Files
readest/apps/readest-app/src-tauri/plugins/tauri-plugin-native-bridge/permissions/autogenerated/reference.md
T
Huang Xin 712d564e9d feat(sync): encrypted OPDS credentials + Tauri keychain (PR 4c + 4d) (#4090)
* feat(sync): encrypt opds_catalog credentials end-to-end (TS path)

Wires encrypted-credential sync for opds_catalog via the CryptoSession
shipped in PR 4a (#4084) plus a new publish/pull crypto middleware.
TS-only — native still uses ephemeral storage (re-enter passphrase per
launch); PR 4d wires the OS keychain.

- ReplicaAdapter gains optional `encryptedFields: readonly string[]`.
  Adapters stay sync; the middleware handles the crypto round trip.
- replicaCryptoMiddleware.ts: encryptPackedFields drops the named
  fields from the push when the session is locked (no plaintext
  leak); decryptRowFields drops them on pull failure (local
  plaintext preserved by the store merge).
- replicaPublish / replicaPullAndApply invoke the middleware.
- OPDS adapter declares encryptedFields = [username, password] and
  now pack/unpack them as plaintext.
- passphraseGate.ts: ensurePassphraseUnlocked coalesces concurrent
  calls, prompts via the registered prompter with kind=setup|unlock,
  throws NO_PASSPHRASE on cancel.
- PassphrasePromptModal mounted at the Providers root; registers
  itself as the gate prompter.
- CryptoSession.forget() wipes server-side envelopes + salts.
- Migration 010 + replica_keys_forget RPC; DELETE
  /api/sync/replica-keys + client wrapper.
- SyncPassphraseSection on the user page: status / Set / Unlock /
  Lock / Forgot.
- CatalogManager pre-save: ensurePassphraseUnlocked when credentials
  are present; user cancel saves locally without sync.

Plan updated: PR 4 split documented as 4a/4b/4c/4d.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(sync): persist sync passphrase via OS keychain (Tauri)

Replaces the EphemeralPassphraseStore stub on native with real
OS-keychain storage so users don't re-enter their sync passphrase
every launch. Web stays on the in-memory ephemeral store by design.

Native bridge plugin gains 4 commands wired across all platforms:

- Rust desktop (`keyring` crate): macOS Keychain on apple-native,
  Windows Credential Manager on windows-native, Linux libsecret/
  Secret Service on sync-secret-service. Per-target features so each
  platform compiles only the backend it needs.
- iOS Swift: Security framework Keychain (kSecClassGenericPassword,
  SecItemAdd / Copy / Delete).
- Android Kotlin: androidx.security EncryptedSharedPreferences
  (AndroidKeystore-derived AES-GCM master key,
  AES256_SIV / AES256_GCM key/value encryption).

TS layer:

- TauriPassphraseStore wraps the bridge calls. set is fail-loud
  (surfaces keychain rejection); get is fail-soft (returns null on
  any error so the gate prompts).
- createPassphraseStore returns ephemeral synchronously;
  upgradeToKeychainIfAvailable swaps the singleton to
  TauriPassphraseStore on Tauri after probing the bridge. CryptoSession
  resolves the store via createPassphraseStore() each touch so the
  swap is transparent.
- CryptoSession.tryRestoreFromStore: silent unlock at boot. Stale-
  entry recovery clears the store when the account has no salt
  server-side. unlock/setup persist; forget also clears the store.
- Providers boot effect: upgrade keychain → silent restore.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(sync): make encrypted-credential pull actually decrypt + UX polish

PR 4c shipped the encrypt path but the pull side silently dropped
ciphers when locked, the modal was busy with double-rings, and web
re-prompted on every page refresh. This rolls up the post-test
fixes + UX polish:

Pull-side decrypt:
- decryptRowFields takes an `onLocked` callback the orchestrator
  wires to the passphrase gate; encountering a cipher field with a
  locked session now triggers the lazy-prompt path instead of
  dropping the field.
- replicaPullAndApply re-applies the unpacked row for metadata-only
  kinds even when a local copy exists, so the now-decrypted creds
  reach the store (the binary-kind skip-if-local optimization
  doesn't apply).
- Cipher fingerprint comparison: capture the row's `cipher.c` for
  each encrypted field, compare against the local record's
  lastSeenCipher. Same → skip prompt + decrypt entirely. Different
  (rotation / value change on another device) → prompt to
  re-decrypt. Fingerprint persists via OPDSCatalog.lastSeenCipher.

Web persistence:
- SessionStoragePassphraseStore: passphrase survives page refresh
  within the same tab, dies on tab close. Replaces
  EphemeralPassphraseStore as the default on web. Avoids
  localStorage / IndexedDB to keep the tab-scoped trust boundary.

UI:
- Renamed PassphrasePromptModal → PassphrasePrompt; modernized: filled
  input style with single subtle focus border, btn-primary +
  btn-ghost replaced with leaner custom buttons. eink-bordered +
  btn-primary classes give the dialog correct e-paper rendering.
- globals.css: suppress redundant outline/box-shadow on focused text
  inputs / textareas (the element's own border is the focus
  indicator).
- AGENTS.md: documents the e-ink convention (`eink-bordered`,
  `btn-primary` for inverted CTAs, etc.) so future widgets ship with
  e-paper support.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 13:22:49 +02:00

12 KiB

Default Permission

Default permissions for the plugin

This default permission set includes the following:

  • allow-auth-with-safari
  • allow-auth-with-custom-tab
  • allow-copy-uri-to-path
  • allow-use-background-audio
  • allow-install-package
  • allow-set-system-ui-visibility
  • allow-get-status-bar-height
  • allow-get-sys-fonts-list
  • allow-intercept-keys
  • allow-lock-screen-orientation
  • allow-iap-is-available
  • allow-iap-initialize
  • allow-iap-fetch-products
  • allow-iap-purchase-product
  • allow-iap-restore-purchases
  • allow-get-system-color-scheme
  • allow-get-safe-area-insets
  • allow-get-screen-brightness
  • allow-set-screen-brightness
  • allow-get-external-sdcard-path
  • allow-open-external-url
  • allow-select-directory
  • allow-get-storefront-region-code
  • allow-request-manage-storage-permission
  • allow-register-listener
  • allow-remove-listener
  • allow-check-permissions
  • allow-request-permissions
  • allow-checkPermissions
  • allow-requestPermissions
  • allow-set-sync-passphrase
  • allow-get-sync-passphrase
  • allow-clear-sync-passphrase
  • allow-is-sync-keychain-available

Permission Table

Identifier Description

native-bridge:allow-auth-with-custom-tab

Enables the auth_with_custom_tab command without any pre-configured scope.

native-bridge:deny-auth-with-custom-tab

Denies the auth_with_custom_tab command without any pre-configured scope.

native-bridge:allow-auth-with-safari

Enables the auth_with_safari command without any pre-configured scope.

native-bridge:deny-auth-with-safari

Denies the auth_with_safari command without any pre-configured scope.

native-bridge:allow-check-permissions

Enables the check-permissions command without any pre-configured scope.

native-bridge:deny-check-permissions

Denies the check-permissions command without any pre-configured scope.

native-bridge:allow-checkPermissions

Enables the checkPermissions command without any pre-configured scope.

native-bridge:deny-checkPermissions

Denies the checkPermissions command without any pre-configured scope.

native-bridge:allow-check-permissions

Enables the check_permissions command without any pre-configured scope.

native-bridge:deny-check-permissions

Denies the check_permissions command without any pre-configured scope.

native-bridge:allow-clear-sync-passphrase

Enables the clear_sync_passphrase command without any pre-configured scope.

native-bridge:deny-clear-sync-passphrase

Denies the clear_sync_passphrase command without any pre-configured scope.

native-bridge:allow-copy-uri-to-path

Enables the copy_uri_to_path command without any pre-configured scope.

native-bridge:deny-copy-uri-to-path

Denies the copy_uri_to_path command without any pre-configured scope.

native-bridge:allow-get-external-sdcard-path

Enables the get_external_sdcard_path command without any pre-configured scope.

native-bridge:deny-get-external-sdcard-path

Denies the get_external_sdcard_path command without any pre-configured scope.

native-bridge:allow-get-safe-area-insets

Enables the get_safe_area_insets command without any pre-configured scope.

native-bridge:deny-get-safe-area-insets

Denies the get_safe_area_insets command without any pre-configured scope.

native-bridge:allow-get-screen-brightness

Enables the get_screen_brightness command without any pre-configured scope.

native-bridge:deny-get-screen-brightness

Denies the get_screen_brightness command without any pre-configured scope.

native-bridge:allow-get-status-bar-height

Enables the get_status_bar_height command without any pre-configured scope.

native-bridge:deny-get-status-bar-height

Denies the get_status_bar_height command without any pre-configured scope.

native-bridge:allow-get-storefront-region-code

Enables the get_storefront_region_code command without any pre-configured scope.

native-bridge:deny-get-storefront-region-code

Denies the get_storefront_region_code command without any pre-configured scope.

native-bridge:allow-get-sync-passphrase

Enables the get_sync_passphrase command without any pre-configured scope.

native-bridge:deny-get-sync-passphrase

Denies the get_sync_passphrase command without any pre-configured scope.

