@codyswann/lisa 1.13.0 → 1.15.0

package/cdk/copy-overwrite/jest.cdk.ts

@@ -0,0 +1,71 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - CDK Stack
+ *
+ * Provides AWS CDK-specific Jest configuration targeting
+ * the test/ directory with spec and integration-spec patterns.
+ *
+ * Inheritance chain:
+ *   jest.cdk.ts (this file)
+ *   └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.cdk
+ */
+import type { Config } from "jest";
+
+import {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+} from "./jest.base.ts";
+
+// Re-export base utilities for entry-point configs
+export {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+};
+
+/**
+ * Options for configuring the CDK Jest config factory.
+ */
+interface CdkJestOptions {
+  /** Coverage thresholds (merged defaults + project overrides) */
+  readonly thresholds?: Config["coverageThreshold"];
+}
+
+/**
+ * Creates a Jest configuration for AWS CDK projects.
+ *
+ * @param options - Configuration options for threshold overrides
+ * @param options.thresholds - Coverage thresholds (merged defaults + project overrides)
+ * @returns Jest config object with ts-jest transform, node environment, and CDK-specific paths
+ * @remarks CDK projects typically use CommonJS modules and keep tests in a
+ * separate test/ directory. Coverage is collected only from lib/ and util/
+ * directories since bin/ contains entry-point code with minimal logic.
+ */
+export const getCdkJestConfig = ({
+  thresholds = defaultThresholds,
+}: CdkJestOptions = {}): Config => ({
+  testEnvironment: "node",
+  roots: ["<rootDir>/test"],
+  testRegex: "(.*\\.(spec|integration-spec)\\.ts)$",
+  transform: {
+    "^.+\\.ts$": "ts-jest",
+  },
+  moduleFileExtensions: ["js", "json", "ts"],
+  collectCoverageFrom: [
+    "lib/**/*.ts",
+    "util/**/*.ts",
+    ...defaultCoverageExclusions,
+  ],
+  coverageThreshold: thresholds,
+  testTimeout: 10000,
+});

package/cdk/copy-overwrite/jest.config.ts

@@ -0,0 +1,28 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Main Entry Point (CDK)
+ *
+ * Imports the CDK-specific configuration and project-local customizations.
+ * Do not modify this file directly - use jest.config.local.ts for project-specific settings.
+ *
+ * Inheritance chain:
+ *   jest.config.ts (this file)
+ *   └── jest.cdk.ts
+ *       └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config
+ */
+import { mergeConfigs, mergeThresholds } from "./jest.base.ts";
+import { defaultThresholds, getCdkJestConfig } from "./jest.cdk.ts";
+
+import localConfig from "./jest.config.local.ts";
+import thresholdsOverrides from "./jest.thresholds.json" with { type: "json" };
+
+const thresholds = mergeThresholds(defaultThresholds, thresholdsOverrides);
+
+export default mergeConfigs(getCdkJestConfig({ thresholds }), localConfig);

package/cdk/copy-overwrite/tsconfig.cdk.json

@@ -0,0 +1,14 @@
+{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["es2020"],
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "experimentalDecorators": true,
+    "strictPropertyInitialization": false,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false
+  }
+}

package/cdk/copy-overwrite/tsconfig.eslint.json

@@ -3,9 +3,10 @@
   "compilerOptions": {
     "rootDir": ".",
     "noEmit": true,
+    "allowImportingTsExtensions": true,
     "module": "NodeNext",
     "moduleResolution": "NodeNext"
   },
-  "include": ["lib/**/*", "bin/**/*", "test/**/*", "*.config.ts", "eslint.*.ts"],
+  "include": ["lib/**/*", "bin/**/*", "test/**/*", "*.config.ts", "eslint.*.ts", "jest.*.ts"],
   "exclude": ["node_modules", "dist", "cdk.out"]
 }

package/cdk/copy-overwrite/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": ["./tsconfig.cdk.json", "./tsconfig.local.json"]
+}

package/cdk/create-only/cdk.json

@@ -0,0 +1,23 @@
+{
+  "app": "npx tsx bin/infrastructure.ts",
+  "watch": {
+    "include": ["**"],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"]
+  }
+}

package/cdk/create-only/tsconfig.local.json

@@ -0,0 +1,4 @@
+{
+  "include": ["lib/**/*", "bin/**/*", "test/**/*"],
+  "exclude": ["node_modules", "cdk.out"]
+}

package/expo/copy-overwrite/.claude/skills/owasp-zap/SKILL.md

@@ -0,0 +1,56 @@
+# OWASP ZAP Baseline Scanning
+
+OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10.
+
+## When to Use
+
+- After making changes to HTTP headers, authentication, or security middleware
+- Before deploying to staging or production
+- When reviewing security scan results from CI
+- When triaging ZAP findings from pull request checks
+
+## Running Locally
+
+```bash
+# Requires Docker to be installed and running
+bash scripts/zap-baseline.sh
+```
+
+The scan builds the Expo web export, serves it locally, and runs ZAP against it. Reports are saved to `zap-report.html`, `zap-report.json`, and `zap-report.md`.
+
+## Interpreting Results
+
+ZAP findings are categorized by risk level:
+
+| Risk | Action |
+|------|--------|
+| **High** | Fix immediately — indicates exploitable vulnerability |
+| **Medium** | Fix before deployment — security best practice violation |
+| **Low** | Fix when convenient — minor security improvement |
+| **Informational** | Review — may be false positive or acceptable risk |
+
+## Common Findings and Fixes
+
+### Infrastructure-Level (fix at CDN/hosting, not in code)
+
+- **CSP Header Not Set**: Configure Content-Security-Policy at CDN or hosting platform. Expo web exports need `script-src 'self' 'unsafe-inline'` for hydration.
+- **HSTS Not Set**: Configure Strict-Transport-Security at CDN/load balancer.
+- **X-Frame-Options**: Use `frame-ancestors` in CSP at CDN level.
+
+### Application-Level (fix in code)
+
+- **Cookie flags missing**: Ensure all cookies set `HttpOnly`, `Secure`, and `SameSite` attributes.
+- **Debug error messages**: Ensure error boundaries don't leak stack traces in production.
+- **Server version disclosure**: Remove or mask the `Server` response header.
+
+## Configuration
+
+ZAP scan rules are configured in `.zap/baseline.conf`. Each line controls how ZAP treats a specific rule:
+
+- `IGNORE`: Skip the rule entirely
+- `WARN`: Report finding but don't fail the build
+- `FAIL`: Fail the build if this finding is detected
+
+## CI Integration
+
+ZAP runs automatically in CI via the `zap-baseline.yml` workflow. Results are uploaded as artifacts and the build fails on medium+ severity findings.

package/expo/copy-overwrite/.claude/skills/testing-library/SKILL.md

@@ -190,17 +190,12 @@ test("sets isSubmitting to true", () => {});
 
 ## Jest Configuration
 
-### Use jest-expo Universal Preset
+### Manual React Native Resolution (No Preset)
 
-Configure Jest to test across all Expo platforms:
-
-```json
-{
-  "jest": {
-    "preset": "jest-expo/universal"
-  }
-}
-```
+Lisa configures Jest manually instead of using the `jest-expo` preset to avoid
+jsdom incompatibility with `react-native/jest/setup.js`. The configuration in
+`jest.expo.ts` provides haste, resolver, transform, and setupFiles that match
+the preset's behavior without redefining `window`.
 
 ### Use Fake Timers with userEvent
 

package/expo/copy-overwrite/.github/workflows/zap-baseline.yml

@@ -0,0 +1,107 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+
+name: ZAP Baseline Scan (Expo)
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        description: 'Node.js version to use'
+        required: false
+        default: '22.21.1'
+        type: string
+      package_manager:
+        description: 'Package manager to use (npm, yarn, or bun)'
+        required: false
+        default: 'bun'
+        type: string
+      zap_target_url:
+        description: 'Override URL for ZAP to scan (default: http://localhost:3000)'
+        required: false
+        default: 'http://localhost:3000'
+        type: string
+      zap_rules_file:
+        description: 'Path to ZAP rules configuration file'
+        required: false
+        default: '.zap/baseline.conf'
+        type: string
+
+jobs:
+  zap_baseline:
+    name: ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+
+      - name: Setup Bun
+        if: inputs.package_manager == 'bun'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            npm ci
+          elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
+            yarn install --frozen-lockfile
+          elif [ "${{ inputs.package_manager }}" = "bun" ]; then
+            bun install --frozen-lockfile
+          fi
+
+      - name: Build web export
+        run: npx expo export --platform web
+
+      - name: Start static server
+        run: |
+          npx serve dist -l 3000 &
+          SERVER_PID=$!
+          echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
+          sleep 5
+          curl -sf http://localhost:3000 > /dev/null || (echo "Static server failed to start" && exit 1)
+
+      - name: Check for ZAP rules file
+        id: check_rules
+        run: |
+          if [ -f "${{ inputs.zap_rules_file }}" ]; then
+            echo "has_rules=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_rules=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ inputs.zap_target_url }}
+          rules_file_name: ${{ steps.check_rules.outputs.has_rules == 'true' && inputs.zap_rules_file || '' }}
+          fail_action: true
+          allow_issue_writing: false
+          artifact_name: 'zap-report-expo'
+
+      - name: Stop static server
+        if: always()
+        run: |
+          if [ -n "$SERVER_PID" ]; then
+            kill "$SERVER_PID" 2>/dev/null || true
+          fi
+
+      - name: Upload ZAP report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report-expo-${{ github.run_id }}
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          retention-days: 14

package/expo/copy-overwrite/.zap/baseline.conf

@@ -0,0 +1,36 @@
+# OWASP ZAP Baseline Scan Configuration — Expo Web Apps
+# Format: <rule_id> <action> <description>
+# Actions: IGNORE (skip rule), WARN (report but don't fail), FAIL (fail on finding)
+#
+# Tuned for Expo static web exports served behind CDN/reverse proxy in production.
+# Rules that are infrastructure-level (handled by CDN/hosting) are set to WARN.
+
+# CSP header — Expo web exports typically need inline scripts for hydration;
+# CSP is best enforced at the CDN/hosting layer with appropriate nonces.
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+
+# X-Content-Type-Options — should be set at CDN/hosting layer
+10021	WARN	(X-Content-Type-Options Header Missing)
+
+# Strict-Transport-Security — enforced at CDN/load balancer level
+10035	WARN	(Strict-Transport-Security Header Not Set)
+
+# X-Frame-Options — enforced at CDN/hosting layer; CSP frame-ancestors preferred
+10020	WARN	(X-Frame-Options Header Not Set)
+
+# Permissions-Policy — not critical for most Expo apps but good practice
+10063	WARN	(Permissions Policy Header Not Set)
+
+# Server header disclosure — static server in CI, not production concern
+10036	WARN	(Server Leaks Version Information via "Server" HTTP Response Header Field)
+
+# Cookie flags — Expo static sites typically don't set cookies
+10010	IGNORE	(Cookie No HttpOnly Flag)
+10011	IGNORE	(Cookie Without Secure Flag)
+10054	IGNORE	(Cookie without SameSite Attribute)
+
+# Information disclosure in URL — Expo router may use query params legitimately
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+
+# Cross-domain JavaScript source — Expo uses CDN-hosted scripts legitimately
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)

package/expo/copy-overwrite/jest.config.ts

@@ -0,0 +1,28 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Main Entry Point (Expo)
+ *
+ * Imports the Expo-specific configuration and project-local customizations.
+ * Do not modify this file directly - use jest.config.local.ts for project-specific settings.
+ *
+ * Inheritance chain:
+ *   jest.config.ts (this file)
+ *   └── jest.expo.ts
+ *       └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config
+ */
+import { mergeConfigs, mergeThresholds } from "./jest.base.ts";
+import { defaultThresholds, getExpoJestConfig } from "./jest.expo.ts";
+
+import localConfig from "./jest.config.local.ts";
+import thresholdsOverrides from "./jest.thresholds.json" with { type: "json" };
+
+const thresholds = mergeThresholds(defaultThresholds, thresholdsOverrides);
+
+export default mergeConfigs(getExpoJestConfig({ thresholds }), localConfig);

package/expo/copy-overwrite/jest.expo.ts

@@ -0,0 +1,119 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Expo Stack
+ *
+ * Provides Expo/React Native-specific Jest configuration without using
+ * the `jest-expo` preset directly. The preset's `setupFiles` include
+ * `react-native/jest/setup.js` which redefines `window` via
+ * `Object.defineProperties` — incompatible with jsdom's non-configurable
+ * `window` property, causing "Cannot redefine property: window" errors.
+ *
+ * Instead, this config manually replicates the preset's resolution,
+ * transform, and haste settings while using only `jest-expo/src/preset/setup.js`
+ * (the safe subset) in `setupFiles`.
+ *
+ * Coverage collection is scoped to standard Expo source directories
+ * rather than a catch-all glob, preventing config files, scripts, and
+ * plugins from distorting coverage numbers.
+ *
+ * Inheritance chain:
+ *   jest.expo.ts (this file)
+ *   └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @see https://github.com/expo/expo/issues/40184
+ * @module jest.expo
+ */
+import type { Config } from "jest";
+
+import {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+} from "./jest.base.ts";
+
+// Re-export base utilities for entry-point configs
+export {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+};
+
+/**
+ * Options for configuring the Expo Jest config factory.
+ */
+interface ExpoJestOptions {
+  /** Coverage thresholds (merged defaults + project overrides) */
+  readonly thresholds?: Config["coverageThreshold"];
+}
+
+/**
+ * Creates a Jest configuration for Expo/React Native projects.
+ *
+ * @param options - Configuration options for threshold overrides
+ * @param options.thresholds - Coverage thresholds (merged defaults + project overrides)
+ * @returns Jest config object with jsdom environment, babel-jest transform, and React Native resolver
+ * @remarks Avoids `jest-expo` preset to prevent jsdom + `react-native/jest/setup.js`
+ * incompatibility. Manually configures haste, resolver, transform, and setupFiles
+ * to match the preset's behavior without the problematic window redefinition.
+ */
+export const getExpoJestConfig = ({
+  thresholds = defaultThresholds,
+}: ExpoJestOptions = {}): Config => ({
+  testEnvironment: "jsdom",
+  haste: {
+    defaultPlatform: "ios",
+    platforms: ["android", "ios", "native"],
+  },
+  resolver: "react-native/jest/resolver.js",
+  setupFiles: ["jest-expo/src/preset/setup.js"],
+  transform: {
+    "\\.[jt]sx?$": [
+      "babel-jest",
+      {
+        caller: {
+          name: "metro",
+          bundler: "metro",
+          platform: "ios",
+        },
+      },
+    ],
+    "^.+\\.(bmp|gif|jpg|jpeg|mp4|png|psd|svg|webp|ttf|otf|woff|woff2)$":
+      "jest-expo/src/preset/assetFileTransformer.js",
+  },
+  testMatch: [
+    "<rootDir>/**/*.test.ts",
+    "<rootDir>/**/*.test.tsx",
+    "<rootDir>/**/__tests__/**/*.ts",
+    "<rootDir>/**/__tests__/**/*.tsx",
+  ],
+  testPathIgnorePatterns: ["/node_modules/", "/dist/", "/.expo/"],
+  transformIgnorePatterns: [
+    "node_modules/(?!((jest-)?react-native|@react-native(-community)?)|expo(nent)?|@expo(nent)?/.*|@expo-google-fonts/.*|react-navigation|@react-navigation/.*|@sentry/react-native|native-base|react-native-svg|@gluestack-ui/.*|@gluestack-style/.*|nativewind|react-native-css-interop)",
+  ],
+  moduleFileExtensions: ["ts", "tsx", "js", "jsx", "json", "node"],
+  collectCoverageFrom: [
+    "app/**/*.{ts,tsx}",
+    "components/**/*.{ts,tsx}",
+    "config/**/*.{ts,tsx}",
+    "constants/**/*.{ts,tsx}",
+    "features/**/*.{ts,tsx}",
+    "hooks/**/*.{ts,tsx}",
+    "lib/**/*.{ts,tsx}",
+    "providers/**/*.{ts,tsx}",
+    "shared/**/*.{ts,tsx}",
+    "stores/**/*.{ts,tsx}",
+    "types/**/*.{ts,tsx}",
+    "utils/**/*.{ts,tsx}",
+    "!**/*.d.ts",
+    ...defaultCoverageExclusions,
+  ],
+  coverageThreshold: thresholds,
+  testTimeout: 10000,
+});

package/expo/copy-overwrite/scripts/zap-baseline.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# OWASP ZAP Baseline Scan — Expo Web Export
+# Builds the Expo web export, serves it locally, and runs a ZAP baseline scan via Docker.
+# Outputs an HTML report to zap-report.html in the project root.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+TARGET_URL="${ZAP_TARGET_URL:-http://host.docker.internal:3000}"
+ZAP_RULES_FILE="${ZAP_RULES_FILE:-.zap/baseline.conf}"
+REPORT_FILE="zap-report.html"
+
+cd "$PROJECT_ROOT"
+
+# Verify Docker is available
+if ! command -v docker &> /dev/null; then
+  echo "Error: Docker is required but not installed."
+  echo "Install Docker from https://docs.docker.com/get-docker/"
+  exit 1
+fi
+
+if ! docker info &> /dev/null 2>&1; then
+  echo "Error: Docker daemon is not running."
+  exit 1
+fi
+
+# Detect package manager
+if [ -f "bun.lockb" ]; then
+  PKG_MGR="bun"
+elif [ -f "yarn.lock" ]; then
+  PKG_MGR="yarn"
+elif [ -f "pnpm-lock.yaml" ]; then
+  PKG_MGR="pnpm"
+else
+  PKG_MGR="npm"
+fi
+
+echo "==> Building Expo web export..."
+npx expo export --platform web
+
+echo "==> Starting static server on port 3000..."
+npx serve dist -l 3000 &
+SERVER_PID=$!
+
+cleanup() {
+  echo "==> Cleaning up..."
+  if [ -n "${SERVER_PID:-}" ]; then
+    kill "$SERVER_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+sleep 3
+if ! curl -sf http://localhost:3000 > /dev/null 2>&1; then
+  echo "Error: Static server failed to start"
+  exit 1
+fi
+
+echo "==> Running OWASP ZAP baseline scan..."
+ZAP_ARGS="-t $TARGET_URL"
+
+if [ -f "$ZAP_RULES_FILE" ]; then
+  echo "    Using rules file: $ZAP_RULES_FILE"
+  ZAP_ARGS="$ZAP_ARGS -c /zap/wrk/$(basename "$ZAP_RULES_FILE")"
+  MOUNT_RULES="-v $(dirname "$(realpath "$ZAP_RULES_FILE")"):/zap/wrk:ro"
+else
+  MOUNT_RULES=""
+fi
+
+docker run --rm \
+  --add-host=host.docker.internal:host-gateway \
+  -v "$(pwd)":/zap/wrk/:rw \
+  $MOUNT_RULES \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap-baseline.py $ZAP_ARGS \
+  -r "$REPORT_FILE" \
+  -J zap-report.json \
+  -w zap-report.md \
+  -l WARN || ZAP_EXIT=$?
+
+echo ""
+if [ -f "$REPORT_FILE" ]; then
+  echo "ZAP report saved to: $REPORT_FILE"
+fi
+
+if [ "${ZAP_EXIT:-0}" -ne 0 ]; then
+  echo "ZAP found medium+ severity findings (exit code: $ZAP_EXIT)"
+  echo "Review $REPORT_FILE for details."
+  exit "$ZAP_EXIT"
+else
+  echo "ZAP baseline scan passed — no medium+ severity findings."
+fi

package/expo/copy-overwrite/tsconfig.eslint.json

@@ -2,7 +2,8 @@
   "extends": "./tsconfig.json",
   "compilerOptions": {
     "rootDir": ".",
-    "noEmit": true
+    "noEmit": true,
+    "allowImportingTsExtensions": true
   },
   "include": [
     "app/**/*",

package/expo/copy-overwrite/tsconfig.expo.json

@@ -0,0 +1,12 @@
+{
+  "extends": ["expo/tsconfig.base", "./tsconfig.base.json"],
+  "compilerOptions": {
+    "strict": true,
+    "jsx": "react-native",
+    "baseUrl": "./",
+    "paths": {
+      "@/*": ["./*"]
+    },
+    "moduleSuffixes": [".ios", ".android", ".native", ".web", ""]
+  }
+}

package/expo/copy-overwrite/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": ["./tsconfig.expo.json", "./tsconfig.local.json"],
+  "include": ["**/*.ts", "**/*.tsx"],
+  "exclude": ["node_modules", "dist", "web-build"]
+}

package/expo/create-only/.github/workflows/ci.yml

@@ -25,6 +25,14 @@ jobs:
       node_version: '22.21.1'
       package_manager: 'bun'
 
+  zap:
+    name: 🕷️ ZAP Baseline Scan
+    needs: [quality]
+    uses: ./.github/workflows/zap-baseline.yml
+    with:
+      node_version: '22.21.1'
+      package_manager: 'bun'
+
   create_issue_on_failure:
     name: 📌 Create Issue on Failure
     needs: [quality]

package/expo/create-only/tsconfig.local.json

@@ -0,0 +1,3 @@
+{
+  "compilerOptions": {}
+}