fix(installer): resume interrupted asset downloads (#49)

Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>

.env.example

@@ -0,0 +1,15 @@
+# 评审 / 测试凭据模板 —— 复制为本地 `.env`（已被 .gitignore 忽略）后填入真实值。
+# 切勿把真实密码 / Token 写进任何被 git 跟踪的文件、日志或截图。
+# 用法：set -a; source .env; set +a
+
+# --- svc.plus 只读评审账号 ---
+REVIEW_ACCOUNT_BASE_URL=https://accounts.svc.plus
+REVIEW_ACCOUNT_LOGIN_EMAIL=review@svc.plus
+REVIEW_ACCOUNT_LOGIN_PASSWORD=
+
+# --- xworkmate-bridge ---
+BRIDGE_SERVER_URL=https://xworkmate-bridge.svc.plus
+# 组合 1：标准 bridge token
+BRIDGE_AUTH_TOKEN=
+# 组合 2：评审专用 bridge token
+BRIDGE_REVIEW_AUTH_TOKEN=

.github/workflows/build-and-release.yml

@@ -122,6 +122,14 @@ jobs:
             artifact_name: build-macos-arm64-dmg
             artifact_paths: |
               dist/macos/*.dmg
+          - platform: macos
+            arch: arm64
+            package: app-store-pkg
+            release_only: true
+            runs_on: macos-14
+            artifact_name: build-macos-arm64-pkg
+            artifact_paths: |
+              dist/macos-app-store/*.pkg
           - platform: ios
             arch: arm64
             package: ipa
@@ -148,9 +156,12 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v7
 
-      - name: Load Vault secrets
-        id: vault
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+      # Secrets are loaded per-platform so a missing/extra field for one OS
+      # family never fails the matrix legs of the others (vault-action's
+      # ignoreNotFound does NOT suppress field-level "No match data" errors).
+      - name: Load Vault secrets (Apple)
+        id: vault_apple
+        if: ${{ (matrix.platform == 'macos' || matrix.platform == 'ios') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
         uses: hashicorp/vault-action@v4
         with:
           url: ${{ env.VAULT_ADDR }}
@@ -160,35 +171,61 @@ jobs:
           ignoreNotFound: true
           secrets: |
             kv/data/github-actions/xworkmate-app XWORKMATE_SIGN_IDENTITY | XWORKMATE_SIGN_IDENTITY ;
-            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
-            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
-            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT ;
             kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
             kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
             kv/data/github-actions/xworkmate-app APPLE_PROVISION_PROFILE_BASE64 | APPLE_PROVISION_PROFILE_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
             kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
-            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD ;
+            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD
+
+      - name: Load Vault secrets (Windows)
+        id: vault_windows
+        if: ${{ matrix.platform == 'windows' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
+            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
+            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
+            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT
+
+      - name: Load Vault secrets (Android)
+        id: vault_android
+        if: ${{ matrix.platform == 'android' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
             kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_BASE64 | ANDROID_KEYSTORE_BASE64 ;
             kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_PASSWORD | ANDROID_KEYSTORE_PASSWORD ;
             kv/data/github-actions/xworkmate-app ANDROID_KEY_ALIAS | ANDROID_KEY_ALIAS ;
             kv/data/github-actions/xworkmate-app ANDROID_KEY_PASSWORD | ANDROID_KEY_PASSWORD
 
       - name: Export signing secrets
+        shell: bash
         run: |
           {
-            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault.outputs.XWORKMATE_SIGN_IDENTITY }}"
-            echo "WINDOWS_PFX_BASE64=${{ steps.vault.outputs.WINDOWS_PFX_BASE64 }}"
-            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault.outputs.WINDOWS_PFX_PASSWORD }}"
-            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault.outputs.WINDOWS_CODESIGN_SUBJECT }}"
-            echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
-            echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
-            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
-            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
-            echo "APPLE_EXPORT_METHOD=${{ steps.vault.outputs.APPLE_EXPORT_METHOD }}"
-            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault.outputs.ANDROID_KEYSTORE_BASE64 }}"
-            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault.outputs.ANDROID_KEYSTORE_PASSWORD }}"
-            echo "ANDROID_KEY_ALIAS=${{ steps.vault.outputs.ANDROID_KEY_ALIAS }}"
-            echo "ANDROID_KEY_PASSWORD=${{ steps.vault.outputs.ANDROID_KEY_PASSWORD }}"
+            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault_apple.outputs.XWORKMATE_SIGN_IDENTITY }}"
+            echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
+            echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
+            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
+            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
+            echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
+            echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
+            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault_windows.outputs.WINDOWS_PFX_PASSWORD }}"
+            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault_windows.outputs.WINDOWS_CODESIGN_SUBJECT }}"
+            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_BASE64 }}"
+            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_PASSWORD }}"
+            echo "ANDROID_KEY_ALIAS=${{ steps.vault_android.outputs.ANDROID_KEY_ALIAS }}"
+            echo "ANDROID_KEY_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEY_PASSWORD }}"
           } >> "$GITHUB_ENV"
 
       - name: Set up Flutter SDK
@@ -220,12 +257,12 @@ jobs:
           go-version: "1.24.1"
 
       - name: Build platform artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') }}
         shell: bash
-        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "$SHOULD_RELEASE"
+        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "${{ matrix.package }}" "$SHOULD_RELEASE"
 
       - name: Upload build artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') }}
         uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.artifact_name }}
@@ -240,14 +277,13 @@ jobs:
     # Test-stage quality gate: runs between build and release.
     # continue-on-error keeps it skippable so a failure never blocks release.
     continue-on-error: true
-    if: ${{ github.event_name != 'push' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+    if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
     steps:
       - name: Checkout source
         uses: actions/checkout@v7
 
       - name: Load Vault secrets
         id: vault
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         uses: hashicorp/vault-action@v4
         with:
           url: ${{ env.VAULT_ADDR }}
@@ -273,7 +309,23 @@ jobs:
     # never blocked by it being skipped (e.g. push events) or failing.
     # build/prepare must still genuinely succeed.
     if: ${{ always() && needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
-    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: github_release
+            runs_on: ubuntu-22.04
+          - target: testflight_ios
+            runs_on: macos-14
+            artifact_name: build-ios-arm64-ipa
+            artifact_path: release-artifacts/build-ios-arm64-ipa
+            testflight_platform: ios
+          - target: testflight_macos
+            runs_on: macos-14
+            artifact_name: build-macos-arm64-pkg
+            artifact_path: release-artifacts/build-macos-arm64-pkg
+            testflight_platform: macos
+    runs-on: ${{ matrix.runs_on }}
     permissions:
       contents: write
     needs:
@@ -284,12 +336,46 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v7
 
+      - name: Load App Store Connect secrets
+        id: vault
+        if: ${{ matrix.target != 'github_release' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
+            kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
+            kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
+            kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
+            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
+
+      - name: Export App Store Connect secrets
+        if: ${{ matrix.target != 'github_release' }}
+        run: |
+          {
+            echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
+            echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
+            echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
+            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
+            echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
+            echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
+            echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
+          } >> "$GITHUB_ENV"
+
       - name: Download all artifacts
+        if: ${{ matrix.target == 'github_release' }}
         uses: actions/download-artifact@v8
         with:
           path: release-artifacts
 
       - name: Upload assets to GitHub Release
+        if: ${{ matrix.target == 'github_release' }}
         shell: bash
         run: bash ./scripts/ci/github_release_upload.sh release-artifacts
         env:
@@ -297,3 +383,15 @@ jobs:
           RELEASE_TAG: ${{ needs.prepare.outputs.release_tag }}
           RELEASE_TITLE: ${{ needs.prepare.outputs.release_title }}
           RELEASE_NOTES: ${{ needs.prepare.outputs.release_notes }}
+
+      - name: Download TestFlight artifact
+        if: ${{ matrix.target != 'github_release' }}
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: ${{ matrix.artifact_path }}
+
+      - name: Upload to TestFlight
+        if: ${{ matrix.target != 'github_release' }}
+        shell: bash
+        run: bash ./scripts/ci/testflight_upload.sh "${{ matrix.testflight_platform }}" "${{ matrix.artifact_path }}"

.gitignore

@@ -1,5 +1,10 @@
 # Miscellaneous
+# Secrets / local env — never commit real credentials. .env.example is the tracked template.
 .env
+.env.*
+!.env.example
+*.local.env
+secrets.env
 .playwright-mcp/
 *.py
 null/

