.0.0-beta.20.tgz",
-      "integrity": "sha512-SuSiiVQTQPSzWlsxQp/NMzWbzDS9TdVDOw7CCfgiG5wnT2GsxzrcIAVN6i7ILsVFLxrjr0bIgPldSJcdcH84Yw==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-x64-msvc/-/cli-win32-x64-msvc-2.2.1.tgz",
+      "integrity": "sha512-GIdUtdje1CvCn0/Sh3VwPWaFKmD1C0edJUMueGwkRFHmF6HfatXPVhW5FySP+EEO2+rVym1qJkODstJrunraWA==",
       "cpu": [
         "x64"
       ],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.4.9",
+  "version": "0.6.5",
   "scripts": {
     "dev": "vite",
     "build": "vite build",
@@ -9,7 +9,7 @@
   },
   "devDependencies": {
     "@sveltejs/vite-plugin-svelte": "^1.0.1",
-    "@tauri-apps/cli": "^2.0.0-beta.20",
+    "@tauri-apps/cli": "^2.2.1",
     "autoprefixer": "^10.4.8",
     "postcss": "^8.4.16",
     "svelte": "^3.49.0",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.4.9"
+version = "0.6.5"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""
@@ -9,51 +9,67 @@ default-run = "creddy"
 edition = "2021"
 rust-version = "1.57"
 
-[[bin]]
-name = "creddy_cli"
-path = "src/bin/creddy_cli.rs"
-
 [[bin]]
 name = "creddy"
 path = "src/main.rs"
 
+# we use a workspace so that we can split out the CLI and make it possible to build independently
+[workspace]
+members = ["creddy_cli"]
+
+[workspace.dependencies]
+dirs = "5.0"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+tokio = { version = ">=1.19", features = ["full"] }
+windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [build-dependencies]
-tauri-build = { version = "2.0.0-beta", features = [] }
+tauri-build = { version = "2.0.4", features = [] }
 
 [dependencies]
-serde_json = "1.0"
-serde = { version = "1.0", features = ["derive"] }
-tauri = { version = "2.0.0-beta", features = ["tray-icon"] }
+creddy_cli = { path = "./creddy_cli" }
+tauri = { version = "2.2.0", features = ["tray-icon", "test"] }
 sodiumoxide = "0.2.7"
-tokio = { version = ">=1.19", features = ["full"] }
 sysinfo = "0.26.8"
 aws-config = "1.5.3"
 aws-types = "1.3.2"
 aws-sdk-sts = "1.33.0"
 aws-smithy-types = "1.2.0"
+dirs = { workspace = true }
 thiserror = "1.0.38"
 once_cell = "1.16.0"
 strum = "0.24"
 strum_macros = "0.24"
 auto-launch = "0.4.0"
-dirs = "5.0"
-clap = { version = "3.2.23", features = ["derive"] }
 is-terminal = "0.4.7"
 argon2 = { version = "0.5.0", features = ["std"] }
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 which = "4.4.0"
-windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
 time = "0.3.31"
-tauri-plugin-single-instance = "2.0.0-beta.9"
-tauri-plugin-global-shortcut = "2.0.0-beta.6"
-rfd = "0.14.1"
+tauri-plugin-global-shortcut = "2.2.0"
+tauri-plugin-os = "2.2.0"
+tauri-plugin-dialog = "2.2.0"
+rfd = "0.13.0"
 ssh-agent-lib = "0.4.0"
 ssh-key = { version = "0.6.6", features = ["rsa", "ed25519", "encryption"] }
 signature = "2.2.0"
 tokio-stream = "0.1.15"
+serde = { workspace = true }
+serde_json = { workspace = true }
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "uuid"] }
+tokio = { workspace = true }
+tokio-util = { version = "0.7.11", features = ["codec"] }
+futures = "0.3.30"
+# openssl = { version = "0.10.64", features = ["vendored"] }
+rsa = "0.9.6"
+sha2 = "0.10.8"
+ssh-encoding = "0.2.0"
+
+[target.'cfg(windows)'.dependencies]
+windows = { workspace = true }
 
 [features]
 # by default Tauri runs in production mode

src-tauri/capabilities/migrated.json

@@ -6,12 +6,14 @@
     "main"
   ],
   "permissions": [
-    "path:default",
-    "event:default",
-    "window:default",
-    "app:default",
-    "resources:default",
-    "menu:default",
-    "tray:default"
+    "core:path:default",
+    "core:event:default",
+    "core:window:default",
+    "core:app:default",
+    "core:resources:default",
+    "core:menu:default",
+    "core:tray:default",
+    "os:allow-os-type",
+    "dialog:allow-open"
   ]
 }

src-tauri/creddy_cli/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "creddy_cli"
+version = "0.6.5"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.86"
+clap = { version = "4", features = ["derive"] }
+dirs = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+tokio = { workspace = true }
+
+[target.'cfg(windows)'.dependencies]
+windows = { workspace = true }

src-tauri/creddy_cli/src/cli/docker.rs

@@ -0,0 +1,62 @@
+use std::io::{self, Read};
+
+use anyhow::bail;
+
+use crate::proto::{CliResponse, DockerCredential};
+use super::{
+    CliCredential,
+    CliRequest,
+    GlobalArgs
+};
+
+
+pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let input: DockerCredential = serde_json::from_reader(io::stdin())?;
+
+    let req = CliRequest::StoreDockerCredential(input);
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}
+
+
+pub fn docker_get(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let mut server_url = String::new();
+    io::stdin().read_to_string(&mut server_url)?;
+    let req = CliRequest::GetDockerCredential {
+       server_url: server_url.trim().to_owned()
+    };
+
+    let server_resp = super::make_request(global_args.server_addr, &req)?;
+    match server_resp {
+        Ok(CliResponse::Credential(CliCredential::Docker(d))) => {
+            println!("{}", serde_json::to_string(&d)?);
+        },
+        Err(e) if e.code == "NoCredentials" => {
+            // To indicate credentials are not found, a credential helper *must* print
+            // this message to stdout, then exit 1. Any other message/status will cause
+            // some builds to fail. This is, of course, not documented anywhere.
+            println!("credentials not found in native keychain");
+            std::process::exit(1);
+        },
+        Err(e) => Err(e)?,
+        Ok(r) => bail!("Unexpected response from server: {r}"),
+    }
+    Ok(())
+}
+
+
+pub fn docker_erase(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let mut server_url = String::new();
+    io::stdin().read_to_string(&mut server_url)?;
+    let req = CliRequest::EraseDockerCredential {
+        server_url: server_url.trim().to_owned()
+    };
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}

src-tauri/creddy_cli/src/cli/mod.rs

@@ -0,0 +1,233 @@
+use std::path::PathBuf;
+use std::process::Command as ChildCommand;
+#[cfg(unix)]
+use std::os::unix::process::CommandExt;
+
+use anyhow::{bail, Context};
+use clap::{
+    Args,
+    Parser,
+    Subcommand
+};
+use clap::builder::styling::{Styles, AnsiColor};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::proto::{
+    CliCredential,
+    CliRequest,
+    CliResponse,
+    ServerError,
+    ShortcutAction,
+};
+
+mod docker;
+
+
+#[derive(Debug, Parser)]
+#[command(
+    about,
+    version,
+    name = "creddy",
+    bin_name = "creddy",
+    styles = Styles::styled()
+        .header(AnsiColor::Yellow.on_default())
+        .usage(AnsiColor::Yellow.on_default())
+        .literal(AnsiColor::Green.on_default())
+        .placeholder(AnsiColor::Green.on_default())
+)]
+/// A friendly credential manager
+pub struct Cli {
+    #[command(flatten)]
+    pub global_args: GlobalArgs,
+
+    #[command(subcommand)]
+    pub action: Option<Action>,
+}
+
+impl Cli {
+    // proxy the Parser method so that main crate doesn't have to depend on Clap
+    pub fn parse() -> Self {
+        <Self as Parser>::parse()
+    }
+}
+
+
+#[derive(Debug, Clone, Args)]
+pub struct GlobalArgs {
+    /// Connect to the main Creddy application at this path
+    #[arg(long, short = 'a')]
+    server_addr: Option<PathBuf>,
+}
+
+
+#[derive(Debug, Subcommand)]
+pub enum Action {
+    /// Launch Creddy
+    Run(RunArgs),
+    /// Request credentials from Creddy and output to stdout
+    Get(GetArgs),
+    /// Inject credentials into the environment of another command
+    Exec(ExecArgs),
+    /// Invoke an action normally triggered by hotkey (e.g. launch terminal)
+    Shortcut(InvokeArgs),
+    /// Interact with Docker credentials via the docker-credential-helper protocol
+    #[command(subcommand)]
+    Docker(DockerCmd),
+}
+
+
+#[derive(Debug, Args)]
+pub struct RunArgs {
+    /// Minimize to system tray on launch
+    #[arg(long, default_value_t = false)]
+    pub minimized: bool,
+}
+
+
+#[derive(Debug, Args)]
+pub struct GetArgs {
+    /// If unspecified, use default credentials
+    #[arg(short, long)]
+    name: Option<String>,
+    /// Use base credentials instead of session credentials (only applicable to AWS)
+    #[arg(long, short, default_value_t = false)]
+    base: bool,
+}
+
+
+#[derive(Debug, Args)]
+pub struct ExecArgs {
+    #[command(flatten)]
+    get_args: GetArgs,
+    #[arg(trailing_var_arg = true)]
+    /// Command to be wrapped
+    command: Vec<String>,
+}
+
+
+#[derive(Debug, Args)]
+pub struct InvokeArgs {
+    #[arg(value_name = "ACTION", value_enum)]
+    pub shortcut_action: ShortcutAction,
+}
+
+
+#[derive(Debug, Subcommand)]
+pub enum DockerCmd {
+    /// Get a stored Docker credential
+    Get,
+    /// Store a new Docker credential
+    Store,
+    /// Remove a stored Docker credential
+    Erase,
+}
+
+
+pub fn get(args: GetArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    let req = CliRequest::GetAwsCredential {
+        name: args.name,
+        base: args.base,
+    };
+
+    let output = match make_request(global.server_addr, &req)?? {
+        CliResponse::Credential(CliCredential::AwsBase(c)) => {
+            serde_json::to_string_pretty(&c).unwrap()
+        },
+        CliResponse::Credential(CliCredential::AwsSession(c)) => {
+            serde_json::to_string_pretty(&c).unwrap()
+        },
+        r => bail!("Unexpected response from server: {r}"),
+    };
+    println!("{output}");
+    Ok(())
+}
+
+
+pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    // Clap guarantees that cmd_line will be a sequence of at least 1 item
+    // test this!
+    let mut cmd_line = args.command.iter();
+    let cmd_name = cmd_line.next().unwrap();
+    let mut cmd = ChildCommand::new(cmd_name);
+    cmd.args(cmd_line);
+
+    let req = CliRequest::GetAwsCredential {
+        name: args.get_args.name,
+        base: args.get_args.base,
+    };
+
+    match make_request(global.server_addr, &req)?? {
+        CliResponse::Credential(CliCredential::AwsBase(creds)) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+        },
+        CliResponse::Credential(CliCredential::AwsSession(creds)) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
+        },
+        r => bail!("Unexpected response from server: {r}"),
+    }
+
+    #[cfg(unix)]
+    {
+        let e = cmd.exec();
+        // cmd.exec() never returns if successful, so we never hit this line unless there's an error
+        Err(e).with_context(|| {
+            // eventually figure out how to display the actual command
+            format!("Failed to execute command: {}", args.command.join(" "))
+        })?;
+        Ok(())
+    }
+
+    #[cfg(windows)]
+    {
+        let mut child = cmd.spawn()
+            .with_context(|| format!("Failed to execute command: {}", args.command.join(" ")))?;
+        let status = child.wait()
+            .with_context(|| format!("Failed to execute command: {}", args.command.join(" ")))?;
+        std::process::exit(status.code().unwrap_or(1));
+    };
+}
+
+
+pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<()> {
+    let req = CliRequest::InvokeShortcut{action: args.shortcut_action};
+    match make_request(global.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}
+
+
+pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyhow::Result<()> {
+    match cmd {
+        DockerCmd::Get => docker::docker_get(global_args),
+        DockerCmd::Store => docker::docker_store(global_args),
+        DockerCmd::Erase => docker::docker_erase(global_args),
+    }
+}
+
+
+// Explanation for double-result: the server will return a (serialized) Result
+// to indicate when the operation succeeded or failed, which we deserialize.
+// However, the operation may fail to even communicate with the server, in
+// which case we return the outer Result
+// (probably this should be modeled differently)
+#[tokio::main]
+async fn make_request(
+    addr: Option<PathBuf>,
+    req: &CliRequest
+) -> anyhow::Result<Result<CliResponse, ServerError>> {
+    let mut data = serde_json::to_string(req).unwrap();
+    // server expects newline marking end of request
+    data.push('\n');
+
+    let mut stream = crate::connect(addr).await?;
+    stream.write_all(&data.as_bytes()).await?;
+
+    let mut buf = Vec::with_capacity(1024);
+    stream.read_to_end(&mut buf).await?;
+    let res: Result<CliResponse, ServerError> = serde_json::from_slice(&buf)?;
+    Ok(res)
+}

src-tauri/creddy_cli/src/lib.rs

@@ -0,0 +1,77 @@
+mod cli;
+pub use cli::{
+    Action,
+    Cli,
+    docker_credential_helper,
+    exec,
+    get,
+    GlobalArgs,
+    RunArgs,
+    invoke_shortcut,
+};
+
+pub use platform::{connect, server_addr};
+
+pub mod proto;
+
+
+pub fn show_window(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let invoke = cli::InvokeArgs { shortcut_action: proto::ShortcutAction::ShowWindow };
+    cli::invoke_shortcut(invoke, global_args)
+}
+
+
+#[cfg(unix)]
+mod platform {
+    use std::path::PathBuf;
+    use tokio::net::UnixStream;
+
+    pub async fn connect(addr: Option<PathBuf>) -> Result<UnixStream, std::io::Error> {
+        let path = addr.unwrap_or_else(|| server_addr("creddy-server"));
+        UnixStream::connect(&path).await
+    }
+
+    pub fn server_addr(sock_name: &str) -> PathBuf {
+        let mut path = dirs::runtime_dir()
+            .unwrap_or_else(|| PathBuf::from("/tmp"));
+        if cfg!(debug_assertions) {
+            path.push(format!("{sock_name}.dev.sock"))
+        }
+        else {
+            path.push(format!("{sock_name}.sock"));
+        }
+        path
+    }
+}
+
+
+#[cfg(windows)]
+mod platform {
+    use std::path::PathBuf;
+    use std::time::Duration;
+    use tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions};
+    use windows::Win32::Foundation::ERROR_PIPE_BUSY;
+
+    pub async fn connect(addr: Option<PathBuf>) -> std::io::Result<NamedPipeClient> {
+        let opts = ClientOptions::new();
+        let pipe_name = addr.unwrap_or_else(|| server_addr("creddy-server"));
+        loop {
+            match opts.open(&pipe_name) {
+                Ok(client) => return Ok(client),
+                Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => {
+                    tokio::time::sleep(Duration::from_millis(50)).await;
+                },
+                Err(e) => return Err(e),
+            }
+        }
+    }
+
+    pub fn server_addr(sock_name: &str) -> PathBuf {
+        if cfg!(debug_assertions) {
+            format!(r"\\.\pipe\{sock_name}.dev").into()
+        }
+        else {
+            format!(r"\\.\pipe\{sock_name}").into()
+        }
+    }
+}

src-tauri/creddy_cli/src/main.rs

@@ -0,0 +1,44 @@
+use std::env;
+use std::process::{self, Command};
+
+use creddy_cli::{
+    Action,
+    Cli,
+    RunArgs,
+};
+
+fn main() {
+    let cli = Cli::parse();
+    let res = match cli.action {
+        None => launch_gui(RunArgs { minimized: false }),
+        Some(Action::Run(run_args)) => launch_gui(run_args),
+        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
+        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
+        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
+    };
+
+    if let Err(e) = res {
+        eprintln!("Error: {e:?}");
+        process::exit(1);
+    }
+}
+
+
+fn launch_gui(run_args: RunArgs) -> anyhow::Result<()>  {
+    let mut path = env::current_exe()?;
+    path.pop(); // bin dir
+
+    // binaries are colocated in dev, but not in production
+    #[cfg(not(debug_assertions))]
+    path.pop(); // install dir
+
+    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
+
+    let mut cmd = Command::new(path);
+    if run_args.minimized {
+        cmd.arg("--minimized");
+    }
+    cmd.spawn()?;
+    Ok(())
+}

src-tauri/creddy_cli/src/proto.rs

@@ -0,0 +1,113 @@
+use std::fmt::{
+    Display,
+    Formatter,
+    Error as FmtError
+};
+
+use clap::ValueEnum;
+use serde::{Serialize, Deserialize};
+
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
+pub enum CliRequest {
+    GetAwsCredential {
+        name: Option<String>,
+        base: bool,
+    },
+    GetDockerCredential {
+        server_url: String,
+    },
+    StoreDockerCredential(DockerCredential),
+    EraseDockerCredential {
+        server_url: String,
+    },
+    InvokeShortcut{
+        action: ShortcutAction,
+    },
+}
+
+
+#[derive(Debug, Copy, Clone, Serialize, Deserialize, ValueEnum)]
+pub enum ShortcutAction {
+    ShowWindow,
+    LaunchTerminal,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliResponse {
+    Credential(CliCredential),
+    Empty,
+}
+
+impl Display for CliResponse {
+    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
+        match self {
+            CliResponse::Credential(CliCredential::AwsBase(_)) => write!(f, "Credential (AwsBase)"),
+            CliResponse::Credential(CliCredential::AwsSession(_)) => write!(f, "Credential (AwsSession)"),
+            CliResponse::Credential(CliCredential::Docker(_)) => write!(f, "Credential (Docker)"),
+            CliResponse::Empty => write!(f, "Empty"),
+        }
+    }
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliCredential {
+    AwsBase(AwsBaseCredential),
+    AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
+}
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct AwsBaseCredential {
+    #[serde(default = "default_aws_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+}
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct AwsSessionCredential {
+    #[serde(default = "default_aws_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub session_token: String,
+    // we don't need to know the expiration for the CLI, so just use a string here
+    pub expiration: String,
+}
+
+
+fn default_aws_version() -> usize { 1 }
+
+
+#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ServerError {
+    pub code: String,
+    pub msg: String,
+}
+
+impl Display for ServerError {
+    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
+        write!(f, "Error response ({}) from server: {}", self.code, self.msg)?;
+        Ok(())
+    }
+}
+
+impl std::error::Error for ServerError {}

src-tauri/gen/schemas/capabilities.json

@@ -1 +1 @@
-{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["path:default","event:default","window:default","app:default","resources:default","menu:default","tray:default"]}}
+{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["core:path:default","core:event:default","core:window:default","core:app:default","core:resources:default","core:menu:default","core:tray:default","os:allow-os-type","dialog:allow-open"]}}

src-tauri/gen/schemas/linux-schema.json

@@ -247,6 +247,82 @@
             "app:deny-version"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "dialog:default"
+          ]
+        },
+        {
+          "description": "dialog:allow-ask -> Enables the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-ask"
+          ]
+        },
+        {
+          "description": "dialog:allow-confirm -> Enables the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-confirm"
+          ]
+        },
+        {
+          "description": "dialog:allow-message -> Enables the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-message"
+          ]
+        },
+        {
+          "description": "dialog:allow-open -> Enables the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-open"
+          ]
+        },
+        {
+          "description": "dialog:allow-save -> Enables the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:allow-save"
+          ]
+        },
+        {
+          "description": "dialog:deny-ask -> Denies the ask command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-ask"
+          ]
+        },
+        {
+          "description": "dialog:deny-confirm -> Denies the confirm command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-confirm"
+          ]
+        },
+        {
+          "description": "dialog:deny-message -> Denies the message command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-message"
+          ]
+        },
+        {
+          "description": "dialog:deny-open -> Denies the open command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-open"
+          ]
+        },
+        {
+          "description": "dialog:deny-save -> Denies the save command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "dialog:deny-save"
+          ]
+        },
         {
           "description": "event:default -> Default permissions for the plugin.",
           "type": "string",
@@ -778,6 +854,124 @@
             "menu:deny-text"
           ]
         },
+        {
+          "type": "string",
+          "enum": [
+            "os:default"
+          ]
+        },
+        {
+          "description": "os:allow-arch -> Enables the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-arch"
+          ]
+        },
+        {
+          "description": "os:allow-exe-extension -> Enables the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-exe-extension"
+          ]
+        },
+        {
+          "description": "os:allow-family -> Enables the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-family"
+          ]
+        },
+        {
+          "description": "os:allow-hostname -> Enables the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-hostname"
+          ]
+        },
+        {
+          "description": "os:allow-locale -> Enables the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-locale"
+          ]
+        },
+        {
+          "description": "os:allow-os-type -> Enables the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-os-type"
+          ]
+        },
+        {
+          "description": "os:allow-platform -> Enables the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-platform"
+          ]
+        },
+        {
+          "description": "os:allow-version -> Enables the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:allow-version"
+          ]
+        },
+        {
+          "description": "os:deny-arch -> Denies the arch command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-arch"
+          ]
+        },
+        {
+          "description": "os:deny-exe-extension -> Denies the exe_extension command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-exe-extension"
+          ]
+        },
+        {
+          "description": "os:deny-family -> Denies the family command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-family"
+          ]
+        },
+        {
+          "description": "os:deny-hostname -> Denies the hostname command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-hostname"
+          ]
+        },
+        {
+          "description": "os:deny-locale -> Denies the locale command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-locale"
+          ]
+        },
+        {
+          "description": "os:deny-os-type -> Denies the os_type command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-os-type"
+          ]
+        },
+        {
+          "description": "os:deny-platform -> Denies the platform command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-platform"
+          ]
+        },
+        {
+          "description": "os:deny-version -> Denies the version command without any pre-configured scope.",
+          "type": "string",
+          "enum": [
+            "os:deny-version"
+          ]
+        },
         {
           "description": "path:default -> Default permissions for the plugin.",
           "type": "string",

src-tauri/migrations/20240617142724_credential_split.sql

@@ -69,9 +69,12 @@ DROP TABLE aws_tmp;
 
