Upgraded dependencies (#761)

.github/workflows/build-and-release.yml

@@ -771,17 +771,29 @@ jobs:
           PRIVATE_PUBLISH_KEY_PASSWORD: ${{ secrets.PRIVATE_PUBLISH_KEY_PASSWORD }}
         run: |
           bundles="${{ matrix.tauri_bundle }}"
+          tauri_config_args=()
 
           if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" = "true" ]; then
             echo "Running PR test build without updater bundle signing"
             bundles="${{ matrix.tauri_bundle_pr }}"
+            tauri_config_args=(--config '{"bundle":{"createUpdaterArtifacts":false}}')
           else
             export TAURI_SIGNING_PRIVATE_KEY="$PRIVATE_PUBLISH_KEY"
             export TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$PRIVATE_PUBLISH_KEY_PASSWORD"
           fi
 
           cd runtime
-          cargo tauri build --target ${{ matrix.rust_target }} --bundles "$bundles"
+          cargo tauri build --target ${{ matrix.rust_target }} --bundles "$bundles" "${tauri_config_args[@]}"
+
+          if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" = "true" ]; then
+            updater_artifact_count=$(find target/${{ matrix.rust_target }}/release/bundle -type f \( -name '*.app.tar.gz*' -o -name '*.AppImage.tar.gz*' -o -name '*nsis.zip*' \) | wc -l)
+
+            if [ "$updater_artifact_count" -ne 0 ]; then
+              echo "PR builds must not generate updater artifacts."
+              find target/${{ matrix.rust_target }}/release/bundle -type f \( -name '*.app.tar.gz*' -o -name '*.AppImage.tar.gz*' -o -name '*nsis.zip*' \)
+              exit 1
+            fi
+          fi
 
           if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" != "true" ] && [[ "${{ matrix.platform }}" == macos* ]]; then
             app_update_archive_count=$(find target/${{ matrix.rust_target }}/release/bundle/macos -maxdepth 1 -name '*.app.tar.gz' | wc -l)
@@ -800,17 +812,29 @@ jobs:
           PRIVATE_PUBLISH_KEY_PASSWORD: ${{ secrets.PRIVATE_PUBLISH_KEY_PASSWORD }}
         run: |
           $bundles = "${{ matrix.tauri_bundle }}"
+          $tauriConfigArgs = @()
 
           if ("${{ needs.determine_run_mode.outputs.is_pr_build }}" -eq "true") {
             Write-Output "Running PR test build without updater bundle signing"
             $bundles = "${{ matrix.tauri_bundle_pr }}"
+            $tauriConfigArgs = @("--config", '{"bundle":{"createUpdaterArtifacts":false}}')
           } else {
             $env:TAURI_SIGNING_PRIVATE_KEY="$env:PRIVATE_PUBLISH_KEY"
             $env:TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$env:PRIVATE_PUBLISH_KEY_PASSWORD"
           }
 
           cd runtime
-          cargo tauri build --target ${{ matrix.rust_target }} --bundles $bundles
+          cargo tauri build --target ${{ matrix.rust_target }} --bundles $bundles @tauriConfigArgs
+
+          if ("${{ needs.determine_run_mode.outputs.is_pr_build }}" -eq "true") {
+            $updaterArtifacts = Get-ChildItem -Path "target/${{ matrix.rust_target }}/release/bundle" -Recurse -File -Include "*.app.tar.gz*", "*.AppImage.tar.gz*", "*nsis.zip*" -ErrorAction SilentlyContinue
+
+            if ($updaterArtifacts.Count -ne 0) {
+              Write-Error "PR builds must not generate updater artifacts."
+              $updaterArtifacts | ForEach-Object { Write-Error $_.FullName }
+              exit 1
+            }
+          }
 
       - name: Upload artifact (macOS)
         if: startsWith(matrix.platform, 'macos')

app/MindWork AI Studio/Assistants/I18N/allTexts.lua

@@ -6019,9 +6019,6 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Check for update
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant."
 
@@ -6160,6 +6157,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio runs w
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 

app/MindWork AI Studio/MindWork AI Studio.csproj

@@ -50,12 +50,12 @@
     <ItemGroup>
       <PackageReference Include="CodeBeam.MudBlazor.Extensions" Version="8.3.0" />
       <PackageReference Include="HtmlAgilityPack" Version="1.12.4" />
-      <PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" Version="9.0.15" />
+      <PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" Version="9.0.16" />
       <PackageReference Include="MudBlazor" Version="8.15.0" />
       <PackageReference Include="MudBlazor.Markdown" Version="8.11.0" />
-      <PackageReference Include="Qdrant.Client" Version="1.17.0" />
+      <PackageReference Include="Qdrant.Client" Version="1.18.1" />
       <PackageReference Include="ReverseMarkdown" Version="5.0.0" />
-      <PackageReference Include="LuaCSharp" Version="0.5.3" />
+      <PackageReference Include="LuaCSharp" Version="0.5.5" />
     </ItemGroup>
 
     <ItemGroup>

app/MindWork AI Studio/Pages/Information.razor

@@ -284,7 +284,7 @@
                     <ThirdPartyComponent Name="Rustls" Developer="Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Brian Smith, Jacob Hoffman-Andrews, Jorge Aparicio & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rustls/rustls/blob/main/LICENSE-MIT" RepositoryUrl="https://github.com/rustls/rustls" UseCase="@T("Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running.")"/>
                     <ThirdPartyComponent Name="serde" Developer="Erick Tryzelaar, David Tolnay & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/serde-rs/serde/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/serde-rs/serde" UseCase="@T("Now we have multiple systems, some developed in .NET and others in Rust. The data format JSON is responsible for translating data between both worlds (called data serialization and deserialization). Serde takes on this task in the Rust world. The counterpart in the .NET world is an integral part of .NET and is located in System.Text.Json.")"/>
                     <ThirdPartyComponent Name="strum_macros" Developer="Peter Glotfelty & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/Peternator7/strum/blob/master/LICENSE" RepositoryUrl="https://github.com/Peternator7/strum" UseCase="@T("This crate provides derive macros for Rust enums, which we use to reduce boilerplate when implementing string conversions and metadata for runtime types. This is helpful for the communication between our Rust and .NET systems.")"/>
-                    <ThirdPartyComponent Name="keyring" Developer="Walther Chen, Daniel Brotsky & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/hwchen/keyring-rs/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/hwchen/keyring-rs" UseCase="@T("In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.")"/>
+                    <ThirdPartyComponent Name="keyring-core" Developer="Daniel Brotsky & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/open-source-cooperative/keyring-core/blob/main/LICENSE-MIT" RepositoryUrl="https://github.com/open-source-cooperative/keyring-core" UseCase="@T("AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.")"/>
                     <ThirdPartyComponent Name="arboard" Developer="Artur Kovacs, Avi Weinstock, 1Password & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/1Password/arboard/blob/master/LICENSE-MIT.txt" RepositoryUrl="https://github.com/1Password/arboard" UseCase="@T("To be able to use the responses of the LLM in other apps, we often use the clipboard of the respective operating system. Unfortunately, in .NET there is no solution that works with all operating systems. Therefore, I have opted for this library in Rust. This way, data transfer to other apps works on every system.")"/>
                     <ThirdPartyComponent Name="tokio" Developer="Alex Crichton, Carl Lerche, Alice Ryhl, Taiki Endo, Ivan Petkov, Eliza Weisman, Lucio Franco & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/tokio-rs/tokio/blob/master/LICENSE" RepositoryUrl="https://github.com/tokio-rs/tokio" UseCase="@T("Code in the Rust language can be specified as synchronous or asynchronous. Unlike .NET and the C# language, Rust cannot execute asynchronous code by itself. Rust requires support in the form of an executor for this. Tokio is one such executor.")"/>
                     <ThirdPartyComponent Name="futures" Developer="Alex Crichton, Taiki Endo, Taylor Cramer, Nemo157, Josef Brandl, Aaron Turon & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rust-lang/futures-rs/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/rust-lang/futures-rs" UseCase="@T("This is a library providing the foundations for asynchronous programming in Rust. It includes key trait definitions like Stream, as well as utilities like join!, select!, and various futures combinator methods which enable expressive asynchronous control flow.")"/>

app/MindWork AI Studio/Plugins/languages/de-de-43065dbc-78d0-45b7-92be-f14c2926e2dc/plugin.lua

@@ -6021,9 +6021,6 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Nach Updates suc
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "Um ein beliebiges LLM nutzen zu können, muss jeder User seinen sogenannten API-Schlüssel für jeden LLM-Anbieter speichern. Dieser Schlüssel muss sicher aufbewahrt werden – ähnlich wie ein Passwort. Die sicherste Methode hierfür bieten Betriebssysteme wie macOS, Windows und Linux: Sie verfügen über Mechanismen, solche Daten – sofern vorhanden – auf spezieller Sicherheits-Hardware zu speichern. Da dies derzeit in .NET nicht möglich ist, verwenden wir diese Rust-Bibliothek."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "Diese Bibliothek wird verwendet, um HTML in Markdown umzuwandeln. Das ist zum Beispiel notwendig, wenn Sie eine URL als Eingabe für einen Assistenten angeben."
 
