
fix(desktop): correct inherited mac entitlements#553

Merged: nettee merged 1 commit into main from fix-sentry-508 on Mar 26, 2026

Conversation


nettee (Contributor) commented Mar 26, 2026

What

Fix the macOS desktop app's inherited entitlements so helper and nested binaries use com.apple.security.inherit instead of main-app hardened runtime exceptions.

Why

Closes #508.

Sentry issue NEXU-DESKTOP-PROD-9 reported a fatal native crash in _libsecinit_appsandbox.cold.6 during packaged app launch on macOS. The root cause was that apps/desktop/build/entitlements.mac.inherit.plist granted helper processes the same hardened runtime entitlements as the main app (allow-jit, allow-unsigned-executable-memory, disable-library-validation), which can cause sandbox/secinit aborts very early in startup.

How

  • Investigated GitHub issue 508 and the linked Sentry issue 7359842523
  • Confirmed the crash was a native EXC_BREAKPOINT / minidump in _libsecinit_appsandbox
  • Updated the inherited entitlements plist to the minimal helper entitlement:
    • com.apple.security.inherit = true
  • Left the main app entitlements unchanged so the top-level app still keeps the hardened runtime exceptions it needs

Affected areas

  • Desktop app (Electron shell)
  • Controller (backend / API)
  • Web dashboard (React UI)
  • OpenClaw runtime
  • Skills
  • Shared schemas / packages
  • Build / CI / Tooling

Checklist

  • pnpm typecheck passes
  • pnpm lint passes
  • pnpm test passes
  • pnpm generate-types run (if API routes/schemas changed)
  • No credentials or tokens in code or logs
  • No any types introduced (use unknown with narrowing)

Notes for reviewers

pnpm typecheck and pnpm lint are currently blocked in this local workspace by an environment/tooling issue unrelated to this plist-only change: the repo is missing installed workspace dependencies / is using an older TypeScript binary, so the workspace config in tsconfig.base.json is not understood. No application logic changed.

Summary by CodeRabbit

  • Chores
    • Updated macOS application entitlements configuration to enable entitlements inheritance.
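As an added check for the defect described above (example code, not the project's own): a small Python lint that parses an inherited-entitlements plist with the standard library's plistlib and flags the main-app hardened-runtime exceptions that the description says leaked into the helper plist. Both plist bodies are constructed here from the PR description; the key names are the ones it quotes.

```python
"""Lint an Electron app's inherited-entitlements plist.

Added example, not part of the PR. The defect described in the PR was that
entitlements.mac.inherit.plist carried the main app's hardened-runtime
exceptions instead of the single com.apple.security.inherit key; this check
reports that mismatch so it can run in CI before packaging.
"""
import plistlib

# Keys the PR description says belong only to the top-level app's entitlements.
MAIN_APP_ONLY_KEYS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
}
# The minimal helper entitlement the PR switches to.
INHERIT_KEY = "com.apple.security.inherit"


def _plist(entries: dict) -> bytes:
    """Serialise a dict as an XML plist (used only to build the constructed samples)."""
    return plistlib.dumps(entries, fmt=plistlib.FMT_XML)


# Constructed "before" state: the helper plist copies the main app's exceptions.
BEFORE = _plist({key: True for key in MAIN_APP_ONLY_KEYS})
# Constructed "after" state: the minimal helper entitlement from the PR.
AFTER = _plist({INHERIT_KEY: True})


def lint_inherit_plist(data: bytes) -> list[str]:
    """Return findings for a helper plist; an empty list means it is acceptable."""
    entries = plistlib.loads(data)
    findings = []
    # A helper must opt into inheriting the parent's sandbox/entitlements.
    if entries.get(INHERIT_KEY) is not True:
        findings.append(f"missing {INHERIT_KEY} = true")
    # Hardened-runtime exceptions belong to the main app, not to inherited helpers.
    for key in sorted(set(entries) & MAIN_APP_ONLY_KEYS):
        findings.append(f"main-app hardened-runtime exception {key} must not be inherited")
    return findings


if __name__ == "__main__":
    for name, data in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_inherit_plist(data) or ["ok"])
```

Pointing the lint at a real file is a matter of passing `open(path, "rb").read()` in place of the constructed samples.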

coderabbitai Bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between fc31260 and a7f3fc4.

Files selected for processing (1)
  • apps/desktop/build/entitlements.mac.inherit.plist

Walkthrough

Removes three individual macOS code-signing security capabilities (JIT, unsigned executable memory, library validation) from the entitlements configuration and replaces them with a single entitlements inheritance flag to allow inherited permissions.

Changes

Cohort / File(s): macOS Entitlements Configuration
  apps/desktop/build/entitlements.mac.inherit.plist
Summary: Replaces granular security capability flags (com.apple.security.cs.allow-jit, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.cs.disable-library-validation) with the unified entitlements inheritance setting (com.apple.security.inherit = true).

Estimated code review effort

1 (Trivial) | ~3 minutes

Poem

🐰 A plist so simple, now cleaned and lean,
Entitlements inherited—no flags between,
One setting to rule them, security aligned,
The sandbox now smiles, at peace of mind! 🍀

Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately and concisely describes the main change: correcting inherited Mac entitlements for the desktop app.
  • Description check: Passed. The description covers all required sections (What, Why, How, Affected areas, Checklist) with comprehensive detail about the issue, root cause, and solution implemented.
  • Linked Issues check: Passed. The PR successfully addresses issue #508 by replacing hardened runtime entitlements with the minimal com.apple.security.inherit=true entitlement for helper binaries to prevent sandbox/secinit aborts.
  • Out of Scope Changes check: Passed. All changes are in-scope: the plist-only modification directly addresses the linked issue's objective of fixing the macOS entitlements inheritance problem.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



nettee (Contributor, Author) commented Mar 26, 2026

/cr Sentry issue auto fix: correct the code-signing entitlement configuration inherited by child processes of the macOS desktop app, so that the packaged app no longer crashes in _libsecinit_appsandbox at launch because of mismatched entitlements.

slack-code-review-channel commented

CR topic created in Feishu topic group Refly CR.

nettee merged commit d677733 into main on Mar 26, 2026 (7 checks passed).
mrcfps deleted the fix-sentry-508 branch on March 26, 2026 04:01.
Linked issue (closed by this pull request): _libsecinit_appsandbox.cold.6