ci: remove unused remote_contract job from build-and-release workflow (#71)

The remote_contract job was effectively dead code — it only ran on
workflow_dispatch (excluded push and pull_request events) and was
configured with continue-on-error, so it never blocked releases.

Removing it simplifies the pipeline and eliminates the always()
workaround in the release job's if-condition.

Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>

.github/workflows/build-and-release.yml

@@ -30,6 +30,15 @@ on:
       - ".github/actions/setup-flutter-sdk/action.yml"
       - ".github/workflows/build-and-release.yml"
   workflow_dispatch:
+    inputs:
+      enable_testflight:
+        description: "Build & upload TestFlight (macOS/iOS App Store) artifacts"
+        type: boolean
+        default: false
+      enable_github_release:
+        description: "Upload assets to GitHub Release"
+        type: boolean
+        default: true
 
 permissions:
   contents: read
@@ -49,6 +58,8 @@ jobs:
       contents: write
     outputs:
       should_release: ${{ steps.flags.outputs.should_release }}
+      github_release_enabled: ${{ steps.flags.outputs.github_release_enabled }}
+      testflight_enabled: ${{ steps.flags.outputs.testflight_enabled }}
       release_tag: ${{ steps.meta.outputs.release_tag }}
       release_title: ${{ steps.meta.outputs.release_title }}
       release_notes: ${{ steps.meta.outputs.release_notes }}
@@ -61,6 +72,10 @@ jobs:
       - name: Determine release mode
         id: flags
         shell: bash
+        env:
+          ENABLE_GITHUB_RELEASE_INPUT: ${{ github.event.inputs.enable_github_release }}
+          ENABLE_TESTFLIGHT_INPUT: ${{ github.event.inputs.enable_testflight }}
+          ENABLE_TESTFLIGHT_VAR: ${{ vars.ENABLE_TESTFLIGHT }}
         run: |
           if [[ "${GITHUB_REF:-}" == refs/tags/v* || "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" || "${GITHUB_REF:-}" == "refs/heads/main" ]]; then
             echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -68,6 +83,22 @@ jobs:
             echo "should_release=false" >> "$GITHUB_OUTPUT"
           fi
 
+          if [[ "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" && "${ENABLE_GITHUB_RELEASE_INPUT:-}" == "false" ]]; then
+            echo "github_release_enabled=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "github_release_enabled=true" >> "$GITHUB_OUTPUT"
+          fi
+
+          # TestFlight is opt-in (default OFF). Enabled only when explicitly
+          # requested via the workflow_dispatch input or the ENABLE_TESTFLIGHT
+          # repo/org variable. Keeps missing Apple signing secrets from failing
+          # the normal DMG/IPA release path.
+          if [[ "${ENABLE_TESTFLIGHT_INPUT:-}" == "true" || "${ENABLE_TESTFLIGHT_VAR:-}" == "true" ]]; then
+            echo "testflight_enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "testflight_enabled=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Compute release metadata
         id: meta
         shell: bash
@@ -122,6 +153,18 @@ jobs:
             artifact_name: build-macos-arm64-dmg
             artifact_paths: |
               dist/macos/*.dmg
+          - platform: macos
+            arch: arm64
+            package: app-store-pkg
+            # Quoted so the `matrix.release_only != 'true'` guard compares
+            # string-to-string. A YAML boolean here coerces to a number in
+            # GitHub expressions (true -> 1, 'true' -> NaN), making the guard
+            # always true and building this release-only leg on every PR.
+            release_only: "true"
+            runs_on: macos-14
+            artifact_name: build-macos-arm64-pkg
+            artifact_paths: |
+              dist/macos-app-store/*.pkg
           - platform: ios
             arch: arm64
             package: ipa
@@ -148,9 +191,12 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v7
 
-      - name: Load Vault secrets
-        id: vault
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+      # Secrets are loaded per-platform so a missing/extra field for one OS
+      # family never fails the matrix legs of the others (vault-action's
+      # ignoreNotFound does NOT suppress field-level "No match data" errors).
+      - name: Load Vault secrets (Apple)
+        id: vault_apple
+        if: ${{ (matrix.platform == 'macos' || matrix.platform == 'ios') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
         uses: hashicorp/vault-action@v4
         with:
           url: ${{ env.VAULT_ADDR }}
@@ -160,35 +206,61 @@ jobs:
           ignoreNotFound: true
           secrets: |
             kv/data/github-actions/xworkmate-app XWORKMATE_SIGN_IDENTITY | XWORKMATE_SIGN_IDENTITY ;
-            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
-            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
-            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT ;
             kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
             kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
             kv/data/github-actions/xworkmate-app APPLE_PROVISION_PROFILE_BASE64 | APPLE_PROVISION_PROFILE_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
             kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
-            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD ;
+            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD
+
+      - name: Load Vault secrets (Windows)
+        id: vault_windows
+        if: ${{ matrix.platform == 'windows' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
+            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
+            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
+            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT
+
+      - name: Load Vault secrets (Android)
+        id: vault_android
+        if: ${{ matrix.platform == 'android' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
             kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_BASE64 | ANDROID_KEYSTORE_BASE64 ;
             kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_PASSWORD | ANDROID_KEYSTORE_PASSWORD ;
             kv/data/github-actions/xworkmate-app ANDROID_KEY_ALIAS | ANDROID_KEY_ALIAS ;
             kv/data/github-actions/xworkmate-app ANDROID_KEY_PASSWORD | ANDROID_KEY_PASSWORD
 
       - name: Export signing secrets
+        shell: bash
         run: |
           {
-            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault.outputs.XWORKMATE_SIGN_IDENTITY }}"
-            echo "WINDOWS_PFX_BASE64=${{ steps.vault.outputs.WINDOWS_PFX_BASE64 }}"
-            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault.outputs.WINDOWS_PFX_PASSWORD }}"
-            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault.outputs.WINDOWS_CODESIGN_SUBJECT }}"
-            echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
-            echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
-            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
-            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
-            echo "APPLE_EXPORT_METHOD=${{ steps.vault.outputs.APPLE_EXPORT_METHOD }}"
-            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault.outputs.ANDROID_KEYSTORE_BASE64 }}"
-            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault.outputs.ANDROID_KEYSTORE_PASSWORD }}"
-            echo "ANDROID_KEY_ALIAS=${{ steps.vault.outputs.ANDROID_KEY_ALIAS }}"
-            echo "ANDROID_KEY_PASSWORD=${{ steps.vault.outputs.ANDROID_KEY_PASSWORD }}"
+            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault_apple.outputs.XWORKMATE_SIGN_IDENTITY }}"
+            echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
+            echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
+            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
+            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
+            echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
+            echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
+            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault_windows.outputs.WINDOWS_PFX_PASSWORD }}"
+            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault_windows.outputs.WINDOWS_CODESIGN_SUBJECT }}"
+            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_BASE64 }}"
+            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_PASSWORD }}"
+            echo "ANDROID_KEY_ALIAS=${{ steps.vault_android.outputs.ANDROID_KEY_ALIAS }}"
+            echo "ANDROID_KEY_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEY_PASSWORD }}"
           } >> "$GITHUB_ENV"
 
       - name: Set up Flutter SDK
@@ -220,34 +292,50 @@ jobs:
           go-version: "1.24.1"
 
       - name: Build platform artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') && (matrix.package != 'app-store-pkg' || needs.prepare.outputs.testflight_enabled == 'true') }}
         shell: bash
-        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "$SHOULD_RELEASE"
+        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "${{ matrix.package }}" "$SHOULD_RELEASE"
 
       - name: Upload build artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') && (matrix.package != 'app-store-pkg' || needs.prepare.outputs.testflight_enabled == 'true') }}
         uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.artifact_name }}
           path: ${{ matrix.artifact_paths }}
           if-no-files-found: error
 
-  remote_contract:
-    name: Test - remote provider contract
-    runs-on: ubuntu-22.04
+
+  release:
+    if: ${{ needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: github_release
+            runs_on: ubuntu-22.04
+          - target: testflight_ios
+            runs_on: macos-14
+            artifact_name: build-ios-arm64-ipa
+            artifact_path: release-artifacts/build-ios-arm64-ipa
+            testflight_platform: ios
+          - target: testflight_macos
+            runs_on: macos-14
+            artifact_name: build-macos-arm64-pkg
+            artifact_path: release-artifacts/build-macos-arm64-pkg
+            testflight_platform: macos
+    runs-on: ${{ matrix.runs_on }}
+    permissions:
+      contents: write
     needs:
+      - prepare
       - build
-    # Test-stage quality gate: runs between build and release.
-    # continue-on-error keeps it skippable so a failure never blocks release.
-    continue-on-error: true
-    if: ${{ github.event_name != 'push' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
     steps:
       - name: Checkout source
         uses: actions/checkout@v7
 
