devendra-skill-package 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/skills/boiler-project-generator/SKILL.md +103 -0
- package/.github/skills/boiler-project-generator/assets/templates/android/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/angular/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/flutter/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/ios/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/README.md +3 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/api-setup.ts +76 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/component-primary-button.tsx +29 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/env-config.env +4 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-auth-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-dashboard-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/feature-profile-screen.tsx +45 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/hook-use-app-boot.ts +11 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/navigation-setup.tsx +25 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/project-structure.md +24 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-hooks.ts +5 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-session-slice.ts +29 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/redux-store.ts +15 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/theme-index.ts +23 -0
- package/.github/skills/boiler-project-generator/assets/templates/react-native/utils-helpers.ts +7 -0
- package/.github/skills/boiler-project-generator/metadata.yaml +29 -0
- package/.github/skills/boiler-project-generator/references/android.md +19 -0
- package/.github/skills/boiler-project-generator/references/angular.md +14 -0
- package/.github/skills/boiler-project-generator/references/flutter.md +17 -0
- package/.github/skills/boiler-project-generator/references/ios.md +17 -0
- package/.github/skills/boiler-project-generator/references/react-native.md +103 -0
- package/.github/skills/boiler-project-generator/references/react.md +17 -0
- package/.github/skills/boiler-project-generator/scripts/angular.js +43 -0
- package/.github/skills/boiler-project-generator/scripts/generate-project.mjs +107 -0
- package/.github/skills/boiler-project-generator/scripts/init.js +105 -0
- package/.github/skills/boiler-project-generator/scripts/react-native.js +1041 -0
- package/.github/skills/boiler-project-generator/scripts/react.js +32 -0
- package/.github/skills/clean-architecture-generator/SKILL.md +235 -0
- package/.github/skills/clean-architecture-generator/references/architecture-core.md +126 -0
- package/.github/skills/clean-architecture-generator/references/platform-angular.md +374 -0
- package/.github/skills/clean-architecture-generator/references/platform-flutter.md +366 -0
- package/.github/skills/clean-architecture-generator/references/platform-react-native.md +590 -0
- package/.github/skills/clean-architecture-generator/references/platform-react.md +261 -0
- package/.github/skills/code-test-coverage-analyzer/SKILL.md +1358 -0
- package/.github/skills/code-test-coverage-analyzer/assets/config-questionnaire.md +118 -0
- package/.github/skills/code-test-coverage-analyzer/assets/conflict-resolution-protocol.md +99 -0
- package/.github/skills/code-test-coverage-analyzer/assets/coverage-calculation-rules.md +294 -0
- package/.github/skills/code-test-coverage-analyzer/assets/multi-strategy-search.md +145 -0
- package/.github/skills/code-test-coverage-analyzer/assets/output-file-contracts.md +651 -0
- package/.github/skills/code-test-coverage-analyzer/assets/status-definitions.md +273 -0
- package/.github/skills/code-test-coverage-analyzer/examples/example-invocation.md +208 -0
- package/.github/skills/code-test-coverage-analyzer/references/android-patterns.md +229 -0
- package/.github/skills/code-test-coverage-analyzer/references/angular-patterns.md +177 -0
- package/.github/skills/code-test-coverage-analyzer/references/backend-patterns.md +383 -0
- package/.github/skills/code-test-coverage-analyzer/references/flutter-patterns.md +254 -0
- package/.github/skills/code-test-coverage-analyzer/references/ios-patterns.md +228 -0
- package/.github/skills/code-test-coverage-analyzer/references/react-native-patterns.md +431 -0
- package/.github/skills/code-test-coverage-analyzer/references/react-patterns.md +206 -0
- package/.github/skills/code-test-coverage-analyzer/scripts/detect-platform.ps1 +261 -0
- package/.github/skills/code-test-coverage-analyzer/scripts/scan-repository.ps1 +242 -0
- package/.github/skills/code-test-coverage-analyzer/templates/brd-compliance-row.md +107 -0
- package/.github/skills/code-test-coverage-analyzer/templates/test-case-row.md +130 -0
- package/.github/skills/code-test-coverage-analyzer/templates/user-story-compliance-row.md +170 -0
- package/.github/skills/custom-font-integrator/SKILL.md +373 -0
- package/.github/skills/custom-font-integrator/assets/FontTestScreen.js +150 -0
- package/.github/skills/custom-font-integrator/references/example-info-plist.xml +21 -0
- package/.github/skills/custom-font-integrator/scripts/setup-fonts.sh +99 -0
- package/.github/skills/encryption-decryption-utility/Instructions.md +282 -0
- package/.github/skills/encryption-decryption-utility/README.md +222 -0
- package/.github/skills/encryption-decryption-utility/SKILL.md +645 -0
- package/.github/skills/encryption-decryption-utility/assets/encryption-config-template.json +13 -0
- package/.github/skills/encryption-decryption-utility/assets/platform-matrix.json +180 -0
- package/.github/skills/encryption-decryption-utility/metadata.yaml +51 -0
- package/.github/skills/encryption-decryption-utility/references/android-crypto.md +157 -0
- package/.github/skills/encryption-decryption-utility/references/angular-crypto.md +130 -0
- package/.github/skills/encryption-decryption-utility/references/approach-1-webcrypto.md +95 -0
- package/.github/skills/encryption-decryption-utility/references/approach-2-rsa-aes-cbc.md +111 -0
- package/.github/skills/encryption-decryption-utility/references/approach-3-aes-sharedkey.md +114 -0
- package/.github/skills/encryption-decryption-utility/references/architecture.md +233 -0
- package/.github/skills/encryption-decryption-utility/references/backend-alignment.md +506 -0
- package/.github/skills/encryption-decryption-utility/references/dependency-guidance.md +234 -0
- package/.github/skills/encryption-decryption-utility/references/ec-implementation.md +832 -0
- package/.github/skills/encryption-decryption-utility/references/error-handling-playbook.md +234 -0
- package/.github/skills/encryption-decryption-utility/references/flutter-crypto.md +105 -0
- package/.github/skills/encryption-decryption-utility/references/ios-crypto.md +338 -0
- package/.github/skills/encryption-decryption-utility/references/native-rsa-implementation.md +373 -0
- package/.github/skills/encryption-decryption-utility/references/node-crypto.md +86 -0
- package/.github/skills/encryption-decryption-utility/references/react-crypto.md +105 -0
- package/.github/skills/encryption-decryption-utility/references/react-native-crypto.md +1001 -0
- package/.github/skills/encryption-decryption-utility/references/react-web-crypto.md +668 -0
- package/.github/skills/encryption-decryption-utility/references/security-checklist.md +176 -0
- package/.github/skills/encryption-decryption-utility/references/web-crypto.md +74 -0
- package/.github/skills/encryption-decryption-utility/scripts/detect.js +128 -0
- package/.github/skills/encryption-decryption-utility/scripts/install.js +1713 -0
- package/.github/skills/encryption-decryption-utility/scripts/setup.js +800 -0
- package/.github/skills/encryption-decryption-utility/template.md +241 -0
- package/.github/skills/encryption-decryption-utility/templates/config-questionnaire.md +467 -0
- package/.github/skills/encryption-decryption-utility/templates/delivery-checklist.md +206 -0
- package/.github/skills/encryption-decryption-utility/templates/implementation-plan.md +304 -0
- package/.github/skills/feature-generator/SKILL.MD +2741 -0
- package/.github/skills/feature-generator/assets/fingerprint-schema.json +385 -0
- package/.github/skills/feature-generator/assets/spec-template.md +172 -0
- package/.github/skills/feature-generator/assets/transform-rules.json +82 -0
- package/.github/skills/feature-generator/references/api-envelope-patterns.md +327 -0
- package/.github/skills/feature-generator/references/screen-logic-patterns.md +399 -0
- package/.github/skills/feature-generator/references/state-library-patterns.md +464 -0
- package/.github/skills/figma-ui-mapper/README.md +34 -0
- package/.github/skills/figma-ui-mapper/SKILL.md +101 -0
- package/.github/skills/figma-ui-mapper/assets/templates/component-map-template.md +30 -0
- package/.github/skills/figma-ui-mapper/assets/templates/generation-report-template.md +49 -0
