From 8f22710c878370211e5ca6d7f16f36bff17f85b5 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 29 Jan 2026 16:32:23 -0600
Subject: [PATCH 01/53] AI generated removal of the big sur compatibility
 logic. Needs vetted and tested

---
 PPPC UtilityTests/ModelTests/ModelTests.swift | 197 +-----------------
 Resources/Base.lproj/Main.storyboard          |  21 +-
 Source/Model/Model.swift                      |  52 +----
 .../TCCProfileViewController.swift            |  59 ------
 4 files changed, 12 insertions(+), 317 deletions(-)

diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index a07cb54..85ea06e 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -130,7 +130,6 @@ class ModelTests: XCTestCase {
 
     func testExportProfileWithAppleEventsAndAuthorization() {
         // given
-        model.usingLegacyAllowKey = false
         let exe1 = Executable(identifier: "one", codeRequirement: "oneReq")
         let exe2 = Executable(identifier: "two", codeRequirement: "twoReq")
 
@@ -185,65 +184,6 @@ class ModelTests: XCTestCase {
         }
     }
 
-    func testExportProfileWithAppleEventsAndLegacyAllowed() {
-        // given
-        let exe1 = Executable(identifier: "one", codeRequirement: "oneReq")
-        let exe2 = Executable(identifier: "two", codeRequirement: "twoReq")
-
-        exe1.appleEvents = [AppleEventRule(source: exe1, destination: exe2, value: true)]
-        exe2.policy.SystemPolicyAllFiles = "Allow"
-
-        model.selectedExecutables = [exe1, exe2]
-        model.usingLegacyAllowKey = true
-
-        // when
-        let profile = model.exportProfile(organization: "Org", identifier: "ID", displayName: "Name", payloadDescription: "Desc")
-
-        // then check top level settings
-        XCTAssertEqual("Org", profile.organization)
-        XCTAssertEqual("ID", profile.identifier)
-        XCTAssertEqual("Name", profile.displayName)
-        XCTAssertEqual("Desc", profile.payloadDescription)
-        XCTAssertEqual("System", profile.scope)
-        XCTAssertEqual("Configuration", profile.type)
-        XCTAssertNotNil(profile.uuid)
-        XCTAssertEqual(1, profile.version)
-
-        // then check policy settings
-        // then verify the payload content top level
-        XCTAssertEqual(1, profile.content.count)
-        profile.content.forEach { content in
-            XCTAssertNotNil(content.uuid)
-            XCTAssertEqual(1, content.version)
-
-            // then verify the services
-            XCTAssertEqual(2, content.services.count)
-            let appleEvents = content.services["AppleEvents"]
-            XCTAssertNotNil(appleEvents)
-            let appleEventsPolicy = appleEvents?.first
-            XCTAssertEqual("one", appleEventsPolicy?.identifier)
-            XCTAssertEqual("oneReq", appleEventsPolicy?.codeRequirement)
-            XCTAssertEqual("bundleID", appleEventsPolicy?.identifierType)
-            XCTAssertEqual("two", appleEventsPolicy?.receiverIdentifier)
-            XCTAssertEqual("twoReq", appleEventsPolicy?.receiverCodeRequirement)
-            XCTAssertEqual("bundleID", appleEventsPolicy?.receiverIdentifierType)
-            XCTAssertTrue(appleEventsPolicy?.allowed == true)
-            XCTAssertNil(appleEventsPolicy?.authorization)
-
-            let allFiles = content.services["SystemPolicyAllFiles"]
-            XCTAssertNotNil(allFiles)
-            let allFilesPolicy = allFiles?.first
-            XCTAssertEqual("two", allFilesPolicy?.identifier)
-            XCTAssertEqual("twoReq", allFilesPolicy?.codeRequirement)
-            XCTAssertEqual("bundleID", allFilesPolicy?.identifierType)
-            XCTAssertNil(allFilesPolicy?.receiverIdentifier)
-            XCTAssertNil(allFilesPolicy?.receiverCodeRequirement)
-            XCTAssertNil(allFilesPolicy?.receiverIdentifierType)
-            XCTAssertTrue(allFilesPolicy?.allowed == true)
-            XCTAssertNil(allFilesPolicy?.authorization)
-        }
-    }
-
     // MARK: - tests for importProfile
 
     func testImportProfileUsingAuthorizationKeyAllow() {
@@ -330,11 +270,10 @@ class ModelTests: XCTestCase {
         XCTAssertEqual("Deny", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    // MARK: - tests for profileToString
+    // MARK: - tests for policyFromString
 
-    func testPolicyWhenUsingAllowAndAuthorizationKey() {
+    func testPolicyWhenUsingAllow() {
         // given
-        model.usingLegacyAllowKey = false
         let app = Executable(identifier: "id", codeRequirement: "req")
 
         // when
@@ -347,7 +286,6 @@ class ModelTests: XCTestCase {
 
     func testPolicyWhenUsingDeny() {
         // given
-        model.usingLegacyAllowKey = false
         let app = Executable(identifier: "id", codeRequirement: "req")
 
         // when
@@ -360,7 +298,6 @@ class ModelTests: XCTestCase {
 
     func testPolicyWhenUsingAllowForStandardUsers() {
         // given
-        model.usingLegacyAllowKey = false
         let app = Executable(identifier: "id", codeRequirement: "req")
 
         // when
@@ -382,134 +319,4 @@ class ModelTests: XCTestCase {
         XCTAssertNil(policy, "should have not created the policy with an unknown value")
     }
 
-    func testPolicyWhenUsingLegacyDeny() {
-        // given
-        let app = Executable(identifier: "id", codeRequirement: "req")
-        model.usingLegacyAllowKey = true
-
-        // when
-        let policy = model.policyFromString(executable: app, value: "Deny")
-
-        // then
-        XCTAssertNil(policy?.authorization, "should not set authorization when in legacy mode")
-        XCTAssertEqual(policy?.allowed, false)
-    }
-
-    func testPolicyWhenUsingLegacyAllow() {
-        // given
-        let app = Executable(identifier: "id", codeRequirement: "req")
-        model.usingLegacyAllowKey = true
-
-        // when
-        let policy = model.policyFromString(executable: app, value: "Allow")
-
-        // then
-        XCTAssertNil(policy?.authorization, "should not set authorization when in legacy mode")
-        XCTAssertEqual(policy?.allowed, true)
-    }
-
-    // test for the unrecognized strings for both legacy and normal
-    func testPolicyWhenUsingLegacyAllowButNonLegacyValueUsed() {
-        // given
-        let app = Executable(identifier: "id", codeRequirement: "req")
-        model.usingLegacyAllowKey = true
-
-        // when
-        let policy = model.policyFromString(executable: app, value: "Let Standard Users Approve")
-
-        // then
-        XCTAssertNil(policy, "should have errored out because of an invalid value")
-    }
-
-    // MARK: - tests for requiresAuthorizationKey
-
-    func testWhenServiceIsUsingAllowStandarUsersToApprove() {
-        // given
-        let profile = TCCProfileBuilder().buildProfile(authorization: .allowStandardUserToSetSystemService)
-
-        // when
-        model.importProfile(tccProfile: profile)
-
-        // then
-        XCTAssertTrue(model.requiresAuthorizationKey())
-    }
-
-    func testWhenServiceIsUsingOnlyAllowKey() {
-        // given
-        let profile = TCCProfileBuilder().buildProfile(authorization: .allow)
-
-        // when
-        model.importProfile(tccProfile: profile)
-
-        // then
-        XCTAssertFalse(model.requiresAuthorizationKey())
-    }
-
-    func testWhenServiceIsUsingOnlyDenyKey() {
-        // given
-        let profile = TCCProfileBuilder().buildProfile(authorization: .deny)
-
-        // when
-        model.importProfile(tccProfile: profile)
-
-        // then
-        XCTAssertFalse(model.requiresAuthorizationKey())
-    }
-
-    // MARK: - tests for changeToUseLegacyAllowKey
-
-    func testChangingFromAuthorizationKeyToLegacyAllowKey() {
-        // given
-        let allowStandard = TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue
-        let exeSettings = ["AddressBook": "Allow", "ListenEvent": allowStandard, "ScreenCapture": allowStandard]
-        let model = ModelBuilder().addExecutable(settings: exeSettings).build()
-        model.usingLegacyAllowKey = false
-
-        // when
-        model.changeToUseLegacyAllowKey()
-
-        // then
-        XCTAssertEqual(1, model.selectedExecutables.count, "should have only one exe")
-        let policy = model.selectedExecutables.first?.policy
-        XCTAssertEqual("Allow", policy?.AddressBook)
-        XCTAssertEqual("-", policy?.Camera)
-        XCTAssertEqual("-", policy?.ListenEvent)
-        XCTAssertEqual("-", policy?.ScreenCapture)
-        XCTAssertTrue(model.usingLegacyAllowKey)
-    }
-
-    func testChangingFromAuthorizationKeyToLegacyAllowKeyWithMoreComplexVaues() {
-        // given
-        let allowStandard = TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue
-        let p1Settings = ["SystemPolicyAllFiles": "Allow",
-                           "ListenEvent": allowStandard,
-                           "ScreenCapture": "Deny",
-                           "Camera": "Deny"]
-
-        let p2Settings = ["SystemPolicyAllFiles": "Deny",
-                           "ScreenCapture": allowStandard,
-                           "Calendar": "Allow"]
-        let builder = ModelBuilder().addExecutable(settings: p1Settings)
-        model = builder.addExecutable(settings: p2Settings).build()
-        model.usingLegacyAllowKey = false
-
-        // when
-        model.changeToUseLegacyAllowKey()
-
-        // then
-        XCTAssertEqual(2, model.selectedExecutables.count, "should have only one exe")
-        let policy1 = model.selectedExecutables[0].policy
-        XCTAssertEqual("Allow", policy1.SystemPolicyAllFiles)
-        XCTAssertEqual("-", policy1.ListenEvent)
-        XCTAssertEqual("Deny", policy1.ScreenCapture)
-        XCTAssertEqual("Deny", policy1.Camera)
-
-        let policy2 = model.selectedExecutables[1].policy
-        XCTAssertEqual("Deny", policy2.SystemPolicyAllFiles)
-        XCTAssertEqual("-", policy2.ListenEvent)
-        XCTAssertEqual("-", policy2.ScreenCapture)
-        XCTAssertEqual("Allow", policy2.Calendar)
-        XCTAssertTrue(model.usingLegacyAllowKey)
-    }
-
 }
diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index 76e1e55..bd1a5b6 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -2397,20 +2397,6 @@
                                     <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                                 </textFieldCell>
                             </textField>
-                            <switch horizontalHuggingPriority="750" verticalHuggingPriority="750" baseWritingDirection="leftToRight" alignment="left" translatesAutoresizingMaskIntoConstraints="NO" id="SiC-OP-K6P">
-                                <rect key="frame" x="1350" y="652" width="42" height="25"/>
-                                <connections>
-                                    <action selector="toggleAuthorizationKeyUsage:" target="ZfI-PN-mks" id="8uJ-TA-vPn"/>
-                                </connections>
-                            </switch>
-                            <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="P4p-7C-knr">
-                                <rect key="frame" x="1228" y="656" width="123" height="15"/>
-                                <textFieldCell key="cell" lineBreakMode="clipping" title="Big Sur Compatibility" id="22F-cE-hwd">
-                                    <font key="font" metaFont="cellTitle"/>
-                                    <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
-                                    <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                                </textFieldCell>
-                            </textField>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="jIB-Ce-nfY">
                                 <rect key="frame" x="1187" y="13" width="74" height="32"/>
                                 <buttonCell key="cell" type="push" title="Import" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="dRT-sQ-hbk">
@@ -2433,9 +2419,7 @@
                             <constraint firstAttribute="bottom" secondItem="Gwb-6x-mB1" secondAttribute="bottom" constant="20" id="8SN-fe-Ihh"/>
                             <constraint firstItem="RsL-5g-N88" firstAttribute="centerY" secondItem="v8I-Mx-BrF" secondAttribute="centerY" id="AsU-Vr-IoN"/>
                             <constraint firstItem="pHR-Fa-o0o" firstAttribute="leading" secondItem="bKS-CN-KZi" secondAttribute="leading" constant="21" id="AtX-pF-Pn9"/>
-                            <constraint firstItem="P4p-7C-knr" firstAttribute="leading" relation="greaterThanOrEqual" secondItem="zBr-K2-oEH" secondAttribute="trailing" constant="8" symbolic="YES" id="CCn-3z-wQM"/>
                             <constraint firstItem="96P-n0-YO3" firstAttribute="top" secondItem="bKS-CN-KZi" secondAttribute="top" constant="20" id="CWE-BE-Iga"/>
-                            <constraint firstItem="SiC-OP-K6P" firstAttribute="leading" secondItem="P4p-7C-knr" secondAttribute="trailing" constant="3" id="D26-B0-eoj"/>
                             <constraint firstItem="5hq-Rl-ues" firstAttribute="leading" secondItem="03S-CM-lPV" secondAttribute="trailing" constant="15" id="EHv-BX-sOY"/>
                             <constraint firstAttribute="bottom" secondItem="jIB-Ce-nfY" secondAttribute="bottom" constant="20" id="FTZ-cQ-BaB"/>
                             <constraint firstItem="03S-CM-lPV" firstAttribute="leading" secondItem="3Am-A7-MGr" secondAttribute="trailing" constant="12" id="GSZ-Pk-E5b"/>
@@ -2452,7 +2436,6 @@
                             <constraint firstItem="YNV-Zn-1jp" firstAttribute="leading" secondItem="JSo-Ex-mKB" secondAttribute="leading" id="dB2-pF-h9K"/>
                             <constraint firstAttribute="bottom" secondItem="03S-CM-lPV" secondAttribute="bottom" constant="90" id="dLI-ZX-EdF"/>
                             <constraint firstItem="3Am-A7-MGr" firstAttribute="top" secondItem="VBi-VJ-3w4" secondAttribute="bottom" constant="5" id="eKS-9Z-J2D"/>
-                            <constraint firstAttribute="trailing" secondItem="SiC-OP-K6P" secondAttribute="trailing" constant="20" id="eji-RX-K57"/>
                             <constraint firstItem="3Am-A7-MGr" firstAttribute="bottom" secondItem="dDB-re-qJn" secondAttribute="bottom" id="fMM-MI-13D"/>
                             <constraint firstItem="03S-CM-lPV" firstAttribute="width" secondItem="5hq-Rl-ues" secondAttribute="width" id="g5s-ug-Y6t"/>
                             <constraint firstAttribute="bottom" secondItem="wba-mI-3Kz" secondAttribute="bottom" constant="20" id="h5w-xf-7cn"/>
@@ -2460,10 +2443,9 @@
                             <constraint firstAttribute="trailing" secondItem="96P-n0-YO3" secondAttribute="trailing" id="jRF-ds-m0E"/>
                             <constraint firstAttribute="bottom" secondItem="RsL-5g-N88" secondAttribute="bottom" constant="61" id="jX5-qu-b9A"/>
                             <constraint firstItem="zBr-K2-oEH" firstAttribute="leading" relation="greaterThanOrEqual" secondItem="L3L-II-z9D" secondAttribute="trailing" constant="8" symbolic="YES" id="jo0-NQ-zc1"/>
-                            <constraint firstItem="5hq-Rl-ues" firstAttribute="top" secondItem="P4p-7C-knr" secondAttribute="bottom" constant="7" id="l7D-Ce-DTa"/>
+                            <constraint firstItem="5hq-Rl-ues" firstAttribute="top" secondItem="L3L-II-z9D" secondAttribute="bottom" constant="7" id="l7D-Ce-DTa"/>
                             <constraint firstItem="RsL-5g-N88" firstAttribute="top" secondItem="5hq-Rl-ues" secondAttribute="bottom" constant="8" id="pHo-Rk-OrR"/>
                             <constraint firstItem="v8I-Mx-BrF" firstAttribute="leading" secondItem="RsL-5g-N88" secondAttribute="trailing" constant="8" id="pVT-22-VSY"/>
-                            <constraint firstItem="5hq-Rl-ues" firstAttribute="top" secondItem="SiC-OP-K6P" secondAttribute="bottom" constant="5" id="rAP-R8-4al"/>
                             <constraint firstAttribute="trailing" secondItem="wba-mI-3Kz" secondAttribute="trailing" constant="18" id="rwL-U7-x5t"/>
                             <constraint firstItem="RsL-5g-N88" firstAttribute="leading" secondItem="dDB-re-qJn" secondAttribute="leading" id="vlB-ox-Uku"/>
                             <constraint firstItem="5hq-Rl-ues" firstAttribute="top" secondItem="03S-CM-lPV" secondAttribute="top" id="xkQ-C1-VJt"/>
@@ -2491,7 +2473,6 @@
                         <outlet property="allFilesStackView" destination="PKW-Wz-1vE" id="ZUk-ek-82t"/>
                         <outlet property="appleEventsAC" destination="qGh-WP-H0J" id="Yxo-OD-XI3"/>
                         <outlet property="appleEventsTable" destination="dDB-re-qJn" id="5g0-oE-XOS"/>
-                        <outlet property="authorizationKeySwitch" destination="SiC-OP-K6P" id="Y1H-fD-vIY"/>
                         <outlet property="calendarHelpButton" destination="tva-g6-iKu" id="l9S-mU-Mea"/>
                         <outlet property="calendarPopUp" destination="bSe-hT-Ah8" id="mjo-yN-eWq"/>
                         <outlet property="calendarPopUpAC" destination="2dL-gR-cae" id="I88-mv-eOh"/>
diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 7600d15..e067eee 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -30,8 +30,6 @@ import OSLog
 
 @objc class Model: NSObject {
 
-    var usingLegacyAllowKey = true
-
     @objc dynamic var current: Executable?
     @objc dynamic static let shared = Model()
     @objc dynamic var identities: [SigningIdentity] = []
@@ -93,27 +91,6 @@ typealias LoadExecutableCompletion = ((LoadExecutableResult) -> Void)
 
 extension Model {
 
-    func requiresAuthorizationKey() -> Bool {
-        return selectedExecutables.contains { exe -> Bool in
-            return exe.policy.allPolicyValues().contains { value -> Bool in
-                return value == TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue
-            }
-        }
-    }
-
-    /// Will convert any Authorization key values to the legacy Allowed key
-    func changeToUseLegacyAllowKey() {
-        usingLegacyAllowKey = true
-        selectedExecutables.forEach { exe in
-            if exe.policy.ListenEvent == TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue {
-                exe.policy.ListenEvent = "-"
-            }
-            if exe.policy.ScreenCapture == TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue {
-                exe.policy.ScreenCapture = "-"
-            }
-        }
-    }
-
     // TODO - refactor this method so it isn't so complex
     // swiftlint:disable:next cyclomatic_complexity
     func loadExecutable(url: URL, completion: @escaping LoadExecutableCompletion) {
@@ -248,26 +225,15 @@ extension Model {
                          codeRequirement: executable.codeRequirement,
                          receiverIdentifier: event?.destination.identifier,
                          receiverCodeRequirement: event?.destination.codeRequirement)
-        if usingLegacyAllowKey {
-            switch value {
-            case TCCProfileDisplayValue.allow.rawValue:
-                policy.allowed = true
-            case TCCProfileDisplayValue.deny.rawValue:
-                policy.allowed = false
-            default:
-                return nil
-            }
-        } else {
-            switch value {
-            case TCCProfileDisplayValue.allow.rawValue:
-                policy.authorization = .allow
-            case TCCProfileDisplayValue.deny.rawValue:
-                policy.authorization = .deny
-            case TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue:
-                policy.authorization = .allowStandardUserToSetSystemService
-            default:
-                return nil
-            }
+        switch value {
+        case TCCProfileDisplayValue.allow.rawValue:
+            policy.authorization = .allow
+        case TCCProfileDisplayValue.deny.rawValue:
+            policy.authorization = .deny
+        case TCCProfileDisplayValue.allowStandardUsersToApprove.rawValue:
+            policy.authorization = .allowStandardUserToSetSystemService
+        default:
+            return nil
         }
         return policy
     }
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 835439a..cad84af 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -132,7 +132,6 @@ class TCCProfileViewController: NSViewController {
     @IBOutlet weak var addAppleEventButton: NSButton!
     @IBOutlet weak var removeAppleEventButton: NSButton!
     @IBOutlet weak var removeExecutableButton: NSButton!
-    @IBOutlet weak var authorizationKeySwitch: NSSwitch!
 
     @IBAction func addToProfile(_ sender: NSButton) {
         promptForExecutables {
@@ -148,37 +147,6 @@ class TCCProfileViewController: NSViewController {
 
     let logger = Logger.TCCProfileViewController
 
-    private func toggleAuthorizationKey(theSwitch: NSSwitch, showAlert: Bool) {
-        switch theSwitch.state {
-        case .on:
-            if model.usingLegacyAllowKey && showAlert {
-                let message = """
-                Enabling Big Sur Compatibility will require the profile to be installed on macOS versions Big Sur (11.0) or greater.
-
-                Deploying this profile to computers with macOS 10.15 or earlier will result in an error.
-                """
-                Alert().display(header: "Compatibility Warning", message: message)
-            }
-            model.usingLegacyAllowKey = false
-        default:
-            var allowToggle = true
-            if model.requiresAuthorizationKey() && showAlert {
-                let message = "Disabling Big Sur Compatibility will cause some settings you configured to be lost."
-                allowToggle = Alert().displayWithCancel(header: "Compatibility Warning", message: message)
-            }
-            if allowToggle {
-                model.changeToUseLegacyAllowKey()
-            } else {
-                theSwitch.state = .on
-                model.usingLegacyAllowKey = false
-            }
-        }
-    }
-
-    @IBAction func toggleAuthorizationKeyUsage(_ sender: NSSwitch) {
-        toggleAuthorizationKey(theSwitch: sender, showAlert: true)
-    }
-
 	@IBAction func uploadAction(_ sender: NSButton) {
 		let identities: [SigningIdentity]
 		do {
@@ -206,13 +174,6 @@ class TCCProfileViewController: NSViewController {
         alertWindow.beginSheetModal(for: window)
     }
 
-    func turnOnBigSurCompatibilityIfImportedProfileNeedsTo() {
-        if model.requiresAuthorizationKey() {
-            authorizationKeySwitch.state = .on
-            toggleAuthorizationKey(theSwitch: authorizationKeySwitch, showAlert: false)
-        }
-    }
-
     @IBAction func importProfile(_ sender: NSButton) {
         guard let window = self.view.window else {
             return
@@ -226,7 +187,6 @@ class TCCProfileViewController: NSViewController {
             switch tccProfileResult {
             case .success(let tccProfile):
                 weakSelf.model.importProfile(tccProfile: tccProfile)
-                weakSelf.turnOnBigSurCompatibilityIfImportedProfileNeedsTo()
             case .failure(let tccProfileImportError):
                 if !tccProfileImportError.isCancelled {
                     weakSelf.showAlert(tccProfileImportError, for: window)
@@ -269,13 +229,6 @@ class TCCProfileViewController: NSViewController {
         .urlReadingContentsConformToTypes: [ kUTTypeBundle, kUTTypeUnixExecutable ]
     ]
 
-    @IBAction func checkForAuthorizationFeaturesUsed(_ sender: NSPopUpButton) {
-        if model.requiresAuthorizationKey() {
-            authorizationKeySwitch.state = .on
-            toggleAuthorizationKeyUsage(authorizationKeySwitch)
-        }
-    }
-
     override func viewDidLoad() {
         super.viewDidLoad()
 
@@ -299,7 +252,6 @@ class TCCProfileViewController: NSViewController {
 
         setupStandardUserAllowAndDeny(policies: [screenCapturePopUpAC,
                                                  listenEventPopUpAC])
-        setupActionForStandardUserAllowedDropDowns(dropDowns: [listenEventPopUp, screenCapturePopUp])
 
         setupDenyOnly(policies: [cameraPopUpAC,
                                  microphonePopUpAC])
@@ -322,23 +274,12 @@ class TCCProfileViewController: NSViewController {
         executablesTable.dataSource = self
         appleEventsTable.registerForDraggedTypes([.fileURL])
         appleEventsTable.dataSource = self
-
-        authorizationKeySwitch.state = model.usingLegacyAllowKey ? .off : .on
     }
 
     @IBAction func showHelpMessage(_ sender: InfoButton) {
         sender.showHelpMessage()
     }
 
-    /// Setup actions to display a warning when certain values are selected
-    /// that are not supported on all macOS versions
-    /// - Parameter dropDowns: NSPopupButtons to add the action to
-    private func setupActionForStandardUserAllowedDropDowns(dropDowns: [NSPopUpButton]) {
-        dropDowns.forEach { popup in
-            popup.action = #selector(self.checkForAuthorizationFeaturesUsed(_:))
-        }
-    }
-
     private func setupStandardUserAllowAndDeny(policies: [NSArrayController]) {
         for policy in policies {
             policy.add(contentsOf: ["-",

From bcb3a12c415ab1247578407d80feb12cc8dbde9c Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 10 Mar 2026 11:09:33 -0500
Subject: [PATCH 02/53] big-sur story/JPCFM-5531 Add minor changes to update
 minimum supported OS and remove remaining Big Sur things

---
 .github/workflows/tests.yml                   |  9 +++-
 CHANGELOG.md                                  |  3 +-
 PPPC Utility.xcodeproj/project.pbxproj        |  8 +--
 .../ModelTests/PPPCServicesManagerTests.swift |  2 +-
 README.md                                     |  2 +-
 Resources/PPPCServices.json                   |  4 +-
 Source/Model/PPPCServiceInfo.swift            |  2 +-
 .../URLSessionAsyncCompatibility.swift        | 52 -------------------
 8 files changed, 17 insertions(+), 65 deletions(-)
 delete mode 100644 Source/Networking/URLSessionAsyncCompatibility.swift

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d5d148e..7b2c8a5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,11 +15,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Run unit tests
+      - name: Run unit tests with code coverage
         run: |
           xcodebuild test \
             -project "PPPC Utility.xcodeproj" \
             -scheme "PPPC Utility" \
             -destination "platform=macOS" \
+            -enableCodeCoverage YES \
+            -resultBundlePath TestResults.xcresult \
             CODE_SIGN_IDENTITY="-" \
             CODE_SIGNING_REQUIRED=NO
+
+      - name: Display code coverage summary
+        if: always()
+        run: |
+          xcrun xccov view --report TestResults.xcresult | grep -E "^[A-Z].*\.app|PPPC-Utility/Source"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81b4616..3819149 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed
 - Update print and os_log calls to the modern OSLog class calls for updated logging. ([Issue #112](https://github.com/jamf/PPPC-Utility/issues/112)) [@SkylerGodfrey](https://github.com/SkylerGodfrey)
 - Now using [Haversack](https://github.com/jamf/Haversack) for simplified access to the keychain ([Issue #124](https://github.com/jamf/PPPC-Utility/issues/124)) [@macblazer](https://github.com/macblazer).
-- PPPC Utility now requires macOS 11+ to run.  It can still produce profiles usable on older versions of macOS.
+- PPPC Utility now requires macOS 13+ to run.  It can still produce profiles usable on older versions of macOS.
+- Removed Big Sur compatibility toggle and legacy `Allowed` key support.  The `Authorization` key is now always used.
 
 ## [1.5.0] - 2022-10-04
 
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 660a02b..7161580 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -59,7 +59,6 @@
 		C0EE9A7D28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt in Resources */ = {isa = PBXBuildFile; fileRef = C0EE9A7C28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt */; };
 		C0EE9A7F2863BDE300738B6B /* JamfProAPITypes.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */; };
 		C0EE9A812863BE2B00738B6B /* NetworkAuthManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */; };
-		C0EE9A832863BEEB00738B6B /* URLSessionAsyncCompatibility.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A822863BEEB00738B6B /* URLSessionAsyncCompatibility.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -131,7 +130,6 @@
 		C0EE9A7C28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = TestTCCProfileForJamfProAPI.txt; sourceTree = "<group>"; };
 		C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPITypes.swift; sourceTree = "<group>"; };
 		C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = NetworkAuthManager.swift; sourceTree = "<group>"; };
-		C0EE9A822863BEEB00738B6B /* URLSessionAsyncCompatibility.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = URLSessionAsyncCompatibility.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -324,7 +322,6 @@
 				C03270BF28636397008B38E0 /* JamfProAPIClient.swift */,
 				C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */,
 				C05844B72AD4512D00141353 /* Token.swift */,
-				C0EE9A822863BEEB00738B6B /* URLSessionAsyncCompatibility.swift */,
 			);
 			path = Networking;
 			sourceTree = "<group>";
@@ -535,7 +532,6 @@
 				6E6216F9215321CE0043DF18 /* OpenViewController.swift in Sources */,
 				C05844B82AD4512D00141353 /* Token.swift in Sources */,
 				6EC40A10214DE3B200BE4F17 /* Executable.swift in Sources */,
-				C0EE9A832863BEEB00738B6B /* URLSessionAsyncCompatibility.swift in Sources */,
 				C0EE9A812863BE2B00738B6B /* NetworkAuthManager.swift in Sources */,
 				6EC40A16214ECF1E00BE4F17 /* SaveViewController.swift in Sources */,
 				C05844BE2AD45F7900141353 /* UploadInfoView.swift in Sources */,
@@ -667,7 +663,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				IBSC_NOTICES = NO;
-				MACOSX_DEPLOYMENT_TARGET = 11.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				ONLY_ACTIVE_ARCH = YES;
@@ -723,7 +719,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				IBSC_NOTICES = NO;
-				MACOSX_DEPLOYMENT_TARGET = 11.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				MTL_FAST_MATH = YES;
 				SDKROOT = macosx;
diff --git a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift
index 767cdae..d92bc82 100644
--- a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
+++ b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
@@ -82,7 +82,7 @@ class PPPCServicesManagerTests: XCTestCase {
         let service = try XCTUnwrap(services.allServices["ScreenCapture"])
 
         // when
-        let actual = try XCTUnwrap(service.allowStandardUsersMacOS11Plus)
+        let actual = try XCTUnwrap(service.allowStandardUsers)
 
         // then
         XCTAssertTrue(actual)
diff --git a/README.md b/README.md
index 8354018..1ce0ce9 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 [logo]: /Resources/Assets.xcassets/AppIcon.appiconset/PPPC_Logo_32%402x.png "PPPC Utility"
 
-PPPC Utility is a macOS (10.15 and newer) application for creating configuration profiles containing the Privacy Preferences Policy Control payload for macOS. The profiles can be saved locally, signed or unsigned. Profiles can also be uploaded directly to a Jamf Pro server.
+PPPC Utility is a macOS (13.0 and newer) application for creating configuration profiles containing the Privacy Preferences Policy Control payload for macOS. The profiles can be saved locally, signed or unsigned. Profiles can also be uploaded directly to a Jamf Pro server.
 
 All changes to the application are tracked in [the changelog](https://github.com/jamf/PPPC-Utility/blob/master/CHANGELOG.md).
 
diff --git a/Resources/PPPCServices.json b/Resources/PPPCServices.json
index 2a506a5..72d6410 100644
--- a/Resources/PPPCServices.json
+++ b/Resources/PPPCServices.json
@@ -90,7 +90,7 @@
             "com.apple.vm.device-access"
         ],
         "denyOnly": true,
-        "allowStandardUsersMacOS11Plus": true
+        "allowStandardUsers": true
     },
     {
         "mdmKey": "MediaLibrary",
@@ -163,7 +163,7 @@
         "englishName": "Screen Recording",
         "englishDescription": "Deny specified apps access to capture (read) the contents of the system display.",
         "denyOnly": true,
-        "allowStandardUsersMacOS11Plus": true
+        "allowStandardUsers": true
     },
     {
         "mdmKey": "SpeechRecognition",
diff --git a/Source/Model/PPPCServiceInfo.swift b/Source/Model/PPPCServiceInfo.swift
index c940d96..fad2e96 100644
--- a/Source/Model/PPPCServiceInfo.swift
+++ b/Source/Model/PPPCServiceInfo.swift
@@ -34,7 +34,7 @@ struct PPPCServiceInfo: Decodable {
     let englishDescription: String
     let entitlements: [String]?
     let denyOnly: Bool?
-    let allowStandardUsersMacOS11Plus: Bool?
+    let allowStandardUsers: Bool?
 
     var userHelp: String {
         if let entitlements = entitlements {
diff --git a/Source/Networking/URLSessionAsyncCompatibility.swift b/Source/Networking/URLSessionAsyncCompatibility.swift
deleted file mode 100644
index 5f38e53..0000000
--- a/Source/Networking/URLSessionAsyncCompatibility.swift
+++ /dev/null
@@ -1,52 +0,0 @@
-//
-//  URLSessionAsyncCompatibility.swift
-//  Based on AsyncCompatibilityKit's URLSession+Async.swift which is
-//  Copyright (c) John Sundell 2021
-//  MIT license, see LICENSE.md file for details
-//
-//  Change from AsyncCompatibilityKit: Modified the `@available` line to be deprecated in macOS 12 instead of iOS 15.
-//
-
-import Foundation
-
-@available(macOS, deprecated: 12.0, message: "AsyncCompatibilityKit is only useful when targeting macOS versions earlier than 12")
-public extension URLSession {
-    /// Start a data task with a URL using async/await.
-    /// - parameter url: The URL to send a request to.
-    /// - returns: A tuple containing the binary `Data` that was downloaded,
-    ///   as well as a `URLResponse` representing the server's response.
-    /// - throws: Any error encountered while performing the data task.
-    func data(from url: URL) async throws -> (Data, URLResponse) {
-        try await data(for: URLRequest(url: url))
-    }
-
-    /// Start a data task with a `URLRequest` using async/await.
-    /// - parameter request: The `URLRequest` that the data task should perform.
-    /// - returns: A tuple containing the binary `Data` that was downloaded,
-    ///   as well as a `URLResponse` representing the server's response.
-    /// - throws: Any error encountered while performing the data task.
-    func data(for request: URLRequest) async throws -> (Data, URLResponse) {
-        var dataTask: URLSessionDataTask?
-        let onCancel = { dataTask?.cancel() }
-
-        return try await withTaskCancellationHandler(
-			operation: {
-				try await withCheckedThrowingContinuation { continuation in
-					dataTask = self.dataTask(with: request) { data, response, error in
-						guard let data = data, let response = response else {
-							let error = error ?? URLError(.badServerResponse)
-							return continuation.resume(throwing: error)
-						}
-
-						continuation.resume(returning: (data, response))
-					}
-
-					dataTask?.resume()
-				}
-			},
-			onCancel: {
-				onCancel()
-            }
-        )
-    }
-}

From 5efa22658f0424ccd4236fbff042e6252a9cd465 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 10 Mar 2026 13:11:49 -0500
Subject: [PATCH 03/53] big-sur story/JPCFM-5531 Remove swiftlint disable call
 due to reduced file length

---
 Source/View Controllers/TCCProfileViewController.swift | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index cad84af..30e7a9e 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -24,7 +24,6 @@
 //  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 //  SOFTWARE.
 //
-// swiftlint:disable file_length
 
 import Cocoa
 import OSLog

From 93ed2bea48f110fce523334ac571a6a7f959fbb2 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Fri, 13 Mar 2026 11:57:16 -0500
Subject: [PATCH 04/53] big-sur story/JPCFM-5531 Add Copilot suggestion for
 generating test results

---
 .github/workflows/tests.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 7b2c8a5..dd554f2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -29,4 +29,21 @@ jobs:
       - name: Display code coverage summary
         if: always()
         run: |
-          xcrun xccov view --report TestResults.xcresult | grep -E "^[A-Z].*\.app|PPPC-Utility/Source"
+          if [ ! -d TestResults.xcresult ]; then
+            echo "Coverage bundle 'TestResults.xcresult' not found; skipping coverage summary."
+            exit 0
+          fi
+          # Generate coverage report; capture output while still printing it
+          echo "Generating coverage report from TestResults.xcresult..."
+          if ! xcrun xccov view --report TestResults.xcresult | tee coverage-report.txt; then
+            echo "Failed to generate coverage report with xccov; printing any captured output and continuing."
+            cat coverage-report.txt 2>/dev/null || true
+            exit 0
+          fi
+          echo
+          echo "Filtered coverage summary (matching app targets or PPPC-Utility/Source):"
+          if ! grep -E '^[A-Z].*\.app|PPPC-Utility/Source' coverage-report.txt; then
+            echo
+            echo "No matching coverage lines found; displaying full coverage report instead."
+            cat coverage-report.txt
+          fi

From dc8df6317772310422e9b4dea09b3dd17b07b100 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Fri, 13 Mar 2026 12:19:49 -0500
Subject: [PATCH 05/53] big-sur story/JPCFM-5531 Add Copilot refactor to
 loadExecutable function

---
 Source/Model/Model.swift | 96 +++++++++++++++++++++++++---------------
 1 file changed, 60 insertions(+), 36 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index e067eee..327029d 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -91,48 +91,18 @@ typealias LoadExecutableCompletion = ((LoadExecutableResult) -> Void)
 
 extension Model {
 
-    // TODO - refactor this method so it isn't so complex
-    // swiftlint:disable:next cyclomatic_complexity
     func loadExecutable(url: URL, completion: @escaping LoadExecutableCompletion) {
         let executable = Executable()
 
         if let bundle = Bundle(url: url) {
-            guard let identifier = bundle.bundleIdentifier else {
-                return completion(.failure(.identifierNotFound))
-            }
-            executable.identifier = identifier
-            let info = bundle.infoDictionary
-            executable.displayName = (info?["CFBundleName"] as? String) ?? executable.identifier
-            if let resourcesURL = bundle.resourceURL {
-                if let definedIconFile = info?["CFBundleIconFile"] as? String {
-                    var iconURL = resourcesURL.appendingPathComponent(definedIconFile)
-                    if iconURL.pathExtension.isEmpty {
-                        iconURL.appendPathExtension("icns")
-                    }
-                    executable.iconPath = iconURL.path
-                } else {
-                    executable.iconPath = resourcesURL.appendingPathComponent("DefaultAppIcon.icns").path
-                }
-
-                if !FileManager.default.fileExists(atPath: executable.iconPath) {
-                    switch url.pathExtension {
-                    case "app":
-                        executable.iconPath = IconFilePath.application
-                    case "bundle":
-                        executable.iconPath = IconFilePath.kext
-                    case "xpc":
-                        executable.iconPath = IconFilePath.kext
-                    default:
-                        executable.iconPath = IconFilePath.unknown
-                    }
-                }
-            } else {
-                return completion(.failure(.resourceURLNotFound))
+            switch populateFromBundle(executable, bundle: bundle, url: url) {
+            case .failure(let error):
+                return completion(.failure(error))
+            case .success:
+                break
             }
         } else {
-            executable.identifier = url.path
-            executable.displayName = url.lastPathComponent
-            executable.iconPath = IconFilePath.binary
+            populateFromPath(executable, url: url)
         }
 
         if let alreadyFoundExecutable = store[executable.identifier] {
@@ -147,6 +117,60 @@ extension Model {
             return completion(.failure(.codeRequirementError(description: error.localizedDescription)))
         }
     }
+
+    private func populateFromBundle(_ executable: Executable, bundle: Bundle, url: URL) -> Result<Void, LoadExecutableError> {
+        guard let identifier = bundle.bundleIdentifier else {
+            return .failure(.identifierNotFound)
+        }
+        executable.identifier = identifier
+
+        let info = bundle.infoDictionary
+        executable.displayName = (info?["CFBundleName"] as? String) ?? executable.identifier
+
+        guard let resourcesURL = bundle.resourceURL else {
+            return .failure(.resourceURLNotFound)
+        }
+
+        executable.iconPath = resolveIconPath(info: info, resourcesURL: resourcesURL, url: url)
+        return .success(())
+    }
+
+    private func populateFromPath(_ executable: Executable, url: URL) {
+        executable.identifier = url.path
+        executable.displayName = url.lastPathComponent
+        executable.iconPath = IconFilePath.binary
+    }
+
+    private func resolveIconPath(info: [String: Any]?, resourcesURL: URL, url: URL) -> String {
+        let candidatePath: String
+
+        if let definedIconFile = info?["CFBundleIconFile"] as? String {
+            var iconURL = resourcesURL.appendingPathComponent(definedIconFile)
+            if iconURL.pathExtension.isEmpty {
+                iconURL.appendPathExtension("icns")
+            }
+            candidatePath = iconURL.path
+        } else {
+            candidatePath = resourcesURL.appendingPathComponent("DefaultAppIcon.icns").path
+        }
+
+        if FileManager.default.fileExists(atPath: candidatePath) {
+            return candidatePath
+        }
+
+        return fallbackIconPath(for: url.pathExtension)
+    }
+
+    private func fallbackIconPath(for pathExtension: String) -> String {
+        switch pathExtension {
+        case "app":
+            return IconFilePath.application
+        case "bundle", "xpc":
+            return IconFilePath.kext
+        default:
+            return IconFilePath.unknown
+        }
+    }
 }
 
 // MARK: Exporting Profile

From 343399a076ab11cff9625afa462454265d9a444f Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 24 Mar 2026 09:16:15 -0500
Subject: [PATCH 06/53] big-sur story/JPCFM-5531 Remove code coverage addition

---
 .github/workflows/tests.yml | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index dd554f2..d5d148e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,35 +15,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Run unit tests with code coverage
+      - name: Run unit tests
         run: |
           xcodebuild test \
             -project "PPPC Utility.xcodeproj" \
             -scheme "PPPC Utility" \
             -destination "platform=macOS" \
-            -enableCodeCoverage YES \
-            -resultBundlePath TestResults.xcresult \
             CODE_SIGN_IDENTITY="-" \
             CODE_SIGNING_REQUIRED=NO
-
-      - name: Display code coverage summary
-        if: always()
-        run: |
-          if [ ! -d TestResults.xcresult ]; then
-            echo "Coverage bundle 'TestResults.xcresult' not found; skipping coverage summary."
-            exit 0
-          fi
-          # Generate coverage report; capture output while still printing it
-          echo "Generating coverage report from TestResults.xcresult..."
-          if ! xcrun xccov view --report TestResults.xcresult | tee coverage-report.txt; then
-            echo "Failed to generate coverage report with xccov; printing any captured output and continuing."
-            cat coverage-report.txt 2>/dev/null || true
-            exit 0
-          fi
-          echo
-          echo "Filtered coverage summary (matching app targets or PPPC-Utility/Source):"
-          if ! grep -E '^[A-Z].*\.app|PPPC-Utility/Source' coverage-report.txt; then
-            echo
-            echo "No matching coverage lines found; displaying full coverage report instead."
-            cat coverage-report.txt
-          fi

From 1e0027ea534934e78ad42669f6911d7ea52e2a14 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 26 Mar 2026 15:26:41 -0500
Subject: [PATCH 07/53] added detailed plan for getting to swift 6 in stages

---
 PPPC Utility.xcodeproj/project.pbxproj |  12 ++
 docs/plans/approachable-concurrency.md | 243 +++++++++++++++++++++++++
 2 files changed, 255 insertions(+)
 create mode 100644 docs/plans/approachable-concurrency.md

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 7161580..fd7dfb4 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -582,7 +582,10 @@
 				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityTests";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
+				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
@@ -606,6 +609,9 @@
 				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityTests";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
+				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
@@ -747,6 +753,9 @@
 				PRODUCT_BUNDLE_IDENTIFIER = com.jamf.opensource.pppcutility;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
+				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Debug;
@@ -770,6 +779,9 @@
 				PRODUCT_BUNDLE_IDENTIFIER = com.jamf.opensource.pppcutility;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
+				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;
diff --git a/docs/plans/approachable-concurrency.md b/docs/plans/approachable-concurrency.md
new file mode 100644
index 0000000..127629f
--- /dev/null
+++ b/docs/plans/approachable-concurrency.md
@@ -0,0 +1,243 @@
+# Approachable Concurrency — Implementation Plan
+
+**Issue:** https://github.com/jamf/PPPC-Utility/issues/141
+
+## Problem
+
+PPPC Utility is on Swift 5.0 with zero concurrency checking. The goal is to adopt Swift 6.2 Approachable Concurrency so MainActor isolation is inferred by the compiler rather than manually annotated.
+
+## Approach
+
+**"Turn it on and see what breaks"** — enable Approachable Concurrency build settings first, then use compiler diagnostics to guide incremental fixes.
+
+## PR/Stage Boundaries
+
+**Every stage produces a buildable, functional app.** The build settings from Stage 1 are already applied and the app builds + tests pass with only warnings. Each subsequent stage resolves warnings and modernizes patterns — none are required for the app to function.
+
+| PR | Stage | Status | Description |
+|----|-------|--------|-------------|
+| 1 | Stage 1 | ✅ Done | Enable Approachable Concurrency build settings |
+| 2 | Stage 2 | Pending | Remove `NetworkAuthManager` actor → class |
+| 3a | Stage 3a | Pending | Remove 3 `DispatchQueue.main.async` wrappers |
+| 3b | Stage 3b | Pending | Convert `UploadManager` to async throws |
+| 3c | Stage 3c | Pending | Convert `Model.loadExecutable` to direct return |
+| 3d | Stage 3d | Pending | Convert `TCCProfileImporter` to direct return |
+| 4 | Stage 4 | Pending | Add `@concurrent` for background I/O |
+| 5 | Stage 5 | Pending | Enable Swift 6 language mode (warnings → errors) |
+
+PRs 3a–3d can be one PR or individual PRs — each is independently functional. PR 4 depends on PR 3c. PR 5 depends on all prior stages.
+
+## Stage 1: Enable Approachable Concurrency Build Settings ✅
+
+Add to both app and test targets (Debug + Release):
+- `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor`
+- `SWIFT_APPROACHABLE_CONCURRENCY = YES`
+- `SWIFT_STRICT_CONCURRENCY = complete`
+- Keep `SWIFT_VERSION = 5.0`
+
+Build, capture all warnings/errors, categorize them.
+
+## Stage 1 Results: Compiler Diagnostics (reference)
+
+Build + tests PASSED with only warnings. 2 concurrency warning categories found:
+1. `Token.isValid` cross-isolation (actor ↔ MainActor)
+2. XCTestCase/NSObject override isolation mismatch (all test classes + SaveViewController)
+
+---
+
+## Stage 2: Remove the `NetworkAuthManager` actor → class
+
+**Goal:** With `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor`, all types are MainActor by default. The `NetworkAuthManager` actor's synchronization purpose (single-flight token refresh) is now provided by MainActor serialization. Convert it to a regular class.
+
+### Changes:
+
+**`Source/Networking/NetworkAuthManager.swift`**
+- `actor NetworkAuthManager` → `class NetworkAuthManager`
+- `bearerAuthSupported()` — drop `async`, it was only async for actor isolation. Return type stays `Bool`.
+- `nonisolated func basicAuthString()` → `func basicAuthString()` — no longer an actor, `nonisolated` is unnecessary
+- `validToken(networking:)` — stays `async throws` (does async work internally)
+- `refreshToken(networking:)` — stays `async throws` (does async work internally)
+- The `Task { }` inside `refreshToken` inherits MainActor isolation under Approachable Concurrency, so mutations to `refreshTask`, `currentToken`, `supportsBearerAuth` remain safe
+
+**`Source/Networking/JamfProAPIClient.swift`**
+- `await authManager.bearerAuthSupported()` → `authManager.bearerAuthSupported()` (2 locations, lines ~80, ~101) — drop `await` since no longer async
+
+**`Source/Networking/Networking.swift`**
+- No changes needed — `authManager` property is `let`, and all calls to async methods already use `await`
+
+**`Source/SwiftUI/UploadInfoView.swift`**
+- `makeAuthManager()` — no changes, just returns the new class instead of actor
+
+**`PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift`**
+- `await authManager.bearerAuthSupported()` → `authManager.bearerAuthSupported()` (2 locations, lines ~91, ~104) — drop `await`
+- Tests that are `async throws` stay that way (they still `await` async methods like `validToken`)
+
+**Side effect:** Resolves the `Token.isValid` cross-isolation warning because `Token` and `NetworkAuthManager` are now both on MainActor — no isolation boundary to cross.
+
+---
+
+## Stage 3: Remove `DispatchQueue.main.async` and convert `Task{}` + completion handlers to async
+
+**Goal:** With everything MainActor-isolated, manual dispatch to the main thread is redundant. Also, replace `Task{}` + completion handler patterns with direct async methods — callers can just `await`.
+
+### 3a. Remove `DispatchQueue.main.async` wrappers (3 simple locations)
+
+**1. `Source/Views/Alert.swift:32`** — `display(header:message:)`
+- Remove `DispatchQueue.main.async { ... }` wrapper, keep the body inline
+- `Alert` is MainActor by default, so `display()` is already on MainActor
+
+**2. `Source/View Controllers/OpenViewController.swift:51`** — `tableView(_:selectionIndexesForProposedSelection:)`
+- Remove `DispatchQueue.main.async { ... }` wrapper, keep the body inline
+- NSTableViewDelegate method called on MainActor
+
+**3. `Source/View Controllers/SaveViewController.swift:87`** — `savePressed(_:)` panel callback
+- Remove `DispatchQueue.main.async { ... }` wrapper, keep `self.saveTo(url: panel.url!)`
+- NSSavePanel.begin completion runs on main thread; SaveViewController is MainActor
+
+### 3b. Convert `UploadManager` from Task/completion to async (larger refactor)
+
+**Current pattern** — both methods use `Task{}` internally + call a `completionHandler`:
+- `verifyConnection(authManager:completionHandler:)` — wraps async networking in `Task{}`, calls back via completion
+- `upload(profile:authMgr:siteInfo:signingIdentity:completionHandler:)` — same pattern + `DispatchQueue.main.async` before callback
+
+**New pattern** — make both methods `async throws` directly:
+- `func verifyConnection(authManager:) async throws -> VerificationInfo` — no Task, no completion handler, just returns
+- `func upload(profile:authMgr:siteInfo:signingIdentity:) async throws` — no Task, no completion handler, throws on error
+
+**Caller update** — `UploadInfoView.swift`:
+- `verifyConnection()` — currently synchronous, calls `uploadMgr.verifyConnection(...) { result in }`. Refactor to:
+  ```swift
+  func verifyConnection() async { ... let info = try await uploadMgr.verifyConnection(...) }
+  ```
+  Button action becomes: `Task { await verifyConnection() }`
+  Note: This is the one place a `Task{}` remains necessary — bridging from SwiftUI button action to async. This is the idiomatic pattern.
+- `performUpload()` — same pattern as above
+
+### 3c. Convert `Model.loadExecutable` from completion handler to direct return
+
+**Current:** `func loadExecutable(url:completion: @escaping LoadExecutableCompletion)` — synchronous with completion handler callback. This is not actually async work — it reads bundle info and code requirements synchronously.
+
+**New:** `func loadExecutable(url: URL) throws -> Executable` — direct return, throws on error. No completion handler needed since the work is synchronous.
+
+**Callers to update:**
+- `Model.getAppleEventChoices(executable:)` — currently calls `loadExecutable(url:) { result in ... }` 3 times, switch on result. Simplify to `try loadExecutable(url:)` with do/catch.
+- `Model.findExecutableOnComputerUsing(bundleIdentifier:completion:)` → `func findExecutable(bundleIdentifier:) throws -> Executable` — direct return
+- `Model.getExecutableFrom(identifier:codeRequirement:)` — currently calls `findExecutableOnComputerUsing`. Update to use new direct call.
+- `Model.getExecutablesFromAllPolicies(policies:)` — calls `getExecutableFrom`. Update.
+- `TCCProfileViewController.promptForExecutables(_:)` — calls `model.loadExecutable(url:)`. Update to direct call.
+- `TCCProfileViewController.tableView(_:acceptDrop:row:dropOperation:)` — calls `model.loadExecutable(url:)`. Update.
+- `OpenViewController.prompt(_:)` — calls `Model.shared.loadExecutable(url:)`. Update.
+
+### 3d. Convert `TCCProfileImporter` from completion handler to direct return
+
+**Current:**
+- `decodeTCCProfile(data:completion:)` — synchronous decode with completion callback
+- `decodeTCCProfile(fileUrl:completion:)` — synchronous file read + decode with completion callback
+
+**New:**
+- `func decodeTCCProfile(data: Data) throws -> TCCProfile` — direct return
+- `func decodeTCCProfile(fileUrl: URL) throws -> TCCProfile` — direct return
+- Remove `TCCProfileImportCompletion` typealias (no longer needed)
+
+**Caller update:**
+- `TCCProfileConfigurationPanel.loadTCCProfileFromFile(importer:window:completion:)` — update to use direct calls inside the panel callback
+- `TCCProfileViewController.importProfile(_:)` — update to use new direct return
+
+---
+
+## Stage 4: Identify and annotate `@concurrent` for background work
+
+**Goal:** Find synchronous work that runs on MainActor and could block the UI. Mark it `@concurrent` to run on the cooperative thread pool.
+
+### Candidates analysis:
+
+**Networking layer (`Networking`, `JamfProAPIClient`)**
+- `URLSession.shared.data(for:)` is an Apple async API — it suspends, doesn't block MainActor ✅
+- JSON decoding after `await` runs synchronously on MainActor — payloads are tiny ✅
+- **No `@concurrent` needed** for networking methods
+
+**`SecurityWrapper` (static methods)**
+- `sign(data:using:)` — CMS signing could be slow for large profiles → **candidate for `@concurrent`**
+- `copyDesignatedRequirement(url:)` — reads code signatures from disk → **candidate for `@concurrent`**
+- `loadSigningIdentities()` — queries keychain for all identities → **candidate for `@concurrent`**
+- `loadCredentials()` / `saveCredentials()` / `removeCredentials()` — keychain ops, typically fast → **possible candidate**
+
+**`Model.loadExecutable(url:)` (after Stage 3c refactor)**
+- Reads bundle info from disk + calls `SecurityWrapper.copyDesignatedRequirement` → **candidate for `@concurrent`**
+- After Stage 3c this is `throws -> Executable`. Making it `@concurrent async throws -> Executable` would move disk I/O off MainActor.
+- Callers (`getAppleEventChoices`, `importProfile`, `promptForExecutables`, drag-drop handler) would need to `await`.
+
+**`TCCProfile.xmlData()` / `TCCProfile.jamfProAPIData()`**
+- PropertyListEncoder/XML encoding — fast for typical profile sizes → **likely not needed**
+
+### Recommended `@concurrent` annotations:
+1. `SecurityWrapper.copyDesignatedRequirement(url:)` → `@concurrent static func ... async throws`
+2. `SecurityWrapper.sign(data:using:)` → `@concurrent static func ... async throws`
+3. `SecurityWrapper.loadSigningIdentities()` → `@concurrent static func ... async throws`
+4. `Model.loadExecutable(url:)` → `@concurrent func ... async throws -> Executable` (since it calls copyDesignatedRequirement)
+5. All callers of the above need `await`
+6. `Model.getAppleEventChoices` → `async` (calls loadExecutable), callers update
+7. `Model.importProfile` → calls `getExecutableFrom` which calls `loadExecutable` — cascade of async
+
+### Note on remaining `Task{}` usage after all stages:
+The only `Task{}` calls that should remain are at **UI entry points** where we bridge from synchronous UI callbacks to async:
+- SwiftUI button actions in `UploadInfoView` (Task { await verifyConnection() }, Task { await performUpload() })
+- NSOpenPanel/NSSavePanel `.begin { }` callbacks if they need to call async methods
+- These are idiomatic and unavoidable — UI callbacks are synchronous by nature
+
+## Key Guidelines (from CLAUDE.md & swift-concurrency skill)
+
+- Do NOT add explicit `@MainActor` annotations — isolation is inferred via build settings
+- Do NOT annotate value types (structs, enums) as `Sendable` — they are Sendable by default
+- Prefer `@concurrent` for background work instead of actor isolation opt-outs
+- Avoid unnecessary `Task {}` — prefer async/await
+- `nonisolated(nonsending)` for generic async utilities that should stay on caller's executor
+
+---
+
+## Stage 5: Enable Swift 6 Language Mode — Full Strict Concurrency
+
+**Goal:** Flip `SWIFT_VERSION` from `5.0` to `6.0` so all concurrency warnings become hard errors. This is the capstone — the app and tests must compile with zero concurrency diagnostics.
+
+**Depends on:** Stages 1–4 complete (zero concurrency warnings).
+
+### 5a. Build setting change
+
+**`PPPC Utility.xcodeproj/project.pbxproj`** — 4 locations (app Debug, app Release, test Debug, test Release):
+- `SWIFT_VERSION = 5.0` → `SWIFT_VERSION = 6.0`
+
+All other concurrency settings are already correct from Stage 1:
+- `SWIFT_STRICT_CONCURRENCY = complete` ✅
+- `SWIFT_APPROACHABLE_CONCURRENCY = YES` ✅
+- `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor` ✅
+
+### 5b. Fix override isolation mismatches (from Stage 1 diagnostics)
+
+Stage 1 Results identified two warning categories. Category 1 (`Token.isValid` cross-isolation) is resolved by Stage 2. Category 2 — **override isolation mismatches** — is not addressed by Stages 2–4 and becomes an error in Swift 6.
+
+The issue: With `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor`, our classes and their method overrides are MainActor-isolated. But some parent class methods from ObjC frameworks are not annotated for MainActor in the SDK. The compiler warns (Swift 5) / errors (Swift 6) about the isolation mismatch.
+
+**Known locations from Stage 1 results:**
+
+1. **`SaveViewController.swift`** — `override func observeValue(forKeyPath:of:change:context:)`
+   - NSObject's `observeValue` is not MainActor-annotated in the SDK
+   - Fix: Add `nonisolated` to the override, since KVO callbacks can fire from any context. The method body only accesses `self` (which is MainActor), so wrap the body access in `MainActor.assumeIsolated { }` — this is safe because KVO on `@objc dynamic` properties from MainActor objects delivers on MainActor.
+   - Alternative: If Swift 6.2 SDK has annotated this method by the time we get here, no fix needed — verify by building first.
+
+2. **Test classes** — `override func setUp()` in `ModelTests`
+   - XCTestCase lifecycle methods (`setUp`, `tearDown`) are `nonisolated` in the XCTest header. With default MainActor isolation, test subclasses are MainActor, creating a mismatch on the override.
+   - Fix: Add `nonisolated` to `override func setUp()`. If the body needs MainActor access, mark the override as `override func setUp() async throws` (XCTest supports async setUp in modern versions) or move setup work to a helper.
+
+### 5c. Verification
+
+1. **Build** both app and test targets (Debug + Release) — zero errors, zero warnings
+2. **Run all tests** — all pass
+3. **Manual smoke test** — launch app, add executables, configure TCC policies, save/export profile, import profile
+4. Confirm no runtime isolation assertions (Swift 6 adds runtime checks for actor isolation violations)
+
+### What should NOT be in Stage 5
+
+- No explicit `@MainActor` annotations — isolation is inferred via `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor`
+- No `Sendable` annotations on value types (structs, enums) — they are Sendable by default
+- No new `Task {}` wrappers — if something needs async bridging, it should have been handled in Stages 3–4
+- No behavioral changes — Stage 5 is purely a compiler enforcement change

From 0a1425076330b2495083c216dbaa2d8d07dbaafd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:29:19 +0000
Subject: [PATCH 08/53] Initial plan


From 6741832d7f2e3a81cad80ec0df7279457ba8aabb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:33:58 +0000
Subject: [PATCH 09/53] Stage 2: Convert NetworkAuthManager from actor to class
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor, all types are MainActor
by default. The actor's synchronization purpose (single-flight token
refresh) is now provided by MainActor serialization.

Changes:
- actor NetworkAuthManager → class NetworkAuthManager
- bearerAuthSupported(): drop async (no longer needed without actor)
- basicAuthString(): drop nonisolated (no longer an actor)
- JamfProAPIClient: drop await from bearerAuthSupported() calls
- NetworkAuthManagerTests: drop await from bearerAuthSupported() calls

Side effect: Resolves Token.isValid cross-isolation warning because
Token and NetworkAuthManager are now both on MainActor.

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 .../NetworkingTests/NetworkAuthManagerTests.swift    |  4 ++--
 Source/Networking/JamfProAPIClient.swift             |  4 ++--
 Source/Networking/NetworkAuthManager.swift           | 12 +++++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift
index d54ddd4..8cd1768 100644
--- a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
@@ -88,7 +88,7 @@ class NetworkAuthManagerTests: XCTestCase {
         networking.errorToThrow = NetworkingError.serverResponse(404, "No such page")
 
         // default is that bearer auth is supported.
-        let firstCheckBearerAuthSupported = await authManager.bearerAuthSupported()
+        let firstCheckBearerAuthSupported = authManager.bearerAuthSupported()
         XCTAssertTrue(firstCheckBearerAuthSupported)
 
         // when
@@ -101,7 +101,7 @@ class NetworkAuthManagerTests: XCTestCase {
         }
 
         // The authManager should now know that bearer auth is not supported
-        let secondCheckBearerAuthSupported = await authManager.bearerAuthSupported()
+        let secondCheckBearerAuthSupported = authManager.bearerAuthSupported()
         XCTAssertFalse(secondCheckBearerAuthSupported)
     }
 
diff --git a/Source/Networking/JamfProAPIClient.swift b/Source/Networking/JamfProAPIClient.swift
index 2d1d695..fb08bf1 100644
--- a/Source/Networking/JamfProAPIClient.swift
+++ b/Source/Networking/JamfProAPIClient.swift
@@ -77,7 +77,7 @@ class JamfProAPIClient: Networking {
     func load<T: Decodable>(request: URLRequest) async throws -> T {
         let result: T
 
-        if await authManager.bearerAuthSupported() {
+        if authManager.bearerAuthSupported() {
             do {
                 result = try await loadBearerAuthorized(request: request)
             } catch AuthError.bearerAuthNotSupported {
@@ -98,7 +98,7 @@ class JamfProAPIClient: Networking {
     func send(request: URLRequest) async throws -> Data {
         let result: Data
 
-        if await authManager.bearerAuthSupported() {
+        if authManager.bearerAuthSupported() {
             do {
                 result = try await sendBearerAuthorized(request: request)
             } catch AuthError.bearerAuthNotSupported {
diff --git a/Source/Networking/NetworkAuthManager.swift b/Source/Networking/NetworkAuthManager.swift
index 3e43b02..9074a77 100644
--- a/Source/Networking/NetworkAuthManager.swift
+++ b/Source/Networking/NetworkAuthManager.swift
@@ -46,8 +46,10 @@ enum AuthenticationInfo {
 	case clientCreds(id: String, secret: String)
 }
 
-/// This actor ensures that only one token refresh occurs at the same time.
-actor NetworkAuthManager {
+/// This class ensures that only one token refresh occurs at the same time.
+/// With MainActor default isolation, all types are MainActor by default,
+/// providing the same serialization that the actor previously offered.
+class NetworkAuthManager {
 	private let authInfo: AuthenticationInfo
 
     private var currentToken: Token?
@@ -111,15 +113,15 @@ actor NetworkAuthManager {
     /// The default is that bearer authentication is supported.  After the first network call attempting to use bearer auth, if the
     /// server does not actually support it this will return false.
     /// - Returns: True if bearer auth is supported.
-    func bearerAuthSupported() async -> Bool {
+    func bearerAuthSupported() -> Bool {
         return supportsBearerAuth
     }
 
     /// Properly encodes the username and password for use in Basic authentication.
     ///
-    /// This doesn't mutate any state and only accesses `let` constants so it doesn't need to be actor isolated.
+    /// This doesn't mutate any state and only accesses `let` constants so it doesn't need special isolation.
     /// - Returns: The encoded data string for use with Basic Auth.
-    nonisolated func basicAuthString() throws -> String {
+    func basicAuthString() throws -> String {
 		guard case .basicAuth(let username, let password) = authInfo,
 			  !username.isEmpty && !password.isEmpty else {
             throw AuthError.invalidUsernamePassword

From 9256bd019a4851ffec7af206d6708d004c03c0c0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:34:27 +0000
Subject: [PATCH 10/53] Stage 3a: Remove DispatchQueue.main.async wrappers

With MainActor default isolation, manual dispatch to the main thread
is redundant. All three locations are already MainActor-isolated.

Changes:
- Alert.swift: Remove DispatchQueue.main.async wrapper in display()
- OpenViewController.swift: Remove wrapper in tableView selectionIndexes
- SaveViewController.swift: Remove wrapper in savePressed panel callback

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 Source/View Controllers/OpenViewController.swift |  8 +++-----
 Source/View Controllers/SaveViewController.swift |  5 +----
 Source/Views/Alert.swift                         | 14 ++++++--------
 3 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index d8bb09b..5d7721a 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -48,11 +48,9 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
     }
 
     func tableView(_ tableView: NSTableView, selectionIndexesForProposedSelection proposedSelectionIndexes: IndexSet) -> IndexSet {
-        DispatchQueue.main.async {
-            guard let index = proposedSelectionIndexes.first else { return }
-            self.completionBlock?([.success(self.choices[index])])
-            self.dismiss(self)
-        }
+        guard let index = proposedSelectionIndexes.first else { return proposedSelectionIndexes }
+        self.completionBlock?([.success(self.choices[index])])
+        self.dismiss(self)
         return proposedSelectionIndexes
     }
 
diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index c2d6081..28a0558 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -83,10 +83,7 @@ class SaveViewController: NSViewController {
 
         panel.begin { response in
             if response == .OK {
-                // Let the save panel fully close itself before doing any work that may require keychain access.
-                DispatchQueue.main.async {
-                    self.saveTo(url: panel.url!)
-                }
+                self.saveTo(url: panel.url!)
             }
         }
     }
diff --git a/Source/Views/Alert.swift b/Source/Views/Alert.swift
index 89f50f0..956d26c 100644
--- a/Source/Views/Alert.swift
+++ b/Source/Views/Alert.swift
@@ -29,14 +29,12 @@ import Cocoa
 
 class Alert: NSObject {
     func display(header: String, message: String) {
-        DispatchQueue.main.async {
-            let dialog: NSAlert = NSAlert()
-            dialog.messageText = header
-            dialog.informativeText = message
-            dialog.alertStyle = NSAlert.Style.warning
-            dialog.addButton(withTitle: "OK")
-            dialog.runModal()
-        }
+        let dialog: NSAlert = NSAlert()
+        dialog.messageText = header
+        dialog.informativeText = message
+        dialog.alertStyle = NSAlert.Style.warning
+        dialog.addButton(withTitle: "OK")
+        dialog.runModal()
     }
 
     /// Displays a message with a cancel button and returns true if OK was pressed

From 7b7711321904d5a4369480108d161e666f1aed55 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:35:33 +0000
Subject: [PATCH 11/53] Stage 3b: Convert UploadManager to async throws

Replace Task/completion handler pattern with direct async throws methods.

Changes:
- UploadManager.verifyConnection: async throws -> VerificationInfo
- UploadManager.upload: async throws (no completion handler)
- UploadInfoView.verifyConnection: now async, uses try await
- UploadInfoView.performUpload: now async, uses try await
- Button action bridges to async with Task { await ... }

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 Source/Networking/UploadManager.swift | 68 +++++++++---------------
 Source/SwiftUI/UploadInfoView.swift   | 75 ++++++++++++++-------------
 2 files changed, 63 insertions(+), 80 deletions(-)

diff --git a/Source/Networking/UploadManager.swift b/Source/Networking/UploadManager.swift
index e7d3246..71194ba 100644
--- a/Source/Networking/UploadManager.swift
+++ b/Source/Networking/UploadManager.swift
@@ -23,61 +23,43 @@ struct UploadManager {
 		case anyError(String)
 	}
 
-	func verifyConnection(authManager: NetworkAuthManager, completionHandler: @escaping (Result<VerificationInfo, VerificationError>) -> Void) {
+	func verifyConnection(authManager: NetworkAuthManager) async throws -> VerificationInfo {
         logger.info("Checking connection to Jamf Pro server")
 
-		Task {
-			let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authManager)
-			let result: Result<VerificationInfo, VerificationError>
+		let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authManager)
 
-			do {
-				let version = try await networking.getJamfProVersion()
+		do {
+			let version = try await networking.getJamfProVersion()
 
-				// Must sign if Jamf Pro is less than v10.7.1
-				let mustSign = (version.semantic() < SemanticVersion(major: 10, minor: 7, patch: 1))
+			// Must sign if Jamf Pro is less than v10.7.1
+			let mustSign = (version.semantic() < SemanticVersion(major: 10, minor: 7, patch: 1))
 
-				let orgName = try await networking.getOrganizationName()
+			let orgName = try await networking.getOrganizationName()
 
-				result = .success(VerificationInfo(mustSign: mustSign, organization: orgName))
-			} catch is AuthError {
-                logger.error("Invalid credentials.")
-				result = .failure(VerificationError.anyError("Invalid credentials."))
-			} catch {
-                logger.error("Jamf Pro server is unavailable.")
-				result = .failure(VerificationError.anyError("Jamf Pro server is unavailable."))
-			}
-
-			completionHandler(result)
+			return VerificationInfo(mustSign: mustSign, organization: orgName)
+		} catch is AuthError {
+            logger.error("Invalid credentials.")
+			throw VerificationError.anyError("Invalid credentials.")
+		} catch {
+            logger.error("Jamf Pro server is unavailable.")
+			throw VerificationError.anyError("Jamf Pro server is unavailable.")
 		}
 	}
 
-	func upload(profile: TCCProfile, authMgr: NetworkAuthManager, siteInfo: (String, String)?, signingIdentity: SigningIdentity?, completionHandler: @escaping (Error?) -> Void) {
+	func upload(profile: TCCProfile, authMgr: NetworkAuthManager, siteInfo: (String, String)?, signingIdentity: SigningIdentity?) async throws {
         logger.info("Uploading profile: \(profile.displayName, privacy: .public)")
 
 		let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authMgr)
-		Task {
-			let success: Error?
-			var identity: SecIdentity?
-			if let signingIdentity = signingIdentity {
-                logger.info("Signing profile with \(signingIdentity.displayName)")
-				identity = signingIdentity.reference
-			}
-
-			do {
-				let profileData = try profile.jamfProAPIData(signingIdentity: identity, site: siteInfo)
-
-				_ = try await networking.upload(computerConfigProfile: profileData)
-
-				success = nil
-                logger.info("Uploaded successfully")
-			} catch {
-                logger.error("Error creating or uploading profile: \(error.localizedDescription)")
-				success = error
-			}
-
-			DispatchQueue.main.async {
-				completionHandler(success)
-			}
+		var identity: SecIdentity?
+		if let signingIdentity = signingIdentity {
+            logger.info("Signing profile with \(signingIdentity.displayName)")
+			identity = signingIdentity.reference
 		}
+
+		let profileData = try profile.jamfProAPIData(signingIdentity: identity, site: siteInfo)
+
+		_ = try await networking.upload(computerConfigProfile: profileData)
+
+        logger.info("Uploaded successfully")
 	}
 }
diff --git a/Source/SwiftUI/UploadInfoView.swift b/Source/SwiftUI/UploadInfoView.swift
index 18cdc98..78bf5e4 100644
--- a/Source/SwiftUI/UploadInfoView.swift
+++ b/Source/SwiftUI/UploadInfoView.swift
@@ -119,10 +119,12 @@ struct UploadInfoView: View {
 				.keyboardShortcut(.cancelAction)
 
 				Button(verifiedConnection ? "Upload" : "Check connection") {
-					if verifiedConnection {
-						performUpload()
-					} else {
-						verifyConnection()
+					Task {
+						if verifiedConnection {
+							await performUpload()
+						} else {
+							await verifyConnection()
+						}
 					}
 				}
 				.keyboardShortcut(.defaultAction)
@@ -271,7 +273,7 @@ struct UploadInfoView: View {
 		return NetworkAuthManager(clientId: username, clientSecret: password)
 	}
 
-	func verifyConnection() {
+	func verifyConnection() async {
 		guard connectionInfoPassesValidation(setWarningInfo: true) else {
 			return
 		}
@@ -279,29 +281,29 @@ struct UploadInfoView: View {
 		networkOperationInfo = "Checking Jamf Pro server"
 
 		let uploadMgr = UploadManager(serverURL: serverURL)
-		uploadMgr.verifyConnection(authManager: makeAuthManager()) { result in
-			if case .success(let success) = result {
-				mustSign = success.mustSign
-				organization = success.organization
-				verifiedConnectionHash = hashOfConnectionInfo
-				if saveToKeychain {
-					do {
-						try SecurityWrapper.saveCredentials(username: username,
-															password: password,
-															server: serverURL)
-					} catch {
-                        logger.error("Failed to save credentials with error: \(error.localizedDescription)")
-					}
+		do {
+			let info = try await uploadMgr.verifyConnection(authManager: makeAuthManager())
+			mustSign = info.mustSign
+			organization = info.organization
+			verifiedConnectionHash = hashOfConnectionInfo
+			if saveToKeychain {
+				do {
+					try SecurityWrapper.saveCredentials(username: username,
+														password: password,
+														server: serverURL)
+				} catch {
+                    logger.error("Failed to save credentials with error: \(error.localizedDescription)")
 				}
-				// Future on macOS 12+: focus on Payload Name field
-			} else if case .failure(let failure) = result,
-					  case .anyError(let errorString) = failure {
-				warningInfo = errorString
-				verifiedConnectionHash = 0
 			}
-
-			networkOperationInfo = nil
+		} catch UploadManager.VerificationError.anyError(let errorString) {
+			warningInfo = errorString
+			verifiedConnectionHash = 0
+		} catch {
+			warningInfo = error.localizedDescription
+			verifiedConnectionHash = 0
 		}
+
+		networkOperationInfo = nil
 	}
 
 	private func dismissView() {
@@ -314,7 +316,7 @@ struct UploadInfoView: View {
 		}
 	}
 
-	func performUpload() {
+	func performUpload() async {
 		guard connectionInfoPassesValidation(setWarningInfo: true) else {
 			return
 		}
@@ -338,18 +340,17 @@ struct UploadInfoView: View {
 		}
 
 		let uploadMgr = UploadManager(serverURL: serverURL)
-		uploadMgr.upload(profile: profile,
-						 authMgr: makeAuthManager(),
-						 siteInfo: siteIdAndName,
-						 signingIdentity: mustSign ? signingId : nil) { possibleError in
-			if let error = possibleError {
-				warningInfo = error.localizedDescription
-			} else {
-				Alert().display(header: "Success", message: "Profile uploaded succesfully")
-				dismissView()
-			}
-			networkOperationInfo = nil
+		do {
+			try await uploadMgr.upload(profile: profile,
+									   authMgr: makeAuthManager(),
+									   siteInfo: siteIdAndName,
+									   signingIdentity: mustSign ? signingId : nil)
+			Alert().display(header: "Success", message: "Profile uploaded succesfully")
+			dismissView()
+		} catch {
+			warningInfo = error.localizedDescription
 		}
+		networkOperationInfo = nil
 	}
 }
 

From a64ed560bb399e897ed86403529a5ec593919f4c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:36:51 +0000
Subject: [PATCH 12/53] Stage 3c: Convert Model.loadExecutable to direct return
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace completion handler pattern with throws -> Executable since the
work is synchronous (reads bundle info and code requirements).

Changes:
- Model.loadExecutable(url:) now throws -> Executable (no completion)
- Remove LoadExecutableCompletion typealias
- findExecutableOnComputerUsing → findExecutable, returns directly
- getExecutableFrom: uses do/catch instead of completion handler
- getAppleEventChoices: uses do/catch for each loadExecutable call
- TCCProfileViewController: promptForExecutables and acceptDrop updated
- OpenViewController.prompt: updated to use try/catch

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 Source/Model/Model.swift                      | 68 +++++++------------
 .../View Controllers/OpenViewController.swift |  9 ++-
 .../TCCProfileViewController.swift            | 56 +++++++--------
 3 files changed, 59 insertions(+), 74 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 327029d..a838ded 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -40,31 +40,22 @@ import OSLog
     func getAppleEventChoices(executable: Executable) -> [Executable] {
         var executables: [Executable] = []
 
-        loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")) { result in
-            switch result {
-            case .success(let executable):
-                executables.append(executable)
-            case .failure(let error):
-                self.logger.error("\(error)")
-            }
+        do {
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")))
+        } catch {
+            self.logger.error("\(error)")
         }
 
-        loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")) { result in
-            switch result {
-            case .success(let executable):
-                executables.append(executable)
-            case .failure(let error):
-                self.logger.error("\(error)")
-            }
+        do {
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")))
+        } catch {
+            self.logger.error("\(error)")
         }
 
-        loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")) { result in
-            switch result {
-            case .success(let executable):
-                executables.append(executable)
-            case .failure(let error):
-                self.logger.error("\(error)")
-            }
+        do {
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")))
+        } catch {
+            self.logger.error("\(error)")
         }
 
         let others = store.values.filter { $0 != executable && !Set(executables).contains($0) }
@@ -87,17 +78,16 @@ struct IconFilePath {
 }
 
 typealias LoadExecutableResult = Result<Executable, LoadExecutableError>
-typealias LoadExecutableCompletion = ((LoadExecutableResult) -> Void)
 
 extension Model {
 
-    func loadExecutable(url: URL, completion: @escaping LoadExecutableCompletion) {
+    func loadExecutable(url: URL) throws -> Executable {
         let executable = Executable()
 
         if let bundle = Bundle(url: url) {
             switch populateFromBundle(executable, bundle: bundle, url: url) {
             case .failure(let error):
-                return completion(.failure(error))
+                throw error
             case .success:
                 break
             }
@@ -106,15 +96,15 @@ extension Model {
         }
 
         if let alreadyFoundExecutable = store[executable.identifier] {
-            return completion(.success(alreadyFoundExecutable))
+            return alreadyFoundExecutable
         }
 
         do {
             executable.codeRequirement = try SecurityWrapper.copyDesignatedRequirement(url: url)
             store[executable.identifier] = executable
-            return completion(.success(executable))
+            return executable
         } catch {
-            return completion(.failure(.codeRequirementError(description: error.localizedDescription)))
+            throw LoadExecutableError.codeRequirementError(description: error.localizedDescription)
         }
     }
 
@@ -278,19 +268,16 @@ extension Model {
 
     func getExecutableFrom(identifier: String, codeRequirement: String) -> Executable {
         var executable = Executable(identifier: identifier, codeRequirement: codeRequirement)
-        findExecutableOnComputerUsing(bundleIdentifier: identifier) { result in
-            switch result {
-            case .success(let goodExecutable):
-                executable = goodExecutable
-            case .failure(let error):
-                self.logger.error("\(error)")
-            }
+        do {
+            executable = try findExecutable(bundleIdentifier: identifier)
+        } catch {
+            self.logger.error("\(error)")
         }
 
         return executable
     }
 
-    private func findExecutableOnComputerUsing(bundleIdentifier: String, completion: @escaping LoadExecutableCompletion) {
+    private func findExecutable(bundleIdentifier: String) throws -> Executable {
 		var urlToLoad: URL?
         if bundleIdentifier.contains("/") {
 			urlToLoad = URL(string: "file://\(bundleIdentifier)")
@@ -299,16 +286,9 @@ extension Model {
         }
 
 		if let fileURL = urlToLoad {
-            self.loadExecutable(url: fileURL) { result in
-                switch result {
-                case .success(let executable):
-                    return completion(.success(executable))
-                case .failure(let error):
-                    return completion(.failure(error))
-                }
-            }
+            return try self.loadExecutable(url: fileURL)
         }
-        return completion(.failure(.executableNotFound))
+        throw LoadExecutableError.executableNotFound
     }
 
     private func cleanUpAndRemoveDependencies() {
diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index 5d7721a..3e622fa 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -64,8 +64,13 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
             if response == .OK {
                 var selections: [LoadExecutableResult] = []
                 panel.urls.forEach {
-                    Model.shared.loadExecutable(url: $0) { result in
-                        selections.append(result)
+                    do {
+                        let executable = try Model.shared.loadExecutable(url: $0)
+                        selections.append(.success(executable))
+                    } catch {
+                        if let loadError = error as? LoadExecutableError {
+                            selections.append(.failure(loadError))
+                        }
                     }
                 }
                 block?(selections)
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 30e7a9e..5f40d5a 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -205,19 +205,19 @@ class TCCProfileViewController: NSViewController {
         panel.begin { response in
             if response == .OK {
                 panel.urls.forEach {
-                    self.model.loadExecutable(url: $0) { [weak self] result in
-                        switch result {
-                        case .success(let executable):
-                            guard self?.shouldExecutableBeAdded(executable) ?? false else {
-                                let error = LoadExecutableError.executableAlreadyExists
-                                self?.showAlert(error, for: window)
-                                return
-                            }
-                            block(executable)
-                        case .failure(let error):
-                            self?.showAlert(error, for: window)
-                            self?.logger.error("\(error)")
+                    do {
+                        let executable = try self.model.loadExecutable(url: $0)
+                        guard self.shouldExecutableBeAdded(executable) else {
+                            let error = LoadExecutableError.executableAlreadyExists
+                            self.showAlert(error, for: window)
+                            return
+                        }
+                        block(executable)
+                    } catch {
+                        if let loadError = error as? LoadExecutableError {
+                            self.showAlert(loadError, for: window)
                         }
+                        self.logger.error("\(error)")
                     }
                 }
             }
@@ -405,25 +405,25 @@ extension TCCProfileViewController: NSTableViewDataSource {
 
         var addedAny = false
         urls?.forEach { (url) in
-            model.loadExecutable(url: url) { [weak self] result in
-                switch result {
-                case .success(let newExecutable):
-                    if tableView == self?.executablesTable {
-                        guard self?.executablesAC.canInsert ?? false else {
-                            return
-                        }
-                        if self?.shouldExecutableBeAdded(newExecutable) ?? false {
-                            self?.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
-                            addedAny = true
-                        }
-                    } else {
-                        self?.insertIntoAppleEvents(newExecutable)
+            do {
+                let newExecutable = try model.loadExecutable(url: url)
+                if tableView == self.executablesTable {
+                    guard self.executablesAC.canInsert else {
+                        return
+                    }
+                    if self.shouldExecutableBeAdded(newExecutable) {
+                        self.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
                         addedAny = true
                     }
-                case .failure(let error):
-                    self?.showAlert(error, for: window)
-                    self?.logger.error("\(error)")
+                } else {
+                    self.insertIntoAppleEvents(newExecutable)
+                    addedAny = true
+                }
+            } catch {
+                if let loadError = error as? LoadExecutableError {
+                    self.showAlert(loadError, for: window)
                 }
+                self.logger.error("\(error)")
             }
         }
 

From 542a2873ca37fb3807c3d85ede0fc8ed06e7602a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:37:56 +0000
Subject: [PATCH 13/53] Stage 3d: Convert TCCProfileImporter to direct return

Replace completion handler pattern with throws -> TCCProfile since
the work is synchronous (decode data, read file).

Changes:
- TCCProfileImporter.decodeTCCProfile(data:) now throws -> TCCProfile
- TCCProfileImporter.decodeTCCProfile(fileUrl:) now throws -> TCCProfile
- Remove TCCProfileImportCompletion typealias
- TCCProfileConfigurationPanel: uses try/catch in panel callback
- TCCProfileImporterTests: updated to use try/catch pattern

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 .../TCCProfileImporterTests.swift             | 66 +++++++------------
 .../TCCProfileConfigurationPanel.swift        | 18 +++--
 .../TCCProfileImporter.swift                  | 31 +++++----
 3 files changed, 53 insertions(+), 62 deletions(-)

diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift
index a70dc76..696f06e 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
@@ -37,14 +37,12 @@ class TCCProfileImporterTests: XCTestCase {
 
         let resourceURL = getResourceProfile(fileName: "TestTCCProfileSigned-Broken")
 
-        tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL) { tccProfileResult in
-            switch tccProfileResult {
-            case .success:
-                XCTFail("Malformed profile should not succeed")
-            case .failure(let tccProfileError):
-                if case TCCProfileImportError.invalidProfileFile = tccProfileError { } else {
-                    XCTFail("Expected invalidProfileFile error, got \(tccProfileError)")
-                }
+        do {
+            _ = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+            XCTFail("Malformed profile should not succeed")
+        } catch {
+            if case TCCProfileImportError.invalidProfileFile = error { } else {
+                XCTFail("Expected invalidProfileFile error, got \(error)")
             }
         }
     }
@@ -56,46 +54,32 @@ class TCCProfileImporterTests: XCTestCase {
 
         let expectedTCCProfileError = TCCProfileImportError.invalidProfileFile(description: "PayloadContent")
 
-        tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL) { tccProfileResult in
-            switch tccProfileResult {
-            case .success:
-                XCTFail("Empty Content, it shouldn't be success")
-            case .failure(let tccProfileError):
-                XCTAssertEqual(tccProfileError.localizedDescription, expectedTCCProfileError.localizedDescription)
-            }
+        do {
+            _ = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+            XCTFail("Empty Content, it shouldn't be success")
+        } catch {
+            XCTAssertEqual(error.localizedDescription, expectedTCCProfileError.localizedDescription)
         }
     }
 
-    func testCorrectUnsignedProfileContentData() {
+    func testCorrectUnsignedProfileContentData() throws {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile")
 
-        tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL) { tccProfileResult in
-            switch tccProfileResult {
-            case .success(let tccProfile):
-                XCTAssertNotNil(tccProfile.content)
-                XCTAssertNotNil(tccProfile.content[0].services)
-            case .failure(let tccProfileError):
-                XCTFail("Unable to read tccProfile \(tccProfileError.localizedDescription)")
-            }
-        }
+        let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+        XCTAssertNotNil(tccProfile.content)
+        XCTAssertNotNil(tccProfile.content[0].services)
     }
 
-    func testCorrectUnsignedProfileContentDataAllLowercase() {
+    func testCorrectUnsignedProfileContentDataAllLowercase() throws {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile-allLower")
 
-        tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL) { tccProfileResult in
-            switch tccProfileResult {
-            case .success(let tccProfile):
-                XCTAssertNotNil(tccProfile.content)
-                XCTAssertNotNil(tccProfile.content[0].services)
-            case .failure(let tccProfileError):
-                XCTFail("Unable to read tccProfile \(tccProfileError.localizedDescription)")
-            }
-        }
+        let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+        XCTAssertNotNil(tccProfile.content)
+        XCTAssertNotNil(tccProfile.content[0].services)
     }
 
     func testBrokenUnsignedProfile() {
@@ -105,13 +89,11 @@ class TCCProfileImporterTests: XCTestCase {
 
         let expectedTCCProfileError = TCCProfileImportError.invalidProfileFile(description: "The given data was not a valid property list.")
 
-        tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL) { tccProfileResult in
-            switch tccProfileResult {
-            case .success:
-                XCTFail("Broken Unsigned Profile, it shouldn't be success")
-            case .failure(let tccProfileError):
-                XCTAssertEqual(tccProfileError.localizedDescription, expectedTCCProfileError.localizedDescription)
-            }
+        do {
+            _ = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+            XCTFail("Broken Unsigned Profile, it shouldn't be success")
+        } catch {
+            XCTAssertEqual(error.localizedDescription, expectedTCCProfileError.localizedDescription)
         }
     }
 
diff --git a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
index c9fc3f6..f2f00b9 100644
--- a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
+++ b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
@@ -31,8 +31,11 @@ import Foundation
 class TCCProfileConfigurationPanel {
     /// Load TCC Profile data from file
      ///
-     /// - Parameter completion: TCCProfileImportCompletion - success with TCCProfile or failure with TCCProfileImport Error
-    func loadTCCProfileFromFile(importer: TCCProfileImporter, window: NSWindow, _ completion: @escaping TCCProfileImportCompletion) {
+     /// - Parameters:
+     ///   - importer: The TCCProfileImporter to use
+     ///   - window: The window to present the open panel in
+     ///   - completion: Called with the result of the import
+    func loadTCCProfileFromFile(importer: TCCProfileImporter, window: NSWindow, _ completion: @escaping (TCCProfileImportResult) -> Void) {
          let openPanel = NSOpenPanel.init()
          openPanel.allowedFileTypes = ["mobileconfig", "plist"]
          openPanel.allowsMultipleSelection = false
@@ -46,8 +49,15 @@ class TCCProfileConfigurationPanel {
                 completion(.failure(.cancelled))
              } else {
                  if let result = openPanel.url {
-                     importer.decodeTCCProfile(fileUrl: result) { tccProfileResult in
-                         return completion(tccProfileResult)
+                     do {
+                         let tccProfile = try importer.decodeTCCProfile(fileUrl: result)
+                         completion(.success(tccProfile))
+                     } catch {
+                         if let importError = error as? TCCProfileImportError {
+                             completion(.failure(importError))
+                         } else {
+                             completion(.failure(.invalidProfileFile(description: error.localizedDescription)))
+                         }
                      }
                  } else {
                      completion(.failure(TCCProfileImportError.unableToOpenFile))
diff --git a/Source/TCCProfileImporter/TCCProfileImporter.swift b/Source/TCCProfileImporter/TCCProfileImporter.swift
index 0ac1111..3157d0d 100644
--- a/Source/TCCProfileImporter/TCCProfileImporter.swift
+++ b/Source/TCCProfileImporter/TCCProfileImporter.swift
@@ -28,45 +28,44 @@
 import Foundation
 
 typealias TCCProfileImportResult = Result<TCCProfile, TCCProfileImportError>
-typealias TCCProfileImportCompletion = ((TCCProfileImportResult) -> Void)
 
 /// Load tcc profiles
 public class TCCProfileImporter {
 
     // MARK: Load TCCProfile
 
-    /// Mapping & Decoding tcc profile
+    /// Mapping & Decoding tcc profile from data
     ///
-    /// - Parameter fileUrl: path with a file to load, completion: TCCProfileImportCompletion - success with TCCProfile or failure with TCCProfileImport Error
-    func decodeTCCProfile(data: Data, _ completion: @escaping TCCProfileImportCompletion) {
+    /// - Parameter data: The raw data to decode
+    /// - Returns: The decoded TCCProfile
+    func decodeTCCProfile(data: Data) throws -> TCCProfile {
         do {
             // Note that parse will ignore the signing portion of the data
-            let tccProfile = try TCCProfile.parse(from: data)
-            return completion(.success(tccProfile))
+            return try TCCProfile.parse(from: data)
         } catch TCCProfile.ParseError.failedToCreateDecoder {
-            return completion(.failure(.decodeProfileError))
+            throw TCCProfileImportError.decodeProfileError
         } catch let DecodingError.keyNotFound(codingKey, _) {
-            return completion(TCCProfileImportResult.failure(.invalidProfileFile(description: codingKey.stringValue)))
+            throw TCCProfileImportError.invalidProfileFile(description: codingKey.stringValue)
         } catch let DecodingError.typeMismatch(type, context) {
             let errorDescription = "Type \(type) mismatch: \(context.debugDescription) codingPath: \(context.codingPath)"
-            return completion(.failure(.invalidProfileFile(description: errorDescription)))
+            throw TCCProfileImportError.invalidProfileFile(description: errorDescription)
         } catch let error as NSError {
             let errorDescription = error.userInfo["NSDebugDescription"] as? String
-            return completion(.failure(.invalidProfileFile(description: errorDescription ?? error.localizedDescription)))
+            throw TCCProfileImportError.invalidProfileFile(description: errorDescription ?? error.localizedDescription)
         }
     }
 
-    /// Mapping & Decoding tcc profile
+    /// Mapping & Decoding tcc profile from a file URL
     ///
-    /// - Parameter fileUrl: path with a file to load, completion: TCCProfileImportCompletion - success with TCCProfile or failure with TCCProfileImport Error
-    func decodeTCCProfile(fileUrl: URL, _ completion: @escaping TCCProfileImportCompletion) {
+    /// - Parameter fileUrl: path with a file to load
+    /// - Returns: The decoded TCCProfile
+    func decodeTCCProfile(fileUrl: URL) throws -> TCCProfile {
         let data: Data
         do {
             data = try Data(contentsOf: fileUrl)
-            return decodeTCCProfile(data: data, completion)
         } catch {
-            return completion(.failure(.unableToOpenFile))
+            throw TCCProfileImportError.unableToOpenFile
         }
-
+        return try decodeTCCProfile(data: data)
     }
 }

From f38e4fcd1420cc5b3bfe4d868cda4ffba3ea844a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:41:28 +0000
Subject: [PATCH 14/53] Stage 4: Add @concurrent for background I/O

Mark SecurityWrapper and Model methods with @concurrent to move disk
I/O and security operations off MainActor onto the cooperative pool.

Changes:
- SecurityWrapper.copyDesignatedRequirement: @concurrent async throws
- SecurityWrapper.sign: @concurrent async throws
- SecurityWrapper.loadSigningIdentities: @concurrent async throws
- Model.loadExecutable: @concurrent async throws -> Executable
- Model.getAppleEventChoices: now async (calls loadExecutable)
- Model.getExecutableFrom/findExecutable: now async
- Model.getExecutablesFromAllPolicies: now async
- Model.importProfile: now async
- All callers updated to use Task/await where needed
- ModelTests: updated to async test methods

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 PPPC UtilityTests/ModelTests/ModelTests.swift | 54 +++++------
 Source/Model/Model.swift                      | 30 +++---
 Source/SecurityWrapper.swift                  |  6 +-
 .../View Controllers/OpenViewController.swift | 24 +++--
 .../View Controllers/SaveViewController.swift | 36 ++++---
 .../TCCProfileViewController.swift            | 97 ++++++++++---------
 6 files changed, 131 insertions(+), 116 deletions(-)

diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index 85ea06e..5021027 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -41,13 +41,13 @@ class ModelTests: XCTestCase {
 
     // MARK: - tests for getExecutableFrom*
 
-    func testGetExecutableBasedOnIdentifierAndCodeRequirement_BundleIdentifierType() {
+    func testGetExecutableBasedOnIdentifierAndCodeRequirement_BundleIdentifierType() async {
         // given
             let identifier = "com.example.App"
             let codeRequirement = "testCodeRequirement"
 
         // when
-            let executable = model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
+            let executable = await model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
 
         // then
             XCTAssertEqual(executable.displayName, "App")
@@ -55,13 +55,13 @@ class ModelTests: XCTestCase {
             XCTAssertEqual(executable.iconPath, IconFilePath.application)
     }
 
-    func testGetExecutableBasedOnIdentifierAndCodeRequirement_PathIdentifierType() {
+    func testGetExecutableBasedOnIdentifierAndCodeRequirement_PathIdentifierType() async {
         // given
         let identifier = "/myGreatPath/Awesome/Binary"
         let codeRequirement = "testCodeRequirement"
 
         // when
-        let executable = model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
+        let executable = await model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
 
         // then
         XCTAssertEqual(executable.displayName, "Binary")
@@ -69,13 +69,13 @@ class ModelTests: XCTestCase {
         XCTAssertEqual(executable.iconPath, IconFilePath.binary)
     }
 
-    func testGetExecutableFromComputerBasedOnIdentifier() {
+    func testGetExecutableFromComputerBasedOnIdentifier() async {
         // given
             let identifier = "com.apple.Safari"
             let codeRequirement = "randomReq"
 
         // when
-            let executable = model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
+            let executable = await model.getExecutableFrom(identifier: identifier, codeRequirement: codeRequirement)
 
         // then
             XCTAssertEqual(executable.displayName, "Safari")
@@ -83,11 +83,11 @@ class ModelTests: XCTestCase {
             XCTAssertNotEqual(codeRequirement, executable.codeRequirement)
     }
 
-    func testGetExecutableFromSelectedExecutables() {
+    func testGetExecutableFromSelectedExecutables() async {
         // given
         let expectedIdentifier = "com.something.1"
-        let executable = model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
-        let executableSecond = model.getExecutableFrom(identifier: "com.something.2", codeRequirement: "testReq2")
+        let executable = await model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
+        let executableSecond = await model.getExecutableFrom(identifier: "com.something.2", codeRequirement: "testReq2")
         model.selectedExecutables = [executable, executableSecond]
 
         // when
@@ -100,12 +100,12 @@ class ModelTests: XCTestCase {
         XCTAssertEqual(existingExecutable?.iconPath, IconFilePath.application)
     }
 
-    func testGetExecutableFromSelectedExecutables_Path() {
+    func testGetExecutableFromSelectedExecutables_Path() async {
         // given
         let expectedIdentifier = "/path/something/Special"
-        let executableOneMore = model.getExecutableFrom(identifier: "/path/something/Special1", codeRequirement: "testReq")
-        let executable = model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
-        let executableSecond = model.getExecutableFrom(identifier: "com.something.2", codeRequirement: "testReq2")
+        let executableOneMore = await model.getExecutableFrom(identifier: "/path/something/Special1", codeRequirement: "testReq")
+        let executable = await model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
+        let executableSecond = await model.getExecutableFrom(identifier: "com.something.2", codeRequirement: "testReq2")
         model.selectedExecutables = [executableOneMore, executable, executableSecond]
 
         // when
@@ -186,84 +186,84 @@ class ModelTests: XCTestCase {
 
     // MARK: - tests for importProfile
 
-    func testImportProfileUsingAuthorizationKeyAllow() {
+    func testImportProfileUsingAuthorizationKeyAllow() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(authorization: .allow)
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Allow", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingAuthorizationKeyDeny() {
+    func testImportProfileUsingAuthorizationKeyDeny() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(authorization: .deny)
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Deny", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingAuthorizationKeyAllowStandardUsers() {
+    func testImportProfileUsingAuthorizationKeyAllowStandardUsers() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(authorization: .allowStandardUserToSetSystemService)
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Let Standard Users Approve", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingLegacyAllowKeyTrue() {
+    func testImportProfileUsingLegacyAllowKeyTrue() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(allowed: true)
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Allow", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingLegacyAllowKeyFalse() {
+    func testImportProfileUsingLegacyAllowKeyFalse() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(allowed: false)
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Deny", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingAuthorizationKeyThatIsInvalid() {
+    func testImportProfileUsingAuthorizationKeyThatIsInvalid() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(authorization: "invalidkey")
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
         XCTAssertEqual("Deny", model.selectedExecutables.first?.policy.SystemPolicyAllFiles)
     }
 
-    func testImportProfileUsingAuthorizationKeyTranslatesToAppleEvents() {
+    func testImportProfileUsingAuthorizationKeyTranslatesToAppleEvents() async {
         // given
         let profile = TCCProfileBuilder().buildProfile(authorization: "deny")
 
         // when
-        model.importProfile(tccProfile: profile)
+        await model.importProfile(tccProfile: profile)
 
         // then
         XCTAssertEqual(1, model.selectedExecutables.count)
diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index a838ded..6dc6ae5 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -37,23 +37,23 @@ import OSLog
 
     let logger = Logger.Model
 
-    func getAppleEventChoices(executable: Executable) -> [Executable] {
+    func getAppleEventChoices(executable: Executable) async -> [Executable] {
         var executables: [Executable] = []
 
         do {
-            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")))
+            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")))
         } catch {
             self.logger.error("\(error)")
         }
 
         do {
-            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")))
+            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")))
         } catch {
             self.logger.error("\(error)")
         }
 
         do {
-            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")))
+            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")))
         } catch {
             self.logger.error("\(error)")
         }
@@ -81,7 +81,7 @@ typealias LoadExecutableResult = Result<Executable, LoadExecutableError>
 
 extension Model {
 
-    func loadExecutable(url: URL) throws -> Executable {
+    @concurrent func loadExecutable(url: URL) async throws -> Executable {
         let executable = Executable()
 
         if let bundle = Bundle(url: url) {
@@ -100,7 +100,7 @@ extension Model {
         }
 
         do {
-            executable.codeRequirement = try SecurityWrapper.copyDesignatedRequirement(url: url)
+            executable.codeRequirement = try await SecurityWrapper.copyDesignatedRequirement(url: url)
             store[executable.identifier] = executable
             return executable
         } catch {
@@ -200,14 +200,14 @@ extension Model {
                           services: services)
     }
 
-    func importProfile(tccProfile: TCCProfile) {
+    func importProfile(tccProfile: TCCProfile) async {
         if let content = tccProfile.content.first {
             self.cleanUpAndRemoveDependencies()
 
             self.importedTCCProfile = tccProfile
 
             for (key, policies) in content.services {
-                getExecutablesFromAllPolicies(policies: policies)
+                await getExecutablesFromAllPolicies(policies: policies)
 
                 for policy in policies {
                     let executable = getExecutableFromSelectedExecutables(bundleIdentifier: policy.identifier)
@@ -215,7 +215,7 @@ extension Model {
                         if let source = executable,
                             let rIdentifier = policy.receiverIdentifier,
                             let rCodeRequirement = policy.receiverCodeRequirement {
-                            let destination = getExecutableFrom(identifier: rIdentifier, codeRequirement: rCodeRequirement)
+                            let destination = await getExecutableFrom(identifier: rIdentifier, codeRequirement: rCodeRequirement)
                             let allowed: Bool = (policy.allowed == true || policy.authorization == TCCPolicyAuthorizationValue.allow)
                             let appleEvent = AppleEventRule(source: source, destination: destination, value: allowed)
                             executable?.appleEvents.appendIfNew(appleEvent)
@@ -252,9 +252,9 @@ extension Model {
         return policy
     }
 
-    func getExecutablesFromAllPolicies(policies: [TCCPolicy]) {
+    func getExecutablesFromAllPolicies(policies: [TCCPolicy]) async {
         for tccPolicy in policies where getExecutableFromSelectedExecutables(bundleIdentifier: tccPolicy.identifier) == nil {
-			let executable = getExecutableFrom(identifier: tccPolicy.identifier, codeRequirement: tccPolicy.codeRequirement)
+			let executable = await getExecutableFrom(identifier: tccPolicy.identifier, codeRequirement: tccPolicy.codeRequirement)
 			self.selectedExecutables.append(executable)
         }
     }
@@ -266,10 +266,10 @@ extension Model {
         return nil
     }
 
-    func getExecutableFrom(identifier: String, codeRequirement: String) -> Executable {
+    func getExecutableFrom(identifier: String, codeRequirement: String) async -> Executable {
         var executable = Executable(identifier: identifier, codeRequirement: codeRequirement)
         do {
-            executable = try findExecutable(bundleIdentifier: identifier)
+            executable = try await findExecutable(bundleIdentifier: identifier)
         } catch {
             self.logger.error("\(error)")
         }
@@ -277,7 +277,7 @@ extension Model {
         return executable
     }
 
-    private func findExecutable(bundleIdentifier: String) throws -> Executable {
+    private func findExecutable(bundleIdentifier: String) async throws -> Executable {
 		var urlToLoad: URL?
         if bundleIdentifier.contains("/") {
 			urlToLoad = URL(string: "file://\(bundleIdentifier)")
@@ -286,7 +286,7 @@ extension Model {
         }
 
 		if let fileURL = urlToLoad {
-            return try self.loadExecutable(url: fileURL)
+            return try await self.loadExecutable(url: fileURL)
         }
         throw LoadExecutableError.executableNotFound
     }
diff --git a/Source/SecurityWrapper.swift b/Source/SecurityWrapper.swift
index ad83621..4f4e775 100644
--- a/Source/SecurityWrapper.swift
+++ b/Source/SecurityWrapper.swift
@@ -70,7 +70,7 @@ struct SecurityWrapper {
 		return nil
     }
 
-    static func copyDesignatedRequirement(url: URL) throws -> String {
+    @concurrent static func copyDesignatedRequirement(url: URL) async throws -> String {
         let flags = SecCSFlags(rawValue: 0)
         var staticCode: SecStaticCode?
         var requirement: SecRequirement?
@@ -83,7 +83,7 @@ struct SecurityWrapper {
         return text! as String
     }
 
-    static func sign(data: Data, using identity: SecIdentity) throws -> Data {
+    @concurrent static func sign(data: Data, using identity: SecIdentity) async throws -> Data {
 
         var outputData: CFData?
         var encoder: CMSEncoder?
@@ -96,7 +96,7 @@ struct SecurityWrapper {
         return outputData! as Data
     }
 
-    static func loadSigningIdentities() throws -> [SigningIdentity] {
+    @concurrent static func loadSigningIdentities() async throws -> [SigningIdentity] {
 		let haversack = Haversack()
 		let query = IdentityQuery().matching(mustBeValidOnDate: Date()).returning(.reference)
 
diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index 3e622fa..f36f2a4 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -43,7 +43,9 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
         //  Reload executables
         current = Model.shared.current
         if let value = current {
-            choices = Model.shared.getAppleEventChoices(executable: value)
+            Task {
+                choices = await Model.shared.getAppleEventChoices(executable: value)
+            }
         }
     }
 
@@ -62,18 +64,20 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
         panel.directoryURL = URL(fileURLWithPath: "/Applications", isDirectory: true)
         panel.begin { response in
             if response == .OK {
-                var selections: [LoadExecutableResult] = []
-                panel.urls.forEach {
-                    do {
-                        let executable = try Model.shared.loadExecutable(url: $0)
-                        selections.append(.success(executable))
-                    } catch {
-                        if let loadError = error as? LoadExecutableError {
-                            selections.append(.failure(loadError))
+                Task {
+                    var selections: [LoadExecutableResult] = []
+                    for url in panel.urls {
+                        do {
+                            let executable = try await Model.shared.loadExecutable(url: url)
+                            selections.append(.success(executable))
+                        } catch {
+                            if let loadError = error as? LoadExecutableError {
+                                selections.append(.failure(loadError))
+                            }
                         }
                     }
+                    block?(selections)
                 }
-                block?(selections)
             }
         }
     }
diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index 28a0558..6feb725 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -91,12 +91,14 @@ class SaveViewController: NSViewController {
     override func viewDidLoad() {
         super.viewDidLoad()
         payloadIdentifier = UUID().uuidString
-        do {
-            var identities = try SecurityWrapper.loadSigningIdentities()
-            identities.insert(SigningIdentity(name: "Not signed", reference: nil), at: 0)
-            identitiesPopUpAC.add(contentsOf: identities)
-        } catch {
-            logger.error("Error loading identities: \(error)")
+        Task {
+            do {
+                var identities = try await SecurityWrapper.loadSigningIdentities()
+                identities.insert(SigningIdentity(name: "Not signed", reference: nil), at: 0)
+                identitiesPopUpAC.add(contentsOf: identities)
+            } catch {
+                logger.error("Error loading identities: \(error)")
+            }
         }
 
         loadImportedTCCProfileInfo()
@@ -131,18 +133,20 @@ class SaveViewController: NSViewController {
                                           identifier: payloadIdentifier,
                                           displayName: payloadName,
                                           payloadDescription: payloadDescription ?? payloadName)
-        do {
-            var outputData = try profile.xmlData()
-            if let identity = identitiesPopUpAC.selectedObjects.first as? SigningIdentity, let ref = identity.reference {
-                logger.info("Signing profile with \(identity.displayName)")
-                outputData = try SecurityWrapper.sign(data: outputData, using: ref)
+        Task {
+            do {
+                var outputData = try profile.xmlData()
+                if let identity = identitiesPopUpAC.selectedObjects.first as? SigningIdentity, let ref = identity.reference {
+                    logger.info("Signing profile with \(identity.displayName)")
+                    outputData = try await SecurityWrapper.sign(data: outputData, using: ref)
+                }
+                try outputData.write(to: url)
+                logger.info("Saved successfully")
+            } catch {
+                logger.error("Error: \(error)")
             }
-            try outputData.write(to: url)
-            logger.info("Saved successfully")
-        } catch {
-            logger.error("Error: \(error)")
+            self.dismiss(nil)
         }
-        self.dismiss(nil)
     }
 
     func loadImportedTCCProfileInfo() {
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 5f40d5a..4d3378c 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -147,21 +147,23 @@ class TCCProfileViewController: NSViewController {
     let logger = Logger.TCCProfileViewController
 
 	@IBAction func uploadAction(_ sender: NSButton) {
-		let identities: [SigningIdentity]
-		do {
-			identities = try SecurityWrapper.loadSigningIdentities()
-		} catch {
-			identities = []
-            logger.error("Error loading identities: \(error.localizedDescription)")
-		}
+		Task {
+			let identities: [SigningIdentity]
+			do {
+				identities = try await SecurityWrapper.loadSigningIdentities()
+			} catch {
+				identities = []
+				logger.error("Error loading identities: \(error.localizedDescription)")
+			}
 
-		let uploadView = UploadInfoView(signingIdentities: identities) {
-			// Dismiss the sheet when the UploadInfoView decides it is done
-			if let controller = self.presentedViewControllers?.first {
-				self.dismiss(controller)
+			let uploadView = UploadInfoView(signingIdentities: identities) {
+				// Dismiss the sheet when the UploadInfoView decides it is done
+				if let controller = self.presentedViewControllers?.first {
+					self.dismiss(controller)
+				}
 			}
+			self.presentAsSheet(NSHostingController(rootView: uploadView))
 		}
-		self.presentAsSheet(NSHostingController(rootView: uploadView))
 	}
 
     fileprivate func showAlert(_ error: LocalizedError, for window: NSWindow) {
@@ -185,7 +187,9 @@ class TCCProfileViewController: NSViewController {
             guard let weakSelf = self else { return }
             switch tccProfileResult {
             case .success(let tccProfile):
-                weakSelf.model.importProfile(tccProfile: tccProfile)
+                Task {
+                    await weakSelf.model.importProfile(tccProfile: tccProfile)
+                }
             case .failure(let tccProfileImportError):
                 if !tccProfileImportError.isCancelled {
                     weakSelf.showAlert(tccProfileImportError, for: window)
@@ -204,20 +208,22 @@ class TCCProfileViewController: NSViewController {
         }
         panel.begin { response in
             if response == .OK {
-                panel.urls.forEach {
-                    do {
-                        let executable = try self.model.loadExecutable(url: $0)
-                        guard self.shouldExecutableBeAdded(executable) else {
-                            let error = LoadExecutableError.executableAlreadyExists
-                            self.showAlert(error, for: window)
-                            return
-                        }
-                        block(executable)
-                    } catch {
-                        if let loadError = error as? LoadExecutableError {
-                            self.showAlert(loadError, for: window)
+                Task {
+                    for url in panel.urls {
+                        do {
+                            let executable = try await self.model.loadExecutable(url: url)
+                            guard self.shouldExecutableBeAdded(executable) else {
+                                let error = LoadExecutableError.executableAlreadyExists
+                                self.showAlert(error, for: window)
+                                continue
+                            }
+                            block(executable)
+                        } catch {
+                            if let loadError = error as? LoadExecutableError {
+                                self.showAlert(loadError, for: window)
+                            }
+                            self.logger.error("\(error)")
                         }
-                        self.logger.error("\(error)")
                     }
                 }
             }
@@ -403,31 +409,32 @@ extension TCCProfileViewController: NSTableViewDataSource {
 
         guard let window = self.view.window else { return false }
 
-        var addedAny = false
-        urls?.forEach { (url) in
-            do {
-                let newExecutable = try model.loadExecutable(url: url)
-                if tableView == self.executablesTable {
-                    guard self.executablesAC.canInsert else {
-                        return
+        guard let urls = urls, !urls.isEmpty else { return false }
+
+        Task {
+            for url in urls {
+                do {
+                    let newExecutable = try await model.loadExecutable(url: url)
+                    if tableView == self.executablesTable {
+                        guard self.executablesAC.canInsert else {
+                            continue
+                        }
+                        if self.shouldExecutableBeAdded(newExecutable) {
+                            self.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
+                        }
+                    } else {
+                        self.insertIntoAppleEvents(newExecutable)
                     }
-                    if self.shouldExecutableBeAdded(newExecutable) {
-                        self.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
-                        addedAny = true
+                } catch {
+                    if let loadError = error as? LoadExecutableError {
+                        self.showAlert(loadError, for: window)
                     }
-                } else {
-                    self.insertIntoAppleEvents(newExecutable)
-                    addedAny = true
-                }
-            } catch {
-                if let loadError = error as? LoadExecutableError {
-                    self.showAlert(loadError, for: window)
+                    self.logger.error("\(error)")
                 }
-                self.logger.error("\(error)")
             }
         }
 
-        return addedAny
+        return true
     }
 
 }

From 23583a42c6f131aac6a1d1181b29505c287a4030 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:42:44 +0000
Subject: [PATCH 15/53] Stage 5: Enable Swift 6 language mode

Flip SWIFT_VERSION from 5.0 to 6.0 so all concurrency warnings become
hard errors. Fix override isolation mismatches.

Changes:
- SWIFT_VERSION = 6.0 in all 4 build configurations
- SaveViewController.observeValue: add nonisolated + MainActor.assumeIsolated
- ModelTests.setUp: add nonisolated + MainActor.assumeIsolated
- Update plan document to reflect all stages complete

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 PPPC Utility.xcodeproj/project.pbxproj           |  8 ++++----
 PPPC UtilityTests/ModelTests/ModelTests.swift    |  6 ++++--
 Source/View Controllers/SaveViewController.swift | 12 +++++++-----
 docs/plans/approachable-concurrency.md           | 14 +++++++-------
 4 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index fd7dfb4..551b2de 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -586,7 +586,7 @@
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Debug;
@@ -612,7 +612,7 @@
 				SWIFT_APPROACHABLE_CONCURRENCY = YES;
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Release;
@@ -756,7 +756,7 @@
 				SWIFT_APPROACHABLE_CONCURRENCY = YES;
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 			};
 			name = Debug;
 		};
@@ -782,7 +782,7 @@
 				SWIFT_APPROACHABLE_CONCURRENCY = YES;
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 			};
 			name = Release;
 		};
diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index 5021027..6bb3e5a 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -34,9 +34,11 @@ class ModelTests: XCTestCase {
 
     var model: Model!
 
-    override func setUp() {
+    nonisolated override func setUp() {
         super.setUp()
-        model = Model()
+        MainActor.assumeIsolated {
+            model = Model()
+        }
     }
 
     // MARK: - tests for getExecutableFrom*
diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index 6feb725..7dd9b9d 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -118,11 +118,13 @@ class SaveViewController: NSViewController {
     }
 
     // swiftlint:disable:next block_based_kvo
-    override func observeValue(forKeyPath keyPath: String?, of object: Any?, change: [NSKeyValueChangeKey: Any]?, context: UnsafeMutableRawPointer?) {
-        if context == &SaveViewController.saveProfileKVOContext {
-            updateIsReadyToSave()
-        } else {
-            super.observeValue(forKeyPath: keyPath, of: object, change: change, context: context)
+    nonisolated override func observeValue(forKeyPath keyPath: String?, of object: Any?, change: [NSKeyValueChangeKey: Any]?, context: UnsafeMutableRawPointer?) {
+        MainActor.assumeIsolated {
+            if context == &SaveViewController.saveProfileKVOContext {
+                updateIsReadyToSave()
+            } else {
+                super.observeValue(forKeyPath: keyPath, of: object, change: change, context: context)
+            }
         }
     }
 
diff --git a/docs/plans/approachable-concurrency.md b/docs/plans/approachable-concurrency.md
index 127629f..7ea242f 100644
--- a/docs/plans/approachable-concurrency.md
+++ b/docs/plans/approachable-concurrency.md
@@ -17,13 +17,13 @@ PPPC Utility is on Swift 5.0 with zero concurrency checking. The goal is to adop
 | PR | Stage | Status | Description |
 |----|-------|--------|-------------|
 | 1 | Stage 1 | ✅ Done | Enable Approachable Concurrency build settings |
-| 2 | Stage 2 | Pending | Remove `NetworkAuthManager` actor → class |
-| 3a | Stage 3a | Pending | Remove 3 `DispatchQueue.main.async` wrappers |
-| 3b | Stage 3b | Pending | Convert `UploadManager` to async throws |
-| 3c | Stage 3c | Pending | Convert `Model.loadExecutable` to direct return |
-| 3d | Stage 3d | Pending | Convert `TCCProfileImporter` to direct return |
-| 4 | Stage 4 | Pending | Add `@concurrent` for background I/O |
-| 5 | Stage 5 | Pending | Enable Swift 6 language mode (warnings → errors) |
+| 2 | Stage 2 | ✅ Done | Remove `NetworkAuthManager` actor → class |
+| 3a | Stage 3a | ✅ Done | Remove 3 `DispatchQueue.main.async` wrappers |
+| 3b | Stage 3b | ✅ Done | Convert `UploadManager` to async throws |
+| 3c | Stage 3c | ✅ Done | Convert `Model.loadExecutable` to direct return |
+| 3d | Stage 3d | ✅ Done | Convert `TCCProfileImporter` to direct return |
+| 4 | Stage 4 | ✅ Done | Add `@concurrent` for background I/O |
+| 5 | Stage 5 | ✅ Done | Enable Swift 6 language mode (warnings → errors) |
 
 PRs 3a–3d can be one PR or individual PRs — each is independently functional. PR 4 depends on PR 3c. PR 5 depends on all prior stages.
 

From c24c1e9f8aac467f44ac5c5285215c6f960ec6e8 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 31 Mar 2026 12:12:39 -0500
Subject: [PATCH 16/53] create-separate story/JPCFM-5564 Fix failing build and
 tests

---
 PPPC Utility.xcodeproj/project.pbxproj           | 12 ++++++------
 PPPC UtilityTests/Helpers/ModelBuilder.swift     |  1 +
 PPPC UtilityTests/ModelTests/ModelTests.swift    |  2 +-
 .../ModelTests/PPPCServicesManagerTests.swift    | 12 ++++++------
 .../ModelTests/SemanticVersionTests.swift        |  2 +-
 .../NetworkingTests/JamfProAPIClientTests.swift  |  4 ++--
 .../NetworkAuthManagerTests.swift                |  8 ++++----
 .../NetworkingTests/TokenTests.swift             |  2 +-
 .../TCCProfileImporterTests.swift                | 12 ++++++------
 .../TCCProfileTests.swift                        | 16 ++++++++--------
 Source/AppDelegate.swift                         |  2 +-
 Source/Model/Model.swift                         |  2 +-
 Source/Model/SigningIdentity.swift               |  8 ++++----
 Source/Model/TCCProfile.swift                    |  4 ++--
 Source/Networking/UploadManager.swift            |  2 +-
 Source/SecurityWrapper.swift                     |  9 ++++++---
 Source/View Controllers/SaveViewController.swift |  8 ++++----
 17 files changed, 55 insertions(+), 51 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 551b2de..5d1b451 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -572,7 +572,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = 483DWKW443;
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -586,7 +586,7 @@
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 6.0;
+				SWIFT_VERSION = 5.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Debug;
@@ -599,7 +599,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = 483DWKW443;
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -612,7 +612,7 @@
 				SWIFT_APPROACHABLE_CONCURRENCY = YES;
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 6.0;
+				SWIFT_VERSION = 5.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Release;
@@ -742,7 +742,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = 483DWKW443;
 				ENABLE_HARDENED_RUNTIME = NO;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -768,7 +768,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = 483DWKW443;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
diff --git a/PPPC UtilityTests/Helpers/ModelBuilder.swift b/PPPC UtilityTests/Helpers/ModelBuilder.swift
index 30514ee..7073724 100644
--- a/PPPC UtilityTests/Helpers/ModelBuilder.swift	
+++ b/PPPC UtilityTests/Helpers/ModelBuilder.swift	
@@ -28,6 +28,7 @@ import Cocoa
 
 @testable import PPPC_Utility
 
+@MainActor
 class ModelBuilder {
 
     var model: Model
diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index 6bb3e5a..4556bc9 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -26,7 +26,7 @@
 //
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
diff --git a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift
index d92bc82..d8d5571 100644
--- a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
+++ b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
@@ -26,13 +26,13 @@
 //
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
 class PPPCServicesManagerTests: XCTestCase {
 
-    func testLoadAllServices() {
+    @MainActor func testLoadAllServices() async {
         // given/when
         let actual = PPPCServicesManager()
 
@@ -40,7 +40,7 @@ class PPPCServicesManagerTests: XCTestCase {
         XCTAssertEqual(actual.allServices.count, 21)
     }
 
-    func testUserHelp_withEntitlements() throws {
+    @MainActor func testUserHelp_withEntitlements() async throws {
         // given
         let services = PPPCServicesManager()
         let service = try XCTUnwrap(services.allServices["Camera"])
@@ -52,7 +52,7 @@ class PPPCServicesManagerTests: XCTestCase {
         XCTAssertEqual(actual, "Use to deny specified apps access to the camera.\n\nMDM Key: Camera\nRelated entitlements: [\"com.apple.developer.avfoundation.multitasking-camera-access\", \"com.apple.security.device.camera\"]")
     }
 
-    func testUserHelp_withoutEntitlements() throws {
+    @MainActor func testUserHelp_withoutEntitlements() async throws {
         // given
         let services = PPPCServicesManager()
         let service = try XCTUnwrap(services.allServices["ScreenCapture"])
@@ -64,7 +64,7 @@ class PPPCServicesManagerTests: XCTestCase {
         XCTAssertEqual(actual, "Deny specified apps access to capture (read) the contents of the system display.\n\nMDM Key: ScreenCapture")
     }
 
-    func testCameraIsDenyOnly() throws {
+    @MainActor func testCameraIsDenyOnly() async throws {
         // given
         let services = PPPCServicesManager()
         let service = try XCTUnwrap(services.allServices["Camera"])
@@ -76,7 +76,7 @@ class PPPCServicesManagerTests: XCTestCase {
         XCTAssertTrue(actual)
     }
 
-    func testScreenCaptureAllowsStandardUsers() throws {
+    @MainActor func testScreenCaptureAllowsStandardUsers() async throws {
         // given
         let services = PPPCServicesManager()
         let service = try XCTUnwrap(services.allServices["ScreenCapture"])
diff --git a/PPPC UtilityTests/ModelTests/SemanticVersionTests.swift b/PPPC UtilityTests/ModelTests/SemanticVersionTests.swift
index 93e788c..2219545 100644
--- a/PPPC UtilityTests/ModelTests/SemanticVersionTests.swift	
+++ b/PPPC UtilityTests/ModelTests/SemanticVersionTests.swift	
@@ -27,7 +27,7 @@
 
 import Foundation
 @testable import PPPC_Utility
-import XCTest
+@preconcurrency import XCTest
 
 class SemanticVersionTests: XCTestCase {
     func testLessThan() {
diff --git a/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift b/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift
index 308decd..0deddb5 100644
--- a/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift	
@@ -6,12 +6,12 @@
 //  Copyright (c) 2023 Jamf Software
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
 class JamfProAPIClientTests: XCTestCase {
-	func testOAuthTokenRequest() throws {
+	@MainActor func testOAuthTokenRequest() async throws {
 		// given
 		let authManager = NetworkAuthManager(username: "", password: "")
 		let apiClient = JamfProAPIClient(serverUrlString: "https://something", tokenManager: authManager)
diff --git a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift
index 8cd1768..0d8c14e 100644
--- a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
@@ -26,7 +26,7 @@
 //
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
@@ -121,7 +121,7 @@ class NetworkAuthManagerTests: XCTestCase {
         }
     }
 
-    func testBasicAuthString() throws {
+    @MainActor func testBasicAuthString() async throws {
         // given
         let authManager = NetworkAuthManager(username: "test", password: "none")
 
@@ -132,7 +132,7 @@ class NetworkAuthManagerTests: XCTestCase {
         XCTAssertEqual(actual, "dGVzdDpub25l")
     }
 
-    func testBasicAuthStringEmptyUsername() throws {
+    @MainActor func testBasicAuthStringEmptyUsername() async throws {
         // given
         let authManager = NetworkAuthManager(username: "", password: "none")
 
@@ -146,7 +146,7 @@ class NetworkAuthManagerTests: XCTestCase {
         }
     }
 
-    func testBasicAuthStringEmptyPassword() throws {
+    @MainActor func testBasicAuthStringEmptyPassword() async throws {
         // given
         let authManager = NetworkAuthManager(username: "mine", password: "")
 
diff --git a/PPPC UtilityTests/NetworkingTests/TokenTests.swift b/PPPC UtilityTests/NetworkingTests/TokenTests.swift
index 973e1d5..4d02f10 100644
--- a/PPPC UtilityTests/NetworkingTests/TokenTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/TokenTests.swift	
@@ -26,7 +26,7 @@
 //
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift
index 696f06e..c6d7a9c 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
@@ -26,13 +26,13 @@
 //
 
 import Foundation
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
 class TCCProfileImporterTests: XCTestCase {
 
-    func testMalformedTCCProfile() {
+    @MainActor func testMalformedTCCProfile() async {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCProfileSigned-Broken")
@@ -47,7 +47,7 @@ class TCCProfileImporterTests: XCTestCase {
         }
     }
 
-    func testEmptyContentTCCProfile() {
+    @MainActor func testEmptyContentTCCProfile() async {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile-Empty")
@@ -62,7 +62,7 @@ class TCCProfileImporterTests: XCTestCase {
         }
     }
 
-    func testCorrectUnsignedProfileContentData() throws {
+    @MainActor func testCorrectUnsignedProfileContentData() async throws {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile")
@@ -72,7 +72,7 @@ class TCCProfileImporterTests: XCTestCase {
         XCTAssertNotNil(tccProfile.content[0].services)
     }
 
-    func testCorrectUnsignedProfileContentDataAllLowercase() throws {
+    @MainActor func testCorrectUnsignedProfileContentDataAllLowercase() async throws {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile-allLower")
@@ -82,7 +82,7 @@ class TCCProfileImporterTests: XCTestCase {
         XCTAssertNotNil(tccProfile.content[0].services)
     }
 
-    func testBrokenUnsignedProfile() {
+    @MainActor func testBrokenUnsignedProfile() async {
         let tccProfileImporter = TCCProfileImporter()
 
         let resourceURL = getResourceProfile(fileName: "TestTCCUnsignedProfile-Broken")
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift
index f643e93..d37b811 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
@@ -23,7 +23,7 @@
 //  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 //  SOFTWARE.
 //
-import XCTest
+@preconcurrency import XCTest
 
 @testable import PPPC_Utility
 
@@ -31,7 +31,7 @@ class TCCProfileTests: XCTestCase {
 
     // MARK: - tests for serializing to and from xml
 
-    func testSerializationOfComplexProfileUsingAuthorization() throws {
+    @MainActor func testSerializationOfComplexProfileUsingAuthorization() async throws {
         // when we export to xml and reimport it should still have the same attributes
         let plistData = try TCCProfileBuilder().buildProfile(authorization: .allowStandardUserToSetSystemService).xmlData()
         let profile = try TCCProfile.parse(from: plistData)
@@ -75,7 +75,7 @@ class TCCProfileTests: XCTestCase {
         }
     }
 
-    func testSerializationOfProfileUsingLegacyAllowedKey() throws {
+    @MainActor func testSerializationOfProfileUsingLegacyAllowedKey() async throws {
         // when we export to xml and reimport it should still have the same attributes
         let plistData = try TCCProfileBuilder().buildProfile(allowed: true).xmlData()
         let profile = try TCCProfile.parse(from: plistData)
@@ -119,7 +119,7 @@ class TCCProfileTests: XCTestCase {
         }
     }
 
-    func testSerializationOfProfileWhenBothAllowedAndAuthorizationUsed() throws {
+    @MainActor func testSerializationOfProfileWhenBothAllowedAndAuthorizationUsed() async throws {
         // when we export to xml and reimport it should still have the same attributes
         let plistData = try TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow).xmlData()
         let profile = try TCCProfile.parse(from: plistData)
@@ -146,7 +146,7 @@ class TCCProfileTests: XCTestCase {
 
     // unit tests for handling both Auth and allowed keys should fail?
 
-    func testSettingLegacyAllowValueNullifiesAuthorization() throws {
+    @MainActor func testSettingLegacyAllowValueNullifiesAuthorization() async throws {
         // given
         var tccPolicy = TCCPolicy(identifier: "id", codeRequirement: "req", receiverIdentifier: "recId", receiverCodeRequirement: "recreq")
         tccPolicy.authorization = .allow
@@ -159,7 +159,7 @@ class TCCProfileTests: XCTestCase {
         XCTAssertTrue(try XCTUnwrap(tccPolicy.allowed))
     }
 
-    func testSettingAuthorizationValueDoesNotNullifyAllowed() {
+    @MainActor func testSettingAuthorizationValueDoesNotNullifyAllowed() async {
         // given
         var tccPolicy = TCCPolicy(identifier: "id", codeRequirement: "req", receiverIdentifier: "recId", receiverCodeRequirement: "recreq")
         tccPolicy.allowed = false
@@ -172,13 +172,13 @@ class TCCProfileTests: XCTestCase {
         XCTAssertEqual(tccPolicy.authorization, TCCPolicyAuthorizationValue.allowStandardUserToSetSystemService)
     }
 
-    func testJamfProAPIData() throws {
+    func testJamfProAPIData() async throws {
         // given - build the test profile
         let tccProfile = TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow)
         let expected = try loadTextFile(fileName: "TestTCCProfileForJamfProAPI").trimmingCharacters(in: .whitespacesAndNewlines)
 
         // when - wrap in Jamf Pro API xml
-        let data = try tccProfile.jamfProAPIData(signingIdentity: nil, site: nil)
+        let data = try await tccProfile.jamfProAPIData(signingIdentity: nil, site: nil)
 
         // then
         let xmlString = String(data: data, encoding: .utf8)
diff --git a/Source/AppDelegate.swift b/Source/AppDelegate.swift
index ec32034..041ac5b 100644
--- a/Source/AppDelegate.swift
+++ b/Source/AppDelegate.swift
@@ -27,7 +27,7 @@
 
 import Cocoa
 
-@NSApplicationMain
+@main
 class AppDelegate: NSObject, NSApplicationDelegate {
 
     func applicationDidFinishLaunching(_ aNotification: Notification) {}
diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 6dc6ae5..3854d7f 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -81,7 +81,7 @@ typealias LoadExecutableResult = Result<Executable, LoadExecutableError>
 
 extension Model {
 
-    @concurrent func loadExecutable(url: URL) async throws -> Executable {
+    func loadExecutable(url: URL) async throws -> Executable {
         let executable = Executable()
 
         if let bundle = Bundle(url: url) {
diff --git a/Source/Model/SigningIdentity.swift b/Source/Model/SigningIdentity.swift
index 7ba021a..469412f 100644
--- a/Source/Model/SigningIdentity.swift
+++ b/Source/Model/SigningIdentity.swift
@@ -30,11 +30,11 @@ import Cocoa
 class SigningIdentity: NSObject {
 
     @objc dynamic var displayName: String
-    var reference: SecIdentity?
+    nonisolated(unsafe) var reference: SecIdentity?
 
-    init(name: String, reference: SecIdentity?) {
-        displayName = name
-        super.init()
+    nonisolated init(name: String, reference: SecIdentity?) {
+        self.displayName = name
         self.reference = reference
+        super.init()
     }
 }
diff --git a/Source/Model/TCCProfile.swift b/Source/Model/TCCProfile.swift
index 329228e..92b0e8d 100644
--- a/Source/Model/TCCProfile.swift
+++ b/Source/Model/TCCProfile.swift
@@ -160,11 +160,11 @@ public struct TCCProfile: Codable {
     ///   - signingIdentity: A signing identity; can be nil to leave the profile unsigned.
     ///   - site: A Jamf Pro site
     /// - Returns: XML data for use with the Jamf Pro API.
-    func jamfProAPIData(signingIdentity: SecIdentity?, site: (String, String)?) throws -> Data {
+    func jamfProAPIData(signingIdentity: SecIdentity?, site: (String, String)?) async throws -> Data {
         var profileText: String
         var profileData = try xmlData()
         if let identity = signingIdentity {
-            profileData = try SecurityWrapper.sign(data: profileData, using: identity)
+            profileData = try await SecurityWrapper.sign(data: profileData, using: identity)
         }
         profileText = String(data: profileData, encoding: .utf8) ?? ""
 
diff --git a/Source/Networking/UploadManager.swift b/Source/Networking/UploadManager.swift
index 71194ba..2ca5a25 100644
--- a/Source/Networking/UploadManager.swift
+++ b/Source/Networking/UploadManager.swift
@@ -56,7 +56,7 @@ struct UploadManager {
 			identity = signingIdentity.reference
 		}
 
-		let profileData = try profile.jamfProAPIData(signingIdentity: identity, site: siteInfo)
+		let profileData = try await profile.jamfProAPIData(signingIdentity: identity, site: siteInfo)
 
 		_ = try await networking.upload(computerConfigProfile: profileData)
 
diff --git a/Source/SecurityWrapper.swift b/Source/SecurityWrapper.swift
index 4f4e775..3960b1d 100644
--- a/Source/SecurityWrapper.swift
+++ b/Source/SecurityWrapper.swift
@@ -27,10 +27,13 @@
 
 import Foundation
 import Haversack
+import Security
+
+extension SecIdentity: @unchecked @retroactive Sendable {}
 
 struct SecurityWrapper {
 
-    static func execute(block: () -> (OSStatus)) throws {
+    nonisolated static func execute(block: () -> (OSStatus)) throws {
         let status = block()
         if status != 0 {
             throw NSError(domain: NSOSStatusErrorDomain, code: Int(status), userInfo: nil)
@@ -100,7 +103,7 @@ struct SecurityWrapper {
 		let haversack = Haversack()
 		let query = IdentityQuery().matching(mustBeValidOnDate: Date()).returning(.reference)
 
-		let identities = try haversack.search(where: query)
+		let identities = try await haversack.search(where: query)
 
 		return identities.compactMap {
 			guard let secIdentity = $0.reference else {
@@ -113,7 +116,7 @@ struct SecurityWrapper {
 		}
     }
 
-    static func getCertificateCommonName(for identity: SecIdentity) throws -> String {
+    nonisolated static func getCertificateCommonName(for identity: SecIdentity) throws -> String {
         var certificate: SecCertificate?
         var commonName: CFString?
         try execute { SecIdentityCopyCertificate(identity, &certificate) }
diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index 7dd9b9d..da9c97f 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -119,12 +119,12 @@ class SaveViewController: NSViewController {
 
     // swiftlint:disable:next block_based_kvo
     nonisolated override func observeValue(forKeyPath keyPath: String?, of object: Any?, change: [NSKeyValueChangeKey: Any]?, context: UnsafeMutableRawPointer?) {
-        MainActor.assumeIsolated {
-            if context == &SaveViewController.saveProfileKVOContext {
+        if context == &SaveViewController.saveProfileKVOContext {
+            MainActor.assumeIsolated {
                 updateIsReadyToSave()
-            } else {
-                super.observeValue(forKeyPath: keyPath, of: object, change: change, context: context)
             }
+        } else {
+            super.observeValue(forKeyPath: keyPath, of: object, change: change, context: context)
         }
     }
 

From 24d36a5500cff216f7931aee74e6af170e38227b Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 31 Mar 2026 12:18:37 -0500
Subject: [PATCH 17/53] create-separate story/JPCFM-5564 Fix code signing
 mistake

---
 PPPC Utility.xcodeproj/project.pbxproj | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 5d1b451..e916348 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -572,7 +572,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = 483DWKW443;
+				DEVELOPMENT_TEAM = "XPLDEEDNHE";
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -599,7 +599,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = 483DWKW443;
+				DEVELOPMENT_TEAM = "XPLDEEDNHE";
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -742,7 +742,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = 483DWKW443;
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				ENABLE_HARDENED_RUNTIME = NO;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -768,7 +768,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = 483DWKW443;
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (

From cf78ace64656e26d9365ca8ab49ed2a4a89599b2 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 31 Mar 2026 12:20:03 -0500
Subject: [PATCH 18/53] create-separate story/JPCFM-5564 Fix bad syntax in
 build settings

---
 PPPC Utility.xcodeproj/project.pbxproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index e916348..6b2735e 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -742,7 +742,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = "XPLDEEDNHE";
 				ENABLE_HARDENED_RUNTIME = NO;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -768,7 +768,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = XPLDEEDNHE;
+				DEVELOPMENT_TEAM = "XPLDEEDNHE";
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (

From 60390d533814e39b5ff74e5396477a8687e91983 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Tue, 31 Mar 2026 12:22:24 -0500
Subject: [PATCH 19/53] create-separate story/JPCFM-5564 Fix bad syntax in
 project settings for last time

---
 PPPC Utility.xcodeproj/project.pbxproj | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 6b2735e..94d7001 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -572,7 +572,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = "XPLDEEDNHE";
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -599,7 +599,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = "XPLDEEDNHE";
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				INFOPLIST_FILE = "PPPC UtilityTests/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -742,7 +742,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = "XPLDEEDNHE";
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				ENABLE_HARDENED_RUNTIME = NO;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -768,7 +768,7 @@
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = "XPLDEEDNHE";
+				DEVELOPMENT_TEAM = XPLDEEDNHE;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Resources/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (

From 2f85f1b61b3396ba190dfc3aacca38402eb47920 Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Wed, 1 Apr 2026 10:02:35 -0500
Subject: [PATCH 20/53] create-separate story/JPCFM-5564 Try to fix failing
 tests on GH PR

---
 Source/Model/Model.swift               | 4 +++-
 Source/Model/PPPCServicesManager.swift | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 3854d7f..2cb9a4f 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -31,7 +31,9 @@ import OSLog
 @objc class Model: NSObject {
 
     @objc dynamic var current: Executable?
-    @objc dynamic static let shared = Model()
+    @objc dynamic nonisolated(unsafe) static let shared: Model = {
+        MainActor.assumeIsolated { Model() }
+    }()
     @objc dynamic var identities: [SigningIdentity] = []
     @objc dynamic var selectedExecutables: [Executable] = []
 
diff --git a/Source/Model/PPPCServicesManager.swift b/Source/Model/PPPCServicesManager.swift
index 0f5306b..becd5b4 100644
--- a/Source/Model/PPPCServicesManager.swift
+++ b/Source/Model/PPPCServicesManager.swift
@@ -34,7 +34,9 @@ class PPPCServicesManager {
 
     let logger = Logger.PPPCServicesManager
 
-    static let shared = PPPCServicesManager()
+    nonisolated(unsafe) static let shared: PPPCServicesManager = {
+        MainActor.assumeIsolated { PPPCServicesManager() }
+    }()
 
     let allServices: [MDMServiceKey: PPPCServiceInfo]
 

From 2ed25d9de25907878ba3f2d007c2f58ed8cbcebb Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Wed, 1 Apr 2026 13:05:57 -0500
Subject: [PATCH 21/53] create-separate story/JPCFM-5564 Try to fix unit test
 check issue

---
 Source/Model/Model.swift               | 2 +-
 Source/Model/PPPCServicesManager.swift | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 2cb9a4f..525ffd7 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -28,7 +28,7 @@
 import Cocoa
 import OSLog
 
-@objc class Model: NSObject {
+@objc class Model: NSObject, @unchecked Sendable {
 
     @objc dynamic var current: Executable?
     @objc dynamic nonisolated(unsafe) static let shared: Model = {
diff --git a/Source/Model/PPPCServicesManager.swift b/Source/Model/PPPCServicesManager.swift
index becd5b4..fc22a61 100644
--- a/Source/Model/PPPCServicesManager.swift
+++ b/Source/Model/PPPCServicesManager.swift
@@ -28,7 +28,7 @@
 import Foundation
 import OSLog
 
-class PPPCServicesManager {
+class PPPCServicesManager: @unchecked Sendable {
 
     typealias MDMServiceKey = String
 

From 83f107dd24ddd0f25e48f52b7a48ff76745e557b Mon Sep 17 00:00:00 2001
From: JJ Pritzl <jj.pritzl@jamf.com>
Date: Wed, 1 Apr 2026 14:00:38 -0500
Subject: [PATCH 22/53] create-separate story/JPCFM-5564 Make actual change
 with the plan to fix Unit Test issues

---
 .../TCCProfileConfigurationPanel.swift        | 55 +++++++------------
 .../TCCProfileImporter.swift                  |  2 -
 .../TCCProfileViewController.swift            | 18 +++---
 Source/Views/Alert.swift                      |  2 +-
 4 files changed, 30 insertions(+), 47 deletions(-)

diff --git a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
index f2f00b9..e46f02b 100644
--- a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
+++ b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
@@ -30,40 +30,27 @@ import Foundation
 
 class TCCProfileConfigurationPanel {
     /// Load TCC Profile data from file
-     ///
-     /// - Parameters:
-     ///   - importer: The TCCProfileImporter to use
-     ///   - window: The window to present the open panel in
-     ///   - completion: Called with the result of the import
-    func loadTCCProfileFromFile(importer: TCCProfileImporter, window: NSWindow, _ completion: @escaping (TCCProfileImportResult) -> Void) {
-         let openPanel = NSOpenPanel.init()
-         openPanel.allowedFileTypes = ["mobileconfig", "plist"]
-         openPanel.allowsMultipleSelection = false
-         openPanel.canChooseDirectories = false
-         openPanel.canCreateDirectories = false
-         openPanel.canChooseFiles = true
-         openPanel.title = "Open TCCProfile File"
+    ///
+    /// - Parameters:
+    ///   - importer: The TCCProfileImporter to use
+    ///   - window: The window to present the open panel in
+    /// - Returns: The decoded TCCProfile, or nil if the user cancelled
+    func loadTCCProfileFromFile(importer: TCCProfileImporter, window: NSWindow) async throws -> TCCProfile? {
+        let openPanel = NSOpenPanel()
+        openPanel.allowedFileTypes = ["mobileconfig", "plist"]
+        openPanel.allowsMultipleSelection = false
+        openPanel.canChooseDirectories = false
+        openPanel.canCreateDirectories = false
+        openPanel.canChooseFiles = true
+        openPanel.title = "Open TCCProfile File"
 
-         openPanel.beginSheetModal(for: window) { (response) in
-             if response != .OK {
-                completion(.failure(.cancelled))
-             } else {
-                 if let result = openPanel.url {
-                     do {
-                         let tccProfile = try importer.decodeTCCProfile(fileUrl: result)
-                         completion(.success(tccProfile))
-                     } catch {
-                         if let importError = error as? TCCProfileImportError {
-                             completion(.failure(importError))
-                         } else {
-                             completion(.failure(.invalidProfileFile(description: error.localizedDescription)))
-                         }
-                     }
-                 } else {
-                     completion(.failure(TCCProfileImportError.unableToOpenFile))
-                 }
-             }
-         }
+        let response = await openPanel.beginSheetModal(for: window)
+        guard response == .OK else { return nil }
 
-     }
+        guard let fileUrl = openPanel.url else {
+            throw TCCProfileImportError.unableToOpenFile
+        }
+
+        return try importer.decodeTCCProfile(fileUrl: fileUrl)
+    }
 }
diff --git a/Source/TCCProfileImporter/TCCProfileImporter.swift b/Source/TCCProfileImporter/TCCProfileImporter.swift
index 3157d0d..6b61f49 100644
--- a/Source/TCCProfileImporter/TCCProfileImporter.swift
+++ b/Source/TCCProfileImporter/TCCProfileImporter.swift
@@ -27,8 +27,6 @@
 
 import Foundation
 
-typealias TCCProfileImportResult = Result<TCCProfile, TCCProfileImportError>
-
 /// Load tcc profiles
 public class TCCProfileImporter {
 
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 4d3378c..40862de 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -183,17 +183,15 @@ class TCCProfileViewController: NSViewController {
         let tccProfileImporter = TCCProfileImporter()
         let tccConfigPanel = TCCProfileConfigurationPanel()
 
-        tccConfigPanel.loadTCCProfileFromFile(importer: tccProfileImporter, window: window) { [weak self] tccProfileResult in
-            guard let weakSelf = self else { return }
-            switch tccProfileResult {
-            case .success(let tccProfile):
-                Task {
-                    await weakSelf.model.importProfile(tccProfile: tccProfile)
-                }
-            case .failure(let tccProfileImportError):
-                if !tccProfileImportError.isCancelled {
-                    weakSelf.showAlert(tccProfileImportError, for: window)
+        Task {
+            do {
+                if let tccProfile = try await tccConfigPanel.loadTCCProfileFromFile(importer: tccProfileImporter, window: window) {
+                    await model.importProfile(tccProfile: tccProfile)
                 }
+            } catch let error as TCCProfileImportError {
+                showAlert(error, for: window)
+            } catch {
+                showAlert(TCCProfileImportError.invalidProfileFile(description: error.localizedDescription), for: window)
             }
         }
     }
diff --git a/Source/Views/Alert.swift b/Source/Views/Alert.swift
index 956d26c..43e92fe 100644
--- a/Source/Views/Alert.swift
+++ b/Source/Views/Alert.swift
@@ -27,7 +27,7 @@
 
 import Cocoa
 
-class Alert: NSObject {
+class Alert {
     func display(header: String, message: String) {
         let dialog: NSAlert = NSAlert()
         dialog.messageText = header

From b3db45bfc55f1c62ae95f67d2c8136f80ba55acc Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 2 Apr 2026 16:36:50 -0500
Subject: [PATCH 23/53] removed some uneeded concurrency annotations

---
 PPPC UtilityTests/Helpers/ModelBuilder.swift | 1 -
 Source/Model/Model.swift                     | 4 ++--
 Source/Model/PPPCServicesManager.swift       | 4 ++--
 Source/SecurityWrapper.swift                 | 5 +----
 4 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/PPPC UtilityTests/Helpers/ModelBuilder.swift b/PPPC UtilityTests/Helpers/ModelBuilder.swift
index 7073724..30514ee 100644
--- a/PPPC UtilityTests/Helpers/ModelBuilder.swift	
+++ b/PPPC UtilityTests/Helpers/ModelBuilder.swift	
@@ -28,7 +28,6 @@ import Cocoa
 
 @testable import PPPC_Utility
 
-@MainActor
 class ModelBuilder {
 
     var model: Model
diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 1626db3..02035b2 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -28,10 +28,10 @@
 import Cocoa
 import OSLog
 
-@objc class Model: NSObject, @unchecked Sendable {
+@objc class Model: NSObject {
 
     @objc dynamic var current: Executable?
-    @objc dynamic nonisolated(unsafe) static let shared: Model = {
+    @objc dynamic static let shared: Model = {
         MainActor.assumeIsolated { Model() }
     }()
     @objc dynamic var identities: [SigningIdentity] = []
diff --git a/Source/Model/PPPCServicesManager.swift b/Source/Model/PPPCServicesManager.swift
index fc22a61..dca6ccf 100644
--- a/Source/Model/PPPCServicesManager.swift
+++ b/Source/Model/PPPCServicesManager.swift
@@ -28,13 +28,13 @@
 import Foundation
 import OSLog
 
-class PPPCServicesManager: @unchecked Sendable {
+class PPPCServicesManager {
 
     typealias MDMServiceKey = String
 
     let logger = Logger.PPPCServicesManager
 
-    nonisolated(unsafe) static let shared: PPPCServicesManager = {
+    static let shared: PPPCServicesManager = {
         MainActor.assumeIsolated { PPPCServicesManager() }
     }()
 
diff --git a/Source/SecurityWrapper.swift b/Source/SecurityWrapper.swift
index 7fd0a42..4fdc1ec 100644
--- a/Source/SecurityWrapper.swift
+++ b/Source/SecurityWrapper.swift
@@ -29,8 +29,6 @@ import Foundation
 import Haversack
 import Security
 
-extension SecIdentity: @unchecked @retroactive Sendable {}
-
 struct SecurityWrapper {
 
     nonisolated static func execute(block: () -> (OSStatus)) throws {
@@ -87,8 +85,7 @@ struct SecurityWrapper {
         return text! as String
     }
 
-    @concurrent static func sign(data: Data, using identity: SecIdentity) async throws -> Data {
-
+    static func sign(data: Data, using identity: SecIdentity) async throws -> Data {
         var outputData: CFData?
         var encoder: CMSEncoder?
         try execute { CMSEncoderCreate(&encoder) }

From 113fcadeb59177a549d7636174c13e6daa4136c7 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 2 Apr 2026 16:52:09 -0500
Subject: [PATCH 24/53] removed a couple more spots

---
 Source/Model/Model.swift               | 4 +---
 Source/Model/PPPCServicesManager.swift | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index 02035b2..a590d97 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -31,9 +31,7 @@ import OSLog
 @objc class Model: NSObject {
 
     @objc dynamic var current: Executable?
-    @objc dynamic static let shared: Model = {
-        MainActor.assumeIsolated { Model() }
-    }()
+    @objc dynamic static let shared = Model()
     @objc dynamic var identities: [SigningIdentity] = []
     @objc dynamic var selectedExecutables: [Executable] = []
 
diff --git a/Source/Model/PPPCServicesManager.swift b/Source/Model/PPPCServicesManager.swift
index dca6ccf..0f5306b 100644
--- a/Source/Model/PPPCServicesManager.swift
+++ b/Source/Model/PPPCServicesManager.swift
@@ -34,9 +34,7 @@ class PPPCServicesManager {
 
     let logger = Logger.PPPCServicesManager
 
-    static let shared: PPPCServicesManager = {
-        MainActor.assumeIsolated { PPPCServicesManager() }
-    }()
+    static let shared = PPPCServicesManager()
 
     let allServices: [MDMServiceKey: PPPCServiceInfo]
 

From 80f38ae0511f66e910eef50159270b97f012e41a Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <watkyn@gmail.com>
Date: Mon, 6 Apr 2026 11:02:54 -0500
Subject: [PATCH 25/53] Update Source/SwiftUI/UploadInfoView.swift

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 Source/SwiftUI/UploadInfoView.swift | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/SwiftUI/UploadInfoView.swift b/Source/SwiftUI/UploadInfoView.swift
index 19de944..0af1bcd 100644
--- a/Source/SwiftUI/UploadInfoView.swift
+++ b/Source/SwiftUI/UploadInfoView.swift
@@ -349,7 +349,7 @@ struct UploadInfoView: View {
                 authMgr: makeAuthManager(),
                 siteInfo: siteIdAndName,
                 signingIdentity: mustSign ? signingId : nil)
-            Alert().display(header: "Success", message: "Profile uploaded succesfully")
+            Alert().display(header: "Success", message: "Profile uploaded successfully")
             dismissView()
         } catch {
             warningInfo = error.localizedDescription

From 4ffc19ba050d9e002f7abc5d45b0bf2211c2e96f Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 11:32:31 -0500
Subject: [PATCH 26/53] code review changes

---
 PPPC Utility.xcodeproj/project.pbxproj        |  4 ++--
 .../NetworkAuthManagerTests.swift             | 20 +++++++++----------
 Source/Model/Model.swift                      |  1 -
 Source/Model/SigningIdentity.swift            |  8 ++++----
 Source/Networking/JamfProAPIClient.swift      |  4 ++--
 Source/Networking/NetworkAuthManager.swift    |  4 ++--
 Source/Networking/Networking.swift            |  2 +-
 Source/SecurityWrapper.swift                  |  1 +
 8 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 69780f1..80803ba 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -564,7 +564,7 @@
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Debug;
@@ -591,7 +591,7 @@
 				SWIFT_APPROACHABLE_CONCURRENCY = YES;
 				SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor;
 				SWIFT_STRICT_CONCURRENCY = complete;
-				SWIFT_VERSION = 5.0;
+				SWIFT_VERSION = 6.0;
 				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/PPPC Utility.app/Contents/MacOS/PPPC Utility";
 			};
 			name = Release;
diff --git a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift
index efa97e1..42b36e2 100644
--- a/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/NetworkAuthManagerTests.swift	
@@ -85,7 +85,7 @@ struct NetworkAuthManagerTests {
         networking.errorToThrow = NetworkingError.serverResponse(404, "No such page")
 
         // default is that bearer auth is supported.
-        let firstCheckBearerAuthSupported = authManager.bearerAuthSupported()
+        let firstCheckBearerAuthSupported = await authManager.bearerAuthSupported()
         #expect(firstCheckBearerAuthSupported)
 
         // when/then
@@ -94,7 +94,7 @@ struct NetworkAuthManagerTests {
         }
 
         // The authManager should now know that bearer auth is not supported
-        let secondCheckBearerAuthSupported = authManager.bearerAuthSupported()
+        let secondCheckBearerAuthSupported = await authManager.bearerAuthSupported()
         #expect(!secondCheckBearerAuthSupported)
     }
 
@@ -111,33 +111,33 @@ struct NetworkAuthManagerTests {
     }
 
     @Test
-    func basicAuthString() throws {
+    func basicAuthString() async throws {
         let authManager = NetworkAuthManager(username: "test", password: "none")
 
         // when
-        let actual = try authManager.basicAuthString()
+        let actual = try await authManager.basicAuthString()
 
         // then
         #expect(actual == "dGVzdDpub25l")
     }
 
     @Test
-    func basicAuthStringEmptyUsername() {
+    func basicAuthStringEmptyUsername() async throws {
         let authManager = NetworkAuthManager(username: "", password: "none")
 
         // when/then
-        #expect(throws: AuthError.invalidUsernamePassword) {
-            try authManager.basicAuthString()
+        await #expect(throws: AuthError.invalidUsernamePassword) {
+            try await authManager.basicAuthString()
         }
     }
 
     @Test
-    func basicAuthStringEmptyPassword() {
+    func basicAuthStringEmptyPassword() async throws {
         let authManager = NetworkAuthManager(username: "mine", password: "")
 
         // when/then
-        #expect(throws: AuthError.invalidUsernamePassword) {
-            try authManager.basicAuthString()
+        await #expect(throws: AuthError.invalidUsernamePassword) {
+            try await authManager.basicAuthString()
         }
     }
 }
diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index a590d97..fefaa3e 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -32,7 +32,6 @@ import OSLog
 
     @objc dynamic var current: Executable?
     @objc dynamic static let shared = Model()
-    @objc dynamic var identities: [SigningIdentity] = []
     @objc dynamic var selectedExecutables: [Executable] = []
 
     let logger = Logger.Model
diff --git a/Source/Model/SigningIdentity.swift b/Source/Model/SigningIdentity.swift
index 469412f..b8f7521 100644
--- a/Source/Model/SigningIdentity.swift
+++ b/Source/Model/SigningIdentity.swift
@@ -27,12 +27,12 @@
 
 import Cocoa
 
-class SigningIdentity: NSObject {
+nonisolated class SigningIdentity: NSObject {
 
-    @objc dynamic var displayName: String
-    nonisolated(unsafe) var reference: SecIdentity?
+    @objc dynamic let displayName: String
+    let reference: SecIdentity?
 
-    nonisolated init(name: String, reference: SecIdentity?) {
+    init(name: String, reference: SecIdentity?) {
         self.displayName = name
         self.reference = reference
         super.init()
diff --git a/Source/Networking/JamfProAPIClient.swift b/Source/Networking/JamfProAPIClient.swift
index 76dc3e2..99ac649 100644
--- a/Source/Networking/JamfProAPIClient.swift
+++ b/Source/Networking/JamfProAPIClient.swift
@@ -79,7 +79,7 @@ class JamfProAPIClient: Networking {
     func load<T: Decodable>(request: URLRequest) async throws -> T {
         let result: T
 
-        if authManager.bearerAuthSupported() {
+        if await authManager.bearerAuthSupported() {
             do {
                 result = try await loadBearerAuthorized(request: request)
             } catch AuthError.bearerAuthNotSupported {
@@ -100,7 +100,7 @@ class JamfProAPIClient: Networking {
     func send(request: URLRequest) async throws -> Data {
         let result: Data
 
-        if authManager.bearerAuthSupported() {
+        if await authManager.bearerAuthSupported() {
             do {
                 result = try await sendBearerAuthorized(request: request)
             } catch AuthError.bearerAuthNotSupported {
diff --git a/Source/Networking/NetworkAuthManager.swift b/Source/Networking/NetworkAuthManager.swift
index a939a90..20ac373 100644
--- a/Source/Networking/NetworkAuthManager.swift
+++ b/Source/Networking/NetworkAuthManager.swift
@@ -49,7 +49,7 @@ enum AuthenticationInfo {
 /// This class ensures that only one token refresh occurs at the same time.
 /// With MainActor default isolation, all types are MainActor by default,
 /// providing the same serialization that the actor previously offered.
-class NetworkAuthManager {
+actor NetworkAuthManager {
     private let authInfo: AuthenticationInfo
 
     private var currentToken: Token?
@@ -72,7 +72,7 @@ class NetworkAuthManager {
         }
 
         if let token = currentToken,
-            token.isValid
+            await token.isValid
         {
             return token
         }
diff --git a/Source/Networking/Networking.swift b/Source/Networking/Networking.swift
index 7c6b850..c881a3e 100644
--- a/Source/Networking/Networking.swift
+++ b/Source/Networking/Networking.swift
@@ -193,7 +193,7 @@ class Networking {
     /// - Parameter request: A URLRequest
     /// - Returns: The request with the bearer token added
     private func authorizeBasic(request: URLRequest) async throws -> URLRequest {
-        let basicValue = try authManager.basicAuthString()
+        let basicValue = try await authManager.basicAuthString()
         var newRequest = request
         newRequest.setValue("Basic \(basicValue)", forHTTPHeaderField: "Authorization")
         return newRequest
diff --git a/Source/SecurityWrapper.swift b/Source/SecurityWrapper.swift
index 4fdc1ec..1619c68 100644
--- a/Source/SecurityWrapper.swift
+++ b/Source/SecurityWrapper.swift
@@ -85,6 +85,7 @@ struct SecurityWrapper {
         return text! as String
     }
 
+    // TODO - add @concurrent after swift ui conversion
     static func sign(data: Data, using identity: SecIdentity) async throws -> Data {
         var outputData: CFData?
         var encoder: CMSEncoder?

From 25e2629e08418819afc63b717901a870fb2d25d1 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 11:56:24 -0500
Subject: [PATCH 27/53] put the apple events selection back onto the main queue

---
 Source/View Controllers/OpenViewController.swift | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index d9b0026..39d4771 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -51,8 +51,11 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
 
     func tableView(_ tableView: NSTableView, selectionIndexesForProposedSelection proposedSelectionIndexes: IndexSet) -> IndexSet {
         guard let index = proposedSelectionIndexes.first else { return proposedSelectionIndexes }
-        self.completionBlock?([.success(self.choices[index])])
-        self.dismiss(self)
+        // put the completion block on the MainActor queue and dismiss when done
+        Task {
+            self.completionBlock?([.success(self.choices[index])])
+            self.dismiss(self)
+        }
         return proposedSelectionIndexes
     }
 

From 798491d8ba781cca7def3c7d0ceede506c8a2edc Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 13:29:17 -0500
Subject: [PATCH 28/53] disabled the drop down until it is populated.

---
 Source/View Controllers/SaveViewController.swift | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index dc45cab..fd656fe 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -93,6 +93,7 @@ class SaveViewController: NSViewController {
     override func viewDidLoad() {
         super.viewDidLoad()
         payloadIdentifier = UUID().uuidString
+        identitiesPopUp.isEnabled = false
         Task {
             do {
                 var identities = try await SecurityWrapper.loadSigningIdentities()
@@ -101,6 +102,7 @@ class SaveViewController: NSViewController {
             } catch {
                 logger.error("Error loading identities: \(error)")
             }
+            identitiesPopUp.isEnabled = true
         }
 
         loadImportedTCCProfileInfo()

From cb0763aafed7ba55add34bfaa3a372a0c4acbce9 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 13:44:11 -0500
Subject: [PATCH 29/53] fixed the sizing issue of the save window

---
 Source/View Controllers/SaveViewController.swift | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index fd656fe..494dd29 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -92,8 +92,10 @@ class SaveViewController: NSViewController {
 
     override func viewDidLoad() {
         super.viewDidLoad()
+        preferredContentSize = NSSize(width: 502, height: 219)
         payloadIdentifier = UUID().uuidString
         identitiesPopUp.isEnabled = false
+        identitiesPopUp.setContentCompressionResistancePriority(.defaultLow, for: .horizontal)
         Task {
             do {
                 var identities = try await SecurityWrapper.loadSigningIdentities()

From 858bfe74c7cbcf724dac8bc09ef10963bd4f8b72 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 13:53:25 -0500
Subject: [PATCH 30/53] added width to the save prompt

---
 Resources/Base.lproj/Main.storyboard | 362 +++++++++++++--------------
 1 file changed, 181 insertions(+), 181 deletions(-)

diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index bd1a5b6..dd958a3 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.Storyboard.XIB" version="3.0" toolsVersion="23094" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" initialViewController="B8D-0N-5wS">
+<document type="com.apple.InterfaceBuilder3.Cocoa.Storyboard.XIB" version="3.0" toolsVersion="24765" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" initialViewController="B8D-0N-5wS">
     <dependencies>
         <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="23094"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="24765"/>
         <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <scenes>
@@ -706,7 +706,7 @@
                         <autoresizingMask key="autoresizingMask"/>
                         <subviews>
                             <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="96P-n0-YO3">
-                                <rect key="frame" x="232" y="684" width="1178" height="96"/>
+                                <rect key="frame" x="232" y="684" width="1294" height="96"/>
                                 <subviews>
                                     <imageView horizontalHuggingPriority="251" verticalHuggingPriority="251" translatesAutoresizingMaskIntoConstraints="NO" id="tCz-dw-VgH">
                                         <rect key="frame" x="0.0" y="0.0" width="96" height="96"/>
@@ -720,9 +720,9 @@
                                         </connections>
                                     </imageView>
                                     <stackView distribution="fill" orientation="vertical" alignment="leading" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="JSo-Ex-mKB">
-                                        <rect key="frame" x="104" y="9" width="1074" height="87"/>
+                                        <rect key="frame" x="104" y="9" width="1190" height="87"/>
                                         <subviews>
-                                            <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="4l7-bY-QUr">
+                                            <textField focusRingType="none" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="4l7-bY-QUr">
                                                 <rect key="frame" x="-2" y="58" width="211" height="29"/>
                                                 <textFieldCell key="cell" selectable="YES" enabled="NO" title="Application Name" id="dqC-k9-ijh">
                                                     <font key="font" metaFont="systemBold" size="25"/>
@@ -733,7 +733,7 @@
                                                     <binding destination="qId-iR-fmq" name="value" keyPath="selection.displayName" id="hRz-Pe-qTg"/>
                                                 </connections>
                                             </textField>
-                                            <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="psY-WF-7Yd">
+                                            <textField focusRingType="none" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="psY-WF-7Yd">
                                                 <rect key="frame" x="-2" y="36" width="338" height="14"/>
                                                 <textFieldCell key="cell" selectable="YES" title="com.example.something.really.long.which.is.somewhat.annoying" id="VMd-UN-MoF">
                                                     <font key="font" metaFont="systemLight" size="11"/>
@@ -744,8 +744,8 @@
                                                     <binding destination="qId-iR-fmq" name="value" keyPath="selection.identifier" id="aBh-Si-9Pd"/>
                                                 </connections>
                                             </textField>
-                                            <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="bEE-Oo-wyb">
-                                                <rect key="frame" x="-2" y="0.0" width="1063" height="28"/>
+                                            <textField focusRingType="none" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="bEE-Oo-wyb">
+                                                <rect key="frame" x="-2" y="0.0" width="1179" height="28"/>
                                                 <textFieldCell key="cell" truncatesLastVisibleLine="YES" selectable="YES" id="3f9-Xq-tJZ">
                                                     <font key="font" metaFont="systemLight" size="11"/>
                                                     <string key="title">identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
@@ -791,19 +791,19 @@
                                 </customSpacing>
                             </stackView>
                             <scrollView borderType="line" horizontalLineScroll="10" horizontalPageScroll="10" verticalLineScroll="10" verticalPageScroll="10" usesPredominantAxisScrolling="NO" translatesAutoresizingMaskIntoConstraints="NO" id="03S-CM-lPV">
-                                <rect key="frame" x="232" y="90" width="574" height="559"/>
+                                <rect key="frame" x="232" y="90" width="632" height="559"/>
                                 <clipView key="contentView" copiesOnScroll="NO" id="ziG-1X-dvc" customClass="FlippedClipView" customModule="PPPC_Utility" customModuleProvider="target">
-                                    <rect key="frame" x="1" y="1" width="572" height="557"/>
+                                    <rect key="frame" x="1" y="1" width="630" height="557"/>
                                     <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                                     <subviews>
                                         <stackView distribution="fill" orientation="vertical" alignment="leading" spacing="0.0" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="kz4-ht-2cC">
-                                            <rect key="frame" x="-226" y="-443" width="572" height="1000"/>
+                                            <rect key="frame" x="-280" y="-443" width="630" height="1000"/>
                                             <subviews>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ZGr-iF-K0I" userLabel="Accessibility Stack View">
-                                                    <rect key="frame" x="0.0" y="950" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="950" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bkw-k8-kxM">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bkw-k8-kxM">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Accessibility:" id="7g4-bu-8ad">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -811,10 +811,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="SEh-52-ueo">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="gnT-HC-9jQ" id="RH6-uh-B0i">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="Uw7-JY-FAM">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="gnT-HC-9jQ"/>
@@ -829,7 +829,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LCo-0b-3VH" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="xX5-Qm-Hbt">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -858,10 +858,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="xxW-i4-8Ul" userLabel="Admin Files Stack View">
-                                                    <rect key="frame" x="0.0" y="900" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="900" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YqG-2a-LjM">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YqG-2a-LjM">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Admin Files:" id="dZt-BP-e9Y">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -869,10 +869,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="PgW-Ff-mhx">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="dd4-ok-ZNg" id="b3m-j7-PsZ">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="c1w-K8-AC1">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="dd4-ok-ZNg"/>
@@ -887,7 +887,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pLo-RM-uFJ" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="ycO-Hz-ef1">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -916,10 +916,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="7Go-DV-ssf">
-                                                    <rect key="frame" x="0.0" y="850" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="850" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="nGq-tk-4FO">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="nGq-tk-4FO">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Calendars:" id="XMX-Bo-y4c">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -927,10 +927,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bSe-hT-Ah8">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="QYY-1f-X7h" id="hmE-fk-BwT">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="zie-xg-jr9">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="QYY-1f-X7h"/>
@@ -947,7 +947,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="tva-g6-iKu" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="cKG-aV-y4I">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -976,10 +976,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="LPV-zN-38T" userLabel="Camera Stack View">
-                                                    <rect key="frame" x="0.0" y="800" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="800" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="xmP-OB-ADb">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="xmP-OB-ADb">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Camera:" id="979-ZI-5SX">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -987,10 +987,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="X7j-DP-dKk">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="F7s-dB-ccu" id="oLo-5v-B40">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="WAk-jX-QZl">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="F7s-dB-ccu"/>
@@ -1004,7 +1004,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="K84-eC-N2o" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="Ygh-HU-Hd8">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1033,10 +1033,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="9iO-vL-Pwi" userLabel="Address Book Stack View">
-                                                    <rect key="frame" x="0.0" y="750" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="750" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="fwE-q7-wGs">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="fwE-q7-wGs">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Contacts:" id="LpH-qV-2cA">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1044,10 +1044,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="kIP-RZ-a35">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="jNh-R9-M22" id="uZP-tO-4EJ">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="NtA-4R-Glq">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="jNh-R9-M22"/>
@@ -1065,7 +1065,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="9ei-Pc-bwm" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="fdO-ZY-waE">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1095,10 +1095,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="HAW-s8-s0x">
-                                                    <rect key="frame" x="0.0" y="700" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="700" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="3DS-i5-rT9">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="3DS-i5-rT9">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Desktop Folder:" id="Fec-rg-Gn1">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1106,10 +1106,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="JIN-BO-Fp8">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="FMM-ro-V8b" id="VMH-px-qdz">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="bke-kF-sVp">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="FMM-ro-V8b"/>
@@ -1123,7 +1123,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="o2Q-LB-gdz" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="kBI-qQ-5K5">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1152,10 +1152,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pYo-Lq-NzH" userLabel="Documents Folder Stack View">
-                                                    <rect key="frame" x="0.0" y="650" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="650" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="sSA-ZV-lYH">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="sSA-ZV-lYH">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Documents Folder:" id="D0w-Hq-kpn">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1163,10 +1163,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YNV-Zn-1jp">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="PaS-xa-UD8" id="ulk-2T-V0g">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="cmF-eV-Cmk">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="PaS-xa-UD8"/>
@@ -1180,7 +1180,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="AWQ-jY-FwH" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="ISy-Xs-hDX">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1209,10 +1209,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="FlL-qy-KET">
-                                                    <rect key="frame" x="0.0" y="600" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="600" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="xMN-Jt-QPv">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="xMN-Jt-QPv">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Downloads Folder:" id="BNO-0A-q85">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1220,10 +1220,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="gXX-Zm-0bB">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="NIk-oX-DQf" id="6j7-Dt-umk">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="nVX-Zt-hyQ">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="NIk-oX-DQf"/>
@@ -1237,7 +1237,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="1Ve-3n-a7B" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="Dlw-02-OX0">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1266,10 +1266,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="woU-j8-E1d" userLabel="File Provider Stack View">
-                                                    <rect key="frame" x="0.0" y="550" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="550" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="99h-fH-EoJ">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="99h-fH-EoJ">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="File Provider:" id="zcl-kP-VRA">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1277,10 +1277,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lZv-w5-rrd">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="FIX-n3-lFP" id="0vX-YX-QTC">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="SK1-fH-Bqa">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="FIX-n3-lFP"/>
@@ -1294,7 +1294,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="dRq-MC-7oj" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="ctB-5D-aCL">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1323,10 +1323,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PKW-Wz-1vE">
-                                                    <rect key="frame" x="0.0" y="500" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="500" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="VVZ-4w-pac">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="VVZ-4w-pac">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Full Disk Access:" id="V29-FR-cfE">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1334,10 +1334,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="58v-wg-6Ru">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="mSA-L6-7QG" id="PMl-Ow-o0m">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="73Z-dX-dec">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="mSA-L6-7QG"/>
@@ -1352,7 +1352,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="URO-T0-544" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="TL1-WR-vaO">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1381,10 +1381,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="Law-1x-mbw">
-                                                    <rect key="frame" x="0.0" y="450" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="450" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2AH-a5-Lqb" userLabel="Input Monitoring:">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2AH-a5-Lqb" userLabel="Input Monitoring:">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Input Monitoring:" id="Ze0-2e-eEp" userLabel="Input Monitoring:">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1392,10 +1392,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ouS-wx-aBC">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="V86-LK-5LV" id="9DJ-7D-6AW">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="WO5-H6-1Om">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="V86-LK-5LV"/>
@@ -1409,7 +1409,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="mFT-P4-Kyb" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="6xj-pM-fzL">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1438,10 +1438,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ARp-oy-MF9" userLabel="Media Library Stack View">
-                                                    <rect key="frame" x="0.0" y="400" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="400" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="A89-LG-pOK">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="A89-LG-pOK">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Media Library:" id="4c9-rY-Uz6">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1449,10 +1449,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="n1N-Hx-bP6">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="4ie-PV-k4r" id="aQd-c0-COU">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="8ny-92-gMJ">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="4ie-PV-k4r"/>
@@ -1466,7 +1466,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="91q-Dn-Rxu" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="GLm-u3-5ib">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1495,10 +1495,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="gu9-0B-Z7P">
-                                                    <rect key="frame" x="0.0" y="350" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="350" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="0j7-Vk-jJg">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="0j7-Vk-jJg">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Microphone:" id="zOF-fr-IeZ">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1506,10 +1506,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="C7K-fV-5UL">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="8jN-pb-jTw" id="87t-Yf-7J1">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="0B4-rI-y49">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="8jN-pb-jTw"/>
@@ -1523,7 +1523,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="8Qr-Q4-FYc" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="QO6-6x-cc8">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1552,10 +1552,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="fWh-0P-IiR" userLabel="Network Volumes Stack View">
-                                                    <rect key="frame" x="0.0" y="300" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="300" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LHa-uF-1av">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LHa-uF-1av">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Network Volumes:" id="32o-b1-htW">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1563,10 +1563,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="uD1-1Z-8OR">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="Wlc-5b-ZH6" id="3Yo-n3-2Cq">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="Zdh-6Z-aoJ">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="Wlc-5b-ZH6"/>
@@ -1580,7 +1580,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="b55-kc-gGA" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="OxH-4z-VDn">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1609,10 +1609,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="Y7D-bh-b5J">
-                                                    <rect key="frame" x="0.0" y="250" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="250" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="alU-2I-Ju7">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="alU-2I-Ju7">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Photos:" id="7Vv-e5-aQo">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1620,10 +1620,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="VcX-fg-HsO">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="xHC-HW-yVt" id="6Us-f3-jyq">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="f2e-ke-Gdx">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="xHC-HW-yVt"/>
@@ -1638,7 +1638,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Q9j-J1-clR" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="x9V-Ag-6n6">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1667,10 +1667,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="M89-Vw-gT3">
-                                                    <rect key="frame" x="0.0" y="200" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="200" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="nZv-Mi-ER1">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="nZv-Mi-ER1">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Post Events:" id="foz-yP-g6I">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1678,10 +1678,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="EAK-oq-60p">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="49Y-CL-Jmr" id="BTV-ls-Zns">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="s8f-5D-Ikn">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="49Y-CL-Jmr"/>
@@ -1696,7 +1696,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="7Jz-IY-UoU" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="fh8-8D-vkU">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1725,10 +1725,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="fYW-uZ-C2b" userLabel="Reminders Stack View">
-                                                    <rect key="frame" x="0.0" y="150" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="150" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="UbP-7E-gab">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="UbP-7E-gab">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Reminders:" id="npq-nc-TUY">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1736,10 +1736,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="6su-LE-zAT">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="JMO-rX-lHD" id="Fk2-Us-Q2u">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="5ac-ZX-Xgu">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="JMO-rX-lHD"/>
@@ -1754,7 +1754,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="A1b-sQ-vR9" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="Ljv-l8-oye">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1783,10 +1783,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="vzO-oY-aP0">
-                                                    <rect key="frame" x="0.0" y="100" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="100" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Ddi-gN-7lS">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Ddi-gN-7lS">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Removable Volumes:" id="HZO-Vv-fHb">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1794,10 +1794,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="27r-Jg-Rxp">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="bLI-tr-vzf" id="ZxY-Qi-hwN">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="1Zc-3K-FoR">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="bLI-tr-vzf"/>
@@ -1811,7 +1811,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="tmm-2R-ETS" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="pr7-fl-X5A">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1840,10 +1840,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="kPv-Tl-c0b">
-                                                    <rect key="frame" x="0.0" y="50" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="50" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="o5Q-No-Cpy" userLabel="Screen Recording:">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="o5Q-No-Cpy" userLabel="Screen Recording:">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Screen Recording:" id="OZp-QI-a9L" userLabel="Screen Recording:">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1851,10 +1851,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="mSS-FZ-Sk0">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="4xV-9U-FNf" id="Oe4-s2-JcM">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="EDV-QM-1Fj">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="4xV-9U-FNf"/>
@@ -1868,7 +1868,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="36m-yh-kC6" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="R8E-jj-lfX">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -1897,10 +1897,10 @@
                                                     </customSpacing>
                                                 </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="thb-Gy-Auo" userLabel="Speech Recognition Stack View">
-                                                    <rect key="frame" x="0.0" y="0.0" width="572" height="50"/>
+                                                    <rect key="frame" x="0.0" y="0.0" width="630" height="50"/>
                                                     <subviews>
-                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="q76-IZ-qo2">
-                                                            <rect key="frame" x="8" y="17" width="315" height="16"/>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="q76-IZ-qo2">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
                                                             <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Speech Recognition:" id="N6t-0N-wFj">
                                                                 <font key="font" usesAppearanceFont="YES"/>
                                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -1908,10 +1908,10 @@
                                                             </textFieldCell>
                                                         </textField>
                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="0Bc-Aj-hsp">
-                                                            <rect key="frame" x="326" y="-4" width="212" height="55"/>
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
                                                             <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="gwx-us-L0W" id="Dx3-v9-nfb">
                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                <font key="font" metaFont="menu"/>
+                                                                <font key="font" metaFont="message"/>
                                                                 <menu key="menu" id="MAS-PQ-RQw">
                                                                     <items>
                                                                         <menuItem title="-" state="on" id="gwx-us-L0W"/>
@@ -1925,7 +1925,7 @@
                                                             </connections>
                                                         </popUpButton>
                                                         <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="B5K-Rg-tlf" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
-                                                            <rect key="frame" x="539" y="11" width="25" height="25"/>
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
                                                             <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="o7q-ij-eTY">
                                                                 <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                                                 <font key="font" metaFont="system"/>
@@ -2067,16 +2067,16 @@
                                     </constraints>
                                 </clipView>
                                 <scroller key="horizontalScroller" wantsLayer="YES" verticalHuggingPriority="750" horizontal="YES" id="KLE-vO-NH9">
-                                    <rect key="frame" x="1" y="542" width="572" height="16"/>
+                                    <rect key="frame" x="1" y="541" width="630" height="17"/>
                                     <autoresizingMask key="autoresizingMask"/>
                                 </scroller>
                                 <scroller key="verticalScroller" wantsLayer="YES" verticalHuggingPriority="750" doubleValue="0.99548532731376971" horizontal="NO" id="emx-h0-Wbi">
-                                    <rect key="frame" x="557" y="1" width="16" height="557"/>
+                                    <rect key="frame" x="614" y="1" width="17" height="557"/>
                                     <autoresizingMask key="autoresizingMask"/>
                                 </scroller>
                             </scrollView>
-                            <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="zBr-K2-oEH">
-                                <rect key="frame" x="819" y="654" width="99" height="19"/>
+                            <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="zBr-K2-oEH">
+                                <rect key="frame" x="877" y="654" width="99" height="19"/>
                                 <textFieldCell key="cell" lineBreakMode="clipping" title="Apple Events" id="5J4-U2-de8">
                                     <font key="font" metaFont="system" size="16"/>
                                     <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2084,13 +2084,13 @@
                                 </textFieldCell>
                             </textField>
                             <scrollView autohidesScrollers="YES" horizontalLineScroll="50" horizontalPageScroll="10" verticalLineScroll="50" verticalPageScroll="10" usesPredominantAxisScrolling="NO" translatesAutoresizingMaskIntoConstraints="NO" id="5hq-Rl-ues">
-                                <rect key="frame" x="821" y="90" width="574" height="559"/>
+                                <rect key="frame" x="879" y="90" width="632" height="559"/>
                                 <clipView key="contentView" id="8q0-zv-vzm">
-                                    <rect key="frame" x="1" y="1" width="572" height="557"/>
+                                    <rect key="frame" x="1" y="1" width="630" height="557"/>
                                     <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                                     <subviews>
                                         <tableView verticalHuggingPriority="750" allowsExpansionToolTips="YES" columnAutoresizingStyle="lastColumnOnly" alternatingRowBackgroundColors="YES" columnSelection="YES" multipleSelection="NO" autosaveColumns="NO" rowHeight="48" usesAutomaticRowHeights="YES" viewBased="YES" id="dDB-re-qJn">
-                                            <rect key="frame" x="0.0" y="0.0" width="572" height="557"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="630" height="557"/>
                                             <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                                             <size key="intercellSpacing" width="3" height="2"/>
                                             <color key="backgroundColor" name="controlBackgroundColor" catalog="System" colorSpace="catalog"/>
@@ -2128,8 +2128,8 @@
                                                                                 <binding destination="fZw-oC-AdH" name="valuePath" keyPath="objectValue.destination.iconPath" id="OfL-ve-mYI"/>
                                                                             </connections>
                                                                         </imageView>
-                                                                        <textField horizontalHuggingPriority="249" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="tgo-qF-wd4">
-                                                                            <rect key="frame" x="48" y="16" width="346" height="16"/>
+                                                                        <textField focusRingType="none" horizontalHuggingPriority="249" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="tgo-qF-wd4">
+                                                                            <rect key="frame" x="48" y="16" width="332" height="16"/>
                                                                             <textFieldCell key="cell" lineBreakMode="truncatingTail" sendsActionOnEndEditing="YES" title="Application Name" id="1aG-rv-2cX">
                                                                                 <font key="font" metaFont="system"/>
                                                                                 <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -2140,10 +2140,10 @@
                                                                             </connections>
                                                                         </textField>
                                                                         <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="FZk-Az-Hgy">
-                                                                            <rect key="frame" x="397" y="9" width="73" height="27"/>
+                                                                            <rect key="frame" x="386" y="13" width="80" height="22"/>
                                                                             <popUpButtonCell key="cell" type="push" title="Allow" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="Bu1-mf-M4Z" id="XDn-sQ-YyH">
                                                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                                                <font key="font" metaFont="menu"/>
+                                                                                <font key="font" metaFont="message"/>
                                                                                 <menu key="menu" id="bWX-zi-tfG">
                                                                                     <items>
                                                                                         <menuItem title="Allow" state="on" id="Bu1-mf-M4Z"/>
@@ -2204,7 +2204,7 @@
                                 </scroller>
                             </scrollView>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="wba-mI-3Kz">
-                                <rect key="frame" x="1321" y="13" width="78" height="32"/>
+                                <rect key="frame" x="1441" y="20" width="67" height="24"/>
                                 <buttonCell key="cell" type="push" title="Upload" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="r6T-OO-bYf">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2215,7 +2215,7 @@
                                 </connections>
                             </button>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Gwb-6x-mB1">
-                                <rect key="frame" x="1259" y="13" width="64" height="32"/>
+                                <rect key="frame" x="1375" y="20" width="54" height="24"/>
                                 <buttonCell key="cell" type="push" title="Save" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="ifp-GF-Tf3">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2225,7 +2225,7 @@
                                     <segue destination="mUH-Fz-fcT" kind="sheet" identifier="SaveSegue" id="Voo-Oy-5J9"/>
                                 </connections>
                             </button>
-                            <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="VBi-VJ-3w4">
+                            <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="VBi-VJ-3w4">
                                 <rect key="frame" x="18" y="770" width="94" height="19"/>
                                 <textFieldCell key="cell" lineBreakMode="clipping" title="Applications" id="hed-I6-UyM">
                                     <font key="font" metaFont="system" size="16"/>
@@ -2275,7 +2275,7 @@
                                                                                 <binding destination="tCx-7E-F20" name="valuePath" keyPath="objectValue.iconPath" id="NvO-WX-W3J"/>
                                                                             </connections>
                                                                         </imageView>
-                                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="jaN-VW-ctt">
+                                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="jaN-VW-ctt">
                                                                             <rect key="frame" x="54" y="16" width="116" height="16"/>
                                                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Application Name" id="kO0-5G-Fsl">
                                                                                 <font key="font" metaFont="systemSemibold" size="13"/>
@@ -2327,7 +2327,7 @@
                                 </scroller>
                             </scrollView>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="v8I-Mx-BrF">
-                                <rect key="frame" x="851" y="60" width="21" height="23"/>
+                                <rect key="frame" x="909" y="60" width="21" height="23"/>
                                 <buttonCell key="cell" type="smallSquare" bezelStyle="smallSquare" image="NSRemoveTemplate" imagePosition="only" alignment="center" lineBreakMode="truncatingTail" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="cb2-uy-Yd2">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2342,7 +2342,7 @@
                                 </connections>
                             </button>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="RsL-5g-N88">
-                                <rect key="frame" x="822" y="60" width="21" height="23"/>
+                                <rect key="frame" x="880" y="60" width="21" height="23"/>
                                 <buttonCell key="cell" type="smallSquare" bezelStyle="smallSquare" image="NSAddTemplate" imagePosition="only" alignment="center" lineBreakMode="truncatingTail" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uMZ-yT-Obu">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2389,8 +2389,8 @@
                                     <binding destination="qId-iR-fmq" name="enabled" keyPath="canRemove" id="Rc1-zx-BZh"/>
                                 </connections>
                             </button>
-                            <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="L3L-II-z9D">
-                                <rect key="frame" x="230" y="654" width="79" height="19"/>
+                            <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="L3L-II-z9D">
+                                <rect key="frame" x="230" y="656" width="79" height="19"/>
                                 <textFieldCell key="cell" lineBreakMode="clipping" title="Properties" id="BL7-a9-Wo0">
                                     <font key="font" metaFont="system" size="16"/>
                                     <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2398,7 +2398,7 @@
                                 </textFieldCell>
                             </textField>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="jIB-Ce-nfY">
-                                <rect key="frame" x="1187" y="13" width="74" height="32"/>
+                                <rect key="frame" x="1299" y="20" width="64" height="24"/>
                                 <buttonCell key="cell" type="push" title="Import" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="dRT-sQ-hbk">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2608,13 +2608,13 @@
                         <autoresizingMask key="autoresizingMask"/>
                         <subviews>
                             <scrollView autohidesScrollers="YES" horizontalLineScroll="54" horizontalPageScroll="10" verticalLineScroll="54" verticalPageScroll="10" usesPredominantAxisScrolling="NO" translatesAutoresizingMaskIntoConstraints="NO" id="7Zc-hD-hMa">
-                                <rect key="frame" x="20" y="60" width="200" height="172"/>
+                                <rect key="frame" x="20" y="64" width="200" height="168"/>
                                 <clipView key="contentView" id="hXm-WV-gAZ">
-                                    <rect key="frame" x="1" y="1" width="198" height="170"/>
+                                    <rect key="frame" x="1" y="1" width="198" height="166"/>
                                     <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                                     <subviews>
                                         <tableView verticalHuggingPriority="750" allowsExpansionToolTips="YES" columnAutoresizingStyle="lastColumnOnly" columnSelection="YES" multipleSelection="NO" autosaveColumns="NO" rowHeight="52" usesAutomaticRowHeights="YES" viewBased="YES" translatesAutoresizingMaskIntoConstraints="NO" id="xsX-cV-kEM">
-                                            <rect key="frame" x="0.0" y="0.0" width="198" height="170"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="198" height="166"/>
                                             <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                                             <size key="intercellSpacing" width="3" height="2"/>
                                             <color key="backgroundColor" name="controlBackgroundColor" catalog="System" colorSpace="catalog"/>
@@ -2651,7 +2651,7 @@
                                                                                 <binding destination="bpa-5L-1M7" name="valuePath" keyPath="objectValue.iconPath" id="pgh-Og-TrN"/>
                                                                             </connections>
                                                                         </imageView>
-                                                                        <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="5my-7G-rm8">
+                                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="5my-7G-rm8">
                                                                             <rect key="frame" x="56" y="16" width="94" height="16"/>
                                                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Label" drawsBackground="YES" id="1CA-OS-iQk">
                                                                                 <font key="font" metaFont="system"/>
@@ -2703,7 +2703,7 @@
                                 </scroller>
                             </scrollView>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="SmB-5N-3XB">
-                                <rect key="frame" x="86" y="13" width="69" height="32"/>
+                                <rect key="frame" x="91" y="20" width="58" height="24"/>
                                 <buttonCell key="cell" type="push" title="Other" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="AYs-bg-esG">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2741,11 +2741,11 @@
             <objects>
                 <viewController id="mUH-Fz-fcT" customClass="SaveViewController" customModule="PPPC_Utility" customModuleProvider="target" sceneMemberID="viewController">
                     <view key="view" id="GHe-gw-cy8">
-                        <rect key="frame" x="0.0" y="0.0" width="456" height="219"/>
+                        <rect key="frame" x="0.0" y="0.0" width="606" height="219"/>
                         <autoresizingMask key="autoresizingMask"/>
                         <subviews>
                             <gridView xPlacement="leading" yPlacement="center" rowAlignment="none" translatesAutoresizingMaskIntoConstraints="NO" id="nzc-6A-dLR">
-                                <rect key="frame" x="20" y="71" width="416" height="128"/>
+                                <rect key="frame" x="20" y="55" width="566" height="144"/>
                                 <rows>
                                     <gridRow id="uWb-yl-Q35"/>
                                     <gridRow id="ncF-JL-mkS"/>
@@ -2759,8 +2759,8 @@
                                 </columns>
                                 <gridCells>
                                     <gridCell row="uWb-yl-Q35" column="MPF-Dy-Gd7" id="GfZ-yg-Qqa">
-                                        <textField key="contentView" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="814-Sc-uVn">
-                                            <rect key="frame" x="67" y="110" width="85" height="16"/>
+                                        <textField key="contentView" focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="814-Sc-uVn">
+                                            <rect key="frame" x="67" y="124" width="85" height="16"/>
                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Organization:" id="kKi-ll-CDj">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2769,8 +2769,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="uWb-yl-Q35" column="I78-6Q-htl" id="AFj-pW-0ji">
-                                        <textField key="contentView" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="DgH-UC-Oeu">
-                                            <rect key="frame" x="156" y="107" width="100" height="21"/>
+                                        <textField key="contentView" focusRingType="none" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="DgH-UC-Oeu">
+                                            <rect key="frame" x="156" y="120" width="100" height="24"/>
                                             <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" editable="YES" sendsActionOnEndEditing="YES" borderStyle="bezel" placeholderString="[Required]" drawsBackground="YES" id="FSE-2M-iqw">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -2787,8 +2787,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="ncF-JL-mkS" column="MPF-Dy-Gd7" id="Oj8-k2-ZV9">
-                                        <textField key="contentView" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="5PX-dx-jxS">
-                                            <rect key="frame" x="57" y="83" width="95" height="16"/>
+                                        <textField key="contentView" focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="5PX-dx-jxS">
+                                            <rect key="frame" x="57" y="94" width="95" height="16"/>
                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Payload Name:" id="u1w-3i-iVa">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2797,8 +2797,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="ncF-JL-mkS" column="I78-6Q-htl" id="XuF-6e-pe6">
-                                        <textField key="contentView" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="JYG-Nv-gyj">
-                                            <rect key="frame" x="156" y="80" width="100" height="21"/>
+                                        <textField key="contentView" focusRingType="none" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="JYG-Nv-gyj">
+                                            <rect key="frame" x="156" y="90" width="100" height="24"/>
                                             <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" editable="YES" sendsActionOnEndEditing="YES" borderStyle="bezel" placeholderString="[Required]" drawsBackground="YES" id="hI3-zw-K3b">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -2815,8 +2815,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="anK-YG-RE2" column="MPF-Dy-Gd7" id="H0y-5c-Fza">
-                                        <textField key="contentView" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="CQK-0P-NNO">
-                                            <rect key="frame" x="39" y="56" width="113" height="16"/>
+                                        <textField key="contentView" focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="CQK-0P-NNO">
+                                            <rect key="frame" x="39" y="64" width="113" height="16"/>
                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Payload Identifier:" id="bC1-oo-3zr">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2825,8 +2825,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="anK-YG-RE2" column="I78-6Q-htl" id="nvw-7C-X1S">
-                                        <textField key="contentView" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="GTW-fT-DZB">
-                                            <rect key="frame" x="156" y="53" width="100" height="21"/>
+                                        <textField key="contentView" focusRingType="none" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="GTW-fT-DZB">
+                                            <rect key="frame" x="156" y="60" width="100" height="24"/>
                                             <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" editable="YES" sendsActionOnEndEditing="YES" borderStyle="bezel" placeholderString="[Required]" drawsBackground="YES" id="8mJ-SX-5c3">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -2843,8 +2843,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="JKz-Um-UfY" column="MPF-Dy-Gd7" id="y1g-S4-JIF">
-                                        <textField key="contentView" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2bg-vF-1kE">
-                                            <rect key="frame" x="23" y="29" width="129" height="16"/>
+                                        <textField key="contentView" focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2bg-vF-1kE">
+                                            <rect key="frame" x="23" y="34" width="129" height="16"/>
                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Payload Description:" id="R8v-nI-p3A">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2853,8 +2853,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="JKz-Um-UfY" column="I78-6Q-htl" id="Ebo-KD-J1E">
-                                        <textField key="contentView" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="bVy-mK-QH5">
-                                            <rect key="frame" x="156" y="26" width="100" height="21"/>
+                                        <textField key="contentView" focusRingType="none" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" translatesAutoresizingMaskIntoConstraints="NO" id="bVy-mK-QH5">
+                                            <rect key="frame" x="156" y="30" width="100" height="24"/>
                                             <textFieldCell key="cell" selectable="YES" editable="YES" sendsActionOnEndEditing="YES" state="on" borderStyle="bezel" placeholderString="[Optional]" drawsBackground="YES" id="5LP-Jc-x4g">
                                                 <font key="font" metaFont="system"/>
                                                 <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -2871,8 +2871,8 @@
                                         </textField>
                                     </gridCell>
                                     <gridCell row="2Zo-uz-1Pa" column="MPF-Dy-Gd7" id="Y0j-dM-cYd">
-                                        <textField key="contentView" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="upa-yi-Znr">
-                                            <rect key="frame" x="49" y="2" width="103" height="16"/>
+                                        <textField key="contentView" focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="upa-yi-Znr">
+                                            <rect key="frame" x="49" y="4" width="103" height="16"/>
                                             <textFieldCell key="cell" lineBreakMode="clipping" title="Signing Identity:" id="w3c-ve-uQm">
                                                 <font key="font" usesAppearanceFont="YES"/>
                                                 <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
@@ -2882,10 +2882,10 @@
                                     </gridCell>
                                     <gridCell row="2Zo-uz-1Pa" column="I78-6Q-htl" id="5Wp-oD-8Uh">
                                         <popUpButton key="contentView" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Hji-Sf-hXA">
-                                            <rect key="frame" x="153" y="-4" width="78" height="25"/>
+                                            <rect key="frame" x="156" y="0.0" width="86" height="24"/>
                                             <popUpButtonCell key="cell" type="push" title="Item 1" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="b7k-d6-Hiv" id="wjT-vR-DxF">
                                                 <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
-                                                <font key="font" metaFont="menu"/>
+                                                <font key="font" metaFont="message"/>
                                                 <menu key="menu" id="Afr-tz-KGm">
                                                     <items>
                                                         <menuItem title="Item 1" state="on" id="b7k-d6-Hiv"/>
@@ -2903,7 +2903,7 @@
                                 </gridCells>
                             </gridView>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="vNo-b7-akf">
-                                <rect key="frame" x="379" y="24" width="64" height="32"/>
+                                <rect key="frame" x="533" y="11" width="53" height="24"/>
                                 <buttonCell key="cell" type="push" title="Save" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="oOs-dR-fYN">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2914,7 +2914,7 @@
                                 </connections>
                             </button>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="zUM-41-dgp">
-                                <rect key="frame" x="13" y="24" width="76" height="32"/>
+                                <rect key="frame" x="20" y="11" width="66" height="24"/>
                                 <buttonCell key="cell" type="push" title="Cancel" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="mqk-9q-3AW">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2952,7 +2952,7 @@ Gw
                 </arrayController>
                 <userDefaultsController id="kfS-xo-ej2"/>
             </objects>
-            <point key="canvasLocation" x="1940" y="387"/>
+            <point key="canvasLocation" x="2015" y="386.5"/>
         </scene>
     </scenes>
     <resources>

From fdad5c6cf6ad613cd4fc727688eef6e49ad7aefc Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 14:05:26 -0500
Subject: [PATCH 31/53] changed sequence of model on save

---
 .../TCCProfileViewController.swift            | 34 +++++++++----------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 02f39d0..049bb02 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -204,25 +204,23 @@ class TCCProfileViewController: NSViewController {
         guard let window = self.view.window else {
             return
         }
-        panel.begin { response in
-            if response == .OK {
-                Task {
-                    for url in panel.urls {
-                        do {
-                            let executable = try await self.model.loadExecutable(url: url)
-                            guard self.shouldExecutableBeAdded(executable) else {
-                                let error = LoadExecutableError.executableAlreadyExists
-                                self.showAlert(error, for: window)
-                                continue
-                            }
-                            block(executable)
-                        } catch {
-                            if let loadError = error as? LoadExecutableError {
-                                self.showAlert(loadError, for: window)
-                            }
-                            self.logger.error("\(error)")
-                        }
+        Task {
+            let response = await panel.beginSheetModal(for: window)
+            guard response == .OK else { return }
+            for url in panel.urls {
+                do {
+                    let executable = try await self.model.loadExecutable(url: url)
+                    guard self.shouldExecutableBeAdded(executable) else {
+                        let error = LoadExecutableError.executableAlreadyExists
+                        self.showAlert(error, for: window)
+                        continue
+                    }
+                    block(executable)
+                } catch {
+                    if let loadError = error as? LoadExecutableError {
+                        self.showAlert(loadError, for: window)
                     }
+                    self.logger.error("\(error)")
                 }
             }
         }

From a3d38996146c2ee9390bf1b19756fefbe02d5c0f Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 14:08:43 -0500
Subject: [PATCH 32/53] reverted main story board

---
 Resources/Base.lproj/Main.storyboard | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index dd958a3..1edfeb1 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -2066,7 +2066,7 @@
                                         <constraint firstItem="kz4-ht-2cC" firstAttribute="top" secondItem="ziG-1X-dvc" secondAttribute="top" id="8KY-jy-tJT"/>
                                     </constraints>
                                 </clipView>
-                                <scroller key="horizontalScroller" wantsLayer="YES" verticalHuggingPriority="750" horizontal="YES" id="KLE-vO-NH9">
+                                <scroller key="horizontalScroller" wantsLayer="YES" verticalHuggingPriority="750" doubleValue="1" horizontal="YES" id="KLE-vO-NH9">
                                     <rect key="frame" x="1" y="541" width="630" height="17"/>
                                     <autoresizingMask key="autoresizingMask"/>
                                 </scroller>
@@ -2741,11 +2741,11 @@
             <objects>
                 <viewController id="mUH-Fz-fcT" customClass="SaveViewController" customModule="PPPC_Utility" customModuleProvider="target" sceneMemberID="viewController">
                     <view key="view" id="GHe-gw-cy8">
-                        <rect key="frame" x="0.0" y="0.0" width="606" height="219"/>
+                        <rect key="frame" x="0.0" y="0.0" width="456" height="219"/>
                         <autoresizingMask key="autoresizingMask"/>
                         <subviews>
                             <gridView xPlacement="leading" yPlacement="center" rowAlignment="none" translatesAutoresizingMaskIntoConstraints="NO" id="nzc-6A-dLR">
-                                <rect key="frame" x="20" y="55" width="566" height="144"/>
+                                <rect key="frame" x="20" y="55" width="416" height="144"/>
                                 <rows>
                                     <gridRow id="uWb-yl-Q35"/>
                                     <gridRow id="ncF-JL-mkS"/>
@@ -2903,7 +2903,7 @@
                                 </gridCells>
                             </gridView>
                             <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="vNo-b7-akf">
-                                <rect key="frame" x="533" y="11" width="53" height="24"/>
+                                <rect key="frame" x="383" y="11" width="53" height="24"/>
                                 <buttonCell key="cell" type="push" title="Save" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="oOs-dR-fYN">
                                     <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                                     <font key="font" metaFont="system"/>
@@ -2952,7 +2952,7 @@ Gw
                 </arrayController>
                 <userDefaultsController id="kfS-xo-ej2"/>
             </objects>
-            <point key="canvasLocation" x="2015" y="386.5"/>
+            <point key="canvasLocation" x="1940" y="387"/>
         </scene>
     </scenes>
     <resources>

From 83443d54ac16915abb7fd143c4a50eb29366e603 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 14:16:10 -0500
Subject: [PATCH 33/53] added timing check for apple events loading

---
 Resources/Base.lproj/Main.storyboard             | 1 +
 Source/View Controllers/OpenViewController.swift | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index 1edfeb1..5856c46 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -2724,6 +2724,7 @@
                     </view>
                     <connections>
                         <outlet property="choicesAC" destination="Ahp-qT-sFP" id="cbZ-HT-gsI"/>
+                        <outlet property="choicesTableView" destination="xsX-cV-kEM" id="tVw-8K-pL3"/>
                     </connections>
                 </viewController>
                 <customObject id="6QA-Al-Het" userLabel="First Responder" customClass="NSResponder" sceneMemberID="firstResponder"/>
diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index 39d4771..570747a 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -37,14 +37,17 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
     @objc dynamic var choices: [Executable] = []
 
     @IBOutlet var choicesAC: NSArrayController!
+    @IBOutlet weak var choicesTableView: NSTableView!
 
     override func viewWillAppear() {
         super.viewWillAppear()
         //  Reload executables
         current = Model.shared.current
+        choicesTableView.isEnabled = false
         if let value = current {
             Task {
                 choices = await Model.shared.getAppleEventChoices(executable: value)
+                choicesTableView.isEnabled = true
             }
         }
     }

From 52974025ab83683315dec69a38115d08b68724d2 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 14:46:41 -0500
Subject: [PATCH 34/53] reverted back to sync on the drag drop executables