@@ -6162,6 +6159,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio wird m
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri wird verwendet, um die Blazor-Benutzeroberfläche bereitzustellen. Es ist ein großartiges Projekt, das die Erstellung von Desktop-Anwendungen mit Webtechnologien ermöglicht. Ich liebe Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio speichert vertrauliche Daten wie API-Schlüssel im sicheren Speicher Ihres Betriebssystems. Die Bibliothek keyring-core übernimmt dies, indem sie eine Verbindung zum macOS-Schlüsselbund, zur Windows-Anmeldeinformationsverwaltung und zum Linux Secret Service herstellt."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 

app/MindWork AI Studio/Plugins/languages/en-us-97dfb1ba-50c4-4440-8dfa-6575daf543c8/plugin.lua

@@ -6021,9 +6021,6 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Check for update
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant."
 
@@ -6162,6 +6159,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio runs w
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 

app/MindWork AI Studio/packages.lock.json

@@ -22,24 +22,28 @@
       },
       "LuaCSharp": {
         "type": "Direct",
-        "requested": "[0.5.3, )",
-        "resolved": "0.5.3",
-        "contentHash": "qpgmCaNx08+eiWOmz7U/mXOH8DXUyLW8fsCukKjN8hVled2y4HrapsZlmrnIf9iaNfEQusUR/8d1M2XX6NIzbQ=="
+        "requested": "[0.5.5, )",
+        "resolved": "0.5.5",
+        "contentHash": "IL44DCbMtEafyiy8DzHFd/f+1pXuDUVFJMCJPAu8vQHNfO3ADSoWSOKMg9Py1za/ZE1K0gs0jll1viInoN+19Q==",
+        "dependencies": {
+          "LuaCSharp.Annotations": "0.5.5",
+          "LuaCSharp.SourceGenerator": "0.5.5"
+        }
       },
       "Microsoft.Extensions.FileProviders.Embedded": {
         "type": "Direct",
-        "requested": "[9.0.15, )",
-        "resolved": "9.0.15",
-        "contentHash": "XFlI3ZISL344QdPLtaXG0yPyjkHQR82DYXrJa9aF00Qeu7dDnFxwFgP/ItkkyiLjAe/NSj6vksxOdnelXGT1vQ==",
+        "requested": "[9.0.16, )",
+        "resolved": "9.0.16",
+        "contentHash": "QRlSWz7zEplBxETrySKK3qpPm/7NPaRGnUpEXQNP3k6Ht2KdVy59JcoUPXlNGnNE3tJd3ycXfMeWqxBG6SyV0w==",
         "dependencies": {
-          "Microsoft.Extensions.FileProviders.Abstractions": "9.0.15"
+          "Microsoft.Extensions.FileProviders.Abstractions": "9.0.16"
         }
       },
       "Microsoft.NET.ILLink.Tasks": {
         "type": "Direct",
-        "requested": "[9.0.15, )",
-        "resolved": "9.0.15",
-        "contentHash": "EejcbfCMR77Dthy77qxRbEShmzLApHZUPqXMBVQK+A0pNrRThkaHoGGMGvbq/gTkC/waKcDEgjBkbaejB58Wtw=="
+        "requested": "[9.0.16, )",
+        "resolved": "9.0.16",
+        "contentHash": "ccPBYGLPJt8DeJTUzQ0JzOh/iuUAgnjayU63PokVywAhUOx+dzDKSPTL7AG94U/VpvNXflTT2AjsFAIF1+bXBw=="
       },
       "MudBlazor": {
         "type": "Direct",
@@ -64,9 +68,9 @@
       },
       "Qdrant.Client": {
         "type": "Direct",
-        "requested": "[1.17.0, )",
-        "resolved": "1.17.0",
