chore: promote dev/v0.2 to main

Promote dev/v0.2 as the new mainline after selected main backfills, with additional security-scan hardening from the promotion PR. CodeQL was treated as advisory for this migration PR; CI and packaging smoke passed.

Author: hqhq1025

.Codex/environments/environment.toml

@@ -0,0 +1,11 @@
+# THIS IS AUTOGENERATED. DO NOT EDIT MANUALLY
+version = 1
+name = "codesign"
+
+[setup]
+script = ""
+
+[[actions]]
+name = "运行"
+icon = "run"
+command = "pnpm install && pnpm dev"

.Codex/workspace/agents_md_v2_update_plan.md

@@ -0,0 +1,33 @@
+# AGENTS.md v2 Update Plan
+
+## Goal
+
+Update `AGENTS.md` so Codex agents follow the latest v0.2 plan instead of the stale `CLAUDE.md` copy.
+
+## Sources Read
+
+- `CLAUDE.md`
+- `AGENTS.md`
+- `docs/VISION.md`
+- `docs/PRINCIPLES.md`
+- `docs/v0.2-plan.md`
+
+## Steps
+
+1. Identify stale CLAUDE/AGENTS content. - complete
+2. Rewrite `AGENTS.md` around v0.2 agentic workspace decisions. - complete
+3. Validate for stale references and whitespace issues. - complete
+
+## Findings
+
+- `CLAUDE.md` and current `AGENTS.md` still describe Open CoDesign mainly as a prompt-to-artifact app rather than a local design agent.
+- They still point design history at SQLite, while v0.2 moves sessions to pi JSONL and files to real workspaces.
+- They say pi-ai gaps should become `packages/providers` extensions, but the pi spike says provider/session/capability/bash should be handed to pi-coding-agent.
+- They hard-code some stack versions; `AGENTS.md` should tell agents to read manifests for exact versions.
+- Latest plan: design equals pi session, every design has a workspace, no sealed/open mode, no project abstraction in v0.2.
+- Validation found no stale old phrases for `better-sqlite3`, old provider-extension guidance, hardcoded React/Vite versions, or old storage wording.
+- `git diff --no-index --check /dev/null AGENTS.md` produced no whitespace warnings.
+
+## Errors
+
+- First stale-phrase search used a shell command with unescaped backticks in the pattern. That triggered command substitution. Re-ran with `rg -e` patterns and no backticks.

.Codex/workspace/core_fail_fast_audit.md

@@ -0,0 +1,17 @@
+# Issue Triage Findings
+
+## Project Context Read
+- `docs/VISION.md`: open-codesign is a local-first Electron app for prompt-to-design artifacts, with all model support routed through `pi-ai`.
+- `docs/PRINCIPLES.md`: keep features lean, lazy-load heavy capabilities, avoid silent fallbacks, and ensure public/persistent contracts are versioned.
+- Current branch is `dev/v0.2`, ahead of `origin/dev/v0.2` by 4 commits.
+- `AGENTS.md` is untracked in the working tree.
+
+## Issue Context
+- Recent provider-related issues cluster around provider capability profiles (#206), wire/role/reasoning policy (#207), diagnostics parity (#216), and model discovery modes (#210).
+- Gemini-specific bug #175 was closed by merged PR #186, which strips `models/` from Gemini OpenAI-compatible model IDs at the provider wire boundary.
+- #175 has a recent follow-up comment: a user confirms the issue still persists in the latest version for Google Gemini models.
+- PR #186 review comments identified a separate flaw: Gemini endpoint detection was initially too broad, and even after a follow-up was still host-only rather than requiring an OpenAI-compatible `/openai` path.
+- Issue #229 is separate but related provider compatibility work: self-signed TLS and `developer` role rejection by Bedrock-like OpenAI-compatible backends.
+- Local code contains the #186 fix in `packages/providers/src/index.ts`, but the live v0.2 generation path uses `packages/core/src/agent.ts::buildPiModel`.
+- `buildPiModel` currently sets `id: model.modelId` directly and `reasoning: true` for every provider/wire. This bypasses Gemini `models/` stripping and can also force developer/reasoning behavior on OpenAI-compatible custom providers.
+- This explains why #175 can remain visible after being closed: title/legacy provider calls were patched, but the agent runtime path still sends the old model ID shape.

.Codex/workspace/full_review_root_fix_plan.md

@@ -0,0 +1,21 @@
+# Issue Triage Plan
+
+## Goal
+Review recent GitHub issue activity for open-codesign, identify still-active problems in recently closed issues, and fix the Gemini-related issue if it is reproducible from the codebase.
+
+## Phases
+- [complete] Gather issue context from GitHub, focusing on recent comments and Gemini-related threads.
+- [complete] Map the issue symptoms to local code paths and reproduce or explain the bug.
+- [complete] Implement the smallest aligned fix with tests if code changes are needed.
+- [complete] Run targeted verification and summarize remaining risks.
+
+## Project Constraints
+- Model calls must go through `@mariozechner/pi-ai`; no direct provider SDK imports in app code.
+- Use `pnpm`, Vitest, Biome, and strict TypeScript.
+- Keep changes lean, local-first, and scoped.
+
+## Errors Encountered
+| Error | Attempt | Resolution |
+|---|---|---|
+| Vitest startup failed because `@rolldown/binding-darwin-arm64` is missing from `node_modules`. | Ran targeted provider/core tests. | Reinstall dependencies with `pnpm i`, then rerun targeted tests. |
+| Initial targeted Vitest command matched no files because package-relative paths were required. | Used workspace-root paths with `pnpm --filter`. | Reran with `pnpm --dir packages/... exec vitest run src/...`; tests executed and passed. |

.Codex/workspace/issue_triage_findings.md

@@ -0,0 +1,16 @@
+# Issue Triage Progress
+
+## Session Log
+- Started issue triage for recent GitHub activity, with emphasis on Gemini-related problems that may remain after a closed issue.
+- Read project vision and engineering principles before making changes.
+- Queried recent GitHub issue activity and Gemini-specific threads.
+- Confirmed #175 has a recent "still persists" comment after its closing fix PR #186.
+- Traced local model construction and found the likely bypass in the live agent runtime.
+- Patched Gemini URL detection and agent-runtime model construction; added provider/core regression tests.
+
+## Verification
+- `pnpm --dir packages/providers exec vitest run src/gemini-compat.test.ts src/index.test.ts` — 2 files, 36 tests passed.
+- `pnpm --dir packages/core exec vitest run src/agent.test.ts` — 1 file, 25 tests passed.
+- `pnpm typecheck` — passed across workspace.
+- `pnpm lint` — passed after fixing provider export ordering.
+- `git diff --check` on touched source/test files — passed.

.Codex/workspace/issue_triage_plan.md

@@ -0,0 +1,35 @@
+# PR Review Bot Update Plan
+
+## Goal
+
+Update the Codex PR review bot so public PR reviews do not cite private/internal docs as evidence and do not rely on stale model knowledge for version-sensitive claims.
+
+## Constraints Read
+
+- `docs/VISION.md`
+- `docs/PRINCIPLES.md`
+- `docs/COLLABORATION.md`
+- `CLAUDE.md`
+- `AGENTS.md`
+
+## Plan
+
+1. Complete context scan of the bot workflow and prompt. - complete
+2. Edit `.github/prompts/codex-pr-review.md` with public-evidence and fresh-version rules. - complete
+3. Check the edited prompt for consistency with the workflow. - complete
+4. Run lightweight validation on changed files. - complete
+
+## Findings
+
+- Bot is configured by `.github/workflows/codex-pr-review.yml`.
+- Main behavior lives in `.github/prompts/codex-pr-review.md`.
+- `docs/` is explicitly gitignored/internal; public contributors cannot see those files.
+- Current prompt names internal docs as "Key docs" and asks the bot to load/cite them, which can make public reviews point at files contributors cannot access.
+- Current prompt states version facts like "Electron 33+" directly, which can go stale as dependencies move.
+- Updated prompt now distinguishes public context from internal-only context.
+- Updated prompt requires repository/package metadata first, and public authoritative sources when needed, before version-sensitive findings.
+- `git diff --check` passed.
+
+## Errors
+
+None so far.

.Codex/workspace/issue_triage_progress.md

@@ -0,0 +1,12 @@
+# Preview Blank Fix Plan
+
+## Hypothesis
+
+Root cause: workspace file preview can render a JSX-backed `index.html` through the runtime, but `FilesTabView` does not subscribe to sandbox `IFRAME_ERROR` messages, so runtime failures appear as a blank canvas and the model/user workaround becomes adding React/Babel CDN scripts directly to `index.html`.
+
+## Tasks
+
+- [ ] Add regression coverage for HTML + `text/babel` preview and file-tab iframe error handling.
+- [ ] Wire `FilesTabView` iframe messages through the same trusted `IFRAME_ERROR` path as `PreviewPane`.
+- [ ] Tighten prompt/output guidance so generated `index.html` stays host-runtime source, not standalone CDN HTML.
+- [ ] Run focused tests.

.Codex/workspace/pr_review_bot_update_plan.md

@@ -0,0 +1,12 @@
+# Session History Restore Plan
+
+## Root Cause
+
+`window.codesign.chat.*` in `apps/desktop/src/preload/index.ts` is a v0.2 TODO stub. It returns empty lists and resolves appends in memory, so renderer chat rows are never persisted or reloaded.
+
+## Plan
+
+1. [x] Restore persisted chat IPC channels in main using the existing chat message helpers.
+2. [x] Point preload chat methods at those IPC channels.
+3. [x] Add IPC regression coverage for append/list, snapshot seeding, and tool status updates.
+4. [x] Run the focused desktop main-process tests.