 
 -- SSH keys are the new hotness
-CREATE TABLE ssh_keys (
-    name TEXT UNIQUE NOT NULL,
+CREATE TABLE ssh_credentials (
+    id BLOB UNIQUE NOT NULL,
+    algorithm TEXT NOT NULL,
+    comment TEXT NOT NULL,
     public_key BLOB NOT NULL,
     private_key_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
+    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
 );

src-tauri/migrations/20240919135710_docker_creds.sql

@@ -0,0 +1,12 @@
+CREATE TABLE docker_credentials (
+    id BLOB UNIQUE NOT NULL,
+    -- The Docker credential helper protocol only sends the server_url, so
+    -- we should guarantee that we will only ever have one matching credential.
+    -- Also, it's easier to go from unique -> not-unique than vice versa if we
+    -- decide that's necessary in the future
+    server_url TEXT UNIQUE NOT NULL,
+    username TEXT NOT NULL,
+    secret_enc BLOB NOT NULL,
+    nonce BLOB NOT NULL,
+    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
+);

src-tauri/src/_credentials.rs

@@ -1,350 +0,0 @@
-use std::fmt::{self, Formatter};
-use std::time::{SystemTime, UNIX_EPOCH};
-
- use aws_smithy_types::date_time::{DateTime, Format};
-use argon2::{
-    Argon2,
-    Algorithm,
-    Version,
-    ParamsBuilder,
-    password_hash::rand_core::{RngCore, OsRng},
-};
-use chacha20poly1305::{
-    XChaCha20Poly1305,
-    XNonce,
-    aead::{
-        Aead,
-        AeadCore,
-        KeyInit,
-        Error as AeadError,
-        generic_array::GenericArray,
-    },
-};
-use serde::{
-    Serialize,
-    Deserialize,
-    Serializer,
-    Deserializer,
-};
-use serde::de::{self, Visitor};
-use sqlx::SqlitePool;
-
-
-use crate::errors::*;
-
-
-#[derive(Clone, Debug)]
-pub enum Session {
-    Unlocked{
-        base: BaseCredentials,
-        session: SessionCredentials,
-    },
-    Locked(LockedCredentials),
-    Empty,
-}
-
-impl Session {
-    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
-        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
-            .fetch_optional(pool)
-            .await?;
-        let row = match res {
-            Some(r) => r,
-            None => {return Ok(Session::Empty);}
-        };
-
-        let salt: [u8; 32] = row.salt
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
-            .ok_or(SetupError::InvalidRecord)?;
-
-        let creds = LockedCredentials {
-            access_key_id: row.access_key_id,
-            secret_key_enc: row.secret_key_enc,
-            salt,
-            nonce,
-        };
-        Ok(Session::Locked(creds))
-    }
-
-    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
-        match self {
-            Session::Unlocked{ref base, ref mut session} => {
-                if !session.is_expired() {
-                    return Ok(false);
-                }
-                *session = SessionCredentials::from_base(base).await?;
-                Ok(true)
-            },
-            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
-            Session::Empty => Err(GetSessionError::CredentialsEmpty),
-        }
-    }
-
-    pub fn try_get(
-        &self
-    ) -> Result<(&BaseCredentials, &SessionCredentials), GetCredentialsError> {
-        match self {
-            Self::Empty => Err(GetCredentialsError::Empty),
-            Self::Locked(_) => Err(GetCredentialsError::Locked),
-            Self::Unlocked{ ref base, ref session } => Ok((base, session))
-        }
-    }
-}
-
-
-#[derive(Clone, Debug)]
-pub struct LockedCredentials {
-    pub access_key_id: String,
-    pub secret_key_enc: Vec<u8>,
-    pub salt: [u8; 32],
-    pub nonce: XNonce,
-}
-
-impl LockedCredentials {
-    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
-        sqlx::query(
-            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
-            VALUES (?, ?, ?, ?, strftime('%s'))"
-        )
-            .bind(&self.access_key_id)
-            .bind(&self.secret_key_enc)
-            .bind(&self.salt[..])
-            .bind(&self.nonce[..])
-            .execute(pool)
-            .await?;
-
-        Ok(())
-    }
-
-    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
-        let crypto = Crypto::new(passphrase, &self.salt)
-            .map_err(|e| CryptoError::Argon2(e))?;
-        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
-            .map_err(|e| CryptoError::Aead(e))?;
-        let secret_access_key = String::from_utf8(decrypted)
-            .map_err(|_| UnlockError::InvalidUtf8)?;
-
-        let creds = BaseCredentials::new(
-            self.access_key_id.clone(),
-            secret_access_key,
-        );
-        Ok(creds)
-    }
-}
-
-
-fn default_credentials_version() -> usize { 1 }
-
-#[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct BaseCredentials {
-    #[serde(default = "default_credentials_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-}
-
-impl BaseCredentials {
-    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
-        Self {version: 1, access_key_id, secret_access_key}
-    }
-
-    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
-        let salt = Crypto::salt();
-        let crypto = Crypto::new(passphrase, &salt)?;
-        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
-
-        let locked = LockedCredentials {
-            access_key_id: self.access_key_id.clone(),
-            secret_key_enc,
-            salt,
-            nonce,
-        };
-        Ok(locked)
-    }
-}
-
-
-#[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct SessionCredentials {
-    #[serde(default = "default_credentials_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-    pub session_token: String,
-    #[serde(serialize_with = "serialize_expiration")]
-    #[serde(deserialize_with = "deserialize_expiration")]
-    pub expiration: DateTime,
-}
-
-impl SessionCredentials {
-    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
-        let req_creds = aws_sdk_sts::Credentials::new(
-            &base.access_key_id,
-            &base.secret_access_key,
-            None, // token
-            None, //expiration
-            "Creddy", // "provider name" apparently
-        );
-        let config = aws_config::from_env()
-            .credentials_provider(req_creds)
-            .load()
-            .await;
-
-        let client = aws_sdk_sts::Client::new(&config);
-        let resp = client.get_session_token()
-            .duration_seconds(43_200)
-            .send()
-            .await?;
-
-        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
-
-        let access_key_id = aws_session.access_key_id()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let secret_access_key = aws_session.secret_access_key()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let session_token = aws_session.session_token()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .to_string();
-        let expiration = aws_session.expiration()
-            .ok_or(GetSessionError::EmptyResponse)?
-            .clone();
-
-        let session_creds = SessionCredentials {
-            version: 1,
-            access_key_id,
-            secret_access_key,
-            session_token,
-            expiration,
-        };
-
-        #[cfg(debug_assertions)]
-        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
-
-        Ok(session_creds)
-    }
-
-    pub fn is_expired(&self) -> bool {
-        let current_ts = SystemTime::now()
-            .duration_since(UNIX_EPOCH)
-            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
-            .as_secs();
-
-        let expire_ts = self.expiration.secs();
-        let remaining = expire_ts - (current_ts as i64);
-        remaining < 60
-    }
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum Credentials {
-    Base(BaseCredentials),
-    Session(SessionCredentials),
-}
-
-
-fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
-where S: Serializer
-{
-    // this only fails if the d/t is out of range, which it can't be for this format
-    let time_str = exp.fmt(Format::DateTime).unwrap();
-    serializer.serialize_str(&time_str)
-}
-
-
-struct DateTimeVisitor;
-
-impl<'de> Visitor<'de> for DateTimeVisitor {
-    type Value = DateTime;
-
-    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
-        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
-    }
-
-    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
-        DateTime::from_str(v, Format::DateTime)
-            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
-    }
-}
-
-
-fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
-where D: Deserializer<'de>
-{
-    deserializer.deserialize_str(DateTimeVisitor)
-}
-
-
-struct Crypto {
-    cipher: XChaCha20Poly1305,
-}
-
-impl Crypto {
-    /// Argon2 params rationale:
-    ///
-    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
-    /// This should roughly double the memory usage of the application
-    /// while deriving the key.
-    ///
-    /// p_cost is irrelevant since (at present) there isn't any parallelism
-    /// implemented, so we leave it at 1.
-    ///
-    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
-    /// a key on my (somewhat older) CPU. This is probably overkill, but
-    /// given that it should only have to happen ~once a day for most 
-    /// usage, it should be acceptable.
-    #[cfg(not(debug_assertions))]
-    const MEM_COST: u32 = 128 * 1024;
-    #[cfg(not(debug_assertions))]
-    const TIME_COST: u32 = 8;
-
-    /// But since this takes a million years without optimizations,
-    /// we turn it way down in debug builds.
-    #[cfg(debug_assertions)]
-    const MEM_COST: u32 = 48 * 1024;
-    #[cfg(debug_assertions)]
-    const TIME_COST: u32 = 1;
-    
-
-    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
-        let params = ParamsBuilder::new()
-            .m_cost(Self::MEM_COST)
-            .p_cost(1)
-            .t_cost(Self::TIME_COST)
-            .build()
-            .unwrap(); // only errors if the given params are invalid
-
-        let hasher = Argon2::new(
-            Algorithm::Argon2id,
-            Version::V0x13,
-            params,
-        );
-
-        let mut key = [0; 32];
-        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
-        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
-        Ok(Crypto { cipher })
-    }
-
-    fn salt() -> [u8; 32] {
-        let mut salt = [0; 32];
-        OsRng.fill_bytes(&mut salt);
-        salt
-    }
-
-    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
-        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
-        let ciphertext = self.cipher.encrypt(&nonce, data)?;
-        Ok((nonce, ciphertext))
-    }
-
-    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
-        self.cipher.decrypt(nonce, data)
-    }
-}

src-tauri/src/app.rs

@@ -2,10 +2,6 @@ use std::error::Error;
 use std::time::Duration;
 
 use once_cell::sync::OnceCell;
-use rfd::{
-    MessageDialog,
-    MessageLevel,
-};
 use sqlx::{
     SqlitePool,
     sqlite::SqlitePoolOptions,
@@ -19,13 +15,13 @@ use tauri::{
     RunEvent,
     WindowEvent,
 };
-use tauri::menu::MenuItem;
+use creddy_cli::{GlobalArgs, RunArgs};
 
 use crate::{
     config::{self, AppConfig},
     credentials::AppSession,
     ipc,
-    server::Server,
+    srv::{creddy_server, agent},
     errors::*,
     shortcuts,
     state::AppState,
@@ -36,13 +32,16 @@ use crate::{
 pub static APP: OnceCell<AppHandle> = OnceCell::new();
 
 
-pub fn run() -> tauri::Result<()> {
+pub fn run(run_args: RunArgs, global_args: GlobalArgs) -> tauri::Result<()> {
+    if let Ok(_) = creddy_cli::show_window(global_args) {
+        // app is already running, so terminate
+        return Ok(());
+    }
+
     tauri::Builder::default()
-        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
-            show_main_window(app)
-                .error_popup("Failed to show main window")
-        }))
         .plugin(tauri_plugin_global_shortcut::Builder::default().build())
+        .plugin(tauri_plugin_os::init())
+        .plugin(tauri_plugin_dialog::init())
         .invoke_handler(tauri::generate_handler![
             ipc::unlock,
             ipc::lock,
@@ -54,23 +53,16 @@ pub fn run() -> tauri::Result<()> {
             ipc::save_credential,
             ipc::delete_credential,
             ipc::list_credentials,
+            ipc::sshkey_from_file,
+            ipc::sshkey_from_private_key,
             ipc::get_config,
             ipc::save_config,
             ipc::launch_terminal,
             ipc::get_setup_errors,
+            ipc::get_devmode,
             ipc::exit,
         ])
-        .setup(|app| {
-            let res = rt::block_on(setup(app));
-            if let Err(ref e) = res {
-                MessageDialog::new()
-                    .set_level(MessageLevel::Error)
-                    .set_title("Creddy failed to start")
-                    .set_description(format!("{e}"))
-                    .show();
-            }
-            res
-        })
+        .setup(|app| rt::block_on(setup(app, run_args)))
         .build(tauri::generate_context!())?
         .run(|app, run_event| {
             if let RunEvent::WindowEvent { event, .. } = run_event {
@@ -96,11 +88,11 @@ pub async fn connect_db() -> Result<SqlitePool, SetupError> {
 }
 
 
-async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
+async fn setup(app: &mut App, run_args: RunArgs) -> Result<(), Box<dyn Error>> {
     APP.set(app.handle().clone()).unwrap();
     tray::setup(app)?;
     // get_or_create_db_path doesn't create the actual db file, just the directory
-    let is_first_launch = !config::get_or_create_db_path()?.exists();
+    let is_first_launch = !config::get_or_create_db_path()?.try_exists()?;
     let pool = connect_db().await?;
     let mut setup_errors: Vec<String> = vec![];
 
@@ -116,12 +108,19 @@ async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
     };
 
     let app_session = AppSession::load(&pool).await?;
-    Server::start(app.handle().clone())?;
+    creddy_server::serve(app.handle().clone())?;
+    agent::serve(app.handle().clone())?;
 
-    config::set_auto_launch(conf.start_on_login)?;
-    if let Err(_e) = config::set_auto_launch(conf.start_on_login) {
-        setup_errors.push("Error: Failed to manage autolaunch.".into());
+    // if this is the first launch, setup system with default auto-launch settings
+    if is_first_launch {
+        if let Err(e) = conf.set_auto_launch() {
+            setup_errors.push(format!("Failed to manage autolaunch: {e}"));
+        }
     }
+    // otherwise, treat the system as the source of truth and ensure ours matches
+    else {
+        conf.match_auto_launch(&pool).await?;
+    };
 
     // if hotkeys fail to register, disable them so that this error doesn't have to keep showing up
     if let Err(_e) = shortcuts::register_hotkeys(&conf.hotkeys) {
@@ -134,7 +133,7 @@ async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
         .map(|names| names.split(':').any(|n| n == "GNOME"))
         .unwrap_or(false);
 
-    if !conf.start_minimized || is_first_launch {
+    if !run_args.minimized {
         show_main_window(&app.handle())?;
     }
 
@@ -167,8 +166,8 @@ fn start_auto_locker(app: AppHandle) {
 pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.show()?;
-    let show_hide = app.state::<MenuItem<tauri::Wry>>();
-    show_hide.set_text("Hide")?;
+    let menu = app.state::<tray::MenuItems>();
+    menu.after_show()?;
     Ok(())
 }
 
@@ -176,8 +175,8 @@ pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
 pub fn hide_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.hide()?;
-    let show_hide = app.state::<MenuItem<tauri::Wry>>();
-    show_hide.set_text("Show")?;
+    let menu = app.state::<tray::MenuItems>();
+    menu.after_hide()?;
     Ok(())
 }
 

src-tauri/src/bin/agent.rs

@@ -1,7 +0,0 @@
-use creddy::server::ssh_agent;
-
-
-#[tokio::main]
-async fn main() {
-    ssh_agent::run().await;
-}

src-tauri/src/bin/creddy_cli.rs

@@ -1,47 +0,0 @@
-// Windows isn't really amenable to having a single executable work as both a CLI and GUI app,
-// so we just have a second binary for CLI usage
-use creddy::{
-    cli,
-    errors::CliError,
-};
-use std::{
-    env,
-    process::{self, Command},
-};
-
-
-fn main() {
-    let args = cli::parser().get_matches();
-    if let Some(true) = args.get_one::<bool>("help") {
-        cli::parser().print_help().unwrap(); // if we can't print help we can't print an error
-        process::exit(0);
-    }
-
-    let res = match args.subcommand() {
-        None | Some(("run", _)) => launch_gui(),
-        Some(("get", m)) => cli::get(m),
-        Some(("exec", m)) => cli::exec(m),
-        Some(("shortcut", m)) => cli::invoke_shortcut(m),
-        _ => unreachable!("Unknown subcommand"),
-    };
-
-    if let Err(e) = res {
-        eprintln!("Error: {e}");
-        process::exit(1);
-    }
-}
-
-
-fn launch_gui() -> Result<(), CliError>  {
-    let mut path = env::current_exe()?;
-    path.pop(); // bin dir
-    
-    // binaries are colocated in dev, but not in production
-    #[cfg(not(debug_assertions))]
-    path.pop(); // install dir
-
-    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
-
-    Command::new(path).spawn()?;
-    Ok(())
-}

src-tauri/src/bin/key.rs

@@ -1,13 +0,0 @@
-use ssh_key::private::PrivateKey;
-
-
-fn main() {
-    // let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
-    let p = AsRef::<std::path::Path>::as_ref("/home/joe/.ssh/test");
-    let privkey = PrivateKey::read_openssh_file(p)
-        .unwrap();
-        // .decrypt(passphrase.as_bytes())
-        // .unwrap();
-
-    dbg!(String::from_utf8_lossy(&privkey.to_bytes().unwrap()));
-}

src-tauri/src/cli.rs

@@ -1,194 +0,0 @@
-use std::ffi::OsString;
-use std::process::Command as ChildCommand;
-#[cfg(windows)]
-use std::time::Duration;
-
-use clap::{
-    Command,
-    Arg,
-    ArgMatches,
-    ArgAction,
-    builder::PossibleValuesParser,
- };
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use crate::errors::*;
-use crate::server::{Request, Response};
-use crate::shortcuts::ShortcutAction;
-
-#[cfg(unix)]
-use {
-    std::os::unix::process::CommandExt,
-    tokio::net::UnixStream,
-};
-
-#[cfg(windows)]
-use {
-    tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions},
-    windows::Win32::Foundation::ERROR_PIPE_BUSY,
-};
-
-
-pub fn parser() -> Command<'static> {
-    Command::new("creddy")
-        .version(env!("CARGO_PKG_VERSION"))
-        .about("A friendly AWS credentials manager")
-        .subcommand(
-            Command::new("run")
-                .about("Launch Creddy")
-        )
-        .subcommand(
-            Command::new("get")
-                .about("Request AWS credentials from Creddy and output to stdout")
-                .arg(
-                    Arg::new("base")
-                        .short('b')
-                        .long("base")
-                        .action(ArgAction::SetTrue)
-                        .help("Use base credentials instead of session credentials")
-                )
-        )
-        .subcommand(
-            Command::new("exec")
-                .about("Inject AWS credentials into the environment of another command")
-                .trailing_var_arg(true)
-                .arg(
-                    Arg::new("base")
-                        .short('b')
-                        .long("base")
-                        .action(ArgAction::SetTrue)
-                        .help("Use base credentials instead of session credentials")
-                )
-                .arg(
-                    Arg::new("command")
-                        .multiple_values(true)
-                )
-        )
-        .subcommand(
-            Command::new("shortcut")
-                .about("Invoke an action normally trigged by hotkey (e.g. launch terminal)")
-                .arg(
-                    Arg::new("action")
-                        .value_parser(
-                            PossibleValuesParser::new(["show_window", "launch_terminal"])
-                        )
-                )
-        )
-}
-
-
-pub fn get(args: &ArgMatches) -> Result<(), CliError> {
-    let base = args.get_one("base").unwrap_or(&false);
-    let output = match make_request(&Request::GetAwsCredentials { base: *base })? {
-        Response::AwsBase(creds) => serde_json::to_string(&creds).unwrap(),
-        Response::AwsSession(creds) => serde_json::to_string(&creds).unwrap(),
-        r => return Err(RequestError::Unexpected(r).into()),
-    };
-    println!("{output}");
-    Ok(())
-}
-
-
-pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
-    let base = *args.get_one("base").unwrap_or(&false);
-    let mut cmd_line = args.get_many("command")
-        .ok_or(ExecError::NoCommand)?;
-
-    let cmd_name: &String = cmd_line.next().unwrap(); // Clap guarantees that there will be at least one
-    let mut cmd = ChildCommand::new(cmd_name);
-    cmd.args(cmd_line);
-    
-    match make_request(&Request::GetAwsCredentials { base })? {
-        Response::AwsBase(creds) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-        },
-        Response::AwsSession(creds) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
-        },
-        r => return Err(RequestError::Unexpected(r).into()),
-    }
-
-    #[cfg(unix)]
-    {
-        // cmd.exec() never returns if successful
-        let e = cmd.exec();
-        match e.kind() {
-            std::io::ErrorKind::NotFound => {
-                let name: OsString = cmd_name.into();
-                Err(ExecError::NotFound(name).into())
-            }
-            _ => Err(ExecError::ExecutionFailed(e).into()),
-        }
-    }
-
-    #[cfg(windows)]
-    {
-        let mut child = match cmd.spawn() {
-            Ok(c) => c,
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
-                let name: OsString = cmd_name.into();
-                return Err(ExecError::NotFound(name).into());
-            }
-            Err(e) => return Err(ExecError::ExecutionFailed(e).into()),
-        };
-
-        let status = child.wait()
-            .map_err(|e| ExecError::ExecutionFailed(e))?;
-        std::process::exit(status.code().unwrap_or(1));
-    };
-}
-
-
-pub fn invoke_shortcut(args: &ArgMatches) -> Result<(), CliError> {
-    let action = match args.get_one::<String>("action").map(|s| s.as_str()) {
-        Some("show_window") => ShortcutAction::ShowWindow,
-        Some("launch_terminal") => ShortcutAction::LaunchTerminal,
-        Some(&_) | None => unreachable!("Unknown shortcut action"), // guaranteed by clap
-    };
-
-    let req = Request::InvokeShortcut(action);
-    match make_request(&req) {
-        Ok(Response::Empty) => Ok(()),
-        Ok(r) => Err(RequestError::Unexpected(r).into()),
-        Err(e) => Err(e.into()),
-    }
-}
-
-
-#[tokio::main]
-async fn make_request(req: &Request) -> Result<Response, RequestError> {
-    let mut data = serde_json::to_string(req).unwrap();
-    // server expects newline marking end of request
-    data.push('\n');
-
-    let mut stream = connect().await?;
-    stream.write_all(&data.as_bytes()).await?;
-
-    let mut buf = Vec::with_capacity(1024);
-    stream.read_to_end(&mut buf).await?;
-    let res: Result<Response, ServerError> = serde_json::from_slice(&buf)?;
-    Ok(res?)
-}
-
-
-#[cfg(windows)]
-async fn connect() -> Result<NamedPipeClient, std::io::Error> {
-    // apparently attempting to connect can fail if there's already a client connected
-    loop {
-        match ClientOptions::new().open(r"\\.\pipe\creddy-requests") {
-            Ok(stream) => return Ok(stream),
-            Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (),
-            Err(e) => return Err(e),
-        }
-        tokio::time::sleep(Duration::from_millis(10)).await;
-    }
-}
-
-
-#[cfg(unix)]
-async fn connect() -> Result<UnixStream, std::io::Error> {
-    UnixStream::connect("/tmp/creddy.sock").await
-}

src-tauri/src/clientinfo.rs

@@ -1,6 +1,13 @@
 use std::path::{Path, PathBuf};
 
-use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
+use sysinfo::{
+    System,
+    SystemExt,
+    Pid,
+    PidExt,
+    ProcessExt,
+    UserExt,
+};
 use serde::{Serialize, Deserialize};
 
 use crate::errors::*;
@@ -10,26 +17,36 @@ use crate::errors::*;
 pub struct Client {
     pub pid: u32,
     pub exe: Option<PathBuf>,
+    pub username: Option<String>,
 }
 
 
-pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> {
+pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
     let sys_pid = Pid::from_u32(pid);
-    let mut sys = System::new();   
+    let mut sys = System::new();
     sys.refresh_process(sys_pid);
-    let proc = sys.process(sys_pid)
+    sys.refresh_users_list();
+
+    let mut proc = sys.process(sys_pid)
         .ok_or(ClientInfoError::ProcessNotFound)?;
 
-    let parent_pid_sys = proc.parent()
-        .ok_or(ClientInfoError::ParentPidNotFound)?;
-    sys.refresh_process(parent_pid_sys);
-    let parent = sys.process(parent_pid_sys)
-        .ok_or(ClientInfoError::ParentProcessNotFound)?;
+    if parent {
+        let parent_pid_sys = proc.parent()
+            .ok_or(ClientInfoError::ParentPidNotFound)?;
+        sys.refresh_process(parent_pid_sys);
+        proc = sys.process(parent_pid_sys)
+            .ok_or(ClientInfoError::ParentProcessNotFound)?;
+    }
 
-    let exe = match parent.exe() {
+    let username = proc.user_id()
+        .map(|uid| sys.get_user_by_id(uid))
+        .flatten()
+        .map(|u| u.name().to_owned());
+
+    let exe = match proc.exe() {
         p if p == Path::new("") => None,
         p => Some(PathBuf::from(p)),
     };
 
-    Ok(Client { pid: parent_pid_sys.as_u32(), exe })
+    Ok(Client { pid: proc.pid().as_u32(), exe, username })
 }

src-tauri/src/config.rs

@@ -1,7 +1,7 @@
 use std::path::PathBuf;
 use std::time::Duration;
 
-use auto_launch::AutoLaunchBuilder;
+use auto_launch::{AutoLaunch, AutoLaunchBuilder};
 use is_terminal::IsTerminal;
 use serde::{Serialize, Deserialize};
 use sqlx::SqlitePool;
@@ -89,29 +89,49 @@ impl AppConfig {
     pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> {
         kv::save(pool, "config", self).await
     }
-}
 
+    /// Configure system with auto-launch settings
+    pub fn set_auto_launch(&self) -> Result<(), SetupError> {
+        let mgr = self.auto_launch_manager()?;
 
-pub fn set_auto_launch(is_configured: bool) -> Result<(), SetupError> {
-    let path_buf = std::env::current_exe()
-        .map_err(|e| auto_launch::Error::Io(e))?;
-    let path = path_buf
-        .to_string_lossy();
+        // if enabled, disabled regardless of desired end state because either:
+        // a) we are just going to leave it disabled, or
+        // b) we need to disable-and-reenable in case args are different
+        if mgr.is_enabled()? {
+            mgr.disable()?;
+        }
+        if self.start_on_login {
+            mgr.enable()?;
+        }
 
-    let auto = AutoLaunchBuilder::new()
-        .set_app_name("Creddy")
-        .set_app_path(&path)
-        .build()?;
-
-    let is_enabled = auto.is_enabled()?;
-    if is_configured && !is_enabled {
-        auto.enable()?;
-    }
-    else if !is_configured && is_enabled {
-        auto.disable()?;
+        Ok(())
     }
 
