@mirinjs/cli 0.0.1-alpha.11 → 0.0.1-alpha.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mirinjs/cli",
-  "version": "0.0.1-alpha.11",
+  "version": "0.0.1-alpha.13",
   "description": "CLI for mirin apps: dev, build, init.",
   "type": "module",
   "license": "MIT",
@@ -27,10 +27,11 @@
     "bun": ">=1.2.0"
   },
   "dependencies": {
-    "create-mirinjs": "0.0.1-alpha.11"
+    "create-mirinjs": "0.0.1-alpha.13",
+    "mirinjs": "0.0.1-alpha.13"
   },
   "optionalDependencies": {
-    "@mirinjs/darwin-arm64": "0.0.1-alpha.11"
+    "@mirinjs/darwin-arm64": "0.0.1-alpha.13"
   },
   "publishConfig": {
     "access": "public"

package/src/build.ts

@@ -33,6 +33,8 @@ export interface BuildResult {
   channel: string;
   /** Update baseUrl, if `release` is configured. */
   baseUrl?: string;
+  /** libmirin_core path (for the updater codec at release time). */
+  coreDylib: string;
 }
 
 /** Read the project's package.json version (the single source of app version). */
@@ -106,5 +108,5 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
 
   console.log(`\n[mirin build] done → ${app}`);
   console.log(`  open "${app}"`);
-  return { app, appName, bundleId, version, channel, baseUrl };
+  return { app, appName, bundleId, version, channel, baseUrl, coreDylib: artifacts.coreDylib };
 }

package/src/bundle.ts

@@ -12,7 +12,7 @@
  */
 
 import { $ } from "bun";
-import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync } from "node:fs";
+import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync } from "node:fs";
 import { join } from "node:path";
 
 const FRAMEWORK = "Chromium Embedded Framework.framework";
@@ -208,14 +208,66 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
     );
   }
 
-  // Sign inside-out: framework, helpers, then the outer app. Ad-hoc ("-") by
-  // default; pass a Developer ID to produce a distributable, notarizable app.
+  // Sign inside-out. Ad-hoc ("-") by default for local builds; pass a Developer
+  // ID to produce a distributable, notarizable app. Notarization requires the
+  // hardened runtime (--options runtime), a secure timestamp (--timestamp), and
+  // entitlements that let CEF + Bun JIT and load unsigned executable memory —
+  // without all three the Apple notary service returns "Invalid".
   const identity = opts.signIdentity ?? "-";
-  await $`codesign --force --sign ${identity} ${join(frameworks, FRAMEWORK)}`.quiet();
-  for (const { suffix } of HELPER_TYPES) {
-    await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
+  const notarizable = identity !== "-";
+  const cef = join(frameworks, FRAMEWORK);
+
+  if (notarizable) {
+    // Mirrors the entitlement set Electrobun ships for Bun + CEF under hardened
+    // runtime (electrobun-reference/package/src/cli/index.ts).
+    const entitlements = join(opts.outDir, "_entitlements.plist");
+    writeFileSync(
+      entitlements,
+      `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.security.cs.allow-jit</key><true/>
+  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+  <key>com.apple.security.cs.disable-library-validation</key><true/>
+</dict>
+</plist>
+`,
+    );
+    const sign = (path: string, ents = false) =>
+      ents
+        ? $`codesign --force --timestamp --options runtime --entitlements ${entitlements} --sign ${identity} ${path}`.quiet()
+        : $`codesign --force --timestamp --options runtime --sign ${identity} ${path}`.quiet();
+
+    // 1. CEF's nested libraries, then 2. the framework bundle itself.
+    const cefLibs = join(cef, "Libraries");
+    if (existsSync(cefLibs)) {
+      for (const lib of readdirSync(cefLibs)) {
+        if (lib.endsWith(".dylib")) await sign(join(cefLibs, lib));
+      }
+    }
+    await sign(cef);
+    // 3. our FFI core dylib.
+    await sign(join(macos, "libmirin_core.dylib"));
+    // 4. each helper: the inner executable, then the .app wrapper (entitlements
+    //    on both — the renderer/GPU helpers are what actually JIT).
+    for (const { suffix } of HELPER_TYPES) {
+      const name = `${appName} Helper${suffix}`;
+      const helperApp = join(frameworks, `${name}.app`);
+      await sign(join(helperApp, "Contents", "MacOS", name), true);
+      await sign(helperApp, true);
+    }
+    // 5. finally the outer app.
+    await sign(app, true);
+    rmSync(entitlements, { force: true });
+  } else {
+    // Ad-hoc: enough to launch locally; not distributable or notarizable.
+    await $`codesign --force --sign ${identity} ${cef}`.quiet();
+    for (const { suffix } of HELPER_TYPES) {
+      await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
+    }
+    await $`codesign --force --sign ${identity} ${app}`.quiet();
   }
-  await $`codesign --force --sign ${identity} ${app}`.quiet();
 
   return { app, exe: join(macos, appName) };
 }

package/src/release.ts

@@ -2,46 +2,49 @@
  * `mirin release` — build the app and emit flat-named update artifacts.
  *
  * Produces, under `build/release/`:
- *   {channel}-{platform}-{arch}-update.json   the manifest the app polls
- *   {channel}-{platform}-{arch}-{Name}.app.tar.gz   the full bundle
+ *   {channel}-{platform}-{arch}-update.json          the manifest the app polls
+ *   {channel}-{platform}-{arch}-{Name}.app.tar.zst   the full bundle (fallback)
+ *   {channel}-{platform}-{arch}-{prevVersion}.patch  delta from the previous release
  *
- * These names are flat (no folders) so they upload as-is to GitHub Releases,
- * S3/R2, or any static host — whatever `release.baseUrl` points at. Channels
- * coexist at the same baseUrl because the channel is part of every filename.
+ * The bundle is a zstd-compressed tar of the whole signed `.app`. Identity is the
+ * SHA-256 of the *uncompressed* tar (`tarHash`), so a delta patch can reconstruct
+ * it exactly. When the previous release is reachable at `baseUrl`, a bsdiff patch
+ * (prev → this) is generated; the app applies it instead of re-downloading the
+ * whole bundle, falling back to the full bundle whenever a patch isn't usable.
  *
- * The app's `app.updater` polls `{baseUrl}/{prefix}-update.json`, compares the
- * advertised version to its own, downloads `url`, verifies `sha256`, then swaps
- * the whole `.app` and relaunches. (A signed/notarized `.app` must be replaced
- * whole — never modified in place — so the artifact is the entire bundle.)
+ * Names are flat (no folders) so they upload as-is to GitHub Releases, S3/R2, or
+ * any static host. Channels coexist because the channel is part of every name.
  */
 
 import { $ } from "bun";
-import { mkdirSync, rmSync, readFileSync } from "node:fs";
+import { mkdirSync, rmSync, readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
+import { tmpdir } from "node:os";
 import { build } from "./build.ts";
+import { loadCodec } from "mirinjs/codec";
+
+const sha256File = (path: string) =>
+  new Bun.CryptoHasher("sha256").update(readFileSync(path)).digest("hex");
 
 export async function release(projectDir = process.cwd()): Promise<number> {
   const result = await build(projectDir);
   if (!result.baseUrl) {
-    console.error(
-      "[mirin release] no `release.baseUrl` in mirin.config.ts — nothing to publish.",
-    );
+    console.error("[mirin release] no `release.baseUrl` in mirin.config.ts — nothing to publish.");
     return 1;
   }
 
   const platform = "darwin";
   const arch = process.arch; // "arm64" | "x64"
   const prefix = `${result.channel}-${platform}-${arch}`;
-  // Sanitize the app name for a URL-safe artifact filename (spaces break hosts).
   const safeName = result.appName.replace(/[^A-Za-z0-9._-]/g, "");
+  const base = result.baseUrl.replace(/\/$/, "");
 
   const buildDir = join(projectDir, "build");
   const outDir = join(buildDir, "release");
   rmSync(outDir, { recursive: true, force: true });
   mkdirSync(outDir, { recursive: true });
 
-  // Notarize + staple before packing (so the shipped bundle passes Gatekeeper on
-  // end-user machines), when notary credentials are present in the environment.
+  // Optional notarize + staple (Developer ID) before packing, when configured.
   const apple = process.env.MIRIN_NOTARY_APPLE_ID;
   const pw = process.env.MIRIN_NOTARY_PASSWORD;
   const team = process.env.MIRIN_NOTARY_TEAM_ID;
@@ -49,37 +52,101 @@ export async function release(projectDir = process.cwd()): Promise<number> {
     console.log("[mirin release] notarizing (this can take a few minutes)…");
     const zip = join(buildDir, "_notarize.zip");
     await $`ditto -c -k --keepParent ${result.app} ${zip}`;
-    await $`xcrun notarytool submit ${zip} --apple-id ${apple} --password ${pw} --team-id ${team} --wait`;
-    await $`xcrun stapler staple ${result.app}`;
+    // `notarytool submit --wait` exits 0 even when the result is "Invalid", so
+    // parse the JSON status ourselves and surface the notary log on rejection —
+    // otherwise the only symptom is a confusing `stapler` failure downstream.
+    const out =
+      await $`xcrun notarytool submit ${zip} --apple-id ${apple} --password ${pw} --team-id ${team} --wait --output-format json`.text();
     rmSync(zip, { force: true });
+    let sub: { id?: string; status?: string } = {};
+    try {
+      sub = JSON.parse(out);
+    } catch {
+      console.error(out);
+    }
+    if (sub.status !== "Accepted") {
+      console.error(`[mirin release] notarization ${sub.status ?? "failed"} (id: ${sub.id ?? "?"})`);
+      if (sub.id) {
+        const log =
+          await $`xcrun notarytool log ${sub.id} --apple-id ${apple} --password ${pw} --team-id ${team}`
+            .text()
+            .catch(() => "");
+        if (log) console.error(log);
+      }
+      throw new Error(`notarization not accepted: ${sub.status ?? "unknown"}`);
+    }
+    await $`xcrun stapler staple ${result.app}`;
   }
 
