fix(agent): harden macos es/ne scaffolding and supervision #180

Merged: bb-connor merged 166 commits into main from fix/macos-es-ne-hardening on May 22, 2026

@bb-connor (Collaborator) commented Mar 8, 2026

Summary

  • harden macOS ES/NE scaffolding so status, receipts, and release packaging fail closed instead of reporting false healthy or supervised success
  • add macOS host status collection plus native ES/NE status helpers, fixtures, and tests under the agent app system-extension scaffolding
  • replace repo-driven swarm shell execution with validated bootstrap presets and safer lane/worktree/branch handling

Testing

  • cargo test -p clawdstrike sandbox:: -- --nocapture
  • cargo test -p hush-cli --test supervisor_tests -- --nocapture
  • cargo test -p hush-cli hush_run::tests -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos:: -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml agent_health_route_reports_pending_host_state -- --nocapture
  • cargo clippy -p clawdstrike --tests -- -D warnings
  • cargo clippy -p hush-cli --tests -- -D warnings
  • cargo clippy --manifest-path apps/agent/src-tauri/Cargo.toml --tests -- -D warnings
  • swift test --package-path apps/agent/src-tauri/macos/system-extension/endpoint-security
  • swift test --package-path apps/agent/src-tauri/macos/system-extension/network-extension
  • swift run --package-path apps/agent/src-tauri/macos/system-extension/endpoint-security endpoint-security-status-tool live
  • swift run --package-path apps/agent/src-tauri/macos/system-extension/network-extension network-extension-status-tool live
  • CLAWDSTRIKE_VALIDATE_MACOS_PACKAGING=1 CLAWDSTRIKE_REQUIRE_CONCRETE_MACOS_PACKAGING=1 cargo check --manifest-path apps/agent/src-tauri/Cargo.toml
  • bash -n scripts/notarize-agent-macos.sh scripts/codex-swarm/common.sh scripts/codex-swarm/setup-worktrees.sh
  • git diff --check -- .codex/swarm/lanes.tsv .codex/swarm/waves.tsv .github/workflows/ci.yml .github/workflows/release.yml apps/agent/src-tauri/build.rs apps/agent/src-tauri/src/api_server.rs apps/agent/src-tauri/src/main.rs apps/agent/src-tauri/src/macos/collector.rs apps/agent/src-tauri/src/macos/host.rs apps/agent/src-tauri/src/macos/mod.rs apps/agent/src-tauri/src/macos/status.rs apps/agent/src-tauri/tauri.conf.json crates/libs/clawdstrike/src/sandbox/attestation.rs crates/libs/clawdstrike/src/sandbox/capability_builder.rs crates/services/hush-cli/src/hush_run.rs crates/services/hush-cli/src/supervised_exec.rs crates/services/hush-cli/tests/supervisor_tests.rs docs/plans/multi-agent/codex-swarm-playbook.md docs/plans/threat-intel/overview.md scripts/codex-swarm/common.sh scripts/codex-swarm/setup-worktrees.sh scripts/notarize-agent-macos.sh

Note

Medium Risk
Medium risk because it materially changes CI/release behavior (new fail-closed packaging checks, Swift coverage gates, and notarization/signing steps) and updates dependency lockfiles, which could cause build/release failures if environment variables, signing assets, or updated crates behave differently.

Overview
This PR hardens the agent’s macOS system-extension packaging by adding build-time validation in apps/agent/src-tauri/build.rs (required assets present, tauri.conf.json includes required macOS settings/resources, and optionally release-gated checks for placeholders/scaffold_only plus verification of a prebuilt signed .systemextension bundle via codesign and required entitlements).

CI is expanded to run and gate Swift system-extension packages: a new macOS job runs swift test for EndpointSecurity/NetworkExtension packages, generates coverage JSON via llvm-cov, and enforces a changed-line Swift coverage floor; Rust coverage now also includes agent Tauri LCOV, and cargo-audit behavior is tightened for app lockfiles while adding new ignored advisories. Release automation is updated to validate macOS packaging preflight, verify offline/vendored Rust builds, and replace the agent DMG build with a notarization/signing flow (pinned tauri-cli, certificate/keychain setup, notarytool profile handling, provisioning a prebuilt system-extension bundle, and uploading notarization evidence). Dependency updates include pinning workspace rand to 0.9.4 and refreshing Cargo.lock/apps/agent/src-tauri/Cargo.lock; prepare-bundled-hushd.sh now also builds/bundles Swift status tools, and the agent README is expanded to document local EDR endpoints and telemetry behavior.

Reviewed by Cursor Bugbot for commit 012f7bb. Bugbot is set up for automated code reviews on this repo.

Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread apps/agent/src-tauri/src/macos/collector.rs
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c52c469b75

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/agent/src-tauri/src/api_server.rs Outdated
Comment thread apps/agent/src-tauri/src/macos/collector.rs Outdated
@bb-connor
Collaborator Author

Addressed the review feedback in 1698f87. Changes:

  • keep non-macOS /api/v1/agent/health on the previous ok fallback instead of forcing macOS host state
  • fail closed when ES/NE install-state samples disagree, so partial deployment no longer collapses to installed
  • stop placeholder macOS provider states from forcing every supervised attestation to degraded, while still requiring explicit provider-state attachment when we actually know the ES/NE state
  • make attestation mechanism emission deterministic without relying on adjacent dedup()
  • fix the all-features clippy/import regression and the platform-specific attestation test that broke coverage/offline CI

Local validation rerun:

  • cargo test -p clawdstrike sandbox::attestation::tests -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos::collector::tests -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml agent_health_route_reports_pending_host_state -- --nocapture
  • cargo clippy --all-targets --all-features -- -D warnings

Comment thread crates/services/hush-cli/src/hush_run.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread apps/agent/src-tauri/src/macos/collector.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
@bb-connor
Collaborator Author

@codex

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e2406e139a

Comment thread apps/agent/src-tauri/src/macos/collector.rs Outdated
@bb-connor
Collaborator Author

Addressed the remaining PR feedback in 20d1e1349.

Changes:

  • make combined macOS install-state aggregation fail closed for installed + unknown as well as partial-install disagreement
  • make combined approval aggregation require consistent proof instead of promoting a single approved sample
  • fix the hush_run degraded-supervision test to assert the platform-specific reason so Linux/offline CI no longer fails spuriously

Local validation:

  • cargo test -p hush-cli --bin hush finalize_sandbox_contract_status_marks_degraded_supervised_runs -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos::collector::tests -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml agent_health_route_reports_pending_host_state -- --nocapture
  • CARGO_NET_OFFLINE=true scripts/cargo-offline.sh test -p hush-cli --bin hush
  • cargo clippy -p hush-cli --tests -- -D warnings
  • cargo clippy --manifest-path apps/agent/src-tauri/Cargo.toml --tests -- -D warnings

The two remaining attestation bot threads are false positives: the comment bodies explicitly walk themselves back, and the current effective_enforcement_level behavior is already covered by the existing attestation tests.

@bb-connor
Collaborator Author

Addressed the last open review comment in b24cc48b6.

Change:

  • only advertise the resource-package swift run fallback when the Swift toolchain is actually present, matching the existing source-package fallback and preventing repeated runtime poll failures on end-user Macs without Swift installed

Local validation:

  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos::collector::tests -- --nocapture
  • cargo clippy --manifest-path apps/agent/src-tauri/Cargo.toml --tests -- -D warnings

@bb-connor
Collaborator Author

@codex

Comment thread apps/agent/src-tauri/src/macos/collector.rs
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b24cc48b6b

Comment thread apps/agent/src-tauri/src/api_server.rs
@bb-connor
Collaborator Author

Addressed the new aggregation/health comments in 29c7f5805.

Changes:

  • stop poisoning combined install/approval state with the default unknown snapshot by only aggregating those fields when both ES and NE helpers reported
  • preserve fail-closed behavior for missing helper output by keeping aggregate install/approval at unknown unless both helpers agree
  • classify install_state: not_installed as degraded host health so missing protection does not look transient

Local validation:

  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos::collector::tests -- --nocapture
  • cargo test --manifest-path apps/agent/src-tauri/Cargo.toml macos_host_health_status -- --nocapture
  • cargo clippy --manifest-path apps/agent/src-tauri/Cargo.toml --tests -- -D warnings
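
The fail-closed aggregation rules listed in the comments above (both helpers must report and agree; `not_installed` counts as degraded), as an added Rust example that is not code from this PR. All type and function names are hypothetical, and the `Healthy` and `Pending` mappings are assumptions.

```rust
// Added illustration: all names are hypothetical, not the project's collector.rs.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Install { Installed, NotInstalled, Unknown }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Approval { Approved, NotApproved, Unknown }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Health { Healthy, Pending, Degraded }

/// What one status helper (ES or NE) reported for a poll.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Report { pub install: Install, pub approval: Approval }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct HostState { pub install: Install, pub approval: Approval, pub health: Health }

/// Keep a value only when both helpers reported it and the two samples agree.
/// A missing helper, a disagreement, or installed + unknown all yield `unknown`.
fn agreed<T: Copy + PartialEq>(es: Option<T>, ne: Option<T>, unknown: T) -> T {
    match (es, ne) {
        (Some(a), Some(b)) if a == b => a,
        _ => unknown,
    }
}

pub fn aggregate(es: Option<Report>, ne: Option<Report>) -> HostState {
    let install = agreed(es.map(|r| r.install), ne.map(|r| r.install), Install::Unknown);
    let approval = agreed(es.map(|r| r.approval), ne.map(|r| r.approval), Approval::Unknown);
    let health = match (install, approval) {
        // From the PR: missing protection is degraded, not transient.
        (Install::NotInstalled, _) => Health::Degraded,
        // Assumption: healthy needs consistent proof of both properties.
        (Install::Installed, Approval::Approved) => Health::Healthy,
        // Assumption: everything unproven is reported as pending.
        _ => Health::Pending,
    };
    HostState { install, approval, health }
}

fn main() {
    let ok = Report { install: Install::Installed, approval: Approval::Approved };
    let missing = Report { install: Install::NotInstalled, approval: Approval::NotApproved };
    let unsure = Report { install: Install::Unknown, approval: Approval::Unknown };
    // Constructed samples: (ES helper, NE helper).
    let cases = [
        (Some(ok), Some(ok)),
        (Some(ok), Some(missing)),
        (Some(ok), Some(unsure)),
        (Some(ok), None),
        (Some(missing), Some(missing)),
    ];
    for (es, ne) in cases {
        println!("{:?}", aggregate(es, ne));
    }
}
```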

@bb-connor
Collaborator Author

@codex

Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs Outdated
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 29c7f58058

Comment thread crates/services/hush-cli/src/hush_run.rs
@bb-connor
Collaborator Author

Pushed 5a5d90d28 to close the remaining sandbox review items.

Changes in this pass:

  • attestation now fails closed when supervision was requested but is inactive, even if a caller constructed the runtime state without degraded reasons
  • top-level provider_states duplication is removed; runtime.provider_states is now the single serialized source of truth
  • dropped_event_count is written back into the sandbox attestation before receipt finalization so overflowed runs degrade truthfully
  • the supervised receipt integration test now asserts the effective outer contract the runtime actually produced instead of assuming Linux is always fully active

Local validation:

  • CARGO_NET_OFFLINE=true scripts/cargo-offline.sh test -p hush-cli --test supervisor_tests
  • cargo test -p hush-cli --bin hush hush_run::tests -- --nocapture
  • cargo test -p clawdstrike sandbox::attestation::tests -- --nocapture
  • cargo clippy -p hush-cli --tests -- -D warnings
  • cargo clippy -p clawdstrike --tests -- -D warnings

Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
@bb-connor
Collaborator Author

Addressed the latest review and CI issues in b21b417f1.

Changes in this pass:

  • added #[serde(default)] coverage for the new SupervisorStats counters plus explicit legacy compatibility tests in attestation.rs
  • tightened the macOS-only egress warning test so changed-file coverage stays platform-correct
  • fixed the hush integration test binary fallback so coverage and vendored runs use the real sibling target/.../hush binary, never the deps/hush-<hash> Rust test harness

Local validation:

  • cargo test -p clawdstrike sandbox::attestation::tests -- --nocapture
  • cargo llvm-cov -p hush-cli --test supervisor_tests --no-report --all-features
  • CARGO_NET_OFFLINE=true scripts/cargo-offline.sh test -p hush-cli --test supervisor_tests
  • changed-file coverage gate: 80.17% via tools/scripts/check-changed-rust-coverage.py
  • cargo clippy -p hush-cli --tests -- -D warnings
  • git diff --check

Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread crates/libs/clawdstrike/src/sandbox/attestation.rs
Comment thread apps/agent/src-tauri/src/api_server.rs
@bb-connor
Collaborator Author

@codex review current head e5a3360

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Keep it up!

@bb-connor
Collaborator Author

@codex review current head f774c46

Comment thread apps/agent/scripts/prepare-bundled-hushd.sh
@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Delightful!

@bb-connor
Collaborator Author

@codex review current head 55d39d5

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Chef's kiss.

@bb-connor
Collaborator Author

@codex review current head 2227531

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 👍

@bb-connor
Collaborator Author

@codex review current head edaaefa

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 🚀

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Reviewed by Cursor Bugbot for commit edaaefa.

Comment thread apps/agent/src-tauri/build.rs
.map_err(|error| format!("failed to inspect system extension entitlements: {error}"))?;
let mut entitlement_text = String::from_utf8_lossy(&entitlements.stdout).to_string();
entitlement_text.push_str(String::from_utf8_lossy(&entitlements.stderr).as_ref());
validate_system_extension_entitlements_output(&entitlement_text)
Missing codesign exit status check before entitlement validation

Low Severity

validate_system_extension_codesign does not check entitlements.status.success() after running codesign -d --entitlements :-. If codesign fails to extract entitlements (e.g., corrupted bundle or permission error), the empty/error output is still passed to validate_system_extension_entitlements_output, which would report "missing entitlement" instead of the actual extraction failure. The earlier --verify and -dvv invocations both check their exit status, but this third invocation does not.

@bb-connor
Collaborator Author

@codex review current head 70a44d5

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Can't wait for the next one!

@bb-connor
Collaborator Author

@codex review current head 012f7bbe9a

@bb-connor
Collaborator Author

@codex review current head 012f7bb

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 012f7bbe91

return Ok(None);
}

Ok(String::from_utf8(bytes).ok())
P2: Reject undecodable packaging files during release scan

Treating String::from_utf8(bytes) failures as None makes the release gate silently skip any non-UTF-8 packaging source, and the caller now continues on None, so both placeholder and scaffold_only checks are bypassed for that file. In REQUIRE_CONCRETE builds, a mis-encoded text asset (for example a UTF-16 plist/profile) can therefore ship with unresolved __PLACEHOLDER__ values without failing validation; this should fail closed (error) for undecodable text instead of silently skipping.

Useful? React with 👍 / 👎.
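
The bypass described in the review comment above, next to a fail-closed variant, as an added Rust example that is not the project's build.rs. Function names, the marker list and the sample bytes are constructed for illustration; the NUL-byte rejection goes one step beyond the review's point.

```rust
// Added illustration: names and marker list are assumptions based on the
// review comment above, not the project's build.rs.
const MARKERS: [&str; 2] = ["__PLACEHOLDER__", "scaffold_only"];

fn find_marker(name: &str, text: &str) -> Result<(), String> {
    match MARKERS.iter().find(|m| text.contains(**m)) {
        Some(m) => Err(format!("{name}: unresolved marker {m}")),
        None => Ok(()),
    }
}

/// Pattern the review flags: a decode failure silently skips the file.
pub fn scan_skip_undecodable(files: &[(&str, Vec<u8>)]) -> Result<(), String> {
    for (name, bytes) in files {
        let Ok(text) = std::str::from_utf8(bytes) else { continue };
        find_marker(name, text)?;
    }
    Ok(())
}

/// Fail-closed variant: a decode failure is itself a validation error.
/// NUL bytes are rejected too, because BOM-less UTF-16 of ASCII text is
/// valid UTF-8 and would otherwise hide its markers between the NULs.
pub fn scan_fail_closed(files: &[(&str, Vec<u8>)]) -> Result<(), String> {
    for (name, bytes) in files {
        let text = std::str::from_utf8(bytes)
            .map_err(|e| format!("{name}: not UTF-8 (byte {})", e.valid_up_to()))?;
        if text.contains('\0') {
            return Err(format!("{name}: NUL byte in text asset"));
        }
        find_marker(name, text)?;
    }
    Ok(())
}

/// Constructed sample input: UTF-16LE encoding of `text`, optionally with a BOM.
pub fn utf16le(text: &str, bom: bool) -> Vec<u8> {
    let mut out = if bom { vec![0xFF, 0xFE] } else { Vec::new() };
    out.extend(text.encode_utf16().flat_map(|u| u.to_le_bytes()));
    out
}

fn main() {
    let plist = "<string>__PLACEHOLDER__</string>";
    let files = vec![
        ("ok.plist", b"<string>TEAMID.example</string>".to_vec()),
        ("utf16.plist", utf16le(plist, true)),
    ];
    // The first scan passes although utf16.plist still carries a placeholder.
    println!("skip-on-error: {:?}", scan_skip_undecodable(&files));
    println!("fail-closed:   {:?}", scan_fail_closed(&files));
}
```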

@bb-connor
Collaborator Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Keep them coming!

@bb-connor bb-connor merged commit 0f9a74f into main May 22, 2026
53 checks passed
@bb-connor bb-connor deleted the fix/macos-es-ne-hardening branch May 22, 2026 23:38