Add signing pipeline scoreboard backend and runner profiles

Author: FaulMit

.github/workflows/release.yml

@@ -48,6 +48,11 @@ jobs:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       WINDOWS_CERTIFICATE_BASE64: ${{ secrets.WINDOWS_CERTIFICATE_BASE64 }}
       WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+      MACOS_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE_BASE64 }}
+      MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 
     steps:
       - name: Checkout
@@ -98,6 +103,25 @@ jobs:
           "CSC_LINK=$env:WIN_CSC_LINK" >> $env:GITHUB_ENV
           "CSC_KEY_PASSWORD=$env:WIN_CSC_KEY_PASSWORD" >> $env:GITHUB_ENV
 
+      - name: Decode macOS signing certificate
+        if: runner.os == 'macOS' && env.MACOS_CERTIFICATE_BASE64 != ''
+        shell: bash
+        run: |
+          CERT_PATH="$RUNNER_TEMP/macos-signing-cert.p12"
+          echo "$MACOS_CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
+          echo "CSC_LINK=$CERT_PATH" >> "$GITHUB_ENV"
+          echo "CSC_KEY_PASSWORD=$MACOS_CERTIFICATE_PASSWORD" >> "$GITHUB_ENV"
+          echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
+
+      - name: Disable signing when no certificate is configured
+        shell: pwsh
+        run: |
+          if ($env:CSC_LINK) {
+            "CSC_IDENTITY_AUTO_DISCOVERY=true" >> $env:GITHUB_ENV
+          } else {
+            "CSC_IDENTITY_AUTO_DISCOVERY=false" >> $env:GITHUB_ENV
+          }
+
       - name: Build packages
         shell: pwsh
         run: |
@@ -114,7 +138,6 @@ jobs:
           exit $exitCode
         env:
           BUILD_SCRIPT: ${{ matrix.script }}
-          CSC_IDENTITY_AUTO_DISCOVERY: false
           ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES: true
 
       - name: Upload build artifacts

README.md

@@ -161,6 +161,16 @@ npm start
 
 Tokens stay on the backend. The browser UI never asks for or stores a GitHub token.
 
+For a proper leaderboard service, run the bundled scoreboard backend:
+
+```powershell
+npm run scoreboard
+$env:RIGSCOPE_SCOREBOARD_URL="http://127.0.0.1:8797"
+npm start
+```
+
+The scoreboard backend adds challenge nonces, rate limiting, server-side profile normalization, score bounds, and setup lookup endpoints. See [docs/SCOREBOARD.md](docs/SCOREBOARD.md).
+
 ## Security Model
 
 - Local server binds to `127.0.0.1`.
@@ -202,6 +212,7 @@ npm start          # local server only
 npm run open       # server + default browser
 npm run app        # browser app mode
 npm run desktop    # Electron shell
+npm run scoreboard # local leaderboard backend
 npm run pack       # unpacked desktop build
 ```
 

build/entitlements.mac.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>

docs/RELEASE.md

@@ -83,8 +83,10 @@ Windows builds still run without these secrets, but the generated installer and
 
 For signing, configure:
 
-- `CSC_LINK`: Developer ID Application certificate, usually a base64 certificate or secure URL supported by `electron-builder`
-- `CSC_KEY_PASSWORD`: certificate password
+- `MACOS_CERTIFICATE_BASE64`: base64-encoded Developer ID Application `.p12`
+- `MACOS_CERTIFICATE_PASSWORD`: certificate password
+
+The workflow decodes the certificate and exposes it to `electron-builder` as `CSC_LINK` and `CSC_KEY_PASSWORD`. Local builds may still use `CSC_LINK` and `CSC_KEY_PASSWORD` directly.
 
 For notarization, configure placeholders expected by `electron-builder` tooling:
 
@@ -94,6 +96,8 @@ For notarization, configure placeholders expected by `electron-builder` tooling:
 
 The project currently defines macOS DMG and ZIP targets in `package.json`. Signing and notarization are active only when the certificate and Apple credentials are present in GitHub Secrets.
 
+The macOS build uses hardened runtime and `build/entitlements.mac.plist`. The notarization hook is `scripts/notarize.js`; it no-ops when Apple credentials are missing, so unsigned preview builds still work.
+
 ### Linux packages
 
 Linux AppImage, `.deb`, and `.tar.gz` packages are built unsigned by default. Add package signing later only if the distribution channel requires it.

docs/SCOREBOARD.md

@@ -0,0 +1,55 @@
+# RigScope Scoreboard Backend
+
+RigScope can use a real scoreboard service instead of the GitHub gist MVP.
+
+## Start Locally
+
+```powershell
+npm run scoreboard
+```
+
+Default URL:
+
+```text
+http://127.0.0.1:8797
+```
+
+Point the app server at it:
+
+```powershell
+$env:RIGSCOPE_SCOREBOARD_URL="http://127.0.0.1:8797"
+npm start
+```
+
+## API
+
+- `POST /api/v1/challenge` returns a short-lived nonce.
+- `POST /api/v1/submissions` accepts `{ nonce, profile }`, validates the nonce, normalizes the public score card, calculates the server-side public record, and stores it.
+- `GET /api/v1/leaderboard?limit=100` returns ranked public profiles.
+- `GET /api/v1/setups/:id` returns one public setup profile.
+- `GET /api/v1/health` returns service health.
+
+## Current Anti-Abuse Layer
+
+- short-lived challenge nonce
+- per-IP rate limit
+- server-side normalization and score bounds
+- public reduced profile only
+- raw IP is not stored; submissions store an IP hash
+- bounded JSON body size
+
+This is stronger than GitHub/gist sync, but it is not full anti-cheat. A production leaderboard should add signed benchmark attestations, account identity, moderation, replay detection, and server-side anomaly scoring.
+
+## Data
+
+By default data is stored in:
+
+```text
+~/.rigscope-scoreboard/scoreboard.json
+```
+
+Override:
+
+```powershell
+$env:RIGSCOPE_SCOREBOARD_DATA="D:\rigscope-scoreboard"
+```

native-runners.js

@@ -9,45 +9,116 @@ const MAX_DURATION_SEC = 900;
 
 const PROFILE_DEFINITIONS = [
   {
-    id: "prime95-torture",
+    id: "prime95-small-fft",
     toolId: "prime95",
-    label: "Prime95 / mprime Torture",
+    label: "Prime95 / mprime Small FFT",
+    target: "cpu",
+    risk: "high",
+    durationDefaultSec: 180,
+    durationMaxSec: 600,
+    args: () => ["-t"],
+    safety: {
+      maxDurationSec: 600,
+      recommendedMonitor: "Watch CPU package temperature and VRM temperature. Stop above your platform limit.",
+      stopBehavior: "RigScope terminates the process tree at the duration cap or when Stop Native is pressed."
+    },
+    notes: "Starts Prime95 torture mode. Prime95 chooses the exact torture preset from its local configuration, so treat it as a high-heat CPU test."
+  },
+  {
+    id: "prime95-blend",
+    toolId: "prime95",
+    label: "Prime95 / mprime Blend",
     target: "cpu-memory",
     risk: "high",
     durationDefaultSec: 300,
     durationMaxSec: 900,
     args: () => ["-t"],
-    notes: "Starts the built-in torture mode. Stop from RigScope or close Prime95/mprime."
+    safety: {
+      maxDurationSec: 900,
+      recommendedMonitor: "Watch CPU temperature, memory temperature where available, and system responsiveness.",
+      stopBehavior: "RigScope terminates the process tree at the duration cap or when Stop Native is pressed."
+    },
+    notes: "Launches Prime95/mprime torture mode for a longer CPU/RAM stability pass. Configure blend mode inside Prime95 if prompted."
   },
   {
     id: "furmark-smoke",
     toolId: "furmark",
-    label: "FurMark GPU Smoke",
+    label: "FurMark GPU Smoke 720p",
     target: "gpu",
     risk: "high",
     durationDefaultSec: 120,
+    durationMaxSec: 300,
+    args: (tool, durationSec) => {
+      const exe = path.basename(tool.executable?.path || "").toLowerCase();
+      if (process.platform === "win32") {
+        return exe.includes("furmark2")
+          ? ["--demo", "--fullscreen=0"]
+          : ["/nogui", "/width=1280", "/height=720", `/max_time=${durationSec * 1000}`];
+      }
+      return [];
+    },
+    safety: {
+      maxDurationSec: 300,
+      recommendedMonitor: "Watch GPU hotspot, memory junction where available, fan speed, and power draw.",
+      stopBehavior: "RigScope terminates the process tree at the duration cap or when Stop Native is pressed."
+    },
+    notes: "Launches FurMark with a conservative 720p windowed smoke profile when supported by the installed build."
+  },
+  {
+    id: "furmark-burn-in-1080p",
+    toolId: "furmark",
+    label: "FurMark Burn-in 1080p",
+    target: "gpu",
+    risk: "extreme",
+    durationDefaultSec: 180,
     durationMaxSec: 600,
-    args: (tool) => {
+    args: (tool, durationSec) => {
       const exe = path.basename(tool.executable?.path || "").toLowerCase();
       if (process.platform === "win32") {
         return exe.includes("furmark2")
           ? ["--demo", "--fullscreen=0"]
-          : ["/nogui", "/width=1280", "/height=720", "/max_time=120000"];
+          : ["/nogui", "/width=1920", "/height=1080", `/max_time=${durationSec * 1000}`];
       }
       return [];
     },
-    notes: "Launches FurMark with a conservative windowed/smoke profile when supported by the installed build."
+    safety: {
+      maxDurationSec: 600,
+      recommendedMonitor: "Use only with active temperature monitoring. Stop immediately on artifacts, throttling, or unstable power.",
+      stopBehavior: "RigScope terminates the process tree at the duration cap or when Stop Native is pressed."
+    },
+    notes: "High-load FurMark profile intended for short validation runs, not unattended overnight testing."
   },
   {
     id: "occt-manual",
     toolId: "occt",
-    label: "OCCT Manual Session",
+    label: "OCCT Manual Stability Session",
     target: "stability-suite",
     risk: "high",
     durationDefaultSec: 300,
     durationMaxSec: 900,
     args: () => [],
-    notes: "OCCT CLI differs by release, so RigScope launches OCCT and tracks the process; choose the exact test in OCCT."
+    safety: {
+      maxDurationSec: 900,
+      recommendedMonitor: "Use OCCT's own telemetry and stop on errors, thermal throttling, or PSU instability.",
+      stopBehavior: "RigScope tracks and terminates the launched OCCT process when requested."
+    },
+    notes: "OCCT CLI differs by release, so RigScope launches OCCT and tracks the process; choose CPU, memory, GPU, or PSU inside OCCT."
+  },
+  {
+    id: "occt-psu-manual",
+    toolId: "occt",
+    label: "OCCT PSU Manual Session",
+    target: "psu-system",
+    risk: "extreme",
+    durationDefaultSec: 120,
+    durationMaxSec: 300,
+    args: () => [],
+    safety: {
+      maxDurationSec: 300,
+      recommendedMonitor: "PSU tests can load CPU and GPU together. Do not run unattended.",
+      stopBehavior: "RigScope tracks and terminates the launched OCCT process when requested."
+    },
