Persistent access to security scoped synchronization folders

[i2h3]

To retain access to security scoped locations on a device across sandboxed app launches, their access must be persisted using bookmarks.

Problem

After quitting and launching the client again it no longer could access synchronization folders in the file system.

Solution

Create bookmarks for those security scoped resources and persist them as part of the folder configuration.

[Copilot]

Pull request overview

This PR adds persisted security-scoped bookmark handling on macOS so the client can regain access to user-selected sync folders across app restarts in a sandboxed environment.

Changes:

• Persist per-folder app-scoped security-scoped bookmark data in settings and load it on startup.
• Resolve bookmarks early during folder setup and keep the security-scoped access alive for the folder lifetime.
• Split macOS sandbox helpers into dedicated types and enable the required macOS entitlement.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/gui/folderman.cpp	Resolve persisted bookmarks before filesystem operations; attach access handle to Folder instances.
src/gui/folder.h	Add securityScopedBookmarkData to FolderDefinition; add Folder API/storage for persistent access handle.
src/gui/folder.cpp	Implement storing the persistent access handle; save/load bookmark data in settings.
src/common/utility_mac_sandbox.mm	Add free function to create security-scoped bookmark data from a local path.
src/common/utility_mac_sandbox.h	Expose bookmark-creation helper and include the new sandbox access types.
src/common/macsandboxsecurityscopedaccess.h/.mm	Extract short-lived security-scoped access RAII wrapper into its own type.
src/common/macsandboxpersistentaccess.h/.mm	Add long-lived bookmark resolution + access RAII wrapper for folder lifetime.
src/common/common.cmake	Ensure new macOS sandbox sources are built on Apple platforms.
admin/osx/macosx.entitlements.cmake	Enable app-scope bookmarks entitlement required for persisted bookmarks.
AGENTS.md	Add guidance about splitting types into dedicated source files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Artifact containing the AppImage: nextcloud-appimage-pr-9438.zip

Digest: sha256:e96bb9cb85997213201be241c95ed096cca1cab35d39336177b57668077182c5

To test this change/fix you can download the above artifact file, unzip it, and run it.

Please make sure to quit your existing Nextcloud app and backup your data.

[sonarqubecloud]

Quality Gate failed

Failed conditions
50.0% Coverage on New Code (required ≥ 80%)
80 New Code Smells (required ≤ 0)
C Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE