@prasenjeet/shipli 1.2.0 → 1.3.0

package/README.md

@@ -3,6 +3,8 @@
 [![npm version](https://img.shields.io/npm/v/@prasenjeet/shipli)](https://www.npmjs.com/package/@prasenjeet/shipli)
 [![license](https://img.shields.io/npm/l/@prasenjeet/shipli)](LICENSE)
 
+**Website:** [https://prasenjeet-symon.github.io/shipli-ai/](https://prasenjeet-symon.github.io/shipli-ai/)
+
 Store rejections cost days of development time. **Shipli** is a CLI tool that audits your Flutter source code against **Apple App Store** and **Google Play** guidelines using AI.
 
 Catch missing permissions, policy violations, and compliance issues before you submit.
@@ -233,6 +235,24 @@ The assistant will call the appropriate Shipli MCP tool and return the results i
 
 The CLI exits with code `1` on failure, making it easy to gate deployments.
 
+## Telemetry
+
+Shipli collects anonymous usage metrics to help improve the tool. No project data, file contents, API keys, or personally identifiable information is ever collected.
+
+**What's collected:** audit mode, platform, provider, model, pass/fail score, duration, token counts, OS, and CLI version.
+
+**Opt out** using any of these methods:
+
+```bash
+# Environment variable
+export SHIPLI_TELEMETRY=off
+
+# Or use the Do Not Track standard
+export DO_NOT_TRACK=1
+```
+
+Or add `"telemetry": false` to your `~/.shipli` config file.
+
 ## License
 
 MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prasenjeet/shipli",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "AI-powered App Store review audit for Flutter projects. Catch rejections before you submit.",
   "type": "module",
   "bin": {
@@ -28,9 +28,10 @@
   ],
   "author": "",
   "license": "MIT",
+  "homepage": "https://prasenjeet-symon.github.io/shipli-ai/",
   "repository": {
     "type": "git",
-    "url": ""
+    "url": "https://github.com/prasenjeet-symon/shipli-ai"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",

package/src/auditor.js

@@ -129,11 +129,14 @@ function buildCodePrompt() {
 - Performance optimization for Flutter (build methods, rebuilds, isolates)
 - Dependency management and pub.dev ecosystem health
 
+You have been provided a "FLUTTER_CODE_RULES" section containing a security and code quality rulebook. Use these rules as a baseline checklist: ensure every relevant clause is evaluated against the project evidence. However, you are NOT limited to these rules — also apply your own expertise to identify issues beyond the rulebook.
+
 Focus ONLY on code quality, security, and engineering best practices — not store compliance or legal requirements.
 
 EVIDENCE FORMAT:
 - "PUBSPEC_METADATA": App name, version, and list of pub.dev package dependencies
 - "DART_SKELETONS": Architectural skeleton of Dart files
+- "FLUTTER_CODE_RULES": Security and code quality rulebook with specific vulnerability patterns and mitigations (if available)
 ${CODE_CATEGORIES}
 ${RESPONSE_FORMAT}`;
 }
@@ -184,6 +187,8 @@ function buildBothPrompt(platform) {
 
   const platformLabel = isBoth ? 'Apple App Store and Google Play' : isIos ? 'Apple App Store' : 'Google Play Store';
 
+  evidence.push('- "FLUTTER_CODE_RULES": Security and code quality rulebook with specific vulnerability patterns and mitigations (if available)');
+
   return `You are an experienced ${platformLabel} reviewer AND senior Flutter/Dart engineer conducting a comprehensive audit.
 
 ${guidelinesRef.join('\n')}
@@ -191,6 +196,8 @@ ${guidelinesRef.join('\n')}
 You have deep knowledge of:
 ${knowledge.join('\n')}
 
+You have been provided a "FLUTTER_CODE_RULES" section containing a security and code quality rulebook. Use these rules as a baseline checklist: ensure every relevant clause is evaluated against the project evidence. However, you are NOT limited to these rules — also apply your own expertise to identify issues beyond the rulebook.
+
 Analyze the provided Flutter project evidence and produce a comprehensive audit report covering both store compliance and code quality.
 
 EVIDENCE FORMAT:
@@ -243,6 +250,8 @@ function buildPkgCodePrompt() {
 - Flutter plugin architecture and platform channel patterns
 - Performance and memory management in plugins
 
+You have been provided a "FLUTTER_CODE_RULES" section containing a security and code quality rulebook. Use these rules as a baseline checklist: ensure every relevant clause is evaluated against the project evidence. Not all rules may apply to a standalone package — skip clauses that are not relevant. However, you are NOT limited to these rules — also apply your own expertise to identify issues beyond the rulebook.
+
 Focus ONLY on code quality, API design, and engineering best practices — not store compliance.
 
 EVIDENCE FORMAT:
@@ -250,6 +259,7 @@ EVIDENCE FORMAT:
 - "PLUGIN_PLATFORMS": Supported platforms and native integration classes
 - "DART_SKELETONS": Architectural skeleton of Dart files
 - "EXAMPLE_APP" (if present): Skeleton of the example/ app
+- "FLUTTER_CODE_RULES": Security and code quality rulebook with specific vulnerability patterns and mitigations (if available)
 ${PKG_CODE_CATEGORIES}
 ${RESPONSE_FORMAT}`;
 }
@@ -263,6 +273,8 @@ function buildPkgBothPrompt() {
 - iOS and Android platform integration requirements
 - Privacy and permission implications for consuming apps
 
+You have been provided a "FLUTTER_CODE_RULES" section containing a security and code quality rulebook. Use these rules as a baseline checklist: ensure every relevant clause is evaluated against the project evidence. Not all rules may apply to a standalone package — skip clauses that are not relevant. However, you are NOT limited to these rules — also apply your own expertise to identify issues beyond the rulebook.
+
 Analyze the provided Flutter package/plugin evidence and produce a comprehensive audit report.
 
 EVIDENCE FORMAT:
@@ -270,6 +282,7 @@ EVIDENCE FORMAT:
 - "PLUGIN_PLATFORMS": Supported platforms and native integration classes
 - "DART_SKELETONS": Architectural skeleton of Dart files
 - "EXAMPLE_APP" (if present): Skeleton of the example/ app
+- "FLUTTER_CODE_RULES": Security and code quality rulebook with specific vulnerability patterns and mitigations (if available)
 ${PKG_STORE_CATEGORIES}
 ${PKG_CODE_CATEGORIES}
 ${RESPONSE_FORMAT}`;
@@ -291,7 +304,7 @@ function selectPrompt(projectType, mode, platform) {
 
 // ── Message builder ──
 
-function buildUserMessage({ files, exampleFiles, permissions, androidPermissions, pubspec, plistFound, androidManifestFound, projectType, appleGuidelines, googleGuidelines }) {
+function buildUserMessage({ files, exampleFiles, permissions, androidPermissions, pubspec, plistFound, androidManifestFound, projectType, appleGuidelines, googleGuidelines, codeRules }) {
   const sections = [];
   const isPackage = projectType === 'package';
 
@@ -308,6 +321,12 @@ function buildUserMessage({ files, exampleFiles, permissions, androidPermissions
     sections.push(googleGuidelines.content);
   }
 
+  if (codeRules?.content) {
+    sections.push('\n=== FLUTTER_CODE_RULES ===');
+    sections.push('(Security and code quality rulebook — use as a baseline checklist)');
+    sections.push(codeRules.content);
+  }
+
   sections.push('\n=== PUBSPEC_METADATA ===');
   sections.push(`${isPackage ? 'Package' : 'App'}: ${pubspec.name}${pubspec.version ? ` v${pubspec.version}` : ''}`);
   if (pubspec.description) {

package/src/guidelines.js

@@ -13,6 +13,10 @@ const STORES = {
     file: join(__dirname, 'rules', 'android-rules.md'),
     label: 'Play Store',
   },
+  flutter_code: {
+    file: join(__dirname, 'rules', 'flutter-code-rules.md'),
+    label: 'Flutter Code Rules',
+  },
 };
 
 /**

package/src/index.js

@@ -18,6 +18,7 @@ import { audit } from './auditor.js';
 import { fetchGuidelines } from './guidelines.js';
 import { print as printReport } from './reporter.js';
 import { PROVIDER_DEFAULTS as DEFAULTS, detectPlatform } from './defaults.js';
+import { trackEvent } from './telemetry.js';
 
 // Read package version
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -113,6 +114,7 @@ program
 
     const platformLabel = { ios: 'iOS', android: 'Android', both: 'iOS + Android' }[platform];
     let spinner = ora({ text: `Scanning Flutter project (${platformLabel})...`, color: 'cyan' }).start();
+    const startTime = Date.now();
 
     try {
       // 1. Read pubspec.yaml first (needed for type detection)
@@ -174,7 +176,18 @@ program
         }
       }
 
-      // 7. Run AI audit
+      // 7. Load code review rules (for code and both modes)
+      let codeRules = null;
+      if (mode !== 'store') {
+        spinner.text = 'Loading code review rules...';
+        codeRules = await fetchGuidelines('flutter_code');
+        if (codeRules.warning) {
+          spinner.warn(chalk.yellow(codeRules.warning));
+          spinner = ora({ text: '', color: 'cyan' }).start();
+        }
+      }
+
+      // 8. Run AI audit
       const modeLabel = { store: 'store compliance', code: 'code quality', both: 'full' }[mode];
       spinner.text = `Running ${modeLabel} audit with ${provider}/${model}...`;
       const result = await audit(
@@ -189,6 +202,7 @@ program
           projectType,
           appleGuidelines,
           googleGuidelines,
+          codeRules,
         },
         { apiKey, model, provider, mode, platform },
       );
@@ -205,11 +219,23 @@ program
         platform,
       });
 
-      // 9. Exit with appropriate code
-      process.exit(result.score === 'FAIL' ? 1 : 0);
+      // 9. Track and exit
+      trackEvent('audit_completed', {
+        source: 'cli', mode, platform, provider, model,
+        project_type: projectType, score: result.score,
+        duration_ms: Date.now() - startTime,
+        tokens_input: result._tokens?.actual?.input ?? null,
+        tokens_output: result._tokens?.actual?.output ?? null,
+      });
+      process.exitCode = result.score === 'FAIL' ? 1 : 0;
     } catch (err) {
       spinner.fail(chalk.red(err.message));
-      process.exit(1);
+      trackEvent('audit_error', {
+        source: 'cli', mode, platform, provider, model,
+        duration_ms: Date.now() - startTime,
+        error_message: err.message.slice(0, 200),
+      });
+      process.exitCode = 1;
     }
   });
 

package/src/mcp-server.js

@@ -15,6 +15,7 @@ import { fetchGuidelines } from './guidelines.js';
 import { audit } from './auditor.js';
 import { loadConfig } from './config.js';
 import { PROVIDER_DEFAULTS, detectPlatform } from './defaults.js';
+import { trackEvent } from './telemetry.js';
 
 // ── Read package version ──
 
@@ -72,6 +73,7 @@ server.tool(
     platform: z.enum(['ios', 'android', 'both']).optional().describe('Target platform: "ios" (App Store only), "android" (Play Store only), or "both" (both stores). Auto-detected from ios/ and android/ directory presence if omitted.'),
   },
   async ({ projectDir, platform }) => {
+    const startTime = Date.now();
     try {
       const dir = validateProject(projectDir);
       const { provider, model, apiKey } = resolveConfig(dir);
@@ -124,10 +126,23 @@ server.tool(
         { apiKey, model, provider, mode: 'store', platform: resolvedPlatform },
       );
 
+      trackEvent('audit_completed', {
+        source: 'mcp', mode: 'store', platform: resolvedPlatform,
+        provider, model, project_type: projectType, score: result.score,
+        duration_ms: Date.now() - startTime,
+        tokens_input: result._tokens?.actual?.input ?? null,
+        tokens_output: result._tokens?.actual?.output ?? null,
+      });
+
       return {
         content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
       };
     } catch (err) {
+      trackEvent('audit_error', {
+        source: 'mcp', mode: 'store',
+        duration_ms: Date.now() - startTime,
+        error_message: err.message.slice(0, 200),
+      });
       return {
         content: [{ type: 'text', text: `Error: ${err.message}` }],
         isError: true,
@@ -145,6 +160,7 @@ server.tool(
     projectDir: z.string().describe('Absolute path to the Flutter project root directory. Must contain a pubspec.yaml and a lib/ folder. Example: "/Users/you/projects/my-flutter-app"'),
   },
   async ({ projectDir }) => {
+    const startTime = Date.now();
     try {
       const dir = validateProject(projectDir);
       const { provider, model, apiKey } = resolveConfig(dir);
@@ -160,6 +176,8 @@ server.tool(
         exampleFiles = exampleResult.files;
       }
 
+      const codeRules = await fetchGuidelines('flutter_code');
+
       const result = await audit(
         {
           files,
@@ -172,14 +190,28 @@ server.tool(
           projectType,
           appleGuidelines: null,
           googleGuidelines: null,
+          codeRules,
         },
         { apiKey, model, provider, mode: 'code', platform: 'both' },
       );
 
+      trackEvent('audit_completed', {
+        source: 'mcp', mode: 'code', platform: 'both',
+        provider, model, project_type: projectType, score: result.score,
+        duration_ms: Date.now() - startTime,
+        tokens_input: result._tokens?.actual?.input ?? null,
+        tokens_output: result._tokens?.actual?.output ?? null,
+      });
+
       return {
         content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
       };
     } catch (err) {
+      trackEvent('audit_error', {
+        source: 'mcp', mode: 'code',
+        duration_ms: Date.now() - startTime,
+        error_message: err.message.slice(0, 200),
+      });
       return {
         content: [{ type: 'text', text: `Error: ${err.message}` }],
         isError: true,

package/src/rules/flutter-code-rules.md

@@ -0,0 +1,247 @@
+## Clause I: Security Anti-Patterns and Cryptographic Vulnerabilities
+
+### Sub-Clause 1.1: Insecure Data Persistence and Secret Management
+- Developers routinely misuse **SharedPreferences** (and iOS **UserDefaults**) to store sensitive data such as OAuth tokens, session identifiers, credentials, and encryption keys.  
+- These libraries store data in plaintext XML/plist files, easily extractable if the device is rooted/jailbroken or exploited.  
+- Consequence: stolen tokens permit indefinite impersonation due to lack of backend token rotation.  
+- **Mitigation**: use **flutter_secure_storage**, which leverages Android Keystore/iOS Keychain with hardware-backed cryptographic enclaves.  
+
+Hardcoding API keys and credentials in Dart source code is another critical failing. Automated decompilation tools can extract these secrets from compiled binaries.  
+- **Mitigation**: inject secrets via secure environment variables during CI/CD, retrieve dynamically from backend secret management services.
+
+---
+
+### Sub-Clause 1.2: Cryptographic Implementation Flaws and Algorithmic Misuse
+- Developers often misuse cryptographic primitives due to lack of expertise.  
+- Common flaws:
+  - Using weak PRNGs (`Math.random()`), leading to predictable entropy.  
+  - Inconsistent RSA key lengths.  
+  - Failure to destroy seeds post-generation.  
+  - Vulnerable AES-CBC with PKCS padding without MACs → padding oracle attacks.  
+- **Mitigation**: use NIST-approved authenticated encryption (AES-GCM) via vetted packages (`encrypt`, `crypto`).
+
+---
+
+### Sub-Clause 1.3: Token Lifecycle and Session Management Deficiencies
+- Refresh tokens not invalidated post-use.  
+- Access tokens not revoked on logout.  
+- Orphaned tokens hijacked by malware or physical access.  
+- **Mitigation**:
+  - Short-lived access tokens.  
+  - Backend expiry enforcement.  
+  - Immediate local purging and backend revocation on logout.  
+  - Risk-based verification for sensitive actions.
+
+---
+
+### Cryptographic Vulnerability Table
+
+| Vulnerability              | Root Cause Mechanism                                    | Architectural Remediation Strategy |
+|-----------------------------|--------------------------------------------------------|------------------------------------|
+| Plaintext Secret Exposure   | SharedPreferences for API keys/tokens                  | Use flutter_secure_storage (Keystore/Keychain) |
+| RNG Bias & Key Predictability | Dart Math.random() for entropy                        | Use secure PRNGs, destroy seeds |
+| Padding Oracle Vulnerabilities | AES-CBC without MAC                                  | Use AES-GCM via vetted packages |
+| Orphaned Session Tokens     | Tokens not purged/revoked on logout                    | Local purge + backend revocation |
+
+---
+
+## Clause II: Network Security and Transport Layer Exploitations
+
+### Sub-Clause 2.1: Certificate Pinning and MITM Attack Vectors
+- Relying solely on device CA trust store is insecure.  
+- Malicious root certificates allow interception of HTTPS traffic.  
+- **Mitigation**: implement strict certificate pinning (e.g., `flutter_ssl_pinning`, `http_certificate_pinner`).  
+
+---
+
+### Sub-Clause 2.2: Application-Layer Payload Encryption
+- TLS alone is insufficient in zero-trust architectures.  
+- Sensitive payloads (KYC, banking, PII) must be encrypted before transmission.  
+- **Mitigation**: AES payload encryption with symmetric key coordination.
+
+---
+
+### Sub-Clause 2.3: Deep Link Hijacking & WebView Vulnerabilities
+- Custom URL schemes without validation allow hijacking.  
+- Malicious apps intercept OAuth codes, reset tokens, etc.  
+- Developers often pipe unvalidated deep link parameters into SQLite, WebViews, or API calls → SQL injection, code execution.  
+- **Mitigation**: validate parameters against allowlists, verify authentication before rendering sensitive screens.  
+
+WebViews introduce XSS/CSRF risks if unrestricted JavaScript execution is enabled.  
+- **Mitigation**: sandbox WebViews, restrict JS interfaces, deny local storage access.
+
+---
+
+## Clause III: System Integrity, Reverse Engineering, and Native Interop Exploits
+
+### Sub-Clause 3.1: Obfuscation, Minification, and Tamper Resilience
+- Failure to use `--obfuscate` and `--split-debug-info` exposes readable binaries.  
+- Lack of Runtime Application Self-Protection (RASP).  
+- **Mitigation**: enforce obfuscation, detect rooted/jailbroken devices, terminate execution in insecure environments.
+
+---
+
+### Sub-Clause 3.2: Native Memory Manipulation and FFI Vulnerabilities
+- FFI bypasses Dart’s memory safety.  
+- Developers fail to deallocate native memory → leaks, buffer overflows, use-after-free.  
+- Linked binaries often lack protections (RELRO, stack canaries).  
+- **Mitigation**: strict manual deallocation, compile with fortified functions.
+
+---
+
+### Sub-Clause 3.3: Background Snapshots and Logging Hygiene
+- Developers leave `print()` statements in production → leaks sensitive data via logcat/console.  
+- OS snapshots expose sensitive UI in app switcher.  
+- **Mitigation**: use `dart:developer log`, redact sensitive strings, enforce `FLAG_SECURE` (Android) or `applicationWillResignActive` (iOS).
+
+---
+
+### System Integrity Table
+
+| Vector                     | Anti-Pattern                                | Mitigation Strategy |
+|-----------------------------|---------------------------------------------|---------------------|
+| Binary Reverse Engineering | No obfuscation                              | Use `--obfuscate`, `--split-debug-info` |
+| Native Interop (FFI)       | Unmanaged malloc, missing protections        | Manual deallocation, enforce RELRO/stack canaries |
+| Logcat/Console Leaks       | `print()` for sensitive data                 | Use `dart:developer log`, redact |
+| Background Snapshots       | Sensitive UI visible in app switcher         | Use FLAG_SECURE / lifecycle masking |
+
+---
+
+## Clause IV: Memory Management Deficiencies and Resource Leaks
+
+### Sub-Clause 4.1: Dart GC vs Native Resource Allocation
+- Dart GC manages heap objects but not native resources.  
+- Abandoned Dart proxies → orphaned native resources (graphics buffers, sockets).  
+- **Mitigation**: explicitly destruct native resources.
+
+---
+
+### Sub-Clause 4.2: Controller, Listener, and Ticker Retention
+- Failure to dispose controllers (AnimationController, TextEditingController, etc.) keeps them active post-widget removal.  
+- Leads to CPU drain, battery drain, GC retention.  
+- **Mitigation**: always call `.dispose()` in widget lifecycle.
+
+---
+
+### Sub-Clause 4.3: Unmanaged Stream Subscriptions & Async Context Retention
+- StreamSubscriptions not canceled → background callbacks persist.  
+- Can crash app if `setState()` called on unmounted widget.  
+- **Mitigation**: assign subscriptions to variables, cancel in `dispose()`, use `StreamBuilder`.  
+
+Misuse of BuildContext across async gaps → runtime crashes.  
+- **Mitigation**: check `mounted` property before using context post-await.
+
+---
+
+### Sub-Clause 4.4: Timer Leaks and Background Isolate Memory
+- Timers not canceled → callbacks persist indefinitely.  
+- Background isolates not closing network/database connections → orphaned sockets.  
+- **Mitigation**: cancel timers, close connections before isolate termination.
+
+---
+
+## Clause V: Memory Bloat and Asset Optimization Anti-Patterns
+
+### Sub-Clause 5.1: High-Resolution Bitmap Decoding and Heap Exhaustion
+- When developers load standard, high-resolution images (such as 4K photographs from a device camera or a network CDN) into image widgets designed for small UI avatars or thumbnails, they trigger a catastrophic memory event.  
+- The Flutter engine does not natively scale the image down before placing it in memory; instead, it mathematically decodes the entire high-resolution image into a raw, uncompressed bitmap directly into the device's precious RAM.  
+- A single, unoptimized multi-megapixel image can effortlessly consume tens to hundreds of megabytes of memory.  
+- If these unoptimized images are rendered within an infinite ListView without aggressive lazy loading, the rapid, successive instantiation of these massive bitmaps instantaneously overwhelms the heap, leading to Out-Of-Memory (OOM) crashes.  
+
+---
+
+### Sub-Clause 5.2: Asset Preloading and Cache Saturation
+- Developers frequently preload massive asset bundles (images, fonts, audio files) into memory at application startup.  
+- While intended to reduce runtime latency, this practice saturates the cache and consumes memory unnecessarily.  
+- **Mitigation**: implement lazy loading strategies, load assets only when required, and leverage caching libraries with eviction policies.
+
+---
+
+### Sub-Clause 5.3: Inefficient Image Resizing and Format Misuse
+- Using uncompressed formats (e.g., PNG) for large assets instead of optimized formats (e.g., WebP, JPEG) leads to excessive memory consumption.  
+- Developers often resize images at runtime rather than preprocessing them, causing repeated decoding overhead.  
+- **Mitigation**: preprocess images to appropriate resolutions, use efficient formats, and apply compression pipelines before bundling.
+
+---
+
+### Sub-Clause 5.4: Animated Asset Overconsumption
+- Excessive use of GIFs or unoptimized Lottie animations consumes CPU and memory.  
+- Continuous decoding of animation frames leads to performance degradation.  
+- **Mitigation**: prefer vector-based animations, optimize frame rates, and limit animation scope.
+
+---
+
+### Memory Bloat Table
+
+| Anti-Pattern                     | Root Cause Mechanism                          | Mitigation Strategy |
+|----------------------------------|-----------------------------------------------|---------------------|
+| High-Res Bitmap Decoding         | Full 4K decode into RAM                       | Pre-scale images, lazy load |
+| Asset Preloading                 | Loading all assets at startup                 | Lazy load, cache eviction |
+| Format Misuse                    | PNG for large assets                          | Use WebP/JPEG, preprocess |
+| Animated Asset Overconsumption   | GIF/Lottie overuse                            | Optimize animations, prefer vectors |
+
+---
+
+## Clause VI: State Management Fragmentation
+
+### Sub-Clause 6.1: Improper Global State Retention
+- Developers often rely on global variables or singletons to manage state.  
+- This leads to memory retention, race conditions, and unpredictable behavior.  
+- **Mitigation**: adopt structured state management frameworks (e.g., Provider, Riverpod, Bloc).
+
+---
+
+### Sub-Clause 6.2: Redundant Rebuilds and Render-Tree Thrashing
+- Misuse of `setState()` triggers unnecessary widget rebuilds.  
+- Causes UI jank, battery drain, and degraded performance.  
+- **Mitigation**: use `ValueNotifier`, `ChangeNotifier`, or memoization to minimize rebuilds.
+
+---
+
+### Sub-Clause 6.3: Fragmented State Across Multiple Layers
+- Mixing multiple state management solutions (e.g., Redux + Provider + custom streams) creates fragmentation.  
+- Leads to debugging complexity and inconsistent lifecycle handling.  
+- **Mitigation**: enforce a single, unified state management approach.
+
+---
+
+## Clause VII: Continuous Integration and Governance Failures
+
+### Sub-Clause 7.1: Insecure CI/CD Pipelines
+- Secrets often hardcoded in pipeline scripts.  
+- Build artifacts not signed or verified.  
+- **Mitigation**: use secret managers, enforce artifact signing, and implement reproducible builds.
+
+---
+
+### Sub-Clause 7.2: Lack of Automated Security Testing
+- Developers neglect static analysis, dependency scanning, and penetration testing.  
+- Vulnerabilities persist into production.  
+- **Mitigation**: integrate automated tools (e.g., SonarQube, OWASP Dependency-Check) into CI/CD.
+
+---
+
+### Sub-Clause 7.3: Insufficient Governance Policies
+- Teams fail to enforce coding standards, secure review processes, and compliance audits.  
+- **Mitigation**: establish governance frameworks, enforce peer review, and conduct periodic audits.
+
+---
+
+## Clause VIII: Advanced Threat Modeling and Enterprise Recommendations
+
+### Sub-Clause 8.1: Threat Modeling Oversights
+- Developers rarely conduct structured threat modeling for Flutter apps.  
+- Attack surfaces (FFI, deep links, WebViews) remain unaddressed.  
+- **Mitigation**: adopt STRIDE/DREAD methodologies, simulate adversarial scenarios.
+
+---
+
+### Sub-Clause 8.2: Enterprise-Grade Security Baselines
+- Enterprises must enforce:
+  - Hardware-backed secure storage.  
+  - Certificate pinning.  
+  - Obfuscation and RASP.  
+  - Memory leak detection tools.  
+- These baselines ensure resilience against systemic vulnerabilities.
+
+---

package/src/telemetry.js

@@ -0,0 +1,83 @@
+import { createHash } from 'node:crypto';
+import { hostname, userInfo, platform, arch } from 'node:os';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { fileURLToPath } from 'node:url';
+import { dirname } from 'node:path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
+
+const POSTHOG_ENDPOINT = 'https://us.i.posthog.com/capture';
+const POSTHOG_API_KEY = 'phc_JcSoYrxMXvJjCtlePCFI6UuhNbwq33WXNeUKmDB6Msz';
+
+// ── Opt-out check (lazy, cached) ──
+
+let _disabled = null;
+
+function isDisabled() {
+  if (_disabled !== null) return _disabled;
+
+  const envVal = (process.env.SHIPLI_TELEMETRY || '').toLowerCase();
+  if (['off', 'false', '0', 'no'].includes(envVal)) {
+    _disabled = true;
+    return true;
+  }
+
+  if (process.env.DO_NOT_TRACK === '1') {
+    _disabled = true;
+    return true;
+  }
+
+  try {
+    const raw = readFileSync(join(homedir(), '.shipli'), 'utf-8');
+    const config = JSON.parse(raw);
+    if (config.telemetry === false) {
+      _disabled = true;
+      return true;
+    }
+  } catch {
+    // No config file or invalid JSON — telemetry stays on
+  }
+
+  _disabled = false;
+  return false;
+}
+
+// ── Anonymous device ID ──
+
+function getAnonymousId() {
+  try {
+    const raw = `${hostname()}:${userInfo().username}`;
+    return createHash('sha256').update(raw).digest('hex').slice(0, 16);
+  } catch {
+    return createHash('sha256').update(hostname()).digest('hex').slice(0, 16);
+  }
+}
+
+// ── Fire-and-forget event dispatch ──
+
+export function trackEvent(name, properties = {}) {
+  if (isDisabled()) return;
+
+  const payload = {
+    api_key: POSTHOG_API_KEY,
+    event: name,
+    distinct_id: getAnonymousId(),
+    properties: {
+      ...properties,
+      cli_version: pkg.version,
+      node_version: process.version,
+      os: platform(),
+      arch: arch(),
+    },
+  };
+
+  fetch(POSTHOG_ENDPOINT, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(3000),
+  }).catch(() => {});
+}