nullxnothing
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 28 additions & 23 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 28 additions & 23 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 102 additions & 24 deletions b/‎.github/workflows/release.yml‎
Lines changed: 102 additions & 24 deletions
diff --git a/‎build/README.md‎
Lines changed: 13 additions & 0 deletions b/‎build/README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎build/entitlements.mac.plist‎
Lines changed: 16 additions & 0 deletions b/‎build/entitlements.mac.plist‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎electron-builder.json‎
Lines changed: 26 additions & 7 deletions b/‎electron-builder.json‎
Lines changed: 26 additions & 7 deletions
diff --git a/‎electron/config/constants.ts‎
Lines changed: 2 additions & 0 deletions b/‎electron/config/constants.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎electron/db/db.ts‎
Lines changed: 15 additions & 0 deletions b/‎electron/db/db.ts‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎electron/db/migrations.ts‎
Lines changed: 25 additions & 1 deletion b/‎electron/db/migrations.ts‎
Lines changed: 25 additions & 1 deletion
@@ -6,13 +6,8 @@ on:
   pull_request:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
   typecheck:
-    name: Typecheck
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -27,7 +22,6 @@ jobs:
       - run: pnpm run typecheck
 
   test:
-    name: Test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -39,17 +33,32 @@ jobs:
           node-version: 22
           cache: pnpm
       - run: pnpm install --frozen-lockfile
-      - run: pnpm run pretest
       - run: pnpm run test
 
-  build:
-    name: Build
+  build-windows:
+    runs-on: windows-latest
+    needs: [typecheck, test]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
+      - run: pnpm run package
+      - uses: actions/upload-artifact@v4
+        with:
+          name: windows-build
+          path: release/**/*.exe
+          if-no-files-found: warn
+
+  build-macos:
+    runs-on: macos-latest
     needs: [typecheck, test]
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [windows-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
@@ -61,15 +70,11 @@ jobs:
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - run: pnpm run build
-      - name: Package
-        run: pnpm run package
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: pnpm run package
       - uses: actions/upload-artifact@v4
         with:
-          name: daemon-${{ matrix.os }}
+          name: macos-build
           path: |
-            release/*.exe
-            release/*.dmg
-            release/*.AppImage
-          retention-days: 7
+            release/**/*.dmg
+            release/**/*.zip
+          if-no-files-found: warn
@@ -9,19 +9,51 @@ permissions:
   contents: write
 
