Paragon panel: keep cascade passives, strip free actives; DK passive DBC fix

- PanelLearnSpellChain: record every non-chain passive as panel_spell_child;
  only revoke non-passive (Blood Presence, Death Coil, Death Grip, etc.).
- RevokeUnwantedCascadeSpellsForPlayer: skip passive rewards on login sweep.
- RevokeBlockedSpellsForPlayer: migrate legacy passive revoke rows to
  children; walk (parent, revoked) pairs from DB.
- PruneSkillLineCascadeChildrenFromDb: only strip actives wrongly stored as
  children; never strip passives.
- SpellInfoCorrections: set SPELL_ATTR0_PASSIVE on Forceful Deflection (49410)
  and Runic Focus (61455) so IsPassive() matches spellbook behavior.
- PanelUnlearnTalentPurchase: mirror resetTalents (_removeTalentAurasAndSpells,
  _removeTalent, SendTalentsInfoData) so Beast Mastery loss triggers pet reset.
- OnPlayerLogin: run legacy passive attach before scoped cascade sweep.
- Add .paragon recalibrate GM command (RBAC modify): full panel reset + AE/TE
  reconciliation for selected player or self.

Co-authored-by: Cursor <cursoragent@cursor.com>

.github/workflows/fractured-launcher-ci.yml

@@ -22,7 +22,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  electron-launcher:
+  electron-launcher-windows:
     runs-on: windows-latest
     timeout-minutes: 45
     defaults:
@@ -50,3 +50,32 @@ jobs:
             tools/fractured-launcher-electron/dist/*.exe
             tools/fractured-launcher-electron/dist/latest.yml
             tools/fractured-launcher-electron/dist/*.blockmap
+
+  electron-launcher-linux:
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    defaults:
+      run:
+        working-directory: tools/fractured-launcher-electron
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: tools/fractured-launcher-electron/package-lock.json
+
+      - name: Install and pack (AppImage)
+        run: |
+          npm ci
+          npm run pack:linux
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fractured-launcher-electron-linux-${{ github.run_id }}
+          if-no-files-found: warn
+          path: |
+            tools/fractured-launcher-electron/dist/*.AppImage
+            tools/fractured-launcher-electron/dist/*.yml
+            tools/fractured-launcher-electron/dist/*.blockmap

.github/workflows/gitea-release-sync.yml

@@ -0,0 +1,224 @@
+# Primary path for player-facing binaries: every *published* GitHub Release on this repo
+# is mirrored to your self-hosted Gitea (same tag). No public GitHub distro repo.
+#
+# Triggers:
+#   - release: published / released → GitHub “Release” (not a raw git tag alone).
+#   - workflow_dispatch → Actions → this workflow → “Run workflow” (enter tag).
+#
+# Troubleshooting: “Re-run failed jobs” on an OLD run replays the *original* workflow
+# YAML (e.g. still runs `npm run pack:win` without --publish never). After changing this
+# file on default branch, start a *new* run via “Run workflow”, not Re-run on a pre-fix run.
+#
+# Important: pushing only a git tag does NOT run this — you must create/publish a
+# Release on github.com (Releases → Draft/new release → Publish). The workflow
+# definition must exist on the repo DEFAULT branch (GitHub runs it from there).
+#
+# Steps: Windows (NSIS+portable) + Linux (AppImage) in parallel, launcher from DEFAULT BRANCH
+# overlay on tag checkout → merge with GitHub release assets → upload all to Gitea.
+#
+# Secrets: GITEA_BASE_URL, GITEA_TOKEN, GITEA_OWNER, GITEA_REPO
+# Optional variable: GITEA_TARGET_REF (see tools/fractured-launcher-electron/README.md)
+#
+# Job guard: edit `if:` if github.repository is not Dawnforger/Fractured.
+
+name: Sync release to Gitea
+
+on:
+  release:
+    types: [published, released]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag on this GitHub repo (must exist; e.g. v1.0.0)'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: gitea-release-sync-${{ github.repository }}-${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.event.release.tag_name }}
+  cancel-in-progress: false
+
+jobs:
+  meta:
+    runs-on: ubuntu-latest
+    if: github.repository == 'Dawnforger/Fractured'
+    outputs:
+      tag: ${{ steps.t.outputs.tag }}
+    steps:
+      - name: Resolve tag
+        id: t
+        shell: bash
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ github.event.inputs.tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          fi
+
+  build-electron:
+    needs: meta
+    if: github.repository == 'Dawnforger/Fractured'
+    runs-on: windows-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.meta.outputs.tag }}
+
+      # Release tags often point at server/game commits that predate launcher lib fixes.
+      # Always pack the launcher from default branch so app.asar includes the full tree.
+      - name: Overlay launcher from default branch
+        shell: bash
+        run: |
+          set -euo pipefail
+          DB="${{ github.event.repository.default_branch }}"
+          git fetch --no-tags --depth=1 origin "+refs/heads/${DB}:refs/remotes/origin/${DB}"
+          git checkout "origin/${DB}" -- tools/fractured-launcher-electron
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: tools/fractured-launcher-electron/package-lock.json
+
+      - name: Install and pack (NSIS + portable)
+        working-directory: tools/fractured-launcher-electron
+        run: |
+          npm ci
+          npm run pack:win
+
+      - name: Stage launcher files for upload
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path launcher-publish | Out-Null
+          Copy-Item tools/fractured-launcher-electron/dist/*.exe launcher-publish/
+          if (Test-Path tools/fractured-launcher-electron/dist/latest.yml) {
+            Copy-Item tools/fractured-launcher-electron/dist/latest.yml launcher-publish/
+          }
+          Get-ChildItem tools/fractured-launcher-electron/dist/*.blockmap -ErrorAction SilentlyContinue |
+            Copy-Item -Destination launcher-publish/
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: electron-dist-windows
+          path: launcher-publish/
+
+  build-electron-linux:
+    needs: meta
+    if: github.repository == 'Dawnforger/Fractured'
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.meta.outputs.tag }}
+
+      - name: Overlay launcher from default branch
+        shell: bash
+        run: |
+          set -euo pipefail
+          DB="${{ github.event.repository.default_branch }}"
+          git fetch --no-tags --depth=1 origin "+refs/heads/${DB}:refs/remotes/origin/${DB}"
+          git checkout "origin/${DB}" -- tools/fractured-launcher-electron
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: tools/fractured-launcher-electron/package-lock.json
+
+      - name: Install and pack (AppImage)
+        working-directory: tools/fractured-launcher-electron
+        run: |
+          npm ci
+          npm run pack:linux
+
+      - name: Stage Linux launcher for upload
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p launcher-linux-publish
+          shopt -s nullglob
+          cp -f tools/fractured-launcher-electron/dist/*.AppImage launcher-linux-publish/ 2>/dev/null || true
+          cp -f tools/fractured-launcher-electron/dist/*.yml launcher-linux-publish/ 2>/dev/null || true
+          cp -f tools/fractured-launcher-electron/dist/*.blockmap launcher-linux-publish/ 2>/dev/null || true
+          ls -la launcher-linux-publish/
+          if ! compgen -G "launcher-linux-publish/*.AppImage" > /dev/null; then
+            echo "No AppImage under dist/ — electron-builder linux target failed" >&2
+            exit 1
+          fi
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: electron-dist-linux
+          path: launcher-linux-publish/
+
+  sync-gitea:
+    needs: [meta, build-electron, build-electron-linux]
+    if: github.repository == 'Dawnforger/Fractured'
+    runs-on: ubuntu-latest
+    env:
+      GITEA_BASE_URL: ${{ secrets.GITEA_BASE_URL }}
+      GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+      GITEA_OWNER: ${{ secrets.GITEA_OWNER }}
+      GITEA_REPO: ${{ secrets.GITEA_REPO }}
+      GITEA_TARGET_REF: ${{ vars.GITEA_TARGET_REF }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Script may not exist on older release tags; always use default branch.
+          ref: ${{ github.event.repository.default_branch }}
+          sparse-checkout: |
+            tools/fractured-launcher-electron/scripts
+          sparse-checkout-cone-mode: true
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: electron-dist-windows
+          path: /tmp/electron-win
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: electron-dist-linux
+          path: /tmp/electron-linux
+
+      - name: Merge GitHub release assets + Electron build
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          TAG="${{ needs.meta.outputs.tag }}"
+          mkdir -p combined
+          mkdir -p /tmp/from-main
+          if gh release download "$TAG" -R "${{ github.repository }}" -D /tmp/from-main 2>/tmp/dl.err; then
+            shopt -s nullglob
+            for f in /tmp/from-main/*; do
+              if [ -f "$f" ]; then
+                cp -f "$f" combined/
+              fi
+            done
+            echo "Merged assets from ${{ github.repository }} release $TAG"
+          else
+            echo "GitHub release download note (continuing with launcher only):"
+            cat /tmp/dl.err || true
+          fi
+          shopt -s nullglob
+          for f in /tmp/electron-win/* /tmp/electron-linux/*; do
+            if [ -f "$f" ]; then
+              cp -f "$f" combined/
+            fi
+          done
+          ls -la combined/
+
+      - name: Upload to Gitea
+        run: |
+          set -euo pipefail
+          for v in GITEA_BASE_URL GITEA_TOKEN GITEA_OWNER GITEA_REPO; do
+            if [ -z "${!v:-}" ]; then
+              echo "Missing secret $v — add it under repo Settings → Secrets and variables → Actions." >&2
+              exit 1
+            fi
+          done
+          bash tools/fractured-launcher-electron/scripts/upload-release-to-gitea.sh combined "${{ needs.meta.outputs.tag }}"

scripts/vps-paragon-diagnostics.sh

@@ -0,0 +1,336 @@
+#!/usr/bin/env bash
+# Collect VPS evidence for Paragon / DBUpdater / binary staleness triage.
+# Run ON the VPS (Linux). Safe: read-only; does not restart services.
+#
+# Usage (from clone):
+#   bash scripts/vps-paragon-diagnostics.sh
+#
+# Optional environment:
+#   FRACTURED_REPO           — absolute path to Fractured git root (default: parent of scripts/)
+#   FRACTURED_WS_BIN         — path to worldserver binary (default: auto-detect)
+#   FRACTURED_WORLDSERVER_CONF — path to worldserver.conf (default: guess from BIN + common layouts)
+#   FRACTURED_SYSTEMD_UNITS  — space-separated units to try (default: "fractured-world worldserver ac-worldserver")
+#   FRACTURED_MYSQL          — prefix to invoke mysql, e.g. 'mysql -uacore -pacore -h127.0.0.1'
+#                              (default Fractured local DB user/password are often both "acore"; use ~/.my.cnf if you prefer not to pass -p on the command line)
+#                              If unset, SQL blocks are printed for manual copy-paste only.
+#   FRACTURED_SPELL_IDS      — space-separated spell IDs for spell_dbc spot-check (defaults to common DK rune spenders)
+#   FRACTURED_DIAG_OUTPUT    — full log file path (default: <repo>/var/vps-paragon-diagnostics-last.txt)
+#
+# All output is mirrored to the log file (tee) while still printing to the terminal.
+# Default path lives under var/ (gitignored in this repo). Open that file in Cursor,
+# scp it down, or: git add -f var/vps-paragon-diagnostics-last.txt  if you intend to commit it.
+
+set -u
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO="${FRACTURED_REPO:-$(cd "$SCRIPT_DIR/.." && pwd)}"
+
+DIAG_OUT="${FRACTURED_DIAG_OUTPUT:-$REPO/var/vps-paragon-diagnostics-last.txt}"
+mkdir -p "$(dirname "$DIAG_OUT")"
+exec > >(tee "$DIAG_OUT") 2>&1
+echo "Logging to: $DIAG_OUT"
+
+hr() { printf '\n%s\n' "================================================================================"; }
+sub() { printf '\n-- %s\n' "$1"; }
+
+detect_worldserver_bin() {
+  local bin="" es path u units
+  if [[ -n "${FRACTURED_WS_BIN:-}" ]]; then
+    readlink -f "$FRACTURED_WS_BIN" 2>/dev/null && return
+    echo "$FRACTURED_WS_BIN"
+    return
+  fi
+
+  units="${FRACTURED_SYSTEMD_UNITS:-fractured-world worldserver ac-worldserver}"
+  for u in $units; do
+    if systemctl is-active --quiet "$u" 2>/dev/null || systemctl is-enabled --quiet "$u" 2>/dev/null; then
+      es=$(systemctl show "$u" -p ExecStart --value 2>/dev/null || true)
+      if [[ -n "$es" ]]; then
+        if [[ "$es" == \{*path=* ]]; then
+          path=$(printf '%s' "$es" | sed -n 's/.*path=\([^;]*\).*/\1/p')
+        else
+          path=$(printf '%s' "$es" | awk '{print $1}' | sed 's/^path=//')
+        fi
+        if [[ -n "$path" && -x "$path" ]]; then
+          readlink -f "$path" 2>/dev/null && return
+        fi
+      fi
+    fi
+  done
+
+  local pid
+  pid=$(pgrep -xo worldserver 2>/dev/null || true)
+  if [[ -n "$pid" ]]; then
+    readlink -f "/proc/$pid/exe" 2>/dev/null && return
+  fi
+
+  if command -v worldserver >/dev/null 2>&1; then
+    readlink -f "$(command -v worldserver)" 2>/dev/null && return
+  fi
+
+  echo ""
+}
+
+guess_worldserver_conf() {
+  local bin="$1"
+  local d cands=()
+  [[ -z "$bin" ]] && return
+  d=$(dirname "$bin")
+  cands+=("$d/../etc/worldserver.conf")
+  cands+=("$d/../../etc/worldserver.conf")
+  cands+=("$HOME/azeroth-server/etc/worldserver.conf")
+  cands+=("$HOME/env/dist/etc/worldserver.conf")
+  for f in "${cands[@]}"; do
+    f=$(readlink -f "$f" 2>/dev/null || true)
+    if [[ -n "$f" && -f "$f" ]]; then
+      echo "$f"
+      return
+    fi
+  done
+  echo ""
+}
+
+binary_strings_paths() {
+  local ws="$1"
+  [[ -z "$ws" || ! -f "$ws" ]] && return
+  strings "$ws" 2>/dev/null | grep -iE '/(home|root|opt|srv|var)[^[:space:]]*/(Fractured|fractured|azeroth|AzerothCore|acore)' | sort -u | head -40
+}
+
+hr
+echo "Fractured Paragon / native VPS diagnostics"
+echo "Date (UTC): $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
+echo "Repo (expected): $REPO"
+
+sub "1A — worldserver binary"
+WS=$(detect_worldserver_bin || true)
+if [[ -z "$WS" ]]; then
+  echo "ERROR: Could not find worldserver. Set FRACTURED_WS_BIN=/full/path/to/worldserver and re-run."
+else
+  echo "Binary: $WS"
+  if stat -c 'binary mtime: %y' "$WS" 2>/dev/null; then
+    :
+  else
+    stat -f 'binary mtime: %Sm' -t '%Y-%m-%d %H:%M:%S %z' "$WS" 2>/dev/null || stat "$WS"
+  fi
+fi
+
+sub "1B — repo HEAD + Paragon_Essence.cpp mtime"
+if [[ -d "$REPO/.git" ]]; then
+  (cd "$REPO" && git log -1 --format='HEAD commit: %h %ci %s')
+else
+  echo "WARN: not a git repo: $REPO (set FRACTURED_REPO)"
+fi
+PE="$REPO/modules/mod-paragon/src/Paragon_Essence.cpp"
+if [[ -f "$PE" ]]; then
+  if stat -c 'Paragon_Essence.cpp mtime: %y' "$PE" 2>/dev/null; then
+    :
+  else
+    stat -f 'Paragon_Essence.cpp mtime: %Sm' -t '%Y-%m-%d %H:%M:%S %z' "$PE" 2>/dev/null || stat "$PE"
+  fi
+else
+  echo "WARN: missing $PE"
+fi
+
+sub "1C — strings heuristics (0 can mean stripped binary — use 1A+1B)"
+if [[ -n "$WS" && -f "$WS" ]]; then
+  c1=$(strings "$WS" 2>/dev/null | grep -c 'CLASS_PARAGON' || true)
+  c2=$(strings "$WS" 2>/dev/null | grep -c 'C BUILD SAVE_CURRENT' || true)
+  c3=$(strings "$WS" 2>/dev/null | grep -c 'character_paragon_build_share_archive' || true)
+  echo "CLASS_PARAGON count: $c1"
+  echo "C BUILD SAVE_CURRENT count: $c2"
+  echo "character_paragon_build_share_archive count: $c3"
+else
+  echo "(skipped — no binary)"
+fi
+
+sub "1D — binary fingerprint (compare sha256 across dev vs VPS)"
+if [[ -n "$WS" && -f "$WS" ]]; then
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$WS"
+  elif command -v shasum >/dev/null 2>&1; then
+    shasum -a 256 "$WS"
+  else
+    echo "(no sha256sum — install coreutils)"
+  fi
+  echo "Embedded revision / version strings (first matches):"
+  strings "$WS" 2>/dev/null | grep -iE 'azerothcore|revision|git|commit|build.*20[0-9]{2}' | head -25 || echo "(none matched)"
+else
+  echo "(skipped — no binary)"
+fi
+
+CONF="${FRACTURED_WORLDSERVER_CONF:-}"
+if [[ -z "$CONF" && -n "$WS" ]]; then
+  CONF=$(guess_worldserver_conf "$WS")
+fi
+
+sub "2B — worldserver.conf (updater / source / rates / paragon)"
+if [[ -n "$CONF" && -f "$CONF" ]]; then
+  echo "Using conf: $CONF"
+  grep -E '^SourceDirectory|^Updates\.EnableDatabases|^Updates\.AutoSetup|^[[:space:]]*SourceDirectory|^[[:space:]]*Updates\.EnableDatabases|^[[:space:]]*Updates\.AutoSetup' "$CONF" 2>/dev/null || echo "(no matching lines or unreadable)"
+  echo "--- Rate.RunicPower (if set) ---"
+  grep -iE '^Rate\.RunicPower|^[[:space:]]*Rate\.RunicPower' "$CONF" 2>/dev/null || echo "(not set — server uses default)"
+  echo "--- Paragon.* module options (if any) ---"
+  grep -iE '^Paragon\.|^[[:space:]]*Paragon\.' "$CONF" 2>/dev/null || echo "(no Paragon.* keys in worldserver.conf — check etc/modules/mod_paragon.conf)"
+else
+  echo "WARN: worldserver.conf not found. Set FRACTURED_WORLDSERVER_CONF=/path/to/worldserver.conf"
+fi
+
+if [[ -n "$WS" && -f "$WS" ]]; then
+  ETCGuess=$(readlink -f "$(dirname "$WS")/../etc" 2>/dev/null || true)
+  MPC="$ETCGuess/modules/mod_paragon.conf"
+  if [[ -f "$MPC" ]]; then
+    sub "2B2 — mod_paragon.conf Paragon.* toggles (non-comment)"
+    grep -E '^Paragon\.' "$MPC" 2>/dev/null | head -40 || echo "(no uncommented Paragon.* lines)"
+  fi
+fi
+
+sub "2A — path-like strings from binary (candidate source roots)"
+if [[ -n "$WS" && -f "$WS" ]]; then
+  binary_strings_paths "$WS" || true
+else
+  echo "(skipped)"
+fi
+
+sub "Resolved source root for 2D"
+RESOLVED=""
+if [[ -n "$CONF" && -f "$CONF" ]]; then
+  sd=$(awk -F= '/^[[:space:]]*SourceDirectory[[:space:]]*=/ {
+    gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2);
+    gsub(/^["'\'']|["'\'']$/, "", $2);
+    print $2; exit }' "$CONF" 2>/dev/null || true)
+  if [[ -n "${sd:-}" ]]; then
+    RESOLVED="$sd"
+  fi
+fi
+if [[ -z "$RESOLVED" ]]; then
+  RESOLVED="$REPO"
+fi
+echo "Using RESOLVED=$RESOLVED (from SourceDirectory if set in conf, else FRACTURED_REPO)"
+
+sub "2D — Paragon SQL dirs under RESOLVED"
+for subdir in \
+  "$RESOLVED/modules/mod-paragon/data/sql/db-world/updates/" \
+  "$RESOLVED/modules/mod-paragon/data/sql/db-characters/updates/"; do
+  if [[ -d "$subdir" ]]; then
+    echo "Listing: $subdir"
+    ls -la "$subdir" 2>/dev/null | tail -15
+  else
+    echo "MISSING: $subdir"
+  fi
+done
+
+sub "CMake build dir hints (common Fractured layouts)"
+for cand in "$REPO/var/build/obj" "$REPO/build" "$REPO/../build"; do
+  if [[ -f "$cand/CMakeCache.txt" ]]; then
+    echo "Found CMakeCache: $cand/CMakeCache.txt"
+    grep -E '^CMAKE_HOME_DIRECTORY:|^MODULES:|^CMAKE_INSTALL_PREFIX:' "$cand/CMakeCache.txt" 2>/dev/null | head -5
+  fi
+done
+
+sub "DATABASE — updates rows (2026_05_10 / paragon)"
+SQL_WORLD=$(cat <<'EOS'
+SELECT name, hash, speed FROM updates
+ WHERE name LIKE '2026_05_10%' OR name LIKE '%paragon%'
+ ORDER BY name DESC LIMIT 30;
+EOS
+)
+SQL_CHAR="$SQL_WORLD"
+
+if [[ -n "${FRACTURED_MYSQL:-}" ]]; then
+  echo "--- acore_world ---"
+  $FRACTURED_MYSQL acore_world -e "$SQL_WORLD" || echo "(mysql failed for acore_world)"
+  echo "--- acore_characters ---"
+  $FRACTURED_MYSQL acore_characters -e "$SQL_CHAR" || echo "(mysql failed for acore_characters)"
+
+  sub "DATABASE — DBC parity for runes / Paragon (acore_world)"
+  # Common DK rune spenders (WotLK). Override: export FRACTURED_SPELL_IDS='45477 45462'
+  SPELL_IDS="${FRACTURED_SPELL_IDS:-45477 45462 49923 55050 56815}"
+  IDS_CSV=$(echo "$SPELL_IDS" | tr ' ' ',')
+  echo "--- spell_dbc table size (world DB overrides; 0 rows = all spells from disk DBC only) ---"
+  $FRACTURED_MYSQL acore_world -e "SELECT COUNT(*) AS spell_dbc_rows FROM spell_dbc;" 2>/dev/null || echo "(spell_dbc missing or no access)"
+  echo "--- acore_world.version (last core revision written by worldserver) ---"
+  $FRACTURED_MYSQL acore_world -e "SELECT * FROM version LIMIT 5;" 2>/dev/null || echo "(version table missing?)"
+
+  echo "--- chrclasses_dbc class 6 + 12 (DisplayPower: 0=mana, 5=POWER_RUNE in AC) ---"
+  $FRACTURED_MYSQL acore_world -e "
+SELECT ID, DisplayPower, Name_Lang_enUS FROM chrclasses_dbc WHERE ID IN (6,12);
+" 2>/dev/null || echo "(query failed — chrclasses_dbc missing?)"
+  echo "Note: If only ID=12 appears, class 6 (DK) is not overridden in DB — loaded from disk DBC (normal)."
+
+  echo "--- spell_dbc: are sample DK spells overridden in DB? ---"
+  spell_sample_n=$($FRACTURED_MYSQL acore_world -N -B -e \
+    "SELECT COUNT(*) FROM spell_dbc WHERE ID IN ($IDS_CSV);" 2>/dev/null || echo 0)
+  echo "Row count in spell_dbc for sample IDs ($SPELL_IDS): ${spell_sample_n:-0}"
+  if [[ "${spell_sample_n:-0}" == "0" ]]; then
+    echo "=> 0 means those spells use on-disk Spell.dbc only; the sample block below will be empty (not an error)."
+  fi
+  echo "--- spell_dbc sample (PowerType 5 = POWER_RUNE in AC) ---"
+  $FRACTURED_MYSQL acore_world -e "
+SELECT ID, PowerType, ManaCost, RuneCostID FROM spell_dbc WHERE ID IN ($IDS_CSV);
+" 2>/dev/null || echo "(query failed — spell_dbc missing or wrong schema)"
+  echo "--- spellrunecost join for sample IDs (empty if no spell_dbc rows above) ---"
+  $FRACTURED_MYSQL acore_world -e "
+SELECT s.ID AS spell_id, s.PowerType, s.RuneCostID, r.Blood, r.Unholy, r.Frost, r.RunicPower
+FROM spell_dbc s
+LEFT JOIN spellrunecost_dbc r ON r.ID = s.RuneCostID
+WHERE s.ID IN ($IDS_CSV);
+" 2>/dev/null || echo "(join failed — check spellrunecost_dbc)"
+
+  echo "--- spell_dbc suspicious overrides: RuneCostID>0 but PowerType!=5 (can break rune checks) ---"
+  $FRACTURED_MYSQL acore_world -e "
+SELECT ID, PowerType, ManaCost, RuneCostID FROM spell_dbc
+ WHERE RuneCostID > 0 AND PowerType <> 5
+ ORDER BY ID LIMIT 40;
+" 2>/dev/null || echo "(query failed)"
+  echo "Compare counts/IDs to dev: unexpected rows here warrant a DB diff."
+
+  echo "--- spell_dbc POWER_RUNE (5) spells with RuneCostID (sample) ---"
+  $FRACTURED_MYSQL acore_world -e "
+SELECT ID, PowerType, RuneCostID FROM spell_dbc
+ WHERE PowerType = 5 AND RuneCostID > 0
+ ORDER BY ID LIMIT 15;
+" 2>/dev/null || echo "(query failed)"
+else
+  echo "FRACTURED_MYSQL not set — run manually (example: export FRACTURED_MYSQL='mysql -uUSER -hHOST')"
+  echo "acore_world:"
+  echo "$SQL_WORLD"
+  echo "acore_characters:"
+  echo "$SQL_CHAR"
+  echo ""
+  echo "Optional DBC parity (acore_world) — run after connecting:"
+  echo "  SELECT ID, DisplayPower, Name_Lang_enUS FROM chrclasses_dbc WHERE ID IN (6,12);"
+  echo "  SELECT ID, PowerType, ManaCost, RuneCostID FROM spell_dbc WHERE ID IN (45477,45462,49923,55050,56815);"
+  echo "  SELECT s.ID, s.RuneCostID, r.Blood, r.Unholy, r.Frost, r.RunicPower FROM spell_dbc s"
+  echo "    LEFT JOIN spellrunecost_dbc r ON r.ID = s.RuneCostID WHERE s.ID IN (45477,45462,49923,55050,56815);"
+fi
+
+sub "mod_paragon.conf vs .dist (install etc)"
+ETC=""
+if [[ -n "$WS" ]]; then
+  ETC=$(readlink -f "$(dirname "$WS")/../etc" 2>/dev/null || true)
+fi
+if [[ -z "$ETC" || ! -d "$ETC" ]]; then
+  ETC=$(readlink -f "$HOME/azeroth-server/etc" 2>/dev/null || true)
+fi
+if [[ -n "$ETC" && -d "$ETC/modules" ]]; then
+  MP="$ETC/modules/mod_paragon.conf"
+  MPD="$ETC/modules/mod_paragon.conf.dist"
+  if [[ -f "$MP" && -f "$MPD" ]]; then
+    diff -u "$MP" "$MPD" 2>/dev/null | head -80 || true
+  else
+    echo "ETC=$ETC — mod_paragon.conf or .dist missing (MP=$MP MPD=$MPD)"
+  fi
+else
+  echo "Could not find install etc/modules (set paths manually for diff)."
+fi
+
+hr
+echo "DELIVERABLE for maintainer:"
+echo "1) Paste 1A–1D (binary mtime, git HEAD, strings, sha256 + revision strings)."
+echo "2) Paste DATABASE blocks: updates + DBC parity (chrclasses 12, spell_dbc, spellrunecost join)."
+echo "3) Paste 2A path strings + 2D listings (or MISSING lines)."
+echo "4) From dev: same 1D sha256 of worldserver OR same SQL block — proves binary/data parity."
+echo "5) ONE sentence: exact in-game symptom."
+echo "Done."
+echo ""
+echo "Full transcript: $DIAG_OUT"

src/server/game/Spells/SpellInfoCorrections.cpp

@@ -5368,6 +5368,18 @@ void SpellMgr::LoadSpellInfoCorrections()
     LockEntry* key = const_cast<LockEntry*>(sLockStore.LookupEntry(36)); // 3366 Opening, allows to open without proper key
     key->Type[2] = LOCK_KEY_NONE;
 
+    // Fractured / Paragon: DK weapon-line "passives" Forceful Deflection and
+    // Runic Focus ship in 3.3.5a Spell.dbc without SPELL_ATTR0_PASSIVE set.
+    // SpellInfo::IsPassive() is therefore false, and mod-paragon's panel-learn
+    // diff treats them as castable actives and revokes them — while true
+    // actives (Blood Presence, Death Coil, Death Grip, ...) must stay
+    // stripped. Mark these two passive in-memory so the panel policy matches
+    // the spellbook UX for every class (stock DK benefits too).
+    ApplySpellFix({ 49410, 61455 }, [](SpellInfo* spellInfo)
+    {
+        spellInfo->Attributes |= SPELL_ATTR0_PASSIVE;
+    });
+
     // Fractured: strip reagent requirements from every player-class spell at
     // load time. Filtered by SpellFamilyName != 0 so that profession spells
     // (cooking, alchemy, enchanting, blacksmithing, jewelcrafting, leatherworking,

tools/fractured-launcher-electron/README.md

@@ -1,6 +1,6 @@
 # Fractured Launcher (Electron)
 
-Windows launcher with **no extra console window**, **native Browse folder** dialog, GitHub **release assets** + repo file sync, **realmlist**, optional **auth**, **Play**, and **auto-update** (via `electron-updater`). This is the **only** supported client launcher in this repo.
+**Windows** and **Linux (AppImage)** launcher with **no extra console window**, **native Browse folder** dialog, **Gitea or GitHub** release assets + GitHub repo file sync, **realmlist**, optional **auth**, **Play**, and **auto-update** (via `electron-updater`). This is the **only** supported client launcher in this repo.
 
 ## Requirements
 
@@ -14,7 +14,12 @@ npm install
 npm start
 ```
 
-On first run, `launcher.json` is created next to the app (dev: in this folder). By default **`github.repo`** is **`Fractured-Distro`** (public release assets); no token is required for patches. Set **GITHUB_TOKEN** only if you override `github` to a **private** repo.
+On first run, `launcher.json` is created next to the app (dev: in this folder).
+
+### Where patches download from
+
+- **Recommended (self-hosted Gitea):** set **`gitea.base_url`**, **`gitea.owner`**, **`gitea.repo`** in `launcher.json` (see **`default-launcher.json`**). Players need **`GITEA_TOKEN`** (or the env name in **`gitea.token_env`**) if the Gitea repo is **private** — same trade-off as any private host (per-player token, SSO proxy, or a read-only deploy token you accept distributing).
+- **Fallback:** if **`gitea.base_url`** is empty, **`from_release`** uses the **GitHub** Releases API against **`github.owner` / `github.repo`** (defaults to this **`Fractured`** repo for non-release paths), with optional **`GITHUB_TOKEN`** for private assets.
 
 ## Build Windows installers
 
@@ -30,63 +35,135 @@ Produces under **`dist/`**:
 | `Fractured-Launcher-${version}-Setup.exe` (NSIS) | **Recommended for players** — supports seamless **auto-update** and restart. |
 | `Fractured-Launcher-${version}-Windows-Portable.exe` | No installer; players replace the file manually. Auto-update is **less reliable** than NSIS. |
 
+## Build Linux AppImage
+
+```bash
+cd tools/fractured-launcher-electron
+npm install
+npm run pack:linux
+```
+
+Produces **`dist/Fractured-Launcher-${version}-Linux-x86_64.AppImage`**. Same **`lib/baked-gitea-channel.js`** and **`default-launcher.json`** as Windows; run on **Linux** (or use **Fractured launcher CI** / **Sync release to Gitea**, which upload this file to Gitea with the Windows installers).
+
+**Quick local test (avoids tag snapshot / CI):**
+- **Linux:** from repo root, **`bash tools/fractured-launcher-electron/scripts/manual-pack-linux.sh`** → **`dist/*.AppImage`**.
+- **Windows:** on a Windows machine, **`cd tools/fractured-launcher-electron`**, **`npm ci`**, **`npm run pack:win`** → **`dist/*.exe`**.
+
+### Hardcoded Gitea channel (non-token)
+
+**`lib/baked-gitea-channel.js`** exports **`base_url`**, **`owner`**, **`repo`**, **`release_tag`**. Set those strings once in the repo (same values you use for CI upload — not secret). At runtime **`config-store`** merges them into **`gitea.*`** so **`launcher.json`** does not need those fields; **`GITEA_TOKEN`** (or **`gitea.token_env`**) is still only for **private** Gitea. Leave a field **`''`** in the baked file to fall back to **`default-launcher.json`** / user **`launcher.json`** for that key.
+
+**`npm run pack:win`** is plain **electron-builder** — no inject step, no extra JSON beside the app.
+
 ## Auto-update behaviour
 
 - **Packaged** builds only (`npm run pack:win` output). In `npm start` dev mode, update checks are skipped (button still explains that).
-- **~5 seconds** after launch, then **every 6 hours**, the app checks for a newer version.
+- **No implicit GitHub feed:** the app does **not** guess `package.json` → `repository` anymore. Without configuration you get a clear “skipped” message instead of a **404** on a private repo.
+- **Configured feeds** (first match wins): **`update_feed_url` / `LAUNCHER_UPDATE_URL`** (generic `latest.yml`); or **`gitea`** block filled in + **`GITEA_TOKEN`** when the instance is private (resolves `…/releases/download/{tag}/`); or **`GITHUB_TOKEN`** + **`github.owner` / `github.repo`** for **private** GitHub releases only.
+- **~5 seconds** after launch, then **every 6 hours**, the app checks when a feed is configured.
 - When a download finishes, a dialog offers **Restart now** (calls `quitAndInstall`) or **Later**.
 - **Manual check:** button **Check launcher updates** in the UI.
 
-### Where updates are hosted
+### Where launcher updates are hosted
 
-**`package.json`** → `build.publish` targets **`Dawnforger/Fractured-Distro`** (public). `electron-updater` reads **`latest.yml`** from the **latest** release there; players do not need a GitHub token for launcher updates.
+**`npm run publish:win`** runs **`electron-builder` with `--publish never`** — artifacts stay in **`dist/`**; CI uploads them to Gitea when you **publish a GitHub release**. For ad-hoc uploads, use **`scripts/upload-release-to-gitea.sh`**. For launcher auto-update, prefer:
 
-**Private GitHub** (if you change `build.publish` or `github` back to a private repo): set **`GH_TOKEN`** / **`GITHUB_TOKEN`** / **`github.token_env`** before starting the launcher so the updater can authenticate.
+- Set **`update_feed_url`** (or **`LAUNCHER_UPDATE_URL`**) to a **generic** HTTPS base URL where **`latest.yml`** and the installer files are hosted (often the same Gitea release attachment URLs pattern your reverse proxy exposes), **or**
+- Keep publishing to a GitHub release only for **`latest.yml`** + installers if you accept that small metadata/binary channel there.
 
-**Public generic feed** (optional CDN): set **`update_feed_url`** or **`LAUNCHER_UPDATE_URL`** to a folder that hosts `latest.yml` + installers; optional Bearer token if the host requires it.
+**Private GitHub** updater: set **`GH_TOKEN`** / **`GITHUB_TOKEN`** / **`github.token_env`** as documented in `lib/auto-update.js` behaviour.
+
+**Generic feed:** optional Bearer token via the same token envs if your static host checks `Authorization`.
 
 ### Publishing a new launcher version
 
-1. Bump **`version`** in `package.json` (semver, e.g. `1.0.1`).
-2. Create a **GitHub personal access token** with `repo` (or `public_repo` for public repos).
-3. From this directory:
+1. Bump **`version`** in `package.json` on `main` (or your release branch) and merge.
+2. Create a **GitHub release** (tag + attach patches / `Wow.exe` if needed) and click **Publish** — **Sync release to Gitea** builds **Windows + Linux** launcher artifacts and mirrors everything to Gitea.
+3. Local check: **`npm run pack:win`** (on Windows) or **`npm run pack:linux`** / **`scripts/manual-pack-linux.sh`**, then **`scripts/upload-release-to-gitea.sh`** with the same **`GITEA_*`** env vars as CI if you need a manual upload.
 
-```bash
-set GH_TOKEN=ghp_your_token_here
-npm run publish:win
+## Sync to Gitea (patches + launcher binaries)
+
+CI workflow **Sync release to Gitea** (`.github/workflows/gitea-release-sync.yml`) runs on **every published GitHub release** on this repo:
+
+1. Triggers on **release published** on **`Dawnforger/Fractured`** (or **workflow_dispatch** with a tag).
+2. Builds **Windows** (NSIS + portable) and **Linux** (AppImage) in parallel, each using **`tools/fractured-launcher-electron` from the default branch** (overlaid onto the tag checkout), so older release tags never ship a launcher missing new **`lib/*.js`** files.
+3. Downloads **all assets** attached to that **GitHub** release (MPQs, patched `Wow.exe`, etc.).
+4. Merges with the built launcher artifacts and uploads everything to a **Gitea release** with the **same tag** (existing attachments on that Gitea release are replaced).
+
+**GitHub Actions secrets** (repository → Settings → Secrets and variables → Actions):
+
+| Secret | Example |
+|--------|---------|
+| **`GITEA_BASE_URL`** | `https://git.yourdomain.com` (no trailing slash) |
+| **`GITEA_TOKEN`** | Gitea personal access token with permission to manage releases and attachments on the target repo |
+| **`GITEA_OWNER`** | Organization or username on Gitea |
+| **`GITEA_REPO`** | Repository name — must already have **at least one commit** (Gitea returns HTTP 422 “repo is empty” for zero-commit repos; push e.g. a README on **`main`** or set **`GITEA_TARGET_REF`** to your default branch) |
+
+**Optional variable** (Settings → Variables): **`GITEA_TARGET_REF`** — default branch/commitish used **only when the workflow must create a new Gitea release** and Gitea needs `target_commitish` (defaults to **`main`** in the upload script if unset).
+
+**Player `launcher.json`:** packaged builds should already include **`gitea.base_url` / `owner` / `repo`** from the bake step above. Players only need to set **`GITEA_TOKEN`** (or your **`token_env`**) if the Gitea repo is **private**. To point at another instance, edit **`gitea`** in **`launcher.json`**:
+
+```json
+"gitea": {
+  "base_url": "https://git.yourdomain.com",
+  "owner": "myorg",
+  "repo": "fractured-patches",
+  "release_tag": "latest",
+  "token_env": "GITEA_TOKEN"
+}
 ```
 
-That builds NSIS + portable and **uploads** update metadata and installers to the configured GitHub repo’s **releases** (see [electron-builder publish](https://www.electron.build/configuration/publish)).
+**Manual upload:** `bash scripts/upload-release-to-gitea.sh /path/to/files v1.0.0` with the same env vars as CI.
 
-Players on an older NSIS install will pick up the next version automatically on the next check.
+### Sync did not run / Gitea unchanged — checklist
 
-## Public distro repo (patches + launcher binaries)
+1. **Git tag ≠ GitHub Release** — Only **Releases** (published on the GitHub **Releases** page) trigger this workflow. If your teammate only **`git push --tags`**, create a **Release** from that tag and click **Publish** (or run **Actions → Sync release to Gitea → Run workflow** and enter the tag).
+2. **Draft release** — Must click **Publish release**; drafts do not mirror.
+3. **Workflow on default branch** — GitHub runs `release` workflows from the **default branch** (e.g. `main`). Ensure `.github/workflows/gitea-release-sync.yml` is merged there.
+4. **Repo name guard** — Jobs use `if: github.repository == 'Dawnforger/Fractured'`. Forks or renames must change that line or runs are skipped.
+5. **Secrets** — **`GITEA_BASE_URL`**, **`GITEA_TOKEN`**, **`GITEA_OWNER`**, **`GITEA_REPO`** must be set under **Settings → Secrets and variables → Actions**. A failed “Upload to Gitea” step usually prints which is missing.
+6. **Actions tab** — Open the latest **Sync release to Gitea** run; a red **build-electron** (old tag without `package-lock.json`, etc.) or **Upload to Gitea** step shows the real error.
+7. **HTTP 422 `repo is empty`** — The Gitea repo has **no commits** yet. Push any initial commit (e.g. **Add README** in the Gitea web UI, or `git push` to **`main`**). Optionally set **`GITEA_TARGET_REF`** to match your real default branch if it is not **`main`**. From this repo you can run **`scripts/bootstrap-gitea-repo.sh`** (see script header for `GITEA_*` env or pass the HTTPS/SSH clone URL as the first argument).
 
