macOS desktop: install + in-app self-update

[OutThisLife]

Makes the macOS desktop install/update path work end to end. Targets bb/gui.

Changes

Installer/runtime path alignment

• paths.rs: the Tauri installer computed macOS HERMES_HOME as ~/Library/Application Support/hermes, but Python (hermes_constants.get_hermes_home()), install.sh, and the Electron app all use ~/.hermes. The drift meant the installer wrote to one dir and the desktop read from another. Aligned to ~/.hermes.

install.sh stage protocol

• Run each --stage body in a subshell so a stage helper that calls exit 1 still emits its JSON result frame instead of terminating before it (the Rust/Electron parser expects a {ok:false,…} frame, not a missing one).

git auto-provision (parity with install.ps1)

• install.ps1 downloads PortableGit on Windows; install.sh previously just printed a "please install git" hint and exited, so a fresh machine with no developer tools couldn't clone. check_git now provisions git first: macOS → Homebrew if present, else xcode-select --install; Linux → apt/dnf/pacman. Falls back to manual instructions only if that fails.

In-app self-update (macOS/Linux)

• With no staged updater binary, "Update now" previously only printed hermes update. POSIX has no venv-shim file lock, so the desktop now drives the update itself: hermes update --yes [--branch <current>] (backend) → hermes desktop --build-only (OS-aware GUI rebuild, with the managed Node + venv on PATH) → a detached swapper waits for the app to exit, dittos the rebuilt Hermes.app over the running bundle, clears quarantine, and relaunches. Degrades to "backend updated — restart to load the new GUI" if the rebuild fails or there's no bundle to swap (dev run / AppImage).

Verified locally

• Drag-install .dmg (npm run dist:mac:dmg): mounts to a volume with Hermes.app + /Applications shortcut and the correct icon on both the app and the volume.
• install.sh --manifest/--stage JSON contract: valid manifest, unknown-stage → exit 2 + frame, failure still emits a frame; check_git happy path.
• .app swap mechanism in isolation (old bundle replaced, no leftover temp dirs).
• main.cjs parses + lints clean.

Not in this PR / follow-ups

• Code signing + notarization (Apple Developer ID) — required for a downloaded dmg to open without the Gatekeeper override.
• End-to-end run on a clean Mac: drag-install → first-launch bootstrap → "Update now" rebuild/swap/relaunch.

[alt-glitch]

Related: Addresses HERMES_HOME drift described in #32741 (macOS LaunchAgent resets HERMES_HOME on reinstall). Competing fix: #32795.

Note: This PR targets bb/gui feature branch, not main.

[OutThisLife]

Pushed two more commits toward true normie-mac happy-path:

feat(install.sh): auto-provision git — parity with install.ps1's PortableGit. check_git now installs git before bailing: macOS → Homebrew (headless) else xcode-select --install (also gives the compiler some wheels need); Linux → apt/dnf/pacman. Removes the "fresh Mac has no git → clone fails" blocker.

feat(desktop): in-app GUI+backend self-update on macOS/Linux — "Update now" with no staged Hermes-Setup now drives it directly (no venv-lock on POSIX): hermes update (backend) → hermes desktop --build-only (OS-aware GUI rebuild) → detached swapper dittos the rebuilt Hermes.app over the running bundle, clears quarantine, relaunches. Degrades to "backend updated — restart to load the new GUI" if rebuild fails / no bundle (dev/AppImage).

Tested locally: install.sh syntax + git happy-path; .app swap mechanism in isolation (v1→v2, no leftover temp dirs); main.cjs parse + lint clean.

Still needs real-install E2E (can't fully exercise here): dragged /Applications/Hermes.app → first-launch bootstrap on a bare Mac (git auto-provision via CLT) → "Update now" → rebuild+swap+relaunch. And signing/notarization remains the separate prerequisite for a downloaded dmg to open without the Gatekeeper override.

[tonydwb]

Code Review Summary

Verdict: Approved ✅

Review

Fixes macOS installer HERMES_HOME drift (Tauri was using ~/Library/Application Support/hermes while everything else uses ~/.hermes) and hardens install.sh stage protocol for subshell failure-frame handling.

✅ Looks Good

• Correct fix: Removes the macOS cfg branch in paths.rs so it falls through to existing ~/.hermes path.
• Subshell fix: Stage body in subshell so exit 1 only unwinds the subshell and the parent emits {ok:false,...}.
• Well-documented: Clear explanation of the two macOS distribution models (drag .dmg vs Tauri installer) with open decision.
• Verified: Drag-install .dmg works with proper icon.

---

Reviewed by Hermes Agent (cron job)

[OutThisLife]

Local verification of the in-app update path

Ran the exact commands applyUpdatesPosixInApp invokes against a real install (5aade4bc5-era checkout + venv + apps/desktop):

• hermes update --yes --branch <its-branch> (normal same-branch update): HEAD fast-forwarded to the branch tip, dependencies refreshed, "Update complete." ✅
• hermes desktop --build-only: rebuilt apps/desktop/release/mac-arm64/Hermes.app. ✅
• .app bundle swap (ditto over the running bundle): verified in isolation (old→new, no leftover temp dirs). ✅

So the three steps the mac updater chains all work. Not yet exercised: the full Electron click-through (the "Update now" button driving these + the detached swap/relaunch) on a live dragged app — components proven, glue not GUI-tested.

Caveat worth a follow-up (pre-existing hermes update, shared with Windows — not this PR's code)

hermes update --branch <DIFFERENT-branch> on a dirty tree silently did not switch branches and reported "Already up to date" while staying on the old commit. The dirtiness is self-inflicted: the install/build step modifies tracked package-lock.json + ui-tui/package-lock.json, so every update has to autostash. The normal same-branch case works (above); the cross-branch case is fragile. Likely worth either committing the lockfile churn out of the install or hardening hermes update's branch-switch.