feat(settings): add microphone device selection#1
Open
sora520 wants to merge 55 commits into
Open
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
…18n) Co-authored-by: Cursor <cursoragent@cursor.com>
Reset combo-based shortcut monitors when entering shortcut recording to avoid stuck held states, and enforce cross-action hotkey conflict checks so one binding cannot trigger multiple actions. Co-authored-by: Cursor <cursoragent@cursor.com>
Fix Windows hotkey dispatch to return a bool in custom-trigger path and keep user preference serde mappings in sync by including chinese_script_preference. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Provider credentials should follow the platform credential-store threat model instead of continuing normal plaintext JSON writes. The vault now stores the existing multi-provider credentials payload in the OS credential store, migrates the legacy JSON file only when the vault has no entry, removes the legacy file after a successful write, and keeps raw credential IPC restricted to the main settings window. Constraint: User explicitly chose Keychain/Credential Manager/Linux keyring for issue Open-Less#230. Constraint: Preserve the existing provider schema and active-provider routing with minimal frontend churn. Rejected: Keep plaintext JSON as the documented product choice | user rejected this direction. Rejected: Split every credential field into separate vault entries | larger migration surface and risks losing active provider state. Confidence: medium Scope-risk: moderate Directive: Security-model and storage-strategy choices must be confirmed with the user before implementation. Tested: cargo check --manifest-path src-tauri/Cargo.toml; npm run -s build; git diff --check; grep for stale plaintext/Keychain fallback wording. Not-tested: Manual migration on macOS Keychain, Windows Credential Manager, or Linux desktop keyring. Related: Open-Less#230
The OS vault migration keeps provider state as one logical JSON payload, but Windows Credential Manager limits each credential blob. Store the logical payload as a manifest plus bounded chunks so long API keys, multiple providers, or extra headers do not make future saves fail on Windows. Constraint: Windows Credential Manager generic credential blob is capped and keyring stores passwords as UTF-16 on Windows. Rejected: Split each provider field into independent vault entries | broader schema rewrite and more migration surface than needed for this review fix. Confidence: high Scope-risk: narrow Directive: Keep the legacy plaintext credentials.json path migration-only; do not add compatibility for transient PR-internal vault formats unless the release shipped them. Tested: cargo check --manifest-path src-tauri/Cargo.toml Tested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit Tested: npm run -s build Tested: git diff --check Not-tested: Live Windows Credential Manager write with oversized real provider payload. Related: Open-Less#230
Users upgrading from the plaintext credentials file should not lose access to existing settings just because the OS vault backend is temporarily unavailable or migration cannot be written. Keep the old file migration-only, but return its contents as the compatibility source when vault reads or writes fail. Constraint: credentials.json remains a legacy compatibility source only, not the normal write target. Rejected: Return defaults on vault read/write errors | hides existing upgrade data and makes configured providers appear empty. Confidence: high Scope-risk: narrow Directive: Do not reintroduce plaintext writes; fallback reads are only for pre-PR legacy migration compatibility. Tested: cargo check --manifest-path src-tauri/Cargo.toml Tested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit Tested: npm run -s build Tested: git diff --check Not-tested: Manual vault-unavailable upgrade run on Windows/macOS/Linux. Related: Open-Less#230
Credential vault saves now write a fresh generation of chunks before switching the manifest, so failed chunk writes or crashes do not overwrite chunks still referenced by the previous manifest. The same change also migrates documented per-account vault entries into the chunked manifest before falling back to legacy JSON. Constraint: Windows Credential Manager requires chunking, and legacy credentials may exist either as plaintext JSON or documented per-account vault entries. Rejected: Overwrite stable chunk names before manifest update | can mix old and new payloads after partial writes. Confidence: high Scope-risk: narrow Directive: Treat the manifest as the commit pointer; write new-generation chunks before updating it and delete old chunks only after manifest write succeeds. Tested: cargo check --manifest-path src-tauri/Cargo.toml Tested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit Tested: npm run -s build Tested: git diff --check Not-tested: Manual crash injection during OS vault writes. Related: Open-Less#230
The migration path must prefer the current legacy JSON source over older per-account vault leftovers, clean those leftovers after a valid manifest is available, and avoid write operations overwriting a damaged or unreadable vault payload with fallback defaults. Constraint: credentials.json is migration-only, but it was the previous Tauri source of truth.\nRejected: Use read fallback for mutating updates | can overwrite unreadable vault data with defaults.\nConfidence: high\nScope-risk: narrow\nDirective: Mutating credential operations must propagate chunked vault read errors instead of saving fallback roots.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual migration with simultaneous JSON and stale per-account vault entries.\nRelated: Open-Less#230
Vault migration should not silently report success when credentials were written to the OS vault but the previous plaintext credentials file could not be removed. Propagating that cleanup error on write/update paths makes the remaining plaintext exposure visible instead of treating the migration as complete. Constraint: credentials.json is allowed only as a migration source, not a durable fallback after a successful vault write.\nRejected: Keep deletion best-effort only | can leave plaintext credentials indefinitely with no user-visible failure.\nConfidence: high\nScope-risk: narrow\nDirective: Do not hide legacy plaintext deletion failures on credential write paths.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual permission-denied legacy file cleanup on installed apps.\nRelated: Open-Less#230
Linux credential storage must survive reboot after the legacy plaintext file is removed. The keyring linux-native feature uses kernel keyutils, so the Linux build now enables the persistent Secret Service-backed combo and the migration read fallback also considers older per-account vault entries when a current manifest is unreadable. Constraint: credentials.json must be removed after successful vault migration.\nConstraint: keyring linux-native/keyutils is an in-memory cache across reboot.\nRejected: Keep plaintext JSON as Linux fallback | violates the vault storage boundary.\nConfidence: high\nScope-risk: moderate\nDirective: Linux credential storage must remain persistent if legacy plaintext cleanup is enforced.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual Secret Service read/write on a desktop Linux keyring session.\nRelated: Open-Less#230
Legacy per-account vault migration must be all-or-nothing. If one old entry is temporarily unreadable, saving the readable subset and deleting the original entries can silently drop the failed secret, so update-path migration now aborts on any legacy vault read error while the non-mutating read fallback remains conservative. Constraint: migration cleanup deletes old per-account vault entries after saving the chunked manifest.\nRejected: Migrate the readable subset | can discard an unreadable legacy secret before retry.\nConfidence: high\nScope-risk: narrow\nDirective: Do not remove legacy per-account vault entries unless every legacy account read completed without error.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual transient per-account vault read failure during upgrade.\nRelated: Open-Less#230
When the current legacy credentials.json source wins migration, older per-account vault entries should not remain as stale fallback data. After the JSON payload is successfully written to the chunked vault and plaintext cleanup succeeds, the migration now removes those older per-account entries as well. Constraint: credentials.json is the previous Tauri source of truth and must win over stale Swift-era vault entries.\nRejected: Leave per-account entries for fallback | keeps stale secrets reachable after successful migration.\nConfidence: high\nScope-risk: narrow\nDirective: Clean old per-account vault entries after any successful authoritative migration source is saved.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual upgrade with both credentials.json and stale per-account vault entries.\nRelated: Open-Less#230
Credential writes should not fail only because an old migration source cannot be deleted. Once current vault data is readable and writable, legacy plaintext cleanup remains best-effort and logged so users can still save or remove credentials even if credentials.json is locked or read-only.\n\nThe rebase also brought the new Japanese and Korean locale files onto this branch, so the credential storage notice key is filled there to keep the frontend type contract intact.\n\nConstraint: credentials.json is obsolete migration data after vault write.\nRejected: Propagate legacy JSON deletion failures on every vault save | blocks credential updates despite a valid vault.\nConfidence: high\nScope-risk: narrow\nDirective: Do not make credential updates depend on deleting legacy plaintext files.\nTested: cargo check --manifest-path src-tauri/Cargo.toml\nTested: cargo test --manifest-path src-tauri/Cargo.toml credential_payload_chunks_stay_under_windows_blob_limit\nTested: npm run -s build\nTested: git diff --check\nNot-tested: Manual locked/read-only credentials.json cleanup.\nRelated: Open-Less#230
Windows smoke scripts should no longer fail solely because credentials.json was migrated into the OS credential vault. The default suite now runs runtime startup without the obsolete JSON gate, and explicit legacy JSON checks warn instead of blocking vault-backed test machines.\n\nConstraint: Provider credentials now live in the OS credential vault after migration.\nRejected: Query Windows Credential Manager from smoke scripts | larger platform-specific parsing surface for a smoke gate that only needs to avoid the obsolete JSON blocker.\nConfidence: high\nScope-risk: narrow\nDirective: Do not make Windows smoke defaults depend on migrated plaintext credentials.json.\nTested: git diff --check\nTested: Python sanity check for conflict markers in edited PowerShell scripts\nNot-tested: PowerShell parser unavailable in this Linux environment.\nRelated: Open-Less#230
…tial-storage-model 对齐凭据存储策略与威胁模型
审查反馈:
1. CI 缺质量门禁 — 仅 windows-latest 1 job,mac 端 cargo check 路径
无 PR-time 验证,每次 release-tauri.yml 才暴露平台问题
2. .gitignore 不全 — promo-openless-v2/ 反复出现在 git status;
node_modules / dist / target 没全局兜底
3. 版本号同步风险 — package.json + tauri.conf.json + Cargo.toml 三处
人工改,每次发版都担心漏一处
改动:
A. .github/workflows/ci.yml
- 单一 windows-tauri job → matrix(macos-latest + windows-latest)
- mac job:cargo check + npm run build 验证跨平台编译
- Windows job:保留原 preflight + ps1 tokenize
- 新加 step:Verify version triplet stays in sync(两端都跑)—
一旦 package.json / tauri.conf.json / Cargo.toml 三处 drift 立刻
fail,给发版工程加 long-running guard
B. .gitignore
- 加 promo-openless-v2/(已实测出现在 untracked)
- 加 node_modules/ + dist/ + target/ 全局兜底(避免某子目录漏配
时 build artifact 进 PR)
- 加 .cargo/registry / .cargo/git 兜底
C. scripts/bump-version.sh(新文件)
- 1 个参数(X.Y.Z),sed 同步改 3 个文件 + cargo update -p openless
同步 Cargo.lock
- 验证三处一致后输出后续 git 操作建议
- 跨 macOS sed / GNU sed 兼容(-i.bak 后 rm)
下次发版:./scripts/bump-version.sh 1.2.21 一行搞定。
未来 PR 漏改版本号 CI 立刻 fail,不需要靠人记忆。
完整工程审计报告(系统化逐项检查): - 后端架构总评 + 5 个 P1/P2 优化点(coordinator/commands 拆分等) - 前端 4 个 UI bug(tab 切换竞态、流式滚动打断 QA 等) - 工程化水平评估 + 4 条改善(CI 门禁 / E2E / gitignore / 版本号) → 其中 3 条已在本 PR 实现(CI matrix + gitignore + bump-version 脚本) - 多端逻辑与体验一致性表(macOS vs Windows 平台差异 vs 行为一致性) - UI/后端 IPC 1:1 映射校验(全部命令前后端对齐 ✓) - 改进建议汇总:P0 无;P1 5 项;P2 6 项 - 总结:项目整体健康,建议下迭代处理 coordinator 拆分 + 前端动画竞态 把这份基线纳入 git,让 main 留下 v1.2.20→v1.2.21 这一阶段的工程现状 锚点,后续审计有 baseline 对照。
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
87dc426 to
bf85f97
Compare
Owner
Author
|
@codex review pr |
Codex 在 PR Open-Less#294 上提了 3 个 P2,全部采纳: P2-A: BSD sed 不支持 GNU 行号范围 0,/.../ 原 sed -E -i.bak "0,/^version = .../s//.../" 在 macOS 默认 BSD sed 上 会 fail。换成 awk first-match 替换(mac BSD awk + GNU awk 都支持)。 P2-B: Cargo.lock 同步失败被 `|| true` 吞了 原 cargo update -p openless ... || true 会让脚本继续,validate 又只 校验 Cargo.toml 不校验 Cargo.lock。删 || true,让 set -euo pipefail 在 cargo update fail 时立刻退出;同时 validate 加 Cargo.lock 校验。 P2-C: package-lock.json 未跟着同步 npm 把 root version 也存在 package-lock.json 里(root + packages[''] 两处)。原脚本只 sed package.json 不更 lock,会让 npm ci 在 CI 出现 EUSAGE。换成 npm version --no-git-tag-version --allow-same-version 一次更两个文件。 ci.yml 的 verify step 也升级到校验 5 处一致: package.json / package-lock.json root+nested / tauri.conf.json / Cargo.toml / Cargo.lock 的 [openless] 包。 dry-run 已验证(用当前版本 1.2.20 跑一遍输出全部一致)。
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bf85f973a5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…nd-version-bump chore(devex): CI 加 mac 矩阵 + version-triplet 校验 + bump-version.sh
