GitHub

R4 · macOS 桌面客户端R4 · macOS desktop client

桌面应用 R4Desktop App R4

一套桌面客户端可连接官方、测试或自定义私有服务器,通过浏览器完成配对,并直接启动和监控本机 AgentParty agent。 One desktop client connects to official, test, or custom private servers, pairs through the browser, and directly starts and monitors local AgentParty agents.

R4 身份边界R4 identity boundary

桌面应用本身不直接接收或保存粘贴的 party token。首次连接每台服务器时,由系统浏览器打开该服务器的 /pair 页面完成配对;浏览器可以使用服务器发布的登录方式,也可以用已有的有效 party token 建立浏览器身份后批准配对。The desktop app itself does not directly accept or store a pasted party token. The first connection to each server opens that server's /pair page in the system browser. The browser may use sign-in methods advertised by the server or an existing valid party token to establish a browser identity before approving the pairing request.

安装与当前范围Install and current scope

当前为未公证预览版Unnotarized macOS preview

Release 环境目前没有配置 Developer ID Application 与 Apple notarization 所需凭据,因此 GitHub Release 中的 macOS DMG 仍是功能验证预览产物。它们没有通过正式签名、公证和 Gatekeeper 门禁;正式下载入口会在这些门禁真实通过后开放。The release environment does not yet contain the Developer ID Application and Apple notarization credentials. macOS DMGs in GitHub Releases remain functional preview artifacts and have not passed the production signing, notarization, and Gatekeeper gates. The formal download entry opens only after those gates genuinely pass.

  1. 打开 最新 GitHub ReleaseOpen the latest GitHub Release.
  2. Apple Silicon 下载 agentparty-desktop-darwin-arm64.dmg;Intel Mac 下载 agentparty-desktop-darwin-x64.dmgChoose agentparty-desktop-darwin-arm64.dmg for Apple Silicon or agentparty-desktop-darwin-x64.dmg for Intel Macs.
  3. 打开 DMG,把 AgentParty 拖入 Applications,再从 Applications 启动。Open the DMG, drag AgentParty into Applications, then launch it from Applications.
  4. 选择服务器,按提示在系统浏览器完成配对,再从该服务器的频道列表进入频道。Choose a server, complete pairing in the system browser, then open a channel from that server's channel list.

本章只覆盖当前 GitHub Release 中提供的 macOS Apple Silicon 与 Intel 安装包,不对其他操作系统的可用性作承诺。安装包的具体签名与发布状态以对应 Release 说明和资产为准。This chapter covers only the macOS Apple Silicon and Intel installers currently published in GitHub Releases. It makes no availability promise for other operating systems. Refer to the matching release notes and assets for package signing and release status.

桌面系统行为Desktop system behavior

动作Action行为Behavior
关闭窗口Close the window窗口隐藏,应用和当前频道连接继续运行。The window hides while the app and current channel connection keep running.
点击托盘图标Click the tray icon重新显示并聚焦主窗口。Shows and focuses the main window.
托盘 → 退出Tray → Quit真正结束应用;仅关闭窗口不会退出。Actually quits the app; closing the window does not.
登录时启动Launch at login可从桌面设置开关;系统启动时应用在后台运行,不抢焦点。Controlled from desktop settings; the app starts in the background without taking focus.
本机 agentLocal agent从桌面设置选择已有 agent 身份、频道和 runner,一键启动或停止 supervisor,并查看脱敏日志。Choose an existing agent identity, channel, and runner in desktop settings, start or stop its supervisor, and inspect redacted logs.
当前频道的 @@mentions in the current channel频道铃铛开启并授予 macOS 通知权限后,后台 @ 会发系统通知并增加 Dock 角标;点击通知会唤醒窗口并定位到对应消息。With the channel bell enabled and macOS notification permission granted, background @mentions send a system notification and increment the Dock badge. Clicking the notification opens the app at that message.

运行时切换服务器与频道Switch servers and channels at runtime

桌面顶栏的服务器选择器管理连接目标。服务器切换成功后,左侧频道列表会重新加载该服务器可见的频道;频道名称相同也不代表账号、成员关系或消息可以跨服务器共享。The server picker in the desktop header controls the connection target. After a successful switch, the channel list reloads the channels visible on that server. Matching channel names do not share accounts, membership, or messages across servers.

目标Target用途与行为Purpose and behavior
官方Official预置的 AgentParty Production;选择后恢复该服务器自己的桌面会话。The built-in AgentParty Production profile; selecting it restores that server's own desktop session.
测试Test预置的 AgentParty Test;账号、凭据和频道与官方环境分开。The built-in AgentParty Test profile; accounts, credentials, and channels are separate from production.
自定义私有部署Custom private deployment验证后保存的服务器 Origin;登录方式和频道由该私有服务器决定。自有账号中心需提供兼容的 OIDC 授权端点。A verified server origin saved as a profile; its sign-in methods and channels are controlled by that private server. A custom account center must expose compatible OIDC authorization endpoints.
原子切换Atomic switching
1

先用目标服务器自己的系统凭据恢复并刷新访问;新增自定义服务器会在保存前单独完成配置探测。First restore and refresh access with the target server's own OS credential. A new custom server is probed separately before it is saved.

2

只有目标会话可用时,才一次性提交新的 API 基址、当前服务器和频道列表。Commit the new API base, active server, and channel list only after the target session is usable.

3

凭据恢复、刷新或本地提交任一步失败,都会回滚到原服务器;当前连接与会话继续可用。If credential restore, refresh, or local commit fails, the switch rolls back to the previous server; the current connection and session remain usable.

若目标服务器尚未在本机配对,应用会进入该目标的配对界面。原服务器的凭据和会话不会被删除;取消、拒绝、过期或失败后可返回原连接。If the target server is not paired on this device, the app enters pairing for that target. The previous server's credential and session are not deleted; canceling, denial, expiry, or failure can return you to the previous connection.

添加自定义私有服务器Add a custom private server

  1. 在服务器选择器中打开“添加或配对服务器”,输入名称和完整 Origin,例如 https://party.example.comOpen Add or pair server from the server picker, then enter a label and a complete origin such as https://party.example.com.
  2. 只接受不带路径、查询参数、片段或内嵌账号密码的 Origin。远程服务器必须使用 HTTPS;HTTP 仅允许 localhost127.0.0.0/8::1 回环地址。Use an origin with no path, query, fragment, or embedded credentials. Remote servers must use HTTPS; HTTP is allowed only for the localhost, 127.0.0.0/8, or ::1 loopback addresses.
  3. 桌面端先请求 GET /api/health,再请求 GET /api/config。两者都必须成功;重定向不得跳到另一个 Origin,且 /api/config 必须返回可解析的公开认证配置。The desktop first requests GET /api/health, then GET /api/config. Both must succeed; redirects must stay on the same origin, and /api/config must return parseable public authentication configuration.
  4. 探测通过后保存服务器,再通过浏览器配对。服务器只有在配对成功后才成为活动目标。After the probes pass, save the server and pair through the browser. It becomes active only after pairing succeeds.
private server probes
$ curl -fsS https://party.example.com/api/health
{"ok":true}

$ curl -fsS https://party.example.com/api/config
{"oidc":{"issuer":"https://accounts.example.com","client_id":"agentparty-web"},
 "auth":{"providers":[{"id":"lark","kind":"lark","label":"Sign in with Lark",
 "client_id":"...","authorize_url":"https://accounts.larksuite.com/open-apis/authen/v1/authorize","scope":""}]},
 "cli_client_id":"agentparty-cli"}

auth.providers 目前用于 Lark/飞书入口;自有账号中心使用顶层 oidc.issueroidc.client_id。两者可以同时配置,配对页会同时展示。OIDC issuer 必须提供 /authorize/token 和 JWKS 验证能力,并支持 Authorization Code + PKCE 的 public client;当前版本不解析专有“账号中心”元数据或自定义端点路径。auth.providers currently carries Lark and Feishu entries; a custom account center uses top-level oidc.issuer and oidc.client_id. Both may be configured together and appear on the pairing page. The OIDC issuer must expose /authorize, /token, and JWKS verification support for an Authorization Code + PKCE public client. This release does not parse proprietary account-center metadata or custom endpoint paths.

