quiet-node
diff --git a/‎.github/workflows/release-please.yml‎
Lines changed: 47 additions & 3 deletions b/‎.github/workflows/release-please.yml‎
Lines changed: 47 additions & 3 deletions
diff --git a/‎docs/configurations.md‎
Lines changed: 20 additions & 0 deletions b/‎docs/configurations.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docs/release-process.md‎
Lines changed: 96 additions & 0 deletions b/‎docs/release-process.md‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
@@ -103,6 +103,43 @@ jobs:
           codesign --deep --force --sign - src-tauri/target/release/bundle/macos/Thuki.app
           codesign --verify --verbose src-tauri/target/release/bundle/macos/Thuki.app
 
+      - name: Pack and sign updater payload
+        env:
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          TAG: ${{ needs.release-please.outputs.tag_name }}
+        working-directory: src-tauri/target/release/bundle/macos
+        run: |
+          VERSION="${TAG#v}"
+          PAYLOAD="Thuki_${VERSION}_aarch64.app.tar.gz"
+          tar czf "$PAYLOAD" Thuki.app
+          # Sign the payload with the project ed25519 key. The CLI reads the
+          # key + password from TAURI_SIGNING_PRIVATE_KEY[_PASSWORD] env vars.
+          bunx --bun @tauri-apps/cli signer sign "$PAYLOAD"
+
+      - name: Generate updater manifest
+        env:
+          TAG: ${{ needs.release-please.outputs.tag_name }}
+        working-directory: src-tauri/target/release/bundle/macos
+        run: |
+          VERSION="${TAG#v}"
+          PAYLOAD="Thuki_${VERSION}_aarch64.app.tar.gz"
+          SIG="$(cat "${PAYLOAD}.sig")"
+          PUB_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          cat > latest.json <<EOF
+          {
+            "version": "${VERSION}",
+            "notes": "https://github.com/quiet-node/thuki/releases/tag/${TAG}",
+            "pub_date": "${PUB_DATE}",
+            "platforms": {
+              "darwin-aarch64": {
+                "signature": "${SIG}",
+                "url": "https://github.com/quiet-node/thuki/releases/download/${TAG}/${PAYLOAD}"
+              }
+            }
+          }
+          EOF
+
       - name: Install create-dmg
         run: brew install create-dmg
 
@@ -128,9 +165,16 @@ jobs:
 
           rm -rf /tmp/thuki-dmg-src
 
-      - name: Upload release asset
+      - name: Upload release assets
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ needs.release-please.outputs.tag_name }}
+        working-directory: src-tauri/target/release/bundle
         run: |
-          gh release upload ${{ needs.release-please.outputs.tag_name }} \
-            src-tauri/target/release/bundle/dmg/Thuki.dmg
+          VERSION="${TAG#v}"
+          PAYLOAD="Thuki_${VERSION}_aarch64.app.tar.gz"
+          gh release upload "$TAG" \
+            "dmg/Thuki.dmg" \
+            "macos/${PAYLOAD}" \
+            "macos/${PAYLOAD}.sig" \
+            "macos/latest.json"
@@ -77,6 +77,14 @@ router_timeout_s = 45
 [debug]
 # Records every chat conversation and /search session to disk for later inspection.
 trace_enabled = false
+
+[updater]
+# Poll for new Thuki releases at startup and on a recurring interval.
+auto_check = true
+# Hours between background checks. Bound to 1..168.
+check_interval_hours = 24
+# URL of the signed update manifest. Override only when mirroring releases.
+manifest_url = "https://github.com/quiet-node/thuki/releases/latest/download/latest.json"
 ```
 
 ## Reading the reference tables
@@ -184,6 +192,18 @@ Records every chat conversation and `/search` session as JSON-Lines under `app_d
 | :-------------- | :------ | :------- | :-------------- | :----- | :--------------------------------------------------------------------------- |
 | `trace_enabled` | `false` | Yes      | —               | —      | Records every chat conversation and `/search` session to disk for debugging. |
 
+### `[updater]`
+
+Controls how Thuki polls for new releases. The actual download, signature verification, and binary swap are handled by the bundled Tauri updater plugin against a signed manifest hosted on GitHub Releases. The manifest is verified against an ed25519 public key compiled into the app, so a hijacked release cannot push a malicious binary to existing installs.
+
+| Field                  | Default                                                                              | Tunable? | Why not tunable | Bounds   | Description                                                                                                                                                                                  |
+| :--------------------- | :----------------------------------------------------------------------------------- | :------- | :-------------- | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `auto_check`           | `true`                                                                               | Yes      | n/a             | n/a      | Whether Thuki polls for updates automatically. When false, only the "Check now" button in Settings triggers a check. The tray badge and Settings banner still appear if a check finds an update. |
+| `check_interval_hours` | `24`                                                                                 | Yes      | n/a             | `1..168` | Hours between automatic background checks. Raise to spend less bandwidth on update polling; lower to surface new releases sooner. The interval also gates the startup check after a freshly resumed session. |
+| `manifest_url`         | GitHub releases default                                                              | Yes      | n/a             | n/a      | URL of the signed update manifest. Override only when mirroring releases (for example, an internal release feed). Empty values fall back to the default URL.                                |
+| `MAX_UPDATER_SNOOZE_HOURS` | `8760`                                                                           | No       | Defense-in-depth bound on `hours` arriving from the frontend IPC; prevents `u64` arithmetic in the snooze handlers from wrapping if a hostile or buggy caller supplies an extreme value. | n/a      | Maximum number of hours a "snooze update" request can defer the next nag. Caps at one year so the deadline math cannot overflow even in the worst case.                                     |
+| `DEFAULT_UPDATER_STATE_FILENAME` | `"updater_state.json"`                                                     | No       | Internal sidecar filename used for snooze persistence next to `config.toml`; not meaningful to expose and easy to break by typo. | n/a      | Filename of the JSON sidecar that records snooze deadlines so they survive app restarts. Lives in the same directory as `config.toml`.                                                      |
+
 ### `[activation]` (not in TOML)
 
 Settings for the double-tap-Control hotkey that opens Thuki, plus the macOS Accessibility permission check. None of these are user-tunable: the hotkey listener runs in a low-level system thread that cannot read live config, so changing them would require restructuring the keyboard plumbing.
 
@@ -0,0 +1,96 @@
+# Releasing Thuki
+
+Thuki ships signed updates to existing installs through the bundled Tauri updater. Releases are fully automated: the GitHub Actions workflow builds, signs, and publishes everything when a release-please PR merges.
+
+## Day-to-day: nothing to do
+
+Releases happen automatically. Land conventional-commit PRs into `main`. release-please opens a release PR. Merging that PR cuts a tag, which triggers the build workflow. The workflow produces:
+
+- `Thuki.dmg` (fresh-install download)
+- `Thuki_<version>_aarch64.app.tar.gz` (updater payload, ad-hoc-signed `.app` inside)
+- `Thuki_<version>_aarch64.app.tar.gz.sig` (ed25519 signature for the payload)
+- `latest.json` (the manifest the in-app updater polls)
+
+All four are uploaded to the GitHub release. Existing v0.7.x installs detect the new version on their next 24-hour check and offer to install in place.
+
+## Where the signing key lives
+
+The ed25519 private key is stored in **GitHub Actions secrets**, not on any developer laptop:
+
+- `TAURI_SIGNING_PRIVATE_KEY`: contents of the private key file.
+- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: empty for the current key, kept as a secret for future password-protected rotations.
+
+The matching public key is committed to the repo at `src-tauri/tauri.conf.json` under `plugins.updater.pubkey`. Every Thuki binary verifies updates against that public key. An attacker who replaces a release file cannot also forge a valid signature without the private key, so the swap is rejected and the running app keeps its current version.
+
+A backup copy of both keys lives in the private `quiet-node/thuki-confidential` repo. That copy is the disaster-recovery anchor: if GitHub Actions secrets ever get wiped, restore from the backup; if the backup is ever compromised, rotate the keypair (which orphans every existing install at its current version, so do this only as a last resort).
+
+## Local development: no keys required
+
+`bun run build:all` and `bun run validate-build` produce an unsigned `.app` bundle. Devs can launch it, test production behavior, and verify everything compiles. The signing step is gated behind `bun run build:release`, which is only invoked by CI.
+
+There is nothing to set up on your laptop. No env vars, no key files, no `.zshrc.local` overrides. New contributors clone the repo and start working.
+
+## Cutting a release manually (rare)
+
+If for some reason a release must be cut outside of CI (incident response, rolling back a bad release-please commit, etc.), the procedure is:
+
+1. Restore the keypair from `quiet-node/thuki-confidential` to a temporary location.
+2. Export the env vars in the shell that runs the build:
+
+   ```bash
+   export TAURI_SIGNING_PRIVATE_KEY="$(cat /path/to/restored/thuki-updater.key)"
+   export TAURI_SIGNING_PRIVATE_KEY_PASSWORD=""
+   ```
+
+3. Bump versions in `package.json` and `src-tauri/tauri.conf.json` to match.
+4. Build the signed payload:
+
+   ```bash
+   bun run build:release
+   ```
+
+5. Codesign the inner `.app` with `codesign --deep --force --sign - <Thuki.app>`.
+6. Hand-craft `latest.json` (see template below) and upload it alongside the `.tar.gz`, `.sig`, and `Thuki.dmg` to the GitHub release.
+7. Securely delete the restored key from the temporary location.
+
+This path is documented for completeness only. CI is the supported path.
+
+## `latest.json` template
+
+```json
+{
+  "version": "0.8.0",
+  "notes": "https://github.com/quiet-node/thuki/releases/tag/v0.8.0",
+  "pub_date": "2026-05-08T12:00:00Z",
+  "platforms": {
+    "darwin-aarch64": {
+      "signature": "<contents of Thuki_0.8.0_aarch64.app.tar.gz.sig>",
+      "url": "https://github.com/quiet-node/thuki/releases/download/v0.8.0/Thuki_0.8.0_aarch64.app.tar.gz"
+    }
+  }
+}
+```
+
+The `signature` field is the entire content of the matching `.sig` file as a single string. Do not strip whitespace.
+
+## Verify a release
+
+After a release publishes, fetch the manifest:
+
+```bash
+curl -sL https://github.com/quiet-node/thuki/releases/latest/download/latest.json | jq .
+```
+
+Check that `version` matches the new tag, `url` resolves, and `signature` matches the contents of the `.sig` file in the release assets.
+
+For an end-to-end smoke test, install the previous version on a clean macOS account, leave it open for 24 hours (or trigger Settings → Check now), and confirm the in-app banner picks up the new version and installs cleanly.
+
+## Rollback
+
+The updater never moves backwards on its own. If a release is bad, publish a higher version that reverts the change.
+
+If a release ships with an invalid signature, existing installs reject the payload and surface an "update verification failed" message. They keep running on their current version. Re-cut the release with a valid signature, increment the patch version, and re-publish.
+
+## Apple Developer Program note
+
+Thuki does not require Apple Developer Program membership. The app is ad-hoc signed at build time. Auto-updates work because the Tauri updater downloads the payload via the application process, so no quarantine attribute is set on the swapped binary and Gatekeeper does not re-prompt at relaunch. First-install Gatekeeper friction (right-click, Open) still applies for users downloading the `.app` directly from a release page.
@@ -15,6 +15,7 @@
     "generate:commands": "bun scripts/generate-commands.ts",
     "build:frontend": "tsc && vite build",
     "build:backend": "tauri build --bundles app",
+    "build:release": "tauri build --bundles app -c \"{\\\"bundle\\\":{\\\"createUpdaterArtifacts\\\":true}}\"",
     "build:all": "bun run build:frontend && bun run build:backend",
     "preview": "vite preview",
     "tauri": "tauri",