feat: implement color theme selection and notification system

.env.example

@@ -0,0 +1,8 @@
+# Ora Browser Private Key
+# This file contains sensitive cryptographic keys - NEVER commit to git!
+# Copy this file to .env and add your actual private key
+
+ORA_PRIVATE_KEY=-----BEGIN PRIVATE KEY-----
+# Paste your Ed25519 private key here
+# This key is used to sign app updates for security
+-----END PRIVATE KEY-----

.github/workflows/deploy-appcast.yml

@@ -0,0 +1,32 @@
+name: Deploy Appcast
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to deploy'
+        required: true
+        type: string
+
+jobs:
+  deploy-appcast:
+    runs-on: macos-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Download appcast from release
+      run: |
+        # Download the appcast.xml from the latest release
+        curl -L -o appcast.xml "https://raw.githubusercontent.com/${{ github.repository }}/release/appcast.xml"
+
+    - name: Deploy to GitHub Pages
+      uses: peaceiris/actions-gh-pages@v3
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        publish_dir: .
+        publish_branch: gh-pages
+        keep_files: true
+        exclude_assets: 'build/**,*.sh,*.yml,*.md,*.json,*.xcodeproj/**,ora/**,docs/**,SECURITY.md,check-security.sh,.github/**,.gitignore,README.md,LICENSE.md'
+        destination_dir: .

.gitignore

@@ -44,5 +44,45 @@ Temporary Items
 .vscode/
 .idea/
 
-# App specific
-*.app
+# Build directory (allow directory but ignore contents)
+build/*
+!build/
+!build/.gitkeep
+
+# Build artifacts and releases
+*.app
+*.dmg
+*.pkg
+*.zip
+*.tar.gz
+appcast.xml
+appcast.xml.bak
+dsa_priv.pem
+dsa_pub.pem
+exportOptions.plist
+Ora-Browser.dmg
+rw.*.Ora-Browser.dmg
+
+# Sparkle and signing (SECURITY: Never commit private keys!)
+*_private.pem
+*_public.pem
+*.pem
+dsa_priv.pem    # CRITICAL: Never commit this file!
+dsa_pub.pem     # Public key (safe to commit if needed)
+
+# Environment files (contains private keys!)
+.env
+.env.local
+.env.*.local
+
+# Archives and temporary files
+*.xcarchive
+*.xctimeline
+*.trace
+*.log
+
+# Release artifacts (keep in build/ folder)
+# Uncomment these if you want to commit release artifacts:
+# !build/*.dmg
+# !build/appcast.xml
+# !build/dsa_pub.pem

README.md

@@ -3,8 +3,10 @@
 Ora is a fast, secure, and beautiful browser built for macOS. Inspired by Safari and Arc, Ora delivers a clean, native experience that feels at home on macOS — without unnecessary bloat.
 
 > **⚠️ Disclaimer**  
-> Ora is currently in active development and **not yet ready for day-to-day use**.  
-> An alpha version with core features will be released soon. Use at your own discretion.
+Ora is currently in early stages of development and **not yet ready for day-to-day use**. An alpha version with core functionalities will be released soon.
+
+If you would like to support the project, please consider donating via [Buy Me A Coffee](https://buymeacoffee.com/orabrowser).
+[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoffee.com/orabrowser)
 
 ## Features
 
@@ -47,6 +49,33 @@ Ora is a fast, secure, and beautiful browser built for macOS. Inspired by Safari
 - Tools: `xcodegen`, `swiftlint`, `swiftformat` (installed by the setup script)
 - Optional: `xcbeautify` (for prettier CLI build output)
 
+## Key Management for Updates
+
+Ora Browser uses Ed25519 cryptographic keys to sign and verify app updates for security:
+
+### Public Key (Committed to Git)
+- **File**: `ora_public_key.pem`
+- **Purpose**: Verifies update signatures in the app
+- **Status**: Committed to git repository
+- **Safety**: Public keys are safe to share
+
+### Private Key (Never Commit!)
+- **File**: `.env` (contains `ORA_PRIVATE_KEY`)
+- **Purpose**: Signs app updates during release
+- **Status**: Never committed to git
+- **Safety**: Keep secure and private
+
+### Setup Process
+1. **First machine**: Keys auto-generated and saved appropriately
+2. **Additional machines**: Copy `.env` file from first machine
+3. **Release process**: `./create-release.sh` handles key management automatically
+
+### Security Notes
+- `.env` is in `.gitignore` - it will never be committed
+- Public key is committed - this is safe and required
+- Never share your private key with anyone
+- If private key is lost, you'll need to regenerate keys (breaks update chain)
+
 ## Installation
 
 1. Clone the repository.
@@ -126,37 +155,39 @@ rm -f "$(getconf DARWIN_USER_DIR 2>/dev/null || echo "$HOME/Library/Application
 
 ### Releases and Updates
 
-Ora uses [Sparkle](https://sparkle-project.org/) for automatic updates. To set up releases:
+Ora uses [Sparkle](https://sparkle-project.org/) for automatic updates. All build artifacts are organized in the `build/` directory.
 
 1. **Add Sparkle dependency:**
    - Open `Ora.xcodeproj` in Xcode
-   - Go to File > Add Packages...
+   - Go to File → Add Packages...
    - Add `https://github.com/sparkle-project/Sparkle` (version 2.6.3+)
    - Add Sparkle to your target
 
-2. **Setup Sparkle keys:**
+2. **Setup Sparkle tools:**
    ```bash
+   brew install --cask sparkle
+   ./setup-sparkle-tools.sh
    ./setup-sparkle.sh
    ```
-   This generates DSA keys for signing releases.
+   This generates DSA keys in `build/` directory.
 
 3. **Configure signing:**
-   - Copy the public key from `dsa_pub.pem` to your `Info.plist` as `SUPublicEDKey`
-   - Keep `dsa_priv.pem` secure for signing releases
+   - Copy the public key from `build/dsa_pub.pem` to your `Info.plist` as `SUPublicEDKey`
+   - Keep `build/dsa_priv.pem` secure for signing releases
    - Add `SUFeedURL` to Info.plist pointing to your appcast.xml URL
 
 4. **Create a release:**
    ```bash
-   ./create-release.sh 0.0.2 dsa_priv.pem
+   ./create-release.sh 0.0.2 build/dsa_priv.pem
    ```
-   This builds, signs, and prepares the release files.
+   This builds, signs, and prepares release files in `build/`.
 
 5. **Host appcast.xml:**
-   - Upload `appcast.xml` to a public URL (e.g., GitHub Pages)
+   - Upload `build/appcast.xml` to a public URL (e.g., GitHub Pages)
    - Update `SUFeedURL` in `Info.plist` to point to your appcast.xml
 
 6. **Publish release:**
-   - Upload `Ora-Browser.dmg` to GitHub releases
+   - Upload `build/Ora-Browser.dmg` to GitHub releases
    - Users will automatically receive update notifications
 
 The app includes automatic update checking in Settings > General.
@@ -178,6 +209,12 @@ The app includes automatic update checking in Settings > General.
 
 Keyboard shortcuts: see `ora/Common/Constants/KeyboardShortcuts.swift`.
 
+## Documentation
+
+- **[Quick Start Guide](docs/QUICK_START.md)** - 5-minute setup for hosting and updates
+- **[Hosting Setup Guide](docs/HOSTING_SETUP.md)** - Complete guide for update hosting and deployment
+- **[Documentation Index](docs/README.md)** - All documentation organized by topic
+
 ## Contributing
 
 Contributions are welcome! To propose changes:

SECURITY.md

@@ -0,0 +1,43 @@
+# Ora Browser Security Guide
+
+## 🔐 DSA Key Management
+
+### Private Key Security
+- **NEVER** commit `build/dsa_priv.pem` to version control
+- **NEVER** share the private key with anyone
+- **NEVER** delete the private key once you've published releases with it
+
+### Key Generation & Reuse
+- Generate DSA keys **once** when setting up Sparkle updates
+- **Reuse the same keys** for all future releases
+- Deleting and regenerating keys will break the update chain for existing users
+
+### Security Checks
+Run `./check-security.sh` to verify:
+- Private key exists but is not tracked by git
+- Public key is available for app integration
+- `.gitignore` properly excludes sensitive files
+
+### Release Process
+1. Run `./create-release.sh <version>` - reuses existing keys automatically
+2. Upload `build/Ora-Browser.dmg` to GitHub releases
+3. Host `build/appcast.xml` at a public URL
+4. Add `build/dsa_pub.pem` content to app's `SUPublicEDKey` in Info.plist
+
+### Files to Keep Secure
+- `build/dsa_priv.pem` - **KEEP PRIVATE, NEVER COMMIT**
+- `build/dsa_pub.pem` - Safe to commit if needed for CI/CD
+- `build/appcast.xml` - Contains signatures, safe to host publicly
+
+### Emergency Key Regeneration
+If private key is compromised:
+1. Delete `build/dsa_priv.pem` and `build/dsa_pub.pem`
+2. Run `./create-release.sh <new-version>` to generate fresh keys
+3. Update app's `SUPublicEDKey` with new public key
+4. Existing users will need to download fresh installers
+
+## 🚨 Security Violations
+If you see any of these, stop immediately:
+- `dsa_priv.pem` appears in `git status`
+- Private key is committed to repository
+- Private key is shared or transmitted insecurely

appcast.xml

@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
-    <channel>
-        <title>Ora Browser Changelog</title>
-        <description>Most recent changes with links to updates.</description>
-        <language>en</language>
-        <item>
-            <title>Ora Browser 0.0.1</title>
-            <description>
-                <![CDATA[
-                <h2>Initial Release</h2>
-                <p>Ora Browser is a fast, secure, and beautiful browser built for macOS.</p>
-                <ul>
-                    <li>Native macOS UI built with SwiftUI</li>
-                    <li>Fast browsing powered by WebKit</li>
-                    <li>Privacy-first with built-in content blocker</li>
-                    <li>Multiple search engine support</li>
-                    <li>Developer tools and extensions support</li>
-                </ul>
-                ]]>
-            </description>
-            <pubDate>Mon, 04 Sep 2025 12:00:00 +0000</pubDate>
-            <enclosure url="https://github.com/the-ora/browser/releases/download/v0.0.1/Ora-Browser.dmg"
-                       sparkle:version="1"
-                       sparkle:shortVersionString="0.0.1"
-                       length="0"
-                       type="application/octet-stream"
-                       sparkle:dsaSignature="YOUR_DSA_SIGNATURE_HERE"/>
-        </item>
-    </channel>
-</rss>
+  <channel>
+    <title>Ora Browser Changelog</title>
+    <description>Most recent changes with links to updates.</description>
+    <language>en</language>
+    <item>
+      <title>Version 0.0.62</title>
+      <description><![CDATA[
+        <h2>Ora Browser v0.0.62</h2>
+        <p>Latest release of Ora Browser with the following features:</p>
+        <ul>
+          <li>Modern web browsing experience</li>
+          <li>Tabbed interface with sidebar</li>
+          <li>Built-in ad blocking</li>
+          <li>Privacy-focused design</li>
+          <li>Automatic update system</li>
+        </ul>
+        <p>This release includes bug fixes and performance improvements. Enjoy browsing with Ora!</p>
+      ]]></description>
+      <pubDate>Fri, 05 Sep 2025 14:54:35 +0000</pubDate>
+      <enclosure url="https://github.com/the-ora/browser/releases/download/v0.0.62/Ora-Browser-0.0.62.dmg"
+                 sparkle:version="0.0.62"
+                 sparkle:shortVersionString="0.0.62"
+                 length="3873849"
+                 type="application/octet-stream"
+                  sparkle:edSignature="SfCKAcVQmxuvZHH8Ll2P3acmZEuJ1RAuiVeLFN32G/DxlsPc0kMvSrdcakMlwI9PlPPAUT+OKCgrv4liPSTtDw=="/>
+    </item>
+  </channel>
+</rss>

appcast.xml.backup

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <channel>
+    <title>Ora Browser Changelog</title>
+    <description>Most recent changes with links to updates.</description>
+    <language>en</language>
+    <item>
+      <title>Version 0.0.30</title>
+      <description><![CDATA[
+        <h2>Ora Browser v0.0.30</h2>
+        <p>Latest release of Ora Browser with the following features:</p>
+        <ul>
+          <li>Modern web browsing experience</li>
+          <li>Tabbed interface with sidebar</li>
+          <li>Built-in ad blocking</li>
+          <li>Privacy-focused design</li>
+          <li>Automatic update system</li>
+        </ul>
+        <p>This release includes bug fixes and performance improvements. Enjoy browsing with Ora!</p>
+      ]]></description>
+      <pubDate>Fri, 05 Sep 2025 08:19:17 +0000</pubDate>
+      <enclosure url="https://github.com/the-ora/browser/releases/download/v0.0.30/Ora-Browser.dmg"
+                 sparkle:version="0.0.30"
+                 sparkle:shortVersionString="0.0.30"
+                 length="40933888"
+                 type="application/octet-stream"
+                  sparkle:edSignature="xgw9JY72k0tvLrqWDs++xKRrGZOGCw1jyNHVz0yqDuJ+y6i4ze8EV7Dh24tC1dSzgrBn+A6nEgzFmOlnCtpRDg=="/>
+    </item>
+  </channel>
+</rss>