feat: license card in settings (#47 )

Adds the user-facing layer on top of the Rust license commands shipped in #46. - `licenseService.ts` thin wrapper around the new Tauri commands - `useLicense` hook follows the project's useReducer pattern (idle, loading, ready, validating, error) and exposes `submitKey`, `refresh`, and `checkEntitlement` for cross-component use - `LicenseCard` shows the current edition, the expiry date when set, accepts a license key with inline validation feedback, and links to the purchase page via `openUrl` from `@tauri-apps/plugin-opener` - Card is inserted at the top of `SettingsPage` so the edition is the first thing users see when looking for license-related actions - i18n: new `license.*` keys in both `fr.json` and `en.json` - Bilingual CHANGELOG entries
feat: license validation commands + entitlements system (#46 )
2026-04-09 15:47:04 -04:00 · 2026-04-09 19:35:32 +00:00 · 2026-04-09 11:12:10 -04:00 · 2026-04-09 10:59:12 -04:00 · 2026-04-09 10:02:02 -04:00 · 2026-04-09 14:01:39 +00:00
7 changed files with 282 additions and 78 deletions
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@ -0,0 +1,97 @@
+name: PR Check
+
+# Validates Rust + frontend on every branch push and PR.
+# Goal: catch compile errors, type errors, and failing tests BEFORE merge,
+# instead of waiting for the release tag (which is when release.yml runs).
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  rust:
+    runs-on: ubuntu
+    container: ubuntu:22.04
+    env:
+      PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+      CARGO_TERM_COLOR: always
+    steps:
+      - name: Install system dependencies, Node.js and Rust
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends \
+            curl wget git ca-certificates build-essential pkg-config \
+            libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
+          # Node.js is required by actions/checkout and actions/cache (they
+          # are JavaScript actions and need `node` in the container PATH).
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+          apt-get install -y nodejs
+          # Rust toolchain
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
+          node --version
+          rustc --version
+          cargo --version
+
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Cache cargo registry and git
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-registry-
+
+      - name: Cache cargo build target
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: src-tauri/target
+          key: ${{ runner.os }}-cargo-target-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-target-
+
+      - name: cargo check
+        run: cargo check --manifest-path src-tauri/Cargo.toml --all-targets
+
+      - name: cargo test
+        run: cargo test --manifest-path src-tauri/Cargo.toml --all-targets
+
+  frontend:
+    runs-on: ubuntu
+    container: ubuntu:22.04
+    steps:
+      - name: Install Node.js 20
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends curl ca-certificates git
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+          apt-get install -y nodejs
+          node --version
+          npm --version
+
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Cache npm cache
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-npm-
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (tsc + vite)
+        run: npm run build
+
+      - name: Tests (vitest)
+        run: npm test
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -0,0 +1,68 @@
+name: PR Check
+
+# Mirror of .forgejo/workflows/check.yml using GitHub-native runners.
+# Forgejo is the primary host; this file keeps the GitHub mirror functional.
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  rust:
+    runs-on: ubuntu-latest
+    env:
+      CARGO_TERM_COLOR: always
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            pkg-config libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
+
+      - name: Install Rust toolchain (stable)
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            src-tauri/target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: cargo check
+        run: cargo check --manifest-path src-tauri/Cargo.toml --all-targets
+
+      - name: cargo test
+        run: cargo test --manifest-path src-tauri/Cargo.toml --all-targets
+
+  frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (tsc + vite)
+        run: npm run build
+
+      - name: Tests (vitest)
+        run: npm test
--- a/CHANGELOG.fr.md
+++ b/CHANGELOG.fr.md
@ -3,6 +3,7 @@
 ## [Non publié]

 ### Ajouté
+- CI : nouveau workflow `check.yml` qui exécute `cargo check`/`cargo test` et le build frontend sur chaque push de branche et PR, détectant les erreurs avant le merge plutôt qu'au moment de la release (#60)
 - Carte de licence dans les Paramètres : affiche l'édition actuelle (Gratuite/Base/Premium), accepte une clé de licence et redirige vers la page d'achat (#47)

 ## [0.6.7] - 2026-03-29
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@
 ## [Unreleased]

 ### Added
+- CI: new `check.yml` workflow runs `cargo check`/`cargo test` and the frontend build on every branch push and PR, catching errors before merge instead of waiting for the release tag (#60)
 - License card in Settings page: shows the current edition (Free/Base/Premium), accepts a license key, and links to the purchase page (#47)

