
fix(desktop): allow Codex Computer Use automation on macOS #2796

Open. spineda1208 wants to merge 1 commit into pingdotgg:main from spineda1208:fix/computer-use-apple-events-entitlement

@spineda1208 spineda1208 commented May 25, 2026

What Changed

This adds the macOS Automation entitlement and usage description to the packaged desktop app so Codex Computer Use can request the normal macOS Automation prompt when it needs to inspect/control another app.

Specifically:

  • Adds apps/desktop/resources/entitlements.mac.plist.
  • Keeps the existing hardened runtime allowances in that plist.
  • Adds com.apple.security.automation.apple-events.
  • Wires the plist into electron-builder for the app and inherited helper signing.
  • Adds NSAppleEventsUsageDescription for the macOS prompt text.

Why

When Codex calls Computer Use from inside the packaged T3 Code desktop app, macOS can reject the Apple Event request with:

Apple event error -1743

I hit this while testing Codex Computer Use through T3 Code. Codex itself could run, the Computer Use server could run, and the target app was available, but the packaged Electron app did not have the Automation entitlement/prompt wiring needed for macOS to grant that path.

This is related to #2156, but it does not try to solve the whole Computer Use approval/support UX. It only fixes the concrete macOS packaging permission blocker I ran into.

Validation

Ran focused checks locally:

bun lint scripts/build-desktop-artifact.ts apps/desktop/resources/entitlements.mac.plist
bun typecheck --filter=@t3tools/scripts

I also built and tested a local preview app with this entitlement path. After macOS showed the Automation prompt and I allowed it, nested Codex Computer Use from T3 Code was able to inspect Helium successfully instead of failing with Apple event error -1743.

UI Changes

None.

Checklist

  • This PR is small and focused
  • I explained what changed and why
  • I included before/after screenshots for any UI changes
  • I included a video for animation/interaction changes

The last two are marked complete because this PR has no UI, animation, or interaction changes.


Note

Low Risk
Packaging-only macOS signing/Info.plist changes with no runtime app logic changes.

Overview
Fixes macOS Automation for Codex Computer Use in the packaged desktop app by adding a dedicated entitlements plist and wiring it into the mac build.

The new entitlements.mac.plist grants Apple Events (com.apple.security.automation.apple-events) alongside the existing hardened-runtime allowances (JIT, unsigned executable memory, library validation). scripts/build-desktop-artifact.ts points electron-builder at that plist for both the app and inherited helpers, and sets NSAppleEventsUsageDescription so macOS can show the Automation prompt instead of failing with Apple event error -1743.

Reviewed by Cursor Bugbot for commit f36f4b5.

Note

Allow Codex Computer Use automation on macOS via Apple Events entitlements

  • Adds entitlements.mac.plist declaring com.apple.security.automation.apple-events, JIT, unsigned executable memory, and disabled library validation entitlements.
  • Updates build-desktop-artifact.ts to sign macOS builds with these entitlements and inject NSAppleEventsUsageDescription into Info.plist.
  • Risk: cs.disable-library-validation and cs.allow-unsigned-executable-memory relax code signing checks at runtime, which broadens the app's security surface.

Macroscope summarized f36f4b5.
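
A pre-merge check for the entitlement set described above, as an added example that is not part of the pull request or the repository: it parses an entitlements plist, lists each hardened-runtime relaxation that still needs human sign-off, and verifies that the Apple Events entitlement and NSAppleEventsUsageDescription appear together. The plist is a constructed sample, the `audit` function and its parameters are hypothetical, and the full `com.apple.security.cs.*` key names are Apple's documented names for the allowances the summaries abbreviate.

```python
import plistlib

# Hardened-runtime exceptions the PR summaries name; each relaxes a code-signing check.
RELAXATIONS = {
    "com.apple.security.cs.allow-jit":
        "allows writable+executable memory created with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "allows writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-library-validation":
        "allows loading libraries not signed by Apple or the app's team",
}
APPLE_EVENTS = "com.apple.security.automation.apple-events"
USAGE_KEY = "NSAppleEventsUsageDescription"

# Constructed sample mirroring the entitlement set described above (not the repo's file).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.automation.apple-events</key><true/>
</dict></plist>"""


def audit(entitlements_xml, info_plist, approved=frozenset()):
    """Return (severity, message) findings for a hardened-runtime mac build.

    info_plist: dict of Info.plist keys the build injects (hypothetical parameter).
    approved: relaxation keys a human reviewer has already signed off on.
    """
    ents = plistlib.loads(entitlements_xml)
    findings = []
    for key, effect in RELAXATIONS.items():
        if ents.get(key) is True and key not in approved:
            findings.append(("review", f"{key}: {effect}"))
    for key in sorted(set(ents) - set(RELAXATIONS) - {APPLE_EVENTS}):
        findings.append(("review", f"{key}: entitlement outside the expected set"))
    has_usage = bool(str(info_plist.get(USAGE_KEY, "")).strip())
    if ents.get(APPLE_EVENTS) is True and not has_usage:
        # Entitlement without the prompt text the Automation dialog relies on.
        findings.append(("error", f"{APPLE_EVENTS} granted but {USAGE_KEY} is missing"))
    elif has_usage and ents.get(APPLE_EVENTS) is not True:
        # Prompt text without the entitlement: hardened runtime blocks the Apple Event.
        findings.append(("error", f"{USAGE_KEY} set but {APPLE_EVENTS} is not granted"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ENTITLEMENTS, {USAGE_KEY: "constructed prompt text"}):
        print(severity, message)
```

Passing the reviewed keys in `approved` turns the three relaxations from open findings into an explicit allowlist, so a later change that adds a further entitlement still surfaces.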


coderabbitai Bot commented May 25, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


github-actions Bot added the labels vouch:unvouched (PR author is not yet trusted in the VOUCHED list) and size:S (10-29 changed lines, additions + deletions) on May 25, 2026

macroscopeapp Bot commented May 25, 2026

Approvability

Verdict: Needs human review

This PR adds macOS entitlements that relax security restrictions (allow-unsigned-executable-memory, disable-library-validation). Changes with security implications require human review to ensure the trade-offs are intentional and acceptable.