You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Lets the host store Wi-Fi credentials once in a DPAPI-encrypted blob
that only their own Windows login can decrypt, so a lab-mode operator
can apply them to the Pico without the password ever crossing the
tunnel.
couchlink save-wifi [--ssid X --password Y] [--clear]
writes/clears the vault at %APPDATA%/ParsecCouchLink/config/lab-wifi.bin.
The vault is decrypted only inside the lab-mode `wifi_apply_saved`
handler, in a spawn_blocking closure that hands the bytes straight to
the existing pico.set_wifi() path and zeroizes both intermediate
buffers on every code path. The Zeroizing<String> in LoadedCreds is a
second zero-on-drop guard.
The over-the-wire `wifi_set { ssid, password }` command is removed --
the vault path is now the only way to push credentials. If the host
hasn't saved any, the operator sees a clear "no saved creds; run
`couchlink save-wifi` on the host first" message and falls back to the
host's terminal. This narrows the tunnel command surface and removes
the one place cleartext credentials could have crossed the wire.
Adds the matching `wifi_clear` lab command, which sends the existing
CDC CLEAR_WIFI request so the Pico wipes flash credentials.
Round-trip verified live on this machine: DPAPI encrypt + decrypt
test passes, CLI save + clear cycle succeeds with the encrypted vault
appearing at the documented path.
0 commit comments