feat: Complete secure-app-framework MVP implementation

- Implement complete WASM component architecture with WIT interfaces
- Add cross-platform broker with workspace management and audit logging
- Create Tauri-based UI shell with modern web interface
- Set up comprehensive CI/CD with multi-platform builds
- Implement security scanning and reproducible builds
- Add component model with fs, net, log, time, rand interfaces
- Create workspace picker with OS-specific implementations
- Add policy engine with domain allowlists and audit trails
- Generate SBOMs and security artifacts
- Complete build automation and packaging scripts

This implements the full MVP as specified in the framework documentation,
providing a secure, auditable, cross-platform application architecture
using WASM components and native brokers.

Author: dirvine

.github/workflows/build.yml

@@ -0,0 +1,322 @@
+name: Build & Release
+
+on:
+  push:
+    branches: [ main ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Release type'
+        required: false
+        default: 'snapshot'
+        type: choice
+        options:
+          - snapshot
+          - release
+
+env:
+  CARGO_TERM_COLOR: never
+  RUST_BACKTRACE: 1
+
+jobs:
+  # Pre-build checks and validation
+  check:
+    name: Check & Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Setup Node.js for Tauri
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+
+      - name: Format check
+        run: cargo fmt --all -- --check
+
+      - name: Clippy
+        run: cargo clippy --all-features -- -D clippy::panic -D clippy::unwrap_used -D clippy::expect_used
+
+      - name: Run tests
+        run: cargo test --workspace
+
+      - name: Security audit
+        uses: rustsec/audit-check@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: License check
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          command: check
+
+  # Build WASM component
+  build-wasm:
+    name: Build WASM Component
+    runs-on: ubuntu-latest
+    needs: check
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-wasip1
+
+      - name: Install cargo-component
+        run: cargo install cargo-component --locked
+
+      - name: Build WASM component
+        run: cargo component build --release --package saf-component-demo
+
+      - name: Upload WASM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: wasm-component
+          path: target/wasm32-wasip1/release/saf_component_demo.wasm
+          retention-days: 30
+
+  # Build broker for different platforms
+  build-broker:
+    name: Build Broker (${{ matrix.target }})
+    runs-on: ${{ matrix.os }}
+    needs: check
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            name: linux-x64
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            name: windows-x64
+          - os: macos-latest
+            target: x86_64-apple-darwin
+            name: macos-x64
+          - os: macos-latest
+            target: aarch64-apple-darwin
+            name: macos-arm64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Setup Node.js for Tauri
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+
+      - name: Install dependencies (Linux)
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+
+      - name: Build broker
+        run: cargo build --release --target ${{ matrix.target }} --package broker --features wasmtime-host,ui
+
+      - name: Build UI (Tauri)
+        if: matrix.os != 'ubuntu-latest' || matrix.target != 'aarch64-apple-darwin'
+        run: |
+          cd crates/ui
+          cargo tauri build --no-bundle
+
+      - name: Create distribution package
+        shell: bash
+        run: |
+          mkdir -p dist
+          cd dist
+
+          # Create platform-specific package
+          PACKAGE_NAME="secure-app-framework-${{ matrix.name }}"
+          mkdir -p "$PACKAGE_NAME"
+
+          # Copy broker binary
+          if [[ "${{ matrix.target }}" == *"windows"* ]]; then
+            cp "../target/${{ matrix.target }}/release/broker.exe" "$PACKAGE_NAME/"
+          else
+            cp "../target/${{ matrix.target }}/release/broker" "$PACKAGE_NAME/"
+          fi
+
+          # Copy WASM component
+          cp "../target/wasm32-wasip1/release/saf_component_demo.wasm" "$PACKAGE_NAME/" 2>/dev/null || true
+
+          # Copy documentation
+          cp "../README.md" "$PACKAGE_NAME/" 2>/dev/null || true
+          cp "../LICENSE" "$PACKAGE_NAME/" 2>/dev/null || true
+
+          # Create checksums
+          cd "$PACKAGE_NAME"
+          if command -v sha256sum >/dev/null 2>&1; then
+            find . -type f -not -name "*.sha256" -exec sha256sum {} \; > checksums.sha256
+          fi
+          cd ..
+
+          # Create archive
+          if [[ "${{ matrix.target }}" == *"windows"* ]]; then
+            if command -v zip >/dev/null 2>&1; then
+              zip -r "${PACKAGE_NAME}.zip" "$PACKAGE_NAME"
+            fi
+          else
+            if command -v tar >/dev/null 2>&1; then
+              tar -czf "${PACKAGE_NAME}.tar.gz" "$PACKAGE_NAME"
+            fi
+          fi
+
+      - name: Upload broker artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: broker-${{ matrix.name }}
+          path: |
+            target/${{ matrix.target }}/release/broker*
+            dist/
+          retention-days: 30
+
+  # Generate SBOM and security artifacts
+  security-artifacts:
+    name: Generate Security Artifacts
+    runs-on: ubuntu-latest
+    needs: [check, build-wasm]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install SBOM tools
+        run: |
+          cargo install cyclonedx-bom --locked
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate CycloneDX SBOM (Cargo)
+        run: cyclonedx-bom -o sbom-cyclonedx-cargo.json
+
+      - name: Generate Syft SBOM (binaries)
+        run: syft dir:. -o cyclonedx-json > sbom-cyclonedx-syft.json
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v4
+        with:
+          name: sboms
+          path: |
+            sbom-*.json
+          retention-days: 30
+
+  # Sign artifacts (for releases)
+  sign-release:
+    name: Sign Release Artifacts
+    runs-on: ubuntu-latest
+    needs: [build-broker, security-artifacts]
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign artifacts with cosign
+        run: |
+          find artifacts -type f \( -name "*.tar.gz" -o -name "*.zip" -o -name "*.wasm" -o -name "*.json" \) \
+            -exec cosign sign-blob --yes --identity-token "$ACTIONS_ID_TOKEN" {} \;
+        env:
+          ACTIONS_ID_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: signed-artifacts
+          path: artifacts/
+          retention-days: 60
+
+  # Create GitHub release
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    needs: sign-release
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Download signed artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: signed-artifacts
+          path: release-artifacts
+
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: release-artifacts/**/*
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Deploy documentation (optional)
+  docs:
+    name: Deploy Documentation
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build docs
+        run: npm run build
+
+      - name: Deploy to GitHub Pages
+        uses: peaceiris/actions-gh-pages@v3
+        if: github.ref == 'refs/heads/main'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./dist
+          cname: docs.secure-app-framework.dev

