devendra-skill-package 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (223) hide show
  1. package/.github/skills/boiler-project-generator/SKILL.md +103 -0
  2. package/.github/skills/boiler-project-generator/assets/templates/android/README.md +3 -0
  3. package/.github/skills/boiler-project-generator/assets/templates/angular/README.md +3 -0
  4. package/.github/skills/boiler-project-generator/assets/templates/flutter/README.md +3 -0
  5. package/.github/skills/boiler-project-generator/assets/templates/ios/README.md +3 -0
  6. package/.github/skills/boiler-project-generator/assets/templates/react/README.md +3 -0
  7. package/.github/skills/boiler-project-generator/assets/templates/react-native/README.md +3 -0
  8. package/.github/skills/boiler-project-generator/assets/templates/react-native/api-setup.ts +76 -0
  9. package/.github/skills/boiler-project-generator/assets/templates/react-native/component-primary-button.tsx +29 -0
  10. package/.github/skills/boiler-project-generator/assets/templates/react-native/env-config.env +4 -0
  11. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-auth-screen.tsx +45 -0
  12. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-dashboard-screen.tsx +45 -0
  13. package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-profile-screen.tsx +45 -0
  14. package/.github/skills/boiler-project-generator/assets/templates/react-native/hook-use-app-boot.ts +11 -0
  15. package/.github/skills/boiler-project-generator/assets/templates/react-native/navigation-setup.tsx +25 -0
  16. package/.github/skills/boiler-project-generator/assets/templates/react-native/project-structure.md +24 -0
  17. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-hooks.ts +5 -0
  18. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-session-slice.ts +29 -0
  19. package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-store.ts +15 -0
  20. package/.github/skills/boiler-project-generator/assets/templates/react-native/theme-index.ts +23 -0
  21. package/.github/skills/boiler-project-generator/assets/templates/react-native/utils-helpers.ts +7 -0
  22. package/.github/skills/boiler-project-generator/metadata.yaml +29 -0
  23. package/.github/skills/boiler-project-generator/references/android.md +19 -0
  24. package/.github/skills/boiler-project-generator/references/angular.md +14 -0
  25. package/.github/skills/boiler-project-generator/references/flutter.md +17 -0
  26. package/.github/skills/boiler-project-generator/references/ios.md +17 -0
  27. package/.github/skills/boiler-project-generator/references/react-native.md +103 -0
  28. package/.github/skills/boiler-project-generator/references/react.md +17 -0
  29. package/.github/skills/boiler-project-generator/scripts/angular.js +43 -0
  30. package/.github/skills/boiler-project-generator/scripts/generate-project.mjs +107 -0
  31. package/.github/skills/boiler-project-generator/scripts/init.js +105 -0
  32. package/.github/skills/boiler-project-generator/scripts/react-native.js +1041 -0
  33. package/.github/skills/boiler-project-generator/scripts/react.js +32 -0
  34. package/.github/skills/clean-architecture-generator/SKILL.md +235 -0
  35. package/.github/skills/clean-architecture-generator/references/architecture-core.md +126 -0
  36. package/.github/skills/clean-architecture-generator/references/platform-angular.md +374 -0
  37. package/.github/skills/clean-architecture-generator/references/platform-flutter.md +366 -0
  38. package/.github/skills/clean-architecture-generator/references/platform-react-native.md +590 -0
  39. package/.github/skills/clean-architecture-generator/references/platform-react.md +261 -0
  40. package/.github/skills/code-test-coverage-analyzer/SKILL.md +1358 -0
  41. package/.github/skills/code-test-coverage-analyzer/assets/config-questionnaire.md +118 -0
  42. package/.github/skills/code-test-coverage-analyzer/assets/conflict-resolution-protocol.md +99 -0
  43. package/.github/skills/code-test-coverage-analyzer/assets/coverage-calculation-rules.md +294 -0
  44. package/.github/skills/code-test-coverage-analyzer/assets/multi-strategy-search.md +145 -0
  45. package/.github/skills/code-test-coverage-analyzer/assets/output-file-contracts.md +651 -0
  46. package/.github/skills/code-test-coverage-analyzer/assets/status-definitions.md +273 -0
  47. package/.github/skills/code-test-coverage-analyzer/examples/example-invocation.md +208 -0
  48. package/.github/skills/code-test-coverage-analyzer/references/android-patterns.md +229 -0
  49. package/.github/skills/code-test-coverage-analyzer/references/angular-patterns.md +177 -0
  50. package/.github/skills/code-test-coverage-analyzer/references/backend-patterns.md +383 -0
  51. package/.github/skills/code-test-coverage-analyzer/references/flutter-patterns.md +254 -0
  52. package/.github/skills/code-test-coverage-analyzer/references/ios-patterns.md +228 -0
  53. package/.github/skills/code-test-coverage-analyzer/references/react-native-patterns.md +431 -0
  54. package/.github/skills/code-test-coverage-analyzer/references/react-patterns.md +206 -0
  55. package/.github/skills/code-test-coverage-analyzer/scripts/detect-platform.ps1 +261 -0
  56. package/.github/skills/code-test-coverage-analyzer/scripts/scan-repository.ps1 +242 -0
  57. package/.github/skills/code-test-coverage-analyzer/templates/brd-compliance-row.md +107 -0
  58. package/.github/skills/code-test-coverage-analyzer/templates/test-case-row.md +130 -0
  59. package/.github/skills/code-test-coverage-analyzer/templates/user-story-compliance-row.md +170 -0
  60. package/.github/skills/custom-font-integrator/SKILL.md +373 -0
  61. package/.github/skills/custom-font-integrator/assets/FontTestScreen.js +150 -0
  62. package/.github/skills/custom-font-integrator/references/example-info-plist.xml +21 -0
  63. package/.github/skills/custom-font-integrator/scripts/setup-fonts.sh +99 -0
  64. package/.github/skills/encryption-decryption-utility/Instructions.md +282 -0
  65. package/.github/skills/encryption-decryption-utility/README.md +222 -0
  66. package/.github/skills/encryption-decryption-utility/SKILL.md +645 -0
  67. package/.github/skills/encryption-decryption-utility/assets/encryption-config-template.json +13 -0
  68. package/.github/skills/encryption-decryption-utility/assets/platform-matrix.json +180 -0
  69. package/.github/skills/encryption-decryption-utility/metadata.yaml +51 -0
  70. package/.github/skills/encryption-decryption-utility/references/android-crypto.md +157 -0
  71. package/.github/skills/encryption-decryption-utility/references/angular-crypto.md +130 -0
  72. package/.github/skills/encryption-decryption-utility/references/approach-1-webcrypto.md +95 -0
  73. package/.github/skills/encryption-decryption-utility/references/approach-2-rsa-aes-cbc.md +111 -0
  74. package/.github/skills/encryption-decryption-utility/references/approach-3-aes-sharedkey.md +114 -0
  75. package/.github/skills/encryption-decryption-utility/references/architecture.md +233 -0
  76. package/.github/skills/encryption-decryption-utility/references/backend-alignment.md +506 -0
  77. package/.github/skills/encryption-decryption-utility/references/dependency-guidance.md +234 -0
  78. package/.github/skills/encryption-decryption-utility/references/ec-implementation.md +832 -0
  79. package/.github/skills/encryption-decryption-utility/references/error-handling-playbook.md +234 -0