-  const tarName = `${prefix}-${safeName}.app.tar.gz`;
-  const tarPath = join(outDir, tarName);
+  const codec = loadCodec(result.coreDylib);
 
-  console.log(`[mirin release] packing ${result.appName}.app → ${tarName}`);
-  // BSD tar preserves the CEF framework's symlinks + executable bits.
-  await $`tar -czf ${tarPath} -C ${buildDir} ${`${result.appName}.app`}`;
+  // Uncompressed tar — the identity + diff/patch basis (BSD tar keeps symlinks).
+  const newTar = join(outDir, "_new.tar");
+  await $`tar -cf ${newTar} -C ${buildDir} ${`${result.appName}.app`}`;
+  const tarHash = sha256File(newTar);
+
+  // Full bundle: zstd(newTar).
+  const bundleName = `${prefix}-${safeName}.app.tar.zst`;
+  const bundlePath = join(outDir, bundleName);
+  console.log(`[mirin release] compressing → ${bundleName}`);
+  codec.compress(newTar, bundlePath, 19);
+  const bundleSha = sha256File(bundlePath);
+  const bundleSize = readFileSync(bundlePath).byteLength;
+
+  // Delta patch vs the previous release (if reachable). Best-effort.
+  const patches: Array<{ fromVersion: string; url: string; sha256: string; size: number }> = [];
+  try {
+    const prevRes = await fetch(`${base}/${prefix}-update.json?t=${Date.now()}`, { redirect: "follow" });
+    if (prevRes.ok) {
+      const prev = (await prevRes.json()) as { version: string; bundle?: { url: string } };
+      if (prev.version && prev.version !== result.version && prev.bundle?.url) {
+        console.log(`[mirin release] generating delta ${prev.version} → ${result.version}…`);
+        const tmp = join(tmpdir(), `mirin-release-${Date.now()}`);
+        mkdirSync(tmp, { recursive: true });
+        const prevZst = join(tmp, "prev.tar.zst");
+        const dl = await fetch(`${base}/${prev.bundle.url}`, { redirect: "follow" });
+        if (!dl.ok || !dl.body) throw new Error(`prev bundle ${dl.status}`);
+        await Bun.write(prevZst, await dl.arrayBuffer());
+        const prevTar = join(tmp, "prev.tar");
+        codec.decompress(prevZst, prevTar);
+        const rawPatch = join(tmp, "patch.bin");
+        codec.diff(prevTar, newTar, rawPatch); // bsdiff
+        const patchName = `${prefix}-${prev.version}.patch`;
+        const patchPath = join(outDir, patchName);
+        codec.compress(rawPatch, patchPath, 19);
+        rmSync(tmp, { recursive: true, force: true });
+        patches.push({
+          fromVersion: prev.version,
+          url: patchName,
+          sha256: sha256File(patchPath),
+          size: readFileSync(patchPath).byteLength,
+        });
+      }
+    }
+  } catch (e) {
+    console.warn(`[mirin release] skipping delta patch: ${e instanceof Error ? e.message : e}`);
+  }
 
-  const bytes = readFileSync(tarPath);
-  const sha256 = new Bun.CryptoHasher("sha256").update(bytes).digest("hex");
+  rmSync(newTar, { force: true });
 
   const manifest = {
     version: result.version,
     channel: result.channel,
     platform,
     arch,
-    url: tarName,
-    sha256,
-    size: bytes.byteLength,
+    tarHash,
+    bundle: { url: bundleName, sha256: bundleSha, size: bundleSize },
+    patches,
   };
   const manifestName = `${prefix}-update.json`;
   await Bun.write(join(outDir, manifestName), `${JSON.stringify(manifest, null, 2)}\n`);
 
-  const mb = (bytes.byteLength / 1e6).toFixed(1);
+  const mb = (n: number) => (n / 1e6).toFixed(1);
   console.log(`\n[mirin release] done → build/release/`);
   console.log(`  ${manifestName}`);
-  console.log(`  ${tarName} (${mb} MB)`);
-  console.log(`\nUpload both to: ${result.baseUrl}`);
+  console.log(`  ${bundleName} (${mb(bundleSize)} MB)`);
+  for (const p of patches) console.log(`  ${p.url} (${mb(p.size)} MB delta from ${p.fromVersion})`);
+  console.log(`\nUpload all of build/release/ to: ${result.baseUrl}`);
+  if (existsSync(join(outDir, "_new.tar"))) rmSync(join(outDir, "_new.tar"), { force: true });
   return 0;
 }