db: Add encrypted Turso adapter with shared migration flow #50

Open
stefanskoricdev wants to merge 7 commits into main from auth/credentials-storage

Conversation

@stefanskoricdev
Contributor

No description provided.

stefanskoricdev and others added 5 commits May 25, 2026 13:27
- Add EncryptedTursoDb<M: DbSpec> alongside TursoDb<M> in the shared DB module
- Require SCE_DB_ENCRYPTION_KEY, reject empty keys, and configure Turso encryption via EncryptionOpts with strict aegis256
- Reuse extracted shared helpers for parent directory setup, runtime creation, and migration execution to keep encrypted/non-encrypted paths consistent
- Expose sync execute()/query() on encrypted adapter and keep __sce_migrations metadata behavior aligned
- Update context memory files to reflect the current shared Turso DB architecture and glossary terms

Co-authored-by: SCE <sce@crocoder.dev>
Add encrypted auth DB foundation: `AuthDb = EncryptedTursoDb<AuthDbSpec>`
wrapper, ordered auth token migrations (table + email index), and
`AuthDbLifecycle` provider registered in the shared lifecycle catalog.
Wire the canonical `<state_root>/sce/auth.db` path resolver, module
export, and lifecycle ordering (config → local_db → auth_db →
agent_trace_db → hooks). Sync context files to reflect the new
current-state DB surface.

Plan: encrypted-auth-db
Tasks: T01 (auth DB path + migrations), T02 (auth_db mod.rs), T03
(lifecycle integration)

Co-authored-by: SCE <sce@crocoder.dev>
…h_credentials

Replace baseline auth schema/table naming from auth_tokens to auth_credentials.

Add updated_at column and an auto-update trigger to track credential
modification timestamp

Co-authored-by: SCE <sce@crocoder.dev>
Replace the legacy JSON file-based token storage (`~/.local/state/sce/auth/tokens.json`)
with persistence through the encrypted `AuthDb` (`auth_credentials` table in
`<state_root>/sce/auth.db`) using a `OnceLock` lazy singleton and constant row ID 1.

- `save_tokens`/`load_tokens`/`delete_tokens` now execute SQL against `auth_credentials`
  instead of file read/write/delete; `TokenStorageError` replaces `Io`/`Serialization`/
  `CorruptedTokenFile`/`Permission` variants with a single `Database` variant
- `auth.rs` public functions decouple HTTP from storage: `*_returning_token` variants
  return `TokenResponse`; callers in `auth_command/mod.rs` explicitly invoke
  `token_storage::save_tokens` outside tokio `block_on` to avoid nested-runtime panics
- `default_paths.rs` removes `auth_tokens_file()`, `AuthTokens` artifact ID, and
  corresponding entry from the artifact-locations catalog
- Migration DDL fixes `auth_credentials.id` from `TEXT` to `INTEGER PRIMARY KEY`
- `EncryptedTursoDb` gains `query_map` for typed synchronous row mapping

Co-authored-by: SCE <sce@crocoder.dev>
Encryption keys are now managed via the platform-native credential
store (macOS Keychain, Linux keyutils, Windows Credential Store).

Add cli/src/services/db/encryption_key.rs with:
- get_or_create_encryption_key() that generates a 32-byte random
  key on first use and retrieves it from the credential store on
  subsequent calls
- ensure_default_store() for platform-specific store initialization
- Clear remediation messaging for missing keys (e.g. Linux keyutils
  expiry) or unsupported platforms
- Hex encoding helpers and unit tests

Update EncryptedTursoDb::new() to consume the new module.
Update error messages in token_storage.rs and context docs.

New dependencies: keyring-core v1, rand v0.8, and platform-specific
keyring store crates (linux-keyutils-keyring-store,
apple-native-keyring-store, windows-native-keyring-store).

Co-authored-by: SCE <sce@crocoder.dev>
@stefanskoricdev stefanskoricdev force-pushed the auth/credentials-storage branch from 7bf6624 to 2314b2c May 27, 2026 09:50
Replace `as i64` and `as u64` truncating casts with `TryFrom`
conversions that return explicit errors when values are out of
range. Error messages are mapped to `TokenStorageError::Database`
in `save_tokens` and to `anyhow::Error` in `load_tokens`.

Removes the `#[allow(clippy::cast_possible_wrap)]` and
`#[allow(clippy::cast_sign_loss)]` attributes that were suppressing
warnings for these unsafe casts.

Co-authored-by: SCE <sce@crocoder.dev>
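The cast replacement described in this commit, as an added example that is not the PR's own code: it shows what the removed `as i64` / `as u64` casts silently do to out-of-range values next to the checked `TryFrom` conversions that map failures to a `TokenStorageError::Database` variant. The function names and the simplified error enum are assumptions for illustration.

```rust
// Added example, not the PR's code: models the TryFrom conversions the
// commit describes for moving values between Rust integers and SQLite
// INTEGER (i64) columns. Function names below are assumptions.

/// Simplified stand-in for the single `Database` variant the commit mentions.
#[derive(Debug)]
pub enum TokenStorageError {
    Database(String),
}

/// What the removed `as i64` cast does: a u64 above i64::MAX silently
/// wraps to a negative number (u64::MAX becomes -1).
#[allow(clippy::cast_possible_wrap)]
pub fn truncating_to_i64(value: u64) -> i64 {
    value as i64
}

/// What the removed `as u64` cast does: a negative i64 silently becomes
/// a huge positive number (-1 becomes u64::MAX).
#[allow(clippy::cast_sign_loss)]
pub fn truncating_to_u64(value: i64) -> u64 {
    value as u64
}

/// Checked replacement for the store direction (save_tokens): the
/// conversion error is mapped to `TokenStorageError::Database`.
pub fn to_db_i64(value: u64) -> Result<i64, TokenStorageError> {
    i64::try_from(value).map_err(|e| {
        TokenStorageError::Database(format!(
            "value {value} does not fit in an INTEGER column: {e}"
        ))
    })
}

/// Checked replacement for the load direction (load_tokens): a negative
/// value read from the row is reported as an error, not reinterpreted.
pub fn from_db_i64(value: i64) -> Result<u64, TokenStorageError> {
    u64::try_from(value).map_err(|e| {
        TokenStorageError::Database(format!(
            "negative value {value} read from INTEGER column: {e}"
        ))
    })
}

fn main() {
    // A realistic expiry timestamp fits; u64::MAX and a negative row value do not.
    println!("{:?}", to_db_i64(1_800_000_000));
    println!("{:?}", to_db_i64(u64::MAX));
    println!("{:?}", from_db_i64(-1));
}
```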
@stefanskoricdev stefanskoricdev marked this pull request as ready for review May 27, 2026 12:04
Replace Linux keyring backend for encryption key management from linux-keyutils-keyring-store to zbus-secret-service-keyring-store.

Update target dependencies and lockfile to match the new Secret Service backend, and align keyring error/help text with Secret Service behavior.

Co-authored-by: SCE <sce@crocoder.dev>