  80. package/.github/skills/encryption-decryption-utility/references/flutter-crypto.md +105 -0
  81. package/.github/skills/encryption-decryption-utility/references/ios-crypto.md +338 -0
  82. package/.github/skills/encryption-decryption-utility/references/native-rsa-implementation.md +373 -0
  83. package/.github/skills/encryption-decryption-utility/references/node-crypto.md +86 -0
  84. package/.github/skills/encryption-decryption-utility/references/react-crypto.md +105 -0
  85. package/.github/skills/encryption-decryption-utility/references/react-native-crypto.md +1001 -0
  86. package/.github/skills/encryption-decryption-utility/references/react-web-crypto.md +668 -0
  87. package/.github/skills/encryption-decryption-utility/references/security-checklist.md +176 -0
  88. package/.github/skills/encryption-decryption-utility/references/web-crypto.md +74 -0
  89. package/.github/skills/encryption-decryption-utility/scripts/detect.js +128 -0
  90. package/.github/skills/encryption-decryption-utility/scripts/install.js +1713 -0
  91. package/.github/skills/encryption-decryption-utility/scripts/setup.js +800 -0
  92. package/.github/skills/encryption-decryption-utility/template.md +241 -0
  93. package/.github/skills/encryption-decryption-utility/templates/config-questionnaire.md +467 -0
  94. package/.github/skills/encryption-decryption-utility/templates/delivery-checklist.md +206 -0
  95. package/.github/skills/encryption-decryption-utility/templates/implementation-plan.md +304 -0
  96. package/.github/skills/feature-generator/SKILL.MD +2741 -0
  97. package/.github/skills/feature-generator/assets/fingerprint-schema.json +385 -0
  98. package/.github/skills/feature-generator/assets/spec-template.md +172 -0
  99. package/.github/skills/feature-generator/assets/transform-rules.json +82 -0
  100. package/.github/skills/feature-generator/references/api-envelope-patterns.md +327 -0
  101. package/.github/skills/feature-generator/references/screen-logic-patterns.md +399 -0
  102. package/.github/skills/feature-generator/references/state-library-patterns.md +464 -0
  103. package/.github/skills/figma-ui-mapper/README.md +34 -0
  104. package/.github/skills/figma-ui-mapper/SKILL.md +101 -0
  105. package/.github/skills/figma-ui-mapper/assets/templates/component-map-template.md +30 -0
  106. package/.github/skills/figma-ui-mapper/assets/templates/generation-report-template.md +49 -0
  107. package/.github/skills/figma-ui-mapper/metadata.yaml +22 -0
  108. package/.github/skills/figma-ui-mapper/references/android.md +11 -0
  109. package/.github/skills/figma-ui-mapper/references/angular.md +18 -0
  110. package/.github/skills/figma-ui-mapper/references/capacitor.md +18 -0
  111. package/.github/skills/figma-ui-mapper/references/common.md +23 -0
  112. package/.github/skills/figma-ui-mapper/references/expo.md +18 -0
  113. package/.github/skills/figma-ui-mapper/references/flutter.md +18 -0
  114. package/.github/skills/figma-ui-mapper/references/frameworks/angular/rules.md +23 -0
  115. package/.github/skills/figma-ui-mapper/references/frameworks/capacitor/rules.md +23 -0
  116. package/.github/skills/figma-ui-mapper/references/frameworks/expo/rules.md +23 -0
  117. package/.github/skills/figma-ui-mapper/references/frameworks/flutter/rules.md +23 -0
  118. package/.github/skills/figma-ui-mapper/references/frameworks/ionic/rules.md +23 -0
  119. package/.github/skills/figma-ui-mapper/references/frameworks/kotlin-multiplatform/rules.md +23 -0
  120. package/.github/skills/figma-ui-mapper/references/frameworks/native-android/rules.md +23 -0
  121. package/.github/skills/figma-ui-mapper/references/frameworks/native-ios/rules.md +23 -0
  122. package/.github/skills/figma-ui-mapper/references/frameworks/next/rules.md +23 -0
  123. package/.github/skills/figma-ui-mapper/references/frameworks/nuxt/rules.md +23 -0
  124. package/.github/skills/figma-ui-mapper/references/frameworks/react/rules.md +19 -0
  125. package/.github/skills/figma-ui-mapper/references/frameworks/react-native/rules.md +23 -0
  126. package/.github/skills/figma-ui-mapper/references/frameworks/svelte/rules.md +23 -0
  127. package/.github/skills/figma-ui-mapper/references/frameworks/vue/rules.md +23 -0
  128. package/.github/skills/figma-ui-mapper/references/ionic.md +18 -0
  129. package/.github/skills/figma-ui-mapper/references/ios.md +11 -0
  130. package/.github/skills/figma-ui-mapper/references/kotlin-multiplatform.md +18 -0
  131. package/.github/skills/figma-ui-mapper/references/native-android.md +18 -0
  132. package/.github/skills/figma-ui-mapper/references/native-ios.md +18 -0
  133. package/.github/skills/figma-ui-mapper/references/next.md +18 -0
  134. package/.github/skills/figma-ui-mapper/references/nuxt.md +18 -0
  135. package/.github/skills/figma-ui-mapper/references/react-figma-guideline.md +21 -0
  136. package/.github/skills/figma-ui-mapper/references/react-native.md +18 -0
  137. package/.github/skills/figma-ui-mapper/references/react.md +18 -0
  138. package/.github/skills/figma-ui-mapper/references/script-usage.md +46 -0
  139. package/.github/skills/figma-ui-mapper/references/svelte.md +18 -0
  140. package/.github/skills/figma-ui-mapper/references/vue.md +18 -0
  141. package/.github/skills/figma-ui-mapper/references/workflow.md +74 -0
  142. package/.github/skills/figma-ui-mapper/scripts/generate-page-through-figma.js +635 -0
  143. package/.github/skills/figma-ui-mapper/scripts/generate-react-page-through-figma.js +4 -0
  144. package/.github/skills/frontend-task-breakdown/SKILL.md +734 -0
  145. package/.github/skills/md-file-converter/SKILL.md +291 -0
  146. package/.github/skills/md-file-converter/config/formats.json +114 -0
  147. package/.github/skills/md-file-converter/extractors/extract-docx.sh +120 -0
  148. package/.github/skills/md-file-converter/extractors/extract-eml.py +108 -0
  149. package/.github/skills/md-file-converter/extractors/extract-pdf.sh +97 -0
  150. package/.github/skills/md-file-converter/extractors/extract-pptx.py +143 -0
  151. package/.github/skills/md-file-converter/extractors/extract-xlsx.py +175 -0
  152. package/.github/skills/md-file-converter/scripts/check-tools.sh +47 -0
  153. package/.github/skills/md-file-converter/scripts/extract-archive.sh +83 -0
  154. package/.github/skills/md-file-converter/scripts/extract-ocr.sh +77 -0
  155. package/.github/skills/md-file-converter/scripts/get-metadata.sh +57 -0
  156. package/.github/skills/md-file-converter/templates/output.md +73 -0
  157. package/.github/skills/md-file-converter/templates/unsupported-object.md +6 -0
  158. package/.github/skills/mockAPI-contract-generator/SKILL.md +607 -0
  159. package/.github/skills/test-case-validator/CHANGELOG.md +155 -0
  160. package/.github/skills/test-case-validator/CONFIGURATION.md +130 -0
  161. package/.github/skills/test-case-validator/EXAMPLES.md +50 -0
  162. package/.github/skills/test-case-validator/QUALITY_SCORING.md +98 -0
  163. package/.github/skills/test-case-validator/README.md +111 -0
  164. package/.github/skills/test-case-validator/REPORT_TEMPLATE.md +116 -0
  165. package/.github/skills/test-case-validator/SKILL.md +209 -0
  166. package/.github/skills/test-case-validator/SYSTEM_PROMPT.md +127 -0
  167. package/.github/skills/test-case-validator/TRACEABILITY_ENGINE.md +152 -0
  168. package/.github/skills/test-case-validator/VALIDATION_RULES.md +411 -0
  169. package/.github/skills/test-case-validator/config/default.config.yaml +62 -0
  170. package/.github/skills/test-case-validator/docs/ARCHITECTURE.md +66 -0
  171. package/.github/skills/test-case-validator/docs/EXTENDING.md +85 -0
  172. package/.github/skills/test-case-validator/docs/FAQ.md +88 -0
  173. package/.github/skills/test-case-validator/docs/VERSIONING.md +55 -0
  174. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-brd.md +43 -0
  175. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-test-cases.csv +9 -0
  176. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-user-story.md +29 -0
  177. package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/output-report.md +303 -0
  178. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-spec.md +43 -0
  179. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-test-files-index.md +56 -0
  180. package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/output-report.md +274 -0
  181. package/.github/skills/test-case-validator/prompts/00-applicability-resolution.md +61 -0
  182. package/.github/skills/test-case-validator/prompts/01-extraction-user-story.md +58 -0
  183. package/.github/skills/test-case-validator/prompts/02-extraction-brd.md +64 -0
  184. package/.github/skills/test-case-validator/prompts/03-extraction-test-cases.md +92 -0
  185. package/.github/skills/test-case-validator/prompts/04-traceability-matrix.md +41 -0
  186. package/.github/skills/test-case-validator/prompts/05-coverage-analysis.md +46 -0
  187. package/.github/skills/test-case-validator/prompts/06-missing-scenario-detection.md +32 -0
  188. package/.github/skills/test-case-validator/prompts/07-duplicate-detection.md +36 -0
  189. package/.github/skills/test-case-validator/prompts/08-risk-analysis.md +39 -0
  190. package/.github/skills/test-case-validator/prompts/09-gated-wiring-validation.md +53 -0
  191. package/.github/skills/test-case-validator/prompts/10-observation-report.md +56 -0
  192. package/.github/skills/test-case-validator/prompts/11-final-report-assembly.md +57 -0
  193. package/.github/skills/test-case-validator/templates/coverage-table.md +25 -0
  194. package/.github/skills/test-case-validator/templates/executive-summary.md +38 -0
  195. package/.github/skills/test-case-validator/templates/final-summary-block.md +87 -0
  196. package/.github/skills/test-case-validator/templates/observation-entry.md +41 -0
  197. package/.github/skills/test-case-validator/templates/rtm-row.md +25 -0
  198. package/.github/skills/validation-engine-builder/README.md +50 -0
  199. package/.github/skills/validation-engine-builder/SKILL.md +241 -0
  200. package/.github/skills/validation-engine-builder/references/core.md +158 -0
  201. package/.github/skills/validation-engine-builder/references/platform-angular.md +166 -0
  202. package/.github/skills/validation-engine-builder/references/platform-flutter.md +118 -0
  203. package/.github/skills/validation-engine-builder/references/platform-react-native.md +170 -0
  204. package/.github/skills/validation-engine-builder/references/platform-react.md +94 -0
  205. package/.github/skills/validation-engine-builder/scripts/apply-to-project.js +80 -0
  206. package/.github/skills/validation-engine-builder/scripts/generate-angular.js +271 -0
  207. package/.github/skills/validation-engine-builder/scripts/generate-flutter.js +298 -0
  208. package/.github/skills/validation-engine-builder/scripts/generate-react-native.js +217 -0
  209. package/.github/skills/validation-engine-builder/scripts/generate-react.js +163 -0
  210. package/.github/skills/validation-engine-builder/scripts/install-deps.js +53 -0
  211. package/.github/skills/validation-engine-builder/scripts/shared/detect-platform.js +68 -0
  212. package/.github/skills/validation-engine-builder/scripts/shared/npm-deps.js +103 -0
  213. package/.github/skills/validation-engine-builder/scripts/shared/rhf-hook.js +43 -0
  214. package/.github/skills/validation-engine-builder/scripts/shared/ts-messages-regex.js +62 -0
  215. package/.github/skills/validation-engine-builder/scripts/shared/util.js +44 -0
  216. package/.github/skills/validation-engine-builder/scripts/shared/yup-schemas.js +80 -0
  217. package/.github/skills/validation-engine-builder/template.md +73 -0
  218. package/.github/skills/validation-engine-builder/templates/messages.json +22 -0
  219. package/.github/skills/validation-engine-builder/templates/regex.json +16 -0
  220. package/.github/skills/validation-engine-builder/templates/schemas.json +48 -0
  221. package/bin/index.js +145 -0
  222. package/package.json +22 -0
  223. package/readme.md +0 -0
@@ -0,0 +1,467 @@
1
+ # Config Questionnaire
2
+
3
+ Collect all answers before writing any files.
4
+ Apply documented defaults automatically for unanswered non-critical fields.
5
+ Block implementation only when a security-critical value has no safe default (e.g. RSA public key in env mode).
6
+
7
+ > **Questioning rule**: Ask questions **one at a time**. Present a single question, wait for the answer, then proceed to the next. Never bundle multiple questions into a single prompt.
8
+
9
+ ---
10
+
11
+ ## Pre-Question: React Native Version Check (React Native projects only)
12
+
13
+ Before asking encryption questions, verify the RN version and existing dependencies:
14
+
15
+ ```bash
16
+ node -p "require('./package.json').dependencies['react-native']"
17
+ npm ls react-native-quick-crypto react-native-nitro-modules react-native-worklets buffer 2>&1
18
+ ```
19
+
20
+ If RN >= 0.76 and quick-crypto >= 1.0: `react-native-nitro-modules` and `react-native-worklets` MUST be installed as peer deps.
21
+ If RN < 0.76 or quick-crypto < 1.0: Nitro Modules is NOT needed.
22
+
23
+ ---
24
+
25
+ ## Question 0 — Platform (Ask First)
26
+
27
+ Which platform is this project?
28
+ - Default: react-native
29
+ - Options: angular, web, node, android, ios, flutter, react, react-native
30
+
31
+ Validate against `assets/platform-matrix.json` before proceeding.
32
+
33
+ ---
34
+
35
+ ## Question 0a — React JS Production Mode Detection (React platform only)
36
+
37
+ Is this a React JS (web browser) project that needs production-grade encryption?
38
+ - If yes and user wants full request/response lifecycle with Web Crypto API → **recommend approach 7**
39
+ - If yes and user wants a quick/simple setup → approaches 1, 2, or 3 remain valid
40
+ - Default: if platform is `react` and no preference stated, ask this question before Question 1
41
+
42
+ > Approach 7 uses the built-in Web Crypto API (no extra crypto packages). It handles both request encryption and response decryption, supports RSA-OAEP and ECDH-Session modes, and enforces browser-safe storage — suitable for production deployments.
43
+
44
+ ---
45
+
46
+ ## Question 0b — Encryption Model (React Native only — ask before approach)
47
+
48
+ Which encryption model should be used?
49
+ - Default: **RSA**
50
+ - **RSA** — AES session key wrapped with server's RSA public key (RSA-OAEP). Proven, PEM format. → approaches 4/5
51
+ - **EC (ECDH)** — AES session key derived via ECDH P-256 + HKDF-SHA256. Ephemeral key pair per request; only the 65-byte uncompressed public key is transmitted — the derived AES key is never sent. → approach 6
52
+
53
+ > If user does not answer, default to **RSA** and proceed.
54
+
55
+ ---
56
+
57
+ ## Question 1 — Approach
58
+
59
+ Which encryption approach should be used?
60
+
61
+ | # | Mode | Description |
62
+ |---|------|-------------|
63
+ | 1 | RSA-OAEP + AES-256-GCM | Web Crypto API (angular, web, ios) |
64
+ | 2 | RSA + AES-256-CBC | jsencrypt + crypto-js |
65
+ | 3 | AES-256-CBC shared key | crypto-js only |
66
+ | 4 | **Production JS (React Native)** | AES-256-GCM + RSA-OAEP via react-native-quick-crypto, per-request ephemeral keys, response decryption, keychain |
67
+ | 5 | **Production Native (React Native)** | OS-level crypto: javax.crypto.Cipher (Android) + CryptoKit (iOS) |
68
+ | 6 | **EC / ECDH (React Native)** | ECDH P-256 + HKDF-SHA256 + AES-256-GCM; per-request or session-init; EC+Native reuses NativeCryptoModule |
69
+ | 7 | **React JS Web Production** | AES-256-GCM + RSA-OAEP or ECDH-Session via built-in Web Crypto API; per-request ephemeral keys; response decryption; browser-safe storage; zero extra crypto packages |
70
+
71
+ Default (React Native): approach 4
72
+ Default (React / other platforms): lowest valid approach for the platform
73
+
74
+ Validate against `platform.approaches[]` in `platform-matrix.json`.
75
+
76
+ ---
77
+
78
+ ## Question 2 — Encryption Layer (React Native approaches 4, 5, and 6)
79
+
80
+ Which encryption layer should be used?
81
+ - Default: React Native (JS) → approach 4 (RSA) or 6 (EC)
82
+ - **React Native (JS)** — crypto runs in JavaScript using `react-native-quick-crypto`. Simpler setup.
83
+ - **Native** — AES runs in the OS-level engine. For RSA: `javax.crypto.Cipher` (Android) + CryptoKit (iOS) → approach 5. For EC: ECDH+HKDF run in JS; only AES runs natively (reuses existing `NativeCryptoModule`).
84
+
85
+ If user omits this answer, apply default (React Native JS) and continue.
86
+
87
+ ---
88
+
89
+ ## Question 3 — RSA Padding (Approaches 1, 2, 4, 5)
90
+
91
+ Which RSA padding should be used?
92
+ - Default: RSA-OAEP
93
+ - **RSA-OAEP** (mandatory — use this unless there is a documented legacy constraint)
94
+ - RSA PKCS1 v1.5 (legacy only — requires explicit written approval; not acceptable for new deployments in 2026)
95
+
96
+ ---
97
+
98
+ ## Question 4 — RSA Public Key Source (Approaches 1, 2, 4, 5)
99
+
100
+ Where should the RSA public key come from?
101
+ - Default: API
102
+ - **API** (recommended — fetched at runtime, cached in memory, refreshable)
103
+ - Environment variable (embedded as PEM/Base64 in `.env`)
104
+
105
+ ---
106
+
107
+ ## Question 5 — If API Source Selected
108
+
109
+ a. Public key endpoint URL
110
+ - Default: `<API_BASE_URL>/api/security/public-key`
111
+
112
+ b. Response format
113
+ - Default: `{ public_key: string, key_id: string, expires_at?: string }`
114
+
115
+ c. Cache key in memory?
116
+ - Default: Yes
117
+
118
+ d. Retry count on fetch failure
119
+ - Default: 3
120
+
121
+ ---
122
+
123
+ ## Question 6 — If Environment Source Selected
124
+
125
+ a. RSA public key value (PEM starting with `-----BEGIN PUBLIC KEY-----`)
126
+ - Default: none — must be provided
127
+ - Validate PEM headers before accepting
128
+
129
+ ---
130
+
131
+ ## Question 7 — Shared Key (Approach 3 only)
132
+
133
+ Enter the shared secret key.
134
+ - Minimum: 32 characters
135
+ - Default: none — must be provided
136
+ - Validate length before accepting
137
+
138
+ ---
139
+
140
+ ## Question 8 — API Client Type (Approaches 4 and 5)
141
+
142
+ Which API client is used?
143
+ - Default: Axios
144
+ - Axios
145
+ - Fetch
146
+ - Custom service layer
147
+
148
+ ---
149
+
150
+ ## Question 9 — API Layer Path (Approaches 4 and 5)
151
+
152
+ Where is the API layer file located?
153
+ - Default: `src/services/api.ts`
154
+ - Validate the path exists in the project before accepting
155
+
156
+ ---
157
+
158
+ ## Question 10 — Secure Storage (Approaches 4 and 5)
159
+
160
+ Confirm secure storage with react-native-keychain for:
161
+ - Tokens: Default Yes
162
+ - Sensitive persisted data: Default Yes
163
+
164
+ ---
165
+
166
+ ## Question 11 — Encryption Toggle Policy
167
+
168
+ Should encryption be:
169
+ - Default: Controlled by env flag (`ENCRYPTION_ENABLED`)
170
+ - **Controlled by env flag** (recommended — allows disabling in dev)
171
+ - Always enabled
172
+
173
+ ---
174
+
175
+ ## Question 12 — Platform Scope (React Native)
176
+
177
+ Which platforms should encryption be applied to?
178
+ - Default: Both Android and iOS
179
+ - Both Android and iOS
180
+ - Android only
181
+ - iOS only
182
+
183
+ ---
184
+
185
+ ## Question 13 — Minimum iOS Version (Approach 5 only)
186
+
187
+ What is the minimum iOS deployment target?
188
+ - Default: 13 (required for CryptoKit)
189
+ - If below 13: plan CommonCrypto fallback (`CCCryptorGCM` for AES-GCM + `SecKeyCreateEncryptedData` for RSA-OAEP)
190
+
191
+ ---
192
+
193
+ ## Question 14 — Android Package (Approach 5 only)
194
+
195
+ Android Kotlin package name for NativeCryptoModule.
196
+ - Default: `com.example.security`
197
+
198
+ Also verify `minSdkVersion >= 23` in `android/app/build.gradle` before proceeding.
199
+
200
+ ---
201
+
202
+ ## Question 15 — HMAC Request Signing
203
+
204
+ Enable HMAC-SHA256 request signing?
205
+ - Default: No
206
+ - If Yes: set `ENCRYPTION_HMAC_SECRET` as an env var at runtime — never hardcode or commit
207
+
208
+ ---
209
+
210
+ ## Question 16 — URL Exclusions
211
+
212
+ Are there any URL prefixes that should bypass encryption?
213
+ - Default: none
214
+ - Example: `/api/auth/login, /api/health, /api/public`
215
+
216
+ ---
217
+
218
+ ## Questions for Approach 7 (React JS Web Production Mode)
219
+
220
+ Ask these questions only when `platform = react` and `approach = 7`. Ask one at a time.
221
+
222
+ ### Q7-1 — Web Encryption Mode
223
+
224
+ Which encryption mode should be used?
225
+ - Default: **RSA-OAEP**
226
+ - **RSA-OAEP** — per-request ephemeral AES-256-GCM key wrapped with server RSA public key; simpler setup
227
+ - **ECDH-Session** — ECDH P-256 + HKDF-SHA256 + AES-256-GCM; session key derived once at init; cleaner for long-lived sessions
228
+
229
+ ### Q7-2 — Framework / Bundler
230
+
231
+ Which framework or bundler is used?
232
+ - Default: none — must be detected or confirmed
233
+ - **Vite** → env prefix `VITE_`
234
+ - **Create React App (CRA)** → env prefix `REACT_APP_`
235
+ - **Next.js** → env prefix `NEXT_PUBLIC_`
236
+
237
+ > This determines the correct env variable prefix for all feature flags.
238
+
239
+ ### Q7-3 — Token Storage
240
+
241
+ How should auth tokens be stored?
242
+ - Default: **sessionStorage**
243
+ - **sessionStorage** — clears on tab close; suitable for most SPAs
244
+ - **HTTP-only cookie** — server sets cookie; browser never exposes it to JS; recommended for high-security apps
245
+ - **localStorage** — FORBIDDEN for tokens or session material; never use for approach 7
246
+
247
+ ### Q7-4 — RSA Public Key Source (RSA-OAEP mode only)
248
+
249
+ Where should the RSA public key come from?
250
+ - Default: API
251
+ - **API** — fetched at runtime, cached in memory, refreshable
252
+ - **Environment variable** — embedded as PEM/Base64 in `.env.*`
253
+
254
+ ### Q7-5 — RSA Public Key Endpoint (RSA-OAEP API source only)
255
+
256
+ What is the public key endpoint URL?
257
+ - Default: `<API_BASE_URL>/api/security/public-key`
258
+ - Response format default: `{ public_key: string, key_id: string, expires_at?: string }`
259
+
260
+ ### Q7-6 — ECDH-Session Blocking Questions (ECDH-Session mode only)
261
+
262
+ ALL fields are backend-specific and have no safe defaults. Ask each one individually and do not proceed until all are provided:
263
+
264
+ - Q7-6a: Session init endpoint URL
265
+ - Q7-6b: HKDF `info` string (do NOT assume `'enc'`)
266
+ - Q7-6c: AAD required? If yes, provide the canonical JSON shape (alphabetically sorted key order)
267
+ - Q7-6d: Response encoding (standard base64 or base64url)
268
+ - Q7-6e: Device ID source (how `device_id` is generated or retrieved)
269
+ - Q7-6f: Session restore strategy (reload from `sessionStorage` JWK or re-initiate session)
270
+
271
+ ---
272
+
273
+ ## Confirmed Configuration Snapshot
274
+
275
+ Record before implementation:
276
+
277
+ | Field | Value |
278
+ |-------|-------|
279
+ | Platform | |
280
+ | Approach | |
281
+ | Encryption layer (RN only) | |
282
+ | RSA padding | RSA-OAEP |
283
+ | RSA key source | API |
284
+ | RSA key endpoint | `<API_BASE_URL>/api/security/public-key` |
285
+ | RSA key retries | 3 |
286
+ | API client | Axios |
287
+ | API layer path | src/services/api.ts |
288
+ | Encryption toggle | env-flag |
289
+ | HMAC signing | No |
290
+ | URL exclusions | (none) |
291
+ | Min iOS version (approach 5) | 13 |
292
+ | Android package (approach 5) | com.example.security |
293
+ | Encryption model (approach 6) | ec |
294
+ | EC contract type (approach 6) | per-request |
295
+ | EC key endpoint (approach 6) | `<API_BASE_URL>/api/security/ec-public-key` |
296
+ | EC HKDF info string (session-init only) | **no default — must be confirmed** |
297
+ | EC nonce format/length (session-init only) | **no default — must be confirmed** |
298
+ | EC AAD required + shape (session-init only) | **no default — must be confirmed** |
299
+ | EC response IV source (session-init only) | **no default — must be confirmed** |
300
+ | Web encryption mode (approach 7) | RSA-OAEP |
301
+ | Framework/bundler (approach 7) | **must be detected or confirmed** |
302
+ | Token storage (approach 7) | sessionStorage |
303
+ | RSA key endpoint (approach 7) | `<API_BASE_URL>/api/security/public-key` |
304
+ | ECDH session init URL (approach 7, ECDH-Session) | **no default — must be confirmed** |
305
+ | ECDH HKDF info string (approach 7, ECDH-Session) | **no default — must be confirmed** |
306
+ | ECDH AAD shape (approach 7, ECDH-Session) | **no default — must be confirmed** |
307
+
308
+ ---
309
+
310
+ ## Required Answers — EC + React Native JS mode (Approach 6 / encryptionModel = ec)
311
+
312
+ 1. EC curve selection
313
+ - Default: P-256 (secp256r1)
314
+ - Options: P-256 / P-384 / P-521
315
+
316
+ 1a. EC contract type
317
+ - Default: per-request
318
+ - **Per-request EC** — fresh ephemeral key pair per API call; HKDF salt = per-request nonce
319
+ - **Session-init EC** — shared session AES key derived once at login; reused across requests
320
+
321
+ 1b. If session-init EC selected (ALL fields are blocking — ask each one individually, no defaults):
322
+
323
+ - Q-SI-1: Session init endpoint URL
324
+ - Q-SI-2: Token/session endpoint URL
325
+ - Q-SI-3: Required API call order (default: initEncryptionSession → createSession → encrypted business APIs)
326
+ - Q-SI-4: Is `encrypted_shared_aes_key` from the init response used or ignored by the reference client?
327
+ - Q-SI-5: Exact HKDF `info` string (backend-specific — do NOT assume `'enc'`)
328
+ - Q-SI-6: Exact AAD JSON shape (if AAD is required by AES-GCM)
329
+ - Q-SI-7: Response IV source (nonce-as-IV, separate `iv` field, or other)
330
+ - Q-SI-8: Response payload encoding (standard base64 or base64url)
331
+ - Q-SI-9: Response payload structure (ciphertext \|\| tag, or IV \|\| ciphertext \|\| tag)
332
+ - Q-SI-10: Nonce format
333
+ - Q-SI-11: Nonce length
334
+ - Q-SI-12: Nonce character set restrictions
335
+ - Q-SI-13: Is there a reference client (Flutter, web, etc.) to verify against?
336
+ - Q-SI-14: Which `Buffer` package is installed: (verify `npm ls buffer`)
337
+ - Q-SI-15: `DEVICE_ID_SOURCE` — how is the stable `device_id` generated or retrieved
338
+
339
+ 2. EC public key source
340
+ - Default: API
341
+ - API or Environment variable
342
+
343
+ 3. If API source selected:
344
+ - Endpoint URL: default `<API_BASE_URL>/api/security/ec-public-key`
345
+ - Response format: default `{ public_key: string, key_id: string, expires_at?: string }` where `public_key` is base64(65-byte uncompressed P-256 point)
346
+ - Cache in memory: default Yes
347
+ - Retry count: default 3
348
+
349
+ 4. If Environment source selected:
350
+ - EC public key value (base64, 65 bytes, first decoded byte must be `0x04`):
351
+ - Format validated: default Yes
352
+
353
+ 5. API client type: default Axios
354
+ 6. API layer path: default `src/services/api.ts`
355
+ 7. Secure storage (react-native-keychain): default Yes
356
+ 8. Encryption toggle: default env-controlled (`ENCRYPTION_MODEL=ec`)
357
+ 9. Platform scope: default Android + iOS
358
+ 10. HMAC signing: default No
359
+
360
+ ## Validation Status — EC + JS mode
361
+
362
+ - [ ] Encryption model: EC
363
+ - [ ] EC contract type confirmed: per-request / session-init
364
+ - [ ] EC public key format valid (65 bytes, first byte 0x04)
365
+ - [ ] EC public key endpoint is HTTPS (if API source)
366
+ - [ ] Session-init: HKDF `info` string confirmed
367
+ - [ ] Session-init: AAD shape confirmed or confirmed not required
368
+ - [ ] Session-init: nonce length/format confirmed
369
+ - [ ] Session-init: response IV source confirmed
370
+ - [ ] API layer path exists in project
371
+ - [ ] All required answers received
372
+ - [ ] Approved to proceed: Yes
373
+
374
+ ---
375
+
376
+ ## Required Answers — EC + Native mode (Approach 6 + encryptionLayer = native)
377
+
378
+ 1. EC curve selection
379
+ - Default: P-256 (secp256r1)
380
+
381
+ 1a. EC contract type
382
+ - **REQUIRED — ask developer, no default**
383
+ - Per-request EC or session-init EC
384
+
385
+ 1b. If session-init EC selected (ALL fields are blocking — ask each one individually, no defaults):
386
+
