Skip to content

Mac Access: prove pristine-Mac onboarding and VM-to-Mac CUA end to end #706

Description

@100yenadmin

Cross-repo proof prerequisites — 2026-07-15

Before the composed proof can pass, the exact staging candidate must consume:

Proof step 3 requires the public one-use code path. An authenticated broker handoff may be tested only as an optional convenience and cannot substitute for code pairing.

Source/CI or closure of these server issues is not deployment or composed proof. #706 still requires the exact deployed staging routes, signed Mac artifact, pristine-Mac path, real VM-to-Mac CUA, negative binding cases, access modes, stop/revoke/kill, update/rollback, and same-identity Workbench coexistence.


Parent epic: #698
Depends on: #702, #703, #704, and #705.
Related proof contracts: #655, #662, #687, #688.

Context

Source review, fixtures, green CI, a signed artifact, or a prepared developer Mac cannot establish that a non-Workbench customer can install Mac Access and let the broker-selected VM agent control the correct Mac safely. This issue owns the composed proof for the exact release candidate.

Required proof environments

  1. A supported pristine Mac with no evaOS Workbench, no prior Mac Access state, no Homebrew/system Python dependency, no separately installed bridge, and no Tailscale/private-network enrollment.
  2. A broker/ws-proxy staging environment with a non-customer test account, VM/runtime, device, and grant.
  3. The exact signed/notarized/stapled Mac Access RC produced by the packaging issue.
  4. A second phase that installs/launches a compatible Workbench candidate to prove coexistence without changing the Mac Access trust owner.

Proof sequence

  1. Verify download checksum, source SHA, core digest, bundle/helper identities, codesign, entitlements, notarization, stapling, and Gatekeeper.
  2. Install to /Applications/evaOS Mac Access.app and launch the exact path.
  3. Complete onboarding with no terminal: pair through the public code/broker handoff, grant the named macOS permissions, and choose Ask Every Time.
  4. Verify the selected customer/device/grant/runtime binding at Mac, broker, and VM sides using redacted IDs.
  5. From the VM agent, call the real Mac-control tool path through broker/ws-proxy and the outbound Mac Access channel:
    • status/capabilities;
    • read-only desktop_see or equivalent;
    • one approved low-impact pointer/focus action;
    • structured result and audit/correlation IDs.
  6. Prove Ask Every Time denies timeout, wrong parameters, replay, and wrong binding; then approve one exact action.
  7. Switch to Full Access with explicit local consent, perform one low-impact action, then pause and verify later action denial.
  8. Reconnect after sleep/wake and network interruption without duplicate action or scope drift.
  9. Revoke the VM and prove later commands fail; engage emergency stop and prove local enforcement while broker connectivity is removed.
  10. Restart the Mac and verify safe recovery without silent permission/access-mode escalation.
  11. Install/launch Workbench and prove one connector leader, one TCC/helper identity, one binding, one audit source, and consistent status.
  12. Exercise upgrade and rollback/uninstall cleanup, then verify no orphan remote-control path remains.

Acceptance criteria

  1. The entire normal pristine-Mac path completes without Workbench, a terminal, system/Homebrew Python, pip, Tailscale, public inbound ports, or manual connector URLs/tokens.
  2. The VM agent controls only the broker-selected Mac binding. Cross-customer, cross-device, stale-grant, replay, expired, and revoked requests fail closed.
  3. Ask Every Time, Full Access, Off, pause, revoke, and emergency stop all pass positive and negative proof.
  4. The same exact connector/core and selected binding are used by Mac Access alone and later by Workbench coexistence.
  5. Evidence records exact source/artifact/runtime identity, timestamps, safe scope IDs, action categories, audit/correlation IDs, and pass/fail gate IDs.
  6. Evidence contains no tokens, connector URLs, private addresses, customer data, raw prompts, keystrokes, screenshots, screen content, or accessibility trees unless a separately approved, redacted visual is required.
  7. Failure at any gate leaves publication and customer rollout disabled and produces one typed blocker with the exact retry/rollback action.
  8. A second supported clean-Mac repetition confirms the result is not a one-machine setup artifact before any customer-ready claim.

Evidence packet

Store redacted proof under /Volumes/LEXAR/Codex/evidence/evaos-mac-access-v0.1/:

  • candidate manifest and checksums;
  • codesign/notary/stapler/Gatekeeper summaries;
  • pristine-host inventory proving absent dependencies;
  • pairing and selected-binding summaries;
  • structured VM-agent tool results and audit/correlation summaries;
  • access-mode, revoke, kill-switch, recovery, coexistence, update, rollback, and uninstall gate reports;
  • exact GitHub Actions runs and PR/release draft links.

Stop conditions

Stop immediately if the candidate:

  • needs Workbench, terminal repair, external Python, Homebrew, Tailscale, port forwarding, or a raw connector credential;
  • targets a different account/device/grant/runtime than the broker selection;
  • produces duplicate connector ownership or TCC identity;
  • executes after pause, revoke, expiry, or kill switch;
  • leaks sensitive data into evidence; or
  • can only pass on a prepared developer Mac.

Proof boundary

Passing this issue proves the exact RC works in the named staging/pristine environments. Public publication and customer rollout remain separate explicit decisions. It does not retroactively prove Workbench #655/#662 unless those issues accept the same exact artifact and their own gates are closed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:brokerevaOS broker/session/auth integrationarea:native-companionNative macOS companion boundaryarea:releasePackaging, signing, updater, rollbackblockedCannot proceed without an external dependency or decisionenhancementNew feature or requestevaosevaOS public beta R&D workkind:integrationIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionrisk:securitySecurity, auth, secrets, permission risk

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions