devendra-skill-package 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/skills/boiler-project-generator/SKILL.md +103 -0
- package/.github/skills/boiler-project-generator/assets/templates/android/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/angular/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/flutter/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/ios/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/api-setup.ts +76 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/component-primary-button.tsx +29 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/env-config.env +4 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-auth-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-dashboard-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-profile-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/hook-use-app-boot.ts +11 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/navigation-setup.tsx +25 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/project-structure.md +24 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-hooks.ts +5 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-session-slice.ts +29 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-store.ts +15 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/theme-index.ts +23 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/utils-helpers.ts +7 -0
- package/.github/skills/boiler-project-generator/metadata.yaml +29 -0
- package/.github/skills/boiler-project-generator/references/android.md +19 -0
- package/.github/skills/boiler-project-generator/references/angular.md +14 -0
- package/.github/skills/boiler-project-generator/references/flutter.md +17 -0
- package/.github/skills/boiler-project-generator/references/ios.md +17 -0
- package/.github/skills/boiler-project-generator/references/react-native.md +103 -0
- package/.github/skills/boiler-project-generator/references/react.md +17 -0
- package/.github/skills/boiler-project-generator/scripts/angular.js +43 -0
- package/.github/skills/boiler-project-generator/scripts/generate-project.mjs +107 -0
- package/.github/skills/boiler-project-generator/scripts/init.js +105 -0
- package/.github/skills/boiler-project-generator/scripts/react-native.js +1041 -0
- package/.github/skills/boiler-project-generator/scripts/react.js +32 -0
- package/.github/skills/clean-architecture-generator/SKILL.md +235 -0
- package/.github/skills/clean-architecture-generator/references/architecture-core.md +126 -0
- package/.github/skills/clean-architecture-generator/references/platform-angular.md +374 -0
- package/.github/skills/clean-architecture-generator/references/platform-flutter.md +366 -0
- package/.github/skills/clean-architecture-generator/references/platform-react-native.md +590 -0
- package/.github/skills/clean-architecture-generator/references/platform-react.md +261 -0
- package/.github/skills/code-test-coverage-analyzer/SKILL.md +1358 -0
- package/.github/skills/code-test-coverage-analyzer/assets/config-questionnaire.md +118 -0
- package/.github/skills/code-test-coverage-analyzer/assets/conflict-resolution-protocol.md +99 -0
- package/.github/skills/code-test-coverage-analyzer/assets/coverage-calculation-rules.md +294 -0
- package/.github/skills/code-test-coverage-analyzer/assets/multi-strategy-search.md +145 -0
- package/.github/skills/code-test-coverage-analyzer/assets/output-file-contracts.md +651 -0
- package/.github/skills/code-test-coverage-analyzer/assets/status-definitions.md +273 -0
- package/.github/skills/code-test-coverage-analyzer/examples/example-invocation.md +208 -0
- package/.github/skills/code-test-coverage-analyzer/references/android-patterns.md +229 -0
- package/.github/skills/code-test-coverage-analyzer/references/angular-patterns.md +177 -0
- package/.github/skills/code-test-coverage-analyzer/references/backend-patterns.md +383 -0
- package/.github/skills/code-test-coverage-analyzer/references/flutter-patterns.md +254 -0
- package/.github/skills/code-test-coverage-analyzer/references/ios-patterns.md +228 -0
- package/.github/skills/code-test-coverage-analyzer/references/react-native-patterns.md +431 -0
- package/.github/skills/code-test-coverage-analyzer/references/react-patterns.md +206 -0
- package/.github/skills/code-test-coverage-analyzer/scripts/detect-platform.ps1 +261 -0
- package/.github/skills/code-test-coverage-analyzer/scripts/scan-repository.ps1 +242 -0
- package/.github/skills/code-test-coverage-analyzer/templates/brd-compliance-row.md +107 -0
- package/.github/skills/code-test-coverage-analyzer/templates/test-case-row.md +130 -0
- package/.github/skills/code-test-coverage-analyzer/templates/user-story-compliance-row.md +170 -0
- package/.github/skills/custom-font-integrator/SKILL.md +373 -0
- package/.github/skills/custom-font-integrator/assets/FontTestScreen.js +150 -0
- package/.github/skills/custom-font-integrator/references/example-info-plist.xml +21 -0
- package/.github/skills/custom-font-integrator/scripts/setup-fonts.sh +99 -0
- package/.github/skills/encryption-decryption-utility/Instructions.md +282 -0
- package/.github/skills/encryption-decryption-utility/README.md +222 -0
- package/.github/skills/encryption-decryption-utility/SKILL.md +645 -0
- package/.github/skills/encryption-decryption-utility/assets/encryption-config-template.json +13 -0
- package/.github/skills/encryption-decryption-utility/assets/platform-matrix.json +180 -0
- package/.github/skills/encryption-decryption-utility/metadata.yaml +51 -0
- package/.github/skills/encryption-decryption-utility/references/android-crypto.md +157 -0
- package/.github/skills/encryption-decryption-utility/references/angular-crypto.md +130 -0
- package/.github/skills/encryption-decryption-utility/references/approach-1-webcrypto.md +95 -0
- package/.github/skills/encryption-decryption-utility/references/approach-2-rsa-aes-cbc.md +111 -0
- package/.github/skills/encryption-decryption-utility/references/approach-3-aes-sharedkey.md +114 -0
- package/.github/skills/encryption-decryption-utility/references/architecture.md +233 -0
- package/.github/skills/encryption-decryption-utility/references/backend-alignment.md +506 -0
- package/.github/skills/encryption-decryption-utility/references/dependency-guidance.md +234 -0
- package/.github/skills/encryption-decryption-utility/references/ec-implementation.md +832 -0
- package/.github/skills/encryption-decryption-utility/references/error-handling-playbook.md +234 -0
- package/.github/skills/encryption-decryption-utility/references/flutter-crypto.md +105 -0
- package/.github/skills/encryption-decryption-utility/references/ios-crypto.md +338 -0
- package/.github/skills/encryption-decryption-utility/references/native-rsa-implementation.md +373 -0
- package/.github/skills/encryption-decryption-utility/references/node-crypto.md +86 -0
- package/.github/skills/encryption-decryption-utility/references/react-crypto.md +105 -0
- package/.github/skills/encryption-decryption-utility/references/react-native-crypto.md +1001 -0
- package/.github/skills/encryption-decryption-utility/references/react-web-crypto.md +668 -0
- package/.github/skills/encryption-decryption-utility/references/security-checklist.md +176 -0
- package/.github/skills/encryption-decryption-utility/references/web-crypto.md +74 -0
- package/.github/skills/encryption-decryption-utility/scripts/detect.js +128 -0
- package/.github/skills/encryption-decryption-utility/scripts/install.js +1713 -0
- package/.github/skills/encryption-decryption-utility/scripts/setup.js +800 -0
- package/.github/skills/encryption-decryption-utility/template.md +241 -0
- package/.github/skills/encryption-decryption-utility/templates/config-questionnaire.md +467 -0
- package/.github/skills/encryption-decryption-utility/templates/delivery-checklist.md +206 -0
- package/.github/skills/encryption-decryption-utility/templates/implementation-plan.md +304 -0
- package/.github/skills/feature-generator/SKILL.MD +2741 -0
- package/.github/skills/feature-generator/assets/fingerprint-schema.json +385 -0
- package/.github/skills/feature-generator/assets/spec-template.md +172 -0
- package/.github/skills/feature-generator/assets/transform-rules.json +82 -0
- package/.github/skills/feature-generator/references/api-envelope-patterns.md +327 -0
- package/.github/skills/feature-generator/references/screen-logic-patterns.md +399 -0
- package/.github/skills/feature-generator/references/state-library-patterns.md +464 -0
- package/.github/skills/figma-ui-mapper/README.md +34 -0
- package/.github/skills/figma-ui-mapper/SKILL.md +101 -0
- package/.github/skills/figma-ui-mapper/assets/templates/component-map-template.md +30 -0
- package/.github/skills/figma-ui-mapper/assets/templates/generation-report-template.md +49 -0
- package/.github/skills/figma-ui-mapper/metadata.yaml +22 -0
- package/.github/skills/figma-ui-mapper/references/android.md +11 -0
- package/.github/skills/figma-ui-mapper/references/angular.md +18 -0
- package/.github/skills/figma-ui-mapper/references/capacitor.md +18 -0
- package/.github/skills/figma-ui-mapper/references/common.md +23 -0
- package/.github/skills/figma-ui-mapper/references/expo.md +18 -0
- package/.github/skills/figma-ui-mapper/references/flutter.md +18 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/angular/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/capacitor/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/expo/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/flutter/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/ionic/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/kotlin-multiplatform/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/native-android/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/native-ios/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/next/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/nuxt/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/react/rules.md +19 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/react-native/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/svelte/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/vue/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/ionic.md +18 -0
- package/.github/skills/figma-ui-mapper/references/ios.md +11 -0
- package/.github/skills/figma-ui-mapper/references/kotlin-multiplatform.md +18 -0
- package/.github/skills/figma-ui-mapper/references/native-android.md +18 -0
- package/.github/skills/figma-ui-mapper/references/native-ios.md +18 -0
- package/.github/skills/figma-ui-mapper/references/next.md +18 -0
- package/.github/skills/figma-ui-mapper/references/nuxt.md +18 -0
- package/.github/skills/figma-ui-mapper/references/react-figma-guideline.md +21 -0
- package/.github/skills/figma-ui-mapper/references/react-native.md +18 -0
- package/.github/skills/figma-ui-mapper/references/react.md +18 -0
- package/.github/skills/figma-ui-mapper/references/script-usage.md +46 -0
- package/.github/skills/figma-ui-mapper/references/svelte.md +18 -0
- package/.github/skills/figma-ui-mapper/references/vue.md +18 -0
- package/.github/skills/figma-ui-mapper/references/workflow.md +74 -0
- package/.github/skills/figma-ui-mapper/scripts/generate-page-through-figma.js +635 -0
- package/.github/skills/figma-ui-mapper/scripts/generate-react-page-through-figma.js +4 -0
- package/.github/skills/frontend-task-breakdown/SKILL.md +734 -0
- package/.github/skills/md-file-converter/SKILL.md +291 -0
- package/.github/skills/md-file-converter/config/formats.json +114 -0
- package/.github/skills/md-file-converter/extractors/extract-docx.sh +120 -0
- package/.github/skills/md-file-converter/extractors/extract-eml.py +108 -0
- package/.github/skills/md-file-converter/extractors/extract-pdf.sh +97 -0
- package/.github/skills/md-file-converter/extractors/extract-pptx.py +143 -0
- package/.github/skills/md-file-converter/extractors/extract-xlsx.py +175 -0
- package/.github/skills/md-file-converter/scripts/check-tools.sh +47 -0
- package/.github/skills/md-file-converter/scripts/extract-archive.sh +83 -0
- package/.github/skills/md-file-converter/scripts/extract-ocr.sh +77 -0
- package/.github/skills/md-file-converter/scripts/get-metadata.sh +57 -0
- package/.github/skills/md-file-converter/templates/output.md +73 -0
- package/.github/skills/md-file-converter/templates/unsupported-object.md +6 -0
- package/.github/skills/mockAPI-contract-generator/SKILL.md +607 -0
- package/.github/skills/test-case-validator/CHANGELOG.md +155 -0
- package/.github/skills/test-case-validator/CONFIGURATION.md +130 -0
- package/.github/skills/test-case-validator/EXAMPLES.md +50 -0
- package/.github/skills/test-case-validator/QUALITY_SCORING.md +98 -0
- package/.github/skills/test-case-validator/README.md +111 -0
- package/.github/skills/test-case-validator/REPORT_TEMPLATE.md +116 -0
- package/.github/skills/test-case-validator/SKILL.md +209 -0
- package/.github/skills/test-case-validator/SYSTEM_PROMPT.md +127 -0
- package/.github/skills/test-case-validator/TRACEABILITY_ENGINE.md +152 -0
- package/.github/skills/test-case-validator/VALIDATION_RULES.md +411 -0
- package/.github/skills/test-case-validator/config/default.config.yaml +62 -0
- package/.github/skills/test-case-validator/docs/ARCHITECTURE.md +66 -0
- package/.github/skills/test-case-validator/docs/EXTENDING.md +85 -0
- package/.github/skills/test-case-validator/docs/FAQ.md +88 -0
- package/.github/skills/test-case-validator/docs/VERSIONING.md +55 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-brd.md +43 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-test-cases.csv +9 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-user-story.md +29 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/output-report.md +303 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-spec.md +43 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-test-files-index.md +56 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/output-report.md +274 -0
- package/.github/skills/test-case-validator/prompts/00-applicability-resolution.md +61 -0
- package/.github/skills/test-case-validator/prompts/01-extraction-user-story.md +58 -0
- package/.github/skills/test-case-validator/prompts/02-extraction-brd.md +64 -0
- package/.github/skills/test-case-validator/prompts/03-extraction-test-cases.md +92 -0
- package/.github/skills/test-case-validator/prompts/04-traceability-matrix.md +41 -0
- package/.github/skills/test-case-validator/prompts/05-coverage-analysis.md +46 -0
- package/.github/skills/test-case-validator/prompts/06-missing-scenario-detection.md +32 -0
- package/.github/skills/test-case-validator/prompts/07-duplicate-detection.md +36 -0
- package/.github/skills/test-case-validator/prompts/08-risk-analysis.md +39 -0
- package/.github/skills/test-case-validator/prompts/09-gated-wiring-validation.md +53 -0
- package/.github/skills/test-case-validator/prompts/10-observation-report.md +56 -0
- package/.github/skills/test-case-validator/prompts/11-final-report-assembly.md +57 -0
- package/.github/skills/test-case-validator/templates/coverage-table.md +25 -0
- package/.github/skills/test-case-validator/templates/executive-summary.md +38 -0
- package/.github/skills/test-case-validator/templates/final-summary-block.md +87 -0
- package/.github/skills/test-case-validator/templates/observation-entry.md +41 -0
- package/.github/skills/test-case-validator/templates/rtm-row.md +25 -0
- package/.github/skills/validation-engine-builder/README.md +50 -0
- package/.github/skills/validation-engine-builder/SKILL.md +241 -0
- package/.github/skills/validation-engine-builder/references/core.md +158 -0
- package/.github/skills/validation-engine-builder/references/platform-angular.md +166 -0
- package/.github/skills/validation-engine-builder/references/platform-flutter.md +118 -0
- package/.github/skills/validation-engine-builder/references/platform-react-native.md +170 -0
- package/.github/skills/validation-engine-builder/references/platform-react.md +94 -0
- package/.github/skills/validation-engine-builder/scripts/apply-to-project.js +80 -0
- package/.github/skills/validation-engine-builder/scripts/generate-angular.js +271 -0
- package/.github/skills/validation-engine-builder/scripts/generate-flutter.js +298 -0
- package/.github/skills/validation-engine-builder/scripts/generate-react-native.js +217 -0
- package/.github/skills/validation-engine-builder/scripts/generate-react.js +163 -0
- package/.github/skills/validation-engine-builder/scripts/install-deps.js +53 -0
- package/.github/skills/validation-engine-builder/scripts/shared/detect-platform.js +68 -0
- package/.github/skills/validation-engine-builder/scripts/shared/npm-deps.js +103 -0
- package/.github/skills/validation-engine-builder/scripts/shared/rhf-hook.js +43 -0
- package/.github/skills/validation-engine-builder/scripts/shared/ts-messages-regex.js +62 -0
- package/.github/skills/validation-engine-builder/scripts/shared/util.js +44 -0
- package/.github/skills/validation-engine-builder/scripts/shared/yup-schemas.js +80 -0
- package/.github/skills/validation-engine-builder/template.md +73 -0
- package/.github/skills/validation-engine-builder/templates/messages.json +22 -0
- package/.github/skills/validation-engine-builder/templates/regex.json +16 -0
- package/.github/skills/validation-engine-builder/templates/schemas.json +48 -0
- package/bin/index.js +145 -0
- package/package.json +22 -0
- package/readme.md +0 -0
|
@@ -0,0 +1,645 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: encryption-decryption-utility
|
|
3
|
+
description: Generate and install transparent encryption/decryption scaffolding for any supported platform (Angular, Web, Node.js, Android, iOS, Flutter, React, React Native). Produces a platform-appropriate config file, service, interceptor/middleware, and module wiring patch. Supports seven cryptographic approaches: RSA-OAEP+AES-256-GCM (Web Crypto), RSA+AES-256-CBC (jsencrypt/crypto-js), AES-256-CBC shared key (crypto-js), React Native JS production mode (AES-256-GCM + RSA-OAEP via react-native-quick-crypto with per-request ephemeral keys, response decryption, keychain storage), React Native Native mode (OS-level crypto via javax.crypto.Cipher on Android + CryptoKit on iOS), EC (ECDH+AES-256-GCM) mode for React Native (both JS and Native layers, per-request and session-init variants), and React JS web production mode (AES-256-GCM + RSA-OAEP or ECDH-Session via built-in Web Crypto API, per-request ephemeral keys, response decryption, browser-safe storage — no extra crypto packages). Includes HMAC signing support and per-URL exclusion lists. All scripts are zero-dependency Node.js (built-ins only).
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Purpose
|
|
7
|
+
|
|
8
|
+
Generate a complete, platform-appropriate encryption/decryption scaffold for a target project.
|
|
9
|
+
The skill detects existing encryption code, prompts for configuration, writes all required files,
|
|
10
|
+
patches module wiring, and validates via a build run.
|
|
11
|
+
The generated code is deterministic: the same config always produces the same files.
|
|
12
|
+
|
|
13
|
+
> **CRITICAL — Common Misinterpretation to Avoid**
|
|
14
|
+
>
|
|
15
|
+
> The scan detection step (Step 2) is a **shell-script gate**, not a feature to implement.
|
|
16
|
+
> Do NOT create source files, types, protocols, use cases, or architecture layers for scanning or conflict resolution.
|
|
17
|
+
> Do NOT produce `ScanEncryptionUseCase`, `EncryptionLocation`, `ConflictResolutionChoice`, or any equivalent.
|
|
18
|
+
> Those are implementation details of the install script, not app code.
|
|
19
|
+
> The only source files this skill writes are: the config, the shared service, and the interceptor/middleware.
|
|
20
|
+
|
|
21
|
+
## Skill Assets
|
|
22
|
+
|
|
23
|
+
Use these bundled files during execution:
|
|
24
|
+
|
|
25
|
+
- `template.md` — execution template (layer selection gate, config snapshot, project analysis)
|
|
26
|
+
- `references/architecture.md` — Mode A/B architecture, request contract, security constraints
|
|
27
|
+
- `references/backend-alignment.md` — backend contract spec (approaches 4 and 5)
|
|
28
|
+
- `references/dependency-guidance.md` — library selection, version compatibility, install rules
|
|
29
|
+
- `references/security-checklist.md` — security gates to verify before delivery
|
|
30
|
+
- `references/error-handling-playbook.md` — failure paths for all platforms
|
|
31
|
+
- `references/ec-implementation.md` — ECDH+AES-256-GCM implementation reference: per-request and session-init EC, Hermes Buffer compatibility helpers, HKDF-SHA256, EC key service, EC wiring into api.ts
|
|
32
|
+
- `references/native-rsa-implementation.md` — RSA + Native layer reference: full Kotlin/Swift NativeCryptoModule with detailed inline comments, registration steps, JS bridge
|
|
33
|
+
- `Instructions.md` — how to copy and run this skill in a new project; execution breakdown, dependency install order, TypeScript verification, backend alignment
|
|
34
|
+
- `templates/config-questionnaire.md` — full numbered questionnaire with defaults
|
|
35
|
+
- `templates/implementation-plan.md` — fill out before writing any files
|
|
36
|
+
- `templates/delivery-checklist.md` — confirm all items before final delivery
|
|
37
|
+
|
|
38
|
+
Recommended order:
|
|
39
|
+
1. Use `templates/config-questionnaire.md` to collect and validate all inputs.
|
|
40
|
+
2. Use `templates/implementation-plan.md` to map implementation to existing project structure.
|
|
41
|
+
3. Use `references/dependency-guidance.md` before any package install.
|
|
42
|
+
4. Use `references/architecture.md` during module and interceptor integration.
|
|
43
|
+
5. Use `references/backend-alignment.md` to share the backend contract with the server team.
|
|
44
|
+
6. Use `references/error-handling-playbook.md` for secure failure paths.
|
|
45
|
+
7. Use `references/security-checklist.md` and `templates/delivery-checklist.md` before finalizing.
|
|
46
|
+
|
|
47
|
+
## Scope
|
|
48
|
+
|
|
49
|
+
- Analyze existing project structure first and follow established conventions.
|
|
50
|
+
- Integrate encryption/decryption into the existing API layer with minimal disruption.
|
|
51
|
+
- Use secure storage for tokens and sensitive user data.
|
|
52
|
+
- Keep ephemeral cryptographic material in memory only.
|
|
53
|
+
- Do not create unnecessary folders or duplicate existing modules.
|
|
54
|
+
|
|
55
|
+
## Mandatory Rule: Ask Questions First
|
|
56
|
+
|
|
57
|
+
Before writing any code or files, collect all required configuration answers using `templates/config-questionnaire.md` and wait for responses.
|
|
58
|
+
Do not generate files until every required answer is received and validated.
|
|
59
|
+
Apply documented defaults automatically for unanswered non-critical fields.
