{"id":31841581,"url":"https://github.com/dirvine/secure-app-framework","last_synced_at":"2025-10-12T05:21:16.821Z","repository":{"id":312537952,"uuid":"1047819090","full_name":"dirvine/secure-app-framework","owner":"dirvine","description":null,"archived":false,"fork":false,"pushed_at":"2025-08-31T12:01:40.000Z","size":74,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-31T12:11:47.402Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dirvine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-31T09:59:19.000Z","updated_at":"2025-08-31T12:01:43.000Z","dependencies_parsed_at":"2025-08-31T12:12:15.450Z","dependency_job_id":"7d816506-f85e-4d5b-844f-3d6a11804593","html_url":"https://github.com/dirvine/secure-app-framework","commit_stats":null,"previous_names":["dirvine/secure-app-framework"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/dirvine/secure-app-framework","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirvine%2Fsecure-app-framework","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirvine%2Fsecure-app-framework/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirvine%2Fsecure-app-framework/releases","manifests_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirvine%2Fsecure-app-framework/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dirvine","download_url":"https://codeload.github.com/dirvine/secure-app-framework/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirvine%2Fsecure-app-framework/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279010341,"owners_count":26084738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-12T05:21:11.353Z","updated_at":"2025-10-12T05:21:16.815Z","avatar_url":"https://github.com/dirvine.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secure-app-framework\n\n**A reference implementation of a secure, auditable, cross‑platform app** using **WASM + native broker** (Option A) with an ultra‑modern, native‑feeling UI and a rigorous, reproducible software supply chain. Targets **Linux, macOS, Windows, Android, iOS** on **x86_64 \u0026 ARM**. Includes Option B (native‑only) notes for future research.\n\n\u003e Owner: `github.com/divine/secure-app-framework` (rename later if needed).  \n\u003e License: **Apache‑2.0 or MIT** (pick one; examples assume Apache‑2.0).  
\n\u003e Status: **Test app** + **framework skeleton** suitable for production hardening.\n\n---\n\n## 0) Executive Summary\n\nThis repository demonstrates a **new delivery paradigm**: ship application logic as a **WebAssembly (WASM) component** compiled from **Rust**, and run it through a **small, signed native broker** per platform that:\n- Provides **capability‑based filesystem access** (user‑granted folders only) and **network access** via **WASI Preview 2** host shims.\n- Enforces **least privilege** + **policy** (allowlists/quotas) and produces a **tamper‑evident audit log**.\n- Hosts a **native‑feeling UI** (Tauri v2 or Slint) for an ultra‑modern cross‑platform experience.\n\nThe framework comes with a **reproducible build toolchain**, **artifact signing (Sigstore cosign)**, **SLSA provenance**, **SBOM generation (CycloneDX / Syft)**, and **CI matrices** to cross‑compile and package installers for all target OSes. Security checks include **CodeQL** for Rust (public preview), **cargo‑audit** (RustSec), and **cargo‑deny** (licenses \u0026 bans).\n\nThe included **Test App** exercises the end‑to‑end flow: the user picks a workspace folder, the broker **pre‑opens** it for the WASM core, the core **lists/reads/writes** files inside that folder, fetches remote JSON (from an allowlisted domain only), and renders the data with a polished UI. Every FS/network operation is **logged \u0026 hash‑chained**.\n\n\u003e **Why Option A?** One auditable core across all targets, strict sandboxing by default, and a consistent security model.  
\n\u003e **Option B** (native‑only) is documented below for scenarios needing deep OS integration or kernel‑level performance.\n\n---\n\n## 1) Goals \u0026 Non‑Goals\n\n### Goals\n- **Portability:** Ship one core logic component across all OS/CPU targets.\n- **Sandboxing:** No ambient FS or network; **capabilities are explicitly granted**.\n- **Reproducibility:** Deterministic builds + verifiable provenance.\n- **Auditability:** SBOMs, signed artifacts, SLSA provenance, hash‑chained audit log.\n- **Excellent UX:** First‑run permission prompts, polished UI, native‑feeling look.\n- **Developer Experience:** Clear tasks, scripts, CI, and templates.\n\n### Non‑Goals\n- Full containerisation (not required for end‑users).\n- Kernel‑mode drivers or hypervisor isolation (out of scope; can be added later).\n- App Store publication guides (summarised but store‑submission specifics are separate).\n\n---\n\n## 2) Architecture Overview (Option A: WASM + Native Broker)\n\n```\n┌─────────────────────────────────────────────────────────────────┐\n│                      Native Broker (Rust)                       │\n│  UI (Tauri v2 or Slint)   |   WASI Host (Wasmtime)              │\n│  • OS pickers (xdg-portal /  |  • Pre-open FS (granted dirs)    │\n│    macOS bookmarks / Win FAL)|  • sockets (WASI p2)             │\n│  • Policy engine (JSON)    |   • host bindings for WIT          │\n│  • Hash-chained audit log  |   • audit hooks                    │\n│  • OS sandbox (Landlock / AppContainer / App Sandbox)           │\n└──────────────┬───────────────────────────────────────────┬──────┘\n               │                                           │\n         WIT bindings                                 User Grants\n               │                                           │\n        ┌──────▼───────────────────────────────────────────▼─────┐\n        │                    WASM Core (Rust)                     │\n        │   • Pure app logic (deterministic, capability-based)   │\n     
   │   • Filesystem \u0026 network via WIT interfaces             │\n        └─────────────────────────────────────────────────────────┘\n```\n\n### Key Concepts\n- **WIT/Component model:** Define a `world` for `fs`, `net`, `log`, `ui-bridge` (minimal), implemented by the host. The core never performs raw syscalls.\n- **Preopens \u0026 pickers:** The broker uses OS pickers to acquire user‑granted directories, then **pre‑opens** only those into the WASI FS.\n- **Network:** The broker exposes **WASI Preview 2 sockets** (via Wasmtime) gated by policy (domain/IP allowlist, TLS by default).\n- **Audit:** Every host call (FS/Net) is logged with a rolling hash (H2 = H(H1 || event)), persisted within the app data dir.\n- **Sandbox:** The broker itself reduces ambient rights (Linux **Landlock**; Windows **AppContainer** via MSIX; macOS **App Sandbox**).\n\n---\n\n## 3) Components \u0026 Crate Layout\n\nMonorepo workspace:\n\n```\n/secure-app-framework\n├─ /crates\n│  ├─ broker/            # Native host/broker (Rust, Wasmtime, UI shell)\n│  ├─ core/              # Rust → WASM component (business logic)\n│  ├─ wit/               # .wit files, shared interfaces \u0026 versions\n│  ├─ ui/                # Tauri v2 (default) or Slint UI layer\n│  ├─ policy/            # Policy JSON schemas + parser\n│  └─ audit/             # Hash‑chained logging utilities\n├─ /dist                 # Packaged artifacts (CI)\n├─ /scripts              # Build, sign, verify, reproduce\n├─ /ci                   # GitHub Actions workflows\n├─ /docs                 # Additional docs (Option B notes, threat model)\n└─ README.md\n```\n\n### Broker (Rust)\n- Embeds **Wasmtime** with **WASI Preview 1 \u0026 2** support.\n- Implements WIT host traits for `fs`, `net`, `log`, `time`, `rand` (deterministic stub for tests).\n- Calls OS pickers; persist grants:\n  - **Linux:** `xdg-desktop-portal` FileChooser + **Documents portal** for durable access.\n  - **Windows:** **FutureAccessList** (FAL) for persistent 
file/folder tokens.\n  - **macOS/iOS:** **security‑scoped bookmarks** (`startAccessingSecurityScopedResource`).\n  - **Android:** **Storage Access Framework (SAF)** (`DocumentFile`, tree URIs).\n- Enforces policy: allowlists for domains, max payload size, path quotas; policy file in app config dir.\n- Starts the UI shell (Tauri v2 default; Slint as alternative) and bridges minimal events to the core.\n\n### Core (Rust → WASM component)\n- Pure logic compiled with `cargo component` using WIT for host calls.\n- Implements app features (see Test App below). No platform code.\n\n### UI (Tauri v2 default)\n- UI written with web tech (HTML/CSS/TS) but packaged as a native app; or **Slint** for fully native widgets.\n- Communicates with the broker via a command API; the broker calls the core and returns results.\n- Themes: light/dark; native system font stack; high‑DPI assets; keyboard shortcuts.\n\n---\n\n## 4) Test App Functionality (MVP)\n\n1) **Workspace Selection**: first run shows a platform picker; the user chooses a folder.  \n   - Broker persists the grant (FAL/bookmark/SAF) and **pre‑opens** it for the core under `/workspace`.\n2) **Filesystem Operations** (via core):\n   - List directory, open/edit/save text/JSON files **within** `/workspace` only.\n   - Attempting to escape `/workspace` is blocked \u0026 logged.\n3) **Network Fetch** (via core):\n   - GET `https://example.org/data.json` (configurable allowlist). Display data in UI.\n4) **Audit Panel**:\n   - Real‑time, append‑only view of FS/Net events with rolling hash; export audit log.\n5) **Policy \u0026 Permissions**:\n   - UI page shows active grants and policy; allows the user to revoke domain or folder grants.\n6) **Telemetry**: off by default; opt‑in only; logs never leave the device unless explicitly exported.\n\n---\n\n## 5) Security Model\n\n- **Capability‑based runtime** (no ambient FS/Net): host grants **only what’s asked \u0026 approved**.\n- **Defense‑in‑depth**: sandbox the broker itself (Landlock/AppContainer/App Sandbox). 
