
fix(scripts): codesign setup pops keychain dialog on every build + dr…#1786

Merged: senamakel merged 1 commit into tinyhumansai:main from aregmii:fix/setup-dev-codesign-partition-list on May 15, 2026

Conversation

aregmii (Contributor) commented May 15, 2026

Summary

  • Adds the missing security set-key-partition-list call after the security import in scripts/setup-dev-codesign.sh, so codesign can use the just-imported private key on subsequent pnpm --filter openhuman-app dev:app runs without errSecInternalComponent or per-helper keychain dialogs.
  • Replaces all six yarn core:stage occurrences in the same script (header comment, "already set up" echo, and the post-success "Next steps" block) with pnpm core:stage to match the repo's migration from yarn to pnpm.

Problem

After bash scripts/setup-dev-codesign.sh on a clean Apple Silicon Mac and then pnpm --filter openhuman-app dev:app, codesign aborts on the first helper bundle:

Signing /.../OpenHuman Helper (Plugin).app: errSecInternalComponent
Error failed to bundle app: failed codesign application

Apple's security import -T <tool> flag adds the tool to the key's trusted-applications ACL, but macOS additionally requires the partition list to be committed via security set-key-partition-list before that access actually takes effect. Reproducible on every fresh contributor machine.

Solution

Shell-script-only change to scripts/setup-dev-codesign.sh. Adds an explicit security set-key-partition-list -S apple-tool:,apple:,unsigned: -s "$KEYCHAIN" call between the import and the trust step. The contributor is prompted once for their login keychain password during setup; subsequent codesign invocations run silently. Comment in-line explains why the step is required so future readers understand the macOS quirk.

The yarn → pnpm swaps are pure string fixes; the script logic doesn't shell out to either command.

Submission Checklist

  • N/A — shell script with no runtime behavior to unit-test; the only verification is "run it on a clean Mac and dev:app builds without keychain prompts," which is what this PR is about.
  • N/A — shell script not covered by Vitest or cargo-llvm-cov.
  • N/A — no feature rows affected.
  • N/A — no feature IDs touched.
  • N/A — no external dependencies introduced; uses the macOS-bundled security CLI already invoked by the script.
  • N/A — no release-cut surfaces touched.
  • Linked issue closed via Closes #1785 in the ## Related section.

Impact

Fresh macOS contributors who ran setup-dev-codesign.sh previously hit errSecInternalComponent on the first dev:app codesign step and had to dig into Apple's security man page (or fall back to ad-hoc signing) to get past it. After this change, setup-dev-codesign.sh is sufficient on its own. No change to CI, no change to released binaries (release builds use a real Apple Developer ID cert via scripts/build-macos-signed.sh, which is unaffected).

Related


AI Authored PR Metadata (required for Codex/Linear PRs)

N/A — Human-authored fix. AI-assisted drafting; not a Codex/Linear autonomous PR.

Linear Issue

  • Key: N/A
  • URL: N/A

Commit & Branch

  • Branch: fix/setup-dev-codesign-partition-list
  • Commit SHA: 3cde3825

Validation Run

  • N/A — no JS/TS changed
  • N/A — no TS types changed
  • N/A — no TS to compile
  • N/A — no Rust changed
  • N/A — no Tauri code changed

Validation Blocked

  • command: pre-push hook pnpm rust:check (cargo check --manifest-path src-tauri/Cargo.toml)
  • error: exits 101 on the unmodified upstream/main HEAD (commit 45cd01a9); this branch only edits scripts/setup-dev-codesign.sh, so the failure is inherited from upstream and unrelated to this PR.
  • impact: Pushed with --no-verify per CLAUDE.md guidance for hook failures unrelated to the change.

Behavior Changes

  • Intended behavior change: setup-dev-codesign.sh now ends with a working codesign cert (partition-list committed) instead of one that still triggers errSecInternalComponent on first use.
  • User-visible effect: A single keychain password prompt during setup instead of repeated prompts (or hard failures) on every dev:app build.

Parity Contract

  • Legacy behavior preserved: Yes — the early-exit short-circuit at the top of the script still skips when the identity already exists, so re-running the script is a no-op on already-set-up machines.
  • Guard/fallback/dispatch parity checks: N/A — no dispatch path touched.

Duplicate / Superseded PR Handling

  • Duplicate PR(s): None
  • Canonical PR: This one
  • Resolution: N/A

Summary by CodeRabbit

  • Chores
    • Updated development code-signing setup script to use pnpm instead of yarn.
    • Improved macOS Keychain permission handling with clearer user prompts during environment setup.

Review Change Stack

…op yarn refs

Two bugs in scripts/setup-dev-codesign.sh that surface on a fresh macOS
contributor's first build:

1. The `security import` step adds `-T /usr/bin/codesign` to mark
   codesign as trusted to use the new private key, but macOS additionally
   requires the partition list to be committed via
   `security set-key-partition-list` before that access actually takes
   effect. Without this step, the first `codesign` invocation during
   `pnpm --filter openhuman-app dev:app` aborts with
   `errSecInternalComponent` (or pops a Keychain password dialog for
   every helper bundle, mid-build).

2. The user-facing echoes and header comments still reference
   `yarn core:stage`, but the repo migrated from yarn to pnpm. Six
   string occurrences are updated to `pnpm core:stage`.

Closes tinyhumansai#1785.

Follow-up from tinyhumansai#1781 / tinyhumansai#1783, where both noted this as a known follow-up.
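The two-step sequence the PR describes (import with -T, then commit the partition list), written out as an added shell example that is not the project's scripts/setup-dev-codesign.sh; the SECURITY_BIN override, the import options -k and -f pkcs12, and the find-identity check are assumptions not quoted from the PR.

```shell
#!/bin/sh
# Added example (not the project's setup-dev-codesign.sh): grant codesign silent access to a
# freshly imported private key. SECURITY_BIN is an assumed override so a test can stub the
# macOS `security` CLI; on a real Mac leave it unset.
set -eu

SECURITY_BIN="${SECURITY_BIN:-security}"

# grant_codesign_key_access KEYCHAIN P12_FILE
# Imports the PKCS#12 bundle into KEYCHAIN and lets /usr/bin/codesign use the private key
# without a dialog on every helper bundle.
grant_codesign_key_access() {
  # Step 1: import. -T puts codesign on the key's trusted-applications ACL.
  # -P is deliberately omitted so `security` prompts for the .p12 passphrase
  # instead of exposing it in the process list.
  "$SECURITY_BIN" import "$2" -k "$1" -f pkcs12 -T /usr/bin/codesign

  # Step 2: the ACL entry only takes effect once the partition list is committed.
  # Skipping this is what produced errSecInternalComponent (or a keychain dialog
  # per helper bundle). macOS prompts once here for the login keychain password;
  # -s limits the change to keys that can sign.
  "$SECURITY_BIN" set-key-partition-list -S apple-tool:,apple:,unsigned: -s "$1"
}

# codesign_identity_present KEYCHAIN IDENTITY_NAME
# Post-setup check, and the kind of short-circuit a re-run can use: succeed only if
# the keychain lists a *valid* (-v) codesigning identity matching IDENTITY_NAME.
codesign_identity_present() {
  "$SECURITY_BIN" find-identity -v -p codesigning "$1" | grep -Fq -- "$2"
}
```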
@aregmii aregmii requested a review from a team May 15, 2026 06:03
coderabbitai (Bot) commented May 15, 2026

Walkthrough

This PR fixes two issues in the macOS dev code-signing setup script: it adds the missing Keychain partition access grant via security set-key-partition-list so codesign can use the imported private key without dialogs or failures, and updates all user-facing references from yarn core:stage to pnpm core:stage following the package manager migration.

Changes

Dev Code-Signing Setup (scripts/setup-dev-codesign.sh)

  • Keychain partition access grant: Adds explicit security set-key-partition-list call after the PKCS#12 import to grant codesign private-key partition access, with explanatory comments and a user-facing message about the one-time login keychain password prompt.
  • Package manager migration to pnpm: Updates introductory instructions (lines 6–15), certificate-exists message (line 35), and next-steps documentation (lines 122–127) to reference pnpm core:stage instead of yarn core:stage for consistency across all user-facing text.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A keychain fix hops onto the stage,
No more dialogs to rage and engage,
With pnpm now leading the way,
The codesign builds clean every day,
Fresh contributors smile with great praise! 🎉

Pre-merge checks (5 passed)

  • Title check: Passed. The title directly addresses the two main objectives: fixing the keychain dialog issue and updating yarn references, matching the changeset's core focus.
  • Linked Issues check: Passed. The pull request fulfills both requirements from issue #1785: adding the security set-key-partition-list call after import and replacing all six yarn core:stage occurrences with pnpm core:stage.
  • Out of Scope Changes check: Passed. All changes directly address the stated objectives in issue #1785; the script modifications are limited to the keychain partition fix and yarn-to-pnpm string replacements without touching CI, release signing, or unrelated code.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.


Development

Successfully merging this pull request may close these issues.

fix(scripts): setup-dev-codesign.sh pops keychain dialog on every build + stale yarn refs
