Add native Windows tray setup

[vincentkoc]

Summary

• add a native Windows notification-area companion under Windows/ with a provider snapshot/command probe contract
• add self-contained Windows build/publish/installer scripting plus Inno Setup packaging
• wire Windows CI/release artifacts, including Azure Trusted Signing hooks matching the OpenClaw Windows certificate profile
• document Windows setup and surface it in README/changelog

Verification

• git diff --check
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/release-cli.yml"); puts "yaml ok"'
• autoreview branch pass: clean on 3bee2abf20c316298ae68066731e2074bd81b335
• fork CI: https://github.com/vincentkoc/CodexBar/actions/runs/27071976339 success on 3bee2abf20c316298ae68066731e2074bd81b335
  • Windows tray (win-x64): test, publish, installer, artifact upload passed
  • Windows tray (win-arm64): test, publish, installer, artifact upload passed
  • lint-build-test, build-linux-cli (linux-x64), and build-linux-cli (linux-arm64) passed
• uploaded run artifacts: codexbar-windows-win-x64, codexbar-windows-win-arm64
• visual proof: launched CodexBar.Windows.exe from the codexbar-windows-win-x64 CI artifact on Crabbox AWS Windows desktop lease cbx_37c447e51894

Screenshots

Screenshots are cropped to omit cloud host metadata.

Proof bundle gist: https://gist.github.com/vincentkoc/4eb0d10435048a7590fd0928d40103d2

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 7, 2026, 6:21 AM ET / 10:21 UTC.

Summary
The PR adds a native Windows notification-area companion, Windows provider probe settings, Windows tests, build/installer scripts, CI/release artifact jobs, and Windows documentation.

Reproducibility: not applicable. as a user bug; this is a new platform feature. The review blockers are source-reproducible from the PR files: the signing fallbacks are in the workflows, and first-run settings enable sample data.

Review metrics: 2 noteworthy metrics.

• Changed surface: 26 files, 2354 additions, 2 deletions. The PR adds a new platform app, installer, documentation, tests, and automation rather than a narrow menu-bar patch.
• Workflow surface: 2 workflows changed. CI and release automation would begin building, signing, packaging, and uploading Windows artifacts.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦐 gold shrimp
Patch quality: 🦪 silver shellfish
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted proof for installer or launch plus a real provider probe path; screenshots, recording, terminal output, linked artifacts, or logs are acceptable after removing private details.
• Remove non-CodexBar Azure signing fallbacks and require explicit repository-owned signing variables.
• Disable or clearly label sample provider data so first run cannot look like real quota status.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.

Mantis proof suggestion
A visible Windows desktop proof would materially help verify the installer, tray menu, and configured provider-probe behavior before maintainers take on the platform surface. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify the Windows artifact or installer launches, opens the tray menu, and shows a configured real provider probe with private details redacted.

Risk before merge

• [P1] Merging this changes CodexBar from a macOS-first desktop app with a community Windows option into a first-party Windows release surface that maintainers need to explicitly own.
• [P2] The Windows signing workflow can attempt official artifact signing with non-CodexBar fallback account/profile names when repository variables are missing.
• [P1] The current proof shows tray UI, but not installer behavior or a clearly real provider probe path, so the broad release surface is not fully demonstrated.
• [P1] The GitHub context reports the PR merge state as dirty, so maintainers need a refreshed merge result before merge readiness can be trusted.

Maintainer options:

1. Harden Windows release ownership before merge (recommended)
   Remove non-CodexBar signing fallbacks, require explicit signing variables, disable sample quota data, refresh the dirty branch, and rerun Windows CI plus proof before maintainers reconsider merge.
2. Approve Windows as a first-party platform
   Maintainers can intentionally accept the support and release burden after confirming who owns Windows packaging, signing, documentation, and installer validation.
3. Pause first-party bundling
   If Windows support is not ready to become a maintained release surface, close or replace this with a narrower PR for documented external integration or probe-contract exploration.

Next step before merge

• [P1] The remaining work includes contributor proof and maintainer platform/release approval, so it is not a safe autonomous repair lane even though two code issues are concrete.

Security
Needs attention: The diff adds Windows signing/release automation, and the current fallback account/profile names are not safe for official release signing.

Review findings

• [P1] Require CodexBar-owned signing configuration — .github/workflows/release-cli.yml:267-268
• [P2] Disable sample quota data on first run — Windows/CodexBar.Windows.Core/WindowsSettings.cs:79-84

Review details

Best possible solution:

Require CodexBar-owned signing configuration, disable or clearly mark sample data, collect redacted proof for installer plus real provider-probe behavior, and then have maintainers explicitly approve whether Windows artifacts belong in first-party releases.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a user bug; this is a new platform feature. The review blockers are source-reproducible from the PR files: the signing fallbacks are in the workflows, and first-run settings enable sample data.

Is this the best way to solve the issue?

No; the current PR is not the best merge-ready solution until signing fails closed to CodexBar-owned config, sample data cannot look live, and maintainers explicitly accept the Windows release surface.

Full review comments:

• [P1] Require CodexBar-owned signing configuration — .github/workflows/release-cli.yml:267-268
  The release workflow falls back to hanselman / WindowsEdgeLight when repository variables are missing, so official Windows artifacts could be signed against a non-CodexBar account/profile or fail in a surprising way. Please make these values explicit required CodexBar-owned variables in both Windows signing jobs.
  Confidence: 0.9
• [P2] Disable sample quota data on first run — Windows/CodexBar.Windows.Core/WindowsSettings.cs:79-84
CreateDefault enables the Codex provider while pointing it at codex.sample.json, which makes a fresh install display fake healthy quota data as if it were live provider status. The sample should be disabled or unmistakably marked as sample-only until the user configures a real probe.
  Confidence: 0.87

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1583d6cc1005.

Label changes

Label changes:

• add proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦐 gold shrimp and patch quality is 🦪 silver shellfish.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P2: This is a normal-priority feature with substantial release and platform review needs but no current emergency impact.
• merge-risk: 🚨 compatibility: First-party Windows support changes documented platform expectations and release artifacts for existing users.
• merge-risk: 🚨 security-boundary: The PR adds executable signing paths tied to Azure credentials and certificate profiles.
• merge-risk: 🚨 automation: The PR changes CI and release workflows that build, package, sign, and upload artifacts.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦐 gold shrimp and patch quality is 🦪 silver shellfish.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.

Evidence reviewed

Security concerns:

• [medium] Signing defaults use a non-CodexBar profile — .github/workflows/release-cli.yml:267
  Release signing should fail closed unless CodexBar-owned Azure signing account and certificate profile variables are configured; otherwise a missing repository variable can route signing to the hard-coded fallback names.
  Confidence: 0.9

What I checked:

• Repository policy read: AGENTS.md was read fully; it emphasizes small changes, existing scripts/package manager, release-script care, and PR proof expectations relevant to this broad Windows release change. (AGENTS.md:1, 1583d6cc1005)
• Vision sign-off boundary: VISION.md says new features, package/toolchain changes, maintenance complexity, and release/data-storage changes need sign-off, which applies to adding a first-party Windows tray, installer, settings file, and release artifacts. (VISION.md:15, 1583d6cc1005)
• Current platform positioning: Current main describes CodexBar as a macOS 14+ menu bar app and points Windows users to a community Win-CodexBar project rather than first-party Windows desktop support. (README.md:14, 1583d6cc1005)
• No current Windows implementation: Current main has no Windows directory or Windows tray implementation, so the PR is not obsolete or implemented on main. (1583d6cc1005)
• Signing fallback blocker: The PR release workflow still defaults Azure signing to the non-CodexBar account/profile names hanselman and WindowsEdgeLight instead of requiring explicit CodexBar-owned variables. (.github/workflows/release-cli.yml:267, 3bee2abf20c3)
• Sample provider blocker: The first-run Windows settings create an enabled Codex provider pointing at codex.sample.json, so the tray can show sample quota data as live provider status. (Windows/CodexBar.Windows.Core/WindowsSettings.cs:79, 3bee2abf20c3)

Likely related people:

• Peter Steinberger: Current README Windows positioning and the CI/release workflow files are attributed to the latest release commit in local history, making this the strongest routing signal for first-party platform and release decisions. (role: recent release and platform-surface contributor; confidence: high; commits: 723734ef3422; files: README.md, .github/workflows/ci.yml, .github/workflows/release-cli.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[vincentkoc]

Added Windows visual proof.

• launched CodexBar.Windows.exe from CI artifact codexbar-windows-win-x64 produced by successful run 27071976339 at 3bee2abf20c316298ae68066731e2074bd81b335
• captured on Crabbox AWS Windows desktop lease cbx_37c447e51894
• screenshots are cropped to omit cloud host metadata

Proof bundle gist: https://gist.github.com/vincentkoc/4eb0d10435048a7590fd0928d40103d2

[steipete]

Thanks for the substantial prototype. Closing this draft in its current form: it establishes a new first-party platform, release pipeline, installer, and signing burden without an approved Windows ownership plan. The current branch also falls back to unrelated signing identities and enables sample quota data that can look live on fresh installs. A new proposal would need explicit platform ownership, CodexBar-owned signing, real provider and installer proof, and a current-main implementation.