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
# One-Run Execution Contract
|
|
64
|
+
|
|
65
|
+
This skill must complete in a single end-to-end run whenever the required inputs are provided.
|
|
66
|
+
|
|
67
|
+
- Ask questions **one at a time** — each question is a single prompt; wait for the answer before asking the next.
|
|
68
|
+
- Do not bundle multiple questions into a single prompt.
|
|
69
|
+
- Do not split implementation into staged "continue" steps.
|
|
70
|
+
- If a field has a documented default, apply the default and continue without asking.
|
|
71
|
+
- Ask follow-up questions only when a security-critical value is missing and has no safe default.
|
|
72
|
+
- After all answers are available, complete all implementation, integration wiring, env updates, and validation in the same run.
|
|
73
|
+
- Return one consolidated setup report at the end.
|
|
74
|
+
|
|
75
|
+
**Minimum completion scope (React Native JS mode — approach 4):**
|
|
76
|
+
1. Crypto modules (encrypt/decrypt via react-native-quick-crypto)
|
|
77
|
+
2. RSA key retrieval/cache/retry
|
|
78
|
+
3. API interceptor integration (request + response)
|
|
79
|
+
4. In-memory request key mapping + guaranteed cleanup
|
|
80
|
+
5. Secure token/data storage via keychain
|
|
81
|
+
6. Runtime boot wiring so token state and encryption flags are initialized before first API call
|
|
82
|
+
7. Feature flags and env values
|
|
83
|
+
8. HMAC signing when enabled
|
|
84
|
+
9. Compile/lint validation relevant to changed files
|
|
85
|
+
|
|
86
|
+
**Minimum completion scope (Native mode — approach 5, all of above plus):**
|
|
87
|
+
1. Native crypto bridge (NativeCryptoModule.kt + NativeCryptoPackage.kt, NativeCryptoModule.swift + .m bridge)
|
|
88
|
+
2. JS bridge interface (native-crypto.module.ts)
|
|
89
|
+
3. Interceptors updated to use native bridge calls
|
|
90
|
+
4. ENCRYPTION_LAYER env flag wired
|
|
91
|
+
5. NativeModules.NativeCryptoModule availability validated at JS startup
|
|
92
|
+
6. Compile/lint validation relevant to changed files
|
|
93
|
+
|
|
94
|
+
**Minimum completion scope (EC mode — approach 6):**
|
|
95
|
+
1. EC types added to `types.ts` (EcPublicKeyResponse, EcEncryptedEnvelope, RequestCryptoMaterial)
|
|
96
|
+
2. `ec-key.service.ts` — EC public key fetch/validate (65-byte, first byte 0x04)/cache/retry
|
|
97
|
+
3. `ec-crypto.util.ts` — Hermes-safe helpers (toBase64, byteCopy, QCBuffer), HKDF-SHA256, ecEncryptPayload + ecDeriveKey (per-request) OR deriveSessionKey + sessionEncrypt + sessionDecrypt (session-init)
|
|
98
|
+
4. `encryption-config.ts` — ENCRYPTION_MODEL=ec, EC_PUBLIC_KEY_ENDPOINT, EC_KEY_RETRY
|
|
99
|
+
5. `api.ts` patched with ENCRYPTION_MODEL routing (EC branch + RSA branch)
|
|
100
|
+
6. Per-request AES keys derived via HKDF and stored in in-memory request map; deleted after response
|
|
101
|
+
7. `keychain.service.ts` for token storage
|
|
102
|
+
8. `index.js` polyfill prepended
|
|
103
|
+
9. Feature flags and env values
|
|
104
|
+
10. Compile/lint validation relevant to changed files
|
|
105
|
+
|
|
106
|
+
**Minimum completion scope (React JS web production mode — approach 7):**
|
|
107
|
+
1. `crypto-utils.ts` — Base64 utilities, nonce generator (no Buffer dependency, pure browser APIs)
|
|
108
|
+
2. `aes.service.ts` — AES-256-GCM key generation, encrypt, decrypt via `crypto.subtle`
|
|
109
|
+
3. `rsa.service.ts` — RSA public key import (`importKey('spki')`) + RSA-OAEP encrypt via `crypto.subtle`
|
|
110
|
+
4. `rsa-key.service.ts` — RSA key fetch/cache/retry service (or ECDH session service for ECDH-Session mode)
|
|
111
|
+
5. `encryption.interceptor.ts` — Axios request + response interceptors with in-memory request key map
|
|
112
|
+
6. `storage.service.ts` — `sessionStorage` wrapper or HTTP-only cookie guidance
|
|
113
|
+
7. `encryption-config.ts` — feature flags + env values with correct framework prefix
|
|
114
|
+
8. `types.ts` — `EncryptedEnvelope`, `EncryptedResponse` TypeScript types
|
|
115
|
+
9. `axiosInstance.ts` wired with `applyProductionEncryptionInterceptor` + bootstrap call
|
|
116
|
+
10. Feature flags and `.env.*` files with correct prefix (VITE_ / REACT_APP_ / NEXT_PUBLIC_)
|
|
117
|
+
11. TypeScript/lint validation relevant to changed files
|
|
118
|
+
12. (ECDH-Session sub-mode only) `base64url.ts`, `aad.ts`, `ecdhSession.ts`, `aesGcm.ts`, `ecdhSessionService.ts`
|
|
119
|
+
|
|
120
|
+
---
|
|
121
|
+
|
|
122
|
+
# When to Trigger This Skill
|
|
123
|
+
|
|
124
|
+
- User wants to add end-to-end request encryption to a project
|
|
125
|
+
- User wants to migrate a project to a stronger cryptographic approach
|
|
126
|
+
- User asks to generate or scaffold `EncryptionService`, `EncryptionInterceptor`, or `EncryptionConfig`
|
|
127
|
+
- User asks to enable HMAC signing on API requests
|
|
128
|
+
- User asks to exclude specific URLs from encryption
|
|
129
|
+
|
|
130
|
+
---
|
|
131
|
+
|
|
132
|
+
# When NOT to Use
|
|
133
|
+
|
|
134
|
+
- When only decryption on the backend is needed (backend-only work — no frontend scaffolding required)
|
|
135
|
+
- When the project already has a complete, tested encryption layer (run detect.js first to confirm)
|
|
136
|
+
- When a platform not listed in `assets/platform-matrix.json` is requested
|
|
137
|
+
|
|
138
|
+
> **What this skill does NOT produce:**
|
|
139
|
+
> Scan-related domain types, use cases, conflict-resolution enums, reporter classes, or any other non-encryption-service source files.
|
|
140
|
+
> The end state is always: one config, one service, one interceptor/middleware — wired and building.
|
|
141
|
+
|
|
142
|
+
---
|
|
143
|
+
|
|
144
|
+
# Inputs
|
|
145
|
+
|
|
146
|
+
| Input | Source | Required | Notes |
|
|
147
|
+
|--------------------|---------------------------|----------|--------------------------------------------------------------------------------|
|
|
148
|
+
| `projectPath` | `--project-path` CLI arg | Yes | Absolute path to the target project root |
|
|
149
|
+
| `platform` | Interactive prompt | Yes | One of: angular, web, node, android, ios, flutter, react, react-native |
|
|
150
|
+
| `approach` | Interactive prompt | Yes | 1–6 or 7; valid range depends on platform (see platform-matrix.json) |
|
|
151
|
+
| `publicKeyPem` | Interactive prompt | Cond. | Required for approaches 1, 2, 4, 5 |
|
|
152
|
+
| `privateKeyPem` | Interactive prompt | No | Only if response bodies are also encrypted (approaches 1/2 non-RN only) |
|
|
153
|
+
| `sharedKey` | Interactive prompt | Cond. | Required for approach 3 |
|
|
154
|
+
| `rsaKeyEndpoint` | Interactive prompt | Cond. | Approach 4/5: URL of RSA public key endpoint; default `<API_BASE_URL>/api/security/public-key` |
|
|
155
|
+
| `rsaKeySource` | Interactive prompt | Cond. | Approach 4/5: `api` (default) or `env` |
|
|
156
|
+
| `rsaResponseFormat` | Interactive prompt | Cond. | Approach 4/5 api mode: expected shape of RSA key endpoint response; default `{ public_key: string, key_id: string, expires_at?: string }` |
|
|
157
|
+
| `rsaKeyCachePolicy` | Interactive prompt | Cond. | Approach 4/5: key caching policy; default `in-memory only` (never persist RSA key to disk or storage) |
|
|
158
|
+
| `encryptionLayer` | Interactive prompt | Cond. | React Native only: `rn` (default, approach 4) or `native` (approach 5) |
|
|
159
|
+
| `encryptionModel` | Interactive prompt | Cond. | React Native only: `rsa` (default) or `ec` (ECDH+AES-256-GCM, approach 6) |
|
|
160
|
+
| `ecKeyEndpoint` | Interactive prompt | Cond. | Approach 6: URL of EC public key endpoint; default `<API_BASE_URL>/api/security/ec-public-key` |
|
|
161
|
+
| `ecContractType` | Interactive prompt | Cond. | Approach 6: `per-request` (default) or `session-init` |
|
|
162
|
+
| `ecCreateSessionEndpoint` | Interactive prompt | Cond. | Approach 6 session-init: token/session endpoint URL after init; no default — must be confirmed |
|
|
163
|
+
| `ecDeviceIdSource` | Interactive prompt | Cond. | Approach 6 session-init: how the stable `device_id` is generated/retrieved; no default |
|
|
164
|
+
| `ecResponseEncoding` | Interactive prompt | Cond. | Approach 6 session-init: response encoding (`standard-base64` or `base64url`); no default |
|
|
165
|
+
| `ecEncryptedAesKeyHandling` | Interactive prompt | Cond. | Approach 6 session-init: whether `encrypted_shared_aes_key` from backend is `used` or `ignored`|
|
|
166
|
+
| `minIosVersion` | Interactive prompt | Cond. | Native mode only: minimum iOS version; default 13 (CryptoKit); < 13 → CommonCrypto fallback |
|
|
167
|
+
| `apiClientType` | Interactive prompt | Cond. | Approach 4/5: `axios` (default), `fetch`, or `custom` |
|
|
168
|
+
| `encryptionToggle` | Interactive prompt | Cond. | Approach 4/5: `env-flag` (default) or `always-on` |
|
|
169
|
+
| `hmac` | Interactive prompt | No | Enable HMAC signing; secret set as `ENCRYPTION_HMAC_SECRET` env var |
|
|
170
|
+
| `excludeUrls` | Interactive prompt | No | Comma-separated URL prefixes to skip |
|
|
171
|
+
| `webEncryptionMode` | Interactive prompt | Cond. | Approach 7: `rsa-oaep` (default) or `ecdh-session` |
|
|
172
|
+
| `framework` | Interactive prompt | Cond. | Approach 7: `vite`, `cra`, or `nextjs` — determines env variable prefix |
|
|
173
|
+
| `tokenStorage` | Interactive prompt | Cond. | Approach 7: `session-storage` (default) or `http-only-cookie` |
|
|
174
|
+
| `ecdhSessionInitUrl` | Interactive prompt | Cond. | Approach 7 ECDH-Session: session init endpoint URL; no default — must be confirmed |
|
|
175
|
+
| `ecdhHkdfInfo` | Interactive prompt | Cond. | Approach 7 ECDH-Session: HKDF `info` string (backend-specific); no default |
|
|
176
|
+
| `ecdhAadShape` | Interactive prompt | Cond. | Approach 7 ECDH-Session: canonical AAD JSON shape (alphabetically sorted keys); no default if AAD required |
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
# Outputs
|
|
181
|
+
|
|
182
|
+
| Output | Description |
|
|
183
|
+
|-----------------------------|------------------------------------------------------------------------------------|
|
|
184
|
+
| Config file | Platform-specific encryption settings file |
|
|
185
|
+
| Service file | `EncryptionService` with encrypt/decrypt methods |
|
|
186
|
+
| Interceptor/middleware file | HTTP layer integration (interceptor or middleware) |
|
|
187
|
+
| Module wiring patch | Patched registration in AppModule/NetworkModule/axiosInstance |
|
|
188
|
+
| RSA key service | (Approach 4/5 only) Fetch, cache, retry RSA public key from API or env |
|
|
189
|
+
| Response decryption | (Approach 4/5 only) Response interceptor with request-scoped AES key map |
|
|
190
|
+
| Keychain storage module | (Approach 4/5 only) Secure token/data storage via react-native-keychain |
|
|
191
|
+
| Native crypto bridge | (Approach 5 only) NativeCryptoModule.kt, NativeCryptoPackage.kt, NativeCryptoModule.swift, NativeCryptoModule.m |
|
|
192
|
+
| Envelope type definitions | (Approach 4/5 only) `EncryptedEnvelope` and `EncryptedResponse` TypeScript types |
|
|
193
|
+
| EC type definitions | (Approach 6 only) `EcPublicKeyResponse`, `EcEncryptedEnvelope`, `RequestCryptoMaterial` TypeScript types |
|
|
194
|
+
| EC key service | (Approach 6 only) Fetch, validate (65-byte P-256), cache, retry EC public key |
|
|
195
|
+
| EC crypto utility | (Approach 6 only) `ecEncryptPayload`/`ecDeriveKey` (per-request) or `deriveSessionKey`/`sessionEncrypt`/`sessionDecrypt` (session-init), Hermes-safe helpers |
|
|
196
|
+
| Web crypto utilities | (Approach 7 only) `crypto-utils.ts`, `aes.service.ts`, `rsa.service.ts`, `rsa-key.service.ts` — zero npm packages, pure Web Crypto API |
|
|
197
|
+
| Browser storage module | (Approach 7 only) `storage.service.ts` — `sessionStorage` wrapper or HTTP-only cookie guidance |
|
|
198
|
+
| Web encryption interceptor | (Approach 7 only) Axios request + response interceptors with in-memory request key map and guaranteed cleanup |
|
|
199
|
+
| ECDH-Session modules | (Approach 7 ECDH-Session sub-mode only) `base64url.ts`, `aad.ts`, `ecdhSession.ts`, `aesGcm.ts`, `ecdhSessionService.ts` |
|
|
200
|
+
| Backend alignment spec | (Approach 4/5 only) Specification document for the backend team; Part B for approach 6 (EC) |
|
|
201
|
+
| Setup report | 6-field deterministic summary printed to stdout |
|
|
202
|
+
|
|
203
|
+
---
|
|
204
|
+
|
|
205
|
+
# Dependencies
|
|
206
|
+
|
|
207
|
+
| Dependency | Purpose |
|
|
208
|
+
|------------------------------------------|--------------------------------------------------------------------------------------|
|
|
209
|
+
| `assets/platform-matrix.json` | Platform compatibility and file paths |
|
|
210
|
+
| `assets/encryption-config-template.json` | Default config values |
|
|
211
|
+
| `scripts/detect.js` | Scan project for existing encryption code |
|
|
212
|
+
| `scripts/install.js` | Write generated files to the target project |
|
|
213
|
+
| `scripts/setup.js` | Interactive wizard and orchestrator |
|
|
214
|
+
| `references/approach-1-webcrypto.md` | Web Crypto API flow, payload shape, iOS mapping |
|
|
215
|
+
| `references/approach-2-rsa-aes-cbc.md` | jsencrypt+crypto-js flow, Java backend example |
|
|
216
|
+
| `references/approach-3-aes-sharedkey.md`| AES-CBC shared key flow, key generation |
|
|
217
|
+
| `references/angular-crypto.md` | Angular interceptor wiring and file paths |
|
|
218
|
+
| `references/web-crypto.md` | Web fetch wrapper wiring and file paths |
|
|
219
|
+
| `references/node-crypto.md` | Node.js middleware wiring and file paths |
|
|
220
|
+
| `references/android-crypto.md` | Android OkHttp interceptor wiring and file paths |
|
|
221
|
+
| `references/ios-crypto.md` | iOS URLRequest mutator wiring and file paths |
|
|
222
|
+
| `references/flutter-crypto.md` | Flutter Dio interceptor wiring and file paths |
|
|
223
|
+
| `references/react-crypto.md` | React Axios interceptor wiring and file paths (approaches 1–3) |
|
|
224
|
+
| `references/react-web-crypto.md` | React JS web production mode: approach 7 implementation reference (RSA-OAEP and ECDH-Session via built-in Web Crypto API, browser-safe storage, no Buffer) |
|
|
225
|
+
| `references/architecture.md` | Mode A (JS) and Mode B (Native) architecture: component breakdown, data flow, request/response contract, security constraints |
|
|
226
|
+
| `references/react-native-crypto.md` | React Native production-grade crypto: AES-256-GCM, per-request keys, RSA key service, response decryption, keychain storage, native bridge (approaches 4 & 5) |
|
|
227
|
+
| `references/backend-alignment.md` | Backend contract spec for approaches 4 & 5: envelope format, decryption steps, nonce validation, key rotation, error codes, integration test scenarios |
|
|
228
|
+
| `references/dependency-guidance.md` | Library selection for all platforms, RN version compatibility table, install rules, conflict handling, post-install verification |
|
|
229
|
+
| `references/security-checklist.md` | Security checklist covering all platforms and approaches — run before marking implementation complete |
|
|
230
|
+
| `references/error-handling-playbook.md` | Error handling playbook for all platforms: key fetch failure, auth tag mismatch, missing request map, storage failure, native module failures (approach 5) |
|
|
231
|
+
| `references/ec-implementation.md` | EC (ECDH+AES-256-GCM) full implementation: per-request and session-init variants, Hermes Buffer compatibility helpers (`toBase64`, `byteCopy`, `QCBuffer`), HKDF-SHA256, EC key service with 65-byte point validation, EC wiring in api.ts, environment variables, deliverables table |
|
|
232
|
+
| `references/native-rsa-implementation.md`| RSA + Native layer reference with full Kotlin/Swift NativeCryptoModule code, registration in MainApplication, ObjC bridge, JS bridge interface — load when approach 5 is selected |
|
|
233
|
+
| `Instructions.md` | How to run this skill in a new project: prerequisites, execution breakdown, dependency install order, TypeScript verification steps, backend alignment, adapting to non-Axios clients |
|
|
234
|
+
| `template.md` | Execution template — layer selection gate, config snapshot, project analysis; fill out at the start of each run |
|
|
235
|
+
| `templates/config-questionnaire.md` | Full numbered questionnaire with documented defaults — use in Step 5 to collect and validate all inputs before writing any files |
|
|
236
|
+
| `templates/delivery-checklist.md` | Delivery checklist — all items that must be confirmed before final delivery |
|
|
237
|
+
| `templates/implementation-plan.md` | Implementation plan template — fill out before writing any files |
|
|
238
|
+
| Node.js >= 18, built-in modules only | `fs`, `path`, `readline`, `child_process` |
|
|
239
|
+
|
|
240
|
+
---
|
|
241
|
+
|
|
242
|
+
# Execution Steps
|
|
243
|
+
|
|
244
|
+
Follow these steps in order. Do not skip steps.
