Init

.env.sample

@@ -0,0 +1,4 @@
+DATABASE_URL=postgres://localhost/opensecret
+OPENAI_API_KEY=
+ENCLAVE_SECRET_MOCK=
+RESEND_API_KEY=

.github/workflows/build.yml

@@ -0,0 +1,134 @@
+# This workflow handles Nix-based reproducible builds for opensecret
+# It requires a custom ARM64 runner for AWS Nitro Enclave compatibility
+name: "Nix Reproducible Builds"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  dev:
+    name: "Development Reproducible Build"
+    # Run on all PRs and master pushes
+    if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'push'
+    # Custom runner required: ARM64 architecture needed for AWS Nitro Enclaves
+    # 4 cores needed for efficient builds and PCR verification
+    runs-on: ubuntu-22.04-arm64-4core
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      # Setup Nix with caching for faster builds
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v16
+
+      - name: Enable Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v8
+
+      - name: Check flake.lock health
+        uses: DeterminateSystems/flake-checker-action@v9
+        with:
+          flake-lock-path: flake.lock
+
+      # Build development EIF directly using Nix package
+      - name: Build dev EIF
+        id: build-dev
+        run: |
+          set -euo pipefail
+          nix build .?submodules=1#eif-dev
+          echo "Build completed successfully"
+
+      # Verify PCR values match the reference
+      - name: Verify dev PCR
+        id: verify-dev
+        run: |
+          set -euo pipefail
+          if [ ! -f "./pcrDev.json" ]; then
+            echo "❌ No pcrDev.json found. This file must be checked into version control."
+            exit 1
+          fi
+
+          if diff -q "./pcrDev.json" result/pcr.json > /dev/null; then
+            echo "✅ Dev PCR values match!"
+          else
+            echo "❌ Dev PCR values do not match!"
+            echo "Expected (./pcrDev.json):"
+            cat "./pcrDev.json"
+            echo "Got (result/pcr.json):"
+            cat result/pcr.json
+            exit 1
+          fi
+
+      # Store artifacts for 7 days
+      - name: Upload dev artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dev-artifacts
+          path: result/
+          retention-days: 7
+
+  prod:
+    name: "Production Reproducible Build"
+    # Only run on master pushes or manual triggers for production safety
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/master')
+    # Same custom runner requirements as dev build
+    runs-on: ubuntu-22.04-arm64-4core
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      # Setup Nix with caching for faster builds
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v16
+
+      - name: Enable Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v8
+
+      - name: Check flake.lock health
+        uses: DeterminateSystems/flake-checker-action@v9
+        with:
+          flake-lock-path: flake.lock
+
+      # Build production EIF directly using Nix package
+      - name: Build prod EIF
+        id: build-prod
+        run: |
+          set -euo pipefail
+          nix build .?submodules=1#eif-prod
+          echo "Build completed successfully"
+
+      # Verify PCR values match the reference
+      - name: Verify prod PCR
+        id: verify-prod
+        run: |
+          set -euo pipefail
+          if [ ! -f "./pcrProd.json" ]; then
+            echo "❌ No pcrProd.json found. This file must be checked into version control."
+            exit 1
+          fi
+
+          if diff -q "./pcrProd.json" result/pcr.json > /dev/null; then
+            echo "✅ Production PCR values match!"
+          else
+            echo "❌ Production PCR values do not match!"
+            echo "Expected (./pcrProd.json):"
+            cat "./pcrProd.json"
+            echo "Got (result/pcr.json):"
+            cat result/pcr.json
+            exit 1
+          fi
+
+      # Store production artifacts for 30 days
+      - name: Upload prod artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: prod-artifacts
+          path: result/
+          retention-days: 30

.gitignore

@@ -0,0 +1,28 @@
+/debug
+/target
+/build
+/result
+/*.tar
+/*/*.tar
+
+# Environment variables
+.env
+.env.local
+.env.*.local
+
+# IDE files
+.vscode/
+.idea/
+
+# Operating system files
+.DS_Store
+Thumbs.db
+
+# Rust
+**/*.rs.bk
+
+# Clippy compile errors keep generating this
+/rustc-ice-*
+
+# Continuum local files
+continuum-manifests/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "nitro-toolkit"]
+	path = nitro-toolkit
+	url = [email protected]:OpenSecretCloud/nitro-toolkit.git