datum-cloud
diff --git a/‎.github/workflows/bundle.yml‎
Lines changed: 18 additions & 3 deletions b/‎.github/workflows/bundle.yml‎
Lines changed: 18 additions & 3 deletions
diff --git a/‎.github/workflows/manual-release.yml‎
Lines changed: 15 additions & 2 deletions b/‎.github/workflows/manual-release.yml‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 18 additions & 151 deletions b/‎README.md‎
Lines changed: 18 additions & 151 deletions
diff --git a/‎lib/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎lib/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/src/lib.rs‎
Lines changed: 1 addition & 1 deletion b/‎lib/src/lib.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/src/repo.rs‎
Lines changed: 4 additions & 0 deletions b/‎lib/src/repo.rs‎
Lines changed: 4 additions & 0 deletions
@@ -269,7 +269,21 @@ jobs:
       contents: write
     # Only create releases for v* tags (no rolling release on main)
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    outputs:
+      # Matches desktop updater: pre-release tags (e.g. v1.0.0-beta.1) => beta channel + GitHub prerelease
+      is_prerelease: ${{ steps.channel.outputs.prerelease }}
     steps:
+      - name: Classify stable vs beta (semver pre-release tag)
+        id: channel
+        run: |
+          TAG_NAME="${{ github.ref_name }}"
+          V="${TAG_NAME#v}"
+          if [[ "$V" == *-* ]]; then
+            echo "prerelease=true" >> $GITHUB_OUTPUT
+          else
+            echo "prerelease=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Set Version Info and Paths
         id: set_paths
         run: |
@@ -305,8 +319,8 @@ jobs:
         with:
           name: ${{ env.RELEASE_NAME }}
           tag_name: ${{ env.RELEASE_TAG }}
-          make_latest: true
-          prerelease: false
+          make_latest: ${{ steps.channel.outputs.prerelease != 'true' }}
+          prerelease: ${{ steps.channel.outputs.prerelease == 'true' }}
           body: |
             Version: ${{ env.RELEASE_VERSION }}
             Tag: ${{ env.RELEASE_TAG }}
@@ -321,7 +335,8 @@ jobs:
   update-homebrew:
     needs: [release]
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    # Stable tags only — beta/pre-release builds must not replace the Homebrew cask
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && needs.release.outputs.is_prerelease == 'false'
     steps:
       - name: Download macOS artifacts
         uses: actions/download-artifact@v7
 
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: "Release version tag (e.g. v0.0.1)"
+        description: "Release tag (stable: v1.2.3 — beta: v1.2.3-beta.1; hyphen after v => GitHub pre-release, in-app beta channel)"
         required: true
         type: string
       publish_docker:
@@ -188,6 +188,18 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Classify stable vs beta (semver pre-release tag)
+        id: channel
+        env:
+          VERSION_TAG: ${{ inputs.version }}
+        run: |
+          V="${VERSION_TAG#v}"
+          if [[ "$V" == *-* ]]; then
+            echo "prerelease=true" >> $GITHUB_OUTPUT
+          else
+            echo "prerelease=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Download All Artifacts
         uses: actions/download-artifact@v7
         with:
@@ -214,8 +226,9 @@ jobs:
         with:
           name: DatumConnect ${{ inputs.version }}
           tag_name: ${{ inputs.version }}
+          # Do not mark as "latest" — tag pushes from bundle.yml own that; beta still gets prerelease: true
           make_latest: false
-          prerelease: false
+          prerelease: ${{ steps.channel.outputs.prerelease == 'true' }}
           draft: false
           files: artifacts/**/*
 
 
@@ -36,6 +36,7 @@ rand = "0.9"
 reqwest = { version = "0.12", features = ["rustls-tls", "json"] }
 rustls = { version = "0.23", features = ["ring"] }
 serde = { version = "1", features = ["derive"] }
+semver = "1.0"
 serde_json = "1.0.145"
 serde_yml = "0.0.12"
 tokio = { version = "1.34.0", features = ["full"] }
 
@@ -1,170 +1,37 @@
 ## Datum Tunnels
 
-This repo is broken into 3 components, a CLI, GUI app, and shared-core library that the CLI & GUI draw on.
+CLI, GUI app, and shared library for exposing local environments to the internet.
 
