Add native Windows tray setup

[vincentkoc]

Summary

• add a native Windows notification-area companion under Windows/ with a provider snapshot/command probe contract
• add self-contained Windows build/publish/installer scripting plus Inno Setup packaging
• wire Windows CI/release artifacts, including Azure Trusted Signing hooks matching the OpenClaw Windows certificate profile
• document Windows setup and surface it in README/changelog

Verification

• git diff --check
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/release-cli.yml"); puts "yaml ok"'
• autoreview branch pass: clean on 3bee2abf20c316298ae68066731e2074bd81b335
• fork CI: https://github.com/vincentkoc/CodexBar/actions/runs/27071976339 success on 3bee2abf20c316298ae68066731e2074bd81b335
  • Windows tray (win-x64): test, publish, installer, artifact upload passed
  • Windows tray (win-arm64): test, publish, installer, artifact upload passed
  • lint-build-test, build-linux-cli (linux-x64), and build-linux-cli (linux-arm64) passed
• uploaded run artifacts: codexbar-windows-win-x64, codexbar-windows-win-arm64
• visual proof: launched CodexBar.Windows.exe from the codexbar-windows-win-x64 CI artifact on Crabbox AWS Windows desktop lease cbx_37c447e51894

Screenshots

Screenshots are cropped to omit cloud host metadata.

Proof bundle gist: https://gist.github.com/vincentkoc/4eb0d10435048a7590fd0928d40103d2

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 7, 2026, 6:21 AM ET / 10:21 UTC.

Summary
The PR adds a native Windows notification-area companion, Windows provider probe settings, Windows tests, build/installer scripts, CI/release artifact jobs, and Windows documentation.

Reproducibility: not applicable. as a user bug; this is a new platform feature. The review blockers are source-reproducible from the PR files: the signing fallbacks are in the workflows, and first-run settings enable sample data.

Review metrics: 2 noteworthy metrics.

• Changed surface: 26 files, 2354 additions, 2 deletions. The PR adds a new platform app, installer, documentation, tests, and automation rather than a narrow menu-bar patch.
• Workflow surface: 2 workflows changed. CI and release automation would begin building, signing, packaging, and uploading Windows artifacts.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦐 gold shrimp
Patch quality: 🦪 silver shellfish
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted proof for installer or launch plus a real provider probe path; screenshots, recording, terminal output, linked artifacts, or logs are acceptable after removing private details.
• Remove non-CodexBar Azure signing fallbacks and require explicit repository-owned signing variables.
• Disable or clearly label sample provider data so first run cannot look like real quota status.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.

Mantis proof suggestion
A visible Windows desktop proof would materially help verify the installer, tray menu, and configured provider-probe behavior before maintainers take on the platform surface. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify the Windows artifact or installer launches, opens the tray menu, and shows a configured real provider probe with private details redacted.

Risk before merge

• [P1] Merging this changes CodexBar from a macOS-first desktop app with a community Windows option into a first-party Windows release surface that maintainers need to explicitly own.
• [P2] The Windows signing workflow can attempt official artifact signing with non-CodexBar fallback account/profile names when repository variables are missing.
• [P1] The current proof shows tray UI, but not installer behavior or a clearly real provider probe path, so the broad release surface is not fully demonstrated.
• [P1] The GitHub context reports the PR merge state as dirty, so maintainers need a refreshed merge result before merge readiness can be trusted.

Maintainer options:

1. Harden Windows release ownership before merge (recommended)
   Remove non-CodexBar signing fallbacks, require explicit signing variables, disable sample quota data, refresh the dirty branch, and rerun Windows CI plus proof before maintainers reconsider merge.
2. Approve Windows as a first-party platform
   Maintainers can intentionally accept the support and release burden after confirming who owns Windows packaging, signing, documentation, and installer validation.
3. Pause first-party bundling
   If Windows support is not ready to become a maintained release surface, close or replace this with a narrower PR for documented external integration or probe-contract exploration.

Next step before merge

• [P1] The remaining work includes contributor proof and maintainer platform/release approval, so it is not a safe autonomous repair lane even though two code issues are concrete.

Security
Needs attention: The diff adds Windows signing/release automation, and the current fallback account/profile names are not safe for official release signing.

Review findings

• [P1] Require CodexBar-owned signing configuration — .github/workflows/release-cli.yml:267-268
• [P2] Disable sample quota data on first run — Windows/CodexBar.Windows.Core/WindowsSettings.cs:79-84

Review details

Best possible solution:

Require CodexBar-owned signing configuration, disable or clearly mark sample data, collect redacted proof for installer plus real provider-probe behavior, and then have maintainers explicitly approve whether Windows artifacts belong in first-party releases.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a user bug; this is a new platform feature. The review blockers are source-reproducible from the PR files: the signing fallbacks are in the workflows, and first-run settings enable sample data.

