Spaces:
Sleeping
Sleeping
solidprivacy-nl commited on
Commit ·
ef6d204
1
Parent(s): 11b1d8b
Align packaging decision with final-phase installer deferral
Browse files- DESKTOP_PACKAGING_DECISION.md +52 -341
DESKTOP_PACKAGING_DECISION.md
CHANGED
|
@@ -3,291 +3,68 @@
|
|
| 3 |
Status: completed decision/documentation-only
|
| 4 |
Repository: `solidprivacy-nl/scrub`
|
| 5 |
|
| 6 |
-
## 1. Decision
|
| 7 |
|
| 8 |
-
The
|
| 9 |
|
| 10 |
```text
|
| 11 |
-
|
| 12 |
-
```
|
| 13 |
-
|
| 14 |
-
This means Scrub is distributed as a controlled local folder containing the repository/app code, documented dependency setup and a Windows-oriented launcher wrapper. The user or IT operator starts the app locally, bound to `127.0.0.1`, and opens the local browser UI.
|
| 15 |
-
|
| 16 |
-
The recommended next concrete packaging proof, only if the coordinator approves it, is:
|
| 17 |
-
|
| 18 |
-
```text
|
| 19 |
-
WP48B or WP49B — concrete portable/PyInstaller packaging proof
|
| 20 |
-
```
|
| 21 |
-
|
| 22 |
-
The recommended later professional desktop direction is:
|
| 23 |
-
|
| 24 |
-
```text
|
| 25 |
-
Tauri shell with reusable Python core, unless team capability or frontend requirements make Electron preferable
|
| 26 |
-
```
|
| 27 |
-
|
| 28 |
-
A real MSI remains a future managed-deployment option only after packaging, signing, update, rollback, offline, network, temp-file and support boundaries have been validated.
|
| 29 |
-
|
| 30 |
-
## 2. Why portable Python folder first?
|
| 31 |
-
|
| 32 |
-
A portable Python folder is the best first local MVP distribution form because it has the lowest architecture and security risk at this stage.
|
| 33 |
-
|
| 34 |
-
It:
|
| 35 |
-
|
| 36 |
-
- reuses the current Python/Streamlit app;
|
| 37 |
-
- avoids a frontend rewrite;
|
| 38 |
-
- avoids an opaque executable bundle during early privacy validation;
|
| 39 |
-
- avoids installer/elevation/admin behavior;
|
| 40 |
-
- keeps files and dependencies easier to inspect;
|
| 41 |
-
- matches the WP46/WP47/WP48 local runtime path;
|
| 42 |
-
- supports local confidential-processing validation without claiming production maturity.
|
| 43 |
-
|
| 44 |
-
For a professional privacy product, this is important: the first serious claim should be that the app can run locally and that the local boundary is understandable and testable. It should not prematurely claim to be a finished secure desktop product.
|
| 45 |
-
|
| 46 |
-
## 3. Suitability for jurists and care organizations
|
| 47 |
-
|
| 48 |
-
### Controlled MVP / pilot
|
| 49 |
-
|
| 50 |
-
For early legal and care pilots, the best fit is:
|
| 51 |
-
|
| 52 |
-
```text
|
| 53 |
-
Portable Python folder managed by the coordinator or local IT
|
| 54 |
-
```
|
| 55 |
-
|
| 56 |
-
Reason:
|
| 57 |
-
|
| 58 |
-
- IT can inspect the folder and command before use;
|
| 59 |
-
- no installer rights are required by the app packaging itself;
|
| 60 |
-
- no production installer claim is made;
|
| 61 |
-
- no automatic update channel is introduced;
|
| 62 |
-
- confidential-processing instructions can stay explicit;
|
| 63 |
-
- local-only behavior can be validated before organizational rollout.
|
| 64 |
-
|
| 65 |
-
This is suitable for:
|
| 66 |
-
|
| 67 |
-
- small internal pilots;
|
| 68 |
-
- trusted testers;
|
| 69 |
-
- local-first workflow validation;
|
| 70 |
-
- demonstrations with synthetic or approved non-confidential data;
|
| 71 |
-
- IT/security review of the local runtime boundary.
|
| 72 |
-
|
| 73 |
-
It is not suitable yet as a broad unmanaged end-user deployment.
