@cap-kit/ssl-pinning 8.0.0-next.0

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sources":["esm/definitions.js","esm/index.js","esm/web.js"],"sourcesContent":["/// <reference types=\"@capacitor/cli\" />\n// -- Enums --\n/**\n * Standardized error codes for programmatic handling of ssl pinning failures.\n * @since 0.0.15\n */\nexport var SSLPinningErrorCode;\n(function (SSLPinningErrorCode) {\n    /** The device does not have the requested hardware. */\n    SSLPinningErrorCode[\"UNAVAILABLE\"] = \"UNAVAILABLE\";\n    /** The user denied the permission or the feature is disabled in settings. */\n    SSLPinningErrorCode[\"PERMISSION_DENIED\"] = \"PERMISSION_DENIED\";\n    /** The ssl pinning failed to initialize (e.g., runtime error or Looper failure). */\n    SSLPinningErrorCode[\"INIT_FAILED\"] = \"INIT_FAILED\";\n    /** The requested ssl pinning type is not valid or not supported by the plugin. */\n    SSLPinningErrorCode[\"UNKNOWN_TYPE\"] = \"UNKNOWN_TYPE\";\n})(SSLPinningErrorCode || (SSLPinningErrorCode = {}));\n//# sourceMappingURL=definitions.js.map","/**\n * Import the `registerPlugin` method from the Capacitor core library.\n * This method is used to register a custom plugin.\n */\nimport { registerPlugin } from '@capacitor/core';\n/**\n * The SSLPinning plugin instance.\n * It automatically lazy-loads the web implementation if running in a browser environment.\n * Use this instance to access all ssl pinning functionality.\n */\nconst SSLPinning = registerPlugin('SSLPinning', {\n    web: () => import('./web').then((m) => new m.SSLPinningWeb()),\n});\nexport * from './definitions';\nexport { SSLPinning };\n//# sourceMappingURL=index.js.map","/**\n * This module provides a web implementation of the SSLPinningPlugin.\n * The functionality is limited in a web context due to the lack of SSL certificate inspection capabilities in browsers.\n *\n * The implementation adheres to the SSLPinningPlugin interface but provides fallback behavior\n * because browsers do not allow direct inspection of SSL certificate details.\n */\nimport { CapacitorException, ExceptionCode, WebPlugin } from '@capacitor/core';\n/**\n * Web implementation of the SSLPinningPlugin interface.\n *\n * This class is intended to be used in a browser environment and handles scenarios where SSL certificate\n * checking is unsupported. It implements the methods defined by the SSLPinningPlugin\n * interface but returns standardized error responses to indicate the lack of functionality in web contexts.\n */\nexport class SSLPinningWeb extends WebPlugin {\n    /**\n     * Checks a single SSL certificate against the expected fingerprint.\n     * @return A promise that resolves to the result of the certificate check.\n     * @throws CapacitorException indicating unimplemented functionality.\n     */\n    async checkCertificate() {\n        throw this.createUnimplementedError();\n    }\n    /**\n     * Checks multiple SSL certificates against their expected fingerprints.\n     * @return A promise that resolves to an array of results for each certificate check.\n     * @throws CapacitorException indicating unimplemented functionality.\n     */\n    async checkCertificates() {\n        throw this.createUnimplementedError();\n    }\n    // --- Plugin Info ---\n    /**\n     * Returns the plugin version.\n     *\n     * @returns The current plugin version.\n     */\n    async getPluginVersion() {\n        return { version: 'web' };\n    }\n    /**\n     * Creates a standardized exception for unimplemented methods.\n     *\n     * This utility method centralizes the creation of exceptions for functionality that is not supported\n     * on the current platform, ensuring consistency in error reporting.\n     *\n     * @returns {CapacitorException} An exception with the code `Unimplemented` and a descriptive message.\n     */\n    createUnimplementedError() {\n        return new CapacitorException('This plugin method is not implemented on this platform.', ExceptionCode.Unimplemented);\n    }\n}\n//# sourceMappingURL=web.js.map"],"names":["SSLPinningErrorCode","registerPlugin","WebPlugin","CapacitorException","ExceptionCode"],"mappings":";;;IAAA;IACA;IACA;IACA;IACA;IACA;AACWA;IACX,CAAC,UAAU,mBAAmB,EAAE;IAChC;IACA,IAAI,mBAAmB,CAAC,aAAa,CAAC,GAAG,aAAa;IACtD;IACA,IAAI,mBAAmB,CAAC,mBAAmB,CAAC,GAAG,mBAAmB;IAClE;IACA,IAAI,mBAAmB,CAAC,aAAa,CAAC,GAAG,aAAa;IACtD;IACA,IAAI,mBAAmB,CAAC,cAAc,CAAC,GAAG,cAAc;IACxD,CAAC,EAAEA,2BAAmB,KAAKA,2BAAmB,GAAG,EAAE,CAAC,CAAC;;IChBrD;IACA;IACA;IACA;IAEA;IACA;IACA;IACA;IACA;AACK,UAAC,UAAU,GAAGC,mBAAc,CAAC,YAAY,EAAE;IAChD,IAAI,GAAG,EAAE,MAAM,mDAAe,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;IACjE,CAAC;;ICZD;IACA;IACA;IACA;IACA;IACA;IACA;IAEA;IACA;IACA;IACA;IACA;IACA;IACA;IACO,MAAM,aAAa,SAASC,cAAS,CAAC;IAC7C;IACA;IACA;IACA;IACA;IACA,IAAI,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,MAAM,IAAI,CAAC,wBAAwB,EAAE;IAC7C,IAAI;IACJ;IACA;IACA;IACA;IACA;IACA,IAAI,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,MAAM,IAAI,CAAC,wBAAwB,EAAE;IAC7C,IAAI;IACJ;IACA;IACA;IACA;IACA;IACA;IACA,IAAI,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE;IACjC,IAAI;IACJ;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,IAAI,wBAAwB,GAAG;IAC/B,QAAQ,OAAO,IAAIC,uBAAkB,CAAC,yDAAyD,EAAEC,kBAAa,CAAC,aAAa,CAAC;IAC7H,IAAI;IACJ;;;;;;;;;;;;;;;"}