---
 Source/Model/Model.swift                      | 12 +++---
 Source/SecurityWrapper.swift                  |  6 ++-
 .../View Controllers/OpenViewController.swift |  2 +-
 .../TCCProfileViewController.swift            | 41 +++++++++----------
 4 files changed, 32 insertions(+), 29 deletions(-)

diff --git a/Source/Model/Model.swift b/Source/Model/Model.swift
index fefaa3e..b87ac4f 100644
--- a/Source/Model/Model.swift
+++ b/Source/Model/Model.swift
@@ -40,19 +40,19 @@ import OSLog
         var executables: [Executable] = []
 
         do {
-            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")))
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/System Events.app")))
         } catch {
             self.logger.error("\(error)")
         }
 
         do {
-            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")))
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/SystemUIServer.app")))
         } catch {
             self.logger.error("\(error)")
         }
 
         do {
-            executables.append(try await loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")))
+            executables.append(try loadExecutable(url: URL(fileURLWithPath: "/System/Library/CoreServices/Finder.app")))
         } catch {
             self.logger.error("\(error)")
         }
@@ -80,7 +80,7 @@ typealias LoadExecutableResult = Result<Executable, LoadExecutableError>
 
 extension Model {
 
-    func loadExecutable(url: URL) async throws -> Executable {
+    func loadExecutable(url: URL) throws -> Executable {
         let executable = Executable()
 
         if let bundle = Bundle(url: url) {
@@ -99,7 +99,7 @@ extension Model {
         }
 
         do {
-            executable.codeRequirement = try await SecurityWrapper.copyDesignatedRequirement(url: url)
+            executable.codeRequirement = try SecurityWrapper.copyDesignatedRequirement(url: url)
             store[executable.identifier] = executable
             return executable
         } catch {
@@ -289,7 +289,7 @@ extension Model {
         }
 
         if let fileURL = urlToLoad {
-            return try await self.loadExecutable(url: fileURL)
+            return try self.loadExecutable(url: fileURL)
         }
         throw LoadExecutableError.executableNotFound
     }
diff --git a/Source/SecurityWrapper.swift b/Source/SecurityWrapper.swift
index 1619c68..b5c12ab 100644
--- a/Source/SecurityWrapper.swift
+++ b/Source/SecurityWrapper.swift
@@ -72,7 +72,11 @@ struct SecurityWrapper {
         return nil
     }
 
-    @concurrent static func copyDesignatedRequirement(url: URL) async throws -> String {
+    static func copyDesignatedRequirement(url: URL) throws -> String {
+        try _copyDesignatedRequirement(url: url)
+    }
+
+    private static func _copyDesignatedRequirement(url: URL) throws -> String {
         let flags = SecCSFlags(rawValue: 0)
         var staticCode: SecStaticCode?
         var requirement: SecRequirement?
diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index 570747a..6cebee5 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -74,7 +74,7 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
                     var selections: [LoadExecutableResult] = []
                     for url in panel.urls {
                         do {
-                            let executable = try await Model.shared.loadExecutable(url: url)
+                            let executable = try Model.shared.loadExecutable(url: url)
                             selections.append(.success(executable))
                         } catch {
                             if let loadError = error as? LoadExecutableError {
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 049bb02..a86ae52 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -209,7 +209,7 @@ class TCCProfileViewController: NSViewController {
             guard response == .OK else { return }
             for url in panel.urls {
                 do {
-                    let executable = try await self.model.loadExecutable(url: url)
+                    let executable = try self.model.loadExecutable(url: url)
                     guard self.shouldExecutableBeAdded(executable) else {
                         let error = LoadExecutableError.executableAlreadyExists
                         self.showAlert(error, for: window)
@@ -416,32 +416,31 @@ extension TCCProfileViewController: NSTableViewDataSource {
 
         guard let window = self.view.window else { return false }
 
-        guard let urls = urls, !urls.isEmpty else { return false }
-
-        Task {
-            for url in urls {
-                do {
-                    let newExecutable = try await model.loadExecutable(url: url)
-                    if tableView == self.executablesTable {
-                        guard self.executablesAC.canInsert else {
-                            continue
-                        }
-                        if self.shouldExecutableBeAdded(newExecutable) {
-                            self.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
-                        }
-                    } else {
-                        self.insertIntoAppleEvents(newExecutable)
+        var addedAny = false
+        urls?.forEach { url in
+            do {
+                let newExecutable = try model.loadExecutable(url: url)
+                if tableView == self.executablesTable {
+                    guard self.executablesAC.canInsert else {
+                        return
                     }
-                } catch {
-                    if let loadError = error as? LoadExecutableError {
-                        self.showAlert(loadError, for: window)
+                    if self.shouldExecutableBeAdded(newExecutable) {
+                        self.executablesAC.insert(newExecutable, atArrangedObjectIndex: row)
+                        addedAny = true
                     }
-                    self.logger.error("\(error)")
+                } else {
+                    self.insertIntoAppleEvents(newExecutable)
+                    addedAny = true
+                }
+            } catch {
+                if let loadError = error as? LoadExecutableError {
+                    self.showAlert(loadError, for: window)
                 }
+                self.logger.error("\(error)")
             }
         }
 
-        return true
+        return addedAny
     }
 
 }

From 9afcf295a2885dfd4d78a63d39430b43127c8935 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 14:53:15 -0500
Subject: [PATCH 35/53] try macos 26

---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d5d148e..f2aa4f7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: macos-latest
+    runs-on: macos-26
     steps:
       - uses: actions/checkout@v4
 

From ae6f8cef0676a473ffa77586614d609699ba461f Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 15:08:25 -0500
Subject: [PATCH 36/53] fixed the upload crashes

---
 .../View Controllers/TCCProfileViewController.swift | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index a86ae52..4a3c6a8 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -156,13 +156,14 @@ class TCCProfileViewController: NSViewController {
                 logger.error("Error loading identities: \(error.localizedDescription)")
             }
 
-            let uploadView = UploadInfoView(signingIdentities: identities) {
-                // Dismiss the sheet when the UploadInfoView decides it is done
-                if let controller = self.presentedViewControllers?.first {
-                    self.dismiss(controller)
-                }
+            weak var presentedController: NSViewController?
+            let uploadView = UploadInfoView(signingIdentities: identities) { [weak self] in
+                guard let self, let controller = presentedController else { return }
+                self.dismiss(controller)
             }
-            self.presentAsSheet(NSHostingController(rootView: uploadView))
+            let hostingController = NSHostingController(rootView: uploadView)
+            presentedController = hostingController
+            self.presentAsSheet(hostingController)
         }
     }
 

From ce768425284c543e6769dfab9072b12c3e6b2858 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Mon, 6 Apr 2026 16:34:11 -0500
Subject: [PATCH 37/53] claude plan 1

---
 docs/plans/test-coverage-expansion.md | 152 ++++++++++++++++++++++++++
 1 file changed, 152 insertions(+)
 create mode 100644 docs/plans/test-coverage-expansion.md

diff --git a/docs/plans/test-coverage-expansion.md b/docs/plans/test-coverage-expansion.md
new file mode 100644
index 0000000..f2a2460
--- /dev/null
+++ b/docs/plans/test-coverage-expansion.md
@@ -0,0 +1,152 @@
+# Test Coverage Expansion — Phased Plan
+
+## Context
+
+PPPC Utility has ~50 tests covering roughly 35–40% of production code. Coverage is strong for model import/export, profile serialization, token handling, and semantic versioning, but zero coverage exists for:
+- Pure logic in `Executable`, `Policy`, `TCCPolicy`, `JamfProVersion`, and the `Array` extension
+- HTTP response handling and error paths in `Networking`
+- `JamfProAPIClient` endpoints beyond the OAuth request body
+- The `UploadManager` connection-verification and upload workflow
+- `TCCProfile.jamfProAPIData` XML structure
+
+The goal is to close these gaps in four small, independently reviewable pull requests, progressing from zero-dependency unit tests up to component tests that mock only the network edge.
+
+**Honest coverage estimate after all 4 phases: ~55–65%.** See "Remaining gaps" at the bottom.
+
+---
+
+## Phase 1 — Pure Unit Tests
+
+**Branch:** `test/phase-1-unit-tests`
+**No production code changes.**
+
+### New files
+| File | What it tests |
+|------|---------------|
+| `PPPC UtilityTests/ModelTests/ExecutableTests.swift` | `generateDisplayName` (bundle ID, path, single component); `generateIconPath` (path vs bundle); `Policy.allPolicyValues()` — 20 values, all default `"-"` |
+| `PPPC UtilityTests/ModelTests/TCCPolicyTests.swift` | `identifierType` and `receiverIdentifierType` auto-detection in `TCCPolicy.init` |
+| `PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift` | `appendIfNew` — appends new, skips duplicate, works on empty array |
+| `PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift` | `mainVersionInfo()` suffix stripping; `semantic()` component parsing; `init(fromHTMLString:)` success + nil/no tag/malformed failure cases |
+
+### Key source under test
+- `Source/Model/Executable.swift` — `generateDisplayName`, `generateIconPath`, `Policy.allPolicyValues`
+- `Source/Model/TCCProfile.swift` — `TCCPolicy.init` identifier type detection
+- `Source/Extensions/ArrayExtensions.swift` — `appendIfNew`
+- `Source/Networking/JamfProAPITypes.swift` — `JamfProVersion` parsing
+
+### Verification
+```
+xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS"
+```
+All new test files build and pass. No new compiler warnings.
+
+---
+
+## Phase 2 — URLSession Injection + Mock Infrastructure
+
+**Branch:** `test/phase-2-urlsession-injection`
+**Production changes only — no new tests.**
+
+### Production changes
+| File | Change |
+|------|--------|
+| `Source/Networking/Networking.swift` | Add `session: URLSession = .shared` to `init`; replace all `URLSession.shared.data(for:)` call sites with `session.data(for:)` |
+| `Source/Networking/JamfProAPIClient.swift` | Replace `URLSession.shared.data(for: simpleRequest)` in the HTML version fallback with `session.data(for: simpleRequest)` |
+| `Source/Networking/UploadManager.swift` | Add `session: URLSession = .shared` to `init`; pass `session` when constructing `JamfProAPIClient` (2 call sites) |
+
+### New test helper
+| File | What it provides |
+|------|-----------------|
+| `PPPC UtilityTests/Helpers/MockURLProtocol.swift` | `MockURLProtocol: URLProtocol` with static `requestHandler`; `URLSession.mock(handler:)` factory method; `HTTPURLResponse.ok(url:)` and `.status(_:url:)` convenience helpers |
+
+### Verification
+Build succeeds, all existing 50 tests still pass, no new warnings. No behavioral change — `URLSession.shared` remains the default for all production paths.
+
+---
+
+## Phase 3 — Networking & JamfProAPIClient Tests
+
+**Branch:** `test/phase-3-networking-tests`
+**Depends on Phase 2.**
+
+### New / expanded files
+| File | What it tests |
+|------|---------------|
+| `PPPC UtilityTests/NetworkingTests/NetworkingTests.swift` | `url(forEndpoint:)` URL construction; `badServerUrl` error on invalid URL; `loadPreAuthorized` — 401 → `invalidUsernamePassword`, 500 → `serverResponse(500)`, 200 → decodes value; `loadBearerAuthorized` — 401 triggers refresh and retry, second 401 → `invalidToken`; `sendBearerAuthorized` / `sendBasicAuthorized` response handling |
+| `PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift` | Expand existing suite: `getJamfProVersion` JSON path; `getJamfProVersion` HTML fallback when API returns 404; `getOrganizationName` JSON decoding; `getBearerToken` basic auth path; `getBearerToken` client credentials path; `load()` bearer→basic fallback when token endpoint returns 404 |
+
+### Key source under test
+- `Source/Networking/Networking.swift` — `url(forEndpoint:)`, `loadPreAuthorized`, `loadBearerAuthorized`, `sendBearerAuthorized`, `sendBasicAuthorized`
+- `Source/Networking/JamfProAPIClient.swift` — `getJamfProVersion`, `getOrganizationName`, `getBearerToken`, `load()`
+
+### Verification
+Run tests. All new tests pass with no real network calls.
+
+---
+
+## Phase 4 — UploadManager & TCCProfile XML Tests
+
+**Branch:** `test/phase-4-component-tests`
+**Depends on Phase 2.**
+
+### New / expanded files
+| File | What it tests |
+|------|---------------|
+| `PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift` | `verifyConnection`: version ≥ 10.7.1 → `mustSign=false`; version < 10.7.1 → `mustSign=true`; 401 → `anyError("Invalid credentials.")`; 500 → `anyError("Jamf Pro server is unavailable.")`; `upload`: no site → no `<site>` in XML; with site → correct `<site><id>…</id><name>…</name></site>` block |
+| `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift` | Expand existing suite: `jamfProAPIData(site: nil)` has no `<site>`; `jamfProAPIData(site:)` has correct site block; `<general>`, `<payloads>`, `<name>`, `<description>` all present |
+
+### Key source under test
+- `Source/Networking/UploadManager.swift` — `verifyConnection`, `upload`
+- `Source/Model/TCCProfile.swift` — `jamfProAPIData`
+
+### MockURLProtocol dispatch pattern for UploadManager tests
+```swift
+MockURLProtocol.requestHandler = { request in
+    let path = request.url?.path ?? ""
+    if path.hasSuffix("auth/token")               { return (tokenResponse, tokenJSON) }
+    if path.contains("jamf-pro-version")           { return (ok, versionJSON) }
+    if path.contains("activationcode")             { return (ok, orgJSON) }
+    if path.hasSuffix("osxconfigurationprofiles")  { capturedBody = request.httpBody; return (ok, Data()) }
+    throw URLError(.badURL)
+}
+```
+
+### Verification
+Run tests. All new tests pass with no real network or Security framework calls.
+
+---
+
+## Files touched across all phases
+
+```
+Source/Networking/Networking.swift                              (Phase 2)
+Source/Networking/JamfProAPIClient.swift                        (Phase 2)
+Source/Networking/UploadManager.swift                           (Phase 2)
+PPPC UtilityTests/Helpers/MockURLProtocol.swift                 (Phase 2, new)
+PPPC UtilityTests/ModelTests/ExecutableTests.swift              (Phase 1, new)
+PPPC UtilityTests/ModelTests/TCCPolicyTests.swift               (Phase 1, new)
+PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift      (Phase 1, new)
+PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift     (Phase 1, new)
+PPPC UtilityTests/NetworkingTests/NetworkingTests.swift         (Phase 3, new)
+PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift   (Phase 3, expand)
+PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift      (Phase 4, new)
+PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift (Phase 4, expand)
+```
+
+---
+
+## Remaining gaps after all 4 phases (~35–45% uncovered)
+
+### Doable with more test work
+- `NetworkAuthManager` concurrent refresh de-duplication (`if let task = refreshTask` path)
+- `Model.fallbackIconPath` switch (`.app`, `.bundle`/`.xpc`, unknown extension)
+- `LoadExecutableError` / `TCCProfileImportError` localized descriptions
+
+### Hard without Security framework mocking
+- `SecurityWrapper` (entire file) — keychain CRUD, CMS signing, `copyDesignatedRequirement`, `loadSigningIdentities`
+- `Model.loadExecutable(url:)` — calls `SecurityWrapper.copyDesignatedRequirement`
+- `Model.getAppleEventChoices()` — loads real system apps from disk
+
+### Impractical for unit tests
+- View controllers (`TCCProfileViewController`, `SaveViewController`, `OpenViewController`) — AppKit bindings and file panels
+- `UploadInfoView` — SwiftUI UI layer

From 9c788a3d47e16e577d6c39aa4ff1f53124a6f1b3 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Tue, 7 Apr 2026 11:03:28 -0500
Subject: [PATCH 38/53] updated plan and claude.md

---
 CLAUDE.md                             |  1 +
 docs/plans/test-coverage-expansion.md | 32 ++++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 3606719..dbedfb8 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -14,5 +14,6 @@
   ```
   xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
   ```
+- Test mocks must be parallel-safe. For URLProtocol mocks, use a per-session handler registry keyed by a unique session ID (e.g., a request header), with thread-safe storage and teardown reset; do not rely on a single static handler when tests can run in parallel.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
 - Beyond 3 params: create separate tests with some values hard-coded
diff --git a/docs/plans/test-coverage-expansion.md b/docs/plans/test-coverage-expansion.md
index f2a2460..fcc9db9 100644
--- a/docs/plans/test-coverage-expansion.md
+++ b/docs/plans/test-coverage-expansion.md
@@ -13,6 +13,26 @@ The goal is to close these gaps in four small, independently reviewable pull req
 
 **Honest coverage estimate after all 4 phases: ~55–65%.** See "Remaining gaps" at the bottom.
 
+## Quality gates (apply to every phase)
+
+1. **Warning baseline:** Capture compiler warnings before and after, and verify no new warnings are introduced:
+   ```
+   xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
+   ```
+2. **Coverage measurement:** Always save a result bundle and report target coverage from it:
+   ```
+   xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -resultBundlePath "build/TestResults.xcresult"
+   xcrun xccov view --report --only-targets "build/TestResults.xcresult"
+   ```
+   Capture a baseline before each phase and compare after.
+
+## Testing conventions
+
+- Follow Swift Testing conventions for this repo (`@Test`/`@Suite` on their own line, `// when` + `// then` comments only).
+- Avoid string-equality checks on localized error messages; assert error types/codes instead.
+- For XML, assert presence/absence of specific nodes via parsing, not full-string equality.
+- Mock URLProtocol must be parallel-safe by default: use a per-session handler registry keyed by a unique session ID (e.g., request header), with thread-safe storage and teardown reset. Each test uses its own `URLSessionConfiguration` with its own session ID.
+
 ---
 
 ## Phase 1 — Pure Unit Tests
@@ -45,7 +65,7 @@ All new test files build and pass. No new compiler warnings.
 ## Phase 2 — URLSession Injection + Mock Infrastructure
 
 **Branch:** `test/phase-2-urlsession-injection`
-**Production changes only — no new tests.**
+**Production changes plus minimal test coverage for the new injection seam.**
 
 ### Production changes
 | File | Change |
@@ -53,11 +73,13 @@ All new test files build and pass. No new compiler warnings.
 | `Source/Networking/Networking.swift` | Add `session: URLSession = .shared` to `init`; replace all `URLSession.shared.data(for:)` call sites with `session.data(for:)` |
 | `Source/Networking/JamfProAPIClient.swift` | Replace `URLSession.shared.data(for: simpleRequest)` in the HTML version fallback with `session.data(for: simpleRequest)` |
 | `Source/Networking/UploadManager.swift` | Add `session: URLSession = .shared` to `init`; pass `session` when constructing `JamfProAPIClient` (2 call sites) |
+| _Optional if needed_ | If `UploadManager` calls `SecurityWrapper` directly, introduce a small injectable signing abstraction with a default implementation that delegates to `SecurityWrapper` so tests can bypass Security calls. |
 
 ### New test helper
 | File | What it provides |
 |------|-----------------|
-| `PPPC UtilityTests/Helpers/MockURLProtocol.swift` | `MockURLProtocol: URLProtocol` with static `requestHandler`; `URLSession.mock(handler:)` factory method; `HTTPURLResponse.ok(url:)` and `.status(_:url:)` convenience helpers |
+| `PPPC UtilityTests/Helpers/MockURLProtocol.swift` | `MockURLProtocol: URLProtocol` with per-session handler registry keyed by a unique session ID header; thread-safe storage; `URLSession.mock(handler:)` creates an isolated session; `MockURLProtocol.reset()` for teardown; `HTTPURLResponse.ok(url:)` and `.status(_:url:)` helpers |
+| `PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift` | Minimal test proving injected `URLSession` is used and handlers are isolated per session (parallel-safe). |
 
 ### Verification
 Build succeeds, all existing 50 tests still pass, no new warnings. No behavioral change — `URLSession.shared` remains the default for all production paths.
@@ -80,7 +102,7 @@ Build succeeds, all existing 50 tests still pass, no new warnings. No behavioral
 - `Source/Networking/JamfProAPIClient.swift` — `getJamfProVersion`, `getOrganizationName`, `getBearerToken`, `load()`
 
 ### Verification
-Run tests. All new tests pass with no real network calls.
+Run tests. All new tests pass with no real network calls. Error assertions use error types/codes, not localized message strings.
 
 ---
 
@@ -92,8 +114,8 @@ Run tests. All new tests pass with no real network calls.
 ### New / expanded files
 | File | What it tests |
 |------|---------------|
-| `PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift` | `verifyConnection`: version ≥ 10.7.1 → `mustSign=false`; version < 10.7.1 → `mustSign=true`; 401 → `anyError("Invalid credentials.")`; 500 → `anyError("Jamf Pro server is unavailable.")`; `upload`: no site → no `<site>` in XML; with site → correct `<site><id>…</id><name>…</name></site>` block |
-| `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift` | Expand existing suite: `jamfProAPIData(site: nil)` has no `<site>`; `jamfProAPIData(site:)` has correct site block; `<general>`, `<payloads>`, `<name>`, `<description>` all present |
+| `PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift` | `verifyConnection`: version ≥ 10.7.1 → `mustSign=false`; version < 10.7.1 → `mustSign=true`; 401 → `invalidUsernamePassword` (type/code); 500 → `serverResponse(500)` (type/code); `upload`: no site → no `<site>` in XML; with site → correct `<site><id>…</id><name>…</name></site>` block |
+| `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift` | Expand existing suite: `jamfProAPIData(site: nil)` has no `<site>`; `jamfProAPIData(site:)` has correct site block; `<general>`, `<payloads>`, `<name>`, `<description>` all present (assert via XML parsing) |
 
 ### Key source under test
 - `Source/Networking/UploadManager.swift` — `verifyConnection`, `upload`

From ec07808db4d41602272ea4ed8e2558bd459c13ec Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Tue, 7 Apr 2026 11:36:22 -0500
Subject: [PATCH 39/53] added some simple unit test coverage that was missing

---
 CLAUDE.md                                     |  1 +
 PPPC Utility.xcodeproj/project.pbxproj        | 25 +++++
 .../ExtensionTests/ArrayExtensionTests.swift  | 67 +++++++++++++
 .../ModelTests/ExecutableTests.swift          | 93 +++++++++++++++++++
 PPPC UtilityTests/ModelTests/ModelTests.swift | 20 ++--
 .../ModelTests/PPPCServicesManagerTests.swift |  8 +-
 .../ModelTests/TCCPolicyTests.swift           | 66 +++++++++++++
 .../NetworkingTests/JamfProVersionTests.swift | 83 +++++++++++++++++
 docs/plans/test-coverage-expansion.md         |  5 +-
 9 files changed, 351 insertions(+), 17 deletions(-)
 create mode 100644 PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift
 create mode 100644 PPPC UtilityTests/ModelTests/ExecutableTests.swift
 create mode 100644 PPPC UtilityTests/ModelTests/TCCPolicyTests.swift
 create mode 100644 PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift

diff --git a/CLAUDE.md b/CLAUDE.md
index dbedfb8..2da9ce2 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -15,5 +15,6 @@
   xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
   ```
 - Test mocks must be parallel-safe. For URLProtocol mocks, use a per-session handler registry keyed by a unique session ID (e.g., a request header), with thread-safe storage and teardown reset; do not rely on a single static handler when tests can run in parallel.
+- Avoid snake_case in test names (e.g., `generateDisplayName_bundleIdentifier`). If a name is getting long, use a Trait with a sentence-style description instead.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
 - Beyond 3 params: create separate tests with some values hard-coded
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 80803ba..3758651 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -7,9 +7,12 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		09614BF857C294E1E344298C /* TCCPolicyTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */; };
+		1E57D2CD1B0B3602E7FD9806 /* JamfProVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 47A216936077FDD709470D77 /* JamfProVersionTests.swift */; };
 		345B01D623FDBF55008838B6 /* TCCProfileExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */; };
 		34DED4D423FDCAFD00C53FB9 /* SwiftyCMSDecoder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F95AE1523158F03002E0A22 /* SwiftyCMSDecoder.swift */; };
 		34DED4D623FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */; };
+		4FCF90441F48EF3AAAD465A9 /* ExecutableTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 15C8454BE335603AE6B55049 /* ExecutableTests.swift */; };
 		5901A2772534DF1400A1CD2F /* ModelBuilder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5901A2762534DF1400A1CD2F /* ModelBuilder.swift */; };
 		59206D6925265F0C00B94795 /* TCCProfileTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 59206D6825265F0C00B94795 /* TCCProfileTests.swift */; };
 		59798B82252D16310070A204 /* TCCProfileBuilder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 59798B81252D16310070A204 /* TCCProfileBuilder.swift */; };
@@ -59,6 +62,7 @@
 		C0EE9A7D28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt in Resources */ = {isa = PBXBuildFile; fileRef = C0EE9A7C28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt */; };
 		C0EE9A7F2863BDE300738B6B /* JamfProAPITypes.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */; };
 		C0EE9A812863BE2B00738B6B /* NetworkAuthManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */; };
+		D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -72,8 +76,11 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
+		0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = ArrayExtensionTests.swift; path = ArrayExtensionTests.swift; sourceTree = "<group>"; };
+		15C8454BE335603AE6B55049 /* ExecutableTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = ExecutableTests.swift; path = ExecutableTests.swift; sourceTree = "<group>"; };
 		345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileExtensions.swift; sourceTree = "<group>"; };
 		34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileConfigurationPanel.swift; sourceTree = "<group>"; };
+		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = JamfProVersionTests.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
 		5901A2762534DF1400A1CD2F /* ModelBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelBuilder.swift; sourceTree = "<group>"; };
 		59206D6825265F0C00B94795 /* TCCProfileTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileTests.swift; sourceTree = "<group>"; };
 		59798B81252D16310070A204 /* TCCProfileBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileBuilder.swift; sourceTree = "<group>"; };
@@ -130,6 +137,7 @@
 		C0EE9A7C28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = TestTCCProfileForJamfProAPI.txt; sourceTree = "<group>"; };
 		C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPITypes.swift; sourceTree = "<group>"; };
 		C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = NetworkAuthManager.swift; sourceTree = "<group>"; };
+		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = TCCPolicyTests.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -151,6 +159,15 @@
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
+		566844CF7F499F04774BB73F /* ExtensionTests */ = {
+			isa = PBXGroup;
+			children = (
+				0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */,
+			);
+			name = ExtensionTests;
+			path = ExtensionTests;
+			sourceTree = "<group>";
+		};
 		5901A2752534DEFF00A1CD2F /* Helpers */ = {
 			isa = PBXGroup;
 			children = (
@@ -176,6 +193,8 @@
 				5F90EBE32319992B00738D09 /* ModelTests.swift */,
 				C0E0384327A30D6B00A23FA2 /* PPPCServicesManagerTests.swift */,
 				C01BEDB928636F57001B0B3B /* SemanticVersionTests.swift */,
+				15C8454BE335603AE6B55049 /* ExecutableTests.swift */,
+				DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */,
 			);
 			path = ModelTests;
 			sourceTree = "<group>";
@@ -207,6 +226,7 @@
 				5F95AE272315B069002E0A22 /* TCCProfileImporterTests */,
 				C07961E028749A36007B98A7 /* NetworkingTests */,
 				5F95AE1F2315A6AD002E0A22 /* Info.plist */,
+				566844CF7F499F04774BB73F /* ExtensionTests */,
 			);
 			path = "PPPC UtilityTests";
 			sourceTree = "<group>";
@@ -340,6 +360,7 @@
 				C0A2B5412B1A5D5C0007F510 /* JamfProAPIClientTests.swift */,
 				C07961E328749A51007B98A7 /* NetworkAuthManagerTests.swift */,
 				C07961E128749A36007B98A7 /* TokenTests.swift */,
+				47A216936077FDD709470D77 /* JamfProVersionTests.swift */,
 			);
 			path = NetworkingTests;
 			sourceTree = "<group>";
@@ -478,6 +499,10 @@
 				59798B82252D16310070A204 /* TCCProfileBuilder.swift in Sources */,
 				5F90EBE42319992B00738D09 /* ModelTests.swift in Sources */,
 				C0E0384427A30D6B00A23FA2 /* PPPCServicesManagerTests.swift in Sources */,
+				4FCF90441F48EF3AAAD465A9 /* ExecutableTests.swift in Sources */,
+				09614BF857C294E1E344298C /* TCCPolicyTests.swift in Sources */,
+				1E57D2CD1B0B3602E7FD9806 /* JamfProVersionTests.swift in Sources */,
+				D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift b/PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift
new file mode 100644
index 0000000..851b00f
--- /dev/null
+++ b/PPPC UtilityTests/ExtensionTests/ArrayExtensionTests.swift	
@@ -0,0 +1,67 @@
+//
+//  ArrayExtensionTests.swift
+//  PPPC UtilityTests
+//
+//  MIT License
+//
+//  Copyright (c) 2026 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+@Suite
+struct ArrayExtensionTests {
+    @Test("appendIfNew appends when item is missing")
+    func appendIfNewAppendsWhenMissing() {
+        var values = [1, 2]
+
+        // when
+        values.appendIfNew(3)
+
+        // then
+        #expect(values == [1, 2, 3])
+    }
+
+    @Test("appendIfNew skips duplicates")
+    func appendIfNewSkipsDuplicates() {
+        var values = [1, 2]
+
+        // when
+        values.appendIfNew(2)
+
+        // then
+        #expect(values == [1, 2])
+    }
+
+    @Test("appendIfNew works on empty array")
+    func appendIfNewEmptyArray() {
+        var values: [Int] = []
+
+        // when
+        values.appendIfNew(1)
+
+        // then
+        #expect(values == [1])
+    }
+}
diff --git a/PPPC UtilityTests/ModelTests/ExecutableTests.swift b/PPPC UtilityTests/ModelTests/ExecutableTests.swift
new file mode 100644
index 0000000..045e771
--- /dev/null
+++ b/PPPC UtilityTests/ModelTests/ExecutableTests.swift	
@@ -0,0 +1,93 @@
+//
+//  ExecutableTests.swift
+//  PPPC UtilityTests
+//
+//  MIT License
+//
+//  Copyright (c) 2026 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+@Suite
+struct ExecutableTests {
+    let executable = Executable()
+
+    @Test("Display name uses last component of bundle identifier")
+    func generateDisplayNameBundleIdentifier() {
+        // when
+        let displayName = executable.generateDisplayName(identifier: "com.example.MyApp")
+
+        // then
+        #expect(displayName == "MyApp")
+    }
+
+    @Test("Display name uses last component of path identifier")
+    func generateDisplayNamePathIdentifier() {
+        // when
+        let displayName = executable.generateDisplayName(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
+
+        // then
+        #expect(displayName == "Terminal")
+    }
+
+    @Test("Display name returns identifier when single component")
+    func generateDisplayNameSingleComponent() {
+        // when
+        let displayName = executable.generateDisplayName(identifier: "Terminal")
+
+        // then
+        #expect(displayName == "Terminal")
+    }
+
+    @Test("Icon path is application for bundle identifier")
+    func generateIconPathForBundleIdentifier() {
+        // when
+        let iconPath = executable.generateIconPath(identifier: "com.example.MyApp")
+
+        // then
+        #expect(iconPath == IconFilePath.application)
+    }
+
+    @Test("Icon path is binary for path identifier")
+    func generateIconPathForPathIdentifier() {
+        // when
+        let iconPath = executable.generateIconPath(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
+
+        // then
+        #expect(iconPath == IconFilePath.binary)
+    }
+
+    @Test("All policy values default to dash")
+    func allPolicyValuesAreDefaults() {
+        let policy = Policy()
+
+        // when
+        let values = policy.allPolicyValues()
+
+        // then
+        #expect(values.count == 20)
+        #expect(values.allSatisfy { $0 == "-" })
+    }
+}
diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index c2ad6f1..b81732c 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -37,8 +37,8 @@ struct ModelTests {
 
     // MARK: - tests for getExecutableFrom*
 
-    @Test
-    func getExecutableBasedOnIdentifierAndCodeRequirement_BundleIdentifierType() async {
+    @Test("Get executable from identifier uses bundle identifier type")
+    func getExecutableUsesBundleIdentifierType() async {
         let identifier = "com.example.App"
         let codeRequirement = "testCodeRequirement"
 
@@ -51,8 +51,8 @@ struct ModelTests {
         #expect(executable.iconPath == IconFilePath.application)
     }
 
-    @Test
-    func getExecutableBasedOnIdentifierAndCodeRequirement_PathIdentifierType() async {
+    @Test("Get executable from identifier uses path identifier type")
+    func getExecutableUsesPathIdentifierType() async {
         let identifier = "/myGreatPath/Awesome/Binary"
         let codeRequirement = "testCodeRequirement"
 
@@ -65,7 +65,7 @@ struct ModelTests {
         #expect(executable.iconPath == IconFilePath.binary)
     }
 
-    @Test
+    @Test("Get executable from computer based on identifier")
     func getExecutableFromComputerBasedOnIdentifier() async {
         let identifier = "com.apple.Safari"
         let codeRequirement = "randomReq"
@@ -79,7 +79,7 @@ struct ModelTests {
         #expect(executable.codeRequirement != codeRequirement)
     }
 
-    @Test
+    @Test("Get executable from selected executables by bundle ID")
     func getExecutableFromSelectedExecutables() async {
         let expectedIdentifier = "com.something.1"
         let executable = await model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
@@ -96,8 +96,8 @@ struct ModelTests {
         #expect(existingExecutable?.iconPath == IconFilePath.application)
     }
 
-    @Test
-    func getExecutableFromSelectedExecutables_Path() async {
+    @Test("Get executable from selected executables by path")
+    func getExecutableFromSelectedExecutablesWithPath() async {
         let expectedIdentifier = "/path/something/Special"
         let executableOneMore = await model.getExecutableFrom(identifier: "/path/something/Special1", codeRequirement: "testReq")
         let executable = await model.getExecutableFrom(identifier: expectedIdentifier, codeRequirement: "testReq")
@@ -114,8 +114,8 @@ struct ModelTests {
         #expect(existingExecutable?.iconPath == IconFilePath.binary)
     }
 
-    @Test
-    func getExecutableFromSelectedExecutables_Empty() {
+    @Test("Get executable from selected executables returns nil when empty")
+    func getExecutableFromSelectedExecutablesEmpty() {
         // when
         let existingExecutable = model.getExecutableFromSelectedExecutables(bundleIdentifier: "com.something.1")
 
diff --git a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift
index ca8bf7e..864a987 100644
--- a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
+++ b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
@@ -42,8 +42,8 @@ struct PPPCServicesManagerTests {
         #expect(actual.allServices.count == 21)
     }
 
-    @Test
-    func userHelp_withEntitlements() throws {
+    @Test("User help with entitlements")
+    func userHelpWithEntitlements() throws {
         let services = PPPCServicesManager()
         let service = try #require(services.allServices["Camera"])
 
@@ -57,8 +57,8 @@ struct PPPCServicesManagerTests {
         )
     }
 
-    @Test
-    func userHelp_withoutEntitlements() throws {
+    @Test("User help without entitlements")
+    func userHelpWithoutEntitlements() throws {
         let services = PPPCServicesManager()
         let service = try #require(services.allServices["ScreenCapture"])
 
diff --git a/PPPC UtilityTests/ModelTests/TCCPolicyTests.swift b/PPPC UtilityTests/ModelTests/TCCPolicyTests.swift
new file mode 100644
index 0000000..9c57a3d
--- /dev/null
+++ b/PPPC UtilityTests/ModelTests/TCCPolicyTests.swift	
@@ -0,0 +1,66 @@
+//
+//  TCCPolicyTests.swift
+//  PPPC UtilityTests
+//
+//  MIT License
+//
+//  Copyright (c) 2026 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+@Suite
+struct TCCPolicyTests {
+    @Test("Identifier type is bundleID for bundle identifier")
+    func identifierTypeBundleID() {
+        // when
+        let policy = TCCPolicy(identifier: "com.example.App", codeRequirement: "req")
+
+        // then
+        #expect(policy.identifierType == .bundleID)
+        #expect(policy.receiverIdentifierType == nil)
+    }
+
+    @Test("Identifier type is path for path identifier")
+    func identifierTypePath() {
+        // when
+        let policy = TCCPolicy(identifier: "/Applications/App.app/Contents/MacOS/App", codeRequirement: "req")
+
+        // then
+        #expect(policy.identifierType == .path)
+    }
+
+    @Test("Receiver identifier type is auto-detected")
+    func receiverIdentifierTypeDetected() {
+        // when
+        let policy = TCCPolicy(
+            identifier: "com.example.Source",
+            codeRequirement: "sourceReq",
+            receiverIdentifier: "/Applications/Target.app/Contents/MacOS/Target",
+            receiverCodeRequirement: "targetReq")
+
+        // then
+        #expect(policy.receiverIdentifierType == .path)
+    }
+}
diff --git a/PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift b/PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift
new file mode 100644
index 0000000..dabc0a0
--- /dev/null
+++ b/PPPC UtilityTests/NetworkingTests/JamfProVersionTests.swift	
@@ -0,0 +1,83 @@
+//
+//  JamfProVersionTests.swift
+//  PPPC UtilityTests
+//
+//  MIT License
+//
+//  Copyright (c) 2026 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+@Suite
+struct JamfProVersionTests {
+    @Test("mainVersionInfo strips non-numeric suffix")
+    func mainVersionInfoStripsSuffix() throws {
+        let data = Data("{\"version\":\"10.7.1-b123\"}".utf8)
+        let version = try JSONDecoder().decode(JamfProVersion.self, from: data)
+
+        // when
+        let main = version.mainVersionInfo()
+
+        // then
+        #expect(main == "10.7.1")
+    }
+
+    @Test("semantic parses major, minor, and patch components")
+    func semanticParsesComponents() throws {
+        let data = Data("{\"version\":\"10.7.1-b123\"}".utf8)
+        let version = try JSONDecoder().decode(JamfProVersion.self, from: data)
+
+        // when
+        let semantic = version.semantic()
+
+        // then
+        #expect(semantic == SemanticVersion(major: 10, minor: 7, patch: 1))
+    }
+
+    @Test("Init from HTML string parses valid version")
+    func initFromHTMLStringParsesVersion() throws {
+        let html = "<html><head><meta name=\"version\" content=\"10.7.1-123\"></head></html>"
+
+        // when
+        let parsed = try JamfProVersion(fromHTMLString: html)
+
+        // then
+        #expect(parsed.version == "10.7.1")
+    }
+
+    @Test("Init from HTML string throws on nil, missing tag, or malformed version")
+    func initFromHTMLStringThrowsOnMissingOrMalformed() {
+        // when/then
+        #expect(throws: NSError.self) {
+            _ = try JamfProVersion(fromHTMLString: nil)
+        }
+        #expect(throws: NSError.self) {
+            _ = try JamfProVersion(fromHTMLString: "<html></html>")
+        }
+        #expect(throws: NSError.self) {
+            _ = try JamfProVersion(fromHTMLString: "<meta name=\"version\" content=\"10.7-123\">")
+        }
+    }
+}
diff --git a/docs/plans/test-coverage-expansion.md b/docs/plans/test-coverage-expansion.md
index fcc9db9..72affda 100644
--- a/docs/plans/test-coverage-expansion.md
+++ b/docs/plans/test-coverage-expansion.md
@@ -19,12 +19,12 @@ The goal is to close these gaps in four small, independently reviewable pull req
    ```
    xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
    ```
-2. **Coverage measurement:** Always save a result bundle and report target coverage from it:
+2. **Coverage measurement:** Always save a result bundle and report target coverage from it (exclude external packages like Haversack when summarizing):
    ```
    xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -resultBundlePath "build/TestResults.xcresult"
    xcrun xccov view --report --only-targets "build/TestResults.xcresult"
    ```
-   Capture a baseline before each phase and compare after.
+   Capture a baseline before each phase and compare after. Always include the warning baseline output and the filtered coverage report summary in the phase update.
 
 ## Testing conventions
 
@@ -73,7 +73,6 @@ All new test files build and pass. No new compiler warnings.
 | `Source/Networking/Networking.swift` | Add `session: URLSession = .shared` to `init`; replace all `URLSession.shared.data(for:)` call sites with `session.data(for:)` |
 | `Source/Networking/JamfProAPIClient.swift` | Replace `URLSession.shared.data(for: simpleRequest)` in the HTML version fallback with `session.data(for: simpleRequest)` |
 | `Source/Networking/UploadManager.swift` | Add `session: URLSession = .shared` to `init`; pass `session` when constructing `JamfProAPIClient` (2 call sites) |
-| _Optional if needed_ | If `UploadManager` calls `SecurityWrapper` directly, introduce a small injectable signing abstraction with a default implementation that delegates to `SecurityWrapper` so tests can bypass Security calls. |
 
 ### New test helper
 | File | What it provides |

From fe62ac04e4205fa5d6c78a803bcff11d22c53aa6 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Tue, 7 Apr 2026 14:32:38 -0500
Subject: [PATCH 40/53] Phase 2: URLSession injection + MockURLProtocol
 infrastructure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Production changes:
- Networking.swift: Add session:URLSession parameter (default .shared),
  replace all 5 URLSession.shared calls with injected session
- JamfProAPIClient.swift: Replace URLSession.shared in HTML version
  fallback with inherited session property
- UploadManager.swift: Add session:URLSession parameter, pass through
  to JamfProAPIClient constructors

Test infrastructure:
- MockURLProtocol: Simple URLProtocol subclass with single static
  requestHandler, URLSession.mock(handler:) convenience, and
  HTTPURLResponse.ok/status helpers
- MockURLProtocolTests: 3 tests verifying interception, error status
  codes, and reset behavior (.serialized suite)

Convention updates:
- CLAUDE.md: Add 'always use Swift Concurrency' rule, update mock
  convention to serialized suites with simple static handler
- docs/plans: Matching updates to Phase 2 & 4 descriptions

No behavioral change — URLSession.shared remains the default for all
production paths. 69 tests pass, no new compiler warnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 CLAUDE.md                                     |   3 +-
 PPPC Utility.xcodeproj/project.pbxproj        |   8 ++
 .../Helpers/MockURLProtocol.swift             | 104 ++++++++++++++++++
 .../MockURLProtocolTests.swift                |  89 +++++++++++++++
 Source/Networking/JamfProAPIClient.swift      |   2 +-
 Source/Networking/Networking.swift            |  14 ++-
 Source/Networking/UploadManager.swift         |  10 +-
 docs/plans/test-coverage-expansion.md         |   9 +-
 8 files changed, 225 insertions(+), 14 deletions(-)
 create mode 100644 PPPC UtilityTests/Helpers/MockURLProtocol.swift
 create mode 100644 PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift

diff --git a/CLAUDE.md b/CLAUDE.md
index 2da9ce2..e645474 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -3,6 +3,7 @@
 ## Swift Concurrency
 
 - `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor` is set on both app and test targets — don't add explicit `@MainActor` to production code or test structs/functions, it's already the default
+- Always use Swift Concurrency (actors, async/await, Sendable) — avoid locks, mutexes, or other low-level synchronization
 
 ## Swift Testing Conventions
 
@@ -14,7 +15,7 @@
   ```
   xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
   ```
-- Test mocks must be parallel-safe. For URLProtocol mocks, use a per-session handler registry keyed by a unique session ID (e.g., a request header), with thread-safe storage and teardown reset; do not rely on a single static handler when tests can run in parallel.
+- Network test suites use `.serialized` trait. `MockURLProtocol` uses a simple single static handler — no per-session registry needed.
 - Avoid snake_case in test names (e.g., `generateDisplayName_bundleIdentifier`). If a name is getting long, use a Trait with a sentence-style description instead.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
 - Beyond 3 params: create separate tests with some values hard-coded
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 3758651..89877a9 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -12,6 +12,7 @@
 		345B01D623FDBF55008838B6 /* TCCProfileExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */; };
 		34DED4D423FDCAFD00C53FB9 /* SwiftyCMSDecoder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F95AE1523158F03002E0A22 /* SwiftyCMSDecoder.swift */; };
 		34DED4D623FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */; };
+		47F24E408CC42F176BD97CA5 /* MockURLProtocol.swift in Sources */ = {isa = PBXBuildFile; fileRef = F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */; };
 		4FCF90441F48EF3AAAD465A9 /* ExecutableTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 15C8454BE335603AE6B55049 /* ExecutableTests.swift */; };
 		5901A2772534DF1400A1CD2F /* ModelBuilder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5901A2762534DF1400A1CD2F /* ModelBuilder.swift */; };
 		59206D6925265F0C00B94795 /* TCCProfileTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 59206D6825265F0C00B94795 /* TCCProfileTests.swift */; };
@@ -42,6 +43,7 @@
 		6EC40A1C214EF87800BE4F17 /* SigningIdentity.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6EC40A1B214EF87800BE4F17 /* SigningIdentity.swift */; };
 		71061E54246106C800822D35 /* LoadExecutableError.swift in Sources */ = {isa = PBXBuildFile; fileRef = 71061E53246106C800822D35 /* LoadExecutableError.swift */; };
 		A149C78D2CC68FBF00E0789E /* LoggerExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A149C78C2CC68FA100E0789E /* LoggerExtensions.swift */; };
+		A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */; };
 		B5E09548250BCCFC00A40409 /* Alert.swift in Sources */ = {isa = PBXBuildFile; fileRef = B5E09547250BCCFC00A40409 /* Alert.swift */; };
 		C01BEDBA28636F57001B0B3B /* SemanticVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C01BEDB928636F57001B0B3B /* SemanticVersionTests.swift */; };
 		C03270BA28636330008B38E0 /* SemanticVersion.swift in Sources */ = {isa = PBXBuildFile; fileRef = C03270B928636330008B38E0 /* SemanticVersion.swift */; };
@@ -81,6 +83,7 @@
 		345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileExtensions.swift; sourceTree = "<group>"; };
 		34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileConfigurationPanel.swift; sourceTree = "<group>"; };
 		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = JamfProVersionTests.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
+		5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocolTests.swift; sourceTree = "<group>"; };
 		5901A2762534DF1400A1CD2F /* ModelBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelBuilder.swift; sourceTree = "<group>"; };
 		59206D6825265F0C00B94795 /* TCCProfileTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileTests.swift; sourceTree = "<group>"; };
 		59798B81252D16310070A204 /* TCCProfileBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileBuilder.swift; sourceTree = "<group>"; };
@@ -138,6 +141,7 @@
 		C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPITypes.swift; sourceTree = "<group>"; };
 		C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = NetworkAuthManager.swift; sourceTree = "<group>"; };
 		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = TCCPolicyTests.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
+		F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -173,6 +177,7 @@
 			children = (
 				59798B81252D16310070A204 /* TCCProfileBuilder.swift */,
 				5901A2762534DF1400A1CD2F /* ModelBuilder.swift */,
+				F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */,
 			);
 			path = Helpers;
 			sourceTree = "<group>";
@@ -361,6 +366,7 @@
 				C07961E328749A51007B98A7 /* NetworkAuthManagerTests.swift */,
 				C07961E128749A36007B98A7 /* TokenTests.swift */,
 				47A216936077FDD709470D77 /* JamfProVersionTests.swift */,
+				5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */,
 			);
 			path = NetworkingTests;
 			sourceTree = "<group>";
@@ -503,6 +509,8 @@
 				09614BF857C294E1E344298C /* TCCPolicyTests.swift in Sources */,
 				1E57D2CD1B0B3602E7FD9806 /* JamfProVersionTests.swift in Sources */,
 				D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */,
+				47F24E408CC42F176BD97CA5 /* MockURLProtocol.swift in Sources */,
+				A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/PPPC UtilityTests/Helpers/MockURLProtocol.swift b/PPPC UtilityTests/Helpers/MockURLProtocol.swift
new file mode 100644
index 0000000..243dec2
--- /dev/null
+++ b/PPPC UtilityTests/Helpers/MockURLProtocol.swift	
@@ -0,0 +1,104 @@
+//
+//  MockURLProtocol.swift
+//
+//  MIT License
+//
+//  Copyright (c) 2023 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Foundation
+
+/// A `URLProtocol` subclass that intercepts requests and returns responses from a static handler.
+///
+/// Test suites using this must apply the `.serialized` trait to avoid handler conflicts.
+final class MockURLProtocol: URLProtocol, @unchecked Sendable {
+    typealias RequestHandler = @Sendable (URLRequest) throws -> (HTTPURLResponse, Data)
+
+    /// Set this before each test to control the mock response.
+    nonisolated(unsafe) static var requestHandler: RequestHandler?
+
+    /// Clear the handler between tests.
+    static func reset() {
+        requestHandler = nil
+    }
+
+    // MARK: - URLProtocol overrides
+
+    nonisolated override init(request: URLRequest, cachedResponse: CachedURLResponse?, client: (any URLProtocolClient)?) {
+        super.init(request: request, cachedResponse: cachedResponse, client: client)
+    }
+
+    nonisolated override class func canInit(with request: URLRequest) -> Bool {
+        true
+    }
+
+    nonisolated override class func canonicalRequest(for request: URLRequest) -> URLRequest {
+        request
+    }
+
+    nonisolated override func startLoading() {
+        guard let handler = MockURLProtocol.requestHandler else {
+            client?.urlProtocol(self, didFailWithError: URLError(.badURL))
+            return
+        }
+
+        do {
+            let (response, data) = try handler(request)
+            client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed)
+            client?.urlProtocol(self, didLoad: data)
+            client?.urlProtocolDidFinishLoading(self)
+        } catch {
+            client?.urlProtocol(self, didFailWithError: error)
+        }
+    }
+
+    nonisolated override func stopLoading() {}
+}
+
+// MARK: - URLSession convenience
+
+extension URLSession {
+    /// Creates an ephemeral `URLSession` wired to `MockURLProtocol`.
+    /// - Parameter handler: The handler that will process requests for this session.
+    /// - Returns: The configured `URLSession`.
+    static func mock(handler: @escaping MockURLProtocol.RequestHandler) -> URLSession {
+        MockURLProtocol.requestHandler = handler
+
+        let config = URLSessionConfiguration.ephemeral
+        config.protocolClasses = [MockURLProtocol.self]
+
+        return URLSession(configuration: config)
+    }
+}
+
+// MARK: - HTTPURLResponse helpers
+
+extension HTTPURLResponse {
+    /// Creates a 200 OK response for the given URL.
+    nonisolated static func ok(url: URL) -> HTTPURLResponse {
+        HTTPURLResponse(url: url, statusCode: 200, httpVersion: nil, headerFields: nil)!
+    }
+
+    /// Creates a response with the given status code for the given URL.
+    nonisolated static func status(_ code: Int, url: URL) -> HTTPURLResponse {
+        HTTPURLResponse(url: url, statusCode: code, httpVersion: nil, headerFields: nil)!
+    }
+}
diff --git a/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift b/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift
new file mode 100644
index 0000000..f08c0be
--- /dev/null
+++ b/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift	
@@ -0,0 +1,89 @@
+//
+//  MockURLProtocolTests.swift
+//
+//  MIT License
+//
+//  Copyright (c) 2023 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import Testing
+import Foundation
+@testable import PPPC_Utility
+
+@Suite("MockURLProtocol", .serialized)
+struct MockURLProtocolTests {
+
+    @Test("Injected session intercepts requests and returns expected data")
+    func injectedSessionInterceptsRequests() async throws {
+        let expectedBody = Data("hello".utf8)
+        let session = URLSession.mock { request in
+            let url = request.url!
+            return (.ok(url: url), expectedBody)
+        }
+        defer { MockURLProtocol.reset() }
+
+        // when
+        let url = URL(string: "https://example.com/test")!
+        let (data, response) = try await session.data(for: URLRequest(url: url))
+
+        // then
+        let httpResponse = try #require(response as? HTTPURLResponse)
+        #expect(httpResponse.statusCode == 200)
+        #expect(data == expectedBody)
+    }
+
+    @Test("Handler can return error status codes")
+    func handlerReturnsErrorStatusCode() async throws {
+        let session = URLSession.mock { request in
+            let url = request.url!
+            return (.status(401, url: url), Data())
+        }
+        defer { MockURLProtocol.reset() }
+
+        // when
+        let url = URL(string: "https://example.com/auth")!
+        let (_, response) = try await session.data(for: URLRequest(url: url))
+
+        // then
+        let httpResponse = try #require(response as? HTTPURLResponse)
+        #expect(httpResponse.statusCode == 401)
+    }
+
+    @Test("Reset clears the handler")
+    func resetClearsHandler() async {
+        let session = URLSession.mock { request in
+            let url = request.url!
+            return (.ok(url: url), Data())
+        }
+
+        // when
+        MockURLProtocol.reset()
+
+        // then
+        let url = URL(string: "https://example.com/test")!
+        do {
+            _ = try await session.data(for: URLRequest(url: url))
+            Issue.record("Expected request to fail after reset")
+        } catch {
+            // Expected — no handler registered
+        }
+    }
+}
diff --git a/Source/Networking/JamfProAPIClient.swift b/Source/Networking/JamfProAPIClient.swift
index 99ac649..3418e3a 100644
--- a/Source/Networking/JamfProAPIClient.swift
+++ b/Source/Networking/JamfProAPIClient.swift
@@ -151,7 +151,7 @@ class JamfProAPIClient: Networking {
         } catch is NetworkingError {
             // Possibly we are talking to Jamf Pro v10.22 or lower and we can grab the version from a meta tag on the login page.
             let simpleRequest = try url(forEndpoint: "")
-            let (data, _) = try await URLSession.shared.data(for: simpleRequest)
+            let (data, _) = try await session.data(for: simpleRequest)
             info = try JamfProVersion(fromHTMLString: String(data: data, encoding: .utf8))
         }
 
diff --git a/Source/Networking/Networking.swift b/Source/Networking/Networking.swift
index c881a3e..b6cbb61 100644
--- a/Source/Networking/Networking.swift
+++ b/Source/Networking/Networking.swift
@@ -46,10 +46,12 @@ enum NetworkingError: Error, Equatable {
 class Networking {
     let authManager: NetworkAuthManager
     let serverUrlString: String
+    let session: URLSession
 
-    init(serverUrlString: String, tokenManager: NetworkAuthManager) {
+    init(serverUrlString: String, tokenManager: NetworkAuthManager, session: URLSession = .shared) {
         self.serverUrlString = serverUrlString
         self.authManager = tokenManager
+        self.session = session
     }
 
     /// Subclasses must override this to do a network call to return a bearer token.
@@ -75,7 +77,7 @@ class Networking {
     /// - Parameter request: A request that already has authorization info.
     /// - Returns: The result.
     func loadPreAuthorized<T: Decodable>(request: URLRequest) async throws -> T {
-        let (data, urlResponse) = try await URLSession.shared.data(for: request)
+        let (data, urlResponse) = try await session.data(for: request)
 
         if let httpResponse = urlResponse as? HTTPURLResponse {
             if httpResponse.statusCode == 401 {
@@ -96,7 +98,7 @@ class Networking {
     /// - Returns: The result.
     func loadBasicAuthorized<T: Decodable>(request: URLRequest) async throws -> T {
         let authorizedRequest = try await authorizeBasic(request: request)
-        let (data, urlResponse) = try await URLSession.shared.data(for: authorizedRequest)
+        let (data, urlResponse) = try await session.data(for: authorizedRequest)
 
         if let httpResponse = urlResponse as? HTTPURLResponse {
             if httpResponse.statusCode == 401 {
@@ -117,7 +119,7 @@ class Networking {
     /// - Returns: The result.
     func loadBearerAuthorized<T: Decodable>(request: URLRequest, allowRetryForAuth: Bool = true) async throws -> T {
         let authorizedRequest = try await authorizeBearer(request: request)
-        let (data, urlResponse) = try await URLSession.shared.data(for: authorizedRequest)
+        let (data, urlResponse) = try await session.data(for: authorizedRequest)
 
         if let httpResponse = urlResponse as? HTTPURLResponse {
             if httpResponse.statusCode == 401 {
@@ -143,7 +145,7 @@ class Networking {
     /// - Returns: The result.
     func sendBearerAuthorized(request: URLRequest, allowRetryForAuth: Bool = true) async throws -> Data {
         let authorizedRequest = try await authorizeBearer(request: request)
-        let (data, urlResponse) = try await URLSession.shared.data(for: authorizedRequest)
+        let (data, urlResponse) = try await session.data(for: authorizedRequest)
 
         if let httpResponse = urlResponse as? HTTPURLResponse {
             if httpResponse.statusCode == 401 {
@@ -166,7 +168,7 @@ class Networking {
     /// - Returns: The result.
     func sendBasicAuthorized(request: URLRequest) async throws -> Data {
         let authorizedRequest = try await authorizeBasic(request: request)
-        let (data, urlResponse) = try await URLSession.shared.data(for: authorizedRequest)
+        let (data, urlResponse) = try await session.data(for: authorizedRequest)
 
         if let httpResponse = urlResponse as? HTTPURLResponse {
             if httpResponse.statusCode == 401 {
diff --git a/Source/Networking/UploadManager.swift b/Source/Networking/UploadManager.swift
index 109f8c2..9fb22e5 100644
--- a/Source/Networking/UploadManager.swift
+++ b/Source/Networking/UploadManager.swift
@@ -11,6 +11,7 @@ import OSLog
 
 struct UploadManager {
     let serverURL: String
+    let session: URLSession
 
     let logger = Logger.UploadManager
 
@@ -23,10 +24,15 @@ struct UploadManager {
         case anyError(String)
     }
 
+    init(serverURL: String, session: URLSession = .shared) {
+        self.serverURL = serverURL
+        self.session = session
+    }
+
     func verifyConnection(authManager: NetworkAuthManager) async throws -> VerificationInfo {
         logger.info("Checking connection to Jamf Pro server")
 
-        let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authManager)
+        let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authManager, session: session)
 
         do {
             let version = try await networking.getJamfProVersion()
@@ -49,7 +55,7 @@ struct UploadManager {
     func upload(profile: TCCProfile, authMgr: NetworkAuthManager, siteInfo: (String, String)?, signingIdentity: SigningIdentity?) async throws {
         logger.info("Uploading profile: \(profile.displayName, privacy: .public)")
 
-        let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authMgr)
+        let networking = JamfProAPIClient(serverUrlString: serverURL, tokenManager: authMgr, session: session)
         var identity: SecIdentity?
         if let signingIdentity = signingIdentity {
             logger.info("Signing profile with \(signingIdentity.displayName)")
diff --git a/docs/plans/test-coverage-expansion.md b/docs/plans/test-coverage-expansion.md
index 72affda..15a61a0 100644
--- a/docs/plans/test-coverage-expansion.md
+++ b/docs/plans/test-coverage-expansion.md
@@ -31,7 +31,8 @@ The goal is to close these gaps in four small, independently reviewable pull req
 - Follow Swift Testing conventions for this repo (`@Test`/`@Suite` on their own line, `// when` + `// then` comments only).
 - Avoid string-equality checks on localized error messages; assert error types/codes instead.
 - For XML, assert presence/absence of specific nodes via parsing, not full-string equality.
-- Mock URLProtocol must be parallel-safe by default: use a per-session handler registry keyed by a unique session ID (e.g., request header), with thread-safe storage and teardown reset. Each test uses its own `URLSessionConfiguration` with its own session ID.
+- Prefer Swift Concurrency (actors, async/await) over locks/mutexes. Allow low-level synchronization only when synchronous nonisolated contexts (e.g., URLProtocol overrides) make async impossible.
+- Network tests run serialized (`.serialized` trait on suites). `MockURLProtocol` uses a simple single static handler — no per-session registry or thread-safe storage needed.
 
 ---
 
@@ -77,8 +78,8 @@ All new test files build and pass. No new compiler warnings.
 ### New test helper
 | File | What it provides |
 |------|-----------------|
-| `PPPC UtilityTests/Helpers/MockURLProtocol.swift` | `MockURLProtocol: URLProtocol` with per-session handler registry keyed by a unique session ID header; thread-safe storage; `URLSession.mock(handler:)` creates an isolated session; `MockURLProtocol.reset()` for teardown; `HTTPURLResponse.ok(url:)` and `.status(_:url:)` helpers |
-| `PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift` | Minimal test proving injected `URLSession` is used and handlers are isolated per session (parallel-safe). |
+| `PPPC UtilityTests/Helpers/MockURLProtocol.swift` | `MockURLProtocol: URLProtocol` with a single static `requestHandler` closure; `URLSession.mock(handler:)` creates an ephemeral session wired to the protocol; `MockURLProtocol.reset()` for teardown; `HTTPURLResponse.ok(url:)` and `.status(_:url:)` helpers |
+| `PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift` | Minimal tests proving injected `URLSession` intercepts requests and returns expected responses. Suite runs `.serialized`. |
 
 ### Verification
 Build succeeds, all existing 50 tests still pass, no new warnings. No behavioral change — `URLSession.shared` remains the default for all production paths.
@@ -122,7 +123,7 @@ Run tests. All new tests pass with no real network calls. Error assertions use e
 
 ### MockURLProtocol dispatch pattern for UploadManager tests
 ```swift
-MockURLProtocol.requestHandler = { request in
+let (session, _) = URLSession.mock { request in
     let path = request.url?.path ?? ""
     if path.hasSuffix("auth/token")               { return (tokenResponse, tokenJSON) }
     if path.contains("jamf-pro-version")           { return (ok, versionJSON) }

From 00a08f6e7e0546f6dc16f4bfebfe151f75336419 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Tue, 7 Apr 2026 16:19:46 -0500
Subject: [PATCH 41/53] added more networking unit tests

---
 CLAUDE.md                                     |   2 +
 PPPC Utility.xcodeproj/project.pbxproj        |  15 +-
 .../xcschemes/PPPC Utility.xcscheme           |  95 ++++++
 PPPC Utility.xctestplan                       |  31 ++
 .../Helpers/MockURLProtocol.swift             |   2 +-
 .../JamfProAPIClientTests.swift               | 186 +++++++++++
 .../MockURLProtocolTests.swift                |   6 +-
 .../NetworkingTests/NetworkingTests.swift     | 298 ++++++++++++++++++
 8 files changed, 626 insertions(+), 9 deletions(-)
 create mode 100644 PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility.xcscheme
 create mode 100644 PPPC Utility.xctestplan
 create mode 100644 PPPC UtilityTests/NetworkingTests/NetworkingTests.swift

diff --git a/CLAUDE.md b/CLAUDE.md
index e645474..25b0a7e 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -17,5 +17,7 @@
   ```
 - Network test suites use `.serialized` trait. `MockURLProtocol` uses a simple single static handler — no per-session registry needed.
 - Avoid snake_case in test names (e.g., `generateDisplayName_bundleIdentifier`). If a name is getting long, use a Trait with a sentence-style description instead.
+- For complex tests, use a descriptive `@Test("...")` trait that explains the scenario and expected outcome so the test is understandable without reading the body.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
 - Beyond 3 params: create separate tests with some values hard-coded
+- Use `deinit` as teardown for repeated cleanup across tests in a suite. Use `class` for suites that need `deinit`; use `struct` otherwise.
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 89877a9..cd418ea 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -44,6 +44,7 @@
 		71061E54246106C800822D35 /* LoadExecutableError.swift in Sources */ = {isa = PBXBuildFile; fileRef = 71061E53246106C800822D35 /* LoadExecutableError.swift */; };
 		A149C78D2CC68FBF00E0789E /* LoggerExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A149C78C2CC68FA100E0789E /* LoggerExtensions.swift */; };
 		A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */; };
+		FEE04458C398AE5C1074928F /* NetworkingTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */; };
 		B5E09548250BCCFC00A40409 /* Alert.swift in Sources */ = {isa = PBXBuildFile; fileRef = B5E09547250BCCFC00A40409 /* Alert.swift */; };
 		C01BEDBA28636F57001B0B3B /* SemanticVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C01BEDB928636F57001B0B3B /* SemanticVersionTests.swift */; };
 		C03270BA28636330008B38E0 /* SemanticVersion.swift in Sources */ = {isa = PBXBuildFile; fileRef = C03270B928636330008B38E0 /* SemanticVersion.swift */; };
@@ -78,11 +79,12 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
-		0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = ArrayExtensionTests.swift; path = ArrayExtensionTests.swift; sourceTree = "<group>"; };
-		15C8454BE335603AE6B55049 /* ExecutableTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = ExecutableTests.swift; path = ExecutableTests.swift; sourceTree = "<group>"; };
+		0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ArrayExtensionTests.swift; sourceTree = "<group>"; };
+		15C8454BE335603AE6B55049 /* ExecutableTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ExecutableTests.swift; sourceTree = "<group>"; };
 		345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileExtensions.swift; sourceTree = "<group>"; };
 		34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileConfigurationPanel.swift; sourceTree = "<group>"; };
-		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = JamfProVersionTests.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
+		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
+		34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkingTests.swift; sourceTree = "<group>"; };
 		5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocolTests.swift; sourceTree = "<group>"; };
 		5901A2762534DF1400A1CD2F /* ModelBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelBuilder.swift; sourceTree = "<group>"; };
 		59206D6825265F0C00B94795 /* TCCProfileTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileTests.swift; sourceTree = "<group>"; };
@@ -140,8 +142,9 @@
 		C0EE9A7C28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = TestTCCProfileForJamfProAPI.txt; sourceTree = "<group>"; };
 		C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPITypes.swift; sourceTree = "<group>"; };
 		C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = NetworkAuthManager.swift; sourceTree = "<group>"; };
-		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; name = TCCPolicyTests.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
+		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
 		F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
+		F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility.xctestplan"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -168,7 +171,6 @@
 			children = (
 				0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */,
 			);
-			name = ExtensionTests;
 			path = ExtensionTests;
 			sourceTree = "<group>";
 		};
@@ -264,6 +266,7 @@
 		6EC409D1214D65BC00BE4F17 = {
 			isa = PBXGroup;
 			children = (
+				F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */,
 				6E95730721553B650002C30B /* LICENSE */,
 				97227C6726248CD7000F26C1 /* CHANGELOG.md */,
 				6E5D5A1521541B8F00B43312 /* README.md */,
@@ -367,6 +370,7 @@
 				C07961E128749A36007B98A7 /* TokenTests.swift */,
 				47A216936077FDD709470D77 /* JamfProVersionTests.swift */,
 				5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */,
+				34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */,
 			);
 			path = NetworkingTests;
 			sourceTree = "<group>";
@@ -511,6 +515,7 @@
 				D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */,
 				47F24E408CC42F176BD97CA5 /* MockURLProtocol.swift in Sources */,
 				A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */,
+				FEE04458C398AE5C1074928F /* NetworkingTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility.xcscheme b/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility.xcscheme
new file mode 100644
index 0000000..eb8e9e0
--- /dev/null
+++ b/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility.xcscheme	
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "2640"
+   version = "1.7">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "6EC409D9214D65BC00BE4F17"
+               BuildableName = "PPPC Utility.app"
+               BlueprintName = "PPPC Utility"
+               ReferencedContainer = "container:PPPC Utility.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <TestPlans>
+         <TestPlanReference
+            reference = "container:PPPC Utility.xctestplan"
+            default = "YES">
+         </TestPlanReference>
+      </TestPlans>
+      <Testables>
+         <TestableReference
+            skipped = "NO">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "5F95AE1A2315A6AD002E0A22"
+               BuildableName = "PPPC UtilityTests.xctest"
+               BlueprintName = "PPPC UtilityTests"
+               ReferencedContainer = "container:PPPC Utility.xcodeproj">
+            </BuildableReference>
+         </TestableReference>
+      </Testables>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "6EC409D9214D65BC00BE4F17"
+            BuildableName = "PPPC Utility.app"
+            BlueprintName = "PPPC Utility"
+            ReferencedContainer = "container:PPPC Utility.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "6EC409D9214D65BC00BE4F17"
+            BuildableName = "PPPC Utility.app"
+            BlueprintName = "PPPC Utility"
+            ReferencedContainer = "container:PPPC Utility.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>
diff --git a/PPPC Utility.xctestplan b/PPPC Utility.xctestplan
new file mode 100644
index 0000000..277ad83
--- /dev/null
+++ b/PPPC Utility.xctestplan	
@@ -0,0 +1,31 @@
+{
+  "configurations" : [
+    {
+      "id" : "A2100AAD-F211-4146-9683-1509D479B82B",
+      "name" : "Test Scheme Action",
+      "options" : {
+
+      }
+    }
+  ],
+  "defaultOptions" : {
+    "codeCoverage" : true,
+    "performanceAntipatternCheckerEnabled" : true,
+    "targetForVariableExpansion" : {
+      "containerPath" : "container:PPPC Utility.xcodeproj",
+      "identifier" : "6EC409D9214D65BC00BE4F17",
+      "name" : "PPPC Utility"
+    }
+  },
+  "testTargets" : [
+    {
+      "parallelizable" : false,
+      "target" : {
+        "containerPath" : "container:PPPC Utility.xcodeproj",
+        "identifier" : "5F95AE1A2315A6AD002E0A22",
+        "name" : "PPPC UtilityTests"
+      }
+    }
+  ],
+  "version" : 1
+}
diff --git a/PPPC UtilityTests/Helpers/MockURLProtocol.swift b/PPPC UtilityTests/Helpers/MockURLProtocol.swift
index 243dec2..fcfc903 100644
--- a/PPPC UtilityTests/Helpers/MockURLProtocol.swift	
+++ b/PPPC UtilityTests/Helpers/MockURLProtocol.swift	
@@ -36,7 +36,7 @@ final class MockURLProtocol: URLProtocol, @unchecked Sendable {
     nonisolated(unsafe) static var requestHandler: RequestHandler?
 
     /// Clear the handler between tests.
-    static func reset() {
+    nonisolated static func reset() {
         requestHandler = nil
     }
 
diff --git a/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift b/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift
index f44979f..258d3ac 100644
--- a/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/JamfProAPIClientTests.swift	
@@ -26,3 +26,189 @@ struct JamfProAPIClientTests {
         #expect(bodyString == "grant_type=client_credentials&client_id=mine%26yours&client_secret=foo%20bar")
     }
 }
+
+// MARK: - getJamfProVersion
+
+@Suite("JamfProAPIClient getJamfProVersion", .serialized)
+final class JamfProAPIClientVersionTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("getJamfProVersion decodes JSON response")
+    func getVersionFromJSON() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.contains("jamf-pro-version") {
+                let json = #"{"version":"10.40.0-t1695913581"}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let version = try await client.getJamfProVersion()
+
+        // then
+        #expect(version.version == "10.40.0-t1695913581")
+        #expect(version.mainVersionInfo() == "10.40.0")
+    }
+
+    @Test("Falls back to parsing HTML login page when version API endpoint returns 404")
+    func getVersionFallsBackToHTML() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.contains("jamf-pro-version") {
+                return (.status(404, url: request.url!), Data())
+            }
+            // HTML login page fallback
+            let html = #"<html><meta name="version" content="10.22.0-t123"></html>"#
+            return (.ok(url: request.url!), Data(html.utf8))
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let version = try await client.getJamfProVersion()
+
+        // then
+        #expect(version.version == "10.22.0")
+    }
+}
+
+// MARK: - getOrganizationName
+
+@Suite("JamfProAPIClient getOrganizationName", .serialized)
+final class JamfProAPIClientOrgTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("getOrganizationName decodes activation code response")
+    func getOrgNameDecodesResponse() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.contains("activationcode") {
+                let json = #"{"activation_code":{"organization_name":"Acme Corp","code":"ABC123"}}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let orgName = try await client.getOrganizationName()
+
+        // then
+        #expect(orgName == "Acme Corp")
+    }
+}
+
+// MARK: - getBearerToken
+
+@Suite("JamfProAPIClient getBearerToken", .serialized)
+final class JamfProAPIClientTokenTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("getBearerToken with basic auth sends POST to auth/token")
+    func getBearerTokenBasicAuth() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "secret")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                // then — verify it's a POST with Basic auth
+                #expect(request.httpMethod == "POST")
+                let authHeader = request.value(forHTTPHeaderField: "Authorization") ?? ""
+                #expect(authHeader.hasPrefix("Basic "))
+                let tokenJSON = #"{"token":"new-token-123","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let token = try await client.getBearerToken(authInfo: .basicAuth(username: "admin", password: "secret"))
+
+        // then
+        #expect(token.value == "new-token-123")
+    }
+
+    @Test("getBearerToken with client credentials sends form-encoded POST to oauth/token")
+    func getBearerTokenClientCreds() async throws {
+        let authManager = NetworkAuthManager(username: "", password: "")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("oauth/token") {
+                // then — verify it's a POST
+                #expect(request.httpMethod == "POST")
+                let tokenJSON = #"{"access_token":"oauth-token-456","expires_in":3600}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let token = try await client.getBearerToken(authInfo: .clientCreds(id: "my-id", secret: "my-secret"))
+
+        // then
+        #expect(token.value == "oauth-token-456")
+    }
+}
+
+// MARK: - load with fallback
+
+@Suite("JamfProAPIClient load fallback", .serialized)
+final class JamfProAPIClientLoadFallbackTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Falls back to basic auth when bearer token endpoint returns 404, indicating pre-10.35 Jamf Pro")
+    func loadFallsBackToBasicAuth() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                // Token endpoint returns 404 → bearerAuthNotSupported
+                return (.status(404, url: request.url!), Data())
+            }
+            if path.contains("activationcode") {
+                let authHeader = request.value(forHTTPHeaderField: "Authorization") ?? ""
+                if authHeader.hasPrefix("Basic ") {
+                    let json = #"{"activation_code":{"organization_name":"Fallback Corp","code":"XYZ"}}"#
+                    return (.ok(url: request.url!), Data(json.utf8))
+                }
+                return (.status(401, url: request.url!), Data())
+            }
+            throw URLError(.badURL)
+        }
+
+        let client = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+
+        // when
+        let orgName = try await client.getOrganizationName()
+
+        // then
+        #expect(orgName == "Fallback Corp")
+    }
+}
diff --git a/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift b/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift
index f08c0be..1619184 100644
--- a/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/MockURLProtocolTests.swift	
@@ -29,7 +29,9 @@ import Foundation
 @testable import PPPC_Utility
 
 @Suite("MockURLProtocol", .serialized)
-struct MockURLProtocolTests {
+final class MockURLProtocolTests {
+
+    deinit { MockURLProtocol.reset() }
 
     @Test("Injected session intercepts requests and returns expected data")
     func injectedSessionInterceptsRequests() async throws {
@@ -38,7 +40,6 @@ struct MockURLProtocolTests {
             let url = request.url!
             return (.ok(url: url), expectedBody)
         }
-        defer { MockURLProtocol.reset() }
 
         // when
         let url = URL(string: "https://example.com/test")!
@@ -56,7 +57,6 @@ struct MockURLProtocolTests {
             let url = request.url!
             return (.status(401, url: url), Data())
         }
-        defer { MockURLProtocol.reset() }
 
         // when
         let url = URL(string: "https://example.com/auth")!
diff --git a/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift b/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift
new file mode 100644
index 0000000..f82e9d2
--- /dev/null
+++ b/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift	
@@ -0,0 +1,298 @@
+//
+//  NetworkingTests.swift
+//  PPPC UtilityTests
+//
+//  SPDX-License-Identifier: MIT
+//  Copyright (c) 2023 Jamf Software
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+// MARK: - url(forEndpoint:)
+
+@Suite("Networking URL construction")
+struct NetworkingURLTests {
+
+    @Test("Constructs URL from valid server string and endpoint")
+    func validURL() throws {
+        let authManager = NetworkAuthManager(username: "u", password: "p")
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager)
+
+        // when
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // then
+        #expect(request.url?.absoluteString == "https://jamf.example.com/api/v1/resource")
+        #expect(request.cachePolicy == .reloadIgnoringLocalCacheData)
+        #expect(request.timeoutInterval == 45.0)
+    }
+
+    @Test("Throws badServerUrl for invalid server string")
+    func badServerURL() {
+        let authManager = NetworkAuthManager(username: "u", password: "p")
+        let networking = Networking(serverUrlString: "", tokenManager: authManager)
+
+        // when/then
+        #expect(throws: NetworkingError.badServerUrl("")) {
+            _ = try networking.url(forEndpoint: "anything")
+        }
+    }
+}
+
+// MARK: - loadPreAuthorized
+
+@Suite("Networking loadPreAuthorized", .serialized)
+final class NetworkingLoadPreAuthorizedTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Returns decoded value on 200")
+    func decodesOn200() async throws {
+        let authManager = NetworkAuthManager(username: "u", password: "p")
+        let session = URLSession.mock { request in
+            let json = #"{"version":"11.0.0"}"#
+            return (.ok(url: request.url!), Data(json.utf8))
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/jamf-pro-version")
+
+        // when
+        let result: JamfProVersion = try await networking.loadPreAuthorized(request: request)
+
+        // then
+        #expect(result.version == "11.0.0")
+    }
+
+    @Test("Throws invalidUsernamePassword on 401")
+    func throwsOn401() async throws {
+        let authManager = NetworkAuthManager(username: "u", password: "p")
+        let session = URLSession.mock { request in
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: AuthError.invalidUsernamePassword) {
+            let _: JamfProVersion = try await networking.loadPreAuthorized(request: request)
+        }
+    }
+
+    @Test("Throws serverResponse on 500")
+    func throwsOn500() async throws {
+        let authManager = NetworkAuthManager(username: "u", password: "p")
+        let session = URLSession.mock { request in
+            return (.status(500, url: request.url!), Data())
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: NetworkingError.self) {
+            let _: JamfProVersion = try await networking.loadPreAuthorized(request: request)
+        }
+    }
+}
+
+// MARK: - loadBearerAuthorized
+
+@Suite("Networking loadBearerAuthorized", .serialized)
+final class NetworkingLoadBearerAuthorizedTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Returns decoded value on 200")
+    func decodesOn200() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            let json = #"{"version":"11.0.0"}"#
+            return (.ok(url: request.url!), Data(json.utf8))
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/jamf-pro-version")
+
+        // when
+        let result: JamfProVersion = try await networking.loadBearerAuthorized(request: request)
+
+        // then
+        #expect(result.version == "11.0.0")
+    }
+
+    @Test("Refreshes the bearer token and retries when server returns 401 on first attempt")
+    func retriesOnceOn401() async throws {
+        nonisolated(unsafe) var tokenCallCount = 0
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                tokenCallCount += 1
+                if tokenCallCount == 1 {
+                    // First token — will be rejected by the API
+                    let tokenJSON = #"{"token":"stale","expires":"2099-01-01T00:00:00.000Z"}"#
+                    return (.ok(url: request.url!), Data(tokenJSON.utf8))
+                }
+                // Refreshed token — will be accepted
+                let tokenJSON = #"{"token":"refreshed","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            // API endpoint: reject "stale", accept "refreshed"
+            let auth = request.value(forHTTPHeaderField: "Authorization") ?? ""
+            if auth.contains("refreshed") {
+                let json = #"{"version":"11.0.0"}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/jamf-pro-version")
+
+        // when
+        let result: JamfProVersion = try await networking.loadBearerAuthorized(request: request)
+
+        // then
+        #expect(result.version == "11.0.0")
+    }
+
+    @Test("Throws invalidToken when server returns 401 on both the initial and retry attempts")
+    func throwsOnSecond401() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"refreshed","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: AuthError.invalidToken) {
+            let _: JamfProVersion = try await networking.loadBearerAuthorized(request: request)
+        }
+    }
+}
+
+// MARK: - sendBearerAuthorized
+
+@Suite("Networking sendBearerAuthorized", .serialized)
+final class NetworkingSendBearerAuthorizedTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Returns data on 200")
+    func returnsDataOn200() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.ok(url: request.url!), Data("OK".utf8))
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when
+        let data = try await networking.sendBearerAuthorized(request: request)
+
+        // then
+        #expect(String(data: data, encoding: .utf8) == "OK")
+    }
+
+    @Test("Throws serverResponse on 500")
+    func throwsOn500() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.status(500, url: request.url!), Data())
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: NetworkingError.self) {
+            try await networking.sendBearerAuthorized(request: request)
+        }
+    }
+}
+
+// MARK: - sendBasicAuthorized
+
+@Suite("Networking sendBasicAuthorized", .serialized)
+final class NetworkingSendBasicAuthorizedTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Returns data on 200")
+    func returnsDataOn200() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let authHeader = request.value(forHTTPHeaderField: "Authorization") ?? ""
+            #expect(authHeader.hasPrefix("Basic "))
+            return (.ok(url: request.url!), Data("success".utf8))
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when
+        let data = try await networking.sendBasicAuthorized(request: request)
+
+        // then
+        #expect(String(data: data, encoding: .utf8) == "success")
+    }
+
+    @Test("Throws invalidUsernamePassword on 401")
+    func throwsOn401() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: AuthError.invalidUsernamePassword) {
+            try await networking.sendBasicAuthorized(request: request)
+        }
+    }
+
+    @Test("Throws serverResponse on 403")
+    func throwsOn403() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            return (.status(403, url: request.url!), Data())
+        }
+
+        let networking = Networking(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: NetworkingError.self) {
+            try await networking.sendBasicAuthorized(request: request)
+        }
+    }
+}

From 20ae4c18dfc23f105a08e1ecb977979d954c2919 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:24:57 +0000
Subject: [PATCH 42/53] Fix sendBearerAuthorized retry bug and add 401 retry
 tests

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/398e2e82-5660-412c-9150-b6c79a4bb21e

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
---
 .../NetworkingTests/NetworkingTests.swift     | 53 +++++++++++++++++++
 Source/Networking/Networking.swift            |  2 +-
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift b/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift
index f82e9d2..895f747 100644
--- a/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift	
+++ b/PPPC UtilityTests/NetworkingTests/NetworkingTests.swift	
@@ -216,6 +216,59 @@ final class NetworkingSendBearerAuthorizedTests {
         #expect(String(data: data, encoding: .utf8) == "OK")
     }
 
+    @Test("Refreshes the bearer token and retries when server returns 401 on first attempt")
+    func retriesOnceOn401() async throws {
+        nonisolated(unsafe) var tokenCallCount = 0
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                tokenCallCount += 1
+                if tokenCallCount == 1 {
+                    let tokenJSON = #"{"token":"stale","expires":"2099-01-01T00:00:00.000Z"}"#
+                    return (.ok(url: request.url!), Data(tokenJSON.utf8))
+                }
+                let tokenJSON = #"{"token":"refreshed","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            let auth = request.value(forHTTPHeaderField: "Authorization") ?? ""
+            if auth.contains("refreshed") {
+                return (.ok(url: request.url!), Data("OK".utf8))
+            }
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when
+        let data = try await networking.sendBearerAuthorized(request: request)
+
+        // then
+        #expect(String(data: data, encoding: .utf8) == "OK")
+    }
+
+    @Test("Throws invalidToken when server returns 401 on both the initial and retry attempts")
+    func throwsOnSecond401() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"refreshed","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let networking = JamfProAPIClient(serverUrlString: "https://jamf.example.com", tokenManager: authManager, session: session)
+        let request = try networking.url(forEndpoint: "api/v1/resource")
+
+        // when/then
+        await #expect(throws: AuthError.invalidToken) {
+            try await networking.sendBearerAuthorized(request: request)
+        }
+    }
+
     @Test("Throws serverResponse on 500")
     func throwsOn500() async throws {
         let authManager = NetworkAuthManager(username: "admin", password: "pass")
diff --git a/Source/Networking/Networking.swift b/Source/Networking/Networking.swift
index b6cbb61..d50e237 100644
--- a/Source/Networking/Networking.swift
+++ b/Source/Networking/Networking.swift
@@ -151,7 +151,7 @@ class Networking {
             if httpResponse.statusCode == 401 {
                 if allowRetryForAuth {
                     _ = try await authManager.refreshToken(networking: self)
-                    return try await loadBearerAuthorized(request: request, allowRetryForAuth: false)
+                    return try await sendBearerAuthorized(request: request, allowRetryForAuth: false)
                 }
 
                 throw AuthError.invalidToken

From b3b8cb1065f462956101f260834db31ac60b0c42 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Wed, 8 Apr 2026 10:26:04 -0500
Subject: [PATCH 43/53] Phase 4: Add UploadManager and TCCProfile XML tests

- New UploadManagerTests with verifyConnection tests (mustSign true/false,
  credential errors, unavailability errors) and upload tests verifying
  site XML presence/absence through the full network mock flow
- Expand TCCProfileTests with XML-parsing-based assertions for
  jamfProAPIData structure, site element inclusion, and site exclusion
- 96 tests total, all passing, no new compiler warnings
- App target coverage: 45.03%

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 PPPC Utility.xcodeproj/project.pbxproj        |   4 +
 .../NetworkingTests/UploadManagerTests.swift  | 215 ++++++++++++++++++
 .../TCCProfileTests.swift                     |  38 ++++
 3 files changed, 257 insertions(+)
 create mode 100644 PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index cd418ea..d2c1e4c 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -9,6 +9,7 @@
 /* Begin PBXBuildFile section */
 		09614BF857C294E1E344298C /* TCCPolicyTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */; };
 		1E57D2CD1B0B3602E7FD9806 /* JamfProVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 47A216936077FDD709470D77 /* JamfProVersionTests.swift */; };
+		846A32C3BB81E3C29B621792 /* UploadManagerTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 30877432D1026706D7E805DA /* UploadManagerTests.swift */; };
 		345B01D623FDBF55008838B6 /* TCCProfileExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */; };
 		34DED4D423FDCAFD00C53FB9 /* SwiftyCMSDecoder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F95AE1523158F03002E0A22 /* SwiftyCMSDecoder.swift */; };
 		34DED4D623FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */; };
@@ -83,6 +84,7 @@
 		15C8454BE335603AE6B55049 /* ExecutableTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ExecutableTests.swift; sourceTree = "<group>"; };
 		345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileExtensions.swift; sourceTree = "<group>"; };
 		34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileConfigurationPanel.swift; sourceTree = "<group>"; };
+		30877432D1026706D7E805DA /* UploadManagerTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadManagerTests.swift; sourceTree = "<group>"; };
 		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
 		34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkingTests.swift; sourceTree = "<group>"; };
 		5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocolTests.swift; sourceTree = "<group>"; };
@@ -371,6 +373,7 @@
 				47A216936077FDD709470D77 /* JamfProVersionTests.swift */,
 				5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */,
 				34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */,
+				30877432D1026706D7E805DA /* UploadManagerTests.swift */,
 			);
 			path = NetworkingTests;
 			sourceTree = "<group>";
@@ -516,6 +519,7 @@
 				47F24E408CC42F176BD97CA5 /* MockURLProtocol.swift in Sources */,
 				A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */,
 				FEE04458C398AE5C1074928F /* NetworkingTests.swift in Sources */,
+				846A32C3BB81E3C29B621792 /* UploadManagerTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift b/PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift
new file mode 100644
index 0000000..b3a3572
--- /dev/null
+++ b/PPPC UtilityTests/NetworkingTests/UploadManagerTests.swift	
@@ -0,0 +1,215 @@
+//
+//  UploadManagerTests.swift
+//  PPPC UtilityTests
+//
+//  SPDX-License-Identifier: MIT
+//  Copyright (c) 2023 Jamf Software
+
+import Foundation
+import Testing
+
+@testable import PPPC_Utility
+
+// MARK: - verifyConnection
+
+@Suite("UploadManager verifyConnection", .serialized)
+final class UploadManagerVerifyConnectionTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    @Test("Returns mustSign false when Jamf Pro version is 10.7.1 or later")
+    func modernVersionDoesNotRequireSigning() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.contains("jamf-pro-version") {
+                let json = #"{"version":"10.40.0-t1695913581"}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            if path.contains("activationcode") {
+                let json = #"{"activation_code":{"organization_name":"Acme Corp","code":"ABC123"}}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+
+        // when
+        let info = try await manager.verifyConnection(authManager: authManager)
+
+        // then
+        #expect(info.mustSign == false)
+        #expect(info.organization == "Acme Corp")
+    }
+
+    @Test("Returns mustSign true when Jamf Pro version is below 10.7.1")
+    func legacyVersionRequiresSigning() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.contains("jamf-pro-version") {
+                let json = #"{"version":"10.6.0"}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            if path.contains("activationcode") {
+                let json = #"{"activation_code":{"organization_name":"Legacy Inc","code":"XYZ"}}"#
+                return (.ok(url: request.url!), Data(json.utf8))
+            }
+            throw URLError(.badURL)
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+
+        // when
+        let info = try await manager.verifyConnection(authManager: authManager)
+
+        // then
+        #expect(info.mustSign == true)
+        #expect(info.organization == "Legacy Inc")
+    }
+
+    @Test("Throws credential error when authentication fails")
+    func throwsCredentialError() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "wrong")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.status(401, url: request.url!), Data())
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+
+        // when/then
+        await #expect {
+            try await manager.verifyConnection(authManager: authManager)
+        } throws: { error in
+            guard case UploadManager.VerificationError.anyError(let message) = error else { return false }
+            return message == "Invalid credentials."
+        }
+    }
+
+    @Test("Throws unavailable error when server returns a non-auth failure")
+    func throwsUnavailableError() async throws {
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            return (.status(500, url: request.url!), Data())
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+
+        // when/then
+        await #expect {
+            try await manager.verifyConnection(authManager: authManager)
+        } throws: { error in
+            guard case UploadManager.VerificationError.anyError(let message) = error else { return false }
+            return message == "Jamf Pro server is unavailable."
+        }
+    }
+}
+
+// MARK: - upload
+
+@Suite("UploadManager upload", .serialized)
+final class UploadManagerUploadTests {
+
+    deinit { MockURLProtocol.reset() }
+
+    /// Reads the HTTP body from a URLRequest, falling back to httpBodyStream
+    /// when URLProtocol delivers the body as a stream rather than inline data.
+    nonisolated private static func bodyData(from request: URLRequest) -> Data? {
+        if let body = request.httpBody { return body }
+        guard let stream = request.httpBodyStream else { return nil }
+        stream.open()
+        defer { stream.close() }
+        var data = Data()
+        let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: 4096)
+        defer { buffer.deallocate() }
+        while stream.hasBytesAvailable {
+            let read = stream.read(buffer, maxLength: 4096)
+            guard read > 0 else { break }
+            data.append(buffer, count: read)
+        }
+        return data
+    }
+
+    @Test("Uploaded XML excludes site element when no site is provided")
+    func uploadWithoutSite() async throws {
+        nonisolated(unsafe) var capturedBody: Data?
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.hasSuffix("osxconfigurationprofiles") {
+                capturedBody = UploadManagerUploadTests.bodyData(from: request)
+                return (.ok(url: request.url!), Data())
+            }
+            throw URLError(.badURL)
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+        let profile = TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow)
+
+        // when
+        try await manager.upload(profile: profile, authMgr: authManager, siteInfo: nil, signingIdentity: nil)
+
+        // then
+        let body = try #require(capturedBody, "Expected the profile body to be captured from the upload request")
+        let doc = try XMLDocument(data: body)
+        let root = try #require(doc.rootElement())
+        let general = try #require(root.elements(forName: "general").first)
+        #expect(general.elements(forName: "site").isEmpty, "No site element should be present when siteInfo is nil")
+    }
+
+    @Test("Uploaded XML includes correct site element when site is provided")
+    func uploadWithSite() async throws {
+        nonisolated(unsafe) var capturedBody: Data?
+        let authManager = NetworkAuthManager(username: "admin", password: "pass")
+        let session = URLSession.mock { request in
+            let path = request.url?.path ?? ""
+            if path.hasSuffix("auth/token") {
+                let tokenJSON = #"{"token":"abc","expires":"2099-01-01T00:00:00.000Z"}"#
+                return (.ok(url: request.url!), Data(tokenJSON.utf8))
+            }
+            if path.hasSuffix("osxconfigurationprofiles") {
+                capturedBody = UploadManagerUploadTests.bodyData(from: request)
+                return (.ok(url: request.url!), Data())
+            }
+            throw URLError(.badURL)
+        }
+
+        let manager = UploadManager(serverURL: "https://jamf.example.com", session: session)
+        let profile = TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow)
+
+        // when
+        try await manager.upload(profile: profile, authMgr: authManager, siteInfo: ("42", "Test Site"), signingIdentity: nil)
+
+        // then
+        let body = try #require(capturedBody, "Expected the profile body to be captured from the upload request")
+        let doc = try XMLDocument(data: body)
+        let root = try #require(doc.rootElement())
+        let general = try #require(root.elements(forName: "general").first)
+        let site = try #require(general.elements(forName: "site").first, "Site element should be present")
+        #expect(site.elements(forName: "id").first?.stringValue == "42")
+        #expect(site.elements(forName: "name").first?.stringValue == "Test Site")
+    }
+}
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift
index 45e45f2..5d14ef6 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
@@ -192,6 +192,44 @@ struct TCCProfileTests {
         #expect(xmlString == expected)
     }
 
+    @Test("jamfProAPIData XML contains expected structure and no site element when site is nil")
+    func jamfProAPIDataXMLStructureWithoutSite() async throws {
+        let profile = TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow)
+
+        // when
+        let data = try await profile.jamfProAPIData(signingIdentity: nil, site: nil)
+
+        // then
+        let doc = try XMLDocument(data: data)
+        let root = try #require(doc.rootElement())
+        #expect(root.name == "os_x_configuration_profile")
+        let general = try #require(root.elements(forName: "general").first)
+        #expect(general.elements(forName: "payloads").count == 1)
+        #expect(general.elements(forName: "name").first?.stringValue == "Test Name")
+        #expect(general.elements(forName: "description").first?.stringValue == "Test Desc")
+        #expect(general.elements(forName: "site").isEmpty, "No site element when site parameter is nil")
+    }
+
+    @Test("jamfProAPIData XML includes correct site element when site is provided")
+    func jamfProAPIDataXMLStructureWithSite() async throws {
+        let profile = TCCProfileBuilder().buildProfile(allowed: false, authorization: .allow)
+
+        // when
+        let data = try await profile.jamfProAPIData(signingIdentity: nil, site: ("42", "Test Site"))
+
+        // then
+        let doc = try XMLDocument(data: data)
+        let root = try #require(doc.rootElement())
+        #expect(root.name == "os_x_configuration_profile")
+        let general = try #require(root.elements(forName: "general").first)
+        let site = try #require(general.elements(forName: "site").first, "Site element should be present")
+        #expect(site.elements(forName: "id").first?.stringValue == "42")
+        #expect(site.elements(forName: "name").first?.stringValue == "Test Site")
+        #expect(general.elements(forName: "payloads").count == 1)
+        #expect(general.elements(forName: "name").first?.stringValue == "Test Name")
+        #expect(general.elements(forName: "description").first?.stringValue == "Test Desc")
+    }
+
     private func loadTextFile(fileName: String) throws -> String {
         let testBundle = Bundle(for: BundleLocator.self)
         let resourceURL = try #require(testBundle.url(forResource: fileName, withExtension: "txt"))

From 154522975dbd0ed3c7c94460c7ada3bed9914935 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Wed, 8 Apr 2026 10:50:11 -0500
Subject: [PATCH 44/53] updated claude.md

---
 CLAUDE.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index 25b0a7e..afe70f8 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -7,6 +7,7 @@
 
 ## Swift Testing Conventions
 
+- When adding unit tests, do not modify production code just to accommodate a test. If a genuine bug is found, fix it in a separate commit with its own justification.
 - Place `@Test` and `@Suite` annotations on the line **above** the declaration, not inline
 - Use `// when` and `// then` comment blocks; skip `// given` (assumed from context)
 - When XCTest assertions have message strings, preserve them as `#expect` messages, not code comments (e.g. `#expect(x == false, "reason")`)
@@ -21,3 +22,7 @@
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
 - Beyond 3 params: create separate tests with some values hard-coded
 - Use `deinit` as teardown for repeated cleanup across tests in a suite. Use `class` for suites that need `deinit`; use `struct` otherwise.
+
+## Git
+
+- Do not stage or commit changes in terminal sessions

From 7a97fe0f81eefde87d9a49de3214a2dd7b202ed0 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Wed, 8 Apr 2026 11:31:50 -0500
Subject: [PATCH 45/53] added ui testing plan

---
 docs/plans/ui-testing.md | 188 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 188 insertions(+)
 create mode 100644 docs/plans/ui-testing.md

diff --git a/docs/plans/ui-testing.md b/docs/plans/ui-testing.md
new file mode 100644
index 0000000..88c316f
--- /dev/null
+++ b/docs/plans/ui-testing.md
@@ -0,0 +1,188 @@
+# UI Testing — Phased Plan
+
+## Context
+
+PPPC Utility has 98 unit tests at ~45% production code coverage, but zero UI test coverage. The app has four main UI surfaces:
+
+| Surface | Framework | Lines | Role |
+|---------|-----------|-------|------|
+| `TCCProfileViewController` | AppKit (Storyboard) | 447 | Main window — executable table, policy popups, Apple Events table |
+| `SaveViewController` | AppKit (Storyboard) | 171 | Modal sheet — profile name, signing identity, export |
+| `OpenViewController` | AppKit (Storyboard) | 91 | Modal sheet — Apple Event destination picker |
+| `UploadInfoView` | SwiftUI | 365 | Sheet — Jamf Pro connection, payload config, upload |
+
+No UI test target exists yet. This plan adds one incrementally.
+
+### Tools
+
+- **XCUITest** for interaction tests (launch, tap, type, assert element state)
+- **swift-snapshot-testing** (pointfreeco) for automated visual regression via screenshot comparison
+
+### Test data strategy
+
+`NSOpenPanel` and Finder drag-and-drop can't be reliably automated by XCUITest (the panel runs in a separate system process). Two complementary approaches:
+
+1. **Launch argument (`-UITestMode`)** — app checks for the flag at startup and preloads a bundled test profile into `Model.shared`. Most tests use this for a deterministic starting state.
+2. **Programmatic drop simulation** — a test hook calls the table's `performDragOperation` with a pasteboard containing a known app URL (e.g., Books.app). Tests the drop handler logic without automating Finder.
+
+### Network stubbing strategy
+
+Upload/connection tests use **scoped `URLSession` injection**. When the app detects `-UITestStubNetwork`, it creates an ephemeral `URLSession` wired to `MockURLProtocol` and passes it to `UploadManager(session:)`. Only upload-related calls are intercepted; `URLSession.shared` remains untouched.
+
+---
+
+## Quality gates (apply to every phase)
+
+1. All existing unit tests still pass after each phase.
+2. No new compiler warnings.
+3. UI tests pass in a clean `xcodebuild test` run.
+4. Snapshot references checked into the repo under a clearly named directory.
+
+---
+
+## Phase 1 — Infrastructure & App Launch
+
+**Goal:** Create the UI test target, add swift-snapshot-testing, prove the app launches and the main window is testable.
+
+### Work
+
+| Item | Detail |
+|------|--------|
+| Add `PPPC UtilityUITests` target | Xcode UI Testing Bundle targeting `PPPC Utility.app` |
+| Add `swift-snapshot-testing` SPM dependency | Test-only dependency on the UI test target |
+| Add accessibility identifiers to `TCCProfileViewController` | Executables table, Apple Events table, Save button, Upload button, add/remove buttons |
+| Add `-UITestMode` launch argument support | Check flag in `TCCProfileViewController.viewDidLoad`; when set, load a bundled test `.mobileconfig` into `Model.shared` |
+| Add programmatic drop hook | Test-only method that synthesizes a drop operation on the executables table from a file URL |
+| `AppLaunchTests.swift` | Verify app launches, main window exists, executables table visible, key buttons present |
+| `MainWindowSnapshotTests.swift` | Snapshot of empty main window (no executables loaded) as visual baseline |
+
+### Verification
+
+```
+xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -only-testing:"PPPC UtilityUITests"
+```
+
+---
+
+## Phase 2 — Profile Building Interactions
+
+**Goal:** Test the core workflow — executables in the table, policy popup changes, drop handler.
+
+### Accessibility identifiers needed
+
+- Each of the ~20 policy popup buttons (e.g., `Policy.addressBookPopUp`)
+- Executable detail labels (name, identifier, code requirement)
+- Add/remove executable buttons
+
+### New test files
+
+| File | What it tests |
+|------|---------------|
+| `ExecutableManagementTests.swift` | Launch with `-UITestMode` → verify preloaded executable appears in table; select executable → verify detail labels populated; remove executable → verify table row gone |
+| `DropHandlerTests.swift` | Programmatic drop of Books.app URL onto executables table → verify new row appears with correct name/identifier |
+| `PolicySelectionTests.swift` | Select executable → change a policy popup → verify popup value persists after re-selecting the executable; verify initial state is "-" for all popups |
+| `ProfileBuildingSnapshotTests.swift` | Snapshot of main window with one executable added and policies set |
+
+---
+
+## Phase 3 — Profile Import & Save Sheet
+
+**Goal:** Test importing an existing profile and the save sheet flow.
+
+### Accessibility identifiers needed
+
+- `SaveViewController`: payload name field, organization field, signing identity popup, save button
+
+### New test files
+
+| File | What it tests |
+|------|---------------|
+| `ProfileImportTests.swift` | Launch with `-UITestMode` (preloaded profile) → verify executables table populated with expected rows; verify policy values match imported profile |
+| `SaveSheetTests.swift` | Trigger save sheet → verify fields present (payload name, org, signing identity); verify save button disabled when required fields empty; verify save button enabled when fields filled |
+| `SaveSheetSnapshotTests.swift` | Snapshot of save sheet in default state and with fields filled |
+
+### Test data
+
+- Bundle a sample `.mobileconfig` in the UI test target's resources.
+
+---
+
+## Phase 4 — Apple Events
+
+**Goal:** Test Apple Event rule creation using the preloaded destination list.
+
+### Accessibility identifiers needed
+
+- `OpenViewController`: choices table (no browse button testing needed)
+- Apple Events table, add/remove Apple Event buttons
+
+### New test files
+
+| File | What it tests |
+|------|---------------|
+| `AppleEventTests.swift` | Select executable → click Add Apple Event → OpenViewController appears → select destination from preloaded choices table → rule appears in Apple Events table; remove rule → table row gone |
+| `AppleEventSnapshotTests.swift` | Snapshot of Apple Events table with one rule present |
+
+---
+
+## Phase 5 — Upload Sheet (SwiftUI)
+
+**Goal:** Test the UploadInfoView form validation and field interactions. Network calls stubbed via scoped `URLSession` injection.
+
+### Accessibility identifiers needed
+
+- All SwiftUI fields and buttons in `UploadInfoView` (use `.accessibilityIdentifier()` modifier)
+
+### Production change
+
+- Add `-UITestStubNetwork` launch argument check where `UploadManager` is instantiated
+- When set, create an ephemeral `URLSession` wired to `MockURLProtocol` and pass to `UploadManager(session:)`
+
+### New test files
+
+| File | What it tests |
+|------|---------------|
+| `UploadSheetTests.swift` | Open upload sheet → verify all fields present; verify "Check connection" button disabled with empty URL; enter URL + credentials → button enabled; verify auth type picker switches between Basic Auth and Client Credentials fields; verify "Use Site" toggle shows/hides site fields |
+| `UploadSheetSnapshotTests.swift` | Snapshots: empty form, Basic Auth filled, Client Credentials filled, site fields visible |
+
+---
+
+## Phase 6 — Visual Regression Baseline
+
+**Goal:** Capture light-mode snapshots of key screens as a regression baseline.
+
+### New test files
+
+| File | What it tests |
+|------|---------------|
+| `FullWorkflowSnapshotTests.swift` | End-to-end snapshots in default (light) mode: empty state → executable added → policies configured → Apple Event added → save sheet → upload sheet |
+
+---
+
+## Files touched across all phases
+
+```
+PPPC Utility.xcodeproj/project.pbxproj                          (Phase 1 — add UI test target)
+Package.swift or SPM config                                       (Phase 1 — swift-snapshot-testing dep)
+Source/View Controllers/TCCProfileViewController.swift            (Phase 1-4 — accessibility identifiers, test harness)
+Source/View Controllers/SaveViewController.swift                  (Phase 3 — accessibility identifiers)
+Source/View Controllers/OpenViewController.swift                  (Phase 4 — accessibility identifiers)
+Source/SwiftUI/UploadInfoView.swift                               (Phase 5 — accessibility identifiers)
+PPPC UtilityUITests/                                              (Phase 1-6 — all new test files)
+```
+
+---
+
+## CI considerations
+
+- macOS UI tests require a GUI session (not headless). GitHub Actions macOS runners support this.
+- Snapshot tests are sensitive to OS version and screen scale. Pin to a specific macOS version in CI.
+- On first run, snapshot tests generate reference images (test fails). Commit the references, then subsequent runs compare against them.
+
+## What this plan does NOT cover
+
+- Automating `NSOpenPanel` file selection (bypassed via launch argument)
+- Drag-and-drop from Finder (bypassed via programmatic drop simulation)
+- Dark mode visual regression (can be added later if needed)
+- Real keychain / signing identity interactions
+- Real Jamf Pro server upload (network stubbed via scoped injection)

From 519d54f2ecf60f9b725c964569992d6626e37c38 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Wed, 8 Apr 2026 15:00:00 -0500
Subject: [PATCH 46/53] added UI test framework and first test for the main
 window

---
 CLAUDE.md                                     |   8 +
 PPPC Utility.xcodeproj/project.pbxproj        | 133 ++++
 .../xcshareddata/swiftpm/Package.resolved     |   3 +-
 PPPC Utility.xctestplan                       |   8 +
 PPPC UtilityUITests/AppLaunchTests.swift      |  82 +++
 PPPC UtilityUITests/Info.plist                |  22 +
 Resources/Base.lproj/Main.storyboard          |   1 +
 Resources/TestTCCUnsignedProfile.mobileconfig | 575 ++++++++++++++++++
 .../TCCProfileViewController.swift            |  51 ++
 docs/plans/ui-testing.md                      |  40 +-
 10 files changed, 894 insertions(+), 29 deletions(-)
 create mode 100644 PPPC UtilityUITests/AppLaunchTests.swift
 create mode 100644 PPPC UtilityUITests/Info.plist
 create mode 100644 Resources/TestTCCUnsignedProfile.mobileconfig

diff --git a/CLAUDE.md b/CLAUDE.md
index afe70f8..0ab1aee 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -23,6 +23,14 @@
 - Beyond 3 params: create separate tests with some values hard-coded
 - Use `deinit` as teardown for repeated cleanup across tests in a suite. Use `class` for suites that need `deinit`; use `struct` otherwise.
 
+## UI Testing Conventions
+
+- UI tests use XCTest (XCUITest), not Swift Testing — the UI test target uses Swift 5 with minimal concurrency checking
+- Prefer **multiple assertions per test** to minimize app launches. Each test method relaunches the app, which is expensive. Group related checks (e.g., verify all buttons exist in one test) rather than one assertion per test.
+- Do not use `// when` / `// then` comment blocks in UI tests — they add noise without clarity in assertion-heavy tests
+- Use accessibility identifiers set in `setupAccessibilityIdentifiers()` to locate UI elements
+- The `-UITestMode` launch argument triggers test-specific setup (e.g., loading a test profile)
+
 ## Git
 
 - Do not stage or commit changes in terminal sessions
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index d2c1e4c..5e6dda0 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -67,6 +67,8 @@
 		C0EE9A7F2863BDE300738B6B /* JamfProAPITypes.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */; };
 		C0EE9A812863BE2B00738B6B /* NetworkAuthManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */; };
 		D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */; };
+AA000E00000000000000000E /* AppLaunchTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA000B00000000000000000B /* AppLaunchTests.swift */; };
+AA001200000000000000001C /* TestTCCUnsignedProfile.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -77,6 +79,13 @@
 			remoteGlobalIDString = 6EC409D9214D65BC00BE4F17;
 			remoteInfo = "PPPC Utility";
 		};
+AA0006000000000000000006 /* PBXContainerItemProxy */ = {
+isa = PBXContainerItemProxy;
+containerPortal = 6EC409D2214D65BC00BE4F17 /* Project object */;
+proxyType = 1;
+remoteGlobalIDString = 6EC409D9214D65BC00BE4F17;
+remoteInfo = "PPPC Utility";
+};
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
@@ -147,6 +156,10 @@
 		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
 		F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
 		F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility.xctestplan"; sourceTree = "<group>"; };
+AA000B00000000000000000B /* AppLaunchTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppLaunchTests.swift; sourceTree = "<group>"; };
+AA000D00000000000000000D /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
+AA0005000000000000000005 /* PPPC UtilityUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "PPPC UtilityUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
+AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = TestTCCUnsignedProfile.mobileconfig; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -165,6 +178,13 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+AA0003000000000000000003 /* Frameworks */ = {
+isa = PBXFrameworksBuildPhase;
+buildActionMask = 2147483647;
+files = (
+);
+runOnlyForDeploymentPostprocessing = 0;
+};
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
@@ -276,6 +296,7 @@
 				5F95AE1423158EF0002E0A22 /* External */,
 				6EC409F6214D975A00BE4F17 /* Resources */,
 				5F95AE1C2315A6AD002E0A22 /* PPPC UtilityTests */,
+				AA001000000000000000001A /* PPPC UtilityUITests */,
 				6EC409DB214D65BC00BE4F17 /* Products */,
 			);
 			sourceTree = "<group>";
@@ -285,6 +306,7 @@
 			children = (
 				6EC409DA214D65BC00BE4F17 /* PPPC Utility.app */,
 				5F95AE1B2315A6AD002E0A22 /* PPPC UtilityTests.xctest */,
+				AA0005000000000000000005 /* PPPC UtilityUITests.xctest */,
 			);
 			name = Products;
 			sourceTree = "<group>";
@@ -313,6 +335,7 @@
 				6EC409E6214D65BD00BE4F17 /* Info.plist */,
 				C0E0384127A30D1D00A23FA2 /* PPPCServices.json */,
 				6E957309215557870002C30B /* PPPC Utility.entitlements */,
+				AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */,
 			);
 			path = Resources;
 			sourceTree = "<group>";
@@ -378,6 +401,15 @@
 			path = NetworkingTests;
 			sourceTree = "<group>";
 		};
+AA001000000000000000001A /* PPPC UtilityUITests */ = {
+isa = PBXGroup;
+children = (
+AA000B00000000000000000B /* AppLaunchTests.swift */,
+AA000D00000000000000000D /* Info.plist */,
+);
+path = "PPPC UtilityUITests";
+sourceTree = "<group>";
+};
 /* End PBXGroup section */
 
 /* Begin PBXNativeTarget section */
@@ -419,6 +451,24 @@
 			productReference = 6EC409DA214D65BC00BE4F17 /* PPPC Utility.app */;
 			productType = "com.apple.product-type.application";
 		};
+AA0001000000000000000001 /* PPPC UtilityUITests */ = {
+isa = PBXNativeTarget;
+buildConfigurationList = AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */;
+buildPhases = (
+AA0002000000000000000002 /* Sources */,
+AA0003000000000000000003 /* Frameworks */,
+AA0004000000000000000004 /* Resources */,
+);
+buildRules = (
+);
+dependencies = (
+AA0007000000000000000007 /* PBXTargetDependency */,
+);
+name = "PPPC UtilityUITests";
+productName = "PPPC UtilityUITests";
+productReference = AA0005000000000000000005 /* PPPC UtilityUITests.xctest */;
+productType = "com.apple.product-type.bundle.ui-testing";
+};
 /* End PBXNativeTarget section */
 
 /* Begin PBXProject section */
@@ -434,6 +484,10 @@
 						LastSwiftMigration = 1020;
 						TestTargetID = 6EC409D9214D65BC00BE4F17;
 					};
+					AA0001000000000000000001 = {
+						CreatedOnToolsVersion = 16.0;
+						TestTargetID = 6EC409D9214D65BC00BE4F17;
+					};
 					6EC409D9214D65BC00BE4F17 = {
 						CreatedOnToolsVersion = 10.0;
 						LastSwiftMigration = 1100;
@@ -466,6 +520,7 @@
 			targets = (
 				6EC409D9214D65BC00BE4F17 /* PPPC Utility */,
 				5F95AE1A2315A6AD002E0A22 /* PPPC UtilityTests */,
+				AA0001000000000000000001 /* PPPC UtilityUITests */,
 			);
 		};
 /* End PBXProject section */
@@ -494,6 +549,13 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+AA0004000000000000000004 /* Resources */ = {
+isa = PBXResourcesBuildPhase;
+buildActionMask = 2147483647;
+files = (
+);
+runOnlyForDeploymentPostprocessing = 0;
+};
 /* End PBXResourcesBuildPhase section */
 
 /* Begin PBXSourcesBuildPhase section */
@@ -561,6 +623,14 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+AA0002000000000000000002 /* Sources */ = {
+isa = PBXSourcesBuildPhase;
+buildActionMask = 2147483647;
+files = (
+AA000E00000000000000000E /* AppLaunchTests.swift in Sources */,
+);
+runOnlyForDeploymentPostprocessing = 0;
+};
 /* End PBXSourcesBuildPhase section */
 
 /* Begin PBXTargetDependency section */
@@ -569,6 +639,11 @@
 			target = 6EC409D9214D65BC00BE4F17 /* PPPC Utility */;
 			targetProxy = 5F95AE202315A6AD002E0A22 /* PBXContainerItemProxy */;
 		};
+AA0007000000000000000007 /* PBXTargetDependency */ = {
+isa = PBXTargetDependency;
+target = 6EC409D9214D65BC00BE4F17 /* PPPC Utility */;
+targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
+};
 /* End PBXTargetDependency section */
 
 /* Begin PBXVariantGroup section */
@@ -809,6 +884,55 @@
 			};
 			name = Release;
 		};
+AA0009000000000000000009 /* Debug */ = {
+isa = XCBuildConfiguration;
+buildSettings = {
+CODE_SIGN_IDENTITY = "Apple Development";
+"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+CODE_SIGN_STYLE = Manual;
+COMBINE_HIDPI_IMAGES = YES;
+DEVELOPMENT_TEAM = "";
+INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
+LD_RUNPATH_SEARCH_PATHS = (
+"$(inherited)",
+"@executable_path/../Frameworks",
+"@loader_path/../Frameworks",
+);
+PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
+PRODUCT_NAME = "$(TARGET_NAME)";
+PROVISIONING_PROFILE_SPECIFIER = "";
+SWIFT_APPROACHABLE_CONCURRENCY = YES;
+SWIFT_OPTIMIZATION_LEVEL = "-Onone";
+SWIFT_STRICT_CONCURRENCY = minimal;
+SWIFT_VERSION = 5.0;
+TEST_TARGET_NAME = "PPPC Utility";
+};
+name = Debug;
+};
+AA000A00000000000000000A /* Release */ = {
+isa = XCBuildConfiguration;
+buildSettings = {
+CODE_SIGN_IDENTITY = "Apple Development";
+"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+CODE_SIGN_STYLE = Manual;
+COMBINE_HIDPI_IMAGES = YES;
+DEVELOPMENT_TEAM = "";
+INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
+LD_RUNPATH_SEARCH_PATHS = (
+"$(inherited)",
+"@executable_path/../Frameworks",
+"@loader_path/../Frameworks",
+);
+PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
+PRODUCT_NAME = "$(TARGET_NAME)";
+PROVISIONING_PROFILE_SPECIFIER = "";
+SWIFT_APPROACHABLE_CONCURRENCY = YES;
+SWIFT_STRICT_CONCURRENCY = minimal;
+SWIFT_VERSION = 5.0;
+TEST_TARGET_NAME = "PPPC Utility";
+};
+name = Release;
+};
 /* End XCBuildConfiguration section */
 
 /* Begin XCConfigurationList section */
@@ -839,6 +963,15 @@
 			defaultConfigurationIsVisible = 0;
 			defaultConfigurationName = Release;
 		};
+AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */ = {
+isa = XCConfigurationList;
+buildConfigurations = (
+AA0009000000000000000009 /* Debug */,
+AA000A00000000000000000A /* Release */,
+);
+defaultConfigurationIsVisible = 0;
+defaultConfigurationName = Release;
+};
 /* End XCConfigurationList section */
 
 /* Begin XCRemoteSwiftPackageReference section */
diff --git a/PPPC Utility.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/PPPC Utility.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
index 90ca261..08fbe69 100644
--- a/PPPC Utility.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved	
+++ b/PPPC Utility.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved	
@@ -1,4 +1,5 @@
 {
+  "originHash" : "a1bc04ca45476ec303ba87ffcb6060d93e81550701340ec8355671215edfb5d9",
   "pins" : [
     {
       "identity" : "haversack",
@@ -19,5 +20,5 @@
       }
     }
   ],
-  "version" : 2
+  "version" : 3
 }
diff --git a/PPPC Utility.xctestplan b/PPPC Utility.xctestplan
index 277ad83..8a2ae7f 100644
--- a/PPPC Utility.xctestplan	
+++ b/PPPC Utility.xctestplan	
@@ -25,6 +25,14 @@
         "identifier" : "5F95AE1A2315A6AD002E0A22",
         "name" : "PPPC UtilityTests"
       }
+    },
+    {
+      "parallelizable" : false,
+      "target" : {
+        "containerPath" : "container:PPPC Utility.xcodeproj",
+        "identifier" : "AA0001000000000000000001",
+        "name" : "PPPC UtilityUITests"
+      }
     }
   ],
   "version" : 1
diff --git a/PPPC UtilityUITests/AppLaunchTests.swift b/PPPC UtilityUITests/AppLaunchTests.swift
new file mode 100644
index 0000000..6c736e1
--- /dev/null
+++ b/PPPC UtilityUITests/AppLaunchTests.swift	
@@ -0,0 +1,82 @@
+//
+//  AppLaunchTests.swift
+//  PPPC UtilityUITests
+//
+//  MIT License
+//
+//  Copyright (c) 2018 Jamf Software
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in all
+//  copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//  SOFTWARE.
+//
+
+import XCTest
+
+final class AppLaunchTests: XCTestCase {
+
+    private var app: XCUIApplication!
+
+    override func setUpWithError() throws {
+        continueAfterFailure = false
+        app = XCUIApplication()
+        app.launch()
+    }
+
+    override func tearDownWithError() throws {
+        app.terminate()
+        app = nil
+    }
+
+    func testMainWindowAndTables() {
+        let window = app.windows.firstMatch
+        XCTAssertTrue(window.exists, "Main window should exist after launch")
+        XCTAssertTrue(window.isHittable, "Main window should be hittable")
+
+        let executablesTable = app.tables["ExecutablesTable"]
+        XCTAssertTrue(executablesTable.waitForExistence(timeout: 5), "Executables table should exist")
+
+        let appleEventsTable = app.tables["AppleEventsTable"]
+        XCTAssertTrue(appleEventsTable.waitForExistence(timeout: 5), "Apple Events table should exist")
+    }
+
+    func testToolbarButtons() {
+        let saveButton = app.buttons["SaveButton"]
+        XCTAssertTrue(saveButton.waitForExistence(timeout: 5), "Save button should exist")
+        XCTAssertFalse(saveButton.isEnabled, "Save button should be disabled with no executables")
+
+        let uploadButton = app.buttons["UploadButton"]
+        XCTAssertTrue(uploadButton.waitForExistence(timeout: 5), "Upload button should exist")
+        XCTAssertFalse(uploadButton.isEnabled, "Upload button should be disabled with no executables")
+
+        let addExecutableButton = app.buttons["AddExecutableButton"]
+        XCTAssertTrue(addExecutableButton.waitForExistence(timeout: 5), "Add executable button should exist")
+        XCTAssertTrue(addExecutableButton.isEnabled, "Add executable button should always be enabled")
+
+        let removeExecutableButton = app.buttons["RemoveExecutableButton"]
+        XCTAssertTrue(removeExecutableButton.waitForExistence(timeout: 5), "Remove executable button should exist")
+        XCTAssertFalse(removeExecutableButton.isEnabled, "Remove executable button should be disabled with no selection")
+
+        let addAppleEventButton = app.buttons["AddAppleEventButton"]
+        XCTAssertTrue(addAppleEventButton.waitForExistence(timeout: 5), "Add Apple Event button should exist")
+        XCTAssertFalse(addAppleEventButton.isEnabled, "Add Apple Event button should be disabled with no executable selected")
+
+        let removeAppleEventButton = app.buttons["RemoveAppleEventButton"]
+        XCTAssertTrue(removeAppleEventButton.waitForExistence(timeout: 5), "Remove Apple Event button should exist")
+        XCTAssertFalse(removeAppleEventButton.isEnabled, "Remove Apple Event button should be disabled with no selection")
+    }
+}
diff --git a/PPPC UtilityUITests/Info.plist b/PPPC UtilityUITests/Info.plist
new file mode 100644
index 0000000..64d65ca
--- /dev/null
+++ b/PPPC UtilityUITests/Info.plist	
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+</dict>
+</plist>
diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index 5856c46..501e3e0 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -2459,6 +2459,7 @@
                         <outlet property="accessibilityPopUp" destination="SEh-52-ueo" id="zEc-za-cWB"/>
                         <outlet property="accessibilityPopUpAC" destination="2QJ-da-IYc" id="4aT-Yu-8gw"/>
                         <outlet property="addAppleEventButton" destination="RsL-5g-N88" id="1tb-qr-hsR"/>
+                        <outlet property="addExecutableButton" destination="pHR-Fa-o0o" id="UIa-dd-Exe"/>
                         <outlet property="addressBookHelpButton" destination="9ei-Pc-bwm" id="TZh-jR-QVC"/>
                         <outlet property="addressBookPopUp" destination="kIP-RZ-a35" id="6Af-nz-6yD"/>
                         <outlet property="addressBookPopUpAC" destination="XZw-vD-zUR" id="HU8-mW-u4g"/>
diff --git a/Resources/TestTCCUnsignedProfile.mobileconfig b/Resources/TestTCCUnsignedProfile.mobileconfig
new file mode 100644
index 0000000..9092b0c
--- /dev/null
+++ b/Resources/TestTCCUnsignedProfile.mobileconfig
@@ -0,0 +1,575 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDescription</key>
+			<string>Test Unsigned Profile</string>
+			<key>PayloadDisplayName</key>
+			<string>TestUnsignedProfile</string>
+			<key>PayloadIdentifier</key>
+			<string>3A4EDE0C-A189-4372-953F-304ECA0B6489</string>
+			<key>PayloadOrganization</key>
+			<string>Jamf</string>
+			<key>PayloadType</key>
+			<string>com.apple.TCC.configuration-profile-policy</string>
+			<key>PayloadUUID</key>
+			<string>7CAF0BD6-D1DB-486E-9388-CC7F688C51E7</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>Services</key>
+			<dict>
+				<key>Accessibility</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>AddressBook</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>AppleEvents</key>
+				<array>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.finder" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.finder</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.systemuiserver" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.systemuiserver</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.finder" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.finder</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>AEReceiverIdentifier</key>
+						<string>io.brackets.appshell</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Calendar</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Camera</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>FileProviderPresence</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>ListenEvent</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>MediaLibrary</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Microphone</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Photos</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>PostEvent</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Reminders</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>ScreenCapture</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SpeechRecognition</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyAllFiles</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDesktopFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDocumentsFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDownloadsFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyNetworkVolumes</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyRemovableVolumes</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicySysAdminFiles</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+			</dict>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>Test Unsigned Profile</string>
+	<key>PayloadDisplayName</key>
+	<string>TestUnsignedProfile</string>
+	<key>PayloadIdentifier</key>
+	<string>3A4EDE0C-A189-4372-953F-304ECA0B6489</string>
+	<key>PayloadOrganization</key>
+	<string>Jamf</string>
+	<key>PayloadType</key>
+	<string>com.apple.TCC.configuration-profile-policy</string>
+	<key>PayloadUUID</key>
+	<string>3FF5028C-CAA0-4B2F-A7BF-2A3539074424</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+	<key>PayloadScope</key>
+	<string>system</string>
+</dict>
+</plist>
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 4a3c6a8..ee8ec58 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -128,6 +128,7 @@ class TCCProfileViewController: NSViewController {
 
     @IBOutlet weak var saveButton: NSButton!
     @IBOutlet weak var uploadButton: NSButton!
+    @IBOutlet weak var addExecutableButton: NSButton!
     @IBOutlet weak var addAppleEventButton: NSButton!
     @IBOutlet weak var removeAppleEventButton: NSButton!
     @IBOutlet weak var removeExecutableButton: NSButton!
@@ -284,6 +285,9 @@ class TCCProfileViewController: NSViewController {
         executablesTable.dataSource = self
         appleEventsTable.registerForDraggedTypes([.fileURL])
         appleEventsTable.dataSource = self
+
+        setupAccessibilityIdentifiers()
+        loadUITestProfileIfNeeded()
     }
 
     @IBAction func showHelpMessage(_ sender: InfoButton) {
@@ -399,6 +403,53 @@ class TCCProfileViewController: NSViewController {
         }
         return foundRule == nil
     }
+
+    private func setupAccessibilityIdentifiers() {
+        executablesTable.setAccessibilityIdentifier("ExecutablesTable")
+        appleEventsTable.setAccessibilityIdentifier("AppleEventsTable")
+        saveButton.setAccessibilityIdentifier("SaveButton")
+        uploadButton.setAccessibilityIdentifier("UploadButton")
+        addExecutableButton.setAccessibilityIdentifier("AddExecutableButton")
+        addAppleEventButton.setAccessibilityIdentifier("AddAppleEventButton")
+        removeAppleEventButton.setAccessibilityIdentifier("RemoveAppleEventButton")
+        removeExecutableButton.setAccessibilityIdentifier("RemoveExecutableButton")
+    }
+
+    private func loadUITestProfileIfNeeded() {
+        guard ProcessInfo.processInfo.arguments.contains("-UITestMode") else { return }
+        guard let profileURL = Bundle.main.url(forResource: "TestTCCUnsignedProfile", withExtension: "mobileconfig") else {
+            logger.error("UITestMode: Failed to find bundled test profile")
+            return
+        }
+        let importer = TCCProfileImporter()
+        Task {
+            do {
+                let tccProfile = try importer.decodeTCCProfile(data: Data(contentsOf: profileURL))
+                await model.importProfile(tccProfile: tccProfile)
+            } catch {
+                logger.error("UITestMode: Failed to load test profile: \(error.localizedDescription)")
+            }
+        }
+    }
+
+    #if DEBUG
+        /// Simulates a drop of the given file URL onto the executables table.
+        /// Used by UI tests to add executables without automating Finder.
+        func simulateDropOnExecutablesTable(fileURL: URL) -> Bool {
+            do {
+                let executable = try model.loadExecutable(url: fileURL)
+                guard shouldExecutableBeAdded(executable), executablesAC.canInsert else {
+                    return false
+                }
+                let insertIndex = (executablesAC.arrangedObjects as? [Any])?.count ?? 0
+                executablesAC.insert(executable, atArrangedObjectIndex: insertIndex)
+                return true
+            } catch {
+                logger.error("simulateDropOnExecutablesTable failed: \(error)")
+                return false
+            }
+        }
+    #endif
 }
 
 extension TCCProfileViewController: NSTableViewDataSource {
diff --git a/docs/plans/ui-testing.md b/docs/plans/ui-testing.md
index 88c316f..1c7fd09 100644
--- a/docs/plans/ui-testing.md
+++ b/docs/plans/ui-testing.md
@@ -16,7 +16,13 @@ No UI test target exists yet. This plan adds one incrementally.
 ### Tools
 
 - **XCUITest** for interaction tests (launch, tap, type, assert element state)
-- **swift-snapshot-testing** (pointfreeco) for automated visual regression via screenshot comparison
+
+### Conventions
+
+- Prefer **multiple assertions per test** to minimize app launches — each test method relaunches the app, which is expensive
+- Do not use `// when` / `// then` comment blocks in UI tests — they add noise in assertion-heavy tests
+- The UI test target uses **Swift 5 with minimal concurrency checking** (XCTestCase lifecycle methods are nonisolated, incompatible with MainActor default isolation)
+- No `SWIFT_DEFAULT_ACTOR_ISOLATION` on the UI test target
 
 ### Test data strategy
 
@@ -36,25 +42,22 @@ Upload/connection tests use **scoped `URLSession` injection**. When the app dete
 1. All existing unit tests still pass after each phase.
 2. No new compiler warnings.
 3. UI tests pass in a clean `xcodebuild test` run.
-4. Snapshot references checked into the repo under a clearly named directory.
 
 ---
 
-## Phase 1 — Infrastructure & App Launch
+## Phase 1 — Infrastructure & App Launch ✅
 
-**Goal:** Create the UI test target, add swift-snapshot-testing, prove the app launches and the main window is testable.
+**Goal:** Create the UI test target, prove the app launches and the main window is testable.
 
 ### Work
 
 | Item | Detail |
 |------|--------|
 | Add `PPPC UtilityUITests` target | Xcode UI Testing Bundle targeting `PPPC Utility.app` |
-| Add `swift-snapshot-testing` SPM dependency | Test-only dependency on the UI test target |
 | Add accessibility identifiers to `TCCProfileViewController` | Executables table, Apple Events table, Save button, Upload button, add/remove buttons |
 | Add `-UITestMode` launch argument support | Check flag in `TCCProfileViewController.viewDidLoad`; when set, load a bundled test `.mobileconfig` into `Model.shared` |
-| Add programmatic drop hook | Test-only method that synthesizes a drop operation on the executables table from a file URL |
-| `AppLaunchTests.swift` | Verify app launches, main window exists, executables table visible, key buttons present |
-| `MainWindowSnapshotTests.swift` | Snapshot of empty main window (no executables loaded) as visual baseline |
+| Add programmatic drop hook | `#if DEBUG` method that synthesizes a drop operation on the executables table from a file URL |
+| `AppLaunchTests.swift` | Verify app launches, main window exists, tables visible, all key buttons present, and correct buttons disabled at empty startup (Save, Upload, Remove Executable, Add Apple Event, Remove Apple Event should be disabled; Add Executable should be enabled) |
 
 ### Verification
 
@@ -81,7 +84,6 @@ xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destin
 | `ExecutableManagementTests.swift` | Launch with `-UITestMode` → verify preloaded executable appears in table; select executable → verify detail labels populated; remove executable → verify table row gone |
 | `DropHandlerTests.swift` | Programmatic drop of Books.app URL onto executables table → verify new row appears with correct name/identifier |
 | `PolicySelectionTests.swift` | Select executable → change a policy popup → verify popup value persists after re-selecting the executable; verify initial state is "-" for all popups |
-| `ProfileBuildingSnapshotTests.swift` | Snapshot of main window with one executable added and policies set |
 
 ---
 
@@ -99,7 +101,6 @@ xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destin
 |------|---------------|
 | `ProfileImportTests.swift` | Launch with `-UITestMode` (preloaded profile) → verify executables table populated with expected rows; verify policy values match imported profile |
 | `SaveSheetTests.swift` | Trigger save sheet → verify fields present (payload name, org, signing identity); verify save button disabled when required fields empty; verify save button enabled when fields filled |
-| `SaveSheetSnapshotTests.swift` | Snapshot of save sheet in default state and with fields filled |
 
 ### Test data
 
@@ -121,7 +122,6 @@ xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destin
 | File | What it tests |
 |------|---------------|
 | `AppleEventTests.swift` | Select executable → click Add Apple Event → OpenViewController appears → select destination from preloaded choices table → rule appears in Apple Events table; remove rule → table row gone |
-| `AppleEventSnapshotTests.swift` | Snapshot of Apple Events table with one rule present |
 
 ---
 
@@ -143,19 +143,6 @@ xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destin
 | File | What it tests |
 |------|---------------|
 | `UploadSheetTests.swift` | Open upload sheet → verify all fields present; verify "Check connection" button disabled with empty URL; enter URL + credentials → button enabled; verify auth type picker switches between Basic Auth and Client Credentials fields; verify "Use Site" toggle shows/hides site fields |
-| `UploadSheetSnapshotTests.swift` | Snapshots: empty form, Basic Auth filled, Client Credentials filled, site fields visible |
-
----
-
-## Phase 6 — Visual Regression Baseline
-
-**Goal:** Capture light-mode snapshots of key screens as a regression baseline.
-
-### New test files
-
-| File | What it tests |
-|------|---------------|
-| `FullWorkflowSnapshotTests.swift` | End-to-end snapshots in default (light) mode: empty state → executable added → policies configured → Apple Event added → save sheet → upload sheet |
 
 ---
 
@@ -163,12 +150,11 @@ xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destin
 
 ```
 PPPC Utility.xcodeproj/project.pbxproj                          (Phase 1 — add UI test target)
-Package.swift or SPM config                                       (Phase 1 — swift-snapshot-testing dep)
 Source/View Controllers/TCCProfileViewController.swift            (Phase 1-4 — accessibility identifiers, test harness)
 Source/View Controllers/SaveViewController.swift                  (Phase 3 — accessibility identifiers)
 Source/View Controllers/OpenViewController.swift                  (Phase 4 — accessibility identifiers)
 Source/SwiftUI/UploadInfoView.swift                               (Phase 5 — accessibility identifiers)
-PPPC UtilityUITests/                                              (Phase 1-6 — all new test files)
+PPPC UtilityUITests/                                              (Phase 1-5 — all new test files)
 ```
 
 ---
@@ -176,8 +162,6 @@ PPPC UtilityUITests/                                              (Phase 1-6 —
 ## CI considerations
 
 - macOS UI tests require a GUI session (not headless). GitHub Actions macOS runners support this.
-- Snapshot tests are sensitive to OS version and screen scale. Pin to a specific macOS version in CI.
-- On first run, snapshot tests generate reference images (test fails). Commit the references, then subsequent runs compare against them.
 
 ## What this plan does NOT cover
 

From 794c7c21a75bb7737331ef39a9a23d34f2a49747 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Wed, 8 Apr 2026 15:20:41 -0500
Subject: [PATCH 47/53] split the UI tests from the unit test

---
 .github/workflows/tests.yml                   | 18 ++++-
 PPPC Utility UI Tests.xctestplan              | 29 +++++++
 PPPC Utility.xcodeproj/project.pbxproj        |  2 +
 .../xcschemes/PPPC Utility UI Tests.xcscheme  | 78 +++++++++++++++++++
 PPPC Utility.xctestplan                       |  8 --
 5 files changed, 125 insertions(+), 10 deletions(-)
 create mode 100644 PPPC Utility UI Tests.xctestplan
 create mode 100644 PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility UI Tests.xcscheme

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f2aa4f7..c334034 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,4 +1,4 @@
-name: Unit Tests
+name: Tests
 
 on:
   pull_request:
@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 jobs:
-  test:
+  unit-tests:
     runs-on: macos-26
     steps:
       - uses: actions/checkout@v4
@@ -23,3 +23,17 @@ jobs:
             -destination "platform=macOS" \
             CODE_SIGN_IDENTITY="-" \
             CODE_SIGNING_REQUIRED=NO
+
+  ui-tests:
+    runs-on: macos-26
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run UI tests
+        run: |
+          xcodebuild test \
+            -project "PPPC Utility.xcodeproj" \
+            -scheme "PPPC Utility UI Tests" \
+            -destination "platform=macOS" \
+            CODE_SIGN_IDENTITY="-" \
+            CODE_SIGNING_REQUIRED=NO
diff --git a/PPPC Utility UI Tests.xctestplan b/PPPC Utility UI Tests.xctestplan
new file mode 100644
index 0000000..4e9a536
--- /dev/null
+++ b/PPPC Utility UI Tests.xctestplan	
@@ -0,0 +1,29 @@
+{
+  "configurations" : [
+    {
+      "id" : "C4300CCF-D433-4368-B895-3721F691DA4D",
+      "name" : "Test Scheme Action",
+      "options" : {
+
+      }
+    }
+  ],
+  "defaultOptions" : {
+    "codeCoverage" : true,
+    "targetForVariableExpansion" : {
+      "containerPath" : "container:PPPC Utility.xcodeproj",
+      "identifier" : "6EC409D9214D65BC00BE4F17",
+      "name" : "PPPC Utility"
+    }
+  },
+  "testTargets" : [
+    {
+      "target" : {
+        "containerPath" : "container:PPPC Utility.xcodeproj",
+        "identifier" : "AA0001000000000000000001",
+        "name" : "PPPC UtilityUITests"
+      }
+    }
+  ],
+  "version" : 1
+}
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 5e6dda0..8977ad5 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -156,6 +156,7 @@ remoteInfo = "PPPC Utility";
 		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
 		F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
 		F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility.xctestplan"; sourceTree = "<group>"; };
+		AA002100000000000000002B /* PPPC Utility UI Tests.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility UI Tests.xctestplan"; sourceTree = "<group>"; };
 AA000B00000000000000000B /* AppLaunchTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppLaunchTests.swift; sourceTree = "<group>"; };
 AA000D00000000000000000D /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 AA0005000000000000000005 /* PPPC UtilityUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "PPPC UtilityUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -289,6 +290,7 @@ runOnlyForDeploymentPostprocessing = 0;
 			isa = PBXGroup;
 			children = (
 				F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */,
+				AA002100000000000000002B /* PPPC Utility UI Tests.xctestplan */,
 				6E95730721553B650002C30B /* LICENSE */,
 				97227C6726248CD7000F26C1 /* CHANGELOG.md */,
 				6E5D5A1521541B8F00B43312 /* README.md */,
diff --git a/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility UI Tests.xcscheme b/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility UI Tests.xcscheme
new file mode 100644
index 0000000..3770336
--- /dev/null
+++ b/PPPC Utility.xcodeproj/xcshareddata/xcschemes/PPPC Utility UI Tests.xcscheme	
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "2640"
+   version = "1.7">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "NO"
+            buildForArchiving = "NO"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "6EC409D9214D65BC00BE4F17"
+               BuildableName = "PPPC Utility.app"
+               BlueprintName = "PPPC Utility"
+               ReferencedContainer = "container:PPPC Utility.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <TestPlans>
+         <TestPlanReference
+            reference = "container:PPPC Utility UI Tests.xctestplan"
+            default = "YES">
+         </TestPlanReference>
+      </TestPlans>
+      <Testables>
+         <TestableReference
+            skipped = "NO">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "AA0001000000000000000001"
+               BuildableName = "PPPC UtilityUITests.xctest"
+               BlueprintName = "PPPC UtilityUITests"
+               ReferencedContainer = "container:PPPC Utility.xcodeproj">
+            </BuildableReference>
+         </TestableReference>
+      </Testables>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "6EC409D9214D65BC00BE4F17"
+            BuildableName = "PPPC Utility.app"
+            BlueprintName = "PPPC Utility"
+            ReferencedContainer = "container:PPPC Utility.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+   </LaunchAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>
diff --git a/PPPC Utility.xctestplan b/PPPC Utility.xctestplan
index 8a2ae7f..277ad83 100644
--- a/PPPC Utility.xctestplan	
+++ b/PPPC Utility.xctestplan	
@@ -25,14 +25,6 @@
         "identifier" : "5F95AE1A2315A6AD002E0A22",
         "name" : "PPPC UtilityTests"
       }
-    },
-    {
-      "parallelizable" : false,
-      "target" : {
-        "containerPath" : "container:PPPC Utility.xcodeproj",
-        "identifier" : "AA0001000000000000000001",
-        "name" : "PPPC UtilityUITests"
-      }
     }
   ],
   "version" : 1

From 6bda5c40df5c6ac3f113becbb56f6ee30398752f Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 9 Apr 2026 10:33:45 -0500
Subject: [PATCH 48/53] fixed the project file ref

---
 PPPC Utility.xcodeproj/project.pbxproj | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 8977ad5..ce1dfa7 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -548,6 +548,7 @@ productType = "com.apple.product-type.bundle.ui-testing";
 				6EC409E2214D65BD00BE4F17 /* Assets.xcassets in Resources */,
 				C0E0384227A30D1D00A23FA2 /* PPPCServices.json in Resources */,
 				6EC409E5214D65BD00BE4F17 /* Main.storyboard in Resources */,
+				AA001200000000000000001C /* TestTCCUnsignedProfile.mobileconfig in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

From 526db9df56fbb5c65fb7ac21788bc65d1d267996 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 9 Apr 2026 11:34:46 -0500
Subject: [PATCH 49/53] trying out speckit on a feature

---
 .claude/skills/speckit-analyze/SKILL.md       | 258 ++++++
 .claude/skills/speckit-checklist/SKILL.md     | 370 ++++++++
 .claude/skills/speckit-clarify/SKILL.md       | 252 ++++++
 .claude/skills/speckit-constitution/SKILL.md  | 155 ++++
 .claude/skills/speckit-git-commit/SKILL.md    |  55 ++
 .claude/skills/speckit-git-feature/SKILL.md   |  74 ++
 .../skills/speckit-git-initialize/SKILL.md    |  56 ++
 .claude/skills/speckit-git-remote/SKILL.md    |  52 ++
 .claude/skills/speckit-git-validate/SKILL.md  |  56 ++
 .claude/skills/speckit-implement/SKILL.md     | 207 +++++
 .claude/skills/speckit-plan/SKILL.md          | 154 ++++
 .claude/skills/speckit-specify/SKILL.md       | 328 +++++++
 .claude/skills/speckit-tasks/SKILL.md         | 200 ++++
 .claude/skills/speckit-taskstoissues/SKILL.md | 104 +++
 .specify/extensions.yml                       | 148 +++
 .specify/extensions/.registry                 |  23 +
 .specify/extensions/git/README.md             | 100 ++
 .../git/commands/speckit.git.commit.md        |  48 +
 .../git/commands/speckit.git.feature.md       |  67 ++
 .../git/commands/speckit.git.initialize.md    |  49 +
 .../git/commands/speckit.git.remote.md        |  45 +
 .../git/commands/speckit.git.validate.md      |  49 +
 .specify/extensions/git/config-template.yml   |  62 ++
 .specify/extensions/git/extension.yml         | 140 +++
 .specify/extensions/git/git-config.yml        |  62 ++
 .../git/scripts/bash/auto-commit.sh           | 140 +++
 .../git/scripts/bash/create-new-feature.sh    | 453 ++++++++++
 .../extensions/git/scripts/bash/git-common.sh |  41 +
 .../git/scripts/bash/initialize-repo.sh       |  54 ++
 .../git/scripts/powershell/auto-commit.ps1    | 149 +++
 .../scripts/powershell/create-new-feature.ps1 | 403 +++++++++
 .../git/scripts/powershell/git-common.ps1     |  50 +
 .../scripts/powershell/initialize-repo.ps1    |  69 ++
 .specify/feature.json                         |   3 +
 .specify/init-options.json                    |  10 +
 .specify/integration.json                     |   7 +
 .specify/integrations/claude.manifest.json    |  18 +
 .../claude/scripts/update-context.ps1         |  23 +
 .../claude/scripts/update-context.sh          |  28 +
 .specify/integrations/speckit.manifest.json   |  18 +
 .specify/memory/constitution.md               |  89 ++
 .specify/scripts/bash/check-prerequisites.sh  | 190 ++++
 .specify/scripts/bash/common.sh               | 362 ++++++++
 .specify/scripts/bash/create-new-feature.sh   | 413 +++++++++
 .specify/scripts/bash/setup-plan.sh           |  73 ++
 .specify/scripts/bash/update-agent-context.sh | 854 ++++++++++++++++++
 .specify/templates/agent-file-template.md     |  28 +
 .specify/templates/checklist-template.md      |  40 +
 .specify/templates/constitution-template.md   |  50 +
 .specify/templates/plan-template.md           | 104 +++
 .specify/templates/spec-template.md           | 128 +++
 .specify/templates/tasks-template.md          | 251 +++++
 PPPC Utility.xcodeproj/project.pbxproj        | 272 +++---
 .../checklists/requirements.md                |  34 +
 specs/001-fix-deprecations/plan.md            |  70 ++
 specs/001-fix-deprecations/quickstart.md      |  49 +
 specs/001-fix-deprecations/research.md        | 115 +++
 specs/001-fix-deprecations/spec.md            | 114 +++
 specs/001-fix-deprecations/tasks.md           | 147 +++
 59 files changed, 7829 insertions(+), 134 deletions(-)
 create mode 100644 .claude/skills/speckit-analyze/SKILL.md
 create mode 100644 .claude/skills/speckit-checklist/SKILL.md
 create mode 100644 .claude/skills/speckit-clarify/SKILL.md
 create mode 100644 .claude/skills/speckit-constitution/SKILL.md
 create mode 100644 .claude/skills/speckit-git-commit/SKILL.md
 create mode 100644 .claude/skills/speckit-git-feature/SKILL.md
 create mode 100644 .claude/skills/speckit-git-initialize/SKILL.md
 create mode 100644 .claude/skills/speckit-git-remote/SKILL.md
 create mode 100644 .claude/skills/speckit-git-validate/SKILL.md
 create mode 100644 .claude/skills/speckit-implement/SKILL.md
 create mode 100644 .claude/skills/speckit-plan/SKILL.md
 create mode 100644 .claude/skills/speckit-specify/SKILL.md
 create mode 100644 .claude/skills/speckit-tasks/SKILL.md
 create mode 100644 .claude/skills/speckit-taskstoissues/SKILL.md
 create mode 100644 .specify/extensions.yml
 create mode 100644 .specify/extensions/.registry
 create mode 100644 .specify/extensions/git/README.md
 create mode 100644 .specify/extensions/git/commands/speckit.git.commit.md
 create mode 100644 .specify/extensions/git/commands/speckit.git.feature.md
 create mode 100644 .specify/extensions/git/commands/speckit.git.initialize.md
 create mode 100644 .specify/extensions/git/commands/speckit.git.remote.md
 create mode 100644 .specify/extensions/git/commands/speckit.git.validate.md
 create mode 100644 .specify/extensions/git/config-template.yml
 create mode 100644 .specify/extensions/git/extension.yml
 create mode 100644 .specify/extensions/git/git-config.yml
 create mode 100755 .specify/extensions/git/scripts/bash/auto-commit.sh
 create mode 100755 .specify/extensions/git/scripts/bash/create-new-feature.sh
 create mode 100755 .specify/extensions/git/scripts/bash/git-common.sh
 create mode 100755 .specify/extensions/git/scripts/bash/initialize-repo.sh
 create mode 100644 .specify/extensions/git/scripts/powershell/auto-commit.ps1
 create mode 100644 .specify/extensions/git/scripts/powershell/create-new-feature.ps1
 create mode 100644 .specify/extensions/git/scripts/powershell/git-common.ps1
 create mode 100644 .specify/extensions/git/scripts/powershell/initialize-repo.ps1
 create mode 100644 .specify/feature.json
 create mode 100644 .specify/init-options.json
 create mode 100644 .specify/integration.json
 create mode 100644 .specify/integrations/claude.manifest.json
 create mode 100644 .specify/integrations/claude/scripts/update-context.ps1
 create mode 100755 .specify/integrations/claude/scripts/update-context.sh
 create mode 100644 .specify/integrations/speckit.manifest.json
 create mode 100644 .specify/memory/constitution.md
 create mode 100755 .specify/scripts/bash/check-prerequisites.sh
 create mode 100755 .specify/scripts/bash/common.sh
 create mode 100755 .specify/scripts/bash/create-new-feature.sh
 create mode 100755 .specify/scripts/bash/setup-plan.sh
 create mode 100755 .specify/scripts/bash/update-agent-context.sh
 create mode 100644 .specify/templates/agent-file-template.md
 create mode 100644 .specify/templates/checklist-template.md
 create mode 100644 .specify/templates/constitution-template.md
 create mode 100644 .specify/templates/plan-template.md
 create mode 100644 .specify/templates/spec-template.md
 create mode 100644 .specify/templates/tasks-template.md
 create mode 100644 specs/001-fix-deprecations/checklists/requirements.md
 create mode 100644 specs/001-fix-deprecations/plan.md
 create mode 100644 specs/001-fix-deprecations/quickstart.md
 create mode 100644 specs/001-fix-deprecations/research.md
 create mode 100644 specs/001-fix-deprecations/spec.md
 create mode 100644 specs/001-fix-deprecations/tasks.md

diff --git a/.claude/skills/speckit-analyze/SKILL.md b/.claude/skills/speckit-analyze/SKILL.md
new file mode 100644
index 0000000..96790a7
--- /dev/null
+++ b/.claude/skills/speckit-analyze/SKILL.md
@@ -0,0 +1,258 @@
+---
+name: "speckit-analyze"
+description: "Perform a non-destructive cross-artifact consistency and quality analysis across spec.md, plan.md, and tasks.md after task generation."
+argument-hint: "Optional focus areas for analysis"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/analyze.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before analysis)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_analyze` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Goal.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Goal
+
+Identify inconsistencies, duplications, ambiguities, and underspecified items across the three core artifacts (`spec.md`, `plan.md`, `tasks.md`) before implementation. This command MUST run only after `/speckit.tasks` has successfully produced a complete `tasks.md`.
+
+## Operating Constraints
+
+**STRICTLY READ-ONLY**: Do **not** modify any files. Output a structured analysis report. Offer an optional remediation plan (user must explicitly approve before any follow-up editing commands would be invoked manually).
+
+**Constitution Authority**: The project constitution (`.specify/memory/constitution.md`) is **non-negotiable** within this analysis scope. Constitution conflicts are automatically CRITICAL and require adjustment of the spec, plan, or tasks—not dilution, reinterpretation, or silent ignoring of the principle. If a principle itself needs to change, that must occur in a separate, explicit constitution update outside `/speckit.analyze`.
+
+## Execution Steps
+
+### 1. Initialize Analysis Context
+
+Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` once from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS. Derive absolute paths:
+
+- SPEC = FEATURE_DIR/spec.md
+- PLAN = FEATURE_DIR/plan.md
+- TASKS = FEATURE_DIR/tasks.md
+
+Abort with an error message if any required file is missing (instruct the user to run missing prerequisite command).
+For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+### 2. Load Artifacts (Progressive Disclosure)
+
+Load only the minimal necessary context from each artifact:
+
+**From spec.md:**
+
+- Overview/Context
+- Functional Requirements
+- Success Criteria (measurable outcomes — e.g., performance, security, availability, user success, business impact)
+- User Stories
+- Edge Cases (if present)
+
+**From plan.md:**
+
+- Architecture/stack choices
+- Data Model references
+- Phases
+- Technical constraints
+
+**From tasks.md:**
+
+- Task IDs
+- Descriptions
+- Phase grouping
+- Parallel markers [P]
+- Referenced file paths
+
+**From constitution:**
+
+- Load `.specify/memory/constitution.md` for principle validation
+
+### 3. Build Semantic Models
+
+Create internal representations (do not include raw artifacts in output):
+
+- **Requirements inventory**: For each Functional Requirement (FR-###) and Success Criterion (SC-###), record a stable key. Use the explicit FR-/SC- identifier as the primary key when present, and optionally also derive an imperative-phrase slug for readability (e.g., "User can upload file" → `user-can-upload-file`). Include only Success Criteria items that require buildable work (e.g., load-testing infrastructure, security audit tooling), and exclude post-launch outcome metrics and business KPIs (e.g., "Reduce support tickets by 50%").
+- **User story/action inventory**: Discrete user actions with acceptance criteria
+- **Task coverage mapping**: Map each task to one or more requirements or stories (inference by keyword / explicit reference patterns like IDs or key phrases)
+- **Constitution rule set**: Extract principle names and MUST/SHOULD normative statements
+
+### 4. Detection Passes (Token-Efficient Analysis)
+
+Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary.
+
+#### A. Duplication Detection
+
+- Identify near-duplicate requirements
+- Mark lower-quality phrasing for consolidation
+
+#### B. Ambiguity Detection
+
+- Flag vague adjectives (fast, scalable, secure, intuitive, robust) lacking measurable criteria
+- Flag unresolved placeholders (TODO, TKTK, ???, `<placeholder>`, etc.)
+
+#### C. Underspecification
+
+- Requirements with verbs but missing object or measurable outcome
+- User stories missing acceptance criteria alignment
+- Tasks referencing files or components not defined in spec/plan
+
+#### D. Constitution Alignment
+
+- Any requirement or plan element conflicting with a MUST principle
+- Missing mandated sections or quality gates from constitution
+
+#### E. Coverage Gaps
+
+- Requirements with zero associated tasks
+- Tasks with no mapped requirement/story
+- Success Criteria requiring buildable work (performance, security, availability) not reflected in tasks
+
+#### F. Inconsistency
+
+- Terminology drift (same concept named differently across files)
+- Data entities referenced in plan but absent in spec (or vice versa)
+- Task ordering contradictions (e.g., integration tasks before foundational setup tasks without dependency note)
+- Conflicting requirements (e.g., one requires Next.js while other specifies Vue)
+
+### 5. Severity Assignment
+
+Use this heuristic to prioritize findings:
+
+- **CRITICAL**: Violates constitution MUST, missing core spec artifact, or requirement with zero coverage that blocks baseline functionality
+- **HIGH**: Duplicate or conflicting requirement, ambiguous security/performance attribute, untestable acceptance criterion
+- **MEDIUM**: Terminology drift, missing non-functional task coverage, underspecified edge case
+- **LOW**: Style/wording improvements, minor redundancy not affecting execution order
+
+### 6. Produce Compact Analysis Report
+
+Output a Markdown report (no file writes) with the following structure:
+
+## Specification Analysis Report
+
+| ID | Category | Severity | Location(s) | Summary | Recommendation |
+|----|----------|----------|-------------|---------|----------------|
+| A1 | Duplication | HIGH | spec.md:L120-134 | Two similar requirements ... | Merge phrasing; keep clearer version |
+
+(Add one row per finding; generate stable IDs prefixed by category initial.)
+
+**Coverage Summary Table:**
+
+| Requirement Key | Has Task? | Task IDs | Notes |
+|-----------------|-----------|----------|-------|
+
+**Constitution Alignment Issues:** (if any)
+
+**Unmapped Tasks:** (if any)
+
+**Metrics:**
+
+- Total Requirements
+- Total Tasks
+- Coverage % (requirements with >=1 task)
+- Ambiguity Count
+- Duplication Count
+- Critical Issues Count
+
+### 7. Provide Next Actions
+
+At end of report, output a concise Next Actions block:
+
+- If CRITICAL issues exist: Recommend resolving before `/speckit.implement`
+- If only LOW/MEDIUM: User may proceed, but provide improvement suggestions
+- Provide explicit command suggestions: e.g., "Run /speckit.specify with refinement", "Run /speckit.plan to adjust architecture", "Manually edit tasks.md to add coverage for 'performance-metrics'"
+
+### 8. Offer Remediation
+
+Ask the user: "Would you like me to suggest concrete remediation edits for the top N issues?" (Do NOT apply them automatically.)
+
+### 9. Check for extension hooks
+
+After reporting, check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.after_analyze` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Operating Principles
+
+### Context Efficiency
+
+- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation
+- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis
+- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow
+- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts
+
+### Analysis Guidelines
+
+- **NEVER modify files** (this is read-only analysis)
+- **NEVER hallucinate missing sections** (if absent, report them accurately)
+- **Prioritize constitution violations** (these are always CRITICAL)
+- **Use examples over exhaustive rules** (cite specific instances, not generic patterns)
+- **Report zero issues gracefully** (emit success report with coverage statistics)
+
+## Context
+
+$ARGUMENTS
diff --git a/.claude/skills/speckit-checklist/SKILL.md b/.claude/skills/speckit-checklist/SKILL.md
new file mode 100644
index 0000000..5c4d913
--- /dev/null
+++ b/.claude/skills/speckit-checklist/SKILL.md
@@ -0,0 +1,370 @@
+---
+name: "speckit-checklist"
+description: "Generate a custom checklist for the current feature based on user requirements."
+argument-hint: "Domain or focus area for the checklist"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/checklist.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## Checklist Purpose: "Unit Tests for English"
+
+**CRITICAL CONCEPT**: Checklists are **UNIT TESTS FOR REQUIREMENTS WRITING** - they validate the quality, clarity, and completeness of requirements in a given domain.
+
+**NOT for verification/testing**:
+
+- ❌ NOT "Verify the button clicks correctly"
+- ❌ NOT "Test error handling works"
+- ❌ NOT "Confirm the API returns 200"
+- ❌ NOT checking if code/implementation matches the spec
+
+**FOR requirements quality validation**:
+
+- ✅ "Are visual hierarchy requirements defined for all card types?" (completeness)
+- ✅ "Is 'prominent display' quantified with specific sizing/positioning?" (clarity)
+- ✅ "Are hover state requirements consistent across all interactive elements?" (consistency)
+- ✅ "Are accessibility requirements defined for keyboard navigation?" (coverage)
+- ✅ "Does the spec define what happens when logo image fails to load?" (edge cases)
+
+**Metaphor**: If your spec is code written in English, the checklist is its unit test suite. You're testing whether the requirements are well-written, complete, unambiguous, and ready for implementation - NOT whether the implementation works.
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before checklist generation)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_checklist` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Execution Steps.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Execution Steps
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS list.
+   - All file paths must be absolute.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Clarify intent (dynamic)**: Derive up to THREE initial contextual clarifying questions (no pre-baked catalog). They MUST:
+   - Be generated from the user's phrasing + extracted signals from spec/plan/tasks
+   - Only ask about information that materially changes checklist content
+   - Be skipped individually if already unambiguous in `$ARGUMENTS`
+   - Prefer precision over breadth
+
+   Generation algorithm:
+   1. Extract signals: feature domain keywords (e.g., auth, latency, UX, API), risk indicators ("critical", "must", "compliance"), stakeholder hints ("QA", "review", "security team"), and explicit deliverables ("a11y", "rollback", "contracts").
+   2. Cluster signals into candidate focus areas (max 4) ranked by relevance.
+   3. Identify probable audience & timing (author, reviewer, QA, release) if not explicit.
+   4. Detect missing dimensions: scope breadth, depth/rigor, risk emphasis, exclusion boundaries, measurable acceptance criteria.
+   5. Formulate questions chosen from these archetypes:
+      - Scope refinement (e.g., "Should this include integration touchpoints with X and Y or stay limited to local module correctness?")
+      - Risk prioritization (e.g., "Which of these potential risk areas should receive mandatory gating checks?")
+      - Depth calibration (e.g., "Is this a lightweight pre-commit sanity list or a formal release gate?")
+      - Audience framing (e.g., "Will this be used by the author only or peers during PR review?")
+      - Boundary exclusion (e.g., "Should we explicitly exclude performance tuning items this round?")
+      - Scenario class gap (e.g., "No recovery flows detected—are rollback / partial failure paths in scope?")
+
+   Question formatting rules:
+   - If presenting options, generate a compact table with columns: Option | Candidate | Why It Matters
+   - Limit to A–E options maximum; omit table if a free-form answer is clearer
+   - Never ask the user to restate what they already said
+   - Avoid speculative categories (no hallucination). If uncertain, ask explicitly: "Confirm whether X belongs in scope."
+
+   Defaults when interaction impossible:
+   - Depth: Standard
+   - Audience: Reviewer (PR) if code-related; Author otherwise
+   - Focus: Top 2 relevance clusters
+
+   Output the questions (label Q1/Q2/Q3). After answers: if ≥2 scenario classes (Alternate / Exception / Recovery / Non-Functional domain) remain unclear, you MAY ask up to TWO more targeted follow‑ups (Q4/Q5) with a one-line justification each (e.g., "Unresolved recovery path risk"). Do not exceed five total questions. Skip escalation if user explicitly declines more.
+
+3. **Understand user request**: Combine `$ARGUMENTS` + clarifying answers:
+   - Derive checklist theme (e.g., security, review, deploy, ux)
+   - Consolidate explicit must-have items mentioned by user
+   - Map focus selections to category scaffolding
+   - Infer any missing context from spec/plan/tasks (do NOT hallucinate)
+
+4. **Load feature context**: Read from FEATURE_DIR:
+   - spec.md: Feature requirements and scope
+   - plan.md (if exists): Technical details, dependencies
+   - tasks.md (if exists): Implementation tasks
+
+   **Context Loading Strategy**:
+   - Load only necessary portions relevant to active focus areas (avoid full-file dumping)
+   - Prefer summarizing long sections into concise scenario/requirement bullets
+   - Use progressive disclosure: add follow-on retrieval only if gaps detected
+   - If source docs are large, generate interim summary items instead of embedding raw text
+
+5. **Generate checklist** - Create "Unit Tests for Requirements":
+   - Create `FEATURE_DIR/checklists/` directory if it doesn't exist
+   - Generate unique checklist filename:
+     - Use short, descriptive name based on domain (e.g., `ux.md`, `api.md`, `security.md`)
+     - Format: `[domain].md`
+   - File handling behavior:
+     - If file does NOT exist: Create new file and number items starting from CHK001
+     - If file exists: Append new items to existing file, continuing from the last CHK ID (e.g., if last item is CHK015, start new items at CHK016)
+   - Never delete or replace existing checklist content - always preserve and append
+
+   **CORE PRINCIPLE - Test the Requirements, Not the Implementation**:
+   Every checklist item MUST evaluate the REQUIREMENTS THEMSELVES for:
+   - **Completeness**: Are all necessary requirements present?
+   - **Clarity**: Are requirements unambiguous and specific?
+   - **Consistency**: Do requirements align with each other?
+   - **Measurability**: Can requirements be objectively verified?
+   - **Coverage**: Are all scenarios/edge cases addressed?
+
+   **Category Structure** - Group items by requirement quality dimensions:
+   - **Requirement Completeness** (Are all necessary requirements documented?)
+   - **Requirement Clarity** (Are requirements specific and unambiguous?)
+   - **Requirement Consistency** (Do requirements align without conflicts?)
+   - **Acceptance Criteria Quality** (Are success criteria measurable?)
+   - **Scenario Coverage** (Are all flows/cases addressed?)
+   - **Edge Case Coverage** (Are boundary conditions defined?)
+   - **Non-Functional Requirements** (Performance, Security, Accessibility, etc. - are they specified?)
+   - **Dependencies & Assumptions** (Are they documented and validated?)
+   - **Ambiguities & Conflicts** (What needs clarification?)
+
+   **HOW TO WRITE CHECKLIST ITEMS - "Unit Tests for English"**:
+
+   ❌ **WRONG** (Testing implementation):
+   - "Verify landing page displays 3 episode cards"
+   - "Test hover states work on desktop"
+   - "Confirm logo click navigates home"
+
+   ✅ **CORRECT** (Testing requirements quality):
+   - "Are the exact number and layout of featured episodes specified?" [Completeness]
+   - "Is 'prominent display' quantified with specific sizing/positioning?" [Clarity]
+   - "Are hover state requirements consistent across all interactive elements?" [Consistency]
+   - "Are keyboard navigation requirements defined for all interactive UI?" [Coverage]
+   - "Is the fallback behavior specified when logo image fails to load?" [Edge Cases]
+   - "Are loading states defined for asynchronous episode data?" [Completeness]
+   - "Does the spec define visual hierarchy for competing UI elements?" [Clarity]
+
+   **ITEM STRUCTURE**:
+   Each item should follow this pattern:
+   - Question format asking about requirement quality
+   - Focus on what's WRITTEN (or not written) in the spec/plan
+   - Include quality dimension in brackets [Completeness/Clarity/Consistency/etc.]
+   - Reference spec section `[Spec §X.Y]` when checking existing requirements
+   - Use `[Gap]` marker when checking for missing requirements
+
+   **EXAMPLES BY QUALITY DIMENSION**:
+
+   Completeness:
+   - "Are error handling requirements defined for all API failure modes? [Gap]"
+   - "Are accessibility requirements specified for all interactive elements? [Completeness]"
+   - "Are mobile breakpoint requirements defined for responsive layouts? [Gap]"
+
+   Clarity:
+   - "Is 'fast loading' quantified with specific timing thresholds? [Clarity, Spec §NFR-2]"
+   - "Are 'related episodes' selection criteria explicitly defined? [Clarity, Spec §FR-5]"
+   - "Is 'prominent' defined with measurable visual properties? [Ambiguity, Spec §FR-4]"
+
+   Consistency:
+   - "Do navigation requirements align across all pages? [Consistency, Spec §FR-10]"
+   - "Are card component requirements consistent between landing and detail pages? [Consistency]"
+
+   Coverage:
+   - "Are requirements defined for zero-state scenarios (no episodes)? [Coverage, Edge Case]"
+   - "Are concurrent user interaction scenarios addressed? [Coverage, Gap]"
+   - "Are requirements specified for partial data loading failures? [Coverage, Exception Flow]"
+
+   Measurability:
+   - "Are visual hierarchy requirements measurable/testable? [Acceptance Criteria, Spec §FR-1]"
+   - "Can 'balanced visual weight' be objectively verified? [Measurability, Spec §FR-2]"
+
+   **Scenario Classification & Coverage** (Requirements Quality Focus):
+   - Check if requirements exist for: Primary, Alternate, Exception/Error, Recovery, Non-Functional scenarios
+   - For each scenario class, ask: "Are [scenario type] requirements complete, clear, and consistent?"
+   - If scenario class missing: "Are [scenario type] requirements intentionally excluded or missing? [Gap]"
+   - Include resilience/rollback when state mutation occurs: "Are rollback requirements defined for migration failures? [Gap]"
+
+   **Traceability Requirements**:
+   - MINIMUM: ≥80% of items MUST include at least one traceability reference
+   - Each item should reference: spec section `[Spec §X.Y]`, or use markers: `[Gap]`, `[Ambiguity]`, `[Conflict]`, `[Assumption]`
+   - If no ID system exists: "Is a requirement & acceptance criteria ID scheme established? [Traceability]"
+
+   **Surface & Resolve Issues** (Requirements Quality Problems):
+   Ask questions about the requirements themselves:
+   - Ambiguities: "Is the term 'fast' quantified with specific metrics? [Ambiguity, Spec §NFR-1]"
+   - Conflicts: "Do navigation requirements conflict between §FR-10 and §FR-10a? [Conflict]"
+   - Assumptions: "Is the assumption of 'always available podcast API' validated? [Assumption]"
+   - Dependencies: "Are external podcast API requirements documented? [Dependency, Gap]"
+   - Missing definitions: "Is 'visual hierarchy' defined with measurable criteria? [Gap]"
+
+   **Content Consolidation**:
+   - Soft cap: If raw candidate items > 40, prioritize by risk/impact
+   - Merge near-duplicates checking the same requirement aspect
+   - If >5 low-impact edge cases, create one item: "Are edge cases X, Y, Z addressed in requirements? [Coverage]"
+
+   **🚫 ABSOLUTELY PROHIBITED** - These make it an implementation test, not a requirements test:
+   - ❌ Any item starting with "Verify", "Test", "Confirm", "Check" + implementation behavior
+   - ❌ References to code execution, user actions, system behavior
+   - ❌ "Displays correctly", "works properly", "functions as expected"
+   - ❌ "Click", "navigate", "render", "load", "execute"
+   - ❌ Test cases, test plans, QA procedures
+   - ❌ Implementation details (frameworks, APIs, algorithms)
+
+   **✅ REQUIRED PATTERNS** - These test requirements quality:
+   - ✅ "Are [requirement type] defined/specified/documented for [scenario]?"
+   - ✅ "Is [vague term] quantified/clarified with specific criteria?"
+   - ✅ "Are requirements consistent between [section A] and [section B]?"
+   - ✅ "Can [requirement] be objectively measured/verified?"
+   - ✅ "Are [edge cases/scenarios] addressed in requirements?"
+   - ✅ "Does the spec define [missing aspect]?"
+
+6. **Structure Reference**: Generate the checklist following the canonical template in `.specify/templates/checklist-template.md` for title, meta section, category headings, and ID formatting. If template is unavailable, use: H1 title, purpose/created meta lines, `##` category sections containing `- [ ] CHK### <requirement item>` lines with globally incrementing IDs starting at CHK001.
+
+7. **Report**: Output full path to checklist file, item count, and summarize whether the run created a new file or appended to an existing one. Summarize:
+   - Focus areas selected
+   - Depth level
+   - Actor/timing
+   - Any explicit user-specified must-have items incorporated
+
+**Important**: Each `/speckit.checklist` command invocation uses a short, descriptive checklist filename and either creates a new file or appends to an existing one. This allows:
+
+- Multiple checklists of different types (e.g., `ux.md`, `test.md`, `security.md`)
+- Simple, memorable filenames that indicate checklist purpose
+- Easy identification and navigation in the `checklists/` folder
+
+To avoid clutter, use descriptive types and clean up obsolete checklists when done.
+
+## Example Checklist Types & Sample Items
+
+**UX Requirements Quality:** `ux.md`
+
+Sample items (testing the requirements, NOT the implementation):
+
+- "Are visual hierarchy requirements defined with measurable criteria? [Clarity, Spec §FR-1]"
+- "Is the number and positioning of UI elements explicitly specified? [Completeness, Spec §FR-1]"
+- "Are interaction state requirements (hover, focus, active) consistently defined? [Consistency]"
+- "Are accessibility requirements specified for all interactive elements? [Coverage, Gap]"
+- "Is fallback behavior defined when images fail to load? [Edge Case, Gap]"
+- "Can 'prominent display' be objectively measured? [Measurability, Spec §FR-4]"
+
+**API Requirements Quality:** `api.md`
+
+Sample items:
+
+- "Are error response formats specified for all failure scenarios? [Completeness]"
+- "Are rate limiting requirements quantified with specific thresholds? [Clarity]"
+- "Are authentication requirements consistent across all endpoints? [Consistency]"
+- "Are retry/timeout requirements defined for external dependencies? [Coverage, Gap]"
+- "Is versioning strategy documented in requirements? [Gap]"
+
+**Performance Requirements Quality:** `performance.md`
+
+Sample items:
+
+- "Are performance requirements quantified with specific metrics? [Clarity]"
+- "Are performance targets defined for all critical user journeys? [Coverage]"
+- "Are performance requirements under different load conditions specified? [Completeness]"
+- "Can performance requirements be objectively measured? [Measurability]"
+- "Are degradation requirements defined for high-load scenarios? [Edge Case, Gap]"
+
+**Security Requirements Quality:** `security.md`
+
+Sample items:
+
+- "Are authentication requirements specified for all protected resources? [Coverage]"
+- "Are data protection requirements defined for sensitive information? [Completeness]"
+- "Is the threat model documented and requirements aligned to it? [Traceability]"
+- "Are security requirements consistent with compliance obligations? [Consistency]"
+- "Are security failure/breach response requirements defined? [Gap, Exception Flow]"
+
+## Anti-Examples: What NOT To Do
+
+**❌ WRONG - These test implementation, not requirements:**
+
+```markdown
+- [ ] CHK001 - Verify landing page displays 3 episode cards [Spec §FR-001]
+- [ ] CHK002 - Test hover states work correctly on desktop [Spec §FR-003]
+- [ ] CHK003 - Confirm logo click navigates to home page [Spec §FR-010]
+- [ ] CHK004 - Check that related episodes section shows 3-5 items [Spec §FR-005]
+```
+
+**✅ CORRECT - These test requirements quality:**
+
+```markdown
+- [ ] CHK001 - Are the number and layout of featured episodes explicitly specified? [Completeness, Spec §FR-001]
+- [ ] CHK002 - Are hover state requirements consistently defined for all interactive elements? [Consistency, Spec §FR-003]
+- [ ] CHK003 - Are navigation requirements clear for all clickable brand elements? [Clarity, Spec §FR-010]
+- [ ] CHK004 - Is the selection criteria for related episodes documented? [Gap, Spec §FR-005]
+- [ ] CHK005 - Are loading state requirements defined for asynchronous episode data? [Gap]
+- [ ] CHK006 - Can "visual hierarchy" requirements be objectively measured? [Measurability, Spec §FR-001]
+```
+
+**Key Differences:**
+
+- Wrong: Tests if the system works correctly
+- Correct: Tests if the requirements are written correctly
+- Wrong: Verification of behavior
+- Correct: Validation of requirement quality
+- Wrong: "Does it do X?"
+- Correct: "Is X clearly specified?"
+
+## Post-Execution Checks
+
+**Check for extension hooks (after checklist generation)**:
+Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.after_checklist` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
diff --git a/.claude/skills/speckit-clarify/SKILL.md b/.claude/skills/speckit-clarify/SKILL.md
new file mode 100644
index 0000000..9162b75
--- /dev/null
+++ b/.claude/skills/speckit-clarify/SKILL.md
@@ -0,0 +1,252 @@
+---
+name: "speckit-clarify"
+description: "Identify underspecified areas in the current feature spec by asking up to 5 highly targeted clarification questions and encoding answers back into the spec."
+argument-hint: "Optional areas to clarify in the spec"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/clarify.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before clarification)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_clarify` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+Goal: Detect and reduce ambiguity or missing decision points in the active feature specification and record the clarifications directly in the spec file.
+
+Note: This clarification workflow is expected to run (and be completed) BEFORE invoking `/speckit.plan`. If the user explicitly states they are skipping clarification (e.g., exploratory spike), you may proceed, but must warn that downstream rework risk increases.
+
+Execution steps:
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --paths-only` from repo root **once** (combined `--json --paths-only` mode / `-Json -PathsOnly`). Parse minimal JSON payload fields:
+   - `FEATURE_DIR`
+   - `FEATURE_SPEC`
+   - (Optionally capture `IMPL_PLAN`, `TASKS` for future chained flows.)
+   - If JSON parsing fails, abort and instruct user to re-run `/speckit.specify` or verify feature branch environment.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. Load the current spec file. Perform a structured ambiguity & coverage scan using this taxonomy. For each category, mark status: Clear / Partial / Missing. Produce an internal coverage map used for prioritization (do not output raw map unless no questions will be asked).
+
+   Functional Scope & Behavior:
+   - Core user goals & success criteria
+   - Explicit out-of-scope declarations
+   - User roles / personas differentiation
+
+   Domain & Data Model:
+   - Entities, attributes, relationships
+   - Identity & uniqueness rules
+   - Lifecycle/state transitions
+   - Data volume / scale assumptions
+
+   Interaction & UX Flow:
+   - Critical user journeys / sequences
+   - Error/empty/loading states
+   - Accessibility or localization notes
+
+   Non-Functional Quality Attributes:
+   - Performance (latency, throughput targets)
+   - Scalability (horizontal/vertical, limits)
+   - Reliability & availability (uptime, recovery expectations)
+   - Observability (logging, metrics, tracing signals)
+   - Security & privacy (authN/Z, data protection, threat assumptions)
+   - Compliance / regulatory constraints (if any)
+
+   Integration & External Dependencies:
+   - External services/APIs and failure modes
+   - Data import/export formats
+   - Protocol/versioning assumptions
+
+   Edge Cases & Failure Handling:
+   - Negative scenarios
+   - Rate limiting / throttling
+   - Conflict resolution (e.g., concurrent edits)
+
+   Constraints & Tradeoffs:
+   - Technical constraints (language, storage, hosting)
+   - Explicit tradeoffs or rejected alternatives
+
+   Terminology & Consistency:
+   - Canonical glossary terms
+   - Avoided synonyms / deprecated terms
+
+   Completion Signals:
+   - Acceptance criteria testability
+   - Measurable Definition of Done style indicators
+
+   Misc / Placeholders:
+   - TODO markers / unresolved decisions
+   - Ambiguous adjectives ("robust", "intuitive") lacking quantification
+
+   For each category with Partial or Missing status, add a candidate question opportunity unless:
+   - Clarification would not materially change implementation or validation strategy
+   - Information is better deferred to planning phase (note internally)
+
+3. Generate (internally) a prioritized queue of candidate clarification questions (maximum 5). Do NOT output them all at once. Apply these constraints:
+    - Maximum of 5 total questions across the whole session.
+    - Each question must be answerable with EITHER:
+       - A short multiple‑choice selection (2–5 distinct, mutually exclusive options), OR
+       - A one-word / short‑phrase answer (explicitly constrain: "Answer in <=5 words").
+    - Only include questions whose answers materially impact architecture, data modeling, task decomposition, test design, UX behavior, operational readiness, or compliance validation.
+    - Ensure category coverage balance: attempt to cover the highest impact unresolved categories first; avoid asking two low-impact questions when a single high-impact area (e.g., security posture) is unresolved.
+    - Exclude questions already answered, trivial stylistic preferences, or plan-level execution details (unless blocking correctness).
+    - Favor clarifications that reduce downstream rework risk or prevent misaligned acceptance tests.
+    - If more than 5 categories remain unresolved, select the top 5 by (Impact * Uncertainty) heuristic.
+
+4. Sequential questioning loop (interactive):
+    - Present EXACTLY ONE question at a time.
+    - For multiple‑choice questions:
+       - **Analyze all options** and determine the **most suitable option** based on:
+          - Best practices for the project type
+          - Common patterns in similar implementations
+          - Risk reduction (security, performance, maintainability)
+          - Alignment with any explicit project goals or constraints visible in the spec
+       - Present your **recommended option prominently** at the top with clear reasoning (1-2 sentences explaining why this is the best choice).
+       - Format as: `**Recommended:** Option [X] - <reasoning>`
+       - Then render all options as a Markdown table:
+
+       | Option | Description |
+       |--------|-------------|
+       | A | <Option A description> |
+       | B | <Option B description> |
+       | C | <Option C description> (add D/E as needed up to 5) |
+       | Short | Provide a different short answer (<=5 words) (Include only if free-form alternative is appropriate) |
+
+       - After the table, add: `You can reply with the option letter (e.g., "A"), accept the recommendation by saying "yes" or "recommended", or provide your own short answer.`
+    - For short‑answer style (no meaningful discrete options):
+       - Provide your **suggested answer** based on best practices and context.
+       - Format as: `**Suggested:** <your proposed answer> - <brief reasoning>`
+       - Then output: `Format: Short answer (<=5 words). You can accept the suggestion by saying "yes" or "suggested", or provide your own answer.`
+    - After the user answers:
+       - If the user replies with "yes", "recommended", or "suggested", use your previously stated recommendation/suggestion as the answer.
+       - Otherwise, validate the answer maps to one option or fits the <=5 word constraint.
+       - If ambiguous, ask for a quick disambiguation (count still belongs to same question; do not advance).
+       - Once satisfactory, record it in working memory (do not yet write to disk) and move to the next queued question.
+    - Stop asking further questions when:
+       - All critical ambiguities resolved early (remaining queued items become unnecessary), OR
+       - User signals completion ("done", "good", "no more"), OR
+       - You reach 5 asked questions.
+    - Never reveal future queued questions in advance.
+    - If no valid questions exist at start, immediately report no critical ambiguities.
+
+5. Integration after EACH accepted answer (incremental update approach):
+    - Maintain in-memory representation of the spec (loaded once at start) plus the raw file contents.
+    - For the first integrated answer in this session:
+       - Ensure a `## Clarifications` section exists (create it just after the highest-level contextual/overview section per the spec template if missing).
+       - Under it, create (if not present) a `### Session YYYY-MM-DD` subheading for today.
+    - Append a bullet line immediately after acceptance: `- Q: <question> → A: <final answer>`.
+    - Then immediately apply the clarification to the most appropriate section(s):
+       - Functional ambiguity → Update or add a bullet in Functional Requirements.
+       - User interaction / actor distinction → Update User Stories or Actors subsection (if present) with clarified role, constraint, or scenario.
+       - Data shape / entities → Update Data Model (add fields, types, relationships) preserving ordering; note added constraints succinctly.
+       - Non-functional constraint → Add/modify measurable criteria in Success Criteria > Measurable Outcomes (convert vague adjective to metric or explicit target).
+       - Edge case / negative flow → Add a new bullet under Edge Cases / Error Handling (or create such subsection if template provides placeholder for it).
+       - Terminology conflict → Normalize term across spec; retain original only if necessary by adding `(formerly referred to as "X")` once.
+    - If the clarification invalidates an earlier ambiguous statement, replace that statement instead of duplicating; leave no obsolete contradictory text.
+    - Save the spec file AFTER each integration to minimize risk of context loss (atomic overwrite).
+    - Preserve formatting: do not reorder unrelated sections; keep heading hierarchy intact.
+    - Keep each inserted clarification minimal and testable (avoid narrative drift).
+
+6. Validation (performed after EACH write plus final pass):
+   - Clarifications session contains exactly one bullet per accepted answer (no duplicates).
+   - Total asked (accepted) questions ≤ 5.
+   - Updated sections contain no lingering vague placeholders the new answer was meant to resolve.
+   - No contradictory earlier statement remains (scan for now-invalid alternative choices removed).
+   - Markdown structure valid; only allowed new headings: `## Clarifications`, `### Session YYYY-MM-DD`.
+   - Terminology consistency: same canonical term used across all updated sections.
+
+7. Write the updated spec back to `FEATURE_SPEC`.
+
+8. Report completion (after questioning loop ends or early termination):
+   - Number of questions asked & answered.
+   - Path to updated spec.
+   - Sections touched (list names).
+   - Coverage summary table listing each taxonomy category with Status: Resolved (was Partial/Missing and addressed), Deferred (exceeds question quota or better suited for planning), Clear (already sufficient), Outstanding (still Partial/Missing but low impact).
+   - If any Outstanding or Deferred remain, recommend whether to proceed to `/speckit.plan` or run `/speckit.clarify` again later post-plan.
+   - Suggested next command.
+
+Behavior rules:
+
+- If no meaningful ambiguities found (or all potential questions would be low-impact), respond: "No critical ambiguities detected worth formal clarification." and suggest proceeding.
+- If spec file missing, instruct user to run `/speckit.specify` first (do not create a new spec here).
+- Never exceed 5 total asked questions (clarification retries for a single question do not count as new questions).
+- Avoid speculative tech stack questions unless the absence blocks functional clarity.
+- Respect user early termination signals ("stop", "done", "proceed").
+- If no questions asked due to full coverage, output a compact coverage summary (all categories Clear) then suggest advancing.
+- If quota reached with unresolved high-impact categories remaining, explicitly flag them under Deferred with rationale.
+
+Context for prioritization: $ARGUMENTS
+
+## Post-Execution Checks
+
+**Check for extension hooks (after clarification)**:
+Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.after_clarify` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
diff --git a/.claude/skills/speckit-constitution/SKILL.md b/.claude/skills/speckit-constitution/SKILL.md
new file mode 100644
index 0000000..4cb36db
--- /dev/null
+++ b/.claude/skills/speckit-constitution/SKILL.md
@@ -0,0 +1,155 @@
+---
+name: "speckit-constitution"
+description: "Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync."
+argument-hint: "Principles or values for the project constitution"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/constitution.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before constitution update)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_constitution` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+You are updating the project constitution at `.specify/memory/constitution.md`. This file is a TEMPLATE containing placeholder tokens in square brackets (e.g. `[PROJECT_NAME]`, `[PRINCIPLE_1_NAME]`). Your job is to (a) collect/derive concrete values, (b) fill the template precisely, and (c) propagate any amendments across dependent artifacts.
+
+**Note**: If `.specify/memory/constitution.md` does not exist yet, it should have been initialized from `.specify/templates/constitution-template.md` during project setup. If it's missing, copy the template first.
+
+Follow this execution flow:
+
+1. Load the existing constitution at `.specify/memory/constitution.md`.
+   - Identify every placeholder token of the form `[ALL_CAPS_IDENTIFIER]`.
+   **IMPORTANT**: The user might require less or more principles than the ones used in the template. If a number is specified, respect that - follow the general template. You will update the doc accordingly.
+
+2. Collect/derive values for placeholders:
+   - If user input (conversation) supplies a value, use it.
+   - Otherwise infer from existing repo context (README, docs, prior constitution versions if embedded).
+   - For governance dates: `RATIFICATION_DATE` is the original adoption date (if unknown ask or mark TODO), `LAST_AMENDED_DATE` is today if changes are made, otherwise keep previous.
+   - `CONSTITUTION_VERSION` must increment according to semantic versioning rules:
+     - MAJOR: Backward incompatible governance/principle removals or redefinitions.
+     - MINOR: New principle/section added or materially expanded guidance.
+     - PATCH: Clarifications, wording, typo fixes, non-semantic refinements.
+   - If version bump type ambiguous, propose reasoning before finalizing.
+
+3. Draft the updated constitution content:
+   - Replace every placeholder with concrete text (no bracketed tokens left except intentionally retained template slots that the project has chosen not to define yet—explicitly justify any left).
+   - Preserve heading hierarchy and comments can be removed once replaced unless they still add clarifying guidance.
+   - Ensure each Principle section: succinct name line, paragraph (or bullet list) capturing non‑negotiable rules, explicit rationale if not obvious.
+   - Ensure Governance section lists amendment procedure, versioning policy, and compliance review expectations.
+
+4. Consistency propagation checklist (convert prior checklist into active validations):
+   - Read `.specify/templates/plan-template.md` and ensure any "Constitution Check" or rules align with updated principles.
+   - Read `.specify/templates/spec-template.md` for scope/requirements alignment—update if constitution adds/removes mandatory sections or constraints.
+   - Read `.specify/templates/tasks-template.md` and ensure task categorization reflects new or removed principle-driven task types (e.g., observability, versioning, testing discipline).
+   - Read each command file in `.specify/templates/commands/*.md` (including this one) to verify no outdated references (agent-specific names like CLAUDE only) remain when generic guidance is required.
+   - Read any runtime guidance docs (e.g., `README.md`, `docs/quickstart.md`, or agent-specific guidance files if present). Update references to principles changed.
+
+5. Produce a Sync Impact Report (prepend as an HTML comment at top of the constitution file after update):
+   - Version change: old → new
+   - List of modified principles (old title → new title if renamed)
+   - Added sections
+   - Removed sections
+   - Templates requiring updates (✅ updated / ⚠ pending) with file paths
+   - Follow-up TODOs if any placeholders intentionally deferred.
+
+6. Validation before final output:
+   - No remaining unexplained bracket tokens.
+   - Version line matches report.
+   - Dates ISO format YYYY-MM-DD.
+   - Principles are declarative, testable, and free of vague language ("should" → replace with MUST/SHOULD rationale where appropriate).
+
+7. Write the completed constitution back to `.specify/memory/constitution.md` (overwrite).
+
+8. Output a final summary to the user with:
+   - New version and bump rationale.
+   - Any files flagged for manual follow-up.
+   - Suggested commit message (e.g., `docs: amend constitution to vX.Y.Z (principle additions + governance update)`).
+
+Formatting & Style Requirements:
+
+- Use Markdown headings exactly as in the template (do not demote/promote levels).
+- Wrap long rationale lines to keep readability (<100 chars ideally) but do not hard enforce with awkward breaks.
+- Keep a single blank line between sections.
+- Avoid trailing whitespace.
+
+If the user supplies partial updates (e.g., only one principle revision), still perform validation and version decision steps.
+
+If critical info missing (e.g., ratification date truly unknown), insert `TODO(<FIELD_NAME>): explanation` and include in the Sync Impact Report under deferred items.
+
+Do not create a new template; always operate on the existing `.specify/memory/constitution.md` file.
+
+## Post-Execution Checks
+
+**Check for extension hooks (after constitution update)**:
+Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.after_constitution` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
diff --git a/.claude/skills/speckit-git-commit/SKILL.md b/.claude/skills/speckit-git-commit/SKILL.md
new file mode 100644
index 0000000..fda1b53
--- /dev/null
+++ b/.claude/skills/speckit-git-commit/SKILL.md
@@ -0,0 +1,55 @@
+---
+name: speckit-git-commit
+description: Auto-commit changes after a Spec Kit command completes
+compatibility: Requires spec-kit project structure with .specify/ directory
+metadata:
+  author: github-spec-kit
+  source: git:commands/speckit.git.commit.md
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Auto-Commit Changes
+
+Automatically stage and commit all changes after a Spec Kit command completes.
+
+## Behavior
+
+This command is invoked as a hook after (or before) core commands. It:
+
+1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
+2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
+3. Looks up the specific event key to see if auto-commit is enabled
+4. Falls back to `auto_commit.default` if no event-specific key exists
+5. Uses the per-command `message` if configured, otherwise a default message
+6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
+
+## Execution
+
+Determine the event name from the hook that triggered this command, then run the script:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
+
+Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
+
+## Configuration
+
+In `.specify/extensions/git/git-config.yml`:
+
+```yaml
+auto_commit:
+  default: false          # Global toggle — set true to enable for all commands
+  after_specify:
+    enabled: true          # Override per-command
+    message: "[Spec Kit] Add specification"
+  after_plan:
+    enabled: false
+    message: "[Spec Kit] Add implementation plan"
+```
+
+## Graceful Degradation
+
+- If Git is not available or the current directory is not a repository: skips with a warning
+- If no config file exists: skips (disabled by default)
+- If no changes to commit: skips with a message
\ No newline at end of file
diff --git a/.claude/skills/speckit-git-feature/SKILL.md b/.claude/skills/speckit-git-feature/SKILL.md
new file mode 100644
index 0000000..437845f
--- /dev/null
+++ b/.claude/skills/speckit-git-feature/SKILL.md
@@ -0,0 +1,74 @@
+---
+name: speckit-git-feature
+description: Create a feature branch with sequential or timestamp numbering
+compatibility: Requires spec-kit project structure with .specify/ directory
+metadata:
+  author: github-spec-kit
+  source: git:commands/speckit.git.feature.md
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Create Feature Branch
+
+Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Environment Variable Override
+
+If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
+- The script uses the exact value as the branch name, bypassing all prefix/suffix generation
+- `--short-name`, `--number`, and `--timestamp` flags are ignored
+- `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
+
+## Prerequisites
+
+- Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, warn the user and skip branch creation
+
+## Branch Numbering Mode
+
+Determine the branch numbering strategy by checking configuration in this order:
+
+1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
+2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
+3. Default to `sequential` if neither exists
+
+## Execution
+
+Generate a concise short name (2-4 words) for the branch:
+- Analyze the feature description and extract the most meaningful keywords
+- Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
+- Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
+
+Run the appropriate script based on your platform:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
+- **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
+- **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
+
+**IMPORTANT**:
+- Do NOT pass `--number` — the script determines the correct next number automatically
+- Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
+- You must only ever run this script once per feature
+- The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
+
+## Graceful Degradation
+
+If Git is not installed or the current directory is not a Git repository:
+- Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
+- The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
+
+## Output
+
+The script outputs JSON with:
+- `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
+- `FEATURE_NUM`: The numeric or timestamp prefix used
\ No newline at end of file
diff --git a/.claude/skills/speckit-git-initialize/SKILL.md b/.claude/skills/speckit-git-initialize/SKILL.md
new file mode 100644
index 0000000..e2290ad
--- /dev/null
+++ b/.claude/skills/speckit-git-initialize/SKILL.md
@@ -0,0 +1,56 @@
+---
+name: speckit-git-initialize
+description: Initialize a Git repository with an initial commit
+compatibility: Requires spec-kit project structure with .specify/ directory
+metadata:
+  author: github-spec-kit
+  source: git:commands/speckit.git.initialize.md
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Initialize Git Repository
+
+Initialize a Git repository in the current project directory if one does not already exist.
+
+## Execution
+
+Run the appropriate script from the project root:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
+
+If the extension scripts are not found, fall back to:
+- **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
+- **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
+
+The script handles all checks internally:
+- Skips if Git is not available
+- Skips if already inside a Git repository
+- Runs `git init`, `git add .`, and `git commit` with an initial commit message
+
+## Customization
+
+Replace the script to add project-specific Git initialization steps:
+- Custom `.gitignore` templates
+- Default branch naming (`git config init.defaultBranch`)
+- Git LFS setup
+- Git hooks installation
+- Commit signing configuration
+- Git Flow initialization
+
+## Output
+
+On success:
+- `✓ Git repository initialized`
+
+## Graceful Degradation
+
+If Git is not installed:
+- Warn the user
+- Skip repository initialization
+- The project continues to function without Git (specs can still be created under `specs/`)
+
+If Git is installed but `git init`, `git add .`, or `git commit` fails:
+- Surface the error to the user
+- Stop this command rather than continuing with a partially initialized repository
\ No newline at end of file
diff --git a/.claude/skills/speckit-git-remote/SKILL.md b/.claude/skills/speckit-git-remote/SKILL.md
new file mode 100644
index 0000000..b1121b3
--- /dev/null
+++ b/.claude/skills/speckit-git-remote/SKILL.md
@@ -0,0 +1,52 @@
+---
+name: speckit-git-remote
+description: Detect Git remote URL for GitHub integration
+compatibility: Requires spec-kit project structure with .specify/ directory
+metadata:
+  author: github-spec-kit
+  source: git:commands/speckit.git.remote.md
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Detect Git Remote URL
+
+Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
+
+## Prerequisites
+
+- Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, output a warning and return empty:
+  ```
+  [specify] Warning: Git repository not detected; cannot determine remote URL
+  ```
+
+## Execution
+
+Run the following command to get the remote URL:
+
+```bash
+git config --get remote.origin.url
+```
+
+## Output
+
+Parse the remote URL and determine:
+
+1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
+2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
+3. **Is GitHub**: Whether the remote points to a GitHub repository
+
+Supported URL formats:
+- HTTPS: `https://github.com/<owner>/<repo>.git`
+- SSH: `git@github.com:<owner>/<repo>.git`
+
+> [!CAUTION]
+> ONLY report a GitHub repository if the remote URL actually points to github.com.
+> Do NOT assume the remote is GitHub if the URL format doesn't match.
+
+## Graceful Degradation
+
+If Git is not installed, the directory is not a Git repository, or no remote is configured:
+- Return an empty result
+- Do NOT error — other workflows should continue without Git remote information
\ No newline at end of file
diff --git a/.claude/skills/speckit-git-validate/SKILL.md b/.claude/skills/speckit-git-validate/SKILL.md
new file mode 100644
index 0000000..e2b22b9
--- /dev/null
+++ b/.claude/skills/speckit-git-validate/SKILL.md
@@ -0,0 +1,56 @@
+---
+name: speckit-git-validate
+description: Validate current branch follows feature branch naming conventions
+compatibility: Requires spec-kit project structure with .specify/ directory
+metadata:
+  author: github-spec-kit
+  source: git:commands/speckit.git.validate.md
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Validate Feature Branch
+
+Validate that the current Git branch follows the expected feature branch naming conventions.
+
+## Prerequisites
+
+- Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, output a warning and skip validation:
+  ```
+  [specify] Warning: Git repository not detected; skipped branch validation
+  ```
+
+## Validation Rules
+
+Get the current branch name:
+
+```bash
+git rev-parse --abbrev-ref HEAD
+```
+
+The branch name must match one of these patterns:
+
+1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
+2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
+
+## Execution
+
+If on a feature branch (matches either pattern):
+- Output: `✓ On feature branch: <branch-name>`
+- Check if the corresponding spec directory exists under `specs/`:
+  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
+  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
+- If spec directory exists: `✓ Spec directory found: <path>`
+- If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
+
+If NOT on a feature branch:
+- Output: `✗ Not on a feature branch. Current branch: <branch-name>`
+- Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
+
+## Graceful Degradation
+
+If Git is not installed or the directory is not a Git repository:
+- Check the `SPECIFY_FEATURE` environment variable as a fallback
+- If set, validate that value against the naming patterns
+- If not set, skip validation with a warning
\ No newline at end of file
diff --git a/.claude/skills/speckit-implement/SKILL.md b/.claude/skills/speckit-implement/SKILL.md
new file mode 100644
index 0000000..85d85a7
--- /dev/null
+++ b/.claude/skills/speckit-implement/SKILL.md
@@ -0,0 +1,207 @@
+---
+name: "speckit-implement"
+description: "Execute the implementation plan by processing and executing all tasks defined in tasks.md"
+argument-hint: "Optional implementation guidance or task filter"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/implement.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before implementation)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_implement` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Check checklists status** (if FEATURE_DIR/checklists/ exists):
+   - Scan all checklist files in the checklists/ directory
+   - For each checklist, count:
+     - Total items: All lines matching `- [ ]` or `- [X]` or `- [x]`
+     - Completed items: Lines matching `- [X]` or `- [x]`
+     - Incomplete items: Lines matching `- [ ]`
+   - Create a status table:
+
+     ```text
+     | Checklist | Total | Completed | Incomplete | Status |
+     |-----------|-------|-----------|------------|--------|
+     | ux.md     | 12    | 12        | 0          | ✓ PASS |
+     | test.md   | 8     | 5         | 3          | ✗ FAIL |
+     | security.md | 6   | 6         | 0          | ✓ PASS |
+     ```
+
+   - Calculate overall status:
+     - **PASS**: All checklists have 0 incomplete items
+     - **FAIL**: One or more checklists have incomplete items
+
+   - **If any checklist is incomplete**:
+     - Display the table with incomplete item counts
+     - **STOP** and ask: "Some checklists are incomplete. Do you want to proceed with implementation anyway? (yes/no)"
+     - Wait for user response before continuing
+     - If user says "no" or "wait" or "stop", halt execution
+     - If user says "yes" or "proceed" or "continue", proceed to step 3
+
+   - **If all checklists are complete**:
+     - Display the table showing all checklists passed
+     - Automatically proceed to step 3
+
+3. Load and analyze the implementation context:
+   - **REQUIRED**: Read tasks.md for the complete task list and execution plan
+   - **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
+   - **IF EXISTS**: Read data-model.md for entities and relationships
+   - **IF EXISTS**: Read contracts/ for API specifications and test requirements
+   - **IF EXISTS**: Read research.md for technical decisions and constraints
+   - **IF EXISTS**: Read quickstart.md for integration scenarios
+
+4. **Project Setup Verification**:
+   - **REQUIRED**: Create/verify ignore files based on actual project setup:
+
+   **Detection & Creation Logic**:
+   - Check if the following command succeeds to determine if the repository is a git repo (create/verify .gitignore if so):
+
+     ```sh
+     git rev-parse --git-dir 2>/dev/null
+     ```
+
+   - Check if Dockerfile* exists or Docker in plan.md → create/verify .dockerignore
+   - Check if .eslintrc* exists → create/verify .eslintignore
+   - Check if eslint.config.* exists → ensure the config's `ignores` entries cover required patterns
+   - Check if .prettierrc* exists → create/verify .prettierignore
+   - Check if .npmrc or package.json exists → create/verify .npmignore (if publishing)
+   - Check if terraform files (*.tf) exist → create/verify .terraformignore
+   - Check if .helmignore needed (helm charts present) → create/verify .helmignore
+
+   **If ignore file already exists**: Verify it contains essential patterns, append missing critical patterns only
+   **If ignore file missing**: Create with full pattern set for detected technology
+
+   **Common Patterns by Technology** (from plan.md tech stack):
+   - **Node.js/JavaScript/TypeScript**: `node_modules/`, `dist/`, `build/`, `*.log`, `.env*`
+   - **Python**: `__pycache__/`, `*.pyc`, `.venv/`, `venv/`, `dist/`, `*.egg-info/`
+   - **Java**: `target/`, `*.class`, `*.jar`, `.gradle/`, `build/`
+   - **C#/.NET**: `bin/`, `obj/`, `*.user`, `*.suo`, `packages/`
+   - **Go**: `*.exe`, `*.test`, `vendor/`, `*.out`
+   - **Ruby**: `.bundle/`, `log/`, `tmp/`, `*.gem`, `vendor/bundle/`
+   - **PHP**: `vendor/`, `*.log`, `*.cache`, `*.env`
+   - **Rust**: `target/`, `debug/`, `release/`, `*.rs.bk`, `*.rlib`, `*.prof*`, `.idea/`, `*.log`, `.env*`
+   - **Kotlin**: `build/`, `out/`, `.gradle/`, `.idea/`, `*.class`, `*.jar`, `*.iml`, `*.log`, `.env*`
+   - **C++**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.so`, `*.a`, `*.exe`, `*.dll`, `.idea/`, `*.log`, `.env*`
+   - **C**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.a`, `*.so`, `*.exe`, `*.dll`, `autom4te.cache/`, `config.status`, `config.log`, `.idea/`, `*.log`, `.env*`
+   - **Swift**: `.build/`, `DerivedData/`, `*.swiftpm/`, `Packages/`
+   - **R**: `.Rproj.user/`, `.Rhistory`, `.RData`, `.Ruserdata`, `*.Rproj`, `packrat/`, `renv/`
+   - **Universal**: `.DS_Store`, `Thumbs.db`, `*.tmp`, `*.swp`, `.vscode/`, `.idea/`
+
+   **Tool-Specific Patterns**:
+   - **Docker**: `node_modules/`, `.git/`, `Dockerfile*`, `.dockerignore`, `*.log*`, `.env*`, `coverage/`
+   - **ESLint**: `node_modules/`, `dist/`, `build/`, `coverage/`, `*.min.js`
+   - **Prettier**: `node_modules/`, `dist/`, `build/`, `coverage/`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
+   - **Terraform**: `.terraform/`, `*.tfstate*`, `*.tfvars`, `.terraform.lock.hcl`
+   - **Kubernetes/k8s**: `*.secret.yaml`, `secrets/`, `.kube/`, `kubeconfig*`, `*.key`, `*.crt`
+
+5. Parse tasks.md structure and extract:
+   - **Task phases**: Setup, Tests, Core, Integration, Polish
+   - **Task dependencies**: Sequential vs parallel execution rules
+   - **Task details**: ID, description, file paths, parallel markers [P]
+   - **Execution flow**: Order and dependency requirements
+
+6. Execute implementation following the task plan:
+   - **Phase-by-phase execution**: Complete each phase before moving to the next
+   - **Respect dependencies**: Run sequential tasks in order, parallel tasks [P] can run together  
+   - **Follow TDD approach**: Execute test tasks before their corresponding implementation tasks
+   - **File-based coordination**: Tasks affecting the same files must run sequentially
+   - **Validation checkpoints**: Verify each phase completion before proceeding
+
+7. Implementation execution rules:
+   - **Setup first**: Initialize project structure, dependencies, configuration
+   - **Tests before code**: If you need to write tests for contracts, entities, and integration scenarios
+   - **Core development**: Implement models, services, CLI commands, endpoints
+   - **Integration work**: Database connections, middleware, logging, external services
+   - **Polish and validation**: Unit tests, performance optimization, documentation
+
+8. Progress tracking and error handling:
+   - Report progress after each completed task
+   - Halt execution if any non-parallel task fails
+   - For parallel tasks [P], continue with successful tasks, report failed ones
+   - Provide clear error messages with context for debugging
+   - Suggest next steps if implementation cannot proceed
+   - **IMPORTANT** For completed tasks, make sure to mark the task off as [X] in the tasks file.
+
+9. Completion validation:
+   - Verify all required tasks are completed
+   - Check that implemented features match the original specification
+   - Validate that tests pass and coverage meets requirements
+   - Confirm the implementation follows the technical plan
+   - Report final status with summary of completed work
+
+Note: This command assumes a complete task breakdown exists in tasks.md. If tasks are incomplete or missing, suggest running `/speckit.tasks` first to regenerate the task list.
+
+10. **Check for extension hooks**: After completion validation, check if `.specify/extensions.yml` exists in the project root.
+    - If it exists, read it and look for entries under the `hooks.after_implement` key
+    - If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+    - Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+    - For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+      - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+      - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+    - For each executable hook, output the following based on its `optional` flag:
+      - **Optional hook** (`optional: true`):
+        ```
+        ## Extension Hooks
+
+        **Optional Hook**: {extension}
+        Command: `/{command}`
+        Description: {description}
+
+        Prompt: {prompt}
+        To execute: `/{command}`
+        ```
+      - **Mandatory hook** (`optional: false`):
+        ```
+        ## Extension Hooks
+
+        **Automatic Hook**: {extension}
+        Executing: `/{command}`
+        EXECUTE_COMMAND: {command}
+        ```
+    - If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
diff --git a/.claude/skills/speckit-plan/SKILL.md b/.claude/skills/speckit-plan/SKILL.md
new file mode 100644
index 0000000..872fa95
--- /dev/null
+++ b/.claude/skills/speckit-plan/SKILL.md
@@ -0,0 +1,154 @@
+---
+name: "speckit-plan"
+description: "Execute the implementation planning workflow using the plan template to generate design artifacts."
+argument-hint: "Optional guidance for the planning phase"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/plan.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before planning)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_plan` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/setup-plan.sh --json` from repo root and parse JSON for FEATURE_SPEC, IMPL_PLAN, SPECS_DIR, BRANCH. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load context**: Read FEATURE_SPEC and `.specify/memory/constitution.md`. Load IMPL_PLAN template (already copied).
+
+3. **Execute plan workflow**: Follow the structure in IMPL_PLAN template to:
+   - Fill Technical Context (mark unknowns as "NEEDS CLARIFICATION")
+   - Fill Constitution Check section from constitution
+   - Evaluate gates (ERROR if violations unjustified)
+   - Phase 0: Generate research.md (resolve all NEEDS CLARIFICATION)
+   - Phase 1: Generate data-model.md, contracts/, quickstart.md
+   - Phase 1: Update agent context by running the agent script
+   - Re-evaluate Constitution Check post-design
+
+4. **Stop and report**: Command ends after Phase 2 planning. Report branch, IMPL_PLAN path, and generated artifacts.
+
+5. **Check for extension hooks**: After reporting, check if `.specify/extensions.yml` exists in the project root.
+   - If it exists, read it and look for entries under the `hooks.after_plan` key
+   - If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+   - Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+   - For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+     - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+     - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+   - For each executable hook, output the following based on its `optional` flag:
+     - **Optional hook** (`optional: true`):
+       ```
+       ## Extension Hooks
+
+       **Optional Hook**: {extension}
+       Command: `/{command}`
+       Description: {description}
+
+       Prompt: {prompt}
+       To execute: `/{command}`
+       ```
+     - **Mandatory hook** (`optional: false`):
+       ```
+       ## Extension Hooks
+
+       **Automatic Hook**: {extension}
+       Executing: `/{command}`
+       EXECUTE_COMMAND: {command}
+       ```
+   - If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Phases
+
+### Phase 0: Outline & Research
+
+1. **Extract unknowns from Technical Context** above:
+   - For each NEEDS CLARIFICATION → research task
+   - For each dependency → best practices task
+   - For each integration → patterns task
+
+2. **Generate and dispatch research agents**:
+
+   ```text
+   For each unknown in Technical Context:
+     Task: "Research {unknown} for {feature context}"
+   For each technology choice:
+     Task: "Find best practices for {tech} in {domain}"
+   ```
+
+3. **Consolidate findings** in `research.md` using format:
+   - Decision: [what was chosen]
+   - Rationale: [why chosen]
+   - Alternatives considered: [what else evaluated]
+
+**Output**: research.md with all NEEDS CLARIFICATION resolved
+
+### Phase 1: Design & Contracts
+
+**Prerequisites:** `research.md` complete
+
+1. **Extract entities from feature spec** → `data-model.md`:
+   - Entity name, fields, relationships
+   - Validation rules from requirements
+   - State transitions if applicable
+
+2. **Define interface contracts** (if project has external interfaces) → `/contracts/`:
+   - Identify what interfaces the project exposes to users or other systems
+   - Document the contract format appropriate for the project type
+   - Examples: public APIs for libraries, command schemas for CLI tools, endpoints for web services, grammars for parsers, UI contracts for applications
+   - Skip if project is purely internal (build scripts, one-off tools, etc.)
+
+3. **Agent context update**:
+   - Run `.specify/scripts/bash/update-agent-context.sh claude`
+   - These scripts detect which AI agent is in use
+   - Update the appropriate agent-specific context file
+   - Add only new technology from current plan
+   - Preserve manual additions between markers
+
+**Output**: data-model.md, /contracts/*, quickstart.md, agent-specific file
+
+## Key rules
+
+- Use absolute paths
+- ERROR on gate failures or unresolved clarifications
diff --git a/.claude/skills/speckit-specify/SKILL.md b/.claude/skills/speckit-specify/SKILL.md
new file mode 100644
index 0000000..23620aa
--- /dev/null
+++ b/.claude/skills/speckit-specify/SKILL.md
@@ -0,0 +1,328 @@
+---
+name: "speckit-specify"
+description: "Create or update the feature specification from a natural language feature description."
+argument-hint: "Describe the feature you want to specify"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/specify.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before specification)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_specify` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+The text the user typed after `/speckit.specify` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
+
+Given that feature description, do this:
+
+1. **Generate a concise short name** (2-4 words) for the feature:
+   - Analyze the feature description and extract the most meaningful keywords
+   - Create a 2-4 word short name that captures the essence of the feature
+   - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
+   - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
+   - Keep it concise but descriptive enough to understand the feature at a glance
+   - Examples:
+     - "I want to add user authentication" → "user-auth"
+     - "Implement OAuth2 integration for the API" → "oauth2-api-integration"
+     - "Create a dashboard for analytics" → "analytics-dashboard"
+     - "Fix payment processing timeout bug" → "fix-payment-timeout"
+
+2. **Branch creation** (optional, via hook):
+
+   If a `before_specify` hook ran successfully in the Pre-Execution Checks above, it will have created/switched to a git branch and output JSON containing `BRANCH_NAME` and `FEATURE_NUM`. Note these values for reference, but the branch name does **not** dictate the spec directory name.
+
+   If the user explicitly provided `GIT_BRANCH_NAME`, pass it through to the hook so the branch script uses the exact value as the branch name (bypassing all prefix/suffix generation).
+
+3. **Create the spec feature directory**:
+
+   Specs live under the default `specs/` directory unless the user explicitly provides `SPECIFY_FEATURE_DIRECTORY`.
+
+   **Resolution order for `SPECIFY_FEATURE_DIRECTORY`**:
+   1. If the user explicitly provided `SPECIFY_FEATURE_DIRECTORY` (e.g., via environment variable, argument, or configuration), use it as-is
+   2. Otherwise, auto-generate it under `specs/`:
+      - Check `.specify/init-options.json` for `branch_numbering`
+      - If `"timestamp"`: prefix is `YYYYMMDD-HHMMSS` (current timestamp)
+      - If `"sequential"` or absent: prefix is `NNN` (next available 3-digit number after scanning existing directories in `specs/`)
+      - Construct the directory name: `<prefix>-<short-name>` (e.g., `003-user-auth` or `20260319-143022-user-auth`)
+      - Set `SPECIFY_FEATURE_DIRECTORY` to `specs/<directory-name>`
+
+   **Create the directory and spec file**:
+   - `mkdir -p SPECIFY_FEATURE_DIRECTORY`
+   - Copy `.specify/templates/spec-template.md` to `SPECIFY_FEATURE_DIRECTORY/spec.md` as the starting point
+   - Set `SPEC_FILE` to `SPECIFY_FEATURE_DIRECTORY/spec.md`
+   - Persist the resolved path to `.specify/feature.json`:
+     ```json
+     {
+       "feature_directory": "<resolved feature dir>"
+     }
+     ```
+     Write the actual resolved directory path value (for example, `specs/003-user-auth`), not the literal string `SPECIFY_FEATURE_DIRECTORY`.
+     This allows downstream commands (`/speckit.plan`, `/speckit.tasks`, etc.) to locate the feature directory without relying on git branch name conventions.
+
+   **IMPORTANT**:
+   - You must only create one feature per `/speckit.specify` invocation
+   - The spec directory name and the git branch name are independent — they may be the same but that is the user's choice
+   - The spec directory and file are always created by this command, never by the hook
+
+4. Load `.specify/templates/spec-template.md` to understand required sections.
+
+5. Follow this execution flow:
+    1. Parse user description from arguments
+       If empty: ERROR "No feature description provided"
+    2. Extract key concepts from description
+       Identify: actors, actions, data, constraints
+    3. For unclear aspects:
+       - Make informed guesses based on context and industry standards
+       - Only mark with [NEEDS CLARIFICATION: specific question] if:
+         - The choice significantly impacts feature scope or user experience
+         - Multiple reasonable interpretations exist with different implications
+         - No reasonable default exists
+       - **LIMIT: Maximum 3 [NEEDS CLARIFICATION] markers total**
+       - Prioritize clarifications by impact: scope > security/privacy > user experience > technical details
+    4. Fill User Scenarios & Testing section
+       If no clear user flow: ERROR "Cannot determine user scenarios"
+    5. Generate Functional Requirements
+       Each requirement must be testable
+       Use reasonable defaults for unspecified details (document assumptions in Assumptions section)
+    6. Define Success Criteria
+       Create measurable, technology-agnostic outcomes
+       Include both quantitative metrics (time, performance, volume) and qualitative measures (user satisfaction, task completion)
+       Each criterion must be verifiable without implementation details
+    7. Identify Key Entities (if data involved)
+    8. Return: SUCCESS (spec ready for planning)
+
+6. Write the specification to SPEC_FILE using the template structure, replacing placeholders with concrete details derived from the feature description (arguments) while preserving section order and headings.
+
+7. **Specification Quality Validation**: After writing the initial spec, validate it against quality criteria:
+
+   a. **Create Spec Quality Checklist**: Generate a checklist file at `SPECIFY_FEATURE_DIRECTORY/checklists/requirements.md` using the checklist template structure with these validation items:
+
+      ```markdown
+      # Specification Quality Checklist: [FEATURE NAME]
+      
+      **Purpose**: Validate specification completeness and quality before proceeding to planning
+      **Created**: [DATE]
+      **Feature**: [Link to spec.md]
+      
+      ## Content Quality
+      
+      - [ ] No implementation details (languages, frameworks, APIs)
+      - [ ] Focused on user value and business needs
+      - [ ] Written for non-technical stakeholders
+      - [ ] All mandatory sections completed
+      
+      ## Requirement Completeness
+      
+      - [ ] No [NEEDS CLARIFICATION] markers remain
+      - [ ] Requirements are testable and unambiguous
+      - [ ] Success criteria are measurable
+      - [ ] Success criteria are technology-agnostic (no implementation details)
+      - [ ] All acceptance scenarios are defined
+      - [ ] Edge cases are identified
+      - [ ] Scope is clearly bounded
+      - [ ] Dependencies and assumptions identified
+      
+      ## Feature Readiness
+      
+      - [ ] All functional requirements have clear acceptance criteria
+      - [ ] User scenarios cover primary flows
+      - [ ] Feature meets measurable outcomes defined in Success Criteria
+      - [ ] No implementation details leak into specification
+      
+      ## Notes
+      
+      - Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`
+      ```
+
+   b. **Run Validation Check**: Review the spec against each checklist item:
+      - For each item, determine if it passes or fails
+      - Document specific issues found (quote relevant spec sections)
+
+   c. **Handle Validation Results**:
+
+      - **If all items pass**: Mark checklist complete and proceed to step 7
+
+      - **If items fail (excluding [NEEDS CLARIFICATION])**:
+        1. List the failing items and specific issues
+        2. Update the spec to address each issue
+        3. Re-run validation until all items pass (max 3 iterations)
+        4. If still failing after 3 iterations, document remaining issues in checklist notes and warn user
+
+      - **If [NEEDS CLARIFICATION] markers remain**:
+        1. Extract all [NEEDS CLARIFICATION: ...] markers from the spec
+        2. **LIMIT CHECK**: If more than 3 markers exist, keep only the 3 most critical (by scope/security/UX impact) and make informed guesses for the rest
+        3. For each clarification needed (max 3), present options to user in this format:
+
+           ```markdown
+           ## Question [N]: [Topic]
+           
+           **Context**: [Quote relevant spec section]
+           
+           **What we need to know**: [Specific question from NEEDS CLARIFICATION marker]
+           
+           **Suggested Answers**:
+           
+           | Option | Answer | Implications |
+           |--------|--------|--------------|
+           | A      | [First suggested answer] | [What this means for the feature] |
+           | B      | [Second suggested answer] | [What this means for the feature] |
+           | C      | [Third suggested answer] | [What this means for the feature] |
+           | Custom | Provide your own answer | [Explain how to provide custom input] |
+           
+           **Your choice**: _[Wait for user response]_
+           ```
+
+        4. **CRITICAL - Table Formatting**: Ensure markdown tables are properly formatted:
+           - Use consistent spacing with pipes aligned
+           - Each cell should have spaces around content: `| Content |` not `|Content|`
+           - Header separator must have at least 3 dashes: `|--------|`
+           - Test that the table renders correctly in markdown preview
+        5. Number questions sequentially (Q1, Q2, Q3 - max 3 total)
+        6. Present all questions together before waiting for responses
+        7. Wait for user to respond with their choices for all questions (e.g., "Q1: A, Q2: Custom - [details], Q3: B")
+        8. Update the spec by replacing each [NEEDS CLARIFICATION] marker with the user's selected or provided answer
+        9. Re-run validation after all clarifications are resolved
+
+   d. **Update Checklist**: After each validation iteration, update the checklist file with current pass/fail status
+
+8. **Report completion** to the user with:
+   - `SPECIFY_FEATURE_DIRECTORY` — the feature directory path
+   - `SPEC_FILE` — the spec file path
+   - Checklist results summary
+   - Readiness for the next phase (`/speckit.clarify` or `/speckit.plan`)
+
+9. **Check for extension hooks**: After reporting completion, check if `.specify/extensions.yml` exists in the project root.
+   - If it exists, read it and look for entries under the `hooks.after_specify` key
+   - If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+   - Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+   - For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+     - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+     - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+   - For each executable hook, output the following based on its `optional` flag:
+     - **Optional hook** (`optional: true`):
+       ```
+       ## Extension Hooks
+
+       **Optional Hook**: {extension}
+       Command: `/{command}`
+       Description: {description}
+
+       Prompt: {prompt}
+       To execute: `/{command}`
+       ```
+     - **Mandatory hook** (`optional: false`):
+       ```
+       ## Extension Hooks
+
+       **Automatic Hook**: {extension}
+       Executing: `/{command}`
+       EXECUTE_COMMAND: {command}
+       ```
+   - If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+**NOTE:** Branch creation is handled by the `before_specify` hook (git extension). Spec directory and file creation are always handled by this core command.
+
+## Quick Guidelines
+
+- Focus on **WHAT** users need and **WHY**.
+- Avoid HOW to implement (no tech stack, APIs, code structure).
+- Written for business stakeholders, not developers.
+- DO NOT create any checklists that are embedded in the spec. That will be a separate command.
+
+### Section Requirements
+
+- **Mandatory sections**: Must be completed for every feature
+- **Optional sections**: Include only when relevant to the feature
+- When a section doesn't apply, remove it entirely (don't leave as "N/A")
+
+### For AI Generation
+
+When creating this spec from a user prompt:
+
+1. **Make informed guesses**: Use context, industry standards, and common patterns to fill gaps
+2. **Document assumptions**: Record reasonable defaults in the Assumptions section
+3. **Limit clarifications**: Maximum 3 [NEEDS CLARIFICATION] markers - use only for critical decisions that:
+   - Significantly impact feature scope or user experience
+   - Have multiple reasonable interpretations with different implications
+   - Lack any reasonable default
+4. **Prioritize clarifications**: scope > security/privacy > user experience > technical details
+5. **Think like a tester**: Every vague requirement should fail the "testable and unambiguous" checklist item
+6. **Common areas needing clarification** (only if no reasonable default exists):
+   - Feature scope and boundaries (include/exclude specific use cases)
+   - User types and permissions (if multiple conflicting interpretations possible)
+   - Security/compliance requirements (when legally/financially significant)
+
+**Examples of reasonable defaults** (don't ask about these):
+
+- Data retention: Industry-standard practices for the domain
+- Performance targets: Standard web/mobile app expectations unless specified
+- Error handling: User-friendly messages with appropriate fallbacks
+- Authentication method: Standard session-based or OAuth2 for web apps
+- Integration patterns: Use project-appropriate patterns (REST/GraphQL for web services, function calls for libraries, CLI args for tools, etc.)
+
+### Success Criteria Guidelines
+
+Success criteria must be:
+
+1. **Measurable**: Include specific metrics (time, percentage, count, rate)
+2. **Technology-agnostic**: No mention of frameworks, languages, databases, or tools
+3. **User-focused**: Describe outcomes from user/business perspective, not system internals
+4. **Verifiable**: Can be tested/validated without knowing implementation details
+
+**Good examples**:
+
+- "Users can complete checkout in under 3 minutes"
+- "System supports 10,000 concurrent users"
+- "95% of searches return results in under 1 second"
+- "Task completion rate improves by 40%"
+
+**Bad examples** (implementation-focused):
+
+- "API response time is under 200ms" (too technical, use "Users see results instantly")
+- "Database can handle 1000 TPS" (implementation detail, use user-facing metric)
+- "React components render efficiently" (framework-specific)
+- "Redis cache hit rate above 80%" (technology-specific)
diff --git a/.claude/skills/speckit-tasks/SKILL.md b/.claude/skills/speckit-tasks/SKILL.md
new file mode 100644
index 0000000..11bb2b8
--- /dev/null
+++ b/.claude/skills/speckit-tasks/SKILL.md
@@ -0,0 +1,200 @@
+---
+name: "speckit-tasks"
+description: "Generate an actionable, dependency-ordered tasks.md for the feature based on available design artifacts."
+argument-hint: "Optional task generation constraints"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/tasks.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before tasks generation)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_tasks` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load design documents**: Read from FEATURE_DIR:
+   - **Required**: plan.md (tech stack, libraries, structure), spec.md (user stories with priorities)
+   - **Optional**: data-model.md (entities), contracts/ (interface contracts), research.md (decisions), quickstart.md (test scenarios)
+   - Note: Not all projects have all documents. Generate tasks based on what's available.
+
+3. **Execute task generation workflow**:
+   - Load plan.md and extract tech stack, libraries, project structure
+   - Load spec.md and extract user stories with their priorities (P1, P2, P3, etc.)
+   - If data-model.md exists: Extract entities and map to user stories
+   - If contracts/ exists: Map interface contracts to user stories
+   - If research.md exists: Extract decisions for setup tasks
+   - Generate tasks organized by user story (see Task Generation Rules below)
+   - Generate dependency graph showing user story completion order
+   - Create parallel execution examples per user story
+   - Validate task completeness (each user story has all needed tasks, independently testable)
+
+4. **Generate tasks.md**: Use `.specify/templates/tasks-template.md` as structure, fill with:
+   - Correct feature name from plan.md
+   - Phase 1: Setup tasks (project initialization)
+   - Phase 2: Foundational tasks (blocking prerequisites for all user stories)
+   - Phase 3+: One phase per user story (in priority order from spec.md)
+   - Each phase includes: story goal, independent test criteria, tests (if requested), implementation tasks
+   - Final Phase: Polish & cross-cutting concerns
+   - All tasks must follow the strict checklist format (see Task Generation Rules below)
+   - Clear file paths for each task
+   - Dependencies section showing story completion order
+   - Parallel execution examples per story
+   - Implementation strategy section (MVP first, incremental delivery)
+
+5. **Report**: Output path to generated tasks.md and summary:
+   - Total task count
+   - Task count per user story
+   - Parallel opportunities identified
+   - Independent test criteria for each story
+   - Suggested MVP scope (typically just User Story 1)
+   - Format validation: Confirm ALL tasks follow the checklist format (checkbox, ID, labels, file paths)
+
+6. **Check for extension hooks**: After tasks.md is generated, check if `.specify/extensions.yml` exists in the project root.
+   - If it exists, read it and look for entries under the `hooks.after_tasks` key
+   - If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+   - Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+   - For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+     - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+     - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+   - For each executable hook, output the following based on its `optional` flag:
+     - **Optional hook** (`optional: true`):
+       ```
+       ## Extension Hooks
+
+       **Optional Hook**: {extension}
+       Command: `/{command}`
+       Description: {description}
+
+       Prompt: {prompt}
+       To execute: `/{command}`
+       ```
+     - **Mandatory hook** (`optional: false`):
+       ```
+       ## Extension Hooks
+
+       **Automatic Hook**: {extension}
+       Executing: `/{command}`
+       EXECUTE_COMMAND: {command}
+       ```
+   - If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+Context for task generation: $ARGUMENTS
+
+The tasks.md should be immediately executable - each task must be specific enough that an LLM can complete it without additional context.
+
+## Task Generation Rules
+
+**CRITICAL**: Tasks MUST be organized by user story to enable independent implementation and testing.
+
+**Tests are OPTIONAL**: Only generate test tasks if explicitly requested in the feature specification or if user requests TDD approach.
+
+### Checklist Format (REQUIRED)
+
+Every task MUST strictly follow this format:
+
+```text
+- [ ] [TaskID] [P?] [Story?] Description with file path
+```
+
+**Format Components**:
+
+1. **Checkbox**: ALWAYS start with `- [ ]` (markdown checkbox)
+2. **Task ID**: Sequential number (T001, T002, T003...) in execution order
+3. **[P] marker**: Include ONLY if task is parallelizable (different files, no dependencies on incomplete tasks)
+4. **[Story] label**: REQUIRED for user story phase tasks only
+   - Format: [US1], [US2], [US3], etc. (maps to user stories from spec.md)
+   - Setup phase: NO story label
+   - Foundational phase: NO story label  
+   - User Story phases: MUST have story label
+   - Polish phase: NO story label
+5. **Description**: Clear action with exact file path
+
+**Examples**:
+
+- ✅ CORRECT: `- [ ] T001 Create project structure per implementation plan`
+- ✅ CORRECT: `- [ ] T005 [P] Implement authentication middleware in src/middleware/auth.py`
+- ✅ CORRECT: `- [ ] T012 [P] [US1] Create User model in src/models/user.py`
+- ✅ CORRECT: `- [ ] T014 [US1] Implement UserService in src/services/user_service.py`
+- ❌ WRONG: `- [ ] Create User model` (missing ID and Story label)
+- ❌ WRONG: `T001 [US1] Create model` (missing checkbox)
+- ❌ WRONG: `- [ ] [US1] Create User model` (missing Task ID)
+- ❌ WRONG: `- [ ] T001 [US1] Create model` (missing file path)
+
+### Task Organization
+
+1. **From User Stories (spec.md)** - PRIMARY ORGANIZATION:
+   - Each user story (P1, P2, P3...) gets its own phase
+   - Map all related components to their story:
+     - Models needed for that story
+     - Services needed for that story
+     - Interfaces/UI needed for that story
+     - If tests requested: Tests specific to that story
+   - Mark story dependencies (most stories should be independent)
+
+2. **From Contracts**:
+   - Map each interface contract → to the user story it serves
+   - If tests requested: Each interface contract → contract test task [P] before implementation in that story's phase
+
+3. **From Data Model**:
+   - Map each entity to the user story(ies) that need it
+   - If entity serves multiple stories: Put in earliest story or Setup phase
+   - Relationships → service layer tasks in appropriate story phase
+
+4. **From Setup/Infrastructure**:
+   - Shared infrastructure → Setup phase (Phase 1)
+   - Foundational/blocking tasks → Foundational phase (Phase 2)
+   - Story-specific setup → within that story's phase
+
+### Phase Structure
+
+- **Phase 1**: Setup (project initialization)
+- **Phase 2**: Foundational (blocking prerequisites - MUST complete before user stories)
+- **Phase 3+**: User Stories in priority order (P1, P2, P3...)
+  - Within each story: Tests (if requested) → Models → Services → Endpoints → Integration
+  - Each phase should be a complete, independently testable increment
+- **Final Phase**: Polish & Cross-Cutting Concerns
diff --git a/.claude/skills/speckit-taskstoissues/SKILL.md b/.claude/skills/speckit-taskstoissues/SKILL.md
new file mode 100644
index 0000000..a159816
--- /dev/null
+++ b/.claude/skills/speckit-taskstoissues/SKILL.md
@@ -0,0 +1,104 @@
+---
+name: "speckit-taskstoissues"
+description: "Convert existing tasks into actionable, dependency-ordered GitHub issues for the feature based on available design artifacts."
+argument-hint: "Optional filter or label for GitHub issues"
+compatibility: "Requires spec-kit project structure with .specify/ directory"
+metadata:
+  author: "github-spec-kit"
+  source: "templates/commands/taskstoissues.md"
+user-invocable: true
+disable-model-invocation: true
+---
+
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Pre-Execution Checks
+
+**Check for extension hooks (before tasks-to-issues conversion)**:
+- Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.before_taskstoissues` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Pre-Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Pre-Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+
+    Wait for the result of the hook command before proceeding to the Outline.
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+1. From the executed script, extract the path to **tasks**.
+1. Get the Git remote by running:
+
+```bash
+git config --get remote.origin.url
+```
+
+> [!CAUTION]
+> ONLY PROCEED TO NEXT STEPS IF THE REMOTE IS A GITHUB URL
+
+1. For each task in the list, use the GitHub MCP server to create a new issue in the repository that is representative of the Git remote.
+
+> [!CAUTION]
+> UNDER NO CIRCUMSTANCES EVER CREATE ISSUES IN REPOSITORIES THAT DO NOT MATCH THE REMOTE URL
+
+## Post-Execution Checks
+
+**Check for extension hooks (after tasks-to-issues conversion)**:
+Check if `.specify/extensions.yml` exists in the project root.
+- If it exists, read it and look for entries under the `hooks.after_taskstoissues` key
+- If the YAML cannot be parsed or is invalid, skip hook checking silently and continue normally
+- Filter out hooks where `enabled` is explicitly `false`. Treat hooks without an `enabled` field as enabled by default.
+- For each remaining hook, do **not** attempt to interpret or evaluate hook `condition` expressions:
+  - If the hook has no `condition` field, or it is null/empty, treat the hook as executable
+  - If the hook defines a non-empty `condition`, skip the hook and leave condition evaluation to the HookExecutor implementation
+- For each executable hook, output the following based on its `optional` flag:
+  - **Optional hook** (`optional: true`):
+    ```
+    ## Extension Hooks
+
+    **Optional Hook**: {extension}
+    Command: `/{command}`
+    Description: {description}
+
+    Prompt: {prompt}
+    To execute: `/{command}`
+    ```
+  - **Mandatory hook** (`optional: false`):
+    ```
+    ## Extension Hooks
+
+    **Automatic Hook**: {extension}
+    Executing: `/{command}`
+    EXECUTE_COMMAND: {command}
+    ```
+- If no hooks are registered or `.specify/extensions.yml` does not exist, skip silently
diff --git a/.specify/extensions.yml b/.specify/extensions.yml
new file mode 100644
index 0000000..efbbda9
--- /dev/null
+++ b/.specify/extensions.yml
@@ -0,0 +1,148 @@
+installed: []
+settings:
+  auto_execute_hooks: true
+hooks:
+  before_constitution:
+  - extension: git
+    command: speckit.git.initialize
+    enabled: true
+    optional: false
+    prompt: Execute speckit.git.initialize?
+    description: Initialize Git repository before constitution setup
+    condition: null
+  before_specify:
+  - extension: git
+    command: speckit.git.feature
+    enabled: true
+    optional: false
+    prompt: Execute speckit.git.feature?
+    description: Create feature branch before specification
+    condition: null
+  before_clarify:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before clarification?
+    description: Auto-commit before spec clarification
+    condition: null
+  before_plan:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before planning?
+    description: Auto-commit before implementation planning
+    condition: null
+  before_tasks:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before task generation?
+    description: Auto-commit before task generation
+    condition: null
+  before_implement:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before implementation?
+    description: Auto-commit before implementation
+    condition: null
+  before_checklist:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before checklist?
+    description: Auto-commit before checklist generation
+    condition: null
+  before_analyze:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before analysis?
+    description: Auto-commit before analysis
+    condition: null
+  before_taskstoissues:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit outstanding changes before issue sync?
+    description: Auto-commit before tasks-to-issues conversion
+    condition: null
+  after_constitution:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit constitution changes?
+    description: Auto-commit after constitution update
+    condition: null
+  after_specify:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit specification changes?
+    description: Auto-commit after specification
+    condition: null
+  after_clarify:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit clarification changes?
+    description: Auto-commit after spec clarification
+    condition: null
+  after_plan:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit plan changes?
+    description: Auto-commit after implementation planning
+    condition: null
+  after_tasks:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit task changes?
+    description: Auto-commit after task generation
+    condition: null
+  after_implement:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit implementation changes?
+    description: Auto-commit after implementation
+    condition: null
+  after_checklist:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit checklist changes?
+    description: Auto-commit after checklist generation
+    condition: null
+  after_analyze:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit analysis results?
+    description: Auto-commit after analysis
+    condition: null
+  after_taskstoissues:
+  - extension: git
+    command: speckit.git.commit
+    enabled: true
+    optional: true
+    prompt: Commit after syncing issues?
+    description: Auto-commit after tasks-to-issues conversion
+    condition: null
diff --git a/.specify/extensions/.registry b/.specify/extensions/.registry
new file mode 100644
index 0000000..e9eb3b3
--- /dev/null
+++ b/.specify/extensions/.registry
@@ -0,0 +1,23 @@
+{
+  "schema_version": "1.0",
+  "extensions": {
+    "git": {
+      "version": "1.0.0",
+      "source": "local",
+      "manifest_hash": "sha256:9731aa8143a72fbebfdb440f155038ab42642517c2b2bdbbf67c8fdbe076ed79",
+      "enabled": true,
+      "priority": 10,
+      "registered_commands": {
+        "claude": [
+          "speckit.git.feature",
+          "speckit.git.validate",
+          "speckit.git.remote",
+          "speckit.git.initialize",
+          "speckit.git.commit"
+        ]
+      },
+      "registered_skills": [],
+      "installed_at": "2026-04-09T15:40:54.449044+00:00"
+    }
+  }
+}
\ No newline at end of file
diff --git a/.specify/extensions/git/README.md b/.specify/extensions/git/README.md
new file mode 100644
index 0000000..31ba75c
--- /dev/null
+++ b/.specify/extensions/git/README.md
@@ -0,0 +1,100 @@
+# Git Branching Workflow Extension
+
+Git repository initialization, feature branch creation, numbering (sequential/timestamp), validation, remote detection, and auto-commit for Spec Kit.
+
+## Overview
+
+This extension provides Git operations as an optional, self-contained module. It manages:
+
+- **Repository initialization** with configurable commit messages
+- **Feature branch creation** with sequential (`001-feature-name`) or timestamp (`20260319-143022-feature-name`) numbering
+- **Branch validation** to ensure branches follow naming conventions
+- **Git remote detection** for GitHub integration (e.g., issue creation)
+- **Auto-commit** after core commands (configurable per-command with custom messages)
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `speckit.git.initialize` | Initialize a Git repository with a configurable commit message |
+| `speckit.git.feature` | Create a feature branch with sequential or timestamp numbering |
+| `speckit.git.validate` | Validate current branch follows feature branch naming conventions |
+| `speckit.git.remote` | Detect Git remote URL for GitHub integration |
+| `speckit.git.commit` | Auto-commit changes (configurable per-command enable/disable and messages) |
+
+## Hooks
+
+| Event | Command | Optional | Description |
+|-------|---------|----------|-------------|
+| `before_constitution` | `speckit.git.initialize` | No | Init git repo before constitution |
+| `before_specify` | `speckit.git.feature` | No | Create feature branch before specification |
+| `before_clarify` | `speckit.git.commit` | Yes | Commit outstanding changes before clarification |
+| `before_plan` | `speckit.git.commit` | Yes | Commit outstanding changes before planning |
+| `before_tasks` | `speckit.git.commit` | Yes | Commit outstanding changes before task generation |
+| `before_implement` | `speckit.git.commit` | Yes | Commit outstanding changes before implementation |
+| `before_checklist` | `speckit.git.commit` | Yes | Commit outstanding changes before checklist |
+| `before_analyze` | `speckit.git.commit` | Yes | Commit outstanding changes before analysis |
+| `before_taskstoissues` | `speckit.git.commit` | Yes | Commit outstanding changes before issue sync |
+| `after_constitution` | `speckit.git.commit` | Yes | Auto-commit after constitution update |
+| `after_specify` | `speckit.git.commit` | Yes | Auto-commit after specification |
+| `after_clarify` | `speckit.git.commit` | Yes | Auto-commit after clarification |
+| `after_plan` | `speckit.git.commit` | Yes | Auto-commit after planning |
+| `after_tasks` | `speckit.git.commit` | Yes | Auto-commit after task generation |
+| `after_implement` | `speckit.git.commit` | Yes | Auto-commit after implementation |
+| `after_checklist` | `speckit.git.commit` | Yes | Auto-commit after checklist |
+| `after_analyze` | `speckit.git.commit` | Yes | Auto-commit after analysis |
+| `after_taskstoissues` | `speckit.git.commit` | Yes | Auto-commit after issue sync |
+
+## Configuration
+
+Configuration is stored in `.specify/extensions/git/git-config.yml`:
+
+```yaml
+# Branch numbering strategy: "sequential" or "timestamp"
+branch_numbering: sequential
+
+# Custom commit message for git init
+init_commit_message: "[Spec Kit] Initial commit"
+
+# Auto-commit per command (all disabled by default)
+# Example: enable auto-commit after specify
+auto_commit:
+  default: false
+  after_specify:
+    enabled: true
+    message: "[Spec Kit] Add specification"
+```
+
+## Installation
+
+```bash
+# Install the bundled git extension (no network required)
+specify extension add git
+```
+
+## Disabling
+
+```bash
+# Disable the git extension (spec creation continues without branching)
+specify extension disable git
+
+# Re-enable it
+specify extension enable git
+```
+
+## Graceful Degradation
+
+When Git is not installed or the directory is not a Git repository:
+- Spec directories are still created under `specs/`
+- Branch creation is skipped with a warning
+- Branch validation is skipped with a warning
+- Remote detection returns empty results
+
+## Scripts
+
+The extension bundles cross-platform scripts:
+
+- `scripts/bash/create-new-feature.sh` — Bash implementation
+- `scripts/bash/git-common.sh` — Shared Git utilities (Bash)
+- `scripts/powershell/create-new-feature.ps1` — PowerShell implementation
+- `scripts/powershell/git-common.ps1` — Shared Git utilities (PowerShell)
diff --git a/.specify/extensions/git/commands/speckit.git.commit.md b/.specify/extensions/git/commands/speckit.git.commit.md
new file mode 100644
index 0000000..e606f91
--- /dev/null
+++ b/.specify/extensions/git/commands/speckit.git.commit.md
@@ -0,0 +1,48 @@
+---
+description: "Auto-commit changes after a Spec Kit command completes"
+---
+
+# Auto-Commit Changes
+
+Automatically stage and commit all changes after a Spec Kit command completes.
+
+## Behavior
+
+This command is invoked as a hook after (or before) core commands. It:
+
+1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
+2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
+3. Looks up the specific event key to see if auto-commit is enabled
+4. Falls back to `auto_commit.default` if no event-specific key exists
+5. Uses the per-command `message` if configured, otherwise a default message
+6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
+
+## Execution
+
+Determine the event name from the hook that triggered this command, then run the script:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
+
+Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
+
+## Configuration
+
+In `.specify/extensions/git/git-config.yml`:
+
+```yaml
+auto_commit:
+  default: false          # Global toggle — set true to enable for all commands
+  after_specify:
+    enabled: true          # Override per-command
+    message: "[Spec Kit] Add specification"
+  after_plan:
+    enabled: false
+    message: "[Spec Kit] Add implementation plan"
+```
+
+## Graceful Degradation
+
+- If Git is not available or the current directory is not a repository: skips with a warning
+- If no config file exists: skips (disabled by default)
+- If no changes to commit: skips with a message
diff --git a/.specify/extensions/git/commands/speckit.git.feature.md b/.specify/extensions/git/commands/speckit.git.feature.md
new file mode 100644
index 0000000..1a9c5e3
--- /dev/null
+++ b/.specify/extensions/git/commands/speckit.git.feature.md
@@ -0,0 +1,67 @@
+---
+description: "Create a feature branch with sequential or timestamp numbering"
+---
+
+# Create Feature Branch
+
+Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Environment Variable Override
+
+If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
+- The script uses the exact value as the branch name, bypassing all prefix/suffix generation
+- `--short-name`, `--number`, and `--timestamp` flags are ignored
+- `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
+
+## Prerequisites
+
+- Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, warn the user and skip branch creation
+
+## Branch Numbering Mode
+
+Determine the branch numbering strategy by checking configuration in this order:
+
+1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
+2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
+3. Default to `sequential` if neither exists
+
+## Execution
+
+Generate a concise short name (2-4 words) for the branch:
+- Analyze the feature description and extract the most meaningful keywords
+- Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
+- Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
+
+Run the appropriate script based on your platform:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
+- **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
+- **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
+
+**IMPORTANT**:
+- Do NOT pass `--number` — the script determines the correct next number automatically
+- Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
+- You must only ever run this script once per feature
+- The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
+
+## Graceful Degradation
+
+If Git is not installed or the current directory is not a Git repository:
+- Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
+- The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
+
+## Output
+
+The script outputs JSON with:
+- `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
+- `FEATURE_NUM`: The numeric or timestamp prefix used
diff --git a/.specify/extensions/git/commands/speckit.git.initialize.md b/.specify/extensions/git/commands/speckit.git.initialize.md
new file mode 100644
index 0000000..4451ee6
--- /dev/null
+++ b/.specify/extensions/git/commands/speckit.git.initialize.md
@@ -0,0 +1,49 @@
+---
+description: "Initialize a Git repository with an initial commit"
+---
+
+# Initialize Git Repository
+
+Initialize a Git repository in the current project directory if one does not already exist.
+
+## Execution
+
+Run the appropriate script from the project root:
+
+- **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
+- **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
+
+If the extension scripts are not found, fall back to:
+- **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
+- **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
+
+The script handles all checks internally:
+- Skips if Git is not available
+- Skips if already inside a Git repository
+- Runs `git init`, `git add .`, and `git commit` with an initial commit message
+
+## Customization
+
+Replace the script to add project-specific Git initialization steps:
+- Custom `.gitignore` templates
+- Default branch naming (`git config init.defaultBranch`)
+- Git LFS setup
+- Git hooks installation
+- Commit signing configuration
+- Git Flow initialization
+
+## Output
+
+On success:
+- `✓ Git repository initialized`
+
+## Graceful Degradation
+
+If Git is not installed:
+- Warn the user
+- Skip repository initialization
+- The project continues to function without Git (specs can still be created under `specs/`)
+
+If Git is installed but `git init`, `git add .`, or `git commit` fails:
+- Surface the error to the user
+- Stop this command rather than continuing with a partially initialized repository
diff --git a/.specify/extensions/git/commands/speckit.git.remote.md b/.specify/extensions/git/commands/speckit.git.remote.md
new file mode 100644
index 0000000..712a3e8
--- /dev/null
+++ b/.specify/extensions/git/commands/speckit.git.remote.md
@@ -0,0 +1,45 @@
+---
+description: "Detect Git remote URL for GitHub integration"
+---
+
+# Detect Git Remote URL
+
+Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
+
+## Prerequisites
+
+- Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, output a warning and return empty:
+  ```
+  [specify] Warning: Git repository not detected; cannot determine remote URL
+  ```
+
+## Execution
+
+Run the following command to get the remote URL:
+
+```bash
+git config --get remote.origin.url
+```
+
+## Output
+
+Parse the remote URL and determine:
+
+1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
+2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
+3. **Is GitHub**: Whether the remote points to a GitHub repository
+
+Supported URL formats:
+- HTTPS: `https://github.com/<owner>/<repo>.git`
+- SSH: `git@github.com:<owner>/<repo>.git`
+
+> [!CAUTION]
+> ONLY report a GitHub repository if the remote URL actually points to github.com.
+> Do NOT assume the remote is GitHub if the URL format doesn't match.
+
+## Graceful Degradation
+
+If Git is not installed, the directory is not a Git repository, or no remote is configured:
+- Return an empty result
+- Do NOT error — other workflows should continue without Git remote information
diff --git a/.specify/extensions/git/commands/speckit.git.validate.md b/.specify/extensions/git/commands/speckit.git.validate.md
new file mode 100644
index 0000000..dd84618
--- /dev/null
+++ b/.specify/extensions/git/commands/speckit.git.validate.md
@@ -0,0 +1,49 @@
+---
+description: "Validate current branch follows feature branch naming conventions"
+---
+
+# Validate Feature Branch
+
+Validate that the current Git branch follows the expected feature branch naming conventions.
+
+## Prerequisites
+
+- Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
+- If Git is not available, output a warning and skip validation:
+  ```
+  [specify] Warning: Git repository not detected; skipped branch validation
+  ```
+
+## Validation Rules
+
+Get the current branch name:
+
+```bash
+git rev-parse --abbrev-ref HEAD
+```
+
+The branch name must match one of these patterns:
+
+1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
+2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
+
+## Execution
+
+If on a feature branch (matches either pattern):
+- Output: `✓ On feature branch: <branch-name>`
+- Check if the corresponding spec directory exists under `specs/`:
+  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
+  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
+- If spec directory exists: `✓ Spec directory found: <path>`
+- If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
+
+If NOT on a feature branch:
+- Output: `✗ Not on a feature branch. Current branch: <branch-name>`
+- Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
+
+## Graceful Degradation
+
+If Git is not installed or the directory is not a Git repository:
+- Check the `SPECIFY_FEATURE` environment variable as a fallback
+- If set, validate that value against the naming patterns
+- If not set, skip validation with a warning
diff --git a/.specify/extensions/git/config-template.yml b/.specify/extensions/git/config-template.yml
new file mode 100644
index 0000000..8c414ba
--- /dev/null
+++ b/.specify/extensions/git/config-template.yml
@@ -0,0 +1,62 @@
+# Git Branching Workflow Extension Configuration
+# Copied to .specify/extensions/git/git-config.yml on install
+
+# Branch numbering strategy: "sequential" (001, 002, ...) or "timestamp" (YYYYMMDD-HHMMSS)
+branch_numbering: sequential
+
+# Commit message used by `git commit` during repository initialization
+init_commit_message: "[Spec Kit] Initial commit"
+
+# Auto-commit before/after core commands.
+# Set "default" to enable for all commands, then override per-command.
+# Each key can be true/false. Message is customizable per-command.
+auto_commit:
+  default: false
+  before_clarify:
+    enabled: false
+    message: "[Spec Kit] Save progress before clarification"
+  before_plan:
+    enabled: false
+    message: "[Spec Kit] Save progress before planning"
+  before_tasks:
+    enabled: false
+    message: "[Spec Kit] Save progress before task generation"
+  before_implement:
+    enabled: false
+    message: "[Spec Kit] Save progress before implementation"
+  before_checklist:
+    enabled: false
+    message: "[Spec Kit] Save progress before checklist"
+  before_analyze:
+    enabled: false
+    message: "[Spec Kit] Save progress before analysis"
+  before_taskstoissues:
+    enabled: false
+    message: "[Spec Kit] Save progress before issue sync"
+  after_constitution:
+    enabled: false
+    message: "[Spec Kit] Add project constitution"
+  after_specify:
+    enabled: false
+    message: "[Spec Kit] Add specification"
+  after_clarify:
+    enabled: false
+    message: "[Spec Kit] Clarify specification"
+  after_plan:
+    enabled: false
+    message: "[Spec Kit] Add implementation plan"
+  after_tasks:
+    enabled: false
+    message: "[Spec Kit] Add tasks"
+  after_implement:
+    enabled: false
+    message: "[Spec Kit] Implementation progress"
+  after_checklist:
+    enabled: false
+    message: "[Spec Kit] Add checklist"
+  after_analyze:
+    enabled: false
+    message: "[Spec Kit] Add analysis report"
+  after_taskstoissues:
+    enabled: false
+    message: "[Spec Kit] Sync tasks to issues"
diff --git a/.specify/extensions/git/extension.yml b/.specify/extensions/git/extension.yml
new file mode 100644
index 0000000..13c1977
--- /dev/null
+++ b/.specify/extensions/git/extension.yml
@@ -0,0 +1,140 @@
+schema_version: "1.0"
+
+extension:
+  id: git
+  name: "Git Branching Workflow"
+  version: "1.0.0"
+  description: "Feature branch creation, numbering (sequential/timestamp), validation, and Git remote detection"
+  author: spec-kit-core
+  repository: https://github.com/github/spec-kit
+  license: MIT
+
+requires:
+  speckit_version: ">=0.2.0"
+  tools:
+    - name: git
+      required: false
+
+provides:
+  commands:
+    - name: speckit.git.feature
+      file: commands/speckit.git.feature.md
+      description: "Create a feature branch with sequential or timestamp numbering"
+    - name: speckit.git.validate
+      file: commands/speckit.git.validate.md
+      description: "Validate current branch follows feature branch naming conventions"
+    - name: speckit.git.remote
+      file: commands/speckit.git.remote.md
+      description: "Detect Git remote URL for GitHub integration"
+    - name: speckit.git.initialize
+      file: commands/speckit.git.initialize.md
+      description: "Initialize a Git repository with an initial commit"
+    - name: speckit.git.commit
+      file: commands/speckit.git.commit.md
+      description: "Auto-commit changes after a Spec Kit command completes"
+
+  config:
+    - name: "git-config.yml"
+      template: "config-template.yml"
+      description: "Git branching configuration"
+      required: false
+
+hooks:
+  before_constitution:
+    command: speckit.git.initialize
+    optional: false
+    description: "Initialize Git repository before constitution setup"
+  before_specify:
+    command: speckit.git.feature
+    optional: false
+    description: "Create feature branch before specification"
+  before_clarify:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before clarification?"
+    description: "Auto-commit before spec clarification"
+  before_plan:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before planning?"
+    description: "Auto-commit before implementation planning"
+  before_tasks:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before task generation?"
+    description: "Auto-commit before task generation"
+  before_implement:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before implementation?"
+    description: "Auto-commit before implementation"
+  before_checklist:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before checklist?"
+    description: "Auto-commit before checklist generation"
+  before_analyze:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before analysis?"
+    description: "Auto-commit before analysis"
+  before_taskstoissues:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit outstanding changes before issue sync?"
+    description: "Auto-commit before tasks-to-issues conversion"
+  after_constitution:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit constitution changes?"
+    description: "Auto-commit after constitution update"
+  after_specify:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit specification changes?"
+    description: "Auto-commit after specification"
+  after_clarify:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit clarification changes?"
+    description: "Auto-commit after spec clarification"
+  after_plan:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit plan changes?"
+    description: "Auto-commit after implementation planning"
+  after_tasks:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit task changes?"
+    description: "Auto-commit after task generation"
+  after_implement:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit implementation changes?"
+    description: "Auto-commit after implementation"
+  after_checklist:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit checklist changes?"
+    description: "Auto-commit after checklist generation"
+  after_analyze:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit analysis results?"
+    description: "Auto-commit after analysis"
+  after_taskstoissues:
+    command: speckit.git.commit
+    optional: true
+    prompt: "Commit after syncing issues?"
+    description: "Auto-commit after tasks-to-issues conversion"
+
+tags:
+  - "git"
+  - "branching"
+  - "workflow"
+
+config:
+  defaults:
+    branch_numbering: sequential
+    init_commit_message: "[Spec Kit] Initial commit"
diff --git a/.specify/extensions/git/git-config.yml b/.specify/extensions/git/git-config.yml
new file mode 100644
index 0000000..8c414ba
--- /dev/null
+++ b/.specify/extensions/git/git-config.yml
@@ -0,0 +1,62 @@
+# Git Branching Workflow Extension Configuration
+# Copied to .specify/extensions/git/git-config.yml on install
+
+# Branch numbering strategy: "sequential" (001, 002, ...) or "timestamp" (YYYYMMDD-HHMMSS)
+branch_numbering: sequential
+
+# Commit message used by `git commit` during repository initialization
+init_commit_message: "[Spec Kit] Initial commit"
+
+# Auto-commit before/after core commands.
+# Set "default" to enable for all commands, then override per-command.
+# Each key can be true/false. Message is customizable per-command.
+auto_commit:
+  default: false
+  before_clarify:
+    enabled: false
+    message: "[Spec Kit] Save progress before clarification"
+  before_plan:
+    enabled: false
+    message: "[Spec Kit] Save progress before planning"
+  before_tasks:
+    enabled: false
+    message: "[Spec Kit] Save progress before task generation"
+  before_implement:
+    enabled: false
+    message: "[Spec Kit] Save progress before implementation"
+  before_checklist:
+    enabled: false
+    message: "[Spec Kit] Save progress before checklist"
+  before_analyze:
+    enabled: false
+    message: "[Spec Kit] Save progress before analysis"
+  before_taskstoissues:
+    enabled: false
+    message: "[Spec Kit] Save progress before issue sync"
+  after_constitution:
+    enabled: false
+    message: "[Spec Kit] Add project constitution"
+  after_specify:
+    enabled: false
+    message: "[Spec Kit] Add specification"
+  after_clarify:
+    enabled: false
+    message: "[Spec Kit] Clarify specification"
+  after_plan:
+    enabled: false
+    message: "[Spec Kit] Add implementation plan"
+  after_tasks:
+    enabled: false
+    message: "[Spec Kit] Add tasks"
+  after_implement:
+    enabled: false
+    message: "[Spec Kit] Implementation progress"
+  after_checklist:
+    enabled: false
+    message: "[Spec Kit] Add checklist"
+  after_analyze:
+    enabled: false
+    message: "[Spec Kit] Add analysis report"
+  after_taskstoissues:
+    enabled: false
+    message: "[Spec Kit] Sync tasks to issues"
diff --git a/.specify/extensions/git/scripts/bash/auto-commit.sh b/.specify/extensions/git/scripts/bash/auto-commit.sh
new file mode 100755
index 0000000..49c32fe
--- /dev/null
+++ b/.specify/extensions/git/scripts/bash/auto-commit.sh
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+# Git extension: auto-commit.sh
+# Automatically commit changes after a Spec Kit command completes.
+# Checks per-command config keys in git-config.yml before committing.
+#
+# Usage: auto-commit.sh <event_name>
+#   e.g.: auto-commit.sh after_specify
+
+set -e
+
+EVENT_NAME="${1:-}"
+if [ -z "$EVENT_NAME" ]; then
+    echo "Usage: $0 <event_name>" >&2
+    exit 1
+fi
+
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+_find_project_root() {
+    local dir="$1"
+    while [ "$dir" != "/" ]; do
+        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
+            echo "$dir"
+            return 0
+        fi
+        dir="$(dirname "$dir")"
+    done
+    return 1
+}
+
+REPO_ROOT=$(_find_project_root "$SCRIPT_DIR") || REPO_ROOT="$(pwd)"
+cd "$REPO_ROOT"
+
+# Check if git is available
+if ! command -v git >/dev/null 2>&1; then
+    echo "[specify] Warning: Git not found; skipped auto-commit" >&2
+    exit 0
+fi
+
+if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    echo "[specify] Warning: Not a Git repository; skipped auto-commit" >&2
+    exit 0
+fi
+
+# Read per-command config from git-config.yml
+_config_file="$REPO_ROOT/.specify/extensions/git/git-config.yml"
+_enabled=false
+_commit_msg=""
+
+if [ -f "$_config_file" ]; then
+    # Parse the auto_commit section for this event.
+    # Look for auto_commit.<event_name>.enabled and .message
+    # Also check auto_commit.default as fallback.
+    _in_auto_commit=false
+    _in_event=false
+    _default_enabled=false
+
+    while IFS= read -r _line; do
+        # Detect auto_commit: section
+        if echo "$_line" | grep -q '^auto_commit:'; then
+            _in_auto_commit=true
+            _in_event=false
+            continue
+        fi
+
+        # Exit auto_commit section on next top-level key
+        if $_in_auto_commit && echo "$_line" | grep -Eq '^[a-z]'; then
+            break
+        fi
+
+        if $_in_auto_commit; then
+            # Check default key
+            if echo "$_line" | grep -Eq "^[[:space:]]+default:[[:space:]]"; then
+                _val=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
+                [ "$_val" = "true" ] && _default_enabled=true
+            fi
+
+            # Detect our event subsection
+            if echo "$_line" | grep -Eq "^[[:space:]]+${EVENT_NAME}:"; then
+                _in_event=true
+                continue
+            fi
+
+            # Inside our event subsection
+            if $_in_event; then
+                # Exit on next sibling key (same indent level as event name)
+                if echo "$_line" | grep -Eq '^[[:space:]]{2}[a-z]' && ! echo "$_line" | grep -Eq '^[[:space:]]{4}'; then
+                    _in_event=false
+                    continue
+                fi
+                if echo "$_line" | grep -Eq '[[:space:]]+enabled:'; then
+                    _val=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
+                    [ "$_val" = "true" ] && _enabled=true
+                    [ "$_val" = "false" ] && _enabled=false
+                fi
+                if echo "$_line" | grep -Eq '[[:space:]]+message:'; then
+                    _commit_msg=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | sed 's/^["'\'']//' | sed 's/["'\'']*$//')
+                fi
+            fi
+        fi
+    done < "$_config_file"
+
+    # If event-specific key not found, use default
+    if [ "$_enabled" = "false" ] && [ "$_default_enabled" = "true" ]; then
+        # Only use default if the event wasn't explicitly set to false
+        # Check if event section existed at all
+        if ! grep -q "^[[:space:]]*${EVENT_NAME}:" "$_config_file" 2>/dev/null; then
+            _enabled=true
+        fi
+    fi
+else
+    # No config file — auto-commit disabled by default
+    exit 0
+fi
+
+if [ "$_enabled" != "true" ]; then
+    exit 0
+fi
+
+# Check if there are changes to commit
+if git diff --quiet HEAD 2>/dev/null && git diff --cached --quiet 2>/dev/null && [ -z "$(git ls-files --others --exclude-standard 2>/dev/null)" ]; then
+    echo "[specify] No changes to commit after $EVENT_NAME" >&2
+    exit 0
+fi
+
+# Derive a human-readable command name from the event
+# e.g., after_specify -> specify, before_plan -> plan
+_command_name=$(echo "$EVENT_NAME" | sed 's/^after_//' | sed 's/^before_//')
+_phase=$(echo "$EVENT_NAME" | grep -q '^before_' && echo 'before' || echo 'after')
+
+# Use custom message if configured, otherwise default
+if [ -z "$_commit_msg" ]; then
+    _commit_msg="[Spec Kit] Auto-commit ${_phase} ${_command_name}"
+fi
+
+# Stage and commit
+_git_out=$(git add . 2>&1) || { echo "[specify] Error: git add failed: $_git_out" >&2; exit 1; }
+_git_out=$(git commit -q -m "$_commit_msg" 2>&1) || { echo "[specify] Error: git commit failed: $_git_out" >&2; exit 1; }
+
+echo "✓ Changes committed ${_phase} ${_command_name}" >&2
diff --git a/.specify/extensions/git/scripts/bash/create-new-feature.sh b/.specify/extensions/git/scripts/bash/create-new-feature.sh
new file mode 100755
index 0000000..286aaf7
--- /dev/null
+++ b/.specify/extensions/git/scripts/bash/create-new-feature.sh
@@ -0,0 +1,453 @@
+#!/usr/bin/env bash
+# Git extension: create-new-feature.sh
+# Adapted from core scripts/bash/create-new-feature.sh for extension layout.
+# Sources common.sh from the project's installed scripts, falling back to
+# git-common.sh for minimal git helpers.
+
+set -e
+
+JSON_MODE=false
+DRY_RUN=false
+ALLOW_EXISTING=false
+SHORT_NAME=""
+BRANCH_NUMBER=""
+USE_TIMESTAMP=false
+ARGS=()
+i=1
+while [ $i -le $# ]; do
+    arg="${!i}"
+    case "$arg" in
+        --json)
+            JSON_MODE=true
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            ;;
+        --allow-existing-branch)
+            ALLOW_EXISTING=true
+            ;;
+        --short-name)
+            if [ $((i + 1)) -gt $# ]; then
+                echo 'Error: --short-name requires a value' >&2
+                exit 1
+            fi
+            i=$((i + 1))
+            next_arg="${!i}"
+            if [[ "$next_arg" == --* ]]; then
+                echo 'Error: --short-name requires a value' >&2
+                exit 1
+            fi
+            SHORT_NAME="$next_arg"
+            ;;
+        --number)
+            if [ $((i + 1)) -gt $# ]; then
+                echo 'Error: --number requires a value' >&2
+                exit 1
+            fi
+            i=$((i + 1))
+            next_arg="${!i}"
+            if [[ "$next_arg" == --* ]]; then
+                echo 'Error: --number requires a value' >&2
+                exit 1
+            fi
+            BRANCH_NUMBER="$next_arg"
+            if [[ ! "$BRANCH_NUMBER" =~ ^[0-9]+$ ]]; then
+                echo 'Error: --number must be a non-negative integer' >&2
+                exit 1
+            fi
+            ;;
+        --timestamp)
+            USE_TIMESTAMP=true
+            ;;
+        --help|-h)
+            echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>"
+            echo ""
+            echo "Options:"
+            echo "  --json              Output in JSON format"
+            echo "  --dry-run           Compute branch name without creating the branch"
+            echo "  --allow-existing-branch  Switch to branch if it already exists instead of failing"
+            echo "  --short-name <name> Provide a custom short name (2-4 words) for the branch"
+            echo "  --number N          Specify branch number manually (overrides auto-detection)"
+            echo "  --timestamp         Use timestamp prefix (YYYYMMDD-HHMMSS) instead of sequential numbering"
+            echo "  --help, -h          Show this help message"
+            echo ""
+            echo "Environment variables:"
+            echo "  GIT_BRANCH_NAME     Use this exact branch name, bypassing all prefix/suffix generation"
+            echo ""
+            echo "Examples:"
+            echo "  $0 'Add user authentication system' --short-name 'user-auth'"
+            echo "  $0 'Implement OAuth2 integration for API' --number 5"
+            echo "  $0 --timestamp --short-name 'user-auth' 'Add user authentication'"
+            echo "  GIT_BRANCH_NAME=my-branch $0 'feature description'"
+            exit 0
+            ;;
+        *)
+            ARGS+=("$arg")
+            ;;
+    esac
+    i=$((i + 1))
+done
+
+FEATURE_DESCRIPTION="${ARGS[*]}"
+if [ -z "$FEATURE_DESCRIPTION" ]; then
+    echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>" >&2
+    exit 1
+fi
+
+# Trim whitespace and validate description is not empty
+FEATURE_DESCRIPTION=$(echo "$FEATURE_DESCRIPTION" | xargs)
+if [ -z "$FEATURE_DESCRIPTION" ]; then
+    echo "Error: Feature description cannot be empty or contain only whitespace" >&2
+    exit 1
+fi
+
+# Function to get highest number from specs directory
+get_highest_from_specs() {
+    local specs_dir="$1"
+    local highest=0
+
+    if [ -d "$specs_dir" ]; then
+        for dir in "$specs_dir"/*; do
+            [ -d "$dir" ] || continue
+            dirname=$(basename "$dir")
+            # Match sequential prefixes (>=3 digits), but skip timestamp dirs.
+            if echo "$dirname" | grep -Eq '^[0-9]{3,}-' && ! echo "$dirname" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
+                number=$(echo "$dirname" | grep -Eo '^[0-9]+')
+                number=$((10#$number))
+                if [ "$number" -gt "$highest" ]; then
+                    highest=$number
+                fi
+            fi
+        done
+    fi
+
+    echo "$highest"
+}
+
+# Function to get highest number from git branches
+get_highest_from_branches() {
+    git branch -a 2>/dev/null | sed 's/^[* ]*//; s|^remotes/[^/]*/||' | _extract_highest_number
+}
+
+# Extract the highest sequential feature number from a list of ref names (one per line).
+_extract_highest_number() {
+    local highest=0
+    while IFS= read -r name; do
+        [ -z "$name" ] && continue
+        if echo "$name" | grep -Eq '^[0-9]{3,}-' && ! echo "$name" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
+            number=$(echo "$name" | grep -Eo '^[0-9]+' || echo "0")
+            number=$((10#$number))
+            if [ "$number" -gt "$highest" ]; then
+                highest=$number
+            fi
+        fi
+    done
+    echo "$highest"
+}
+
+# Function to get highest number from remote branches without fetching (side-effect-free)
+get_highest_from_remote_refs() {
+    local highest=0
+
+    for remote in $(git remote 2>/dev/null); do
+        local remote_highest
+        remote_highest=$(GIT_TERMINAL_PROMPT=0 git ls-remote --heads "$remote" 2>/dev/null | sed 's|.*refs/heads/||' | _extract_highest_number)
+        if [ "$remote_highest" -gt "$highest" ]; then
+            highest=$remote_highest
+        fi
+    done
+
+    echo "$highest"
+}
+
+# Function to check existing branches and return next available number.
+check_existing_branches() {
+    local specs_dir="$1"
+    local skip_fetch="${2:-false}"
+
+    if [ "$skip_fetch" = true ]; then
+        local highest_remote=$(get_highest_from_remote_refs)
+        local highest_branch=$(get_highest_from_branches)
+        if [ "$highest_remote" -gt "$highest_branch" ]; then
+            highest_branch=$highest_remote
+        fi
+    else
+        git fetch --all --prune >/dev/null 2>&1 || true
+        local highest_branch=$(get_highest_from_branches)
+    fi
+
+    local highest_spec=$(get_highest_from_specs "$specs_dir")
+
+    local max_num=$highest_branch
+    if [ "$highest_spec" -gt "$max_num" ]; then
+        max_num=$highest_spec
+    fi
+
+    echo $((max_num + 1))
+}
+
+# Function to clean and format a branch name
+clean_branch_name() {
+    local name="$1"
+    echo "$name" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/-\+/-/g' | sed 's/^-//' | sed 's/-$//'
+}
+
+# ---------------------------------------------------------------------------
+# Source common.sh for resolve_template, json_escape, get_repo_root, has_git.
+#
+# Search locations in priority order:
+#  1. .specify/scripts/bash/common.sh under the project root (installed project)
+#  2. scripts/bash/common.sh under the project root (source checkout fallback)
+#  3. git-common.sh next to this script (minimal fallback — lacks resolve_template)
+# ---------------------------------------------------------------------------
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Find project root by walking up from the script location
+_find_project_root() {
+    local dir="$1"
+    while [ "$dir" != "/" ]; do
+        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
+            echo "$dir"
+            return 0
+        fi
+        dir="$(dirname "$dir")"
+    done
+    return 1
+}
+
+_common_loaded=false
+_PROJECT_ROOT=$(_find_project_root "$SCRIPT_DIR") || true
+
+if [ -n "$_PROJECT_ROOT" ] && [ -f "$_PROJECT_ROOT/.specify/scripts/bash/common.sh" ]; then
+    source "$_PROJECT_ROOT/.specify/scripts/bash/common.sh"
+    _common_loaded=true
+elif [ -n "$_PROJECT_ROOT" ] && [ -f "$_PROJECT_ROOT/scripts/bash/common.sh" ]; then
+    source "$_PROJECT_ROOT/scripts/bash/common.sh"
+    _common_loaded=true
+elif [ -f "$SCRIPT_DIR/git-common.sh" ]; then
+    source "$SCRIPT_DIR/git-common.sh"
+    _common_loaded=true
+fi
+
+if [ "$_common_loaded" != "true" ]; then
+    echo "Error: Could not locate common.sh or git-common.sh. Please ensure the Specify core scripts are installed." >&2
+    exit 1
+fi
+
+# Resolve repository root
+if type get_repo_root >/dev/null 2>&1; then
+    REPO_ROOT=$(get_repo_root)
+elif git rev-parse --show-toplevel >/dev/null 2>&1; then
+    REPO_ROOT=$(git rev-parse --show-toplevel)
+elif [ -n "$_PROJECT_ROOT" ]; then
+    REPO_ROOT="$_PROJECT_ROOT"
+else
+    echo "Error: Could not determine repository root." >&2
+    exit 1
+fi
+
+# Check if git is available at this repo root
+if type has_git >/dev/null 2>&1; then
+    if has_git "$REPO_ROOT"; then
+        HAS_GIT=true
+    else
+        HAS_GIT=false
+    fi
+elif git -C "$REPO_ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    HAS_GIT=true
+else
+    HAS_GIT=false
+fi
+
+cd "$REPO_ROOT"
+
+SPECS_DIR="$REPO_ROOT/specs"
+
+# Function to generate branch name with stop word filtering
+generate_branch_name() {
+    local description="$1"
+
+    local stop_words="^(i|a|an|the|to|for|of|in|on|at|by|with|from|is|are|was|were|be|been|being|have|has|had|do|does|did|will|would|should|could|can|may|might|must|shall|this|that|these|those|my|your|our|their|want|need|add|get|set)$"
+
+    local clean_name=$(echo "$description" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/ /g')
+
+    local meaningful_words=()
+    for word in $clean_name; do
+        [ -z "$word" ] && continue
+        if ! echo "$word" | grep -qiE "$stop_words"; then
+            if [ ${#word} -ge 3 ]; then
+                meaningful_words+=("$word")
+            elif echo "$description" | grep -qw -- "${word^^}"; then
+                meaningful_words+=("$word")
+            fi
+        fi
+    done
+
+    if [ ${#meaningful_words[@]} -gt 0 ]; then
+        local max_words=3
+        if [ ${#meaningful_words[@]} -eq 4 ]; then max_words=4; fi
+
+        local result=""
+        local count=0
+        for word in "${meaningful_words[@]}"; do
+            if [ $count -ge $max_words ]; then break; fi
+            if [ -n "$result" ]; then result="$result-"; fi
+            result="$result$word"
+            count=$((count + 1))
+        done
+        echo "$result"
+    else
+        local cleaned=$(clean_branch_name "$description")
+        echo "$cleaned" | tr '-' '\n' | grep -v '^$' | head -3 | tr '\n' '-' | sed 's/-$//'
+    fi
+}
+
+# Check for GIT_BRANCH_NAME env var override (exact branch name, no prefix/suffix)
+if [ -n "${GIT_BRANCH_NAME:-}" ]; then
+    BRANCH_NAME="$GIT_BRANCH_NAME"
+    # Extract FEATURE_NUM from the branch name if it starts with a numeric prefix
+    # Check timestamp pattern first (YYYYMMDD-HHMMSS-) since it also matches the simpler ^[0-9]+ pattern
+    if echo "$BRANCH_NAME" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
+        FEATURE_NUM=$(echo "$BRANCH_NAME" | grep -Eo '^[0-9]{8}-[0-9]{6}')
+        BRANCH_SUFFIX="${BRANCH_NAME#${FEATURE_NUM}-}"
+    elif echo "$BRANCH_NAME" | grep -Eq '^[0-9]+-'; then
+        FEATURE_NUM=$(echo "$BRANCH_NAME" | grep -Eo '^[0-9]+')
+        BRANCH_SUFFIX="${BRANCH_NAME#${FEATURE_NUM}-}"
+    else
+        FEATURE_NUM="$BRANCH_NAME"
+        BRANCH_SUFFIX="$BRANCH_NAME"
+    fi
+else
+    # Generate branch name
+    if [ -n "$SHORT_NAME" ]; then
+        BRANCH_SUFFIX=$(clean_branch_name "$SHORT_NAME")
+    else
+        BRANCH_SUFFIX=$(generate_branch_name "$FEATURE_DESCRIPTION")
+    fi
+
+    # Warn if --number and --timestamp are both specified
+    if [ "$USE_TIMESTAMP" = true ] && [ -n "$BRANCH_NUMBER" ]; then
+        >&2 echo "[specify] Warning: --number is ignored when --timestamp is used"
+        BRANCH_NUMBER=""
+    fi
+
+    # Determine branch prefix
+    if [ "$USE_TIMESTAMP" = true ]; then
+        FEATURE_NUM=$(date +%Y%m%d-%H%M%S)
+        BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
+    else
+        if [ -z "$BRANCH_NUMBER" ]; then
+            if [ "$DRY_RUN" = true ] && [ "$HAS_GIT" = true ]; then
+                BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR" true)
+            elif [ "$DRY_RUN" = true ]; then
+                HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
+                BRANCH_NUMBER=$((HIGHEST + 1))
+            elif [ "$HAS_GIT" = true ]; then
+                BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR")
+            else
+                HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
+                BRANCH_NUMBER=$((HIGHEST + 1))
+            fi
+        fi
+
+        FEATURE_NUM=$(printf "%03d" "$((10#$BRANCH_NUMBER))")
+        BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
+    fi
+fi
+
+# GitHub enforces a 244-byte limit on branch names
+MAX_BRANCH_LENGTH=244
+_byte_length() { printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '; }
+BRANCH_BYTE_LEN=$(_byte_length "$BRANCH_NAME")
+if [ -n "${GIT_BRANCH_NAME:-}" ] && [ "$BRANCH_BYTE_LEN" -gt $MAX_BRANCH_LENGTH ]; then
+    >&2 echo "Error: GIT_BRANCH_NAME must be 244 bytes or fewer in UTF-8. Provided value is ${BRANCH_BYTE_LEN} bytes."
+    exit 1
+elif [ "$BRANCH_BYTE_LEN" -gt $MAX_BRANCH_LENGTH ]; then
+    PREFIX_LENGTH=$(( ${#FEATURE_NUM} + 1 ))
+    MAX_SUFFIX_LENGTH=$((MAX_BRANCH_LENGTH - PREFIX_LENGTH))
+
+    TRUNCATED_SUFFIX=$(echo "$BRANCH_SUFFIX" | cut -c1-$MAX_SUFFIX_LENGTH)
+    TRUNCATED_SUFFIX=$(echo "$TRUNCATED_SUFFIX" | sed 's/-$//')
+
+    ORIGINAL_BRANCH_NAME="$BRANCH_NAME"
+    BRANCH_NAME="${FEATURE_NUM}-${TRUNCATED_SUFFIX}"
+
+    >&2 echo "[specify] Warning: Branch name exceeded GitHub's 244-byte limit"
+    >&2 echo "[specify] Original: $ORIGINAL_BRANCH_NAME (${#ORIGINAL_BRANCH_NAME} bytes)"
+    >&2 echo "[specify] Truncated to: $BRANCH_NAME (${#BRANCH_NAME} bytes)"
+fi
+
+if [ "$DRY_RUN" != true ]; then
+    if [ "$HAS_GIT" = true ]; then
+        branch_create_error=""
+        if ! branch_create_error=$(git checkout -q -b "$BRANCH_NAME" 2>&1); then
+            current_branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
+            if git branch --list "$BRANCH_NAME" | grep -q .; then
+                if [ "$ALLOW_EXISTING" = true ]; then
+                    if [ "$current_branch" = "$BRANCH_NAME" ]; then
+                        :
+                    elif ! switch_branch_error=$(git checkout -q "$BRANCH_NAME" 2>&1); then
+                        >&2 echo "Error: Failed to switch to existing branch '$BRANCH_NAME'. Please resolve any local changes or conflicts and try again."
+                        if [ -n "$switch_branch_error" ]; then
+                            >&2 printf '%s\n' "$switch_branch_error"
+                        fi
+                        exit 1
+                    fi
+                elif [ "$USE_TIMESTAMP" = true ]; then
+                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Rerun to get a new timestamp or use a different --short-name."
+                    exit 1
+                else
+                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Please use a different feature name or specify a different number with --number."
+                    exit 1
+                fi
+            else
+                >&2 echo "Error: Failed to create git branch '$BRANCH_NAME'."
+                if [ -n "$branch_create_error" ]; then
+                    >&2 printf '%s\n' "$branch_create_error"
+                else
+                    >&2 echo "Please check your git configuration and try again."
+                fi
+                exit 1
+            fi
+        fi
+    else
+        >&2 echo "[specify] Warning: Git repository not detected; skipped branch creation for $BRANCH_NAME"
+    fi
+
+    printf '# To persist: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME" >&2
+fi
+
+if $JSON_MODE; then
+    if command -v jq >/dev/null 2>&1; then
+        if [ "$DRY_RUN" = true ]; then
+            jq -cn \
+                --arg branch_name "$BRANCH_NAME" \
+                --arg feature_num "$FEATURE_NUM" \
+                '{BRANCH_NAME:$branch_name,FEATURE_NUM:$feature_num,DRY_RUN:true}'
+        else
+            jq -cn \
+                --arg branch_name "$BRANCH_NAME" \
+                --arg feature_num "$FEATURE_NUM" \
+                '{BRANCH_NAME:$branch_name,FEATURE_NUM:$feature_num}'
+        fi
+    else
+        if type json_escape >/dev/null 2>&1; then
+            _je_branch=$(json_escape "$BRANCH_NAME")
+            _je_num=$(json_escape "$FEATURE_NUM")
+        else
+            _je_branch="$BRANCH_NAME"
+            _je_num="$FEATURE_NUM"
+        fi
+        if [ "$DRY_RUN" = true ]; then
+            printf '{"BRANCH_NAME":"%s","FEATURE_NUM":"%s","DRY_RUN":true}\n' "$_je_branch" "$_je_num"
+        else
+            printf '{"BRANCH_NAME":"%s","FEATURE_NUM":"%s"}\n' "$_je_branch" "$_je_num"
+        fi
+    fi
+else
+    echo "BRANCH_NAME: $BRANCH_NAME"
+    echo "FEATURE_NUM: $FEATURE_NUM"
+    if [ "$DRY_RUN" != true ]; then
+        printf '# To persist in your shell: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME"
+    fi
+fi
diff --git a/.specify/extensions/git/scripts/bash/git-common.sh b/.specify/extensions/git/scripts/bash/git-common.sh
new file mode 100755
index 0000000..882a385
--- /dev/null
+++ b/.specify/extensions/git/scripts/bash/git-common.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Git-specific common functions for the git extension.
+# Extracted from scripts/bash/common.sh — contains only git-specific
+# branch validation and detection logic.
+
+# Check if we have git available at the repo root
+has_git() {
+    local repo_root="${1:-$(pwd)}"
+    { [ -d "$repo_root/.git" ] || [ -f "$repo_root/.git" ]; } && \
+        command -v git >/dev/null 2>&1 && \
+        git -C "$repo_root" rev-parse --is-inside-work-tree >/dev/null 2>&1
+}
+
+# Validate that a branch name matches the expected feature branch pattern.
+# Accepts sequential (###-* with >=3 digits) or timestamp (YYYYMMDD-HHMMSS-*) formats.
+check_feature_branch() {
+    local branch="$1"
+    local has_git_repo="$2"
+
+    # For non-git repos, we can't enforce branch naming but still provide output
+    if [[ "$has_git_repo" != "true" ]]; then
+        echo "[specify] Warning: Git repository not detected; skipped branch validation" >&2
+        return 0
+    fi
+
+    # Reject malformed timestamps (7-digit date, 8-digit date without trailing slug, or 7-digit with slug)
+    if [[ "$branch" =~ ^[0-9]{7}-[0-9]{6} ]] || [[ "$branch" =~ ^[0-9]{8}-[0-9]{6}$ ]]; then
+        echo "ERROR: Not on a feature branch. Current branch: $branch" >&2
+        echo "Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name" >&2
+        return 1
+    fi
+
+    # Accept sequential (>=3 digits followed by hyphen) or timestamp (YYYYMMDD-HHMMSS-*)
+    if [[ "$branch" =~ ^[0-9]{3,}- ]] || [[ "$branch" =~ ^[0-9]{8}-[0-9]{6}- ]]; then
+        return 0
+    fi
+
+    echo "ERROR: Not on a feature branch. Current branch: $branch" >&2
+    echo "Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name" >&2
+    return 1
+}
diff --git a/.specify/extensions/git/scripts/bash/initialize-repo.sh b/.specify/extensions/git/scripts/bash/initialize-repo.sh
new file mode 100755
index 0000000..296e363
--- /dev/null
+++ b/.specify/extensions/git/scripts/bash/initialize-repo.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Git extension: initialize-repo.sh
+# Initialize a Git repository with an initial commit.
+# Customizable — replace this script to add .gitignore templates,
+# default branch config, git-flow, LFS, signing, etc.
+
+set -e
+
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Find project root
+_find_project_root() {
+    local dir="$1"
+    while [ "$dir" != "/" ]; do
+        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
+            echo "$dir"
+            return 0
+        fi
+        dir="$(dirname "$dir")"
+    done
+    return 1
+}
+
+REPO_ROOT=$(_find_project_root "$SCRIPT_DIR") || REPO_ROOT="$(pwd)"
+cd "$REPO_ROOT"
+
+# Read commit message from extension config, fall back to default
+COMMIT_MSG="[Spec Kit] Initial commit"
+_config_file="$REPO_ROOT/.specify/extensions/git/git-config.yml"
+if [ -f "$_config_file" ]; then
+    _msg=$(grep '^init_commit_message:' "$_config_file" 2>/dev/null | sed 's/^init_commit_message:[[:space:]]*//' | sed 's/^["'\'']//' | sed 's/["'\'']*$//')
+    if [ -n "$_msg" ]; then
+        COMMIT_MSG="$_msg"
+    fi
+fi
+
+# Check if git is available
+if ! command -v git >/dev/null 2>&1; then
+    echo "[specify] Warning: Git not found; skipped repository initialization" >&2
+    exit 0
+fi
+
+# Check if already a git repo
+if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    echo "[specify] Git repository already initialized; skipping" >&2
+    exit 0
+fi
+
+# Initialize
+_git_out=$(git init -q 2>&1) || { echo "[specify] Error: git init failed: $_git_out" >&2; exit 1; }
+_git_out=$(git add . 2>&1) || { echo "[specify] Error: git add failed: $_git_out" >&2; exit 1; }
+_git_out=$(git commit --allow-empty -q -m "$COMMIT_MSG" 2>&1) || { echo "[specify] Error: git commit failed: $_git_out" >&2; exit 1; }
+
+echo "✓ Git repository initialized" >&2
diff --git a/.specify/extensions/git/scripts/powershell/auto-commit.ps1 b/.specify/extensions/git/scripts/powershell/auto-commit.ps1
new file mode 100644
index 0000000..e9777ff
--- /dev/null
+++ b/.specify/extensions/git/scripts/powershell/auto-commit.ps1
@@ -0,0 +1,149 @@
+#!/usr/bin/env pwsh
+# Git extension: auto-commit.ps1
+# Automatically commit changes after a Spec Kit command completes.
+# Checks per-command config keys in git-config.yml before committing.
+#
+# Usage: auto-commit.ps1 <event_name>
+#   e.g.: auto-commit.ps1 after_specify
+param(
+    [Parameter(Position = 0, Mandatory = $true)]
+    [string]$EventName
+)
+$ErrorActionPreference = 'Stop'
+
+function Find-ProjectRoot {
+    param([string]$StartDir)
+    $current = Resolve-Path $StartDir
+    while ($true) {
+        foreach ($marker in @('.specify', '.git')) {
+            if (Test-Path (Join-Path $current $marker)) {
+                return $current
+            }
+        }
+        $parent = Split-Path $current -Parent
+        if ($parent -eq $current) { return $null }
+        $current = $parent
+    }
+}
+
+$repoRoot = Find-ProjectRoot -StartDir $PSScriptRoot
+if (-not $repoRoot) { $repoRoot = Get-Location }
+Set-Location $repoRoot
+
+# Check if git is available
+if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
+    Write-Warning "[specify] Warning: Git not found; skipped auto-commit"
+    exit 0
+}
+
+try {
+    git rev-parse --is-inside-work-tree 2>$null | Out-Null
+    if ($LASTEXITCODE -ne 0) { throw "not a repo" }
+} catch {
+    Write-Warning "[specify] Warning: Not a Git repository; skipped auto-commit"
+    exit 0
+}
+
+# Read per-command config from git-config.yml
+$configFile = Join-Path $repoRoot ".specify/extensions/git/git-config.yml"
+$enabled = $false
+$commitMsg = ""
+
+if (Test-Path $configFile) {
+    # Parse YAML to find auto_commit section
+    $inAutoCommit = $false
+    $inEvent = $false
+    $defaultEnabled = $false
+
+    foreach ($line in Get-Content $configFile) {
+        # Detect auto_commit: section
+        if ($line -match '^auto_commit:') {
+            $inAutoCommit = $true
+            $inEvent = $false
+            continue
+        }
+
+        # Exit auto_commit section on next top-level key
+        if ($inAutoCommit -and $line -match '^[a-z]') {
+            break
+        }
+
+        if ($inAutoCommit) {
+            # Check default key
+            if ($line -match '^\s+default:\s*(.+)$') {
+                $val = $matches[1].Trim().ToLower()
+                if ($val -eq 'true') { $defaultEnabled = $true }
+            }
+
+            # Detect our event subsection
+            if ($line -match "^\s+${EventName}:") {
+                $inEvent = $true
+                continue
+            }
+
+            # Inside our event subsection
+            if ($inEvent) {
+                # Exit on next sibling key (2-space indent, not 4+)
+                if ($line -match '^\s{2}[a-z]' -and $line -notmatch '^\s{4}') {
+                    $inEvent = $false
+                    continue
+                }
+                if ($line -match '\s+enabled:\s*(.+)$') {
+                    $val = $matches[1].Trim().ToLower()
+                    if ($val -eq 'true') { $enabled = $true }
+                    if ($val -eq 'false') { $enabled = $false }
+                }
+                if ($line -match '\s+message:\s*(.+)$') {
+                    $commitMsg = $matches[1].Trim() -replace '^["'']' -replace '["'']$'
+                }
+            }
+        }
+    }
+
+    # If event-specific key not found, use default
+    if (-not $enabled -and $defaultEnabled) {
+        $hasEventKey = Select-String -Path $configFile -Pattern "^\s*${EventName}:" -Quiet
+        if (-not $hasEventKey) {
+            $enabled = $true
+        }
+    }
+} else {
+    # No config file — auto-commit disabled by default
+    exit 0
+}
+
+if (-not $enabled) {
+    exit 0
+}
+
+# Check if there are changes to commit
+$diffHead = git diff --quiet HEAD 2>$null; $d1 = $LASTEXITCODE
+$diffCached = git diff --cached --quiet 2>$null; $d2 = $LASTEXITCODE
+$untracked = git ls-files --others --exclude-standard 2>$null
+
+if ($d1 -eq 0 -and $d2 -eq 0 -and -not $untracked) {
+    Write-Host "[specify] No changes to commit after $EventName" -ForegroundColor DarkGray
+    exit 0
+}
+
+# Derive a human-readable command name from the event
+$commandName = $EventName -replace '^after_', '' -replace '^before_', ''
+$phase = if ($EventName -match '^before_') { 'before' } else { 'after' }
+
+# Use custom message if configured, otherwise default
+if (-not $commitMsg) {
+    $commitMsg = "[Spec Kit] Auto-commit $phase $commandName"
+}
+
+# Stage and commit
+try {
+    $out = git add . 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "git add failed: $out" }
+    $out = git commit -q -m $commitMsg 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "git commit failed: $out" }
+} catch {
+    Write-Warning "[specify] Error: $_"
+    exit 1
+}
+
+Write-Host "✓ Changes committed $phase $commandName"
diff --git a/.specify/extensions/git/scripts/powershell/create-new-feature.ps1 b/.specify/extensions/git/scripts/powershell/create-new-feature.ps1
new file mode 100644
index 0000000..b579f05
--- /dev/null
+++ b/.specify/extensions/git/scripts/powershell/create-new-feature.ps1
@@ -0,0 +1,403 @@
+#!/usr/bin/env pwsh
+# Git extension: create-new-feature.ps1
+# Adapted from core scripts/powershell/create-new-feature.ps1 for extension layout.
+# Sources common.ps1 from the project's installed scripts, falling back to
+# git-common.ps1 for minimal git helpers.
+[CmdletBinding()]
+param(
+    [switch]$Json,
+    [switch]$AllowExistingBranch,
+    [switch]$DryRun,
+    [string]$ShortName,
+    [Parameter()]
+    [long]$Number = 0,
+    [switch]$Timestamp,
+    [switch]$Help,
+    [Parameter(Position = 0, ValueFromRemainingArguments = $true)]
+    [string[]]$FeatureDescription
+)
+$ErrorActionPreference = 'Stop'
+
+if ($Help) {
+    Write-Host "Usage: ./create-new-feature.ps1 [-Json] [-DryRun] [-AllowExistingBranch] [-ShortName <name>] [-Number N] [-Timestamp] <feature description>"
+    Write-Host ""
+    Write-Host "Options:"
+    Write-Host "  -Json               Output in JSON format"
+    Write-Host "  -DryRun             Compute branch name without creating the branch"
+    Write-Host "  -AllowExistingBranch  Switch to branch if it already exists instead of failing"
+    Write-Host "  -ShortName <name>   Provide a custom short name (2-4 words) for the branch"
+    Write-Host "  -Number N           Specify branch number manually (overrides auto-detection)"
+    Write-Host "  -Timestamp          Use timestamp prefix (YYYYMMDD-HHMMSS) instead of sequential numbering"
+    Write-Host "  -Help               Show this help message"
+    Write-Host ""
+    Write-Host "Environment variables:"
+    Write-Host "  GIT_BRANCH_NAME     Use this exact branch name, bypassing all prefix/suffix generation"
+    Write-Host ""
+    exit 0
+}
+
+if (-not $FeatureDescription -or $FeatureDescription.Count -eq 0) {
+    Write-Error "Usage: ./create-new-feature.ps1 [-Json] [-DryRun] [-AllowExistingBranch] [-ShortName <name>] [-Number N] [-Timestamp] <feature description>"
+    exit 1
+}
+
+$featureDesc = ($FeatureDescription -join ' ').Trim()
+
+if ([string]::IsNullOrWhiteSpace($featureDesc)) {
+    Write-Error "Error: Feature description cannot be empty or contain only whitespace"
+    exit 1
+}
+
+function Get-HighestNumberFromSpecs {
+    param([string]$SpecsDir)
+
+    [long]$highest = 0
+    if (Test-Path $SpecsDir) {
+        Get-ChildItem -Path $SpecsDir -Directory | ForEach-Object {
+            if ($_.Name -match '^(\d{3,})-' -and $_.Name -notmatch '^\d{8}-\d{6}-') {
+                [long]$num = 0
+                if ([long]::TryParse($matches[1], [ref]$num) -and $num -gt $highest) {
+                    $highest = $num
+                }
+            }
+        }
+    }
+    return $highest
+}
+
+function Get-HighestNumberFromNames {
+    param([string[]]$Names)
+
+    [long]$highest = 0
+    foreach ($name in $Names) {
+        if ($name -match '^(\d{3,})-' -and $name -notmatch '^\d{8}-\d{6}-') {
+            [long]$num = 0
+            if ([long]::TryParse($matches[1], [ref]$num) -and $num -gt $highest) {
+                $highest = $num
+            }
+        }
+    }
+    return $highest
+}
+
+function Get-HighestNumberFromBranches {
+    param()
+
+    try {
+        $branches = git branch -a 2>$null
+        if ($LASTEXITCODE -eq 0 -and $branches) {
+            $cleanNames = $branches | ForEach-Object {
+                $_.Trim() -replace '^\*?\s+', '' -replace '^remotes/[^/]+/', ''
+            }
+            return Get-HighestNumberFromNames -Names $cleanNames
+        }
+    } catch {
+        Write-Verbose "Could not check Git branches: $_"
+    }
+    return 0
+}
+
+function Get-HighestNumberFromRemoteRefs {
+    [long]$highest = 0
+    try {
+        $remotes = git remote 2>$null
+        if ($remotes) {
+            foreach ($remote in $remotes) {
+                $env:GIT_TERMINAL_PROMPT = '0'
+                $refs = git ls-remote --heads $remote 2>$null
+                $env:GIT_TERMINAL_PROMPT = $null
+                if ($LASTEXITCODE -eq 0 -and $refs) {
+                    $refNames = $refs | ForEach-Object {
+                        if ($_ -match 'refs/heads/(.+)$') { $matches[1] }
+                    } | Where-Object { $_ }
+                    $remoteHighest = Get-HighestNumberFromNames -Names $refNames
+                    if ($remoteHighest -gt $highest) { $highest = $remoteHighest }
+                }
+            }
+        }
+    } catch {
+        Write-Verbose "Could not query remote refs: $_"
+    }
+    return $highest
+}
+
+function Get-NextBranchNumber {
+    param(
+        [string]$SpecsDir,
+        [switch]$SkipFetch
+    )
+
+    if ($SkipFetch) {
+        $highestBranch = Get-HighestNumberFromBranches
+        $highestRemote = Get-HighestNumberFromRemoteRefs
+        $highestBranch = [Math]::Max($highestBranch, $highestRemote)
+    } else {
+        try {
+            git fetch --all --prune 2>$null | Out-Null
+        } catch { }
+        $highestBranch = Get-HighestNumberFromBranches
+    }
+
+    $highestSpec = Get-HighestNumberFromSpecs -SpecsDir $SpecsDir
+    $maxNum = [Math]::Max($highestBranch, $highestSpec)
+    return $maxNum + 1
+}
+
+function ConvertTo-CleanBranchName {
+    param([string]$Name)
+    return $Name.ToLower() -replace '[^a-z0-9]', '-' -replace '-{2,}', '-' -replace '^-', '' -replace '-$', ''
+}
+
+# ---------------------------------------------------------------------------
+# Source common.ps1 from the project's installed scripts.
+# Search locations in priority order:
+#  1. .specify/scripts/powershell/common.ps1 under the project root
+#  2. scripts/powershell/common.ps1 under the project root (source checkout)
+#  3. git-common.ps1 next to this script (minimal fallback)
+# ---------------------------------------------------------------------------
+function Find-ProjectRoot {
+    param([string]$StartDir)
+    $current = Resolve-Path $StartDir
+    while ($true) {
+        foreach ($marker in @('.specify', '.git')) {
+            if (Test-Path (Join-Path $current $marker)) {
+                return $current
+            }
+        }
+        $parent = Split-Path $current -Parent
+        if ($parent -eq $current) { return $null }
+        $current = $parent
+    }
+}
+
+$projectRoot = Find-ProjectRoot -StartDir $PSScriptRoot
+$commonLoaded = $false
+
+if ($projectRoot) {
+    $candidates = @(
+        (Join-Path $projectRoot ".specify/scripts/powershell/common.ps1"),
+        (Join-Path $projectRoot "scripts/powershell/common.ps1")
+    )
+    foreach ($candidate in $candidates) {
+        if (Test-Path $candidate) {
+            . $candidate
+            $commonLoaded = $true
+            break
+        }
+    }
+}
+
+if (-not $commonLoaded -and (Test-Path "$PSScriptRoot/git-common.ps1")) {
+    . "$PSScriptRoot/git-common.ps1"
+    $commonLoaded = $true
+}
+
+if (-not $commonLoaded) {
+    throw "Unable to locate common script file. Please ensure the Specify core scripts are installed."
+}
+
+# Resolve repository root
+if (Get-Command Get-RepoRoot -ErrorAction SilentlyContinue) {
+    $repoRoot = Get-RepoRoot
+} elseif ($projectRoot) {
+    $repoRoot = $projectRoot
+} else {
+    throw "Could not determine repository root."
+}
+
+# Check if git is available
+if (Get-Command Test-HasGit -ErrorAction SilentlyContinue) {
+    # Call without parameters for compatibility with core common.ps1 (no -RepoRoot param)
+    # and git-common.ps1 (has -RepoRoot param with default).
+    $hasGit = Test-HasGit
+} else {
+    try {
+        git -C $repoRoot rev-parse --is-inside-work-tree 2>$null | Out-Null
+        $hasGit = ($LASTEXITCODE -eq 0)
+    } catch {
+        $hasGit = $false
+    }
+}
+
+Set-Location $repoRoot
+
+$specsDir = Join-Path $repoRoot 'specs'
+
+function Get-BranchName {
+    param([string]$Description)
+
+    $stopWords = @(
+        'i', 'a', 'an', 'the', 'to', 'for', 'of', 'in', 'on', 'at', 'by', 'with', 'from',
+        'is', 'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had',
+        'do', 'does', 'did', 'will', 'would', 'should', 'could', 'can', 'may', 'might', 'must', 'shall',
+        'this', 'that', 'these', 'those', 'my', 'your', 'our', 'their',
+        'want', 'need', 'add', 'get', 'set'
+    )
+
+    $cleanName = $Description.ToLower() -replace '[^a-z0-9\s]', ' '
+    $words = $cleanName -split '\s+' | Where-Object { $_ }
+
+    $meaningfulWords = @()
+    foreach ($word in $words) {
+        if ($stopWords -contains $word) { continue }
+        if ($word.Length -ge 3) {
+            $meaningfulWords += $word
+        } elseif ($Description -match "\b$($word.ToUpper())\b") {
+            $meaningfulWords += $word
+        }
+    }
+
+    if ($meaningfulWords.Count -gt 0) {
+        $maxWords = if ($meaningfulWords.Count -eq 4) { 4 } else { 3 }
+        $result = ($meaningfulWords | Select-Object -First $maxWords) -join '-'
+        return $result
+    } else {
+        $result = ConvertTo-CleanBranchName -Name $Description
+        $fallbackWords = ($result -split '-') | Where-Object { $_ } | Select-Object -First 3
+        return [string]::Join('-', $fallbackWords)
+    }
+}
+
+# Check for GIT_BRANCH_NAME env var override (exact branch name, no prefix/suffix)
+if ($env:GIT_BRANCH_NAME) {
+    $branchName = $env:GIT_BRANCH_NAME
+    # Check 244-byte limit (UTF-8) for override names
+    $branchNameUtf8ByteCount = [System.Text.Encoding]::UTF8.GetByteCount($branchName)
+    if ($branchNameUtf8ByteCount -gt 244) {
+        throw "GIT_BRANCH_NAME must be 244 bytes or fewer in UTF-8. Provided value is $branchNameUtf8ByteCount bytes; please supply a shorter override branch name."
+    }
+    # Extract FEATURE_NUM from the branch name if it starts with a numeric prefix
+    # Check timestamp pattern first (YYYYMMDD-HHMMSS-) since it also matches the simpler ^\d+ pattern
+    if ($branchName -match '^(\d{8}-\d{6})-') {
+        $featureNum = $matches[1]
+    } elseif ($branchName -match '^(\d+)-') {
+        $featureNum = $matches[1]
+    } else {
+        $featureNum = $branchName
+    }
+} else {
+    if ($ShortName) {
+        $branchSuffix = ConvertTo-CleanBranchName -Name $ShortName
+    } else {
+        $branchSuffix = Get-BranchName -Description $featureDesc
+    }
+
+    if ($Timestamp -and $Number -ne 0) {
+        Write-Warning "[specify] Warning: -Number is ignored when -Timestamp is used"
+        $Number = 0
+    }
+
+    if ($Timestamp) {
+        $featureNum = Get-Date -Format 'yyyyMMdd-HHmmss'
+        $branchName = "$featureNum-$branchSuffix"
+    } else {
+        if ($Number -eq 0) {
+            if ($DryRun -and $hasGit) {
+                $Number = Get-NextBranchNumber -SpecsDir $specsDir -SkipFetch
+            } elseif ($DryRun) {
+                $Number = (Get-HighestNumberFromSpecs -SpecsDir $specsDir) + 1
+            } elseif ($hasGit) {
+                $Number = Get-NextBranchNumber -SpecsDir $specsDir
+            } else {
+                $Number = (Get-HighestNumberFromSpecs -SpecsDir $specsDir) + 1
+            }
+        }
+
+        $featureNum = ('{0:000}' -f $Number)
+        $branchName = "$featureNum-$branchSuffix"
+    }
+}
+
+$maxBranchLength = 244
+if ($branchName.Length -gt $maxBranchLength) {
+    $prefixLength = $featureNum.Length + 1
+    $maxSuffixLength = $maxBranchLength - $prefixLength
+
+    $truncatedSuffix = $branchSuffix.Substring(0, [Math]::Min($branchSuffix.Length, $maxSuffixLength))
+    $truncatedSuffix = $truncatedSuffix -replace '-$', ''
+
+    $originalBranchName = $branchName
+    $branchName = "$featureNum-$truncatedSuffix"
+
+    Write-Warning "[specify] Branch name exceeded GitHub's 244-byte limit"
+    Write-Warning "[specify] Original: $originalBranchName ($($originalBranchName.Length) bytes)"
+    Write-Warning "[specify] Truncated to: $branchName ($($branchName.Length) bytes)"
+}
+
+if (-not $DryRun) {
+    if ($hasGit) {
+        $branchCreated = $false
+        $branchCreateError = ''
+        try {
+            $branchCreateError = git checkout -q -b $branchName 2>&1 | Out-String
+            if ($LASTEXITCODE -eq 0) {
+                $branchCreated = $true
+            }
+        } catch {
+            $branchCreateError = $_.Exception.Message
+        }
+
+        if (-not $branchCreated) {
+            $currentBranch = ''
+            try { $currentBranch = (git rev-parse --abbrev-ref HEAD 2>$null).Trim() } catch {}
+            $existingBranch = git branch --list $branchName 2>$null
+            if ($existingBranch) {
+                if ($AllowExistingBranch) {
+                    if ($currentBranch -eq $branchName) {
+                        # Already on the target branch
+                    } else {
+                        $switchBranchError = git checkout -q $branchName 2>&1 | Out-String
+                        if ($LASTEXITCODE -ne 0) {
+                            if ($switchBranchError) {
+                                Write-Error "Error: Branch '$branchName' exists but could not be checked out.`n$($switchBranchError.Trim())"
+                            } else {
+                                Write-Error "Error: Branch '$branchName' exists but could not be checked out. Resolve any uncommitted changes or conflicts and try again."
+                            }
+                            exit 1
+                        }
+                    }
+                } elseif ($Timestamp) {
+                    Write-Error "Error: Branch '$branchName' already exists. Rerun to get a new timestamp or use a different -ShortName."
+                    exit 1
+                } else {
+                    Write-Error "Error: Branch '$branchName' already exists. Please use a different feature name or specify a different number with -Number."
+                    exit 1
+                }
+            } else {
+                if ($branchCreateError) {
+                    Write-Error "Error: Failed to create git branch '$branchName'.`n$($branchCreateError.Trim())"
+                } else {
+                    Write-Error "Error: Failed to create git branch '$branchName'. Please check your git configuration and try again."
+                }
+                exit 1
+            }
+        }
+    } else {
+        if ($Json) {
+            [Console]::Error.WriteLine("[specify] Warning: Git repository not detected; skipped branch creation for $branchName")
+        } else {
+            Write-Warning "[specify] Warning: Git repository not detected; skipped branch creation for $branchName"
+        }
+    }
+
+    $env:SPECIFY_FEATURE = $branchName
+}
+
+if ($Json) {
+    $obj = [PSCustomObject]@{
+        BRANCH_NAME = $branchName
+        FEATURE_NUM = $featureNum
+        HAS_GIT = $hasGit
+    }
+    if ($DryRun) {
+        $obj | Add-Member -NotePropertyName 'DRY_RUN' -NotePropertyValue $true
+    }
+    $obj | ConvertTo-Json -Compress
+} else {
+    Write-Output "BRANCH_NAME: $branchName"
+    Write-Output "FEATURE_NUM: $featureNum"
+    Write-Output "HAS_GIT: $hasGit"
+    if (-not $DryRun) {
+        Write-Output "SPECIFY_FEATURE environment variable set to: $branchName"
+    }
+}
diff --git a/.specify/extensions/git/scripts/powershell/git-common.ps1 b/.specify/extensions/git/scripts/powershell/git-common.ps1
new file mode 100644
index 0000000..8a9c4fd
--- /dev/null
+++ b/.specify/extensions/git/scripts/powershell/git-common.ps1
@@ -0,0 +1,50 @@
+#!/usr/bin/env pwsh
+# Git-specific common functions for the git extension.
+# Extracted from scripts/powershell/common.ps1 — contains only git-specific
+# branch validation and detection logic.
+
+function Test-HasGit {
+    param([string]$RepoRoot = (Get-Location))
+    try {
+        if (-not (Test-Path (Join-Path $RepoRoot '.git'))) { return $false }
+        if (-not (Get-Command git -ErrorAction SilentlyContinue)) { return $false }
+        git -C $RepoRoot rev-parse --is-inside-work-tree 2>$null | Out-Null
+        return ($LASTEXITCODE -eq 0)
+    } catch {
+        return $false
+    }
+}
+
+function Test-FeatureBranch {
+    param(
+        [string]$Branch,
+        [bool]$HasGit = $true
+    )
+
+    # For non-git repos, we can't enforce branch naming but still provide output
+    if (-not $HasGit) {
+        Write-Warning "[specify] Warning: Git repository not detected; skipped branch validation"
+        return $true
+    }
+
+    # Reject malformed timestamps (7-digit date or no trailing slug)
+    $hasMalformedTimestamp = ($Branch -match '^[0-9]{7}-[0-9]{6}-') -or
+                            ($Branch -match '^(?:\d{7}|\d{8})-\d{6}$')
+    if ($hasMalformedTimestamp) {
+        Write-Output "ERROR: Not on a feature branch. Current branch: $Branch"
+        Write-Output "Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name"
+        return $false
+    }
+
+    # Accept sequential (>=3 digits followed by hyphen) or timestamp (YYYYMMDD-HHMMSS-*)
+    $isSequential = ($Branch -match '^[0-9]{3,}-') -and (-not $hasMalformedTimestamp)
+    $isTimestamp = $Branch -match '^\d{8}-\d{6}-'
+
+    if ($isSequential -or $isTimestamp) {
+        return $true
+    }
+
+    Write-Output "ERROR: Not on a feature branch. Current branch: $Branch"
+    Write-Output "Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name"
+    return $false
+}
diff --git a/.specify/extensions/git/scripts/powershell/initialize-repo.ps1 b/.specify/extensions/git/scripts/powershell/initialize-repo.ps1
new file mode 100644
index 0000000..324240a
--- /dev/null
+++ b/.specify/extensions/git/scripts/powershell/initialize-repo.ps1
@@ -0,0 +1,69 @@
+#!/usr/bin/env pwsh
+# Git extension: initialize-repo.ps1
+# Initialize a Git repository with an initial commit.
+# Customizable — replace this script to add .gitignore templates,
+# default branch config, git-flow, LFS, signing, etc.
+$ErrorActionPreference = 'Stop'
+
+# Find project root
+function Find-ProjectRoot {
+    param([string]$StartDir)
+    $current = Resolve-Path $StartDir
+    while ($true) {
+        foreach ($marker in @('.specify', '.git')) {
+            if (Test-Path (Join-Path $current $marker)) {
+                return $current
+            }
+        }
+        $parent = Split-Path $current -Parent
+        if ($parent -eq $current) { return $null }
+        $current = $parent
+    }
+}
+
+$repoRoot = Find-ProjectRoot -StartDir $PSScriptRoot
+if (-not $repoRoot) { $repoRoot = Get-Location }
+Set-Location $repoRoot
+
+# Read commit message from extension config, fall back to default
+$commitMsg = "[Spec Kit] Initial commit"
+$configFile = Join-Path $repoRoot ".specify/extensions/git/git-config.yml"
+if (Test-Path $configFile) {
+    foreach ($line in Get-Content $configFile) {
+        if ($line -match '^init_commit_message:\s*(.+)$') {
+            $val = $matches[1].Trim() -replace '^["'']' -replace '["'']$'
+            if ($val) { $commitMsg = $val }
+            break
+        }
+    }
+}
+
+# Check if git is available
+if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
+    Write-Warning "[specify] Warning: Git not found; skipped repository initialization"
+    exit 0
+}
+
+# Check if already a git repo
+try {
+    git rev-parse --is-inside-work-tree 2>$null | Out-Null
+    if ($LASTEXITCODE -eq 0) {
+        Write-Warning "[specify] Git repository already initialized; skipping"
+        exit 0
+    }
+} catch { }
+
+# Initialize
+try {
+    $out = git init -q 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "git init failed: $out" }
+    $out = git add . 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "git add failed: $out" }
+    $out = git commit --allow-empty -q -m $commitMsg 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "git commit failed: $out" }
+} catch {
+    Write-Warning "[specify] Error: $_"
+    exit 1
+}
+
+Write-Host "✓ Git repository initialized"
diff --git a/.specify/feature.json b/.specify/feature.json
new file mode 100644
index 0000000..efb467a
--- /dev/null
+++ b/.specify/feature.json
@@ -0,0 +1,3 @@
+{
+  "feature_directory": "specs/001-fix-deprecations"
+}
diff --git a/.specify/init-options.json b/.specify/init-options.json
new file mode 100644
index 0000000..9162af2
--- /dev/null
+++ b/.specify/init-options.json
@@ -0,0 +1,10 @@
+{
+  "ai": "claude",
+  "ai_skills": true,
+  "branch_numbering": "sequential",
+  "here": true,
+  "integration": "claude",
+  "preset": null,
+  "script": "sh",
+  "speckit_version": "0.5.2.dev0"
+}
\ No newline at end of file
diff --git a/.specify/integration.json b/.specify/integration.json
new file mode 100644
index 0000000..6d171be
--- /dev/null
+++ b/.specify/integration.json
@@ -0,0 +1,7 @@
+{
+  "integration": "claude",
+  "version": "0.5.2.dev0",
+  "scripts": {
+    "update-context": ".specify/integrations/claude/scripts/update-context.sh"
+  }
+}
diff --git a/.specify/integrations/claude.manifest.json b/.specify/integrations/claude.manifest.json
new file mode 100644
index 0000000..3c94572
--- /dev/null
+++ b/.specify/integrations/claude.manifest.json
@@ -0,0 +1,18 @@
+{
+  "integration": "claude",
+  "version": "0.5.2.dev0",
+  "installed_at": "2026-04-09T15:40:54.358381+00:00",
+  "files": {
+    ".claude/skills/speckit-analyze/SKILL.md": "79282ee8d194cca4ec54b2749fa65973300303f22eb768a37ba5f0b0d8397b76",
+    ".claude/skills/speckit-checklist/SKILL.md": "6db52b7e393e2aec8c1a63d49352bae75d5f79e386f1754c9f7d44c89b413179",
+    ".claude/skills/speckit-clarify/SKILL.md": "30a36773b207743cfeac340d8d519dea8ecf79c474ece09ed59f1c0f0d093627",
+    ".claude/skills/speckit-constitution/SKILL.md": "ed6fde3cff810d6540ca2f9347b35a2b60b056e76fc1dfb0871b396bad038285",
+    ".claude/skills/speckit-implement/SKILL.md": "69501253105e6cd5f734f2a90019065f0f48e9d35c22fa73579c3aec7de578b6",
+    ".claude/skills/speckit-plan/SKILL.md": "f4cbbc5664378b88630d2f60babb9cefb3de4f417513705b14e38dd0678b9334",
+    ".claude/skills/speckit-specify/SKILL.md": "2c5770de5de53c6b2a72064a6d59e51aab0e64b7cc5e8dd4dfbc7667afecefe5",
+    ".claude/skills/speckit-tasks/SKILL.md": "cb1a926eaf8ac36798dbd5b54ded7a185b808ea5ad1c07e8941da993a372a01a",
+    ".claude/skills/speckit-taskstoissues/SKILL.md": "11e4798c0968a746fe420017831224518406cd57a917fe41f1899498b08111a1",
+    ".specify/integrations/claude/scripts/update-context.ps1": "8bce5081fe27ebf414d4eaf127d91b5540b00d24dde4fe1e303e8eb26ad5211a",
+    ".specify/integrations/claude/scripts/update-context.sh": "21a5aa3fc644f693a29d35975ce21e5a949cdc1d0258b11c21940754c3644fa6"
+  }
+}
diff --git a/.specify/integrations/claude/scripts/update-context.ps1 b/.specify/integrations/claude/scripts/update-context.ps1
new file mode 100644
index 0000000..837974d
--- /dev/null
+++ b/.specify/integrations/claude/scripts/update-context.ps1
@@ -0,0 +1,23 @@
+# update-context.ps1 — Claude Code integration: create/update CLAUDE.md
+#
+# Thin wrapper that delegates to the shared update-agent-context script.
+# Activated in Stage 7 when the shared script uses integration.json dispatch.
+#
+# Until then, this delegates to the shared script as a subprocess.
+
+$ErrorActionPreference = 'Stop'
+
+# Derive repo root from script location (walks up to find .specify/)
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
+$repoRoot = try { git rev-parse --show-toplevel 2>$null } catch { $null }
+# If git did not return a repo root, or the git root does not contain .specify,
+# fall back to walking up from the script directory to find the initialized project root.
+if (-not $repoRoot -or -not (Test-Path (Join-Path $repoRoot '.specify'))) {
+    $repoRoot = $scriptDir
+    $fsRoot = [System.IO.Path]::GetPathRoot($repoRoot)
+    while ($repoRoot -and $repoRoot -ne $fsRoot -and -not (Test-Path (Join-Path $repoRoot '.specify'))) {
+        $repoRoot = Split-Path -Parent $repoRoot
+    }
+}
+
+& "$repoRoot/.specify/scripts/powershell/update-agent-context.ps1" -AgentType claude
diff --git a/.specify/integrations/claude/scripts/update-context.sh b/.specify/integrations/claude/scripts/update-context.sh
new file mode 100755
index 0000000..4b83855
--- /dev/null
+++ b/.specify/integrations/claude/scripts/update-context.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# update-context.sh — Claude Code integration: create/update CLAUDE.md
+#
+# Thin wrapper that delegates to the shared update-agent-context script.
+# Activated in Stage 7 when the shared script uses integration.json dispatch.
+#
+# Until then, this delegates to the shared script as a subprocess.
+
+set -euo pipefail
+
+# Derive repo root from script location (walks up to find .specify/)
+_script_dir="$(cd "$(dirname "$0")" && pwd)"
+_root="$_script_dir"
+while [ "$_root" != "/" ] && [ ! -d "$_root/.specify" ]; do _root="$(dirname "$_root")"; done
+if [ -z "${REPO_ROOT:-}" ]; then
+  if [ -d "$_root/.specify" ]; then
+    REPO_ROOT="$_root"
+  else
+    git_root="$(git rev-parse --show-toplevel 2>/dev/null || true)"
+    if [ -n "$git_root" ] && [ -d "$git_root/.specify" ]; then
+      REPO_ROOT="$git_root"
+    else
+      REPO_ROOT="$_root"
+    fi
+  fi
+fi
+
+exec "$REPO_ROOT/.specify/scripts/bash/update-agent-context.sh" claude
diff --git a/.specify/integrations/speckit.manifest.json b/.specify/integrations/speckit.manifest.json
new file mode 100644
index 0000000..26e5932
--- /dev/null
+++ b/.specify/integrations/speckit.manifest.json
@@ -0,0 +1,18 @@
+{
+  "integration": "speckit",
+  "version": "0.5.2.dev0",
+  "installed_at": "2026-04-09T15:40:54.366230+00:00",
+  "files": {
+    ".specify/scripts/bash/common.sh": "c88faa71e559bb16f575a78ec61dffbb8d34b3bb598b7ad77a9b2ab1842499f4",
+    ".specify/scripts/bash/setup-plan.sh": "bcaa0ccbf45b7d9ea9bff04006500d7eb28a2bdf82bcc819986b21e5294bf76c",
+    ".specify/scripts/bash/check-prerequisites.sh": "aff361639c504b95a2901493f5022788adc01a6792fd37f132de8f57782e4b80",
+    ".specify/scripts/bash/update-agent-context.sh": "71c8f359a1cf5b89ed7e1b6d929b85384e8b00ce30a040606cb447218083da66",
+    ".specify/scripts/bash/create-new-feature.sh": "3439519f72ce6f88fcd4dcd27346de0c9ffe211c927b1319db42850282f02456",
+    ".specify/templates/agent-file-template.md": "55ed438c2e861444ef22f45fe5238f3ebf0dc1cb6e53067d7232fbbf4ce82892",
+    ".specify/templates/constitution-template.md": "ce7549540fa45543cca797a150201d868e64495fdff39dc38246fb17bd4024b3",
+    ".specify/templates/checklist-template.md": "312eee8291dfa984b21f95ddd0ca778e7a1f0b3a64bfc470d79762a3e3f5d7b8",
+    ".specify/templates/tasks-template.md": "5da92ac1fbf5be2f9018a5064497995bf3592761ccb6b3951503c63d851297e8",
+    ".specify/templates/spec-template.md": "785dc50d856dd92d6515eca0761e16dce0c9ba0a3cd07154fd33eae77932422a",
+    ".specify/templates/plan-template.md": "873e84b226fe3d24afe28046931b20db9bbb9210366428dc958a515349ed6e68"
+  }
+}
diff --git a/.specify/memory/constitution.md b/.specify/memory/constitution.md
new file mode 100644
index 0000000..8e4ffaf
--- /dev/null
+++ b/.specify/memory/constitution.md
@@ -0,0 +1,89 @@
+<!--
+## Sync Impact Report
+
+**Version change**: 1.0.0 → 1.1.0 — trimmed redundant principles; implementation
+conventions now delegated to CLAUDE.md
+
+### Modified Principles
+- I. Swift Concurrency First → removed (covered by CLAUDE.md)
+- II. Test-First Discipline → removed (covered by CLAUDE.md)
+- III. UI Testing Standards → removed (covered by CLAUDE.md)
+- IV. Simplicity → retained, renumbered I
+- V. macOS Platform Compliance → retained, renumbered II
+
+### Added Sections
+- None
+
+### Removed Sections
+- Development Workflow (Git rule already in CLAUDE.md; pre-commit hook in README)
+
+### Templates Requiring Updates
+- All templates ✅ — no structural changes required.
+
+### Deferred Items
+- None.
+-->
+
+# PPPC Utility Constitution
+
+## Core Principles
+
+### I. Simplicity
+
+All code MUST be as simple as the task requires — no more, no less.
+
+- Speculative abstractions, premature helpers, and unused compatibility shims
+  are prohibited.
+- Do not add docstrings, comments, or type annotations to unchanged code.
+- Do not add error handling for impossible scenarios; trust framework guarantees.
+- Do not introduce feature flags or backwards-compatibility hacks when the code
+  can simply change.
+- Three similar lines of code are preferable to a premature abstraction.
+
+**Rationale**: Speculative complexity increases maintenance burden without
+delivering value. Simplicity is a feature.
+
+### II. macOS Platform Compliance
+
+PPPC Utility targets macOS 13.0 and newer. All UI MUST follow Apple's Human
+Interface Guidelines. SwiftUI is the preferred UI framework; AppKit is
+acceptable only for components without adequate SwiftUI coverage.
+
+- Minimum deployment target: macOS 13.0.
+- All interactive UI elements MUST have accessibility identifiers and labels.
+- Profiles MUST be saveable locally (signed or unsigned) and uploadable to
+  Jamf Pro (bearer token, basic auth fallback, or OAuth client credentials).
+
+**Rationale**: Platform convention adherence ensures the application behaves
+predictably and integrates naturally with macOS workflows and enterprise
+management tools.
+
+## Quality Gates
+
+The following gates MUST pass before merging any change:
+
+1. **Compiler warnings**: No new warnings introduced (compare baseline before
+   and after per `CLAUDE.md`).
+2. **Unit tests**: All Swift Testing suites pass.
+3. **UI tests**: All XCUITest cases pass.
+4. **Constitution check**: The change does not violate any principle above.
+
+## Governance
+
+This constitution supersedes all other development practices for this
+repository. Implementation conventions (Swift Concurrency, testing, UI testing,
+Git) are maintained in `CLAUDE.md`. Amendments require:
+
+1. A written rationale explaining the change and its impact.
+2. A version bump per the versioning policy below.
+3. A migration note if existing code must be updated to comply.
+
+**Versioning policy**:
+- MAJOR: Backward-incompatible removal or redefinition of a principle.
+- MINOR: New principle or section added, or material guidance expansion.
+- PATCH: Clarifications, wording improvements, or typo fixes.
+
+All PRs and code reviews MUST verify compliance with this constitution.
+Complexity violations MUST be justified in the PR description.
+
+**Version**: 1.1.0 | **Ratified**: 2026-04-09 | **Last Amended**: 2026-04-09
diff --git a/.specify/scripts/bash/check-prerequisites.sh b/.specify/scripts/bash/check-prerequisites.sh
new file mode 100755
index 0000000..88a5559
--- /dev/null
+++ b/.specify/scripts/bash/check-prerequisites.sh
@@ -0,0 +1,190 @@
+#!/usr/bin/env bash
+
+# Consolidated prerequisite checking script
+#
+# This script provides unified prerequisite checking for Spec-Driven Development workflow.
+# It replaces the functionality previously spread across multiple scripts.
+#
+# Usage: ./check-prerequisites.sh [OPTIONS]
+#
+# OPTIONS:
+#   --json              Output in JSON format
+#   --require-tasks     Require tasks.md to exist (for implementation phase)
+#   --include-tasks     Include tasks.md in AVAILABLE_DOCS list
+#   --paths-only        Only output path variables (no validation)
+#   --help, -h          Show help message
+#
+# OUTPUTS:
+#   JSON mode: {"FEATURE_DIR":"...", "AVAILABLE_DOCS":["..."]}
+#   Text mode: FEATURE_DIR:... \n AVAILABLE_DOCS: \n ✓/✗ file.md
+#   Paths only: REPO_ROOT: ... \n BRANCH: ... \n FEATURE_DIR: ... etc.
+
+set -e
+
+# Parse command line arguments
+JSON_MODE=false
+REQUIRE_TASKS=false
+INCLUDE_TASKS=false
+PATHS_ONLY=false
+
+for arg in "$@"; do
+    case "$arg" in
+        --json)
+            JSON_MODE=true
+            ;;
+        --require-tasks)
+            REQUIRE_TASKS=true
+            ;;
+        --include-tasks)
+            INCLUDE_TASKS=true
+            ;;
+        --paths-only)
+            PATHS_ONLY=true
+            ;;
+        --help|-h)
+            cat << 'EOF'
+Usage: check-prerequisites.sh [OPTIONS]
+
+Consolidated prerequisite checking for Spec-Driven Development workflow.
+
+OPTIONS:
+  --json              Output in JSON format
+  --require-tasks     Require tasks.md to exist (for implementation phase)
+  --include-tasks     Include tasks.md in AVAILABLE_DOCS list
+  --paths-only        Only output path variables (no prerequisite validation)
+  --help, -h          Show this help message
+
+EXAMPLES:
+  # Check task prerequisites (plan.md required)
+  ./check-prerequisites.sh --json
+  
+  # Check implementation prerequisites (plan.md + tasks.md required)
+  ./check-prerequisites.sh --json --require-tasks --include-tasks
+  
+  # Get feature paths only (no validation)
+  ./check-prerequisites.sh --paths-only
+  
+EOF
+            exit 0
+            ;;
+        *)
+            echo "ERROR: Unknown option '$arg'. Use --help for usage information." >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Source common functions
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+# Get feature paths and validate branch
+_paths_output=$(get_feature_paths) || { echo "ERROR: Failed to resolve feature paths" >&2; exit 1; }
+eval "$_paths_output"
+unset _paths_output
+check_feature_branch "$CURRENT_BRANCH" "$HAS_GIT" || exit 1
+
+# If paths-only mode, output paths and exit (support JSON + paths-only combined)
+if $PATHS_ONLY; then
+    if $JSON_MODE; then
+        # Minimal JSON paths payload (no validation performed)
+        if has_jq; then
+            jq -cn \
+                --arg repo_root "$REPO_ROOT" \
+                --arg branch "$CURRENT_BRANCH" \
+                --arg feature_dir "$FEATURE_DIR" \
+                --arg feature_spec "$FEATURE_SPEC" \
+                --arg impl_plan "$IMPL_PLAN" \
+                --arg tasks "$TASKS" \
+                '{REPO_ROOT:$repo_root,BRANCH:$branch,FEATURE_DIR:$feature_dir,FEATURE_SPEC:$feature_spec,IMPL_PLAN:$impl_plan,TASKS:$tasks}'
+        else
+            printf '{"REPO_ROOT":"%s","BRANCH":"%s","FEATURE_DIR":"%s","FEATURE_SPEC":"%s","IMPL_PLAN":"%s","TASKS":"%s"}\n' \
+                "$(json_escape "$REPO_ROOT")" "$(json_escape "$CURRENT_BRANCH")" "$(json_escape "$FEATURE_DIR")" "$(json_escape "$FEATURE_SPEC")" "$(json_escape "$IMPL_PLAN")" "$(json_escape "$TASKS")"
+        fi
+    else
+        echo "REPO_ROOT: $REPO_ROOT"
+        echo "BRANCH: $CURRENT_BRANCH"
+        echo "FEATURE_DIR: $FEATURE_DIR"
+        echo "FEATURE_SPEC: $FEATURE_SPEC"
+        echo "IMPL_PLAN: $IMPL_PLAN"
+        echo "TASKS: $TASKS"
+    fi
+    exit 0
+fi
+
+# Validate required directories and files
+if [[ ! -d "$FEATURE_DIR" ]]; then
+    echo "ERROR: Feature directory not found: $FEATURE_DIR" >&2
+    echo "Run /speckit.specify first to create the feature structure." >&2
+    exit 1
+fi
+
+if [[ ! -f "$IMPL_PLAN" ]]; then
+    echo "ERROR: plan.md not found in $FEATURE_DIR" >&2
+    echo "Run /speckit.plan first to create the implementation plan." >&2
+    exit 1
+fi
+
+# Check for tasks.md if required
+if $REQUIRE_TASKS && [[ ! -f "$TASKS" ]]; then
+    echo "ERROR: tasks.md not found in $FEATURE_DIR" >&2
+    echo "Run /speckit.tasks first to create the task list." >&2
+    exit 1
+fi
+
+# Build list of available documents
+docs=()
+
+# Always check these optional docs
+[[ -f "$RESEARCH" ]] && docs+=("research.md")
+[[ -f "$DATA_MODEL" ]] && docs+=("data-model.md")
+
+# Check contracts directory (only if it exists and has files)
+if [[ -d "$CONTRACTS_DIR" ]] && [[ -n "$(ls -A "$CONTRACTS_DIR" 2>/dev/null)" ]]; then
+    docs+=("contracts/")
+fi
+
+[[ -f "$QUICKSTART" ]] && docs+=("quickstart.md")
+
+# Include tasks.md if requested and it exists
+if $INCLUDE_TASKS && [[ -f "$TASKS" ]]; then
+    docs+=("tasks.md")
+fi
+
+# Output results
+if $JSON_MODE; then
+    # Build JSON array of documents
+    if has_jq; then
+        if [[ ${#docs[@]} -eq 0 ]]; then
+            json_docs="[]"
+        else
+            json_docs=$(printf '%s\n' "${docs[@]}" | jq -R . | jq -s .)
+        fi
+        jq -cn \
+            --arg feature_dir "$FEATURE_DIR" \
+            --argjson docs "$json_docs" \
+            '{FEATURE_DIR:$feature_dir,AVAILABLE_DOCS:$docs}'
+    else
+        if [[ ${#docs[@]} -eq 0 ]]; then
+            json_docs="[]"
+        else
+            json_docs=$(for d in "${docs[@]}"; do printf '"%s",' "$(json_escape "$d")"; done)
+            json_docs="[${json_docs%,}]"
+        fi
+        printf '{"FEATURE_DIR":"%s","AVAILABLE_DOCS":%s}\n' "$(json_escape "$FEATURE_DIR")" "$json_docs"
+    fi
+else
+    # Text output
+    echo "FEATURE_DIR:$FEATURE_DIR"
+    echo "AVAILABLE_DOCS:"
+    
+    # Show status of each potential document
+    check_file "$RESEARCH" "research.md"
+    check_file "$DATA_MODEL" "data-model.md"
+    check_dir "$CONTRACTS_DIR" "contracts/"
+    check_file "$QUICKSTART" "quickstart.md"
+    
+    if $INCLUDE_TASKS; then
+        check_file "$TASKS" "tasks.md"
+    fi
+fi
diff --git a/.specify/scripts/bash/common.sh b/.specify/scripts/bash/common.sh
new file mode 100755
index 0000000..04af7d7
--- /dev/null
+++ b/.specify/scripts/bash/common.sh
@@ -0,0 +1,362 @@
+#!/usr/bin/env bash
+# Common functions and variables for all scripts
+
+# Find repository root by searching upward for .specify directory
+# This is the primary marker for spec-kit projects
+find_specify_root() {
+    local dir="${1:-$(pwd)}"
+    # Normalize to absolute path to prevent infinite loop with relative paths
+    # Use -- to handle paths starting with - (e.g., -P, -L)
+    dir="$(cd -- "$dir" 2>/dev/null && pwd)" || return 1
+    local prev_dir=""
+    while true; do
+        if [ -d "$dir/.specify" ]; then
+            echo "$dir"
+            return 0
+        fi
+        # Stop if we've reached filesystem root or dirname stops changing
+        if [ "$dir" = "/" ] || [ "$dir" = "$prev_dir" ]; then
+            break
+        fi
+        prev_dir="$dir"
+        dir="$(dirname "$dir")"
+    done
+    return 1
+}
+
+# Get repository root, prioritizing .specify directory over git
+# This prevents using a parent git repo when spec-kit is initialized in a subdirectory
+get_repo_root() {
+    # First, look for .specify directory (spec-kit's own marker)
+    local specify_root
+    if specify_root=$(find_specify_root); then
+        echo "$specify_root"
+        return
+    fi
+
+    # Fallback to git if no .specify found
+    if git rev-parse --show-toplevel >/dev/null 2>&1; then
+        git rev-parse --show-toplevel
+        return
+    fi
+
+    # Final fallback to script location for non-git repos
+    local script_dir="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    (cd "$script_dir/../../.." && pwd)
+}
+
+# Get current branch, with fallback for non-git repositories
+get_current_branch() {
+    # First check if SPECIFY_FEATURE environment variable is set
+    if [[ -n "${SPECIFY_FEATURE:-}" ]]; then
+        echo "$SPECIFY_FEATURE"
+        return
+    fi
+
+    # Then check git if available at the spec-kit root (not parent)
+    local repo_root=$(get_repo_root)
+    if has_git; then
+        git -C "$repo_root" rev-parse --abbrev-ref HEAD
+        return
+    fi
+
+    # For non-git repos, try to find the latest feature directory
+    local specs_dir="$repo_root/specs"
+
+    if [[ -d "$specs_dir" ]]; then
+        local latest_feature=""
+        local highest=0
+        local latest_timestamp=""
+
+        for dir in "$specs_dir"/*; do
+            if [[ -d "$dir" ]]; then
+                local dirname=$(basename "$dir")
+                if [[ "$dirname" =~ ^([0-9]{8}-[0-9]{6})- ]]; then
+                    # Timestamp-based branch: compare lexicographically
+                    local ts="${BASH_REMATCH[1]}"
+                    if [[ "$ts" > "$latest_timestamp" ]]; then
+                        latest_timestamp="$ts"
+                        latest_feature=$dirname
+                    fi
+                elif [[ "$dirname" =~ ^([0-9]{3,})- ]]; then
+                    local number=${BASH_REMATCH[1]}
+                    number=$((10#$number))
+                    if [[ "$number" -gt "$highest" ]]; then
+                        highest=$number
+                        # Only update if no timestamp branch found yet
+                        if [[ -z "$latest_timestamp" ]]; then
+                            latest_feature=$dirname
+                        fi
+                    fi
+                fi
+            fi
+        done
+
+        if [[ -n "$latest_feature" ]]; then
+            echo "$latest_feature"
+            return
+        fi
+    fi
+
+    echo "main"  # Final fallback
+}
+
+# Check if we have git available at the spec-kit root level
+# Returns true only if git is installed and the repo root is inside a git work tree
+# Handles both regular repos (.git directory) and worktrees/submodules (.git file)
+has_git() {
+    # First check if git command is available (before calling get_repo_root which may use git)
+    command -v git >/dev/null 2>&1 || return 1
+    local repo_root=$(get_repo_root)
+    # Check if .git exists (directory or file for worktrees/submodules)
+    [ -e "$repo_root/.git" ] || return 1
+    # Verify it's actually a valid git work tree
+    git -C "$repo_root" rev-parse --is-inside-work-tree >/dev/null 2>&1
+}
+
+check_feature_branch() {
+    local branch="$1"
+    local has_git_repo="$2"
+
+    # For non-git repos, we can't enforce branch naming but still provide output
+    if [[ "$has_git_repo" != "true" ]]; then
+        echo "[specify] Warning: Git repository not detected; skipped branch validation" >&2
+        return 0
+    fi
+
+    # Accept sequential prefix (3+ digits) but exclude malformed timestamps
+    # Malformed: 7-or-8 digit date + 6-digit time with no trailing slug (e.g. "2026031-143022" or "20260319-143022")
+    local is_sequential=false
+    if [[ "$branch" =~ ^[0-9]{3,}- ]] && [[ ! "$branch" =~ ^[0-9]{7}-[0-9]{6}- ]] && [[ ! "$branch" =~ ^[0-9]{7,8}-[0-9]{6}$ ]]; then
+        is_sequential=true
+    fi
+    if [[ "$is_sequential" != "true" ]] && [[ ! "$branch" =~ ^[0-9]{8}-[0-9]{6}- ]]; then
+        echo "ERROR: Not on a feature branch. Current branch: $branch" >&2
+        echo "Feature branches should be named like: 001-feature-name, 1234-feature-name, or 20260319-143022-feature-name" >&2
+        return 1
+    fi
+
+    return 0
+}
+
+get_feature_dir() { echo "$1/specs/$2"; }
+
+# Find feature directory by numeric prefix instead of exact branch match
+# This allows multiple branches to work on the same spec (e.g., 004-fix-bug, 004-add-feature)
+find_feature_dir_by_prefix() {
+    local repo_root="$1"
+    local branch_name="$2"
+    local specs_dir="$repo_root/specs"
+
+    # Extract prefix from branch (e.g., "004" from "004-whatever" or "20260319-143022" from timestamp branches)
+    local prefix=""
+    if [[ "$branch_name" =~ ^([0-9]{8}-[0-9]{6})- ]]; then
+        prefix="${BASH_REMATCH[1]}"
+    elif [[ "$branch_name" =~ ^([0-9]{3,})- ]]; then
+        prefix="${BASH_REMATCH[1]}"
+    else
+        # If branch doesn't have a recognized prefix, fall back to exact match
+        echo "$specs_dir/$branch_name"
+        return
+    fi
+
+    # Search for directories in specs/ that start with this prefix
+    local matches=()
+    if [[ -d "$specs_dir" ]]; then
+        for dir in "$specs_dir"/"$prefix"-*; do
+            if [[ -d "$dir" ]]; then
+                matches+=("$(basename "$dir")")
+            fi
+        done
+    fi
+
+    # Handle results
+    if [[ ${#matches[@]} -eq 0 ]]; then
+        # No match found - return the branch name path (will fail later with clear error)
+        echo "$specs_dir/$branch_name"
+    elif [[ ${#matches[@]} -eq 1 ]]; then
+        # Exactly one match - perfect!
+        echo "$specs_dir/${matches[0]}"
+    else
+        # Multiple matches - this shouldn't happen with proper naming convention
+        echo "ERROR: Multiple spec directories found with prefix '$prefix': ${matches[*]}" >&2
+        echo "Please ensure only one spec directory exists per prefix." >&2
+        return 1
+    fi
+}
+
+get_feature_paths() {
+    local repo_root=$(get_repo_root)
+    local current_branch=$(get_current_branch)
+    local has_git_repo="false"
+
+    if has_git; then
+        has_git_repo="true"
+    fi
+
+    # Resolve feature directory.  Priority:
+    #   1. SPECIFY_FEATURE_DIRECTORY env var (explicit override)
+    #   2. .specify/feature.json "feature_directory" key (persisted by /speckit.specify)
+    #   3. Branch-name-based prefix lookup (legacy fallback)
+    local feature_dir
+    if [[ -n "${SPECIFY_FEATURE_DIRECTORY:-}" ]]; then
+        feature_dir="$SPECIFY_FEATURE_DIRECTORY"
+        # Normalize relative paths to absolute under repo root
+        [[ "$feature_dir" != /* ]] && feature_dir="$repo_root/$feature_dir"
+    elif [[ -f "$repo_root/.specify/feature.json" ]]; then
+        local _fd
+        if command -v jq >/dev/null 2>&1; then
+            _fd=$(jq -r '.feature_directory // empty' "$repo_root/.specify/feature.json" 2>/dev/null)
+        elif command -v python3 >/dev/null 2>&1; then
+            # Fallback: use Python to parse JSON so pretty-printed/multi-line files work
+            _fd=$(python3 -c "import json,sys; d=json.load(open(sys.argv[1])); print(d.get('feature_directory',''))" "$repo_root/.specify/feature.json" 2>/dev/null)
+        else
+            # Last resort: single-line grep fallback (won't work on multi-line JSON)
+            _fd=$(grep -o '"feature_directory"[[:space:]]*:[[:space:]]*"[^"]*"' "$repo_root/.specify/feature.json" 2>/dev/null | sed 's/.*"\([^"]*\)"$/\1/')
+        fi
+        if [[ -n "$_fd" ]]; then
+            feature_dir="$_fd"
+            # Normalize relative paths to absolute under repo root
+            [[ "$feature_dir" != /* ]] && feature_dir="$repo_root/$feature_dir"
+        elif ! feature_dir=$(find_feature_dir_by_prefix "$repo_root" "$current_branch"); then
+            echo "ERROR: Failed to resolve feature directory" >&2
+            return 1
+        fi
+    elif ! feature_dir=$(find_feature_dir_by_prefix "$repo_root" "$current_branch"); then
+        echo "ERROR: Failed to resolve feature directory" >&2
+        return 1
+    fi
+
+    # Use printf '%q' to safely quote values, preventing shell injection
+    # via crafted branch names or paths containing special characters
+    printf 'REPO_ROOT=%q\n' "$repo_root"
+    printf 'CURRENT_BRANCH=%q\n' "$current_branch"
+    printf 'HAS_GIT=%q\n' "$has_git_repo"
+    printf 'FEATURE_DIR=%q\n' "$feature_dir"
+    printf 'FEATURE_SPEC=%q\n' "$feature_dir/spec.md"
+    printf 'IMPL_PLAN=%q\n' "$feature_dir/plan.md"
+    printf 'TASKS=%q\n' "$feature_dir/tasks.md"
+    printf 'RESEARCH=%q\n' "$feature_dir/research.md"
+    printf 'DATA_MODEL=%q\n' "$feature_dir/data-model.md"
+    printf 'QUICKSTART=%q\n' "$feature_dir/quickstart.md"
+    printf 'CONTRACTS_DIR=%q\n' "$feature_dir/contracts"
+}
+
+# Check if jq is available for safe JSON construction
+has_jq() {
+    command -v jq >/dev/null 2>&1
+}
+
+# Escape a string for safe embedding in a JSON value (fallback when jq is unavailable).
+# Handles backslash, double-quote, and JSON-required control character escapes (RFC 8259).
+json_escape() {
+    local s="$1"
+    s="${s//\\/\\\\}"
+    s="${s//\"/\\\"}"
+    s="${s//$'\n'/\\n}"
+    s="${s//$'\t'/\\t}"
+    s="${s//$'\r'/\\r}"
+    s="${s//$'\b'/\\b}"
+    s="${s//$'\f'/\\f}"
+    # Escape any remaining U+0001-U+001F control characters as \uXXXX.
+    # (U+0000/NUL cannot appear in bash strings and is excluded.)
+    # LC_ALL=C ensures ${#s} counts bytes and ${s:$i:1} yields single bytes,
+    # so multi-byte UTF-8 sequences (first byte >= 0xC0) pass through intact.
+    local LC_ALL=C
+    local i char code
+    for (( i=0; i<${#s}; i++ )); do
+        char="${s:$i:1}"
+        printf -v code '%d' "'$char" 2>/dev/null || code=256
+        if (( code >= 1 && code <= 31 )); then
+            printf '\\u%04x' "$code"
+        else
+            printf '%s' "$char"
+        fi
+    done
+}
+
+check_file() { [[ -f "$1" ]] && echo "  ✓ $2" || echo "  ✗ $2"; }
+check_dir() { [[ -d "$1" && -n $(ls -A "$1" 2>/dev/null) ]] && echo "  ✓ $2" || echo "  ✗ $2"; }
+
+# Resolve a template name to a file path using the priority stack:
+#   1. .specify/templates/overrides/
+#   2. .specify/presets/<preset-id>/templates/ (sorted by priority from .registry)
+#   3. .specify/extensions/<ext-id>/templates/
+#   4. .specify/templates/ (core)
+resolve_template() {
+    local template_name="$1"
+    local repo_root="$2"
+    local base="$repo_root/.specify/templates"
+
+    # Priority 1: Project overrides
+    local override="$base/overrides/${template_name}.md"
+    [ -f "$override" ] && echo "$override" && return 0
+
+    # Priority 2: Installed presets (sorted by priority from .registry)
+    local presets_dir="$repo_root/.specify/presets"
+    if [ -d "$presets_dir" ]; then
+        local registry_file="$presets_dir/.registry"
+        if [ -f "$registry_file" ] && command -v python3 >/dev/null 2>&1; then
+            # Read preset IDs sorted by priority (lower number = higher precedence).
+            # The python3 call is wrapped in an if-condition so that set -e does not
+            # abort the function when python3 exits non-zero (e.g. invalid JSON).
+            local sorted_presets=""
+            if sorted_presets=$(SPECKIT_REGISTRY="$registry_file" python3 -c "
+import json, sys, os
+try:
+    with open(os.environ['SPECKIT_REGISTRY']) as f:
+        data = json.load(f)
+    presets = data.get('presets', {})
+    for pid, meta in sorted(presets.items(), key=lambda x: x[1].get('priority', 10)):
+        print(pid)
+except Exception:
+    sys.exit(1)
+" 2>/dev/null); then
+                if [ -n "$sorted_presets" ]; then
+                    # python3 succeeded and returned preset IDs — search in priority order
+                    while IFS= read -r preset_id; do
+                        local candidate="$presets_dir/$preset_id/templates/${template_name}.md"
+                        [ -f "$candidate" ] && echo "$candidate" && return 0
+                    done <<< "$sorted_presets"
+                fi
+                # python3 succeeded but registry has no presets — nothing to search
+            else
+                # python3 failed (missing, or registry parse error) — fall back to unordered directory scan
+                for preset in "$presets_dir"/*/; do
+                    [ -d "$preset" ] || continue
+                    local candidate="$preset/templates/${template_name}.md"
+                    [ -f "$candidate" ] && echo "$candidate" && return 0
+                done
+            fi
+        else
+            # Fallback: alphabetical directory order (no python3 available)
+            for preset in "$presets_dir"/*/; do
+                [ -d "$preset" ] || continue
+                local candidate="$preset/templates/${template_name}.md"
+                [ -f "$candidate" ] && echo "$candidate" && return 0
+            done
+        fi
+    fi
+
+    # Priority 3: Extension-provided templates
+    local ext_dir="$repo_root/.specify/extensions"
+    if [ -d "$ext_dir" ]; then
+        for ext in "$ext_dir"/*/; do
+            [ -d "$ext" ] || continue
+            # Skip hidden directories (e.g. .backup, .cache)
+            case "$(basename "$ext")" in .*) continue;; esac
+            local candidate="$ext/templates/${template_name}.md"
+            [ -f "$candidate" ] && echo "$candidate" && return 0
+        done
+    fi
+
+    # Priority 4: Core templates
+    local core="$base/${template_name}.md"
+    [ -f "$core" ] && echo "$core" && return 0
+
+    # Template not found in any location.
+    # Return 1 so callers can distinguish "not found" from "found".
+    # Callers running under set -e should use: TEMPLATE=$(resolve_template ...) || true
+    return 1
+}
+
diff --git a/.specify/scripts/bash/create-new-feature.sh b/.specify/scripts/bash/create-new-feature.sh
new file mode 100755
index 0000000..1879647
--- /dev/null
+++ b/.specify/scripts/bash/create-new-feature.sh
@@ -0,0 +1,413 @@
+#!/usr/bin/env bash
+
+set -e
+
+JSON_MODE=false
+DRY_RUN=false
+ALLOW_EXISTING=false
+SHORT_NAME=""
+BRANCH_NUMBER=""
+USE_TIMESTAMP=false
+ARGS=()
+i=1
+while [ $i -le $# ]; do
+    arg="${!i}"
+    case "$arg" in
+        --json)
+            JSON_MODE=true
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            ;;
+        --allow-existing-branch)
+            ALLOW_EXISTING=true
+            ;;
+        --short-name)
+            if [ $((i + 1)) -gt $# ]; then
+                echo 'Error: --short-name requires a value' >&2
+                exit 1
+            fi
+            i=$((i + 1))
+            next_arg="${!i}"
+            # Check if the next argument is another option (starts with --)
+            if [[ "$next_arg" == --* ]]; then
+                echo 'Error: --short-name requires a value' >&2
+                exit 1
+            fi
+            SHORT_NAME="$next_arg"
+            ;;
+        --number)
+            if [ $((i + 1)) -gt $# ]; then
+                echo 'Error: --number requires a value' >&2
+                exit 1
+            fi
+            i=$((i + 1))
+            next_arg="${!i}"
+            if [[ "$next_arg" == --* ]]; then
+                echo 'Error: --number requires a value' >&2
+                exit 1
+            fi
+            BRANCH_NUMBER="$next_arg"
+            ;;
+        --timestamp)
+            USE_TIMESTAMP=true
+            ;;
+        --help|-h)
+            echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>"
+            echo ""
+            echo "Options:"
+            echo "  --json              Output in JSON format"
+            echo "  --dry-run           Compute branch name and paths without creating branches, directories, or files"
+            echo "  --allow-existing-branch  Switch to branch if it already exists instead of failing"
+            echo "  --short-name <name> Provide a custom short name (2-4 words) for the branch"
+            echo "  --number N          Specify branch number manually (overrides auto-detection)"
+            echo "  --timestamp         Use timestamp prefix (YYYYMMDD-HHMMSS) instead of sequential numbering"
+            echo "  --help, -h          Show this help message"
+            echo ""
+            echo "Examples:"
+            echo "  $0 'Add user authentication system' --short-name 'user-auth'"
+            echo "  $0 'Implement OAuth2 integration for API' --number 5"
+            echo "  $0 --timestamp --short-name 'user-auth' 'Add user authentication'"
+            exit 0
+            ;;
+        *)
+            ARGS+=("$arg")
+            ;;
+    esac
+    i=$((i + 1))
+done
+
+FEATURE_DESCRIPTION="${ARGS[*]}"
+if [ -z "$FEATURE_DESCRIPTION" ]; then
+    echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>" >&2
+    exit 1
+fi
+
+# Trim whitespace and validate description is not empty (e.g., user passed only whitespace)
+FEATURE_DESCRIPTION=$(echo "$FEATURE_DESCRIPTION" | xargs)
+if [ -z "$FEATURE_DESCRIPTION" ]; then
+    echo "Error: Feature description cannot be empty or contain only whitespace" >&2
+    exit 1
+fi
+
+# Function to get highest number from specs directory
+get_highest_from_specs() {
+    local specs_dir="$1"
+    local highest=0
+    
+    if [ -d "$specs_dir" ]; then
+        for dir in "$specs_dir"/*; do
+            [ -d "$dir" ] || continue
+            dirname=$(basename "$dir")
+            # Match sequential prefixes (>=3 digits), but skip timestamp dirs.
+            if echo "$dirname" | grep -Eq '^[0-9]{3,}-' && ! echo "$dirname" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
+                number=$(echo "$dirname" | grep -Eo '^[0-9]+')
+                number=$((10#$number))
+                if [ "$number" -gt "$highest" ]; then
+                    highest=$number
+                fi
+            fi
+        done
+    fi
+    
+    echo "$highest"
+}
+
+# Function to get highest number from git branches
+get_highest_from_branches() {
+    git branch -a 2>/dev/null | sed 's/^[* ]*//; s|^remotes/[^/]*/||' | _extract_highest_number
+}
+
+# Extract the highest sequential feature number from a list of ref names (one per line).
+# Shared by get_highest_from_branches and get_highest_from_remote_refs.
+_extract_highest_number() {
+    local highest=0
+    while IFS= read -r name; do
+        [ -z "$name" ] && continue
+        if echo "$name" | grep -Eq '^[0-9]{3,}-' && ! echo "$name" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
+            number=$(echo "$name" | grep -Eo '^[0-9]+' || echo "0")
+            number=$((10#$number))
+            if [ "$number" -gt "$highest" ]; then
+                highest=$number
+            fi
+        fi
+    done
+    echo "$highest"
+}
+
+# Function to get highest number from remote branches without fetching (side-effect-free)
+get_highest_from_remote_refs() {
+    local highest=0
+
+    for remote in $(git remote 2>/dev/null); do
+        local remote_highest
+        remote_highest=$(GIT_TERMINAL_PROMPT=0 git ls-remote --heads "$remote" 2>/dev/null | sed 's|.*refs/heads/||' | _extract_highest_number)
+        if [ "$remote_highest" -gt "$highest" ]; then
+            highest=$remote_highest
+        fi
+    done
+
+    echo "$highest"
+}
+
+# Function to check existing branches (local and remote) and return next available number.
+# When skip_fetch is true, queries remotes via ls-remote (read-only) instead of fetching.
+check_existing_branches() {
+    local specs_dir="$1"
+    local skip_fetch="${2:-false}"
+
+    if [ "$skip_fetch" = true ]; then
+        # Side-effect-free: query remotes via ls-remote
+        local highest_remote=$(get_highest_from_remote_refs)
+        local highest_branch=$(get_highest_from_branches)
+        if [ "$highest_remote" -gt "$highest_branch" ]; then
+            highest_branch=$highest_remote
+        fi
+    else
+        # Fetch all remotes to get latest branch info (suppress errors if no remotes)
+        git fetch --all --prune >/dev/null 2>&1 || true
+        local highest_branch=$(get_highest_from_branches)
+    fi
+
+    # Get highest number from ALL specs (not just matching short name)
+    local highest_spec=$(get_highest_from_specs "$specs_dir")
+
+    # Take the maximum of both
+    local max_num=$highest_branch
+    if [ "$highest_spec" -gt "$max_num" ]; then
+        max_num=$highest_spec
+    fi
+
+    # Return next number
+    echo $((max_num + 1))
+}
+
+# Function to clean and format a branch name
+clean_branch_name() {
+    local name="$1"
+    echo "$name" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/-\+/-/g' | sed 's/^-//' | sed 's/-$//'
+}
+
+# Resolve repository root using common.sh functions which prioritize .specify over git
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+REPO_ROOT=$(get_repo_root)
+
+# Check if git is available at this repo root (not a parent)
+if has_git; then
+    HAS_GIT=true
+else
+    HAS_GIT=false
+fi
+
+cd "$REPO_ROOT"
+
+SPECS_DIR="$REPO_ROOT/specs"
+if [ "$DRY_RUN" != true ]; then
+    mkdir -p "$SPECS_DIR"
+fi
+
+# Function to generate branch name with stop word filtering and length filtering
+generate_branch_name() {
+    local description="$1"
+    
+    # Common stop words to filter out
+    local stop_words="^(i|a|an|the|to|for|of|in|on|at|by|with|from|is|are|was|were|be|been|being|have|has|had|do|does|did|will|would|should|could|can|may|might|must|shall|this|that|these|those|my|your|our|their|want|need|add|get|set)$"
+    
+    # Convert to lowercase and split into words
+    local clean_name=$(echo "$description" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/ /g')
+    
+    # Filter words: remove stop words and words shorter than 3 chars (unless they're uppercase acronyms in original)
+    local meaningful_words=()
+    for word in $clean_name; do
+        # Skip empty words
+        [ -z "$word" ] && continue
+        
+        # Keep words that are NOT stop words AND (length >= 3 OR are potential acronyms)
+        if ! echo "$word" | grep -qiE "$stop_words"; then
+            if [ ${#word} -ge 3 ]; then
+                meaningful_words+=("$word")
+            elif echo "$description" | grep -q "\b${word^^}\b"; then
+                # Keep short words if they appear as uppercase in original (likely acronyms)
+                meaningful_words+=("$word")
+            fi
+        fi
+    done
+    
+    # If we have meaningful words, use first 3-4 of them
+    if [ ${#meaningful_words[@]} -gt 0 ]; then
+        local max_words=3
+        if [ ${#meaningful_words[@]} -eq 4 ]; then max_words=4; fi
+        
+        local result=""
+        local count=0
+        for word in "${meaningful_words[@]}"; do
+            if [ $count -ge $max_words ]; then break; fi
+            if [ -n "$result" ]; then result="$result-"; fi
+            result="$result$word"
+            count=$((count + 1))
+        done
+        echo "$result"
+    else
+        # Fallback to original logic if no meaningful words found
+        local cleaned=$(clean_branch_name "$description")
+        echo "$cleaned" | tr '-' '\n' | grep -v '^$' | head -3 | tr '\n' '-' | sed 's/-$//'
+    fi
+}
+
+# Generate branch name
+if [ -n "$SHORT_NAME" ]; then
+    # Use provided short name, just clean it up
+    BRANCH_SUFFIX=$(clean_branch_name "$SHORT_NAME")
+else
+    # Generate from description with smart filtering
+    BRANCH_SUFFIX=$(generate_branch_name "$FEATURE_DESCRIPTION")
+fi
+
+# Warn if --number and --timestamp are both specified
+if [ "$USE_TIMESTAMP" = true ] && [ -n "$BRANCH_NUMBER" ]; then
+    >&2 echo "[specify] Warning: --number is ignored when --timestamp is used"
+    BRANCH_NUMBER=""
+fi
+
+# Determine branch prefix
+if [ "$USE_TIMESTAMP" = true ]; then
+    FEATURE_NUM=$(date +%Y%m%d-%H%M%S)
+    BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
+else
+    # Determine branch number
+    if [ -z "$BRANCH_NUMBER" ]; then
+        if [ "$DRY_RUN" = true ] && [ "$HAS_GIT" = true ]; then
+            # Dry-run: query remotes via ls-remote (side-effect-free, no fetch)
+            BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR" true)
+        elif [ "$DRY_RUN" = true ]; then
+            # Dry-run without git: local spec dirs only
+            HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
+            BRANCH_NUMBER=$((HIGHEST + 1))
+        elif [ "$HAS_GIT" = true ]; then
+            # Check existing branches on remotes
+            BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR")
+        else
+            # Fall back to local directory check
+            HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
+            BRANCH_NUMBER=$((HIGHEST + 1))
+        fi
+    fi
+
+    # Force base-10 interpretation to prevent octal conversion (e.g., 010 → 8 in octal, but should be 10 in decimal)
+    FEATURE_NUM=$(printf "%03d" "$((10#$BRANCH_NUMBER))")
+    BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
+fi
+
+# GitHub enforces a 244-byte limit on branch names
+# Validate and truncate if necessary
+MAX_BRANCH_LENGTH=244
+if [ ${#BRANCH_NAME} -gt $MAX_BRANCH_LENGTH ]; then
+    # Calculate how much we need to trim from suffix
+    # Account for prefix length: timestamp (15) + hyphen (1) = 16, or sequential (3) + hyphen (1) = 4
+    PREFIX_LENGTH=$(( ${#FEATURE_NUM} + 1 ))
+    MAX_SUFFIX_LENGTH=$((MAX_BRANCH_LENGTH - PREFIX_LENGTH))
+    
+    # Truncate suffix at word boundary if possible
+    TRUNCATED_SUFFIX=$(echo "$BRANCH_SUFFIX" | cut -c1-$MAX_SUFFIX_LENGTH)
+    # Remove trailing hyphen if truncation created one
+    TRUNCATED_SUFFIX=$(echo "$TRUNCATED_SUFFIX" | sed 's/-$//')
+    
+    ORIGINAL_BRANCH_NAME="$BRANCH_NAME"
+    BRANCH_NAME="${FEATURE_NUM}-${TRUNCATED_SUFFIX}"
+    
+    >&2 echo "[specify] Warning: Branch name exceeded GitHub's 244-byte limit"
+    >&2 echo "[specify] Original: $ORIGINAL_BRANCH_NAME (${#ORIGINAL_BRANCH_NAME} bytes)"
+    >&2 echo "[specify] Truncated to: $BRANCH_NAME (${#BRANCH_NAME} bytes)"
+fi
+
+FEATURE_DIR="$SPECS_DIR/$BRANCH_NAME"
+SPEC_FILE="$FEATURE_DIR/spec.md"
+
+if [ "$DRY_RUN" != true ]; then
+    if [ "$HAS_GIT" = true ]; then
+        branch_create_error=""
+        if ! branch_create_error=$(git checkout -q -b "$BRANCH_NAME" 2>&1); then
+            current_branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
+            # Check if branch already exists
+            if git branch --list "$BRANCH_NAME" | grep -q .; then
+                if [ "$ALLOW_EXISTING" = true ]; then
+                    # If we're already on the branch, continue without another checkout.
+                    if [ "$current_branch" = "$BRANCH_NAME" ]; then
+                        :
+                    # Otherwise switch to the existing branch instead of failing.
+                    elif ! switch_branch_error=$(git checkout -q "$BRANCH_NAME" 2>&1); then
+                        >&2 echo "Error: Failed to switch to existing branch '$BRANCH_NAME'. Please resolve any local changes or conflicts and try again."
+                        if [ -n "$switch_branch_error" ]; then
+                            >&2 printf '%s\n' "$switch_branch_error"
+                        fi
+                        exit 1
+                    fi
+                elif [ "$USE_TIMESTAMP" = true ]; then
+                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Rerun to get a new timestamp or use a different --short-name."
+                    exit 1
+                else
+                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Please use a different feature name or specify a different number with --number."
+                    exit 1
+                fi
+            else
+                >&2 echo "Error: Failed to create git branch '$BRANCH_NAME'."
+                if [ -n "$branch_create_error" ]; then
+                    >&2 printf '%s\n' "$branch_create_error"
+                else
+                    >&2 echo "Please check your git configuration and try again."
+                fi
+                exit 1
+            fi
+        fi
+    else
+        >&2 echo "[specify] Warning: Git repository not detected; skipped branch creation for $BRANCH_NAME"
+    fi
+
+    mkdir -p "$FEATURE_DIR"
+
+    if [ ! -f "$SPEC_FILE" ]; then
+        TEMPLATE=$(resolve_template "spec-template" "$REPO_ROOT") || true
+        if [ -n "$TEMPLATE" ] && [ -f "$TEMPLATE" ]; then
+            cp "$TEMPLATE" "$SPEC_FILE"
+        else
+            echo "Warning: Spec template not found; created empty spec file" >&2
+            touch "$SPEC_FILE"
+        fi
+    fi
+
+    # Inform the user how to persist the feature variable in their own shell
+    printf '# To persist: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME" >&2
+fi
+
+if $JSON_MODE; then
+    if command -v jq >/dev/null 2>&1; then
+        if [ "$DRY_RUN" = true ]; then
+            jq -cn \
+                --arg branch_name "$BRANCH_NAME" \
+                --arg spec_file "$SPEC_FILE" \
+                --arg feature_num "$FEATURE_NUM" \
+                '{BRANCH_NAME:$branch_name,SPEC_FILE:$spec_file,FEATURE_NUM:$feature_num,DRY_RUN:true}'
+        else
+            jq -cn \
+                --arg branch_name "$BRANCH_NAME" \
+                --arg spec_file "$SPEC_FILE" \
+                --arg feature_num "$FEATURE_NUM" \
+                '{BRANCH_NAME:$branch_name,SPEC_FILE:$spec_file,FEATURE_NUM:$feature_num}'
+        fi
+    else
+        if [ "$DRY_RUN" = true ]; then
+            printf '{"BRANCH_NAME":"%s","SPEC_FILE":"%s","FEATURE_NUM":"%s","DRY_RUN":true}\n' "$(json_escape "$BRANCH_NAME")" "$(json_escape "$SPEC_FILE")" "$(json_escape "$FEATURE_NUM")"
+        else
+            printf '{"BRANCH_NAME":"%s","SPEC_FILE":"%s","FEATURE_NUM":"%s"}\n' "$(json_escape "$BRANCH_NAME")" "$(json_escape "$SPEC_FILE")" "$(json_escape "$FEATURE_NUM")"
+        fi
+    fi
+else
+    echo "BRANCH_NAME: $BRANCH_NAME"
+    echo "SPEC_FILE: $SPEC_FILE"
+    echo "FEATURE_NUM: $FEATURE_NUM"
+    if [ "$DRY_RUN" != true ]; then
+        printf '# To persist in your shell: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME"
+    fi
+fi
diff --git a/.specify/scripts/bash/setup-plan.sh b/.specify/scripts/bash/setup-plan.sh
new file mode 100755
index 0000000..9f55231
--- /dev/null
+++ b/.specify/scripts/bash/setup-plan.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Parse command line arguments
+JSON_MODE=false
+ARGS=()
+
+for arg in "$@"; do
+    case "$arg" in
+        --json) 
+            JSON_MODE=true 
+            ;;
+        --help|-h) 
+            echo "Usage: $0 [--json]"
+            echo "  --json    Output results in JSON format"
+            echo "  --help    Show this help message"
+            exit 0 
+            ;;
+        *) 
+            ARGS+=("$arg") 
+            ;;
+    esac
+done
+
+# Get script directory and load common functions
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+# Get all paths and variables from common functions
+_paths_output=$(get_feature_paths) || { echo "ERROR: Failed to resolve feature paths" >&2; exit 1; }
+eval "$_paths_output"
+unset _paths_output
+
+# Check if we're on a proper feature branch (only for git repos)
+check_feature_branch "$CURRENT_BRANCH" "$HAS_GIT" || exit 1
+
+# Ensure the feature directory exists
+mkdir -p "$FEATURE_DIR"
+
+# Copy plan template if it exists
+TEMPLATE=$(resolve_template "plan-template" "$REPO_ROOT") || true
+if [[ -n "$TEMPLATE" ]] && [[ -f "$TEMPLATE" ]]; then
+    cp "$TEMPLATE" "$IMPL_PLAN"
+    echo "Copied plan template to $IMPL_PLAN"
+else
+    echo "Warning: Plan template not found"
+    # Create a basic plan file if template doesn't exist
+    touch "$IMPL_PLAN"
+fi
+
+# Output results
+if $JSON_MODE; then
+    if has_jq; then
+        jq -cn \
+            --arg feature_spec "$FEATURE_SPEC" \
+            --arg impl_plan "$IMPL_PLAN" \
+            --arg specs_dir "$FEATURE_DIR" \
+            --arg branch "$CURRENT_BRANCH" \
+            --arg has_git "$HAS_GIT" \
+            '{FEATURE_SPEC:$feature_spec,IMPL_PLAN:$impl_plan,SPECS_DIR:$specs_dir,BRANCH:$branch,HAS_GIT:$has_git}'
+    else
+        printf '{"FEATURE_SPEC":"%s","IMPL_PLAN":"%s","SPECS_DIR":"%s","BRANCH":"%s","HAS_GIT":"%s"}\n' \
+            "$(json_escape "$FEATURE_SPEC")" "$(json_escape "$IMPL_PLAN")" "$(json_escape "$FEATURE_DIR")" "$(json_escape "$CURRENT_BRANCH")" "$(json_escape "$HAS_GIT")"
+    fi
+else
+    echo "FEATURE_SPEC: $FEATURE_SPEC"
+    echo "IMPL_PLAN: $IMPL_PLAN" 
+    echo "SPECS_DIR: $FEATURE_DIR"
+    echo "BRANCH: $CURRENT_BRANCH"
+    echo "HAS_GIT: $HAS_GIT"
+fi
+
diff --git a/.specify/scripts/bash/update-agent-context.sh b/.specify/scripts/bash/update-agent-context.sh
new file mode 100755
index 0000000..fce379b
--- /dev/null
+++ b/.specify/scripts/bash/update-agent-context.sh
@@ -0,0 +1,854 @@
+#!/usr/bin/env bash
+
+# Update agent context files with information from plan.md
+#
+# This script maintains AI agent context files by parsing feature specifications 
+# and updating agent-specific configuration files with project information.
+#
+# MAIN FUNCTIONS:
+# 1. Environment Validation
+#    - Verifies git repository structure and branch information
+#    - Checks for required plan.md files and templates
+#    - Validates file permissions and accessibility
+#
+# 2. Plan Data Extraction
+#    - Parses plan.md files to extract project metadata
+#    - Identifies language/version, frameworks, databases, and project types
+#    - Handles missing or incomplete specification data gracefully
+#
+# 3. Agent File Management
+#    - Creates new agent context files from templates when needed
+#    - Updates existing agent files with new project information
+#    - Preserves manual additions and custom configurations
+#    - Supports multiple AI agent formats and directory structures
+#
+# 4. Content Generation
+#    - Generates language-specific build/test commands
+#    - Creates appropriate project directory structures
+#    - Updates technology stacks and recent changes sections
+#    - Maintains consistent formatting and timestamps
+#
+# 5. Multi-Agent Support
+#    - Handles agent-specific file paths and naming conventions
+#    - Supports: Claude, Gemini, Copilot, Cursor, Qwen, opencode, Codex, Windsurf, Junie, Kilo Code, Auggie CLI, Roo Code, CodeBuddy CLI, Qoder CLI, Amp, SHAI, Tabnine CLI, Kiro CLI, Mistral Vibe, Kimi Code, Pi Coding Agent, iFlow CLI, Forge, Antigravity or Generic
+#    - Can update single agents or all existing agent files
+#    - Creates default Claude file if no agent files exist
+#
+# Usage: ./update-agent-context.sh [agent_type]
+# Agent types: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|junie|kilocode|auggie|roo|codebuddy|amp|shai|tabnine|kiro-cli|agy|bob|vibe|qodercli|kimi|trae|pi|iflow|forge|generic
+# Leave empty to update all existing agent files
+
+set -e
+
+# Enable strict error handling
+set -u
+set -o pipefail
+
+#==============================================================================
+# Configuration and Global Variables
+#==============================================================================
+
+# Get script directory and load common functions
+SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+# Get all paths and variables from common functions
+_paths_output=$(get_feature_paths) || { echo "ERROR: Failed to resolve feature paths" >&2; exit 1; }
+eval "$_paths_output"
+unset _paths_output
+
+NEW_PLAN="$IMPL_PLAN"  # Alias for compatibility with existing code
+AGENT_TYPE="${1:-}"
+
+# Agent-specific file paths  
+CLAUDE_FILE="$REPO_ROOT/CLAUDE.md"
+GEMINI_FILE="$REPO_ROOT/GEMINI.md"
+COPILOT_FILE="$REPO_ROOT/.github/copilot-instructions.md"
+CURSOR_FILE="$REPO_ROOT/.cursor/rules/specify-rules.mdc"
+QWEN_FILE="$REPO_ROOT/QWEN.md"
+AGENTS_FILE="$REPO_ROOT/AGENTS.md"
+WINDSURF_FILE="$REPO_ROOT/.windsurf/rules/specify-rules.md"
+JUNIE_FILE="$REPO_ROOT/.junie/AGENTS.md"
+KILOCODE_FILE="$REPO_ROOT/.kilocode/rules/specify-rules.md"
+AUGGIE_FILE="$REPO_ROOT/.augment/rules/specify-rules.md"
+ROO_FILE="$REPO_ROOT/.roo/rules/specify-rules.md"
+CODEBUDDY_FILE="$REPO_ROOT/CODEBUDDY.md"
+QODER_FILE="$REPO_ROOT/QODER.md"
+# Amp, Kiro CLI, IBM Bob, Pi, and Forge all share AGENTS.md — use AGENTS_FILE to avoid
+# updating the same file multiple times.
+AMP_FILE="$AGENTS_FILE"
+SHAI_FILE="$REPO_ROOT/SHAI.md"
+TABNINE_FILE="$REPO_ROOT/TABNINE.md"
+KIRO_FILE="$AGENTS_FILE"
+AGY_FILE="$REPO_ROOT/.agent/rules/specify-rules.md"
+BOB_FILE="$AGENTS_FILE"
+VIBE_FILE="$REPO_ROOT/.vibe/agents/specify-agents.md"
+KIMI_FILE="$REPO_ROOT/KIMI.md"
+TRAE_FILE="$REPO_ROOT/.trae/rules/project_rules.md"
+IFLOW_FILE="$REPO_ROOT/IFLOW.md"
+FORGE_FILE="$AGENTS_FILE"
+
+# Template file
+TEMPLATE_FILE="$REPO_ROOT/.specify/templates/agent-file-template.md"
+
+# Global variables for parsed plan data
+NEW_LANG=""
+NEW_FRAMEWORK=""
+NEW_DB=""
+NEW_PROJECT_TYPE=""
+
+#==============================================================================
+# Utility Functions
+#==============================================================================
+
+log_info() {
+    echo "INFO: $1"
+}
+
+log_success() {
+    echo "✓ $1"
+}
+
+log_error() {
+    echo "ERROR: $1" >&2
+}
+
+log_warning() {
+    echo "WARNING: $1" >&2
+}
+
+# Track temporary files for cleanup on interrupt
+_CLEANUP_FILES=()
+
+# Cleanup function for temporary files
+cleanup() {
+    local exit_code=$?
+    # Disarm traps to prevent re-entrant loop
+    trap - EXIT INT TERM
+    if [ ${#_CLEANUP_FILES[@]} -gt 0 ]; then
+        for f in "${_CLEANUP_FILES[@]}"; do
+            rm -f "$f" "$f.bak" "$f.tmp"
+        done
+    fi
+    exit $exit_code
+}
+
+# Set up cleanup trap
+trap cleanup EXIT INT TERM
+
+#==============================================================================
+# Validation Functions
+#==============================================================================
+
+validate_environment() {
+    # Check if we have a current branch/feature (git or non-git)
+    if [[ -z "$CURRENT_BRANCH" ]]; then
+        log_error "Unable to determine current feature"
+        if [[ "$HAS_GIT" == "true" ]]; then
+            log_info "Make sure you're on a feature branch"
+        else
+            log_info "Set SPECIFY_FEATURE environment variable or create a feature first"
+        fi
+        exit 1
+    fi
+    
+    # Check if plan.md exists
+    if [[ ! -f "$NEW_PLAN" ]]; then
+        log_error "No plan.md found at $NEW_PLAN"
+        log_info "Make sure you're working on a feature with a corresponding spec directory"
+        if [[ "$HAS_GIT" != "true" ]]; then
+            log_info "Use: export SPECIFY_FEATURE=your-feature-name or create a new feature first"
+        fi
+        exit 1
+    fi
+    
+    # Check if template exists (needed for new files)
+    if [[ ! -f "$TEMPLATE_FILE" ]]; then
+        log_warning "Template file not found at $TEMPLATE_FILE"
+        log_warning "Creating new agent files will fail"
+    fi
+}
+
+#==============================================================================
+# Plan Parsing Functions
+#==============================================================================
+
+extract_plan_field() {
+    local field_pattern="$1"
+    local plan_file="$2"
+    
+    grep "^\*\*${field_pattern}\*\*: " "$plan_file" 2>/dev/null | \
+        head -1 | \
+        sed "s|^\*\*${field_pattern}\*\*: ||" | \
+        sed 's/^[ \t]*//;s/[ \t]*$//' | \
+        grep -v "NEEDS CLARIFICATION" | \
+        grep -v "^N/A$" || echo ""
+}
+
+parse_plan_data() {
+    local plan_file="$1"
+    
+    if [[ ! -f "$plan_file" ]]; then
+        log_error "Plan file not found: $plan_file"
+        return 1
+    fi
+    
+    if [[ ! -r "$plan_file" ]]; then
+        log_error "Plan file is not readable: $plan_file"
+        return 1
+    fi
+    
+    log_info "Parsing plan data from $plan_file"
+    
+    NEW_LANG=$(extract_plan_field "Language/Version" "$plan_file")
+    NEW_FRAMEWORK=$(extract_plan_field "Primary Dependencies" "$plan_file")
+    NEW_DB=$(extract_plan_field "Storage" "$plan_file")
+    NEW_PROJECT_TYPE=$(extract_plan_field "Project Type" "$plan_file")
+    
+    # Log what we found
+    if [[ -n "$NEW_LANG" ]]; then
+        log_info "Found language: $NEW_LANG"
+    else
+        log_warning "No language information found in plan"
+    fi
+    
+    if [[ -n "$NEW_FRAMEWORK" ]]; then
+        log_info "Found framework: $NEW_FRAMEWORK"
+    fi
+    
+    if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]]; then
+        log_info "Found database: $NEW_DB"
+    fi
+    
+    if [[ -n "$NEW_PROJECT_TYPE" ]]; then
+        log_info "Found project type: $NEW_PROJECT_TYPE"
+    fi
+}
+
+format_technology_stack() {
+    local lang="$1"
+    local framework="$2"
+    local parts=()
+    
+    # Add non-empty parts
+    [[ -n "$lang" && "$lang" != "NEEDS CLARIFICATION" ]] && parts+=("$lang")
+    [[ -n "$framework" && "$framework" != "NEEDS CLARIFICATION" && "$framework" != "N/A" ]] && parts+=("$framework")
+    
+    # Join with proper formatting
+    if [[ ${#parts[@]} -eq 0 ]]; then
+        echo ""
+    elif [[ ${#parts[@]} -eq 1 ]]; then
+        echo "${parts[0]}"
+    else
+        # Join multiple parts with " + "
+        local result="${parts[0]}"
+        for ((i=1; i<${#parts[@]}; i++)); do
+            result="$result + ${parts[i]}"
+        done
+        echo "$result"
+    fi
+}
+
+#==============================================================================
+# Template and Content Generation Functions
+#==============================================================================
+
+get_project_structure() {
+    local project_type="$1"
+    
+    if [[ "$project_type" == *"web"* ]]; then
+        echo "backend/\\nfrontend/\\ntests/"
+    else
+        echo "src/\\ntests/"
+    fi
+}
+
+get_commands_for_language() {
+    local lang="$1"
+    
+    case "$lang" in
+        *"Python"*)
+            echo "cd src && pytest && ruff check ."
+            ;;
+        *"Rust"*)
+            echo "cargo test && cargo clippy"
+            ;;
+        *"JavaScript"*|*"TypeScript"*)
+            echo "npm test && npm run lint"
+            ;;
+        *)
+            echo "# Add commands for $lang"
+            ;;
+    esac
+}
+
+get_language_conventions() {
+    local lang="$1"
+    echo "$lang: Follow standard conventions"
+}
+
+# Escape sed replacement-side specials for | delimiter.
+# & and \ are replacement-side specials; | is our sed delimiter.
+_esc_sed() { printf '%s\n' "$1" | sed 's/[\\&|]/\\&/g'; }
+
+create_new_agent_file() {
+    local target_file="$1"
+    local temp_file="$2"
+    local project_name
+    project_name=$(_esc_sed "$3")
+    local current_date="$4"
+    
+    if [[ ! -f "$TEMPLATE_FILE" ]]; then
+        log_error "Template not found at $TEMPLATE_FILE"
+        return 1
+    fi
+    
+    if [[ ! -r "$TEMPLATE_FILE" ]]; then
+        log_error "Template file is not readable: $TEMPLATE_FILE"
+        return 1
+    fi
+    
+    log_info "Creating new agent context file from template..."
+    
+    if ! cp "$TEMPLATE_FILE" "$temp_file"; then
+        log_error "Failed to copy template file"
+        return 1
+    fi
+    
+    # Replace template placeholders
+    local project_structure
+    project_structure=$(get_project_structure "$NEW_PROJECT_TYPE")
+    project_structure=$(_esc_sed "$project_structure")
+    
+    local commands
+    commands=$(get_commands_for_language "$NEW_LANG")
+
+    local language_conventions
+    language_conventions=$(get_language_conventions "$NEW_LANG")
+
+    local escaped_lang=$(_esc_sed "$NEW_LANG")
+    local escaped_framework=$(_esc_sed "$NEW_FRAMEWORK")
+    commands=$(_esc_sed "$commands")
+    language_conventions=$(_esc_sed "$language_conventions")
+    local escaped_branch=$(_esc_sed "$CURRENT_BRANCH")
+    
+    # Build technology stack and recent change strings conditionally
+    local tech_stack
+    if [[ -n "$escaped_lang" && -n "$escaped_framework" ]]; then
+        tech_stack="- $escaped_lang + $escaped_framework ($escaped_branch)"
+    elif [[ -n "$escaped_lang" ]]; then
+        tech_stack="- $escaped_lang ($escaped_branch)"
+    elif [[ -n "$escaped_framework" ]]; then
+        tech_stack="- $escaped_framework ($escaped_branch)"
+    else
+        tech_stack="- ($escaped_branch)"
+    fi
+
+    local recent_change
+    if [[ -n "$escaped_lang" && -n "$escaped_framework" ]]; then
+        recent_change="- $escaped_branch: Added $escaped_lang + $escaped_framework"
+    elif [[ -n "$escaped_lang" ]]; then
+        recent_change="- $escaped_branch: Added $escaped_lang"
+    elif [[ -n "$escaped_framework" ]]; then
+        recent_change="- $escaped_branch: Added $escaped_framework"
+    else
+        recent_change="- $escaped_branch: Added"
+    fi
+
+    local substitutions=(
+        "s|\[PROJECT NAME\]|$project_name|"
+        "s|\[DATE\]|$current_date|"
+        "s|\[EXTRACTED FROM ALL PLAN.MD FILES\]|$tech_stack|"
+        "s|\[ACTUAL STRUCTURE FROM PLANS\]|$project_structure|g"
+        "s|\[ONLY COMMANDS FOR ACTIVE TECHNOLOGIES\]|$commands|"
+        "s|\[LANGUAGE-SPECIFIC, ONLY FOR LANGUAGES IN USE\]|$language_conventions|"
+        "s|\[LAST 3 FEATURES AND WHAT THEY ADDED\]|$recent_change|"
+    )
+    
+    for substitution in "${substitutions[@]}"; do
+        if ! sed -i.bak -e "$substitution" "$temp_file"; then
+            log_error "Failed to perform substitution: $substitution"
+            rm -f "$temp_file" "$temp_file.bak"
+            return 1
+        fi
+    done
+    
+    # Convert literal \n sequences to actual newlines (portable — works on BSD + GNU)
+    awk '{gsub(/\\n/,"\n")}1' "$temp_file" > "$temp_file.tmp"
+    mv "$temp_file.tmp" "$temp_file"
+
+    # Clean up backup files from sed -i.bak
+    rm -f "$temp_file.bak"
+
+    # Prepend Cursor frontmatter for .mdc files so rules are auto-included
+    if [[ "$target_file" == *.mdc ]]; then
+        local frontmatter_file
+        frontmatter_file=$(mktemp) || return 1
+        _CLEANUP_FILES+=("$frontmatter_file")
+        printf '%s\n' "---" "description: Project Development Guidelines" "globs: [\"**/*\"]" "alwaysApply: true" "---" "" > "$frontmatter_file"
+        cat "$temp_file" >> "$frontmatter_file"
+        mv "$frontmatter_file" "$temp_file"
+    fi
+
+    return 0
+}
+
+
+
+
+update_existing_agent_file() {
+    local target_file="$1"
+    local current_date="$2"
+    
+    log_info "Updating existing agent context file..."
+    
+    # Use a single temporary file for atomic update
+    local temp_file
+    temp_file=$(mktemp) || {
+        log_error "Failed to create temporary file"
+        return 1
+    }
+    _CLEANUP_FILES+=("$temp_file")
+    
+    # Process the file in one pass
+    local tech_stack=$(format_technology_stack "$NEW_LANG" "$NEW_FRAMEWORK")
+    local new_tech_entries=()
+    local new_change_entry=""
+    
+    # Prepare new technology entries
+    if [[ -n "$tech_stack" ]] && ! grep -q "$tech_stack" "$target_file"; then
+        new_tech_entries+=("- $tech_stack ($CURRENT_BRANCH)")
+    fi
+    
+    if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]] && [[ "$NEW_DB" != "NEEDS CLARIFICATION" ]] && ! grep -q "$NEW_DB" "$target_file"; then
+        new_tech_entries+=("- $NEW_DB ($CURRENT_BRANCH)")
+    fi
+    
+    # Prepare new change entry
+    if [[ -n "$tech_stack" ]]; then
+        new_change_entry="- $CURRENT_BRANCH: Added $tech_stack"
+    elif [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]] && [[ "$NEW_DB" != "NEEDS CLARIFICATION" ]]; then
+        new_change_entry="- $CURRENT_BRANCH: Added $NEW_DB"
+    fi
+    
+    # Check if sections exist in the file
+    local has_active_technologies=0
+    local has_recent_changes=0
+    
+    if grep -q "^## Active Technologies" "$target_file" 2>/dev/null; then
+        has_active_technologies=1
+    fi
+    
+    if grep -q "^## Recent Changes" "$target_file" 2>/dev/null; then
+        has_recent_changes=1
+    fi
+    
+    # Process file line by line
+    local in_tech_section=false
+    local in_changes_section=false
+    local tech_entries_added=false
+    local changes_entries_added=false
+    local existing_changes_count=0
+    local file_ended=false
+    
+    while IFS= read -r line || [[ -n "$line" ]]; do
+        # Handle Active Technologies section
+        if [[ "$line" == "## Active Technologies" ]]; then
+            echo "$line" >> "$temp_file"
+            in_tech_section=true
+            continue
+        elif [[ $in_tech_section == true ]] && [[ "$line" =~ ^##[[:space:]] ]]; then
+            # Add new tech entries before closing the section
+            if [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
+                printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
+                tech_entries_added=true
+            fi
+            echo "$line" >> "$temp_file"
+            in_tech_section=false
+            continue
+        elif [[ $in_tech_section == true ]] && [[ -z "$line" ]]; then
+            # Add new tech entries before empty line in tech section
+            if [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
+                printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
+                tech_entries_added=true
+            fi
+            echo "$line" >> "$temp_file"
+            continue
+        fi
+        
+        # Handle Recent Changes section
+        if [[ "$line" == "## Recent Changes" ]]; then
+            echo "$line" >> "$temp_file"
+            # Add new change entry right after the heading
+            if [[ -n "$new_change_entry" ]]; then
+                echo "$new_change_entry" >> "$temp_file"
+            fi
+            in_changes_section=true
+            changes_entries_added=true
+            continue
+        elif [[ $in_changes_section == true ]] && [[ "$line" =~ ^##[[:space:]] ]]; then
+            echo "$line" >> "$temp_file"
+            in_changes_section=false
+            continue
+        elif [[ $in_changes_section == true ]] && [[ "$line" == "- "* ]]; then
+            # Keep only first 2 existing changes
+            if [[ $existing_changes_count -lt 2 ]]; then
+                echo "$line" >> "$temp_file"
+                ((existing_changes_count++))
+            fi
+            continue
+        fi
+        
+        # Update timestamp
+        if [[ "$line" =~ (\*\*)?Last\ updated(\*\*)?:.*[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] ]]; then
+            echo "$line" | sed "s/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/$current_date/" >> "$temp_file"
+        else
+            echo "$line" >> "$temp_file"
+        fi
+    done < "$target_file"
+    
+    # Post-loop check: if we're still in the Active Technologies section and haven't added new entries
+    if [[ $in_tech_section == true ]] && [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
+        printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
+        tech_entries_added=true
+    fi
+    
+    # If sections don't exist, add them at the end of the file
+    if [[ $has_active_technologies -eq 0 ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
+        echo "" >> "$temp_file"
+        echo "## Active Technologies" >> "$temp_file"
+        printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
+        tech_entries_added=true
+    fi
+    
+    if [[ $has_recent_changes -eq 0 ]] && [[ -n "$new_change_entry" ]]; then
+        echo "" >> "$temp_file"
+        echo "## Recent Changes" >> "$temp_file"
+        echo "$new_change_entry" >> "$temp_file"
+        changes_entries_added=true
+    fi
+    
+    # Ensure Cursor .mdc files have YAML frontmatter for auto-inclusion
+    if [[ "$target_file" == *.mdc ]]; then
+        if ! head -1 "$temp_file" | grep -q '^---'; then
+            local frontmatter_file
+            frontmatter_file=$(mktemp) || { rm -f "$temp_file"; return 1; }
+            _CLEANUP_FILES+=("$frontmatter_file")
+            printf '%s\n' "---" "description: Project Development Guidelines" "globs: [\"**/*\"]" "alwaysApply: true" "---" "" > "$frontmatter_file"
+            cat "$temp_file" >> "$frontmatter_file"
+            mv "$frontmatter_file" "$temp_file"
+        fi
+    fi
+
+    # Move temp file to target atomically
+    if ! mv "$temp_file" "$target_file"; then
+        log_error "Failed to update target file"
+        rm -f "$temp_file"
+        return 1
+    fi
+
+    return 0
+}
+#==============================================================================
+# Main Agent File Update Function
+#==============================================================================
+
+update_agent_file() {
+    local target_file="$1"
+    local agent_name="$2"
+    
+    if [[ -z "$target_file" ]] || [[ -z "$agent_name" ]]; then
+        log_error "update_agent_file requires target_file and agent_name parameters"
+        return 1
+    fi
+    
+    log_info "Updating $agent_name context file: $target_file"
+    
+    local project_name
+    project_name=$(basename "$REPO_ROOT")
+    local current_date
+    current_date=$(date +%Y-%m-%d)
+    
+    # Create directory if it doesn't exist
+    local target_dir
+    target_dir=$(dirname "$target_file")
+    if [[ ! -d "$target_dir" ]]; then
+        if ! mkdir -p "$target_dir"; then
+            log_error "Failed to create directory: $target_dir"
+            return 1
+        fi
+    fi
+    
+    if [[ ! -f "$target_file" ]]; then
+        # Create new file from template
+        local temp_file
+        temp_file=$(mktemp) || {
+            log_error "Failed to create temporary file"
+            return 1
+        }
+        _CLEANUP_FILES+=("$temp_file")
+        
+        if create_new_agent_file "$target_file" "$temp_file" "$project_name" "$current_date"; then
+            if mv "$temp_file" "$target_file"; then
+                log_success "Created new $agent_name context file"
+            else
+                log_error "Failed to move temporary file to $target_file"
+                rm -f "$temp_file"
+                return 1
+            fi
+        else
+            log_error "Failed to create new agent file"
+            rm -f "$temp_file"
+            return 1
+        fi
+    else
+        # Update existing file
+        if [[ ! -r "$target_file" ]]; then
+            log_error "Cannot read existing file: $target_file"
+            return 1
+        fi
+        
+        if [[ ! -w "$target_file" ]]; then
+            log_error "Cannot write to existing file: $target_file"
+            return 1
+        fi
+        
+        if update_existing_agent_file "$target_file" "$current_date"; then
+            log_success "Updated existing $agent_name context file"
+        else
+            log_error "Failed to update existing agent file"
+            return 1
+        fi
+    fi
+    
+    return 0
+}
+
+#==============================================================================
+# Agent Selection and Processing
+#==============================================================================
+
+update_specific_agent() {
+    local agent_type="$1"
+    
+    case "$agent_type" in
+        claude)
+            update_agent_file "$CLAUDE_FILE" "Claude Code" || return 1
+            ;;
+        gemini)
+            update_agent_file "$GEMINI_FILE" "Gemini CLI" || return 1
+            ;;
+        copilot)
+            update_agent_file "$COPILOT_FILE" "GitHub Copilot" || return 1
+            ;;
+        cursor-agent)
+            update_agent_file "$CURSOR_FILE" "Cursor IDE" || return 1
+            ;;
+        qwen)
+            update_agent_file "$QWEN_FILE" "Qwen Code" || return 1
+            ;;
+        opencode)
+            update_agent_file "$AGENTS_FILE" "opencode" || return 1
+            ;;
+        codex)
+            update_agent_file "$AGENTS_FILE" "Codex CLI" || return 1
+            ;;
+        windsurf)
+            update_agent_file "$WINDSURF_FILE" "Windsurf" || return 1
+            ;;
+        junie)
+            update_agent_file "$JUNIE_FILE" "Junie" || return 1
+            ;;
+        kilocode)
+            update_agent_file "$KILOCODE_FILE" "Kilo Code" || return 1
+            ;;
+        auggie)
+            update_agent_file "$AUGGIE_FILE" "Auggie CLI" || return 1
+            ;;
+        roo)
+            update_agent_file "$ROO_FILE" "Roo Code" || return 1
+            ;;
+        codebuddy)
+            update_agent_file "$CODEBUDDY_FILE" "CodeBuddy CLI" || return 1
+            ;;
+        qodercli)
+            update_agent_file "$QODER_FILE" "Qoder CLI" || return 1
+            ;;
+        amp)
+            update_agent_file "$AMP_FILE" "Amp" || return 1
+            ;;
+        shai)
+            update_agent_file "$SHAI_FILE" "SHAI" || return 1
+            ;;
+        tabnine)
+            update_agent_file "$TABNINE_FILE" "Tabnine CLI" || return 1
+            ;;
+        kiro-cli)
+            update_agent_file "$KIRO_FILE" "Kiro CLI" || return 1
+            ;;
+        agy)
+            update_agent_file "$AGY_FILE" "Antigravity" || return 1
+            ;;
+        bob)
+            update_agent_file "$BOB_FILE" "IBM Bob" || return 1
+            ;;
+        vibe)
+            update_agent_file "$VIBE_FILE" "Mistral Vibe" || return 1
+            ;;
+        kimi)
+            update_agent_file "$KIMI_FILE" "Kimi Code" || return 1
+            ;;
+        trae)
+            update_agent_file "$TRAE_FILE" "Trae" || return 1
+            ;;
+        pi)
+            update_agent_file "$AGENTS_FILE" "Pi Coding Agent" || return 1
+            ;;
+        iflow)
+            update_agent_file "$IFLOW_FILE" "iFlow CLI" || return 1
+            ;;
+        forge)
+            update_agent_file "$AGENTS_FILE" "Forge" || return 1
+            ;;
+        generic)
+            log_info "Generic agent: no predefined context file. Use the agent-specific update script for your agent."
+            ;;
+        *)
+            log_error "Unknown agent type '$agent_type'"
+            log_error "Expected: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|junie|kilocode|auggie|roo|codebuddy|amp|shai|tabnine|kiro-cli|agy|bob|vibe|qodercli|kimi|trae|pi|iflow|forge|generic"
+            exit 1
+            ;;
+    esac
+}
+
+# Helper: skip non-existent files and files already updated (dedup by
+# realpath so that variables pointing to the same file — e.g. AMP_FILE,
+# KIRO_FILE, BOB_FILE all resolving to AGENTS_FILE — are only written once).
+# Uses a linear array instead of associative array for bash 3.2 compatibility.
+# Note: defined at top level because bash 3.2 does not support true
+# nested/local functions. _updated_paths, _found_agent, and _all_ok are
+# initialised exclusively inside update_all_existing_agents so that
+# sourcing this script has no side effects on the caller's environment.
+
+_update_if_new() {
+    local file="$1" name="$2"
+    [[ -f "$file" ]] || return 0
+    local real_path
+    real_path=$(realpath "$file" 2>/dev/null || echo "$file")
+    local p
+    if [[ ${#_updated_paths[@]} -gt 0 ]]; then
+        for p in "${_updated_paths[@]}"; do
+            [[ "$p" == "$real_path" ]] && return 0
+        done
+    fi
+    # Record the file as seen before attempting the update so that:
+    # (a) aliases pointing to the same path are not retried on failure
+    # (b) _found_agent reflects file existence, not update success
+    _updated_paths+=("$real_path")
+    _found_agent=true
+    update_agent_file "$file" "$name"
+}
+
+update_all_existing_agents() {
+    _found_agent=false
+    _updated_paths=()
+    local _all_ok=true
+
+    _update_if_new "$CLAUDE_FILE" "Claude Code"           || _all_ok=false
+    _update_if_new "$GEMINI_FILE" "Gemini CLI"             || _all_ok=false
+    _update_if_new "$COPILOT_FILE" "GitHub Copilot"        || _all_ok=false
+    _update_if_new "$CURSOR_FILE" "Cursor IDE"             || _all_ok=false
+    _update_if_new "$QWEN_FILE" "Qwen Code"                || _all_ok=false
+    _update_if_new "$AGENTS_FILE" "Codex/opencode/Amp/Kiro/Bob/Pi/Forge" || _all_ok=false
+    _update_if_new "$WINDSURF_FILE" "Windsurf"             || _all_ok=false
+    _update_if_new "$JUNIE_FILE" "Junie"                || _all_ok=false
+    _update_if_new "$KILOCODE_FILE" "Kilo Code"            || _all_ok=false
+    _update_if_new "$AUGGIE_FILE" "Auggie CLI"             || _all_ok=false
+    _update_if_new "$ROO_FILE" "Roo Code"                  || _all_ok=false
+    _update_if_new "$CODEBUDDY_FILE" "CodeBuddy CLI"       || _all_ok=false
+    _update_if_new "$SHAI_FILE" "SHAI"                     || _all_ok=false
+    _update_if_new "$TABNINE_FILE" "Tabnine CLI"           || _all_ok=false
+    _update_if_new "$QODER_FILE" "Qoder CLI"               || _all_ok=false
+    _update_if_new "$AGY_FILE" "Antigravity"               || _all_ok=false
+    _update_if_new "$VIBE_FILE" "Mistral Vibe"             || _all_ok=false
+    _update_if_new "$KIMI_FILE" "Kimi Code"                || _all_ok=false
+    _update_if_new "$TRAE_FILE" "Trae"                     || _all_ok=false
+    _update_if_new "$IFLOW_FILE" "iFlow CLI"               || _all_ok=false
+
+    # If no agent files exist, create a default Claude file
+    if [[ "$_found_agent" == false ]]; then
+        log_info "No existing agent files found, creating default Claude file..."
+        update_agent_file "$CLAUDE_FILE" "Claude Code" || return 1
+    fi
+
+    [[ "$_all_ok" == true ]]
+}
+print_summary() {
+    echo
+    log_info "Summary of changes:"
+    
+    if [[ -n "$NEW_LANG" ]]; then
+        echo "  - Added language: $NEW_LANG"
+    fi
+    
+    if [[ -n "$NEW_FRAMEWORK" ]]; then
+        echo "  - Added framework: $NEW_FRAMEWORK"
+    fi
+    
+    if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]]; then
+        echo "  - Added database: $NEW_DB"
+    fi
+    
+    echo
+    log_info "Usage: $0 [claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|junie|kilocode|auggie|roo|codebuddy|amp|shai|tabnine|kiro-cli|agy|bob|vibe|qodercli|kimi|trae|pi|iflow|forge|generic]"
+}
+
+#==============================================================================
+# Main Execution
+#==============================================================================
+
+main() {
+    # Validate environment before proceeding
+    validate_environment
+    
+    log_info "=== Updating agent context files for feature $CURRENT_BRANCH ==="
+    
+    # Parse the plan file to extract project information
+    if ! parse_plan_data "$NEW_PLAN"; then
+        log_error "Failed to parse plan data"
+        exit 1
+    fi
+    
+    # Process based on agent type argument
+    local success=true
+    
+    if [[ -z "$AGENT_TYPE" ]]; then
+        # No specific agent provided - update all existing agent files
+        log_info "No agent specified, updating all existing agent files..."
+        if ! update_all_existing_agents; then
+            success=false
+        fi
+    else
+        # Specific agent provided - update only that agent
+        log_info "Updating specific agent: $AGENT_TYPE"
+        if ! update_specific_agent "$AGENT_TYPE"; then
+            success=false
+        fi
+    fi
+    
+    # Print summary
+    print_summary
+    
+    if [[ "$success" == true ]]; then
+        log_success "Agent context update completed successfully"
+        exit 0
+    else
+        log_error "Agent context update completed with errors"
+        exit 1
+    fi
+}
+
+# Execute main function if script is run directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi
diff --git a/.specify/templates/agent-file-template.md b/.specify/templates/agent-file-template.md
new file mode 100644
index 0000000..4cc7fd6
--- /dev/null
+++ b/.specify/templates/agent-file-template.md
@@ -0,0 +1,28 @@
+# [PROJECT NAME] Development Guidelines
+
+Auto-generated from all feature plans. Last updated: [DATE]
+
+## Active Technologies
+
+[EXTRACTED FROM ALL PLAN.MD FILES]
+
+## Project Structure
+
+```text
+[ACTUAL STRUCTURE FROM PLANS]
+```
+
+## Commands
+
+[ONLY COMMANDS FOR ACTIVE TECHNOLOGIES]
+
+## Code Style
+
+[LANGUAGE-SPECIFIC, ONLY FOR LANGUAGES IN USE]
+
+## Recent Changes
+
+[LAST 3 FEATURES AND WHAT THEY ADDED]
+
+<!-- MANUAL ADDITIONS START -->
+<!-- MANUAL ADDITIONS END -->
diff --git a/.specify/templates/checklist-template.md b/.specify/templates/checklist-template.md
new file mode 100644
index 0000000..806657d
--- /dev/null
+++ b/.specify/templates/checklist-template.md
@@ -0,0 +1,40 @@
+# [CHECKLIST TYPE] Checklist: [FEATURE NAME]
+
+**Purpose**: [Brief description of what this checklist covers]
+**Created**: [DATE]
+**Feature**: [Link to spec.md or relevant documentation]
+
+**Note**: This checklist is generated by the `/speckit.checklist` command based on feature context and requirements.
+
+<!-- 
+  ============================================================================
+  IMPORTANT: The checklist items below are SAMPLE ITEMS for illustration only.
+  
+  The /speckit.checklist command MUST replace these with actual items based on:
+  - User's specific checklist request
+  - Feature requirements from spec.md
+  - Technical context from plan.md
+  - Implementation details from tasks.md
+  
+  DO NOT keep these sample items in the generated checklist file.
+  ============================================================================
+-->
+
+## [Category 1]
+
+- [ ] CHK001 First checklist item with clear action
+- [ ] CHK002 Second checklist item
+- [ ] CHK003 Third checklist item
+
+## [Category 2]
+
+- [ ] CHK004 Another category item
+- [ ] CHK005 Item with specific criteria
+- [ ] CHK006 Final item in this category
+
+## Notes
+
+- Check items off as completed: `[x]`
+- Add comments or findings inline
+- Link to relevant resources or documentation
+- Items are numbered sequentially for easy reference
diff --git a/.specify/templates/constitution-template.md b/.specify/templates/constitution-template.md
new file mode 100644
index 0000000..a4670ff
--- /dev/null
+++ b/.specify/templates/constitution-template.md
@@ -0,0 +1,50 @@
+# [PROJECT_NAME] Constitution
+<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
+
+## Core Principles
+
+### [PRINCIPLE_1_NAME]
+<!-- Example: I. Library-First -->
+[PRINCIPLE_1_DESCRIPTION]
+<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
+
+### [PRINCIPLE_2_NAME]
+<!-- Example: II. CLI Interface -->
+[PRINCIPLE_2_DESCRIPTION]
+<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
+
+### [PRINCIPLE_3_NAME]
+<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
+[PRINCIPLE_3_DESCRIPTION]
+<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
+
+### [PRINCIPLE_4_NAME]
+<!-- Example: IV. Integration Testing -->
+[PRINCIPLE_4_DESCRIPTION]
+<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
+
+### [PRINCIPLE_5_NAME]
+<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
+[PRINCIPLE_5_DESCRIPTION]
+<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
+
+## [SECTION_2_NAME]
+<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
+
+[SECTION_2_CONTENT]
+<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
+
+## [SECTION_3_NAME]
+<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
+
+[SECTION_3_CONTENT]
+<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
+
+## Governance
+<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
+
+[GOVERNANCE_RULES]
+<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
+
+**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
+<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->
diff --git a/.specify/templates/plan-template.md b/.specify/templates/plan-template.md
new file mode 100644
index 0000000..5a2fafe
--- /dev/null
+++ b/.specify/templates/plan-template.md
@@ -0,0 +1,104 @@
+# Implementation Plan: [FEATURE]
+
+**Branch**: `[###-feature-name]` | **Date**: [DATE] | **Spec**: [link]
+**Input**: Feature specification from `/specs/[###-feature-name]/spec.md`
+
+**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/plan-template.md` for the execution workflow.
+
+## Summary
+
+[Extract from feature spec: primary requirement + technical approach from research]
+
+## Technical Context
+
+<!--
+  ACTION REQUIRED: Replace the content in this section with the technical details
+  for the project. The structure here is presented in advisory capacity to guide
+  the iteration process.
+-->
+
+**Language/Version**: [e.g., Python 3.11, Swift 5.9, Rust 1.75 or NEEDS CLARIFICATION]  
+**Primary Dependencies**: [e.g., FastAPI, UIKit, LLVM or NEEDS CLARIFICATION]  
+**Storage**: [if applicable, e.g., PostgreSQL, CoreData, files or N/A]  
+**Testing**: [e.g., pytest, XCTest, cargo test or NEEDS CLARIFICATION]  
+**Target Platform**: [e.g., Linux server, iOS 15+, WASM or NEEDS CLARIFICATION]
+**Project Type**: [e.g., library/cli/web-service/mobile-app/compiler/desktop-app or NEEDS CLARIFICATION]  
+**Performance Goals**: [domain-specific, e.g., 1000 req/s, 10k lines/sec, 60 fps or NEEDS CLARIFICATION]  
+**Constraints**: [domain-specific, e.g., <200ms p95, <100MB memory, offline-capable or NEEDS CLARIFICATION]  
+**Scale/Scope**: [domain-specific, e.g., 10k users, 1M LOC, 50 screens or NEEDS CLARIFICATION]
+
+## Constitution Check
+
+*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
+
+[Gates determined based on constitution file]
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/[###-feature]/
+├── plan.md              # This file (/speckit.plan command output)
+├── research.md          # Phase 0 output (/speckit.plan command)
+├── data-model.md        # Phase 1 output (/speckit.plan command)
+├── quickstart.md        # Phase 1 output (/speckit.plan command)
+├── contracts/           # Phase 1 output (/speckit.plan command)
+└── tasks.md             # Phase 2 output (/speckit.tasks command - NOT created by /speckit.plan)
+```
+
+### Source Code (repository root)
+<!--
+  ACTION REQUIRED: Replace the placeholder tree below with the concrete layout
+  for this feature. Delete unused options and expand the chosen structure with
+  real paths (e.g., apps/admin, packages/something). The delivered plan must
+  not include Option labels.
+-->
+
+```text
+# [REMOVE IF UNUSED] Option 1: Single project (DEFAULT)
+src/
+├── models/
+├── services/
+├── cli/
+└── lib/
+
+tests/
+├── contract/
+├── integration/
+└── unit/
+
+# [REMOVE IF UNUSED] Option 2: Web application (when "frontend" + "backend" detected)
+backend/
+├── src/
+│   ├── models/
+│   ├── services/
+│   └── api/
+└── tests/
+
+frontend/
+├── src/
+│   ├── components/
+│   ├── pages/
+│   └── services/
+└── tests/
+
+# [REMOVE IF UNUSED] Option 3: Mobile + API (when "iOS/Android" detected)
+api/
+└── [same as backend above]
+
+ios/ or android/
+└── [platform-specific structure: feature modules, UI flows, platform tests]
+```
+
+**Structure Decision**: [Document the selected structure and reference the real
+directories captured above]
+
+## Complexity Tracking
+
+> **Fill ONLY if Constitution Check has violations that must be justified**
+
+| Violation | Why Needed | Simpler Alternative Rejected Because |
+|-----------|------------|-------------------------------------|
+| [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
+| [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |
diff --git a/.specify/templates/spec-template.md b/.specify/templates/spec-template.md
new file mode 100644
index 0000000..4581e40
--- /dev/null
+++ b/.specify/templates/spec-template.md
@@ -0,0 +1,128 @@
+# Feature Specification: [FEATURE NAME]
+
+**Feature Branch**: `[###-feature-name]`  
+**Created**: [DATE]  
+**Status**: Draft  
+**Input**: User description: "$ARGUMENTS"
+
+## User Scenarios & Testing *(mandatory)*
+
+<!--
+  IMPORTANT: User stories should be PRIORITIZED as user journeys ordered by importance.
+  Each user story/journey must be INDEPENDENTLY TESTABLE - meaning if you implement just ONE of them,
+  you should still have a viable MVP (Minimum Viable Product) that delivers value.
+  
+  Assign priorities (P1, P2, P3, etc.) to each story, where P1 is the most critical.
+  Think of each story as a standalone slice of functionality that can be:
+  - Developed independently
+  - Tested independently
+  - Deployed independently
+  - Demonstrated to users independently
+-->
+
+### User Story 1 - [Brief Title] (Priority: P1)
+
+[Describe this user journey in plain language]
+
+**Why this priority**: [Explain the value and why it has this priority level]
+
+**Independent Test**: [Describe how this can be tested independently - e.g., "Can be fully tested by [specific action] and delivers [specific value]"]
+
+**Acceptance Scenarios**:
+
+1. **Given** [initial state], **When** [action], **Then** [expected outcome]
+2. **Given** [initial state], **When** [action], **Then** [expected outcome]
+
+---
+
+### User Story 2 - [Brief Title] (Priority: P2)
+
+[Describe this user journey in plain language]
+
+**Why this priority**: [Explain the value and why it has this priority level]
+
+**Independent Test**: [Describe how this can be tested independently]
+
+**Acceptance Scenarios**:
+
+1. **Given** [initial state], **When** [action], **Then** [expected outcome]
+
+---
+
+### User Story 3 - [Brief Title] (Priority: P3)
+
+[Describe this user journey in plain language]
+
+**Why this priority**: [Explain the value and why it has this priority level]
+
+**Independent Test**: [Describe how this can be tested independently]
+
+**Acceptance Scenarios**:
+
+1. **Given** [initial state], **When** [action], **Then** [expected outcome]
+
+---
+
+[Add more user stories as needed, each with an assigned priority]
+
+### Edge Cases
+
+<!--
+  ACTION REQUIRED: The content in this section represents placeholders.
+  Fill them out with the right edge cases.
+-->
+
+- What happens when [boundary condition]?
+- How does system handle [error scenario]?
+
+## Requirements *(mandatory)*
+
+<!--
+  ACTION REQUIRED: The content in this section represents placeholders.
+  Fill them out with the right functional requirements.
+-->
+
+### Functional Requirements
+
+- **FR-001**: System MUST [specific capability, e.g., "allow users to create accounts"]
+- **FR-002**: System MUST [specific capability, e.g., "validate email addresses"]  
+- **FR-003**: Users MUST be able to [key interaction, e.g., "reset their password"]
+- **FR-004**: System MUST [data requirement, e.g., "persist user preferences"]
+- **FR-005**: System MUST [behavior, e.g., "log all security events"]
+
+*Example of marking unclear requirements:*
+
+- **FR-006**: System MUST authenticate users via [NEEDS CLARIFICATION: auth method not specified - email/password, SSO, OAuth?]
+- **FR-007**: System MUST retain user data for [NEEDS CLARIFICATION: retention period not specified]
+
+### Key Entities *(include if feature involves data)*
+
+- **[Entity 1]**: [What it represents, key attributes without implementation]
+- **[Entity 2]**: [What it represents, relationships to other entities]
+
+## Success Criteria *(mandatory)*
+
+<!--
+  ACTION REQUIRED: Define measurable success criteria.
+  These must be technology-agnostic and measurable.
+-->
+
+### Measurable Outcomes
+
+- **SC-001**: [Measurable metric, e.g., "Users can complete account creation in under 2 minutes"]
+- **SC-002**: [Measurable metric, e.g., "System handles 1000 concurrent users without degradation"]
+- **SC-003**: [User satisfaction metric, e.g., "90% of users successfully complete primary task on first attempt"]
+- **SC-004**: [Business metric, e.g., "Reduce support tickets related to [X] by 50%"]
+
+## Assumptions
+
+<!--
+  ACTION REQUIRED: The content in this section represents placeholders.
+  Fill them out with the right assumptions based on reasonable defaults
+  chosen when the feature description did not specify certain details.
+-->
+
+- [Assumption about target users, e.g., "Users have stable internet connectivity"]
+- [Assumption about scope boundaries, e.g., "Mobile support is out of scope for v1"]
+- [Assumption about data/environment, e.g., "Existing authentication system will be reused"]
+- [Dependency on existing system/service, e.g., "Requires access to the existing user profile API"]
diff --git a/.specify/templates/tasks-template.md b/.specify/templates/tasks-template.md
new file mode 100644
index 0000000..60f9be4
--- /dev/null
+++ b/.specify/templates/tasks-template.md
@@ -0,0 +1,251 @@
+---
+
+description: "Task list template for feature implementation"
+---
+
+# Tasks: [FEATURE NAME]
+
+**Input**: Design documents from `/specs/[###-feature-name]/`
+**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/
+
+**Tests**: The examples below include test tasks. Tests are OPTIONAL - only include them if explicitly requested in the feature specification.
+
+**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
+
+## Format: `[ID] [P?] [Story] Description`
+
+- **[P]**: Can run in parallel (different files, no dependencies)
+- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
+- Include exact file paths in descriptions
+
+## Path Conventions
+
+- **Single project**: `src/`, `tests/` at repository root
+- **Web app**: `backend/src/`, `frontend/src/`
+- **Mobile**: `api/src/`, `ios/src/` or `android/src/`
+- Paths shown below assume single project - adjust based on plan.md structure
+
+<!-- 
+  ============================================================================
+  IMPORTANT: The tasks below are SAMPLE TASKS for illustration purposes only.
+  
+  The /speckit.tasks command MUST replace these with actual tasks based on:
+  - User stories from spec.md (with their priorities P1, P2, P3...)
+  - Feature requirements from plan.md
+  - Entities from data-model.md
+  - Endpoints from contracts/
+  
+  Tasks MUST be organized by user story so each story can be:
+  - Implemented independently
+  - Tested independently
+  - Delivered as an MVP increment
+  
+  DO NOT keep these sample tasks in the generated tasks.md file.
+  ============================================================================
+-->
+
+## Phase 1: Setup (Shared Infrastructure)
+
+**Purpose**: Project initialization and basic structure
+
+- [ ] T001 Create project structure per implementation plan
+- [ ] T002 Initialize [language] project with [framework] dependencies
+- [ ] T003 [P] Configure linting and formatting tools
+
+---
+
+## Phase 2: Foundational (Blocking Prerequisites)
+
+**Purpose**: Core infrastructure that MUST be complete before ANY user story can be implemented
+
+**⚠️ CRITICAL**: No user story work can begin until this phase is complete
+
+Examples of foundational tasks (adjust based on your project):
+
+- [ ] T004 Setup database schema and migrations framework
+- [ ] T005 [P] Implement authentication/authorization framework
+- [ ] T006 [P] Setup API routing and middleware structure
+- [ ] T007 Create base models/entities that all stories depend on
+- [ ] T008 Configure error handling and logging infrastructure
+- [ ] T009 Setup environment configuration management
+
+**Checkpoint**: Foundation ready - user story implementation can now begin in parallel
+
+---
+
+## Phase 3: User Story 1 - [Title] (Priority: P1) 🎯 MVP
+
+**Goal**: [Brief description of what this story delivers]
+
+**Independent Test**: [How to verify this story works on its own]
+
+### Tests for User Story 1 (OPTIONAL - only if tests requested) ⚠️
+
+> **NOTE: Write these tests FIRST, ensure they FAIL before implementation**
+
+- [ ] T010 [P] [US1] Contract test for [endpoint] in tests/contract/test_[name].py
+- [ ] T011 [P] [US1] Integration test for [user journey] in tests/integration/test_[name].py
+
+### Implementation for User Story 1
+
+- [ ] T012 [P] [US1] Create [Entity1] model in src/models/[entity1].py
+- [ ] T013 [P] [US1] Create [Entity2] model in src/models/[entity2].py
+- [ ] T014 [US1] Implement [Service] in src/services/[service].py (depends on T012, T013)
+- [ ] T015 [US1] Implement [endpoint/feature] in src/[location]/[file].py
+- [ ] T016 [US1] Add validation and error handling
+- [ ] T017 [US1] Add logging for user story 1 operations
+
+**Checkpoint**: At this point, User Story 1 should be fully functional and testable independently
+
+---
+
+## Phase 4: User Story 2 - [Title] (Priority: P2)
+
+**Goal**: [Brief description of what this story delivers]
+
+**Independent Test**: [How to verify this story works on its own]
+
+### Tests for User Story 2 (OPTIONAL - only if tests requested) ⚠️
+
+- [ ] T018 [P] [US2] Contract test for [endpoint] in tests/contract/test_[name].py
+- [ ] T019 [P] [US2] Integration test for [user journey] in tests/integration/test_[name].py
+
+### Implementation for User Story 2
+
+- [ ] T020 [P] [US2] Create [Entity] model in src/models/[entity].py
+- [ ] T021 [US2] Implement [Service] in src/services/[service].py
+- [ ] T022 [US2] Implement [endpoint/feature] in src/[location]/[file].py
+- [ ] T023 [US2] Integrate with User Story 1 components (if needed)
+
+**Checkpoint**: At this point, User Stories 1 AND 2 should both work independently
+
+---
+
+## Phase 5: User Story 3 - [Title] (Priority: P3)
+
+**Goal**: [Brief description of what this story delivers]
+
+**Independent Test**: [How to verify this story works on its own]
+
+### Tests for User Story 3 (OPTIONAL - only if tests requested) ⚠️
+
+- [ ] T024 [P] [US3] Contract test for [endpoint] in tests/contract/test_[name].py
+- [ ] T025 [P] [US3] Integration test for [user journey] in tests/integration/test_[name].py
+
+### Implementation for User Story 3
+
+- [ ] T026 [P] [US3] Create [Entity] model in src/models/[entity].py
+- [ ] T027 [US3] Implement [Service] in src/services/[service].py
+- [ ] T028 [US3] Implement [endpoint/feature] in src/[location]/[file].py
+
+**Checkpoint**: All user stories should now be independently functional
+
+---
+
+[Add more user story phases as needed, following the same pattern]
+
+---
+
+## Phase N: Polish & Cross-Cutting Concerns
+
+**Purpose**: Improvements that affect multiple user stories
+
+- [ ] TXXX [P] Documentation updates in docs/
+- [ ] TXXX Code cleanup and refactoring
+- [ ] TXXX Performance optimization across all stories
+- [ ] TXXX [P] Additional unit tests (if requested) in tests/unit/
+- [ ] TXXX Security hardening
+- [ ] TXXX Run quickstart.md validation
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies - can start immediately
+- **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories
+- **User Stories (Phase 3+)**: All depend on Foundational phase completion
+  - User stories can then proceed in parallel (if staffed)
+  - Or sequentially in priority order (P1 → P2 → P3)
+- **Polish (Final Phase)**: Depends on all desired user stories being complete
+
+### User Story Dependencies
+
+- **User Story 1 (P1)**: Can start after Foundational (Phase 2) - No dependencies on other stories
+- **User Story 2 (P2)**: Can start after Foundational (Phase 2) - May integrate with US1 but should be independently testable
+- **User Story 3 (P3)**: Can start after Foundational (Phase 2) - May integrate with US1/US2 but should be independently testable
+
+### Within Each User Story
+
+- Tests (if included) MUST be written and FAIL before implementation
+- Models before services
+- Services before endpoints
+- Core implementation before integration
+- Story complete before moving to next priority
+
+### Parallel Opportunities
+
+- All Setup tasks marked [P] can run in parallel
+- All Foundational tasks marked [P] can run in parallel (within Phase 2)
+- Once Foundational phase completes, all user stories can start in parallel (if team capacity allows)
+- All tests for a user story marked [P] can run in parallel
+- Models within a story marked [P] can run in parallel
+- Different user stories can be worked on in parallel by different team members
+
+---
+
+## Parallel Example: User Story 1
+
+```bash
+# Launch all tests for User Story 1 together (if tests requested):
+Task: "Contract test for [endpoint] in tests/contract/test_[name].py"
+Task: "Integration test for [user journey] in tests/integration/test_[name].py"
+
+# Launch all models for User Story 1 together:
+Task: "Create [Entity1] model in src/models/[entity1].py"
+Task: "Create [Entity2] model in src/models/[entity2].py"
+```
+
+---
+
+## Implementation Strategy
+
+### MVP First (User Story 1 Only)
+
+1. Complete Phase 1: Setup
+2. Complete Phase 2: Foundational (CRITICAL - blocks all stories)
+3. Complete Phase 3: User Story 1
+4. **STOP and VALIDATE**: Test User Story 1 independently
+5. Deploy/demo if ready
+
+### Incremental Delivery
+
+1. Complete Setup + Foundational → Foundation ready
+2. Add User Story 1 → Test independently → Deploy/Demo (MVP!)
+3. Add User Story 2 → Test independently → Deploy/Demo
+4. Add User Story 3 → Test independently → Deploy/Demo
+5. Each story adds value without breaking previous stories
+
+### Parallel Team Strategy
+
+With multiple developers:
+
+1. Team completes Setup + Foundational together
+2. Once Foundational is done:
+   - Developer A: User Story 1
+   - Developer B: User Story 2
+   - Developer C: User Story 3
+3. Stories complete and integrate independently
+
+---
+
+## Notes
+
+- [P] tasks = different files, no dependencies
+- [Story] label maps task to specific user story for traceability
+- Each user story should be independently completable and testable
+- Verify tests fail before implementing
+- Commit after each task or logical group
+- Stop at any checkpoint to validate story independently
+- Avoid: vague tasks, same file conflicts, cross-story dependencies that break independence
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index ce1dfa7..6d4d8a7 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -9,7 +9,6 @@
 /* Begin PBXBuildFile section */
 		09614BF857C294E1E344298C /* TCCPolicyTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */; };
 		1E57D2CD1B0B3602E7FD9806 /* JamfProVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 47A216936077FDD709470D77 /* JamfProVersionTests.swift */; };
-		846A32C3BB81E3C29B621792 /* UploadManagerTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 30877432D1026706D7E805DA /* UploadManagerTests.swift */; };
 		345B01D623FDBF55008838B6 /* TCCProfileExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */; };
 		34DED4D423FDCAFD00C53FB9 /* SwiftyCMSDecoder.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F95AE1523158F03002E0A22 /* SwiftyCMSDecoder.swift */; };
 		34DED4D623FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */; };
@@ -43,9 +42,11 @@
 		6EC40A16214ECF1E00BE4F17 /* SaveViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6EC40A15214ECF1E00BE4F17 /* SaveViewController.swift */; };
 		6EC40A1C214EF87800BE4F17 /* SigningIdentity.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6EC40A1B214EF87800BE4F17 /* SigningIdentity.swift */; };
 		71061E54246106C800822D35 /* LoadExecutableError.swift in Sources */ = {isa = PBXBuildFile; fileRef = 71061E53246106C800822D35 /* LoadExecutableError.swift */; };
+		846A32C3BB81E3C29B621792 /* UploadManagerTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 30877432D1026706D7E805DA /* UploadManagerTests.swift */; };
 		A149C78D2CC68FBF00E0789E /* LoggerExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A149C78C2CC68FA100E0789E /* LoggerExtensions.swift */; };
 		A3AEAC59ED8A799232A3C7A0 /* MockURLProtocolTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */; };
-		FEE04458C398AE5C1074928F /* NetworkingTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */; };
+		AA000E00000000000000000E /* AppLaunchTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA000B00000000000000000B /* AppLaunchTests.swift */; };
+		AA001200000000000000001C /* TestTCCUnsignedProfile.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */; };
 		B5E09548250BCCFC00A40409 /* Alert.swift in Sources */ = {isa = PBXBuildFile; fileRef = B5E09547250BCCFC00A40409 /* Alert.swift */; };
 		C01BEDBA28636F57001B0B3B /* SemanticVersionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C01BEDB928636F57001B0B3B /* SemanticVersionTests.swift */; };
 		C03270BA28636330008B38E0 /* SemanticVersion.swift in Sources */ = {isa = PBXBuildFile; fileRef = C03270B928636330008B38E0 /* SemanticVersion.swift */; };
@@ -67,8 +68,7 @@
 		C0EE9A7F2863BDE300738B6B /* JamfProAPITypes.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A7E2863BDE300738B6B /* JamfProAPITypes.swift */; };
 		C0EE9A812863BE2B00738B6B /* NetworkAuthManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0EE9A802863BE2B00738B6B /* NetworkAuthManager.swift */; };
 		D023DD16033D452488B41741 /* ArrayExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */; };
-AA000E00000000000000000E /* AppLaunchTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA000B00000000000000000B /* AppLaunchTests.swift */; };
-AA001200000000000000001C /* TestTCCUnsignedProfile.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */; };
+		FEE04458C398AE5C1074928F /* NetworkingTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -79,23 +79,23 @@ AA001200000000000000001C /* TestTCCUnsignedProfile.mobileconfig in Resources */
 			remoteGlobalIDString = 6EC409D9214D65BC00BE4F17;
 			remoteInfo = "PPPC Utility";
 		};
-AA0006000000000000000006 /* PBXContainerItemProxy */ = {
-isa = PBXContainerItemProxy;
-containerPortal = 6EC409D2214D65BC00BE4F17 /* Project object */;
-proxyType = 1;
-remoteGlobalIDString = 6EC409D9214D65BC00BE4F17;
-remoteInfo = "PPPC Utility";
-};
+		AA0006000000000000000006 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 6EC409D2214D65BC00BE4F17 /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 6EC409D9214D65BC00BE4F17;
+			remoteInfo = "PPPC Utility";
+		};
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
 		0B5B34EC5FC52B5B4C9D0258 /* ArrayExtensionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ArrayExtensionTests.swift; sourceTree = "<group>"; };
 		15C8454BE335603AE6B55049 /* ExecutableTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ExecutableTests.swift; sourceTree = "<group>"; };
+		30877432D1026706D7E805DA /* UploadManagerTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadManagerTests.swift; sourceTree = "<group>"; };
 		345B01D523FDBF55008838B6 /* TCCProfileExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileExtensions.swift; sourceTree = "<group>"; };
+		34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkingTests.swift; sourceTree = "<group>"; };
 		34DED4D523FDDB2B00C53FB9 /* TCCProfileConfigurationPanel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileConfigurationPanel.swift; sourceTree = "<group>"; };
-		30877432D1026706D7E805DA /* UploadManagerTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadManagerTests.swift; sourceTree = "<group>"; };
 		47A216936077FDD709470D77 /* JamfProVersionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JamfProVersionTests.swift; sourceTree = "<group>"; };
-		34BE578BDC64B5400E2F0233 /* NetworkingTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkingTests.swift; sourceTree = "<group>"; };
 		5366B3770CBADA87D7BBF4C5 /* MockURLProtocolTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocolTests.swift; sourceTree = "<group>"; };
 		5901A2762534DF1400A1CD2F /* ModelBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelBuilder.swift; sourceTree = "<group>"; };
 		59206D6825265F0C00B94795 /* TCCProfileTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCProfileTests.swift; sourceTree = "<group>"; };
@@ -134,6 +134,11 @@ remoteInfo = "PPPC Utility";
 		71061E53246106C800822D35 /* LoadExecutableError.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LoadExecutableError.swift; sourceTree = "<group>"; };
 		97227C6726248CD7000F26C1 /* CHANGELOG.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = CHANGELOG.md; sourceTree = "<group>"; };
 		A149C78C2CC68FA100E0789E /* LoggerExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LoggerExtensions.swift; sourceTree = "<group>"; };
+		AA0005000000000000000005 /* PPPC UtilityUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "PPPC UtilityUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
+		AA000B00000000000000000B /* AppLaunchTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppLaunchTests.swift; sourceTree = "<group>"; };
+		AA000D00000000000000000D /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
+		AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = TestTCCUnsignedProfile.mobileconfig; sourceTree = "<group>"; };
+		AA002100000000000000002B /* PPPC Utility UI Tests.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility UI Tests.xctestplan"; sourceTree = "<group>"; };
 		B5E09547250BCCFC00A40409 /* Alert.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Alert.swift; sourceTree = "<group>"; };
 		C01BEDB928636F57001B0B3B /* SemanticVersionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SemanticVersionTests.swift; sourceTree = "<group>"; };
 		C03270B928636330008B38E0 /* SemanticVersion.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SemanticVersion.swift; sourceTree = "<group>"; };
@@ -156,11 +161,6 @@ remoteInfo = "PPPC Utility";
 		DAC55385D89BDBD447395AF1 /* TCCPolicyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TCCPolicyTests.swift; sourceTree = "<group>"; };
 		F3DBEDB941B7AEAE7BFF2776 /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
 		F82A8F992F85984800A72E5C /* PPPC Utility.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility.xctestplan"; sourceTree = "<group>"; };
-		AA002100000000000000002B /* PPPC Utility UI Tests.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = "PPPC Utility UI Tests.xctestplan"; sourceTree = "<group>"; };
-AA000B00000000000000000B /* AppLaunchTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppLaunchTests.swift; sourceTree = "<group>"; };
-AA000D00000000000000000D /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
-AA0005000000000000000005 /* PPPC UtilityUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "PPPC UtilityUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
-AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = TestTCCUnsignedProfile.mobileconfig; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -179,13 +179,13 @@ AA001100000000000000001B /* TestTCCUnsignedProfile.mobileconfig */ = {isa = PBXF
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
-AA0003000000000000000003 /* Frameworks */ = {
-isa = PBXFrameworksBuildPhase;
-buildActionMask = 2147483647;
-files = (
-);
-runOnlyForDeploymentPostprocessing = 0;
-};
+		AA0003000000000000000003 /* Frameworks */ = {
+			isa = PBXFrameworksBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
@@ -368,6 +368,15 @@ runOnlyForDeploymentPostprocessing = 0;
 			path = "View Controllers";
 			sourceTree = "<group>";
 		};
+		AA001000000000000000001A /* PPPC UtilityUITests */ = {
+			isa = PBXGroup;
+			children = (
+				AA000B00000000000000000B /* AppLaunchTests.swift */,
+				AA000D00000000000000000D /* Info.plist */,
+			);
+			path = "PPPC UtilityUITests";
+			sourceTree = "<group>";
+		};
 		C03270BD28636397008B38E0 /* Networking */ = {
 			isa = PBXGroup;
 			children = (
@@ -403,15 +412,6 @@ runOnlyForDeploymentPostprocessing = 0;
 			path = NetworkingTests;
 			sourceTree = "<group>";
 		};
-AA001000000000000000001A /* PPPC UtilityUITests */ = {
-isa = PBXGroup;
-children = (
-AA000B00000000000000000B /* AppLaunchTests.swift */,
-AA000D00000000000000000D /* Info.plist */,
-);
-path = "PPPC UtilityUITests";
-sourceTree = "<group>";
-};
 /* End PBXGroup section */
 
 /* Begin PBXNativeTarget section */
@@ -453,24 +453,24 @@ sourceTree = "<group>";
 			productReference = 6EC409DA214D65BC00BE4F17 /* PPPC Utility.app */;
 			productType = "com.apple.product-type.application";
 		};
-AA0001000000000000000001 /* PPPC UtilityUITests */ = {
-isa = PBXNativeTarget;
-buildConfigurationList = AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */;
-buildPhases = (
-AA0002000000000000000002 /* Sources */,
-AA0003000000000000000003 /* Frameworks */,
-AA0004000000000000000004 /* Resources */,
-);
-buildRules = (
-);
-dependencies = (
-AA0007000000000000000007 /* PBXTargetDependency */,
-);
-name = "PPPC UtilityUITests";
-productName = "PPPC UtilityUITests";
-productReference = AA0005000000000000000005 /* PPPC UtilityUITests.xctest */;
-productType = "com.apple.product-type.bundle.ui-testing";
-};
+		AA0001000000000000000001 /* PPPC UtilityUITests */ = {
+			isa = PBXNativeTarget;
+			buildConfigurationList = AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */;
+			buildPhases = (
+				AA0002000000000000000002 /* Sources */,
+				AA0003000000000000000003 /* Frameworks */,
+				AA0004000000000000000004 /* Resources */,
+			);
+			buildRules = (
+			);
+			dependencies = (
+				AA0007000000000000000007 /* PBXTargetDependency */,
+			);
+			name = "PPPC UtilityUITests";
+			productName = "PPPC UtilityUITests";
+			productReference = AA0005000000000000000005 /* PPPC UtilityUITests.xctest */;
+			productType = "com.apple.product-type.bundle.ui-testing";
+		};
 /* End PBXNativeTarget section */
 
 /* Begin PBXProject section */
@@ -486,10 +486,6 @@ productType = "com.apple.product-type.bundle.ui-testing";
 						LastSwiftMigration = 1020;
 						TestTargetID = 6EC409D9214D65BC00BE4F17;
 					};
-					AA0001000000000000000001 = {
-						CreatedOnToolsVersion = 16.0;
-						TestTargetID = 6EC409D9214D65BC00BE4F17;
-					};
 					6EC409D9214D65BC00BE4F17 = {
 						CreatedOnToolsVersion = 10.0;
 						LastSwiftMigration = 1100;
@@ -502,6 +498,10 @@ productType = "com.apple.product-type.bundle.ui-testing";
 							};
 						};
 					};
+					AA0001000000000000000001 = {
+						CreatedOnToolsVersion = 16.0;
+						TestTargetID = 6EC409D9214D65BC00BE4F17;
+					};
 				};
 			};
 			buildConfigurationList = 6EC409D5214D65BC00BE4F17 /* Build configuration list for PBXProject "PPPC Utility" */;
@@ -552,13 +552,13 @@ productType = "com.apple.product-type.bundle.ui-testing";
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
-AA0004000000000000000004 /* Resources */ = {
-isa = PBXResourcesBuildPhase;
-buildActionMask = 2147483647;
-files = (
-);
-runOnlyForDeploymentPostprocessing = 0;
-};
+		AA0004000000000000000004 /* Resources */ = {
+			isa = PBXResourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXResourcesBuildPhase section */
 
 /* Begin PBXSourcesBuildPhase section */
@@ -626,14 +626,14 @@ runOnlyForDeploymentPostprocessing = 0;
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
-AA0002000000000000000002 /* Sources */ = {
-isa = PBXSourcesBuildPhase;
-buildActionMask = 2147483647;
-files = (
-AA000E00000000000000000E /* AppLaunchTests.swift in Sources */,
-);
-runOnlyForDeploymentPostprocessing = 0;
-};
+		AA0002000000000000000002 /* Sources */ = {
+			isa = PBXSourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				AA000E00000000000000000E /* AppLaunchTests.swift in Sources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXSourcesBuildPhase section */
 
 /* Begin PBXTargetDependency section */
@@ -642,11 +642,11 @@ runOnlyForDeploymentPostprocessing = 0;
 			target = 6EC409D9214D65BC00BE4F17 /* PPPC Utility */;
 			targetProxy = 5F95AE202315A6AD002E0A22 /* PBXContainerItemProxy */;
 		};
-AA0007000000000000000007 /* PBXTargetDependency */ = {
-isa = PBXTargetDependency;
-target = 6EC409D9214D65BC00BE4F17 /* PPPC Utility */;
-targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
-};
+		AA0007000000000000000007 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 6EC409D9214D65BC00BE4F17 /* PPPC Utility */;
+			targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
+		};
 /* End PBXTargetDependency section */
 
 /* Begin PBXVariantGroup section */
@@ -677,6 +677,7 @@ targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
 					"@executable_path/../Frameworks",
 					"@loader_path/../Frameworks",
 				);
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityTests";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
@@ -705,6 +706,7 @@ targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
 					"@executable_path/../Frameworks",
 					"@loader_path/../Frameworks",
 				);
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
 				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityTests";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
@@ -887,55 +889,57 @@ targetProxy = AA0006000000000000000006 /* PBXContainerItemProxy */;
 			};
 			name = Release;
 		};
-AA0009000000000000000009 /* Debug */ = {
-isa = XCBuildConfiguration;
-buildSettings = {
-CODE_SIGN_IDENTITY = "Apple Development";
-"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
-CODE_SIGN_STYLE = Manual;
-COMBINE_HIDPI_IMAGES = YES;
-DEVELOPMENT_TEAM = "";
-INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
-LD_RUNPATH_SEARCH_PATHS = (
-"$(inherited)",
-"@executable_path/../Frameworks",
-"@loader_path/../Frameworks",
-);
-PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
-PRODUCT_NAME = "$(TARGET_NAME)";
-PROVISIONING_PROFILE_SPECIFIER = "";
-SWIFT_APPROACHABLE_CONCURRENCY = YES;
-SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-SWIFT_STRICT_CONCURRENCY = minimal;
-SWIFT_VERSION = 5.0;
-TEST_TARGET_NAME = "PPPC Utility";
-};
-name = Debug;
-};
-AA000A00000000000000000A /* Release */ = {
-isa = XCBuildConfiguration;
-buildSettings = {
-CODE_SIGN_IDENTITY = "Apple Development";
-"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
-CODE_SIGN_STYLE = Manual;
-COMBINE_HIDPI_IMAGES = YES;
-DEVELOPMENT_TEAM = "";
-INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
-LD_RUNPATH_SEARCH_PATHS = (
-"$(inherited)",
-"@executable_path/../Frameworks",
-"@loader_path/../Frameworks",
-);
-PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
-PRODUCT_NAME = "$(TARGET_NAME)";
-PROVISIONING_PROFILE_SPECIFIER = "";
-SWIFT_APPROACHABLE_CONCURRENCY = YES;
-SWIFT_STRICT_CONCURRENCY = minimal;
-SWIFT_VERSION = 5.0;
-TEST_TARGET_NAME = "PPPC Utility";
-};
-name = Release;
-};
+		AA0009000000000000000009 /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				CODE_SIGN_STYLE = Manual;
+				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = "";
+				INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
+				LD_RUNPATH_SEARCH_PATHS = (
+					"$(inherited)",
+					"@executable_path/../Frameworks",
+					"@loader_path/../Frameworks",
+				);
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
+				SWIFT_STRICT_CONCURRENCY = minimal;
+				SWIFT_VERSION = 5.0;
+				TEST_TARGET_NAME = "PPPC Utility";
+			};
+			name = Debug;
+		};
+		AA000A00000000000000000A /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				CODE_SIGN_STYLE = Manual;
+				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = "";
+				INFOPLIST_FILE = "PPPC UtilityUITests/Info.plist";
+				LD_RUNPATH_SEARCH_PATHS = (
+					"$(inherited)",
+					"@executable_path/../Frameworks",
+					"@loader_path/../Frameworks",
+				);
+				MACOSX_DEPLOYMENT_TARGET = 15.6;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.jamf.PPPC-UtilityUITests";
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_STRICT_CONCURRENCY = minimal;
+				SWIFT_VERSION = 5.0;
+				TEST_TARGET_NAME = "PPPC Utility";
+			};
+			name = Release;
+		};
 /* End XCBuildConfiguration section */
 
 /* Begin XCConfigurationList section */
@@ -966,15 +970,15 @@ name = Release;
 			defaultConfigurationIsVisible = 0;
 			defaultConfigurationName = Release;
 		};
-AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */ = {
-isa = XCConfigurationList;
-buildConfigurations = (
-AA0009000000000000000009 /* Debug */,
-AA000A00000000000000000A /* Release */,
-);
-defaultConfigurationIsVisible = 0;
-defaultConfigurationName = Release;
-};
+		AA0008000000000000000008 /* Build configuration list for PBXNativeTarget "PPPC UtilityUITests" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				AA0009000000000000000009 /* Debug */,
+				AA000A00000000000000000A /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
 /* End XCConfigurationList section */
 
 /* Begin XCRemoteSwiftPackageReference section */
diff --git a/specs/001-fix-deprecations/checklists/requirements.md b/specs/001-fix-deprecations/checklists/requirements.md
new file mode 100644
index 0000000..00b2aac
--- /dev/null
+++ b/specs/001-fix-deprecations/checklists/requirements.md
@@ -0,0 +1,34 @@
+# Specification Quality Checklist: Fix Deprecation Warnings
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning
+**Created**: 2026-04-09
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- All items pass. Ready to proceed to `/speckit.plan`.
diff --git a/specs/001-fix-deprecations/plan.md b/specs/001-fix-deprecations/plan.md
new file mode 100644
index 0000000..cec56b7
--- /dev/null
+++ b/specs/001-fix-deprecations/plan.md
@@ -0,0 +1,70 @@
+# Implementation Plan: Fix Deprecation Warnings
+
+**Branch**: `001-fix-deprecations` | **Date**: 2026-04-09 | **Spec**: [spec.md](spec.md)
+**Input**: Feature specification from `specs/001-fix-deprecations/spec.md`
+
+## Summary
+
+Replace all deprecated API usages in the project with their modern equivalents.
+Three distinct deprecated APIs are involved across four source files (10 warning
+sites). No logic changes are required; each fix is a direct substitution. The
+KVO concurrency warning in `SaveViewController` is addressed with the minimal
+`nonisolated(unsafe)` annotation.
+
+## Technical Context
+
+**Language/Version**: Swift 5.10, macOS 13.0+ deployment target
+**Primary Dependencies**: AppKit; `UniformTypeIdentifiers` framework (replacing
+deprecated CoreServices UTI string constants)
+**Storage**: N/A
+**Testing**: Swift Testing (unit tests), XCTest/XCUITest (UI tests)
+**Target Platform**: macOS 13.0+
+**Project Type**: Desktop application (macOS)
+**Performance Goals**: N/A — maintenance task, no performance impact expected
+**Constraints**: No observable behaviour changes; each fix is the minimal
+substitution; no restructuring beyond replacing deprecated calls
+**Scale/Scope**: 4 source files, 3 deprecated APIs, 10 warning sites
+
+## Constitution Check
+
+*GATE: Must pass before implementation. Re-checked after Phase 1.*
+
+| Gate | Status | Notes |
+|------|--------|-------|
+| 1. Compiler warnings | ✅ Pass | This task eliminates all 10 warning sites; baseline captured in research.md |
+| 2. Unit tests pass | ✅ Pass | No logic changes; tests must remain green throughout |
+| 3. UI tests pass | ✅ Pass | No behaviour changes; UI tests must remain green throughout |
+| 4. Constitution check | ✅ Pass | Principle I (Simplicity): each fix is minimal, no abstractions added. Principle II (Platform): replacements target macOS 11.0+ APIs, well within the macOS 13.0 minimum |
+
+No violations. No Complexity Tracking required.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/001-fix-deprecations/
+├── plan.md              # This file
+├── research.md          # Deprecation inventory + replacement decisions
+├── quickstart.md        # Verification steps
+└── tasks.md             # Generated by /speckit.tasks
+```
+
+### Source Code (affected files only)
+
+```text
+Source/
+├── TCCProfileImporter/
+│   └── TCCProfileConfigurationPanel.swift   # Fix 1: allowedFileTypes → allowedContentTypes
+└── View Controllers/
+    ├── TCCProfileViewController.swift        # Fix 2a: allowedFileTypes → allowedContentTypes
+    │                                         # Fix 2b: kUTType* → UTType.* in allowedContentTypes
+    │                                         # Fix 2c: kUTType* → UTType.*.identifier in pasteboardOptions
+    ├── OpenViewController.swift              # Fix 3a: allowedFileTypes → allowedContentTypes
+    │                                         # Fix 3b: kUTType* → UTType.* in allowedContentTypes
+    └── SaveViewController.swift              # Fix 4a: allowedFileTypes → allowedContentTypes
+                                              # Fix 4b: nonisolated(unsafe) on saveProfileKVOContext
+```
+
+**Structure Decision**: Targeted in-place edits to 4 existing files. No new
+files; no new source directories.
diff --git a/specs/001-fix-deprecations/quickstart.md b/specs/001-fix-deprecations/quickstart.md
new file mode 100644
index 0000000..4eb5c08
--- /dev/null
+++ b/specs/001-fix-deprecations/quickstart.md
@@ -0,0 +1,49 @@
+# Quickstart: Verify Deprecation Fixes
+
+## Prerequisites
+
+- Xcode installed with macOS SDK
+- Project cloned and on branch `001-fix-deprecations`
+
+## Step 1: Capture the baseline
+
+```bash
+xcodebuild clean build-for-testing \
+  -project "PPPC Utility.xcodeproj" \
+  -scheme "PPPC Utility" \
+  -destination "platform=macOS" 2>&1 \
+  | grep -i "warning:" | grep -v "xcodebuild: WARNING"
+```
+
+Expected: 10 warnings (see `research.md` for the full list).
+
+## Step 2: Apply fixes
+
+Make the changes described in `research.md`. See `tasks.md` for the task
+breakdown once generated.
+
+## Step 3: Verify zero warnings
+
+Re-run the same command from Step 1.
+
+Expected: **no output** (zero warnings).
+
+## Step 4: Run the test suite
+
+```bash
+xcodebuild test \
+  -project "PPPC Utility.xcodeproj" \
+  -scheme "PPPC Utility" \
+  -destination "platform=macOS" 2>&1 \
+  | grep -E "(Test Suite|PASSED|FAILED|error:)"
+```
+
+Expected: All test suites pass, no failures.
+
+## Definition of Done
+
+- [ ] Zero deprecation warnings in build output
+- [ ] Zero concurrency warnings introduced or remaining
+- [ ] All unit tests pass
+- [ ] All UI tests pass
+- [ ] No behaviour changes observable in the app
diff --git a/specs/001-fix-deprecations/research.md b/specs/001-fix-deprecations/research.md
new file mode 100644
index 0000000..e5bb37e
--- /dev/null
+++ b/specs/001-fix-deprecations/research.md
@@ -0,0 +1,115 @@
+# Research: Fix Deprecation Warnings
+
+## Deprecation Inventory
+
+### Baseline warning count
+
+Captured with:
+```
+xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" \
+  -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 \
+  | grep -i "warning:" | grep -v "xcodebuild: WARNING"
+```
+
+**10 warnings across 4 files** (see breakdown below).
+
+---
+
+## Deprecated API 1: `NSSavePanel/NSOpenPanel.allowedFileTypes`
+
+**Deprecated in**: macOS 12.0
+**Replacement**: `allowedContentTypes: [UTType]`
+**Framework required**: `import UniformTypeIdentifiers`
+
+### Affected sites
+
+| File | Line | Current code | Replacement |
+|------|------|-------------|-------------|
+| `TCCProfileConfigurationPanel.swift` | 40 | `openPanel.allowedFileTypes = ["mobileconfig", "plist"]` | `openPanel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!, .propertyList]` |
+| `TCCProfileViewController.swift` | 204 | `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]` | `panel.allowedContentTypes = [.bundle, .unixExecutable]` |
+| `OpenViewController.swift` | 69 | `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]` | `panel.allowedContentTypes = [.bundle, .unixExecutable]` |
+| `SaveViewController.swift` | 80 | `panel.allowedFileTypes = ["mobileconfig"]` | `panel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!]` |
+
+**Decision**: Use `UTType(filenameExtension:)` for `mobileconfig`. This returns
+an optional, but force-unwrapping is safe here: `mobileconfig` is a registered
+Apple type (`com.apple.mobileconfig`) present on every supported OS version.
+Using a force-unwrap keeps the call site minimal and matches how Apple's own
+sample code handles known registered types.
+
+**Rationale**: `allowedContentTypes` is the current API. `allowedFileTypes` was
+a string-based extension filter that predates the `UniformTypeIdentifiers`
+framework. The replacement is a direct substitution with no behaviour change.
+
+---
+
+## Deprecated API 2: `kUTTypeBundle` / `kUTTypeUnixExecutable` (CoreServices)
+
+**Deprecated in**: macOS 12.0 (string constants from `MobileCoreServices`;
+superseded by `UniformTypeIdentifiers`)
+**Replacement**:
+- `kUTTypeBundle` → `UTType.bundle` (for `[UTType]` contexts)
+- `kUTTypeBundle` → `UTType.bundle.identifier` (for `[String]` / `[Any]`
+  contexts such as `NSPasteboard.ReadingOptionKey.urlReadingContentsConformToTypes`)
+- `kUTTypeUnixExecutable` → `UTType.unixExecutable`
+- `kUTTypeUnixExecutable` → `UTType.unixExecutable.identifier`
+
+**Framework required**: `import UniformTypeIdentifiers`
+
+### Affected sites
+
+| File | Line | Context | Current code | Replacement |
+|------|------|---------|-------------|-------------|
+| `TCCProfileViewController.swift` | 204 | `allowedContentTypes` | `[kUTTypeBundle, kUTTypeUnixExecutable] as [String]` | `[.bundle, .unixExecutable]` |
+| `TCCProfileViewController.swift` | 232 | `pasteboardOptions` dict | `[kUTTypeBundle, kUTTypeUnixExecutable]` | `[UTType.bundle.identifier, UTType.unixExecutable.identifier]` |
+| `OpenViewController.swift` | 69 | `allowedContentTypes` | `[kUTTypeBundle, kUTTypeUnixExecutable] as [String]` | `[.bundle, .unixExecutable]` |
+
+**Decision**: Two different call sites require different types:
+1. `allowedContentTypes` takes `[UTType]` → use `UTType.bundle`, `UTType.unixExecutable`
+2. `urlReadingContentsConformToTypes` in the `NSPasteboard.ReadingOptionKey`
+   dictionary takes `[String]` (UTI identifiers) → use `.identifier` property
+
+**Rationale**: Both `UTType.bundle` and `UTType.unixExecutable` are standard
+static properties on `UTType` (available macOS 11.0+), well within the macOS
+13.0 deployment target.
+
+**Alternatives considered**:
+- `UTType(exportedAs:)` or `UTType(importedAs:)` — rejected; those are for
+  declaring new types, not referencing existing ones.
+- String literals for `.identifier` values (`"com.apple.bundle"`, etc.) —
+  rejected; type-safe static properties are preferable.
+
+---
+
+## Non-Deprecation Warning: KVO concurrency in `SaveViewController`
+
+**Warning category**: Swift concurrency (main actor isolation), not a
+deprecation warning. Included here because it appears in the same warning
+baseline.
+
+**Warning**: `saveProfileKVOContext` (a `static var` with implicit `@MainActor`
+isolation) is accessed via `inout` in the `nonisolated` `observeValue` method.
+
+**Affected site**:
+
+| File | Line | Issue |
+|------|------|-------|
+| `SaveViewController.swift` | 127 | `context == &SaveViewController.saveProfileKVOContext` in `nonisolated` method |
+
+**Decision**: Add `nonisolated(unsafe)` to the static variable declaration:
+```swift
+nonisolated(unsafe) private static var saveProfileKVOContext = 0
+```
+
+**Rationale**: The variable is used purely as a KVO context pointer — an opaque
+integer whose value never changes after initialization. It is safe to access
+from a nonisolated context. `nonisolated(unsafe)` is the standard annotation
+for this pattern. The alternative — rewriting to use `NSKeyValueObservation`
+with `observe(_:options:changeHandler:)` — would be a more substantial
+restructuring that exceeds the scope of this maintenance task (Simplicity
+principle).
+
+**Alternatives considered**:
+- Modern `observe(_:options:changeHandler:)` KVO — rejected; out of scope,
+  restructuring beyond replacing a deprecated call.
+- `Task { @MainActor in ... }` in the `observeValue` body — already present via
+  `MainActor.assumeIsolated`; does not remove the `inout` access warning.
diff --git a/specs/001-fix-deprecations/spec.md b/specs/001-fix-deprecations/spec.md
new file mode 100644
index 0000000..1df2060
--- /dev/null
+++ b/specs/001-fix-deprecations/spec.md
@@ -0,0 +1,114 @@
+# Feature Specification: Fix Deprecation Warnings
+
+**Feature Branch**: `001-fix-deprecations`
+**Created**: 2026-04-09
+**Status**: Draft
+**Input**: User description: "I want to fix all the deprecation warnings in the project"
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Clean Build Output (Priority: P1)
+
+A developer builds the project and sees zero deprecation warnings in the build
+output. All deprecated API usages have been replaced with their recommended
+modern equivalents, so the build compiles cleanly without requiring suppressions
+or workarounds.
+
+**Why this priority**: Deprecation warnings are early signals of future
+breakage. Eliminating them now prevents forced migrations under time pressure
+when deprecated APIs are eventually removed. A warning-free build is also a
+baseline quality gate that makes genuine new warnings visible.
+
+**Independent Test**: Build the project from a clean state and confirm no
+deprecation warnings appear in the output.
+
+**Acceptance Scenarios**:
+
+1. **Given** the project is built from a clean state, **When** the build
+   completes, **Then** zero deprecation warnings appear in the build log.
+2. **Given** the project tests are run, **When** the test suite completes,
+   **Then** zero deprecation warnings appear during compilation or execution.
+3. **Given** any deprecated API has been replaced, **When** the replacement is
+   used, **Then** existing functionality behaves identically to the previous
+   implementation.
+
+---
+
+### User Story 2 - No Regression for End Users (Priority: P2)
+
+A user of PPPC Utility — a macOS administrator creating and uploading
+configuration profiles — experiences no change in behaviour. All features
+(adding bundles, saving profiles, uploading to Jamf Pro, importing profiles)
+continue to work exactly as before.
+
+**Why this priority**: The deprecation fixes must be transparent to the end
+user. A regression introduced while silencing warnings would be worse than the
+warnings themselves.
+
+**Independent Test**: Launch the app, perform the primary workflows (add
+bundle, save profile locally, upload to Jamf Pro, import a profile), and
+confirm all work correctly.
+
+**Acceptance Scenarios**:
+
+1. **Given** a profile has been built with bundle entries, **When** the profile
+   is saved locally, **Then** the saved file is valid and matches the expected
+   format.
+2. **Given** valid Jamf Pro credentials are entered, **When** the profile is
+   uploaded, **Then** the upload succeeds and the profile appears in Jamf Pro.
+3. **Given** an existing signed or unsigned profile, **When** it is imported,
+   **Then** all entries are displayed correctly in the UI.
+
+---
+
+### Edge Cases
+
+- What happens if a deprecated API has no direct drop-in replacement and
+  requires a behaviour change? Each such case must be documented and the
+  replacement must produce equivalent observable results.
+- What if a fix for one deprecated API introduces a warning in a different
+  category (e.g., a newer API unavailable on the minimum OS target)? Such
+  trade-offs must be flagged and resolved before the change is accepted.
+
+## Requirements *(mandatory)*
+
+### Functional Requirements
+
+- **FR-001**: All deprecation warnings in the project MUST be resolved — no
+  suppression, no `@available` guards that merely hide the warning.
+- **FR-002**: Each deprecated API call MUST be replaced with the recommended
+  modern equivalent as documented by the platform vendor.
+- **FR-003**: All existing unit tests MUST continue to pass after replacements
+  are applied.
+- **FR-004**: All existing UI tests MUST continue to pass after replacements
+  are applied.
+- **FR-005**: The project MUST build without deprecation warnings on the
+  minimum deployment target (macOS 13.0).
+- **FR-006**: No new warnings of any category MUST be introduced while fixing
+  existing ones.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-001**: The build produces zero deprecation warnings (count: 0) when
+  compiled for the minimum supported OS version.
+- **SC-002**: 100% of the existing automated test suite passes after all
+  replacements are applied.
+- **SC-003**: No user-visible behaviour changes are introduced — confirmed by
+  the UI test suite and manual smoke testing of the primary workflows.
+- **SC-004**: The warning-free state is durable — no deprecated API usage
+  remains that would re-surface as warnings in a future toolchain update.
+
+## Assumptions
+
+- Deprecated APIs used in the project have available, documented replacements
+  that work on macOS 13.0 and newer.
+- The scope is limited to deprecation warnings; other warning categories (e.g.,
+  unused variables, Swift naming conventions) are out of scope unless they
+  appear as a direct consequence of a deprecation fix.
+- Test coverage already exists for the code paths affected; if a deprecated
+  call is in an untested path, the replacement is still applied but no new
+  tests are added as part of this feature.
+- Production code is not restructured beyond what is necessary to replace the
+  deprecated call.
diff --git a/specs/001-fix-deprecations/tasks.md b/specs/001-fix-deprecations/tasks.md
new file mode 100644
index 0000000..c433e93
--- /dev/null
+++ b/specs/001-fix-deprecations/tasks.md
@@ -0,0 +1,147 @@
+---
+description: "Task list for fixing deprecation warnings"
+---
+
+# Tasks: Fix Deprecation Warnings
+
+**Input**: Design documents from `specs/001-fix-deprecations/`
+**Prerequisites**: plan.md ✅, spec.md ✅, research.md ✅, quickstart.md ✅
+
+**Tests**: No new tests — existing unit and UI test suites are the regression
+gate (FR-003, FR-004). Verification tasks run the existing suite.
+
+**Organization**: Phase 3 tasks are fully parallel (all touch different files).
+
+## Format: `[ID] [P?] [Story?] Description`
+
+- **[P]**: Can run in parallel (different files, no dependencies)
+- **[Story]**: Which user story this task belongs to (US1, US2)
+
+---
+
+## Phase 1: Setup
+
+**Purpose**: Establish the warning baseline before making any changes.
+
+- [ ] T001 Capture warning baseline using the command in `specs/001-fix-deprecations/quickstart.md` Step 1 and record the output for comparison
+
+**Checkpoint**: Baseline recorded — 10 warnings expected across 4 files.
+
+---
+
+## Phase 2: Foundational
+
+No shared infrastructure required. All fixes are independent.
+
+---
+
+## Phase 3: User Story 1 — Clean Build Output (Priority: P1) 🎯 MVP
+
+**Goal**: Replace all deprecated API usages so the project builds with zero
+deprecation warnings.
+
+**Independent Test**: Run `xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"` and confirm no output.
+
+### Implementation for User Story 1
+
+- [ ] T002 [P] [US1] Fix `Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift`:
+  add `import UniformTypeIdentifiers` after the existing imports; replace line 40
+  `openPanel.allowedFileTypes = ["mobileconfig", "plist"]` with
+  `openPanel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!, .propertyList]`
+
+- [ ] T003 [P] [US1] Fix `Source/View Controllers/TCCProfileViewController.swift`:
+  add `import UniformTypeIdentifiers` after existing imports;
+  replace line 204 `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]`
+  with `panel.allowedContentTypes = [.bundle, .unixExecutable]`;
+  replace line 232 `[kUTTypeBundle, kUTTypeUnixExecutable]` in `pasteboardOptions`
+  with `[UTType.bundle.identifier, UTType.unixExecutable.identifier]`
+
+- [ ] T004 [P] [US1] Fix `Source/View Controllers/OpenViewController.swift`:
+  add `import UniformTypeIdentifiers` after `import Cocoa`;
+  replace line 69 `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]`
+  with `panel.allowedContentTypes = [.bundle, .unixExecutable]`
+
+- [ ] T005 [P] [US1] Fix `Source/View Controllers/SaveViewController.swift`:
+  add `import UniformTypeIdentifiers` after existing imports;
+  replace line 80 `panel.allowedFileTypes = ["mobileconfig"]`
+  with `panel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!]`;
+  add `nonisolated(unsafe)` to line 33: change
+  `private static var saveProfileKVOContext = 0` to
+  `nonisolated(unsafe) private static var saveProfileKVOContext = 0`
+
+**Checkpoint**: All 4 files updated. Build should now produce zero warnings.
+
+---
+
+## Phase 4: User Story 2 — No Regression (Priority: P2)
+
+**Goal**: Confirm that the deprecation fixes introduce no behaviour changes.
+
+**Independent Test**: All existing unit and UI tests pass; zero warnings in
+build output.
+
+### Verification for User Story 2
+
+- [ ] T006 [US2] Build the project and verify zero warnings: run the baseline
+  command from `specs/001-fix-deprecations/quickstart.md` Step 3 and confirm
+  no output; compare against T001 baseline
+
+- [ ] T007 [US2] Run the full test suite per `specs/001-fix-deprecations/quickstart.md`
+  Step 4 and confirm all unit and UI tests pass with no failures
+
+**Checkpoint**: Zero warnings, all tests green — feature complete.
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies — start immediately
+- **User Story 1 (Phase 3)**: Depends on baseline being captured (T001)
+  — T002, T003, T004, T005 are all parallel once T001 is done
+- **User Story 2 (Phase 4)**: Depends on all Phase 3 tasks complete
+
+### Parallel Opportunities
+
+All Phase 3 tasks touch different files and can be executed simultaneously:
+
+```
+After T001 completes:
+  Task: T002 — TCCProfileConfigurationPanel.swift
+  Task: T003 — TCCProfileViewController.swift
+  Task: T004 — OpenViewController.swift
+  Task: T005 — SaveViewController.swift
+
+After T002–T005 all complete:
+  Task: T006 — Build verification
+  Task: T007 — Test suite
+```
+
+---
+
+## Implementation Strategy
+
+### MVP (User Story 1 only)
+
+1. T001: Capture baseline
+2. T002–T005 in parallel: Apply all 4 fixes
+3. T006: Verify zero warnings
+4. **STOP and VALIDATE**: Zero warnings confirmed → US1 done
+
+### Full Delivery
+
+1. Complete MVP above
+2. T007: Run full test suite
+3. All green → feature complete
+
+---
+
+## Notes
+
+- [P] tasks = different files, fully independent
+- All fixes are minimal substitutions — no restructuring
+- `UTType(filenameExtension: "mobileconfig")!` is safe to force-unwrap:
+  `mobileconfig` is a registered Apple type available on all supported OS versions
+- The `nonisolated(unsafe)` fix is a concurrency warning, not a deprecation;
+  included because it appears in the same warning baseline captured by T001

From 162d9c1669454044ac39316cb2a1c35c9222512a Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 9 Apr 2026 13:58:58 -0500
Subject: [PATCH 50/53] finished implementing the spec

---
 CLAUDE.md                                          |  4 ++++
 .../TCCProfileConfigurationPanel.swift             |  7 ++++++-
 Source/View Controllers/OpenViewController.swift   |  3 ++-
 Source/View Controllers/SaveViewController.swift   |  7 +++++--
 .../TCCProfileViewController.swift                 |  5 +++--
 specs/001-fix-deprecations/tasks.md                | 14 +++++++-------
 6 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 0ab1aee..6a1d7df 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,5 +1,9 @@
 # PPPC Utility
 
+## Swift General
+
+- Never force unwrap (`!`) or force cast (`as!`) — use `if let`, `guard let`, or `as?` instead
+
 ## Swift Concurrency
 
 - `SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor` is set on both app and test targets — don't add explicit `@MainActor` to production code or test structs/functions, it's already the default
diff --git a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
index e46f02b..e589998 100644
--- a/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
+++ b/Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift
@@ -27,6 +27,7 @@
 
 import AppKit
 import Foundation
+import UniformTypeIdentifiers
 
 class TCCProfileConfigurationPanel {
     /// Load TCC Profile data from file
@@ -37,7 +38,11 @@ class TCCProfileConfigurationPanel {
     /// - Returns: The decoded TCCProfile, or nil if the user cancelled
     func loadTCCProfileFromFile(importer: TCCProfileImporter, window: NSWindow) async throws -> TCCProfile? {
         let openPanel = NSOpenPanel()
-        openPanel.allowedFileTypes = ["mobileconfig", "plist"]
+        var contentTypes: [UTType] = [.propertyList]
+        if let mobileconfigType = UTType(filenameExtension: "mobileconfig") {
+            contentTypes.append(mobileconfigType)
+        }
+        openPanel.allowedContentTypes = contentTypes
         openPanel.allowsMultipleSelection = false
         openPanel.canChooseDirectories = false
         openPanel.canCreateDirectories = false
diff --git a/Source/View Controllers/OpenViewController.swift b/Source/View Controllers/OpenViewController.swift
index 6cebee5..0c8b3e0 100644
--- a/Source/View Controllers/OpenViewController.swift	
+++ b/Source/View Controllers/OpenViewController.swift	
@@ -26,6 +26,7 @@
 //
 
 import Cocoa
+import UniformTypeIdentifiers
 
 class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDelegate {
 
@@ -66,7 +67,7 @@ class OpenViewController: NSViewController, NSTableViewDataSource, NSTableViewDe
         let block = completionBlock
         let panel = NSOpenPanel()
         panel.allowsMultipleSelection = true
-        panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]
+        panel.allowedContentTypes = [.bundle, .unixExecutable]
         panel.directoryURL = URL(fileURLWithPath: "/Applications", isDirectory: true)
         panel.begin { response in
             if response == .OK {
diff --git a/Source/View Controllers/SaveViewController.swift b/Source/View Controllers/SaveViewController.swift
index 494dd29..4f49fd7 100644
--- a/Source/View Controllers/SaveViewController.swift	
+++ b/Source/View Controllers/SaveViewController.swift	
@@ -27,10 +27,11 @@
 
 import Cocoa
 import OSLog
+import UniformTypeIdentifiers
 
 class SaveViewController: NSViewController {
 
-    private static var saveProfileKVOContext = 0
+    nonisolated(unsafe) private static var saveProfileKVOContext = 0
 
     @objc dynamic var isReadyToSave: Bool = false
 
@@ -77,7 +78,9 @@ class SaveViewController: NSViewController {
 
     @IBAction func savePressed(_ sender: NSButton) {
         let panel = NSSavePanel()
-        panel.allowedFileTypes = ["mobileconfig"]
+        if let mobileconfigType = UTType(filenameExtension: "mobileconfig") {
+            panel.allowedContentTypes = [mobileconfigType]
+        }
         panel.nameFieldStringValue = payloadName
         if let path = NSSearchPathForDirectoriesInDomains(.documentDirectory, .userDomainMask, true).first {
             panel.directoryURL = URL(fileURLWithPath: path, isDirectory: true)
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index ee8ec58..9b670e0 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -28,6 +28,7 @@
 import Cocoa
 import OSLog
 import SwiftUI
+import UniformTypeIdentifiers
 
 enum TCCProfileDisplayValue: String {
     case allow = "Allow"
@@ -201,7 +202,7 @@ class TCCProfileViewController: NSViewController {
     func promptForExecutables(_ block: @escaping (Executable) -> Void) {
         let panel = NSOpenPanel()
         panel.allowsMultipleSelection = true
-        panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]
+        panel.allowedContentTypes = [.bundle, .unixExecutable]
         panel.directoryURL = URL(fileURLWithPath: "/Applications", isDirectory: true)
         guard let window = self.view.window else {
             return
@@ -229,7 +230,7 @@ class TCCProfileViewController: NSViewController {
     }
 
     let pasteboardOptions: [NSPasteboard.ReadingOptionKey: Any] = [
-        .urlReadingContentsConformToTypes: [kUTTypeBundle, kUTTypeUnixExecutable]
+        .urlReadingContentsConformToTypes: [UTType.bundle.identifier, UTType.unixExecutable.identifier]
     ]
 
     override func viewDidLoad() {
diff --git a/specs/001-fix-deprecations/tasks.md b/specs/001-fix-deprecations/tasks.md
index c433e93..2741155 100644
--- a/specs/001-fix-deprecations/tasks.md
+++ b/specs/001-fix-deprecations/tasks.md
@@ -23,7 +23,7 @@ gate (FR-003, FR-004). Verification tasks run the existing suite.
 
 **Purpose**: Establish the warning baseline before making any changes.
 
-- [ ] T001 Capture warning baseline using the command in `specs/001-fix-deprecations/quickstart.md` Step 1 and record the output for comparison
+- [X] T001 Capture warning baseline using the command in `specs/001-fix-deprecations/quickstart.md` Step 1 and record the output for comparison
 
 **Checkpoint**: Baseline recorded — 10 warnings expected across 4 files.
 
@@ -44,24 +44,24 @@ deprecation warnings.
 
 ### Implementation for User Story 1
 
-- [ ] T002 [P] [US1] Fix `Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift`:
+- [X] T002 [P] [US1] Fix `Source/TCCProfileImporter/TCCProfileConfigurationPanel.swift`:
   add `import UniformTypeIdentifiers` after the existing imports; replace line 40
   `openPanel.allowedFileTypes = ["mobileconfig", "plist"]` with
   `openPanel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!, .propertyList]`
 
-- [ ] T003 [P] [US1] Fix `Source/View Controllers/TCCProfileViewController.swift`:
+- [X] T003 [P] [US1] Fix `Source/View Controllers/TCCProfileViewController.swift`:
   add `import UniformTypeIdentifiers` after existing imports;
   replace line 204 `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]`
   with `panel.allowedContentTypes = [.bundle, .unixExecutable]`;
   replace line 232 `[kUTTypeBundle, kUTTypeUnixExecutable]` in `pasteboardOptions`
   with `[UTType.bundle.identifier, UTType.unixExecutable.identifier]`
 
-- [ ] T004 [P] [US1] Fix `Source/View Controllers/OpenViewController.swift`:
+- [X] T004 [P] [US1] Fix `Source/View Controllers/OpenViewController.swift`:
   add `import UniformTypeIdentifiers` after `import Cocoa`;
   replace line 69 `panel.allowedFileTypes = [kUTTypeBundle, kUTTypeUnixExecutable] as [String]`
   with `panel.allowedContentTypes = [.bundle, .unixExecutable]`
 
-- [ ] T005 [P] [US1] Fix `Source/View Controllers/SaveViewController.swift`:
+- [X] T005 [P] [US1] Fix `Source/View Controllers/SaveViewController.swift`:
   add `import UniformTypeIdentifiers` after existing imports;
   replace line 80 `panel.allowedFileTypes = ["mobileconfig"]`
   with `panel.allowedContentTypes = [UTType(filenameExtension: "mobileconfig")!]`;
@@ -82,11 +82,11 @@ build output.
 
 ### Verification for User Story 2
 
-- [ ] T006 [US2] Build the project and verify zero warnings: run the baseline
+- [X] T006 [US2] Build the project and verify zero warnings: run the baseline
   command from `specs/001-fix-deprecations/quickstart.md` Step 3 and confirm
   no output; compare against T001 baseline
 
-- [ ] T007 [US2] Run the full test suite per `specs/001-fix-deprecations/quickstart.md`
+- [X] T007 [US2] Run the full test suite per `specs/001-fix-deprecations/quickstart.md`
   Step 4 and confirm all unit and UI tests pass with no failures
 
 **Checkpoint**: Zero warnings, all tests green — feature complete.

From c3f2ef236f65b5d020b8eb39456ec8228347331b Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 9 Apr 2026 15:00:56 -0500
Subject: [PATCH 51/53] added spec for the 3 new keys

---
 .specify/feature.json                         |   2 +-
 .../checklists/requirements.md                |  35 ++++
 specs/002-add-pppc-keys/clarifications.md     |  69 +++++++
 specs/002-add-pppc-keys/data-model.md         |  96 ++++++++++
 specs/002-add-pppc-keys/plan.md               |  98 ++++++++++
 specs/002-add-pppc-keys/quickstart.md         |  64 +++++++
 specs/002-add-pppc-keys/research.md           |  54 ++++++
 specs/002-add-pppc-keys/spec.md               | 121 +++++++++++++
 specs/002-add-pppc-keys/tasks.md              | 171 ++++++++++++++++++
 9 files changed, 709 insertions(+), 1 deletion(-)
 create mode 100644 specs/002-add-pppc-keys/checklists/requirements.md
 create mode 100644 specs/002-add-pppc-keys/clarifications.md
 create mode 100644 specs/002-add-pppc-keys/data-model.md
 create mode 100644 specs/002-add-pppc-keys/plan.md
 create mode 100644 specs/002-add-pppc-keys/quickstart.md
 create mode 100644 specs/002-add-pppc-keys/research.md
 create mode 100644 specs/002-add-pppc-keys/spec.md
 create mode 100644 specs/002-add-pppc-keys/tasks.md

diff --git a/.specify/feature.json b/.specify/feature.json
index efb467a..c35ce17 100644
--- a/.specify/feature.json
+++ b/.specify/feature.json
@@ -1,3 +1,3 @@
 {
-  "feature_directory": "specs/001-fix-deprecations"
+  "feature_directory": "specs/002-add-pppc-keys"
 }
diff --git a/specs/002-add-pppc-keys/checklists/requirements.md b/specs/002-add-pppc-keys/checklists/requirements.md
new file mode 100644
index 0000000..1feff89
--- /dev/null
+++ b/specs/002-add-pppc-keys/checklists/requirements.md
@@ -0,0 +1,35 @@
+# Specification Quality Checklist: Add New PPPC Keys
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning
+**Created**: 2026-04-09
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- All items pass validation. Spec is ready for `/speckit.clarify` or `/speckit.plan`.
+- The term "MDM key" is used as domain terminology (not implementation detail) since it is the formal name for these identifiers in the Apple MDM specification and Jamf Pro documentation.
diff --git a/specs/002-add-pppc-keys/clarifications.md b/specs/002-add-pppc-keys/clarifications.md
new file mode 100644
index 0000000..6db8ba1
--- /dev/null
+++ b/specs/002-add-pppc-keys/clarifications.md
@@ -0,0 +1,69 @@
+# Clarification Log: Add New PPPC Keys
+
+**Feature**: 002-add-pppc-keys  
+**Date**: 2026-04-09  
+**Topic**: Unit testing and UI testing plans
+
+## Questions & Resolutions
+
+### Q1: Unit test scope for the 3 new keys
+
+**Options presented**: (A) All: services manager, policy defaults, export/import round-trip; (B) Minimal: only services manager + policy defaults; (C) Export/import only.
+
+**Resolution**: **A — Full coverage** across all existing service-related test areas. Services manager count assertion (21→24), policy defaults, and export/import round-trip with both Allow and Deny values.
+
+---
+
+### Q2: UI test updates
+
+**Options presented**: (A) Add UI assertions for each new column; (B) No new UI tests; (C) Minimal — one test verifying total column count increased.
+
+**Resolution**: **C — Minimal**. One UI test verifying the total column count increased. Column-level assertions would be brittle.
+
+---
+
+### Q3: Special behaviors (deny-only, allowStandardUsers)
+
+**Options presented**: (A) All 3 are standard; (B) One or more have special behavior.
+
+**Resolution**: **A — All 3 are standard**. Confirmed via Apple's official MDM documentation:
+- None of the 3 new keys contain "can't be given in a profile; it can only be denied" language.
+- `AllowStandardUserToSetSystemService` is explicitly limited to `ListenEvent` and `ScreenCapture` only.
+
+User initially selected B but confirmed A after reviewing Apple docs.
+
+---
+
+### Q4: Test fixture strategy
+
+**Options presented**: (A) Update existing fixtures; (B) Create new fixtures; (C) Both.
+
+**Resolution**: **A+legacy — Update existing fixtures AND maintain a legacy fixture**. Existing `.mobileconfig` fixtures should be updated to include the 3 new keys. A legacy fixture (without the new keys) must be kept or added to verify backward-compatible import (new columns default to "–").
+
+## Spec Changes Made
+
+- Added **Testing Requirements** section (TR-001 through TR-006) to the spec.
+- Updated FR-005 to explicitly state all 3 keys are standard (not deny-only, no allowStandardUsers) — confirmed fact rather than assumption.
+- Updated Assumptions to reflect confirmed deny-only/allowStandardUsers status from Apple docs.
+
+---
+
+## Clarification Round 2 — 2026-04-09
+
+**Topic**: Test fixture strategy for legacy import testing
+
+### Q5: How to test legacy import without adding a test file?
+
+**Context**: The plan called for both updating existing `.mobileconfig` fixtures (TR-004) and maintaining a legacy fixture (TR-005), but these goals conflicted without adding a new file.
+
+**Resolution**: Use a **rename + replace** approach:
+- **Rename** the existing `TestTCCUnsignedProfile.mobileconfig` → `TestTCCUnsignedProfile-Legacy.mobileconfig` (preserves the original without new keys)
+- **Create** a new `TestTCCUnsignedProfile.mobileconfig` with all 24 services
+- **Update** `TestTCCUnsignedProfile-allLower.mobileconfig` with the 3 new keys in lowercase
+- **Update** `Resources/TestTCCUnsignedProfile.mobileconfig` (app-bundled UI test profile) with new keys
+- **Add** a test in `TCCProfileImporterTests` that imports the legacy fixture and verifies new columns default to "–"
+
+### Spec & Plan Changes Made
+
+- Updated TR-004 and TR-005 in spec to reflect the rename + new file strategy.
+- Updated plan project structure to show `TestTCCUnsignedProfile-Legacy.mobileconfig`.
diff --git a/specs/002-add-pppc-keys/data-model.md b/specs/002-add-pppc-keys/data-model.md
new file mode 100644
index 0000000..eaf10b4
--- /dev/null
+++ b/specs/002-add-pppc-keys/data-model.md
@@ -0,0 +1,96 @@
+# Data Model: Add New PPPC Keys
+
+**Feature**: 002-add-pppc-keys
+**Date**: 2026-04-09
+
+## Entities
+
+### PPPCServiceInfo (existing — 3 new instances)
+
+Represents a single PPPC service definition loaded from `PPPCServices.json`.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| mdmKey | String | Yes | MDM payload key (e.g., "BluetoothAlways") |
+| englishName | String | Yes | Human-readable display name |
+| englishDescription | String | Yes | Service description for help text |
+| entitlements | [String]? | No | Related Apple entitlements (nil for these 3 keys) |
+| denyOnly | Bool? | No | If true, only Deny is available (nil/false for these 3 keys) |
+| allowStandardUsers | Bool? | No | If true, standard users can approve (nil/false for these 3 keys) |
+
+**New instances**:
+
+```json
+{
+    "mdmKey": "BluetoothAlways",
+    "englishName": "Bluetooth Always",
+    "englishDescription": "Specifies the policies for the app to access Bluetooth devices."
+}
+```
+
+```json
+{
+    "mdmKey": "SystemPolicyAppBundles",
+    "englishName": "App Bundles",
+    "englishDescription": "Allows the app to update or delete other apps."
+}
+```
+
+```json
+{
+    "mdmKey": "SystemPolicyAppData",
+    "englishName": "App Data",
+    "englishDescription": "Specifies the policies for the app to access the data of other apps."
+}
+```
+
+### ServicesKeys Enum (existing — 3 new cases)
+
+Maps human-readable case names to MDM key strings. Used for programmatic service identification.
+
+| Case | Raw Value |
+|------|-----------|
+| bluetoothAlways | "BluetoothAlways" |
+| appBundles | "SystemPolicyAppBundles" |
+| appData | "SystemPolicyAppData" |
+
+### Policy Class (existing — 3 new properties)
+
+KVC-bound properties for Cocoa Bindings. Each property name must exactly match the MDM key.
+
+| Property | Type | Default | KVC Binding |
+|----------|------|---------|-------------|
+| BluetoothAlways | String | "-" | Bound to popup via NSArrayController |
+| SystemPolicyAppBundles | String | "-" | Bound to popup via NSArrayController |
+| SystemPolicyAppData | String | "-" | Bound to popup via NSArrayController |
+
+## Relationships
+
+```
+PPPCServices.json → PPPCServicesManager.allServices[mdmKey]
+                         ↓
+ServicesKeys.rawValue == mdmKey == Policy.propertyName
+                         ↓
+TCCProfile.Content.services[mdmKey] → [TCCPolicy]
+                         ↓
+Main.storyboard popup ← Cocoa Binding → Policy.{mdmKey}
+```
+
+## State Transitions
+
+Policy values follow the existing state model:
+
+```
+"-" (not set) → "Allow" | "Deny"
+"Allow"       → "-" | "Deny"
+"Deny"        → "-" | "Allow"
+```
+
+No state persistence beyond the in-memory model and exported profile file.
+
+## Validation Rules
+
+- `mdmKey` must be unique across all services in `PPPCServices.json`.
+- Policy property names must exactly match `mdmKey` values (KVC requirement).
+- `ServicesKeys` enum raw values must exactly match `mdmKey` values.
+- Exported profiles must only include services where the policy value is not "-".
diff --git a/specs/002-add-pppc-keys/plan.md b/specs/002-add-pppc-keys/plan.md
new file mode 100644
index 0000000..82f89e9
--- /dev/null
+++ b/specs/002-add-pppc-keys/plan.md
@@ -0,0 +1,98 @@
+# Implementation Plan: Add New PPPC Keys
+
+**Branch**: `002-add-pppc-keys` | **Date**: 2026-04-09 | **Spec**: [spec.md](spec.md)
+**Input**: Feature specification from `/specs/002-add-pppc-keys/spec.md`
+
+**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/plan-template.md` for the execution workflow.
+
+## Summary
+
+Add three new PPPC service keys (BluetoothAlways, SystemPolicyAppBundles, SystemPolicyAppData) to the PPPC Utility, following the existing pattern of data-driven service registration. Each key requires additions to the JSON service registry, Swift enum, KVC-bound Policy class, storyboard UI, and view controller wiring. All three are standard Allow/Deny services with no special behaviors (confirmed via Apple MDM documentation).
+
+## Technical Context
+
+**Language/Version**: Swift 6.0 (main targets), Swift 5.0 (UI test target)
+**Primary Dependencies**: AppKit (storyboard-based NSViewController), Cocoa Bindings (KVC)
+**Storage**: N/A (in-memory model, file-based export/import)
+**Testing**: Swift Testing (unit tests), XCTest/XCUITest (UI tests)
+**Target Platform**: macOS 13.0+
+**Project Type**: Desktop app (macOS)
+**Performance Goals**: N/A (data-addition change, no performance-sensitive paths)
+**Constraints**: Must follow existing storyboard + Cocoa Bindings pattern for UI; KVC requires `@objc dynamic` properties
+**Scale/Scope**: 3 new services added to existing 21 (→ 24 total)
+
+## Constitution Check
+
+*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
+
+| Principle | Status | Notes |
+|-----------|--------|-------|
+| I. Simplicity | ✅ PASS | Pure data additions following existing patterns. No new abstractions, helpers, or compatibility shims. |
+| II. macOS Platform Compliance | ✅ PASS | UI additions follow existing storyboard layout with accessibility identifiers and HIG-compliant popup buttons. Target remains macOS 13.0+. |
+
+**Quality Gates**:
+| Gate | Plan |
+|------|------|
+| Compiler warnings | Baseline before changes; compare after. |
+| Unit tests | Update existing suites + add new assertions. All must pass. |
+| UI tests | Add column count test. All must pass. |
+| Constitution check | Re-verify after Phase 1 design. |
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/002-add-pppc-keys/
+├── spec.md              # Feature specification
+├── clarifications.md    # Clarification log
+├── plan.md              # This file
+├── research.md          # Phase 0 output (trivial — no unknowns)
+├── data-model.md        # Phase 1 output
+├── quickstart.md        # Phase 1 output
+└── checklists/
+    └── requirements.md  # Spec quality checklist
+```
+
+### Source Code (repository root)
+
+```text
+# Files requiring changes (existing — no new files in production code)
+Resources/
+├── PPPCServices.json                    # Add 3 new service entries
+└── Base.lproj/Main.storyboard           # Add UI elements for 3 new services
+
+Source/
+├── Model/
+│   ├── TCCProfile.swift                 # Add 3 new ServicesKeys enum cases
+│   └── Executable.swift                 # Add 3 new @objc dynamic Policy properties
+└── View Controllers/
+    └── TCCProfileViewController.swift   # Add IBOutlets, setup calls, descriptions
+
+# Test files requiring changes
+Resources/
+└── TestTCCUnsignedProfile.mobileconfig  # Update with 3 new service keys
+
+PPPC UtilityTests/
+├── ModelTests/
+│   ├── PPPCServicesManagerTests.swift   # Update service count (21 → 24)
+│   ├── ExecutableTests.swift            # Update policy default count
+│   ├── ModelTests.swift                 # Add export/import round-trip tests
+│   └── TCCProfileTests.swift            # (if needed for serialization)
+├── TCCProfileImporterTests/
+│   ├── TestTCCUnsignedProfile.mobileconfig        # NEW: all 24 services
+│   ├── TestTCCUnsignedProfile-Legacy.mobileconfig  # RENAMED: original without new keys
+│   ├── TestTCCUnsignedProfile-allLower.mobileconfig # Update with new keys lowercase
+│   └── TCCProfileImporterTests.swift    # Add legacy import test
+└── Helpers/
+    └── TCCProfileBuilder.swift          # Add new keys to built policies
+
+PPPC UtilityUITests/
+└── AppLaunchTests.swift                 # Add column count test
+```
+
+**Structure Decision**: No new directories or modules needed. All changes extend existing files following established patterns.
+
+## Complexity Tracking
+
+> No violations. All changes are data-driven additions within existing architecture.
diff --git a/specs/002-add-pppc-keys/quickstart.md b/specs/002-add-pppc-keys/quickstart.md
new file mode 100644
index 0000000..c3bd7c7
--- /dev/null
+++ b/specs/002-add-pppc-keys/quickstart.md
@@ -0,0 +1,64 @@
+# Quickstart: Add New PPPC Keys
+
+**Feature**: 002-add-pppc-keys
+**Branch**: `002-add-pppc-keys`
+
+## Overview
+
+Add BluetoothAlways, SystemPolicyAppBundles, and SystemPolicyAppData to the PPPC Utility. All three are standard Allow/Deny services following the identical pattern as the existing 21 services.
+
+## Implementation Order
+
+### Layer 1: Data Model (no UI impact, enables all tests)
+
+1. **PPPCServices.json** — Add 3 new service entries (alphabetical placement)
+2. **TCCProfile.swift** — Add 3 new `ServicesKeys` enum cases
+3. **Executable.swift** — Add 3 new `@objc dynamic` properties to `Policy`
+
+### Layer 2: View Controller Wiring
+
+4. **TCCProfileViewController.swift** — Add IBOutlet declarations (popup, array controller, help button, stack view)
+5. **TCCProfileViewController.swift** — Add to `setupAllowDeny()`, `setupDescriptions()`, `setupStackViewsWithBackground()`, `setupAccessibilityIdentifiers()`
+
+### Layer 3: Storyboard UI
+
+6. **Main.storyboard** — Add popup buttons, labels, info buttons, stack views for each new service, wire IBOutlets and Cocoa Bindings
+
+### Layer 4: Tests
+
+7. **Unit tests** — Update service count, policy defaults, add export/import round-trip tests
+8. **Test fixtures** — Update .mobileconfig files with new keys; preserve legacy fixture
+9. **UI tests** — Add column count verification
+
+## Key Files
+
+| File | Change |
+|------|--------|
+| `Resources/PPPCServices.json` | +3 entries |
+| `Source/Model/TCCProfile.swift` | +3 enum cases |
+| `Source/Model/Executable.swift` | +3 properties |
+| `Source/View Controllers/TCCProfileViewController.swift` | +IBOutlets, setup calls |
+| `Resources/Base.lproj/Main.storyboard` | +UI elements |
+| `PPPC UtilityTests/` | Updated assertions + new tests |
+| `PPPC UtilityUITests/AppLaunchTests.swift` | +column count test |
+
+## Build & Test
+
+```bash
+# Build
+xcodebuild clean build -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS"
+
+# Unit tests
+xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"
+
+# UI tests
+xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"
+
+# Compiler warnings check
+xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
+```
+
+## Risks
+
+- **Storyboard merge conflicts**: The Main.storyboard is XML and prone to merge conflicts. Minimize changes and commit storyboard changes atomically.
+- **KVC property name mismatch**: If a Policy property name doesn't exactly match the MDM key, Cocoa Bindings will silently fail. Verify by testing the UI after binding.
diff --git a/specs/002-add-pppc-keys/research.md b/specs/002-add-pppc-keys/research.md
new file mode 100644
index 0000000..c4380f9
--- /dev/null
+++ b/specs/002-add-pppc-keys/research.md
@@ -0,0 +1,54 @@
+# Research: Add New PPPC Keys
+
+**Feature**: 002-add-pppc-keys
+**Date**: 2026-04-09
+
+## Status: Complete — No Unknowns
+
+All technical details were resolved during the specification and clarification phases. No NEEDS CLARIFICATION items existed in the Technical Context.
+
+## Research Findings
+
+### 1. Apple MDM Key Definitions
+
+**Source**: Apple Developer Documentation — `PrivacyPreferencesPolicyControl.Services` (official JSON API)
+
+| Key | Description | Introduced | Deny-Only | AllowStandardUsers |
+|-----|-------------|------------|-----------|-------------------|
+| BluetoothAlways | Specifies the policies for the app to access Bluetooth devices. | macOS 10.14 (MDM schema), macOS 14 (Jamf Pro support) | No | No |
+| SystemPolicyAppBundles | Allows the application to update or delete other apps. Available in macOS 13 and later. | macOS 10.14 (MDM schema), macOS 13 (OS support) | No | No |
+| SystemPolicyAppData | Specifies the policies for the app to access the data of other apps. | macOS 10.14 (MDM schema), macOS 14 (Jamf Pro support) | No | No |
+
+- **Decision**: All three are standard Allow/Deny services.
+- **Rationale**: Apple's MDM documentation does not include deny-only language for any of the three keys. `AllowStandardUserToSetSystemService` is explicitly restricted to `ListenEvent` and `ScreenCapture` only.
+- **Alternatives considered**: None — Apple's documentation is authoritative.
+
+### 2. Service Registration Pattern
+
+**Source**: Codebase exploration of existing 21 services.
+
+- **Decision**: Follow the existing pattern — JSON registry + enum + KVC property + storyboard UI.
+- **Rationale**: All 21 existing services follow this exact pattern. No architectural changes needed.
+- **Alternatives considered**: Dynamic column generation (rejected — would require rewriting the storyboard-based UI and Cocoa Bindings, violating Simplicity principle).
+
+### 3. Entitlements
+
+**Source**: Apple MDM documentation (Services schema).
+
+- **Decision**: None of the three new keys specify associated entitlements in Apple's documentation.
+- **Rationale**: The `entitlements` field in `PPPCServiceInfo` is optional. Services without entitlements (e.g., Accessibility, PostEvent, Reminders) simply omit the field.
+- **Alternatives considered**: N/A.
+
+### 4. English Names for Display
+
+**Source**: Apple support documentation + Jamf Pro release notes.
+
+| MDM Key | English Name (for UI) |
+|---------|-----------------------|
+| BluetoothAlways | Bluetooth Always |
+| SystemPolicyAppBundles | App Bundles |
+| SystemPolicyAppData | App Data |
+
+- **Decision**: Use concise names consistent with the naming pattern of existing services (e.g., "Full Disk Access" for SystemPolicyAllFiles, "Administrator Files" for SystemPolicySysAdminFiles).
+- **Rationale**: Names should be recognizable to IT administrators familiar with macOS TCC terminology.
+- **Alternatives considered**: "Bluetooth" (too generic, could confuse with future keys), "Application Bundles" / "Application Data" (longer than necessary).
diff --git a/specs/002-add-pppc-keys/spec.md b/specs/002-add-pppc-keys/spec.md
new file mode 100644
index 0000000..383f39f
--- /dev/null
+++ b/specs/002-add-pppc-keys/spec.md
@@ -0,0 +1,121 @@
+# Feature Specification: Add New PPPC Keys
+
+**Feature Branch**: `002-add-pppc-keys`  
+**Created**: 2026-04-09  
+**Status**: Draft  
+**Input**: User description: "Add 3 new PPPC keys (BluetoothAlways, SystemPolicyAppBundles, SystemPolicyAppData) to the PPPC Utility, as introduced in Jamf Pro 11.23.0 release notes."
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Configure Bluetooth Access Policy (Priority: P1)
+
+An IT administrator needs to control which applications can access Bluetooth devices on managed Macs running macOS 14 or later. Using PPPC Utility, the administrator adds an application to the profile and sets the "Bluetooth Always" permission to Allow or Deny, then exports the configuration profile for deployment via Jamf Pro.
+
+**Why this priority**: Bluetooth access is a significant privacy and security concern. Unauthorized Bluetooth access can expose device pairing data and enable unwanted wireless communication. This was the specific key the user requested.
+
+**Independent Test**: Can be fully tested by adding an application in PPPC Utility, selecting a Bluetooth Always policy value, exporting the profile, and verifying the `BluetoothAlways` key appears in the exported payload with the correct authorization value.
+
+**Acceptance Scenarios**:
+
+1. **Given** the PPPC Utility is open and an application has been added, **When** the administrator selects a policy value for Bluetooth Always, **Then** the selected value (Allow/Deny) is stored and displayed in the policy table.
+2. **Given** a profile with a Bluetooth Always policy set, **When** the administrator exports the profile, **Then** the exported configuration profile contains a `BluetoothAlways` key under the TCC services payload with the correct authorization value.
+3. **Given** the administrator imports an existing profile that includes a `BluetoothAlways` key, **When** the profile loads, **Then** the Bluetooth Always policy value is correctly displayed in the UI.
+
+---
+
+### User Story 2 - Configure App Bundles Access Policy (Priority: P1)
+
+An IT administrator needs to control which applications can update or delete other applications on managed Macs running macOS 13 or later. Using PPPC Utility, the administrator sets the "App Bundles" permission for a given application, then exports the profile for deployment.
+
+**Why this priority**: Controlling which apps can modify other app bundles is a critical security concern — unauthorized modification of application bundles could introduce malware or compromise system integrity.
+
+**Independent Test**: Can be fully tested by adding an application in PPPC Utility, selecting a policy value for App Bundles, exporting the profile, and verifying the `SystemPolicyAppBundles` key appears in the exported payload.
+
+**Acceptance Scenarios**:
+
+1. **Given** the PPPC Utility is open and an application has been added, **When** the administrator selects a policy value for App Bundles, **Then** the selected value is stored and displayed in the policy table.
+2. **Given** a profile with an App Bundles policy set, **When** the administrator exports the profile, **Then** the exported configuration profile contains a `SystemPolicyAppBundles` key under the TCC services payload with the correct authorization value.
+3. **Given** the administrator imports an existing profile that includes a `SystemPolicyAppBundles` key, **When** the profile loads, **Then** the App Bundles policy value is correctly displayed in the UI.
+
+---
+
+### User Story 3 - Configure App Data Access Policy (Priority: P1)
+
+An IT administrator needs to control which applications can access the data of other applications on managed Macs running macOS 14 or later. Using PPPC Utility, the administrator sets the "App Data" permission for a given application, then exports the profile for deployment.
+
+**Why this priority**: Controlling cross-application data access is essential for data privacy — without it, a compromised application could read sensitive data from other apps (e.g., password managers, financial tools).
+
+**Independent Test**: Can be fully tested by adding an application in PPPC Utility, selecting a policy value for App Data, exporting the profile, and verifying the `SystemPolicyAppData` key appears in the exported payload.
+
+**Acceptance Scenarios**:
+
+1. **Given** the PPPC Utility is open and an application has been added, **When** the administrator selects a policy value for App Data, **Then** the selected value is stored and displayed in the policy table.
+2. **Given** a profile with an App Data policy set, **When** the administrator exports the profile, **Then** the exported configuration profile contains a `SystemPolicyAppData` key under the TCC services payload with the correct authorization value.
+3. **Given** the administrator imports an existing profile that includes a `SystemPolicyAppData` key, **When** the profile loads, **Then** the App Data policy value is correctly displayed in the UI.
+
+---
+
+### User Story 4 - Round-Trip Consistency (Priority: P2)
+
+An IT administrator creates a profile with all three new PPPC keys configured, exports it, and then re-imports it. All three new service policies should be preserved exactly as configured.
+
+**Why this priority**: Data integrity on export/import is fundamental to administrator trust in the tool, but this is a natural consequence of correct implementation of the individual keys.
+
+**Independent Test**: Can be tested by creating a profile with all three new keys set, exporting to a file, re-importing the file, and comparing all policy values.
+
+**Acceptance Scenarios**:
+
+1. **Given** a profile with BluetoothAlways, SystemPolicyAppBundles, and SystemPolicyAppData policies set to specific values, **When** the profile is exported and then re-imported, **Then** all three policy values match the originally configured values.
+
+---
+
+### Edge Cases
+
+- What happens when an existing profile created before these keys were added is imported? The three new service columns should default to "–" (not set) for those applications.
+- What happens when a profile exported from another tool includes these keys with unexpected or unrecognized authorization values? The system should handle gracefully, applying known values and defaulting unknown values.
+- What happens when the user sets a new key and then clears it back to the default? The key should not appear in the exported profile if set to the default/unset value.
+
+## Requirements *(mandatory)*
+
+### Functional Requirements
+
+- **FR-001**: The system MUST include "Bluetooth Always" as a configurable PPPC service with the MDM key `BluetoothAlways`.
+- **FR-002**: The system MUST include "App Bundles" as a configurable PPPC service with the MDM key `SystemPolicyAppBundles`.
+- **FR-003**: The system MUST include "App Data" as a configurable PPPC service with the MDM key `SystemPolicyAppData`.
+- **FR-004**: Each new service MUST appear in the policy table as a selectable column alongside existing services.
+- **FR-005**: Each new service MUST support Allow, Deny, and "not set" policy values. None of the three new keys are deny-only or support allowStandardUsers (confirmed via Apple MDM documentation).
+- **FR-006**: Exported configuration profiles MUST include the correct MDM key and authorization value for each new service when a policy value has been set.
+- **FR-007**: Imported configuration profiles containing any of the three new MDM keys MUST correctly parse and display the policy values in the UI.
+- **FR-008**: The service description for each new key MUST accurately describe what the permission controls, consistent with Apple's MDM documentation.
+
+### Testing Requirements
+
+- **TR-001**: Unit tests MUST verify the services manager loads all services including the 3 new keys (expected count increases from 21 to 24).
+- **TR-002**: Unit tests MUST verify that each new key's Policy property defaults to "–" (not set) on a new Executable.
+- **TR-003**: Unit tests MUST verify export/import round-trip fidelity for each of the 3 new keys with both Allow and Deny authorization values.
+- **TR-004**: A new `TestTCCUnsignedProfile.mobileconfig` fixture MUST be created in TCCProfileImporterTests/ containing all 24 services (21 existing + 3 new keys). The `TestTCCUnsignedProfile-allLower.mobileconfig` fixture MUST also be updated with the 3 new keys in lowercase. The `Resources/TestTCCUnsignedProfile.mobileconfig` (app-bundled UI test profile) MUST be updated with the 3 new keys.
+- **TR-005**: The original `TestTCCUnsignedProfile.mobileconfig` fixture (without the new keys) MUST be preserved as `TestTCCUnsignedProfile-Legacy.mobileconfig` in TCCProfileImporterTests/. A test MUST verify that importing this legacy fixture defaults the 3 new service columns to "–" (not set) without errors.
+- **TR-006**: One UI test MUST be added (or an existing test updated) to verify the total column count in the policy table has increased to reflect the 3 new services.
+
+### Key Entities
+
+- **PPPC Service (BluetoothAlways)**: Controls app access to Bluetooth devices. MDM key: `BluetoothAlways`. Description: Specifies the policies for the app to access Bluetooth devices.
+- **PPPC Service (SystemPolicyAppBundles)**: Controls whether an app can update or delete other applications. MDM key: `SystemPolicyAppBundles`. Description: Allows the app to update or delete other apps.
+- **PPPC Service (SystemPolicyAppData)**: Controls whether an app can access data belonging to other applications. MDM key: `SystemPolicyAppData`. Description: Specifies the policies for the app to access the data of other apps.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-001**: All three new PPPC services are visible and configurable in the PPPC Utility policy table without requiring any workaround by the administrator.
+- **SC-002**: A configuration profile exported with any of the three new keys set produces a valid payload that Jamf Pro accepts and deploys successfully.
+- **SC-003**: 100% round-trip fidelity — any profile created with the new keys, exported, and re-imported retains all configured values.
+- **SC-004**: Existing profiles without the new keys import without errors or data loss; the new service columns default to "not set."
+
+## Assumptions
+
+- The three new keys follow the same TCC payload structure (`com.apple.TCC.configuration-profile-policy`) as existing PPPC services — no new payload types or structures are required.
+- BluetoothAlways and SystemPolicyAppData require macOS 14 or later; SystemPolicyAppBundles requires macOS 13 or later. The PPPC Utility does not enforce minimum OS version per service (consistent with existing behavior).
+- The existing service infrastructure (service registry, policy model, profile export/import) supports adding new services without architectural changes — only data additions are needed.
+- None of the three new services are "deny only" or "allow standard users" — confirmed via Apple's official MDM documentation (the `AllowStandardUserToSetSystemService` authorization value is explicitly limited to `ListenEvent` and `ScreenCapture` only).
+- The alphabetical or categorical ordering of services in the UI will incorporate the new services naturally based on existing sort logic.
diff --git a/specs/002-add-pppc-keys/tasks.md b/specs/002-add-pppc-keys/tasks.md
new file mode 100644
index 0000000..33970c2
--- /dev/null
+++ b/specs/002-add-pppc-keys/tasks.md
@@ -0,0 +1,171 @@
+# Tasks: Add New PPPC Keys
+
+**Input**: Design documents from `/specs/002-add-pppc-keys/`
+**Prerequisites**: plan.md, spec.md, data-model.md, research.md, quickstart.md
+
+**Tests**: Included — explicitly requested in spec (TR-001 through TR-006).
+
+**Organization**: US1 (BluetoothAlways), US2 (SystemPolicyAppBundles), and US3 (SystemPolicyAppData) all modify the same files and are implemented together in shared phases. US4 (Round-Trip Consistency) is a separate testing phase.
+
+## Format: `[ID] [P?] [Story] Description`
+
+- **[P]**: Can run in parallel (different files, no dependencies)
+- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
+- Include exact file paths in descriptions
+
+## Path Conventions
+
+- **Desktop app (macOS)**: `Source/`, `Resources/`, tests at `PPPC UtilityTests/`, `PPPC UtilityUITests/`
+
+---
+
+## Phase 1: Setup
+
+**Purpose**: Capture baseline before any changes
+
+- [ ] T001 Capture baseline compiler warnings by running: `xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"`
+- [ ] T002 Run existing unit tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
+- [ ] T003 Run existing UI tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
+
+---
+
+## Phase 2: Foundational — Data Model (All 3 Keys)
+
+**Purpose**: Add BluetoothAlways, SystemPolicyAppBundles, and SystemPolicyAppData to the data layer. MUST be complete before UI or test work can begin.
+
+**⚠️ CRITICAL**: No UI or test work can begin until this phase is complete.
+
+- [ ] T004 [P] [US1] [US2] [US3] Add 3 new service entries to `Resources/PPPCServices.json` — insert `BluetoothAlways` (after Accessibility, alphabetically), `SystemPolicyAppBundles` (after SystemPolicyAllFiles), and `SystemPolicyAppData` (after SystemPolicyAppBundles). Each entry has `mdmKey`, `englishName`, and `englishDescription` per data-model.md. No `entitlements`, `denyOnly`, or `allowStandardUsers` fields.
+- [ ] T005 [P] [US1] [US2] [US3] Add 3 new enum cases to `ServicesKeys` in `Source/Model/TCCProfile.swift` — add `case bluetoothAlways = "BluetoothAlways"`, `case appBundles = "SystemPolicyAppBundles"`, `case appData = "SystemPolicyAppData"`.
+- [ ] T006 [P] [US1] [US2] [US3] Add 3 new `@objc dynamic` properties to the `Policy` class in `Source/Model/Executable.swift` — add `@objc dynamic var BluetoothAlways: String = "-"`, `@objc dynamic var SystemPolicyAppBundles: String = "-"`, `@objc dynamic var SystemPolicyAppData: String = "-"`. Property names MUST exactly match MDM key strings (KVC requirement).
+
+**Checkpoint**: Data model complete. Build should succeed with no new warnings. Existing tests may now fail (service count assertions) — expected.
+
+---
+
+## Phase 3: US1+US2+US3 — View Controller & Storyboard UI
+
+**Goal**: Make all 3 new services visible and configurable in the PPPC Utility UI.
+
+**Independent Test**: Open the app, add an executable, verify Bluetooth Always / App Bundles / App Data popups appear with Allow/Deny options.
+
+### Implementation
+
+- [ ] T007 [US1] [US2] [US3] Add IBOutlet declarations for all 3 new services in `Source/View Controllers/TCCProfileViewController.swift` — for each service, add: `NSPopUpButton` outlet, `NSArrayController` outlet, `InfoButton` outlet, and `NSStackView` outlet. Follow the naming pattern of existing outlets (e.g., `bluetoothAlwaysPopUp`, `bluetoothAlwaysPopUpAC`, `bluetoothAlwaysHelpButton`, `bluetoothAlwaysStackView`).
+- [ ] T008 [US1] [US2] [US3] Wire new services into setup methods in `Source/View Controllers/TCCProfileViewController.swift` — add the 3 new `NSArrayController` outlets to the `setupAllowDeny()` call in `viewDidLoad()`. Add the 3 new `InfoButton` outlets to `setupDescriptions()` with their MDM keys. Add the 3 new `NSStackView` outlets to `setupStackViewsWithBackground()` (for alternating row backgrounds). Add accessibility identifiers for the 3 new popups in `setupAccessibilityIdentifiers()`.
+- [ ] T009 [US1] [US2] [US3] Add UI elements for all 3 new services in `Resources/Base.lproj/Main.storyboard` — for each service, duplicate an existing service row (e.g., the Reminders row pattern) and update: label text, popup button binding to the corresponding `Policy` property via Cocoa Bindings, NSArrayController connection, InfoButton connection, and NSStackView connection. Wire all IBOutlets to the view controller.
+
+**Checkpoint**: All 3 services visible in UI. Build and launch app to verify popups appear. Cocoa Bindings functional (selecting Allow/Deny updates the Policy object).
+
+---
+
+## Phase 4: US1+US2+US3 — Unit Tests
+
+**Goal**: Verify data model correctness for all 3 new keys via automated tests.
+
+### Tests
+
+- [ ] T010 [P] [US1] [US2] [US3] Update service count assertion in `PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift` — change expected `allServices.count` from 21 to 24. Add assertions that `allServices["BluetoothAlways"]`, `allServices["SystemPolicyAppBundles"]`, and `allServices["SystemPolicyAppData"]` are non-nil with correct `englishName` values. (Satisfies TR-001)
+- [ ] T011 [P] [US1] [US2] [US3] Update policy defaults test in `PPPC UtilityTests/ModelTests/ExecutableTests.swift` — verify that a new `Executable`'s `policy.BluetoothAlways`, `policy.SystemPolicyAppBundles`, and `policy.SystemPolicyAppData` all default to `"-"`. Update any existing count-based assertions for total policy properties. (Satisfies TR-002)
+- [ ] T012 [P] [US1] [US2] [US3] Add new keys to `buildTCCPolicies()` in `PPPC UtilityTests/Helpers/TCCProfileBuilder.swift` — add `"BluetoothAlways"`, `"SystemPolicyAppBundles"`, and `"SystemPolicyAppData"` entries to the returned dictionary so round-trip tests exercise the new keys.
+- [ ] T013 [US1] [US2] [US3] Add export/import round-trip tests in `PPPC UtilityTests/ModelTests/ModelTests.swift` — add tests verifying that for each of the 3 new keys, setting a policy to Allow or Deny, exporting, and re-importing preserves the value. Use `ModelBuilder` to create executables with specific policy settings. (Satisfies TR-003)
+
+**Checkpoint**: Run unit test plan — all tests pass including updated service count, defaults, and round-trip assertions.
+
+---
+
+## Phase 5: US4 — Import Testing & Legacy Fixtures
+
+**Goal**: Verify round-trip fidelity and backward-compatible import of older profiles.
+
+**Independent Test**: Import a legacy profile (without new keys) — new columns default to "–". Import a modern profile (with new keys) — values correctly displayed.
+
+### Test Fixtures
+
+- [ ] T014 [P] [US4] Rename existing fixture `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` to `TestTCCUnsignedProfile-Legacy.mobileconfig` — this preserves the original file (without new keys) as the legacy import fixture. Update the Xcode project file if the resource is referenced by name.
+- [ ] T015 [P] [US4] Create new `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` — copy from the legacy file and add `BluetoothAlways`, `SystemPolicyAppBundles`, and `SystemPolicyAppData` service entries with test policy dictionaries (Allowed: true, Identifier, CodeRequirement, IdentifierType, Comment). Follow the exact XML plist structure of existing service entries.
+- [ ] T016 [P] [US4] Update `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig` — add `bluetoothalways`, `systempolicyappbundles`, and `systempolicyappdata` entries (lowercase keys) following the existing lowercase pattern.
+- [ ] T017 [P] [US4] Update `Resources/TestTCCUnsignedProfile.mobileconfig` — add the 3 new service entries (same as T015) so the app-bundled UI test profile includes all 24 services.
+
+### Tests
+
+- [ ] T018 [US4] Add legacy import test in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — add a test that imports `TestTCCUnsignedProfile-Legacy.mobileconfig`, feeds it through `Model.importProfile()`, and verifies the 3 new policy columns default to `"-"` on all imported executables. (Satisfies TR-005)
+- [ ] T019 [US4] Verify existing `correctUnsignedProfileContentData` test passes with the new fixture in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — the test should now import a profile with all 24 services and succeed. (Satisfies TR-004)
+
+**Checkpoint**: All importer tests pass. Legacy profile imports cleanly. Modern profile imports with all 24 services.
+
+---
+
+## Phase 6: Polish & Cross-Cutting Concerns
+
+**Purpose**: UI test, final validation, quality gate checks
+
+- [ ] T020 [US1] [US2] [US3] Add or update a UI test in `PPPC UtilityUITests/AppLaunchTests.swift` to verify the policy table column count reflects the 3 new services. Use the `-UITestMode` launch argument (which loads the test profile) and assert expected popup/column count. (Satisfies TR-006)
+- [ ] T021 Compare compiler warnings against T001 baseline — verify no new warnings introduced by running the same command and diffing output.
+- [ ] T022 Run full unit test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
+- [ ] T023 Run full UI test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
+- [ ] T024 Validate quickstart.md build and test commands still work per `specs/002-add-pppc-keys/quickstart.md`
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies — start immediately
+- **Foundational (Phase 2)**: Depends on Setup (T001-T003) — BLOCKS all subsequent phases
+- **View Controller & UI (Phase 3)**: Depends on Phase 2 (data model must exist for bindings)
+- **Unit Tests (Phase 4)**: Depends on Phase 2 (data model). Can overlap with Phase 3 (different files).
+- **Import Testing (Phase 5)**: Depends on Phase 2 (data model). Can overlap with Phase 3 and 4 (different files).
+- **Polish (Phase 6)**: Depends on Phases 3, 4, 5 all complete
+
+### User Story Dependencies
+
+- **US1, US2, US3 (all P1)**: Implemented together — same files, same pattern, no benefit to separation. All depend on Phase 2.
+- **US4 (P2)**: Depends on Phase 2 data model only. Can be worked in parallel with Phase 3 (UI) and Phase 4 (unit tests).
+
+### Within-Phase Task Dependencies
+
+- **Phase 2**: T004, T005, T006 are all [P] — different files, run in parallel
+- **Phase 3**: T007 → T008 → T009 (sequential within same files)
+- **Phase 4**: T010, T011, T012 are [P] — different files. T013 depends on T012 (builder)
+- **Phase 5**: T014, T015, T016, T017 are [P] — different files. T018, T019 depend on T014+T015
+
+### Parallel Opportunities
+
+```text
+Phase 2 (all parallel):
+  T004 (PPPCServices.json) ║ T005 (TCCProfile.swift) ║ T006 (Executable.swift)
+
+Phase 4 + Phase 5 fixtures (overlap with Phase 3):
+  T010 (ServicesManagerTests) ║ T011 (ExecutableTests) ║ T012 (TCCProfileBuilder)
+  T014 (rename fixture) ║ T015 (new fixture) ║ T016 (allLower fixture) ║ T017 (Resources fixture)
+```
+
+---
+
+## Implementation Strategy
+
+### MVP First (Phase 1 + 2 + 3)
+
+1. Complete Phase 1: Capture baselines
+2. Complete Phase 2: Data model (3 parallel tasks)
+3. Complete Phase 3: View controller + storyboard
+4. **STOP and VALIDATE**: Launch app, add an executable, verify all 3 new popups appear with Allow/Deny
+
+### Incremental Delivery
+
+1. Setup + Foundational → Data model ready
+2. View Controller + UI → All 3 services visible and functional (MVP!)
+3. Unit Tests → Automated verification of data model
+4. Import Tests + Legacy → Backward compatibility verified
+5. Polish → Quality gates pass, ready to merge
+
+---
+
+## Notes
+
+- [P] tasks = different files, no dependencies
+- US1+US2+US3 are co-implemented because they share all files (PPPCServices.json, TCCProfile.swift, Executable.swift, TCCProfileViewController.swift, Main.storyboard). Splitting them would create constant same-file conflicts with no benefit.
+- Storyboard changes (T009) are the highest-risk task due to XML merge fragility — do this in a focused commit.
+- KVC property names in Policy class MUST exactly match MDM key strings — a mismatch causes silent binding failure.

From 9df88ba982c8f5b24ea8eb7048faf4739ad7ce57 Mon Sep 17 00:00:00 2001
From: Tony Eichelberger <tony.eichelberger@jamf.com>
Date: Thu, 9 Apr 2026 16:20:23 -0500
Subject: [PATCH 52/53] implemented the spec locally since the agent does not
 have xcode access

---
 .specify/memory/constitution.md               |   3 +-
 CLAUDE.md                                     |  16 +
 PPPC Utility.xcodeproj/project.pbxproj        |   4 +
 .../Helpers/TCCProfileBuilder.swift           |   5 +-
 .../ModelTests/ExecutableTests.swift          |  86 +--
 PPPC UtilityTests/ModelTests/ModelTests.swift |  49 +-
 .../ModelTests/PPPCServicesManagerTests.swift |  17 +-
 .../TCCProfileImporterTests.swift             |  19 +
 .../TCCProfileTests.swift                     |  38 +-
 .../TestTCCProfileForJamfProAPI.txt           |  69 +++
 ...TestTCCUnsignedProfile-Legacy.mobileconfig | 575 ++++++++++++++++++
 ...stTCCUnsignedProfile-allLower.mobileconfig |  49 +-
 .../TestTCCUnsignedProfile.mobileconfig       |  85 ++-
 PPPC UtilityUITests/AppLaunchTests.swift      |  41 ++
 Resources/Base.lproj/Main.storyboard          | 204 +++++++
 Resources/PPPCServices.json                   |  15 +
 Resources/TestTCCUnsignedProfile.mobileconfig |  85 ++-
 Source/Model/Executable.swift                 |   3 +
 Source/Model/TCCProfile.swift                 |  29 +-
 .../TCCProfileViewController.swift            | 154 +++--
 specs/002-add-pppc-keys/quickstart.md         |   2 +-
 specs/002-add-pppc-keys/tasks.md              |  48 +-
 22 files changed, 1396 insertions(+), 200 deletions(-)
 create mode 100644 PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-Legacy.mobileconfig

diff --git a/.specify/memory/constitution.md b/.specify/memory/constitution.md
index 8e4ffaf..fe90d77 100644
--- a/.specify/memory/constitution.md
+++ b/.specify/memory/constitution.md
@@ -51,6 +51,7 @@ acceptable only for components without adequate SwiftUI coverage.
 
 - Minimum deployment target: macOS 13.0.
 - All interactive UI elements MUST have accessibility identifiers and labels.
+- Service keys in the main window MUST appear in alphabetical order.
 - Profiles MUST be saveable locally (signed or unsigned) and uploadable to
   Jamf Pro (bearer token, basic auth fallback, or OAuth client credentials).
 
@@ -86,4 +87,4 @@ Git) are maintained in `CLAUDE.md`. Amendments require:
 All PRs and code reviews MUST verify compliance with this constitution.
 Complexity violations MUST be justified in the PR description.
 
-**Version**: 1.1.0 | **Ratified**: 2026-04-09 | **Last Amended**: 2026-04-09
+**Version**: 1.2.0 | **Ratified**: 2026-04-09 | **Last Amended**: 2026-04-09
diff --git a/CLAUDE.md b/CLAUDE.md
index 6a1d7df..e9dfa48 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -24,8 +24,16 @@
 - Avoid snake_case in test names (e.g., `generateDisplayName_bundleIdentifier`). If a name is getting long, use a Trait with a sentence-style description instead.
 - For complex tests, use a descriptive `@Test("...")` trait that explains the scenario and expected outcome so the test is understandable without reading the body.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
+  ```swift
+  @Test("Service key round-trip preserves value", arguments: [
+      ("BluetoothAlways", "Allow"),
+      ("SystemPolicyAppBundles", "Deny")
+  ])
+  func serviceKeyRoundTrip(serviceKey: String, value: String) async { … }
+  ```
 - Beyond 3 params: create separate tests with some values hard-coded
 - Use `deinit` as teardown for repeated cleanup across tests in a suite. Use `class` for suites that need `deinit`; use `struct` otherwise.
+- After adding or refactoring tests, look for duplication or tests that are no longer relevant. Do not add redundant tests.
 
 ## UI Testing Conventions
 
@@ -35,6 +43,14 @@
 - Use accessibility identifiers set in `setupAccessibilityIdentifiers()` to locate UI elements
