jared f883781c1f fix(security+audit): strip latent RCE grants, opener allowlist, GDI leaks, CI hardening
From the deep-audit wave (reviewer-verified: capability identifiers valid, no
removed-crate references, GDI free ordering correct):

- Removed 8 never-registered plugins (clipboard-manager, fs, shell, http,
  process, os, dialog, global-shortcut) from Cargo.toml AND their capability
  grants (shell:allow-execute, unscoped fs writes, http:default, …) — verified
  the web never invokes any of them. A latent RCE-class surface is gone.
- on_new_window: only http/https/mailto reach the OS opener (file:///custom
  schemes previously bypassed the opener capability scope entirely).
- set_badge_count: freed hdc + hdc_screen on all three GDI error paths
  (leaked per badge update in a long-running tray app).
- 8s reveal failsafe gated by an AtomicBool: no longer re-shows a window the
  user closed to tray; page-load reveal now fires once only (logout reloads
  don't re-surface a tray-hidden window); recovery for a missed page-load
  event preserved.
- toast.rs: store pruned on Activated too + capped at 20 (was unbounded).
- Startup no longer panics when the bundled icon is missing (tray skipped
  gracefully); msSmartScreenProtection no longer disabled (throttling
  disables kept); rust-version corrected to 1.77.2.
- release.yml update-manifest: fails on empty signatures (was: could publish
  a manifest that traps Windows users in a failed-update loop); partial-
  failure window documented. Deleted the stale upstream tauri.yml workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 08:49:07 -04:00
2022-04-29 19:52:14 +05:30
2022-09-18 20:25:59 +05:30
2023-02-24 17:30:37 +05:30

Cinny desktop

GitHub release downloads

Cinny is a matrix client focusing primarily on simple, elegant and secure interface. The desktop app is made with Tauri.

Download

Installers for macOS, Windows and Linux can be downloaded from Github releases. Releases are signed with a Ed25519 public-key.

Operating System Download
Windows Get it on Windows
macOS Get it on macOS
Linux Get it on Linux · Flatpak

Decoded public key:

RWRflTUQD3RHFtn25QNANCmePR9+4LSK89kAKTMEEB4OKpOFpLMgc64z

To verify release files, you need to download minisign tool and decode the .sig file before running:

minisign -Vm RELEASE_FILE.msi.zip -P RWRflTUQD3RHFtn25QNANCmePR9+4LSK89kAKTMEEB4OKpOFpLMgc64z -x SINGATURE.msi.zip.sig

Local development

Firstly, to setup Rust, NodeJS and build tools follow Tauri documentation.

Now, to setup development locally run the following commands:

  • git clone --recursive https://github.com/cinnyapp/cinny-desktop.git
  • cd cinny-desktop/cinny
  • npm ci
  • cd ..
  • npm ci

To build the app locally, run:

  • npm run tauri build

To start local dev server, run:

  • npm run tauri dev
S
Description
Lotus Chat desktop app (Tauri wrapper for cinny)
Readme AGPL-3.0 7.9 MiB
Languages
Rust 93.3%
JavaScript 4.9%
C 1.8%