An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
fix: remove AC references from source comments; SE app_label fail-fast

- device_key.rs: Replace '(breaking AC2.1)' with '(key would not survive app restart)'
- device_key.rs: Remove AC prefix from all test comments (AC1.1, AC1.2, AC1.3, AC3.1, AC3.2, AC3.3, AC4.1)
- device_key.rs: Replace SE app_label() if-let with fail-fast pattern (unwrap->ok_or)
- lib.rs: Remove AC prefix from all test comment headers

authored by

Malpercio and committed by
Tangled
134473e8 ec54ca21

+26 -25
+16 -15
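--- a/apps/identity-wallet/src-tauri/src/device_key.rs
+++ b/apps/identity-wallet/src-tauri/src/device_key.rs
@@ -153,7 +153,7 @@
 // Generate a new SE-backed P-256 key.
 // set_location(DataProtectionKeychain) is required — without it, security_framework sets
 // kSecAttrIsPermanent = false, meaning the key is not persisted to the Keychain and will
-// not survive app restart (breaking AC2.1).
+// not survive app restart (key would not survive app restart).
 // set_access_control with PRIVATE_KEY_USAGE is required for SE keys — the SE enforces
 // that only explicitly-authorized operations can use the private key for signing.
 //
@@ -206,13 +206,14 @@
 
 // Store the application_label (OS-assigned SHA1 of public key, 20 bytes)
 // so sign() can locate the SE private key on future app launches.
-if let Some(app_label) = priv_key.application_label() {
-crate::keychain::store_item(SE_APP_LABEL_ACCOUNT, &app_label).map_err(|e| {
-DeviceKeyError::KeychainError {
-message: e.to_string(),
-}
-})?;
-}
+let app_label = priv_key
+.application_label()
+.ok_or(DeviceKeyError::KeyGenerationFailed)?;
+crate::keychain::store_item(SE_APP_LABEL_ACCOUNT, &app_label).map_err(|e| {
+DeviceKeyError::KeychainError {
+message: e.to_string(),
+}
+})?;
 
 let multibase = multibase::encode(multibase::Base::Base58Btc, &compressed);
 // did:key requires the P-256 multicodec varint prefix [0x80, 0x24] (0x1200 as LEB128).
@@ -277,7 +278,7 @@
 // Tests use the real macOS Keychain under service "ezpds-identity-wallet".
 // Run with `cargo test -- --test-threads=1` to prevent Keychain races between tests.
 
-// AC1.1 — multibase starts with 'z' and decodes to 33 bytes
+// multibase starts with 'z' and decodes to 33 bytes
 #[test]
 fn get_or_create_returns_valid_multibase() {
 let result = get_or_create().expect("get_or_create should succeed");
@@ -289,7 +290,7 @@
 assert_eq!(decoded.len(), 33, "compressed P-256 point must be 33 bytes");
 }
 
-// AC1.2 — two successive calls are idempotent
+// two successive calls are idempotent
 #[test]
 fn get_or_create_is_idempotent() {
 let first = get_or_create().expect("first call should succeed");
@@ -301,7 +302,7 @@
 assert_eq!(first.key_id, second.key_id, "key_id must be stable");
 }
 
-// AC1.3 — key_id starts with "did:key:z"
+// key_id starts with "did:key:z"
 #[test]
 fn key_id_has_did_key_prefix() {
 let result = get_or_create().expect("get_or_create should succeed");
@@ -312,7 +313,7 @@
 );
 }
 
-// AC3.1 — sign returns exactly 64 bytes
+// sign returns exactly 64 bytes
 #[test]
 fn sign_returns_64_bytes() {
 get_or_create().expect("must have key before signing");
@@ -320,7 +321,7 @@
 assert_eq!(sig.len(), 64, "raw r||s signature must be 64 bytes");
 }
 
-// AC3.2 — signing is deterministic (RFC 6979)
+// signing is deterministic (RFC 6979)
 #[test]
 fn sign_is_deterministic() {
 get_or_create().expect("must have key before signing");
@@ -332,7 +333,7 @@
 );
 }
 
-// AC3.3 — sign before get_or_create returns KeyNotFound
+// sign before get_or_create returns KeyNotFound
 #[test]
 fn sign_before_generate_returns_key_not_found() {
 // Delete any key left by previous tests to simulate a fresh state.
@@ -345,7 +346,7 @@
 );
 }
 
-// AC4.1 — DeviceKeyError variants serialize as { "code": "SCREAMING_SNAKE_CASE" }
+// DeviceKeyError variants serialize as { "code": "SCREAMING_SNAKE_CASE" }
 #[test]
 fn device_key_error_serializes_as_code() {
 let err = DeviceKeyError::KeyGenerationFailed;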
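Review bot: The new fail-fast path at `.ok_or(DeviceKeyError::KeyGenerationFailed)?` returns after the Secure Enclave key has already been created, and the comment at lines 153–156 indicates it is created as a persistent Keychain item, so a `None` label or a failing `store_item` appears to leave a private key in the Keychain that `sign()` can never locate. The enclosing function starts and ends outside the visible hunks, so any cleanup elsewhere cannot be seen; if there is none, this error path should delete the just-created key before returning, so that retries do not accumulate orphaned device keys. At minimum, document it above the `let`: `// If this fails the SE key already exists in the Keychain but is unreachable; it must be removed before retrying.` Reusing `KeyGenerationFailed` here also makes a missing label indistinguishable from a failed generation in the serialized `code`, which hinders triage of key-provisioning failures.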
+10 -10
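--- a/apps/identity-wallet/src-tauri/src/lib.rs
+++ b/apps/identity-wallet/src-tauri/src/lib.rs
@@ -206,7 +206,7 @@
 mod tests {
 use super::*;
 
-// -- AC2.2: CreateMobileAccountRequest serialization --
+// -- CreateMobileAccountRequest serialization --
 #[test]
 fn create_mobile_account_request_serializes_camel_case() {
 let req = CreateMobileAccountRequest {
@@ -224,7 +224,7 @@
 assert_eq!(json["claimCode"], "ABC123");
 }
 
-// -- AC2.5: CreateAccountResult serialization --
+// -- CreateAccountResult serialization --
 #[test]
 fn create_account_result_serializes_camel_case() {
 let result = CreateAccountResult {
@@ -253,7 +253,7 @@
 assert!(result.is_err());
 }
 
-// -- AC3.1: CreateAccountError::ExpiredCode serialization --
+// -- CreateAccountError::ExpiredCode serialization --
 #[test]
 fn error_expired_code_serializes_correctly() {
 let err = CreateAccountError::ExpiredCode;
@@ -261,7 +261,7 @@
 assert_eq!(json["code"], "EXPIRED_CODE");
 }
 
-// -- AC3.2: CreateAccountError::RedeemedCode serialization --
+// -- CreateAccountError::RedeemedCode serialization --
 #[test]
 fn error_redeemed_code_serializes_correctly() {
 let err = CreateAccountError::RedeemedCode;
@@ -269,7 +269,7 @@
 assert_eq!(json["code"], "REDEEMED_CODE");
 }
 
-// -- AC3.3: CreateAccountError::EmailTaken serialization --
+// -- CreateAccountError::EmailTaken serialization --
 #[test]
 fn error_email_taken_serializes_correctly() {
 let err = CreateAccountError::EmailTaken;
@@ -277,7 +277,7 @@
 assert_eq!(json["code"], "EMAIL_TAKEN");
 }
 
-// -- AC3.4: CreateAccountError::HandleTaken serialization --
+// -- CreateAccountError::HandleTaken serialization --
 #[test]
 fn error_handle_taken_serializes_correctly() {
 let err = CreateAccountError::HandleTaken;
@@ -285,7 +285,7 @@
 assert_eq!(json["code"], "HANDLE_TAKEN");
 }
 
-// -- AC3.5: CreateAccountError::NetworkError serialization --
+// -- CreateAccountError::NetworkError serialization --
 #[test]
 fn error_network_error_serializes_correctly() {
 let err = CreateAccountError::NetworkError {
@@ -296,7 +296,7 @@
 assert_eq!(json["message"], "Connection timeout");
 }
 
-// -- AC3.6: CreateAccountError::KeychainError serialization --
+// -- CreateAccountError::KeychainError serialization --
 #[test]
 fn error_keychain_error_serializes_correctly() {
 let err = CreateAccountError::KeychainError;
@@ -304,7 +304,7 @@
 assert_eq!(json["code"], "KEYCHAIN_ERROR");
 }
 
-// -- AC3.7: CreateAccountError::Unknown serialization --
+// -- CreateAccountError::Unknown serialization --
 #[test]
 fn error_unknown_serializes_correctly() {
 let err = CreateAccountError::Unknown {
@@ -332,7 +332,7 @@
 assert!(json["message"].as_str().unwrap().contains("409:"));
 }
 
-// AC5.1 — create_account will use this key as device_public_key.
+// create_account uses device_key::get_or_create() as its public key source
 // We verify: (a) the key exists and is correctly formatted, (b) it's stable so
 // create_account always sends the same device_public_key for this device.
 #[test]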