Updater: preserve macOS FDA perms across updates

- New `updater` module (macOS-only): check, download, verify, and install updates by syncing files into the existing `.app` bundle instead of replacing it
- Minisign signature verification matching Tauri's internal format
- Privilege escalation via `osascript` when direct writes are denied
- Frontend branches on platform: `invoke()` on macOS, Tauri updater plugin on other platforms
- Tauri updater plugin registration gated to non-macOS with `#[cfg]`

Author: vdavid

Cargo.lock

@@ -137,6 +137,11 @@ block2 = "0.6"
 security-framework = "3.2"
 # Drive indexing: macOS FSEvents watcher with event IDs and sinceWhen replay
 cmdr-fsevent-stream = { path = "../../../crates/fsevent-stream" }
+# Custom updater: signature verification, tarball extraction, version comparison
+minisign-verify = "0.2"
+flate2 = "1"
+tar = "0.4"
+semver = "1"
 
 # CrabNebula automation plugin for macOS E2E testing (optional, feature-gated)
 tauri-plugin-automation = { version = "0.1", optional = true }

apps/desktop/src-tauri/Cargo.toml

@@ -48,6 +48,10 @@ use cocoon as _;
 #[cfg(not(debug_assertions))]
 use tauri_plugin_mcp_bridge as _;
 //noinspection ALL
+// tauri_plugin_updater is only registered on non-macOS (custom updater handles macOS)
+#[cfg(target_os = "macos")]
+use tauri_plugin_updater as _;
+//noinspection ALL
 // security_framework is used in network/keychain.rs for Keychain integration
 #[cfg(target_os = "macos")]
 use security_framework as _;
@@ -100,6 +104,8 @@ mod permissions;
 mod permissions_linux;
 mod settings;
 #[cfg(target_os = "macos")]
+mod updater;
+#[cfg(target_os = "macos")]
 mod volumes;
 #[cfg(target_os = "linux")]
 mod volumes_linux;
@@ -172,7 +178,9 @@ pub fn run() {
     #[cfg(feature = "automation")]
     let builder = builder.plugin(tauri_plugin_automation::init());
 
-    // Skip updater plugin in CI to avoid network dependency and latency during E2E tests
+    // Skip Tauri updater plugin on macOS (custom updater preserves TCC permissions)
+    // and in CI (avoids network dependency and latency during E2E tests)
+    #[cfg(not(target_os = "macos"))]
     let builder = if std::env::var("CI").is_ok() {
         builder
     } else {
@@ -353,6 +361,10 @@ pub fn run() {
                 let _ = window.set_title_bar_style(TitleBarStyle::Visible);
             }
 
+            // Initialize custom updater state (shared between download and install commands)
+            #[cfg(target_os = "macos")]
+            app.manage(updater::UpdateState::new());
+
             // Initialize pane state store for MCP context tools
             app.manage(mcp::PaneStateStore::new());
 
@@ -866,6 +878,13 @@ pub fn run() {
             commands::clipboard::read_clipboard_files,
             commands::clipboard::read_clipboard_text,
             commands::clipboard::clear_clipboard_cut_state,
+            // Custom updater commands (macOS rsync-into-bundle, preserves TCC permissions)
+            #[cfg(target_os = "macos")]
+            updater::check_for_update,
+            #[cfg(target_os = "macos")]
+            updater::download_update,
+            #[cfg(target_os = "macos")]
+            updater::install_update,
         ])
         .on_window_event(|window, event| {
             // When the main window is closed, quit the entire app (including settings/debug/viewer windows)

apps/desktop/src-tauri/src/lib.rs

@@ -0,0 +1,58 @@
+# Updater module
+
+Custom macOS updater that syncs files *into* the existing `.app` bundle, preserving its inode and
+`com.apple.macl` xattr so macOS TCC (Full Disk Access) permissions survive across updates.
+
+Compiled only on macOS (`#[cfg(target_os = "macos")]`). On other platforms, the Tauri updater plugin handles updates
+and the frontend calls the plugin API directly.
+
+## File map
+
+| File | Purpose |
+|------|---------|
+| `mod.rs` | Three Tauri commands (`check_for_update`, `download_update`, `install_update`) and shared `UpdateState` |
+| `manifest.rs` | Parses `latest.json`, compares versions, resolves platform key |
+| `signature.rs` | Minisign signature verification (base64-wrapped, matching Tauri's format) |
+| `installer.rs` | Extracts tarball, syncs into running bundle, handles privilege escalation |
+
+## Key decisions
+
+**Decision**: Sync files into the bundle instead of replacing the `.app` directory.
+**Why**: Replacing the bundle changes its inode, which causes macOS TCC to lose FDA grants. Users would have to
+re-grant Full Disk Access after every update.
+
+**Decision**: Sync order is Resources, Info.plist, _CodeSignature, then MacOS binary last.
+**Why**: Updating the binary last minimizes the window where the code signature is inconsistent with the binary on
+disk. If the app crashes mid-update, the old binary is still intact.
+
+**Decision**: Unconditional deletion of stale files after sync.
+**Why**: Old files left behind could cause version mismatches or bloat. The deletion pass removes anything in the
+destination that isn't in the source, then cleans up empty directories bottom-up.
+
+**Decision**: Minisign verification before writing tarball to disk.
+**Why**: Ensures integrity and authenticity of the update. The public key is compiled into the binary. Both key and
+signatures use base64(minisign-text-format) encoding, matching Tauri's internal convention.
+
+**Decision**: Privilege escalation via `osascript` with `rsync -a --delete`.
+**Why**: When the app is installed in `/Applications` (owned by root), direct writes fail. `osascript`'s
+`do shell script ... with administrator privileges` shows the native macOS auth dialog. `rsync` is used because it
+expresses the full sync (copy + delete stale) in a single shell command.
+
+## Key patterns and gotchas
+
+- **macOS-only.** The module, command registrations, and `UpdateState` are all gated with `#[cfg(target_os = "macos")]`.
+  On non-macOS, the frontend uses `@tauri-apps/plugin-updater` directly.
+- **Staging dir is `/tmp/cmdr-update-staging`.** Cleaned before and after install. If the app crashes mid-install,
+  leftover staging doesn't block the next attempt (it gets cleaned on retry).
+- **Privilege escalation via `osascript`.** Only triggers when direct writes to `/Applications/Cmdr.app` are denied.
+  Users who run from `~/Applications` or a dev build won't see the auth dialog.
+- **CI guard.** `check_for_update` returns `None` when the `CI` env var is set, avoiding network calls in tests.
+- **Manifest URL is hardcoded** (`https://getcmdr.com/latest.json`), not configurable from the frontend.
+
+## Dependencies
+
+- `reqwest` -- HTTP client for manifest and tarball download
+- `minisign-verify` -- signature verification
+- `flate2`, `tar` -- tarball extraction
+- `filetime` -- touching the bundle after install to trigger LaunchServices refresh
+- `base64` -- decoding the double-encoded minisign key and signatures