Is this the best way to solve the issue?

No; the current PR is not the best merge-ready solution until signing fails closed to CodexBar-owned config, sample data cannot look live, and maintainers explicitly accept the Windows release surface.

Full review comments:

• [P1] Require CodexBar-owned signing configuration — .github/workflows/release-cli.yml:267-268
  The release workflow falls back to hanselman / WindowsEdgeLight when repository variables are missing, so official Windows artifacts could be signed against a non-CodexBar account/profile or fail in a surprising way. Please make these values explicit required CodexBar-owned variables in both Windows signing jobs.
  Confidence: 0.9
• [P2] Disable sample quota data on first run — Windows/CodexBar.Windows.Core/WindowsSettings.cs:79-84
CreateDefault enables the Codex provider while pointing it at codex.sample.json, which makes a fresh install display fake healthy quota data as if it were live provider status. The sample should be disabled or unmistakably marked as sample-only until the user configures a real probe.
  Confidence: 0.87

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1583d6cc1005.

Label changes

Label changes:

• add proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦐 gold shrimp and patch quality is 🦪 silver shellfish.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P2: This is a normal-priority feature with substantial release and platform review needs but no current emergency impact.
• merge-risk: 🚨 compatibility: First-party Windows support changes documented platform expectations and release artifacts for existing users.
• merge-risk: 🚨 security-boundary: The PR adds executable signing paths tied to Azure credentials and certificate profiles.
• merge-risk: 🚨 automation: The PR changes CI and release workflows that build, package, sign, and upload artifacts.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦐 gold shrimp and patch quality is 🦪 silver shellfish.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. Screenshots show the Windows tray menu and tooltip from a CI artifact, but they do not show installer behavior or a real provider probe source beyond configured local values; add redacted proof and update the PR body for re-review.

Evidence reviewed

Security concerns:

• [medium] Signing defaults use a non-CodexBar profile — .github/workflows/release-cli.yml:267
  Release signing should fail closed unless CodexBar-owned Azure signing account and certificate profile variables are configured; otherwise a missing repository variable can route signing to the hard-coded fallback names.
  Confidence: 0.9

What I checked:

• Repository policy read: AGENTS.md was read fully; it emphasizes small changes, existing scripts/package manager, release-script care, and PR proof expectations relevant to this broad Windows release change. (AGENTS.md:1, 1583d6cc1005)
• Vision sign-off boundary: VISION.md says new features, package/toolchain changes, maintenance complexity, and release/data-storage changes need sign-off, which applies to adding a first-party Windows tray, installer, settings file, and release artifacts. (VISION.md:15, 1583d6cc1005)
• Current platform positioning: Current main describes CodexBar as a macOS 14+ menu bar app and points Windows users to a community Win-CodexBar project rather than first-party Windows desktop support. (README.md:14, 1583d6cc1005)
• No current Windows implementation: Current main has no Windows directory or Windows tray implementation, so the PR is not obsolete or implemented on main. (1583d6cc1005)
• Signing fallback blocker: The PR release workflow still defaults Azure signing to the non-CodexBar account/profile names hanselman and WindowsEdgeLight instead of requiring explicit CodexBar-owned variables. (.github/workflows/release-cli.yml:267, 3bee2abf20c3)
• Sample provider blocker: The first-run Windows settings create an enabled Codex provider pointing at codex.sample.json, so the tray can show sample quota data as live provider status. (Windows/CodexBar.Windows.Core/WindowsSettings.cs:79, 3bee2abf20c3)

Likely related people:

• Peter Steinberger: Current README Windows positioning and the CI/release workflow files are attributed to the latest release commit in local history, making this the strongest routing signal for first-party platform and release decisions. (role: recent release and platform-surface contributor; confidence: high; commits: 723734ef3422; files: README.md, .github/workflows/ci.yml, .github/workflows/release-cli.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[vincentkoc]

Added Windows visual proof.

• launched CodexBar.Windows.exe from CI artifact codexbar-windows-win-x64 produced by successful run 27071976339 at 3bee2abf20c316298ae68066731e2074bd81b335
• captured on Crabbox AWS Windows desktop lease cbx_37c447e51894
• screenshots are cropped to omit cloud host metadata

Proof bundle gist: https://gist.github.com/vincentkoc/4eb0d10435048a7590fd0928d40103d2