Add patch_playbook_postgres_macos() to rewrite the postgres macos.yml install
from the community.general.homebrew module (which can select a crashing stale
Intel Homebrew) to a brew command using the PATH brew, matching the playbooks
repo fix. Documents TC-MAC-018.
postgresql_deploy_mode defaults to compose (Docker) and the admin password is
generated via a /root password-file lookup, both of which fail on a native
macOS deploy (no Docker, /root not writable). The role already ships a native
path (macos.yml, Homebrew postgresql@16). In the script's Darwin block, set
postgresql_deploy_mode=native and pass postgresql_admin_password directly
(highest-precedence extra-var, bypassing the /root lookup). Linux unchanged.
Documents TC-MAC-017.
Root cause of the repeated 'Bootstrap Vault admin userpass auth' failure was
not macOS-specific: init_vault_admin.sh derived entity_id by logging in as the
user, but the login MFA enforcement it creates makes that login MFA-gated on
re-runs (dev Vault persists across deploys), yielding 'missing entityID'.
patch_playbook_vault_macos() now rewrites init_vault_admin.sh to resolve
entity_id via the userpass entity-alias (creating entity+alias on first run),
matching the same fix landed in the playbooks repo. Removes the temporary
no_log/file-dump diagnostic. Documents TC-MAC-016.
vault : Bootstrap Vault admin userpass auth runs init_vault_admin.sh, which
require_cmd's vault/jq/curl/base64. macOS has no jq by default (the apt deps
task is Darwin-skipped) and ansible.builtin.script uses a minimal PATH without
/opt/homebrew/bin. Extend patch_playbook_vault_macos() to brew install jq and
add environment PATH to the bootstrap task. Idempotent; verified. TC-MAC-015.
The common role's 'Base | *' tasks (timedatectl timezone, /etc/hostname,
hostname, /etc/hosts, ssh hardening, fail2ban, file limits, firewall) all run
with become: true against Linux-only tooling/paths and fail on macOS — the
reported timedatectl failure is just the first. Add patch_playbook_common_macos()
(post-clone, Darwin-only) that appends an ansible_os_family != 'Darwin' guard to
the whole Base block. Idempotent; verified against the real role; Linux
unchanged. Documents TC-MAC-014.
The vault role's 'Ensure standalone Vault directories exist' task creates
/etc/vault.d and /opt/vault/data with owner: root and lacks the Darwin guard
its sibling tasks have, so it fails under macOS become=false. Unlike the
bridge dir (owned by the service user, fixable via -e), this owner: root is
hardcoded and not overridable, so the role logic must change.
Since the role lives in a separate playbooks repo, reuse the existing
post-clone patch mechanism (cf. patch_playbook_user_systemd): add
patch_playbook_vault_macos() that, on Darwin only, guards the directory task,
makes vault dirs/binary OS-conditional (macOS -> ~/Library/Application
Support/vault[/data], /opt/homebrew/bin/vault; Linux unchanged), and creates
the user-owned data dir in macos.yml. Idempotent; verified against the real
role. Documents TC-MAC-013.
Switch the macOS bridge base dir to the Apple-standard per-user location
$HOME/Library/Application Support/cloud-neutral/xworkmate-bridge, while Linux
keeps /opt/cloud-neutral/xworkmate-bridge. Applied both as the Darwin -e
override in setup-ai-workspace-all-in-one.sh (the lever that reaches the
curl|bash path) and as an OS-conditional role default. Updates TC-MAC-012 and
the progress report with the not-pushed root cause of the 19:09 re-failure.
macOS deploys run with ansible_become=false, so the bridge role default
xworkmate_bridge_base_dir=/opt/cloud-neutral failed with EACCES creating
/opt/cloud-neutral. Inject a Darwin -e override pointing the base dir at
$HOME/.local/state/cloud-neutral/xworkmate-bridge, matching existing macOS
overrides for gateway_openclaw/agent_skills/xworkspace_console. Documents the
failure and fix as TC-MAC-012.
