@mirinjs/cli 0.0.1-alpha.12 → 0.0.1-alpha.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mirinjs/cli",
-  "version": "0.0.1-alpha.12",
+  "version": "0.0.1-alpha.14",
   "description": "CLI for mirin apps: dev, build, init.",
   "type": "module",
   "license": "MIT",
@@ -27,11 +27,11 @@
     "bun": ">=1.2.0"
   },
   "dependencies": {
-    "create-mirinjs": "0.0.1-alpha.12",
-    "mirinjs": "0.0.1-alpha.12"
+    "create-mirinjs": "0.0.1-alpha.14",
+    "mirinjs": "0.0.1-alpha.14"
   },
   "optionalDependencies": {
-    "@mirinjs/darwin-arm64": "0.0.1-alpha.12"
+    "@mirinjs/darwin-arm64": "0.0.1-alpha.14"
   },
   "publishConfig": {
     "access": "public"

package/src/build.ts

@@ -35,6 +35,12 @@ export interface BuildResult {
   baseUrl?: string;
   /** libmirin_core path (for the updater codec at release time). */
   coreDylib: string;
+  /** Project root (so `mirin release` can resolve relative asset paths). */
+  projectDir: string;
+  /** DMG config from mirin.config.ts (`true`/object/`false`); default `true`. */
+  dmg: boolean | import("mirinjs").DmgConfig;
+  /** Codesign identity used for the bundle, if any (MIRIN_SIGN_IDENTITY). */
+  signIdentity?: string;
 }
 
 /** Read the project's package.json version (the single source of app version). */
@@ -62,6 +68,7 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
   const version = appVersion(projectDir);
   const channel: string = config.release?.channel ?? "stable";
   const baseUrl: string | undefined = config.release?.baseUrl;
+  const dmg: boolean | import("mirinjs").DmgConfig = config.dmg ?? true;
 
   console.log(`[mirin build] ${appName} ${version}`);
 
@@ -74,6 +81,7 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
 
   // 3 + 4. host + worker (minified)
   console.log("[mirin build] compiling host + bundling main process…");
+  const signIdentity = process.env.MIRIN_SIGN_IDENTITY;
   const hostExe = join(work, "host-release");
   const workerJs = join(work, "worker.release.js");
   await $`bun build --compile --minify ${artifacts.hostEntry} --outfile ${hostExe}`.cwd(projectDir);
@@ -97,7 +105,7 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
     cefPath: artifacts.cefPath,
     version,
     icon: config.icon ? join(projectDir, config.icon) : undefined,
-    signIdentity: process.env.MIRIN_SIGN_IDENTITY,
+    signIdentity,
     resources: {
       uiDir: join(projectDir, "dist"),
       workerJs,
@@ -108,5 +116,16 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
 
   console.log(`\n[mirin build] done → ${app}`);
   console.log(`  open "${app}"`);
-  return { app, appName, bundleId, version, channel, baseUrl, coreDylib: artifacts.coreDylib };
+  return {
+    app,
+    appName,
+    bundleId,
+    version,
+    channel,
+    baseUrl,
+    coreDylib: artifacts.coreDylib,
+    projectDir,
+    dmg,
+    signIdentity,
+  };
 }

package/src/bundle.ts

@@ -12,7 +12,7 @@
  */
 
 import { $ } from "bun";
-import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync } from "node:fs";
+import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync } from "node:fs";
 import { join } from "node:path";
 
 const FRAMEWORK = "Chromium Embedded Framework.framework";
@@ -208,14 +208,66 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
     );
   }
 
