alvin-bot 4.22.2 → 4.22.3

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.22.3] — 2026-05-12
+
+### Fixed
+
+- **Codex CLI provider:** close stdin after spawn so `codex exec` returns immediately. The provider opened stdin as a pipe but never sent EOF — `codex exec` then printed `Reading additional input from stdin...` and blocked until the 120 s spawn timeout, which surfaced on the chat side as "no reply" / empty Telegram messages whenever a user picked Codex CLI as their AI provider. Single-line fix (`proc.stdin.end()`) plus an explanatory comment. ([#1](https://github.com/alvbln/Alvin-Bot/pull/1))
+
+### macOS UX: surface Full Disk Access gaps under launchd ([#2](https://github.com/alvbln/Alvin-Bot/pull/2))
+
+When the bot runs as a LaunchAgent, macOS TCC binds permissions to the `node` binary's real Cellar path. Anything the bot spawns (Codex CLI, file-reading skills, plugins touching `~/Documents`/`~/Desktop`) inherits that identity, and without Full Disk Access on `node` those reads silently fail — no dialog appears under launchd. Fresh public users were hitting this without knowing what was going on; the failure mode (spawned tools producing empty output) looked like a bot bug.
+
+- **`alvin-bot launchd install`** now detects FDA after a successful install and either confirms it's granted or prints a prominent warning with: the exact Cellar path to add (resolved via `realpathSync`), the `open "x-apple.systempreferences:..."` command for the right pane, the `launchctl kickstart` command to apply the grant, and a heads-up that `brew upgrade node` invalidates the grant (TCC binds to the versioned Cellar path).
+- **`alvin-bot doctor`** gains a "macOS permissions" section that shows FDA status and how to fix — useful after `brew upgrade node` rolls forward to a new Cellar path and the old grant becomes stale.
+- **README** "A note on permission prompts" is extended with the launchd/FDA caveat, linking to the macOS Setup Guide PDF.
+
 ## [4.22.2] — 2026-05-11
 
 ### Docs

package/README.md

@@ -68,6 +68,8 @@ Free AI providers available — no credit card needed. **Privacy-first?** Pick t
 
 The first time Alvin reaches for a new tool — a shell command, a file read, a web fetch — you may see a permission prompt from the underlying agent runtime asking whether to allow it. Those prompts come from Alvin himself, not from a third party. Approving one expands what he can do for you autonomously; denying keeps the scope narrow. The more you allow, the more capable and hands-off he becomes — you stay in control either way, and you can always revoke a permission later.
 
+**macOS only — one extra step under launchd.** If you install Alvin as a background service (`alvin-bot launchd install`), macOS won't be able to show you those permission dialogs interactively anymore. To let the bot and anything it spawns (Codex CLI, file-reading skills) actually read your files, grant **Full Disk Access** to `node` once: System Settings → Privacy & Security → Full Disk Access → **+** → add `/opt/homebrew/Cellar/node/<version>/bin/node` (find the exact path with `readlink -f "$(which node)"`). `alvin-bot launchd install` and `alvin-bot doctor` will both detect and remind you with the exact path. After `brew upgrade node` you'll need to re-grant, because TCC binds to the versioned Cellar path. The printable [macOS Setup Guide PDF](https://github.com/alvbln/Alvin-Bot/releases/latest/download/Alvin-Bot-macOS-Setup-Guide.pdf) covers this end-to-end.
+
 ### 📘 First-time setup walkthroughs
 
 Step-by-step printable PDF guides:

package/bin/cli.js

@@ -17,7 +17,7 @@
  */
 
 import { createInterface } from "readline";
-import { existsSync, writeFileSync, readFileSync, mkdirSync, copyFileSync, readdirSync, statSync } from "fs";
+import { existsSync, writeFileSync, readFileSync, mkdirSync, copyFileSync, readdirSync, statSync, accessSync, realpathSync, constants as fsConstants } from "fs";
 import { resolve, join } from "path";
 import { homedir } from "os";
 import { execSync } from "child_process";
@@ -1515,6 +1515,21 @@ async function doctor() {
     console.log(`  ${hasChrome ? "✅" : "⚠️ "} WhatsApp (Chrome: ${hasChrome ? "found" : "not found"})`);
   }
 
+  // ── macOS permissions (TCC) ────────────────────────────────────────────
+  if (process.platform === "darwin") {
+    console.log("\n  macOS permissions:");
+    const fda = checkMacosFullDiskAccess(process.execPath);
+    if (fda.hasFDA) {
+      console.log(`  ✅ Full Disk Access — granted to ${fda.realNodePath}`);
+    } else {
+      console.log(`  ⚠️  Full Disk Access NOT granted to node (${fda.realNodePath})`);
+      console.log(`     Spawned tools (codex CLI, file-reading skills) may silently fail`);
+      console.log(`     to read protected directories under launchd. To fix:`);
+      console.log(`       open "${fda.paneUrl}"`);
+      console.log(`     and add the path above with the "+" button.`);
+    }
+  }
+
   console.log("");
 }
 
