feat(connect,doctor): macOS App-Data (TCC) denial diagnostic (spec 075 US3)

[Dumbris]

Spec 075 US3 — doctor flags a persisted macOS App-Data (TCC) denial

Closes the US3 deliverable for the macOS-TCC-safe Connect epic (MCP-2828). mcpproxy doctor now surfaces a persisted macOS App Data (TCC) privacy denial that blocks mcpproxy from reading MCP client configs, with the exact one-command tccutil remediation. No-op off macOS.

Built on the merged US1 (#706, stat-only status + content-read seam) and US2 (#707, classifyAccess/AccessError/remediationText).

What's here

• connect.Service.DetectAppDataDenial() (denied bool, remediation string) (internal/connect/access.go, T022): walks supported clients; for the first whose config exists (os.Stat metadata only) it does one content read through the US1 seam; the first accessDenied outcome is reported with the canonical remediation. Returns (false, "") when no client is installed or access is granted — no false positives. Unlike GetAllStatus this deliberately reads content (the doctor is the explicit-action path).
• Doctor wiring (internal/management/diagnostics.go, T023): Doctor() appends the warning to contracts.Diagnostics.RuntimeWarnings (rendered by the CLI as "⚠️ Runtime Warnings", counted in TotalIssues). Build-tagged tcc_appdata_darwin.go (real probe) / tcc_appdata_other.go (no-op), with a pure cross-platform translator tcc_appdata.go.
• T004 resolved (documented in tasks.md): the runtime doctor registry is internal/management Doctor() → contracts.Diagnostics, not the static internal/diagnostics error-code catalog (which is classification metadata, not runtime checks).

Tests (TDD)

• TestDetectAppDataDenial — denied (EPERM on an installed config) / clean read / no installed clients (asserts the reader is never called → no false positive).
• TestAppDataWarningFrom — the translator warns with remediation when denied, nothing otherwise (cross-platform, satisfies the darwin check assertion).
• TestAppDataDenialWarning_NoOpOffDarwin (//go:build !darwin) — the OS hook is a no-op off macOS.

Verification

• go build ./cmd/mcpproxy ✅ · GOOS=darwin go build ./internal/management/... ./internal/connect/... ✅
• go test ./internal/connect/ ./internal/management/ -race ✅ · GOOS=darwin go vet ✅
• golangci-lint --new-from-rev=origin/main → 0 issues ✅
• Note: the darwin runtime smoke (./mcpproxy doctor with a real TCC denial) needs a Mac with a denied App-Data grant; CI's macOS build covers compilation. The denial path is unit-tested via the injected seam.

Related spec 075 (US1 #706, US2 #707). Resolves MCP-2831.

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	9b9071a
Status:	✅  Deploy successful!
Preview URL:	https://83a22a93.mcpproxy-docs.pages.dev
Branch Preview URL:	https://075-us3-doctor-tcc-check.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 70.00000% with 6 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/connect/access.go	66.66%	2 Missing and 2 partials ⚠️
internal/management/diagnostics.go	0.00%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: 075-us3-doctor-tcc-check

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27741211747 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.