feat: add desktop release packaging with auto-update (wesm#109)

## Summary

- Add GitHub Actions workflow for building signed macOS DMG and Windows
  NSIS desktop installers on tag push
- Add Tauri updater plugin for in-app desktop updates with native
dialogs
  and menu bar integration
- Add Go server update-check endpoint and frontend update notification
UI
  for CLI/browser users
- Add sidecar build script with version resolution, semver patching, and
  cross-compilation support
- Add setup guide for Apple signing, notarization, and Tauri signing
keys

## Desktop release CI (`.github/workflows/desktop-release.yml`)

Workflow triggered on `v*` tags with three jobs:

- **build-macos**: Imports Apple signing certificate into ephemeral
  keychain, writes App Store Connect API key, builds with full bundle
  targets (no `--bundles` flag) so the `.app` bundle exists for the
  updater `.tar.gz` to be derived from. Code signing and notarization
  included.
- **build-windows**: Sets up MinGW, builds with `--bundles nsis` (avoids
MSI version format restrictions). `createUpdaterArtifacts:
"v1Compatible"`
  generates `.nsis.zip` + `.sig` updater bundles.
- **release**: Downloads artifacts, generates `SHA256SUMS-desktop` and
`latest.json` updater manifest. Uploads `.dmg` and `.exe` installers to
the versioned release. Uploads updater bundles (`.app.tar.gz`,
`.nsis.zip`,
  sigs, `latest.json`) to a permanent `updater` prerelease, keeping the
  user-facing release page clean.

The workflow patches `tauri.conf.json` at build time via `sed` to inject
the updater pubkey and correct the endpoint URL for the current
repository
(fork-aware via `${GITHUB_REPOSITORY}`).

Build outputs are copied to a flat staging directory before
`upload-artifact` to avoid nested directory structures.

## Tauri configuration

- `bundle.createUpdaterArtifacts: "v1Compatible"` generates
`.app.tar.gz`
  (macOS) and `.nsis.zip` (Windows) updater bundles alongside installers
- `plugins.updater.pubkey` set to `"NOT_SET"` placeholder, patched by CI
- Updater endpoint points to `releases/download/updater/latest.json`
  (the permanent updater prerelease)
- `Entitlements.plist`: Hardened runtime entitlements for WebKit JIT

## Tauri desktop updater (`desktop/src-tauri/src/lib.rs`)

- Registers `tauri-plugin-updater` and `tauri-plugin-dialog`
- `option_env!("AGENTSVIEW_UPDATER_PUBKEY")` compile-time override
- Menu bar "Check for Updates..." item
- Auto-check 5s after startup (disabled via
  `AGENTSVIEW_DESKTOP_AUTOUPDATE=0`)
- Native confirmation dialogs for download and restart
- `AtomicBool` guard prevents concurrent update checks
- Redirect URL includes `?desktop=1` for frontend context detection

## Go server update endpoint

- `GET /api/v1/update/check` handler with 1-hour cache
- `WithUpdateChecker()` and `WithDataDir()` server options for testing
- Four deterministic tests (no network access needed)

## Frontend update notification

- `UpdateModal.svelte`: current vs latest version with CLI instructions
- `StatusBar.svelte`: clickable "update available" indicator
- Skips update check in desktop mode (`?desktop=1`)
- Tests for desktop and non-desktop paths

## Test plan

- [x] Push test tag to fork, verify CI produces signed+notarized DMG,
  NSIS installer, updater artifacts, `latest.json`, and
  `SHA256SUMS-desktop`
- [x] Versioned release contains only `.dmg`, `.exe`, and checksums
- [x] Updater prerelease contains `.app.tar.gz`, `.nsis.zip`, sigs,
  and `latest.json`
- [ ] `make test` -- Go tests pass
- [ ] `bash desktop/scripts/test-prepare-sidecar.sh` -- sidecar tests
- [ ] `cd frontend && npx vitest run` -- frontend tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: wesm

.github/workflows/desktop-release.yml

@@ -0,0 +1,299 @@
+name: Desktop Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-macos:
+    name: Desktop Build (macOS)
+    runs-on: macos-15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6.3.0
+        with:
+          go-version-file: go.mod
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
+        with:
+          node-version: "24"
+
+      - name: Install desktop dependencies
+        run: npm ci
+        working-directory: desktop
+
+      - name: Prepare sidecar
+        env:
+          AGENTSVIEW_VERSION: ${{ github.ref_name }}
+        run: npm run prepare-sidecar
+        working-directory: desktop
+
+      - name: Patch updater config for current repository
+        env:
+          AGENTSVIEW_UPDATER_PUBKEY: ${{ secrets.AGENTSVIEW_UPDATER_PUBKEY }}
+        run: |
+          sed -i.bak \
+            -e "s|wesm/agentsview|${GITHUB_REPOSITORY}|g" \
+            -e "s|NOT_SET|${AGENTSVIEW_UPDATER_PUBKEY}|g" \
+            desktop/src-tauri/tauri.conf.json
+          rm -f desktop/src-tauri/tauri.conf.json.bak
+
+      - name: Import signing certificate
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain"
+          KEYCHAIN_PASS="$(openssl rand -base64 32)"
+
+          security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 3600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_PATH"
+
+          CERT_PATH="$RUNNER_TEMP/certificate.p12"
+          echo "$APPLE_CERTIFICATE" | base64 -d > "$CERT_PATH"
+          security import "$CERT_PATH" \
+            -k "$KEYCHAIN_PATH" \
+            -P "$APPLE_CERTIFICATE_PASSWORD" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/security
+          rm -f "$CERT_PATH"
+
+          security set-key-partition-list \
+            -S apple-tool:,apple: \
+            -k "$KEYCHAIN_PASS" "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain
+
+      - name: Write API key
+        env:
+          APPLE_API_KEY_CONTENT: ${{ secrets.APPLE_API_KEY_CONTENT }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+        run: |
+          KEY_DIR="$RUNNER_TEMP/apple-keys"
+          mkdir -p "$KEY_DIR"
+          echo "$APPLE_API_KEY_CONTENT" | base64 -d \
+            > "$KEY_DIR/AuthKey_${APPLE_API_KEY}.p8"
+          echo "APPLE_API_KEY_PATH=$KEY_DIR/AuthKey_${APPLE_API_KEY}.p8" \
+            >> "$GITHUB_ENV"
+
+      - name: Build DMG and updater bundle
+        env:
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          AGENTSVIEW_UPDATER_PUBKEY: ${{ secrets.AGENTSVIEW_UPDATER_PUBKEY }}
+        run: npx tauri build
+        working-directory: desktop
+
+      - name: Collect build artifacts
+        run: |
+          mkdir -p staging
+          cp desktop/src-tauri/target/release/bundle/dmg/*.dmg staging/
+          cp desktop/src-tauri/target/release/bundle/macos/*.app.tar.gz staging/
+          cp desktop/src-tauri/target/release/bundle/macos/*.app.tar.gz.sig staging/
+          ls -la staging/
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        with:
+          name: agentsview-desktop-macos
+          path: staging/*
+          if-no-files-found: error
+
+      - name: Cleanup signing secrets
+        if: always()
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain"
+          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
+          rm -rf "$RUNNER_TEMP/apple-keys" 2>/dev/null || true
+
+  build-windows:
+    name: Desktop Build (Windows)
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6.3.0
+        with:
+          go-version-file: go.mod
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
+        with:
+          node-version: "24"
+
+      - name: Setup MinGW
+        uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda  # v2
+        with:
+          msystem: MINGW64
+          update: false
+          install: mingw-w64-x86_64-gcc
+          path-type: inherit
+
+      - name: Install desktop dependencies
+        run: npm ci
+        working-directory: desktop
+
+      - name: Prepare sidecar
+        shell: bash
+        env:
+          AGENTSVIEW_VERSION: ${{ github.ref_name }}
+        run: npm run prepare-sidecar
+        working-directory: desktop
+
+      - name: Patch updater config for current repository
+        shell: bash
+        env:
+          AGENTSVIEW_UPDATER_PUBKEY: ${{ secrets.AGENTSVIEW_UPDATER_PUBKEY }}
+        run: |
+          sed -i.bak \
+            -e "s|wesm/agentsview|${GITHUB_REPOSITORY}|g" \
+            -e "s|NOT_SET|${AGENTSVIEW_UPDATER_PUBKEY}|g" \
+            desktop/src-tauri/tauri.conf.json
+          rm -f desktop/src-tauri/tauri.conf.json.bak
+
+      - name: Build NSIS installer and updater bundle
+        shell: bash
+        env:
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          AGENTSVIEW_UPDATER_PUBKEY: ${{ secrets.AGENTSVIEW_UPDATER_PUBKEY }}
+        run: npx tauri build --bundles nsis
+        working-directory: desktop
+
+      - name: Collect build artifacts
+        shell: bash
+        run: |
+          mkdir -p staging
+          cp desktop/src-tauri/target/release/bundle/nsis/*.exe staging/
+          cp desktop/src-tauri/target/release/bundle/nsis/*.nsis.zip staging/
+          cp desktop/src-tauri/target/release/bundle/nsis/*.nsis.zip.sig staging/
+          ls -la staging/
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        with:
+          name: agentsview-desktop-windows
+          path: staging/*
+          if-no-files-found: error
+
+  release:
+    name: Upload Desktop Installers
+    needs: [build-macos, build-windows]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
+        with:
+          path: artifacts
+          pattern: agentsview-desktop-*
+          merge-multiple: true
+
+      - name: Generate checksums
+        run: |
+          cd artifacts
+          sha256sum *.dmg *.exe *.tar.gz *.nsis.zip > SHA256SUMS-desktop 2>/dev/null || true
+          cat SHA256SUMS-desktop
+
+      - name: Generate updater manifest
+        run: |
+          set -euo pipefail
+          VERSION="${GITHUB_REF_NAME#v}"
+          DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          TAG="updater"
+
+          MACOS_SIG=""
+          MACOS_URL=""
+          WINDOWS_SIG=""
+          WINDOWS_URL=""
+
+          for f in artifacts/*.app.tar.gz.sig; do
+            if [ -f "$f" ]; then
+              MACOS_SIG="$(cat "$f")"
+              MACOS_TARBALL="$(basename "${f%.sig}")"
+              MACOS_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAG}/${MACOS_TARBALL}"
+            fi
+          done
+
+          for f in artifacts/*.nsis.zip.sig; do
+            if [ -f "$f" ]; then
+              WINDOWS_SIG="$(cat "$f")"
+              NSIS_ZIP="$(basename "${f%.sig}")"
+              WINDOWS_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAG}/${NSIS_ZIP}"
+            fi
+          done
+
+          if [ -z "$MACOS_SIG" ] || [ -z "$MACOS_URL" ]; then
+            echo "error: missing macOS updater signature or URL" >&2
+            exit 1
+          fi
+          if [ -z "$WINDOWS_SIG" ] || [ -z "$WINDOWS_URL" ]; then
+            echo "error: missing Windows updater signature or URL" >&2
+            exit 1
+          fi
+
+          cat > artifacts/latest.json << MANIFEST
+          {
+            "version": "${VERSION}",
+            "pub_date": "${DATE}",
+            "platforms": {
+              "darwin-aarch64": {
+                "url": "${MACOS_URL}",
+                "signature": "${MACOS_SIG}"
+              },
+              "windows-x86_64": {
+                "url": "${WINDOWS_URL}",
+                "signature": "${WINDOWS_SIG}"
+              }
+            }
+          }
+          MANIFEST
+
+          echo "Generated latest.json:"
+          cat artifacts/latest.json
+
+      - name: Upload installers to versioned release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
+        with:
+          files: |
+            artifacts/*.dmg
+            artifacts/*.exe
+            artifacts/SHA256SUMS-desktop
+
+      - name: Upload updater artifacts
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # Create or update the permanent 'updater' release
+          if ! gh release view updater --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
+            gh release create updater \
+              --repo "$GITHUB_REPOSITORY" \
+              --title "Auto-Updater Artifacts" \
+              --notes "Internal release used by the desktop auto-updater. Do not delete." \
+              --prerelease
+          fi
+          # Overwrite existing assets
+          gh release upload updater \
+            --repo "$GITHUB_REPOSITORY" \
+            --clobber \
+            artifacts/*.app.tar.gz \
+            artifacts/*.app.tar.gz.sig \
+            artifacts/*.nsis.zip \
+            artifacts/*.nsis.zip.sig \
+            artifacts/latest.json

