tsafe-nativehost 1.0.5

Browser native messaging host for tsafe — lets Chrome/Edge/Firefox extensions read vault secrets safely
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

# tsafe-nativehost

Browser native messaging host for [tsafe](https://crates.io/crates/tsafe-cli).

Implements the Chrome / Edge / Firefox native messaging protocol so the tsafe
browser extension can read secrets from the local vault without exposing them
to web pages.

## Install

Included in the default CLI install:

```
cargo install tsafe-cli
```

Or standalone:

```
cargo install tsafe-nativehost
```

## Registration

After install, register the host with your browser:

```
tsafe browser-native-host register [EXTENSION_ID]
```

This writes the native messaging manifest to the correct location for each
browser:

- **Chrome / Edge (Linux/macOS)**`~/.config/google-chrome/NativeMessagingHosts/`
- **Firefox (Linux/macOS)**`~/.mozilla/native-messaging-hosts/`
- **Chrome / Edge (Windows)** — registry key under `HKCU\Software\Google\Chrome\NativeMessagingHosts\`
- **Firefox (Windows)**`%APPDATA%\Mozilla\NativeMessagingHosts\`

## Protocol

The host speaks the Chrome native messaging wire format: a 4-byte
little-endian length prefix followed by a UTF-8 JSON body, over stdin/stdout.
On Windows, both handles are switched to binary mode at startup to prevent the
C runtime from mangling newline bytes.

Supported JSON commands:

| Command        | Description                                              |
|----------------|----------------------------------------------------------|
| `unlock`       | Open a vault session; returns a `session_token`          |
| `lock`         | Drop the active session immediately                      |
| `list_logins`  | List secret keys visible to the requesting hostname      |
| `get_login`    | Fetch a single secret value                              |
| `save_login`   | Write a new or updated secret into the vault             |

All commands except `unlock` require a `session_token` obtained from a prior
`unlock` response. Sessions expire after 5 minutes of inactivity; each
successful request resets the idle timer.

## Security model

- **Domain isolation** — each `list_logins`, `get_login`, and `save_login`
  request must include a `hostname` field. The hostname is validated against a
  browser-profile mapping (`browser-profiles.json`) so the extension can only
  read secrets that have been explicitly mapped to the current browser profile.
- **Phishing guard** — if the requesting hostname is not mapped but is one edit
  distance away from a registered domain (e.g. `paypa1.com` vs `paypal.com`),
  the response is `{"status":"phishing_warning","registered":"paypal.com"}`
  rather than a generic error.
- **Hostname fill guard** — structurally invalid hostnames (too many labels,
  excessive label length) are rejected before profile lookup.
- **Concurrent requests** — the persistent native messaging port allows the
  popup and content script to interleave requests. Each request may carry an
  `id` field; the host echoes it back on the response so the extension can
  route concurrent replies to the correct awaiter.
- **Audit log** — every `browser-list` and `browser-get` operation is appended
  to the profile's audit log.

## License

Same as the tsafe workspace — see the repository root.