Bumps every hardcoded 0.9.79 → 0.9.8 across backend, frontend,
desktop-shell, helm, lockfiles, test fixtures. Refreshes the in-app
ChangelogModal HEADLINE_FEATURES, NEW_FEATURES, and BUG_FIXES with the
v0.9.8 highlights.
Release artifacts built locally and hashed into release_digests.json:
ShadowBroker_v0.9.8.zip 6.06 MB
d506f6b8462ccb12096f0cd9462233be58928094240416b65fb3127bdd1f3820
ShadowBroker_0.9.8_x64_en-US.msi 122.4 MB
d4be4cb68c3e6409fff54c225acdcdd08e27d5d6d2b31616d78d2a4f6812991d
ShadowBroker_0.9.8_x64-setup.exe 76.5 MB
1115d1f5cf37edd03ea2c21d821c7626e1bf3319c990402aaa0293bca46fea67
Sizes match the v0.9.79 reference shape (5.76 MB / 117 MB / 72.9 MB)
within expected drift for new code. The .zip is a `git archive` of the
v0.9.8 source tree (matching v0.9.79's approach).
Audit confirms no .env, .key, .venv-dir, or cache files leaked into the
backend-runtime bundle. Python 3.11.9 + 199 site-packages + privacy_core
all staged correctly.
Headline changes since v0.9.79:
* Cumulative fuel/CO2 per flight (#317) — running totals since first
observation, not just per-hour rate.
* AIS maritime resilience (#314, #316) — outage banner + AISHub REST
fallback when AISStream WebSocket primary is offline.
* Data-layer repair (#311, #312) — UAP fallback respects the 60-day
cutoff; GPS jamming threshold tuning + nac_p=0 inclusion so the layer
actually fires.
* Per-flight source attribution (#313) — source field on every record.
* Cross-node DM mailbox replication (#309).
* Infonet sync HTTP 429 honored (#310).
Test fixtures updated:
* test_per_operator_outbound_attribution.py — added v0.9.8 UA strings
to the banned-aggregate-literals list (alongside v0.9.79).
* updateRuntime.test.ts — bumped asset filename fixtures to v0.9.8.
release_digests.json keeps the v0.9.79 block alongside v0.9.8 so
operators still on 0.9.79 validate cleanly during the rollout.
The accent narrowing fix in ChangelogModal (one feature uses 'purple',
two use 'cyan' so the renderer's `accent === 'purple'` comparison
still type-checks) is included.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Tauri Skeleton
Cross-platform Tauri integration for the ShadowBroker desktop boundary.
Scope
This skeleton covers the accepted native desktop foundation:
- Rust-authoritative local-control policy enforcement and audit
- cross-platform tray/menu-bar lifecycle
- packaged managed local backend runtime
- packaged loopback runtime for same-origin /api/*
- optional reduced-trust browser companion opener
- desktop packaging flow with branded bundle icons and release manifests
It does not move DM/data-plane operations into native code.
Architecture
- main.rs creates the main window programmatically and attaches an initialization_script so window.__SHADOWBROKER_DESKTOP__ exists before page JavaScript runs
- bridge.rs routes Tauri IPC through policy.rs before any privileged backend dispatch
- backend_runtime.rs installs and launches the bundled backend runtime into app-local writable storage for packaged builds
- companion_server.rs provides the packaged loopback HTTP origin used by:
  - the native main window for ordinary same-origin /api/*
  - the optional external browser companion opener
- tray.rs owns tray/menu-bar restore/hide/quit behavior
- http_client.rs forwards privileged native requests with the native-owned admin key
Environment variables
- SHADOWBROKER_BACKEND_URL - Optional backend override. In packaged mode, if unset, the app launches its bundled local backend automatically.
- SHADOWBROKER_ADMIN_KEY - Optional admin key for privileged backend access
- SHADOWBROKER_FRONTEND_URL - Explicit frontend origin override for dev/custom setups
Development
# Install Tauri CLI
cargo install tauri-cli@^2
# Start the dev shell (frontend dev server must already be running on :3000)
./dev.sh
Platform dependencies:
- Linux: libwebkit2gtk-4.1-dev, libjavascriptcoregtk-4.1-dev, libayatana-appindicator3-dev, libxdo-dev
- macOS: Xcode command-line tools
- Windows: Visual Studio C++ build tools
Production build
Use whichever entrypoint matches your environment:
# POSIX shell
./build.sh
# Windows PowerShell
./build.ps1
# Cross-platform npm wrapper from repo root
npm --prefix desktop-shell run build:desktop
Add --clean when you want a fresh export/icon rebuild and old bundle
artifacts removed before packaging.
The release build now does the full packaging pipeline:
- Generates branded icons in src-tauri/icons/
- Stages a desktop-only frontend export tree that omits Next server-only routes/middleware (src/app/api, src/middleware.ts)
- Stages a managed backend runtime bundle from backend/ into src-tauri/backend-runtime/
- Builds the frontend export with NEXT_OUTPUT=export
- Copies frontend/out to src-tauri/companion-www/
- Runs cargo tauri build
- Writes SHA256SUMS.txt and release-manifest.json to src-tauri/target/release/bundle/
If cargo tauri is not installed, the build now fails immediately with the
required install command instead of failing after the frontend export.
See RELEASE.md for the release-oriented checklist. See RELEASE_INPUTS.md for the future credentials/secrets that only matter once you want signed/notarized public distribution.
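A pre-packaging check on the staged backend runtime tree, as an added example (not the project's own audit script): it walks a staging directory and reports env files, private keys, virtualenv directories and Python caches. The pattern lists, function names and the temporary sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumed patterns for file kinds a runtime bundle should not carry:
# env files, private keys, virtualenv directories and Python caches.
FORBIDDEN_FILES = [".env", ".env.*", "*.key", "*.pyc"]
FORBIDDEN_DIRS = {".venv", "venv", "__pycache__", ".pytest_cache", ".mypy_cache"}


def audit_bundle(root):
    """Return sorted POSIX-style relative paths that must not ship under root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in list(dirnames):
            if name in FORBIDDEN_DIRS:
                findings.append((here / name).relative_to(root).as_posix() + "/")
                dirnames.remove(name)  # report the directory once, skip its contents
        for name in filenames:
            if any(fnmatch.fnmatch(name, pat) for pat in FORBIDDEN_FILES):
                findings.append((here / name).relative_to(root).as_posix())
    return sorted(findings)


def audit_constructed_tree():
    """Build a constructed staging tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ["app/main.py", "app/__pycache__/main.cpython-311.pyc",
                    ".env", "certs/node.key", "site-packages/pkg/__init__.py"]:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed")
        return audit_bundle(root)
```

Failing the build when the returned list is non-empty keeps a stray secret from reaching the checksum and manifest step.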
Runtime model
Native privileged path
The 27 privileged local-control commands still go through the Rust IPC bridge. The packaged loopback server does not replace that boundary.
Packaged loopback app server
In packaged builds, main.rs now launches a bundled local backend by default,
then starts a loopback HTTP server and points the native window at it. That
gives the packaged desktop app ownership of both the app shell and the local
backend runtime, while keeping a real same-origin /api/* path for ordinary
non-privileged fetches.
The managed backend runtime also seeds and persists its own local secrets on first launch:
- ADMIN_KEY
- MESH_PEER_PUSH_SECRET
- MESH_DM_TOKEN_PEPPER
- MESH_SECURE_STORAGE_SECRET on non-Windows
It also defaults the managed compatibility-cutoff flags to the hardened desktop posture:
- MESH_BLOCK_LEGACY_NODE_ID_COMPAT=true
- MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL= unless an operator sets a dated temporary migration override
- MESH_BLOCK_LEGACY_AGENT_ID_LOOKUP=true
That keeps the packaged desktop path out of the "edit .env by hand before it
is safe" trap for normal local users.
If a managed desktop operator leaves MESH_BLOCK_LEGACY_NODE_ID_COMPAT=false
in the managed backend .env, bootstrap now normalizes it back to true.
The only supported escape hatch for legacy 16-hex node IDs is a dated
MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=YYYY-MM-DD override. Source/server
deployments remain operator-controlled through their own env files and do not
inherit this desktop-specific default.
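One way the normalization described above could look, as an added example (not the project's bootstrap code): it forces the node-ID block flag back to true and keeps only a well-formed dated override. The function names, the constructed sample .env, and the rule that a malformed or already-passed override date is cleared are assumptions.

```python
import re
from datetime import date

# Hardened desktop defaults named in the text above.
HARDENED_DEFAULTS = {
    "MESH_BLOCK_LEGACY_NODE_ID_COMPAT": "true",
    "MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL": "",
    "MESH_BLOCK_LEGACY_AGENT_ID_LOOKUP": "true",
}
ISO_DAY = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed sample of a managed backend .env (not taken from the project).
SAMPLE_ENV = """\
ADMIN_KEY=constructed-placeholder
MESH_BLOCK_LEGACY_NODE_ID_COMPAT=false
MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL=2025-01-31
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def override_is_live(value, today):
    """Assumption: only a strict YYYY-MM-DD date that has not passed counts."""
    try:
        return bool(ISO_DAY.fullmatch(value)) and date.fromisoformat(value) >= today
    except ValueError:  # well-formed shape but impossible date, e.g. 2025-02-30
        return False

def normalize_managed_env(text, today):
    """Return (env, changes) with the compatibility-cutoff flags hardened."""
    env, changes = parse_env(text), []
    for key, default in HARDENED_DEFAULTS.items():
        if key not in env:
            env[key] = default
            changes.append(f"{key}: unset, defaulted to {default!r}")
    if env["MESH_BLOCK_LEGACY_NODE_ID_COMPAT"].lower() != "true":
        env["MESH_BLOCK_LEGACY_NODE_ID_COMPAT"] = "true"
        changes.append("MESH_BLOCK_LEGACY_NODE_ID_COMPAT: normalized back to true")
    until = env["MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL"]
    if until and not override_is_live(until, today):
        env["MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL"] = ""
        changes.append(f"MESH_ALLOW_LEGACY_NODE_ID_COMPAT_UNTIL: dropped {until!r}")
    return env, changes
```

The returned change list is what a bootstrap step would log, so an operator can see that a hand-edited flag was rewritten.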
Browser companion
Browser companion is:
- optional
- disabled by default
- loopback-only
- reduced-trust
It does not receive the native bridge injection and is not equivalent
to standalone browser mode. The built-in loopback server is a thin static
/api/* proxy and does not reproduce Next middleware, admin-session cookie
logic, or wormhole routing.
Current status
This is now a runnable desktop build path with branded assets and repeatable bundle outputs.
What works:
- Native desktop window (dev + packaged)
- Packaged bundled local backend launch + ownership
- Managed packaged backend auto-seeding of local admin/private-plane secrets
- Packaged same-origin /api/* path for non-privileged data
- Rust-authoritative policy enforcement and audit
- Tray/menu-bar background lifecycle
- macOS dock reopen restores the main window
- Browser companion opener with honest reduced-trust scoping
- Branded bundle icon set (.png, .ico, .icns, Windows tile assets)
- Release checksums + artifact manifest alongside bundle output
- GitHub Actions desktop build matrix for Windows/macOS/Linux
- Tag-driven GitHub release asset upload without required secrets
What is still not done:
- Windows code signing
- macOS notarization credentials
- Auto-update publishing
- Final installer copy / splash polish
- Standalone-browser-equivalent companion parity