chore: update entitlments for node binaries

apps/desktop/entitlements.node.plist

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Minimal entitlements specifically for Node.js binary -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+</dict>
+</plist>

apps/desktop/forge.config.ts

@@ -296,6 +296,20 @@ const config: ForgeConfig = {
       : {
           osxSign: {
             identity: process.env.CODESIGNING_IDENTITY,
+            // Apply different entitlements based on file path
+            optionsForFile: (filePath: string) => {
+              // Apply minimal entitlements to Node binary
+              if (filePath.includes('node-binaries')) {
+                return {
+                  entitlements: './entitlements.node.plist',
+                  hardenedRuntime: true,
+                };
+              }
+              // Use default entitlements for everything else
+              // https://www.npmjs.com/package/@electron/osx-sign#opts
+              // !still need to do any
+              return null as any;
+            },
           },
           // Notarization for macOS
           ...(process.env.SKIP_NOTARIZATION === "true"