Improve launch robustness: fix sandbox networking, update signing and bundle ID

- Add network.client, network.name, and network.server sandbox entitlements
  to fix DNS resolution blocked by app sandbox
- Switch to automatic signing with Apple Development identity
- Set app category to Productivity
- Change bundle identifier from com.taskmenu to dev.crazytan.TaskMenu
- Make keychain load/save log errors via os.log instead of silently
  swallowing with try?; on load failure, clear all tokens so the user
  gets a clean sign-in prompt
- Add FailingKeychainService test stub and keychain error test
- Move signing config (CODE_SIGN_STYLE, CODE_SIGN_IDENTITY) from
  Config.xcconfig into project.yml; only DEVELOPMENT_TEAM remains
  per-developer

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: crazytan

Config.xcconfig.example

@@ -5,8 +5,6 @@
 GOOGLE_CLIENT_ID = your-client-id.apps.googleusercontent.com
 GOOGLE_CLIENT_SECRET = your-client-secret
 
-// Optional local signing overrides.
-// Keep these out of source control so different machines and CI can provide their own values.
+// Developer-specific signing. CODE_SIGN_STYLE and CODE_SIGN_IDENTITY are set
+// in project.yml (Automatic / Apple Development). Override here if needed.
 DEVELOPMENT_TEAM = YOUR_TEAM_ID
-CODE_SIGN_STYLE = Automatic
-CODE_SIGN_IDENTITY =

TaskMenu.xcodeproj/project.pbxproj

@@ -43,6 +43,7 @@
 		E53F1F56DBC73CF159E93516 /* SignInView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7270F80F12239828D873B133 /* SignInView.swift */; };
 		E54169E513191306010635A7 /* AppIcon.svg in Resources */ = {isa = PBXBuildFile; fileRef = 8C8C52C19BDA6F8F2D3C638F /* AppIcon.svg */; };
 		E7D0145136EE024CB87D7963 /* TaskListView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 612D4C039654B488ADC17151 /* TaskListView.swift */; };
+		F583510B7875405F768BADD3 /* TaskDetailViewTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 62C9B2D2EE1B7668B9245DBE /* TaskDetailViewTests.swift */; };
 		FEBB3BC550B3CC63B620ED8F /* AppStateTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8F3614C7335BB0200D28F074 /* AppStateTests.swift */; };
 		FF5F630937F736E64BD3C1FD /* SettingsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5D04BFBB6F10A824FCFD02C9 /* SettingsView.swift */; };
 /* End PBXBuildFile section */
@@ -72,6 +73,7 @@
 		5AF69FFA11009E78484C090A /* TaskMenuApp.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TaskMenuApp.swift; sourceTree = "<group>"; };
 		5D04BFBB6F10A824FCFD02C9 /* SettingsView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SettingsView.swift; sourceTree = "<group>"; };
 		612D4C039654B488ADC17151 /* TaskListView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TaskListView.swift; sourceTree = "<group>"; };
+		62C9B2D2EE1B7668B9245DBE /* TaskDetailViewTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TaskDetailViewTests.swift; sourceTree = "<group>"; };
 		633899C51990EF71D24F5C89 /* TaskList.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TaskList.swift; sourceTree = "<group>"; };
 		63E868E0B0520F6ABD40D350 /* GoogleAuthService.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GoogleAuthService.swift; sourceTree = "<group>"; };
 		68CD93FC69779BFB08340F08 /* TaskMenu.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = TaskMenu.entitlements; sourceTree = "<group>"; };
@@ -208,6 +210,7 @@
 				058C00FB539FD9B1D05BCBFD /* KeychainServiceTests.swift */,
 				BB598B8D34C0A014D7826A63 /* MockURLProtocol.swift */,
 				4AC00155161191D4DBBDA015 /* SearchFilterTests.swift */,
+				62C9B2D2EE1B7668B9245DBE /* TaskDetailViewTests.swift */,
 				6E4CD6808B2587AD2F8F9563 /* TaskItemModelTests.swift */,
 				A2191A69341B04C760925B55 /* TaskListViewTests.swift */,
 				9C0DB3189CC6045A5C0A230F /* TaskMenuAppTests.swift */,
@@ -275,12 +278,11 @@
 				LastUpgradeCheck = 2640;
 				TargetAttributes = {
 					2499498786EF41DCFC6BE7F6 = {
-						DevelopmentTeam = ZW5U6862Q8;
-						ProvisioningStyle = Manual;
+						DevelopmentTeam = V82M9YX8BR;
 					};
 					54F3465CB5E85F801680719A = {
-						DevelopmentTeam = ZW5U6862Q8;
-						ProvisioningStyle = Manual;
+						DevelopmentTeam = V82M9YX8BR;
+						ProvisioningStyle = Automatic;
 					};
 				};
 			};
@@ -360,6 +362,7 @@
 				3059000A80728B12B6989398 /* KeychainServiceTests.swift in Sources */,
 				D321CE95DA3DC0D6090CD619 /* MockURLProtocol.swift in Sources */,
 				8F3D1A4FC0600A0D85BA22E8 /* SearchFilterTests.swift in Sources */,
+				F583510B7875405F768BADD3 /* TaskDetailViewTests.swift in Sources */,
 				0FD718B29CF8183561A6F550 /* TaskItemModelTests.swift in Sources */,
 				B1E9E90C4184BDD3DED97A2B /* TaskListViewTests.swift in Sources */,
 				44D8CA5D6D124CF97A57EF1D /* TaskMenuAppTests.swift in Sources */,
@@ -383,16 +386,20 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = TaskMenu/Resources/TaskMenu.entitlements;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = TaskMenu/Resources/Info.plist;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.productivity";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = com.taskmenu.TaskMenu;
+				PRODUCT_BUNDLE_IDENTIFIER = dev.crazytan.TaskMenu;
 				PRODUCT_NAME = TaskMenu;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SDKROOT = macosx;
 			};
 			name = Release;
@@ -478,7 +485,7 @@
 					"@executable_path/../Frameworks",
 					"@loader_path/../Frameworks",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = com.taskmenu.TaskMenuTests;
+				PRODUCT_BUNDLE_IDENTIFIER = dev.crazytan.TaskMenuTests;
 				SDKROOT = macosx;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/TaskMenu.app/Contents/MacOS/TaskMenu";
 			};
@@ -552,16 +559,20 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = TaskMenu/Resources/TaskMenu.entitlements;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = TaskMenu/Resources/Info.plist;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.productivity";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = com.taskmenu.TaskMenu;
+				PRODUCT_BUNDLE_IDENTIFIER = dev.crazytan.TaskMenu;
 				PRODUCT_NAME = TaskMenu;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SDKROOT = macosx;
 			};
 			name = Debug;
@@ -577,7 +588,7 @@
 					"@executable_path/../Frameworks",
 					"@loader_path/../Frameworks",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = com.taskmenu.TaskMenuTests;
+				PRODUCT_BUNDLE_IDENTIFIER = dev.crazytan.TaskMenuTests;
 				SDKROOT = macosx;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/TaskMenu.app/Contents/MacOS/TaskMenu";
 			};

