diff --git a/scripts/codesign-mac-app.sh b/scripts/codesign-mac-app.sh
index 3a124d9f8..2276aa514 100755
--- a/scripts/codesign-mac-app.sh
+++ b/scripts/codesign-mac-app.sh
@@ -51,14 +51,8 @@ cat > "$ENT_TMP_BASE" <<'PLIST'
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <key>com.apple.security.hardened-runtime</key>
-    <true/>
-    <key>com.apple.security.cs.allow-jit</key>
-    <true/>
     <key>com.apple.security.automation.apple-events</key>
     <true/>
-    <key>com.apple.security.device.audio-input</key>
-    <true/>
 </dict>
 </plist>
 PLIST
@@ -68,14 +62,8 @@ cat > "$ENT_TMP_APP_BASE" <<'PLIST'
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <key>com.apple.security.hardened-runtime</key>
-    <true/>
-    <key>com.apple.security.cs.allow-jit</key>
-    <true/>
     <key>com.apple.security.automation.apple-events</key>
     <true/>
-    <key>com.apple.security.device.audio-input</key>
-    <true/>
 </dict>
 </plist>
 PLIST
@@ -87,29 +75,20 @@ cat > "$ENT_TMP_APP" <<'PLIST'
 <dict>
     <key>com.apple.developer.usernotifications.time-sensitive</key>
     <true/>
-    <key>com.apple.security.hardened-runtime</key>
-    <true/>
-    <key>com.apple.security.cs.allow-jit</key>
-    <true/>
     <key>com.apple.security.automation.apple-events</key>
     <true/>
-    <key>com.apple.security.device.audio-input</key>
-    <true/>
 </dict>
 </plist>
 PLIST
 
-# The time-sensitive entitlement is restricted and needs to be present in a
-# matching provisioning profile when using Apple Development signing.
-# Avoid breaking local debug builds by only enabling it when forced, or when
-# using distribution-style identities.
+# The time-sensitive entitlement is restricted and requires explicit enablement
+# (and typically a matching provisioning profile). It is *not* safe to enable
+# unconditionally for local debug packaging since AMFI will refuse to launch.
 APP_ENTITLEMENTS="$ENT_TMP_APP_BASE"
 if [[ "${ENABLE_TIME_SENSITIVE_NOTIFICATIONS:-}" == "1" ]]; then
   APP_ENTITLEMENTS="$ENT_TMP_APP"
-elif [[ "$IDENTITY" == *"Developer ID Application"* ]] || [[ "$IDENTITY" == *"Apple Distribution"* ]]; then
-  APP_ENTITLEMENTS="$ENT_TMP_APP"
 else
-  echo "Note: Time Sensitive Notifications entitlement disabled for this signing identity."
+  echo "Note: Time Sensitive Notifications entitlement disabled."
   echo "      To force it: ENABLE_TIME_SENSITIVE_NOTIFICATIONS=1 scripts/codesign-mac-app.sh <app>"
 fi
 
diff --git a/scripts/restart-mac.sh b/scripts/restart-mac.sh
index ed8a4285c..6cfd3c404 100755
--- a/scripts/restart-mac.sh
+++ b/scripts/restart-mac.sh
@@ -86,7 +86,16 @@ choose_app_bundle() {
 choose_app_bundle
 
 # 4) Launch the installed app in the foreground so the menu bar extra appears.
-run_step "launch app" open "${APP_BUNDLE}"
+# LaunchServices can inherit a huge environment from this shell (secrets, prompt vars, etc.).
+# That can cause launchd spawn failures and is undesirable for a GUI app anyway.
+run_step "launch app" env -i \
+  HOME="${HOME}" \
+  USER="${USER:-$(id -un)}" \
+  LOGNAME="${LOGNAME:-$(id -un)}" \
+  TMPDIR="${TMPDIR:-/tmp}" \
+  PATH="/usr/bin:/bin:/usr/sbin:/sbin" \
+  LANG="${LANG:-en_US.UTF-8}" \
+  /usr/bin/open "${APP_BUNDLE}"
 
 # 5) Verify the app is alive.
 sleep 1.5