-Default **`default-launcher.json`** uses **`github.repo`: `Fractured-Distro`** so **`from_release`** assets (`patch-Z.MPQ`, `Wow-patched.exe`, …) download from **[Dawnforger/Fractured-Distro releases](https://github.com/Dawnforger/Fractured-Distro/releases)** — **no player token**.
+### Private Gitea token for players
 
-Publish assets there by:
+Do **not** embed a shared admin PAT in a shipped `launcher.json`. Prefer read-only tokens scoped to one repo, short-lived tokens, or a small auth service that redirects to signed URLs.
 
-- **GitHub Actions** — workflow **Sync release to Fractured-Distro** (`.github/workflows/distro-release-sync.yml`): on **release published** on `Dawnforger/Fractured`, it **builds the Electron launcher** from that tag on Windows (`npm run pack:win`), **downloads every asset** attached to that release (patches, `Wow-patched.exe`, …), merges them (launcher files overwrite on duplicate names), and creates or updates the **same tag** on **`Fractured-Distro`**. Requires repository secret **`DISTRO_SYNC_TOKEN`**. **Manual:** Actions → run workflow with an existing tag.
-- **Locally:** `scripts/publish-to-distro.sh` (see script header) if you need to upload without a full release cycle.
+**Release asset names** must match **`files[].source`** when **`from_release`**: true. Use **`release_tag`**: `"latest"` or a pinned tag matching both GitHub and Gitea.
 
-If your public repo slug is not `Fractured-Distro`, edit **`DISTRO_REPO`** in the workflow / script and **`github.repo`** in `launcher.json`.
+## Patch versions (same filenames, different bytes)
 
-### Private `github.repo` (optional)
+The launcher does **not** read Git commits. For **turn-key** updates when asset names stay fixed (`patch-Z.MPQ`, `Wow-patched.exe`, …):
 
-For a **private** release source, set `GITHUB_TOKEN` (or `github.token_env`) with read access — **do not** embed a shared PAT in shipped `launcher.json` for all players.
+1. Ship **`patch-manifest.json`** next to those files on **every** release (Gitea/GitHub attachment). It lists a **`version`** label (any string you bump per release, e.g. `v0.9.0-client`) and a **`sha256`** per **`files[].source`** name.
+2. With **`patch_manifest.enabled`**: true (default in **`default-launcher.json`**), **Download updates** first fetches the manifest from the same release channel. If the files already on disk match those checksums, the player sees **“already match build … (nothing to download)”** — no redundant downloads.
+3. After a real download, the launcher **re-hashes** installed files and compares to the manifest; mismatch → clear error. It also writes **`.fractured/patch-state.json`** under the WoW folder so the UI can show **“Installed client files: …”**.
 
-**Release asset names** must match **`files[].source`** exactly when **`from_release`**: true. Use **`release_tag`: `"latest"`** for the newest release, or pin a tag.
+If **`patch-manifest.json`** is missing on a release, the launcher falls back to **always downloading** all configured files (same as before).
+
+**Generate the manifest** when you cut a release (paths are your local patch binaries):
+
+```bash
+cd /path/to/staging
+node tools/fractured-launcher-electron/scripts/generate-patch-manifest.js v0.9.0-client patch-Z.MPQ Wow-patched.exe > patch-manifest.json
+```
+
+Attach **`patch-manifest.json`** together with the MPQ/exe to the GitHub release (CI sync copies it to Gitea with everything else).
 
 ## CI
 
-Workflow **Fractured launcher CI** (`.github/workflows/fractured-launcher-ci.yml`) runs on pushes/PRs under `tools/fractured-launcher-electron/`: Windows **`npm run pack:win`** and **artifacts** (`*.exe`, `latest.yml`, blockmaps). **Actions → Fractured launcher CI → Run workflow** runs it manually.
+Workflow **Fractured launcher CI** (`.github/workflows/fractured-launcher-ci.yml`) runs on pushes/PRs under `tools/fractured-launcher-electron/`: **Windows** (`npm run pack:win`) and **Linux** (`npm run pack:linux`) jobs, each **`electron-builder … --publish never`**. **Actions → Fractured launcher CI → Run workflow** runs it manually.
+
+**Sync release to Gitea** (`.github/workflows/gitea-release-sync.yml`) uses the same pack commands. If you see `GH_TOKEN` / `GitHubPublisher` errors in logs, the job is almost certainly an old **Re-run failed jobs** — open **Actions → Sync release to Gitea → Run workflow**, enter the tag, and start a **new** run instead.
 
 ## Config
 
 Schema is defined by **`default-launcher.json`** (shipped in the app; first run copies to `launcher.json` beside the executable):
 
 - **`game_dir`**: WoW 3.3.5a root (contains `Wow.exe`).
-- **`update_feed_url`**: optional generic HTTPS base for launcher auto-update (overrides default GitHub feed when set).
-- **`github`**: `owner`, `repo`, `ref` (repo file paths), **`release_tag`** (`latest` or e.g. `v1.0.0`), **`token_env`** (env var name for a PAT when using private sources).
-- **`files`**: `source`, `dest`, `backup`, **`from_release`** (asset name on GitHub release vs repo path).
-- **`realmlist`**, **`auth`**, **`launch`**.
+- **`update_feed_url`**: optional generic HTTPS base for launcher auto-update.
+- **`launcher_updates_from_github`**: default **`false`**. Only when **`true`** will a **`GITHUB_TOKEN`** (or **`github.token_env`**) enable **electron-updater**’s GitHub provider against **`github.owner` / `github.repo`**. Leave **`false`** when launcher binaries and **`latest.yml`** live on **Gitea** (use **`gitea`** + token instead) so a stray GitHub token does not produce “No published versions on GitHub”.
+- **`gitea`**: **`base_url`**, **`owner`**, **`repo`**, **`release_tag`**, **`token_env`** — when **`base_url`** is set (and owner/repo set), **`from_release`** downloads and (with token if needed) the **generic** updater feed use **Gitea**. **Required** for players if your CI mirrors patches/launchers to Gitea only.
+- **`github`**: used for **non-release** repo paths (`from_release`: false) and for **GitHub** **`from_release`** when **`gitea.base_url`** is empty.
+- **`patch_manifest`**: **`enabled`**, **`source`** (default `patch-manifest.json`), **`from_release`** — checksum-based skip + verify (see above).
+- **`files`**, **`realmlist`**, **`auth`**, **`launch`**.

tools/fractured-launcher-electron/default-launcher.json

@@ -1,13 +1,26 @@
 {
   "game_dir": "",
   "update_feed_url": "",
+  "launcher_updates_from_github": false,
+  "gitea": {
+    "base_url": "",
+    "owner": "",
+    "repo": "",
+    "release_tag": "latest",
+    "token_env": "GITEA_TOKEN"
+  },
   "github": {
     "owner": "Dawnforger",
-    "repo": "Fractured-Distro",
+    "repo": "Fractured",
     "ref": "main",
     "release_tag": "latest",
     "token_env": "GITHUB_TOKEN"
   },
+  "patch_manifest": {
+    "enabled": true,
+    "source": "patch-manifest.json",
+    "from_release": true
+  },
   "files": [
     {
       "source": "patch-Z.MPQ",

tools/fractured-launcher-electron/lib/auto-update.js

@@ -2,28 +2,51 @@
 
 const { dialog } = require('electron');
 const { autoUpdater } = require('electron-updater');
+const { useGiteaReleases, getGiteaUpdaterFeedBase } = require('./gitea-release');
 
 /**
  * @param {import('electron').App} app
  * @param {() => import('electron').BrowserWindow | null} getMainWindow
- * @param {{ updateFeedUrl?: string, githubOwner?: string, githubRepo?: string, token?: string }} opts
+ * @param {{
+ *   updateFeedUrl?: string,
+ *   githubOwner?: string,
+ *   githubRepo?: string,
+ *   githubToken?: string,
+ *   giteaToken?: string,
+ *   allowGithubLauncherUpdates?: boolean,
+ *   config?: object,
+ * }} opts
  */
-function setupAutoUpdater(app, getMainWindow, opts = {}) {
+async function setupAutoUpdater(app, getMainWindow, opts = {}) {
   if (!app.isPackaged) {
     return {
       checkNow: async () => ({ skipped: true, reason: 'development build' }),
     };
   }
 
-  autoUpdater.autoDownload = true;
-  autoUpdater.autoInstallOnAppQuit = true;
-
-  const token = String(opts.token || '').trim();
+  const ghToken = String(opts.githubToken || '').trim();
+  const giteaTok = String(opts.giteaToken || '').trim();
   const envGeneric = String(process.env.LAUNCHER_UPDATE_URL || '').trim();
   const configGeneric = String(opts.updateFeedUrl || '').trim();
-  const genericUrl = envGeneric || configGeneric;
-  const owner = String(opts.githubOwner || 'Dawnforger').trim();
-  const repo = String(opts.githubRepo || 'Fractured').trim();
+  let genericUrl = envGeneric || configGeneric;
+  let genericAuthHeader = '';
+
+  if (!genericUrl && opts.config && useGiteaReleases(opts.config)) {
+    const gfb = await getGiteaUpdaterFeedBase(opts.config);
+    if (gfb && gfb.url) {
+      genericUrl = gfb.url;
+      const t = String(gfb.token || giteaTok || '').trim();
+      if (t) genericAuthHeader = `token ${t}`;
+    }
+  } else if (genericUrl) {
+    if (giteaTok) genericAuthHeader = `token ${giteaTok}`;
+    else if (ghToken) genericAuthHeader = `Bearer ${ghToken}`;
+  }
+
+  const owner = String(opts.githubOwner || '').trim();
+  const repo = String(opts.githubRepo || '').trim();
+
+  let feedConfigured = false;
 
   if (genericUrl) {
     const base = genericUrl.replace(/\/?$/, '/');
@@ -31,22 +54,37 @@ function setupAutoUpdater(app, getMainWindow, opts = {}) {
       provider: 'generic',
       url: base,
     });
-    if (token) {
+    if (genericAuthHeader) {
       autoUpdater.requestHeaders = {
         ...autoUpdater.requestHeaders,
-        Authorization: `Bearer ${token}`,
+        Authorization: genericAuthHeader,
       };
     }
-  } else if (token && owner && repo) {
+    feedConfigured = true;
+  } else if (opts.allowGithubLauncherUpdates && ghToken && owner && repo) {
     autoUpdater.setFeedURL({
       provider: 'github',
       owner,
       repo,
       private: true,
-      token,
+      token: ghToken,
     });
+    feedConfigured = true;
   }
 
