* fix(macos): workaround App Store Connect dSYM validation bug for App.framework
* test: mock device and package plugins and increase timeout
- Increase sync loop timeout in thread workspace binding test to avoid flakiness
- Mock device_info and package_info plugins for gateway runtime tests
- Update pubspec.yaml version
* test: fix missing plugin in runtime_controllers_settings_account_test
* build: make sync-version.sh auto-increment build number
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci: gate TestFlight behind opt-in toggle + Xcode 27 build fixes
TestFlight is now opt-in (default OFF). A workflow_dispatch boolean
`enable_testflight` (or the `ENABLE_TESTFLIGHT` repo variable) drives a
`prepare.outputs.testflight_enabled` flag that gates the macOS
app-store-pkg build leg and both testflight_ios/testflight_macos upload
legs. Missing Apple signing secrets no longer fail the normal DMG/IPA
release path (package-macos-app-store-pkg.sh hard-exits without them).
Xcode 27 build compatibility:
- Align Apple deployment targets so no pod sits below the app minimum
(Xcode 27 rejects this): macOS pods + RunnerTests -> 15.6, iOS pods
-> 15.5 to match the Runner targets.
- Add a `lipo` shim (scripts/xcode-tools/lipo) wired onto PATH in the
iOS/macOS build phases; Xcode 27 only accepts one `-verify_arch`
architecture per call while Flutter passes them all at once.
- macOS project hygiene: correct PrivacyInfo.xcprivacy path, set app
display name + LSApplicationCategoryType.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* test: make temp-dir cleanup resilient to concurrent-write races
The assistant execution target tests deleted their temp HOME/workspace
dirs with a raw recursive delete in addTearDown. A background flush
(e.g. controller dispose still persisting state) can keep writing into
the dir while the delete walks it, so the delete races and fails with
"Directory not empty" (errno 39), failing the test on CI.
Route all unguarded teardown deletes through the existing
_resilientDelete helper (re-check existence + retry), and harden that
helper so its final fallback never re-throws — a temp-dir cleanup
failure must never fail a test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* chore(security): add gitleaks config allowlisting vendored/test fixtures
Suppress false positives so `gitleaks detect` is clean:
- third_party/* (cargokit ships a public binary-verification key)
- workspace_management_unit_test.dart (obfuscated "token" fixture)
- gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair)
Real leaked secrets are purged from history, not allowlisted.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
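A `.gitleaks.toml` of the shape this commit describes, added here as an illustration and not the project's actual config. The three locations are the ones the commit names; the directory prefixes for the Dart and Go fixtures, the title and the `[extend]` block are assumptions:

```toml
# Added example, not the repository's own .gitleaks.toml.
# Allowlists the three fixture locations from the commit by path, keeping
# gitleaks' built-in ruleset. Directory prefixes for the Dart/Go files are assumed.
title = "xworkmate gitleaks config"

[extend]
# Keep the default rules; only the allowlist below is customised.
useDefault = true

[allowlist]
description = "Vendored public keys and test-only fixtures (never real secrets)"
# Go regexes matched against the repo-relative path. Anchor them to the
# specific fixture files so the allowlist cannot swallow a real leak nearby.
paths = [
  '''^third_party/''',                          # cargokit public binary-verification key
  '''workspace_management_unit_test\.dart$''',  # obfuscated "token" fixture
  '''gatewayruntime/runtime_test\.go$''',       # hardcoded "device-1" test key pair
]
```

Check the result with `gitleaks detect --source . --config .gitleaks.toml --verbose`. A path allowlist silences every rule for a matching file, so keep the regexes pointed at the fixture files rather than whole test directories, and handle anything that is a genuine credential the way the commit does: purge it from history, do not allowlist it.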
* chore(security): remove historical secret fixtures
* chore(release): bump build metadata for 1.1.5+2
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): add TestFlight release matrix
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
* ci(release): add TestFlight release matrix
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): load Vault secrets per-platform in build matrix
The build matrix loaded all 17 signing secrets in one shared block for
every platform. vault-action's ignoreNotFound only suppresses path-level
404s, not field-level "No match data" errors, so a single missing field
(e.g. APPLE_MAC_PROVISION_PROFILE_BASE64) failed every leg — including
linux/windows/android that need no Apple secrets.
Split the load into per-OS-family steps gated by matrix.platform:
- Apple (macos/ios): Apple cert + provisioning + keychain + export method
- Windows: WINDOWS_PFX_* + codesign subject
- Android: ANDROID_KEYSTORE_* + key alias/password
Linux requests nothing.
Also drop APP_STORE_CONNECT_* from the build matrix: only
testflight_upload.sh consumes them and it runs in the release job, which
loads them itself. The build matrix no longer depends on them.
Add shell: bash to the Export step (its `{ … } >> $GITHUB_ENV` brace
syntax is bash-only and would fail under the default pwsh on windows).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
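The per-OS-family loading this commit describes, written out as a GitHub Actions fragment. This is an added example, not the project's workflow: the Vault KV paths, the OIDC role names, the runner mapping and the expanded `WINDOWS_PFX_*` / `ANDROID_KEYSTORE_*` variable names are assumptions; the gating on `matrix.platform` and the `shell: bash` export step follow the commit.

```yaml
# Added example (not the project's own workflow): scope each Vault load to the
# OS family that needs it, so a field missing from the Apple path cannot fail
# the linux/windows/android legs. Paths, roles and expanded names are assumed.
jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - { platform: linux,   os: ubuntu-latest }
          - { platform: windows, os: windows-latest }
          - { platform: android, os: ubuntu-latest }
          - { platform: macos,   os: macos-latest }
          - { platform: ios,     os: macos-latest }
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      id-token: write        # required for vault-action's jwt (GitHub OIDC) login
    steps:
      - uses: actions/checkout@v4

      # Apple family only. No ignoreNotFound: a missing field should fail this
      # leg loudly instead of silently producing an unsigned artifact.
      - name: Load Apple signing secrets
        if: matrix.platform == 'macos' || matrix.platform == 'ios'
        uses: hashicorp/vault-action@v3
        with:
          url: ${{ vars.VAULT_ADDR }}
          method: jwt
          role: release-apple          # assumed role name
          secrets: |
            secret/data/ci/apple cert_base64 | APPLE_CERT_BASE64 ;
            secret/data/ci/apple cert_password | APPLE_CERT_PASSWORD ;
            secret/data/ci/apple mac_provision_profile | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
            secret/data/ci/apple keychain_password | APPLE_KEYCHAIN_PASSWORD ;
            secret/data/ci/apple export_method | APPLE_EXPORT_METHOD ;

      - name: Load Windows signing secrets
        if: matrix.platform == 'windows'
        uses: hashicorp/vault-action@v3
        with:
          url: ${{ vars.VAULT_ADDR }}
          method: jwt
          role: release-windows        # assumed role name
          secrets: |
            secret/data/ci/windows pfx_base64 | WINDOWS_PFX_BASE64 ;
            secret/data/ci/windows pfx_password | WINDOWS_PFX_PASSWORD ;
            secret/data/ci/windows codesign_subject | WINDOWS_CODESIGN_SUBJECT ;

      - name: Load Android signing secrets
        if: matrix.platform == 'android'
        uses: hashicorp/vault-action@v3
        with:
          url: ${{ vars.VAULT_ADDR }}
          method: jwt
          role: release-android        # assumed role name
          secrets: |
            secret/data/ci/android keystore_base64 | ANDROID_KEYSTORE_BASE64 ;
            secret/data/ci/android keystore_password | ANDROID_KEYSTORE_PASSWORD ;
            secret/data/ci/android key_alias | ANDROID_KEY_ALIAS ;
            secret/data/ci/android key_password | ANDROID_KEY_PASSWORD ;

      # Linux requests nothing: no step, no Vault role, nothing to leak.

      # The brace-group redirection is bash syntax; pin the shell so the
      # windows leg (default pwsh) does not fail on it.
      - name: Export build flags
        shell: bash
        run: |
          {
            echo "PLATFORM=${{ matrix.platform }}"
            echo "HAS_APPLE_SECRETS=${APPLE_CERT_BASE64:+true}"
          } >> "$GITHUB_ENV"
```

Two things to keep when adapting this: use one Vault role per family so the role the Apple legs assume cannot read the Windows or Android keys, and do not lean on `ignoreNotFound` to paper over a missing field, since (as the commit notes) it only suppresses path-level 404s; the `if:` gate is what keeps the other legs independent.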
Headless Linux runners have no display, so 'flutter test integration_test'
fails to launch the GTK app ('The log reader stopped unexpectedly, or never
started'). Wrap integration/patrol layers in xvfb-run with a 24-bit screen
and install xvfb + mesa DRI driver for headless GL. macOS/local runs are
unaffected (no xvfb-run -> command runs directly).
Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The Flutter verification lane runs on Ubuntu 22.04 without ripgrep
installed, so the FFI integration guard silently fell through and
printed 'No app-side Codex FFI integration artifacts found' on every
run. Replace rg with the POSIX grep -RInE that ships with the runner,
keep the same excludes (check-no-app-ffi.sh, Pods, ephemeral, build,
.dart_tool) and emit the actual offending matches so the gate fails
loudly when a forbidden reference reappears.
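A guard of the kind this commit describes, as an added example rather than the project's `check-no-app-ffi.sh`: plain `grep -RInE` with the same excludes, printing every offending `file:line:text` and failing when any are found. The forbidden pattern (`codex_ffi|libcodex_ffi`) and the fixture tree are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's check-no-app-ffi.sh. Uses grep -RInE (no
# ripgrep dependency) and fails loudly with the actual matches on stderr.

# Assumed pattern for this example; the real guard's pattern is not on the page.
FORBIDDEN_PATTERN='codex_ffi|libcodex_ffi'

# check_no_app_ffi ROOT: prints offending file:line:text to stderr and returns 1
# if any forbidden reference exists under ROOT, 0 if the tree is clean.
# Excludes mirror the commit: the guard script itself, Pods, ephemeral, build, .dart_tool.
check_no_app_ffi() {
  root="$1"
  matches=$(grep -RInE \
      --exclude=check-no-app-ffi.sh \
      --exclude-dir=Pods --exclude-dir=ephemeral \
      --exclude-dir=build --exclude-dir=.dart_tool \
      -e "$FORBIDDEN_PATTERN" "$root" 2>/dev/null) || true
  if [ -n "$matches" ]; then
    printf 'Forbidden app-side FFI references found:\n%s\n' "$matches" >&2
    return 1
  fi
  echo "No app-side Codex FFI integration artifacts found"
  return 0
}

# make_fixture: builds a constructed tree with one real offender plus hits in
# excluded directories that must not count. Prints the tree's path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/lib" "$dir/build" "$dir/ios/Pods"
  echo 'import "package:app/ui.dart";' > "$dir/lib/clean.dart"
  echo 'final lib = DynamicLibrary.open("libcodex_ffi.dylib");' > "$dir/lib/offender.dart"
  echo 'libcodex_ffi' > "$dir/build/generated.txt"   # excluded dir, must be ignored
  echo 'codex_ffi' > "$dir/ios/Pods/x.txt"           # excluded dir, must be ignored
  echo "$dir"
}

# count_offenders ROOT: number of file:line matches the guard reports for ROOT.
count_offenders() {
  check_no_app_ffi "$1" 2>&1 >/dev/null | grep -c ':[0-9]*:' || true
}

# Stand-alone demonstration on the constructed tree.
fixture=$(make_fixture)
check_no_app_ffi "$fixture" || echo "guard failed as expected on the constructed tree"
```

Wire it into CI as a step that runs the function against the repo root and lets the non-zero exit propagate; because the matches are printed rather than swallowed, a reappearing forbidden reference shows exactly where it came back.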
The release preflight used to set should_build_platform=false whenever any
Apple signing secret was unset, which silently skipped the entire macos dmg
and ios ipa lanes (build + upload gated on that flag). Result: releases only
shipped linux, windows and android artifacts even when the iOS/macOS lanes
were otherwise healthy.
Make the preflight always release the lane, but emit a ⚠️ warning and
annotate the skip_reason when a secret is missing. The iOS branch in
build_matrix_artifacts.sh now picks the signed vs unsigned build path based
on actual secret availability instead of should_release alone, so it falls
back to flutter build ios --no-codesign + zip Runner.app whenever a secret
is absent. package-flutter-mac-app.sh already handled the no-secret case
locally (ad-hoc codesign --sign -) and needs no change.
Behavior matrix:
macos: secret present -> signed DMG; secret missing -> unsigned DMG
ios: secret present + release -> signed IPA
secret present + non-release -> unsigned zip
secret missing (any) -> unsigned zip
- Add delay and explicit existence check for mounted volume before styling
- Implement resilient .app selector in AppleScript to handle naming mismatches
- Gracefully skip styling if volume is not visible to Finder
- Implement 'inside-out' signing strategy in package-flutter-mac-app.sh to fix nested code validity errors
- Fix install_name of embedded FFI library to use @rpath for portability
- Remove manual 'cargo build' triggers from Makefile and integration scripts (externalize management)
- Clean up unused types and structs in Rust source (lib.rs and types.rs)
- Update architecture docs to reflect AcpBridgeServerModeConfig priority logic
- Include target/release/libcodex_ffi.dylib in FFI framework search paths
- Embed libcodex_ffi.dylib directly into the macOS app bundle during packaging
- Embed xworkmate-go-core for non-App-Store local builds
- Ad-hoc re-sign the app bundle after modifying its contents
- Fix DMG path resolution in the installation script to handle filenames with spaces
- Consolidate settings, tasks, and audit storage into SettingsStore and SecretStore
- Implement PersistentWriteFailure for detailed error reporting across storage scopes
- Migrate secret retrieval to rely primarily on reference-based lookups
- Add ThemeMode persistence and AccountSyncState serialization
- Modernize SecureConfigStore with clear path resolution and support for UI state
- Streamline Rust build process by migrating from custom scripts to Makefile
- Remove redundant build_rust_ffi.sh and update integration scripts