
fix(mobile): configure iOS Keychain access group #3665

Open

VedankPurohit wants to merge 1 commit into pingdotgg:main from VedankPurohit:fix/mobile-ios-keychain-access-group

Conversation

VedankPurohit commented Jul 2, 2026

Summary

  • Adds explicit iOS Keychain access-group configuration for mobile app variants.
  • Covers the development bundle identifier with a small Expo config regression test.
  • Keeps credential storage on SecureStore; no insecure fallback storage is added.

The mobile app stores connection credentials through expo-secure-store, which uses the iOS Keychain. During iOS simulator pairing, SecureStore previously failed with:

Calling the 'getValueWithKeyAsync' function has failed
A required entitlement isn't present.

The Expo iOS config did not explicitly declare a bundle-scoped Keychain access group. This adds $(AppIdentifierPrefix)<bundle identifier> for each app variant.

Test plan

  • vp run --filter @t3tools/mobile test -- app.config.test.ts
  • vp run typecheck
  • vp run lint:mobile
  • vp check
  • Built and installed the native iOS simulator app, paired with a local server, then relaunched and confirmed the saved environment loaded.

Notes

This app uses Expo native tooling/dev-client style builds, not Expo Go.

On this Xcode simulator setup, the installed simulator app still reports empty embedded entitlements because Xcode reports ENTITLEMENTS_ALLOWED = NO. The runtime pairing and SecureStore read-back flow was validated successfully.


Note

Low Risk
Expo iOS entitlement and regression-test changes only; no auth logic or insecure storage fallbacks.

Overview
Adds explicit iOS Keychain access-group entitlements to the Expo config so expo-secure-store can read/write credentials without the simulator “required entitlement isn’t present” error.

Each app variant now declares keychain-access-groups as $(AppIdentifierPrefix)<iosBundleIdentifier>, aligned with that variant’s bundle ID. A new app.config.test.ts reloads the config per APP_VARIANT and asserts the development build gets com.t3tools.t3code.dev and the matching access group.

Reviewed by Cursor Bugbot for commit 61f9307. Bugbot is set up for automated code reviews on this repo.

Note

Configure iOS Keychain access group entitlement in mobile app config

Adds a Keychain access groups entitlement to the iOS config in app.config.ts, setting the value to $(AppIdentifierPrefix)<bundle-id> derived from the active variant. Adds a test in app.config.test.ts that verifies the entitlement is set correctly for the development variant.

Macroscope summarized 61f9307.

This keeps development iOS builds aligned with the bundle-scoped Keychain storage used by SecureStore during local simulator pairing.
coderabbitai Bot commented Jul 2, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2d8c33b2-e3f0-4331-95c1-cdac530f53a1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


github-actions Bot added the labels vouch:unvouched (PR author is not yet trusted in the VOUCHED list) and size:XS (0-9 changed lines, additions + deletions) on Jul 2, 2026
macroscopeapp Bot commented Jul 2, 2026

Approvability

Verdict: Needs human review

This PR modifies iOS Keychain entitlements, which falls under security-sensitive configuration. Even though the change follows standard patterns (scoping keychain access to the app's own bundle), security-related configurations warrant human review.


VedankPurohit (Author) commented

Context for the human review flagged above: the declared group $(AppIdentifierPrefix)<bundle identifier> is each app variant's own default Keychain access group, so this doesn't broaden access — it makes the implicit default explicit so SecureStore's Keychain calls stop failing during simulator pairing. The widget extension target only uses an App Group (com.apple.security.application-groups) and has never declared Keychain sharing, so no other target's access changes.
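The PR description and the author's comment above both describe the same pattern: derive the iOS bundle identifier from APP_VARIANT and declare exactly one Keychain access group, $(AppIdentifierPrefix) followed by that same bundle identifier, so the entitlement names the app's own default group and nothing wider. The block below is an added illustration of that pattern and of the regression check a reviewer would want; it is not the project's app.config.ts or app.config.test.ts. Only the development bundle identifier (com.t3tools.t3code.dev) comes from the PR; the preview and production variant names and bundle identifiers, and every function name, are assumptions made for the example. The entitlement key keychain-access-groups is Apple's, and Xcode expands $(AppIdentifierPrefix) to the team's app identifier prefix at build time.

```typescript
// Added example, not the project's code: resolve the iOS bundle identifier and
// a bundle-scoped Keychain access group per APP_VARIANT, and guard against any
// declared group that is not the app's own.

type Variant = "development" | "preview" | "production";

// Constructed variant -> bundle identifier map. Only the development entry is
// taken from the PR; the preview and production values are assumptions.
const BUNDLE_IDS: Record<Variant, string> = {
  development: "com.t3tools.t3code.dev",
  preview: "com.t3tools.t3code.preview", // assumed
  production: "com.t3tools.t3code", // assumed
};

// Shape of the ios section this example emits; an Expo config places the
// entitlement under ios.entitlements with Apple's key as the property name.
interface IosConfig {
  bundleIdentifier: string;
  entitlements: {
    "keychain-access-groups": string[];
  };
}

function isVariant(value: string): value is Variant {
  return Object.prototype.hasOwnProperty.call(BUNDLE_IDS, value);
}

// Build the ios section for one variant. An unknown variant fails loudly
// instead of silently falling back to another variant's bundle identifier.
function iosConfigForVariant(variant: string): IosConfig {
  if (!isVariant(variant)) {
    throw new Error(`Unknown APP_VARIANT: ${variant}`);
  }
  const bundleIdentifier = BUNDLE_IDS[variant];
  return {
    bundleIdentifier,
    entitlements: {
      // $(AppIdentifierPrefix) is expanded by Xcode at build time, so the
      // group is <team prefix>.<this variant's bundle id>: the default group.
      "keychain-access-groups": [`$(AppIdentifierPrefix)${bundleIdentifier}`],
    },
  };
}

// Regression guard: every declared group must be exactly the app's own default
// group. Another bundle id, a wildcard, or a bare team prefix would widen the
// set of apps able to read the credentials SecureStore writes.
function keychainGroupsAreBundleScoped(config: IosConfig): boolean {
  const own = `$(AppIdentifierPrefix)${config.bundleIdentifier}`;
  const groups = config.entitlements["keychain-access-groups"];
  return groups.length > 0 && groups.every((g) => g === own);
}

// Resolve the variant the way an app.config.ts would, from APP_VARIANT,
// defaulting to development when it is unset.
function configFromEnv(env: Record<string, string | undefined>): IosConfig {
  return iosConfigForVariant(env.APP_VARIANT ?? "development");
}

// Stand-alone usage: print the development config and confirm it is scoped.
const devConfig = configFromEnv({ APP_VARIANT: "development" });
console.log(JSON.stringify(devConfig, null, 2));
console.log("bundle-scoped:", keychainGroupsAreBundleScoped(devConfig));
```

Running the guard in a config test, as the PR does per APP_VARIANT, catches the failure mode the Macroscope verdict is worried about: a later edit that points the group at a different bundle identifier or a shared prefix would still build, but would fail this check before it reaches a device.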
