Add Windows GitLab packaging flow

.gitignore

@@ -21,6 +21,7 @@ docs/.claude/
 vendor/openclaw-runtime/runtime/
 vendor/openclaw-runtime/node/
 vendor/openclaw-runtime/openclaw/
+vendor/openclaw-runtime/playwright-browsers/
 vendor/openclaw-runtime/config/openclaw.json
 vendor/openclaw-runtime/runtime-manifest.json
 vendor/openclaw-runtime/python/

.gitlab-ci.yml

+stages:
+  - validate
+  - package
+
+variables:
+  COREPACK_HOME: "$CI_PROJECT_DIR\\.corepack"
+  PNPM_STORE_DIR: "$CI_PROJECT_DIR\\.pnpm-store"
+  GIT_STRATEGY: fetch
+
+cache:
+  key:
+    files:
+      - pnpm-lock.yaml
+  paths:
+    - .corepack/
+    - .pnpm-store/
+
+default:
+  before_script:
+    - |
+      $ErrorActionPreference = 'Stop'
+      if ($env:OS -ne 'Windows_NT') {
+        throw 'This pipeline requires a Windows runner because the repo packages a Windows Electron/NSIS installer.'
+      }
+      Write-Host "Using COREPACK_HOME=$env:COREPACK_HOME"
+      Write-Host "Using PNPM_STORE_DIR=$env:PNPM_STORE_DIR"
+
+typecheck_windows:
+  stage: validate
+  script:
+    - node --version
+    - corepack --version
+    - corepack pnpm install --frozen-lockfile --store-dir "$env:PNPM_STORE_DIR"
+    - corepack pnpm typecheck
+
+package_windows_installer:
+  stage: package
+  when: manual
+  allow_failure: false
+  script:
+    - |
+      $ErrorActionPreference = 'Stop'
+      $requiredCommands = @('node', 'python')
+      foreach ($commandName in $requiredCommands) {
+        if (-not (Get-Command $commandName -ErrorAction SilentlyContinue)) {
+          throw "Required command '$commandName' is not available on this runner."
+        }
+      }
+
+      $openClawCommand = Get-Command openclaw.cmd -ErrorAction SilentlyContinue
+      if (-not $openClawCommand) {
+        $openClawCommand = Get-Command openclaw -ErrorAction SilentlyContinue
+      }
+      if (-not $openClawCommand) {
+        throw "Required command 'openclaw' is not available on this runner."
+      }
+
+      $configPath = Join-Path $env:USERPROFILE '.openclaw\openclaw.json'
+      if (-not (Test-Path $configPath)) {
+        throw "Bundled runtime packaging requires OpenClaw config at $configPath"
+      }
+
+      Write-Host "Using OpenClaw config: $configPath"
+      node --version
+      python --version
+      & $openClawCommand.Source --version
+    - corepack pnpm install --frozen-lockfile --store-dir "$env:PNPM_STORE_DIR"
+    - corepack pnpm package
+  artifacts:
+    when: always
+    expire_in: 7 days
+    paths:
+      - dist/installer/*-Setup-*.exe
+      - dist/installer/*-Setup-*.blockmap
+      - dist/installer/*.yml

README.md

@@ -11,16 +11,49 @@ Windows-first Electron desktop shell for a bundled OpenClaw runtime.
 - `packages/shared-types`: IPC contracts and shared DTOs
 - `vendor/openclaw-runtime`: pinned runtime payload placeholder
 
-## Notes
+## Local Development
 
-- This repo is scaffolded only. Dependencies are not installed yet.
-- The current runtime and gateway implementations are placeholders with the right boundaries, not full OpenClaw integration.
-- UI talks to Electron through preload only. Renderer does not touch secrets, runtime files, or child processes directly.
+- Install dependencies with `corepack pnpm install`
+- Start the renderer + desktop shell with `corepack pnpm dev`
+- Run workspace type checks with `corepack pnpm typecheck`
+
+## Packaging
+
+- Build a Windows installer with `corepack pnpm package`
+- The package flow first runs `build/scripts/materialize-runtime-payload.ps1`
+- That script materializes `vendor/openclaw-runtime/` from the local machine, including:
+  - bundled `node.exe`
+  - the local OpenClaw package entry
+  - a copied Python runtime plus locked Python dependencies
+  - Playwright Chromium under `vendor/openclaw-runtime/playwright-browsers/`
+- `apps/desktop/electron-builder.yml` then copies `vendor/openclaw-runtime/` into the installer as `resources/vendor/openclaw-runtime`
+
+## Runtime Payload And Git
 
-## Next Steps
+- `vendor/openclaw-runtime/README.md` is tracked as the placeholder for the packaged runtime payload
+- Generated runtime payload directories are not source files and should not be committed
+- `.gitignore` excludes generated runtime content such as:
+  - `vendor/openclaw-runtime/node/`
+  - `vendor/openclaw-runtime/openclaw/`
+  - `vendor/openclaw-runtime/python/`
+  - `vendor/openclaw-runtime/playwright-browsers/`
+  - `vendor/openclaw-runtime/runtime-manifest.json`
+  - `vendor/openclaw-runtime/config/openclaw.json`
+- The Playwright browser binaries are still required in the final installer; they are produced during `materialize:runtime`, not meant to live in Git history
 
-1. Run `pnpm install`
-2. Put the pinned OpenClaw runtime payload under `vendor/openclaw-runtime`
-3. Replace placeholder runtime start/stop logic with real child process management
-4. Replace placeholder secret manager with `keytar`
-5. Replace mocked gateway client calls with the actual WebSocket protocol
+## GitLab CI
+
+- The repo now includes a root `.gitlab-ci.yml` for Windows runners
+- `typecheck_windows` installs dependencies and runs `corepack pnpm typecheck`
+- `package_windows_installer` is a manual job that runs `corepack pnpm package`
+- The packaging job validates the same prerequisites that `materialize-runtime-payload.ps1` needs on a real machine:
+  - `node`
+  - `python`
+  - `openclaw` or `openclaw.cmd`
+  - `%USERPROFILE%\.openclaw\openclaw.json`
+- The packaging job publishes the generated installer from `dist/installer/`
+
+## Notes
+
+- UI talks to Electron through preload only. Renderer does not touch secrets, runtime files, or child processes directly.
+- Installer smoke scripts exist under `build/scripts/`, but they launch a packaged Electron app and are better suited to a desktop-capable Windows machine than a generic CI runner service.