update README

.github/workflows/release.yml

@@ -10,7 +10,6 @@ concurrency:
   cancel-in-progress: false
 
 permissions:
-  actions: read
   contents: write
 
 jobs:
@@ -104,8 +103,6 @@ jobs:
 
       - name: Build AppImage
         run: bun run build:appimage
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build unversioned AppImage
         run: |
@@ -182,7 +179,6 @@ jobs:
       - name: Build signed + notarized macOS artifacts
         run: bun run build:mac
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CSC_LINK: ${{ secrets.CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
@@ -223,26 +219,6 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-bun-
 
-      - name: Validate Windows signing secrets
-        shell: bash
-        run: |
-          missing=0
-          for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG; do
-            if [ -z "${!name}" ]; then
-              echo "Missing required secret: $name"
-              missing=1
-            fi
-          done
-          if [ "$missing" -ne 0 ]; then
-            echo "Set the SignPath Windows signing secrets and rerun."
-            exit 1
-          fi
-        env:
-          SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
-          SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
-          SIGNPATH_PROJECT_SLUG: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
-          SIGNPATH_SIGNING_POLICY_SLUG: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
-
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
@@ -254,40 +230,16 @@ jobs:
           bun run build
 
       - name: Build unsigned Windows artifacts
-        run: bun run build:win
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: bun run build:win:unsigned
 
-      - name: Upload unsigned Windows artifact for SignPath
-        id: upload-unsigned-windows-artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: unsigned-windows
-          path: |
-            release/*.exe
-            release/*.zip
-          if-no-files-found: error
-
-      - name: Submit Windows signing request
-        id: signpath-sign
-        uses: signpath/github-action-submit-signing-request@v2
-        with:
-          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
-          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
-          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
-          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
-          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
-          wait-for-completion: true
-          output-artifact-directory: signed-windows
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload signed Windows artifacts
+      - name: Upload Windows artifacts
         uses: actions/upload-artifact@v4
         with:
           name: windows
           path: |
-            signed-windows/*.exe
-            signed-windows/*.zip
+            release/*.exe
+            release/*.zip
+          if-no-files-found: error
 
   release:
     needs: [build-linux, build-macos, build-windows]
@@ -380,6 +332,7 @@ jobs:
           if gh release view "${{ steps.version.outputs.VERSION }}" >/dev/null 2>&1; then
             # Do not pass the prerelease flag here; gh defaults to a normal release.
             gh release edit "${{ steps.version.outputs.VERSION }}" \
+              --draft=false \
               --title "${{ steps.version.outputs.VERSION }}" \
               --notes-file release/release-notes.md
           else

.gitignore

@@ -37,3 +37,4 @@ tests/*
 .worktrees/
 .codex/*
 .agents/*
+favicon.png

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## v0.5.3 (2026-03-09)
+
+### Changed
+- Release: Publish unsigned Windows `.exe` and `.zip` artifacts directly from release CI instead of routing them through SignPath.
+- Release: Added `bun run build:win:unsigned` for explicit local unsigned Windows packaging.
+
+## v0.5.2 (2026-03-09)
+
+### Internal
+- Release: Pinned the Windows SignPath submission workflow to an explicit artifact-configuration slug instead of relying on the SignPath project's default configuration.
+
+## v0.5.1 (2026-03-09)
+
+### Changed
+- Launcher: Removed the YouTube subtitle generation mode switch so YouTube playback always preloads subtitles before mpv starts.
+
+### Fixed
+- Launcher: Hardened YouTube AI subtitle fixing so fenced SRT output and text-only one-cue-per-block responses can still be applied without losing original cue timing.
+- Launcher: Skipped AniSkip lookup during URL playback and YouTube subtitle-preload playback, limiting AniSkip to local file targets where it can actually resolve anime metadata.
+- Launcher: Keep the background SubMiner process running after a launcher-managed mpv session exits so the next mpv instance can reconnect without restarting the app.
+- Launcher: Reuse prior tokenization readiness after the background app is already warm so reopening a video does not pause again waiting for duplicate warmup completion.
+- Windows: Acquire the app single-instance lock earlier so Windows overlay/video launches reuse the running background SubMiner process instead of booting a second full app and repeating startup warmups.
+
 ## v0.3.0 (2026-03-05)
 - Added keyboard-driven Yomitan navigation and popup controls, including optional auto-pause.
 - Added subtitle/jump keyboard handling fixes for smoother subtitle playback control.