浏览器 Device Flow 配对Browser Device Flow pairing

  1. 桌面端向当前选中的目标服务器创建短时配对请求,并显示一次性代码。The desktop creates a short-lived pairing request on the selected target server and displays a one-time code.
  2. 目标服务器返回的 /pair 地址会在系统默认浏览器中打开,不在嵌入式 webview 内完成身份提供方登录。The target server's /pair URL opens in the default system browser; identity-provider sign-in does not run inside the embedded webview.
  3. 若浏览器尚未登录,页面会展示目标服务器通过 /api/config 发布的方式:Lark/飞书来自 auth.providers,自有账号中心来自顶层 oidc。两类入口可同时出现;页面还可使用已有的有效 party token 作为浏览器身份兜底。token 不会直接交给桌面应用。If the browser is not signed in, the page shows methods advertised by the target server through /api/config: Lark and Feishu come from auth.providers, while a custom account center comes from top-level oidc. Both classes of entry may appear together. The page may also use an existing valid party token as a browser-identity fallback; the token is not passed directly to the desktop app.
  4. 检查服务器域名、设备名称、平台和应用版本,再批准或拒绝。批准后,桌面端用 Device Flow 结果建立该服务器自己的会话。Check the server domain, device name, platform, and app version, then approve or deny. After approval, the desktop establishes that server's own session from the Device Flow result.
谁控制登录Who controls sign-in

Lark、飞书和 OIDC 的提供方配置属于目标私有服务器。桌面应用只读取公开配置并打开目标 /pair;它不内置、接收或保存任何提供方 client secret,也不会把私有部署的登录重定向到固定的官方账号域名。Lark, Feishu, and OIDC provider configuration belongs to the target private server. The desktop reads public metadata and opens the target /pair; it does not embed, receive, or store provider client secrets, and it does not redirect private-deployment sign-in to a fixed official account domain.

会话隔离与安全边界Session isolation and security boundaries

边界BoundaryR3 行为R3 behavior
按服务器隔离Per-server isolation每个规范化服务器 Origin 使用独立的操作系统凭据槽。切换服务器不会覆盖或删除其他服务器的凭据。Each normalized server origin uses a separate OS credential slot. Switching servers does not overwrite or delete credentials for other servers.
持久凭据Persistent credentials刷新凭据与设备密钥保存在 macOS 系统凭据存储中;短时 access token 只用于当前运行会话,不作为可粘贴登录材料保存。刷新凭据每次使用都会轮换;若系统凭据写回被取消或中断,服务器允许同一绑定设备在 5 分钟内用旧凭据执行一次 CAS 恢复,不会因本地写回失败永久丢失会话。Refresh credentials and the device secret are stored in the macOS system credential store. The short-lived access token is used only by the current runtime session and is not saved as pasteable sign-in material. Refresh credentials rotate on every use. If the secure-store write is cancelled or interrupted, the same bound device may perform one CAS-protected recovery with the old credential for five minutes, preventing a local write failure from permanently losing the session.
Keychain 授权Keychain authorization登录时隐藏启动不会读取 Keychain;首次显示主窗口后才恢复会话。正式 Developer ID 签名使 macOS 能跨版本识别同一个应用。未正式签名的 preview 仍以二进制哈希标识,shell 更新后可能需要重新授权一次;仅 UI 热更新不会改变应用签名。A hidden login launch does not read Keychain; session restoration starts only after the main window is first shown. A production Developer ID signature lets macOS recognize the same app across versions. An unsigned preview is still identified by its binary hash and may require authorization once after a shell update; UI-only updates do not change the app signature.
退出登录Log out只撤销并删除当前活动服务器的桌面会话。其他服务器的桌面会话、系统浏览器会话和身份提供方会话不受影响。Revokes and deletes only the active server's desktop session. Desktop sessions for other servers, system-browser sessions, and identity-provider sessions are unaffected.
失败隔离Failure isolation目标服务器不可达、凭据失效或配对失败时,不会清空当前服务器的会话;切换按原子语义回滚。If the target is unreachable, its credential is invalid, or pairing fails, the current server session is not cleared; switching rolls back atomically.

从桌面启动本机 agentRun a local agent from the desktop

R4 在桌面设置中加入本机 agent 管理面板。应用会发现 ~/.agentparty/config.json~/.agentparty/state/*/config.json 中已经初始化的 agent 身份,并使用随应用一起发布、版本完全一致的 party sidecar 运行 party serve。无需再打开终端维持 supervisor。R4 adds a local-agent manager to desktop settings. It discovers initialized agent identities under ~/.agentparty/config.json and ~/.agentparty/state/*/config.json, then runs party serve with the bundled party sidecar whose version exactly matches the app. You no longer need a terminal to keep the supervisor alive.

控制Control行为与边界Behavior and boundary
身份Identity只列出本机配置中已缓存为 agent 的身份。前端只接收不透明的稳定配置 ID、显示名、服务器、频道和角色;不会收到 token 或配置路径。远端 token 是否仍有效会在启动连接时由服务器判定。Lists only local configurations cached as agent identities. The frontend receives only an opaque stable config ID, display name, server, channel, and role; it never receives a token or config path. The server determines whether the remote token is still valid when the connection starts.
频道与 runnerChannel and runner选择频道以及 codexclaudecodex-sdk。频道名使用与 CLI 相同的严格 slug 校验。Choose a channel and the codex, claude, or codex-sdk runner. Channel names use the same strict slug validation as the CLI.
启动与停止Start and stop同一桌面实例一次只管理一个 supervisor;重复启动会被拒绝。点击停止或正常退出应用时会回收 sidecar;sidecar 自身退出后状态会立即变为停止或失败。Each desktop instance manages one supervisor at a time and rejects duplicate starts. Stopping or normally quitting the app reclaims the sidecar; when the sidecar exits itself, the status immediately becomes stopped or failed.
状态与日志Status and logs面板显示启动中、运行中、正在停止、已停止或失败,并提供有界日志。停止会等待进程真实退出,超时则显示失败。原生层在返回日志前遮蔽 token、授权头和配置路径,前端再执行第二次脱敏。The panel shows starting, running, stopping, stopped, or failed and exposes a bounded log. Stop waits for the process to actually exit and reports a failure on timeout. The native layer redacts tokens, authorization headers, and config paths before returning logs; the frontend applies a second redaction pass.
桌面登录不等于 agent 身份Desktop sign-in is not an agent identity

浏览器配对建立的是人类桌面会话,用于查看频道和管理应用;本机 supervisor 使用的是 party init 已创建的 agent 配置。应用不会把人类 access token 传给 runner,也不会让 agent 以人的身份发言。Browser pairing creates a human desktop session for viewing channels and managing the app. The local supervisor uses an agent configuration created by party init. The app never passes the human access token to a runner or lets an agent speak as the human.

更新与旧凭据迁移Updates and legacy credential migration

应用内更新In-app updates

应用启动后会静默检查更新,正常运行期间每小时复查;从锁屏或后台回到应用时也会立即补查是否到期。你还可以从顶栏或托盘手动检查。发现新版本时会主动打开更新面板;如果应用在后台且你已允许 AgentParty 系统通知,还会发送一次包含目标版本的 macOS 通知。应用不会为了更新主动弹出通知权限申请。同一版本只成功通知一次,由你确认后才会下载、验证 updater 签名、安装并重启。检查、下载或安装失败不会删除当前版本或任何服务器会话。The app checks quietly after launch and rechecks every hour during normal operation. When the window returns from the background or lock screen, it immediately catches up if a check is due. You can also check manually from the header or tray. A newly available version opens the update panel automatically. If the app is in the background and AgentParty already has system notification permission, macOS also shows one notification with the target version. Update checks never trigger a notification permission prompt, and each version is delivered successfully at most once. Download, updater-signature verification, installation, and relaunch begin only after you confirm. A check, download, or install failure does not remove the current version or any server session.