 ## [0.6.7] - 2026-03-29
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -157,9 +157,8 @@ Pour maintenir l'éligibilité aux crédits d'impôt R&D (RS&DE fédéral + CRIC

 ## CI/CD

- GitHub Actions (`release.yml`) déclenché par tags `v*`
- Build Windows (NSIS `.exe`) + Linux (`.deb`, `.rpm`)
- Signature des binaires + JSON d'updater pour mises à jour automatiques
+- **`check.yml`** (Forgejo Actions + miroir GitHub) — déclenché sur chaque push de branche (sauf `main`) et chaque PR vers `main`. Lance `cargo check`, `cargo test`, `npm run build` (tsc + vite) et `npm test` (vitest). Doit être vert avant tout merge.
+- **`release.yml`** — déclenché par les tags `v*`. Build Windows (NSIS `.exe`) + Linux (`.deb`, `.rpm`), signe les binaires et publie le JSON d'updater pour les mises à jour automatiques.

 ---

--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -39,4 +39,8 @@ jsonwebtoken = "9"
 machine-uid = "0.5"

 [dev-dependencies]
-ed25519-dalek = { version = "2", features = ["pkcs8", "pem", "rand_core"] }
+# Used in license_commands.rs tests to sign test JWTs. We avoid the `pem`
+# feature because the `LineEnding` re-export path varies between versions
+# of pkcs8/spki; building the PKCS#8 DER manually is stable and trivial
+# for Ed25519.
+ed25519-dalek = { version = "2", features = ["pkcs8", "rand_core"] }
--- a/src-tauri/src/commands/license_commands.rs
+++ b/src-tauri/src/commands/license_commands.rs
@ -95,24 +95,31 @@ fn strip_prefix(key: &str) -> Result<&str, String> {
    Err("License key must start with SR-BASE- or SR-PREMIUM-".to_string())
 }

-/// Pure validation: decode the JWT, verify signature against `public_key_pem`, ensure the
-/// edition claim is one we recognize. Returns `LicenseInfo` on success.
-///
-/// Separated from the Tauri command so tests can pass their own key.
-fn validate_with_key(key: &str, public_key_pem: &[u8]) -> Result<LicenseInfo, String> {
-    let jwt = strip_prefix(key)?;
-
-    let decoding_key = DecodingKey::from_ed_pem(public_key_pem)
-        .map_err(|e| format!("Invalid public key: {}", e))?;
-
+/// Build a `Validation` with `exp` and `iat` mandatory. Assertions are explicit so a future
+/// config change cannot silently disable expiry checking (CWE-613).
+fn strict_validation() -> Validation {
    let mut validation = Validation::new(Algorithm::EdDSA);
-    // jsonwebtoken validates `exp` by default; assert this explicitly so a future config
-    // change cannot silently disable it (CWE-613).
    validation.validate_exp = true;
    validation.leeway = 0;
    validation.set_required_spec_claims(&["exp", "iat"]);
+    validation
+}

-    let data = decode::<LicenseClaims>(jwt, &decoding_key, &validation)
+/// Build the production `DecodingKey` from the embedded PEM constant.
+fn embedded_decoding_key() -> Result<DecodingKey, String> {
+    DecodingKey::from_ed_pem(PUBLIC_KEY_PEM.as_bytes())
+        .map_err(|e| format!("Invalid public key: {}", e))
+}
+
+/// Pure validation: decode the JWT, verify signature with the provided key, ensure the
+/// edition claim is one we recognize. Returns `LicenseInfo` on success.
+///
+/// Separated from the Tauri command so tests can pass their own key.
+fn validate_with_key(key: &str, decoding_key: &DecodingKey) -> Result<LicenseInfo, String> {
+    let jwt = strip_prefix(key)?;
+    let validation = strict_validation();
+
+    let data = decode::<LicenseClaims>(jwt, decoding_key, &validation)
        .map_err(|e| format!("Invalid license: {}", e))?;

    let claims = data.claims;
@ -135,17 +142,11 @@ fn validate_with_key(key: &str, public_key_pem: &[u8]) -> Result<LicenseInfo, St
 fn validate_activation_with_key(
    token: &str,
    local_machine_id: &str,
-    public_key_pem: &[u8],
+    decoding_key: &DecodingKey,
 ) -> Result<(), String> {
-    let decoding_key = DecodingKey::from_ed_pem(public_key_pem)
-        .map_err(|e| format!("Invalid public key: {}", e))?;
+    let validation = strict_validation();

-    let mut validation = Validation::new(Algorithm::EdDSA);
-    validation.validate_exp = true;
-    validation.leeway = 0;
-    validation.set_required_spec_claims(&["exp", "iat"]);
-
-    let data = decode::<ActivationClaims>(token.trim(), &decoding_key, &validation)
+    let data = decode::<ActivationClaims>(token.trim(), decoding_key, &validation)
        .map_err(|e| format!("Invalid activation token: {}", e))?;

    if data.claims.machine_id != local_machine_id {
@ -160,14 +161,16 @@ fn validate_activation_with_key(
 /// before the user confirms storage.
 #[tauri::command]
 pub fn validate_license_key(key: String) -> Result<LicenseInfo, String> {
-    validate_with_key(&key, PUBLIC_KEY_PEM.as_bytes())
+    let decoding_key = embedded_decoding_key()?;
+    validate_with_key(&key, &decoding_key)
 }

 /// Persist a previously-validated license key to disk. The activation token (machine binding)
 /// is stored separately by [`store_activation_token`] once the server has issued one.
 #[tauri::command]
 pub fn store_license(app: tauri::AppHandle, key: String) -> Result<LicenseInfo, String> {
-    let info = validate_with_key(&key, PUBLIC_KEY_PEM.as_bytes())?;
+    let decoding_key = embedded_decoding_key()?;
+    let info = validate_with_key(&key, &decoding_key)?;
    let path = license_path(&app)?;
    if let Some(parent) = path.parent() {
        fs::create_dir_all(parent).map_err(|e| format!("Cannot create app data dir: {}", e))?;
@ -181,7 +184,8 @@ pub fn store_license(app: tauri::AppHandle, key: String) -> Result<LicenseInfo,
 #[tauri::command]
 pub fn store_activation_token(app: tauri::AppHandle, token: String) -> Result<(), String> {
    let local_id = machine_id_internal()?;
-    validate_activation_with_key(&token, &local_id, PUBLIC_KEY_PEM.as_bytes())?;
+    let decoding_key = embedded_decoding_key()?;
+    validate_activation_with_key(&token, &local_id, &decoding_key)?;
    let path = activation_path(&app)?;
    if let Some(parent) = path.parent() {
        fs::create_dir_all(parent).map_err(|e| format!("Cannot create app data dir: {}", e))?;
@ -198,7 +202,10 @@ pub fn read_license(app: tauri::AppHandle) -> Result<Option<LicenseInfo>, String
        return Ok(None);
    }
    let key = fs::read_to_string(&path).map_err(|e| format!("Cannot read license file: {}", e))?;
-    Ok(validate_with_key(&key, PUBLIC_KEY_PEM.as_bytes()).ok())
+    let Ok(decoding_key) = embedded_decoding_key() else {
+        return Ok(None);
+    };
+    Ok(validate_with_key(&key, &decoding_key).ok())
 }

 /// Returns the active edition (`"free"`, `"base"`, or `"premium"`) for use by feature gates.
@ -227,7 +234,10 @@ pub(crate) fn current_edition(app: &tauri::AppHandle) -> String {
    let Ok(key) = fs::read_to_string(&path) else {
        return EDITION_FREE.to_string();
    };
-    let Ok(info) = validate_with_key(&key, PUBLIC_KEY_PEM.as_bytes()) else {
+    let Ok(decoding_key) = embedded_decoding_key() else {
+        return EDITION_FREE.to_string();
+    };
+    let Ok(info) = validate_with_key(&key, &decoding_key) else {
        return EDITION_FREE.to_string();
    };

@ -241,8 +251,7 @@ pub(crate) fn current_edition(app: &tauri::AppHandle) -> String {
            let Ok(local_id) = machine_id_internal() else {
                return EDITION_FREE.to_string();
            };
-            if validate_activation_with_key(&token, &local_id, PUBLIC_KEY_PEM.as_bytes()).is_err()
-            {
+            if validate_activation_with_key(&token, &local_id, &decoding_key).is_err() {
                return EDITION_FREE.to_string();
            }
        }
@ -267,31 +276,56 @@ fn machine_id_internal() -> Result<String, String> {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use ed25519_dalek::pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding};
    use ed25519_dalek::SigningKey;
    use jsonwebtoken::{encode, EncodingKey, Header};