README.md

@@ -20,8 +20,6 @@
 
 <br />
 
-Initial packaged Windows support is now available alongside the existing Linux and macOS builds.
-
 ## What it does
 
 SubMiner is an Electron overlay that sits on top of mpv. It turns your video player into a full sentence-mining workstation:
@@ -71,7 +69,7 @@ SubMiner.AppImage
 
 On macOS, launch `SubMiner.app`. On Windows, launch `SubMiner.exe` from the Start menu or install directory.
 
-On first launch, SubMiner now:
+On first launch, SubMiner:
 
 - starts in the tray/background
 - creates the default config directory and `config.jsonc`
@@ -114,17 +112,6 @@ Windows builds use native window tracking and do not require the Linux composito
 
 For full guides on configuration, Anki, Jellyfin, and more, see [docs.subminer.moe](https://docs.subminer.moe).
 
-## Testing
-
-- Run `bun run test` or `bun run test:fast` for the default fast lane: config/core coverage plus representative entry/runtime, Anki integration, and main runtime checks.
-- Run `bun run test:full` for the maintained test surface: Bun-compatible `src/**` coverage, Bun-compatible launcher unit coverage, and the maintained dist compatibility slice for `ipc`, `anki-jimaku-ipc`, `overlay-manager`, `config-validation`, `startup-config`, and runtime registry coverage.
-- Run `bun run test:node:compat` directly when you only need that dist compatibility slice. The command name is legacy; it now runs under Bun.
-- Run `bun run test:env` for environment-specific verification: launcher smoke/plugin checks plus the SQLite-backed immersion tracker lane.
-- Run `bun run test:immersion:sqlite` when you specifically need the dist SQLite persistence coverage.
-- Run `bun run test:subtitle` for the maintained `alass`/`ffsubsync` subtitle surface.
-
-The Bun-managed discovery lanes intentionally exclude a small set of suites from the source-file discovery pass and keep them in the maintained dist compatibility slice instead: Electron-focused tests in `src/core/services/ipc.test.ts`, `src/core/services/anki-jimaku-ipc.test.ts`, and `src/core/services/overlay-manager.test.ts`, plus runtime/config tests in `src/main/config-validation.test.ts`, `src/main/runtime/startup-config.test.ts`, and `src/main/runtime/registry.test.ts`. `bun run test:node:compat` keeps those suites in the standard workflow instead of leaving them untracked.
-
 ## Acknowledgments
 
 Built on the shoulders of [GameSentenceMiner](https://github.com/bpwhelan/GameSentenceMiner), [Renji's Texthooker Page](https://github.com/Renji-XD/texthooker-ui), [mpvacious](https://github.com/Ajatt-Tools/mpvacious), [Anacreon-Script](https://github.com/friedrich-de/Anacreon-Script), and [Bee's Character Dictionary](https://github.com/bee-san/Japanese_Character_Name_Dictionary). Subtitles powered by [Jimaku.cc](https://jimaku.cc). Dictionary lookups via [Yomitan](https://github.com/yomidevs/yomitan).

backlog/tasks/task-134 - Harden-Windows-release-signing-against-transient-SignPath-failures.md

@@ -0,0 +1,66 @@
+---
+id: TASK-134
+title: Harden Windows release signing against transient SignPath failures
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-09 00:00'
+updated_date: '2026-03-08 20:23'
+labels:
+  - ci
+  - release
+  - windows
+  - signing
+dependencies: []
+references:
+  - .github/workflows/release.yml
+  - package.json
+  - src/release-workflow.test.ts
+  - https://github.com/ksyasuda/SubMiner/actions/runs/22836585479
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+The tag-driven Release workflow currently fails the Windows lane if the SignPath connector returns transient 502 errors during submission, and the tagged build scripts also allow electron-builder to implicitly publish unsigned artifacts before the final release job runs. Harden the workflow so transient SignPath outages get bounded retries and release packaging never auto-publishes unsigned assets.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Windows release signing retries transient SignPath submission failures within the release workflow before failing the job.
+- [ ] #2 Release packaging scripts disable electron-builder implicit publish so build jobs do not upload unsigned assets on tag builds.
+- [ ] #3 Regression coverage fails if SignPath retry scaffolding or publish suppression is removed.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add a regression test for the release workflow/package script shape covering SignPath retries and `--publish never`.
+2. Patch the Windows release job to retry SignPath submission a bounded number of times and still fail hard if every attempt fails.
+3. Update tagged package build scripts to disable implicit electron-builder publishing during release builds.
+4. Run targeted release-workflow verification and capture any remaining manual release cleanup needed for `v0.5.0`.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+The failed Windows signing step in GitHub Actions run `22836585479` was not caused by missing secrets or an artifact-shape mismatch. The SignPath GitHub action retried repeated `502` responses from the SignPath connector for several minutes and then failed the job.
+
+Hardened `.github/workflows/release.yml` by replacing the single SignPath submission with three bounded attempts. The second and third submissions only run if the previous attempt failed, and the job now fails with an explicit rerun message only after all three attempts fail. Signed-artifact upload is keyed to the successful attempt so the release job still consumes the normal `windows` artifact name.
+
+Also fixed a separate release regression exposed by the same run: `electron-builder` was implicitly publishing unsigned release assets during tag builds because the packaging scripts did not set `--publish never` and the workflow injected `GH_TOKEN` into build jobs. Updated the relevant package scripts to pass `--publish never`, removed `GH_TOKEN` from the packaging jobs, and made the final publish step force `--draft=false` when editing an existing tag release so previously-created draft releases get published.
+
+Verification: `bun test src/release-workflow.test.ts`, `bun run typecheck`, and `bun run test:fast` all passed locally after restoring the missing local `libsql` install with `bun install --frozen-lockfile`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Windows release signing is now resilient to transient SignPath connector outages. The release workflow retries the SignPath submission up to three times before failing, and only uploads the signed Windows artifact from the attempt that succeeded.
+
+Release packaging also no longer auto-publishes unsigned assets on tag builds. The `electron-builder` scripts now force `--publish never`, the build jobs no longer pass `GH_TOKEN` into packaging steps, and the final GitHub release publish step explicitly clears draft state when updating an existing tag release.
+
+Validation: `bun test src/release-workflow.test.ts`, `bun run typecheck`, `bun run test:fast`.
+Manual follow-up for the failed `v0.5.0` release: rerun the `Release` workflow after merging/pushing this fix, then clean up the stray draft/untagged release assets created by the failed run if they remain.
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-135 - Cut-patch-release-v0.5.1-for-Windows-signing-fix.md

@@ -0,0 +1,57 @@
+---
+id: TASK-135
+title: Cut patch release v0.5.1 for Windows signing fix
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-08 20:24'
+updated_date: '2026-03-08 20:28'
+labels:
+  - release
+  - patch
+dependencies:
+  - TASK-134
+references:
+  - package.json
+  - CHANGELOG.md
+  - release/release-notes.md
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Publish a patch release from the workflow-signing fix on `main` by bumping the app version, generating the committed changelog artifacts for the new version, and pushing a new `v0.5.1` tag instead of rewriting the failed `v0.5.0` tag.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Repository version metadata is updated to `0.5.1`.
+- [ ] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.1` section and released fragments are removed.
+- [ ] #3 New `v0.5.1` commit and tag are pushed to `origin`.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Bump the package version to `0.5.1`.
+2. Run the changelog builder so `CHANGELOG.md`/`release-notes.md` match the release workflow contract.
+3. Run the relevant verification commands.
+4. Commit the release-prep changes, create `v0.5.1`, and push both commit and tag.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Bumped `package.json` from `0.5.0` to `0.5.1`, then ran `bun run changelog:build` so the committed release artifacts match the release workflow contract. That prepended the `v0.5.1` section to `CHANGELOG.md`, regenerated `release/release-notes.md`, and removed the consumed changelog fragments from `changes/`.
+
+Verification before tagging: `bun run changelog:lint`, `bun run changelog:check --version 0.5.1`, `bun run typecheck`, and `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Prepared patch release `v0.5.1` from the signing-workflow fix on `main` instead of rewriting the failed `v0.5.0` tag. Repository version metadata, changelog, and committed release notes are all aligned with the new release tag, and the consumed changelog fragments were removed.
+
+Validation: `bun run changelog:lint`, `bun run changelog:check --version 0.5.1`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md