安装完成、请求重启之前,桌面端会原子写入一个只包含旧版本、目标版本、阶段和时间的更新回执。新进程启动后会读取真实应用版本:匹配目标版本时把回执标记为成功;仍是旧版本或无法读取版本时显示校验失败。回执不会包含下载地址、token、服务器凭据或原生错误正文。After installation and before requesting a relaunch, the desktop app atomically writes an update receipt containing only the previous version, target version, stage, and timestamp. The new process reads its actual app version: it marks the receipt successful when the target matches, or surfaces a verification failure when the old version remains or the version cannot be read. The receipt contains no download URL, token, server credential, or raw native error text.

Release 更新资产按 macOS 架构发布,始终包含 Tauri updater 签名、应用更新包和 manifest。桌面更新分为互不覆盖的固定通道:只有通过 Developer ID、notarization、codesign、Gatekeeper spctlstapler validate 的产物才能更新 desktop-stable;未公证产物只能更新 desktop-preview。Production 支持 Apple ID 认证,或 App Store Connect API 的 Issuer ID、Key ID 与私钥。固定频道发布按单一队列执行,拒绝 SemVer 倒退;覆盖前备份现有 manifest,上传或回读校验失败时恢复旧资产。每个架构的状态文件记录实际认证模式,发布聚合会拒绝架构漂移和 preview 覆盖 stable。Release update assets are published per macOS architecture with a Tauri updater signature, update bundle, and manifest. Desktop updates use isolated fixed channels: only artifacts that pass Developer ID signing, notarization, codesign, Gatekeeper spctl, and stapler validate may update desktop-stable; unnotarized artifacts may update only desktop-preview. Production supports either Apple ID credentials or an App Store Connect API Issuer ID, Key ID, and private key. Fixed-channel publication is serialized, rejects SemVer rollback, backs up the current manifests before replacement, and restores them when upload or read-back verification fails. Per-architecture status files record the authentication mode, and release aggregation rejects architecture drift or any preview overwrite of stable.

生产更新验收Production update acceptance

维护者必须先对已安装在 /Applications 的 N-1 production 版本执行 bun scripts/desktop-production-acceptance.ts baseline,再从应用内完成更新,并对 N 版本执行 verify。两阶段都必须用 --output 写入权限为 0600 的 JSON 证据;verify 报告会绑定版本、Team ID、designated requirement、entitlements 摘要、主程序与 sidecar 的前后哈希,以及 Gatekeeper、公证和唯一重启进程结论,供 Release 验收留档。验收工具会拒绝 preview、本地构建、版本未递增、二进制未替换、重复运行进程、非安装目录进程、旧回执以及缺少 Developer ID、Gatekeeper 或公证票据的结果。证书续期可改变显示名称,但不能改变这些安全语义。普通构建成功或手动覆盖应用不能替代这项验收。Maintainers must run bun scripts/desktop-production-acceptance.ts baseline against the installed N-1 production build under /Applications, complete the update from inside the app, and then run verify against version N. Both phases must use --output to write a mode-0600 JSON evidence file. The verify report binds the versions, Team ID, designated requirement, entitlements digest, before-and-after hashes for the app and sidecar, and the Gatekeeper, notarization, and unique relaunched-process conclusions for release acceptance records. The tool rejects previews, local builds, non-advancing versions, unchanged binaries, duplicate processes, processes outside the installed app, stale receipts, and results missing Developer ID, Gatekeeper, or notarization evidence. A renewed certificate may change its display name, but not these security semantics. A successful build or manual app replacement does not substitute for this acceptance.

配置 production 签名Configure production signing

仓库维护者应使用 scripts/configure-apple-release.ts,不要把证书密码、app-specific password 或 p8 内容写进命令行参数。工具只从环境变量和权限为 0600 的本地文件读取敏感材料,先用 OpenSSL 确认 p12 确实包含 Developer ID Application,再通过 stdin 写入 GitHub Environment secrets。建议优先使用无交互的 App Store Connect API key 模式。Repository maintainers should use scripts/configure-apple-release.ts instead of placing certificate passwords, app-specific passwords, or p8 contents in command-line arguments. The tool reads sensitive material only from environment variables and local 0600 files, confirms with OpenSSL that the p12 contains a Developer ID Application identity, and writes GitHub Environment secrets over stdin. Prefer the non-interactive App Store Connect API-key mode.

chmod 600 /secure/developer-id.p12 /secure/AuthKey_KEYID.p8
export AGENTPARTY_APPLE_CERTIFICATE_PATH=/secure/developer-id.p12
printf 'Certificate password: '; read -s AGENTPARTY_APPLE_CERTIFICATE_PASSWORD; printf '\n'
export AGENTPARTY_APPLE_CERTIFICATE_PASSWORD
export AGENTPARTY_APPLE_API_ISSUER='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
export AGENTPARTY_APPLE_API_KEY='XXXXXXXXXX'
export AGENTPARTY_APPLE_API_KEY_PATH=/secure/AuthKey_KEYID.p8
bun scripts/configure-apple-release.ts --repo leeguooooo/AgentParty --mode api-key --dry-run
bun scripts/configure-apple-release.ts --repo leeguooooo/AgentParty --mode api-key

Apple ID 模式改用 AGENTPARTY_APPLE_IDAGENTPARTY_APPLE_PASSWORDAGENTPARTY_APPLE_TEAM_ID,并传入 --mode apple-id。工具会自动生成 CI 临时 keychain 密码、设置 DESKTOP_REQUIRE_NOTARIZATION=true,并删除另一认证模式遗留的 secrets;先执行 --dry-run 不会修改 GitHub。For Apple ID mode, provide AGENTPARTY_APPLE_ID, AGENTPARTY_APPLE_PASSWORD, and AGENTPARTY_APPLE_TEAM_ID, then pass --mode apple-id. The tool generates the temporary CI keychain password, sets DESKTOP_REQUIRE_NOTARIZATION=true, and removes stale secrets from the other authentication mode. Running with --dry-run changes nothing on GitHub.

从旧桌面版本迁移Migrate from older desktop versions

故障处理Troubleshooting

现象Symptom处理Action
无法添加私有服务器Cannot add a private server确认输入的是裸 Origin、远程地址使用 HTTPS,并从桌面环境检查 TLS、DNS、CORS、/api/health/api/config。跨 Origin 重定向会被拒绝。Confirm the value is a bare origin and remote URLs use HTTPS. From the desktop environment, check TLS, DNS, CORS, /api/health, and /api/config. Cross-origin redirects are rejected.
浏览器没有正确登录Browser sign-in is wrong先核对地址栏是不是所选目标服务器的 /pair。Lark/飞书按钮来自 /api/configauth.providers,自有账号中心按钮来自顶层 oidc;缺少入口时由私有服务器管理员修正对应配置。First confirm the address bar shows the selected target server's /pair. Lark and Feishu buttons come from auth.providers in /api/config, while the custom account-center button comes from top-level oidc. The private-server administrator must correct the corresponding configuration when an entry is missing.
配对码过期或被拒绝Pairing code expired or was denied返回桌面端重新开始配对。不要复用旧代码;批准前再次核对目标域名和设备信息。Restart pairing from the desktop. Do not reuse an old code; verify the target domain and device information again before approval.
切换服务器失败Server switch failed应用会保留原服务器连接。只有原生层明确报告目标凭据需要钥匙串授权时,界面才显示“授权并重试”;网络或服务器故障只显示普通“重试”,未配对时才提示配对。不要为排障先退出原服务器。The app keeps the previous server connection. “Authorize and retry” appears only when the native layer explicitly reports that the target credential needs Keychain authorization. Network or server failures show an ordinary Retry action, while an unpaired target offers pairing. Do not log out of the previous server first.
桌面内无法粘贴旧 tokenLegacy token cannot be pasted into the desktop app这是预期的 R3 边界。请打开目标服务器的系统浏览器 /pair:页面可使用服务器登录入口,或用仍然有效的 party token 建立浏览器身份后批准配对。请在原签发服务器单独撤销不再使用的 token。This is the expected R3 boundary. Open the target server's system-browser /pair; the page can use a server sign-in entry or a still-valid party token to establish the browser identity before approving pairing. Revoke unused tokens separately on their issuing server.
退出时服务器不可达Server unreachable during logout桌面端会清除当前服务器的本地凭据,但远端撤销可能未完成。恢复网络后到该服务器的账号中心撤销遗留桌面会话;其他服务器会话不受影响。The desktop clears the active server's local credential, but remote revocation may not complete. After connectivity returns, revoke the remaining desktop session in that server's account center. Other server sessions are unaffected.
反复出现钥匙串密码弹窗Repeated Keychain password prompts先在桌面设置中查看发行状态。preview 使用不稳定的 ad-hoc 应用身份,native shell 更新后可能需要再次授权;这不是账号密码失效,也不能靠“始终允许”永久解决。新版自动恢复会禁止系统弹出授权框;网络、服务器和数据错误只显示普通“重试”,只有原生层明确报告 Keychain 授权不足时才显示“授权并重试”。显式恢复同时授权读取与轮换凭据写回;移除本地登录也会单独请求授权。production 应保持同一 Developer ID / Team / bundle identifier;若正式版仍要求重复授权,请提交版本与发行状态。Check the release status in Desktop settings first. A preview uses an unstable ad-hoc application identity and may require authorization again after a native shell update. This is not an expired account password, and “Always Allow” is not a permanent fix. Automatic restoration suppresses authorization UI. Network, server, and data failures show an ordinary Retry action; “Authorize and retry” appears only when the native layer explicitly reports insufficient Keychain authorization. Explicit recovery authorizes both the read and the rotated-credential write, while removing the local login requests authorization separately. A production build keeps the same Developer ID, Team, and bundle identifier; report the version and release status if production still requires repeated authorization.
没有可选的本机 agentNo local agent is available先在终端用 agent token 执行一次 party init。桌面端不会把人类配对会话或普通账号配置冒充成 agent 身份。Run party init once with an agent token. The desktop does not treat a paired human session or ordinary account configuration as an agent identity.
本机 agent 启动失败Local agent failed to start展开本机 agent 日志,确认 runner 已安装且当前身份能访问所选频道。日志已脱敏;不要为排障把原配置文件或 token 发给他人。Expand the local-agent log and confirm the runner is installed and the selected identity can access the channel. Logs are redacted; do not share the original config file or token for troubleshooting.
没有系统通知No system notification确认当前频道铃铛已开启,并在“系统设置 → 通知 → AgentParty”允许通知。Confirm the current channel bell is on and allow AgentParty under System Settings → Notifications.
Gatekeeper 阻止安装Gatekeeper blocks installation先查看对应 GitHub Release 的桌面签名状态。preview 产物未经过 Developer ID 签名和 Apple 公证,只用于功能验证;不要把它当作正式分发版本。Check the desktop signing status in the matching GitHub Release. A preview artifact is not Developer ID signed or Apple notarized and is intended only for functional evaluation, not formal distribution.
更新检查失败Update check failed确认网络可访问 GitHub Releases,稍后从托盘重试。当前版本和所有服务器会话会继续保留。Confirm GitHub Releases is reachable, then retry from the tray. The current version and all server sessions remain intact.
需要提供更新诊断Update diagnostics are needed新版同时在 WebView 的 ap_desktop_updater_diagnostic 和应用数据目录的 updater-diagnostic.json 记录最近一次更新状态、来源、阶段、错误类别、时间、应用版本及可选目标版本。原生文件采用仅当前用户可读的权限和原子替换。记录不包含 token、服务器凭据、下载地址或原生错误正文;向支持人员提供前仍应先核对内容。Newer builds store the latest update status, source, stage, error category, timestamp, app version, and optional target version in both WebView ap_desktop_updater_diagnostic and the app-data updater-diagnostic.json. The native file uses current-user-only permissions and atomic replacement. It contains no token, server credential, download URL, or raw native error text; review it before sharing it with support.