Onboarding: improve FDA prompt UX and probe

- Deep-link Open System Settings straight to the Full Disk Access pane (Ventura+ uses `PrivacySecurity.extension`, older macOS keeps `preference.security`).
- Modal copy is now version-aware: Ventura+ says "in the list", macOS 12 and older say "at the end of the list" (matches the legacy non-alphabetical order).
- Add a "Tip" substep covering the macOS 26 (Tahoe) case where Cmdr may not auto-appear in the FDA list — guides the user to the `+` button.
- Re-probe `check_full_disk_access` right before opening Settings so the bundle is freshly registered with TCC.
- Switch the probe from `read_dir` on `~/Library/Mail` (often `NotFound`, doesn't trigger TCC) to `File::open` + 1-byte `read` on a list of TCC-protected files (`Safari/History.db`, `Safari/Bookmarks.plist`, `Mail/V10/MailData/Envelope Index`, `Messages/chat.db`, `com.apple.TCC/TCC.db`, `AddressBook-v22.abcddb`). On denial, also fire `mmap`, `NSData dataWithContentsOfFile:`, and a `read_dir` of the parent — multi-trigger fallback for Tahoe where the kernel can short-circuit `read()` denials without consulting tccd.
- Add `get_macos_major_version` IPC so the frontend can branch copy/host without parsing `sw_vers` itself.

Author: vdavid

apps/desktop/src-tauri/Cargo.toml

@@ -176,7 +176,7 @@ urlencoding = "2.1.3"
 objc2 = { version = "0.6", features = ["std", "exception"] }
 objc2-foundation = { version = "0.3", features = [
     "NSURL", "NSString", "NSDictionary", "NSDate", "NSArray", "NSValue", "NSError",
-    "NSFileManager", "NSNotification", "NSBundle", "NSDistributedNotificationCenter", "NSUserDefaults",
+    "NSData", "NSFileManager", "NSNotification", "NSBundle", "NSDistributedNotificationCenter", "NSUserDefaults",
 ] }
 objc2-app-kit = { version = "0.3", features = [
     "NSDragging", "NSDraggingItem", "NSImage", "NSColor", "NSColorSpace",

apps/desktop/src-tauri/src/ipc.rs

@@ -424,6 +424,7 @@ fn collect_permission_types(types: &mut Types) -> Vec<Function> {
     use specta::function::collect_functions;
     collect_functions![
         crate::permissions::check_full_disk_access,
+        crate::permissions::get_macos_major_version,
         crate::permissions::open_privacy_settings,
         crate::permissions::open_appearance_settings,
         crate::permissions::open_system_settings_url,
@@ -434,6 +435,7 @@ fn collect_permission_types(types: &mut Types) -> Vec<Function> {
     use specta::function::collect_functions;
     collect_functions![
         crate::permissions_linux::check_full_disk_access,
+        crate::permissions_linux::get_macos_major_version,
         crate::permissions_linux::open_privacy_settings,
         crate::permissions_linux::open_appearance_settings,
         crate::permissions_linux::open_system_settings_url,
@@ -444,6 +446,7 @@ fn collect_permission_types(types: &mut Types) -> Vec<Function> {
     use specta::function::collect_functions;
     collect_functions![
         crate::stubs::permissions::check_full_disk_access,
+        crate::stubs::permissions::get_macos_major_version,
         crate::stubs::permissions::open_privacy_settings,
         crate::stubs::permissions::open_appearance_settings,
         crate::stubs::permissions::open_system_settings_url,
@@ -805,6 +808,8 @@ pub fn builder() -> Builder<tauri::Wry> {
         #[cfg(target_os = "macos")]
         crate::permissions::check_full_disk_access,
         #[cfg(target_os = "macos")]
+        crate::permissions::get_macos_major_version,
+        #[cfg(target_os = "macos")]
         crate::permissions::open_privacy_settings,
         #[cfg(target_os = "macos")]
         crate::permissions::open_appearance_settings,
@@ -813,6 +818,8 @@ pub fn builder() -> Builder<tauri::Wry> {
         #[cfg(target_os = "linux")]
         crate::permissions_linux::check_full_disk_access,
         #[cfg(target_os = "linux")]
+        crate::permissions_linux::get_macos_major_version,
+        #[cfg(target_os = "linux")]
         crate::permissions_linux::open_privacy_settings,
         #[cfg(target_os = "linux")]
         crate::permissions_linux::open_appearance_settings,
@@ -821,6 +828,8 @@ pub fn builder() -> Builder<tauri::Wry> {
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::permissions::check_full_disk_access,
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+        crate::stubs::permissions::get_macos_major_version,
+        #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::permissions::open_privacy_settings,
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::permissions::open_appearance_settings,

apps/desktop/src-tauri/src/permissions.rs

@@ -1,22 +1,205 @@
 //! macOS permission checking and system settings helpers.
 
