nexo-brain 2.6.5 → 2.6.7

package/bin/nexo-brain.js

@@ -31,6 +31,8 @@ const LAUNCH_AGENTS = path.join(
   "Library",
   "LaunchAgents"
 );
+const MACOS_FDA_SETTINGS_URL = "x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles";
+const PUBLIC_CONTRIBUTION_UPSTREAM = "wazionapps/nexo";
 
 function isEphemeralInstall(nexoHome) {
   const homeDir = require("os").homedir();
@@ -114,6 +116,139 @@ function logMacPermissionsNotice(nexoHome, pythonPath = "") {
   log("  System Settings → Privacy & Security → Full Disk Access");
 }
 
+function getRuntimePythonTargets(pythonPath = "") {
+  const candidates = [];
+  const venvPy = path.join(NEXO_HOME, ".venv", "bin", "python3");
+  if (fs.existsSync(venvPy)) candidates.push(venvPy);
+  if (pythonPath) candidates.push(pythonPath);
+  const discovered = run("which python3") || run("which python") || "";
+  if (discovered) candidates.push(discovered);
+  return [...new Set(candidates.filter(Boolean))];
+}
+
+function detectFullDiskAccessReasons(nexoHome) {
+  if (process.platform !== "darwin") return [];
+  const reasons = [];
+  if (isProtectedMacPath(nexoHome)) {
+    reasons.push(`NEXO_HOME is inside a protected macOS folder: ${nexoHome}`);
+  }
+
+  const logsDir = path.join(nexoHome, "logs");
+  if (fs.existsSync(logsDir)) {
+    const candidates = fs.readdirSync(logsDir).filter((name) => name.endsWith("-stderr.log"));
+    for (const name of candidates) {
+      try {
+        const text = fs.readFileSync(path.join(logsDir, name), "utf8");
+        if (text.includes("Operation not permitted")) {
+          reasons.push(`Recent background job stderr hit 'Operation not permitted' (${name})`);
+          break;
+        }
+      } catch {}
+    }
+  }
+  return reasons;
+}
+
+function probeFullDiskAccess(nexoHome) {
+  if (process.platform !== "darwin") {
+    return { checked: false, granted: null, probePath: "", message: "macOS-only" };
+  }
+
+  const candidates = [
+    path.join(require("os").homedir(), "Library", "Application Support", "com.apple.TCC", "TCC.db"),
+    path.join(require("os").homedir(), "Library", "Mail"),
+    path.join(require("os").homedir(), "Library", "Messages"),
+    path.join(require("os").homedir(), "Library", "Safari"),
+    path.join(require("os").homedir(), "Library", "Application Support", "AddressBook"),
+  ].filter((item) => fs.existsSync(item));
+
+  if (isProtectedMacPath(nexoHome)) candidates.push(nexoHome);
+  if (!candidates.length) {
+    return { checked: false, granted: null, probePath: "", message: "No probe path available." };
+  }
+
+  const seen = new Set();
+  for (const candidate of candidates) {
+    if (!candidate || seen.has(candidate)) continue;
+    seen.add(candidate);
+    const result = spawnSync("/bin/bash", [
+      "-lc",
+      'TARGET="$1"; if [ -d "$TARGET" ]; then ls "$TARGET" >/dev/null 2>&1; else head -c 1 "$TARGET" >/dev/null 2>&1; fi',
+      "_",
+      candidate,
+    ], { encoding: "utf8" });
+    if (result.status === 0) {
+      return { checked: true, granted: true, probePath: candidate, message: "" };
+    }
+  }
+  return { checked: true, granted: false, probePath: candidates[0], message: "Could not verify Full Disk Access yet." };
+}
+
+async function maybeConfigureFullDiskAccess(schedule, useDefaults, pythonPath = "") {
+  const current = String((schedule && schedule.full_disk_access_status) || "unset").toLowerCase();
+  schedule.full_disk_access_status_version = 1;
+  const reasons = detectFullDiskAccessReasons(NEXO_HOME);
+  schedule.full_disk_access_reasons = reasons;
+
+  if (process.platform !== "darwin" || !reasons.length) {