@@ -1557,6 +1572,57 @@ async function version() {
 
 // ── LaunchAgent helpers (macOS only) ────────────────────────────────────────
 
+/**
+ * Inspect the macOS Full Disk Access (TCC) state for the node binary that
+ * the bot will run under.
+ *
+ * Background: macOS TCC grants permissions to specific binary paths, not to
+ * user accounts. When `alvin-bot` runs under launchd, the bot process is
+ * `node` from Homebrew (e.g. /opt/homebrew/Cellar/node/<version>/bin/node).
+ * Any child process the bot spawns — `codex`, `ripgrep`, plugins reading
+ * ~/Documents, the file-manager skill — inherits the parent's TCC identity.
+ * If `node` doesn't have Full Disk Access, those children silently fail to
+ * read protected directories (no dialog appears under launchd).
+ *
+ * Heuristic for "FDA granted": try to read `~/Library/Mail`, which lives in
+ * the TCC-protected user-data quarantine. Successful read ⇒ FDA is on.
+ * This matches `src/services/sudo.ts:getSudoStatus()`.
+ *
+ * Returns { realNodePath, hasFDA, panEUrl, settingsCommand } so callers can
+ * print actionable guidance.
+ */
+function checkMacosFullDiskAccess(nodePath) {
+  if (process.platform !== "darwin") {
+    return { skipped: true };
+  }
+
+  // Resolve symlinks — TCC tracks the real binary path, not the symlink.
+  // /opt/homebrew/bin/node is typically a symlink into the Cellar.
+  let realNodePath = nodePath;
+  try {
+    realNodePath = realpathSync(nodePath);
+  } catch {
+    // Fall back to the symlink path if resolution fails.
+  }
+
+  let hasFDA = false;
+  try {
+    accessSync(resolve(homedir(), "Library", "Mail"), fsConstants.R_OK);
+    hasFDA = true;
+  } catch {
+    // Either Mail isn't there (very rare) or FDA is missing. Default to
+    // "missing" — false negatives just trigger a warning the user can ignore.
+    hasFDA = false;
+  }
+
+  return {
+    skipped: false,
+    realNodePath,
+    hasFDA,
+    paneUrl: "x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles",
+  };
+}
+
 /**
  * Render the launchd plist that runs `node dist/index.js` as a per-user
  * agent. Inherits the GUI login session so the macOS Keychain is
@@ -1726,6 +1792,40 @@ async function launchdInstall() {
     console.log("");
     console.log("💡 pm2 still has other projects running — leaving it installed.");
   }
+
+  // ── Full Disk Access reminder ────────────────────────────────────────────
+  //
+  // Under launchd, the bot has no foreground Terminal to inherit TCC from.
+  // Anything it spawns (codex CLI, file-reading skills, etc.) needs `node`
+  // itself to have Full Disk Access — otherwise reads silently fail.
+  const fda = checkMacosFullDiskAccess(nodePath);
+  if (!fda.skipped && !fda.hasFDA) {
+    console.log("");
+    console.log("⚠️  Full Disk Access not granted to node.");
+    console.log("");
+    console.log("   Under launchd, the bot can't ask for permission dialogs interactively.");
+    console.log("   Without FDA, anything the bot spawns (codex CLI, file-reading skills,");
+    console.log("   ~/Documents access, …) will silently fail to read protected files.");
+    console.log("");
+    console.log("   Grant once: System Settings → Privacy & Security → Full Disk Access → +");
+    console.log("   Then add this exact path (⌘⇧G to paste it):");
+    console.log("");
+    console.log(`      ${fda.realNodePath}`);
+    console.log("");
+    console.log("   Open the right pane now:");
+    console.log(`      open "${fda.paneUrl}"`);
+    console.log("");
+    console.log("   After granting, restart the bot to pick up the new permission:");
+    console.log(`      launchctl kickstart -k gui/$UID/${label}`);
+    console.log("");
+    console.log("   Note: re-grant is required after `brew upgrade node` — TCC binds to");
+    console.log("   the Cellar version path, which changes when node is upgraded.");
+  } else if (!fda.skipped && fda.hasFDA) {
+    console.log("");
+    console.log("✅ Full Disk Access already granted to node — spawned tools can read");
+    console.log(`   protected files. (Granted path: ${fda.realNodePath})`);
+  }
+
   process.exit(0);
 }
 

package/dist/providers/codex-cli-provider.js

@@ -91,6 +91,12 @@ export class CodexCLIProvider {
                 timeout: 120_000,
                 env: { ...process.env, NO_COLOR: "1" },
             });
+            // Close stdin so `codex exec` doesn't wait for additional input — the
+            // prompt is passed as a positional arg, no stdin payload follows.
+            // Without this, codex prints "Reading additional input from stdin..."
+            // and blocks until the 120s timeout, causing the bot to return
+            // "keine Antwort" / empty replies on the chat side.
+            proc.stdin.end();
             let stdout = "";
             let stderr = "";
             proc.stdout.on("data", (data) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.22.2",
+  "version": "4.22.3",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",