TaskMenu/Resources/TaskMenu.entitlements

@@ -2,10 +2,10 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.security.app-sandbox</key>
-	<true/>
 	<key>com.apple.security.network.client</key>
 	<true/>
+	<key>com.apple.security.network.name</key>
+	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
 </dict>

TaskMenu/Services/GoogleAuthService.swift

@@ -1,6 +1,9 @@
 import AuthenticationServices
 import CryptoKit
 import Foundation
+import os.log
+
+private let logger = Logger(subsystem: Bundle.main.bundleIdentifier ?? "TaskMenu", category: "Auth")
 
 @MainActor
 final class GoogleAuthService: Sendable {
@@ -138,22 +141,32 @@ final class GoogleAuthService: Sendable {
     }
 
     private func saveTokens() {
-        try? keychain.save(key: Constants.Keychain.accessTokenKey, string: accessToken ?? "")
-        if let refreshToken {
-            try? keychain.save(key: Constants.Keychain.refreshTokenKey, string: refreshToken)
-        }
-        if let expiration = tokenExpiration {
-            let data = String(expiration.timeIntervalSince1970)
-            try? keychain.save(key: Constants.Keychain.expirationKey, string: data)
+        do {
+            try keychain.save(key: Constants.Keychain.accessTokenKey, string: accessToken ?? "")
+            if let refreshToken {
+                try keychain.save(key: Constants.Keychain.refreshTokenKey, string: refreshToken)
+            }
+            if let expiration = tokenExpiration {
+                try keychain.save(key: Constants.Keychain.expirationKey, string: String(expiration.timeIntervalSince1970))
+            }
+        } catch {
+            logger.error("Failed to save tokens to keychain: \(error.localizedDescription)")
         }
     }
 
     private func loadTokens() {
-        accessToken = try? keychain.readString(key: Constants.Keychain.accessTokenKey)
-        refreshToken = try? keychain.readString(key: Constants.Keychain.refreshTokenKey)
-        if let expStr = try? keychain.readString(key: Constants.Keychain.expirationKey),
-           let interval = Double(expStr) {
-            tokenExpiration = Date(timeIntervalSince1970: interval)
+        do {
+            accessToken = try keychain.readString(key: Constants.Keychain.accessTokenKey)
+            refreshToken = try keychain.readString(key: Constants.Keychain.refreshTokenKey)
+            if let expStr = try keychain.readString(key: Constants.Keychain.expirationKey),
+               let interval = Double(expStr) {
+                tokenExpiration = Date(timeIntervalSince1970: interval)
+            }
+        } catch {
+            logger.error("Failed to load tokens from keychain: \(error.localizedDescription)")
+            accessToken = nil
+            refreshToken = nil
+            tokenExpiration = nil
         }
     }
 

