fix: document + tool the macOS com.apple.provenance workaround (#3)
Root cause: macOS Sequoia+ blocks Python.app from executing files carrying the com.apple.provenance extended attribute. Files written by an agent/IDE terminal get it (shell scripts and pre-session files do not). This is a macOS security feature, not a bug in our code — so the fix is an operator workaround, not a code change to the tools.

- scripts/clear-provenance: recursively removes ONLY com.apple.provenance under a path (default: repo root); tolerates files without it; leaves other xattrs intact; supports --dry-run. Advises running from a Full-Disk-Access terminal.
- README Troubleshooting section documenting the symptom, the helper, manual xattr equivalents, and the Full Disk Access alternative.

Narrow + macOS-specific; no auth/release/worktree/tracker/MCP behavior changed.

Tests: tests/test_clear_provenance.py (6 cases) — dry-run default/explicit path, missing-path error, bad-flag/too-many-args exit 2, and that only com.apple.provenance is targeted (not a blanket xattr clear). Dry-run only; no real xattr mutation. bash -n clean; py_compile mcp_server.py clean; full suite 319 passed / 0 failures; git diff --check clean; no secrets.

Closes #3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -382,3 +382,35 @@ python3 -m pytest tests/ -v
|
||||
| `test_mirror_refs.py` | Flags, safety defaults, local integration tests |
|
||||
|
||||
All tests mock network and keychain access — no real API calls are made.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### macOS: `com.apple.provenance` blocks Python execution (#3)
|
||||
|
||||
On macOS Sequoia and later, files written by an agent/IDE terminal receive the
|
||||
`com.apple.provenance` extended attribute, and macOS blocks `Python.app` from
|
||||
**executing** such files. Symptoms: newly created/restored `.py` files fail to
|
||||
run (e.g. `create_issue.py` "vanishing" or refusing to execute), while shell
|
||||
scripts and files created before the session are unaffected. This is a macOS
|
||||
security feature, not a bug in this project's code.
|
||||
|
||||
Workarounds (run from a terminal with **Full Disk Access**, e.g. `Terminal.app`
|
||||
— not the IDE terminal, or the removal itself may be blocked):
|
||||
|
||||
```bash
|
||||
# Preferred: strip only com.apple.provenance under the repo (dry-run first)
|
||||
./scripts/clear-provenance --dry-run
|
||||
./scripts/clear-provenance
|
||||
|
||||
# Or a single file
|
||||
./scripts/clear-provenance /path/to/file.py
|
||||
|
||||
# Manual equivalents
|
||||
xattr -r -d com.apple.provenance /Users/jasonwalker/Development/Gitea-Tools/
|
||||
xattr -cr /Users/jasonwalker/Development/Gitea-Tools/ # clears ALL xattrs
|
||||
```
|
||||
|
||||
Alternatively, grant Full Disk Access to the terminal app in
|
||||
**System Settings → Privacy & Security**. `scripts/clear-provenance` removes only
|
||||
`com.apple.provenance` (leaving other extended attributes intact) and supports
|
||||
`--dry-run`.
|
||||
|
||||
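Review bot: The two "Manual equivalents" lines in the bash block hard-code a developer-specific absolute path (`/Users/jasonwalker/Development/Gitea-Tools/`), which will not exist on other machines and puts a local username into the README; use a repo-relative path or the same `/path/to/...` placeholder style as the single-file example above them. In the same block, `xattr -cr` is listed under "equivalents" although its own comment says it clears ALL xattrs, which contradicts the closing paragraph's point that the helper removes only `com.apple.provenance` and leaves other extended attributes intact; either drop that line or move it out from under "equivalents" and mark it as a broader, non-preferred option. The closing "Alternatively, grant Full Disk Access to the terminal app" also reads ambiguously after the lead-in that already requires a Full Disk Access terminal, so it would help to say which terminal app is meant and what granting it changes.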