electrobun 0.0.19-beta.99 → 0.1.1

package/src/cli/index.ts

@@ -1,4 +1,4 @@
-import { join, dirname, basename } from "path";
+import { join, dirname, basename, relative } from "path";
 import {
   existsSync,
   readFileSync,
@@ -15,6 +15,7 @@ import {
   copyFileSync,
 } from "fs";
 import { execSync } from "child_process";
+import * as readline from "readline";
 import tar from "tar";
 import archiver from "archiver";
 import { ZstdInit } from "@oneidentity/zstd-js/wasm";
@@ -29,8 +30,12 @@ const MAX_CHUNK_SIZE = 1024 * 2;
 
 // this when run as an npm script this will be where the folder where package.json is.
 const projectRoot = process.cwd();
-const configName = "electrobun.config";
-const configPath = join(projectRoot, configName);
+
+// Find TypeScript ESM config file
+function findConfigFile(): string | null {
+  const configFile = join(projectRoot, 'electrobun.config.ts');
+  return existsSync(configFile) ? configFile : null;
+}
 
 // Note: cli args can be called via npm bun /path/to/electorbun/binary arg1 arg2
 const indexOfElectrobun = process.argv.findIndex((arg) =>
@@ -191,7 +196,8 @@ async function ensureCoreDependencies(targetOS?: 'macos' | 'win' | 'linux', targ
     // Use Windows native tar.exe on Windows due to npm tar library issues
     if (OS === 'win') {
       console.log('Using Windows native tar.exe for reliable extraction...');
-      execSync(`tar -xf "${tempFile}" -C "${platformDistPath}"`, { 
+      const relativeTempFile = relative(platformDistPath, tempFile);
+      execSync(`tar -xf "${relativeTempFile}"`, { 
         stdio: 'inherit',
         cwd: platformDistPath 
       });
@@ -244,6 +250,9 @@ async function ensureCoreDependencies(targetOS?: 'macos' | 'win' | 'linux', targ
       console.error('This suggests the tarball structure is different than expected');
     }
     
+    // Note: We no longer need to remove or re-add signatures from downloaded binaries
+    // The CI-added adhoc signatures are actually required for macOS to run the binaries
+    
     // For development: if main.js doesn't exist in shared dist/, copy from platform-specific download as fallback
     const sharedDistPath = join(ELECTROBUN_DEP_PATH, 'dist');
     const extractedMainJs = join(platformDistPath, 'main.js');
@@ -297,53 +306,164 @@ async function ensureCEFDependencies(targetOS?: 'macos' | 'win' | 'linux', targe
   const archName = platformArch;
   const cefTarballUrl = `https://github.com/blackboardsh/electrobun/releases/download/${version}/electrobun-cef-${platformName}-${archName}.tar.gz`;
   
-  console.log(`Downloading CEF from: ${cefTarballUrl}`);
+  // Helper function to download with retry logic
+  async function downloadWithRetry(url: string, filePath: string, maxRetries = 3): Promise<void> {
+    for (let attempt = 1; attempt <= maxRetries; attempt++) {
+      try {
+        console.log(`Downloading CEF (attempt ${attempt}/${maxRetries}) from: ${url}`);
+        
+        const response = await fetch(url);
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        
+        // Get content length for progress tracking
+        const contentLength = response.headers.get('content-length');
+        const totalSize = contentLength ? parseInt(contentLength, 10) : 0;
+        
+        // Create temp file with unique name to avoid conflicts
+        const fileStream = createWriteStream(filePath);
+        let downloadedSize = 0;
+        let lastReportedPercent = -1;
+        
+        // Stream download with progress
+        if (response.body) {
+          const reader = response.body.getReader();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            
+            const chunk = Buffer.from(value);
+            fileStream.write(chunk);
+            downloadedSize += chunk.length;
+            
+            if (totalSize > 0) {
+              const percent = Math.round((downloadedSize / totalSize) * 100);
+              const percentTier = Math.floor(percent / 10) * 10;
+              if (percentTier > lastReportedPercent && percentTier <= 100) {
+                console.log(`  Progress: ${percentTier}% (${Math.round(downloadedSize / 1024 / 1024)}MB/${Math.round(totalSize / 1024 / 1024)}MB)`);
+                lastReportedPercent = percentTier;
+              }
+            }
+          }
+        }
+        
+        await new Promise((resolve, reject) => {
+          fileStream.end((error: any) => {
+            if (error) reject(error);
+            else resolve(void 0);
+          });
+        });
+        
+        // Verify file size if content-length was provided
+        if (totalSize > 0) {
+          const actualSize = (await import('fs')).statSync(filePath).size;
+          if (actualSize !== totalSize) {
+            throw new Error(`Downloaded file size mismatch: expected ${totalSize}, got ${actualSize}`);
+          }
+        }
+        
+        console.log(`✓ Download completed successfully (${Math.round(downloadedSize / 1024 / 1024)}MB)`);
+        return; // Success, exit retry loop
+        
+      } catch (error: any) {
+        console.error(`Download attempt ${attempt} failed:`, error.message);
+        
+        // Clean up partial download
+        if (existsSync(filePath)) {
+          unlinkSync(filePath);
+        }
+        
+        if (attempt === maxRetries) {
+          throw new Error(`Failed to download after ${maxRetries} attempts: ${error.message}`);
+        }
+        
+        // Wait before retrying (exponential backoff)
+        const delay = Math.pow(2, attempt) * 1000; // 2s, 4s, 8s...
+        console.log(`Retrying in ${delay / 1000} seconds...`);
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
+    }
+  }
   
