npm - gentyr - Versions diffs - 1.3.0 - Mend

gentyr 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (599) hide show

package/scripts/reap-completed-agents.js ADDED Viewed

@@ -0,0 +1,439 @@
+#!/usr/bin/env node
+/**
+ * Agent Reaper — Precision process cleanup for completed spawned Claude sessions.
+ *
+ * Finds agents tracked by agent-tracker that have finished their work
+ * (last JSONL line is assistant-only text with no tool_use) and kills them.
+ *
+ * Safety guarantees:
+ *   - Only kills processes whose session file starts with [Task] (automated)
+ *   - Only kills processes whose last assistant message has no tool_use blocks
+ *   - Never kills interactive (non-[Task]) sessions
+ *   - Never kills processes it can't match to a known session file
+ *   - Processes that are already dead are simply marked completed
+ *
+ * @version 2.0.0
+ */
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+// Lazy-loaded SQLite for TODO reconciliation
+let Database = null;
+try {
+  Database = (await import('better-sqlite3')).default;
+} catch {
+  // Non-fatal: TODO reconciliation will be skipped
+}
+// ============================================================================
+// Configuration
+// ============================================================================
+const CLAUDE_PROJECTS_DIR = path.join(os.homedir(), '.claude', 'projects');
+const HEAD_BYTES = 2000;  // Bytes to read from start of JSONL for agent ID match
+const TAIL_BYTES = 4000;  // Bytes to read from end of JSONL for completion check
+// ============================================================================
+// Core Functions
+// ============================================================================
+/**
+ * Check if a process is alive.
+ * @param {number} pid
+ * @returns {boolean}
+ */
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    return err.code !== 'ESRCH';
+  }
+}
+/**
+ * Discover the normalized session directory for a project.
+ * @param {string} projectDir
+ * @returns {string|null}
+ */
+function getSessionDir(projectDir) {
+  const projectPath = projectDir.replace(/[^a-zA-Z0-9]/g, '-');
+  const sessionDir = path.join(CLAUDE_PROJECTS_DIR, projectPath);
+  if (fs.existsSync(sessionDir)) return sessionDir;
+  const altPath = path.join(CLAUDE_PROJECTS_DIR, projectPath.replace(/^-/, ''));
+  if (fs.existsSync(altPath)) return altPath;
+  return null;
+}
+/**
+ * Read the first N bytes of a file using a file descriptor (no full-file read).
+ * @param {string} filePath
+ * @param {number} numBytes
+ * @returns {string}
+ */
+function readHead(filePath, numBytes) {
+  let fd;
+  try {
+    fd = fs.openSync(filePath, 'r');
+    const buf = Buffer.alloc(numBytes);
+    const bytesRead = fs.readSync(fd, buf, 0, numBytes, 0);
+    return buf.toString('utf8', 0, bytesRead);
+  } catch {
+    return '';
+  } finally {
+    if (fd !== undefined) fs.closeSync(fd);
+  }
+}
+/**
+ * Read the last N bytes of a file using a file descriptor (seek to end).
+ * @param {string} filePath
+ * @param {number} numBytes
+ * @returns {string}
+ */
+function readTail(filePath, numBytes) {
+  let fd;
+  try {
+    fd = fs.openSync(filePath, 'r');
+    const stat = fs.fstatSync(fd);
+    const start = Math.max(0, stat.size - numBytes);
+    const buf = Buffer.alloc(Math.min(numBytes, stat.size));
+    const bytesRead = fs.readSync(fd, buf, 0, buf.length, start);
+    return buf.toString('utf8', 0, bytesRead);
+  } catch {
+    return '';
+  } finally {
+    if (fd !== undefined) fs.closeSync(fd);
+  }
+}
+/**
+ * Find the session file that contains a given agent tracking ID
+ * by scanning the first bytes of each JSONL file.
+ *
+ * @param {string} sessionDir - Directory containing JSONL session files
+ * @param {string} agentId - The agent ID to search for (e.g. "agent-mlr08lpw-2444b1e0")
+ * @returns {string|null} Full path to matching session file, or null
+ */
+function findSessionFileByAgentId(sessionDir, agentId) {
+  const marker = `[AGENT:${agentId}]`;
+  let files;
+  try {
+    files = fs.readdirSync(sessionDir).filter(f => f.endsWith('.jsonl'));
+  } catch {
+    return null;
+  }
+  for (const file of files) {
+    const filePath = path.join(sessionDir, file);
+    const head = readHead(filePath, HEAD_BYTES);
+    if (head.includes(marker)) {
+      return filePath;
+    }
+  }
+  return null;
+}
+/**
+ * Check if a session's last assistant message indicates completion.
+ * Completion = last JSON line is type=assistant with text-only content (no tool_use).
+ *
+ * @param {string} sessionFile - Path to the JSONL session file
+ * @returns {boolean}
+ */
+function isSessionComplete(sessionFile) {
+  const tail = readTail(sessionFile, TAIL_BYTES);
+  if (!tail) return false;
+  // Split into lines and find the last parseable JSON line
+  const lines = tail.split('\n').filter(l => l.trim());
+  // Work backwards to find the last parseable line
+  for (let i = lines.length - 1; i >= 0; i--) {
+    let parsed;
+    try {
+      parsed = JSON.parse(lines[i]);
+    } catch {
+      continue;
+    }
+    // Must be an assistant message
+    if (parsed.type !== 'assistant') return false;
+    // Check content array for tool_use blocks
+    const content = parsed.message?.content;
+    if (!Array.isArray(content)) {
+      // If content isn't an array, it's text-only — session is complete
+      return true;
+    }
+    // If any content block is tool_use, agent is still working
+    const hasToolUse = content.some(c => c.type === 'tool_use');
+    return !hasToolUse;
+  }
+  return false;
+}
+/**
+ * Verify that a session is automated (starts with [Task]) — defense-in-depth.
+ *
+ * @param {string} sessionFile - Path to the JSONL session file
+ * @returns {boolean}
+ */
+function isAutomatedSession(sessionFile) {
+  const head = readHead(sessionFile, HEAD_BYTES);
+  return head.includes('[Task]');
+}
+/**
+ * Check if a session JSONL contains evidence of a complete_task MCP tool call.
+ * Searches the last 16KB for the tool name pattern.
+ *
+ * @param {string} sessionFile - Path to the JSONL session file
+ * @returns {boolean}
+ */
+function sessionContainsCompleteTask(sessionFile) {
+  const tail = readTail(sessionFile, 16384);
+  return tail.includes('"mcp__todo-db__complete_task"') ||
+         tail.includes('"name":"complete_task"');
+}
+/**
+ * Reconcile a TODO item after an agent is reaped.
+ * - If session completed normally but forgot to mark TODO: mark it completed
+ * - If session died unexpectedly: reset TODO to pending for re-spawn
+ *
+ * @param {object} agent - Agent record from tracker history
+ * @param {string} projectDir - Project directory
+ * @param {string} reapReason - Why the agent was reaped
+ * @returns {{ action: string, taskId: string } | null}
+ */
+function reconcileTodo(agent, projectDir, reapReason) {
+  if (!Database) return null;
+  // Only reconcile agents that have a linked task ID
+  const taskId = agent.metadata?.taskId;
+  if (!taskId) return null;
+  const todoDbPath = path.join(projectDir, '.claude', 'todo.db');
+  if (!fs.existsSync(todoDbPath)) return null;
+  let db;
+  try {
+    db = new Database(todoDbPath);
+    // Check current task status
+    const task = db.prepare('SELECT id, status FROM tasks WHERE id = ?').get(taskId);
+    if (!task) return null;
+    // Only act on in_progress tasks (already completed = no action needed)
+    if (task.status !== 'in_progress') return null;
+    if (reapReason === 'session_complete') {
+      // Agent completed normally - check if it called complete_task
+      const sessionFile = agent.sessionFile;
+      if (sessionFile && fs.existsSync(sessionFile) && sessionContainsCompleteTask(sessionFile)) {
+        // complete_task was called, TODO should already be marked - no action needed
+        return null;
+      }
+      // Agent finished but didn't mark TODO as complete
+      db.prepare("UPDATE tasks SET status = 'completed' WHERE id = ?").run(taskId);
+      return { action: 'completed', taskId };
+    }
+    if (reapReason === 'process_already_dead') {
+      // Session died unexpectedly - reset TODO so automation can re-spawn
+      db.prepare("UPDATE tasks SET status = 'pending', started_at = NULL WHERE id = ?").run(taskId);
+      return { action: 'reset_to_pending', taskId };
+    }
+    return null;
+  } catch {
+    return null;
+  } finally {
+    if (db) {
+      try { db.close(); } catch { /* ignore */ }
+    }
+  }
+}
+/**
+ * Reap completed automated agents.
+ *
+ * @param {string} projectDir - The project directory
+ * @returns {{ reaped: Array<{agentId: string, pid: number, reason: string}>, skipped: Array<{agentId: string, reason: string}>, errors: Array<{agentId: string, error: string}>, todoReconciled: Array<{agentId: string, taskId: string, action: string}> }}
+ */
+export function reapCompletedAgents(projectDir) {
+  const result = { reaped: [], skipped: [], errors: [], todoReconciled: [] };
+  // Load agent tracker
+  const historyPath = path.join(projectDir, '.claude', 'state', 'agent-tracker-history.json');
+  let history;
+  try {
+    if (!fs.existsSync(historyPath)) return result;
+    history = JSON.parse(fs.readFileSync(historyPath, 'utf8'));
+  } catch {
+    return result;
+  }
+  if (!Array.isArray(history.agents)) return result;
+  // Find the session directory
+  const sessionDir = getSessionDir(projectDir);
+  if (!sessionDir) return result;
+  // Track whether we made any changes
+  let dirty = false;
+  for (const agent of history.agents) {
+    // Only process agents with status=running and a stored PID
+    if (agent.status !== 'running' || !agent.pid) continue;
+    const agentId = agent.id;
+    const pid = agent.pid;
+    // Step 1: Check if process is still alive
+    if (!isProcessAlive(pid)) {
+      // Try to discover session file before marking dead (needed for TODO reconciliation)
+      if (!agent.sessionFile) {
+        const discovered = findSessionFileByAgentId(sessionDir, agentId);
+        if (discovered) {
+          agent.sessionFile = discovered;
+        }
+      }
+      agent.status = 'completed';
+      agent.reapReason = 'process_already_dead';
+      agent.reapedAt = new Date().toISOString();
+      dirty = true;
+      result.reaped.push({ agentId, pid, reason: 'process_already_dead' });
+      // Reconcile linked TODO item
+      const todoResult = reconcileTodo(agent, projectDir, 'process_already_dead');
+      if (todoResult) {
+        result.todoReconciled.push({ agentId, ...todoResult });
+      }
+      continue;
+    }
+    // Step 2: Discover session file (use cached if available)
+    let sessionFile = agent.sessionFile || null;
+    if (!sessionFile) {
+      sessionFile = findSessionFileByAgentId(sessionDir, agentId);
+      if (!sessionFile) {
+        result.skipped.push({ agentId, reason: 'session_file_not_found' });
+        continue;
+      }
+      // Cache for future runs
+      agent.sessionFile = sessionFile;
+      dirty = true;
+    }
+    // Step 3: Check completion via JSONL
+    if (!isSessionComplete(sessionFile)) {
+      result.skipped.push({ agentId, reason: 'session_not_complete' });
+      continue;
+    }
+    // Step 4: Verify automated session (defense-in-depth)
+    if (!isAutomatedSession(sessionFile)) {
+      result.skipped.push({ agentId, reason: 'not_automated_session' });
+      continue;
+    }
+    // Step 5: Kill the process
+    try {
+      process.kill(pid, 'SIGKILL');
+      agent.status = 'reaped';
+      agent.reapedAt = new Date().toISOString();
+      agent.reapReason = 'session_complete';
+      dirty = true;
+      result.reaped.push({ agentId, pid, reason: 'session_complete' });
+      // Reconcile linked TODO item
+      const todoResult = reconcileTodo(agent, projectDir, 'session_complete');
+      if (todoResult) {
+        result.todoReconciled.push({ agentId, ...todoResult });
+      }
+    } catch (err) {
+      if (err.code === 'ESRCH') {
+        // Already dead between our check and kill
+        agent.status = 'completed';
+        agent.reapedAt = new Date().toISOString();
+        agent.reapReason = 'process_already_dead';
+        dirty = true;
+        result.reaped.push({ agentId, pid, reason: 'process_already_dead' });
+        // Reconcile linked TODO item
+        const todoResult = reconcileTodo(agent, projectDir, 'process_already_dead');
+        if (todoResult) {
+          result.todoReconciled.push({ agentId, ...todoResult });
+        }
+      } else {
+        result.errors.push({ agentId, error: `kill failed: ${err.message}` });
+      }
+    }
+  }
+  // Write back if changes were made
+  if (dirty) {
+    try {
+      fs.writeFileSync(historyPath, JSON.stringify(history, null, 2), 'utf8');
+    } catch (err) {
+      result.errors.push({ agentId: '_history_write', error: err.message });
+    }
+  }
+  return result;
+}
+// ============================================================================
+// CLI Entry Point
+// ============================================================================
+if (process.argv[1] && (
+  process.argv[1].endsWith('reap-completed-agents.js') ||
+  process.argv[1].endsWith('reap-completed-agents')
+)) {
+  const projectDir = process.argv[2] || process.env.CLAUDE_PROJECT_DIR || process.cwd();
+  const result = reapCompletedAgents(projectDir);
+  if (result.reaped.length > 0) {
+    console.log(`Reaped ${result.reaped.length} completed agent(s):`);
+    for (const r of result.reaped) {
+      console.log(`  ${r.agentId} (PID ${r.pid}): ${r.reason}`);
+    }
+  }
+  if (result.skipped.length > 0) {
+    console.log(`Skipped ${result.skipped.length} agent(s):`);
+    for (const s of result.skipped) {
+      console.log(`  ${s.agentId}: ${s.reason}`);
+    }
+  }
+  if (result.errors.length > 0) {
+    console.error(`Errors: ${result.errors.length}`);
+    for (const e of result.errors) {
+      console.error(`  ${e.agentId}: ${e.error}`);
+    }
+  }
+  if (result.todoReconciled.length > 0) {
+    console.log(`TODO reconciled for ${result.todoReconciled.length} agent(s):`);
+    for (const t of result.todoReconciled) {
+      console.log(`  ${t.agentId}: TODO ${t.taskId} → ${t.action}`);
+    }
+  }
+  if (result.reaped.length === 0 && result.skipped.length === 0) {
+    console.log('No agents with tracking data found (expected for pre-tracking agents).');
+  }
+}

package/scripts/reinstall.sh ADDED Viewed

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Reinstall GENTYR (unprotect → install → protect)
+#
+# Usage: sudo scripts/reinstall.sh --path /path/to/project [--op-token <token>] [--makerkit|--no-makerkit]
+#
+# Requires sudo since it handles protection.
+# After reinstall, start a new Claude Code session and run /setup-gentyr
+# to configure credentials interactively.
+#
+# DEPRECATION NOTICE:
+#   This script will be superseded by the `npx gentyr` CLI in a future release.
+#   Prefer: sudo npx gentyr sync --path /path/to/project
+set -e
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR=""
+OP_TOKEN=""
+MAKERKIT_FLAG=""
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --path)
+            PROJECT_DIR="$2"
+            shift 2
+            ;;
+        --op-token)
+            OP_TOKEN="$2"
+            shift 2
+            ;;
+        --makerkit)
+            MAKERKIT_FLAG="--makerkit"
+            shift
+            ;;
+        --no-makerkit)
+            MAKERKIT_FLAG="--no-makerkit"
+            shift
+            ;;
+        *)
+            echo "Usage: sudo $0 --path /path/to/project [--op-token <token>] [--makerkit|--no-makerkit]"
+            exit 1
+            ;;
+    esac
+done
+if [ -z "$PROJECT_DIR" ]; then
+    echo "Usage: sudo $0 --path /path/to/project [--op-token <token>] [--makerkit|--no-makerkit]"
+    exit 1
+fi
+if [ "$EUID" -ne 0 ]; then
+    echo "Error: requires sudo"
+    echo "Usage: sudo $0 --path /path/to/project"
+    exit 1
+fi
+ORIGINAL_USER="${SUDO_USER:-$(logname 2>/dev/null || echo $USER)}"
+echo "Reinstalling framework at: $PROJECT_DIR"
+echo "Running install step as: $ORIGINAL_USER"
+echo ""
+# 1. Unprotect (as root)
+"$SCRIPT_DIR/setup.sh" --path "$PROJECT_DIR" --unprotect-only 2>/dev/null || true
+# 2. Install (as user)
+SETUP_ARGS=(--path "$PROJECT_DIR")
+if [ -n "$OP_TOKEN" ]; then
+    SETUP_ARGS+=(--op-token "$OP_TOKEN")
+fi
+if [ -n "$MAKERKIT_FLAG" ]; then
+    SETUP_ARGS+=("$MAKERKIT_FLAG")
+fi
+sudo -u "$ORIGINAL_USER" "$SCRIPT_DIR/setup.sh" "${SETUP_ARGS[@]}"
+# 3. Protect (as root)
+"$SCRIPT_DIR/setup.sh" --path "$PROJECT_DIR" --protect-only
+echo ""
+echo "════════════════════════════════════════════════════════════"
+echo "  Reinstall complete!"
