Missing pieces
- A DRS-style per-version release document (theme, highlights, design boundaries)
- Manifest release block fields populated (
release.installer.sha256, release.installer.path, release.version, release.verified)
- A per-version verification record (build, tests, install/uninstall, data safety) appended to the release checklist and manifest
- Recorded SHA-256 of the built installer artifact and an evidence
filehash.txt
- A release checklist per DRS with a per-version verification block
- Documentation included in publish/installer output
- Signing status and evidence (code-signed / self-signed / unsigned)
- Build and test verification —
build_verified/tests_verified are currently false
- Version consistency: manifest
project.version (0.1.0) doesn't match tauri.conf.json product version (1.0.0)
release.status and lifecycle release metadata (draft/candidate/local-verified/published) not set
- Reproducible-build guidance or dependency provenance, recommended before any public distribution
Next steps
- Inspect the nested it-tools workspace to confirm build commands and any forked modifications
- Reconcile version fields — align
Tauri-IT.manifest.toml with tauri.conf.json's product version, choosing one canonical source
- Run a clean build:
pnpm install && pnpm build && tauri build; capture build.log
- Compute SHA-256 of the final installer artifact; add artifact filename and hash to
manifest.release.installer and the release note
- Create a DRS-format release note (theme, highlights, design boundaries, built-with, release artifact section)
- Append a per-version verification block to a release checklist, recording test counts and install/uninstall checks
- Decide a signing approach and record it explicitly — including "unsigned" if that's the choice
- Bundle
docs/ (release note, trust doc) into the publish output, or include a clear external evidence folder
- Update
manifest.release.verified with build/test/install evidence and set release.status appropriately
Potential improvements
- A small local integrity verification UI that checks installer hash and evidence bundle after install
- An SBOM (CycloneDX) generated as part of the build artifacts, stored under
artifacts/sbom/
- A dependency provenance document describing exact external package versions and sources
- Automated release-evidence bundle creation (
release-evidence/vX.Y.Z/*) at build time
- A reproducible-build guide with pinned toolchain versions for Rust and Node
- An operator-facing "about / release evidence" view inside the installed app, surfacing the release note, hash, and verification logs
Creative enhancements (ideas on file, not committed)
- An offline "operator guide" inside the app surfacing release notes, the verification checklist, and rollback instructions for upgrades
- An internal "release verifier" CLI (
tauri-it-tools verify-release --artifact path --hash HASH) automating install/uninstall checks and writing release-evidence/
- A local-first updater using a signed evidence bundle on a private network share to validate and apply updates
- A small plugin host letting the operator drop local tool definitions (sandboxed) into a directory for the app to surface
- A compact, versioned vault for operator settings, with an automatic pre-migration backup step following the DRS migration contract pattern