faratech
diff --git a/‎.claude/settings.local.json‎
Lines changed: 15 additions & 2 deletions b/‎.claude/settings.local.json‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎.github/workflows/sigstore-sign.yml‎
Lines changed: 141 additions & 0 deletions b/‎.github/workflows/sigstore-sign.yml‎
Lines changed: 141 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 72 additions & 6 deletions b/‎.gitignore‎
Lines changed: 72 additions & 6 deletions
@@ -1,8 +1,21 @@
 {
   "permissions": {
     "allow": [
-      "Bash(dir)"
+      "Bash(dir)",
+      "Bash(cargo build:*)",
+      "Bash(ls:*)",
+      "Bash(npm run tauri build:*)",
+      "Bash(source:*)",
+      "Bash(export PATH=\"$PATH:$HOME/.cargo/bin\")",
+      "Bash(/root/.cargo/bin/cargo build)",
+      "Bash(npx tsc:*)",
+      "Bash(npm run build:*)",
+      "Bash(cargo audit:*)",
+      "Read(D:\\temp\\wfdiag\\src/**)"
     ],
-    "deny": []
+    "deny": [],
+    "additionalDirectories": [
+      "d:\\temp\\wfdiag-tauri"
+    ]
   }
 }
@@ -0,0 +1,141 @@
+name: Build and Sign with Sigstore
+
+on:
+  push:
+    branches: [ main ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ main ]
+  release:
+    types: [ published ]
+
+jobs:
+  build-and-sign:
+    runs-on: windows-latest
+    permissions:
+      contents: read
+      id-token: write  # Required for OIDC authentication with Sigstore
+      attestations: write  # For GitHub attestations
+      
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+        cache: 'npm'
+
+    - name: Setup Rust
+      uses: actions-rust-lang/setup-rust-toolchain@v1
+      with:
+        toolchain: stable
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+      with:
+        cosign-release: 'v2.5.3'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Build frontend
+      run: npm run build
+
+    - name: Build Tauri app
+      run: |
+        cd src-tauri
+        cargo build --release
+
+    - name: Build Tauri bundles
+      run: npm run tauri build
+
+    - name: List build artifacts
+      run: |
+        Get-ChildItem -Recurse src-tauri/target/release/bundle/ -File | Select-Object FullName, Length
+
+    - name: Sign executables and installers with Sigstore
+      env:
+        COSIGN_EXPERIMENTAL: 1  # Enable experimental features
+      run: |
+        # Sign the main executable
+        if (Test-Path "src-tauri/target/release/wfdiag-tauri.exe") {
+          cosign-windows-amd64 sign-blob --yes --output-signature wfdiag-tauri.exe.sig --output-certificate wfdiag-tauri.exe.pem src-tauri/target/release/wfdiag-tauri.exe
+        }
+        
+        # Sign MSI installer if it exists
+        $msiPath = Get-ChildItem -Path "src-tauri/target/release/bundle/msi" -Filter "*.msi" -Recurse | Select-Object -First 1
+        if ($msiPath) {
+          cosign-windows-amd64 sign-blob --yes --output-signature "$($msiPath.BaseName).msi.sig" --output-certificate "$($msiPath.BaseName).msi.pem" $msiPath.FullName
+        }
+        
+        # Sign NSIS installer if it exists
+        $nsisPath = Get-ChildItem -Path "src-tauri/target/release/bundle/nsis" -Filter "*.exe" -Recurse | Select-Object -First 1
+        if ($nsisPath) {
+          cosign-windows-amd64 sign-blob --yes --output-signature "$($nsisPath.BaseName).nsis.sig" --output-certificate "$($nsisPath.BaseName).nsis.pem" $nsisPath.FullName
+        }
+
+    - name: Generate GitHub attestation
+      if: github.event_name == 'release'
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: |
+          src-tauri/target/release/wfdiag-tauri.exe
+          src-tauri/target/release/bundle/msi/*.msi
+          src-tauri/target/release/bundle/nsis/*.exe
+
+    - name: Upload signatures as artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: sigstore-signatures
+        path: |
+          *.sig
+          *.pem
+        retention-days: 30
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: tauri-builds
+        path: |
+          src-tauri/target/release/wfdiag-tauri.exe
+          src-tauri/target/release/bundle/
+        retention-days: 30
+
+  verify-signatures:
+    needs: build-and-sign
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+
+    - name: Download signatures
+      uses: actions/download-artifact@v4
+      with:
+        name: sigstore-signatures
+
+    - name: Download build artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: tauri-builds
+
+    - name: Verify signatures
+      env:
+        COSIGN_EXPERIMENTAL: 1
+      run: |
+        # Verify executable signature
+        if [ -f "wfdiag-tauri.exe.sig" ] && [ -f "wfdiag-tauri.exe" ]; then
+          cosign verify-blob --signature wfdiag-tauri.exe.sig --certificate wfdiag-tauri.exe.pem wfdiag-tauri.exe
+        fi
+        
+        # Verify MSI signature
+        if ls *.msi.sig 1> /dev/null 2>&1; then
+          for sig in *.msi.sig; do
+            msi="${sig%.sig}"
+            pem="${msi}.pem"
+            if [ -f "$msi" ] && [ -f "$pem" ]; then
+              cosign verify-blob --signature "$sig" --certificate "$pem" "$msi"
+            fi
+          done
+        fi
@@ -36,8 +36,7 @@ lerna-debug.log*
 .env.production.local
 .env.*.local
 
-# IDE files
-.vscode/
+# IDE files (allow some .vscode config)
 .idea/
 *.swp
 *.swo
@@ -50,11 +49,12 @@ lerna-debug.log*
 # Tauri specific
 src-tauri/target/
 src-tauri/gen/
+src-tauri/Cargo.lock
+.tauri/
 
 # Security sensitive files
 *.pfx
 *.p12
-*.pem
 *.key
 *.crt
 *.cer
@@ -72,6 +72,14 @@ certificates/
 *.rsa
 *.dsa
 
+# Sigstore signatures (local development only)
+signatures/
+*.sig
+*.pem
+*.bundle
+*.rekor
+*-signature.json
+
 # Temporary and cache files
 .cache/
 .tmp/
@@ -98,24 +106,37 @@ tempstats_app/
 *.rpm
 *.tar.gz
 
-# Allow release artifacts in release directory
+# Allow versioned release artifacts in release directory only
 !release/
 !release/*.zip
 !release/*.exe
 !release/*.msi
+!release/*.sig
+!release/*.pem
 
 # Windows specific
 *.stackdump
 *.lnk
 
 # Build outputs that shouldn't be versioned
 src-tauri/target/release/
-src-tauri/target/debug/
+src-tauri/target/debug/  
 src-tauri/bundle/
 WFDiagnostics_*.msix
 *.nsis
+*.appx
+*.msixbundle
+
+# PowerShell build scripts (auto-generated)
 rebuild-msix-signed.ps1
 sign-*.ps1
+build-*.ps1
+create-*cert.ps1
+
+# Rust build artifacts
+**/*.rs.bk
+*.orig
+Cargo.lock.orig
 
 # Local configuration and user data
 config.json
@@ -133,4 +154,49 @@ apikey.txt
 token.txt
 oauth_tokens.json
 credentials.json
-auth_tokens.json
+auth_tokens.json
+
+# Development tools and artifacts
+.claude/
+.vscode/settings.json
+.vscode/launch.json
+*.code-workspace
+.history/
+.devcontainer/
+.dockerignore
+docker-compose.override.yml
+
+# Package manager locks (keep main package-lock.json but ignore temp ones)
+.pnpm-store/
+pnpm-lock.yaml
+yarn.lock
+.yarn/
+.pnp.*
+
+# GitHub Codespaces
+.devcontainer/
+.github/ISSUE_TEMPLATE/
+.github/PULL_REQUEST_TEMPLATE/
+
+# Performance and profiling
+.clinic/
+profile/
+*.cpuprofile
+*.heapprofile
+*.heapsnapshot
+*.perf
+
+# Modern build tools
+.turbo/
+.next/
+.nuxt/
+.output/
+.vercel/
+.netlify/
+
+# Backup and recovery files
+*.backup
+*.bak
+*.swp
+*.swo
+~$*