-    Ok(())
+    /// Match own auto-launch settings to system
+    pub async fn match_auto_launch(&mut self, pool: &SqlitePool) -> Result<(), SetupError> {
+        let mgr = self.auto_launch_manager()?;
+        let is_enabled = mgr.is_enabled()?;
+        if is_enabled != self.start_on_login {
+            self.start_on_login = is_enabled;
+            self.save(pool).await?;
+        }
+        Ok(())
+    }
+
+    fn auto_launch_manager(&self) -> Result<AutoLaunch, SetupError> {
+        let path_buf = std::env::current_exe()
+            .map_err(|e| auto_launch::Error::Io(e))?;
+
+        let name = if cfg!(debug_assertions) { "Creddy (dev)" } else { "Creddy" };
+        let mut builder = AutoLaunchBuilder::new();
+        builder.set_app_name(name);
+        builder.set_app_path(&path_buf.to_string_lossy());
+        if self.start_minimized {
+            builder.set_args(&["run", "--minimized"]);
+        }
+
+        Ok(builder.build()?)
+    }
 }
 
 

src-tauri/src/credentials/aws.rs

@@ -76,7 +76,7 @@ impl PersistentCredential for AwsBaseCredential {
                 access_key_id,
                 secret_key_enc,
                 nonce
-            ) 
+            )
             VALUES (?, ?, ?, ?);",
             id, self.access_key_id, ciphertext, nonce_bytes,
         ).execute(&mut **txn).await?;
@@ -185,10 +185,16 @@ where S: Serializer
 #[cfg(test)]
 mod tests {
     use super::*;
+    use aws_sdk_sts::primitives::DateTimeFormat;
+    use creddy_cli::proto::{
+        AwsBaseCredential as CliBase,
+        AwsSessionCredential as CliSession,
+    };
     use sqlx::SqlitePool;
     use sqlx::types::uuid::uuid;
 
 
+
     fn creds() -> AwsBaseCredential {
         AwsBaseCredential::new(
             "AKIAIOSFODNN7EXAMPLE".into(),
@@ -203,19 +209,6 @@ mod tests {
         )
     }
 
-    fn test_uuid() -> Uuid {
-        Uuid::try_parse("00000000-0000-0000-0000-000000000000").unwrap()
-    }
-
-    fn test_uuid_2() -> Uuid {
-        Uuid::try_parse("ffffffff-ffff-ffff-ffff-ffffffffffff").unwrap()
-    }
-
-    fn test_uuid_random() -> Uuid {
-        let bytes = Crypto::salt();
-        Uuid::from_slice(&bytes[..16]).unwrap()
-    }
-
 
     #[sqlx::test(fixtures("aws_credentials"))]
     async fn test_load(pool: SqlitePool) {
@@ -254,5 +247,99 @@ mod tests {
 
         assert_eq!(&creds().into_credential(), &list[0]);
         assert_eq!(&creds_2().into_credential(), &list[1]);
-    }   
+    }
+
+
+    // In order to avoid the CLI depending on the main app (and thus defeating the purpose
+    // of having a separate CLI at all) it re-defines the credentials that need to be sent
+    // back and forth. To prevent the separate definitions from drifting aprt, we test
+    // serializing/deserializing in both directions.
+
+    #[test]
+    fn test_cli_to_app_base() {
+        let cli_base = CliBase {
+            version: 1,
+            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+        };
+
+        let json = serde_json::to_string(&cli_base).unwrap();
+        let computed: AwsBaseCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize base credentials from CLI -> main app");
+
+        assert_eq!(creds(), computed);
+    }
+
+    #[test]
+    fn test_app_to_cli_base() {
+        let base = creds();
+        let json = serde_json::to_string(&base).unwrap();
+
+        let computed: CliBase = serde_json::from_str(&json)
+            .expect("Failed to deserialize base credentials from main app -> CLI");
+
+        let expected = CliBase {
+            version: 1,
+            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+        };
+
+        assert_eq!(expected, computed);
+    }
+
+    #[test]
+    fn test_cli_to_app_session() {
+        let cli_session = CliSession {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: "2024-07-21T00:00:00Z".into(),
+        };
+
+        let json = serde_json::to_string(&cli_session).unwrap();
+        let computed: AwsSessionCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize session credentials from CLI -> main app");
+
+        let expected = AwsSessionCredential {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: DateTime::from_str(
+                "2024-07-21T00:00:00Z",
+                DateTimeFormat::DateTimeWithOffset
+            ).unwrap(),
+        };
+
+        assert_eq!(expected, computed);
+    }
+
+    #[test]
+    fn test_app_to_cli_session() {
+        let session = AwsSessionCredential {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: DateTime::from_str(
+                "2024-07-21T00:00:00Z",
+                DateTimeFormat::DateTimeWithOffset
+            ).unwrap(),
+        };
+
+        let json = serde_json::to_string(&session).unwrap();
+        let computed: CliSession = serde_json::from_str(&json)
+            .expect("Failed to deserialize session credentials from main app -> CLI");
+
+        let expected = CliSession {
+            version: 1,
+            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
+            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
+            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
+            expiration: "2024-07-21T00:00:00Z".into(),
+        };
+
+        assert_eq!(expected, computed);
+    }
 }

src-tauri/src/credentials/docker.rs

@@ -0,0 +1,196 @@
+use chacha20poly1305::XNonce;
+use serde::{Serialize, Deserialize};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    Transaction,
+    types::Uuid,
+};
+
+use super::{Credential, Crypto, PersistentCredential};
+
+use crate::errors::*;
+
+
+#[derive(Debug, Clone, FromRow)]
+pub struct DockerRow {
+    id: Uuid,
+    server_url: String,
+    username: String,
+    secret_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct DockerCredential {
+    #[serde(rename = "ServerURL")]
+    pub server_url: String,
+    pub username: String,
+    pub secret: String,
+}
+
+impl PersistentCredential for DockerCredential {
+    type Row = DockerRow;
+
+    fn type_name() -> &'static str { "docker" }
+
+    fn into_credential(self) -> Credential { Credential::Docker(self) }
+
+    fn row_id(row: &DockerRow) -> Uuid { row.id }
+
+    fn from_row(row: DockerRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let secret_bytes = crypto.decrypt(&nonce, &row.secret_enc)?;
+        let secret = String::from_utf8(secret_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(DockerCredential {
+            server_url: row.server_url,
+            username: row.username,
+            secret
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let (nonce, ciphertext) = crypto.encrypt(self.secret.as_bytes())?;
+        let nonce_bytes = &nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO docker_credentials (
+                id,
+                server_url,
+                username,
+                secret_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?)",
+            id, self.server_url, self.username, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::credentials::CredentialRecord;
+    use creddy_cli::proto::DockerCredential as CliDockerCredential;
+    use sqlx::SqlitePool;
+    use sqlx::types::uuid::uuid;
+
+
+
+    fn test_credential() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        }
+    }
+
+    fn test_credential_2() -> DockerCredential {
+        DockerCredential {
+            server_url: "https://index.docker.io/v1".into(),
+            username: "test@example.com".into(),
+            secret: "a very secure passphrase".into(),
+        }
+    }
+
+    fn test_record() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("00000000-0000-0000-0000-000000000000"),
+            name: "docker_test".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential()),
+        }
+    }
+
+    fn test_record_2() -> CredentialRecord {
+        CredentialRecord {
+            id: uuid!("ffffffff-ffff-ffff-ffff-ffffffffffff"),
+            name: "docker_test_2".into(),
+            is_default: false,
+            credential: Credential::Docker(test_credential_2()),
+        }
+    }
+
+
+    #[sqlx::test]
+    fn test_save(pool: SqlitePool) {
+        let crypt = Crypto::random();
+        test_record().save(&crypt, &pool).await
+            .expect("Failed to save record");
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    fn test_load(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load record");
+
+        assert_eq!(test_credential(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_overwrite(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let mut record = test_record_2();
+        // give it the same id as test_record so that it overwrites
+        let id = uuid!("00000000-0000-0000-0000-000000000000");
+        record.id = id;
+        record.save(&crypt, &pool).await
+            .expect("Failed to overwrite original record with second record");
+
+        let loaded = DockerCredential::load(&id, &crypt, &pool).await
+            .expect("Failed to load again after overwriting");
+
+        assert_eq!(test_credential_2(), loaded);
+    }
+
+    #[sqlx::test(fixtures("docker_credentials"))]
+    async fn test_list(pool: SqlitePool) {
+        let crypt = Crypto::fixed();
+        let records = CredentialRecord::list(&crypt, &pool).await
+            .expect("Failed to list credentials");
+
+        assert_eq!(test_record(), records[0]);
+    }
+
+
+    // make sure that CLI credentials and app credentials don't drift apart
+    #[test]
+    fn test_cli_to_app() {
+        let cli_creds = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+
+        let json = serde_json::to_string(&cli_creds).unwrap();
+        let computed: DockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from CLI -> main app");
+
+        assert_eq!(test_credential(), computed);
+    }
+
+    #[test]
+    fn test_app_to_cli() {
+        let app_creds = test_credential();
+        let json = serde_json::to_string(&app_creds).unwrap();
+
+        let computed: CliDockerCredential = serde_json::from_str(&json)
+            .expect("Failed to deserialize Docker credentials from main app -> CLI");
+
+        let expected = CliDockerCredential {
+            server_url: "https://registry.jfmonty2.com".into(),
+            username: "joe@jfmonty2.com".into(),
+            secret: "correct horse battery staple".into(),
+        };
+        assert_eq!(expected, computed);
+    }
+}

src-tauri/src/credentials/fixtures/docker_credentials.sql

@@ -0,0 +1,11 @@
+INSERT INTO credentials (id, name, credential_type, is_default, created_at)
+VALUES (X'00000000000000000000000000000000', 'docker_test', 'docker', 0, 1726756380);
+
+INSERT INTO docker_credentials (id, server_url, username, secret_enc, nonce)
+VALUES (
+    X'00000000000000000000000000000000',
+    'https://registry.jfmonty2.com',
+    'joe@jfmonty2.com',
+    X'C0B36EE54539D4113A8F73E99FB96B2BF4D87E91F7C3B48256C07E83E3E7EC738888B2FDE2B4DB0BE48BEFDE',
+    X'C5F7F627BBE09A1BB275BE8D2390596C76143881A7766E60'
+);

src-tauri/src/credentials/fixtures/ssh_credentials.sql

@@ -0,0 +1,42 @@
+INSERT INTO credentials (id, name, credential_type, is_default, created_at)
+VALUES
+    (X'11111111111111111111111111111111', 'ssh-plain', 'ssh', 1, 1721557273),
+    (X'22222222222222222222222222222222', 'ssh-enc', 'ssh', 0, 1721557274),
+    (X'33333333333333333333333333333333', 'ed25519-plain', 'ssh', 0, 1721557275),
+    (X'44444444444444444444444444444444', 'ed25519-enc', 'ssh', 0, 1721557276);
+
+
+INSERT INTO ssh_credentials (id, algorithm, comment, public_key, private_key_enc, nonce)
+VALUES
+    (
+        X'11111111111111111111111111111111',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100C4ABCE6D69400912EBAD527733401E30EBF3DC9433B79C8E343D7AFBE19A9F309934822577D9807346B48D4FB0604D022DA826E5624635E4CE19851AA5D30DFD2007DE99B04AE4C2F00823DFFC3C8DDE62F074831C1F8903067C83DCCD7D9CEE8643C93C5291F6B5047F53646A37C84098934FFDE5882B5DD7696CDDC4421C39E2894768CFD6650CE585E35A3F739B015650AA469ABDEFC6987E55DAFEC7D40B4388654ED3205D18528D881927C42CBE210CCF6F49A90619AD6E6ACBF1768D7EC52FF9CB85BE607B9414961566292016875164C1C1D1FBD4C3569D4424A7F19D043ABCDEE50573DFC4FC7F2C2718AA76528FA226C0DD5530DC705C30901E1BDE88FE5CC35CAE5AB8826D1E7F970DBED0A0F7E9833CFC7323A1F1323528D5CC3C00AEB98165D677CAF64BD69729132264D971B5C491D0AEAF53AAD22D03756B2E43754502E84488117EEBB962CCDF5DF59682C1E9BA472D5AB9B83DB2862E7EA380E8FD20DE9368CABCBBC5C95C233A52DE5DFE5E91CB59019D00B529C70C4305',
+        X'DB9B6A3B97FBAE6AC12BDAF9DA57DBEE4DDF6A92DD682958AF147FF5EF64C18255D2A1714D543F2D16BEFD7ED4C419C7A0E9C18754C4CAA251BCFA5AA46508B006CDB08A7C0DB63D8A7FE27F99CCC2F351203B36D2BC3D02302318ECC741574CEF70D956C5CCA41E538F2CA29B20E04778A596B0C3E5CD991A423443B01E3F811E004E2547C5D3DDAEBCFBFB68CDB03D0C16538224BBAA0A80767D64D8F3D2840975DD12B4F648F81B4D4B541CB500BAA99F9808F450A02688D583A924B8AE2B0BE777BC35CE808FD53B5DB8C0838D24A6CE31C3973880CF3174E63E3404F2E77783140A62DDBA06F9CD89ADE448A54FBCBD6C0EC8C0641724CDDEF2A8126EC0D0F5BDF89EB8112366D7EB6D3CE3565DF9E4036EAF3109E50BED5D7BD3558FFF69AD823F6522C5701CE26BCAFCC03D27D87547728A3C700719FF564EAEC961FA209252B113B404D75AD67CA4E40C5DAA36E9B0FB4ECDD6E5F853C81682123E8DF311A3C495F61A2CEE6A2B04C7FD3D0906583B9C724BC0D00D71106B7167983D6A0FBD3EA7361EE063A0B05E5A6B5CD82D0F795820BFC90E4F422E7CE2BDEBEAEE9493F5408F38732EB41741F15632185131CD6160433DD286869DF38679F6797A268EDE8ED0F442C4394FF52EFDE82EBEC5871A087288F7A12964615DA5AA02149FB661B0F76551CD53771B0DD180837A9D52A2BDF4757C4CF56DCD90B968F32B9F9EE5EE09EF5B791DB0366A4E6CCBBF0AF7D9CB5B7760BABAF4DE16BCC971DC95DCBD068A92DB8E8C709C0FBE9E2AB5B770EDFBCC6FB5045B706FB31DDEB6C52647618CD3B222CEF2DFD8D08ABAE6333A2E3C8768B8DB970BFF1777B75AE6DCE54DA7063F76846EFBDB92E55192A031DBA889D9DEDB0BF0FAA2FA6B4A0B0151B6F03D142D6B140EBB874CAF0A44D67AAD121127946DA90A14176EBB7B6C03DD2034987A100855E23F440CF6A404DEE46617B52581C7A248B7393FF56D8652855B23D19C35E1B535E5EC5EE87F3FF455458A740A55CDCB806053D4BCF44CDC2D76A1998418A60E11728BBC69F12C7E52A539E3834362C47A3E1863D265B3A7C2A41FA1953BB0FC64508679BB5F068DAF84C394A1497D564A3D6023B90D9A1C50E30FDC3E1C9B925EB0C19F960E7377B0678D662362129677E4B9AA515D2E4408A17A260D862F3C5D4291841855B91FE6EEA11C8E8EC19449CD9C31E6505BA364A45E7E3B89C5FA1C55708AF521F97440CED0ED0FAF06B7930E6A6F3A2B547E33EF73163D4C2E75B1AFA24BEB3129FFA978BC4EC43D0919ED262C0BE29AB78A87A57EAA55D51BE479A9E4015F9C3F2381745808AECF3783DEF5AB82E37C6EF68B97485CD36F7018B59C37E0EB93EAA32385E5E8CB95A5A3818B70F4CBE6102FC197946AAAAAABAD8B93750031CAC73C3F1B6B2F825B29435F2426B6AFABE35B1F8468E5A1CF73CC78E2FBB639AEFC171B7AD5D1728A536AB384B3F4AE924D5CEFA3F5EE5412094AE97303B8E728C7ACBCD9F9FB7C4FE7893145A55D96B7EDC1DD6257368C03AAC98B4F23D9AF15EF730BFD3FF09C2A11747035C8FD58EF97003503F568090C02A63117F3304989CFBAF20A281A729C8A8A4470524B3FDD2B4183E78BDE58BBB0B58B16D1E81702E58E225F7EED1A8E7F3920870FC9EE44D1433EEB39248A38108000EC1E151A26399A3F36CC41F6D272B3441198E8B56616E9A6C5A16303E562A62B4E6C27D16E9FADAF7E5A4AC7EFBD912883474302D5C9BB7D35C671DDECE68482A9472DAFA56B9AFF4E811A5BE7462FA6A988FED04178786DDB490A2010B8C178BD5601C23BBF5E3B1D13E86BB9980892B9999A6511FE2ECDAC681123745F676C155BB4627EFFAA65B1110B590A7FEE6D3359AED898D73C1B51AC8D534E94731934CCA9514F89E74C2BE5A799D8072C52399A7A647AF8F37F2D536C1B29D64214C490FE00565D912772256BF5E68F888E02FB704017F4D9FDD22E1C007A5FB4FCB51BC7A101DCAA56529231A59ACE14368268B7820C7C2BFBB0F5F78625E442C6EA83C88A9DEE318B2323AF0F3687ACF7B2B791D0B42B0576F0FF73E046DE1A56A5C2CBF6731E8D9485A02E9AD67D7752EBDBF3EBE703A760264363650CB9639B75985A9D00D210FFEBC93894E8E4BEAE7053FB6619BA9A8F0ECC4F822CF27606A6E58A8D5DAF55B519E7729B65A83FB859A3A028477BFBB7C8C01ABBE38EEDAAE11AA10ECC75868A281281792FA8D4EBDCC47DEB03868779A84D992D56612A8F46CAFADF65C5B32CFEA2974ECE34E4EDE9AF0AB4365C55D1A95FE551453BCFA5DF28CAF5AFA025CD5BD1CF86FB19AEB581135BFE2CBAA78643F209DE6A4D58206B0B236ADDD5A9122E8A21630907D0C5F23E86C151B8BFD8EA874DFF37DA7DE49D520DDAB7D074B37A726883211A788684A74D4E13A80CBC7655D8BBFF901CC44EF0A0368A3A69200695E277857AD620F2872D83224405A4DDD1E34AF68B72145AA442278C02DB7453AA8C184893AEBBCD4E15252CB8AF5972C49E047318362322CFAE99C38C5989A76C57E9D997BAACF6E13C19F66FCD618878D218DE7846C3D042E7E631B9AC126935AD6A3E15A659A3C4B9B5E521545A5A9B8A3CDFD21EADC2A5A74DBFA0769D63EC4F758D',
+        X'1A44F10CBD2579B378EF1ECE61005DBD0ED6189512B41293'
+    ),
+    (
+        X'22222222222222222222222222222222',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100B021E0FE494231E75D4CFC9CED6DF524122F0E86717710BB066236D1ABF001CB4C7CB58964E998E5385836912300129A1334E549A7EF5E0EC4115D97E099038ACFBBA0AD2FE5D574F7F3FF122A97B59F75D8B62DCD921FF1A5BBFDCB55D77779A41ABD46528AEF8B2C0DA96370FCEC79387EED6AC1C0CED041AE979CBB880BEC6C17917711143F1C4D035548D273773D01E3F643463811B7339D9F4B3FC8D1FECF761C8878C135E2E600D9D230F11A3AD8E0415D1A923A398D108E9043F630A9B7BB1310927CA8A46455096E1A272BA56B6F06FEE5764E3C8AC85EA5DE408AED8EC549BE749FB231C1A2CC95DA0035DB009A9DFB2C622833A54CFCCB9FFB173159065F3335C6DDAFBB52A82CD5C327198C496C2A4404F1A544D82175F915954492A4488954B37C78C1F81B467A05F96CCC26146CDF517AF71674046947B11CE80B0E277B2ABA23915AF11E9A9F9D05717E1F0ED70341F470085569F88D8F5CBB8179605A0BF88537A57893329D15F1F8CA3582BE3612410F06568533F801602F',
+        X'AD54C319103CFBA088A4B70AEC743CDED7B0A3EE3DDE370BBD14AA4FA4EACBDD1BBE2FCEF499BB4EC4DDEA9D472F27BBF93453C612BF1689B714C9718212E78C0E1B2133AEB0E7C954413F6EBFC4155CC975A252962AB7C1BBEAE8DA8C6F990B9DE96313F0158AA8DD7896000AE2A4406080B81C37605B3986E463D5DEC01AC0BC4981A74BAF6413DF99119F65A337692885E9C5FBA9B483AA83783823981A0E66105083EB6CDB07AB93714AAF6AAF9A6239D256D8C9C56992AC846CF104E2B1B9DF96D0E67DF2EC9258E914EDFAA5AC36ABE3E9D5D641C92C6188D90D9B083DC3AFA9409B7809718279B52399145FE3173DA8E8A7E5C21715E0B140B22BFF8A0116E102B55C9BCB19B5B4FCCA88FBC5A2844E7E2AEC84ACA303BE8AC9448F93BB35366DFC2E38CEE31C66748847DA11CBB8A31F2CA4DD905362A8C513B6B8E3040EFCEC5BCFEB2E52902F33BF6DFEF911E56A00E51274C1548546DCA62261F94F580DCBAF7357F0C8F5058D2D1D5C91E0AAAB396A305E79350FC0F9879CAFD33316DB77586C36A8246F4D5A14EEC495CFCFA108B70A00008CE64ABC2EBC656DFE760612194B526BC1AE8C08325E3FE76999E6341D6C2BA35BA87CB9FB30A269891A0013E989246E80D5CF7590A66D8494CA79D5E2FD6A8FF7ECA1169379C2D45F4108BA5A796309D4CBDBEE6F45A0F6536B45666E1CF977B26612BC8108FCF32FF0D9296C9C414812C221032B2E5107CFCE1E4FCC2E07C5D31F1A1492732D0ECEB3920E50DFBCAA89561CE52436D23DA40D8678CE901BDC57C3F80233BBAF7AE5CA432547EB51DFBABF5B8BC94C0F6EAE47C94649CECE192D6436D609EE040A3AC059529E7CAAFA45D1B2E331E0E73BAFB1C6E05F71EBF28E222D2B15E724D5EBB3B9C3A709F0F9BCD41C87DF158BDCD3C1FCA86A8D4B57B98F4386AA6956BC3DC6BC2AF6A479560C1598B866935795C29F22CB93072E9D8D4D110AAC2B0F22CD8662354BF5D509750068613C052E88629EFF9488BD1C0B3E6FFD010A5B739F943234AA456F998B4DC7FA7B877961DE1CC744760712337B70971EED7AA4B97121F26298DCFDC2282D721CAB90098585ACFD31EC776EEE2C0211AB711BE94F31ED0D2BA4A9D8EFFC155FC68AB02EA1DC380A1525EF2BD14B55CC71210B54E5F55A8C3C876A6667EFA271095B1280B9ED6FAE9E73601A698FE2732756780BF453F927FD171F497F9C1FA6ADE7DC8187FEDA309E807E2E7895E1763DE1758E50035CE24D54A814745F05446FFD91F8E27770577384BBDC6E11E435658404533D32C461A0DB1CC6AE0847ABB744FB61C524CF9162E3660941CA3DA96F56EA5C036BF5E633C6CA0F033335AB5B623D08A024E87235FF8324B284FB981A9998DD0028A0DE54B4D6BE04C51E8D71DD09B3563C84E5C43826418365FB7912DFABDC5BB25BDE2C558DAC14AEED79F705F34E2D04F17829515C725675571EE1E4BDD21D8EBAA9C6075DE48EF8F2ED7814E20836A2721E46B5C71EE365CFE996A07ADABD84FE5B1E25EF5D9CC66B945084A4207004372AA792BA1BE97B67397635EA7DCC2F99C6AD5C394A8F4C0B7CBC87C38DE52F120993E6DC6BEA27D5B90D90E1C8F7626C860386121E53BE3D4F7B4005A69EB0334E118E70B7207CEDFCEE1EC2A30C789174AAA6531EAAD2E0BED7400CA44911E896E4C82DCA85ADBA92CA01B2CE75924AE81FE286C4CBD8073B7546313A75E52CA1882D8935D2F6058FECEBA4626B4445FCED2E9986632F9F5597C7BBD44F375027727D51B0033B87D23395EEC26EE06378B247B0C1469286F868828C942FCE2BF1BFFDC07CAEC1E214D37ADE737A7DFF082972C6E8411591BEE4B54BED231A7F856C022B26887ADD115A252807D3C58DCD8FB5D7D71DC3766C288438DB3D9D98FC8A22FEC92A7E6E3855ACD36BBEA79C5F98C7ABD9CCECB37C18C3315E5CC7B3BFF699FD201419F8EA402E422EFE62A25D4A76B2CCA0F6D43313BA7DF6537619FD2AE8ACF55B17F709961228076DBBB3592B6B7A1C3C271D54C06403902B0384492AE486E931DD63F68E739769E174D97EA46E7D780D03529EA21B418E0A68E44ED15AB9471B5F139E29EA25C7AE881E216A2863D6E908790002B0B1CC23B1DB3266CEACA2771BD661941AEDEE196316E8D8D7CE361C23E7C1BFFBFD0467329E948CD936B54C7313DC053F96BAFD139500ACB0CCDCA7C0AFBFEC02CFD31FECF4193C1E13F8E59378959BE3360C3B57BD325E5D87CA3D9CE08EFD00980200004D01EE4C6D4450C545A82BE0E1A527AE3432AD6500AF6C8B4400095D9CA7DAA0AA956DC8CD6A4336B876988128119997DB4847AFEFDF2CB8E3F88D5B66CC1E5A32229F79324063584C95C775C5D8D3B05956F0BC8432B9FB28D006247F1DF22C431515BDB4234C91B10CA20B5C05924CAAF82094C8C49123776F1C7170218FEC6C1D2D94F242277765EB9A6C48BE8751D92FFC4C3314155C7685940CA07BB70722D0B65585BC50253A9A6F793CD7A3269657B234C72EC8F2DD4F3B61A7260B3028FFB2B866A311E027C3D8D56592AB4795AA22452CBE37AEE68D7952EE473BB67CE6839E0F5DAA7C9B09F26CBF99CF5BF1181A41B683B9EA939A1823C3733B1EE8066614D3A692C99E5F9EA22231',
+        X'B9DF74AE34E4E7E17EA2EABECE5FD85B14ADB53EDB5BF27C'
+    ),
+    (
+        X'33333333333333333333333333333333',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D6564323535313900000020BBB05846908A7F4819CA69BE50E94658FD6F51D24FFECED678566D43E1DD6BF2',
+        X'7E3719254AB02100F159D971C17322CF51ECB60AC9E2CDA511EDFD88E75D9828A5A308F1F6A7D6919ED080FD0E6D3FAB64583A946334EE8870006AB7EDC57E6D7BCD145485D1F2A06D946B4DB69591467F289A5CD3BBF922FAAF5B54275F56CF81CC450DE4C8C0F24078C395BA02E8C646731FA6A50480392B13784FD2A85D094DDB8E73C56120936C02C3F94E910C23787FC307369239E264600BBE799EA851CE16FD653BE71D024AA73A582AACC390DD1F341C095788ECE6F4CC37D045A2BFFEC9F14AEBE73E43C6E78E00A9645C6A46D03F2847355DBCD33DA09C76148089A0FC1B3793AB5DA577B879D25EF7B8A8661387F19F392522CFD2886F6FEB65584841',
+        x'58E67EEE49A11FFDD9D32F63ED99053008091B415F87F1BA'
+    ),
+    (
+        X'44444444444444444444444444444444',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D65643235353139000000200491C64AD1D7E9C20D989937677C32EBE5FB35BCBA77422550A8FAA54C023923',
+        X'6BA994C263935729D807579173B377323F6353A88F660143EA92DE1E1A92F00682B8A1FAD838F0D211BD69855E8E34AE84D5A7B3C23F23A822B2AFF6E861BC81D89AFDDEB0DED063C84644B3EFEF2612DA1DA9C3C12EDAEFCBEA3542EA0ED1903FC1922E5F56E19FAD8CC75A2A30D64C83BF27ADE00E66BCCFE1CA67E95A00819F7BF91DDD22C4A1FB419E91B5D61544175D8D69EB5B416E6547DFD55CD386B62293B778322FB840D1F4DBBDCE2364A6FE4A7B090425031E7DB347314CEBD9BA09F85CC45CF3B4D02FE78B7F365D5C7E95331AA7A6F91A619E8A8663B77A31BAF639652D72B4FD11C8D430C8A1C5542C69DF4ACA74BAB7608B7E9ADD15BAF4674AFB',
+        X'46F31DCF22250039168D80F26D50C129C9AFDA166682C89A'
+    );

