Before this change, `license_commands::check_account_edition` read
`account.json` directly and granted Premium when `subscription_status`
was `"active"`. Any local process could write that JSON and bypass
the paywall without ever touching the Logto session.
Introduce `account_cache` with:
- `save(app, &AccountInfo)` — signs the serialised AccountInfo with
HMAC-SHA256 and writes a `{"data", "sig"}` envelope. The 32-byte
key lives in the OS keychain (service `com.simpl.resultat`, user
`account-hmac-key`) alongside the OAuth tokens from #78.
- `load_unverified` — accepts both signed and legacy payloads for UI
display (name, email, picture). The license path must never use
this.
- `load_verified` — requires a valid HMAC signature; returns None for
legacy payloads, missing keychain, tampered data. Used by
`check_account_edition` so Premium stays locked until the next
token refresh re-signs the cache.
- `delete` — wipes both the file and the keychain key on logout so
the next session generates a fresh cryptographic anchor.
`auth_commands::handle_auth_callback` and `refresh_auth_token` now
call `account_cache::save` instead of writing the file directly.
`logout` clears both stores. `get_account_info` delegates to
`load_unverified` so upgraded users see their profile immediately.
Trust boundary: the HMAC key lives in the keychain and shares its
security model with the OAuth tokens. If the keychain is unreachable,
the gating path refuses to grant Premium (fail-closed), which matches
the store_mode policy introduced in #78.
Refs #66, CWE-345
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce a new token_store module that persists OAuth tokens in the OS
keychain (Credential Manager on Windows, Secret Service on Linux through
sync-secret-service + crypto-rust, both pure-Rust backends).
- Keychain service name matches the Tauri bundle identifier
(com.simpl.resultat) so credentials are scoped to the real app
identity.
- Transparent migration on first load: a legacy tokens.json is copied
into the keychain, then zeroed and unlinked before removal to reduce
refresh-token recoverability from unallocated disk blocks.
- Store-mode flag (keychain|file) persisted next to the auth dir.
After a successful keychain write the store refuses to silently
downgrade to the file fallback, so a subsequent failure forces
re-authentication instead of leaking plaintext.
- New get_token_store_mode command exposes the current mode to the
frontend so a settings banner can warn users running on the file
fallback.
- auth_commands.rs refactored: all tokens.json read/write/delete paths
go through token_store; check_subscription_status now uses
token_store::load().is_some() to trigger migration even when the
24h throttle would early-return.
Refs #66
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces the offline license infrastructure for the Base/Premium editions.
- jsonwebtoken (EdDSA) verifies license JWTs against an embedded Ed25519
public key. The exp claim is mandatory (CWE-613) and is enforced via
Validation::set_required_spec_claims.
- Activation tokens (server-issued, machine-bound) prevent license.key
copying between machines. Storage is wired up; the actual issuance flow
ships with Issue #49.
- get_edition() fails closed to "free" when the license is missing,
invalid, expired, or activated for a different machine.
- New commands/entitlements module centralizes feature → tier mapping so
Issue #48 (and any future gate) reads from a single source of truth.
- machine-uid provides the cross-platform machine identifier; OS reinstall
invalidates the activation token by design.
- Tests cover happy path, expiry, wrong-key signature, malformed JWT,
unknown edition, and machine_id matching for activation tokens.
The embedded PUBLIC_KEY_PEM is the RFC 8410 §10.3 test vector, clearly
labelled as a development placeholder; replacing it with the production
public key is a release-time task.
Each profile gets its own SQLite database file for complete data isolation.
Profile selection screen at launch, sidebar switcher for quick switching,
and optional 4-6 digit PIN for privacy. Existing database becomes the
default profile with seamless upgrade.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add export (JSON/CSV) and import (full replace) to the Settings page.
Export supports 3 modes (transactions+categories, transactions only,
categories only) with optional password encryption using Argon2id key
derivation. Import detects encrypted .sref files, prompts for password,
and shows a destructive confirmation modal before replacing data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