+  if (!feedConfigured) {
+    const reason =
+      'No update channel configured. Set launcher.json → update_feed_url (HTTPS folder with latest.yml), ' +
+      'or fill gitea.base_url/owner/repo (+ GITEA_TOKEN for private), ' +
+      'or set launcher_updates_from_github to true with GITHUB_TOKEN for private GitHub release feeds.';
+    return {
+      checkNow: async () => ({ skipped: true, reason }),
+    };
+  }
+
+  autoUpdater.autoDownload = true;
+  autoUpdater.autoInstallOnAppQuit = true;
+
   const send = (msg) => {
     const w = getMainWindow();
     if (w && !w.isDestroyed()) {
@@ -63,9 +101,8 @@ function setupAutoUpdater(app, getMainWindow, opts = {}) {
     const m = (err && (err.message || String(err))) || '';
     if (/404|releases\.atom|HttpError:\s*404/i.test(m)) {
       send(
-        'Launcher update: could not read GitHub releases (404). ' +
-          'If the repo is private, set GITHUB_TOKEN (or your token_env) so the launcher can authenticate, ' +
-          'or set update_feed_url in launcher.json to a public HTTPS folder that contains latest.yml.'
+        'Launcher update: 404 (no latest.yml or wrong URL). For Gitea use gitea.* + token, or set update_feed_url. ' +
+          'For private GitHub set GITHUB_TOKEN.'
       );
       return;
     }

tools/fractured-launcher-electron/lib/baked-gitea-channel.js

@@ -0,0 +1,14 @@
+'use strict';
+
+/**
+ * Production Gitea mirror (non-secret). Edit here and ship — no inject script,
+ * no fractured-release-channel.json, no CI env needed for these fields.
+ * Token stays in env: GITEA_TOKEN or launcher.json → gitea.token_env.
+ */
+module.exports = {
+  // Scheme optional — gitea-release normalizes to https:// if missing.
+  base_url: 'https://brassnet.ddns.net:33983',
+  owner: 'Dawnsorrow',
+  repo: 'Fractured-Distro',
+  release_tag: 'latest',
+};

tools/fractured-launcher-electron/lib/config-store.js

@@ -11,7 +11,13 @@ function mergeConfig(defaults, user) {
       user.update_feed_url != null && user.update_feed_url !== ''
         ? user.update_feed_url
         : defaults.update_feed_url,
+    launcher_updates_from_github:
+      user.launcher_updates_from_github != null
+        ? user.launcher_updates_from_github
+        : defaults.launcher_updates_from_github,
     github: { ...defaults.github, ...(user.github || {}) },
+    gitea: { ...defaults.gitea, ...(user.gitea || {}) },
+    patch_manifest: { ...defaults.patch_manifest, ...(user.patch_manifest || {}) },
     launch: { ...defaults.launch, ...(user.launch || {}) },
     auth: user.auth != null ? { ...defaults.auth, ...user.auth } : defaults.auth,
     realmlist: user.realmlist != null ? { ...defaults.realmlist, ...user.realmlist } : defaults.realmlist,
@@ -19,6 +25,23 @@ function mergeConfig(defaults, user) {
   };
 }
 
+/** Hardcoded Gitea host/repo (see lib/baked-gitea-channel.js). Non-empty baked values win. */
+function applyBakedGitea(cfg) {
+  let baked;
+  try {
+    baked = require('./baked-gitea-channel');
+  } catch {
+    return cfg;
+  }
+  if (!baked || typeof baked !== 'object') return cfg;
+  cfg.gitea = { ...(cfg.gitea || {}) };
+  for (const k of ['base_url', 'owner', 'repo', 'release_tag']) {
+    const v = baked[k];
+    if (v != null && String(v).trim() !== '') cfg.gitea[k] = String(v).trim();
+  }
+  return cfg;
+}
+
 function getConfigPath(app) {
   if (process.env.FRACTURED_LAUNCHER_CONFIG) return process.env.FRACTURED_LAUNCHER_CONFIG;
   if (app && app.isPackaged) {
@@ -33,11 +56,12 @@ async function loadConfig(app) {
   const defaults = JSON.parse(await fs.readFile(defPath, 'utf8'));
   try {
     const user = JSON.parse(await fs.readFile(p, 'utf8'));
-    return { configPath: p, config: mergeConfig(defaults, user) };
+    return { configPath: p, config: applyBakedGitea(mergeConfig(defaults, user)) };
   } catch (e) {
     if (e.code === 'ENOENT') {
-      await fs.writeFile(p, JSON.stringify(defaults, null, 2), 'utf8');
-      return { configPath: p, config: JSON.parse(JSON.stringify(defaults)) };
+      const initial = applyBakedGitea(mergeConfig(defaults, {}));
+      await fs.writeFile(p, JSON.stringify(initial, null, 2), 'utf8');
+      return { configPath: p, config: JSON.parse(JSON.stringify(initial)) };
     }
     throw e;
   }
@@ -48,7 +72,7 @@ async function saveGameDir(configPath, gameDir) {
   const defaults = JSON.parse(await fs.readFile(defPath, 'utf8'));
   const user = JSON.parse(await fs.readFile(configPath, 'utf8'));
   user.game_dir = gameDir;
-  const merged = mergeConfig(defaults, user);
+  const merged = applyBakedGitea(mergeConfig(defaults, user));
   await fs.writeFile(configPath, JSON.stringify(merged, null, 2), 'utf8');
   return merged;
 }
@@ -60,4 +84,4 @@ function resolveGameDir(cfg, configPath) {
   return path.normalize(path.join(path.dirname(configPath), gd));
 }
 
-module.exports = { getConfigPath, loadConfig, saveGameDir, resolveGameDir, mergeConfig };
+module.exports = { getConfigPath, loadConfig, saveGameDir, resolveGameDir, mergeConfig, applyBakedGitea };

tools/fractured-launcher-electron/lib/gitea-release.js

@@ -0,0 +1,107 @@
+'use strict';
+
+const { downloadBodyToFile } = require('./http-download');
+
+function normalizeGiteaBaseUrl(raw) {
+  let b = String(raw || '').trim().replace(/\/+$/, '');
+  if (!b) return '';
+  if (!/^https?:\/\//i.test(b)) b = `https://${b}`;
+  return b;
+}
+
+function giteaApiBase(cfg) {
+  const base = normalizeGiteaBaseUrl(cfg.gitea.base_url);
+  return `${base}/api/v1`;
+}
+
+function giteaToken(cfg) {
+  const name = cfg.gitea && cfg.gitea.token_env;
+  if (name && process.env[name]) return String(process.env[name]).trim();
+  return String(process.env.GITEA_TOKEN || '').trim();
+}
+
+function giteaHeaders(token, json = false) {
+  const h = { 'User-Agent': 'Fractured-Launcher-Electron' };
+  if (json) h.Accept = 'application/json';
+  if (token) h.Authorization = `token ${token}`;
+  return h;
+}
+
+function useGiteaReleases(cfg) {
+  const g = cfg.gitea;
+  if (!g) return false;
+  return !!(String(g.base_url || '').trim() && String(g.owner || '').trim() && String(g.repo || '').trim());
+}
+
+async function downloadGiteaReleaseAsset(cfg, assetName, destPath) {
+  const api = giteaApiBase(cfg);
+  const { owner, repo } = cfg.gitea;
+  const tag = (cfg.gitea.release_tag || 'latest').trim() || 'latest';
+  const token = giteaToken(cfg);
+
+  let listUrl;
+  if (tag.toLowerCase() === 'latest') {
+    listUrl = `${api}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/releases/latest`;
+  } else {
+    listUrl = `${api}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/releases/tags/${encodeURIComponent(tag)}`;
+  }
+
+  const res = await fetch(listUrl, { headers: giteaHeaders(token, true) });
+  const text = await res.text();
+  if (!res.ok) {
+    let hint = '';
+    if (res.status === 404) hint = ' (wrong tag / no release / check base_url owner repo)';
+    if (res.status === 401 || res.status === 403) hint = ' (set GITEA_TOKEN or gitea.token_env)';
+    throw new Error(`Gitea release ${res.status}${hint}: ${text.slice(0, 600)}`);
+  }
+  const rel = JSON.parse(text);
+  const list = rel.attachments || rel.assets || [];
+  let downloadUrl = '';
+  for (const a of list) {
+    if (a.name !== assetName) continue;
+    downloadUrl = a.browser_download_url || a.download_url || '';
+    break;
+  }
+  if (!downloadUrl) {
+    const names = list.map((x) => x.name).filter(Boolean);
+    throw new Error(`Gitea release asset "${assetName}" not found; attachments: ${names.join(', ') || '(none)'}`);
+  }
+
+  const h = { Accept: 'application/octet-stream' };
+  if (token) h.Authorization = `token ${token}`;
+  const dl = await fetch(downloadUrl, { headers: h, redirect: 'follow' });
+  await downloadBodyToFile(dl, destPath);
+}
+
+/**
+ * Base URL for electron-updater generic provider (expects latest.yml under this path).
+ * Matches Gitea’s pattern: …/owner/repo/releases/download/{tag}/latest.yml
+ */
+async function getGiteaUpdaterFeedBase(cfg) {
+  if (!useGiteaReleases(cfg)) return null;
+  const api = giteaApiBase(cfg);
+  const { owner, repo } = cfg.gitea;
+  const tag = (cfg.gitea.release_tag || 'latest').trim() || 'latest';
+  const token = giteaToken(cfg);
+  let listUrl;
+  if (tag.toLowerCase() === 'latest') {
+    listUrl = `${api}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/releases/latest`;
+  } else {
+    listUrl = `${api}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/releases/tags/${encodeURIComponent(tag)}`;
+  }
+  const res = await fetch(listUrl, { headers: giteaHeaders(token, true) });
+  if (!res.ok) return null;
+  const rel = await res.json();
+  const tagName = rel.tag_name;
+  if (!tagName || typeof tagName !== 'string') return null;
+  const root = normalizeGiteaBaseUrl(cfg.gitea.base_url);
+  const url = `${root}/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/releases/download/${encodeURIComponent(tagName)}/`;
+  return { url, token };
+}
+
+module.exports = {
+  downloadGiteaReleaseAsset,
+  giteaToken,
+  useGiteaReleases,
+  getGiteaUpdaterFeedBase,
+};

tools/fractured-launcher-electron/lib/github.js

@@ -3,6 +3,7 @@
 const path = require('path');
 const fs = require('fs').promises;
 const { githubToken } = require('./github-token');
+const { downloadGiteaReleaseAsset, useGiteaReleases } = require('./gitea-release');
 const { fetchToFile, downloadBodyToFile } = require('./http-download');
 
 function encodeRepoPath(repoPath) {
@@ -65,6 +66,9 @@ async function downloadGitHubRepoFile(cfg, repoPath, destPath) {
 }
 
 async function downloadReleaseAsset(cfg, assetName, destPath) {
+  if (useGiteaReleases(cfg)) {
+    return downloadGiteaReleaseAsset(cfg, assetName, destPath);
+  }
   const token = githubToken(cfg);
   const tag = (cfg.github.release_tag || 'latest').trim() || 'latest';
   const { owner, repo } = cfg.github;
@@ -78,7 +82,10 @@ async function downloadReleaseAsset(cfg, assetName, destPath) {
   const text = await res.text();
   if (!res.ok) {
     let hint = '';
-    if (res.status === 404) hint = ' (wrong tag or private repo without token?)';
+    if (res.status === 404) {
+      hint =
+        ' (wrong tag, private repo without token, or releases live on Gitea — set gitea.base_url, gitea.owner, gitea.repo in launcher.json)';
+    }
     if (res.status === 401 || res.status === 403) hint = ' (set GITHUB_TOKEN or token_env PAT)';
     throw new Error(`releases list ${res.status}${hint}: ${text.slice(0, 600)}`);
   }

tools/fractured-launcher-electron/lib/patch-manifest.js

@@ -0,0 +1,144 @@
+'use strict';
+
+const fs = require('fs').promises;
+const path = require('path');
+const os = require('os');
+const { createHash } = require('node:crypto');
+const { downloadReleaseAsset, downloadGitHubRepoFile } = require('./github');
+
+async function sha256File(absPath) {
+  const buf = await fs.readFile(absPath);
+  return createHash('sha256').update(buf).digest('hex');
+}
+
+function stateDir(gameDir) {
+  return path.join(gameDir, '.fractured');
+}
+
+function statePath(gameDir) {
+  return path.join(stateDir(gameDir), 'patch-state.json');
+}
+
+async function readPatchState(gameDir) {
+  if (!gameDir) return null;
+  try {
+    const t = await fs.readFile(statePath(gameDir), 'utf8');
+    return JSON.parse(t);
+  } catch {
+    return null;
+  }
+}
+
+async function writePatchState(gameDir, manifestVersion, fileShas) {
+  const p = statePath(gameDir);
+  await fs.mkdir(path.dirname(p), { recursive: true });
+  const body = {
+    client_build: manifestVersion,
+    updated_at: new Date().toISOString(),
+    files: fileShas,
+  };
+  const tmp = p + '.tmp';
+  await fs.writeFile(tmp, JSON.stringify(body, null, 2), 'utf8');
+  await fs.rename(tmp, p);
+}
+
+function validateManifest(m) {
+  if (!m || m.version == null || String(m.version).trim() === '') return false;
+  if (!m.files || typeof m.files !== 'object') return false;
+  return true;
+}
+
+/**
+ * Download and parse patch-manifest.json (or custom name). Returns null on any failure.
+ */
+async function loadManifest(cfg) {
+  const pm = cfg.patch_manifest;
+  if (!pm || !pm.enabled || !String(pm.source || '').trim()) return null;
+  const tmp = path.join(os.tmpdir(), `fr-patch-manifest-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+  try {
+    if (pm.from_release) {
+      await downloadReleaseAsset(cfg, String(pm.source).trim(), tmp);
+    } else {
+      await downloadGitHubRepoFile(cfg, String(pm.source).trim(), tmp);
+    }
+    const raw = await fs.readFile(tmp, 'utf8');
+    await fs.unlink(tmp).catch(() => {});
+    return JSON.parse(raw);
+  } catch {
+    await fs.unlink(tmp).catch(() => {});
+    return null;
+  }
+}
+
+/**
+ * True if every from_release file on disk matches manifest sha256.
+ */
+async function patchesMatchManifest(cfg, manifest, onStatus) {
+  if (!validateManifest(manifest)) return false;
+  const gameDir = cfg.game_dir;
+  for (const entry of cfg.files || []) {
+    if (!entry.from_release) continue;
+    const spec = manifest.files[entry.source];
+    if (!spec || !spec.sha256) return false;
+    const parts = String(entry.dest).replace(/\\/g, '/').split('/').filter(Boolean);
+    const destAbs = path.join(gameDir, ...parts);
+    let disk;
+    try {
+      disk = await sha256File(destAbs);
+    } catch {
+      return false;
+    }
+    if (disk.toLowerCase() !== String(spec.sha256).trim().toLowerCase()) return false;
+  }
+  if (onStatus) {
+    onStatus(`Client files already match build ${manifest.version} (nothing to download).`);
+  }
+  return true;
+}
+
+async function verifyInstalledAgainstManifest(cfg, manifest) {
+  if (!validateManifest(manifest)) return;
+  for (const entry of cfg.files || []) {
+    if (!entry.from_release) continue;
+    const spec = manifest.files[entry.source];
+    if (!spec || !spec.sha256) {
+      throw new Error(
+        `patch-manifest.json is missing a sha256 for "${entry.source}" — regenerate the manifest for this release.`
+      );
+    }
+    const parts = String(entry.dest).replace(/\\/g, '/').split('/').filter(Boolean);
+    const destAbs = path.join(cfg.game_dir, ...parts);
+    const disk = await sha256File(destAbs);
+    if (disk.toLowerCase() !== String(spec.sha256).trim().toLowerCase()) {
+      throw new Error(
+        `${entry.source}: checksum mismatch after install (expected ${spec.sha256.slice(0, 12)}…, got ${disk.slice(0, 12)}…). Try syncing again.`
+      );
+    }
+  }
+}
+
+async function recordPatchState(cfg, manifest) {
+  if (!validateManifest(manifest)) return;
+  const shas = {};
+  for (const entry of cfg.files || []) {
+    if (!entry.from_release) continue;
+    const parts = String(entry.dest).replace(/\\/g, '/').split('/').filter(Boolean);
+    const destAbs = path.join(cfg.game_dir, ...parts);
+    try {
+      shas[entry.source] = await sha256File(destAbs);
+    } catch {
+      /* skip */
+    }
+  }
+  await writePatchState(cfg.game_dir, String(manifest.version), shas);
+}
+
+module.exports = {
+  loadManifest,
+  validateManifest,
+  patchesMatchManifest,
+  verifyInstalledAgainstManifest,
+  recordPatchState,
+  readPatchState,
+  statePath,
+};

tools/fractured-launcher-electron/main.js

@@ -5,6 +5,7 @@ const path = require('path');
 const { spawn } = require('child_process');
 const { loadConfig, saveGameDir, resolveGameDir } = require('./lib/config-store');
 const { applyPatches, wowExePath, wowInstallValid, doAuth } = require('./lib/patch');
+const { readPatchState } = require('./lib/patch-manifest');
 const { setupAutoUpdater } = require('./lib/auto-update');
 
 let mainWindow;
@@ -46,16 +47,23 @@ async function readMergedConfig() {
 app.whenReady().then(async () => {
   createWindow();
   const { config } = await loadConfig(app);
-  const tokenEnv = config.github && config.github.token_env;
-  const token =
-    (tokenEnv && String(process.env[tokenEnv] || '').trim()) ||
+  const ghEnv = config.github && config.github.token_env;
+  const githubToken =
+    (ghEnv && String(process.env[ghEnv] || '').trim()) ||
     String(process.env.GH_TOKEN || process.env.GITHUB_TOKEN || '').trim();
+  const giteaEnv = config.gitea && config.gitea.token_env;
+  const giteaToken =
+    (giteaEnv && String(process.env[giteaEnv] || '').trim()) ||
+    String(process.env.GITEA_TOKEN || '').trim();
   const updateFeedUrl = String(process.env.LAUNCHER_UPDATE_URL || config.update_feed_url || '').trim();
-  autoUpdateApi = setupAutoUpdater(app, () => mainWindow, {
+  autoUpdateApi = await setupAutoUpdater(app, () => mainWindow, {
     updateFeedUrl,
+    config,
     githubOwner: config.github && config.github.owner,
     githubRepo: config.github && config.github.repo,
-    token,
+    githubToken,
+    giteaToken,
+    allowGithubLauncherUpdates: config.launcher_updates_from_github === true,
   });
   app.on('activate', () => {
     if (BrowserWindow.getAllWindows().length === 0) createWindow();
@@ -68,12 +76,18 @@ app.on('window-all-closed', () => {
 
 ipcMain.handle('launcher:load', async () => {
   const { configPath, config } = await readMergedConfig();
+  let clientBuild = '';
+  if (wowInstallValid(config)) {
+    const st = await readPatchState(config.game_dir);
+    if (st && st.client_build) clientBuild = String(st.client_build);
+  }
   return {
     configPath,
     gameDir: config.game_dir || '',
     authEnabled: !!(config.auth && config.auth.enabled),
     wowExe: (config.launch && config.launch.exe) || 'Wow.exe',
     wowOk: wowInstallValid(config),
+    clientBuild,
   };
 });
 

