forked from iOfficeAI/AionUi
-
Notifications
You must be signed in to change notification settings - Fork 0
Mac Access: add independent signed/notarized packaging, updater, and rollback #705
Copy link
Copy link
Open
Labels
area:native-companionNative macOS companion boundaryNative macOS companion boundaryarea:releasePackaging, signing, updater, rollbackPackaging, signing, updater, rollbackblockedCannot proceed without an external dependency or decisionCannot proceed without an external dependency or decisionenhancementNew feature or requestNew feature or requestevaosevaOS public beta R&D workevaOS public beta R&D workkind:integrationIntegration implementation issueIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionCritical customer/runtime blocker requiring immediate attentionrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission riskSecurity, auth, secrets, permission risk
Milestone
Description
Metadata
Metadata
Assignees
Labels
area:native-companionNative macOS companion boundaryNative macOS companion boundaryarea:releasePackaging, signing, updater, rollbackPackaging, signing, updater, rollbackblockedCannot proceed without an external dependency or decisionCannot proceed without an external dependency or decisionenhancementNew feature or requestNew feature or requestevaosevaOS public beta R&D workevaOS public beta R&D workkind:integrationIntegration implementation issueIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionCritical customer/runtime blocker requiring immediate attentionrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission riskSecurity, auth, secrets, permission risk
Code-requirement continuity amendment — 2026-07-15
Artifact and updater proof must preserve the exact designated code requirement, approved Team ID, TCC-owning executable, helper relationship, and entitlements class across install, upgrade, rollback, and reinstall. Bundle-ID equality alone is not identity continuity.
The artifact manifest and negative updater tests must fail on Team ID, designated requirement, executable-owner, helper-relation, entitlement, or core/schema drift even when the visible app name and bundle IDs match.
Parent epic: #698
Depends on: #700, #701, and #703.
Context
Mac Access needs an independent release cadence so connector fixes can ship without rebuilding the full Workbench. That independence must not create a second ungoverned updater, mutable helper identity, or artifact whose core differs from Workbench.
Required change
Add a macOS-only build and release pipeline for
evaOS Mac Access v0.1.0that produces a Developer ID signed, hardened-runtime, notarized, stapled artifact with an independently versioned update channel and explicit rollback/uninstall behavior.Packaging requirements
evaOS Mac Access;com.evaos.mac-access;com.evaos.mac-access.helper;com.evaos.mac-access.connectoronly if the architecture issue retains a LaunchAgent;mac-connector-coreversion/content digest/source SHA in the artifact manifest;pip, Tailscale, or Workbench;Acceptance criteria
Validation
Rollback
Keep publication and update promotion disabled. Revoke the RC channel, restore the last known-good draft, and verify uninstall cleanup. Do not ship unsigned emergency builds or point customers to Workbench internals.
Non-goals
Proof boundary
This issue may prove an installable signed/notarized RC. It cannot prove pristine onboarding, live VM-to-Mac CUA, customer readiness, or public distribution.