fix(mobile): gate iOS browser entrypoints (#3693)

* fix(mobile): gate iOS browser entrypoints

* fix(mobile): simplify denied auth copy

* fix(mobile): simplify iOS KiloClaw access state

* fix(auth): derive device auth app mode

* fix(web): reuse privacy policy content

* Revert "fix(web): reuse privacy policy content"

This reverts commit 841e26c.

* fix(web): add privacy policy fallback

* fix(web): avoid privacy fallback email literal

Author: iscekic

apps/mobile/src/components/consent/consent-card.tsx

@@ -10,11 +10,12 @@ import { type ConsentMode, getConsentActions } from '@/components/consent/consen
 import { Button } from '@/components/ui/button';
 import { Text } from '@/components/ui/text';
 import { useAuth } from '@/lib/auth/auth-context';
+import { WEB_BASE_URL } from '@/lib/config';
 import { acceptConsent, revokeConsent } from '@/lib/consent';
 import { useCurrentUserId } from '@/lib/hooks/use-current-user-id';
 import { useThemeColors } from '@/lib/hooks/use-theme-colors';
 
-const PRIVACY_URL = 'https://kilo.ai/privacy';
+const PRIVACY_URL = `${WEB_BASE_URL}/privacy-app`;
 
 type ConsentCardProps = {
   readonly mode?: ConsentMode;

apps/mobile/src/components/consent/consent-details.tsx

@@ -7,8 +7,9 @@ import { Section } from '@/components/consent/section';
 import { ScreenHeader } from '@/components/screen-header';
 import { Button } from '@/components/ui/button';
 import { Text } from '@/components/ui/text';
+import { WEB_BASE_URL } from '@/lib/config';
 
-const PRIVACY_URL = 'https://kilo.ai/privacy';
+const PRIVACY_URL = `${WEB_BASE_URL}/privacy-app`;
 
 export function ConsentDetails() {
   const router = useRouter();

apps/mobile/src/components/kiloclaw/access-required-screen.tsx

@@ -8,7 +8,7 @@ import {
   ShieldAlert,
 } from 'lucide-react-native';
 import { useEffect, useRef } from 'react';
-import { Linking, View } from 'react-native';
+import { Linking, Platform, View } from 'react-native';
 
 import { Button, type ButtonProps } from '@/components/ui/button';
 import { Text } from '@/components/ui/text';
@@ -22,67 +22,67 @@ import { WEB_BASE_URL } from '@/lib/config';
 import { useThemeColors } from '@/lib/hooks/use-theme-colors';
 import { cn } from '@/lib/utils';
 
-type CtaVariant = Extract<ButtonProps['variant'], 'default' | 'outline'>;
-
 export type { AccessRequiredSubcase };
 
+type CtaVariant = Extract<ButtonProps['variant'], 'default' | 'outline'>;
+
 type SubcaseContent = {
-  icon: LucideIcon;
-  tone: ToneKey;
-  title: string;
   body: string;
   ctaLabel: string;
   ctaVariant: CtaVariant;
+  icon: LucideIcon;
+  title: string;
+  tone: ToneKey;
 };
 
 const SUBCASE_CONTENT: Record<AccessRequiredSubcase, SubcaseContent> = {
   trial_expired: {
-    icon: Clock,
-    tone: 'warn',
-    title: 'Subscribe on the web',
     body: "To keep using KiloClaw, go to kilo.ai/claw from your browser. You can't subscribe in the app.",
     ctaLabel: 'Open kilo.ai/claw',
     ctaVariant: 'default',
+    icon: Clock,
+    title: 'Subscribe on the web',
+    tone: 'warn',
   },
   subscription_canceled: {
-    icon: PauseCircle,
-    tone: 'warn',
-    title: 'Subscribe on the web',
     body: "To use KiloClaw, go to kilo.ai/claw from your browser. You can't subscribe in the app.",
     ctaLabel: 'Open kilo.ai/claw',
     ctaVariant: 'default',
+    icon: PauseCircle,
+    title: 'Subscribe on the web',
+    tone: 'warn',
   },
   subscription_past_due: {
-    icon: AlertTriangle,
-    tone: 'danger',
-    title: 'Update payment on the web',
     body: "We had trouble with your most recent payment. Go to kilo.ai/claw from your browser to update it. You can't manage billing in the app.",
     ctaLabel: 'Open kilo.ai/claw',
     ctaVariant: 'default',
+    icon: AlertTriangle,
+    title: 'Update payment on the web',
+    tone: 'danger',
   },
   quarantined: {
-    icon: ShieldAlert,
-    tone: 'danger',
-    title: 'Instance needs remediation',
     body: "Your KiloClaw instance is in a quarantined state and can't be used right now. Our team needs to help restore it.",
     ctaLabel: 'Continue on kilo.ai',
     ctaVariant: 'outline',
+    icon: ShieldAlert,
+    title: 'Instance needs remediation',
+    tone: 'danger',
   },
   multiple_current_conflict: {
-    icon: AlertTriangle,
-    tone: 'warn',
-    title: 'Account needs review',
     body: "We found more than one active subscription on your account, so we've paused things to avoid double-billing you.",
     ctaLabel: 'Continue on kilo.ai',
     ctaVariant: 'outline',
+    icon: AlertTriangle,
+    title: 'Account needs review',
+    tone: 'warn',
   },
   non_canonical_earlybird: {
-    icon: LifeBuoy,
-    tone: 'warn',
-    title: 'Legacy plan detected',
     body: 'Your early-access plan needs a manual review before it can be used on mobile.',
     ctaLabel: 'Continue on kilo.ai',
     ctaVariant: 'outline',
+    icon: LifeBuoy,
+    title: 'Legacy plan detected',
+    tone: 'warn',
   },
 };
 
@@ -119,6 +119,31 @@ export function AccessRequiredScreen({ subcase }: Readonly<AccessRequiredScreenP
     void Linking.openURL(target);
   };
 
+  if (Platform.OS === 'ios') {
+    const iosTint = toneColor('warn');
+    const iosIconColor = colors[iosTint.hueThemeKey];
+
+    return (
+      <View className="w-full flex-1 items-center justify-center gap-6 px-6">
+        <View
+          className={cn(
+            'h-24 w-24 items-center justify-center rounded-3xl border',
+            iosTint.tileBgClass,
+            iosTint.tileBorderClass
+          )}
+        >
+          <AlertTriangle size={40} color={iosIconColor} />
+        </View>
+        <View className="items-center gap-2">
+          <Text className="text-center text-2xl font-semibold">KiloClaw unavailable in iOS</Text>
+          <Text variant="muted" className="text-center text-base">
+            KiloClaw access is managed outside the iOS app for this account.
+          </Text>
+        </View>
+      </View>
+    );
+  }
+
   return (
     <View className="w-full flex-1 items-center justify-center gap-6 px-6">
       <View

apps/mobile/src/components/login-screen.tsx

@@ -19,7 +19,7 @@ function errorMessage(status: string, fallback: string | undefined) {
       return 'Your sign-in code has expired. Please try again.';
     }
     case 'denied': {
-      return 'Access was denied. Please contact your administrator.';
+      return 'Access was denied.';
     }
     default: {
       return fallback ?? 'Something went wrong. Please try again.';

apps/mobile/src/lib/auth/use-device-auth.ts

@@ -127,7 +127,7 @@ export function useDeviceAuth(): DeviceAuthResult {
       });
 
       try {
-        const response = await fetch(`${API_BASE_URL}/api/device-auth/codes`, {
+        const response = await fetch(`${API_BASE_URL}/api/device-auth/codes?app=1`, {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
         });
@@ -156,7 +156,7 @@ export function useDeviceAuth(): DeviceAuthResult {
         const browserUrl =
           mode === 'signup'
             ? `${WEB_BASE_URL}/users/sign_in?${new URLSearchParams({
-                callbackPath: `/device-auth?code=${data.code}`,
+                callbackPath: `/device-auth?code=${data.code}&app=1`,
                 signup: 'true',
               }).toString()}`
             : data.verificationUrl;

apps/mobile/src/lib/kilo-pass/subscription-card-state.test.ts

@@ -24,6 +24,46 @@ describe('getKiloPassSubscriptionCardState', () => {
     });
   });
 
+  it('keeps Stripe-managed Kilo Pass inert on iOS', () => {
+    expect(
+      getKiloPassSubscriptionCardState(
+        {
+          cancelAtPeriodEnd: false,
+          currentPeriodBaseCreditsUsd: 49,
+          paymentProvider: 'stripe',
+          refillAt: '2026-06-08T15:21:05.000Z',
+          status: 'active',
+        },
+        { platformOS: 'ios' }
+      )
+    ).toEqual({
+      action: 'none',
+      actionLabel: null,
+      description: '$49 monthly credits · This Kilo Pass is managed on web',
+      title: 'Kilo Pass active',
+    });
+  });
+
+  it('keeps canceling Stripe-managed Kilo Pass inert on iOS', () => {
+    expect(
+      getKiloPassSubscriptionCardState(
+        {
+          cancelAtPeriodEnd: true,
+          currentPeriodBaseCreditsUsd: 49,
+          paymentProvider: 'stripe',
+          refillAt: '2026-06-08T15:21:05.000Z',
+          status: 'active',
+        },
+        { platformOS: 'ios' }
+      )
+    ).toEqual({
+      action: 'none',
+      actionLabel: null,
+      description: '$49 monthly credits · Ends June 8, 2026 · This Kilo Pass is managed on web',
+      title: 'Kilo Pass canceling',
+    });
+  });
+
   it('keeps unsubscribed users on the App Store purchase path', () => {
     expect(getKiloPassSubscriptionCardState(null)).toEqual({
       action: 'open-store-sheet',

apps/mobile/src/lib/kilo-pass/subscription-card-state.ts

@@ -239,6 +239,17 @@ export function getKiloPassSubscriptionCardState(
     });
   }
 
+  if (options.platformOS === 'ios') {
+    return {
+      action: 'none',
+      actionLabel: null,
+      description: subscription.cancelAtPeriodEnd
+        ? `${credits} · Ends ${formatSubscriptionEndDate(subscription.refillAt)} · This Kilo Pass is managed on web`
+        : `${credits} · This Kilo Pass is managed on web`,
+      title: subscription.cancelAtPeriodEnd ? 'Kilo Pass canceling' : 'Kilo Pass active',
+    };
+  }
+
   if (subscription.cancelAtPeriodEnd) {
     return {
       action: 'open-web-management',

apps/web/src/app/api/device-auth/codes/route.ts

@@ -2,8 +2,12 @@ import { NextResponse } from 'next/server';
 import { createDeviceAuthRequest } from '@/lib/device-auth/device-auth';
 import { headers } from 'next/headers';
 import { APP_URL } from '@/lib/constants';
+import {
+  buildDeviceAuthVerificationUrl,
+  getDeviceAuthAppModeFromRequestUrl,
+} from '@/app/device-auth/device-auth-url';
 
-export async function POST(_request: Request) {
+export async function POST(request: Request) {
   const headersList = await headers();
   const userAgent = headersList.get('user-agent') || undefined;
   const ipAddress = headersList.get('x-forwarded-for') || undefined;
@@ -13,7 +17,9 @@ export async function POST(_request: Request) {
     ipAddress,
   });
 
-  const verificationUrl = `${APP_URL}/device-auth?code=${code}`;
+  const verificationUrl = buildDeviceAuthVerificationUrl(APP_URL, code, {
+    app: getDeviceAuthAppModeFromRequestUrl(request.url),
+  });
 
   return NextResponse.json({
     code,

apps/web/src/app/device-auth/DeviceAuthClient.test.ts

@@ -1,6 +1,12 @@
 import { describe, expect, test } from '@jest/globals';
 
