fix: stabilize launchd paths and appcast secret scan

.detect-secrets.cfg

@@ -41,3 +41,5 @@ pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bash
 pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
 pattern = "ap[i]Key": "xxxxx",
 pattern = ap[i]Key: "A[I]za\.\.\.",
+# Sparkle appcast signatures are release metadata, not credentials.
+pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"

.pre-commit-config.yaml

@@ -71,6 +71,8 @@ repos:
           - 'ap[i]Key: "A[I]za\.\.\.",'
           - --exclude-lines
           - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
+          - --exclude-lines
+          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
   # Shell script linting
   - repo: https://github.com/koalaman/shellcheck-precommit
     rev: v0.11.0

.secrets.baseline

@@ -153,7 +153,8 @@
         "env: \\{ MISTRAL_API_K[E]Y: \"sk-\\.\\.\\.\" \\},",
         "\"ap[i]Key\": \"xxxxx\"(,)?",
         "ap[i]Key: \"A[I]za\\.\\.\\.\",",
-        "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?"
+        "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?",
+        "sparkle:edSignature=\"[A-Za-z0-9+/=]+\""
       ]
     },
     {
@@ -180,29 +181,6 @@
         "line_number": 15
       }
     ],
-    "appcast.xml": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "7afea670e53d801f1f881c99c40aa177e3395bfa",
-        "is_verified": false,
-        "line_number": 365
-      },
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "6e1ba26139ac4e73427e68a7eec2abf96bcf1fd4",
-        "is_verified": false,
-        "line_number": 584
-      },
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "c0baa9660a8d3b11874c63a535d8369f4a8fa8fa",
-        "is_verified": false,
-        "line_number": 723
-      }
-    ],
     "apps/android/app/src/test/java/ai/openclaw/android/node/AppUpdateHandlerTest.kt": [
       {
         "type": "Hex High Entropy String",
@@ -13035,5 +13013,5 @@
       }
     ]
   },
-  "generated_at": "2026-03-09T06:30:58Z"
+  "generated_at": "2026-03-09T08:37:13Z"
 }

src/daemon/launchd.ts

@@ -276,8 +276,8 @@ export async function uninstallLegacyLaunchAgents({
     return agents;
   }
 
-  const home = resolveHomeDir(env);
+  const home = toPosixPath(resolveHomeDir(env));
-  const trashDir = path.join(home, ".Trash");
+  const trashDir = path.posix.join(home, ".Trash");
   try {
     await fs.mkdir(trashDir, { recursive: true });
   } catch {
@@ -323,8 +323,8 @@ export async function uninstallLaunchAgent({
     return;
   }
 
-  const home = resolveHomeDir(env);
+  const home = toPosixPath(resolveHomeDir(env));
-  const trashDir = path.join(home, ".Trash");
+  const trashDir = path.posix.join(home, ".Trash");
   const dest = path.join(trashDir, `${label}.plist`);
   try {
     await fs.mkdir(trashDir, { recursive: true });
@@ -415,9 +415,10 @@ export async function installLaunchAgent({
   }
 
   const plistPath = resolveLaunchAgentPlistPathForLabel(env, label);
-  const home = resolveHomeDir(env);
+  const home = toPosixPath(resolveHomeDir(env));
+  const libraryDir = path.posix.join(home, "Library");
   await ensureSecureDirectory(home);
-  await ensureSecureDirectory(path.join(home, "Library"));
+  await ensureSecureDirectory(libraryDir);
   await ensureSecureDirectory(path.dirname(plistPath));
 
   const serviceDescription = resolveGatewayServiceDescription({ env, environment, description });