Shadowbroker
2dc1fcc778
What this release does
----------------------
1. Establishes a fresh Tauri updater signing keypair. The previous keypair
(pubkey baked into v0.9.79 / v0.9.8) had no matching private key on
any maintainer-controlled machine — every prior release shipped
without signatures, so auto-update has never actually worked. v0.9.81
rotates to a new pubkey and ships signed installers + latest.json so
every release from here is a one-click upgrade.
2. Fixes the ``admin_session_required`` race in TopRightControls.tsx.
The updateAction state used to default to ``auto_apply`` at React-init
time. A click on the Update button before the async runtime probe
completed went down the auto_apply path (POST /api/system/update),
which throws ``admin_session_required`` on fresh sessions. Desktop
installs now default to ``manual_download`` based on synchronous
``window.__TAURI__`` detection at useState init.
One-time cost for current installs
----------------------------------
Anyone on v0.9.79 or v0.9.8 will see the in-app Update button still
trigger the broken path on their existing install (the fix only takes
effect once they're ON v0.9.81). The MANUAL DOWNLOAD button in the
update dialog opens the GitHub release page, where they grab the .msi
and run it. After that one manual hop, all future updates are seamless.
Release artifacts
-----------------
ShadowBroker_v0.9.81.zip 6.06 MB
42f8a51f9a5690d1e7349d90d8ecf2d163c9061d6cf90c69ee03647a785437ff
ShadowBroker_0.9.81_x64_en-US.msi 122.4 MB
a45b177c26c95d2b28d71592d7147e88ff4e104865f214fde11249d311ec9e25
ShadowBroker_0.9.81_x64-setup.exe 76.5 MB
eca884b9d37eeccd0f11c91dcc6f6ae1b3609d9dee72bd73c37c9a427babfef2
Plus .sig files for the .msi and .exe, plus a signed latest.json for
the Tauri updater endpoint.
Sizes match the v0.9.79 / v0.9.8 reference shape within drift for
the new TopRightControls patch.
release_digests.json keeps v0.9.79 + v0.9.8 blocks alongside v0.9.81
so operators still on those versions continue to validate cleanly
during the rollout transition.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Desktop Shell
Native-side scaffold for the ShadowBroker desktop boundary.
Purpose
This package owns the accepted desktop track:
- native privileged control routing through Rust
- authoritative policy enforcement and audit
- packaged managed local backend ownership
- packaged desktop runtime with same-origin
/api/* - tray/menu-bar lifecycle
- optional reduced-trust browser companion mode
- desktop packaging/release tooling
Browser mode remains intact; the desktop path layers on top of it.
Source of truth
The shared desktop control contract still lives in:
frontend/src/lib/desktopControlContract.tsfrontend/src/lib/desktopControlRouting.ts
The native side imports that contract instead of redefining it.
Layout
desktop-shell/
├── package.json
├── scripts/
│ └── run-desktop-build.cjs # Cross-platform npm build wrapper
├── src/
│ ├── runtimeBridge.ts
│ ├── nativeControlRouter.ts
│ ├── nativeControlAudit.ts
│ └── handlers/
└── tauri-skeleton/
├── dev.sh
├── build.sh
├── build.ps1
├── RELEASE.md
├── scripts/
│ ├── generate-icons.cjs
│ └── write-release-manifest.cjs
└── src-tauri/
├── Cargo.toml
├── tauri.conf.json
├── icons/ # Generated branded bundle assets
└── src/
├── main.rs
├── bridge.rs
├── policy.rs
├── tray.rs
├── companion.rs
├── companion_server.rs
├── handlers.rs
└── http_client.rs
Desktop runtime model
Native privileged path
The accepted 27-command privileged path remains native-only:
- frontend bridge detection builds
window.__SHADOWBROKER_LOCAL_CONTROL__ - privileged requests go through Tauri IPC
- Rust policy enforces capability/profile rules before dispatch
- Rust audit ring records all outcomes
- the native admin key never reaches webview JavaScript
Packaged main window
Packaged builds now own a bundled local backend runtime by default, then use an
app-level loopback server as the native window origin so ordinary
non-privileged /api/* fetches resolve same-origin instead of dying on static
asset serving.
Browser companion
Browser companion remains:
- optional
- loopback-only
- explicitly enabled
- reduced-trust
It never receives the native bridge injection, and it is not a drop-in replacement for standalone browser mode.
Packaging / release flow
Use any of these entrypoints:
./desktop-shell/tauri-skeleton/build.sh
./desktop-shell/tauri-skeleton/build.ps1
npm --prefix desktop-shell run build:desktop
Use --clean to remove the previous export, generated icons, and old installer
artifacts before rebuilding.
The release flow now:
- generates branded desktop icons
- stages a desktop-only frontend export tree without Next server-only route handlers / middleware
- stages a managed backend runtime bundle from
backend/ - builds the frontend export for Tauri packaging
- copies the export to
companion-www - runs
cargo tauri build - writes
SHA256SUMS.txtandrelease-manifest.jsonnext to the bundle output
If the Tauri CLI is missing, the build scripts now fail immediately with the
correct cargo install tauri-cli@^2 instruction.
The repo also now has a no-secrets desktop matrix workflow at
../.github/workflows/desktop-release.yml
that builds unsigned desktop artifacts on Windows, macOS, and Linux and turns
v*.*.* tags into downloadable GitHub release assets.
See tauri-skeleton/RELEASE.md for release-path
details and tauri-skeleton/RELEASE_INPUTS.md
for the future inputs that only matter once public distribution trust becomes a
goal.
Current status
This is a runnable desktop foundation with a repeatable packaging path.
What works:
- native desktop window with full app UI
- packaged desktop ownership of a bundled local backend runtime
- packaged desktop auto-generates and persists its local backend admin/private-plane secrets on first run
- packaged desktop-managed backend blocks legacy
16-hex node-ID compat and directlegacy_agent_idlookup by default - packaged same-origin
/api/*path for non-privileged data - Rust-side policy enforcement and audit
- tray/menu-bar background lifecycle
- macOS dock reopen
- optional reduced-trust browser companion opener
- branded Tauri/Windows/macOS bundle icons
- release manifest + checksum generation
What is still not done:
- code signing / notarization
- auto-update mechanism
- final installer copy / splash polish
- DM/data-plane native migration
- standalone-browser-equivalent companion parity
Managed backend defaults
The packaged desktop-managed backend now defaults to the hardened posture for compatibility sunset work:
MESH_BLOCK_LEGACY_NODE_ID_COMPAT=trueMESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=unless an operator sets a dated temporary migration overrideMESH_BLOCK_LEGACY_AGENT_ID_LOOKUP=true
That default applies to the app-owned managed backend created under
%LOCALAPPDATA%. Source/server deployments remain operator-controlled and can
set those flags independently.
If a managed desktop operator leaves MESH_BLOCK_LEGACY_NODE_ID_COMPAT=false
in the managed backend .env, bootstrap now normalizes it back to true.
The only supported escape hatch for legacy 16-hex node IDs is a dated
MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=YYYY-MM-DD override.
MESH_BLOCK_LEGACY_AGENT_ID_LOOKUP=false is still preserved if an operator
intentionally needs that separate migration path.