src-tauri/src/credentials/fixtures/ssh_ed25519_enc

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAWtYanP1
+TBKT8lBL4IzKpYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZ
+N2d8Muvl+zW8undCJVCo+qVMAjkjAAAAkI021XFPzB9VnO8uGAQ8f3bwP/ki5fDVuWD7Fc
+crN+yfT8Ugjhc7IL2dIt/xj9iJIa9fJDw0pg1Y8issqp9C8HVhasyWpf2iwJIalUHTOekn
+WdoxA+/OQBstRBKSv43sI801+9OC8dXCMNM2QzpiGNs0QxdLJpcJQhHEvqq/yDIODF0p7M
+h3e9eYGVPOR0CjlQ==
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_enc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZN2d8Muvl+zW8undCJVCo+qVMAjkj hello world

src-tauri/src/credentials/fixtures/ssh_ed25519_plain

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI
+BwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g
+AAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9
+b1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json

@@ -0,0 +1 @@
+{"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world

src-tauri/src/credentials/fixtures/ssh_rsa_enc

@@ -0,0 +1,39 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAanK91R1
+FN66oOcvNyslkhAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx
+511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZ
+fgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5
+OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciH
+jBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyK
+yF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1c
+MnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsO
+J3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42Ek
+EPBlaFM/gBYC8AAAWQf6woBjAp1r47e3HsH4DyTDNF+u98eyCXLb86Lf8G9IFzOACMx4Bh
+auNdB2dZ/Re2FZ6bdzb+h9snQf0PY4y4zJ7bmJ5VbRcYAM/XnVcKP+Q2254te15DLAsKXA
+rzGVdEB8vshTloEHZTBVGiWRSFvn/rzPTNRhw5X/OMX21EAFR2yFXFHSxKwuPTWRCTTan3
+PA7BqJX8k6XtzwafPo9as0ui3jds/aL9VBlxlQB3x5uWfo7Kw73qReDzaIS94VVsm667tI
+KIN/0/e3mDpfXmWLH2Xc7BLZcs5eSHztwakYDPc5VzFTdAfb4juVdVmiLUs0ttj+aXnJo9
+6p/kX5ISSs5gzAaL2yGmPjNeeEXgV38ysYnNUB0fIoceuda54oM8kYAeZnQGpgV0Rh6ku+
+KNWajrJF22cH6QQ61VO4ymoDrw+oxyTog/M5n7IhCROGAJOQV4CRYKELHwMIt6niiihDfI
++YbIs7Qs0ap4mHeVKbLS3WsSK7mZI70yCeLzT+ilNaqW28RLHxAEM86lRfuH1vmABKdy8D
+3e1K0WivbY5zmGvFGP1DIl3NXr6M7ZaFg5bgohssOXzMucAOR9mZpzMg20jF4SOt7IC9SU
+pWg+OIIP7pVfS2FjATMrh25xgeqD2BcDSoJWEH4xrlviyBS1wVA9W35npHiJSQptppn8cj
+EhwuS916OMhWOsXHPssqHFA+DrLByCZKcORD/mFPpsnI4/3TvA4PL6pqv2Kup0YBDqkyko
+wIyZQMjr4DjR6xYR3W0Mjzn2UG0Grn96QGrjnj1l/LAXAw00NeYktI4m5YX4wIIdhP/RT8
+RL9d4SE0YicneoDPtcLaaa4TTIvcbHJsP8aUP723reUzyxvw9Bdo9wC2bzE1xlOhm/WCmF
+0SNvEl6H/kivTjQkI2HQuGVq037eIAB5rToT6cVD3TiNmN6UuOX7Ec+8kw4JPGgLA/l+AB
+w3gCsyK7MyZoeWNw2+b1utkjMcqG0bjju0yTdjSho6KazGtoBQ4P+Jx9KIwiJT13Nr1WMz
+KBW98YojZCfCxPeNx6RPsp6PzM673R9DVRNXSs3yYhEZDXJEHCS7jDptR8r8uScogIIUEx
+YShJU0/WSVHgHZ4Ef2S7MDX1RLU4WGoUtbwxnTEQ26iNLjskYzV9/O88PajJSc2Wcz5vES
+I4BFROg2px+ViLlWqiegXIZc5NnN2HSJQ7ucTObSL0+oT5SzQiRfHy2TLa4w+c5hgO1VNx
+Xmq0doKjMW9DmU2ygwzFgnaQp9S8NlIIA/4mKkAODbCgWFqXz99gMgfL+dnUhwo4WHN3lU
+D/uVxRxwTKWWNp39z/p5hBYLKpqJbDCp+ysM9VpyllAkjk9aDihUq5dQVzpA1iTFH2DdbM
+TrclBWaXr9QQiH+F73mZvJPhP2//gT9qped6XumkSpuNXFrXoZ/P49xKgQ/51rg8Ri5ZJ7
+cIiofoppfat5ex20oBqAnumrM0JrhUrVxzhSd5tPPH5JGeZYml3sK1rM4pV7K7bnugXg9f
+C6HVxe/l2klAOvg0U9yJAvR35mS0+F0dpwvjRrFS/+JxG6RzzAAunDJHjADNne5FhKFNLB
+WRzsXHTCT+wGp497Nq8uS/0sgZAMHsy2KMK6n5h8V6kHL9t5VgsD18g0neu9ytwYrjvAuM
+AoDdwpuUkCJVNOiMHumxPvivGRNhSHwW7fTDHX+yI6/j1i/Wl1unjCxNgNCbgCMRCg1+dN
+wRw/wqs4mQyGf70AUA5JIVx/W7gAxlt3YWCFHfTRiK5A/BHa0qs+RPMzVlIJhAx0TGAOze
+BBJIg2kH26rWLV2aosOx8FFH/rZVj6gyYLw0JlsoTCva383SkifvlfiLY3DxfU+bwvJ9p0
+bnzyMMiKRuZb16OucNli84FIAuI=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_enc.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZfgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciHjBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyKyF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1cMnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsOJ3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42EkEPBlaFM/gBYC8= hello world

src-tauri/src/credentials/fixtures/ssh_rsa_plain

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAxKvObWlACRLrrVJ3M0AeMOvz3JQzt5yOND16++GanzCZNIIld9mA
+c0a0jU+wYE0CLagm5WJGNeTOGYUapdMN/SAH3pmwSuTC8Agj3/w8jd5i8HSDHB+JAwZ8g9
+zNfZzuhkPJPFKR9rUEf1NkajfIQJiTT/3liCtd12ls3cRCHDniiUdoz9ZlDOWF41o/c5sB
+VlCqRpq978aYflXa/sfUC0OIZU7TIF0YUo2IGSfELL4hDM9vSakGGa1uasvxdo1+xS/5y4
+W+YHuUFJYVZikgFodRZMHB0fvUw1adRCSn8Z0EOrze5QVz38T8fywnGKp2Uo+iJsDdVTDc
+cFwwkB4b3oj+XMNcrlq4gm0ef5cNvtCg9+mDPPxzI6HxMjUo1cw8AK65gWXWd8r2S9aXKR
+MiZNlxtcSR0K6vU6rSLQN1ay5DdUUC6ESIEX7ruWLM3131loLB6bpHLVq5uD2yhi5+o4Do
+/SDek2jKvLvFyVwjOlLeXf5ekctZAZ0AtSnHDEMFAAAFgMFqGjPBahozAAAAB3NzaC1yc2
+EAAAGBAMSrzm1pQAkS661SdzNAHjDr89yUM7ecjjQ9evvhmp8wmTSCJXfZgHNGtI1PsGBN
+Ai2oJuViRjXkzhmFGqXTDf0gB96ZsErkwvAII9/8PI3eYvB0gxwfiQMGfIPczX2c7oZDyT
+xSkfa1BH9TZGo3yECYk0/95YgrXddpbN3EQhw54olHaM/WZQzlheNaP3ObAVZQqkaave/G
+mH5V2v7H1AtDiGVO0yBdGFKNiBknxCy+IQzPb0mpBhmtbmrL8XaNfsUv+cuFvmB7lBSWFW
+YpIBaHUWTBwdH71MNWnUQkp/GdBDq83uUFc9/E/H8sJxiqdlKPoibA3VUw3HBcMJAeG96I
+/lzDXK5auIJtHn+XDb7QoPfpgzz8cyOh8TI1KNXMPACuuYFl1nfK9kvWlykTImTZcbXEkd
+Cur1Oq0i0DdWsuQ3VFAuhEiBF+67lizN9d9ZaCwem6Ry1aubg9soYufqOA6P0g3pNoyry7
+xclcIzpS3l3+XpHLWQGdALUpxwxDBQAAAAMBAAEAAAGABsfTnKMR0Z5E4Ntkf7BYuiAQbs
+zvQYfUwUlTWabMEWv4BD7ucsTdcFwCMpMKRi+xgQh4mtT6DbafQnL72ba+lzkI/Gw5D0P2
+0pa9QeYs4klGCPtDX+9YZnHNTjCJJykHcjqZEAravHI+PvONlTnqHgwEnC/pP3obSKd6WO
+UA0H9QZ6I+I1hFcJ3jMVT1thMkhyjNzhRcsw0aSdTE8Z7LGT5RUAjZL5b2FTaK+C8OTOqb
+MhlewV/h9XWsxmLUpt0277I8ShvjJbJg6TEPJh6D7FRTU+tY4rjGK12DP9lVq6M7Md4ULV
+JW3aW350xVV2p9031HLDUfWs7dqZ5ufoD3EopOVZGvfGAE3C4aHvJB5D6K7wG7ptWsPgte
+EcCz84DpsoJ7KICTs8QoXt5bl68qnW3YvzCcqZc7DjLdKNh/wzjdMdzx8AMS4yBF2ceOSE
+I7Og9UZZtmGzZ0g4Dhg3jMUyWBA++sUayJUqg0izzA/htt+tVd9ABMkJOufcCpnuPRAAAA
+wCdCy66KXCLx5HCMIsd2/TdbGAZnuirYCn9ee3T5xhJyZjmwIfmZEXUuENKq8e+vYldwey
+EjdnevM+OCTc8xo77yowgYRBzguDa2R9UH3bg9cWZIpQGzXmnL35Dux4nZPUKs69WMht92
+bpRh9roPs2M5tSAcSpmfohFYhMwRxqVooSeSg+kGE4dCXnVqK1tURExnqKy8CkoDW4fhbH
+HNmPsBnbdTNtfAlg8MO1v1Hk+/+6mpNhiJ7bKF4au9lm+QHgAAAMEA11frEHqordrzlTRg
+kmqGq9qaORev2g/7n719DlXb2HjGfy5gK9iUCxsgGN6GiFF0mUD7hMY6UMIVfsC/Rm07aE
+700u7OJAm8AcnFkEANlZ3ucWltnumVtxyMBlKq7PxkcIG5X+nJ6N8oVw3zZTsjaYCMe1s1
+806oE5D3GZk10pnfVIrY9DFZBtT3+mBpF2uQZk0ZSwh8Hh9xGFGxsm6blkgpcip7v+26PR
+hqA88WlXAPMnvFpXthr0mny+cy7Q59AAAAwQDpzWi1Prhi3JtVolyac/ygvzje4lhuz5ei
+3pC7b1cepdFoQCS33tixwfzqKCp6RfHrtrKzZMqREaX5sor1Hha7S+Vo+KLtZWkFUONTHR
+987wmXIu8ziRWKBeuk6g9OSXI5w8hyLwn4XLEeVri4fAUIUwpi4B0Eazp4P/9AUf1188xz
+a4ACWXDYkUFoLQo9J07HWDhKbEKFZVlIznyfmLVXc8JEzwrPThW+viGK1AFi9FxeLB4QmK
+PkAC2GY5AmhSkAAAALaGVsbG8gd29ybGQ=
+-----END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_plain.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEq85taUAJEuutUnczQB4w6/PclDO3nI40PXr74ZqfMJk0giV32YBzRrSNT7BgTQItqCblYkY15M4ZhRql0w39IAfembBK5MLwCCPf/DyN3mLwdIMcH4kDBnyD3M19nO6GQ8k8UpH2tQR/U2RqN8hAmJNP/eWIK13XaWzdxEIcOeKJR2jP1mUM5YXjWj9zmwFWUKpGmr3vxph+Vdr+x9QLQ4hlTtMgXRhSjYgZJ8QsviEMz29JqQYZrW5qy/F2jX7FL/nLhb5ge5QUlhVmKSAWh1FkwcHR+9TDVp1EJKfxnQQ6vN7lBXPfxPx/LCcYqnZSj6ImwN1VMNxwXDCQHhveiP5cw1yuWriCbR5/lw2+0KD36YM8/HMjofEyNSjVzDwArrmBZdZ3yvZL1pcpEyJk2XG1xJHQrq9TqtItA3VrLkN1RQLoRIgRfuu5YszfXfWWgsHpukctWrm4PbKGLn6jgOj9IN6TaMq8u8XJXCM6Ut5d/l6Ry1kBnQC1KccMQwU= hello world

src-tauri/src/credentials/mod.rs

@@ -14,14 +14,20 @@ use crate::errors::*;
 mod aws;
 pub use aws::{AwsBaseCredential, AwsSessionCredential};
 
+mod crypto;
+pub use crypto::Crypto;
+
+mod docker;
+pub use docker::DockerCredential;
+
 mod record;
 pub use record::CredentialRecord;
 
 mod session;
 pub use session::AppSession;
 
-mod crypto;
-pub use crypto::Crypto;
+mod ssh;
+pub use ssh::SshKey;
 
 
 #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
@@ -29,6 +35,8 @@ pub use crypto::Crypto;
 pub enum Credential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
+    Ssh(SshKey),
 }
 
 
@@ -75,6 +83,23 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Self::from_row(row, crypto)
     }
 
+    async fn load_by<T>(column: &str, value: T, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError>
+    where T: Send + for<'q> sqlx::Encode<'q, Sqlite> + sqlx::Type<Sqlite>
+    {
+        let query = format!(
+            "SELECT * FROM {} where {} = ?",
+            Self::table_name(),
+            column,
+        );
+        let row: Self::Row = sqlx::query_as(&query)
+            .bind(value)
+            .fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Self::from_row(row, crypto)
+    }
+
     async fn load_default(crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
@@ -95,15 +120,15 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
     async fn list(crypto: &Crypto, pool: &SqlitePool) -> Result<Vec<(Uuid, Credential)>, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
-            FROM 
+            FROM
                 {} details
                 JOIN credentials c
                     ON c.id = details.id
-             ORDER BY c.created_at", 
+             ORDER BY c.created_at",
              Self::table_name(),
         );
         let mut rows = sqlx::query_as::<_, Self::Row>(&q).fetch(pool);
-        
+
         let mut creds = Vec::new();
         while let Some(row) = rows.try_next().await? {
             let id = Self::row_id(&row);
@@ -114,3 +139,10 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Ok(creds)
     }
 }
+
+
+pub fn random_uuid() -> Uuid {
+    // a bit weird to use salt() for this, but it's convenient
+    let random_bytes = Crypto::salt();
+    Uuid::from_slice(&random_bytes[..16]).unwrap()
+}

src-tauri/src/credentials/record.rs

@@ -20,11 +20,14 @@ use super::{
     AwsBaseCredential,
     Credential,
     Crypto,
+    DockerCredential,
     PersistentCredential,
+    SshKey,
 };
 
 
 #[derive(Debug, Clone, FromRow)]
+#[allow(dead_code)]
 struct CredentialRow {
     id: Uuid,
     name: String,
@@ -38,16 +41,18 @@ struct CredentialRow {
 pub struct CredentialRecord {
     #[serde(serialize_with = "serialize_uuid")]
     #[serde(deserialize_with = "deserialize_uuid")]
-    id: Uuid, // UUID so it can be generated on the frontend
-    name: String, // user-facing identifier so it can be changed
-    is_default: bool,
-    credential: Credential,
+    pub id: Uuid, // UUID so it can be generated on the frontend
+    pub name: String, // user-facing identifier so it can be changed
+    pub is_default: bool,
+    pub credential: Credential,
 }
 
 impl CredentialRecord {
     pub async fn save(&self, crypto: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> {
         let type_name = match &self.credential {
             Credential::AwsBase(_) => AwsBaseCredential::type_name(),
+            Credential::Ssh(_) => SshKey::type_name(),
+            Credential::Docker(_) => DockerCredential::type_name(),
             _ => return Err(SaveCredentialsError::NotPersistent),
         };
 
@@ -82,6 +87,8 @@ impl CredentialRecord {
         // save credential details to child table
         match &self.credential {
             Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
+            Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
+            Credential::Docker(d) => d.save_details(&self.id, crypto, &mut txn).await,
             _ => Err(SaveCredentialsError::NotPersistent),
         }?;
 
@@ -108,6 +115,7 @@ impl CredentialRecord {
         Ok(Self::from_parts(row, credential))
     }
 
+    #[cfg(test)]
     pub async fn load(id: &Uuid, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE id = ?")
             .bind(id)
@@ -118,9 +126,19 @@ impl CredentialRecord {
         Self::load_credential(row, crypto, pool).await
     }
 
+    pub async fn load_by_name(name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
+        let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE name = ?")
+            .bind(name)
+            .fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Self::load_credential(row, crypto, pool).await
+    }
+
     pub async fn load_default(credential_type: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as(
-            "SELECT * FROM credentials 
+            "SELECT * FROM credentials
             WHERE credential_type = ? AND is_default = 1"
         ).bind(credential_type)
             .fetch_optional(pool)
@@ -147,6 +165,16 @@ impl CredentialRecord {
                 .ok_or(LoadCredentialsError::InvalidData)?;
             records.push(Self::from_parts(parent, credential));
         }
+        for (id, credential) in SshKey::list(crypto, pool).await? {
+            let parent = parent_map.remove(&id)
+                .ok_or(LoadCredentialsError::InvalidData)?;
+            records.push(Self::from_parts(parent, credential));
+        }
+        for (id, credential) in DockerCredential::list(crypto, pool).await? {
+            let parent = parent_map.remove(&id)
+                .ok_or(LoadCredentialsError::InvalidData)?;
+            records.push(Self::from_parts(parent, credential));
+        }
 
