t41372
diff --git a/‎.github/ISSUE_TEMPLATE/config.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/ISSUE_TEMPLATE/config.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎RELEASE.md‎
Lines changed: 24 additions & 16 deletions b/‎RELEASE.md‎
Lines changed: 24 additions & 16 deletions
diff --git a/‎TESTING.md‎
Lines changed: 5 additions & 1 deletion b/‎TESTING.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎docs/plan/CHANGELOG.md‎
Lines changed: 15 additions & 0 deletions b/‎docs/plan/CHANGELOG.md‎
Lines changed: 15 additions & 0 deletions
@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Troubleshooting guide
-    url: https://github.com/t41372/BrowserHistoryBackup/blob/main/TROUBLESHOOTING.md
+    url: https://github.com/t41372/PathKeep/blob/main/TROUBLESHOOTING.md
     about: Start here for scheduler, permissions, keyring, remote backup, and derived-state troubleshooting.
   - name: Support guide
-    url: https://github.com/t41372/BrowserHistoryBackup/blob/main/SUPPORT.md
+    url: https://github.com/t41372/PathKeep/blob/main/SUPPORT.md
     about: Read the diagnostics and redaction checklist before filing a bug.
@@ -32,9 +32,9 @@ on:
           - windows
           - macos
       unsigned_preview:
-        description: Build unsigned preview bundles without updater artifacts
+        description: Build unsigned bundles without updater artifacts; use this for the Windows release path.
         required: true
-        default: false
+        default: true
         type: boolean
 
 permissions:
 
@@ -124,7 +124,7 @@ On top of that archive, PathKeep gives you powerful recall (full-text search, re
 Download the latest release from [GitHub Releases](https://github.com/t41372/PathKeep/releases).
 
 - **macOS:** open the `.dmg`, move `PathKeep.app` to `/Applications`, then open it. Safari Browser Direct import requires granting Full Disk Access to PathKeep before scanning Safari history.
-- **Windows:** Support is on the way. Build from source if you want to try it out right now. ~~install the release package. Scheduled backups use Windows Task Scheduler and remain preview-quality until more machines are validated.~~
+- **Windows:** install the unsigned `.msi` or `-setup.exe` release package. Windows will show `Unknown Publisher`, and SmartScreen may require **More info -> Run anyway** until PathKeep has publisher reputation. Scheduled backups use Windows Task Scheduler. The installer bundles the WebView2 offline installer, but Windows Server Core / headless Server environments are not valid GUI acceptance hosts.
 - **Linux:** Support is on the way. Build from source if you want to try it out right now. ~~install the `.AppImage`, `.deb`, or `.rpm` artifact. Linux scheduled-backup support is still preview/manual-review because desktop keyring and `systemd --user` behavior varies by distribution.~~
 
 ## Uninstall
@@ -206,7 +206,7 @@ Implemented browsers appear in discovery and archive data but are not yet in the
 | Platform | Status  | Notes                                                                                        |
 | -------- | ------- | -------------------------------------------------------------------------------------------- |
 | macOS    | Primary | Signed / notarized builds; Touch ID session unlock; Safari support requires Full Disk Access |
-| Windows  | Preview | MSI / NSIS builds available; code signing is maintainer-operated                             |
+| Windows  | Preview | Unsigned MSI / NSIS installers; `Unknown Publisher` is expected; Task Scheduler supported    |
 | Linux    | Preview | AppImage / `.deb` / `.rpm` builds available; keyring behavior varies by desktop environment  |
 
 ---
 
@@ -7,7 +7,7 @@ This is the contributor-facing release runbook. The implementation-level source
 | Platform | Channel | Policy                                                                                                                         |
 | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------ |
 | macOS    | Primary | External releases should be signed and notarized before public distribution.                                                   |
-| Windows  | Preview | CI builds installers, but maintainers must explicitly own the code-signing path they want to use.                              |
+| Windows  | Preview | CI builds unsigned MSI / NSIS installers. Code signing is optional future hardening, not a release blocker.                    |
 | Linux    | Preview | CI builds packages when host tooling is present; checksums are part of the release contract, signatures are not yet universal. |
 
 ## Browser Support Promise
@@ -18,15 +18,15 @@ This is the contributor-facing release runbook. The implementation-level source
 
 ## Artifact Matrix
 
-| Artifact                            | Produced By                   | Audience              | Notes                                                                                                           |
-| ----------------------------------- | ----------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------- |
-| Browser bundle                      | `bun run build`               | CI / local validation | Confirms the frontend bundle still builds.                                                                      |
-| Debug desktop binary                | `bun run desktop:build:debug` | Maintainers           | Used for pre-release smoke and packaging rehearsal.                                                             |
-| macOS `.app` / `.dmg`               | GitHub `Release` workflow     | Users                 | Signed / notarized only when Apple secrets are configured.                                                      |
-| Windows installers                  | GitHub `Release` workflow     | Users                 | MSI / NSIS outputs depend on the host bundle result; SmartScreen reputation depends on operator signing policy. |
-| Linux `.AppImage` / `.deb` / `.rpm` | GitHub `Release` workflow     | Users                 | Requires Linux packaging dependencies on the runner.                                                            |
-| `SHA256SUMS.txt`                    | GitHub `Release` workflow     | Users / operators     | Attached to every release.                                                                                      |
-| `RELEASE-MANIFEST.json`             | GitHub `Release` workflow     | Operators / support   | Lists released files, sizes, and checksums for traceability.                                                    |
+| Artifact                            | Produced By                   | Audience              | Notes                                                                                                                        |
+| ----------------------------------- | ----------------------------- | --------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| Browser bundle                      | `bun run build`               | CI / local validation | Confirms the frontend bundle still builds.                                                                                   |
+| Debug desktop binary                | `bun run desktop:build:debug` | Maintainers           | Used for pre-release smoke and packaging rehearsal.                                                                          |
+| macOS `.app` / `.dmg`               | GitHub `Release` workflow     | Users                 | Signed / notarized only when Apple secrets are configured.                                                                   |
+| Windows installers                  | GitHub `Release` workflow     | Users                 | Unsigned MSI / NSIS outputs bundle the WebView2 offline installer; `Unknown Publisher` and SmartScreen prompts are expected. |
+| Linux `.AppImage` / `.deb` / `.rpm` | GitHub `Release` workflow     | Users                 | Requires Linux packaging dependencies on the runner.                                                                         |
+| `SHA256SUMS.txt`                    | GitHub `Release` workflow     | Users / operators     | Attached to every release.                                                                                                   |
+| `RELEASE-MANIFEST.json`             | GitHub `Release` workflow     | Operators / support   | Lists released files, sizes, and checksums for traceability.                                                                 |
 
 ## Versioning Rules
 
@@ -83,6 +83,8 @@ Manual workflow inputs:
 - `draft`
 - `prerelease`
 - `release_tag` (optional explicit tag; defaults to `v<package.json version>`)
+- `platforms` (`all`, `linux-windows`, `linux`, `windows`, or `macos`)
+- `unsigned_preview` (default `true`; required for the unsigned Windows release path)
 
 Workflow behavior:
 
@@ -91,8 +93,9 @@ Workflow behavior:
 - generate the local size attribution bundle with `bun run release:size-audit`
 - resolves the tag and version up front
 - verifies version sync across the repo
-- builds release bundles on macOS, Windows, and Linux
-- builds updater artifacts and publishes `latest.json`
+- builds release bundles on the selected platform matrix
+- when `unsigned_preview=true`, builds unsigned bundles with `--no-sign`, disables updater artifacts, and skips `latest.json`
+- when `unsigned_preview=false`, builds updater artifacts and publishes `latest.json`
 - uploads assets to the GitHub Release
 - downloads the assets again
 - publishes `SHA256SUMS.txt`
@@ -117,7 +120,9 @@ Workflow behavior:
 - `TAURI_SIGNING_PRIVATE_KEY`
 - `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`
 