-/// Checks if the app has full disk access by probing ~/Library/Mail.
-/// This is a standard technique used by macOS apps - Mail is always protected.
+use std::ffi::CString;
+use std::fs::File;
+use std::io::{ErrorKind, Read};
+use std::os::unix::ffi::OsStrExt;
+use std::path::{Path, PathBuf};
+
+/// Specific TCC-protected files we probe to determine FDA status.
+///
+/// We `open()` + `read()` actual *files*, not directory listings: TCC's
+/// registration hook fires on read syscalls into protected paths, not on
+/// `opendir()`. A `read_dir` attempt against a protected directory may be
+/// silently denied without ever adding the bundle to System Settings → Privacy
+/// & Security → Full Disk Access. Even `open()` alone has been observed not
+/// to register the bundle on some macOS versions — the actual `read()` is
+/// what reliably triggers `tccd`.
+///
+/// Order matters: we walk until we hit a file that exists on this account,
+/// because `NotFound` doesn't trigger TCC. Once we hit one, the read attempt
+/// either succeeds (FDA granted) or returns `PermissionDenied` (FDA not
+/// granted, bundle now registered with TCC).
+fn fda_probe_files() -> Vec<PathBuf> {
+    let Some(home) = dirs::home_dir() else {
+        return Vec::new();
+    };
+    vec![
+        home.join("Library/Safari/History.db"), // TCC-protected, present after Safari use
+        home.join("Library/Safari/Bookmarks.plist"), // TCC-protected, present after first Safari launch
+        home.join("Library/Mail/V10/MailData/Envelope Index"), // Mail user
+        home.join("Library/Messages/chat.db"),  // Messages user
+        home.join("Library/Application Support/com.apple.TCC/TCC.db"), // always exists, TCC-protected
+        home.join("Library/Application Support/AddressBook/AddressBook-v22.abcddb"), // Contacts user
+    ]
+}
+
+/// Tries to open `path` and read at least one byte from it. The read is what
+/// trips TCC; `open()` alone has been observed not to register the bundle.
+fn try_read_byte(path: &Path) -> std::io::Result<()> {
+    let mut f = File::open(path)?;
+    let mut buf = [0u8; 1];
+    // We don't care if we got 0 bytes (empty file) or 1 — both mean the read
+    // syscall reached the kernel and was allowed. The variant we care about
+    // is the `Err` case, which is what TCC denial returns.
+    let _ = f.read(&mut buf)?;
+    Ok(())
+}
+
+/// Tries to mmap the first byte of `path`. Different syscall path than
+/// `read()` (mmap goes through the VM subsystem); on some macOS versions
+/// this is observed to trigger tccd registration where plain `read()`
+/// doesn't.
+fn try_mmap_byte(path: &Path) -> std::io::Result<()> {
+    let cpath =
+        CString::new(path.as_os_str().as_bytes()).map_err(|e| std::io::Error::new(ErrorKind::InvalidInput, e))?;
+    // Safety: passing valid pointers, validating return values, calling
+    // the matching `munmap`/`close` on every path out.
+    unsafe {
+        let fd = libc::open(cpath.as_ptr(), libc::O_RDONLY);
+        if fd < 0 {
+            return Err(std::io::Error::last_os_error());
+        }
+        let len: libc::size_t = 1;
+        let ptr = libc::mmap(std::ptr::null_mut(), len, libc::PROT_READ, libc::MAP_PRIVATE, fd, 0);
+        if ptr == libc::MAP_FAILED {
+            let err = std::io::Error::last_os_error();
+            libc::close(fd);
+            return Err(err);
+        }
+        // Force the fault by reading the byte through the mapping.
+        let _ = std::ptr::read_volatile(ptr as *const u8);
+        libc::munmap(ptr, len);
+        libc::close(fd);
+    }
+    Ok(())
+}
+
+/// Tries to read `path` via `NSData dataWithContentsOfFile:`. Goes through
+/// Foundation's higher-level file API rather than raw POSIX, in case Tahoe
+/// only triggers tccd registration for Foundation-routed reads.
+fn try_nsdata_read(path: &Path) -> std::io::Result<()> {
+    use objc2_foundation::{NSData, NSString};
+    let path_str = NSString::from_str(&path.to_string_lossy());
+    // `dataWithContentsOfFile:` returns nil on failure (no error detail).
