fix: remove nonessential boss agent permission requests

local-agent/boss-agent-status.mjs

@@ -18,73 +18,17 @@ const PERMISSION_DEFS = [
   },
 ];
 
-const EXTENDED_PERMISSION_DEFS = [
-  {
-    key: "automation",
-    label: "自动化控制",
-    description: "用于 AppleScript 控制 Finder、浏览器和企业软件；基础桌面控制不强制依赖",
-    tier: "extended",
-  },
-  {
-    key: "fullDiskAccess",
-    label: "全磁盘访问",
-    description: "用于读取和写入企业授权目录、日志与开发资产",
-    tier: "extended",
-  },
-  {
-    key: "inputMonitoring",
-    label: "输入监控",
-    description: "用于低层热键、复杂输入和部分不可访问控件兜底",
-    tier: "extended",
-  },
-  {
-    key: "notifications",
-    label: "通知权限",
-    description: "用于后台任务、接管结果和风险告警提醒",
-    tier: "extended",
-  },
-  {
-    key: "microphone",
-    label: "麦克风",
-    description: "用于语音指令、会议和音频协作场景",
-    tier: "extended",
-  },
-  {
-    key: "camera",
-    label: "摄像头",
-    description: "用于视觉协作、会议和现场画面确认",
-    tier: "extended",
-  },
-  {
-    key: "localNetwork",
-    label: "本地网络",
-    description: "用于发现和连接局域网设备、开发板与企业内网服务",
-    tier: "extended",
-  },
-];
-
 const MACOS_PERMISSION_SETTINGS = {
-  all: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Security",
   core: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_Accessibility",
   accessibility: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_Accessibility",
   screenRecording: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_ScreenCapture",
-  automation: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_Automation",
-  fullDiskAccess: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_AllFiles",
-  inputMonitoring: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_ListenEvent",
-  notifications: "x-apple.systempreferences:com.apple.Notifications-Settings.extension",
-  microphone: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_Microphone",
-  camera: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?Privacy_Camera",
-  localNetwork: "x-apple.systempreferences:com.apple.settings.PrivacySecurity.extension?privacy-localnetwork",
 };
 
-const AUTO_PREFLIGHT_PERMISSION_KEYS = new Set(["accessibility", "screenRecording", "automation"]);
+const AUTO_PREFLIGHT_PERMISSION_KEYS = new Set(["accessibility", "screenRecording"]);
 
 const NATIVE_PERMISSION_QUERY_PARAMS = {
   accessibility: "nativeAccessibility",
   screenRecording: "nativeScreenRecording",
-  inputMonitoring: "nativeInputMonitoring",
-  microphone: "nativeMicrophone",
-  camera: "nativeCamera",
 };
 
 function nonEmpty(value) {
@@ -204,11 +148,7 @@ function resolvePermissionReadiness(coreItems, extendedItems) {
   const extendedGrantedCount = extendedItems.filter((item) => item.status === "granted").length;
   const coreReady = coreGrantedCount === coreItems.length;
   const fullControlReady = coreReady && extendedGrantedCount === extendedItems.length;
-  const summary = fullControlReady
-    ? "基础桌面控制和扩展能力权限已具备"
-    : coreReady
-      ? "基础桌面控制已可用，扩展权限按场景启用"
-      : "基础桌面控制待授权，桌面接管不可用";
+  const summary = coreReady ? "基础桌面控制已可用" : "基础桌面控制待授权，桌面接管不可用";
 
   return {
     coreReady,
@@ -219,12 +159,12 @@ function resolvePermissionReadiness(coreItems, extendedItems) {
     extendedTotal: extendedItems.length,
     summary,
     detail:
-      "参考 Codex Computer Use 的最小权限模型，基础桌面控制只要求辅助功能和屏幕录制；自动化控制、全磁盘访问、输入监控、通知、麦克风、摄像头和本地网络都按具体任务场景再单独启用。",
+      "参考 Codex Computer Use 的最小权限模型，boss-agent 只要求辅助功能和屏幕录制：辅助功能负责点击输入，屏幕录制负责画面识别。",
   };
 }
 
-function buildPermissionSetupPlan(coreItems, extendedItems, readiness) {
-  const actions = [...coreItems, ...extendedItems].map((item) => ({
+function buildPermissionSetupPlan(coreItems, readiness) {
+  const actions = coreItems.map((item) => ({
     key: item.key,
     label: item.label,
     description: item.description,
@@ -232,21 +172,18 @@ function buildPermissionSetupPlan(coreItems, extendedItems, readiness) {
     status: item.status,
     requiredForSilentControl: item.tier === "core",
     canPreflight: AUTO_PREFLIGHT_PERMISSION_KEYS.has(item.key),
-    settingsUrl: MACOS_PERMISSION_SETTINGS[item.key] ?? MACOS_PERMISSION_SETTINGS.all,
+    settingsUrl: MACOS_PERMISSION_SETTINGS[item.key] ?? MACOS_PERMISSION_SETTINGS.core,
     openUrl: `/api/v1/boss-agent/permissions/open?target=${encodeURIComponent(item.key)}&returnTab=permissions`,
     owner: "boss-agent.app",
   }));
   const missingRequiredActions = actions.filter(
     (action) => action.requiredForSilentControl && action.status !== "granted",
   );
-  const optionalMissingActions = actions.filter(
-    (action) => !action.requiredForSilentControl && action.status !== "granted",
-  );
 
   return {
     mode: "minimal_computer_use",
     title: "基础桌面控制授权",
-    goal: "按 Codex Computer Use 的思路，先拿辅助功能和屏幕录制两项最小权限；其他能力等任务需要时再申请。",
+    goal: "按 Codex Computer Use 的思路，只申请辅助功能和屏幕录制两项最小权限。",
     silentUseReady: missingRequiredActions.length === 0,
     primaryAction: {
       label: "打开基础授权",
@@ -256,9 +193,9 @@ function buildPermissionSetupPlan(coreItems, extendedItems, readiness) {
     actions,
     missingKeys: missingRequiredActions.map((action) => action.key),
     missingRequiredKeys: missingRequiredActions.map((action) => action.key),
-    optionalMissingKeys: optionalMissingActions.map((action) => action.key),
+    optionalMissingKeys: [],
     summary: readiness.coreReady
-      ? "基础桌面控制已可用；扩展权限不会阻塞接管，只在对应任务需要时提示。"
+      ? "基础桌面控制已可用；后续控制只校验这两项权限。"
       : "仍缺少基础桌面控制权限，请先授权辅助功能和屏幕录制。",
     persistenceNote:
       "macOS 会把授权持久写入系统隐私数据库；稳定签名后，后续更新不会因为二进制哈希变化反复丢失授权。",
@@ -270,7 +207,12 @@ export function mergeBossAgentNativePermissionOverrides(permissions = {}, queryP
     if (typeof queryParams.get === "function") return queryParams.get(name);
     return queryParams[name];
   };
-  const merged = { ...permissions };
+  const merged = {};
+  for (const permissionKey of Object.keys(NATIVE_PERMISSION_QUERY_PARAMS)) {
+    if (isPermissionStatus(permissions[permissionKey])) {
+      merged[permissionKey] = permissions[permissionKey];
+    }
+  }
   for (const [permissionKey, queryKey] of Object.entries(NATIVE_PERMISSION_QUERY_PARAMS)) {
     const value = getQueryValue(queryKey);
     if (isPermissionStatus(value)) {
@@ -312,9 +254,9 @@ export function buildBossAgentStatus(config = {}, runtime = {}, options = {}) {
   const serverOk = runtime.lastHeartbeatOk === true;
   const qrPayload = bound ? "" : buildBindingPayload(config);
   const corePermissionItems = permissionItems(PERMISSION_DEFS, permissions);
-  const extendedPermissionItems = permissionItems(EXTENDED_PERMISSION_DEFS, permissions);
+  const extendedPermissionItems = [];
   const permissionReadiness = resolvePermissionReadiness(corePermissionItems, extendedPermissionItems);
-  const permissionSetup = buildPermissionSetupPlan(corePermissionItems, extendedPermissionItems, permissionReadiness);
+  const permissionSetup = buildPermissionSetupPlan(corePermissionItems, permissionReadiness);
 
   return {
     appName: "boss-agent",
@@ -883,22 +825,27 @@ function runCommand(command, args, timeoutMs = 2500) {
   });
 }
 
-export function resolveBossAgentPermissionSettingsUrl(target = "all") {
-  return MACOS_PERMISSION_SETTINGS[target] ?? MACOS_PERMISSION_SETTINGS.all;
+function normalizePermissionTarget(target = "core") {
+  return Object.hasOwn(MACOS_PERMISSION_SETTINGS, target) ? target : "core";
 }
 
-export async function openBossAgentPermissionSettings(target = "all", platform = process.platform) {
-  const settingsUrl = resolveBossAgentPermissionSettingsUrl(target);
+export function resolveBossAgentPermissionSettingsUrl(target = "core") {
+  return MACOS_PERMISSION_SETTINGS[normalizePermissionTarget(target)];
+}
+
+export async function openBossAgentPermissionSettings(target = "core", platform = process.platform) {
+  const normalizedTarget = normalizePermissionTarget(target);
+  const settingsUrl = resolveBossAgentPermissionSettingsUrl(normalizedTarget);
   if (platform !== "darwin") {
     return {
       ok: false,
-      target,
+      target: normalizedTarget,
       settingsUrl,
       message: "当前平台暂不支持自动打开系统隐私设置，请在系统设置中手动完成授权。",
     };
   }
 
-  const nativeUrl = `boss-agent://permissions/open?target=${encodeURIComponent(target)}&returnTab=permissions`;
+  const nativeUrl = `boss-agent://permissions/open?target=${encodeURIComponent(normalizedTarget)}&returnTab=permissions`;
   const nativeLaunch = await runCommand(
     "open",
     [
@@ -906,7 +853,7 @@ export async function openBossAgentPermissionSettings(target = "all", platform =
       "/Applications/boss-agent.app",
       "--args",
       "--request-permission",
-      target,
+      normalizedTarget,
       "--return-tab",
       "permissions",
     ],
@@ -915,7 +862,7 @@ export async function openBossAgentPermissionSettings(target = "all", platform =
   if (nativeLaunch.ok) {
     return {
       ok: true,
-      target,
+      target: normalizedTarget,
       settingsUrl,
       message: "已通过 boss-agent 发起系统权限申请。",
       nativeRequest: true,
@@ -927,7 +874,7 @@ export async function openBossAgentPermissionSettings(target = "all", platform =
   if (nativeDeepLink.ok) {
     return {
       ok: true,
-      target,
+      target: normalizedTarget,
       settingsUrl,
       message: "已通过 boss-agent 发起系统权限申请。",
       nativeRequest: true,
@@ -938,7 +885,7 @@ export async function openBossAgentPermissionSettings(target = "all", platform =
   const result = await runCommand("open", [settingsUrl], 2500);
   return {
     ok: result.ok,
-    target,
+    target: normalizedTarget,
     settingsUrl,
     message: result.ok
       ? "已打开系统权限设置。"
@@ -959,7 +906,6 @@ export async function detectLocalComputerPermissions(platform = process.platform
     return {
       accessibility: "unknown",
       screenRecording: "unknown",
-      automation: "unknown",
     };
   }
 
@@ -967,7 +913,6 @@ export async function detectLocalComputerPermissions(platform = process.platform
     "-e",
     'tell application "System Events" to get UI elements enabled',
   ]);
-  const automation = await runCommand("osascript", ["-e", 'tell application "Finder" to get name']);
   const screenshotPath = path.join(os.tmpdir(), `boss-agent-permission-${Date.now()}.png`);
   const screen = await runCommand("screencapture", ["-x", "-t", "png", screenshotPath], 3500);
   let screenRecording = "missing";
@@ -985,6 +930,5 @@ export async function detectLocalComputerPermissions(platform = process.platform
   return {
     accessibility: accessibility.ok && /true/i.test(accessibility.stdout) ? "granted" : "missing",
     screenRecording,
-    automation: automation.ok ? "granted" : "missing",
   };
 }

local-agent/server.mjs

@@ -1037,7 +1037,7 @@ const server = createServer(async (request, response) => {
   }
 
   if (requestUrl.pathname === "/api/v1/boss-agent/permissions/open") {
-    const target = requestUrl.searchParams.get("target") || "all";
+    const target = requestUrl.searchParams.get("target") || "core";
     const returnTab = normalizeBossAgentTab(requestUrl.searchParams.get("returnTab") ?? "permissions");
     const result = await openBossAgentPermissionSettings(target);
     const wantsJson = String(request.headers.accept || "").includes("application/json");