v1.2.2: copy fidelity, multi-monitor fix, explicit entitlements

- Fix copy fidelity: store text verbatim (no leading/trailing trim) so
  paste from history reproduces what the user actually copied.
- Fix multi-monitor placement: panel opens on the cursor's screen,
  not NSScreen.main.
- Commit explicit `Clip Board.entitlements` with network.client and
  network.server set to false — reviewers can diff the signed binary
  against a source-controlled entitlements file with
  `codesign -d --entitlements -`.
- Launch-at-login now defaults to OFF on fresh installs and only
  reconciles with SMAppService when the user has explicitly set the
  preference (no silent auto-registration).
- Move ImageStore thumbnail downscale off the main thread.
- Hoist ContentView snapshot off body-recompute path (onChange-driven).
- Tighten logger privacy on error.localizedDescription to `.private`.
- Cap AppIconProvider cache at 200 IDs (was unbounded).
- Cache AppPaths URLs (no per-access fileExists syscall).
- Drop dead HotkeyManager.unregisterHotkey().
- Drop ENABLE_TESTABILITY=YES (no test target consumes it).
- Fix MACOSX_DEPLOYMENT_TARGET inconsistency (project 26.0 → 14.0).
- Drop emoji from CFBundleDisplayName.
- Docs: correct sandboxed app-support path in README; add pasteboard
  plaintext caveat and entitlements verification command in SECURITY.md.

Author: Pandey-Jiii

CHANGELOG.md

@@ -2,6 +2,37 @@
 
 All notable changes to this project are documented here. Format loosely follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/); versioning follows [Semantic Versioning](https://semver.org/).
 
+## [1.2.2] — 2026-05-30
+
+### Fixed
+
+- **Copy fidelity.** Leading/trailing whitespace on copied text is no longer stripped from the stored item. Previously, copying ` --flag` or ` :` would lose the leading space when pasted back from history; now items are stored byte-identical to what hit the clipboard. (Empty/whitespace-only copies are still skipped, and dedupe still applies — but on the raw value.)
+- **Multi-monitor panel placement.** The floating panel now opens on the screen the cursor is on, not the screen with the key window. Triggering the hotkey from a secondary display no longer clamps the panel onto your primary display.
+- **Thumbnail downscale moved off the main thread.** ImageIO downscale for newly captured screenshots now runs on the persistence I/O queue, eliminating a UI hitch when capturing large images.
+
+### Changed
+
+- **Launch-at-Login defaults to OFF.** Fresh installs no longer silently register themselves as a LaunchServices job; users opt in explicitly via the menu. Existing installs are unaffected (the stored preference takes precedence).
+- **App display name is now plain "Clip Board"** (dropped the `📎` emoji from `CFBundleDisplayName` — it rendered inconsistently in Spotlight/mini-bar contexts).
+- **Snapshot computation hoisted out of view body.** The filter/partition pass now runs only when its inputs (items, search text, visible limit) actually change, instead of on every hover/selection tick.
+
+### Security / hygiene
+
+- **Explicit `Clip Board.entitlements` checked in.** `com.apple.security.network.client` and `com.apple.security.network.server` are now explicitly `false` in a source-controlled file — reviewers can diff the signed binary's entitlements against the repo's source of truth with `codesign -d --entitlements - "Clip Board.app"`.
+- **Logger privacy tightened.** `error.localizedDescription` values are now logged with `privacy: .private` so disk paths or framework-derived text don't appear in system logs as `.public`.
+- **AppIconProvider cache capped** at 200 distinct bundle IDs (was unbounded).
+- **Sandboxed path corrected in docs.** The README and source comments now reflect that history actually lives under the app's sandbox container, not `~/Library/Application Support`.
+- **Pasteboard plaintext caveat** added to `SECURITY.md` (window between auto-paste and the next copy).
+
+### Removed
+
+- Dead `HotkeyManager.unregisterHotkey()` (never called).
+- Unused `import Combine` in `UIViews.swift`.
+- `ENABLE_TESTABILITY = YES` from Debug config (no test target consumes it).
+- Inconsistent `MACOSX_DEPLOYMENT_TARGET = 26.0` at the project level (target was 14.0; project now matches).
+
+[1.2.2]: https://github.com/Light-House-Group/Clip-Board/releases/tag/v1.2.2
+
 ## [1.2.1] — 2026-05-30
 