|
| 74 |
-
|
| 75 |
-
### Professional organizational deployment
|
| 76 |
-
|
| 77 |
-
For jurists and care organizations at production scale, the likely future need is:
|
| 78 |
-
|
| 79 |
-
```text
|
| 80 |
-
signed managed installer or enterprise deployment package
|
| 81 |
-
```
|
| 82 |
-
|
| 83 |
-
But this should come later. Before production deployment, the project needs decisions on:
|
| 84 |
-
|
| 85 |
-
- code signing;
|
| 86 |
-
- update policy;
|
| 87 |
-
- rollback policy;
|
| 88 |
-
- offline dependency/model assets;
|
| 89 |
-
- local storage location;
|
| 90 |
-
- Scrub Key protection model;
|
| 91 |
-
- logging and diagnostics;
|
| 92 |
-
- endpoint management restrictions;
|
| 93 |
-
- support process without sharing real documents;
|
| 94 |
-
- managed deployment and uninstall behavior.
|
| 95 |
-
|
| 96 |
-
## 4. Option comparison
|
| 97 |
-
|
| 98 |
-
| Option | Fit for first MVP | Fit for professional future | Security / management risk | Main reason |
|
| 99 |
-
| --- | --- | --- | --- | --- |
|
| 100 |
-
| Portable Python folder | Best | Limited but useful for controlled pilots | Lowest current risk | Transparent, inspectable, no installer/elevation, reuses current app |
|
| 101 |
-
| PyInstaller | Good next proof, not first default | Possible bridge to Windows distribution | Medium | Hides Python setup, but can create dependency, antivirus, temp-file and signing issues |
|
| 102 |
-
| Tauri | Too early for MVP | Best later professional shell candidate | Medium, after architecture work | Smaller desktop shell, good for future document-centric frontend, but requires Rust/frontend/backend design |
|
| 103 |
-
| Electron | Too early for MVP | Viable later alternative | Higher | Mature and flexible, but heavier footprint and larger dependency/security surface |
|
| 104 |
-
| MSI later | Out of scope now | Likely enterprise option after proof | High if premature; acceptable after signing/update policy | Managed deployment needs packaging maturity, signing, update/rollback and IT review |
|
| 105 |
-
|
| 106 |
-
## 5. Portable Python folder
|
| 107 |
-
|
| 108 |
-
Description:
|
| 109 |
-
|
| 110 |
-
```text
|
| 111 |
-
A local folder with the existing app, Python dependency setup, and launcher scripts.
|
| 112 |
-
```
|
| 113 |
-
|
| 114 |
-
Recommended role:
|
| 115 |
-
|
| 116 |
-
```text
|
| 117 |
-
First MVP local distribution and controlled pilot path.
|
| 118 |
-
```
|
| 119 |
-
|
| 120 |
-
Benefits:
|
| 121 |
-
|
| 122 |
-
- fastest route from current codebase to local-first validation;
|
| 123 |
-
- easiest to inspect and debug;
|
| 124 |
-
- no hidden packaging layer;
|
| 125 |
-
- no installer behavior;
|
| 126 |
-
- no admin/elevation requirement from packaging itself;
|
| 127 |
-
- no new runtime framework;
|
| 128 |
-
- no Streamlit UI changes;
|
| 129 |
-
- no Docker/Hugging Face startup changes;
|
| 130 |
-
- no cloud document processing.
|
| 131 |
-
|
| 132 |
-
Risks:
|
| 133 |
-
|
| 134 |
-
- less polished for non-technical users;
|
| 135 |
-
- dependency setup can be fragile;
|
| 136 |
-
- support burden remains higher than a signed installer;
|
| 137 |
-
- does not prove full offline behavior by itself;
|
| 138 |
-
- not ideal for broad unmanaged distribution.
|
| 139 |
-
|
| 140 |
-
Decision:
|
| 141 |
-
|
| 142 |
-
```text
|
| 143 |
-
Use this as the first local MVP distribution form.
|
| 144 |
-
```
|
| 145 |
-
|
| 146 |
-
## 6. PyInstaller
|
| 147 |
-
|
| 148 |
-
Description:
|
| 149 |
-
|
| 150 |
-
```text
|
| 151 |
-
Bundle Python app/dependencies into a Windows-friendly folder or executable.
|
| 152 |
-
```
|
| 153 |
-
|
| 154 |
-
Recommended role:
|
| 155 |
-
|
| 156 |
-
```text
|
| 157 |
-
Next approved packaging proof, not automatic production packaging.
|
| 158 |
-
```
|
| 159 |
-
|
| 160 |
-
Benefits:
|
| 161 |
-
|
| 162 |
-
- hides Python setup from end users;
|
| 163 |
-
- can produce a more recognizable Windows launch experience;
|
| 164 |
-
- can help validate bundled dependencies and local assets;
|
| 165 |
-
- can be a bridge toward a future signed installer.
|
| 166 |
-
|
| 167 |
-
Risks:
|
| 168 |
-
|
| 169 |
-
- NLP/document/PDF dependencies may be hard to bundle;
|
| 170 |
-
- model/data asset paths need careful testing;
|
| 171 |
-
- one-file mode may create temp-file behavior that requires privacy validation;
|
| 172 |
-
- antivirus false positives are possible;
|
| 173 |
-
- signing and update policies remain unresolved;
|
| 174 |
-
- still does not solve final professional UX if Streamlit remains the UI.
|
| 175 |
-
|
| 176 |
-
Decision:
|
| 177 |
-
|
| 178 |
-
```text
|
| 179 |
-
Use only as a separately approved proof package, preferably one-folder first. Do not jump directly to one-file or production installer claims.
|
| 180 |
-
```
|
| 181 |
-
|
| 182 |
-
## 7. Tauri
|
| 183 |
-
|
| 184 |
-
Description:
|
| 185 |
-
|
| 186 |
-
```text
|
| 187 |
-
Native desktop shell with web frontend and local backend integration.
|
| 188 |
-
```
|
| 189 |
-
|
| 190 |
-
Recommended role:
|
| 191 |
-
|
| 192 |
-
```text
|
| 193 |
-
Preferred later professional desktop direction if Scrub moves beyond Streamlit into a document-centric review interface.
|
| 194 |
-
```
|
| 195 |
-
|
| 196 |
-
Benefits:
|
| 197 |
-
|
| 198 |
-
- good fit for a polished desktop product;
|
| 199 |
-
- smaller desktop-shell posture than Electron in many cases;
|
| 200 |
-
- can support a future document-centric review UI;
|
| 201 |
-
- can give better control over local file dialogs, windows and user flow;
|
| 202 |
-
- can keep Python core local if backend boundaries are designed carefully.
|
| 203 |
-
|
| 204 |
-
Risks:
|
| 205 |
-
|
| 206 |
-
- requires frontend architecture work;
|
| 207 |
-
- requires Rust/Tauri build capability;
|
| 208 |
-
- Python backend/sidecar integration must be designed securely;
|
| 209 |
-
- installer/signing/update policies are still needed;
|
| 210 |
-
- premature adoption could slow privacy/core validation.
|
| 211 |
-
|
| 212 |
-
Decision:
|
| 213 |
-
|
| 214 |
-
```text
|
| 215 |
-
Keep as preferred later professional shell candidate, not MVP packaging.
|
| 216 |
-
```
|
| 217 |
-
|
| 218 |
-
## 8. Electron
|
| 219 |
-
|
| 220 |
-
Description:
|
| 221 |
-
|
| 222 |
-
```text
|
| 223 |
-
Desktop shell using Chromium/Node with a web frontend and local backend bridge.
|
| 224 |
-
```
|
| 225 |
-
|
| 226 |
-
Recommended role:
|
| 227 |
-
|
| 228 |
-
```text
|
| 229 |
-
Later alternative to Tauri if team skills, frontend requirements or ecosystem needs outweigh footprint and dependency concerns.
|
| 230 |
```
|
| 231 |
|
| 232 |
-
|
| 233 |
|
| 234 |
-
-
|
| 235 |
-
- strong frontend flexibility;
|
| 236 |
-
- many developers know web/Electron tooling;
|
| 237 |
-
- good fit for rich document-centric interfaces.
|
| 238 |
|
| 239 |
-
|
| 240 |
|
| 241 |
-
|
| 242 |
-
- larger dependency/security surface;
|
| 243 |
-
- Node/backend bridge requires strict security design;
|
| 244 |
-
- update/signing policy still required;
|
| 245 |
-
- overkill for the first local MVP.
|
| 246 |
-
|
| 247 |
-
Decision:
|
| 248 |
|
| 249 |
```text
|
| 250 |
-
|
| 251 |
```
|
| 252 |
|
| 253 |
-
|
| 254 |
-
|
| 255 |
-
Description:
|
| 256 |
|
| 257 |
```text
|
| 258 |
-
|
| 259 |
```
|
| 260 |
|
| 261 |
-
|
| 262 |
-
|
| 263 |
-
```text
|
| 264 |
-
Future enterprise deployment option only.
