@mirinjs/cli 0.0.1-alpha.13 → 0.0.1-alpha.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mirinjs/cli",
-  "version": "0.0.1-alpha.13",
+  "version": "0.0.1-alpha.15",
   "description": "CLI for mirin apps: dev, build, init.",
   "type": "module",
   "license": "MIT",
@@ -27,11 +27,11 @@
     "bun": ">=1.2.0"
   },
   "dependencies": {
-    "create-mirinjs": "0.0.1-alpha.13",
-    "mirinjs": "0.0.1-alpha.13"
+    "create-mirinjs": "0.0.1-alpha.15",
+    "mirinjs": "0.0.1-alpha.15"
   },
   "optionalDependencies": {
-    "@mirinjs/darwin-arm64": "0.0.1-alpha.13"
+    "@mirinjs/darwin-arm64": "0.0.1-alpha.15"
   },
   "publishConfig": {
     "access": "public"

package/src/build.ts

@@ -21,6 +21,7 @@ import { join } from "node:path";
 import { buildAppBundle } from "./bundle.ts";
 import { resolveArtifacts } from "./artifacts.ts";
 import { sweepBuildTemps } from "./temps.ts";
+import { normalizeSidecars, compileWorkers } from "./extras.ts";
 
 export interface BuildResult {
   /** Path to the assembled .app. */
@@ -35,6 +36,12 @@ export interface BuildResult {
   baseUrl?: string;
   /** libmirin_core path (for the updater codec at release time). */
   coreDylib: string;
+  /** Project root (so `mirin release` can resolve relative asset paths). */
+  projectDir: string;
+  /** DMG config from mirin.config.ts (`true`/object/`false`); default `true`. */
+  dmg: boolean | import("mirinjs").DmgConfig;
+  /** Codesign identity used for the bundle, if any (MIRIN_SIGN_IDENTITY). */
+  signIdentity?: string;
 }
 
 /** Read the project's package.json version (the single source of app version). */
@@ -62,6 +69,7 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
   const version = appVersion(projectDir);
   const channel: string = config.release?.channel ?? "stable";
   const baseUrl: string | undefined = config.release?.baseUrl;
+  const dmg: boolean | import("mirinjs").DmgConfig = config.dmg ?? true;
 
   console.log(`[mirin build] ${appName} ${version}`);
 
@@ -74,11 +82,16 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
 
   // 3 + 4. host + worker (minified)
   console.log("[mirin build] compiling host + bundling main process…");
+  const signIdentity = process.env.MIRIN_SIGN_IDENTITY;
   const hostExe = join(work, "host-release");
   const workerJs = join(work, "worker.release.js");
   await $`bun build --compile --minify ${artifacts.hostEntry} --outfile ${hostExe}`.cwd(projectDir);
   await $`bun build ${mainEntry} --target=bun --minify --outfile ${workerJs}`.cwd(projectDir);
 
+  // Extra assets: resolve sidecar binaries + compile any extra worker entries.
+  const sidecars = normalizeSidecars(projectDir, config.sidecars);
+  const extraWorkers = await compileWorkers(projectDir, config.workers, join(work, "workers"), true);
+
   // 5. assemble + sign
   console.log("[mirin build] assembling .app…");
   rmSync(join(outDir, `${appName}.app`), { recursive: true, force: true });
@@ -97,16 +110,29 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
     cefPath: artifacts.cefPath,
     version,
     icon: config.icon ? join(projectDir, config.icon) : undefined,
-    signIdentity: process.env.MIRIN_SIGN_IDENTITY,
+    signIdentity,
     resources: {
       uiDir: join(projectDir, "dist"),
       workerJs,
       manifestJson: JSON.stringify({ windows: config.windows }),
       versionJson,
+      sidecars,
+      workers: extraWorkers,
     },
   });
 
