* chore(security): add gitleaks config allowlisting vendored/test fixtures
Suppress false positives so `gitleaks detect` is clean:
- third_party/* (cargokit ships a public binary-verification key)
- workspace_management_unit_test.dart (obfuscated "token" fixture)
- gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair)
Real leaked secrets are purged from history, not allowlisted.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* chore(security): remove historical secret fixtures
* chore(release): bump build metadata for 1.1.5+2
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): add TestFlight release matrix
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
* ci(release): add TestFlight release matrix
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): load Vault secrets per-platform in build matrix
The build matrix loaded all 17 signing secrets in one shared block for
every platform. vault-action's ignoreNotFound only suppresses path-level
404s, not field-level "No match data" errors, so a single missing field
(e.g. APPLE_MAC_PROVISION_PROFILE_BASE64) failed every leg — including
linux/windows/android that need no Apple secrets.
Split the load into per-OS-family steps gated by matrix.platform:
- Apple (macos/ios): Apple cert + provisioning + keychain + export method
- Windows: WINDOWS_PFX_* + codesign subject
- Android: ANDROID_KEYSTORE_* + key alias/password
Linux requests nothing.
Also drop APP_STORE_CONNECT_* from the build matrix: only
testflight_upload.sh consumes them and it runs in the release job, which
loads them itself. The build matrix no longer depends on them.
Add shell: bash to the Export step (its `{ … } >> $GITHUB_ENV` brace
syntax is bash-only and would fail under the default pwsh on windows).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
Headless Linux runners have no display, so 'flutter test integration_test'
fails to launch the GTK app ('The log reader stopped unexpectedly, or never
started'). Wrap integration/patrol layers in xvfb-run with a 24-bit screen
and install xvfb + mesa DRI driver for headless GL. macOS/local runs are
unaffected (no xvfb-run -> command runs directly).
Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The Flutter verification lane runs on Ubuntu 22.04 without ripgrep
installed, so the FFI integration guard silently fell through and
printed 'No app-side Codex FFI integration artifacts found' on every
run. Replace rg with the POSIX grep -RInE that ships with the runner,
keep the same excludes (check-no-app-ffi.sh, Pods, ephemeral, build,
.dart_tool) and emit the actual offending matches so the gate fails
loudly when a forbidden reference reappears.
The release preflight used to set should_build_platform=false whenever any
Apple signing secret was unset, which silently skipped the entire macos dmg
and ios ipa lanes (build + upload gated on that flag). Result: releases only
shipped linux, windows and android artifacts even when the iOS/macOS lanes
were otherwise healthy.
Make the preflight always release the lane, but emit a :⚠️: and
annotate the skip_reason when a secret is missing. The iOS branch in
build_matrix_artifacts.sh now picks the signed vs unsigned build path based
on actual secret availability instead of should_release alone, so it falls
back to flutter build ios --no-codesign + zip Runner.app whenever a secret
is absent. package-flutter-mac-app.sh already handled the no-secret case
locally (ad-hoc codesign --sign -) and needs no change.
Behavior matrix:
macos: secret present -> signed DMG; secret missing -> unsigned DMG
ios: secret present + release -> signed IPA
secret present + non-release -> unsigned zip
secret missing (any) -> unsigned zip
- Add delay and explicit existence check for mounted volume before styling
- Implement resilient .app selector in AppleScript to handle naming mismatches
- Gracefully skip styling if volume is not visible to Finder
- Implement 'inside-out' signing strategy in package-flutter-mac-app.sh to fix nested code validity errors
- Fix install_name of embedded FFI library to use @rpath for portability
- Remove manual 'cargo build' triggers from Makefile and integration scripts (externalize management)
- Clean up unused types and structs in Rust source (lib.rs and types.rs)
- Update architecture docs to reflect AcpBridgeServerModeConfig priority logic
- Include target/release/libcodex_ffi.dylib in FFI framework search paths
- Embed libcodex_ffi.dylib directly into the macOS app bundle during packaging
- Embed xworkmate-go-core for non-App-Store local builds
- Ad-hoc re-sign the app bundle after modifying its contents
- Fix DMG path resolution in the installation script to handle filenames with spaces
- Consolidate settings, tasks, and audit storage into SettingsStore and SecretStore
- Implement PersistentWriteFailure for detailed error reporting across storage scopes
- Migrate secret retrieval to rely primarily on reference-based lookups
- Add ThemeMode persistence and AccountSyncState serialization
- Modernize SecureConfigStore with clear path resolution and support for UI state
- Streamline Rust build process by migrating from custom scripts to Makefile
- Remove redundant build_rust_ffi.sh and update integration scripts
