---

## Critical UX Update (2026-04-27)

**Apple ID App-Specific Password Requirement**

The setup flow must include a visual tutorial for manual app password generation at appleid.apple.com.

### Corrected Setup Flow

#### Step 1: Generate App-Specific Password (iCloud)

```
1. User visits appleid.apple.com on phone/computer
2. Navigate: Sign-In & Security → App-Specific Passwords
3. Click "Generate" → Name: "Icarus Appliance"
4. Copy 16-character password (format: xxxx-xxxx-xxxx-xxxx)
5. Paste into Icarus onboarding UI
6. Icarus validates format, stores in local secrets
```

**Daedalus UX Requirement:**

- Screenshots of appleid.apple.com navigation steps
- Step-by-step visual guide (4-6 screens)
- Copy/paste helper: detect 16-char format with dashes
- Validation: green checkmark on correct format
- Security note: "This password only works for Mail. It cannot access your Apple ID."

**Rationale:**

- ❌ No root Apple ID passwords (2FA blocks custom IMAP clients)
- ❌ No automatic app passwords for custom code
- ✅ Manual generation required at appleid.apple.com

### IMAP Configuration

```
Host: imap.mail.me.com
Port: 993 (SSL/TLS required)
User: @icloud.com
Pass: <16-char-app-specific-password>
Auth: Plain with SSL
```

**Why iCloud Wins:**

- No "less secure apps" toggle (unlike Gmail)
- No security review triggers (unlike Gmail automation)
- Generous IMAP IDLE support for long-lived connections
- Privacy-first: no ad scanning, Mail Privacy Protection

**Fallback:** Outlook.com with similar manual app password flow if iCloud fails.

---

_The appliance must remain a plug-and-play box — but plug-and-play requires clear instructions._
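
One way to implement the Step 1 format check (step 6) together with the IMAP settings above, as an added example that is not Icarus project code. The function names, the error class, and the lowercase-letter alphabet for the 16 characters are assumptions.

```python
import imaplib
import re
import ssl

IMAP_HOST = "imap.mail.me.com"  # from the IMAP configuration on this page
IMAP_PORT = 993                 # implicit TLS

# Assumption: the 16 characters are lowercase ASCII letters in 4 groups of 4.
_GROUPED = re.compile(r"[a-z]{4}(?:-[a-z]{4}){3}")
# Dash look-alikes that rich-text copy/paste can substitute for "-".
_DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")


class PasswordFormatError(ValueError):
    """Raised with a fixed message so the pasted secret never reaches logs."""


def normalize_app_password(pasted: str) -> str:
    """Return the canonical xxxx-xxxx-xxxx-xxxx form or raise."""
    text = "".join(pasted.translate(_DASHES).split())  # drop pasted whitespace
    if "-" not in text and len(text) == 16:             # pasted without dashes
        text = "-".join(text[i:i + 4] for i in range(0, 16, 4))
    if not _GROUPED.fullmatch(text):
        raise PasswordFormatError("expected 16 letters as xxxx-xxxx-xxxx-xxxx")
    return text


def imap_tls_context() -> ssl.SSLContext:
    """TLS for port 993: verified certificate, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_mailbox(user: str, app_password: str) -> imaplib.IMAP4_SSL:
    """Log in over implicit TLS; the caller is responsible for logout()."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT,
                             ssl_context=imap_tls_context(), timeout=30)
    conn.login(user, normalize_app_password(app_password))
    return conn
```

The format check only drives the green checkmark; whether the password is actually valid is known only after `open_mailbox` succeeds, so the onboarding UI should treat a login failure as a second validation step.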