package/ios/Sources/SSLPinningPlugin/SSLPinningConfig.swift

@@ -0,0 +1,79 @@
+import Foundation
+import Capacitor
+
+/**
+ Helper struct to manage the SSLPinning plugin configuration.
+
+ This struct reads static configuration values from `capacitor.config.ts`
+ using the Capacitor plugin instance's built-in config access.
+
+ IMPORTANT:
+ - These values are READ-ONLY at runtime.
+ - JavaScript MUST NOT access them directly.
+ - Actual behavior is implemented in native code only.
+ */
+public struct SSLPinningConfig {
+
+    // MARK: - Configuration Keys
+
+    private struct Keys {
+        static let verboseLogging = "verboseLogging"
+        static let fingerprint = "fingerprint"
+        static let fingerprints = "fingerprints"
+    }
+
+    // MARK: - Public Config Values
+
+    /**
+     Enables verbose native logging.
+
+     When enabled, additional debug information is printed
+     to the Xcode console via the plugin logger.
+
+     Default: false
+     */
+    public let verboseLogging: Bool
+
+    /**
+     Default SHA-256 fingerprint used by `checkCertificate()`
+     when no fingerprint is provided at runtime.
+     */
+    public let fingerprint: String?
+
+    /**
+     Default SHA-256 fingerprints used by `checkCertificates()`
+     when no fingerprints are provided at runtime.
+     */
+    public let fingerprints: [String]
+
+    // MARK: - Private Defaults
+
+    private let defaultVerboseLogging = false
+    private let defaultFingerprint: String? = nil
+    private let defaultFingerprints: [String] = []
+
+    // MARK: - Init
+
+    /**
+     Initializes the configuration by reading values from the Capacitor bridge.
+
+     - Parameter plugin: The CAPPlugin instance used to access typed configuration.
+     */
+    init(plugin: CAPPlugin) {
+        // Use getConfigValue(key) to bypass SPM visibility issues and ensure stability.
+
+        // Bool - Verbose Logging
+        verboseLogging = plugin.getConfigValue(Keys.verboseLogging) as? Bool ?? defaultVerboseLogging
+
+        // Optional String - Single Fingerprint
+        // We validate that it is not empty after casting to avoid using empty strings as valid fingerprints.
+        if let fprt = plugin.getConfigValue(Keys.fingerprint) as? String, !fprt.isEmpty {
+            fingerprint = fprt
+        } else {
+            fingerprint = defaultFingerprint
+        }
+
+        // Array of Strings - Multiple Fingerprints
+        fingerprints = plugin.getConfigValue(Keys.fingerprints) as? [String] ?? defaultFingerprints
+    }
+}

