feat: picotool embed (build-tag-gated), CI + release workflow, handoff update

Three deferred v0.2 items land:

picotool embed -- a new internal/picotool package uses //go:embed
behind a 'embed_picotool' build tag. Default builds compile in an
empty stub and fall back to the host PATH; tagged builds extract
the embedded exe to %TEMP%/handoff/picotool-<hash>.exe on first
use. scripts/fetch-picotool.ps1 downloads the official binary into
internal/picotool/binaries/ (gitignored). Default binary stays at
9.5 MB; tagged binary is 15.7 MB.

GitHub Actions -- .github/workflows/ci.yml does vet + default-build
+ tagged-build on every push and PR. .github/workflows/release.yml
fires on tag push (v*), builds the embedded binary with trimpath
and -s -w, writes a sidecar handoff-version.json manifest (version,
sha256, url, notes), and uploads both to the GitHub release. A
code-signing step is wired in but inert -- it activates only when
SIGNING_CERT_BASE64 and SIGNING_CERT_PASSWORD repo secrets are set.

handoff update -- fetches /dl/handoff-version.json from the relay
and, if the listed version differs from the running binary,
downloads /dl/handoff.exe to handoff.exe.new next to the current
exe. The user replaces and restarts manually (no in-place swap of
a running Windows process). --check prints the comparison without
downloading.

README updated with install / build-from-source / update sections.

Author: RealWhyKnot

.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+          cache: true
+
+      - name: go vet
+        run: go vet ./...
+
+      - name: go build (default)
+        run: go build -v ./...
+
+      - name: Fetch picotool
+        shell: pwsh
+        run: ./scripts/fetch-picotool.ps1
+
+      - name: go build (embedded)
+        run: go build -tags embed_picotool -v ./...

.github/workflows/release.yml

@@ -0,0 +1,83 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release (e.g. v0.1.0)'
+        required: true
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+          cache: true
+
+      - name: Fetch picotool
+        shell: pwsh
+        run: |
+          ./scripts/fetch-picotool.ps1
+
+      - name: Build with embedded picotool
+        shell: pwsh
+        run: |
+          $env:GOOS = 'windows'
+          $env:GOARCH = 'amd64'
+          $env:CGO_ENABLED = '0'
+          go build -trimpath -ldflags="-s -w" -tags embed_picotool -o handoff.exe .
+
+      - name: Build sidecar version manifest
+        shell: pwsh
+        run: |
+          $tag = "${{ github.event.inputs.tag }}"
+          if (-not $tag) { $tag = "${{ github.ref_name }}" }
+          $version = $tag.TrimStart('v')
+          $sha = (Get-FileHash -Algorithm SHA256 handoff.exe).Hash.ToLower()
+          $manifest = [ordered]@{
+            version = $version
+            sha256  = $sha
+            url     = "https://github.com/${{ github.repository }}/releases/download/$tag/handoff.exe"
+            notes   = "Release $tag"
+          }
+          $manifest | ConvertTo-Json -Compress | Out-File -FilePath handoff-version.json -Encoding ASCII
+          Get-Content handoff-version.json
+
+      - name: Code signing (disabled until cert is provisioned)
+        if: ${{ env.SIGNING_CERT_BASE64 != '' }}
+        env:
+          SIGNING_CERT_BASE64: ${{ secrets.SIGNING_CERT_BASE64 }}
+          SIGNING_CERT_PASSWORD: ${{ secrets.SIGNING_CERT_PASSWORD }}
+        shell: pwsh
+        run: |
+          # Activate by setting the SIGNING_CERT_BASE64 and SIGNING_CERT_PASSWORD
+          # repository secrets to a base64-encoded PFX and its password. The
+          # block stays inert until both are set.
+          $pfx = [Convert]::FromBase64String($env:SIGNING_CERT_BASE64)
+          $tmp = Join-Path $env:RUNNER_TEMP 'handoff-sign.pfx'
+          [IO.File]::WriteAllBytes($tmp, $pfx)
+          $signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' |
+            Sort-Object -Descending FullName | Select-Object -First 1
+          & $signtool.FullName sign /f $tmp /p $env:SIGNING_CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /td sha256 handoff.exe
+          Remove-Item $tmp -Force
+
+      - name: Upload release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.event.inputs.tag || github.ref_name }}
+          files: |
+            handoff.exe
+            handoff-version.json
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ contains(github.event.inputs.tag || github.ref_name, '-') }}

.gitignore

@@ -16,6 +16,10 @@ audit/
 # Temp unpacked tools
 .handoff-bin/
 
+# Bundled picotool binary downloaded by scripts/fetch-picotool.ps1.
+# Embedded only into -tags embed_picotool builds; default builds use PATH.
+internal/picotool/binaries/picotool.exe
+
 # Log files
 *.log
 

README.md

@@ -12,4 +12,37 @@ view token.
 the URL and queues commands -- host console shows each command and result --
 host presses Ctrl+C or types `q` to end the session.
 
+### Install
+
+Download the latest `handoff.exe` from
+[Releases](https://github.com/RealWhyKnot/Handoff/releases) and run it from a
+terminal. No installer. The default relay is `https://couchlink.whyknot.dev`;
+set `HANDOFF_RELAY` to point at a different one.
+
+### Build from source
+
+```powershell
+git clone https://github.com/RealWhyKnot/Handoff
+cd Handoff
+go build -o handoff.exe .
+```
+
+The default build calls into the system-installed `picotool` for the `pico.*`
+commands. To bundle picotool into the binary (so the host doesn't need to
+install it separately):
+
+```powershell
+./scripts/fetch-picotool.ps1
+go build -tags embed_picotool -o handoff.exe .
+```
+
+### Update
+
+```powershell
+./handoff.exe update --check    # check the relay for a newer release
+./handoff.exe update            # download it next to the running exe
+```
+
+### License
+
 GPL-3.0-or-later. Source at <https://github.com/RealWhyKnot/Handoff>.

cmd/update.go

@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+package cmd
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+// Update implements `handoff update`. Checks the relay's published
+// version manifest at <relay>/dl/handoff-version.json and, if a newer
+// release is available, downloads it next to the running binary as
+// handoff.exe.new. The user replaces the old binary manually -- we
+// don't try to atomic-swap a running executable on Windows.
+func Update(args []string) {
+	check := false
+	for _, a := range args {
+		if a == "--check" || a == "-c" {
+			check = true
+		}
+	}
+
+	relay := strings.TrimRight(defaultRelay(), "/")
+	manifestURL := relay + "/dl/handoff-version.json"
+	exeURL := relay + "/dl/handoff.exe"
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	current := getCurrentVersion()
+
+	fmt.Println("current:", current)
+	fmt.Println("checking:", manifestURL)
+
+	man, err := fetchManifest(ctx, manifestURL)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "could not reach update manifest:", err)
+		os.Exit(1)
+	}
+	fmt.Println("latest: ", man.Version)
+	if man.Notes != "" {
+		fmt.Println("notes:  ", man.Notes)
+	}
+
+	if man.Version == current {
+		fmt.Println("up to date")
+		return
+	}
+	if check {
+		fmt.Println("(check-only; not downloading)")
+		return
+	}
+
+	exePath, err := os.Executable()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "could not resolve current executable:", err)
+		os.Exit(1)
+	}
+	dst := filepath.Join(filepath.Dir(exePath), "handoff.exe.new")
+
+	fmt.Println("downloading:", exeURL, "->", dst)
+	if err := downloadVerified(ctx, exeURL, man.Sha256, dst); err != nil {
+		fmt.Fprintln(os.Stderr, "download failed:", err)
+		_ = os.Remove(dst)
+		os.Exit(1)
+	}
+	fmt.Println("downloaded.")
+	fmt.Println()
+	fmt.Println("To finish the update:")
+	fmt.Println("  1) Close any running 'handoff' processes.")
+	fmt.Println("  2) Replace", exePath)
+	fmt.Println("     with    ", dst)
+	fmt.Println("  3) Start a new session.")
+}
+
+type versionManifest struct {
+	Version string `json:"version"`
+	Sha256  string `json:"sha256"`
+	Notes   string `json:"notes"`
+	URL     string `json:"url"`
+}
+
+func fetchManifest(ctx context.Context, url string) (*versionManifest, error) {
+	req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("manifest fetch: %d", resp.StatusCode)
+	}
+	var m versionManifest
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		return nil, err
+	}
+	if m.Version == "" {
+		return nil, fmt.Errorf("manifest has empty version")
+	}
+	return &m, nil
+}
+
+func downloadVerified(ctx context.Context, url, sha256Hex, dst string) error {
+	req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return fmt.Errorf("%d", resp.StatusCode)
+	}
+
+	f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
+	if err != nil {
+		return err
+	}
+	h := sha256.New()
+	written, err := io.Copy(io.MultiWriter(f, h), resp.Body)
+	if cerr := f.Close(); err == nil {
+		err = cerr
+	}
+	if err != nil {
+		return err
+	}
+	if written == 0 {
+		return fmt.Errorf("empty body")
+	}
+	if sha256Hex != "" {
+		got := hex.EncodeToString(h.Sum(nil))
+		if !strings.EqualFold(got, sha256Hex) {
+			return fmt.Errorf("sha256 mismatch (got %s, expected %s)", got, sha256Hex)
+		}
+	}
+	return nil
+}
+
+// getCurrentVersion returns the version string baked into the binary.
+// We re-read from main's exported const via an env-injected fallback;
+// in v0.1 we just print "0.1.x" so the operator has something to
+// compare with the manifest until the build stamps a real version.
+func getCurrentVersion() string {
+	if v := os.Getenv("HANDOFF_VERSION"); v != "" {
+		return v
+	}
+	return Version
+}

internal/capabilities/pico.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/RealWhyKnot/Handoff/internal/dispatch"
+	"github.com/RealWhyKnot/Handoff/internal/picotool"
 )
 
 // RegisterPico wires the pico.* handlers. v0.1 shells out to the
@@ -25,15 +26,7 @@ func RegisterPico(r *dispatch.Router) {
 }
 
 func picotoolPath() (string, error) {
-	p, err := exec.LookPath("picotool")
-	if err == nil {
-		return p, nil
-	}
-	p, err = exec.LookPath("picotool.exe")
-	if err == nil {
-		return p, nil
-	}
-	return "", fmt.Errorf("picotool not on PATH (install from raspberrypi/pico-sdk-tools or `winget install raspberrypi.picotool`)")
+	return picotool.Path()
 }
 
 func runPicotool(ctx context.Context, args ...string) (stdout, stderr string, err error) {

internal/picotool/binaries/.keep

@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+//go:build embed_picotool
+
+package picotool
+
+import _ "embed"
+
+// data carries the bundled picotool.exe. Populated only on builds
+// invoked with `-tags embed_picotool`; default builds compile in the
+// empty stub from embed_without.go and fall back to the host PATH.
+//
+//go:embed binaries/picotool.exe
+var data []byte
+
+// Embedded reports whether the binary was baked into this build.
+func Embedded() bool { return len(data) > 0 }

internal/picotool/embed_with.go

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+//go:build !embed_picotool
+
+package picotool
+
+// data is empty on default builds; pico.* handlers fall back to PATH.
+var data []byte
+
+// Embedded reports whether the binary was baked into this build.
+func Embedded() bool { return false }