|
| 265 |
-
```
|
| 266 |
|
| 267 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 268 |
|
| 269 |
-
|
| 270 |
-
- supports managed deployment patterns;
|
| 271 |
-
- can support install/uninstall and versioning expectations;
|
| 272 |
-
- can fit legal/care organizational rollout.
|
| 273 |
|
| 274 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 275 |
|
| 276 |
-
|
| 277 |
-
- signing, update, rollback and support policy are required;
|
| 278 |
-
- installer may need admin or endpoint management review;
|
| 279 |
-
- wrong defaults could store sensitive runtime data in unmanaged locations;
|
| 280 |
-
- MSI does not itself solve privacy, offline, Scrub Key or telemetry risks.
|
| 281 |
|
| 282 |
-
|
| 283 |
|
| 284 |
-
|
| 285 |
-
|
| 286 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 287 |
|
| 288 |
-
|
| 289 |
|
| 290 |
-
##
|
| 291 |
|
| 292 |
A proof-of-concept may show:
|
| 293 |
|
|
@@ -295,8 +72,7 @@ A proof-of-concept may show:
|
|
| 295 |
- the app binds to `127.0.0.1`;
|
| 296 |
- Streamlit usage stats are disabled;
|
| 297 |
- documents are processed in the local Python process;
|
| 298 |
-
- no cloud document-processing endpoint is introduced by the launcher
|
| 299 |
-
- the local run path is understandable to IT/security reviewers.
|
| 300 |
|
| 301 |
A proof-of-concept must not claim:
|
| 302 |
|
|
@@ -308,12 +84,10 @@ A proof-of-concept must not claim:
|
|
| 308 |
- protected key storage;
|
| 309 |
- enterprise support readiness.
|
| 310 |
|
| 311 |
-
|
| 312 |
-
|
| 313 |
-
A production installation needs additional decisions and evidence:
|
| 314 |
|
| 315 |
- reproducible build pipeline;
|
| 316 |
-
- dependency
|
| 317 |
- code signing;
|
| 318 |
- installer/update/rollback policy;
|
| 319 |
- local storage policy;
|
|
@@ -324,30 +98,9 @@ A production installation needs additional decisions and evidence:
|
|
| 324 |
- support process for legal/care organizations;
|
| 325 |
- app verification with synthetic and approved pilot data.
|
| 326 |
|
| 327 |
-
##
|
| 328 |
-
|
| 329 |
-
For the next MVP step, the least security-/management-risk option is:
|
| 330 |
-
|
| 331 |
-
```text
|
| 332 |
-
Portable Python folder with documented local launcher
|
| 333 |
-
```
|
| 334 |
-
|
| 335 |
-
Reason:
|
| 336 |
-
|
| 337 |
-
- no installer elevation;
|
| 338 |
-
- no new desktop framework;
|
| 339 |
-
- no opaque executable bundling;
|
| 340 |
-
- no automatic updater;
|
| 341 |
-
- no additional packaging temp-file behavior;
|
| 342 |
-
- easier IT review;
|
| 343 |
-
- easiest rollback: delete/replace the folder;
|
| 344 |
-
- easiest to keep Hugging Face and local runtime boundaries separate.
|
| 345 |
-
|
| 346 |
-
For later organizational deployment, the least long-term management risk may become a signed managed installer, but only after the packaging proof and security model are mature.
|
| 347 |
|
| 348 |
-
|
| 349 |
-
|
| 350 |
-
WP49 does not implement or approve:
|
| 351 |
|
| 352 |
- MSI;
|
| 353 |
- PyInstaller build;
|
|
@@ -365,66 +118,24 @@ WP49 does not implement or approve:
|
|
| 365 |
- automatic deletion or expiry blocking;
|
| 366 |
- real-data packaging tests.
|
| 367 |
|
| 368 |
-
##
|
| 369 |
-
|
| 370 |
-
Before a real MSI, Scrub needs at least one approved concrete packaging proof package.
