app-storage: ENCLAVEAPP_MOCK_STORAGE env var forces mock backend (#71)

Adds a runtime escape hatch for environments that cannot satisfy a
real hardware-backed backend. When ENCLAVEAPP_MOCK_STORAGE is set to
a non-empty value, create_encryption_storage returns a fresh
MockEncryptionStorage instead of initialising AppEncryptionStorage.

Primary use case: GitHub Actions macOS runners running integration
tests that would otherwise block indefinitely on a login-keychain
ACL confirmation prompt the headless runner cannot answer. The
library tests in enclaveapp-apple still exercise the real keychain
path locally — this only affects consumer integration tests that
opt in via the env var.

Mechanical changes:
- Move the mock module off the `mock` feature gate and compile it
  unconditionally; the aes-gcm + rand cost is already paid by the
  dependency graph.
- Re-export MockEncryptionStorage for downstream consumers.
- Drop the now-redundant `mock` feature from Cargo.toml.

Co-authored-by: Jay Gowdy <jay@gowdy.me>

Author: jgowdy-godaddy

crates/enclaveapp-app-storage/Cargo.toml

@@ -12,16 +12,16 @@ workspace = true
 
 [features]
 default = []
-mock = ["aes-gcm", "rand"]
 
 [dependencies]
 enclaveapp-core = { workspace = true }
 thiserror = { workspace = true }
 tracing = "0.1"
 
-# Mock backend (feature-gated)
-aes-gcm = { workspace = true, optional = true }
-rand = { workspace = true, optional = true }
+# Mock backend — always compiled so `ENCLAVEAPP_MOCK_STORAGE=1` can
+# swap it in at runtime without any feature flag gymnastics.
+aes-gcm = { workspace = true }
+rand = { workspace = true }
 
 [dev-dependencies]
 enclaveapp-test-support = { workspace = true }

crates/enclaveapp-app-storage/src/lib.rs

@@ -49,14 +49,14 @@
 
 pub mod encryption;
 pub mod error;
-#[cfg(feature = "mock")]
 pub mod mock;
 pub mod platform;
 pub mod signing;
 
 // Re-export primary types for consumers.
 pub use encryption::{AppEncryptionStorage, EncryptionStorage};
 pub use error::{Result, StorageError};
+pub use mock::MockEncryptionStorage;
 pub use platform::BackendKind;
 pub use signing::AppSigningBackend;
 
@@ -88,9 +88,34 @@ pub struct StorageConfig {
     pub force_keyring: bool,
 }
 
+/// Environment variable that, when set to a non-empty value, forces
+/// [`create_encryption_storage`] to return a [`MockEncryptionStorage`]
+/// instead of the real platform backend.
+///
+/// This is the sanctioned escape hatch for CI environments that
+/// cannot satisfy a real hardware-backed backend — typically GitHub
+/// Actions macOS runners, which would otherwise block indefinitely
+/// on a login-keychain ACL confirmation prompt. It is **not** a
+/// production-safe mode: the mock uses a random in-memory AES key
+/// and provides no hardware backing.
+pub const MOCK_STORAGE_ENV: &str = "ENCLAVEAPP_MOCK_STORAGE";
+
 /// Create encryption storage with automatic platform detection.
-/// Returns a trait object for use with mock backends in tests.
+///
+/// Honours [`MOCK_STORAGE_ENV`]: when that env var is set to a
+/// non-empty value the returned box wraps a fresh
+/// [`MockEncryptionStorage`]. Callers get a uniform
+/// [`EncryptionStorage`] trait object either way.
 pub fn create_encryption_storage(config: StorageConfig) -> Result<Box<dyn EncryptionStorage>> {
+    if let Ok(val) = std::env::var(MOCK_STORAGE_ENV) {
+        if !val.is_empty() {
+            tracing::warn!(
+                app = %config.app_name,
+                "{MOCK_STORAGE_ENV} is set — returning MockEncryptionStorage (no hardware backing)"
+            );
+            return Ok(Box::new(MockEncryptionStorage::new()));
+        }
+    }
     let storage = AppEncryptionStorage::init(config)?;
     Ok(Box::new(storage))
 }

crates/enclaveapp-app-storage/src/mock.rs

@@ -6,6 +6,11 @@
 //! Uses AES-256-GCM with a random in-memory key. Provides no hardware
 //! backing; suitable only for tests and development.
 
+// aes-gcm 0.10 still uses generic-array 0.14 internally and emits a
+// deprecation notice on `Nonce::from_slice` — the 1.x migration is
+// upstream work, silence here so `-D warnings` doesn't trip.
+#![allow(deprecated)]
+
 use aes_gcm::aead::Aead;
 use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
 use rand::RngCore;