vdavid
diff --git a/‎AGENTS.md‎
Lines changed: 9 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/Info.plist‎
Lines changed: 16 additions & 11 deletions b/‎apps/desktop/src-tauri/Info.plist‎
Lines changed: 16 additions & 11 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/icons.rs‎
Lines changed: 22 additions & 0 deletions b/‎apps/desktop/src-tauri/src/commands/icons.rs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/indexing.rs‎
Lines changed: 33 additions & 6 deletions b/‎apps/desktop/src-tauri/src/commands/indexing.rs‎
Lines changed: 33 additions & 6 deletions
diff --git a/‎apps/desktop/src-tauri/src/fda_gate.rs‎
Lines changed: 73 additions & 0 deletions b/‎apps/desktop/src-tauri/src/fda_gate.rs‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/indexing/CLAUDE.md‎
Lines changed: 12 additions & 4 deletions b/‎apps/desktop/src-tauri/src/indexing/CLAUDE.md‎
Lines changed: 12 additions & 4 deletions
@@ -177,6 +177,15 @@ resilience, and common pitfalls.
 - When adding a new user-facing action, add it to `command-registry.ts` and `handleCommandExecute` in
   `routes/(main)/command-dispatch.ts`.
 - If you added a new Tauri command touching the filesystem, check `docs/architecture.md` § Platform constraints.
+- ❌ **Don't read TCC-protected paths or call NSWorkspace icon/LaunchServices APIs at app launch without the FDA gate.**
+  `~/Downloads`, `~/Documents`, `~/Desktop`, `~/Pictures`, `~/Movies`, `~/Music`, `~/Library/CloudStorage`, and any
+  `NSWorkspace.iconForFile:` call (even on `/Applications` or the iCloud root) can trigger macOS TCC popups during
+  onboarding. We had **5–10 popups stacked on top of the in-app FDA modal** before this gate landed. Use
+  `crate::fda_gate::is_fda_pending_runtime()` for launch-time call sites, or
+  `crate::fda_gate::is_fda_pending(fda_choice, os_fda_granted)` for pure logic and tests. After Allow + restart, or Deny
+  in-session via `start_indexing_after_fda_decision`, the gate clears and the same call sites run normally. See
+  [`apps/desktop/src-tauri/src/fda_gate.rs`](apps/desktop/src-tauri/src/fda_gate.rs) and
+  [`apps/desktop/src/lib/onboarding/CLAUDE.md`](apps/desktop/src/lib/onboarding/CLAUDE.md) § "FDA gate".
 - ❌ **Tauri APIs fail silently without permissions.** Whenever you call a new Tauri API from a window — `setMinSize`,
   `setTitle`, `show`, plugin commands, anything new — add the matching permission to that window's capability file in
   `src-tauri/capabilities/{default,settings,viewer}.json`. Without it, the call rejects with a generic "not allowed"
 
@@ -9,18 +9,23 @@
     <key>CFBundleIconName</key>
     <string>Sequoia</string>
 
-    <!-- Privacy usage descriptions shown in macOS TCC prompts -->
-    <key>NSNetworkVolumesUsageDescription</key>
-    <string>Cmdr needs access to network volumes to browse and manage files on your NAS and other network drives.</string>
-    <key>NSRemovableVolumesUsageDescription</key>
-    <string>Cmdr needs access to removable volumes to browse and manage files on USB drives and external disks.</string>
-    <key>NSDesktopFolderUsageDescription</key>
-    <string>Cmdr needs access to your Desktop folder to browse and manage files there.</string>
-    <key>NSDocumentsFolderUsageDescription</key>
-    <string>Cmdr needs access to your Documents folder to browse and manage files there.</string>
+    <!-- Privacy usage descriptions shown in macOS TCC prompts. Value-first copy with the
+         "grant FDA for fewer popups" hint where it applies. Keep each string ≤200 chars. -->
     <key>NSDownloadsFolderUsageDescription</key>
-    <string>Cmdr needs access to your Downloads folder to browse and manage files there.</string>
+    <string>Cmdr needs this access to let you browse your downloads. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings → Privacy &amp; Security.</string>
+    <key>NSDocumentsFolderUsageDescription</key>
+    <string>Cmdr needs this access to let you browse your docs. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings → Privacy &amp; Security.</string>
+    <key>NSDesktopFolderUsageDescription</key>
+    <string>Cmdr needs this access to let you browse your Desktop. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings → Privacy &amp; Security.</string>
     <key>NSLocalNetworkUsageDescription</key>
-    <string>Cmdr uses your local network to discover SMB file servers like NAS devices and connect to them for browsing and transferring files.</string>
+    <string>Cmdr needs Local Network access to let you connect to SMB servers (NAS, file shares) super fast! Cmdr's connection is 4–30x faster than macOS's built-in mount.</string>
+    <key>NSNetworkVolumesUsageDescription</key>
+    <string>Cmdr needs this access to let you browse your network shares/drives. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings.</string>
+    <key>NSRemovableVolumesUsageDescription</key>
+    <string>Cmdr needs this access to let you browse the USB drives, SD cards, and external disks you connect. If you Don't Allow, macOS won't let Cmdr access those devices.</string>
+    <key>NSAppleMusicUsageDescription</key>
+    <string>Cmdr reads music file metadata to render file icons matching Apple Music. Cmdr doesn't read your library. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings.</string>
+    <key>NSPhotoLibraryUsageDescription</key>
+    <string>Cmdr reads image file metadata to render thumbnails for your photos. We don't read your library or upload anything. If you want fewer popups, grant Cmdr "Full Disk Access" in System Settings.</string>
 </dict>
 </plist>
@@ -15,9 +15,22 @@ const ICONS_TIMEOUT: Duration = Duration::from_secs(2);
 /// When `use_app_icons_for_documents` is true and on macOS, extension-based icons
 /// are fetched from app bundles (showing the app's icon as fallback). When false,
 /// the system's default document icons are used (Finder-style with app badge).
+///
+/// Returns an empty map while `crate::fda_gate::is_fda_pending_runtime()` is true.
+/// `fetch_fresh_extension_icon` walks UTType / LaunchServices, which on macOS
+/// touches MediaLibrary, AppData, FileProvider, and Apple Events TCC services
+/// for media/app/cloud-storage/scriptable extensions — exactly the popups we
+/// must not stack on top of the in-app FDA modal. Frontend re-requests after
+/// the gate clears.
 #[tauri::command]
 #[specta::specta]
 pub async fn get_icons(icon_ids: Vec<String>, use_app_icons_for_documents: bool) -> TimedOut<HashMap<String, String>> {
+    if crate::fda_gate::is_fda_pending_runtime() {
+        return TimedOut {
+            data: HashMap::new(),
+            timed_out: false,
+        };
+    }
     blocking_with_timeout_flag(ICONS_TIMEOUT, HashMap::new(), move || {
         icons::get_icons(icon_ids, use_app_icons_for_documents)
     })
@@ -30,13 +43,22 @@ pub async fn get_icons(icon_ids: Vec<String>, use_app_icons_for_documents: bool)
 ///
 /// When `use_app_icons_for_documents` is true, falls back to app icons for files without
 /// document-specific icons. When false, uses Finder-style document icons.
+///
+/// Returns an empty map while the FDA gate is pending — same reason as
+/// `get_icons`. See `crate::fda_gate`.
 #[tauri::command]
 #[specta::specta]
 pub async fn refresh_directory_icons(
     directory_paths: Vec<String>,
     extensions: Vec<String>,
     use_app_icons_for_documents: bool,
 ) -> TimedOut<HashMap<String, String>> {
+    if crate::fda_gate::is_fda_pending_runtime() {
+        return TimedOut {
+            data: HashMap::new(),
+            timed_out: false,
+        };
+    }
     blocking_with_timeout_flag(ICONS_TIMEOUT, HashMap::new(), move || {
         icons::refresh_icons_for_directory(directory_paths, extensions, use_app_icons_for_documents)
     })
 
@@ -68,18 +68,45 @@ pub async fn set_indexing_enabled(app: AppHandle, enabled: bool) -> Result<(), S
     Ok(())
 }
 
-/// Start the indexer once the user has decided about Full Disk Access.
+/// Apply the user's FDA decision: clear the gate, start the MTP watcher
+/// (deferred at launch to avoid the MacDroid File Provider prompt during
+/// onboarding), and start the indexer.
 ///
-/// At app launch, indexing is skipped when the FDA choice is `NotAskedYet` AND
-/// the OS reports FDA as not granted (see `should_auto_start_indexing`). The
-/// frontend calls this command after the user clicks "Deny" so the indexer
-/// starts within the same session. The "Allow" path needs no call: the user
-/// restarts the app, and the launch-time gate passes via the OS check.
+/// Three things happen at the gate boundary:
+/// 1. Clear the FDA-pending atomic (`crate::fda_gate::set_fda_pending(false)`)
+///    so subsequent code paths can run normally. The deny path runs in the
+///    same process; the allow path restarts the app, which re-enters
+///    `setup()` and sets the atomic via the OS probe.
+/// 2. Start the MTP hotplug watcher. MTP is opt-in per device — the
+///    watcher itself doesn't trigger TCC.
+/// 3. Start the drive indexer. On the Deny path this is what surfaces the
+///    "individual Allow/Deny prompts" the user signed up for by denying
+///    FDA: the scan walks protected folders, macOS fires one TCC popup per
+///    folder, the user grants or denies each. Folders that get denied stay
+///    unindexed (size shows as `<dir>`); the rest get indexed normally.
+///
+/// **No proactive `volumes-changed` re-emission.** Emitting here would
+/// refire every per-folder TCC prompt at once via NSWorkspace icon
+/// resolution, on TOP of the per-folder prompts the indexer is already
+/// generating. The sidebar keeps the icon-less favorites it got during
+/// onboarding; the next listing-driven flow refreshes them naturally.
+///
+/// At app launch, indexing is skipped when the FDA choice is `NotAskedYet`
+/// AND the OS reports FDA as not granted (see `should_auto_start_indexing`).
+/// The frontend calls this command after the user clicks "Deny" so the
+/// indexer starts within the same session. The "Allow" path needs no call:
+/// the user restarts the app, and the launch-time gate passes via the OS
+/// check.
 ///
 /// Idempotent: a no-op when indexing is already running or initializing.
 #[tauri::command]
 #[specta::specta]
 pub async fn start_indexing_after_fda_decision(app: AppHandle) -> Result<(), String> {
+    crate::fda_gate::set_fda_pending(false);
+
+    #[cfg(any(target_os = "macos", target_os = "linux"))]
+    crate::mtp::start_mtp_watcher(&app);
+
     if indexing::is_active() {
         return Ok(());
     }
 
@@ -0,0 +1,73 @@
+//! Full Disk Access gate.
+//!
+//! At first launch on macOS, Cmdr shows an in-app modal that walks the user
+//! through granting Full Disk Access (FDA) before the indexer scans `/`.
+//! The same gate applies more broadly: any launch-time code that touches
+//! TCC-protected paths (Downloads, Documents, Desktop, ...) or NSWorkspace
+//! icon/LaunchServices APIs on those paths must skip work while the FDA
+//! decision is pending. Otherwise macOS stacks several native permission
+//! popups (MediaLibrary, AppData, Desktop, Documents, Downloads, ...) on
+//! top of our in-app modal — exactly the onboarding-flood UX we want to
+//! avoid.
+//!
+//! The gate has two pieces:
+//!
+//! 1. `is_fda_pending(fda_choice, os_fda_granted)` — pure decision used at
+//!    startup and by tests. Pending iff the user hasn't decided AND the OS
+//!    reports FDA isn't granted.
+//! 2. A process-global `AtomicBool` set once at startup (and cleared when
+//!    the user denies FDA in-session). Read by code that runs after startup
+//!    via `is_fda_pending_runtime()`.
+//!
+//! On non-macOS platforms FDA doesn't exist; the runtime gate is always
+//! `false` (open) so cross-platform callers get the right behaviour without
+//! cfg-guards at every site.
+
+use std::sync::OnceLock;
+use std::sync::atomic::{AtomicBool, Ordering};
+
+use crate::settings::FullDiskAccessChoice;
+
+static FDA_PENDING: OnceLock<AtomicBool> = OnceLock::new();
+
+/// Pure decision: is the FDA decision still pending at this moment?