native-bridge:allow-get-sys-fonts-list

Enables the get_sys_fonts_list command without any pre-configured scope.

native-bridge:deny-get-sys-fonts-list

Denies the get_sys_fonts_list command without any pre-configured scope.

native-bridge:allow-get-system-color-scheme

Enables the get_system_color_scheme command without any pre-configured scope.

native-bridge:deny-get-system-color-scheme

Denies the get_system_color_scheme command without any pre-configured scope.

native-bridge:allow-iap-fetch-products

Enables the iap_fetch_products command without any pre-configured scope.

native-bridge:deny-iap-fetch-products

Denies the iap_fetch_products command without any pre-configured scope.

native-bridge:allow-iap-initialize

Enables the iap_initialize command without any pre-configured scope.

native-bridge:deny-iap-initialize

Denies the iap_initialize command without any pre-configured scope.

native-bridge:allow-iap-is-available

Enables the iap_is_available command without any pre-configured scope.

native-bridge:deny-iap-is-available

Denies the iap_is_available command without any pre-configured scope.

native-bridge:allow-iap-purchase-product

Enables the iap_purchase_product command without any pre-configured scope.

native-bridge:deny-iap-purchase-product

Denies the iap_purchase_product command without any pre-configured scope.

native-bridge:allow-iap-restore-purchases

Enables the iap_restore_purchases command without any pre-configured scope.

native-bridge:deny-iap-restore-purchases

Denies the iap_restore_purchases command without any pre-configured scope.

native-bridge:allow-install-package

Enables the install_package command without any pre-configured scope.

native-bridge:deny-install-package

Denies the install_package command without any pre-configured scope.

native-bridge:allow-intercept-keys

Enables the intercept_keys command without any pre-configured scope.

native-bridge:deny-intercept-keys

Denies the intercept_keys command without any pre-configured scope.

native-bridge:allow-is-sync-keychain-available

Enables the is_sync_keychain_available command without any pre-configured scope.

native-bridge:deny-is-sync-keychain-available

Denies the is_sync_keychain_available command without any pre-configured scope.

native-bridge:allow-lock-screen-orientation

Enables the lock_screen_orientation command without any pre-configured scope.

native-bridge:deny-lock-screen-orientation

Denies the lock_screen_orientation command without any pre-configured scope.

native-bridge:allow-open-external-url

Enables the open_external_url command without any pre-configured scope.

native-bridge:deny-open-external-url

Denies the open_external_url command without any pre-configured scope.

native-bridge:allow-register-listener

Enables the register_listener command without any pre-configured scope.

native-bridge:deny-register-listener

Denies the register_listener command without any pre-configured scope.

native-bridge:allow-remove-listener

Enables the remove_listener command without any pre-configured scope.

native-bridge:deny-remove-listener

Denies the remove_listener command without any pre-configured scope.

native-bridge:allow-request-permissions

Enables the request-permissions command without any pre-configured scope.

native-bridge:deny-request-permissions

Denies the request-permissions command without any pre-configured scope.

native-bridge:allow-requestPermissions

Enables the requestPermissions command without any pre-configured scope.

native-bridge:deny-requestPermissions

Denies the requestPermissions command without any pre-configured scope.

native-bridge:allow-request-manage-storage-permission

Enables the request_manage_storage_permission command without any pre-configured scope.

native-bridge:deny-request-manage-storage-permission

Denies the request_manage_storage_permission command without any pre-configured scope.

native-bridge:allow-request-permissions

Enables the request_permissions command without any pre-configured scope.

native-bridge:deny-request-permissions

Denies the request_permissions command without any pre-configured scope.

native-bridge:allow-select-directory

Enables the select_directory command without any pre-configured scope.

native-bridge:deny-select-directory

Denies the select_directory command without any pre-configured scope.

native-bridge:allow-set-screen-brightness

Enables the set_screen_brightness command without any pre-configured scope.

native-bridge:deny-set-screen-brightness

Denies the set_screen_brightness command without any pre-configured scope.

native-bridge:allow-set-sync-passphrase

Enables the set_sync_passphrase command without any pre-configured scope.

native-bridge:deny-set-sync-passphrase

Denies the set_sync_passphrase command without any pre-configured scope.

native-bridge:allow-set-system-ui-visibility

Enables the set_system_ui_visibility command without any pre-configured scope.

native-bridge:deny-set-system-ui-visibility

Denies the set_system_ui_visibility command without any pre-configured scope.

native-bridge:allow-use-background-audio

Enables the use_background_audio command without any pre-configured scope.

native-bridge:deny-use-background-audio

Denies the use_background_audio command without any pre-configured scope.