Release Trust

Release Trust Pack

The signed/store-trusted installer workspace for channel choice, signing evidence, no-secret handling, safe commands, and paid-beta release gating.

Trust Pack Controls

Run npm run release:trust, npm run release:candidate:preflight, and npm run release:trust:pack after changing release channel, signing path, certificate status, Store status, or installer evidence.

Pack status | Release Trust Waiting On Handoffs | Ready
Release channel | Direct download beta + Microsoft Store prep | Ready
Signing decision | Microsoft Trusted Signing first | Ready
Current signing | Unsigned internal alpha evidence only | Ready
Candidate | Internal Alpha Only | Ready
Actions | 2 | Ready
Commands | 6 | Ready
Blocked actions | 2 | Ready

Release Trust Form

Release package

Do not paste certificate passwords, private keys, PFX files, token PINs, Partner Center secrets, or signing credentials into dashboard fields.

Safe Command Sequence

Phase: 0. Local Trust Validation
Owner: Codex
Command: npm run release:trust && npm run test:signing-distribution
Purpose: Refresh the signing/distribution plan, no-go rules, dashboard fields, and source-backed decision doc.
No-Go Rule: Do not proceed while the release trust plan or signing distribution check fails.

Phase: 3. Release Evidence
Owner: Codex
Command: npm run release:installer:rehearsal
Purpose: Build an internal installer rehearsal after channel=Direct download beta + Microsoft Store prep and signing=Microsoft Trusted Signing first are chosen.
No-Go Rule: Rehearsal artifacts are internal alpha evidence only until signed or store-trusted evidence exists.

Phase: 4. Signed Or Store Evidence
Owner: User + Codex
Command: Get-AuthenticodeSignature "<SIGNED_SETUP_EXE>" | Format-List Status,SignerCertificate,TimeStamperCertificate
Purpose: Verify the direct-download setup artifact shows a valid Windows signature after certificate signing is configured.
No-Go Rule: Use a placeholder path in docs. Never store certificate private keys, PFX passwords, token PINs, or timestamp credentials in repo files.

Phase: 5. Candidate Evidence Refresh
Owner: Codex
Command: npm run release:evidence && npm run release:candidate:preflight && npm run test:release-candidate-preflight
Purpose: Regenerate manifest, checksums, release-candidate verdict, and paid-beta/internal-alpha status from the trusted artifact.
No-Go Rule: Do not mark paid beta ready unless release-candidate preflight and deployability both clear P0 blockers.

Phase: 5. Candidate Evidence Refresh
Owner: Codex
Command: npm run test:release-package:evidence && npm run deployability:preflight && npm run intake:scan
Purpose: Verify release package evidence, money-readiness blocker state, and handoff routing after trust evidence changes.
No-Go Rule: Do not ship if deployability returns NO_GO_LIVE_MONEY or handoffs still require user/secret-store action.

Phase: 6. Dashboard Sync
Owner: Codex
Command: npm run release:trust:pack && npm run daily:brief
Purpose: Push the current release-trust evidence into the dashboard, daily brief, workbook, and agent queue.
No-Go Rule: The daily command brief remains the start-here source before agents decide the next build task.

Release Trust Actions

Phase: 4. Signed Or Store Evidence
Priority: P0
Owner: User + Codex
Status: User + Codex gated
Action: Paid beta installer is signed or store-trusted
What To Do: Produce signed direct-download installer evidence or store-trusted package/listing evidence before any paid beta customer receives the build.
Evidence: Save releasePackage.signingStatus and upload sanitized signature/store evidence to code-signing. Never upload private keys, PFX passwords, token PINs, or Partner Center secrets.
Page: pages/release-package.html
Field: releasePackage.signingStatus
Verify: npm run release:installer:rehearsal && npm run release:evidence && npm run release:candidate:preflight

Phase: 4. Signed Or Store Evidence
Priority: P0
Owner: User + Codex
Status: blocked
Action: Trusted installer evidence clears release candidate
What To Do: Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.
Evidence: Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.
Page: pages/release-package.html
Field: releasePackage.signingStatus
Verify: npm run release:trust:pack && npm run release:candidate:preflight

Decision Paths

Path: Direct signed installer
Dashboard Value: Direct download beta
Best For: Fastest controlled paid beta once a Windows code-signing certificate, timestamping, support, policies, and billing are ready.
Paid Beta Gate: Installer must verify as signed, release notes must name the support path, and checkout stays disabled until deployability has no P0 blockers.

Path: Microsoft Store or store-trusted channel
Dashboard Value: Microsoft Store
Best For: Higher customer trust and store-managed distribution when Partner Center, package identity, listing assets, screenshots, and review are ready.
Paid Beta Gate: Store account, first manual submission, package/listing assets, policy URLs, support path, and billing posture must match the shipping app.

Path: Both direct signed and Microsoft Store
Dashboard Value: Both
Best For: Direct beta speed plus later store trust if support capacity can handle two release channels.
Paid Beta Gate: Both channels must show the same version, policies, support path, checksums where applicable, and rollback plan.

Path: Hold unsigned internal alpha
Dashboard Value: Hold
Best For: Internal QA only when the product is still changing or business/support/legal/payment handoffs are not ready.
Paid Beta Gate: Cannot be used for paid public beta.

No-Go Rules

Certificate private keys, PFX passwords, token PINs, Partner Center client secrets, timestamp credentials, and signing passwords stay outside this repo and outside dashboard JSON/CSV/Markdown.

Agent Run Log

Each manual intake or scheduled cloud marker becomes a visible build handoff. Use this to confirm the dashboard was read and routed.

No intake runs loaded yet.

Release Trust Pack JSON

{
  "schemaVersion": 1,
  "generatedAt": "2026-06-17T22:59:02.462Z",
  "status": "RELEASE_TRUST_WAITING_ON_HANDOFFS",
  "label": "Release Trust Waiting On Handoffs",
  "releaseTrust": {
    "status": "SIGNED_OR_STORE_EVIDENCE_REQUIRED",
    "label": "Signed Or Store Evidence Required",
    "selectedReleaseChannel": "Direct download beta + Microsoft Store prep",
    "selectedCodeSigningDecision": "Microsoft Trusted Signing first",
    "certificateStatus": "Not provided",
    "storeDeveloperAccount": "Not provided",
    "signingEvidencePath": "",
    "installerStoragePath": ""
  },
  "currentBuild": {
    "artifactTarget": "nsis",
    "signingConfigured": false,
    "signingStatus": "Unsigned internal alpha evidence only",
    "signAndEditExecutable": false
  },
  "releaseCandidate": {
    "status": "INTERNAL_ALPHA_ONLY",
    "label": "Internal Alpha Only",
    "paidBetaAllowed": false,
    "readinessPercent": 41
  },
  "decisionPaths": [
    {
      "path": "Direct signed installer",
      "dashboardValue": "Direct download beta",
      "bestFor": "Fastest controlled paid beta once a Windows code-signing certificate, timestamping, support, policies, and billing are ready.",
      "userHandoff": "Choose legal publisher name, buy/verify code-signing certificate, keep private key or token out of the repo, and provide signing method through a secret store.",
      "codexAction": "Enable electron-builder signing, add signing verification evidence, package an installer, and publish checksum/install notes.",
      "paidBetaGate": "Installer must verify as signed, release notes must name the support path, and checkout stays disabled until deployability has no P0 blockers."
    },
    {
      "path": "Microsoft Store or store-trusted channel",
      "dashboardValue": "Microsoft Store",
      "bestFor": "Higher customer trust and store-managed distribution when Partner Center, package identity, listing assets, screenshots, and review are ready.",
      "userHandoff": "Create/confirm Partner Center account, reserve app name, complete identity/tax/profile requirements, and provide store package/listing decisions.",
      "codexAction": "Map Store package identity, listing checklist, screenshots, version metadata, policies, installer/package notes, and submission evidence.",
      "paidBetaGate": "Store account, first manual submission, package/listing assets, policy URLs, support path, and billing posture must match the shipping app."
    },
    {
      "path": "Both direct signed and Microsoft Store",
      "dashboardValue": "Both",
      "bestFor": "Direct beta speed plus later store trust if support capacity can handle two release channels.",
      "userHandoff": "Approve both distribution paths and keep one version/source-of-truth policy for support, rollback, and known issues.",
      "codexAction": "Track channel-specific install, update, rollback, support, and screenshot evidence in the command center.",
      "paidBetaGate": "Both channels must show the same version, policies, support path, checksums where applicable, and rollback plan."
    },
    {
      "path": "Hold unsigned internal alpha",
      "dashboardValue": "Hold",
      "bestFor": "Internal QA only when the product is still changing or business/support/legal/payment handoffs are not ready.",
      "userHandoff": "Acknowledge this is not a paid public release path.",
