devendra-skill-package 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (223) hide show
  1. package/.github/skills/boiler-project-generator/SKILL.md +103 -0
  2. package/.github/skills/boiler-project-generator/assets/templates/android/README.md +3 -0
  3. package/.github/skills/boiler-project-generator/assets/templates/angular/README.md +3 -0
  4. package/.github/skills/boiler-project-generator/assets/templates/flutter/README.md +3 -0
  5. package/.github/skills/boiler-project-generator/assets/templates/ios/README.md +3 -0
  6. package/.github/skills/boiler-project-generator/assets/templates/react/README.md +3 -0
  7. package/.github/skills/boiler-project-generator/assets/templates/react-native/README.md +3 -0
  8. package/.github/skills/boiler-project-generator/assets/templates/react-native/api-setup.ts +76 -0
  9. package/.github/skills/boiler-project-generator/assets/templates/react-native/component-primary-button.tsx +29 -0
  10. package/.github/skills/boiler-project-generator/assets/templates/react-native/env-config.env +4 -0
  11. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-auth-screen.tsx +45 -0
  12. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-dashboard-screen.tsx +45 -0
  13. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-profile-screen.tsx +45 -0
  14. package/.github/skills/boiler-project-generator/assets/templates/react-native/hook-use-app-boot.ts +11 -0
  15. package/.github/skills/boiler-project-generator/assets/templates/react-native/navigation-setup.tsx +25 -0
  16. package/.github/skills/boiler-project-generator/assets/templates/react-native/project-structure.md +24 -0
  17. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-hooks.ts +5 -0
  18. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-session-slice.ts +29 -0
  19. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-store.ts +15 -0
  20. package/.github/skills/boiler-project-generator/assets/templates/react-native/theme-index.ts +23 -0
  21. package/.github/skills/boiler-project-generator/assets/templates/react-native/utils-helpers.ts +7 -0
  22. package/.github/skills/boiler-project-generator/metadata.yaml +29 -0
  23. package/.github/skills/boiler-project-generator/references/android.md +19 -0
  24. package/.github/skills/boiler-project-generator/references/angular.md +14 -0
  25. package/.github/skills/boiler-project-generator/references/flutter.md +17 -0
  26. package/.github/skills/boiler-project-generator/references/ios.md +17 -0
  27. package/.github/skills/boiler-project-generator/references/react-native.md +103 -0
  28. package/.github/skills/boiler-project-generator/references/react.md +17 -0
  29. package/.github/skills/boiler-project-generator/scripts/angular.js +43 -0
  30. package/.github/skills/boiler-project-generator/scripts/generate-project.mjs +107 -0
  31. package/.github/skills/boiler-project-generator/scripts/init.js +105 -0
  32. package/.github/skills/boiler-project-generator/scripts/react-native.js +1041 -0
  33. package/.github/skills/boiler-project-generator/scripts/react.js +32 -0
  34. package/.github/skills/clean-architecture-generator/SKILL.md +235 -0
  35. package/.github/skills/clean-architecture-generator/references/architecture-core.md +126 -0
  36. package/.github/skills/clean-architecture-generator/references/platform-angular.md +374 -0
  37. package/.github/skills/clean-architecture-generator/references/platform-flutter.md +366 -0
  38. package/.github/skills/clean-architecture-generator/references/platform-react-native.md +590 -0
  39. package/.github/skills/clean-architecture-generator/references/platform-react.md +261 -0
  40. package/.github/skills/code-test-coverage-analyzer/SKILL.md +1358 -0
  41. package/.github/skills/code-test-coverage-analyzer/assets/config-questionnaire.md +118 -0
  42. package/.github/skills/code-test-coverage-analyzer/assets/conflict-resolution-protocol.md +99 -0
  43. package/.github/skills/code-test-coverage-analyzer/assets/coverage-calculation-rules.md +294 -0
  44. package/.github/skills/code-test-coverage-analyzer/assets/multi-strategy-search.md +145 -0
  45. package/.github/skills/code-test-coverage-analyzer/assets/output-file-contracts.md +651 -0
  46. package/.github/skills/code-test-coverage-analyzer/assets/status-definitions.md +273 -0
  47. package/.github/skills/code-test-coverage-analyzer/examples/example-invocation.md +208 -0
  48. package/.github/skills/code-test-coverage-analyzer/references/android-patterns.md +229 -0
  49. package/.github/skills/code-test-coverage-analyzer/references/angular-patterns.md +177 -0
  50. package/.github/skills/code-test-coverage-analyzer/references/backend-patterns.md +383 -0
  51. package/.github/skills/code-test-coverage-analyzer/references/flutter-patterns.md +254 -0
  52. package/.github/skills/code-test-coverage-analyzer/references/ios-patterns.md +228 -0
  53. package/.github/skills/code-test-coverage-analyzer/references/react-native-patterns.md +431 -0
  54. package/.github/skills/code-test-coverage-analyzer/references/react-patterns.md +206 -0
  55. package/.github/skills/code-test-coverage-analyzer/scripts/detect-platform.ps1 +261 -0
  56. package/.github/skills/code-test-coverage-analyzer/scripts/scan-repository.ps1 +242 -0
  57. package/.github/skills/code-test-coverage-analyzer/templates/brd-compliance-row.md +107 -0
  58. package/.github/skills/code-test-coverage-analyzer/templates/test-case-row.md +130 -0
  59. package/.github/skills/code-test-coverage-analyzer/templates/user-story-compliance-row.md +170 -0
  60. package/.github/skills/custom-font-integrator/SKILL.md +373 -0
  61. package/.github/skills/custom-font-integrator/assets/FontTestScreen.js +150 -0
  62. package/.github/skills/custom-font-integrator/references/example-info-plist.xml +21 -0
  63. package/.github/skills/custom-font-integrator/scripts/setup-fonts.sh +99 -0
  64. package/.github/skills/encryption-decryption-utility/Instructions.md +282 -0
  65. package/.github/skills/encryption-decryption-utility/README.md +222 -0
  66. package/.github/skills/encryption-decryption-utility/SKILL.md +645 -0
  67. package/.github/skills/encryption-decryption-utility/assets/encryption-config-template.json +13 -0
  68. package/.github/skills/encryption-decryption-utility/assets/platform-matrix.json +180 -0
  69. package/.github/skills/encryption-decryption-utility/metadata.yaml +51 -0
  70. package/.github/skills/encryption-decryption-utility/references/android-crypto.md +157 -0
  71. package/.github/skills/encryption-decryption-utility/references/angular-crypto.md +130 -0
  72. package/.github/skills/encryption-decryption-utility/references/approach-1-webcrypto.md +95 -0
  73. package/.github/skills/encryption-decryption-utility/references/approach-2-rsa-aes-cbc.md +111 -0
  74. package/.github/skills/encryption-decryption-utility/references/approach-3-aes-sharedkey.md +114 -0
  75. package/.github/skills/encryption-decryption-utility/references/architecture.md +233 -0
  76. package/.github/skills/encryption-decryption-utility/references/backend-alignment.md +506 -0
  77. package/.github/skills/encryption-decryption-utility/references/dependency-guidance.md +234 -0
  78. package/.github/skills/encryption-decryption-utility/references/ec-implementation.md +832 -0
  79. package/.github/skills/encryption-decryption-utility/references/error-handling-playbook.md +234 -0
  80. package/.github/skills/encryption-decryption-utility/references/flutter-crypto.md +105 -0
  81. package/.github/skills/encryption-decryption-utility/references/ios-crypto.md +338 -0
  82. package/.github/skills/encryption-decryption-utility/references/native-rsa-implementation.md +373 -0
  83. package/.github/skills/encryption-decryption-utility/references/node-crypto.md +86 -0
  84. package/.github/skills/encryption-decryption-utility/references/react-crypto.md +105 -0
  85. package/.github/skills/encryption-decryption-utility/references/react-native-crypto.md +1001 -0
  86. package/.github/skills/encryption-decryption-utility/references/react-web-crypto.md +668 -0
  87. package/.github/skills/encryption-decryption-utility/references/security-checklist.md +176 -0
  88. package/.github/skills/encryption-decryption-utility/references/web-crypto.md +74 -0
  89. package/.github/skills/encryption-decryption-utility/scripts/detect.js +128 -0
  90. package/.github/skills/encryption-decryption-utility/scripts/install.js +1713 -0
  91. package/.github/skills/encryption-decryption-utility/scripts/setup.js +800 -0
  92. package/.github/skills/encryption-decryption-utility/template.md +241 -0
  93. package/.github/skills/encryption-decryption-utility/templates/config-questionnaire.md +467 -0
  94. package/.github/skills/encryption-decryption-utility/templates/delivery-checklist.md +206 -0
  95. package/.github/skills/encryption-decryption-utility/templates/implementation-plan.md +304 -0
  96. package/.github/skills/feature-generator/SKILL.MD +2741 -0
  97. package/.github/skills/feature-generator/assets/fingerprint-schema.json +385 -0
  98. package/.github/skills/feature-generator/assets/spec-template.md +172 -0
  99. package/.github/skills/feature-generator/assets/transform-rules.json +82 -0
  100. package/.github/skills/feature-generator/references/api-envelope-patterns.md +327 -0
  101. package/.github/skills/feature-generator/references/screen-logic-patterns.md +399 -0
  102. package/.github/skills/feature-generator/references/state-library-patterns.md +464 -0
  103. package/.github/skills/figma-ui-mapper/README.md +34 -0
  104. package/.github/skills/figma-ui-mapper/SKILL.md +101 -0
  105. package/.github/skills/figma-ui-mapper/assets/templates/component-map-template.md +30 -0
  106. package/.github/skills/figma-ui-mapper/assets/templates/generation-report-template.md +49 -0
  107. package/.github/skills/figma-ui-mapper/metadata.yaml +22 -0
  108. package/.github/skills/figma-ui-mapper/references/android.md +11 -0
  109. package/.github/skills/figma-ui-mapper/references/angular.md +18 -0
  110. package/.github/skills/figma-ui-mapper/references/capacitor.md +18 -0
  111. package/.github/skills/figma-ui-mapper/references/common.md +23 -0
  112. package/.github/skills/figma-ui-mapper/references/expo.md +18 -0
  113. package/.github/skills/figma-ui-mapper/references/flutter.md +18 -0
  114. package/.github/skills/figma-ui-mapper/references/frameworks/angular/rules.md +23 -0
  115. package/.github/skills/figma-ui-mapper/references/frameworks/capacitor/rules.md +23 -0
  116. package/.github/skills/figma-ui-mapper/references/frameworks/expo/rules.md +23 -0
  117. package/.github/skills/figma-ui-mapper/references/frameworks/flutter/rules.md +23 -0
  118. package/.github/skills/figma-ui-mapper/references/frameworks/ionic/rules.md +23 -0
  119. package/.github/skills/figma-ui-mapper/references/frameworks/kotlin-multiplatform/rules.md +23 -0
  120. package/.github/skills/figma-ui-mapper/references/frameworks/native-android/rules.md +23 -0
  121. package/.github/skills/figma-ui-mapper/references/frameworks/native-ios/rules.md +23 -0
  122. package/.github/skills/figma-ui-mapper/references/frameworks/next/rules.md +23 -0
  123. package/.github/skills/figma-ui-mapper/references/frameworks/nuxt/rules.md +23 -0
  124. package/.github/skills/figma-ui-mapper/references/frameworks/react/rules.md +19 -0
  125. package/.github/skills/figma-ui-mapper/references/frameworks/react-native/rules.md +23 -0
  126. package/.github/skills/figma-ui-mapper/references/frameworks/svelte/rules.md +23 -0
  127. package/.github/skills/figma-ui-mapper/references/frameworks/vue/rules.md +23 -0
  128. package/.github/skills/figma-ui-mapper/references/ionic.md +18 -0
  129. package/.github/skills/figma-ui-mapper/references/ios.md +11 -0
  130. package/.github/skills/figma-ui-mapper/references/kotlin-multiplatform.md +18 -0
  131. package/.github/skills/figma-ui-mapper/references/native-android.md +18 -0
  132. package/.github/skills/figma-ui-mapper/references/native-ios.md +18 -0
  133. package/.github/skills/figma-ui-mapper/references/next.md +18 -0
  134. package/.github/skills/figma-ui-mapper/references/nuxt.md +18 -0
  135. package/.github/skills/figma-ui-mapper/references/react-figma-guideline.md +21 -0
  136. package/.github/skills/figma-ui-mapper/references/react-native.md +18 -0
  137. package/.github/skills/figma-ui-mapper/references/react.md +18 -0
  138. package/.github/skills/figma-ui-mapper/references/script-usage.md +46 -0
  139. package/.github/skills/figma-ui-mapper/references/svelte.md +18 -0
  140. package/.github/skills/figma-ui-mapper/references/vue.md +18 -0
  141. package/.github/skills/figma-ui-mapper/references/workflow.md +74 -0
  142. package/.github/skills/figma-ui-mapper/scripts/generate-page-through-figma.js +635 -0
  143. package/.github/skills/figma-ui-mapper/scripts/generate-react-page-through-figma.js +4 -0
  144. package/.github/skills/frontend-task-breakdown/SKILL.md +734 -0
  145. package/.github/skills/md-file-converter/SKILL.md +291 -0
  146. package/.github/skills/md-file-converter/config/formats.json +114 -0
  147. package/.github/skills/md-file-converter/extractors/extract-docx.sh +120 -0
  148. package/.github/skills/md-file-converter/extractors/extract-eml.py +108 -0
  149. package/.github/skills/md-file-converter/extractors/extract-pdf.sh +97 -0
  150. package/.github/skills/md-file-converter/extractors/extract-pptx.py +143 -0
  151. package/.github/skills/md-file-converter/extractors/extract-xlsx.py +175 -0
  152. package/.github/skills/md-file-converter/scripts/check-tools.sh +47 -0
  153. package/.github/skills/md-file-converter/scripts/extract-archive.sh +83 -0
  154. package/.github/skills/md-file-converter/scripts/extract-ocr.sh +77 -0
  155. package/.github/skills/md-file-converter/scripts/get-metadata.sh +57 -0
  156. package/.github/skills/md-file-converter/templates/output.md +73 -0
  157. package/.github/skills/md-file-converter/templates/unsupported-object.md +6 -0
  158. package/.github/skills/mockAPI-contract-generator/SKILL.md +607 -0
  159. package/.github/skills/test-case-validator/CHANGELOG.md +155 -0
  160. package/.github/skills/test-case-validator/CONFIGURATION.md +130 -0
  161. package/.github/skills/test-case-validator/EXAMPLES.md +50 -0
  162. package/.github/skills/test-case-validator/QUALITY_SCORING.md +98 -0
  163. package/.github/skills/test-case-validator/README.md +111 -0
  164. package/.github/skills/test-case-validator/REPORT_TEMPLATE.md +116 -0
  165. package/.github/skills/test-case-validator/SKILL.md +209 -0
  166. package/.github/skills/test-case-validator/SYSTEM_PROMPT.md +127 -0
  167. package/.github/skills/test-case-validator/TRACEABILITY_ENGINE.md +152 -0
  168. package/.github/skills/test-case-validator/VALIDATION_RULES.md +411 -0
  169. package/.github/skills/test-case-validator/config/default.config.yaml +62 -0
  170. package/.github/skills/test-case-validator/docs/ARCHITECTURE.md +66 -0
  171. package/.github/skills/test-case-validator/docs/EXTENDING.md +85 -0
  172. package/.github/skills/test-case-validator/docs/FAQ.md +88 -0
  173. package/.github/skills/test-case-validator/docs/VERSIONING.md +55 -0
  174. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-brd.md +43 -0
  175. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-test-cases.csv +9 -0
