Greptile Summary

This PR fixes the TCC identity mismatch (#192) by routing the packaged agent helper through LaunchServices (open -g -n) instead of direct exec, ensuring the agent registers under its own "OpenLogi Agent" entry in the Accessibility list. It also adds a UI hint across all 20 locale files instructing users to enable that specific entry (and how to remove a stale one).

• ipc_client.rs: Introduces launch_agent + helper_bundle to detect the packaged .app layout and dispatch to open -g -n <bundle> on macOS, falling back to disclaim::Command for dev/non-macOS builds.
• app.rs + locale files: Adds a new muted-text instructional block in the Accessibility permission dialog, directing users to the "OpenLogi Agent" entry rather than the app itself.

Confidence Score: 4/5

Safe to merge with awareness that the -n flag can spawn a duplicate agent instance in launchd-managed deployments.

The core TCC fix is correct and well-tested for the happy path. The -n flag (already flagged in prior review) creates a real race window in launchd-managed deployments where two agent instances race to bind the same Unix socket.

crates/openlogi-gui/src/ipc_client.rs — the open -n flag and ancestors().nth(3) bundle detection logic both have noted fragility worth addressing before ship.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
 A[spawn_agent called] --> B[agent_binary_path]
 B -->|None| C[warn: binary not found]
 B -->|Some path| D[launch_agent]
 D -->|macOS| E[helper_bundle path]
 E -->|Some bundle| F["open -g -n bundle\nLaunchServices launch\nAgent gets own TCC identity"]
 E -->|None dev binary| G["disclaim::Command\ndirect exec with TCC disclaimer"]
 D -->|non-macOS| G
 F --> H[Agent registers as\nOpenLogi Agent in TCC]
 G --> I[Agent inherits or\ndisclaims GUI TCC identity]

_{Reviews (3): Last reviewed commit: "fix(gui): launch agent helper via Launch..." | Re-trigger Greptile}