macOS MeshAgent: Complete Rebuild and Enhancement#313
#313: PeetMcK wants to merge 20 commits into Ylianst:master from
…ration

Reverse the KVM socket architecture so the agent connects TO the KVM process instead of the KVM process connecting to the agent. This enables proper macOS LaunchAgent integration for TCC (Transparency, Consent, Control) permissions.

Core changes:
- mac_kvm_auth.c/h: New authentication module for KVM socket connections
- mac_kvm.c/h: Implement reversed socket architecture with LaunchD support
- linux_kvm.c/h: Update Linux KVM to support new architecture patterns
- agentcore.c/h: Add KVM1 infrastructure and configuration support

This is the foundational architectural change that enables proper macOS permission handling and multi-installation support via ServiceID system.
Implement ServiceID system to support multiple MeshAgent installations on the same machine with complete isolation between instances.

Core changes:
- agent-installer.js: Add service-specific installation paths (~/.mesh_serviceId/)
- service-manager.js: LaunchDaemon/LaunchAgent integration with ServiceID support

Key features:
- Service-specific data directories prevent conflicts between installations
- LaunchDaemon integration for proper macOS service management
- Each installation maintains independent configuration and state
- Enables testing, development, and production instances side-by-side

This builds on the KVM1 architecture to enable proper isolation between multiple agent instances.
Major overhaul of installation system and build infrastructure:

Installation System:
- Unified installServiceUnified() function replaces separate -install/-upgrade
- Auto-upgrade mode when existing installation detected
- 4-tier config discovery: command flags → plist → .msh → .db
- LaunchDaemon/LaunchAgent plist generation for KVM1 architecture
- Support for service-specific installation paths

App Bundle Support:
- bundle_detection.c/h for runtime .app bundle detection
- Automatic .app bundle creation during build
- Support for both bundled and standalone binary installations
- Proper resource path resolution for different execution modes

Build System Overhaul:
- Universal binary support (arm64 + x86_64) via ARCHID=10005
- Automated code signing (macos-sign.sh) and notarization (macos-notarize.sh)
- Consolidated build scripts (macos-build_with_test.sh)
- Info.plist template system for binary and bundle modes
- Module synchronization and timestamp generation tooling
- Code-utils for minimal 8-module development builds

Platform Helpers:
- macOSHelpers.js module with shared macOS utilities
- security-permissions.js for file permission management
- Cross-platform compatibility improvements

This builds on KVM1 and ServiceID to deliver a complete modern macOS installation and build system.
c0dd959 to 984ccb5
Congratulations and thank you for your hard work on this functionality. It's been great to watch and test this as the process moves along. I can't wait for this to get pushed through to main line, and I can start deploying the agent to all our Mac clients.
984ccb5 to 3670129
you accidentally pushed your tactical agent into the repo, please can you remove it
Professional logging infrastructure and TCC permissions detection:

Logger Module:
- logger.js: Centralized logging with timestamps and log levels
- Migrate agent-installer.js to use logger (107 instances)
- Consistent logging format across install/upgrade/uninstall operations
- Support for both console and file-based logging

TCC Permissions UI:
- mac_permissions_window.m/h: Native Cocoa UI for permission management
- mac_tcc_detection.c/h: Real-time TCC permission detection
- Detects Accessibility, Full Disk Access, and Screen Recording permissions
- Native "Open System Settings" buttons for each permission
- "Do not remind me again" preference support
- SHIFT+double-click activation from agent binary
- Integration with install flow

This builds on the installation system to provide better visibility into installation progress and help users grant required macOS permissions.
Complete macOS Installation Assistant with professional UI:

Installation Assistant:
- mac_install_window.m/h: Native macOS installation wizard
- mac_authorized_install.m/h: Admin credential prompting with Authorization Services
- Real-time progress display with scrollable log output
- .msh file viewer with validation
- Version display (current + installed for upgrade mode)
- CMD+double-click activation from agent binary
- TCC check toggle, auto-update toggle
- Professional macOS-style interface with native controls

UI Infrastructure:
- mac_ui_helpers.m/h: Shared UI utilities for both TCC and Install UI
- mac_plist_utils.c/h: Plist parsing for reading configuration
- mac_logging_utils.c/h: Native logging utilities for Objective-C code

TCC UI Improvements:
- Fix TCC UI spawning during install/upgrade
- Improve permission detection reliability
- Better integration with installation flow

Build System Enhancements:
- generate-build-timestamp.sh: Centralized timestamp generation
- generate-info-plist.sh: Dynamic Info.plist generation
- sync-modules.sh: Unified module synchronization
- Improved create-app-bundle.sh with better error handling

Documentation:
- FDA (Full Disk Access) tutorial with screenshots
- TCC permissions comprehensive guide
- Installation Assistant usage documentation

Critical Security Fix:
- Fix CRITICAL command injection in KVM cleanup (CVE-candidate)
- Replace unsafe system() calls with fork/execvp
- Strict input validation for session IDs

This completes the major user-facing features and hardens security.
Final refinements and bug fixes:

Security and Stability:
- Additional memory safety improvements in KVM authentication
- Thread-unsafe progress callback fix in Installation UI
- Memory leak fixes in TCC permission checks
- Buffer overflow prevention in UI components

Code Quality:
- Remove all debug logging from production code
- Fix Accessibility detection edge cases (window removal via '-' button)
- Fix Screen Recording detection false negatives (3-window limit removed)
- Improve error handling in KVM and TCC UI components

Build System:
- Update embedded module timestamps
- Polyfills synchronization
- Build metadata refinements

This completes the macOS MeshAgent rebuild with all features stable and production-ready.

Clean up macOS build script and rename to reflect actual purpose

Removed all MSH_EXEC functionality and 22 --msh-* arguments that were added to support executing meshagent commands after building. This simplifies the script to focus on its core purpose: building, signing, and notarizing the macOS MeshAgent.

Changes:
- Removed all MSH_* variable declarations and argument parsing
- Removed command execution section (~175 lines)
- Fixed notarization validation to skip when signing is skipped
- Cleaned up final output messages
- Removed interactive prompt to open build folder
- Updated help text to remove all MSH_* documentation
- Renamed: macos-build_with_test.sh → macos-build_sign_notarize.sh
- Added version display and Install UI launch instructions at end
- Improved "must run as root" error to mention -E flag for signing

Result: Script reduced from 1138 to ~700 lines (38% reduction)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add build-info.plist to gitignore (auto-generated by build script)

This file is automatically updated with the current version on every build.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Rename bundle_detection.c to mac_bundle_detection.c for consistency

All macOS utility files now follow the mac_* naming convention:
- Renamed bundle_detection.c → mac_bundle_detection.c
- Renamed bundle_detection.h → mac_bundle_detection.h
- Updated 3 include statements (agentcore.c, main.c, self-include)
- Updated makefile MACOSUTILSOURCES variable
- Updated 6 documentation files and cross-references

Tested: Build successful, functionality verified

Add missing build-info.plist for munkipkg and remove from .gitignore

The build-info.plist file is required by munkipkg to build the macOS installer package. Previously it was deleted and gitignored with the assumption it would be auto-generated, but no generation script exists.

Changes:
- Created build-info.plist with standard munkipkg template
- Removed build-info.plist from .gitignore
- Build script will now update version in this file during builds

The file contains:
- identifier: meshagent
- install_location: /
- version: 0.1 (updated by build script)

Make .pkg building opt-in with --build-pkg flag

Packaging functionality is not yet complete, so .pkg building should be disabled by default and only enabled when explicitly requested.

Changes:
- Added --build-pkg flag to enable .pkg building
- Updated help text to document new flag
- Pkg building now skipped by default with info message
- Shows "Skipping .pkg build (use --build-pkg to enable)" when disabled

This prevents incomplete packaging from running on every build while still allowing testing when needed.

Update Install UI launch instructions with open command

Simplified the final output message to show a single command that opens Finder directly to the output directory, rather than multi-step manual navigation instructions.

Changes:
- Changed from 3-step manual navigation to single 'open' command
- Uses full path: open $REPO_DIR/build/output/osx-universal-64-app/
- Users can then navigate to MeshAgent.app and launch it from Finder

This makes it easier to locate and launch the Install UI for testing.

Fix Install UI instructions: restore steps and make path dynamic

Fixed two issues with previous commit:
1. Restored steps 2 and 3 (CMD+double-click instructions)
2. Made path dynamic using $(dirname "$BUNDLE_PATH") instead of hardcoding

The path now adapts to the architecture being built:
- osx-x86-64-app for Intel
- osx-arm-64-app for Apple Silicon
- osx-universal-64-app for Universal binary

Example output:
1. Navigate to: open /Users/peet/GitHub/MeshAgent/build/output/osx-universal-64-app/
2. Hold CMD and double-click MeshAgent.app (or select it and press CMD+O)
3. Keep holding CMD until prompted to authenticate

This folder contains test builds and should not be included in the upstream PR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
3b3b240 to cbc52b8
Cheers. Peet
7ba681b to 9538dc5
Install/Upgrade Improvements:
- Add comprehensive argument validation system
- Fix -fullinstall path construction and LaunchAgent handling
- Enhance service lookup for custom ServiceIDs during self-update
- Add install validation to prevent blank .db creation
- Improve installer logging with verbosity control
- Add launchctl job cleanup to prevent upgrade conflicts
- Replace implicit self-upgrade detection with explicit LaunchDaemon plist scan
- Refactor plist updates to use cached customizations (surgical updates)

App Bundle Enhancements:
- Set app bundle capability bit (0x80) for proper .app bundle detection
- Fix critical bugs in bundle handling and upgrade process
- Complete zip creation, signing, and notarization workflow
- Add runtime universal binary detection

Build System:
- Add MODULESYNC_MODE build variable with macos-only default
- Expose embedded version info to JavaScript (DRY compliant)
- Add -buildver and -fullversion flags for version reporting
- Enhance build output with version verification and improved formatting
- Add meshagent_ver to LaunchDaemon/LaunchAgent plists

Logging & Permissions:
- Set LaunchAgent log files to 666 permissions for user access
- Add comprehensive logging throughout install/upgrade process
- Improve Install UI version detection using meshagent binary

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
c0178dd to 1bd5ad0
#313 Both updated and I'm calling it good. If anyone runs into issues testing, feel free to open an issue: https://github.com/PeetMcK/MeshAgent/issues/
Remove excessive debug logging from TCC permission system and simplify mesh_log_message utility to use severity-based routing instead of file logging. Makes daemon logs cleaner and more production-ready.

Changes:

1. Simplified mesh_log_message utility (mac_logging_utils.c):
- Changed from dual-output (stderr + file) to severity-based routing
- Routes ERROR/WARN/FATAL/CRITICAL to stderr, everything else to stdout
- Removed /tmp/meshagent-install-ui.log file logging
- Auto-detects severity from message content (keyword matching)
- Maintains immediate flush behavior for crash safety

2. Removed 89 debug logging statements across 3 components:

TCC Permissions Window (mac_permissions_window.m): 29 logs removed
- Removed TCCUI_LOG macro definition
- Removed [TCC-UI] lifecycle logging (window open/close/update)
- Removed [TCC-ASYNC] verbose posix_spawn logging
- Kept functional code, removed visibility of internal operations

TCC Check Command (meshconsole/main.c): 44 logs removed
- Removed all [TCC-CHECK] verbose logging from -check-tcc handler
- Condensed handler from ~160 lines to ~95 lines
- Silent operation: checks permissions, shows UI if needed, exits
- Preserved all logic (bundle detection, DB access, permission checks)

Agent Core (meshcore/agentcore.c): 16 logs removed
- Removed [TCC-SPAWN] logging from KVM and startup TCC spawning
- Removed DEBUG: logging from importSettings and .msh file detection
- Silent spawn decision tree (checks disableTccCheck flag, spawns UI)
- Kept all functional code paths intact

3. Updated documentation to reflect new logging behavior:
- mac_logging_utils.md: Updated for severity-based routing
- macos-tcc-permissions.md: Removed log file references
- macos-install-assistant.md: Updated logging examples
- meshagent-commands.md: Updated -check-tcc description

Debug log prefixes removed:
[TCC-UI] - TCC permissions UI window lifecycle
[TCC-CHECK] - TCC permission check process details
[TCC-SPAWN] - TCC check spawning from daemon
[TCC-ASYNC] - Async TCC window spawning via posix_spawn
DEBUG: - General debug statements

Impact:
- 13 files changed: 206 insertions, 388 deletions (-182 lines)
- Production daemon logs now clean and focused on errors/warnings
- Debugging still possible via Console.app (stderr/stdout streams)
- No functional changes - only removed logging visibility

Rationale:
- Debug logs were cluttering daemon logs in production deployments
- File logging to /tmp/ was unnecessary for production use
- Severity-based routing provides better log organization
- Reduced noise makes actual errors/warnings more visible

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
4590fab to b00dd69
Updated TCC permissions window Accessibility "Open Settings" button to spawn `meshagent -request-accessibility` as the console user via su.

Changes:
- TCCButtonHandler: Added exePath and consoleUID properties
- openAccessibilitySettings: Spawns via `su -l <user> -c "meshagent -request-accessibility"`
- main.c: Added console user UID detection helper function
- main.c: Updated all show_tcc_permissions_window() calls to pass exe_path and uid
- main.c: Added handlers for -request-accessibility, -request-screenrecording, -request-fulldiskaccess flags
- main.c: Updated -help documentation with warning about terminal usage

Implementation notes:
- Uses su instead of launchctl asuser to ensure process runs with actual user credentials
- getpwuid() converts UID to username for su command
- Help text warns that running -request-* from terminal requests permissions for terminal app

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Hi @PeetMcK, please write to me at kirill@flamingo.cx, cc @si458
@kirill-567 I'd need more information here. Basic troubleshooting information:

Signing information: What is the output of

Issue description (Screen Sharing / Screen Recording permissions): Testing environment:
- Is this a fresh macOS install?
- Have you reset Screen Recording (TCC) permissions?

Troubleshooting steps performed:

Signing:
- Fix findInstallation() to use plist-based detection only, removing the .msh file detection that incorrectly treated distribution bundle locations as existing installations
- Add automatic polyfill regeneration to Makefile macos target so JS module changes are always compiled into the binary
- Add debug logging to findInstallation() for troubleshooting

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix BUILD_TIMESTAMP variable name in recursive make calls (was using undefined BUILD_TIME)
- Fix version verification to combine CFBundleShortVersionString (date) and CFBundleVersion (time) from plist
- Skip module sync and polyfill regeneration on recursive calls using BUILD_TIMESTAMP check
- Move full polyfills regeneration before success message so build ends with paths output
- Default SKIP_POLYFILLS=yes in macos-build_sign_notarize.sh since Makefile now handles polyfill regeneration automatically
- Add modules/embedded.info to .gitignore

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Issues with a black screen are not related to Screen Recording TCC. Black screen issues with meshagent/MeshAgent.app are caused by the -kvm1/LaunchAgent on the device. Screen Recording TCC issues virtually always present as seeing a desktop with a menubar, but no windows (this is for any macOS screen recording software).

While it might not be necessary given the extended information, it may still prove useful to provide the requested signing information. What is the output of

For troubleshooting the black screen, let's start from a known state. First make sure to build from the most current commit ... 70ddb69 ... then do the following:

Now let's reinstall:

At this point you should be set. If you're still getting a black screen, refer to your
Updated ensure_running_as_root() to use shell wrapper for launchctl asuser. This ensures the elevated process runs with root privileges AND in the user's GUI session, allowing the Installation Assistant window to display properly.

Changes:
- Use /bin/sh -c to execute: launchctl asuser <uid> <path> -show-install-ui
- AuthorizationExecuteWithPrivileges alone launches outside GUI session
- Shell wrapper successfully combines privilege elevation + GUI access

Fixes CMD+double-click Installation UI functionality.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Document post-Nov-27 work including:
- Installation UI launch fix via launchctl asuser
- Version race condition fix
- Polyfill handling improvements
- TCC Accessibility enhancement
- Install location detection improvements
- Debug logging cleanup

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes default install/upgrade behavior from "backup by default" to "no backup by default" for faster operations, with explicit --backup flag to enable comprehensive backups when needed.

Changes:
- Default: NO backup (matches Windows/Linux behavior)
- New flag: --backup to enable backup on demand
- Comprehensive: Backs up binary/bundle, .msh, and .db with same timestamp
- Unconditional: Works even during self-upgrades when explicitly requested

C code (meshcore/agentcore.c):
- Added handling for simple flags without values (e.g., --backup)
- Simple flags now cached as paramName=1 and passed to JavaScript
- Fixes issue where only --param=value flags were passed to JS

C code (meshconsole/main.c):
- Removed old --omit-backup and --skip-backup flags
- Added new --backup flag (both simple and value formats)

JavaScript (modules/agent-installer.js):
- Reversed logic: backup only when --backup specified
- Enhanced backupInstallation() to include .msh and .db files
- All backup files use same timestamp for easy restoration
- Updated cleanup code to recognize .msh and .db backup patterns
- Removed --omit-backup parameter normalization

Example usage:
sudo meshagent -upgrade --backup
# Creates: meshagent.TIMESTAMP, meshagent.msh.TIMESTAMP, meshagent.db.TIMESTAMP

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| # Default paths | ||
| MESHAGENT_BINARY="$REPO_DIR/build/tools/code-utils/macos/meshagent_code-utils" | ||
| DEFAULT_DB_PATH="/opt/tacticalmesh/meshagent.db" |
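Review bot: DEFAULT_DB_PATH and MESHAGENT_BINARY are hardcoded to a /opt/tacticalmesh database and a code-utils development build, which ties this script to one specific deployment; since the PR's stated direction is to derive the .msh/.db filenames from the executable name, consider deriving the default DB path from the agent binary's name (or requiring it as an argument) so the script also works against a plain meshagent install.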
This would only be for a tactical mesh agent, not native mesh
| echo "" | ||
| echo "Examples:" | ||
| echo " $0" | ||
| echo " $0 /opt/tacticalmesh/meshagent.db" |
This would only be for a tactical mesh agent, not native mesh
| echo "Examples:" | ||
| echo " $0" | ||
| echo " $0 /opt/tacticalmesh/meshagent.db" | ||
| echo " $0 /opt/tacticalmesh/" |
This would only be for a tactical mesh agent, not native mesh
| echo " $0" | ||
| echo " $0 /opt/tacticalmesh/meshagent.db" | ||
| echo " $0 /opt/tacticalmesh/" | ||
| echo " $0 /opt/tacticalmesh/meshagent.db dump.txt" |
This would only be for a tactical mesh agent, not native mesh
| - Used for installations from .pkg installer or manual .app deployment | ||
| **Mode 2: Standalone Binary** | ||
| - Agent runs as bare binary `/opt/tacticalmesh/meshagent` |
Referencing Tacticalmesh
| | Deployment Mode | Execution Path | Initial Working Dir | After Adjustment | | ||
| |-----------------|----------------|---------------------|------------------| | ||
| | Bundle | `/Applications/MeshAgent.app/Contents/MacOS/meshagent` | `Contents/MacOS/` | `/Applications/` | | ||
| | Standalone | `/opt/tacticalmesh/meshagent` | `/opt/tacticalmesh/` | `/opt/tacticalmesh/` (unchanged) | |
Tactical references
docs/c-modules/mac_plist_utils.md (Outdated)
| **Example:** | ||
| ```c | ||
| char* label = mesh_plist_get_label("/Library/LaunchDaemons/meshagent.tactical.plist"); |
docs/c-modules/mac_plist_utils.md (Outdated)
| ```c | ||
| char* label = mesh_plist_get_label("/Library/LaunchDaemons/meshagent.tactical.plist"); | ||
| if (label) { | ||
| printf("Service label: %s\n", label); // "meshagent.tactical" |
docs/c-modules/mac_plist_utils.md (Outdated)
| **Example:** | ||
| ```c | ||
| MeshPlistInfo info; | ||
| if (mesh_parse_launchdaemon_plist("/Library/LaunchDaemons/meshagent.tactical.plist", &info)) { |
docs/c-modules/mac_plist_utils.md (Outdated)
| <plist version="1.0"> | ||
| <dict> | ||
| <key>Label</key> | ||
| <string>meshagent.tacticalmesh</string> |
Not for native mesh, only Tactical
docs/c-modules/mac_plist_utils.md (Outdated)
| <key>ProgramArguments</key> | ||
| <array> | ||
| <string>/opt/tacticalmesh/meshagent</string> |
Not for native mesh, only Tactical
docs/macOS-ServiceID-System.md (Outdated)
| └─────────────────────────────────────────────────────────────┘ | ||
| 1. Command-Line Flags (Transient) | ||
| └─ --meshServiceName=Tactical --companyName="ACME Corp" |
Referencing Tactical RMM
docs/macOS-ServiceID-System.md (Outdated)
| |-------------|-------------|---------------------|----------| | ||
| | (default) | (none) | `meshagent` | Standard installation | | ||
| | (default) | `acme-corp` | `meshagent.acme-corp` | Company-specific, default service | | ||
| | `tactical` | (none) | `meshagent.tactical` | Custom service, no company branding | |
This whole file is filled with Tactical References. I think this is just as an optional service documentation reference, but should review
docs/macos-tcc-permissions.md (Outdated)
| **Read current preference**: | ||
| ```bash | ||
| ./build/tools/code-utils/macos/meshagent_code-utils -db-get \ | ||
| /opt/tacticalmesh/meshagent.db disableTccCheck |
Tactical DB references.
docs/macos-tcc-permissions.md (Outdated)
| **Manually disable UI**: | ||
| ```bash | ||
| ./build/tools/code-utils/macos/meshagent_code-utils -db-put \ | ||
| /opt/tacticalmesh/meshagent.db disableTccCheck "1" |
Tactical DB references.
docs/macos-tcc-permissions.md (Outdated)
| **Clear preference**: | ||
| ```bash | ||
| ./build/tools/code-utils/macos/meshagent_code-utils -db-delete \ | ||
| /opt/tacticalmesh/meshagent.db disableTccCheck |
Tactical DB references.
silversword411 left a comment:
I've only gotten to the MESHCORE_OVERVIEW.MD so far... and this is high level atm, just keyword searching for "tact" after getting the first gist of changes.
I know you're a tactical user, but this PR has to be mesh specific, and then TRMM will need to customize the extra fixes specific to Tactical in their deployment.
- Add modules/agent-paths.js helper to derive .msh/.db filenames from binary name
- Update meshconsole/main.c TCC check to use executable-derived paths
- Update agent-installer.js to use dynamic filenames (~40 references)
- Update _agentNodeId.js and security-permissions.js to use agent-paths
- Add testing/build-lithium-remote.sh with sign/notarize/staple by default
- Add testing/test-configurable-names.sh for verification

Binary named 'lithium-remote' now uses lithium-remote.msh and lithium-remote.db instead of hardcoded meshagent.msh/meshagent.db names.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…parameterization

Replaces all hardcoded "meshagent" references with dynamic names derived from the executable, enabling white-label deployments (e.g., AcmeMesh).

ServiceID system:
- Derive ServiceID and config filenames (.msh/.db) from executable name
- Read ServiceID from .msh configuration files
- Add --setServiceID flag to override during install/upgrade
- Resolve serviceID from LaunchDaemon plist Label as fallback
- Reuse existing plist filenames during upgrade to prevent duplicates
- Parameterize plist parser with configurable agent name

Deployment Assistant UI:
- Add uninstall mode (standard + full uninstall) with confirmation dialogs
- Replace SF Symbols with custom-drawn Lucide/Bootstrap vector icons
- Extract shared UI helpers (mac_ui_helpers.h/m) to reduce duplication
- Add shared helpers: checkbox, rounded button, path field, vector icons
- Settings card with 2x2 checkbox grid (updates, TCC, verbose, agent logging)
- Pre-populate .msh and install path fields regardless of initial mode
- Dynamic button text and icon tinting based on selected mode
- Progress window with real-time streaming output and completion status
- .msh file viewer (sorted key-value table view as modal sheet)

TCC Permissions UI:
- Use shared mesh_createFloatingWindow() for window creation
- Replace Bootstrap icon with shared mesh_createVectorIcon() framework
- Replace SF Symbols checkmarks with custom Lucide circle-check-fill icons
- Use shared helpers for buttons and checkboxes

Build system:
- Parameterize with EXENAME and BUNDLE_DISPLAY_NAME make variables
- Rename icon asset to generic AppIcon.icns
- Update all build/sign/notarize scripts for configurable names

Other:
- Fix argument validation to skip JS code after -exec/-b64exec
- Remove companyName/meshServiceName from KVM path resolution
- Remove TCC-DEBUG logging, orphaned format arguments
- Update documentation for ServiceID system and commands
- Remove obsolete test scripts and PR description file

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Thanks for pointing out the non-generic references. I've removed them. If you see any others, please feel free to correct them if the PR is ever merged. Cheers. Peet
…ript output

Universal builds (ARCHID=10005) now sign and notarize all 3 app bundles (universal, arm-64, x86-64) instead of only the universal one. Notarization of all bundles is submitted to Apple in parallel to avoid expanding wall-clock time. After sign/notarize, zip archives are regenerated with properly signed bundles.

- Add notarize-app-bundles.sh for parallel multi-bundle notarization
- Update makefile universal block to sign all 3 bundles sequentially and notarize all 3 in parallel via the new script
- Add zip archive regeneration after sign/notarize for all 3 bundles
- Unify output style across all 5 sign/notarize scripts: consistent color scheme (red=error, green=success, yellow=warning, cyan=headers), indented detail lines, no unicode emojis or decorative banners

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build script consolidation:
- Replace 5 sign/notarize scripts with 2 unified multi-target scripts (macos-sign.sh and macos-notarize.sh) that auto-detect .app bundles vs bare binaries, with parallel notarization for multiple targets
- Delete sign-app-bundle.sh, notarize-app-bundle.sh, notarize-app-bundles.sh
- Update makefile to call consolidated scripts

Dead code removal:
- Delete macos-build_sign_notarize.sh (makefile is the build interface)
- Delete MeshAgent_pkg directory and --build-pkg option
- Remove unused -request-fulldiskaccess CLI flag and standalone FDA dialog
- Replace populate-FULL-polyfills.sh with minimal example in code-utils/

Build toolchain cleanup:
- Move generate-build-timestamp.sh and generate-info-plist.sh into macos_build/
- Unify visual output style (colors, formatting) across all macOS scripts
- Rewrite macos_build/README.md around makefile-driven workflows
- Document macOS-specific build switches (SIGN, NOTARIZE, EXENAME, BUNDLE_DISPLAY_NAME, BUNDLE_ID, BUNDLE_ICON, SKIPSIGNNOTARY) in makefile header with usage examples
- Add ARCHID=10005 (universal) to standard builds list

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
macOS MeshAgent: Complete Rebuild and Enhancement
Overview
This PR represents a comprehensive rebuild and enhancement of the macOS MeshAgent, implementing native macOS features, improving security, and providing a modern installation experience. The work includes KVM improvements, installation infrastructure, TCC permission handling, force agent updates with surgical plist management, configurable naming for white-label deployments, and extensive documentation.
Summary
This PR transforms the macOS MeshAgent into a first-class macOS application with:
Commit Structure
This PR is organized into 9 chronological commit groups following the actual development timeline:
1. macOS: Implement KVM1 reversed socket architecture with LaunchD integration
2. macOS: Add ServiceID system for multiple installations
- meshagent[.serviceName][.companyName]
3. macOS: Unify -install and -upgrade commands with build infrastructure
4. macOS: Add logger module and TCC permissions UI
- logger.js module with DEBUG/INFO/WARN/ERROR levels
- --disableTccCheck support)
5. macOS: Add Installation Assistant UI and infrastructure improvements
6. macOS: Final polish and stability improvements
- normalizeInstallPath() incorrectly stripping 'meshagent' from paths
- prepareFolders() to use recursive directory creation
- validate_installation_path() to handle non-existent parent directories
- macOSHelpers.js)
- security-permissions.js)
7. macOS: Polish install/upgrade, app bundle, and build system
Install/Upgrade Improvements:
Force Agent Updates:
- -upgrade command
- meshagent_ver key in LaunchDaemon/LaunchAgent plists
- UpdateInProgress flag
App Bundle Enhancements:
Build System:
- -buildver and -fullversion flags for version reporting
Bug Fixes:
8. macOS: Configurable naming, ServiceID overhaul, UI enhancements, and DRY refactoring
Configurable Naming (White-Label Support):
- --setServiceID flag to override during install/upgrade
Deployment Assistant UI Overhaul:
TCC Permissions UI:
- mesh_createFloatingWindow() for window creation
DRY Refactoring — Shared UI Helpers (mac_ui_helpers.h/m):
- mesh_createVectorIcon() — generic vector icon with configurable viewBox size
- mesh_createLucideIcon() — Lucide icon wrapper (24×24 viewBox)
- mesh_bootstrapShieldCheckIcon() / mesh_lucideShieldCheckIcon() — shield icons
- mesh_lucideCircleCheckFillIcon() — filled circle-check for success indicators
- mesh_lucideNetworkIcon(), mesh_lucideImportIcon(), mesh_lucideUploadIcon(), mesh_lucideTrashIcon()
- mesh_addRadioIcon() — attach icon to radio button
- mesh_createCheckbox(), mesh_createRoundedButton(), mesh_createPathField()
Build System:
- EXENAME and BUNDLE_DISPLAY_NAME make variables
- AppIcon.icns
Other:
- -exec/-b64exec
- companyName/meshServiceName from KVM path resolution
9. macOS: Consolidate build scripts, remove dead code, document makefile
Build Script Consolidation:
- (macos-sign.sh and macos-notarize.sh) that auto-detect .app bundles vs bare binaries
- sign-app-bundle.sh, notarize-app-bundle.sh, notarize-app-bundles.sh
Dead Code Removal:
- macos-build_sign_notarize.sh (makefile is the build interface)
- MeshAgent_pkg directory and --build-pkg option
- -request-fulldiskaccess CLI flag and standalone FDA dialog
- populate-FULL-polyfills.sh with minimal example in code-utils/
Build Toolchain Cleanup:
- generate-build-timestamp.sh and generate-info-plist.sh into macos_build/
- macos_build/README.md around makefile-driven workflows
Documentation:
- SIGN, NOTARIZE, EXENAME, BUNDLE_DISPLAY_NAME, BUNDLE_ID, BUNDLE_ICON, SKIPSIGNNOTARY) in makefile header with usage examples
- ARCHID=10005 (universal) to standard builds list

Net result: 22 files changed, +643 / −2,926 lines
Key Features
🖥️ Remote Desktop (KVM)
🔐 Security & Permissions
📦 Installation Experience
🏷️ White-Label Support
- --setServiceID Override: Explicit control over service naming during install/upgrade
- EXENAME, BUNDLE_DISPLAY_NAME, BUNDLE_ID, and BUNDLE_ICON make variables
🔄 Agent Updates & Plist Management
🏗️ Build Infrastructure
- EXENAME/BUNDLE_DISPLAY_NAME/BUNDLE_ID/BUNDLE_ICON build variables
📚 Documentation
New Modules
modules/logger.js
Professional logging infrastructure with:
modules/macOSHelpers.js
macOS platform helper functions:
modules/security-permissions.js
Security permissions management:
modules/agent-paths.js
Agent path resolution:
Testing
Tested On
Test Coverage
Security Testing
Migration Guide
For Users Upgrading from Previous Versions
Installation:
Or via command-line:
sudo ./meshagent -install --installPath="/existing/path/"
ServiceID Migration:
Force Updates:
For Developers
Build Requirements:
Building:
Documentation:
Compatibility
Maintains Compatibility With:
Platform Support:
Related Issues
This PR addresses multiple long-standing issues and feature requests for macOS:
Related MeshCentral PR:
- -upgrade system
Checklist
Issues & Bug Reports
If you encounter any problems with this PR, please open an issue on my fork: