Harden provider UX and test git-smoke paths (#127)

BunsDev · web-flow · commit 27a30c5bd77e · 2026-03-31T20:04:33.000-05:00
* Centralize provider status copy and setup guidance

- Extract shared provider status presentation helpers
- Reuse headings, descriptions, and setup phase labels across chat UI
- Add tests for phase classification and auth-specific copy

* Pin Effect smol deps and fix custom theme parsing

- Add the shared Effect catalog override
- Merge theme vars directly when parsing Tweakcn JSON
- Remove an unused theme dialog import

* Disable Git signing in tests and harden theme root access

- Force `commit.gpgsign=false` in Git test helpers and fixtures
- Make theme application tolerate missing DOM root targets

* Resolve Electron binary in desktop smoke test

- Load Electron via `require("electron")` instead of a fixed `node_modules` path
- Fail fast with a clear error if the smoke test cannot launch Electron

* Add desktop release smoke test script

- Add a `release-smoke` script for the desktop app
- Expose a root `test:desktop-release-smoke` turbo command
- Register the new task in desktop turbo config

* Add marketing Turbo config and remove probe scripts

- Add a Turbo config for the marketing app's persistent preview task
- Drop obsolete Claude probe scripts from `scripts/package.json`

* Require signed desktop release artifacts

- Fail macOS release builds closed unless signing is enabled
- Add `--require-signed` to desktop artifact builder and document release behavior
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -208,7 +208,7 @@ jobs:
             printf '%s' "$APPLE_API_KEY" > "$key_path"
             export APPLE_API_KEY="$key_path"
             echo "macOS signing + notarization enabled."
-            args+=(--signed)
+            args+=(--signed --require-signed)
           elif [[ "${{ matrix.platform }}" == "win" ]]; then
             if has_all \
               "$AZURE_TENANT_ID" \
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
@@ -11,7 +11,8 @@
     "start": "bun run scripts/start-electron.mjs",
     "typecheck": "tsc --noEmit",
     "test": "vitest run --passWithNoTests",
-    "smoke-test": "node scripts/smoke-test.mjs"
+    "smoke-test": "node scripts/smoke-test.mjs",
+    "release-smoke": "node ../../scripts/release-smoke.ts"
   },
   "dependencies": {
     "effect": "catalog:",
diff --git a/apps/desktop/turbo.jsonc b/apps/desktop/turbo.jsonc
@@ -20,5 +20,9 @@
       "cache": false,
       "outputs": [],
     },
+    "release-smoke": {
+      "cache": false,
+      "outputs": [],
+    },
   },
 }
diff --git a/apps/marketing/turbo.jsonc b/apps/marketing/turbo.jsonc
@@ -0,0 +1,11 @@
+{
+  "$schema": "https://turbo.build/schema.json",
+  "extends": ["//"],
+  "tasks": {
+    "preview": {
+      "dependsOn": ["build"],
+      "cache": false,
+      "persistent": true,
+    },
+  },
+}
diff --git a/docs/release.md b/docs/release.md
@@ -2,7 +2,7 @@
 
 Canonical release process documentation for the OK Code project.
 
-**Last updated:** 2026-03-27
+**Last updated:** 2026-03-31
 
 ---
 
@@ -32,7 +32,7 @@ A release of OK Code produces:
 
 The **`okcodes` CLI npm package** is **not** published by CI; publish it manually when needed (see [npm publishing (CLI, manual)](#npm-publishing-cli-manual)).
 
-Releases follow Semantic Versioning and are triggered either by pushing a version tag (`v*.*.*`) or by manual workflow dispatch. Code signing is automatic when the required secrets are configured and is gracefully skipped otherwise.
+Releases follow Semantic Versioning and are triggered either by pushing a version tag (`v*.*.*`) or by manual workflow dispatch. macOS release builds fail closed unless signing and notarization are enabled. Windows signing is used when Azure Trusted Signing secrets are configured, and Linux AppImage builds remain unsigned.
 
 ---
 
@@ -272,7 +272,7 @@ To validate the release pipeline without shipping a real version:
 1. Create a test prerelease tag: `git tag v0.0.0-test.1`
 2. Push it: `git push origin v0.0.0-test.1`
 3. Wait for the workflow to complete.
-4. Verify the GitHub prerelease contains all platform artifacts.
+4. Verify the GitHub prerelease contains all expected platform artifacts.
 5. Delete the prerelease and tag when done.
 
 ---
@@ -309,9 +309,9 @@ The release workflow (`.github/workflows/release.yml`) runs five jobs:
 - Runs in parallel across platforms with `fail-fast: false` (one platform failing does not cancel others).
 - Aligns all workspace `package.json` versions to the release version via `scripts/update-release-package-versions.ts`.
 - Invokes `bun run dist:desktop:artifact` with `--platform`, `--target`, `--arch`, and `--build-version` flags.
-- Detects signing secrets per platform and passes `--signed` when all required secrets are present:
+- Requires signing only for macOS release artifacts and fails the job if the Apple signing secrets are incomplete:
   - **macOS:** Writes `APPLE_API_KEY` to a temporary `.p8` file at `$RUNNER_TEMP`.
-  - **Windows:** Uses Azure Trusted Signing via environment variables.
+  - **Windows:** Uses Azure Trusted Signing via environment variables when configured.
   - **Linux:** No code signing.
 - Collects release assets (`.dmg`, `.zip`, `.AppImage`, `.exe`, `.blockmap`, `latest*.yml`) into `release-publish/`.
 - Renames `latest-mac.yml` to `latest-mac-x64.yml` for the non-arm64 macOS build (prevents collision before merging).
diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
     "lint": "oxlint --report-unused-disable-directives",
     "test": "turbo run test",
     "test:desktop-smoke": "turbo run smoke-test --filter=@okcode/desktop",
+    "test:desktop-release-smoke": "turbo run release-smoke --filter=@okcode/desktop",
     "fmt": "oxfmt",
     "fmt:check": "oxfmt --check",
     "build:contracts": "turbo run build --filter=@okcode/contracts",
diff --git a/scripts/build-desktop-artifact.ts b/scripts/build-desktop-artifact.ts
@@ -73,6 +73,7 @@ interface BuildCliInput {
   readonly skipBuild: Option.Option<boolean>;
   readonly keepStage: Option.Option<boolean>;
   readonly signed: Option.Option<boolean>;
+  readonly requireSigned: Option.Option<boolean>;
   readonly verbose: Option.Option<boolean>;
 }
 
@@ -161,6 +162,7 @@ interface ResolvedBuildOptions {
   readonly skipBuild: boolean;
   readonly keepStage: boolean;
   readonly signed: boolean;
+  readonly requireSigned: boolean;
   readonly verbose: boolean;
 }
 
@@ -203,9 +205,14 @@ const BuildEnvConfig = Config.all({
   skipBuild: Config.boolean("OKCODE_DESKTOP_SKIP_BUILD").pipe(Config.withDefault(false)),
   keepStage: Config.boolean("OKCODE_DESKTOP_KEEP_STAGE").pipe(Config.withDefault(false)),
   signed: Config.boolean("OKCODE_DESKTOP_SIGNED").pipe(Config.withDefault(false)),
+  requireSigned: Config.boolean("OKCODE_DESKTOP_REQUIRE_SIGNED").pipe(Config.withDefault(false)),
   verbose: Config.boolean("OKCODE_DESKTOP_VERBOSE").pipe(Config.withDefault(false)),
 });
 
+function supportsReleaseSigning(platform: typeof BuildPlatform.Type): boolean {
+  return platform === "mac" || platform === "win";
+}
+
 const resolveBooleanFlag = (flag: Option.Option<boolean>, envValue: boolean) =>
   Option.getOrElse(Option.filter(flag, Boolean), () => envValue);
 const mergeOptions = <A>(a: Option.Option<A>, b: Option.Option<A>, defaultValue: A) =>
@@ -236,8 +243,22 @@ const resolveBuildOptions = Effect.fn("resolveBuildOptions")(function* (input: B
   const skipBuild = resolveBooleanFlag(input.skipBuild, env.skipBuild);
   const keepStage = resolveBooleanFlag(input.keepStage, env.keepStage);
   const signed = resolveBooleanFlag(input.signed, env.signed);
+  const requireSigned = resolveBooleanFlag(input.requireSigned, env.requireSigned);
   const verbose = resolveBooleanFlag(input.verbose, env.verbose);
 
+  if (requireSigned && !supportsReleaseSigning(platform)) {
+    return yield* new BuildScriptError({
+      message: `Signed desktop releases are not supported for platform '${platform}'.`,
+    });
+  }
+
+  if (requireSigned && !signed) {
+    return yield* new BuildScriptError({
+      message:
+        "This desktop artifact requires signing. Re-run with --signed after configuring the required signing secrets.",
+    });
+  }
+
   return {
     platform,
     target,
@@ -247,6 +268,7 @@ const resolveBuildOptions = Effect.fn("resolveBuildOptions")(function* (input: B
     skipBuild,
     keepStage,
     signed,
+    requireSigned,
     verbose,
   } satisfies ResolvedBuildOptions;
 });
@@ -851,6 +873,12 @@ const buildDesktopArtifactCli = Command.make("build-desktop-artifact", {
     ),
     Flag.optional,
   ),
+  requireSigned: Flag.boolean("require-signed").pipe(
+    Flag.withDescription(
+      "Fail closed unless the artifact is signed; supported for release macOS and Windows builds (env: OKCODE_DESKTOP_REQUIRE_SIGNED).",
+    ),
+    Flag.optional,
+  ),
   verbose: Flag.boolean("verbose").pipe(
     Flag.withDescription("Stream subprocess stdout (env: OKCODE_DESKTOP_VERBOSE)."),
     Flag.optional,
diff --git a/scripts/package.json b/scripts/package.json
@@ -4,8 +4,6 @@
   "type": "module",
   "scripts": {
     "prepare": "node -e \"process.exit(process.env.CI ? 0 : 1)\" || node ./patch-effect-language-service.ts",
-    "claude-fast-mode-probe": "bun run claude-fast-mode-probe.ts",
-    "claude-haiku-thinking-probe": "bun run claude-haiku-thinking-probe.ts",
     "typecheck": "tsc --noEmit",
     "test": "vitest run"
   },