   console.log(`\n[mirin build] done → ${app}`);
   console.log(`  open "${app}"`);
-  return { app, appName, bundleId, version, channel, baseUrl, coreDylib: artifacts.coreDylib };
+  return {
+    app,
+    appName,
+    bundleId,
+    version,
+    channel,
+    baseUrl,
+    coreDylib: artifacts.coreDylib,
+    projectDir,
+    dmg,
+    signIdentity,
+  };
 }

package/src/bundle.ts

@@ -12,7 +12,7 @@
  */
 
 import { $ } from "bun";
-import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync } from "node:fs";
+import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync, chmodSync } from "node:fs";
 import { join } from "node:path";
 
 const FRAMEWORK = "Chromium Embedded Framework.framework";
@@ -45,9 +45,43 @@ export interface BundleOptions {
     workerJs?: string; // bundled main-process Worker entry -> Resources/worker.js
     manifestJson?: string; // serialized manifest -> Resources/mirin.manifest.json
     versionJson?: string; // serialized version.json -> Resources/version.json (updater)
+    /** Bundled sidecar binaries -> Resources/sidecars/<name> (copied + signed). */
+    sidecars?: SidecarBundle[];
+    /** Compiled extra-worker JS (name -> abs path) -> Resources/workers/<name>.js. */
+    workers?: Record<string, string>;
   };
 }
 
+/** A sidecar binary to bundle: logical name, source path, hardened-runtime entitlements. */
+export interface SidecarBundle {
+  name: string;
+  src: string;
+  entitlements: string[];
+}
+
+/** Short entitlement name -> the full `com.apple.security.cs.*` key. */
+const SIDECAR_ENTITLEMENT_KEYS: Record<string, string> = {
+  "allow-jit": "com.apple.security.cs.allow-jit",
+  "allow-unsigned-executable-memory": "com.apple.security.cs.allow-unsigned-executable-memory",
+  "disable-library-validation": "com.apple.security.cs.disable-library-validation",
+};
+
+function entitlementsPlist(names: string[]): string {
+  const keys = names
+    .map((n) => SIDECAR_ENTITLEMENT_KEYS[n])
+    .filter(Boolean)
+    .map((k) => `  <key>${k}</key><true/>`)
+    .join("\n");
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+${keys}
+</dict>
+</plist>
+`;
+}
+
 /** The 10 standard iconset renditions (point size + @1x/@2x pixel size). */
 const ICONSET_RENDITIONS = [
   { name: "icon_16x16.png", px: 16 },
@@ -182,6 +216,28 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
   if (opts.resources?.versionJson != null) {
     writeFileSync(join(resources, "version.json"), opts.resources.versionJson);
   }
+  // Extra Bun Worker bundles -> Resources/workers/<name>.js (resolveWorker()).
+  if (opts.resources?.workers && Object.keys(opts.resources.workers).length) {
+    const workersDir = join(resources, "workers");
+    mkdirSync(workersDir, { recursive: true });
+    for (const [name, src] of Object.entries(opts.resources.workers)) {
+      cpSync(src, join(workersDir, `${name}.js`));
+    }
+  }
+  // Sidecar binaries -> Resources/sidecars/<name> (chmod +x; signed below). Paths
+  // collected here so the codesign loop can sign them inside-out with the app.
+  const sidecarDests: SidecarBundle[] = [];
+  if (opts.resources?.sidecars?.length) {
+    const sidecarsDir = join(resources, "sidecars");
+    mkdirSync(sidecarsDir, { recursive: true });
+    for (const sc of opts.resources.sidecars) {
+      if (!existsSync(sc.src)) throw new Error(`sidecar "${sc.name}" not found: ${sc.src}`);
+      const dest = join(sidecarsDir, sc.name);
+      cpSync(sc.src, dest);
+      chmodSync(dest, 0o755);
+      sidecarDests.push({ name: sc.name, src: dest, entitlements: sc.entitlements });
+    }
+  }
 