No JIT if policy forbids; prefer AOT compilation of WASM module where available.\n- **Cryptography**: BLAKE3 for audit chaining; SHA‑256 for artifact checksums; TLS (native platform) for network. All crypto dependencies pinned.\n- **Secrets**: OS keychain/keystore if needed. No secrets in source/CI logs.\n- **Threats considered**: supply‑chain tampering, malicious dependency, path traversal, TOCTOU FS, exfiltration via network, downgrade of policy, binary substitution.\n- **Out‑of‑scope (for MVP)**: kernel exploits, malicious UI themes, side channels, hardware attacks.\n\n---\n\n## 6) Build, Cross‑Compilation \u0026 Packaging\n\n### Toolchain \u0026 Targets\n- **Rust stable** + `cargo component` (WIT bindings) for the core.\n- **Wasmtime** in broker; `wasmtime-wasi` p1/p2 host support.\n- Targets (examples):  \n  - macOS: `aarch64-apple-darwin`, `x86_64-apple-darwin`  \n  - Windows: `x86_64-pc-windows-msvc`, `aarch64-pc-windows-msvc`  \n  - Linux: `x86_64-unknown-linux-gnu`, `aarch64-unknown-linux-gnu`  \n  - Android: via Tauri mobile or cargo‑mobile; AAB/APK (arm64-v8a)  \n  - iOS: via Tauri mobile or cargo‑mobile; `aarch64-apple-ios`\n\n\u003e **Note:** On iOS you must build on macOS; on Windows ARM you’ll need the MSVC toolset; on Linux ARM cross use `cross`/`zig` or native runners.\n\n### CI (GitHub Actions) Matrix (excerpt)\n- Jobs: `build_core_wasm`, `build_broker_{windows,macos,linux}`, `package_desktop`, `sign_{win,mac,linux}`, `mobile_{android,ios}`, `sbom`, `provenance`, `release`.\n- Cache: cargo, npm (for Tauri UI), wasmtime artifacts.\n- Reproducible flags (see §7); release artifacts smoke‑tested on VMs.\n\n### Desktop Packaging\n- **Windows**: MSIX (preferred; AppContainer), or signed exe/msi.\n- **macOS**: `.app` + `.dmg`, hardened runtime + notarisation.\n- **Linux**: AppImage (signed), plus optional `.deb`/`.rpm` if desired.\n\n### Mobile Packaging\n- **Android**: AAB for Play, signed with `apksigner` (v2/v3/v4 as per minSdk).  
