Phase 1 sync: Accounts UI + Sign in with Apple + Keychain

[Shpigford]

Summary

• New Settings → Account tab with Sign in with Apple + email/password toggle.
• AccountManager (@Observable) tracks currentUser + pendingAppleNonce; bootstrap() reads Keychain and calls /api/v1/me on launch.
• SyncAPI is a thin URLSession client against the Rails backend (/auth/apple, /auth/users, /auth/sessions, /auth/sessions/current, /api/v1/me). Bearer = Authorization: Bearer <Session.token>.
• KeychainStore wraps Security.framework for the session token.
• Entitlement com.apple.developer.applesignin added to Clearly.entitlements and Clearly-AppStore.entitlements; AuthenticationServices.framework added to the Clearly target in project.yml.
• ClearlyApp injects AccountManager.shared into the Settings scene and kicks off bootstrap() from init.

Pairs with the Rails server work in clearlymd/clearly#10.

Test plan

• xcodegen generate && xcodebuild -scheme Clearly -configuration Debug build — green
• Phase-0 regression: open an existing local vault, edit/save/search — still works
• Settings → Account → Sign in with Apple → system sheet → signed-in state shows "Signed in as …"
• Settings → Account → toggle "Create Account" → enter email + password → signed-in
• Settings → Account → Sign Out → form reappears; token gone from Keychain Access.app
• Quit (⌘Q), reopen, Settings → Account → persists as signed-in without prompting (this is the most important check — bootstrap() is doing its job)
• Rails logs show POST /auth/apple 200 (no AppleIdentityToken::Unverified)

Blockers (Josh-side)

• Enable Sign in with Apple capability on App IDs com.sabotage.clearly + com.sabotage.clearly.dev in the Apple Developer portal; regenerate provisioning profiles. Without this, the Debug build fails to code-sign; code itself is green (verified with CODE_SIGNING_ALLOWED=NO).