@qafka/react-native 2.0.0

package/CHANGELOG.md

@@ -0,0 +1,12 @@
+# Changelog
+
+All notable changes to `@qafka/react-native` are documented here.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [2.0.0] — 2026-05-17
+
+Initial public release. See [README.md](./README.md) for the full feature list and installation instructions.

package/CONTRIBUTING.md

@@ -0,0 +1,92 @@
+# Contributing
+
+Thanks for your interest in Qafka.
+
+## About this repository
+
+This is the official React Native SDK for the [Qafka platform](https://qafka.com). It's MIT-licensed and the source is public — audit it, debug it, pin a specific commit, fork it if you need.
+
+Day-to-day development happens on our internal roadmap, and we accept a curated set of external contributions — see below.
+
+## Reporting bugs
+
+Please use [GitHub Issues](https://github.com/qafka-ai/react-native-qafka/issues) and the bug report template. Helpful reports include:
+
+- SDK version, React Native version, platform (iOS / Android / Expo)
+- A minimal reproduction
+- Logs (with API keys redacted)
+
+For **security issues**, see [SECURITY.md](./SECURITY.md) — please do not file them as public issues.
+
+## Requesting features
+
+Open a [GitHub Issue](https://github.com/qafka-ai/react-native-qafka/issues) describing the use case. We'll respond with whether it fits the roadmap and the likely timing.
+
+**Please do not send feature PRs without a tracking issue and our explicit go-ahead.** We may decline merges that don't fit our direction, even if the code is good — please don't take it personally.
+
+## Pull requests we accept
+
+- 🐛 **Bug fixes** with a reproducing test
+- 📝 **Documentation fixes** — typos, broken links, clarifications
+- 🔧 **Build / tooling fixes** — broken CI, packaging issues
+- ♿ **Accessibility fixes** to the rendered components
+
+## Pull requests we usually decline
+
+- New features without a prior issue
+- Pure refactors / restyles
+- Dependency updates (we manage these on a release cadence)
+- Code style changes that aren't enforced by our linter
+
+## Dev setup
+
+```bash
+git clone https://github.com/qafka-ai/react-native-qafka.git
+cd react-native-qafka
+pnpm install
+pnpm build
+pnpm test
+```
+
+To test changes locally in another app, we use [yalc](https://github.com/wclr/yalc):
+
+```bash
+yalc publish --push --force --private
+# in the consuming app:
+yalc add @qafka/react-native
+```
+
+## Pull request checklist
+
+Before opening a PR:
+
+- [ ] Linked to a tracking issue
+- [ ] Branch is up to date with `main`
+- [ ] Tests added / updated for the change
+- [ ] `pnpm typecheck` passes
+- [ ] `pnpm test` passes
+- [ ] `CHANGELOG.md` updated under `## [Unreleased]`
+- [ ] Commits are signed off (DCO — see below)
+
+## Developer Certificate of Origin (DCO)
+
+We require commits to be signed off with the [Developer Certificate of Origin](https://developercertificate.org/). This is a lightweight assertion that you have the right to submit your contribution.
+
+Sign off by adding `-s` to your commit:
+
+```bash
+git commit -s -m "fix: handle empty tool result"
+```
+
+This appends a `Signed-off-by: Your Name <your.email@example.com>` line to your commit message.
+
+By signing off and contributing, you agree your contributions are licensed under the [MIT License](./LICENSE).
+
+## Code of Conduct
+
+Be respectful in issues, PRs, and discussions. We follow the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
+
+## Questions
+
+For product questions, billing, or sales: [qafka.com/contact](https://qafka.com).
+For SDK technical questions: open a [Discussion](https://github.com/qafka-ai/react-native-qafka/discussions) or Issue.

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2026 Qafka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,109 @@
+# @qafka/react-native
+
+[![npm](https://img.shields.io/npm/v/@qafka/react-native.svg)](https://www.npmjs.com/package/@qafka/react-native)
+[![downloads](https://img.shields.io/npm/dm/@qafka/react-native.svg)](https://www.npmjs.com/package/@qafka/react-native)
+[![types](https://img.shields.io/npm/types/@qafka/react-native.svg)](https://www.npmjs.com/package/@qafka/react-native)
+[![license](https://img.shields.io/npm/l/@qafka/react-native.svg)](./LICENSE)
+[![CI](https://github.com/qafka-ai/react-native-qafka/actions/workflows/ci.yml/badge.svg)](https://github.com/qafka-ai/react-native-qafka/actions/workflows/ci.yml)
+
+In-app AI assistant for React Native and Expo. Drop the `<Qafka />` component into your app and your users get a chat + voice interface that understands your screens, runs your tools, and guides them through flows you define in the [Qafka dashboard](https://app.qafka.com).
+
+## Quickstart (recommended)
+
+Install the CLI once, log in, then initialize Qafka in your app:
+
+```bash
+npm install -g qafka
+
+cd your-app
+qafka login
+qafka init
+```
+
+`qafka init` installs the SDK, registers the Expo config plugin (when applicable), pulls your API key from the dashboard, and scaffolds a chat screen wired to your project. Re-run it any time you add tools or screens in the dashboard — it's idempotent and safe.
+
+## Manual installation
+
+If you'd rather wire things up yourself:
+
+```bash
+npm install @qafka/react-native
+# or: pnpm add / yarn add
+```
+
+### Peer dependencies
+
+```bash
+npm install react-native react-native-safe-area-context
+```
+
+`@react-navigation/native` is optional — install it only if you want the SDK to navigate between screens for you.
+
+### Expo
+
+The package ships an Expo config plugin. Add it to your `app.json` / `app.config.js`:
+
+```json
+{
+  "expo": {
+    "plugins": ["@qafka/react-native"]
+  }
+}
+```
+
+Then run `npx expo prebuild` (or rebuild your dev client) so the native module is bundled.
+
+### Bare React Native
+
+```bash
+cd ios && pod install
+```
+
+Android autolinking handles the native module. If you plan to use **voice mode**, add the microphone permission to your app's `android/app/src/main/AndroidManifest.xml`:
+
+```xml
+<uses-permission android:name="android.permission.RECORD_AUDIO" />
+```
+
+Expo users get this automatically via the SDK's config plugin.
+
+## Usage
+
+When your project is initialized with the [Qafka CLI](https://github.com/qafka-ai/qafka-cli) (`qafka init`), the SDK picks up your development key from the CLI-generated runtime config — no extra props needed:
+
+```tsx
+import { Qafka } from '@qafka/react-native';
+
+export default function App() {
+  return <Qafka />;
+}
+```
+
+The component renders a floating button that opens the chat UI. Configure tools, screens, and behavior from the dashboard — most updates need no code changes.
+
+Pass `projectId` when your app has more than one registered project:
+
+```tsx
+<Qafka projectId="proj_abc123" />
+```
+
+## Documentation
+
+Full guides, API reference, theming, voice mode, tools, and advanced configuration:
+
+**→ [app.qafka.com/docs](https://app.qafka.com/docs)**
+
+## Requirements
+
+- React Native ≥ 0.72 (Expo SDK 49+ supported)
+- React ≥ 18
+- iOS 14+ / Android 6+ (API 23+)
+- Node ≥ 20 (for build tooling)
+
+## Contributing
+
+This SDK is the public source for a commercial product — see [CONTRIBUTING.md](./CONTRIBUTING.md) for what we accept and how to file issues. For vulnerabilities, see [SECURITY.md](./SECURITY.md).
+
+## License
+
+MIT © Qafka

package/SECURITY.md

@@ -0,0 +1,67 @@
+# Security Policy
+
+Qafka takes security seriously. This document describes how to report vulnerabilities in the **React Native SDK** (`@qafka/react-native`).
+
+## Supported versions
+
+Only the latest published minor version receives security updates. We recommend always running the latest version.
+
+## Reporting a vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, choose one of these private channels:
+
+1. **Email:** [security@qafka.com](mailto:security@qafka.com)
+2. **GitHub Security Advisories:** [Report a vulnerability privately](https://github.com/qafka-ai/react-native-qafka/security/advisories/new)
+
+Please include:
+
+- A clear description of the issue
+- Steps to reproduce (a minimal repo or code snippet helps)
+- Affected SDK version(s) and platforms (iOS / Android / Expo)
+- Potential impact you've identified
+- Any suggested fix, if you have one
+
+If you'd like to encrypt your report, request our PGP key by emailing [security@qafka.com](mailto:security@qafka.com).
+
+## What to expect
+
+- **Acknowledgement:** within 2 business days of your report
+- **Initial assessment:** within 5 business days
+- **Status updates:** at least every 7 days until the issue is resolved
+- **Coordinated disclosure:** we'll work with you on a public disclosure timeline once a fix is ready
+- **Credit:** with your permission, we'll credit you in the release notes and the GitHub Security Advisory
+
+## Scope
+
+### In scope
+
+This policy covers vulnerabilities in this SDK package that could affect customer applications:
+
+- API key, token, or credential handling within the SDK
+- Native module security (iOS Swift / Objective-C, Android Kotlin / Java)
+- Data leakage between sessions, projects, or users on the same device
+- Local storage / cache integrity
+- Bundle / dependency supply-chain issues specific to this package
+- Crash or denial-of-service triggerable from the SDK's public API
+
+### Out of scope
+
+- **Qafka backend (`api.qafka.com`)** — out of scope for this repository. If you find a backend issue, email [security@qafka.com](mailto:security@qafka.com) with `[backend]` in the subject.
+- **Third-party dependencies** — please report to the upstream maintainer. If the issue is exploitable through our usage specifically, we'll accept it here.
+- **Issues requiring a rooted / jailbroken device** or attacker-controlled physical access, unless the impact extends beyond the compromised device.
+- **Social engineering** of Qafka customers or staff.
+- **Outdated documentation** — please file a regular issue.
+
+## Safe harbor
+
+We will not pursue legal action against researchers who:
+
+- Make a good-faith effort to follow this policy
+- Avoid privacy violations, data destruction, and service disruption
+- Give us reasonable time to fix the issue before public disclosure
+
+## Questions
+
+For anything not covered here, email [security@qafka.com](mailto:security@qafka.com).

package/android/build.gradle

@@ -0,0 +1,35 @@
+apply plugin: 'com.android.library'
+apply plugin: 'kotlin-android'
+
+def safeExtGet(prop, fallback) {
+    rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
+}
+
+android {
+    namespace "com.qafka.attestation"
+    compileSdkVersion safeExtGet('compileSdkVersion', 34)
+
+    defaultConfig {
+        minSdkVersion safeExtGet('minSdkVersion', 24)
+        targetSdkVersion safeExtGet('targetSdkVersion', 34)
+    }
+
+    compileOptions {
+        sourceCompatibility JavaVersion.toVersion(safeExtGet('javaVersion', 17))
+        targetCompatibility JavaVersion.toVersion(safeExtGet('javaVersion', 17))
+    }
+
+    kotlinOptions {
+        jvmTarget = safeExtGet('javaVersion', 17).toString()
+    }
+}
+
+repositories {
+    google()
+    mavenCentral()
+}
+
+dependencies {
+    implementation 'com.facebook.react:react-android'
+    implementation 'androidx.security:security-crypto:1.1.0-alpha06'
+}

package/android/src/main/AndroidManifest.xml

@@ -0,0 +1,2 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+</manifest>

package/android/src/main/java/com/qafka/attestation/QafkaAttestationModule.kt

@@ -0,0 +1,92 @@
+package com.qafka.attestation
+
+import android.os.Build
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import com.facebook.react.bridge.*
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import java.security.cert.Certificate
+
+class QafkaAttestationModule(reactContext: ReactApplicationContext) :
+    ReactContextBaseJavaModule(reactContext) {
+
+    override fun getName(): String = "QafkaAttestation"
+
+    override fun getConstants(): MutableMap<String, Any> {
+        val context = reactApplicationContext
+        val bundleId = context.packageName ?: ""
+        val appVersion = try {
+            context.packageManager.getPackageInfo(context.packageName, 0).versionName ?: ""
+        } catch (e: Exception) {
+            ""
+        }
+        val deviceModel = "${Build.MANUFACTURER} ${Build.MODEL}".trim()
+        return mutableMapOf(
+            "bundleId" to bundleId,
+            "appVersion" to appVersion,
+            "deviceModel" to deviceModel,
+        )
+    }
+
+    @ReactMethod
+    fun isSupported(promise: Promise) {
+        // Key Attestation requires Android 8.0+ (API 26) for hardware-backed
+        promise.resolve(Build.VERSION.SDK_INT >= Build.VERSION_CODES.O)
+    }
+
+    @ReactMethod
+    fun generateKeyPair(alias: String, challengeBase64: String, promise: Promise) {
+        try {
+            val challenge = Base64.decode(challengeBase64, Base64.DEFAULT)
+
+            // Delete existing key if any
+            val keyStore = KeyStore.getInstance("AndroidKeyStore")
+            keyStore.load(null)
+            if (keyStore.containsAlias(alias)) {
+                keyStore.deleteEntry(alias)
+            }
+
+            val keyPairGenerator = KeyPairGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_EC,
+                "AndroidKeyStore"
+            )
+
+            val builder = KeyGenParameterSpec.Builder(alias,
+                KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
+            )
+                .setDigests(KeyProperties.DIGEST_SHA256)
+                .setAttestationChallenge(challenge)
+
+            keyPairGenerator.initialize(builder.build())
+            keyPairGenerator.generateKeyPair()
+
+            promise.resolve(null)
+        } catch (e: Exception) {
+            promise.reject("KEY_GEN_FAILED", e.message, e)
+        }
+    }
+
+    @ReactMethod
+    fun getAttestationCertChain(alias: String, promise: Promise) {
+        try {
+            val keyStore = KeyStore.getInstance("AndroidKeyStore")
+            keyStore.load(null)
+
+            val chain: Array<Certificate> = keyStore.getCertificateChain(alias)
+                ?: throw Exception("No certificate chain found for alias: $alias")
+
+            val result = Arguments.createArray()
+            for (cert in chain) {
+                val encoded = cert.encoded
+                val base64 = Base64.encodeToString(encoded, Base64.NO_WRAP)
+                result.pushString(base64)
+            }
+
+            promise.resolve(result)
+        } catch (e: Exception) {
+            promise.reject("CERT_CHAIN_FAILED", e.message, e)
+        }
+    }
+}

package/android/src/main/java/com/qafka/attestation/QafkaAttestationPackage.kt

@@ -0,0 +1,22 @@
+package com.qafka.attestation
+
+import com.facebook.react.ReactPackage
+import com.facebook.react.bridge.NativeModule
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.uimanager.ViewManager
+import com.qafka.audio.QafkaAudioModule
+import com.qafka.clipboard.QafkaClipboardModule
+import com.qafka.storage.QafkaStorageModule
+
+class QafkaAttestationPackage : ReactPackage {
+    override fun createNativeModules(reactContext: ReactApplicationContext): List<NativeModule> =
+        listOf(
+            QafkaAttestationModule(reactContext),
+            QafkaAudioModule(reactContext),
+            QafkaClipboardModule(reactContext),
+            QafkaStorageModule(reactContext),
+        )
+
+    override fun createViewManagers(reactContext: ReactApplicationContext): List<ViewManager<*, *>> =
+        emptyList()
+}