feat(release): add macOS arm64 build and installer support

- bundle.sh: parameterize output via BUNDLE_TARGET env var
  (default: linux-x64), produces safeclaw-${BUNDLE_TARGET}.tar.gz
- release.yml: matrix build for ubuntu-latest (linux-x64) and
  macos-15 (darwin-arm64); native sandbox helper built on Linux only
- install.sh: remove Linux-only restriction; detect OS/arch and map
  to correct release asset (linux-x64, linux-arm64, darwin-arm64,
  darwin-x64); skip sandbox helper on macOS; add ~/.zprofile for
  macOS login shells; Homebrew Node.js install hint on macOS

Author: linuxdevel

.github/workflows/release.yml

@@ -10,7 +10,15 @@ permissions:
 
 jobs:
   build-and-release:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            bundle_target: linux-x64
+          - os: macos-15
+            bundle_target: darwin-arm64
+
+    runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout code
@@ -35,24 +43,39 @@ jobs:
 
       - name: Build and bundle
         run: pnpm bundle
+        env:
+          BUNDLE_TARGET: ${{ matrix.bundle_target }}
 
       - name: Install musl-tools
+        if: runner.os == 'Linux'
         run: sudo apt-get update && sudo apt-get install -y musl-tools
 
       - name: Build native sandbox helper
+        if: runner.os == 'Linux'
         run: make -C native
 
-      - name: Prepare native release assets
+      - name: Prepare release assets (Linux)
+        if: runner.os == 'Linux'
         run: |
           cp native/safeclaw-sandbox-helper safeclaw-sandbox-helper-linux-x86_64
-          sha256sum safeclaw-sandbox-helper-linux-x86_64 > SHA256SUMS
+          sha256sum safeclaw-${{ matrix.bundle_target }}.tar.gz safeclaw-sandbox-helper-linux-x86_64 > SHA256SUMS
 
-      - name: Create GitHub release
+      - name: Upload release assets (Linux)
+        if: runner.os == 'Linux'
         uses: softprops/action-gh-release@v2
         with:
           name: ${{ github.ref_name }}
           files: |
-            safeclaw-linux-x64.tar.gz
+            safeclaw-${{ matrix.bundle_target }}.tar.gz
             safeclaw-sandbox-helper-linux-x86_64
             SHA256SUMS
           generate_release_notes: true
+
+      - name: Upload release assets (macOS)
+        if: runner.os == 'macOS'
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ${{ github.ref_name }}
+          files: |
+            safeclaw-${{ matrix.bundle_target }}.tar.gz
+          generate_release_notes: false

install.sh

@@ -44,30 +44,41 @@ for arg in "$@"; do
 done
 
 # ---------------------------------------------------------------------------
-# OS check — Linux only for v1
+# OS and architecture detection
 # ---------------------------------------------------------------------------
 OS="$(uname -s)"
-if [ "$OS" != "Linux" ]; then
-  error "Error: SafeClaw currently supports Linux only."
-  error "Detected OS: $OS"
-  error "macOS and Windows support is planned for a future release."
-  exit 1
-fi
-
-# ---------------------------------------------------------------------------
-# Architecture detection
-# ---------------------------------------------------------------------------
 RAW_ARCH="$(uname -m)"
-case "$RAW_ARCH" in
-  x86_64)  ARCH="x64"   ;;
-  aarch64) ARCH="arm64"  ;;
+
+case "$OS" in
+  Linux)
+    case "$RAW_ARCH" in
+      x86_64)  PLATFORM="linux-x64"  ;;
+      aarch64) PLATFORM="linux-arm64" ;;
+      *)
+        error "Error: Unsupported architecture: $RAW_ARCH"
+        error "SafeClaw supports x86_64 and aarch64 on Linux."
+        exit 1
+        ;;
+    esac
+    ;;
+  Darwin)
+    case "$RAW_ARCH" in
+      arm64)   PLATFORM="darwin-arm64" ;;
+      x86_64)  PLATFORM="darwin-x64"   ;;
+      *)
+        error "Error: Unsupported architecture: $RAW_ARCH"
+        error "SafeClaw supports arm64 and x86_64 on macOS."
+        exit 1
+        ;;
+    esac
+    ;;
   *)
-    error "Error: Unsupported architecture: $RAW_ARCH"
-    error "SafeClaw supports x86_64 (x64) and aarch64 (arm64)."
+    error "Error: Unsupported OS: $OS"
+    error "SafeClaw supports Linux and macOS."
     exit 1
     ;;
 esac
-info "Detected architecture: $RAW_ARCH (mapped to $ARCH)"
+info "Detected platform: $OS/$RAW_ARCH (mapped to $PLATFORM)"
 
 # ---------------------------------------------------------------------------
 # Node.js version check (>= 22)
@@ -82,10 +93,16 @@ if ! command -v node &>/dev/null; then
   error "  curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash"
   error "  nvm install $MIN_NODE_VERSION"
   error ""
-  error "  # Using NodeSource:"
-  error "  curl -fsSL https://deb.nodesource.com/setup_${MIN_NODE_VERSION}.x | sudo -E bash -"
-  error "  sudo apt-get install -y nodejs"
-  error ""
+  if [ "$OS" = "Darwin" ]; then
+    error "  # Using Homebrew:"
+    error "  brew install node@$MIN_NODE_VERSION"
+    error ""
+  else
+    error "  # Using NodeSource (Linux):"
+    error "  curl -fsSL https://deb.nodesource.com/setup_${MIN_NODE_VERSION}.x | sudo -E bash -"
+    error "  sudo apt-get install -y nodejs"
+    error ""
+  fi
   error "  # Using fnm:"
   error "  curl -fsSL https://fnm.vercel.app/install | bash"
   error "  fnm install $MIN_NODE_VERSION"
@@ -173,7 +190,7 @@ info "Latest release: $TAG"
 # ---------------------------------------------------------------------------
 # Download tarball
 # ---------------------------------------------------------------------------
-ASSET_NAME="safeclaw-linux-${ARCH}.tar.gz"
+ASSET_NAME="safeclaw-${PLATFORM}.tar.gz"
 DOWNLOAD_URL="https://github.com/$REPO/releases/download/$TAG/$ASSET_NAME"
 TMPDIR="$(mktemp -d)"
 TARBALL="$TMPDIR/$ASSET_NAME"
@@ -197,36 +214,39 @@ mkdir -p "$INSTALL_DIR"
 tar xzf "$TARBALL" -C "$INSTALL_DIR" --strip-components=1
 
