Critical UX Update (2026-04-27)

Apple ID App-Specific Password Requirement

The setup flow must include visual tutorial for manual app password generation at appleid.apple.com.

Corrected Setup Flow

Step 1: Generate App-Specific Password (iCloud)

1. User visits appleid.apple.com on phone/computer
2. Navigate: Sign-In & Security → App-Specific Passwords
3. Click "Generate" → Name: "Icarus Appliance"
4. Copy 16-character password (format: xxxx-xxxx-xxxx-xxxx)
5. Paste into Icarus onboarding UI
6. Icarus validates format, stores in local secrets

Daedalus UX Requirement:
- Screenshots of appleid.apple.com navigation steps
- Step-by-step visual guide (4-6 screens)
- Copy/paste helper: detect 16-char format with dashes
- Validation: green checkmark on correct format
- Security note: "This password only works for Mail. It cannot access your Apple ID."

Rationale:
- ❌ No root Apple ID passwords (2FA blocks custom IMAP clients)
- ❌ No automatic app passwords for custom code
- ✅ Manual generation required at appleid.apple.com

IMAP Configuration

Host: imap.mail.me.com
Port: 993 (SSL/TLS required)
User: <icloud-email>@icloud.com
Pass: <16-char-app-specific-password>
Auth: Plain with SSL

Why iCloud Wins:
- No "less secure apps" toggle (unlike Gmail)
- No security review triggers (unlike Gmail automation)
- Generous IMAP IDLE support for long-lived connections
- Privacy-first: no ad scanning, Mail Privacy Protection

Fallback: Outlook.com with similar manual app password flow if iCloud fails.

The appliance must remain a plug-and-play box — but plug-and-play requires clear instructions.