-      - name: Load Vault secrets
+      - name: Load App Store Connect secrets
         id: vault
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
         uses: hashicorp/vault-action@v4
         with:
           url: ${{ env.VAULT_ADDR }}
@@ -256,40 +344,35 @@ jobs:
           jwtGithubAudience: vault
           ignoreNotFound: true
           secrets: |
-            kv/data/github-actions/xworkmate-app REVIEW_ACCOUNT_LOGIN_PASSWORD | REVIEW_ACCOUNT_LOGIN_PASSWORD
+            kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
+            kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
 
-      - name: Export remote contract secrets
-        run: echo "REVIEW_ACCOUNT_LOGIN_PASSWORD=${{ steps.vault.outputs.REVIEW_ACCOUNT_LOGIN_PASSWORD }}" >> "$GITHUB_ENV"
-
-      - name: Verify accounts to bridge provider contract
-        shell: bash
-        env:
-          REVIEW_ACCOUNT_BASE_URL: ${{ vars.REVIEW_ACCOUNT_BASE_URL }}
-          REVIEW_ACCOUNT_LOGIN_NAME: ${{ vars.REVIEW_ACCOUNT_LOGIN_NAME }}
-        run: bash ./scripts/ci/verify_remote_provider_contract.sh
-
-  release:
-    # always() so release waits for the remote_contract gate to finish but is
-    # never blocked by it being skipped (e.g. push events) or failing.
-    # build/prepare must still genuinely succeed.
-    if: ${{ always() && needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write
-    needs:
-      - prepare
-      - build
-      - remote_contract
-    steps:
-      - name: Checkout source
-        uses: actions/checkout@v7
+      - name: Export App Store Connect secrets
+        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
+        run: |
+          {
+            echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
+            echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
+            echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
+            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
+            echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
+            echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
+            echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
+          } >> "$GITHUB_ENV"
 
       - name: Download all artifacts
+        if: ${{ matrix.target == 'github_release' }}
         uses: actions/download-artifact@v8
         with:
           path: release-artifacts
 
       - name: Upload assets to GitHub Release
+        if: ${{ matrix.target == 'github_release' }}
         shell: bash
         run: bash ./scripts/ci/github_release_upload.sh release-artifacts
         env:
@@ -297,3 +380,15 @@ jobs:
           RELEASE_TAG: ${{ needs.prepare.outputs.release_tag }}
           RELEASE_TITLE: ${{ needs.prepare.outputs.release_title }}
           RELEASE_NOTES: ${{ needs.prepare.outputs.release_notes }}
+
+      - name: Download TestFlight artifact
+        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: ${{ matrix.artifact_path }}
+
+      - name: Upload to TestFlight
+        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
+        shell: bash
+        run: bash ./scripts/ci/testflight_upload.sh "${{ matrix.testflight_platform }}" "${{ matrix.artifact_path }}"

.gitleaks.toml

@@ -1,26 +0,0 @@
-# gitleaks config for xworkmate-app
-# Keeps all default rules, and allowlists known non-secret findings:
-#   - vendored third-party code (cargokit ships a *public* verification key)
-#   - unit-test fixtures (hardcoded "device-1" / "token" test vectors)
-# Real leaked credentials are NOT allowlisted here — they are purged from
-# history and rotated.
-
-title = "xworkmate-app gitleaks config"
-
-[extend]
-useDefault = true
-
-[allowlist]
-description = "Vendored third-party code and unit-test fixtures (no real secrets)"
-paths = [
-  # cargokit (super_native_extensions) ships a public binary-verification key
-  '''third_party/.*''',
-  # Dart unit-test fixtures: obfuscated "token" / fake TF password assertions
-  '''test/features/workspace_management/workspace_management_unit_test\.dart''',
-  # Go unit-test fixtures: hardcoded "device-1" identity key pair
-  '''go/go_core/internal/gatewayruntime/runtime_test\.go''',
-]
-regexes = [
-  # cargokit public key value, in case it is referenced outside third_party/
-  '''test-public-key-hex''',
-]

