tcc: gate cltbld-TCC.db-dependent resources on a custom fact #1211

Open
rcurranmoz wants to merge 2 commits into master from tcc-db-cltbld-session-fact
@rcurranmoz
Contributor

Summary

Fixes #1208.

Replaces the log-grep reboot trigger in run-puppet.sh with a proactive fact-based gate.

The bootstrap script currently does this:

```bash
if grep -q "unable to open database \"/Users/cltbld/.../TCC.db" "$TMP_LOG"; then
    echo "Detected TCC.db issue. A reboot is required."
    sudo shutdown -r now
    exit 0
fi
```

That string is Apple-controlled (we'd silently lose the trigger if Apple rewords or localizes it), reboots mid-apply (so downstream resources never run in this pass), and can't distinguish "cltbld TCC.db not ready yet" from "cltbld TCC.db permanently broken" — same string, very different remediation.

Changes

  • New custom fact `cltbld_tcc_db_present` in `modules/macos_tcc_perms/lib/facter/`. Boolean — true iff `/Users/cltbld/Library/Application Support/com.apple.TCC/TCC.db` exists.
  • `macos_tcc_perms`: gates the `execute tcc perms script` exec on `$facts['cltbld_tcc_db_present']`.
  • `macos_safaridriver`: gates `execute perms script` and `execute enable remote automation script` on the same fact (both write to or depend on cltbld's TCC.db).
  • `run-puppet.sh`: removes the log-grep block. Adds a post-success check — if cltbld TCC.db is still missing after a clean apply, the script reboots once so autologin can fire; the next apply (via bootstrap LaunchDaemon #1206, "macos_run_puppet: make bootstrap reboot-survivable via LaunchDaemon", or the regular at-boot mechanism) will see the fact flip to true and apply the resources cleanly.

Behavior on a fresh host

  1. First apply: autologin set up, TCC resources skipped (no errors)
  2. Post-success check sees TCC.db absent → reboot
  3. cltbld autologs in → TCC.db materializes
  4. Next apply: TCC resources actually run

Test plan

  • Fresh M4 host (cltbld absent at start of apply): puppet apply completes without errors, post-success check triggers reboot, second apply applies TCC perms
  • Already-bootstrapped host (cltbld TCC.db present): TCC resources apply normally, no reboot
  • Kitchen mac suite: `running_in_test_kitchen` guard still keeps TCC resources from firing
  • Confirm `facter -p cltbld_tcc_db_present` returns the correct boolean on a managed host
  • Linux suites unaffected (fact is confined to Darwin)

Related

Pairs naturally with #1206 (reboot-survivable bootstrap LaunchDaemon) — together they eliminate the babysitter ssh pattern entirely.

🤖 Generated with Claude Code

Replaces the log-grep reboot trigger in run-puppet.sh with a proactive
gate based on a new `cltbld_tcc_db_present` custom fact.

The script in `modules/macos_run_puppet/files/run-puppet.sh` previously
greps puppet's stdout for the literal string

  unable to open database "/Users/cltbld/.../TCC.db"

and on match does `sudo shutdown -r now`. That string is Apple-controlled,
fires mid-apply (so downstream resources never run in that pass), and
can't tell "cltbld TCC.db not ready yet" from "cltbld TCC.db permanently
broken" — same string, very different remediation.

This commit:

- Adds `cltbld_tcc_db_present` (Boolean) custom fact in
  modules/macos_tcc_perms/lib/facter/. Returns true iff
  /Users/cltbld/Library/Application Support/com.apple.TCC/TCC.db exists.

- Gates `macos_tcc_perms::execute tcc perms script` on the fact.

- Gates `macos_safaridriver::execute perms script` and
  `macos_safaridriver::execute enable remote automation script` on the
  same fact. Both write to or depend on cltbld's TCC.db.

- Removes the log-grep block from run-puppet.sh — with the fact-gating
  in place, the resources are no-ops on first apply (before cltbld
  autologin), so the puppet error string never appears.

- Adds a post-success check in run-puppet.sh: if cltbld's TCC.db is
  still missing after a successful apply, reboot once so cltbld
  autologs in. The next puppet apply (via either the bootstrap
  LaunchDaemon (#1206) or the regular at-boot LaunchDaemon) will see
  cltbld_tcc_db_present=true and apply the gated resources cleanly.

Behavior on a fresh host now goes:
  1. Apply: autologin set up, TCC resources skipped, no errors
  2. Reboot triggered by post-success check
  3. cltbld autologs in, TCC.db materializes
  4. Next apply: TCC resources actually apply

Fixes #1208

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
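
An added example, not code from this pull request or the project: one way a wrapper such as run-puppet.sh could make the post-success decision described above while ensuring the reboot is requested only once, so a host whose cltbld TCC.db never appears is reported instead of looping. The function name, the marker file and its path, and the use of `puppet apply --detailed-exitcodes` return codes are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the project's run-puppet.sh): post-apply decision logic.
# Assumptions: function name, marker file and its path, and treating
# `puppet apply --detailed-exitcodes` codes 0 and 2 as a clean apply.

TCC_DB="${TCC_DB:-/Users/cltbld/Library/Application Support/com.apple.TCC/TCC.db}"
# Hypothetical marker path; keep it in a root-owned directory that survives reboot.
REBOOT_MARKER="${REBOOT_MARKER:-/var/db/tcc_reboot_requested}"

# Prints one of: done | reboot | stuck | failed
post_apply_action() {
    # $1 = puppet exit code. 0 = no changes, 2 = changes applied;
    # any other code means the apply had failures, so do not reboot on it.
    case "$1" in
        0|2) ;;
        *) echo failed; return 0 ;;
    esac

    if [ -e "$TCC_DB" ]; then
        # Same condition the cltbld_tcc_db_present fact reports: the file exists.
        rm -f "$REBOOT_MARKER"
        echo done
    elif [ -e "$REBOOT_MARKER" ]; then
        # A reboot was already requested and the DB still has not appeared.
        # Report it instead of rebooting again, so a broken host cannot loop.
        echo stuck
    else
        : > "$REBOOT_MARKER"
        echo reboot
    fi
}

# Act only when invoked as: script --act <puppet-exit-code>
if [ "${1:-}" = "--act" ]; then
    case "$(post_apply_action "${2:?puppet exit code required}")" in
        reboot) echo "cltbld TCC.db missing after clean apply; rebooting once."
                sudo shutdown -r now ;;
        stuck)  echo "cltbld TCC.db still missing after a reboot; not rebooting again." >&2
                exit 1 ;;
        failed) echo "puppet apply reported failures; not rebooting." >&2
                exit 1 ;;
        done)   echo "cltbld TCC.db present." ;;
    esac
fi
```

The `stuck` outcome separates "not ready yet" from "still missing after the reboot that should have created it", which a single existence check cannot do on its own.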

Successfully merging this pull request may close these issues.

macos_run_puppet: replace TCC.db log-grep reboot trigger with cltbld-session gate