feat: harden enterprise control plane

scripts/build-boss-agent-mac-app.sh

@@ -11,6 +11,11 @@ BINARY_PATH="$MACOS_DIR/boss-agent"
 ICONSET_DIR="$RESOURCES_DIR/BossAgent.iconset"
 ICON_PATH="$RESOURCES_DIR/BossAgent.icns"
 SIGNING_IDENTITY="${BOSS_AGENT_CODESIGN_IDENTITY:-}"
+NOTARIZE="${BOSS_AGENT_NOTARIZE:-0}"
+NOTARY_PROFILE="${BOSS_AGENT_NOTARY_PROFILE:-}"
+NOTARY_APPLE_ID="${BOSS_AGENT_NOTARY_APPLE_ID:-}"
+NOTARY_TEAM_ID="${BOSS_AGENT_NOTARY_TEAM_ID:-}"
+NOTARY_PASSWORD="${BOSS_AGENT_NOTARY_PASSWORD:-}"
 
 if ! command -v swiftc >/dev/null 2>&1; then
   echo "swiftc not found. Install Xcode Command Line Tools first." >&2
@@ -23,13 +28,24 @@ if ! command -v iconutil >/dev/null 2>&1; then
 fi
 
 if [[ -z "$SIGNING_IDENTITY" ]] && command -v security >/dev/null 2>&1; then
-  SIGNING_IDENTITY="$(
-    security find-identity -v -p codesigning 2>/dev/null \
-      | awk -F'"' '/"Apple Development:|Developer ID Application:|Mac Developer:|Boss Agent/ { print $2; exit }'
-  )"
+  if [[ "$NOTARIZE" == "1" ]]; then
+    SIGNING_IDENTITY="$(
+      security find-identity -v -p codesigning 2>/dev/null \
+        | awk -F'"' '/"Developer ID Application:/ { print $2; exit }'
+    )"
+  else
+    SIGNING_IDENTITY="$(
+      security find-identity -v -p codesigning 2>/dev/null \
+        | awk -F'"' '/"Apple Development:|Developer ID Application:|Mac Developer:|Boss Agent/ { print $2; exit }'
+    )"
+  fi
 fi
 
 if [[ -z "$SIGNING_IDENTITY" ]]; then
+  if [[ "$NOTARIZE" == "1" ]]; then
+    echo "boss-agent: BOSS_AGENT_NOTARIZE=1 requires a Developer ID Application signing identity." >&2
+    exit 1
+  fi
   SIGNING_IDENTITY="-"
   echo "boss-agent: no stable code signing identity found; falling back to ad-hoc signing." >&2
 else
@@ -172,5 +188,34 @@ cat > "$CONTENTS_DIR/Info.plist" <<'PLIST'
 PLIST
 
 plutil -lint "$CONTENTS_DIR/Info.plist" >/dev/null
-codesign --force --deep --timestamp=none --sign "$SIGNING_IDENTITY" "$APP_DIR" >/dev/null
+if [[ "$NOTARIZE" == "1" ]]; then
+  if ! command -v xcrun >/dev/null 2>&1; then
+    echo "boss-agent: xcrun is required for notarization." >&2
+    exit 1
+  fi
+  codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$APP_DIR" >/dev/null
+
+  NOTARY_ZIP="$ROOT_DIR/dist/boss-agent-notary.zip"
+  rm -f "$NOTARY_ZIP"
+  (
+    cd "$ROOT_DIR/dist"
+    ditto -c -k --keepParent "boss-agent.app" "$NOTARY_ZIP"
+  )
+
+  NOTARY_ARGS=()
+  if [[ -n "$NOTARY_PROFILE" ]]; then
+    NOTARY_ARGS=(--keychain-profile "$NOTARY_PROFILE")
+  elif [[ -n "$NOTARY_APPLE_ID" && -n "$NOTARY_TEAM_ID" && -n "$NOTARY_PASSWORD" ]]; then
+    NOTARY_ARGS=(--apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD")
+  else
+    echo "boss-agent: notarization requires BOSS_AGENT_NOTARY_PROFILE or Apple ID/team/password env vars." >&2
+    exit 1
+  fi
+
+  xcrun notarytool submit "$NOTARY_ZIP" "${NOTARY_ARGS[@]}" --wait >/dev/null
+  xcrun stapler staple "$APP_DIR" >/dev/null
+  rm -f "$NOTARY_ZIP"
+else
+  codesign --force --deep --timestamp=none --sign "$SIGNING_IDENTITY" "$APP_DIR" >/dev/null
+fi
 echo "$APP_DIR"