feat(settings): add microphone device selection

.github/workflows/ci.yml

@@ -1,15 +1,32 @@
 name: CI
 
+# 多平台跨语言质量门禁。release-tauri.yml 是发版流水线（仅打包构建），这里负责
+# 在合并前快速验证两件事：
+#   1. 前端 typecheck + vite bundle 通过（tsc + vite build，捕获跨 locale 类型 drift）
+#   2. Rust 后端在 macOS / Windows 都能 cargo check 过（捕获 cfg 漏分支 / 平台 API 误用）
+# 跑 build-mac.sh / windows-package-msvc.ps1 太重；只跑轻量 cargo check + vite build。
+
 on:
   push:
     branches: [main, dev]
   pull_request:
     branches: [main, dev]
 
 jobs:
-  windows-tauri:
-    name: Windows Tauri checks
-    runs-on: windows-latest
+  cross-platform:
+    name: ${{ matrix.label }} checks
+    strategy:
+      # 一个平台挂掉不阻塞其他平台拿到验证结果。
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            label: macOS
+            preflight: false
+          - os: windows-latest
+            label: Windows
+            preflight: true
+    runs-on: ${{ matrix.os }}
     defaults:
       run:
         working-directory: openless-all/app
@@ -32,10 +49,12 @@ jobs:
         run: npm ci
 
       - name: Check Windows prerequisites
+        if: matrix.preflight
         shell: pwsh
         run: ./scripts/windows-preflight.ps1 -Toolchain msvc
 
       - name: Check PowerShell scripts
+        if: matrix.preflight
         shell: pwsh
         run: |
           foreach ($script in @("./scripts/windows-preflight.ps1", "./scripts/windows-build-gnu.ps1", "./scripts/windows-runtime-smoke.ps1")) {
@@ -47,8 +66,38 @@ jobs:
             }
           }
 
-      - name: Build frontend
+      - name: Build frontend (tsc + vite)
         run: npm run build
 
-      - name: Check Tauri backend
+      - name: Check Tauri backend (cargo check)
         run: cargo check --manifest-path src-tauri/Cargo.toml
+
+      - name: Verify version sync across all 5 files
+        # 两个平台都跑这个校验：Windows runner 自带 git-bash，跨 shell 表现一致。
+        # 一旦版本号 drift 立刻 fail，避免发版时再发现漏改。
+        # 校验 5 处：package.json / package-lock.json (root + nested) /
+        # tauri.conf.json / Cargo.toml / Cargo.lock 的 [openless] 包。
+        shell: bash
+        run: |
+          PKG=$(node -p "require('./package.json').version")
+          LOCK_ROOT=$(node -p "require('./package-lock.json').version")
+          LOCK_NESTED=$(node -p "require('./package-lock.json').packages[''].version")
+          TAU=$(node -p "require('./src-tauri/tauri.conf.json').version")
+          CRG=$(grep -E '^version = ' src-tauri/Cargo.toml | head -1 | sed -E 's/^version = "(.+)"$/\1/')
+          # Cargo.lock：找 [openless] 包紧跟的 version 行
+          CARGO_LOCK_VER=$(awk 'BEGIN{found=0} /^name = "openless"$/{found=1; next} found && /^version = /{gsub(/"/,""); print $3; exit}' src-tauri/Cargo.lock)
+          echo "package.json         = $PKG"
+          echo "package-lock root    = $LOCK_ROOT"
+          echo "package-lock nested  = $LOCK_NESTED"
+          echo "tauri.conf.json      = $TAU"
+          echo "Cargo.toml           = $CRG"
+          echo "Cargo.lock openless  = $CARGO_LOCK_VER"
+          mismatch=0
+          for v in "$LOCK_ROOT" "$LOCK_NESTED" "$TAU" "$CRG" "$CARGO_LOCK_VER"; do
+            if [ "$v" != "$PKG" ]; then mismatch=1; fi
+          done
+          if [ "$mismatch" -ne 0 ]; then
+            echo "::error::版本号未对齐 — 请用 scripts/bump-version.sh 同步更新"
+            exit 1
+          fi
+          echo "[ok] 全部 5 处版本号一致：$PKG"

.github/workflows/release-tauri.yml

@@ -32,10 +32,15 @@ jobs:
             rust-target: aarch64-apple-darwin
             updater-target: darwin
             updater-arch: aarch64
-          - platform: macos-13
-            rust-target: x86_64-apple-darwin
-            updater-target: darwin
-            updater-arch: x86_64
+          # 暂时搁置 Intel mac 构建：GitHub Actions 把 macos-13 标记为 deprecated
+          # runner，pool 容量紧张到每次 dispatch 都 queue 1-2h 拿不到分配，多次
+          # release 都因这个 job 卡住整个 run 的 conclusion。等 GH 把 macOS x86_64
+          # 迁移到非 deprecated runner（macos-14 / macos-15-large）或 macos-13
+          # pool 缓解后再恢复。Apple Silicon dmg 在 Intel mac 上跑 Rosetta 仍可用。
+          # - platform: macos-13
+          #   rust-target: x86_64-apple-darwin
+          #   updater-target: darwin
+          #   updater-arch: x86_64
           - platform: windows-latest
             rust-target: x86_64-pc-windows-msvc
             updater-target: windows

