Add secure five-digit LAN pairing with automatic host discovery, encrypted credential handoff, polished host/client setup UI, persistence, tests, and documentation.

Hop-State: A_06FNQN729W1JAHZXV6PY1N0
Hop-Proposal: R_06FNQN68SGDZRN85WXQGSWG
Hop-Task: T_06FNQHGRCHN66DEC5171JF8
Hop-Attempt: AT_06FNQHGRCHPM6DR3BVFFMXG
This commit is contained in:
2026-07-13 07:15:06 -07:00
committed by Hop
parent 38dc9b80e2
commit 76ec2ecd46
11 changed files with 1009 additions and 21 deletions
+8 -3
View File
@@ -11,6 +11,7 @@ Resonant is a desktop-first music player for personal collections. The desktop a
- An offline demo library with locally synthesized audio, so the app is useful immediately after cloning
- OpenSubsonic token authentication, connection testing, complete album/song pagination, artwork, and streaming URLs
- Managed Navidrome 0.61.2 and FFmpeg sidecars, with native folder selection, first-user setup, transcoding, LAN access, process lifecycle control, and app-private server data
- One-time five-digit pairing for connecting another Resonant computer on the same network without entering a server address or credentials
- Official release download and SHA-256 verification for Apple Silicon/Intel macOS, x64/ARM64 Linux, and x64 Windows desktop builds
- A charcoal and onyx interface with coral reserved for active state and primary action
- A Tauri 2 desktop shell for macOS, Windows, and Linux development
@@ -47,8 +48,8 @@ npm run check
Open the library control in the lower-left corner.
- **This computer:** choose a music folder and a library password. Resonant starts its bundled Navidrome process on port `4533`, stores the Navidrome database under the app data directory, and stops it when Resonant closes. It shows the LAN address other computers can use, clears demo content while scanning, and waits for real indexed tracks before showing the library.
- **Existing server:** enter the URL and credentials for a Navidrome or OpenSubsonic server you already run.
- **This computer:** choose a music folder and a library password. Resonant starts its bundled Navidrome process on port `4533`, stores the Navidrome database under the app data directory, and stops it when Resonant closes. To connect another Resonant computer, show a temporary five-digit code on the host and enter it on the other computer.
- **Another computer:** enter the host's pairing code, or use the manual path by entering the URL and credentials for a Navidrome or OpenSubsonic server you already run.
Passwords are saved in Keychain on macOS, Credential Manager on Windows, or Secret Service on Linux. Browser development can preview the interface and connect to servers that allow the development origin, but secure credential persistence, native folder selection, and the managed server require the Tauri desktop app.
@@ -63,6 +64,8 @@ Resonant desktop client
│ ├── library and artwork requests
│ └── authenticated stream URLs
└── Tauri shell
├── one-time LAN pairing service
│ └── encrypted credential handoff
└── managed Navidrome sidecar
├── official, pinned, checksum-verified binary
├── bundled FFmpeg transcoder
@@ -79,7 +82,9 @@ The protocol boundary is deliberate. Resonant owns the product experience withou
## Network boundary
The managed server is reachable by devices on the same LAN and is protected by the library password. It intentionally does not configure routers, public DNS, certificates, or internet exposure. Do not forward port `4533` directly to the public internet; remote access should use a trusted VPN or a TLS reverse proxy.
The managed server is reachable by devices on the same LAN and is protected by the library password. A pairing code expires after two minutes, can be used once, and stops accepting connections after five attempts. Resonant uses the code in a password-authenticated key exchange, then encrypts the credential handoff; the library password is never sent in plain text. Pairing uses local broadcast discovery, so segmented Wi-Fi or VLAN networks may require the manual connection path.
Resonant intentionally does not configure routers, public DNS, certificates, or internet exposure. Do not forward port `4533` directly to the public internet; remote access should use a trusted VPN or a TLS reverse proxy.
## Next milestones