fix(homebrew): move venv to var/ to avoid dylib fixups and harden bin permissions

- Move Python venv from libexec/ to var/mfc/venv to keep it outside the keg
  This prevents Homebrew's Mach-O dylib ID fixup from touching Python .so files
- Write wrapper script directly to bin/mfc with 0755 permissions
- Explicitly chmod 0755 on all installed binaries to ensure executability
- Update tests to check var/mfc/venv instead of libexec/venv
- Symlink venv at runtime instead of copying (faster, less disk usage)

These changes resolve:
- 'Failed changing dylib ID of orjson.cpython-312-darwin.so' errors
- 'Non-executables were installed to bin' audit failures

Author: sbryngelson

packaging/homebrew/mfc.rb

@@ -21,12 +21,11 @@ class Mfc < Formula
   depends_on "openblas"
   depends_on "[email protected]"
 
-  # Preserve venv RECORD files (needed for pip to manage packages)
-  skip_clean "libexec/venv"
-
   def install
     # Create Python virtual environment (remove existing one first for clean reinstalls)
-    venv = libexec/"venv"
+    # Store in var/ instead of keg to avoid Homebrew dylib fixups on Python .so files
+    venv = var/"mfc/venv"
+    mkdir_p venv.parent
     rm_r(venv, force: true)
     system Formula["[email protected]"].opt_bin/"python3.12", "-m", "venv", venv
     system venv/"bin/pip", "install", "--upgrade", "pip", "setuptools", "wheel"
@@ -36,9 +35,7 @@ def install
 
     # Install MFC Python package and dependencies into venv
     # Keep toolchain in buildpath for now - mfc.sh needs it there
-    # Use editable install (-e) to avoid RECORD file issues when venv is copied
-    # Note: Homebrew may warn about dylib fixup failures for some Python packages (e.g., orjson)
-    # This is non-fatal since the venv is copied (not linked) at runtime
+    # Use editable install (-e) to avoid RECORD file issues when venv is symlinked at runtime
     system venv/"bin/pip", "install", "-e", buildpath/"toolchain"
 
     # Create symlink so mfc.sh uses our pre-installed venv
@@ -63,6 +60,7 @@ def install
       next if !File.file?(p) || !File.executable?(p)
 
