fix: land daemon macOS system CA default (#32205) (thanks @magos-minor)

CHANGELOG.md

@@ -26,6 +26,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
 
 - macOS/LaunchAgent security defaults: write `Umask=63` (octal `077`) into generated gateway launchd plists so post-update service reinstalls keep owner-only file permissions by default instead of falling back to system `022`. (#32022) Fixes #31905. Thanks @liuxiaopai-ai.
+- Daemon/macOS TLS trust defaults: set `NODE_USE_SYSTEM_CA=1` by default in gateway/node supervised service environments on macOS (while preserving explicit env overrides), so launchd-managed installs trust enterprise system keychains without manual shell env wiring. (#32205) Thanks @magos-minor.
 - Plugin SDK/runtime hardening: add package export verification in CI/release checks to catch missing runtime exports before publish-time regressions. (#28575) Thanks @Glucksberg.
 - Media understanding/provider HTTP proxy routing: pass a proxy-aware fetch function from `HTTPS_PROXY`/`HTTP_PROXY` env vars into audio/video provider calls (with graceful malformed-proxy fallback) so transcription/video requests honor configured outbound proxies. (#27093) Thanks @mcaxtr.
 - Media understanding/malformed attachment guards: harden attachment selection and decision summary formatting against non-array or malformed attachment payloads to prevent runtime crashes on invalid inbound metadata shapes. (#28024) Thanks @claw9267.

src/daemon/service-env.test.ts

@@ -354,6 +354,33 @@ describe("buildServiceEnvironment", () => {
     });
     expect(env.NODE_EXTRA_CA_CERTS).toBe("/custom/certs/ca.pem");
   });
+
+  it("defaults NODE_USE_SYSTEM_CA=1 on macOS", () => {
+    const env = buildServiceEnvironment({
+      env: { HOME: "/home/user" },
+      port: 18789,
+      platform: "darwin",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBe("1");
+  });
+
+  it("does not default NODE_USE_SYSTEM_CA on non-macOS", () => {
+    const env = buildServiceEnvironment({
+      env: { HOME: "/home/user" },
+      port: 18789,
+      platform: "linux",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBeUndefined();
+  });
+
+  it("respects user-provided NODE_USE_SYSTEM_CA over the default", () => {
+    const env = buildServiceEnvironment({
+      env: { HOME: "/home/user", NODE_USE_SYSTEM_CA: "0" },
+      port: 18789,
+      platform: "darwin",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBe("0");
+  });
 });
 
 describe("buildNodeServiceEnvironment", () => {
@@ -449,6 +476,30 @@ describe("buildNodeServiceEnvironment", () => {
     });
     expect(env.NODE_EXTRA_CA_CERTS).toBe("/custom/certs/ca.pem");
   });
+
+  it("defaults NODE_USE_SYSTEM_CA=1 on macOS for node services", () => {
+    const env = buildNodeServiceEnvironment({
+      env: { HOME: "/home/user" },
+      platform: "darwin",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBe("1");
+  });
+
+  it("does not default NODE_USE_SYSTEM_CA on non-macOS for node services", () => {
+    const env = buildNodeServiceEnvironment({
+      env: { HOME: "/home/user" },
+      platform: "linux",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBeUndefined();
+  });
+
+  it("respects user-provided NODE_USE_SYSTEM_CA for node services", () => {
+    const env = buildNodeServiceEnvironment({
+      env: { HOME: "/home/user", NODE_USE_SYSTEM_CA: "0" },
+      platform: "darwin",
+    });
+    expect(env.NODE_USE_SYSTEM_CA).toBe("0");
+  });
 });
 
 describe("resolveGatewayStateDir", () => {

src/daemon/service-env.ts

@@ -251,6 +251,7 @@ export function buildServiceEnvironment(params: {
     PATH: sharedEnv.minimalPath,
     ...sharedEnv.proxyEnv,
     NODE_EXTRA_CA_CERTS: sharedEnv.nodeCaCerts,
+    NODE_USE_SYSTEM_CA: sharedEnv.nodeUseSystemCa,
     OPENCLAW_PROFILE: profile,
     OPENCLAW_STATE_DIR: sharedEnv.stateDir,
     OPENCLAW_CONFIG_PATH: sharedEnv.configPath,
@@ -279,6 +280,7 @@ export function buildNodeServiceEnvironment(params: {
     PATH: sharedEnv.minimalPath,
     ...sharedEnv.proxyEnv,
     NODE_EXTRA_CA_CERTS: sharedEnv.nodeCaCerts,
+    NODE_USE_SYSTEM_CA: sharedEnv.nodeUseSystemCa,
     OPENCLAW_STATE_DIR: sharedEnv.stateDir,
     OPENCLAW_CONFIG_PATH: sharedEnv.configPath,
     OPENCLAW_GATEWAY_TOKEN: gatewayToken,
@@ -303,6 +305,7 @@ function resolveSharedServiceEnvironmentFields(
   minimalPath: string;
   proxyEnv: Record<string, string | undefined>;
   nodeCaCerts: string | undefined;
+  nodeUseSystemCa: string | undefined;
 } {
   const stateDir = env.OPENCLAW_STATE_DIR;
   const configPath = env.OPENCLAW_CONFIG_PATH;
@@ -314,6 +317,7 @@ function resolveSharedServiceEnvironmentFields(
   // works correctly when running as a LaunchAgent without extra user configuration.
   const nodeCaCerts =
     env.NODE_EXTRA_CA_CERTS ?? (platform === "darwin" ? "/etc/ssl/cert.pem" : undefined);
+  const nodeUseSystemCa = env.NODE_USE_SYSTEM_CA ?? (platform === "darwin" ? "1" : undefined);
   return {
     stateDir,
     configPath,
@@ -321,5 +325,6 @@ function resolveSharedServiceEnvironmentFields(
     minimalPath: buildMinimalServicePath({ env }),
     proxyEnv,
     nodeCaCerts,
+    nodeUseSystemCa,
   };
 }