@@ -0,0 +1,61 @@
+---
+id: TASK-136
+title: Pin SignPath artifact configuration in release workflow
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-08 20:41'
+updated_date: '2026-03-08 20:58'
+labels:
+  - ci
+  - release
+  - windows
+  - signing
+dependencies:
+  - TASK-134
+references:
+  - .github/workflows/release.yml
+  - build/signpath-windows-artifact-config.xml
+  - src/release-workflow.test.ts
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+The Windows release workflow currently relies on the default SignPath artifact configuration configured in the SignPath UI. Pin the workflow to an explicit artifact-configuration slug so the checked-in signing configuration and CI behavior stay deterministic across future SignPath project changes.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 The Windows release workflow validates a dedicated SignPath artifact-configuration secret/input.
+- [ ] #2 Every SignPath submission attempt passes `artifact-configuration-slug`.
+- [ ] #3 Regression coverage fails if the explicit SignPath artifact-configuration binding is removed.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add a failing workflow regression test for the explicit SignPath artifact-configuration slug.
+2. Patch the Windows signing secret validation and SignPath action inputs to require the slug.
+3. Run targeted release-workflow verification plus the standard fast lane.
+4. Cut a new patch release so the tag-triggered release workflow runs with the pinned SignPath configuration.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Added regression coverage in `src/release-workflow.test.ts` for an explicit SignPath artifact-configuration slug so the release workflow test now fails if the slug validation or action input is removed.
+
+Patched `.github/workflows/release.yml` so Windows signing now requires `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` during secret validation and passes `artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}` on every SignPath submission attempt.
+
+Verification: `bun test src/release-workflow.test.ts`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+The release workflow is now pinned to an explicit SignPath artifact configuration instead of relying on whichever SignPath artifact config is marked default in the UI. Windows signing secret validation fails fast if `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` is missing, and every SignPath submission attempt now includes the pinned slug.
+
+Validation: `bun test src/release-workflow.test.ts`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md

@@ -0,0 +1,57 @@
+---
+id: TASK-137
+title: Cut patch release v0.5.2 for SignPath artifact config pinning
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-08 20:44'
+updated_date: '2026-03-08 20:58'
+labels:
+  - release
+  - patch
+dependencies:
+  - TASK-136
+references:
+  - package.json
+  - CHANGELOG.md
+  - release/release-notes.md
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Publish a patch release from the SignPath artifact-configuration pinning change by bumping the app version, generating the committed changelog artifacts for the new version, and pushing a new `v0.5.2` tag.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Repository version metadata is updated to `0.5.2`.
+- [ ] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.2` section and consumed fragments are removed.
+- [ ] #3 New `v0.5.2` commit and tag are pushed to `origin`.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add the release fragment for the SignPath configuration pinning change.
+2. Bump `package.json` to `0.5.2` and run the changelog builder.
+3. Run changelog/typecheck/test verification.
+4. Commit the release-prep change set, create `v0.5.2`, and push commit plus tag.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Bumped `package.json` from `0.5.1` to `0.5.2`, ran `bun run changelog:build`, and committed the generated release artifacts. That prepended the `v0.5.2` section to `CHANGELOG.md`, regenerated `release/release-notes.md`, and removed the consumed `changes/signpath-artifact-config-pin.md` fragment.
+
+Verification before tagging: `bun run changelog:lint`, `bun run changelog:check --version 0.5.2`, `bun run typecheck`, and `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Prepared patch release `v0.5.2` so the explicit SignPath artifact-configuration pin ships on a fresh release tag. Version metadata, committed changelog artifacts, and release notes are aligned with the new patch version.
+
+Validation: `bun run changelog:lint`, `bun run changelog:check --version 0.5.2`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-138 - Publish-unsigned-Windows-release-artifacts-and-add-local-unsigned-build-script.md