387
+ - Q-SI-1: Session init endpoint URL (`SESSION_INIT_ENDPOINT`): must be provided
388
+ - Q-SI-2: Token/session endpoint URL (`CREATE_SESSION_ENDPOINT`): must be provided
389
+ - Q-SI-3: Required API call order (default: initEncryptionSession → createSession → encrypted business APIs)
390
+ - Q-SI-4: Exact HKDF `info` string (`HKDF_INFO`): must be provided — do NOT assume `'enc'`
391
+ - Q-SI-5: Exact AAD JSON shape (`AAD_SHAPE`): must be provided if AAD is required
392
+ - Q-SI-6: Response IV source (nonce-as-IV, separate `iv` field, or other): must be provided
393
+ - Q-SI-7: Response payload encoding (`RESPONSE_ENCODING` — standard base64 or base64url): must be confirmed
394
+ - Q-SI-8: Response payload structure (ciphertext \|\| tag, or IV \|\| ciphertext \|\| tag): must be provided
395
+ - Q-SI-9: Nonce format (`NONCE_FORMAT`): must be provided explicitly
396
+ - Q-SI-10: Nonce length: must be provided explicitly
397
+ - Q-SI-11: Nonce character set restrictions: must be provided explicitly
398
+ - Q-SI-12: `DEVICE_ID_SOURCE` — how is the stable `device_id` generated or retrieved: must be provided
399
+ - Q-SI-13: `encrypted_shared_aes_key` handling (used / ignored): must be confirmed
400
+ - Q-SI-14: Which `Buffer` package is installed: (verify `npm ls buffer`)
401
+ - Q-SI-15: Is there a reference client (Flutter, web, etc.) to verify against: ask backend team
402
+
403
+ 2. EC public key source: default API
404
+ 3. If API source selected: endpoint URL, response format `{ public_key, key_id, expires_at? }`, cache (yes), retries (3)
405
+ 4. If Environment source selected: base64 65-byte uncompressed P-256 point, first byte must be `0x04`
406
+ 5. Minimum iOS version: default 13 (CryptoKit)
407
+ 6. API client type: default Axios
408
+ 7. API layer path: default `src/services/api.ts`
409
+ 8. Secure storage: default Yes (react-native-keychain)
410
+ 9. Encryption toggle: default env-controlled (`ENCRYPTION_MODEL=ec`, `ENCRYPTION_LAYER=native`)
411
+ 10. Platform scope: default Android + iOS
412
+ 11. HMAC signing: default No
413
+
414
+ > Note: EC + Native does NOT require new Kotlin/Swift files. ECDH + HKDF run in JS; only AES runs in the existing NativeCryptoModule.
415
+
416
+ ## Validation Status — EC + Native mode
417
+
418
+ - [ ] Android minSdkVersion >= 23
419
+ - [ ] iOS deployment target >= 13.0 confirmed
420
+ - [ ] Existing NativeCryptoModule confirmed accessible from JS
421
+ - [ ] EC public key format valid (65 bytes, first byte 0x04)
422
+ - [ ] EC public key source URL is HTTPS (if API)
423
+ - [ ] EC contract type confirmed (per-request / session-init)
424
+ - [ ] Session-init endpoints confirmed (if session-init): SESSION_INIT_ENDPOINT / CREATE_SESSION_ENDPOINT
425
+ - [ ] HKDF `info` string confirmed (if session-init)
426
+ - [ ] AAD contract confirmed (if session-init)
427
+ - [ ] Nonce length/format confirmed (if session-init)
428
+ - [ ] Response encoding confirmed (if session-init)
429
+ - [ ] DEVICE_ID_SOURCE confirmed (if session-init)
430
+ - [ ] All required answers received
431
+ - [ ] Approved to proceed: Yes
432
+
433
+ ---
434
+
435
+ ## Validation Status (All other platforms / approaches 1–5)
436
+
437
+ - [ ] Platform confirmed and exists in `platform-matrix.json`
438
+ - [ ] Approach valid for this platform
439
+ - [ ] All RSA key source inputs validated (HTTPS URLs, PEM headers if env mode)
440
+ - [ ] Shared key >= 32 characters (approach 3)
441
+ - [ ] API layer path exists in project
442
+ - [ ] Android `minSdkVersion >= 23` confirmed (approach 5)
443
+ - [ ] iOS deployment target confirmed / fallback planned (approach 5)
444
+ - [ ] `privateKeyPem` refused for angular/web platforms
445
+ - [ ] Approved to proceed with implementation: Yes
446
+
447
+ ---
448
+
449
+ ## Validation Status — React JS Web Production Mode (Approach 7)
450
+
451
+ - [ ] Platform confirmed: `react`
452
+ - [ ] Approach 7 valid for react platform (check `platform-matrix.json`)
453
+ - [ ] App is served over HTTPS or localhost (`crypto.subtle` unavailable on plain HTTP)
454
+ - [ ] Framework/bundler detected: Vite / CRA / Next.js (env prefix confirmed)
455
+ - [ ] `tsconfig.json` includes `"DOM"` in `lib`
456
+ - [ ] Web encryption mode confirmed: RSA-OAEP / ECDH-Session
457
+ - [ ] RSA-OAEP: public key endpoint is HTTPS (if API source)
458
+ - [ ] RSA-OAEP: PEM headers valid (if env source)
459
+ - [ ] No `crypto-js`, `node-forge`, or Buffer polyfill in dependencies
460
+ - [ ] Token storage confirmed: sessionStorage / HTTP-only cookie (localStorage rejected)
461
+ - [ ] ECDH-Session: session init URL confirmed (if ECDH-Session mode)
462
+ - [ ] ECDH-Session: HKDF `info` string confirmed (if ECDH-Session mode)
463
+ - [ ] ECDH-Session: AAD shape confirmed or confirmed not required (if ECDH-Session mode)
464
+ - [ ] ECDH-Session: device ID source confirmed (if ECDH-Session mode)
465
+ - [ ] HMAC secret in env var only — never hardcoded
466
+ - [ ] All required answers received
467
+ - [ ] Approved to proceed: Yes
@@ -0,0 +1,206 @@
1
+ # Delivery Checklist
2
+
3
+ Mark each item complete before marking the implementation finished.
4
+
5
+ ---
6
+
7
+ ## Setup
8
+
9
+ - [ ] `detect.js` ran and result noted (FOUND / NOT_FOUND).
10
+ - [ ] Detection mode selected: replace / reuse / refactor.
11
+ - [ ] Platform confirmed and validated against `platform-matrix.json`.
12
+ - [ ] Approach confirmed and validated against allowed approaches for the platform.
13
+ - [ ] All required inputs collected and validated (PEM format, key length, HTTPS URLs).
14
+ - [ ] Encryption model confirmed (RSA / EC).
15
+ - [ ] Encryption layer confirmed (React Native JS / Native).
16
+
17
+ ---
18
+
19
+ ## Dependencies (React Native JS Mode — all approaches)
20
+
21
+ - [ ] react-native-quick-crypto installed and verified.
22
+ - [ ] react-native-nitro-modules installed explicitly (required peer dep of quick-crypto >= 1.0 / RN >= 0.76).
23
+ - [ ] react-native-worklets installed explicitly (required peer dep of quick-crypto >= 1.0 / RN >= 0.76).
24
+ - [ ] react-native-quick-base64 present (auto-installed by quick-crypto — verify with `npm ls react-native-quick-base64`).
25
+ - [ ] buffer package installed (>= 6.0.0) — required for EC mode and session-init helpers.
26
+ - [ ] `npm ls react-native-nitro-modules` does NOT show `UNMET PEER DEP`.
27
+ - [ ] Android `.cxx` cache cleared after native module changes.
28
+ - [ ] Android clean build completed successfully.
29
+ - [ ] iOS pod install completed successfully.