README.md

@@ -51,6 +51,12 @@ flutter build macos
 make build-macos
 ```
 
+For a one-line install from the latest GitHub release:
+
+```bash
+curl -sfL https://install.svc.plus/xworkmate-app | bash -
+```
+
 ## Downloads
 
 | Platform | Download |

ios/Podfile

@@ -39,6 +39,11 @@ post_install do |installer|
   installer.pods_project.targets.each do |target|
     flutter_additional_ios_build_settings(target)
 
+    target.build_configurations.each do |config|
+      # Xcode 27 rejects dependency targets below the app's iOS 15.5 minimum.
+      config.build_settings['IPHONEOS_DEPLOYMENT_TARGET'] = '15.5'
+    end
+
     next unless ['Pods-Runner', 'Pods-RunnerTests'].include?(target.name)
 
     target.build_configurations.each do |config|

ios/Podfile.lock

@@ -9,15 +9,13 @@ PODS:
     - WebRTC-SDK (= 125.6422.06)
   - integration_test (0.0.1):
     - Flutter
-  - irondash_engine_context (0.0.1):
-    - Flutter
   - package_info_plus (0.4.5):
     - Flutter
+  - pasteboard (0.0.1):
+    - Flutter
   - shared_preferences_foundation (0.0.1):
     - Flutter
     - FlutterMacOS
-  - super_native_extensions (0.0.1):
-    - Flutter
   - WebRTC-SDK (125.6422.06)
 
 DEPENDENCIES:
@@ -26,10 +24,9 @@ DEPENDENCIES:
   - Flutter (from `Flutter`)
   - flutter_webrtc (from `.symlinks/plugins/flutter_webrtc/ios`)
   - integration_test (from `.symlinks/plugins/integration_test/ios`)
-  - irondash_engine_context (from `.symlinks/plugins/irondash_engine_context/ios`)
   - package_info_plus (from `.symlinks/plugins/package_info_plus/ios`)
+  - pasteboard (from `.symlinks/plugins/pasteboard/ios`)
   - shared_preferences_foundation (from `.symlinks/plugins/shared_preferences_foundation/darwin`)
-  - super_native_extensions (from `.symlinks/plugins/super_native_extensions/ios`)
 
 SPEC REPOS:
   trunk:
@@ -46,14 +43,12 @@ EXTERNAL SOURCES:
     :path: ".symlinks/plugins/flutter_webrtc/ios"
   integration_test:
     :path: ".symlinks/plugins/integration_test/ios"
-  irondash_engine_context:
-    :path: ".symlinks/plugins/irondash_engine_context/ios"
   package_info_plus:
     :path: ".symlinks/plugins/package_info_plus/ios"
+  pasteboard:
+    :path: ".symlinks/plugins/pasteboard/ios"
   shared_preferences_foundation:
     :path: ".symlinks/plugins/shared_preferences_foundation/darwin"
-  super_native_extensions:
-    :path: ".symlinks/plugins/super_native_extensions/ios"
 
 SPEC CHECKSUMS:
   device_info_plus: 21fcca2080fbcd348be798aa36c3e5ed849eefbe
@@ -61,12 +56,11 @@ SPEC CHECKSUMS:
   Flutter: cabc95a1d2626b1b06e7179b784ebcf0c0cde467
   flutter_webrtc: 57f32415b8744e806f9c2a96ccdb60c6a627ba33
   integration_test: 4a889634ef21a45d28d50d622cf412dc6d9f586e
-  irondash_engine_context: 8e58ca8e0212ee9d1c7dc6a42121849986c88486
   package_info_plus: af8e2ca6888548050f16fa2f1938db7b5a5df499
+  pasteboard: 3913b69d3f2be214970a8ae94e7e87fe76e47e98
   shared_preferences_foundation: 7036424c3d8ec98dfe75ff1667cb0cd531ec82bb
-  super_native_extensions: b763c02dc3a8fd078389f410bf15149179020cb4
   WebRTC-SDK: 79942c006ea64f6fb48d7da8a4786dfc820bc1db
 
-PODFILE CHECKSUM: 5ab2a375a52a76f419425b2b219d2743259d6f1f
+PODFILE CHECKSUM: ca16f6ef66890e172b6528d5f0eb390e0410291e
 
 COCOAPODS: 1.16.2

ios/Runner.xcodeproj/project.pbxproj

@@ -291,7 +291,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" embed_and_thin";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\n/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" embed_and_thin";
 		};
 		9740EEB61CF901F6004384FC /* Run Script */ = {
 			isa = PBXShellScriptBuildPhase;
@@ -306,7 +306,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" build";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\n/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" build";
 		};
 		BA47ED2B244B5E2B99043424 /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;

lib/features/assistant/assistant_page_components.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_components_core.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_composer_bar.dart

@@ -9,7 +9,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_composer_clipboard.dart

@@ -10,7 +10,7 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
+import 'package:pasteboard/pasteboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';
@@ -82,88 +82,24 @@ class AssistantPasteIntent extends Intent {
 }
 
 Future<XFile?> readClipboardImageAsXFileInternal() async {
-  final clipboard = SystemClipboard.instance;
-  if (clipboard == null) {
+  // pasteboard normalizes clipboard images to PNG bytes across platforms.
+  Uint8List? bytes;
+  try {
+    bytes = await Pasteboard.image;
+  } catch (error, stackTrace) {
+    debugPrint('Error reading clipboard image: $error\n$stackTrace');
     return null;
   }
-  final reader = await clipboard.read();
-  return await readClipboardImageForFormatInternal(
-        reader,
-        format: Formats.png,
-        extension: 'png',
-        mimeType: 'image/png',
-      ) ??
-      await readClipboardImageForFormatInternal(
-        reader,
-        format: Formats.jpeg,
-        extension: 'jpg',
-        mimeType: 'image/jpeg',
-      ) ??
-      await readClipboardImageForFormatInternal(
-        reader,
-        format: Formats.gif,
-        extension: 'gif',
-        mimeType: 'image/gif',
-      ) ??
-      await readClipboardImageForFormatInternal(
-        reader,
-        format: Formats.webp,
-        extension: 'webp',
-        mimeType: 'image/webp',
-      );
-}
-
-Future<XFile?> readClipboardImageForFormatInternal(
-  ClipboardReader reader, {
-  required FileFormat format,
-  required String extension,
-  required String mimeType,
-}) async {
-  if (!reader.canProvide(format)) {
-    return null;
-  }
-  final bytes = await readClipboardFileBytesInternal(reader, format);
   if (bytes == null || bytes.isEmpty) {
     return null;
   }
   final temporaryDirectory =
       await resolveClipboardAttachmentTempDirectoryInternal();
   final fileName =
-      'clipboard-image-${DateTime.now().microsecondsSinceEpoch}.$extension';
+      'clipboard-image-${DateTime.now().microsecondsSinceEpoch}.png';
   final file = File('${temporaryDirectory.path}/$fileName');
   await file.writeAsBytes(bytes, flush: true);
-  return XFile(file.path, mimeType: mimeType, name: fileName);
-}
-
-Future<Uint8List?> readClipboardFileBytesInternal(
-  ClipboardReader reader,
-  FileFormat format,
-) {
-  final completer = Completer<Uint8List?>();
-  final progress = reader.getFile(
-    format,
-    (file) async {
-      try {
-        final bytes = await file.readAll();
-        if (!completer.isCompleted) {
-          completer.complete(bytes);
-        }
-      } catch (error, stackTrace) {
-        if (!completer.isCompleted) {
-          completer.completeError(error, stackTrace);
-        }
-      }
-    },
-    onError: (error) {
-      if (!completer.isCompleted) {
-        completer.completeError(error);
-      }
-    },
-  );
-  if (progress == null) {
-    return Future<Uint8List?>.value(null);
-  }
-  return completer.future;
+  return XFile(file.path, mimeType: 'image/png', name: fileName);
 }
 
 Future<Directory> resolveClipboardAttachmentTempDirectoryInternal() async {

lib/features/assistant/assistant_page_composer_skill_picker.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_composer_state_helpers.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_composer_support.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_main.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_message_widgets.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_state_actions.dart

@@ -8,7 +8,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_controller_desktop_thread_binding.dart';
 import '../../app/app_metadata.dart';

lib/features/assistant/assistant_page_state_closure.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_task_models.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

lib/features/assistant/assistant_page_tooltip_labels.dart

@@ -10,7 +10,6 @@ import 'package:flutter/services.dart';
 import 'package:flutter_markdown/flutter_markdown.dart';
 import 'package:markdown/markdown.dart' as md;
 import 'package:path_provider/path_provider.dart';
-import 'package:super_clipboard/super_clipboard.dart';
 import '../../app/app_controller.dart';
 import '../../app/app_metadata.dart';
 import '../../app/ui_feature_manifest.dart';

linux/flutter/generated_plugin_registrant.cc

@@ -8,8 +8,7 @@
 
 #include <file_selector_linux/file_selector_plugin.h>
 #include <flutter_webrtc/flutter_web_r_t_c_plugin.h>
-#include <irondash_engine_context/irondash_engine_context_plugin.h>
-#include <super_native_extensions/super_native_extensions_plugin.h>
+#include <pasteboard/pasteboard_plugin.h>
 
 void fl_register_plugins(FlPluginRegistry* registry) {
   g_autoptr(FlPluginRegistrar) file_selector_linux_registrar =
@@ -18,10 +17,7 @@ void fl_register_plugins(FlPluginRegistry* registry) {
   g_autoptr(FlPluginRegistrar) flutter_webrtc_registrar =
       fl_plugin_registry_get_registrar_for_plugin(registry, "FlutterWebRTCPlugin");
   flutter_web_r_t_c_plugin_register_with_registrar(flutter_webrtc_registrar);
-  g_autoptr(FlPluginRegistrar) irondash_engine_context_registrar =
-      fl_plugin_registry_get_registrar_for_plugin(registry, "IrondashEngineContextPlugin");
-  irondash_engine_context_plugin_register_with_registrar(irondash_engine_context_registrar);
-  g_autoptr(FlPluginRegistrar) super_native_extensions_registrar =
-      fl_plugin_registry_get_registrar_for_plugin(registry, "SuperNativeExtensionsPlugin");
-  super_native_extensions_plugin_register_with_registrar(super_native_extensions_registrar);
+  g_autoptr(FlPluginRegistrar) pasteboard_registrar =
+      fl_plugin_registry_get_registrar_for_plugin(registry, "PasteboardPlugin");
+  pasteboard_plugin_register_with_registrar(pasteboard_registrar);
 }

linux/flutter/generated_plugins.cmake

@@ -5,8 +5,7 @@
 list(APPEND FLUTTER_PLUGIN_LIST
   file_selector_linux
   flutter_webrtc
-  irondash_engine_context
-  super_native_extensions
+  pasteboard
 )
 
 list(APPEND FLUTTER_FFI_PLUGIN_LIST

macos/Flutter/GeneratedPluginRegistrant.swift

@@ -8,17 +8,15 @@ import Foundation
 import device_info_plus
 import file_selector_macos
 import flutter_webrtc
-import irondash_engine_context
 import package_info_plus
+import pasteboard
 import shared_preferences_foundation
-import super_native_extensions
 
 func RegisterGeneratedPlugins(registry: FlutterPluginRegistry) {
   DeviceInfoPlusMacosPlugin.register(with: registry.registrar(forPlugin: "DeviceInfoPlusMacosPlugin"))
   FileSelectorPlugin.register(with: registry.registrar(forPlugin: "FileSelectorPlugin"))
   FlutterWebRTCPlugin.register(with: registry.registrar(forPlugin: "FlutterWebRTCPlugin"))
-  IrondashEngineContextPlugin.register(with: registry.registrar(forPlugin: "IrondashEngineContextPlugin"))
   FPPPackageInfoPlusPlugin.register(with: registry.registrar(forPlugin: "FPPPackageInfoPlusPlugin"))
+  PasteboardPlugin.register(with: registry.registrar(forPlugin: "PasteboardPlugin"))
   SharedPreferencesPlugin.register(with: registry.registrar(forPlugin: "SharedPreferencesPlugin"))
-  SuperNativeExtensionsPlugin.register(with: registry.registrar(forPlugin: "SuperNativeExtensionsPlugin"))
 }

macos/Podfile

@@ -1,4 +1,4 @@
-platform :osx, '14.0'
+platform :osx, '15.6'
 
 # CocoaPods analytics sends network stats synchronously affecting flutter build latency.
 ENV['COCOAPODS_DISABLE_STATS'] = 'true'
@@ -97,7 +97,8 @@ post_install do |installer|
   installer.pods_project.targets.each do |target|
     flutter_additional_macos_build_settings(target)
     target.build_configurations.each do |config|
-      config.build_settings['MACOSX_DEPLOYMENT_TARGET'] = '14.0'
+      # Xcode 27 rejects dependency targets below the app's 15.6 minimum.
+      config.build_settings['MACOSX_DEPLOYMENT_TARGET'] = '15.6'
 
       next unless ['Pods-Runner', 'Pods-RunnerTests', 'WebRTC-SDK', 'flutter_webrtc'].include?(target.name)
 

macos/Podfile.lock

@@ -7,15 +7,13 @@ PODS:
     - FlutterMacOS
     - WebRTC-SDK (= 125.6422.06)
   - FlutterMacOS (1.0.0)
-  - irondash_engine_context (0.0.1):
-    - FlutterMacOS
   - package_info_plus (0.0.1):
     - FlutterMacOS
+  - pasteboard (0.0.1):
+    - FlutterMacOS
   - shared_preferences_foundation (0.0.1):
     - Flutter
     - FlutterMacOS
-  - super_native_extensions (0.0.1):
-    - FlutterMacOS
   - WebRTC-SDK (125.6422.06)
 
 DEPENDENCIES:
@@ -23,10 +21,9 @@ DEPENDENCIES:
   - file_selector_macos (from `Flutter/ephemeral/.symlinks/plugins/file_selector_macos/macos`)
   - flutter_webrtc (from `Flutter/ephemeral/.symlinks/plugins/flutter_webrtc/macos`)
   - FlutterMacOS (from `Flutter/ephemeral`)
-  - irondash_engine_context (from `Flutter/ephemeral/.symlinks/plugins/irondash_engine_context/macos`)
   - package_info_plus (from `Flutter/ephemeral/.symlinks/plugins/package_info_plus/macos`)
+  - pasteboard (from `Flutter/ephemeral/.symlinks/plugins/pasteboard/macos`)
   - shared_preferences_foundation (from `Flutter/ephemeral/.symlinks/plugins/shared_preferences_foundation/darwin`)
-  - super_native_extensions (from `Flutter/ephemeral/.symlinks/plugins/super_native_extensions/macos`)
 
 SPEC REPOS:
   trunk:
@@ -41,26 +38,23 @@ EXTERNAL SOURCES:
     :path: Flutter/ephemeral/.symlinks/plugins/flutter_webrtc/macos
   FlutterMacOS:
     :path: Flutter/ephemeral
-  irondash_engine_context:
-    :path: Flutter/ephemeral/.symlinks/plugins/irondash_engine_context/macos
   package_info_plus:
     :path: Flutter/ephemeral/.symlinks/plugins/package_info_plus/macos
+  pasteboard:
+    :path: Flutter/ephemeral/.symlinks/plugins/pasteboard/macos
   shared_preferences_foundation:
     :path: Flutter/ephemeral/.symlinks/plugins/shared_preferences_foundation/darwin
-  super_native_extensions:
-    :path: Flutter/ephemeral/.symlinks/plugins/super_native_extensions/macos
 
 SPEC CHECKSUMS:
   device_info_plus: 4fb280989f669696856f8b129e4a5e3cd6c48f76
   file_selector_macos: 9e9e068e90ebee155097d00e89ae91edb2374db7
   flutter_webrtc: 377dbcebdde6fed0fc40de87bcaaa2bffcec9a88
   FlutterMacOS: d0db08ddef1a9af05a5ec4b724367152bb0500b1
-  irondash_engine_context: 893c7d96d20ce361d7e996f39d360c4c2f9869ba
   package_info_plus: f0052d280d17aa382b932f399edf32507174e870
+  pasteboard: b594eaf838d930b276d7a35a44a32b4f489170cb
   shared_preferences_foundation: 7036424c3d8ec98dfe75ff1667cb0cd531ec82bb
-  super_native_extensions: c2795d6d9aedf4a79fae25cb6160b71b50549189
   WebRTC-SDK: 79942c006ea64f6fb48d7da8a4786dfc820bc1db
 
-PODFILE CHECKSUM: 1eb7d5d1472c632b8f775dd34562291c20ae818a
+PODFILE CHECKSUM: 7804cba3ecbc9953edc70dee53b2ce2b4aeaa013
 
 COCOAPODS: 1.16.2

macos/Runner.xcodeproj/project.pbxproj

@@ -371,7 +371,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "echo \"$PRODUCT_NAME.app\" > \"$PROJECT_DIR\"/Flutter/ephemeral/.app_filename && \"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh embed\n";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\necho \"$PRODUCT_NAME.app\" > \"$PROJECT_DIR\"/Flutter/ephemeral/.app_filename && \"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh embed\n";
 		};
 		33CC111E2044C6BF0003C045 /* ShellScript */ = {
 			isa = PBXShellScriptBuildPhase;
@@ -392,7 +392,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "if [[ \"${WORKSPACE_DIR:-}\" == *.xcodeproj ]]; then\n  echo \"error: XWorkmate macOS builds with CocoaPods plugins must be launched from macos/Runner.xcworkspace, not Runner.xcodeproj.\" >&2\n  echo \"error: Close this project, open macos/Runner.xcworkspace in Xcode, and build the shared Runner scheme for My Mac.\" >&2\n  echo \"error: Pods targets appearing in the workspace are expected. Only configure signing on the Runner target.\" >&2\n  echo \"error: For release packaging, run 'flutter build macos' from the repository root.\" >&2\n  exit 1\nfi\n\"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh && touch Flutter/ephemeral/tripwire";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\nif [[ \"${WORKSPACE_DIR:-}\" == *.xcodeproj ]]; then\n  echo \"error: XWorkmate macOS builds with CocoaPods plugins must be launched from macos/Runner.xcworkspace, not Runner.xcodeproj.\" >&2\n  echo \"error: Close this project, open macos/Runner.xcworkspace in Xcode, and build the shared Runner scheme for My Mac.\" >&2\n  echo \"error: Pods targets appearing in the workspace are expected. Only configure signing on the Runner target.\" >&2\n  echo \"error: For release packaging, run 'flutter build macos' from the repository root.\" >&2\n  exit 1\nfi\n\"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh && touch Flutter/ephemeral/tripwire";
 		};
 		8E8C2A3EBAA3461603096C04 /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
@@ -511,7 +511,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@@ -539,7 +539,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@@ -567,7 +567,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@@ -661,11 +661,13 @@
 				ENABLE_RESOURCE_ACCESS_USB = NO;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
+				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",
@@ -823,11 +825,13 @@
 				ENABLE_RESOURCE_ACCESS_USB = NO;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
+				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",
@@ -863,11 +867,13 @@
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
+				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",

pubspec.lock

@@ -53,10 +53,10 @@ packages:
     dependency: transitive
     description:
       name: code_assets
-      sha256: "83ccdaa064c980b5596c35dd64a8d3ecc68620174ab9b90b6343b753aa721687"
+      sha256: bf394f466ba9205f1812a0433b392d6af280f155f56651eda7c18cc32ed493b8
       url: "https://pub.dev"
     source: hosted
-    version: "1.0.0"
+    version: "1.2.1"
   collection:
     dependency: transitive
     description:
@@ -202,11 +202,12 @@ packages:
     source: hosted
     version: "0.9.4"
   file_selector_macos:
-    dependency: "direct overridden"
+    dependency: transitive
     description:
-      path: "third_party/file_selector_macos"
-      relative: true
-    source: path
+      name: file_selector_macos
+      sha256: "5e0bbe9c312416f1787a68259ea1505b52f258c587f12920422671807c4d618a"
+      url: "https://pub.dev"
+    source: hosted
     version: "0.9.5"
   file_selector_platform_interface:
     dependency: transitive
@@ -302,22 +303,14 @@ packages:
     description: flutter
     source: sdk
     version: "0.0.0"
-  glob:
-    dependency: transitive
-    description:
-      name: glob
-      sha256: c3f1ee72c96f8f78935e18aa8cecced9ab132419e8625dc187e1c2408efc20de
-      url: "https://pub.dev"
-    source: hosted
-    version: "2.1.3"
   hooks:
     dependency: transitive
     description:
       name: hooks
-      sha256: e79ed1e8e1929bc6ecb6ec85f0cb519c887aa5b423705ded0d0f2d9226def388
+      sha256: "9a62a50b50b769a737bc0a8ff381f333529df3ab746b2f6b02e83760231455ba"
       url: "https://pub.dev"
     source: hosted
-    version: "1.0.2"
+    version: "2.0.2"
   html:
     dependency: transitive
     description:
@@ -355,22 +348,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "0.20.2"
-  irondash_engine_context:
-    dependency: transitive
-    description:
-      name: irondash_engine_context
-      sha256: "2bb0bc13dfda9f5aaef8dde06ecc5feb1379f5bb387d59716d799554f3f305d7"
-      url: "https://pub.dev"
-    source: hosted
-    version: "0.5.5"
-  irondash_message_channel:
-    dependency: transitive
-    description:
-      name: irondash_message_channel
-      sha256: b4101669776509c76133b8917ab8cfc704d3ad92a8c450b92934dd8884a2f060
-      url: "https://pub.dev"
-    source: hosted
-    version: "0.7.0"
   js:
     dependency: transitive
     description:
@@ -459,21 +436,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.17.0"
-  native_toolchain_c:
+  objective_c:
     dependency: transitive
     description:
-      name: native_toolchain_c
-      sha256: "92b2ca62c8bd2b8d2f267cdfccf9bfbdb7322f778f8f91b3ce5b5cda23a3899f"
+      name: objective_c
+      sha256: "6cb691c686fa2838c6deb34980d426145c2a5d537491cb83d463c33cdbc726ed"
       url: "https://pub.dev"
     source: hosted
-    version: "0.17.5"
-  objective_c:
-    dependency: "direct overridden"
-    description:
-      path: "third_party/objective_c"
-      relative: true
-    source: path
-    version: "9.3.0"
+    version: "9.4.1"
   package_info_plus:
     dependency: "direct main"
     description:
@@ -490,6 +460,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "3.2.1"
+  pasteboard:
+    dependency: "direct main"
+    description:
+      name: pasteboard
+      sha256: fedbe8da188d2f713aa8b01260737342e6e1087534a3ab26e1a719f8d3e8f32f
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.5.0"
   path:
     dependency: transitive
     description:
@@ -554,14 +532,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "0.6.0"
-  pixel_snap:
-    dependency: transitive
-    description:
-      name: pixel_snap
-      sha256: "677410ea37b07cd37ecb6d5e6c0d8d7615a7cf3bd92ba406fd1ac57e937d1fb0"
-      url: "https://pub.dev"
-    source: hosted
-    version: "0.1.5"
   platform:
     dependency: transitive
     description:
@@ -602,6 +572,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "2.2.0"
+  record_use:
+    dependency: transitive
+    description:
+      name: record_use
+      sha256: "2551bd8eecfe95d14ae75f6021ad0248be5c27f138c2ec12fcb52b500b3ba1ed"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.0"
   shared_preferences:
     dependency: "direct main"
     description:
@@ -695,21 +673,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.4.1"
-  super_clipboard:
-    dependency: "direct main"
-    description:
-      name: super_clipboard
-      sha256: e73f3bb7e66cc9260efa1dc507f979138e7e106c3521e2dda2d0311f6d728a16
-      url: "https://pub.dev"
-    source: hosted
-    version: "0.9.1"
-  super_native_extensions:
-    dependency: "direct overridden"
-    description:
-      path: "third_party/super_native_extensions"
-      relative: true
-    source: path
-    version: "0.9.1"
   sync_http:
     dependency: transitive
     description:

pubspec.yaml

@@ -2,9 +2,9 @@ name: xworkmate
 description: "XWorkmate desktop-first AI workspace shell."
 publish_to: 'none'
 
-version: 1.1.5+1
-build-date: 2026-06-28
-build-id: 4e02107
+version: 1.1.5+2
+build-date: 2026-06-30
+build-id: a876e3b0
 
 environment:
   sdk: ^3.11.0
@@ -27,7 +27,7 @@ dependencies:
   package_info_plus: ^8.3.1
   path_provider: ^2.1.5
   shared_preferences: ^2.5.3
-  super_clipboard: ^0.9.0
+  pasteboard: ^0.5.0
   web_socket_channel: ^3.0.3
   flutter_webrtc: ^0.12.3
   yaml: ^3.1.3
@@ -39,20 +39,6 @@ dev_dependencies:
     sdk: flutter
   flutter_lints: ^6.0.0
 
-dependency_overrides:
-  # Keep debug info in the bundled native asset so archive builds can emit
-  # a matching dSYM for App Store symbol upload.
-  objective_c:
-    path: third_party/objective_c
-  # Patch the macOS file selector plugin to avoid a deprecated API warning
-  # on current macOS toolchains while preserving older-OS behavior.
-  file_selector_macos:
-    path: third_party/file_selector_macos
-  # Use a local patch so Cargokit can recover from transient GitHub asset
-  # download failures during macOS packaging.
-  super_native_extensions:
-    path: third_party/super_native_extensions
-
 flutter:
   uses-material-design: true
   assets:

scripts/ci/build_matrix_artifacts.sh

@@ -6,7 +6,8 @@ cd "$repo_root"
 eval "$(python3 "$repo_root/scripts/ci/build_version.py" --format shell)"
 platform="${1:?platform is required}"
 arch="${2:?arch is required}"
-should_release="${3:-false}"
+package_kind="${3:-}"
+should_release="${4:-false}"
 
 flutter pub get
 
@@ -15,9 +16,22 @@ case "$platform" in
     bash ./scripts/package-linux.sh
     ;;
   macos)
-    bash ./scripts/package-flutter-mac-app.sh
-    mkdir -p dist/macos
-    find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
+    case "$package_kind" in
+      dmg)
+        bash ./scripts/package-flutter-mac-app.sh
+        mkdir -p dist/macos
