{ "bundle": { "active": true, "targets": "all", "windows": { "certificateThumbprint": null, "digestAlgorithm": "sha256", "timestampUrl": "", "webviewInstallMode": { "type": "downloadBootstrapper" }, "nsis": { "installMode": "currentUser" }, "wix": { "bannerPath": "wix/banner.bmp", "dialogImagePath": "wix/dialogImage.bmp" } }, "icon": [ "icons/32x32.png", "icons/128x128.png", "icons/128x128@2x.png", "icons/icon.icns", "icons/icon.ico" ], "resources": [], "externalBin": [], "copyright": "", "category": "SocialNetworking", "shortDescription": "Yet another matrix client", "longDescription": "", "macOS": { "frameworks": [], "minimumSystemVersion": "", "exceptionDomain": "", "signingIdentity": null, "providerShortName": null, "entitlements": null }, "linux": { "deb": { "depends": [] } }, "createUpdaterArtifacts": "v1Compatible" }, "build": { "beforeBuildCommand": "cd cinny && npm run build", "frontendDist": "../cinny/dist", "beforeDevCommand": "cd cinny && npm start", "devUrl": "http://localhost:8080" }, "productName": "Lotus Chat", "mainBinaryName": "cinny", "version": "4.12.2", "identifier": "org.lotusguild.lotus-chat", "plugins": { "updater": { "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDM1N0Y0RThCQTJEQzY1NTkKUldSWlpkeWlpMDUvTlVjejMzN0E1U0FiaVpLK05QVkRXdWlMMm1NNUprMXAvTGZSbU5maVovNmwK", "endpoints": [ "https://code.lotusguild.org/LotusGuild/cinny-desktop/releases/download/latest/release.json" ] }, "deep-link": { "desktop": { "schemes": ["matrix"] } } }, "app": { "security": { "__csp_notes": "Tightened from the fully-open policy (audit 2026-07). script-src: 'unsafe-eval' MUST stay — the native→web bridge (forward_deeplink/emit_to_web) uses window.eval, which the page CSP governs ('unsafe-eval' also covers the crypto wasm). Because eval stays enabled, anything the bridge hands to it (e.g. deep-link URLs) must be serialized as data, never concatenated as code. The sha256 hash allows the single inline `window.global ||= window;` shim in cinny's index.html (line ~96) — if that snippet or its indentation changes, recompute the hash or the shim is silently blocked. connect-src stays broad: users connect to arbitrary homeservers (img-src/media-src keep http: for plain-http homeservers, matching connect-src). Review-added allowances: Google Fonts (VT323 stylesheet+font in index.html) and the OpenStreetMap embed iframe (m.location messages). style-src keeps 'unsafe-inline' for React style attributes.", "csp": "default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-dT6noyex1I8o5CS9Sx/y8UOqwpZYIridpGz92gcObIM='; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: blob: http: https:; media-src 'self' blob: data: mediastream: http: https:; worker-src 'self' blob:; frame-src 'self' blob: https://www.openstreetmap.org; connect-src 'self' blob: data: ipc: ws: wss: http: https: http://ipc.localhost; object-src 'none'; base-uri 'self'" } } }