dmno-dev
diff --git a/‎.github/workflows/binary-release.yaml‎
Lines changed: 29 additions & 1 deletion b/‎.github/workflows/binary-release.yaml‎
Lines changed: 29 additions & 1 deletion
diff --git a/‎.github/workflows/build-native-macos.yaml‎
Lines changed: 77 additions & 0 deletions b/‎.github/workflows/build-native-macos.yaml‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎.github/workflows/build-native-rust.yaml‎
Lines changed: 207 additions & 0 deletions b/‎.github/workflows/build-native-rust.yaml‎
Lines changed: 207 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 28 additions & 1 deletion b/‎.github/workflows/release.yaml‎
Lines changed: 28 additions & 1 deletion
@@ -49,8 +49,15 @@ jobs:
     secrets:
       OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
 
+  # Build Rust native binaries for Linux and Windows
+  build-native-rust:
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'varlock@')
+    uses: ./.github/workflows/build-native-rust.yaml
+    with:
+      artifact-name: native-bin-rust
+
   release-binaries:
-    needs: notarize-native-macos
+    needs: [notarize-native-macos, build-native-rust]
     # was using github.ref.tag_name, but it seems that when publishing multiple tags at once, it was behaving weirdly
     if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'varlock@')
     runs-on: ubuntu-latest
@@ -100,6 +107,27 @@ jobs:
       - name: Restore native binary execute permission
         run: chmod +x packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt
 
+      # Download Rust native binaries for Linux and Windows
+      - name: Download Linux x64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-linux-x64
+          path: packages/varlock/native-bins/linux-x64
+      - name: Download Linux arm64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-linux-arm64
+          path: packages/varlock/native-bins/linux-arm64
+      - name: Download Windows x64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-win32-x64
+          path: packages/varlock/native-bins/win32-x64
+      - name: Restore Rust binary execute permissions
+        run: |
+          chmod +x packages/varlock/native-bins/linux-x64/varlock-local-encrypt
+          chmod +x packages/varlock/native-bins/linux-arm64/varlock-local-encrypt
+
       - name: build libs
         run: bun run build:libs
         env:
 
@@ -117,6 +117,83 @@ jobs:
           echo "=== Info.plist ==="
           cat "$APP_PATH/Contents/Info.plist"
 
