fix: document + tool macOS com.apple.provenance workaround (#3) #60
Closes #3.
Root cause

macOS Sequoia+ blocks `Python.app` from executing files carrying the `com.apple.provenance` extended attribute. Agent/IDE-terminal-written `.py` files get it (shell scripts + pre-session files don't). It's a macOS security feature, not a bug in our code — so the fix is an operator workaround (extended-attribute handling), not a change to the tools.

Change (narrow, macOS-specific)

`scripts/clear-provenance`: recursively removes only `com.apple.provenance` under a path (default: repo root); tolerates files without it; leaves other xattrs intact; `--dry-run`. Advises running from a Full-Disk-Access terminal (Terminal.app).

`xattr` equivalents, and the Full Disk Access alternative.

No change to auth/release/worktree/tracker/MCP behavior.
Tests / checks

`tests/test_clear_provenance.py`: 6 cases: dry-run default + explicit path, missing-path error (exit 1), bad-flag/too-many-args (exit 2), and that only `com.apple.provenance` is targeted (not a blanket `xattr -rc`). Dry-run only — no real xattr mutation (macOS-specific side effect).

`bash -n scripts/clear-provenance` clean; `py_compile mcp_server.py` clean. `git diff --check` clean; secret scan clean.

Files changed

`scripts/clear-provenance` (new), `tests/test_clear_provenance.py` (new), `README.md`.

Process
Isolated worktree: `./scripts/worktree-start fix/issue-3-provenance-python-exec` → `branches/fix-issue-3-provenance-python-exec`.

⚠️ Authored by me — do not self-merge. Needs review by another author.
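As an added example (not the project's `scripts/clear-provenance`, whose source is not on this page), here is a POSIX-sh version of the workaround the description lays out: it deletes only `com.apple.provenance` with `xattr -d`, never a blanket `xattr -c`/`-rc`, skips entries that do not carry the attribute, offers `--dry-run`, and uses the exit codes the PR's tests check (1 for a missing path, 2 for a bad flag or extra positional). The file name `clear_provenance.sh` and the output messages are assumptions; the two macOS `xattr` CLI forms it relies on (`xattr FILE` to list attribute names one per line, `xattr -d NAME FILE` to delete one attribute) are real.

```shell
#!/bin/sh
# clear_provenance.sh (hypothetical name, not the project's scripts/clear-provenance):
# recursively strip ONLY the com.apple.provenance extended attribute below a path,
# leaving every other xattr (quarantine flag, Finder tags, ...) in place.
# Relies on two macOS `xattr` invocations: `xattr FILE` lists attribute names one
# per line, `xattr -d NAME FILE` deletes a single attribute.
set -u

ATTR="com.apple.provenance"

usage() {
  echo "usage: ${0##*/} [--dry-run] [PATH]   (PATH defaults to .)" >&2
  exit 2
}

# True when $1 currently carries the provenance attribute. An absent `xattr`
# binary or an unreadable entry counts as "not present", so re-running on an
# already clean tree is a no-op instead of an error.
has_provenance() {
  xattr "$1" 2>/dev/null | grep -qx "$ATTR"
}

# Walk $1 and print one line per entry that carries the attribute:
# "would remove: PATH" when $2 is 1 (dry run), "removed: PATH" otherwise.
# Only `xattr -d $ATTR` is ever issued; a blanket `xattr -c`/`-rc` would also
# wipe com.apple.quarantine and everything else.
clear_provenance() {
  root=$1
  dry=$2
  find "$root" -print | while IFS= read -r path; do
    has_provenance "$path" || continue
    if [ "$dry" = 1 ]; then
      echo "would remove: $path"
    elif xattr -d "$ATTR" "$path" 2>/dev/null; then
      echo "removed: $path"
    else
      # Usually a sandbox/TCC denial: rerun from a Full Disk Access terminal.
      echo "failed: $path" >&2
    fi
  done
}

# Argument handling mirrors the behaviour the PR description lists for its tests:
# missing path -> exit 1; unknown flag or a second positional -> exit 2.
main() {
  dry=0
  root=.
  npos=0
  while [ $# -gt 0 ]; do
    case $1 in
      --dry-run) dry=1 ;;
      -*) usage ;;
      *) npos=$((npos + 1))
         [ "$npos" -le 1 ] || usage
         root=$1 ;;
    esac
    shift
  done
  if [ ! -e "$root" ]; then
    echo "error: no such path: $root" >&2
    exit 1
  fi
  clear_provenance "$root" "$dry"
}

# Run only when invoked with arguments, e.g. `sh clear_provenance.sh --dry-run .`,
# so the file can also be sourced by a test harness without touching anything.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it with `--dry-run .` first; `failed:` lines on the real run usually mean the terminal lacks Full Disk Access, which is the reason the description recommends Terminal.app. The `read` loop does not cope with filenames that contain newlines.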