Add auto-update for desktop and CLI

Desktop uses tauri-plugin-updater to check GitHub Releases on startup,
show an install banner, and expose a manual "Check for updates" button
in Settings. The app version is shown in every layout header.

CLI runs a fire-and-forget update check against the GitHub releases API
at startup and prints an upgrade hint if a newer release exists.

Release workflow now produces signed updater bundles, collects
per-platform signatures, and publishes a merged latest.json alongside
the release assets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikkeldamsgaard

.github/workflows/release.yml

@@ -119,12 +119,15 @@ jobs:
           - os: macos-latest
             target: aarch64-apple-darwin
             artifact: ralph-desktop-macos-arm64
+            updater_platform: darwin-aarch64
           - os: windows-latest
             target: x86_64-pc-windows-msvc
             artifact: ralph-desktop-windows-x86_64
+            updater_platform: windows-x86_64
           - os: ubuntu-latest
             target: x86_64-unknown-linux-gnu
             artifact: ralph-desktop-linux-x86_64
+            updater_platform: linux-x86_64
 
     runs-on: ${{ matrix.os }}
 
@@ -161,9 +164,12 @@ jobs:
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
           KEYCHAIN_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          # Updater signing — required to produce .sig files and latest.json.
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         with:
           args: --target ${{ matrix.target }}
-          includeUpdaterJson: false
+          includeUpdaterJson: true
 
       - name: Notarize and staple DMG (macOS)
         if: runner.os == 'macOS'
@@ -184,16 +190,65 @@ jobs:
 
           rm -f "$APPLE_API_KEY_PATH"
 
+      - name: Collect updater metadata
+        shell: bash
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+          BUNDLE_DIR: target/${{ matrix.target }}/release/bundle
+          UPDATER_PLATFORM: ${{ matrix.updater_platform }}
+        run: |
+          set -euo pipefail
+          VERSION="${TAG_NAME#release-}"
+          # Find the updater bundle + its .sig produced by Tauri. Each OS
+          # has exactly one updater target: .app.tar.gz (mac), .nsis .exe
+          # (windows), .AppImage (linux).
+          case "$UPDATER_PLATFORM" in
+            darwin-*)
+              BUNDLE=$(ls "$BUNDLE_DIR"/macos/*.app.tar.gz | head -n1)
+              ;;
+            windows-*)
+              BUNDLE=$(ls "$BUNDLE_DIR"/nsis/*-setup.exe | head -n1)
+              ;;
+            linux-*)
+              BUNDLE=$(ls "$BUNDLE_DIR"/appimage/*.AppImage | head -n1)
+              ;;
+          esac
+          SIG_FILE="${BUNDLE}.sig"
+          SIG=$(cat "$SIG_FILE")
+          ASSET_NAME=$(basename "$BUNDLE")
+          URL="https://github.com/KitStream/ralph/releases/download/${TAG_NAME}/${ASSET_NAME}"
+          mkdir -p updater-meta
+          cat > "updater-meta/${UPDATER_PLATFORM}.json" <<EOF
+          {
+            "platform": "${UPDATER_PLATFORM}",
+            "version": "${VERSION}",
+            "signature": "${SIG//$'\n'/\\n}",
+            "url": "${URL}",
+            "bundle": "${BUNDLE}"
+          }
+          EOF
+
       - name: Upload desktop artifacts
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.artifact }}
           path: |
             target/${{ matrix.target }}/release/bundle/dmg/*.dmg
             target/${{ matrix.target }}/release/bundle/nsis/*.exe
+            target/${{ matrix.target }}/release/bundle/nsis/*.exe.sig
             target/${{ matrix.target }}/release/bundle/msi/*.msi
+            target/${{ matrix.target }}/release/bundle/msi/*.msi.sig
             target/${{ matrix.target }}/release/bundle/deb/*.deb
             target/${{ matrix.target }}/release/bundle/appimage/*.AppImage
+            target/${{ matrix.target }}/release/bundle/appimage/*.AppImage.sig
+            target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz
+            target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz.sig
+
+      - name: Upload updater metadata
+        uses: actions/upload-artifact@v4
+        with:
+          name: updater-meta-${{ matrix.updater_platform }}
+          path: updater-meta/*.json
 
   release:
     needs: [build-cli, build-desktop]
@@ -209,6 +264,35 @@ jobs:
         with:
           path: artifacts
 
+      - name: Assemble updater latest.json
+        run: |
+          set -euo pipefail
+          VERSION="${{ steps.version.outputs.version }}"
+          PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          python3 - <<PY
+          import json, glob, os
+          platforms = {}
+          version = None
+          for path in glob.glob("artifacts/updater-meta-*/*.json"):
+              with open(path) as f:
+                  meta = json.load(f)
+              version = meta["version"]
+              platforms[meta["platform"]] = {
+                  "signature": meta["signature"],
+                  "url": meta["url"],
+              }
+          out = {
+              "version": version or "$VERSION",
+              "notes": "See release notes on GitHub.",
+              "pub_date": "$PUB_DATE",
+              "platforms": platforms,
+          }
+          os.makedirs("latest", exist_ok=True)
+          with open("latest/latest.json", "w") as f:
+              json.dump(out, f, indent=2)
+          print(json.dumps(out, indent=2))
+          PY
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
@@ -219,4 +303,6 @@ jobs:
             The desktop app (`.dmg`) and CLI binaries are signed and notarized
             with a Developer ID. macOS will check Apple's notary service
             online on first launch — no manual `xattr` workaround needed.
-          files: artifacts/**/*
+          files: |
+            artifacts/ralph-*/**/*
+            latest/latest.json

ARCHITECTURE.md

@@ -83,3 +83,24 @@ Events are persisted to disk as JSONL for session replay.
 - The frontend can reliably prefix-match tool paths against `{project_dir}/.ralph/{branch}-worktree` for display shortening
 
 The frontend's `shortenPath` replaces the worktree prefix with `⌂` for compact display. This uses case-insensitive matching with backslash normalization for Windows compatibility.
+
+## Auto-update
+
+Both frontends notify the user when a newer release is published:
+
+- **Desktop** uses `tauri-plugin-updater`. On startup it fetches
+  `https://github.com/KitStream/ralph/releases/latest/download/latest.json`,
+  verifies the bundle signature against the public key in `tauri.conf.json`,
+  and prompts the user to install. `useAppUpdate` (`src/hooks/useAppUpdate.ts`)
+  drives the UI; `UpdateBanner` renders the top-of-window banner; `SettingsDialog`
+  exposes a manual "Check for updates" button.
+- **CLI** (`crates/ralph-cli/src/update_check.rs`) does a fire-and-forget HTTPS
+  request to the GitHub API with a 3 s timeout and prints an upgrade hint to
+  stderr if the latest release tag is numerically greater than the compiled
+  `CARGO_PKG_VERSION`. Failures are silent by design — the check must never
+  affect session execution.
+
+The release workflow (`.github/workflows/release.yml`) builds signed updater
+bundles per platform (`TAURI_SIGNING_PRIVATE_KEY` secret), collects their
+signatures into per-platform JSON fragments, and merges them into a single
+`latest.json` attached to the GitHub Release.