fix: document + tool macOS com.apple.provenance workaround (#3) #60

Merged
sysadmin merged 1 commits from fix/issue-3-provenance-python-exec into master 2026-07-02 05:23:23 -05:00
Owner

Closes #3.

Root cause

macOS Sequoia+ blocks Python.app from executing files carrying the com.apple.provenance extended attribute. Agent/IDE-terminal-written .py files get it (shell scripts + pre-session files don't). It's a macOS security feature, not a bug in our code — so the fix is an operator workaround (extended-attribute handling), not a change to the tools.

Change (narrow, macOS-specific)

  • scripts/clear-provenance — recursively removes only com.apple.provenance under a path (default: repo root); tolerates files without it; leaves other xattrs intact; --dry-run. Advises running from a Full-Disk-Access terminal (Terminal.app).
  • README Troubleshooting section: symptom, the helper, manual xattr equivalents, and the Full Disk Access alternative.

No change to auth/release/worktree/tracker/MCP behavior.

Tests / checks

  • tests/test_clear_provenance.py — 6 cases: dry-run default + explicit path, missing-path error (exit 1), bad-flag/too-many-args (exit 2), and that only com.apple.provenance is targeted (not a blanket xattr -rc). Dry-run only — no real xattr mutation (macOS-specific side effect).
  • bash -n scripts/clear-provenance clean; py_compile mcp_server.py clean.
  • Full suite (isolated worktree): 319 passed, 0 failures, 0 errors (JUnit XML).
  • git diff --check clean; secret scan clean.

Files changed

scripts/clear-provenance (new), tests/test_clear_provenance.py (new), README.md.

Process

Isolated worktree: ./scripts/worktree-start fix/issue-3-provenance-python-exec → branches/fix-issue-3-provenance-python-exec.


⚠️ Authored by me — do not self-merge. Needs review by another author.
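The helper this PR describes, as an added example that is not the project's own `scripts/clear-provenance`: it walks a path, touches only `com.apple.provenance`, tolerates files without it, and supports `--dry-run` with the same exit codes the PR lists. It assumes stock `xattr(1)` semantics (`-p` exits non-zero when the attribute is absent, `-d` deletes one named attribute) plus a hypothetical `XATTR_CMD` override so the logic can be exercised with a stand-in on a non-macOS host.

```bash
#!/usr/bin/env bash
# Added example, not the project's scripts/clear-provenance: strip ONLY the
# com.apple.provenance xattr from regular files under a path, leaving every
# other extended attribute alone. Usage: clear_provenance [--dry-run] [PATH]
set -euo pipefail

ATTR="com.apple.provenance"
# Hypothetical override so the logic can be exercised with a stand-in on a
# non-macOS host; on a Mac this is the stock xattr(1) tool.
XATTR_CMD="${XATTR_CMD:-xattr}"

# True when FILE carries $ATTR: xattr -p exits non-zero if the attribute is absent.
has_provenance() {
  "$XATTR_CMD" -p "$ATTR" "$1" >/dev/null 2>&1
}

# Prints each affected path on stdout, progress on stderr. Exit codes follow the
# PR's helper: 1 = path does not exist, 2 = bad flag or too many arguments.
clear_provenance() {
  local dry_run=0 root="" arg f n=0
  for arg in "$@"; do
    case "$arg" in
      --dry-run) dry_run=1 ;;
      -*) echo "usage: clear_provenance [--dry-run] [PATH]" >&2; return 2 ;;
      *) [ -z "$root" ] || { echo "too many arguments" >&2; return 2; }
         root="$arg" ;;
    esac
  done
  root="${root:-.}"
  [ -e "$root" ] || { echo "no such path: $root" >&2; return 1; }
  while IFS= read -r -d '' f; do
    has_provenance "$f" || continue        # tolerate files without the attribute
    if [ "$dry_run" -eq 0 ]; then
      # Removal may be refused unless the terminal has Full Disk Access (see PR).
      "$XATTR_CMD" -d "$ATTR" "$f" || { echo "failed: $f" >&2; continue; }
    fi
    echo "$f"
    n=$((n + 1))
  done < <(find "$root" -type f -print0)
  if [ "$dry_run" -eq 1 ]; then
    echo "$ATTR: $n file(s) would be cleared (dry run)" >&2
  else
    echo "$ATTR: $n file(s) cleared" >&2
  fi
}

# Typical use: clear_provenance --dry-run . first, then clear_provenance .
```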

jcwalker3 added 1 commit 2026-07-02 05:13:54 -05:00
Root cause: macOS Sequoia+ blocks Python.app from executing files carrying the
com.apple.provenance extended attribute. Files written by an agent/IDE terminal
get it (shell scripts and pre-session files do not). This is a macOS security
feature, not a bug in our code — so the fix is an operator workaround, not a
code change to the tools.

- scripts/clear-provenance: recursively removes ONLY com.apple.provenance under
  a path (default: repo root); tolerates files without it; leaves other xattrs
  intact; supports --dry-run. Advises running from a Full-Disk-Access terminal.
- README Troubleshooting section documenting the symptom, the helper, manual
  xattr equivalents, and the Full Disk Access alternative.

Narrow + macOS-specific; no auth/release/worktree/tracker/MCP behavior changed.

Tests: tests/test_clear_provenance.py (6 cases) — dry-run default/explicit path,
missing-path error, bad-flag/too-many-args exit 2, and that only
com.apple.provenance is targeted (not a blanket xattr clear). Dry-run only; no
real xattr mutation.

bash -n clean; py_compile mcp_server.py clean; full suite 319 passed / 0
failures; git diff --check clean; no secrets.

Closes #3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sysadmin merged commit 848a4294ba into master 2026-07-02 05:23:23 -05:00