Description
## Summary
Analysis of macOS kiosk head architecture. Recommendation: build a new hydraheadmacOS app (Option A), replacing hydraheadflatscreen.
## Root cause of TCC issues in hydraheadflatscreen
hydraheadflatscreen is a raw Go CLI with no .app bundle, no CFBundleIdentifier, no Team ID. macOS TCC grants are keyed to (bundleID, teamID) — an unsigned binary falls back to path identity only.
1. Microphone — grant breaks on every auto-update (binary swap changes the file