Summary

Three fixes to "Import from Other App", all surfaced when importing from TablePlus:

1. TablePlus passwords import again. A regression that shipped in 0.43.0 changed the keychain service TablePro queries from com.tableplus.TablePlus to com.tinyapp.TablePlus (TablePlus's bundle id). TablePlus stores secrets under com.tableplus.TablePlus, so every lookup returned errSecItemNotFound: no keychain prompt, blank passwords, and no warning banner. Verified against a live keychain (security find-generic-password -s com.tableplus.TablePlus -a "{UUID}_database" exists; the tinyapp service has zero items). The correct service is restored and kept as a named constant next to appBundleIdentifier so the two are visibly distinct.

2. No more fake SSH key paths or empty TLS paths. When no key is selected, TablePlus stores the literal placeholder Import a private key... in ServerPrivateKeyName while leaving isUsePrivateKey true. The importer turned that into ~/.ssh/Import a private key.... Now a private key path is kept only if it resolves to a file that exists on disk, which works for any placeholder wording, not just the current English string. Empty TLS certificate paths now import as none instead of blank strings.

3. No misleading keychain prompt for DBeaver. The "macOS will ask for your login password" alert fired for every importer, including DBeaver, which reads passwords from its own file and never touches the keychain. A new readsPasswordsFromKeychain flag on the importer protocol gates the alert, so it only shows for keychain-based importers (TablePlus, Sequel Ace, DataGrip).

Root cause

The keychain bug came from commit b08186c, which "aligned" the keychain service to the bundle id. TablePlus uses two different reverse-DNS identifiers on purpose: bundle id and Application Support folder are com.tinyapp.TablePlus (legacy domain), but the keychain service is com.tableplus.TablePlus (newer domain). The SSH and TLS bugs are the same family: TablePlus persists placeholder or empty sentinel values, and the importer assumed every stored value was real.

Tests

• Regression tests pin the keychain coordinates via an injected reader (service com.tableplus.TablePlus, accounts {id}_database / _server / _server_key) and verify the password reaches the import envelope. They would have caught b08186c.
• Coverage for the cancelled-prompt-aborts path and the nothing-stored path.
• New SSH/TLS tests: placeholder key drops to empty, a real on-disk key is kept, empty TLS paths map to nil.
• Each importer's readsPasswordsFromKeychain value is asserted.

Out of scope (pre-existing, not touched)

These look like they belong to the DataGrip import PR (#1374):

• The registry test asserts count == 4, but there are 5 importers now (DataGrip).
• CockroachDB maps to CockroachDB in source but the test expects PostgreSQL.
• A few pre-existing swiftlint --strict number-separator and import-sort violations in the TablePlus test file.

Verification

• swiftlint lint --strict clean on changed files (no new violations introduced).
• Build and full test run pending in Xcode.