30
+
31
+ ---
32
+
33
+ ## Implementation — All Platforms
34
+
35
+ - [ ] Config file written (`encryption.config.ts` / `EncryptionConfig.kt` / `EncryptionConfig.swift` / `EncryptionConfig.dart`).
36
+ - [ ] Service file written (`EncryptionService` with `encrypt` method, and `decrypt` where applicable).
37
+ - [ ] Interceptor / middleware written and wired into the HTTP layer.
38
+ - [ ] Module wiring patched (AppModule / axiosInstance / OkHttpClient / Podfile / Dio).
39
+ - [ ] `ENCRYPTION_INTERCEPTOR_PLACEHOLDER` marker present (for future patching).
40
+
41
+ ## Implementation — React Native Approaches 4 and 5
42
+
43
+ - [ ] `src/services/security/types.ts` written (`EncryptedEnvelope`, `EncryptedResponse`).
44
+ - [ ] `src/services/security/encryption.service.ts` written (AES-256-GCM per-request encrypt).
45
+ - [ ] `src/services/security/decryption.service.ts` written (AES-256-GCM decrypt + auth tag split).
46
+ - [ ] `src/services/security/rsa-key.service.ts` written (fetch / cache / retry).
47
+ - [ ] `src/services/security/keychain.service.ts` written (`react-native-keychain` wrapper).
48
+ - [ ] `src/services/security/hmac.service.ts` written (even if HMAC disabled — ready for activation).
49
+ - [ ] `src/services/security/encryption-config.ts` written (feature flags + env references).
50
+ - [ ] Request interceptor written (encrypt POST/PUT/PATCH, store in request map, set `X-Request-Id`).
51
+ - [ ] Response interceptor written (decrypt using request map key, clean up map on success and failure).
52
+ - [ ] `index.js` patched with `react-native-get-random-values` polyfill as first import.
53
+ - [ ] `axiosInstance.ts` wired with `applyProductionEncryptionInterceptor`.
54
+
55
+ ## Implementation — Native Mode (Approach 5) Additional
56
+
57
+ - [ ] `NativeCryptoModule.kt` created (`encryptAES`, `decryptAES`, `encryptRSA`).
58
+ - [ ] `NativeCryptoPackage.kt` created and `NativeCryptoPackage` registered in `MainApplication`.
59
+ - [ ] `NativeCryptoModule.swift` created using `do/try/catch` — no `try!` allowed.
60
+ - [ ] `NativeCryptoModule.m` Objective-C bridge file created.
61
+ - [ ] `src/services/security/native-crypto.module.ts` JS bridge interface created.
62
+ - [ ] Interceptors updated to call `nativeEncryptAES` / `nativeDecryptAES` / `nativeEncryptRSA`.
63
+ - [ ] `ENCRYPTION_LAYER=native` added to `.env`.
64
+ - [ ] Pod install completed (iOS).
65
+ - [ ] Gradle sync completed (Android).
66
+ - [ ] `NativeModules.NativeCryptoModule` confirmed accessible from JS.
67
+
68
+ ## Implementation — EC + React Native JS Mode (Approach 6, per-request)
69
+
70
+ - [ ] `EcPublicKeyResponse`, `EcEncryptedEnvelope`, and `RequestCryptoMaterial` types added to `types.ts`.
71
+ - [ ] `ec-key.service.ts` created (EC public key fetch / validate / cache / retry with 65-byte point check).
72
+ - [ ] `ec-crypto.util.ts` created (`ecEncryptPayload`, `ecDeriveKey`, HKDF-SHA256).
73
+ - [ ] `toBase64()`, `toBuffer()`, `byteCopy()` helpers included — NOT using `Buffer.toString('base64')` on Hermes.
74
+ - [ ] Dual Buffer imports: `Buffer from 'buffer'` + `Buffer as QCBuffer from 'react-native-quick-crypto'`.
75
+ - [ ] `ENCRYPTION_MODEL` routing added to `api.ts` (rsa vs ec branches).
76
+ - [ ] `KEY_ID_NOT_FOUND` (401) handler routes to `EcKeyService.refreshPublicKey` when EC model.
77
+ - [ ] Ephemeral EC key pair discarded immediately after `computeSecret()`.
78
+ - [ ] Derived AES key is NEVER transmitted — only `ephemeral_public_key` sent in envelope.
79
+ - [ ] Feature flags wired: `ENCRYPTION_MODEL=ec`, `EC_PUBLIC_KEY_ENDPOINT`, `EC_KEY_RETRY`.
80
+ - [ ] `[If HMAC_ENABLED=true]` `hmac.service.ts` injected into request interceptor after envelope is built.
81
+
82
+ ## Implementation — EC + React Native JS Mode (Approach 6, session-init)
83
+
84
+ - [ ] All items from per-request EC section above.
85
+ - [ ] Stateful auth service class created, holding `sessionAesKey`, `encryptionKeyId`, `sessionDeviceId`.
86
+ - [ ] `deriveSessionKey()` uses backend-confirmed HKDF info string (NOT hardcoded `'enc'`).
87
+ - [ ] `buildSessionAad()` uses canonical JSON with alphabetically sorted keys.
88
+ - [ ] `sessionEncrypt()` uses nonce-as-IV and AAD (confirmed from backend contract).
89
+ - [ ] `sessionDecrypt()` uses correct IV source (confirmed from backend contract or reference client).
90
+ - [ ] `urlSafeBase64ToStd()` applied to all base64url fields received from server.
91
+ - [ ] `initEncryptionSession` sends real freshly-generated `client_ecdh_pub` from the same ECDH instance used for derivation.
92
+ - [ ] `createSession` runs only after `initEncryptionSession` succeeds and uses the returned `key_id`.
93
+ - [ ] Nonce generator uses CSPRNG (`randomBytes`) — NOT `Math.random()` — nonce IS the AES-GCM IV.
94
+ - [ ] Nonce format/length matches backend contract exactly.
95
+ - [ ] `encrypted_shared_aes_key` handling confirmed (used vs ignored).
96
+ - [ ] `device_id` is stable and consistent across init, HKDF context, AAD, and encrypted requests.
97
+ - [ ] Token persistence is separate from session key lifetime (app restart requires re-init if key not stored).
98
+ - [ ] Dead debug code removed (unwrapSessionKey, tryAesGcmDecrypt, hkdfExpandOnly, hkdfSwapped) if present.
99
+
100
+ ## Implementation — EC + Native Mode (Approach 6 + encryptionLayer = native)
101
+
102
+ - [ ] All EC + JS items above.
103
+ - [ ] `ecDeriveKey()` helper returns `{ derivedAesKeyBase64, ephemeralPublicKeyBase64 }` without AES.
104
+ - [ ] Interceptor calls `ecDeriveKey` in JS, then passes `derivedAesKeyBase64` to existing `nativeEncryptAES`.
105
+ - [ ] Response decryption calls `nativeDecryptAES` with same `derivedAesKeyBase64` from request map.
106
+ - [ ] No new Kotlin/Swift files added — existing `NativeCryptoModule` is reused.
107
+ - [ ] `ENCRYPTION_MODEL=ec` and `ENCRYPTION_LAYER=native` env flags wired.
108
+
109
+ ## Implementation — React JS Web Production Mode, RSA-OAEP (Approach 7)
110
+
111
+ - [ ] App confirmed served over HTTPS or localhost (crypto.subtle unavailable on plain HTTP).
112
+ - [ ] `tsconfig.json` `"lib"` includes `"DOM"` — patched if missing.
113
+ - [ ] `axios` present in package.json — installed if missing.
114
+ - [ ] No `crypto-js`, `node-forge`, Buffer polyfill, or `react-native-*` packages added.
115
+ - [ ] `crypto-utils.ts` written (Base64 helpers, nonce generator using `crypto.getRandomValues`).
116
+ - [ ] `aes.service.ts` written (`generateAESKey`, `encryptAESGCM`, `decryptAESGCM` via `crypto.subtle`, tagLength 128).
117
+ - [ ] `rsa.service.ts` written (`importRSAPublicKey` using `importKey('spki', ...)` after stripping PEM headers, `encryptRSAOAEP`).
118
+ - [ ] `rsa-key.service.ts` written (fetch / cache / retry; `KEY_ID_NOT_FOUND` refreshes key + retries exactly once).
119
+ - [ ] `hmac.service.ts` written using `crypto.subtle` HMAC-SHA256.
120
+ - [ ] `storage.service.ts` written (`sessionStorage` wrapper; HTTP-only cookie guidance; `localStorage` explicitly blocked).
121
+ - [ ] `encryption.interceptor.ts` written:
122
+ - [ ] Request: generates AES key, stores in `Map<requestId, {cryptoKey, iv}>`, attaches envelope.
123
+ - [ ] Response: decrypts using map entry, deletes entry immediately on success and error.
124
+ - [ ] `DOMException` on decrypt → `ERR_CRYPTO_REJECTED`, no plaintext fallback.
125
+ - [ ] `encryption-config.ts` written with correct framework env prefix (VITE_ / REACT_APP_ / NEXT_PUBLIC_).
126
+ - [ ] `types.ts` written (`EncryptedEnvelope`, `EncryptedResponse`).
127
+ - [ ] `axiosInstance.ts` patched with `applyProductionEncryptionInterceptor` + `bootstrapEncryption()` bootstrap call.
128
+ - [ ] `.env.example` includes all required env variables with correct prefix.
129
+ - [ ] RSA public key endpoint is HTTPS (if API source).
130
+ - [ ] RSA-OAEP padding confirmed — PKCS1 v1.5 not used.
131
+
132
+ ## Implementation — React JS ECDH-Session Sub-Mode (Approach 7)
133
+
134
+ - [ ] All RSA-OAEP items above (except `rsa.service.ts`, `rsa-key.service.ts` replaced by ECDH services).
135
+ - [ ] `base64url.ts` written (Base64URL encode/decode, no Buffer).
136
+ - [ ] `aad.ts` written (AAD builder with alphabetical key order, template literal not `JSON.stringify`).
137
+ - [ ] `ecdhSession.ts` written:
138
+ - [ ] ECDH P-256 key pair via `crypto.subtle.generateKey`.
139
+ - [ ] `deriveSessionKey` uses `crypto.subtle.deriveKey` with HKDF-SHA256 — no manual HMAC chain.
140
+ - [ ] Derived AES key is `extractable: false` — never stored.
141
+ - [ ] ECDH private key exported as JWK for `sessionStorage` restore.
142
+ - [ ] `aesGcm.ts` written (AES-256-GCM encrypt/decrypt with AAD).
143
+ - [ ] `ecdhSessionService.ts` written (init, restore from `sessionStorage`, `clearSession`).
144
+ - [ ] `clearSession()` called on 401 → surfaces `ERR_SESSION_EXPIRED`.
145
+ - [ ] `clearSession()` called on 400 DECRYPTION_FAILED / INVALID_PAYLOAD → surfaces `ERR_CRYPTO_REJECTED`.
146
+ - [ ] 500 responses pass through without session invalidation.
147
+ - [ ] ECDH-Session interceptor adds `X-Request-ID`, `X-Nonce` (12-byte Base64URL), `X-Timestamp` (ISO 8601 UTC) to every request.
148
+ - [ ] HKDF `info` string matches backend contract (NOT assumed to be `'enc'`).
149
+ - [ ] AAD canonical JSON shape confirmed with backend team.
150
+ - [ ] Session init URL is HTTPS.
151
+ - [ ] Device ID source confirmed and consistent across all encrypted requests.
152
+
153
+ ---
154
+
155
+ ## Security
156
+
157
+ - [ ] No sensitive logging (no AES keys, IVs, auth tags, plaintext payloads, or key material).
158
+ - [ ] No persistent AES key/IV storage.
159
+ - [ ] HTTPS enforced for key endpoint and all API traffic.
160
+ - [ ] Auth tag verification enforced (AES-GCM modes).
161
+ - [ ] FormData excluded from encryption.
162
+ - [ ] `ENCRYPTION_ENABLED=false` is the safe default.
163
+ - [ ] [Native mode] AES key never written to Android Keystore or iOS Secure Enclave.
164
+ - [ ] [Native mode] `try!` not present anywhere in Swift bridge code.
165
+ - [ ] [Approach 3] Shared key is at least 32 characters.
166
+ - [ ] [Angular/Web] `privateKeyPem` not accepted — private keys stay on the server.
167
+ - [ ] [EC] EC public key validated on every fetch: 65 bytes, first byte `0x04`.
168
+ - [ ] [EC] Ephemeral EC key pair discarded immediately after `computeSecret()`.
169
+ - [ ] [EC] Derived AES key never transmitted — only `ephemeral_public_key` in envelope.
170
+ - [ ] [EC session-init] Nonce generator uses CSPRNG (`randomBytes`) — NOT `Math.random()`.
171
+ - [ ] [Approach 7] `crypto.subtle` availability check at bootstrap — surfaces error before any API call.
172
+ - [ ] [Approach 7] No `Math.random()` for any cryptographic purpose — all nonce/key generation uses Web Crypto API.
173
+ - [ ] [Approach 7] No `localStorage` for tokens or session material.
174
+ - [ ] [Approach 7 ECDH-Session] Derived AES key is `extractable: false` — never stored or exported.
175
+ - [ ] [Approach 7 ECDH-Session] ECDH private key stored only as JWK in `sessionStorage`; cleared on `clearSession()`.
176
+ - [ ] [Approach 7] HMAC secret in env var only — never hardcoded, never committed to source.
177
+
178
+ ---
179
+
180
+ ## Operational
181
+
182
+ - [ ] Concurrent request safety verified (request map keyed by unique `requestId`).
183
+ - [ ] Missing RSA key / refetch flow handled (bounded retry, fail-safe on exhaustion).
184
+ - [ ] Invalid auth tag triggers session reset (not silent fallback).
185
+ - [ ] Build passes after all files are written.
186
+ - [ ] Temp config file (`.encryption-resolved-config.tmp.json`) deleted after install.
187
+
188
+ ---
189
+
190
+ ## Final Output
191
+
192
+ - [ ] List of all files written/patched included in report.
193
+ - [ ] List of all packages installed included in report.
194
+ - [ ] Encryption approach, model, and layer recorded.
195
+ - [ ] HMAC status recorded.
196
+ - [ ] URL exclusions recorded.
197
+ - [ ] Envelope shape documented:
198
+ - RSA: `{ data, key, iv, nonce, key_id }`
199
+ - EC per-request: `{ data, ephemeral_public_key, iv, nonce, key_id }`
200
+ - EC session-init: backend-specific (confirm shape with backend team)
201
+ - Approach 7 RSA-OAEP: `{ data, key, iv, nonce, key_id }` (wire-compatible with React Native)
202
+ - Approach 7 ECDH-Session: backend-specific (confirm with backend team; see `references/react-web-crypto.md`)
203
+ - [ ] Backend alignment spec printed/referenced (approaches 4/5: Part A RSA; approach 6: Part B EC).
204
+ - [ ] [Approach 7] CORS headers confirmed: `Access-Control-Allow-Headers` includes `X-Request-ID`, `X-Nonce`, `X-Request-Signature`, `X-Device-ID`, `X-Timestamp`.
205
+ - [ ] Any residual risks or manual steps noted.
206
+ - [ ] Suggested next validation steps included.