- package/.github/skills/figma-ui-mapper/metadata.yaml +22 -0
- package/.github/skills/figma-ui-mapper/references/android.md +11 -0
- package/.github/skills/figma-ui-mapper/references/angular.md +18 -0
- package/.github/skills/figma-ui-mapper/references/capacitor.md +18 -0
- package/.github/skills/figma-ui-mapper/references/common.md +23 -0
- package/.github/skills/figma-ui-mapper/references/expo.md +18 -0
- package/.github/skills/figma-ui-mapper/references/flutter.md +18 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/angular/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/capacitor/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/expo/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/flutter/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/ionic/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/kotlin-multiplatform/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/native-android/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/native-ios/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/next/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/nuxt/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/react/rules.md +19 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/react-native/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/svelte/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/frameworks/vue/rules.md +23 -0
- package/.github/skills/figma-ui-mapper/references/ionic.md +18 -0
- package/.github/skills/figma-ui-mapper/references/ios.md +11 -0
- package/.github/skills/figma-ui-mapper/references/kotlin-multiplatform.md +18 -0
- package/.github/skills/figma-ui-mapper/references/native-android.md +18 -0
- package/.github/skills/figma-ui-mapper/references/native-ios.md +18 -0
- package/.github/skills/figma-ui-mapper/references/next.md +18 -0
- package/.github/skills/figma-ui-mapper/references/nuxt.md +18 -0
- package/.github/skills/figma-ui-mapper/references/react-figma-guideline.md +21 -0
- package/.github/skills/figma-ui-mapper/references/react-native.md +18 -0
- package/.github/skills/figma-ui-mapper/references/react.md +18 -0
- package/.github/skills/figma-ui-mapper/references/script-usage.md +46 -0
- package/.github/skills/figma-ui-mapper/references/svelte.md +18 -0
- package/.github/skills/figma-ui-mapper/references/vue.md +18 -0
- package/.github/skills/figma-ui-mapper/references/workflow.md +74 -0
- package/.github/skills/figma-ui-mapper/scripts/generate-page-through-figma.js +635 -0
- package/.github/skills/figma-ui-mapper/scripts/generate-react-page-through-figma.js +4 -0
- package/.github/skills/frontend-task-breakdown/SKILL.md +734 -0
- package/.github/skills/md-file-converter/SKILL.md +291 -0
- package/.github/skills/md-file-converter/config/formats.json +114 -0
- package/.github/skills/md-file-converter/extractors/extract-docx.sh +120 -0
- package/.github/skills/md-file-converter/extractors/extract-eml.py +108 -0
- package/.github/skills/md-file-converter/extractors/extract-pdf.sh +97 -0
- package/.github/skills/md-file-converter/extractors/extract-pptx.py +143 -0
- package/.github/skills/md-file-converter/extractors/extract-xlsx.py +175 -0
- package/.github/skills/md-file-converter/scripts/check-tools.sh +47 -0
- package/.github/skills/md-file-converter/scripts/extract-archive.sh +83 -0
- package/.github/skills/md-file-converter/scripts/extract-ocr.sh +77 -0
- package/.github/skills/md-file-converter/scripts/get-metadata.sh +57 -0
- package/.github/skills/md-file-converter/templates/output.md +73 -0
- package/.github/skills/md-file-converter/templates/unsupported-object.md +6 -0
- package/.github/skills/mockAPI-contract-generator/SKILL.md +607 -0
- package/.github/skills/test-case-validator/CHANGELOG.md +155 -0
- package/.github/skills/test-case-validator/CONFIGURATION.md +130 -0
- package/.github/skills/test-case-validator/EXAMPLES.md +50 -0
- package/.github/skills/test-case-validator/QUALITY_SCORING.md +98 -0
- package/.github/skills/test-case-validator/README.md +111 -0
- package/.github/skills/test-case-validator/REPORT_TEMPLATE.md +116 -0
- package/.github/skills/test-case-validator/SKILL.md +209 -0
- package/.github/skills/test-case-validator/SYSTEM_PROMPT.md +127 -0
- package/.github/skills/test-case-validator/TRACEABILITY_ENGINE.md +152 -0
- package/.github/skills/test-case-validator/VALIDATION_RULES.md +411 -0
- package/.github/skills/test-case-validator/config/default.config.yaml +62 -0
- package/.github/skills/test-case-validator/docs/ARCHITECTURE.md +66 -0
- package/.github/skills/test-case-validator/docs/EXTENDING.md +85 -0
- package/.github/skills/test-case-validator/docs/FAQ.md +88 -0
- package/.github/skills/test-case-validator/docs/VERSIONING.md +55 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-brd.md +43 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-test-cases.csv +9 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/input-user-story.md +29 -0
- package/.github/skills/test-case-validator/examples/example-1-manual-qa-ecommerce/output-report.md +303 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-spec.md +43 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/input-test-files-index.md +56 -0
- package/.github/skills/test-case-validator/examples/example-2-automated-frontend-suite/output-report.md +274 -0
- package/.github/skills/test-case-validator/prompts/00-applicability-resolution.md +61 -0
- package/.github/skills/test-case-validator/prompts/01-extraction-user-story.md +58 -0
- package/.github/skills/test-case-validator/prompts/02-extraction-brd.md +64 -0
- package/.github/skills/test-case-validator/prompts/03-extraction-test-cases.md +92 -0
- package/.github/skills/test-case-validator/prompts/04-traceability-matrix.md +41 -0
- package/.github/skills/test-case-validator/prompts/05-coverage-analysis.md +46 -0
- package/.github/skills/test-case-validator/prompts/06-missing-scenario-detection.md +32 -0
- package/.github/skills/test-case-validator/prompts/07-duplicate-detection.md +36 -0
- package/.github/skills/test-case-validator/prompts/08-risk-analysis.md +39 -0
- package/.github/skills/test-case-validator/prompts/09-gated-wiring-validation.md +53 -0
- package/.github/skills/test-case-validator/prompts/10-observation-report.md +56 -0
- package/.github/skills/test-case-validator/prompts/11-final-report-assembly.md +57 -0
- package/.github/skills/test-case-validator/templates/coverage-table.md +25 -0
- package/.github/skills/test-case-validator/templates/executive-summary.md +38 -0
- package/.github/skills/test-case-validator/templates/final-summary-block.md +87 -0
- package/.github/skills/test-case-validator/templates/observation-entry.md +41 -0
- package/.github/skills/test-case-validator/templates/rtm-row.md +25 -0
- package/.github/skills/validation-engine-builder/README.md +50 -0
- package/.github/skills/validation-engine-builder/SKILL.md +241 -0
- package/.github/skills/validation-engine-builder/references/core.md +158 -0
- package/.github/skills/validation-engine-builder/references/platform-angular.md +166 -0
- package/.github/skills/validation-engine-builder/references/platform-flutter.md +118 -0
- package/.github/skills/validation-engine-builder/references/platform-react-native.md +170 -0
- package/.github/skills/validation-engine-builder/references/platform-react.md +94 -0
- package/.github/skills/validation-engine-builder/scripts/apply-to-project.js +80 -0
- package/.github/skills/validation-engine-builder/scripts/generate-angular.js +271 -0
- package/.github/skills/validation-engine-builder/scripts/generate-flutter.js +298 -0
- package/.github/skills/validation-engine-builder/scripts/generate-react-native.js +217 -0
- package/.github/skills/validation-engine-builder/scripts/generate-react.js +163 -0
- package/.github/skills/validation-engine-builder/scripts/install-deps.js +53 -0
- package/.github/skills/validation-engine-builder/scripts/shared/detect-platform.js +68 -0
- package/.github/skills/validation-engine-builder/scripts/shared/npm-deps.js +103 -0
- package/.github/skills/validation-engine-builder/scripts/shared/rhf-hook.js +43 -0
- package/.github/skills/validation-engine-builder/scripts/shared/ts-messages-regex.js +62 -0
- package/.github/skills/validation-engine-builder/scripts/shared/util.js +44 -0
- package/.github/skills/validation-engine-builder/scripts/shared/yup-schemas.js +80 -0
- package/.github/skills/validation-engine-builder/template.md +73 -0
- package/.github/skills/validation-engine-builder/templates/messages.json +22 -0
- package/.github/skills/validation-engine-builder/templates/regex.json +16 -0
- package/.github/skills/validation-engine-builder/templates/schemas.json +48 -0
- package/bin/index.js +145 -0
- package/package.json +22 -0
- package/readme.md +0 -0
|
@@ -0,0 +1,467 @@
|
|
|
1
|
+
# Config Questionnaire
|
|
2
|
+
|
|
3
|
+
Collect all answers before writing any files.