@@ -0,0 +1,62 @@
+---
+id: TASK-138
+title: Publish unsigned Windows release artifacts and add local unsigned build script
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-09 00:00'
+updated_date: '2026-03-09 00:00'
+labels:
+  - release
+  - windows
+dependencies: []
+references:
+  - .github/workflows/release.yml
+  - package.json
+  - src/release-workflow.test.ts
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Stop the tag-driven release workflow from depending on SignPath and publish unsigned Windows `.exe` and `.zip` artifacts directly. Add an explicit local `build:win:unsigned` script without changing the existing `build:win` command.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 Windows release CI builds unsigned artifacts without requiring SignPath secrets.
+- [x] #2 The Windows release job uploads `release/*.exe` and `release/*.zip` directly as the `windows` artifact.
+- [x] #3 The repo exposes a local `build:win:unsigned` script for explicit unsigned Windows packaging.
+- [x] #4 Regression coverage fails if the workflow reintroduces SignPath submission or drops the unsigned script.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Update workflow regression tests to assert unsigned Windows release behavior and the new local script.
+2. Patch `package.json` to add `build:win:unsigned`.
+3. Patch `.github/workflows/release.yml` to build unsigned Windows artifacts and upload them directly.
+4. Add the release changelog fragment and run focused verification.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Removed the Windows SignPath secret validation and submission steps from `.github/workflows/release.yml`. The Windows release job now runs `bun run build:win:unsigned` and uploads `release/*.exe` and `release/*.zip` directly as the `windows` artifact consumed by the release job.
+
+Added `scripts/build-win-unsigned.mjs` plus the `build:win:unsigned` package script. The wrapper clears Windows code-signing environment variables and disables identity auto-discovery before invoking `electron-builder`, so release CI stays unsigned even if signing credentials are configured elsewhere.
+
+Updated `src/release-workflow.test.ts` to assert the unsigned workflow contract and added the release changelog fragment in `changes/unsigned-windows-release-builds.md`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Windows release CI now publishes unsigned artifacts directly and no longer depends on SignPath. Local developers also have an explicit `bun run build:win:unsigned` path for unsigned packaging without changing the existing `build:win` command.
+
+Verification:
+- `bun test src/release-workflow.test.ts`
+- `bun run typecheck`
+- `node --check scripts/build-win-unsigned.mjs`
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-139 - Cut-patch-release-v0.5.3-for-unsigned-Windows-release-builds.md

@@ -0,0 +1,57 @@
+---
+id: TASK-139
+title: Cut patch release v0.5.3 for unsigned Windows release builds
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-09 00:00'
+updated_date: '2026-03-09 00:00'
+labels:
+  - release
+  - patch
+dependencies:
+  - TASK-138
+references:
+  - package.json
+  - CHANGELOG.md
+  - release/release-notes.md
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Publish a patch release from the unsigned Windows release-build change by bumping the app version, generating committed changelog artifacts for `v0.5.3`, and pushing the release-prep commit.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 Repository version metadata is updated to `0.5.3`.
+- [x] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.3` section and consumed fragments are removed.
+- [x] #3 New `v0.5.3` release-prep commit is pushed to `origin/main`.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Bump `package.json` from `0.5.2` to `0.5.3`.
+2. Run `bun run changelog:build` so committed changelog artifacts match the new patch version.
+3. Run changelog/typecheck/test verification.
+4. Commit the release-prep change set and push `main`.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Bumped `package.json` from `0.5.2` to `0.5.3`, ran `bun run changelog:build`, and committed the generated release artifacts. That prepended the `v0.5.3` section to `CHANGELOG.md`, regenerated `release/release-notes.md`, and removed the consumed `changes/unsigned-windows-release-builds.md` fragment.
+
+Verification before push: `bun run changelog:lint`, `bun run changelog:check --version 0.5.3`, `bun run typecheck`, and `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Prepared patch release `v0.5.3` so the unsigned Windows release-build change is captured in committed release metadata on `main`. Version metadata, changelog output, and release notes are aligned with the new patch version.
+
+Validation: `bun run changelog:lint`, `bun run changelog:check --version 0.5.3`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