|
| 371 |
-
|
| 372 |
-
Recommended next packaging proof options:
|
| 373 |
-
|
| 374 |
-
```text
|
| 375 |
-
WP48B — Portable Python folder hardening proof
|
| 376 |
-
```
|
| 377 |
-
|
| 378 |
-
or:
|
| 379 |
-
|
| 380 |
-
```text
|
| 381 |
-
WP49B — PyInstaller one-folder packaging proof
|
| 382 |
-
```
|
| 383 |
-
|
| 384 |
-
The proof should validate:
|
| 385 |
-
|
| 386 |
-
- reproducible local build steps;
|
| 387 |
-
- dependency and model asset inventory;
|
| 388 |
-
- local-only launch behavior;
|
| 389 |
-
- no document-content logging;
|
| 390 |
-
- temp-file behavior;
|
| 391 |
-
- network-traffic behavior;
|
| 392 |
-
- Windows Defender/endpoint behavior;
|
| 393 |
-
- supportable folder layout;
|
| 394 |
-
- app version display;
|
| 395 |
-
- synthetic diagnostics only;
|
| 396 |
-
- no real data;
|
| 397 |
-
- no cloud processing;
|
| 398 |
-
- no change to export/reinsert semantics.
|
| 399 |
-
|
| 400 |
-
Only after that should the project decide on:
|
| 401 |
-
|
| 402 |
-
- code signing;
|
| 403 |
-
- MSI/MSIX/installer format;
|
| 404 |
-
- update channel;
|
| 405 |
-
- rollback;
|
| 406 |
-
- enterprise deployment;
|
| 407 |
-
- managed storage;
|
| 408 |
-
- helpdesk/support process;
|
| 409 |
-
- professional desktop shell migration.
|
| 410 |
-
|
| 411 |
-
## 14. Final recommendation
|
| 412 |
|
| 413 |
Recommended sequence:
|
| 414 |
|
| 415 |
```text
|
| 416 |
-
1. Keep
|
| 417 |
-
2.
|
| 418 |
-
3.
|
| 419 |
-
4.
|
| 420 |
-
5. Keep
|
| 421 |
-
6. Keep
|
|
|
|
| 422 |
```
|
| 423 |
|
| 424 |
This keeps Scrub aligned with the product promise:
|
| 425 |
|
| 426 |
```text
|
| 427 |
-
Sensitive information stays local.
|
| 428 |
The user remains in control.
|
| 429 |
The document stays readable.
|
| 430 |
Residual risk is visible.
|
|
|
|
| 3 |
Status: completed decision/documentation-only
|
| 4 |
Repository: `solidprivacy-nl/scrub`
|
| 5 |
|
| 6 |
+
## 1. Decision update after roadmap adjustment
|
| 7 |
|
| 8 |
+
The packaging decision remains valid, but the roadmap sequence is now stricter:
|
| 9 |
|
| 10 |
```text
|
| 11 |
+
Validate logic, interface, security and trustworthiness online first. Delay local installer/MSI work until the core product behavior is acceptable.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
```
|
| 13 |
|
| 14 |
+
This means the local installer is not a near-term default track. It belongs at the end of the roadmap.
|
| 15 |
|
| 16 |
+
The Hugging Face/Streamlit web prototype remains the preferred validation surface for synthetic and approved non-confidential testing because web-interface testing is faster and less labor-intensive than testing an installable desktop app.
|
|
|
|
|
|
|
|
|
|
| 17 |
|
| 18 |
+
## 2. Packaging decision
|
| 19 |
|
| 20 |
+
The recommended first local MVP distribution form, when local distribution is revisited, remains:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 21 |
|
| 22 |
```text
|
| 23 |
+
Portable Python folder with the existing local Streamlit launcher
|
| 24 |
```
|
| 25 |
|
| 26 |
+
The recommended later professional desktop direction remains:
|
|
|
|
|
|
|
| 27 |
|
| 28 |
```text
|
| 29 |
+
Tauri shell with reusable Python core, unless team capability or frontend requirements make Electron preferable
|
| 30 |
```
|
| 31 |
|
| 32 |
+
A real MSI remains a future managed-deployment option only after:
|
|
|
|
|
|
|
|
|
|
|
|
|
| 33 |
|
| 34 |
+
- logic is acceptable;
|
| 35 |
+
- interface is acceptable;
|
| 36 |
+
- security and trustworthiness are acceptable;
|
| 37 |
+
- recall/residual-risk behavior is credible;
|
| 38 |
+
- DOCX hygiene and Scrub Key risks are visibly handled;
|
| 39 |
+
- online/web workflow validation is strong;
|
| 40 |
+
- packaging, signing, update, rollback, offline, network, temp-file and support boundaries have been validated.