tools/fractured-launcher-electron/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fractured-launcher-electron",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Fractured WoW launcher (Electron) — no console window, native folder picker, auto-update",
   "main": "main.js",
   "repository": {
@@ -9,8 +9,9 @@
   },
   "scripts": {
     "start": "electron .",
-    "pack:win": "electron-builder --win nsis portable --x64",
-    "publish:win": "electron-builder --win nsis portable --x64 --publish always"
+    "pack:win": "electron-builder --win nsis portable --x64 --publish never",
+    "pack:linux": "electron-builder --linux AppImage --x64 --publish never",
+    "publish:win": "electron-builder --win nsis portable --x64 --publish never"
   },
   "author": "",
   "license": "GPL-3.0",
@@ -27,13 +28,7 @@
     "directories": {
       "output": "dist"
     },
-    "publish": [
-      {
-        "provider": "github",
-        "owner": "Dawnforger",
-        "repo": "Fractured-Distro"
-      }
-    ],
+    "publish": null,
     "files": [
       "main.js",
       "preload.cjs",
@@ -41,6 +36,9 @@
       "renderer.js",
       "styles.css",
       "default-launcher.json",
+      "lib/baked-gitea-channel.js",
+      "lib/gitea-release.js",
+      "lib/patch-manifest.js",
       "lib/**/*"
     ],
     "win": {
@@ -62,6 +60,18 @@
     },
     "portable": {
       "artifactName": "Fractured-Launcher-${version}-Windows-Portable.${ext}"
+    },
+    "linux": {
+      "target": [
+        {
+          "target": "AppImage",
+          "arch": ["x64"]
+        }
+      ],
+      "category": "Game"
+    },
+    "appImage": {
+      "artifactName": "Fractured-Launcher-${version}-Linux-x86_64.${ext}"
     }
   }
 }

tools/fractured-launcher-electron/scripts/bootstrap-gitea-repo.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Push a one-file README so the Gitea repo is non-empty (fixes HTTP 422 "repo is empty"
+# when CI creates a release). Safe to re-run only if the repo still has no commits;
+# if it already has history, skip or use the Gitea web UI instead.
+#
+# Usage:
+#   export GITEA_BASE_URL=https://git.example.com
+#   export GITEA_OWNER=myorg
+#   export GITEA_REPO=fractured-patches
+#   ./bootstrap-gitea-repo.sh
+#
+# Or pass an explicit clone URL (HTTPS or SSH):
+#   ./bootstrap-gitea-repo.sh https://git.example.com/myorg/fractured-patches.git
+#
+set -euo pipefail
+
+BRANCH="${GITEA_TARGET_REF:-main}"
+
+if [ "${1:-}" != "" ]; then
+  URL="$1"
+else
+  : "${GITEA_BASE_URL:?Set GITEA_BASE_URL or pass clone URL as first argument}"
+  : "${GITEA_OWNER:?Set GITEA_OWNER or pass clone URL as first argument}"
+  : "${GITEA_REPO:?Set GITEA_REPO or pass clone URL as first argument}"
+  BASE="${GITEA_BASE_URL%/}"
+  URL="${BASE}/${GITEA_OWNER}/${GITEA_REPO}.git"
+fi
+
+TMP=$(mktemp -d)
+trap 'rm -rf "$TMP"' EXIT
+cd "$TMP"
+
+git init -q
+git checkout -q -b "$BRANCH"
+
+cat >README.md <<'EOF'
+# Fractured release mirror
+
+Release assets (launcher builds, patches, `patch-manifest.json`, etc.) are uploaded here by **GitHub Actions** (“Sync release to Gitea”) from the main Fractured repository.
+
+This initial commit exists because **Gitea requires at least one commit** in the repository before releases can be created.
+EOF
+
+git add README.md
+git commit -q -m "chore: initial commit (required for Gitea releases)"
+
+git remote add origin "$URL"
+git push -u origin "$BRANCH"
+
+echo "Pushed initial README to $URL (branch $BRANCH)."

tools/fractured-launcher-electron/scripts/generate-patch-manifest.js

@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+/**
+ * Build patch-manifest.json for a release (same names as files[].source in launcher.json).
+ *
+ * Usage (from a folder containing the patch binaries):
+ *   node generate-patch-manifest.js v0.9.0-client patch-Z.MPQ Wow-patched.exe
+ *
+ * Prints JSON to stdout — redirect to file:
+ *   node generate-patch-manifest.js v0.9.0-client patch-Z.MPQ Wow-patched.exe > patch-manifest.json
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const version = process.argv[2];
+const names = process.argv.slice(3);
+if (!version || names.length === 0) {
+  console.error('Usage: generate-patch-manifest.js <version-label> <file1> [file2 ...]');
+  console.error('  Example: generate-patch-manifest.js v0.9.0-client patch-Z.MPQ Wow-patched.exe');
+  process.exit(1);
+}
+
+const out = { version, files: {} };
+for (const f of names) {
+  const base = path.basename(f);
+  const buf = fs.readFileSync(f);
+  const sha256 = crypto.createHash('sha256').update(buf).digest('hex');
+  out.files[base] = { sha256 };
+}
+process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);

tools/fractured-launcher-electron/scripts/manual-pack-linux.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# Local Linux AppImage build (uses current tree — no tag snapshot). Run from repo root or this dir.
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+echo "==> npm ci"
+npm ci
+echo "==> npm run pack:linux (AppImage x64)"
+npm run pack:linux
+echo "==> dist/:"
+ls -la dist/

tools/fractured-launcher-electron/scripts/upload-release-to-gitea.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Upload all files in a directory as attachments on a Gitea release (create release if missing).
+#
+# Usage:
+#   export GITEA_BASE_URL=https://git.example.com
+#   export GITEA_TOKEN=gta_...
+#   export GITEA_OWNER=myorg
+#   export GITEA_REPO=fractured-patches
+#   export GITEA_TARGET_REF=main   # optional, used when creating a new release (tag must not exist yet)
+#   ./upload-release-to-gitea.sh /path/to/combined v1.0.0
+#
+set -euo pipefail
+
+COMBINED_DIR="${1:?first arg: directory of files to attach}"
+TAG="${2:?second arg: release tag (e.g. v1.0.0)}"
+
+: "${GITEA_BASE_URL:?Set GITEA_BASE_URL (no trailing slash required)}"
+: "${GITEA_TOKEN:?Set GITEA_TOKEN}"
+: "${GITEA_OWNER:?Set GITEA_OWNER}"
+: "${GITEA_REPO:?Set GITEA_REPO}"
+
+BASE="${GITEA_BASE_URL%/}"
+API="$BASE/api/v1"
+TARGET="${GITEA_TARGET_REF:-main}"
+AUTH_H=(-H "Authorization: token ${GITEA_TOKEN}" -H "Accept: application/json")
+
+TAG_ENC=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$TAG")
+REL_JSON=$(mktemp)
+trap 'rm -f "$REL_JSON"' EXIT
+
+code=$(curl -sS -o "$REL_JSON" -w "%{http_code}" "${AUTH_H[@]}" \
+  "$API/repos/${GITEA_OWNER}/${GITEA_REPO}/releases/tags/${TAG_ENC}")
+
+if [ "$code" = "200" ]; then
+  rel_id=$(jq -r '.id' "$REL_JSON")
+elif [ "$code" = "404" ]; then
+  body=$(jq -n \
+    --arg tag "$TAG" \
+    --arg name "Fractured $TAG" \
+    --arg body "Synced from GitHub Actions (Fractured)." \
+    --arg target "$TARGET" \
+    '{tag_name:$tag,name:$name,body:$body,draft:false,prerelease:false,target_commitish:$target}')
+  code=$(curl -sS -o "$REL_JSON" -w "%{http_code}" -X POST "${AUTH_H[@]}" \
+    -H "Content-Type: application/json" \
+    -d "$body" \
+    "$API/repos/${GITEA_OWNER}/${GITEA_REPO}/releases")
+  if [ "$code" != "201" ] && [ "$code" != "200" ]; then
+    echo "Gitea create release failed HTTP $code:" >&2
+    cat "$REL_JSON" >&2
+    if [ "$code" = "422" ] && jq -e '.message == "repo is empty"' "$REL_JSON" >/dev/null 2>&1; then
+      echo >&2
+      echo "Gitea does not allow releases on a repo with zero commits. Fix: push at least one commit" >&2
+      echo "to ${GITEA_OWNER}/${GITEA_REPO} (e.g. add README.md on branch ${TARGET} via web UI or git push)," >&2
+      echo "or set Actions variable GITEA_TARGET_REF to an existing default branch name." >&2
+    fi
+    exit 1
+  fi
+  rel_id=$(jq -r '.id' "$REL_JSON")
+else
+  echo "Gitea GET release by tag failed HTTP $code:" >&2
+  cat "$REL_JSON" >&2
+  exit 1
+fi
+
+if [ -z "$rel_id" ] || [ "$rel_id" = "null" ]; then
+  echo "Could not resolve Gitea release id" >&2
+  exit 1
+fi
+
+while read -r aid; do
+  [ -z "$aid" ] || [ "$aid" = "null" ] && continue
+  curl -fsS -X DELETE "${AUTH_H[@]}" \
+    "$API/repos/${GITEA_OWNER}/${GITEA_REPO}/releases/${rel_id}/assets/${aid}" || true
+done < <(jq -r '(.attachments // .assets // [])[] | .id' "$REL_JSON")
+
+shopt -s nullglob
+files=("$COMBINED_DIR"/*)
+if [ "${#files[@]}" -eq 0 ]; then
+  echo "No files in $COMBINED_DIR" >&2
+  exit 1
+fi
+
+for f in "${files[@]}"; do
+  [ -f "$f" ] || continue
+  echo "Uploading $(basename "$f") …"
+  curl -fsS -X POST "${AUTH_H[@]}" \
+    -F "attachment=@${f}" \
+    "$API/repos/${GITEA_OWNER}/${GITEA_REPO}/releases/${rel_id}/assets"
+done
+
+echo "Gitea release $TAG (id=$rel_id) updated with ${#files[@]} file(s)."