From 2f7cec32cef71a02c6e96e1c4bd99b11f4e3469e Mon Sep 17 00:00:00 2001
From: Ivan
Date: Tue, 7 Apr 2026 16:02:41 -0500
Subject: [PATCH] feat(build): skip backend-manifest.json during macOS universal builds to ensure identical non-binary files
---
 docs/meshchatx.md | 4 ++--
 package.json | 3 ++-
 scripts/build-backend.js | 14 +++++++++++++-
 scripts/build-macos-universal.sh | 6 ++++++
 4 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/docs/meshchatx.md b/docs/meshchatx.md
index 7ddc353..3498dfe 100644
--- a/docs/meshchatx.md
+++ b/docs/meshchatx.md
@@ -105,7 +105,7 @@ The project favors predictable SQL behavior and explicit migration control, whic
 - Auth and access-attempt tracking integrated with IP/User-Agent aware controls
 - Debug endpoints provide visibility into logs and access-attempt records
-This is also very well tested, but I still would not recommend exposing MeshChatX to the internet.
+This is also very well tested, but I still would not recommend exposing MeshChatX to the internet.
 ## Security Model
@@ -155,4 +155,4 @@ When adding features, prefer:
 - identity-scoped state over global mutable state,
 - explicit migration/version changes for DB schema updates,
-- endpoint-level tests plus focused manager unit tests.
\ No newline at end of file
+- endpoint-level tests plus focused manager unit tests.
diff --git a/package.json b/package.json
index adad7f7..3295533 100644
--- a/package.json
+++ b/package.json
@@ -141,7 +141,8 @@
 "from": "build/exe/darwin-${arch}",
 "to": "backend",
 "filter": [
- "**/*"
+ "**/*",
+ "!backend-manifest.json"
 ]
 }
 ]
diff --git a/scripts/build-backend.js b/scripts/build-backend.js
index b7ea5d3..b474851 100755
--- a/scripts/build-backend.js
+++ b/scripts/build-backend.js
@@ -122,7 +122,19 @@ try {
 stripPythonBytecodeArtifacts(buildDir);
 }
 const manifestPath = path.join(buildDir, "backend-manifest.json");
- generateManifest(buildDir, manifestPath);
+ const skipManifest =
+ process.env.MESHCHATX_SKIP_BACKEND_MANIFEST === "1" ||
+ process.env.MESHCHATX_SKIP_BACKEND_MANIFEST === "true";
+ if (skipManifest) {
+ if (fs.existsSync(manifestPath)) {
+ fs.unlinkSync(manifestPath);
+ }
+ console.log(
+ "Skipping backend-manifest.json (MESHCHATX_SKIP_BACKEND_MANIFEST); universal merge requires identical non-binary files."
+ );
+ } else {
+ generateManifest(buildDir, manifestPath);
+ }
 } else {
 console.error(`Build directory not found (${buildDir}), manifest generation skipped.`);
 }
diff --git a/scripts/build-macos-universal.sh b/scripts/build-macos-universal.sh
index ebf7f5c..8bb2eac 100644
--- a/scripts/build-macos-universal.sh
+++ b/scripts/build-macos-universal.sh
@@ -7,6 +7,12 @@ set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 cd "$ROOT"
+# @electron/universal merges x64 and arm64 app bundles and requires every non-binary
+# file present in both trees to have identical bytes. Per-arch backend-manifest.json
+# contents always differ, so skip embedding it here; electron/main.js treats a missing
+# manifest as "skip integrity check" (see verifyBackendIntegrity).
+export MESHCHATX_SKIP_BACKEND_MANIFEST=1
+
 pnpm run electron-postinstall
 pnpm run version:sync
 pnpm run build-frontend
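Review bot: In scripts/build-backend.js the skip branch deletes an existing backend-manifest.json on any platform as soon as MESHCHATX_SKIP_BACKEND_MANIFEST is set, and reports it only through `console.log`, so a variable left over in a CI job or developer shell silently yields a backend with no manifest. Since the comment added in build-macos-universal.sh says a missing manifest makes the app skip its integrity check, I would scope the switch to macOS, e.g. `const skipManifest = process.platform === "darwin" && ["1", "true"].includes(process.env.MESHCHATX_SKIP_BACKEND_MANIFEST);`, and use `console.warn` with a message stating that integrity verification will be unavailable for this build. The surrounding `try` block starts and ends outside the hunk, so how a failing `fs.unlinkSync` is reported cannot be checked from here.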
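Review bot: The export in scripts/build-macos-universal.sh turns off manifest generation for the whole universal build, and the added comment itself states that electron/main.js treats a missing manifest as "skip integrity check", so universal macOS packages ship with backend verification disabled and the check presumably fails open whenever the file is absent (verifyBackendIntegrity is not visible in this patch). The comment should say that outright and name what covers the gap, for example `# NOTE: universal builds ship without backend integrity verification; the app's code signature is the only tamper check.` if that is indeed the case. A sturdier follow-up, if the packaging flow allows it, would be to generate a single manifest over the merged tree, or to treat a missing manifest as an error in builds that are expected to carry one. The `"!backend-manifest.json"` filter added in package.json also looks unconditional for the `build/exe/darwin-${arch}` resources, so single-arch macOS builds would lose the manifest too; worth confirming that is intended.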