  176. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-user-story.md +29 -0
  177. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/output-report.md +303 -0
  178. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-spec.md +43 -0
  179. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-test-files-index.md +56 -0
  180. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/output-report.md +274 -0
  181. package/.github/skills/test-case-validator/prompts/00-applicability-resolution.md +61 -0
  182. package/.github/skills/test-case-validator/prompts/01-extraction-user-story.md +58 -0
  183. package/.github/skills/test-case-validator/prompts/02-extraction-brd.md +64 -0
  184. package/.github/skills/test-case-validator/prompts/03-extraction-test-cases.md +92 -0
  185. package/.github/skills/test-case-validator/prompts/04-traceability-matrix.md +41 -0
  186. package/.github/skills/test-case-validator/prompts/05-coverage-analysis.md +46 -0
  187. package/.github/skills/test-case-validator/prompts/06-missing-scenario-detection.md +32 -0
  188. package/.github/skills/test-case-validator/prompts/07-duplicate-detection.md +36 -0
  189. package/.github/skills/test-case-validator/prompts/08-risk-analysis.md +39 -0
  190. package/.github/skills/test-case-validator/prompts/09-gated-wiring-validation.md +53 -0
  191. package/.github/skills/test-case-validator/prompts/10-observation-report.md +56 -0
  192. package/.github/skills/test-case-validator/prompts/11-final-report-assembly.md +57 -0
  193. package/.github/skills/test-case-validator/templates/coverage-table.md +25 -0
  194. package/.github/skills/test-case-validator/templates/executive-summary.md +38 -0
  195. package/.github/skills/test-case-validator/templates/final-summary-block.md +87 -0
  196. package/.github/skills/test-case-validator/templates/observation-entry.md +41 -0
  197. package/.github/skills/test-case-validator/templates/rtm-row.md +25 -0
  198. package/.github/skills/validation-engine-builder/README.md +50 -0
  199. package/.github/skills/validation-engine-builder/SKILL.md +241 -0
  200. package/.github/skills/validation-engine-builder/references/core.md +158 -0
  201. package/.github/skills/validation-engine-builder/references/platform-angular.md +166 -0
  202. package/.github/skills/validation-engine-builder/references/platform-flutter.md +118 -0
  203. package/.github/skills/validation-engine-builder/references/platform-react-native.md +170 -0
  204. package/.github/skills/validation-engine-builder/references/platform-react.md +94 -0
  205. package/.github/skills/validation-engine-builder/scripts/apply-to-project.js +80 -0
  206. package/.github/skills/validation-engine-builder/scripts/generate-angular.js +271 -0
  207. package/.github/skills/validation-engine-builder/scripts/generate-flutter.js +298 -0
  208. package/.github/skills/validation-engine-builder/scripts/generate-react-native.js +217 -0
  209. package/.github/skills/validation-engine-builder/scripts/generate-react.js +163 -0
  210. package/.github/skills/validation-engine-builder/scripts/install-deps.js +53 -0
  211. package/.github/skills/validation-engine-builder/scripts/shared/detect-platform.js +68 -0
  212. package/.github/skills/validation-engine-builder/scripts/shared/npm-deps.js +103 -0
  213. package/.github/skills/validation-engine-builder/scripts/shared/rhf-hook.js +43 -0
  214. package/.github/skills/validation-engine-builder/scripts/shared/ts-messages-regex.js +62 -0
  215. package/.github/skills/validation-engine-builder/scripts/shared/util.js +44 -0
  216. package/.github/skills/validation-engine-builder/scripts/shared/yup-schemas.js +80 -0
  217. package/.github/skills/validation-engine-builder/template.md +73 -0
  218. package/.github/skills/validation-engine-builder/templates/messages.json +22 -0
  219. package/.github/skills/validation-engine-builder/templates/regex.json +16 -0
  220. package/.github/skills/validation-engine-builder/templates/schemas.json +48 -0
  221. package/bin/index.js +145 -0
  222. package/package.json +22 -0
  223. package/readme.md +0 -0
@@ -0,0 +1,111 @@
1
+ # Approach 2 — RSA + AES-256-CBC (jsencrypt + crypto-js)
2
+
3
+ ## Overview
4
+
5
+ Uses **jsencrypt** for RSA key wrapping and **crypto-js** for AES-256-CBC.
6
+ Supported on all 6 platforms via equivalent library bindings.
7
+ Requires a generated RSA key pair.
8
+
9
+ ---
10
+
11
+ ## Payload Shape
12
+
13
+ ```json
14
+ {
15
+ "encryptedKey": "<base64 RSA-encrypted AES key bytes>",
16
+ "iv": "<base64 16-byte IV>",
17
+ "salt": "<base64 8-byte PBKDF2 salt>",
18
+ "encryptedData": "<base64 AES-CBC ciphertext>"
19
+ }
20
+ ```
21
+
22
+ ---
23
+
24
+ ## Encryption Flow (TypeScript/JavaScript)
25
+
26
+ ```ts
27
+ import JSEncrypt from 'jsencrypt';
28
+ import CryptoJS from 'crypto-js';
29
+
30
+ function encrypt(body: object, publicKeyPem: string): object {
31
+ // 1. Generate random AES key + IV + salt
32
+ const aesKey = CryptoJS.lib.WordArray.random(32); // 256-bit
33
+ const iv = CryptoJS.lib.WordArray.random(16);
34
+ const salt = CryptoJS.lib.WordArray.random(8);
35
+
36
+ // 2. AES-256-CBC encrypt
37
+ const plaintext = JSON.stringify(body);
38
+ const encrypted = CryptoJS.AES.encrypt(plaintext, aesKey, { iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
39
+
40
+ // 3. RSA-encrypt the AES key bytes
41
+ const jsEncrypt = new JSEncrypt();
42
+ jsEncrypt.setPublicKey(publicKeyPem);
43
+ const encryptedKey = jsEncrypt.encrypt(CryptoJS.enc.Base64.stringify(aesKey));
44
+
45
+ return {
46
+ encryptedKey: encryptedKey || '',
47
+ iv: CryptoJS.enc.Base64.stringify(iv),
48
+ salt: CryptoJS.enc.Base64.stringify(salt),
49
+ encryptedData: encrypted.toString(),
50
+ };
51
+ }
52
+ ```
53
+
54
+ ---
55
+
56
+ ## Decryption Flow (backend — Java/Spring example)
57
+
58
+ ```java
59
+ import javax.crypto.Cipher;
60
+ import javax.crypto.spec.IvParameterSpec;
61
+ import javax.crypto.spec.SecretKeySpec;
62
+ import java.security.PrivateKey;
63
+ import java.util.Base64;
64
+
65
+ public String decrypt(Map<String,String> payload, PrivateKey privateKey) throws Exception {
66
+ byte[] encryptedKeyBytes = Base64.getDecoder().decode(payload.get("encryptedKey"));
67
+ Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
68
+ rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
69
+ byte[] aesKeyBytes = rsaCipher.doFinal(encryptedKeyBytes);
70
+
71
+ byte[] iv = Base64.getDecoder().decode(payload.get("iv"));
72
+ byte[] encryptedData = Base64.getDecoder().decode(payload.get("encryptedData"));
73
+
74
+ SecretKeySpec aesKey = new SecretKeySpec(aesKeyBytes, "AES");
75
+ Cipher aesCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
76
+ aesCipher.init(Cipher.DECRYPT_MODE, aesKey, new IvParameterSpec(iv));
77
+ return new String(aesCipher.doFinal(encryptedData), "UTF-8");
78
+ }
79
+ ```
80
+
81
+ ---
82
+
83
+ ## Key Generation (OpenSSL)
84
+
85
+ ```bash
86
+ openssl genrsa -out private.pem 2048
87
+ openssl rsa -in private.pem -pubout -out public.pem
88
+ ```
89
+
90
+ ---
91
+
92
+ ## Required Config Fields
93
+
94
+ | Field | Required | Notes |
95
+ |---------------|----------|-------------------------------|
96
+ | approach | Yes | Must be `2` |
97
+ | publicKeyPem | Yes | PEM string |
98
+ | privateKeyPem | No | Only if response is encrypted |
99
+
100
+ ---
101
+
102
+ ## Platform Dependencies (install.js uses platform-matrix.json)
103
+
104
+ | Platform | Packages |
105
+ |-----------|------------------------------------|
106
+ | angular | `jsencrypt`, `crypto-js` |
107
+ | web | `jsencrypt`, `crypto-js` |
108
+ | node | `jsencrypt`, `crypto-js` |
109
+ | android | Built-in `javax.crypto` |
110
+ | ios | `CryptoSwift` or `CommonCrypto` |
111
+ | flutter | `encrypt`, `pointycastle` |
@@ -0,0 +1,114 @@
1
+ # Approach 3 — AES-256-CBC Shared Key (crypto-js)
2
+
3
+ ## Overview
4
+
5
+ Symmetric-only approach. Both client and server share the same secret key.
6
+ No RSA key pair required.
7
+ Supported on all 6 platforms.
8
+ Simplest to set up; suitable when PKI infrastructure is not available.
9
+
10
+ ---
11
+
12
+ ## Payload Shape
13
+
14
+ ```json
15
+ {
16
+ "iv": "<base64 16-byte IV>",
17
+ "encryptedData": "<base64 AES-CBC ciphertext>"
18
+ }
19
+ ```
20
+
21
+ ---
22
+
23
+ ## Encryption Flow (TypeScript/JavaScript via crypto-js)
24
+
25
+ ```ts
26
+ import CryptoJS from 'crypto-js';
27
+
28
+ function encrypt(body: object, sharedKey: string): object {
29
+ // 1. Derive a 256-bit key from the shared secret via SHA-256
30
+ const key = CryptoJS.SHA256(sharedKey);
31
+
32
+ // 2. Generate a random 16-byte IV
33
+ const iv = CryptoJS.lib.WordArray.random(16);
34
+
35
+ // 3. AES-256-CBC encrypt
36
+ const encrypted = CryptoJS.AES.encrypt(
37
+ JSON.stringify(body),
38
+ key,
39
+ { iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 }
40
+ );
41
+
42
+ return {
43
+ iv: CryptoJS.enc.Base64.stringify(iv),
44
+ encryptedData: encrypted.toString(),
45
+ };
46
+ }
47
+
48
+ function decrypt(payload: { iv: string; encryptedData: string }, sharedKey: string): object {
49
+ const key = CryptoJS.SHA256(sharedKey);
50
+ const iv = CryptoJS.enc.Base64.parse(payload.iv);
51
+ const decrypted = CryptoJS.AES.decrypt(payload.encryptedData, key, { iv, mode: CryptoJS.mode.CBC });
52
+ return JSON.parse(decrypted.toString(CryptoJS.enc.Utf8));
53
+ }
54
+ ```
55
+
56
+ ---
57
+
58
+ ## Decryption Flow (backend — Node.js)
59
+
60
+ ```js
61
+ const crypto = require('crypto');
62
+
63
+ function decrypt(payload, sharedKey) {
64
+ const key = crypto.createHash('sha256').update(sharedKey).digest();
65
+ const iv = Buffer.from(payload.iv, 'base64');
66
+ const enc = Buffer.from(payload.encryptedData, 'base64');
67
+
68
+ const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
69
+ const decrypted = Buffer.concat([decipher.update(enc), decipher.final()]);
70
+ return JSON.parse(decrypted.toString('utf8'));
71
+ }
72
+ ```
73
+
74
+ ---
75
+
76
+ ## Shared Key Generation (OpenSSL)
77
+
78
+ ```bash
79
+ # Generate a 256-bit (32-byte) random key and encode as base64
80
+ openssl rand -base64 32
81
+ ```
82
+
83
+ Store this value as `sharedKey` in both the config and the server environment.
84
+
85
+ ---
86
+
87
+ ## Required Config Fields
88
+
89
+ | Field | Required | Notes |
90
+ |------------|----------|-------------------------------------|
91
+ | approach | Yes | Must be `3` |
92
+ | sharedKey | Yes | 32+ character string or base64 key |
93
+
94
+ ---
95
+
96
+ ## Security Considerations
97
+
98
+ - The shared key must NEVER be committed to source control
99
+ - Use environment variables or a secrets manager (Azure Key Vault, AWS Secrets Manager)
100
+ - Rotate the key whenever a team member with access leaves
101
+ - Use different keys per environment (dev/staging/prod)
102
+
103
+ ---
104
+
105
+ ## Platform Dependencies (install.js uses platform-matrix.json)
106
+
107
+ | Platform | Packages |
108
+ |-----------|----------------------------------|
109
+ | angular | `crypto-js` |
110
+ | web | `crypto-js` |
111
+ | node | `crypto-js` or built-in `crypto` |
112
+ | android | Built-in `javax.crypto` |
113
+ | ios | Built-in `CommonCrypto` |
114
+ | flutter | `encrypt`, `pointycastle` |
@@ -0,0 +1,233 @@
1
+ # Architecture Reference
2
+
3
+ This skill supports two production crypto backend modes for React Native (approaches 4 and 5).
4
+ The interceptor layer, key management contract, request envelope shape, and secure storage are
5
+ identical across both modes. Only the crypto primitives change.
6
+
7
+ For all other platforms (Angular, Web, Node.js, Android, iOS, Flutter) using approaches 1–3,
8
+ the architecture is simpler: a single interceptor/middleware wraps an `EncryptionService` that
9
+ performs AES-CBC or RSA+AES-CBC synchronously. See the platform-specific reference files.
10
+
11
+ ---
12
+
13
+ ## Mode A: React Native JS (Approach 4 — Current Default)
14
+
15
+ Crypto runs inside JavaScript using `react-native-quick-crypto`. No native module changes required.
16
+
17
+ ### Core Components
18
+
19
+ - **Encryption service** (`src/services/security/encryption.service.ts`)
20
+ - Creates a per-request AES key (32 bytes) and IV (12 bytes) using JS `randomBytes`.
21
+ - Encrypts payload with AES-256-GCM in JS.
22
+ - Produces ciphertext + 16-byte auth tag (appended), Base64-encoded.
23
+ - Runs asynchronously — never blocks the UI thread.
24
+ - **RSA key service** (`src/services/security/rsa-key.service.ts`)
25
+ - Fetches or loads the server RSA public key.
26
+ - Default padding: RSA-OAEP (SHA-256). PKCS1 v1.5 only with explicit written approval for legacy systems.
27
+ - Caches the key in memory only.
28
+ - Retries key fetch with bounded strategy (default 3 attempts).
29
+ - Provides `invalidateRsaKey()` for key rotation handling.
30
+ - **API interceptor** (`src/services/security/encryption.interceptor.ts`)
31
+ - Request interceptor: encrypts eligible methods (POST, PUT, PATCH) asynchronously.
32
+ - Response interceptor: decrypts using in-memory request mapping (`requestId → { aesKey, iv }`).
33
+ - Clears the mapping immediately after each response (success or failure).
34
+ - On `KEY_ID_NOT_FOUND` (401): refreshes RSA key and retries the request exactly once.
35
+ - **Decryption service** (`src/services/security/decryption.service.ts`)
36
+ - Splits auth tag (last 16 bytes) from ciphertext.
37
+ - Decrypts using AES-256-GCM with the per-request AES key and the response IV.
38
+ - **Secure storage** (`src/services/security/keychain.service.ts`)
39
+ - Stores long-lived tokens and sensitive persisted fields via `react-native-keychain`.
40
+ - Never stores AES keys, IVs, or decrypted response payloads.
41
+ - **HMAC service** (`src/services/security/hmac.service.ts`)
42
+ - HMAC-SHA256 request signing when enabled.
43
+ - Secret read from `ENCRYPTION_HMAC_SECRET` env var at runtime — never written to disk.
44
+ - **Config** (`src/services/security/encryption-config.ts`)
45
+ - Feature flags: `ENCRYPTION_ENABLED`, `HMAC_ENABLED`, `ENCRYPTION_LAYER`.
46
+ - `EXCLUDED_PATHS` list for endpoints that bypass encryption.
47
+ - `RSA_KEY_ENDPOINT` for server key fetch URL.
48
+
49
+ ---
50
+
51
+ ## Mode B: React Native Native (Approach 5)
52
+
53
+ Crypto operations run inside the device's OS-level crypto engine (`javax.crypto.Cipher` on
54
+ Android, `CryptoKit` on iOS). The per-request AES key is generated in JS using `randomBytes(32)`
55
+ and passed into every native encrypt/decrypt call as a base64 parameter — it is ephemeral and
56
+ lives only in the JS request map. No RSA key material is stored on the client.
57
+
58
+ ### Core Components
59
+
60
+ All of Mode A, plus:
61
+
62
+ - **NativeCryptoModule (Android)** (`android/.../NativeCryptoModule.kt`)
63
+ - Registered via `NativeCryptoPackage.kt` in `MainApplication`.
