Desktop: tccutil reset creates infinite TCC loop with dev signing

[beastoin]

Closes no existing issue — new bug report from verification testing.

ScreenCaptureService.resetScreenCapturePermission() calls tccutil reset ScreenCapture which removes the TCC grant entirely. With ad-hoc or dev signing, the binary's CDHash changes every rebuild, triggering stale TCC detection in AppState.checkScreenRecordingPermission() (line 792) — which auto-calls resetScreenCapturePermission(). This creates an infinite loop: build → CDHash changes → stale detected → tccutil wipes grant → no permission → stale detected again.

Current Behavior

• checkScreenRecordingPermission() detects CGPreflightScreenCaptureAccess() == true but actual capture fails (stale CDHash)
• Auto-fires resetScreenCapturePermission() via Task.detached (AppState.swift:796-799)
• tccutil reset ScreenCapture removes the grant
• Next check: no permission → stale again → loop

Expected Behavior

Stale TCC detection should NOT auto-wipe the grant. Either skip the reset for dev-signed builds, or use softRecoveryAndRestart() (which already exists and preserves grants).

Affected Areas

File	Line	Description
desktop/Desktop/Sources/AppState.swift	792-799	Stale TCC detection auto-calls resetScreenCapturePermission()
desktop/Desktop/Sources/ScreenCaptureService.swift	270-288	resetScreenCapturePermission() runs tccutil reset ScreenCapture

Solution

Option A (minimal): Guard the auto-reset — detect ad-hoc/dev signing (SecCodeCopySigningInformation or check bundle ID suffix -dev) and skip resetScreenCapturePermission(), only logging the stale state.

Option B (better): Replace the auto tccutil reset call in the stale detection path with softRecoveryAndRestart() which preserves grants. Reserve tccutil reset for explicit user action only (sidebar button, notification).

Files to Modify

• desktop/Desktop/Sources/AppState.swift — stale TCC detection block (lines 792-799)

Impact

Dev/testing only — prod builds have stable Developer ID signing so CDHash doesn't change. But this blocks all dev testing on machines without a stable signing cert.

---

by AI for @beastoin

[beastoin]

@m13v This was flagged during dev testing on Mac Mini — checkScreenRecordingPermission() (AppState.swift:792) auto-calls resetScreenCapturePermission() when it detects a stale TCC entry, which runs tccutil reset ScreenCapture and wipes the grant. With dev/ad-hoc signing the CDHash changes every rebuild, so stale detection fires every time → infinite loop of grant removal.

Was the auto-reset intentional for prod (stable Developer ID signing), or should stale detection only log and prompt the user? There's already a softRecoveryAndRestart() that preserves grants — wondering if the auto path should use that instead.

---

by AI for @beastoin