e842b60ad8
Root cause: macOS Sequoia+ blocks Python.app from executing files carrying the com.apple.provenance extended attribute. Files written by an agent/IDE terminal get it (shell scripts and pre-session files do not). This is a macOS security feature, not a bug in our code — so the fix is an operator workaround, not a code change to the tools. - scripts/clear-provenance: recursively removes ONLY com.apple.provenance under a path (default: repo root); tolerates files without it; leaves other xattrs intact; supports --dry-run. Advises running from a Full-Disk-Access terminal. - README Troubleshooting section documenting the symptom, the helper, manual xattr equivalents, and the Full Disk Access alternative. Narrow + macOS-specific; no auth/release/worktree/tracker/MCP behavior changed. Tests: tests/test_clear_provenance.py (6 cases) — dry-run default/explicit path, missing-path error, bad-flag/too-many-args exit 2, and that only com.apple.provenance is targeted (not a blanket xattr clear). Dry-run only; no real xattr mutation. bash -n clean; py_compile mcp_server.py clean; full suite 319 passed / 0 failures; git diff --check clean; no secrets. Closes #3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>