[codex] Rewrite client connection architecture

apps/desktop/src/app/DesktopCloudAuthTokenStore.test.ts

@@ -5,7 +5,7 @@ import * as FileSystem from "effect/FileSystem";
 import * as Layer from "effect/Layer";
 import * as Option from "effect/Option";
 
-import * as ElectronSafeStorage from "../electron/ElectronSafeStorage.ts";
+import * as ElectronSafeStorage from "../electron/ElectronSafeStorageService.ts";
 import * as DesktopConfig from "./DesktopConfig.ts";
 import * as DesktopEnvironment from "./DesktopEnvironment.ts";
 import * as DesktopCloudAuthTokenStore from "./DesktopCloudAuthTokenStore.ts";

apps/desktop/src/app/DesktopCloudAuthTokenStore.ts

@@ -11,7 +11,7 @@ import * as Path from "effect/Path";
 import * as PlatformError from "effect/PlatformError";
 import * as Schema from "effect/Schema";
 
-import * as ElectronSafeStorage from "../electron/ElectronSafeStorage.ts";
+import * as ElectronSafeStorage from "../electron/ElectronSafeStorageService.ts";
 import * as DesktopEnvironment from "./DesktopEnvironment.ts";
 
 interface CloudAuthTokenDocument {

apps/desktop/src/app/DesktopConnectionCatalogStore.test.ts

@@ -0,0 +1,123 @@
+import * as NodeServices from "@effect/platform-node/NodeServices";
+import { assert, describe, it } from "@effect/vitest";
+import * as Effect from "effect/Effect";
+import * as FileSystem from "effect/FileSystem";
+import * as Layer from "effect/Layer";
+import * as Option from "effect/Option";
+import * as Ref from "effect/Ref";
+
+import * as ElectronSafeStorage from "../electron/ElectronSafeStorageService.ts";
+import * as DesktopConfig from "./DesktopConfig.ts";
+import * as DesktopConnectionCatalogStore from "./DesktopConnectionCatalogStore.ts";
+import * as DesktopEnvironment from "./DesktopEnvironment.ts";
+
+const textDecoder = new TextDecoder();
+const textEncoder = new TextEncoder();
+
+function makeSafeStorageLayer(available: boolean, failDecrypt: Ref.Ref<boolean> | null = null) {
+  return Layer.succeed(ElectronSafeStorage.ElectronSafeStorage, {
+    isEncryptionAvailable: Effect.succeed(available),
+    encryptString: (value) => Effect.succeed(textEncoder.encode(`encrypted:${value}`)),
+    decryptString: (value) => {
+      return Effect.gen(function* () {
+        const decoded = textDecoder.decode(value);
+        if (
+          !decoded.startsWith("encrypted:") ||
+          (failDecrypt !== null && (yield* Ref.get(failDecrypt)))
+        ) {
+          return yield* new ElectronSafeStorage.ElectronSafeStorageDecryptError({
+            cause: new Error("invalid encrypted catalog"),
+          });
+        }
+        return decoded.slice("encrypted:".length);
+      });
+    },
+  } satisfies ElectronSafeStorage.ElectronSafeStorageShape);
+}
+
+function makeLayer(
+  baseDir: string,
+  encryptionAvailable = true,
+  failDecrypt: Ref.Ref<boolean> | null = null,
+) {
+  const environmentLayer = DesktopEnvironment.layer({
+    dirname: "/repo/apps/desktop/src",
+    homeDirectory: baseDir,
+    platform: "darwin",
+    processArch: "arm64",
+    appVersion: "1.2.3",
+    appPath: "/repo",
+    isPackaged: true,
+    resourcesPath: "/missing/resources",
+    runningUnderArm64Translation: false,
+  }).pipe(
+    Layer.provide(
+      Layer.mergeAll(NodeServices.layer, DesktopConfig.layerTest({ T3CODE_HOME: baseDir })),
+    ),
+  );
+
+  return DesktopConnectionCatalogStore.layer.pipe(
+    Layer.provideMerge(environmentLayer),
+    Layer.provideMerge(makeSafeStorageLayer(encryptionAvailable, failDecrypt)),
+    Layer.provideMerge(NodeServices.layer),
+  );
+}
+
+const withStore = <A, E, R>(
+  effect: Effect.Effect<A, E, R | DesktopConnectionCatalogStore.DesktopConnectionCatalogStore>,
+  encryptionAvailable = true,
+) =>
+  Effect.gen(function* () {
+    const fileSystem = yield* FileSystem.FileSystem;
+    const baseDir = yield* fileSystem.makeTempDirectoryScoped({
+      prefix: "t3-desktop-connection-catalog-test-",
+    });
+    return yield* effect.pipe(Effect.provide(makeLayer(baseDir, encryptionAvailable)));
+  }).pipe(Effect.provide(NodeServices.layer), Effect.scoped);
+
+describe("DesktopConnectionCatalogStore", () => {
+  it.effect("persists, reads, and clears an encrypted connection catalog", () =>
+    withStore(
+      Effect.gen(function* () {
+        const store = yield* DesktopConnectionCatalogStore.DesktopConnectionCatalogStore;
+        const catalog = '{"schemaVersion":1,"targets":[]}';
+
+        assert.isTrue(yield* store.set(catalog));
+        assert.deepStrictEqual(yield* store.get, Option.some(catalog));
+
+        yield* store.clear;
+        assert.deepStrictEqual(yield* store.get, Option.none());
+      }),
+    ),
+  );
+
+  it.effect("does not persist when secure storage is unavailable", () =>
+    withStore(
+      Effect.gen(function* () {
+        const store = yield* DesktopConnectionCatalogStore.DesktopConnectionCatalogStore;
+        assert.isFalse(yield* store.set("{}"));
+        assert.deepStrictEqual(yield* store.get, Option.none());
+      }),
+      false,
+    ),
+  );
+
+  it.effect("discards a catalog that can no longer be decrypted", () =>
+    Effect.gen(function* () {
+      const fileSystem = yield* FileSystem.FileSystem;
+      const baseDir = yield* fileSystem.makeTempDirectoryScoped({
+        prefix: "t3-desktop-connection-catalog-test-",
+      });
+      const failDecrypt = yield* Ref.make(false);
+      const layer = makeLayer(baseDir, true, failDecrypt);
+      const store = yield* DesktopConnectionCatalogStore.DesktopConnectionCatalogStore.pipe(
+        Effect.provide(layer),
+      );
+
+      assert.isTrue(yield* store.set('{"schemaVersion":1,"targets":[]}'));
+      yield* Ref.set(failDecrypt, true);
+      assert.deepStrictEqual(yield* store.get, Option.none());
+      assert.deepStrictEqual(yield* store.get, Option.none());
+    }).pipe(Effect.provide(NodeServices.layer), Effect.scoped),
+  );
+});

apps/desktop/src/app/DesktopConnectionCatalogStore.ts

@@ -0,0 +1,187 @@
+import { fromLenientJson } from "@t3tools/shared/schemaJson";
+import * as Context from "effect/Context";
+import * as Crypto from "effect/Crypto";
+import * as Data from "effect/Data";
+import * as Effect from "effect/Effect";
+import * as Encoding from "effect/Encoding";
+import * as FileSystem from "effect/FileSystem";
+import * as Layer from "effect/Layer";
+import * as Option from "effect/Option";
+import * as Path from "effect/Path";
+import * as PlatformError from "effect/PlatformError";
+import * as Schema from "effect/Schema";
+
+import * as ElectronSafeStorage from "../electron/ElectronSafeStorageService.ts";
+import * as DesktopEnvironment from "./DesktopEnvironment.ts";
+
+const ConnectionCatalogDocument = Schema.Struct({
+  version: Schema.Literal(1),
+  encryptedCatalog: Schema.String,
+});
+type ConnectionCatalogDocument = typeof ConnectionCatalogDocument.Type;
+
+const ConnectionCatalogDocumentJson = fromLenientJson(ConnectionCatalogDocument);
+const decodeConnectionCatalogDocumentJson = Schema.decodeEffect(ConnectionCatalogDocumentJson);
+const encodeConnectionCatalogDocumentJson = Schema.encodeEffect(ConnectionCatalogDocumentJson);
+
+export class DesktopConnectionCatalogStoreWriteError extends Data.TaggedError(
+  "DesktopConnectionCatalogStoreWriteError",
+)<{
+  readonly cause: PlatformError.PlatformError | Schema.SchemaError;
+}> {
+  override get message() {
+    return `Failed to write desktop connection catalog: ${this.cause.message}`;
+  }
+}
+
+export class DesktopConnectionCatalogStoreDecodeError extends Data.TaggedError(
+  "DesktopConnectionCatalogStoreDecodeError",
+)<{
+  readonly cause: Encoding.EncodingError;
+}> {
+  override get message() {
+    return "Failed to decode the desktop connection catalog.";
+  }
+}
+
+export interface DesktopConnectionCatalogStoreShape {
+  readonly get: Effect.Effect<
+    Option.Option<string>,
+    | DesktopConnectionCatalogStoreDecodeError
+    | ElectronSafeStorage.ElectronSafeStorageAvailabilityError
+    | ElectronSafeStorage.ElectronSafeStorageDecryptError
+  >;
+  readonly set: (
+    catalog: string,
+  ) => Effect.Effect<
+    boolean,
+    | DesktopConnectionCatalogStoreWriteError
+    | ElectronSafeStorage.ElectronSafeStorageAvailabilityError
+    | ElectronSafeStorage.ElectronSafeStorageEncryptError
+  >;
+  readonly clear: Effect.Effect<void>;
+}
+
+export class DesktopConnectionCatalogStore extends Context.Service<
+  DesktopConnectionCatalogStore,
+  DesktopConnectionCatalogStoreShape
+>()("@t3tools/desktop/app/DesktopConnectionCatalogStore") {}
+
+function decodeSecretBytes(
+  encoded: string,
+): Effect.Effect<Uint8Array, DesktopConnectionCatalogStoreDecodeError> {
+  return Effect.fromResult(Encoding.decodeBase64(encoded)).pipe(
+    Effect.mapError((cause) => new DesktopConnectionCatalogStoreDecodeError({ cause })),
+  );
+}
+
+const readDocument = (
+  fileSystem: FileSystem.FileSystem,
+  catalogPath: string,
+): Effect.Effect<Option.Option<ConnectionCatalogDocument>> =>
+  fileSystem.readFileString(catalogPath).pipe(
+    Effect.option,
+    Effect.flatMap(
+      Option.match({
+        onNone: () => Effect.succeed(Option.none<ConnectionCatalogDocument>()),
+        onSome: (raw) => decodeConnectionCatalogDocumentJson(raw).pipe(Effect.option),
+      }),
+    ),
+  );
+
+const writeDocument = Effect.fn("desktop.connectionCatalogStore.writeDocument")(function* (input: {
+  readonly fileSystem: FileSystem.FileSystem;
+  readonly path: Path.Path;
+  readonly catalogPath: string;
+  readonly document: ConnectionCatalogDocument;
+  readonly suffix: string;
+}): Effect.fn.Return<void, PlatformError.PlatformError | Schema.SchemaError> {
+  const directory = input.path.dirname(input.catalogPath);
+  const tempPath = `${input.catalogPath}.${process.pid}.${input.suffix}.tmp`;
+  const encoded = yield* encodeConnectionCatalogDocumentJson(input.document);
+  yield* input.fileSystem.makeDirectory(directory, { recursive: true });
+  yield* Effect.gen(function* () {
+    yield* input.fileSystem.writeFileString(tempPath, `${encoded}\n`);
+    yield* input.fileSystem.rename(tempPath, input.catalogPath);
+  }).pipe(
+    Effect.ensuring(
+      input.fileSystem.remove(tempPath, { force: true }).pipe(
+        Effect.catch((error) =>
+          Effect.logWarning("Could not remove a temporary connection catalog file.", {
+            tempPath,
+            error,
+          }),
+        ),
+      ),
+    ),
+  );
+});
+
+export const layer = Layer.effect(
+  DesktopConnectionCatalogStore,
+  Effect.gen(function* () {
+    const environment = yield* DesktopEnvironment.DesktopEnvironment;
+    const fileSystem = yield* FileSystem.FileSystem;
+    const path = yield* Path.Path;
+    const safeStorage = yield* ElectronSafeStorage.ElectronSafeStorage;
+    const crypto = yield* Crypto.Crypto;
+    const catalogPath = path.join(environment.stateDir, "connection-catalog.json");
+
+    return DesktopConnectionCatalogStore.of({
+      get: Effect.gen(function* () {
+        const document = yield* readDocument(fileSystem, catalogPath);
+        if (Option.isNone(document) || !(yield* safeStorage.isEncryptionAvailable)) {
+          return Option.none<string>();
+        }
+        return yield* decodeSecretBytes(document.value.encryptedCatalog).pipe(
+          Effect.flatMap(safeStorage.decryptString),
+          Effect.map(Option.some),
+          Effect.catchTags({
+            DesktopConnectionCatalogStoreDecodeError: (error) =>
+              Effect.logWarning("Discarding an unreadable desktop connection catalog.", {
+                error,
+              }).pipe(
+                Effect.andThen(fileSystem.remove(catalogPath, { force: true })),
+                Effect.catch(() => Effect.void),
+                Effect.as(Option.none<string>()),
+              ),
+            ElectronSafeStorageDecryptError: (error) =>
+              Effect.logWarning("Discarding an undecryptable desktop connection catalog.", {
+                error,
+              }).pipe(
+                Effect.andThen(fileSystem.remove(catalogPath, { force: true })),
+                Effect.catch(() => Effect.void),
+                Effect.as(Option.none<string>()),
+              ),
+          }),
+        );
+      }).pipe(Effect.withSpan("desktop.connectionCatalogStore.get")),
+      set: Effect.fn("desktop.connectionCatalogStore.set")(function* (catalog) {
+        if (!(yield* safeStorage.isEncryptionAvailable)) {
+          return false;
+        }
+        const encryptedCatalog = Encoding.encodeBase64(yield* safeStorage.encryptString(catalog));
+        const suffix = (yield* crypto.randomUUIDv4.pipe(
+          Effect.mapError((cause) => new DesktopConnectionCatalogStoreWriteError({ cause })),
+        )).replace(/-/g, "");
+        yield* writeDocument({
+          fileSystem,
+          path,
+          catalogPath,
+          document: { version: 1, encryptedCatalog },
+          suffix,
+        }).pipe(Effect.mapError((cause) => new DesktopConnectionCatalogStoreWriteError({ cause })));
+        return true;
+      }),
+      clear: fileSystem.remove(catalogPath, { force: true }).pipe(
+        Effect.catch((error) =>
+          Effect.logWarning("Could not clear the desktop connection catalog.", {
+            catalogPath,
+            error,
+          }),
+        ),
+        Effect.withSpan("desktop.connectionCatalogStore.clear"),
+      ),
+    });
+  }),
+);

apps/desktop/src/backend/tailscaleEndpointProvider.ts

@@ -121,7 +121,7 @@ export const resolveTailscaleAdvertisedEndpoints = Effect.fn("resolveTailscaleAd
       input.readMagicDnsName ??
       readTailscaleStatus.pipe(
         Effect.map((status) => status.magicDnsName),
-        Effect.catch(() => Effect.succeed<string | null>(null)),
+        Effect.orElseSucceed(() => null),
       );
     const dnsName =
       input.statusJson === undefined