tinyhumansai · YOMXXX · May 26, 2026 · May 26, 2026
@@ -33,6 +33,8 @@ Applies to every release, all platforms.
 - [ ] **Accessibility permission prompt fires on first agent run** — Trigger an agent action that uses Accessibility (e.g. window-control skill). Expected: macOS prompts `OpenHuman would like to control this computer using accessibility features`. Granting it allows the action; denying it surfaces a clear in-app fallback.
 - [ ] **Input Monitoring prompt fires on first hotkey use** — Press the registered global hotkey for the first time. Expected: `Input Monitoring` prompt; granting it makes the hotkey trigger; denying it does not crash the app.
 - [ ] **Screen Recording prompt fires on first screen-share** — Use the screen-share skill or `getDisplayMedia` shim. Expected: `Screen Recording` prompt; granted → picker shows windows + screens; denied → in-app message explaining the requirement.
+- [ ] **Meet "Present" surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Google Meet webview account, join a meeting, and click `Present now`. Expected: Chromium's native screen-picker UI appears (Entire screen / Window / Chrome tab tabs) and `getDisplayMedia` only resolves after the user picks a source. Hard fail mode: capture starts immediately with no picker — that means `displayCapture` was re-granted via `Browser.grantPermissions` and bypassed Chromium's transient-activation gate.
+- [ ] **Slack huddle screen-share surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Slack webview account, start or join a huddle, and click the screen-share button. Expected: same Chromium native screen-picker as Meet; capture only begins after a deliberate user selection. Hard fail mode: huddle begins broadcasting immediately with no picker prompt.
 - [ ] **Microphone prompt fires on first voice capture** — Start a voice session. Expected: standard mic prompt; granted → capture begins; denied → fallback message, no panic.
 - [ ] **Bluetooth prompt fires on first Gmeet call (regression watch — see #1288)** — Open the Google Meet webview account and join a meeting from a fresh install. Expected: macOS prompts `OpenHuman would like to use Bluetooth` the first time the device picker enumerates audio peripherals; granted → AirPods/headsets appear in the picker; denied → fallback to built-in mic, no crash. Hard fail mode (key absent) is a SIGABRT before the prompt can render.
 - [ ] **Location prompt does not crash on Gmeet room-finder probe** — If Gmeet surfaces nearby-room suggestions, the first probe should trigger `OpenHuman would like to use your current location`; granting or denying must NOT crash the app. (Probe path is webview-driven; only verify the no-crash invariant here.)

@@ -191,6 +191,13 @@ impl Default for SecurityPolicy {
             autonomy: AutonomyLevel::Supervised,
             workspace_dir: PathBuf::from("."),
             workspace_only: true,
+            // When adding a new entry to this allowlist, re-audit
+            // `DANGEROUS_ENV_PREFIXES` (see below). Every newly-allowed binary
+            // may introduce its own env-driven subprocess hooks (pager, editor,
+            // loader override, SSH/diff helper, preprocessor) — those names
+            // must be added to the prefix denylist so that the
+            // `KEY=cmd <allowed-binary>` shape cannot bypass allowlisting via
+            // `skip_env_assignments` in `is_command_allowed`. Cross-ref #2636.
             allowed_commands: vec![
                 "git".into(),
                 "npm".into(),