64
+ - `encryptAES(plaintext, keyBase64)` — `Cipher.getInstance("AES/GCM/NoPadding")` using caller-provided key; returns `{ ciphertext, iv }` where ciphertext includes the appended 16-byte GCM auth tag, all Base64.
65
+ - `decryptAES(ciphertextBase64, ivBase64, keyBase64)` — `Cipher.DECRYPT_MODE` with `GCMParameterSpec`; GCM verifies auth tag automatically.
66
+ - `encryptRSA(publicKeyPEM, dataBase64)` — `Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")` using the server's PEM public key.
67
+ - **NativeCryptoModule (iOS)** (`ios/NativeCryptoModule.swift`)
68
+ - Bridged via `ios/NativeCryptoModule.m`.
69
+ - `encryptAES(plaintext, keyBase64)` — `CryptoKit.AES.GCM.seal` (iOS 13+) using caller-provided key; returns `{ ciphertext, iv }` where ciphertext includes the appended auth tag, all Base64.
70
+ - `decryptAES(ciphertextBase64, ivBase64, keyBase64)` — `CryptoKit.AES.GCM.open`; splits last 16 bytes as auth tag.
71
+ - `encryptRSA(publicKeyPEM, dataBase64)` — `SecKeyCreateEncryptedData` with `.rsaEncryptionOAEPSHA256`.
72
+ - All methods use `do/try/catch` — `try!` is **never** used.
73
+ - **JS Bridge Interface** (`src/services/security/native-crypto.module.ts`)
74
+ - Exposes `nativeEncryptAES`, `nativeDecryptAES`, `nativeEncryptRSA` to the JS codebase.
75
+ - Same function signatures used in the interceptor regardless of which native platform is running.
76
+ - **API interceptor** (same structure as Mode A)
77
+ - Request interceptor calls `nativeEncryptAES` + `nativeEncryptRSA` instead of JS equivalents.
78
+ - Response interceptor calls `nativeDecryptAES`.
79
+ - Request mapping and cleanup are identical to Mode A.
80
+
81
+ ### Native Data Flow
82
+
83
+ 1. App startup: native module registered; RSA public key loaded and cached.
84
+ 2. Outbound request (POST/PUT/PATCH):
85
+ - JS interceptor generates `aesKey = randomBytes(32)` and `requestId = randomBytes(16).toString('hex')`.
86
+ - Calls `nativeEncryptAES(plaintext, aesKey.toString('base64'))` → `{ ciphertext, iv }`.
87
+ - Calls `nativeEncryptRSA(publicKeyPEM, aesKey.toString('base64'))` → `encryptedKey`.
88
+ - Stores `requestId → { aesKeyBase64, iv }` in request map.
89
+ - Sends envelope `{ data, key, iv, nonce, key_id }` over HTTPS.
90
+ 3. Response:
91
+ - Interceptor retrieves `{ aesKeyBase64, iv }` from request map by `requestId`.
92
+ - Calls `nativeDecryptAES(encResp.data, encResp.iv, aesKeyBase64)` → plaintext.
93
+ - Deletes request map entry immediately.
94
+
95
+ ### Feature Flag
96
+
97
+ ```
98
+ ENCRYPTION_ENABLED=true
99
+ ENCRYPTION_LAYER=native # or: rn (React Native JS mode)
100
+ ```
101
+
102
+ The interceptor reads `ENCRYPTION_LAYER` to decide which crypto path to use.
103
+
104
+ ---
105
+
106
+ ## Request Contract (Both Modes — Identical Envelope)
107
+
108
+ ```json
109
+ {
110
+ "data": "base64(ciphertext + 16-byte GCM auth_tag)",
111
+ "key": "base64(RSA-OAEP encrypted AES key bytes)",
112
+ "iv": "base64(12-byte IV)",
113
+ "nonce": "appId^unix_timestamp_ms.random_hex_16",
114
+ "key_id": "v1"
115
+ }
116
+ ```
117
+
118
+ ## Response Contract (Both Modes — When Response Is Encrypted)
119
+
120
+ ```json
121
+ {
122
+ "data": "base64(ciphertext + 16-byte GCM auth_tag)",
123
+ "iv": "base64(fresh 12-byte IV — server-generated, never the request IV)",
124
+ "nonce": "server_nonce"
125
+ }
126
+ ```
127
+
128
+ ---
129
+
130
+ ## Security Constraints (Both Modes)
131
+
132
+ - Never persist AES keys or IVs.
133
+ - Never reuse IVs (response must use a fresh server-generated IV).
134
+ - Never log cryptographic secrets.
135
+ - Fail secure on auth tag mismatch — trigger session reset/force logout.
136
+ - Block encrypted endpoints when RSA key is unavailable (after retries exhausted).
137
+ - Clear request key mapping immediately after response processing (success or failure).
138
+ - All crypto operations must be asynchronous and non-blocking.
139
+ - SSL pinning recommended for high-security environments (pin current + backup fingerprints).
140
+ - On `KEY_ID_NOT_FOUND`: refresh RSA key and retry exactly once. No retry loop.
141
+
142
+ ### Additional Constraints — Native Mode Only
143
+
144
+ - Per-request AES keys are ephemeral: generated in JS, passed to native as parameters, and discarded after response. They are **never stored in Android Keystore or iOS Secure Enclave**.
145
+ - Android Keystore is for persistent long-lived keys, not per-request ephemeral keys.
146
+ - Native modules must be registered in `MainApplication.java` / `MainApplication.kt` (Android) and the Xcode `.m` bridge file (iOS) before the first encrypted request.
