fix(mac): remove unused codesign entitlements

scripts/codesign-mac-app.sh

@@ -135,9 +135,7 @@ fi
 
 ENT_TMP_DIR=$(mktemp -d -t openclaw-entitlements.XXXXXX)
 trap cleanup EXIT
-ENT_TMP_BASE="$ENT_TMP_DIR/base.plist"
+ENT_TMP_APP="$ENT_TMP_DIR/app.plist"
-ENT_TMP_APP_BASE="$ENT_TMP_DIR/app-base.plist"
-ENT_TMP_RUNTIME="$ENT_TMP_DIR/runtime.plist"
 
 options_args=()
 if [[ "$IDENTITY" != "-" ]]; then
@@ -145,22 +143,7 @@ if [[ "$IDENTITY" != "-" ]]; then
 fi
 timestamp_args=("$timestamp_arg")
 
-cat > "$ENT_TMP_BASE" <<'PLIST'
+cat > "$ENT_TMP_APP" <<'PLIST'
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>com.apple.security.automation.apple-events</key>
-    <true/>
-    <key>com.apple.security.device.audio-input</key>
-    <true/>
-    <key>com.apple.security.device.camera</key>
-    <true/>
-</dict>
-</plist>
-PLIST
-
-cat > "$ENT_TMP_APP_BASE" <<'PLIST'
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -177,26 +160,13 @@ cat > "$ENT_TMP_APP_BASE" <<'PLIST'
 </plist>
 PLIST
 
-cat > "$ENT_TMP_RUNTIME" <<'PLIST'
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>com.apple.security.cs.allow-jit</key>
-    <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
-</dict>
-</plist>
-PLIST
-
 if [[ "$DISABLE_LIBRARY_VALIDATION" == "1" ]]; then
-  /usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$ENT_TMP_APP_BASE" >/dev/null 2>&1 || \
+  /usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$ENT_TMP_APP" >/dev/null 2>&1 || \
-    /usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.disable-library-validation true" "$ENT_TMP_APP_BASE"
+    /usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.disable-library-validation true" "$ENT_TMP_APP"
   echo "Note: disable-library-validation entitlement enabled (DISABLE_LIBRARY_VALIDATION=1)."
 fi
 
-APP_ENTITLEMENTS="$ENT_TMP_APP_BASE"
+APP_ENTITLEMENTS="$ENT_TMP_APP"
 
 # clear extended attributes to avoid stale signatures
 xattr -cr "$APP_BUNDLE" 2>/dev/null || true

test/scripts/codesign-mac-app.test.ts

@@ -1,5 +1,5 @@
 import { spawnSync } from "node:child_process";
-import { mkdirSync, mkdtempSync, readdirSync, rmSync } from "node:fs";
+import { mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import path from "node:path";
 import { afterEach, describe, expect, it } from "vitest";
@@ -35,6 +35,16 @@ afterEach(() => {
 });
 
 describe("codesign-mac-app temp file hygiene", () => {
+  it("does not generate unused entitlement plist files", () => {
+    const script = readFileSync(scriptPath, "utf8");
+
+    expect(script).toContain('ENT_TMP_APP="$ENT_TMP_DIR/app.plist"');
+    expect(script).not.toContain("ENT_TMP_BASE");
+    expect(script).not.toContain("ENT_TMP_RUNTIME");
+    expect(script).not.toContain("base.plist");
+    expect(script).not.toContain("runtime.plist");
+  });
+
   it("does not allocate entitlement temp files for help output", () => {
     const tempRoot = makeTempDir("openclaw-codesign-help-");
     const result = runCodesign(["--help"], tempRoot);