-The current Tauri config has `bundle.createUpdaterArtifacts=true`, so the `Release` workflow fails fast when `TAURI_SIGNING_PRIVATE_KEY` is not configured. Set the private key as a repository Actions secret before dispatching the workflow:
+The current Tauri config has `bundle.createUpdaterArtifacts=true`, so the `Release` workflow fails fast when `unsigned_preview=false` and `TAURI_SIGNING_PRIVATE_KEY` is not configured. Unsigned Windows installer builds use `unsigned_preview=true`; they do not need updater signing secrets and do not publish updater artifacts.
+
+Set the updater private key as a repository Actions secret only before dispatching an updater-enabled release:
 
 ```bash
 gh secret set TAURI_SIGNING_PRIVATE_KEY --repo t41372/PathKeep
@@ -126,13 +131,15 @@ gh secret set TAURI_SIGNING_PRIVATE_KEY_PASSWORD --repo t41372/PathKeep
 
 ### Windows Signing
 
-PathKeep does not hardcode a single Windows signing provider in repo config. If you want signed Windows releases, choose and wire one operator-owned path before GA:
+PathKeep's Windows release path is unsigned. The installer is expected to show `Unknown Publisher`, and SmartScreen may require the user to choose **More info -> Run anyway** until the project has publisher reputation.
+
+The CI release config must keep Windows buildable without Windows code-signing secrets. If maintainers later want signed Windows releases, wire that as an optional hardening path without making unsigned Windows installers fail:
 
 - certificate thumbprint in Tauri config
 - custom `signCommand`
 - Azure Trusted Signing / Azure Key Vault
 
-Until that is configured, Windows stays an explicit preview channel.
+Do not gate Windows preview support on any of those providers.
 
 ## Platform Validation
 
@@ -146,6 +153,7 @@ Every release rehearsal should cover:
 - Safari baseline backup after Full Disk Access is granted
 - schedule preview / install / verify / remove
 - Windows Task Scheduler apply / status / mismatch or not-installed / remove on a real Windows host or VM
+- Windows unsigned installer download, `Unknown Publisher` / SmartScreen prompt path, first launch, and reinstall / upgrade over an existing install
 - encrypted archive unlock and re-open
 - remote backup preview / execute / verify
 - upgrade or reinstall over existing data
@@ -179,7 +187,7 @@ If a release is bad:
 - Safari access on macOS still depends on Full Disk Access outside the app.
 - Firefox support is a history-only baseline in this release; Firefox favicons, downloads, keyword-search sidecars, and richer `moz_*` evidence remain future work.
 - ChatGPT Atlas / Perplexity Comet support remains scoped to the validated macOS browser-history profile layouts; Windows / Linux locations are not public release promises.
-- Windows SmartScreen reputation depends on maintainer signing policy and reputation, not just a successful CI build.
+- Windows installers are unsigned in the preview channel. SmartScreen reputation is not proof that the binary failed to build.
 - Linux keyring behavior varies by desktop environment; encrypted mode remains supported, but unattended unlock can degrade.
 - App Lock remains a session-only boundary; only macOS currently ships a real Touch ID unlock path.
 
 
@@ -12,7 +12,7 @@ bun run check
 
 `bun run check` is the authoritative per-commit checker. It runs:
 
-- `bun run check:base`: formatting, linting, i18n checks, type checking, unit tests, desktop-contract checks, Rust checks, supply-chain audit, and host-matched platform checks.
+- `bun run check:base`: formatting, linting, i18n checks, type checking, unit tests, desktop-contract checks, Rust checks, supply-chain audit, host-matched platform checks, and release-config drift checks.
 - `bun run coverage:js`: 100% statement / branch / function / line coverage for active frontend runtime source under `src/**/*.{ts,tsx}`.
 - `bun run coverage:rust`: 100% line + function coverage for full `src-tauri/**/src/*.rs` workspace source.
 - `bun run build`: TypeScript compile + Vite browser bundle.
@@ -27,6 +27,7 @@ Use these for release rehearsal and focused triage:
 ```bash
 bun run verify
 bun run check:base
+bun run release:check
 bun run coverage:js
 bun run coverage:rust
 bun run mutation:js
@@ -45,6 +46,7 @@ bun run test:e2e:desktop-bridge
 What they mean:
 
 - `bun run check:base`: fast static/unit/native triage path; it is not a signed-off merge gate by itself.
+- `bun run release:check`: focused release config guard for updater URLs, unsigned Windows installer workflow, offline WebView2 bundling, and support-link drift.
 - `bun run mutation:js`: desktop-contract Stryker gate used by `bun run check`.
 - `bun run mutation:js:full`: active frontend runtime Stryker sweep for manual / scheduled deep checks.
 - `bun run mutation:rust`: whole-workspace cargo-mutants deep sweep. Surviving mutants are failures unless a narrow equivalent/inapplicable exclusion is documented with evidence.
@@ -70,6 +72,7 @@ bun run test:unit:desktop-contract
 bun run coverage:js:desktop-contract
 bun run check:js
 bun run check:rust
+bun run release:check
 bun run mutation:js:desktop-contract
 bun run mutation:js:full
 bun run mutation:rust:quality
@@ -80,6 +83,7 @@ bun run mutation:rust:quality
 - Focused helpers do not replace `bun run check`.
 - The desktop-contract slice only protects `src/main.tsx` and `src/lib/ipc/bridge.ts`.
 - Browser-preview e2e does not verify native scheduler install, keyring integration, signing, notarization, or filesystem side effects. Windows Task Scheduler apply/status/remove must still be accepted on a real Windows host or VM even though the Rust unit slice uses a stubbed `schtasks` runner.
+- `bun run release:check` proves the release config still permits unsigned Windows installers and bundles the WebView2 offline installer; it does not prove a specific Windows host can launch the installer.
 - GitHub-hosted Windows runners currently validate the desktop surface with `desktop:build:debug`, `vault-platform` native-host tests, and frontend updater coverage. The `pathkeep-desktop` Rust test binary for updater/file-manager facades is skipped on Windows CI because the hosted runner fails before the test harness starts with a loader-level `STATUS_ENTRYPOINT_NOT_FOUND`; macOS/Linux still run those Rust facade tests.
 - Chrome desktop-bridge smoke verifies the typed desktop command facade from a real browser, but it still does not magically grant every Tauri guest API to Chrome. Treat it as an agent/dev-loop surface, not the final WebView plugin truth.
 - Platform validation for macOS / Windows / Linux lives in [RELEASE.md](./RELEASE.md) and [docs/plan/m4-full-polish/release-readiness-runbook.md](./docs/plan/m4-full-polish/release-readiness-runbook.md).
 
