Gilbert Codex v0.5.5

Gilbert Codex v0.5.5 is a maintenance-heavy alpha release, but it is not a tiny one. This update is about making the app feel more complete in daily use: better customization, cleaner app and plugin surfaces, stronger Google/Gmail/Calendar setup, offline voice dictation, smoother workspace behavior, and a release pipeline that can package the private runtime pieces without putting them in the public repository.

The big theme is simple: keep the public repo clean, keep user credentials local, and still ship a Windows installer that has the tools, bridge code, plugins, voice resources, and updater metadata it needs.

Release Status

• Version: 0.5.5
• Tag: v0.5.5
• Previous public milestone: v0.5.0
• Primary packaged target: Windows x64
• Release vehicle: GitHub Actions Release workflow plus Tauri NSIS installer
• Installer family: Gilbert-Codex-0.5.5-x64-setup.exe
• Update feed asset: latest.json
• Updater signature asset: Gilbert-Codex-0.5.5-x64-setup.exe.sig
• Checksum asset: Gilbert-Codex-0.5.5-x64-setup.exe.sha256
• Published SHA-256: pending final release build

Do not fill the checksum until the final installer artifact has been built and uploaded. Keep the GitHub Release body aligned with this file.

What Changed

• App customization is much deeper now: appearance, motion, workspace behavior, dictation hotkeys, terminal choices, notifications, provider settings, model budgets, and web-search behavior are easier to tune from Settings.
• Apps and integrations moved forward with stronger Gmail, Google Calendar, Google Tasks, GitHub, Discord, plugin, MCP, and project-task surfaces.
• Google OAuth is now bring-your-own from Settings > Google. The app no longer needs a shared Google OAuth client ID, Google client secret, downloaded credential JSON, or Google private key in the public repo or release workflow.
• GitHub OAuth setup is stored locally from Settings > GitHub. The release build no longer depends on VITE_GITHUB_OAUTH_CLIENT_ID.
• Offline voice dictation is wired into the desktop composer with Whisper resources and native dictation commands. Release builds prepare the verified Whisper model and pinned Vulkan SDK before building the Windows app.
• The private tool bridge and optional plugin bundles remain outside public Git, then the release workflow restores them from the private release overlay before packaging.
• Provider streaming, planning/research flows, approval revision fallback, source handling, browser preview capture, and terminal state handling all received background cleanup.
• The README, installer docs, Google/Gmail/GitHub docs, and release notes now describe the new credential boundary more clearly.

Release Automation

The GitHub Release workflow now expects only the release infrastructure secrets it truly needs:

• TAURI_SIGNING_PRIVATE_KEY
• TAURI_SIGNING_PRIVATE_KEY_PASSWORD when the key is password-protected
• GILBERT_PRIVATE_RELEASE_OVERLAY_REPOSITORY
• GILBERT_PRIVATE_RELEASE_OVERLAY_TOKEN
• GILBERT_PRIVATE_RELEASE_OVERLAY_REF when the private overlay should build from a branch or tag other than main

The workflow restores src/toolBridge, optional plugins, and optional .agents/plugins from the private overlay. It also prepares the Whisper model and Vulkan SDK, then builds the Windows updater release with offline-dictation-gpu enabled.

The workflow no longer requires Google OAuth, GitHub OAuth, support-link, provider-key, or app-user credentials. Those belong in the installed app's local settings or local user storage, not in GitHub Actions.

Public Repository Boundary

The public repository intentionally excludes private runtime files, local plugin bundles, generated outputs, dependencies, local databases, logs, environment files, signing credentials, OAuth secrets, provider keys, and app-user tokens.

Release packaging still works because the private release overlay restores app-only runtime files inside the GitHub Actions workspace before the installer is compiled. That keeps public clones reviewable while downloaded release builds still include the app runtime pieces users expect.

Upgrade Notes For Users

• Install the Windows x64 setup executable from GitHub Releases.
• If Windows SmartScreen appears, review the source before continuing. This alpha is unsigned unless a signed build is provided.
• Create or sign into a local Gilbert user so chats, settings, projects, integrations, and workspace state stay namespaced.
• Configure provider keys, local endpoints, subscription accounts, GitHub OAuth, Google OAuth, Discord, and workspace permissions from Settings.
• For Gmail, Google Calendar, or Tasks, create a Desktop OAuth client in Google Cloud, paste the Client ID and Client secret into Settings > Google, then install the integration from Apps.
• For GitHub, create a GitHub OAuth App with Device Flow enabled, paste the public Client ID into Settings > GitHub, then continue with browser sign-in.
• For voice input, use the composer microphone control in the packaged desktop app. The release build includes the verified Whisper model resource.

Maintainer Notes

• Keep version fields aligned across package.json, package-lock.json, src-tauri/Cargo.toml, src-tauri/Cargo.lock, src-tauri/tauri.conf.json, frontend fallback app info, and MCP client metadata.
• Keep docs/releases/v0.5.5.md aligned with the GitHub Release body.
• Keep src/toolBridge, plugins, and .agents/plugins out of public Git. The private overlay is the release packaging path for those files.
• Do not restore build-time VITE_* OAuth requirements unless the app code genuinely needs a public, user-inspectable frontend value again.
• Do not commit Whisper model binaries or Vulkan SDK files. The scripts download and verify them for local and release builds.

Validation Commands

Recommended local checks:

npm.cmd run build
npm.cmd run rust:fmt:check
npm.cmd run rust:check
npm.cmd run audit:prod
git diff --check

Recommended release build:

npm.cmd run app:release

The GitHub release workflow performs the Windows updater release build when the tag is pushed or the workflow is dispatched with a version input.

Known Limits

Windows x64 is the packaged target for this release. macOS support is in development and should be out soon, but it still needs native release validation before it should be presented as official. Linux remains source-first until native packaging and QA are complete.

Google integrations are intentionally bring-your-own OAuth for now. That is appropriate for personal testing and early adopters, but broad public Gmail access with a shared Gilbert-owned Google app would still require the normal Google OAuth verification process.

The installer is not Authenticode code-signed unless a release is built with valid signing configuration. SmartScreen warnings are expected on some machines.