147
+ - Validate that `NativeModules.NativeCryptoModule` is accessible from JS at startup.
148
+
149
+ ---
150
+
151
+ ## Backend Integration
152
+
153
+ For the full specification the backend team must implement, see `references/backend-alignment.md`.
154
+
155
+ ---
156
+
157
+ ## Model B: EC — ECDH + HKDF-SHA256 (Key Derivation, Approach 6)
158
+
159
+ AES session key is derived via ECDH between a per-request ephemeral EC key pair (client) and the server's static EC public key. HKDF-SHA256 is applied to the shared secret to produce a 32-byte AES key. The derived key is **never transmitted** — only the 65-byte uncompressed ephemeral public key goes in the envelope.
160
+
161
+ ### Key Exchange Flow
162
+
163
+ 1. Client fetches server's static EC public key (base64, 65-byte uncompressed P-256 point) from API endpoint and caches it in memory.
164
+ 2. Per request: client generates a fresh ephemeral EC key pair (P-256).
165
+ 3. ECDH: `sharedSecret = ecdh.computeSecret(serverPublicKey)` → 32-byte shared secret.
166
+ 4. HKDF-SHA256: `aesKey = HKDF(IKM=sharedSecret, salt=nonceBytes, info='enc')` → 32 bytes.
167
+ 5. AES-256-GCM: encrypt payload with `aesKey` and fresh 12-byte IV.
168
+ 6. Ephemeral public key and ciphertext go into the envelope. Ephemeral private key is discarded.
169
+ 7. `aesKey` is stored in the in-memory request map for response decryption, then cleared immediately after.
170
+
171
+ ### Request Envelope (EC)
172
+
173
+ ```json
174
+ {
175
+ "data": "base64(ciphertext+tag)",
176
+ "ephemeral_public_key": "base64(65-byte uncompressed P-256 ephemeral public key)",
177
+ "iv": "base64(12-byte IV)",
178
+ "nonce": "appId^timestamp_ms.random_hex",
179
+ "key_id": "v1"
180
+ }
181
+ ```
182
+
183
+ Note: **no `key` field** — the AES key is derived by both sides independently via ECDH+HKDF.
184
+
185
+ ### EC Key Service
186
+
187
+ - `ec-key.service.ts` — mirrors `RsaKeyService`. Fetches server's static EC public key from `/api/security/ec-public-key`. Validates decoded length is 65 bytes and first byte is `0x04`. Caches in memory. Retries with bounded policy.
188
+ - On `KEY_ID_NOT_FOUND` (401): refresh EC key and retry the original request exactly once.
189
+
190
+ ### EC Crypto Utility
191
+
192
+ ```
193
+ ec-crypto.util.ts
194
+ — Helpers (exported) —
195
+ toBase64() — Hermes-safe base64 encoder (btoa-based); use everywhere instead of Buffer.toString('base64')
196
+ toBuffer() — Convert quick-crypto output to standard Buffer
197
+ byteCopy() — Copy Buffer slice into fresh Uint8Array before passing to quick-crypto native code
198
+ urlSafeBase64ToStd() — Normalize base64url → standard base64 with padding
199
+
200
+ — Per-request EC —
201
+ ecEncryptPayload() — ECDH + HKDF-SHA256 + AES-256-GCM; returns envelope + RequestCryptoMaterial
202
+ ecDecryptResponse() — Decrypt server response using stored AES key + nonce-as-IV
203
+ ecDeriveKey() — ECDH + HKDF-SHA256 only (for EC + Native mode; no AES)
204
+ hkdfSha256() — HKDF-Extract + single-block HKDF-Expand using HMAC-SHA256
205
+
206
+ — Session-init EC —
207
+ deriveSessionKey() — ECDH + HKDF with backend-specific info string; called once after session init
208
+ buildSessionAad() — Build canonical JSON AAD buffer with alphabetically sorted keys
209
+ sessionEncrypt() — AES-256-GCM encrypt using session key + nonce-as-IV + AAD
210
+ sessionDecrypt() — AES-256-GCM decrypt with strategy probe (hardcode once confirmed)
211
+ ```
212
+
213
+ ### EC Native Mode
214
+
215
+ - **No new native modules required** if `NativeCryptoModule` already exists.
216
+ - ECDH + HKDF-SHA256 run in JS (`react-native-quick-crypto`) to produce `derivedAesKeyBase64`.
217
+ - `derivedAesKeyBase64` is passed into existing `nativeEncryptAES` / `nativeDecryptAES` as the key parameter.
218
+ - The interceptor calls `ecDeriveKey()` in JS first, then calls `nativeEncryptAES` with the derived key.
219
+ - `ENCRYPTION_LAYER=native` + `ENCRYPTION_MODEL=ec` env flags route to this path.
220
+
221
+ ---
222
+
223
+ ## HMAC Request Signing (When Enabled)
224
+
225
+ When `HMAC_ENABLED=true`, sign each request **after** the encrypted envelope is built. The HMAC secret comes from the env (`ENCRYPTION_HMAC_SECRET`) — never hardcoded.
226
+
227
+ ### Canonical String Format
228
+
229
+ ```
230
+ METHOD|url|nonce|keyId|data|iv|key
231
+ ```
232
+
233
+ Where `key` is the RSA-wrapped AES key field (RSA mode) or an **empty string** for EC mode (no `key` field). The trailing separator IS included in EC mode: `METHOD|url|nonce|keyId|data|iv|`. Both the client and the backend MUST use this same canonical string format including the trailing `|` when no `key` field exists, otherwise HMAC verification will always fail for EC mode.