+    // We don't care about the data; we only want the syscall to land at
+    // tccd. Any nil result is treated as "denied" for our purposes.
+    let data = NSData::dataWithContentsOfFile(&path_str);
+    if data.is_some() {
+        Ok(())
+    } else {
+        Err(std::io::Error::from(ErrorKind::PermissionDenied))
+    }
+}
+
+/// Tries to list the parent directory of `path` via `read_dir`. The
+/// pre-Tahoe Cmdr probe used `read_dir(~/Library/Mail)` directly, which
+/// some users reported as the trigger that put Cmdr in the FDA list. Kept
+/// as one of the multi-trigger fallbacks.
+fn try_read_dir_parent(path: &Path) -> std::io::Result<()> {
+    let parent = path.parent().ok_or(std::io::Error::from(ErrorKind::InvalidInput))?;
+    std::fs::read_dir(parent).map(|_| ())
+}
+
+/// Checks if the app has full disk access by probing TCC-protected files.
+///
+/// Probing is also how the bundle gets registered with TCC, which is what
+/// makes Cmdr show up in the Full Disk Access list in System Settings. On
+/// macOS 26 (Tahoe), the kernel/sandbox can short-circuit `read()` denials
+/// without consulting tccd, leaving the bundle out of the FDA list. To
+/// maximize the chance one of the access paths threads the needle, on a
+/// denial we fire all three: raw `read`, `mmap`, `NSData`, plus a
+/// `read_dir` of the parent directory.
 #[tauri::command]
 #[specta::specta]
 pub fn check_full_disk_access() -> bool {
-    let mail_path = dirs::home_dir().map(|h| h.join("Library/Mail")).unwrap_or_default();
+    for path in fda_probe_files() {
+        match try_read_byte(&path) {
+            Ok(()) => {
+                log::debug!(target: "fda_probe", "FDA probe: read OK on {:?} → FDA granted", path);
+                return true;
+            }
+            Err(e) if e.kind() == ErrorKind::PermissionDenied => {
+                log::debug!(target: "fda_probe", "FDA probe: PermissionDenied on {:?} via read() → FDA NOT granted; firing extra triggers", path);
+                // Best-effort extra triggers — we don't care about results,
+                // only that tccd hears about us through different syscall
+                // paths. Each one is independently logged so we can see in
+                // the TCC log which one (if any) finally registers the bundle.
+                match try_mmap_byte(&path) {
+                    Ok(()) => {
+                        log::debug!(target: "fda_probe", "FDA probe extra: mmap OK on {:?} (FDA actually granted? unexpected)", path)
+                    }
+                    Err(e) => {
+                        log::debug!(target: "fda_probe", "FDA probe extra: mmap on {:?} → {} ({:?})", path, e, e.kind())
+                    }
+                }
+                match try_nsdata_read(&path) {
+                    Ok(()) => {
+                        log::debug!(target: "fda_probe", "FDA probe extra: NSData OK on {:?} (FDA actually granted? unexpected)", path)
+                    }
+                    Err(e) => {
+                        log::debug!(target: "fda_probe", "FDA probe extra: NSData on {:?} → {} ({:?})", path, e, e.kind())
+                    }
+                }
+                match try_read_dir_parent(&path) {
+                    Ok(()) => log::debug!(target: "fda_probe", "FDA probe extra: read_dir(parent of {:?}) OK", path),
+                    Err(e) => {
+                        log::debug!(target: "fda_probe", "FDA probe extra: read_dir(parent of {:?}) → {} ({:?})", path, e, e.kind())
+                    }
+                }
+                return false;
+            }
+            Err(e) => {
+                log::debug!(target: "fda_probe", "FDA probe: skipping {:?}: {} ({:?})", path, e, e.kind());
+                continue;
+            }
+        }
+    }
+    log::warn!(target: "fda_probe", "FDA probe: no candidate path produced a definitive signal — treating as no FDA");
+    // No probed file existed. Treat as "no FDA" — better to show the prompt
+    // than skip it.
+    false
+}
 
-    // Try to read the directory - if we can, we have FDA
-    std::fs::read_dir(&mail_path).is_ok()
+/// Returns the macOS major version (e.g. `13` for Ventura, `14` for Sonoma).
+///
+/// Used by the onboarding modal to tailor copy + the deep-link host:
+/// Ventura+ has the new System Settings app with the
+/// `PrivacySecurity.extension` URL host and an alphabetical FDA list; older
+/// macOS uses the legacy System Preferences `preference.security` host with
+/// new entries appended at the end.
+#[tauri::command]
+#[specta::specta]
+pub fn get_macos_major_version() -> u32 {
+    let Ok(output) = std::process::Command::new("sw_vers").arg("-productVersion").output() else {
+        return 13; // assume modern if sw_vers is unavailable
+    };
+    let Ok(version) = String::from_utf8(output.stdout) else {
+        return 13;
+    };
+    version
+        .trim()
+        .split('.')
+        .next()
+        .and_then(|s| s.parse().ok())
+        .unwrap_or(13)
 }
 
-/// Opens System Settings > Privacy & Security > Privacy.
+/// Opens System Settings directly on the Full Disk Access pane.
+///
+/// Picks the deep-link host based on macOS version: Ventura+ uses the new
+/// `PrivacySecurity.extension`, older macOS uses the legacy
+/// `preference.security` host. Both anchor on `Privacy_AllFiles`.
 #[tauri::command]
 #[specta::specta]
 pub fn open_privacy_settings() -> Result<(), String> {
+    let url = if get_macos_major_version() >= 13 {
+        "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_AllFiles"
+    } else {
+        "x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles"
+    };
     std::process::Command::new("open")
-        .arg("x-apple.systempreferences:com.apple.preference.security?Privacy")
+        .arg(url)
         .spawn()
         .map_err(|e| format!("Failed to open System Settings: {}", e))?;
     Ok(())

apps/desktop/src-tauri/src/permissions_linux.rs

@@ -12,6 +12,13 @@ pub fn check_full_disk_access() -> bool {
     true
 }
 
+/// Stub: macOS version is meaningless on Linux. Returns `0`.
+#[tauri::command]
+#[specta::specta]
+pub fn get_macos_major_version() -> u32 {
+    0
+}
+
 /// Opens the system privacy/security settings if a desktop environment is available.
 #[tauri::command]
 #[specta::specta]

apps/desktop/src-tauri/src/stubs/permissions.rs

@@ -13,6 +13,13 @@ pub fn check_full_disk_access() -> bool {
     true
 }
 
+/// Stub: macOS version is meaningless on this platform. Returns `0`.
+#[tauri::command]
+#[specta::specta]
+pub fn get_macos_major_version() -> u32 {
+    0
+}
+
 /// Opens privacy settings (stub: no-op, returns error).
 ///
 /// There's no equivalent to macOS System Settings > Privacy on Linux.

apps/desktop/src/lib/ipc/bindings.ts

@@ -1556,11 +1556,29 @@ export const commands = {
   // Tauri command: returns the current system text-size multiplier.
   getSystemTextSizeMultiplier: () => __TAURI_INVOKE<number>('get_system_text_size_multiplier'),
   /**
-   *  Checks if the app has full disk access by probing ~/Library/Mail.
-   *  This is a standard technique used by macOS apps - Mail is always protected.
+   *  Checks if the app has full disk access by probing TCC-protected files.
+   *
+   *  Probing is also how the bundle gets registered with TCC, which is what
+   *  makes Cmdr show up in the Full Disk Access list in System Settings.
    */
   checkFullDiskAccess: () => __TAURI_INVOKE<boolean>('check_full_disk_access'),
-  // Opens System Settings > Privacy & Security > Privacy.
+  /**
+   *  Returns the macOS major version (e.g. `13` for Ventura, `14` for Sonoma).
+   *
+   *  Used by the onboarding modal to tailor copy + the deep-link host:
+   *  Ventura+ has the new System Settings app with the
+   *  `PrivacySecurity.extension` URL host and an alphabetical FDA list; older
+   *  macOS uses the legacy System Preferences `preference.security` host with
+   *  new entries appended at the end.
+   */
+  getMacosMajorVersion: () => __TAURI_INVOKE<number>('get_macos_major_version'),
+  /**
+   *  Opens System Settings directly on the Full Disk Access pane.
+   *
+   *  Picks the deep-link host based on macOS version: Ventura+ uses the new
+   *  `PrivacySecurity.extension`, older macOS uses the legacy
+   *  `preference.security` host. Both anchor on `Privacy_AllFiles`.
+   */
   openPrivacySettings: () => typedError<null, string>(__TAURI_INVOKE('open_privacy_settings')),
   // Opens System Settings > Appearance.
   openAppearanceSettings: () => typedError<null, string>(__TAURI_INVOKE('open_appearance_settings')),

