ci: TestFlight opt-in toggle + Xcode 27 build fixes (#54 )

* ci: gate TestFlight behind opt-in toggle + Xcode 27 build fixes TestFlight is now opt-in (default OFF). A workflow_dispatch boolean `enable_testflight` (or the `ENABLE_TESTFLIGHT` repo variable) drives a `prepare.outputs.testflight_enabled` flag that gates the macOS app-store-pkg build leg and both testflight_ios/testflight_macos upload legs. Missing Apple signing secrets no longer fail the normal DMG/IPA release path (package-macos-app-store-pkg.sh hard-exits without them). Xcode 27 build compatibility: - Align Apple deployment targets so no pod sits below the app minimum (Xcode 27 rejects this): macOS pods + RunnerTests -> 15.6, iOS pods -> 15.5 to match the Runner targets. - Add a `lipo` shim (scripts/xcode-tools/lipo) wired onto PATH in the iOS/macOS build phases; Xcode 27 only accepts one `-verify_arch` architecture per call while Flutter passes them all at once. - macOS project hygiene: correct PrivacyInfo.xcprivacy path, set app display name + LSApplicationCategoryType. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * test: make temp-dir cleanup resilient to concurrent-write races The assistant execution target tests deleted their temp HOME/workspace dirs with a raw recursive delete in addTearDown. A background flush (e.g. controller dispose still persisting state) can keep writing into the dir while the delete walks it, so the delete races and fails with "Directory not empty" (errno 39), failing the test on CI. Route all unguarded teardown deletes through the existing _resilientDelete helper (re-check existence + retry), and harden that helper so its final fallback never re-throws — a temp-dir cleanup failure must never fail a test. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Haitao Pan <manbuzhe2009@qq.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
ci: wire macOS profile from Vault (#51 )
2026-06-30 07:29:23 +08:00 · 2026-06-29 22:15:08 +08:00 · 2026-06-29 17:42:04 +08:00 · 2026-06-29 15:58:04 +08:00 · 2026-06-29 14:27:49 +08:00 · 2026-06-29 14:22:56 +08:00
31 changed files with 954 additions and 158 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,15 @@
 # 评审 / 测试凭据模板 —— 复制为本地 `.env`（已被 .gitignore 忽略）后填入真实值。
 # 切勿把真实密码 / Token 写进任何被 git 跟踪的文件、日志或截图。
 # 用法：set -a; source .env; set +a
 # --- svc.plus 只读评审账号 ---
 REVIEW_ACCOUNT_BASE_URL=https://accounts.svc.plus
 REVIEW_ACCOUNT_LOGIN_EMAIL=review@svc.plus
 REVIEW_ACCOUNT_LOGIN_PASSWORD=
 # --- xworkmate-bridge ---
 BRIDGE_SERVER_URL=https://xworkmate-bridge.svc.plus
 # 组合 1：标准 bridge token
 BRIDGE_AUTH_TOKEN=
 # 组合 2：评审专用 bridge token
 BRIDGE_REVIEW_AUTH_TOKEN=
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@ -30,6 +30,11 @@ on:
      - ".github/actions/setup-flutter-sdk/action.yml"
      - ".github/workflows/build-and-release.yml"
  workflow_dispatch:
    inputs:
      enable_testflight:
        description: "Build & upload TestFlight (macOS/iOS App Store) artifacts"
        type: boolean
        default: false
 permissions:
  contents: read
@ -49,6 +54,7 @@ jobs:
      contents: write
    outputs:
      should_release: ${{ steps.flags.outputs.should_release }}
      testflight_enabled: ${{ steps.flags.outputs.testflight_enabled }}
      release_tag: ${{ steps.meta.outputs.release_tag }}
      release_title: ${{ steps.meta.outputs.release_title }}
      release_notes: ${{ steps.meta.outputs.release_notes }}
@ -61,6 +67,9 @@ jobs:
      - name: Determine release mode
        id: flags
        shell: bash
        env:
          ENABLE_TESTFLIGHT_INPUT: ${{ github.event.inputs.enable_testflight }}
          ENABLE_TESTFLIGHT_VAR: ${{ vars.ENABLE_TESTFLIGHT }}
        run: |
          if [[ "${GITHUB_REF:-}" == refs/tags/v* || "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" || "${GITHUB_REF:-}" == "refs/heads/main" ]]; then
            echo "should_release=true" >> "$GITHUB_OUTPUT"
@ -68,6 +77,16 @@ jobs:
            echo "should_release=false" >> "$GITHUB_OUTPUT"
          fi
          # TestFlight is opt-in (default OFF). Enabled only when explicitly
          # requested via the workflow_dispatch input or the ENABLE_TESTFLIGHT
          # repo/org variable. Keeps missing Apple signing secrets from failing
          # the normal DMG/IPA release path.
          if [[ "${ENABLE_TESTFLIGHT_INPUT:-}" == "true" || "${ENABLE_TESTFLIGHT_VAR:-}" == "true" ]]; then
            echo "testflight_enabled=true" >> "$GITHUB_OUTPUT"
          else
            echo "testflight_enabled=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Compute release metadata
        id: meta
        shell: bash
@ -122,6 +141,14 @@ jobs:
            artifact_name: build-macos-arm64-dmg
            artifact_paths: |
              dist/macos/*.dmg
          - platform: macos
            arch: arm64
            package: app-store-pkg
            release_only: true
            runs_on: macos-14
            artifact_name: build-macos-arm64-pkg
            artifact_paths: |
              dist/macos-app-store/*.pkg
          - platform: ios
            arch: arm64
            package: ipa
@ -148,9 +175,12 @@ jobs:
      - name: Checkout source
        uses: actions/checkout@v7
-      - name: Load Vault secrets
+      # Secrets are loaded per-platform so a missing/extra field for one OS
-        id: vault
+      # family never fails the matrix legs of the others (vault-action's
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+      # ignoreNotFound does NOT suppress field-level "No match data" errors).
      - name: Load Vault secrets (Apple)
        id: vault_apple
        if: ${{ (matrix.platform == 'macos' || matrix.platform == 'ios') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: hashicorp/vault-action@v4
        with:
          url: ${{ env.VAULT_ADDR }}
@ -160,35 +190,62 @@ jobs:
          ignoreNotFound: true
          secrets: |
            kv/data/github-actions/xworkmate-app XWORKMATE_SIGN_IDENTITY | XWORKMATE_SIGN_IDENTITY ;
            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT ;
            kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
            kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
            kv/data/github-actions/xworkmate-app APPLE_PROVISION_PROFILE_BASE64 | APPLE_PROVISION_PROFILE_BASE64 ;
            kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
            kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
-            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD ;
+            kv/data/github-actions/xworkmate-app APPLE_EXPORT_METHOD | APPLE_EXPORT_METHOD
      - name: Load Vault secrets (Windows)
        id: vault_windows
        if: ${{ matrix.platform == 'windows' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: hashicorp/vault-action@v4
        with:
          url: ${{ env.VAULT_ADDR }}
          method: jwt
          role: github-actions-xworkmate-app
          jwtGithubAudience: vault
          ignoreNotFound: true
          secrets: |
            kv/data/github-actions/xworkmate-app WINDOWS_PFX_BASE64 | WINDOWS_PFX_BASE64 ;
            kv/data/github-actions/xworkmate-app WINDOWS_PFX_PASSWORD | WINDOWS_PFX_PASSWORD ;
            kv/data/github-actions/xworkmate-app WINDOWS_CODESIGN_SUBJECT | WINDOWS_CODESIGN_SUBJECT
      - name: Load Vault secrets (Android)
        id: vault_android
        if: ${{ matrix.platform == 'android' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: hashicorp/vault-action@v4
        with:
          url: ${{ env.VAULT_ADDR }}
          method: jwt
          role: github-actions-xworkmate-app
          jwtGithubAudience: vault
          ignoreNotFound: true
          secrets: |
            kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_BASE64 | ANDROID_KEYSTORE_BASE64 ;
            kv/data/github-actions/xworkmate-app ANDROID_KEYSTORE_PASSWORD | ANDROID_KEYSTORE_PASSWORD ;
            kv/data/github-actions/xworkmate-app ANDROID_KEY_ALIAS | ANDROID_KEY_ALIAS ;
            kv/data/github-actions/xworkmate-app ANDROID_KEY_PASSWORD | ANDROID_KEY_PASSWORD
      - name: Export signing secrets
        shell: bash
        run: |
          {
-            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault.outputs.XWORKMATE_SIGN_IDENTITY }}"
+            echo "XWORKMATE_SIGN_IDENTITY=${{ steps.vault_apple.outputs.XWORKMATE_SIGN_IDENTITY }}"
-            echo "WINDOWS_PFX_BASE64=${{ steps.vault.outputs.WINDOWS_PFX_BASE64 }}"
+            echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
-            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault.outputs.WINDOWS_PFX_PASSWORD }}"
+            echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
-            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault.outputs.WINDOWS_CODESIGN_SUBJECT }}"
+            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
-            echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
+            echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
-            echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
+            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
-            echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
+            echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
-            echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
+            echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
-            echo "APPLE_EXPORT_METHOD=${{ steps.vault.outputs.APPLE_EXPORT_METHOD }}"
+            echo "WINDOWS_PFX_PASSWORD=${{ steps.vault_windows.outputs.WINDOWS_PFX_PASSWORD }}"
-            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault.outputs.ANDROID_KEYSTORE_BASE64 }}"
+            echo "WINDOWS_CODESIGN_SUBJECT=${{ steps.vault_windows.outputs.WINDOWS_CODESIGN_SUBJECT }}"
-            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault.outputs.ANDROID_KEYSTORE_PASSWORD }}"
+            echo "ANDROID_KEYSTORE_BASE64=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_BASE64 }}"
-            echo "ANDROID_KEY_ALIAS=${{ steps.vault.outputs.ANDROID_KEY_ALIAS }}"
+            echo "ANDROID_KEYSTORE_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEYSTORE_PASSWORD }}"
-            echo "ANDROID_KEY_PASSWORD=${{ steps.vault.outputs.ANDROID_KEY_PASSWORD }}"
+            echo "ANDROID_KEY_ALIAS=${{ steps.vault_android.outputs.ANDROID_KEY_ALIAS }}"
            echo "ANDROID_KEY_PASSWORD=${{ steps.vault_android.outputs.ANDROID_KEY_PASSWORD }}"
          } >> "$GITHUB_ENV"
      - name: Set up Flutter SDK
@ -220,12 +277,12 @@ jobs:
          go-version: "1.24.1"
      - name: Build platform artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') && (matrix.package != 'app-store-pkg' || needs.prepare.outputs.testflight_enabled == 'true') }}
        shell: bash
-        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "$SHOULD_RELEASE"
+        run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "${{ matrix.package }}" "$SHOULD_RELEASE"
      - name: Upload build artifacts
-        if: ${{ steps.preflight.outputs.should_build_platform == 'true' }}
+        if: ${{ steps.preflight.outputs.should_build_platform == 'true' && (matrix.release_only != 'true' || env.SHOULD_RELEASE == 'true') && (matrix.package != 'app-store-pkg' || needs.prepare.outputs.testflight_enabled == 'true') }}
        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.artifact_name }}
@ -240,14 +297,13 @@ jobs:
    # Test-stage quality gate: runs between build and release.
    # continue-on-error keeps it skippable so a failure never blocks release.
    continue-on-error: true
-    if: ${{ github.event_name != 'push' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+    if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
    steps:
      - name: Checkout source
        uses: actions/checkout@v7
      - name: Load Vault secrets
        id: vault
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: hashicorp/vault-action@v4
        with:
          url: ${{ env.VAULT_ADDR }}
@ -273,7 +329,23 @@ jobs:
    # never blocked by it being skipped (e.g. push events) or failing.
    # build/prepare must still genuinely succeed.
    if: ${{ always() && needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
-    runs-on: ubuntu-22.04
+    strategy:
      fail-fast: false
      matrix:
        include:
          - target: github_release
            runs_on: ubuntu-22.04
          - target: testflight_ios
            runs_on: macos-14
            artifact_name: build-ios-arm64-ipa
            artifact_path: release-artifacts/build-ios-arm64-ipa
            testflight_platform: ios
          - target: testflight_macos
            runs_on: macos-14
            artifact_name: build-macos-arm64-pkg
            artifact_path: release-artifacts/build-macos-arm64-pkg
            testflight_platform: macos
    runs-on: ${{ matrix.runs_on }}
    permissions:
      contents: write
    needs:
@ -284,12 +356,38 @@ jobs:
      - name: Checkout source
        uses: actions/checkout@v7
      - name: Load App Store Connect secrets
        id: vault
        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: hashicorp/vault-action@v4
        with:
          url: ${{ env.VAULT_ADDR }}
          method: jwt
          role: github-actions-xworkmate-app
          jwtGithubAudience: vault
          ignoreNotFound: true
          secrets: |
            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
            kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
      - name: Export App Store Connect secrets
        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
        run: |
          {
            echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
            echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
            echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
          } >> "$GITHUB_ENV"
      - name: Download all artifacts
        if: ${{ matrix.target == 'github_release' }}
        uses: actions/download-artifact@v8
        with:
          path: release-artifacts
      - name: Upload assets to GitHub Release
        if: ${{ matrix.target == 'github_release' }}
        shell: bash
        run: bash ./scripts/ci/github_release_upload.sh release-artifacts
        env:
@ -297,3 +395,15 @@ jobs:
          RELEASE_TAG: ${{ needs.prepare.outputs.release_tag }}
          RELEASE_TITLE: ${{ needs.prepare.outputs.release_title }}
          RELEASE_NOTES: ${{ needs.prepare.outputs.release_notes }}
      - name: Download TestFlight artifact
        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
        uses: actions/download-artifact@v8
        with:
          name: ${{ matrix.artifact_name }}
          path: ${{ matrix.artifact_path }}
      - name: Upload to TestFlight
        if: ${{ matrix.target != 'github_release' && needs.prepare.outputs.testflight_enabled == 'true' }}
        shell: bash
        run: bash ./scripts/ci/testflight_upload.sh "${{ matrix.testflight_platform }}" "${{ matrix.artifact_path }}"
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,10 @@
 # Miscellaneous
 # Secrets / local env — never commit real credentials. .env.example is the tracked template.
 .env
 .env.*
 !.env.example
 *.local.env
 secrets.env
 .playwright-mcp/
 *.py
 null/
--- a/README.md
+++ b/README.md
@ -51,6 +51,12 @@ flutter build macos
 make build-macos
 ```
 For a one-line install from the latest GitHub release:
 ```bash
 curl -sfL https://install.svc.plus/xworkmate-app | bash -
 ```
 ## Downloads
 | Platform | Download |
--- a/docs/cases/06-gateway-turn-stability-and-robustness.md
+++ b/docs/cases/06-gateway-turn-stability-and-robustness.md
@ -423,3 +423,11 @@ curl -sS -X POST http://127.0.0.1:8787/acp/rpc \
 3. **超时同源不可漂移**：入口 `xworkmate_bridge_acp_stream_timeout` 与 bridge `openClawAgentWaitMaxTimeout` 已分两侧定义，建议在 validate/CI 加一条「入口 ≥ bridge + 余量」的交叉断言，防未来单侧改值再漂移。
 4. **S1 重做前先补测**：先写「有 expectedArtifactDirs 但 run 无产物」与「agent 写产物到 workspace 根」两类对照 E2E，再改实现，避免重蹈 `0280893` 回退。
 5. **`/api/ping.metrics` 接告警**：`gatewaySocketClosed`/`taskGetUnconfirmedFallback`/`runDeadlineInterrupt` 三计数接监控，使「不稳定」可被观测而非靠用户截图。
 ### 9.5 本次验收摘要
 这次 case 的结论可以压缩成三句话：
 1. 不是 `LiteLLM` 余量问题，而是 gateway-turn 的契约链路里，插件加载、运行态快照和结果回传先后顺序出了偏差。
 2. `openclaw-multi-session-plugins` 稳定加载后，`xworkmate.tasks.get` 能回到可持续轮询的终态语义，`GoTaskService 没有返回可显示的输出。` 也随之恢复为可显示结果。
 3. 当前验收标准是：任务能完成、能产出 `.md`、`tasks.get` 能返回 `completed + durable output + artifacts`，并且 App 不再把 undecorated `running` 快照误判成空终态。
--- a/docs/cases/README.md
+++ b/docs/cases/README.md
@ -6,6 +6,7 @@
 - [核心功能集成测试手动 Case](./core-integration-manual-cases.md)
 - [云端账号与 XWorkmate Bridge 连接手动 Case](./cloud-account-and-bridge-manual-cases.md)
 - [手动 Bridge 登录状态误判 Case](./manual-bridge-login-state/README.md)
 - [云原生 Service Mesh 网络科普视频调研场景测试用例](./service-mesh-evolution-video-scenario/README.md)
 - [OpenClaw Gateway 5 并发 E2E 回归场景](./openclaw-gateway-e2e-regression/README.md)
--- a/docs/cases/cloud-account-and-bridge-manual-cases.md
+++ b/docs/cases/cloud-account-and-bridge-manual-cases.md
@ -4,6 +4,10 @@
 ## 1. 测试账号与连接参数
 > **凭据注入约定（必读）**：本文档**不保存任何明文密码或 Token**。所有 secret 从本地 `.env`
 > （已 gitignore）或 secret store 注入，变量名见仓库根目录 `.env.example`。执行用例前先
 > `set -a; source .env; set +a`，下表只记录变量名与非敏感的端点信息。
 ### 1.1 云端账号
 | 项目 | 内容 |
@ -11,28 +15,28 @@
 | 账号类型 | 只读评审账号（Apple 审核专用） |
 | 服务地址 | `https://accounts.svc.plus` |
 | 邮箱 / 账号 | `review@svc.plus` |
-| 密码 | `***REMOVED-CREDENTIAL***` |
+| 密码 | 见 `.env`：`$REVIEW_ACCOUNT_LOGIN_PASSWORD`（勿写明文） |
 ### 1.2 公网 xworkmate-bridge 组合 1
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `https://xworkmate-bridge.svc.plus` |
