@wangyaoshen/remux 0.3.8-dev.bab6c95 → 0.3.9-dev.390cb29

package/packages/RemuxKit/Sources/RemuxKit/Networking/MessageRouter.swift

@@ -6,7 +6,8 @@ public struct MessageRouter: Sendable {
 
     /// Parsed message with type info extracted
     public enum RoutedMessage: Sendable {
-        case state(WorkspaceState)
+        case workspaceSnapshot(WorkspaceSnapshot)
+        case attached(AttachedPayload)
         case inspectResult(InspectSnapshot)
         case roleChanged(String) // "active" or "observer"
         case deviceList([DeviceInfo])
@@ -42,13 +43,58 @@ public struct MessageRouter: Sendable {
         guard let type = msgType else { return nil }
 
         switch type {
+        case "bootstrap":
+            if let p = payload, let bootstrap = decode(BootstrapPayload.self, from: p) {
+                return .workspaceSnapshot(
+                    WorkspaceSnapshot(sessions: bootstrap.sessions, clients: bootstrap.clients)
+                )
+            }
         case "state":
-            if let p = payload, let state = decode(WorkspaceState.self, from: p) {
-                return .state(state)
+            if let p = payload {
+                if let snapshot = decode(CurrentWorkspaceStatePayload.self, from: p) {
+                    return .workspaceSnapshot(
+                        WorkspaceSnapshot(sessions: snapshot.sessions, clients: snapshot.clients)
+                    )
+                }
+                if let state = decode(WorkspaceState.self, from: p) {
+                    let session = WorkspaceSessionSummary(
+                        name: state.session,
+                        tabs: state.tabs.map {
+                            WorkspaceSessionTab(
+                                id: $0.index,
+                                title: $0.name,
+                                ended: false,
+                                clients: 0,
+                                restored: false
+                            )
+                        },
+                        createdAt: 0
+                    )
+                    return .workspaceSnapshot(
+                        WorkspaceSnapshot(
+                            sessions: [session],
+                            clients: [ConnectedClientInfo(
+                                clientId: "",
+                                role: "active",
+                                session: state.session,
+                                tabId: state.activeTabIndex
+                            )]
+                        )
+                    )
+                }
+            }
+        case "attached":
+            if let p = payload, let attached = decode(AttachedPayload.self, from: p) {
+                return .attached(attached)
             }
         case "inspect_result":
-            if let p = payload, let snapshot = decode(InspectSnapshot.self, from: p) {
-                return .inspectResult(snapshot)
+            if let p = payload {
+                if let snapshot = decode(InspectSnapshot.self, from: p) {
+                    return .inspectResult(snapshot)
+                }
+                if let result = decode(ServerInspectResult.self, from: p) {
+                    return .inspectResult(convertInspectResult(result))
+                }
             }
         case "role_changed":
             if let role = payload?["role"] as? String {
@@ -67,7 +113,9 @@ public struct MessageRouter: Sendable {
                 return .pushStatus(status)
             }
         case "error":
-            let message = payload?["message"] as? String ?? "Unknown error"
+            let message = payload?["reason"] as? String
+                ?? payload?["message"] as? String
+                ?? "Unknown error"
             return .error(message)
         default:
             return .unknown(type: type, raw: text)
@@ -76,6 +124,37 @@ public struct MessageRouter: Sendable {
         return .unknown(type: type, raw: text)
     }
 
