chore(release): v0.1.2

- fix(ci): remove dead biome suppressions + non-null assertion to get lint green
- feat(packaging): stable artifactName across platforms (-x64/-arm64 suffixes)
- feat(release): SHA256SUMS + CycloneDX SBOM attached to each Release
- feat(release): best-effort Snap build (isolated job, continue-on-error)
- feat(packaging): Homebrew Cask + winget + Flathub manifest templates
- feat(release): auto-bump jobs for Homebrew/winget (gated on secrets)
- docs(readme): honest per-channel status for v0.1.x install surface
- docs(website): SmartDownload reads version from package.json; new asset naming

Author: hqhq1025

.github/workflows/release.yml

@@ -61,7 +61,7 @@ jobs:
         run: pnpm typecheck
 
       - name: Test
-        run: pnpm -r test
+        run: pnpm test
 
   # ------------------------------------------------------------------
   # Changelog: build release notes from conventional commits.
@@ -175,12 +175,134 @@ jobs:
           if-no-files-found: error
           retention-days: 7
 
+  # ------------------------------------------------------------------
+  # Snap: best-effort build of a .snap on ubuntu using snapcraft.
+  # Isolated into its own job because snapcraft is heavyweight and
+  # occasionally flakes on hosted runners; failure here should NOT
+  # block the release (publish job does not `needs:` this one).
+  # ------------------------------------------------------------------
+  build-snap:
+    name: Build Linux Snap (best-effort)
+    needs: [gate]
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    env:
+      RELEASE_REF: ${{ github.event_name == 'push' && github.ref || format('refs/tags/{0}', inputs.tag) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_REF }}
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+
+      - name: Install
+        run: pnpm install --frozen-lockfile
+
+      - name: Install snapcraft + LXD
+        # snapcraft itself handles most simple electron-builder builds via
+        # `snap pack`, but recent electron-builder (post core22/core24) will
+        # fall back to invoking snapcraft which needs LXD for its build
+        # environment. Setting both up here keeps the step resilient.
+        run: |
+          sudo snap install snapcraft --classic
+          sudo snap install lxd
+          sudo lxd waitready --timeout=60
+          sudo lxd init --auto
+
+      - name: Build workspace
+        run: pnpm --filter '!@open-codesign/desktop' -r build
+
+      - name: Package snap
+        working-directory: apps/desktop
+        env:
+          CSC_IDENTITY_AUTO_DISCOVERY: 'false'
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: pnpm exec electron-vite build && pnpm exec electron-builder --linux snap --publish never
+
+      - name: Upload snap artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: installer-snap
+          path: apps/desktop/release/*.snap
+          if-no-files-found: warn
+          retention-days: 7
+
+  # ------------------------------------------------------------------
+  # Supply-chain: checksums + CycloneDX SBOM for the whole workspace.
+  # Runs on one runner after all platform artifacts are uploaded.
+  # ------------------------------------------------------------------
+  provenance:
+    name: Checksums + SBOM
+    needs: [build, build-snap]
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_REF: ${{ github.event_name == 'push' && github.ref || format('refs/tags/{0}', inputs.tag) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_REF }}
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+
+      - name: Install
+        run: pnpm install --frozen-lockfile
+
+      - name: Download all installers
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          merge-multiple: true
+
+      - name: Generate CycloneDX SBOM (workspace)
