fix(mobile): configure iOS Keychain access group #3665
This keeps development iOS builds aligned with the bundle-scoped Keychain storage used by SecureStore during local simulator pairing.
Approvability
Verdict: Needs human review
This PR modifies iOS Keychain entitlements, which falls under security-sensitive configuration. Even though the change follows standard patterns (scoping keychain access to the app's own bundle), security-related configurations warrant human review. You can customize Macroscope's approvability policy.
Context for the human review flagged above: the declared group
Summary
The mobile app stores connection credentials through expo-secure-store, which uses the iOS Keychain. During iOS simulator pairing, SecureStore previously failed with:

The Expo iOS config did not explicitly declare a bundle-scoped Keychain access group. This adds $(AppIdentifierPrefix)<bundle identifier> for each app variant.

Test plan
vp run --filter @t3tools/mobile test -- app.config.test.ts
vp run typecheck
vp run lint:mobile
vp check

Notes
This app uses Expo native tooling/dev-client style builds, not Expo Go.
On this Xcode simulator setup, the installed simulator app still reports empty embedded entitlements because Xcode reports ENTITLEMENTS_ALLOWED = NO. The runtime pairing and SecureStore read-back flow was validated successfully.

Note
Low Risk
Expo iOS entitlement and regression-test changes only; no auth logic or insecure storage fallbacks.
Overview
Adds explicit iOS Keychain access-group entitlements to the Expo config so expo-secure-store can read/write credentials without the simulator “required entitlement isn’t present” error.

Each app variant now declares keychain-access-groups as $(AppIdentifierPrefix)<iosBundleIdentifier>, aligned with that variant’s bundle ID. A new app.config.test.ts reloads the config per APP_VARIANT and asserts the development build gets com.t3tools.t3code.dev and the matching access group.

Reviewed by Cursor Bugbot for commit 61f9307.
Note
Configure iOS Keychain access group entitlement in mobile app config
Adds a Keychain access groups entitlement to the iOS config in app.config.ts, setting the value to $(AppIdentifierPrefix)<bundle-id> derived from the active variant. Adds a test in app.config.test.ts that verifies the entitlement is set correctly for the development variant.

Macroscope summarized 61f9307.
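
The bundle-scoping property the summaries above describe can be checked mechanically. The following is an added example, not code from this PR or repository: it builds a per-variant iOS config shaped like Expo's `ios.bundleIdentifier` and `ios.entitlements` fields and audits that `keychain-access-groups` names only the variant's own bundle. The names `VARIANT_BUNDLE_IDS`, `iosConfigFor` and `auditKeychainGroups` are hypothetical, and the production bundle ID is a constructed placeholder.

```typescript
// Added example; VARIANT_BUNDLE_IDS, iosConfigFor and auditKeychainGroups are hypothetical names.
type IosConfig = {
  bundleIdentifier: string;
  entitlements?: Record<string, unknown>;
};

const PREFIX = "$(AppIdentifierPrefix)";
const KEY = "keychain-access-groups";

// Only the development bundle ID appears in the PR text; the production
// value is a constructed placeholder.
const VARIANT_BUNDLE_IDS: Record<string, string> = {
  development: "com.t3tools.t3code.dev",
  production: "com.example.placeholder",
};

// Build the iOS section for one variant, scoping the Keychain access group
// to that variant's own bundle ID.
function iosConfigFor(variant: string): IosConfig {
  const bundleIdentifier = VARIANT_BUNDLE_IDS[variant];
  if (bundleIdentifier === undefined) {
    throw new Error("unknown APP_VARIANT: " + variant);
  }
  return { bundleIdentifier, entitlements: { [KEY]: [PREFIX + bundleIdentifier] } };
}

// Return findings; an empty list means the entitlement is present and
// contains only the group derived from this config's bundle ID.
function auditKeychainGroups(ios: IosConfig): string[] {
  const groups = ios.entitlements ? ios.entitlements[KEY] : undefined;
  if (!Array.isArray(groups) || groups.length === 0) {
    return [KEY + " is missing or empty"];
  }
  const expected = PREFIX + ios.bundleIdentifier;
  const findings: string[] = [];
  for (const g of groups) {
    if (typeof g !== "string") findings.push("non-string group entry");
    else if (g !== expected) findings.push("group not scoped to this bundle: " + g);
  }
  if (groups.indexOf(expected) === -1) findings.push("expected group absent: " + expected);
  return findings;
}
```

Running the audit over every variant, not only development, catches a variant whose access group was copied from another variant's bundle ID.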