+        find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
+        ;;
+      app-store-pkg)
+        bash ./scripts/package-macos-app-store-pkg.sh
+        mkdir -p dist/macos-app-store
+        find dist -maxdepth 1 -name '*.pkg' -exec mv {} dist/macos-app-store/ \;
+        ;;
+      *)
+        echo "Unsupported macOS package kind: $package_kind" >&2
+        exit 1
+        ;;
+    esac
     ;;
   windows)
     flutter build windows --release \

scripts/ci/testflight_upload.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+platform="${1:?platform is required}"
+artifact_root="${2:?artifact root is required}"
+
+required_vars=(
+  APP_STORE_CONNECT_API_KEY_ID
+  APP_STORE_CONNECT_ISSUER_ID
+  APP_STORE_CONNECT_API_KEY_P8_BASE64
+)
+
+missing=()
+for var_name in "${required_vars[@]}"; do
+  if [[ -z "${!var_name:-}" ]]; then
+    missing+=("$var_name")
+  fi
+done
+
+if [[ "${#missing[@]}" -gt 0 ]]; then
+  echo "Missing App Store Connect secrets: ${missing[*]}" >&2
+  exit 1
+fi
+
+if ! command -v xcrun >/dev/null 2>&1; then
+  echo "xcrun is required to upload TestFlight artifacts." >&2
+  exit 1
+fi
+
+apple_decode_base64() {
+  if base64 --help 2>&1 | grep -q -- '--decode'; then
+    base64 --decode
+  else
+    base64 -D
+  fi
+}
+
+tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-testflight.XXXXXX")"
+cleanup() {
+  rm -rf "$tmp_dir"
+}
+trap cleanup EXIT
+
+private_keys_dir="$tmp_dir/private_keys"
+mkdir -p "$private_keys_dir"
+
+p8_path="$private_keys_dir/AuthKey_${APP_STORE_CONNECT_API_KEY_ID}.p8"
+printf '%s' "$APP_STORE_CONNECT_API_KEY_P8_BASE64" | apple_decode_base64 > "$p8_path"
+
+case "$platform" in
+  ios)
+    artifact_file="$(find "$artifact_root" -type f -name '*.ipa' | head -n 1)"
+    ;;
+  macos)
+    artifact_file="$(find "$artifact_root" -type f -name '*.pkg' | head -n 1)"
+    ;;
+  *)
+    echo "Unsupported TestFlight platform: $platform" >&2
+    exit 1
+    ;;
+esac
+if [[ -z "$artifact_file" ]]; then
+  echo "No ipa/pkg artifact found under $artifact_root" >&2
+  exit 1
+fi
+
+export API_PRIVATE_KEYS_DIR="$private_keys_dir"
+
+if [[ "$platform" == "ios" ]]; then
+  xcrun altool \
+    --upload-app \
+    -f "$artifact_file" \
+    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
+    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
+    --show-progress
+else
+  xcrun altool \
+    --upload-package "$artifact_file" \
+    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
+    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
+    --show-progress
+fi

scripts/ensure-framework-dsyms.sh

@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Generate the dSYM that App Store validation expects for the vendored
-# objective_c native-asset framework after Xcode/CocoaPods embed it.
+# Generate dSYMs that App Store validation expects for embedded frameworks.
+# Some prebuilt dependencies, including WebRTC, do not ship a dSYM even though
+# their Mach-O binaries contain UUIDs that App Store Connect requires.
 if [[ "${CONFIGURATION:-}" != "Release" && "${CONFIGURATION:-}" != "Profile" ]]; then
   exit 0
 fi
@@ -22,6 +23,22 @@ fi
 
 mkdir -p "${DWARF_DSYM_FOLDER_PATH}"
 
+dsym_matches_binary() {
+  local binary_path="$1"
+  local dsym_path="$2"
+  local binary_uuids dsym_uuids uuid
+
+  [[ -d "${dsym_path}" ]] || return 1
+
+  binary_uuids="$(xcrun dwarfdump --uuid "${binary_path}" 2>/dev/null || true)"
+  dsym_uuids="$(xcrun dwarfdump --uuid "${dsym_path}" 2>/dev/null || true)"
+  [[ -n "${binary_uuids}" && -n "${dsym_uuids}" ]] || return 1
+
+  while read -r uuid; do
+    [[ -z "${uuid}" ]] || grep -Fq "${uuid}" <<<"${dsym_uuids}" || return 1
+  done < <(awk '/^UUID:/ { print $2 }' <<<"${binary_uuids}")
+}
+
 for framework_path in "${frameworks_dir}"/*.framework; do
   [[ -d "${framework_path}" ]] || continue
 
@@ -29,10 +46,8 @@ for framework_path in "${frameworks_dir}"/*.framework; do
   binary_path="${framework_path}/${framework_name}"
   [[ -f "${binary_path}" ]] || continue
 
-  [[ "${framework_name}" == "objective_c" ]] || continue
-
   dsym_path="${DWARF_DSYM_FOLDER_PATH}/${framework_name}.framework.dSYM"
-  if [[ -d "${dsym_path}" ]]; then
+  if dsym_matches_binary "${binary_path}" "${dsym_path}"; then
     continue
   fi
 
@@ -40,7 +55,8 @@ for framework_path in "${frameworks_dir}"/*.framework; do
     continue
   fi
 
-  echo "Generating missing dSYM for ${framework_name}.framework"
+  echo "Generating missing or mismatched dSYM for ${framework_name}.framework"
+  rm -rf "${dsym_path}"
   if ! xcrun dsymutil "${binary_path}" -o "${dsym_path}" >/dev/null 2>&1; then
     echo "warning: Failed to generate dSYM for ${framework_name}.framework" >&2
     rm -rf "${dsym_path}" || true

scripts/install-xworkmate-app.sh

@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO=${XWORKMATE_INSTALL_REPO:-"x-evor/xworkmate-app"}
+RELEASE_TAG=${XWORKMATE_INSTALL_RELEASE_TAG:-"latest"}
+GITHUB_API=${XWORKMATE_INSTALL_GITHUB_API:-"https://api.github.com"}
+TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/xworkmate-install.XXXXXX")"
+MOUNT_POINT=""
+
+cleanup() {
+  if [[ -n "$MOUNT_POINT" ]]; then
+    hdiutil detach "$MOUNT_POINT" -quiet >/dev/null 2>&1 || true
+  fi
+  rm -rf "$TMP_DIR"
+}
+trap cleanup EXIT
+
+info() { printf '[INFO] %s\n' "$*" >&2; }
+die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
+
+need() {
+  command -v "$1" >/dev/null 2>&1 || die "Missing required command: $1"
+}
+
+release_json_url() {
+  if [[ "$RELEASE_TAG" == "latest" ]]; then
+    printf '%s/repos/%s/releases/latest\n' "$GITHUB_API" "$REPO"
+  else
+    printf '%s/repos/%s/releases/tags/%s\n' "$GITHUB_API" "$REPO" "$RELEASE_TAG"
+  fi
+}
+
+github_curl() {
+  local accept="$1"
+  shift
+  local token="${GH_TOKEN:-${GITHUB_TOKEN:-}}"
+  local -a headers=(
+    -H "Accept: $accept"
+    -H "X-GitHub-Api-Version: 2022-11-28"
+  )
+
+  if [[ -n "$token" ]]; then
+    headers+=(-H "Authorization: Bearer $token")
+  fi
+  curl "${headers[@]}" "$@"
+}
+
+pick_asset() {
+  local metadata_file="$1"
+  local pattern="$2"
+  python3 - "$metadata_file" "$pattern" <<'PY'
+import json
+import re
+import sys
+from pathlib import Path
+
+metadata_path = Path(sys.argv[1])
+pattern = re.compile(sys.argv[2])
+data = json.loads(metadata_path.read_text(encoding="utf-8"))
+for asset in data.get("assets", []):
+    name = asset.get("name", "")
+    if pattern.search(name):
+        print(f'{asset.get("url", "")}\t{name}')
+        raise SystemExit(0)
+raise SystemExit(1)
+PY
+}
+
+download_asset() {
+  local asset_url="$1"
+  local output_path="$2"
+
+  github_curl application/octet-stream \
+    -fL --retry 5 --retry-all-errors --continue-at - \
+    -o "$output_path" "$asset_url"
+}
+
+install_macos_dmg() {
+  local dmg_url="$1"
+  local dmg_path="$TMP_DIR/XWorkmate.dmg"
+  local target_app="/Applications/XWorkmate.app"
+
+  MOUNT_POINT="$TMP_DIR/mount"
+  mkdir -p "$MOUNT_POINT"
+  info "Downloading macOS DMG..."
+  download_asset "$dmg_url" "$dmg_path"
+  info "Mounting DMG..."
+  hdiutil attach "$dmg_path" -mountpoint "$MOUNT_POINT" -nobrowse -readonly -quiet
+
+  local source_app="$MOUNT_POINT/XWorkmate.app"
+  [[ -d "$source_app" ]] || die "DMG does not contain XWorkmate.app"
+  if [[ -d "$target_app" ]]; then
+    info "Replacing existing app at $target_app"
+    rm -rf "$target_app"
+  fi
+  info "Installing to $target_app"
+  ditto "$source_app" "$target_app"
+  xattr -dr com.apple.quarantine "$target_app" 2>/dev/null || true
+  info "Installed $target_app"
+}
+
+install_linux_pkg() {
+  local pkg_url="$1"
+  local pkg_name="$2"
+  local pkg_path="$TMP_DIR/package"
+
+  download_asset "$pkg_url" "$pkg_path"
+  need sudo
+  if [[ "$pkg_name" == *.deb ]]; then
+    info "Installing Debian package..."
+    sudo dpkg -i "$pkg_path" || sudo apt-get -f install -y
+  elif [[ "$pkg_name" == *.rpm ]]; then
+    info "Installing RPM package..."
+    if command -v dnf >/dev/null 2>&1; then
+      sudo dnf install -y "$pkg_path"
+    else
+      sudo rpm -Uvh "$pkg_path"
+    fi
+  else