@@ -1248,3 +1248,18 @@
   - 2026-05-03 closeout：`archive/history.rs` 保留 public facade、mode dispatch、baseline/lexical/fuzzy/regex SQL 與 row shaping；pagination cursor/response helpers、lazy favicon hydration、export cursor-walk/rendering 已拆到 `archive/history/{pagination,favicons,export}.rs`。`history.rs` 從 `1229` 行降到 `729` 行，低於 1200 行 threshold；public API 與 SQL/ranking/cursor/export/favicon precedence contract 未改。
   - 同步回寫 [`docs/plan/history-read-surface-maintainability-review.md`](history-read-surface-maintainability-review.md)、[`docs/architecture/module-boundary-map.md`](../architecture/module-boundary-map.md)、[`docs/plan/STATUS.md`](STATUS.md)、[`docs/plan/BACKLOG.md`](BACKLOG.md) 與 [`docs/plan/CHANGELOG.md`](CHANGELOG.md)。
   - 驗收結果：targeted `cargo test --manifest-path src-tauri/Cargo.toml -p vault-core lexical_recall -- --test-threads=1`、`cargo test --manifest-path src-tauri/Cargo.toml -p vault-core archive::tests -- --test-threads=1`、Schedule Vitest regression slices、`cargo fmt --manifest-path src-tauri/Cargo.toml --all --check`、`git diff --check` 與 `bun run check` 通過。`bun run check` 中仍有既有 Vite `shared` chunk 超過 500 kB warning。
+
+- [x] **WORK-RELEASE-WINDOWS-UNSIGNED-A** — Unsigned Windows Installer Release Path
+  - 讀先：
+    `README.md`
+    `RELEASE.md`
+    `TESTING.md`
+    `docs/plan/program/quality-matrix.md`
+    `.github/workflows/release.yml`
+    `src-tauri/tauri.conf.json`
+  - 目標：撤回 Windows release 必須先有 code signing 的錯誤 gate，讓 v0.2 Windows 可以透過 GitHub `Release` workflow 產出 unsigned MSI / NSIS installer。
+  - 契約：不引入 Windows code-signing provider、不要求 PFX / Azure Trusted Signing / certificate thumbprint、不把 Windows release support 綁到 signing secret；unsigned release 必須明確告知 `Unknown Publisher` / SmartScreen prompt；如果需要 updater artifacts，仍由 updater minisign key 另行控制，不和 Windows installer code signing 混在一起。
+  - 2026-05-04 closeout：Git history 已回到 `64a89c33` 乾淨基底後重做本修復；錯誤 signing-gate commit 不再作為本 work block 的基底。`Release` workflow manual dispatch 預設 `unsigned_preview=true`，Windows platform option 保留，unsigned path 透過 `--no-sign --config src-tauri/ci.unsigned.conf.json` 關閉 updater artifacts；`src-tauri/tauri.conf.json` 固定 Windows WebView2 `offlineInstaller` 並 pin WiX `upgradeCode`，避免 Windows host 缺 WebView2 runtime 時只能依賴網路 bootstrap。Updater fallback / manifest endpoint、browser-preview fallback URL 與 GitHub issue support links 全部改回 `t41372/PathKeep`。
+  - 新增 `bun run release:check` 並納入 `check:base`，保護 PathKeep release URLs、unsigned Windows workflow、WebView2 offline installer、WiX upgrade code、support links，並防止 Windows signing gate / Azure signing script 被加回來。
+  - 同步回寫 [`README.md`](../../README.md)、[`RELEASE.md`](../../RELEASE.md)、[`TESTING.md`](../../TESTING.md)、[`docs/plan/program/quality-matrix.md`](program/quality-matrix.md)、[`docs/plan/STATUS.md`](STATUS.md) 與 [`docs/plan/CHANGELOG.md`](CHANGELOG.md)。
+  - 驗收結果：`ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml")'`、`jq empty src-tauri/tauri.conf.json package.json`、`node --check scripts/verify-release-config.mjs`、`bun run release:check`、`git diff --check` 與 `bun run check` 通過。