Babysitter macos-entitlements-generator

Generate entitlements.plist with appropriate sandbox capabilities for macOS applications

Install

From source (clone the upstream repo):

```sh
git clone https://github.com/a5c-ai/babysitter
```

Claude Code (install into ~/.claude/skills/):

```sh
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/desktop-development/skills/macos-entitlements-generator" ~/.claude/skills/a5c-ai-babysitter-macos-entitlements-generator && rm -rf "$T"
```

Manifest: library/specializations/desktop-development/skills/macos-entitlements-generator/SKILL.md
macos-entitlements-generator
Generate entitlements.plist with appropriate sandbox capabilities for macOS applications. This skill configures the App Sandbox, hardened runtime, and specific entitlements required for app functionality.
Capabilities
- Generate entitlements.plist configuration
- Configure App Sandbox entitlements
- Set up hardened runtime entitlements
- Configure file access permissions
- Enable network access
- Configure hardware access (camera, microphone)
- Set up inter-app communication
- Generate both development and distribution entitlements
Input Schema
```json
{
  "type": "object",
  "properties": {
    "projectPath": { "type": "string", "description": "Path to the Xcode project" },
    "appFeatures": {
      "type": "array",
      "items": {
        "enum": [
          "network-client", "network-server",
          "file-read", "file-write",
          "downloads-read", "downloads-write",
          "pictures-read", "pictures-write",
          "music-read", "music-write",
          "movies-read", "movies-write",
          "user-selected-files",
          "camera", "microphone", "usb", "bluetooth", "print",
          "calendar", "contacts", "location", "apple-events",
          "jit", "unsigned-memory"
        ]
      }
    },
    "appGroups": { "type": "array", "items": { "type": "string" }, "description": "App group identifiers" },
    "keychainGroups": { "type": "array", "items": { "type": "string" }, "description": "Keychain access groups" },
    "disableSandbox": { "type": "boolean", "default": false, "description": "Disable sandbox (not recommended)" },
    "isMASApp": { "type": "boolean", "default": false, "description": "Target Mac App Store" }
  },
  "required": ["projectPath", "appFeatures"]
}
```
Output Schema
```json
{
  "type": "object",
  "properties": {
    "success": { "type": "boolean" },
    "files": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "path": { "type": "string" },
          "type": { "enum": ["entitlements", "info-plist-additions"] }
        }
      }
    },
    "warnings": { "type": "array", "items": { "type": "string" } }
  },
  "required": ["success"]
}
```
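The following is an added example of how a generator behind these two schemas can be implemented; it is not the babysitter project's own code. It maps each `appFeatures` value to an App Sandbox or hardened-runtime entitlement key, adds the matching `NS*UsageDescription` strings for Info.plist where the entitlement triggers a privacy prompt, and reports the Mac App Store restrictions as `warnings` instead of silently emitting a rejected file. The `"file-read"`/`"file-write"` mapping to user-selected access is an assumption (the schema does not say which scope it means); all other keys are Apple's documented entitlement names. The output file names `App.entitlements` and `InfoPlistAdditions.plist` are placeholders.

```python
"""Generate entitlements and Info.plist additions from the skill's input schema."""
import plistlib
from pathlib import Path

# appFeatures value -> entitlement key (Apple's documented names).
FEATURE_KEYS = {
    "network-client": "com.apple.security.network.client",
    "network-server": "com.apple.security.network.server",
    # Assumption: plain file-read/file-write mean user-selected files,
    # the narrowest file scope the sandbox offers.
    "file-read": "com.apple.security.files.user-selected.read-only",
    "file-write": "com.apple.security.files.user-selected.read-write",
    "user-selected-files": "com.apple.security.files.user-selected.read-write",
    "downloads-read": "com.apple.security.files.downloads.read-only",
    "downloads-write": "com.apple.security.files.downloads.read-write",
    "pictures-read": "com.apple.security.assets.pictures.read-only",
    "pictures-write": "com.apple.security.assets.pictures.read-write",
    "music-read": "com.apple.security.assets.music.read-only",
    "music-write": "com.apple.security.assets.music.read-write",
    "movies-read": "com.apple.security.assets.movies.read-only",
    "movies-write": "com.apple.security.assets.movies.read-write",
    "camera": "com.apple.security.device.camera",
    "microphone": "com.apple.security.device.microphone",
    "usb": "com.apple.security.device.usb",
    "bluetooth": "com.apple.security.device.bluetooth",
    "print": "com.apple.security.print",
    "calendar": "com.apple.security.personal-information.calendars",
    "contacts": "com.apple.security.personal-information.addressbook",
    "location": "com.apple.security.personal-information.location",
    "apple-events": "com.apple.security.automation.apple-events",
    "jit": "com.apple.security.cs.allow-jit",
    "unsigned-memory": "com.apple.security.cs.allow-unsigned-executable-memory",
}

# Features whose entitlement triggers a privacy prompt and therefore needs
# a usage description in Info.plist.
PRIVACY_KEYS = {
    "camera": "NSCameraUsageDescription",
    "microphone": "NSMicrophoneUsageDescription",
    "apple-events": "NSAppleEventsUsageDescription",
    "location": "NSLocationUsageDescription",
    "contacts": "NSContactsUsageDescription",
    "calendar": "NSCalendarsUsageDescription",
}

# Hardened-runtime relaxations the Mac App Store does not accept.
MAS_PROHIBITED = {"jit", "unsigned-memory"}


def generate(app_features, app_groups=(), keychain_groups=(),
             disable_sandbox=False, is_mas_app=False):
    """Return (entitlements dict, Info.plist additions dict, warnings list)."""
    unknown = sorted(set(app_features) - FEATURE_KEYS.keys())
    if unknown:
        raise ValueError(f"unknown appFeatures: {unknown}")
    warnings, entitlements = [], {}
    if disable_sandbox:
        warnings.append("App Sandbox disabled: not recommended")
        if is_mas_app:
            warnings.append("Mac App Store requires com.apple.security.app-sandbox")
    else:
        entitlements["com.apple.security.app-sandbox"] = True
    for feature in app_features:
        if is_mas_app and feature in MAS_PROHIBITED:
            warnings.append(f"{feature!r} is prohibited in the Mac App Store; omitted")
            continue
        entitlements[FEATURE_KEYS[feature]] = True
    if app_groups:
        entitlements["com.apple.security.application-groups"] = list(app_groups)
    if keychain_groups:
        entitlements["keychain-access-groups"] = list(keychain_groups)
    # Placeholder usage strings: the real text must tell the user why.
    info_plist = {PRIVACY_KEYS[f]: f"TODO: explain why the app needs {f}"
                  for f in app_features if f in PRIVACY_KEYS}
    return entitlements, info_plist, warnings


def write_outputs(project_path, **kwargs):
    """Write the plists under project_path; return the skill's output-schema dict."""
    entitlements, info_plist, warnings = generate(**kwargs)
    root = Path(project_path)
    root.mkdir(parents=True, exist_ok=True)
    ent_path = root / "App.entitlements"          # placeholder file name
    ent_path.write_bytes(plistlib.dumps(entitlements))
    files = [{"path": str(ent_path), "type": "entitlements"}]
    if info_plist:
        add_path = root / "InfoPlistAdditions.plist"  # placeholder file name
        add_path.write_bytes(plistlib.dumps(info_plist))
        files.append({"path": str(add_path), "type": "info-plist-additions"})
    return {"success": True, "files": files, "warnings": warnings}


if __name__ == "__main__":
    import json, tempfile
    result = write_outputs(tempfile.mkdtemp(),
                           app_features=["network-client", "camera", "jit"],
                           is_mas_app=True)
    print(json.dumps(result, indent=2))
```

The generator only ever emits `true` for a feature the caller asked for; hardened-runtime keys such as `allow-jit` are never written as an explicit `false`, since an absent key already means the protection is on. Keeping `warnings` in the output rather than raising lets the caller still get a usable file for direct distribution while seeing exactly which features would block an App Store build.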
Entitlements.plist Examples
Basic App with Network Access
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- App Sandbox -->
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Network access -->
    <key>com.apple.security.network.client</key>
    <true/>
    <!-- User-selected files (via Open/Save panels) -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
```
Media App with Camera/Microphone
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Camera access -->
    <key>com.apple.security.device.camera</key>
    <true/>
    <!-- Microphone access -->
    <key>com.apple.security.device.microphone</key>
    <true/>
    <!-- Network for streaming -->
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <!-- Save recordings -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <!-- Movies folder: Apple's key lives under the assets.* namespace -->
    <key>com.apple.security.assets.movies.read-write</key>
    <true/>
</dict>
</plist>
```
Developer Tool with JIT
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- JIT compilation (NOT allowed in Mac App Store) -->
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <!-- Disable library validation for plugins -->
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <!-- File access -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```
App with Hardened Runtime (Direct Distribution)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hardened runtime (required for notarization) -->
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <false/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
    <!-- App-specific needs -->
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
```
App Groups and Keychain
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- App Groups for sharing data with extensions -->
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <!-- Keychain access groups -->
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```
Common Entitlement Keys
File System

| Key | Description |
|---|---|
| com.apple.security.files.user-selected.read-only | Read user-selected files |
| com.apple.security.files.user-selected.read-write | Read/write user-selected files |
| com.apple.security.files.downloads.read-only | Read Downloads folder |
| com.apple.security.files.downloads.read-write | Read/write Downloads folder |
| com.apple.security.assets.pictures.read-only | Read Pictures folder |
| com.apple.security.assets.music.read-only | Read Music folder |
| com.apple.security.assets.movies.read-only | Read Movies folder |
Network

| Key | Description |
|---|---|
| com.apple.security.network.client | Outgoing connections |
| com.apple.security.network.server | Incoming connections |
Hardware

| Key | Description |
|---|---|
| com.apple.security.device.camera | Camera access |
| com.apple.security.device.microphone | Microphone access |
| com.apple.security.device.usb | USB device access |
| com.apple.security.device.bluetooth | Bluetooth access |
| com.apple.security.print | Printing |
Hardened Runtime

| Key | Description |
|---|---|
| com.apple.security.cs.allow-jit | Allow JIT compilation |
| com.apple.security.cs.allow-unsigned-executable-memory | Allow unsigned executable memory |
| com.apple.security.cs.disable-library-validation | Load arbitrary plugins |
| com.apple.security.cs.disable-executable-page-protection | Disable W^X |
Privacy Keys (Info.plist)
When using certain entitlements, add corresponding privacy descriptions:
```xml
<!-- Info.plist additions -->
<key>NSCameraUsageDescription</key>
<string>This app needs camera access for video calls.</string>
<key>NSMicrophoneUsageDescription</key>
<string>This app needs microphone access for audio recording.</string>
<key>NSAppleEventsUsageDescription</key>
<string>This app needs to control other applications for automation.</string>
<key>NSLocationUsageDescription</key>
<string>This app needs your location for local weather.</string>
```
Best Practices
- Request minimum permissions: Only what the app needs
- Use user-selected files: Prefer over broad folder access
- Document entitlement usage: Explain to Apple reviewers
- Test in sandbox: Always test sandboxed behavior
- Separate dev/prod entitlements: Different needs for each
- Check MAS restrictions: Some entitlements are prohibited
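The best practices above can be checked mechanically against an existing entitlements file. The following is an added example, not the babysitter project's own code: it parses an entitlements plist, flags a missing App Sandbox, hardened-runtime relaxations, broad folder access where user-selected files would do, and the Mac App Store prohibitions this page mentions. The finding codes (`no-sandbox`, `hardened-runtime`, `mas-prohibited`, `broad-folder-access`) are my own naming; the sample plist is constructed from the "Developer Tool with JIT" example above.

```python
"""Audit an entitlements plist against least-privilege and Mac App Store rules."""
import plistlib

# Constructed sample: the "Developer Tool with JIT" entitlements from this page.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

# Hardened-runtime keys that weaken code-signing or W^X guarantees when true.
RUNTIME_RELAXATIONS = {
    "com.apple.security.cs.allow-jit":
        "JIT regions are writable and executable; document why it is needed",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned code can be mapped executable",
    "com.apple.security.cs.disable-library-validation":
        "plugins signed by any team can be loaded",
    "com.apple.security.cs.disable-executable-page-protection":
        "executable page protection is off entirely",
}

# The page lists JIT and unsigned executable memory as not accepted by the MAS.
MAS_PROHIBITED_KEYS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
}

# Whole-folder grants; "Use user-selected files" is the preferred alternative.
BROAD_FOLDER_PREFIXES = (
    "com.apple.security.files.downloads.",
    "com.apple.security.assets.",
)


def audit(plist_bytes, is_mas_app=False):
    """Return a list of (code, key, message) findings; empty means nothing to flag."""
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    if entitlements.get("com.apple.security.app-sandbox") is not True:
        findings.append(("no-sandbox", "com.apple.security.app-sandbox",
                         "App Sandbox is not enabled"))
    for key, value in entitlements.items():
        if value is not True:          # explicit <false/> keeps the protection on
            continue
        if key in RUNTIME_RELAXATIONS:
            findings.append(("hardened-runtime", key, RUNTIME_RELAXATIONS[key]))
            if is_mas_app and key in MAS_PROHIBITED_KEYS:
                findings.append(("mas-prohibited", key,
                                 "not accepted for Mac App Store submission"))
        elif key.startswith(BROAD_FOLDER_PREFIXES):
            findings.append(("broad-folder-access", key,
                             "prefer com.apple.security.files.user-selected.*"))
    return findings


if __name__ == "__main__":
    for code, key, message in audit(SAMPLE_ENTITLEMENTS, is_mas_app=True):
        print(f"{code:20} {key}: {message}")
```

Run against a built app, the same dictionary is what `codesign -d --entitlements :- MyApp.app` prints, so the audit can sit in a CI step after signing as well as on the source file.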
Related Skills
- Code signing and notarization: macos-notarization-workflow
- Code signing process: macos-codesign-workflow
- Security audit: security-hardening

Related Agents

- macOS development: swiftui-macos-expert
- Security review: desktop-security-auditor