Add mandatory entitlements check for secure_features as required for Xcode 26+, and rename the mandatory feature to set the minimum required Apple Enhanced Security entitlements to be more significant to end users.

Re-scoped existing TODOs around Apple Enhanced Secuirty support to new issues for tracking.

Cherry-pick: 8134b6a

Author: nglevin

apple/internal/entitlements_support.bzl

@@ -287,6 +287,7 @@ def _process_entitlements(
         # Retrieve the entitlements required by the requested secure features, if there are any.
         secure_features_entitlements = (
             secure_features_support.entitlements_from_secure_features(
+                rule_label = rule_label,
                 secure_features = secure_features,
                 xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
             )

apple/internal/secure_features_support.bzl

@@ -26,10 +26,7 @@ visibility([
 
 # The name of the secure feature that's required for opting into any set of enhanced security
 # features on Xcode 26.0 or later.
-#
-# TODO: b/449684779 - Use this for a mandatory check for the Xcode 26 opt-in feature, since that
-# should always be set if any entitlements are required.
-_REQUIRED_XCODE_26_OPT_IN = "apple.xcode_26_minimum_opt_in"
+_REQUIRED_XCODE_26_OPT_IN = "apple.enable_enhanced_security"
 
 # A map of all of the secure features that requires crosstool support and the entitlements that they
 # enable. If a secure feature does not enable any entitlements, it should be mapped to an empty
@@ -157,6 +154,7 @@ Either remove the secure feature from the "secure_features" attribute to disable
 
 def _entitlements_from_secure_features(
         *,
+        rule_label,
         secure_features,
         xcode_version):
     if not secure_features:
@@ -169,11 +167,23 @@ def _entitlements_from_secure_features(
 
     # Build a set of all of the entitlements that are required by the requested secure features.
     required_entitlements = dict()
+    has_mandatory_xcode_26_opt_in = False
     for feature_name in secure_features:
+        if feature_name == _REQUIRED_XCODE_26_OPT_IN:
+            has_mandatory_xcode_26_opt_in = True
+            continue
         required_entitlements |= _ENTITLEMENTS_FROM_SECURE_FEATURES[feature_name]
 
-    # TODO: b/449684779 - Add a mandatory check for the Xcode 26 opt-in feature, since that should
-    # always be set if any entitlements are required.
+    if not has_mandatory_xcode_26_opt_in:
+        fail("""
+Apple enhanced security features were requested, but the build is missing the required feature \
+"{required_xcode_26_opt_in}" that is needed to enable required entitlements in Xcode 26.0 or later.
+
+Please add it to the "secure_features" rule attribute at `{rule_label}`.
+        """.format(
+            required_xcode_26_opt_in = _REQUIRED_XCODE_26_OPT_IN,
+            rule_label = str(rule_label),
+        ))
 
     return required_entitlements
 
@@ -182,7 +192,7 @@ def _environment_archs_from_secure_features(
         environment_archs,
         require_pointer_authentication_attribute,
         secure_features):
-    # TODO: b/449684779 - Migrate users to secure_features behind an allowlist when it's ready for
+    # TODO: b/466363339 - Migrate users to secure_features behind an allowlist when it's ready for
     # onboarding. Remove this "require_pointer_authentication_attribute" check once
     # pointer_authentication is onboarded.
     if not require_pointer_authentication_attribute:

test/starlark_tests/apple_dynamic_xcframework_import_tests.bzl

@@ -489,7 +489,7 @@ def apple_dynamic_xcframework_import_test_suite(name):
         name = "{}_secure_features_app_fails_importing_xcframework_with_no_expected_secure_features_test".format(name),
         target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_dynamic_xcframework_and_no_expected_secure_features",
         expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_dynamic_xcframework_with_missing_pointer_authentication_secure_features` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
-- apple.xcode_26_minimum_opt_in
+- apple.enable_enhanced_security
 
 Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.""",
         tags = [name],

test/starlark_tests/apple_static_xcframework_import_tests.bzl

@@ -286,7 +286,7 @@ def apple_static_xcframework_import_test_suite(name):
         name = "{}_secure_features_app_fails_importing_xcframework_with_no_expected_secure_features_test".format(name),
         target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_static_xcframework_and_no_expected_secure_features",
         expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_static_xcframework_with_missing_pointer_authentication_secure_features` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
-- apple.xcode_26_minimum_opt_in
+- apple.enable_enhanced_security
 
 Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.""",
         tags = [name],

test/starlark_tests/apple_static_xcframework_tests.bzl

@@ -393,7 +393,7 @@ def apple_static_xcframework_test_suite(name):
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     archive_contents_test(
@@ -408,7 +408,7 @@ def apple_static_xcframework_test_suite(name):
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 

test/starlark_tests/ios_application_tests.bzl

@@ -1380,7 +1380,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1393,7 +1393,22 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
+        ] + common.skip_ci_tags,
+    )
+
+    # Tests that the rules report a user-actionable error when enhanced security features are
+    # requested without the required Xcode 26 opt-in feature assigned to a target.
+    analysis_failure_message_test(
+        name = "{}_enhanced_security_features_missing_xcode_26_opt_in_fail_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_enhanced_security_app_without_required_opt_in",
+        expected_error = """
+Apple enhanced security features were requested, but the build is missing the required feature \
+"apple.enable_enhanced_security" that is needed to enable required entitlements in Xcode 26.0 or later.
+""",
+        tags = [
+            name,
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1410,7 +1425,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1423,7 +1438,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1436,7 +1451,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1453,7 +1468,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1471,7 +1486,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1486,7 +1501,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1501,7 +1516,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1518,7 +1533,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1532,7 +1547,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1546,7 +1561,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1563,7 +1578,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1580,7 +1595,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1594,7 +1609,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1608,7 +1623,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1625,7 +1640,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1643,7 +1658,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1658,7 +1673,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1673,7 +1688,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1690,7 +1705,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1704,7 +1719,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1718,7 +1733,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1736,7 +1751,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform WATCHOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1751,7 +1766,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1766,7 +1781,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 
@@ -1783,7 +1798,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform WATCHOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1797,7 +1812,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     apple_verification_test(
@@ -1811,7 +1826,7 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         },
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
 

test/starlark_tests/ios_static_framework_tests.bzl

@@ -307,7 +307,7 @@ def ios_static_framework_test_suite(name):
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )
     archive_contents_test(
@@ -322,7 +322,7 @@ def ios_static_framework_test_suite(name):
         macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
         tags = [
             name,
-            # TODO: b/449684779 - Remove this tag once Xcode 26+ is the default Xcode.
+            # TODO: b/466364519 - Remove this tag once Xcode 26+ is the default Xcode.
         ] + common.skip_ci_tags,
     )