+///
+/// Returns `true` only when the user hasn't decided AND the OS confirms FDA
+/// isn't currently granted. If the OS check returns `true` we know the
+/// per-folder TCC services are subsumed by FDA, so it's safe to access
+/// protected paths even if no in-app choice has been recorded yet.
+pub fn is_fda_pending(fda_choice: FullDiskAccessChoice, os_fda_granted: bool) -> bool {
+    fda_choice == FullDiskAccessChoice::NotAskedYet && !os_fda_granted
+}
+
+/// Set the runtime gate. Call once at startup with the result of
+/// `is_fda_pending(...)`, and again with `false` after the user makes a
+/// choice in-session (deny path — the allow path requires a restart and
+/// re-enters startup).
+pub fn set_fda_pending(pending: bool) {
+    FDA_PENDING
+        .get_or_init(|| AtomicBool::new(pending))
+        .store(pending, Ordering::Release);
+}
+
+/// Read the runtime gate. Returns `false` until `set_fda_pending` has been
+/// called — safe default for tests and any non-macOS build that never sets
+/// it.
+pub fn is_fda_pending_runtime() -> bool {
+    FDA_PENDING.get().is_some_and(|f| f.load(Ordering::Acquire))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn pending_only_when_not_asked_and_os_denies() {
+        assert!(is_fda_pending(FullDiskAccessChoice::NotAskedYet, false));
+        assert!(!is_fda_pending(FullDiskAccessChoice::NotAskedYet, true));
+        assert!(!is_fda_pending(FullDiskAccessChoice::Allow, false));
+        assert!(!is_fda_pending(FullDiskAccessChoice::Allow, true));
+        assert!(!is_fda_pending(FullDiskAccessChoice::Deny, false));
+        assert!(!is_fda_pending(FullDiskAccessChoice::Deny, true));
+    }
+}
@@ -129,10 +129,18 @@ Key test files are alongside each module (test functions within `#[cfg(test)]` b
 scanning from `/` opens iCloud Drive, Photos, and other TCC-protected directories, which makes macOS show native
 permission popups stacked on top of the in-app FDA modal. The result is a confusing pile of dialogs before the user has
 seen our prompt. `should_auto_start_indexing(indexing_enabled, fda_choice, os_fda_granted)` (in `mod.rs`) gates the
-launch-time start: it skips when `fda_choice == NotAskedYet` AND `os_fda_granted == false`. Once the user picks Allow
-(restart) or Deny (same session, via `start_indexing_after_fda_decision`), the indexer starts. `os_fda_granted == true`
-overrides `NotAskedYet` so users who granted FDA before our prompt persisted a choice still get auto-start. Pure
-function so the gate logic is unit-tested without touching `setup()`.
+launch-time start using `crate::fda_gate::is_fda_pending(fda_choice, os_fda_granted)`: skip when
+`fda_choice == NotAskedYet` AND `os_fda_granted == false`. Once the user picks Allow (restart) or Deny (same session,
+via `start_indexing_after_fda_decision`), the indexer starts. `os_fda_granted == true` overrides `NotAskedYet` so users
+who granted FDA externally before our prompt persisted a choice still get auto-start.
+
+After Deny the indexer runs in degraded mode: `read_dir` on protected paths still fires a TCC popup per folder, the
+user grants or denies each, and the scan walks past denied folders (they stay unindexed; their size shows as `<dir>`).
+That's the "individual Allow/Deny prompts" contract the user opted into by denying FDA — it's user-mediated, one prompt
+per protected folder, not a system-flood.
+
+Launch-time NSWorkspace icon fetches in `volumes::list_locations` use the same `is_fda_pending` predicate. The pure
+function is shared so the two gate sites can't drift apart.
 
 **`getattrlistbulk` (via jwalk) for scanning, not `enumeratorAtURL` or `searchfs`**: Benchmarked on ~5M files (macOS, Apple Silicon, APFS). `getattrlistbulk` recursive walk: 1m49s with sizes. `enumeratorAtURL` with prefetched keys: 2m05s (+11%), found ~500K fewer entries. `searchfs`: fast for name lookup but can't return sizes. `mdfind`: undercounts (Spotlight excludes `.git/`, `node_modules/`, caches). `getattrlistbulk` is what jwalk uses under the hood on macOS, and adding size collection costs only ~4% overhead (packed in the same bulk buffer, no extra syscalls).