\n- **iOS**: Xcode project via Tauri mobile/cargo‑mobile; provisioning profiles; App Sandbox entitlements.\n\n---\n\n## 7) Reproducible Builds \u0026 Provenance\n\n### Determinism\n- Set `SOURCE_DATE_EPOCH` during builds.\n- Strip timestamps \u0026 embedded build paths: use `RUSTFLAGS=\"--remap-path-prefix=$(pwd)=/source\"`; prefer Cargo `trim-paths` if available.\n- Pin toolchains via `rust-toolchain.toml`; lock dependencies (`Cargo.lock`) and npm `package-lock.json`/`pnpm-lock.yaml`.\n- Avoid non‑determinism (time, randomness) in core logic; gate randomness behind a deterministic PRNG for tests.\n\n### SBOM \u0026 Vulnerability Scanning\n- **CycloneDX for Cargo** (`cyclonedx-rust-cargo`) + **Syft** for binary SBOMs.  \n- Continuous scanning with **Grype** (optional) and **cargo‑audit**.\n\n### SLSA \u0026 Signing\n- Generate **in‑toto/SLSA provenance** for every artifact.\n- **Cosign**: sign release zips, installers, and SBOMs. Prefer **keyless** with GitHub OIDC.\n- Publish checksums, SBOMs, signatures, and provenance in the GitHub Release.\n\n---\n\n## 8) Code Signing (per‑platform)\n\n- **Windows**: Sign with **SignTool** (`/fd SHA256 /tr \u003ctimestamp\u003e /td SHA256`). 
Prefer MSIX packaging for AppContainer benefits.\n- **macOS**: `codesign` with **Hardened Runtime**, then **notarytool** submit; **staple** tickets; include entitlements.\n- **Linux**: Sign AppImages with **gpg** (AppImage `--sign`); publish public key; provide verification instructions.\n- **Android**: Sign with **apksigner**; configure **Play App Signing** for store deployment.\n- **iOS**: Apple certificates \u0026 provisioning; entitlements aligned with App Sandbox.\n\nScripts in `/scripts` provide `sign-win.ps1`, `sign-mac.sh`, `sign-linux.sh`, `sign-android.sh`, `sign-ios.sh` examples.\n\n---\n\n## 9) UI \u0026 UX Guidelines\n\n- **Look \u0026 feel**: native system font stack; adaptive spacing; dark/light theming; prefers‑color‑scheme on desktop; haptic/gesture support on mobile.\n- **First‑run**: gentle primer + picker dialog; show what access is granted and why. Persist choices; easily revoke.\n- **Status surface**: in‑app sheet shows: selected workspace path, domains allowed, and live audit events.\n- **Accessibility**: keyboard navigation, high contrast, screen‑reader labels, scalable text.\n- **Performance**: lazy load large folder listings; debounce IO; async tasks with progress HUDs.\n\n---\n\n## 10) Option B (Native‑Only) – Future Track\n\nIf deep OS integration or kernel‑level file performance is required, compile Rust **natively** per platform and apply OS sandboxes directly:\n- **macOS**: App Sandbox entitlements + security‑scoped bookmarks; Hardened Runtime + notarisation.\n- **Windows**: MSIX AppContainer; FutureAccessList persistence; WinUI UI.\n- **Linux**: Landlock to drop ambient FS; XDG portals for user‑granted files.\n\nYou still keep §7–§8 supply‑chain guarantees (reproducible builds, SBOM, SLSA, signatures). 
The test app can be recompiled to native and reuse the same UI (Tauri/Slint).\n\n---\n\n## 11) Tasks (Detailed, end‑to‑end)\n\n### Milestone 0: Repo \u0026 Scaffolding\n- [ ] Create repo `secure-app-framework` with `LICENSE`, `CODE_OF_CONDUCT.md`, `SECURITY.md`.\n- [ ] Add Rust workspace with crates: `broker`, `core`, `wit`, `ui`, `policy`, `audit`.\n- [ ] Add rust‑toolchain, `.editorconfig`, `.gitattributes` (normalize line endings), `.pre-commit-config.yaml` (fmt, clippy).\n\n### Milestone 1: WIT \u0026 Core\n- [ ] Define `wit/world.wit` with interfaces: `fs`, `net`, `log`, `time`, `rand`.\n- [ ] Add `core` crate using `cargo component`; implement functions:\n      `list_dir(path)`, `read_text(path)`, `write_text(path, content)`, `fetch_json(url)`.\n- [ ] Unit tests (deterministic PRNG, fixture FS via in‑memory adapter).\n\n### Milestone 2: Broker Host \u0026 Policy\n- [ ] Integrate **Wasmtime**; implement host bindings for the WIT world.