-### Download the app
-[![Download for macOS](https://img.shields.io/badge/Download-macOS-000000?logo=apple&logoColor=white)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum.dmg)
-[![Download for Windows](https://img.shields.io/badge/Download-Windows-0078D6?logo=windows&logoColor=white)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum-setup.exe)
-[![Download for Linux](https://img.shields.io/badge/Download-Linux-FCC624?logo=linux&logoColor=black)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum.AppImage)
-
-If a download fails, use the latest release page: https://github.com/datum-cloud/datum-connect/releases/latest
-
-
-### Required Tools
-* For all three crates: [`rust & cargo`](https://rust-lang.org/tools/install/)
-* For UI: [`dioxus`](https://dioxuslabs.com/learn/0.6/getting_started/)
-  * specifically, install `dx` with `cargo install dioxus-cli`
-  * if you have [`binstall`](https://github.com/cargo-bins/cargo-binstall?tab=readme-ov-file#installation), you can skip compiling `dx` from source by running `cargo binstall dioxus-cli`
-
-### Running CLI commands:
-to run without compiling, use `cargo run` in the `cli` directory:
-
-```
-cd cli
-cargo run -- --help
-```
-
-### Local forward-proxy demo (no GUI)
-This exercises the CONNECT-based gateway flow that Envoy will use in staging/prod.
-
-#### 1) Start a local DNS dev server (out-of-band)
-Use a non-`.local` origin (e.g. `datumconnect.test`):
-
-```
-cargo run -p datum-connect -- dns-dev serve \
-  --origin datumconnect.test \
-  --bind 127.0.0.1:53535 \
-  --data ./dns-dev.yml
-```
-
-#### 2) Start the listen node (connector side)
-This prints the endpoint id and the iroh UDP bound sockets you must publish:
-
-```
-cargo run -p datum-connect -- serve
-```
+### Download
 
-Copy the printed `dns-dev upsert` example, but run it via `cargo run -p datum-connect -- ...`
-and make sure the origin matches `datumconnect.test`. Quote IPv6 addresses like `"[::]:1234"`.
+**macOS (Homebrew):**
 
-#### 3) Verify TXT resolution
-The `serve` command prints the z-base-32 ID and the full DNS name. Query it with:
-
-```
-dig +norecurse @127.0.0.1 -p 53535 TXT _iroh.<z32>.datumconnect.test
+```bash
+brew install datum-cloud/tap/desktop
 ```
 
-#### 4) Start the gateway in forward mode
+**Direct download:**
 
-```
-cargo run -p datum-connect -- gateway \
-  --port 8080 \
-  --metrics-addr 127.0.0.1 \
-  --metrics-port 9090 \
-  --mode forward \
-  --discovery dns \
-  --dns-origin datumconnect.test \
-  --dns-resolver 127.0.0.1:53535
-
-Discovery modes:
-- `default`: iroh defaults (n0 preset).
-- `dns`: only the provided DNS origin/resolver.
-- `hybrid`: default + custom DNS.
-- metrics endpoint: `GET http://127.0.0.1:9090/metrics` (when `--metrics-addr` or `--metrics-port` is set)
-```
-
-#### 5) Send a CONNECT request
-If your target TCP service is on `127.0.0.1:5173`:
-
-```
-curl --proxytunnel -x 127.0.0.1:8080 \
-  --proxy-header "x-iroh-endpoint-id: REPLACE_WITH_ENDPOINT_ID" \
-  "http://127.0.0.1:5173"
-```
-
-### GUI demo (browser tunnel)
-This mirrors the same flow, but uses the GUI to create the proxy entry.
+[![Download for macOS](https://img.shields.io/badge/Download-macOS-000000?logo=apple&logoColor=white)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum.dmg)
+[![Download for Windows](https://img.shields.io/badge/Download-Windows-0078D6?logo=windows&logoColor=white)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum-setup.exe)
+[![Download for Linux](https://img.shields.io/badge/Download-Linux-FCC624?logo=linux&logoColor=black)](https://github.com/datum-cloud/datum-connect/releases/latest/download/Datum.AppImage)
 
-If you want a one-shot experience, run:
+[Latest release →](https://github.com/datum-cloud/datum-connect/releases/latest)
 
-```
-./scripts/try-ui-demo.sh
-```
+### Development
 
-It starts dns-dev, an HTTPS origin, the gateway, and the GUI, and waits for you to
-create a TCP proxy in the UI before visiting `https://localhost:5173` in the browser.
+**Requirements:** [Rust](https://rust-lang.org/tools/install/), [Dioxus CLI](https://dioxuslabs.com/learn/0.6/getting_started/) (`cargo install dioxus-cli` or `cargo binstall dioxus-cli`)
 
-#### 1) Start `dns-dev`
-```
-cargo run -p datum-connect -- dns-dev serve \
-  --origin datumconnect.test \
-  --bind 127.0.0.1:53535 \
-  --data ./dns-dev.yml
-```
+**Run the GUI:**
 
-#### 2) Start a local HTTPS origin (so the browser uses CONNECT)
-```
-openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
-  -keyout /tmp/iroh-dev.key -out /tmp/iroh-dev.crt \
-  -subj "/CN=localhost"
-openssl s_server -accept 5173 -cert /tmp/iroh-dev.crt -key /tmp/iroh-dev.key -www
-```
-
-#### 3) Run the GUI (share the repo with CLI)
-```
-export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
+```bash
 cd ui
 dx serve --platform desktop
 ```
 
-#### 4) Create a proxy in the GUI
-Add a TCP proxy for `127.0.0.1:5173`.
-
-#### 5) Start the listen node (uses the same repo)
-```
-cd ..
-export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
-cargo run -p datum-connect -- serve
-```
-Copy the printed `dns-dev upsert` example, but change the origin to `datumconnect.test`
-and run it via `cargo run -p datum-connect -- ...` (quote IPv6 addresses).
+**Run the CLI:**
 
-#### 6) Start the gateway in forward mode
-```
-export DATUM_CONNECT_REPO=$(pwd)/.datum-connect-dev
-cargo run -p datum-connect -- gateway \
-  --port 8080 \
-  --metrics-addr 127.0.0.1 \
-  --metrics-port 9090 \
-  --mode forward \
-  --discovery dns \
-  --dns-origin datumconnect.test \
-  --dns-resolver 127.0.0.1:53535
-```
-
-#### 7) Start a local entrypoint that always tunnels through the gateway
-This avoids any browser proxy configuration. It listens on `127.0.0.1:8888` and
-uses CONNECT under the hood to reach the target:
-```
-cargo run -p datum-connect -- tunnel-dev \
-  --gateway 127.0.0.1:8080 \
-  --node-id REPLACE_WITH_ENDPOINT_ID \
-  --target-host 127.0.0.1 \
-  --target-port 5173
-```
-Now visit:
-```
-https://localhost:8888
-```
-You should see the `openssl s_server` status page (cipher list + handshake info).
-That output is expected and means the CONNECT request tunneled through the gateway
-to the local origin.
-
-### Running the UI:
-
-to run the UI, make sure you have rust, cargo, and dioxus installed:
-
-```
-cd ui
-dx serve
+```bash
+cd cli
+cargo run -- --help
 ```
@@ -30,6 +30,7 @@ postcard.workspace = true
 quinn.workspace = true
 rand.workspace = true
 reqwest.workspace = true
+semver.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_yml.workspace = true
 
@@ -18,7 +18,7 @@ pub use project_control_plane::ProjectControlPlaneClient;
 pub use repo::Repo;
 pub use state::*;
 pub use tunnels::{TunnelDeleteOutcome, TunnelService, TunnelSummary};
-pub use update::{UpdateChecker, UpdateInfo, UpdateSettings};
+pub use update::{UpdateChannel, UpdateChecker, UpdateInfo, UpdateSettings};
 
 /// The root domain for datum connect urls to subdomain from. A proxy URL will
 /// be a three-word-codename subdomain off this URL. eg: "https://vast-gold-mine.iroh.datum.net"
 
@@ -17,6 +17,10 @@ use crate::{
 pub struct Repo(PathBuf);
 
 impl Repo {
+    /// Create a Repo from a path without opening/creating (for sync use cases like update install).
+    pub fn from_path(path: PathBuf) -> Self {
+        Self(path)
+    }
     const CONNECT_KEY_FILE: &str = "connect_key";
     const LISTEN_KEY_FILE: &str = "listen_key";
     const GATEWAY_KEY_FILE: &str = "gateway_key";