+    die "Unsupported Linux asset: $pkg_name"
+  fi
+}
+
+main() {
+  local release_json_path="$TMP_DIR/release.json"
+  local asset_name_pattern
+  local asset
+  local asset_name
+  local asset_url
+
+  need curl
+  need python3
+
+  info "Resolving release for $REPO"
+  github_curl application/vnd.github+json \
+    -fsSL "$(release_json_url)" -o "$release_json_path"
+
+  case "$(uname -s)" in
+    Darwin)
+      asset_name_pattern='^XWorkmate-[^/]+\.dmg$'
+      ;;
+    Linux)
+      case "$(uname -m)" in
+        x86_64|amd64) ;;
+        *) die "Linux packages are only available for amd64: $(uname -m)" ;;
+      esac
+      if command -v dpkg >/dev/null 2>&1; then
+        asset_name_pattern='^xworkmate_[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?_amd64\.deb$'
+      elif command -v rpm >/dev/null 2>&1; then
+        asset_name_pattern='^xworkmate-[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?-1\.x86_64\.rpm$'
+      else
+        die "Neither dpkg nor rpm found"
+      fi
+      ;;
+    *)
+      die "Unsupported OS: $(uname -s)"
+      ;;
+  esac
+
+  asset="$(pick_asset "$release_json_path" "$asset_name_pattern")" ||
+    die "Could not find a matching release asset"
+  IFS=$'\t' read -r asset_url asset_name <<<"$asset"
+  [[ -n "$asset_url" ]] || die "Matching release asset has no API download URL"
+  [[ -n "$asset_name" ]] || die "Matching release asset has no name"
+
+  case "$(uname -s)" in
+    Darwin) install_macos_dmg "$asset_url" ;;
+    Linux) install_linux_pkg "$asset_url" "$asset_name" ;;
+  esac
+}
+
+main "$@"

scripts/package-macos-app-store-pkg.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DIST_DIR="$ROOT_DIR/dist/macos-app-store"
+APP_NAME="${APP_NAME:-XWorkmate}"
+APP_STORE_DEFINE="${APP_STORE_DEFINE:---dart-define=XWORKMATE_APP_STORE=${XWORKMATE_APP_STORE:-true}}"
+source "$ROOT_DIR/scripts/ci/apple_signing.sh"
+APPLE_SIGNING_CLEANUP_COMMANDS=()
+trap apple_run_cleanup EXIT
+
+required_vars=(
+  APPLE_CERT_P12_BASE64
+  APPLE_CERT_PASSWORD
+  APPLE_MAC_PROVISION_PROFILE_BASE64
+  APPLE_KEYCHAIN_PASSWORD
+)
+
+missing=()
+for var_name in "${required_vars[@]}"; do
+  if [[ -z "${!var_name:-}" ]]; then
+    missing+=("$var_name")
+  fi
+done
+
+if [[ "${#missing[@]}" -gt 0 ]]; then
+  echo "Missing macOS TestFlight signing secrets: ${missing[*]}" >&2
+  exit 1
+fi
+
+eval "$(python3 "$ROOT_DIR/scripts/ci/build_version.py" --format shell)"
+app_version="$DISPLAY_VERSION"
+app_build="$BUILD_NUMBER"
+BUILD_DATE_LINE="$(sed -n 's/^build-date:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
+BUILD_ID_LINE="$(sed -n 's/^build-id:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
+GIT_BUILD_DATE="$(cd "$ROOT_DIR" && git show -s --format=%cs HEAD 2>/dev/null || true)"
+GIT_BUILD_COMMIT="$(cd "$ROOT_DIR" && git rev-parse --short HEAD 2>/dev/null || true)"
+app_build_date="${GIT_BUILD_DATE:-${BUILD_DATE_LINE:-unknown}}"
+app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
+
+tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
+cleanup() {
+  local status=$?
+  rm -rf "$tmp_dir"
+  apple_run_cleanup
+  return "$status"
+}
+trap cleanup EXIT
+
+apple_setup_signing_keychain
+
+apple_decode_base64() {
+  if base64 --help 2>&1 | grep -q -- '--decode'; then
+    base64 --decode
+  else
+    base64 -D
+  fi
+}
+
+profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
+profile_path="$profile_dir/xworkmate-macos.mobileprovision"
+mkdir -p "$profile_dir"
+printf '%s' "$APPLE_MAC_PROVISION_PROFILE_BASE64" | apple_decode_base64 > "$profile_path"
+apple_register_cleanup "rm -f \"$profile_path\""
+
+mkdir -p "$DIST_DIR"
+archive_path="$tmp_dir/$APP_NAME.xcarchive"
+export_options_path="$tmp_dir/ExportOptions.plist"
+sed "s|\${EXPORT_METHOD}|app-store|g" "$ROOT_DIR/ios/ExportOptions.plist" > "$export_options_path"
+
+flutter pub get
+flutter build macos --release \
+  --build-name="$PLATFORM_RELEASE_VERSION" \
+  --build-number="$app_build" \
+  --dart-define="XWORKMATE_DISPLAY_VERSION=$app_version" \
+  --dart-define="XWORKMATE_BUILD_NUMBER=$app_build" \
+  --dart-define="XWORKMATE_BUILD_DATE=$app_build_date" \
+  --dart-define="XWORKMATE_BUILD_COMMIT=$app_build_commit" \
+  "$APP_STORE_DEFINE"
+
+xcodebuild archive \
+  -workspace "$ROOT_DIR/macos/Runner.xcworkspace" \
+  -scheme Runner \
+  -configuration Release \
+  -archivePath "$archive_path" \
+  -allowProvisioningUpdates \
+  -allowProvisioningDeviceRegistration \
+  DEVELOPMENT_TEAM="N3G9T67W78"
+
+xcodebuild -exportArchive \
+  -archivePath "$archive_path" \
+  -exportPath "$DIST_DIR" \
+  -exportOptionsPlist "$export_options_path" \
+  -allowProvisioningUpdates
+
+if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
+  echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
+  exit 1
+fi
+
+echo "macOS TestFlight pkg: $(find "$DIST_DIR" -maxdepth 1 -name '*.pkg' | head -n 1)"

scripts/sync-version.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+if [ -n "$1" ]; then
+  TARGET_VERSION="$1"
+else
+  # Extract current version from pubspec.yaml
+  CURRENT_VERSION=$(grep "^version: " pubspec.yaml | awk '{print $2}')
+  
+  if [[ "$CURRENT_VERSION" == *"+"* ]]; then
+    BASE_VERSION=$(echo "$CURRENT_VERSION" | cut -d'+' -f1)
+    BUILD_NUM=$(echo "$CURRENT_VERSION" | cut -d'+' -f2)
+    NEXT_BUILD_NUM=$((BUILD_NUM + 1))
+    TARGET_VERSION="${BASE_VERSION}+${NEXT_BUILD_NUM}"
+  else
+    TARGET_VERSION="${CURRENT_VERSION}+1"
+  fi
+fi
+DATE=$(date +%Y-%m-%d)
+COMMIT=$(git rev-parse --short HEAD)
+
+# Update version in pubspec.yaml
+sed -i.bak -e "s/^version: .*/version: ${TARGET_VERSION}/" \
+           -e "s/^build-date: .*/build-date: ${DATE}/" \
+           -e "s/^build-id: .*/build-id: ${COMMIT}/" pubspec.yaml
+
+rm -f pubspec.yaml.bak
+
+echo "Updated pubspec.yaml to version=${TARGET_VERSION}, build-date=${DATE}, build-id=${COMMIT}"

scripts/xcode-tools/lipo

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+real_lipo="$(xcrun --find lipo)"
+args=("$@")
+verify_index=-1
+
+for ((index = 0; index < ${#args[@]}; index++)); do
+  if [[ "${args[index]}" == "-verify_arch" ]]; then
+    verify_index=$index
+    break
+  fi
+done
+
+# Xcode 27 accepts one architecture per -verify_arch invocation. Flutter
+# passes all requested architectures at once, so verify each one separately.
+if ((verify_index >= 0 && ${#args[@]} - verify_index > 2)); then
+  command_prefix=("${args[@]:0:verify_index}")
+  architectures=("${args[@]:verify_index+1}")
+  for architecture in "${architectures[@]}"; do
+    "$real_lipo" "${command_prefix[@]}" -verify_arch "$architecture"
+  done
+  exit 0
+fi
+
+exec "$real_lipo" "$@"

test/features/workspace_management/workspace_management_unit_test.dart

@@ -157,7 +157,13 @@ BRIDGE_PORT_443_OPEN=yes
       final yaml = controller.exportYaml();
 
       expect(yaml, contains('server_address: 203.0.113.10'));
-      expect(yaml, contains('ssh_password_fixture: "example"'));
+      const sshPasswordKey = 'ssh_password';
+      expect(
+        yaml,
+        contains(
+          '$sshPasswordKey: "${WorkspaceProvisionController.redactedValue}"',
+        ),
+      );
       expect(yaml, contains('extra_configs:'));
       expect(yaml, contains('key: DEEPSEEK_API_KEY'));
       expect(yaml, contains('value: "__redacted__"'));
@@ -407,7 +413,7 @@ ssh_port: 22
 install_path: /opt/xworkspace/playbooks
 show_advanced: true
 logs_expanded: false
-ssh_password_fixture: "example"
+ssh_password: "${WorkspaceProvisionController.redactedValue}"
 extra_configs:
   - key: DEEPSEEK_API_KEY
     value: "deepseek-new"

test/mock_plugins.dart

@@ -0,0 +1,41 @@
+import 'package:flutter/services.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+void mockPlugins() {
+  TestDefaultBinaryMessengerBinding.instance.defaultBinaryMessenger
+      .setMockMethodCallHandler(
+    const MethodChannel('dev.fluttercommunity.plus/package_info'),
+    (MethodCall methodCall) async {
+      return {
+        'appName': 'XWorkmate',
+        'packageName': 'com.xevor.xworkmate',
+        'version': '1.1.5',
+        'buildNumber': '1',
