Greptile Summary

This PR comprehensively addresses 10 security and concurrency findings from a 2026 security audit, implementing critical hardening measures across the iOS app.

Key improvements:

• Keychain security hardening: Enforces kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly on all writes via delete-then-add pattern, preventing weaker accessibility attributes from persisting
• Sensitive data migration: Moves TLS fingerprints and gateway connection metadata from backup-extractable UserDefaults to Keychain with automatic legacy cleanup
• Concurrency safety: Replaces unsafe synchronization patterns (objc_sync_enter/exit, bare Bool flags, nonisolated(unsafe) counters) with OSAllocatedUnfairLock<T> to eliminate data races in TLS probe, camera delegates, and diagnostics logging
• Attack surface reduction: Gates ElevenLabs API key behind #if DEBUG, tightens deep link rate limit (1s → 5s), caps WebSocket message size (16 MB → 4 MB)
• Diagnostics hardening: Relocates logs from Documents to Caches directory with file protection attribute

Migration safety: The UserDefaults-to-Keychain migration logic is idempotent and runs on first access. Both GatewayTLSStore and GatewaySettingsStore check for existing Keychain entries before migrating and clean up legacy keys afterward.

Test coverage: Updated tests validate Keychain round-trips, migration paths, and connection metadata persistence. The camera and TLS probe concurrency fixes eliminate critical race conditions that could cause crashes.

Confidence Score: 4/5

• This PR is safe to merge with minor considerations for edge cases
• The implementation correctly addresses all cited audit findings with appropriate security controls and concurrency primitives. The OSAllocatedUnfairLock usage follows correct atomic read-modify-write patterns, the Keychain delete-then-add pattern properly enforces accessibility attributes, and attack surface reductions are sensible. One minor consideration: migration logic discards Keychain save return values, so data could theoretically be lost if Keychain writes fail during migration (low probability, low impact—user would just need to reconnect). The comprehensive test coverage and alignment with audit recommendations support high confidence.
• No files require special attention - all changes align with security audit findings and follow established patterns

_{Last reviewed commit: ea47df9}

The failing test src/cron/isolated-agent.uses-last-non-empty-agent-text-as.test.ts ("applies model overrides with correct precedence") is unrelated to this PR.

This PR only touches iOS/Swift files under apps/ios/ and apps/shared/OpenClawKit/ — zero changes to src/cron/ or any TypeScript files. The failure appears to be a pre-existing flaky test on main (last touched in #31594).

Could a maintainer re-run CI to confirm? Thanks!

Thanks for the effort here. I’m going to ask for a split before we review this.

This PR is too broad: it bundles multiple independent changes (keychain migration, TLS pinning storage, concurrency fixes, rate-limit/message-size tweaks, diagnostics path/protection changes, and
test updates) in one go. Please break this into smaller focused PRs so each change can be reviewed and validated independently.

Also, please don’t include the large generated audit docs in this PR. Files like:

• apps/ios/AUDIT-REPORT-2026.md
• apps/ios/audit-api-modernization.md
• apps/ios/audit-architecture.md
• apps/ios/audit-concurrency.md
• apps/ios/audit-security.md
• apps/ios/audit-uiux.md

add a lot of noise and make review harder. Keep this PR to code + tests needed for the actual fix set, and move docs to separate targeted PR(s) only if they’re needed.

Please re-open as a series of focused PRs (one concern per PR), and we can review quickly.

I'll cherry pick, merge and give attribution as needed. Thanks @Rocuts