package/ios/Sources/SSLPinningPlugin/SSLPinningDelegate.swift

@@ -0,0 +1,81 @@
+import Foundation
+import Security
+
+final class SSLPinningDelegate: NSObject, URLSessionDelegate {
+
+    /// Initializes the delegate with optional pinned certificates.
+    private let expectedFingerprints: [String]
+
+    /// Completion handler to return the result.
+    private let completion: ([String: Any]) -> Void
+
+    /// Verbose logging flag.
+    private let verboseLogging: Bool
+
+    /// Initializes the SSLPinningDelegate.
+    init(
+        expectedFingerprints: [String],
+        completion: @escaping ([String: Any]) -> Void,
+        verboseLogging: Bool
+    ) {
+        self.expectedFingerprints =
+            expectedFingerprints.map {
+                SSLPinningUtils.normalizeFingerprint($0)
+            }
+        self.completion = completion
+        self.verboseLogging = verboseLogging
+    }
+
+    // MARK: - URLSessionDelegate
+
+    /// Intercepts the TLS authentication challenge to perform
+    /// manual SSL pinning based on certificate fingerprint.
+    ///
+    /// The connection is accepted or rejected solely based on
+    /// fingerprint comparison, not on system trust evaluation.
+    func urlSession(
+        _ session: URLSession,
+        didReceive challenge: URLAuthenticationChallenge,
+        completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+    ) {
+        // =========================================================
+        // FINGERPRINT MODE (unchanged behavior)
+        // =========================================================
+        guard let trust = challenge.protectionSpace.serverTrust,
+              let cert = SSLPinningUtils.leafCertificate(from: trust) else {
+
+            completionHandler(.cancelAuthenticationChallenge, nil)
+            completion([
+                "fingerprintMatched": false,
+                "error": "Unable to extract certificate",
+                "errorCode": "INIT_FAILED"
+            ])
+            return
+        }
+
+        let actualFingerprint =
+            SSLPinningUtils.normalizeFingerprint(
+                SSLPinningUtils.sha256Fingerprint(from: cert)
+            )
+
+        let matchedFingerprint =
+            expectedFingerprints.first {
+                $0 == actualFingerprint
+            }
+
+        let matched = matchedFingerprint != nil
+
+        SSLPinningLogger.debug("SSLPinning matched:", "\(matched)")
+
+        completion([
+            "actualFingerprint": actualFingerprint,
+            "fingerprintMatched": matched,
+            "matchedFingerprint": matchedFingerprint as Any
+        ])
+
+        completionHandler(
+            matched ? .useCredential : .cancelAuthenticationChallenge,
+            matched ? URLCredential(trust: trust) : nil
+        )
+    }
+}

package/ios/Sources/SSLPinningPlugin/SSLPinningImpl.swift

@@ -0,0 +1,111 @@
+import Foundation
+import Security
+
+final class SSLPinningImpl {
+
+    /// Cached configuration.
+    private var config: SSLPinningConfig?
+
+    /// Applies the given configuration.
+    func applyConfig(_ config: SSLPinningConfig) {
+        self.config = config
+    }
+
+    // MARK: - Single fingerprint
+
+    /// Validates multiple SSL certificates for a given URL.
+    func checkCertificate(
+        urlString: String,
+        fingerprintFromArgs: String?,
+        completion: @escaping ([String: Any]) -> Void
+    ) {
+        let fingerprint =
+            fingerprintFromArgs ??
+            config?.fingerprint
+
+        guard let expectedFingerprint = fingerprint else {
+            completion([
+                "fingerprintMatched": false,
+                "error": "No fingerprint provided (args or config)",
+                "errorCode": "UNAVAILABLE"
+            ])
+            return
+        }
+
+        performCheck(
+            urlString: urlString,
+            fingerprints: [expectedFingerprint],
+            completion: completion
+        )
+    }
+
+    // MARK: - Multiple fingerprints
+
+    /// Validates multiple SSL certificates for a given URL.
+    func checkCertificates(
+        urlString: String,
+        fingerprintsFromArgs: [String]?,
+        completion: @escaping ([String: Any]) -> Void
+    ) {
+        let fingerprints =
+            fingerprintsFromArgs ??
+            config?.fingerprints
+
+        guard let fingerprints, !fingerprints.isEmpty else {
+            completion([
+                "fingerprintMatched": false,
+                "error": "No fingerprints provided (args or config)",
+                "errorCode": "UNAVAILABLE"
+            ])
+            return
+        }
+
+        performCheck(
+            urlString: urlString,
+            fingerprints: fingerprints,
+            completion: completion
+        )
+    }
+
+    // MARK: - Shared implementation
+
+    /// Performs the actual SSL pinning validation.
+    ///
+    /// This method:
+    /// - Creates an ephemeral URLSession
+    /// - Intercepts the TLS handshake via URLSessionDelegate
+    /// - Extracts the server leaf certificate
+    /// - Compares its SHA-256 fingerprint against the expected ones
+    ///
+    /// IMPORTANT:
+    /// - The system trust chain is NOT evaluated
+    /// - Only fingerprint matching determines acceptance
+    private func performCheck(
+        urlString: String,
+        fingerprints: [String],
+        completion: @escaping ([String: Any]) -> Void
+    ) {
+        guard let url = SSLPinningUtils.httpsURL(from: urlString) else {
+            completion([
+                "fingerprintMatched": false,
+                "error": "Invalid HTTPS URL",
+                "errorCode": "UNKNOWN_TYPE"
+            ])
+            return
+        }
+
+        let delegate = SSLPinningDelegate(
+            expectedFingerprints: fingerprints,
+            completion: completion,
+            verboseLogging: config?.verboseLogging ?? false
+        )
+
+        let session = URLSession(
+            configuration: .ephemeral,
+            delegate: delegate,
+            delegateQueue: nil
+        )
+
+        session.dataTask(with: url).resume()
+    }
+}