changes/task-117.1.md

@@ -1,4 +0,0 @@
-type: fixed
-area: launcher
-
-- Hardened YouTube AI subtitle fixing so fenced SRT output and text-only one-cue-per-block responses can still be applied without losing original cue timing.

changes/task-127.md

@@ -1,4 +0,0 @@
-type: fixed
-area: launcher
-
-- Skipped AniSkip lookup during URL playback and YouTube subtitle-preload playback, limiting AniSkip to local file targets where it can actually resolve anime metadata.

changes/task-130.md

@@ -1,5 +0,0 @@
-type: fixed
-area: launcher
-
-- Keep the background SubMiner process running after a launcher-managed mpv session exits so the next mpv instance can reconnect without restarting the app.
-- Reuse prior tokenization readiness after the background app is already warm so reopening a video does not pause again waiting for duplicate warmup completion.

changes/windows-background-reuse.md

@@ -1,4 +0,0 @@
-type: fixed
-area: windows
-
-- Acquire the app single-instance lock earlier so Windows overlay/video launches reuse the running background SubMiner process instead of booting a second full app and repeating startup warmups.

changes/youtube-single-flow.md

@@ -1,4 +0,0 @@
-type: changed
-area: launcher
-
-- Removed the YouTube subtitle generation mode switch so YouTube playback always preloads subtitles before mpv starts.

docs/plans/2026-03-09-unsigned-windows-release-builds.md

@@ -0,0 +1,77 @@
+# Unsigned Windows Release Builds Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Publish unsigned Windows release artifacts in GitHub Actions while adding an explicit local `build:win:unsigned` script.
+
+**Architecture:** Keep Windows packaging on `electron-builder`, but stop the release workflow from routing artifacts through SignPath. The Windows release job will build unsigned artifacts and upload them directly under the existing `windows` artifact name so the downstream release job stays stable. Local developer behavior remains unchanged except for a new explicit unsigned build script.
+
+**Tech Stack:** GitHub Actions, Bun, Electron Builder, Node test runner
+
+---
+
+### Task 1: Track the workflow contract change
+
+**Files:**
+- Create: `backlog/tasks/task-138 - Publish-unsigned-Windows-release-artifacts-and-add-local-unsigned-build-script.md`
+- Create: `changes/unsigned-windows-release-builds.md`
+
+**Step 1: Write the backlog task + changelog fragment**
+
+Document the scope: unsigned Windows release CI, new local unsigned script, no SignPath dependency.
+
+**Step 2: Review file formatting**
+
+Run: `sed -n '1,220p' backlog/tasks/task-138\ -\ Publish-unsigned-Windows-release-artifacts-and-add-local-unsigned-build-script.md && sed -n '1,80p' changes/unsigned-windows-release-builds.md`
+Expected: task metadata matches existing backlog files; changelog fragment matches `changes/README.md` format.
+
+### Task 2: Write failing workflow regression tests
+
+**Files:**
+- Modify: `src/release-workflow.test.ts`
+
+**Step 1: Write the failing test**
+
+Replace SignPath-specific workflow assertions with assertions for:
+- unsigned Windows artifacts built via `bun run build:win:unsigned`
+- direct `windows` artifact upload from `release/*.exe` and `release/*.zip`
+- no SignPath action references
+- package scripts include `build:win:unsigned`
+
+**Step 2: Run test to verify it fails**
+
+Run: `bun test src/release-workflow.test.ts`
+Expected: FAIL because the current workflow still validates SignPath secrets and submits signing requests.
+
+### Task 3: Patch package scripts and release workflow
+
+**Files:**
+- Modify: `package.json`
+- Modify: `.github/workflows/release.yml`
+
+**Step 1: Write minimal implementation**
+
+- add `build:win:unsigned` that clears Windows signing env and disables auto discovery before invoking `electron-builder --win nsis zip --publish never`
+- change the Windows release job to remove SignPath secret validation/submission
+- build Windows artifacts with `bun run build:win:unsigned`
+- upload `release/*.exe` and `release/*.zip` directly as `windows`
+
+**Step 2: Run tests to verify they pass**
+
+Run: `bun test src/release-workflow.test.ts`
+Expected: PASS
+
+### Task 4: Run focused verification
+
+**Files:**
+- Modify: none
+
+**Step 1: Run focused checks**
+
+Run: `bun test src/release-workflow.test.ts && bun run typecheck`
+Expected: all green
+
+**Step 2: Spot-check diff**
+
+Run: `git --no-pager diff -- .github/workflows/release.yml package.json src/release-workflow.test.ts changes/unsigned-windows-release-builds.md backlog/tasks/task-138\ -\ Publish-unsigned-Windows-release-artifacts-and-add-local-unsigned-build-script.md docs/plans/2026-03-09-unsigned-windows-release-builds.md`
+Expected: only scoped unsigned-Windows workflow/script/docs changes