 ### Changed

Clip Board.xcodeproj/project.pbxproj

@@ -162,7 +162,6 @@
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				DEVELOPMENT_TEAM = 474XD43PW6;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				ENABLE_TESTABILITY = YES;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GCC_DYNAMIC_NO_PIC = NO;
@@ -179,7 +178,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				ONLY_ACTIVE_ARCH = YES;
@@ -237,7 +236,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				MTL_FAST_MATH = YES;
 				SDKROOT = macosx;
@@ -252,17 +251,18 @@
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				ASSETCATALOG_COMPILER_INCLUDE_ALL_APPICON_ASSETS = YES;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				CODE_SIGN_ENTITLEMENTS = "Clip Board/Clip Board.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4;
+				CURRENT_PROJECT_VERSION = 5;
 				DEVELOPMENT_TEAM = 474XD43PW6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = "Clip-Board-Info.plist";
-				INFOPLIST_KEY_CFBundleDisplayName = "📎 Clipboard";
+				INFOPLIST_KEY_CFBundleDisplayName = "Clip Board";
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.developer-tools";
 				INFOPLIST_KEY_LSUIElement = YES;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "";
@@ -271,7 +271,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14;
-				MARKETING_VERSION = 1.2.1;
+				MARKETING_VERSION = 1.2.2;
 				PRODUCT_BUNDLE_IDENTIFIER = Siddharth.Sangwa.ClipBoard;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
@@ -291,17 +291,18 @@
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				ASSETCATALOG_COMPILER_INCLUDE_ALL_APPICON_ASSETS = YES;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				CODE_SIGN_ENTITLEMENTS = "Clip Board/Clip Board.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 4;
+				CURRENT_PROJECT_VERSION = 5;
 				DEVELOPMENT_TEAM = 474XD43PW6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_USER_SELECTED_FILES = readonly;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = "Clip-Board-Info.plist";
-				INFOPLIST_KEY_CFBundleDisplayName = "📎 Clipboard";
+				INFOPLIST_KEY_CFBundleDisplayName = "Clip Board";
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.developer-tools";
 				INFOPLIST_KEY_LSUIElement = YES;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "";
@@ -310,7 +311,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14;
-				MARKETING_VERSION = 1.2.1;
+				MARKETING_VERSION = 1.2.2;
 				PRODUCT_BUNDLE_IDENTIFIER = Siddharth.Sangwa.ClipBoard;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;

Clip Board/AppAndCrypto.swift

@@ -57,14 +57,19 @@ final class Preferences {
     }
 
     var launchAtLogin: Bool {
-        get { defaults.object(forKey: Keys.launchAtLogin) as? Bool ?? true }
+        get { defaults.object(forKey: Keys.launchAtLogin) as? Bool ?? false }
         set {
             defaults.set(newValue, forKey: Keys.launchAtLogin)
             applyLaunchAtLogin(newValue)
         }
     }
 
+    /// Reconcile the SMAppService registration with the stored preference, but only when
+    /// the user has *explicitly* set a value. A fresh install must not silently register
+    /// itself with LaunchServices — that's exactly the kind of invisible-install behavior
+    /// the rest of this app is built to avoid.
     func syncLaunchAtLoginOnStartup() {
+        guard defaults.object(forKey: Keys.launchAtLogin) != nil else { return }
         applyLaunchAtLogin(launchAtLogin)
     }
 
@@ -76,7 +81,7 @@ final class Preferences {
             if on { try SMAppService.mainApp.register() }
             else  { try SMAppService.mainApp.unregister() }
         } catch {
-            Log.app.error("Launch-at-login toggle failed: \(error.localizedDescription, privacy: .public)")
+            Log.app.error("Launch-at-login toggle failed: \(error.localizedDescription, privacy: .private)")
         }
     }
 }
@@ -185,23 +190,29 @@ final class KeyManager {
 
 // MARK: - App Support Paths
 
-/// Centralized on-disk locations, each created with tight permissions on first access.
+/// Centralized on-disk locations, each created with tight permissions once at first use.
+///
+/// Under the app sandbox, `applicationSupportDirectory` resolves to the container path
+/// (`~/Library/Containers/<bundle-id>/Data/Library/Application Support/ClipboardManager`),
+/// not the global `~/Library/Application Support`. Either way, it's per-user and
+/// inaccessible to other apps without the user explicitly granting access.
 enum AppPaths {
-    /// `~/Library/Application Support/ClipboardManager` (0700).
-    static var base: URL {
+    /// `…/Application Support/ClipboardManager` (0700). Cached — created once.
+    static let base: URL = {
         let fm = FileManager.default
-        let appSupport = fm.urls(for: .applicationSupportDirectory, in: .userDomainMask).first!
+        let appSupport = fm.urls(for: .applicationSupportDirectory, in: .userDomainMask).first
+            ?? fm.temporaryDirectory
         let folder = appSupport.appendingPathComponent("ClipboardManager", isDirectory: true)
         ensureDirectory(folder)
         return folder
-    }
+    }()
 
-    /// `…/ClipboardManager/images` (0700) — encrypted per-image files.
-    static var imagesFolder: URL {
+    /// `…/ClipboardManager/images` (0700) — encrypted per-image files. Cached.
+    static let imagesFolder: URL = {
         let folder = base.appendingPathComponent("images", isDirectory: true)
         ensureDirectory(folder)
         return folder
-    }
+    }()
 
     private static func ensureDirectory(_ url: URL) {
         let fm = FileManager.default
@@ -210,7 +221,7 @@ enum AppPaths {
             try fm.createDirectory(at: url, withIntermediateDirectories: true,
                                    attributes: [.posixPermissions: 0o700])
         } catch {
-            Log.persistence.error("Failed to create \(url.lastPathComponent, privacy: .public): \(error.localizedDescription, privacy: .public)")
+            Log.persistence.error("Failed to create \(url.lastPathComponent, privacy: .public): \(error.localizedDescription, privacy: .private)")
         }
     }
 }
@@ -249,21 +260,25 @@ final class ImageStore {
     }
 
     /// Encrypts and writes PNG bytes asynchronously (file mode 0600). Seeds the in-memory
-    /// caches synchronously so the new item is renderable before the write completes.
+    /// `pendingPNG` synchronously so the new item is already renderable (decode via
+    /// `loadPNG`) before the write lands; the ImageIO thumbnail downscale runs on `ioQueue`
+    /// (large screenshots are too heavy to decode on main).
     func save(png: Data, fileName: String) {
         pendingLock.lock(); pendingPNG[fileName] = png; pendingLock.unlock()
-        if let thumb = Self.makeThumbnail(from: png, maxPixelSize: 800) {
-            thumbnailCache.setObject(thumb, forKey: cacheKey(fileName, 800))
-        }
 
         let url = url(for: fileName)
+        let thumbKey = cacheKey(fileName, 800)
         ioQueue.async {
+            // NSCache is thread-safe; populate the thumbnail off-main.
+            if let thumb = Self.makeThumbnail(from: png, maxPixelSize: 800) {
+                self.thumbnailCache.setObject(thumb, forKey: thumbKey)
+            }
             do {
                 let encrypted = try KeyManager.shared.encrypt(data: png)
                 try encrypted.write(to: url, options: .atomic)
                 try? FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: url.path)
             } catch {
-                Log.persistence.error("Image save failed: \(error.localizedDescription, privacy: .public)")
+                Log.persistence.error("Image save failed: \(error.localizedDescription, privacy: .private)")
             }
             self.pendingLock.lock(); self.pendingPNG[fileName] = nil; self.pendingLock.unlock()
         }
@@ -378,7 +393,7 @@ final class PersistenceManager {
                 try encrypted.write(to: url, options: .atomic)
                 try? FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: url.path)
             } catch {
-                Log.persistence.error("Save failed: \(error.localizedDescription, privacy: .public)")
+                Log.persistence.error("Save failed: \(error.localizedDescription, privacy: .private)")
             }
         }
     }
@@ -390,14 +405,14 @@ final class PersistenceManager {
         do {
             data = try Data(contentsOf: url)
         } catch {
-            Log.persistence.error("Failed to read history file: \(error.localizedDescription, privacy: .public)")
+            Log.persistence.error("Failed to read history file: \(error.localizedDescription, privacy: .private)")
             return []
         }
         let decrypted: Data
         do {
             decrypted = try KeyManager.shared.decrypt(data)
         } catch {
-            Log.persistence.error("Decrypt failed; quarantining file. \(error.localizedDescription, privacy: .public)")
+            Log.persistence.error("Decrypt failed; quarantining file. \(error.localizedDescription, privacy: .private)")
             quarantine(url: url)
             return []
         }
@@ -418,9 +433,9 @@ final class PersistenceManager {
         let target = url.deletingLastPathComponent().appendingPathComponent("history.broken-\(ts)")
         do {
             try FileManager.default.moveItem(at: url, to: target)
-            Log.persistence.info("Quarantined corrupt history to \(target.lastPathComponent, privacy: .public)")
+            Log.persistence.info("Quarantined corrupt history to \(target.lastPathComponent, privacy: .private)")
         } catch {
-            Log.persistence.error("Quarantine failed: \(error.localizedDescription, privacy: .public)")
+            Log.persistence.error("Quarantine failed: \(error.localizedDescription, privacy: .private)")
         }
     }
 }
@@ -434,7 +449,7 @@ final class AppDelegate: NSObject, NSApplicationDelegate {
     func applicationDidFinishLaunching(_ notification: Notification) {
         // 1. Encryption key must exist before persistence load.
         do { try KeyManager.shared.ensureKeyExists() }
-        catch { Log.crypto.error("ensureKeyExists failed: \(error.localizedDescription, privacy: .public)") }
+        catch { Log.crypto.error("ensureKeyExists failed: \(error.localizedDescription, privacy: .private)") }
 
         // 2. Load persisted history.
         itemsVM = ItemsViewModel()

Clip Board/Clip Board.entitlements

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<false/>
+	<key>com.apple.security.network.server</key>
+	<false/>
+	<key>com.apple.security.device.audio-input</key>
+	<false/>
+	<key>com.apple.security.device.camera</key>
+	<false/>
+	<key>com.apple.security.personal-information.location</key>
+	<false/>
+	<key>com.apple.security.personal-information.addressbook</key>
+	<false/>
+	<key>com.apple.security.personal-information.calendars</key>
+	<false/>
+	<key>com.apple.security.files.user-selected.read-only</key>
+	<true/>
+</dict>
+</plist>

Clip Board/History.swift

@@ -81,18 +81,20 @@ final class ItemsViewModel: ObservableObject {
 
     private func scheduleSave() { saveSubject.send(()) }
 
-    /// Adds a text item; preserves internal whitespace/newlines, only trims leading/trailing,
-    /// and truncates beyond `maxItemChars`. Dedupes by exact equality of the stored text
-    /// (an existing match moves to the top and refreshes its date + source app).
+    /// Adds a text item. Stores the copied text **verbatim** (whitespace preserved) so that
+    /// pasting from history reproduces what the user actually copied — important for things
+    /// like ` --flag`, ` :`, or anything where a leading/trailing space carries meaning.
+    /// Truncates beyond `maxItemChars`. Dedupes by exact-equal stored text (an existing match
+    /// moves to the top and refreshes its date + source app).
     func addText(_ text: String, sourceBundleID: String? = nil, sourceAppName: String? = nil) {
-        let trimmed = text.trimmingCharacters(in: .whitespacesAndNewlines)
-        guard !trimmed.isEmpty else { return }
+        // Skip all-whitespace copies, but DO NOT mutate the stored value with trim.
+        guard !text.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else { return }
 
         let stored: String
-        if trimmed.count > Self.maxItemChars {
-            stored = String(trimmed.prefix(Self.maxItemChars)) + Self.truncationMarker
+        if text.count > Self.maxItemChars {
+            stored = String(text.prefix(Self.maxItemChars)) + Self.truncationMarker
         } else {
-            stored = trimmed
+            stored = text
         }
 
         if let existingIndex = items.firstIndex(where: { !$0.isImage && $0.text == stored }) {
@@ -391,18 +393,6 @@ final class HotkeyManager {
         }
     }
 
-    func unregisterHotkey() {
-        if let ref = hotKeyRef {
-            let status = UnregisterEventHotKey(ref)
-            if status != noErr { Log.hotkey.error("Unregister hotkey failed: \(status)") }
-            hotKeyRef = nil
-        }
-        if let handlerRef = eventHandlerRef {
-            RemoveEventHandler(handlerRef)
-            eventHandlerRef = nil
-        }
-        handler = nil
-    }
 }
 
 // MARK: - Auto Paster
@@ -518,8 +508,12 @@ final class AutoPaster {
 
 /// Resolves and caches app icons by bundle identifier, for the per-item source-app chip.
 /// Main-thread only (NSWorkspace); cheap and cached, so safe to call during view body.
+/// Capped at `cacheLimit` distinct bundle IDs — well above any realistic distinct-app
+/// count for one user's clipboard history, but bounded so a long-lived session can't grow
+/// without limit.
 enum AppIconProvider {
     private static var cache: [String: NSImage] = [:]
+    private static let cacheLimit = 200
 
     static func icon(forBundleID id: String?) -> NSImage? {
         guard let id, !id.isEmpty else { return nil }
@@ -530,7 +524,10 @@ enum AppIconProvider {
         } else if let url = NSWorkspace.shared.urlForApplication(withBundleIdentifier: id) {
             icon = NSWorkspace.shared.icon(forFile: url.path)
         }
-        if let icon { cache[id] = icon }
+        if let icon {
+            if cache.count >= cacheLimit { cache.removeAll(keepingCapacity: true) }
+            cache[id] = icon
+        }
         return icon
     }
 }