Release v0.1.1: mixed-key truth + microphone readiness fixes

.github/workflows/ci.yml

@@ -1,4 +1,6 @@
 name: CI
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 on:
   pull_request:
@@ -20,29 +22,26 @@ jobs:
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint:structure
-      - name: Detect lint targets
-        id: lint-targets
+      - name: Run ESLint on changed files
         run: |
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
             BASE_SHA="${{ github.event.pull_request.base.sha }}"
           else
             BASE_SHA="${{ github.event.before }}"
           fi
-          CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "${{ github.sha }}" -- \
+          git diff --name-only "$BASE_SHA" "${{ github.sha }}" -- \
             apps/web/src \
             packages/storage/src \
             packages/pipeline/transcribe/src \
             packages/pipeline/assemble/src \
             scripts/check-no-phi-logs.mjs \
             config/scripts/check-structure.mjs \
-            | tr '\n' ' ')"
-          echo "files=${CHANGED_FILES}" >> "$GITHUB_OUTPUT"
-      - name: Run ESLint on changed files
-        if: steps.lint-targets.outputs.files != ''
-        run: pnpm exec eslint --config config/eslint.config.mjs ${{ steps.lint-targets.outputs.files }}
-      - name: Skip ESLint when no tracked files changed
-        if: steps.lint-targets.outputs.files == ''
-        run: echo "No lint-tracked files changed; skipping eslint."
+            > /tmp/lint-targets.txt
+          if [[ -s /tmp/lint-targets.txt ]]; then
+            xargs pnpm exec eslint --config config/eslint.config.mjs < /tmp/lint-targets.txt
+          else
+            echo "No lint-tracked files changed; skipping eslint."
+          fi
 
   typecheck:
     runs-on: ubuntu-latest

.github/workflows/desktop-release.yml

@@ -0,0 +1,202 @@
+name: Desktop Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 0.2.0)"
+        required: true
+      release_base_url:
+        description: "Base download URL for manifest entries"
+        required: false
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  build-desktop:
+    name: Build ${{ matrix.target }}-${{ matrix.arch }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            target: mac
+            arch: x64
+            platform_id: darwin
+          - os: macos-latest
+            target: mac
+            arch: arm64
+            platform_id: darwin
+          - os: windows-latest
+            target: win
+            arch: x64
+            platform_id: win32
+          - os: ubuntu-latest
+            target: linux
+            arch: x64
+            platform_id: linux
+          - os: ubuntu-latest
+            target: linux
+            arch: arm64
+            platform_id: linux
+    env:
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+      WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
+      LINUX_SIGNING_KEY: ${{ secrets.LINUX_SIGNING_KEY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Backend Unit Tests
+        shell: bash
+        run: |
+          cd local-only/openscribe-backend
+          PYTHONPATH=. python -m unittest discover -s tests -p "test*_unittest.py"
+
+      - name: Provision Clean Environment
+        run: pnpm test:e2e:desktop:provision
+
+      - name: Generate E2E Fixtures
+        run: pnpm test:e2e:desktop:fixtures
+
+      - name: Build Desktop Installer
+        run: node scripts/build-desktop.mjs ${{ matrix.target }} ${{ matrix.arch }} installer
+
+      - name: Build Desktop Unpacked Dir
+        run: node scripts/build-desktop.mjs ${{ matrix.target }} ${{ matrix.arch }} dir
+
+      - name: Smoke Check Artifacts
+        run: pnpm test:desktop:artifacts
+
+      - name: Runtime Launch Smoke
+        run: pnpm test:e2e:desktop:launch
+
+      - name: Install Lifecycle Smoke
+        run: pnpm test:e2e:desktop:lifecycle
+
+      - name: IPC Contract Regression
+        run: pnpm test:e2e:desktop:ipc
+
+      - name: Signing/Notarization Gate
+        run: pnpm test:e2e:desktop:signing
+        env:
+          CI_PLATFORM: ${{ matrix.platform_id }}
+
+      - name: Generate Release Manifest
+        run: pnpm build:release:manifest
+        env:
+          RELEASE_VERSION: ${{ github.ref_name }}
+          RELEASE_BASE_URL: ${{ inputs.release_base_url }}
+          SIGNATURE_STATUS: VERIFIED
+
+      - name: Generate Checksums
+        run: pnpm build:release:checksums
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: desktop-${{ matrix.target }}-${{ matrix.arch }}
+          path: |
+            build/dist/**
+
+  validate-release-evidence:
+    name: Validate Release Evidence
+    runs-on: ubuntu-latest
+    needs: build-desktop
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download All Desktop Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: build/evidence
+          pattern: desktop-*
+
+      - name: Validate 5-target evidence and integrity files
+        run: node scripts/e2e/validate-release-evidence.mjs
+
+  publish-github-release:
+    name: Publish GitHub Release
+    runs-on: ubuntu-latest
+    needs: validate-release-evidence
+    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Download All Desktop Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: build/release-artifacts
+          pattern: desktop-*
+
+      - name: Resolve release tag
+        id: release_tag
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            tag="${{ inputs.release_version }}"
+            if [[ ! "$tag" =~ ^v ]]; then
+              tag="v$tag"
+            fi
+          else
+            tag="${{ github.ref_name }}"
+          fi
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+
+      - name: Collect installer assets
+        run: pnpm build:release:collect
+
+      - name: Generate consolidated manifest/checksums
+        run: |
+          DIST_DIR=build/publish RELEASE_VERSION=${{ steps.release_tag.outputs.tag }} RELEASE_BASE_URL=https://github.com/${{ github.repository }}/releases/download/${{ steps.release_tag.outputs.tag }} SIGNATURE_STATUS=VERIFIED pnpm build:release:manifest
+          DIST_DIR=build/publish pnpm build:release:checksums
+
+      - name: Publish Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.release_tag.outputs.tag }}
+          draft: false
+          prerelease: false
+          generate_release_notes: true
+          files: |
+            build/publish/*

.github/workflows/quality-gates.yml

@@ -0,0 +1,90 @@
+name: Quality Gates
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: pnpm
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint structure
+        run: pnpm lint:structure
+
+      - name: Run ESLint on changed files
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          else
+            BASE_SHA="${{ github.event.before }}"
+          fi
+          git diff --name-only "$BASE_SHA" "${{ github.sha }}" -- \
+            apps/web/src \
+            packages/storage/src \
+            packages/pipeline/transcribe/src \
+            packages/pipeline/assemble/src \
+            scripts/check-no-phi-logs.mjs \
+            config/scripts/check-structure.mjs \
+            > /tmp/lint-targets.txt
+          if [[ -s /tmp/lint-targets.txt ]]; then
+            xargs pnpm exec eslint --config config/eslint.config.mjs < /tmp/lint-targets.txt
+          else
+            echo "No lint-tracked files changed; skipping eslint."
+          fi
+
+      - name: Build Tests
+        run: pnpm build:test
+
+      - name: Unit Tests
+        run: pnpm test:llm
+
+      - name: Desktop IPC Contract Test
+        run: pnpm test:e2e:desktop:ipc
+
+      - name: Detect dependency manifest changes
+        id: dep-scope
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          else
+            BASE_SHA="${{ github.event.before }}"
+          fi
+          if git diff --name-only "$BASE_SHA" "${{ github.sha }}" -- pnpm-lock.yaml | grep -q .; then
+            echo "run_audit=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "run_audit=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Dependency Audit
+        if: steps.dep-scope.outputs.run_audit == 'true'
+        run: pnpm audit --audit-level high
+
+      - name: Skip dependency audit when manifests are unchanged
+        if: steps.dep-scope.outputs.run_audit != 'true'
+        run: echo "No dependency manifest changes; skipping audit."

.gitignore

@@ -23,3 +23,6 @@ yarn-debug.log*
 yarn-error.log*
 *.tsbuildinfo
 .idea
+local-only/openscribe-backend/ollama_startup_report.json
+local-only/openscribe-backend/recorder_state.json
+local-only/openscribe-backend/config.json