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: dist/open-codesign-${{ github.event_name == 'push' && github.ref_name || inputs.tag }}-sbom.cdx.json
+
+      - name: Generate SHA256SUMS.txt
+        working-directory: dist
+        run: |
+          shopt -s nullglob
+          : > SHA256SUMS.txt
+          for f in *; do
+            [ -f "$f" ] && [ "$f" != "SHA256SUMS.txt" ] || continue
+            sha256sum "$f" >> SHA256SUMS.txt
+          done
+          cat SHA256SUMS.txt
+
+      - name: Upload provenance artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: provenance
+          path: |
+            dist/SHA256SUMS.txt
+            dist/open-codesign-*-sbom.cdx.json
+          if-no-files-found: error
+          retention-days: 7
+
   # ------------------------------------------------------------------
   # Publish: create (or update draft) GitHub Release and attach files.
   # ------------------------------------------------------------------
   publish:
     name: Publish GitHub Release
-    needs: [build, changelog]
+    needs: [build, build-snap, changelog, provenance]
     runs-on: ubuntu-latest
     env:
       RELEASE_REF: ${{ github.event_name == 'push' && github.ref || format('refs/tags/{0}', inputs.tag) }}
@@ -221,3 +343,66 @@ jobs:
           fail_on_unmatched_files: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # ------------------------------------------------------------------
+  # Homebrew Cask bump — opens a PR against OpenCoworkAI/homebrew-tap
+  # with the new version + sha256 of the mac DMGs.
+  # Skipped until HOMEBREW_TAP_TOKEN is set (see packaging/homebrew/README.md).
+  # ------------------------------------------------------------------
+  homebrew:
+    name: Bump Homebrew Cask
+    needs: [publish]
+    runs-on: macos-latest
+    if: github.event_name == 'push' && !contains(github.ref_name, '-')
+    steps:
+      - name: Guard on secret
+        id: guard
+        run: |
+          if [ -z "${{ secrets.HOMEBREW_TAP_TOKEN }}" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "::notice::HOMEBREW_TAP_TOKEN not set — skipping Homebrew bump. See packaging/homebrew/README.md."
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Bump cask
+        if: steps.guard.outputs.skip == 'false'
+        # TODO: pin to commit SHA when flipping HOMEBREW_TAP_TOKEN on (Scorecard).
+        uses: macauley/action-homebrew-bump-cask@v1
+        with:
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          tap: OpenCoworkAI/homebrew-tap
+          cask: open-codesign
+          tag: ${{ github.ref_name }}
+          force: false
+
+  # ------------------------------------------------------------------
+  # winget manifest PR — submits to microsoft/winget-pkgs.
+  # Skipped until WINGET_PAT is set (see packaging/winget/).
+  # Requires initial manual submission of the manifest first.
+  # ------------------------------------------------------------------
+  winget:
+    name: Submit winget manifest
+    needs: [publish]
+    runs-on: windows-latest
+    if: github.event_name == 'push' && !contains(github.ref_name, '-')
+    steps:
+      - name: Guard on secret
+        id: guard
+        shell: bash
+        run: |
+          if [ -z "${{ secrets.WINGET_PAT }}" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "::notice::WINGET_PAT not set — skipping winget submission. See packaging/winget/."
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Release winget package
+        if: steps.guard.outputs.skip == 'false'
+        # TODO: pin to commit SHA when flipping WINGET_PAT on (Scorecard).
+        uses: vedantmgoyal9/winget-releaser@v2
+        with:
+          identifier: OpenCoworkAI.OpenCoDesign
+          installers-regex: '-x64-setup\.exe$|-arm64-setup\.exe$'
+          token: ${{ secrets.WINGET_PAT }}