-        "contentHash": "QFNtVu4Kiz6NHAAi2UQk+Ia64/qyX1NMecQGIBGnKqFOlpnxI3OCCBRBKXWGPk/c+4vAmR3Dj+cQ9apqX0zU8A==",
+        "requested": "[1.18.1, )",
+        "resolved": "1.18.1",
+        "contentHash": "eBwFLihGMvN02/jr/BNdcop2XmtA10y8VMOclVZ7K2H8yheAhl7jbkf7I8e4X3RYpT+cAxgcalP4xmOhgs4KJg==",
         "dependencies": {
           "Google.Protobuf": "3.31.0",
           "Grpc.Net.Client": "2.71.0"
@@ -113,6 +117,16 @@
           "Grpc.Core.Api": "2.71.0"
         }
       },
+      "LuaCSharp.Annotations": {
+        "type": "Transitive",
+        "resolved": "0.5.5",
+        "contentHash": "5VcwcTNGCY5YXLz2BRko5/Z0YGd6MZqNsnnfPOsGHHpAtqWPFbD0vtOZR4jUqaQLtQUvl2+WRfmIOhp6L2S0rw=="
+      },
+      "LuaCSharp.SourceGenerator": {
+        "type": "Transitive",
+        "resolved": "0.5.5",
+        "contentHash": "2xHKGc1bYXTsmSzZCNmKkuAU6A+1azulNiPY/ICKBSHIgEPMNRQ7JS6PvAClrHe6bk8SKcC/fbba6igtDzDaAw=="
+      },
       "Markdig": {
         "type": "Transitive",
         "resolved": "0.41.3",
@@ -182,10 +196,10 @@
       },
       "Microsoft.Extensions.FileProviders.Abstractions": {
         "type": "Transitive",
-        "resolved": "9.0.15",
-        "contentHash": "yzWilnNU/MvHINapPhY6iFAeApZnhToXbEBplORucn01hFc1F6ZaKt0V9dHYpUMun8WR9cSnq1ky35FWREVZbA==",
+        "resolved": "9.0.16",
+        "contentHash": "/YLSWDs+p0Y4+UGPoWI3uUNq7R5/f/8zw8XeViuhfSTGnPowoqbllBE9aR4TteFgNfIH4IHkhUwSlhMLB0aL8g==",
         "dependencies": {
-          "Microsoft.Extensions.Primitives": "9.0.15"
+          "Microsoft.Extensions.Primitives": "9.0.16"
         }
       },
       "Microsoft.Extensions.Localization": {
@@ -223,8 +237,8 @@
       },
       "Microsoft.Extensions.Primitives": {
         "type": "Transitive",
-        "resolved": "9.0.15",
-        "contentHash": "WRPJ9kpIwsOcghRT0tduIqiz7CDv7WsnL4kTJavtHS4j5AW++4LlR63oOSTL2o/zLR4T1z0/FQMgrnsPJ5bpQQ=="
+        "resolved": "9.0.16",
+        "contentHash": "w5RE1MR0lnAElsRJaFd2POIXl/H62aBKmfX8ibYmRmbk0JB9V/9jR0VD5NxiP1ETWpnDAnPguTSe7fF/FdsHEQ=="
       },
       "Microsoft.JSInterop": {
         "type": "Transitive",

app/MindWork AI Studio/wwwroot/changelog/v26.5.5.md

@@ -1,3 +1,9 @@
 # v26.5.5, build 240 (2026-05-xx xx:xx UTC)
 - Improved the app's security foundation with major modernization of the native runtime and its internal communication layer. This work is mostly invisible during everyday use, but it replaces older components that no longer received the security updates we require. We also continued updating security-sensitive dependencies so AI Studio stays on a healthier, better maintained base.
-- Upgraded Tauri from v1.8.3 to v2.11.1.
+- Upgraded the native secret storage integration to `keyring-core`, keeping API keys in the secure credential store provided by the operating system.
+- Upgraded Rust to v1.95.0.
+- Upgraded .NET to v9.0.16.
+- Upgraded Tauri to v2.11.1.
+- Upgraded PDFium to v148.0.7763.0.
+- Upgraded Qdrant to v1.18.0.
+- Upgraded other dependencies as well.