+    fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+    return schedule;
+  }
+
+  if (current === "granted") {
+    const probe = probeFullDiskAccess(NEXO_HOME);
+    if (probe.granted) {
+      fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+      return schedule;
+    }
+    schedule.full_disk_access_status = "later";
+  } else if (current === "declined") {
+    fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+    return schedule;
+  }
+
+  if (useDefaults || !process.stdin.isTTY || !process.stdout.isTTY) {
+    schedule.full_disk_access_status = current === "granted" ? "later" : current || "unset";
+    fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+    return schedule;
+  }
+
+  console.log("");
+  log("Optional macOS Full Disk Access guidance:");
+  log("macOS does not allow granting this automatically. NEXO can only open the correct System Settings screen and verify best effort.");
+  log("Reason(s) detected:");
+  reasons.forEach((item) => log(`  - ${item}`));
+  log("If you proceed, add your terminal app and, if needed for background jobs, these binaries:");
+  log("  - /bin/bash");
+  getRuntimePythonTargets(pythonPath).forEach((item) => log(`  - ${item}`));
+
+  const answer = (await ask("  Open Full Disk Access setup now? [y/N/later]: ")).trim().toLowerCase();
+  if (answer === "y" || answer === "yes") {
+    spawnSync("open", [MACOS_FDA_SETTINGS_URL], { stdio: "ignore" });
+    log("Opened System Settings → Privacy & Security → Full Disk Access.");
+    const followUp = (await ask("  Press Enter after granting it, or type later to skip for now: ")).trim().toLowerCase();
+    if (followUp === "later" || followUp === "l") {
+      schedule.full_disk_access_status = "later";
+    } else {
+      const probe = probeFullDiskAccess(NEXO_HOME);
+      if (probe.granted) {
+        schedule.full_disk_access_status = "granted";
+        log(`Full Disk Access verified via ${probe.probePath}.`);
+      } else {
+        schedule.full_disk_access_status = "later";
+        log("Could not verify Full Disk Access yet. NEXO will remind you later if background jobs still hit TCC.");
+      }
+    }
+  } else if (answer === "later" || answer === "l" || answer === "") {
+    schedule.full_disk_access_status = "later";
+  } else {
+    schedule.full_disk_access_status = "declined";
+  }
+
+  fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+  return schedule;
+}
+
 // ══════════════════════════════════════════════════════════════════════════════
 // CORE PROCESS & HOOK DEFINITIONS
 // All core nightly/periodic processes and all 8 core hooks that make NEXO functional.
@@ -296,6 +431,25 @@ function getDefaultSchedule(timezone) {
     auto_update: true,
     power_policy: "unset",
     power_policy_version: 2,
+    full_disk_access_status: "unset",
+    full_disk_access_status_version: 1,
+    full_disk_access_reasons: [],
+    public_contribution: {
+      enabled: false,
+      mode: "unset",
+      consent_version: 1,
+      github_user: "",
+      upstream_repo: PUBLIC_CONTRIBUTION_UPSTREAM,
+      fork_repo: "",
+      machine_id: crypto.createHash("sha1").update(require("os").hostname()).digest("hex").slice(0, 12),
+      active_pr_url: "",
+      active_pr_number: null,
+      active_branch: "",
+      status: "unset",
+      cooldown_until: "",
+      last_run_at: "",
+      last_result: "",
+    },
     processes: {
       "cognitive-decay": { hour: 3, minute: 0 },
       "postmortem": { hour: 23, minute: 30 },
@@ -308,6 +462,23 @@ function getDefaultSchedule(timezone) {
   };
 }
 
+function normalizePublicContributionConfig(config = {}) {
+  const base = getDefaultSchedule().public_contribution;
+  const merged = { ...base, ...(config || {}) };
+  merged.enabled = Boolean(merged.enabled);
+  merged.mode = String(merged.mode || "unset").toLowerCase();
+  merged.status = String(merged.status || "unset").toLowerCase();
+  merged.github_user = String(merged.github_user || "").trim();
+  merged.fork_repo = String(merged.fork_repo || "").trim();
+  merged.upstream_repo = String(merged.upstream_repo || PUBLIC_CONTRIBUTION_UPSTREAM).trim() || PUBLIC_CONTRIBUTION_UPSTREAM;
+  merged.active_pr_url = String(merged.active_pr_url || "").trim();
+  merged.active_branch = String(merged.active_branch || "").trim();
+  merged.cooldown_until = String(merged.cooldown_until || "").trim();
+  merged.last_run_at = String(merged.last_run_at || "").trim();
+  merged.last_result = String(merged.last_result || "").trim();
+  return merged;
+}
+
 async function maybeConfigurePowerPolicy(schedule, useDefaults) {
   const current = String((schedule && schedule.power_policy) || "unset").toLowerCase();
   if (current && current !== "unset") {
@@ -340,6 +511,84 @@ async function maybeConfigurePowerPolicy(schedule, useDefaults) {
   return schedule;
 }
 
+function ghLogin() {
+  const login = run("gh api user --jq .login 2>/dev/null");
+  return (login || "").trim();
+}
+
+function ensureFork(login) {
+  if (!login) return { ok: false, message: "Missing GitHub login.", forkRepo: "" };
+  const forkRepo = `${login}/nexo`;
+  const existing = run(`gh repo view "${forkRepo}" --json nameWithOwner 2>/dev/null`);
+  if (existing) return { ok: true, message: "", forkRepo };
+  const created = run(`gh repo fork "${PUBLIC_CONTRIBUTION_UPSTREAM}" --clone=false --remote=false 2>/dev/null`);
+  if (created !== null) return { ok: true, message: "", forkRepo };
+  return { ok: false, message: `Could not ensure fork ${forkRepo}.`, forkRepo: "" };
+}
+
+async function maybeConfigurePublicContribution(schedule, useDefaults) {
+  const current = normalizePublicContributionConfig((schedule && schedule.public_contribution) || {});
+  if (current.mode && current.mode !== "unset") {
+    schedule.public_contribution = current;
+    fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+    return schedule;
+  }
+
+  if (useDefaults || !process.stdin.isTTY || !process.stdout.isTTY) {
+    schedule.public_contribution = current;
+    fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+    return schedule;
+  }
+
+  console.log("");
+  log("Optional public contribution mode:");
+  log("If enabled, this machine may prepare core NEXO improvements from an isolated checkout and open a Draft PR to the public repository.");
+  log("NEXO never auto-merges, and it pauses public evolution on this machine while that Draft PR stays open.");
+  log("Public contribution must never publish personal scripts, runtime data, local prompts, logs, or secrets.");
+  const answer = (await ask("  Enable public contribution via Draft PRs on this machine? [y/N/later]: ")).trim().toLowerCase();
+  if (answer === "y" || answer === "yes") {
+    const login = ghLogin();
+    if (!login) {
+      current.enabled = false;
+      current.mode = "pending_auth";
+      current.status = "pending_auth";
+      current.github_user = "";
+      current.fork_repo = "";
+      log("GitHub CLI authentication is missing. Contributor mode is pending until 'gh auth login' succeeds.");
+    } else {
+      const fork = ensureFork(login);
+      if (!fork.ok) {
+        current.enabled = false;
+        current.mode = "pending_auth";
+        current.status = "pending_auth";
+        current.github_user = login;
+        current.fork_repo = "";
+        log(fork.message || "Could not ensure a GitHub fork.");
+      } else {
+        current.enabled = true;
+        current.mode = "draft_prs";
+        current.status = "active";
+        current.github_user = login;
+        current.fork_repo = fork.forkRepo;
+      }
+    }
+  } else if (answer === "later" || answer === "l" || answer === "") {
+    current.enabled = false;
+    current.mode = "unset";
+    current.status = "unset";
+  } else {
+    current.enabled = false;
+    current.mode = "off";
+    current.status = "off";
+    current.github_user = "";
+    current.fork_repo = "";
+  }
+
+  schedule.public_contribution = current;
+  fs.writeFileSync(path.join(NEXO_HOME, "config", "schedule.json"), JSON.stringify(schedule, null, 2));
+  return schedule;
+}
+
 /**
  * Resolve the venv python path for an existing NEXO_HOME installation.
  */
@@ -843,7 +1092,9 @@ async function main() {
         // Regenerate all core LaunchAgents / systemd timers
         let migSchedule = loadOrCreateSchedule(NEXO_HOME);
         migSchedule = await maybeConfigurePowerPolicy(migSchedule, useDefaults);
+        migSchedule = await maybeConfigurePublicContribution(migSchedule, useDefaults);
         const migPython = findVenvPython(NEXO_HOME) || "python3";
+        migSchedule = await maybeConfigureFullDiskAccess(migSchedule, useDefaults, migPython);
         let migOptionals = {};
         try {
           const optFile = path.join(NEXO_HOME, "config", "optionals.json");
@@ -1478,6 +1729,7 @@ async function main() {
   );
 
   // Copy source files
+  log("Copying core runtime files...");
   const srcDir = path.join(__dirname, "..", "src");
   const pluginsSrcDir = path.join(srcDir, "plugins");
   const scriptsSrcDir = path.join(srcDir, "scripts");
@@ -1556,6 +1808,7 @@ async function main() {
   fs.writeFileSync(runtimeCliPath, runtimeCli);
   fs.chmodSync(runtimeCliPath, 0o755);
 
+  log("Copying core packages...");
   // Core packages (directories with __init__.py)
   ["db", "cognitive", "doctor"].forEach(pkg => {
     const pkgSrc = path.join(srcDir, pkg);
@@ -1564,6 +1817,7 @@ async function main() {
     }
   });
 
+  log("Copying plugins, scripts, and templates...");
   // Plugins (all .py files in plugins/)
   fs.mkdirSync(path.join(NEXO_HOME, "plugins"), { recursive: true });
   if (fs.existsSync(pluginsSrcDir)) {
@@ -2116,6 +2370,8 @@ ${doScan ? `- Stack: ${Object.keys(profileData.code.languages || {}).slice(0, 5)
   log("Setting up automated processes...");
   let schedule = loadOrCreateSchedule(NEXO_HOME);
   schedule = await maybeConfigurePowerPolicy(schedule, useDefaults);
+  schedule = await maybeConfigurePublicContribution(schedule, useDefaults);
+  schedule = await maybeConfigureFullDiskAccess(schedule, useDefaults, python);
   const enabledOptionals = { dashboard: doDashboard };
   if (isEphemeralInstall(NEXO_HOME)) {
     log("Ephemeral HOME/NEXO_HOME detected — skipping LaunchAgents installation.");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "2.6.5",
+  "version": "2.6.7",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO — local cognitive runtime for Claude Code. Persistent memory, overnight learning, recovery-aware crons, personal scripts, doctor diagnostics, startup preflight, and optional power helper.",
   "bin": {

package/src/auto_close_sessions.py

@@ -17,7 +17,7 @@ os.environ["NEXO_SKIP_FS_INDEX"] = "1"  # Skip FTS rebuild on import
 
 from db import (
     init_db, get_db, get_diary_draft, delete_diary_draft,
-    get_orphan_sessions, write_session_diary, now_epoch,
+    get_orphan_sessions, read_checkpoint, write_session_diary, now_epoch,
     SESSION_STALE_SECONDS,
 )
 
@@ -67,9 +67,18 @@ def promote_draft_to_diary(sid: str, draft: dict, task: str = ""):
     context_hint = draft.get("last_context_hint", "")
     hb_count = draft.get("heartbeat_count", 0)
 
+    checkpoint = read_checkpoint(sid) or {}
     summary_parts = []
     if draft.get("summary_draft"):
         summary_parts.append(draft["summary_draft"])
+    if task and task not in " ".join(summary_parts):
+        summary_parts.append(f"Final task: {task}")
+    if context_hint:
+        summary_parts.append(f"Latest context: {context_hint[:300]}")
+    if checkpoint.get("current_goal"):
+        summary_parts.append(f"Current goal: {str(checkpoint['current_goal'])[:300]}")
+    if checkpoint.get("next_step"):
+        summary_parts.append(f"Next step was: {str(checkpoint['next_step'])[:240]}")
 
     tool_summary = get_tool_log_summary(sid)
     if tool_summary:
@@ -98,6 +107,10 @@ def promote_draft_to_diary(sid: str, draft: dict, task: str = ""):
         context_next = f"Last topic: {context_hint}"
     if tasks:
         context_next += f" | Tasks: {', '.join(tasks[-5:])}"
+    if checkpoint.get("reasoning_thread"):
+        context_next += f" | Reasoning: {str(checkpoint['reasoning_thread'])[:240]}"
+    if checkpoint.get("active_files"):
+        context_next += f" | Active files: {str(checkpoint['active_files'])[:180]}"
 
     write_session_diary(
         session_id=sid,
@@ -131,12 +144,19 @@ def main():
         if draft:
             promote_draft_to_diary(sid, draft, task=session.get("task", ""))
         else:
+            checkpoint = read_checkpoint(sid) or {}
+            tool_summary = get_tool_log_summary(sid)
+            summary_parts = [f"Auto-closed session. Task: {session.get('task', 'unknown')}"]
+            if checkpoint.get("current_goal"):
+                summary_parts.append(f"Current goal: {str(checkpoint['current_goal'])[:300]}")
+            if tool_summary:
+                summary_parts.append(tool_summary)
             write_session_diary(
                 session_id=sid,
                 decisions="No decisions logged",
-                summary=f"Auto-closed session. Task: {session.get('task', 'unknown')}",
-                context_next="",
-                mental_state="[auto-close] No draft available. Minimal diary.",
+                summary=" | ".join(summary_parts),
+                context_next=str(checkpoint.get("next_step") or ""),
+                mental_state="[auto-close] No draft available. Diary reconstructed from task/checkpoint/tool logs.",
                 self_critique="[auto-close] Session terminated without diary or draft.",
                 source="auto-close",
             )

package/src/auto_update.py

@@ -1236,7 +1236,7 @@ def _restore_runtime_tree(backup_dir: str, dest: Path = NEXO_HOME) -> None:
             shutil.copy2(str(item), str(target))
 
 
-def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_HOME) -> dict:
+def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_HOME, progress_fn=None) -> dict:
     import shutil
 
     packages = ["db", "cognitive", "doctor", "dashboard", "rules", "crons", "hooks"]
@@ -1253,6 +1253,7 @@ def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_H
     copied_packages = 0
     copied_files = 0
 
+    _emit_progress(progress_fn, "Copying core packages...")
     for pkg in packages:
         pkg_src = src_dir / pkg
         pkg_dest = dest / pkg
@@ -1266,12 +1267,14 @@ def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_H
             )
             copied_packages += 1
 
+    _emit_progress(progress_fn, "Copying core modules...")
     for name in flat_files:
         src_file = src_dir / name
         if src_file.is_file():
             shutil.copy2(str(src_file), str(dest / name))
             copied_files += 1
 
+    _emit_progress(progress_fn, "Copying plugin modules...")
     plugins_src = src_dir / "plugins"
     plugins_dest = dest / "plugins"
     if plugins_src.is_dir():
@@ -1280,6 +1283,7 @@ def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_H
             if item.is_file() and item.suffix == ".py":
                 shutil.copy2(str(item), str(plugins_dest / item.name))
 