   try {
-    // Download CEF tarball
-    const response = await fetch(cefTarballUrl);
-    if (!response.ok) {
-      throw new Error(`Failed to download CEF: ${response.status} ${response.statusText}`);
-    }
+    // Create temp file with unique name
+    const tempFile = join(ELECTROBUN_DEP_PATH, `cef-${platformOS}-${platformArch}-${Date.now()}.tar.gz`);
     
-    // Create temp file
-    const tempFile = join(ELECTROBUN_DEP_PATH, `cef-${platformOS}-${platformArch}-temp.tar.gz`);
-    const fileStream = createWriteStream(tempFile);
-    
-    // Write response to file
-    if (response.body) {
-      const reader = response.body.getReader();
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        fileStream.write(Buffer.from(value));
-      }
-    }
-    fileStream.end();
+    // Download with retry logic
+    await downloadWithRetry(cefTarballUrl, tempFile);
     
     // Extract to platform-specific dist directory
     console.log(`Extracting CEF dependencies for ${platformOS}-${platformArch}...`);
     const platformDistPath = join(ELECTROBUN_DEP_PATH, `dist-${platformOS}-${platformArch}`);
     mkdirSync(platformDistPath, { recursive: true });
     
-    // Use Windows native tar.exe on Windows due to npm tar library issues
-    if (OS === 'win') {
-      console.log('Using Windows native tar.exe for reliable extraction...');
-      execSync(`tar -xf "${tempFile}" -C "${platformDistPath}"`, { 
-        stdio: 'inherit',
-        cwd: platformDistPath 
-      });
-    } else {
-      await tar.x({
-        file: tempFile,
-        cwd: platformDistPath,
-        preservePaths: false,
-        strip: 0,
-      });
+    // Helper function to validate tar file before extraction
+    async function validateTarFile(filePath: string): Promise<void> {
+      try {
+        // Quick validation - try to read the tar file header
+        const fd = await import('fs').then(fs => fs.promises.readFile(filePath));
+        
+        // Check if it's a gzip file (magic bytes: 1f 8b)
+        if (fd.length < 2 || fd[0] !== 0x1f || fd[1] !== 0x8b) {
+          throw new Error('Invalid gzip header - file may be corrupted');
+        }
+        
+        console.log(`✓ Tar file validation passed (${Math.round(fd.length / 1024 / 1024)}MB)`);
+      } catch (error: any) {
+        throw new Error(`Tar file validation failed: ${error.message}`);
+      }
     }
     
-    // Clean up temp file
-    unlinkSync(tempFile);
+    // Validate downloaded file before extraction
+    await validateTarFile(tempFile);
+    
+    try {
+      // Use Windows native tar.exe on Windows due to npm tar library issues
+      if (OS === 'win') {
+        console.log('Using Windows native tar.exe for reliable extraction...');
+        const relativeTempFile = relative(platformDistPath, tempFile);
+        execSync(`tar -xf "${relativeTempFile}"`, { 
+          stdio: 'inherit',
+          cwd: platformDistPath 
+        });
+      } else {
+        await tar.x({
+          file: tempFile,
+          cwd: platformDistPath,
+          preservePaths: false,
+          strip: 0,
+        });
+      }
+      
+      console.log(`✓ Extraction completed successfully`);
+      
+    } catch (error: any) {
+      // Check if CEF directory was created despite the error (partial extraction)
+      const cefDir = join(platformDistPath, 'cef');
+      if (existsSync(cefDir)) {
+        const cefFiles = readdirSync(cefDir);
+        if (cefFiles.length > 0) {
+          console.warn(`⚠️ Extraction warning: ${error.message}`);
+          console.warn(`  However, CEF files were extracted (${cefFiles.length} files found).`);
+          console.warn(`  Proceeding with partial extraction - this usually works fine.`);
+          // Don't throw - continue with what we have
+        } else {
+          // No files extracted, this is a real failure
+          throw new Error(`Extraction failed (no files extracted): ${error.message}`);
+        }
+      } else {
+        // No CEF directory created, this is a real failure
+        throw new Error(`Extraction failed (no CEF directory created): ${error.message}`);
+      }
+    }
+    
+    // Clean up temp file only after successful extraction
+    try {
+      unlinkSync(tempFile);
+    } catch (cleanupError) {
+      console.warn('Could not clean up temp file:', cleanupError);
+    }
     
     // Debug: List what was actually extracted for CEF
     try {
@@ -360,11 +480,28 @@ async function ensureCEFDependencies(targetOS?: 'macos' | 'win' | 'linux', targe
       console.error('Could not list CEF extracted files:', e);
     }
     