apps/desktop/src/lib/onboarding/CLAUDE.md

@@ -15,7 +15,9 @@ Access in macOS System Settings.
 
 Two actions are available:
 
-- **Open System Settings** — calls `openPrivacySettings()` via IPC, then shows a follow-up hint to restart the app.
+- **Open System Settings** — re-runs `checkFullDiskAccess()` (so TCC has a fresh registration of the bundle and the Cmdr
+  row appears in the FDA list), then calls `openPrivacySettings()` via IPC, then shows a follow-up hint to restart the
+  app. The IPC deep-links straight to the Full Disk Access pane (not the Privacy category list).
 - **Deny** — saves `fullDiskAccessChoice: 'deny'` to settings, calls `startIndexingAfterFdaDecision()` so the indexer
   starts within this session, then calls `onComplete()` to dismiss.
 
@@ -86,9 +88,20 @@ apps (VS Code, iTerm2) do.
 - Tauri provides no callback for when the user finishes in System Preferences. The app cannot detect the grant
   automatically. The post-click hint tells the user to restart manually.
 - Uses `dialogId="full-disk-access"` on `ModalDialog`, so MCP dialog tracking is automatic.
+- **TCC's registration hook fires on `open()`, not `opendir()`.** A `read_dir` against a protected directory may be
+  silently denied without ever adding the bundle to the Full Disk Access list — leaving the user with no row to toggle
+  on. The probe in `permissions.rs` opens specific protected _files_ (`~/Library/Safari/Bookmarks.plist`,
+  `~/Library/Mail/V10/MailData/Envelope Index`, `~/Library/Messages/chat.db`, etc.) and walks them in order until one
+  returns either `Ok` or `PermissionDenied`. `NotFound` doesn't trigger TCC, so we keep walking. The component re-runs
+  `checkFullDiskAccess()` right before `openPrivacySettings()` so the registration is fresh when the Settings pane
+  loads.
+- **Deep-link host changed in Ventura.** macOS 13+ uses `com.apple.settings.PrivacySecurity.extension`; older macOS uses
+  `com.apple.preference.security`. Both anchor on `Privacy_AllFiles`. `open_privacy_settings` picks the right one via
+  `get_macos_major_version`. The same version informs the modal copy: macOS 12 and older append new FDA entries at the
+  end of the list (instead of alphabetical), so the "find Cmdr" instruction adjusts.
 
 ## Dependencies
 
-- `$lib/tauri-commands` — `openPrivacySettings`
+- `$lib/tauri-commands` — `checkFullDiskAccess`, `getMacosMajorVersion`, `openPrivacySettings`
 - `$lib/settings-store` — `saveSettings`
 - `$lib/ui` — `ModalDialog`, `Button`

apps/desktop/src/lib/onboarding/FullDiskAccessPrompt.a11y.test.ts

@@ -12,6 +12,8 @@ import { expectNoA11yViolations } from '$lib/test-a11y'
 vi.mock('$lib/tauri-commands', () => ({
   notifyDialogOpened: vi.fn(() => Promise.resolve()),
   notifyDialogClosed: vi.fn(() => Promise.resolve()),
+  checkFullDiskAccess: vi.fn(() => Promise.resolve(false)),
+  getMacosMajorVersion: vi.fn(() => Promise.resolve(14)),
   openPrivacySettings: vi.fn(() => Promise.resolve()),
 }))