doc/todo.md

@@ -11,8 +11,7 @@
 * Logging
 * Icon
 * Auto-updates
-* ~~SSH key handling~~
-* ~~Docker credential helper~~
+* SSH key handling
 * Encrypted sync server
 
 ## Maybe

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "creddy",
-  "version": "0.6.4",
+  "version": "0.4.9",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "creddy",
-      "version": "0.6.4",
+      "version": "0.4.9",
       "dependencies": {
         "@tauri-apps/api": "^2.0.0-beta.13",
         "@tauri-apps/plugin-dialog": "^2.0.0-beta.5",
@@ -15,7 +15,7 @@
       },
       "devDependencies": {
         "@sveltejs/vite-plugin-svelte": "^1.0.1",
-        "@tauri-apps/cli": "^2.2.1",
+        "@tauri-apps/cli": "^2.0.0-beta.20",
         "autoprefixer": "^10.4.8",
         "postcss": "^8.4.16",
         "svelte": "^3.49.0",
@@ -213,9 +213,9 @@
       }
     },
     "node_modules/@tauri-apps/cli": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli/-/cli-2.2.1.tgz",
-      "integrity": "sha512-oLWX/2tW0v8cBaShI9/bt5RsquCLK7ZCwhPXXnf55oil8/GrNtLzW9/67iyydcnxiYYU5jYMpo3uXptknOSdpA==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli/-/cli-2.0.0-beta.20.tgz",
+      "integrity": "sha512-707q9uIc2oNrYHd2dtMvxTrpZXVpart5EIktnRymNOpphkLlB6WUBjHD+ga45WqTU6cNGKbYvkKqTNfshNul9Q==",
       "dev": true,
       "bin": {
         "tauri": "tauri.js"
@@ -228,22 +228,22 @@
         "url": "https://opencollective.com/tauri"
       },
       "optionalDependencies": {
-        "@tauri-apps/cli-darwin-arm64": "2.2.1",
-        "@tauri-apps/cli-darwin-x64": "2.2.1",
-        "@tauri-apps/cli-linux-arm-gnueabihf": "2.2.1",
-        "@tauri-apps/cli-linux-arm64-gnu": "2.2.1",
-        "@tauri-apps/cli-linux-arm64-musl": "2.2.1",
-        "@tauri-apps/cli-linux-x64-gnu": "2.2.1",
-        "@tauri-apps/cli-linux-x64-musl": "2.2.1",
-        "@tauri-apps/cli-win32-arm64-msvc": "2.2.1",
-        "@tauri-apps/cli-win32-ia32-msvc": "2.2.1",
-        "@tauri-apps/cli-win32-x64-msvc": "2.2.1"
+        "@tauri-apps/cli-darwin-arm64": "2.0.0-beta.20",
+        "@tauri-apps/cli-darwin-x64": "2.0.0-beta.20",
+        "@tauri-apps/cli-linux-arm-gnueabihf": "2.0.0-beta.20",
+        "@tauri-apps/cli-linux-arm64-gnu": "2.0.0-beta.20",
+        "@tauri-apps/cli-linux-arm64-musl": "2.0.0-beta.20",
+        "@tauri-apps/cli-linux-x64-gnu": "2.0.0-beta.20",
+        "@tauri-apps/cli-linux-x64-musl": "2.0.0-beta.20",
+        "@tauri-apps/cli-win32-arm64-msvc": "2.0.0-beta.20",
+        "@tauri-apps/cli-win32-ia32-msvc": "2.0.0-beta.20",
+        "@tauri-apps/cli-win32-x64-msvc": "2.0.0-beta.20"
       }
     },
     "node_modules/@tauri-apps/cli-darwin-arm64": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-arm64/-/cli-darwin-arm64-2.2.1.tgz",
-      "integrity": "sha512-658OPWObcEA7x/Pe/fAXfyJtC5SdcpD2Q9ZSVKoLBovPzfU6Ug2mCaQmH1L5iA7Zb7a26ctzkaz3Sh3dMeGcJw==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-arm64/-/cli-darwin-arm64-2.0.0-beta.20.tgz",
+      "integrity": "sha512-oCJOCib7GuYkwkBXx+ekamR8NZZU+2i3MLP+DHpDxK5gS2uhCE+CBkamJkNt6y1x6xdVnwyqZOm5RvN4SRtyIA==",
       "cpu": [
         "arm64"
       ],
@@ -257,9 +257,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-darwin-x64": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-x64/-/cli-darwin-x64-2.2.1.tgz",
-      "integrity": "sha512-3g11km4caJa6StvETI5GIynniNC/e9AWpUy+lWQRfQBdelRrEGoEDw949SihxqKHAoP2E9cm7z5DUsiRiT/Yaw==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-darwin-x64/-/cli-darwin-x64-2.0.0-beta.20.tgz",
+      "integrity": "sha512-lC5QSnRExedYN4Ds6ZlSvC2PxP8qfIYBJQ5ktf+PJI5gQALdNeVtd6YnTG1ODCEklfLq9WKkGwp7JdALTU5wDA==",
       "cpu": [
         "x64"
       ],
@@ -273,9 +273,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm-gnueabihf": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm-gnueabihf/-/cli-linux-arm-gnueabihf-2.2.1.tgz",
-      "integrity": "sha512-Ldbw3Y56TAfpsGRuWJnkdl0TV0NHhtP3bGyjh2lJACofkHMCOtsLHOx4/HP2hFnn7DcSLWHUayyPlj2rAikKkA==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm-gnueabihf/-/cli-linux-arm-gnueabihf-2.0.0-beta.20.tgz",
+      "integrity": "sha512-nZCeBMHHye5DLOJV5k2w658hnCS+LYaOZ8y/G9l3ei+g0L/HBjlSy6r4simsAT5TG8+l3oCZzLBngfTMdDS/YA==",
       "cpu": [
         "arm"
       ],
@@ -289,9 +289,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm64-gnu": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-2.2.1.tgz",
-      "integrity": "sha512-ay3NwilDR95RyvK/AIdivuULcbpGgrUISNLDOfTKEvKMMnRWkMV4gzY3hifQ8H7CDonGhqMl2PjP+WvDQpXUig==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-2.0.0-beta.20.tgz",
+      "integrity": "sha512-B79ISVLPVBgwnCchVqwTKU+vxnFYqxKomcR4rmsvxfs0NVtT5QuNzE1k4NUQnw3966yjwhYR3mnHsSJQSB4Eyw==",
       "cpu": [
         "arm64"
       ],
@@ -305,9 +305,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-arm64-musl": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.2.1.tgz",
-      "integrity": "sha512-d2zK4Qb9DZlNjNB8Fda0yxOlg6sk6GZGhO5dVnie5VYJMt4lDct2LZljg4boUb5t1pk6sfAPB9356G7R8l4qCQ==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.0.0-beta.20.tgz",
+      "integrity": "sha512-ojIkv/1uZHhcrgfIN8xgn4BBeo/Xg+bnV0wer6lD78zyxkUMWeEZ+u3mae1ejCJNhhaZOxNaUQ67MvDOiGyr5Q==",
       "cpu": [
         "arm64"
       ],
@@ -321,9 +321,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-x64-gnu": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-gnu/-/cli-linux-x64-gnu-2.2.1.tgz",
-      "integrity": "sha512-P0Zm3nmRbBS/KIxSrzul2ieZEwtTdU4bjsB9pOIk+oPF15HXnrLLbVBeMofNjXOWsIxTJw2tIt/XPD8Jt9jSEg==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-gnu/-/cli-linux-x64-gnu-2.0.0-beta.20.tgz",
+      "integrity": "sha512-xBy1FNbHKlc7T6pOmFQQPECxJaI5A9QWX7Kb9N64cNVusoOGlvc3xHYkXMS4PTr7xXOT0yiE1Ww2OwDRJ3lYsg==",
       "cpu": [
         "x64"
       ],
@@ -337,9 +337,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-linux-x64-musl": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-musl/-/cli-linux-x64-musl-2.2.1.tgz",
-      "integrity": "sha512-AwYuKTpPGdR0BJMDdJsjGm8vfVDBpXYRDJ+1B/FlIMTikAx4A/wSODxphjf6Ls9uOC5F3To0XlfqskBkTq0WKw==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-linux-x64-musl/-/cli-linux-x64-musl-2.0.0-beta.20.tgz",
+      "integrity": "sha512-+O6zq5jmtUxA1FUAAwF2ywPysy4NRo2Y6G+ESZDkY9XosRwdt5OUjqAsYktZA3AxDMZVei8r9buwTqUwi9ny/g==",
       "cpu": [
         "x64"
       ],
@@ -353,9 +353,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-arm64-msvc": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-2.2.1.tgz",
-      "integrity": "sha512-t1Pv+Og5O+Cp0uYHFzSWEl+hssr1bKJjgWg05ElTpwYMb4xKA5bh1BTGN5orGqKs0e2+D+EPsOqVfM8KuUWR4Q==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-2.0.0-beta.20.tgz",
+      "integrity": "sha512-RswgMbWyOQcv53CHvIuiuhAh4kKDqaGyZfWD4VlxqX/XhkoF5gsNgr0MxzrY7pmoL+89oVI+fiGVJz4nOQE5vA==",
       "cpu": [
         "arm64"
       ],
@@ -369,9 +369,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-ia32-msvc": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-2.2.1.tgz",
-      "integrity": "sha512-erY+Spho6hBJgNzHKbA3JFxMztlHAikCiF/OYhk9fy6MbU5KpYHPrAC+Jhj2tcDy/xevWw/6KVNvLmk9PhLcXQ==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-2.0.0-beta.20.tgz",
+      "integrity": "sha512-5lgWmDVXhX3SBGbiv5SduM1yajiRnUEJClWhSdRrEEJeXdsxpCsBEhxYnUnDCEzPKxLLn5fdBv3VrVctJ03csQ==",
       "cpu": [
         "ia32"
       ],
@@ -385,9 +385,9 @@
       }
     },
     "node_modules/@tauri-apps/cli-win32-x64-msvc": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-x64-msvc/-/cli-win32-x64-msvc-2.2.1.tgz",
-      "integrity": "sha512-GIdUtdje1CvCn0/Sh3VwPWaFKmD1C0edJUMueGwkRFHmF6HfatXPVhW5FySP+EEO2+rVym1qJkODstJrunraWA==",
+      "version": "2.0.0-beta.20",
+      "resolved": "https://registry.npmjs.org/@tauri-apps/cli-win32-x64-msvc/-/cli-win32-x64-msvc-2.0.0-beta.20.tgz",
+      "integrity": "sha512-SuSiiVQTQPSzWlsxQp/NMzWbzDS9TdVDOw7CCfgiG5wnT2GsxzrcIAVN6i7ILsVFLxrjr0bIgPldSJcdcH84Yw==",
       "cpu": [
         "x64"
       ],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.6.5",
+  "version": "0.4.9",
   "scripts": {
     "dev": "vite",
     "build": "vite build",
@@ -9,7 +9,7 @@
   },
   "devDependencies": {
     "@sveltejs/vite-plugin-svelte": "^1.0.1",
-    "@tauri-apps/cli": "^2.2.1",
+    "@tauri-apps/cli": "^2.0.0-beta.20",
     "autoprefixer": "^10.4.8",
     "postcss": "^8.4.16",
     "svelte": "^3.49.0",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.6.5"
+version = "0.4.9"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""
@@ -9,67 +9,51 @@ default-run = "creddy"
 edition = "2021"
 rust-version = "1.57"
 
+[[bin]]
+name = "creddy_cli"
+path = "src/bin/creddy_cli.rs"
+
 [[bin]]
 name = "creddy"
 path = "src/main.rs"
 
-# we use a workspace so that we can split out the CLI and make it possible to build independently
-[workspace]
-members = ["creddy_cli"]
-
-[workspace.dependencies]
-dirs = "5.0"
-serde = { version = "1.0", features = ["derive"] }
-serde_json = "1.0"
-tokio = { version = ">=1.19", features = ["full"] }
-windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
-
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [build-dependencies]
-tauri-build = { version = "2.0.4", features = [] }
+tauri-build = { version = "2.0.0-beta", features = [] }
 
 [dependencies]
-creddy_cli = { path = "./creddy_cli" }
-tauri = { version = "2.2.0", features = ["tray-icon", "test"] }
+serde_json = "1.0"
+serde = { version = "1.0", features = ["derive"] }
+tauri = { version = "2.0.0-beta", features = ["tray-icon"] }
 sodiumoxide = "0.2.7"
+tokio = { version = ">=1.19", features = ["full"] }
 sysinfo = "0.26.8"
 aws-config = "1.5.3"
 aws-types = "1.3.2"
 aws-sdk-sts = "1.33.0"
 aws-smithy-types = "1.2.0"
-dirs = { workspace = true }
 thiserror = "1.0.38"
 once_cell = "1.16.0"
 strum = "0.24"
 strum_macros = "0.24"
 auto-launch = "0.4.0"
+dirs = "5.0"
+clap = { version = "3.2.23", features = ["derive"] }
 is-terminal = "0.4.7"
 argon2 = { version = "0.5.0", features = ["std"] }
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 which = "4.4.0"
+windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
 time = "0.3.31"
-tauri-plugin-global-shortcut = "2.2.0"
-tauri-plugin-os = "2.2.0"
-tauri-plugin-dialog = "2.2.0"
-rfd = "0.13.0"
+tauri-plugin-single-instance = "2.0.0-beta.9"
+tauri-plugin-global-shortcut = "2.0.0-beta.6"
+rfd = "0.14.1"
 ssh-agent-lib = "0.4.0"
 ssh-key = { version = "0.6.6", features = ["rsa", "ed25519", "encryption"] }
 signature = "2.2.0"
 tokio-stream = "0.1.15"
-serde = { workspace = true }
-serde_json = { workspace = true }
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "uuid"] }
-tokio = { workspace = true }
-tokio-util = { version = "0.7.11", features = ["codec"] }
-futures = "0.3.30"
-# openssl = { version = "0.10.64", features = ["vendored"] }
-rsa = "0.9.6"
-sha2 = "0.10.8"
-ssh-encoding = "0.2.0"
-
-[target.'cfg(windows)'.dependencies]
-windows = { workspace = true }
 
 [features]
 # by default Tauri runs in production mode

src-tauri/capabilities/migrated.json

@@ -6,14 +6,12 @@
     "main"
   ],
   "permissions": [
-    "core:path:default",
-    "core:event:default",
-    "core:window:default",
-    "core:app:default",
-    "core:resources:default",
-    "core:menu:default",
-    "core:tray:default",
-    "os:allow-os-type",
-    "dialog:allow-open"
+    "path:default",
+    "event:default",
+    "window:default",
+    "app:default",
+    "resources:default",
+    "menu:default",
+    "tray:default"
   ]
 }

src-tauri/creddy_cli/Cargo.toml

@@ -1,15 +0,0 @@
-[package]
-name = "creddy_cli"
-version = "0.6.5"
-edition = "2021"
-
-[dependencies]
-anyhow = "1.0.86"
-clap = { version = "4", features = ["derive"] }
-dirs = { workspace = true }
-serde = { workspace = true }
-serde_json = { workspace = true }
-tokio = { workspace = true }
-
-[target.'cfg(windows)'.dependencies]
-windows = { workspace = true }

src-tauri/creddy_cli/src/cli/docker.rs

@@ -1,62 +0,0 @@
-use std::io::{self, Read};
-
-use anyhow::bail;
-
-use crate::proto::{CliResponse, DockerCredential};
-use super::{
-    CliCredential,
-    CliRequest,
-    GlobalArgs
-};
-
-
-pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
-    let input: DockerCredential = serde_json::from_reader(io::stdin())?;
-
-    let req = CliRequest::StoreDockerCredential(input);
-
-    match super::make_request(global_args.server_addr, &req)?? {
-        CliResponse::Empty => Ok(()),
-        r => bail!("Unexpected response from server: {r}"),
-    }
-}
-
-
-pub fn docker_get(global_args: GlobalArgs) -> anyhow::Result<()> {
-    let mut server_url = String::new();
-    io::stdin().read_to_string(&mut server_url)?;
-    let req = CliRequest::GetDockerCredential {
-       server_url: server_url.trim().to_owned()
-    };
-
-    let server_resp = super::make_request(global_args.server_addr, &req)?;
-    match server_resp {
-        Ok(CliResponse::Credential(CliCredential::Docker(d))) => {
-            println!("{}", serde_json::to_string(&d)?);
-        },
-        Err(e) if e.code == "NoCredentials" => {
-            // To indicate credentials are not found, a credential helper *must* print
-            // this message to stdout, then exit 1. Any other message/status will cause
-            // some builds to fail. This is, of course, not documented anywhere.
-            println!("credentials not found in native keychain");
-            std::process::exit(1);
-        },
-        Err(e) => Err(e)?,
-        Ok(r) => bail!("Unexpected response from server: {r}"),
-    }
-    Ok(())
-}
-
-
-pub fn docker_erase(global_args: GlobalArgs) -> anyhow::Result<()> {
-    let mut server_url = String::new();
-    io::stdin().read_to_string(&mut server_url)?;
-    let req = CliRequest::EraseDockerCredential {
-        server_url: server_url.trim().to_owned()
-    };
-
-    match super::make_request(global_args.server_addr, &req)?? {
-        CliResponse::Empty => Ok(()),
-        r => bail!("Unexpected response from server: {r}"),
-    }
-}

src-tauri/creddy_cli/src/cli/mod.rs

@@ -1,233 +0,0 @@
-use std::path::PathBuf;
-use std::process::Command as ChildCommand;
-#[cfg(unix)]
-use std::os::unix::process::CommandExt;
-
-use anyhow::{bail, Context};
-use clap::{
-    Args,
-    Parser,
-    Subcommand
-};
-use clap::builder::styling::{Styles, AnsiColor};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use crate::proto::{
-    CliCredential,
-    CliRequest,
-    CliResponse,
-    ServerError,
-    ShortcutAction,
-};
-
-mod docker;
-
-
-#[derive(Debug, Parser)]
-#[command(
-    about,
-    version,
-    name = "creddy",
-    bin_name = "creddy",
-    styles = Styles::styled()
-        .header(AnsiColor::Yellow.on_default())
-        .usage(AnsiColor::Yellow.on_default())
-        .literal(AnsiColor::Green.on_default())
-        .placeholder(AnsiColor::Green.on_default())
-)]
-/// A friendly credential manager
-pub struct Cli {
-    #[command(flatten)]
-    pub global_args: GlobalArgs,
-
-    #[command(subcommand)]
-    pub action: Option<Action>,
-}
-
-impl Cli {
-    // proxy the Parser method so that main crate doesn't have to depend on Clap
-    pub fn parse() -> Self {
-        <Self as Parser>::parse()
-    }
-}
-
-
-#[derive(Debug, Clone, Args)]
-pub struct GlobalArgs {
-    /// Connect to the main Creddy application at this path
-    #[arg(long, short = 'a')]
-    server_addr: Option<PathBuf>,
-}
-
-
-#[derive(Debug, Subcommand)]
-pub enum Action {
-    /// Launch Creddy
-    Run(RunArgs),
-    /// Request credentials from Creddy and output to stdout
-    Get(GetArgs),
-    /// Inject credentials into the environment of another command
-    Exec(ExecArgs),
-    /// Invoke an action normally triggered by hotkey (e.g. launch terminal)
-    Shortcut(InvokeArgs),
-    /// Interact with Docker credentials via the docker-credential-helper protocol
-    #[command(subcommand)]
-    Docker(DockerCmd),
-}
-
-
-#[derive(Debug, Args)]
-pub struct RunArgs {
-    /// Minimize to system tray on launch
-    #[arg(long, default_value_t = false)]
-    pub minimized: bool,
-}
-
-
-#[derive(Debug, Args)]
-pub struct GetArgs {
-    /// If unspecified, use default credentials
-    #[arg(short, long)]
-    name: Option<String>,
-    /// Use base credentials instead of session credentials (only applicable to AWS)
-    #[arg(long, short, default_value_t = false)]
-    base: bool,
-}
-
-
-#[derive(Debug, Args)]
-pub struct ExecArgs {
-    #[command(flatten)]
-    get_args: GetArgs,
-    #[arg(trailing_var_arg = true)]
-    /// Command to be wrapped
-    command: Vec<String>,
-}
-
-
-#[derive(Debug, Args)]
-pub struct InvokeArgs {
-    #[arg(value_name = "ACTION", value_enum)]
-    pub shortcut_action: ShortcutAction,
-}
-
-
-#[derive(Debug, Subcommand)]
-pub enum DockerCmd {
-    /// Get a stored Docker credential
-    Get,
-    /// Store a new Docker credential
-    Store,
-    /// Remove a stored Docker credential
-    Erase,
-}
-
-
-pub fn get(args: GetArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::GetAwsCredential {
-        name: args.name,
-        base: args.base,
-    };
-
-    let output = match make_request(global.server_addr, &req)?? {
-        CliResponse::Credential(CliCredential::AwsBase(c)) => {
-            serde_json::to_string_pretty(&c).unwrap()
-        },
-        CliResponse::Credential(CliCredential::AwsSession(c)) => {
-            serde_json::to_string_pretty(&c).unwrap()
-        },
-        r => bail!("Unexpected response from server: {r}"),
-    };
-    println!("{output}");
-    Ok(())
-}
-
-
-pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    // Clap guarantees that cmd_line will be a sequence of at least 1 item
-    // test this!
-    let mut cmd_line = args.command.iter();
-    let cmd_name = cmd_line.next().unwrap();
-    let mut cmd = ChildCommand::new(cmd_name);
-    cmd.args(cmd_line);
-
-    let req = CliRequest::GetAwsCredential {
-        name: args.get_args.name,
-        base: args.get_args.base,
-    };
-
-    match make_request(global.server_addr, &req)?? {
-        CliResponse::Credential(CliCredential::AwsBase(creds)) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-        },
-        CliResponse::Credential(CliCredential::AwsSession(creds)) => {
-            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
-            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
-            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
-        },
-        r => bail!("Unexpected response from server: {r}"),
-    }
-
-    #[cfg(unix)]
-    {
-        let e = cmd.exec();
-        // cmd.exec() never returns if successful, so we never hit this line unless there's an error
-        Err(e).with_context(|| {
-            // eventually figure out how to display the actual command
-            format!("Failed to execute command: {}", args.command.join(" "))
-        })?;
-        Ok(())
-    }
-
-    #[cfg(windows)]
-    {
-        let mut child = cmd.spawn()
-            .with_context(|| format!("Failed to execute command: {}", args.command.join(" ")))?;
-        let status = child.wait()
-            .with_context(|| format!("Failed to execute command: {}", args.command.join(" ")))?;
-        std::process::exit(status.code().unwrap_or(1));
-    };
-}
-
-
-pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::InvokeShortcut{action: args.shortcut_action};
-    match make_request(global.server_addr, &req)?? {
-        CliResponse::Empty => Ok(()),
-        r => bail!("Unexpected response from server: {r}"),
-    }
-}
-
-
-pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyhow::Result<()> {
-    match cmd {
-        DockerCmd::Get => docker::docker_get(global_args),
-        DockerCmd::Store => docker::docker_store(global_args),
-        DockerCmd::Erase => docker::docker_erase(global_args),
-    }
-}
-
-
-// Explanation for double-result: the server will return a (serialized) Result
-// to indicate when the operation succeeded or failed, which we deserialize.
-// However, the operation may fail to even communicate with the server, in
-// which case we return the outer Result
-// (probably this should be modeled differently)
-#[tokio::main]
-async fn make_request(
-    addr: Option<PathBuf>,
-    req: &CliRequest
-) -> anyhow::Result<Result<CliResponse, ServerError>> {
-    let mut data = serde_json::to_string(req).unwrap();
-    // server expects newline marking end of request
-    data.push('\n');
-
-    let mut stream = crate::connect(addr).await?;
-    stream.write_all(&data.as_bytes()).await?;
-
-    let mut buf = Vec::with_capacity(1024);
-    stream.read_to_end(&mut buf).await?;
-    let res: Result<CliResponse, ServerError> = serde_json::from_slice(&buf)?;
-    Ok(res)
-}

src-tauri/creddy_cli/src/lib.rs

@@ -1,77 +0,0 @@
-mod cli;
-pub use cli::{
-    Action,
-    Cli,
-    docker_credential_helper,
-    exec,
-    get,
-    GlobalArgs,
-    RunArgs,
-    invoke_shortcut,
-};
-
-pub use platform::{connect, server_addr};
-
-pub mod proto;
-
-
-pub fn show_window(global_args: GlobalArgs) -> anyhow::Result<()> {
-    let invoke = cli::InvokeArgs { shortcut_action: proto::ShortcutAction::ShowWindow };
-    cli::invoke_shortcut(invoke, global_args)
-}
-
-
-#[cfg(unix)]
-mod platform {
-    use std::path::PathBuf;
-    use tokio::net::UnixStream;
-
-    pub async fn connect(addr: Option<PathBuf>) -> Result<UnixStream, std::io::Error> {
-        let path = addr.unwrap_or_else(|| server_addr("creddy-server"));
-        UnixStream::connect(&path).await
-    }
-
-    pub fn server_addr(sock_name: &str) -> PathBuf {
-        let mut path = dirs::runtime_dir()
-            .unwrap_or_else(|| PathBuf::from("/tmp"));
-        if cfg!(debug_assertions) {
-            path.push(format!("{sock_name}.dev.sock"))
-        }
-        else {
-            path.push(format!("{sock_name}.sock"));
-        }
-        path
-    }
-}
-
-
-#[cfg(windows)]
-mod platform {
-    use std::path::PathBuf;
-    use std::time::Duration;
-    use tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions};
-    use windows::Win32::Foundation::ERROR_PIPE_BUSY;
-
-    pub async fn connect(addr: Option<PathBuf>) -> std::io::Result<NamedPipeClient> {
-        let opts = ClientOptions::new();
-        let pipe_name = addr.unwrap_or_else(|| server_addr("creddy-server"));
-        loop {
-            match opts.open(&pipe_name) {
-                Ok(client) => return Ok(client),
-                Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => {
-                    tokio::time::sleep(Duration::from_millis(50)).await;
-                },
-                Err(e) => return Err(e),
-            }
-        }
-    }
-
-    pub fn server_addr(sock_name: &str) -> PathBuf {
-        if cfg!(debug_assertions) {
-            format!(r"\\.\pipe\{sock_name}.dev").into()
-        }
-        else {
-            format!(r"\\.\pipe\{sock_name}").into()
-        }
-    }
-}

src-tauri/creddy_cli/src/main.rs

@@ -1,44 +0,0 @@
-use std::env;
-use std::process::{self, Command};
-
-use creddy_cli::{
-    Action,
-    Cli,
-    RunArgs,
-};
-
-fn main() {
-    let cli = Cli::parse();
-    let res = match cli.action {
-        None => launch_gui(RunArgs { minimized: false }),
-        Some(Action::Run(run_args)) => launch_gui(run_args),
-        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
-        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
-        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
-        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
-    };
-
-    if let Err(e) = res {
-        eprintln!("Error: {e:?}");
-        process::exit(1);
-    }
-}
-
-
-fn launch_gui(run_args: RunArgs) -> anyhow::Result<()>  {
-    let mut path = env::current_exe()?;
-    path.pop(); // bin dir
-
-    // binaries are colocated in dev, but not in production
-    #[cfg(not(debug_assertions))]
-    path.pop(); // install dir
-
-    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
-
-    let mut cmd = Command::new(path);
-    if run_args.minimized {
-        cmd.arg("--minimized");
-    }
-    cmd.spawn()?;
-    Ok(())
-}

