fix(desktop): trigger macOS Local Network permission on startup #3551

Merged: Kitenite merged 1 commit into main from fix/3474-outbound-blocked, Apr 18, 2026

Kitenite (Collaborator) commented Apr 18, 2026

Summary

  • requestLocalNetworkAccess existed in apps/desktop/src/main/lib/local-network-permission.ts but was never called, so the NSLocalNetworkUsageDescription / NSBonjourServices keys wired up in electron-builder.ts never had a trigger.
  • On macOS 15+, this silently blocks outbound connections to local-network IPs from the app and its spawned children (node, python, etc. in the workspace terminal). System binaries like curl escape the same TCC attribution path, which matches the reporter's symptom.
  • Call the helper alongside requestAppleEventsAccess in the app.whenReady block.

Fixes #3474.

Test plan

Dev can exercise the code path but not the production grant (bundle id, signing identity, and Info.plist keys all differ). For end-to-end verification:

  • Packaged canary build on a fresh macOS 15+ profile — confirm the Local Network prompt appears on first launch.
  • Approve, then in a workspace terminal run a node script that HTTP-GETs a machine on the LAN (e.g. node -e 'require("http").get("http://<local-ip>", r=>console.log(r.statusCode))') — expect success.
  • Confirm Superset now appears in System Settings → Privacy & Security → Local Network.
  • Existing users who previously denied the prompt (silently or otherwise) will need to toggle it on manually; call out in release notes if relevant.

If granting permission doesn't resolve the repro, the next investigation areas are PTY subprocess TCC attribution and the agent-setup/shell-wrappers path.


Summary by cubic

Trigger the macOS Local Network permission on app startup to stop silent blocking of LAN connections on macOS 15+ for the app and its terminal child processes. Adds a call to requestLocalNetworkAccess() alongside requestAppleEventsAccess() in app.whenReady (fixes #3474).

Written for commit 9c2f4f0. Summary will update on new commits.

Summary by CodeRabbit

  • New Features
    • The app now requests local network access permissions during startup to enable connectivity with local network resources.

requestLocalNetworkAccess was defined in local-network-permission.ts but
never called, so the Info.plist keys (NSLocalNetworkUsageDescription,
NSBonjourServices) wired up in electron-builder never had a trigger to
prompt the user. On macOS 15+ this causes outbound connections to
local-network IPs from the app and its spawned child processes (node,
python in the terminal) to be silently blocked, while system binaries
like curl escape the same TCC attribution.

Call it alongside requestAppleEventsAccess in app ready.

Refs #3474

coderabbitai Bot (Contributor) commented Apr 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 867ef87 and 9c2f4f0.

📒 Files selected for processing (1)
  • apps/desktop/src/main/index.ts

Walkthrough

Added a local network access permission request to the macOS app initialization sequence. During startup, after ready and Apple Events access, the app now requests local network permissions to enable spawned processes to communicate with local network resources.

Changes

| Cohort / File(s) | Summary |
|---|---|
| macOS Startup Permissions: apps/desktop/src/main/index.ts | Added import for requestLocalNetworkAccess and integrated the permission request into the app startup sequence following requestAppleEventsAccess(). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly and concisely describes the main change: triggering the macOS Local Network permission on startup. |
| Description check | ✅ Passed | The PR description covers the problem, solution, testing approach, and linked issue. While it lacks formal checkbox sections from the template, it provides substantive technical detail. |
| Linked Issues check | ✅ Passed | The PR directly addresses issue #3474 by implementing the required fix: calling requestLocalNetworkAccess on app startup to trigger the Local Network permission and enable spawned child processes to reach local-network IPs. |
| Out of Scope Changes check | ✅ Passed | The changes are minimal and narrowly scoped: adding a single import and one function call. All modifications directly address the stated objective of triggering the Local Network permission. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

greptile-apps Bot commented Apr 18, 2026

Greptile Summary

This PR fixes a macOS local network permission issue in the Electron desktop app by calling the already-implemented requestLocalNetworkAccess() helper during startup. The helper existed in local-network-permission.ts but was never invoked, meaning the NSLocalNetworkUsageDescription / NSBonjourServices Info.plist keys wired up in electron-builder.ts were never triggered — silently blocking outbound LAN connections on macOS 15+ for the app and its spawned child processes.

Changes:

  • Adds requestLocalNetworkAccess() call alongside requestAppleEventsAccess() in the app.whenReady() block in apps/desktop/src/main/index.ts
  • The permission helper (local-network-permission.ts) was already correct: it creates a UDP socket, sends a 1-byte packet to the mDNS multicast address (224.0.0.251:5353), then closes the socket — which is the standard technique for triggering macOS's TCC local network permission dialog
  • Platform-gating (process.platform !== "darwin") and full socket cleanup (error handler + send callback) are already in place
  • The fix is intentionally minimal: one new call site, no other changes required

Confidence Score: 5/5

Safe to merge — minimal, targeted fix with no risk of regression on non-macOS platforms and correct socket lifecycle management.

Single call-site addition. The helper was already correct and tested in isolation; the only missing piece was invoking it. Platform guard, error handling, and socket cleanup were all in place. No logic changes, no new dependencies, no state mutation.

No files require special attention. End-to-end verification requires a signed/packaged canary build on macOS 15+ as noted in the test plan, which is outside the scope of code review.

Important Files Changed

| Filename | Overview |
|---|---|
| apps/desktop/src/main/index.ts | Adds requestLocalNetworkAccess() call in the app.whenReady() block; import was already present. Change is minimal and correctly placed before main window creation. |
| apps/desktop/src/main/lib/local-network-permission.ts | Pre-existing helper; unchanged in this PR. Uses standard mDNS multicast send to trigger TCC permission dialog; platform-gated to darwin; socket lifecycle correctly cleaned up in all paths. |

Sequence Diagram

sequenceDiagram
    participant E as Electron main
    participant AE as requestAppleEventsAccess()
    participant LN as requestLocalNetworkAccess()
    participant OS as macOS TCC
    participant UI as Main Window

    E->>E: app.whenReady()
    E->>AE: call (existing)
    AE-->>OS: AppleEvents permission check
    E->>LN: call (NEW - this PR)
    LN->>LN: dgram.createSocket(udp4)
    LN->>LN: socket.bind()
    LN->>OS: send 1-byte packet to 224.0.0.251:5353
    OS-->>E: Show "Local Network" permission dialog
    LN->>LN: socket.close()
    E->>UI: makeAppSetup() → MainWindow()

Reviews (1): Last reviewed commit: "fix(desktop): trigger macOS Local Networ..."
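
The probe described in the summary above (UDP socket, bind, one byte to 224.0.0.251:5353, close, darwin-only), written out as an added example; it is not the project's local-network-permission.ts. The `done` callback, the outcome strings, and the injectable `platform` / `createSocket` options are assumptions introduced here so the socket lifecycle can be checked without macOS.

```javascript
// Added example, not the project's helper. Runs in an Electron main process
// or plain Node; call it from app.whenReady() as the PR does.
const dgram = require("dgram");

const MDNS_ADDR = "224.0.0.251"; // mDNS multicast group named in the review
const MDNS_PORT = 5353;

/**
 * Sends one byte to the mDNS group so macOS attributes a local-network
 * access attempt to this app, which is what surfaces the Local Network prompt.
 * done(outcome) fires exactly once with "skipped", "sent" or "error".
 * The outcome only says whether the probe went out; it is not the user's
 * answer to the prompt.
 * opts.platform and opts.createSocket are hypothetical test hooks.
 */
function requestLocalNetworkAccess(done = () => {}, opts = {}) {
  const platform = opts.platform ?? process.platform;
  const createSocket = opts.createSocket ?? dgram.createSocket;

  // Platform gate: other operating systems have no such prompt to trigger.
  if (platform !== "darwin") return done("skipped");

  const socket = createSocket("udp4");
  let finished = false;
  const finish = (outcome) => {
    if (finished) return; // error event and send callback may both fire
    finished = true;
    try { socket.close(); } catch { /* socket already closed */ }
    done(outcome);
  };

  // A failed probe must never take down app startup.
  socket.on("error", () => finish("error"));

  // Port 0 lets the OS pick an ephemeral source port.
  socket.bind(0, () => {
    socket.send(Buffer.from([0]), MDNS_PORT, MDNS_ADDR, (err) =>
      finish(err ? "error" : "sent"));
  });
}
```

Because the outcome does not reveal whether access was granted, the test plan's packaged-build check in System Settings remains the way to confirm the permission itself.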

cubic-dev-ai Bot (Contributor) left a comment

No issues found across 1 file

@Kitenite Kitenite merged commit 4ba8378 into main Apr 18, 2026
7 checks passed
@Kitenite Kitenite deleted the fix/3474-outbound-blocked branch April 18, 2026 06:51
Development

Successfully merging this pull request may close these issues.

Outbound connections from spawned processes blocked