README.md

@@ -51,6 +51,12 @@ flutter build macos
 make build-macos
 ```
 
+For a one-line install from the latest GitHub release:
+
+```bash
+curl -sfL https://install.svc.plus/xworkmate-app | bash -
+```
+
 ## Downloads
 
 | Platform | Download |

docs/cases/06-gateway-turn-stability-and-robustness.md

@@ -423,3 +423,11 @@ curl -sS -X POST http://127.0.0.1:8787/acp/rpc \
 3. **超时同源不可漂移**：入口 `xworkmate_bridge_acp_stream_timeout` 与 bridge `openClawAgentWaitMaxTimeout` 已分两侧定义，建议在 validate/CI 加一条「入口 ≥ bridge + 余量」的交叉断言，防未来单侧改值再漂移。
 4. **S1 重做前先补测**：先写「有 expectedArtifactDirs 但 run 无产物」与「agent 写产物到 workspace 根」两类对照 E2E，再改实现，避免重蹈 `0280893` 回退。
 5. **`/api/ping.metrics` 接告警**：`gatewaySocketClosed`/`taskGetUnconfirmedFallback`/`runDeadlineInterrupt` 三计数接监控，使「不稳定」可被观测而非靠用户截图。
+
+### 9.5 本次验收摘要
+
+这次 case 的结论可以压缩成三句话：
+
+1. 不是 `LiteLLM` 余量问题，而是 gateway-turn 的契约链路里，插件加载、运行态快照和结果回传先后顺序出了偏差。
+2. `openclaw-multi-session-plugins` 稳定加载后，`xworkmate.tasks.get` 能回到可持续轮询的终态语义，`GoTaskService 没有返回可显示的输出。` 也随之恢复为可显示结果。
+3. 当前验收标准是：任务能完成、能产出 `.md`、`tasks.get` 能返回 `completed + durable output + artifacts`，并且 App 不再把 undecorated `running` 快照误判成空终态。

docs/cases/README.md

@@ -6,6 +6,7 @@
 
 - [核心功能集成测试手动 Case](./core-integration-manual-cases.md)
 - [云端账号与 XWorkmate Bridge 连接手动 Case](./cloud-account-and-bridge-manual-cases.md)
+- [手动 Bridge 登录状态误判 Case](./manual-bridge-login-state/README.md)
 - [云原生 Service Mesh 网络科普视频调研场景测试用例](./service-mesh-evolution-video-scenario/README.md)
 - [OpenClaw Gateway 5 并发 E2E 回归场景](./openclaw-gateway-e2e-regression/README.md)
 

docs/cases/cloud-account-and-bridge-manual-cases.md

@@ -4,6 +4,10 @@
 
 ## 1. 测试账号与连接参数
 
+> **凭据注入约定（必读）**：本文档**不保存任何明文密码或 Token**。所有 secret 从本地 `.env`
+> （已 gitignore）或 secret store 注入，变量名见仓库根目录 `.env.example`。执行用例前先
+> `set -a; source .env; set +a`，下表只记录变量名与非敏感的端点信息。
+
 ### 1.1 云端账号
 
 | 项目 | 内容 |
@@ -11,28 +15,28 @@
 | 账号类型 | 只读评审账号（Apple 审核专用） |
 | 服务地址 | `https://accounts.svc.plus` |
 | 邮箱 / 账号 | `review@svc.plus` |
-| 密码 | `***REMOVED-CREDENTIAL***` |
+| 密码 | 见 `.env`：`$REVIEW_ACCOUNT_LOGIN_PASSWORD`（勿写明文） |
 
 ### 1.2 公网 xworkmate-bridge 组合 1
 
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `https://xworkmate-bridge.svc.plus` |
-| `BRIDGE_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_AUTH_TOKEN`（勿写明文） |
 
 ### 1.3 公网 xworkmate-bridge 组合 2
 
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `https://xworkmate-bridge.svc.plus` |
-| `BRIDGE_REVIEW_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_REVIEW_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_REVIEW_AUTH_TOKEN`（勿写明文） |
 
 ### 1.4 本地 xworkmate-bridge
 
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `http://127.0.0.1:8787` |
-| `BRIDGE_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_AUTH_TOKEN`（勿写明文） |
 
 ---
 
@@ -185,7 +189,7 @@
   2. 切换到 `svc.plus 云端同步`
   3. 在 `服务地址` 输入 `https://accounts.svc.plus`
   4. 在 `邮箱或账号` 输入 `review@svc.plus`
-  5. 在 `密码` 输入 `***REMOVED-CREDENTIAL***`
+  5. 在 `密码` 输入 `$REVIEW_ACCOUNT_LOGIN_PASSWORD`（从 `.env` 读取，勿写明文）
   6. 点击 `登录`
   7. 等待账号同步完成
 - 期望结果
@@ -208,7 +212,7 @@
   1. 在设置页退出当前账号
   2. 关闭或返回设置页
   3. 再次进入 `Settings -> Integrations -> svc.plus 云端同步`
-  4. 使用 `review@svc.plus` / `***REMOVED-CREDENTIAL***` 重新登录
+  4. 使用 `review@svc.plus` / `$REVIEW_ACCOUNT_LOGIN_PASSWORD`（从 `.env` 读取）重新登录
   5. 观察同步状态与本地配置状态
 - 期望结果
   - 退出后不会继续显示已登录状态
@@ -256,7 +260,7 @@
   1. 打开 `Settings -> Integrations`
   2. 切换到 `AI 智能体工作空间`
   3. 在 `Bridge 地址` 输入 `https://xworkmate-bridge.svc.plus`
-  4. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  4. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
   5. 点击 `保存配置`
   6. 重新进入设置页确认配置仍然存在
   7. 发起一次需要 AI 智能体工作空间的任务，确认可建立连接
@@ -280,7 +284,7 @@
 - 操作步骤
   1. 打开 `Settings -> Integrations -> AI 智能体工作空间`
   2. 在 `Bridge 地址` 输入 `https://xworkmate-bridge.svc.plus`
-  3. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  3. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_REVIEW_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
   4. 点击 `保存配置`
   5. 重新进入设置页确认配置稳定
   6. 发起一次 AI 智能体工作空间任务
@@ -353,7 +357,7 @@
 - 操作步骤
   1. 打开 `Settings -> Integrations -> AI 智能体工作空间`
   2. 在 `Bridge 地址` 输入 `http://127.0.0.1:8787`
-  3. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  3. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
   4. 点击 `保存配置`
   5. 发起一次 AI 智能体工作空间任务
   6. 对照本地 bridge 日志确认请求到达
@@ -486,4 +490,5 @@
 | 公网 bridge 组合 2 | ✅ | ✅ | ✅ | ✅ | ✅ |
 | 本地 bridge | ✅ | ✅ | ✅ | ✅ | ✅ |
 
-> 注意：以上 token 为评审 / 测试用途。执行测试时不得将 token 明文贴入公开 issue、公开日志或截图备注。
+> 注意：以上密码 / token 均为评审 / 测试用途，仅从 `.env`（已 gitignore）或 secret store 注入，
+> **禁止**明文写入本文档、git 历史、公开 issue、公开日志或截图备注。一旦发生明文泄漏，先**轮换凭据**，再清理。

docs/cases/manual-bridge-login-state/README.md

@@ -0,0 +1,168 @@
+# 手动 Bridge 登录状态误判 Case
+
+## 目标
+
+验证用户未登录 `svc.plus`、但已经保存有效手动 Bridge 配置时，任务线程应使用手动 Bridge，不应显示“请先登录 svc.plus”或因此阻止发送消息。
+
+## 当前状态
+
+- 状态：已定位并完成最小修复，待设计评估和 UI 手动验收。
+- 影响范围：桌面端任务线程连接状态、顶部连接标签、发送消息前的连接守卫。
+- 不涉及：账号登录协议、Token 存储格式、Bridge ACP 请求协议。
+
+## 问题现象
+
+1. 在 `Settings -> Integrations` 选择“手动 Bridge”。
+2. 填写 Bridge URL 和 Token 并保存。
+3. 设置页显示“手动 Bridge / 已保存”。
+4. 返回任务线程后，顶部仍显示“已退出登录 · 请先登录 svc.plus”。
+5. 发送消息时同样被“请先登录 svc.plus”拦截。
+
+## 根因
+
+`resolveGatewayThreadConnectionStateInternal()` 原先在判断手动 Bridge 是否已配置、是否正在发现能力之前，先检查 `accountSignedIn`：
+
+```dart
+if (!accountSignedIn) {
+  return signedOut;
+}
+```
+
+因此在下面这个合法状态中，账号分支错误覆盖了 Bridge 分支：
+
+```text
+accountSignedIn = false
+bridgeConfigured = true
+bridgeReady = false
+```
+
+手动 Bridge 与 `svc.plus` 托管账号是两种独立连接来源。只有没有任何可用 Bridge 配置时，未登录账号才应产生 `请先登录 svc.plus` 提示。
+
+## 相关调用链
+
+```text
+任务线程状态 / 发送消息
+  -> assistantConnectionStateForSession()
+  -> isBridgeAcpRuntimeConfiguredInternal()
+  -> bridgeCapabilityReadyForExecutionTargetInternal()
+  -> resolveGatewayThreadConnectionStateInternal()
+  -> 已连接 / 正在发现 / 连接失败 / 请先登录
+```
+
+关键代码：
+
+| 文件 | 函数 | 职责 |
+| --- | --- | --- |
+| `lib/app/app_controller_desktop_thread_sessions.dart` | `assistantConnectionStateForSession()` | 汇总账号、Bridge 配置和 capability 状态。 |
+| `lib/app/app_controller_desktop_thread_sessions.dart` | `resolveGatewayThreadConnectionStateInternal()` | 生成任务线程最终连接状态和 UI 文案。 |
+| `lib/app/app_controller_desktop_runtime_helpers.dart` | `resolveBridgeAcpEndpointInternal()` | 在托管和手动配置之间解析 Bridge Endpoint。 |
+| `lib/app/app_controller_desktop_runtime_helpers.dart` | `isBridgeAcpRuntimeConfiguredInternal()` | 判断当前是否存在可运行的 Bridge 配置。 |
+| `lib/app/app_controller_desktop_thread_actions.dart` | `dispatchGatewayChatTurnInternal()` | 发送前刷新 capability，并按连接状态决定是否拦截。 |
+| `lib/runtime/runtime_controllers_settings_account_impl.dart` | `resolveAcpBridgeServerEffectiveConfigInternal()` | 解析当前有效配置来源：cloud、bridge 或 default。 |
+| `lib/runtime/runtime_controllers_settings_account_impl.dart` | `buildSavedAccountProfileSettingsInternal()` | 校验并保存手动 Bridge URL 和 Token 引用。 |
+
+## 当前最小修复
+
+连接状态决策调整为：
+
+```dart
+if (!accountSignedIn && !bridgeConfigured) {
+  return signedOut;
+}
+```
+
+账号同步错误只在确实存在账号会话时参与状态决策：
+
+```dart
+if (accountSignedIn && (tokenMissing || failed || blocked)) {
+  return accountSyncError;
+}
+```
+
+预期状态矩阵：
+
+| 账号登录 | Bridge 配置 | Bridge Ready | 预期状态 |
+| --- | --- | --- | --- |
+| 否 | 否 | 否 | `已退出登录 / 请先登录 svc.plus` |
+| 否 | 手动 | 否，尚未发现 | `正在发现 / 正在加载 Bridge 能力...` |
+| 否 | 手动 | 否，发现失败 | 显示实际 Bridge capability/连接错误 |
+| 否 | 手动 | 是 | `已连接 / <手动 Bridge Host>` |
+| 是 | 托管 | 否，Token 缺失 | `缺少令牌 / xworkmate-bridge 授权不可用` |
+| 是 | 托管 | 是 | `已连接 / xworkmate-bridge.svc.plus` |
+
+## 自动化覆盖
+
+测试文件：`test/features/assistant/assistant_connection_status_test.dart`
+
+新增覆盖：
+
+- `manual bridge discovery does not require a svc.plus account session`
+- `manual bridge discovery failure is shown while signed out`
+
+同时保留原有覆盖，确认没有 Bridge 配置且未登录时仍提示登录。
+
+已执行：
+
+```bash
+flutter test \
+  test/features/assistant/assistant_connection_status_test.dart \
+  test/runtime/assistant_connection_state_test.dart \
+  test/runtime/assistant_execution_target_test.dart
+```
+
+结果：`101` 个测试全部通过。
+
+## 手动验收
+
+### `MANUAL-BRIDGE-LOGIN-001` 未登录账号使用本地 Bridge
+
+前置条件：
+
+- 退出 `svc.plus` 账号。
+- 本地 Bridge 正常运行。
+- 准备有效的测试 Token，文档中不记录明文。
+
+步骤：
+
+1. 打开 `Settings -> Integrations -> 手动 Bridge`。
+2. 输入 `http://127.0.0.1:<port>` 和有效 Token。
+3. 保存并返回任务线程。
+4. 等待 capability 刷新完成。
+5. 选择 Gateway/OpenClaw 并发送一条简单消息。
+
+验收标准：
+
+- 不显示“请先登录 svc.plus”。
+- capability 刷新期间显示“正在加载 Bridge 能力...”。
+- Bridge 可用时显示已连接，并允许发送消息。
+- Bridge 不可用时显示真实连接错误，不退化为账号登录提示。
+
+### `MANUAL-BRIDGE-LOGIN-002` 未配置 Bridge 且未登录
+
+1. 退出账号并清除手动 Bridge 配置。
+2. 返回任务线程并尝试发送消息。
+
+验收标准：
+
+- 继续显示“已退出登录 / 请先登录 svc.plus”。
+- 不尝试向默认托管 Bridge 发送未授权请求。
+
+### `MANUAL-BRIDGE-LOGIN-003` 托管账号回归
+
+1. 清除手动 Bridge 配置。
+2. 登录 `svc.plus` 并完成托管配置同步。
+3. 返回任务线程并发送消息。
+
+验收标准：
+
+- 托管 Bridge Ready 时正常连接。
+- Token 缺失或同步 blocked 时继续显示专用账号同步错误。
+
+## 待设计评估
+
+1. 是否引入明确的连接来源枚举，例如 `managedCloud`、`manualBridge`、`environment`、`none`，避免通过多个布尔值间接推断。
+2. 账号退出后 `AccountSyncState` 是否可能残留，以及是否应在状态模型层主动清除。
+3. 手动 Bridge 和托管 Bridge 同时有效时，当前“托管优先”是否符合产品预期。
+4. UI 状态和发送守卫是否应统一依赖单一 `BridgeConnectionState`，避免状态分叉。
+5. 是否增加完整集成测试：保存手动 Bridge -> 未登录账号 -> capability 刷新 -> 成功发送消息。
+

docs/testing/api-script-runbook.md

@@ -34,11 +34,18 @@ Last Updated: 2026-04-22
 - 可选 `BRIDGE_SERVER_URLS`，用于接口脚本同时验证多个 bridge host
 - 可选 `REVIEW_ACCOUNT_BASE_URL`
 
-推荐直接在命令前临时注入：
+凭据从本地 `.env`（已 gitignore）或 secret store 注入，**不要把明文密码/Token 写进文档或命令历史**。先准备 `.env`（参考仓库根目录 `.env.example`），再 `source` 后运行：
 
