002 add pppc keys (#151)

* AI generated removal of the big sur compatibility logic. Needs vetted and tested

* big-sur story/JPCFM-5531 Add minor changes to update minimum supported OS and remove remaining Big Sur things

* big-sur story/JPCFM-5531 Remove swiftlint disable call due to reduced file length

* big-sur story/JPCFM-5531 Add Copilot suggestion for generating test results

* big-sur story/JPCFM-5531 Add Copilot refactor to loadExecutable function

* big-sur story/JPCFM-5531 Remove code coverage addition

* added detailed plan for getting to swift 6 in stages

* Initial plan

* Stage 2: Convert NetworkAuthManager from actor to class

With SWIFT_DEFAULT_ACTOR_ISOLATION = MainActor, all types are MainActor
by default. The actor's synchronization purpose (single-flight token
refresh) is now provided by MainActor serialization.

Changes:
- actor NetworkAuthManager → class NetworkAuthManager
- bearerAuthSupported(): drop async (no longer needed without actor)
- basicAuthString(): drop nonisolated (no longer an actor)
- JamfProAPIClient: drop await from bearerAuthSupported() calls
- NetworkAuthManagerTests: drop await from bearerAuthSupported() calls

Side effect: Resolves Token.isValid cross-isolation warning because
Token and NetworkAuthManager are now both on MainActor.

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 3a: Remove DispatchQueue.main.async wrappers

With MainActor default isolation, manual dispatch to the main thread
is redundant. All three locations are already MainActor-isolated.

Changes:
- Alert.swift: Remove DispatchQueue.main.async wrapper in display()
- OpenViewController.swift: Remove wrapper in tableView selectionIndexes
- SaveViewController.swift: Remove wrapper in savePressed panel callback

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 3b: Convert UploadManager to async throws

Replace Task/completion handler pattern with direct async throws methods.

Changes:
- UploadManager.verifyConnection: async throws -> VerificationInfo
- UploadManager.upload: async throws (no completion handler)
- UploadInfoView.verifyConnection: now async, uses try await
- UploadInfoView.performUpload: now async, uses try await
- Button action bridges to async with Task { await ... }

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 3c: Convert Model.loadExecutable to direct return

Replace completion handler pattern with throws -> Executable since the
work is synchronous (reads bundle info and code requirements).

Changes:
- Model.loadExecutable(url:) now throws -> Executable (no completion)
- Remove LoadExecutableCompletion typealias
- findExecutableOnComputerUsing → findExecutable, returns directly
- getExecutableFrom: uses do/catch instead of completion handler
- getAppleEventChoices: uses do/catch for each loadExecutable call
- TCCProfileViewController: promptForExecutables and acceptDrop updated
- OpenViewController.prompt: updated to use try/catch

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 3d: Convert TCCProfileImporter to direct return

Replace completion handler pattern with throws -> TCCProfile since
the work is synchronous (decode data, read file).

Changes:
- TCCProfileImporter.decodeTCCProfile(data:) now throws -> TCCProfile
- TCCProfileImporter.decodeTCCProfile(fileUrl:) now throws -> TCCProfile
- Remove TCCProfileImportCompletion typealias
- TCCProfileConfigurationPanel: uses try/catch in panel callback
- TCCProfileImporterTests: updated to use try/catch pattern

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 4: Add @Concurrent for background I/O

Mark SecurityWrapper and Model methods with @Concurrent to move disk
I/O and security operations off MainActor onto the cooperative pool.

Changes:
- SecurityWrapper.copyDesignatedRequirement: @Concurrent async throws
- SecurityWrapper.sign: @Concurrent async throws
- SecurityWrapper.loadSigningIdentities: @Concurrent async throws
- Model.loadExecutable: @Concurrent async throws -> Executable
- Model.getAppleEventChoices: now async (calls loadExecutable)
- Model.getExecutableFrom/findExecutable: now async
- Model.getExecutablesFromAllPolicies: now async
- Model.importProfile: now async
- All callers updated to use Task/await where needed
- ModelTests: updated to async test methods

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Stage 5: Enable Swift 6 language mode

Flip SWIFT_VERSION from 5.0 to 6.0 so all concurrency warnings become
hard errors. Fix override isolation mismatches.

Changes:
- SWIFT_VERSION = 6.0 in all 4 build configurations
- SaveViewController.observeValue: add nonisolated + MainActor.assumeIsolated
- ModelTests.setUp: add nonisolated + MainActor.assumeIsolated
- Update plan document to reflect all stages complete

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/4235dbf5-feb0-4744-839d-543eee3b8ee5

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* create-separate story/JPCFM-5564 Fix failing build and tests

* create-separate story/JPCFM-5564 Fix code signing mistake

* create-separate story/JPCFM-5564 Fix bad syntax in build settings

* create-separate story/JPCFM-5564 Fix bad syntax in project settings for last time

* create-separate story/JPCFM-5564 Try to fix failing tests on GH PR

* create-separate story/JPCFM-5564 Try to fix unit test check issue

* create-separate story/JPCFM-5564 Make actual change with the plan to fix Unit Test issues

* removed some uneeded concurrency annotations

* removed a couple more spots

* Update Source/SwiftUI/UploadInfoView.swift

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* code review changes

* put the apple events selection back onto the main queue

* disabled the drop down until it is populated.

* fixed the sizing issue of the save window

* added width to the save prompt

* changed sequence of model on save

* reverted main story board

* added timing check for apple events loading

* reverted back to sync on the drag drop executables

* try macos 26

* fixed the upload crashes

* claude plan 1

* updated plan and claude.md

* added some simple unit test coverage that was missing

* Phase 2: URLSession injection + MockURLProtocol infrastructure

Production changes:
- Networking.swift: Add session:URLSession parameter (default .shared),
  replace all 5 URLSession.shared calls with injected session
- JamfProAPIClient.swift: Replace URLSession.shared in HTML version
  fallback with inherited session property
- UploadManager.swift: Add session:URLSession parameter, pass through
  to JamfProAPIClient constructors

Test infrastructure:
- MockURLProtocol: Simple URLProtocol subclass with single static
  requestHandler, URLSession.mock(handler:) convenience, and
  HTTPURLResponse.ok/status helpers
- MockURLProtocolTests: 3 tests verifying interception, error status
  codes, and reset behavior (.serialized suite)

Convention updates:
- CLAUDE.md: Add 'always use Swift Concurrency' rule, update mock
  convention to serialized suites with simple static handler
- docs/plans: Matching updates to Phase 2 & 4 descriptions

No behavioral change — URLSession.shared remains the default for all
production paths. 69 tests pass, no new compiler warnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* added more networking unit tests

* Fix sendBearerAuthorized retry bug and add 401 retry tests

Agent-Logs-Url: https://github.com/jamf/PPPC-Utility/sessions/398e2e82-5660-412c-9150-b6c79a4bb21e

Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>

* Phase 4: Add UploadManager and TCCProfile XML tests

- New UploadManagerTests with verifyConnection tests (mustSign true/false,
  credential errors, unavailability errors) and upload tests verifying
  site XML presence/absence through the full network mock flow
- Expand TCCProfileTests with XML-parsing-based assertions for
  jamfProAPIData structure, site element inclusion, and site exclusion
- 96 tests total, all passing, no new compiler warnings
- App target coverage: 45.03%

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* updated claude.md

* added ui testing plan

* added UI test framework and first test for the main window

* split the UI tests from the unit test

* fixed the project file ref

* trying out speckit on a feature

* finished implementing the spec

* added spec for the 3 new keys

* implemented the spec locally since the agent does not have xcode access

* addressed  copilot comments (except the one about splitting the pr)

---------

Co-authored-by: JJ Pritzl <jj.pritzl@jamf.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: watkyn <40115+watkyn@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Mike Anderson <mike.anderson@jamf.com>

Author: 6 people

.specify/feature.json

@@ -1,3 +1,3 @@
 {
-  "feature_directory": "specs/001-fix-deprecations"
+  "feature_directory": "specs/002-add-pppc-keys"
 }

.specify/memory/constitution.md

@@ -51,6 +51,7 @@ acceptable only for components without adequate SwiftUI coverage.
 
 - Minimum deployment target: macOS 13.0.
 - All interactive UI elements MUST have accessibility identifiers and labels.
+- Service keys in the main window MUST appear in alphabetical order.
 - Profiles MUST be saveable locally (signed or unsigned) and uploadable to
   Jamf Pro (bearer token, basic auth fallback, or OAuth client credentials).
 
@@ -86,4 +87,4 @@ Git) are maintained in `CLAUDE.md`. Amendments require:
 All PRs and code reviews MUST verify compliance with this constitution.
 Complexity violations MUST be justified in the PR description.
 
-**Version**: 1.1.0 | **Ratified**: 2026-04-09 | **Last Amended**: 2026-04-09
+**Version**: 1.2.0 | **Ratified**: 2026-04-09 | **Last Amended**: 2026-04-09

CLAUDE.md

@@ -24,8 +24,16 @@
 - Avoid snake_case in test names (e.g., `generateDisplayName_bundleIdentifier`). If a name is getting long, use a Trait with a sentence-style description instead.
 - For complex tests, use a descriptive `@Test("...")` trait that explains the scenario and expected outcome so the test is understandable without reading the body.
 - Use parameterized tests with Traits where it reduces duplication; 1–2 args is ideal, max 3
+  ```swift
+  @Test("Service key round-trip preserves value", arguments: [
+      ("BluetoothAlways", "Allow"),
+      ("SystemPolicyAppBundles", "Deny")
+  ])
+  func serviceKeyRoundTrip(serviceKey: String, value: String) async { … }
+  ```
 - Beyond 3 params: create separate tests with some values hard-coded
 - Use `deinit` as teardown for repeated cleanup across tests in a suite. Use `class` for suites that need `deinit`; use `struct` otherwise.
+- After adding or refactoring tests, look for duplication or tests that are no longer relevant. Do not add redundant tests.
 
 ## UI Testing Conventions
 
@@ -35,6 +43,14 @@
 - Use accessibility identifiers set in `setupAccessibilityIdentifiers()` to locate UI elements
 - The `-UITestMode` launch argument triggers test-specific setup (e.g., loading a test profile)
 
+## UI Conventions
+
+- Service keys (popup rows) in the main window must appear in alphabetical order.
+
+## Naming
+
+- Avoid "new" in test or function names — it becomes stale quickly. Describe the behavior, not the novelty.
+
 ## Git
 
 - Do not stage or commit changes in terminal sessions

PPPC Utility.xcodeproj/project.pbxproj

@@ -59,6 +59,7 @@
 		C07B1FB82AF596D80075E38B /* UploadManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C07B1FB72AF596D80075E38B /* UploadManager.swift */; };
 		C0A2B5422B1A5D5C0007F510 /* JamfProAPIClientTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0A2B5412B1A5D5C0007F510 /* JamfProAPIClientTests.swift */; };
 		C0A85DB5279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */; };
+		AA002200000000000000002B /* TestTCCUnsignedProfile-Legacy.mobileconfig in Resources */ = {isa = PBXBuildFile; fileRef = AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */; };
 		C0DC2BB92B2263FC003A4474 /* Haversack in Frameworks */ = {isa = PBXBuildFile; productRef = C0DC2BB82B2263FC003A4474 /* Haversack */; };
 		C0E0383F27A30C7100A23FA2 /* PPPCServiceInfo.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0E0383D27A30C7100A23FA2 /* PPPCServiceInfo.swift */; };
 		C0E0384027A30C7100A23FA2 /* PPPCServicesManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0E0383E27A30C7100A23FA2 /* PPPCServicesManager.swift */; };
@@ -151,6 +152,7 @@
 		C07B1FB72AF596D80075E38B /* UploadManager.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadManager.swift; sourceTree = "<group>"; };
 		C0A2B5412B1A5D5C0007F510 /* JamfProAPIClientTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JamfProAPIClientTests.swift; sourceTree = "<group>"; };
 		C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "TestTCCUnsignedProfile-allLower.mobileconfig"; sourceTree = "<group>"; };
+		AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "TestTCCUnsignedProfile-Legacy.mobileconfig"; sourceTree = "<group>"; };
 		C0E0383D27A30C7100A23FA2 /* PPPCServiceInfo.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PPPCServiceInfo.swift; sourceTree = "<group>"; };
 		C0E0383E27A30C7100A23FA2 /* PPPCServicesManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PPPCServicesManager.swift; sourceTree = "<group>"; };
 		C0E0384127A30D1D00A23FA2 /* PPPCServices.json */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.json; path = PPPCServices.json; sourceTree = "<group>"; };
@@ -266,6 +268,7 @@
 			children = (
 				5F95AE2B2315B172002E0A22 /* TestTCCProfileSigned-Broken.mobileconfig */,
 				C0A85DB4279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig */,
+				AA002200000000000000002A /* TestTCCUnsignedProfile-Legacy.mobileconfig */,
 				5F95AE2A2315B172002E0A22 /* TestTCCUnsignedProfile-Broken.mobileconfig */,
 				5F95AE2C2315B172002E0A22 /* TestTCCUnsignedProfile-Empty.mobileconfig */,
 				5F95AE292315B172002E0A22 /* TestTCCUnsignedProfile.mobileconfig */,
@@ -536,6 +539,7 @@
 				5F95AE312315B172002E0A22 /* TestTCCUnsignedProfile-Empty.mobileconfig in Resources */,
 				5F95AE2F2315B172002E0A22 /* TestTCCUnsignedProfile-Broken.mobileconfig in Resources */,
 				C0A85DB5279873C600086283 /* TestTCCUnsignedProfile-allLower.mobileconfig in Resources */,
+				AA002200000000000000002B /* TestTCCUnsignedProfile-Legacy.mobileconfig in Resources */,
 				C0EE9A7D28639BF800738B6B /* TestTCCProfileForJamfProAPI.txt in Resources */,
 				5F95AE302315B172002E0A22 /* TestTCCProfileSigned-Broken.mobileconfig in Resources */,
 			);

PPPC UtilityTests/Helpers/TCCProfileBuilder.swift

@@ -47,7 +47,10 @@ class TCCProfileBuilder: NSObject {
     func buildTCCPolicies(allowed: Bool?, authorization: TCCPolicyAuthorizationValue?) -> [String: [TCCPolicy]] {
         return [
             "SystemPolicyAllFiles": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
-            "AppleEvents": [buildTCCPolicy(allowed: allowed, authorization: authorization)]
+            "AppleEvents": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "BluetoothAlways": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "SystemPolicyAppBundles": [buildTCCPolicy(allowed: allowed, authorization: authorization)],
+            "SystemPolicyAppData": [buildTCCPolicy(allowed: allowed, authorization: authorization)]
         ]
     }
 

PPPC UtilityTests/ModelTests/ExecutableTests.swift

@@ -34,60 +34,62 @@ import Testing
 struct ExecutableTests {
     let executable = Executable()
 
-    @Test("Display name uses last component of bundle identifier")
-    func generateDisplayNameBundleIdentifier() {
+    @Test(
+        "Display name uses last component of identifier",
+        arguments: [
+            ("com.example.MyApp", "MyApp"),
+            ("/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
+            ("Terminal", "Terminal")
+        ])
+    func generateDisplayName(identifier: String, expected: String) {
         // when
-        let displayName = executable.generateDisplayName(identifier: "com.example.MyApp")
+        let displayName = executable.generateDisplayName(identifier: identifier)
 
         // then
-        #expect(displayName == "MyApp")
+        #expect(displayName == expected)
     }
 
-    @Test("Display name uses last component of path identifier")
-    func generateDisplayNamePathIdentifier() {
+    @Test(
+        "Icon path matches identifier type",
+        arguments: [
+            ("com.example.MyApp", "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GenericApplicationIcon.icns"),
+            ("/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ExecutableBinaryIcon.icns")
+        ])
+    func generateIconPath(identifier: String, expected: String) {
         // when
-        let displayName = executable.generateDisplayName(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
+        let iconPath = executable.generateIconPath(identifier: identifier)
 
         // then
-        #expect(displayName == "Terminal")
+        #expect(iconPath == expected)
     }
 
-    @Test("Display name returns identifier when single component")
-    func generateDisplayNameSingleComponent() {
-        // when
-        let displayName = executable.generateDisplayName(identifier: "Terminal")
-
-        // then
-        #expect(displayName == "Terminal")
-    }
-
-    @Test("Icon path is application for bundle identifier")
-    func generateIconPathForBundleIdentifier() {
-        // when
-        let iconPath = executable.generateIconPath(identifier: "com.example.MyApp")
-
-        // then
-        #expect(iconPath == IconFilePath.application)
-    }
-
-    @Test("Icon path is binary for path identifier")
-    func generateIconPathForPathIdentifier() {
-        // when
-        let iconPath = executable.generateIconPath(identifier: "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal")
-
-        // then
-        #expect(iconPath == IconFilePath.binary)
-    }
-
-    @Test("All policy values default to dash")
-    func allPolicyValuesAreDefaults() {
+    @Test("All policy properties default to dash")
+    func policyPropertiesDefaultToDash() {
         let policy = Policy()
 
-        // when
-        let values = policy.allPolicyValues()
-
         // then
-        #expect(values.count == 20)
-        #expect(values.allSatisfy { $0 == "-" })
+        #expect(policy.Accessibility == "-")
+        #expect(policy.AddressBook == "-")
+        #expect(policy.BluetoothAlways == "-")
+        #expect(policy.Calendar == "-")
+        #expect(policy.Camera == "-")
+        #expect(policy.FileProviderPresence == "-")
+        #expect(policy.ListenEvent == "-")
+        #expect(policy.MediaLibrary == "-")
+        #expect(policy.Microphone == "-")
+        #expect(policy.Photos == "-")
+        #expect(policy.PostEvent == "-")
+        #expect(policy.Reminders == "-")
+        #expect(policy.ScreenCapture == "-")
+        #expect(policy.SpeechRecognition == "-")
+        #expect(policy.SystemPolicyAllFiles == "-")
+        #expect(policy.SystemPolicyAppBundles == "-")
+        #expect(policy.SystemPolicyAppData == "-")
+        #expect(policy.SystemPolicyDesktopFolder == "-")
+        #expect(policy.SystemPolicyDocumentsFolder == "-")
+        #expect(policy.SystemPolicyDownloadsFolder == "-")
+        #expect(policy.SystemPolicyNetworkVolumes == "-")
+        #expect(policy.SystemPolicyRemovableVolumes == "-")
+        #expect(policy.SystemPolicySysAdminFiles == "-")
     }
 }

PPPC UtilityTests/ModelTests/ModelTests.swift

@@ -267,39 +267,46 @@ struct ModelTests {
         #expect(model.selectedExecutables.first?.policy.SystemPolicyAllFiles == "Deny")
     }
 
-    // MARK: - tests for policyFromString
-
-    @Test
-    func policyWhenUsingAllow() {
-        let app = Executable(identifier: "id", codeRequirement: "req")
+    // MARK: - Service key round-trips
+
+    @Test(
+        "Service key round-trip preserves value",
+        arguments: [
+            ("BluetoothAlways", "Allow"),
+            ("SystemPolicyAppBundles", "Deny"),
+            ("SystemPolicyAppData", "Allow")
+        ])
+    func serviceKeyRoundTrip(serviceKey: String, value: String) async {
+        let model = ModelBuilder()
+            .addExecutable(settings: [serviceKey: value])
+            .build()
 
         // when
-        let policy = model.policyFromString(executable: app, value: "Allow")
+        let profile = model.exportProfile(organization: "Org", identifier: "ID", displayName: "Name", payloadDescription: "Desc")
+        await model.importProfile(tccProfile: profile)
 
         // then
-        #expect(policy?.authorization == .allow)
+        let result = model.selectedExecutables.last?.policy.value(forKey: serviceKey) as? String
+        #expect(result == value)
     }
 
-    @Test
-    func policyWhenUsingDeny() {
-        let app = Executable(identifier: "id", codeRequirement: "req")
-
-        // when
-        let policy = model.policyFromString(executable: app, value: "Deny")
-
-        // then
-        #expect(policy?.authorization == .deny)
-    }
+    // MARK: - tests for policyFromString
 
-    @Test
-    func policyWhenUsingAllowForStandardUsers() {
+    @Test(
+        "policyFromString maps display value to authorization",
+        arguments: [
+            ("Allow", TCCPolicyAuthorizationValue.allow),
+            ("Deny", TCCPolicyAuthorizationValue.deny),
+            ("Let Standard Users Approve", TCCPolicyAuthorizationValue.allowStandardUserToSetSystemService)
+        ])
+    func policyFromStringAuthorization(value: String, expected: String) {
         let app = Executable(identifier: "id", codeRequirement: "req")
 
         // when
-        let policy = model.policyFromString(executable: app, value: "Let Standard Users Approve")
+        let policy = model.policyFromString(executable: app, value: value)
 
         // then
-        #expect(policy?.authorization == .allowStandardUserToSetSystemService)
+        #expect(policy?.authorization == expected)
     }
 
