Upgrade to recommended Xcode 26 project settings

[mattt]

No description provided.

[Copilot]

Pull request overview

This PR claims to upgrade Xcode project settings to "Xcode 26", but this appears to be an error as Xcode 26 does not exist. The changes update LastUpgradeVersion/LastUpgradeCheck values to "2620" and make significant modifications to build settings and entitlements files.

Changes:

• Updates version numbers in Xcode project files from "1630" to "2620"
• Adds new sandbox permission build settings (ENABLE_APP_SANDBOX, network connections, resource access for camera, calendar, contacts, location, etc.)
• Removes most explicit entitlement declarations from both App.entitlements and App.Debug.entitlements files, keeping only a minimal set

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.

File	Description
iMCP.xcodeproj/xcshareddata/xcschemes/iMCP.xcscheme	Updates LastUpgradeVersion to "2620" (invalid version)
iMCP.xcodeproj/project.pbxproj	Updates LastUpgradeCheck to "2620", adds sandbox permission build settings, reorders some settings
App/App.entitlements	Removes most entitlement declarations, retaining only weatherkit, inherit, health, and temporary exceptions
App/App.Debug.entitlements	Removes most entitlement declarations, retaining only user-selected files, inherit, health, and temporary exceptions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Critical entitlements are being removed from the debug entitlements file while the corresponding build settings are being added to the Debug configuration in project.pbxproj. For a sandboxed macOS app, the entitlements file must explicitly contain the entitlement keys (e.g., com.apple.security.app-sandbox, com.apple.security.network.client, com.apple.security.device.camera, etc.) - build settings alone are not sufficient. Without these explicit entitlements, the app will not have the permissions it needs at runtime, even if the build settings are enabled.

[Copilot]

The CODE_SIGN_IDENTITY has been changed from an empty string ("") to a dash ("-"). While both indicate "Don't Code Sign", the dash is the more explicit and recommended way to disable code signing in Xcode. However, verify that this change is intentional and consistent with your build requirements, as it may affect debugging and distribution workflows.

Suggested change

	CODE_SIGN_IDENTITY = "-";
	CODE_SIGN_IDENTITY = "";

[Copilot]

The Debug configuration is missing several sandbox resource access settings that are present in the Release configuration. Specifically, Debug is missing: ENABLE_RESOURCE_ACCESS_BLUETOOTH, ENABLE_RESOURCE_ACCESS_PHOTO_LIBRARY, ENABLE_RESOURCE_ACCESS_PRINTING, and ENABLE_RESOURCE_ACCESS_USB. This inconsistency between configurations could lead to different runtime behavior when testing in Debug vs Release builds, making it harder to catch permission-related issues during development.

Suggested change

	ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = YES;
	ENABLE_RESOURCE_ACCESS_CALENDARS = YES;
	ENABLE_RESOURCE_ACCESS_CAMERA = YES;
	ENABLE_RESOURCE_ACCESS_CONTACTS = YES;
	ENABLE_RESOURCE_ACCESS_LOCATION = YES;
	ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = YES;
	ENABLE_RESOURCE_ACCESS_BLUETOOTH = YES;
	ENABLE_RESOURCE_ACCESS_CALENDARS = YES;
	ENABLE_RESOURCE_ACCESS_CAMERA = YES;
	ENABLE_RESOURCE_ACCESS_CONTACTS = YES;
	ENABLE_RESOURCE_ACCESS_LOCATION = YES;
	ENABLE_RESOURCE_ACCESS_PHOTO_LIBRARY = YES;
	ENABLE_RESOURCE_ACCESS_PRINTING = YES;
	ENABLE_RESOURCE_ACCESS_USB = YES;

[Copilot]

AUTOMATION_APPLE_EVENTS is being changed from NO to YES. This grants the app permission to control other applications via Apple Events/AppleScript. Given that the app's capabilities include accessing Calendar, Contacts, Messages, and other system data, verify that this permission is necessary. If the app doesn't actually need to automate other applications, leaving this enabled could be a security concern and may require additional justification during App Store review.

Suggested change

	AUTOMATION_APPLE_EVENTS = YES;
	AUTOMATION_APPLE_EVENTS = NO;

[Copilot]

AUTOMATION_APPLE_EVENTS is being added and set to YES in the Debug configuration. This grants the app permission to control other applications via Apple Events. Verify this is necessary for the app's functionality. Additionally, ensure that the corresponding entitlement (com.apple.security.automation.apple-events) is present in App.Debug.entitlements, as it appears to have been removed in the current changes, which would prevent Apple Events automation from working even with this build setting enabled.

Suggested change

	AUTOMATION_APPLE_EVENTS = YES;
	AUTOMATION_APPLE_EVENTS = NO;

[Copilot]

Critical security entitlements are being removed from the entitlements file while corresponding build settings are being added to enable these capabilities in the project configuration. This creates a potential mismatch where the build settings enable permissions (ENABLE_INCOMING_NETWORK_CONNECTIONS, ENABLE_OUTGOING_NETWORK_CONNECTIONS, etc.) but the entitlements file no longer contains the required entitlement keys (com.apple.security.network.client, com.apple.security.network.server, etc.). The app may fail to function properly or fail App Store review because the entitlements file should contain the actual entitlement keys that grant these permissions. Build settings alone are not sufficient - the entitlements file must explicitly declare these capabilities for sandboxed macOS apps.

Suggested change

	</array>
	</array>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>

[Copilot]

Network connections are being enabled by changing ENABLE_INCOMING_NETWORK_CONNECTIONS and ENABLE_OUTGOING_NETWORK_CONNECTIONS from NO to YES. For an MCP (Model Context Protocol) app that connects to AI services, network access is expected. However, verify that the corresponding network entitlements (com.apple.security.network.client and com.apple.security.network.server) are properly declared in the App.entitlements file. Currently, these entitlements appear to have been removed from the entitlements file, which will prevent the app from establishing network connections at runtime.

[Copilot]

ENABLE_RESOURCE_ACCESS_CALENDARS is being changed from NO to YES, which is consistent with the app's documented Calendar capabilities. However, verify that the corresponding entitlement (com.apple.security.personal-information.calendars) is present in the App.entitlements file. The current changes show this entitlement being removed from the file, which will prevent calendar access at runtime even though the build setting is enabled.

Suggested change

	ENABLE_RESOURCE_ACCESS_CALENDARS = YES;
	ENABLE_RESOURCE_ACCESS_CALENDARS = NO;

[mattt]

Alternative review from Codex:

Based on the current project files, this looks like Xcode’s newer “capabilities → build settings” migration for macOS entitlements rather than a regression. The entitlements files now only include custom/exception keys, while the sandbox and resource access are represented in build settings. That’s a real, intentional shift in recent Xcode versions, not a known “break‑things” migration.

Here’s what I’m seeing in your repo:

• Entitlements files now only contain exceptions/custom keys (no sandbox/network/etc). That’s consistent with Xcode managing standard entitlements via build settings.

<dict>
	<key>com.apple.developer.weatherkit</key>
	<true/>
	<key>com.apple.security.inherit</key>
	<true/>
	<key>com.apple.security.personal-information.health</key>
	<true/>
	<key>com.apple.security.temporary-exception.apple-events</key>
	<array>
		<string>com.apple.Terminal</string>
	</array>
	<!-- ... -->
</dict>

• The “capabilities” entitlements are now represented in build settings (app sandbox, network, resource access, etc.).

AUTOMATION_APPLE_EVENTS = YES;
CODE_SIGN_ENTITLEMENTS = App/App.Debug.entitlements;
ENABLE_APP_SANDBOX = YES;
ENABLE_INCOMING_NETWORK_CONNECTIONS = YES;
ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = YES;
ENABLE_RESOURCE_ACCESS_CALENDARS = YES;
ENABLE_RESOURCE_ACCESS_CAMERA = YES;
ENABLE_RESOURCE_ACCESS_CONTACTS = YES;
ENABLE_RESOURCE_ACCESS_LOCATION = YES;

Copilot comments, point‑by‑point

• “Entitlements removed from App.entitlements/App.Debug.entitlements”
  This is likely fine. The entitlements files now appear to be “supplemental,” while the standard sandbox capabilities are encoded in build settings. Xcode should synthesize the full entitlements at build time. This matches the migration behavior.

• CODE_SIGN_IDENTITY "" → "-"
  With CODE_SIGNING_ALLOWED = NO and CODE_SIGNING_REQUIRED = NO in Debug, it doesn’t materially change behavior. "-" is the newer, explicit “don’t sign” value; this is a common migration.

• Debug missing some resource access keys
  In Release those extra keys are explicitly set to NO. In Debug they’re absent (which effectively defaults to NO). That’s not a real mismatch.

• AUTOMATION_APPLE_EVENTS = YES
  This one is worth a quick sanity check. I don’t see any Apple Events usage in the codebase. If you aren’t automating other apps, turning it back to NO would avoid asking for that permission.
  If you do need Apple Events (e.g., the Terminal exception suggests possible use), then keep it, and make sure you have an NSAppleEventsUsageDescription in Info.plist and verify the codesigned entitlements include com.apple.security.automation.apple-events.

• “Xcode 26 doesn’t exist”
  Your scheme LastUpgradeVersion is 2620, which aligns with “Xcode 26.2” in your environment. Copilot’s comment is just out‑of‑date.

How to verify with certainty

If you want absolute confirmation the migration didn’t drop entitlements, the most reliable check is to inspect the codesigned entitlements of a built app:

• Build the app
• Run: codesign -d --entitlements :- "<built app path>/Contents/MacOS/iMCP"
  You should see com.apple.security.app-sandbox, network.client, network.server, etc. If they’re present, the migration is working as intended.

Bottom line

This is almost certainly a legitimate modernization: Xcode now uses build settings as the source of truth for common entitlements and keeps the entitlements file for “extra” keys. It doesn’t have a reputation for silently breaking apps, but Apple Events entitlement is the one change I’d double‑check is truly needed.

[mattt]

Just tested this out locally, and Claude Desktop was able to use all of the functionality without a problem.