Reach 1.0.0 — Sparkle UX polish + 10-min update cadence

Highlights

• Static "Check for Updates…" menu item restored. The 0.9.x dynamic-only update affordance was undiscoverable when no update was pending; users had no way to verify a freshly-published release on demand. The static item now sits in the menu bar alongside the dynamic "Update X.Y.Z" action.
• Background update check cadence: 24h → 10 minutes. Trades a small increase in appcast fetch traffic for much faster notification of a new release. The appcast is a static ~5KB XML on GitHub Pages — well within reasonable polling bounds.
• All 0.9.900 changes carry forward: iCloud Auto-Trust auto-refresh (no more manual toggle off→on), Local Network permission runtime probe, viewer cascade LAN→WAN auto-fallback, ConnectionProfile rename + UserDefaults migration.

Compatibility

• macOS 14.0+ (host)
• iOS 17.0+ (viewer 1.0.0 build 4 ships separately on TestFlight)
• Sparkle auto-update from 0.9.x → 1.0.0 supported via the standard appcast path.

Install

• Fresh: drag ReachHost.app from the DMG to /Applications.
• Update from 0.9.900: Sparkle handles automatically once the appcast publishes (within minutes), or use the new menu-bar Check for Updates… item.

Known

• CI host-release job currently fails on a stale provisioning profile (`JumpHost_DeveloperID` from before the bundle ID rename + iCloud capability addition). This 1.0.0 DMG was archived and notarized via Xcode Organizer until the runner profile is refreshed.

Reach 0.9.900 — iCloud Auto-Trust auto-refresh + cascade fallback + permission probe

Highlights

• iCloud Auto-Trust indicator on the Trusted tab now refreshes automatically on app boot, iCloud account change, and Trusted-tab open — no more manual toggle off→on to flip from "Waiting / Sign-in required" to "Connected" when iCloud is healthy. Reentrancy guard prevents UI flicker on launch races (boot + tab open within milliseconds).
• Local Network permission is now probed at runtime via NWBrowser instead of a static "allowed when prompted" bullet. Status tab shows allowed / denied / checking states accurately. Critical fix: the NSLocalNetworkUsageDescription and NSBonjourServices keys were missing from the host Info.plist entirely — without them the system silently denied Bonjour publish without ever prompting the user.
• Profile-tap LAN→WAN auto-fallback (viewer): tapping a saved Mac that's visible on Bonjour now tries LAN first, but on LAN failure (AP client isolation, stale Bonjour cache, host firewall LAN port change) automatically falls back to the saved profile's WAN path within the same connect attempt. Single "Connecting…" status line, no manual retry.
• Saved profile rename (viewer): the data model is now consistently ConnectionProfile (was WANProfile) since profiles carry both WAN routing data and LAN selection-key cache. Includes UserDefaults key migration so existing saved Macs are preserved transparently across the upgrade.

Compatibility

• macOS 14.0+ (host)
• iOS 17.0+ (viewer, ships separately on TestFlight)
• Existing saved profiles in viewer migrate automatically on first launch after upgrade.
• Sparkle auto-update from 0.9.600 → 0.9.900 supported via the standard appcast path.

Install

• Fresh install: drag ReachHost.app from the DMG to /Applications.
• Update from 0.9.600: Sparkle handles automatically once the appcast publishes (within minutes), or use the menu-bar "Check for Updates…" command.

Known

• TestFlight viewer 0.9.900 (build 3) is the matching iPad client.
• CI host-release job currently fails on a stale provisioning profile (JumpHost_DeveloperID from before the bundle ID rename + iCloud capability addition); this 0.9.900 DMG was archived and notarized via Xcode Organizer until the runner profile is refreshed.

Reach 0.9.600 — Privacy + trust + icon polish

Highlights

• Privacy disclosure aligned with actual data collection (CloudKit pairing metadata is now declared honestly; previous "Data Not Collected" framing was wrong).
• Cloudflare bridge trust copy corrected: bridge is opt-in, Cloudflare's edge sees session traffic — host dashboard now surfaces the trade-off when you toggle it.
• TOFU certificate mismatches now surface as a structured failure instead of a generic timeout — you'll see a clear "fingerprint changed" recovery path.
• Host keychain identity policy bumped to v3 with trusted-app path binding (no more spurious keychain password prompts after Sparkle updates / drag-to-Applications moves).
• Viewer keyboard simplified to solid-only (translucent variant removed).
• iOS app icons regenerated as opaque RGB (App Store compliance for the matching viewer 0.9.600 release on TestFlight).

Migration impact

• Existing TOFU-paired iPads need to re-accept the new fingerprint on first connect after upgrading. Same UX as any host identity reset.
• CloudKit-bound iPads re-bind automatically.

Verification

Built locally with Xcode Archive → Developer ID Direct Distribution → Apple notary (ticket stapled). `xcrun stapler validate` and `spctl -a -t install` both pass with "Notarized Developer ID".