Shadowbroker
2dc1fcc778
What this release does
----------------------
1. Establishes a fresh Tauri updater signing keypair. The previous keypair
(pubkey baked into v0.9.79 / v0.9.8) had no matching private key on
any maintainer-controlled machine — every prior release shipped
without signatures, so auto-update has never actually worked. v0.9.81
rotates to a new pubkey and ships signed installers + latest.json so
every release from here is a one-click upgrade.
2. Fixes the ``admin_session_required`` race in TopRightControls.tsx.
The updateAction state used to default to ``auto_apply`` at React-init
time. A click on the Update button before the async runtime probe
completed went down the auto_apply path (POST /api/system/update),
which throws ``admin_session_required`` on fresh sessions. Desktop
installs now default to ``manual_download`` based on synchronous
``window.__TAURI__`` detection at useState init.
One-time cost for current installs
----------------------------------
Anyone on v0.9.79 or v0.9.8 will see the in-app Update button still
trigger the broken path on their existing install (the fix only takes
effect once they're ON v0.9.81). The MANUAL DOWNLOAD button in the
update dialog opens the GitHub release page, where they grab the .msi
and run it. After that one manual hop, all future updates are seamless.
Release artifacts
-----------------
ShadowBroker_v0.9.81.zip 6.06 MB
42f8a51f9a5690d1e7349d90d8ecf2d163c9061d6cf90c69ee03647a785437ff
ShadowBroker_0.9.81_x64_en-US.msi 122.4 MB
a45b177c26c95d2b28d71592d7147e88ff4e104865f214fde11249d311ec9e25
ShadowBroker_0.9.81_x64-setup.exe 76.5 MB
eca884b9d37eeccd0f11c91dcc6f6ae1b3609d9dee72bd73c37c9a427babfef2
Plus .sig files for the .msi and .exe, plus a signed latest.json for
the Tauri updater endpoint.
Sizes match the v0.9.79 / v0.9.8 reference shape within drift for
the new TopRightControls patch.
release_digests.json keeps v0.9.79 + v0.9.8 blocks alongside v0.9.81
so operators still on those versions continue to validate cleanly
during the rollout transition.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Tauri Skeleton
Cross-platform Tauri integration for the ShadowBroker desktop boundary.
Scope
This skeleton covers the accepted native desktop foundation:
- Rust-authoritative local-control policy enforcement and audit
- cross-platform tray/menu-bar lifecycle
- packaged managed local backend runtime
- packaged loopback runtime for same-origin
/api/* - optional reduced-trust browser companion opener
- desktop packaging flow with branded bundle icons and release manifests
It does not move DM/data-plane operations into native code.
Architecture
main.rscreates the main window programmatically and attaches aninitialization_scriptsowindow.__SHADOWBROKER_DESKTOP__exists before page JavaScript runsbridge.rsroutes Tauri IPC throughpolicy.rsbefore any privileged backend dispatchbackend_runtime.rsinstalls and launches the bundled backend runtime into app-local writable storage for packaged buildscompanion_server.rsprovides the packaged loopback HTTP origin used by:- the native main window for ordinary same-origin
/api/* - the optional external browser companion opener
- the native main window for ordinary same-origin
tray.rsowns tray/menu-bar restore/hide/quit behaviorhttp_client.rsforwards privileged native requests with the native-owned admin key
Environment variables
SHADOWBROKER_BACKEND_URL- Optional backend override. In packaged mode, if unset, the app launches its bundled local backend automatically.SHADOWBROKER_ADMIN_KEY- Optional admin key for privileged backend accessSHADOWBROKER_FRONTEND_URL- Explicit frontend origin override for dev/custom setups
Development
# Install Tauri CLI
cargo install tauri-cli@^2
# Start the dev shell (frontend dev server must already be running on :3000)
./dev.sh
Platform dependencies:
- Linux:
libwebkit2gtk-4.1-dev,libjavascriptcoregtk-4.1-dev,libayatana-appindicator3-dev,libxdo-dev - macOS: Xcode command-line tools
- Windows: Visual Studio C++ build tools
Production build
Use whichever entrypoint matches your environment:
# POSIX shell
./build.sh
# Windows PowerShell
./build.ps1
# Cross-platform npm wrapper from repo root
npm --prefix desktop-shell run build:desktop
Add --clean when you want a fresh export/icon rebuild and old bundle
artifacts removed before packaging.