|
|
4
|
+
Apply documented defaults automatically for unanswered non-critical fields.
|
|
5
|
+
Block implementation only when a security-critical value has no safe default (e.g. RSA public key in env mode).
|
|
6
|
+
|
|
7
|
+
> **Questioning rule**: Ask questions **one at a time**. Present a single question, wait for the answer, then proceed to the next. Never bundle multiple questions into a single prompt.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Pre-Question: React Native Version Check (React Native projects only)
|
|
12
|
+
|
|
13
|
+
Before asking encryption questions, verify the RN version and existing dependencies:
|
|
14
|
+
|
|
15
|
+
```bash
|
|
16
|
+
node -p "require('./package.json').dependencies['react-native']"
|
|
17
|
+
npm ls react-native-quick-crypto react-native-nitro-modules react-native-worklets buffer 2>&1
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
If RN >= 0.76 and quick-crypto >= 1.0: `react-native-nitro-modules` and `react-native-worklets` MUST be installed as peer deps.
|
|
21
|
+
If RN < 0.76 or quick-crypto < 1.0: Nitro Modules is NOT needed.
|
|
22
|
+
|
|
23
|
+
---
|
|
24
|
+
|
|
25
|
+
## Question 0 — Platform (Ask First)
|
|
26
|
+
|
|
27
|
+
Which platform is this project?
|
|
28
|
+
- Default: react-native
|
|
29
|
+
- Options: angular, web, node, android, ios, flutter, react, react-native
|
|
30
|
+
|
|
31
|
+
Validate against `assets/platform-matrix.json` before proceeding.
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## Question 0a — React JS Production Mode Detection (React platform only)
|
|
36
|
+
|
|
37
|
+
Is this a React JS (web browser) project that needs production-grade encryption?
|
|
38
|
+
- If yes and user wants full request/response lifecycle with Web Crypto API → **recommend approach 7**
|
|
39
|
+
- If yes and user wants a quick/simple setup → approaches 1, 2, or 3 remain valid
|
|
40
|
+
- Default: if platform is `react` and no preference stated, ask this question before Question 1
|
|
41
|
+
|
|
42
|
+
> Approach 7 uses the built-in Web Crypto API (no extra crypto packages). It handles both request encryption and response decryption, supports RSA-OAEP and ECDH-Session modes, and enforces browser-safe storage — suitable for production deployments.
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## Question 0b — Encryption Model (React Native only — ask before approach)
|
|
47
|
+
|
|
48
|
+
Which encryption model should be used?
|
|
49
|
+
- Default: **RSA**
|
|
50
|
+
- **RSA** — AES session key wrapped with server's RSA public key (RSA-OAEP). Proven, PEM format. → approaches 4/5
|
|
51
|
+
- **EC (ECDH)** — AES session key derived via ECDH P-256 + HKDF-SHA256. Ephemeral key pair per request; only the 65-byte uncompressed public key is transmitted — the derived AES key is never sent. → approach 6
|
|
52
|
+
|
|
53
|
+
> If user does not answer, default to **RSA** and proceed.
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
## Question 1 — Approach
|
|
58
|
+
|
|
59
|
+
Which encryption approach should be used?
|
|
60
|
+
|
|
61
|
+
| # | Mode | Description |
|
|
62
|
+
|---|------|-------------|
|
|
63
|
+
| 1 | RSA-OAEP + AES-256-GCM | Web Crypto API (angular, web, ios) |
|
|
64
|
+
| 2 | RSA + AES-256-CBC | jsencrypt + crypto-js |
|
|
65
|
+
| 3 | AES-256-CBC shared key | crypto-js only |
|
|
66
|
+
| 4 | **Production JS (React Native)** | AES-256-GCM + RSA-OAEP via react-native-quick-crypto, per-request ephemeral keys, response decryption, keychain |
|
|
67
|
+
| 5 | **Production Native (React Native)** | OS-level crypto: javax.crypto.Cipher (Android) + CryptoKit (iOS) |
|
|
68
|
+
| 6 | **EC / ECDH (React Native)** | ECDH P-256 + HKDF-SHA256 + AES-256-GCM; per-request or session-init; EC+Native reuses NativeCryptoModule |
|
|
69
|
+
| 7 | **React JS Web Production** | AES-256-GCM + RSA-OAEP or ECDH-Session via built-in Web Crypto API; per-request ephemeral keys; response decryption; browser-safe storage; zero extra crypto packages |
|
|
70
|
+
|
|
71
|
+
Default (React Native): approach 4
|
|
72
|
+
Default (React / other platforms): lowest valid approach for the platform
|
|
73
|
+
|
|
74
|
+
Validate against `platform.approaches[]` in `platform-matrix.json`.
|
|
75
|
+
|
|
76
|
+
---
|
|
77
|
+
|
|
78
|
+
## Question 2 — Encryption Layer (React Native approaches 4, 5, and 6)
|
|
79
|
+
|
|
80
|
+
Which encryption layer should be used?
|
|
81
|
+
- Default: React Native (JS) → approach 4 (RSA) or 6 (EC)
|
|
82
|
+
- **React Native (JS)** — crypto runs in JavaScript using `react-native-quick-crypto`. Simpler setup.
|
|
83
|
+
- **Native** — AES runs in the OS-level engine. For RSA: `javax.crypto.Cipher` (Android) + CryptoKit (iOS) → approach 5. For EC: ECDH+HKDF run in JS; only AES runs natively (reuses existing `NativeCryptoModule`).
|
|
84
|
+
|
|
85
|
+
If user omits this answer, apply default (React Native JS) and continue.
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Question 3 — RSA Padding (Approaches 1, 2, 4, 5)
|
|
90
|
+
|
|
91
|
+
Which RSA padding should be used?
|
|
92
|
+
- Default: RSA-OAEP
|
|
93
|
+
- **RSA-OAEP** (mandatory — use this unless there is a documented legacy constraint)
|
|
94
|
+
- RSA PKCS1 v1.5 (legacy only — requires explicit written approval; not acceptable for new deployments in 2026)
|
|
95
|
+
|
|
96
|
+
---
|
|
97
|
+
|
|
98
|
+
## Question 4 — RSA Public Key Source (Approaches 1, 2, 4, 5)
|
|
99
|
+
|
|
100
|
+
Where should the RSA public key come from?
|
|
101
|
+
- Default: API
|
|
102
|
+
- **API** (recommended — fetched at runtime, cached in memory, refreshable)
|
|
103
|
+
- Environment variable (embedded as PEM/Base64 in `.env`)
|
|
104
|
+
|
|
105
|
+
---
|
|
106
|
+
|
|
107
|
+
## Question 5 — If API Source Selected
|
|
108
|
+
|
|
109
|
+
a. Public key endpoint URL
|
|
110
|
+
- Default: `<API_BASE_URL>/api/security/public-key`
|
|
111
|
+
|
|
112
|
+
b. Response format
|
|
113
|
+
- Default: `{ public_key: string, key_id: string, expires_at?: string }`
|
|
114
|
+
|
|
115
|
+
c. Cache key in memory?
|
|
116
|
+
- Default: Yes
|
|
117
|
+
|
|
118
|
+
d. Retry count on fetch failure
|
|
119
|
+
- Default: 3
|
|
120
|
+
|
|
121
|
+
---
|
|
122
|
+
|
|
123
|
+
## Question 6 — If Environment Source Selected
|
|
124
|
+
|
|
125
|
+
a. RSA public key value (PEM starting with `-----BEGIN PUBLIC KEY-----`)
|
|
126
|
+
- Default: none — must be provided
|
|
127
|
+
- Validate PEM headers before accepting
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Question 7 — Shared Key (Approach 3 only)
|
|
132
|
+
|
|
133
|
+
Enter the shared secret key.
|
|
134
|
+
- Minimum: 32 characters
|
|
135
|
+
- Default: none — must be provided
|
|
136
|
+
- Validate length before accepting
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
## Question 8 — API Client Type (Approaches 4 and 5)
|
|
141
|
+
|
|
142
|
+
Which API client is used?
|
|
143
|
+
- Default: Axios
|
|
144
|
+
- Axios
|
|
145
|
+
- Fetch
|
|
146
|
+
- Custom service layer
|
|
147
|
+
|
|
148
|
+
---
|
|
149
|
+
|
|
150
|
+
## Question 9 — API Layer Path (Approaches 4 and 5)
|
|
151
|
+
|
|
152
|
+
Where is the API layer file located?
|
|
153
|
+
- Default: `src/services/api.ts`
|
|
154
|
+
- Validate the path exists in the project before accepting
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
## Question 10 — Secure Storage (Approaches 4 and 5)
|
|
159
|
+
|
|
160
|
+
Confirm secure storage with react-native-keychain for:
|
|
161
|
+
- Tokens: Default Yes
|
|
162
|
+
- Sensitive persisted data: Default Yes
|
|
163
|
+
|
|
164
|
+
---
|
|
165
|
+
|
|
166
|
+
## Question 11 — Encryption Toggle Policy
|
|
167
|
+
|
|
168
|
+
Should encryption be:
|
|
169
|
+
- Default: Controlled by env flag (`ENCRYPTION_ENABLED`)
|
|
170
|
+
- **Controlled by env flag** (recommended — allows disabling in dev)
|
|
171
|
+
- Always enabled
|
|
172
|
+
|
|
173
|
+
---
|
|
174
|
+
|
|
175
|
+
## Question 12 — Platform Scope (React Native)
|
|
176
|
+
|
|
177
|
+
Which platforms should encryption be applied to?
|
|
178
|
+
- Default: Both Android and iOS
|
|
179
|
+
- Both Android and iOS
|
|
180
|
+
- Android only
|
|
181
|
+
- iOS only
|
|
182
|
+
|
|
183
|
+
---
|
|
184
|
+
|
|
185
|
+
## Question 13 — Minimum iOS Version (Approach 5 only)
|
|
186
|
+
|
|
187
|
+
What is the minimum iOS deployment target?
|
|
188
|
+
- Default: 13 (required for CryptoKit)
|
|
189
|
+
- If below 13: plan CommonCrypto fallback (`CCCryptorGCM` for AES-GCM + `SecKeyCreateEncryptedData` for RSA-OAEP)
|
|
190
|
+
|
|
191
|
+
---
|
|
192
|
+
|
|
193
|
+
## Question 14 — Android Package (Approach 5 only)
|
|
194
|
+
|
|
195
|
+
Android Kotlin package name for NativeCryptoModule.
|
|
196
|
+
- Default: `com.example.security`
|
|
197
|
+
|
|
198
|
+
Also verify `minSdkVersion >= 23` in `android/app/build.gradle` before proceeding.
|
|
199
|
+
|
|
200
|
+
---
|
|
201
|
+
|
|
202
|
+
## Question 15 — HMAC Request Signing
|
|
203
|
+
|
|
204
|
+
Enable HMAC-SHA256 request signing?
|
|
205
|
+
- Default: No
|
|
206
|
+
- If Yes: set `ENCRYPTION_HMAC_SECRET` as an env var at runtime — never hardcode or commit
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## Question 16 — URL Exclusions
|
|
211
|
+
|
|
212
|
+
Are there any URL prefixes that should bypass encryption?
|
|
213
|
+
- Default: none
|
|
214
|
+
- Example: `/api/auth/login, /api/health, /api/public`
|
|
215
|
+
|
|
216
|
+
---
|
|
217
|
+
|
|
218
|
+
## Questions for Approach 7 (React JS Web Production Mode)
|
|
219
|
+
|
|
220
|
+
Ask these questions only when `platform = react` and `approach = 7`. Ask one at a time.
|
|
221
|
+
|
|
222
|
+
### Q7-1 — Web Encryption Mode
|
|
223
|
+
|
|
224
|
+
Which encryption mode should be used?
|
|
225
|
+
- Default: **RSA-OAEP**
|
|
226
|
+
- **RSA-OAEP** — per-request ephemeral AES-256-GCM key wrapped with server RSA public key; simpler setup
|
|
227
|
+
- **ECDH-Session** — ECDH P-256 + HKDF-SHA256 + AES-256-GCM; session key derived once at init; cleaner for long-lived sessions
|
|
228
|
+
|
|
229
|
+
### Q7-2 — Framework / Bundler
|
|
230
|
+
|
|
231
|
+
Which framework or bundler is used?
|
|
232
|
+
- Default: none — must be detected or confirmed
|
|
233
|
+
- **Vite** → env prefix `VITE_`
|
|
234
|
+
- **Create React App (CRA)** → env prefix `REACT_APP_`
|
|
235
|
+
- **Next.js** → env prefix `NEXT_PUBLIC_`
|
|
236
|
+
|
|
237
|
+
> This determines the correct env variable prefix for all feature flags.
|
|
238
|
+
|
|
239
|
+
### Q7-3 — Token Storage
|
|
240
|
+
|
|
241
|
+
How should auth tokens be stored?
|
|
242
|
+
- Default: **sessionStorage**
|
|
243
|
+
- **sessionStorage** — clears on tab close; suitable for most SPAs
|
|
244
|
+
- **HTTP-only cookie** — server sets cookie; browser never exposes it to JS; recommended for high-security apps
|
|
245
|
+
- **localStorage** — FORBIDDEN for tokens or session material; never use for approach 7
|
|
246
|
+
|
|
247
|
+
### Q7-4 — RSA Public Key Source (RSA-OAEP mode only)
|
|
248
|
+
|
|
249
|
+
Where should the RSA public key come from?
|
|
250
|
+
- Default: API
|
|
251
|
+
- **API** — fetched at runtime, cached in memory, refreshable
|
|
252
|
+
- **Environment variable** — embedded as PEM/Base64 in `.env.*`
|
|
253
|
+
|
|
254
|
+
### Q7-5 — RSA Public Key Endpoint (RSA-OAEP API source only)
|
|
255
|
+
|
|
256
|
+
What is the public key endpoint URL?
|
|
257
|
+
- Default: `<API_BASE_URL>/api/security/public-key`
|
|
258
|
+
- Response format default: `{ public_key: string, key_id: string, expires_at?: string }`
|
|
259
|
+
|
|
260
|
+
### Q7-6 — ECDH-Session Blocking Questions (ECDH-Session mode only)
|
|
261
|
+
|
|
262
|
+
ALL fields are backend-specific and have no safe defaults. Ask each one individually and do not proceed until all are provided:
|
|
263
|
+
|
|
264
|
+
- Q7-6a: Session init endpoint URL
|
|
265
|
+
- Q7-6b: HKDF `info` string (do NOT assume `'enc'`)
|
|
266
|
+
- Q7-6c: AAD required? If yes, provide the canonical JSON shape (alphabetically sorted key order)
|
|
267
|
+
- Q7-6d: Response encoding (standard base64 or base64url)
|
|
268
|
+
- Q7-6e: Device ID source (how `device_id` is generated or retrieved)
|
|
269
|
+
- Q7-6f: Session restore strategy (reload from `sessionStorage` JWK or re-initiate session)
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
## Confirmed Configuration Snapshot
|
|
274
|
+
|
|
275
|
+
Record before implementation:
|
|
276
|
+
|
|
277
|
+
| Field | Value |
|
|
278
|
+
|-------|-------|
|
|
279
|
+
| Platform | |
|
|
280
|
+
| Approach | |
|
|
281
|
+
| Encryption layer (RN only) | |
|
|
282
|
+
| RSA padding | RSA-OAEP |
|
|
283
|
+
| RSA key source | API |
|
|
284
|
+
| RSA key endpoint | `<API_BASE_URL>/api/security/public-key` |
|
|
285
|
+
| RSA key retries | 3 |
|
|
286
|
+
| API client | Axios |
|
|
287
|
+
| API layer path | src/services/api.ts |
|
|
288
|
+
| Encryption toggle | env-flag |
|
|
289
|
+
| HMAC signing | No |
|
|
290
|
+
| URL exclusions | (none) |
|
|
291
|
+
| Min iOS version (approach 5) | 13 |
|
|
292
|
+
| Android package (approach 5) | com.example.security |
|
|
293
|
+
| Encryption model (approach 6) | ec |
|
|
294
|
+
| EC contract type (approach 6) | per-request |
|
|
295
|
+
| EC key endpoint (approach 6) | `<API_BASE_URL>/api/security/ec-public-key` |
|
|
296
|
+
| EC HKDF info string (session-init only) | **no default — must be confirmed** |
|
|
297
|
+
| EC nonce format/length (session-init only) | **no default — must be confirmed** |
|
|
298
|
+
| EC AAD required + shape (session-init only) | **no default — must be confirmed** |
|
|
299
|
+
| EC response IV source (session-init only) | **no default — must be confirmed** |
|
|
300
|
+
| Web encryption mode (approach 7) | RSA-OAEP |
|
|
301
|
+
| Framework/bundler (approach 7) | **must be detected or confirmed** |
|
|
302
|
+
| Token storage (approach 7) | sessionStorage |
|
|
303
|
+
| RSA key endpoint (approach 7) | `<API_BASE_URL>/api/security/public-key` |
|
|
304
|
+
| ECDH session init URL (approach 7, ECDH-Session) | **no default — must be confirmed** |
|
|
305
|
+
| ECDH HKDF info string (approach 7, ECDH-Session) | **no default — must be confirmed** |
|
|
306
|
+
| ECDH AAD shape (approach 7, ECDH-Session) | **no default — must be confirmed** |
|
|
307
|
+
|
|
308
|
+
---
|
|
309
|
+
|
|
310
|
+
## Required Answers — EC + React Native JS mode (Approach 6 / encryptionModel = ec)
|
|
311
|
+
|
|
312
|
+
1. EC curve selection
|
|
313
|
+
- Default: P-256 (secp256r1)
|
|
314
|
+
- Options: P-256 / P-384 / P-521
|
|
315
|
+
|
|
316
|
+
1a. EC contract type
|
|
317
|
+
- Default: per-request
|
|
318
|
+
- **Per-request EC** — fresh ephemeral key pair per API call; HKDF salt = per-request nonce
|
|
319
|
+
- **Session-init EC** — shared session AES key derived once at login; reused across requests
|
|
320
|
+
|
|
321
|
+
1b. If session-init EC selected (ALL fields are blocking — ask each one individually, no defaults):
|
|
322
|
+
|
|
323
|
+
- Q-SI-1: Session init endpoint URL
|
|
324
|
+
- Q-SI-2: Token/session endpoint URL
|
|
325
|
+
- Q-SI-3: Required API call order (default: initEncryptionSession → createSession → encrypted business APIs)
|
|
326
|
+
- Q-SI-4: Is `encrypted_shared_aes_key` from the init response used or ignored by the reference client?
|
|
327
|
+
- Q-SI-5: Exact HKDF `info` string (backend-specific — do NOT assume `'enc'`)
|
|
328
|
+
- Q-SI-6: Exact AAD JSON shape (if AAD is required by AES-GCM)
|
|
329
|
+
- Q-SI-7: Response IV source (nonce-as-IV, separate `iv` field, or other)
|
|
330
|
+
- Q-SI-8: Response payload encoding (standard base64 or base64url)
|
|
331
|
+
- Q-SI-9: Response payload structure (ciphertext \|\| tag, or IV \|\| ciphertext \|\| tag)
|
|
332
|
+
- Q-SI-10: Nonce format
|
|
333
|
+
- Q-SI-11: Nonce length
|
|
334
|
+
- Q-SI-12: Nonce character set restrictions
|
|
335
|
+
- Q-SI-13: Is there a reference client (Flutter, web, etc.) to verify against?
|
|
336
|
+
- Q-SI-14: Which `Buffer` package is installed: (verify `npm ls buffer`)
|
|
337
|
+
- Q-SI-15: `DEVICE_ID_SOURCE` — how is the stable `device_id` generated or retrieved
|
|
338
|
+
|
|
339
|
+
2. EC public key source
|
|
340
|
+
- Default: API
|
|
341
|
+
- API or Environment variable
|
|
342
|
+
|
|
343
|
+
3. If API source selected:
|
|
344
|
+
- Endpoint URL: default `<API_BASE_URL>/api/security/ec-public-key`
|
|
345
|
+
- Response format: default `{ public_key: string, key_id: string, expires_at?: string }` where `public_key` is base64(65-byte uncompressed P-256 point)
|
|
346
|
+
- Cache in memory: default Yes
|
|
347
|
+
- Retry count: default 3
|
|
348
|
+
|
|
349
|
+
4. If Environment source selected:
|
|
350
|
+
- EC public key value (base64, 65 bytes, first decoded byte must be `0x04`):
|
|
351
|
+
- Format validated: default Yes
|
|
352
|
+
|
|
353
|
+
5. API client type: default Axios
|
|
354
|
+
6. API layer path: default `src/services/api.ts`
|
|
355
|
+
7. Secure storage (react-native-keychain): default Yes
|
|
356
|
+
8. Encryption toggle: default env-controlled (`ENCRYPTION_MODEL=ec`)
|
|
357
|
+
9. Platform scope: default Android + iOS
|
|
358
|
+
10. HMAC signing: default No
|
|
359
|
+
|
|
360
|
+
## Validation Status — EC + JS mode
|
|
361
|
+
|
|
362
|
+
- [ ] Encryption model: EC
|
|
363
|
+
- [ ] EC contract type confirmed: per-request / session-init
|
|
364
|
+
- [ ] EC public key format valid (65 bytes, first byte 0x04)
|
|
365
|
+
- [ ] EC public key endpoint is HTTPS (if API source)
|
|
366
|
+
- [ ] Session-init: HKDF `info` string confirmed
|
|
367
|
+
- [ ] Session-init: AAD shape confirmed or confirmed not required
|
|
368
|
+
- [ ] Session-init: nonce length/format confirmed
|
|
369
|
+