         Ok(records)
     }
@@ -260,7 +288,7 @@ mod tests {
 
 
     #[sqlx::test]
-    async fn test_save_load(pool: SqlitePool) {
+    async fn test_save_load_aws(pool: SqlitePool) {
         let crypt = Crypto::random();
         let mut record = aws_record();
         record.id = random_uuid();
@@ -400,7 +428,7 @@ mod uuid_tests {
     #[test]
     fn test_serialize_deserialize_uuid() {
         let buf = Crypto::salt();
-        let expected = UuidWrapper{ 
+        let expected = UuidWrapper{
             id: Uuid::from_slice(&buf[..16]).unwrap()
         };
         let serialized = serde_json::to_string(&expected).unwrap();

src-tauri/src/credentials/session.rs

@@ -97,24 +97,4 @@ impl AppSession {
             Self::Unlocked {crypto, ..} => Ok(crypto),
         }
     }
-
-    pub fn try_encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), GetCredentialsError> {
-        let crypto = match self {
-            Self::Empty => return Err(GetCredentialsError::Empty),
-            Self::Locked {..} => return Err(GetCredentialsError::Locked),
-            Self::Unlocked {crypto, ..} => crypto,
-        };
-        let res = crypto.encrypt(data)?;
-        Ok(res)
-    }
-
-    pub fn try_decrypt(&self, nonce: XNonce, data: &[u8]) -> Result<Vec<u8>, GetCredentialsError> {
-        let crypto = match self {
-            Self::Empty => return Err(GetCredentialsError::Empty),
-            Self::Locked {..} => return Err(GetCredentialsError::Locked),
-            Self::Unlocked {crypto, ..} => crypto,
-        };
-        let res = crypto.decrypt(&nonce, data)?;
-        Ok(res)
-    }
 }

src-tauri/src/credentials/ssh.rs

@@ -0,0 +1,481 @@
+use std::fmt::{self, Formatter};
+
+use chacha20poly1305::XNonce;
+use serde::{
+    Deserialize,
+    Deserializer,
+    Serialize,
+    Serializer,
+};
+use serde::ser::{
+    Error as SerError,
+    SerializeStruct,
+};
+use serde::de::{self, Visitor};
+use sha2::{Sha256, Sha512};
+use signature::{Signer, SignatureEncoding};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    SqlitePool,
+    Transaction,
+    types::Uuid,
+};
+use ssh_agent_lib::proto::message::{
+    Identity,
+    SignRequest,
+};
+use ssh_encoding::Encode;
+use ssh_key::{
+    Algorithm,
+    LineEnding,
+    private::{PrivateKey, KeypairData},
+    public::PublicKey,
+};
+use tokio_stream::StreamExt;
+
+use crate::errors::*;
+use super::{
+    Credential,
+    Crypto,
+    PersistentCredential,
+};
+
+
+#[derive(Debug, Clone, FromRow)]
+pub struct SshRow {
+    id: Uuid,
+    algorithm: String,
+    comment: String,
+    public_key: Vec<u8>,
+    private_key_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Debug, Clone, Eq, PartialEq, Deserialize)]
+pub struct SshKey {
+    #[serde(deserialize_with = "deserialize_algorithm")]
+    pub algorithm: Algorithm,
+    pub comment: String,
+    #[serde(deserialize_with = "deserialize_pubkey")]
+    pub public_key: PublicKey,
+    #[serde(deserialize_with = "deserialize_privkey")]
+    pub private_key: PrivateKey,
+}
+
+impl SshKey {
+    pub fn from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+        let mut privkey = PrivateKey::read_openssh_file(path.as_ref())?;
+        if privkey.is_encrypted() {
+            privkey = privkey.decrypt(passphrase)
+                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
+        }
+
+        Ok(SshKey {
+            algorithm: privkey.algorithm(),
+            comment: privkey.comment().into(),
+            public_key: privkey.public_key().clone(),
+            private_key: privkey,
+        })
+    }
+
+    pub fn from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+        let mut privkey = PrivateKey::from_openssh(private_key)?;
+        if privkey.is_encrypted() {
+            privkey = privkey.decrypt(passphrase)
+                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
+        }
+
+        Ok(SshKey {
+            algorithm: privkey.algorithm(),
+            comment: privkey.comment().into(),
+            public_key: privkey.public_key().clone(),
+            private_key: privkey,
+        })
+    }
+
+    pub async fn name_from_pubkey(pubkey: &[u8], pool: &SqlitePool) -> Result<String, LoadCredentialsError> {
+        let row = sqlx::query!(
+            "SELECT c.name
+            FROM credentials c
+            JOIN ssh_credentials s
+                ON s.id = c.id
+            WHERE s.public_key = ?",
+            pubkey
+        ).fetch_optional(pool)
+            .await?
+            .ok_or(LoadCredentialsError::NoCredentials)?;
+
+        Ok(row.name)
+    }
+
+    pub async fn list_identities(pool: &SqlitePool) -> Result<Vec<Identity>, LoadCredentialsError> {
+        let mut rows = sqlx::query!(
+            "SELECT public_key, comment FROM ssh_credentials"
+        ).fetch(pool);
+
+        let mut identities = Vec::new();
+        while let Some(row) = rows.try_next().await? {
+            identities.push(Identity {
+                pubkey_blob: row.public_key,
+                comment: row.comment,
+            });
+        }
+
+        Ok(identities)
+    }
+
+    pub fn sign_request(&self, req: &SignRequest) -> Result<Vec<u8>, HandlerError> {
+        let mut sig = Vec::new();
+        match self.private_key.key_data() {
+            KeypairData::Rsa(keypair) => {
+                // 2 is the flag value for `SSH_AGENT_RSA_SHA2_256`
+                if req.flags & 2 > 0 {
+                    let signer = rsa::pkcs1v15::SigningKey::<Sha256>::try_from(keypair)?;
+                    let sig_data = signer.try_sign(&req.data)?.to_vec();
+                    "rsa-sha-256".encode(&mut sig)?;
+                    sig_data.encode(&mut sig)?;
+                }
+                else {
+                    let signer = rsa::pkcs1v15::SigningKey::<Sha512>::try_from(keypair)?;
+                    let sig_data = signer.try_sign(&req.data)?.to_vec();
+                    "rsa-sha2-512".encode(&mut sig)?;
+                    sig_data.encode(&mut sig)?;
+                }
+            },
+            _ => {
+                let sig_data = self.private_key.try_sign(&req.data)?;
+                self.algorithm.as_str().encode(&mut sig)?;
+                sig_data.as_bytes().encode(&mut sig)?;
+            },
+        }
+        Ok(sig)
+    }
+}
+
+
+impl PersistentCredential for SshKey {
+    type Row = SshRow;
+
+    fn type_name() -> &'static str { "ssh" }
+
+    fn into_credential(self) -> Credential { Credential::Ssh(self) }
+
+    fn row_id(row: &SshRow) -> Uuid { row.id }
+
+    fn from_row(row: SshRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let privkey_bytes = crypto.decrypt(&nonce, &row.private_key_enc)?;
+
+
+        let algorithm = Algorithm::new(&row.algorithm)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let public_key = PublicKey::from_bytes(&row.public_key)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let private_key = PrivateKey::from_bytes(&privkey_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(SshKey {
+            algorithm,
+            comment: row.comment,
+            public_key,
+            private_key,
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let alg = self.algorithm.as_str();
+        let pubkey_bytes = self.public_key.to_bytes()?;
+        let privkey_bytes = self.private_key.to_bytes()?;
+        let (nonce, ciphertext) = crypto.encrypt(privkey_bytes.as_ref())?;
+        let nonce_bytes = nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO ssh_credentials (
+                id,
+                algorithm,
+                comment,
+                public_key,
+                private_key_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?, ?)",
+            id, alg, self.comment, pubkey_bytes, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
+impl Serialize for SshKey {
+    fn serialize<S: Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
+        let mut key = s.serialize_struct("SshKey", 5)?;
+        key.serialize_field("algorithm", self.algorithm.as_str())?;
+        key.serialize_field("comment", &self.comment)?;
+
+        let pubkey_str = self.public_key.to_openssh()
+            .map_err(|e| S::Error::custom(format!("Failed to encode SSH public key: {e}")))?;
+        key.serialize_field("public_key", &pubkey_str)?;
+
+        let privkey_str = self.private_key.to_openssh(LineEnding::LF)
+            .map_err(|e| S::Error::custom(format!("Failed to encode SSH private key: {e}")))?;
+        key.serialize_field::<str>("private_key", privkey_str.as_ref())?;
+
+        key.end()
+    }
+}
+
+
+struct PubkeyVisitor;
+
+impl<'de> Visitor<'de> for PubkeyVisitor {
+    type Value = PublicKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded public key, e.g. `ssh-rsa ...`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PublicKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_pubkey<'de, D>(deserializer: D) -> Result<PublicKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PubkeyVisitor)
+}
+
+
+struct PrivkeyVisitor;
+
+impl<'de> Visitor<'de> for PrivkeyVisitor {
+    type Value = PrivateKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded private key")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PrivateKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_privkey<'de, D>(deserializer: D) -> Result<PrivateKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PrivkeyVisitor)
+}
+
+
+struct AlgorithmVisitor;
+
+impl<'de> Visitor<'de> for AlgorithmVisitor {
+    type Value = Algorithm;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an SSH key algorithm identifier, e.g. `ssh-rsa`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        Algorithm::new(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_algorithm<'de, D>(deserializer: D) -> Result<Algorithm, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(AlgorithmVisitor)
+}
+
+
+
+#[cfg(test)]
+mod tests {
+    use std::fs::{self, File};
+    use sqlx::types::uuid::uuid;
+    use crate::credentials::CredentialRecord;
+
+    use super::*;
+
+    fn path(name: &str) -> String {
+        format!("./src/credentials/fixtures/{name}")
+    }
+
+    fn random_uuid() -> Uuid {
+        let bytes = Crypto::salt();
+        Uuid::from_slice(&bytes[..16]).unwrap()
+    }
+
+    fn rsa_plain() -> SshKey {
+        SshKey::from_file(&path("ssh_rsa_plain"), "")
+            .expect("Failed to load SSH key")
+    }
+
+    fn rsa_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_rsa_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
+    }
+
+    fn ed25519_plain() -> SshKey {
+        SshKey::from_file(&path("ssh_ed25519_plain"), "")
+            .expect("Failed to load SSH key")
+    }
+
+    fn ed25519_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_ed25519_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
+    }
+
+
+    #[test]
+    fn test_from_file_rsa_plain() {
+        let k = rsa_plain();
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [90,162,92,235,160,164,88,179,144,234,84,135,1,249,9,206,
+            201,172,233,129,82,11,145,191,186,144,209,43,81,119,197,18],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_rsa_enc() {
+        let k = rsa_enc();
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [254,147,219,185,96,234,125,190,195,128,37,243,214,193,8,162,
+            34,237,126,199,241,91,195,251,232,84,144,120,25,63,224,157],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_ed25519_plain() {
+        let k = ed25519_plain();
+        assert_eq!(k.algorithm.as_str(),"ssh-ed25519");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [29,30,193,72,239,167,35,89,1,206,126,186,123,112,78,187,
+            240,59,1,15,107,189,72,30,44,64,114,216,32,195,22,201],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_ed25519_enc() {
+        let k = ed25519_enc();
+        assert_eq!(k.algorithm.as_str(), "ssh-ed25519");
+        assert_eq!(&k.comment, "hello world");
+
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [87,233,161,170,18,47,245,116,30,177,120,211,248,54,65,255,
+            41,45,113,107,182,221,189,167,110,9,245,254,44,6,118,141],
+        );
+    }
+
+
+    #[test]
+    fn test_serialize() {
+        let expected = fs::read_to_string(path("ssh_ed25519_plain.json")).unwrap();
+
+        let k = ed25519_plain();
+        let computed = serde_json::to_string(&k)
+            .expect("Failed to serialize SshKey");
+
+        assert_eq!(expected, computed);
+    }
+
+
+    #[test]
+    fn test_deserialize() {
+        let expected = ed25519_plain();
+
+        let json_file = File::open(path("ssh_ed25519_plain.json")).unwrap();
+        let computed = serde_json::from_reader(json_file)
+            .expect("Failed to deserialize json file");
+
+        assert_eq!(expected, computed);
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+        let record = CredentialRecord {
+            id: random_uuid(),
+            name: "save_test".into(),
+            is_default: false,
+            credential: Credential::Ssh(rsa_plain()),
+        };
+        record.save(&crypto, &pool).await
+            .expect("Failed to save SSH key CredentialRecord to database");
+    }
+
+
+    #[sqlx::test(fixtures("ssh_credentials"))]
+    async fn test_load_db(pool: SqlitePool) {
+        let crypto = Crypto::fixed();
+        let id = uuid!("11111111-1111-1111-1111-111111111111");
+        SshKey::load(&id, &crypto, &pool).await
+            .expect("Failed to load SSH key from database");
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_load_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+
+        let id = random_uuid();
+        let record = CredentialRecord {
+            id,
+            name: "save_load_test".into(),
+            is_default: false,
+            credential: Credential::Ssh(ed25519_plain()),
+        };
+
+        record.save(&crypto, &pool).await.unwrap();
+        let loaded = SshKey::load(&id, &crypto, &pool).await.unwrap();
+        let known = ed25519_plain();
+
+        assert_eq!(known.algorithm, loaded.algorithm);
+        assert_eq!(known.comment, loaded.comment);
+        // comment gets stripped by saving as bytes, so we just compare raw key data
+        assert_eq!(known.public_key.key_data(), loaded.public_key.key_data());
+        assert_eq!(known.private_key, loaded.private_key);
+    }
+}

src-tauri/src/errors.rs

@@ -36,7 +36,7 @@ pub trait ShowError<T, E>
     fn error_print_prefix(self, prefix: &str);
 }
 
-impl<T, E> ShowError<T, E> for Result<T, E> 
+impl<T, E> ShowError<T, E> for Result<T, E>
 where E: std::fmt::Display
 {
     fn error_popup(self, title: &str) {
@@ -91,7 +91,7 @@ impl<E: Error> Serialize for SerializeUpstream<E> {
     }
 }
 
-fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
+fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error>
 where
     E: Error,
     M: serde::ser::SerializeMap,
@@ -173,7 +173,7 @@ pub enum HandlerError {
     StreamIOError(#[from] std::io::Error),
     #[error("Received invalid UTF-8 in request")]
     InvalidUtf8(#[from] FromUtf8Error),
-    #[error("HTTP request malformed")]
+    #[error("Request malformed: {0}")]
     BadRequest(#[from] serde_json::Error),
     #[error("HTTP request too large")]
     RequestTooLarge,
@@ -183,6 +183,8 @@ pub enum HandlerError {
     Internal(#[from] RecvError),
     #[error("Error accessing credentials: {0}")]
     NoCredentials(#[from] GetCredentialsError),
+    #[error("Error saving credentials: {0}")]
+    SaveCredentials(#[from] SaveCredentialsError),
     #[error("Error getting client details: {0}")]
     ClientInfo(#[from] ClientInfoError),
     #[error("Error from Tauri: {0}")]
@@ -191,6 +193,18 @@ pub enum HandlerError {
     NoMainWindow,
     #[error("Request was denied")]
     Denied,
+    #[error(transparent)]
+    SshAgent(#[from] ssh_agent_lib::error::AgentError),
+    #[error(transparent)]
+    SshKey(#[from] ssh_key::Error),
+    #[error(transparent)]
+    Signature(#[from] signature::Error),
+    #[error(transparent)]
+    Encoding(#[from] ssh_encoding::Error),
+
+    #[cfg(windows)]
+    #[error(transparent)]
+    Windows(#[from] windows::core::Error),
 }
 
 
@@ -277,6 +291,8 @@ pub enum SaveCredentialsError {
     NotPersistent,
     #[error("A credential with that name already exists")]
     Duplicate,
+    #[error("Failed to save credentials: {0}")]
+    Encode(#[from] ssh_key::Error),
     // rekeying is fundamentally a save operation,
     // but involves loading in order to re-save
     #[error(transparent)]
@@ -332,6 +348,8 @@ pub enum ClientInfoError {
     #[cfg(windows)]
     #[error("Could not determine PID of connected client")]
     WindowsError(#[from] windows::core::Error),
+    #[error("Could not determine PID of connected client")]
+    PidNotFound,
     #[error(transparent)]
     Io(#[from] std::io::Error),
 }
@@ -358,7 +376,7 @@ pub enum RequestError {
     #[error("Error response from server: {0}")]
     Server(ServerError),
     #[error("Unexpected response from server")]
-    Unexpected(crate::server::Response),
+    Unexpected(crate::srv::CliResponse),
     #[error("The server did not respond with valid JSON")]
     InvalidJson(#[from] serde_json::Error),
     #[error("Error reading/writing stream: {0}")]
@@ -410,6 +428,17 @@ pub enum LaunchTerminalError {
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum LoadSshKeyError {
+    #[error("Passphrase is invalid")]
+    InvalidPassphrase,
+    #[error("Could not parse SSH private key data")]
+    InvalidData(#[from] ssh_key::Error),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+
 // =========================
 // Serialize implementations
 // =========================
@@ -436,6 +465,7 @@ impl_serialize_basic!(WindowError);
 impl_serialize_basic!(LockError);
 impl_serialize_basic!(SaveCredentialsError);
 impl_serialize_basic!(LoadCredentialsError);
+impl_serialize_basic!(LoadSshKeyError);
 
 
 impl Serialize for HandlerError {

src-tauri/src/ipc.rs

@@ -5,7 +5,8 @@ use tauri::{AppHandle, State};
 use crate::config::AppConfig;
 use crate::credentials::{
     AppSession,
-    CredentialRecord
+    CredentialRecord,
+    SshKey,
 };
 use crate::errors::*;
 use crate::clientinfo::Client;
@@ -13,37 +14,65 @@ use crate::state::AppState;
 use crate::terminal;
 
 
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub enum RequestAction {
+    Access,
+    Delete,
+    Save,
+}
+
+
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AwsRequestNotification {
-    pub id: u64,
     pub client: Client,
+    pub name: Option<String>,
     pub base: bool,
 }
 
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct SshRequestNotification {
-    pub id: u64,
     pub client: Client,
     pub key_name: String,
 }
 
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
-#[serde(tag = "type")]
-pub enum RequestNotification {
-    Aws(AwsRequestNotification),
-    Ssh(SshRequestNotification),
+pub struct DockerRequestNotification {
+    pub action: RequestAction,
+    pub client: Client,
+    pub server_url: String,
 }
 
-impl RequestNotification {
-    pub fn new_aws(id: u64, client: Client, base: bool) -> Self {
-        Self::Aws(AwsRequestNotification {id, client, base})
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
+pub enum RequestNotificationDetail {
+    Aws(AwsRequestNotification),
+    Ssh(SshRequestNotification),
+    Docker(DockerRequestNotification),
+}
+
+impl RequestNotificationDetail {
+    pub fn new_aws(client: Client, name: Option<String>, base: bool) -> Self {
+        Self::Aws(AwsRequestNotification {client, name, base})
     }
 
-    pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
-        Self::Ssh(SshRequestNotification {id, client, key_name})
+    pub fn new_ssh(client: Client, key_name: String) -> Self {
+        Self::Ssh(SshRequestNotification {client, key_name})
     }
+
+    pub fn new_docker(action: RequestAction, client: Client, server_url: String) -> Self {
+        Self::Docker(DockerRequestNotification {action, client, server_url})
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct RequestNotification {
+    pub id: u64,
+    #[serde(flatten)]
+    pub detail: RequestNotificationDetail,
 }
 
 
@@ -134,6 +163,18 @@ pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<Cred
 }
 
 
+#[tauri::command]
+pub async fn sshkey_from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+    SshKey::from_file(path, passphrase)
+}
+
+
+#[tauri::command]
+pub async fn sshkey_from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+    SshKey::from_private_key(private_key, passphrase)
+}
+
+
 #[tauri::command]
 pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
     let config = app_state.config.read().await;
@@ -152,7 +193,8 @@ pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> R
 
 #[tauri::command]
 pub async fn launch_terminal(base: bool) -> Result<(), LaunchTerminalError> {
-    terminal::launch(base).await
+    let res = terminal::launch(base).await;
+    res
 }
 
 
@@ -162,6 +204,12 @@ pub async fn get_setup_errors(app_state: State<'_, AppState>) -> Result<Vec<Stri
 }
 
 
+#[tauri::command]
+pub fn get_devmode() -> bool {
+    cfg!(debug_assertions)
+}
+
+
 #[tauri::command]
 pub fn exit(app_handle: AppHandle) {
     app_handle.exit(0)

src-tauri/src/kv.rs

@@ -44,6 +44,8 @@ pub async fn load_bytes(pool: &SqlitePool, name: &str) -> Result<Option<Vec<u8>>
 }
 
 
+// we don't have a need for this right now, but we will some day
+#[cfg(test)]
 pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
     sqlx::query!("DELETE FROM kv WHERE name = ?", name)
         .execute(pool)
@@ -52,13 +54,13 @@ pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
 }
 
 
-pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {    
+pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {
     let placeholder = names.iter()
         .map(|_| "?")
         .collect::<Vec<&str>>()
         .join(",");
     let query = format!("DELETE FROM kv WHERE name IN ({})", placeholder);
-    
+
     let mut q = sqlx::query(&query);
     for name in names {
         q = q.bind(name);
@@ -83,7 +85,7 @@ macro_rules! load_bytes_multi {
                     (
                         // ...with one item for each repetition of $name
                         $(
-                            // load_bytes returns Result<Option<_>>, the Result is handled by 
+                            // load_bytes returns Result<Option<_>>, the Result is handled by
                             // the ? and we match on the Option
                             match crate::kv::load_bytes($pool, $name).await? {
                                 Some(v) => v,
@@ -187,7 +189,7 @@ mod tests {
     async fn test_delete(pool: SqlitePool) {
         delete(&pool, "test_bytes").await
             .expect("Failed to delete data");
-        
+
         let loaded = load_bytes(&pool, "test_bytes").await
             .expect("Failed to load data");
         assert_eq!(loaded, None);

src-tauri/src/lib.rs

@@ -1,5 +1,4 @@
 pub mod app;
-pub mod cli;
 mod config;
 mod credentials;
 pub mod errors;
@@ -7,7 +6,7 @@ mod clientinfo;
 mod ipc;
 mod kv;
 mod state;
-pub mod server;
+mod srv;
 mod shortcuts;
 mod terminal;
 mod tray;

src-tauri/src/main.rs

@@ -3,23 +3,34 @@
     windows_subsystem = "windows"
 )]
 
+
 use creddy::{
     app,
-    cli,
     errors::ShowError,
 };
+use creddy_cli::{
+    Action,
+    Cli,
+    RunArgs,
+};
 
 
 fn main() {
-    let res = match cli::parser().get_matches().subcommand() {
-        None | Some(("run", _)) => {
-            app::run().error_popup("Creddy encountered an error");
+    let cli = Cli::parse();
+    let res = match cli.action {
+        None => {
+            let run_args = RunArgs { minimized: false };
+            app::run(run_args, cli.global_args).error_popup("Creddy encountered an error");
+            Ok(())
+        }
+        Some(Action::Run(run_args)) => {
+            app::run(run_args, cli.global_args).error_popup("Creddy encountered an error");
             Ok(())
         },
-        Some(("get", m)) => cli::get(m),
-        Some(("exec", m)) => cli::exec(m),
-        Some(("shortcut", m)) => cli::invoke_shortcut(m),
-        _ => unreachable!(),
+        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
+        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
+        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
+        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
     };
 
     if let Err(e) = res {

src-tauri/src/server/mod.rs

@@ -1,170 +0,0 @@
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::sync::oneshot;
-
-use serde::{Serialize, Deserialize};
-
-use tauri::{AppHandle, Manager};
-
-use crate::errors::*;
-use crate::clientinfo::{self, Client};
-use crate::credentials::{
-    AwsBaseCredential,
-    AwsSessionCredential,
-};
-use crate::ipc::{Approval, RequestNotification};
-use crate::state::AppState;
-use crate::shortcuts::{self, ShortcutAction};
-
-#[cfg(windows)]
-mod server_win;
-#[cfg(windows)]
-pub use server_win::Server;
-#[cfg(windows)]
-use server_win::Stream;
-
-#[cfg(unix)]
-mod server_unix;
-#[cfg(unix)]
-pub use server_unix::Server;
-#[cfg(unix)]
-use server_unix::Stream;
-
-pub mod ssh_agent;
-
-
-#[derive(Serialize, Deserialize)]
-pub enum Request {
-    GetAwsCredentials{ 
-        base: bool,
-    },
-    InvokeShortcut(ShortcutAction),
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum Response {
-    AwsBase(AwsBaseCredential),
-    AwsSession(AwsSessionCredential),
-    Empty,
-}
-
-
-struct CloseWaiter<'s> {
-    stream: &'s mut Stream,
-}
-
-impl<'s> CloseWaiter<'s> {
-    async fn wait_for_close(&mut self) -> std::io::Result<()> {
-        let mut buf = [0u8; 8];
-        loop {
-            match self.stream.read(&mut buf).await {
-                Ok(0) => break Ok(()),
-                Ok(_) => (),
-                Err(e) => break Err(e),
-            }
-        }
-    }
-}
-
-
-async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError> 
-{
-    // read from stream until delimiter is reached
-    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
-    let mut n = 0;
-    loop {
-        n += stream.read_buf(&mut buf).await?;
-        if let Some(&b'\n') = buf.last() {
-            break;
-        }
-        else if n >= 1024 {
-            return Err(HandlerError::RequestTooLarge);
-        }
-    }
-
-    let client = clientinfo::get_process_parent_info(client_pid)?;
-    let waiter = CloseWaiter { stream: &mut stream };
-
-    let req: Request = serde_json::from_slice(&buf)?;
-    let res = match req {
-        Request::GetAwsCredentials{ base } => get_aws_credentials(
-            base, client, app_handle, waiter
-        ).await,
-        Request::InvokeShortcut(action) => invoke_shortcut(action).await,
-    };
-
-    // doesn't make sense to send the error to the client if the client has already left
-    if let Err(HandlerError::Abandoned) = res {
-        return Err(HandlerError::Abandoned);
-    }
-
-    let res = serde_json::to_vec(&res).unwrap();
-    stream.write_all(&res).await?;
-    Ok(())
-}
-
-
-async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerError> {
-    shortcuts::exec_shortcut(action);
-    Ok(Response::Empty)
-}
-
-
-async fn get_aws_credentials(
-    base: bool,
-    client: Client,
-    app_handle: AppHandle,
-    mut waiter: CloseWaiter<'_>,
-) -> Result<Response, HandlerError> {
-    let state = app_handle.state::<AppState>();
-    let rehide_ms = {
-        let config = state.config.read().await;
-        config.rehide_ms
-    };
-    let lease = state.acquire_visibility_lease(rehide_ms).await
-        .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually?
-
-    let (chan_send, chan_recv) = oneshot::channel();
-    let request_id = state.register_request(chan_send).await;
-
-    // if an error occurs in any of the following, we want to abort the operation
-    // but ? returns immediately, and we want to unregister the request before returning
-    // so we bundle it all up in an async block and return a Result so we can handle errors
-    let proceed = async {
-        let notification = RequestNotification::new_aws(request_id, client, base);
-        app_handle.emit("credential-request", &notification)?;
-
-        let response = tokio::select! {
-            r = chan_recv => r?,
-            _ = waiter.wait_for_close() => {
-                app_handle.emit("request-cancelled", request_id)?;
-                return Err(HandlerError::Abandoned);
-            },
-        };
-
-        match response.approval {
-            Approval::Approved => {
-                if response.base {
-                    let creds = state.get_aws_base("default").await?;
-                    Ok(Response::AwsBase(creds))
-                }
-                else {
-                    let creds = state.get_aws_session("default").await?;
-                    Ok(Response::AwsSession(creds.clone()))
-                }
-            },
-            Approval::Denied => Err(HandlerError::Denied),
-        }
-    };
-
-    let result = match proceed.await {
-        Ok(r) => Ok(r),
-        Err(e) => {
-            state.unregister_request(request_id).await;
-            Err(e)
-        }
-    };
-
-    lease.release();
-    result
-}