The release build now does the full packaging pipeline:
- Generates branded icons in
src-tauri/icons/ - Stages a desktop-only frontend export tree that omits Next server-only
routes/middleware (
src/app/api,src/middleware.ts) - Stages a managed backend runtime bundle from
backend/intosrc-tauri/backend-runtime/ - Builds the frontend export with
NEXT_OUTPUT=export - Copies
frontend/outtosrc-tauri/companion-www/ - Runs
cargo tauri build - Writes
SHA256SUMS.txtandrelease-manifest.jsontosrc-tauri/target/release/bundle/
If cargo tauri is not installed, the build now fails immediately with the
required install command instead of failing after the frontend export.
See RELEASE.md for the release-oriented checklist. See RELEASE_INPUTS.md for the future credentials/secrets that only matter once you want signed/notarized public distribution.
Runtime model
Native privileged path
The 27 privileged local-control commands still go through the Rust IPC bridge. The packaged loopback server does not replace that boundary.
Packaged loopback app server
In packaged builds, main.rs now launches a bundled local backend by default,
then starts a loopback HTTP server and points the native window at it. That
gives the packaged desktop app ownership of both the app shell and the local
backend runtime, while keeping a real same-origin /api/* path for ordinary
non-privileged fetches.
The managed backend runtime also seeds and persists its own local secrets on first launch:
ADMIN_KEYMESH_PEER_PUSH_SECRETMESH_DM_TOKEN_PEPPERMESH_SECURE_STORAGE_SECRETon non-Windows
It also defaults the managed compatibility-cutoff flags to the hardened desktop posture:
MESH_BLOCK_LEGACY_NODE_ID_COMPAT=trueMESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=unless an operator sets a dated temporary migration overrideMESH_BLOCK_LEGACY_AGENT_ID_LOOKUP=true
That keeps the packaged desktop path out of the "edit .env by hand before it
is safe" trap for normal local users.
If a managed desktop operator leaves MESH_BLOCK_LEGACY_NODE_ID_COMPAT=false
in the managed backend .env, bootstrap now normalizes it back to true.
The only supported escape hatch for legacy 16-hex node IDs is a dated
MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=YYYY-MM-DD override. Source/server
deployments remain operator-controlled through their own env files and do not
inherit this desktop-specific default.
Browser companion
Browser companion is:
- optional
- disabled by default
- loopback-only
- reduced-trust
It does not receive the native bridge injection and is not equivalent
to standalone browser mode. The built-in loopback server is a thin static
/api/* proxy and does not reproduce Next middleware, admin-session cookie
logic, or wormhole routing.
Current status
This is now a runnable desktop build path with branded assets and repeatable bundle outputs.
What works:
- Native desktop window (dev + packaged)
- Packaged bundled local backend launch + ownership
- Managed packaged backend auto-seeding of local admin/private-plane secrets
- Packaged same-origin
/api/*path for non-privileged data - Rust-authoritative policy enforcement and audit
- Tray/menu-bar background lifecycle
- macOS dock reopen restores the main window
- Browser companion opener with honest reduced-trust scoping
- Branded bundle icon set (
.png,.ico,.icns, Windows tile assets) - Release checksums + artifact manifest alongside bundle output
- GitHub Actions desktop build matrix for Windows/macOS/Linux
- Tag-driven GitHub release asset upload without required secrets
What is still not done:
- Windows code signing
- macOS notarization credentials
- Auto-update publishing
- Final installer copy / splash polish
- Standalone-browser-equivalent companion parity