From 72a7e6963deee1bcc1298a2a613e2fa34048410c Mon Sep 17 00:00:00 2001
From: Gregory Schier
Date: Sun, 11 Jan 2026 14:05:47 -0800
Subject: [PATCH] Separate entitlements for main app, yaaknode, and yaakprotoc
---
 .github/workflows/release.yml | 7 +++----
 crates-tauri/yaak-app/macos/entitlements.plist | 8 --------
 .../yaak-app/macos/entitlements.yaaknode.plist | 13 +++++++++++++
 .../yaak-app/macos/entitlements.yaakprotoc.plist | 6 ++++++
 4 files changed, 22 insertions(+), 12 deletions(-)
 create mode 100644 crates-tauri/yaak-app/macos/entitlements.yaaknode.plist
 create mode 100644 crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fcac3dff..69f79149 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -119,10 +119,9 @@ jobs:
 security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
 security list-keychain -d user -s $KEYCHAIN_PATH
- # Sign vendored binaries with hardened runtime
- codesign --force --options runtime --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/protoc/yaakprotoc || true
- # Node.js needs entitlements for JIT and loading plugins with different Team IDs
- codesign --force --options runtime --entitlements crates-tauri/yaak-app/macos/entitlements.plist --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/node/yaaknode || true
+ # Sign vendored binaries with hardened runtime and their specific entitlements
+ codesign --force --options runtime --entitlements crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/protoc/yaakprotoc || true
+ codesign --force --options runtime --entitlements crates-tauri/yaak-app/macos/entitlements.yaaknode.plist --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/node/yaaknode || true
 - uses: tauri-apps/tauri-action@v0
 env:
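Review bot: Both new codesign lines in the release.yml hunk still end in `|| true`, so a failed signing step — a mistyped entitlements path, a missing vendored binary, or an unusable identity in the keychain — is silently swallowed and the job continues into tauri-action with an unsigned or un-entitled helper inside the bundle. Now that the main app's entitlements.plist no longer carries the JIT/library-validation exceptions, each helper depends on its own plist being applied correctly, so this failure should stop the release rather than be masked. Drop `|| true` on both lines, or follow each with `codesign --verify --strict --verbose=2 <helper path>` so the workflow fails before the app is assembled. If the fallback exists so forks without signing secrets can build, guard the step with a condition on the signing secret instead of ignoring the exit status; the enclosing run step starts before this hunk.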
diff --git a/crates-tauri/yaak-app/macos/entitlements.plist b/crates-tauri/yaak-app/macos/entitlements.plist index b9dff51f..7902d8a7 100644 --- a/crates-tauri/yaak-app/macos/entitlements.plist +++ b/crates-tauri/yaak-app/macos/entitlements.plist @@ -2,14 +2,6 @@ - - com.apple.security.cs.allow-unsigned-executable-memory - - - - com.apple.security.cs.disable-library-validation - - diff --git a/crates-tauri/yaak-app/macos/entitlements.yaaknode.plist b/crates-tauri/yaak-app/macos/entitlements.yaaknode.plist new file mode 100644 index 00000000..6ed9b770 --- /dev/null +++ b/crates-tauri/yaak-app/macos/entitlements.yaaknode.plist @@ -0,0 +1,13 @@ + + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + + com.apple.security.cs.disable-library-validation + + + diff --git a/crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist b/crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist new file mode 100644 index 00000000..36a87067 --- /dev/null +++ b/crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist @@ -0,0 +1,6 @@ + + + + + +
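Review bot: The rationale for the two entitlements in the new entitlements.yaaknode.plist is no longer documented anywhere: the release.yml comment that explained them ("Node.js needs entitlements for JIT and loading plugins with different Team IDs") is removed in this commit and is not carried into the plist. Both `com.apple.security.cs.allow-unsigned-executable-memory` and `com.apple.security.cs.disable-library-validation` are among the Hardened Runtime exceptions that most weaken what code signing guarantees for that process, so each should say which feature needs it; add an XML comment above each key such as `<!-- V8 JIT: needs writable, executable pages -->` and `<!-- Plugins may be signed by other Team IDs -->`. If the bundled Node build can run V8 under MAP_JIT, `com.apple.security.cs.allow-jit` is the narrower alternative to unsigned-executable-memory and is worth trying before keeping the broader one — confirm against the Node build flags. The plist markup appears stripped in this rendering, so the exact tag structure could not be checked here.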