README.md

@@ -99,29 +99,30 @@ Your providers, models, and API keys import in one click — no copy-paste, no r
 
 ### 1. Install
 
-**Package managers** (recommended):
+**Direct download** (v0.1.x) from [GitHub Releases](https://github.com/OpenCoworkAI/open-codesign/releases):
 
-```sh
-# macOS — Homebrew
-brew tap OpenCoworkAI/tap
-brew install --cask open-codesign
+| Platform | File |
+|---|---|
+| macOS (Apple Silicon) | `open-codesign-*-arm64.dmg` |
+| macOS (Intel) | `open-codesign-*-x64.dmg` |
+| Windows (x64) | `open-codesign-*-x64-setup.exe` |
+| Windows (ARM64) | `open-codesign-*-arm64-setup.exe` |
+| Linux (x64) | `open-codesign-*-x64.AppImage` |
 
-# Windows — winget
-winget install OpenCoworkAI.open-codesign
+Each release ships with `SHA256SUMS.txt` and a CycloneDX SBOM (`*-sbom.cdx.json`) so you can verify what you downloaded.
 
-# Windows — Scoop
-scoop bucket add opencowork https://github.com/OpenCoworkAI/scoop-bucket
-scoop install opencowork/open-codesign
-```
+<details>
+<summary><b>Package managers</b> — status for v0.1.x</summary>
 
-**Direct download** from [GitHub Releases](https://github.com/OpenCoworkAI/open-codesign/releases):
+| Manager | Command | Status |
+|---|---|---|
+| Homebrew Cask (macOS) | `brew install --cask opencoworkai/tap/open-codesign` | 🟡 Tap pending — manifest in [`packaging/homebrew/`](./packaging/homebrew/) |
+| winget (Windows) | `winget install OpenCoworkAI.OpenCoDesign` | 🟡 First submission pending — manifest in [`packaging/winget/`](./packaging/winget/) |
+| Flathub (Linux) | `flatpak install flathub ai.opencowork.codesign` | 🟡 Submission pending — manifest in [`packaging/flatpak/`](./packaging/flatpak/) |
+| Snap (Linux) | `snap install --dangerous open-codesign-*.snap` | 🟡 Attached to releases best-effort; Snap Store publish not yet wired |
 
-| Platform | File |
-|---|---|
-| macOS (Apple Silicon) | `open-codesign-*-arm64.dmg` |
-| macOS (Intel) | `open-codesign-*.dmg` |
-| Windows (x64 / arm64) | `open-codesign-*-setup.exe` |
-| Linux | `open-codesign-*.AppImage` |
+Each release-time PR is auto-opened by CI once the corresponding tap/manifest/secret is provisioned — see each `packaging/*/README.md` for setup.
+</details>
 
 > **v0.1 note:** installers are unsigned. macOS: right-click → Open, or run `xattr -d com.apple.quarantine /Applications/open-codesign.app` after install. Windows: SmartScreen → More info → Run anyway.
 > Want a verified build? Compile from source — see [CONTRIBUTING.md](./CONTRIBUTING.md).

README.zh-CN.md

@@ -99,29 +99,30 @@ Open CoDesign 把自然语言提示词变成精美的 HTML 原型、幻灯片或
 
 ### 1. 安装
 
-**包管理器**（推荐）：
+**直接下载**（v0.1.x）从 [GitHub Releases](https://github.com/OpenCoworkAI/open-codesign/releases)：
 
-```sh
-# macOS — Homebrew
-brew tap OpenCoworkAI/tap
-brew install --cask open-codesign
+| 平台 | 文件 |
+|---|---|
+| macOS（Apple Silicon）| `open-codesign-*-arm64.dmg` |
+| macOS（Intel）| `open-codesign-*-x64.dmg` |
+| Windows（x64）| `open-codesign-*-x64-setup.exe` |
+| Windows（ARM64）| `open-codesign-*-arm64-setup.exe` |
+| Linux（x64）| `open-codesign-*-x64.AppImage` |
 
-# Windows — winget
-winget install OpenCoworkAI.open-codesign
+每个 release 附带 `SHA256SUMS.txt` 和 CycloneDX SBOM（`*-sbom.cdx.json`），可用于校验下载完整性。
 
-# Windows — Scoop
-scoop bucket add opencowork https://github.com/OpenCoworkAI/scoop-bucket
-scoop install opencowork/open-codesign
-```
+<details>
+<summary><b>包管理器</b>——v0.1.x 状态</summary>
 
-**直接下载** 从 [GitHub Releases](https://github.com/OpenCoworkAI/open-codesign/releases)：
+| 管理器 | 命令 | 状态 |
+|---|---|---|
+| Homebrew Cask（macOS）| `brew install --cask opencoworkai/tap/open-codesign` | 🟡 Tap 待建 —— 模板见 [`packaging/homebrew/`](./packaging/homebrew/) |
+| winget（Windows）| `winget install OpenCoworkAI.OpenCoDesign` | 🟡 首次提交待处理 —— 模板见 [`packaging/winget/`](./packaging/winget/) |
+| Flathub（Linux）| `flatpak install flathub ai.opencowork.codesign` | 🟡 Flathub 提交待处理 —— 模板见 [`packaging/flatpak/`](./packaging/flatpak/) |
+| Snap（Linux）| `snap install --dangerous open-codesign-*.snap` | 🟡 每次 release 尽力附带；尚未推到 Snap Store |
 
-| 平台 | 文件 |
-|---|---|
-| macOS（Apple Silicon）| `open-codesign-*-arm64.dmg` |
-| macOS（Intel）| `open-codesign-*.dmg` |
-| Windows（x64 / arm64）| `open-codesign-*-setup.exe` |
-| Linux | `open-codesign-*.AppImage` |
+一旦配好对应的 tap / manifest / secret，CI 会在每次发版时自动开 PR —— 具体步骤见 `packaging/*/README.md`。
+</details>
 
 > **v0.1 说明：** 安装包暂未签名。macOS：右键 → 打开，或安装后在终端执行 `xattr -d com.apple.quarantine /Applications/open-codesign.app`。Windows：SmartScreen → 更多信息 → 仍要运行。
 > 需要已验证的构建？请从源码自行编译，参见 [CONTRIBUTING.md](./CONTRIBUTING.md)。

apps/desktop/electron-builder.yml

@@ -22,6 +22,7 @@ mac:
   hardenedRuntime: true
   gatekeeperAssess: false
   notarize: false
+  artifactName: ${productName}-${version}-${arch}.${ext}
   target:
     - target: dmg
       arch: [arm64, x64]
@@ -47,6 +48,7 @@ dmg:
       path: /Applications
 win:
   icon: resources/icon.ico
+  artifactName: ${productName}-${version}-${arch}-setup.${ext}
   target:
     - target: nsis
       arch: [x64, arm64]
@@ -55,7 +57,21 @@ nsis:
   allowToChangeInstallationDirectory: true
 linux:
   icon: resources/icon.png
+  # Hardcode `x64` (not ${arch}) because electron-builder substitutes ${arch}
+  # differently per Linux target convention (AppImage → x86_64, deb → amd64,
+  # rpm → x86_64). SmartDownload.vue + Homebrew cask + Flatpak manifest all
+  # reference `-x64.ext`; picking a fixed literal keeps them in sync. We
+  # only ship one Linux arch, so this is safe until we add arm64.
+  artifactName: ${productName}-${version}-x64.${ext}
   target:
     - target: AppImage
       arch: [x64]
+    # Snap is built in a separate, best-effort CI step (see
+    # .github/workflows/release.yml) because snapcraft on ubuntu-latest
+    # is heavyweight and occasionally flakes. The target config below is
+    # used when that step invokes `electron-builder --linux snap`.
   category: Graphics
+snap:
+  grade: stable
+  confinement: strict
+  summary: Prompt → polished HTML prototypes, slide decks, and marketing assets.

apps/desktop/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-codesign/desktop",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "private": true,
   "type": "module",
   "main": "./out/main/index.js",

apps/desktop/src/renderer/src/components/ModelSwitcher.tsx

@@ -69,13 +69,13 @@ export function ModelSwitcher({ variant }: ModelSwitcherProps) {
   const providerLabel = activeProviderRow?.label ?? provider;
 
   async function switchModel(model: string) {
-    if (!window.codesign || model === currentModel) {
+    if (!window.codesign || !provider || model === currentModel) {
       setOpen(false);
       return;
     }
     try {
       const next = await window.codesign.settings.setActiveProvider({
-        provider: provider!,
+        provider,
         modelPrimary: model,
       });
       setConfig(next);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "open-codesign",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "private": true,
   "description": "Open-source AI design tool — prompt to interactive prototype, slide deck, and marketing assets. Multi-model, BYOK, runs on your laptop.",
   "license": "Apache-2.0",

packages/artifacts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-codesign/artifacts",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "private": true,
   "type": "module",
   "main": "./src/index.ts",

packages/artifacts/src/parser.ts

@@ -176,7 +176,6 @@ export function createArtifactParser() {
  *                 must hold back from `start` and wait for more input
  *   - `none`:     no candidate; caller may flush the entire buffer as text
  */
-// biome-ignore lint/complexity/noExcessiveCognitiveComplexity: quote-aware tag scanning is inherently branchy; splitting hurts clarity
 function findOpenTag(buffer: string): OpenTagMatch {
   let from = 0;
   while (from <= buffer.length) {