+    private func convertInspectResult(_ result: ServerInspectResult) -> InspectSnapshot {
+        let timestamp = ISO8601DateFormatter().string(from: Date(timeIntervalSince1970: TimeInterval(result.meta.timestamp) / 1000))
+        let lines = result.text.split(separator: "\n", omittingEmptySubsequences: false)
+        let items = lines.enumerated().map { offset, line in
+            InspectItem(
+                type: "output",
+                content: String(line),
+                lineNumber: offset + 1,
+                timestamp: timestamp,
+                paneId: result.meta.tabId.map(String.init),
+                highlights: nil
+            )
+        }
+
+        return InspectSnapshot(
+            descriptor: InspectDescriptor(
+                scope: "tab",
+                source: "server",
+                precision: "precise",
+                staleness: "fresh",
+                capturedAt: timestamp,
+                paneId: result.meta.tabId.map(String.init),
+                tabIndex: result.meta.tabId,
+                totalItems: items.count
+            ),
+            items: items,
+            cursor: nil,
+            truncated: false
+        )
+    }
+
     private func decode<T: Decodable>(_ type: T.Type, from dict: [String: Any]) -> T? {
         guard let data = try? JSONSerialization.data(withJSONObject: dict) else { return nil }
         return try? JSONDecoder().decode(type, from: data)
@@ -89,8 +168,8 @@ public struct DeviceInfo: Codable, Equatable, Sendable {
     public let fingerprint: String?
     public let name: String?
     public let platform: String?
-    public let trustLevel: String
-    public let lastSeen: String?
+    public let trust: String
+    public let lastSeen: Int?
 }
 
 public struct DeviceListPayload: Codable, Equatable, Sendable {
@@ -100,7 +179,7 @@ public struct DeviceListPayload: Codable, Equatable, Sendable {
 public struct PairResultPayload: Codable, Equatable, Sendable {
     public let success: Bool
     public let deviceId: String?
-    public let error: String?
+    public let reason: String?
 }
 
 public struct PushStatusPayload: Codable, Equatable, Sendable {

package/packages/RemuxKit/Sources/RemuxKit/Networking/RemuxConnection.swift

@@ -10,7 +10,7 @@ public enum ConnectionStatus: Sendable, Equatable {
 }
 
 /// Credentials used to authenticate with the server
-public enum RemuxCredential: Sendable {
+public enum RemuxCredential: Sendable, Equatable {
     case token(String)
     case password(String)
     case resumeToken(String)
@@ -30,6 +30,29 @@ public protocol RemuxConnectionDelegate: AnyObject, Sendable {
 /// Handles authentication, automatic reconnection with exponential backoff, and heartbeat.
 public final class RemuxConnection: NSObject, @unchecked Sendable {
 
+    enum IncomingTextDisposition: Equatable {
+        case terminal(String)
+        case control(String?)
+    }
+
+    static let legacyControlTypes: Set<String> = [
+        "auth_ok",
+        "auth_error",
+        "attached",
+        "bootstrap",
+        "device_list",
+        "error",
+        "inspect_result",
+        "pair_code",
+        "pair_result",
+        "ping",
+        "push_status",
+        "push_subscribed",
+        "role_changed",
+        "state",
+        "vapid_key",
+    ]
+
     public let serverURL: URL
     private let credential: RemuxCredential
     private let cols: Int
@@ -223,21 +246,19 @@ public final class RemuxConnection: NSObject, @unchecked Sendable {
     }
 
     private func handleTextMessage(_ text: String) {
-        // PTY data from remux server is sent as raw text (not JSON).
-        // JSON control messages start with '{'. If text doesn't start with '{',
-        // it's PTY terminal data — forward as binary data for rendering.
-        guard text.hasPrefix("{") else {
-            if let data = text.data(using: .utf8) {
+        switch Self.classifyIncomingText(text) {
+        case .terminal(let terminalText):
+            if let data = terminalText.data(using: .utf8) {
                 let delegate = self.delegate
                 DispatchQueue.main.async { delegate?.connectionDidReceiveData(data) }
             }
             return
+        case .control:
+            break
         }
 
-        // Try JSON parse for control messages
         guard let data = text.data(using: .utf8),
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-            // Malformed JSON — treat as PTY data
             if let data = text.data(using: .utf8) {
                 let delegate = self.delegate
                 DispatchQueue.main.async { delegate?.connectionDidReceiveData(data) }
@@ -392,4 +413,22 @@ public final class RemuxConnection: NSObject, @unchecked Sendable {
             delegate?.connectionDidChangeStatus(status)
         }
     }
+
+    static func classifyIncomingText(_ text: String) -> IncomingTextDisposition {
+        guard text.hasPrefix("{"),
+              let data = text.data(using: .utf8),
+              let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
+            return .terminal(text)
+        }
+
+        if let version = json["v"] as? Int, version >= 1, json["type"] as? String != nil {
+            return .control(json["type"] as? String)
+        }
+
+        if let type = json["type"] as? String, legacyControlTypes.contains(type) {
+            return .control(type)
+        }
+
+        return .terminal(text)
+    }
 }

package/packages/RemuxKit/Sources/RemuxKit/State/RemuxState.swift

@@ -35,12 +35,16 @@ public final class RemuxState {
 
     private var connection: RemuxConnection?
     private let router = MessageRouter()
+    private var workspaceSnapshot = WorkspaceSnapshot(sessions: [], clients: [])
+    private var clientId: String?
+    private var currentTabId: Int?
 
     public init() {}
 
     // MARK: - Connection management
 
     public func connect(url: URL, credential: RemuxCredential) {
+        connection?.disconnect()
         serverURL = url
         let conn = RemuxConnection(serverURL: url, credential: credential)
         conn.delegate = self
@@ -56,19 +60,23 @@ public final class RemuxState {
     // MARK: - Actions
 
     public func switchTab(id: String) {
-        sendJSON(["type": "attach_tab", "tabId": id])
+        sendJSON(["type": "attach_tab", "tabId": Int(id) ?? id])
     }
 
     public func createTab() {
-        sendJSON(["type": "new_tab"])
+        var payload: [String: Any] = ["type": "new_tab"]
+        if !currentSession.isEmpty {
+            payload["session"] = currentSession
+        }
+        sendJSON(payload)
     }
 
     public func closeTab(id: String) {
-        sendJSON(["type": "close_tab", "tabId": id])
+        sendJSON(["type": "close_tab", "tabId": Int(id) ?? id])
     }
 
     public func renameTab(id: String, name: String) {
-        sendJSON(["type": "rename_tab", "tabId": id, "name": name])
+        sendJSON(["type": "rename_tab", "tabId": Int(id) ?? id, "title": name])
     }
 
     public func createSession(name: String) {
@@ -80,6 +88,9 @@ public final class RemuxState {
     }
 
     public func requestInspect(tabIndex: Int? = nil, query: String? = nil) {
+        if let tabId = tabIndex, tabId != currentTabId {
+            sendJSON(["type": "attach_tab", "tabId": tabId])
+        }
         var dict: [String: Any] = ["type": "inspect"]
         if let idx = tabIndex { dict["tabIndex"] = idx }
         if let q = query { dict["query"] = q }
@@ -127,10 +138,14 @@ public final class RemuxState {
         guard let routed = router.route(text) else { return }
 
         switch routed {
-        case .state(let ws):
-            currentSession = ws.session
-            tabs = ws.tabs
-            activeTabIndex = ws.activeTabIndex
+        case .workspaceSnapshot(let snapshot):
+            applyWorkspaceSnapshot(snapshot)
+        case .attached(let attached):
+            clientId = attached.clientId
+            currentSession = attached.session
+            currentTabId = attached.tabId
+            clientRole = attached.role
+            rebuildTabs()
         case .inspectResult(let snapshot):
             inspectSnapshot = snapshot
         case .roleChanged(let role):
@@ -148,6 +163,64 @@ public final class RemuxState {
             break
         }
     }
+
+    private func applyWorkspaceSnapshot(_ snapshot: WorkspaceSnapshot) {
+        workspaceSnapshot = snapshot
+
+        if let clientId,
+           let client = snapshot.clients.first(where: { $0.clientId == clientId }) {
+            currentSession = client.session ?? currentSession
+            currentTabId = client.tabId ?? currentTabId
+            clientRole = client.role
+        } else if currentSession.isEmpty, let firstSession = snapshot.sessions.first?.name {
+            currentSession = firstSession
+        }
+
+        rebuildTabs()
+    }
+
+    private func rebuildTabs() {
+        let sessionSummary =
+            workspaceSnapshot.sessions.first(where: { $0.name == currentSession })
+            ?? workspaceSnapshot.sessions.first
+
+        if currentSession.isEmpty, let sessionSummary {
+            currentSession = sessionSummary.name
+        }
+
+        guard let sessionSummary else {
+            tabs = []
+            activeTabIndex = 0
+            return
+        }
+
+        let activeTabId = currentTabId ?? sessionSummary.tabs.first?.id
+        currentTabId = activeTabId
+        activeTabIndex = activeTabId ?? 0
+        tabs = sessionSummary.tabs.map { tab in
+            let isActive = tab.id == activeTabId
+            return WorkspaceTab(
+                index: tab.id,
+                name: tab.title,
+                active: isActive,
+                isFullscreen: false,
+                hasBell: false,
+                panes: [
+                    WorkspacePane(
+                        id: String(tab.id),
+                        focused: isActive,
+                        title: tab.title,
+                        command: nil,
+                        cwd: nil,
+                        rows: 24,
+                        cols: 80,
+                        x: 0,
+                        y: 0
+                    )
+                ]
+            )
+        }
+    }
 }
 
 // MARK: - RemuxConnectionDelegate

package/packages/RemuxKit/Sources/RemuxKit/Storage/KeychainStore.swift

@@ -51,10 +51,29 @@ public struct KeychainStore: Sendable {
 
     /// Returns all server URLs that have stored credentials.
     public func savedServers() -> [String] {
+        let labels = ["resume_token", "server_token"]
+        var servers = Set<String>()
+        for label in labels {
+            servers.formUnion(savedServers(label: label))
+        }
+        return servers.sorted()
+    }
+
+    public func preferredCredential(forServer server: String) -> RemuxCredential? {
+        if let resumeToken = loadResumeToken(forServer: server) {
+            return .resumeToken(resumeToken)
+        }
+        if let token = loadServerToken(forServer: server) {
+            return .token(token)
+        }
+        return nil
+    }
+
+    private func savedServers(label: String) -> [String] {
         let query: [String: Any] = [
             kSecClass as String: kSecClassGenericPassword,
             kSecAttrService as String: Self.service,
-            kSecAttrLabel as String: "resume_token",
+            kSecAttrLabel as String: label,
             kSecMatchLimit as String: kSecMatchLimitAll,
             kSecReturnAttributes as String: true,
         ]

package/packages/RemuxKit/Tests/RemuxKitTests/ConnectionIntegrationTest.swift

@@ -72,3 +72,19 @@ struct ConnectionIntegrationTests {
         #expect(result.state == true)
     }
 }
+
+@Suite("RemuxConnection")
+struct RemuxConnectionTests {
+
+    @Test("Treat non-protocol JSON output as terminal data")
+    func classifyJsonTerminalOutput() {
+        let disposition = RemuxConnection.classifyIncomingText(#"{"message":"hello"}"#)
+        #expect(disposition == .terminal(#"{"message":"hello"}"#))
+    }
+
+    @Test("Treat enveloped messages as control")
+    func classifyEnvelopedControl() {
+        let disposition = RemuxConnection.classifyIncomingText(#"{"v":1,"type":"state","payload":{"sessions":[],"clients":[]}}"#)
+        #expect(disposition == .control("state"))
+    }
+}

package/packages/RemuxKit/Tests/RemuxKitTests/KeychainStoreTests.swift

@@ -78,4 +78,30 @@ struct KeychainStoreTests {
         #expect(store.loadServerToken(forServer: testServer) == nil)
         #expect(store.loadDeviceId(forServer: testServer) == nil)
     }
+
+    @Test("Saved servers include token-only and resume-token-only entries", .enabled(if: keychainAvailable))
+    func savedServersIncludesAllCredentialTypes() throws {
+        let tokenOnly = "token-only-\(UUID().uuidString)"
+        let resumeOnly = "resume-only-\(UUID().uuidString)"
+        try store.saveServerToken("tok", forServer: tokenOnly)
+        try store.saveResumeToken("resume", forServer: resumeOnly)
+        defer {
+            store.deleteAll(forServer: tokenOnly)
+            store.deleteAll(forServer: resumeOnly)
+        }
+
+        let servers = store.savedServers()
+        #expect(servers.contains(tokenOnly))
+        #expect(servers.contains(resumeOnly))
+    }
+
+    @Test("Preferred credential uses resume token before server token", .enabled(if: keychainAvailable))
+    func preferredCredentialPrefersResumeToken() throws {
+        try store.saveServerToken("tok", forServer: testServer)
+        try store.saveResumeToken("resume", forServer: testServer)
+        defer { store.deleteAll(forServer: testServer) }
+
+        let credential = store.preferredCredential(forServer: testServer)
+        #expect(credential == .resumeToken("resume"))
+    }
 }

package/packages/RemuxKit/Tests/RemuxKitTests/ProtocolModelsTests.swift

@@ -118,14 +118,16 @@ struct MessageRouterTests {
     func routeStateMessage() throws {
         let router = MessageRouter()
         let json = """
-        {"v":1,"type":"state","domain":"runtime","emittedAt":"2026-04-01T00:00:00Z","source":"server","payload":{"session":"main","tabs":[],"activeTabIndex":0}}
+        {"v":1,"type":"state","domain":"runtime","emittedAt":"2026-04-01T00:00:00Z","source":"server","payload":{"sessions":[{"name":"main","tabs":[{"id":7,"title":"zsh","ended":false,"clients":1,"restored":false}],"createdAt":1712000000000}],"clients":[{"clientId":"c1","role":"active","session":"main","tabId":7}]}}
         """
         let result = router.route(json)
-        guard case .state(let state) = result else {
-            Issue.record("Expected .state, got \(String(describing: result))")
+        guard case .workspaceSnapshot(let snapshot) = result else {
+            Issue.record("Expected .workspaceSnapshot, got \(String(describing: result))")
             return
         }
-        #expect(state.session == "main")
+        #expect(snapshot.sessions.count == 1)
+        #expect(snapshot.sessions[0].name == "main")
+        #expect(snapshot.sessions[0].tabs[0].id == 7)
     }
 
     @Test("Route legacy state message")
@@ -135,11 +137,12 @@ struct MessageRouterTests {
         {"type":"state","session":"dev","tabs":[],"activeTabIndex":0}
         """
         let result = router.route(json)
-        guard case .state(let state) = result else {
-            Issue.record("Expected .state, got \(String(describing: result))")
+        guard case .workspaceSnapshot(let snapshot) = result else {
+            Issue.record("Expected .workspaceSnapshot, got \(String(describing: result))")
             return
         }
-        #expect(state.session == "dev")
+        #expect(snapshot.sessions.first?.name == "dev")
+        #expect(snapshot.sessions.first?.tabs.isEmpty == true)
     }
 
     @Test("Route role_changed message")
@@ -176,4 +179,35 @@ struct MessageRouterTests {
         let result = router.route("not json")
         #expect(result == nil)
     }
+
+    @Test("Route bootstrap message")
+    func routeBootstrapMessage() throws {
+        let router = MessageRouter()
+        let json = """
+        {"v":1,"type":"bootstrap","domain":"core","emittedAt":"2026-04-01T00:00:00Z","source":"server","payload":{"sessions":[{"name":"default","tabs":[{"id":1,"title":"shell","ended":false,"clients":1,"restored":false}],"createdAt":1712000000000}],"clients":[{"clientId":"c1","role":"active","session":"default","tabId":1}]}}
+        """
+        let result = router.route(json)
+        guard case .workspaceSnapshot(let snapshot) = result else {
+            Issue.record("Expected .workspaceSnapshot")
+            return
+        }
+        #expect(snapshot.sessions.first?.tabs.first?.title == "shell")
+        #expect(snapshot.clients.first?.clientId == "c1")
+    }
+
+    @Test("Route current inspect result")
+    func routeCurrentInspectResult() throws {
+        let router = MessageRouter()
+        let json = """
+        {"v":1,"type":"inspect_result","domain":"runtime","emittedAt":"2026-04-01T00:00:00Z","source":"server","payload":{"text":"first\\nsecond","meta":{"session":"default","tabId":7,"tabTitle":"shell","cols":80,"rows":24,"timestamp":1712000000000}}}
+        """
+        let result = router.route(json)
+        guard case .inspectResult(let snapshot) = result else {
+            Issue.record("Expected .inspectResult")
+            return
+        }
+        #expect(snapshot.items.count == 2)
+        #expect(snapshot.items[0].content == "first")
+        #expect(snapshot.descriptor.tabIndex == 7)
+    }
 }

package/packages/RemuxKit/Tests/RemuxKitTests/RemuxStateTests.swift

@@ -20,12 +20,13 @@ struct RemuxStateTests {
     func processWorkspaceState() {
         let state = RemuxState()
         let json = """
-        {"type":"state","session":"main","tabs":[{"index":0,"name":"zsh","active":true,"isFullscreen":false,"hasBell":false,"panes":[{"id":"p1","focused":true,"title":"zsh","command":null,"cwd":"/tmp","rows":24,"cols":80,"x":0,"y":0}]}],"activeTabIndex":0}
+        {"type":"state","sessions":[{"name":"main","tabs":[{"id":11,"title":"zsh","ended":false,"clients":1,"restored":false}],"createdAt":1712000000000}],"clients":[]}
         """
         state.connectionDidReceiveMessage(json)
         #expect(state.currentSession == "main")
         #expect(state.tabs.count == 1)
         #expect(state.tabs[0].name == "zsh")
+        #expect(state.tabs[0].panes[0].id == "11")
     }
 
     @Test("Process role_changed message")
@@ -44,7 +45,7 @@ struct RemuxStateTests {
     func processInspectResult() {
         let state = RemuxState()
         let json = """
-        {"type":"inspect_result","descriptor":{"scope":"tab","source":"state_tracker","precision":"precise","staleness":"fresh","capturedAt":"2026-04-01T00:00:00Z","paneId":null,"tabIndex":0,"totalItems":1},"items":[{"type":"output","content":"hello","lineNumber":1,"timestamp":"2026-04-01T00:00:00Z","paneId":"p1","highlights":null}],"cursor":null,"truncated":false}
+        {"type":"inspect_result","text":"hello","meta":{"session":"main","tabId":11,"tabTitle":"zsh","cols":80,"rows":24,"timestamp":1712000000000}}
         """
         state.connectionDidReceiveMessage(json)
         #expect(state.inspectSnapshot != nil)
@@ -52,6 +53,23 @@ struct RemuxStateTests {
         #expect(state.inspectSnapshot?.items[0].content == "hello")
     }
 
+    @Test("Attached message updates current tab and role")
+    @MainActor
+    func processAttached() {
+        let state = RemuxState()
+        state.connectionDidReceiveMessage("""
+        {"type":"state","sessions":[{"name":"main","tabs":[{"id":11,"title":"zsh","ended":false,"clients":1,"restored":false}],"createdAt":1712000000000}],"clients":[]}
+        """)
+        state.connectionDidReceiveMessage("""
+        {"type":"attached","tabId":11,"session":"main","clientId":"c1","role":"observer"}
+        """)
+
+        #expect(state.currentSession == "main")
+        #expect(state.activeTabIndex == 11)
+        #expect(state.clientRole == "observer")
+        #expect(state.tabs.first?.active == true)
+    }
+
     @Test("ConnectionStatus is Equatable")
     func statusEquatable() {
         #expect(ConnectionStatus.connected == ConnectionStatus.connected)

