Wrap ZitiIdentity.key and its tests with CZITI_TEST_INSECURE_KEYS

Author: smilindave26

CZitiTests/ZitiIdentityTests.swift

@@ -86,6 +86,7 @@ class ZitiIdentityTests: XCTestCase {
         XCTAssertEqual(decoded.startDisabled, true)
     }
 
+#if CZITI_TEST_INSECURE_KEYS
     func testKeyDefaultsToNil() throws {
         let id = ZitiIdentity(id: "x", ztAPIs: ["https://ctrl:1280"])
         XCTAssertNil(id.key)
@@ -104,6 +105,7 @@ class ZitiIdentityTests: XCTestCase {
         let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: data)
         XCTAssertEqual(decoded.key, pem)
     }
+#endif
 
     func testDecodeOldZidWithoutKeyField() throws {
         // Existing .zid files in the wild never have a key field. Must still decode.
@@ -112,6 +114,5 @@ class ZitiIdentityTests: XCTestCase {
         """
         let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: json.data(using: .utf8)!)
         XCTAssertEqual(decoded.id, "legacy")
-        XCTAssertNil(decoded.key)
     }
 }

lib/ZitiIdentity.swift

@@ -53,14 +53,12 @@ import Foundation
     /// Certificates (PEM)
     @objc public var certs:String?
 
-    /// Private key (PEM).
-    ///
-    /// Only populated by builds compiled with `CZITI_TEST_INSECURE_KEYS`. Release builds
-    /// keep the private key in the keychain and leave this field nil. If this field is
-    /// populated in a loaded identity, `Ziti.run()` (in an insecure-keys build) will use
-    /// it directly instead of reading from the keychain. This field is never populated
-    /// or read by release builds.
+#if CZITI_TEST_INSECURE_KEYS
+    /// Private key (PEM). Only present in builds compiled with `CZITI_TEST_INSECURE_KEYS`.
+    /// The enrollment flow writes the ephemeral key here so `Ziti.run()` can use it
+    /// without touching the data protection keychain.
     @objc public var key:String?
+#endif
 
     /// CA pool verified as part of enrollment that can be used to establish trust with of the  Ziti controller
     @objc public var ca:String?