-  // Sign inside-out: framework, helpers, then the outer app. Ad-hoc ("-") by
-  // default; pass a Developer ID to produce a distributable, notarizable app.
+  // Sign inside-out. Ad-hoc ("-") by default for local builds; pass a Developer
+  // ID to produce a distributable, notarizable app. Notarization requires the
+  // hardened runtime (--options runtime), a secure timestamp (--timestamp), and
+  // entitlements that let CEF + Bun JIT and load unsigned executable memory —
+  // without all three the Apple notary service returns "Invalid".
   const identity = opts.signIdentity ?? "-";
-  await $`codesign --force --sign ${identity} ${join(frameworks, FRAMEWORK)}`.quiet();
-  for (const { suffix } of HELPER_TYPES) {
-    await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
+  const notarizable = identity !== "-";
+  const cef = join(frameworks, FRAMEWORK);
+
+  if (notarizable) {
+    // Mirrors the entitlement set Electrobun ships for Bun + CEF under hardened
+    // runtime (electrobun-reference/package/src/cli/index.ts).
+    const entitlements = join(opts.outDir, "_entitlements.plist");
+    writeFileSync(
+      entitlements,
+      `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.security.cs.allow-jit</key><true/>
+  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+  <key>com.apple.security.cs.disable-library-validation</key><true/>
+</dict>
+</plist>
+`,
+    );
+    const sign = (path: string, ents = false) =>
+      ents
+        ? $`codesign --force --timestamp --options runtime --entitlements ${entitlements} --sign ${identity} ${path}`.quiet()
+        : $`codesign --force --timestamp --options runtime --sign ${identity} ${path}`.quiet();
+
+    // 1. CEF's nested libraries, then 2. the framework bundle itself.
+    const cefLibs = join(cef, "Libraries");
+    if (existsSync(cefLibs)) {
+      for (const lib of readdirSync(cefLibs)) {
+        if (lib.endsWith(".dylib")) await sign(join(cefLibs, lib));
+      }
+    }
+    await sign(cef);
+    // 3. our FFI core dylib.
+    await sign(join(macos, "libmirin_core.dylib"));
+    // 4. each helper: the inner executable, then the .app wrapper (entitlements
+    //    on both — the renderer/GPU helpers are what actually JIT).
+    for (const { suffix } of HELPER_TYPES) {
+      const name = `${appName} Helper${suffix}`;
+      const helperApp = join(frameworks, `${name}.app`);
+      await sign(join(helperApp, "Contents", "MacOS", name), true);
+      await sign(helperApp, true);
+    }
+    // 5. finally the outer app.
+    await sign(app, true);
+    rmSync(entitlements, { force: true });
+  } else {
+    // Ad-hoc: enough to launch locally; not distributable or notarizable.
+    await $`codesign --force --sign ${identity} ${cef}`.quiet();
+    for (const { suffix } of HELPER_TYPES) {
+      await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
+    }
+    await $`codesign --force --sign ${identity} ${app}`.quiet();
   }
-  await $`codesign --force --sign ${identity} ${app}`.quiet();
 
