⚠️ IMPORTANT
UPDATED TO USE THE LATEST SERVO EMBEDDINGS 0.1.0!
We were using 0.0.6 so this is a large jump and allows us better control and ci along with bring in a whole sport of improvements from stability to performance. Please go take a look and give them some love! Servo 0.1.0 release
NEW SUPPORT FOR ENCRYPTED APPS with AEAD-ENCRYPTED (AES-256-GCM) VFS
The latest version adds support for packaging your app in a VFS with a natively derived key. This allows developers to ship closed-source applications while still leveraging web-based frontends. The decryption key is sharded across the native binary and never touches the V8 heap or the Node.js environment.
Disclaimer about Encryption and Closed-Source Software
Lotus supports encryption to protect your intellectual property. However, the encryption layer relies on secrets injected during the build process. Anyone with access to the decrypted application in memory (e.g., using debugging tools like WinDbg, Frida, or manual memory inspection) may eventually extract these secrets. Users should be aware that client-side encryption is primarily a deterrent against casual reverse engineering and unauthorized distribution, not a guarantee of absolute security against determined adversaries. As always, security in distributed binaries is a game of making extraction difficult enough that most people won't bother. It is fundamentally impossible to keep assets perfectly secure in the presence of a dedicated reverse engineer.
Lotus is a high-performance, lightweight desktop GUI framework that pairs the power of Node.js with the speed of the Servo rendering engine.
It's designed for developers who want to build cross-platform desktop applications with web technologies (HTML/CSS/JS) and want someting a bit easier to use. By using Servo instead of Chromium and keeping Node.js in the driver's seat for OS integration, Lotus delivers a "blistering fast" experience with a tiny footprint.
🏎️ "LOTUS IS MADE WITH THE IDEOLOGY OF A LOTUS ELISE." "If a part doesn't make it start faster, use less memory, or render pixels, it's gone. No extra suspension. No spare tires. No browser pretending to be an operating system."
🥊 THE ARCHITECTURE (Or: Why It's Fast) • Lotus Strategy: Node owns the OS. Servo paints the pixels. No magic. No fake sandboxes. No hidden instances listening to how you use each piece of it for telemetry. The Goal here is to just be a renderer and let the devs do everything else directly in node with a blistering fast ipc (tested up to 9k messages per second reliably)
🔧 THE ANALOGY THAT EXPLAINS EVERYTHING: • Node.js is the track. • Servo is the car. • IPC is the steering wheel. "On a track, you don't worry about potholes. You worry about lap times."
💡 THE POINT: "Node.js already does OS integration. We just needed a renderer. That's it. That's the whole project."
The Easy Way: working Windows and Linux builds are on npm. You don't need to build from source.
The fastest way to get started is with the CLI:
npx lotus init my-app
cd my-app
npm install
npx lotus dev
If you prefer to set things up yourself:
mkdir my-lotus-app && cd my-lotus-app
npm init -y
npm install @lotus-gui/core @lotus-gui/dev
Then see the example code below or check
node_modules/@lotus-gui/core/test_appfor a full reference.
Speed that actually matters:
Hybrid Runtime:
Hybrid Mode (File Serving):
lotus-resource:// serves files from disk.../../ your way to /etc/passwd. Nice try. This will also be further enhanced with the encrypted file systems in the future as you will be chunk loading on the fly in the loader itself or from ram if we load the whole thing in so reaching outside of that is noticiably harder on accident.Asset Protection (Encrypted VFS):
Advanced IPC (The Steering Wheel):
tokio + axum on 127.0.0.1:0 with persistent WebSocket connections. It works. It's pretty fast and low latency. Yeah i know its a bit overkill but it works and it was fun to implement, though the main reasons are it also gives us blustering fast ipc, at least on my system in my personal testing i was able to get 10k messages per second reliably at an average latency of 0.111 ms in a string message test.
IPC stress test: 9,000+ messages/second at 0.111ms average latency (Linux)
Auto-Adapting: JSON? Binary? Blobs? We don't care. We handle it via WebSockets natively using msgpack to massively decrease the serialization/deserialization overhead and increase performance.
invoke() / handle() (Promise IPC): The renderer calls window.lotus.invoke('ch', data) and gets back a Promise. Node registers ipcMain.handle('ch', async fn). No manual reply channels, no leaked listeners, no correlation IDs in your app code. I wanted this as simple as possible so it is easier to just pickup and use, though with the invoke and handle we still have .send and .on for the more advanced users who want more control over the ipc.window.lotus.on('file-drop', ...)) and Node.js (win.on('file-drop', ...)). Zero Servo involvement, pure winit event forwarding so we dont have to have it touch pieces it doesnt have to.Window State Persistence:
Script Injection:
Native Look & Feel:
Frameless Windows:
-webkit-app-region: drag or data-lotus-drag. Lotus bridges it to the OS, no JS required.Multi-Window Support:
Lotus is organized as a monorepo with two packages:
lotus/
├── packages/
│ ├── lotus-core/ # @lotus-gui/core -- Runtime engine (Servo + Node bindings)
│ │ ├── src/ # Rust source (N-API bindings, window management)
│ │ ├── lotus.js # High-level JS API (ServoWindow, IpcMain, App)
│ │ ├── index.js # Native binding loader
│ │ ├── resources/ # IPC bridge scripts, debugger
│ │ └── test_app/ # Example application
│ │
│ └── lotus-dev/ # @lotus-gui/dev -- CLI toolkit for development & packaging
│ ├── bin/lotus.js # CLI entry point (lotus dev, build, clean)
│ └── lib/templates/ # Installer templates (RPM spec, etc.)
│
├── package.json # Monorepo root (npm workspaces)
└── README.md # You are here
| Package | npm Name | What It Does |
|---|---|---|
| lotus-core | @lotus-gui/core |
The runtime -- Servo engine, window management, IPC. This is what your app require()s. |
| lotus-dev | @lotus-gui/dev |
CLI toolkit -- dev server with hot-reload, build system, DEB/RPM installer packaging. |
| Platform | Arch | Native Binary (.node) |
Installer Target | Status |
|---|---|---|---|---|
| Linux (Debian/Ubuntu) | x64 | ✅ Verified | .deb (Stable) |
Ready |
| Linux (Fedora/RHEL) | x64 | ✅ Verified | .rpm (Stable) |
Ready |
| Linux (openSUSE) | x64 | 🛠 Testing | Planned | Alpha |
| Windows | x64 | ✅ Verified | .msi (testing) |
Beta *1 |
| FreeBSD | x64 | 🛠 Testing | Planned | Alpha |
| macOS | arm64 | 🆘 Help Wanted | TBD | On Hold |
1 Windows Status:*
What Works:
.node available on npmlotus build creates .msi installers Known Issues:
lotus build --target nsis still uses old logicNote: * Installer Target: The packaged distribution format (what users download/install) * Native Binary: The
.nodefile that powers the runtime (what developersrequire())
We have working Windows and Linux builds available on npm (@lotus-gui/core@0.3.3).
Mac support is missing (because their ecosystem needs someone who nows it, please feel free to help!). BSD and SUSE support is planned (because I know the pain points over there, see Roadmap). Right now there are builds for BSD and SUSE so you can use it though it does not have an installer builder for them yet. I plan to add that in future releases.
$ claude mcp add project-lotus \
-- python -m otcore.mcp_server <graph>