 jobs:
-  release:
-    name: Build & Release
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: windows-latest
-            artifact: '*.exe'
-          - os: macos-latest
-            artifact: '*.dmg'
-    runs-on: ${{ matrix.os }}
+  release-windows:
+    runs-on: windows-latest
+    env:
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
+      - run: pnpm run package
+      - name: Generate checksums
+        shell: pwsh
+        run: |
+          Get-ChildItem -Path release -Recurse -Include *.exe | ForEach-Object {
+            $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()
+            "$hash  $($_.Name)" | Out-File -Append -FilePath release/checksums-windows.txt
+          }
+      - uses: actions/upload-artifact@v4
+        with:
+          name: windows-release
+          path: |
+            release/**/*.exe
+            release/checksums-windows.txt
+
+  release-macos:
+    runs-on: macos-latest
+    env:
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - uses: pnpm/action-setup@v4
         with:
           version: 9
@@ -30,20 +62,66 @@ jobs:
           node-version: 22
           cache: pnpm
       - run: pnpm install --frozen-lockfile
-      - run: pnpm run typecheck
-      - run: pnpm run pretest
-      - run: pnpm run test
       - run: pnpm run build
-      - name: Package
-        run: pnpm run package
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload release assets
+      - name: Package with optional notarization
+        run: |
+          if [ -n "$APPLE_ID" ] && [ -n "$APPLE_APP_SPECIFIC_PASSWORD" ] && [ -n "$APPLE_TEAM_ID" ]; then
+            echo "Notarization secrets found, enabling notarize"
+            npx json -I -f electron-builder.json -e 'this.mac.notarize=true'
+          fi
+          pnpm run package
+      - name: Generate checksums
+        run: |
+          cd release
+          find . -name "*.dmg" -o -name "*.zip" | while read f; do
+            shasum -a 256 "$f" >> checksums-macos.txt
+          done
+      - uses: actions/upload-artifact@v4
+        with:
+          name: macos-release
+          path: |
+            release/**/*.dmg
+            release/**/*.zip
+            release/checksums-macos.txt
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [release-windows, release-macos]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/download-artifact@v4
+        with:
+          name: windows-release
+          path: artifacts/windows
+      - uses: actions/download-artifact@v4
+        with:
+          name: macos-release
+          path: artifacts/macos
+      - name: Generate changelog
+        id: changelog
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || git rev-list --max-parents=0 HEAD)
+          echo "## Changes" > changelog.md
+          echo "" >> changelog.md
+          git log --pretty=format:"- %s (%h)" "$PREV_TAG"..HEAD >> changelog.md
+          echo "" >> changelog.md
+          echo "" >> changelog.md
+          echo "## Checksums" >> changelog.md
+          echo '```' >> changelog.md
+          cat artifacts/windows/checksums-windows.txt 2>/dev/null >> changelog.md || true
+          cat artifacts/macos/checksums-macos.txt 2>/dev/null >> changelog.md || true
+          echo '```' >> changelog.md
+      - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
+          body_path: changelog.md
+          draft: false
+          prerelease: ${{ contains(github.ref, '-beta') || contains(github.ref, '-alpha') || contains(github.ref, '-rc') }}
           files: |
-            release/*.exe
-            release/*.dmg
-            release/*.AppImage
-          draft: true
-          generate_release_notes: true
+            artifacts/windows/**/*.exe
+            artifacts/macos/**/*.dmg
+            artifacts/macos/**/*.zip
+            artifacts/windows/checksums-windows.txt
+            artifacts/macos/checksums-macos.txt
@@ -0,0 +1,13 @@
+# Build Configuration
+
+## Code Signing (Optional)
+
+### Windows
+Set `CSC_LINK` to the path/base64 of your .pfx certificate and `CSC_KEY_PASSWORD` to the password.
+
+### macOS
+Set `CSC_LINK` to the path/base64 of your .p12 certificate, `CSC_KEY_PASSWORD`, and for notarization: `APPLE_ID`, `APPLE_APP_SPECIFIC_PASSWORD`, `APPLE_TEAM_ID`.
+
+### GitHub Actions
+Add these as repository secrets. The release workflow will use them automatically.
+Without signing secrets, builds are unsigned (fine for development).
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.security.cs.allow-jit</key>
+  <true/>
+  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+  <true/>
+  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+  <true/>
+  <key>com.apple.security.network.client</key>
+  <true/>
+  <key>com.apple.security.files.user-selected.read-write</key>
+  <true/>
+</dict>
+</plist>
@@ -4,7 +4,7 @@
   "productName": "DAEMON",
   "asar": true,
   "directories": {
-    "output": "release"
+    "output": "release/${version}"
   },
   "files": [
     "dist-electron",
@@ -13,13 +13,24 @@
   ],
   "asarUnpack": [
     "node_modules/better-sqlite3/**",
-    "node_modules/node-pty/**",
-    "node_modules/node-pty/build/**"
+    "node_modules/node-pty/**"
+  ],
+  "publish": [
+    {
+      "provider": "github",
+      "owner": "nullxnothing",
+      "repo": "daemon"
+    }
   ],
   "mac": {
-    "target": "dmg",
+    "target": ["dmg", "zip"],
     "category": "public.app-category.developer-tools",
-    "artifactName": "${productName}_${version}.${ext}"
+    "artifactName": "${productName}-${version}-${arch}.${ext}",
+    "hardenedRuntime": true,
+    "gatekeeperAssess": false,
+    "entitlements": "build/entitlements.mac.plist",
+    "entitlementsInherit": "build/entitlements.mac.plist",
+    "notarize": false
   },
   "win": {
     "target": [
@@ -28,12 +39,20 @@
         "arch": ["x64"]
       }
     ],
-    "artifactName": "${productName}_${version}.${ext}"
+    "artifactName": "${productName}-${version}-setup.${ext}",
+    "signingHashAlgorithms": ["sha256"]
   },
   "nsis": {
     "oneClick": false,
     "perMachine": false,
     "allowToChangeInstallationDirectory": true,
-    "deleteAppDataOnUninstall": false
+    "deleteAppDataOnUninstall": false,
+    "createDesktopShortcut": true,
+    "createStartMenuShortcut": true
+  },
+  "linux": {
+    "target": ["AppImage"],
+    "category": "Development",
+    "artifactName": "${productName}-${version}.${ext}"
   }
 }
@@ -35,4 +35,6 @@ export const API_ENDPOINTS = {
   GOOGLE_OAUTH_TOKEN: 'https://oauth2.googleapis.com/token',
   GOOGLE_OAUTH_AUTH: 'https://accounts.google.com/o/oauth2/v2/auth',
   GMAIL_API_BASE: 'https://gmail.googleapis.com/gmail/v1/users/me',
+  VERCEL_API: 'https://api.vercel.com',
+  RAILWAY_API: 'https://backboard.railway.com/graphql/v2',
 } as const
@@ -1,5 +1,6 @@
 import Database from 'better-sqlite3'
 import path from 'node:path'
+import fs from 'node:fs'
 import { app } from 'electron'
 import { runMigrations } from './migrations'
 