CLAUDE.md

@@ -97,6 +97,7 @@ make vet        # go vet
 - Tests should be fast and isolated
 - No emojis in code or output
 - **The database is a persistent archive** — never drop, truncate, or recreate the database to handle data version changes. Use non-destructive migrations (ALTER TABLE, UPDATE) and full resync (build fresh DB, copy orphaned data, swap) instead. Session data must survive even when the original source files are gone.
+- **Markdown formatting**: Use `mdformat --wrap 80` to format Markdown files. Requires the `mdformat-tables` plugin (`uv tool install mdformat --with mdformat-tables`).
 
 ## Git Workflow
 

Makefile

@@ -11,7 +11,7 @@ LDFLAGS := -X main.version=$(VERSION) \
 LDFLAGS_RELEASE := $(LDFLAGS) -s -w
 DESKTOP_DIST_DIR := dist/desktop
 
-.PHONY: build build-release install frontend frontend-dev dev desktop-dev desktop-build desktop-macos-app desktop-windows-installer desktop-app test test-short e2e vet lint tidy clean release release-darwin-arm64 release-darwin-amd64 release-linux-amd64 install-hooks ensure-embed-dir help
+.PHONY: build build-release install frontend frontend-dev dev desktop-dev desktop-build desktop-macos-app desktop-macos-dmg desktop-windows-installer desktop-app test test-short e2e vet lint tidy clean release release-darwin-arm64 release-darwin-amd64 release-linux-amd64 install-hooks ensure-embed-dir help
 
 # Ensure go:embed has at least one file (no-op if frontend is built)
 ensure-embed-dir:
@@ -76,6 +76,22 @@ desktop-macos-app:
 		$(DESKTOP_DIST_DIR)/macos/AgentsView.app
 	@echo "macOS app bundle copied to $(DESKTOP_DIST_DIR)/macos/AgentsView.app"
 
+# Build macOS DMG installer
+desktop-macos-dmg:
+	cd desktop && npm install && npm run tauri:build:macos-dmg
+	mkdir -p $(DESKTOP_DIST_DIR)/macos
+	rm -f $(DESKTOP_DIST_DIR)/macos/*.dmg
+	@dmg_count=$$(find desktop/src-tauri/target/release/bundle/dmg \
+		-maxdepth 1 -type f -name '*.dmg' | wc -l | tr -d ' '); \
+	if [ "$$dmg_count" -eq 0 ]; then \
+		echo "error: no DMG installer found in bundle output" >&2; \
+		exit 1; \
+	fi; \
+	find desktop/src-tauri/target/release/bundle/dmg \
+		-maxdepth 1 -type f -name '*.dmg' \
+		-exec cp {} $(DESKTOP_DIST_DIR)/macos/ \;; \
+	echo "Copied $$dmg_count DMG installer(s) to $(DESKTOP_DIST_DIR)/macos/"
+
 # Build Windows NSIS installer bundle (.exe)
 # Run on Windows runner/host.
 desktop-windows-installer:
@@ -180,6 +196,7 @@ help:
 	@echo "  desktop-dev    - Run Tauri desktop wrapper in dev mode"
 	@echo "  desktop-build  - Build Tauri desktop app bundles"
 	@echo "  desktop-macos-app - Build macOS .app bundle only"
+	@echo "  desktop-macos-dmg - Build macOS DMG installer"
 	@echo "  desktop-windows-installer - Build Windows NSIS installer"
 	@echo "  desktop-app    - Alias for desktop-macos-app"
 	@echo ""

cmd/agentsview/main.go

@@ -198,6 +198,7 @@ func runServe(args []string) {
 			Commit:    commit,
 			BuildDate: buildDate,
 		}),
+		server.WithDataDir(cfg.DataDir),
 	)
 
 	url := fmt.Sprintf("http://%s:%d", cfg.Host, cfg.Port)

desktop/package.json

@@ -8,6 +8,7 @@
     "tauri:dev": "npm run prepare-sidecar && tauri dev",
     "tauri:build": "npm run prepare-sidecar && tauri build",
     "tauri:build:macos-app": "npm run prepare-sidecar && tauri build --bundles app",
+    "tauri:build:macos-dmg": "npm run prepare-sidecar && tauri build --bundles dmg",
     "tauri:build:windows": "npm run prepare-sidecar && tauri build --bundles nsis",
     "tauri": "tauri"
   },