mac: add signing helper and document debug bundle

scripts/codesign-mac-app.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+APP_BUNDLE="${1:-dist/Clawdis.app}"
+IDENTITY="${SIGN_IDENTITY:--}"
+ENT_TMP=$(mktemp /tmp/clawdis-entitlements.XXXXXX.plist)
+
+if [ ! -d "$APP_BUNDLE" ]; then
+  echo "App bundle not found: $APP_BUNDLE" >&2
+  exit 1
+fi
+
+echo "Using signing identity: $IDENTITY"
+
+cat > "$ENT_TMP" <<'PLIST'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.hardened-runtime</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+</dict>
+</plist>
+PLIST
+
+# clear extended attributes to avoid stale signatures
+xattr -cr "$APP_BUNDLE" 2>/dev/null || true
+
+sign_item() {
+  local target="$1"
+  codesign --force --options runtime --timestamp=none --entitlements "$ENT_TMP" --sign "$IDENTITY" "$target"
+}
+
+# Sign main binary and CLI helper if present
+if [ -f "$APP_BUNDLE/Contents/MacOS/Clawdis" ]; then
+  echo "Signing main binary"; sign_item "$APP_BUNDLE/Contents/MacOS/Clawdis"
+fi
+if [ -f "$APP_BUNDLE/Contents/MacOS/ClawdisCLI" ]; then
+  echo "Signing CLI helper"; sign_item "$APP_BUNDLE/Contents/MacOS/ClawdisCLI"
+fi
+
+# Sign any embedded frameworks/dylibs if they ever appear
+if [ -d "$APP_BUNDLE/Contents/Frameworks" ]; then
+  find "$APP_BUNDLE/Contents/Frameworks" \( -name "*.framework" -o -name "*.dylib" \) -print0 | while IFS= read -r -d '' f; do
+    echo "Signing framework: $f"; sign_item "$f"
+  done
+fi
+
+# Finally sign the bundle
+sign_item "$APP_BUNDLE"
+
+rm -f "$ENT_TMP"
+echo "Codesign complete for $APP_BUNDLE"

scripts/package-mac-app.sh

@@ -8,7 +8,9 @@ ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 APP_ROOT="$ROOT_DIR/dist/Clawdis.app"
 BUILD_PATH="$ROOT_DIR/apps/macos/.build"
 PRODUCT="Clawdis"
-BUNDLE_ID="com.steipete.clawdis.debug"
+BUNDLE_ID="${BUNDLE_ID:-com.steipete.clawdis.debug}"
+BUILD_TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+GIT_COMMIT=$(cd "$ROOT_DIR" && git rev-parse --short HEAD 2>/dev/null || echo "unknown")
 
 cd "$ROOT_DIR/apps/macos"
 
@@ -42,6 +44,10 @@ cat > "$APP_ROOT/Contents/Info.plist" <<PLIST
     <string>15.0</string>
     <key>LSUIElement</key>
     <true/>
+    <key>ClawdisBuildTimestamp</key>
+    <string>${BUILD_TS}</string>
+    <key>ClawdisGitCommit</key>
+    <string>${GIT_COMMIT}</string>
     <key>NSUserNotificationUsageDescription</key>
     <string>Clawdis needs notification permission to show alerts for agent actions.</string>
     <key>NSScreenCaptureDescription</key>
@@ -70,12 +76,8 @@ fi
 echo "⏹  Stopping any running Clawdis"
 killall -q Clawdis 2>/dev/null || true
 
-echo "🔏 Ad-hoc signing binaries for stable TCC permissions"
-codesign --force --options runtime --timestamp=none --sign - "$APP_ROOT/Contents/MacOS/Clawdis"
-if [ -f "$APP_ROOT/Contents/MacOS/ClawdisCLI" ]; then
-  codesign --force --options runtime --timestamp=none --sign - "$APP_ROOT/Contents/MacOS/ClawdisCLI"
-fi
-codesign --force --options runtime --timestamp=none --sign - "$APP_ROOT"
+echo "🔏 Signing bundle (ad-hoc by default; set SIGN_IDENTITY for real cert)"
+SIGN_IDENTITY="${SIGN_IDENTITY:--}" "$ROOT_DIR/scripts/codesign-mac-app.sh" "$APP_ROOT"
 
 echo "✅ Bundle ready at $APP_ROOT"