Skip to content

P0: functional smoke writes Python bytecode into the signed Workbench app #694

Description

@100yenadmin

P0 problem

The Workbench functional-smoke workflow invokes the packaged bridge interpreter directly for the macOS framework import probe:

"$BRIDGE_PYTHON" -I -c ...

That path bypasses the normal evaos-desktop-bridge wrapper. The workflow also runs under env -i, while Python isolated mode (-I) ignores PYTHON* environment variables. As a result, the wrapper's existing PYTHONDONTWRITEBYTECODE=1 and external PYTHONPYCACHEPREFIX protections cannot apply to this probe.

The currently installed v2.1.35 app contains bytecode caches written after its earlier clean installed-app proof. Those added sealed resources make current deep codesign and spctl verification fail even though the stapled notarization ticket remains valid. This installed app is not valid release proof and must not be repaired by deleting files in place.

Root cause

  • Unsafe direct launch: .github/workflows/workbench-functional-smoke.yml packaged bridge import probe.
  • Existing protected launch path: the generated Contents/Resources/Bridge/evaos-desktop-bridge wrapper sets no-bytecode/external-cache policy before executing bundled Python.
  • -I does not disable bytecode generation; Python's CLI -B flag does.

Required fix

  • Change the exact packaged import probe to invoke "$BRIDGE_PYTHON" -I -B -c ....
  • Strengthen the release-gate parser so a functional-smoke workflow that directly invokes the packaged interpreter without -B is rejected.
  • Add a decoy regression proving nearby or unrelated -B text cannot satisfy the exact probe requirement.
  • Audit the Workbench workflows/scripts for any other direct bundled-interpreter execution and apply the same invariant without altering normal connector behavior.

Acceptance criteria

  • Focused tests prove the exact packaged import probe contains both -I and -B.
  • A fresh signed/notarized candidate contains zero __pycache__ directories and zero .pyc files inside the app before smoke.
  • Run the real functional-smoke/import path against the installed candidate.
  • The installed app still contains zero in-bundle bytecode caches afterward.
  • App and mounted-DMG app pass deep strict codesign, stapler, and spctl verification after the smoke.
  • The existing external cache/wrapper behavior remains covered.
  • No deletion, permission reset, or in-place mutation of the already-damaged installed v2.1.35 app is used as proof.
  • No change to CUA-primary / Peekaboo-fallback engine order, broker authority, pairing, stop/revoke, kill switch, or customer runtime.

Release boundary

Source and unit tests alone are not sufficient. This issue blocks a 2.1.36 release-good claim until a fresh signed artifact passes the post-smoke installed-bundle integrity checks above.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:native-companionNative macOS companion boundaryarea:releasePackaging, signing, updater, rollbackbugSomething isn't workingevaosevaOS public beta R&D workkind:integrationIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionpublic-betaBlocks or contributes to the public beta gateready-for-agentIssue has enough handoff detail for an agent to startrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission risk

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions