chore(devex): CI 加 mac 矩阵 + version-triplet 校验 + bump-version.sh

[appergb]

User description

针对审查反馈 #1 / #3 / #4 的工程基建改进。

A. CI 加 mac 矩阵 + version 校验

`.github/workflows/ci.yml` 从单一 `windows-tauri` 1 job 改成 matrix：

• macos-latest: cargo check + npm run build（验证 mac 端跨平台编译）
• windows-latest: 原 preflight + ps1 tokenize + cargo check + npm run build
• 新校验：version triplet 一致性 — 一旦 package.json / tauri.conf.json / Cargo.toml drift 立刻 CI fail

B. .gitignore 兜底

• `promo-openless-v2/`（已实测出现在 untracked）
• `node_modules/` + `dist/` + `target/` 全局兜底
• `.cargo/registry/` + `.cargo/git/`

C. `scripts/bump-version.sh`（新文件）

1 个参数（X.Y.Z），sed 同步 3 处版本号 + cargo update -p openless 同步 Cargo.lock。已 dry-run 测试过，输出三处版本号一致 + 后续 git 操作建议。

```
./scripts/bump-version.sh 1.2.21
```

跨 macOS sed / GNU sed 兼容（-i.bak 然后 rm）。

E2E 测试（审查反馈 #2）

单独立 issue，本 PR 不动。E2E 工程量大（Playwright + Tauri WebView2/WebKit driver + CI mock mic/hotkey），需要单独 sprint。

Test plan

• `scripts/bump-version.sh` dry-run 通过
• CI macos-latest checks 通过
• CI windows-latest checks 通过
• CI version verify 通过（三处都是 1.2.20 应该 pass）

---

PR Type

Enhancement, Documentation

---

Description

• Add GitHub Actions matrix for macOS and Windows CI

• Introduce version consistency check across five files

• Add scripts/bump-version.sh for safe version synchronization

• Add comprehensive engineering audit report (docs/audit-2026-05-06.md)

---

Diagram Walkthrough

flowchart LR
  A["Pull Request"] -- "triggers" --> B["CI Matrix"]
  B -- "macOS-latest" --> C["macOS: cargo check + vite build"]
  B -- "windows-latest" --> D["Windows: preflight + cargo check + vite build"]
  C --> E["Version consistency check across 5 files"]
  D --> E
  F["scripts/bump-version.sh"] -- "synchronizes" --> G["package.json, package-lock.json, tauri.conf.json, Cargo.toml, Cargo.lock"]

Loading

File Walkthrough

	Relevant files
Tooling	bump-version.sh Add bump-version.sh for synchronized version bumps              scripts/bump-version.sh Add bash script to update version across all required locations Handle package.json, package-lock.json, tauri.conf.json, Cargo.toml, and Cargo.lock Use npm version, sed, and awk with cross‑platform (BSD/GNU) compatibility Include post‑update verification and git commit guidance +110/-0
Ci	ci.yml Expand CI to macOS matrix with version sync check                .github/workflows/ci.yml Replace single Windows job with matrix strategy targeting macOS and Windows Add conditional preflight and PowerShell tokenization steps Add frontend tsc + vite build and backend cargo check steps Add version consistency verification across all five version files +54/-5
Documentation	audit-2026-05-06.md Add comprehensive engineering audit report                              docs/audit-2026-05-06.md Add full‑stack engineering audit covering architecture, frontend bugs, and platform consistency Document backend issues like coordinator fragmentation and command‑layer business logic Analyze frontend animation bugs, XSS surface, and scroll interruptions Provide P0/P1/P2 recommendations for immediate and long‑term improvements +293/-0

---

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b997f5fca2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid GNU-only sed addressing in the macOS release helper

When this helper is run on macOS, the default BSD/POSIX sed does not accept the GNU-only 0,/.../ address range (GNU sed itself rejects it under --posix), so the script aborts while updating Cargo.toml. Because this is the version-bump path developers are likely to run from a Mac, use a portable range/awk/perl/node edit instead of 0, here.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Stop swallowing Cargo.lock update failures

If cargo update -p openless fails in this step, the trailing || true still lets the script continue and the later validation only checks Cargo.toml, not Cargo.lock. In that failure mode the helper prints success and suggests committing a stale lockfile version, which is exactly the release mismatch this script is meant to prevent.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include package-lock.json in version bumps

This helper updates package.json but never updates or stages openless-all/app/package-lock.json, even though the lockfile records the root package version and the repo release instructions require bumping it together with the other version fields. Running this script for a release can therefore leave package-lock.json on the previous version while the script reports the bump as complete.

Useful? React with 👍 / 👎.

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit 97fca4a)

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ❌ 1 - Not compliant Non-compliant requirements: Hold-to-talk recording mode 2 - Not compliant Non-compliant requirements: Hold-to-talk hotkey mode Pressed/released hotkey edge events Mode-aware DictationCoordinator handling Settings selector for recording mode Feature docs, build metadata, and tests 4 - Not compliant Non-compliant requirements: Free-form translation target language setting Shift-modified translation trigger Persisted translation target language preference Translate polish mode and prompt template Translation capsule UI label

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Version scope The Cargo.toml rewrite and validation both act on the first version = line they find. If src-tauri/Cargo.toml ever contains another version field before [package] (for example workspace metadata or a dependency table), the script can update the wrong value and still report success, leaving the package version out of sync. awk -v new="$NEW" ' !done && /^version = "[0-9]+\.[0-9]+\.[0-9]+"$/ { sub(/"[0-9]+\.[0-9]+\.[0-9]+"/, "\"" new "\"") done = 1 } { print } ' "$CARGO_TOML" > "$CARGO_TOML.tmp" mv "$CARGO_TOML.tmp" "$CARGO_TOML" # Cargo.lock：cargo update 显式同步 openless package；失败要立刻退出，不能吞错。 echo "▶ 同步 Cargo.lock" ( cd "$APP/src-tauri" && cargo update -p openless 2>&1 | tail -5 ) # 校验五处一致（package.json / package-lock.json / tauri.conf.json / Cargo.toml / Cargo.lock） echo echo "===== 验证版本一致性 =====" PKG=$(node -p "require('$PKG_JSON').version") LOCK_ROOT=$(node -p "require('$PKG_LOCK').version") LOCK_NESTED=$(node -p "require('$PKG_LOCK').packages[''].version") TAU=$(node -p "require('$TAURI_CONF').version") CRG=$(grep -E '^version = ' "$CARGO_TOML" | head -1 | sed -E 's/^version = "(.+)"$/\1/') CARGO_LOCK_VER=$(awk '/^name = "openless"$/{getline; if (match($0, /version = "([0-9.]+)"/, a)) {print a[1]; exit}}' "$CARGO_LOCK" 2>/dev/null \ || awk 'BEGIN{found=0} /^name = "openless"$/{found=1; next} found && /^version = /{gsub(/"/,""); print $3; exit}' "$CARGO_LOCK")

[github-actions]

Persistent review updated to latest commit 938c6a7

[appergb]

@codex 三个 P2 已全部采纳（commit 97fca4a）：

P2-A 修: BSD sed 兼容性 — Cargo.toml 替换从 GNU 0,/.../ 行号范围 改成 awk first-match 替换（mac BSD awk + GNU awk 都支持）

P2-B 修: cargo update 失败必须 fail — 删除 || true，让 set -euo pipefail 在失败时立刻退出；validate 也加上 Cargo.lock 校验

P2-C 修: package-lock.json 同步 — 原脚本只 sed package.json，现在用 npm version --no-git-tag-version --allow-same-version 一次更新两个文件（root + packages[''] 都同步）

ci.yml 的 verify step 也升级：从校验 3 处改为校验 5 处 一致：package.json / package-lock.json (root+nested) / tauri.conf.json / Cargo.toml / Cargo.lock 的 [openless] 包。

dry-run 已验证（用当前版本 1.2.20 跑一遍输出全部一致）。

[chatgpt-codex-connector]

To use Codex here, create an environment for this repo.

[github-actions]

Persistent review updated to latest commit 97fca4a