fix: load factory auth from droid v2 store #298

Open: davidarny wants to merge 5 commits into main from fix/factory-auth-v2-store

@davidarny
Collaborator

Summary

  • load Factory auth from Droid's current auth.v2.file + auth.v2.key store before falling back to legacy auth sources
  • add host-side AES-256-GCM decrypt support so the Factory plugin can read the v2 encrypted auth payload
  • keep the proactive refresh fallback fix and add regression coverage around v2 auth loading
  • include the currently committed Rust/UI formatting changes that were already in the worktree

Testing

  • bun run test --run plugins/factory/plugin.test.js
  • cargo test --manifest-path src-tauri/Cargo.toml plugin_engine::host_api::tests
  • bun run test:coverage (fails: global branch coverage is 89.58%, below the 90% threshold; PR created anyway per explicit user instruction)

@github-actions bot added the rust, plugin, and docs labels on Mar 16, 2026
@augmentcode
augmentcode bot commented Mar 16, 2026

🤖 Augment PR Summary

Summary: This PR updates the Factory provider to load authentication from Droid’s current v2 auth store before falling back to legacy sources.

Changes:

  • Added support for reading ~/.factory/auth.v2.file + ~/.factory/auth.v2.key (AES-256-GCM envelope + base64 key) and preferring it over legacy files/keychain.
  • Introduced a host-side crypto API (host.crypto.decryptAes256Gcm) implemented in Rust to decrypt the v2 auth payload for QuickJS plugins.
  • Ensured refreshed v2 auth is kept in-memory while explicitly skipping persistence back to the unsupported v2 storage format.
  • Hardened proactive refresh behavior by continuing with the existing access token when refresh errors occur but the token is still valid.
  • Added regression tests covering v2 auth loading precedence, fallback behavior, and refresh/persistence behavior.
  • Updated Factory provider documentation for the new token storage locations.
  • Included incidental Rust/UI formatting changes present in the worktree.

Technical Notes: AES-256-GCM envelope format is iv_b64:tag_b64:ciphertext_b64; Rust uses OpenSSL for GCM decryption and exposes it via the plugin host API.

@augmentcode augmentcode bot left a comment

Review completed. No suggestions at this time.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 13 files

Owner

@robinebers robinebers left a comment

Hey! This is Rob's AI reviewer. Thanks for the contribution!

Nice improvement overall. Loading the newer auth.v2 store first is the right direction, and the added test coverage helped a lot. Two things to fix before merge:

  1. file-v2 refreshes are not persisted. refreshToken() updates the in-memory access_token and refresh_token, but saveAuth() skips source === "file-v2". Since the refresh response can return a new refresh_token, the next probe or app restart can fall back to stale auth from disk and fail once the old access token expires.

  2. This PR adds a new shared plugin API helper, ctx.host.crypto.decryptAes256Gcm(), but docs/plugins/api.md was not updated. Since this changes the plugin API surface, the docs should move with the code.

Everything else I spot-checked here looks good, and the focused JS/Rust tests passed.

@validatedev
Collaborator

@codex review

@chatgpt-codex-connector
Codex Review: Didn't find any major issues. More of your lovely PRs please.

Contributor

Copilot AI left a comment

Pull request overview

This PR adds AES-256-GCM decryption support to the Rust plugin host API so the Factory provider plugin can read Factory’s newer encrypted auth storage format (auth.v2.file + auth.v2.key), and updates the Factory plugin to prefer that source and handle token refresh failures more gracefully.

Changes:

  • Add host.crypto.decryptAes256Gcm(...) to the Tauri plugin host API (Rust) and wire it into the injected JS host object.
  • Update the Factory provider plugin + tests to load/decrypt auth.v2.* credentials first, with fallbacks to legacy storage and improved proactive-refresh behavior.
  • Apply various Rust formatting/refactor-only adjustments (no functional change intended) and update Factory docs.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src-tauri/src/webkit_config.rs | Refactors the WebKit suspension-disabling closure formatting. |
| src-tauri/src/tray.rs | Rustfmt-style formatting for tray menu item creation. |
| src-tauri/src/plugin_engine/runtime.rs | Formatting + minor control-flow style adjustments in probe runtime and parsing. |
| src-tauri/src/plugin_engine/mod.rs | Log formatting adjustments during plugin installation/copy steps. |
| src-tauri/src/plugin_engine/manifest.rs | Import ordering + minor log formatting in link sanitization. |
| src-tauri/src/plugin_engine/host_api.rs | Introduces AES-256-GCM decrypt helper, injects host.crypto API, and adds tests. |
| src-tauri/src/panel.rs | Import/log formatting and minor formatting of config parsing. |
| src-tauri/Cargo.toml | Adds direct openssl dependency needed by the new crypto helper. |
| src-tauri/Cargo.lock | Updates OpenSSL-related versions and records new direct dependency usage. |
| plugins/test-helpers.js | Adds a test double for host.crypto.decryptAes256Gcm using Node crypto. |
| plugins/factory/plugin.test.js | Adds coverage for v2 auth loading/decryption and refresh edge-cases. |
| plugins/factory/plugin.js | Implements v2 auth loading preference + safer proactive refresh fallback behavior. |
| docs/providers/factory.md | Documents the new v2 auth storage locations and precedence. |

@validatedev
Collaborator

I can approve this after you resolve @robinebers's comment (if relevant). I don't use droid so I can't test this though.

@davidarny
Collaborator Author

Addressing the AI review feedback:

  • persisted refreshed Factory file-v2 auth back to ~/.factory/auth.v2.file using the same AES-256-GCM envelope/key path, so rotated refresh_token values survive the next probe/app restart
  • documented the shared ctx.host.crypto.decryptAes256Gcm(...) and ctx.host.crypto.encryptAes256Gcm(...) helpers in docs/plugins/api.md

Verification:

  • bun run test --run plugins/factory/plugin.test.js
  • cargo test --manifest-path src-tauri/Cargo.toml plugin_engine::host_api::tests

@davidarny davidarny requested a review from robinebers March 18, 2026 06:15
@davidarny
Collaborator Author

Addressing the two Copilot review comments:

  • replaced the direct openssl dependency with stable RustCrypto aes-gcm 0.10.3, which avoids native OpenSSL linkage/toolchain risk while keeping Droid's 16-byte IV envelope format
  • added explicit validation for AES-256 key length, IV length, and GCM auth-tag length before decrypt/encrypt, so bad envelopes fail with clear errors instead of lower-level crypto init failures

Verification:

  • cargo test --manifest-path src-tauri/Cargo.toml plugin_engine::host_api::tests
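
The envelope checks discussed in this thread, as an added Node.js example that is not code from this PR or the project: it parses the `iv_b64:tag_b64:ciphertext_b64` envelope, validates key, IV and tag lengths before touching the cipher, and round-trips a payload. The function names, the 16-byte tag length, padded standard base64, and the UTF-8 plaintext are assumptions; the sample data is constructed.

```javascript
// Added example: names, error messages and sample data are constructed for illustration.
const crypto = require("node:crypto");

const KEY_LEN = 32; // AES-256
const IV_LEN = 16;  // 16-byte IV envelope format named in this PR
const TAG_LEN = 16; // assumption: full 128-bit GCM tag

// Buffer.from(s, "base64") silently skips invalid characters, so check strictly first.
function strictB64(label, s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new Error(`${label}: not valid base64`);
  }
  return Buffer.from(s, "base64");
}

function loadKey(keyB64) {
  const key = strictB64("key", keyB64.trim());
  if (key.length !== KEY_LEN) throw new Error(`key: expected ${KEY_LEN} bytes, got ${key.length}`);
  return key;
}

function parseEnvelope(envelope) {
  const parts = envelope.trim().split(":");
  if (parts.length !== 3) throw new Error("envelope: expected iv:tag:ciphertext");
  const [iv, tag, ciphertext] = parts.map((p, i) => strictB64(["iv", "tag", "ciphertext"][i], p));
  if (iv.length !== IV_LEN) throw new Error(`iv: expected ${IV_LEN} bytes, got ${iv.length}`);
  if (tag.length !== TAG_LEN) throw new Error(`tag: expected ${TAG_LEN} bytes, got ${tag.length}`);
  return { iv, tag, ciphertext };
}

function decryptEnvelope(envelope, keyB64) {
  const key = loadKey(keyB64);
  const { iv, tag, ciphertext } = parseEnvelope(envelope);
  // authTagLength pins the tag size so a truncated tag is never accepted.
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  // final() throws if the tag does not verify; no plaintext is returned in that case.
  return Buffer.concat([d.update(ciphertext), d.final()]).toString("utf8");
}

function encryptEnvelope(plaintext, keyB64) {
  const key = loadKey(keyB64);
  const iv = crypto.randomBytes(IV_LEN); // fresh IV per write; never reuse one with the same key
  const c = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return [iv, c.getAuthTag(), ct].map((b) => b.toString("base64")).join(":");
}
```
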