   for (const { suffix, id } of HELPER_TYPES) {
     const name = `${appName} Helper${suffix}`;
@@ -249,6 +305,18 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
     await sign(cef);
     // 3. our FFI core dylib.
     await sign(join(macos, "libmirin_core.dylib"));
+    // 3b. sidecars: hardened runtime + timestamp; per-binary entitlements only
+    //     when the spec asks (most CLIs need none — over-entitling is a smell).
+    for (const sc of sidecarDests) {
+      if (sc.entitlements.length) {
+        const ent = join(opts.outDir, `_sidecar_${sc.name}.plist`);
+        writeFileSync(ent, entitlementsPlist(sc.entitlements));
+        await $`codesign --force --timestamp --options runtime --entitlements ${ent} --sign ${identity} ${sc.src}`.quiet();
+        rmSync(ent, { force: true });
+      } else {
+        await sign(sc.src);
+      }
+    }
     // 4. each helper: the inner executable, then the .app wrapper (entitlements
     //    on both — the renderer/GPU helpers are what actually JIT).
     for (const { suffix } of HELPER_TYPES) {
@@ -263,6 +331,9 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
   } else {
     // Ad-hoc: enough to launch locally; not distributable or notarizable.
     await $`codesign --force --sign ${identity} ${cef}`.quiet();
+    for (const sc of sidecarDests) {
+      await $`codesign --force --sign ${identity} ${sc.src}`.quiet();
+    }
     for (const { suffix } of HELPER_TYPES) {
       await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
     }

package/src/dev.ts

@@ -9,13 +9,17 @@
  */
 
 import { $ } from "bun";
-import { mkdirSync } from "node:fs";
+import { mkdirSync, rmSync, symlinkSync, existsSync } from "node:fs";
+import { createServer } from "node:net";
 import { join } from "node:path";
 import { buildAppBundle } from "./bundle.ts";
 import { resolveArtifacts } from "./artifacts.ts";
 import { sweepBuildTemps } from "./temps.ts";
+import { normalizeSidecars, compileWorkers } from "./extras.ts";
 
-const DEV_URL = "http://localhost:5173";
+/** Vite's default port. `mirin dev` probes upward from here for a free one, so a
+ *  second dev session (or anything already on 5173) doesn't collide. */
+const DEV_PORT_BASE = 5173;
 
 export async function dev(projectDir = process.cwd()): Promise<number> {
   const work = join(projectDir, ".mirin");
@@ -40,6 +44,19 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
   await $`bun build --compile ${artifacts.hostEntry} --outfile ${hostExe}`.cwd(projectDir);
   await $`bun build ${mainEntry} --target=bun --outfile ${workerJs}`.cwd(projectDir);
 
+  // Extra assets (dev): compile workers into .mirin/workers and symlink sidecar
+  // binaries into .mirin/sidecars (no copy/sign in dev — they run unsigned locally).
+  const workersDir = join(work, "workers");
+  await compileWorkers(projectDir, config.workers, workersDir, false);
+  const sidecarsDir = join(work, "sidecars");
+  mkdirSync(sidecarsDir, { recursive: true });
+  for (const sc of normalizeSidecars(projectDir, config.sidecars)) {
+    const link = join(sidecarsDir, sc.name);
+    rmSync(link, { force: true });
+    if (existsSync(sc.src)) symlinkSync(sc.src, link);
+    else console.warn(`[mirin dev] sidecar "${sc.name}" not found: ${sc.src}`);
+  }
+
   // --- assemble the dev .app ---
   console.log("[mirin dev] assembling dev bundle…");
   const { app, exe } = await buildAppBundle({
@@ -53,13 +70,21 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
     icon: config.icon ? join(projectDir, config.icon) : undefined,
   });
 
