by macOS26
58 days ago
For those wondering about priv.: Agent is built on least priv. It will run TCC-related tasks locally, and each app that is being automated requires consent from the user. Same with automating Safari, plus the user must check a few boxes in Developer Tools for Safari. Then there's shell scripting, for which the preferred route is the Launch Agent, which the user approves along with the Launch Daemon.
If the Launch Agent is not available, shell scripts run locally. AgentScripts in Swift also run locally in the app. Anything priv. runs through the Launch Daemon. This is mostly used for software updates. Lately, when creating a dmg using hdiutil, I have seen Agent securely ask for the password and not use the Launch Daemon. The Daemon was created first as a test to see what would happen if an LLM had access to one. And under that mode it knew about 50 things it could run as an administrator of the computer. It was never run in that state, and its 3-4 layers of access were created. The user can turn off the Launch Daemon, and when this happens not only is the Daemon turned off, so is access to the Launch Daemon tool. This model is used all over Agent! The user can turn off anything. I do plan to harden the Launch Agent and Launch Daemon on/off access with Local Authentication and later a Pass-Key to prevent Agent! from turning it back on via things like Accessibility.