src-tauri/src/server/server_unix.rs

@@ -1,58 +0,0 @@
-use std::io::ErrorKind;
-use tokio::net::{UnixListener, UnixStream};
-use tauri::{
-    AppHandle,
-    async_runtime as rt,
-};
-
-use crate::errors::*;
-
-
-pub type Stream = UnixStream;
-
-
-pub struct Server {
-    listener: UnixListener,
-    app_handle: AppHandle,
-}
-
-impl Server {
-    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
-        match std::fs::remove_file("/tmp/creddy.sock") {
-            Ok(_) => (),
-            Err(e) if e.kind() == ErrorKind::NotFound => (),
-            Err(e) => return Err(e),
-        }
-
-        let listener = UnixListener::bind("/tmp/creddy.sock")?;
-        let srv = Server { listener, app_handle };
-        rt::spawn(srv.serve());
-        Ok(())
-    }
-
-    async fn serve(self) {
-        loop {
-            self.try_serve()
-                .await
-                .error_print_prefix("Error accepting request: ");
-        }
-    }
-
-    async fn try_serve(&self) -> Result<(), HandlerError> {
-        let (stream, _addr) = self.listener.accept().await?;
-        let new_handle = self.app_handle.clone();
-        let client_pid = get_client_pid(&stream)?;
-        rt::spawn(async move {
-            super::handle(stream, new_handle, client_pid)
-                .await
-                .error_print_prefix("Error responding to request: ");
-        });
-        Ok(())
-    }
-}
-
-
-fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> {
-    let cred = stream.peer_cred()?;
-    Ok(cred.pid().unwrap() as u32)
-}

src-tauri/src/server/server_win.rs

@@ -1,74 +0,0 @@
-use tokio::net::windows::named_pipe::{
-    NamedPipeServer,
-    ServerOptions,
-};
-
-use tauri::{AppHandle, Manager};
-
-use windows::Win32:: {
-    Foundation::HANDLE,
-    System::Pipes::GetNamedPipeClientProcessId,
-};
-
-use std::os::windows::io::AsRawHandle;
-
-use tauri::async_runtime as rt;
-
-use crate::errors::*;
-
-
-// used by parent module
-pub type Stream = NamedPipeServer;
-
-
-pub struct Server {
-    listener: NamedPipeServer,
-    app_handle: AppHandle,
-}
-
-impl Server {
-    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
-        let listener = ServerOptions::new()
-            .first_pipe_instance(true)
-            .create(r"\\.\pipe\creddy-requests")?;
-
-        let srv = Server {listener, app_handle};
-        rt::spawn(srv.serve());
-        Ok(())
-    }
-
-    async fn serve(mut self) {
-        loop {
-            if let Err(e) = self.try_serve().await {
-                eprintln!("Error accepting connection: {e}");
-            }
-        }
-    }
-
-    async fn try_serve(&mut self) -> Result<(), HandlerError> {
-        // connect() just waits for a client to connect, it doesn't return anything
-        self.listener.connect().await?;
-
-        // create a new pipe instance to listen for the next client, and swap it in
-        let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?;
-        let stream = std::mem::replace(&mut self.listener, new_listener);
-        let new_handle = self.app_handle.clone();
-        let client_pid = get_client_pid(&stream)?;
-        rt::spawn(async move {
-            super::handle(stream, new_handle, client_pid)
-                .await
-                .error_print_prefix("Error responding to request: ");
-        });
-
-        Ok(())
-    }
-}
-
-
-fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> {
-    let raw_handle = pipe.as_raw_handle();
-    let mut pid = 0u32;
-    let handle = HANDLE(raw_handle as _);
-    unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
-    Ok(pid)
-}

src-tauri/src/server/ssh_agent.rs

@@ -1,77 +0,0 @@
-use signature::Signer;
-use ssh_agent_lib::agent::{Agent, Session};
-use ssh_agent_lib::proto::message::Message;
-use ssh_key::public::PublicKey;
-use ssh_key::private::PrivateKey;
-use tokio::net::UnixListener;
-
-
-struct SshAgent;
-
-impl std::default::Default for SshAgent {
-    fn default() -> Self {
-        SshAgent {}
-    }
-}
-
-#[ssh_agent_lib::async_trait]
-impl Session for SshAgent {
-    async fn handle(&mut self, message: Message) -> Result<Message, Box<dyn std::error::Error>> {
-        println!("Received message");
-        match message {
-            Message::RequestIdentities => {
-                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519.pub");
-                let pubkey = PublicKey::read_openssh_file(&p).unwrap();
-                let id = ssh_agent_lib::proto::message::Identity {
-                    pubkey_blob: pubkey.to_bytes().unwrap(),
-                    comment: pubkey.comment().to_owned(),
-                };
-                Ok(Message::IdentitiesAnswer(vec![id]))
-            },
-            Message::SignRequest(req) => {
-                println!("Received sign request");
-                let mut req_bytes = vec![13];
-                encode_string(&mut req_bytes, &req.pubkey_blob);
-                encode_string(&mut req_bytes, &req.data);
-                req_bytes.extend(req.flags.to_be_bytes());
-                std::fs::File::create("/tmp/signreq").unwrap().write(&req_bytes).unwrap();
-
-                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519");
-                let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
-                let privkey = PrivateKey::read_openssh_file(&p)
-                    .unwrap()
-                    .decrypt(passphrase.as_bytes())
-                    .unwrap();
-
-
-
-                let sig = Signer::sign(&privkey, &req.data);
-                use std::io::Write;
-                std::fs::File::create("/tmp/sig").unwrap().write(sig.as_bytes()).unwrap();
-
-                let mut payload = Vec::with_capacity(128);
-                encode_string(&mut payload, "ssh-ed25519".as_bytes());
-                encode_string(&mut payload, sig.as_bytes());
-                println!("Payload length: {}", payload.len());
-                std::fs::File::create("/tmp/payload").unwrap().write(&payload).unwrap();
-                Ok(Message::SignResponse(payload))
-            },
-            _ => Ok(Message::Failure),
-        }
-    }
-}
-
-
-fn encode_string(buf: &mut Vec<u8>, s: &[u8]) {
-    let len = s.len() as u32;
-    buf.extend(len.to_be_bytes());
-    buf.extend(s);
-}
-
-
-pub async fn run() {
-    let socket = "/tmp/creddy-agent.sock";
-    let _ = std::fs::remove_file(socket);
-    let listener = UnixListener::bind(socket).unwrap();
-    SshAgent.listen(listener).await.unwrap();
-}

src-tauri/src/shortcuts.rs

@@ -44,10 +44,7 @@ fn launch_terminal() {
 pub fn register_hotkeys(hotkeys: &HotkeysConfig) -> Result<(), ShortcutError> {
     let app = APP.get().unwrap();
     let shortcuts = app.global_shortcut();
-    shortcuts.unregister_all([
-        hotkeys.show_window.keys.as_str(),
-        hotkeys.launch_terminal.keys.as_str(),
-    ])?;
+    shortcuts.unregister_all()?;
 
     if hotkeys.show_window.enabled {
         shortcuts.on_shortcut(

src-tauri/src/srv/agent.rs

@@ -0,0 +1,88 @@
+use futures::SinkExt;
+use ssh_agent_lib::agent::MessageCodec;
+use ssh_agent_lib::proto::message::{
+    Message,
+    SignRequest,
+};
+use tauri::{AppHandle, Manager};
+use tokio_stream::StreamExt;
+use tokio_util::codec::Framed;
+
+use crate::clientinfo;
+use crate::errors::*;
+use crate::ipc::{Approval, RequestNotificationDetail};
+use crate::state::AppState;
+
+use super::{CloseWaiter, Stream};
+
+
+pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
+    super::serve("creddy-agent", app_handle, handle)
+}
+
+
+async fn handle(
+    stream: Stream,
+    app_handle: AppHandle,
+    client_pid: u32
+) -> Result<(), HandlerError> {
+    let mut adapter = Framed::new(stream, MessageCodec);
+    while let Some(message) = adapter.try_next().await? {
+        match message {
+            Message::RequestIdentities => {
+                let resp = list_identities(app_handle.clone()).await?;
+                adapter.send(resp).await?;
+            },
+            Message::SignRequest(req) => {
+                // Note: If the client writes more data to the stream *while* at the
+                // same time waiting for a resopnse to a previous request, this will
+                // corrupt the framing. Clients don't seem to behave that way though?
+                let waiter = CloseWaiter { stream: adapter.get_mut() };
+                let resp = sign_request(req, app_handle.clone(), client_pid, waiter).await?;
+
+                // have to do this before we send since we can't inspect the message after
+                let is_failure = matches!(resp, Message::Failure);
+                adapter.send(resp).await?;
+
+                if is_failure {
+                    // this way we don't get spammed with requests for other keys
+                    // after denying the first
+                    break
+                }
+            },
+            _ => adapter.send(Message::Failure).await?,
+        };
+    }
+    Ok(())
+}
+
+
+async fn list_identities(app_handle: AppHandle) -> Result<Message, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let identities = state.list_ssh_identities().await?;
+    Ok(Message::IdentitiesAnswer(identities))
+}
+
+
+async fn sign_request(
+    req: SignRequest,
+    app_handle: AppHandle,
+    client_pid: u32,
+    waiter: CloseWaiter<'_>,
+) -> Result<Message, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    let client = clientinfo::get_client(client_pid, false)?;
+    let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
+    let detail = RequestNotificationDetail::new_ssh(client, key_name.clone());
+
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match response.approval {
+        Approval::Approved => {
+            let key = state.sshkey_by_name(&key_name).await?;
+            let sig = key.sign_request(&req)?;
+            Ok(Message::SignResponse(sig))
+        },
+        Approval::Denied => Err(HandlerError::Abandoned),
+    }
+}

src-tauri/src/srv/creddy_server.rs

@@ -0,0 +1,223 @@
+use tauri::{AppHandle, Manager};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::clientinfo::{self, Client};
+use crate::credentials::{
+    self,
+    Credential,
+    CredentialRecord,
+    DockerCredential,
+};
+use crate::errors::*;
+use crate::ipc::{
+    Approval,
+    RequestAction,
+    RequestNotificationDetail
+};
+use crate::shortcuts::{self, ShortcutAction};
+use crate::state::AppState;
+use super::{
+    CloseWaiter,
+    CliCredential,
+    CliRequest,
+    CliResponse,
+    Stream,
+};
+
+
+pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
+    super::serve("creddy-server", app_handle, handle)
+}
+
+
+async fn handle(
+    mut stream: Stream,
+    app_handle: AppHandle,
+    client_pid: u32
+) -> Result<(), HandlerError> {
+    // read from stream until delimiter is reached
+    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
+    let mut n = 0;
+    loop {
+        n += stream.read_buf(&mut buf).await?;
+        if let Some(&b'\n') = buf.last() {
+            break;
+        }
+        // sanity check, no request should ever be within a mile of 1MB
+        else if n >= (1024 * 1024) {
+            return Err(HandlerError::RequestTooLarge);
+        }
+    }
+
+    let client = clientinfo::get_client(client_pid, true)?;
+    let waiter = CloseWaiter { stream: &mut stream };
+
+
+    let req: CliRequest = serde_json::from_slice(&buf)?;
+    let res = match req {
+        CliRequest::GetAwsCredential{ name, base } => get_aws_credentials(
+            name, base, client, app_handle, waiter
+        ).await,
+        CliRequest::GetDockerCredential{ server_url } => get_docker_credential (
+            server_url, client, app_handle, waiter
+        ).await,
+        CliRequest::StoreDockerCredential(docker_credential) => store_docker_credential(
+             docker_credential, app_handle, client, waiter
+        ).await,
+        CliRequest::EraseDockerCredential { server_url } => erase_docker_credential(
+            server_url, app_handle, client, waiter
+        ).await,
+        CliRequest::InvokeShortcut{ action } => invoke_shortcut(action).await,
+    };
+
+    // doesn't make sense to send the error to the client if the client has already left
+    if let Err(HandlerError::Abandoned) = res {
+        return Err(HandlerError::Abandoned);
+    }
+
+    let res = serde_json::to_vec(&res).unwrap();
+    stream.write_all(&res).await?;
+    Ok(())
+}
+
+
+async fn invoke_shortcut(action: ShortcutAction) -> Result<CliResponse, HandlerError> {
+    shortcuts::exec_shortcut(action);
+    Ok(CliResponse::Empty)
+}
+
+
+async fn get_aws_credentials(
+    name: Option<String>,
+    base: bool,
+    client: Client,
+    app_handle: AppHandle,
+    waiter: CloseWaiter<'_>,
+) -> Result<CliResponse, HandlerError> {
+    let detail = RequestNotificationDetail::new_aws(client, name.clone(), base);
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match response.approval {
+        Approval::Approved => {
+            let state = app_handle.state::<AppState>();
+            if response.base {
+                let creds = state.get_aws_base(name).await?;
+                Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
+            }
+            else {
+                let creds = state.get_aws_session(name).await?.clone();
+                Ok(CliResponse::Credential(CliCredential::AwsSession(creds)))
+            }
+        },
+        Approval::Denied => Err(HandlerError::Denied),
+    }
+}
+
+async fn get_docker_credential(
+    server_url: String,
+    client: Client,
+    app_handle: AppHandle,
+    waiter: CloseWaiter<'_>,
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let meta = state.docker_credential_meta(&server_url).await.unwrap_or(None);
+    if  meta.is_none() {
+        return Err(
+            HandlerError::NoCredentials(
+                GetCredentialsError::Load(
+                    LoadCredentialsError::NoCredentials
+                )
+            )
+        );
+    }
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Access,
+        client,
+        server_url.clone()
+    );
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match response.approval {
+        Approval::Approved => {
+            let creds = state.get_docker_credential(&server_url).await?;
+            Ok(CliResponse::Credential(CliCredential::Docker(creds)))
+        },
+        Approval::Denied => {
+            Err(HandlerError::Denied)
+        },
+    }
+}
+
+async fn store_docker_credential(
+    docker_credential: DockerCredential,
+    app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>,
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    // We want to do this before asking for confirmation from the user, because Docker has an annoying
+    // habit of calling `get` and then immediately turning around and calling `store` with the same
+    // data. In that case we want to avoid asking for confirmation at all.
+    match state.get_docker_credential(&docker_credential.server_url).await {
+        // if there is already a credential with this server_url, and it is unchanged, we're done
+        Ok(c) if c == docker_credential => return Ok(CliResponse::Empty),
+        // otherwise we are making an update, so proceed
+        Ok(_) => (),
+        // if the app is locked, then this isn't the situation described above, so proceed
+        Err(GetCredentialsError::Locked) => (),
+        // if the app is unlocked, and there is no matching credential, proceed
+        Err(GetCredentialsError::Load(LoadCredentialsError::NoCredentials)) => (),
+        // any other error is a failure
+        Err(e) => return Err(e.into()),
+    };
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Save,
+        client,
+        docker_credential.server_url.clone(),
+    );
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    if matches!(response.approval, Approval::Denied) {
+        return Err(HandlerError::Denied);
+    }
+
+    let (id, name) = state.docker_credential_meta(&docker_credential.server_url)
+        .await
+        .map_err(|e| GetCredentialsError::Load(e))?
+        .unwrap_or_else(|| (credentials::random_uuid(), docker_credential.server_url.clone()));
+
+    let record = CredentialRecord {
+        id,
+        name,
+        is_default: false,
+        credential: Credential::Docker(docker_credential)
+    };
+    state.save_credential(record).await?;
+
+    Ok(CliResponse::Empty)
+}
+
+async fn erase_docker_credential(
+    server_url: String,
+    app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Delete,
+        client,
+        server_url.clone(),
+    );
+    let resp = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match resp.approval {
+        Approval::Approved => {
+            state.delete_credential_by_name(&server_url).await?;
+            Ok(CliResponse::Empty)
+        }
+        Approval::Denied => {
+            Err(HandlerError::Denied)
+        }
+    }
+}

src-tauri/src/srv/mod.rs

@@ -0,0 +1,258 @@
+use std::future::Future;
+
+use tauri::{
+    AppHandle,
+    async_runtime as rt,
+    Emitter,
+    Manager,
+    Runtime,
+};
+use tokio::io::AsyncReadExt;
+use tokio::sync::oneshot;
+use serde::{Serialize, Deserialize};
+
+use crate::credentials::{
+    AwsBaseCredential,
+    AwsSessionCredential,
+    DockerCredential,
+};
+use crate::errors::*;
+use crate::ipc::{RequestNotification, RequestNotificationDetail, RequestResponse};
+use crate::shortcuts::ShortcutAction;
+use crate::state::AppState;
+
+pub mod creddy_server;
+pub mod agent;
+use platform::Stream;
+
+
+// These types match what's defined in creddy_cli, but they are separate types
+// so that we avoid polluting the standalone CLI with a bunch of dependencies
+// that would make it impossible to build a completely static-linked version
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
+pub enum CliRequest {
+    GetAwsCredential {
+        name: Option<String>,
+        base: bool,
+    },
+    GetDockerCredential {
+        server_url: String,
+    },
+    StoreDockerCredential(DockerCredential),
+    EraseDockerCredential {
+        server_url: String,
+    },
+    InvokeShortcut{
+        action: ShortcutAction,
+    },
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliResponse {
+    Credential(CliCredential),
+    Empty,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum CliCredential {
+    AwsBase(AwsBaseCredential),
+    AwsSession(AwsSessionCredential),
+    Docker(DockerCredential),
+}
+
+
+struct CloseWaiter<'s> {
+    stream: &'s mut Stream,
+}
+
+impl<'s> CloseWaiter<'s> {
+    async fn wait_for_close(&mut self) -> std::io::Result<()> {
+        let mut buf = [0u8; 8];
+        loop {
+            match self.stream.read(&mut buf).await {
+                Ok(0) => break Ok(()),
+                Ok(_) => (),
+                Err(e) => break Err(e),
+            }
+        }
+    }
+}
+
+
+// note: AppHandle is generic over `Runtime` for testing
+fn serve<H, F, R>(sock_name: &str, app_handle: AppHandle<R>, handler: H) -> std::io::Result<()>
+    where H: Copy + Send + Fn(Stream, AppHandle<R>, u32) -> F + 'static,
+          F: Send + Future<Output = Result<(), HandlerError>>,
+          R: Runtime
+{
+    let (mut listener, addr) = platform::bind(sock_name)?;
+    rt::spawn(async move {
+        loop {
+            let (stream, client_pid) = match platform::accept(&mut listener, &addr).await {
+                Ok((s, c)) => (s, c),
+                Err(e) => {
+                    eprintln!("Error accepting request: {e}");
+                    continue;
+                },
+            };
+            let new_handle = app_handle.clone();
+            rt::spawn(async move {
+                handler(stream, new_handle, client_pid)
+                    .await
+                    .error_print_prefix("Error responding to request: ");
+            });
+        }
+    });
+    Ok(())
+}
+
+
+async fn send_credentials_request(
+    detail: RequestNotificationDetail,
+    app_handle: AppHandle,
+    mut waiter: CloseWaiter<'_>
+) -> Result<RequestResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let rehide_ms = {
+        let config = state.config.read().await;
+        config.rehide_ms
+    };
+
+    let lease = state.acquire_visibility_lease(rehide_ms).await
+        .map_err(|_e| HandlerError::NoMainWindow)?;
+
+    let (chan_send, chan_recv) = oneshot::channel();
+    let request_id = state.register_request(chan_send).await;
+    let notification = RequestNotification { id: request_id, detail };
+
+    // the following could fail in various ways, but we want to make sure
+    // the request gets unregistered on any failure, so we wrap this all
+    // up in an async block so that we only have to handle the error case once
+    let proceed = async {
+        app_handle.emit("credential-request", &notification)?;
+        tokio::select! {
+            r = chan_recv => Ok(r?),
+            _ = waiter.wait_for_close() => {
+                app_handle.emit("request-cancelled", request_id)?;
+                Err(HandlerError::Abandoned)
+            },
+        }
+    };
+
+    let res = proceed.await;
+    if let Err(_) = &res {
+        state.unregister_request(request_id).await;
+    }
+
+    lease.release();
+    res
+}
+
+
+#[cfg(unix)]
+mod platform {
+    use std::io::ErrorKind;
+    use std::path::PathBuf;
+    use tokio::net::{UnixListener, UnixStream};
+    use super::*;
+
+
+    pub type Stream = UnixStream;
+
+    pub fn bind(sock_name: &str) -> std::io::Result<(UnixListener, PathBuf)> {
+        let path = creddy_cli::server_addr(sock_name);
+        match std::fs::remove_file(&path) {
+            Ok(_) => (),
+            Err(e) if e.kind() == ErrorKind::NotFound => (),
+            Err(e) => return Err(e),
+        }
+
+        let listener = UnixListener::bind(&path)?;
+        Ok((listener, path))
+    }
+
+    pub async fn accept(listener: &mut UnixListener, _addr: &PathBuf) -> Result<(UnixStream, u32), HandlerError> {
+        let (stream, _addr) = listener.accept().await?;
+        let pid = stream.peer_cred()?
+            .pid()
+            .ok_or(ClientInfoError::PidNotFound)?
+            as u32;
+
+        Ok((stream, pid))
+    }
+}
+
+
+#[cfg(windows)]
+mod platform {
+    use std::os::windows::io::AsRawHandle;
+    use std::path::PathBuf;
+    use tokio::net::windows::named_pipe::{
+        NamedPipeServer,
+        ServerOptions,
+    };
+    use windows::Win32::{
+        Foundation::HANDLE,
+        System::Pipes::GetNamedPipeClientProcessId,
+    };
+    use super::*;
+
+
+    pub type Stream = NamedPipeServer;
+
+    pub fn bind(sock_name: &str) -> std::io::Result<(NamedPipeServer, PathBuf)> {
+        let addr = creddy_cli::server_addr(sock_name);
+        let listener = ServerOptions::new()
+            .first_pipe_instance(true)
+            .create(&addr)?;
+        Ok((listener, addr))
+    }
+
+    pub async fn accept(listener: &mut NamedPipeServer, addr: &PathBuf) -> Result<(NamedPipeServer, u32), HandlerError> {
+        // connect() just waits for a client to connect, it doesn't return anything
+        listener.connect().await?;
+
+        // unlike Unix sockets, a Windows NamedPipeServer *becomes* the open stream
+        // once a client connects. If we want to keep listening, we have to construct
+        // a new server and swap it in.
+        let new_listener = ServerOptions::new().create(addr)?;
+        let stream = std::mem::replace(listener, new_listener);
+
+        let raw_handle = stream.as_raw_handle();
+        let mut pid = 0u32;
+        let handle = HANDLE(raw_handle as _);
+        unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
+        Ok((stream, pid))
+    }
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tokio::io::AsyncWriteExt;
+
+    #[tokio::test]
+    async fn test_server_connect() {
+        let app = tauri::test::mock_app();
+        serve("creddy_server_test", app.app_handle().clone(), |mut stream, _handle, _pid| {
+            async move {
+                let buf = serde_json::to_vec(&CliResponse::Empty).unwrap();
+                stream.write_all(&buf).await.unwrap();
+                Ok(())
+            }
+        }).unwrap();
+
+        let addr = creddy_cli::server_addr("creddy_server_test");
+        let mut stream = creddy_cli::connect(Some(addr)).await.unwrap();
+
+        let mut buf = Vec::new();
+        stream.read_to_end(&mut buf).await.unwrap();
+        let resp: CliResponse = serde_json::from_slice(&buf).unwrap();
+
+        assert!(matches!(resp, CliResponse::Empty))
+    }
+}

src-tauri/src/state.rs

@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use std::collections::hash_map::Entry;
 use std::time::Duration;
 use time::OffsetDateTime;
 
