fix: add actionable FDA guidance for TCC authorization denial

[glitch418x]

Summary

Improve TCC database open error handling so authorization-denied failures show actionable Full Disk Access guidance for terminal-based workflows.

Changes

• Added targeted DbOpen hint mapping in src/tcc.rs for authorization/open-denied SQLite errors on TCC DB paths only.
• Included actionable guidance in the hint: grant Full Disk Access to terminal app (Terminal/iTerm/Ghostty/VS Code), fully restart app, and note that sudo does not bypass TCC.
• Added unit tests covering hint emission and non-emission cases.
• Added a short README troubleshooting section for Full Disk Access authorization-denied scenarios.

Validation

• cargo fmt
• cargo clippy -- -D warnings
• cargo test

Linked Issues

• None

Summary by CodeRabbit

• Documentation

  • Added troubleshooting section with guidance on granting Full Disk Access permissions for database operations.

• Bug Fixes

  • Enhanced error messages for database access failures with actionable Full Disk Access authorization hints.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR enhances error handling and user documentation for Full Disk Access authorization issues when accessing the macOS TCC.db file. Changes include adding helpful error messages to diagnose permission problems and documenting troubleshooting steps in the README.

Changes

Cohort / File(s)	Summary
Documentation README.md	Added Troubleshooting subsection with guidance on handling Full Disk Access authorization issues when accessing TCC.db.
Error Handling & Tests src/tcc.rs	Enhanced error display for DbOpen errors with helpful Full Disk Access hints. Added private helper functions to detect TCC.db paths and authorization-denied errors, plus four new tests validating hint behavior in various scenarios.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 When disks deny access with protective might,
Clear hints now guide toward Full Disk Access light,
Tests verify the wisdom rings so true,
Documentation helps your terminal through! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding actionable Full Disk Access guidance for TCC authorization denial errors, which aligns with both the README and src/tcc.rs modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/fda-authorization-hints

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/tcc.rs (1)

121-127: Minor: Redundant substring check.

The check for "open authorization denied" is redundant since "authorization denied" would already match that case. This doesn't affect correctness but could be simplified.

♻️ Suggested simplification

     let source_lower = source.to_lowercase();
     let is_open_denied = source_lower.contains("authorization denied")
-        || source_lower.contains("open authorization denied")
         || source_lower.contains("not authorized");
     if !is_open_denied {
         return None;
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/tcc.rs` around lines 121 - 127, The is_open_denied check in src/tcc.rs
redundantly tests for "open authorization denied" because
source_lower.contains("authorization denied") already covers that case; update
the boolean expression using the existing symbols (source_lower and
is_open_denied) to remove the redundant contains call so it only checks for
"authorization denied" || "not authorized", keeping the rest of the early-return
logic unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/tcc.rs`:
- Around line 121-127: The is_open_denied check in src/tcc.rs redundantly tests
for "open authorization denied" because source_lower.contains("authorization
denied") already covers that case; update the boolean expression using the
existing symbols (source_lower and is_open_denied) to remove the redundant
contains call so it only checks for "authorization denied" || "not authorized",
keeping the rest of the early-return logic unchanged.