+    // === Manual DER encoder for the Ed25519 private key =======================================
+    // We avoid the `pem` feature on `ed25519-dalek` because the `LineEnding` re-export path
+    // varies across `pkcs8`/`spki`/`der` versions. The Ed25519 PKCS#8 v1 byte layout is fixed
+    // and trivial: 16-byte prefix + 32-byte raw seed.
+    //
+    // Note the asymmetry in jsonwebtoken's API:
+    // - `EncodingKey::from_ed_der` expects a PKCS#8-wrapped private key (passed to ring's
+    //   `Ed25519KeyPair::from_pkcs8`).
+    // - `DecodingKey::from_ed_der` expects the *raw* 32-byte public key (passed to ring's
+    //   `UnparsedPublicKey::new` which takes raw bytes, not a SubjectPublicKeyInfo).
+
+    /// Wrap a 32-byte Ed25519 seed in a PKCS#8 v1 PrivateKeyInfo DER blob.
+    fn ed25519_pkcs8_private_der(seed: &[u8; 32]) -> Vec<u8> {
+        // SEQUENCE(46) {
+        //   INTEGER(1) 0           // version v1
+        //   SEQUENCE(5) {
+        //     OID(3) 1.3.101.112   // Ed25519
+        //   }
+        //   OCTET STRING(34) {
+        //     OCTET STRING(32) <32 bytes>
+        //   }
+        // }
+        let mut der = vec![
+            0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22,
+            0x04, 0x20,
+        ];
+        der.extend_from_slice(seed);
+        der
+    }
+
    /// Build a deterministic test keypair so signed tokens are reproducible across runs.
-    fn test_keypair() -> (String, String) {
-        let seed = [42u8; 32];
+    fn test_keys(seed: [u8; 32]) -> (EncodingKey, DecodingKey) {
        let signing_key = SigningKey::from_bytes(&seed);
-        let verifying_key = signing_key.verifying_key();
-        let private_pem = signing_key
-            .to_pkcs8_pem(LineEnding::LF)
-            .unwrap()
-            .to_string();
-        let public_pem = verifying_key.to_public_key_pem(LineEnding::LF).unwrap();
-        (private_pem, public_pem)
+        let pubkey_bytes = signing_key.verifying_key().to_bytes();
+        let priv_der = ed25519_pkcs8_private_der(&seed);
+        let encoding_key = EncodingKey::from_ed_der(&priv_der);
+        // Raw 32-byte public key (NOT SubjectPublicKeyInfo) — see note above.
+        let decoding_key = DecodingKey::from_ed_der(&pubkey_bytes);
+        (encoding_key, decoding_key)
    }

-    fn make_token(private_pem: &str, claims: &LicenseClaims) -> String {
-        let key = EncodingKey::from_ed_pem(private_pem.as_bytes()).unwrap();
-        encode(&Header::new(Algorithm::EdDSA), claims, &key).unwrap()
+    fn default_keys() -> (EncodingKey, DecodingKey) {
+        test_keys([42u8; 32])
    }

-    fn make_activation_token(private_pem: &str, claims: &ActivationClaims) -> String {
-        let key = EncodingKey::from_ed_pem(private_pem.as_bytes()).unwrap();
-        encode(&Header::new(Algorithm::EdDSA), claims, &key).unwrap()
+    fn make_token<T: serde::Serialize>(encoding_key: &EncodingKey, claims: &T) -> String {
+        encode(&Header::new(Algorithm::EdDSA), claims, encoding_key).unwrap()
    }

    fn now() -> i64 {
@ -303,14 +337,14 @@ mod tests {

    #[test]
    fn rejects_key_without_prefix() {
-        let (_priv, public_pem) = test_keypair();
-        let result = validate_with_key("nonsense", public_pem.as_bytes());
+        let (_enc, dec) = default_keys();
+        let result = validate_with_key("nonsense", &dec);
        assert!(result.is_err());
    }

