MSIX distribution hardening: AppInstaller updates and packaged setup launch

[indierawk2k2]

Simplifies the MSIX packaging PR while keeping the AppInstaller work:

• Restores the legacy Inno installer, portable ZIP, and Updatum release surfaces so this PR adds MSIX/AppInstaller without sunsetting existing distribution.
• Moves the tray MSIX to framework-dependent Windows App SDK packaging and publishes the matching Microsoft.WindowsAppRuntime.2 framework packages as AppInstaller dependencies.
• Fixes packaged first-run setup launch: SetupEngine is copied as a child payload, published framework-dependent with WindowsAppSdkBootstrapInitialize=false, XAML resources are injected after packaging, and the tray launches it directly with UseShellExecute=false.
• Keeps release signing/verification for both outer MSIX packages and inner executable/script payloads.

Validation completed locally:

• ./build.ps1
• dotnet test ./tests/OpenClaw.Shared.Tests/OpenClaw.Shared.Tests.csproj --no-restore
• dotnet test ./tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj --no-restore
• Real x64 Add-AppxPackage -Path install/launch validation with trusted test cert: tray launched and SetupEngine showed OpenClaw Setup.

Fresh fork test release assets are available at:
https://github.com/indierawk2k2/openclaw-windows-node/releases/tag/msix-production-feed-test-2026-05-27

[indierawk2k2]

Coverage gap found during PR creation flow — addressed in commit 9fdf999

Two new ghost Terminal frames appeared during the gh pr create invocation that opened this PR. Investigation:

Default terminal app on Win11 (the new default since 24H2) is Windows Terminal:

\
HKCU\Console%%Startup\DelegationConsole = {2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69} # Windows Terminal CLSID
\\

That means every console-spawning child process — gh, git, dotnet, fresh pwsh sessions, agent-driven tool invocations — allocates a Cascadia hosting frame. Most close cleanly when the child exits; a small fraction leak under timing conditions.

The cleanup we already shipped only fires from triggers we wired:

1. testhost lifetime (WinAppSdkGhostWindowCleanup [ModuleInitializer] + xUnit before/after attribute)
2. build.ps1 end-of-build hook

gh pr create matches neither. So those two ghosts were structurally outside our coverage — not a logic bug, a coverage gap.

Fix (commit 9fdf999)

Added two new modes to scripts/cleanup-ghost-windows.ps1 for sessions where the wired triggers aren't enough:

• -Daemon [-PollSeconds N] — foreground watcher (default 30s, range 5..3600). Use when you're about to do a lot of shell work; Ctrl+C to stop.
• -InstallScheduledTask — registers a hidden 5-minute task under the current user (no admin needed, idempotent). Uninstall with -UninstallScheduledTask.

Validated install/uninstall round-trip on the test box. Filter logic, close-message sequence, and the 1000×500 safety guard are unchanged — only invocation modes are new.

AGENTS.md updated to explicitly call out the Win11-default-terminal-app trigger and the new escalation paths. GhostWindowCleanupScriptContractTests gains 5 new assertions pinning all four switch names and the scheduled-task name.

Where this leaves the PR

The PR can't fix the underlying Windows Terminal / ConPTY leak (that's a Microsoft-owned bug). What it can do — and now does — is ship a thorough recovery story across the full leak surface:

Source of ghost	Caught by
Tray test process lifetime	WinAppSdkGhostWindowCleanup (in-process)
msbuild MSIX packaging	build.ps1 end-of-build hook
gh / git / ad-hoc shell work	-Daemon or -InstallScheduledTask (developer opt-in)
Killed-with-Ctrl+C testhost	One-shot scripts/cleanup-ghost-windows.ps1 (manual)
CI runner	CI VMs are ephemeral; build.ps1 hook keeps the runner clean for the job's lifetime

Validation after the fix: ./build.ps1 OK, Shared.Tests 1776 / 28 skipped, Tray.Tests 1144 passed (+5). PR is now at 15 commits.

Recommendation for reviewers / your collaborator who's about to do heavy shell work on this branch: ./scripts/cleanup-ghost-windows.ps1 -InstallScheduledTask once, then forget about it (or use -Daemon for the duration of a single session).

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 28, 2026, 1:58 AM ET / 05:58 UTC.

Summary
The PR adds MSIX/AppInstaller release/feed automation, packaged SetupEngine launch support, payload signing/verification, MSIX recovery scripts, and related docs/tests while preserving the existing installer and portable release channels.

Reproducibility: yes. for the review finding: source inspection shows the packaged manual-update branch returns before the existing dialog-rendering switch runs. The broader distribution behavior still needs real Windows proof for the signed release paths.

Review metrics: 3 noteworthy metrics.

• Changed Surface: 55 files, +4891/-363. The patch spans release automation, app runtime behavior, manifests, scripts, docs, and tests, so maintainers should treat it as a distribution change rather than a narrow code fix.
• Workflow Surface: 1 workflow added, 1 workflow changed. Release and feed automation changes can affect signing, published assets, and automatic client updates outside normal unit-test coverage.
• Validation Scripts: 8 scripts added, 1 script changed, 1 script removed. The release process now depends on new PowerShell packaging, signing, rendering, validation, and smoke-test scripts.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🦐 gold shrimp
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Show visible packaged update-check results for Current, Failed, Available, and Ready states.
• Post current-head proof for signed AppInstaller install/update/uninstall and ARM64 behavior, with private data redacted.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR has useful x64 install/setup-launch logs, but it still needs current-head proof for signed AppInstaller update/uninstall and ARM64 install/update behavior; redact private data before posting proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] Packaged users can still see no obvious response from the tray-menu update check when the AppInstaller feed is current, unavailable, invalid, or failed because the packaged branch only updates AppState and returns.
• [P1] The branch changes install, first-launch setup, signing, AppInstaller feed, and stable-feed automation behavior that normal unit tests cannot fully validate.
• [P1] The proof is strong for iterative x64 setup-launch debugging, but it does not yet cover current-head signed AppInstaller update/uninstall behavior or ARM64 install/update behavior.

Maintainer options:

1. Fix Packaged Update Feedback First (recommended)
   Add a visible packaged AppInstaller result surface for Current, Failed, Available, and Ready outcomes before merging.
2. Accept Release-Path Risk Deliberately
   Maintainers can choose to land with the current proof gap only if they explicitly own follow-up validation for signed AppInstaller update/uninstall and ARM64 behavior.
3. Pause Until Full Matrix Proof
   Keep the draft paused until the contributor posts current-head proof for the signed AppInstaller install, update, uninstall, and ARM64 paths.

Next step before merge

• [P1] Human review is needed because contributor real-behavior proof and release-path signoff remain required even though the update-feedback code defect is narrow.

Security
Cleared: Security-sensitive packaging and signing surfaces were inspected; no concrete secret leak or supply-chain vulnerability was found, though maintainer release-path review remains important.

Review findings

• [P1] Show a result for packaged update checks — src/OpenClaw.Tray.WinUI/App.xaml.cs:3611-3614

Review details

Best possible solution:

Land the MSIX/AppInstaller work only after packaged update checks surface explicit results and maintainers have current-head proof for the signed install/update/uninstall paths on the supported architectures.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding: source inspection shows the packaged manual-update branch returns before the existing dialog-rendering switch runs. The broader distribution behavior still needs real Windows proof for the signed release paths.

Is this the best way to solve the issue?

No: the packaging direction may be right, but the packaged update-check path should reuse or add an explicit visible result surface instead of only mutating AppState.

Full review comments:

• [P1] Show a result for packaged update checks — src/OpenClaw.Tray.WinUI/App.xaml.cs:3611-3614
  For packaged builds this returns immediately after CheckForPackagedAppInstallerUpdateAsync(), so the existing Current/Failed dialog handling below never runs. A tray-menu click can still appear to do nothing when the feed is current, 404s, is invalid, or otherwise fails unless the user already has a status-observing hub surface open.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.84

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6a5921883c86.

Label changes

Label justifications:

• P2: This is significant Windows distribution work with limited blast radius to install/update paths and no active emergency signal.
• merge-risk: 🚨 compatibility: The PR changes MSIX install/update behavior and release assets while preserving legacy installer and portable channels.
• merge-risk: 🚨 security-boundary: The diff touches MSIX full-trust capabilities, startup task registration, toast COM activation, inner payload signing, and release credentials.
• merge-risk: 🚨 availability: A bad package, runtime dependency, SetupEngine launch, or AppInstaller feed can leave the tray or first-run setup unavailable after install.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦐 gold shrimp and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR has useful x64 install/setup-launch logs, but it still needs current-head proof for signed AppInstaller update/uninstall and ARM64 install/update behavior; redact private data before posting proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

Acceptance criteria:

• [P1] ./build.ps1.
• [P1] dotnet test ./tests/OpenClaw.Shared.Tests/OpenClaw.Shared.Tests.csproj --no-restore.
• [P1] dotnet test ./tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj --no-restore.