|
|
245
|
+
|
|
246
|
+
## Step 1 — Validate inputs
|
|
247
|
+
|
|
248
|
+
1. Read `assets/platform-matrix.json`. Confirm the file exists and is valid JSON.
|
|
249
|
+
2. Read `assets/encryption-config-template.json`. Confirm it is valid JSON.
|
|
250
|
+
3. Confirm `scripts/detect.js`, `scripts/install.js`, and `scripts/setup.js` exist and are executable.
|
|
251
|
+
|
|
252
|
+
## Step 2 — Detect existing encryption
|
|
253
|
+
|
|
254
|
+
1. Run: `node scripts/detect.js --project-path <projectPath>`
|
|
255
|
+
2. If exit code = 2 (error): Report the error and halt.
|
|
256
|
+
3. If exit code = 1 (FOUND): Print the matched files, then display the following prompt exactly and wait for user input. Do NOT continue until the user selects an option:
|
|
257
|
+
|
|
258
|
+
```
|
|
259
|
+
Existing encryption logic detected. Choose how to proceed:
|
|
260
|
+
1. Reuse existing logic (use existing service/interceptor, generate only missing parts)
|
|
261
|
+
2. Replace with new implementation
|
|
262
|
+
3. Refactor and centralize existing logic (scaffold common module, do not overwrite existing)
|
|
263
|
+
4. Cancel setup
|
|
264
|
+
```
|
|
265
|
+
|
|
266
|
+
- Option 1 (reuse): Pass `--detection-mode reuse` to `install.js`. Existing files are skipped; only missing files are generated. Wiring file is patched normally.
|
|
267
|
+
- Option 2 (replace): Pass `--detection-mode replace` to `install.js`. Existing behavior — all files are overwritten.
|
|
268
|
+
- Option 3 (refactor): Pass `--detection-mode refactor` to `install.js`. Scaffold files (`*.scaffold.*`) are written alongside existing files. No files are overwritten. Wiring file is NOT patched. Migration instructions are printed.
|
|
269
|
+
- Option 4 (cancel): Halt immediately. Exit code 2.
|
|
270
|
+
|
|
271
|
+
## Step 3 — Resolve platform and approach
|
|
272
|
+
|
|
273
|
+
1. Confirm `platform` is a key in `assets/platform-matrix.json`.
|
|
274
|
+
2. Confirm `approach` is listed in `platform.approaches[]` for the selected platform.
|
|
275
|
+
3. If the combination is blocked (e.g. node+approach1): Explain the constraint and ask the user to choose a valid approach.
|
|
276
|
+
Reference `assets/platform-matrix.json` for the definitive compatibility list.
|
|
277
|
+
|
|
278
|
+
## Step 4 — Load reference files
|
|
279
|
+
|
|
280
|
+
1. Load the approach reference file that matches approach:
|
|
281
|
+
- approach 1 → `references/approach-1-webcrypto.md`
|
|
282
|
+
- approach 2 → `references/approach-2-rsa-aes-cbc.md`
|
|
283
|
+
- approach 3 → `references/approach-3-aes-sharedkey.md`
|
|
284
|
+
- approach 4 → `references/react-native-crypto.md` (section: RN JS production mode)
|
|
285
|
+
- approach 5 → `references/react-native-crypto.md` (section: Native mode)
|
|
286
|
+
- approach 6 → `references/ec-implementation.md` (per-request or session-init ECDH+AES-256-GCM)
|
|
287
|
+
- approach 7 → `references/react-web-crypto.md` (React JS Web Crypto API production mode)
|
|
288
|
+
2. Load the platform reference file that matches platform:
|
|
289
|
+
- `references/<platform>-crypto.md`
|
|
290
|
+
3. For `react-native` with approaches 4 or 5, also load:
|
|
291
|
+
- `references/backend-alignment.md` — envelope format, decryption steps, nonce rules, error codes
|
|
292
|
+
- `references/security-checklist.md` — security gates to verify before delivery
|
|
293
|
+
- `references/error-handling-playbook.md` — failure paths including native mode
|
|
294
|
+
4. For `react-native` with approach 5, additionally load:
|
|
295
|
+
- `references/native-rsa-implementation.md` — full Kotlin/Swift NativeCryptoModule with registration steps
|
|
296
|
+
5. For `react-native` with approach 6, additionally load:
|
|
297
|
+
- `references/ec-implementation.md` — EC key service, HKDF-SHA256, Hermes Buffer helpers, per-request and session-init patterns
|
|
298
|
+
- `references/backend-alignment.md` — Part B (EC contract)
|
|
299
|
+
- `references/security-checklist.md` — EC section
|
|
300
|
+
- `references/error-handling-playbook.md`
|
|
301
|
+
6. For `react` with approach 7, additionally load:
|
|
302
|
+
- `references/react-web-crypto.md` — Web Crypto API production mode, RSA-OAEP and ECDH-Session implementations, framework detection, browser storage rules
|
|
303
|
+
- `references/security-checklist.md` — Web section
|
|
304
|
+
- `references/error-handling-playbook.md` — Web Crypto API error scenarios
|
|
305
|
+
7. Before writing any files, fill out `templates/implementation-plan.md` mentally (project discovery, dependency plan, file list, runtime behaviour).
|
|
306
|
+
|
|
307
|
+
## Step 5 — Collect key material
|
|
308
|
+
|
|
309
|
+
1. Collect all inputs as defined in the Inputs table.
|
|
310
|
+
2. Identify project structure (API client location, interceptor location, config/env module, token storage module, app startup file) before writing any files — do not duplicate existing modules; extend them.
|
|
311
|
+
3. If approach 1 or 2 and no `publicKeyPem` provided, warn the user that encryption cannot function.
|
|
312
|
+
4. If approach 3 and no `sharedKey` provided, warn the user.
|
|
313
|
+
4. **Approach 4 (React Native JS production mode):**
|
|
314
|
+
- Ask the layer selection question first: `Which encryption layer? [rn (default) / native]`
|
|
315
|
+
- If `rn` selected → approach 4. Collect:
|
|
316
|
+
- RSA padding: default RSA-OAEP (recommend; PKCS1 v1.5 requires explicit approval)
|
|
317
|
+
- RSA public key source: `api` (default) or `env`
|
|
318
|
+
- If `api`: confirm endpoint URL (default `<API_BASE_URL>/api/security/public-key`), retry count (default 3), response format (default `{ public_key: string, key_id: string, expires_at?: string }`), key caching policy (default: in-memory only — never persist RSA key to disk or storage)
|
|
319
|
+
- If `env`: collect and validate PEM/Base64 key value
|
|
320
|
+
- RSA padding: default RSA-OAEP (PKCS1 v1.5 requires explicit written approval; not acceptable for new deployments in 2026)
|
|
321
|
+
- API client: Axios (default), Fetch, or Custom
|
|
322
|
+
- API layer path: default `src/services/api.ts`
|
|
323
|
+
- Enable secure keychain storage for tokens: default Yes
|
|
324
|
+
- Encryption toggle: `env-flag` (default) or `always-on`
|
|
325
|
+
- Platform scope: Android + iOS (default)
|
|
326
|
+
- HMAC signing: default No
|
|
327
|
+
- Exclude URL prefixes: optional
|
|
328
|
+
- If `native` selected → approach 5. Collect same as approach 4, plus:
|
|
329
|
+
- Minimum iOS version (default 13 for CryptoKit; if < 13, use CommonCrypto fallback — `CCCryptorGCM` for AES-256-GCM + `SecKeyCreateEncryptedData` for RSA-OAEP)
|
|
330
|
+
- Verify Android minSdkVersion >= 23 in project `android/app/build.gradle` before proceeding; halt with guidance if below
|
|
331
|
+
5. **Approach 6 (EC / ECDH+AES-256-GCM):**
|
|
332
|
+
- Ask questions **one at a time** — each question is a single prompt; wait for the answer before asking the next.
|
|
333
|
+
- Ask EC contract type first: `per-request` (default) or `session-init`
|
|
334
|
+
- EC public key source: `api` (default) or `env`
|
|
335
|
+
- If `api`: confirm endpoint URL (default `<API_BASE_URL>/api/security/ec-public-key`), retry count (default 3)
|
|
336
|
+
- If `env`: collect and validate the key (must be 65-byte uncompressed P-256 point in base64)
|
|
337
|
+
- Session-init additional questions (ALL are blocking — no safe defaults — ask each individually):
|
|
338
|
+
1. Session init endpoint URL (`SESSION_INIT_ENDPOINT`)
|
|
339
|
+
2. Token/session endpoint URL (`CREATE_SESSION_ENDPOINT`) — credential exchange after encryption session init
|
|
340
|
+
3. HKDF `info` string (backend-specific — do NOT assume `'enc'`)
|
|
341
|
+
4. Nonce format
|
|
342
|
+
5. Nonce length
|
|
343
|
+
6. Nonce character set restrictions
|
|
344
|
+
7. Response encoding: standard base64 or base64url
|
|
345
|
+
8. Whether AAD is required, and if yes, the canonical JSON shape (alphabetically sorted keys)
|
|
346
|
+
9. Response IV source (nonce-as-IV, separate `iv` field, or other)
|
|
347
|
+
10. `DEVICE_ID_SOURCE` — how the stable `device_id` is generated/retrieved
|
|
348
|
+
11. Whether `encrypted_shared_aes_key` returned by backend should be `used` or `ignored`
|
|
349
|
+
- API client: Axios (default), Fetch, or Custom
|
|
350
|
+
- API layer path: default `src/services/api.ts`
|
|
351
|
+
- Encryption layer: `rn` (default, JS crypto) or `native` (ECDH in JS, AES in native)
|
|
352
|
+
- HMAC signing: default No
|
|
353
|
+
- Exclude URL prefixes: optional
|
|
354
|
+
- **All session-init EC contract questions are blocking** — they have no safe defaults. Do not proceed until the user provides all items above.
|
|
355
|
+
6. **Approach 4/5/6 input validation:**
|
|
356
|
+
- Validate all user-provided URLs are HTTPS.
|
|
357
|
+
- Validate RSA public key PEM format if provided via env (approach 4/5).
|
|
358
|
+
- Validate EC public key is a 65-byte uncompressed P-256 point (first byte `0x04`) if provided via env (approach 6).
|
|
359
|
+
- Validate API layer path exists in the project before editing.
