fix(permissions): handle accessibility loss after auto-update

kdcokenny · kdcokenny · commit 85b9350a5abd · 2025-12-19T23:10:28.000-05:00
diff --git a/OpenDictation/App/AppDelegate.swift b/OpenDictation/App/AppDelegate.swift
@@ -43,9 +43,17 @@ final class AppDelegate: NSObject, NSApplicationDelegate, NSWindowDelegate {
         // MARK: - Accessibility Permission Check
         // Check accessibility FIRST - before any other setup.
         // This prevents the escape key bug by ensuring event taps can be created.
-        // Pattern from Touch Bar Simulator by Sindre Sorhus.
         permissionsManager = PermissionsManager()
-        permissionsManager?.checkAccessibilityOnLaunch()
+        
+        // Check for post-update launch (binary changed but accessibility lost)
+        if permissionsManager?.isPostUpdateLaunch() == true && !AXIsProcessTrusted() {
+            permissionsManager?.handlePostUpdateAccessibilityCheck()
+            // If we get here, handlePostUpdateAccessibilityCheck either handled it 
+            // and we continue (unlikely but possible) or it triggered a quit/relaunch flow.
+        } else {
+            // Normal launch flow
+            permissionsManager?.checkAccessibilityOnLaunch()
+        }
         
         // MARK: - App Setup
         // Check if app should be moved to Applications (before other setup)
diff --git a/OpenDictation/Core/Services/PermissionsManager.swift b/OpenDictation/Core/Services/PermissionsManager.swift
@@ -22,6 +22,7 @@ final class PermissionsManager: ObservableObject {
     
     private enum Keys {
         static let accessibilityPromptedVersion = "PermissionsManager_AccessibilityPromptedVersion"
+        static let lastLaunchedBuildNumber = "PermissionsManager_LastLaunchedBuildNumber"
     }
     
     // MARK: - Published Properties
@@ -170,6 +171,134 @@ final class PermissionsManager: ObservableObject {
         }
     }
     
+    // MARK: - Post-Update Handling
+    
+    /// Detects if this launch is after an app update that changed the binary.
+    /// Uses version comparison as primary signal (reliable) with delegate flag as optimization.
+    func isPostUpdateLaunch() -> Bool {
+        let currentBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String
+        let lastBuild = UserDefaults.standard.string(forKey: Keys.lastLaunchedBuildNumber)
+        
+        // Always update for next launch
+        UserDefaults.standard.set(currentBuild, forKey: Keys.lastLaunchedBuildNumber)
+        
+        // Post-update if: (1) build changed, OR (2) Sparkle delegate set flag
+        let buildChanged = (lastBuild != nil) && (lastBuild != currentBuild)
+        let delegateFlag = UpdateService.consumePostUpdateFlag()
+        
+        if buildChanged || delegateFlag {
+            logger.info("Detected post-update launch (buildChanged: \(buildChanged), delegateFlag: \(delegateFlag))")
+            return true
+        }
+        
+        return false
+    }
+    
+    /// Handles accessibility check specifically after an auto-update.
+    /// Terminates app so user can manually relaunch for proper TCC registration.
+    func handlePostUpdateAccessibilityCheck() {
+        // Already granted? Continue normally (user may have manually fixed or relaunch worked)
+        if AXIsProcessTrusted() {
+            logger.info("Accessibility already granted on post-update launch")
+            isAccessibilityGranted = true
+            return
+        }
+        
+        logger.info("Post-update launch detected - accessibility not granted")
+        
+        // Force app to front
+        NSApp.activate(ignoringOtherApps: true)
+        
+        // Reset stale TCC entries
+        let resetSucceeded = resetAccessibilityAndReturnStatus()
+        
+        if resetSucceeded {
+            showPostUpdateQuitDialog()
+        } else {
+            showManualRemovalDialog()
+        }
+        
+        NSApp.terminate(nil)
+    }
+    
+    /// Shows dialog when tccutil reset succeeded.
+    private func showPostUpdateQuitDialog() {
+        let alert = NSAlert()
+        alert.messageText = "One More Step After Update"
+        alert.informativeText = """
+        Open Dictation was just updated. macOS security requires you to:
+        
+        1. Click "Quit" below
+        2. Reopen Open Dictation from the Dock or Applications folder
+        3. Enable accessibility permission when prompted
+        
+        This is a one-time step after updates.
+        """
+        alert.alertStyle = .informational
+        alert.addButton(withTitle: "Quit")
+        alert.addButton(withTitle: "Open Applications Folder")
+        
+        if alert.runModal() == .alertSecondButtonReturn {
+            NSWorkspace.shared.selectFile(Bundle.main.bundlePath, inFileViewerRootedAtPath: "/Applications")
+        }
+    }
+    
+    /// Shows dialog when tccutil reset FAILED - user must manually remove.
+    private func showManualRemovalDialog() {
+        let alert = NSAlert()
+        alert.messageText = "Manual Step Required"
+        alert.informativeText = """
+        Open Dictation was just updated, but automatic permission reset failed.
+        
+        Please follow these steps:
+        
+        1. Click "Open System Settings" below
+        2. Find "Open Dictation" in the list
+        3. Click the minus (-) button to REMOVE it
+        4. Close this app and reopen it
+        5. Re-add Open Dictation when prompted
+        
+        Toggling the checkbox off/on will NOT work—you must fully remove it.
+        """
+        alert.alertStyle = .warning
+        alert.addButton(withTitle: "Open System Settings")
+        alert.addButton(withTitle: "Quit")
+        
+        if alert.runModal() == .alertFirstButtonReturn {
+            if let url = URL(string: "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility") {
+                NSWorkspace.shared.open(url)
+            }
+        }
+    }
+    
+    /// Resets accessibility and returns whether it succeeded.
+    private nonisolated func resetAccessibilityAndReturnStatus() -> Bool {
+        guard let bundleID = Bundle.main.bundleIdentifier else { return false }
+        
+        do {
+            let process = Process()
+            process.executableURL = URL(fileURLWithPath: "/usr/bin/tccutil")
+            process.arguments = ["reset", "Accessibility", bundleID]
+            process.standardOutput = FileHandle.nullDevice
+            process.standardError = FileHandle.nullDevice
+            try process.run()
+            process.waitUntilExit()
+            
+            let log = OSLog.app(category: "PermissionsManager")
+            if process.terminationStatus == 0 {
+                os_log("Reset accessibility permissions for %{public}@", log: log, type: .info, bundleID)
+                return true
+            } else {
+                os_log("tccutil reset failed with status %d", log: log, type: .error, process.terminationStatus)
+                return false
+            }
+        } catch {
+            let log = OSLog.app(category: "PermissionsManager")
+            os_log("Failed to run tccutil: %{public}@", log: log, type: .error, error.localizedDescription)
+            return false
+        }
+    }
+    
     // MARK: - Accessibility Permission
     
     /// Requests Accessibility permission if not already prompted this app version.
diff --git a/OpenDictation/Core/Services/UpdateService.swift b/OpenDictation/Core/Services/UpdateService.swift
@@ -12,6 +12,7 @@ final class UpdateService: ObservableObject {
     static let shared = UpdateService()
     
     private let controller: SPUStandardUpdaterController
+    private let delegate = UpdateServiceDelegate()
     
     /// The underlying SPUUpdater for bindings and state observation
     var updater: SPUUpdater { controller.updater }
@@ -22,7 +23,7 @@ final class UpdateService: ObservableObject {
     private init() {
         controller = SPUStandardUpdaterController(
             startingUpdater: true,
-            updaterDelegate: nil,
+            updaterDelegate: delegate,
             userDriverDelegate: nil
         )
         
@@ -42,3 +43,33 @@ final class UpdateService: ObservableObject {
         controller.updater.checkForUpdates()
     }
 }
+
+// MARK: - Update Delegate
+
+/// Separate delegate class to handle Sparkle callbacks.
+/// This avoids Swift init order issues (can't pass self to constructor before init).
+private final class UpdateServiceDelegate: NSObject, SPUUpdaterDelegate {
+    
+    func updaterWillRelaunchApplication(_ updater: SPUUpdater) {
+        // Set flag so post-update launch can detect this was an auto-update relaunch
+        // Using synchronize() to ensure it's written before the process terminates
+        UserDefaults.standard.set(true, forKey: kPostUpdateRelaunchKey)
+        UserDefaults.standard.synchronize()
+    }
+}
+
+// MARK: - Post-Update Detection
+
+/// File-level constant to avoid Swift concurrency issues with accessing MainActor-isolated properties
+private let kPostUpdateRelaunchKey = "OpenDictation_PostUpdateRelaunch"
+
+extension UpdateService {
+    /// Checks and clears the post-update relaunch flag
+    static func consumePostUpdateFlag() -> Bool {
+        let value = UserDefaults.standard.bool(forKey: kPostUpdateRelaunchKey)
+        if value {
+            UserDefaults.standard.removeObject(forKey: kPostUpdateRelaunchKey)
+        }
+        return value
+    }
+}