|
| 41 |
|
| 42 |
+
## 3. Option comparison
|
|
|
|
|
|
|
|
|
|
| 43 |
|
| 44 |
+
| Option | Current role | Later role | Main risk |
|
| 45 |
+
| --- | --- | --- | --- |
|
| 46 |
+
| Portable Python folder | Final-phase MVP local distribution candidate | Controlled local pilot path | Dependency/setup support burden |
|
| 47 |
+
| PyInstaller | Not default next work | Later one-folder proof if approved | Bundling, temp files, antivirus/signing |
|
| 48 |
+
| Tauri | Too early now | Preferred later professional shell candidate | Frontend/Rust/backend integration complexity |
|
| 49 |
+
| Electron | Too early now | Later alternative if frontend/team needs require it | Larger dependency and security surface |
|
| 50 |
+
| MSI | Out of scope now | Future managed deployment option | False production maturity if premature |
|
| 51 |
|
| 52 |
+
## 4. Why installer work is deferred
|
|
|
|
|
|
|
|
|
|
|
|
|
| 53 |
|
| 54 |
+
Installer work is deferred because it creates extra validation load before the product behavior is stable:
|
| 55 |
|
| 56 |
+
- OS-specific setup and support;
|
| 57 |
+
- antivirus/endpoint behavior;
|
| 58 |
+
- signing and trust warnings;
|
| 59 |
+
- update and rollback policy;
|
| 60 |
+
- dependency/model bundling;
|
| 61 |
+
- temp-file and network validation;
|
| 62 |
+
- enterprise deployment expectations;
|
| 63 |
+
- support process for legal/care organizations.
|
| 64 |
|
| 65 |
+
Those concerns matter, but they should not consume capacity before Scrub's core logic, interface, security and trustworthiness are acceptable.
|
| 66 |
|
| 67 |
+
## 5. Proof-of-concept versus production installation
|
| 68 |
|
| 69 |
A proof-of-concept may show:
|
| 70 |
|
|
|
|
| 72 |
- the app binds to `127.0.0.1`;
|
| 73 |
- Streamlit usage stats are disabled;
|
| 74 |
- documents are processed in the local Python process;
|
| 75 |
+
- no cloud document-processing endpoint is introduced by the launcher.
|
|
|
|
| 76 |
|
| 77 |
A proof-of-concept must not claim:
|
| 78 |
|
|
|
|
| 84 |
- protected key storage;
|
| 85 |
- enterprise support readiness.
|
| 86 |
|
| 87 |
+
A production installation needs:
|
|
|
|
|
|
|
| 88 |
|
| 89 |
- reproducible build pipeline;
|
| 90 |
+
- dependency and model asset inventory;
|
| 91 |
- code signing;
|
| 92 |
- installer/update/rollback policy;
|
| 93 |
- local storage policy;
|
|
|
|
| 98 |
- support process for legal/care organizations;
|
| 99 |
- app verification with synthetic and approved pilot data.
|
| 100 |
|
| 101 |
+
## 6. What remains outside scope
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 102 |
|
| 103 |
+
This decision does not implement or approve:
|
|
|
|
|
|
|
| 104 |
|
| 105 |
- MSI;
|
| 106 |
- PyInstaller build;
|
|
|
|
| 118 |
- automatic deletion or expiry blocking;
|
| 119 |
- real-data packaging tests.
|
| 120 |
|
| 121 |
+
## 7. Final recommendation
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 122 |
|
| 123 |
Recommended sequence:
|
| 124 |
|
| 125 |
```text
|
| 126 |
+
1. Keep validating logic/interface/security/trust online first.
|
| 127 |
+
2. Continue DOCX hygiene, Scrub Key verification, review UX and pilot workflow before installer investment.
|
| 128 |
+
3. Keep portable Python folder as the first local distribution candidate for the final phase.
|
| 129 |
+
4. Consider PyInstaller one-folder only as a later approved proof.
|
| 130 |
+
5. Keep Tauri as preferred later professional shell candidate.
|
| 131 |
+
6. Keep Electron as later alternative only.
|
| 132 |
+
7. Keep MSI as future enterprise deployment option, not current work.
|
| 133 |
```
|
| 134 |
|
| 135 |
This keeps Scrub aligned with the product promise:
|
| 136 |
|
| 137 |
```text
|
| 138 |
+
Sensitive information stays local in the final trust environment.
|
| 139 |
The user remains in control.
|
| 140 |
The document stays readable.
|
| 141 |
Residual risk is visible.
|