\n- [ ] Implement **preopen** logic; map `/workspace` to granted dir(s).\n- [ ] OS pickers:\n    - Linux: call **xdg‑desktop‑portal** FileChooser; persist via Documents portal.\n    - Windows: FolderPicker + **FutureAccessList**.\n    - macOS/iOS: NSOpenPanel / UIDocumentPicker + **security‑scoped bookmarks**.\n    - Android: **SAF** (ACTION_OPEN_DOCUMENT_TREE) → persistable URI permissions.\n- [ ] Policy engine: JSON (allowlisted domains, max bytes, path quotas, timeouts).\n- [ ] Audit log crate: append‑only file with rolling hash (BLAKE3), rotation, export.\n\n### Milestone 3: UI Shell\n- [ ] Tauri v2 UI (default): setup routes/panels (Workspace, Files, Network, Audit, Policy).\n- [ ] Native‑feel theming; keyboard shortcuts; file editor component.\n- [ ] Connect UI → broker commands; broker → core; render results \u0026 errors.\n\n### Milestone 4: Cross‑Build \u0026 Packaging\n- [ ] GitHub Actions matrix (win/macos/linux; x86_64/arm64) builds broker+core, packages installers.\n- [ ] Android (AAB/APK) \u0026 iOS builds using 
Tauri mobile or cargo‑mobile; device smoke tests.\n- [ ] Upload artifacts; generate checksums.\n\n### Milestone 5: Reproducibility \u0026 Security\n- [ ] Make builds deterministic: `SOURCE_DATE_EPOCH`, `--remap-path-prefix`, pinned toolchains.\n- [ ] SBOMs: CycloneDX for Cargo + Syft for produced binaries.\n- [ ] Vulnerability scanning: **cargo‑audit** (RustSec), **cargo‑deny** (licenses/bans).\n- [ ] **CodeQL** for Rust (public preview) in CI; schedule weekly deep scans.\n- [ ] SLSA provenance (in‑toto attestation) for all artifacts.\n- [ ] Sign artifacts with **cosign** (keyless via GitHub OIDC).\n\n### Milestone 6: Code Signing \u0026 Notarisation\n- [ ] Windows: Sign installers (and binaries) with **SignTool**; MSIX optional.\n- [ ] macOS: Hardened Runtime, entitlements, `notarytool` submit \u0026 **staple**.\n- [ ] Linux: AppImage **gpg** signature; publish public key and verification instructions.\n- [ ] Android: sign with **apksigner**; enable Play App Signing.\n- [ ] iOS: configure certificates \u0026 provisioning; entitlements aligned with sandbox.\n\n### Milestone 7: QA \u0026 Release\n- [ ] End‑to‑end tests: pick workspace → read/write → network fetch → audit export.\n- [ ] Fuzz core APIs with `cargo‑fuzz`; property tests with `proptest`.\n- [ ] Manual UX review on each platform (HIG checks).\n- [ ] Tag `v0.1.0-alpha` release with SBOMs, signatures, provenance, installers.\n\n---\n\n## 12) Scripts \u0026 Snippets (Examples)\n\n### Deterministic build environment\n```bash\n# scripts/env.sh\nexport SOURCE_DATE_EPOCH=\"$(git log -1 --pretty=%ct)\"\nexport RUSTFLAGS=\"--remap-path-prefix=$(pwd)=/source\"\nexport CARGO_TERM_COLOR=never\n```\n\n### Cosign (keyless) sign/verify\n```bash\n# Sign\ncosign sign-blob --yes --identity-token \"$ACTIONS_ID_TOKEN\"   --output-signature dist/app.zip.sig dist/app.zip\n\n# Verify (public transparency log)\ncosign verify-blob --certificate-oidc-issuer https://token.actions.githubusercontent.com   --signature 
dist/app.zip.sig dist/app.zip\n```\n\n### Windows SignTool\n```powershell\nsigntool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 `\n  /a \".\\dist\\AppInstaller.msi\"\n```\n\n### macOS notarisation\n```bash\nxcrun codesign --force --options runtime --entitlements entitlements.plist   --sign \"Developer ID Application: YOUR ORG\" MyApp.app\nxcrun notarytool submit MyApp.dmg --apple-id you@example.com --team-id ABCDE12345 --wait\nxcrun stapler staple MyApp.app\n```\n\n### SBOM (CycloneDX + Syft)\n```bash\ncargo install cyclonedx-bom\ncyclonedx-bom -o sbom-cyclonedx.json\n\nsyft dir:. -o cyclonedx-json \u003e binary-sbom.json\n```\n\n---\n\n## 13) References \u0026 Further Reading\n\n- **WASI/Wasmtime \u0026 Component Model**\n  - Wasmtime WASI p2 host: https://docs.wasmtime.dev/api/wasmtime_wasi/p2/\n  - Component model \u0026 WIT (Rust): https://docs.wasmtime.dev/api/wasmtime/component/\n  - Component model tutorial: https://component-model.bytecodealliance.org/tutorial.html\n- **Turning WASM into native executables**\n  - Wasmer “WASM as universal binary” \u0026 `create-exe`: https://wasmer.io/posts/wasm-as-universal-binary-format-part-1-native-executables\n  - Wasmer create‑exe docs: https://wasmerio.github.io/wasmer/crates/doc/wasmer_cli/commands/create_exe/\n- **OS‑level pickers \u0026 persistent access**\n  - Windows **FutureAccessList**: https://learn.microsoft.com/en-us/uwp/api/windows.storage.accesscache.storageitemaccesslist\n  - macOS **security‑scoped bookmarks**: https://developer.apple.com/documentation/foundation/url/startaccessingsecurityscopedresource\n  - Android **SAF**: https://developer.android.com/guide/topics/providers/document-provider\n  - XDG **FileChooser** \u0026 Documents portal: https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.FileChooser.html\n- **OS sandboxes**\n  - Linux **Landlock**: https://docs.kernel.org/userspace-api/landlock.html\n  - Windows **AppContainer**: 
https://learn.microsoft.com/en-us/windows/msix/msix-container\n  - macOS **App Sandbox**: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.app-sandbox\n- **UI frameworks**\n  - **Tauri v2** (desktop+mobile): https://v2.tauri.app/\n  - **Slint**: https://slint.dev/\n- **Reproducible builds \u0026 provenance**\n  - Reproducible builds: https://reproducible-builds.org/\n  - SOURCE_DATE_EPOCH: https://reproducible-builds.org/docs/source-date-epoch/\n  - Cargo path sanitisation (trim‑paths/remap): https://rust-lang.github.io/rfcs/3127-trim-paths.html\n  - SLSA provenance: https://slsa.dev/spec/v0.1/provenance\n  - Sigstore Cosign quickstart: https://docs.sigstore.dev/quickstart/quickstart-cosign/\n  - Syft (SBOM): https://github.com/anchore/syft\n  - CycloneDX Cargo: https://github.com/CycloneDX/cyclonedx-rust-cargo\n- **Security scanners**\n  - cargo‑audit (RustSec): https://crates.io/crates/cargo-audit\n  - cargo‑deny: https://github.com/EmbarkStudios/cargo-deny\n  - GitHub CodeQL for Rust: https://github.blog/changelog/2025-06-30-codeql-support-for-rust-now-in-public-preview/\n- **Windows \u0026 macOS signing**\n  - SignTool: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool\n  - macOS Notarization: https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution\n  - AppImage signing: https://docs.appimage.org/packaging-guide/optional/signatures.html\n  - Android signing: https://developer.android.com/studio/publish/app-signing\n\n---\n\n## 14) Contributing \u0026 Governance\n\n- All changes via PR with CI green. 
Security‑relevant changes require two reviewers.\n- Run `scripts/checks.sh` (fmt, clippy, deny, audit) before pushing.\n- Security policy in `SECURITY.md` explains vulnerability reporting.\n\n---\n\n## 15) Roadmap (beyond MVP)\n\n- Sandboxed plugin system (untrusted extensions in separate WASM modules).\n- AOT‑compiled WASM for faster startup, WAMR/Cranelift exploration.\n- Optional TEE‑based build attestations.\n- Auto‑update channel secured with TUF.\n\n---\n\n## 16) Appendix: Threat Model (MVP extract)\n\n**Assets:** user workspace contents; credentials/tokens; integrity of binaries; privacy.  \n**Adversaries:** malicious dependencies; compromised CI; local malware; network MITM.  \n**Mitigations:** deterministic builds, SBOMs, signatures, code scanning, strict capability grants, OS sandboxes, TLS‑only networking, human review of policy changes.\n\n---\n\n\u003e **Kickoff:** create repo, copy this README, and open issues for each milestone. The CI and boilerplate templates will follow in the first PR.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirvine%2Fsecure-app-framework","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdirvine%2Fsecure-app-framework","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirvine%2Fsecure-app-framework/lists"}