+    _emit_progress(progress_fn, "Copying scripts...")
     scripts_src = src_dir / "scripts"
     scripts_dest = dest / "scripts"
     if scripts_src.is_dir():
@@ -1297,6 +1301,7 @@ def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_H
                 if item.suffix == ".sh":
                     dst.chmod(0o755)
 
+    _emit_progress(progress_fn, "Copying templates and version metadata...")
     templates_src = repo_dir / "templates"
     templates_dest = dest / "templates"
     if templates_src.is_dir():
@@ -1317,6 +1322,7 @@ def _copy_runtime_from_source(src_dir: Path, repo_dir: Path, dest: Path = NEXO_H
         except Exception:
             pass
 
+    _emit_progress(progress_fn, "Copying core skills and runtime wrapper...")
     skills_src = src_dir / "skills"
     skills_dest = dest / "skills-core"
     if skills_src.is_dir():
@@ -1365,10 +1371,11 @@ def _reinstall_runtime_pip_deps(runtime_root: Path = NEXO_HOME) -> bool:
         return False
 
 
-def _run_runtime_post_sync(dest: Path = NEXO_HOME) -> tuple[bool, list[str]]:
+def _run_runtime_post_sync(dest: Path = NEXO_HOME, progress_fn=None) -> tuple[bool, list[str]]:
     actions: list[str] = []
     env = {**os.environ, "NEXO_HOME": str(dest), "NEXO_CODE": str(dest)}
     try:
+        _emit_progress(progress_fn, "Initializing database and reconciling personal schedules...")
         init_result = subprocess.run(
             [
                 sys.executable,
@@ -1394,6 +1401,7 @@ def _run_runtime_post_sync(dest: Path = NEXO_HOME) -> tuple[bool, list[str]]:
     except Exception as e:
         return False, [f"runtime init error: {e}"]
 
+    _emit_progress(progress_fn, "Reconciling Python dependencies...")
     if _reinstall_runtime_pip_deps(dest):
         actions.append("pip-deps")
     else:
@@ -1402,6 +1410,7 @@ def _run_runtime_post_sync(dest: Path = NEXO_HOME) -> tuple[bool, list[str]]:
     sync_path = dest / "crons" / "sync.py"
     if sync_path.is_file():
         try:
+            _emit_progress(progress_fn, "Syncing core cron definitions...")
             sync_result = subprocess.run(
                 [sys.executable, str(sync_path)],
                 cwd=str(dest),
@@ -1418,10 +1427,12 @@ def _run_runtime_post_sync(dest: Path = NEXO_HOME) -> tuple[bool, list[str]]:
 
     from runtime_power import apply_power_policy
 
+    _emit_progress(progress_fn, "Refreshing runtime power helper...")
     power_result = apply_power_policy()
     if power_result.get("ok"):
         actions.append(f"power:{power_result.get('action')}")
 
+    _emit_progress(progress_fn, "Verifying runtime imports...")
     verify = subprocess.run(
         [sys.executable, "-c", "import server"],
         cwd=str(dest),
@@ -1460,11 +1471,20 @@ def _write_update_summary(summary: dict):
         _log(f"Failed to write update summary: {e}")
 
 
-def manual_sync_update(*, interactive: bool = False, allow_source_pull: bool = True) -> dict:
+def _emit_progress(progress_fn, message: str) -> None:
+    if callable(progress_fn):
+        try:
+            progress_fn(message)
+        except Exception:
+            pass
+
+
+def manual_sync_update(*, interactive: bool = False, allow_source_pull: bool = True, progress_fn=None) -> dict:
     src_dir, repo_dir = _resolve_sync_source()
     if src_dir is None or repo_dir is None:
         return {"ok": False, "mode": "sync", "error": "No source repo recorded for this runtime."}
 
