test(desktop): strengthen plist tests — value assertions, XML escaping, ProgramArguments order

- Entitlements: verify <true/> values (not just key presence), no dangerous
  entitlements (disable-executable-page-protection, get-task-allow), no
  duplicate keys, hardenedRuntime enabled in electron-builder
- ProgramArguments: exact ordering for controller [node, entry] and
  openclaw [node, openclaw.mjs, gateway, run], dev --auth none insertion
- Openclaw completeness: WorkingDirectory, StandardErrorPath, KeepAlive
  SuccessfulExit, ThrottleInterval, RunAtLoad=false
- XML escaping: &, <, >, ", ' in path fields correctly escaped

Author: lefarcen

tests/desktop/entitlements-plist.test.ts

@@ -32,6 +32,29 @@ function plistHasKey(plistContent: string, key: string): boolean {
   return plistContent.includes(`<key>${key}</key>`);
 }
 
+/**
+ * Extract all key-value pairs from a flat plist <dict>.
+ * Returns a map of key → value string (e.g. "true" for <true/>).
+ */
+function parsePlistDict(plistContent: string): Map<string, string> {
+  const result = new Map<string, string>();
+  const keyRegex = /<key>([^<]+)<\/key>\s*<([^/> ]+)\s*\/?>([^<]*)/g;
+  let match = keyRegex.exec(plistContent);
+  while (match !== null) {
+    const key = match[1];
+    const tag = match[2];
+    if (tag === "true") {
+      result.set(key, "true");
+    } else if (tag === "false") {
+      result.set(key, "false");
+    } else if (tag === "string") {
+      result.set(key, match[3]);
+    }
+    match = keyRegex.exec(plistContent);
+  }
+  return result;
+}
+
 describe("macOS Entitlements — V8 JIT requirements", () => {
   const parentPlist = readPlist("entitlements.mac.plist");
   const inheritPlist = readPlist("entitlements.mac.inherit.plist");
@@ -132,4 +155,88 @@ describe("macOS Entitlements — V8 JIT requirements", () => {
       ),
     ).toBe(true);
   });
+
+  // -------------------------------------------------------------------------
+  // 8. Value-level: all required keys are set to <true/>
+  // -------------------------------------------------------------------------
+  it("parent plist sets all required entitlements to true (not just key presence)", () => {
+    const dict = parsePlistDict(parentPlist);
+    expect(dict.get("com.apple.security.cs.allow-jit")).toBe("true");
+    expect(
+      dict.get("com.apple.security.cs.allow-unsigned-executable-memory"),
+    ).toBe("true");
+    expect(dict.get("com.apple.security.cs.disable-library-validation")).toBe(
+      "true",
+    );
+  });
+
+  it("inherit plist sets all required entitlements to true", () => {
+    const dict = parsePlistDict(inheritPlist);
+    expect(dict.get("com.apple.security.inherit")).toBe("true");
+    expect(dict.get("com.apple.security.cs.allow-jit")).toBe("true");
+    expect(
+      dict.get("com.apple.security.cs.allow-unsigned-executable-memory"),
+    ).toBe("true");
+  });
+
+  // -------------------------------------------------------------------------
+  // 9. No dangerous entitlements that would weaken security unnecessarily
+  // -------------------------------------------------------------------------
+  it("neither plist grants com.apple.security.cs.disable-executable-page-protection", () => {
+    expect(
+      plistHasKey(
+        parentPlist,
+        "com.apple.security.cs.disable-executable-page-protection",
+      ),
+    ).toBe(false);
+    expect(
+      plistHasKey(
+        inheritPlist,
+        "com.apple.security.cs.disable-executable-page-protection",
+      ),
+    ).toBe(false);
+  });
+
+  it("neither plist grants com.apple.security.get-task-allow in production", () => {
+    // get-task-allow is for debugging only; must not ship in release builds
+    expect(plistHasKey(parentPlist, "com.apple.security.get-task-allow")).toBe(
+      false,
+    );
+    expect(plistHasKey(inheritPlist, "com.apple.security.get-task-allow")).toBe(
+      false,
+    );
+  });
+
+  // -------------------------------------------------------------------------
+  // 10. No duplicate keys (malformed plist)
+  // -------------------------------------------------------------------------
+  it("parent plist has no duplicate keys", () => {
+    const keys = [...parentPlist.matchAll(/<key>([^<]+)<\/key>/g)].map(
+      (m) => m[1],
+    );
+    const unique = new Set(keys);
+    expect(keys.length).toBe(unique.size);
+  });
+
+  it("inherit plist has no duplicate keys", () => {
+    const keys = [...inheritPlist.matchAll(/<key>([^<]+)<\/key>/g)].map(
+      (m) => m[1],
+    );
+    const unique = new Set(keys);
+    expect(keys.length).toBe(unique.size);
+  });
+
+  // -------------------------------------------------------------------------
+  // 11. electron-builder hardenedRuntime must be enabled
+  // -------------------------------------------------------------------------
+  it("electron-builder config enables hardenedRuntime", () => {
+    const packageJson = readFileSync(
+      resolve(DESKTOP_ROOT, "package.json"),
+      "utf8",
+    );
+    const config = JSON.parse(packageJson) as Record<string, unknown>;
+    const build = config.build as Record<string, unknown>;
+    const mac = build.mac as Record<string, unknown>;
+    expect(mac.hardenedRuntime).toBe(true);
+  });
 });

tests/desktop/launchd-startup-scenarios.test.ts

@@ -956,4 +956,79 @@ describe("Launchd Startup Scenarios", () => {
     expect(result.isAttach).toBe(false);
     expect(result.effectivePorts.controllerPort).toBe(50800);
   });
+
+  // -----------------------------------------------------------------------
+  // Scenario 25: Upgrade from pre-version runtime-ports forces clean restart
+  // -----------------------------------------------------------------------
+  it("Scenario 25: missing appVersion in recovered ports triggers clean cold start", async () => {
+    const fsMock = await import("node:fs/promises");
+    const legacyPorts = JSON.stringify({
+      writtenAt: new Date().toISOString(),
+      electronPid: 12345,
+      controllerPort: 50800,
+      openclawPort: 18789,
+      webPort: 50810,
+      nexuHome: "/tmp/nexu-home",
+      isDev: true,
+      userDataPath: "/tmp/user-data",
+      buildSource: "stable",
+    });
+
+    (fsMock.readFile as ReturnType<typeof vi.fn>)
+      .mockRejectedValueOnce(new Error("ENOENT"))
+      .mockRejectedValueOnce(new Error("ENOENT"))
+      .mockResolvedValueOnce(JSON.stringify(legacyPorts))
+      .mockResolvedValueOnce(JSON.stringify(legacyPorts));
+
+    mockLaunchdManager.getServiceStatus.mockResolvedValue(
+      mockRunningService({ NEXU_HOME: "/tmp/nexu-home", PORT: "50800" }),
+    );
+
+    const { bootstrapWithLaunchd } = await import(
+      "../../apps/desktop/main/services/launchd-bootstrap"
+    );
+
+    const result = await bootstrapWithLaunchd(
+      makeBootstrapEnv({
+        appVersion: "1.0.0",
+        userDataPath: "/tmp/user-data",
+        buildSource: "stable",
+      }) as never,
+    );
+
+    expect(result.isAttach).toBe(false);
+    expect(result.effectivePorts.controllerPort).toBe(50800);
+    expect(mockLaunchdManager.installService).toHaveBeenCalledTimes(2);
+  });
+
+  // -----------------------------------------------------------------------
+  // Scenario 26: stale force-quit session cleans runtime-ports and services
+  // -----------------------------------------------------------------------
+  it("Scenario 26: stale dead-electron session older than threshold is cleaned before restart", async () => {
+    const fsMock = await import("node:fs/promises");
+    const stalePorts = makeRuntimePorts({
+      electronPid: 999999,
+      writtenAt: new Date(Date.now() - 10 * 60 * 1000).toISOString(),
+    });
+    (fsMock.readFile as ReturnType<typeof vi.fn>)
+      .mockRejectedValueOnce(new Error("ENOENT"))
+      .mockRejectedValueOnce(new Error("ENOENT"))
+      .mockResolvedValueOnce(stalePorts);
+
+    mockLaunchdManager.getServiceStatus.mockResolvedValue(
+      mockRunningService({ NEXU_HOME: "/tmp/nexu-home", PORT: "50800" }),
+    );
+
+    const { bootstrapWithLaunchd } = await import(
+      "../../apps/desktop/main/services/launchd-bootstrap"
+    );
+
+    const result = await bootstrapWithLaunchd(makeBootstrapEnv() as never);
+
+    expect(result.isAttach).toBe(false);
+    expect(mockLaunchdManager.bootoutService).toHaveBeenCalled();
+    expect(fsMock.unlink).toHaveBeenCalledWith(
+      expect.stringContaining("runtime-ports.json"),
+    );
+  });
 });

tests/desktop/plist-generator.test.ts

@@ -124,6 +124,176 @@ describe("generatePlist", () => {
     );
   });
 
