
fix(mobile): configure iOS Keychain access group #3665

Open

VedankPurohit wants to merge 2 commits into pingdotgg:main from VedankPurohit:fix/mobile-ios-keychain-access-group

Conversation

@VedankPurohit VedankPurohit commented Jul 2, 2026


Summary

  • Adds explicit iOS Keychain access-group configuration for mobile app variants.
  • Covers the development bundle identifier with a small Expo config regression test.
  • Keeps credential storage on SecureStore; no insecure fallback storage is added.

The mobile app stores connection credentials through expo-secure-store, which uses the iOS Keychain. During iOS simulator pairing, SecureStore previously failed with:

Calling the 'getValueWithKeyAsync' function has failed
A required entitlement isn't present.

The Expo iOS config did not explicitly declare a bundle-scoped Keychain access group. This adds $(AppIdentifierPrefix)<bundle identifier> for each app variant.

Test plan

  • vp run --filter @t3tools/mobile test -- app.config.test.ts
  • vp run typecheck
  • vp run lint:mobile
  • vp check
  • Built and installed the native iOS simulator app, paired with a local server, then relaunched and confirmed the saved environment loaded.

Notes

This app uses Expo native tooling/dev-client style builds, not Expo Go.

On this Xcode simulator setup, the installed simulator app still reports empty embedded entitlements because Xcode reports ENTITLEMENTS_ALLOWED = NO. The runtime pairing and SecureStore read-back flow was validated successfully.


Note

Medium Risk
Touches credential-storage entitlements on iOS; wrong access groups could break SecureStore until fixed, but the change is narrow and variant-scoped.

Overview
Fixes iOS SecureStore / Keychain failures (missing entitlement) during simulator pairing by declaring an explicit Keychain access group on each app variant.

app.config.ts now sets ios.entitlements["keychain-access-groups"] to $(AppIdentifierPrefix)<variant bundle identifier>, aligned with the variant’s iosBundleIdentifier so expo-secure-store can read and write connection credentials after native builds.

Adds app.config.test.ts to lock in the development variant: bundle id com.t3tools.t3code.dev and the matching access-group entitlement. Requires a native iOS rebuild for the entitlement to take effect.

Reviewed by Cursor Bugbot for commit 2b64756. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Configure iOS Keychain access group entitlement in mobile app config

Adds a Keychain access groups entitlement to the iOS config in app.config.ts, setting the value to $(AppIdentifierPrefix)<bundle-id> derived from the active variant. Adds a test in app.config.test.ts that verifies the entitlement is set correctly for the development variant.

Macroscope summarized 2b64756.

This keeps development iOS builds aligned with the bundle-scoped Keychain storage used by SecureStore during local simulator pairing.
coderabbitai Bot commented Jul 2, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4c52df7f-64d4-4fd5-9f73-df9319d588e6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


github-actions Bot added labels Jul 2, 2026: vouch:unvouched (PR author is not yet trusted in the VOUCHED list) and size:XS (0-9 changed lines, additions + deletions).

macroscopeapp Bot commented Jul 2, 2026


Approvability

Verdict: Needs human review

This PR modifies iOS Keychain entitlements, which falls under security-sensitive configuration. Even though the change follows standard patterns (scoping keychain access to the app's own bundle), security-related configurations warrant human review.

You can customize Macroscope's approvability policy. Learn more.

VedankPurohit (Author) commented

Context for the human review flagged above: the declared group $(AppIdentifierPrefix)<bundle identifier> is each app variant's own default Keychain access group, so this doesn't broaden access — it makes the implicit default explicit so SecureStore's Keychain calls stop failing during simulator pairing. The widget extension target only uses an App Group (com.apple.security.application-groups) and has never declared Keychain sharing, so no other target's access changes.
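The following is an added example, not the project's app.config.ts or any code from the PR. It shows the two points made in the PR description and in the author's comment above: how a per-variant `keychain-access-groups` entitlement is derived from the variant's bundle identifier, and a review check that the declared groups contain nothing beyond the app's own bundle-scoped group (which is what keeps the change from broadening Keychain access). Only the development bundle id `com.t3tools.t3code.dev` comes from the PR; the `preview` and `production` ids, the `Variant` type and every function name are assumptions made for this example.

```typescript
// Added example (not the project's app.config.ts): derive a per-variant
// keychain-access-groups entitlement and check that it names only the
// app's own bundle-scoped group.

type Variant = "development" | "preview" | "production";

// Assumption: one bundle identifier per variant. Only the development id
// (com.t3tools.t3code.dev) is taken from the PR; the others are placeholders
// constructed for this example.
const BUNDLE_IDS: Record<Variant, string> = {
  development: "com.t3tools.t3code.dev",
  preview: "com.example.placeholder.preview",
  production: "com.example.placeholder",
};

const KEYCHAIN_GROUPS_KEY = "keychain-access-groups";

interface IosConfig {
  bundleIdentifier: string;
  // Entitlements are passed through to the generated .entitlements plist.
  entitlements: Record<string, unknown>;
}

// The app's own default Keychain access group is $(AppIdentifierPrefix)
// followed by its bundle identifier; Xcode substitutes the team prefix at
// build time. Declaring it explicitly keeps SecureStore on the group it
// already used implicitly, without adding any shared group.
function keychainGroupFor(bundleIdentifier: string): string {
  return `$(AppIdentifierPrefix)${bundleIdentifier}`;
}

// Shape of the `ios` section an Expo config would produce for a variant.
function buildIosConfig(variant: Variant): IosConfig {
  const bundleIdentifier = BUNDLE_IDS[variant];
  return {
    bundleIdentifier,
    entitlements: {
      // The entitlement value is an array of access-group strings.
      [KEYCHAIN_GROUPS_KEY]: [keychainGroupFor(bundleIdentifier)],
    },
  };
}

// Review check: return every declared group that is not the app's own.
// Any extra entry is a sharing group that other apps signed with the same
// team prefix could also declare, so it should be an explicit decision
// rather than an accident. A missing or empty entitlement is reported as a
// single sentinel entry so the caller cannot mistake it for "clean".
function findForeignKeychainGroups(config: IosConfig): string[] {
  const own = keychainGroupFor(config.bundleIdentifier);
  const groups = config.entitlements[KEYCHAIN_GROUPS_KEY];
  if (!Array.isArray(groups) || groups.length === 0) {
    return [`<missing ${KEYCHAIN_GROUPS_KEY}>`];
  }
  return groups
    .map((g) => (typeof g === "string" ? g : String(g)))
    .filter((g) => g !== own);
}

// Mirrors the intent of the PR's regression test for the development
// variant: the expected bundle id and a bundle-scoped group, nothing else.
function developmentVariantIsBundleScoped(): boolean {
  const dev = buildIosConfig("development");
  return (
    dev.bundleIdentifier === "com.t3tools.t3code.dev" &&
    findForeignKeychainGroups(dev).length === 0
  );
}
```

`findForeignKeychainGroups` is the piece worth keeping around in a config test: it fails the build if a shared group is ever added to a variant without the bundle identifier being reviewed alongside it, and it treats a missing entitlement as a finding rather than as a pass, which is the failure mode the PR originally hit.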

…in-access-group

# Conflicts:
#	apps/mobile/app.config.ts