-import { getDeviceAuthSignInUrl } from './DeviceAuthClient';
+import {
+  buildDeviceAuthVerificationUrl,
+  closeDeviceAuthWindowIfAppMode,
+  getDeviceAuthAppModeFromRequestUrl,
+  getDeviceAuthSignInUrl,
+  getDeviceAuthShellClassName,
+} from './device-auth-url';
 
 describe('getDeviceAuthSignInUrl', () => {
   test('preserves the device auth code through sign in', () => {
@@ -14,4 +20,79 @@ describe('getDeviceAuthSignInUrl', () => {
       '/users/sign_in?callbackPath=%2Fdevice-auth%3Fcode%3Dabc%2B123'
     );
   });
+
+  test('preserves app mode through sign in', () => {
+    expect(getDeviceAuthSignInUrl('ABC-123', { app: true })).toBe(
+      '/users/sign_in?callbackPath=%2Fdevice-auth%3Fcode%3DABC-123%26app%3D1'
+    );
+  });
+});
+
+describe('buildDeviceAuthVerificationUrl', () => {
+  test('omits app mode by default for non-app callers', () => {
+    expect(buildDeviceAuthVerificationUrl('https://app.kilo.ai', 'ABC-123')).toBe(
+      'https://app.kilo.ai/device-auth?code=ABC-123'
+    );
+  });
+
+  test('adds the app mode query parameter for mobile browser launches', () => {
+    expect(buildDeviceAuthVerificationUrl('https://app.kilo.ai', 'ABC-123', { app: true })).toBe(
+      'https://app.kilo.ai/device-auth?code=ABC-123&app=1'
+    );
+  });
+});
+
+describe('getDeviceAuthAppModeFromRequestUrl', () => {
+  test('derives app mode from the API request URL', () => {
+    expect(
+      getDeviceAuthAppModeFromRequestUrl('https://app.kilo.ai/api/device-auth/codes?app=1')
+    ).toBe(true);
+  });
+
+  test('leaves app mode off unless explicitly requested', () => {
+    expect(getDeviceAuthAppModeFromRequestUrl('https://app.kilo.ai/api/device-auth/codes')).toBe(
+      false
+    );
+  });
+});
+
+describe('getDeviceAuthShellClassName', () => {
+  test('uses page padding by default', () => {
+    expect(getDeviceAuthShellClassName(false)).toContain('p-4');
+  });
+
+  test('removes top and bottom page padding in app mode', () => {
+    expect(getDeviceAuthShellClassName(true)).not.toContain('p-4');
+    expect(getDeviceAuthShellClassName(true)).toContain('py-0');
+    expect(getDeviceAuthShellClassName(true)).toContain('px-4');
+  });
+
+  test('uses the dynamic viewport height to center app-mode authorization content', () => {
+    expect(getDeviceAuthShellClassName(true)).toContain('h-dvh');
+    expect(getDeviceAuthShellClassName(true)).toContain('w-full');
+    expect(getDeviceAuthShellClassName(true)).toContain('items-center');
+    expect(getDeviceAuthShellClassName(true)).toContain('justify-center');
+  });
+});
+
+describe('closeDeviceAuthWindowIfAppMode', () => {
+  test('attempts to close the window in app mode', () => {
+    let closeCount = 0;
+
+    closeDeviceAuthWindowIfAppMode(true, () => {
+      closeCount++;
+    });
+
+    expect(closeCount).toBe(1);
+  });
+
+  test('does not close the window outside app mode', () => {
+    let closeCount = 0;
+
+    closeDeviceAuthWindowIfAppMode(false, () => {
+      closeCount++;
+    });
+
+    expect(closeCount).toBe(0);
+  });
 });