.gitignore

@@ -22,9 +22,18 @@ SC/
 apps/
 promo/
 promo-openless/
+promo-openless-v2/
 docs/old-promo/
 .worktrees/
 
+# 派生产物（兜底）：项目曾出现 promo-openless-v2/node_modules 等遗漏，
+# 这里全局通配，避免某子目录漏配 .gitignore 时把 build artifact 推进 PR。
+node_modules/
+dist/
+target/
+.cargo/registry/
+.cargo/git/
+
 # Windows TSF IME local build outputs
 openless-all/app/windows-ime/OpenLessIme/
 openless-all/app/windows-ime/x64/

AGENTS.md

@@ -64,7 +64,7 @@ recorder.rs                                   Mic → 16 kHz mono Int16 PCM, RMS
 asr/{mod,frame,volcengine,whisper}.rs         ASR providers: Volcengine streaming WebSocket + Whisper HTTP
 polish.rs                                     OpenAI-compatible chat completions (Ark / DeepSeek / etc.)
 insertion.rs                                  AX focused-element write → clipboard + Cmd+V → copy-only fallback
-persistence.rs                                History/preferences/vocab JSON + Keychain credentials
+persistence.rs                                History/preferences/vocab JSON + platform credential vault
 coordinator.rs + commands.rs + lib.rs         State machine, IPC surface, tray icon, window plumbing
 permissions.rs                                TCC checks (Accessibility / Microphone)
 
@@ -91,9 +91,9 @@ Invariants:
 
 ### Permissions, credentials, on-disk state
 
-- **Bundle ID `com.openless.app`** is hard-coded in `openless-all/app/src-tauri/tauri.conf.json` and `CredentialsVault.serviceName`. Changing it breaks Keychain lookups *and* every existing TCC grant.
+- **Bundle ID `com.openless.app`** is hard-coded in `openless-all/app/src-tauri/tauri.conf.json` and `CredentialsVault.serviceName`. Changing it breaks system credential vault lookups *and* every existing TCC grant.
 - **TCC**: Microphone + Accessibility + AppleEvents. `NSMicrophoneUsageDescription` / `NSAccessibilityUsageDescription` / `NSAppleEventsUsageDescription` live in `openless-all/app/src-tauri/Info.plist`. After a fresh build that resets TCC, the app must be **fully quit and relaunched** after granting Accessibility before the global hotkey tap installs.
-- **Credentials** live in Keychain under accounts in `CredentialAccount` (`volcengine.app_key`, `volcengine.access_key`, `volcengine.resource_id`, `ark.api_key`, `ark.model_id`, `ark.endpoint`). The plaintext fallback at `~/.openless/credentials.json` is read on first launch so legacy users keep their creds without re-entering. Never hard-code keys.
+- **Credentials** live in the OS credential vault (macOS Keychain, Windows Credential Manager, Linux keyring) under service `com.openless.app`. The legacy plaintext JSON (`~/.openless/credentials.json` on macOS/Linux, `%APPDATA%\OpenLess\credentials.json` on Windows) is only a migration source and is removed after a successful vault write. Never hard-code keys or include legacy credential files in logs, exports, build artifacts, or bug reports.
 - **Per-user data**:
   - macOS: `~/Library/Application Support/OpenLess/{history.json, preferences.json, dictionary.json}` — capped at 200 history entries. **Do not rename `dictionary.json` to `vocab.json`** (drops user data).
   - Windows: `%APPDATA%\OpenLess\`

CLAUDE.md

@@ -64,7 +64,7 @@ recorder.rs                                   Mic → 16 kHz mono Int16 PCM, RMS
 asr/{mod,frame,volcengine,whisper}.rs         ASR providers: Volcengine streaming WebSocket + Whisper HTTP
 polish.rs                                     OpenAI-compatible chat completions (Ark / DeepSeek / etc.)
 insertion.rs                                  AX focused-element write → clipboard + Cmd+V → copy-only fallback
-persistence.rs                                History/preferences/vocab JSON + Keychain credentials
+persistence.rs                                History/preferences/vocab JSON + platform credential vault
 coordinator.rs + commands.rs + lib.rs         State machine, IPC surface, tray icon, window plumbing
 permissions.rs                                TCC checks (Accessibility / Microphone)
 
@@ -91,9 +91,9 @@ Invariants:
 
