fix: unblock mac node bridge TLS

apps/macos/Sources/Clawdbot/NodeMode/MacNodeBridgeTLS.swift

@@ -40,11 +40,10 @@ func makeMacNodeTLSOptions(_ params: MacNodeBridgeTLSParams?) -> NWProtocolTLS.O
     sec_protocol_options_set_verify_block(
         options.securityProtocolOptions,
         { _, trust, complete in
-            guard let trust else {
-                complete(false)
-                return
-            }
-            if let cert = SecTrustGetCertificateAtIndex(trust, 0) {
+            let trustRef = sec_trust_copy_ref(trust).takeRetainedValue()
+            if let chain = SecTrustCopyCertificateChain(trustRef) as? [SecCertificate],
+               let cert = chain.first
+            {
                 let data = SecCertificateCopyData(cert) as Data
                 let fingerprint = sha256Hex(data)
                 if let expected {
@@ -57,7 +56,7 @@ func makeMacNodeTLSOptions(_ params: MacNodeBridgeTLSParams?) -> NWProtocolTLS.O
                     return
                 }
             }
-            let ok = SecTrustEvaluateWithError(trust, nil)
+            let ok = SecTrustEvaluateWithError(trustRef, nil)
             complete(ok)
         },
         DispatchQueue(label: "com.clawdbot.macos.bridge.tls.verify"))

apps/macos/Sources/Clawdbot/NodeMode/MacNodeModeCoordinator.swift

@@ -463,7 +463,7 @@ final class MacNodeModeCoordinator {
         }
     }
 
-    private static func targetFromResult(_ result: NWBrowser.Result) -> BridgeTarget? {
+    nonisolated private static func targetFromResult(_ result: NWBrowser.Result) -> BridgeTarget? {
         let endpoint = result.endpoint
         guard case .service = endpoint else { return nil }
         let stableID = BridgeEndpointID.stableID(endpoint)
@@ -477,7 +477,7 @@ final class MacNodeModeCoordinator {
         return BridgeTarget(endpoint: endpoint, stableID: stableID, tls: tlsParams)
     }
 
-    private static func resolveDiscoveredTLSParams(
+    nonisolated private static func resolveDiscoveredTLSParams(
         stableID: String,
         tlsEnabled: Bool,
         tlsFingerprintSha256: String?) -> MacNodeBridgeTLSParams?
@@ -503,7 +503,7 @@ final class MacNodeModeCoordinator {
         return nil
     }
 
-    private static func resolveManualTLSParams(stableID: String) -> MacNodeBridgeTLSParams? {
+    nonisolated private static func resolveManualTLSParams(stableID: String) -> MacNodeBridgeTLSParams? {
         if let stored = MacNodeBridgeTLSStore.loadFingerprint(stableID: stableID) {
             return MacNodeBridgeTLSParams(
                 required: true,
@@ -519,12 +519,12 @@ final class MacNodeModeCoordinator {
             storeKey: stableID)
     }
 
-    private static func txtValue(_ dict: [String: String], key: String) -> String? {
+    nonisolated private static func txtValue(_ dict: [String: String], key: String) -> String? {
         let raw = dict[key]?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
         return raw.isEmpty ? nil : raw
     }
 
-    private static func txtBoolValue(_ dict: [String: String], key: String) -> Bool {
+    nonisolated private static func txtBoolValue(_ dict: [String: String], key: String) -> Bool {
         guard let raw = self.txtValue(dict, key: key)?.lowercased() else { return false }
         return raw == "1" || raw == "true" || raw == "yes"
     }