@capgo/capgo-sec 1.0.4

package/.github/workflows/bump_version.yml

@@ -0,0 +1,83 @@
+name: Bump version
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    if: ${{ !startsWith(github.event.head_commit.message, 'chore(release):') }}
+    uses: ./.github/workflows/ci.yml
+
+  bump-version:
+    needs: [test]
+    if: ${{ !startsWith(github.event.head_commit.message, 'chore(release):') }}
+    runs-on: ubuntu-latest
+    name: Bump version and create tag
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: '${{ secrets.PERSONAL_ACCESS_TOKEN }}'
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Build
+        run: bun run build
+
+      - name: Git config
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Create version bump
+        run: bunx standard-version --skip.changelog
+
+      - name: Push to origin
+        run: |
+          CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+          remote_repo="https://${GITHUB_ACTOR}:${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git"
+          git pull $remote_repo $CURRENT_BRANCH
+          git push $remote_repo HEAD:$CURRENT_BRANCH --follow-tags --tags
+
+  publish:
+    needs: [bump-version]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Build
+        run: bun run build
+
+      - name: Publish to npm
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/ci.yml

@@ -0,0 +1,44 @@
+name: CI
+
+on:
+  workflow_call:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run tests
+        run: bun test
+
+      - name: Build
+        run: bun run build
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Type check
+        run: bunx tsc --noEmit

package/AGENTS.md

@@ -0,0 +1,125 @@
+# AGENTS.md
+
+This file provides guidance to AI agents and contributors working on this Capacitor plugin.
+
+## Quick Start
+
+```bash
+# Install dependencies
+bun install
+
+# Build the plugin (TypeScript + Rollup + docgen)
+bun run build
+
+# Full verification (iOS, Android, Web)
+bun run verify
+
+# Format code (ESLint + Prettier + SwiftLint)
+bun run fmt
+
+# Lint without fixing
+bun run lint
+```
+
+## Development Workflow
+
+1. **Install** - `bun install` (never use npm)
+2. **Build** - `bun run build` compiles TypeScript, generates docs, and bundles with Rollup
+3. **Verify** - `bun run verify` builds for iOS, Android, and Web. Always run this before submitting work
+4. **Format** - `bun run fmt` auto-fixes ESLint, Prettier, and SwiftLint issues
+5. **Lint** - `bun run lint` checks code quality without modifying files
+
+### Individual Platform Verification
+
+```bash
+bun run verify:ios
+bun run verify:android
+bun run verify:web
+```
+
+### Example App
+
+If an `example-app/` directory exists, you can test the plugin locally:
+
+```bash
+cd example-app
+bun install
+bun run start
+```
+
+The example app references the plugin via `file:..`. Use `bunx cap sync <platform>` to sync native platforms.
+
+## Project Structure
+
+- `src/definitions.ts` - TypeScript interfaces and types (source of truth for API docs)
+- `src/index.ts` - Plugin registration
+- `src/web.ts` - Web implementation
+- `ios/Sources/` - iOS native code (Swift)
+- `android/src/main/` - Android native code (Java/Kotlin)
+- `dist/` - Generated output (do not edit manually)
+- `Package.swift` - SwiftPM definition
+- `*.podspec` - CocoaPods spec
+
+## iOS Package Management
+
+We always support both **CocoaPods** and **Swift Package Manager (SPM)**. Every plugin must ship a valid `*.podspec` and `Package.swift`. Do not remove or break either integration — users depend on both.
+
+## API Documentation
+
+API docs in the README are auto-generated from JSDoc in `src/definitions.ts`. **Never edit the `<docgen-index>` or `<docgen-api>` sections in README.md directly.** Instead, update `src/definitions.ts` and run `bun run docgen` (also runs as part of `bun run build`).
+
+## Versioning
+
+The plugin major version follows the Capacitor major version (e.g., plugin v8 for Capacitor 8). **We only ship breaking changes when a new Capacitor native major version is released.** All other changes must be backward compatible.
+
+## Changelog
+
+`CHANGELOG.md` is managed automatically by CI/CD. Do not edit it manually.
+
+## Pull Request Guidelines
+
+We welcome contributions, including AI-generated pull requests. Every PR must include:
+
+### Required Sections
+
+1. **What** - What does this PR change?
+2. **Why** - What is the reason for this change?
+3. **How** - How did you approach the implementation?
+4. **Testing** - What did you test? How did you verify it works?
+5. **Not Tested** - What is not yet tested or needs further validation?
+
+### Rules
+
+- **No breaking changes** unless aligned with a new Capacitor major release.
+- Run `bun run verify` and `bun run fmt` before opening a PR. CI will catch failures, but catching them locally saves time.
+- If you are an AI agent, that is perfectly fine. Just be transparent about it. We care that the code is correct and helpful, not who wrote it.
+- We review PRs on a best-effort basis. We may request changes — you are expected to address them for the PR to be merged.
+- We use automated code review tools (CodeRabbit, and others). You will need to respond to their feedback and resolve any issues they raise.
+- We have automatic releases. Once merged, your change will ship in the next release cycle.
+
+### PR Template
+
+```
+## What
+- [Brief description of the change]
+
+## Why
+- [Motivation for this change]
+
+## How
+- [Implementation approach]
+
+## Testing
+- [What was tested and how]
+
+## Not Tested
+- [What still needs testing, if anything]
+```
+
+## Common Pitfalls
+
+- Always rename Swift/Java classes and package IDs when creating a new plugin from a template — leftover names cause registration conflicts.
+- We only use Java 21 for Android builds.
+- Keep temporary files clean: delete or mark with `deleteOnExit` after use.
+- `dist/` is fully regenerated on every build — never edit generated files.
+- Use Bun for everything. Do not use npm or npx. Use `bunx` if you need to run a package binary.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Capgo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,291 @@
+# 🔒 Capsec - Capacitor Security Scanner
+
+[![npm version](https://badge.fury.io/js/capsec.svg)](https://www.npmjs.com/package/capsec)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Zero-config security scanner for **Capacitor** and **Ionic** apps. Detect vulnerabilities, hardcoded secrets, and security misconfigurations with a single command.
+
+🌐 **Website:** [capacitor-sec.dev](https://capacitor-sec.dev)
+
+## Features
+
+- **🚀 Zero Configuration** - Works out of the box with any Capacitor/Ionic project
+- **🔐 Local Processing** - Your code never leaves your machine
+- **📱 Platform-Specific** - Android and iOS security checks
+- **🔑 Secret Detection** - Detects 30+ types of API keys and secrets
+- **⚡ Fast** - Scans 1000+ files in seconds
+- **📊 Multiple Outputs** - CLI, JSON, and HTML reports
+- **🔄 CI/CD Ready** - GitHub Actions, GitLab CI support
+
+## Quick Start
+
+```bash
+# Run directly with bunx (no installation needed)
+bunx capsec scan
+
+# Or install globally
+bun add -g capsec
+capsec scan
+```
+
+## Security Rules
+
+Capsec includes **63+ security rules** across 13 categories:
+
+| Category | Rules | Description |
+|----------|-------|-------------|
+| 🔑 Secrets | 2 | API keys, tokens, credentials |
+| 💾 Storage | 6 | Preferences, localStorage, SQLite |
+| 🌐 Network | 8 | HTTP, SSL/TLS, WebSocket |
+| ⚡ Capacitor | 10 | Config, plugins, native bridge |
+| 🤖 Android | 8 | Manifest, WebView, permissions |
+| 🍎 iOS | 8 | ATS, Keychain, entitlements |
+| 🔐 Authentication | 6 | JWT, OAuth, biometrics |
+| 🖼️ WebView | 5 | XSS, CSP, iframe security |
+| 🔒 Cryptography | 4 | Algorithms, keys, IV generation |
+| 📝 Logging | 2 | Sensitive data in logs |
+| 🐛 Debug | 3 | Test credentials, dev URLs |
+
+## Usage
+
+### Basic Scan
+
+```bash
+# Scan current directory
+capsec scan
+
+# Scan specific path
+capsec scan ./my-capacitor-app
+```
+
+### Output Formats
+
+```bash
+# CLI output (default)
+capsec scan
+
+# JSON output
+capsec scan --output json --output-file report.json
+
+# HTML report
+capsec scan --output html --output-file report.html
+```
+
+### Filtering
+
+```bash
+# Only critical and high severity
+capsec scan --severity high
+
+# Only specific categories
+capsec scan --categories storage,secrets,network
+
+# Exclude patterns
+capsec scan --exclude "**/test/**,**/demo/**"
+```
+
+### CI/CD Mode
+
+```bash
+# Exit with code 1 if high/critical issues found
+capsec scan --ci
+```
+
+### List Rules
+
+```bash
+# List all rules
+capsec rules
+
+# Filter by category
+capsec rules --category android
+
+# Filter by severity
+capsec rules --severity critical
+```
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+
+      - name: Run Security Scan
+        run: bunx capsec scan --ci
+```
+
+### GitLab CI
+
+```yaml
+security-scan:
+  image: oven/bun:latest
+  script:
+    - bunx capsec scan --ci
+  only:
+    - merge_requests
+    - main
+```
+
+## Configuration
+
+Create a `capsec.config.json` file:
+
+```json
+{
+  "exclude": [
+    "**/node_modules/**",
+    "**/dist/**"
+  ],
+  "severity": "low",
+  "categories": [],
+  "rules": {}
+}
+```
+
+Or initialize with:
+
+```bash
+capsec init
+```
+
+## Programmatic Usage
+
+```typescript
+import { SecurityScanner } from 'capsec';
+
+const scanner = new SecurityScanner({
+  path: './my-app',
+  severity: 'medium',
+  categories: ['secrets', 'network']
+});
+
+const result = await scanner.scan();
+console.log(result.summary);
+```
+
+## Rule Categories
+
+### Secrets (SEC)
+- **SEC001** - Hardcoded API Keys & Secrets
+- **SEC002** - Exposed .env File
+
+### Storage (STO)
+- **STO001** - Unencrypted Sensitive Data in Preferences
+- **STO002** - localStorage Usage for Sensitive Data
+- **STO003** - SQLite Database Without Encryption
+- **STO004** - Filesystem Storage of Sensitive Data
+- **STO005** - Insecure Data Caching
+- **STO006** - Keychain/Keystore Not Used for Credentials
+
+### Network (NET)
+- **NET001** - HTTP Cleartext Traffic
+- **NET002** - SSL/TLS Certificate Pinning Missing
+- **NET003** - Capacitor Server Cleartext Enabled
+- **NET004** - Insecure WebSocket Connection
+- **NET005** - CORS Wildcard Configuration
+- **NET006** - Insecure Deep Link Validation
+- **NET007** - Capacitor HTTP Plugin Misuse
+- **NET008** - Sensitive Data in URL Parameters
+
+### Capacitor (CAP)
+- **CAP001** - WebView Debug Mode Enabled
+- **CAP002** - Insecure Plugin Configuration
+- **CAP003** - Verbose Logging in Production
+- **CAP004** - Insecure allowNavigation
+- **CAP005** - Native Bridge Exposure
+- **CAP006** - Eval Usage with User Input
+- **CAP007** - Missing Root/Jailbreak Detection
+- **CAP008** - Insecure Plugin Import
+- **CAP009** - Live Update Security
+- **CAP010** - Insecure postMessage Handler
+
+### Android (AND)
+- **AND001** - Android Cleartext Traffic Allowed
+- **AND002** - Android Debug Mode Enabled
+- **AND003** - Insecure Android Permissions
+- **AND004** - Android Backup Allowed
+- **AND005** - Exported Components Without Permission
+- **AND006** - WebView JavaScript Enabled Without Safeguards
+- **AND007** - Insecure WebView addJavascriptInterface
+- **AND008** - Hardcoded Signing Key
+
+### iOS (IOS)
+- **IOS001** - App Transport Security Disabled
+- **IOS002** - Insecure Keychain Access
+- **IOS003** - URL Scheme Without Validation
+- **IOS004** - iOS Pasteboard Sensitive Data
+- **IOS005** - Insecure iOS Entitlements
+- **IOS006** - Background App Refresh Data Exposure
+- **IOS007** - Missing iOS Jailbreak Detection
+- **IOS008** - Screenshots Not Disabled for Sensitive Screens
+
+### Authentication (AUTH)
+- **AUTH001** - Weak JWT Validation
+- **AUTH002** - Insecure Biometric Implementation
+- **AUTH003** - Weak Random Number Generation
+- **AUTH004** - Missing Session Timeout
+- **AUTH005** - OAuth State Parameter Missing
+- **AUTH006** - Hardcoded Credentials in Auth
+
+### WebView (WEB)
+- **WEB001** - WebView JavaScript Injection
+- **WEB002** - Unsafe iframe Configuration
+- **WEB003** - External Script Loading
+- **WEB004** - Content Security Policy Missing
+- **WEB005** - Target _blank Without noopener
+
+### Cryptography (CRY)
+- **CRY001** - Weak Cryptographic Algorithm
+- **CRY002** - Hardcoded Encryption Key
+- **CRY003** - Insecure Random IV Generation
+- **CRY004** - Weak Password Hashing
+
+### Logging (LOG)
+- **LOG001** - Sensitive Data in Console Logs
+- **LOG002** - Console Logs in Production
+
+### Debug (DBG)
+- **DBG001** - Debugger Statement
+- **DBG002** - Test Credentials in Code
+- **DBG003** - Development URL in Production
+
+## Contributing
+
+Contributions are welcome! Please read our [Contributing Guide](CONTRIBUTING.md) for details.
+
+## License
+
+MIT License - see [LICENSE](LICENSE) for details.
+
+## Related
+
+- [Capgo](https://capgo.app) - Live updates for Capacitor apps
+- [Capacitor](https://capacitorjs.com) - Build cross-platform apps
+- [Ionic](https://ionicframework.com) - Mobile UI framework
+
+---
+
+Built with ❤️ by the [Capgo](https://capgo.app) team
+
+## Compatibility
+
+| Plugin version | Capacitor compatibility | Maintained |
+| -------------- | ----------------------- | ---------- |
+| v8.\*.\*       | v8.\*.\*                | ✅          |
+| v7.\*.\*       | v7.\*.\*                | On demand   |
+| v6.\*.\*       | v6.\*.\*                | ❌          |
+| v5.\*.\*       | v5.\*.\*                | ❌          |
+
+> **Note:** The major version of this plugin follows the major version of Capacitor. Use the version that matches your Capacitor installation (e.g., plugin v8 for Capacitor 8). Only the latest major version is actively maintained.