Reproducible client builds
How Shhhs plans to reduce hosted-JavaScript trust with build evidence and signed artifacts.
Hosted app boundary
A hosted browser app still requires trust in the deployed JavaScript. Shhhs should reduce that gap with deterministic build instructions, versioned artifacts, checksums, and release notes instead of asking users to rely only on marketing copy.
- Build from a commit
- Verify artifact hashes
- Publish release notes
CLI artifacts
The CLI release has a manifest, SHA-256 files, and a verification command. If CI provides an Ed25519 release key, npm run cli:release signs the manifest and npm run cli:release:verify validates it. Without the key, the artifact is checksum-only beta evidence.
- Manifest
- SHA-256
- Optional Ed25519 signature
- Verify with npm run cli:release:verify
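The following added example is not Shhhs code and does not reproduce what npm run cli:release:verify does internally; it shows the manifest, SHA-256, and optional Ed25519 checks described above in Node.js, and reports checksum-only evidence separately from signed evidence. The JSON manifest layout (an artifacts list of path and sha256 entries), the file names, and the function names are assumptions.

```javascript
// Added example: manifest layout and all names are assumptions, not Shhhs code.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256Hex = (buf) => createHash('sha256').update(buf).digest('hex');

// manifestBytes: the manifest exactly as published; files: Map of path -> Buffer.
// signature / publicKey: Buffer and pinned Ed25519 key, or null for unsigned releases.
function verifyRelease(manifestBytes, files, signature, publicKey) {
  let level = 'checksum-only';
  if (signature) {
    // Verify over the raw bytes before parsing, so unsigned JSON is never trusted.
    if (!publicKey || !verify(null, manifestBytes, publicKey, signature)) {
      return { ok: false, level: 'none', failures: ['bad manifest signature'] };
    }
    level = 'signed';
  }
  const { artifacts } = JSON.parse(manifestBytes.toString('utf8'));
  const failures = [];
  for (const { path, sha256 } of artifacts) {
    const data = files.get(path);
    if (!data) failures.push(`missing: ${path}`);
    else if (sha256Hex(data) !== sha256) failures.push(`hash mismatch: ${path}`);
  }
  // A file the manifest does not list has no evidence behind it at all.
  const listed = new Set(artifacts.map((a) => a.path));
  for (const path of files.keys()) if (!listed.has(path)) failures.push(`unlisted: ${path}`);
  return { ok: failures.length === 0, level, failures };
}

// Constructed sample release with a throwaway key and two tiny artifacts.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const files = new Map([
    ['shhhs-cli.js', Buffer.from('console.log("cli")\n')],
    ['README.txt', Buffer.from('constructed sample\n')],
  ]);
  const artifacts = [...files].map(([path, data]) => ({ path, sha256: sha256Hex(data) }));
  const manifestBytes = Buffer.from(JSON.stringify({ version: '0.0.0-example', artifacts }));
  const signature = sign(null, manifestBytes, privateKey);
  const modified = new Map(files).set('shhhs-cli.js', Buffer.from('console.log("changed")\n'));
  const edited = Buffer.concat([manifestBytes, Buffer.from(' ')]);
  return {
    signed: verifyRelease(manifestBytes, files, signature, publicKey),
    unsigned: verifyRelease(manifestBytes, files, null, null),
    modifiedFile: verifyRelease(manifestBytes, modified, signature, publicKey),
    editedManifest: verifyRelease(edited, files, signature, publicKey),
  };
}
console.log(demo());
```

A caller that expects signed releases should treat any level other than signed as a failure, since a manifest delivered without its signature otherwise passes as checksum-only.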
Roadmap
The next stronger step is a public build recipe for the client bundle, then signed release artifacts and external review evidence when available.
- Client build recipe
- Signed artifacts
- External review evidence