package/ios/Sources/SSLPinningPlugin/SSLPinningPlugin.swift

@@ -0,0 +1,116 @@
+import Foundation
+import Capacitor
+
+/**
+ * @file SSLPinningPlugin.swift
+ * This file defines the implementation of the Capacitor plugin `SSLPinningPlugin` for iOS.
+ * The plugin provides an interface between JavaScript and native iOS code, allowing Capacitor applications
+ * to interact with SSL certificate verification functionality.
+ *
+ * Documentation Reference: https://capacitorjs.com/docs/plugins/ios
+ */
+
+@objc(SSLPinningPlugin)
+public class SSLPinningPlugin: CAPPlugin, CAPBridgedPlugin {
+
+    // Configuration instance
+    private var config: SSLPinningConfig?
+
+    /// An instance of the implementation class that contains the plugin's core functionality.
+    private let implementation = SSLPinningImpl()
+
+    /// The unique identifier for the plugin, used by Capacitor's internal mechanisms.
+    public let identifier = "SSLPinningPlugin"
+
+    /// The JavaScript name used to reference this plugin in Capacitor applications.
+    public let jsName = "SSLPinning"
+
+    /**
+     * A list of methods exposed by this plugin. These methods can be called from the JavaScript side.
+     * - `checkCertificate`: Validates an SSL certificate for a given URL.
+     * - `checkCertificates`: Validates multiple SSL certificates for given URLs.
+     * - `getPluginVersion`: Retrieves the current version of the plugin.
+     */
+    public let pluginMethods: [CAPPluginMethod] = [
+        CAPPluginMethod(name: "checkCertificate", returnType: CAPPluginReturnPromise),
+        CAPPluginMethod(name: "checkCertificates", returnType: CAPPluginReturnPromise),
+        CAPPluginMethod(name: "getPluginVersion", returnType: CAPPluginReturnPromise)
+    ]
+
+    /**
+     Plugin initialization.
+     Loads config and sets up lifecycle observers.
+     */
+    override public func load() {
+        let cfg = SSLPinningConfig(plugin: self)
+        self.config = cfg
+        implementation.applyConfig(cfg)
+    }
+
+    // MARK: - SSL Pinning Methods
+
+    /**
+     Validates an SSL certificate for a given URL.
+     - Parameters:
+     - call: The CAPPluginCall object containing the call details from JavaScript.
+     */
+    @objc func checkCertificate(_ call: CAPPluginCall) {
+        let url = call.getString("url", "")
+        let fingerprintValue = call.getString("fingerprint", "")
+        let fingerprintArg = fingerprintValue.isEmpty ? nil : fingerprintValue
+
+        if url.isEmpty {
+            call.resolve([
+                "fingerprintMatched": false,
+                "error": "Missing url"
+            ])
+            return
+        }
+
+        implementation.checkCertificate(
+            urlString: url,
+            fingerprintFromArgs: fingerprintArg
+        ) { result in
+            call.resolve(result)
+        }
+    }
+
+    /**
+     Validates multiple SSL certificates for given URLs.
+     - Parameters:
+     - call: The CAPPluginCall object containing the call details from JavaScript.
+     */
+    @objc func checkCertificates(_ call: CAPPluginCall) {
+        let url = call.getString("url", "")
+
+        let fingerprints = call
+            .getArray("fingerprints", [])
+            .compactMap { $0 as? String }
+
+        if url.isEmpty {
+            call.resolve([
+                "fingerprintMatched": false,
+                "error": "Missing url"
+            ])
+            return
+        }
+
+        implementation.checkCertificates(
+            urlString: url,
+            fingerprintsFromArgs: fingerprints.isEmpty ? nil : fingerprints
+        ) { result in
+            call.resolve(result)
+        }
+    }
+
+    // MARK: - Version
+
+    /// Retrieves the plugin version synchronized from package.json.
+    @objc func getPluginVersion(_ call: CAPPluginCall) {
+        // Standardized enum name across all CapKit plugins
+        call.resolve([
+            "version": PluginVersion.number
+        ])
+    }
+
+}

package/ios/Sources/SSLPinningPlugin/Utils/SSLPinningLogger.swift

@@ -0,0 +1,57 @@
+import Capacitor
+
+/**
+ Centralized logger for the SSLPinning plugin.
+
+ This logger mirrors the Android Logger pattern and provides:
+ - a single logging entry point
+ - runtime-controlled verbose logging
+ - consistent log formatting
+
+ Business logic MUST NOT perform configuration checks directly.
+ */
+enum SSLPinningLogger {
+
+    /**
+     Controls whether debug logs are printed.
+
+     This value is set once during plugin load
+     based on configuration values.
+     */
+    static var verbose: Bool = false
+
+    /**
+     Prints a verbose / debug log message.
+
+     This method is intended for development-time diagnostics
+     and is automatically silenced when verbose logging is disabled.
+     */
+    static func debug(_ items: Any...) {
+        guard verbose else { return }
+        log(items)
+    }
+
+    /**
+     Prints an error log message.
+
+     Error logs are always printed regardless of verbosity.
+     */
+    static func error(_ items: Any...) {
+        log(items)
+    }
+}
+
+/**
+ Low-level log printer with a consistent prefix.
+
+ This function should not be used directly outside this file.
+ */
+private func log(_ items: Any..., separator: String = " ", terminator: String = "\n") {
+    CAPLog.print("⚡️  SSLPinning -", terminator: separator)
+    for (itemIndex, item) in items.enumerated() {
+        CAPLog.print(
+            item,
+            terminator: itemIndex == items.count - 1 ? terminator : separator
+        )
+    }
+}

