Notebook
Note
Download Markdown

Mac Dropbox Rsync Backup — Prompt

5 min read

Mac Dropbox rsync backup — prompt for Claude Code

How to use this file: open it, edit the Configuration block to match your setup, then copy the whole thing and paste it into Claude Code or Codex on your Mac. It needs to be Claude Code or Codex (or another AI that can run shell commands on your machine) — a chat-only AI can’t actually do the install for you. If you don’t use Dropbox, then do a search and replace in this prompt file and replace Dropbox with Google Drive or OneDrive.

Plaintext
## What I want

I want to set up an automatic, scheduled, one-way backup of a folder on
my Mac to my Dropbox folder, using `rsync` and `launchd`. The backup
should:

- run every couple of hours, automatically, even if I'm not actively
  using my Mac
- mirror the folder one-way (with `--delete`), so files I remove from
  the source also disappear from the destination — Dropbox's delete history is my safety net
- write a log I can spot-check whenever I want
- not show up as a flashing Dock icon every time it runs

I'm a bit beyond a beginner but I'm not a developer. I want the simplest
working approach, using only tools that are already built into macOS —
no Homebrew, no third-party apps.

## Configuration — fill these in before you paste this prompt

- **Source folder to back up:** `/Users/<my-username>/<folder-to-back-up>`
- **Destination folder in Dropbox:** `/Users/<my-username>/Library/CloudStorage/Dropbox/<where-to-mirror-it>`
- **How often:** every `2` hours (or whatever interval I want — in seconds for `StartInterval`)
- **Friendly name for the wrapper app:** something like `My Obsidian Folder Backup`
- **Reverse-DNS bundle identifier for the launchd job:** something like `com.<my-name>.<JobName>`

## Important things a friend learned doing this — please don't repeat these dead ends

A friend of mine set this up first and walked into three traps in a row.
The fix is well known once you know it, but it cost him a couple of
hours of "why is my FDA grant not working?" Here's the summary so we
don't go in circles:

### 1. Modern Dropbox lives under `~/Library/CloudStorage/`, which is TCC-protected

On macOS Ventura and later, the Dropbox folder is at
`~/Library/CloudStorage/Dropbox/...`. That whole `CloudStorage` tree is
protected by macOS's TCC (Privacy & Security) layer. A plain shell
script run by `launchd` cannot write into it. You'll see
`rsync error: ...: open: Operation not permitted` in the log every run.

### 2. You **cannot** grant Full Disk Access to `/bin/bash`

macOS deliberately blocks the shells in `/bin`, `/usr/bin`, `/sbin`, and
`/usr/sbin` from being added to Full Disk Access via the System Settings
GUI. Don't try — it's blocked on purpose to prevent privilege
escalation. Don't waste time on it.

### 3. The fix is to wrap the script in a tiny AppleScript `.app`

`osacompile` will turn a one-line AppleScript that says
`do shell script "/path/to/your/rsync-script.sh"` into a real `.app`
bundle. `.app` bundles **can** be added to Full Disk Access, and the
FDA grant propagates to the rsync child process. This is the standard
workaround; it works.

### 4. Two non-obvious gotchas with the wrapper `.app`

These are the ones that actually cost the time. Both must be done or
the FDA grant is silently ignored even though the toggle in System
Settings looks "on":

- **`osacompile` does NOT set a `CFBundleIdentifier`.** Without one, TCC
  can't reliably tie the FDA grant to the app. Add one with
  `/usr/libexec/PlistBuddy` after compiling — something like
  `com.<my-name>.<JobName>`.

- **The default ad-hoc signature does NOT bind the `Info.plist`.** The
  moment you modify the `Info.plist` (e.g. to add `LSBackgroundOnly`
  so it doesn't flash a Dock icon), the signature is invalidated and
  macOS treats the app as having an inconsistent identity. Re-sign
  with `codesign --force --deep --sign -` AFTER the Info.plist edits,
  to bind the signature to the modified Info.plist.

The symptom of skipping either of those: the app appears in the FDA
list with the toggle on, you reload the launchd job, and rsync still
fails with `Operation not permitted`. Maddening to debug. Just do them.

## What I want you to actually build

Please set up everything end-to-end. Specifically:

1. Write a small `rsync` shell script at `~/Scripts/<bundle-id>.sh` that
   uses `rsync -av --delete --exclude '.DS_Store'` from the source to
   the destination, with a log file at `~/Scripts/<bundle-id>.log.txt`.
2. Build a wrapper app at `~/Applications/<friendly name>.app` with
   `osacompile -e 'do shell script "..."'`.
3. Add a stable `CFBundleIdentifier` and `LSBackgroundOnly = true` to
   the app's `Info.plist` using `PlistBuddy`.
4. Re-sign the app with `codesign --force --deep --sign -` so the
   signature binds the modified `Info.plist`.
5. Register the app with Launch Services (`lsregister -f <app>`) so
   System Settings can see it for FDA.
6. Write the launchd plist at
   `~/Library/LaunchAgents/<bundle-id>.plist`. The `ProgramArguments`
   should point directly at the `.app`'s
   `Contents/MacOS/applet` binary — **not** at `/bin/bash <script>`. Use
   `StartInterval` for the schedule and `RunAtLoad: true`.
7. Load the job with
   `launchctl bootout` (idempotent — to clear any prior version) then
   `launchctl bootstrap gui/$(id -u) <plist>`.
8. Open System Settings → Privacy & Security → Full Disk Access for me
   with
   `open "x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles"`,
   open `~/Applications` in Finder, and tell me exactly what to drag
   in. Wait for me to confirm I've granted FDA before testing.
9. Once I confirm, kickstart a test run with
   `launchctl kickstart -k gui/$(id -u)/<bundle-id>` and tail
   `~/Scripts/<bundle-id>.log.txt` to verify there are no
   `Operation not permitted` errors.

## What success looks like

The log file should end with something like:

`sent 75182 bytes  received 308 bytes  1255 bytes/sec
total size is 130526  speedup is 1.73
--- Sync finished: <date> ---`


with **no** `Operation not permitted` lines. After that, it should run
on its own on the schedule and I should be able to forget about it.

## What I don't want

- Don't have launchd run `/bin/bash <script>` directly — that's the
  setup that doesn't work for CloudStorage destinations.
- Don't disable SIP or run anything as root. The `.app` wrapper is the
  right approach.
- Don't suggest moving Dropbox out of `~/Library/CloudStorage/` — modern
  Dropbox doesn't support relocating its folder.
- Don't install Homebrew, third-party rsync, or any helper apps. Use
  what ships with macOS: `rsync`, `osacompile`, `codesign`,
  `PlistBuddy`, `lsregister`, `launchctl`.

DO NOT start working yet. First, ask me clarifying questions so we can define the approach together. Only begin once we’ve aligned.