metadata.txt

@@ -1,12 +1,12 @@
 26.5.4
 2026-05-13 11:58:02 UTC
 239
-9.0.116 (commit fb4af7e1b3)
-9.0.15 (commit 4250c8399a)
+9.0.117 (commit 6e241a69c1)
+9.0.16 (commit a1e6809fb8)
 1.95.0 (commit 59807616e)
 8.15.0
 2.11.1
 0089849e0c3, release
 osx-arm64
-144.0.7543.0
-1.17.1
+148.0.7763.0
+1.18.0

runtime/Cargo.toml

@@ -16,9 +16,9 @@ tauri-plugin-dialog = "2.7.1"
 tauri-plugin-opener = "2.5.4"
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.149"
-keyring = { version = "3.6.2", features = ["apple-native", "windows-native", "sync-secret-service"] }
+keyring-core = "1.0.0"
 arboard = "3.6.1"
-tokio = { version = "1.50.0", features = ["rt", "rt-multi-thread", "macros", "process"] }
+tokio = { version = "1.52.3", features = ["rt", "rt-multi-thread", "macros", "process"] }
 tokio-stream = "0.1.18"
 futures = "0.3.32"
 async-stream = "0.3.6"
@@ -31,31 +31,32 @@ rustls = { version = "0.23.28", default-features = false, features = ["aws_lc_rs
 rand = "0.10.1"
 rand_chacha = "0.10.0"
 base64 = "0.22.1"
-aes = "0.8.4"
-cbc = "0.1.2"
-pbkdf2 = "0.12.2"
-hmac = "0.12.1"
-sha2 = "0.10.8"
-rcgen = { version = "0.14.7", features = ["pem"] }
+aes = "0.9.0"
+cbc = "0.2.0"
+pbkdf2 = "0.13.0"
+hmac = "0.13.0"
+sha2 = "0.11.0"
+rcgen = { version = "0.14.8", features = ["pem"] }
 file-format = "0.29.0"
-calamine = "0.34.0"
-pdfium-render = "0.8.37"
+calamine = "0.35.0"
+pdfium-render = "0.9.1"
 sys-locale = "0.3.2"
 cfg-if = "1.0.4"
 pptx-to-md = "0.4.0"
 tempfile = "3.27.0"
 strum_macros = "0.28.0"
-sysinfo = "0.38.4"
-
-# Fixes security vulnerability downstream, where the upstream is not fixed yet:
-bytes = "1.11.1" # -> almost every dependency
-
-[target.'cfg(target_os = "linux")'.dependencies]
-# See issue https://github.com/tauri-apps/tauri/issues/4470
-reqwest = { version = "0.13.2", features = ["native-tls-vendored"] }
+sysinfo = "0.39.1"
+bytes = "1.11.1"
 
 [target.'cfg(target_os = "windows")'.dependencies]
 windows-registry = "0.6.1"
+windows-native-keyring-store = "1.0.0"
+
+[target.'cfg(target_os = "macos")'.dependencies]
+apple-native-keyring-store = { version = "1.0.0", features = ["keychain"] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+dbus-secret-service-keyring-store = { version = "1.0.0", features = ["crypto-rust"] }
 
 [target.'cfg(not(any(target_os = "android", target_os = "ios")))'.dependencies]
 tauri-plugin-global-shortcut = "2"

runtime/src/encryption.rs

@@ -2,7 +2,7 @@ use std::fmt;
 use std::time::Instant;
 use base64::Engine;
 use base64::prelude::BASE64_STANDARD;
-use aes::cipher::{block_padding::Pkcs7, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::cipher::{block_padding::Pkcs7, BlockModeDecrypt, BlockModeEncrypt, KeyIvInit};
 use hmac::Hmac;
 use log::{error, info};
 use once_cell::sync::Lazy;
@@ -107,7 +107,7 @@ impl Encryption {
         let mut buffer = vec![0u8; data.len() + 16];
         buffer[..data.len()].copy_from_slice(data);
         let encrypted = cipher
-            .encrypt_padded_mut::<Pkcs7>(&mut buffer, data.len())
+            .encrypt_padded::<Pkcs7>(&mut buffer, data.len())
             .map_err(|e| format!("Error encrypting data: {e}"))?;
         let mut result = BASE64_STANDARD.encode(self.secret_key_salt);
         result.push_str(&BASE64_STANDARD.encode(encrypted));
@@ -130,7 +130,7 @@ impl Encryption {
         let cipher = Aes256CbcDec::new(&self.key.into(), &self.iv.into());
         let mut buffer = encrypted.to_vec();
         let decrypted = cipher
-            .decrypt_padded_mut::<Pkcs7>(&mut buffer)
+            .decrypt_padded::<Pkcs7>(&mut buffer)
             .map_err(|e| format!("Error decrypting data: {e}"))?;
 