package/ios/Sources/SSLPinningPlugin/Utils/SSLPinningUtils.swift

@@ -0,0 +1,47 @@
+import Foundation
+import CryptoKit
+import Security
+
+/// Utility helpers for SSL Pinning logic.
+/// Pure Swift — no Capacitor dependency.
+struct SSLPinningUtils {
+
+    /// Validates and returns a HTTPS URL.
+    static func httpsURL(from value: String) -> URL? {
+        guard let url = URL(string: value),
+              url.scheme?.lowercased() == "https" else {
+            return nil
+        }
+        return url
+    }
+
+    /// Normalizes a fingerprint string (removes colons, lowercases).
+    /// Example: "AA:BB:CC" → "aabbcc"
+    static func normalizeFingerprint(_ value: String) -> String {
+        value
+            .replacingOccurrences(of: ":", with: "")
+            .lowercased()
+    }
+
+    /// Computes the SHA-256 fingerprint from a SecCertificate.
+    /// Output format: "aa:bb:cc:dd"
+    static func sha256Fingerprint(from certificate: SecCertificate) -> String {
+        let data = SecCertificateCopyData(certificate) as Data
+        let hash = SHA256.hash(data: data)
+        return hash
+            .map { String(format: "%02x", $0) }
+            .joined(separator: ":")
+    }
+
+    /// Extracts the leaf certificate from a SecTrust, handling iOS <15 and ≥15.
+    static func leafCertificate(from trust: SecTrust) -> SecCertificate? {
+        if #available(iOS 15.0, *) {
+            if let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] {
+                return chain.first
+            }
+            return nil
+        } else {
+            return SecTrustGetCertificateAtIndex(trust, 0)
+        }
+    }
+}

package/ios/Sources/SSLPinningPlugin/Version.swift

@@ -0,0 +1,16 @@
+// This file is automatically generated. Do not modify manually.
+import Foundation
+
+/**
+  Container for the plugin's version information.
+  This enum provides a centralized, single source of truth for the native 
+  version string, synchronized directly from the project's 'package.json'.
+  It ensures parity across JavaScript, Android, and iOS platforms.
+ */
+public enum PluginVersion {
+    /**
+      The semantic version string of the plugin.
+      Value synchronized from package.json: "8.0.0-next.0"
+     */
+    public static let number = "8.0.0-next.0"
+}

package/ios/Tests/SSLPinningPluginTests/SSLPinningPluginTests.swift

@@ -0,0 +1,5 @@
+import XCTest
+@testable import SSLPinningPlugin
+
+class SSLPinningTests: XCTestCase {
+}