+    _emit_progress(progress_fn, "Checking recorded source repository...")
     source_status = _source_repo_status(repo_dir)
     pulled = False
     old_head = source_status.get("local_head")
@@ -1474,17 +1494,21 @@ def manual_sync_update(*, interactive: bool = False, allow_source_pull: bool = T
         elif source_status.get("diverged"):
             _log("Source repo diverged; syncing local tree without remote pull.")
         elif source_status.get("behind"):
+            _emit_progress(progress_fn, "Pulling latest source changes...")
             rc, _, pull_err = _git_in_repo(repo_dir, "pull", "--ff-only", timeout=60)
             if rc != 0:
                 return {"ok": False, "mode": "sync", "error": pull_err or "git pull failed"}
             pulled = True
 
+    _emit_progress(progress_fn, "Creating runtime backups...")
     db_backup_dir = _backup_dbs()
     tree_backup_dir = _backup_runtime_tree(NEXO_HOME)
     sync_result = {"ok": False, "mode": "sync", "pulled_source": pulled, "backup_dir": db_backup_dir, "tree_backup": tree_backup_dir}
     try:
-        copy_stats = _copy_runtime_from_source(src_dir, repo_dir, NEXO_HOME)
-        ok, actions = _run_runtime_post_sync(NEXO_HOME)
+        _emit_progress(progress_fn, "Syncing runtime files...")
+        copy_stats = _copy_runtime_from_source(src_dir, repo_dir, NEXO_HOME, progress_fn=progress_fn)
+        _emit_progress(progress_fn, "Reconciling runtime state...")
+        ok, actions = _run_runtime_post_sync(NEXO_HOME, progress_fn=progress_fn)
         if not ok:
             raise RuntimeError("; ".join(actions))
         sync_result.update({
@@ -1496,7 +1520,9 @@ def manual_sync_update(*, interactive: bool = False, allow_source_pull: bool = T
             "source": copy_stats["source"],
             "repo": copy_stats["repo"],
         })
+        _emit_progress(progress_fn, "Runtime update completed.")
     except Exception as e:
+        _emit_progress(progress_fn, "Update failed; restoring previous runtime state...")
         _restore_runtime_tree(tree_backup_dir, NEXO_HOME)
         if db_backup_dir:
             _restore_dbs(db_backup_dir)
@@ -1522,15 +1548,26 @@ def startup_preflight(*, entrypoint: str, interactive: bool = False) -> dict:
         "migrations": [],
         "power_policy": None,
         "power_message": None,
+        "full_disk_access_status": None,
+        "full_disk_access_message": None,
         "error": None,
     }
 
-    from runtime_power import apply_power_policy, ensure_power_policy_choice, get_power_policy
+    from runtime_power import (
+        apply_power_policy,
+        ensure_power_policy_choice,
+        get_power_policy,
+        ensure_full_disk_access_choice,
+        get_full_disk_access_status,
+    )
 
     choice = ensure_power_policy_choice(interactive=interactive, reason=entrypoint)
     power_result = apply_power_policy(choice.get("policy"))
+    fda_choice = ensure_full_disk_access_choice(interactive=interactive, reason=entrypoint)
     result["power_policy"] = choice.get("policy") or get_power_policy()
     result["power_message"] = power_result.get("message")
+    result["full_disk_access_status"] = fda_choice.get("status") or get_full_disk_access_status()
+    result["full_disk_access_message"] = fda_choice.get("message")
     if power_result.get("ok"):
         result["actions"].append(f"power:{power_result.get('action')}")
 
@@ -1604,6 +1641,8 @@ def startup_preflight(*, entrypoint: str, interactive: bool = False) -> dict:
     result["entrypoint"] = entrypoint
     result["power_policy"] = choice.get("policy") or get_power_policy()
     result["power_message"] = power_result.get("message")
+    result["full_disk_access_status"] = fda_choice.get("status") or get_full_disk_access_status()
+    result["full_disk_access_message"] = fda_choice.get("message")
     if power_result.get("ok"):
         actions = result.setdefault("actions", [])
         actions.append(f"power:{power_result.get('action')}")