Add macOS entitlements and TCC usage descriptions

vdavid · vdavid · commit ff0c27ee496d · 2026-02-26T14:58:51.000+01:00
- Info.plist: NS*UsageDescription keys so macOS shows permission
  prompts for network volumes, removable drives, and protected
  folders instead of silently denying access
- Entitlements.plist: hardened runtime entitlements for notarization
- tauri.conf.json: reference entitlements file for production signing
diff --git a/apps/desktop/src-tauri/Entitlements.plist b/apps/desktop/src-tauri/Entitlements.plist
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<!--
+  Entitlements for Cmdr production builds (hardened runtime).
+  Used during Apple code signing (codesign -\-entitlements).
+  Required for notarization.
+-->
+<dict>
+    <!-- WebView (WKWebView) needs unsigned executable memory for JIT -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <!-- Allow loading Tauri's WebView framework without Apple-signed validation -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>
diff --git a/apps/desktop/src-tauri/Info.plist b/apps/desktop/src-tauri/Info.plist
@@ -4,5 +4,17 @@
 <dict>
     <key>CFBundleName</key>
     <string>Cmdr</string>
+
+    <!-- Privacy usage descriptions shown in macOS TCC prompts -->
+    <key>NSNetworkVolumesUsageDescription</key>
+    <string>Cmdr needs access to network volumes to browse and manage files on your NAS and other network drives.</string>
+    <key>NSRemovableVolumesUsageDescription</key>
+    <string>Cmdr needs access to removable volumes to browse and manage files on USB drives and external disks.</string>
+    <key>NSDesktopFolderUsageDescription</key>
+    <string>Cmdr needs access to your Desktop folder to browse and manage files there.</string>
+    <key>NSDocumentsFolderUsageDescription</key>
+    <string>Cmdr needs access to your Documents folder to browse and manage files there.</string>
+    <key>NSDownloadsFolderUsageDescription</key>
+    <string>Cmdr needs access to your Downloads folder to browse and manage files there.</string>
 </dict>
 </plist>
diff --git a/apps/desktop/src-tauri/tauri.conf.json b/apps/desktop/src-tauri/tauri.conf.json
@@ -55,7 +55,8 @@
       "resources/llama-server.tar.gz"
     ],
     "macOS": {
-      "bundleName": "Cmdr"
+      "bundleName": "Cmdr",
+      "entitlements": "./Entitlements.plist"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,8 @@`
`55`	`55`	`"resources/llama-server.tar.gz"`
`56`	`56`	`],`
`57`	`57`	`"macOS": {`
`58`		`- "bundleName": "Cmdr"`
	`58`	`+ "bundleName": "Cmdr",`
	`59`	`+ "entitlements": "./Entitlements.plist"`
`59`	`60`	`}`
`60`	`61`	`}`
`61`	`62`	`}`