test: add macOS-CLI sample to reproduce sandbox profiling issue #7294

Draft
philprime wants to merge 1 commit into main from philprime/issue-7281

@philprime philprime commented Jan 27, 2026

Add a sample macOS CLI application to investigate app launch profiling failures in sandboxed environments.

Problem

When using the binary Sentry dependency in a sandboxed macOS CLI application, app launch profiling fails with permission errors when trying to create directories in /Users/.../Library/Caches/. The error occurs because the sandbox restricts file system access.

Investigation Setup

This PR adds a minimal reproduction sample with two executables:

  • cli-with-binary: Uses binary Sentry dependency (reproduces the error)
  • cli-with-spm: Uses SentrySPM dependency (works correctly)

The sample includes:

  • A sandbox configuration (sandbox.sb) that denies access to /Users directory
  • Both executables depend on grpc-swift as it's required to trigger the error
  • Library evolution disabled for SentrySPM to reproduce the issue

Error Observed

When running make exec-sandboxed-cli-with-binary, the following error occurs:

$ make exec-sandboxed-cli-with-binary 
Building cli-with-binary...
swift build --product cli-with-binary
Building for debugging...
[1/1] Write swift-version--FE76C4972A19952.txt
Build of product 'cli-with-binary' complete! (10.52s)
sandbox-exec -f sandbox.sb -- .build/arm64-apple-macosx/debug/cli-with-binary

[Sentry] [error] [1769525127.039809] [SentryFileManagerHelper:799] Can't create base path to store launch profile config file: Error Domain=SentryErrorDomain Code=108 "Failed to create the directory at path /Users/philip/Library/Caches/cli-with-binary/io.sentry." UserInfo={NSLocalizedDescription=Failed to create the directory at path /Users/philip/Library/Caches/cli-with-binary/io.sentry., NSUnderlyingError=0x1053c7860 {Error Domain=NSCocoaErrorDomain Code=513 "You don’t have permission to save the file “io.sentry” in the folder “cli-with-binary”." UserInfo={NSFilePath=/Users/philip/Library/Caches/cli-with-binary/io.sentry, NSURL=file:///Users/philip/Library/Caches/cli-with-binary/io.sentry, NSUnderlyingError=0x1053c7360 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}}}
[Sentry] [error] [1769525127.039846] [SentryFileManagerHelper:846] Failed to construct the URL to check for launch profile configs.
Hello World!

The SPM version (cli-with-spm) runs successfully without errors.

$ make exec-sandboxed-cli-with-spm   
Building cli-with-spm...
swift build --product cli-with-spm
[1/1] Planning build
Building for debugging...
[6/6] Applying cli-with-spm
Build of product 'cli-with-spm' complete! (15.73s)
sandbox-exec -f sandbox.sb -- .build/arm64-apple-macosx/debug/cli-with-spm
Hello World!

Next Steps

This sample will help investigate why the binary dependency behaves differently from the SPM dependency in sandboxed environments and determine the appropriate fix.

Closes #7281

Add a sample macOS CLI application to investigate app launch profiling
failures in sandboxed environments. The sample includes two executables:
- cli-with-binary: Uses binary Sentry dependency (reproduces error)
- cli-with-spm: Uses SentrySPM dependency (works correctly)

The binary dependency fails when trying to create directories in
/Users/.../Library/Caches/ due to sandbox restrictions, while the SPM
version works fine.

Disabled library evolution for SentrySPM to reproduce the issue.
Added grpc-swift dependency as it's required to trigger the error.

Refs #7281
@philprime philprime marked this pull request as draft January 27, 2026 14:47
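
An added example, not part of the PR or of the Sentry code base: a small triage helper that walks the nested `Error Domain=... Code=...` chain in a log line like the one quoted in the description and reports whether the innermost error is a permission failure on a path under a prefix the sandbox profile denies. The function names and the `denied_prefixes` parameter are assumptions made for this illustration.

```python
import re

# Abridged copy of the first error line quoted in the PR description (the
# NSLocalizedDescription fields and the NSURL field are left out).
SAMPLE = (
    "[Sentry] [error] [1769525127.039809] [SentryFileManagerHelper:799] "
    "Can't create base path to store launch profile config file: "
    'Error Domain=SentryErrorDomain Code=108 "Failed to create the directory at path '
    '/Users/philip/Library/Caches/cli-with-binary/io.sentry." '
    "UserInfo={NSUnderlyingError=0x1053c7860 {Error Domain=NSCocoaErrorDomain Code=513 "
    "UserInfo={NSFilePath=/Users/philip/Library/Caches/cli-with-binary/io.sentry, "
    "NSUnderlyingError=0x1053c7360 {Error Domain=NSPOSIXErrorDomain Code=1 "
    '"Operation not permitted"}}}}'
)

ERROR_RE = re.compile(r"Error Domain=(\w+) Code=(-?\d+)")
PATH_RE = re.compile(r"NSFilePath=([^,}]+)")
# errno values that a refused file operation surfaces as.
DENIED_ERRNOS = {1: "EPERM", 13: "EACCES"}


def error_chain(line):
    """Return [(domain, code), ...] ordered from outermost to innermost error."""
    return [(domain, int(code)) for domain, code in ERROR_RE.findall(line)]


def classify(line, denied_prefixes=("/Users",)):
    """Classify one log line; denied_prefixes mirrors what the sandbox profile denies."""
    chain = error_chain(line)
    if not chain:
        return None  # not an NSError line, e.g. the program's own output
    domain, code = chain[-1]  # the innermost error is the root cause
    match = PATH_RE.search(line)
    path = match.group(1).strip() if match else None
    denied = domain == "NSPOSIXErrorDomain" and code in DENIED_ERRNOS
    in_scope = path is not None and any(
        path == p or path.startswith(p.rstrip("/") + "/") for p in denied_prefixes
    )
    return {
        "chain": chain,
        "errno": DENIED_ERRNOS.get(code) if denied else None,
        "path": path,
        "sandbox_denial": denied and in_scope,
    }


if __name__ == "__main__":
    print(classify(SAMPLE))
```

A permission errno alone does not prove the sandbox was the cause, which is why the result is only flagged when the failing path also falls under a denied prefix.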

github-actions bot commented Jan 27, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • Transport logs error message for HTTP 413 responses by philipphofmann in #7261
  • Add install_groups support by noahsmartin in #7278

Bug Fixes 🐛

  • Prevent deadlock in SentryReachability by notifying observers outside the lock by itaybre in #7246

Internal Changes 🔧

Deps

  • Bump ruby/setup-ruby from 1.284.0 to 1.286.0 by dependabot in #7290
  • Bump getsentry/craft from 2.19.0 to 2.20.0 by dependabot in #7287
  • Bump fastlane from 2.231.0 to 2.231.1 by dependabot in #7286
  • Bump getsentry/craft/.github/workflows/changelog-preview.yml from 2.19.0 to 2.20.0 by dependabot in #7288
  • Update swiftlint version by github-actions in #7291
  • Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 by dependabot in #7289

Other

  • (release) Fix changelog-preview permissions by BYK in #7262
  • Convert AutoBreadcrumbTrackingIntegration to Swift by philprime in #7158
  • Fix SwiftLint script warning by itaybre in #7267
  • Convert SentryNSDataSwizzling and SentryNSFileManagerSwizzling to Swift by itaybre in #7209
  • Convert SentrySessionReplayIntegration to Swift by itaybre in #7102
  • Fix incomplete comment by itaybre in #7239

Other

  • test: add macOS-CLI sample to reproduce sandbox profiling issue by philprime in #7294
  • test: Fix SentryDestinationTests to handle array type for tags by itaybre in #7240

🤖 This preview updates automatically when you update the PR.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

path: "Sources/Swift",
swiftSettings: [
.unsafeFlags(["-enable-library-evolution"])
// .unsafeFlags(["-enable-library-evolution"])
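
Review bot: The `-enable-library-evolution` flag is commented out in place on the second `.unsafeFlags` line, which leaves dead code in the `swiftSettings` of the target at `Sources/Swift` with no note on why it is off or when it should come back. The PR description says the flag is disabled only to reproduce the issue, so either annotate the line with a reference to #7281 or keep the toggle out of this manifest so the change cannot be merged unnoticed.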

Production library evolution flag accidentally disabled in main Package

High Severity

The -enable-library-evolution flag is being commented out in the main Package.swift, affecting the production SentrySwift target used by all SentrySPM consumers. This PR is described as adding a test sample to reproduce an issue, but this change modifies production code and disables Swift library evolution for the entire library. Library evolution provides ABI stability guarantees; disabling it could break binary compatibility for downstream consumers who depend on stable module interfaces.

swift build --product cli-with-binary

exec-sandboxed-cli-with-binary: build-cli-with-binary
sandbox-exec -f sandbox.sb -- .build/arm64-apple-macosx/debug/cli-with-binary
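
Review bot: The `exec-sandboxed-cli-with-binary` recipe hardcodes the build output directory `.build/arm64-apple-macosx/debug/`, so the sandboxed run only works where the build lands in that exact triple and configuration. Consider resolving the directory with `swift build --show-bin-path` and passing the result to `sandbox-exec`, so the recipe follows whatever the preceding `swift build --product cli-with-binary` actually produced.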

Hardcoded arm64 architecture path excludes Intel Macs

Low Severity

The Makefile hardcodes .build/arm64-apple-macosx/debug/ paths for the executable targets. This path is architecture-specific and won't exist on Intel Macs, where Swift build output goes to .build/x86_64-apple-macosx/debug/ instead. The sample will fail to run on Intel-based macOS systems.


codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.609%. Comparing base (71d0bfb) to head (11857bc).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

@@              Coverage Diff              @@
##              main     #7294       +/-   ##
=============================================
- Coverage   85.038%   84.609%   -0.429%     
=============================================
  Files          472       467        -5     
  Lines        28466     28355      -111     
  Branches     12475     12339      -136     
=============================================
- Hits         24207     23991      -216     
- Misses        4212      4315      +103     
- Partials        47        49        +2     

see 24 files with indirect coverage changes


@philprime philprime self-assigned this Jan 27, 2026

Development

Successfully merging this pull request may close these issues.

Remove app launch profiling error for sandboxed execution
