Releases: Protonk/PolicyWitness
Releases · Protonk/PolicyWitness
Security, what a thing!
perpetual-pebkac
com.apple.security.cs.allow-dyld-environment-variables doesn't really do what I needed it to do, so now we can remove it.
JIT
Too many things are called preflight
- Added a new host‑side SBPL preflight helper that compiles SBPL and emits a JSON envelope: controller/src/bin/sbpl-preflight.rs.
- Wired preflight into the controller run flow with fast‑fail on SBPL compile errors and extra diagnostics on XPC errors, plus new output fields: controller/src/run_flow.rs.
- Added preflight integration plumbing and documentation: controller/src/policy_preflight.rs, controller/src/main.rs, controller/Cargo.toml, controller/README.md, tests/build-evidence.py.
- Updated the build to build/copy/sign the new helper inside the app bundle: build.sh.
- Added signing guidance reminders for embedded helpers: AGENTS.md, SIGNING.md.
- Removed the unused runner selector helper and adjusted the test accordingly: controller/src/runner_select.rs.
Consolidation
Internal re-organization to make PolicyWitness more inspectable.
Learning
Highlights
- Fixed BYOXPC startup by forcing mach‑service mode even when launchd doesn’t forward --mach-service, avoiding the libxpc/xpc_main breakpoint.
- Added tested external runner install guidance (BYOXPC and MachMe) plus a quick smoke request and troubleshooting notes in the user guide.
- Moved sb_api_validator into controller/tools/ and updated build/docs to match.
Triad
Sonoma Cross-check
we cross check a problem that might appear in sandbox_check w/ paths.
Contract
Unification
Unified into a single runner with JSON output. End to end tests added to validated runtime witness. External "BYOSig" routine available for entitlement based restrictions.