-| `BRIDGE_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_AUTH_TOKEN`（勿写明文） |
 ### 1.3 公网 xworkmate-bridge 组合 2
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `https://xworkmate-bridge.svc.plus` |
-| `BRIDGE_REVIEW_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_REVIEW_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_REVIEW_AUTH_TOKEN`（勿写明文） |
 ### 1.4 本地 xworkmate-bridge
 | 环境变量 | 值 |
 |----------|----|
 | `BRIDGE_SERVER_URL` | `http://127.0.0.1:8787` |
-| `BRIDGE_AUTH_TOKEN` | `***REMOVED-CREDENTIAL***` |
+| `BRIDGE_AUTH_TOKEN` | 见 `.env`：`$BRIDGE_AUTH_TOKEN`（勿写明文） |
 ---
@ -185,7 +189,7 @@
  2. 切换到 `svc.plus 云端同步`
  3. 在 `服务地址` 输入 `https://accounts.svc.plus`
  4. 在 `邮箱或账号` 输入 `review@svc.plus`
-  5. 在 `密码` 输入 `***REMOVED-CREDENTIAL***`
+  5. 在 `密码` 输入 `$REVIEW_ACCOUNT_LOGIN_PASSWORD`（从 `.env` 读取，勿写明文）
  6. 点击 `登录`
  7. 等待账号同步完成
 - 期望结果
@ -208,7 +212,7 @@
  1. 在设置页退出当前账号
  2. 关闭或返回设置页
  3. 再次进入 `Settings -> Integrations -> svc.plus 云端同步`
-  4. 使用 `review@svc.plus` / `***REMOVED-CREDENTIAL***` 重新登录
+  4. 使用 `review@svc.plus` / `$REVIEW_ACCOUNT_LOGIN_PASSWORD`（从 `.env` 读取）重新登录
  5. 观察同步状态与本地配置状态
 - 期望结果
  - 退出后不会继续显示已登录状态
@ -256,7 +260,7 @@
  1. 打开 `Settings -> Integrations`
  2. 切换到 `AI 智能体工作空间`
  3. 在 `Bridge 地址` 输入 `https://xworkmate-bridge.svc.plus`
-  4. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  4. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
  5. 点击 `保存配置`
  6. 重新进入设置页确认配置仍然存在
  7. 发起一次需要 AI 智能体工作空间的任务，确认可建立连接
@ -280,7 +284,7 @@
 - 操作步骤
  1. 打开 `Settings -> Integrations -> AI 智能体工作空间`
  2. 在 `Bridge 地址` 输入 `https://xworkmate-bridge.svc.plus`
-  3. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  3. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_REVIEW_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
  4. 点击 `保存配置`
  5. 重新进入设置页确认配置稳定
  6. 发起一次 AI 智能体工作空间任务
@ -353,7 +357,7 @@
 - 操作步骤
  1. 打开 `Settings -> Integrations -> AI 智能体工作空间`
  2. 在 `Bridge 地址` 输入 `http://127.0.0.1:8787`
-  3. 在 `鉴权令牌 (TOKEN)` 输入 `***REMOVED-CREDENTIAL***`
+  3. 在 `鉴权令牌 (TOKEN)` 输入 `$BRIDGE_AUTH_TOKEN`（从 `.env` 读取，勿写明文）
  4. 点击 `保存配置`
  5. 发起一次 AI 智能体工作空间任务
  6. 对照本地 bridge 日志确认请求到达
@ -486,4 +490,5 @@
 | 公网 bridge 组合 2 | ✅ | ✅ | ✅ | ✅ | ✅ |
 | 本地 bridge | ✅ | ✅ | ✅ | ✅ | ✅ |
-> 注意：以上 token 为评审 / 测试用途。执行测试时不得将 token 明文贴入公开 issue、公开日志或截图备注。
+> 注意：以上密码 / token 均为评审 / 测试用途，仅从 `.env`（已 gitignore）或 secret store 注入，
 > **禁止**明文写入本文档、git 历史、公开 issue、公开日志或截图备注。一旦发生明文泄漏，先**轮换凭据**，再清理。
--- a/docs/cases/manual-bridge-login-state/README.md
+++ b/docs/cases/manual-bridge-login-state/README.md
@ -0,0 +1,168 @@
 # 手动 Bridge 登录状态误判 Case
 ## 目标
 验证用户未登录 `svc.plus`、但已经保存有效手动 Bridge 配置时，任务线程应使用手动 Bridge，不应显示“请先登录 svc.plus”或因此阻止发送消息。
 ## 当前状态
 - 状态：已定位并完成最小修复，待设计评估和 UI 手动验收。
 - 影响范围：桌面端任务线程连接状态、顶部连接标签、发送消息前的连接守卫。
 - 不涉及：账号登录协议、Token 存储格式、Bridge ACP 请求协议。
 ## 问题现象
 1. 在 `Settings -> Integrations` 选择“手动 Bridge”。
 2. 填写 Bridge URL 和 Token 并保存。
 3. 设置页显示“手动 Bridge / 已保存”。
 4. 返回任务线程后，顶部仍显示“已退出登录 · 请先登录 svc.plus”。
 5. 发送消息时同样被“请先登录 svc.plus”拦截。
 ## 根因
 `resolveGatewayThreadConnectionStateInternal()` 原先在判断手动 Bridge 是否已配置、是否正在发现能力之前，先检查 `accountSignedIn`：
 ```dart
 if (!accountSignedIn) {
  return signedOut;
 }
 ```
 因此在下面这个合法状态中，账号分支错误覆盖了 Bridge 分支：
 ```text
 accountSignedIn = false
 bridgeConfigured = true
 bridgeReady = false
 ```
 手动 Bridge 与 `svc.plus` 托管账号是两种独立连接来源。只有没有任何可用 Bridge 配置时，未登录账号才应产生 `请先登录 svc.plus` 提示。
 ## 相关调用链
 ```text
 任务线程状态 / 发送消息
  -> assistantConnectionStateForSession()
  -> isBridgeAcpRuntimeConfiguredInternal()
  -> bridgeCapabilityReadyForExecutionTargetInternal()
  -> resolveGatewayThreadConnectionStateInternal()
  -> 已连接 / 正在发现 / 连接失败 / 请先登录
 ```
 关键代码：
 | 文件 | 函数 | 职责 |
 | --- | --- | --- |
 | `lib/app/app_controller_desktop_thread_sessions.dart` | `assistantConnectionStateForSession()` | 汇总账号、Bridge 配置和 capability 状态。 |
 | `lib/app/app_controller_desktop_thread_sessions.dart` | `resolveGatewayThreadConnectionStateInternal()` | 生成任务线程最终连接状态和 UI 文案。 |
 | `lib/app/app_controller_desktop_runtime_helpers.dart` | `resolveBridgeAcpEndpointInternal()` | 在托管和手动配置之间解析 Bridge Endpoint。 |
 | `lib/app/app_controller_desktop_runtime_helpers.dart` | `isBridgeAcpRuntimeConfiguredInternal()` | 判断当前是否存在可运行的 Bridge 配置。 |
 | `lib/app/app_controller_desktop_thread_actions.dart` | `dispatchGatewayChatTurnInternal()` | 发送前刷新 capability，并按连接状态决定是否拦截。 |
 | `lib/runtime/runtime_controllers_settings_account_impl.dart` | `resolveAcpBridgeServerEffectiveConfigInternal()` | 解析当前有效配置来源：cloud、bridge 或 default。 |
 | `lib/runtime/runtime_controllers_settings_account_impl.dart` | `buildSavedAccountProfileSettingsInternal()` | 校验并保存手动 Bridge URL 和 Token 引用。 |
 ## 当前最小修复
 连接状态决策调整为：
 ```dart
 if (!accountSignedIn && !bridgeConfigured) {
  return signedOut;
 }
 ```
 账号同步错误只在确实存在账号会话时参与状态决策：
 ```dart
 if (accountSignedIn && (tokenMissing || failed || blocked)) {
  return accountSyncError;
 }
 ```
 预期状态矩阵：
 | 账号登录 | Bridge 配置 | Bridge Ready | 预期状态 |
 | --- | --- | --- | --- |
 | 否 | 否 | 否 | `已退出登录 / 请先登录 svc.plus` |
 | 否 | 手动 | 否，尚未发现 | `正在发现 / 正在加载 Bridge 能力...` |
 | 否 | 手动 | 否，发现失败 | 显示实际 Bridge capability/连接错误 |
 | 否 | 手动 | 是 | `已连接 / <手动 Bridge Host>` |
 | 是 | 托管 | 否，Token 缺失 | `缺少令牌 / xworkmate-bridge 授权不可用` |
 | 是 | 托管 | 是 | `已连接 / xworkmate-bridge.svc.plus` |
 ## 自动化覆盖
 测试文件：`test/features/assistant/assistant_connection_status_test.dart`
 新增覆盖：
 - `manual bridge discovery does not require a svc.plus account session`
 - `manual bridge discovery failure is shown while signed out`
 同时保留原有覆盖，确认没有 Bridge 配置且未登录时仍提示登录。
 已执行：
 ```bash
 flutter test \
  test/features/assistant/assistant_connection_status_test.dart \
  test/runtime/assistant_connection_state_test.dart \
  test/runtime/assistant_execution_target_test.dart
 ```
 结果：`101` 个测试全部通过。
 ## 手动验收
 ### `MANUAL-BRIDGE-LOGIN-001` 未登录账号使用本地 Bridge
 前置条件：
 - 退出 `svc.plus` 账号。
 - 本地 Bridge 正常运行。
 - 准备有效的测试 Token，文档中不记录明文。
 步骤：
 1. 打开 `Settings -> Integrations -> 手动 Bridge`。
 2. 输入 `http://127.0.0.1:<port>` 和有效 Token。
 3. 保存并返回任务线程。
 4. 等待 capability 刷新完成。
 5. 选择 Gateway/OpenClaw 并发送一条简单消息。
 验收标准：
 - 不显示“请先登录 svc.plus”。
 - capability 刷新期间显示“正在加载 Bridge 能力...”。
 - Bridge 可用时显示已连接，并允许发送消息。
 - Bridge 不可用时显示真实连接错误，不退化为账号登录提示。
 ### `MANUAL-BRIDGE-LOGIN-002` 未配置 Bridge 且未登录
 1. 退出账号并清除手动 Bridge 配置。
 2. 返回任务线程并尝试发送消息。
 验收标准：
 - 继续显示“已退出登录 / 请先登录 svc.plus”。
 - 不尝试向默认托管 Bridge 发送未授权请求。
 ### `MANUAL-BRIDGE-LOGIN-003` 托管账号回归
 1. 清除手动 Bridge 配置。
 2. 登录 `svc.plus` 并完成托管配置同步。
 3. 返回任务线程并发送消息。
 验收标准：
 - 托管 Bridge Ready 时正常连接。
 - Token 缺失或同步 blocked 时继续显示专用账号同步错误。
 ## 待设计评估
 1. 是否引入明确的连接来源枚举，例如 `managedCloud`、`manualBridge`、`environment`、`none`，避免通过多个布尔值间接推断。
 2. 账号退出后 `AccountSyncState` 是否可能残留，以及是否应在状态模型层主动清除。
 3. 手动 Bridge 和托管 Bridge 同时有效时，当前“托管优先”是否符合产品预期。
 4. UI 状态和发送守卫是否应统一依赖单一 `BridgeConnectionState`，避免状态分叉。
 5. 是否增加完整集成测试：保存手动 Bridge -> 未登录账号 -> capability 刷新 -> 成功发送消息。
--- a/docs/testing/api-script-runbook.md
+++ b/docs/testing/api-script-runbook.md
@ -34,11 +34,18 @@ Last Updated: 2026-04-22
 - 可选 `BRIDGE_SERVER_URLS`，用于接口脚本同时验证多个 bridge host
 - 可选 `REVIEW_ACCOUNT_BASE_URL`
-推荐直接在命令前临时注入：
+凭据从本地 `.env`（已 gitignore）或 secret store 注入，**不要把明文密码/Token 写进文档或命令历史**。先准备 `.env`（参考仓库根目录 `.env.example`），再 `source` 后运行：
 ```bash
-REVIEW_ACCOUNT_LOGIN_PASSWORD='***REMOVED-CREDENTIAL***' \
+set -a; source .env; set +a   # 载入 REVIEW_ACCOUNT_LOGIN_PASSWORD / BRIDGE_AUTH_TOKEN 等
-BRIDGE_AUTH_TOKEN='<bridge token>' \
+bash scripts/ci/verify_api_interface_contract.sh
 ```
 如需单条命令显式注入，使用变量引用而非明文：
 ```bash
 REVIEW_ACCOUNT_LOGIN_PASSWORD="$REVIEW_ACCOUNT_LOGIN_PASSWORD" \
 BRIDGE_AUTH_TOKEN="$BRIDGE_AUTH_TOKEN" \
 BRIDGE_SERVER_URL='https://xworkmate-bridge.svc.plus' \
 bash scripts/ci/verify_api_interface_contract.sh
 ```
@ -46,7 +53,7 @@ bash scripts/ci/verify_api_interface_contract.sh
 双入口验证示例：
 ```bash
-REVIEW_ACCOUNT_LOGIN_PASSWORD='***REMOVED-CREDENTIAL***' \
+REVIEW_ACCOUNT_LOGIN_PASSWORD="$REVIEW_ACCOUNT_LOGIN_PASSWORD" \
 BRIDGE_SERVER_URLS='https://xworkmate-bridge.svc.plus,https://cn-xworkmate-bridge.svc.plus' \
 bash scripts/ci/verify_api_interface_contract.sh
 ```
--- a/docs/testing/app-external-service-api-test-matrix.md
+++ b/docs/testing/app-external-service-api-test-matrix.md
@ -53,7 +53,7 @@ Last Updated: 2026-04-22
 - `url`: `https://accounts.svc.plus`
 - `login_name`: `review@svc.plus`
- `login_password`: `***REMOVED-CREDENTIAL***`
+- `login_password`: 从 `.env` / secret store 注入 `REVIEW_ACCOUNT_LOGIN_PASSWORD`（勿写明文）
 ### 2.3 鉴权规则
@ -98,7 +98,7 @@ Last Updated: 2026-04-22
 ```json
 {
  "identifier": "review@svc.plus",
-  "password": "***REMOVED-CREDENTIAL***"
+  "password": "${REVIEW_ACCOUNT_LOGIN_PASSWORD}"
 }
 ```
--- a/ios/Podfile
+++ b/ios/Podfile
@ -39,6 +39,11 @@ post_install do |installer|
  installer.pods_project.targets.each do |target|
    flutter_additional_ios_build_settings(target)
    target.build_configurations.each do |config|
      # Xcode 27 rejects dependency targets below the app's iOS 15.5 minimum.
      config.build_settings['IPHONEOS_DEPLOYMENT_TARGET'] = '15.5'
    end
    next unless ['Pods-Runner', 'Pods-RunnerTests'].include?(target.name)
    target.build_configurations.each do |config|
--- a/ios/Podfile.lock
+++ b/ios/Podfile.lock
@ -67,6 +67,6 @@ SPEC CHECKSUMS:
  super_native_extensions: b763c02dc3a8fd078389f410bf15149179020cb4
  WebRTC-SDK: 79942c006ea64f6fb48d7da8a4786dfc820bc1db
-PODFILE CHECKSUM: 5ab2a375a52a76f419425b2b219d2743259d6f1f
+PODFILE CHECKSUM: ca16f6ef66890e172b6528d5f0eb390e0410291e
 COCOAPODS: 1.16.2
--- a/ios/Runner.xcodeproj/project.pbxproj
+++ b/ios/Runner.xcodeproj/project.pbxproj
@ -291,7 +291,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" embed_and_thin";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\n/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" embed_and_thin";
 		};
 		9740EEB61CF901F6004384FC /* Run Script */ = {
 			isa = PBXShellScriptBuildPhase;
@ -306,7 +306,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" build";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\n/bin/sh \"$FLUTTER_ROOT/packages/flutter_tools/bin/xcode_backend.sh\" build";
 		};
 		BA47ED2B244B5E2B99043424 /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
--- a/lib/app/app_controller_desktop_thread_sessions.dart
+++ b/lib/app/app_controller_desktop_thread_sessions.dart
@ -73,7 +73,7 @@ AssistantThreadConnectionState resolveGatewayThreadConnectionStateInternal({
    );
  }
-  if (!accountSignedIn) {
+  if (!accountSignedIn && !bridgeConfigured) {
    return AssistantThreadConnectionState(
      executionTarget: target,
      status: RuntimeConnectionStatus.offline,
@ -93,7 +93,7 @@ AssistantThreadConnectionState resolveGatewayThreadConnectionStateInternal({
  final failed = blocked && !tokenMissing && !endpointMissing;
  // SyncBlocked logic
-  if (tokenMissing || failed || blocked) {
+  if (accountSignedIn && (tokenMissing || failed || blocked)) {
    final status = RuntimeConnectionStatus.error;
    final primaryLabel = tokenMissing
        ? appText('缺少令牌', 'Missing Token')
--- a/lib/features/settings/settings_help_panel.dart
+++ b/lib/features/settings/settings_help_panel.dart
@ -100,8 +100,8 @@ curl -sfL https://install.svc.plus/ai-workspace | bash -s -- uninstall --purge
              defaultVerticalAlignment: TableCellVerticalAlignment.middle,
              children: [
                _tableRow('macOS (Apple Silicon / Intel)', '已测试'),
-                _tableRow('Debian 11/12', '已测试'),
+                _tableRow('Debian 13 amd64', '已测试'),
-                _tableRow('Ubuntu 22.04/24.04', '已测试'),
+                _tableRow('Ubuntu 26.04 amd64', '已测试'),
                _tableRow('其他 Linux 发行版', '未测试'),
              ],
            ),
--- a/macos/Podfile
+++ b/macos/Podfile
@ -1,4 +1,4 @@
-platform :osx, '14.0'
+platform :osx, '15.6'
 # CocoaPods analytics sends network stats synchronously affecting flutter build latency.
 ENV['COCOAPODS_DISABLE_STATS'] = 'true'
@ -97,7 +97,8 @@ post_install do |installer|
  installer.pods_project.targets.each do |target|
    flutter_additional_macos_build_settings(target)
    target.build_configurations.each do |config|
-      config.build_settings['MACOSX_DEPLOYMENT_TARGET'] = '14.0'
+      # Xcode 27 rejects dependency targets below the app's 15.6 minimum.
      config.build_settings['MACOSX_DEPLOYMENT_TARGET'] = '15.6'
      next unless ['Pods-Runner', 'Pods-RunnerTests', 'WebRTC-SDK', 'flutter_webrtc'].include?(target.name)
--- a/macos/Podfile.lock
+++ b/macos/Podfile.lock
@ -61,6 +61,6 @@ SPEC CHECKSUMS:
  super_native_extensions: c2795d6d9aedf4a79fae25cb6160b71b50549189
  WebRTC-SDK: 79942c006ea64f6fb48d7da8a4786dfc820bc1db
-PODFILE CHECKSUM: 1eb7d5d1472c632b8f775dd34562291c20ae818a
+PODFILE CHECKSUM: 7804cba3ecbc9953edc70dee53b2ce2b4aeaa013
 COCOAPODS: 1.16.2
--- a/macos/Runner.xcodeproj/project.pbxproj
+++ b/macos/Runner.xcodeproj/project.pbxproj
@ -371,7 +371,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "echo \"$PRODUCT_NAME.app\" > \"$PROJECT_DIR\"/Flutter/ephemeral/.app_filename && \"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh embed\n";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\necho \"$PRODUCT_NAME.app\" > \"$PROJECT_DIR\"/Flutter/ephemeral/.app_filename && \"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh embed\n";
 		};
 		33CC111E2044C6BF0003C045 /* ShellScript */ = {
 			isa = PBXShellScriptBuildPhase;
@ -392,7 +392,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "if [[ \"${WORKSPACE_DIR:-}\" == *.xcodeproj ]]; then\n  echo \"error: XWorkmate macOS builds with CocoaPods plugins must be launched from macos/Runner.xcworkspace, not Runner.xcodeproj.\" >&2\n  echo \"error: Close this project, open macos/Runner.xcworkspace in Xcode, and build the shared Runner scheme for My Mac.\" >&2\n  echo \"error: Pods targets appearing in the workspace are expected. Only configure signing on the Runner target.\" >&2\n  echo \"error: For release packaging, run 'flutter build macos' from the repository root.\" >&2\n  exit 1\nfi\n\"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh && touch Flutter/ephemeral/tripwire";
+			shellScript = "export PATH=\"$PROJECT_DIR/../scripts/xcode-tools:$PATH\"\nif [[ \"${WORKSPACE_DIR:-}\" == *.xcodeproj ]]; then\n  echo \"error: XWorkmate macOS builds with CocoaPods plugins must be launched from macos/Runner.xcworkspace, not Runner.xcodeproj.\" >&2\n  echo \"error: Close this project, open macos/Runner.xcworkspace in Xcode, and build the shared Runner scheme for My Mac.\" >&2\n  echo \"error: Pods targets appearing in the workspace are expected. Only configure signing on the Runner target.\" >&2\n  echo \"error: For release packaging, run 'flutter build macos' from the repository root.\" >&2\n  exit 1\nfi\n\"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh && touch Flutter/ephemeral/tripwire";
 		};
 		8E8C2A3EBAA3461603096C04 /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
@ -511,7 +511,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@ -539,7 +539,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@ -567,7 +567,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				MARKETING_VERSION = 1.0;
 				OTHER_CFLAGS = (
 					"$(inherited)",
@ -661,11 +661,13 @@
 				ENABLE_RESOURCE_ACCESS_USB = NO;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",
@ -687,7 +689,7 @@
 		338D0CEB231458BD00FA5F75 /* Profile */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_STYLE = Manual;
+				CODE_SIGN_STYLE = Automatic;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@ -823,11 +825,13 @@
 				ENABLE_RESOURCE_ACCESS_USB = NO;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",
@ -863,11 +867,13 @@
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_CFBundleDisplayName = Xworkmate;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				OTHER_CFLAGS = (
 					"$(inherited)",
 					"-Wno-ignored-attributes",
--- a/pubspec.lock
+++ b/pubspec.lock
@ -53,10 +53,10 @@ packages:
    dependency: transitive
    description:
      name: code_assets
-      sha256: "83ccdaa064c980b5596c35dd64a8d3ecc68620174ab9b90b6343b753aa721687"
+      sha256: bf394f466ba9205f1812a0433b392d6af280f155f56651eda7c18cc32ed493b8
      url: "https://pub.dev"
    source: hosted
-    version: "1.0.0"
+    version: "1.2.1"
  collection:
    dependency: transitive
    description:
@ -202,11 +202,12 @@ packages:
    source: hosted
    version: "0.9.4"
  file_selector_macos:
-    dependency: "direct overridden"
+    dependency: transitive
    description:
-      path: "third_party/file_selector_macos"
+      name: file_selector_macos
-      relative: true
+      sha256: "5e0bbe9c312416f1787a68259ea1505b52f258c587f12920422671807c4d618a"
-    source: path
+      url: "https://pub.dev"
    source: hosted
    version: "0.9.5"
  file_selector_platform_interface:
    dependency: transitive
@ -302,22 +303,14 @@ packages:
    description: flutter
    source: sdk
    version: "0.0.0"
  glob:
    dependency: transitive
    description:
      name: glob
      sha256: c3f1ee72c96f8f78935e18aa8cecced9ab132419e8625dc187e1c2408efc20de
      url: "https://pub.dev"
    source: hosted
    version: "2.1.3"
  hooks:
    dependency: transitive
    description:
      name: hooks
-      sha256: e79ed1e8e1929bc6ecb6ec85f0cb519c887aa5b423705ded0d0f2d9226def388
+      sha256: "9a62a50b50b769a737bc0a8ff381f333529df3ab746b2f6b02e83760231455ba"
      url: "https://pub.dev"
    source: hosted
-    version: "1.0.2"
+    version: "2.0.2"
  html:
    dependency: transitive
    description:
@ -459,21 +452,14 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "1.17.0"
-  native_toolchain_c:
+  objective_c:
    dependency: transitive
    description:
-      name: native_toolchain_c
+      name: objective_c
-      sha256: "92b2ca62c8bd2b8d2f267cdfccf9bfbdb7322f778f8f91b3ce5b5cda23a3899f"
+      sha256: "6cb691c686fa2838c6deb34980d426145c2a5d537491cb83d463c33cdbc726ed"
      url: "https://pub.dev"
    source: hosted
-    version: "0.17.5"
+    version: "9.4.1"
  objective_c:
    dependency: "direct overridden"
    description:
      path: "third_party/objective_c"
      relative: true
    source: path
    version: "9.3.0"
  package_info_plus:
    dependency: "direct main"
    description:
@ -602,6 +588,14 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "2.2.0"
  record_use:
    dependency: transitive
    description:
      name: record_use
      sha256: "2551bd8eecfe95d14ae75f6021ad0248be5c27f138c2ec12fcb52b500b3ba1ed"
      url: "https://pub.dev"
    source: hosted
    version: "0.6.0"
  shared_preferences:
    dependency: "direct main"
    description:
@ -704,11 +698,12 @@ packages:
    source: hosted
    version: "0.9.1"
  super_native_extensions:
-    dependency: "direct overridden"
+    dependency: transitive
    description:
-      path: "third_party/super_native_extensions"
+      name: super_native_extensions
-      relative: true
+      sha256: b9611dcb68f1047d6f3ef11af25e4e68a21b1a705bbcc3eb8cb4e9f5c3148569
-    source: path
+      url: "https://pub.dev"
    source: hosted
    version: "0.9.1"
  sync_http:
    dependency: transitive
--- a/pubspec.yaml
+++ b/pubspec.yaml
@ -2,9 +2,9 @@ name: xworkmate
 description: "XWorkmate desktop-first AI workspace shell."
 publish_to: 'none'
-version: 1.1.4+1
+version: 1.1.5+1
-build-date: 2026-06-02
+build-date: 2026-06-28
-build-id: dff3fee
+build-id: 4e02107
 environment:
  sdk: ^3.11.0
@ -39,20 +39,6 @@ dev_dependencies:
    sdk: flutter
  flutter_lints: ^6.0.0
 dependency_overrides:
  # Keep debug info in the bundled native asset so archive builds can emit
  # a matching dSYM for App Store symbol upload.
  objective_c:
    path: third_party/objective_c
  # Patch the macOS file selector plugin to avoid a deprecated API warning
  # on current macOS toolchains while preserving older-OS behavior.
  file_selector_macos:
    path: third_party/file_selector_macos
  # Use a local patch so Cargokit can recover from transient GitHub asset
  # download failures during macOS packaging.
  super_native_extensions:
    path: third_party/super_native_extensions
 flutter:
  uses-material-design: true
  assets:
--- a/scripts/ci/apple_signing.sh
+++ b/scripts/ci/apple_signing.sh
@ -82,3 +82,47 @@ apple_install_provision_profile() {
  export APPLE_SIGNING_PROFILE_PATH="$profile_path"
  apple_register_cleanup "rm -f \"$profile_path\""
 }
 apple_install_base64_provision_profile() {
  local source_var="${1:?base64 source variable is required}"
  local expected_bundle_id="${2:-}"
  apple_require_signing_vars "$source_var"
  local tmp_dir
  tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-profile.XXXXXX")"
  local tmp_profile="$tmp_dir/profile.provisionprofile"
  local profile_plist="$tmp_dir/profile.plist"
  apple_register_cleanup "rm -rf \"$tmp_dir\""
  printf '%s' "${!source_var}" | apple_decode_base64 > "$tmp_profile"
  security cms -D -i "$tmp_profile" > "$profile_plist"
  local profile_uuid profile_name profile_team profile_app_id profile_platform
  profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print :UUID' "$profile_plist")"
  profile_name="$(/usr/libexec/PlistBuddy -c 'Print :Name' "$profile_plist")"
  profile_team="$(/usr/libexec/PlistBuddy -c 'Print :TeamIdentifier:0' "$profile_plist")"
  profile_app_id="$(/usr/libexec/PlistBuddy -c 'Print :Entitlements:com.apple.application-identifier' "$profile_plist")"
  profile_platform="$(/usr/libexec/PlistBuddy -c 'Print :Platform:0' "$profile_plist")"
  if [[ "$profile_platform" != "OSX" ]]; then
    echo "Provisioning profile '$profile_name' targets '$profile_platform', expected 'OSX'." >&2
    return 1
  fi
  if [[ -n "$expected_bundle_id" && "$profile_app_id" != "$profile_team.$expected_bundle_id" ]]; then
    echo "Provisioning profile '$profile_name' has app identifier '$profile_app_id', expected '$profile_team.$expected_bundle_id'." >&2
    return 1
  fi
  local profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
  local profile_path="$profile_dir/$profile_uuid.provisionprofile"
  mkdir -p "$profile_dir"
  mv "$tmp_profile" "$profile_path"
  export APPLE_SIGNING_PROFILE_PATH="$profile_path"
  export APPLE_SIGNING_PROFILE_UUID="$profile_uuid"
  export APPLE_SIGNING_PROFILE_NAME="$profile_name"
  export APPLE_SIGNING_PROFILE_TEAM="$profile_team"
  apple_register_cleanup "rm -f \"$profile_path\""
  echo "Installed macOS provisioning profile: $profile_name ($profile_uuid)"
 }
--- a/scripts/ci/build_matrix_artifacts.sh
+++ b/scripts/ci/build_matrix_artifacts.sh
@ -6,7 +6,8 @@ cd "$repo_root"
 eval "$(python3 "$repo_root/scripts/ci/build_version.py" --format shell)"
 platform="${1:?platform is required}"
 arch="${2:?arch is required}"
-should_release="${3:-false}"
+package_kind="${3:-}"
 should_release="${4:-false}"
 flutter pub get
@ -15,9 +16,22 @@ case "$platform" in
    bash ./scripts/package-linux.sh
    ;;
  macos)
-    bash ./scripts/package-flutter-mac-app.sh
+    case "$package_kind" in
-    mkdir -p dist/macos
+      dmg)
-    find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
+        bash ./scripts/package-flutter-mac-app.sh
        mkdir -p dist/macos
        find dist -maxdepth 1 -name '*.dmg' -exec mv {} dist/macos/ \;
        ;;
      app-store-pkg)
        bash ./scripts/package-macos-app-store-pkg.sh
        mkdir -p dist/macos-app-store
        find dist -maxdepth 1 -name '*.pkg' -exec mv {} dist/macos-app-store/ \;
        ;;
      *)
        echo "Unsupported macOS package kind: $package_kind" >&2
        exit 1
        ;;
    esac
    ;;
  windows)
    flutter build windows --release \
--- a/scripts/ci/run_layered_tests.sh
+++ b/scripts/ci/run_layered_tests.sh
@ -3,6 +3,19 @@ set -euo pipefail
 LAYER="${1:-all}"
 # Desktop integration tests launch the real GTK app, which needs a display
 # server. On a headless Linux CI runner there is none, so the app never
 # establishes a debug connection ("The log reader stopped unexpectedly, or
 # never started"). Wrap such commands in a virtual framebuffer when one is
 # available; on macOS/local runs (no xvfb-run) the command runs unchanged.
 with_display() {
  if [[ "$(uname -s)" == "Linux" ]] && command -v xvfb-run >/dev/null 2>&1; then
    xvfb-run -a --server-args="-screen 0 1920x1080x24" "$@"
  else
    "$@"
  fi
 }
 run_flutter_base() {
  flutter pub get
  flutter analyze
@ -33,7 +46,7 @@ run_flutter_golden_if_present() {
 run_flutter_integration_if_present() {
  if [[ -d integration_test ]] && find integration_test -name '*_test.dart' | grep -q .; then
-    flutter test integration_test
+    with_display flutter test integration_test
  else
    echo "[skip] no integration tests found under integration_test"
  fi
@ -41,7 +54,7 @@ run_flutter_integration_if_present() {
 run_patrol_if_present() {
  if command -v patrol >/dev/null 2>&1 && [[ -d patrol_test ]] && find patrol_test -name '*_test.dart' | grep -q .; then
-    patrol test patrol_test
+    with_display patrol test patrol_test
  else
    echo "[skip] patrol not installed or patrol_test is empty"
  fi
--- a/scripts/ci/setup_platform_deps.sh
+++ b/scripts/ci/setup_platform_deps.sh
@ -16,10 +16,12 @@ case "$platform" in
      pkg-config \
      libx11-dev \
      libgl1-mesa-dev \
      libgl1-mesa-dri \
      libayatana-appindicator3-dev \
      dpkg-dev \
      rpm \
-      imagemagick
+      imagemagick \
      xvfb
    ;;
  android)
    sudo apt-get update
--- a/scripts/ci/testflight_upload.sh
+++ b/scripts/ci/testflight_upload.sh
@ -0,0 +1,82 @@
 #!/usr/bin/env bash
 set -euo pipefail
 platform="${1:?platform is required}"
 artifact_root="${2:?artifact root is required}"
 required_vars=(
  APP_STORE_CONNECT_API_KEY_ID
  APP_STORE_CONNECT_ISSUER_ID
  APP_STORE_CONNECT_API_KEY_P8_BASE64
 )
 missing=()
 for var_name in "${required_vars[@]}"; do
  if [[ -z "${!var_name:-}" ]]; then
    missing+=("$var_name")
  fi
 done
 if [[ "${#missing[@]}" -gt 0 ]]; then
  echo "Missing App Store Connect secrets: ${missing[*]}" >&2
  exit 1
 fi
 if ! command -v xcrun >/dev/null 2>&1; then
  echo "xcrun is required to upload TestFlight artifacts." >&2
  exit 1
 fi
 apple_decode_base64() {
  if base64 --help 2>&1 | grep -q -- '--decode'; then
    base64 --decode
  else
    base64 -D
  fi
 }
 tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-testflight.XXXXXX")"
 cleanup() {
  rm -rf "$tmp_dir"
 }
 trap cleanup EXIT
 private_keys_dir="$tmp_dir/private_keys"
 mkdir -p "$private_keys_dir"
 p8_path="$private_keys_dir/AuthKey_${APP_STORE_CONNECT_API_KEY_ID}.p8"
 printf '%s' "$APP_STORE_CONNECT_API_KEY_P8_BASE64" | apple_decode_base64 > "$p8_path"
 case "$platform" in
  ios)
    artifact_file="$(find "$artifact_root" -type f -name '*.ipa' | head -n 1)"
    ;;
  macos)
    artifact_file="$(find "$artifact_root" -type f -name '*.pkg' | head -n 1)"
    ;;
  *)
    echo "Unsupported TestFlight platform: $platform" >&2
    exit 1
    ;;
 esac
 if [[ -z "$artifact_file" ]]; then
  echo "No ipa/pkg artifact found under $artifact_root" >&2
  exit 1
 fi
 export API_PRIVATE_KEYS_DIR="$private_keys_dir"
 if [[ "$platform" == "ios" ]]; then
  xcrun altool \
    --upload-app \
    -f "$artifact_file" \
    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
    --show-progress
 else
  xcrun altool \
    --upload-package "$artifact_file" \
    --api-key "$APP_STORE_CONNECT_API_KEY_ID" \
    --api-issuer "$APP_STORE_CONNECT_ISSUER_ID" \
    --show-progress
 fi
--- a/scripts/install-xworkmate-app.sh
+++ b/scripts/install-xworkmate-app.sh
@ -0,0 +1,172 @@
 #!/usr/bin/env bash
 set -euo pipefail
 REPO=${XWORKMATE_INSTALL_REPO:-"x-evor/xworkmate-app"}
 RELEASE_TAG=${XWORKMATE_INSTALL_RELEASE_TAG:-"latest"}
 GITHUB_API=${XWORKMATE_INSTALL_GITHUB_API:-"https://api.github.com"}
 TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/xworkmate-install.XXXXXX")"
 MOUNT_POINT=""
 cleanup() {
  if [[ -n "$MOUNT_POINT" ]]; then
    hdiutil detach "$MOUNT_POINT" -quiet >/dev/null 2>&1 || true
  fi
  rm -rf "$TMP_DIR"
 }
 trap cleanup EXIT
 info() { printf '[INFO] %s\n' "$*" >&2; }
 die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
 need() {
  command -v "$1" >/dev/null 2>&1 || die "Missing required command: $1"
 }
 release_json_url() {
  if [[ "$RELEASE_TAG" == "latest" ]]; then
    printf '%s/repos/%s/releases/latest\n' "$GITHUB_API" "$REPO"
  else
    printf '%s/repos/%s/releases/tags/%s\n' "$GITHUB_API" "$REPO" "$RELEASE_TAG"
  fi
 }
 github_curl() {
  local accept="$1"
  shift
  local token="${GH_TOKEN:-${GITHUB_TOKEN:-}}"
  local -a headers=(
    -H "Accept: $accept"
    -H "X-GitHub-Api-Version: 2022-11-28"
  )
  if [[ -n "$token" ]]; then
    headers+=(-H "Authorization: Bearer $token")
  fi
  curl "${headers[@]}" "$@"
 }
 pick_asset() {
  local metadata_file="$1"
  local pattern="$2"
  python3 - "$metadata_file" "$pattern" <<'PY'
 import json
 import re
 import sys
 from pathlib import Path
 metadata_path = Path(sys.argv[1])
 pattern = re.compile(sys.argv[2])
 data = json.loads(metadata_path.read_text(encoding="utf-8"))
 for asset in data.get("assets", []):
    name = asset.get("name", "")
    if pattern.search(name):
        print(f'{asset.get("url", "")}\t{name}')
        raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 download_asset() {
  local asset_url="$1"
  local output_path="$2"
  github_curl application/octet-stream \
    -fL --retry 5 --retry-all-errors --continue-at - \
    -o "$output_path" "$asset_url"
 }
 install_macos_dmg() {
  local dmg_url="$1"
  local dmg_path="$TMP_DIR/XWorkmate.dmg"
  local target_app="/Applications/XWorkmate.app"
  MOUNT_POINT="$TMP_DIR/mount"
  mkdir -p "$MOUNT_POINT"
  info "Downloading macOS DMG..."
  download_asset "$dmg_url" "$dmg_path"
  info "Mounting DMG..."
  hdiutil attach "$dmg_path" -mountpoint "$MOUNT_POINT" -nobrowse -readonly -quiet
  local source_app="$MOUNT_POINT/XWorkmate.app"
  [[ -d "$source_app" ]] || die "DMG does not contain XWorkmate.app"
  if [[ -d "$target_app" ]]; then
    info "Replacing existing app at $target_app"
    rm -rf "$target_app"
  fi
  info "Installing to $target_app"
  ditto "$source_app" "$target_app"
  xattr -dr com.apple.quarantine "$target_app" 2>/dev/null || true
  info "Installed $target_app"
 }
 install_linux_pkg() {
  local pkg_url="$1"
  local pkg_name="$2"
  local pkg_path="$TMP_DIR/package"
  download_asset "$pkg_url" "$pkg_path"
  need sudo
  if [[ "$pkg_name" == *.deb ]]; then
    info "Installing Debian package..."
    sudo dpkg -i "$pkg_path" || sudo apt-get -f install -y
  elif [[ "$pkg_name" == *.rpm ]]; then
    info "Installing RPM package..."
    if command -v dnf >/dev/null 2>&1; then
      sudo dnf install -y "$pkg_path"
    else
      sudo rpm -Uvh "$pkg_path"
    fi
  else
    die "Unsupported Linux asset: $pkg_name"
  fi
 }
 main() {
  local release_json_path="$TMP_DIR/release.json"
  local asset_name_pattern
  local asset
  local asset_name
  local asset_url
  need curl
  need python3
  info "Resolving release for $REPO"
  github_curl application/vnd.github+json \
    -fsSL "$(release_json_url)" -o "$release_json_path"
  case "$(uname -s)" in
    Darwin)
      asset_name_pattern='^XWorkmate-[^/]+\.dmg$'
      ;;
    Linux)
      case "$(uname -m)" in
        x86_64|amd64) ;;
        *) die "Linux packages are only available for amd64: $(uname -m)" ;;
      esac
      if command -v dpkg >/dev/null 2>&1; then
        asset_name_pattern='^xworkmate_[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?_amd64\.deb$'
      elif command -v rpm >/dev/null 2>&1; then
        asset_name_pattern='^xworkmate-[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9]+)?-1\.x86_64\.rpm$'
      else
        die "Neither dpkg nor rpm found"
      fi
      ;;
    *)
      die "Unsupported OS: $(uname -s)"
      ;;
  esac
  asset="$(pick_asset "$release_json_path" "$asset_name_pattern")" ||
    die "Could not find a matching release asset"
  IFS=$'\t' read -r asset_url asset_name <<<"$asset"
  [[ -n "$asset_url" ]] || die "Matching release asset has no API download URL"
  [[ -n "$asset_name" ]] || die "Matching release asset has no name"
  case "$(uname -s)" in
    Darwin) install_macos_dmg "$asset_url" ;;
    Linux) install_linux_pkg "$asset_url" "$asset_name" ;;
  esac
 }
 main "$@"
--- a/scripts/package-macos-app-store-pkg.sh
+++ b/scripts/package-macos-app-store-pkg.sh
@ -0,0 +1,95 @@
 #!/usr/bin/env bash
 set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 DIST_DIR="$ROOT_DIR/dist/macos-app-store"
 APP_NAME="${APP_NAME:-XWorkmate}"
 APP_STORE_DEFINE="${APP_STORE_DEFINE:---dart-define=XWORKMATE_APP_STORE=${XWORKMATE_APP_STORE:-true}}"
 source "$ROOT_DIR/scripts/ci/apple_signing.sh"
 APPLE_SIGNING_CLEANUP_COMMANDS=()
 trap apple_run_cleanup EXIT
 required_vars=(
  APPLE_CERT_P12_BASE64
  APPLE_CERT_PASSWORD
  APPLE_MAC_PROVISION_PROFILE_BASE64
  APPLE_KEYCHAIN_PASSWORD
 )
 missing=()
 for var_name in "${required_vars[@]}"; do
  if [[ -z "${!var_name:-}" ]]; then
    missing+=("$var_name")
  fi
 done
 if [[ "${#missing[@]}" -gt 0 ]]; then
  echo "Missing macOS TestFlight signing secrets: ${missing[*]}" >&2
  exit 1
 fi
 eval "$(python3 "$ROOT_DIR/scripts/ci/build_version.py" --format shell)"
 app_version="$DISPLAY_VERSION"
 app_build="$BUILD_NUMBER"
 BUILD_DATE_LINE="$(sed -n 's/^build-date:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
 BUILD_ID_LINE="$(sed -n 's/^build-id:[[:space:]]*//p' "$ROOT_DIR/pubspec.yaml" | head -n 1)"
 GIT_BUILD_DATE="$(cd "$ROOT_DIR" && git show -s --format=%cs HEAD 2>/dev/null || true)"
 GIT_BUILD_COMMIT="$(cd "$ROOT_DIR" && git rev-parse --short HEAD 2>/dev/null || true)"
 app_build_date="${GIT_BUILD_DATE:-${BUILD_DATE_LINE:-unknown}}"
 app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
 tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
 cleanup() {
  local status=$?