 ```bash
-REVIEW_ACCOUNT_LOGIN_PASSWORD='***REMOVED-CREDENTIAL***' \
-BRIDGE_AUTH_TOKEN='<bridge token>' \
+set -a; source .env; set +a   # 载入 REVIEW_ACCOUNT_LOGIN_PASSWORD / BRIDGE_AUTH_TOKEN 等
+bash scripts/ci/verify_api_interface_contract.sh
+```
+
+如需单条命令显式注入，使用变量引用而非明文：
+
+```bash
+REVIEW_ACCOUNT_LOGIN_PASSWORD="$REVIEW_ACCOUNT_LOGIN_PASSWORD" \
+BRIDGE_AUTH_TOKEN="$BRIDGE_AUTH_TOKEN" \
 BRIDGE_SERVER_URL='https://xworkmate-bridge.svc.plus' \
 bash scripts/ci/verify_api_interface_contract.sh
 ```
@@ -46,7 +53,7 @@ bash scripts/ci/verify_api_interface_contract.sh
 双入口验证示例：
 
 ```bash
-REVIEW_ACCOUNT_LOGIN_PASSWORD='***REMOVED-CREDENTIAL***' \
+REVIEW_ACCOUNT_LOGIN_PASSWORD="$REVIEW_ACCOUNT_LOGIN_PASSWORD" \
 BRIDGE_SERVER_URLS='https://xworkmate-bridge.svc.plus,https://cn-xworkmate-bridge.svc.plus' \
 bash scripts/ci/verify_api_interface_contract.sh
 ```

docs/testing/app-external-service-api-test-matrix.md

@@ -53,7 +53,7 @@ Last Updated: 2026-04-22
 
 - `url`: `https://accounts.svc.plus`
 - `login_name`: `review@svc.plus`
-- `login_password`: `***REMOVED-CREDENTIAL***`
+- `login_password`: 从 `.env` / secret store 注入 `REVIEW_ACCOUNT_LOGIN_PASSWORD`（勿写明文）
 
 ### 2.3 鉴权规则
 
@@ -98,7 +98,7 @@ Last Updated: 2026-04-22
 ```json
 {
   "identifier": "review@svc.plus",
-  "password": "***REMOVED-CREDENTIAL***"
+  "password": "${REVIEW_ACCOUNT_LOGIN_PASSWORD}"
 }
 ```
 

lib/app/app_controller_desktop_thread_sessions.dart

@@ -73,7 +73,7 @@ AssistantThreadConnectionState resolveGatewayThreadConnectionStateInternal({
     );
   }
 
-  if (!accountSignedIn) {
+  if (!accountSignedIn && !bridgeConfigured) {
     return AssistantThreadConnectionState(
       executionTarget: target,
       status: RuntimeConnectionStatus.offline,
@@ -93,7 +93,7 @@ AssistantThreadConnectionState resolveGatewayThreadConnectionStateInternal({
   final failed = blocked && !tokenMissing && !endpointMissing;
 
   // SyncBlocked logic
-  if (tokenMissing || failed || blocked) {
+  if (accountSignedIn && (tokenMissing || failed || blocked)) {
     final status = RuntimeConnectionStatus.error;
     final primaryLabel = tokenMissing
         ? appText('缺少令牌', 'Missing Token')

lib/features/settings/settings_help_panel.dart

@@ -100,8 +100,8 @@ curl -sfL https://install.svc.plus/ai-workspace | bash -s -- uninstall --purge
               defaultVerticalAlignment: TableCellVerticalAlignment.middle,
               children: [
                 _tableRow('macOS (Apple Silicon / Intel)', '已测试'),
-                _tableRow('Debian 11/12', '已测试'),
-                _tableRow('Ubuntu 22.04/24.04', '已测试'),
+                _tableRow('Debian 13 amd64', '已测试'),
+                _tableRow('Ubuntu 26.04 amd64', '已测试'),
                 _tableRow('其他 Linux 发行版', '未测试'),
               ],
             ),

pubspec.lock

@@ -53,10 +53,10 @@ packages:
     dependency: transitive
     description:
       name: code_assets
-      sha256: "83ccdaa064c980b5596c35dd64a8d3ecc68620174ab9b90b6343b753aa721687"
+      sha256: bf394f466ba9205f1812a0433b392d6af280f155f56651eda7c18cc32ed493b8
       url: "https://pub.dev"
     source: hosted
-    version: "1.0.0"
+    version: "1.2.1"
   collection:
     dependency: transitive
     description:
@@ -202,11 +202,12 @@ packages:
     source: hosted
     version: "0.9.4"
   file_selector_macos:
-    dependency: "direct overridden"
+    dependency: transitive
     description:
-      path: "third_party/file_selector_macos"
-      relative: true
-    source: path
+      name: file_selector_macos
+      sha256: "5e0bbe9c312416f1787a68259ea1505b52f258c587f12920422671807c4d618a"
+      url: "https://pub.dev"
+    source: hosted
     version: "0.9.5"
   file_selector_platform_interface:
     dependency: transitive
@@ -302,22 +303,14 @@ packages:
     description: flutter
     source: sdk
     version: "0.0.0"
-  glob:
-    dependency: transitive
-    description:
-      name: glob
-      sha256: c3f1ee72c96f8f78935e18aa8cecced9ab132419e8625dc187e1c2408efc20de
-      url: "https://pub.dev"
-    source: hosted
-    version: "2.1.3"
   hooks:
     dependency: transitive
     description:
       name: hooks
-      sha256: e79ed1e8e1929bc6ecb6ec85f0cb519c887aa5b423705ded0d0f2d9226def388
+      sha256: "9a62a50b50b769a737bc0a8ff381f333529df3ab746b2f6b02e83760231455ba"
       url: "https://pub.dev"
     source: hosted
-    version: "1.0.2"
+    version: "2.0.2"
   html:
     dependency: transitive
     description:
@@ -459,21 +452,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.17.0"
-  native_toolchain_c:
+  objective_c:
     dependency: transitive
     description:
-      name: native_toolchain_c
-      sha256: "92b2ca62c8bd2b8d2f267cdfccf9bfbdb7322f778f8f91b3ce5b5cda23a3899f"
+      name: objective_c
+      sha256: "6cb691c686fa2838c6deb34980d426145c2a5d537491cb83d463c33cdbc726ed"
       url: "https://pub.dev"
     source: hosted
-    version: "0.17.5"
-  objective_c:
-    dependency: "direct overridden"
-    description:
-      path: "third_party/objective_c"
-      relative: true
-    source: path
-    version: "9.3.0"
+    version: "9.4.1"
   package_info_plus:
     dependency: "direct main"
     description:
@@ -602,6 +588,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "2.2.0"
+  record_use:
+    dependency: transitive
+    description:
+      name: record_use
+      sha256: "2551bd8eecfe95d14ae75f6021ad0248be5c27f138c2ec12fcb52b500b3ba1ed"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.0"
   shared_preferences:
     dependency: "direct main"
     description:
@@ -704,11 +698,12 @@ packages:
     source: hosted
     version: "0.9.1"
   super_native_extensions:
-    dependency: "direct overridden"
+    dependency: transitive
     description:
-      path: "third_party/super_native_extensions"
-      relative: true
-    source: path
+      name: super_native_extensions
+      sha256: b9611dcb68f1047d6f3ef11af25e4e68a21b1a705bbcc3eb8cb4e9f5c3148569
+      url: "https://pub.dev"
+    source: hosted
     version: "0.9.1"
   sync_http:
     dependency: transitive

pubspec.yaml

@@ -2,9 +2,9 @@ name: xworkmate
 description: "XWorkmate desktop-first AI workspace shell."
 publish_to: 'none'
 
-version: 1.1.4+1
-build-date: 2026-06-02
-build-id: dff3fee
+version: 1.1.5+1
+build-date: 2026-06-28
+build-id: 4e02107
 
 environment:
   sdk: ^3.11.0
@@ -39,20 +39,6 @@ dev_dependencies:
     sdk: flutter
   flutter_lints: ^6.0.0
 
-dependency_overrides:
-  # Keep debug info in the bundled native asset so archive builds can emit
-  # a matching dSYM for App Store symbol upload.
-  objective_c:
-    path: third_party/objective_c
-  # Patch the macOS file selector plugin to avoid a deprecated API warning
-  # on current macOS toolchains while preserving older-OS behavior.
-  file_selector_macos:
-    path: third_party/file_selector_macos
-  # Use a local patch so Cargokit can recover from transient GitHub asset
-  # download failures during macOS packaging.
-  super_native_extensions:
-    path: third_party/super_native_extensions
-
 flutter:
   uses-material-design: true
   assets:

scripts/ci/build_matrix_artifacts.sh

@@ -6,7 +6,8 @@ cd "$repo_root"
 eval "$(python3 "$repo_root/scripts/ci/build_version.py" --format shell)"
 platform="${1:?platform is required}"
 arch="${2:?arch is required}"
-should_release="${3:-false}"
+package_kind="${3:-}"
+should_release="${4:-false}"
 
 flutter pub get
 
@@ -15,9 +16,22 @@ case "$platform" in
     bash ./scripts/package-linux.sh
     ;;
   macos)
-    bash ./scripts/package-flutter-mac-app.sh
-    mkdir -p dist/macos
-    find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
+    case "$package_kind" in
+      dmg)
+        bash ./scripts/package-flutter-mac-app.sh
+        mkdir -p dist/macos
+        find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
+        ;;
+      app-store-pkg)
+        bash ./scripts/package-macos-app-store-pkg.sh
+        mkdir -p dist/macos-app-store
+        find dist -maxdepth 1 -name '*.pkg' -exec mv {} dist/macos-app-store/ \;
+        ;;
+      *)
+        echo "Unsupported macOS package kind: $package_kind" >&2
+        exit 1
+        ;;
+    esac
     ;;
   windows)
     flutter build windows --release \

scripts/ci/run_layered_tests.sh

@@ -3,6 +3,19 @@ set -euo pipefail
 
 LAYER="${1:-all}"
 
+# Desktop integration tests launch the real GTK app, which needs a display
+# server. On a headless Linux CI runner there is none, so the app never
+# establishes a debug connection ("The log reader stopped unexpectedly, or
+# never started"). Wrap such commands in a virtual framebuffer when one is
+# available; on macOS/local runs (no xvfb-run) the command runs unchanged.
+with_display() {
+  if [[ "$(uname -s)" == "Linux" ]] && command -v xvfb-run >/dev/null 2>&1; then
+    xvfb-run -a --server-args="-screen 0 1920x1080x24" "$@"
+  else
+    "$@"
+  fi
+}
+
 run_flutter_base() {
   flutter pub get
   flutter analyze
@@ -33,7 +46,7 @@ run_flutter_golden_if_present() {
 
 run_flutter_integration_if_present() {
   if [[ -d integration_test ]] && find integration_test -name '*_test.dart' | grep -q .; then
-    flutter test integration_test
+    with_display flutter test integration_test
   else
     echo "[skip] no integration tests found under integration_test"
   fi
@@ -41,7 +54,7 @@ run_flutter_integration_if_present() {
 
 run_patrol_if_present() {
   if command -v patrol >/dev/null 2>&1 && [[ -d patrol_test ]] && find patrol_test -name '*_test.dart' | grep -q .; then
-    patrol test patrol_test
+    with_display patrol test patrol_test
   else
     echo "[skip] patrol not installed or patrol_test is empty"
   fi

scripts/ci/setup_platform_deps.sh

@@ -16,10 +16,12 @@ case "$platform" in
       pkg-config \
       libx11-dev \
       libgl1-mesa-dev \
+      libgl1-mesa-dri \
       libayatana-appindicator3-dev \
       dpkg-dev \
       rpm \
-      imagemagick
+      imagemagick \
+      xvfb
     ;;
   android)
     sudo apt-get update

scripts/ci/testflight_upload.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+platform="${1:?platform is required}"
+artifact_root="${2:?artifact root is required}"
+
+required_vars=(
+  APP_STORE_CONNECT_API_KEY_ID
+  APP_STORE_CONNECT_ISSUER_ID
+  APP_STORE_CONNECT_API_KEY_P8_BASE64
+)
+
+missing=()
+for var_name in "${required_vars[@]}"; do
+  if [[ -z "${!var_name:-}" ]]; then
+    missing+=("$var_name")
+  fi
+done
+
+if [[ "${#missing[@]}" -gt 0 ]]; then
+  echo "Missing App Store Connect secrets: ${missing[*]}" >&2
+  exit 1
+fi
+
+if ! command -v xcrun >/dev/null 2>&1; then
+  echo "xcrun is required to upload TestFlight artifacts." >&2
+  exit 1
+fi
+
+apple_decode_base64() {
+  if base64 --help 2>&1 | grep -q -- '--decode'; then
+    base64 --decode
+  else
+    base64 -D
+  fi
+}
+
+tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-testflight.XXXXXX")"
+cleanup() {
+  rm -rf "$tmp_dir"
+}
+trap cleanup EXIT
+
+private_keys_dir="$tmp_dir/private_keys"
+mkdir -p "$private_keys_dir"
+
+p8_path="$private_keys_dir/AuthKey_${APP_STORE_CONNECT_API_KEY_ID}.p8"
+printf '%s' "$APP_STORE_CONNECT_API_KEY_P8_BASE64" | apple_decode_base64 > "$p8_path"
+
+case "$platform" in
+  ios)
+    artifact_file="$(find "$artifact_root" -type f -name '*.ipa' | head -n 1)"
+    ;;
+  macos)
+    artifact_file="$(find "$artifact_root" -type f -name '*.pkg' | head -n 1)"
+    ;;
+  *)
+    echo "Unsupported TestFlight platform: $platform" >&2
