[AGENT] Productize Chronote Desktop with release CI/CD and native test gates

[BASIC-BIT]

[AGENT]

Summary

Productize Chronote Desktop beyond the current beta/dev workflow by adding a robust release pipeline, signed artifacts, native desktop test gates, and user/support documentation.

This follows the accepted desktop ADR, which intentionally deferred signed packaging and auto-update hardening until release signing custody and artifact hosting were ready.

Current State

• Basic Windows desktop recorder/uploader is implemented.
• Desktop API is gated behind ENABLE_DESKTOP_API plus DESKTOP_ALLOWED_USER_IDS or SUPER_ADMIN_USER_IDS.
• PR CI has Desktop Check on windows-latest using yarn desktop:ci.
• Desktop CI currently covers dependency install, TypeScript typecheck, Vite desktop web build, and cargo check.
• Mocked Playwright visual snapshots cover the desktop recorder UI flow.
• Backend tests cover desktop auth, beta allowlist behavior, multi-source upload intent/complete/status, and validation.

Productization Goals

• Ship a Windows desktop app users can install, update, troubleshoot, and trust.
• Make desktop release quality depend on native/package-level gates, not only mocked browser UI checks.
• Keep signing credentials and release controls protected.
• Preserve the invariant that the desktop client never holds OpenAI credentials.

Proposed Scope

Release CI/CD

• Add a dedicated desktop release workflow separate from ordinary PR CI.
• Build Windows installers/artifacts with Tauri in CI.
• Publish release artifacts with checksums and enough metadata to validate what was shipped.
• Use protected GitHub environments for signing and release publication.
• Decide beta/stable channel naming and versioning rules.
• Make release jobs reproducible enough to rebuild a tagged desktop artifact.

Signing and Updates

• Decide certificate/key custody for Windows signing.
• Sign release artifacts before publication.
• Add or explicitly defer Tauri updater support with a documented update manifest and rollback plan.
• Keep unsigned/local dev builds clearly distinct from production builds.

Native Desktop Testing

• Add packaged-app smoke tests on windows-latest that launch the built desktop app, not just the Vite web shell.
• Run the packaged app against a mock/local Chronote API so login/upload/status/open-link behavior can be exercised without production credentials.
• Add a synthetic audio/test feature or injectable recorder backend so CI can verify record/stop/upload without physical audio devices.
• Verify installer creation and basic install/uninstall behavior where practical in CI.
• Preserve current mocked Playwright visual coverage, but do not treat it as sufficient for release readiness.

Release Gates

• Gate desktop releases on TypeScript, Rust, web build, Tauri build, packaged smoke, installer artifact validation, and existing desktop API tests.
• Add artifact validation for expected files, versions, identifiers, checksums, and signing status.
• Add a manual hardware smoke-test checklist for Windows audio capture before broad release.

Security and Privacy

• Review Tauri capabilities, CSP, external URL handling, token storage, local callback handling, and update signing before stable release.
• Document privacy implications of recording microphone and system audio.
• Ensure support logs redact tokens and do not contain secrets.
• Keep desktop API production access gated until release readiness is explicit.

Docs and Support

• Document install, update, uninstall, beta access, troubleshooting, and known Windows audio/device limitations.
• Add support-log collection guidance for desktop failures.
• Document rollback/revocation steps for a bad desktop release.

Non-goals

• macOS/Linux production support in this epic unless a specific subissue scopes it.
• Mobile/watch apps.
• Discord user-token automation.
• Moving transcription or OpenAI credentials into the desktop client.

Acceptance Criteria

1. A protected desktop release workflow can build and publish Windows desktop artifacts from a tag or approved release dispatch.
2. Release artifacts are signed or the lack of signing is explicitly blocked from stable release.
3. Release artifacts include checksums and artifact/version metadata.
4. CI can launch a packaged desktop build against a mock/local API and verify a basic login/record/stop/upload/status/link flow.
5. CI can exercise desktop recording behavior through a synthetic/injectable audio backend without physical devices.
6. Installer artifact creation is validated, and install/uninstall behavior is tested or covered by a manual release checklist with owners.
7. Existing mocked visual coverage remains in place for desktop UI states.
8. Desktop API tests remain part of the release gate.
9. Security/privacy review items for Tauri permissions, CSP, token storage, external links, callback handling, and updater signing are resolved or tracked as blocking subissues.
10. User-facing docs cover installation, updates, troubleshooting, privacy expectations, and support-log collection.
11. A rollback plan exists for bad desktop releases.

Suggested First Subissues

• Add desktop release workflow and artifact validation.
• Add packaged desktop smoke test harness with mock API.
• Add synthetic audio recorder backend for CI.
• Decide Windows signing and updater custody model.
• Write desktop install/troubleshooting/support-log docs.
• Harden desktop security/privacy before stable release.

[BASIC-BIT]

[AGENT]

PR #250 merged as 63fe3e8, delivering the desktop release gates, native smoke harness, artifact validation/checksums, desktop shell polish, and productization docs.

Stable desktop release remains intentionally blocked until Authenticode signing is configured and verified; that should be handled as a follow-up workstream.