-  // --- start Vite ---
-  console.log("[mirin dev] starting Vite dev server…");
-  const vite = Bun.spawn(["bunx", "vite", "--clearScreen", "false"], {
-    cwd: projectDir,
-    stdio: ["ignore", "inherit", "inherit"],
-  });
-  await waitForUrl(DEV_URL, 15_000);
+  // --- start Vite on a free port so concurrent dev sessions don't collide ---
+  // `--port <free> --strictPort` pins Vite to the port we probed (overriding any
+  // port/strictPort in the app's vite.config) and passes the real URL to the app,
+  // so the host and Vite never disagree about which port is in use.
+  const port = await findFreePort(DEV_PORT_BASE);
+  const devUrl = `http://localhost:${port}`;
+  console.log(`[mirin dev] starting Vite dev server on ${devUrl}…`);
+  const vite = Bun.spawn(
+    ["bunx", "vite", "--clearScreen", "false", "--port", String(port), "--strictPort"],
+    {
+      cwd: projectDir,
+      stdio: ["ignore", "inherit", "inherit"],
+    },
+  );
+  await waitForUrl(devUrl, 15_000);
 
   // --- launch the app ---
   console.log(`[mirin dev] launching ${appName}…`);
@@ -69,9 +94,11 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
       ...process.env,
       MIRIN_CORE: join(app, "Contents", "MacOS", "libmirin_core.dylib"),
       MIRIN_WORKER: workerJs,
-      MIRIN_DEV_URL: DEV_URL,
+      MIRIN_DEV_URL: devUrl,
       MIRIN_MANIFEST_JSON: JSON.stringify({ windows: config.windows }),
       MIRIN_CONFIG_JSON: "{}",
+      MIRIN_SIDECAR_DIR: sidecarsDir,
+      MIRIN_WORKERS_DIR: workersDir,
     },
     stdio: ["ignore", "inherit", "inherit"],
   });
@@ -88,6 +115,32 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
   return code;
 }
 
+/** First free TCP port at or above `start` on loopback. */
+async function findFreePort(start: number): Promise<number> {
+  for (let port = start; port < start + 100; port++) {
+    if (await isPortFree(port)) return port;
+  }
+  throw new Error(`[mirin dev] no free port in ${start}–${start + 99}`);
+}
+
+/** Free only if neither IPv4 nor IPv6 loopback reports the port in use — Vite
+ *  binds `localhost` (often `::1`), so a v4-only probe would miss an IPv6 holder. */
+async function isPortFree(port: number): Promise<boolean> {
+  const [v4, v6] = await Promise.all([portInUse(port, "127.0.0.1"), portInUse(port, "::1")]);
+  return !v4 && !v6;
+}
+
+function portInUse(port: number, host: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    const srv = createServer();
+    // Only EADDRINUSE means taken; other errors (e.g. EADDRNOTAVAIL when IPv6 is
+    // off) just mean we can't test that family — treat as not-in-use.
+    srv.once("error", (err: NodeJS.ErrnoException) => resolve(err.code === "EADDRINUSE"));
+    srv.once("listening", () => srv.close(() => resolve(false)));
+    srv.listen(port, host);
+  });
+}
+
 async function waitForUrl(url: string, timeoutMs: number): Promise<void> {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {

package/src/dmg.ts

@@ -0,0 +1,236 @@
+/**
+ * macOS `.dmg` installer for `mirin release`.
+ *
+ * Two paths:
+ *  - **plain** (default): stage the `.app` + an `/Applications` symlink, then
+ *    `hdiutil create … -format ULFO`. Rock-solid in CI — this is what ships when
+ *    `dmg: true`. ULFO (lzfse) handles large CEF frameworks best on modern macOS.
+ *  - **laid-out**: when a `background` or any window/icon position is configured,
+ *    build a read-write image, style the Finder window via AppleScript, then
+ *    convert to the compressed read-only format. Best-effort — falls back to the
+ *    plain DMG if Finder automation isn't available (e.g. a headless runner).
+ *
+ * The DMG is codesigned (a DMG carries no entitlements / hardened runtime — it's
+ * not executable code) and, when notary credentials are present, notarized +
+ * stapled so a fresh download opens without a Gatekeeper prompt.
+ */
+
+import { $ } from "bun";
+import { cpSync, mkdirSync, rmSync, symlinkSync, existsSync } from "node:fs";
+import { join, basename, isAbsolute } from "node:path";
+import { tmpdir } from "node:os";
+
+export interface DmgOptions {
+  volumeName?: string;
+  format?: "ULFO" | "UDZO" | "UDBZ";
+  background?: string;
+  windowSize?: { width: number; height: number };
+  iconSize?: number;
+  appPosition?: { x: number; y: number };
+  applicationsPosition?: { x: number; y: number };
+}
+
+export interface BuildDmgInput {
+  /** Path to the (signed) `.app`. */
+  app: string;
+  appName: string;
+  /** Output directory for the `.dmg`. */
+  outDir: string;
+  /** Output file name (e.g. `stable-darwin-arm64-Anko.dmg`). */
+  fileName: string;
+  /** Resolved DMG options. */
+  options: DmgOptions;
+  /** Project root, for resolving a relative `background` path. */
+  projectDir: string;
+  /** Codesign identity ("-"/undefined → ad-hoc, no notarization). */
+  signIdentity?: string;
+}
+
+/** hdiutil volume names choke on some punctuation; keep it tame but readable. */
+function volumeName(name: string): string {
+  return name.replace(/[/:\\]/g, " ").trim() || "App";
+}
+
+/**
+ * Notarize + staple a `.app` or `.dmg` using MIRIN_NOTARY_* env credentials.
+ * No-op (returns false) when credentials are absent. Throws on rejection,
+ * printing the notary log so the failure is diagnosable.
+ */
+export async function notarizeAndStaple(target: string): Promise<boolean> {
+  const apple = process.env.MIRIN_NOTARY_APPLE_ID;
+  const pw = process.env.MIRIN_NOTARY_PASSWORD;
+  const team = process.env.MIRIN_NOTARY_TEAM_ID;
+  if (!apple || !pw || !team) return false;
+
+  const isApp = target.endsWith(".app");
+  // notarytool wants a zip for a bundle; a .dmg is submitted as-is.
+  const submitPath = isApp ? `${target}.notarize.zip` : target;
+  if (isApp) await $`ditto -c -k --keepParent ${target} ${submitPath}`;
+
+  console.log(`[mirin release] notarizing ${basename(target)} (this can take a few minutes)…`);
+  const out =
+    await $`xcrun notarytool submit ${submitPath} --apple-id ${apple} --password ${pw} --team-id ${team} --wait --output-format json`.text();
+  if (isApp) rmSync(submitPath, { force: true });
+
+  let sub: { id?: string; status?: string } = {};
+  try {
+    sub = JSON.parse(out);
+  } catch {
+    console.error(out);
+  }
+  if (sub.status !== "Accepted") {
+    console.error(`[mirin release] notarization ${sub.status ?? "failed"} (id: ${sub.id ?? "?"})`);
+    if (sub.id) {
+      const log =
+        await $`xcrun notarytool log ${sub.id} --apple-id ${apple} --password ${pw} --team-id ${team}`
+          .text()
+          .catch(() => "");
+      if (log) console.error(log);
+    }
+    throw new Error(`notarization not accepted: ${sub.status ?? "unknown"}`);
+  }
+  await $`xcrun stapler staple ${target}`;
+  return true;
+}
+
+/** Does this config ask for a styled Finder window (vs. a plain DMG)? */
+function wantsLayout(o: DmgOptions): boolean {
+  return !!(o.background || o.appPosition || o.applicationsPosition || o.windowSize || o.iconSize);
+}
+
+/**
+ * Build (and codesign) the `.dmg`, returning its path. Notarization is the
+ * caller's responsibility (so it can be sequenced with the other artifacts).
+ */
+export async function buildDmg(input: BuildDmgInput): Promise<string> {
+  const { app, appName, outDir, fileName, options, projectDir, signIdentity } = input;
+  const vol = volumeName(options.volumeName ?? appName);
+  const format = options.format ?? "ULFO";
+  const dmgPath = join(outDir, fileName);
+  rmSync(dmgPath, { force: true });
+
+  const staging = join(tmpdir(), `mirin-dmg-${process.pid}`);
+  rmSync(staging, { recursive: true, force: true });
+  mkdirSync(staging, { recursive: true });
+  try {
+    // BSD cp -R preserves the bundle's symlinks/signatures.
+    await $`cp -R ${app} ${join(staging, basename(app))}`;
+    symlinkSync("/Applications", join(staging, "Applications"));
+
+    let built = false;
+    if (wantsLayout(options)) {
+      try {
+        await buildLaidOutDmg({ staging, vol, format, dmgPath, options, projectDir, appFile: basename(app) });
+        built = true;
+      } catch (e) {
+        console.warn(
+          `[mirin release] DMG layout failed (${e instanceof Error ? e.message : e}); ` +
+            `falling back to a plain DMG.`,
+        );
+        rmSync(dmgPath, { force: true });
+      }
+    }
+    if (!built) {
+      await $`hdiutil create -volname ${vol} -srcfolder ${staging} -ov -format ${format} ${dmgPath}`.quiet();
+    }
+  } finally {
+    rmSync(staging, { recursive: true, force: true });
+  }
+
+  // Sign the image itself (Gatekeeper checks the DMG's signature too).
+  if (signIdentity && signIdentity !== "-") {
+    await $`codesign --force --timestamp --sign ${signIdentity} ${dmgPath}`.quiet();
+  } else if (signIdentity === "-") {
+    await $`codesign --force --sign - ${dmgPath}`.quiet();
+  }
+  return dmgPath;
+}
+
+/**
+ * Read-write image → style the Finder window via AppleScript → convert to the
+ * compressed read-only `format`. Throws if any step fails (caller falls back).
+ */
+async function buildLaidOutDmg(args: {
+  staging: string;
+  vol: string;
+  format: string;
+  dmgPath: string;
+  options: DmgOptions;
+  projectDir: string;
+  appFile: string;
+}): Promise<void> {
+  const { staging, vol, format, dmgPath, options, projectDir, appFile } = args;
+  const win = options.windowSize ?? { width: 640, height: 400 };
+  const iconSize = options.iconSize ?? 128;
+  const appPos = options.appPosition ?? { x: Math.round(win.width * 0.25), y: Math.round(win.height * 0.5) };
+  const appsPos =
+    options.applicationsPosition ?? { x: Math.round(win.width * 0.75), y: Math.round(win.height * 0.5) };
+
+  // Stage a background image (if any) under a hidden folder Finder can reference.
+  let bgFile: string | undefined;
+  if (options.background) {
+    const src = isAbsolute(options.background)
+      ? options.background
+      : join(projectDir, options.background);
+    if (!existsSync(src)) throw new Error(`background not found: ${src}`);
+    const bgDir = join(staging, ".background");
+    mkdirSync(bgDir, { recursive: true });
+    const ext = src.slice(src.lastIndexOf("."));
+    bgFile = `bg${ext}`;
+    cpSync(src, join(bgDir, bgFile));
+  }
+
+  const rw = `${dmgPath}.rw.dmg`;
+  rmSync(rw, { force: true });
+  // Read-write image sized to the staged contents, with slack for HFS overhead.
+  await $`hdiutil create -volname ${vol} -srcfolder ${staging} -fs HFS+ -format UDRW -ov ${rw}`.quiet();
+
+  // Attach without auto-opening a Finder window; parse the real mountpoint.
+  const attach =
+    await $`hdiutil attach ${rw} -readwrite -noverify -noautoopen`.text();
+  const mount = attach
+    .split("\n")
+    .map((l) => l.trim())
+    .find((l) => l.includes("/Volumes/"))
+    ?.split("\t")
+    .pop()
+    ?.trim();
+  if (!mount || !existsSync(mount)) {
+    await $`hdiutil detach ${rw}`.quiet().catch(() => {});
+    throw new Error("could not resolve DMG mountpoint");
+  }
+
+  try {
+    const bgClause = bgFile
+      ? `set background picture of viewOptions to file ".background:${bgFile}"`
+      : "";
+    const script = `
+      tell application "Finder"
+        tell disk "${vol}"
+          open
+          set current view of container window to icon view
+          set toolbar visible of container window to false
+          set statusbar visible of container window to false
+          set the bounds of container window to {200, 120, ${200 + win.width}, ${120 + win.height}}
+          set viewOptions to the icon view options of container window
+          set arrangement of viewOptions to not arranged
+          set icon size of viewOptions to ${iconSize}
+          ${bgClause}
+          set position of item "${appFile}" of container window to {${appPos.x}, ${appPos.y}}
+          set position of item "Applications" of container window to {${appsPos.x}, ${appsPos.y}}
+          update without registering applications
+          delay 1
+          close
+        end tell
+      end tell`;
+    await $`osascript -e ${script}`.quiet();
+    await $`sync`.quiet().catch(() => {});
+  } finally {
+    await $`hdiutil detach ${mount}`.quiet().catch(async () => {
+      await $`hdiutil detach ${rw} -force`.quiet().catch(() => {});
+    });
+  }
+
+  await $`hdiutil convert ${rw} -format ${format} -ov -o ${dmgPath}`.quiet();
+  rmSync(rw, { force: true });
+}

package/src/extras.ts

@@ -0,0 +1,61 @@
+/**
+ * Shared helpers for the two "extra asset" config blocks — `sidecars` (bundled
+ * binaries) and `workers` (extra Bun Worker entries) — used by both `mirin build`
+ * and `mirin dev`. Keeps the config normalization + worker compilation in one
+ * place so the two CLI paths stay in sync.
+ */
+
+import { $ } from "bun";
+import { join } from "node:path";
+
+/** Config shapes (mirrors packages/mirin/src/config.ts; CLI can't import the runtime). */
+export type SidecarConfig = Record<string, string | { bin: string; entitlements?: string[] }>;
+export type WorkersConfig = Record<string, string>;
+
+/** A sidecar resolved to an absolute source path + its requested entitlements. */
+export interface NormalizedSidecar {
+  name: string;
+  /** Absolute path to the source binary. */
+  src: string;
+  /** Short entitlement names (e.g. "allow-jit"); empty for most CLIs. */
+  entitlements: string[];
+}
+
+/** Resolve `config.sidecars` to absolute source paths. */
+export function normalizeSidecars(
+  projectDir: string,
+  sidecars: SidecarConfig | undefined,
+): NormalizedSidecar[] {
+  return Object.entries(sidecars ?? {}).map(([name, value]) => {
+    const spec = typeof value === "string" ? { bin: value } : value;
+    return {
+      name,
+      src: join(projectDir, spec.bin),
+      entitlements: spec.entitlements ?? [],
+    };
+  });
+}
+
+/**
+ * Compile each extra-worker entry to `<outDir>/<name>.js`. Returns name → path.
+ * `minify` matches the surrounding build (prod minifies; dev doesn't).
+ */
+export async function compileWorkers(
+  projectDir: string,
+  workers: WorkersConfig | undefined,
+  outDir: string,
+  minify: boolean,
+): Promise<Record<string, string>> {
+  const out: Record<string, string> = {};
+  for (const [name, entry] of Object.entries(workers ?? {})) {
+    const js = join(outDir, `${name}.js`);
+    const src = join(projectDir, entry);
+    if (minify) {
+      await $`bun build ${src} --target=bun --minify --outfile ${js}`.cwd(projectDir);
+    } else {
+      await $`bun build ${src} --target=bun --outfile ${js}`.cwd(projectDir);
+    }
+    out[name] = js;
+  }
+  return out;
+}

package/src/release.ts

@@ -21,6 +21,7 @@ import { mkdirSync, rmSync, readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 import { build } from "./build.ts";
+import { buildDmg, notarizeAndStaple, type DmgOptions } from "./dmg.ts";
 import { loadCodec } from "mirinjs/codec";
 
 const sha256File = (path: string) =>
@@ -44,39 +45,10 @@ export async function release(projectDir = process.cwd()): Promise<number> {
   rmSync(outDir, { recursive: true, force: true });
   mkdirSync(outDir, { recursive: true });
 
-  // Optional notarize + staple (Developer ID) before packing, when configured.
-  const apple = process.env.MIRIN_NOTARY_APPLE_ID;
-  const pw = process.env.MIRIN_NOTARY_PASSWORD;
-  const team = process.env.MIRIN_NOTARY_TEAM_ID;
-  if (apple && pw && team) {
-    console.log("[mirin release] notarizing (this can take a few minutes)…");
-    const zip = join(buildDir, "_notarize.zip");
-    await $`ditto -c -k --keepParent ${result.app} ${zip}`;
-    // `notarytool submit --wait` exits 0 even when the result is "Invalid", so
-    // parse the JSON status ourselves and surface the notary log on rejection —
-    // otherwise the only symptom is a confusing `stapler` failure downstream.
-    const out =
-      await $`xcrun notarytool submit ${zip} --apple-id ${apple} --password ${pw} --team-id ${team} --wait --output-format json`.text();
-    rmSync(zip, { force: true });
-    let sub: { id?: string; status?: string } = {};
-    try {
-      sub = JSON.parse(out);
-    } catch {
-      console.error(out);
-    }
-    if (sub.status !== "Accepted") {
-      console.error(`[mirin release] notarization ${sub.status ?? "failed"} (id: ${sub.id ?? "?"})`);
-      if (sub.id) {
-        const log =
-          await $`xcrun notarytool log ${sub.id} --apple-id ${apple} --password ${pw} --team-id ${team}`
-            .text()
-            .catch(() => "");
-        if (log) console.error(log);
-      }
-      throw new Error(`notarization not accepted: ${sub.status ?? "unknown"}`);
-    }
-    await $`xcrun stapler staple ${result.app}`;
-  }
+  // Notarize + staple the .app (Developer ID) before packing, when credentials
+  // are present. The .tar.zst / patch updater bundles are made from this signed,
+  // stapled .app, so the updater swaps in an already-notarized app.
+  await notarizeAndStaple(result.app);
 
   const codec = loadCodec(result.coreDylib);
 
@@ -141,11 +113,33 @@ export async function release(projectDir = process.cwd()): Promise<number> {
   const manifestName = `${prefix}-update.json`;
   await Bun.write(join(outDir, manifestName), `${JSON.stringify(manifest, null, 2)}\n`);
 
+  // Distributable installer: a drag-to-Applications .dmg of the same signed,
+  // stapled .app — for first-time installs (the updater uses the .tar.zst/patch).
+  let dmgName: string | undefined;
+  let dmgSize = 0;
+  if (result.dmg !== false) {
+    dmgName = `${prefix}-${safeName}.dmg`;
+    console.log(`[mirin release] building installer → ${dmgName}`);
+    const options: DmgOptions = typeof result.dmg === "object" ? result.dmg : {};
+    const dmgPath = await buildDmg({
+      app: result.app,
+      appName: result.appName,
+      outDir,
+      fileName: dmgName,
+      options,
+      projectDir: result.projectDir,
+      signIdentity: result.signIdentity,
+    });
+    await notarizeAndStaple(dmgPath); // no-op without notary credentials
+    dmgSize = readFileSync(dmgPath).byteLength;
+  }
+
   const mb = (n: number) => (n / 1e6).toFixed(1);
   console.log(`\n[mirin release] done → build/release/`);
   console.log(`  ${manifestName}`);
   console.log(`  ${bundleName} (${mb(bundleSize)} MB)`);
   for (const p of patches) console.log(`  ${p.url} (${mb(p.size)} MB delta from ${p.fromVersion})`);
+  if (dmgName) console.log(`  ${dmgName} (${mb(dmgSize)} MB installer)`);
   console.log(`\nUpload all of build/release/ to: ${result.baseUrl}`);
   if (existsSync(join(outDir, "_new.tar"))) rmSync(join(outDir, "_new.tar"), { force: true });
   return 0;