mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-05 12:53:33 +00:00
* fix(infra): bound jsonl-socket response buffer to prevent OOM * fix(macos): cap exec host socket output * fix(macos): satisfy swiftformat for exec limiter * test(macos): prove exec host output cap on command output * chore: keep jsonl socket cap scoped to infra * fix(infra): raise jsonl socket buffer cap * test(infra): prove jsonl socket cap beats timeout * ci: rerun jsonl socket buffer bound checks * fix(macos): cap exec host response output * test(macos): avoid private exec response fixtures * fix(macos): satisfy exec output limiter formatting * fix(macos): avoid static self formatting conflict * chore: keep jsonl socket guard infra-only * fix(jsonl-socket): parse complete lines before enforcing the buffer cap * chore: remove unnecessary return after finish(null) * fix(infra): frame bounded JSONL socket lines * fix(infra): frame bounded JSONL socket lines * style(macos): keep exec limiter patch focused * style(macos): keep exec limiter patch focused * style(macos): satisfy exec limiter formatting * style(infra): satisfy socket loop lint --------- Co-authored-by: Peter Steinberger <peter@steipete.me> Co-authored-by: Peter Steinberger <steipete@gmail.com>
OpenClaw macOS app (dev + signing)
Quick dev run
# from repo root
scripts/restart-mac.sh
Options:
scripts/restart-mac.sh --no-sign # fastest dev; ad-hoc signing (TCC permissions do not stick)
scripts/restart-mac.sh --sign # force code signing (requires cert)
Packaging flow
scripts/package-mac-app.sh
Creates dist/OpenClaw.app and signs it via scripts/codesign-mac-app.sh.
Signing behavior
Auto-selects identity (first match):
- Developer ID Application
- Apple Distribution
- Apple Development
- first available identity
If none found:
- errors by default
- set
ALLOW_ADHOC_SIGNING=1orSIGN_IDENTITY="-"to ad-hoc sign
Team ID audit (Sparkle mismatch guard)
After signing, we read the app bundle Team ID and compare every Mach-O inside the app. If any embedded binary has a different Team ID, signing fails.
Skip the audit:
SKIP_TEAM_ID_CHECK=1 scripts/package-mac-app.sh
Library validation workaround (dev only)
If Sparkle Team ID mismatch blocks loading (common with Apple Development certs), opt in:
DISABLE_LIBRARY_VALIDATION=1 scripts/package-mac-app.sh
This adds com.apple.security.cs.disable-library-validation to app entitlements.
Use for local dev only; keep off for release builds.
Useful env flags
SIGN_IDENTITY="Apple Development: Your Name (TEAMID)"ALLOW_ADHOC_SIGNING=1(ad-hoc, TCC permissions do not persist)CODESIGN_TIMESTAMP=off(offline debug)DISABLE_LIBRARY_VALIDATION=1(dev-only Sparkle workaround)SKIP_TEAM_ID_CHECK=1(bypass audit)