macos: per-pane TCC navigation and Sequoia-tolerant permission flow

On macOS the three TCC grants (Accessibility, Input Monitoring, Post Event) live in separate Privacy panes. Before this change the "Reenable" row sent the user to Accessibility regardless of which grant was actually missing, and the daemon's own permission checks re-fired the Accessibility prompt on every retry. - lan-mouse-gtk/src/macos_privacy.rs: new module that exposes silent preflight checks (AXIsProcessTrusted, CGPreflightListenEventAccess, CGPreflightPostEventAccess), per-pane URL-scheme navigation, and a Once-guarded fire_initial_prompts() called from build_ui. The initial-prompt path only fires the Accessibility prompt if AX is missing and then returns; secondary registrations run only after AX is granted, which prevents a double Accessibility alert on Sequoia where Post Event is nested under Accessibility. - Input Monitoring registration attempts CGEventTapCreate at kCGSessionEventTap (not kCGHIDEventTap) so a failure surfaces as an Input Monitoring signal rather than triggering an Accessibility prompt as a side effect. - lan-mouse-gtk/src/window/imp.rs: handle_capture / handle_emulation switch on the missing-pane enum and navigate to the specific pane via x-apple.systempreferences:... URLs before re-requesting. - lan-mouse-gtk/resources/window.ui: pill class on the Reenable buttons so the hover padding matches the rest of libadwaita. - input-capture/src/macos.rs, input-emulation/src/macos.rs: make request_*_permission() a silent preflight (AXIsProcessTrusted / CGPreflightListenEventAccess / CGPreflightPostEventAccess), so the daemon no longer fires TCC prompts on retry — all prompting is owned by the GUI. - input-capture/src/error.rs, input-emulation/src/error.rs: new error variants so the GUI can distinguish missing-AX from missing-IM / missing-PostEvent for pane routing. Verified on macOS 15.5: first launch fires a single AX prompt; second launch (AX granted) registers under Input Monitoring via the session-tap attempt and requests Post Event. Sequoia auto-grants the listen-only path via AX so the IM list may stay empty, which is the intended OS behavior and no longer blocks capture. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:18:05 +03:00 · 2026-04-24 02:09:32 -05:00
parent 903b0504e0
commit 5e79743bd0
8 changed files with 369 additions and 2 deletions
--- a/input-emulation/Cargo.toml
+++ b/input-emulation/Cargo.toml
@@ -49,6 +49,8 @@ reis = { version = "0.5.0", features = ["tokio"], optional = true }

 [target.'cfg(target_os="macos")'.dependencies]
 bitflags = "2.6.0"
+core-foundation = "0.10.0"
+core-foundation-sys = "0.8.6"
 core-graphics = { version = "0.25.0", features = ["highsierra"] }
 keycode = "1.0.0"

--- a/input-emulation/src/error.rs
+++ b/input-emulation/src/error.rs
@@ -154,6 +154,10 @@ pub enum X11EmulationCreationError {
 pub enum MacOSEmulationCreationError {
    #[error("could not create event source")]
    EventSourceCreation,
+    #[error("accessibility permission is required")]
+    AccessibilityPermission,
+    #[error("input control permission is required")]
+    InputControlPermission,
 }

 #[cfg(windows)]
--- a/input-emulation/src/macos.rs
+++ b/input-emulation/src/macos.rs
@@ -61,6 +61,8 @@ unsafe impl Send for MacOSEmulation {}

 impl MacOSEmulation {
    pub(crate) fn new() -> Result<Self, MacOSEmulationCreationError> {
+        request_macos_emulation_permissions()?;
+
        let event_source = CGEventSource::new(CGEventSourceStateID::CombinedSessionState)
            .map_err(|_| MacOSEmulationCreationError::EventSourceCreation)?;
        Ok(Self {
@@ -119,6 +121,42 @@ impl MacOSEmulation {
    }
 }

+fn request_macos_emulation_permissions() -> Result<(), MacOSEmulationCreationError> {
+    // Request both permissions up front so the user sees both TCC prompts
+    // on the first launch. See the matching comment in input-capture/src/
+    // macos.rs::request_macos_capture_permissions for the rationale.
+    let accessibility = request_accessibility_permission();
+    let input_control = request_input_control_permission();
+
+    if !accessibility {
+        return Err(MacOSEmulationCreationError::AccessibilityPermission);
+    }
+    if !input_control {
+        return Err(MacOSEmulationCreationError::InputControlPermission);
+    }
+    Ok(())
+}
+
+fn request_accessibility_permission() -> bool {
+    // Silent check. The GUI owns the one-time user-visible prompt at
+    // startup (see lan_mouse_gtk::macos_privacy).
+    unsafe { AXIsProcessTrusted() }
+}
+
+fn request_input_control_permission() -> bool {
+    unsafe { CGPreflightPostEventAccess() }
+}
+
+#[link(name = "CoreGraphics", kind = "framework")]
+extern "C" {
+    fn CGPreflightPostEventAccess() -> bool;
+}
+
+#[link(name = "ApplicationServices", kind = "framework")]
+extern "C" {
+    fn AXIsProcessTrusted() -> bool;
+}
+
 fn key_event(event_source: CGEventSource, key: u16, state: u8, modifiers: XMods) {
    let event = match CGEvent::new_keyboard_event(event_source, key, state != 0) {
        Ok(e) => e,