src-tauri/creddy_cli/src/proto.rs

@@ -1,113 +0,0 @@
-use std::fmt::{
-    Display,
-    Formatter,
-    Error as FmtError
-};
-
-use clap::ValueEnum;
-use serde::{Serialize, Deserialize};
-
-
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(tag = "type")]
-pub enum CliRequest {
-    GetAwsCredential {
-        name: Option<String>,
-        base: bool,
-    },
-    GetDockerCredential {
-        server_url: String,
-    },
-    StoreDockerCredential(DockerCredential),
-    EraseDockerCredential {
-        server_url: String,
-    },
-    InvokeShortcut{
-        action: ShortcutAction,
-    },
-}
-
-
-#[derive(Debug, Copy, Clone, Serialize, Deserialize, ValueEnum)]
-pub enum ShortcutAction {
-    ShowWindow,
-    LaunchTerminal,
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum CliResponse {
-    Credential(CliCredential),
-    Empty,
-}
-
-impl Display for CliResponse {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
-        match self {
-            CliResponse::Credential(CliCredential::AwsBase(_)) => write!(f, "Credential (AwsBase)"),
-            CliResponse::Credential(CliCredential::AwsSession(_)) => write!(f, "Credential (AwsSession)"),
-            CliResponse::Credential(CliCredential::Docker(_)) => write!(f, "Credential (Docker)"),
-            CliResponse::Empty => write!(f, "Empty"),
-        }
-    }
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum CliCredential {
-    AwsBase(AwsBaseCredential),
-    AwsSession(AwsSessionCredential),
-    Docker(DockerCredential),
-}
-
-
-#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct AwsBaseCredential {
-    #[serde(default = "default_aws_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-}
-
-
-#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct AwsSessionCredential {
-    #[serde(default = "default_aws_version")]
-    pub version: usize,
-    pub access_key_id: String,
-    pub secret_access_key: String,
-    pub session_token: String,
-    // we don't need to know the expiration for the CLI, so just use a string here
-    pub expiration: String,
-}
-
-
-fn default_aws_version() -> usize { 1 }
-
-
-#[derive(Debug, Eq, PartialEq, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct DockerCredential {
-    #[serde(rename = "ServerURL")]
-    pub server_url: String,
-    pub username: String,
-    pub secret: String,
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub struct ServerError {
-    pub code: String,
-    pub msg: String,
-}
-
-impl Display for ServerError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), FmtError> {
-        write!(f, "Error response ({}) from server: {}", self.code, self.msg)?;
-        Ok(())
-    }
-}
-
-impl std::error::Error for ServerError {}

src-tauri/gen/schemas/capabilities.json

@@ -1 +1 @@
-{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["core:path:default","core:event:default","core:window:default","core:app:default","core:resources:default","core:menu:default","core:tray:default","os:allow-os-type","dialog:allow-open"]}}
+{"migrated":{"identifier":"migrated","description":"permissions that were migrated from v1","local":true,"windows":["main"],"permissions":["path:default","event:default","window:default","app:default","resources:default","menu:default","tray:default"]}}

src-tauri/gen/schemas/linux-schema.json

@@ -247,82 +247,6 @@
             "app:deny-version"
           ]
         },
-        {
-          "type": "string",
-          "enum": [
-            "dialog:default"
-          ]
-        },
-        {
-          "description": "dialog:allow-ask -> Enables the ask command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:allow-ask"
-          ]
-        },
-        {
-          "description": "dialog:allow-confirm -> Enables the confirm command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:allow-confirm"
-          ]
-        },
-        {
-          "description": "dialog:allow-message -> Enables the message command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:allow-message"
-          ]
-        },
-        {
-          "description": "dialog:allow-open -> Enables the open command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:allow-open"
-          ]
-        },
-        {
-          "description": "dialog:allow-save -> Enables the save command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:allow-save"
-          ]
-        },
-        {
-          "description": "dialog:deny-ask -> Denies the ask command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:deny-ask"
-          ]
-        },
-        {
-          "description": "dialog:deny-confirm -> Denies the confirm command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:deny-confirm"
-          ]
-        },
-        {
-          "description": "dialog:deny-message -> Denies the message command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:deny-message"
-          ]
-        },
-        {
-          "description": "dialog:deny-open -> Denies the open command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:deny-open"
-          ]
-        },
-        {
-          "description": "dialog:deny-save -> Denies the save command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "dialog:deny-save"
-          ]
-        },
         {
           "description": "event:default -> Default permissions for the plugin.",
           "type": "string",
@@ -854,124 +778,6 @@
             "menu:deny-text"
           ]
         },
-        {
-          "type": "string",
-          "enum": [
-            "os:default"
-          ]
-        },
-        {
-          "description": "os:allow-arch -> Enables the arch command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-arch"
-          ]
-        },
-        {
-          "description": "os:allow-exe-extension -> Enables the exe_extension command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-exe-extension"
-          ]
-        },
-        {
-          "description": "os:allow-family -> Enables the family command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-family"
-          ]
-        },
-        {
-          "description": "os:allow-hostname -> Enables the hostname command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-hostname"
-          ]
-        },
-        {
-          "description": "os:allow-locale -> Enables the locale command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-locale"
-          ]
-        },
-        {
-          "description": "os:allow-os-type -> Enables the os_type command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-os-type"
-          ]
-        },
-        {
-          "description": "os:allow-platform -> Enables the platform command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-platform"
-          ]
-        },
-        {
-          "description": "os:allow-version -> Enables the version command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:allow-version"
-          ]
-        },
-        {
-          "description": "os:deny-arch -> Denies the arch command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-arch"
-          ]
-        },
-        {
-          "description": "os:deny-exe-extension -> Denies the exe_extension command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-exe-extension"
-          ]
-        },
-        {
-          "description": "os:deny-family -> Denies the family command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-family"
-          ]
-        },
-        {
-          "description": "os:deny-hostname -> Denies the hostname command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-hostname"
-          ]
-        },
-        {
-          "description": "os:deny-locale -> Denies the locale command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-locale"
-          ]
-        },
-        {
-          "description": "os:deny-os-type -> Denies the os_type command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-os-type"
-          ]
-        },
-        {
-          "description": "os:deny-platform -> Denies the platform command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-platform"
-          ]
-        },
-        {
-          "description": "os:deny-version -> Denies the version command without any pre-configured scope.",
-          "type": "string",
-          "enum": [
-            "os:deny-version"
-          ]
-        },
         {
           "description": "path:default -> Default permissions for the plugin.",
           "type": "string",

src-tauri/migrations/20240617142724_credential_split.sql

@@ -69,12 +69,9 @@ DROP TABLE aws_tmp;
 
 
 -- SSH keys are the new hotness
-CREATE TABLE ssh_credentials (
-    id BLOB UNIQUE NOT NULL,
-    algorithm TEXT NOT NULL,
-    comment TEXT NOT NULL,
+CREATE TABLE ssh_keys (
+    name TEXT UNIQUE NOT NULL,
     public_key BLOB NOT NULL,
     private_key_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL,
-    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
+    nonce BLOB NOT NULL
 );

src-tauri/migrations/20240919135710_docker_creds.sql

@@ -1,12 +0,0 @@
-CREATE TABLE docker_credentials (
-    id BLOB UNIQUE NOT NULL,
-    -- The Docker credential helper protocol only sends the server_url, so
-    -- we should guarantee that we will only ever have one matching credential.
-    -- Also, it's easier to go from unique -> not-unique than vice versa if we
-    -- decide that's necessary in the future
-    server_url TEXT UNIQUE NOT NULL,
-    username TEXT NOT NULL,
-    secret_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL,
-    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
-);

src-tauri/src/_credentials.rs

@@ -0,0 +1,350 @@
+use std::fmt::{self, Formatter};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+ use aws_smithy_types::date_time::{DateTime, Format};
+use argon2::{
+    Argon2,
+    Algorithm,
+    Version,
+    ParamsBuilder,
+    password_hash::rand_core::{RngCore, OsRng},
+};
+use chacha20poly1305::{
+    XChaCha20Poly1305,
+    XNonce,
+    aead::{
+        Aead,
+        AeadCore,
+        KeyInit,
+        Error as AeadError,
+        generic_array::GenericArray,
+    },
+};
+use serde::{
+    Serialize,
+    Deserialize,
+    Serializer,
+    Deserializer,
+};
+use serde::de::{self, Visitor};
+use sqlx::SqlitePool;
+
+
+use crate::errors::*;
+
+
+#[derive(Clone, Debug)]
+pub enum Session {
+    Unlocked{
+        base: BaseCredentials,
+        session: SessionCredentials,
+    },
+    Locked(LockedCredentials),
+    Empty,
+}
+
+impl Session {
+    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
+        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
+            .fetch_optional(pool)
+            .await?;
+        let row = match res {
+            Some(r) => r,
+            None => {return Ok(Session::Empty);}
+        };
+
+        let salt: [u8; 32] = row.salt
+            .try_into()
+            .map_err(|_e| SetupError::InvalidRecord)?;
+        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
+            .ok_or(SetupError::InvalidRecord)?;
+
+        let creds = LockedCredentials {
+            access_key_id: row.access_key_id,
+            secret_key_enc: row.secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(Session::Locked(creds))
+    }
+
+    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
+        match self {
+            Session::Unlocked{ref base, ref mut session} => {
+                if !session.is_expired() {
+                    return Ok(false);
+                }
+                *session = SessionCredentials::from_base(base).await?;
+                Ok(true)
+            },
+            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
+            Session::Empty => Err(GetSessionError::CredentialsEmpty),
+        }
+    }
+
+    pub fn try_get(
+        &self
+    ) -> Result<(&BaseCredentials, &SessionCredentials), GetCredentialsError> {
+        match self {
+            Self::Empty => Err(GetCredentialsError::Empty),
+            Self::Locked(_) => Err(GetCredentialsError::Locked),
+            Self::Unlocked{ ref base, ref session } => Ok((base, session))
+        }
+    }
+}
+
+
+#[derive(Clone, Debug)]
+pub struct LockedCredentials {
+    pub access_key_id: String,
+    pub secret_key_enc: Vec<u8>,
+    pub salt: [u8; 32],
+    pub nonce: XNonce,
+}
+
+impl LockedCredentials {
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
+        sqlx::query(
+            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
+            VALUES (?, ?, ?, ?, strftime('%s'))"
+        )
+            .bind(&self.access_key_id)
+            .bind(&self.secret_key_enc)
+            .bind(&self.salt[..])
+            .bind(&self.nonce[..])
+            .execute(pool)
+            .await?;
+
+        Ok(())
+    }
+
+    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
+        let crypto = Crypto::new(passphrase, &self.salt)
+            .map_err(|e| CryptoError::Argon2(e))?;
+        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
+            .map_err(|e| CryptoError::Aead(e))?;
+        let secret_access_key = String::from_utf8(decrypted)
+            .map_err(|_| UnlockError::InvalidUtf8)?;
+
+        let creds = BaseCredentials::new(
+            self.access_key_id.clone(),
+            secret_access_key,
+        );
+        Ok(creds)
+    }
+}
+
+
+fn default_credentials_version() -> usize { 1 }
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct BaseCredentials {
+    #[serde(default = "default_credentials_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+}
+
+impl BaseCredentials {
+    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
+        Self {version: 1, access_key_id, secret_access_key}
+    }
+
+    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
+        let salt = Crypto::salt();
+        let crypto = Crypto::new(passphrase, &salt)?;
+        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
+
+        let locked = LockedCredentials {
+            access_key_id: self.access_key_id.clone(),
+            secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(locked)
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct SessionCredentials {
+    #[serde(default = "default_credentials_version")]
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub session_token: String,
+    #[serde(serialize_with = "serialize_expiration")]
+    #[serde(deserialize_with = "deserialize_expiration")]
+    pub expiration: DateTime,
+}
+
+impl SessionCredentials {
+    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
+        let req_creds = aws_sdk_sts::Credentials::new(
+            &base.access_key_id,
+            &base.secret_access_key,
+            None, // token
+            None, //expiration
+            "Creddy", // "provider name" apparently
+        );
+        let config = aws_config::from_env()
+            .credentials_provider(req_creds)
+            .load()
+            .await;
+
+        let client = aws_sdk_sts::Client::new(&config);
+        let resp = client.get_session_token()
+            .duration_seconds(43_200)
+            .send()
+            .await?;
+
+        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
+
+        let access_key_id = aws_session.access_key_id()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let secret_access_key = aws_session.secret_access_key()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let session_token = aws_session.session_token()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let expiration = aws_session.expiration()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .clone();
+
+        let session_creds = SessionCredentials {
+            version: 1,
+            access_key_id,
+            secret_access_key,
+            session_token,
+            expiration,
+        };
+
+        #[cfg(debug_assertions)]
+        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
+
+        Ok(session_creds)
+    }
+
+    pub fn is_expired(&self) -> bool {
+        let current_ts = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
+            .as_secs();
+
+        let expire_ts = self.expiration.secs();
+        let remaining = expire_ts - (current_ts as i64);
+        remaining < 60
+    }
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum Credentials {
+    Base(BaseCredentials),
+    Session(SessionCredentials),
+}
+
+
+fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
+where S: Serializer
+{
+    // this only fails if the d/t is out of range, which it can't be for this format
+    let time_str = exp.fmt(Format::DateTime).unwrap();
+    serializer.serialize_str(&time_str)
+}
+
+
+struct DateTimeVisitor;
+
+impl<'de> Visitor<'de> for DateTimeVisitor {
+    type Value = DateTime;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
+        DateTime::from_str(v, Format::DateTime)
+            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
+    }
+}
+
+
+fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
+where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(DateTimeVisitor)
+}
+
+
+struct Crypto {
+    cipher: XChaCha20Poly1305,
+}
+
+impl Crypto {
+    /// Argon2 params rationale:
+    ///
+    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
+    /// This should roughly double the memory usage of the application
+    /// while deriving the key.
+    ///
+    /// p_cost is irrelevant since (at present) there isn't any parallelism
+    /// implemented, so we leave it at 1.
+    ///
+    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
+    /// a key on my (somewhat older) CPU. This is probably overkill, but
+    /// given that it should only have to happen ~once a day for most 
+    /// usage, it should be acceptable.
+    #[cfg(not(debug_assertions))]
+    const MEM_COST: u32 = 128 * 1024;
+    #[cfg(not(debug_assertions))]
+    const TIME_COST: u32 = 8;
+
+    /// But since this takes a million years without optimizations,
+    /// we turn it way down in debug builds.
+    #[cfg(debug_assertions)]
+    const MEM_COST: u32 = 48 * 1024;
+    #[cfg(debug_assertions)]
+    const TIME_COST: u32 = 1;
+    
+
+    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
+        let params = ParamsBuilder::new()
+            .m_cost(Self::MEM_COST)
+            .p_cost(1)
+            .t_cost(Self::TIME_COST)
+            .build()
+            .unwrap(); // only errors if the given params are invalid
+
+        let hasher = Argon2::new(
+            Algorithm::Argon2id,
+            Version::V0x13,
+            params,
+        );
+
+        let mut key = [0; 32];
+        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
+        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
+        Ok(Crypto { cipher })
+    }
+
+    fn salt() -> [u8; 32] {
+        let mut salt = [0; 32];
+        OsRng.fill_bytes(&mut salt);
+        salt
+    }
+
+    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
+        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
+        let ciphertext = self.cipher.encrypt(&nonce, data)?;
+        Ok((nonce, ciphertext))
+    }
+
+    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
+        self.cipher.decrypt(nonce, data)
+    }
+}

src-tauri/src/app.rs

@@ -2,6 +2,10 @@ use std::error::Error;
 use std::time::Duration;
 
 use once_cell::sync::OnceCell;
+use rfd::{
+    MessageDialog,
+    MessageLevel,
+};
 use sqlx::{
     SqlitePool,
     sqlite::SqlitePoolOptions,
@@ -15,13 +19,13 @@ use tauri::{
     RunEvent,
     WindowEvent,
 };
-use creddy_cli::{GlobalArgs, RunArgs};
+use tauri::menu::MenuItem;
 
 use crate::{
     config::{self, AppConfig},
     credentials::AppSession,
     ipc,
-    srv::{creddy_server, agent},
+    server::Server,
     errors::*,
     shortcuts,
     state::AppState,
@@ -32,16 +36,13 @@ use crate::{
 pub static APP: OnceCell<AppHandle> = OnceCell::new();
 
 
-pub fn run(run_args: RunArgs, global_args: GlobalArgs) -> tauri::Result<()> {
-    if let Ok(_) = creddy_cli::show_window(global_args) {
-        // app is already running, so terminate
-        return Ok(());
-    }
-
+pub fn run() -> tauri::Result<()> {
     tauri::Builder::default()
+        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
+            show_main_window(app)
+                .error_popup("Failed to show main window")
+        }))
         .plugin(tauri_plugin_global_shortcut::Builder::default().build())
-        .plugin(tauri_plugin_os::init())
-        .plugin(tauri_plugin_dialog::init())
         .invoke_handler(tauri::generate_handler![
             ipc::unlock,
             ipc::lock,
@@ -53,16 +54,23 @@ pub fn run(run_args: RunArgs, global_args: GlobalArgs) -> tauri::Result<()> {
             ipc::save_credential,
             ipc::delete_credential,
             ipc::list_credentials,
-            ipc::sshkey_from_file,
-            ipc::sshkey_from_private_key,
             ipc::get_config,
             ipc::save_config,
             ipc::launch_terminal,
             ipc::get_setup_errors,
-            ipc::get_devmode,
             ipc::exit,
         ])
-        .setup(|app| rt::block_on(setup(app, run_args)))
+        .setup(|app| {
+            let res = rt::block_on(setup(app));
+            if let Err(ref e) = res {
+                MessageDialog::new()
+                    .set_level(MessageLevel::Error)
+                    .set_title("Creddy failed to start")
+                    .set_description(format!("{e}"))
+                    .show();
+            }
+            res
+        })
         .build(tauri::generate_context!())?
         .run(|app, run_event| {
             if let RunEvent::WindowEvent { event, .. } = run_event {
@@ -88,11 +96,11 @@ pub async fn connect_db() -> Result<SqlitePool, SetupError> {
 }
 
 
-async fn setup(app: &mut App, run_args: RunArgs) -> Result<(), Box<dyn Error>> {
+async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
     APP.set(app.handle().clone()).unwrap();
     tray::setup(app)?;
     // get_or_create_db_path doesn't create the actual db file, just the directory
-    let is_first_launch = !config::get_or_create_db_path()?.try_exists()?;
+    let is_first_launch = !config::get_or_create_db_path()?.exists();
     let pool = connect_db().await?;
     let mut setup_errors: Vec<String> = vec![];
 
@@ -108,19 +116,12 @@ async fn setup(app: &mut App, run_args: RunArgs) -> Result<(), Box<dyn Error>> {
     };
 
     let app_session = AppSession::load(&pool).await?;
-    creddy_server::serve(app.handle().clone())?;
-    agent::serve(app.handle().clone())?;
+    Server::start(app.handle().clone())?;
 
-    // if this is the first launch, setup system with default auto-launch settings
-    if is_first_launch {
-        if let Err(e) = conf.set_auto_launch() {
-            setup_errors.push(format!("Failed to manage autolaunch: {e}"));
-        }
+    config::set_auto_launch(conf.start_on_login)?;
+    if let Err(_e) = config::set_auto_launch(conf.start_on_login) {
+        setup_errors.push("Error: Failed to manage autolaunch.".into());
     }
-    // otherwise, treat the system as the source of truth and ensure ours matches
-    else {
-        conf.match_auto_launch(&pool).await?;
-    };
 
     // if hotkeys fail to register, disable them so that this error doesn't have to keep showing up
     if let Err(_e) = shortcuts::register_hotkeys(&conf.hotkeys) {
@@ -133,7 +134,7 @@ async fn setup(app: &mut App, run_args: RunArgs) -> Result<(), Box<dyn Error>> {
         .map(|names| names.split(':').any(|n| n == "GNOME"))
         .unwrap_or(false);
 
-    if !run_args.minimized {
+    if !conf.start_minimized || is_first_launch {
         show_main_window(&app.handle())?;
     }
 
@@ -166,8 +167,8 @@ fn start_auto_locker(app: AppHandle) {
 pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.show()?;
-    let menu = app.state::<tray::MenuItems>();
-    menu.after_show()?;
+    let show_hide = app.state::<MenuItem<tauri::Wry>>();
+    show_hide.set_text("Hide")?;
     Ok(())
 }
 
@@ -175,8 +176,8 @@ pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
 pub fn hide_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.hide()?;
-    let menu = app.state::<tray::MenuItems>();
-    menu.after_hide()?;
+    let show_hide = app.state::<MenuItem<tauri::Wry>>();
+    show_hide.set_text("Show")?;
     Ok(())
 }
 

src-tauri/src/bin/agent.rs

@@ -0,0 +1,7 @@
+use creddy::server::ssh_agent;
+
+
+#[tokio::main]
+async fn main() {
+    ssh_agent::run().await;
+}

src-tauri/src/bin/creddy_cli.rs

@@ -0,0 +1,47 @@
+// Windows isn't really amenable to having a single executable work as both a CLI and GUI app,
+// so we just have a second binary for CLI usage
+use creddy::{
+    cli,
+    errors::CliError,
+};
+use std::{
+    env,
+    process::{self, Command},
+};
+
+
+fn main() {
+    let args = cli::parser().get_matches();
+    if let Some(true) = args.get_one::<bool>("help") {
+        cli::parser().print_help().unwrap(); // if we can't print help we can't print an error
+        process::exit(0);
+    }
+
+    let res = match args.subcommand() {
+        None | Some(("run", _)) => launch_gui(),
+        Some(("get", m)) => cli::get(m),
+        Some(("exec", m)) => cli::exec(m),
+        Some(("shortcut", m)) => cli::invoke_shortcut(m),
+        _ => unreachable!("Unknown subcommand"),
+    };
+
+    if let Err(e) = res {
+        eprintln!("Error: {e}");
+        process::exit(1);
+    }
+}
+
+
+fn launch_gui() -> Result<(), CliError>  {
+    let mut path = env::current_exe()?;
+    path.pop(); // bin dir
+    
+    // binaries are colocated in dev, but not in production
+    #[cfg(not(debug_assertions))]
+    path.pop(); // install dir
+
+    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
+
+    Command::new(path).spawn()?;
+    Ok(())
+}

src-tauri/src/bin/key.rs

@@ -0,0 +1,13 @@
+use ssh_key::private::PrivateKey;
+
+
+fn main() {
+    // let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
+    let p = AsRef::<std::path::Path>::as_ref("/home/joe/.ssh/test");
+    let privkey = PrivateKey::read_openssh_file(p)
+        .unwrap();
+        // .decrypt(passphrase.as_bytes())
+        // .unwrap();
+
+    dbg!(String::from_utf8_lossy(&privkey.to_bytes().unwrap()));
+}

src-tauri/src/cli.rs

@@ -0,0 +1,194 @@
+use std::ffi::OsString;
+use std::process::Command as ChildCommand;
+#[cfg(windows)]
+use std::time::Duration;
+
+use clap::{
+    Command,
+    Arg,
+    ArgMatches,
+    ArgAction,
+    builder::PossibleValuesParser,
+ };
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::errors::*;
+use crate::server::{Request, Response};
+use crate::shortcuts::ShortcutAction;
+
+#[cfg(unix)]
+use {
+    std::os::unix::process::CommandExt,
+    tokio::net::UnixStream,
+};
+
+#[cfg(windows)]
+use {
+    tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions},
+    windows::Win32::Foundation::ERROR_PIPE_BUSY,
+};
+
+
+pub fn parser() -> Command<'static> {
+    Command::new("creddy")
+        .version(env!("CARGO_PKG_VERSION"))
+        .about("A friendly AWS credentials manager")
+        .subcommand(
+            Command::new("run")
+                .about("Launch Creddy")
+        )
+        .subcommand(
+            Command::new("get")
+                .about("Request AWS credentials from Creddy and output to stdout")
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+        )
+        .subcommand(
+            Command::new("exec")
+                .about("Inject AWS credentials into the environment of another command")
+                .trailing_var_arg(true)
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+                .arg(
+                    Arg::new("command")
+                        .multiple_values(true)
+                )
+        )
+        .subcommand(
+            Command::new("shortcut")
+                .about("Invoke an action normally trigged by hotkey (e.g. launch terminal)")
+                .arg(
+                    Arg::new("action")
+                        .value_parser(
+                            PossibleValuesParser::new(["show_window", "launch_terminal"])
+                        )
+                )
+        )
+}
+
+
+pub fn get(args: &ArgMatches) -> Result<(), CliError> {
+    let base = args.get_one("base").unwrap_or(&false);
+    let output = match make_request(&Request::GetAwsCredentials { base: *base })? {
+        Response::AwsBase(creds) => serde_json::to_string(&creds).unwrap(),
+        Response::AwsSession(creds) => serde_json::to_string(&creds).unwrap(),
+        r => return Err(RequestError::Unexpected(r).into()),
+    };
+    println!("{output}");
+    Ok(())
+}
+
+
+pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
+    let base = *args.get_one("base").unwrap_or(&false);
+    let mut cmd_line = args.get_many("command")
+        .ok_or(ExecError::NoCommand)?;
+
+    let cmd_name: &String = cmd_line.next().unwrap(); // Clap guarantees that there will be at least one
+    let mut cmd = ChildCommand::new(cmd_name);
+    cmd.args(cmd_line);
+    
+    match make_request(&Request::GetAwsCredentials { base })? {
+        Response::AwsBase(creds) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+        },
+        Response::AwsSession(creds) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
+        },
+        r => return Err(RequestError::Unexpected(r).into()),
+    }
+
+    #[cfg(unix)]
+    {
+        // cmd.exec() never returns if successful
+        let e = cmd.exec();
+        match e.kind() {
+            std::io::ErrorKind::NotFound => {
+                let name: OsString = cmd_name.into();
+                Err(ExecError::NotFound(name).into())
+            }
+            _ => Err(ExecError::ExecutionFailed(e).into()),
+        }
+    }
+
+    #[cfg(windows)]
+    {
+        let mut child = match cmd.spawn() {
+            Ok(c) => c,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                let name: OsString = cmd_name.into();
+                return Err(ExecError::NotFound(name).into());
+            }
+            Err(e) => return Err(ExecError::ExecutionFailed(e).into()),
+        };
+
+        let status = child.wait()
+            .map_err(|e| ExecError::ExecutionFailed(e))?;
+        std::process::exit(status.code().unwrap_or(1));
+    };
+}
+
+
+pub fn invoke_shortcut(args: &ArgMatches) -> Result<(), CliError> {
+    let action = match args.get_one::<String>("action").map(|s| s.as_str()) {
+        Some("show_window") => ShortcutAction::ShowWindow,
+        Some("launch_terminal") => ShortcutAction::LaunchTerminal,
+        Some(&_) | None => unreachable!("Unknown shortcut action"), // guaranteed by clap
+    };
+
+    let req = Request::InvokeShortcut(action);
+    match make_request(&req) {
+        Ok(Response::Empty) => Ok(()),
+        Ok(r) => Err(RequestError::Unexpected(r).into()),
+        Err(e) => Err(e.into()),
+    }
+}
+
+
+#[tokio::main]
+async fn make_request(req: &Request) -> Result<Response, RequestError> {
+    let mut data = serde_json::to_string(req).unwrap();
+    // server expects newline marking end of request
+    data.push('\n');
+
+    let mut stream = connect().await?;
+    stream.write_all(&data.as_bytes()).await?;
+
+    let mut buf = Vec::with_capacity(1024);
+    stream.read_to_end(&mut buf).await?;
+    let res: Result<Response, ServerError> = serde_json::from_slice(&buf)?;
+    Ok(res?)
+}
+
+
+#[cfg(windows)]
+async fn connect() -> Result<NamedPipeClient, std::io::Error> {
+    // apparently attempting to connect can fail if there's already a client connected
+    loop {
+        match ClientOptions::new().open(r"\\.\pipe\creddy-requests") {
+            Ok(stream) => return Ok(stream),
+            Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (),
+            Err(e) => return Err(e),
+        }
+        tokio::time::sleep(Duration::from_millis(10)).await;
+    }
+}
+
+
+#[cfg(unix)]
+async fn connect() -> Result<UnixStream, std::io::Error> {
+    UnixStream::connect("/tmp/creddy.sock").await
+}

src-tauri/src/clientinfo.rs

@@ -1,13 +1,6 @@
 use std::path::{Path, PathBuf};
 
-use sysinfo::{
-    System,
-    SystemExt,
-    Pid,
-    PidExt,
-    ProcessExt,
-    UserExt,
-};
+use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
 use serde::{Serialize, Deserialize};
 
 use crate::errors::*;
@@ -17,36 +10,26 @@ use crate::errors::*;
 pub struct Client {
     pub pid: u32,
     pub exe: Option<PathBuf>,
-    pub username: Option<String>,
 }
 
 
-pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
+pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> {
     let sys_pid = Pid::from_u32(pid);
-    let mut sys = System::new();
+    let mut sys = System::new();   
     sys.refresh_process(sys_pid);
-    sys.refresh_users_list();
-
-    let mut proc = sys.process(sys_pid)
+    let proc = sys.process(sys_pid)
         .ok_or(ClientInfoError::ProcessNotFound)?;
 
-    if parent {
-        let parent_pid_sys = proc.parent()
-            .ok_or(ClientInfoError::ParentPidNotFound)?;
-        sys.refresh_process(parent_pid_sys);
-        proc = sys.process(parent_pid_sys)
-            .ok_or(ClientInfoError::ParentProcessNotFound)?;
-    }
+    let parent_pid_sys = proc.parent()
+        .ok_or(ClientInfoError::ParentPidNotFound)?;
+    sys.refresh_process(parent_pid_sys);
+    let parent = sys.process(parent_pid_sys)
+        .ok_or(ClientInfoError::ParentProcessNotFound)?;
 
-    let username = proc.user_id()
-        .map(|uid| sys.get_user_by_id(uid))
-        .flatten()
-        .map(|u| u.name().to_owned());
-
-    let exe = match proc.exe() {
+    let exe = match parent.exe() {
         p if p == Path::new("") => None,
         p => Some(PathBuf::from(p)),
     };
 
-    Ok(Client { pid: proc.pid().as_u32(), exe, username })
+    Ok(Client { pid: parent_pid_sys.as_u32(), exe })
 }

src-tauri/src/config.rs

@@ -1,7 +1,7 @@
 use std::path::PathBuf;
 use std::time::Duration;
 
-use auto_launch::{AutoLaunch, AutoLaunchBuilder};
+use auto_launch::AutoLaunchBuilder;
 use is_terminal::IsTerminal;
 use serde::{Serialize, Deserialize};
 use sqlx::SqlitePool;
@@ -89,49 +89,29 @@ impl AppConfig {
     pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> {
         kv::save(pool, "config", self).await
     }
+}
 
-    /// Configure system with auto-launch settings
-    pub fn set_auto_launch(&self) -> Result<(), SetupError> {
-        let mgr = self.auto_launch_manager()?;
 
-        // if enabled, disabled regardless of desired end state because either:
-        // a) we are just going to leave it disabled, or
-        // b) we need to disable-and-reenable in case args are different
-        if mgr.is_enabled()? {
-            mgr.disable()?;
-        }
-        if self.start_on_login {
-            mgr.enable()?;
-        }
+pub fn set_auto_launch(is_configured: bool) -> Result<(), SetupError> {
+    let path_buf = std::env::current_exe()
+        .map_err(|e| auto_launch::Error::Io(e))?;
+    let path = path_buf
+        .to_string_lossy();
 
-        Ok(())
+    let auto = AutoLaunchBuilder::new()
+        .set_app_name("Creddy")
+        .set_app_path(&path)
+        .build()?;
+
+    let is_enabled = auto.is_enabled()?;
+    if is_configured && !is_enabled {
+        auto.enable()?;
+    }
+    else if !is_configured && is_enabled {
+        auto.disable()?;
     }
 
-    /// Match own auto-launch settings to system
-    pub async fn match_auto_launch(&mut self, pool: &SqlitePool) -> Result<(), SetupError> {
-        let mgr = self.auto_launch_manager()?;
-        let is_enabled = mgr.is_enabled()?;
-        if is_enabled != self.start_on_login {
-            self.start_on_login = is_enabled;
-            self.save(pool).await?;
-        }
-        Ok(())
-    }
-
-    fn auto_launch_manager(&self) -> Result<AutoLaunch, SetupError> {
-        let path_buf = std::env::current_exe()
-            .map_err(|e| auto_launch::Error::Io(e))?;
-
-        let name = if cfg!(debug_assertions) { "Creddy (dev)" } else { "Creddy" };
-        let mut builder = AutoLaunchBuilder::new();
-        builder.set_app_name(name);
-        builder.set_app_path(&path_buf.to_string_lossy());
-        if self.start_minimized {
-            builder.set_args(&["run", "--minimized"]);
-        }
-
-        Ok(builder.build()?)
-    }
+    Ok(())
 }
 
 

src-tauri/src/credentials/aws.rs

@@ -76,7 +76,7 @@ impl PersistentCredential for AwsBaseCredential {
                 access_key_id,
                 secret_key_enc,
                 nonce
-            )
+            ) 
             VALUES (?, ?, ?, ?);",
             id, self.access_key_id, ciphertext, nonce_bytes,
         ).execute(&mut **txn).await?;
@@ -185,16 +185,10 @@ where S: Serializer
 #[cfg(test)]
 mod tests {
     use super::*;
-    use aws_sdk_sts::primitives::DateTimeFormat;
-    use creddy_cli::proto::{
-        AwsBaseCredential as CliBase,
-        AwsSessionCredential as CliSession,
-    };
     use sqlx::SqlitePool;
     use sqlx::types::uuid::uuid;
 
 
-
     fn creds() -> AwsBaseCredential {
         AwsBaseCredential::new(
             "AKIAIOSFODNN7EXAMPLE".into(),
@@ -209,6 +203,19 @@ mod tests {
         )
     }
 
+    fn test_uuid() -> Uuid {
+        Uuid::try_parse("00000000-0000-0000-0000-000000000000").unwrap()
+    }
+
+    fn test_uuid_2() -> Uuid {
+        Uuid::try_parse("ffffffff-ffff-ffff-ffff-ffffffffffff").unwrap()
+    }
+
+    fn test_uuid_random() -> Uuid {
+        let bytes = Crypto::salt();
+        Uuid::from_slice(&bytes[..16]).unwrap()
+    }
+
 
     #[sqlx::test(fixtures("aws_credentials"))]
     async fn test_load(pool: SqlitePool) {
@@ -247,99 +254,5 @@ mod tests {
 
         assert_eq!(&creds().into_credential(), &list[0]);
         assert_eq!(&creds_2().into_credential(), &list[1]);
-    }
-
-
-    // In order to avoid the CLI depending on the main app (and thus defeating the purpose
-    // of having a separate CLI at all) it re-defines the credentials that need to be sent
-    // back and forth. To prevent the separate definitions from drifting aprt, we test
-    // serializing/deserializing in both directions.
-
-    #[test]
-    fn test_cli_to_app_base() {
-        let cli_base = CliBase {
-            version: 1,
-            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-        };
-
-        let json = serde_json::to_string(&cli_base).unwrap();
-        let computed: AwsBaseCredential = serde_json::from_str(&json)
-            .expect("Failed to deserialize base credentials from CLI -> main app");
-
-        assert_eq!(creds(), computed);
-    }
-
-    #[test]
-    fn test_app_to_cli_base() {
-        let base = creds();
-        let json = serde_json::to_string(&base).unwrap();
-
-        let computed: CliBase = serde_json::from_str(&json)
-            .expect("Failed to deserialize base credentials from main app -> CLI");
-
-        let expected = CliBase {
-            version: 1,
-            access_key_id: "AKIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-        };
-
-        assert_eq!(expected, computed);
-    }
-
-    #[test]
-    fn test_cli_to_app_session() {
-        let cli_session = CliSession {
-            version: 1,
-            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
-            expiration: "2024-07-21T00:00:00Z".into(),
-        };
-
-        let json = serde_json::to_string(&cli_session).unwrap();
-        let computed: AwsSessionCredential = serde_json::from_str(&json)
-            .expect("Failed to deserialize session credentials from CLI -> main app");
-
-        let expected = AwsSessionCredential {
-            version: 1,
-            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
-            expiration: DateTime::from_str(
-                "2024-07-21T00:00:00Z",
-                DateTimeFormat::DateTimeWithOffset
-            ).unwrap(),
-        };
-
-        assert_eq!(expected, computed);
-    }
-
-    #[test]
-    fn test_app_to_cli_session() {
-        let session = AwsSessionCredential {
-            version: 1,
-            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
-            expiration: DateTime::from_str(
-                "2024-07-21T00:00:00Z",
-                DateTimeFormat::DateTimeWithOffset
-            ).unwrap(),
-        };
-
-        let json = serde_json::to_string(&session).unwrap();
-        let computed: CliSession = serde_json::from_str(&json)
-            .expect("Failed to deserialize session credentials from main app -> CLI");
-
-        let expected = CliSession {
-            version: 1,
-            access_key_id: "ASIAIOSFODNN7EXAMPLE".into(),
-            secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".into(),
-            session_token: "JQ70sxbqnOGKu7+krevstYCLCaX2+alUAT60ARTBBnQ=ETC.".into(),
-            expiration: "2024-07-21T00:00:00Z".into(),
-        };
-
-        assert_eq!(expected, computed);
-    }
+    }   
 }

src-tauri/src/credentials/docker.rs

@@ -1,196 +0,0 @@
-use chacha20poly1305::XNonce;
-use serde::{Serialize, Deserialize};
-use sqlx::{
-    FromRow,
-    Sqlite,
-    Transaction,
-    types::Uuid,
-};
-
-use super::{Credential, Crypto, PersistentCredential};
-
-use crate::errors::*;
-
-
-#[derive(Debug, Clone, FromRow)]
-pub struct DockerRow {
-    id: Uuid,
-    server_url: String,
-    username: String,
-    secret_enc: Vec<u8>,
-    nonce: Vec<u8>,
-}
-
-
-#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
-#[serde(rename_all = "PascalCase")]
-pub struct DockerCredential {
-    #[serde(rename = "ServerURL")]
-    pub server_url: String,
-    pub username: String,
-    pub secret: String,
-}
-
-impl PersistentCredential for DockerCredential {
-    type Row = DockerRow;
-
-    fn type_name() -> &'static str { "docker" }
-
-    fn into_credential(self) -> Credential { Credential::Docker(self) }
-
-    fn row_id(row: &DockerRow) -> Uuid { row.id }
-
-    fn from_row(row: DockerRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
-        let nonce = XNonce::clone_from_slice(&row.nonce);
-        let secret_bytes = crypto.decrypt(&nonce, &row.secret_enc)?;
-        let secret = String::from_utf8(secret_bytes)
-            .map_err(|_| LoadCredentialsError::InvalidData)?;
-
-        Ok(DockerCredential {
-            server_url: row.server_url,
-            username: row.username,
-            secret
-        })
-    }
-
-    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
-        let (nonce, ciphertext) = crypto.encrypt(self.secret.as_bytes())?;
-        let nonce_bytes = &nonce.as_slice();
-
-        sqlx::query!(
-            "INSERT OR REPLACE INTO docker_credentials (
-                id,
-                server_url,
-                username,
-                secret_enc,
-                nonce
-            )
-            VALUES (?, ?, ?, ?, ?)",
-            id, self.server_url, self.username, ciphertext, nonce_bytes,
-        ).execute(&mut **txn).await?;
-
-        Ok(())
-    }
-}
-
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::credentials::CredentialRecord;
-    use creddy_cli::proto::DockerCredential as CliDockerCredential;
-    use sqlx::SqlitePool;
-    use sqlx::types::uuid::uuid;
-
-
-
-    fn test_credential() -> DockerCredential {
-        DockerCredential {
-            server_url: "https://registry.jfmonty2.com".into(),
-            username: "joe@jfmonty2.com".into(),
-            secret: "correct horse battery staple".into(),
-        }
-    }
-
-    fn test_credential_2() -> DockerCredential {
-        DockerCredential {
-            server_url: "https://index.docker.io/v1".into(),
-            username: "test@example.com".into(),
-            secret: "a very secure passphrase".into(),
-        }
-    }
-
-    fn test_record() -> CredentialRecord {
-        CredentialRecord {
-            id: uuid!("00000000-0000-0000-0000-000000000000"),
-            name: "docker_test".into(),
-            is_default: false,
-            credential: Credential::Docker(test_credential()),
-        }
-    }
-
-    fn test_record_2() -> CredentialRecord {
-        CredentialRecord {
-            id: uuid!("ffffffff-ffff-ffff-ffff-ffffffffffff"),
-            name: "docker_test_2".into(),
-            is_default: false,
-            credential: Credential::Docker(test_credential_2()),
-        }
-    }
-
-
-    #[sqlx::test]
-    fn test_save(pool: SqlitePool) {
-        let crypt = Crypto::random();
-        test_record().save(&crypt, &pool).await
-            .expect("Failed to save record");
-    }
-
-    #[sqlx::test(fixtures("docker_credentials"))]
-    fn test_load(pool: SqlitePool) {
-        let crypt = Crypto::fixed();
-        let id = uuid!("00000000-0000-0000-0000-000000000000");
-        let loaded = DockerCredential::load(&id, &crypt, &pool).await
-            .expect("Failed to load record");
-
-        assert_eq!(test_credential(), loaded);
-    }
-
-    #[sqlx::test(fixtures("docker_credentials"))]
-    async fn test_overwrite(pool: SqlitePool) {
-        let crypt = Crypto::fixed();
-        let mut record = test_record_2();
-        // give it the same id as test_record so that it overwrites
-        let id = uuid!("00000000-0000-0000-0000-000000000000");
-        record.id = id;
-        record.save(&crypt, &pool).await
-            .expect("Failed to overwrite original record with second record");
-
-        let loaded = DockerCredential::load(&id, &crypt, &pool).await
-            .expect("Failed to load again after overwriting");
-
-        assert_eq!(test_credential_2(), loaded);
-    }
-
-    #[sqlx::test(fixtures("docker_credentials"))]
-    async fn test_list(pool: SqlitePool) {
-        let crypt = Crypto::fixed();
-        let records = CredentialRecord::list(&crypt, &pool).await
-            .expect("Failed to list credentials");
-
-        assert_eq!(test_record(), records[0]);
-    }
-
-
-    // make sure that CLI credentials and app credentials don't drift apart
-    #[test]
-    fn test_cli_to_app() {
-        let cli_creds = CliDockerCredential {
-            server_url: "https://registry.jfmonty2.com".into(),
-            username: "joe@jfmonty2.com".into(),
-            secret: "correct horse battery staple".into(),
-        };
-
-        let json = serde_json::to_string(&cli_creds).unwrap();
-        let computed: DockerCredential = serde_json::from_str(&json)
-            .expect("Failed to deserialize Docker credentials from CLI -> main app");
-
-        assert_eq!(test_credential(), computed);
-    }
-
-    #[test]
-    fn test_app_to_cli() {
-        let app_creds = test_credential();
-        let json = serde_json::to_string(&app_creds).unwrap();
-
-        let computed: CliDockerCredential = serde_json::from_str(&json)
-            .expect("Failed to deserialize Docker credentials from main app -> CLI");
-
-        let expected = CliDockerCredential {
-            server_url: "https://registry.jfmonty2.com".into(),
-            username: "joe@jfmonty2.com".into(),
-            secret: "correct horse battery staple".into(),
-        };
-        assert_eq!(expected, computed);
-    }
-}

src-tauri/src/credentials/fixtures/docker_credentials.sql

@@ -1,11 +0,0 @@
-INSERT INTO credentials (id, name, credential_type, is_default, created_at)
-VALUES (X'00000000000000000000000000000000', 'docker_test', 'docker', 0, 1726756380);
-
-INSERT INTO docker_credentials (id, server_url, username, secret_enc, nonce)
-VALUES (
-    X'00000000000000000000000000000000',
-    'https://registry.jfmonty2.com',
-    'joe@jfmonty2.com',
-    X'C0B36EE54539D4113A8F73E99FB96B2BF4D87E91F7C3B48256C07E83E3E7EC738888B2FDE2B4DB0BE48BEFDE',
-    X'C5F7F627BBE09A1BB275BE8D2390596C76143881A7766E60'
-);

src-tauri/src/credentials/fixtures/ssh_credentials.sql

@@ -1,42 +0,0 @@
-INSERT INTO credentials (id, name, credential_type, is_default, created_at)
-VALUES
-    (X'11111111111111111111111111111111', 'ssh-plain', 'ssh', 1, 1721557273),
-    (X'22222222222222222222222222222222', 'ssh-enc', 'ssh', 0, 1721557274),
-    (X'33333333333333333333333333333333', 'ed25519-plain', 'ssh', 0, 1721557275),
-    (X'44444444444444444444444444444444', 'ed25519-enc', 'ssh', 0, 1721557276);
-
-
-INSERT INTO ssh_credentials (id, algorithm, comment, public_key, private_key_enc, nonce)
-VALUES
-    (
-        X'11111111111111111111111111111111',
-        'ssh-rsa',
-        'hello world',
-        X'000000077373682D727361000000030100010000018100C4ABCE6D69400912EBAD527733401E30EBF3DC9433B79C8E343D7AFBE19A9F309934822577D9807346B48D4FB0604D022DA826E5624635E4CE19851AA5D30DFD2007DE99B04AE4C2F00823DFFC3C8DDE62F074831C1F8903067C83DCCD7D9CEE8643C93C5291F6B5047F53646A37C84098934FFDE5882B5DD7696CDDC4421C39E2894768CFD6650CE585E35A3F739B015650AA469ABDEFC6987E55DAFEC7D40B4388654ED3205D18528D881927C42CBE210CCF6F49A90619AD6E6ACBF1768D7EC52FF9CB85BE607B9414961566292016875164C1C1D1FBD4C3569D4424A7F19D043ABCDEE50573DFC4FC7F2C2718AA76528FA226C0DD5530DC705C30901E1BDE88FE5CC35CAE5AB8826D1E7F970DBED0A0F7E9833CFC7323A1F1323528D5CC3C00AEB98165D677CAF64BD69729132264D971B5C491D0AEAF53AAD22D03756B2E43754502E84488117EEBB962CCDF5DF59682C1E9BA472D5AB9B83DB2862E7EA380E8FD20DE9368CABCBBC5C95C233A52DE5DFE5E91CB59019D00B529C70C4305',
-        X'DB9B6A3B97FBAE6AC12BDAF9DA57DBEE4DDF6A92DD682958AF147FF5EF64C18255D2A1714D543F2D16BEFD7ED4C419C7A0E9C18754C4CAA251BCFA5AA46508B006CDB08A7C0DB63D8A7FE27F99CCC2F351203B36D2BC3D02302318ECC741574CEF70D956C5CCA41E538F2CA29B20E04778A596B0C3E5CD991A423443B01E3F811E004E2547C5D3DDAEBCFBFB68CDB03D0C16538224BBAA0A80767D64D8F3D2840975DD12B4F648F81B4D4B541CB500BAA99F9808F450A02688D583A924B8AE2B0BE777BC35CE808FD53B5DB8C0838D24A6CE31C3973880CF3174E63E3404F2E77783140A62DDBA06F9CD89ADE448A54FBCBD6C0EC8C0641724CDDEF2A8126EC0D0F5BDF89EB8112366D7EB6D3CE3565DF9E4036EAF3109E50BED5D7BD3558FFF69AD823F6522C5701CE26BCAFCC03D27D87547728A3C700719FF564EAEC961FA209252B113B404D75AD67CA4E40C5DAA36E9B0FB4ECDD6E5F853C81682123E8DF311A3C495F61A2CEE6A2B04C7FD3D0906583B9C724BC0D00D71106B7167983D6A0FBD3EA7361EE063A0B05E5A6B5CD82D0F795820BFC90E4F422E7CE2BDEBEAEE9493F5408F38732EB41741F15632185131CD6160433DD286869DF38679F6797A268EDE8ED0F442C4394FF52EFDE82EBEC5871A087288F7A12964615DA5AA02149FB661B0F76551CD53771B0DD180837A9D52A2BDF4757C4CF56DCD90B968F32B9F9EE5EE09EF5B791DB0366A4E6CCBBF0AF7D9CB5B7760BABAF4DE16BCC971DC95DCBD068A92DB8E8C709C0FBE9E2AB5B770EDFBCC6FB5045B706FB31DDEB6C52647618CD3B222CEF2DFD8D08ABAE6333A2E3C8768B8DB970BFF1777B75AE6DCE54DA7063F76846EFBDB92E55192A031DBA889D9DEDB0BF0FAA2FA6B4A0B0151B6F03D142D6B140EBB874CAF0A44D67AAD121127946DA90A14176EBB7B6C03DD2034987A100855E23F440CF6A404DEE46617B52581C7A248B7393FF56D8652855B23D19C35E1B535E5EC5EE87F3FF455458A740A55CDCB806053D4BCF44CDC2D76A1998418A60E11728BBC69F12C7E52A539E3834362C47A3E1863D265B3A7C2A41FA1953BB0FC64508679BB5F068DAF84C394A1497D564A3D6023B90D9A1C50E30FDC3E1C9B925EB0C19F960E7377B0678D662362129677E4B9AA515D2E4408A17A260D862F3C5D4291841855B91FE6EEA11C8E8EC19449CD9C31E6505BA364A45E7E3B89C5FA1C55708AF521F97440CED0ED0FAF06B7930E6A6F3A2B547E33EF73163D4C2E75B1AFA24BEB3129FFA978BC4EC43D0919ED262C0BE29AB78A87A57EAA55D51BE479A9E4015F9C3F2381745808AECF3783DEF5AB82E37C6EF68B97485CD36F7018B59C37E0EB93EAA32385E5E8CB95A5A3818B70F4CBE6102FC197946AAAAAABAD8B93750031CAC73C3F1B6B2F825B29435F2426B6AFABE35B1F8468E5A1CF73CC78E2FBB639AEFC171B7AD5D1728A536AB384B3F4AE924D5CEFA3F5EE5412094AE97303B8E728C7ACBCD9F9FB7C4FE7893145A55D96B7EDC1DD6257368C03AAC98B4F23D9AF15EF730BFD3FF09C2A11747035C8FD58EF97003503F568090C02A63117F3304989CFBAF20A281A729C8A8A4470524B3FDD2B4183E78BDE58BBB0B58B16D1E81702E58E225F7EED1A8E7F3920870FC9EE44D1433EEB39248A38108000EC1E151A26399A3F36CC41F6D272B3441198E8B56616E9A6C5A16303E562A62B4E6C27D16E9FADAF7E5A4AC7EFBD912883474302D5C9BB7D35C671DDECE68482A9472DAFA56B9AFF4E811A5BE7462FA6A988FED04178786DDB490A2010B8C178BD5601C23BBF5E3B1D13E86BB9980892B9999A6511FE2ECDAC681123745F676C155BB4627EFFAA65B1110B590A7FEE6D3359AED898D73C1B51AC8D534E94731934CCA9514F89E74C2BE5A799D8072C52399A7A647AF8F37F2D536C1B29D64214C490FE00565D912772256BF5E68F888E02FB704017F4D9FDD22E1C007A5FB4FCB51BC7A101DCAA56529231A59ACE14368268B7820C7C2BFBB0F5F78625E442C6EA83C88A9DEE318B2323AF0F3687ACF7B2B791D0B42B0576F0FF73E046DE1A56A5C2CBF6731E8D9485A02E9AD67D7752EBDBF3EBE703A760264363650CB9639B75985A9D00D210FFEBC93894E8E4BEAE7053FB6619BA9A8F0ECC4F822CF27606A6E58A8D5DAF55B519E7729B65A83FB859A3A028477BFBB7C8C01ABBE38EEDAAE11AA10ECC75868A281281792FA8D4EBDCC47DEB03868779A84D992D56612A8F46CAFADF65C5B32CFEA2974ECE34E4EDE9AF0AB4365C55D1A95FE551453BCFA5DF28CAF5AFA025CD5BD1CF86FB19AEB581135BFE2CBAA78643F209DE6A4D58206B0B236ADDD5A9122E8A21630907D0C5F23E86C151B8BFD8EA874DFF37DA7DE49D520DDAB7D074B37A726883211A788684A74D4E13A80CBC7655D8BBFF901CC44EF0A0368A3A69200695E277857AD620F2872D83224405A4DDD1E34AF68B72145AA442278C02DB7453AA8C184893AEBBCD4E15252CB8AF5972C49E047318362322CFAE99C38C5989A76C57E9D997BAACF6E13C19F66FCD618878D218DE7846C3D042E7E631B9AC126935AD6A3E15A659A3C4B9B5E521545A5A9B8A3CDFD21EADC2A5A74DBFA0769D63EC4F758D',
-        X'1A44F10CBD2579B378EF1ECE61005DBD0ED6189512B41293'
-    ),
-    (
-        X'22222222222222222222222222222222',
-        'ssh-rsa',
-        'hello world',
-        X'000000077373682D727361000000030100010000018100B021E0FE494231E75D4CFC9CED6DF524122F0E86717710BB066236D1ABF001CB4C7CB58964E998E5385836912300129A1334E549A7EF5E0EC4115D97E099038ACFBBA0AD2FE5D574F7F3FF122A97B59F75D8B62DCD921FF1A5BBFDCB55D77779A41ABD46528AEF8B2C0DA96370FCEC79387EED6AC1C0CED041AE979CBB880BEC6C17917711143F1C4D035548D273773D01E3F643463811B7339D9F4B3FC8D1FECF761C8878C135E2E600D9D230F11A3AD8E0415D1A923A398D108E9043F630A9B7BB1310927CA8A46455096E1A272BA56B6F06FEE5764E3C8AC85EA5DE408AED8EC549BE749FB231C1A2CC95DA0035DB009A9DFB2C622833A54CFCCB9FFB173159065F3335C6DDAFBB52A82CD5C327198C496C2A4404F1A544D82175F915954492A4488954B37C78C1F81B467A05F96CCC26146CDF517AF71674046947B11CE80B0E277B2ABA23915AF11E9A9F9D05717E1F0ED70341F470085569F88D8F5CBB8179605A0BF88537A57893329D15F1F8CA3582BE3612410F06568533F801602F',
-        X'AD54C319103CFBA088A4B70AEC743CDED7B0A3EE3DDE370BBD14AA4FA4EACBDD1BBE2FCEF499BB4EC4DDEA9D472F27BBF93453C612BF1689B714C9718212E78C0E1B2133AEB0E7C954413F6EBFC4155CC975A252962AB7C1BBEAE8DA8C6F990B9DE96313F0158AA8DD7896000AE2A4406080B81C37605B3986E463D5DEC01AC0BC4981A74BAF6413DF99119F65A337692885E9C5FBA9B483AA83783823981A0E66105083EB6CDB07AB93714AAF6AAF9A6239D256D8C9C56992AC846CF104E2B1B9DF96D0E67DF2EC9258E914EDFAA5AC36ABE3E9D5D641C92C6188D90D9B083DC3AFA9409B7809718279B52399145FE3173DA8E8A7E5C21715E0B140B22BFF8A0116E102B55C9BCB19B5B4FCCA88FBC5A2844E7E2AEC84ACA303BE8AC9448F93BB35366DFC2E38CEE31C66748847DA11CBB8A31F2CA4DD905362A8C513B6B8E3040EFCEC5BCFEB2E52902F33BF6DFEF911E56A00E51274C1548546DCA62261F94F580DCBAF7357F0C8F5058D2D1D5C91E0AAAB396A305E79350FC0F9879CAFD33316DB77586C36A8246F4D5A14EEC495CFCFA108B70A00008CE64ABC2EBC656DFE760612194B526BC1AE8C08325E3FE76999E6341D6C2BA35BA87CB9FB30A269891A0013E989246E80D5CF7590A66D8494CA79D5E2FD6A8FF7ECA1169379C2D45F4108BA5A796309D4CBDBEE6F45A0F6536B45666E1CF977B26612BC8108FCF32FF0D9296C9C414812C221032B2E5107CFCE1E4FCC2E07C5D31F1A1492732D0ECEB3920E50DFBCAA89561CE52436D23DA40D8678CE901BDC57C3F80233BBAF7AE5CA432547EB51DFBABF5B8BC94C0F6EAE47C94649CECE192D6436D609EE040A3AC059529E7CAAFA45D1B2E331E0E73BAFB1C6E05F71EBF28E222D2B15E724D5EBB3B9C3A709F0F9BCD41C87DF158BDCD3C1FCA86A8D4B57B98F4386AA6956BC3DC6BC2AF6A479560C1598B866935795C29F22CB93072E9D8D4D110AAC2B0F22CD8662354BF5D509750068613C052E88629EFF9488BD1C0B3E6FFD010A5B739F943234AA456F998B4DC7FA7B877961DE1CC744760712337B70971EED7AA4B97121F26298DCFDC2282D721CAB90098585ACFD31EC776EEE2C0211AB711BE94F31ED0D2BA4A9D8EFFC155FC68AB02EA1DC380A1525EF2BD14B55CC71210B54E5F55A8C3C876A6667EFA271095B1280B9ED6FAE9E73601A698FE2732756780BF453F927FD171F497F9C1FA6ADE7DC8187FEDA309E807E2E7895E1763DE1758E50035CE24D54A814745F05446FFD91F8E27770577384BBDC6E11E435658404533D32C461A0DB1CC6AE0847ABB744FB61C524CF9162E3660941CA3DA96F56EA5C036BF5E633C6CA0F033335AB5B623D08A024E87235FF8324B284FB981A9998DD0028A0DE54B4D6BE04C51E8D71DD09B3563C84E5C43826418365FB7912DFABDC5BB25BDE2C558DAC14AEED79F705F34E2D04F17829515C725675571EE1E4BDD21D8EBAA9C6075DE48EF8F2ED7814E20836A2721E46B5C71EE365CFE996A07ADABD84FE5B1E25EF5D9CC66B945084A4207004372AA792BA1BE97B67397635EA7DCC2F99C6AD5C394A8F4C0B7CBC87C38DE52F120993E6DC6BEA27D5B90D90E1C8F7626C860386121E53BE3D4F7B4005A69EB0334E118E70B7207CEDFCEE1EC2A30C789174AAA6531EAAD2E0BED7400CA44911E896E4C82DCA85ADBA92CA01B2CE75924AE81FE286C4CBD8073B7546313A75E52CA1882D8935D2F6058FECEBA4626B4445FCED2E9986632F9F5597C7BBD44F375027727D51B0033B87D23395EEC26EE06378B247B0C1469286F868828C942FCE2BF1BFFDC07CAEC1E214D37ADE737A7DFF082972C6E8411591BEE4B54BED231A7F856C022B26887ADD115A252807D3C58DCD8FB5D7D71DC3766C288438DB3D9D98FC8A22FEC92A7E6E3855ACD36BBEA79C5F98C7ABD9CCECB37C18C3315E5CC7B3BFF699FD201419F8EA402E422EFE62A25D4A76B2CCA0F6D43313BA7DF6537619FD2AE8ACF55B17F709961228076DBBB3592B6B7A1C3C271D54C06403902B0384492AE486E931DD63F68E739769E174D97EA46E7D780D03529EA21B418E0A68E44ED15AB9471B5F139E29EA25C7AE881E216A2863D6E908790002B0B1CC23B1DB3266CEACA2771BD661941AEDEE196316E8D8D7CE361C23E7C1BFFBFD0467329E948CD936B54C7313DC053F96BAFD139500ACB0CCDCA7C0AFBFEC02CFD31FECF4193C1E13F8E59378959BE3360C3B57BD325E5D87CA3D9CE08EFD00980200004D01EE4C6D4450C545A82BE0E1A527AE3432AD6500AF6C8B4400095D9CA7DAA0AA956DC8CD6A4336B876988128119997DB4847AFEFDF2CB8E3F88D5B66CC1E5A32229F79324063584C95C775C5D8D3B05956F0BC8432B9FB28D006247F1DF22C431515BDB4234C91B10CA20B5C05924CAAF82094C8C49123776F1C7170218FEC6C1D2D94F242277765EB9A6C48BE8751D92FFC4C3314155C7685940CA07BB70722D0B65585BC50253A9A6F793CD7A3269657B234C72EC8F2DD4F3B61A7260B3028FFB2B866A311E027C3D8D56592AB4795AA22452CBE37AEE68D7952EE473BB67CE6839E0F5DAA7C9B09F26CBF99CF5BF1181A41B683B9EA939A1823C3733B1EE8066614D3A692C99E5F9EA22231',
-        X'B9DF74AE34E4E7E17EA2EABECE5FD85B14ADB53EDB5BF27C'
-    ),
-    (
-        X'33333333333333333333333333333333',
-        'ssh-ed25519',
-        'hello world',
-        X'0000000B7373682D6564323535313900000020BBB05846908A7F4819CA69BE50E94658FD6F51D24FFECED678566D43E1DD6BF2',
-        X'7E3719254AB02100F159D971C17322CF51ECB60AC9E2CDA511EDFD88E75D9828A5A308F1F6A7D6919ED080FD0E6D3FAB64583A946334EE8870006AB7EDC57E6D7BCD145485D1F2A06D946B4DB69591467F289A5CD3BBF922FAAF5B54275F56CF81CC450DE4C8C0F24078C395BA02E8C646731FA6A50480392B13784FD2A85D094DDB8E73C56120936C02C3F94E910C23787FC307369239E264600BBE799EA851CE16FD653BE71D024AA73A582AACC390DD1F341C095788ECE6F4CC37D045A2BFFEC9F14AEBE73E43C6E78E00A9645C6A46D03F2847355DBCD33DA09C76148089A0FC1B3793AB5DA577B879D25EF7B8A8661387F19F392522CFD2886F6FEB65584841',
-        x'58E67EEE49A11FFDD9D32F63ED99053008091B415F87F1BA'
-    ),
-    (
-        X'44444444444444444444444444444444',
-        'ssh-ed25519',
-        'hello world',
-        X'0000000B7373682D65643235353139000000200491C64AD1D7E9C20D989937677C32EBE5FB35BCBA77422550A8FAA54C023923',
-        X'6BA994C263935729D807579173B377323F6353A88F660143EA92DE1E1A92F00682B8A1FAD838F0D211BD69855E8E34AE84D5A7B3C23F23A822B2AFF6E861BC81D89AFDDEB0DED063C84644B3EFEF2612DA1DA9C3C12EDAEFCBEA3542EA0ED1903FC1922E5F56E19FAD8CC75A2A30D64C83BF27ADE00E66BCCFE1CA67E95A00819F7BF91DDD22C4A1FB419E91B5D61544175D8D69EB5B416E6547DFD55CD386B62293B778322FB840D1F4DBBDCE2364A6FE4A7B090425031E7DB347314CEBD9BA09F85CC45CF3B4D02FE78B7F365D5C7E95331AA7A6F91A619E8A8663B77A31BAF639652D72B4FD11C8D430C8A1C5542C69DF4ACA74BAB7608B7E9ADD15BAF4674AFB',
-        X'46F31DCF22250039168D80F26D50C129C9AFDA166682C89A'
-    );

src-tauri/src/credentials/fixtures/ssh_ed25519_enc

@@ -1,8 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAWtYanP1
-TBKT8lBL4IzKpYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZ
-N2d8Muvl+zW8undCJVCo+qVMAjkjAAAAkI021XFPzB9VnO8uGAQ8f3bwP/ki5fDVuWD7Fc
-crN+yfT8Ugjhc7IL2dIt/xj9iJIa9fJDw0pg1Y8issqp9C8HVhasyWpf2iwJIalUHTOekn
-WdoxA+/OQBstRBKSv43sI801+9OC8dXCMNM2QzpiGNs0QxdLJpcJQhHEvqq/yDIODF0p7M
-h3e9eYGVPOR0CjlQ==
------END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_enc.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZN2d8Muvl+zW8undCJVCo+qVMAjkj hello world

src-tauri/src/credentials/fixtures/ssh_ed25519_plain

@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI
-BwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g
-AAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9
-b1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=
------END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json

@@ -1 +0,0 @@
-{"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world

src-tauri/src/credentials/fixtures/ssh_rsa_enc

@@ -1,39 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAanK91R1
-FN66oOcvNyslkhAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx
-511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZ
-fgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5
-OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciH
-jBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyK
-yF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1c
-MnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsO
-J3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42Ek
-EPBlaFM/gBYC8AAAWQf6woBjAp1r47e3HsH4DyTDNF+u98eyCXLb86Lf8G9IFzOACMx4Bh
-auNdB2dZ/Re2FZ6bdzb+h9snQf0PY4y4zJ7bmJ5VbRcYAM/XnVcKP+Q2254te15DLAsKXA
-rzGVdEB8vshTloEHZTBVGiWRSFvn/rzPTNRhw5X/OMX21EAFR2yFXFHSxKwuPTWRCTTan3
-PA7BqJX8k6XtzwafPo9as0ui3jds/aL9VBlxlQB3x5uWfo7Kw73qReDzaIS94VVsm667tI
-KIN/0/e3mDpfXmWLH2Xc7BLZcs5eSHztwakYDPc5VzFTdAfb4juVdVmiLUs0ttj+aXnJo9
-6p/kX5ISSs5gzAaL2yGmPjNeeEXgV38ysYnNUB0fIoceuda54oM8kYAeZnQGpgV0Rh6ku+
-KNWajrJF22cH6QQ61VO4ymoDrw+oxyTog/M5n7IhCROGAJOQV4CRYKELHwMIt6niiihDfI
-+YbIs7Qs0ap4mHeVKbLS3WsSK7mZI70yCeLzT+ilNaqW28RLHxAEM86lRfuH1vmABKdy8D
-3e1K0WivbY5zmGvFGP1DIl3NXr6M7ZaFg5bgohssOXzMucAOR9mZpzMg20jF4SOt7IC9SU
-pWg+OIIP7pVfS2FjATMrh25xgeqD2BcDSoJWEH4xrlviyBS1wVA9W35npHiJSQptppn8cj
-EhwuS916OMhWOsXHPssqHFA+DrLByCZKcORD/mFPpsnI4/3TvA4PL6pqv2Kup0YBDqkyko
-wIyZQMjr4DjR6xYR3W0Mjzn2UG0Grn96QGrjnj1l/LAXAw00NeYktI4m5YX4wIIdhP/RT8
-RL9d4SE0YicneoDPtcLaaa4TTIvcbHJsP8aUP723reUzyxvw9Bdo9wC2bzE1xlOhm/WCmF
-0SNvEl6H/kivTjQkI2HQuGVq037eIAB5rToT6cVD3TiNmN6UuOX7Ec+8kw4JPGgLA/l+AB
-w3gCsyK7MyZoeWNw2+b1utkjMcqG0bjju0yTdjSho6KazGtoBQ4P+Jx9KIwiJT13Nr1WMz
-KBW98YojZCfCxPeNx6RPsp6PzM673R9DVRNXSs3yYhEZDXJEHCS7jDptR8r8uScogIIUEx
-YShJU0/WSVHgHZ4Ef2S7MDX1RLU4WGoUtbwxnTEQ26iNLjskYzV9/O88PajJSc2Wcz5vES
-I4BFROg2px+ViLlWqiegXIZc5NnN2HSJQ7ucTObSL0+oT5SzQiRfHy2TLa4w+c5hgO1VNx
-Xmq0doKjMW9DmU2ygwzFgnaQp9S8NlIIA/4mKkAODbCgWFqXz99gMgfL+dnUhwo4WHN3lU
-D/uVxRxwTKWWNp39z/p5hBYLKpqJbDCp+ysM9VpyllAkjk9aDihUq5dQVzpA1iTFH2DdbM
-TrclBWaXr9QQiH+F73mZvJPhP2//gT9qped6XumkSpuNXFrXoZ/P49xKgQ/51rg8Ri5ZJ7
-cIiofoppfat5ex20oBqAnumrM0JrhUrVxzhSd5tPPH5JGeZYml3sK1rM4pV7K7bnugXg9f
-C6HVxe/l2klAOvg0U9yJAvR35mS0+F0dpwvjRrFS/+JxG6RzzAAunDJHjADNne5FhKFNLB
-WRzsXHTCT+wGp497Nq8uS/0sgZAMHsy2KMK6n5h8V6kHL9t5VgsD18g0neu9ytwYrjvAuM
-AoDdwpuUkCJVNOiMHumxPvivGRNhSHwW7fTDHX+yI6/j1i/Wl1unjCxNgNCbgCMRCg1+dN
-wRw/wqs4mQyGf70AUA5JIVx/W7gAxlt3YWCFHfTRiK5A/BHa0qs+RPMzVlIJhAx0TGAOze
-BBJIg2kH26rWLV2aosOx8FFH/rZVj6gyYLw0JlsoTCva383SkifvlfiLY3DxfU+bwvJ9p0
-bnzyMMiKRuZb16OucNli84FIAuI=
------END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_enc.pub

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZfgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciHjBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyKyF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1cMnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsOJ3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42EkEPBlaFM/gBYC8= hello world

src-tauri/src/credentials/fixtures/ssh_rsa_plain

@@ -1,38 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAYEAxKvObWlACRLrrVJ3M0AeMOvz3JQzt5yOND16++GanzCZNIIld9mA
-c0a0jU+wYE0CLagm5WJGNeTOGYUapdMN/SAH3pmwSuTC8Agj3/w8jd5i8HSDHB+JAwZ8g9
-zNfZzuhkPJPFKR9rUEf1NkajfIQJiTT/3liCtd12ls3cRCHDniiUdoz9ZlDOWF41o/c5sB
-VlCqRpq978aYflXa/sfUC0OIZU7TIF0YUo2IGSfELL4hDM9vSakGGa1uasvxdo1+xS/5y4
-W+YHuUFJYVZikgFodRZMHB0fvUw1adRCSn8Z0EOrze5QVz38T8fywnGKp2Uo+iJsDdVTDc
-cFwwkB4b3oj+XMNcrlq4gm0ef5cNvtCg9+mDPPxzI6HxMjUo1cw8AK65gWXWd8r2S9aXKR
-MiZNlxtcSR0K6vU6rSLQN1ay5DdUUC6ESIEX7ruWLM3131loLB6bpHLVq5uD2yhi5+o4Do
-/SDek2jKvLvFyVwjOlLeXf5ekctZAZ0AtSnHDEMFAAAFgMFqGjPBahozAAAAB3NzaC1yc2
-EAAAGBAMSrzm1pQAkS661SdzNAHjDr89yUM7ecjjQ9evvhmp8wmTSCJXfZgHNGtI1PsGBN
-Ai2oJuViRjXkzhmFGqXTDf0gB96ZsErkwvAII9/8PI3eYvB0gxwfiQMGfIPczX2c7oZDyT
-xSkfa1BH9TZGo3yECYk0/95YgrXddpbN3EQhw54olHaM/WZQzlheNaP3ObAVZQqkaave/G
-mH5V2v7H1AtDiGVO0yBdGFKNiBknxCy+IQzPb0mpBhmtbmrL8XaNfsUv+cuFvmB7lBSWFW
-YpIBaHUWTBwdH71MNWnUQkp/GdBDq83uUFc9/E/H8sJxiqdlKPoibA3VUw3HBcMJAeG96I
-/lzDXK5auIJtHn+XDb7QoPfpgzz8cyOh8TI1KNXMPACuuYFl1nfK9kvWlykTImTZcbXEkd
-Cur1Oq0i0DdWsuQ3VFAuhEiBF+67lizN9d9ZaCwem6Ry1aubg9soYufqOA6P0g3pNoyry7
-xclcIzpS3l3+XpHLWQGdALUpxwxDBQAAAAMBAAEAAAGABsfTnKMR0Z5E4Ntkf7BYuiAQbs
-zvQYfUwUlTWabMEWv4BD7ucsTdcFwCMpMKRi+xgQh4mtT6DbafQnL72ba+lzkI/Gw5D0P2
-0pa9QeYs4klGCPtDX+9YZnHNTjCJJykHcjqZEAravHI+PvONlTnqHgwEnC/pP3obSKd6WO
-UA0H9QZ6I+I1hFcJ3jMVT1thMkhyjNzhRcsw0aSdTE8Z7LGT5RUAjZL5b2FTaK+C8OTOqb
-MhlewV/h9XWsxmLUpt0277I8ShvjJbJg6TEPJh6D7FRTU+tY4rjGK12DP9lVq6M7Md4ULV
-JW3aW350xVV2p9031HLDUfWs7dqZ5ufoD3EopOVZGvfGAE3C4aHvJB5D6K7wG7ptWsPgte
-EcCz84DpsoJ7KICTs8QoXt5bl68qnW3YvzCcqZc7DjLdKNh/wzjdMdzx8AMS4yBF2ceOSE
-I7Og9UZZtmGzZ0g4Dhg3jMUyWBA++sUayJUqg0izzA/htt+tVd9ABMkJOufcCpnuPRAAAA
-wCdCy66KXCLx5HCMIsd2/TdbGAZnuirYCn9ee3T5xhJyZjmwIfmZEXUuENKq8e+vYldwey
-EjdnevM+OCTc8xo77yowgYRBzguDa2R9UH3bg9cWZIpQGzXmnL35Dux4nZPUKs69WMht92
-bpRh9roPs2M5tSAcSpmfohFYhMwRxqVooSeSg+kGE4dCXnVqK1tURExnqKy8CkoDW4fhbH
-HNmPsBnbdTNtfAlg8MO1v1Hk+/+6mpNhiJ7bKF4au9lm+QHgAAAMEA11frEHqordrzlTRg
-kmqGq9qaORev2g/7n719DlXb2HjGfy5gK9iUCxsgGN6GiFF0mUD7hMY6UMIVfsC/Rm07aE
-700u7OJAm8AcnFkEANlZ3ucWltnumVtxyMBlKq7PxkcIG5X+nJ6N8oVw3zZTsjaYCMe1s1
-806oE5D3GZk10pnfVIrY9DFZBtT3+mBpF2uQZk0ZSwh8Hh9xGFGxsm6blkgpcip7v+26PR
-hqA88WlXAPMnvFpXthr0mny+cy7Q59AAAAwQDpzWi1Prhi3JtVolyac/ygvzje4lhuz5ei
-3pC7b1cepdFoQCS33tixwfzqKCp6RfHrtrKzZMqREaX5sor1Hha7S+Vo+KLtZWkFUONTHR
-987wmXIu8ziRWKBeuk6g9OSXI5w8hyLwn4XLEeVri4fAUIUwpi4B0Eazp4P/9AUf1188xz
-a4ACWXDYkUFoLQo9J07HWDhKbEKFZVlIznyfmLVXc8JEzwrPThW+viGK1AFi9FxeLB4QmK
-PkAC2GY5AmhSkAAAALaGVsbG8gd29ybGQ=
------END OPENSSH PRIVATE KEY-----

src-tauri/src/credentials/fixtures/ssh_rsa_plain.pub

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEq85taUAJEuutUnczQB4w6/PclDO3nI40PXr74ZqfMJk0giV32YBzRrSNT7BgTQItqCblYkY15M4ZhRql0w39IAfembBK5MLwCCPf/DyN3mLwdIMcH4kDBnyD3M19nO6GQ8k8UpH2tQR/U2RqN8hAmJNP/eWIK13XaWzdxEIcOeKJR2jP1mUM5YXjWj9zmwFWUKpGmr3vxph+Vdr+x9QLQ4hlTtMgXRhSjYgZJ8QsviEMz29JqQYZrW5qy/F2jX7FL/nLhb5ge5QUlhVmKSAWh1FkwcHR+9TDVp1EJKfxnQQ6vN7lBXPfxPx/LCcYqnZSj6ImwN1VMNxwXDCQHhveiP5cw1yuWriCbR5/lw2+0KD36YM8/HMjofEyNSjVzDwArrmBZdZ3yvZL1pcpEyJk2XG1xJHQrq9TqtItA3VrLkN1RQLoRIgRfuu5YszfXfWWgsHpukctWrm4PbKGLn6jgOj9IN6TaMq8u8XJXCM6Ut5d/l6Ry1kBnQC1KccMQwU= hello world

src-tauri/src/credentials/mod.rs

@@ -14,20 +14,14 @@ use crate::errors::*;
 mod aws;
 pub use aws::{AwsBaseCredential, AwsSessionCredential};
 
-mod crypto;
-pub use crypto::Crypto;
-
-mod docker;
-pub use docker::DockerCredential;
-
 mod record;
 pub use record::CredentialRecord;
 
 mod session;
 pub use session::AppSession;
 
-mod ssh;
-pub use ssh::SshKey;
+mod crypto;
+pub use crypto::Crypto;
 
 
 #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
@@ -35,8 +29,6 @@ pub use ssh::SshKey;
 pub enum Credential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
-    Docker(DockerCredential),
-    Ssh(SshKey),
 }
 
 
@@ -83,23 +75,6 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Self::from_row(row, crypto)
     }
 
-    async fn load_by<T>(column: &str, value: T, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError>
-    where T: Send + for<'q> sqlx::Encode<'q, Sqlite> + sqlx::Type<Sqlite>
-    {
-        let query = format!(
-            "SELECT * FROM {} where {} = ?",
-            Self::table_name(),
-            column,
-        );
-        let row: Self::Row = sqlx::query_as(&query)
-            .bind(value)
-            .fetch_optional(pool)
-            .await?
-            .ok_or(LoadCredentialsError::NoCredentials)?;
-
-        Self::from_row(row, crypto)
-    }
-
     async fn load_default(crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
@@ -120,15 +95,15 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
     async fn list(crypto: &Crypto, pool: &SqlitePool) -> Result<Vec<(Uuid, Credential)>, LoadCredentialsError> {
         let q = format!(
             "SELECT details.*
-            FROM
+            FROM 
                 {} details
                 JOIN credentials c
                     ON c.id = details.id
-             ORDER BY c.created_at",
+             ORDER BY c.created_at", 
              Self::table_name(),
         );
         let mut rows = sqlx::query_as::<_, Self::Row>(&q).fetch(pool);
-
+        
         let mut creds = Vec::new();
         while let Some(row) = rows.try_next().await? {
             let id = Self::row_id(&row);
@@ -139,10 +114,3 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Ok(creds)
     }
 }
-
-
-pub fn random_uuid() -> Uuid {
-    // a bit weird to use salt() for this, but it's convenient
-    let random_bytes = Crypto::salt();
-    Uuid::from_slice(&random_bytes[..16]).unwrap()
-}

src-tauri/src/credentials/record.rs

@@ -20,14 +20,11 @@ use super::{
     AwsBaseCredential,
     Credential,
     Crypto,
-    DockerCredential,
     PersistentCredential,
-    SshKey,
 };
 
 
 #[derive(Debug, Clone, FromRow)]
-#[allow(dead_code)]
 struct CredentialRow {
     id: Uuid,
     name: String,
@@ -41,18 +38,16 @@ struct CredentialRow {
 pub struct CredentialRecord {
     #[serde(serialize_with = "serialize_uuid")]
     #[serde(deserialize_with = "deserialize_uuid")]
-    pub id: Uuid, // UUID so it can be generated on the frontend
-    pub name: String, // user-facing identifier so it can be changed
-    pub is_default: bool,
-    pub credential: Credential,
+    id: Uuid, // UUID so it can be generated on the frontend
+    name: String, // user-facing identifier so it can be changed
+    is_default: bool,
+    credential: Credential,
 }
 
 impl CredentialRecord {
     pub async fn save(&self, crypto: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> {
         let type_name = match &self.credential {
             Credential::AwsBase(_) => AwsBaseCredential::type_name(),
-            Credential::Ssh(_) => SshKey::type_name(),
-            Credential::Docker(_) => DockerCredential::type_name(),
             _ => return Err(SaveCredentialsError::NotPersistent),
         };
 
@@ -87,8 +82,6 @@ impl CredentialRecord {
         // save credential details to child table
         match &self.credential {
             Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
-            Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
-            Credential::Docker(d) => d.save_details(&self.id, crypto, &mut txn).await,
             _ => Err(SaveCredentialsError::NotPersistent),
         }?;
 
@@ -115,7 +108,6 @@ impl CredentialRecord {
         Ok(Self::from_parts(row, credential))
     }
 
-    #[cfg(test)]
     pub async fn load(id: &Uuid, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE id = ?")
             .bind(id)
@@ -126,19 +118,9 @@ impl CredentialRecord {
         Self::load_credential(row, crypto, pool).await
     }
 
-    pub async fn load_by_name(name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
-        let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE name = ?")
-            .bind(name)
-            .fetch_optional(pool)
-            .await?
-            .ok_or(LoadCredentialsError::NoCredentials)?;
-
-        Self::load_credential(row, crypto, pool).await
-    }
-
     pub async fn load_default(credential_type: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
         let row: CredentialRow = sqlx::query_as(
-            "SELECT * FROM credentials
+            "SELECT * FROM credentials 
             WHERE credential_type = ? AND is_default = 1"
         ).bind(credential_type)
             .fetch_optional(pool)
@@ -165,16 +147,6 @@ impl CredentialRecord {
                 .ok_or(LoadCredentialsError::InvalidData)?;
             records.push(Self::from_parts(parent, credential));
         }
-        for (id, credential) in SshKey::list(crypto, pool).await? {
-            let parent = parent_map.remove(&id)
-                .ok_or(LoadCredentialsError::InvalidData)?;
-            records.push(Self::from_parts(parent, credential));
-        }
-        for (id, credential) in DockerCredential::list(crypto, pool).await? {
-            let parent = parent_map.remove(&id)
-                .ok_or(LoadCredentialsError::InvalidData)?;
-            records.push(Self::from_parts(parent, credential));
-        }
 
         Ok(records)
     }
@@ -288,7 +260,7 @@ mod tests {
 
 
     #[sqlx::test]
-    async fn test_save_load_aws(pool: SqlitePool) {
+    async fn test_save_load(pool: SqlitePool) {
         let crypt = Crypto::random();
         let mut record = aws_record();
         record.id = random_uuid();
@@ -428,7 +400,7 @@ mod uuid_tests {
     #[test]
     fn test_serialize_deserialize_uuid() {
         let buf = Crypto::salt();
-        let expected = UuidWrapper{
+        let expected = UuidWrapper{ 
             id: Uuid::from_slice(&buf[..16]).unwrap()
         };
         let serialized = serde_json::to_string(&expected).unwrap();

src-tauri/src/credentials/session.rs

@@ -97,4 +97,24 @@ impl AppSession {
             Self::Unlocked {crypto, ..} => Ok(crypto),
         }
     }
+
+    pub fn try_encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), GetCredentialsError> {
+        let crypto = match self {
+            Self::Empty => return Err(GetCredentialsError::Empty),
+            Self::Locked {..} => return Err(GetCredentialsError::Locked),
+            Self::Unlocked {crypto, ..} => crypto,
+        };
+        let res = crypto.encrypt(data)?;
+        Ok(res)
+    }
+
+    pub fn try_decrypt(&self, nonce: XNonce, data: &[u8]) -> Result<Vec<u8>, GetCredentialsError> {
+        let crypto = match self {
+            Self::Empty => return Err(GetCredentialsError::Empty),
+            Self::Locked {..} => return Err(GetCredentialsError::Locked),
+            Self::Unlocked {crypto, ..} => crypto,
+        };
+        let res = crypto.decrypt(&nonce, data)?;
+        Ok(res)
+    }
 }

src-tauri/src/credentials/ssh.rs

@@ -1,481 +0,0 @@
-use std::fmt::{self, Formatter};
-
-use chacha20poly1305::XNonce;
-use serde::{
-    Deserialize,
-    Deserializer,
-    Serialize,
-    Serializer,
-};
-use serde::ser::{
-    Error as SerError,
-    SerializeStruct,
-};
-use serde::de::{self, Visitor};
-use sha2::{Sha256, Sha512};
-use signature::{Signer, SignatureEncoding};
-use sqlx::{
-    FromRow,
-    Sqlite,
-    SqlitePool,
-    Transaction,
-    types::Uuid,
-};
-use ssh_agent_lib::proto::message::{
-    Identity,
-    SignRequest,
-};
-use ssh_encoding::Encode;
-use ssh_key::{
-    Algorithm,
-    LineEnding,
-    private::{PrivateKey, KeypairData},
-    public::PublicKey,
-};
-use tokio_stream::StreamExt;
-
-use crate::errors::*;
-use super::{
-    Credential,
-    Crypto,
-    PersistentCredential,
-};
-
-
-#[derive(Debug, Clone, FromRow)]
-pub struct SshRow {
-    id: Uuid,
-    algorithm: String,
-    comment: String,
-    public_key: Vec<u8>,
-    private_key_enc: Vec<u8>,
-    nonce: Vec<u8>,
-}
-
-
-#[derive(Debug, Clone, Eq, PartialEq, Deserialize)]
-pub struct SshKey {
-    #[serde(deserialize_with = "deserialize_algorithm")]
-    pub algorithm: Algorithm,
-    pub comment: String,
-    #[serde(deserialize_with = "deserialize_pubkey")]
-    pub public_key: PublicKey,
-    #[serde(deserialize_with = "deserialize_privkey")]
-    pub private_key: PrivateKey,
-}
-
-impl SshKey {
-    pub fn from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
-        let mut privkey = PrivateKey::read_openssh_file(path.as_ref())?;
-        if privkey.is_encrypted() {
-            privkey = privkey.decrypt(passphrase)
-                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
-        }
-
-        Ok(SshKey {
-            algorithm: privkey.algorithm(),
-            comment: privkey.comment().into(),
-            public_key: privkey.public_key().clone(),
-            private_key: privkey,
-        })
-    }
-
-    pub fn from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
-        let mut privkey = PrivateKey::from_openssh(private_key)?;
-        if privkey.is_encrypted() {
-            privkey = privkey.decrypt(passphrase)
-                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
-        }
-
-        Ok(SshKey {
-            algorithm: privkey.algorithm(),
-            comment: privkey.comment().into(),
-            public_key: privkey.public_key().clone(),
-            private_key: privkey,
-        })
-    }
-
-    pub async fn name_from_pubkey(pubkey: &[u8], pool: &SqlitePool) -> Result<String, LoadCredentialsError> {
-        let row = sqlx::query!(
-            "SELECT c.name
-            FROM credentials c
-            JOIN ssh_credentials s
-                ON s.id = c.id
-            WHERE s.public_key = ?",
-            pubkey
-        ).fetch_optional(pool)
-            .await?
-            .ok_or(LoadCredentialsError::NoCredentials)?;
-
-        Ok(row.name)
-    }
-
-    pub async fn list_identities(pool: &SqlitePool) -> Result<Vec<Identity>, LoadCredentialsError> {
-        let mut rows = sqlx::query!(
-            "SELECT public_key, comment FROM ssh_credentials"
-        ).fetch(pool);
-
-        let mut identities = Vec::new();
-        while let Some(row) = rows.try_next().await? {
-            identities.push(Identity {
-                pubkey_blob: row.public_key,
-                comment: row.comment,
-            });
-        }
-
-        Ok(identities)
-    }
-
-    pub fn sign_request(&self, req: &SignRequest) -> Result<Vec<u8>, HandlerError> {
-        let mut sig = Vec::new();
-        match self.private_key.key_data() {
-            KeypairData::Rsa(keypair) => {
-                // 2 is the flag value for `SSH_AGENT_RSA_SHA2_256`
-                if req.flags & 2 > 0 {
-                    let signer = rsa::pkcs1v15::SigningKey::<Sha256>::try_from(keypair)?;
-                    let sig_data = signer.try_sign(&req.data)?.to_vec();
-                    "rsa-sha-256".encode(&mut sig)?;
-                    sig_data.encode(&mut sig)?;
-                }
-                else {
-                    let signer = rsa::pkcs1v15::SigningKey::<Sha512>::try_from(keypair)?;
-                    let sig_data = signer.try_sign(&req.data)?.to_vec();
-                    "rsa-sha2-512".encode(&mut sig)?;
-                    sig_data.encode(&mut sig)?;
-                }
-            },
-            _ => {
-                let sig_data = self.private_key.try_sign(&req.data)?;
-                self.algorithm.as_str().encode(&mut sig)?;
-                sig_data.as_bytes().encode(&mut sig)?;
-            },
-        }
-        Ok(sig)
-    }
-}
-
-
-impl PersistentCredential for SshKey {
-    type Row = SshRow;
-
-    fn type_name() -> &'static str { "ssh" }
-
-    fn into_credential(self) -> Credential { Credential::Ssh(self) }
-
-    fn row_id(row: &SshRow) -> Uuid { row.id }
-
-    fn from_row(row: SshRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
-        let nonce = XNonce::clone_from_slice(&row.nonce);
-        let privkey_bytes = crypto.decrypt(&nonce, &row.private_key_enc)?;
-
-
-        let algorithm = Algorithm::new(&row.algorithm)
-            .map_err(|_| LoadCredentialsError::InvalidData)?;
-        let public_key = PublicKey::from_bytes(&row.public_key)
-            .map_err(|_| LoadCredentialsError::InvalidData)?;
-        let private_key = PrivateKey::from_bytes(&privkey_bytes)
-            .map_err(|_| LoadCredentialsError::InvalidData)?;
-
-        Ok(SshKey {
-            algorithm,
-            comment: row.comment,
-            public_key,
-            private_key,
-        })
-    }
-
-    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
-        let alg = self.algorithm.as_str();
-        let pubkey_bytes = self.public_key.to_bytes()?;
-        let privkey_bytes = self.private_key.to_bytes()?;
-        let (nonce, ciphertext) = crypto.encrypt(privkey_bytes.as_ref())?;
-        let nonce_bytes = nonce.as_slice();
-
-        sqlx::query!(
-            "INSERT OR REPLACE INTO ssh_credentials (
-                id,
-                algorithm,
-                comment,
-                public_key,
-                private_key_enc,
-                nonce
-            )
-            VALUES (?, ?, ?, ?, ?, ?)",
-            id, alg, self.comment, pubkey_bytes, ciphertext, nonce_bytes,
-        ).execute(&mut **txn).await?;
-
-        Ok(())
-    }
-}
-
-
-impl Serialize for SshKey {
-    fn serialize<S: Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
-        let mut key = s.serialize_struct("SshKey", 5)?;
-        key.serialize_field("algorithm", self.algorithm.as_str())?;
-        key.serialize_field("comment", &self.comment)?;
-
-        let pubkey_str = self.public_key.to_openssh()
-            .map_err(|e| S::Error::custom(format!("Failed to encode SSH public key: {e}")))?;
-        key.serialize_field("public_key", &pubkey_str)?;
-
-        let privkey_str = self.private_key.to_openssh(LineEnding::LF)
-            .map_err(|e| S::Error::custom(format!("Failed to encode SSH private key: {e}")))?;
-        key.serialize_field::<str>("private_key", privkey_str.as_ref())?;
-
-        key.end()
-    }
-}
-
-
-struct PubkeyVisitor;
-
-impl<'de> Visitor<'de> for PubkeyVisitor {
-    type Value = PublicKey;
-
-    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
-        write!(formatter, "an OpenSSH-encoded public key, e.g. `ssh-rsa ...`")
-    }
-
-    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
-        PublicKey::from_openssh(v)
-            .map_err(|e| E::custom(format!("{e}")))
-    }
-}
-
-fn deserialize_pubkey<'de, D>(deserializer: D) -> Result<PublicKey, D::Error>
-    where D: Deserializer<'de>
-{
-    deserializer.deserialize_str(PubkeyVisitor)
-}
-
-
-struct PrivkeyVisitor;
-
-impl<'de> Visitor<'de> for PrivkeyVisitor {
-    type Value = PrivateKey;
-
-    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
-        write!(formatter, "an OpenSSH-encoded private key")
-    }
-
-    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
-        PrivateKey::from_openssh(v)
-            .map_err(|e| E::custom(format!("{e}")))
-    }
-}
-
-fn deserialize_privkey<'de, D>(deserializer: D) -> Result<PrivateKey, D::Error>
-    where D: Deserializer<'de>
-{
-    deserializer.deserialize_str(PrivkeyVisitor)
-}
-
-
-struct AlgorithmVisitor;
-
-impl<'de> Visitor<'de> for AlgorithmVisitor {
-    type Value = Algorithm;
-
-    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
-        write!(formatter, "an SSH key algorithm identifier, e.g. `ssh-rsa`")
-    }
-
-    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
-        Algorithm::new(v)
-            .map_err(|e| E::custom(format!("{e}")))
-    }
-}
-
-fn deserialize_algorithm<'de, D>(deserializer: D) -> Result<Algorithm, D::Error>
-    where D: Deserializer<'de>
-{
-    deserializer.deserialize_str(AlgorithmVisitor)
-}
-
-
-
-#[cfg(test)]
-mod tests {
-    use std::fs::{self, File};
-    use sqlx::types::uuid::uuid;
-    use crate::credentials::CredentialRecord;
-
-    use super::*;
-
-    fn path(name: &str) -> String {
-        format!("./src/credentials/fixtures/{name}")
-    }
-
-    fn random_uuid() -> Uuid {
-        let bytes = Crypto::salt();
-        Uuid::from_slice(&bytes[..16]).unwrap()
-    }
-
-    fn rsa_plain() -> SshKey {
-        SshKey::from_file(&path("ssh_rsa_plain"), "")
-            .expect("Failed to load SSH key")
-    }
-
-    fn rsa_enc() -> SshKey {
-        SshKey::from_file(
-            &path("ssh_rsa_enc"),
-            "correct horse battery staple"
-        ).expect("Failed to load SSH key")
-    }
-
-    fn ed25519_plain() -> SshKey {
-        SshKey::from_file(&path("ssh_ed25519_plain"), "")
-            .expect("Failed to load SSH key")
-    }
-
-    fn ed25519_enc() -> SshKey {
-        SshKey::from_file(
-            &path("ssh_ed25519_enc"),
-            "correct horse battery staple"
-        ).expect("Failed to load SSH key")
-    }
-
-
-    #[test]
-    fn test_from_file_rsa_plain() {
-        let k = rsa_plain();
-        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
-        assert_eq!(&k.comment, "hello world");
-
-        assert_eq!(
-            k.public_key.fingerprint(Default::default()),
-            k.private_key.fingerprint(Default::default()),
-        );
-        assert_eq!(
-            k.private_key.fingerprint(Default::default()).as_bytes(),
-            [90,162,92,235,160,164,88,179,144,234,84,135,1,249,9,206,
-            201,172,233,129,82,11,145,191,186,144,209,43,81,119,197,18],
-        );
-    }
-
-
-    #[test]
-    fn test_from_file_rsa_enc() {
-        let k = rsa_enc();
-        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
-        assert_eq!(&k.comment, "hello world");
-
-        assert_eq!(
-            k.public_key.fingerprint(Default::default()),
-            k.private_key.fingerprint(Default::default()),
-        );
-        assert_eq!(
-            k.private_key.fingerprint(Default::default()).as_bytes(),
-            [254,147,219,185,96,234,125,190,195,128,37,243,214,193,8,162,
-            34,237,126,199,241,91,195,251,232,84,144,120,25,63,224,157],
-        );
-    }
-
-
-    #[test]
-    fn test_from_file_ed25519_plain() {
-        let k = ed25519_plain();
-        assert_eq!(k.algorithm.as_str(),"ssh-ed25519");
-        assert_eq!(&k.comment, "hello world");
-
-        assert_eq!(
-            k.public_key.fingerprint(Default::default()),
-            k.private_key.fingerprint(Default::default()),
-        );
-        assert_eq!(
-            k.private_key.fingerprint(Default::default()).as_bytes(),
-            [29,30,193,72,239,167,35,89,1,206,126,186,123,112,78,187,
-            240,59,1,15,107,189,72,30,44,64,114,216,32,195,22,201],
-        );
-    }
-
-
-    #[test]
-    fn test_from_file_ed25519_enc() {
-        let k = ed25519_enc();
-        assert_eq!(k.algorithm.as_str(), "ssh-ed25519");
-        assert_eq!(&k.comment, "hello world");
-
-        assert_eq!(
-            k.public_key.fingerprint(Default::default()),
-            k.private_key.fingerprint(Default::default()),
-        );
-        assert_eq!(
-            k.private_key.fingerprint(Default::default()).as_bytes(),
-            [87,233,161,170,18,47,245,116,30,177,120,211,248,54,65,255,
-            41,45,113,107,182,221,189,167,110,9,245,254,44,6,118,141],
-        );
-    }
-
-
-    #[test]
-    fn test_serialize() {
-        let expected = fs::read_to_string(path("ssh_ed25519_plain.json")).unwrap();
-
-        let k = ed25519_plain();
-        let computed = serde_json::to_string(&k)
-            .expect("Failed to serialize SshKey");
-
-        assert_eq!(expected, computed);
-    }
-
-
-    #[test]
-    fn test_deserialize() {
-        let expected = ed25519_plain();
-
-        let json_file = File::open(path("ssh_ed25519_plain.json")).unwrap();
-        let computed = serde_json::from_reader(json_file)
-            .expect("Failed to deserialize json file");
-
-        assert_eq!(expected, computed);
-    }
-
-
-    #[sqlx::test]
-    async fn test_save_db(pool: SqlitePool) {
-        let crypto = Crypto::random();
-        let record = CredentialRecord {
-            id: random_uuid(),
-            name: "save_test".into(),
-            is_default: false,
-            credential: Credential::Ssh(rsa_plain()),
-        };
-        record.save(&crypto, &pool).await
-            .expect("Failed to save SSH key CredentialRecord to database");
-    }
-
-
-    #[sqlx::test(fixtures("ssh_credentials"))]
-    async fn test_load_db(pool: SqlitePool) {
-        let crypto = Crypto::fixed();
-        let id = uuid!("11111111-1111-1111-1111-111111111111");
-        SshKey::load(&id, &crypto, &pool).await
-            .expect("Failed to load SSH key from database");
-    }
-
-
-    #[sqlx::test]
-    async fn test_save_load_db(pool: SqlitePool) {
-        let crypto = Crypto::random();
-
-        let id = random_uuid();
-        let record = CredentialRecord {
-            id,
-            name: "save_load_test".into(),
-            is_default: false,
-            credential: Credential::Ssh(ed25519_plain()),
-        };
-
-        record.save(&crypto, &pool).await.unwrap();
-        let loaded = SshKey::load(&id, &crypto, &pool).await.unwrap();
-        let known = ed25519_plain();
-
-        assert_eq!(known.algorithm, loaded.algorithm);
-        assert_eq!(known.comment, loaded.comment);
-        // comment gets stripped by saving as bytes, so we just compare raw key data
-        assert_eq!(known.public_key.key_data(), loaded.public_key.key_data());
-        assert_eq!(known.private_key, loaded.private_key);
-    }
-}

src-tauri/src/errors.rs

@@ -36,7 +36,7 @@ pub trait ShowError<T, E>
     fn error_print_prefix(self, prefix: &str);
 }
 
-impl<T, E> ShowError<T, E> for Result<T, E>
+impl<T, E> ShowError<T, E> for Result<T, E> 
 where E: std::fmt::Display
 {
     fn error_popup(self, title: &str) {
@@ -91,7 +91,7 @@ impl<E: Error> Serialize for SerializeUpstream<E> {
     }
 }
 
-fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error>
+fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
 where
     E: Error,
     M: serde::ser::SerializeMap,
@@ -173,7 +173,7 @@ pub enum HandlerError {
     StreamIOError(#[from] std::io::Error),
     #[error("Received invalid UTF-8 in request")]
     InvalidUtf8(#[from] FromUtf8Error),
-    #[error("Request malformed: {0}")]
+    #[error("HTTP request malformed")]
     BadRequest(#[from] serde_json::Error),
     #[error("HTTP request too large")]
     RequestTooLarge,
@@ -183,8 +183,6 @@ pub enum HandlerError {
     Internal(#[from] RecvError),
     #[error("Error accessing credentials: {0}")]
     NoCredentials(#[from] GetCredentialsError),
-    #[error("Error saving credentials: {0}")]
-    SaveCredentials(#[from] SaveCredentialsError),
     #[error("Error getting client details: {0}")]
     ClientInfo(#[from] ClientInfoError),
     #[error("Error from Tauri: {0}")]
@@ -193,18 +191,6 @@ pub enum HandlerError {
     NoMainWindow,
     #[error("Request was denied")]
     Denied,
-    #[error(transparent)]
-    SshAgent(#[from] ssh_agent_lib::error::AgentError),
-    #[error(transparent)]
-    SshKey(#[from] ssh_key::Error),
-    #[error(transparent)]
-    Signature(#[from] signature::Error),
-    #[error(transparent)]
-    Encoding(#[from] ssh_encoding::Error),
-
-    #[cfg(windows)]
-    #[error(transparent)]
-    Windows(#[from] windows::core::Error),
 }
 
 
@@ -291,8 +277,6 @@ pub enum SaveCredentialsError {
     NotPersistent,
     #[error("A credential with that name already exists")]
     Duplicate,
-    #[error("Failed to save credentials: {0}")]
-    Encode(#[from] ssh_key::Error),
     // rekeying is fundamentally a save operation,
     // but involves loading in order to re-save
     #[error(transparent)]
@@ -348,8 +332,6 @@ pub enum ClientInfoError {
     #[cfg(windows)]
     #[error("Could not determine PID of connected client")]
     WindowsError(#[from] windows::core::Error),
-    #[error("Could not determine PID of connected client")]
-    PidNotFound,
     #[error(transparent)]
     Io(#[from] std::io::Error),
 }
@@ -376,7 +358,7 @@ pub enum RequestError {
     #[error("Error response from server: {0}")]
     Server(ServerError),
     #[error("Unexpected response from server")]
-    Unexpected(crate::srv::CliResponse),
+    Unexpected(crate::server::Response),
     #[error("The server did not respond with valid JSON")]
     InvalidJson(#[from] serde_json::Error),
     #[error("Error reading/writing stream: {0}")]
@@ -428,17 +410,6 @@ pub enum LaunchTerminalError {
 }
 
 
-#[derive(Debug, ThisError, AsRefStr)]
-pub enum LoadSshKeyError {
-    #[error("Passphrase is invalid")]
-    InvalidPassphrase,
-    #[error("Could not parse SSH private key data")]
-    InvalidData(#[from] ssh_key::Error),
-    #[error(transparent)]
-    Io(#[from] std::io::Error),
-}
-
-
 // =========================
 // Serialize implementations
 // =========================
@@ -465,7 +436,6 @@ impl_serialize_basic!(WindowError);
 impl_serialize_basic!(LockError);
 impl_serialize_basic!(SaveCredentialsError);
 impl_serialize_basic!(LoadCredentialsError);
-impl_serialize_basic!(LoadSshKeyError);
 
 
 impl Serialize for HandlerError {

src-tauri/src/ipc.rs

@@ -5,8 +5,7 @@ use tauri::{AppHandle, State};
 use crate::config::AppConfig;
 use crate::credentials::{
     AppSession,
-    CredentialRecord,
-    SshKey,
+    CredentialRecord
 };
 use crate::errors::*;
 use crate::clientinfo::Client;
@@ -14,65 +13,37 @@ use crate::state::AppState;
 use crate::terminal;
 
 
-#[derive(Clone, Debug, Serialize, Deserialize)]
-pub enum RequestAction {
-    Access,
-    Delete,
-    Save,
-}
-
-
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AwsRequestNotification {
+    pub id: u64,
     pub client: Client,
-    pub name: Option<String>,
     pub base: bool,
 }
 
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct SshRequestNotification {
+    pub id: u64,
     pub client: Client,
     pub key_name: String,
 }
 
 
-#[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct DockerRequestNotification {
-    pub action: RequestAction,
-    pub client: Client,
-    pub server_url: String,
-}
-
-
 #[derive(Clone, Debug, Serialize, Deserialize)]
 #[serde(tag = "type")]
-pub enum RequestNotificationDetail {
+pub enum RequestNotification {
     Aws(AwsRequestNotification),
     Ssh(SshRequestNotification),
-    Docker(DockerRequestNotification),
 }
 
-impl RequestNotificationDetail {
-    pub fn new_aws(client: Client, name: Option<String>, base: bool) -> Self {
-        Self::Aws(AwsRequestNotification {client, name, base})
+impl RequestNotification {
+    pub fn new_aws(id: u64, client: Client, base: bool) -> Self {
+        Self::Aws(AwsRequestNotification {id, client, base})
     }
 
-    pub fn new_ssh(client: Client, key_name: String) -> Self {
-        Self::Ssh(SshRequestNotification {client, key_name})
+    pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
+        Self::Ssh(SshRequestNotification {id, client, key_name})
     }
-
-    pub fn new_docker(action: RequestAction, client: Client, server_url: String) -> Self {
-        Self::Docker(DockerRequestNotification {action, client, server_url})
-    }
-}
-
-
-#[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct RequestNotification {
-    pub id: u64,
-    #[serde(flatten)]
-    pub detail: RequestNotificationDetail,
 }
 
 
@@ -163,18 +134,6 @@ pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<Cred
 }
 
 
-#[tauri::command]
-pub async fn sshkey_from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
-    SshKey::from_file(path, passphrase)
-}
-
-
-#[tauri::command]
-pub async fn sshkey_from_private_key(private_key: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
-    SshKey::from_private_key(private_key, passphrase)
-}
-
-
 #[tauri::command]
 pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
     let config = app_state.config.read().await;
@@ -193,8 +152,7 @@ pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> R
 
 #[tauri::command]
 pub async fn launch_terminal(base: bool) -> Result<(), LaunchTerminalError> {
-    let res = terminal::launch(base).await;
-    res
+    terminal::launch(base).await
 }
 
 
@@ -204,12 +162,6 @@ pub async fn get_setup_errors(app_state: State<'_, AppState>) -> Result<Vec<Stri
 }
 
 
-#[tauri::command]
-pub fn get_devmode() -> bool {
-    cfg!(debug_assertions)
-}
-
-
 #[tauri::command]
 pub fn exit(app_handle: AppHandle) {
     app_handle.exit(0)

src-tauri/src/kv.rs

@@ -44,8 +44,6 @@ pub async fn load_bytes(pool: &SqlitePool, name: &str) -> Result<Option<Vec<u8>>
 }
 
 
-// we don't have a need for this right now, but we will some day
-#[cfg(test)]
 pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
     sqlx::query!("DELETE FROM kv WHERE name = ?", name)
         .execute(pool)
@@ -54,13 +52,13 @@ pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
 }
 
 
-pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {
+pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {    
     let placeholder = names.iter()
         .map(|_| "?")
         .collect::<Vec<&str>>()
         .join(",");
     let query = format!("DELETE FROM kv WHERE name IN ({})", placeholder);
-
+    
     let mut q = sqlx::query(&query);
     for name in names {
         q = q.bind(name);
@@ -85,7 +83,7 @@ macro_rules! load_bytes_multi {
                     (
                         // ...with one item for each repetition of $name
                         $(
-                            // load_bytes returns Result<Option<_>>, the Result is handled by
+                            // load_bytes returns Result<Option<_>>, the Result is handled by 
                             // the ? and we match on the Option
                             match crate::kv::load_bytes($pool, $name).await? {
                                 Some(v) => v,
@@ -189,7 +187,7 @@ mod tests {
     async fn test_delete(pool: SqlitePool) {
         delete(&pool, "test_bytes").await
             .expect("Failed to delete data");
-
+        
         let loaded = load_bytes(&pool, "test_bytes").await
             .expect("Failed to load data");
         assert_eq!(loaded, None);

src-tauri/src/lib.rs

@@ -1,4 +1,5 @@
 pub mod app;
+pub mod cli;
 mod config;
 mod credentials;
 pub mod errors;
@@ -6,7 +7,7 @@ mod clientinfo;
 mod ipc;
 mod kv;
 mod state;
-mod srv;
+pub mod server;
 mod shortcuts;
 mod terminal;
 mod tray;

src-tauri/src/main.rs

@@ -3,34 +3,23 @@
     windows_subsystem = "windows"
 )]
 
-
 use creddy::{
     app,
+    cli,
     errors::ShowError,
 };
-use creddy_cli::{
-    Action,
-    Cli,
-    RunArgs,
-};
 
 
 fn main() {
-    let cli = Cli::parse();
-    let res = match cli.action {
-        None => {
-            let run_args = RunArgs { minimized: false };
-            app::run(run_args, cli.global_args).error_popup("Creddy encountered an error");
-            Ok(())
-        }
-        Some(Action::Run(run_args)) => {
-            app::run(run_args, cli.global_args).error_popup("Creddy encountered an error");
+    let res = match cli::parser().get_matches().subcommand() {
+        None | Some(("run", _)) => {
+            app::run().error_popup("Creddy encountered an error");
             Ok(())
         },
-        Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),
-        Some(Action::Exec(args)) => creddy_cli::exec(args, cli.global_args),
-        Some(Action::Shortcut(args)) => creddy_cli::invoke_shortcut(args, cli.global_args),
-        Some(Action::Docker(cmd)) => creddy_cli::docker_credential_helper(cmd, cli.global_args),
+        Some(("get", m)) => cli::get(m),
+        Some(("exec", m)) => cli::exec(m),
+        Some(("shortcut", m)) => cli::invoke_shortcut(m),
+        _ => unreachable!(),
     };
 
     if let Err(e) = res {

src-tauri/src/server/mod.rs

@@ -0,0 +1,170 @@
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::sync::oneshot;
+
+use serde::{Serialize, Deserialize};
+
+use tauri::{AppHandle, Manager};
+
+use crate::errors::*;
+use crate::clientinfo::{self, Client};
+use crate::credentials::{
+    AwsBaseCredential,
+    AwsSessionCredential,
+};
+use crate::ipc::{Approval, RequestNotification};
+use crate::state::AppState;
+use crate::shortcuts::{self, ShortcutAction};
+
+#[cfg(windows)]
+mod server_win;
+#[cfg(windows)]
+pub use server_win::Server;
+#[cfg(windows)]
+use server_win::Stream;
+
+#[cfg(unix)]
+mod server_unix;
+#[cfg(unix)]
+pub use server_unix::Server;
+#[cfg(unix)]
+use server_unix::Stream;
+
+pub mod ssh_agent;
+
+
+#[derive(Serialize, Deserialize)]
+pub enum Request {
+    GetAwsCredentials{ 
+        base: bool,
+    },
+    InvokeShortcut(ShortcutAction),
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum Response {
+    AwsBase(AwsBaseCredential),
+    AwsSession(AwsSessionCredential),
+    Empty,
+}
+
+
+struct CloseWaiter<'s> {
+    stream: &'s mut Stream,
+}
+
+impl<'s> CloseWaiter<'s> {
+    async fn wait_for_close(&mut self) -> std::io::Result<()> {
+        let mut buf = [0u8; 8];
+        loop {
+            match self.stream.read(&mut buf).await {
+                Ok(0) => break Ok(()),
+                Ok(_) => (),
+                Err(e) => break Err(e),
+            }
+        }
+    }
+}
+
+
+async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError> 
+{
+    // read from stream until delimiter is reached
+    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
+    let mut n = 0;
+    loop {
+        n += stream.read_buf(&mut buf).await?;
+        if let Some(&b'\n') = buf.last() {
+            break;
+        }
+        else if n >= 1024 {
+            return Err(HandlerError::RequestTooLarge);
+        }
+    }
+
+    let client = clientinfo::get_process_parent_info(client_pid)?;
+    let waiter = CloseWaiter { stream: &mut stream };
+
+    let req: Request = serde_json::from_slice(&buf)?;
+    let res = match req {
+        Request::GetAwsCredentials{ base } => get_aws_credentials(
+            base, client, app_handle, waiter
+        ).await,
+        Request::InvokeShortcut(action) => invoke_shortcut(action).await,
+    };
+
+    // doesn't make sense to send the error to the client if the client has already left
+    if let Err(HandlerError::Abandoned) = res {
+        return Err(HandlerError::Abandoned);
+    }
+
+    let res = serde_json::to_vec(&res).unwrap();
+    stream.write_all(&res).await?;
+    Ok(())
+}
+
+
+async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerError> {
+    shortcuts::exec_shortcut(action);
+    Ok(Response::Empty)
+}
+
+
+async fn get_aws_credentials(
+    base: bool,
+    client: Client,
+    app_handle: AppHandle,
+    mut waiter: CloseWaiter<'_>,
+) -> Result<Response, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let rehide_ms = {
+        let config = state.config.read().await;
+        config.rehide_ms
+    };
+    let lease = state.acquire_visibility_lease(rehide_ms).await
+        .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually?
+
+    let (chan_send, chan_recv) = oneshot::channel();
+    let request_id = state.register_request(chan_send).await;
+
+    // if an error occurs in any of the following, we want to abort the operation
+    // but ? returns immediately, and we want to unregister the request before returning
+    // so we bundle it all up in an async block and return a Result so we can handle errors
+    let proceed = async {
+        let notification = RequestNotification::new_aws(request_id, client, base);
+        app_handle.emit("credential-request", &notification)?;
+
+        let response = tokio::select! {
+            r = chan_recv => r?,
+            _ = waiter.wait_for_close() => {
+                app_handle.emit("request-cancelled", request_id)?;
+                return Err(HandlerError::Abandoned);
+            },
+        };
+
+        match response.approval {
+            Approval::Approved => {
+                if response.base {
+                    let creds = state.get_aws_base("default").await?;
+                    Ok(Response::AwsBase(creds))
+                }
+                else {
+                    let creds = state.get_aws_session("default").await?;
+                    Ok(Response::AwsSession(creds.clone()))
+                }
+            },
+            Approval::Denied => Err(HandlerError::Denied),
+        }
+    };
+
+    let result = match proceed.await {
+        Ok(r) => Ok(r),
+        Err(e) => {
+            state.unregister_request(request_id).await;
+            Err(e)
+        }
+    };
+
+    lease.release();
+    result
+}

src-tauri/src/server/server_unix.rs

@@ -0,0 +1,58 @@
+use std::io::ErrorKind;
+use tokio::net::{UnixListener, UnixStream};
+use tauri::{
+    AppHandle,
+    async_runtime as rt,
+};
+
+use crate::errors::*;
+
+
+pub type Stream = UnixStream;
+
+
+pub struct Server {
+    listener: UnixListener,
+    app_handle: AppHandle,
+}
+
+impl Server {
+    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
+        match std::fs::remove_file("/tmp/creddy.sock") {
+            Ok(_) => (),
+            Err(e) if e.kind() == ErrorKind::NotFound => (),
+            Err(e) => return Err(e),
+        }
+
+        let listener = UnixListener::bind("/tmp/creddy.sock")?;
+        let srv = Server { listener, app_handle };
+        rt::spawn(srv.serve());
+        Ok(())
+    }
+
+    async fn serve(self) {
+        loop {
+            self.try_serve()
+                .await
+                .error_print_prefix("Error accepting request: ");
+        }
+    }
+
+    async fn try_serve(&self) -> Result<(), HandlerError> {
+        let (stream, _addr) = self.listener.accept().await?;
+        let new_handle = self.app_handle.clone();
+        let client_pid = get_client_pid(&stream)?;
+        rt::spawn(async move {
+            super::handle(stream, new_handle, client_pid)
+                .await
+                .error_print_prefix("Error responding to request: ");
+        });
+        Ok(())
+    }
+}
+
+
+fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> {
+    let cred = stream.peer_cred()?;
+    Ok(cred.pid().unwrap() as u32)
+}

src-tauri/src/server/server_win.rs

@@ -0,0 +1,74 @@
+use tokio::net::windows::named_pipe::{
+    NamedPipeServer,
+    ServerOptions,
+};
+
+use tauri::{AppHandle, Manager};
+
+use windows::Win32:: {
+    Foundation::HANDLE,
+    System::Pipes::GetNamedPipeClientProcessId,
+};
+
+use std::os::windows::io::AsRawHandle;
+
+use tauri::async_runtime as rt;
+
+use crate::errors::*;
+
+
+// used by parent module
+pub type Stream = NamedPipeServer;
+
+
+pub struct Server {
+    listener: NamedPipeServer,
+    app_handle: AppHandle,
+}
+
+impl Server {
+    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
+        let listener = ServerOptions::new()
+            .first_pipe_instance(true)
+            .create(r"\\.\pipe\creddy-requests")?;
+
+        let srv = Server {listener, app_handle};
+        rt::spawn(srv.serve());
+        Ok(())
+    }
+
+    async fn serve(mut self) {
+        loop {
+            if let Err(e) = self.try_serve().await {
+                eprintln!("Error accepting connection: {e}");
+            }
+        }
+    }
+
+    async fn try_serve(&mut self) -> Result<(), HandlerError> {
+        // connect() just waits for a client to connect, it doesn't return anything
+        self.listener.connect().await?;
+
+        // create a new pipe instance to listen for the next client, and swap it in
+        let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?;
+        let stream = std::mem::replace(&mut self.listener, new_listener);
+        let new_handle = self.app_handle.clone();
+        let client_pid = get_client_pid(&stream)?;
+        rt::spawn(async move {
+            super::handle(stream, new_handle, client_pid)
+                .await
+                .error_print_prefix("Error responding to request: ");
+        });
+
+        Ok(())
+    }
+}
+
+
+fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> {
+    let raw_handle = pipe.as_raw_handle();
+    let mut pid = 0u32;
+    let handle = HANDLE(raw_handle as _);
+    unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
+    Ok(pid)
+}

src-tauri/src/server/ssh_agent.rs

@@ -0,0 +1,77 @@
+use signature::Signer;
+use ssh_agent_lib::agent::{Agent, Session};
+use ssh_agent_lib::proto::message::Message;
+use ssh_key::public::PublicKey;
+use ssh_key::private::PrivateKey;
+use tokio::net::UnixListener;
+
+
+struct SshAgent;
+
+impl std::default::Default for SshAgent {
+    fn default() -> Self {
+        SshAgent {}
+    }
+}
+
+#[ssh_agent_lib::async_trait]
+impl Session for SshAgent {
+    async fn handle(&mut self, message: Message) -> Result<Message, Box<dyn std::error::Error>> {
+        println!("Received message");
+        match message {
+            Message::RequestIdentities => {
+                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519.pub");
+                let pubkey = PublicKey::read_openssh_file(&p).unwrap();
+                let id = ssh_agent_lib::proto::message::Identity {
+                    pubkey_blob: pubkey.to_bytes().unwrap(),
+                    comment: pubkey.comment().to_owned(),
+                };
+                Ok(Message::IdentitiesAnswer(vec![id]))
+            },
+            Message::SignRequest(req) => {
+                println!("Received sign request");
+                let mut req_bytes = vec![13];
+                encode_string(&mut req_bytes, &req.pubkey_blob);
+                encode_string(&mut req_bytes, &req.data);
+                req_bytes.extend(req.flags.to_be_bytes());
+                std::fs::File::create("/tmp/signreq").unwrap().write(&req_bytes).unwrap();
+
+                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519");
+                let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
+                let privkey = PrivateKey::read_openssh_file(&p)
+                    .unwrap()
+                    .decrypt(passphrase.as_bytes())
+                    .unwrap();
+
+
+
+                let sig = Signer::sign(&privkey, &req.data);
+                use std::io::Write;
+                std::fs::File::create("/tmp/sig").unwrap().write(sig.as_bytes()).unwrap();
+
+                let mut payload = Vec::with_capacity(128);
+                encode_string(&mut payload, "ssh-ed25519".as_bytes());
+                encode_string(&mut payload, sig.as_bytes());
+                println!("Payload length: {}", payload.len());
+                std::fs::File::create("/tmp/payload").unwrap().write(&payload).unwrap();
+                Ok(Message::SignResponse(payload))
+            },
+            _ => Ok(Message::Failure),
+        }
+    }
+}
+
+
+fn encode_string(buf: &mut Vec<u8>, s: &[u8]) {
+    let len = s.len() as u32;
+    buf.extend(len.to_be_bytes());
+    buf.extend(s);
+}
+
+
+pub async fn run() {
+    let socket = "/tmp/creddy-agent.sock";
+    let _ = std::fs::remove_file(socket);
+    let listener = UnixListener::bind(socket).unwrap();
+    SshAgent.listen(listener).await.unwrap();
+}

src-tauri/src/shortcuts.rs

@@ -44,7 +44,10 @@ fn launch_terminal() {
 pub fn register_hotkeys(hotkeys: &HotkeysConfig) -> Result<(), ShortcutError> {
     let app = APP.get().unwrap();
     let shortcuts = app.global_shortcut();
-    shortcuts.unregister_all()?;
+    shortcuts.unregister_all([
+        hotkeys.show_window.keys.as_str(),
+        hotkeys.launch_terminal.keys.as_str(),
+    ])?;
 
     if hotkeys.show_window.enabled {
         shortcuts.on_shortcut(

src-tauri/src/srv/agent.rs

@@ -1,88 +0,0 @@
-use futures::SinkExt;
-use ssh_agent_lib::agent::MessageCodec;
-use ssh_agent_lib::proto::message::{
-    Message,
-    SignRequest,
-};
-use tauri::{AppHandle, Manager};
-use tokio_stream::StreamExt;
-use tokio_util::codec::Framed;
-
-use crate::clientinfo;
-use crate::errors::*;
-use crate::ipc::{Approval, RequestNotificationDetail};
-use crate::state::AppState;
-
-use super::{CloseWaiter, Stream};
-
-
-pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
-    super::serve("creddy-agent", app_handle, handle)
-}
-
-
-async fn handle(
-    stream: Stream,
-    app_handle: AppHandle,
-    client_pid: u32
-) -> Result<(), HandlerError> {
-    let mut adapter = Framed::new(stream, MessageCodec);
-    while let Some(message) = adapter.try_next().await? {
-        match message {
-            Message::RequestIdentities => {
-                let resp = list_identities(app_handle.clone()).await?;
-                adapter.send(resp).await?;
-            },
-            Message::SignRequest(req) => {
-                // Note: If the client writes more data to the stream *while* at the
-                // same time waiting for a resopnse to a previous request, this will
-                // corrupt the framing. Clients don't seem to behave that way though?
-                let waiter = CloseWaiter { stream: adapter.get_mut() };
-                let resp = sign_request(req, app_handle.clone(), client_pid, waiter).await?;
-
-                // have to do this before we send since we can't inspect the message after
-                let is_failure = matches!(resp, Message::Failure);
-                adapter.send(resp).await?;
-
-                if is_failure {
-                    // this way we don't get spammed with requests for other keys
-                    // after denying the first
-                    break
-                }
-            },
-            _ => adapter.send(Message::Failure).await?,
-        };
-    }
-    Ok(())
-}
-
-
-async fn list_identities(app_handle: AppHandle) -> Result<Message, HandlerError> {
-    let state = app_handle.state::<AppState>();
-    let identities = state.list_ssh_identities().await?;
-    Ok(Message::IdentitiesAnswer(identities))
-}
-
-
-async fn sign_request(
-    req: SignRequest,
-    app_handle: AppHandle,
-    client_pid: u32,
-    waiter: CloseWaiter<'_>,
-) -> Result<Message, HandlerError> {
-    let state = app_handle.state::<AppState>();
-
-    let client = clientinfo::get_client(client_pid, false)?;
-    let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
-    let detail = RequestNotificationDetail::new_ssh(client, key_name.clone());
-
-    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    match response.approval {
-        Approval::Approved => {
-            let key = state.sshkey_by_name(&key_name).await?;
-            let sig = key.sign_request(&req)?;
-            Ok(Message::SignResponse(sig))
-        },
-        Approval::Denied => Err(HandlerError::Abandoned),
-    }
-}

src-tauri/src/srv/creddy_server.rs

@@ -1,223 +0,0 @@
-use tauri::{AppHandle, Manager};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use crate::clientinfo::{self, Client};
-use crate::credentials::{
-    self,
-    Credential,
-    CredentialRecord,
-    DockerCredential,
-};
-use crate::errors::*;
-use crate::ipc::{
-    Approval,
-    RequestAction,
-    RequestNotificationDetail
-};
-use crate::shortcuts::{self, ShortcutAction};
-use crate::state::AppState;
-use super::{
-    CloseWaiter,
-    CliCredential,
-    CliRequest,
-    CliResponse,
-    Stream,
-};
-
-
-pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
-    super::serve("creddy-server", app_handle, handle)
-}
-
-
-async fn handle(
-    mut stream: Stream,
-    app_handle: AppHandle,
-    client_pid: u32
-) -> Result<(), HandlerError> {
-    // read from stream until delimiter is reached
-    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
-    let mut n = 0;
-    loop {
-        n += stream.read_buf(&mut buf).await?;
-        if let Some(&b'\n') = buf.last() {
-            break;
-        }
-        // sanity check, no request should ever be within a mile of 1MB
-        else if n >= (1024 * 1024) {
-            return Err(HandlerError::RequestTooLarge);
-        }
-    }
-
-    let client = clientinfo::get_client(client_pid, true)?;
-    let waiter = CloseWaiter { stream: &mut stream };
-
-
-    let req: CliRequest = serde_json::from_slice(&buf)?;
-    let res = match req {
-        CliRequest::GetAwsCredential{ name, base } => get_aws_credentials(
-            name, base, client, app_handle, waiter
-        ).await,
-        CliRequest::GetDockerCredential{ server_url } => get_docker_credential (
-            server_url, client, app_handle, waiter
-        ).await,
-        CliRequest::StoreDockerCredential(docker_credential) => store_docker_credential(
-             docker_credential, app_handle, client, waiter
-        ).await,
-        CliRequest::EraseDockerCredential { server_url } => erase_docker_credential(
-            server_url, app_handle, client, waiter
-        ).await,
-        CliRequest::InvokeShortcut{ action } => invoke_shortcut(action).await,
-    };
-
-    // doesn't make sense to send the error to the client if the client has already left
-    if let Err(HandlerError::Abandoned) = res {
-        return Err(HandlerError::Abandoned);
-    }
-
-    let res = serde_json::to_vec(&res).unwrap();
-    stream.write_all(&res).await?;
-    Ok(())
-}
-
-
-async fn invoke_shortcut(action: ShortcutAction) -> Result<CliResponse, HandlerError> {
-    shortcuts::exec_shortcut(action);
-    Ok(CliResponse::Empty)
-}
-
-
-async fn get_aws_credentials(
-    name: Option<String>,
-    base: bool,
-    client: Client,
-    app_handle: AppHandle,
-    waiter: CloseWaiter<'_>,
-) -> Result<CliResponse, HandlerError> {
-    let detail = RequestNotificationDetail::new_aws(client, name.clone(), base);
-    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    match response.approval {
-        Approval::Approved => {
-            let state = app_handle.state::<AppState>();
-            if response.base {
-                let creds = state.get_aws_base(name).await?;
-                Ok(CliResponse::Credential(CliCredential::AwsBase(creds)))
-            }
-            else {
-                let creds = state.get_aws_session(name).await?.clone();
-                Ok(CliResponse::Credential(CliCredential::AwsSession(creds)))
-            }
-        },
-        Approval::Denied => Err(HandlerError::Denied),
-    }
-}
-
-async fn get_docker_credential(
-    server_url: String,
-    client: Client,
-    app_handle: AppHandle,
-    waiter: CloseWaiter<'_>,
-) -> Result<CliResponse, HandlerError> {
-    let state = app_handle.state::<AppState>();
-    let meta = state.docker_credential_meta(&server_url).await.unwrap_or(None);
-    if  meta.is_none() {
-        return Err(
-            HandlerError::NoCredentials(
-                GetCredentialsError::Load(
-                    LoadCredentialsError::NoCredentials
-                )
-            )
-        );
-    }
-
-    let detail = RequestNotificationDetail::new_docker(
-        RequestAction::Access,
-        client,
-        server_url.clone()
-    );
-    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    match response.approval {
-        Approval::Approved => {
-            let creds = state.get_docker_credential(&server_url).await?;
-            Ok(CliResponse::Credential(CliCredential::Docker(creds)))
-        },
-        Approval::Denied => {
-            Err(HandlerError::Denied)
-        },
-    }
-}
-
-async fn store_docker_credential(
-    docker_credential: DockerCredential,
-    app_handle: AppHandle,
-    client: Client,
-    waiter: CloseWaiter<'_>,
-) -> Result<CliResponse, HandlerError> {
-    let state = app_handle.state::<AppState>();
-
-    // We want to do this before asking for confirmation from the user, because Docker has an annoying
-    // habit of calling `get` and then immediately turning around and calling `store` with the same
-    // data. In that case we want to avoid asking for confirmation at all.
-    match state.get_docker_credential(&docker_credential.server_url).await {
-        // if there is already a credential with this server_url, and it is unchanged, we're done
-        Ok(c) if c == docker_credential => return Ok(CliResponse::Empty),
-        // otherwise we are making an update, so proceed
-        Ok(_) => (),
-        // if the app is locked, then this isn't the situation described above, so proceed
-        Err(GetCredentialsError::Locked) => (),
-        // if the app is unlocked, and there is no matching credential, proceed
-        Err(GetCredentialsError::Load(LoadCredentialsError::NoCredentials)) => (),
-        // any other error is a failure
-        Err(e) => return Err(e.into()),
-    };
-
-    let detail = RequestNotificationDetail::new_docker(
-        RequestAction::Save,
-        client,
-        docker_credential.server_url.clone(),
-    );
-    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    if matches!(response.approval, Approval::Denied) {
-        return Err(HandlerError::Denied);
-    }
-
-    let (id, name) = state.docker_credential_meta(&docker_credential.server_url)
-        .await
-        .map_err(|e| GetCredentialsError::Load(e))?
-        .unwrap_or_else(|| (credentials::random_uuid(), docker_credential.server_url.clone()));
-
-    let record = CredentialRecord {
-        id,
-        name,
-        is_default: false,
-        credential: Credential::Docker(docker_credential)
-    };
-    state.save_credential(record).await?;
-
-    Ok(CliResponse::Empty)
-}
-
-async fn erase_docker_credential(
-    server_url: String,
-    app_handle: AppHandle,
-    client: Client,
-    waiter: CloseWaiter<'_>
-) -> Result<CliResponse, HandlerError> {
-    let state = app_handle.state::<AppState>();
-
-    let detail = RequestNotificationDetail::new_docker(
-        RequestAction::Delete,
-        client,
-        server_url.clone(),
-    );
-    let resp = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
-    match resp.approval {
-        Approval::Approved => {
-            state.delete_credential_by_name(&server_url).await?;
-            Ok(CliResponse::Empty)
-        }
-        Approval::Denied => {
-            Err(HandlerError::Denied)
-        }
-    }
-}

src-tauri/src/srv/mod.rs

@@ -1,258 +0,0 @@
-use std::future::Future;
-
-use tauri::{
-    AppHandle,
-    async_runtime as rt,
-    Emitter,
-    Manager,
-    Runtime,
-};
-use tokio::io::AsyncReadExt;
-use tokio::sync::oneshot;
-use serde::{Serialize, Deserialize};
-
-use crate::credentials::{
-    AwsBaseCredential,
-    AwsSessionCredential,
-    DockerCredential,
-};
-use crate::errors::*;
-use crate::ipc::{RequestNotification, RequestNotificationDetail, RequestResponse};
-use crate::shortcuts::ShortcutAction;
-use crate::state::AppState;
-
-pub mod creddy_server;
-pub mod agent;
-use platform::Stream;
-
-
-// These types match what's defined in creddy_cli, but they are separate types
-// so that we avoid polluting the standalone CLI with a bunch of dependencies
-// that would make it impossible to build a completely static-linked version
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(tag = "type")]
-pub enum CliRequest {
-    GetAwsCredential {
-        name: Option<String>,
-        base: bool,
-    },
-    GetDockerCredential {
-        server_url: String,
-    },
-    StoreDockerCredential(DockerCredential),
-    EraseDockerCredential {
-        server_url: String,
-    },
-    InvokeShortcut{
-        action: ShortcutAction,
-    },
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum CliResponse {
-    Credential(CliCredential),
-    Empty,
-}
-
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum CliCredential {
-    AwsBase(AwsBaseCredential),
-    AwsSession(AwsSessionCredential),
-    Docker(DockerCredential),
-}
-
-
-struct CloseWaiter<'s> {
-    stream: &'s mut Stream,
-}
-
-impl<'s> CloseWaiter<'s> {
-    async fn wait_for_close(&mut self) -> std::io::Result<()> {
-        let mut buf = [0u8; 8];
-        loop {
-            match self.stream.read(&mut buf).await {
-                Ok(0) => break Ok(()),
-                Ok(_) => (),
-                Err(e) => break Err(e),
-            }
-        }
-    }
-}
-
-
-// note: AppHandle is generic over `Runtime` for testing
-fn serve<H, F, R>(sock_name: &str, app_handle: AppHandle<R>, handler: H) -> std::io::Result<()>
-    where H: Copy + Send + Fn(Stream, AppHandle<R>, u32) -> F + 'static,
-          F: Send + Future<Output = Result<(), HandlerError>>,
-          R: Runtime
-{
-    let (mut listener, addr) = platform::bind(sock_name)?;
-    rt::spawn(async move {
-        loop {
-            let (stream, client_pid) = match platform::accept(&mut listener, &addr).await {
-                Ok((s, c)) => (s, c),
-                Err(e) => {
-                    eprintln!("Error accepting request: {e}");
-                    continue;
-                },
-            };
-            let new_handle = app_handle.clone();
-            rt::spawn(async move {
-                handler(stream, new_handle, client_pid)
-                    .await
-                    .error_print_prefix("Error responding to request: ");
-            });
-        }
-    });
-    Ok(())
-}
-
-
-async fn send_credentials_request(
-    detail: RequestNotificationDetail,
-    app_handle: AppHandle,
-    mut waiter: CloseWaiter<'_>
-) -> Result<RequestResponse, HandlerError> {
-    let state = app_handle.state::<AppState>();
-    let rehide_ms = {
-        let config = state.config.read().await;
-        config.rehide_ms
-    };
-
-    let lease = state.acquire_visibility_lease(rehide_ms).await
-        .map_err(|_e| HandlerError::NoMainWindow)?;
-
-    let (chan_send, chan_recv) = oneshot::channel();
-    let request_id = state.register_request(chan_send).await;
-    let notification = RequestNotification { id: request_id, detail };
-
-    // the following could fail in various ways, but we want to make sure
-    // the request gets unregistered on any failure, so we wrap this all
-    // up in an async block so that we only have to handle the error case once
-    let proceed = async {
-        app_handle.emit("credential-request", &notification)?;
-        tokio::select! {
-            r = chan_recv => Ok(r?),
-            _ = waiter.wait_for_close() => {
-                app_handle.emit("request-cancelled", request_id)?;
-                Err(HandlerError::Abandoned)
-            },
-        }
-    };
-
-    let res = proceed.await;
-    if let Err(_) = &res {
-        state.unregister_request(request_id).await;
-    }
-
-    lease.release();
-    res
-}
-
-
-#[cfg(unix)]
-mod platform {
-    use std::io::ErrorKind;
-    use std::path::PathBuf;
-    use tokio::net::{UnixListener, UnixStream};
-    use super::*;
-
-
-    pub type Stream = UnixStream;
-
-    pub fn bind(sock_name: &str) -> std::io::Result<(UnixListener, PathBuf)> {
-        let path = creddy_cli::server_addr(sock_name);
-        match std::fs::remove_file(&path) {
-            Ok(_) => (),
-            Err(e) if e.kind() == ErrorKind::NotFound => (),
-            Err(e) => return Err(e),
-        }
-
-        let listener = UnixListener::bind(&path)?;
-        Ok((listener, path))
-    }
-
-    pub async fn accept(listener: &mut UnixListener, _addr: &PathBuf) -> Result<(UnixStream, u32), HandlerError> {
-        let (stream, _addr) = listener.accept().await?;
-        let pid = stream.peer_cred()?
-            .pid()
-            .ok_or(ClientInfoError::PidNotFound)?
-            as u32;
-
-        Ok((stream, pid))
-    }
-}
-
-
-#[cfg(windows)]
-mod platform {
-    use std::os::windows::io::AsRawHandle;
-    use std::path::PathBuf;
-    use tokio::net::windows::named_pipe::{
-        NamedPipeServer,
-        ServerOptions,
-    };
-    use windows::Win32::{
-        Foundation::HANDLE,
-        System::Pipes::GetNamedPipeClientProcessId,
-    };
-    use super::*;
-
-
-    pub type Stream = NamedPipeServer;
-
-    pub fn bind(sock_name: &str) -> std::io::Result<(NamedPipeServer, PathBuf)> {
-        let addr = creddy_cli::server_addr(sock_name);
-        let listener = ServerOptions::new()
-            .first_pipe_instance(true)
-            .create(&addr)?;
-        Ok((listener, addr))
-    }
-
-    pub async fn accept(listener: &mut NamedPipeServer, addr: &PathBuf) -> Result<(NamedPipeServer, u32), HandlerError> {
-        // connect() just waits for a client to connect, it doesn't return anything
-        listener.connect().await?;
-
-        // unlike Unix sockets, a Windows NamedPipeServer *becomes* the open stream
-        // once a client connects. If we want to keep listening, we have to construct
-        // a new server and swap it in.
-        let new_listener = ServerOptions::new().create(addr)?;
-        let stream = std::mem::replace(listener, new_listener);
-
-        let raw_handle = stream.as_raw_handle();
-        let mut pid = 0u32;
-        let handle = HANDLE(raw_handle as _);
-        unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
-        Ok((stream, pid))
-    }
-}
-
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use tokio::io::AsyncWriteExt;
-
-    #[tokio::test]
-    async fn test_server_connect() {
-        let app = tauri::test::mock_app();
-        serve("creddy_server_test", app.app_handle().clone(), |mut stream, _handle, _pid| {
-            async move {
-                let buf = serde_json::to_vec(&CliResponse::Empty).unwrap();
-                stream.write_all(&buf).await.unwrap();
-                Ok(())
-            }
-        }).unwrap();
-
-        let addr = creddy_cli::server_addr("creddy_server_test");
-        let mut stream = creddy_cli::connect(Some(addr)).await.unwrap();
-
-        let mut buf = Vec::new();
-        stream.read_to_end(&mut buf).await.unwrap();
-        let resp: CliResponse = serde_json::from_slice(&buf).unwrap();
-
-        assert!(matches!(resp, CliResponse::Empty))
-    }
-}

src-tauri/src/state.rs

@@ -1,5 +1,4 @@
 use std::collections::HashMap;
-use std::collections::hash_map::Entry;
 use std::time::Duration;
 use time::OffsetDateTime;
 
@@ -7,11 +6,9 @@ use tokio::{
     sync::{RwLock, RwLockReadGuard},
     sync::oneshot::{self, Sender},
 };
-use ssh_agent_lib::proto::message::Identity;
 use sqlx::SqlitePool;
 use sqlx::types::Uuid;
 use tauri::{
-    Emitter,
     Manager,
     async_runtime as rt,
 };
@@ -20,20 +17,16 @@ use crate::app;
 use crate::credentials::{
     AppSession,
     AwsSessionCredential,
-    DockerCredential,
-    SshKey,
 };
-use crate::config::AppConfig;
+use crate::{config, config::AppConfig};
 use crate::credentials::{
     AwsBaseCredential,
-    Credential,
     CredentialRecord,
     PersistentCredential
 };
 use crate::ipc::{self, RequestResponse};
 use crate::errors::*;
 use crate::shortcuts;
-use crate::tray;
 
 
 #[derive(Debug)]
@@ -114,8 +107,7 @@ impl VisibilityLease {
 pub struct AppState {
     pub config: RwLock<AppConfig>,
     pub app_session: RwLock<AppSession>,
-    // session cache is keyed on id rather than name because names can change
-    pub aws_sessions: RwLock<HashMap<Uuid, AwsSessionCredential>>,
+    pub aws_session: RwLock<Option<AwsSessionCredential>>,
     pub last_activity: RwLock<OffsetDateTime>,
     pub request_count: RwLock<u64>,
     pub waiting_requests: RwLock<HashMap<u64, Sender<RequestResponse>>>,
@@ -138,7 +130,7 @@ impl AppState {
         AppState {
             config: RwLock::new(config),
             app_session: RwLock::new(app_session),
-            aws_sessions: RwLock::new(HashMap::new()),
+            aws_session: RwLock::new(None),
             last_activity: RwLock::new(OffsetDateTime::now_utc()),
             request_count: RwLock::new(0),
             waiting_requests: RwLock::new(HashMap::new()),
@@ -163,13 +155,6 @@ impl AppState {
         Ok(())
     }
 
-    pub async fn delete_credential_by_name(&self, name: &str) -> Result<(), SaveCredentialsError> {
-        sqlx::query!("DELETE FROM credentials WHERE name = ?", name)
-            .execute(&self.pool)
-            .await?;
-        Ok(())
-    }
-
     pub async fn list_credentials(&self) -> Result<Vec<CredentialRecord>, GetCredentialsError> {
         let session = self.app_session.read().await;
         let crypto = session.try_get_crypto()?;
@@ -177,10 +162,6 @@ impl AppState {
         Ok(list)
     }
 
-    pub async fn list_ssh_identities(&self) -> Result<Vec<Identity>, GetCredentialsError> {
-        Ok(SshKey::list_identities(&self.pool).await?)
-    }
-
     pub async fn set_passphrase(&self, passphrase: &str) -> Result<(), SaveCredentialsError> {
         let mut cur_session = self.app_session.write().await;
         if let AppSession::Locked {..} = *cur_session {
@@ -203,11 +184,10 @@ impl AppState {
 
     pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
         let mut live_config = self.config.write().await;
-
+        
         // update autostart if necessary
-        if new_config.start_on_login != live_config.start_on_login
-            || new_config.start_minimized != live_config.start_minimized {
-            new_config.set_auto_launch()?;
+        if new_config.start_on_login != live_config.start_on_login {
+            config::set_auto_launch(new_config.start_on_login)?;
         }
 
         // re-register hotkeys if necessary
@@ -255,11 +235,7 @@ impl AppState {
 
     pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
         let mut session = self.app_session.write().await;
-        session.unlock(passphrase)?;
-        let app_handle = app::APP.get().unwrap();
-        let menu = app_handle.state::<tray::MenuItems>();
-        let _ = menu.after_unlock(); // we don't care if this fails, it's non-essential
-        Ok(())
+        session.unlock(passphrase)
     }
 
     pub async fn lock(&self) -> Result<(), LockError> {
@@ -273,9 +249,6 @@ impl AppState {
                 let app_handle = app::APP.get().unwrap();
                 app_handle.emit("locked", None::<usize>)?;
 
-                let menu = app_handle.state::<tray::MenuItems>();
-                let _ = menu.after_lock();
-
                 Ok(())
             }
         }
@@ -288,82 +261,29 @@ impl AppState {
         Ok(())
     }
 
-    pub async fn get_aws_base(&self, name: Option<String>) -> Result<AwsBaseCredential, GetCredentialsError> {
+    pub async fn get_aws_base(&self, name: &str) -> Result<AwsBaseCredential, GetCredentialsError> {
         let app_session = self.app_session.read().await;
         let crypto = app_session.try_get_crypto()?;
-        let creds = match name {
-            Some(n) => AwsBaseCredential::load_by_name(&n, crypto, &self.pool).await?,
-            None => AwsBaseCredential::load_default(crypto, &self.pool).await?,
-        };
+        let creds = AwsBaseCredential::load_by_name(name, crypto, &self.pool).await?;
         Ok(creds)
     }
 
-    pub async fn get_aws_session(&self, name: Option<String>) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
-        let app_session = self.app_session.read().await;
-        let crypto = app_session.try_get_crypto()?;
-        let record = match name {
-            Some(n) => CredentialRecord::load_by_name(&n, crypto, &self.pool).await?,
-            None => CredentialRecord::load_default("aws", crypto, &self.pool).await?,
-        };
-        let base = match &record.credential {
-            Credential::AwsBase(b) => Ok(b),
-            _ => Err(LoadCredentialsError::NoCredentials)
-        }?;
-
+    pub async fn get_aws_session(&self, name: &str) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
+        // yes, this sometimes results in double-fetching base credentials from disk
+        // I'm done trying to be optimal
         {
-            let mut aws_sessions = self.aws_sessions.write().await;
-            match aws_sessions.entry(record.id) {
-                Entry::Vacant(e) => {
-                    e.insert(AwsSessionCredential::from_base(&base).await?);
-                },
-                Entry::Occupied(mut e) if e.get().is_expired() => {
-                    *(e.get_mut()) = AwsSessionCredential::from_base(&base).await?;
-                },
-                _ => ()
+            let mut aws_session = self.aws_session.write().await;
+            if aws_session.is_none() || aws_session.as_ref().unwrap().is_expired() {
+                let base_creds = self.get_aws_base(name).await?;
+                *aws_session = Some(AwsSessionCredential::from_base(&base_creds).await?);
             }
         }
 
-        // we know the unwrap is safe, because we just made sure of it
-        let s = RwLockReadGuard::map(self.aws_sessions.read().await, |map| map.get(&record.id).unwrap());
+        // we know this is safe, because we juse made sure of it
+        let s = RwLockReadGuard::map(self.aws_session.read().await, |opt| opt.as_ref().unwrap());
         Ok(s)
     }
 
-    pub async fn ssh_name_from_pubkey(&self, pubkey: &[u8]) -> Result<String, GetCredentialsError> {
-        let k = SshKey::name_from_pubkey(pubkey, &self.pool).await?;
-        Ok(k)
-    }
-
-    pub async fn sshkey_by_name(&self, name: &str) -> Result<SshKey, GetCredentialsError> {
-        let app_session = self.app_session.read().await;
-        let crypto = app_session.try_get_crypto()?;
-        let k = SshKey::load_by_name(name, crypto, &self.pool).await?;
-        Ok(k)
-    }
-
-    pub async fn docker_credential_meta(
-        &self, server_url: &str
-    ) -> Result<Option<(Uuid, String)>, LoadCredentialsError> {
-        let res = sqlx::query!(
-            r#"SELECT
-                c.id as "id: Uuid",
-                c.name
-            FROM
-                credentials c
-                JOIN docker_credentials d
-                    ON d.id = c.id
-            WHERE d.server_url = ?"#,
-            server_url
-        ).fetch_optional(&self.pool).await?;
-        Ok(res.map(|row| (row.id, row.name)))
-    }
-
-    pub async fn get_docker_credential(&self, server_url: &str) -> Result<DockerCredential, GetCredentialsError> {
-        let app_session = self.app_session.read().await;
-        let crypto = app_session.try_get_crypto()?;
-        let d = DockerCredential::load_by("server_url", server_url.to_owned(), crypto, &self.pool).await?;
-        Ok(d)
-    }
-
     pub async fn signal_activity(&self) {
         let mut last_activity = self.last_activity.write().await;
         *last_activity = OffsetDateTime::now_utc();

src-tauri/src/terminal.rs

@@ -1,11 +1,7 @@
 use std::process::Command;
 use std::time::Duration;
 
-use tauri::{
-    AppHandle,
-    Listener,
-    Manager,
-};
+use tauri::Manager;
 use tokio::time::sleep;
 
 use crate::app::APP;
@@ -22,18 +18,6 @@ pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
         return Ok(());
     }
 
-    let res = do_launch(app, use_base).await;
-
-    state.unregister_terminal_request().await;
-    res
-}
-
-
-// this handles most of the work, the outer function is just to ensure we properly
-// unregister the request if there's an error
-async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminalError> {
-    let state = app.state::<AppState>();
-
     let mut cmd = {
         let config = state.config.read().await;
         let mut cmd = Command::new(&config.terminal.exec);
@@ -57,6 +41,7 @@ async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminal
             _ = rx => lease.release(),
             // otherwise, dump this request, but return Ok so we don't get an error popup
             _ = sleep(timeout) => {
+                state.unregister_terminal_request().await;
                 eprintln!("WARNING: Request to launch terminal timed out after 60 seconds.");
                 return Ok(());
             },
@@ -67,24 +52,27 @@ async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminal
     // (i.e. lies about unlocking) we could end up here with a locked session
     // this will result in an error popup to the user (see main hotkey handler)
     if use_base {
-        let base_creds = state.get_aws_base(None).await?;
+        let base_creds = state.get_aws_base("default").await?;
         cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key);
     }
     else {
-        let session_creds = state.get_aws_session(None).await?;
+        let session_creds = state.get_aws_session("default").await?;
         cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id);
         cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key);
         cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token);
     }
 
-    match cmd.spawn() {
+    let res = match cmd.spawn() {
         Ok(_) => Ok(()),
         Err(e) if std::io::ErrorKind::NotFound == e.kind() => {
             Err(ExecError::NotFound(cmd.get_program().to_owned()))
         },
         Err(e) => Err(ExecError::ExecutionFailed(e)),
-    }?;
+    };
 
+    state.unregister_terminal_request().await;
+
+    res?; // ? auto-conversion is more liberal than .into()
     Ok(())
 }

src-tauri/src/tray.rs

@@ -7,78 +7,27 @@ use tauri::{
 use tauri::menu::{
     MenuBuilder,
     MenuEvent,
-    MenuItem,
     MenuItemBuilder,
-    PredefinedMenuItem,
 };
-use tauri::tray::TrayIconBuilder;
 
 use crate::app;
 use crate::state::AppState;
 
 
-pub struct MenuItems {
-    pub status: MenuItem<tauri::Wry>,
-    pub show_hide: MenuItem<tauri::Wry>,
-}
-
-impl MenuItems {
-    pub fn after_show(&self) -> tauri::Result<()> {
-        self.show_hide.set_text("Hide")
-    }
-
-    pub fn after_hide(&self) -> tauri::Result<()> {
-        self.show_hide.set_text("Show")
-    }
-
-    pub fn after_lock(&self) -> tauri::Result<()> {
-        if cfg!(debug_assertions) {
-            self.status.set_text("Creddy (dev): Locked")
-        }
-        else {
-            self.status.set_text("Creddy: Locked")
-        }
-    }
-
-    pub fn after_unlock(&self) -> tauri::Result<()> {
-        if cfg!(debug_assertions) {
-            self.status.set_text("Creddy (dev): Unlocked")
-        }
-        else {
-            self.status.set_text("Creddy: Unlocked")
-        }
-    }
-}
-
-
 pub fn setup(app: &App) -> tauri::Result<()> {
-    let status_text =
-        if cfg!(debug_assertions) {
-            "Creddy (dev): Locked"
-        }
-        else {
-            "Creddy: Locked"
-        };
-
-    let status = MenuItemBuilder::with_id("status", status_text)
-        .enabled(false)
-        .build(app)?;
-    let sep = PredefinedMenuItem::separator(app)?;
     let show_hide = MenuItemBuilder::with_id("show_hide", "Show").build(app)?;
     let exit = MenuItemBuilder::with_id("exit", "Exit").build(app)?;
 
     let menu = MenuBuilder::new(app)
-        .items(&[&status, &sep, &show_hide, &exit])
+        .items(&[&show_hide, &exit])
         .build()?;
 
-    TrayIconBuilder::new()
-        .icon(app.default_window_icon().unwrap().clone())
-        .menu(&menu)
-        .on_menu_event(handle_event)
-        .build(app)?;
+    let tray = app.tray_by_id("main").unwrap();
+    tray.set_menu(Some(menu))?;
+    tray.on_menu_event(handle_event);
 
-    // stash these so we can find them later to change the text
-    app.manage(MenuItems { status, show_hide });
+    // stash this so we can find it later to change the text
+    app.manage(show_hide);
 
     Ok(())
 }

src-tauri/tauri.conf.json

@@ -50,7 +50,7 @@
     }
   },
   "productName": "creddy",
-  "version": "0.6.5",
+  "version": "0.4.9",
   "identifier": "creddy",
   "plugins": {},
   "app": {
@@ -65,6 +65,11 @@
         "visible": false
       }
     ],
+    "trayIcon": {
+      "id": "main",
+      "iconPath": "icons/icon.png",
+      "iconAsTemplate": true
+    },
     "security": {
       "csp": {
         "style-src": [
@@ -80,4 +85,4 @@
       }
     }
   }
-}
+}

src/App.svelte

@@ -14,7 +14,6 @@ import Unlock from './views/Unlock.svelte';
 // set up app state
 invoke('get_config').then(config => $appState.config = config);
 invoke('get_session_status').then(status => $appState.sessionStatus = status);
-invoke('get_devmode').then(dm => $appState.devmode = dm)
 getVersion().then(version => $appState.appVersion = version);
 invoke('get_setup_errors')
     .then(errs => {
@@ -52,7 +51,7 @@ acceptRequest();
 </script>
 
 
-<svelte:window
+<svelte:window 
     on:click={() => invoke('signal_activity')}
     on:keydown={() => invoke('signal_activity')}
 />
@@ -71,9 +70,3 @@ acceptRequest();
     <!-- normal operation -->
     <svelte:component this="{$currentView}" />
 {/if}
-
-{#if $appState.devmode }
-    <div class="fixed left-0 bottom-0 right-0 py-1 bg-warning text-xs text-center text-warning-content">
-        This is a development build of Creddy.
-    </div>
-{/if}

src/lib/errors.js

@@ -6,12 +6,3 @@ export function getRootCause(error) {
         return error;
     }
 }
-
-
-export function fullMessage(error) {
-    let msg = error?.msg ? error.msg : error;
-    if (error.source) {
-        msg = `${msg}: ${fullMessage(error.source)}`;
-    }
-    return msg
-}

src/ui/ErrorAlert.svelte

@@ -2,9 +2,6 @@
     import { onMount } from 'svelte';
     import { slide } from 'svelte/transition';
 
-    import { fullMessage } from '../lib/errors.js';
-
-
     let extraClasses = "";
     export {extraClasses as class};
     export let slideDuration = 150;
@@ -81,7 +78,7 @@
     <div transition:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
         <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
         <span>
-            <slot {error}>{fullMessage(error)}</slot>
+            <slot {error}>{error.msg || error}</slot>
         </span>
 
         {#if $$slots.buttons}

src/ui/FileInput.svelte

@@ -1,52 +0,0 @@
-<script>
-    // import { listen } from '@tauri-apps/api/event';
-    import { open } from '@tauri-apps/plugin-dialog';
-    import { basename } from '@tauri-apps/api/path';
-    import { createEventDispatcher } from 'svelte';
-
-    import Icon from './Icon.svelte';
-
-
-    export let value = {};
-    export let params = {};
-    let displayValue = value?.name || '';
-
-    const dispatch = createEventDispatcher();
-
-    async function chooseFile() {
-        let path = await open(params);
-        if (path) {
-            displayValue = await basename(path);
-            value = {name: displayValue, path};
-            dispatch('update', value);
-        }
-    }
-
-    async function handleInput(evt) {
-        const name = await basename(evt.target.value);
-        value = {name, path: evt.target.value};
-    }
-
-    // some day, figure out drag-and-drop
-    // let drag = null;
-    // listen('tauri://drag', e => drag = e);
-    // listen('tauri://drop', e => console.log(e));
-    // listen('tauri://drag-cancelled', e => console.log(e));
-    // listen('tauri://drop-over', e => console.log(e));
-
-</script>
-
-
-<div class="relative flex join has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
-    <button type="button" class="btn btn-neutral join-item" on:click={chooseFile}>
-        Choose file
-    </button>
-    <input 
-        type="text"
-        class="join-item grow input input-bordered border-l-0 bg-transparent focus:outline-none"
-        value={displayValue}
-        on:input={handleInput}
-        on:change={() => dispatch('update', value)}
-        on:focus on:blur
-    >
-</div>

src/ui/PassphraseInput.svelte

@@ -4,15 +4,10 @@
     export let value = '';
     export let placeholder = '';
     export let autofocus = false;
-    export let show = false;
     let classes = '';
     export {classes as class};
 
-    let input;
-
-    export function focus() {
-        input.focus();
-    }
+    let show = false;
 </script>
 
 
@@ -24,14 +19,13 @@
 </style>
 
 
-<div class="join w-full has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
+<div class="join w-full">
     <input
-        bind:this={input}
         type={show ? 'text' : 'password'}
         {value} {placeholder} {autofocus}
         on:input={e => value = e.target.value}
         on:input on:change on:focus on:blur
-        class="input input-bordered flex-grow join-item placeholder:text-gray-500 focus:outline-none {classes}"
+        class="input input-bordered flex-grow join-item placeholder:text-gray-500 {classes}"
     />
 
     <button

src/ui/settings/FileSetting.svelte

@@ -7,13 +7,6 @@
     export let value;
 
     const dispatch = createEventDispatcher();
-
-    async function pickFile() {
-        let file = await open();
-        if (file) {
-            value = file.path
-        }
-    }
 </script>
 
 
@@ -25,10 +18,9 @@
             bind:value
             on:change={() => dispatch('update', {value})}
         >
-        <button
-            type="button"
+        <button 
             class="btn btn-sm btn-primary"
-            on:click={pickFile}
+            on:click={async () => value = await open()}
         >Browse</button>
     </div>
     <slot name="description" slot="description"></slot>

src/views/Approve.svelte

@@ -7,10 +7,9 @@
     import ShowResponse from './approve/ShowResponse.svelte';
     import Unlock from './Unlock.svelte';
 
-    console.log($appState.currentRequest);
 
     // Extra 50ms so the window can finish disappearing before the redraw
-    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 100);
+    const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 50);
 
     let alert;
     let success = false;

src/views/Home.svelte

@@ -8,15 +8,11 @@
     import Icon from '../ui/Icon.svelte';
     import Link from '../ui/Link.svelte';
 
-    let launchTerminalError;
-    async function launchTerminal() {
-        try {
-            await invoke('launch_terminal', {base: false});
-        }
-        catch (e) {
-            console.log(e);
-            launchTerminalError = e;
-        }
+
+    let launchBase = false;
+    function launchTerminal() {
+        invoke('launch_terminal', {base: launchBase});
+        launchBase = false;
     }
 
     async function lock() {
@@ -36,41 +32,37 @@
 
 <div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
     <div class="grid grid-cols-2 gap-6">
-        <button
-            on:click={() => navigate('ManageCredentials')}
-            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-transform active:scale-[.98] transition-transform"
-        >
-            <Icon name="key" class="size-12 stroke-1 stroke-primary" />
-            <h3 class="text-lg font-bold">Credentials</h3>
-            <p class="text-sm">Add, remove, and change default credentials.</p>
-        </button>
+        <Link target="ManageCredentials">
+            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-colors">
+                <Icon name="key" class="size-12 stroke-1 stroke-primary" />
+                <h3 class="text-lg font-bold">Credentials</h3>
+                <p class="text-sm">Add, remove, and change defaults credentials.</p>
+            </div>
+        </Link>
         
-        <button 
-            on:click={launchTerminal}
-            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
-        >
-            <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
-            <h3 class="text-lg font-bold">Terminal</h3>
-            <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
-        </button>
+        <Link target={launchTerminal}>
+            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors">
+                <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
+                <h3 class="text-lg font-bold">Terminal</h3>
+                <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
+            </div>
+        </Link>
 
-        <button 
-            on:click={lock}
-            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
-        >
-            <Icon name="shield-check" class="size-12 stroke-1 stroke-warning" />
-            <h3 class="text-lg font-bold">Lock</h3>
-            <p class="text-sm">Lock Creddy.</p>
-        </button>
+        <Link target={lock}>
+            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors">
+                <Icon name="shield-check" class="size-12 stroke-1 stroke-accent" />
+                <h3 class="text-lg font-bold">Lock</h3>
+                <p class="text-sm">Lock Creddy.</p>
+            </div>
+        </Link>
 
-        <button 
-            on:click={() => invoke('exit')}
-            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
-        >
-            <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-accent" />
-            <h3 class="text-lg font-bold">Exit</h3>
-            <p class="text-sm">Close Creddy.</p>
-        </button>
+        <Link target={() => invoke('exit')}>
+            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors">
+                <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-warning" />
+                <h3 class="text-lg font-bold">Exit</h3>
+                <p class="text-sm">Close Creddy.</p>
+            </div>
+        </Link>
     </div>
 </div>
 
@@ -79,25 +71,10 @@
         {#each $appState.setupErrors as error}
             {#if error.show}
                 <div class="alert alert-error shadow-lg">
-                    <span>{error.msg}</span>
-                    <div>
-                        <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
-                    </div>
+                    {error.msg}
+                    <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
                 </div>
             {/if}
         {/each}
     </div>
-{/if}
-
-{#if launchTerminalError}
-    <div class="toast">
-        <div class="alert alert-error text-wrap shadow-lg">
-            <span>{launchTerminalError.msg || launchTerminalError}</span>
-            <div>
-                <button class="btn btn-alert-error" on:click={() => launchTerminalError = null}>
-                    Ok
-                </button>
-            </div>
-        </div>
-    </div>
 {/if}

src/views/ManageCredentials.svelte

@@ -5,18 +5,12 @@
     import { invoke } from '@tauri-apps/api/core';
 
     import AwsCredential from './credentials/AwsCredential.svelte';
-    import ConfirmDelete from './credentials/ConfirmDelete.svelte';
-    import DockerCredential from './credentials/DockerCredential.svelte';
-    import SshKey from './credentials/SshKey.svelte';
     import Icon from '../ui/Icon.svelte';
     import Nav from '../ui/Nav.svelte';
 
+    let show = false;
 
-    let records = null
-    $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
-    $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
-    $: dockerRecords = (records || []).filter(r => r.credential.type === 'Docker');
-
+    let records = []
     let defaults = writable({});
     async function loadCreds() {
         records = await invoke('list_credentials');
@@ -30,44 +24,11 @@
             id: crypto.randomUUID(),
             name: null,
             is_default: false,
-            credential: {type: 'AwsBase', AccessKeyId: '', SecretAccessKey: ''},
+            credential: {type: 'AwsBase', AccessKeyId: null, SecretAccessKey: null},
             isNew: true,
         });
         records = records;
     }
-
-    function newSsh() {
-        records.push({
-            id: crypto.randomUUID(),
-            name: null,
-            is_default: false,
-            credential: {type: 'Ssh', algorithm: '', comment: '', private_key: '', public_key: '',},
-            isNew: true,
-        });
-        records = records;
-    }
-
-    function newDocker() {
-        records.push({
-            id: crypto.randomUUID(),
-            name: null,
-            is_default: false,
-            credential: {type: 'Docker', ServerURL: '', Username: '', Secret: ''},
-            isNew: true,
-        });
-        records = records;
-    }
-
-    let confirmDelete;
-    function handleDelete(evt) {
-        const record = evt.detail;
-        if (record.isNew) {
-            records = records.filter(r => r.id !== record.id);
-        }
-        else {
-            confirmDelete.confirm(record);
-        }
-    }
 </script>
 
 
@@ -75,82 +36,27 @@
     <h1 slot="title" class="text-2xl font-bold">Credentials</h1>
 </Nav>
 
-<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-12 justify-center">
-    <div class="flex flex-col gap-y-4">
-        <div class="divider">
-            <h2 class="text-xl font-bold">AWS Access Keys</h2>
-        </div>
+<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-4 justify-center">
+    <div class="divider">
+        <h2 class="text-xl font-bold">AWS Access Keys</h2>
+    </div>
 
-        {#if awsRecords.length > 0}
-            {#each awsRecords as record (record.id)}
-                <AwsCredential
-                    {record} {defaults}
-                    on:update={loadCreds}
-                    on:delete={handleDelete}
-                />
-            {/each}
+    {#if records.length > 0}
+        {#each records as record (record.id)}
+            <AwsCredential {record} {defaults} on:update={loadCreds} />
+        {/each}
+        <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
+            <Icon name="plus-circle-mini" class="size-5" />
+            Add
+        </button>
+    {:else}
+        <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+            <div>You have no saved AWS credentials.</div>
             <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
                 <Icon name="plus-circle-mini" class="size-5" />
                 Add
             </button>
-        {:else if records !== null}
-            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
-                <div>You have no saved AWS credentials.</div>
-                <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
-                    <Icon name="plus-circle-mini" class="size-5" />
-                    Add
-                </button>
-            </div>
-        {/if}
-    </div>
-
-    <div class="flex flex-col gap-y-4">
-        <div class="divider">
-            <h2 class="text-xl font-bold">SSH Keys</h2>
         </div>
+    {/if}
 
-        {#if sshRecords.length > 0}
-            {#each sshRecords as record (record.id)}
-                <SshKey {record} on:save={loadCreds} on:delete={handleDelete} />
-            {/each}
-            <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
-                <Icon name="plus-circle-mini" class="size-5" />
-                Add
-            </button>
-        {:else if records !== null}
-            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
-                <div>You have no saved SSH keys.</div>
-                <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
-                    <Icon name="plus-circle-mini" class="size-5" />
-                    Add
-                </button>
-            </div>
-        {/if}
-    </div>
-
-    <div class="flex flex-col gap-y-4">
-        <div class="divider">
-            <h2 class="text-xl font-bold">Docker credentials</h2>
-        </div>
-
-        {#if dockerRecords.length > 0}
-            {#each dockerRecords as record (record.id)}
-                <DockerCredential {record} on:save={loadCreds} on:delete={handleDelete} />
-            {/each}
-            <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
-                <Icon name="plus-circle-mini" class="size-5" />
-                Add
-            </button>
-        {:else if records !== null}
-            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
-                <div>You have no saved Docker credentials.</div>
-                <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
-                    <Icon name="plus-circle-mini" class="size-5" />
-                    Add
-                </button>
-            </div>
-        {/if}
-    </div>
 </div>
-
-<ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />

src/views/Settings.svelte

@@ -20,6 +20,7 @@
     let error = null;
     async function save() {
         try {
+            throw('wtf');
             await invoke('save_config', {config});
             $appState.config = await invoke('get_config');
         }
@@ -28,7 +29,6 @@
         }
     }
 
-    window.getOsType = type;
     let osType = null;
     type().then(t => osType = t);
 </script>
@@ -40,20 +40,18 @@
 
 <form on:submit|preventDefault={save}>
     <div class="max-w-lg mx-auto my-1.5 p-4 space-y-16">
-        <SettingsGroup name="General">
+        <SettingsGroup name="General">            
             <ToggleSetting title="Start on login" bind:value={config.start_on_login}>
                 <svelte:fragment slot="description">
                     Start Creddy when you log in to your computer.
                 </svelte:fragment>
             </ToggleSetting>
 
-            {#if config.start_on_login}
-                <ToggleSetting title="Start minimized" bind:value={config.start_minimized}>
-                    <svelte:fragment slot="description">
-                        Minimize to the system tray when starting on login.
-                    </svelte:fragment>
-                </ToggleSetting>
-            {/if}
+            <ToggleSetting title="Start minimized" bind:value={config.start_minimized}>
+                <svelte:fragment slot="description">
+                    Minimize to the system tray at startup.
+                </svelte:fragment>
+            </ToggleSetting>
 
             <NumericSetting title="Re-hide delay" bind:value={config.rehide_ms} min={0} unit="Milliseconds">
                 <svelte:fragment slot="description">
@@ -115,7 +113,7 @@
 
 {#if error}
     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
-        <div class="alert alert-error no-animation text-wrap">
+        <div class="alert alert-error no-animation">
             <div>
                 <span>{error}</span>
             </div>
@@ -127,7 +125,7 @@
     </div>
 {:else if configModified}
     <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
-        <div class="alert shadow-lg no-animation text-wrap">
+        <div class="alert shadow-lg no-animation">
             <span>You have unsaved changes.</span>
 
             <div>

src/views/Unlock.svelte

@@ -19,7 +19,7 @@
 
     let alert;
     let passphrase = '';
-
+    
     let saving = false;
     async function unlock() {
         saving = true;
@@ -34,14 +34,9 @@
         }
 
     }
-
-    let input;
-    onMount(() => input.focus());
 </script>
 
 
-<svelte:window on:focus={input.focus} />
-
 <div class="fixed top-0 w-full p-2 text-center">
     <h1 class="text-3xl font-bold">Creddy is locked</h1>
 </div>
@@ -57,11 +52,7 @@
         <ErrorAlert bind:this="{alert}" />
 
         <!-- svelte-ignore a11y-autofocus -->
-        <PassphraseInput
-            bind:this={input}
-            bind:value={passphrase}
-            placeholder="correct horse battery staple"
-        />
+        <PassphraseInput autofocus="true" bind:value={passphrase} placeholder="correct horse battery staple" />
     </label>
 
     <button type="submit" class="btn btn-primary">

src/views/approve/CollectResponse.svelte

@@ -14,7 +14,7 @@
     // Extract executable name from full path
     const client = $appState.currentRequest.client;
     const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/);
-    const appName = m ? m[1] || m[2] : '';
+    const appName = m[1] || m[2];
 
     const dispatch = createEventDispatcher();
 
@@ -26,12 +26,6 @@
         };
         dispatch('response');
     }
-
-    const actionDescriptions = {
-        Access: 'access your',
-        Delete: 'delete your',
-        Save: 'create new',
-    };
 </script>
 
 
@@ -40,7 +34,7 @@
         <div>
             <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg>
             <span>
-                WARNING: This application is requesting your base AWS credentials.
+                WARNING: This application is requesting your base AWS credentials. 
                 These credentials are less secure than session credentials, since they don't expire automatically.
             </span>
         </div>
@@ -48,27 +42,13 @@
 {/if}
 
 <div class="space-y-1 mb-4">
-    <h2 class="text-xl font-bold">
-        {#if $appState.currentRequest.type === 'Aws'}
-            {#if $appState.currentRequest.name}
-                {appName ? `"${appName}"` : 'An appplication'} would like to access your AWS access key "{$appState.currentRequest.name}".
-            {:else}
-                {appName ? `"${appName}"` : 'An appplication'} would like to access your default AWS access key
-            {/if}
-        {:else if $appState.currentRequest.type === 'Ssh'}
-            {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
-        {:else if $appState.currentRequest.type === 'Docker'}
-            {appName ? `"${appName}"` : 'An application'} would like to {actionDescriptions[$appState.currentRequest.action]} Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
-        {/if}
-    </h2>
+    <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
 
     <div class="grid grid-cols-[auto_1fr] gap-x-3">
         <div class="text-right">Path:</div>
         <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code>
         <div class="text-right">PID:</div>
         <code>{client.pid}</code>
-        <div class="text-right">User:</div>
-        <code>{client.username ?? 'Unknown'}</code>
     </div>
 </div>
 
@@ -76,11 +56,7 @@
         <!-- Don't display the option to approve with session credentials if base was specifically requested -->
         {#if !$appState.currentRequest?.base}
             <h3 class="font-semibold">
-                {#if $appState.currentRequest.type === 'Aws'}
-                    Approve with session credentials
-                {:else}
-                    Approve
-                {/if}
+                Approve with session credentials
             </h3>
             <Link target={() => setResponse('Approved', false)} hotkey="Enter" shift={true}>
                 <button class="w-full btn btn-success">
@@ -89,22 +65,20 @@
             </Link>
         {/if}
 
-        {#if $appState.currentRequest.type === 'Aws'}
-            <h3 class="font-semibold">
-                <span class="mr-2">
-                    {#if $appState.currentRequest?.base}
-                        Approve
-                    {:else}
-                        Approve with base credentials
-                    {/if}
-                </span>
-            </h3>
-            <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
-                <button class="w-full btn btn-warning">
-                    <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
-                </button>
-            </Link>
-        {/if}
+        <h3 class="font-semibold">
+            <span class="mr-2">
+                {#if $appState.currentRequest?.base}
+                    Approve
+                {:else}
+                    Approve with base credentials
+                {/if}
+            </span>
+        </h3>
+        <Link target={() => setResponse('Approved', true)} hotkey="Enter" shift={true} ctrl={true}>
+            <button class="w-full btn btn-warning">
+                <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
+            </button>
+        </Link>
 
         <h3 class="font-semibold">
             <span class="mr-2">Deny</span>

src/views/credentials/AwsCredential.svelte

@@ -5,19 +5,21 @@
 
     import ErrorAlert from '../../ui/ErrorAlert.svelte';
     import Icon from '../../ui/Icon.svelte';
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-
 
     export let record;
     export let defaults;
 
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
+
     const dispatch = createEventDispatcher();
 
     let showDetails = record.isNew ? true : false;
 
+    let localName = name;
     let local = JSON.parse(JSON.stringify(record));
     $: isModified = JSON.stringify(local) !== JSON.stringify(record);
-
+    
     // explicitly subscribe to updates to `default`, so that we can update
     // our local copy even if the component hasn't been recreated
     // (sadly we can't use a reactive binding because reasons I guess)
@@ -30,19 +32,38 @@
         showDetails = false;
     }
 
+    let deleteModal;
+    function conditionalDelete() {
+        if (!record.isNew) {
+            deleteModal.showModal();
+        }
+        else {
+            deleteCredential();
+        }
+    }
 
+    async function deleteCredential() {
+        try {
+            if (!record.isNew) {
+                await invoke('delete_credential', {id: record.id});
+            }
+            dispatch('update');
+        }
+        catch (e) {
+            showDetails = true;
+            // wait for showDetails to take effect and the alert to be rendered
+            window.setTimeout(() => alert.setError(e), 0);
+        }
+    }
 </script>
 
 
-<div class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}">
+<div 
+    transition:slide|local={{duration: record.isNew ? 300 : 0}}
+    class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}"
+>
     <div class="flex items-center px-6 py-4 gap-x-4">
-        <h3 class="text-lg font-bold">
-            {#if !record?.isNew && showDetails}
-                <input type="text" class="input input-bordered bg-transparent" bind:value={local.name}>
-            {:else}
-                {record.name || ''}
-            {/if}
-        </h3>
+        <h3 class="text-lg font-bold">{record.name || ''}</h3>
 
         {#if record.is_default}
             <span class="badge badge-accent">Default</span>
@@ -59,7 +80,7 @@
             <button
                 type="button"
                 class="btn btn-outline btn-error join-item"
-                on:click={() => dispatch('delete', record)}
+                on:click={conditionalDelete}
             >
                 <Icon name="trash" class="size-6" />
             </button>
@@ -108,11 +129,27 @@
                         transition:fade={{duration: 100}}
                         type="submit"
                         class="btn btn-primary"
-                    >
-                        Save
-                    </button>
+                        >
+                            Save
+                        </button>
                 {/if}
             </div>
         </form>
     {/if}
+
+    <dialog bind:this={deleteModal} class="modal">
+        <div class="modal-box">
+            <h3 class="text-lg font-bold">Delete AWS credential "{record.name}"?</h3>
+            <div class="modal-action">
+                <form method="dialog" class="flex gap-x-4">
+                    <button class="btn btn-outline">Cancel</button>
+                    <button 
+                        autofocus
+                        class="btn btn-error"
+                        on:click={deleteCredential}
+                    >Delete</button>
+                </form>
+            </div>
+        </div>
+    </dialog>
 </div>

src/views/credentials/ConfirmDelete.svelte

@@ -1,65 +0,0 @@
-<script>
-    import { invoke } from '@tauri-apps/api/core';
-    import { createEventDispatcher } from 'svelte';
-
-    import ErrorAlert from '../../ui/ErrorAlert.svelte';
-
-    let record;
-    let modal;
-    let alert;
-
-    const dispatch = createEventDispatcher();
-
-    export function confirm(r) {
-        record = r;
-        modal.showModal();
-    }
-
-    async function deleteCredential() {
-        await invoke('delete_credential', {id: record.id})
-        // closing the modal is dependent on the previous step succeeding
-        modal.close();
-        dispatch('confirm');
-    }
-
-    function credentialDescription(record) {
-        if (record.credential.type === 'AwsBase') {
-            return 'AWS credential';
-        }
-        else if (record.credential.type === 'Ssh') {
-            return 'SSH key';
-        }
-        else {
-            return `${record.credential.type} credential`;
-        }
-    }
-</script>
-
-<dialog bind:this={modal} class="modal">
-    <div class="modal-box space-y-6">
-        <ErrorAlert bind:this={alert} />
-        <h3 class="text-lg font-bold">
-            {#if record}
-                Delete {credentialDescription(record)} "{record.name}"?
-            {/if}
-        </h3>
-        <div class="modal-action">
-            <form method="dialog" class="flex gap-x-4">
-                <button
-                    class="btn btn-outline"
-                    on:click={() => alert.setError(null)}
-                >
-                    Cancel
-                </button>
-
-                <button
-                    autofocus
-                    class="btn btn-error"
-                    on:click|preventDefault={() => alert.run(deleteCredential)}
-                >
-                    Delete
-                </button>
-            </form>
-        </div>
-    </div>
-</dialog>

src/views/credentials/DockerCredential.svelte

@@ -1,112 +0,0 @@
-<script>
-
-    import { createEventDispatcher } from 'svelte';
-    import { fade, slide } from 'svelte/transition';
-    import { invoke } from '@tauri-apps/api/core';
-
-    import ErrorAlert from '../../ui/ErrorAlert.svelte';
-    import Icon from '../../ui/Icon.svelte';
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-
-
-    export let record;
-
-    let local = JSON.parse(JSON.stringify(record));
-    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
-    let showDetails = record?.isNew;
-
-    let alert;
-    const dispatch = createEventDispatcher();
-    async function saveCredential() {
-        await invoke('save_credential', {record: local});
-        dispatch('save', local);
-        showDetails = false;
-    }
-</script>
-
-<div class="rounded-box space-y-4 bg-base-200">
-    <div class="flex items-center px-6 py-4 gap-x-4">
-        {#if !record.isNew}
-            {#if showDetails}
-                <input
-                    type="text"
-                    class="input input-bordered bg-transparent text-lg font-bold grow"
-                    bind:value={local.name}
-                >
-            {:else}
-                <h3 class="text-lg font-bold break-all">
-                    {record.name}
-                </h3>
-            {/if}
-        {/if}
-
-        <div class="join ml-auto">
-            <button
-                type="button"
-                class="btn btn-outline join-item"
-                on:click={() => showDetails = !showDetails}
-            >
-                <Icon name="pencil" class="size-6" />
-            </button>
-            <button
-                type="button"
-                class="btn btn-outline btn-error join-item"
-                on:click={() => dispatch('delete', record)}
-            >
-                <Icon name="trash" class="size-6" />
-            </button>
-        </div>
-    </div>
-
-    {#if showDetails}
-        <form
-            transition:slide|local={{duration: 200}}
-            class=" px-6 pb-4 space-y-4"
-            on:submit|preventDefault={() => alert.run(saveCredential)}
-        >
-            <ErrorAlert bind:this={alert} />
-
-            <div class="grid grid-cols-[auto_1fr] items-center gap-4">
-                {#if record.isNew}
-                    <span class="justify-self-end">Name</span>
-                    <input
-                        type="text"
-                        class="input input-bordered bg-transparent"
-                        bind:value={local.name}
-                    >
-                {/if}
-
-                <span class="justify-self-end">Server URL</span>
-                <input
-                    type="text"
-                    class="input input-bordered font-mono bg-transparent"
-                    bind:value={local.credential.ServerURL}
-                >
-
-                <span class="justify-self-end">Username</span>
-                <input
-                    type="text"
-                    class="input input-bordered font-mono bg-transparent"
-                    bind:value={local.credential.Username}
-                >
-
-                <span>Password</span>
-                <div class="font-mono">
-                    <PassphraseInput class="bg-transparent" bind:value={local.credential.Secret} />
-                </div>
-            </div>
-
-            <div class="flex justify-end">
-                {#if isModified}
-                    <button
-                        transition:fade={{duration: 100}}
-                        type="submit"
-                        class="btn btn-primary"
-                    >
-                        Save
-                    </button>
-                {/if}
-            </div>
-        </form>
-    {/if}
-</div>

src/views/credentials/EditSshKey.svelte

@@ -1,84 +0,0 @@
-<script>
-    import { invoke } from '@tauri-apps/api/core';
-    import { createEventDispatcher } from 'svelte';
-    import { fade } from 'svelte/transition';
-
-    import ErrorAlert from '../../ui/ErrorAlert.svelte';
-
-
-    export let local;
-    export let isModified;
-
-    const dispatch = createEventDispatcher();
-    let alert;
-
-    async function saveCredential() {
-        await invoke('save_credential', {record: local});
-        dispatch('save', local);
-    }
-
-    async function copyText(evt) {
-        const tooltip = event.currentTarget;
-        await navigator.clipboard.writeText(tooltip.dataset.copyText);
-        const prevText = tooltip.dataset.tip;
-        tooltip.dataset.tip = 'Copied!';
-        window.setTimeout(() => tooltip.dataset.tip = prevText, 2000);
-    }
-</script>
-
-
-<style>
-    .grid {
-        grid-template-columns: auto minmax(0, 1fr);
-    }
-</style>
-
-
-<form class="space-y-4" on:submit|preventDefault={() => alert.run(saveCredential)}>
-    <ErrorAlert bind:this={alert} />
-
-    <div class="grid items-baseline gap-4">
-        <span class="justify-self-end">Comment</span>
-        <input
-            type="text"
-            class="input input-bordered bg-transparent"
-            bind:value={local.credential.comment}
-        >
-
-        <span class="justify-self-end">Public key</span>
-        <div
-            class="tooltip tooltip-right"
-            data-tip="Click to copy"
-            data-copy-text={local.credential.public_key}
-            on:click={copyText}
-        >
-            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono break-all">
-                {local.credential.public_key}
-            </div>
-        </div>
-
-        <span class="justify-self-end">Private key</span>
-        <div
-            class="tooltip tooltip-right"
-            data-tip="Click to copy"
-            data-copy-text={local.credential.private_key}
-            on:click={copyText}
-        >
-            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto">
-                {local.credential.private_key}
-            </div>
-        </div>
-    </div>
-
-    <div class="flex justify-end">
-        {#if isModified}
-            <button
-                transition:fade={{duration: 100}}
-                type="submit"
-                class="btn btn-primary"
-            >
-                Save
-            </button>
-        {/if}
-    </div>
-</form>

src/views/credentials/NewSshKey.svelte

@@ -1,119 +0,0 @@
-<script>
-    import { createEventDispatcher } from 'svelte';
-    import { invoke } from '@tauri-apps/api/core';
-    import { homeDir } from '@tauri-apps/api/path';
-    import { fade } from 'svelte/transition';
-
-    import ErrorAlert from '../../ui/ErrorAlert.svelte';
-    import FileInput from '../../ui/FileInput.svelte';
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-    import Spinner from '../../ui/Spinner.svelte';
-
-    export let record;
-
-    let name;
-    let file;
-    let privateKey = '';
-    let passphrase = '';
-    let showDetails = true;
-    let mode = 'file';
-
-    const dispatch = createEventDispatcher();
-
-    let defaultPath = null;
-    homeDir().then(d => defaultPath = `${d}/.ssh`);
-
-
-    let alert;
-    let saving = false;
-    async function saveCredential() {
-        saving = true;
-        try {
-            let key = await getKey();
-            const payload = {
-                id: record.id,
-                name,
-                is_default: false, // ssh keys don't care about defaults
-                credential: {type: 'Ssh', ...key},
-            };
-            await invoke('save_credential', {record: payload});
-            dispatch('save', payload);
-        }
-        finally {
-            saving = false;
-        }
-    }
-
-    async function getKey() {
-        if (mode === 'file') {
-            return await invoke('sshkey_from_file', {path: file.path, passphrase});
-        }
-        else {
-            return await invoke('sshkey_from_private_key', {privateKey, passphrase});
-        }
-    }
-
-</script>
-
-
-<div role="tablist" class="join max-w-sm mx-auto flex justify-center">
-        <button
-            type="button"
-            role="tab"
-            class="join-item flex-1 btn border border-primary hover:border-primary"
-            class:btn-primary={mode === 'file'}
-            on:click={() => mode = 'file'}
-        >
-            From file
-        </button>
-        <button
-            type="button"
-            role="tab"
-            class="join-item flex-1 btn border border-primary hover:border-primary"
-            class:btn-primary={mode === 'direct'}
-            on:click={() => mode = 'direct'}
-        >
-            From private key
-        </button>
-</div>
-
-
-<form class="space-y-4" on:submit|preventDefault={alert.run(saveCredential)}>
-    <ErrorAlert bind:this={alert} />
-
-    <div class="grid grid-cols-[auto_1fr] items-center gap-4">
-        <span class="justify-self-end">Name</span>
-        <input
-            type="text"
-            class="input input-bordered bg-transparent"
-            bind:value={name}
-        >
-
-        {#if mode === 'file'}
-            <span class="justify-self-end">File</span>
-            <FileInput params={{defaultPath}} bind:value={file} on:update={() => name = file.name} />
-        {:else}
-            <span class="justify-self-end">Private key</span>
-            <textarea bind:value={privateKey} rows="5" class="textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto"></textarea>
-        {/if}
-
-        <span class="justify-self-end">Passphrase</span>
-        <PassphraseInput class="bg-transparent" bind:value={passphrase} />
-    </div>
-
-    <div class="flex justify-end">
-        {#if file?.path || privateKey !== ''}
-            <button
-                transition:fade={{duration: 100}}
-                type="submit"
-                class="btn btn-primary"
-            >
-                {#if saving}
-                    <Spinner class="size-5 min-w-16" thickness="12" />
-                {:else}
-                    <span class="min-w-16">Save</span>
-                {/if}
-            </button>
-        {/if}
-    </div>
-</form>

src/views/credentials/SshKey.svelte

@@ -1,71 +0,0 @@
-<script>
-    import { createEventDispatcher } from 'svelte';
-    import { slide } from 'svelte/transition';
-
-    import NewSshKey from './NewSshKey.svelte';
-    import EditSshKey from './EditSshKey.svelte';
-    import Icon from '../../ui/Icon.svelte';
-
-    export let record;
-
-    const dispatch = createEventDispatcher();
-
-    function copy(obj) {
-        return JSON.parse(JSON.stringify(obj));
-    }
-
-    let local = copy(record);
-    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
-    let showDetails = record?.isNew;
-
-    function handleSave(evt) {
-        local = copy(evt.detail);
-        showDetails = false;
-    }
-</script>
-
-
-<div class="rounded-box space-y-4 bg-base-200">
-    <div class="flex items-center px-6 py-4 gap-x-4">
-        {#if !record.isNew}
-            {#if showDetails}
-                <input 
-                    type="text"
-                    class="input input-bordered bg-transparent text-lg font-bold"
-                    bind:value={local.name}
-                >
-            {:else}
-                <h3 class="text-lg font-bold">
-                    {record.name}
-                </h3>
-            {/if}
-        {/if}
-
-        <div class="join ml-auto">
-            <button
-                type="button"
-                class="btn btn-outline join-item"
-                on:click={() => showDetails = !showDetails}
-            >
-                <Icon name="pencil" class="size-6" />
-            </button>
-            <button
-                type="button"
-                class="btn btn-outline btn-error join-item"
-                on:click={() => dispatch('delete', record)}
-            >
-                <Icon name="trash" class="size-6" />
-            </button>
-        </div>
-    </div>
-
-    {#if record && showDetails}
-        <div transition:slide|local={{duration: 200}} class="px-6 pb-4 space-y-4">
-            {#if record.isNew}
-                <NewSshKey {record} on:save on:save={handleSave} />
-            {:else}
-                <EditSshKey bind:local={local} {isModified} on:save={handleSave} on:save />
-            {/if}
-        </div>
-    {/if}
-</div>

src/views/passphrase/EnterPassphrase.svelte

@@ -14,7 +14,6 @@
 
     const dispatch = createEventDispatcher();
 
-    let showPassphrase = false;
     let alert;
     let saving = false;
     let passphrase = '';
@@ -53,6 +52,7 @@
         try {
             await alert.run(async () => {
                 await invoke('set_passphrase', {passphrase})
+                throw('something bad happened');
                 $appState.sessionStatus = 'unlocked';
                 dispatch('save');
             });
@@ -73,7 +73,6 @@
         </div>
         <PassphraseInput
             bind:value={passphrase}
-            bind:show={showPassphrase}
             on:input={onInput}
             placeholder="correct horse battery staple"
         />
@@ -85,7 +84,6 @@
         </div>
         <PassphraseInput
             bind:value={confirmPassphrase}
-            bind:show={showPassphrase}
             on:input={onInput} on:change={onChange}
             placeholder="correct horse battery staple"
         />

tailwind.config.js

@@ -17,7 +17,7 @@ module.exports = {
           "primary": "#0ea5e9",
           "secondary": "#fb923c",
           "accent": "#8b5cf6",
-          "neutral": "#374151",
+          "neutral": "#2f292c",
           "base-100": "#252e3a",
           "info": "#66cccc",
           "success": "#52bf73",