 # ---------------------------------------------------------------------------
-# Download sandbox helper binary (optional — sandboxing works without it)
+# Download sandbox helper binary (Linux only)
 # ---------------------------------------------------------------------------
-HELPER_ASSET="safeclaw-sandbox-helper-linux-${RAW_ARCH}"
-HELPER_URL="https://github.com/$REPO/releases/download/$TAG/$HELPER_ASSET"
-SHA_URL="https://github.com/$REPO/releases/download/$TAG/SHA256SUMS"
-
-info "Downloading sandbox helper..."
-HELPER_DL="$TMPDIR/$HELPER_ASSET"
-SHA_DL="$TMPDIR/SHA256SUMS"
-
-if curl -fSL --progress-bar -o "$HELPER_DL" "$HELPER_URL" 2>/dev/null && \
-   curl -fsSL -o "$SHA_DL" "$SHA_URL" 2>/dev/null; then
-
-    # Verify SHA-256 checksum
-    EXPECTED_HASH="$(grep "$HELPER_ASSET" "$SHA_DL" | awk '{print $1}')"
-    ACTUAL_HASH="$(sha256sum "$HELPER_DL" | awk '{print $1}')"
-
-    if [ -n "$EXPECTED_HASH" ] && [ "$EXPECTED_HASH" = "$ACTUAL_HASH" ]; then
-        mkdir -p "$BIN_DIR"
-        install -m755 "$HELPER_DL" "$BIN_DIR/safeclaw-sandbox-helper"
-        success "Sandbox helper installed (SHA-256 verified)."
-    else
-        warn "Warning: Sandbox helper checksum mismatch — skipping."
-        warn "Expected: $EXPECTED_HASH"
-        warn "Actual:   $ACTUAL_HASH"
-        warn "SafeClaw will run with namespace-only sandboxing."
-    fi
+if [ "$OS" = "Linux" ]; then
+  HELPER_ASSET="safeclaw-sandbox-helper-linux-${RAW_ARCH}"
+  HELPER_URL="https://github.com/$REPO/releases/download/$TAG/$HELPER_ASSET"
+  SHA_URL="https://github.com/$REPO/releases/download/$TAG/SHA256SUMS"
+
+  info "Downloading sandbox helper..."
+  HELPER_DL="$TMPDIR/$HELPER_ASSET"
+  SHA_DL="$TMPDIR/SHA256SUMS"
+
+  if curl -fSL --progress-bar -o "$HELPER_DL" "$HELPER_URL" 2>/dev/null && \
+     curl -fsSL -o "$SHA_DL" "$SHA_URL" 2>/dev/null; then
+
+      EXPECTED_HASH="$(grep "$HELPER_ASSET" "$SHA_DL" | awk '{print $1}')"
+      ACTUAL_HASH="$(sha256sum "$HELPER_DL" | awk '{print $1}')"
+
+      if [ -n "$EXPECTED_HASH" ] && [ "$EXPECTED_HASH" = "$ACTUAL_HASH" ]; then
+          mkdir -p "$BIN_DIR"
+          install -m755 "$HELPER_DL" "$BIN_DIR/safeclaw-sandbox-helper"
+          success "Sandbox helper installed (SHA-256 verified)."
+      else
+          warn "Warning: Sandbox helper checksum mismatch — skipping."
+          warn "Expected: $EXPECTED_HASH"
+          warn "Actual:   $ACTUAL_HASH"
+          warn "SafeClaw will run with namespace-only sandboxing."
+      fi
+  else
+      warn "Sandbox helper not available for $RAW_ARCH — skipping."
+      warn "SafeClaw will run with namespace-only sandboxing."
+  fi
 else
-    warn "Sandbox helper not available for $RAW_ARCH — skipping."
-    warn "SafeClaw will run with namespace-only sandboxing."
+  info "Sandbox helper is Linux-only — skipping on macOS."
 fi
 
 # ---------------------------------------------------------------------------
@@ -273,6 +293,13 @@ else
       printf '\n# SafeClaw\n%s\n' "$PATH_LINE" >> "$HOME/.zshrc"
       MODIFIED_CONFIGS+=("~/.zshrc")
     fi
+    # ~/.zprofile — login shells on macOS (Terminal.app opens login shells)
+    if [ "$OS" = "Darwin" ]; then
+      if [ -f "$HOME/.zprofile" ] && ! grep -qF '.safeclaw/bin' "$HOME/.zprofile" 2>/dev/null; then
+        printf '\n# SafeClaw\n%s\n' "$PATH_LINE" >> "$HOME/.zprofile"
+        MODIFIED_CONFIGS+=("~/.zprofile")
+      fi
+    fi
   fi
 
   if [ ${#MODIFIED_CONFIGS[@]} -gt 0 ]; then

scripts/bundle.sh

@@ -4,8 +4,11 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 cd "$REPO_ROOT"
 
+BUNDLE_TARGET="${BUNDLE_TARGET:-linux-x64}"
+TARBALL="safeclaw-${BUNDLE_TARGET}.tar.gz"
+
 echo "==> Cleaning previous build artifacts..."
-rm -rf bundle/ safeclaw-linux-x64.tar.gz
+rm -rf bundle/ safeclaw-*.tar.gz
 pnpm -r exec rm -rf dist
 
 echo "==> Installing dependencies..."
@@ -51,10 +54,10 @@ echo "==> Installing production dependencies in bundle..."
 (cd bundle/safeclaw && pnpm install --prod --frozen-lockfile)
 
 echo "==> Creating tarball..."
-tar czf safeclaw-linux-x64.tar.gz -C bundle safeclaw
+tar czf "$TARBALL" -C bundle safeclaw
 
-TARBALL_SIZE="$(du -h safeclaw-linux-x64.tar.gz | cut -f1)"
+TARBALL_SIZE="$(du -h "$TARBALL" | cut -f1)"
 echo ""
 echo "Bundle complete:"
-echo "  Path: $(pwd)/safeclaw-linux-x64.tar.gz"
+echo "  Path: $(pwd)/$TARBALL"
 echo "  Size: $TARBALL_SIZE"