Skip to content

P0: agent Mac-control tools must consume the broker-selected customer/grant scope #688

Description

@100yenadmin

P0 problem

Workbench can construct an exact customer/device/grant runtime contract, but its agent-facing Mac-control tools currently execute local bridge commands without consuming that selected scope. A single local connector credential proves access to the Mac, not which active customer grant authorized the request.

Parent: #686
Broker binding producer/enforcement: electricsheephq/electric-sheep-website-dashboard-6158a244#661 and #660
Related transport gate: #499

Scope

  • Bind customer_mac_status, customer_mac_capabilities, desktop_control_status, desktop_see, approved desktop actions, stop, kill switch, and audit-tail proof to the broker-selected customer/VM/device/grant scope.
  • Consume the authenticated runtime binding/opaque attestation from the supported agent/gateway path; do not use old node inventory or unscoped static connector configuration as authority.
  • Reject missing, ambiguous, stale, revoked, expired, wrong-customer, wrong-VM, wrong-device, wrong-grant, wrong-binding-version, and replayed scope with stable safe codes.
  • Preserve the local bridge as capability/safety enforcement. It must not choose a customer.
  • Keep P0: Workbench visible ACP Mac-control cannot consume session MCP #499's ACP/session-MCP transport decision explicit; transport success alone is not authorization proof.

Acceptance criteria

  • Agent tests cover one valid binding, two active customer scopes, explicit switch, session renewal, revoke, expiry, ACL loss, offline, restart, and cross-customer replay.
  • One route passing never implies another route is ready.
  • The assistant cannot claim connected from local status, token presence, or text-only final output.
  • Visible tool-event proof includes the selected safe scope plus customer_mac_status, desktop_control_status, desktop_see, one approved low-impact action, stop, kill switch, and audit evidence.
  • No connector material, customer identifiers, private addresses, cookies, session tokens, or raw logs enter UI, chat, issue, or release evidence.
  • CUA remains primary, Peekaboo remains fallback, and all permission/sensitive-app/takeover/stop/revoke/kill-switch invariants remain unchanged.

Proof boundary

Source tests or direct local bridge success do not establish installed signed-app agent proof, VM-to-Mac control, RC, public distribution, or customer readiness.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:brokerevaOS broker/session/auth integrationarea:native-companionNative macOS companion boundarybugSomething isn't workingevaosevaOS public beta R&D workkind:integrationIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionpublic-betaBlocks or contributes to the public beta gateready-for-agentIssue has enough handoff detail for an agent to startrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission risk

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions