chore: cut v0.5.2 release

.github/workflows/release.yml

@@ -224,7 +224,7 @@ jobs:
         shell: bash
         run: |
           missing=0
-          for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG; do
+          for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG SIGNPATH_ARTIFACT_CONFIGURATION_SLUG; do
             if [ -z "${!name}" ]; then
               echo "Missing required secret: $name"
               missing=1
@@ -239,6 +239,7 @@ jobs:
           SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
           SIGNPATH_PROJECT_SLUG: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
           SIGNPATH_SIGNING_POLICY_SLUG: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          SIGNPATH_ARTIFACT_CONFIGURATION_SLUG: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -272,6 +273,7 @@ jobs:
           organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
           project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
           signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
           github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
           wait-for-completion: true
           output-artifact-directory: signed-windows-attempt-1
@@ -287,6 +289,7 @@ jobs:
           organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
           project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
           signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
           github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
           wait-for-completion: true
           output-artifact-directory: signed-windows-attempt-2
@@ -302,6 +305,7 @@ jobs:
           organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
           project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
           signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
           github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
           wait-for-completion: true
           output-artifact-directory: signed-windows-attempt-3

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.5.2 (2026-03-09)
+
+### Internal
+- Release: Pinned the Windows SignPath submission workflow to an explicit artifact-configuration slug instead of relying on the SignPath project's default configuration.
+
 ## v0.5.1 (2026-03-09)
 
 ### Changed

backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md

@@ -0,0 +1,61 @@
+---
+id: TASK-136
+title: Pin SignPath artifact configuration in release workflow
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-08 20:41'
+updated_date: '2026-03-08 20:58'
+labels:
+  - ci
+  - release
+  - windows
+  - signing
+dependencies:
+  - TASK-134
+references:
+  - .github/workflows/release.yml
+  - build/signpath-windows-artifact-config.xml
+  - src/release-workflow.test.ts
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+The Windows release workflow currently relies on the default SignPath artifact configuration configured in the SignPath UI. Pin the workflow to an explicit artifact-configuration slug so the checked-in signing configuration and CI behavior stay deterministic across future SignPath project changes.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 The Windows release workflow validates a dedicated SignPath artifact-configuration secret/input.
+- [ ] #2 Every SignPath submission attempt passes `artifact-configuration-slug`.
+- [ ] #3 Regression coverage fails if the explicit SignPath artifact-configuration binding is removed.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add a failing workflow regression test for the explicit SignPath artifact-configuration slug.
+2. Patch the Windows signing secret validation and SignPath action inputs to require the slug.
+3. Run targeted release-workflow verification plus the standard fast lane.
+4. Cut a new patch release so the tag-triggered release workflow runs with the pinned SignPath configuration.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Added regression coverage in `src/release-workflow.test.ts` for an explicit SignPath artifact-configuration slug so the release workflow test now fails if the slug validation or action input is removed.
+
+Patched `.github/workflows/release.yml` so Windows signing now requires `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` during secret validation and passes `artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}` on every SignPath submission attempt.
+
+Verification: `bun test src/release-workflow.test.ts`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+The release workflow is now pinned to an explicit SignPath artifact configuration instead of relying on whichever SignPath artifact config is marked default in the UI. Windows signing secret validation fails fast if `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` is missing, and every SignPath submission attempt now includes the pinned slug.
+
+Validation: `bun test src/release-workflow.test.ts`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md

@@ -0,0 +1,57 @@
+---
+id: TASK-137
+title: Cut patch release v0.5.2 for SignPath artifact config pinning
+status: Done
+assignee:
+  - codex
+created_date: '2026-03-08 20:44'
+updated_date: '2026-03-08 20:58'
+labels:
+  - release
+  - patch
+dependencies:
+  - TASK-136
+references:
+  - package.json
+  - CHANGELOG.md
+  - release/release-notes.md
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Publish a patch release from the SignPath artifact-configuration pinning change by bumping the app version, generating the committed changelog artifacts for the new version, and pushing a new `v0.5.2` tag.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Repository version metadata is updated to `0.5.2`.
+- [ ] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.2` section and consumed fragments are removed.
+- [ ] #3 New `v0.5.2` commit and tag are pushed to `origin`.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add the release fragment for the SignPath configuration pinning change.
+2. Bump `package.json` to `0.5.2` and run the changelog builder.
+3. Run changelog/typecheck/test verification.
+4. Commit the release-prep change set, create `v0.5.2`, and push commit plus tag.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Bumped `package.json` from `0.5.1` to `0.5.2`, ran `bun run changelog:build`, and committed the generated release artifacts. That prepended the `v0.5.2` section to `CHANGELOG.md`, regenerated `release/release-notes.md`, and removed the consumed `changes/signpath-artifact-config-pin.md` fragment.
+
+Verification before tagging: `bun run changelog:lint`, `bun run changelog:check --version 0.5.2`, `bun run typecheck`, and `bun run test:fast`.
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+Prepared patch release `v0.5.2` so the explicit SignPath artifact-configuration pin ships on a fresh release tag. Version metadata, committed changelog artifacts, and release notes are aligned with the new patch version.
+
+Validation: `bun run changelog:lint`, `bun run changelog:check --version 0.5.2`, `bun run typecheck`, `bun run test:fast`.
+<!-- SECTION:FINAL_SUMMARY:END -->

package.json

@@ -1,6 +1,6 @@
 {
   "name": "subminer",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "description": "All-in-one sentence mining overlay with AnkiConnect and dictionary integration",
   "packageManager": "bun@1.3.5",
   "main": "dist/main-entry.js",

release/release-notes.md

@@ -1,13 +1,6 @@
 ## Highlights
-### Changed
-- Launcher: Removed the YouTube subtitle generation mode switch so YouTube playback always preloads subtitles before mpv starts.
-
-### Fixed
-- Launcher: Hardened YouTube AI subtitle fixing so fenced SRT output and text-only one-cue-per-block responses can still be applied without losing original cue timing.
-- Launcher: Skipped AniSkip lookup during URL playback and YouTube subtitle-preload playback, limiting AniSkip to local file targets where it can actually resolve anime metadata.
-- Launcher: Keep the background SubMiner process running after a launcher-managed mpv session exits so the next mpv instance can reconnect without restarting the app.
-- Launcher: Reuse prior tokenization readiness after the background app is already warm so reopening a video does not pause again waiting for duplicate warmup completion.
-- Windows: Acquire the app single-instance lock earlier so Windows overlay/video launches reuse the running background SubMiner process instead of booting a second full app and repeating startup warmups.
+### Internal
+- Release: Pinned the Windows SignPath submission workflow to an explicit artifact-configuration slug instead of relying on the SignPath project's default configuration.
 
 ## Installation
 

src/release-workflow.test.ts

@@ -47,6 +47,11 @@ test('windows release workflow retries SignPath submission and fails only after
   assert.match(releaseWorkflow, /All SignPath signing attempts failed; rerun the workflow when SignPath is healthy\./);
 });
 
+test('windows release workflow pins the SignPath artifact configuration slug explicitly', () => {
+  assert.match(releaseWorkflow, /SIGNPATH_ARTIFACT_CONFIGURATION_SLUG/);
+  assert.match(releaseWorkflow, /artifact-configuration-slug: \$\{\{ secrets\.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG \}\}/);
+});
+
 test('Makefile routes Windows install-plugin setup through bun and documents Windows builds', () => {
   assert.match(makefile, /windows\) printf '%s\\n' "\[INFO\] Windows builds run via: bun run build:win" ;;/);
   assert.match(makefile, /bun \.\/scripts\/configure-plugin-binary-path\.mjs/);