reHydrate v1.0.0
First stable release. The goal of v1.0 was to ship the audit cleanups
the v0.9.x line accumulated and to land enough of the
"organise-your-library" UI for daily use against a reMarkable 2.
Added
- Folders, end-to-end. Create folders and subfolders from the
sidebar; drag-reorder rows in the sidebar (local-only ordering, not
pushed to the device); move documents into folders by drag-and-drop,
by a new "Move to folder…" item in the three-dot menus, or in bulk
from the selection bar. The "Move to folder…" picker also has an
inline "+ New folder here…" affordance so common workflows don't
dead-end in cancel-create-retry.
- Drag PDFs and EPUBs from Finder / Explorer onto the window to
import. A full-window overlay shows the drop zone; bytes travel
over IPC into a tempfile and through the existing import path. Cap
is 512 MiB per file.
- Render typed text in v6 notebook PDFs. Until now the renderer
only emitted ink strokes; typed text on a page was silently
dropped from the export. Now it lands as Helvetica at the recorded
position.
- Respect erased strokes and hidden layers when rendering
notebooks. A stroke the user erased on the tablet no longer
reappears in the exported PDF; layers toggled off on the tablet
are skipped.
- Retry button on a failed sync, plus a warning card for non-fatal
sync issues (e.g. xochitl restart failed — files landed, the
tablet's UI just needs a reboot to pick them up).
- Toast warnings for keyring write failures (Linux without
secret-service) and legacy-format notebook fallbacks (v3 / v5
.rm files that fall back to thumbnail previews).
- OCR via a user-provided Ollama daemon. "Convert to text…" on
any document renders every .rm page to PNG, ships it to
Ollama's /api/generate, and stores the transcript as a derived
artefact attached to the document's current version. The
Settings modal's Ollama tab lets the user point at a local or
remote Ollama (default http://localhost:11434) and pick from
the curated qwen3.5:4b (default, fast) / qwen3.5:9b (sharper
at cursive + math) options, or supply a custom model tag.
Qwen 3.5 is Ollama's current unified vision-language family
(released ~one month before v1.0.0) and outperforms the older
Qwen3-VL / Qwen2.5-VL lines on OCRBench (93.1%) and
OmniDocBench1.5 (90.8%) — both directly relevant to the
handwritten-notebook workload. Test Connection probes
/api/tags and reports which models are pulled. Background
progress is shown in a floating chip; the result lands in the
Transcript drawer with Save-as-.txt / Save-as-.md actions.
- Auto-OCR at startup. Optional toggle in Settings → Ollama.
When enabled, every notebook without an existing transcript is
transcribed sequentially after the app opens. Silently skips
when Ollama is unreachable (no nagging at launch); per-doc
failures don't abort the sweep; the progress chip shows
"(N of M)" batch progress and × cancels the whole queue. Off
by default — opt-in keeps first-run users from unexpected
network traffic.
- Publish transcripts as drafts to Ghost or WordPress. The
Transcript drawer's "Publish to Ghost" / "Publish to WordPress"
buttons convert the Markdown transcript to HTML and POST it
to the configured CMS as a draft. Credentials live in the OS
keychain; the Publishing tab in Settings handles entry, test
connection, and forget. Every request routes through a
host-pinned RestrictedAgent with redirects disabled, so a
hijacked CMS endpoint can't redirect transcript content
anywhere else.
- Tabbed Settings modal. New gear icon in the toolbar (and
"Settings…" entry in the menu) opens a single modal with two
tabs: Ollama (OCR) and Publishing. Failed OCR / publish actions
auto-open the relevant tab with an explanatory banner instead
of dead-ending the user on a raw error toast.
- LICENSE-MIT and LICENSE-APACHE at the repo root and a new
SECURITY.md documenting the v1.0 threat model.
Changed
- Tauri webview devtools is disabled in release builds. Dev
builds still expose F12 / Cmd+Opt+I for local debugging; the
release workflow builds with --no-default-features so end users
can't open the inspector.
- Manifest path validation now rejects control characters,
trailing dots/spaces, Windows reserved names (CON, PRN, etc.),
and NTFS alternate-data-stream colons. The export-filename
sanitiser applies the same rules so a doc titled CON exports as
doc-CON-… instead of failing silently on Windows.
- Document cache keys now include the full content hash and the
document UUID. The previous 12-char hash prefix was inside
birthday-collision range; a malicious device could craft two
documents that collide in the cache.
- update_last_seen_manifest retries on transient SQLite errors
with backoff before propagating, so a momentary busy-lock doesn't
leave the next push silently overwriting tablet-side edits.
- Single xochitl restart per push session instead of one per
document. A multi-doc push no longer blanks the tablet UI N times.
If the restart fails, the sync completes successfully but a
warning surfaces in the UI.
- GC clock-skew guard: blobs whose filesystem mtime appears to
be in the future relative to wall-clock now are kept rather than
deleted, so an NTP backwards-jump can't sweep recent blobs.
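
The manifest path rules listed above, written out as a per-component check. This is an added example, not reHydrate's own code: the function names, the error type and the '/' separator are assumptions, and matching reserved names case-insensitively and with an extension goes beyond what the changelog states.

```rust
// Added example: names and the error type are hypothetical, not reHydrate's.
#[derive(Debug, PartialEq)]
pub enum PathError { Empty, ControlChar, Colon, TrailingDotOrSpace, ReservedName }

/// True for Windows device names. Matching is case-insensitive and ignores
/// any extension, so "con.txt" is treated like "CON" (assumption: the page
/// only lists "CON, PRN, etc.").
fn is_reserved(component: &str) -> bool {
    let stem = component.split('.').next().unwrap_or("").to_ascii_uppercase();
    if ["CON", "PRN", "AUX", "NUL"].contains(&stem.as_str()) {
        return true;
    }
    // COM0..COM9 and LPT0..LPT9
    let rest = stem.strip_prefix("COM").or_else(|| stem.strip_prefix("LPT"));
    matches!(rest.map(str::as_bytes), Some([b'0'..=b'9']))
}

/// Check one path component against the four rules from the changelog.
pub fn validate_component(c: &str) -> Result<(), PathError> {
    if c.is_empty() {
        return Err(PathError::Empty);
    }
    if c.chars().any(char::is_control) {
        return Err(PathError::ControlChar);
    }
    if c.contains(':') {
        return Err(PathError::Colon); // NTFS alternate data stream separator
    }
    // Also rejects "." and "..", which end in a dot.
    if c.ends_with('.') || c.ends_with(' ') {
        return Err(PathError::TrailingDotOrSpace);
    }
    if is_reserved(c) {
        return Err(PathError::ReservedName);
    }
    Ok(())
}

/// Validate every '/'-separated component; the first failure wins.
pub fn validate_manifest_path(path: &str) -> Result<(), PathError> {
    path.split('/').try_for_each(validate_component)
}

fn main() {
    // Constructed sample paths.
    for p in ["notes/meeting.pdf", "notes/con.txt", "a/b.txt:ads", "../x", "tab\tname"] {
        println!("{:?} -> {:?}", p, validate_manifest_path(p));
    }
}
```
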
Fixed
- import_dropped_file is now size-capped at 512 MiB, matching the
cap that already protected SFTP-side reads.
- Library::reorder_folder rejects cycles in a single transaction
and the UI short-circuits descendant drops in the folder picker.
Security
See SECURITY.md for the full v1.0 threat model. Summary: SSH host-
key verification remains TOFU-without-pinning (USB-cabled threat
model); credentials live in the OS keyring; logs are size-capped and
rotated; CSP locks script-src to 'self'; no HTTP egress in any
business crate, enforced by an integration test.
Download: macOS (Apple Silicon, 11.0+) — .dmg attached below.
macOS builds are unsigned and un-notarized. First launch needs
a right-click → Open to bypass Gatekeeper.
Verifying the download: shasum -a 256 reHydrate_*.dmg
and compare against SHA256SUMS (also attached). For tamper
evidence beyond the workflow log, see this run's
build provenance attestation.
Source: built from
07a767b20f325d4cfa298e928eabeafb66c81da9.
See SECURITY.md
for the threat model and the vulnerability-report channel.