Should I take that to mean that the relay validation thing is happening, now? I’ve submitted mine in August; should I submit another one or does my first submission still have a chance to be looked at?

Wow, a) I’d assumed they’d tell me something if I was approved, and b) I cannot believe I got the configuration right on the first try without being able to test 😅

@DTS Engineer I think that was the EXExtensionPointIdentifier in the info.plist of the URL FIlter, not entitlements. @beacham haven’t had a chance to try this, but wouldn’t changing the extension point identifier prevent the extension from being recognized at all? Like, can you upload the app to TestFlight and have the extension function?

Ok, I was able to upload a build containing the extension! I will release it to TestFlight soon, even tho the actual filtering doesn’t work atm, due to the server part. I’m using @ameshkov’s tester (thank you!!) and everything seems to be ok with my server stuff; however when I actually try to turn the feature on I always get this: <NEPIRChecker: 0xd65178d00>: -[NEPIRChecker start:responseQueue:completionHandler:]_block_invoke - PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors: failed to fetch token key" UserInfo={NSLocalizedDescription=Unable to query status due to errors: failed to fetch token key, NSUnderlyingError=0xd64d70810 {Error Domain=CipherML.AuthenticationError Code=7 "failed to fetch token key" UserInfo={NSLocalizedDescription=failed to fetch token key}}}> Does this mean the server stuff was not certified?

I think I finally did it! I eventually gave up and switched to a different gateway: https://github.com/gruberb/ohttp-gateway Once configured properly, everything started flowing, even from TestFlight (which I hope means that it will be the same from the App Store). Feels kinda unreal that this is actually happening, I had lost hope. Thanks to everyone who helped out!

Of course the new beta would break the whole thing immediately 😅 Now all I get is <NEPIRChecker: 0x6a7057180>: -[NEPIRChecker start:responseQueue:completionHandler:] - failed to register with PIR for Group site.kaylees.Wipr2 usecase site.kaylees.Wipr2.url.filtering even with no errors on the server side. My kingdom for a flag to ignore the PIR server completely and just “fail closed” on the bloom filter. Why do we even need to register with the server in order to enable a “fail closed” filter? I see that pirSkipRegistration flag in the logs, can we have it please? 😬 Or like a normal API with a JSON file like Content Blockers and regex and bundle ID filtering, but I guess that’s asking too much 😬

That’s what was happening last night 😅 Currently (on the latest beta), I always get that error when trying to activate the TestFlight build. However, some testers have reported being able to activate 🤷‍♀️ But (still on the latest beta) versions installed from Xcode eventually activate. They flip many times between “busy” and “error” before tho, but that’s not new. It takes like a minute for the NEURLFilterManager.Status to eventually go to running. Once it does, everything works. I don’t see any new errors on the server side, always the same two that were already common two days ago when everything was working, so I don’t think these are related, but here goes anyway: Gateway: 2026-03-03T13:01:21.886520Z ERROR ThreadId(02) http_request{request_id=508c3c86-e2e2-440b-901e-0041f5928152 method=POST uri=/gateway user_agent=unknown}: ohttp_gateway::handlers::ohttp: Failed to decapsulate OHTTP request: a problem occurred with HPKE: Failed to open ciphertext PIR: 2026-03-03T12:50:16+0000 error id=8836ee4457e3aa7dce6037645e7783cc [PIRService] HTTPError: Bad Request, Evaluation key not found All I see on the server side when trying to activate is a few GETs to /.well-known/private-token-issuer-directory which appear to succeed. I’ve restarted everything on the server but no change. Any guidance in how to debug this would be extremely appreciated!

Still banging my head on this 😬 Thanks to the author of the gateway software I’m using we figured out those errors, and everything seems good on that front. Still getting a lot of Bad Request, Evaluation key not found errors during queries. The sample project documentation says these should happen when the server is restarted bc old keys are cached, but they happen all the time. Still, this is only on the /queries endpoint, which is not involved in setup (afaik). The client is still at times throwing this on TestFlight builds: <NEPIRChecker: 0xbc2c4ae00>: -[NEPIRChecker start:responseQueue:completionHandler:] - failed to register with PIR for Group site.kaylees.Wipr2 usecase site.kaylees.Wipr2.url.filtering The thing is, all other endpoints always work with no issues: /.well-known/private-token-issuer-directory, /token-key-for-user-token, /issue, /config, and /key are always successful. As far as I can tell, this should be enough for registration. What exactly does the failed to register with PIR error mean?

Yes actually! This one 7214 error 19:24:29.268275+0100 framework configureUseCaseGroup(withName:useCaseGroup:) threw an error: CipherML.CipherMLError.unsupportedNetworkURL(url: https://pir.kaylees.site/) or later configureGroupWithName:useCaseGroup:error: Request complete error:Error Domain=com.apple.CipherML Code=1400 "Unable to configure use-case group: unsupported network URL: https://pir.kaylees.site/" UserInfo={NSLocalizedDescription=Unable to configure use-case group: unsupported network URL: https://pir.kaylees.site/, NSUnderlyingError=0x736c3de60 {Error Domain=CipherML.CipherMLError Code=12 "unsupported network URL: https://pir.kaylees.site/" UserInfo={NSLocalizedDescription=unsupported network URL: https://pir.kaylees.site/}}} “unsupported”? As far as I can tell, the device makes no attempt to contact the server. This only happen with TestFlight builds on the latest beta. Every other combination seems to work fine. I would try to debug this but I think it’s private API, and it’s pretty hard if I have to release a new TestFlight build every time 😅

Omg it was the / at the end. I’m gonna send this to the testers and see if that’s it.

Hmm I still don’t think I can ship :/ The “server setup incomplete” issue seems to be mostly solved, but NEURLFilterManager still breaks** in a lot of circumstances: When the device is restarted When the OS is updated (for example, from 26.4 seed 4 to 26.4 RC) When the app is updated using TestFlight When switching from App Store version to TestFlight version And of course these will be blamed on me 😅 For all I know these might be TestFlight quirks that don’t affect the App Store version, but I can’t risk it. ** either by reporting configurationInternalError, or internalError, or by remaining in the starting state forever. I just submitted this as FB22281393, but I’m afraid this won’t be enough info for them to do anything. Any guidance? I don’t think making a sample project would help, since this stuff only happens in TestFlight builds. I guess they can install my TestFlight?

Hmm most of these issues are happening to the testers, but I guess I can try reproducing at least the TestFlight update one on one of my devices. I’ll try and report back. (I had only attached the sysdiagnose because the app made me 😅)

I managed to reproduce one of the issues first try: Update the TestFlight to a newer version -> NEURLFilterManager goes to “starting” forever. I sent the sysdiagnose as instructed (added to the same bug). Hopefully this and the other issues have a common root cause!

Prefetch used to work but it’s been broken for a bit, yeah. I haven’t even reported this yet, there's way worse bugs to fix.

I didn’t!