      "codexAction": "Keep generating clean-build evidence and block paid checkout/distribution.",
      "paidBetaGate": "Cannot be used for paid public beta."
    }
  ],
  "dashboardFields": [
    "decisions.releaseChannel",
    "decisions.codeSigningDecision",
    "appVersion.publisherName",
    "releaseTrust.certificateStatus",
    "releaseTrust.storeDeveloperAccount",
    "releaseTrust.signingEvidencePath",
    "releaseTrust.installerStoragePath"
  ],
  "actions": [
    {
      "id": "signed-release",
      "source": "deployability-blockers",
      "phase": "4. Signed Or Store Evidence",
      "priority": "P0",
      "owner": "User + Codex",
      "status": "User + Codex gated",
      "label": "Paid beta installer is signed or store-trusted",
      "detail": "signingStatus=Unsigned internal alpha evidence only",
      "action": "Produce signed direct-download installer evidence or store-trusted package/listing evidence before any paid beta customer receives the build.",
      "evidenceNeeded": "Save releasePackage.signingStatus and upload sanitized signature/store evidence to code-signing. Never upload private keys, PFX passwords, token PINs, or Partner Center secrets.",
      "dashboardPage": "pages/release-package.html",
      "dashboardField": "releasePackage.signingStatus",
      "uploadSlot": "code-signing",
      "verificationCommand": "npm run release:installer:rehearsal && npm run release:evidence && npm run release:candidate:preflight",
      "noGoRule": "No paid beta customer receives an unsigned direct-download installer or raw win-unpacked folder."
    },
    {
      "id": "candidate-trusted-installer",
      "source": "release-candidate-preflight",
      "phase": "4. Signed Or Store Evidence",
      "priority": "P0",
      "owner": "User + Codex",
      "status": "blocked",
      "label": "Trusted installer evidence clears release candidate",
      "detail": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
      "action": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
      "evidenceNeeded": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
      "dashboardPage": "pages/release-package.html",
      "dashboardField": "releasePackage.signingStatus",
      "uploadSlot": "code-signing",
      "verificationCommand": "npm run release:trust:pack && npm run release:candidate:preflight",
      "noGoRule": "Paid beta remains blocked until the release-candidate preflight shows the installer trust gate as pass."
    }
  ],
  "phases": [
    {
      "phase": "4. Signed Or Store Evidence",
      "actions": [
        {
          "id": "signed-release",
          "source": "deployability-blockers",
          "phase": "4. Signed Or Store Evidence",
          "priority": "P0",
          "owner": "User + Codex",
          "status": "User + Codex gated",
          "label": "Paid beta installer is signed or store-trusted",
          "detail": "signingStatus=Unsigned internal alpha evidence only",
          "action": "Produce signed direct-download installer evidence or store-trusted package/listing evidence before any paid beta customer receives the build.",
          "evidenceNeeded": "Save releasePackage.signingStatus and upload sanitized signature/store evidence to code-signing. Never upload private keys, PFX passwords, token PINs, or Partner Center secrets.",
          "dashboardPage": "pages/release-package.html",
          "dashboardField": "releasePackage.signingStatus",
          "uploadSlot": "code-signing",
          "verificationCommand": "npm run release:installer:rehearsal && npm run release:evidence && npm run release:candidate:preflight",
          "noGoRule": "No paid beta customer receives an unsigned direct-download installer or raw win-unpacked folder."
        },
        {
          "id": "candidate-trusted-installer",
          "source": "release-candidate-preflight",
          "phase": "4. Signed Or Store Evidence",
          "priority": "P0",
          "owner": "User + Codex",
          "status": "blocked",
          "label": "Trusted installer evidence clears release candidate",
          "detail": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
          "action": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
          "evidenceNeeded": "Choose the release trust path and produce signed or store-trusted installer evidence before paid beta.",
          "dashboardPage": "pages/release-package.html",
          "dashboardField": "releasePackage.signingStatus",
          "uploadSlot": "code-signing",
          "verificationCommand": "npm run release:trust:pack && npm run release:candidate:preflight",
          "noGoRule": "Paid beta remains blocked until the release-candidate preflight shows the installer trust gate as pass."
        }
      ]
    }
  ],
  "trustCommands": [
    {
      "id": "refresh-release-trust-plan",
      "phase": "0. Local Trust Validation",
      "owner": "Codex",
      "command": "npm run release:trust && npm run test:signing-distribution",
      "purpose": "Refresh the signing/distribution plan, no-go rules, dashboard fields, and source-backed decision doc.",
      "noGoRule": "Do not proceed while the release trust plan or signing distribution check fails."
    },
    {
      "id": "rehearse-installer",
      "phase": "3. Release Evidence",
      "owner": "Codex",
      "command": "npm run release:installer:rehearsal",
      "purpose": "Build an internal installer rehearsal after channel=Direct download beta + Microsoft Store prep and signing=Microsoft Trusted Signing first are chosen.",
      "noGoRule": "Rehearsal artifacts are internal alpha evidence only until signed or store-trusted evidence exists."
    },
    {
      "id": "verify-authenticode",
      "phase": "4. Signed Or Store Evidence",
      "owner": "User + Codex",
      "command": "Get-AuthenticodeSignature \"<SIGNED_SETUP_EXE>\" | Format-List Status,SignerCertificate,TimeStamperCertificate",
      "purpose": "Verify the direct-download setup artifact shows a valid Windows signature after certificate signing is configured.",
      "noGoRule": "Use a placeholder path in docs. Never store certificate private keys, PFX passwords, token PINs, or timestamp credentials in repo files."
    },
    {
      "id": "regenerate-release-evidence",
      "phase": "5. Candidate Evidence Refresh",
      "owner": "Codex",
      "command": "npm run release:evidence && npm run release:candidate:preflight && npm run test:release-candidate-preflight",
      "purpose": "Regenerate manifest, checksums, release-candidate verdict, and paid-beta/internal-alpha status from the trusted artifact.",
      "noGoRule": "Do not mark paid beta ready unless release-candidate preflight and deployability both clear P0 blockers."
    },
    {
      "id": "verify-release-package",
      "phase": "5. Candidate Evidence Refresh",
      "owner": "Codex",
      "command": "npm run test:release-package:evidence && npm run deployability:preflight && npm run intake:scan",
      "purpose": "Verify release package evidence, money-readiness blocker state, and handoff routing after trust evidence changes.",
      "noGoRule": "Do not ship if deployability returns NO_GO_LIVE_MONEY or handoffs still require user/secret-store action."
    },
    {
      "id": "refresh-release-trust-pack",
      "phase": "6. Dashboard Sync",
      "owner": "Codex",
      "command": "npm run release:trust:pack && npm run daily:brief",
      "purpose": "Push the current release-trust evidence into the dashboard, daily brief, workbook, and agent queue.",
      "noGoRule": "The daily command brief remains the start-here source before agents decide the next build task."
    }
  ],
  "noGoRules": [
    "No paid beta customers receive the raw win-unpacked folder.",
    "No paid public release ships with an unsigned direct-download installer.",
    "No signing secrets, certificate passwords, token PINs, or Partner Center client secrets are stored in the repo or dashboard JSON.",
    "No release is marked beta-ready until support, policy URLs, billing rehearsal, rollback, and installer trust evidence agree."
  ],
  "sourceLinks": [
    {
      "label": "Microsoft SignTool reference",
      "url": "https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool"
    },
    {
      "label": "Microsoft MSIX SignTool package signing",
      "url": "https://learn.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool"
    },
    {
      "label": "Microsoft package identity overview",
      "url": "https://learn.microsoft.com/en-us/windows/apps/desktop/modernize/package-identity-overview"
    },
    {
      "label": "Microsoft Store submission API for MSI/EXE",
      "url": "https://learn.microsoft.com/en-us/windows/apps/publish/store-submission-api"
    },
    {
      "label": "electron-builder Windows code signing",
      "url": "https://www.electron.build/docs/tutorials/code-signing-windows-apps-on-unix/"
    }
  ],
  "counts": {
    "totalActions": 2,
    "userActions": 2,
    "codexActions": 2,
    "blockedActions": 2,
    "p0Actions": 2,
    "trustCommands": 6,
    "noGoRules": 4
  },
  "outputs": {
    "json": "docs/launch_command_center/release-trust-pack.json",
    "csv": "docs/launch_command_center/release-trust-pack.csv",
    "report": "docs/launch_command_center/RELEASE_TRUST_PACK.md",
    "dashboard": "docs/launch_command_center/pages/release-trust-pack.html"
  }
}