@@ -6,9 +7,11 @@ use tokio::{
     sync::{RwLock, RwLockReadGuard},
     sync::oneshot::{self, Sender},
 };
+use ssh_agent_lib::proto::message::Identity;
 use sqlx::SqlitePool;
 use sqlx::types::Uuid;
 use tauri::{
+    Emitter,
     Manager,
     async_runtime as rt,
 };
@@ -17,16 +20,20 @@ use crate::app;
 use crate::credentials::{
     AppSession,
     AwsSessionCredential,
+    DockerCredential,
+    SshKey,
 };
-use crate::{config, config::AppConfig};
+use crate::config::AppConfig;
 use crate::credentials::{
     AwsBaseCredential,
+    Credential,
     CredentialRecord,
     PersistentCredential
 };
 use crate::ipc::{self, RequestResponse};
 use crate::errors::*;
 use crate::shortcuts;
+use crate::tray;
 
 
 #[derive(Debug)]
@@ -107,7 +114,8 @@ impl VisibilityLease {
 pub struct AppState {
     pub config: RwLock<AppConfig>,
     pub app_session: RwLock<AppSession>,
-    pub aws_session: RwLock<Option<AwsSessionCredential>>,
+    // session cache is keyed on id rather than name because names can change
+    pub aws_sessions: RwLock<HashMap<Uuid, AwsSessionCredential>>,
     pub last_activity: RwLock<OffsetDateTime>,
     pub request_count: RwLock<u64>,
     pub waiting_requests: RwLock<HashMap<u64, Sender<RequestResponse>>>,
@@ -130,7 +138,7 @@ impl AppState {
         AppState {
             config: RwLock::new(config),
             app_session: RwLock::new(app_session),
-            aws_session: RwLock::new(None),
+            aws_sessions: RwLock::new(HashMap::new()),
             last_activity: RwLock::new(OffsetDateTime::now_utc()),
             request_count: RwLock::new(0),
             waiting_requests: RwLock::new(HashMap::new()),
@@ -155,6 +163,13 @@ impl AppState {
         Ok(())
     }
 
+    pub async fn delete_credential_by_name(&self, name: &str) -> Result<(), SaveCredentialsError> {
+        sqlx::query!("DELETE FROM credentials WHERE name = ?", name)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
     pub async fn list_credentials(&self) -> Result<Vec<CredentialRecord>, GetCredentialsError> {
         let session = self.app_session.read().await;
         let crypto = session.try_get_crypto()?;
@@ -162,6 +177,10 @@ impl AppState {
         Ok(list)
     }
 
+    pub async fn list_ssh_identities(&self) -> Result<Vec<Identity>, GetCredentialsError> {
+        Ok(SshKey::list_identities(&self.pool).await?)
+    }
+
     pub async fn set_passphrase(&self, passphrase: &str) -> Result<(), SaveCredentialsError> {
         let mut cur_session = self.app_session.write().await;
         if let AppSession::Locked {..} = *cur_session {
@@ -184,10 +203,11 @@ impl AppState {
 
     pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
         let mut live_config = self.config.write().await;
-        
+
         // update autostart if necessary
-        if new_config.start_on_login != live_config.start_on_login {
-            config::set_auto_launch(new_config.start_on_login)?;
+        if new_config.start_on_login != live_config.start_on_login
+            || new_config.start_minimized != live_config.start_minimized {
+            new_config.set_auto_launch()?;
         }
 
         // re-register hotkeys if necessary
@@ -235,7 +255,11 @@ impl AppState {
 
     pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
         let mut session = self.app_session.write().await;
-        session.unlock(passphrase)
+        session.unlock(passphrase)?;
+        let app_handle = app::APP.get().unwrap();
+        let menu = app_handle.state::<tray::MenuItems>();
+        let _ = menu.after_unlock(); // we don't care if this fails, it's non-essential
+        Ok(())
     }
 
     pub async fn lock(&self) -> Result<(), LockError> {
@@ -249,6 +273,9 @@ impl AppState {
                 let app_handle = app::APP.get().unwrap();
                 app_handle.emit("locked", None::<usize>)?;
 
+                let menu = app_handle.state::<tray::MenuItems>();
+                let _ = menu.after_lock();
+
                 Ok(())
             }
         }
@@ -261,29 +288,82 @@ impl AppState {
         Ok(())
     }
 
-    pub async fn get_aws_base(&self, name: &str) -> Result<AwsBaseCredential, GetCredentialsError> {
+    pub async fn get_aws_base(&self, name: Option<String>) -> Result<AwsBaseCredential, GetCredentialsError> {
         let app_session = self.app_session.read().await;
         let crypto = app_session.try_get_crypto()?;
-        let creds = AwsBaseCredential::load_by_name(name, crypto, &self.pool).await?;
+        let creds = match name {
+            Some(n) => AwsBaseCredential::load_by_name(&n, crypto, &self.pool).await?,
+            None => AwsBaseCredential::load_default(crypto, &self.pool).await?,
+        };
         Ok(creds)
     }
 
-    pub async fn get_aws_session(&self, name: &str) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
-        // yes, this sometimes results in double-fetching base credentials from disk
-        // I'm done trying to be optimal
+    pub async fn get_aws_session(&self, name: Option<String>) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let record = match name {
+            Some(n) => CredentialRecord::load_by_name(&n, crypto, &self.pool).await?,
+            None => CredentialRecord::load_default("aws", crypto, &self.pool).await?,
+        };
+        let base = match &record.credential {
+            Credential::AwsBase(b) => Ok(b),
+            _ => Err(LoadCredentialsError::NoCredentials)
+        }?;
+
         {
-            let mut aws_session = self.aws_session.write().await;
-            if aws_session.is_none() || aws_session.as_ref().unwrap().is_expired() {
-                let base_creds = self.get_aws_base(name).await?;
-                *aws_session = Some(AwsSessionCredential::from_base(&base_creds).await?);
+            let mut aws_sessions = self.aws_sessions.write().await;
+            match aws_sessions.entry(record.id) {
+                Entry::Vacant(e) => {
+                    e.insert(AwsSessionCredential::from_base(&base).await?);
+                },
+                Entry::Occupied(mut e) if e.get().is_expired() => {
+                    *(e.get_mut()) = AwsSessionCredential::from_base(&base).await?;
+                },
+                _ => ()
             }
         }
 
-        // we know this is safe, because we juse made sure of it
-        let s = RwLockReadGuard::map(self.aws_session.read().await, |opt| opt.as_ref().unwrap());
+        // we know the unwrap is safe, because we just made sure of it
+        let s = RwLockReadGuard::map(self.aws_sessions.read().await, |map| map.get(&record.id).unwrap());
         Ok(s)
     }
 
+    pub async fn ssh_name_from_pubkey(&self, pubkey: &[u8]) -> Result<String, GetCredentialsError> {
+        let k = SshKey::name_from_pubkey(pubkey, &self.pool).await?;
+        Ok(k)
+    }
+
+    pub async fn sshkey_by_name(&self, name: &str) -> Result<SshKey, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let k = SshKey::load_by_name(name, crypto, &self.pool).await?;
+        Ok(k)
+    }
+
+    pub async fn docker_credential_meta(
+        &self, server_url: &str
+    ) -> Result<Option<(Uuid, String)>, LoadCredentialsError> {
+        let res = sqlx::query!(
+            r#"SELECT
+                c.id as "id: Uuid",
+                c.name
+            FROM
+                credentials c
+                JOIN docker_credentials d
+                    ON d.id = c.id
+            WHERE d.server_url = ?"#,
+            server_url
+        ).fetch_optional(&self.pool).await?;
+        Ok(res.map(|row| (row.id, row.name)))
+    }
+
+    pub async fn get_docker_credential(&self, server_url: &str) -> Result<DockerCredential, GetCredentialsError> {
+        let app_session = self.app_session.read().await;
+        let crypto = app_session.try_get_crypto()?;
+        let d = DockerCredential::load_by("server_url", server_url.to_owned(), crypto, &self.pool).await?;
+        Ok(d)
+    }
+
     pub async fn signal_activity(&self) {
         let mut last_activity = self.last_activity.write().await;
         *last_activity = OffsetDateTime::now_utc();

src-tauri/src/terminal.rs

@@ -1,7 +1,11 @@
 use std::process::Command;
 use std::time::Duration;
 
-use tauri::Manager;
+use tauri::{
+    AppHandle,
+    Listener,
+    Manager,
+};
 use tokio::time::sleep;
 
 use crate::app::APP;
@@ -18,6 +22,18 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
         return Ok(());
     }
 
+    let res = do_launch(app, use_base).await;
+
+    state.unregister_terminal_request().await;
+    res
+}
+
+
+// this handles most of the work, the outer function is just to ensure we properly
+// unregister the request if there's an error
+async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminalError> {
+    let state = app.state::<AppState>();
+
     let mut cmd = {
         let config = state.config.read().await;
         let mut cmd = Command::new(&config.terminal.exec);
@@ -41,7 +57,6 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
             _ = rx => lease.release(),
             // otherwise, dump this request, but return Ok so we don't get an error popup
             _ = sleep(timeout) => {
-                state.unregister_terminal_request().await;
                 eprintln!("WARNING: Request to launch terminal timed out after 60 seconds.");
                 return Ok(());
             },
@@ -52,27 +67,24 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
     // (i.e. lies about unlocking) we could end up here with a locked session
     // this will result in an error popup to the user (see main hotkey handler)
     if use_base {
-        let base_creds = state.get_aws_base("default").await?;
+        let base_creds = state.get_aws_base(None).await?;
         cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key);
     }
     else {
-        let session_creds = state.get_aws_session("default").await?;
+        let session_creds = state.get_aws_session(None).await?;
         cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key);
         cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token);
     }
 
-    let res = match cmd.spawn() {
+    match cmd.spawn() {
         Ok(_) => Ok(()),
         Err(e) if std::io::ErrorKind::NotFound == e.kind() => {
             Err(ExecError::NotFound(cmd.get_program().to_owned()))
         },
         Err(e) => Err(ExecError::ExecutionFailed(e)),
-    };
+    }?;
 
-    state.unregister_terminal_request().await;
-
-    res?; // ? auto-conversion is more liberal than .into()
     Ok(())
 }

src-tauri/src/tray.rs

@@ -7,27 +7,78 @@ use tauri::{
 use tauri::menu::{
     MenuBuilder,
     MenuEvent,
+    MenuItem,
     MenuItemBuilder,
+    PredefinedMenuItem,
 };
+use tauri::tray::TrayIconBuilder;
 
 use crate::app;
 use crate::state::AppState;
 
 
+pub struct MenuItems {
+    pub status: MenuItem<tauri::Wry>,
+    pub show_hide: MenuItem<tauri::Wry>,
+}
+
+impl MenuItems {
+    pub fn after_show(&self) -> tauri::Result<()> {
+        self.show_hide.set_text("Hide")
+    }
+
+    pub fn after_hide(&self) -> tauri::Result<()> {
+        self.show_hide.set_text("Show")
+    }
+
+    pub fn after_lock(&self) -> tauri::Result<()> {
+        if cfg!(debug_assertions) {
+            self.status.set_text("Creddy (dev): Locked")
+        }
+        else {
+            self.status.set_text("Creddy: Locked")
+        }
+    }
+
+    pub fn after_unlock(&self) -> tauri::Result<()> {
+        if cfg!(debug_assertions) {
+            self.status.set_text("Creddy (dev): Unlocked")
+        }
+        else {
+            self.status.set_text("Creddy: Unlocked")
+        }
+    }
+}
+
+
 pub fn setup(app: &App) -> tauri::Result<()> {
+    let status_text =
+        if cfg!(debug_assertions) {
+            "Creddy (dev): Locked"
+        }
+        else {
+            "Creddy: Locked"
+        };
+
+    let status = MenuItemBuilder::with_id("status", status_text)
+        .enabled(false)
+        .build(app)?;
+    let sep = PredefinedMenuItem::separator(app)?;
     let show_hide = MenuItemBuilder::with_id("show_hide", "Show").build(app)?;
     let exit = MenuItemBuilder::with_id("exit", "Exit").build(app)?;
 
     let menu = MenuBuilder::new(app)
-        .items(&[&show_hide, &exit])
+        .items(&[&status, &sep, &show_hide, &exit])
         .build()?;
 
-    let tray = app.tray_by_id("main").unwrap();
-    tray.set_menu(Some(menu))?;
-    tray.on_menu_event(handle_event);
+    TrayIconBuilder::new()
+        .icon(app.default_window_icon().unwrap().clone())
+        .menu(&menu)
+        .on_menu_event(handle_event)
+        .build(app)?;
 
-    // stash this so we can find it later to change the text
-    app.manage(show_hide);
+    // stash these so we can find them later to change the text
+    app.manage(MenuItems { status, show_hide });
 
     Ok(())
 }

src-tauri/tauri.conf.json

@@ -50,7 +50,7 @@
     }
   },
   "productName": "creddy",
-  "version": "0.4.9",
+  "version": "0.6.5",
   "identifier": "creddy",
   "plugins": {},
   "app": {
@@ -65,11 +65,6 @@
         "visible": false
       }
     ],
-    "trayIcon": {
-      "id": "main",
-      "iconPath": "icons/icon.png",
-      "iconAsTemplate": true
-    },
     "security": {
       "csp": {
         "style-src": [
@@ -85,4 +80,4 @@
       }
     }
   }
-}
+}

src/App.svelte

@@ -14,6 +14,7 @@ import Unlock from './views/Unlock.svelte';
 // set up app state
 invoke('get_config').then(config => $appState.config = config);
 invoke('get_session_status').then(status => $appState.sessionStatus = status);
+invoke('get_devmode').then(dm => $appState.devmode = dm)
 getVersion().then(version => $appState.appVersion = version);
 invoke('get_setup_errors')
     .then(errs => {
@@ -51,7 +52,7 @@ acceptRequest();
 </script>
 
 
-<svelte:window 
+<svelte:window
     on:click={() => invoke('signal_activity')}
     on:keydown={() => invoke('signal_activity')}
 />
@@ -70,3 +71,9 @@ acceptRequest();
     <!-- normal operation -->
     <svelte:component this="{$currentView}" />
 {/if}
+
+{#if $appState.devmode }
+    <div class="fixed left-0 bottom-0 right-0 py-1 bg-warning text-xs text-center text-warning-content">
+        This is a development build of Creddy.
+    </div>
+{/if}

src/lib/errors.js

@@ -6,3 +6,12 @@ export function getRootCause(error) {
         return error;
     }
 }
+
+
+export function fullMessage(error) {
+    let msg = error?.msg ? error.msg : error;
+    if (error.source) {
+        msg = `${msg}: ${fullMessage(error.source)}`;
+    }
+    return msg
+}

src/ui/ErrorAlert.svelte

@@ -2,6 +2,9 @@
     import { onMount } from 'svelte';
     import { slide } from 'svelte/transition';
 
+    import { fullMessage } from '../lib/errors.js';
+
+
     let extraClasses = "";
     export {extraClasses as class};
     export let slideDuration = 150;
@@ -78,7 +81,7 @@
     <div transition:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
         <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
         <span>
-            <slot {error}>{error.msg || error}</slot>
+            <slot {error}>{fullMessage(error)}</slot>
         </span>
 
         {#if $$slots.buttons}

src/ui/FileInput.svelte

@@ -0,0 +1,52 @@
+<script>
+    // import { listen } from '@tauri-apps/api/event';
+    import { open } from '@tauri-apps/plugin-dialog';
+    import { basename } from '@tauri-apps/api/path';
+    import { createEventDispatcher } from 'svelte';
+
+    import Icon from './Icon.svelte';
+
+
+    export let value = {};
+    export let params = {};
+    let displayValue = value?.name || '';
+
+    const dispatch = createEventDispatcher();
+
+    async function chooseFile() {
+        let path = await open(params);
+        if (path) {
+            displayValue = await basename(path);
+            value = {name: displayValue, path};
+            dispatch('update', value);
+        }
+    }
+
+    async function handleInput(evt) {
+        const name = await basename(evt.target.value);
+        value = {name, path: evt.target.value};
+    }
+
+    // some day, figure out drag-and-drop
+    // let drag = null;
+    // listen('tauri://drag', e => drag = e);
+    // listen('tauri://drop', e => console.log(e));
+    // listen('tauri://drag-cancelled', e => console.log(e));
+    // listen('tauri://drop-over', e => console.log(e));
+
+</script>
+
+
+<div class="relative flex join has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
+    <button type="button" class="btn btn-neutral join-item" on:click={chooseFile}>
+        Choose file
+    </button>
+    <input 
+        type="text"
+        class="join-item grow input input-bordered border-l-0 bg-transparent focus:outline-none"
+        value={displayValue}
+        on:input={handleInput}
+        on:change={() => dispatch('update', value)}
+        on:focus on:blur
+    >
+</div>

src/ui/PassphraseInput.svelte

@@ -4,10 +4,15 @@
     export let value = '';
     export let placeholder = '';
     export let autofocus = false;
+    export let show = false;
     let classes = '';
     export {classes as class};
 
-    let show = false;
+    let input;
+
+    export function focus() {
+        input.focus();
+    }
 </script>
 
 
@@ -19,13 +24,14 @@
 </style>
 
 
-<div class="join w-full">
+<div class="join w-full has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
     <input
+        bind:this={input}
         type={show ? 'text' : 'password'}
         {value} {placeholder} {autofocus}
         on:input={e => value = e.target.value}
         on:input on:change on:focus on:blur
-        class="input input-bordered flex-grow join-item placeholder:text-gray-500 {classes}"
+        class="input input-bordered flex-grow join-item placeholder:text-gray-500 focus:outline-none {classes}"
     />
 
     <button

src/ui/settings/FileSetting.svelte

@@ -7,6 +7,13 @@
     export let value;
 
     const dispatch = createEventDispatcher();
+
+    async function pickFile() {
+        let file = await open();
+        if (file) {
+            value = file.path
+        }
+    }
 </script>
 
 
@@ -18,9 +25,10 @@
             bind:value
             on:change={() => dispatch('update', {value})}
         >
-        <button 
+        <button
+            type="button"
             class="btn btn-sm btn-primary"
-            on:click={async () => value = await open()}
+            on:click={pickFile}
         >Browse</button>
     </div>
     <slot name="description" slot="description"></slot>

src/views/Approve.svelte

@@ -7,9 +7,10 @@
     import ShowResponse from './approve/ShowResponse.svelte';
     import Unlock from './Unlock.svelte';
 
+    console.log($appState.currentRequest);
 
     // Extra 50ms so the window can finish disappearing before the redraw
-    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 50);
+    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 100);
 
     let alert;
     let success = false;

src/views/Home.svelte

@@ -8,11 +8,15 @@
     import Icon from '../ui/Icon.svelte';
     import Link from '../ui/Link.svelte';
 
-
-    let launchBase = false;
-    function launchTerminal() {
-        invoke('launch_terminal', {base: launchBase});
-        launchBase = false;
+    let launchTerminalError;
+    async function launchTerminal() {
+        try {
+            await invoke('launch_terminal', {base: false});
+        }
+        catch (e) {
+            console.log(e);
+            launchTerminalError = e;
+        }
     }
 
     async function lock() {
@@ -32,37 +36,41 @@
 
 <div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
     <div class="grid grid-cols-2 gap-6">
-        <Link target="ManageCredentials">
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-colors">
-                <Icon name="key" class="size-12 stroke-1 stroke-primary" />
-                <h3 class="text-lg font-bold">Credentials</h3>
-                <p class="text-sm">Add, remove, and change defaults credentials.</p>
-            </div>
-        </Link>
+        <button
+            on:click={() => navigate('ManageCredentials')}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-transform active:scale-[.98] transition-transform"
+        >
+            <Icon name="key" class="size-12 stroke-1 stroke-primary" />
+            <h3 class="text-lg font-bold">Credentials</h3>
+            <p class="text-sm">Add, remove, and change default credentials.</p>
+        </button>
         
-        <Link target={launchTerminal}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors">
-                <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
-                <h3 class="text-lg font-bold">Terminal</h3>
-                <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={launchTerminal}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
+            <h3 class="text-lg font-bold">Terminal</h3>
+            <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
+        </button>
 
-        <Link target={lock}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors">
-                <Icon name="shield-check" class="size-12 stroke-1 stroke-accent" />
-                <h3 class="text-lg font-bold">Lock</h3>
-                <p class="text-sm">Lock Creddy.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={lock}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="shield-check" class="size-12 stroke-1 stroke-warning" />
+            <h3 class="text-lg font-bold">Lock</h3>
+            <p class="text-sm">Lock Creddy.</p>
+        </button>
 
-        <Link target={() => invoke('exit')}>
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors">
-                <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-warning" />
-                <h3 class="text-lg font-bold">Exit</h3>
-                <p class="text-sm">Close Creddy.</p>
-            </div>
-        </Link>
+        <button 
+            on:click={() => invoke('exit')}
+            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
+        >
+            <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-accent" />
+            <h3 class="text-lg font-bold">Exit</h3>
+            <p class="text-sm">Close Creddy.</p>
+        </button>
     </div>
 </div>
 
@@ -71,10 +79,25 @@
         {#each $appState.setupErrors as error}
             {#if error.show}
                 <div class="alert alert-error shadow-lg">
-                    {error.msg}
-                    <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
+                    <span>{error.msg}</span>
+                    <div>
+                        <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
+                    </div>
                 </div>
             {/if}
         {/each}
     </div>
+{/if}
+
+{#if launchTerminalError}
+    <div class="toast">
+        <div class="alert alert-error text-wrap shadow-lg">
+            <span>{launchTerminalError.msg || launchTerminalError}</span>
+            <div>
+                <button class="btn btn-alert-error" on:click={() => launchTerminalError = null}>
+                    Ok
+                </button>
+            </div>
+        </div>
+    </div>
 {/if}

src/views/ManageCredentials.svelte

@@ -5,12 +5,18 @@
     import { invoke } from '@tauri-apps/api/core';
 
     import AwsCredential from './credentials/AwsCredential.svelte';
+    import ConfirmDelete from './credentials/ConfirmDelete.svelte';
+    import DockerCredential from './credentials/DockerCredential.svelte';
+    import SshKey from './credentials/SshKey.svelte';
     import Icon from '../ui/Icon.svelte';
     import Nav from '../ui/Nav.svelte';
 
-    let show = false;
 
-    let records = []
+    let records = null
+    $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
+    $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
+    $: dockerRecords = (records || []).filter(r => r.credential.type === 'Docker');
+
     let defaults = writable({});
     async function loadCreds() {
         records = await invoke('list_credentials');
@@ -24,11 +30,44 @@
             id: crypto.randomUUID(),
             name: null,
             is_default: false,
-            credential: {type: 'AwsBase', AccessKeyId: null, SecretAccessKey: null},
+            credential: {type: 'AwsBase', AccessKeyId: '', SecretAccessKey: ''},
             isNew: true,
         });
         records = records;
     }
+
+    function newSsh() {
+        records.push({
+            id: crypto.randomUUID(),
+            name: null,
+            is_default: false,
+            credential: {type: 'Ssh', algorithm: '', comment: '', private_key: '', public_key: '',},
+            isNew: true,
+        });
+        records = records;
+    }
+
+    function newDocker() {
+        records.push({
+            id: crypto.randomUUID(),
+            name: null,
+            is_default: false,
+            credential: {type: 'Docker', ServerURL: '', Username: '', Secret: ''},
+            isNew: true,
+        });
+        records = records;
+    }
+
+    let confirmDelete;
+    function handleDelete(evt) {
+        const record = evt.detail;
+        if (record.isNew) {
+            records = records.filter(r => r.id !== record.id);
+        }
+        else {
+            confirmDelete.confirm(record);
+        }
+    }
 </script>
 
 
@@ -36,27 +75,82 @@
     <h1 slot="title" class="text-2xl font-bold">Credentials</h1>
 </Nav>
 
-<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-4 justify-center">
-    <div class="divider">
-        <h2 class="text-xl font-bold">AWS Access Keys</h2>
-    </div>
+<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-12 justify-center">
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">AWS Access Keys</h2>
+        </div>
 
-    {#if records.length > 0}
-        {#each records as record (record.id)}
-            <AwsCredential {record} {defaults} on:update={loadCreds} />
-        {/each}
-        <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
-            <Icon name="plus-circle-mini" class="size-5" />
-            Add
-        </button>
-    {:else}
-        <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
-            <div>You have no saved AWS credentials.</div>
+        {#if awsRecords.length > 0}
+            {#each awsRecords as record (record.id)}
+                <AwsCredential
+                    {record} {defaults}
+                    on:update={loadCreds}
+                    on:delete={handleDelete}
+                />
+            {/each}
             <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
                 <Icon name="plus-circle-mini" class="size-5" />
                 Add
             </button>
-        </div>
-    {/if}
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved AWS credentials.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
 
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">SSH Keys</h2>
+        </div>
+
+        {#if sshRecords.length > 0}
+            {#each sshRecords as record (record.id)}
+                <SshKey {record} on:save={loadCreds} on:delete={handleDelete} />
+            {/each}
+            <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
+                <Icon name="plus-circle-mini" class="size-5" />
+                Add
+            </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved SSH keys.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
+
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">Docker credentials</h2>
+        </div>
+
+        {#if dockerRecords.length > 0}
+            {#each dockerRecords as record (record.id)}
+                <DockerCredential {record} on:save={loadCreds} on:delete={handleDelete} />
+            {/each}
+            <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                <Icon name="plus-circle-mini" class="size-5" />
+                Add
+            </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved Docker credentials.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
 </div>
+
+<ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />

src/views/Settings.svelte

@@ -20,7 +20,6 @@
     let error = null;
     async function save() {
         try {
-            throw('wtf');
             await invoke('save_config', {config});
             $appState.config = await invoke('get_config');
         }
@@ -29,6 +28,7 @@
         }
     }
 
+    window.getOsType = type;
     let osType = null;
     type().then(t => osType = t);
 </script>
@@ -40,18 +40,20 @@
 
 <form on:submit|preventDefault={save}>
     <div class="max-w-lg mx-auto my-1.5 p-4 space-y-16">
-        <SettingsGroup name="General">            
+        <SettingsGroup name="General">
             <ToggleSetting title="Start on login" bind:value={config.start_on_login}>
                 <svelte:fragment slot="description">
                     Start Creddy when you log in to your computer.
                 </svelte:fragment>
             </ToggleSetting>
 
-            <ToggleSetting title="Start minimized" bind:value={config.start_minimized}>
-                <svelte:fragment slot="description">
-                    Minimize to the system tray at startup.
-                </svelte:fragment>
-            </ToggleSetting>
+            {#if config.start_on_login}
+                <ToggleSetting title="Start minimized" bind:value={config.start_minimized}>
+                    <svelte:fragment slot="description">
+                        Minimize to the system tray when starting on login.
+                    </svelte:fragment>
+                </ToggleSetting>
+            {/if}
 
             <NumericSetting title="Re-hide delay" bind:value={config.rehide_ms} min={0} unit="Milliseconds">
                 <svelte:fragment slot="description">
@@ -113,7 +115,7 @@
 
 {#if error}
     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
-        <div class="alert alert-error no-animation">
+        <div class="alert alert-error no-animation text-wrap">
             <div>
                 <span>{error}</span>
             </div>
@@ -125,7 +127,7 @@
     </div>
 {:else if configModified}
     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
-        <div class="alert shadow-lg no-animation">
+        <div class="alert shadow-lg no-animation text-wrap">
             <span>You have unsaved changes.</span>
 
             <div>

src/views/Unlock.svelte

@@ -19,7 +19,7 @@
 
     let alert;
     let passphrase = '';
-    
+
     let saving = false;
     async function unlock() {
         saving = true;
@@ -34,9 +34,14 @@
         }
 
     }
+
+    let input;
+    onMount(() => input.focus());
 </script>
 
 
+<svelte:window on:focus={input.focus} />
+
 <div class="fixed top-0 w-full p-2 text-center">
     <h1 class="text-3xl font-bold">Creddy is locked</h1>
 </div>
@@ -52,7 +57,11 @@
         <ErrorAlert bind:this="{alert}" />
 
         <!-- svelte-ignore a11y-autofocus -->
-        <PassphraseInput autofocus="true" bind:value={passphrase} placeholder="correct horse battery staple" />
+        <PassphraseInput
+            bind:this={input}
+            bind:value={passphrase}
+            placeholder="correct horse battery staple"
+        />
     </label>
 
     <button type="submit" class="btn btn-primary">

src/views/approve/CollectResponse.svelte

@@ -14,7 +14,7 @@
     // Extract executable name from full path
     const client = $appState.currentRequest.client;
     const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/);
-    const appName = m[1] || m[2];
+    const appName = m ? m[1] || m[2] : '';
 
     const dispatch = createEventDispatcher();
 
@@ -26,6 +26,12 @@
         };
         dispatch('response');
     }
+
+    const actionDescriptions = {
+        Access: 'access your',
+        Delete: 'delete your',
+        Save: 'create new',
+    };
 </script>
 
 
@@ -34,7 +40,7 @@
         <div>
             <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg>
             <span>
-                WARNING: This application is requesting your base AWS credentials. 
+                WARNING: This application is requesting your base AWS credentials.
                 These credentials are less secure than session credentials, since they don't expire automatically.
             </span>
         </div>
@@ -42,13 +48,27 @@
 {/if}
 
 <div class="space-y-1 mb-4">
-    <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
+    <h2 class="text-xl font-bold">
+        {#if $appState.currentRequest.type === 'Aws'}
+            {#if $appState.currentRequest.name}
+                {appName ? `"${appName}"` : 'An appplication'} would like to access your AWS access key "{$appState.currentRequest.name}".
+            {:else}
+                {appName ? `"${appName}"` : 'An appplication'} would like to access your default AWS access key
+            {/if}
+        {:else if $appState.currentRequest.type === 'Ssh'}
+            {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
+        {:else if $appState.currentRequest.type === 'Docker'}
+            {appName ? `"${appName}"` : 'An application'} would like to {actionDescriptions[$appState.currentRequest.action]} Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
+        {/if}
+    </h2>
 
     <div class="grid grid-cols-[auto_1fr] gap-x-3">
         <div class="text-right">Path:</div>
         <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code>
         <div class="text-right">PID:</div>
         <code>{client.pid}</code>
+        <div class="text-right">User:</div>
+        <code>{client.username ?? 'Unknown'}</code>
     </div>
 </div>
 
@@ -56,7 +76,11 @@
         <!-- Don't display the option to approve with session credentials if base was specifically requested -->
         {#if !$appState.currentRequest?.base}
             <h3 class="font-semibold">
-                Approve with session credentials
+                {#if $appState.currentRequest.type === 'Aws'}
+                    Approve with session credentials
+                {:else}
+                    Approve
+                {/if}
             </h3>
             <Link target={() => setResponse('Approved', false)} hotkey="Enter" shift={true}>
                 <button class="w-full btn btn-success">
@@ -65,20 +89,22 @@
             </Link>
         {/if}
 
-        <h3 class="font-semibold">
-            <span class="mr-2">
-                {#if $appState.currentRequest?.base}
-                    Approve
-                {:else}
-                    Approve with base credentials
-                {/if}
-            </span>
-        </h3>
-        <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
-            <button class="w-full btn btn-warning">
-                <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
-            </button>
-        </Link>
+        {#if $appState.currentRequest.type === 'Aws'}
+            <h3 class="font-semibold">
+                <span class="mr-2">
+                    {#if $appState.currentRequest?.base}
+                        Approve
+                    {:else}
+                        Approve with base credentials
+                    {/if}
+                </span>
+            </h3>
+            <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
+                <button class="w-full btn btn-warning">
+                    <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
+                </button>
+            </Link>
+        {/if}
 
         <h3 class="font-semibold">
             <span class="mr-2">Deny</span>

src/views/credentials/AwsCredential.svelte

@@ -5,21 +5,19 @@
 
     import ErrorAlert from '../../ui/ErrorAlert.svelte';
     import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
 
     export let record;
     export let defaults;
 
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-
-
     const dispatch = createEventDispatcher();
 
     let showDetails = record.isNew ? true : false;
 
-    let localName = name;
     let local = JSON.parse(JSON.stringify(record));
     $: isModified = JSON.stringify(local) !== JSON.stringify(record);
-    
+
     // explicitly subscribe to updates to `default`, so that we can update
     // our local copy even if the component hasn't been recreated
     // (sadly we can't use a reactive binding because reasons I guess)
@@ -32,38 +30,19 @@
         showDetails = false;
     }
 
-    let deleteModal;
-    function conditionalDelete() {
-        if (!record.isNew) {
-            deleteModal.showModal();
-        }
-        else {
-            deleteCredential();
-        }
-    }
 
-    async function deleteCredential() {
-        try {
-            if (!record.isNew) {
-                await invoke('delete_credential', {id: record.id});
-            }
-            dispatch('update');
-        }
-        catch (e) {
-            showDetails = true;
-            // wait for showDetails to take effect and the alert to be rendered
-            window.setTimeout(() => alert.setError(e), 0);
-        }
-    }
 </script>
 
 
-<div 
-    transition:slide|local={{duration: record.isNew ? 300 : 0}}
-    class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}"
->
+<div class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}">
     <div class="flex items-center px-6 py-4 gap-x-4">
-        <h3 class="text-lg font-bold">{record.name || ''}</h3>
+        <h3 class="text-lg font-bold">
+            {#if !record?.isNew && showDetails}
+                <input type="text" class="input input-bordered bg-transparent" bind:value={local.name}>
+            {:else}
+                {record.name || ''}
+            {/if}
+        </h3>
 
         {#if record.is_default}
             <span class="badge badge-accent">Default</span>
@@ -80,7 +59,7 @@
             <button
                 type="button"
                 class="btn btn-outline btn-error join-item"
-                on:click={conditionalDelete}
+                on:click={() => dispatch('delete', record)}
             >
                 <Icon name="trash" class="size-6" />
             </button>
@@ -129,27 +108,11 @@
                         transition:fade={{duration: 100}}
                         type="submit"
                         class="btn btn-primary"
-                        >
-                            Save
-                        </button>
+                    >
+                        Save
+                    </button>
                 {/if}
             </div>
         </form>
     {/if}
-
-    <dialog bind:this={deleteModal} class="modal">
-        <div class="modal-box">
-            <h3 class="text-lg font-bold">Delete AWS credential "{record.name}"?</h3>
-            <div class="modal-action">
-                <form method="dialog" class="flex gap-x-4">
-                    <button class="btn btn-outline">Cancel</button>
-                    <button 
-                        autofocus
-                        class="btn btn-error"
-                        on:click={deleteCredential}
-                    >Delete</button>
-                </form>
-            </div>
-        </div>
-    </dialog>
 </div>

src/views/credentials/ConfirmDelete.svelte

@@ -0,0 +1,65 @@
+<script>
+    import { invoke } from '@tauri-apps/api/core';
+    import { createEventDispatcher } from 'svelte';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+
+    let record;
+    let modal;
+    let alert;
+
+    const dispatch = createEventDispatcher();
+
+    export function confirm(r) {
+        record = r;
+        modal.showModal();
+    }
+
+    async function deleteCredential() {
+        await invoke('delete_credential', {id: record.id})
+        // closing the modal is dependent on the previous step succeeding
+        modal.close();
+        dispatch('confirm');
+    }
+
+    function credentialDescription(record) {
+        if (record.credential.type === 'AwsBase') {
+            return 'AWS credential';
+        }
+        else if (record.credential.type === 'Ssh') {
+            return 'SSH key';
+        }
+        else {
+            return `${record.credential.type} credential`;
+        }
+    }
+</script>
+
+<dialog bind:this={modal} class="modal">
+    <div class="modal-box space-y-6">
+        <ErrorAlert bind:this={alert} />
+        <h3 class="text-lg font-bold">
+            {#if record}
+                Delete {credentialDescription(record)} "{record.name}"?
+            {/if}
+        </h3>
+        <div class="modal-action">
+            <form method="dialog" class="flex gap-x-4">
+                <button
+                    class="btn btn-outline"
+                    on:click={() => alert.setError(null)}
+                >
+                    Cancel
+                </button>
+
+                <button
+                    autofocus
+                    class="btn btn-error"
+                    on:click|preventDefault={() => alert.run(deleteCredential)}
+                >
+                    Delete
+                </button>
+            </form>
+        </div>
+    </div>
+</dialog>

src/views/credentials/DockerCredential.svelte

@@ -0,0 +1,112 @@
+<script>
+
+    import { createEventDispatcher } from 'svelte';
+    import { fade, slide } from 'svelte/transition';
+    import { invoke } from '@tauri-apps/api/core';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+    import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
+
+    export let record;
+
+    let local = JSON.parse(JSON.stringify(record));
+    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
+    let showDetails = record?.isNew;
+
+    let alert;
+    const dispatch = createEventDispatcher();
+    async function saveCredential() {
+        await invoke('save_credential', {record: local});
+        dispatch('save', local);
+        showDetails = false;
+    }
+</script>
+
+<div class="rounded-box space-y-4 bg-base-200">
+    <div class="flex items-center px-6 py-4 gap-x-4">
+        {#if !record.isNew}
+            {#if showDetails}
+                <input
+                    type="text"
+                    class="input input-bordered bg-transparent text-lg font-bold grow"
+                    bind:value={local.name}
+                >
+            {:else}
+                <h3 class="text-lg font-bold break-all">
+                    {record.name}
+                </h3>
+            {/if}
+        {/if}
+
+        <div class="join ml-auto">
+            <button
+                type="button"
+                class="btn btn-outline join-item"
+                on:click={() => showDetails = !showDetails}
+            >
+                <Icon name="pencil" class="size-6" />
+            </button>
+            <button
+                type="button"
+                class="btn btn-outline btn-error join-item"
+                on:click={() => dispatch('delete', record)}
+            >
+                <Icon name="trash" class="size-6" />
+            </button>
+        </div>
+    </div>
+
+    {#if showDetails}
+        <form
+            transition:slide|local={{duration: 200}}
+            class=" px-6 pb-4 space-y-4"
+            on:submit|preventDefault={() => alert.run(saveCredential)}
+        >
+            <ErrorAlert bind:this={alert} />
+
+            <div class="grid grid-cols-[auto_1fr] items-center gap-4">
+                {#if record.isNew}
+                    <span class="justify-self-end">Name</span>
+                    <input
+                        type="text"
+                        class="input input-bordered bg-transparent"
+                        bind:value={local.name}
+                    >
+                {/if}
+
+                <span class="justify-self-end">Server URL</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.ServerURL}
+                >
+
+                <span class="justify-self-end">Username</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.Username}
+                >
+
+                <span>Password</span>
+                <div class="font-mono">
+                    <PassphraseInput class="bg-transparent" bind:value={local.credential.Secret} />
+                </div>
+            </div>
+
+            <div class="flex justify-end">
+                {#if isModified}
+                    <button
+                        transition:fade={{duration: 100}}
+                        type="submit"
+                        class="btn btn-primary"
+                    >
+                        Save
+                    </button>
+                {/if}
+            </div>
+        </form>
+    {/if}
+</div>

src/views/credentials/EditSshKey.svelte

@@ -0,0 +1,84 @@
+<script>
+    import { invoke } from '@tauri-apps/api/core';
+    import { createEventDispatcher } from 'svelte';
+    import { fade } from 'svelte/transition';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+
+
+    export let local;
+    export let isModified;
+
+    const dispatch = createEventDispatcher();
+    let alert;
+
+    async function saveCredential() {
+        await invoke('save_credential', {record: local});
+        dispatch('save', local);
+    }
+
+    async function copyText(evt) {
+        const tooltip = event.currentTarget;
+        await navigator.clipboard.writeText(tooltip.dataset.copyText);
+        const prevText = tooltip.dataset.tip;
+        tooltip.dataset.tip = 'Copied!';
+        window.setTimeout(() => tooltip.dataset.tip = prevText, 2000);
+    }
+</script>
+
+
+<style>
+    .grid {
+        grid-template-columns: auto minmax(0, 1fr);
+    }
+</style>
+
+
+<form class="space-y-4" on:submit|preventDefault={() => alert.run(saveCredential)}>
+    <ErrorAlert bind:this={alert} />
+
+    <div class="grid items-baseline gap-4">
+        <span class="justify-self-end">Comment</span>
+        <input
+            type="text"
+            class="input input-bordered bg-transparent"
+            bind:value={local.credential.comment}
+        >
+
+        <span class="justify-self-end">Public key</span>
+        <div
+            class="tooltip tooltip-right"
+            data-tip="Click to copy"
+            data-copy-text={local.credential.public_key}
+            on:click={copyText}
+        >
+            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono break-all">
+                {local.credential.public_key}
+            </div>
+        </div>
+
+        <span class="justify-self-end">Private key</span>
+        <div
+            class="tooltip tooltip-right"
+            data-tip="Click to copy"
+            data-copy-text={local.credential.private_key}
+            on:click={copyText}
+        >
+            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto">
+                {local.credential.private_key}
+            </div>
+        </div>
+    </div>
+
+    <div class="flex justify-end">
+        {#if isModified}
+            <button
+                transition:fade={{duration: 100}}
+                type="submit"
+                class="btn btn-primary"
+            >
+                Save
+            </button>
+        {/if}
+    </div>
+</form>

src/views/credentials/NewSshKey.svelte

@@ -0,0 +1,119 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import { invoke } from '@tauri-apps/api/core';
+    import { homeDir } from '@tauri-apps/api/path';
+    import { fade } from 'svelte/transition';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+    import FileInput from '../../ui/FileInput.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+    import Spinner from '../../ui/Spinner.svelte';
+
+    export let record;
+
+    let name;
+    let file;
+    let privateKey = '';
+    let passphrase = '';
+    let showDetails = true;
+    let mode = 'file';
+
+    const dispatch = createEventDispatcher();
+
+    let defaultPath = null;
+    homeDir().then(d => defaultPath = `${d}/.ssh`);
+
+
+    let alert;
+    let saving = false;
+    async function saveCredential() {
+        saving = true;
+        try {
+            let key = await getKey();
+            const payload = {
+                id: record.id,
+                name,
+                is_default: false, // ssh keys don't care about defaults
+                credential: {type: 'Ssh', ...key},
+            };
+            await invoke('save_credential', {record: payload});
+            dispatch('save', payload);
+        }
+        finally {
+            saving = false;
+        }
+    }
+
+    async function getKey() {
+        if (mode === 'file') {
+            return await invoke('sshkey_from_file', {path: file.path, passphrase});
+        }
+        else {
+            return await invoke('sshkey_from_private_key', {privateKey, passphrase});
+        }
+    }
+
+</script>
+
+
+<div role="tablist" class="join max-w-sm mx-auto flex justify-center">
+        <button
+            type="button"
+            role="tab"
+            class="join-item flex-1 btn border border-primary hover:border-primary"
+            class:btn-primary={mode === 'file'}
+            on:click={() => mode = 'file'}
+        >
+            From file
+        </button>
+        <button
+            type="button"
+            role="tab"
+            class="join-item flex-1 btn border border-primary hover:border-primary"
+            class:btn-primary={mode === 'direct'}
+            on:click={() => mode = 'direct'}
+        >
+            From private key
+        </button>
+</div>
+
+
+<form class="space-y-4" on:submit|preventDefault={alert.run(saveCredential)}>
+    <ErrorAlert bind:this={alert} />
+
+    <div class="grid grid-cols-[auto_1fr] items-center gap-4">
+        <span class="justify-self-end">Name</span>
+        <input
+            type="text"
+            class="input input-bordered bg-transparent"
+            bind:value={name}
+        >
+
+        {#if mode === 'file'}
+            <span class="justify-self-end">File</span>
+            <FileInput params={{defaultPath}} bind:value={file} on:update={() => name = file.name} />
+        {:else}
+            <span class="justify-self-end">Private key</span>
+            <textarea bind:value={privateKey} rows="5" class="textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto"></textarea>
+        {/if}
+
+        <span class="justify-self-end">Passphrase</span>
+        <PassphraseInput class="bg-transparent" bind:value={passphrase} />
+    </div>
+
+    <div class="flex justify-end">
+        {#if file?.path || privateKey !== ''}
+            <button
+                transition:fade={{duration: 100}}
+                type="submit"
+                class="btn btn-primary"
+            >
+                {#if saving}
+                    <Spinner class="size-5 min-w-16" thickness="12" />
+                {:else}
+                    <span class="min-w-16">Save</span>
+                {/if}
+            </button>
+        {/if}
+    </div>
+</form>

src/views/credentials/SshKey.svelte

@@ -0,0 +1,71 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import { slide } from 'svelte/transition';
+
+    import NewSshKey from './NewSshKey.svelte';
+    import EditSshKey from './EditSshKey.svelte';
+    import Icon from '../../ui/Icon.svelte';
+
+    export let record;
+
+    const dispatch = createEventDispatcher();
+
+    function copy(obj) {
+        return JSON.parse(JSON.stringify(obj));
+    }
+
+    let local = copy(record);
+    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
+    let showDetails = record?.isNew;
+
+    function handleSave(evt) {
+        local = copy(evt.detail);
+        showDetails = false;
+    }
+</script>
+
+
+<div class="rounded-box space-y-4 bg-base-200">
+    <div class="flex items-center px-6 py-4 gap-x-4">
+        {#if !record.isNew}
+            {#if showDetails}
+                <input 
+                    type="text"
+                    class="input input-bordered bg-transparent text-lg font-bold"
+                    bind:value={local.name}
+                >
+            {:else}
+                <h3 class="text-lg font-bold">
+                    {record.name}
+                </h3>
+            {/if}
+        {/if}
+
+        <div class="join ml-auto">
+            <button
+                type="button"
+                class="btn btn-outline join-item"
+                on:click={() => showDetails = !showDetails}
+            >
+                <Icon name="pencil" class="size-6" />
+            </button>
+            <button
+                type="button"
+                class="btn btn-outline btn-error join-item"
+                on:click={() => dispatch('delete', record)}
+            >
+                <Icon name="trash" class="size-6" />
+            </button>
+        </div>
+    </div>
+
+    {#if record && showDetails}
+        <div transition:slide|local={{duration: 200}} class="px-6 pb-4 space-y-4">
+            {#if record.isNew}
+                <NewSshKey {record} on:save on:save={handleSave} />
+            {:else}
+                <EditSshKey bind:local={local} {isModified} on:save={handleSave} on:save />
+            {/if}
+        </div>
+    {/if}
+</div>

src/views/passphrase/EnterPassphrase.svelte

@@ -14,6 +14,7 @@
 
     const dispatch = createEventDispatcher();
 
+    let showPassphrase = false;
     let alert;
     let saving = false;
     let passphrase = '';
@@ -52,7 +53,6 @@
         try {
             await alert.run(async () => {
                 await invoke('set_passphrase', {passphrase})
-                throw('something bad happened');
                 $appState.sessionStatus = 'unlocked';
                 dispatch('save');
             });
@@ -73,6 +73,7 @@
         </div>
         <PassphraseInput
             bind:value={passphrase}
+            bind:show={showPassphrase}
             on:input={onInput}
             placeholder="correct horse battery staple"
         />
@@ -84,6 +85,7 @@
         </div>
         <PassphraseInput
             bind:value={confirmPassphrase}
+            bind:show={showPassphrase}
             on:input={onInput} on:change={onChange}
             placeholder="correct horse battery staple"
         />

tailwind.config.js

@@ -17,7 +17,7 @@ module.exports = {
           "primary": "#0ea5e9",
           "secondary": "#fb923c",
           "accent": "#8b5cf6",
-          "neutral": "#2f292c",
+          "neutral": "#374151",
           "base-100": "#252e3a",
           "info": "#66cccc",
           "success": "#52bf73",