 - The `-UITestMode` launch argument triggers test-specific setup (e.g., loading a test profile)
 
+## UI Conventions
+
+- Service keys (popup rows) in the main window must appear in alphabetical order.
+
+## Naming
+
+- Avoid "new" in test or function names — it becomes stale quickly. Describe the behavior, not the novelty.
+
 ## Git
 
 - Do not stage or commit changes in terminal sessions
diff --git a/PPPC Utility.xcodeproj/project.pbxproj b/PPPC Utility.xcodeproj/project.pbxproj
index 6d4d8a7..368b377 100644
--- a/PPPC Utility.xcodeproj/project.pbxproj	
+++ b/PPPC Utility.xcodeproj/project.pbxproj	
@@ -59,6 +59,7 @@
 		C07B1FB82AF596D80075E38B /* UploadManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C07B1FB72AF596D80075E38B /* UploadManager.swift */; };
 		C0A2B5422B1A5D5C0007F510 /* JamfProAPIClientTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0A2B5412B1A5D5C0007F510 /* JamfProAPIClientTests.swift */; };
 		C0A85DB5279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */; };
+		AA002200000000000000002B /* TestTCCUnsignedProfile-Legacy.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */; };
 		C0DC2BB92B2263FC003A4474 /* Haversack in Frameworks */ = {isa = PBXBuildFile; productRef = C0DC2BB82B2263FC003A4474 /* Haversack */; };
 		C0E0383F27A30C7100A23FA2 /* PPPCServiceInfo.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0E0383D27A30C7100A23FA2 /* PPPCServiceInfo.swift */; };
 		C0E0384027A30C7100A23FA2 /* PPPCServicesManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0E0383E27A30C7100A23FA2 /* PPPCServicesManager.swift */; };
@@ -151,6 +152,7 @@
 		C07B1FB72AF596D80075E38B /* UploadManager.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadManager.swift; sourceTree = "<group>"; };
 		C0A2B5412B1A5D5C0007F510 /* JamfProAPIClientTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPIClientTests.swift; sourceTree = "<group>"; };
 		C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "TestTCCUnsignedProfile-allLower.mobileconfig"; sourceTree = "<group>"; };
+		AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "TestTCCUnsignedProfile-Legacy.mobileconfig"; sourceTree = "<group>"; };
 		C0E0383D27A30C7100A23FA2 /* PPPCServiceInfo.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PPPCServiceInfo.swift; sourceTree = "<group>"; };
 		C0E0383E27A30C7100A23FA2 /* PPPCServicesManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PPPCServicesManager.swift; sourceTree = "<group>"; };
 		C0E0384127A30D1D00A23FA2 /* PPPCServices.json */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.json; path = PPPCServices.json; sourceTree = "<group>"; };
@@ -266,6 +268,7 @@
 			children = (
 				5F95AE2B2315B172002E0A22 /* TestTCCProfileSigned-Broken.mobileconfig */,
 				C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */,
+				AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */,
 				5F95AE2A2315B172002E0A22 /* TestTCCUnsignedProfile-Broken.mobileconfig */,
 				5F95AE2C2315B172002E0A22 /* TestTCCUnsignedProfile-Empty.mobileconfig */,
 				5F95AE292315B172002E0A22 /* TestTCCUnsignedProfile.mobileconfig */,
@@ -536,6 +539,7 @@
 				5F95AE312315B172002E0A22 /* TestTCCUnsignedProfile-Empty.mobileconfig in Resources */,
 				5F95AE2F2315B172002E0A22 /* TestTCCUnsignedProfile-Broken.mobileconfig in Resources */,
 				C0A85DB5279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig in Resources */,
+				AA002200000000000000002B /* TestTCCUnsignedProfile-Legacy.mobileconfig in Resources */,
 				C0EE9A7D28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt in Resources */,
 				5F95AE302315B172002E0A22 /* TestTCCProfileSigned-Broken.mobileconfig in Resources */,
 			);
diff --git a/PPPC UtilityTests/Helpers/TCCProfileBuilder.swift b/PPPC UtilityTests/Helpers/TCCProfileBuilder.swift
index 9d120e2..b6aaf9f 100644
--- a/PPPC UtilityTests/Helpers/TCCProfileBuilder.swift	
+++ b/PPPC UtilityTests/Helpers/TCCProfileBuilder.swift	
@@ -47,7 +47,10 @@ class TCCProfileBuilder: NSObject {
     func buildTCCPolicies(allowed: Bool?, authorization: TCCPolicyAuthorizationValue?) -> [String: [TCCPolicy]] {
         return [
             "SystemPolicyAllFiles": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
-            "AppleEvents": [buildTCCPolicy(allowed: allowed, authorization: authorization)]
+            "AppleEvents": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "BluetoothAlways": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "SystemPolicyAppBundles": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "SystemPolicyAppData": [buildTCCPolicy(allowed: allowed, authorization: authorization)]
         ]
     }
 
diff --git a/PPPC UtilityTests/ModelTests/ExecutableTests.swift b/PPPC UtilityTests/ModelTests/ExecutableTests.swift
index 045e771..7d7f902 100644
--- a/PPPC UtilityTests/ModelTests/ExecutableTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ExecutableTests.swift	
@@ -34,60 +34,62 @@ import Testing
 struct ExecutableTests {
     let executable = Executable()
 
-    @Test("Display name uses last component of bundle identifier")
-    func generateDisplayNameBundleIdentifier() {
+    @Test(
+        "Display name uses last component of identifier",
+        arguments: [
+            ("com.example.MyApp", "MyApp"),
+            ("/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
+            ("Terminal", "Terminal")
+        ])
+    func generateDisplayName(identifier: String, expected: String) {
         // when
-        let displayName = executable.generateDisplayName(identifier: "com.example.MyApp")
+        let displayName = executable.generateDisplayName(identifier: identifier)
 
         // then
-        #expect(displayName == "MyApp")
+        #expect(displayName == expected)
     }
 
-    @Test("Display name uses last component of path identifier")
-    func generateDisplayNamePathIdentifier() {
+    @Test(
+        "Icon path matches identifier type",
+        arguments: [
+            ("com.example.MyApp", "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GenericApplicationIcon.icns"),
+            ("/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ExecutableBinaryIcon.icns")
+        ])
+    func generateIconPath(identifier: String, expected: String) {
         // when
-        let displayName = executable.generateDisplayName(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
+        let iconPath = executable.generateIconPath(identifier: identifier)
 
         // then
-        #expect(displayName == "Terminal")
+        #expect(iconPath == expected)
     }
 
-    @Test("Display name returns identifier when single component")
-    func generateDisplayNameSingleComponent() {
-        // when
-        let displayName = executable.generateDisplayName(identifier: "Terminal")
-
-        // then
-        #expect(displayName == "Terminal")
-    }
-
-    @Test("Icon path is application for bundle identifier")
-    func generateIconPathForBundleIdentifier() {
-        // when
-        let iconPath = executable.generateIconPath(identifier: "com.example.MyApp")
-
-        // then
-        #expect(iconPath == IconFilePath.application)
-    }
-
-    @Test("Icon path is binary for path identifier")
-    func generateIconPathForPathIdentifier() {
-        // when
-        let iconPath = executable.generateIconPath(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
-
-        // then
-        #expect(iconPath == IconFilePath.binary)
-    }
-
-    @Test("All policy values default to dash")
-    func allPolicyValuesAreDefaults() {
+    @Test("All policy properties default to dash")
+    func policyPropertiesDefaultToDash() {
         let policy = Policy()
 
-        // when
-        let values = policy.allPolicyValues()
-
         // then
-        #expect(values.count == 20)
-        #expect(values.allSatisfy { $0 == "-" })
+        #expect(policy.Accessibility == "-")
+        #expect(policy.AddressBook == "-")
+        #expect(policy.BluetoothAlways == "-")
+        #expect(policy.Calendar == "-")
+        #expect(policy.Camera == "-")
+        #expect(policy.FileProviderPresence == "-")
+        #expect(policy.ListenEvent == "-")
+        #expect(policy.MediaLibrary == "-")
+        #expect(policy.Microphone == "-")
+        #expect(policy.Photos == "-")
+        #expect(policy.PostEvent == "-")
+        #expect(policy.Reminders == "-")
+        #expect(policy.ScreenCapture == "-")
+        #expect(policy.SpeechRecognition == "-")
+        #expect(policy.SystemPolicyAllFiles == "-")
+        #expect(policy.SystemPolicyAppBundles == "-")
+        #expect(policy.SystemPolicyAppData == "-")
+        #expect(policy.SystemPolicyDesktopFolder == "-")
+        #expect(policy.SystemPolicyDocumentsFolder == "-")
+        #expect(policy.SystemPolicyDownloadsFolder == "-")
+        #expect(policy.SystemPolicyNetworkVolumes == "-")
+        #expect(policy.SystemPolicyRemovableVolumes == "-")
+        #expect(policy.SystemPolicySysAdminFiles == "-")
     }
 }
diff --git a/PPPC UtilityTests/ModelTests/ModelTests.swift b/PPPC UtilityTests/ModelTests/ModelTests.swift
index b81732c..84385f0 100644
--- a/PPPC UtilityTests/ModelTests/ModelTests.swift	
+++ b/PPPC UtilityTests/ModelTests/ModelTests.swift	
@@ -267,39 +267,46 @@ struct ModelTests {
         #expect(model.selectedExecutables.first?.policy.SystemPolicyAllFiles == "Deny")
     }
 
-    // MARK: - tests for policyFromString
-
-    @Test
-    func policyWhenUsingAllow() {
-        let app = Executable(identifier: "id", codeRequirement: "req")
+    // MARK: - Service key round-trips
+
+    @Test(
+        "Service key round-trip preserves value",
+        arguments: [
+            ("BluetoothAlways", "Allow"),
+            ("SystemPolicyAppBundles", "Deny"),
+            ("SystemPolicyAppData", "Allow")
+        ])
+    func serviceKeyRoundTrip(serviceKey: String, value: String) async {
+        let model = ModelBuilder()
+            .addExecutable(settings: [serviceKey: value])
+            .build()
 
         // when
-        let policy = model.policyFromString(executable: app, value: "Allow")
+        let profile = model.exportProfile(organization: "Org", identifier: "ID", displayName: "Name", payloadDescription: "Desc")
+        await model.importProfile(tccProfile: profile)
 
         // then
-        #expect(policy?.authorization == .allow)
+        let result = model.selectedExecutables.last?.policy.value(forKey: serviceKey) as? String
+        #expect(result == value)
     }
 
-    @Test
-    func policyWhenUsingDeny() {
-        let app = Executable(identifier: "id", codeRequirement: "req")
-
-        // when
-        let policy = model.policyFromString(executable: app, value: "Deny")
-
-        // then
-        #expect(policy?.authorization == .deny)
-    }
+    // MARK: - tests for policyFromString
 
-    @Test
-    func policyWhenUsingAllowForStandardUsers() {
+    @Test(
+        "policyFromString maps display value to authorization",
+        arguments: [
+            ("Allow", TCCPolicyAuthorizationValue.allow),
+            ("Deny", TCCPolicyAuthorizationValue.deny),
+            ("Let Standard Users Approve", TCCPolicyAuthorizationValue.allowStandardUserToSetSystemService)
+        ])
+    func policyFromStringAuthorization(value: String, expected: String) {
         let app = Executable(identifier: "id", codeRequirement: "req")
 
         // when
-        let policy = model.policyFromString(executable: app, value: "Let Standard Users Approve")
+        let policy = model.policyFromString(executable: app, value: value)
 
         // then
-        #expect(policy?.authorization == .allowStandardUserToSetSystemService)
+        #expect(policy?.authorization == expected)
     }
 
     @Test
diff --git a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift
index 864a987..f944225 100644
--- a/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
+++ b/PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift	
@@ -39,7 +39,22 @@ struct PPPCServicesManagerTests {
         let actual = PPPCServicesManager()
 
         // then
-        #expect(actual.allServices.count == 21)
+        #expect(actual.allServices.count == 24)
+    }
+
+    @Test(
+        "Service is loaded with correct English name",
+        arguments: [
+            ("BluetoothAlways", "Bluetooth Always"),
+            ("SystemPolicyAppBundles", "App Bundles"),
+            ("SystemPolicyAppData", "App Data")
+        ])
+    func serviceIsLoaded(key: String, expectedName: String) throws {
+        let services = PPPCServicesManager()
+        let service = try #require(services.allServices[key])
+
+        // then
+        #expect(service.englishName == expectedName)
     }
 
     @Test("User help with entitlements")
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift
index 042d5ac..e930452 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
@@ -73,6 +73,25 @@ struct TCCProfileImporterTests {
         let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
         #expect(!tccProfile.content.isEmpty)
         #expect(!tccProfile.content[0].services.isEmpty)
+        #expect(tccProfile.content[0].services.count >= 24, "Profile should contain at least 24 services including 3 new keys")
+    }
+
+    @Test("Legacy profile without new keys imports with dash defaults")
+    func legacyProfileImportsWithDashDefaults() async throws {
+        let tccProfileImporter = TCCProfileImporter()
+        let resourceURL = try getResourceProfile(fileName: "TestTCCUnsignedProfile-Legacy")
+        let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+
+        // when
+        let model = Model()
+        await model.importProfile(tccProfile: tccProfile)
+
+        // then
+        for executable in model.selectedExecutables {
+            #expect(executable.policy.BluetoothAlways == "-", "BluetoothAlways should default to dash for legacy profiles")
+            #expect(executable.policy.SystemPolicyAppBundles == "-", "SystemPolicyAppBundles should default to dash for legacy profiles")
+            #expect(executable.policy.SystemPolicyAppData == "-", "SystemPolicyAppData should default to dash for legacy profiles")
+        }
     }
 
     @Test
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift
index 5d14ef6..4a907cb 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
@@ -63,20 +63,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
-            let allFiles = content.services["SystemPolicyAllFiles"]
-            #expect(allFiles?.count == 1)
-            allFiles?.forEach { policy in
-                #expect(policy.identifier == "policy id")
-                #expect(policy.identifierType == "policy id type")
-                #expect(policy.codeRequirement == "policy code req")
-                #expect(policy.allowed == nil)
-                #expect(policy.authorization == .allowStandardUserToSetSystemService)
-                #expect(policy.comment == "policy comment")
-                #expect(policy.receiverIdentifier == "policy receiver id")
-                #expect(policy.receiverIdentifierType == "policy receiver id type")
-                #expect(policy.receiverCodeRequirement == "policy receiver code req")
-            }
+            #expect(content.services.count == 5)
         }
     }
 
@@ -108,20 +95,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
-            let allFiles = content.services["SystemPolicyAllFiles"]
-            #expect(allFiles?.count == 1)
-            allFiles?.forEach { policy in
-                #expect(policy.identifier == "policy id")
-                #expect(policy.identifierType == "policy id type")
-                #expect(policy.codeRequirement == "policy code req")
-                #expect(policy.allowed == true)
-                #expect(policy.authorization == nil)
-                #expect(policy.comment == "policy comment")
-                #expect(policy.receiverIdentifier == "policy receiver id")
-                #expect(policy.receiverIdentifierType == "policy receiver id type")
-                #expect(policy.receiverCodeRequirement == "policy receiver code req")
-            }
+            #expect(content.services.count == 5)
         }
     }
 
@@ -141,13 +115,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
-            let allFiles = content.services["SystemPolicyAllFiles"]
-            #expect(allFiles?.count == 1)
-            allFiles?.forEach { policy in
-                #expect(policy.allowed == false)
-                #expect(policy.authorization == .allow)
-            }
+            #expect(content.services.count == 5)
         }
     }
 
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCProfileForJamfProAPI.txt b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCProfileForJamfProAPI.txt
index 67e8d75..68e278c 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCProfileForJamfProAPI.txt	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCProfileForJamfProAPI.txt	
@@ -44,6 +44,29 @@
 						&lt;string&gt;policy id type&lt;/string&gt;
 					&lt;/dict&gt;
 				&lt;/array&gt;
+				&lt;key&gt;BluetoothAlways&lt;/key&gt;
+				&lt;array&gt;
+					&lt;dict&gt;
+						&lt;key&gt;AEReceiverCodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy receiver code req&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifier&lt;/key&gt;
+						&lt;string&gt;policy receiver id&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifierType&lt;/key&gt;
+						&lt;string&gt;policy receiver id type&lt;/string&gt;
+						&lt;key&gt;Allowed&lt;/key&gt;
+						&lt;false/&gt;
+						&lt;key&gt;Authorization&lt;/key&gt;
+						&lt;string&gt;Allow&lt;/string&gt;
+						&lt;key&gt;CodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy code req&lt;/string&gt;
+						&lt;key&gt;Comment&lt;/key&gt;
+						&lt;string&gt;policy comment&lt;/string&gt;
+						&lt;key&gt;Identifier&lt;/key&gt;
+						&lt;string&gt;policy id&lt;/string&gt;
+						&lt;key&gt;IdentifierType&lt;/key&gt;
+						&lt;string&gt;policy id type&lt;/string&gt;
+					&lt;/dict&gt;
+				&lt;/array&gt;
 				&lt;key&gt;SystemPolicyAllFiles&lt;/key&gt;
 				&lt;array&gt;
 					&lt;dict&gt;
@@ -67,6 +90,52 @@
 						&lt;string&gt;policy id type&lt;/string&gt;
 					&lt;/dict&gt;
 				&lt;/array&gt;
+				&lt;key&gt;SystemPolicyAppBundles&lt;/key&gt;
+				&lt;array&gt;
+					&lt;dict&gt;
+						&lt;key&gt;AEReceiverCodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy receiver code req&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifier&lt;/key&gt;
+						&lt;string&gt;policy receiver id&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifierType&lt;/key&gt;
+						&lt;string&gt;policy receiver id type&lt;/string&gt;
+						&lt;key&gt;Allowed&lt;/key&gt;
+						&lt;false/&gt;
+						&lt;key&gt;Authorization&lt;/key&gt;
+						&lt;string&gt;Allow&lt;/string&gt;
+						&lt;key&gt;CodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy code req&lt;/string&gt;
+						&lt;key&gt;Comment&lt;/key&gt;
+						&lt;string&gt;policy comment&lt;/string&gt;
+						&lt;key&gt;Identifier&lt;/key&gt;
+						&lt;string&gt;policy id&lt;/string&gt;
+						&lt;key&gt;IdentifierType&lt;/key&gt;
+						&lt;string&gt;policy id type&lt;/string&gt;
+					&lt;/dict&gt;
+				&lt;/array&gt;
+				&lt;key&gt;SystemPolicyAppData&lt;/key&gt;
+				&lt;array&gt;
+					&lt;dict&gt;
+						&lt;key&gt;AEReceiverCodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy receiver code req&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifier&lt;/key&gt;
+						&lt;string&gt;policy receiver id&lt;/string&gt;
+						&lt;key&gt;AEReceiverIdentifierType&lt;/key&gt;
+						&lt;string&gt;policy receiver id type&lt;/string&gt;
+						&lt;key&gt;Allowed&lt;/key&gt;
+						&lt;false/&gt;
+						&lt;key&gt;Authorization&lt;/key&gt;
+						&lt;string&gt;Allow&lt;/string&gt;
+						&lt;key&gt;CodeRequirement&lt;/key&gt;
+						&lt;string&gt;policy code req&lt;/string&gt;
+						&lt;key&gt;Comment&lt;/key&gt;
+						&lt;string&gt;policy comment&lt;/string&gt;
+						&lt;key&gt;Identifier&lt;/key&gt;
+						&lt;string&gt;policy id&lt;/string&gt;
+						&lt;key&gt;IdentifierType&lt;/key&gt;
+						&lt;string&gt;policy id type&lt;/string&gt;
+					&lt;/dict&gt;
+				&lt;/array&gt;
 			&lt;/dict&gt;
 		&lt;/dict&gt;
 	&lt;/array&gt;
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-Legacy.mobileconfig b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-Legacy.mobileconfig
new file mode 100644
index 0000000..9092b0c
--- /dev/null
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-Legacy.mobileconfig	
@@ -0,0 +1,575 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDescription</key>
+			<string>Test Unsigned Profile</string>
+			<key>PayloadDisplayName</key>
+			<string>TestUnsignedProfile</string>
+			<key>PayloadIdentifier</key>
+			<string>3A4EDE0C-A189-4372-953F-304ECA0B6489</string>
+			<key>PayloadOrganization</key>
+			<string>Jamf</string>
+			<key>PayloadType</key>
+			<string>com.apple.TCC.configuration-profile-policy</string>
+			<key>PayloadUUID</key>
+			<string>7CAF0BD6-D1DB-486E-9388-CC7F688C51E7</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>Services</key>
+			<dict>
+				<key>Accessibility</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>AddressBook</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>AppleEvents</key>
+				<array>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.finder" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.finder</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.systemuiserver" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.systemuiserver</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "com.apple.finder" and anchor apple</string>
+						<key>AEReceiverIdentifier</key>
+						<string>com.apple.finder</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>AEReceiverCodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>AEReceiverIdentifier</key>
+						<string>io.brackets.appshell</string>
+						<key>AEReceiverIdentifierType</key>
+						<string>bundleID</string>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Calendar</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Camera</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>FileProviderPresence</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>ListenEvent</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>MediaLibrary</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Microphone</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Photos</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>PostEvent</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>Reminders</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>ScreenCapture</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SpeechRecognition</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyAllFiles</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDesktopFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDocumentsFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyDownloadsFolder</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyNetworkVolumes</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicyRemovableVolumes</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+				<key>SystemPolicySysAdminFiles</key>
+				<array>
+					<dict>
+						<key>Allowed</key>
+						<true/>
+						<key>CodeRequirement</key>
+						<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>io.brackets.appshell</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+					<dict>
+						<key>Allowed</key>
+						<false/>
+						<key>CodeRequirement</key>
+						<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+						<key>Comment</key>
+						<string></string>
+						<key>Identifier</key>
+						<string>com.jamfsoftware.JamfAdmin</string>
+						<key>IdentifierType</key>
+						<string>bundleID</string>
+					</dict>
+				</array>
+			</dict>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>Test Unsigned Profile</string>
+	<key>PayloadDisplayName</key>
+	<string>TestUnsignedProfile</string>
+	<key>PayloadIdentifier</key>
+	<string>3A4EDE0C-A189-4372-953F-304ECA0B6489</string>
+	<key>PayloadOrganization</key>
+	<string>Jamf</string>
+	<key>PayloadType</key>
+	<string>com.apple.TCC.configuration-profile-policy</string>
+	<key>PayloadUUID</key>
+	<string>3FF5028C-CAA0-4B2F-A7BF-2A3539074424</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+	<key>PayloadScope</key>
+	<string>system</string>
+</dict>
+</plist>
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig
index de49ccb..8f0f267 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig	
@@ -48,7 +48,22 @@
 						<string>bundleid</string>
 					</dict>
 				</array>
-				<key>addressbook</key>
+	<key>bluetoothalways</key>
+<array>
+<dict>
+<key>allowed</key>
+<true/>
+<key>coderequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>comment</key>
+<string></string>
+<key>identifier</key>
+<string>io.brackets.appshell</string>
+<key>identifiertype</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>addressbook</key>
 				<array>
 					<dict>
 						<key>allowed</key>
@@ -450,7 +465,37 @@
 						<string>bundleid</string>
 					</dict>
 				</array>
-				<key>systempolicydesktopfolder</key>
+	<key>systempolicyappbundles</key>
+<array>
+<dict>
+<key>allowed</key>
+<true/>
+<key>coderequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>comment</key>
+<string></string>
+<key>identifier</key>
+<string>io.brackets.appshell</string>
+<key>identifiertype</key>
+<string>bundleID</string>
+</dict>
+</array>
+<key>systempolicyappdata</key>
+<array>
+<dict>
+<key>allowed</key>
+<true/>
+<key>coderequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>comment</key>
+<string></string>
+<key>identifier</key>
+<string>io.brackets.appshell</string>
+<key>identifiertype</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>systempolicydesktopfolder</key>
 				<array>
 					<dict>
 						<key>allowed</key>
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig
index 9092b0c..b1983e2 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig	
@@ -48,7 +48,34 @@
 						<string>bundleID</string>
 					</dict>
 				</array>
-				<key>AddressBook</key>
+	<key>BluetoothAlways</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>AddressBook</key>
 				<array>
 					<dict>
 						<key>Allowed</key>
@@ -450,7 +477,61 @@
 						<string>bundleID</string>
 					</dict>
 				</array>
-				<key>SystemPolicyDesktopFolder</key>
+	<key>SystemPolicyAppBundles</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+<key>SystemPolicyAppData</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>SystemPolicyDesktopFolder</key>
 				<array>
 					<dict>
 						<key>Allowed</key>
diff --git a/PPPC UtilityUITests/AppLaunchTests.swift b/PPPC UtilityUITests/AppLaunchTests.swift
index 6c736e1..19233c5 100644
--- a/PPPC UtilityUITests/AppLaunchTests.swift	
+++ b/PPPC UtilityUITests/AppLaunchTests.swift	
@@ -79,4 +79,45 @@ final class AppLaunchTests: XCTestCase {
         XCTAssertTrue(removeAppleEventButton.waitForExistence(timeout: 5), "Remove Apple Event button should exist")
         XCTAssertFalse(removeAppleEventButton.isEnabled, "Remove Apple Event button should be disabled with no selection")
     }
+
+    func testServicePopupsExistInExpectedOrder() {
+        app.terminate()
+        app.launchArguments = ["-UITestMode"]
+        app.launch()
+
+        let expectedPopUpOrder = [
+            "AccessibilityPopUp",
+            "AdminFilesPopUp",
+            "AppBundlesPopUp",
+            "AppDataPopUp",
+            "BluetoothAlwaysPopUp",
+            "CalendarPopUp",
+            "CameraPopUp",
+            "AddressBookPopUp",
+            "DesktopFolderPopUp",
+            "DocumentsFolderPopUp",
+            "DownloadsFolderPopUp",
+            "FileProviderPresencePopUp",
+            "AllFilesPopUp",
+            "ListenEventPopUp",
+            "MediaLibraryPopUp",
+            "MicrophonePopUp",
+            "NetworkVolumesPopUp",
+            "PhotosPopUp",
+            "PostEventsPopUp",
+            "RemindersPopUp",
+            "RemovableVolumesPopUp",
+            "ScreenCapturePopUp",
+            "SpeechRecognitionPopUp"
+        ]
+
+        var previousY = -CGFloat.greatestFiniteMagnitude
+        for identifier in expectedPopUpOrder {
+            let popUp = app.popUpButtons[identifier]
+            XCTAssertTrue(popUp.waitForExistence(timeout: 5), "\(identifier) should exist")
+            let currentY = popUp.frame.origin.y
+            XCTAssertGreaterThan(currentY, previousY, "\(identifier) should appear below the previous popup")
+            previousY = currentY
+        }
+    }
 }
diff --git a/Resources/Base.lproj/Main.storyboard b/Resources/Base.lproj/Main.storyboard
index 501e3e0..0c9d662 100644
--- a/Resources/Base.lproj/Main.storyboard
+++ b/Resources/Base.lproj/Main.storyboard
@@ -915,6 +915,180 @@
                                                         <real value="3.4028234663852886e+38"/>
                                                     </customSpacing>
                                                 </stackView>
+                                                <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ab1-BB-sv1" userLabel="App Bundles Stack View">
+                                                    <rect key="frame" x="0.0" y="0.0" width="630" height="50"/>
+                                                    <subviews>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ab1-BB-tf1">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
+                                                            <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="App Bundles:" id="ab1-BB-tc1">
+                                                                <font key="font" usesAppearanceFont="YES"/>
+                                                                <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                                                                <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                                                            </textFieldCell>
+                                                        </textField>
+                                                        <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ab1-BB-pu1">
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
+                                                            <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="ab1-BB-m11" id="ab1-BB-pc1">
+                                                                <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="message"/>
+                                                                <menu key="menu" id="ab1-BB-mn1">
+                                                                    <items>
+                                                                        <menuItem title="-" state="on" id="ab1-BB-m11"/>
+                                                                        <menuItem title="Allow" id="ab1-BB-m12"/>
+                                                                        <menuItem title="Deny" id="ab1-BB-m13"/>
+                                                                    </items>
+                                                                </menu>
+                                                            </popUpButtonCell>
+                                                            <connections>
+                                                                <binding destination="ab1-BB-ar1" name="content" keyPath="arrangedObjects" id="ab1-BB-bd1"/>
+                                                                <binding destination="qId-iR-fmq" name="selectedObject" keyPath="selection.policy.SystemPolicyAppBundles" previousBinding="ab1-BB-bd1" id="ab1-BB-bd2"/>
+                                                            </connections>
+                                                        </popUpButton>
+                                                        <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ab1-BB-ib1" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
+                                                            <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="ab1-BB-bc1">
+                                                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="system"/>
+                                                            </buttonCell>
+                                                            <connections>
+                                                                <action selector="showHelpMessage:" target="ZfI-PN-mks" id="ab1-BB-ac1"/>
+                                                            </connections>
+                                                        </button>
+                                                    </subviews>
+                                                    <edgeInsets key="edgeInsets" left="10" right="10" top="0.0" bottom="0.0"/>
+                                                    <constraints>
+                                                        <constraint firstItem="ab1-BB-ib1" firstAttribute="centerY" secondItem="ab1-BB-pu1" secondAttribute="centerY" id="ab1-BB-c01"/>
+                                                        <constraint firstAttribute="bottom" secondItem="ab1-BB-pu1" secondAttribute="bottom" id="ab1-BB-c02"/>
+                                                        <constraint firstItem="ab1-BB-tf1" firstAttribute="centerY" secondItem="ab1-BB-pu1" secondAttribute="centerY" id="ab1-BB-c03"/>
+                                                        <constraint firstItem="ab1-BB-pu1" firstAttribute="top" secondItem="ab1-BB-sv1" secondAttribute="top" id="ab1-BB-c04"/>
+                                                    </constraints>
+                                                    <visibilityPriorities>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                    </visibilityPriorities>
+                                                    <customSpacing>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                    </customSpacing>
+                                                </stackView>
+                                                <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ad1-CC-sv1" userLabel="App Data Stack View">
+                                                    <rect key="frame" x="0.0" y="0.0" width="630" height="50"/>
+                                                    <subviews>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ad1-CC-tf1">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
+                                                            <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="App Data:" id="ad1-CC-tc1">
+                                                                <font key="font" usesAppearanceFont="YES"/>
+                                                                <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                                                                <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                                                            </textFieldCell>
+                                                        </textField>
+                                                        <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ad1-CC-pu1">
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
+                                                            <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="ad1-CC-m11" id="ad1-CC-pc1">
+                                                                <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="message"/>
+                                                                <menu key="menu" id="ad1-CC-mn1">
+                                                                    <items>
+                                                                        <menuItem title="-" state="on" id="ad1-CC-m11"/>
+                                                                        <menuItem title="Allow" id="ad1-CC-m12"/>
+                                                                        <menuItem title="Deny" id="ad1-CC-m13"/>
+                                                                    </items>
+                                                                </menu>
+                                                            </popUpButtonCell>
+                                                            <connections>
+                                                                <binding destination="ad1-CC-ar1" name="content" keyPath="arrangedObjects" id="ad1-CC-bd1"/>
+                                                                <binding destination="qId-iR-fmq" name="selectedObject" keyPath="selection.policy.SystemPolicyAppData" previousBinding="ad1-CC-bd1" id="ad1-CC-bd2"/>
+                                                            </connections>
+                                                        </popUpButton>
+                                                        <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="ad1-CC-ib1" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
+                                                            <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="ad1-CC-bc1">
+                                                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="system"/>
+                                                            </buttonCell>
+                                                            <connections>
+                                                                <action selector="showHelpMessage:" target="ZfI-PN-mks" id="ad1-CC-ac1"/>
+                                                            </connections>
+                                                        </button>
+                                                    </subviews>
+                                                    <edgeInsets key="edgeInsets" left="10" right="10" top="0.0" bottom="0.0"/>
+                                                    <constraints>
+                                                        <constraint firstItem="ad1-CC-ib1" firstAttribute="centerY" secondItem="ad1-CC-pu1" secondAttribute="centerY" id="ad1-CC-c01"/>
+                                                        <constraint firstAttribute="bottom" secondItem="ad1-CC-pu1" secondAttribute="bottom" id="ad1-CC-c02"/>
+                                                        <constraint firstItem="ad1-CC-tf1" firstAttribute="centerY" secondItem="ad1-CC-pu1" secondAttribute="centerY" id="ad1-CC-c03"/>
+                                                        <constraint firstItem="ad1-CC-pu1" firstAttribute="top" secondItem="ad1-CC-sv1" secondAttribute="top" id="ad1-CC-c04"/>
+                                                    </constraints>
+                                                    <visibilityPriorities>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                    </visibilityPriorities>
+                                                    <customSpacing>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                    </customSpacing>
+                                                </stackView>
+                                                <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bt1-AA-sv1" userLabel="Bluetooth Always Stack View">
+                                                    <rect key="frame" x="0.0" y="0.0" width="630" height="50"/>
+                                                    <subviews>
+                                                        <textField focusRingType="none" horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bt1-AA-tf1">
+                                                            <rect key="frame" x="8" y="17" width="369" height="16"/>
+                                                            <textFieldCell key="cell" lineBreakMode="clipping" alignment="left" title="Bluetooth Always:" id="bt1-AA-tc1">
+                                                                <font key="font" usesAppearanceFont="YES"/>
+                                                                <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                                                                <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                                                            </textFieldCell>
+                                                        </textField>
+                                                        <popUpButton verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bt1-AA-pu1">
+                                                            <rect key="frame" x="383" y="0.0" width="205" height="50"/>
+                                                            <popUpButtonCell key="cell" type="push" title="-" bezelStyle="rounded" alignment="left" lineBreakMode="truncatingTail" state="on" borderStyle="borderAndBezel" imageScaling="proportionallyDown" inset="2" selectedItem="bt1-AA-m11" id="bt1-AA-pc1">
+                                                                <behavior key="behavior" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="message"/>
+                                                                <menu key="menu" id="bt1-AA-mn1">
+                                                                    <items>
+                                                                        <menuItem title="-" state="on" id="bt1-AA-m11"/>
+                                                                        <menuItem title="Allow" id="bt1-AA-m12"/>
+                                                                        <menuItem title="Deny" id="bt1-AA-m13"/>
+                                                                    </items>
+                                                                </menu>
+                                                            </popUpButtonCell>
+                                                            <connections>
+                                                                <binding destination="bt1-AA-ar1" name="content" keyPath="arrangedObjects" id="bt1-AA-bd1"/>
+                                                                <binding destination="qId-iR-fmq" name="selectedObject" keyPath="selection.policy.BluetoothAlways" previousBinding="bt1-AA-bd1" id="bt1-AA-bd2"/>
+                                                            </connections>
+                                                        </popUpButton>
+                                                        <button horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="bt1-AA-ib1" customClass="InfoButton" customModule="PPPC_Utility" customModuleProvider="target">
+                                                            <rect key="frame" x="596" y="13" width="24" height="24"/>
+                                                            <buttonCell key="cell" type="help" bezelStyle="helpButton" alignment="center" borderStyle="border" inset="2" id="bt1-AA-bc1">
+                                                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                                                <font key="font" metaFont="system"/>
+                                                            </buttonCell>
+                                                            <connections>
+                                                                <action selector="showHelpMessage:" target="ZfI-PN-mks" id="bt1-AA-ac1"/>
+                                                            </connections>
+                                                        </button>
+                                                    </subviews>
+                                                    <edgeInsets key="edgeInsets" left="10" right="10" top="0.0" bottom="0.0"/>
+                                                    <constraints>
+                                                        <constraint firstItem="bt1-AA-ib1" firstAttribute="centerY" secondItem="bt1-AA-pu1" secondAttribute="centerY" id="bt1-AA-c01"/>
+                                                        <constraint firstAttribute="bottom" secondItem="bt1-AA-pu1" secondAttribute="bottom" id="bt1-AA-c02"/>
+                                                        <constraint firstItem="bt1-AA-tf1" firstAttribute="centerY" secondItem="bt1-AA-pu1" secondAttribute="centerY" id="bt1-AA-c03"/>
+                                                        <constraint firstItem="bt1-AA-pu1" firstAttribute="top" secondItem="bt1-AA-sv1" secondAttribute="top" id="bt1-AA-c04"/>
+                                                    </constraints>
+                                                    <visibilityPriorities>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                        <integer value="1000"/>
+                                                    </visibilityPriorities>
+                                                    <customSpacing>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                        <real value="3.4028234663852886e+38"/>
+                                                    </customSpacing>
+                                                </stackView>
                                                 <stackView distribution="fill" orientation="horizontal" alignment="top" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="7Go-DV-ssf">
                                                     <rect key="frame" x="0.0" y="850" width="630" height="50"/>
                                                     <subviews>
@@ -2014,6 +2188,15 @@
                                                 <constraint firstItem="kPv-Tl-c0b" firstAttribute="width" secondItem="kz4-ht-2cC" secondAttribute="width" id="zKx-vk-T2B"/>
                                                 <constraint firstItem="27r-Jg-Rxp" firstAttribute="width" secondItem="kIP-RZ-a35" secondAttribute="width" id="zXN-8y-1Oh"/>
                                                 <constraint firstItem="ZGr-iF-K0I" firstAttribute="width" secondItem="kz4-ht-2cC" secondAttribute="width" id="zmL-Oa-V6k"/>
+                                                <constraint firstItem="bt1-AA-sv1" firstAttribute="width" secondItem="kz4-ht-2cC" secondAttribute="width" id="bt1-AA-w01"/>
+                                                <constraint firstItem="bt1-AA-sv1" firstAttribute="height" secondItem="9iO-vL-Pwi" secondAttribute="height" id="bt1-AA-h01"/>
+                                                <constraint firstItem="bt1-AA-pu1" firstAttribute="width" secondItem="kIP-RZ-a35" secondAttribute="width" id="bt1-AA-w02"/>
+                                                <constraint firstItem="ab1-BB-sv1" firstAttribute="width" secondItem="kz4-ht-2cC" secondAttribute="width" id="ab1-BB-w01"/>
+                                                <constraint firstItem="ab1-BB-sv1" firstAttribute="height" secondItem="9iO-vL-Pwi" secondAttribute="height" id="ab1-BB-h01"/>
+                                                <constraint firstItem="ab1-BB-pu1" firstAttribute="width" secondItem="kIP-RZ-a35" secondAttribute="width" id="ab1-BB-w02"/>
+                                                <constraint firstItem="ad1-CC-sv1" firstAttribute="width" secondItem="kz4-ht-2cC" secondAttribute="width" id="ad1-CC-w01"/>
+                                                <constraint firstItem="ad1-CC-sv1" firstAttribute="height" secondItem="9iO-vL-Pwi" secondAttribute="height" id="ad1-CC-h01"/>
+                                                <constraint firstItem="ad1-CC-pu1" firstAttribute="width" secondItem="kIP-RZ-a35" secondAttribute="width" id="ad1-CC-w02"/>
                                             </constraints>
                                             <visibilityPriorities>
                                                 <integer value="1000"/>
@@ -2036,6 +2219,9 @@
                                                 <integer value="1000"/>
                                                 <integer value="1000"/>
                                                 <integer value="1000"/>
+                                                <integer value="1000"/>
+                                                <integer value="1000"/>
+                                                <integer value="1000"/>
                                             </visibilityPriorities>
                                             <customSpacing>
                                                 <real value="3.4028234663852886e+38"/>
@@ -2058,6 +2244,9 @@
                                                 <real value="3.4028234663852886e+38"/>
                                                 <real value="3.4028234663852886e+38"/>
                                                 <real value="3.4028234663852886e+38"/>
+                                                <real value="3.4028234663852886e+38"/>
+                                                <real value="3.4028234663852886e+38"/>
+                                                <real value="3.4028234663852886e+38"/>
                                             </customSpacing>
                                         </stackView>
                                     </subviews>
@@ -2541,6 +2730,18 @@
                         <outlet property="speechRecognitionPopUp" destination="0Bc-Aj-hsp" id="HNo-xJ-kfA"/>
                         <outlet property="speechRecognitionPopUpAC" destination="IEZ-zf-QjT" id="agd-t2-bmc"/>
                         <outlet property="speechRecognitionStackView" destination="thb-Gy-Auo" id="uuT-Yb-Ibd"/>
+                        <outlet property="bluetoothAlwaysHelpButton" destination="bt1-AA-ib1" id="bt1-AA-o01"/>
+                        <outlet property="bluetoothAlwaysPopUp" destination="bt1-AA-pu1" id="bt1-AA-o02"/>
+                        <outlet property="bluetoothAlwaysPopUpAC" destination="bt1-AA-ar1" id="bt1-AA-o03"/>
+                        <outlet property="bluetoothAlwaysStackView" destination="bt1-AA-sv1" id="bt1-AA-o04"/>
+                        <outlet property="appBundlesHelpButton" destination="ab1-BB-ib1" id="ab1-BB-o01"/>
+                        <outlet property="appBundlesPopUp" destination="ab1-BB-pu1" id="ab1-BB-o02"/>
+                        <outlet property="appBundlesPopUpAC" destination="ab1-BB-ar1" id="ab1-BB-o03"/>
+                        <outlet property="appBundlesStackView" destination="ab1-BB-sv1" id="ab1-BB-o04"/>
+                        <outlet property="appDataHelpButton" destination="ad1-CC-ib1" id="ad1-CC-o01"/>
+                        <outlet property="appDataPopUp" destination="ad1-CC-pu1" id="ad1-CC-o02"/>
+                        <outlet property="appDataPopUpAC" destination="ad1-CC-ar1" id="ad1-CC-o03"/>
+                        <outlet property="appDataStackView" destination="ad1-CC-sv1" id="ad1-CC-o04"/>
                         <outlet property="uploadButton" destination="wba-mI-3Kz" id="A7X-l6-awl"/>
                     </connections>
                 </viewController>
@@ -2591,6 +2792,9 @@
                 <arrayController id="enB-rh-Zf7"/>
                 <arrayController id="lgP-c3-wQo"/>
                 <arrayController id="sRi-eg-n1o"/>
+                <arrayController id="bt1-AA-ar1"/>
+                <arrayController id="ab1-BB-ar1"/>
+                <arrayController id="ad1-CC-ar1"/>
                 <arrayController objectClassName="AppleEventRule" id="qGh-WP-H0J">
                     <classReference key="objectClass" className="AppleEventRule"/>
                     <connections>
diff --git a/Resources/PPPCServices.json b/Resources/PPPCServices.json
index 72d6410..dd1f938 100644
--- a/Resources/PPPCServices.json
+++ b/Resources/PPPCServices.json
@@ -4,6 +4,11 @@
         "englishName": "Accessibility",
         "englishDescription": "Allows specified apps to control the Mac via Accessibility APIs."
     },
+    {
+        "mdmKey": "BluetoothAlways",
+        "englishName": "Bluetooth Always",
+        "englishDescription": "Specifies the policies for the app to access Bluetooth devices."
+    },
     {
         "mdmKey": "AppleEvents",
         "englishName": "AppleEvents",
@@ -181,6 +186,16 @@
             "com.apple.security.files.user-selected.read-write"
         ]
     },
+    {
+        "mdmKey": "SystemPolicyAppBundles",
+        "englishName": "App Bundles",
+        "englishDescription": "Allows the app to update or delete other apps."
+    },
+    {
+        "mdmKey": "SystemPolicyAppData",
+        "englishName": "App Data",
+        "englishDescription": "Specifies the policies for the app to access the data of other apps."
+    },
     {
         "mdmKey": "SystemPolicySysAdminFiles",
         "englishName": "Administrator Files",
diff --git a/Resources/TestTCCUnsignedProfile.mobileconfig b/Resources/TestTCCUnsignedProfile.mobileconfig
index 9092b0c..b1983e2 100644
--- a/Resources/TestTCCUnsignedProfile.mobileconfig
+++ b/Resources/TestTCCUnsignedProfile.mobileconfig
@@ -48,7 +48,34 @@
 						<string>bundleID</string>
 					</dict>
 				</array>
-				<key>AddressBook</key>
+	<key>BluetoothAlways</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>AddressBook</key>
 				<array>
 					<dict>
 						<key>Allowed</key>
@@ -450,7 +477,61 @@
 						<string>bundleID</string>
 					</dict>
 				</array>
-				<key>SystemPolicyDesktopFolder</key>
+	<key>SystemPolicyAppBundles</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+<key>SystemPolicyAppData</key>
+<array>
+<dict>
+<key>Allowed</key>
+<true/>
+<key>CodeRequirement</key>
+<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>io.brackets.appshell</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+<dict>
+<key>Allowed</key>
+<false/>
+<key>CodeRequirement</key>
+<string>identifier "com.jamfsoftware.JamfAdmin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
+<key>Comment</key>
+<string></string>
+<key>Identifier</key>
+<string>com.jamfsoftware.JamfAdmin</string>
+<key>IdentifierType</key>
+<string>bundleID</string>
+</dict>
+</array>
+			<key>SystemPolicyDesktopFolder</key>
 				<array>
 					<dict>
 						<key>Allowed</key>
diff --git a/Source/Model/Executable.swift b/Source/Model/Executable.swift
index 9e4cc25..aaaab3e 100644
--- a/Source/Model/Executable.swift
+++ b/Source/Model/Executable.swift
@@ -76,6 +76,7 @@ class Executable: NSObject {
 
 class Policy: NSObject {
     @objc dynamic var AddressBook: String = "-"
+    @objc dynamic var BluetoothAlways: String = "-"
     @objc dynamic var Calendar: String = "-"
     @objc dynamic var Reminders: String = "-"
     @objc dynamic var Photos: String = "-"
@@ -84,6 +85,8 @@ class Policy: NSObject {
     @objc dynamic var Accessibility: String = "-"
     @objc dynamic var PostEvent: String = "-"
     @objc dynamic var SystemPolicyAllFiles: String = "-"
+    @objc dynamic var SystemPolicyAppBundles: String = "-"
+    @objc dynamic var SystemPolicyAppData: String = "-"
     @objc dynamic var SystemPolicySysAdminFiles: String = "-"
     @objc dynamic var FileProviderPresence: String = "-"
     @objc dynamic var ListenEvent: String = "-"
diff --git a/Source/Model/TCCProfile.swift b/Source/Model/TCCProfile.swift
index 2c01a38..b161f40 100644
--- a/Source/Model/TCCProfile.swift
+++ b/Source/Model/TCCProfile.swift
@@ -194,25 +194,28 @@ public struct TCCProfile: Codable {
 }
 
 enum ServicesKeys: String {
+    case accessibility = "Accessibility"
     case addressBook = "AddressBook"
+    case adminFiles = "SystemPolicySysAdminFiles"
+    case allFiles = "SystemPolicyAllFiles"
+    case appBundles = "SystemPolicyAppBundles"
+    case appData = "SystemPolicyAppData"
+    case appleEvents = "AppleEvents"
+    case bluetoothAlways = "BluetoothAlways"
     case calendar = "Calendar"
-    case reminders = "Reminders"
-    case photos = "Photos"
     case camera = "Camera"
-    case microphone = "Microphone"
-    case accessibility = "Accessibility"
-    case postEvent = "PostEvent"
-    case allFiles = "SystemPolicyAllFiles"
-    case adminFiles = "SystemPolicySysAdminFiles"
-    case fileProviderPresence = "FileProviderPresence"
-    case listenEvent = "ListenEvent"
-    case mediaLibrary = "MediaLibrary"
-    case screenCapture = "ScreenCapture"
-    case speechRecognition = "SpeechRecognition"
     case desktopFolder = "SystemPolicyDesktopFolder"
     case documentsFolder = "SystemPolicyDocumentsFolder"
     case downloadsFolder = "SystemPolicyDownloadsFolder"
+    case fileProviderPresence = "FileProviderPresence"
+    case listenEvent = "ListenEvent"
+    case mediaLibrary = "MediaLibrary"
+    case microphone = "Microphone"
     case networkVolumes = "SystemPolicyNetworkVolumes"
+    case photos = "Photos"
+    case postEvent = "PostEvent"
+    case reminders = "Reminders"
     case removableVolumes = "SystemPolicyRemovableVolumes"
-    case appleEvents = "AppleEvents"
+    case screenCapture = "ScreenCapture"
+    case speechRecognition = "SpeechRecognition"
 }
diff --git a/Source/View Controllers/TCCProfileViewController.swift b/Source/View Controllers/TCCProfileViewController.swift
index 9b670e0..a85daf5 100644
--- a/Source/View Controllers/TCCProfileViewController.swift	
+++ b/Source/View Controllers/TCCProfileViewController.swift	
@@ -52,80 +52,92 @@ class TCCProfileViewController: NSViewController {
     @IBOutlet weak var identifierLabel: NSTextField!
     @IBOutlet weak var codeRequirementLabel: NSTextField!
 
-    @IBOutlet weak var addressBookPopUp: NSPopUpButton!
-    @IBOutlet weak var photosPopUp: NSPopUpButton!
-    @IBOutlet weak var remindersPopUp: NSPopUpButton!
-    @IBOutlet weak var calendarPopUp: NSPopUpButton!
     @IBOutlet weak var accessibilityPopUp: NSPopUpButton!
-    @IBOutlet weak var postEventsPopUp: NSPopUpButton!
+    @IBOutlet weak var addressBookPopUp: NSPopUpButton!
     @IBOutlet weak var adminFilesPopUp: NSPopUpButton!
     @IBOutlet weak var allFilesPopUp: NSPopUpButton!
+    @IBOutlet weak var appBundlesPopUp: NSPopUpButton!
+    @IBOutlet weak var appDataPopUp: NSPopUpButton!
+    @IBOutlet weak var bluetoothAlwaysPopUp: NSPopUpButton!
+    @IBOutlet weak var calendarPopUp: NSPopUpButton!
     @IBOutlet weak var cameraPopUp: NSPopUpButton!
-    @IBOutlet weak var microphonePopUp: NSPopUpButton!
-    @IBOutlet weak var fileProviderPresencePopUp: NSPopUpButton!
-    @IBOutlet weak var listenEventPopUp: NSPopUpButton!
-    @IBOutlet weak var mediaLibraryPopUp: NSPopUpButton!
-    @IBOutlet weak var screenCapturePopUp: NSPopUpButton!
-    @IBOutlet weak var speechRecognitionPopUp: NSPopUpButton!
     @IBOutlet weak var dekstopFolderPopUp: NSPopUpButton!
     @IBOutlet weak var documentsFolderPopUp: NSPopUpButton!
     @IBOutlet weak var downloadsFolderPopUp: NSPopUpButton!
+    @IBOutlet weak var fileProviderPresencePopUp: NSPopUpButton!
+    @IBOutlet weak var listenEventPopUp: NSPopUpButton!
+    @IBOutlet weak var mediaLibraryPopUp: NSPopUpButton!
+    @IBOutlet weak var microphonePopUp: NSPopUpButton!
     @IBOutlet weak var networkVolumesPopUp: NSPopUpButton!
+    @IBOutlet weak var photosPopUp: NSPopUpButton!
+    @IBOutlet weak var postEventsPopUp: NSPopUpButton!
+    @IBOutlet weak var remindersPopUp: NSPopUpButton!
     @IBOutlet weak var removableVolumesPopUp: NSPopUpButton!
+    @IBOutlet weak var screenCapturePopUp: NSPopUpButton!
+    @IBOutlet weak var speechRecognitionPopUp: NSPopUpButton!
 
     // Labels with descriptions
-    @IBOutlet weak var addressBookHelpButton: InfoButton!
-    @IBOutlet weak var photosHelpButton: InfoButton!
-    @IBOutlet weak var remindersHelpButton: InfoButton!
-    @IBOutlet weak var calendarHelpButton: InfoButton!
     @IBOutlet weak var accessibilityHelpButton: InfoButton!
-    @IBOutlet weak var postEventsHelpButton: InfoButton!
+    @IBOutlet weak var addressBookHelpButton: InfoButton!
     @IBOutlet weak var adminFilesHelpButton: InfoButton!
     @IBOutlet weak var allFilesHelpButton: InfoButton!
+    @IBOutlet weak var appBundlesHelpButton: InfoButton!
+    @IBOutlet weak var appDataHelpButton: InfoButton!
+    @IBOutlet weak var bluetoothAlwaysHelpButton: InfoButton!
+    @IBOutlet weak var calendarHelpButton: InfoButton!
     @IBOutlet weak var cameraHelpButton: InfoButton!
-    @IBOutlet weak var microphoneHelpButton: InfoButton!
-    @IBOutlet weak var fileProviderHelpButton: InfoButton!
-    @IBOutlet weak var listenEventHelpButton: InfoButton!
-    @IBOutlet weak var mediaLibraryHelpButton: InfoButton!
-    @IBOutlet weak var screenCaptureHelpButton: InfoButton!
-    @IBOutlet weak var speechRecognitionHelpButton: InfoButton!
     @IBOutlet weak var desktopFolderHelpButton: InfoButton!
     @IBOutlet weak var documentsFolderHelpButton: InfoButton!
     @IBOutlet weak var downloadsFolderHelpButton: InfoButton!
+    @IBOutlet weak var fileProviderHelpButton: InfoButton!
+    @IBOutlet weak var listenEventHelpButton: InfoButton!
+    @IBOutlet weak var mediaLibraryHelpButton: InfoButton!
+    @IBOutlet weak var microphoneHelpButton: InfoButton!
     @IBOutlet weak var networkVolumesHelpButton: InfoButton!
+    @IBOutlet weak var photosHelpButton: InfoButton!
+    @IBOutlet weak var postEventsHelpButton: InfoButton!
+    @IBOutlet weak var remindersHelpButton: InfoButton!
     @IBOutlet weak var removableVolumesHelpButton: InfoButton!
+    @IBOutlet weak var screenCaptureHelpButton: InfoButton!
+    @IBOutlet weak var speechRecognitionHelpButton: InfoButton!
 
     @IBOutlet weak var adminFilesStackView: NSStackView!
+    @IBOutlet weak var allFilesStackView: NSStackView!
+    @IBOutlet weak var appBundlesStackView: NSStackView!
+    @IBOutlet weak var appDataStackView: NSStackView!
+    @IBOutlet weak var bluetoothAlwaysStackView: NSStackView!
     @IBOutlet weak var cameraStackView: NSStackView!
     @IBOutlet weak var desktopFolderStackView: NSStackView!
     @IBOutlet weak var downloadsFolderStackView: NSStackView!
-    @IBOutlet weak var allFilesStackView: NSStackView!
     @IBOutlet weak var mediaLibraryStackView: NSStackView!
     @IBOutlet weak var networkVolumesStackView: NSStackView!
     @IBOutlet weak var postEventsStackView: NSStackView!
     @IBOutlet weak var removableVolumesStackView: NSStackView!
     @IBOutlet weak var speechRecognitionStackView: NSStackView!
 
-    @IBOutlet weak var addressBookPopUpAC: NSArrayController!
-    @IBOutlet weak var photosPopUpAC: NSArrayController!
-    @IBOutlet weak var remindersPopUpAC: NSArrayController!
-    @IBOutlet weak var calendarPopUpAC: NSArrayController!
     @IBOutlet weak var accessibilityPopUpAC: NSArrayController!
-    @IBOutlet weak var postEventsPopUpAC: NSArrayController!
+    @IBOutlet weak var addressBookPopUpAC: NSArrayController!
     @IBOutlet weak var adminFilesPopUpAC: NSArrayController!
     @IBOutlet weak var allFilesPopUpAC: NSArrayController!
+    @IBOutlet weak var appBundlesPopUpAC: NSArrayController!
+    @IBOutlet weak var appDataPopUpAC: NSArrayController!
+    @IBOutlet weak var bluetoothAlwaysPopUpAC: NSArrayController!
+    @IBOutlet weak var calendarPopUpAC: NSArrayController!
     @IBOutlet weak var cameraPopUpAC: NSArrayController!
-    @IBOutlet weak var microphonePopUpAC: NSArrayController!
-    @IBOutlet weak var fileProviderPresencePopUpAC: NSArrayController!
-    @IBOutlet weak var listenEventPopUpAC: NSArrayController!
-    @IBOutlet weak var mediaLibraryPopUpAC: NSArrayController!
-    @IBOutlet weak var screenCapturePopUpAC: NSArrayController!
-    @IBOutlet weak var speechRecognitionPopUpAC: NSArrayController!
     @IBOutlet weak var dekstopFolderPopUpAC: NSArrayController!
     @IBOutlet weak var documentsFolderPopUpAC: NSArrayController!
     @IBOutlet weak var downloadsFolderPopUpAC: NSArrayController!
+    @IBOutlet weak var fileProviderPresencePopUpAC: NSArrayController!
+    @IBOutlet weak var listenEventPopUpAC: NSArrayController!
+    @IBOutlet weak var mediaLibraryPopUpAC: NSArrayController!
+    @IBOutlet weak var microphonePopUpAC: NSArrayController!
     @IBOutlet weak var networkVolumesPopUpAC: NSArrayController!
+    @IBOutlet weak var photosPopUpAC: NSArrayController!
+    @IBOutlet weak var remindersPopUpAC: NSArrayController!
     @IBOutlet weak var removableVolumesPopUpAC: NSArrayController!
+    @IBOutlet weak var screenCapturePopUpAC: NSArrayController!
+    @IBOutlet weak var speechRecognitionPopUpAC: NSArrayController!
+    @IBOutlet weak var postEventsPopUpAC: NSArrayController!
 
     @IBOutlet weak var saveButton: NSButton!
     @IBOutlet weak var uploadButton: NSButton!
@@ -238,22 +250,25 @@ class TCCProfileViewController: NSViewController {
 
         //  Setup policy pop up
         setupAllowDeny(policies: [
-            addressBookPopUpAC,
-            photosPopUpAC,
-            remindersPopUpAC,
-            calendarPopUpAC,
             accessibilityPopUpAC,
-            postEventsPopUpAC,
+            addressBookPopUpAC,
             adminFilesPopUpAC,
             allFilesPopUpAC,
-            fileProviderPresencePopUpAC,
-            mediaLibraryPopUpAC,
-            speechRecognitionPopUpAC,
+            appBundlesPopUpAC,
+            appDataPopUpAC,
+            bluetoothAlwaysPopUpAC,
+            calendarPopUpAC,
             dekstopFolderPopUpAC,
             documentsFolderPopUpAC,
             downloadsFolderPopUpAC,
+            fileProviderPresencePopUpAC,
+            mediaLibraryPopUpAC,
             networkVolumesPopUpAC,
-            removableVolumesPopUpAC
+            photosPopUpAC,
+            postEventsPopUpAC,
+            remindersPopUpAC,
+            removableVolumesPopUpAC,
+            speechRecognitionPopUpAC
         ])
 
         setupStandardUserAllowAndDeny(policies: [
@@ -270,10 +285,13 @@ class TCCProfileViewController: NSViewController {
 
         setupStackViewsWithBackground(stackViews: [
             adminFilesStackView,
+            allFilesStackView,
+            appBundlesStackView,
+            appDataStackView,
+            bluetoothAlwaysStackView,
             cameraStackView,
             desktopFolderStackView,
             downloadsFolderStackView,
-            allFilesStackView,
             mediaLibraryStackView,
             networkVolumesStackView,
             postEventsStackView,
@@ -340,26 +358,29 @@ class TCCProfileViewController: NSViewController {
 
     private func setupDescriptions() {
         let services = PPPCServicesManager.shared
-        addressBookHelpButton.setHelpMessage(services.allServices["AddressBook"]?.userHelp)
-        photosHelpButton.setHelpMessage(services.allServices["Photos"]?.userHelp)
-        remindersHelpButton.setHelpMessage(services.allServices["Reminders"]?.userHelp)
-        calendarHelpButton.setHelpMessage(services.allServices["Calendar"]?.userHelp)
         accessibilityHelpButton.setHelpMessage(services.allServices["Accessibility"]?.userHelp)
-        postEventsHelpButton.setHelpMessage(services.allServices["PostEvent"]?.userHelp)
+        addressBookHelpButton.setHelpMessage(services.allServices["AddressBook"]?.userHelp)
         adminFilesHelpButton.setHelpMessage(services.allServices["SystemPolicySysAdminFiles"]?.userHelp)
         allFilesHelpButton.setHelpMessage(services.allServices["SystemPolicyAllFiles"]?.userHelp)
+        appBundlesHelpButton.setHelpMessage(services.allServices["SystemPolicyAppBundles"]?.userHelp)
+        appDataHelpButton.setHelpMessage(services.allServices["SystemPolicyAppData"]?.userHelp)
+        bluetoothAlwaysHelpButton.setHelpMessage(services.allServices["BluetoothAlways"]?.userHelp)
+        calendarHelpButton.setHelpMessage(services.allServices["Calendar"]?.userHelp)
         cameraHelpButton.setHelpMessage(services.allServices["Camera"]?.userHelp)
-        microphoneHelpButton.setHelpMessage(services.allServices["Microphone"]?.userHelp)
-        fileProviderHelpButton.setHelpMessage(services.allServices["FileProviderPresence"]?.userHelp)
-        listenEventHelpButton.setHelpMessage(services.allServices["ListenEvent"]?.userHelp)
-        mediaLibraryHelpButton.setHelpMessage(services.allServices["MediaLibrary"]?.userHelp)
-        screenCaptureHelpButton.setHelpMessage(services.allServices["ScreenCapture"]?.userHelp)
-        speechRecognitionHelpButton.setHelpMessage(services.allServices["SpeechRecognition"]?.userHelp)
         desktopFolderHelpButton.setHelpMessage(services.allServices["SystemPolicyDesktopFolder"]?.userHelp)
         documentsFolderHelpButton.setHelpMessage(services.allServices["SystemPolicyDocumentsFolder"]?.userHelp)
         downloadsFolderHelpButton.setHelpMessage(services.allServices["SystemPolicyDownloadsFolder"]?.userHelp)
+        fileProviderHelpButton.setHelpMessage(services.allServices["FileProviderPresence"]?.userHelp)
+        listenEventHelpButton.setHelpMessage(services.allServices["ListenEvent"]?.userHelp)
+        mediaLibraryHelpButton.setHelpMessage(services.allServices["MediaLibrary"]?.userHelp)
+        microphoneHelpButton.setHelpMessage(services.allServices["Microphone"]?.userHelp)
         networkVolumesHelpButton.setHelpMessage(services.allServices["SystemPolicyNetworkVolumes"]?.userHelp)
+        photosHelpButton.setHelpMessage(services.allServices["Photos"]?.userHelp)
+        postEventsHelpButton.setHelpMessage(services.allServices["PostEvent"]?.userHelp)
+        remindersHelpButton.setHelpMessage(services.allServices["Reminders"]?.userHelp)
         removableVolumesHelpButton.setHelpMessage(services.allServices["SystemPolicyRemovableVolumes"]?.userHelp)
+        screenCaptureHelpButton.setHelpMessage(services.allServices["ScreenCapture"]?.userHelp)
+        speechRecognitionHelpButton.setHelpMessage(services.allServices["SpeechRecognition"]?.userHelp)
     }
 
     override func prepare(for segue: NSStoryboardSegue, sender: Any?) {
@@ -414,6 +435,29 @@ class TCCProfileViewController: NSViewController {
         addAppleEventButton.setAccessibilityIdentifier("AddAppleEventButton")
         removeAppleEventButton.setAccessibilityIdentifier("RemoveAppleEventButton")
         removeExecutableButton.setAccessibilityIdentifier("RemoveExecutableButton")
+        accessibilityPopUp.setAccessibilityIdentifier("AccessibilityPopUp")
+        addressBookPopUp.setAccessibilityIdentifier("AddressBookPopUp")
+        adminFilesPopUp.setAccessibilityIdentifier("AdminFilesPopUp")
+        allFilesPopUp.setAccessibilityIdentifier("AllFilesPopUp")
+        appBundlesPopUp.setAccessibilityIdentifier("AppBundlesPopUp")
+        appDataPopUp.setAccessibilityIdentifier("AppDataPopUp")
+        bluetoothAlwaysPopUp.setAccessibilityIdentifier("BluetoothAlwaysPopUp")
+        calendarPopUp.setAccessibilityIdentifier("CalendarPopUp")
+        cameraPopUp.setAccessibilityIdentifier("CameraPopUp")
+        dekstopFolderPopUp.setAccessibilityIdentifier("DesktopFolderPopUp")
+        documentsFolderPopUp.setAccessibilityIdentifier("DocumentsFolderPopUp")
+        downloadsFolderPopUp.setAccessibilityIdentifier("DownloadsFolderPopUp")
+        fileProviderPresencePopUp.setAccessibilityIdentifier("FileProviderPresencePopUp")
+        listenEventPopUp.setAccessibilityIdentifier("ListenEventPopUp")
+        mediaLibraryPopUp.setAccessibilityIdentifier("MediaLibraryPopUp")
+        microphonePopUp.setAccessibilityIdentifier("MicrophonePopUp")
+        networkVolumesPopUp.setAccessibilityIdentifier("NetworkVolumesPopUp")
+        photosPopUp.setAccessibilityIdentifier("PhotosPopUp")
+        postEventsPopUp.setAccessibilityIdentifier("PostEventsPopUp")
+        remindersPopUp.setAccessibilityIdentifier("RemindersPopUp")
+        removableVolumesPopUp.setAccessibilityIdentifier("RemovableVolumesPopUp")
+        screenCapturePopUp.setAccessibilityIdentifier("ScreenCapturePopUp")
+        speechRecognitionPopUp.setAccessibilityIdentifier("SpeechRecognitionPopUp")
     }
 
     private func loadUITestProfileIfNeeded() {
diff --git a/specs/002-add-pppc-keys/quickstart.md b/specs/002-add-pppc-keys/quickstart.md
index c3bd7c7..63e9d07 100644
--- a/specs/002-add-pppc-keys/quickstart.md
+++ b/specs/002-add-pppc-keys/quickstart.md
@@ -52,7 +52,7 @@ xcodebuild clean build -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility"
 xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"
 
 # UI tests
-xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"
+xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility UI Tests" -destination "platform=macOS"
 
 # Compiler warnings check
 xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"
diff --git a/specs/002-add-pppc-keys/tasks.md b/specs/002-add-pppc-keys/tasks.md
index 33970c2..43b13ff 100644
--- a/specs/002-add-pppc-keys/tasks.md
+++ b/specs/002-add-pppc-keys/tasks.md
@@ -23,9 +23,9 @@
 
 **Purpose**: Capture baseline before any changes
 
-- [ ] T001 Capture baseline compiler warnings by running: `xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"`
-- [ ] T002 Run existing unit tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
-- [ ] T003 Run existing UI tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
+- [X] T001 Capture baseline compiler warnings by running: `xcodebuild clean build-for-testing -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" 2>&1 | grep -i "warning:" | grep -v "xcodebuild: WARNING"`
+- [X] T002 Run existing unit tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
+- [X] T003 Run existing UI tests to confirm green baseline: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
 
 ---
 
@@ -35,9 +35,9 @@
 
 **⚠️ CRITICAL**: No UI or test work can begin until this phase is complete.
 
-- [ ] T004 [P] [US1] [US2] [US3] Add 3 new service entries to `Resources/PPPCServices.json` — insert `BluetoothAlways` (after Accessibility, alphabetically), `SystemPolicyAppBundles` (after SystemPolicyAllFiles), and `SystemPolicyAppData` (after SystemPolicyAppBundles). Each entry has `mdmKey`, `englishName`, and `englishDescription` per data-model.md. No `entitlements`, `denyOnly`, or `allowStandardUsers` fields.
-- [ ] T005 [P] [US1] [US2] [US3] Add 3 new enum cases to `ServicesKeys` in `Source/Model/TCCProfile.swift` — add `case bluetoothAlways = "BluetoothAlways"`, `case appBundles = "SystemPolicyAppBundles"`, `case appData = "SystemPolicyAppData"`.
-- [ ] T006 [P] [US1] [US2] [US3] Add 3 new `@objc dynamic` properties to the `Policy` class in `Source/Model/Executable.swift` — add `@objc dynamic var BluetoothAlways: String = "-"`, `@objc dynamic var SystemPolicyAppBundles: String = "-"`, `@objc dynamic var SystemPolicyAppData: String = "-"`. Property names MUST exactly match MDM key strings (KVC requirement).
+- [X] T004 [P] [US1] [US2] [US3] Add 3 new service entries to `Resources/PPPCServices.json` — insert `BluetoothAlways` (after Accessibility, alphabetically), `SystemPolicyAppBundles` (after SystemPolicyAllFiles), and `SystemPolicyAppData` (after SystemPolicyAppBundles). Each entry has `mdmKey`, `englishName`, and `englishDescription` per data-model.md. No `entitlements`, `denyOnly`, or `allowStandardUsers` fields.
+- [X] T005 [P] [US1] [US2] [US3] Add 3 new enum cases to `ServicesKeys` in `Source/Model/TCCProfile.swift` — add `case bluetoothAlways = "BluetoothAlways"`, `case appBundles = "SystemPolicyAppBundles"`, `case appData = "SystemPolicyAppData"`.
+- [X] T006 [P] [US1] [US2] [US3] Add 3 new `@objc dynamic` properties to the `Policy` class in `Source/Model/Executable.swift` — add `@objc dynamic var BluetoothAlways: String = "-"`, `@objc dynamic var SystemPolicyAppBundles: String = "-"`, `@objc dynamic var SystemPolicyAppData: String = "-"`. Property names MUST exactly match MDM key strings (KVC requirement).
 
 **Checkpoint**: Data model complete. Build should succeed with no new warnings. Existing tests may now fail (service count assertions) — expected.
 
@@ -51,9 +51,9 @@
 
 ### Implementation
 
-- [ ] T007 [US1] [US2] [US3] Add IBOutlet declarations for all 3 new services in `Source/View Controllers/TCCProfileViewController.swift` — for each service, add: `NSPopUpButton` outlet, `NSArrayController` outlet, `InfoButton` outlet, and `NSStackView` outlet. Follow the naming pattern of existing outlets (e.g., `bluetoothAlwaysPopUp`, `bluetoothAlwaysPopUpAC`, `bluetoothAlwaysHelpButton`, `bluetoothAlwaysStackView`).
-- [ ] T008 [US1] [US2] [US3] Wire new services into setup methods in `Source/View Controllers/TCCProfileViewController.swift` — add the 3 new `NSArrayController` outlets to the `setupAllowDeny()` call in `viewDidLoad()`. Add the 3 new `InfoButton` outlets to `setupDescriptions()` with their MDM keys. Add the 3 new `NSStackView` outlets to `setupStackViewsWithBackground()` (for alternating row backgrounds). Add accessibility identifiers for the 3 new popups in `setupAccessibilityIdentifiers()`.
-- [ ] T009 [US1] [US2] [US3] Add UI elements for all 3 new services in `Resources/Base.lproj/Main.storyboard` — for each service, duplicate an existing service row (e.g., the Reminders row pattern) and update: label text, popup button binding to the corresponding `Policy` property via Cocoa Bindings, NSArrayController connection, InfoButton connection, and NSStackView connection. Wire all IBOutlets to the view controller.
+- [X] T007 [US1] [US2] [US3] Add IBOutlet declarations for all 3 new services in `Source/View Controllers/TCCProfileViewController.swift` — for each service, add: `NSPopUpButton` outlet, `NSArrayController` outlet, `InfoButton` outlet, and `NSStackView` outlet. Follow the naming pattern of existing outlets (e.g., `bluetoothAlwaysPopUp`, `bluetoothAlwaysPopUpAC`, `bluetoothAlwaysHelpButton`, `bluetoothAlwaysStackView`).
+- [X] T008 [US1] [US2] [US3] Wire new services into setup methods in `Source/View Controllers/TCCProfileViewController.swift` — add the 3 new `NSArrayController` outlets to the `setupAllowDeny()` call in `viewDidLoad()`. Add the 3 new `InfoButton` outlets to `setupDescriptions()` with their MDM keys. Add the 3 new `NSStackView` outlets to `setupStackViewsWithBackground()` (for alternating row backgrounds). Add accessibility identifiers for the 3 new popups in `setupAccessibilityIdentifiers()`.
+- [X] T009 [US1] [US2] [US3] Add UI elements for all 3 new services in `Resources/Base.lproj/Main.storyboard` — for each service, duplicate an existing service row (e.g., the Reminders row pattern) and update: label text, popup button binding to the corresponding `Policy` property via Cocoa Bindings, NSArrayController connection, InfoButton connection, and NSStackView connection. Wire all IBOutlets to the view controller.
 
 **Checkpoint**: All 3 services visible in UI. Build and launch app to verify popups appear. Cocoa Bindings functional (selecting Allow/Deny updates the Policy object).
 
@@ -65,10 +65,10 @@
 
 ### Tests
 
-- [ ] T010 [P] [US1] [US2] [US3] Update service count assertion in `PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift` — change expected `allServices.count` from 21 to 24. Add assertions that `allServices["BluetoothAlways"]`, `allServices["SystemPolicyAppBundles"]`, and `allServices["SystemPolicyAppData"]` are non-nil with correct `englishName` values. (Satisfies TR-001)
-- [ ] T011 [P] [US1] [US2] [US3] Update policy defaults test in `PPPC UtilityTests/ModelTests/ExecutableTests.swift` — verify that a new `Executable`'s `policy.BluetoothAlways`, `policy.SystemPolicyAppBundles`, and `policy.SystemPolicyAppData` all default to `"-"`. Update any existing count-based assertions for total policy properties. (Satisfies TR-002)
-- [ ] T012 [P] [US1] [US2] [US3] Add new keys to `buildTCCPolicies()` in `PPPC UtilityTests/Helpers/TCCProfileBuilder.swift` — add `"BluetoothAlways"`, `"SystemPolicyAppBundles"`, and `"SystemPolicyAppData"` entries to the returned dictionary so round-trip tests exercise the new keys.
-- [ ] T013 [US1] [US2] [US3] Add export/import round-trip tests in `PPPC UtilityTests/ModelTests/ModelTests.swift` — add tests verifying that for each of the 3 new keys, setting a policy to Allow or Deny, exporting, and re-importing preserves the value. Use `ModelBuilder` to create executables with specific policy settings. (Satisfies TR-003)
+- [X] T010 [P] [US1] [US2] [US3] Update service count assertion in `PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift` — change expected `allServices.count` from 21 to 24. Add assertions that `allServices["BluetoothAlways"]`, `allServices["SystemPolicyAppBundles"]`, and `allServices["SystemPolicyAppData"]` are non-nil with correct `englishName` values. (Satisfies TR-001)
+- [X] T011 [P] [US1] [US2] [US3] Update policy defaults test in `PPPC UtilityTests/ModelTests/ExecutableTests.swift` — verify that a new `Executable`'s `policy.BluetoothAlways`, `policy.SystemPolicyAppBundles`, and `policy.SystemPolicyAppData` all default to `"-"`. Update any existing count-based assertions for total policy properties. (Satisfies TR-002)
+- [X] T012 [P] [US1] [US2] [US3] Add new keys to `buildTCCPolicies()` in `PPPC UtilityTests/Helpers/TCCProfileBuilder.swift` — add `"BluetoothAlways"`, `"SystemPolicyAppBundles"`, and `"SystemPolicyAppData"` entries to the returned dictionary so round-trip tests exercise the new keys.
+- [X] T013 [US1] [US2] [US3] Add export/import round-trip tests in `PPPC UtilityTests/ModelTests/ModelTests.swift` — add tests verifying that for each of the 3 new keys, setting a policy to Allow or Deny, exporting, and re-importing preserves the value. Use `ModelBuilder` to create executables with specific policy settings. (Satisfies TR-003)
 
 **Checkpoint**: Run unit test plan — all tests pass including updated service count, defaults, and round-trip assertions.
 
@@ -82,15 +82,15 @@
 
 ### Test Fixtures
 
-- [ ] T014 [P] [US4] Rename existing fixture `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` to `TestTCCUnsignedProfile-Legacy.mobileconfig` — this preserves the original file (without new keys) as the legacy import fixture. Update the Xcode project file if the resource is referenced by name.
-- [ ] T015 [P] [US4] Create new `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` — copy from the legacy file and add `BluetoothAlways`, `SystemPolicyAppBundles`, and `SystemPolicyAppData` service entries with test policy dictionaries (Allowed: true, Identifier, CodeRequirement, IdentifierType, Comment). Follow the exact XML plist structure of existing service entries.
-- [ ] T016 [P] [US4] Update `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig` — add `bluetoothalways`, `systempolicyappbundles`, and `systempolicyappdata` entries (lowercase keys) following the existing lowercase pattern.
-- [ ] T017 [P] [US4] Update `Resources/TestTCCUnsignedProfile.mobileconfig` — add the 3 new service entries (same as T015) so the app-bundled UI test profile includes all 24 services.
+- [X] T014 [P] [US4] Rename existing fixture `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` to `TestTCCUnsignedProfile-Legacy.mobileconfig` — this preserves the original file (without new keys) as the legacy import fixture. Update the Xcode project file if the resource is referenced by name.
+- [X] T015 [P] [US4] Create new `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile.mobileconfig` — copy from the legacy file and add `BluetoothAlways`, `SystemPolicyAppBundles`, and `SystemPolicyAppData` service entries with test policy dictionaries (Allowed: true, Identifier, CodeRequirement, IdentifierType, Comment). Follow the exact XML plist structure of existing service entries.
+- [X] T016 [P] [US4] Update `PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig` — add `bluetoothalways`, `systempolicyappbundles`, and `systempolicyappdata` entries (lowercase keys) following the existing lowercase pattern.
+- [X] T017 [P] [US4] Update `Resources/TestTCCUnsignedProfile.mobileconfig` — add the 3 new service entries (same as T015) so the app-bundled UI test profile includes all 24 services.
 
 ### Tests
 
-- [ ] T018 [US4] Add legacy import test in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — add a test that imports `TestTCCUnsignedProfile-Legacy.mobileconfig`, feeds it through `Model.importProfile()`, and verifies the 3 new policy columns default to `"-"` on all imported executables. (Satisfies TR-005)
-- [ ] T019 [US4] Verify existing `correctUnsignedProfileContentData` test passes with the new fixture in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — the test should now import a profile with all 24 services and succeed. (Satisfies TR-004)
+- [X] T018 [US4] Add legacy import test in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — add a test that imports `TestTCCUnsignedProfile-Legacy.mobileconfig`, feeds it through `Model.importProfile()`, and verifies the 3 new policy columns default to `"-"` on all imported executables. (Satisfies TR-005)
+- [X] T019 [US4] Verify existing `correctUnsignedProfileContentData` test passes with the new fixture in `PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift` — the test should now import a profile with all 24 services and succeed. (Satisfies TR-004)
 
 **Checkpoint**: All importer tests pass. Legacy profile imports cleanly. Modern profile imports with all 24 services.
 
@@ -100,11 +100,11 @@
 
 **Purpose**: UI test, final validation, quality gate checks
 
-- [ ] T020 [US1] [US2] [US3] Add or update a UI test in `PPPC UtilityUITests/AppLaunchTests.swift` to verify the policy table column count reflects the 3 new services. Use the `-UITestMode` launch argument (which loads the test profile) and assert expected popup/column count. (Satisfies TR-006)
-- [ ] T021 Compare compiler warnings against T001 baseline — verify no new warnings introduced by running the same command and diffing output.
-- [ ] T022 Run full unit test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
-- [ ] T023 Run full UI test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
-- [ ] T024 Validate quickstart.md build and test commands still work per `specs/002-add-pppc-keys/quickstart.md`
+- [X] T020 [US1] [US2] [US3] Add or update a UI test in `PPPC UtilityUITests/AppLaunchTests.swift` to verify the policy table column count reflects the 3 new services. Use the `-UITestMode` launch argument (which loads the test profile) and assert expected popup/column count. (Satisfies TR-006)
+- [X] T021 Compare compiler warnings against T001 baseline — verify no new warnings introduced by running the same command and diffing output.
+- [X] T022 Run full unit test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility"`
+- [X] T023 Run full UI test plan and verify all tests pass: `xcodebuild test -project "PPPC Utility.xcodeproj" -scheme "PPPC Utility" -destination "platform=macOS" -testPlan "PPPC Utility UI Tests"`
+- [X] T024 Validate quickstart.md build and test commands still work per `specs/002-add-pppc-keys/quickstart.md`
 
 ---
 

From 10bdab1349240fba13a696a82dab4ba4e0a4328c Mon Sep 17 00:00:00 2001
From: Mike Anderson <mike.anderson@jamf.com>
Date: Mon, 13 Apr 2026 12:24:18 -0500
Subject: [PATCH 53/53] addressed  copilot comments (except the one about
 splitting the pr)

---
 .../TCCProfileImporterTests.swift             |  9 +-
 .../TCCProfileTests.swift                     | 29 ++++++
 ...stTCCUnsignedProfile-allLower.mobileconfig | 94 +++++++++----------
 PPPC UtilityUITests/AppLaunchTests.swift      | 32 +------
 4 files changed, 87 insertions(+), 77 deletions(-)

diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift
index e930452..f8a653c 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift	
@@ -72,8 +72,12 @@ struct TCCProfileImporterTests {
 
         let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
         #expect(!tccProfile.content.isEmpty)
-        #expect(!tccProfile.content[0].services.isEmpty)
-        #expect(tccProfile.content[0].services.count >= 24, "Profile should contain at least 24 services including 3 new keys")
+        let services = tccProfile.content[0].services
+        #expect(!services.isEmpty)
+        #expect(services.count == 24, "Profile should contain exactly 24 services")
+        #expect(services["BluetoothAlways"] != nil, "BluetoothAlways service should exist")
+        #expect(services["SystemPolicyAppBundles"] != nil, "SystemPolicyAppBundles service should exist")
+        #expect(services["SystemPolicyAppData"] != nil, "SystemPolicyAppData service should exist")
     }
 
     @Test("Legacy profile without new keys imports with dash defaults")
@@ -87,6 +91,7 @@ struct TCCProfileImporterTests {
         await model.importProfile(tccProfile: tccProfile)
 
         // then
+        #expect(!model.selectedExecutables.isEmpty, "Legacy profile should import at least one executable")
         for executable in model.selectedExecutables {
             #expect(executable.policy.BluetoothAlways == "-", "BluetoothAlways should default to dash for legacy profiles")
             #expect(executable.policy.SystemPolicyAppBundles == "-", "SystemPolicyAppBundles should default to dash for legacy profiles")
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift
index 4a907cb..4845730 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift	
@@ -64,6 +64,22 @@ struct TCCProfileTests {
 
             // then verify the services key
             #expect(content.services.count == 5)
+            let allFiles = content.services["SystemPolicyAllFiles"]
+            #expect(allFiles?.count == 1)
+            allFiles?.forEach { policy in
+                #expect(policy.identifier == "policy id")
+                #expect(policy.identifierType == "policy id type")
+                #expect(policy.codeRequirement == "policy code req")
+                #expect(policy.allowed == nil)
+                #expect(policy.authorization == .allowStandardUserToSetSystemService)
+                #expect(policy.comment == "policy comment")
+                #expect(policy.receiverIdentifier == "policy receiver id")
+                #expect(policy.receiverIdentifierType == "policy receiver id type")
+                #expect(policy.receiverCodeRequirement == "policy receiver code req")
+            }
+            #expect(content.services["BluetoothAlways"] != nil, "BluetoothAlways should be included")
+            #expect(content.services["SystemPolicyAppBundles"] != nil, "SystemPolicyAppBundles should be included")
+            #expect(content.services["SystemPolicyAppData"] != nil, "SystemPolicyAppData should be included")
         }
     }
 
@@ -96,6 +112,19 @@ struct TCCProfileTests {
 
             // then verify the services key
             #expect(content.services.count == 5)
+            let allFiles = content.services["SystemPolicyAllFiles"]
+            #expect(allFiles?.count == 1)
+            allFiles?.forEach { policy in
+                #expect(policy.identifier == "policy id")
+                #expect(policy.identifierType == "policy id type")
+                #expect(policy.codeRequirement == "policy code req")
+                #expect(policy.allowed == true)
+                #expect(policy.authorization == nil)
+                #expect(policy.comment == "policy comment")
+                #expect(policy.receiverIdentifier == "policy receiver id")
+                #expect(policy.receiverIdentifierType == "policy receiver id type")
+                #expect(policy.receiverCodeRequirement == "policy receiver code req")
+            }
         }
     }
 
diff --git a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig
index 8f0f267..21ccbbb 100644
--- a/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig	
+++ b/PPPC UtilityTests/TCCProfileImporterTests/TestTCCUnsignedProfile-allLower.mobileconfig	
@@ -48,22 +48,22 @@
 						<string>bundleid</string>
 					</dict>
 				</array>
-	<key>bluetoothalways</key>
-<array>
-<dict>
-<key>allowed</key>
-<true/>
-<key>coderequirement</key>
-<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
-<key>comment</key>
-<string></string>
-<key>identifier</key>
-<string>io.brackets.appshell</string>
-<key>identifiertype</key>
-<string>bundleID</string>
-</dict>
-</array>
-			<key>addressbook</key>
+				<key>bluetoothalways</key>
+					<array>
+						<dict>
+							<key>allowed</key>
+							<true/>
+							<key>coderequirement</key>
+							<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.ou] = jq525l2mzd</string>
+							<key>comment</key>
+							<string></string>
+							<key>identifier</key>
+							<string>io.brackets.appshell</string>
+							<key>identifiertype</key>
+							<string>bundleid</string>
+						</dict>
+					</array>
+				<key>addressbook</key>
 				<array>
 					<dict>
 						<key>allowed</key>
@@ -465,37 +465,37 @@
 						<string>bundleid</string>
 					</dict>
 				</array>
-	<key>systempolicyappbundles</key>
-<array>
-<dict>
-<key>allowed</key>
-<true/>
-<key>coderequirement</key>
-<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
-<key>comment</key>
-<string></string>
-<key>identifier</key>
-<string>io.brackets.appshell</string>
-<key>identifiertype</key>
-<string>bundleID</string>
-</dict>
-</array>
-<key>systempolicyappdata</key>
-<array>
-<dict>
-<key>allowed</key>
-<true/>
-<key>coderequirement</key>
-<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD</string>
-<key>comment</key>
-<string></string>
-<key>identifier</key>
-<string>io.brackets.appshell</string>
-<key>identifiertype</key>
-<string>bundleID</string>
-</dict>
-</array>
-			<key>systempolicydesktopfolder</key>
+				<key>systempolicyappbundles</key>
+					<array>
+						<dict>
+							<key>allowed</key>
+							<true/>
+							<key>coderequirement</key>
+							<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.ou] = jq525l2mzd</string>
+							<key>comment</key>
+							<string></string>
+							<key>identifier</key>
+							<string>io.brackets.appshell</string>
+							<key>identifiertype</key>
+							<string>bundleid</string>
+						</dict>
+					</array>
+				<key>systempolicyappdata</key>
+					<array>
+						<dict>
+							<key>allowed</key>
+							<true/>
+							<key>coderequirement</key>
+							<string>identifier "io.brackets.appshell" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.ou] = jq525l2mzd</string>
+							<key>comment</key>
+							<string></string>
+							<key>identifier</key>
+							<string>io.brackets.appshell</string>
+							<key>identifiertype</key>
+							<string>bundleid</string>
+						</dict>
+					</array>
+				<key>systempolicydesktopfolder</key>
 				<array>
 					<dict>
 						<key>allowed</key>
diff --git a/PPPC UtilityUITests/AppLaunchTests.swift b/PPPC UtilityUITests/AppLaunchTests.swift
index 19233c5..7334829 100644
--- a/PPPC UtilityUITests/AppLaunchTests.swift	
+++ b/PPPC UtilityUITests/AppLaunchTests.swift	
@@ -80,44 +80,20 @@ final class AppLaunchTests: XCTestCase {
         XCTAssertFalse(removeAppleEventButton.isEnabled, "Remove Apple Event button should be disabled with no selection")
     }
 
-    func testServicePopupsExistInExpectedOrder() {
+    func testServicePopupsExist() {
         app.terminate()
         app.launchArguments = ["-UITestMode"]
         app.launch()
 
-        let expectedPopUpOrder = [
-            "AccessibilityPopUp",
-            "AdminFilesPopUp",
+        let newServicePopUps = [
             "AppBundlesPopUp",
             "AppDataPopUp",
-            "BluetoothAlwaysPopUp",
-            "CalendarPopUp",
-            "CameraPopUp",
-            "AddressBookPopUp",
-            "DesktopFolderPopUp",
-            "DocumentsFolderPopUp",
-            "DownloadsFolderPopUp",
-            "FileProviderPresencePopUp",
-            "AllFilesPopUp",
-            "ListenEventPopUp",
-            "MediaLibraryPopUp",
-            "MicrophonePopUp",
-            "NetworkVolumesPopUp",
-            "PhotosPopUp",
-            "PostEventsPopUp",
-            "RemindersPopUp",
-            "RemovableVolumesPopUp",
-            "ScreenCapturePopUp",
-            "SpeechRecognitionPopUp"
+            "BluetoothAlwaysPopUp"
         ]
 
-        var previousY = -CGFloat.greatestFiniteMagnitude
-        for identifier in expectedPopUpOrder {
+        for identifier in newServicePopUps {
             let popUp = app.popUpButtons[identifier]
             XCTAssertTrue(popUp.waitForExistence(timeout: 5), "\(identifier) should exist")
-            let currentY = popUp.frame.origin.y
-            XCTAssertGreaterThan(currentY, previousY, "\(identifier) should appear below the previous popup")
-            previousY = currentY
         }
     }
 }