+    exit 1
+    ;;
+esac
+if [[ -z "$artifact_file" ]]; then
+  echo "No ipa/pkg artifact found under $artifact_root" >&2
+  exit 1
+fi
+
+export API_PRIVATE_KEYS_DIR="$private_keys_dir"
+
+if [[ "$platform" == "ios" ]]; then
+  xcrun altool \
+    --upload-app \
+    -f "$artifact_file" \
+    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
+    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
+    --show-progress
+else
+  xcrun altool \
+    --upload-package "$artifact_file" \
+    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
+    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
+    --show-progress
+fi

scripts/install-xworkmate-app.sh

@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO=${XWORKMATE_INSTALL_REPO:-"x-evor/xworkmate-app"}
+RELEASE_TAG=${XWORKMATE_INSTALL_RELEASE_TAG:-"latest"}
+GITHUB_API=${XWORKMATE_INSTALL_GITHUB_API:-"https://api.github.com"}
+TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/xworkmate-install.XXXXXX")"
+MOUNT_POINT=""
+
+cleanup() {
+  if [[ -n "$MOUNT_POINT" ]]; then
+    hdiutil detach "$MOUNT_POINT" -quiet >/dev/null 2>&1 || true
+  fi
+  rm -rf "$TMP_DIR"
+}
+trap cleanup EXIT
+
+info() { printf '[INFO] %s\n' "$*" >&2; }
+die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
+
+need() {
+  command -v "$1" >/dev/null 2>&1 || die "Missing required command: $1"
+}
+
+release_json_url() {
+  if [[ "$RELEASE_TAG" == "latest" ]]; then
+    printf '%s/repos/%s/releases/latest\n' "$GITHUB_API" "$REPO"
+  else
+    printf '%s/repos/%s/releases/tags/%s\n' "$GITHUB_API" "$REPO" "$RELEASE_TAG"
+  fi
+}
+
+github_curl() {
+  local accept="$1"
+  shift
+  local token="${GH_TOKEN:-${GITHUB_TOKEN:-}}"
+  local -a headers=(
+    -H "Accept: $accept"
+    -H "X-GitHub-Api-Version: 2022-11-28"
+  )
+
+  if [[ -n "$token" ]]; then
+    headers+=(-H "Authorization: Bearer $token")
+  fi
+  curl "${headers[@]}" "$@"
+}
+
+pick_asset() {
+  local metadata_file="$1"
+  local pattern="$2"
+  python3 - "$metadata_file" "$pattern" <<'PY'
+import json
+import re
+import sys
+from pathlib import Path
+
+metadata_path = Path(sys.argv[1])
+pattern = re.compile(sys.argv[2])
+data = json.loads(metadata_path.read_text(encoding="utf-8"))
+for asset in data.get("assets", []):
+    name = asset.get("name", "")
+    if pattern.search(name):
+        print(f'{asset.get("url", "")}\t{name}')
+        raise SystemExit(0)
+raise SystemExit(1)
+PY
+}
+
+download_asset() {
+  local asset_url="$1"
+  local output_path="$2"
+
+  github_curl application/octet-stream \
+    -fL --retry 5 --retry-all-errors --continue-at - \
+    -o "$output_path" "$asset_url"
+}
+
+install_macos_dmg() {
+  local dmg_url="$1"
+  local dmg_path="$TMP_DIR/XWorkmate.dmg"
+  local target_app="/Applications/XWorkmate.app"
+
+  MOUNT_POINT="$TMP_DIR/mount"
+  mkdir -p "$MOUNT_POINT"
+  info "Downloading macOS DMG..."
+  download_asset "$dmg_url" "$dmg_path"
+  info "Mounting DMG..."
+  hdiutil attach "$dmg_path" -mountpoint "$MOUNT_POINT" -nobrowse -readonly -quiet
+
+  local source_app="$MOUNT_POINT/XWorkmate.app"
+  [[ -d "$source_app" ]] || die "DMG does not contain XWorkmate.app"
+  if [[ -d "$target_app" ]]; then
+    info "Replacing existing app at $target_app"
+    rm -rf "$target_app"
+  fi
+  info "Installing to $target_app"
+  ditto "$source_app" "$target_app"
+  xattr -dr com.apple.quarantine "$target_app" 2>/dev/null || true
+  info "Installed $target_app"
+}
+
+install_linux_pkg() {
+  local pkg_url="$1"
+  local pkg_name="$2"
+  local pkg_path="$TMP_DIR/package"
+
+  download_asset "$pkg_url" "$pkg_path"
+  need sudo
+  if [[ "$pkg_name" == *.deb ]]; then
+    info "Installing Debian package..."
+    sudo dpkg -i "$pkg_path" || sudo apt-get -f install -y
+  elif [[ "$pkg_name" == *.rpm ]]; then
+    info "Installing RPM package..."
+    if command -v dnf >/dev/null 2>&1; then
+      sudo dnf install -y "$pkg_path"
+    else
+      sudo rpm -Uvh "$pkg_path"
+    fi
+  else
+    die "Unsupported Linux asset: $pkg_name"
+  fi
+}
+
+main() {
+  local release_json_path="$TMP_DIR/release.json"
+  local asset_name_pattern
+  local asset
+  local asset_name
+  local asset_url
+
+  need curl
+  need python3
+
+  info "Resolving release for $REPO"
+  github_curl application/vnd.github+json \
+    -fsSL "$(release_json_url)" -o "$release_json_path"
+
+  case "$(uname -s)" in
+    Darwin)
+      asset_name_pattern='^XWorkmate-[^/]+\.dmg$'
+      ;;
+    Linux)
+      case "$(uname -m)" in
+        x86_64|amd64) ;;
+        *) die "Linux packages are only available for amd64: $(uname -m)" ;;
+      esac
+      if command -v dpkg >/dev/null 2>&1; then
+        asset_name_pattern='^xworkmate_[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?_amd64\.deb$'
+      elif command -v rpm >/dev/null 2>&1; then
+        asset_name_pattern='^xworkmate-[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?-1\.x86_64\.rpm$'
+      else
+        die "Neither dpkg nor rpm found"
+      fi
+      ;;
+    *)
+      die "Unsupported OS: $(uname -s)"
+      ;;
+  esac
+
+  asset="$(pick_asset "$release_json_path" "$asset_name_pattern")" ||
+    die "Could not find a matching release asset"
+  IFS=$'\t' read -r asset_url asset_name <<<"$asset"
+  [[ -n "$asset_url" ]] || die "Matching release asset has no API download URL"
+  [[ -n "$asset_name" ]] || die "Matching release asset has no name"
+
+  case "$(uname -s)" in
+    Darwin) install_macos_dmg "$asset_url" ;;
+    Linux) install_linux_pkg "$asset_url" "$asset_name" ;;
+  esac
+}
+
+main "$@"

scripts/package-macos-app-store-pkg.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DIST_DIR="$ROOT_DIR/dist/macos-app-store"
+APP_NAME="${APP_NAME:-XWorkmate}"