+  // -----------------------------------------------------------------------
+  // ProgramArguments ordering — controller
+  // -----------------------------------------------------------------------
+  it("controller ProgramArguments: [nodePath, controllerEntryPath] in exact order", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("controller", mockEnv);
+
+    // Extract ProgramArguments array content
+    const argsMatch = plist.match(
+      /<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/,
+    );
+    expect(argsMatch).not.toBeNull();
+    const argsBlock = argsMatch?.[1] ?? "";
+    const strings = [...argsBlock.matchAll(/<string>([^<]*)<\/string>/g)].map(
+      (m) => m[1],
+    );
+    expect(strings).toEqual([
+      "/usr/local/bin/node",
+      "/app/controller/dist/index.js",
+    ]);
+  });
+
+  // -----------------------------------------------------------------------
+  // ProgramArguments ordering — openclaw
+  // -----------------------------------------------------------------------
+  it("openclaw ProgramArguments: [nodePath, openclawPath, gateway, run] in exact order", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", mockEnv);
+
+    const argsMatch = plist.match(
+      /<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/,
+    );
+    expect(argsMatch).not.toBeNull();
+    const argsBlock = argsMatch?.[1] ?? "";
+    const strings = [...argsBlock.matchAll(/<string>([^<]*)<\/string>/g)].map(
+      (m) => m[1],
+    );
+    expect(strings).toEqual([
+      "/usr/local/bin/node",
+      "/app/openclaw/openclaw.mjs",
+      "gateway",
+      "run",
+    ]);
+  });
+
+  it("openclaw dev mode inserts --auth none after gateway run", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", { ...mockEnv, isDev: true });
+
+    const argsMatch = plist.match(
+      /<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/,
+    );
+    expect(argsMatch).not.toBeNull();
+    const argsBlock = argsMatch?.[1] ?? "";
+    const strings = [...argsBlock.matchAll(/<string>([^<]*)<\/string>/g)].map(
+      (m) => m[1],
+    );
+    expect(strings).toEqual([
+      "/usr/local/bin/node",
+      "/app/openclaw/openclaw.mjs",
+      "gateway",
+      "run",
+      "--auth",
+      "none",
+    ]);
+  });
+
+  // -----------------------------------------------------------------------
+  // Openclaw plist completeness — WorkingDirectory, error log, KeepAlive
+  // -----------------------------------------------------------------------
+  it("openclaw plist has correct WorkingDirectory", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", mockEnv);
+
+    expect(plist).toContain(
+      "<key>WorkingDirectory</key>\n    <string>/app</string>",
+    );
+  });
+
+  it("openclaw plist has StandardErrorPath", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", mockEnv);
+
+    expect(plist).toContain(
+      "<string>/Users/testuser/.nexu/logs/openclaw.error.log</string>",
+    );
+  });
+
+  it("openclaw plist KeepAlive restarts on non-zero exit", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", mockEnv);
+
+    // SuccessfulExit=false means launchd restarts when exit code != 0
+    expect(plist).toContain("<key>SuccessfulExit</key>");
+    expect(plist).toMatch(/<key>SuccessfulExit<\/key>\s*<false\/>/);
+  });
+
+  it("openclaw plist has ThrottleInterval to prevent rapid respawn", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("openclaw", mockEnv);
+
+    expect(plist).toContain("<key>ThrottleInterval</key>");
+    expect(plist).toMatch(
+      /<key>ThrottleInterval<\/key>\s*<integer>\d+<\/integer>/,
+    );
+  });
+
+  it("controller plist has correct WorkingDirectory", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const plist = generatePlist("controller", mockEnv);
+
+    expect(plist).toContain(
+      "<key>WorkingDirectory</key>\n    <string>/app/controller</string>",
+    );
+  });
+
+  it("both plists have RunAtLoad=false (explicit start only)", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+    const controller = generatePlist("controller", mockEnv);
+    const openclaw = generatePlist("openclaw", mockEnv);
+
+    expect(controller).toMatch(/<key>RunAtLoad<\/key>\s*<false\/>/);
+    expect(openclaw).toMatch(/<key>RunAtLoad<\/key>\s*<false\/>/);
+  });
+
+  // -----------------------------------------------------------------------
+  // XML escaping robustness
+  // -----------------------------------------------------------------------
+  it("escapes ampersand, angle brackets, quotes, and apostrophes in all path fields", async () => {
+    const { generatePlist } = await import(
+      "../../apps/desktop/main/services/plist-generator"
+    );
+
+    const nastEnv = {
+      ...mockEnv,
+      nodePath: "/usr/bin/node's",
+      controllerCwd: '/app/"controller"',
+      openclawPath: "/path/with&special<chars>.mjs",
+      openclawConfigPath: "/Users/test'user/.nexu/config",
+    };
+
+    const controller = generatePlist("controller", nastEnv);
+    const openclaw = generatePlist("openclaw", nastEnv);
+
+    // Verify escaped forms present, raw forms absent
+    expect(controller).toContain("node&apos;s");
+    expect(controller).not.toContain("node's</string>");
+    expect(controller).toContain("&quot;controller&quot;");
+    expect(openclaw).toContain("&amp;special&lt;chars&gt;");
+    expect(openclaw).toContain("test&apos;user");
+  });
+
   it("sets ELECTRON_RUN_AS_NODE=1 for both services", async () => {
     const { generatePlist } = await import(
       "../../apps/desktop/main/services/plist-generator"