Native iOS companion app (Liquid Glass) — read-only usage mirror over LAN + iCloud#1979
Native iOS companion app (Liquid Glass) — read-only usage mirror over LAN + iCloud#1979brahimhamichan wants to merge 4 commits into
Conversation
…+ iCloud A read-only iPhone companion (iOS 26) that mirrors the WidgetSnapshot the Mac already aggregates — provider windows, credits, token cost — on the Home Screen, Lock Screen, and (optional, off by default) as a Live Activity. Transport is serverless and user-managed: a LAN fast path (Bonjour + Network.framework) plus a CloudKit private-database backbone that keeps widgets and the Lock Screen fresh in the background. Newest generatedAt wins. No credentials are stored on the phone. macOS side (Sources/CodexBar/MobileSync) is opt-in and a no-op unless `mobileSyncEnabled` is set, so existing users are unaffected. A wire-contract test guards the JSON the phone decodes. Closes steipete#1976. Relates to steipete#439, steipete#319. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Codex review: needs real behavior proof before merge. Reviewed July 8, 2026, 3:00 AM ET / 07:00 UTC. Summary Reproducibility: yes. for the review findings via source inspection: the Mac publisher sends frames to any ready connection, the iOS provider decoder maps unknown values to Codex, and the Mac CloudKit path checks only ubiquity identity before creating the container. I did not run builds or live provider checks because this is a read-only review. Review metrics: 3 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Keep this draft paused until a maintainer sponsors the iOS scope; then land a narrower implementation with paired encrypted Mac publishing, SettingsStore-backed toggles and entitlements, provider parity tests, and redacted signed end-to-end proof. Do we have a high-confidence way to reproduce the issue? Yes for the review findings via source inspection: the Mac publisher sends frames to any ready connection, the iOS provider decoder maps unknown values to Codex, and the Mac CloudKit path checks only ubiquity identity before creating the container. I did not run builds or live provider checks because this is a read-only review. Is this the best way to solve the issue? No; the read-only mirror direction may be safer than phone-side provider credentials, but this implementation is not the best merge path until maintainer sponsorship, paired Mac publishing, provider parity, entitlement gating, and real behavior proof are in place. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against aa401f1d8b74. Label changesLabel justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (3 earlier review cycles)
|
… sample data - Refresh control next to Settings triggers a manual CloudKit/LAN pull with a rotating symbol while in flight. - Gate the DEBUG sample seed behind the `-seed` launch arg (screenshots only), so the shipped app shows the honest "Waiting for CodexBar" state until a live snapshot arrives — never fabricated numbers. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ed LAN Adds a real pairing model so the phone only syncs with *your* Mac and the data is private on shared networks: - Each Mac has a device identity + 256-bit key; the phone enrolls via a QR code (`cbp1.` payload, pattern borrowed from agent-activity) or manual code entry. - Discovery is filtered to paired Macs (device ID advertised in the Bonjour service name), so a stranger's Mac is ignored. - The channel is authenticated + encrypted: the phone sends a nonce, both sides derive an HKDF session key from the shared key, and each snapshot frame is AES-GCM sealed — only the paired Mac can produce readable frames. - Pairing UI (QR scanner + manual entry), Keychain-backed store with an App Group fallback for unsigned builds, and paired-Mac management in Settings. Verified end-to-end: pairing code → filtered discovery → encrypted handshake → decrypt → live usage on device. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…Combined, Switcher) Brings the macOS CodexBar home-screen widgets to iOS so the phone has the same styles. Adds Usage History (Swift Charts), a compact single-metric widget with a metric picker, a Burn Down widget (remaining budget vs ideal steady-burn pace with a Canvas chart and run-out projection), a Combined session+weekly burn tile, and a Switcher showing the most-constrained provider. Home Usage now also supports systemLarge with credits + token costs. All reuse the shared iOS design system and read the App Group snapshot. Also stop tracking the generated ios/CodexBarMobile.xcodeproj (regenerate with `xcodegen generate`) so per-developer signing/bundle-id/App-Group overrides don't land in the repo. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Screenshots
What
A native iOS 26 Liquid Glass companion that mirrors the usage the Mac already aggregates —
provider windows, credits, token cost — on the Home Screen, Lock Screen, and (optional) Live
Activity. It is a read-only mirror: the Mac ships the same
WidgetSnapshot; no providercredentials on the phone. Opposite approach to the earlier POC in #439.
Closes #1976. Relates to #439, #319.
Transport (serverless, user-managed)
_codexbar-sync._tcp(Bonjour) and streams alength-prefixed JSON
SyncEnvelope. Instant on the same Wi-Fi.Screen / Live Activities fresh in the background, anywhere. No server, no CF Worker.
generatedAtwins.Live Activities are off by default (opt-in; no APNs server, so they refresh locally).
Layout
ios/— XcodeGen project (xcodegen generate).Shared/(Foundation-onlyWidgetSnapshotmirror + transport),
CodexBarMobile/(SwiftUI app + Live Activity),CodexBarMobileWidget/(Home + Lock Screen widgets + Live Activity widget). Reuses the CodexBar icon + provider SVGs.
Sources/CodexBar/MobileSync/— macOS publisher (Bonjour listener + CloudKit push), opt-in:a no-op unless
UserDefaults.standard.bool(forKey: "mobileSyncEnabled"). Hooked intoUsageStore.persistWidgetSnapshot(one line).Tests/CodexBarTests/MobileSyncEnvelopeTests.swift— wire-contract guard for the JSON the phone decodes.Testing
swift build(macOS) — Build complete.swift test --filter MobileSyncEnvelopeTests— passes.full-screen on iPhone 17 Pro Max (iOS 26.5).
_codexbar-sync._tcp→ the appdiscovered it and live-replaced its data over the network.
Notes for reviewers / follow-ups
mobileSyncEnabledstill needs wiring intoSettingsStore(currently a bare UserDefaults key).
.entitlementsare empty so unsigned simulator builds stay green. Real device/signedbuilds need App Group + iCloud/CloudKit + Push + Background-remote-notification (+ macOS
network.server) — documented inios/README.md. CloudKit self-gates at runtime by reading theembedded provisioning profile, so an un-entitled build runs (LAN only) without crashing.
allowlist is a sensible follow-up before wider release.