- [ ] Session-init: response IV source confirmed
|
|
370
|
+
- [ ] API layer path exists in project
|
|
371
|
+
- [ ] All required answers received
|
|
372
|
+
- [ ] Approved to proceed: Yes
|
|
373
|
+
|
|
374
|
+
---
|
|
375
|
+
|
|
376
|
+
## Required Answers — EC + Native mode (Approach 6 + encryptionLayer = native)
|
|
377
|
+
|
|
378
|
+
1. EC curve selection
|
|
379
|
+
- Default: P-256 (secp256r1)
|
|
380
|
+
|
|
381
|
+
1a. EC contract type
|
|
382
|
+
- **REQUIRED — ask developer, no default**
|
|
383
|
+
- Per-request EC or session-init EC
|
|
384
|
+
|
|
385
|
+
1b. If session-init EC selected (ALL fields are blocking — ask each one individually, no defaults):
|
|
386
|
+
|
|
387
|
+
- Q-SI-1: Session init endpoint URL (`SESSION_INIT_ENDPOINT`): must be provided
|
|
388
|
+
- Q-SI-2: Token/session endpoint URL (`CREATE_SESSION_ENDPOINT`): must be provided
|
|
389
|
+
- Q-SI-3: Required API call order (default: initEncryptionSession → createSession → encrypted business APIs)
|
|
390
|
+
- Q-SI-4: Exact HKDF `info` string (`HKDF_INFO`): must be provided — do NOT assume `'enc'`
|
|
391
|
+
- Q-SI-5: Exact AAD JSON shape (`AAD_SHAPE`): must be provided if AAD is required
|
|
392
|
+
- Q-SI-6: Response IV source (nonce-as-IV, separate `iv` field, or other): must be provided
|
|
393
|
+
- Q-SI-7: Response payload encoding (`RESPONSE_ENCODING` — standard base64 or base64url): must be confirmed
|
|
394
|
+
- Q-SI-8: Response payload structure (ciphertext \|\| tag, or IV \|\| ciphertext \|\| tag): must be provided
|
|
395
|
+
- Q-SI-9: Nonce format (`NONCE_FORMAT`): must be provided explicitly
|
|
396
|
+
- Q-SI-10: Nonce length: must be provided explicitly
|
|
397
|
+
- Q-SI-11: Nonce character set restrictions: must be provided explicitly
|
|
398
|
+
- Q-SI-12: `DEVICE_ID_SOURCE` — how is the stable `device_id` generated or retrieved: must be provided
|
|
399
|
+
- Q-SI-13: `encrypted_shared_aes_key` handling (used / ignored): must be confirmed
|
|
400
|
+
- Q-SI-14: Which `Buffer` package is installed: (verify `npm ls buffer`)
|
|
401
|
+
- Q-SI-15: Is there a reference client (Flutter, web, etc.) to verify against: ask backend team
|
|
402
|
+
|
|
403
|
+
2. EC public key source: default API
|
|
404
|
+
3. If API source selected: endpoint URL, response format `{ public_key, key_id, expires_at? }`, cache (yes), retries (3)
|
|
405
|
+
4. If Environment source selected: base64 65-byte uncompressed P-256 point, first byte must be `0x04`
|
|
406
|
+
5. Minimum iOS version: default 13 (CryptoKit)
|
|
407
|
+
6. API client type: default Axios
|
|
408
|
+
7. API layer path: default `src/services/api.ts`
|
|
409
|
+
8. Secure storage: default Yes (react-native-keychain)
|
|
410
|
+
9. Encryption toggle: default env-controlled (`ENCRYPTION_MODEL=ec`, `ENCRYPTION_LAYER=native`)
|
|
411
|
+
10. Platform scope: default Android + iOS
|
|
412
|
+
11. HMAC signing: default No
|
|
413
|
+
|
|
414
|
+
> Note: EC + Native does NOT require new Kotlin/Swift files. ECDH + HKDF run in JS; only AES runs in the existing NativeCryptoModule.
|
|
415
|
+
|
|
416
|
+
## Validation Status — EC + Native mode
|
|
417
|
+
|
|
418
|
+
- [ ] Android minSdkVersion >= 23
|
|
419
|
+
- [ ] iOS deployment target >= 13.0 confirmed
|
|
420
|
+
- [ ] Existing NativeCryptoModule confirmed accessible from JS
|
|
421
|
+
- [ ] EC public key format valid (65 bytes, first byte 0x04)
|
|
422
|
+
- [ ] EC public key source URL is HTTPS (if API)
|
|
423
|
+
- [ ] EC contract type confirmed (per-request / session-init)
|
|
424
|
+
- [ ] Session-init endpoints confirmed (if session-init): SESSION_INIT_ENDPOINT / CREATE_SESSION_ENDPOINT
|
|
425
|
+
- [ ] HKDF `info` string confirmed (if session-init)
|
|
426
|
+
- [ ] AAD contract confirmed (if session-init)
|
|
427
|
+
- [ ] Nonce length/format confirmed (if session-init)
|
|
428
|
+
- [ ] Response encoding confirmed (if session-init)
|
|
429
|
+
- [ ] DEVICE_ID_SOURCE confirmed (if session-init)
|
|
430
|
+
- [ ] All required answers received
|
|
431
|
+
- [ ] Approved to proceed: Yes
|
|
432
|
+
|
|
433
|
+
---
|
|
434
|
+
|
|
435
|
+
## Validation Status (All other platforms / approaches 1–5)
|
|
436
|
+
|
|
437
|
+
- [ ] Platform confirmed and exists in `platform-matrix.json`
|
|
438
|
+
- [ ] Approach valid for this platform
|
|
439
|
+
- [ ] All RSA key source inputs validated (HTTPS URLs, PEM headers if env mode)
|
|
440
|
+
- [ ] Shared key >= 32 characters (approach 3)
|
|
441
|
+
- [ ] API layer path exists in project
|
|
442
|
+
- [ ] Android `minSdkVersion >= 23` confirmed (approach 5)
|
|
443
|
+
- [ ] iOS deployment target confirmed / fallback planned (approach 5)
|
|
444
|
+
- [ ] `privateKeyPem` refused for angular/web platforms
|
|
445
|
+
- [ ] Approved to proceed with implementation: Yes
|
|
446
|
+
|
|
447
|
+
---
|
|
448
|
+
|
|
449
|
+
## Validation Status — React JS Web Production Mode (Approach 7)
|
|
450
|
+
|
|
451
|
+
- [ ] Platform confirmed: `react`
|
|
452
|
+
- [ ] Approach 7 valid for react platform (check `platform-matrix.json`)
|
|
453
|
+
- [ ] App is served over HTTPS or localhost (`crypto.subtle` unavailable on plain HTTP)
|
|
454
|
+
- [ ] Framework/bundler detected: Vite / CRA / Next.js (env prefix confirmed)
|
|
455
|
+
- [ ] `tsconfig.json` includes `"DOM"` in `lib`
|
|
456
|
+
- [ ] Web encryption mode confirmed: RSA-OAEP / ECDH-Session
|
|
457
|
+
- [ ] RSA-OAEP: public key endpoint is HTTPS (if API source)
|
|
458
|
+
- [ ] RSA-OAEP: PEM headers valid (if env source)
|
|
459
|
+
- [ ] No `crypto-js`, `node-forge`, or Buffer polyfill in dependencies
|
|
460
|
+
- [ ] Token storage confirmed: sessionStorage / HTTP-only cookie (localStorage rejected)
|
|
461
|
+
- [ ] ECDH-Session: session init URL confirmed (if ECDH-Session mode)
|
|
462
|
+
- [ ] ECDH-Session: HKDF `info` string confirmed (if ECDH-Session mode)
|
|
463
|
+
- [ ] ECDH-Session: AAD shape confirmed or confirmed not required (if ECDH-Session mode)
|
|
464
|
+
- [ ] ECDH-Session: device ID source confirmed (if ECDH-Session mode)
|
|
465
|
+
- [ ] HMAC secret in env var only — never hardcoded
|
|
466
|
+
- [ ] All required answers received
|
|
467
|
+
- [ ] Approved to proceed: Yes
|
|
@@ -0,0 +1,206 @@
|
|
|
1
|
+
# Delivery Checklist
|
|
2
|
+
|
|
3
|
+
Mark each item complete before marking the implementation finished.