     @Test

PPPC UtilityTests/ModelTests/PPPCServicesManagerTests.swift

@@ -39,7 +39,22 @@ struct PPPCServicesManagerTests {
         let actual = PPPCServicesManager()
 
         // then
-        #expect(actual.allServices.count == 21)
+        #expect(actual.allServices.count == 24)
+    }
+
+    @Test(
+        "Service is loaded with correct English name",
+        arguments: [
+            ("BluetoothAlways", "Bluetooth Always"),
+            ("SystemPolicyAppBundles", "App Bundles"),
+            ("SystemPolicyAppData", "App Data")
+        ])
+    func serviceIsLoaded(key: String, expectedName: String) throws {
+        let services = PPPCServicesManager()
+        let service = try #require(services.allServices[key])
+
+        // then
+        #expect(service.englishName == expectedName)
     }
 
     @Test("User help with entitlements")

PPPC UtilityTests/TCCProfileImporterTests/TCCProfileImporterTests.swift

@@ -72,7 +72,31 @@ struct TCCProfileImporterTests {
 
         let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
         #expect(!tccProfile.content.isEmpty)
-        #expect(!tccProfile.content[0].services.isEmpty)
+        let services = tccProfile.content[0].services
+        #expect(!services.isEmpty)
+        #expect(services.count == 24, "Profile should contain exactly 24 services")
+        #expect(services["BluetoothAlways"] != nil, "BluetoothAlways service should exist")
+        #expect(services["SystemPolicyAppBundles"] != nil, "SystemPolicyAppBundles service should exist")
+        #expect(services["SystemPolicyAppData"] != nil, "SystemPolicyAppData service should exist")
+    }
+
+    @Test("Legacy profile without new keys imports with dash defaults")
+    func legacyProfileImportsWithDashDefaults() async throws {
+        let tccProfileImporter = TCCProfileImporter()
+        let resourceURL = try getResourceProfile(fileName: "TestTCCUnsignedProfile-Legacy")
+        let tccProfile = try tccProfileImporter.decodeTCCProfile(fileUrl: resourceURL)
+
+        // when
+        let model = Model()
+        await model.importProfile(tccProfile: tccProfile)
+
+        // then
+        #expect(!model.selectedExecutables.isEmpty, "Legacy profile should import at least one executable")
+        for executable in model.selectedExecutables {
+            #expect(executable.policy.BluetoothAlways == "-", "BluetoothAlways should default to dash for legacy profiles")
+            #expect(executable.policy.SystemPolicyAppBundles == "-", "SystemPolicyAppBundles should default to dash for legacy profiles")
+            #expect(executable.policy.SystemPolicyAppData == "-", "SystemPolicyAppData should default to dash for legacy profiles")
+        }
     }
 
     @Test

PPPC UtilityTests/TCCProfileImporterTests/TCCProfileTests.swift

@@ -63,7 +63,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
+            #expect(content.services.count == 5)
             let allFiles = content.services["SystemPolicyAllFiles"]
             #expect(allFiles?.count == 1)
             allFiles?.forEach { policy in
@@ -77,6 +77,9 @@ struct TCCProfileTests {
                 #expect(policy.receiverIdentifierType == "policy receiver id type")
                 #expect(policy.receiverCodeRequirement == "policy receiver code req")
             }
+            #expect(content.services["BluetoothAlways"] != nil, "BluetoothAlways should be included")
+            #expect(content.services["SystemPolicyAppBundles"] != nil, "SystemPolicyAppBundles should be included")
+            #expect(content.services["SystemPolicyAppData"] != nil, "SystemPolicyAppData should be included")
         }
     }
 
@@ -108,7 +111,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
+            #expect(content.services.count == 5)
             let allFiles = content.services["SystemPolicyAllFiles"]
             #expect(allFiles?.count == 1)
             allFiles?.forEach { policy in
@@ -141,13 +144,7 @@ struct TCCProfileTests {
             #expect(content.version == 1)
 
             // then verify the services key
-            #expect(content.services.count == 2)
-            let allFiles = content.services["SystemPolicyAllFiles"]
-            #expect(allFiles?.count == 1)
-            allFiles?.forEach { policy in
-                #expect(policy.allowed == false)
-                #expect(policy.authorization == .allow)
-            }
+            #expect(content.services.count == 5)
         }
     }