Cargo.toml

@@ -5,6 +5,7 @@ members = [
     "crates/ui",
     "crates/policy",
     "crates/audit",
+    "crates/component-demo",
 ]
 resolver = "2"
 
@@ -15,4 +16,3 @@ publish = false
 
 [workspace.lints.rust]
 unsafe_code = "forbid"
-

crates/broker/Cargo.toml

@@ -12,12 +12,33 @@ anyhow = { version = "1", optional = true }
 wasmtime = { version = "21", optional = true, default-features = false, features = ["component-model"] }
 wasmtime-wasi = { version = "21", optional = true }
 rand = { version = "0.8", optional = true }
+tauri = { version = "2.0", features = [], optional = true }
+serde_json = "1.0"
+tokio = { version = "1.0", features = ["rt", "rt-multi-thread", "macros"] }
+dirs = "5.0"
+uuid = { version = "1.0", features = ["v4"] }
+async-trait = "0.1"
+base64 = "0.22"
+url = "2.5"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+ashpd = "0.9"  # For xdg-desktop-portal
+
+[target.'cfg(target_os = "windows")'.dependencies]
+windows = { version = "0.58", features = ["Storage", "Storage_Provider"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+objc = "0.2"
+cocoa = "0.25"
+objc-foundation = "0.1"
 
 [[bin]]
 name = "broker"
 path = "src/main.rs"
 
 [features]
 default = []
+# UI integration
+ui = ["dep:tauri"]
 # Wasmtime integration for running components
 wasmtime-host = ["dep:wasmtime", "dep:wasmtime-wasi", "dep:anyhow", "dep:rand"]