-    console.log(`CEF dependencies for ${platformOS}-${platformArch} downloaded and cached successfully`);
+    console.log(`✓ CEF dependencies for ${platformOS}-${platformArch} downloaded and cached successfully`);
     
   } catch (error: any) {
     console.error(`Failed to download CEF dependencies for ${platformOS}-${platformArch}:`, error.message);
-    console.error('Please ensure you have an internet connection and the release exists.');
+    
+    // Provide helpful guidance based on the error
+    if (error.message.includes('corrupted download') || error.message.includes('zlib') || error.message.includes('unexpected end')) {
+      console.error('\n💡 This appears to be a download corruption issue. Suggestions:');
+      console.error('  • Check your internet connection stability');
+      console.error('  • Try running the command again (it will retry automatically)');
+      console.error('  • Clear the cache if the issue persists:');
+      console.error(`    rm -rf "${ELECTROBUN_DEP_PATH}"`);
+    } else if (error.message.includes('HTTP 404') || error.message.includes('Not Found')) {
+      console.error('\n💡 The CEF release was not found. This could mean:');
+      console.error('  • The version specified doesn\'t have CEF binaries available');
+      console.error('  • You\'re using a development/unreleased version');
+      console.error('  • Try using a stable version instead');
+    } else {
+      console.error('\nPlease ensure you have an internet connection and the release exists.');
+      console.error(`If the problem persists, try clearing the cache: rm -rf "${ELECTROBUN_DEP_PATH}"`);
+    }
+    
     process.exit(1);
   }
 }
@@ -402,6 +539,9 @@ const defaultConfig = {
       entitlements: {
         // This entitlement is required for Electrobun apps with a hardened runtime (required for notarization) to run on macos
         "com.apple.security.cs.allow-jit": true,
+        // Required for bun runtime to work with dynamic code execution and JIT compilation when signed
+        "com.apple.security.cs.allow-unsigned-executable-memory": true,
+        "com.apple.security.cs.disable-library-validation": true,
       },
       icons: "icon.iconset",
     },
@@ -424,6 +564,55 @@ const defaultConfig = {
   },
 };
 
+// Mapping of entitlements to their corresponding Info.plist usage description keys
+const ENTITLEMENT_TO_PLIST_KEY: Record<string, string> = {
+  "com.apple.security.device.camera": "NSCameraUsageDescription",
+  "com.apple.security.device.microphone": "NSMicrophoneUsageDescription",
+  "com.apple.security.device.audio-input": "NSMicrophoneUsageDescription",
+  "com.apple.security.personal-information.location": "NSLocationUsageDescription",
+  "com.apple.security.personal-information.location-when-in-use": "NSLocationWhenInUseUsageDescription",
+  "com.apple.security.personal-information.contacts": "NSContactsUsageDescription",
+  "com.apple.security.personal-information.calendars": "NSCalendarsUsageDescription",
+  "com.apple.security.personal-information.reminders": "NSRemindersUsageDescription",
+  "com.apple.security.personal-information.photos-library": "NSPhotoLibraryUsageDescription",
+  "com.apple.security.personal-information.apple-music-library": "NSAppleMusicUsageDescription",
+  "com.apple.security.personal-information.motion": "NSMotionUsageDescription",
+  "com.apple.security.personal-information.speech-recognition": "NSSpeechRecognitionUsageDescription",
+  "com.apple.security.device.bluetooth": "NSBluetoothAlwaysUsageDescription",
+  "com.apple.security.files.user-selected.read-write": "NSDocumentsFolderUsageDescription",
+  "com.apple.security.files.downloads.read-write": "NSDownloadsFolderUsageDescription",
+  "com.apple.security.files.desktop.read-write": "NSDesktopFolderUsageDescription",
+};
+
+// Helper function to escape XML special characters
+function escapeXml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
+// Helper function to generate usage description entries for Info.plist
+function generateUsageDescriptions(entitlements: Record<string, boolean | string>): string {
+  const usageEntries: string[] = [];
+  
+  for (const [entitlement, value] of Object.entries(entitlements)) {
+    const plistKey = ENTITLEMENT_TO_PLIST_KEY[entitlement];
+    if (plistKey && value) {
+      // Use the string value as description, or a default if it's just true
+      const description = typeof value === "string" 
+        ? escapeXml(value)
+        : `This app requires access for ${entitlement.split('.').pop()?.replace('-', ' ')}`;
+      
+      usageEntries.push(`    <key>${plistKey}</key>\n    <string>${description}</string>`);
+    }
+  }
+  
+  return usageEntries.join('\n');
+}
+
 const command = commandDefaults[commandArg];
 
 if (!command) {
@@ -431,19 +620,21 @@ if (!command) {
   process.exit(1);
 }
 
-const config = getConfig();
+// Main execution function
+async function main() {
+  const config = await getConfig();
 
-const envArg =
-  process.argv.find((arg) => arg.startsWith("--env="))?.split("=")[1] || "";
+  const envArg =
+    process.argv.find((arg) => arg.startsWith("--env="))?.split("=")[1] || "";
 
-const targetsArg =
-  process.argv.find((arg) => arg.startsWith("--targets="))?.split("=")[1] || "";
+  const targetsArg =
+    process.argv.find((arg) => arg.startsWith("--targets="))?.split("=")[1] || "";
 
-const validEnvironments = ["dev", "canary", "stable"];
+  const validEnvironments = ["dev", "canary", "stable"];
 
-// todo (yoav): dev, canary, and stable;
-const buildEnvironment: "dev" | "canary" | "stable" =
-  validEnvironments.includes(envArg || "dev") ? (envArg || "dev") : "dev";
+  // todo (yoav): dev, canary, and stable;
+  const buildEnvironment: "dev" | "canary" | "stable" =
+    validEnvironments.includes(envArg || "dev") ? (envArg || "dev") : "dev";
 
 // Determine build targets
 type BuildTarget = { os: 'macos' | 'win' | 'linux', arch: 'arm64' | 'x64' };
@@ -678,6 +869,13 @@ function escapePathForTerminal(filePath: string) {
 
   return escapedPath;
 }
+
+function sanitizeVolumeNameForHdiutil(volumeName: string) {
+  // Remove or replace characters that cause issues with hdiutil volume mounting
+  // Parentheses and other special characters can cause "Operation not permitted" errors
+  return volumeName.replace(/[()]/g, '');
+}
+
 // MyApp
 
 // const appName = config.app.name.replace(/\s/g, '-').toLowerCase();
@@ -696,57 +894,117 @@ const bundleFileName = targetOS === 'macos' ? `${appFileName}.app` : appFileName
 let proc = null;
 
 if (commandArg === "init") {
-  const projectName = process.argv[indexOfElectrobun + 2] || "my-electrobun-app";
-  const templateName = process.argv.find(arg => arg.startsWith("--template="))?.split("=")[1] || "hello-world";
-  
-  console.log(`🚀 Initializing Electrobun project: ${projectName}`);
-  
-  // Validate template name
-  const availableTemplates = getTemplateNames();
-  if (!availableTemplates.includes(templateName)) {
-    console.error(`❌ Template "${templateName}" not found.`);
-    console.log(`Available templates: ${availableTemplates.join(", ")}`);
-    process.exit(1);
-  }
-  
-  const template = getTemplate(templateName);
-  if (!template) {
-    console.error(`❌ Could not load template "${templateName}"`);
-    process.exit(1);
-  }
-  
-  // Create project directory
-  const projectPath = join(process.cwd(), projectName);
-  if (existsSync(projectPath)) {
-    console.error(`❌ Directory "${projectName}" already exists.`);
-    process.exit(1);
-  }
-  
-  mkdirSync(projectPath, { recursive: true });
-  
-  // Extract template files
-  let fileCount = 0;
-  for (const [relativePath, content] of Object.entries(template.files)) {
-    const fullPath = join(projectPath, relativePath);
-    const dir = dirname(fullPath);
+  await (async () => {
+    const secondArg = process.argv[indexOfElectrobun + 2];
+    const availableTemplates = getTemplateNames();
     
-    // Create directory if it doesn't exist
-    mkdirSync(dir, { recursive: true });
+    let projectName: string;
+    let templateName: string;
     