+      };
+    },
+  );
+  TestDefaultBinaryMessengerBinding.instance.defaultBinaryMessenger
+      .setMockMethodCallHandler(
+    const MethodChannel('dev.fluttercommunity.plus/device_info'),
+    (MethodCall methodCall) async {
+      return {
+        'computerName': 'Test-Mac',
+        'hostName': 'Test-Mac',
+        'arch': 'arm64',
+        'model': 'MacBookPro18,1',
+        'kernelVersion': 'Darwin 21.4.0',
+        'osRelease': '21.4.0',
+        'activeCPUs': 10,
+        'memorySize': 34359738368,
+        'cpuFrequency': 3200000000,
+      };
+    },
+  );
+  TestDefaultBinaryMessengerBinding.instance.defaultBinaryMessenger
+      .setMockMethodCallHandler(
+    const MethodChannel('plugins.flutter.io/path_provider'),
+    (MethodCall methodCall) async {
+      return '/tmp';
+    },
+  );
+}

test/runtime/app_controller_thread_workspace_binding_test.dart

@@ -1230,7 +1230,7 @@ void main() {
       );
       for (
         var attempt = 0;
-        attempt < 300 &&
+        attempt < 1000 &&
             controller
                     .requireTaskThreadForSessionInternal('unit-fixture-task-a')
                     .lastArtifactSyncStatus !=

test/runtime/assistant_execution_target_test.dart

@@ -322,9 +322,7 @@ void main() {
         'xworkmate-no-runtime-main-home-',
       );
       addTearDown(() async {
-        if (await localHome.exists()) {
-          await localHome.delete(recursive: true);
-        }
+        await _resilientDelete(localHome);
       });
       final controller = _sandboxController(
         environmentOverride: const <String, String>{},
@@ -358,9 +356,7 @@ void main() {
           'xworkmate-refresh-no-session-one-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final controller = _sandboxController(
           environmentOverride: const <String, String>{},
@@ -439,9 +435,7 @@ void main() {
           'xworkmate-stable-task-selection-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final controller = _sandboxController(
           environmentOverride: const <String, String>{},
@@ -1716,9 +1710,7 @@ void main() {
           'xworkmate-acp-interrupt-artifacts-',
         );
         addTearDown(() async {
-          if (await localWorkspace.exists()) {
-            await localWorkspace.delete(recursive: true);
-          }
+          await _resilientDelete(localWorkspace);
         });
         final fakeGoTaskService = _RecordingGoTaskServiceClient()
           ..onExecuteTask = ((request) async {
@@ -2017,9 +2009,7 @@ void main() {
           'xworkmate-acp-handshake-interrupt-artifacts-',
         );
         addTearDown(() async {
-          if (await localWorkspace.exists()) {
-            await localWorkspace.delete(recursive: true);
-          }
+          await _resilientDelete(localWorkspace);
         });
         final fakeGoTaskService = _RecordingGoTaskServiceClient()
           ..updatesBeforeNextOutcome.add(
@@ -2383,9 +2373,7 @@ void main() {
           'xworkmate-background-completion-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final fakeGoTaskService = _BlockingGoTaskServiceClient();
         final controller = _connectedController(
@@ -2508,9 +2496,7 @@ void main() {
           'xworkmate-same-prompt-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final fakeGoTaskService = _BlockingGoTaskServiceClient();
         final controller = _connectedController(
@@ -2683,9 +2669,7 @@ void main() {
           'xworkmate-same-prompt-empty-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final fakeGoTaskService = _BlockingGoTaskServiceClient();
         final controller = _connectedController(
@@ -2707,9 +2691,7 @@ void main() {
               continue;
             }
             final directory = Directory(workspace);
-            if (await directory.exists()) {
-              await directory.delete(recursive: true);
-            }
+            await _resilientDelete(directory);
           }
         });
 
@@ -2845,9 +2827,7 @@ void main() {
           'xworkmate-terminal-failure-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final fakeGoTaskService = _BlockingGoTaskServiceClient();
         final controller = _connectedController(
@@ -2925,9 +2905,7 @@ void main() {
           'xworkmate-empty-output-home-',
         );
         addTearDown(() async {
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
         final fakeGoTaskService = _BlockingGoTaskServiceClient();
         final controller = _connectedController(
@@ -3297,9 +3275,7 @@ void main() {
         addTearDown(() async {
           fakeGoTaskService.completeAll();
           controller.dispose();
-          if (await localHome.exists()) {
-            await localHome.delete(recursive: true);
-          }
+          await _resilientDelete(localHome);
         });
 
         for (
@@ -4902,19 +4878,28 @@ UiFeatureManifest _defaultDesktopManifest() {
 }
 
 Future<void> _resilientDelete(Directory dir) async {
-  if (!await dir.exists()) {
-    return;
-  }
   for (var attempt = 0; attempt < 8; attempt++) {
+    if (!await dir.exists()) {
+      return;
+    }
     try {
       await dir.delete(recursive: true);
       return;
     } catch (error) {
+      // A background flush (e.g. controller dispose still persisting state)
+      // may keep writing into the temp dir, so a recursive delete can race
+      // and fail with "Directory not empty". Retry a few times.
       debugPrint('Temporary directory delete retry: $error');
       await Future<void>.delayed(const Duration(milliseconds: 50));
     }
   }
-  await dir.delete(recursive: true);
+  // Best-effort cleanup: never fail a test over leftover temp files; the OS
+  // reclaims the temp directory regardless.
+  try {
+    await dir.delete(recursive: true);
+  } catch (error) {
+    debugPrint('Giving up on temporary directory cleanup: $error');
+  }
 }
 
 AppController _sandboxController({

test/runtime/gateway_runtime_bridge_skills_test.dart

@@ -1,3 +1,4 @@
+import "../mock_plugins.dart";
 import 'dart:convert';
 import 'dart:io';
 
@@ -11,6 +12,7 @@ import 'package:xworkmate/runtime/secure_config_store.dart';
 
 void main() {
   TestWidgetsFlutterBinding.ensureInitialized();
+  mockPlugins();
   HttpOverrides.global = null;
 
   test(

test/runtime/runtime_controllers_settings_account_test.dart

@@ -1,3 +1,4 @@
+import "../mock_plugins.dart";
 import 'dart:convert';
 import 'dart:io';
 
@@ -9,6 +10,8 @@ import 'package:xworkmate/runtime/runtime_models.dart';
 import 'package:xworkmate/runtime/secure_config_store.dart';
 
 void main() {
+  TestWidgetsFlutterBinding.ensureInitialized();
+  mockPlugins();
   group('SettingsController account sync', () {
     test(
       'prefers managed bridge token over stale profile token for remote gateway auth',

windows/flutter/generated_plugin_registrant.cc

@@ -8,16 +8,13 @@
 
 #include <file_selector_windows/file_selector_windows.h>
 #include <flutter_webrtc/flutter_web_r_t_c_plugin.h>
-#include <irondash_engine_context/irondash_engine_context_plugin_c_api.h>
-#include <super_native_extensions/super_native_extensions_plugin_c_api.h>
+#include <pasteboard/pasteboard_plugin.h>
 
 void RegisterPlugins(flutter::PluginRegistry* registry) {
   FileSelectorWindowsRegisterWithRegistrar(
       registry->GetRegistrarForPlugin("FileSelectorWindows"));
   FlutterWebRTCPluginRegisterWithRegistrar(
       registry->GetRegistrarForPlugin("FlutterWebRTCPlugin"));
-  IrondashEngineContextPluginCApiRegisterWithRegistrar(
-      registry->GetRegistrarForPlugin("IrondashEngineContextPluginCApi"));
-  SuperNativeExtensionsPluginCApiRegisterWithRegistrar(
-      registry->GetRegistrarForPlugin("SuperNativeExtensionsPluginCApi"));
+  PasteboardPluginRegisterWithRegistrar(
+      registry->GetRegistrarForPlugin("PasteboardPlugin"));
 }

windows/flutter/generated_plugins.cmake

@@ -5,8 +5,7 @@
 list(APPEND FLUTTER_PLUGIN_LIST
   file_selector_windows
   flutter_webrtc
-  irondash_engine_context
-  super_native_extensions
+  pasteboard
 )
 
 list(APPEND FLUTTER_FFI_PLUGIN_LIST