+      # Test the binary (using --no-auth since CI has no biometric)
+      # Keys are still Secure Enclave-backed, just without user presence requirement
+      - name: Test binary - status
+        run: |
+          BIN="packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt"
+          echo "=== status ==="
+          $BIN status
+          $BIN status | python3 -c "import sys,json; d=json.load(sys.stdin); assert d['ok'], 'status not ok'"
+
+      - name: Test binary - SE key lifecycle + encrypt/decrypt roundtrip
+        run: |
+          BIN="packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt"
+
+          echo "=== generate-key (--no-auth for CI) ==="
+          $BIN generate-key --key-id ci-test --no-auth
+
+          echo "=== key-exists ==="
+          $BIN key-exists --key-id ci-test | python3 -c "import sys,json; d=json.load(sys.stdin); assert d['exists']"
+
+          echo "=== encrypt ==="
+          PLAINTEXT=$(printf 'hello from macOS CI' | base64)
+          CIPHERTEXT=$($BIN encrypt --key-id ci-test --data "$PLAINTEXT" | python3 -c "import sys,json; print(json.load(sys.stdin)['ciphertext'])")
+          echo "Ciphertext: ${CIPHERTEXT:0:40}..."
+
+          echo "=== decrypt (one-shot, no auth needed) ==="
+          DECRYPTED=$($BIN decrypt --key-id ci-test --data "$CIPHERTEXT" | python3 -c "import sys,json; print(json.load(sys.stdin)['plaintext'])")
+          echo "Decrypted: $DECRYPTED"
+
+          if [ "$DECRYPTED" != "hello from macOS CI" ]; then
+            echo "::error::Roundtrip failed! Expected 'hello from macOS CI', got '$DECRYPTED'"
+            exit 1
+          fi
+
+          echo "=== delete-key ==="
+          $BIN delete-key --key-id ci-test
+
+          echo "All macOS binary tests passed"
+
+      - name: Test JS→Swift interop
+        run: |
+          BIN="packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt"
+
+          # Generate SE key (no auth for CI)
+          $BIN generate-key --key-id interop-test --no-auth
+
+          # Get the public key from the SE binary
+          PUBLIC_KEY=$($BIN generate-key --key-id interop-tmp --no-auth > /dev/null 2>&1; echo "skip")
+          # Actually, get public key by generating and reading the output
+          GEN_OUTPUT=$($BIN key-exists --key-id interop-test)
+
+          # Use the SE binary's encrypt to get the public key indirectly:
+          # generate-key already printed it — let's re-generate to capture it
+          $BIN delete-key --key-id interop-test > /dev/null
+          PUBLIC_KEY=$($BIN generate-key --key-id interop-test --no-auth | python3 -c "import sys,json; print(json.load(sys.stdin)['publicKey'])")
+          echo "SE Public Key: ${PUBLIC_KEY:0:20}..."
+
+          # Encrypt with JS using the SE public key
+          CIPHERTEXT=$(bun -e "
+            const { encrypt } = await import('./packages/varlock/src/lib/local-encrypt/crypto.ts');
+            const result = await encrypt('$PUBLIC_KEY', 'javascript to secure enclave');
+            process.stdout.write(result);
+          ")
+          echo "JS Ciphertext: ${CIPHERTEXT:0:40}..."
+
+          # Decrypt with Swift SE binary (proves JS wire format is SE-compatible)
+          DECRYPTED=$($BIN decrypt --key-id interop-test --data "$CIPHERTEXT" | python3 -c "import sys,json; print(json.load(sys.stdin)['plaintext'])")
+
+          if [ "$DECRYPTED" != "javascript to secure enclave" ]; then
+            echo "::error::JS→Swift interop failed! Got: $DECRYPTED"
+            exit 1
+          fi
+          echo "✓ JS→Swift SE: '$DECRYPTED'"
+
+          # Cleanup
+          $BIN delete-key --key-id interop-test
+          echo "All macOS interop tests passed"
+
       - name: Upload native binary artifact
         uses: actions/upload-artifact@v7
         with:
 
@@ -0,0 +1,207 @@
+name: Build Rust native binaries
+
+# Reusable workflow that compiles the varlock-local-encrypt Rust binary
+# for Linux and Windows targets.
+#
+# Builds are cached by Cargo.lock + source hash. Each platform builds
+# natively on its own runner for maximum compatibility.
+#
+# Output: native binaries uploaded as artifacts, ready to be bundled
+# into the varlock npm package and CLI release archives.
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      artifact-name:
+        description: 'Base name for uploaded artifacts (suffixed with platform)'
+        type: string
+        default: 'native-bin-rust'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            native-bin-subdir: linux-x64
+            binary-name: varlock-local-encrypt
+            test-interop: true  # only need interop on one platform — crypto is identical
+          - os: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-gnu
+            native-bin-subdir: linux-arm64
+            binary-name: varlock-local-encrypt
+            test-interop: false
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            native-bin-subdir: win32-x64
+            binary-name: varlock-local-encrypt.exe
+            test-interop: false
+
+    runs-on: ${{ matrix.os }}
+    name: Build ${{ matrix.native-bin-subdir }}
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      # Cache Cargo registry + build artifacts by lockfile hash
+      - name: Cache Cargo
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            packages/encryption-binary-rust/target
+          key: rust-${{ matrix.target }}-${{ hashFiles('packages/encryption-binary-rust/Cargo.lock') }}-${{ hashFiles('packages/encryption-binary-rust/src/**') }}
+          restore-keys: |
+            rust-${{ matrix.target }}-${{ hashFiles('packages/encryption-binary-rust/Cargo.lock') }}-
+            rust-${{ matrix.target }}-
+
+      - name: Install UPX
+        shell: bash
+        run: |
+          if [[ "${{ matrix.os }}" == *"ubuntu"* ]]; then
+            sudo apt-get update && sudo apt-get install -y upx-ucl
+          elif [[ "${{ matrix.os }}" == *"windows"* ]]; then
+            choco install upx --yes
+          fi
+
+      - name: Build release binary
+        working-directory: packages/encryption-binary-rust
+        run: cargo build --release --target ${{ matrix.target }}
+
+      - name: Prepare artifact
+        shell: bash
+        run: |
+          ARTIFACT_DIR="native-bins/${{ matrix.native-bin-subdir }}"
+          mkdir -p "$ARTIFACT_DIR"
+          cp "packages/encryption-binary-rust/target/${{ matrix.target }}/release/${{ matrix.binary-name }}" "$ARTIFACT_DIR/"
+          echo "=== Binary info (before UPX) ==="
+          ls -la "$ARTIFACT_DIR/${{ matrix.binary-name }}"
+          file "$ARTIFACT_DIR/${{ matrix.binary-name }}" || true
+          echo "=== UPX compress ==="
+          upx --best "$ARTIFACT_DIR/${{ matrix.binary-name }}"
+          echo "=== Binary info (after UPX) ==="
+          ls -la "$ARTIFACT_DIR/${{ matrix.binary-name }}"
+
+      # Run Rust unit tests
+      - name: Run unit tests
+        working-directory: packages/encryption-binary-rust
+        run: cargo test --release --target ${{ matrix.target }}
+
+      # Test the built binary end-to-end (one-shot commands, no biometric)
+      # Uses python (not python3) for Windows compat; printf for reliable base64 input
+      - name: Test binary - status
+        shell: bash
+        run: |
+          BIN="native-bins/${{ matrix.native-bin-subdir }}/${{ matrix.binary-name }}"
+          PY=$(command -v python3 || command -v python)
+          echo "=== status ==="
+          $BIN status
+          $BIN status | $PY -c "import sys,json; d=json.load(sys.stdin); assert d['ok'], 'status not ok'"
+
+      - name: Test binary - key lifecycle + encrypt/decrypt roundtrip
+        shell: bash
+        run: |
+          BIN="native-bins/${{ matrix.native-bin-subdir }}/${{ matrix.binary-name }}"
+          PY=$(command -v python3 || command -v python)
+
+          echo "=== generate-key ==="
+          $BIN generate-key --key-id ci-test
+          $BIN key-exists --key-id ci-test | $PY -c "import sys,json; d=json.load(sys.stdin); assert d['exists']"
+
+          echo "=== encrypt ==="
+          PLAINTEXT=$($PY -c "import base64; print(base64.b64encode(b'hello from CI').decode())")
+          CIPHERTEXT=$($BIN encrypt --key-id ci-test --data "$PLAINTEXT" | $PY -c "import sys,json; print(json.load(sys.stdin)['ciphertext'])")
+          echo "Ciphertext: ${CIPHERTEXT:0:40}..."
+
+          echo "=== decrypt ==="
+          DECRYPTED=$($BIN decrypt --key-id ci-test --data "$CIPHERTEXT" | $PY -c "import sys,json; print(json.load(sys.stdin)['plaintext'])")
+          echo "Decrypted: $DECRYPTED"
+
+          if [ "$DECRYPTED" != "hello from CI" ]; then
+            echo "::error::Roundtrip failed! Expected 'hello from CI', got '$DECRYPTED'"
+            exit 1
+          fi
+
+          echo "=== delete-key ==="
+          $BIN delete-key --key-id ci-test
+
+          echo "All binary tests passed"
+
+      # Cross-platform interop: encrypt with Rust, decrypt with JS, and vice versa
+      # Only on platforms where Bun is available and keys aren't DPAPI-protected
+      - name: Setup Bun (for interop test)
+        if: matrix.test-interop
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install JS deps (for interop test)
+        if: matrix.test-interop
+        run: bun install
+
+      # Bidirectional Rust↔JS interop test (Linux x64 only — crypto is platform-independent)
+      - name: Setup Bun (for interop test)
+        if: matrix.test-interop
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install JS deps (for interop test)
+        if: matrix.test-interop
+        run: bun install
+
+      - name: Test Rust↔JS interop
+        if: matrix.test-interop
+        shell: bash
+        run: |
+          BIN="native-bins/${{ matrix.native-bin-subdir }}/${{ matrix.binary-name }}"
+
+          # Generate key with Rust (no DPAPI on Linux = plaintext PKCS8)
+          $BIN generate-key --key-id interop-test
+          KEY_FILE="$HOME/.config/varlock/local-encrypt/keys/interop-test.json"
+          PUBLIC_KEY=$(python3 -c "import json; print(json.load(open('$KEY_FILE'))['publicKey'])")
+          PRIVATE_KEY=$(python3 -c "import json; print(json.load(open('$KEY_FILE'))['protectedPrivateKey'])")
+
+          # Rust→JS: encrypt with Rust, decrypt with JS
+          PLAINTEXT_B64=$(python3 -c "import base64; print(base64.b64encode(b'rust to javascript').decode())")
+          CIPHERTEXT=$($BIN encrypt --key-id interop-test --data "$PLAINTEXT_B64" | python3 -c "import sys,json; print(json.load(sys.stdin)['ciphertext'])")
+          RESULT=$(bun -e "
+            const { decrypt } = await import('./packages/varlock/src/lib/local-encrypt/crypto.ts');
+            const result = await decrypt('$PRIVATE_KEY', '$PUBLIC_KEY', '$CIPHERTEXT');
+            process.stdout.write(result);
+          ")
+          [ "$RESULT" = "rust to javascript" ] || { echo "::error::Rust→JS failed! Got: $RESULT"; exit 1; }
+          echo "Rust→JS: '$RESULT'"
+
+          # JS→Rust: encrypt with JS, decrypt with Rust
+          CIPHERTEXT=$(bun -e "
+            const { encrypt } = await import('./packages/varlock/src/lib/local-encrypt/crypto.ts');
+            const result = await encrypt('$PUBLIC_KEY', 'javascript to rust');
+            process.stdout.write(result);
+          ")
+          RESULT=$($BIN decrypt --key-id interop-test --data "$CIPHERTEXT" | python3 -c "import sys,json; print(json.load(sys.stdin)['plaintext'])")
+          [ "$RESULT" = "javascript to rust" ] || { echo "::error::JS→Rust failed! Got: $RESULT"; exit 1; }
+          echo "JS→Rust: '$RESULT'"
+
+          $BIN delete-key --key-id interop-test
+          echo "All interop tests passed"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: ${{ inputs.artifact-name }}-${{ matrix.native-bin-subdir }}
+          path: native-bins/${{ matrix.native-bin-subdir }}/
+          retention-days: 7
+
+      # Cache the built binary so preview releases on other runners can restore it
+      - name: Cache built binary
+        uses: actions/cache/save@v5
+        with:
+          path: native-bins/${{ matrix.native-bin-subdir }}/
+          key: native-bin-rust-${{ matrix.native-bin-subdir }}-${{ hashFiles('packages/encryption-binary-rust/Cargo.lock', 'packages/encryption-binary-rust/src/**') }}
@@ -30,9 +30,15 @@ jobs:
     secrets:
       OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
 
+  # Build Rust native binaries for Linux and Windows
+  build-native-rust:
+    uses: ./.github/workflows/build-native-rust.yaml
+    with:
+      artifact-name: native-bin-rust
+
   release:
     name: Release
-    needs: notarize-native-macos
+    needs: [notarize-native-macos, build-native-rust]
     runs-on: ubuntu-latest
     permissions:
       id-token: write  # Required for OIDC
@@ -77,6 +83,27 @@ jobs:
       - name: Restore native binary execute permission
         run: chmod +x packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt
 
+      # Download Rust native binaries for Linux and Windows
+      - name: Download Linux x64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-linux-x64
+          path: packages/varlock/native-bins/linux-x64
+      - name: Download Linux arm64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-linux-arm64
+          path: packages/varlock/native-bins/linux-arm64
+      - name: Download Windows x64 native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-rust-win32-x64
+          path: packages/varlock/native-bins/win32-x64
+      - name: Restore Rust binary execute permissions
+        run: |
+          chmod +x packages/varlock/native-bins/linux-x64/varlock-local-encrypt
+          chmod +x packages/varlock/native-bins/linux-arm64/varlock-local-encrypt
+
       # ------------------------------------------------------------
       - name: Create Release Pull Request or Publish to npm
         id: changesets