TaskMenu/Utilities/Constants.swift

@@ -20,7 +20,7 @@ enum Constants {
     static let redirectHost = "127.0.0.1"
 
     enum Keychain {
-        static let service = "com.taskmenu.oauth"
+        static let service = "dev.crazytan.TaskMenu.oauth"
         static let accessTokenKey = "access_token"
         static let refreshTokenKey = "refresh_token"
         static let expirationKey = "token_expiration"
@@ -31,6 +31,6 @@ enum Constants {
     }
 
     enum Notifications {
-        static let dueDateIdentifierPrefix = "com.taskmenu.dueDate"
+        static let dueDateIdentifierPrefix = "dev.crazytan.TaskMenu.dueDate"
     }
 }

TaskMenuTests/AppStateBehaviorTests.swift

@@ -16,7 +16,7 @@ final class AppStateBehaviorTests: XCTestCase {
         MockURLProtocol.reset()
 
         keychain = InMemoryKeychainService()
-        userDefaultsSuiteName = "com.taskmenu.tests.appstate.behavior.\(UUID().uuidString)"
+        userDefaultsSuiteName = "dev.crazytan.TaskMenu.tests.appstate.behavior.\(UUID().uuidString)"
         userDefaults = UserDefaults(suiteName: userDefaultsSuiteName)
         userDefaults.removePersistentDomain(forName: userDefaultsSuiteName)
         dueDateNotificationService = TestDueDateNotificationService()

TaskMenuTests/AppStateTests.swift

@@ -10,7 +10,7 @@ final class AppStateTests: XCTestCase {
 
     override func setUp() async throws {
         keychain = InMemoryKeychainService()
-        userDefaultsSuiteName = "com.taskmenu.tests.appstate.\(UUID().uuidString)"
+        userDefaultsSuiteName = "dev.crazytan.TaskMenu.tests.appstate.\(UUID().uuidString)"
         userDefaults = UserDefaults(suiteName: userDefaultsSuiteName)
         userDefaults.removePersistentDomain(forName: userDefaultsSuiteName)
         dueDateNotificationService = TestDueDateNotificationService()

TaskMenuTests/GoogleAuthServiceTests.swift

@@ -74,6 +74,15 @@ final class GoogleAuthServiceTests: XCTestCase {
         XCTAssertNil(auth.tokenExpiration)
     }
 
+    func testLoadTokensClearsAllOnKeychainError() {
+        let failingKeychain = FailingKeychainService()
+        let auth = GoogleAuthService(keychain: failingKeychain)
+        XCTAssertNil(auth.accessToken)
+        XCTAssertNil(auth.refreshToken)
+        XCTAssertNil(auth.tokenExpiration)
+        XCTAssertFalse(auth.isSignedIn)
+    }
+
     // MARK: - Sign Out
 
     func testSignOutClearsTokens() throws {

TaskMenuTests/InMemoryKeychainService.swift

@@ -1,6 +1,33 @@
 @testable import TaskMenu
 import Foundation
 
+/// Keychain stub that always throws — for testing error-handling paths.
+final class FailingKeychainService: KeychainServiceProtocol, @unchecked Sendable {
+    func save(key: String, data: Data) throws {
+        throw KeychainError.saveFailed(-1)
+    }
+
+    func save(key: String, string: String) throws {
+        throw KeychainError.saveFailed(-1)
+    }
+
+    func read(key: String) throws -> Data? {
+        throw KeychainError.readFailed(-1)
+    }
+
+    func readString(key: String) throws -> String? {
+        throw KeychainError.readFailed(-1)
+    }
+
+    func delete(key: String) throws {
+        throw KeychainError.deleteFailed(-1)
+    }
+
+    func deleteAll() throws {
+        throw KeychainError.deleteFailed(-1)
+    }
+}
+
 /// In-memory keychain replacement for tests — avoids macOS Keychain prompts.
 final class InMemoryKeychainService: KeychainServiceProtocol, @unchecked Sendable {
     private var storage: [String: Data] = [:]

TaskMenuTests/KeychainServiceTests.swift

@@ -60,7 +60,7 @@ final class KeychainServiceTests: XCTestCase {
 
     func testProductionKeychainUsesInMemoryStoreUnderXCTest() throws {
         let keychain = KeychainService(
-            service: "com.taskmenu.test.production.\(UUID().uuidString)",
+            service: "dev.crazytan.TaskMenu.test.production.\(UUID().uuidString)",
             environment: testEnvironment
         )
 
@@ -71,11 +71,11 @@ final class KeychainServiceTests: XCTestCase {
 
     func testProductionKeychainInMemoryStoreIsScopedByService() throws {
         let keychainA = KeychainService(
-            service: "com.taskmenu.test.production.a.\(UUID().uuidString)",
+            service: "dev.crazytan.TaskMenu.test.production.a.\(UUID().uuidString)",
             environment: testEnvironment
         )
         let keychainB = KeychainService(
-            service: "com.taskmenu.test.production.b.\(UUID().uuidString)",
+            service: "dev.crazytan.TaskMenu.test.production.b.\(UUID().uuidString)",
             environment: testEnvironment
         )