   return { app, exe: join(macos, appName) };
 }

package/src/dmg.ts

@@ -0,0 +1,236 @@
+/**
+ * macOS `.dmg` installer for `mirin release`.
+ *
+ * Two paths:
+ *  - **plain** (default): stage the `.app` + an `/Applications` symlink, then
+ *    `hdiutil create … -format ULFO`. Rock-solid in CI — this is what ships when
+ *    `dmg: true`. ULFO (lzfse) handles large CEF frameworks best on modern macOS.
+ *  - **laid-out**: when a `background` or any window/icon position is configured,
+ *    build a read-write image, style the Finder window via AppleScript, then
+ *    convert to the compressed read-only format. Best-effort — falls back to the
+ *    plain DMG if Finder automation isn't available (e.g. a headless runner).
+ *
+ * The DMG is codesigned (a DMG carries no entitlements / hardened runtime — it's
+ * not executable code) and, when notary credentials are present, notarized +
+ * stapled so a fresh download opens without a Gatekeeper prompt.
+ */
+
+import { $ } from "bun";
+import { cpSync, mkdirSync, rmSync, symlinkSync, existsSync } from "node:fs";
+import { join, basename, isAbsolute } from "node:path";
+import { tmpdir } from "node:os";
+
+export interface DmgOptions {
+  volumeName?: string;
+  format?: "ULFO" | "UDZO" | "UDBZ";
+  background?: string;
+  windowSize?: { width: number; height: number };
+  iconSize?: number;
+  appPosition?: { x: number; y: number };
+  applicationsPosition?: { x: number; y: number };
+}
+
+export interface BuildDmgInput {
+  /** Path to the (signed) `.app`. */
+  app: string;
+  appName: string;
+  /** Output directory for the `.dmg`. */
+  outDir: string;
+  /** Output file name (e.g. `stable-darwin-arm64-Anko.dmg`). */
+  fileName: string;
+  /** Resolved DMG options. */
+  options: DmgOptions;
+  /** Project root, for resolving a relative `background` path. */
+  projectDir: string;
+  /** Codesign identity ("-"/undefined → ad-hoc, no notarization). */
+  signIdentity?: string;
+}
+
+/** hdiutil volume names choke on some punctuation; keep it tame but readable. */
+function volumeName(name: string): string {
+  return name.replace(/[/:\\]/g, " ").trim() || "App";
+}
+
+/**
+ * Notarize + staple a `.app` or `.dmg` using MIRIN_NOTARY_* env credentials.
+ * No-op (returns false) when credentials are absent. Throws on rejection,
+ * printing the notary log so the failure is diagnosable.
+ */
+export async function notarizeAndStaple(target: string): Promise<boolean> {
+  const apple = process.env.MIRIN_NOTARY_APPLE_ID;
+  const pw = process.env.MIRIN_NOTARY_PASSWORD;
+  const team = process.env.MIRIN_NOTARY_TEAM_ID;
+  if (!apple || !pw || !team) return false;
+
+  const isApp = target.endsWith(".app");
+  // notarytool wants a zip for a bundle; a .dmg is submitted as-is.
+  const submitPath = isApp ? `${target}.notarize.zip` : target;
+  if (isApp) await $`ditto -c -k --keepParent ${target} ${submitPath}`;
+
+  console.log(`[mirin release] notarizing ${basename(target)} (this can take a few minutes)…`);
+  const out =
+    await $`xcrun notarytool submit ${submitPath} --apple-id ${apple} --password ${pw} --team-id ${team} --wait --output-format json`.text();
+  if (isApp) rmSync(submitPath, { force: true });
+
+  let sub: { id?: string; status?: string } = {};
+  try {
+    sub = JSON.parse(out);
+  } catch {
+    console.error(out);
+  }
+  if (sub.status !== "Accepted") {
+    console.error(`[mirin release] notarization ${sub.status ?? "failed"} (id: ${sub.id ?? "?"})`);
+    if (sub.id) {
+      const log =
+        await $`xcrun notarytool log ${sub.id} --apple-id ${apple} --password ${pw} --team-id ${team}`
+          .text()
+          .catch(() => "");
+      if (log) console.error(log);
+    }
+    throw new Error(`notarization not accepted: ${sub.status ?? "unknown"}`);
+  }
+  await $`xcrun stapler staple ${target}`;
+  return true;
+}
+
+/** Does this config ask for a styled Finder window (vs. a plain DMG)? */
+function wantsLayout(o: DmgOptions): boolean {
+  return !!(o.background || o.appPosition || o.applicationsPosition || o.windowSize || o.iconSize);
+}
+
+/**
+ * Build (and codesign) the `.dmg`, returning its path. Notarization is the
+ * caller's responsibility (so it can be sequenced with the other artifacts).
+ */
+export async function buildDmg(input: BuildDmgInput): Promise<string> {
+  const { app, appName, outDir, fileName, options, projectDir, signIdentity } = input;
+  const vol = volumeName(options.volumeName ?? appName);
+  const format = options.format ?? "ULFO";
+  const dmgPath = join(outDir, fileName);
+  rmSync(dmgPath, { force: true });
+
+  const staging = join(tmpdir(), `mirin-dmg-${process.pid}`);
+  rmSync(staging, { recursive: true, force: true });
+  mkdirSync(staging, { recursive: true });
+  try {
+    // BSD cp -R preserves the bundle's symlinks/signatures.
+    await $`cp -R ${app} ${join(staging, basename(app))}`;
+    symlinkSync("/Applications", join(staging, "Applications"));
+
+    let built = false;
+    if (wantsLayout(options)) {
+      try {
+        await buildLaidOutDmg({ staging, vol, format, dmgPath, options, projectDir, appFile: basename(app) });
+        built = true;
+      } catch (e) {
+        console.warn(
+          `[mirin release] DMG layout failed (${e instanceof Error ? e.message : e}); ` +
+            `falling back to a plain DMG.`,
+        );
+        rmSync(dmgPath, { force: true });
+      }
+    }
+    if (!built) {
+      await $`hdiutil create -volname ${vol} -srcfolder ${staging} -ov -format ${format} ${dmgPath}`.quiet();
+    }
+  } finally {
+    rmSync(staging, { recursive: true, force: true });
+  }
+
+  // Sign the image itself (Gatekeeper checks the DMG's signature too).
+  if (signIdentity && signIdentity !== "-") {
+    await $`codesign --force --timestamp --sign ${signIdentity} ${dmgPath}`.quiet();
+  } else if (signIdentity === "-") {
+    await $`codesign --force --sign - ${dmgPath}`.quiet();
+  }
+  return dmgPath;
+}
+
+/**
+ * Read-write image → style the Finder window via AppleScript → convert to the
+ * compressed read-only `format`. Throws if any step fails (caller falls back).
+ */
+async function buildLaidOutDmg(args: {
+  staging: string;
+  vol: string;
+  format: string;
+  dmgPath: string;
+  options: DmgOptions;
+  projectDir: string;
+  appFile: string;
+}): Promise<void> {
+  const { staging, vol, format, dmgPath, options, projectDir, appFile } = args;
+  const win = options.windowSize ?? { width: 640, height: 400 };
+  const iconSize = options.iconSize ?? 128;
+  const appPos = options.appPosition ?? { x: Math.round(win.width * 0.25), y: Math.round(win.height * 0.5) };
+  const appsPos =
+    options.applicationsPosition ?? { x: Math.round(win.width * 0.75), y: Math.round(win.height * 0.5) };
+
+  // Stage a background image (if any) under a hidden folder Finder can reference.
+  let bgFile: string | undefined;
+  if (options.background) {
+    const src = isAbsolute(options.background)
+      ? options.background
+      : join(projectDir, options.background);
+    if (!existsSync(src)) throw new Error(`background not found: ${src}`);
+    const bgDir = join(staging, ".background");
+    mkdirSync(bgDir, { recursive: true });
+    const ext = src.slice(src.lastIndexOf("."));
+    bgFile = `bg${ext}`;
+    cpSync(src, join(bgDir, bgFile));
+  }
+
+  const rw = `${dmgPath}.rw.dmg`;
+  rmSync(rw, { force: true });
+  // Read-write image sized to the staged contents, with slack for HFS overhead.
+  await $`hdiutil create -volname ${vol} -srcfolder ${staging} -fs HFS+ -format UDRW -ov ${rw}`.quiet();
+
+  // Attach without auto-opening a Finder window; parse the real mountpoint.
+  const attach =
+    await $`hdiutil attach ${rw} -readwrite -noverify -noautoopen`.text();
+  const mount = attach
+    .split("\n")
+    .map((l) => l.trim())
+    .find((l) => l.includes("/Volumes/"))
+    ?.split("\t")
+    .pop()
+    ?.trim();
+  if (!mount || !existsSync(mount)) {
+    await $`hdiutil detach ${rw}`.quiet().catch(() => {});
+    throw new Error("could not resolve DMG mountpoint");
+  }
+
+  try {
+    const bgClause = bgFile
+      ? `set background picture of viewOptions to file ".background:${bgFile}"`
+      : "";
+    const script = `
+      tell application "Finder"
+        tell disk "${vol}"
+          open
+          set current view of container window to icon view
+          set toolbar visible of container window to false
+          set statusbar visible of container window to false
+          set the bounds of container window to {200, 120, ${200 + win.width}, ${120 + win.height}}
+          set viewOptions to the icon view options of container window
+          set arrangement of viewOptions to not arranged
+          set icon size of viewOptions to ${iconSize}
+          ${bgClause}
+          set position of item "${appFile}" of container window to {${appPos.x}, ${appPos.y}}
+          set position of item "Applications" of container window to {${appsPos.x}, ${appsPos.y}}
+          update without registering applications
+          delay 1
+          close
+        end tell
+      end tell`;
+    await $`osascript -e ${script}`.quiet();
+    await $`sync`.quiet().catch(() => {});
+  } finally {
+    await $`hdiutil detach ${mount}`.quiet().catch(async () => {
+      await $`hdiutil detach ${rw} -force`.quiet().catch(() => {});
+    });
+  }
+
+  await $`hdiutil convert ${rw} -format ${format} -ov -o ${dmgPath}`.quiet();
+  rmSync(rw, { force: true });
+}