package/package.json

@@ -0,0 +1,117 @@
+{
+  "name": "@cap-kit/ssl-pinning",
+  "version": "8.0.0-next.0",
+  "description": "Capacitor plugin for runtime SSL certificate fingerprint pinning on iOS and Android",
+  "type": "module",
+  "private": false,
+  "engines": {
+    "node": ">=24.0.0",
+    "pnpm": ">=10.0.0"
+  },
+  "main": "dist/plugin.cjs.js",
+  "module": "dist/esm/index.js",
+  "types": "dist/esm/index.d.ts",
+  "unpkg": "dist/plugin.js",
+  "files": [
+    "android/src/main/",
+    "android/build.gradle",
+    "dist/",
+    "ios/Sources",
+    "ios/Tests",
+    "Package.swift",
+    "CapKitSSLPinning.podspec",
+    "LICENSE",
+    "bin/",
+    "scripts/"
+  ],
+  "author": "CapKit Team",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cap-kit/capacitor-plugins.git",
+    "directory": "packages/ssl-pinning"
+  },
+  "bugs": {
+    "url": "https://github.com/cap-kit/capacitor-plugins/issues"
+  },
+  "homepage": "https://github.com/cap-kit/capacitor-plugins/tree/main/packages/ssl-pinning#readme",
+  "keywords": [
+    "capacitor",
+    "capacitor-plugin",
+    "mobile",
+    "native",
+    "cap-kit",
+    "ios",
+    "android",
+    "ssl",
+    "https",
+    "ssl-pinning",
+    "certificate-fingerprint",
+    "fingerprint-pinning",
+    "runtime-security",
+    "mitm"
+  ],
+  "bin": {
+    "ssl-fingerprint": "./dist/cli/fingerprint.js",
+    "capacitor-ssl-fingerprint": "./dist/cli/fingerprint.js"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "yargs": "^18.0.0"
+  },
+  "devDependencies": {
+    "@capacitor/android": "^8.0.2",
+    "@capacitor/cli": "^8.0.2",
+    "@capacitor/core": "^8.0.2",
+    "@capacitor/docgen": "^0.3.1",
+    "@capacitor/ios": "^8.0.2",
+    "@eslint/eslintrc": "^3.3.3",
+    "@eslint/js": "^9.39.2",
+    "eslint": "^9.39.2",
+    "eslint-plugin-import": "^2.32.0",
+    "@types/node": "^25.0.10",
+    "@types/yargs": "^17.0.35",
+    "globals": "^17.2.0",
+    "prettier": "^3.8.1",
+    "prettier-plugin-java": "^2.8.1",
+    "rimraf": "^6.1.2",
+    "rollup": "^4.57.0",
+    "swiftlint": "^2.0.0",
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.54.0"
+  },
+  "peerDependencies": {
+    "@capacitor/core": "^8.0.2"
+  },
+  "capacitor": {
+    "ios": {
+      "src": "ios"
+    },
+    "android": {
+      "src": "android"
+    }
+  },
+  "scripts": {
+    "verify": "pnpm run verify:ios && pnpm run verify:android && pnpm run verify:web",
+    "verify:ios": "node ./scripts/sync-version.js && xcodebuild -scheme CapKitSslPinning -destination generic/platform=iOS",
+    "verify:android": "cd android && ./gradlew clean build && cd ..",
+    "verify:web": "pnpm run build",
+    "lint:android": "cd android && ./gradlew ktlintCheck",
+    "fmt:android": "cd android && ./gradlew ktlintFormat",
+    "lint": "pnpm run eslint . && pnpm run swiftlint lint --strict || true && pnpm run lint:android || true",
+    "format:check": "prettier --check \"**/*.{css,html,ts,js,java}\" --plugin=prettier-plugin-java",
+    "format": "eslint --fix . && prettier --write \"**/*.{css,html,ts,js,java}\" --plugin=prettier-plugin-java && pnpm run swiftlint --fix --format && pnpm run fmt:android",
+    "eslint": "eslint",
+    "prettier": "prettier \"**/*.{css,html,ts,js,java}\" --plugin=prettier-plugin-java",
+    "swiftlint": "node-swiftlint lint ios/Sources",
+    "docgen": "docgen --api SSLPinningPlugin --output-readme README.md --output-json dist/docs.json",
+    "build": "node ./scripts/sync-version.js && pnpm run clean && pnpm run docgen && tsc && rollup -c rollup.config.mjs && node scripts/chmod.js",
+    "clean": "rimraf ./dist",
+    "watch": "tsc --watch",
+    "test": "pnpm run verify",
+    "removePacked": "rimraf -g cap-kit-ssl-pinning-*.tgz",
+    "publish:locally": "pnpm run removePacked && pnpm run build && pnpm pack"
+  }
+}

package/scripts/chmod.js

@@ -0,0 +1,34 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// Reconstruct __dirname, which does not exist in ESM
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// Correct path to the compiled CLI
+const cliPath = path.resolve(__dirname, '../dist/cli/fingerprint.js');
+
+try {
+  if (fs.existsSync(cliPath)) {
+    // 1. Read the file contents
+    let content = fs.readFileSync(cliPath, 'utf8');
+
+    // 2. Add shebang if missing
+    if (!content.startsWith('#!/usr/bin/env node')) {
+      content = '#!/usr/bin/env node\n' + content;
+      fs.writeFileSync(cliPath, content);
+      console.log('✅ Shebang added to CLI.');
+    }
+
+    // 3. Make the file executable
+    fs.chmodSync(cliPath, '755');
+    console.log('✅ CLI permissions set to 755.');
+  } else {
+    console.error(`❌ CLI file not found at: ${cliPath}`);
+    // Do not fail the build if the file does not exist yet, just warn
+  }
+} catch (err) {
+  console.error('❌ Error setting permissions:', err);
+  process.exit(1);
+}