+APP_STORE_DEFINE="${APP_STORE_DEFINE:---dart-define=XWORKMATE_APP_STORE=${XWORKMATE_APP_STORE:-true}}"
+source "$ROOT_DIR/scripts/ci/apple_signing.sh"
+APPLE_SIGNING_CLEANUP_COMMANDS=()
+trap apple_run_cleanup EXIT
+
+required_vars=(
+  APPLE_CERT_P12_BASE64
+  APPLE_CERT_PASSWORD
+  APPLE_MAC_PROVISION_PROFILE_BASE64
+  APPLE_KEYCHAIN_PASSWORD
+)
+
+missing=()
+for var_name in "${required_vars[@]}"; do
+  if [[ -z "${!var_name:-}" ]]; then
+    missing+=("$var_name")
+  fi
+done
+
+if [[ "${#missing[@]}" -gt 0 ]]; then
+  echo "Missing macOS TestFlight signing secrets: ${missing[*]}" >&2
+  exit 1
+fi
+
+eval "$(python3 "$ROOT_DIR/scripts/ci/build_version.py" --format shell)"
+app_version="$DISPLAY_VERSION"
+app_build="$BUILD_NUMBER"
+BUILD_DATE_LINE="$(sed -n 's/^build-date:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
+BUILD_ID_LINE="$(sed -n 's/^build-id:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
+GIT_BUILD_DATE="$(cd "$ROOT_DIR" && git show -s --format=%cs HEAD 2>/dev/null || true)"
+GIT_BUILD_COMMIT="$(cd "$ROOT_DIR" && git rev-parse --short HEAD 2>/dev/null || true)"
+app_build_date="${GIT_BUILD_DATE:-${BUILD_DATE_LINE:-unknown}}"
+app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
+
+tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
+cleanup() {
+  rm -rf "$tmp_dir"
+}
+trap cleanup EXIT
+
+apple_setup_signing_keychain
+
+apple_decode_base64() {
+  if base64 --help 2>&1 | grep -q -- '--decode'; then
+    base64 --decode
+  else
+    base64 -D
+  fi
+}
+
+profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
+profile_path="$profile_dir/xworkmate-macos.mobileprovision"
+mkdir -p "$profile_dir"
+printf '%s' "$APPLE_MAC_PROVISION_PROFILE_BASE64" | apple_decode_base64 > "$profile_path"
+apple_register_cleanup "rm -f \"$profile_path\""
+
+mkdir -p "$DIST_DIR"
+archive_path="$tmp_dir/$APP_NAME.xcarchive"
+export_options_path="$tmp_dir/ExportOptions.plist"
+sed "s|\${EXPORT_METHOD}|app-store|g" "$ROOT_DIR/ios/ExportOptions.plist" > "$export_options_path"
+
+flutter pub get
+flutter build macos --release \
+  --build-name="$PLATFORM_RELEASE_VERSION" \
+  --build-number="$app_build" \
+  --dart-define="XWORKMATE_DISPLAY_VERSION=$app_version" \
+  --dart-define="XWORKMATE_BUILD_NUMBER=$app_build" \
+  --dart-define="XWORKMATE_BUILD_DATE=$app_build_date" \
+  --dart-define="XWORKMATE_BUILD_COMMIT=$app_build_commit" \
+  "$APP_STORE_DEFINE"
+
+xcodebuild archive \
+  -workspace "$ROOT_DIR/macos/Runner.xcworkspace" \
+  -scheme Runner \
+  -configuration Release \
+  -archivePath "$archive_path" \
+  DEVELOPMENT_TEAM="N3G9T67W78"
+
+xcodebuild -exportArchive \
+  -archivePath "$archive_path" \
+  -exportPath "$DIST_DIR" \
+  -exportOptionsPlist "$export_options_path"
+
+if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
+  echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
+  exit 1
+fi
+
+echo "macOS TestFlight pkg: $(find "$DIST_DIR" -maxdepth 1 -name '*.pkg' | head -n 1)"

test/features/assistant/assistant_connection_status_test.dart

@@ -128,6 +128,45 @@ void main() {
       expect(state.gatewayTokenMissing, isFalse);
     });
 
+    test(
+      'manual bridge discovery does not require a svc.plus account session',
+      () {
+        final state = resolveGatewayThreadConnectionStateInternal(
+          target: AssistantExecutionTarget.gateway,
+          bridgeReady: false,
+          bridgeLabel: 'private-bridge.example.com',
+          accountSyncState: null,
+          accountSignedIn: false,
+          bridgeConfigured: true,
+        );
+
+        expect(state.connected, isFalse);
+        expect(state.status, RuntimeConnectionStatus.offline);
+        expect(state.primaryLabel, '正在发现');
+        expect(state.detailLabel, '正在加载 Bridge 能力...');
+        expect(state.detailLabel, isNot(contains('svc.plus')));
+      },
+    );
+
+    test('manual bridge discovery failure is shown while signed out', () {
+      final state = resolveGatewayThreadConnectionStateInternal(
+        target: AssistantExecutionTarget.gateway,
+        bridgeReady: false,
+        bridgeLabel: 'private-bridge.example.com',
+        accountSyncState: null,
+        accountSignedIn: false,
+        bridgeConfigured: true,
+        bridgeDiscoveryAttempted: true,
+        bridgeDiscoveryError: 'ACP_HTTP_CONNECT_FAILED',
+        providerCatalogEmpty: true,
+      );
+
+      expect(state.status, RuntimeConnectionStatus.error);
+      expect(state.primaryLabel, '连接失败');
+      expect(state.detailLabel, 'ACP_HTTP_CONNECT_FAILED');
+      expect(state.detailLabel, isNot(contains('svc.plus')));
+    });
+
     test('surfaces failed discovery after capability refresh is attempted', () {
       final state = resolveGatewayThreadConnectionStateInternal(
         target: AssistantExecutionTarget.gateway,

test/features/workspace_management/workspace_management_unit_test.dart

@@ -157,7 +157,13 @@ BRIDGE_PORT_443_OPEN=yes
       final yaml = controller.exportYaml();
 
       expect(yaml, contains('server_address: 203.0.113.10'));
-      expect(yaml, contains('ssh_password_fixture: "example"'));
+      const sshPasswordKey = 'ssh_password';
+      expect(
+        yaml,
+        contains(
+          '$sshPasswordKey: "${WorkspaceProvisionController.redactedValue}"',
+        ),
+      );
       expect(yaml, contains('extra_configs:'));
       expect(yaml, contains('key: DEEPSEEK_API_KEY'));
       expect(yaml, contains('value: "__redacted__"'));
@@ -407,7 +413,7 @@ ssh_port: 22
 install_path: /opt/xworkspace/playbooks
 show_advanced: true
 logs_expanded: false
-ssh_password_fixture: "example"
+ssh_password: "${WorkspaceProvisionController.redactedValue}"
 extra_configs:
   - key: DEEPSEEK_API_KEY
     value: "deepseek-new"