package.json

@@ -1,6 +1,6 @@
 {
   "name": "subminer",
-  "version": "0.5.0",
+  "version": "0.5.3",
   "description": "All-in-one sentence mining overlay with AnkiConnect and dictionary integration",
   "packageManager": "bun@1.3.5",
   "main": "dist/main-entry.js",
@@ -56,11 +56,12 @@
     "dev": "bun run build && electron . --start --dev",
     "stop": "electron . --stop",
     "toggle": "electron . --toggle",
-    "build:appimage": "bun run build && electron-builder --linux AppImage",
-    "build:mac": "bun run build && electron-builder --mac dmg zip",
-    "build:mac:unsigned": "bun run build && env -u APPLE_ID -u APPLE_APP_SPECIFIC_PASSWORD -u APPLE_TEAM_ID -u CSC_LINK -u CSC_KEY_PASSWORD CSC_IDENTITY_AUTO_DISCOVERY=false electron-builder --mac dmg zip",
-    "build:mac:zip": "bun run build && electron-builder --mac zip",
-    "build:win": "bun run build && electron-builder --win nsis zip"
+    "build:appimage": "bun run build && electron-builder --linux AppImage --publish never",
+    "build:mac": "bun run build && electron-builder --mac dmg zip --publish never",
+    "build:mac:unsigned": "bun run build && env -u APPLE_ID -u APPLE_APP_SPECIFIC_PASSWORD -u APPLE_TEAM_ID -u CSC_LINK -u CSC_KEY_PASSWORD CSC_IDENTITY_AUTO_DISCOVERY=false electron-builder --mac dmg zip --publish never",
+    "build:mac:zip": "bun run build && electron-builder --mac zip --publish never",
+    "build:win": "bun run build && electron-builder --win nsis zip --publish never",
+    "build:win:unsigned": "bun run build && node scripts/build-win-unsigned.mjs"
   },
   "keywords": [
     "anki",

release/release-notes.md

@@ -0,0 +1,16 @@
+## Highlights
+### Changed
+- Release: Publish unsigned Windows `.exe` and `.zip` artifacts directly from release CI instead of routing them through SignPath.
+- Release: Added `bun run build:win:unsigned` for explicit local unsigned Windows packaging.
+
+## Installation
+
+See the README and docs/installation guide for full setup steps.
+
+## Assets
+
+- Linux: `SubMiner.AppImage`
+- macOS: `SubMiner-*.dmg` and `SubMiner-*.zip`
+- Optional extras: `subminer-assets.tar.gz` and the `subminer` launcher
+
+Note: the `subminer` wrapper script uses Bun (`#!/usr/bin/env bun`), so `bun` must be installed and on `PATH`.

scripts/build-win-unsigned.mjs

@@ -0,0 +1,30 @@
+import { spawnSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+
+const env = { ...process.env };
+
+for (const name of [
+  'CSC_LINK',
+  'CSC_KEY_PASSWORD',
+  'WIN_CSC_LINK',
+  'WIN_CSC_KEY_PASSWORD',
+  'CSC_NAME',
+  'WIN_CSC_NAME',
+]) {
+  delete env[name];
+}
+
+env.CSC_IDENTITY_AUTO_DISCOVERY = 'false';
+
+const electronBuilderCli = fileURLToPath(new URL('../node_modules/electron-builder/out/cli/cli.js', import.meta.url));
+
+const result = spawnSync(process.execPath, [electronBuilderCli, '--win', 'nsis', 'zip', '--publish', 'never'], {
+  stdio: 'inherit',
+  env,
+});
+
+if (result.error) {
+  throw result.error;
+}
+
+process.exit(result.status ?? 1);

src/release-workflow.test.ts

@@ -7,11 +7,19 @@ const releaseWorkflowPath = resolve(__dirname, '../.github/workflows/release.yml
 const releaseWorkflow = readFileSync(releaseWorkflowPath, 'utf8');
 const makefilePath = resolve(__dirname, '../Makefile');
 const makefile = readFileSync(makefilePath, 'utf8');
+const packageJsonPath = resolve(__dirname, '../package.json');
+const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as {
+  scripts: Record<string, string>;
+};
 
 test('publish release leaves prerelease unset so gh creates a normal release', () => {
   assert.ok(!releaseWorkflow.includes('--prerelease'));
 });
 
+test('publish release forces an existing draft tag release to become public', () => {
+  assert.ok(releaseWorkflow.includes('--draft=false'));
+});
+
 test('release workflow verifies a committed changelog section before publish', () => {
   assert.match(releaseWorkflow, /bun run changelog:check/);
 });
@@ -26,6 +34,22 @@ test('release workflow includes the Windows installer in checksums and uploaded
   assert.match(releaseWorkflow, /artifacts=\([\s\S]*release\/\*\.exe[\s\S]*release\/SHA256SUMS\.txt[\s\S]*\)/);
 });
 
+test('release package scripts disable implicit electron-builder publishing', () => {
+  assert.match(packageJson.scripts['build:appimage'] ?? '', /--publish never/);
+  assert.match(packageJson.scripts['build:mac'] ?? '', /--publish never/);
+  assert.match(packageJson.scripts['build:win'] ?? '', /--publish never/);
+  assert.match(packageJson.scripts['build:win:unsigned'] ?? '', /build-win-unsigned\.mjs/);
+});
+
+test('windows release workflow publishes unsigned artifacts directly without SignPath', () => {
+  assert.match(releaseWorkflow, /Build unsigned Windows artifacts/);
+  assert.match(releaseWorkflow, /run: bun run build:win:unsigned/);
+  assert.match(releaseWorkflow, /name: windows/);
+  assert.match(releaseWorkflow, /path: \|\n\s+release\/\*\.exe\n\s+release\/\*\.zip/);
+  assert.ok(!releaseWorkflow.includes('signpath/github-action-submit-signing-request'));
+  assert.ok(!releaseWorkflow.includes('SIGNPATH_'));
+});
+
 test('Makefile routes Windows install-plugin setup through bun and documents Windows builds', () => {
   assert.match(makefile, /windows\) printf '%s\\n' "\[INFO\] Windows builds run via: bun run build:win" ;;/);
   assert.match(makefile, /bun \.\/scripts\/configure-plugin-binary-path\.mjs/);