       bin.install p
+      (bin/File.basename(p)).chmod 0755
     end
 
     # Install main mfc.sh script
@@ -72,72 +70,65 @@ def install
     prefix.install "examples"
 
     # Create smart wrapper script that:
-    # 1. Works around read-only Cellar issue by copying venv to tmpdir
-    # 2. Sets up toolchain symlink so mfc.sh can find toolchain/util.sh
+    # 1. Works around read-only Cellar issue by using a temp working dir
+    # 2. Uses the persistent var-based venv (no copy needed)
     # 3. Ensures mfc.sh doesn't reinstall packages by copying pyproject.toml
-
-    # Create wrapper script in buildpath first, then install it
-    wrapper_script = buildpath/"mfc_wrapper"
-    wrapper_script.write <<~EOS
-            #!/bin/bash
-            set -euo pipefail
-
-            # Unset VIRTUAL_ENV to ensure mfc.sh uses the copied venv, not the Cellar one
-            unset VIRTUAL_ENV || true
-
-            # Create a temporary working directory (Cellar is read-only)
-            TMPDIR="$(mktemp -d)"
-            trap 'rm -rf "${TMPDIR}"' EXIT
-
-            # Copy mfc.sh to temp dir (it may try to write build artifacts)
-            cp "#{libexec}/mfc.sh" "${TMPDIR}/"
-            cd "${TMPDIR}"
-
-            # Copy toolchain directory (not symlink) so Python paths resolve correctly
-            # This prevents paths from resolving back to read-only Cellar
-            cp -R "#{prefix}/toolchain" "toolchain"
-
-            # Patch toolchain to use Homebrew-installed binaries
-            # Replace get_install_binpath to return Homebrew bin directory
-            cat >> "toolchain/mfc/build.py" << 'PATCH_EOF'
-
-      # Homebrew patch: Override get_install_binpath to use pre-installed binaries
-      _original_get_install_binpath = MFCTarget.get_install_binpath
-      def _homebrew_get_install_binpath(self, case):
-          return "#{bin}/" + self.name
-      MFCTarget.get_install_binpath = _homebrew_get_install_binpath
-
-      # Override is_buildable to skip building main targets and syscheck
-      _original_is_buildable = MFCTarget.is_buildable
-      def _homebrew_is_buildable(self):
-          if self.name in ["pre_process", "simulation", "post_process", "syscheck"]:
-              return False  # Skip building - use pre-installed binaries
-          return _original_is_buildable(self)
-      MFCTarget.is_buildable = _homebrew_is_buildable
-      PATCH_EOF
-
-            # Copy examples directory (required by mfc.sh Python code)
-            cp -R "#{prefix}/examples" "examples"
-
-            # Create build directory and copy venv (not symlink - needs to be writable)
-            # Use cp -R for a full recursive copy
-            mkdir -p "build"
-            cp -R "#{venv}" "build/venv"
-
-            # Copy pyproject.toml to build/ so mfc.sh thinks dependencies are already installed
-            cp "#{prefix}/toolchain/pyproject.toml" "build/pyproject.toml"
-
-            # For 'mfc run', add --no-build flag to skip compilation
-            if [ "${1-}" = "run" ]; then
-              exec ./mfc.sh "$@" --no-build
-            else
-              exec ./mfc.sh "$@"
-            fi
+    (bin/"mfc").write <<~EOS
+      #!/bin/bash
+      set -euo pipefail
+
+      # Unset VIRTUAL_ENV to ensure mfc.sh uses our configured venv
+      unset VIRTUAL_ENV || true
+
+      # Create a temporary working directory (Cellar is read-only)
+      TMPDIR="$(mktemp -d)"
+      trap 'rm -rf "${TMPDIR}"' EXIT
+
+      # Copy mfc.sh to temp dir (it may try to write build artifacts)
+      cp "#{libexec}/mfc.sh" "${TMPDIR}/"
+      cd "${TMPDIR}"
+
+      # Copy toolchain directory (not symlink) so Python paths resolve correctly
+      # This prevents paths from resolving back to read-only Cellar
+      cp -R "#{prefix}/toolchain" "toolchain"
+
+      # Patch toolchain to use Homebrew-installed binaries
+      # Replace get_install_binpath to return Homebrew bin directory
+      cat >> "toolchain/mfc/build.py" << 'PATCH_EOF'
+
+  # Homebrew patch: Override get_install_binpath to use pre-installed binaries
+  _original_get_install_binpath = MFCTarget.get_install_binpath
+  def _homebrew_get_install_binpath(self, case):
+      return "#{bin}/" + self.name
+  MFCTarget.get_install_binpath = _homebrew_get_install_binpath
+
+  # Override is_buildable to skip building main targets and syscheck
+  _original_is_buildable = MFCTarget.is_buildable
+  def _homebrew_is_buildable(self):
+      if self.name in ["pre_process", "simulation", "post_process", "syscheck"]:
+          return False  # Skip building - use pre-installed binaries
+      return _original_is_buildable(self)
+  MFCTarget.is_buildable = _homebrew_is_buildable
+  PATCH_EOF
+
+      # Copy examples directory (required by mfc.sh Python code)
+      cp -R "#{prefix}/examples" "examples"
+
+      # Create build directory and symlink the persistent venv
+      mkdir -p "build"
+      ln -s "#{var}/mfc/venv" "build/venv"
+
+      # Copy pyproject.toml so mfc.sh thinks dependencies are already installed
+      cp "#{prefix}/toolchain/pyproject.toml" "build/pyproject.toml"
+
+      # For 'mfc run', add --no-build flag to skip compilation
+      if [ "${1-}" = "run" ]; then
+        exec ./mfc.sh "$@" --no-build
+      else
+        exec ./mfc.sh "$@"
+      fi
     EOS
-
-    # Make wrapper executable and install it
-    wrapper_script.chmod 0755
-    bin.install wrapper_script => "mfc"
+    (bin/"mfc").chmod 0755
   end
 
   def post_install
@@ -177,8 +168,8 @@ def caveats
     assert_path_exists prefix/"toolchain"
 
     # Test that venv exists and has required packages
-    assert_path_exists libexec/"venv"
-    assert_predicate libexec/"venv/bin/python", :executable?
+    assert_path_exists var/"mfc/venv"
+    assert_predicate (var/"mfc/venv/bin/python"), :executable?
 
     # Test that examples exist
     assert_path_exists prefix/"examples"