What I checked:

• Repository policy read: AGENTS.md was read fully; its validation requirements and Windows-node guidance were treated as review policy, while build/tests were not run because this review is read-only. (AGENTS.md:1, 6a5921883c86)
• Packaged update path skips visible dialogs: The packaged branch in CheckForUpdatesUserInitiatedAsync awaits CheckForPackagedAppInstallerUpdateAsync and returns before the existing Current/Failed dialog switch runs. (src/OpenClaw.Tray.WinUI/App.xaml.cs:3611, e697b5be95a2)
• Tray menu exposes the affected action: The tray menu routes the Check for Updates action directly to CheckForUpdatesUserInitiatedAsync, so this can be hit without any status-observing hub page open. (src/OpenClaw.Tray.WinUI/Services/TrayMenuStateBuilder.cs:308, e697b5be95a2)
• Existing feedback behavior provenance: Current main's manual update feedback path was introduced around commit f3d3fd2, which added user feedback to Check for Updates; the PR's packaged branch bypasses that same result-dialog pattern. (src/OpenClaw.Tray.WinUI/App.xaml.cs:3542, f3d3fd2772f3)
• Release and packaging surface inspected: The diff touches release workflows, AppInstaller feed generation, MSIX signing, SetupEngine packaging, manifests, update services, and recovery CLI behavior across 55 files. (e697b5be95a2)
• Proof discussion reviewed: The PR body and comments include useful x64 Add-AppxPackage/setup-launch validation and fork release assets, but the current-head proof still does not cover the signed AppInstaller update/uninstall path and ARM64 install/update behavior. (e697b5be95a2)

Likely related people:

• Regis Brid: Git blame and -S history tie the existing manual Check for Updates result-dialog behavior to commit f3d3fd2, which is the path the PR bypasses for packaged builds. (role: introduced current update-feedback behavior; confidence: high; commits: f3d3fd2772f3; files: src/OpenClaw.Tray.WinUI/App.xaml.cs)
• ranjeshj: Current main history shows recent work on SetupEngine and CI release/signing surfaces that overlap the MSIX packaging and setup-launch changes. (role: recent setup and release-area contributor; confidence: high; commits: cefce3952ab1, ed126f2aac6d, 6bd98858e618; files: src/OpenClaw.SetupEngine.UI/Program.cs, .github/workflows/ci.yml)
• shanselman: Current history shows adjacent signing and App.xaml.cs work, making this a reasonable routing candidate for release-surface review. (role: adjacent release/signing contributor; confidence: medium; commits: bd21cd9c547c, 0d4fcbd50ad5; files: .github/workflows/ci.yml, src/OpenClaw.Tray.WinUI/App.xaml.cs)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[indierawk2k2]

Hanselman adversarial review completed after master resync + production MSIX cleanup

Models:

• Opus: claude-opus-4.6
• Codex: gpt-5.2-codex

Consensus table

Issue	Opus	Codex	Consensus	Fix confidence	Outcome
Tray WinUiStartupGate retried 0x80040111 but not observed transient E_FAIL / 0x80004005 while SetupEngine retried both	MEDIUM	MEDIUM	HIGH	95%	Fixed in b1a3922
SetupEngine startup breadcrumbs logged raw command-line args	LOW	—	LOW	90%	Fixed in b1a3922 by applying the same redaction shape as tray startup breadcrumbs
Prerelease MSIX/AppInstaller versions may not be monotonic for x64 alpha builds	—	HIGH	LOW / disputed	70%	Deferred: stable feed updates are explicitly blocked for prerelease tags in appinstaller-feed-pr.yml; alpha channel policy is intentionally undecided
Prerelease MSIX/AppInstaller versions may not be monotonic for ARM64 alpha builds	—	HIGH	LOW / disputed	70%	Deferred for the same reason as x64; if/when alpha AppInstaller feeds are enabled, the fourth MSIX version segment needs a monotonic prerelease policy

Fixes made

• b1a3922 fix(msix): align tray WinUI startup retry
  • Tray startup retry now treats 0x80004005 as transient, matching SetupEngine's observed XAML startup failure set.
  • Added tests for E_FAIL retry and non-retry of unrelated COM errors.
  • SetupEngine startup breadcrumbs now redact command-line arguments before writing setup-engine-startup.log.

Production prep completed

• Branch resynced with origin/master via merge commit de004ee.
• Production MSIX/AppInstaller cleanup committed in 31b88c3:
  • stable feed workflow requires production-named release assets (OpenClawCompanion-$versionText-win-x64.msix, OpenClawCompanion-$versionText-win-arm64.msix);
  • temporary color-channel artifact terminology removed from the committed PR diff;
  • release-flow tests pin production naming and Azure Trusted Signing MSIX signing.

Validation after review fixes

• ./build.ps1 passed
• Shared tests: 2022 passed / 29 skipped
• Tray tests: 929 passed

[ranjeshj]

Thanks @indierawk2k2 for putting this together. We're going to abandon this draft in favor of #732, which is the newer updated version of this work.