fix: refresh privacy-core pin on source startup

scripts/refresh_privacy_core_pin.py

@@ -0,0 +1,100 @@
+from __future__ import annotations
+
+import hashlib
+import re
+from pathlib import Path
+
+
+TRUE_VALUES = {"1", "true", "yes", "on", "allow", "enabled"}
+PIN_KEY = "PRIVACY_CORE_ALLOWED_SHA256"
+PRIVATE_LANE_KEYS = ("MESH_ARTI_ENABLED", "MESH_RNS_ENABLED")
+
+
+def _repo_root() -> Path:
+    return Path(__file__).resolve().parents[1]
+
+
+def _privacy_core_library(root: Path) -> Path | None:
+    release_dir = root / "privacy-core" / "target" / "release"
+    candidates = (
+        release_dir / "privacy_core.dll",
+        release_dir / "libprivacy_core.so",
+        release_dir / "libprivacy_core.dylib",
+    )
+    for candidate in candidates:
+        if candidate.is_file():
+            return candidate
+    return None
+
+
+def _parse_env(lines: list[str]) -> dict[str, str]:
+    values: dict[str, str] = {}
+    for line in lines:
+        match = re.match(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\s*$", line)
+        if not match:
+            continue
+        key, raw_value = match.groups()
+        values[key] = raw_value.strip().strip('"').strip("'")
+    return values
+
+
+def _private_lane_enabled(values: dict[str, str]) -> bool:
+    for key in PRIVATE_LANE_KEYS:
+        value = values.get(key, "")
+        if value.strip().lower() in TRUE_VALUES:
+            return True
+    return False
+
+
+def _replace_or_append_pin(lines: list[str], digest: str) -> tuple[list[str], bool]:
+    updated: list[str] = []
+    replaced = False
+    pattern = re.compile(rf"^(\s*{re.escape(PIN_KEY)}\s*=).*$")
+    for line in lines:
+        if pattern.match(line):
+            updated.append(f"{PIN_KEY}={digest}")
+            replaced = True
+        else:
+            updated.append(line)
+    if not replaced:
+        if updated and updated[-1].strip():
+            updated.append("")
+        updated.append(f"{PIN_KEY}={digest}")
+    return updated, replaced
+
+
+def main() -> int:
+    root = _repo_root()
+    env_path = root / "backend" / ".env"
+    if not env_path.is_file():
+        print("[*] privacy-core trust pin refresh skipped: backend/.env not found.")
+        return 0
+
+    library_path = _privacy_core_library(root)
+    if library_path is None:
+        print("[*] privacy-core trust pin refresh skipped: shared library not found.")
+        return 0
+
+    text = env_path.read_text(encoding="utf-8-sig")
+    lines = text.splitlines()
+    values = _parse_env(lines)
+    has_pin = PIN_KEY in values
+    if not has_pin and not _private_lane_enabled(values):
+        print("[*] privacy-core trust pin refresh skipped: private-lane mode is not enabled.")
+        return 0
+
+    digest = hashlib.sha256(library_path.read_bytes()).hexdigest()
+    if values.get(PIN_KEY, "").strip().lower() == digest:
+        print("[*] privacy-core trust pin already current.")
+        return 0
+
+    updated, replaced = _replace_or_append_pin(lines, digest)
+    newline = "\r\n" if "\r\n" in text else "\n"
+    env_path.write_text(newline.join(updated) + newline, encoding="utf-8")
+    action = "refreshed" if replaced else "enrolled"
+    print(f"[*] privacy-core trust pin {action} for local shared library.")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

start.bat

@@ -258,7 +258,14 @@ if not exist "%PRIVACY_CORE_DLL%" (
         cd /d "%ROOT%\backend"
     )
 )
-if exist "%PRIVACY_CORE_DLL%" echo [*] privacy-core DLL OK.
+if exist "%PRIVACY_CORE_DLL%" (
+    echo [*] privacy-core DLL OK.
+    "%VENV_PY%" "%ROOT%\scripts\refresh_privacy_core_pin.py"
+    if errorlevel 1 (
+        echo [!] WARNING: privacy-core trust pin refresh failed. Startup may fail if backend\.env pins an old hash.
+        echo.
+    )
+)
 
 cd /d "%ROOT%"
 

start.sh

@@ -215,6 +215,10 @@ if [ ! -f "$PRIVACY_CORE_SO" ] && [ ! -f "$PRIVACY_CORE_DYLIB" ]; then
 fi
 if [ -f "$PRIVACY_CORE_SO" ] || [ -f "$PRIVACY_CORE_DYLIB" ]; then
     echo "[*] privacy-core shared library OK."
+    "$VENV_PY" "$SCRIPT_DIR/scripts/refresh_privacy_core_pin.py" || {
+        echo "[!] WARNING: privacy-core trust pin refresh failed. Startup may fail if backend/.env pins an old hash."
+        echo ""
+    }
 fi
 
 cd "$SCRIPT_DIR"