 ### Permissions, credentials, on-disk state
 
-- **Bundle ID `com.openless.app`** is hard-coded in `openless-all/app/src-tauri/tauri.conf.json` and `CredentialsVault.serviceName`. Changing it breaks Keychain lookups *and* every existing TCC grant.
+- **Bundle ID `com.openless.app`** is hard-coded in `openless-all/app/src-tauri/tauri.conf.json` and `CredentialsVault.serviceName`. Changing it breaks system credential vault lookups *and* every existing TCC grant.
 - **TCC**: Microphone + Accessibility + AppleEvents. `NSMicrophoneUsageDescription` / `NSAccessibilityUsageDescription` / `NSAppleEventsUsageDescription` live in `openless-all/app/src-tauri/Info.plist`. After a fresh build that resets TCC, the app must be **fully quit and relaunched** after granting Accessibility before the global hotkey tap installs.
-- **Credentials** live in Keychain under accounts in `CredentialAccount` (`volcengine.app_key`, `volcengine.access_key`, `volcengine.resource_id`, `ark.api_key`, `ark.model_id`, `ark.endpoint`). The plaintext fallback at `~/.openless/credentials.json` is read on first launch so legacy users keep their creds without re-entering. Never hard-code keys.
+- **Credentials** live in the OS credential vault (macOS Keychain, Windows Credential Manager, Linux keyring) under service `com.openless.app`. The legacy plaintext JSON (`~/.openless/credentials.json` on macOS/Linux, `%APPDATA%\OpenLess\credentials.json` on Windows) is only a migration source and is removed after a successful vault write. Never hard-code keys or include legacy credential files in logs, exports, build artifacts, or bug reports.
 - **Per-user data**:
   - macOS: `~/Library/Application Support/OpenLess/{history.json, preferences.json, dictionary.json}` — capped at 200 history entries. **Do not rename `dictionary.json` to `vocab.json`** (drops user data).
   - Windows: `%APPDATA%\OpenLess\`

README.md

@@ -195,9 +195,14 @@ Logs: `~/Library/Logs/OpenLess/openless.log` (macOS) / `%LOCALAPPDATA%\OpenLess\
 
 ## Credentials
 
-Credentials live in the local Keychain (service = `com.openless.app`). A plaintext JSON file at `~/.openless/credentials.json` (mode 0600, dir 0700) is kept as a dev-mode fallback when Keychain is unavailable.
+Credentials live in the OS credential vault (service = `com.openless.app`): macOS Keychain, Windows Credential Manager, or Linux keyring. A legacy plaintext JSON file is read only as a migration source and removed after a successful vault write:
 
-The repository contains no API keys, tokens, or private endpoints.
+```text
+macOS / Linux: ~/.openless/credentials.json
+Windows:       %APPDATA%\OpenLess\credentials.json
+```
+
+New credential writes do not persist plaintext secrets. The repository contains no API keys, tokens, or private endpoints.
 
 You'll need:
 
@@ -247,7 +252,7 @@ recorder.rs      Mic → 16 kHz mono Int16 PCM, RMS callback
 asr/             Volcengine streaming ASR (WebSocket) + Whisper HTTP
 polish.rs        OpenAI-compatible chat-completions (Ark / DeepSeek / etc.)
 insertion.rs     AX focused-element → clipboard + Cmd+V → copy-only fallback
-persistence.rs   History / preferences / vocab JSON + Keychain credentials
+persistence.rs   History / preferences / vocab JSON + platform credential vault
 permissions.rs   TCC checks (Accessibility / Microphone)
 coordinator.rs   State machine: Idle → Starting → Listening → Processing
 commands.rs      Tauri IPC surface

README.zh.md

@@ -198,13 +198,14 @@ npm run build
 
 ## 凭据
 
-凭据保存在本机 Keychain（service = `com.openless.app`）。开发期同时维护一份明文 JSON 兜底，用于在 Keychain 不可用时回退：
+凭据保存在系统凭据库（service = `com.openless.app`）：macOS Keychain、Windows Credential Manager 或 Linux keyring。旧版明文 JSON 只作为迁移来源读取，成功写入系统凭据库后会被删除：
 
 ```text
-~/.openless/credentials.json   # 0600，目录 0700
+macOS / Linux: ~/.openless/credentials.json
+Windows:       %APPDATA%\OpenLess\credentials.json
 ```
 
-仓库本身不包含任何 API Key、Token 或 Endpoint 之外的私有信息。
+新的凭据写入不会继续保存明文 secrets。仓库本身不包含任何 API Key、Token 或 Endpoint 之外的私有信息。
 
 需要配置的字段：
 
@@ -254,7 +255,7 @@ recorder.rs      麦克风 → 16 kHz 单声道 Int16 PCM，RMS 回调
 asr/             火山引擎流式 ASR（WebSocket）+ Whisper HTTP
 polish.rs        OpenAI 兼容 chat-completions（Ark / DeepSeek 等）
 insertion.rs     AX focused-element → 剪贴板 + Cmd+V → 仅复制兜底
-persistence.rs   历史记录 / 偏好设置 / 词典 JSON + Keychain 凭据
+persistence.rs   历史记录 / 偏好设置 / 词典 JSON + 系统凭据库
 permissions.rs   TCC 权限检查（辅助功能 / 麦克风）
 coordinator.rs   状态机：Idle → Starting → Listening → Processing
 commands.rs      Tauri IPC 接口