Move each app onto its own private keychain access group

[crazytonyli]

Note

Last of a three-PR stack, on top of #25649. This is the PR that changes runtime behavior.

Description

1. Each app family gets its own private keychain access group (3TMU3BH3NK.org.wordpress.wordpress, .jetpack, .reader), listed first in the entitlements so it becomes the default write target; the legacy shared group stays second for the migration contract. The Jetpack share, draft action, and notification service extension targets get their own entitlements files, since they previously reused the WordPress ones.
2. KeychainGroupMigrator runs at launch in both apps: a one-time copy of existing items into the private group, then the coordinated sweep of the shared group once both apps have copied.
3. Reader stops inheriting the Jetpack session: it gets only its private group and its own auth service name. Existing Reader installs (internal TestFlight) are signed out on update. This is deliberate.

Two transition tradeoffs are deliberate and documented in the code:

• The pre-change WordPress token stays in the shared group until the user logs out. The sweep preserves that item because it is the migration handoff: old WordPress versions cannot republish it, and deleting it would break migrating to Jetpack from an old install. It gets cleaned up at logout, or in a later cleanup phase once pre-change versions are negligible.
• While the counterpart app still runs a pre-change version, a credential it rewrites in the shared group (for example a changed self-hosted password) is shadowed by this app's private copy until re-entered. The copy is insert-only because the alternative, overwriting on retry, could revert credentials written after the update.

No Apple Developer portal or provisioning changes are needed: the profiles grant keychain-access-groups as a team-prefix wildcard, which covers the new groups.

Testing instructions

Device only, the simulator ignores keychain access groups:

• Update signed-in builds of both apps to this branch; confirm neither logs out.
• Run the WordPress-to-Jetpack migration, including from a new WordPress build to an App Store Jetpack build (the handoff token must land where old versions look for it).
• After updating without launching the app, send a push; the notification service extension must still render content.

[dangermattic]

	1 Message
📖	This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.

	App Name	WordPress
	Configuration	Release-Alpha
	Build Number	32588
	Version	PR #25650
	Bundle ID	org.wordpress.alpha
	Commit	89dec53
	Installation URL	5buhg4bhnjdmo

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.

	App Name	Jetpack
	Configuration	Release-Alpha
	Build Number	32588
	Version	PR #25650
	Bundle ID	com.jetpack.alpha
	Commit	89dec53
	Installation URL	6tt5g7qm5g2co

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

🤖 Build Failure Analysis

This build has failures. Claude has analyzed them - check the build annotations for details.