fix(mobile): configure iOS Keychain access group#3665
Conversation
This keeps development iOS builds aligned with the bundle-scoped Keychain storage used by SecureStore during local simulator pairing.
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ApprovabilityVerdict: Approved This is a standard iOS configuration change adding keychain-access-groups entitlement with the app's own bundle identifier. The change is declarative, follows standard patterns, and poses minimal risk. You can customize Macroscope's approvability policy. Learn more. |
|
Context for the human review flagged above: the declared group |
…in-access-group # Conflicts: # apps/mobile/app.config.ts
Summary
The mobile app stores connection credentials through
expo-secure-store, which uses the iOS Keychain. During iOS simulator pairing, SecureStore previously failed with:The Expo iOS config did not explicitly declare a bundle-scoped Keychain access group. This adds
$(AppIdentifierPrefix)<bundle identifier>for each app variant.Test plan
vp run --filter @t3tools/mobile test -- app.config.test.tsvp run typecheckvp run lint:mobilevp checkNotes
This app uses Expo native tooling/dev-client style builds, not Expo Go.
On this Xcode simulator setup, the installed simulator app still reports empty embedded entitlements because Xcode reports
ENTITLEMENTS_ALLOWED = NO. The runtime pairing and SecureStore read-back flow was validated successfully.Note
Low Risk
Expo iOS build/signing configuration only; no changes to credential storage logic or APIs.
Overview
Adds an explicit Keychain access groups iOS entitlement in
app.config.ts, set to$(AppIdentifierPrefix)plus each variant’siosBundleIdentifier, so native builds include the entitlementexpo-secure-storeneeds.This targets the simulator/runtime error where SecureStore reads failed with “A required entitlement isn’t present” because no bundle-scoped access group was declared in the Expo iOS config.
Reviewed by Cursor Bugbot for commit f368d56. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Add keychain-access-groups entitlement to iOS builds
Adds
ios.entitlementsto app.config.ts with akeychain-access-groupsentry set to$(AppIdentifierPrefix)<bundleIdentifier>. This configures the app to participate in the correct iOS keychain access group at runtime.Macroscope summarized f368d56.