Rust CLI for managing macOS TCC (Transparency, Consent, and Control) privacy permissions databases. Replaces Apple's limited tccutil and the Python-based tccutil.py with a single static binary — no runtime dependencies.
This file is the agent navigation map. Each section is a pointer:
- User-facing usage, install, commands, JSON envelope → README.md
- Contributor setup, validation, conventions, PR expectations → CONTRIBUTING.md
- Vulnerability reporting → SECURITY.md
- Rust 2024 edition (`edition = "2024"` in `Cargo.toml`; toolchain pinned in `rust-toolchain.toml`)
- rusqlite (bundled SQLite) — reads/writes TCC.db directly
- clap (derive) — CLI argument parsing
- colored — terminal output formatting
- chrono — timestamp formatting (CoreData + Unix)
- sha1_smol — schema digest verification
- dirs — home directory resolution
- libc — root/euid check
Single binary, two source files. Reads both user (~/Library/Application Support/com.apple.TCC/TCC.db) and system (/Library/Application Support/com.apple.TCC/TCC.db) databases. System DB writes require sudo. SIP may block writes on newer macOS.
- `src/main.rs` — CLI definition (clap derive), subcommand dispatch, table output formatting
- `src/tcc.rs` — Core logic: `TccDb` struct, DB reads/writes, service name mapping (`SERVICE_MAP`), schema validation, timestamp formatting
- `tests/integration.rs` — Integration tests; exec the real binary via `CARGO_BIN_EXE_tccutil-rs`
- `scripts/verify.sh` — Single canonical gate. CI calls it; the pre-push hook calls it; run it locally before opening a PR
- `Cargo.toml` — Dependencies and package metadata
- `rust-toolchain.toml` — Pinned toolchain channel
- `.releaserc.json` — semantic-release config (Conventional Commits → version + tag + GitHub Release). See CONTRIBUTING.md → Releases
- `scripts/release-prepare.sh` — Bumps `Cargo.toml` + `Cargo.lock` during the release pipeline (invoked by `@semantic-release/exec`)
- `.github/workflows/ci.yml` — Single workflow with `verify` (PR + push) and `release` jobs (push to `main`, runs semantic-release + dual-arch macOS build + Homebrew tap bump)