feat(macos): add current TeamID to Peekaboo allowlist

Problem: The bridge only accepts the upstream TeamID, so packaged builds signed locally (Nix/CI) can’t use the bridge even though they are the same app. Fix: Include the running app’s TeamID (from its code signature) in the allowlist. Safety: TeamID gating remains; this just adds the app’s own TeamID to preserve permissions/automation in reproducible installs.
2025-12-20 21:59:00 +01:00
parent ced271bec1
commit 1d8b47785c
1 changed files with 30 additions and 1 deletions
--- a/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift
+++ b/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift
@@ -1,4 +1,5 @@
 import Foundation
+import Security
 import os
 import PeekabooAutomationKit
 import PeekabooBridge
@@ -32,7 +33,10 @@ final class PeekabooBridgeHostCoordinator {
    private func startIfNeeded() async {
        guard self.host == nil else { return }

-        let allowlistedTeamIDs: Set<String> = ["Y5PE65HELJ"]
+        var allowlistedTeamIDs: Set<String> = ["Y5PE65HELJ"]
+        if let teamID = Self.currentTeamID() {
+            allowlistedTeamIDs.insert(teamID)
+        }
        let allowlistedBundles: Set<String> = []

        let services = ClawdisPeekabooBridgeServices()
@@ -55,6 +59,31 @@ final class PeekabooBridgeHostCoordinator {
        self.logger
            .info("PeekabooBridge host started at \(PeekabooBridgeConstants.clawdisSocketPath, privacy: .public)")
    }
+
+    private static func currentTeamID() -> String? {
+        var code: SecCode?
+        guard SecCodeCopySelf(SecCSFlags(), &code) == errSecSuccess,
+              let code
+        else {
+            return nil
+        }
+
+        var staticCode: SecStaticCode?
+        guard SecCodeCopyStaticCode(code, SecCSFlags(), &staticCode) == errSecSuccess,
+              let staticCode
+        else {
+            return nil
+        }
+
+        var infoCF: CFDictionary?
+        guard SecCodeCopySigningInformation(staticCode, SecCSFlags(rawValue: kSecCSSigningInformation), &infoCF) == errSecSuccess,
+              let info = infoCF as? [String: Any]
+        else {
+            return nil
+        }
+
+        return info[kSecCodeInfoTeamIdentifier as String] as? String
+    }
 }

@MainActor