+echo ""
+echo "  Next steps:"
+echo "    1. Start a new Claude Code session"
+echo "    2. Run /setup-gentyr to configure credentials"
+echo "════════════════════════════════════════════════════════════"

package/scripts/resign-node.sh ADDED Viewed

@@ -0,0 +1,185 @@
+#!/bin/bash
+# Re-sign Homebrew's Node.js binary for macOS TCC persistence
+#
+# macOS TCC (Transparency, Consent, and Control) requires binaries to have
+# a stable code identity to remember permission grants. Homebrew's node is
+# ad-hoc signed (no team identifier), so macOS re-prompts on every new
+# process. This script creates a self-signed certificate and re-signs node,
+# giving it a stable identity that TCC can persist.
+#
+# Run after: brew upgrade node
+# Run during: GENTYR setup (called automatically by setup.sh)
+#
+# Usage: scripts/resign-node.sh [--check] [--trigger-tcc]
+set -eo pipefail
+CERT_NAME="NodeLocalDev"
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+# Resolve the actual node binary (follow symlinks)
+NODE_SYMLINK="/opt/homebrew/bin/node"
+if [ ! -e "$NODE_SYMLINK" ]; then
+    # Fallback for non-Homebrew installs
+    NODE_SYMLINK="$(which node 2>/dev/null || true)"
+    if [ -z "$NODE_SYMLINK" ]; then
+        echo -e "${RED}Error: node not found${NC}"
+        exit 1
+    fi
+fi
+NODE_PATH="$(readlink -f "$NODE_SYMLINK" 2>/dev/null || realpath "$NODE_SYMLINK" 2>/dev/null || echo "$NODE_SYMLINK")"
+# --check mode: just report current signing status
+if [ "$1" = "--check" ]; then
+    AUTHORITY=$(codesign -dvv "$NODE_PATH" 2>&1 | grep "^Authority=" | head -1 | cut -d= -f2)
+    if [ "$AUTHORITY" = "$CERT_NAME" ]; then
+        echo -e "${GREEN}Node is signed with $CERT_NAME${NC}"
+        echo "  Binary: $NODE_PATH"
+        exit 0
+    elif echo "$AUTHORITY" | grep -q "adhoc"; then
+        echo -e "${YELLOW}Node has ad-hoc signature (TCC prompts will repeat)${NC}"
+        echo "  Binary: $NODE_PATH"
+        exit 1
+    else
+        echo -e "${YELLOW}Node signed by: ${AUTHORITY:-unknown}${NC}"
+        echo "  Binary: $NODE_PATH"
+        exit 1
+    fi
+fi
+# ---------------------------------------------------------------------------
+# TCC trigger: run op through node so macOS attributes the access to node
+# ---------------------------------------------------------------------------
+trigger_tcc_prompt() {
+    # Check if op is installed
+    if ! command -v op &>/dev/null; then
+        echo -e "  ${YELLOW}1Password CLI (op) not found - skipping TCC trigger${NC}"
+        return 0
+    fi
+    echo -e "${YELLOW}Triggering macOS TCC permission for 1Password access...${NC}"
+    echo -e "  (If a macOS dialog appears, click Allow to grant permission)"
+    # Run op through node so macOS attributes the IPC access to node's code identity.
+    # This mirrors what hourly-automation.js does with execFileSync('op', ...).