+    notes: "Opens OCCT for a short manual PSU validation session. The exact test must be started inside OCCT."
   },
   {
     id: "y-cruncher-manual",
@@ -58,7 +129,12 @@ const PROFILE_DEFINITIONS = [
     durationDefaultSec: 300,
     durationMaxSec: 900,
     args: () => [],
-    notes: "y-cruncher automation is intentionally not scripted yet; this launches the native tool and tracks it."
+    safety: {
+      maxDurationSec: 900,
+      recommendedMonitor: "Watch CPU temperature and memory stability. y-cruncher can expose marginal RAM/IMC instability quickly.",
+      stopBehavior: "RigScope tracks and terminates the launched y-cruncher process when requested."
+    },
+    notes: "Launches y-cruncher for manual stress/benchmark selection and tracks the process."
   }
 ];
 
@@ -75,7 +151,8 @@ const nativeRunner = {
   child: null,
   exitCode: null,
   signal: null,
-  output: []
+  output: [],
+  report: null
 };
 
 function getProfiles() {
@@ -95,6 +172,7 @@ function getProfiles() {
       durationDefaultSec: profile.durationDefaultSec,
       durationMaxSec: profile.durationMaxSec,
       acknowledgement: ACK,
+      safety: profile.safety,
       notes: profile.notes
     };
   });
@@ -115,7 +193,31 @@ function getStatus(reason = "status") {
     durationMs: nativeRunner.durationMs,
     exitCode: nativeRunner.exitCode,
     signal: nativeRunner.signal,
-    output: nativeRunner.output.slice(-12)
+    output: nativeRunner.output.slice(-12),
+    report: nativeRunner.report
+  };
+}
+
+function buildReport(reason = "status") {
+  const elapsedMs = nativeRunner.startedAt ? Date.now() - nativeRunner.startedAt : 0;
+  const completedRatio = nativeRunner.durationMs ? Math.min(1, elapsedMs / nativeRunner.durationMs) : 0;
+  return {
+    generatedAt: new Date().toISOString(),
+    reason,
+    id: nativeRunner.id,
+    profileId: nativeRunner.profileId,
+    label: nativeRunner.label,
+    target: nativeRunner.target,
+    risk: nativeRunner.risk,
+    pid: nativeRunner.pid,
+    elapsedMs,
+    durationMs: nativeRunner.durationMs,
+    completedRatio: Math.round(completedRatio * 100) / 100,
+    exitCode: nativeRunner.exitCode,
+    signal: nativeRunner.signal,
+    verdict: nativeRunner.exitCode === 0 ? "completed" : nativeRunner.signal ? "stopped" : reason,
+    outputTail: nativeRunner.output.slice(-20),
+    safety: nativeRunner.safety
   };
 }
 
@@ -151,7 +253,7 @@ function startProfile(options = {}) {
 
   const requested = Number(options.durationSec) || profile.durationDefaultSec;
   const durationSec = Math.max(10, Math.min(requested, profile.durationMaxSec, MAX_DURATION_SEC));
-  const args = profile.args(tool);
+  const args = profile.args(tool, durationSec);
   const child = spawn(tool.executable.path, args, {
     cwd: path.dirname(tool.executable.path),
     windowsHide: false,
@@ -164,13 +266,17 @@ function startProfile(options = {}) {
     profileId: profile.id,
     toolId: profile.toolId,
     label: profile.label,
+    target: profile.target,
+    risk: profile.risk,
+    safety: profile.safety,
     pid: child.pid,
     startedAt: Date.now(),
     durationMs: durationSec * 1000,
     child,
     exitCode: null,
     signal: null,
-    output: []
+    output: [],
+    report: null
   });
 
   const capture = (source, chunk) => {
@@ -185,6 +291,7 @@ function startProfile(options = {}) {
     nativeRunner.active = false;
     nativeRunner.exitCode = code;
     nativeRunner.signal = signal;
+    nativeRunner.report = buildReport(signal ? "stopped" : "exited");
     nativeRunner.child = null;
     clearTimeout(nativeRunner.timer);
   });
@@ -200,9 +307,11 @@ function stopProfile(reason = "stopped") {
   if (!nativeRunner.active || !child) {
     nativeRunner.active = false;
     nativeRunner.child = null;
+    nativeRunner.report = buildReport(reason);
     return getStatus(reason);
   }
   nativeRunner.active = false;
+  nativeRunner.report = buildReport(reason);
   if (process.platform === "win32" && child.pid) {
     execFile("taskkill.exe", ["/PID", String(child.pid), "/T", "/F"], { windowsHide: true }, () => {});
   } else {