Skip to main content

Roadmap

Missing pieces

  • A DRS-style per-version release document (theme, highlights, design boundaries)
  • Manifest release block fields populated (release.installer.sha256, release.installer.path, release.version, release.verified)
  • A per-version verification record (build, tests, install/uninstall, data safety) appended to the release checklist and manifest
  • Recorded SHA-256 of the built installer artifact and an evidence filehash.txt
  • A release checklist per DRS with a per-version verification block
  • Documentation included in publish/installer output
  • Signing status and evidence (code-signed / self-signed / unsigned)
  • Build and test verification — build_verified/tests_verified are currently false
  • Version consistency: manifest project.version (0.1.0) doesn't match tauri.conf.json product version (1.0.0)
  • release.status and lifecycle release metadata (draft/candidate/local-verified/published) not set
  • Reproducible-build guidance or dependency provenance, recommended before any public distribution

Next steps

  1. Inspect the nested it-tools workspace to confirm build commands and any forked modifications
  2. Reconcile version fields — align Tauri-IT.manifest.toml with tauri.conf.json's product version, choosing one canonical source
  3. Run a clean build: pnpm install && pnpm build && tauri build; capture build.log
  4. Compute SHA-256 of the final installer artifact; add artifact filename and hash to manifest.release.installer and the release note
  5. Create a DRS-format release note (theme, highlights, design boundaries, built-with, release artifact section)
  6. Append a per-version verification block to a release checklist, recording test counts and install/uninstall checks
  7. Decide a signing approach and record it explicitly — including "unsigned" if that's the choice
  8. Bundle docs/ (release note, trust doc) into the publish output, or include a clear external evidence folder
  9. Update manifest.release.verified with build/test/install evidence and set release.status appropriately

Potential improvements

  • A small local integrity verification UI that checks installer hash and evidence bundle after install
  • An SBOM (CycloneDX) generated as part of the build artifacts, stored under artifacts/sbom/
  • A dependency provenance document describing exact external package versions and sources
  • Automated release-evidence bundle creation (release-evidence/vX.Y.Z/*) at build time
  • A reproducible-build guide with pinned toolchain versions for Rust and Node
  • An operator-facing "about / release evidence" view inside the installed app, surfacing the release note, hash, and verification logs

Creative enhancements (ideas on file, not committed)

  • An offline "operator guide" inside the app surfacing release notes, the verification checklist, and rollback instructions for upgrades
  • An internal "release verifier" CLI (tauri-it-tools verify-release --artifact path --hash HASH) automating install/uninstall checks and writing release-evidence/
  • A local-first updater using a signed evidence bundle on a private network share to validate and apply updates
  • A small plugin host letting the operator drop local tool definitions (sandboxed) into a directory for the app to surface
  • A compact, versioned vault for operator settings, with an automatic pre-migration backup step following the DRS migration contract pattern