Parent epic: #698
Depends on: #700 and #702.
Context
A background Mac connector is only acceptable if the Mac owner can see and control who has access, what mode is active, what just happened, and how to stop it immediately. The current bridge already has approval audit and kill-switch primitives; the standalone product must expose them coherently without weakening broker scope or local policy.
Required change
Implement one policy engine shared by Mac Access UI, connector-core dispatch, and Workbench status. It owns the explicit access modes, approval lifecycle, safe audit summaries, notifications, pause/revoke, and kill-switch enforcement.
Access modes
Off: reject all remote observation and control; pairing metadata may remain for later reconnect.
Ask Every Time: require a visible local approval for each control request or explicitly grouped action. Approval is single-use, bound to exact normalized parameters and selected binding, and expires after 60 seconds.
Full Access: allow actions within the selected binding and policy until the user disconnects, pauses, revokes, the grant expires, or the app/helper restarts into a state that requires reconfirmation.
Fresh installs and unpaired state start Off. After successful pairing, the app may recommend Ask Every Time, but it must not enable it without explicit local consent. No migration may silently grant Full Access.
Safety requirements
- Read-only observation and mutating input remain distinct action classes.
- Sensitive apps, credential fields, system-security panes, password managers, payment/authentication flows, and unknown high-risk actions fail closed or require the strongest local confirmation defined by policy.
- Every accepted/rejected action writes a bounded append-only local audit record with safe action category, selected binding identifiers, decision, reason code, timestamp, and correlation ID.
- Default UI/diagnostics never retain raw screen content, keystrokes, prompt text, accessibility trees, tokens, URLs, or customer data.
Pause now, Revoke this VM, and Emergency stop are available even when the broker is offline or the connector is unhealthy.
Acceptance criteria
- Core dispatch checks the policy engine before every action; UI state alone cannot authorize control.
Off, Ask Every Time, and Full Access have deterministic transitions and crash/restart behavior with unit tests.
- Ask Every Time approvals are single-use, exact-parameter and exact-binding scoped, expire after 60 seconds, and cannot be replayed.
- Pause, revoke, grant expiry, selected-binding change, and kill switch invalidate pending approvals and active action queues.
- Emergency stop works locally without broker reachability and blocks later commands until the user explicitly clears it through the safe recovery flow.
- The menu-bar icon and notification state make active control visible. Notifications contain safe action categories only.
- Audit rotation, file permissions, corrupt-record recovery, and redaction are tested.
- Current bridge approval/source-audit semantics remain compatible or receive an explicit versioned migration.
- Workbench and Mac Access display the same policy state from the same provider.
Testing plan
- transition-table property tests for every mode/event pair;
- approval replay, expiry, wrong parameters, wrong binding, revoke, and concurrent-action tests;
- sensitive-surface policy fixtures;
- offline local emergency-stop integration test;
- audit permissions/rotation/corruption/redaction tests;
- CUA action queue cancellation and post-kill negative proof.
Rollback
Fail the connector to Off, revoke test grants, and revert the isolated PR. Never fall back to a permissive mode or bypass approval to preserve connectivity.
Non-goals
- no enterprise policy console;
- no unattended customer rollout;
- no weakening of existing bridge/broker guardrails;
- no release-ready or customer-ready claim.
Parent epic: #698
Depends on: #700 and #702.
Context
A background Mac connector is only acceptable if the Mac owner can see and control who has access, what mode is active, what just happened, and how to stop it immediately. The current bridge already has approval audit and kill-switch primitives; the standalone product must expose them coherently without weakening broker scope or local policy.
Required change
Implement one policy engine shared by Mac Access UI, connector-core dispatch, and Workbench status. It owns the explicit access modes, approval lifecycle, safe audit summaries, notifications, pause/revoke, and kill-switch enforcement.
Access modes
Off: reject all remote observation and control; pairing metadata may remain for later reconnect.Ask Every Time: require a visible local approval for each control request or explicitly grouped action. Approval is single-use, bound to exact normalized parameters and selected binding, and expires after 60 seconds.Full Access: allow actions within the selected binding and policy until the user disconnects, pauses, revokes, the grant expires, or the app/helper restarts into a state that requires reconfirmation.Fresh installs and unpaired state start
Off. After successful pairing, the app may recommendAsk Every Time, but it must not enable it without explicit local consent. No migration may silently grantFull Access.Safety requirements
Pause now,Revoke this VM, andEmergency stopare available even when the broker is offline or the connector is unhealthy.Acceptance criteria
Off,Ask Every Time, andFull Accesshave deterministic transitions and crash/restart behavior with unit tests.Testing plan
Rollback
Fail the connector to
Off, revoke test grants, and revert the isolated PR. Never fall back to a permissive mode or bypass approval to preserve connectivity.Non-goals