@@ -15,13 +16,27 @@ export function getDb(): Database.Database {
   _db.pragma('foreign_keys = ON')
   _db.pragma('busy_timeout = 5000')
 
+  // Integrity check before migrations — detect corruption early
+  const integrity = _db.pragma('integrity_check') as Array<{ integrity_check: string }>
+  if (integrity[0]?.integrity_check !== 'ok') {
+    const backupPath = dbPath + '.corrupted.' + Date.now()
+    fs.copyFileSync(dbPath, backupPath)
+    _db.close()
+    _db = null
+    fs.unlinkSync(dbPath)
+    throw new Error(`Database corruption detected. Backup saved to ${backupPath}. Restarting with fresh database.`)
+  }
+
   runMigrations(_db)
 
   return _db
 }
 
 export function closeDb() {
   if (_db) {
+    try {
+      _db.pragma('wal_checkpoint(TRUNCATE)')
+    } catch { /* checkpoint is best-effort */ }
     _db.close()
     _db = null
   }
 
@@ -1,5 +1,5 @@
 import type Database from 'better-sqlite3'
-import { SCHEMA_V1, SCHEMA_V2, SCHEMA_V3, SCHEMA_V4, SCHEMA_V5, SCHEMA_V6, SCHEMA_V7, SCHEMA_V8, SCHEMA_V9 } from './schema'
+import { SCHEMA_V1, SCHEMA_V2, SCHEMA_V3, SCHEMA_V4, SCHEMA_V5, SCHEMA_V6, SCHEMA_V7, SCHEMA_V8, SCHEMA_V9, SCHEMA_V10, SCHEMA_V11, SCHEMA_V12 } from './schema'
 
 export function runMigrations(db: Database.Database) {
   db.exec(`
@@ -90,6 +90,30 @@ export function runMigrations(db: Database.Database) {
     })()
   }
 
+  if (currentVersion < 10) {
+    db.transaction(() => {
+      const stmts = SCHEMA_V10.split(';').map((s) => s.trim()).filter(Boolean)
+      for (const stmt of stmts) {
+        try { db.exec(stmt) } catch { /* column/index may already exist */ }
+      }
+      db.prepare('INSERT INTO _migrations (version) VALUES (?)').run(10)
+    })()
+  }
+
+  if (currentVersion < 11) {
+    db.transaction(() => {
+      db.exec(SCHEMA_V11)
+      db.prepare('INSERT INTO _migrations (version) VALUES (?)').run(11)
+    })()
+  }
+
+  if (currentVersion < 12) {
+    db.transaction(() => {
+      db.exec(SCHEMA_V12)
+      db.prepare('INSERT INTO _migrations (version) VALUES (?)').run(12)
+    })()
+  }
+
   // Ensure built-in tools exist (idempotent — handles upgrades where table exists but seed was missed)
   try {
     const hasRecovery = db.prepare("SELECT id FROM tools WHERE id = 'builtin-wallet-recovery'").get()