Document Sparkle update contract

[jmcte]

Summary

• Documents Sparkle 2 as APW.app's in-app update mechanism and records the rationale over a custom updater.
• Defines the stable GitHub release appcast URL, signed appcast requirements, managed disable key, and security-update surfacing contract.
• Adds a Sparkle appcast template plus scripts/ci/validate-appcast-contract.sh, then wires that validator into fast checks.
• Validates the appcast template XML directly so the release archive URL, EdDSA signature, and length must be attributes on the <enclosure> element.
• Adds scripts/prepare-sparkle-appcast.sh and regression coverage for signed update enclosures, signed release-notes links, and critical-update release notes.
• Wires tagged release automation to publish appcast.xml and a signed APW.app update archive when SPARKLE_GENERATE_APPCAST is configured on the release runner.
• Factors native app Info.plist rendering into a tested helper and embeds Sparkle update keys when APW_SPARKLE_PUBLIC_ED_KEY is configured.
• Links the native app to Sparkle 2 through Swift Package Manager, starts SPUStandardUpdaterController behind the managed update-disable policy, and embeds Sparkle.framework into APW.app.
• Reports the managed in-app update disable policy and feed URL through APW.app status/doctor payloads.
• Hardens native-host frame reads and daemon response test reads against interrupted socket reads observed in the optional Rust CI job.
• Removes the native app AuthenticationServices error-mapping exhaustiveness warning under the current SDK.

Related issue: #57.

This now covers the documented Sparkle decision, signed appcast publication path, native bundle metadata, runtime Sparkle linkage, and managed update-disable policy. The remaining acceptance proof for #57 is a signed/notarized update-flow run against a real release appcast.

Verification

• ./scripts/ci/validate-appcast-contract.sh
• ./scripts/test-prepare-sparkle-appcast.sh
• ./scripts/test-render-native-app-info-plist.sh
• bash -n scripts/prepare-sparkle-appcast.sh scripts/test-prepare-sparkle-appcast.sh scripts/ci/validate-appcast-contract.sh scripts/ci/run-fast-checks.sh
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml"); puts "release.yml parses"'
• bash scripts/ci/run-fast-checks.sh
• swift test --package-path native-app
• bash scripts/build-native-app.sh
• native-app/dist/APW.app/Contents/MacOS/APW doctor
• test -d native-app/dist/APW.app/Contents/Frameworks/Sparkle.framework && otool -l native-app/dist/APW.app/Contents/MacOS/APW | rg -q '@loader_path/\\.\\./Frameworks'
• codesign --verify --deep --strict --verbose=2 native-app/dist/APW.app
• APW_SPARKLE_PUBLIC_ED_KEY=test-ed25519-public-key bash scripts/build-native-app.sh && grep -q '<key>SUPublicEDKey</key>' native-app/dist/APW.app/Contents/Info.plist && grep -q 'test-ed25519-public-key' native-app/dist/APW.app/Contents/Info.plist && grep -q '<key>SURequireSignedFeed</key>' native-app/dist/APW.app/Contents/Info.plist
• cargo fmt --manifest-path rust/Cargo.toml -- --check
• cargo clippy --manifest-path rust/Cargo.toml --all-targets -- -D warnings
• cargo test --manifest-path rust/Cargo.toml daemon::tests::start_daemon_native_routes_requests_and_tracks_host_disconnect
• cargo test --manifest-path rust/Cargo.toml
• git diff --check

Notes

• Sparkle security requirements are based on the current official Sparkle documentation for SUFeedURL, EdDSA signatures, SUVerifyUpdateBeforeExtraction, SURequireSignedFeed, and sparkle:criticalUpdate.
• Release automation skips appcast publication with a warning when SPARKLE_GENERATE_APPCAST is absent so it cannot publish unsigned placeholder metadata.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4f85f38132

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Scope archive signature check to the enclosure element

The signed archive enclosure assertion only greps for sparkle:edSignature= anywhere in the template, so it still passes if the archive <enclosure> loses its signature while sparkle:releaseNotesLink keeps one. In that case, fast checks would report the appcast contract as valid even though the update archive is no longer guaranteed to be signed, which weakens the security gate this script is intended to enforce.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Tie archive length validation to the enclosure entry

The archive length check matches length="[0-9]+" globally, which is satisfied by sparkle:length on sparkle:releaseNotesLink even if the archive <enclosure> no longer has a length attribute. That creates a false pass for a malformed appcast item and undermines this CI contract check for update metadata integrity.

Useful? React with 👍 / 👎.