package/src/release.ts

@@ -21,6 +21,7 @@ import { mkdirSync, rmSync, readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 import { build } from "./build.ts";
+import { buildDmg, notarizeAndStaple, type DmgOptions } from "./dmg.ts";
 import { loadCodec } from "mirinjs/codec";
 
 const sha256File = (path: string) =>
@@ -44,18 +45,10 @@ export async function release(projectDir = process.cwd()): Promise<number> {
   rmSync(outDir, { recursive: true, force: true });
   mkdirSync(outDir, { recursive: true });
 
-  // Optional notarize + staple (Developer ID) before packing, when configured.
-  const apple = process.env.MIRIN_NOTARY_APPLE_ID;
-  const pw = process.env.MIRIN_NOTARY_PASSWORD;
-  const team = process.env.MIRIN_NOTARY_TEAM_ID;
-  if (apple && pw && team) {
-    console.log("[mirin release] notarizing (this can take a few minutes)…");
-    const zip = join(buildDir, "_notarize.zip");
-    await $`ditto -c -k --keepParent ${result.app} ${zip}`;
-    await $`xcrun notarytool submit ${zip} --apple-id ${apple} --password ${pw} --team-id ${team} --wait`;
-    await $`xcrun stapler staple ${result.app}`;
-    rmSync(zip, { force: true });
-  }
+  // Notarize + staple the .app (Developer ID) before packing, when credentials
+  // are present. The .tar.zst / patch updater bundles are made from this signed,
+  // stapled .app, so the updater swaps in an already-notarized app.
+  await notarizeAndStaple(result.app);
 
   const codec = loadCodec(result.coreDylib);
 
@@ -120,11 +113,33 @@ export async function release(projectDir = process.cwd()): Promise<number> {
   const manifestName = `${prefix}-update.json`;
   await Bun.write(join(outDir, manifestName), `${JSON.stringify(manifest, null, 2)}\n`);
 
+  // Distributable installer: a drag-to-Applications .dmg of the same signed,
+  // stapled .app — for first-time installs (the updater uses the .tar.zst/patch).
+  let dmgName: string | undefined;
+  let dmgSize = 0;
+  if (result.dmg !== false) {
+    dmgName = `${prefix}-${safeName}.dmg`;
+    console.log(`[mirin release] building installer → ${dmgName}`);
+    const options: DmgOptions = typeof result.dmg === "object" ? result.dmg : {};
+    const dmgPath = await buildDmg({
+      app: result.app,
+      appName: result.appName,
+      outDir,
+      fileName: dmgName,
+      options,
+      projectDir: result.projectDir,
+      signIdentity: result.signIdentity,
+    });
+    await notarizeAndStaple(dmgPath); // no-op without notary credentials
+    dmgSize = readFileSync(dmgPath).byteLength;
+  }
+
   const mb = (n: number) => (n / 1e6).toFixed(1);
   console.log(`\n[mirin release] done → build/release/`);
   console.log(`  ${manifestName}`);
   console.log(`  ${bundleName} (${mb(bundleSize)} MB)`);
   for (const p of patches) console.log(`  ${p.url} (${mb(p.size)} MB delta from ${p.fromVersion})`);
+  if (dmgName) console.log(`  ${dmgName} (${mb(dmgSize)} MB installer)`);
   console.log(`\nUpload all of build/release/ to: ${result.baseUrl}`);
   if (existsSync(join(outDir, "_new.tar"))) rmSync(join(outDir, "_new.tar"), { force: true });
   return 0;