         String::from_utf8(decrypted.to_vec()).map_err(|e| format!("Error converting decrypted data to string: {}", e))

runtime/src/main.rs

@@ -10,6 +10,7 @@ use mindwork_ai_studio::environment::is_dev;
 use mindwork_ai_studio::log::init_logging;
 use mindwork_ai_studio::metadata::MetaData;
 use mindwork_ai_studio::runtime_api::start_runtime_api;
+use mindwork_ai_studio::secret::init_secret_store;
 
 #[tokio::main]
 async fn main() {
@@ -41,6 +42,7 @@ async fn main() {
         info!("Running in production mode.");
     }
 
+    init_secret_store();
     generate_runtime_certificate();
     start_runtime_api();
     

runtime/src/secret.rs

@@ -1,11 +1,43 @@
-use keyring::Entry;
-use log::{error, info, warn};
 use axum::Json;
+use keyring_core::{Entry, Error as KeyringError};
+use log::{error, info, warn};
 use serde::{Deserialize, Serialize};
-use keyring::error::Error::NoEntry;
 use crate::api_token::APIToken;
 use crate::encryption::{EncryptedText, ENCRYPTION};
 
+/// Initializes the native credential store used by keyring-core.
+pub fn init_secret_store() {
+    cfg_if::cfg_if! {
+        if #[cfg(target_os = "macos")] {
+            match apple_native_keyring_store::keychain::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the macOS Keychain credential store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the macOS Keychain credential store: {e}."),
+            }
+        } else if #[cfg(target_os = "windows")] {
+            match windows_native_keyring_store::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the Windows Credential Manager store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the Windows Credential Manager store: {e}."),
+            }
+        } else if #[cfg(target_os = "linux")] {
+            match dbus_secret_service_keyring_store::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the DBus Secret Service credential store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the DBus Secret Service credential store: {e}."),
+            }
+        } else {
+            warn!(Source = "Secret Store"; "No native credential store is configured for this platform.");
+        }
+    }
+}
+
 /// Stores a secret in the secret store using the operating system's keyring.
 pub async fn store_secret(_token: APIToken, request: Json<StoreSecret>) -> Json<StoreSecretResponse> {
     let user_name = request.user_name.as_str();
@@ -21,7 +53,16 @@ pub async fn store_secret(_token: APIToken, request: Json<StoreSecret>) -> Json<
     };
 
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            error!(Source = "Secret Store"; "Failed to create secret entry for {service} and user {user_name}: {e}.");
+            return Json(StoreSecretResponse {
+                success: false,
+                issue: e.to_string(),
+            });
+        },
+    };
     let result = entry.set_password(decrypted_text.as_str());
     match result {
         Ok(_) => {
@@ -61,7 +102,20 @@ pub struct StoreSecretResponse {
 pub async fn get_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<RequestedSecret> {
     let user_name = request.user_name.as_str();
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            if !request.is_trying {
+                error!(Source = "Secret Store"; "Failed to create secret entry for '{service}' and user '{user_name}': {e}.");
+            }
+
+            return Json(RequestedSecret {
+                success: false,
+                secret: EncryptedText::new(String::from("")),
+                issue: format!("Failed to create secret entry for '{service}' and user '{user_name}': {e}"),
+            });
+        },
+    };
     let secret = entry.get_password();
     match secret {
         Ok(s) => {
@@ -121,7 +175,17 @@ pub struct RequestedSecret {
 pub async fn delete_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<DeleteSecretResponse> {
     let user_name = request.user_name.as_str();
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            error!(Source = "Secret Store"; "Failed to create secret entry for {service} and user {user_name}: {e}.");
+            return Json(DeleteSecretResponse {
+                success: false,
+                was_entry_found: false,
+                issue: e.to_string(),
+            });
+        },
+    };
     let result = entry.delete_credential();
 
     match result {
@@ -134,7 +198,7 @@ pub async fn delete_secret(_token: APIToken, request: Json<RequestSecret>) -> Js
             })
         },
 
-        Err(NoEntry) => {
+        Err(KeyringError::NoEntry) => {
             warn!(Source = "Secret Store"; "No secret for {service} and user {user_name} was found.");
             Json(DeleteSecretResponse {
                 success: true,