From 781fa821a19e94bd510c451cd31ef1097188a7d7 Mon Sep 17 00:00:00 2001
From: admin <admin@MacBook-Air-7.local>
Date: Sun, 7 Jun 2026 14:42:15 -0400
Subject: [PATCH] macOS: enable network.client entitlement so account sync
 works
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The macOS app set `com.apple.security.network.client: false` ("this app
never reaches the network") — correct for the original white-noise-only
build. The listening-time account/sync feature (the magic-link sign-in +
G-Counter sync to cascade-sync-server) was added afterwards but the
sandbox entitlement was never re-enabled, so under the App Sandbox every
outbound URLSession call fails silently and the UI just shows
"Couldn't send the sign-in link."

Flip the entitlement to true (and regenerate Cascade.entitlements). This
is the macOS counterpart of the Android INTERNET-permission fix (#10).

Verified end-to-end on macOS after the change: magic-link request,
verify/sign-in, cross-device sync pull, delete-data, and delete-account
all work against the live sync server.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 apps/apple/CascadeMac/Cascade.entitlements | 2 +-
 apps/apple/project.yml                     | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/apps/apple/CascadeMac/Cascade.entitlements b/apps/apple/CascadeMac/Cascade.entitlements
index 0ab12df..ee95ab7 100644
--- a/apps/apple/CascadeMac/Cascade.entitlements
+++ b/apps/apple/CascadeMac/Cascade.entitlements
@@ -5,6 +5,6 @@
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.network.client</key>
-	<false/>
+	<true/>
 </dict>
 </plist>
diff --git a/apps/apple/project.yml b/apps/apple/project.yml
index 6b8b8d9..ecca7cc 100644
--- a/apps/apple/project.yml
+++ b/apps/apple/project.yml
@@ -56,8 +56,9 @@ targets:
         # App Sandbox: audio + Application Support writes + IOKit power
         # assertions + MediaPlayer Now Playing all work under sandbox.
         com.apple.security.app-sandbox: true
-        # Explicit: this app never reaches the network.
-        com.apple.security.network.client: false
+        # Outbound network for the optional account/listening-time sync
+        # (magic-link sign-in + G-Counter sync to cascade-sync-server).
+        com.apple.security.network.client: true
     settings:
       base:
         PRODUCT_BUNDLE_IDENTIFIER: page.stephens.cascade