+    TCC_RESULT=$("$NODE_PATH" -e "
+        const { execFileSync } = require('child_process');
+        try {
+            execFileSync('op', ['vault', 'list', '--format', 'json'], {
+                encoding: 'utf-8',
+                timeout: 30000,
+                stdio: 'pipe',
+            });
+            process.stdout.write('ok');
+        } catch (err) {
+            process.stderr.write(err.message || 'failed');
+            process.exit(1);
+        }
+    " 2>/dev/null) || true
+    if [ "$TCC_RESULT" = "ok" ]; then
+        echo -e "  ${GREEN}TCC permission granted - verifying persistence...${NC}"
+        # Run a second time to confirm no new prompt appears
+        VERIFY_RESULT=$("$NODE_PATH" -e "
+            const { execFileSync } = require('child_process');
+            try {
+                execFileSync('op', ['vault', 'list', '--format', 'json'], {
+                    encoding: 'utf-8',
+                    timeout: 15000,
+                    stdio: 'pipe',
+                });
+                process.stdout.write('persisted');
+            } catch {
+                process.stdout.write('failed');
+            }
+        " 2>/dev/null) || true
+        if [ "$VERIFY_RESULT" = "persisted" ]; then
+            echo -e "  ${GREEN}TCC permission verified and persisted - no future prompts expected${NC}"
+        else
+            echo -e "  ${YELLOW}TCC verification inconclusive - permission may need re-granting${NC}"
+        fi
+    else
+        echo -e "  ${YELLOW}1Password access check failed (may not be signed in)${NC}"
+        echo -e "  ${YELLOW}TCC prompt will appear on first automation run instead${NC}"
+    fi
+}
+# --trigger-tcc mode: just trigger and verify TCC without re-signing
+if [ "$1" = "--trigger-tcc" ]; then
+    trigger_tcc_prompt
+    exit 0
+fi
+echo -e "${YELLOW}Re-signing node for macOS TCC persistence...${NC}"
+echo "  Binary: $NODE_PATH"
+# Check if certificate exists
+CERT_EXISTS=$(security find-identity -v -p codesigning 2>&1 | grep "$CERT_NAME" || true)
+if [ -z "$CERT_EXISTS" ]; then
+    echo -e "  ${YELLOW}Creating self-signed codesigning certificate '$CERT_NAME'...${NC}"
+    # Generate certificate with openssl
+    TMPDIR_CERT="$(mktemp -d)"
+    openssl req -x509 -newkey rsa:2048 \
+        -keyout "$TMPDIR_CERT/key.pem" \
+        -out "$TMPDIR_CERT/cert.pem" \
+        -days 3650 \
+        -nodes \
+        -subj "/CN=$CERT_NAME/O=LocalDev" \
+        -addext "keyUsage=digitalSignature" \
+        -addext "extendedKeyUsage=codeSigning" \
+        2>/dev/null
+    # Create PKCS12 bundle and import into login keychain
+    openssl pkcs12 -export \
+        -out "$TMPDIR_CERT/cert.p12" \
+        -inkey "$TMPDIR_CERT/key.pem" \
+        -in "$TMPDIR_CERT/cert.pem" \
+        -passout pass:temp123 \
+        2>/dev/null
+    security import "$TMPDIR_CERT/cert.p12" \
+        -k ~/Library/Keychains/login.keychain-db \
+        -P temp123 \
+        -T /usr/bin/codesign \
+        -T /usr/bin/security \
+        2>/dev/null
+    # Trust the certificate for code signing
+    security add-trusted-cert -d -r trustRoot -p codeSign \
+        -k ~/Library/Keychains/login.keychain-db \
+        "$TMPDIR_CERT/cert.pem" \
+        2>/dev/null
+    # Clean up temp files
+    rm -rf "$TMPDIR_CERT"
+    echo -e "  ${GREEN}Certificate '$CERT_NAME' created and trusted${NC}"
+fi
+# Check current signature
+CURRENT_AUTHORITY=$(codesign -dvv "$NODE_PATH" 2>&1 | grep "^Authority=" | head -1 | cut -d= -f2)
+if [ "$CURRENT_AUTHORITY" = "$CERT_NAME" ]; then
+    echo -e "  ${GREEN}Already signed with $CERT_NAME - no re-signing needed${NC}"
+    trigger_tcc_prompt
+    exit 0
+fi
+# Re-sign the node binary
+codesign -fs "$CERT_NAME" "$NODE_PATH" 2>&1
+echo -e "  ${GREEN}Signed: $NODE_PATH${NC}"
+# Verify
+VERIFY=$(codesign -dvv "$NODE_PATH" 2>&1 | grep "^Authority=" | head -1)
+echo -e "  ${GREEN}Verified: $VERIFY${NC}"
+echo ""
+echo -e "${GREEN}Done. Node re-signed with $CERT_NAME.${NC}"
+# Trigger TCC prompt so the user grants permission now (during setup),
+# not randomly later during background automation.
+trigger_tcc_prompt