…g version to 15.2.10 chore(enclave): add FCM_SERVICE_ACCOUNT_JSON placeholder in enclave.yaml chore(.gitignore): ignore env_values.auto.tfvars.json for sensitive data
…igned TLS bypass

Replace the free-form URL text field with two preset cards on the onboarding server-connect screen. Regtest = 10.0.2.2 (gated on kDebugMode; emulator-only); Mutiny = mutiny.vtxos.network. Single-tap selects and advances to DKG.

The Mutiny enclave now serves a CA-signed cert, so the production app's trust-everything HttpOverrides (in main.dart and integration test bootApp) is removed. The wallet now uses the system trust store like any other Dart HTTP caller.

Integration test helpers updated: ServerConnectPage.useDefault -> pickRegtest / pickMutiny; the restore-flow stage in app_test.dart taps the new key.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ication
The enclave-client crate bundled two unrelated concerns: HTTP transport
(reqwest + tokio) and attestation crypto (COSE_Sign1, X.509, P-384,
Schnorr). Two TLS configs, two retry policies, awkward error
marshalling across FFI. Split the responsibilities along the natural
seam:
- crates/enclave-client/ becomes a pure verification library. No
reqwest, no tokio, no async. Three pure functions:
verify_attestation_doc, extract_app_key_hash, verify_schnorr_signature.
Deleted: client.rs, manifest.rs, types.rs (the HTTP-bound pieces).
Cargo deps drop from 19 to 14 entries.
- FFI surface shrinks from 6 handle-based functions + a tokio runtime
to 2 stateless verifier functions (plus enclave_string_free for
string returns). No more ClientHandle, no block_on. tokio dropped
from ffi/Cargo.toml; hex added for PCR hex-encoding.
- app-core/lib/attested_wallet_api.dart drives the protocol from Dart:
package:http for transport, in-process attestation cache with TTL +
in-flight-verify dedup, X-Attestation-Signature header verified per
response. The previous async_enclave.dart isolate wrapper is gone -
per-request verify is sub-millisecond CPU work; init-time COSE/X.509
verify is ~10-50ms once per TTL, fine on main isolate.
The cache uses package:http's persistent Client for connection-pool
reuse. Wall-clock TTL is clamped against backward clock jumps so the
UI's ttlRemainingSecs stays sane; the cache self-heals across an
enclave key rotation via the retry-on-failed-verify loop.
Behavioral changes worth noting:
- Missing/failed X-Attestation-Signature is now a hard exception
instead of returning the body with signature_verified=false. No
consumers used the soft-fail path; net security improvement.
- The retry-on-transient closure now catches all exceptions, not just
reqwest connect/request errors. Matches the original intent
("attestation warmup, connection reset") more broadly.
- No /api/health warmup on init. First request pays one TLS handshake.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
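The attestation cache, wall-clock TTL clamp and retry-on-failed-verify loop described in the commit message above, as an added example that is not part of this repository's code. The project does this in Dart (attested_wallet_api.dart); this model is written in Rust so it runs stand-alone, and it assumes a `Verifier` trait standing in for the crate's pure functions (the real verify_attestation_doc / verify_schnorr_signature do COSE_Sign1, X.509 and Schnorr; here a toy FNV-based MAC is used, which is not secure and only exists so the cache logic can be exercised offline) and a `Transport` trait with a simulated enclave. The in-flight-verify dedup is omitted because this model is synchronous.

```rust
use std::time::Duration;

/// Stand-in for the pure verifier functions (assumed interface, not the crate's API).
pub trait Verifier {
    /// Verify the attestation document and return the enclave's app key.
    fn verify_attestation_doc(&self, doc: &[u8]) -> Result<Vec<u8>, String>;
    /// Verify the per-response X-Attestation-Signature over `body` under `app_key`.
    fn verify_response_sig(&self, app_key: &[u8], body: &[u8], sig: &[u8]) -> bool;
}

pub struct Response { pub body: Vec<u8>, pub attestation_sig: Option<Vec<u8>> }

/// Stand-in for the HTTP client (assumed interface): fetch an attestation doc, or
/// make a request that returns a body plus the signature header, if the server sent one.
pub trait Transport {
    fn fetch_attestation(&mut self) -> Result<Vec<u8>, String>;
    fn request(&mut self, path: &str) -> Result<Response, String>;
}

struct CachedKey { app_key: Vec<u8>, verified_at: u64 } // verified_at: unix seconds

pub struct AttestationCache<V: Verifier> {
    verifier: V,
    ttl: Duration,
    entry: Option<CachedKey>,
    /// Counts the expensive init-time attestation verifies (one per TTL in steady state).
    pub attestation_verifies: u32,
}

impl<V: Verifier> AttestationCache<V> {
    pub fn new(verifier: V, ttl: Duration) -> Self {
        Self { verifier, ttl, entry: None, attestation_verifies: 0 }
    }

    /// Seconds of TTL left at wall-clock `now`. If the clock jumped backwards
    /// (now < verified_at) the entry is re-anchored at `now`, so the result stays
    /// within [0, ttl] and a backward jump cannot extend the entry's life indefinitely.
    pub fn ttl_remaining_secs(&mut self, now: u64) -> u64 {
        match self.entry.as_mut() {
            None => 0,
            Some(e) => {
                if now < e.verified_at { e.verified_at = now; }
                self.ttl.as_secs().saturating_sub(now - e.verified_at)
            }
        }
    }

    /// Cached app key, or fetch + verify a fresh attestation doc when absent/expired.
    fn app_key(&mut self, t: &mut impl Transport, now: u64) -> Result<Vec<u8>, String> {
        if self.ttl_remaining_secs(now) == 0 { self.entry = None; }
        if self.entry.is_none() {
            let doc = t.fetch_attestation()?;
            let app_key = self.verifier.verify_attestation_doc(&doc)?;
            self.attestation_verifies += 1;
            self.entry = Some(CachedKey { app_key, verified_at: now });
        }
        Ok(self.entry.as_ref().unwrap().app_key.clone())
    }

    /// Every response must carry a valid signature. A missing header is a hard error.
    /// A signature that fails under the cached key drops the cache and retries once with
    /// a freshly verified attestation, which is how an enclave key rotation self-heals.
    pub fn attested_request(&mut self, t: &mut impl Transport, path: &str, now: u64)
        -> Result<Vec<u8>, String> {
        for _attempt in 0..2 {
            let key = self.app_key(t, now)?;
            let resp = t.request(path)?;
            let sig = resp.attestation_sig
                .ok_or_else(|| "missing X-Attestation-Signature header".to_string())?;
            if self.verifier.verify_response_sig(&key, &resp.body, &sig) { return Ok(resp.body); }
            self.entry = None; // key may have rotated: re-attest and retry once
        }
        Err("X-Attestation-Signature did not verify after re-attestation".into())
    }
}

/// Toy MAC (FNV-1a over key || body). NOT Schnorr, NOT secure; demo plumbing only.
pub fn toy_mac(key: &[u8], body: &[u8]) -> Vec<u8> {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in key.iter().chain(body) { h ^= *b as u64; h = h.wrapping_mul(0x100000001b3); }
    h.to_be_bytes().to_vec()
}

pub struct ToyVerifier;
impl Verifier for ToyVerifier {
    /// Toy "attestation doc": the literal prefix b"att:" followed by the app key bytes.
    fn verify_attestation_doc(&self, doc: &[u8]) -> Result<Vec<u8>, String> {
        doc.strip_prefix(b"att:").map(|k| k.to_vec()).ok_or_else(|| "bad attestation doc".into())
    }
    fn verify_response_sig(&self, k: &[u8], body: &[u8], sig: &[u8]) -> bool { toy_mac(k, body) == sig }
}

/// Simulated enclave (constructed): change `key` to model rotation, clear
/// `sign_responses` to model a response without the signature header.
pub struct ToyEnclave { pub key: Vec<u8>, pub sign_responses: bool }
impl Transport for ToyEnclave {
    fn fetch_attestation(&mut self) -> Result<Vec<u8>, String> {
        let mut d = b"att:".to_vec(); d.extend_from_slice(&self.key); Ok(d)
    }
    fn request(&mut self, path: &str) -> Result<Response, String> {
        let body = format!("{{\"path\":\"{}\"}}", path).into_bytes();
        let sig = if self.sign_responses { Some(toy_mac(&self.key, &body)) } else { None };
        Ok(Response { body, attestation_sig: sig })
    }
}

fn main() {
    let mut cache = AttestationCache::new(ToyVerifier, Duration::from_secs(300));
    let mut enclave = ToyEnclave { key: b"k1".to_vec(), sign_responses: true };
    let body = cache.attested_request(&mut enclave, "/api/balance", 1_000).unwrap();
    println!("{}", String::from_utf8_lossy(&body));
    enclave.key = b"k2".to_vec(); // rotation: next response fails under k1, cache self-heals
    cache.attested_request(&mut enclave, "/api/balance", 1_010).unwrap();
    println!("attestation verifies so far: {}", cache.attestation_verifies);
}
```

The TTL clamp re-anchors `verified_at` rather than reporting a full TTL forever; either choice keeps `ttl_remaining_secs` in range, but re-anchoring also bounds how long a stale key survives a backward clock jump.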
Replaces the placeholder wallet icon with a small hand-drawn SVG mark (mark-a-hat) on the splash screen, swaps the launcher PNGs across all mipmap densities, and changes the visible app label from "ap" to "merlin". Adds flutter_svg + the assets/logo/ entry to pubspec.

Wires release signing in app/android/app/build.gradle gated on app/android/key.properties presence. With key.properties absent, falls back to debug signing so flutter run --release still works locally; with it present, produces a Play-uploadable AAB. The keystore files themselves are gitignored (not committed).

Drive-by: print -> debugPrint in signing_screen.dart (lint), auto-generated app/devtools_options.yaml from `flutter pub get`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… for TLS support and KMS key management