-    // Write file
-    writeFileSync(fullPath, content, 'utf-8');
-    fileCount++;
-  }
-  
-  console.log(`✅ Created ${fileCount} files from "${templateName}" template`);
-  console.log(`📁 Project created at: ${projectPath}`);
-  console.log("");
-  console.log("📦 Next steps:");
-  console.log(`   cd ${projectName}`);
-  console.log("   bun install");
-  console.log("   bunx electrobun dev");
-  console.log("");
-  console.log("🎉 Happy building with Electrobun!");
+    // Check if --template= flag is used
+    const templateFlag = process.argv.find(arg => arg.startsWith("--template="));
+    if (templateFlag) {
+      // Traditional usage: electrobun init my-project --template=photo-booth
+      projectName = secondArg || "my-electrobun-app";
+      templateName = templateFlag.split("=")[1];
+    } else if (secondArg && availableTemplates.includes(secondArg)) {
+      // New intuitive usage: electrobun init photo-booth
+      projectName = secondArg; // Use template name as project name
+      templateName = secondArg;
+    } else {
+      // Interactive menu when no template specified
+      console.log("🚀 Welcome to Electrobun!");
+      console.log("");
+      console.log("Available templates:");
+      availableTemplates.forEach((template, index) => {
+        console.log(`  ${index + 1}. ${template}`);
+      });
+      console.log("");
+      
+      // Simple CLI selection using readline
+      const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      
+      const choice = await new Promise<string>((resolve) => {
+        rl.question('Select a template (enter number): ', (answer) => {
+          rl.close();
+          resolve(answer.trim());
+        });
+      });
+      
+      const templateIndex = parseInt(choice) - 1;
+      if (templateIndex < 0 || templateIndex >= availableTemplates.length) {
+        console.error(`❌ Invalid selection. Please enter a number between 1 and ${availableTemplates.length}.`);
+        process.exit(1);
+      }
+      
+      templateName = availableTemplates[templateIndex];
+      
+      // Ask for project name
+      const rl2 = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      
+      projectName = await new Promise<string>((resolve) => {
+        rl2.question(`Enter project name (default: my-${templateName}-app): `, (answer) => {
+          rl2.close();
+          resolve(answer.trim() || `my-${templateName}-app`);
+        });
+      });
+    }
+    
+    console.log(`🚀 Initializing Electrobun project: ${projectName}`);
+    console.log(`📋 Using template: ${templateName}`);
+    
+    // Validate template name
+    if (!availableTemplates.includes(templateName)) {
+      console.error(`❌ Template "${templateName}" not found.`);
+      console.log(`Available templates: ${availableTemplates.join(", ")}`);
+      process.exit(1);
+    }
+    
+    const template = getTemplate(templateName);
+    if (!template) {
+      console.error(`❌ Could not load template "${templateName}"`);
+      process.exit(1);
+    }
+    
+    // Create project directory
+    const projectPath = join(process.cwd(), projectName);
+    if (existsSync(projectPath)) {
+      console.error(`❌ Directory "${projectName}" already exists.`);
+      process.exit(1);
+    }
+    
+    mkdirSync(projectPath, { recursive: true });
+    
+    // Extract template files
+    let fileCount = 0;
+    for (const [relativePath, content] of Object.entries(template.files)) {
+      const fullPath = join(projectPath, relativePath);
+      const dir = dirname(fullPath);
+      
+      // Create directory if it doesn't exist
+      mkdirSync(dir, { recursive: true });
+      
+      // Write file
+      writeFileSync(fullPath, content, 'utf-8');
+      fileCount++;
+    }
+    
+    console.log(`✅ Created ${fileCount} files from "${templateName}" template`);
+    console.log(`📁 Project created at: ${projectPath}`);
+    console.log("");
+    console.log("📦 Next steps:");
+    console.log(`   cd ${projectName}`);
+    console.log("   bun install");
+    console.log("   bun start");
+    console.log("");
+    console.log("🎉 Happy building with Electrobun!");
+  })();
 } else if (commandArg === "build") {
   // Ensure core binaries are available for the target platform before starting build
   await ensureCoreDependencies(currentTarget.os, currentTarget.arch);
@@ -792,6 +1050,9 @@ if (commandArg === "init") {
 
   // We likely want to let users configure this for different environments (eg: dev, canary, stable) and/or
   // provide methods to help segment data in those folders based on channel/environment
+  // Generate usage descriptions from entitlements
+  const usageDescriptions = generateUsageDescriptions(config.build.mac.entitlements || {});
+  
   const InfoPlistContents = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -807,7 +1068,7 @@ if (commandArg === "init") {
     <key>CFBundlePackageType</key>
     <string>APPL</string>
     <key>CFBundleIconFile</key>
-    <string>AppIcon</string>
+    <string>AppIcon</string>${usageDescriptions ? '\n' + usageDescriptions : ''}
 </dict>
 </plist>`;
 
@@ -847,23 +1108,21 @@ if (commandArg === "init") {
   //     mkdirSync(destLauncherFolder, {recursive: true});
   // }
   // cpSync(zigLauncherBinarySource, zigLauncherDestination, {recursive: true, dereference: true});
-  // Only copy launcher for non-dev builds
-  if (buildEnvironment !== "dev") {
-    const bunCliLauncherBinarySource = targetPaths.LAUNCHER_RELEASE;
-    const bunCliLauncherDestination = join(appBundleMacOSPath, "launcher") + targetBinExt;
-    const destLauncherFolder = dirname(bunCliLauncherDestination);
-    if (!existsSync(destLauncherFolder)) {
-      // console.info('creating folder: ', destFolder);
-      mkdirSync(destLauncherFolder, { recursive: true });
-    }
-
-    cpSync(bunCliLauncherBinarySource, bunCliLauncherDestination, {
-      recursive: true,
-      dereference: true,
-    });
+  // Copy zig launcher for all builds (dev, canary, stable)
+  const bunCliLauncherBinarySource = targetPaths.LAUNCHER_RELEASE;
+  const bunCliLauncherDestination = join(appBundleMacOSPath, "launcher") + targetBinExt;
+  const destLauncherFolder = dirname(bunCliLauncherDestination);
+  if (!existsSync(destLauncherFolder)) {
+    // console.info('creating folder: ', destFolder);
+    mkdirSync(destLauncherFolder, { recursive: true });
   }
 
-  cpSync(targetPaths.MAIN_JS, join(appBundleMacOSPath, 'main.js'));
+  cpSync(bunCliLauncherBinarySource, bunCliLauncherDestination, {
+    recursive: true,
+    dereference: true,
+  });
+
+  cpSync(targetPaths.MAIN_JS, join(appBundleFolderResourcesPath, 'main.js'));
 
   // Bun runtime binary
   // todo (yoav): this only works for the current architecture
@@ -1271,11 +1530,13 @@ if (commandArg === "init") {
   
   // Run postBuild script
   if (config.scripts.postBuild) {
+    console.log("Running postBuild script:", config.scripts.postBuild);
     // Use host platform's bun binary for running scripts, not target platform's
     const hostPaths = getPlatformPaths(OS, ARCH);
     
-    Bun.spawnSync([hostPaths.BUN_BINARY, config.scripts.postBuild], {
+    const result = Bun.spawnSync([hostPaths.BUN_BINARY, config.scripts.postBuild], {
       stdio: ["ignore", "inherit", "inherit"],
+      cwd: projectRoot, // Add cwd to ensure script runs from project root
       env: {
         ...process.env,
         ELECTROBUN_BUILD_ENV: buildEnvironment,
@@ -1288,6 +1549,18 @@ if (commandArg === "init") {
         ELECTROBUN_ARTIFACT_DIR: artifactFolder,
       },
     });
+    
+    if (result.exitCode !== 0) {
+      console.error("postBuild script failed with exit code:", result.exitCode);
+      if (result.stderr) {
+        console.error("stderr:", result.stderr.toString());
+      }
+      // Also log which bun binary we're trying to use
+      console.error("Tried to run with bun at:", hostPaths.BUN_BINARY);
+      console.error("Script path:", config.scripts.postBuild);
+      console.error("Working directory:", projectRoot);
+      process.exit(1);
+    }
   }
   // All the unique files are in the bundle now. Create an initial temporary tar file
   // for hashing the contents
@@ -1476,7 +1749,7 @@ if (commandArg === "init") {
       // hdiutil create -volname "YourAppName" -srcfolder /path/to/YourApp.app -ov -format UDZO YourAppName.dmg
       // Note: use ULFO (lzfse) for better compatibility with large CEF frameworks and modern macOS
       execSync(
-        `hdiutil create -volname "${appFileName}" -srcfolder ${escapePathForTerminal(
+        `hdiutil create -volname "${sanitizeVolumeNameForHdiutil(appFileName)}" -srcfolder ${escapePathForTerminal(
           selfExtractingBundle.appBundleFolderPath
         )} -ov -format ULFO ${escapePathForTerminal(dmgPath)}`
       );
@@ -1741,24 +2014,27 @@ exec "\$LAUNCHER_BINARY" "\$@"
 
   let mainProc;
   let bundleExecPath: string;
+  let bundleResourcesPath: string;
   
   if (OS === 'macos') {
     bundleExecPath = join(buildFolder, bundleFileName, "Contents", 'MacOS');
+    bundleResourcesPath = join(buildFolder, bundleFileName, "Contents", 'Resources');
   } else if (OS === 'linux' || OS === 'win') {
     bundleExecPath = join(buildFolder, bundleFileName, "bin");
+    bundleResourcesPath = join(buildFolder, bundleFileName, "Resources");
   } else {
     throw new Error(`Unsupported OS: ${OS}`);
   }
 
   if (OS === 'macos') {
-
-    mainProc = Bun.spawn([join(bundleExecPath,'bun'), join(bundleExecPath, 'main.js')], {
+    // Use the zig launcher for all builds (dev, canary, stable)
+    mainProc = Bun.spawn([join(bundleExecPath, 'launcher')], {
       stdio: ['inherit', 'inherit', 'inherit'],
       cwd: bundleExecPath
     })
   } else if (OS === 'win') {  
-    // Try the main process
-    mainProc =  Bun.spawn(['./bun.exe', './main.js'], {
+    // Try the main process - use relative path to Resources folder
+    mainProc =  Bun.spawn(['./bun.exe', '../Resources/main.js'], {
       stdio: ['inherit', 'inherit', 'inherit'],
       cwd: bundleExecPath,
       onExit: (proc, exitCode, signalCode, error) => {
@@ -1779,7 +2055,7 @@ exec "\$LAUNCHER_BINARY" "\$@"
       }
     }
     
-    mainProc = Bun.spawn([join(bundleExecPath, 'bun'), join(bundleExecPath, 'main.js')], {
+    mainProc = Bun.spawn([join(bundleExecPath, 'bun'), join(bundleResourcesPath, 'main.js')], {
       stdio: ['inherit', 'inherit', 'inherit'],
       cwd: bundleExecPath,
       env
@@ -1787,23 +2063,49 @@ exec "\$LAUNCHER_BINARY" "\$@"
   }
 
   process.on("SIGINT", () => {
-    console.log('exit command')
-    // toLauncherPipe.write("exit command\n");      
-    mainProc.kill();
-    process.exit();
+    console.log('[electrobun dev] Received SIGINT, initiating graceful shutdown...')
+    
+    if (mainProc) {
+      // First attempt graceful shutdown by sending SIGINT to child
+      console.log('[electrobun dev] Requesting graceful shutdown from app...')
+      mainProc.kill("SIGINT");
+      
+      // Give the app time to clean up (e.g., call killApp())
+      setTimeout(() => {
+        if (mainProc && !mainProc.killed) {
+          console.log('[electrobun dev] App did not exit gracefully, forcing termination...')
+          mainProc.kill("SIGKILL");
+        }
+        process.exit(0);
+      }, 2000); // 2 second timeout for graceful shutdown
+    } else {
+      process.exit(0);
+    }
   });
 
 } 
 
-function getConfig() {
+async function getConfig() {
   let loadedConfig = {};
-  if (existsSync(configPath)) {
-    const configFileContents = readFileSync(configPath, "utf8");
-    // Note: we want this to hard fail if there's a syntax error
+  const foundConfigPath = findConfigFile();
+  
+  if (foundConfigPath) {
+    console.log(`Using config file: ${basename(foundConfigPath)}`);
+    
     try {
-      loadedConfig = JSON.parse(configFileContents);
+      // Use dynamic import for TypeScript ESM files
+      // Bun handles TypeScript natively, no transpilation needed
+      const configModule = await import(foundConfigPath);
+      loadedConfig = configModule.default || configModule;
+      
+      // Validate that we got a valid config object
+      if (!loadedConfig || typeof loadedConfig !== 'object') {
+        console.error("Config file must export a default object");
+        console.error("using default config instead");
+        loadedConfig = {};
+      }
     } catch (error) {
-      console.error("Failed to parse config file:", error);
+      console.error("Failed to load config file:", error);
       console.error("using default config instead");
     }
   }
@@ -1851,7 +2153,7 @@ function getConfig() {
   };
 }
 
-function buildEntitlementsFile(entitlements) {
+function buildEntitlementsFile(entitlements: Record<string, boolean | string>) {
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -1870,7 +2172,8 @@ function getEntitlementValue(value: boolean | string) {
   if (typeof value === "boolean") {
     return `<${value.toString()}/>`;
   } else {
-    return value;
+    // For string values (usage descriptions), still return boolean true for the entitlement
+    return `<true/>`;
   }
 }
 
@@ -2187,30 +2490,189 @@ function codesignAppBundle(
     process.exit(1);
   }
 
-  // list of entitlements https://developer.apple.com/documentation/security/hardened_runtime?language=objc
-  // todo (yoav): consider allowing separate entitlements config for each binary
-  // const entitlementsFilePath = join(buildFolder, 'entitlements.plist');
-
-  // codesign --deep --force --verbose --timestamp --sign "ELECTROBUN_DEVELOPER_ID" --options runtime --entitlements entitlementsFilePath appBundleOrDmgPath`
+  // If this is a DMG file, sign it directly
+  if (appBundleOrDmgPath.endsWith('.dmg')) {
+    execSync(
+      `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" ${escapePathForTerminal(
+        appBundleOrDmgPath
+      )}`
+    );
+    return;
+  }
 
+  // For app bundles, sign binaries individually to avoid --deep issues with notarization
+  const contentsPath = join(appBundleOrDmgPath, 'Contents');
+  const macosPath = join(contentsPath, 'MacOS');
+  
+  // Prepare entitlements if provided
   if (entitlementsFilePath) {
     const entitlementsFileContents = buildEntitlementsFile(
       config.build.mac.entitlements
     );
     Bun.write(entitlementsFilePath, entitlementsFileContents);
+  }
 
-    execSync(
-      `codesign --deep --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime --entitlements ${entitlementsFilePath} ${escapePathForTerminal(
-        appBundleOrDmgPath
-      )}`
-    );
-  } else {
-    execSync(
-      `codesign --deep --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" ${escapePathForTerminal(
-        appBundleOrDmgPath
-      )}`
-    );
+  // Sign frameworks first (CEF framework requires special handling)
+  const frameworksPath = join(contentsPath, 'Frameworks');
+  if (existsSync(frameworksPath)) {
+    try {
+      const frameworks = readdirSync(frameworksPath);
+      for (const framework of frameworks) {
+        if (framework.endsWith('.framework')) {
+          const frameworkPath = join(frameworksPath, framework);
+          
+          if (framework === 'Chromium Embedded Framework.framework') {
+            console.log(`Signing CEF framework components: ${framework}`);
+            
+            // Sign CEF libraries first
+            const librariesPath = join(frameworkPath, 'Libraries');
+            if (existsSync(librariesPath)) {
+              const libraries = readdirSync(librariesPath);
+              for (const library of libraries) {
+                if (library.endsWith('.dylib')) {
+                  const libraryPath = join(librariesPath, library);
+                  console.log(`Signing CEF library: ${library}`);
+                  execSync(
+                    `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${escapePathForTerminal(libraryPath)}`
+                  );
+                }
+              }
+            }
+            
+            // CEF helper apps are in the main Frameworks directory, not inside the CEF framework
+            // We'll sign them after signing all frameworks
+          }
+          
+          // Sign the framework bundle itself (for CEF and any other frameworks)
+          console.log(`Signing framework bundle: ${framework}`);
+          execSync(
+            `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${escapePathForTerminal(frameworkPath)}`
+          );
+        }
+      }
+    } catch (err) {
+      console.log("Error signing frameworks:", err);
+      throw err; // Re-throw to fail the build since framework signing is critical
+    }
   }
+  
+  // Sign CEF helper apps (they're in the main Frameworks directory, not inside CEF framework)
+  const cefHelperApps = [
+    'bun Helper.app',
+    'bun Helper (GPU).app', 
+    'bun Helper (Plugin).app',
+    'bun Helper (Alerts).app',
+    'bun Helper (Renderer).app'
+  ];
+  
+  for (const helperApp of cefHelperApps) {
+    const helperPath = join(frameworksPath, helperApp);
+    if (existsSync(helperPath)) {
+      const helperExecutablePath = join(helperPath, 'Contents', 'MacOS', helperApp.replace('.app', ''));
+      if (existsSync(helperExecutablePath)) {
+        console.log(`Signing CEF helper executable: ${helperApp}`);
+        const entitlementFlag = entitlementsFilePath ? `--entitlements ${entitlementsFilePath}` : '';
+        execSync(
+          `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${entitlementFlag} ${escapePathForTerminal(helperExecutablePath)}`
+        );
+      }
+      
+      console.log(`Signing CEF helper bundle: ${helperApp}`);
+      const entitlementFlag = entitlementsFilePath ? `--entitlements ${entitlementsFilePath}` : '';
+      execSync(
+        `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${entitlementFlag} ${escapePathForTerminal(helperPath)}`
+      );
+    }
+  }
+
+  // Sign all binaries and libraries in MacOS folder and subdirectories
+  console.log("Signing all binaries in MacOS folder...");
+  
+  // Recursively find all executables and libraries in MacOS folder
+  function findExecutables(dir: string): string[] {
+    let executables: string[] = [];
+    
+    try {
+      const entries = readdirSync(dir, { withFileTypes: true });
+      
+      for (const entry of entries) {
+        const fullPath = join(dir, entry.name);
+        
+        if (entry.isDirectory()) {
+          // Recursively search subdirectories
+          executables = executables.concat(findExecutables(fullPath));
+        } else if (entry.isFile()) {
+          // Check if it's an executable or library
+          try {
+            const fileInfo = execSync(`file -b "${fullPath}"`, { encoding: 'utf8' }).trim();
+            if (fileInfo.includes('Mach-O') || entry.name.endsWith('.dylib')) {
+              executables.push(fullPath);
+            }
+          } catch {
+            // If file command fails, check by extension
+            if (entry.name.endsWith('.dylib') || !entry.name.includes('.')) {
+              // No extension often means executable
+              executables.push(fullPath);
+            }
+          }
+        }
+      }
+    } catch (err) {
+      console.error(`Error scanning directory ${dir}:`, err);
+    }
+    
+    return executables;
+  }
+  
+  const executablesInMacOS = findExecutables(macosPath);
+  
+  // Sign each found executable
+  for (const execPath of executablesInMacOS) {
+    const fileName = basename(execPath);
+    const relativePath = execPath.replace(macosPath + '/', '');
+    
+    // Use filename as identifier (without extension)
+    const identifier = fileName.replace(/\.[^.]+$/, '');
+    
+    console.log(`Signing ${relativePath} with identifier ${identifier}`);
+    const entitlementFlag = entitlementsFilePath ? `--entitlements ${entitlementsFilePath}` : '';
+    
+    try {
+      execSync(
+        `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime --identifier ${identifier} ${entitlementFlag} ${escapePathForTerminal(execPath)}`
+      );
+    } catch (err) {
+      console.error(`Failed to sign ${relativePath}:`, err.message);
+      // Continue signing other files even if one fails
+    }
+  }
+
+  // Note: main.js is now in Resources and will be automatically sealed when signing the app bundle
+  
+  // Sign the main executable (launcher) - this should use the app's bundle identifier, not "launcher"
+  const launcherPath = join(macosPath, 'launcher');
+  if (existsSync(launcherPath)) {
+    console.log("Signing main executable (launcher)");
+    const entitlementFlag = entitlementsFilePath ? `--entitlements ${entitlementsFilePath}` : '';
+    try {
+      execSync(
+        `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${entitlementFlag} ${escapePathForTerminal(launcherPath)}`
+      );
+    } catch (error) {
+      console.error("Failed to sign launcher:", error.message);
+      console.log("Attempting to sign launcher without runtime hardening...");
+      execSync(
+        `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" ${entitlementFlag} ${escapePathForTerminal(launcherPath)}`
+      );
+    }
+  }
+
+  // Finally, sign the app bundle itself (without --deep)
+  console.log("Signing app bundle");
+  const entitlementFlag = entitlementsFilePath ? `--entitlements ${entitlementsFilePath}` : '';
+  execSync(
+    `codesign --force --verbose --timestamp --sign "${ELECTROBUN_DEVELOPER_ID}" --options runtime ${entitlementFlag} ${escapePathForTerminal(appBundleOrDmgPath)}`
+  );
 }
 
 function notarizeAndStaple(appOrDmgPath: string) {
@@ -2349,3 +2811,11 @@ function createAppBundle(bundleName: string, parentFolder: string, targetOS: 'ma
     throw new Error(`Unsupported OS: ${targetOS}`);
   }
 }
+
+} // End of main() function
+
+// Run the main function
+main().catch((error) => {
+  console.error('Fatal error:', error);
+  process.exit(1);
+});