package/scripts/setup-ci-secrets.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+# Export signing certificates and configure GitHub Secrets for CI/CD.
+# Must be run interactively (GUI session required for keychain export).
+set -euo pipefail
+
+REPO="yaoshenwang/remux"
+EXPORT_PW="ci-remux-2024"
+TMPDIR=$(mktemp -d)
+trap "rm -rf $TMPDIR" EXIT
+
+echo "=== Remux CI/CD Secrets Setup ==="
+echo ""
+
+# Step 1: Export certificates
+echo "[1/4] 导出签名证书..."
+echo "  macOS 会弹出 Keychain 授权对话框，请点击「允许」"
+echo ""
+
+# Find cert hashes
+DEV_HASH=$(security find-identity -v -p codesigning | grep "Apple Development" | head -1 | awk '{print $2}')
+DIST_HASH=$(security find-identity -v -p codesigning | grep "Apple Distribution" | head -1 | awk '{print $2}')
+DEVID_HASH=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk '{print $2}')
+
+echo "  Apple Development: $DEV_HASH"
+echo "  Apple Distribution: $DIST_HASH"
+echo "  Developer ID Application: $DEVID_HASH"
+echo ""
+
+# Export all identities as one .p12 (Keychain will prompt for each)
+security export -k ~/Library/Keychains/login.keychain-db \
+  -t identities -f pkcs12 -P "$EXPORT_PW" \
+  -o "$TMPDIR/certs.p12"
+
+echo "✓ 证书导出成功"
+
+# Step 2: Base64 encode
+echo ""
+echo "[2/4] 编码证书和 API Key..."
+
+CERTS_B64=$(base64 < "$TMPDIR/certs.p12")
+P8_B64=$(base64 < ~/.private_keys/AuthKey_2D79888WND.p8)
+
+echo "✓ 编码完成"
+
+# Step 3: Set GitHub Secrets
+echo ""
+echo "[3/4] 设置 GitHub Secrets..."
+
+gh secret set APPLE_CERTIFICATES_P12 --repo "$REPO" --body "$CERTS_B64"
+echo "  ✓ APPLE_CERTIFICATES_P12"
+
+gh secret set APPLE_CERTIFICATES_PASSWORD --repo "$REPO" --body "$EXPORT_PW"
+echo "  ✓ APPLE_CERTIFICATES_PASSWORD"
+
+gh secret set APP_STORE_CONNECT_API_KEY_ID --repo "$REPO" --body "2D79888WND"
+echo "  ✓ APP_STORE_CONNECT_API_KEY_ID"
+
+gh secret set APP_STORE_CONNECT_ISSUER_ID --repo "$REPO" --body "871408b2-72c1-4989-9530-5b72d99f4f27"
+echo "  ✓ APP_STORE_CONNECT_ISSUER_ID"
+
+gh secret set APP_STORE_CONNECT_API_KEY_P8 --repo "$REPO" --body "$P8_B64"
+echo "  ✓ APP_STORE_CONNECT_API_KEY_P8"
+
+gh secret set APPLE_TEAM_ID --repo "$REPO" --body "LY8QD6TJN6"
+echo "  ✓ APPLE_TEAM_ID"
+
+# Step 4: Verify
+echo ""
+echo "[4/4] 验证..."
+gh secret list --repo "$REPO"
+
+echo ""
+echo "=== 全部完成 ✅ ==="
+echo "已配置以下 Secrets:"
+echo "  APPLE_CERTIFICATES_P12          — 签名证书 (Development + Distribution + Developer ID)"
+echo "  APPLE_CERTIFICATES_PASSWORD     — 证书导出密码"
+echo "  APP_STORE_CONNECT_API_KEY_ID    — API Key ID"
+echo "  APP_STORE_CONNECT_ISSUER_ID     — Issuer ID"
+echo "  APP_STORE_CONNECT_API_KEY_P8    — API Key .p8 (base64)"
+echo "  APPLE_TEAM_ID                   — Apple Team ID"