  rm -rf "$tmp_dir"
  apple_run_cleanup
  return "$status"
 }
 trap cleanup EXIT
 apple_setup_signing_keychain
 apple_install_base64_provision_profile \
  APPLE_MAC_PROVISION_PROFILE_BASE64 \
  plus.svc.xworkmate
 if [[ "$APPLE_SIGNING_PROFILE_TEAM" != "N3G9T67W78" ]]; then
  echo "Provisioning profile team '$APPLE_SIGNING_PROFILE_TEAM' does not match expected team 'N3G9T67W78'." >&2
  exit 1
 fi
 mkdir -p "$DIST_DIR"
 archive_path="$tmp_dir/$APP_NAME.xcarchive"
 export_options_path="$tmp_dir/ExportOptions.plist"
 sed "s|\${EXPORT_METHOD}|app-store|g" "$ROOT_DIR/ios/ExportOptions.plist" > "$export_options_path"
 flutter pub get
 flutter build macos --release \
  --build-name="$PLATFORM_RELEASE_VERSION" \
  --build-number="$app_build" \
  --dart-define="XWORKMATE_DISPLAY_VERSION=$app_version" \
  --dart-define="XWORKMATE_BUILD_NUMBER=$app_build" \
  --dart-define="XWORKMATE_BUILD_DATE=$app_build_date" \
  --dart-define="XWORKMATE_BUILD_COMMIT=$app_build_commit" \
  "$APP_STORE_DEFINE"
 xcodebuild archive \
  -workspace "$ROOT_DIR/macos/Runner.xcworkspace" \
  -scheme Runner \
  -configuration Release \
  -archivePath "$archive_path" \
  -allowProvisioningUpdates \
  -allowProvisioningDeviceRegistration \
  DEVELOPMENT_TEAM="N3G9T67W78"
 xcodebuild -exportArchive \
  -archivePath "$archive_path" \
  -exportPath "$DIST_DIR" \
  -exportOptionsPlist "$export_options_path" \
  -allowProvisioningUpdates
 if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
  echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
  exit 1
 fi
 echo "macOS TestFlight pkg: $(find "$DIST_DIR" -maxdepth 1 -name '*.pkg' | head -n 1)"
--- a/scripts/xcode-tools/lipo
+++ b/scripts/xcode-tools/lipo
@ -0,0 +1,26 @@
 #!/usr/bin/env bash
 set -euo pipefail
 real_lipo="$(xcrun --find lipo)"
 args=("$@")
 verify_index=-1
 for ((index = 0; index < ${#args[@]}; index++)); do
  if [[ "${args[index]}" == "-verify_arch" ]]; then
    verify_index=$index
    break
  fi
 done
 # Xcode 27 accepts one architecture per -verify_arch invocation. Flutter
 # passes all requested architectures at once, so verify each one separately.
 if ((verify_index >= 0 && ${#args[@]} - verify_index > 2)); then
  command_prefix=("${args[@]:0:verify_index}")
  architectures=("${args[@]:verify_index+1}")
  for architecture in "${architectures[@]}"; do
    "$real_lipo" "${command_prefix[@]}" -verify_arch "$architecture"
  done
  exit 0
 fi
 exec "$real_lipo" "$@"
--- a/test/features/assistant/assistant_connection_status_test.dart
+++ b/test/features/assistant/assistant_connection_status_test.dart
@ -128,6 +128,45 @@ void main() {
      expect(state.gatewayTokenMissing, isFalse);
    });
    test(
      'manual bridge discovery does not require a svc.plus account session',
      () {
        final state = resolveGatewayThreadConnectionStateInternal(
          target: AssistantExecutionTarget.gateway,
          bridgeReady: false,
          bridgeLabel: 'private-bridge.example.com',
          accountSyncState: null,
          accountSignedIn: false,
          bridgeConfigured: true,
        );
        expect(state.connected, isFalse);
        expect(state.status, RuntimeConnectionStatus.offline);
        expect(state.primaryLabel, '正在发现');
        expect(state.detailLabel, '正在加载 Bridge 能力...');
        expect(state.detailLabel, isNot(contains('svc.plus')));
      },
    );
    test('manual bridge discovery failure is shown while signed out', () {
      final state = resolveGatewayThreadConnectionStateInternal(
        target: AssistantExecutionTarget.gateway,
        bridgeReady: false,
        bridgeLabel: 'private-bridge.example.com',
        accountSyncState: null,
        accountSignedIn: false,
        bridgeConfigured: true,
        bridgeDiscoveryAttempted: true,
        bridgeDiscoveryError: 'ACP_HTTP_CONNECT_FAILED',
        providerCatalogEmpty: true,
      );
      expect(state.status, RuntimeConnectionStatus.error);
      expect(state.primaryLabel, '连接失败');
      expect(state.detailLabel, 'ACP_HTTP_CONNECT_FAILED');
      expect(state.detailLabel, isNot(contains('svc.plus')));
    });
    test('surfaces failed discovery after capability refresh is attempted', () {
      final state = resolveGatewayThreadConnectionStateInternal(
        target: AssistantExecutionTarget.gateway,
--- a/test/features/workspace_management/workspace_management_unit_test.dart
+++ b/test/features/workspace_management/workspace_management_unit_test.dart
@ -157,7 +157,13 @@ BRIDGE_PORT_443_OPEN=yes
      final yaml = controller.exportYaml();
      expect(yaml, contains('server_address: 203.0.113.10'));
-      expect(yaml, contains('ssh_password_fixture: "example"'));
+      const sshPasswordKey = 'ssh_password';
      expect(
        yaml,
        contains(
          '$sshPasswordKey: "${WorkspaceProvisionController.redactedValue}"',
        ),
      );
      expect(yaml, contains('extra_configs:'));
      expect(yaml, contains('key: DEEPSEEK_API_KEY'));
      expect(yaml, contains('value: "__redacted__"'));
@ -407,7 +413,7 @@ ssh_port: 22
 install_path: /opt/xworkspace/playbooks
 show_advanced: true
 logs_expanded: false
-ssh_password_fixture: "example"
+ssh_password: "${WorkspaceProvisionController.redactedValue}"
 extra_configs:
  - key: DEEPSEEK_API_KEY
    value: "deepseek-new"
--- a/test/runtime/assistant_execution_target_test.dart
+++ b/test/runtime/assistant_execution_target_test.dart
@ -322,9 +322,7 @@ void main() {
        'xworkmate-no-runtime-main-home-',
      );
      addTearDown(() async {
-        if (await localHome.exists()) {
+        await _resilientDelete(localHome);
          await localHome.delete(recursive: true);
        }
      });
      final controller = _sandboxController(
        environmentOverride: const <String, String>{},
@ -358,9 +356,7 @@ void main() {
          'xworkmate-refresh-no-session-one-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final controller = _sandboxController(
          environmentOverride: const <String, String>{},
@ -439,9 +435,7 @@ void main() {
          'xworkmate-stable-task-selection-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final controller = _sandboxController(
          environmentOverride: const <String, String>{},
@ -1716,9 +1710,7 @@ void main() {
          'xworkmate-acp-interrupt-artifacts-',
        );
        addTearDown(() async {
-          if (await localWorkspace.exists()) {
+          await _resilientDelete(localWorkspace);
            await localWorkspace.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _RecordingGoTaskServiceClient()
          ..onExecuteTask = ((request) async {
@ -2017,9 +2009,7 @@ void main() {
          'xworkmate-acp-handshake-interrupt-artifacts-',
        );
        addTearDown(() async {
-          if (await localWorkspace.exists()) {
+          await _resilientDelete(localWorkspace);
            await localWorkspace.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _RecordingGoTaskServiceClient()
          ..updatesBeforeNextOutcome.add(
@ -2383,9 +2373,7 @@ void main() {
          'xworkmate-background-completion-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _BlockingGoTaskServiceClient();
        final controller = _connectedController(
@ -2508,9 +2496,7 @@ void main() {
          'xworkmate-same-prompt-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _BlockingGoTaskServiceClient();
        final controller = _connectedController(
@ -2683,9 +2669,7 @@ void main() {
          'xworkmate-same-prompt-empty-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _BlockingGoTaskServiceClient();
        final controller = _connectedController(
@ -2707,9 +2691,7 @@ void main() {
              continue;
            }
            final directory = Directory(workspace);
-            if (await directory.exists()) {
+            await _resilientDelete(directory);
              await directory.delete(recursive: true);
            }
          }
        });
@ -2845,9 +2827,7 @@ void main() {
          'xworkmate-terminal-failure-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _BlockingGoTaskServiceClient();
        final controller = _connectedController(
@ -2925,9 +2905,7 @@ void main() {
          'xworkmate-empty-output-home-',
        );
        addTearDown(() async {
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        final fakeGoTaskService = _BlockingGoTaskServiceClient();
        final controller = _connectedController(
@ -3297,9 +3275,7 @@ void main() {
        addTearDown(() async {
          fakeGoTaskService.completeAll();
          controller.dispose();
-          if (await localHome.exists()) {
+          await _resilientDelete(localHome);
            await localHome.delete(recursive: true);
          }
        });
        for (
@ -4902,19 +4878,28 @@ UiFeatureManifest _defaultDesktopManifest() {
 }
 Future<void> _resilientDelete(Directory dir) async {
  if (!await dir.exists()) {
    return;
  }
  for (var attempt = 0; attempt < 8; attempt++) {
    if (!await dir.exists()) {
      return;
    }
    try {
      await dir.delete(recursive: true);
      return;
    } catch (error) {
      // A background flush (e.g. controller dispose still persisting state)
      // may keep writing into the temp dir, so a recursive delete can race
      // and fail with "Directory not empty". Retry a few times.
      debugPrint('Temporary directory delete retry: $error');
      await Future<void>.delayed(const Duration(milliseconds: 50));
    }
  }
-  await dir.delete(recursive: true);
+  // Best-effort cleanup: never fail a test over leftover temp files; the OS
  // reclaims the temp directory regardless.
  try {
    await dir.delete(recursive: true);
  } catch (error) {
    debugPrint('Giving up on temporary directory cleanup: $error');
  }
 }
 AppController _sandboxController({