Release v0.3.1

[0.3.1] - 2026-05-20

Version-alignment release. v0.2.3 successfully published
@bunlet/native, @bunlet/cef, @bunlet/core to npm and
bunlet-native, bunlet-cef-native to crates.io. The fourth npm
package, @bunlet/cli, refused with:

Cannot implicitly apply the "latest" tag because previously published
version 0.3.0 is higher than the new version 0.2.3.

@bunlet/cli@0.3.0 had been published 2026-05-15, before this
production-readiness work began — the version-bump script overwrote
that in source to keep all package versions in sync, but the npm
registry remembered. Bumping everything to 0.3.1 unblocks the CLI
publish and re-syncs all packages.

Changed

• All packages and crates synced at version 0.3.1, skipping past the
  legacy @bunlet/cli@0.3.0 so a single tag publishes the whole
  workspace atomically.

Release v0.2.3

[0.2.3] - 2026-05-20

Third republish for the v0.2 line. v0.2.2's npm install -g npm@latest
step hit a known npm self-upgrade bug on Node 22 (Cannot find module 'promise-retry') where the upgrade leaves the install in a broken
state.

Fixed

• release(npm): switch the publish job to Node 24 LTS (ships with
  npm 11.x natively) instead of running an in-place self-upgrade from
  npm 10 → latest. Added a guard step that fails loudly if npm major
  version is < 11.

Release v0.2.2

[0.2.2] - 2026-05-20

Second republish for the v0.2 line. v0.2.1's npm publish failed
because Node 22 ships npm 10.x, which can sign provenance via OIDC but
cannot exchange the OIDC token for an npm publish credential — npm OIDC
trusted publishing requires npm >= 11.5.1. Symptom in v0.2.1 was a
confusing 404 Not Found after a successful sigstore attestation.

Fixed

• release(npm): add an explicit npm install -g npm@latest step
  after actions/setup-node@v4 so the publish job uses npm 11.x
  regardless of the bundled Node LTS version.

Release v0.2.1

[0.2.1] - 2026-05-20

Republish release for v0.2.0. No code changes — only the release
workflow's publish steps had to be fixed:

Fixed

• release(cargo): add --no-verify to cargo publish for both
  bunlet-native and bunlet-cef-native. The default verify-build
  failed on Ubuntu without gtk/glib/webkit2gtk system deps. The
  build-native matrix already verifies on real targets, so the
  redundant Linux-only verify build was the only thing blocking
  publish.
• release(npm): switch from a long-lived NPM_TOKEN secret to
  npm's OIDC trusted-publishing flow. Drops the Configure npm authentication step; npm publish --provenance exchanges the
  GitHub OIDC token for a scoped npm token automatically.
  Setup required: per-package "Trusted Publisher" config on
  npmjs.com pointing at github.com/dipankar/bunlet and
  .github/workflows/release.yml.

Release v0.2.0

[0.2.0] - 2026-05-20

The v1.0-blocker release. Closes the production-readiness gap list from
production-readiness-report.md and brings every cell in the verdict
matrix to ✓ (or ⚠ with documented rationale) across macOS, Linux, and
Windows in CI.

Added

• Window state sync. BrowserWindowState now tracks focused,
  minimized, maximized, fullscreen, and visible in addition to
  title / bounds. Native window events update the cache and
  user-driven maximize() / minimize() / show() / hide() /
  setFullScreen() update it optimistically. isFocused() /
  isMinimized() / etc. now read from the cache — fixes
  Missing native implementation: isWindowFocused on cross-backend
  paths.
• Linux screen API: cached primary display via OnceCell, primed at
  app-ready inside the GTK-safe window. Subsequent
  screen.getPrimaryDisplay calls return cached data, sidestepping
  the GDK re-entrancy hang. BrowserWindow.center() warns instead of
  throwing when the cache is cold.
• Menu.getApplicationMenu: returns the stored Menu via a static
  registry. No longer throws ERR_NOT_IMPLEMENTED.
• Menu.closePopup: best-effort no-op that delegates to
  native.closeContextMenu if exposed; safe to call regardless.
• Power-monitor thermal state: real per-OS readings — pmset -g therm on macOS, /sys/class/thermal/thermal_zone*/temp on Linux,
  MSAcpi_ThermalZoneTemperature via PowerShell WMI on Windows. Falls
  back to nominal on any read failure.
• Session spell-check: isSpellCheckerEnabled / setSpellCheckerEnabled
  are now session-local booleans (default on). Custom dictionaries are
  v1.1.
• macOS notarization: new notarizeDarwinApp() wraps
  xcrun notarytool submit --wait + xcrun stapler staple, reading
  credentials from NotarizeOptions or env vars (APPLE_ID,
  APPLE_TEAM_ID, APPLE_APP_SPECIFIC_PASSWORD) with a clean
  missing-credential error.
• Linux GPG signing: new signAppImage() wraps gpg --detach-sign --armor to produce .AppImage.sig sidecars.
• docs/packaging/signing.md: full guide for code-signing +
  notarization + GPG signing on all three platforms.
• Auto-updater integration test
  (packages/bunlet/src/auto-updater.integration.test.ts): spins up a
  local Bun.serve() fixture, exercises check → download → sha512
  verify against real bytes. Gated BUNLET_UPDATER_E2E=1.
• Native binding smoke test
  (packages/bunlet/src/native-binding.smoke.test.ts): the first test
  in the repo that loads the real Rust .node addon (no
  mock.module('./runtime')).