fix(desktop): macOS bundled node inherits parent TCC grants#1614
Merged
Place `node` next to a `com.apple.security.inherit` entitlement so the child Node process inherits the .app's Documents / Desktop / Downloads TCC grants instead of re-prompting on every spawn.

- `entitlements/main.plist` applied via `bundle.macOS.entitlements`; Tauri's `--deep` codesign propagates `inherit` to `Contents/Resources/node` when Developer ID is configured
- `bundle-node.mjs` adds an ad-hoc codesign with the helper plist so the inherit entitlement still attaches on unsigned local / CI builds where `--deep` never runs

Closes #1611
esengine pushed a commit that referenced this pull request on May 24, 2026:
…moved, persisted usage stats, plan dispatch gate

Headline themes:

- Desktop: bundle the CLI-hosted React dashboard, retire Tauri+Preact duplicate (#1418)
- Config: drop preset abstraction; flash/pro are direct model selections (#1657, #1630)
- Stats: persist cumulative usage to session meta + auto-restore on startup (#1667, #1680, #1643, #1628)
- Plans: editMode="plan" enforced at the ToolRegistry dispatch gate (#1681); step advance fix (#1629)
- Context: fold once at turn start, drop pre-flight + byte-ceiling (#1642, #1646); collapsible compacted card (#1649)
- Subagents: per-skill flash/pro override + Settings UI (#1632)
- Desktop polish: sidebar drag-resize (#1688), responsive collapse (#1585), copy/edit overlay + msg-history nav (#1645), Esc closes modal not turn (#1685), QQ tab isolation (#1672), DiffCard for edits (#1662), theme-aware highlighting (#1655), system events toggle (#1654/#1650), macOS TCC inheritance (#1614), dashboard.enabled (#1612)
- Dashboard polish: persistent session URL (#1586, #1589, #1599), theme-aware highlighting (#1664), IME confirm-enter guard (#1689), code-fence lang fix (#1677), vendor chunk split (#1587), markdown table h-scroll (#1562)
- TUI: Alt+S input stash/recall; static history isolated from input rerenders (#1635); legacy mouse drop (#1637, #1648); multi-edit gated in review (#1647)
- Diff: SplitDiff column border holds under CJK (#1686)
- MCP: workspace roots passed to servers (#1625); codeCommand honors mcpServers (#1603)
- Config plumbing: (baseUrl, apiKey) resolved as a tuple (#1658); stale model id self-heal (#1663)

See CHANGELOG for the full list.
Summary
`Reasonix.app/Contents/Resources/node` lacks the `com.apple.security.inherit` entitlement, so macOS treats it as an independent helper with no relation to the parent .app and re-asks each time it spawns.

- `entitlements/main.plist` (includes `inherit`) and wire it into Tauri's codesign via `bundle.macOS.entitlements`. The `--deep` pass propagates that entitlement to `Contents/Resources/node`, so signed releases let the child inherit the parent .app's TCC grants.
- `entitlements/node-helper.plist` plus an ad-hoc `codesign --sign -` at the end of `bundle-node.mjs` to cover the unsigned-release path (when `HAS_APPLE_CERT` is not set in CI). That keeps the inherit entitlement attached on builds that never go through Tauri's `--deep` step.

Verification
Signed release (CI with `HAS_APPLE_CERT==true`):

```shell
codesign -d --entitlements - Reasonix.app/Contents/Resources/node
# expected to contain: <key>com.apple.security.inherit</key><true/>
```

Unsigned local build:
Test plan
- `notarytool` accepts `inherit` on the top-level binary (Apple treats it as a no-op there; if the first signed CI build is rejected we can move the entitlement into a node-only re-sign step instead)

Closes #1611