主要修复 ───────── - fix(windows): TSF DLL 静态链接 CRT,防 host 进程(QQ 等)私有 MSVCP140 劫持导致切微软拼音崩溃 0xc0000005(PR Open-Less#287 + Open-Less#289 + Codex P1 review)。 - fix(windows): 移除 DisableThreadLibraryCalls — /MT 下 CRT 需要 thread attach/detach 通知做 per-thread TLS 清理,禁用反而触发崩溃。 - fix(recording): 录音条出现时 mic 已 capture,按 Option 不再吞开头 字。emit Recording 加 race 检查避免短按时覆盖 stop/cancel UI 信号。 - fix(startup): splash 透明背景 + 卡片化,避免长启动时左半白屏。 - fix(vault): keyring chunks 用稳定 account name —— macOS Keychain Always-Allow 不再因 UUID 轮换失效;不再每次 load 都尝试删 9 个 legacy entries 触发 ACL 弹窗(与 PR Open-Less#277 一起)。 新功能 ───────── - feat(security): 凭据从 plaintext JSON 迁移到平台 credential vault (macOS Keychain / Windows Credential Manager / Linux libsecret)。 Windows 2560 byte 限制下用 chunked storage;partial-write safe。 legacy 多源迁移完成后自动清理(PR Open-Less#277)。 工程 ───────── - chore(ci): 暂时搁置 macos-13(Intel mac)matrix —— GH Actions runner pool 紧张到每次 dispatch queue 1-2h(已观测 4 次)。Apple Silicon 用户 dmg 仍发;Intel mac 用户保留 v1.2.20 dmg + Rosetta 说明(issue Open-Less#299)。 - chore(devex): CI 加 macOS 矩阵 + 5-way 版本号一致性校验 + scripts/bump-version.sh 一行同步 5 处版本号。.gitignore 加 promo-openless-v2 / node_modules / dist / target 全局兜底(PR Open-Less#294)。 - docs: docs/audit-2026-05-06.md 工程审计基线,覆盖架构 / UI bug / 多端一致性 / IPC 1:1 校验 / P0/P1/P2 改进路径。 - chore: 9 个改进 issue (Open-Less#295-Open-Less#303) 跟踪 audit 列出的所有 P1/P2/P3 问题。
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
bf85f97 to
476a8f5
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 476a8f5502
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
476a8f5 to
d19da6c
Compare
Owner
Author
|
@codex review pr |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d19da6c82d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…inset fix(capsule): center Windows pill within shadow inset
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
d19da6c to
310ca7c
Compare
Owner
Author
|
@codex review pr |
|
Codex Review: Didn't find any major issues. Another round soon, please! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
310ca7c to
c24c72c
Compare
💡 Codex Reviewopenless/openless-all/app/src-tauri/src/persistence.rs Lines 534 to 538 in c24c72c  Write credential chunks atomically before swapping manifest
Saving credentials now overwrites stable chunk keys ( ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
feat: add configurable shortcut bindings
PR Open-Less#236 合并后两处后续修复: 1. ja.ts / ko.ts 缺 PR 引入的 7 个 comboRecord* 键和 1 个 triggers.custom 键,导致 main 的 npm run build 直接 TS 报错。 补齐后 tsc 通过。 2. SelectionAsk 划词追问页:触发快捷键卡片把"右上角状态徽标 + 下方启用按钮"换成与 Style 页一致的右上角 36×20 toggle; 保存历史卡片同步从底部 44×24 开关改成右上角同款 toggle。 抽出 CardHeaderToggle 复用,跟 design_handoff Style 页对齐。
…ectionask-ui fix(i18n,ui): 修 PR Open-Less#236 合并后 ja/ko 缺键 + SelectionAsk 启用开关右置
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
c24c72c to
be9daa1
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: be9daa1c3f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+1508
to
+1510
| if is_builtin_translation_shift(&translation_hotkey) | ||
| || crate::shortcut_binding::legacy_modifier_trigger(&translation_hotkey) | ||
| .is_some() |
There was a problem hiding this comment.
When users set translation_hotkey to a modifier-only key other than Shift (for example RightControl), this condition still treats every TranslationModifierPressed event as valid. The platform hotkey adapters in hotkey.rs continue to emit TranslationModifierPressed on Shift-down unconditionally, so pressing Shift during dictation will incorrectly flip sessions into translation mode even though Shift is no longer the configured translation shortcut. This makes custom modifier translation bindings behave incorrectly in real use.
Useful? React with 👍 / 👎.
sora520
force-pushed
the
feat/microphone-device-selection
branch
from
be9daa1 to
98e3d37
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 98e3d3715e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
147
to
152
| persist_settings(&*coord, prefs.clone())?; | ||
| if let Err(err) = crate::refresh_tray_microphone_menu(&app) { | ||
| log::warn!("[tray] refresh microphone menu after settings save failed: {err}"); | ||
| sync_tray_microphone_selection(&tray_microphones.lock(), &prefs.microphone_device_name); | ||
| } | ||
| let _ = app.emit("prefs:changed", &prefs); |
There was a problem hiding this comment.
persist_settings normalizes incoming data via sync_dictation_hotkey_legacy_fields before writing (e.g. updating hotkey.trigger / custom_combo_hotkey from dictation_hotkey), but set_settings broadcasts prefs:changed using the original pre-normalization prefs. When users change dictation shortcuts, listeners in other windows (like QA panel and context sync) can receive stale hotkey fields and display/use inconsistent state until a full reload. Emit the stored/normalized preferences instead of the raw request payload.
Useful? React with 👍 / 👎.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
内部 PR,用于 Codex review 当前 fork 分支。
变更范围:
验证:
npm run build通过。暂不处理:
cpal暴露的设备名称保存/匹配。Windows endpoint ID / macOS CoreAudio UID 需要单独做平台专用实现和偏好迁移,避免在本 PR 中破坏现有托盘与旧偏好行为。