From 1d8b47785c1546a40d52194cc1796bab178bb6d1 Mon Sep 17 00:00:00 2001
From: Josh Palmer
Date: Sat, 20 Dec 2025 21:59:00 +0100
Subject: [PATCH] feat(macos): add current TeamID to Peekaboo allowlist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem: The bridge only accepts the upstream TeamID, so packaged builds signed locally (Nix/CI) can’t use the bridge even though they are the same app.
Fix: Include the running app’s TeamID (from its code signature) in the allowlist.
Safety: TeamID gating remains; this just adds the app’s own TeamID to preserve permissions/automation in reproducible installs.
---
 .../PeekabooBridgeHostCoordinator.swift | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift b/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift
index 88c7e89bf..13edfaf20 100644
--- a/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift
+++ b/apps/macos/Sources/Clawdis/PeekabooBridgeHostCoordinator.swift
@@ -1,4 +1,5 @@
 import Foundation
+import Security
 import os
 import PeekabooAutomationKit
 import PeekabooBridge
@@ -32,7 +33,10 @@ final class PeekabooBridgeHostCoordinator {
 private func startIfNeeded() async {
 guard self.host == nil else { return }
- let allowlistedTeamIDs: Set = ["Y5PE65HELJ"]
+ var allowlistedTeamIDs: Set = ["Y5PE65HELJ"]
+ if let teamID = Self.currentTeamID() {
+ allowlistedTeamIDs.insert(teamID)
+ }
 let allowlistedBundles: Set = []
 let services = ClawdisPeekabooBridgeServices()
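Review bot: The allowlist built in startIfNeeded() is now decided at runtime by whatever identity signed this build, and since `allowlistedBundles` stays empty the TeamID appears to be the only gate visible here, so every other binary signed by that same team can reach the bridge. That matches the stated intent for locally signed builds, but it should be auditable: log the effective set once, for example `self.logger.info("PeekabooBridge allowlisted TeamIDs: \(allowlistedTeamIDs.sorted().joined(separator: ","), privacy: .public)")`. A comment above the literal would also help, such as `// Upstream release TeamID; the running build's own TeamID is added below when it has one.` startIfNeeded() continues outside the hunk, so how the host consumes the set is not visible from here.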
@@ -55,6 +59,31 @@ final class PeekabooBridgeHostCoordinator {
 self.logger
 .info("PeekabooBridge host started at \(PeekabooBridgeConstants.clawdisSocketPath, privacy: .public)")
 }
+
+ private static func currentTeamID() -> String? {
+ var code: SecCode?
+ guard SecCodeCopySelf(SecCSFlags(), &code) == errSecSuccess,
+ let code
+ else {
+ return nil
+ }
+
+ var staticCode: SecStaticCode?
+ guard SecCodeCopyStaticCode(code, SecCSFlags(), &staticCode) == errSecSuccess,
+ let staticCode
+ else {
+ return nil
+ }
+
+ var infoCF: CFDictionary?
+ guard SecCodeCopySigningInformation(staticCode, SecCSFlags(rawValue: kSecCSSigningInformation), &infoCF) == errSecSuccess,
+ let info = infoCF as? [String: Any]
+ else {
+ return nil
+ }
+
+ return info[kSecCodeInfoTeamIdentifier as String] as? String
+ }
 }
 @MainActor
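Review bot: currentTeamID() reads the TeamID without ever checking that the signature is valid. As far as I know, `SecCodeCopySigningInformation` only reports what the signature claims and still succeeds on a broken or tampered signature, and the static code passed to it is resolved from the on-disk bundle rather than from the running process. Because the returned string widens the bridge allowlist, validate first, e.g. `guard SecCodeCheckValidity(code, SecCSFlags(), nil) == errSecSuccess else { return nil }` right after `SecCodeCopySelf`. A doc comment should also state that nil is returned when any Security call fails or the signature carries no team identifier (presumably ad-hoc or unsigned builds), which leaves only the upstream TeamID allowlisted.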