    #[test]
    fn accepts_well_formed_base_license() {
-        let (private_pem, public_pem) = test_keypair();
+        let (enc, dec) = default_keys();
        let claims = LicenseClaims {
            sub: "user@example.com".to_string(),
            iss: "lacompagniemaximus.com".to_string(),
@ -320,9 +354,9 @@ mod tests {
            features: vec!["auto-update".to_string()],
            machine_limit: 3,
        };
-        let jwt = make_token(&private_pem, &claims);
+        let jwt = make_token(&enc, &claims);
        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
-        let info = validate_with_key(&key, public_pem.as_bytes()).unwrap();
+        let info = validate_with_key(&key, &dec).unwrap();
        assert_eq!(info.edition, EDITION_BASE);
        assert_eq!(info.email, "user@example.com");
        assert_eq!(info.machine_limit, 3);
@ -330,7 +364,7 @@ mod tests {

    #[test]
    fn rejects_expired_license() {
-        let (private_pem, public_pem) = test_keypair();
+        let (enc, dec) = default_keys();
        let claims = LicenseClaims {
            sub: "user@example.com".to_string(),
            iss: "lacompagniemaximus.com".to_string(),
@ -340,22 +374,16 @@ mod tests {
            features: vec![],
            machine_limit: 3,
        };
-        let jwt = make_token(&private_pem, &claims);
+        let jwt = make_token(&enc, &claims);
        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
-        let result = validate_with_key(&key, public_pem.as_bytes());
+        let result = validate_with_key(&key, &dec);
        assert!(result.is_err(), "expired license must be rejected");
    }

    #[test]
    fn rejects_license_signed_with_wrong_key() {
-        let (private_pem, _public_pem) = test_keypair();
-        // Generate a different keypair to verify with
-        let other_seed = [7u8; 32];
-        let other_signing = SigningKey::from_bytes(&other_seed);
-        let other_public = other_signing
-            .verifying_key()
-            .to_public_key_pem(LineEnding::LF)
-            .unwrap();
+        let (enc_signer, _dec_signer) = default_keys();
+        let (_enc_other, dec_other) = test_keys([7u8; 32]);
        let claims = LicenseClaims {
            sub: "user@example.com".to_string(),
            iss: "lacompagniemaximus.com".to_string(),
@ -365,23 +393,23 @@ mod tests {
            features: vec![],
            machine_limit: 3,
        };
-        let jwt = make_token(&private_pem, &claims);
+        let jwt = make_token(&enc_signer, &claims);
        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
-        let result = validate_with_key(&key, other_public.as_bytes());
+        let result = validate_with_key(&key, &dec_other);
        assert!(result.is_err(), "wrong-key signature must be rejected");
    }

    #[test]
    fn rejects_corrupted_jwt() {
-        let (_priv, public_pem) = test_keypair();
+        let (_enc, dec) = default_keys();
        let key = format!("{}not.a.real.jwt", KEY_PREFIX_BASE);
-        let result = validate_with_key(&key, public_pem.as_bytes());
+        let result = validate_with_key(&key, &dec);
        assert!(result.is_err());
    }

    #[test]
    fn rejects_unknown_edition() {
-        let (private_pem, public_pem) = test_keypair();
+        let (enc, dec) = default_keys();
        let claims = LicenseClaims {
            sub: "user@example.com".to_string(),
            iss: "lacompagniemaximus.com".to_string(),
@ -391,36 +419,42 @@ mod tests {
            features: vec![],
            machine_limit: 3,
        };
-        let jwt = make_token(&private_pem, &claims);
+        let jwt = make_token(&enc, &claims);
        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
-        let result = validate_with_key(&key, public_pem.as_bytes());
+        let result = validate_with_key(&key, &dec);
        assert!(result.is_err());
    }

    #[test]
    fn activation_token_matches_machine() {
-        let (private_pem, public_pem) = test_keypair();
+        let (enc, dec) = default_keys();
        let claims = ActivationClaims {
            sub: "license-id".to_string(),
            iat: now(),
            exp: now() + 86400,
            machine_id: "this-machine".to_string(),
        };
-        let token = make_activation_token(&private_pem, &claims);
-        assert!(validate_activation_with_key(&token, "this-machine", public_pem.as_bytes()).is_ok());
+        let token = make_token(&enc, &claims);
+        assert!(validate_activation_with_key(&token, "this-machine", &dec).is_ok());
    }

    #[test]
    fn activation_token_rejects_other_machine() {
-        let (private_pem, public_pem) = test_keypair();
+        let (enc, dec) = default_keys();
        let claims = ActivationClaims {
            sub: "license-id".to_string(),
            iat: now(),
            exp: now() + 86400,
            machine_id: "machine-A".to_string(),
        };
-        let token = make_activation_token(&private_pem, &claims);
-        let result = validate_activation_with_key(&token, "machine-B", public_pem.as_bytes());
+        let token = make_token(&enc, &claims);
+        let result = validate_activation_with_key(&token, "machine-B", &dec);
        assert!(result.is_err(), "copied activation token must be rejected");
    }
+
+    #[test]
+    fn embedded_public_key_pem_parses() {
+        // Sanity check that the production PEM constant is well-formed.
+        assert!(embedded_decoding_key().is_ok());
+    }
 }
Author	SHA1	Message	Date
le king fu	2da2de183a	feat: license card in settings (#47 ) All checks were successful PR Check / rust (push) Successful in 16m19s Details PR Check / frontend (push) Successful in 2m14s Details Adds the user-facing layer on top of the Rust license commands shipped in #46. - `licenseService.ts` thin wrapper around the new Tauri commands - `useLicense` hook follows the project's useReducer pattern (idle, loading, ready, validating, error) and exposes `submitKey`, `refresh`, and `checkEntitlement` for cross-component use - `LicenseCard` shows the current edition, the expiry date when set, accepts a license key with inline validation feedback, and links to the purchase page via `openUrl` from `@tauri-apps/plugin-opener` - Card is inserted at the top of `SettingsPage` so the edition is the first thing users see when looking for license-related actions - i18n: new `license.*` keys in both `fr.json` and `en.json` - Bilingual CHANGELOG entries	2026-04-09 15:47:04 -04:00
maximus	59cefe8435	feat: license validation commands + entitlements system (#46 ) Merge PR #56 Closes #46	2026-04-09 19:35:32 +00:00
le king fu	2e9df1c0b9	fix(rust): pass raw public key bytes to DecodingKey::from_ed_der All checks were successful PR Check / rust (push) Successful in 15m54s Details PR Check / frontend (push) Successful in 2m15s Details PR Check / rust (pull_request) Successful in 16m7s Details PR Check / frontend (pull_request) Successful in 2m15s Details Previous test refactor wrapped both keys in their respective DER envelopes. CI surfaced the asymmetry: jsonwebtoken's two from_ed_der constructors expect different inputs. - EncodingKey::from_ed_der → PKCS#8 v1 wrapped (ring's Ed25519KeyPair::from_pkcs8 path). The 16-byte prefix + 32-byte seed blob is correct. - DecodingKey::from_ed_der → raw 32-byte public key. Internally it becomes ring's UnparsedPublicKey::new(&ED25519, key_bytes), which takes the bare bytes, NOT a SubjectPublicKeyInfo wrapper. The test was building an SPKI DER for the public key, so verification saw a malformed key and failed every signature with InvalidSignature (`accepts_well_formed_base_license` and `activation_token_matches_machine`). Drop the SPKI helper, pass `signing_key.verifying_key().to_bytes()` straight into DecodingKey::from_ed_der. Inline doc-comment captures the asymmetry so the next person doesn't fall in the same hole.	2026-04-09 11:12:10 -04:00
le king fu	69e136cab0	fix(rust): use DER-built keys in license tests, drop ed25519-dalek pem feature Some checks failed PR Check / rust (push) Failing after 10m20s Details PR Check / frontend (push) Successful in 2m15s Details PR Check / rust (pull_request) Failing after 9m30s Details PR Check / frontend (pull_request) Successful in 2m7s Details cargo CI flagged: `unresolved import ed25519_dalek::pkcs8::LineEnding`. The `LineEnding` re-export path varies between pkcs8/spki/der versions, so the test code that called `to_pkcs8_pem(LineEnding::LF)` won't compile against the dependency tree we get with ed25519-dalek 2.2 + pkcs8 0.10. Fix: - Drop the `pem` feature from the ed25519-dalek dev-dependency. - In tests, build the PKCS#8 v1 PrivateKeyInfo and SubjectPublicKeyInfo DER blobs manually from the raw 32-byte Ed25519 seed/public key. The Ed25519 layout is fixed (16-byte prefix + 32-byte key) so this is short and stable. - Pass the resulting DER bytes to `EncodingKey::from_ed_der` / `DecodingKey::from_ed_der`. Refactor: - Extract `strict_validation()` and `embedded_decoding_key()` helpers so the validation config (mandatory exp/iat for CWE-613) lives in one place and production callers all share the same DecodingKey constructor. - `validate_with_key` and `validate_activation_with_key` now take a `&DecodingKey` instead of raw PEM bytes; production builds the key once via `embedded_decoding_key()`. - New canary test `embedded_public_key_pem_parses` fails fast if the embedded PEM constant ever becomes malformed.	2026-04-09 10:59:12 -04:00
le king fu	99fef19a6b	feat: add license validation and entitlements (Rust) (#46 ) Some checks failed PR Check / rust (push) Failing after 5m50s Details PR Check / frontend (push) Successful in 2m9s Details PR Check / rust (pull_request) Failing after 6m1s Details PR Check / frontend (pull_request) Successful in 2m12s Details Introduces the offline license infrastructure for the Base/Premium editions. - jsonwebtoken (EdDSA) verifies license JWTs against an embedded Ed25519 public key. The exp claim is mandatory (CWE-613) and is enforced via Validation::set_required_spec_claims. - Activation tokens (server-issued, machine-bound) prevent license.key copying between machines. Storage is wired up; the actual issuance flow ships with Issue #49. - get_edition() fails closed to "free" when the license is missing, invalid, expired, or activated for a different machine. - New commands/entitlements module centralizes feature → tier mapping so Issue #48 (and any future gate) reads from a single source of truth. - machine-uid provides the cross-platform machine identifier; OS reinstall invalidates the activation token by design. - Tests cover happy path, expiry, wrong-key signature, malformed JWT, unknown edition, and machine_id matching for activation tokens. The embedded PUBLIC_KEY_PEM is the RFC 8410 §10.3 test vector, clearly labelled as a development placeholder; replacing it with the production public key is a release-time task.	2026-04-09 10:02:02 -04:00
maximus	8afcafe890	Merge pull request 'fix(ci): install Node.js in the rust job' (#62 ) from fix/check-workflow-rust-node into main	2026-04-09 14:01:39 +00:00
le king fu	60bf43fd65	fix(ci): install Node.js in the rust job All checks were successful PR Check / rust (push) Successful in 15m32s Details PR Check / frontend (push) Successful in 2m24s Details PR Check / rust (pull_request) Successful in 15m44s Details PR Check / frontend (pull_request) Successful in 2m33s Details actions/checkout@v4 and actions/cache@v4 are JavaScript actions and require `node` in the container PATH. The rust job in check.yml only installed system libs and the Rust toolchain, so the post-checkout cleanup failed with `exec: "node": executable file not found in $PATH` on every Forgejo run. The frontend job already installed Node, which is why it succeeded. The GitHub mirror is unaffected because ubuntu-latest ships with Node preinstalled. Validated against the failed run https://git.lacompagniemaximus.com/maximus/Simpl-Resultat/actions/runs/122	2026-04-09 09:44:24 -04:00
maximus	b5c81b2a01	Merge pull request 'ci: add PR validation workflow (cargo check/test + npm build) (#60 )' (#61 ) from issue-60-pr-check-workflow into main	2026-04-09 13:31:15 +00:00
le king fu	8e5228e61c	ci: add PR validation workflow (#60 ) Some checks failed PR Check / rust (push) Failing after 2m2s Details PR Check / frontend (push) Successful in 2m10s Details PR Check / rust (pull_request) Failing after 1m32s Details PR Check / frontend (pull_request) Successful in 2m8s Details Adds .forgejo/workflows/check.yml (and a GitHub mirror) that runs on every branch push (except main) and on every PR targeting main. Two parallel jobs: - rust: cargo check + cargo test, with cargo registry/git/target caches keyed on Cargo.lock. Installs the minimal Rust toolchain and the webkit2gtk system deps that the tauri build script needs. - frontend: npm ci + npm run build (tsc + vite) + npm test (vitest), with the npm cache keyed on package-lock.json. The Forgejo workflow uses the ubuntu:22.04 container pattern from release.yml. The GitHub mirror uses native runners (ubuntu-latest) since the GitHub mirror exists for portability and uses GitHub-native actions. Documents the new workflow in CLAUDE.md alongside release.yml so future contributors know what CI runs before merge.	2026-04-09 09:21:20 -04:00