Lumpini ships one wedge at a time. Every phase below assumes local storage first — cloud features appear only where explicitly marked as opt-in. Timelines are estimates; order and scope may shift as we learn from daily use.
We optimize for retention and trust, not vanity downloads.
Phase 0 — Foundation
A daily-driver desktop browser: calm shell, local data, real security.
- Tauri desktop app — tabs, omnibox, workspace switcher, native WebKit content
- Local SQLite for workspaces, tabs, bookmarks, history, and settings
- Privacy & Protection — ad/tracker blocking, blocklists, per-site controls, DNS-over-HTTPS
- Encrypted Vault with autofill, search & sort; WebAuthn groundwork (passkey sheet pending Apple’s browser entitlement)
- Certificate warnings, HTTP “not secure” bar, local download scanning
- Download manager with progress and cancel; default-browser and .html file handling
- 14 themes, flexible tab bars, dock magnification, 18 languages with RTL
- Developer ID signing, Apple notarization, and signed auto-updates
Exit criteria — met: browse daily, tabs restored after restart, signed installer with in-app updates.
Phase 1 — Attention OS
“The browser that remembers your projects.”
- Session restore per workspace
- Tab hibernation — park inactive tabs, wake on focus
- Multiple browser windows and tab tear-off
- Vertical tabs, pinned tabs, and tab groups
- Local full-text history search
- Import bookmarks from Chrome or Safari (file-based, no upload)
Phase 2 — Trust layer
“The browser that stops you getting scammed.”
- Lookalike domain warnings
- Payment page highlights (new merchant, subscription language)
- Download and extension install guardrails with permission UI
- Blocklist updates via signed local bundles — no account required
- Optional (cloud opt-in) faster threat intelligence feed
Phase 3 — Local intelligence
“AI that works offline and stays on your machine.”
- Ollama / on-device models — summarize and explain page
- Research mode — highlights to cited brief, stored locally
- Agentic tasks with step-by-step approval (no silent pay or send)
- Optional (cloud opt-in) stronger models via your own API key
Phase 4 — Engine & reach
- Evaluate Chromium (CEF) if extension compatibility requires it
- Windows and Linux builds
- Mobile exploration (WebView limits documented honestly)
- Public release polish and privacy policy
Phase 5 — Sync
- End-to-end encrypted sync for bookmarks, tabs, and workspaces
- Self-hostable sync server spec for power users
- Never required for core browsing
Lumpini Extension Store
Lumpini extensions are not Chrome Web Store packages. They are signed
.lumpini-extension ZIP archives with explicit, user-approved permissions —
built for WebView without Chromium’s extension worker model.
| Stage | Name | What you get |
|---|---|---|
| B0 | Local install | Install signed extensions from file. Configuration panel to list, enable, disable, and uninstall. Content scripts, local storage API, permission UI. Most of B0 is shipped today. |
| B0.5 | Install from URL | Install and update extensions from a trusted HTTPS URL — still no store, no accounts. |
| B1 | Extension catalog | Lumpini Extension Store (curated catalog on lumpini.com) — browse and install reviewed, signed extensions. No accounts required to browse or install free extensions. |
| B2 | Developer registration | Developer sign-up and submission workflow for third-party extension authors. |
| B3 | Marketplace | Paid extensions and a full marketplace — only after trust and review infrastructure is proven. |
Extension principles (won’t change)
- No silent auto-install — every capability is named and approved
- No 24/7 background service workers
- No arbitrary native code inside extensions
- Local-first storage for extension data
- Maximum package size and file count limits
What we measure
- 7-day retention — do you reopen Lumpini?
- Tabs restored successfully after quit
- Crash-free sessions
- “Would you recommend?” from early power users