|
|
360
|
+
|
|
361
|
+
## Input Validation Requirements (All Platforms)
|
|
362
|
+
|
|
363
|
+
- Validate all user-provided URLs are HTTPS.
|
|
364
|
+
- Validate RSA public key format — PEM headers (`-----BEGIN PUBLIC KEY-----`) must be present.
|
|
365
|
+
- Validate selected API layer path exists in the project before editing.
|
|
366
|
+
- Validate platform scope against current project targets.
|
|
367
|
+
- Shared key must be at least 32 characters (approach 3). Reject and re-prompt on failure.
|
|
368
|
+
- If any required answer is missing and has no safe default, ask one follow-up batch and wait.
|
|
369
|
+
- If a safe default exists, apply it automatically and continue without asking.
|
|
370
|
+
- The only question that remains blocking without a default is the RSA public key value when env mode is explicitly chosen.
|
|
371
|
+
|
|
372
|
+
## Step 6 — Generate and install files
|
|
373
|
+
|
|
374
|
+
1. Build a resolved config object from `assets/encryption-config-template.json` merged with collected inputs.
|
|
375
|
+
2. Write the resolved config to a temporary file (do not persist).
|
|
376
|
+
3. Run: `node scripts/install.js --config-json <tempFile>`
|
|
377
|
+
4. Delete the temp file immediately after install.js exits, regardless of exit code.
|
|
378
|
+
5. On exit code 0: Continue to Step 6a.
|
|
379
|
+
6. On exit code 1 or 2: Report the error and halt.
|
|
380
|
+
|
|
381
|
+
## Step 6a — Standalone Angular wiring (NgModule-free projects)
|
|
382
|
+
|
|
383
|
+
Applies only when `platform = angular`.
|
|
384
|
+
|
|
385
|
+
1. Check if `src/app/app.module.ts` exists in the project.
|
|
386
|
+
2. If it does NOT exist, the project uses the standalone component model (no NgModule).
|
|
387
|
+
- `install.js` will automatically patch `src/app/app.config.ts` using `standaloneWiringFile` from `platform-matrix.json`.
|
|
388
|
+
- Verify `app.config.ts` contains `provideHttpClient(withInterceptorsFromDi())` and the `HTTP_INTERCEPTORS` provider after patching.
|
|
389
|
+
- Add `allowedCommonJsDependencies` for `crypto-js` / `jsencrypt` to `angular.json` (approaches 2/3) — read values from `platform-matrix.json[platform].allowedCommonJsDependencies`.
|
|
390
|
+
|
|
391
|
+
## Step 6b — React Native production wiring (approaches 4, 5, and 6)
|
|
392
|
+
|
|
393
|
+
Applies only when `platform = react-native` and `approach = 4`, `5`, or `6`.
|
|
394
|
+
|
|
395
|
+
1. **Analyze project structure** before writing any file:
|
|
396
|
+
- Identify existing API client location, interceptor location, config/env module, storage module, app startup file.
|
|
397
|
+
- Do not duplicate existing modules; extend them.
|
|
398
|
+
2. **Install dependencies** (check React Native version from `package.json` first):
|
|
399
|
+
- Approach 4: `react-native-quick-crypto`, compatible RSA library, `react-native-keychain`
|
|
400
|
+
- Approach 5: `react-native-aes-crypto`, `react-native-rsa-native`, `react-native-keychain`
|
|
401
|
+
- Approach 6: `react-native-quick-crypto` (provides `createECDH`, `createCipheriv`, `createHmac`, `randomBytes`), `react-native-keychain`, `buffer` package (standard polyfill)
|
|
402
|
+
- Verify Android `minSdkVersion >= 23` for approach 5; halt with guidance if below.
|
|
403
|
+
- Verify iOS deployment target `>= 13.0` for CryptoKit (approach 5); plan CommonCrypto fallback if below.
|
|
404
|
+
3. `install.js` writes the following files for approach 4:
|
|
405
|
+
- `src/services/security/types.ts` — `EncryptedEnvelope` and `EncryptedResponse` TypeScript interfaces
|
|
406
|
+
- `src/services/security/encryption.service.ts` — per-request AES-256-GCM encrypt using `react-native-quick-crypto`
|
|
407
|
+
- `src/services/security/decryption.service.ts` — AES-256-GCM decrypt + auth tag split
|
|
408
|
+
- `src/services/security/rsa-key.service.ts` — fetch/cache/retry RSA public key from endpoint or env
|
|
409
|
+
- `src/services/security/keychain.service.ts` — `react-native-keychain` wrapper for token storage
|
|
410
|
+
- `src/services/security/hmac.service.ts` — HMAC-SHA256 signing (when HMAC enabled)
|
|
411
|
+
- `src/services/security/encryption-config.ts` — `EXCLUDED_PATHS`, feature flags, env references
|
|
412
|
+
- Updated request interceptor + response interceptor with in-memory request map and guaranteed cleanup
|
|
413
|
+
- Updated `index.js` — `ENCRYPTION_ENABLED` env bootstrap
|
|
414
|
+
4. `install.js` writes the following **additional** files for approach 5 (all of approach 4, plus):
|
|
415
|
+
- `android/app/src/main/java/.../NativeCryptoModule.kt` — `encryptAES`, `decryptAES`, `encryptRSA` via `javax.crypto.Cipher`
|
|
416
|
+
- `android/app/src/main/java/.../NativeCryptoPackage.kt` — package registration
|
|
417
|
+
- `ios/NativeCryptoModule.swift` — CryptoKit `AES.GCM` + `SecKeyCreateEncryptedData` (no `try!`)
|
|
418
|
+
- `ios/NativeCryptoModule.m` — ObjC bridge file
|
|
419
|
+
- `src/services/security/native-crypto.module.ts` — JS bridge interface (`nativeEncryptAES`, `nativeDecryptAES`, `nativeEncryptRSA`)
|
|
420
|
+
- Updated `.env` with `ENCRYPTION_LAYER=native`
|
|
421
|
+
5. `install.js` writes the following files for approach 6 (EC mode):
|
|
422
|
+
- `src/services/security/types.ts` — add `EcPublicKeyResponse`, `EcEncryptedEnvelope`, `RequestCryptoMaterial` alongside existing RSA types
|
|
423
|
+
- `src/services/security/ec-key.service.ts` — EC public key fetch/cache/retry with 65-byte point validation
|
|
424
|
+
- `src/services/security/ec-crypto.util.ts` — `ecEncryptPayload` (per-request) or `deriveSessionKey`/`sessionEncrypt`/`sessionDecrypt` (session-init), plus Hermes-safe helpers (`toBase64`, `byteCopy`, `QCBuffer`), HKDF-SHA256
|
|
425
|
+
- `src/services/security/keychain.service.ts` — same as approach 4
|
|
426
|
+
- `src/services/security/hmac.service.ts` — HMAC-SHA256 signing (when HMAC enabled)
|
|
427
|
+
- `src/services/security/encryption-config.ts` — `ENCRYPTION_MODEL=ec`, `EC_PUBLIC_KEY_ENDPOINT`, `ENCRYPTION_LAYER`, feature flags
|
|
428
|
+
- Updated `src/services/api.ts` — patch to add `ENCRYPTION_MODEL` routing: EC branch uses `ecKeyService` + `ecEncryptPayload`/`ecDeriveKey`; RSA branch unchanged
|
|
429
|
+
- For EC + Native: `ecDeriveKey` (ECDH in JS) + existing `NativeCryptoModule` for AES (no new Kotlin/Swift files)
|
|
430
|
+
- Updated `.env` / `.env.example` with `ENCRYPTION_MODEL=ec`, `EC_PUBLIC_KEY_ENDPOINT`
|
|
431
|
+
6. **AES key lifecycle rule (approaches 4, 5, and 6 per-request):** Per-request AES keys/derived keys are generated in JS using `randomBytes(32)` (or HKDF), stored in-memory in a request map keyed by `requestId`, passed into encrypt/decrypt calls, and **deleted immediately after response processing** — success or failure. Never written to storage.
|
|
432
|
+
7. **Response interceptor rule:** On `KEY_ID_NOT_FOUND` (401): refresh the active key service (RSA or EC) and retry exactly once. On auth tag mismatch: trigger force logout/session reset. On missing request map entry: fail securely without retry.
|
|
433
|
+
8. **Session-init EC rule:** After session init, the derived session AES key is held in memory only. If the app restarts and only the token is stored, the encryption session must be re-established before encrypted APIs can work. Persist only the auth token.
|
|
434
|
+
9. **Backend alignment spec:** Print the full backend contract from `references/backend-alignment.md` so the user can share it with their server team. For EC, print Part B (EC contract). Include: envelope format, decryption steps, nonce validation, error codes, and pre-integration questions.
|
|
435
|
+
10. After all files are written, run the build verification step (Step 7) then verify every item in `references/security-checklist.md` (React Native section) and `templates/delivery-checklist.md` before printing the setup report.
|
|
436
|
+
|
|
437
|
+
## Step 6c — React JS web production wiring (approach 7)
|
|
438
|
+
|
|
439
|
+
Applies only when `platform = react` and `approach = 7`.
|
|
440
|
+
|
|
441
|
+
1. **Verify secure origin** before proceeding: confirm the app is served over HTTPS or localhost. `crypto.subtle` is `undefined` on plain HTTP origins — warn the user and halt if the deployment target is plain HTTP.
|
|
442
|
+
2. **Detect framework/bundler** (ask if not yet answered):
|
|
443
|
+
- Vite → env prefix `VITE_`
|
|
444
|
+
- Create React App → env prefix `REACT_APP_`
|
|
445
|
+
- Next.js → env prefix `NEXT_PUBLIC_`
|
|
446
|
+
3. **Check `tsconfig.json`**: confirm `"lib"` includes `"DOM"` (required for `crypto.subtle` typings). Patch if missing.
|
|
447
|
+
4. **Install dependencies** — approach 7 requires no crypto packages:
|
|
448
|
+
- Confirm `axios` is present; install if missing.
|
|
449
|
+
- Never install `crypto-js`, `node-forge`, Buffer polyfill, or any `react-native-*` package.
|
|
450
|
+
5. **RSA-OAEP mode** (`webEncryptionMode = rsa-oaep`, default) — `install.js` writes:
|
|
451
|
+
- `src/services/security/crypto-utils.ts` — Base64 encode/decode (`btoa`/`atob`/`TextEncoder`/`Uint8Array`), nonce generator (`crypto.getRandomValues`)
|
|
452
|
+
- `src/services/security/aes.service.ts` — `generateAESKey` (`crypto.subtle.generateKey`), `encryptAESGCM`, `decryptAESGCM` (tagLength 128)
|
|
453
|
+
- `src/services/security/rsa.service.ts` — `importRSAPublicKey` (`importKey('spki', ...)` from PEM after stripping headers), `encryptRSAOAEP`
|
|
454
|
+
- `src/services/security/rsa-key.service.ts` — fetch, cache (in-memory), retry (3× default), `KEY_ID_NOT_FOUND` refresh + single retry
|
|
455
|
+
- `src/services/security/hmac.service.ts` — HMAC-SHA256 via `crypto.subtle` (when HMAC enabled)
|
|
456
|
+
- `src/services/security/storage.service.ts` — `sessionStorage` wrapper for non-token data; HTTP-only cookie guidance for auth tokens; `localStorage` forbidden for sensitive data
|
|
457
|
+
- `src/services/security/encryption-config.ts` — `ENCRYPTION_ENABLED`, `RSA_PUBLIC_KEY_ENDPOINT`, `ENCRYPTION_HMAC_SECRET` with correct framework env prefix
|
|
458
|
+
- `src/services/security/types.ts` — `EncryptedEnvelope`, `EncryptedResponse` TypeScript interfaces
|
|
459
|
+
- `src/services/security/encryption.interceptor.ts` — request interceptor (generate AES key, store in `Map<requestId, {cryptoKey, iv}>`, attach envelope); response interceptor (decrypt + cleanup map entry); guaranteed cleanup on both success and error
|
|
460
|
+
- `src/api/axiosInstance.ts` — patched with `applyProductionEncryptionInterceptor` + `bootstrapEncryption()` call before first request
|
|
461
|
+
- `.env.example` / `.env.local` — feature flag env vars with correct prefix
|
|
462
|
+
6. **ECDH-Session mode** (`webEncryptionMode = ecdh-session`) — collect blocking inputs first (ask one at a time, no defaults):
|
|
463
|
+
- Session init endpoint URL
|
|
464
|
+
- HKDF `info` string (backend-specific — do NOT assume `'enc'`)
|
|
465
|
+
- AAD requirement and canonical JSON shape (alphabetically sorted keys; use template literal, not `JSON.stringify`)
|
|
466
|
+
- Response encoding (standard base64 or base64url)
|
|
467
|
+
- Device ID source
|
|
468
|
+
Then `install.js` writes all of RSA-OAEP files above (except `rsa.service.ts`, `rsa-key.service.ts`) plus:
|
|
469
|
+
- `src/core/security/ecdh-session/base64url.ts` — Base64URL encode/decode (no Buffer)
|
|
470
|
+
- `src/core/security/ecdh-session/aad.ts` — AAD builder (alphabetical key order enforced)
|
|
471
|
+
- `src/core/security/ecdh-session/ecdhSession.ts` — `generateECDHKeyPair`, `exportPublicKey`, `deriveSessionKey` via `crypto.subtle.generateKey` + `crypto.subtle.deriveKey` (HKDF-SHA256, native — no manual HMAC chain); private key exported as JWK for `sessionStorage` restore; derived AES key `extractable: false`, never stored
|
|
472
|
+
- `src/core/security/ecdh-session/aesGcm.ts` — AES-256-GCM encrypt/decrypt with AAD
|
|
473
|
+
- `src/core/security/ecdh-session/ecdhSessionService.ts` — session init, session restore from `sessionStorage`, `clearSession` (called on 401 or `DECRYPTION_FAILED`)
|
|
474
|
+
- Updated `encryption.interceptor.ts` — ECDH-Session variant with `X-Request-ID` (UUID), `X-Nonce` (12-byte Base64URL), `X-Timestamp` (ISO 8601 UTC) headers on every request
|
|
475
|
+
7. **AES key lifecycle rule (approach 7):** Per-request AES keys are generated per request, stored in-memory in a `Map<requestId, {cryptoKey: CryptoKey; iv: Uint8Array}>`, and deleted immediately after response processing — success or failure. Never written to storage.
|
|
476
|
+
8. **Response interceptor rule (approach 7):** On `KEY_ID_NOT_FOUND` (401): refresh RSA key and retry exactly once (no retry loop). On `DOMException` (auth tag mismatch) during decryption: fail securely — do not fall back to unencrypted response. On missing request map entry: log a warning and pass the response through without decryption.
|
|
477
|
+
9. **ECDH-Session error handling:** 401 response → `clearSession()` + `ERR_SESSION_EXPIRED`. `DECRYPTION_FAILED`/`INVALID_PAYLOAD` (400) → `clearSession()` + `ERR_CRYPTO_REJECTED`. 500 responses → pass through without session invalidation.
|
|
478
|
+
10. After all files are written, run the build verification step (Step 7) then verify every item in `references/security-checklist.md` (Web section) and `templates/delivery-checklist.md` before printing the setup report.
|
|
479
|
+
|
|
480
|
+
## Step 7 — Run build verification
|
|
481
|
+
|
|
482
|
+
1. Read `buildCommand` for the platform from `assets/platform-matrix.json`.
|
|
483
|
+
2. Run the build command in the project root.
|
|
484
|
+
3. On failure: Retry up to 3 times, then report exit code 4.
|
|
485
|
+
4. On success: Continue to Step 8.
|
|
486
|
+
|
|
487
|
+
## Step 8 — Print setup report
|
|
488
|
+
|
|
489
|
+
Print the setup report as defined in Output Format.
|
|
490
|
+
|
|
491
|
+
---
|
|
492
|
+
|
|
493
|
+
# Rules
|
|
494
|
+
|
|
495
|
+
1. **Never hardcode** file paths, package names, or build commands — always read from `assets/platform-matrix.json`.
|
|
496
|
+
2. **Never print** the HMAC secret or any private key material to stdout or disk. HMAC secret is read at runtime from `ENCRYPTION_HMAC_SECRET` environment variable.
|
|
497
|
+
3. **Validate inputs**: `publicKeyPem` must contain valid PEM headers; `sharedKey` must be at least 32 characters. Reject and re-prompt on failure.
|
|
498
|
+
4. **Block `privateKeyPem` for browser platforms**: Never accept or store `privateKeyPem` for `angular` or `web` platforms. Private keys must stay on the server. If the user provides one, warn them and set `privateKeyPem: null` in the generated config.
|
|
499
|
+
5. **Idempotent**: Running setup.js with the same inputs must always produce the same files.
|
|
500
|
+
6. **Skip FormData**: Never encrypt multipart/form-data — always pass through.
|
|
501
|
+
7. **Catch errors silently in interceptors (approaches 1–3)**: Encryption failure must never cause a request to fail; fall back to sending unencrypted and log at debug level only.
|
|
502
|
+
8. **Never overwrite module wiring**: Use `patchFile()` (marker-based append) — never replace the entire file.
|
|
503
|
+
9. **Approach 4/5 — AES keys are ephemeral**: Never persist AES keys or IVs. Never reuse IVs. Clear request map immediately after each response (success or failure).
|
|
504
|
+
10. **Approach 4/5 — Fail secure on auth tag mismatch**: Invalid GCM auth tag must trigger session reset/force logout — not a silent fallback.
|
|
505
|
+
11. **Approach 4/5 — RSA key retry is bounded**: Retry at most 3 times (configurable); block encrypted calls if key is unavailable after retries.
|
|
506
|
+
12. **Approach 4/5 — KEY_ID_NOT_FOUND**: Refresh RSA key and retry exactly once. No retry loop.
|
|
507
|
+
13. **Approach 4/5 — No sensitive logging**: Never log AES keys, IVs, auth tags, plaintext payloads, or RSA key material.
|
|
508
|
+
14. **Approach 5 — Ephemeral AES keys are NOT stored in Android Keystore**: Android Keystore is for persistent long-lived keys. Per-request AES keys live only in the JS memory map.
|
|
509
|
+
15. **Approach 5 — `try!` is forbidden**: All Swift CryptoKit code must use `do/try/catch`. Never use `try!` in production.
|
|
510
|
+
16. **Approach 4/5 — PKCS1 v1.5 is rejected for new deployments**: RSA-OAEP SHA-256 is mandatory. PKCS1 v1.5 requires explicit written approval and is not acceptable for new deployments in 2026.
|
|
511
|
+
17. **Approach 4/5 — RSA key endpoint must be HTTPS**: Never fetch the public key over HTTP. Validate URL scheme at setup time.
|
|
512
|
+
18. **Approach 4/5 — SSL pinning recommended**: For high-security environments, configure certificate pinning with a current and backup fingerprint before deploying to production.
|
|
513
|
+
19. **Approach 4/5 — Never mix JS and Native crypto in the same request lifecycle**: The encryption layer (JS or Native) must be consistent for the full request/response cycle. Do not call JS crypto for encryption and native crypto for decryption, or vice versa.
|
|
514
|
+
20. **All platforms — Never bypass existing API architecture**: Extend the existing interceptor/client; never replace it or create a parallel HTTP layer that bypasses auth, logging, or error handling.
|
|
515
|
+
21. **Approach 6 — EC public key must be validated on every fetch**: decoded length must equal 65 bytes and first byte must be `0x04` (uncompressed P-256 point). Reject and retry if invalid.
|
|
516
|
+
22. **Approach 6 — Ephemeral EC private key is discarded immediately after `computeSecret()`**: Never store the ECDH private key in memory beyond the single key derivation call.
|
|
517
|
+
23. **Approach 6 — Derived AES key is never transmitted**: Only the 65-byte ephemeral public key is sent in the envelope. The AES key lives only in the in-memory request map.
|
|
518
|
+
24. **Approach 6 — Never use `Buffer.toString('base64')` on Hermes**: Use the `toBase64()` helper from `ec-crypto.util.ts`. Hermes typed arrays break the standard base64 polyfill.
|
|
519
|
+
25. **Approach 6 — Never use `Buffer.slice()` views with quick-crypto native code**: Always call `byteCopy()` before passing any sliced buffer to a cipher, HMAC, or HKDF call.
|
|
520
|
+
26. **Approach 6 — Session-init blocking questions**: All of the following are backend-specific and have no safe defaults. Ask each **one at a time** and do not proceed until the user provides all: (1) session init endpoint URL, (2) token/session endpoint URL, (3) HKDF `info` string, (4) nonce format, (5) nonce length, (6) nonce character set, (7) response encoding (standard-base64 vs base64url), (8) AAD requirement and canonical JSON shape, (9) response IV source, (10) `DEVICE_ID_SOURCE`, (11) `encrypted_shared_aes_key` handling (used/ignored).
|
|
521
|
+
27. **Approach 6 — EC key endpoint must be HTTPS**: Validate URL scheme at setup time. Same rule as RSA (Rule 17).
|
|
522
|
+
28. **Approach 7 — `crypto.subtle` requires a secure origin**: The Web Crypto API is `undefined` on plain HTTP origins. The app must be served over HTTPS or `localhost`. Check at startup and surface a clear error if unavailable — never silently swallow the failure.
|
|
523
|
+
29. **Approach 7 — No Buffer polyfill, no `crypto-js`, no `node-forge`**: All crypto operations use the built-in Web Crypto API (`window.crypto.subtle`). Never install or import these packages for approach 7.
|
|
524
|
+
30. **Approach 7 — RSA-OAEP is mandatory**: Same rule as Rule 16. PKCS1 v1.5 requires explicit written approval and is not acceptable for new deployments in 2026.
|
|
525
|
+
31. **Approach 7 — RSA public key import uses `'spki'` format**: Strip PEM headers before passing to `crypto.subtle.importKey`. Never pass the raw PEM string to the API.
|
|
526
|
+
32. **Approach 7 — AES keys are ephemeral, never stored**: Per-request AES key and IV live only in the in-memory `Map<requestId, {cryptoKey, iv}>`. Delete the map entry immediately after response processing, success or failure.
|
|
527
|
+
33. **Approach 7 — Derived AES key must be non-extractable (ECDH-Session)**: Pass `extractable: false` to `crypto.subtle.deriveKey`. Never store the derived AES key anywhere, including `sessionStorage`. Only the ECDH private key (as JWK) may be stored in `sessionStorage` for session restore.
|
|
528
|
+
34. **Approach 7 — `localStorage` is forbidden for tokens or session material**: Use `sessionStorage` for non-critical state or HTTP-only cookies for auth tokens. Never store token, session key, or AES key in `localStorage`.
|
|
529
|
+
35. **Approach 7 — Never use `Math.random()` for cryptographic purposes**: All nonce and key generation must use `crypto.getRandomValues()` or Web Crypto API key generation. `Math.random()` is not cryptographically secure.
|
|
530
|
+
36. **Approach 7 — HMAC secret must come from env var at runtime**: Never hardcode `ENCRYPTION_HMAC_SECRET` in source files or commit it to version control. Read it from the framework-prefixed env var at runtime only.
|
|
531
|
+
37. **Approach 7 — `DOMException` on decryption is a hard failure**: An AES-GCM authentication tag mismatch throws `DOMException`. Treat this as a security failure — do not fall back to returning the raw ciphertext. Propagate as `ERR_CRYPTO_REJECTED`.
|
|
532
|
+
38. **Approach 7 — ECDH-Session blocking questions have no safe defaults**: HKDF `info` string, AAD shape, session init URL, and device ID source are all backend-specific. Ask each one at a time and do not proceed until all are provided.
|
|
533
|
+
39. **Approach 7 — `tsconfig.json` must include `"DOM"` in `lib`**: Without it, `crypto.subtle` TypeScript types are unavailable and compilation will fail. Patch `tsconfig.json` automatically if this lib is missing.
|
|
534
|
+
40. **Approach 7 — CORS headers must include custom encryption headers**: `Access-Control-Allow-Headers` on the backend must allow `X-Request-ID`, `X-Nonce`, `X-Request-Signature`, `X-Device-ID`, and `X-Timestamp`. Include this requirement in backend alignment guidance.
|
|
535
|
+
|
|
536
|
+
---
|
|
537
|
+
|
|
538
|
+
# Output Format
|
|
539
|
+
|
|
540
|
+
## Setup report (stdout, always)
|
|
541
|
+
```
|
|
542
|
+
=== SETUP REPORT ===
|
|
543
|
+
Platform : <platform>
|
|
544
|
+
Approach : <approach>
|
|
545
|
+
HMAC enabled : <true|false>
|
|
546
|
+
URL exclusions : <comma-separated list or blank>
|
|
547
|
+
Files written/patched : <integer>
|
|
548
|
+
Build status : <PASS|FAIL>
|
|
549
|
+
====================
|
|
550
|
+
```
|
|
551
|
+
|
|
552
|
+
## Per-file output (from install.js)
|
|
553
|
+
```
|
|
554
|
+
WROTE <absolute path>
|
|
555
|
+
PATCHED <absolute path>
|
|
556
|
+
INSTALL_RESULT : SUCCESS
|
|
557
|
+
```
|
|
558
|
+
|
|
559
|
+
---
|
|
560
|
+
|
|
561
|
+
# Final State Checklist
|
|
562
|
+
|
|
563
|
+
After a successful run, verify:
|
|
564
|
+
- [ ] One centralized config file exists with encryption settings
|
|
565
|
+
- [ ] One shared EncryptionService exists with encrypt and decrypt methods (existing one reused if previously centralized)
|
|
566
|
+
- [ ] One interceptor/middleware exists that calls EncryptionService transparently
|
|
567
|
+
- [ ] The network/HTTP layer is patched to use the interceptor
|
|
568
|
+
- [ ] Build passes with zero errors
|
|
569
|
+
- [ ] **No scan-related types, use cases, or reporter classes exist in the output**
|
|
570
|
+
- [ ] **No conflict-resolution enums or domain layer abstractions exist in the output**
|
|
571
|
+
- [ ] **No duplicate EncryptionService files — exactly one per project**
|
|
572
|
+
|
|
573
|
+
---
|
|
574
|
+
|
|
575
|
+
# Example 1 — Angular + Approach 1 (RSA-OAEP + AES-256-GCM)
|
|
576
|
+
|
|
577
|
+
```bash
|
|
578
|
+
node scripts/setup.js --project-path /projects/my-angular-app
|
|
579
|
+
```
|
|
580
|
+
|
|
581
|
+
Prompts:
|
|
582
|
+
```
|
|
583
|
+
Select platform [angular/web/node/android/ios/flutter]: angular
|
|
584
|
+
Select approach [1/2/3]: 1
|
|
585
|
+
Enter public key PEM: <paste RSA-2048 public key>
|
|
586
|
+
Decrypt responses too? (yes/no) [no]: no
|
|
587
|
+
Enable HMAC signing? (yes/no) [no]: no
|
|
588
|
+
HMAC enabled. Set the ENCRYPTION_HMAC_SECRET environment variable in your app before running.
|
|
589
|
+
Exclude any URL prefixes from encryption? (comma-separated, or leave blank):
|
|
590
|
+
```
|
|
591
|
+
|
|
592
|
+
Expected output snippets:
|
|
593
|
+
```
|
|
594
|
+
WROTE /projects/my-angular-app/src/environments/environment.ts
|
|
595
|
+
WROTE /projects/my-angular-app/src/app/core/encryption/encryption.service.ts
|
|
596
|
+
WROTE /projects/my-angular-app/src/app/core/encryption/encryption.interceptor.ts
|
|
597
|
+
PATCHED /projects/my-angular-app/src/app/app.config.ts
|
|
598
|
+
NOTE Angular standalone project detected. Patched app.config.ts instead of app.module.ts.
|
|
599
|
+
INSTALL_RESULT : SUCCESS
|
|
600
|
+
|
|
601
|
+
=== SETUP REPORT ===
|
|
602
|
+
Platform : angular
|
|
603
|
+
Approach : 1
|
|
604
|
+
HMAC enabled : false
|
|
605
|
+
URL exclusions :
|
|
606
|
+
Files written/patched : 4
|
|
607
|
+
Build status : PASS
|
|
608
|
+
====================
|
|
609
|
+
```
|
|
610
|
+
|
|
611
|
+
---
|
|
612
|
+
|
|
613
|
+
# Example 2 — Android + Approach 3 (AES-256-CBC shared key)
|
|
614
|
+
|
|
615
|
+
```bash
|
|
616
|
+
node scripts/setup.js --project-path /projects/my-android-app
|
|
617
|
+
```
|
|
618
|
+
|
|
619
|
+
Prompts:
|
|
620
|
+
```
|
|
621
|
+
Select platform [angular/web/node/android/ios/flutter]: android
|
|
622
|
+
Select approach [2/3]: 3
|
|
623
|
+
Enter shared secret key (32+ chars recommended): <paste secret>
|
|
624
|
+
Enable HMAC signing? (yes/no) [no]: yes
|
|
625
|
+
HMAC enabled. Set the ENCRYPTION_HMAC_SECRET environment variable in your app before running.
|
|
626
|
+
Exclude any URL prefixes from encryption? (comma-separated, or leave blank): /api/health,/api/status
|
|
627
|
+
```
|
|
628
|
+
|
|
629
|
+
Expected output snippets:
|
|
630
|
+
```
|
|
631
|
+
WROTE /projects/my-android-app/app/src/main/java/com/example/encryption/EncryptionConfig.kt
|
|
632
|
+
WROTE /projects/my-android-app/app/src/main/java/com/example/encryption/EncryptionService.kt
|
|
633
|
+
WROTE /projects/my-android-app/app/src/main/java/com/example/encryption/EncryptionInterceptor.kt
|
|
634
|
+
PATCHED /projects/my-android-app/app/src/main/java/com/example/network/NetworkModule.kt
|
|
635
|
+
INSTALL_RESULT : SUCCESS
|
|
636
|
+
|
|
637
|
+
=== SETUP REPORT ===
|
|
638
|
+
Platform : android
|
|
639
|
+
Approach : 3
|
|
640
|
+
HMAC enabled : true
|
|
641
|
+
URL exclusions : /api/health, /api/status
|
|
642
|
+
Files written/patched : 4
|
|
643
|
+
Build status : PASS
|
|
644
|
+
====================
|
|
645
|
+
```
|