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## Setup
|
|
8
|
+
|
|
9
|
+
- [ ] `detect.js` ran and result noted (FOUND / NOT_FOUND).
|
|
10
|
+
- [ ] Detection mode selected: replace / reuse / refactor.
|
|
11
|
+
- [ ] Platform confirmed and validated against `platform-matrix.json`.
|
|
12
|
+
- [ ] Approach confirmed and validated against allowed approaches for the platform.
|
|
13
|
+
- [ ] All required inputs collected and validated (PEM format, key length, HTTPS URLs).
|
|
14
|
+
- [ ] Encryption model confirmed (RSA / EC).
|
|
15
|
+
- [ ] Encryption layer confirmed (React Native JS / Native).
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## Dependencies (React Native JS Mode — all approaches)
|
|
20
|
+
|
|
21
|
+
- [ ] react-native-quick-crypto installed and verified.
|
|
22
|
+
- [ ] react-native-nitro-modules installed explicitly (required peer dep of quick-crypto >= 1.0 / RN >= 0.76).
|
|
23
|
+
- [ ] react-native-worklets installed explicitly (required peer dep of quick-crypto >= 1.0 / RN >= 0.76).
|
|
24
|
+
- [ ] react-native-quick-base64 present (auto-installed by quick-crypto — verify with `npm ls react-native-quick-base64`).
|
|
25
|
+
- [ ] buffer package installed (>= 6.0.0) — required for EC mode and session-init helpers.
|
|
26
|
+
- [ ] `npm ls react-native-nitro-modules` does NOT show `UNMET PEER DEP`.
|
|
27
|
+
- [ ] Android `.cxx` cache cleared after native module changes.
|
|
28
|
+
- [ ] Android clean build completed successfully.
|
|
29
|
+
- [ ] iOS pod install completed successfully.
|
|
30
|
+
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## Implementation — All Platforms
|
|
34
|
+
|
|
35
|
+
- [ ] Config file written (`encryption.config.ts` / `EncryptionConfig.kt` / `EncryptionConfig.swift` / `EncryptionConfig.dart`).
|
|
36
|
+
- [ ] Service file written (`EncryptionService` with `encrypt` method, and `decrypt` where applicable).
|
|
37
|
+
- [ ] Interceptor / middleware written and wired into the HTTP layer.
|
|
38
|
+
- [ ] Module wiring patched (AppModule / axiosInstance / OkHttpClient / Podfile / Dio).
|
|
39
|
+
- [ ] `ENCRYPTION_INTERCEPTOR_PLACEHOLDER` marker present (for future patching).
|
|
40
|
+
|
|
41
|
+
## Implementation — React Native Approaches 4 and 5
|
|
42
|
+
|
|
43
|
+
- [ ] `src/services/security/types.ts` written (`EncryptedEnvelope`, `EncryptedResponse`).
|
|
44
|
+
- [ ] `src/services/security/encryption.service.ts` written (AES-256-GCM per-request encrypt).
|
|
45
|
+
- [ ] `src/services/security/decryption.service.ts` written (AES-256-GCM decrypt + auth tag split).
|
|
46
|
+
- [ ] `src/services/security/rsa-key.service.ts` written (fetch / cache / retry).
|
|
47
|
+
- [ ] `src/services/security/keychain.service.ts` written (`react-native-keychain` wrapper).
|
|
48
|
+
- [ ] `src/services/security/hmac.service.ts` written (even if HMAC disabled — ready for activation).
|
|
49
|
+
- [ ] `src/services/security/encryption-config.ts` written (feature flags + env references).
|
|
50
|
+
- [ ] Request interceptor written (encrypt POST/PUT/PATCH, store in request map, set `X-Request-Id`).
|
|
51
|
+
- [ ] Response interceptor written (decrypt using request map key, clean up map on success and failure).
|
|
52
|
+
- [ ] `index.js` patched with `react-native-get-random-values` polyfill as first import.
|
|
53
|
+
- [ ] `axiosInstance.ts` wired with `applyProductionEncryptionInterceptor`.
|
|
54
|
+
|
|
55
|
+
## Implementation — Native Mode (Approach 5) Additional
|
|
56
|
+
|
|
57
|
+
- [ ] `NativeCryptoModule.kt` created (`encryptAES`, `decryptAES`, `encryptRSA`).
|
|
58
|
+
- [ ] `NativeCryptoPackage.kt` created and `NativeCryptoPackage` registered in `MainApplication`.
|
|
59
|
+
- [ ] `NativeCryptoModule.swift` created using `do/try/catch` — no `try!` allowed.
|
|
60
|
+
- [ ] `NativeCryptoModule.m` Objective-C bridge file created.
|
|
61
|
+
- [ ] `src/services/security/native-crypto.module.ts` JS bridge interface created.
|
|
62
|
+
- [ ] Interceptors updated to call `nativeEncryptAES` / `nativeDecryptAES` / `nativeEncryptRSA`.
|
|
63
|
+
- [ ] `ENCRYPTION_LAYER=native` added to `.env`.
|
|
64
|
+
- [ ] Pod install completed (iOS).
|
|
65
|
+
- [ ] Gradle sync completed (Android).
|
|
66
|
+
- [ ] `NativeModules.NativeCryptoModule` confirmed accessible from JS.
|
|
67
|
+
|
|
68
|
+
## Implementation — EC + React Native JS Mode (Approach 6, per-request)
|
|
69
|
+
|
|
70
|
+
- [ ] `EcPublicKeyResponse`, `EcEncryptedEnvelope`, and `RequestCryptoMaterial` types added to `types.ts`.
|
|
71
|
+
- [ ] `ec-key.service.ts` created (EC public key fetch / validate / cache / retry with 65-byte point check).
|
|
72
|
+
- [ ] `ec-crypto.util.ts` created (`ecEncryptPayload`, `ecDeriveKey`, HKDF-SHA256).
|
|
73
|
+
- [ ] `toBase64()`, `toBuffer()`, `byteCopy()` helpers included — NOT using `Buffer.toString('base64')` on Hermes.
|
|
74
|
+
- [ ] Dual Buffer imports: `Buffer from 'buffer'` + `Buffer as QCBuffer from 'react-native-quick-crypto'`.
|
|
75
|
+
- [ ] `ENCRYPTION_MODEL` routing added to `api.ts` (rsa vs ec branches).
|
|
76
|
+
- [ ] `KEY_ID_NOT_FOUND` (401) handler routes to `EcKeyService.refreshPublicKey` when EC model.
|
|
77
|
+
- [ ] Ephemeral EC key pair discarded immediately after `computeSecret()`.
|
|
78
|
+
- [ ] Derived AES key is NEVER transmitted — only `ephemeral_public_key` sent in envelope.
|
|
79
|
+
- [ ] Feature flags wired: `ENCRYPTION_MODEL=ec`, `EC_PUBLIC_KEY_ENDPOINT`, `EC_KEY_RETRY`.
|
|
80
|
+
- [ ] `[If HMAC_ENABLED=true]` `hmac.service.ts` injected into request interceptor after envelope is built.
|
|
81
|
+
|
|
82
|
+
## Implementation — EC + React Native JS Mode (Approach 6, session-init)
|
|
83
|
+
|
|
84
|
+
- [ ] All items from per-request EC section above.
|
|
85
|
+
- [ ] Stateful auth service class created, holding `sessionAesKey`, `encryptionKeyId`, `sessionDeviceId`.
|
|
86
|
+
- [ ] `deriveSessionKey()` uses backend-confirmed HKDF info string (NOT hardcoded `'enc'`).
|
|
87
|
+
- [ ] `buildSessionAad()` uses canonical JSON with alphabetically sorted keys.
|
|
88
|
+
- [ ] `sessionEncrypt()` uses nonce-as-IV and AAD (confirmed from backend contract).
|
|
89
|
+
- [ ] `sessionDecrypt()` uses correct IV source (confirmed from backend contract or reference client).
|
|
90
|
+
- [ ] `urlSafeBase64ToStd()` applied to all base64url fields received from server.
|
|
91
|
+
- [ ] `initEncryptionSession` sends real freshly-generated `client_ecdh_pub` from the same ECDH instance used for derivation.
|
|
92
|
+
- [ ] `createSession` runs only after `initEncryptionSession` succeeds and uses the returned `key_id`.
|
|
93
|
+
- [ ] Nonce generator uses CSPRNG (`randomBytes`) — NOT `Math.random()` — nonce IS the AES-GCM IV.
|
|
94
|
+
- [ ] Nonce format/length matches backend contract exactly.
|
|
95
|
+
- [ ] `encrypted_shared_aes_key` handling confirmed (used vs ignored).
|
|
96
|
+
- [ ] `device_id` is stable and consistent across init, HKDF context, AAD, and encrypted requests.
|
|
97
|
+
- [ ] Token persistence is separate from session key lifetime (app restart requires re-init if key not stored).
|
|
98
|
+
- [ ] Dead debug code removed (unwrapSessionKey, tryAesGcmDecrypt, hkdfExpandOnly, hkdfSwapped) if present.
|
|
99
|
+
|
|
100
|
+
## Implementation — EC + Native Mode (Approach 6 + encryptionLayer = native)
|
|
101
|
+
|
|
102
|
+
- [ ] All EC + JS items above.
|
|
103
|
+
- [ ] `ecDeriveKey()` helper returns `{ derivedAesKeyBase64, ephemeralPublicKeyBase64 }` without AES.
|
|
104
|
+
- [ ] Interceptor calls `ecDeriveKey` in JS, then passes `derivedAesKeyBase64` to existing `nativeEncryptAES`.
|
|
105
|
+
- [ ] Response decryption calls `nativeDecryptAES` with same `derivedAesKeyBase64` from request map.
|
|
106
|
+
- [ ] No new Kotlin/Swift files added — existing `NativeCryptoModule` is reused.
|
|
107
|
+
- [ ] `ENCRYPTION_MODEL=ec` and `ENCRYPTION_LAYER=native` env flags wired.
|
|
108
|
+
|
|
109
|
+
## Implementation — React JS Web Production Mode, RSA-OAEP (Approach 7)
|
|
110
|
+
|
|
111
|
+
- [ ] App confirmed served over HTTPS or localhost (crypto.subtle unavailable on plain HTTP).
|
|
112
|
+
- [ ] `tsconfig.json` `"lib"` includes `"DOM"` — patched if missing.
|
|
113
|
+
- [ ] `axios` present in package.json — installed if missing.
|
|
114
|
+
- [ ] No `crypto-js`, `node-forge`, Buffer polyfill, or `react-native-*` packages added.
|
|
115
|
+
- [ ] `crypto-utils.ts` written (Base64 helpers, nonce generator using `crypto.getRandomValues`).
|
|
116
|
+
- [ ] `aes.service.ts` written (`generateAESKey`, `encryptAESGCM`, `decryptAESGCM` via `crypto.subtle`, tagLength 128).
|
|
117
|
+
- [ ] `rsa.service.ts` written (`importRSAPublicKey` using `importKey('spki', ...)` after stripping PEM headers, `encryptRSAOAEP`).
|
|
118
|
+
- [ ] `rsa-key.service.ts` written (fetch / cache / retry; `KEY_ID_NOT_FOUND` refreshes key + retries exactly once).
|
|
119
|
+
- [ ] `hmac.service.ts` written using `crypto.subtle` HMAC-SHA256.
|
|
120
|
+
- [ ] `storage.service.ts` written (`sessionStorage` wrapper; HTTP-only cookie guidance; `localStorage` explicitly blocked).
|
|
121
|
+
- [ ] `encryption.interceptor.ts` written:
|
|
122
|
+
- [ ] Request: generates AES key, stores in `Map<requestId, {cryptoKey, iv}>`, attaches envelope.
|
|
123
|
+
- [ ] Response: decrypts using map entry, deletes entry immediately on success and error.
|
|
124
|
+
- [ ] `DOMException` on decrypt → `ERR_CRYPTO_REJECTED`, no plaintext fallback.
|
|
125
|
+
- [ ] `encryption-config.ts` written with correct framework env prefix (VITE_ / REACT_APP_ / NEXT_PUBLIC_).
|
|
126
|
+
- [ ] `types.ts` written (`EncryptedEnvelope`, `EncryptedResponse`).
|
|
127
|
+
- [ ] `axiosInstance.ts` patched with `applyProductionEncryptionInterceptor` + `bootstrapEncryption()` bootstrap call.
|
|
128
|
+
- [ ] `.env.example` includes all required env variables with correct prefix.
|
|
129
|
+
- [ ] RSA public key endpoint is HTTPS (if API source).
|
|
130
|
+
- [ ] RSA-OAEP padding confirmed — PKCS1 v1.5 not used.
|
|
131
|
+
|
|
132
|
+
## Implementation — React JS ECDH-Session Sub-Mode (Approach 7)
|
|
133
|
+
|
|
134
|
+
- [ ] All RSA-OAEP items above (except `rsa.service.ts`, `rsa-key.service.ts` replaced by ECDH services).
|
|
135
|
+
- [ ] `base64url.ts` written (Base64URL encode/decode, no Buffer).
|
|
136
|
+
- [ ] `aad.ts` written (AAD builder with alphabetical key order, template literal not `JSON.stringify`).
|
|
137
|
+
- [ ] `ecdhSession.ts` written:
|
|
138
|
+
- [ ] ECDH P-256 key pair via `crypto.subtle.generateKey`.
|
|
139
|
+
- [ ] `deriveSessionKey` uses `crypto.subtle.deriveKey` with HKDF-SHA256 — no manual HMAC chain.
|
|
140
|
+
- [ ] Derived AES key is `extractable: false` — never stored.
|
|
141
|
+
- [ ] ECDH private key exported as JWK for `sessionStorage` restore.
|
|
142
|
+
- [ ] `aesGcm.ts` written (AES-256-GCM encrypt/decrypt with AAD).
|
|
143
|
+
- [ ] `ecdhSessionService.ts` written (init, restore from `sessionStorage`, `clearSession`).
|
|
144
|
+
- [ ] `clearSession()` called on 401 → surfaces `ERR_SESSION_EXPIRED`.
|
|
145
|
+
- [ ] `clearSession()` called on 400 DECRYPTION_FAILED / INVALID_PAYLOAD → surfaces `ERR_CRYPTO_REJECTED`.
|
|
146
|
+
- [ ] 500 responses pass through without session invalidation.
|
|
147
|
+
- [ ] ECDH-Session interceptor adds `X-Request-ID`, `X-Nonce` (12-byte Base64URL), `X-Timestamp` (ISO 8601 UTC) to every request.
|
|
148
|
+
- [ ] HKDF `info` string matches backend contract (NOT assumed to be `'enc'`).
|
|
149
|
+
- [ ] AAD canonical JSON shape confirmed with backend team.
|
|
150
|
+
- [ ] Session init URL is HTTPS.
|
|
151
|
+
- [ ] Device ID source confirmed and consistent across all encrypted requests.
|
|
152
|
+
|
|
153
|
+
---
|
|
154
|
+
|
|
155
|
+
## Security
|
|
156
|
+
|
|
157
|
+
- [ ] No sensitive logging (no AES keys, IVs, auth tags, plaintext payloads, or key material).
|
|
158
|
+
- [ ] No persistent AES key/IV storage.
|
|
159
|
+
- [ ] HTTPS enforced for key endpoint and all API traffic.
|
|
160
|
+
- [ ] Auth tag verification enforced (AES-GCM modes).
|
|
161
|
+
- [ ] FormData excluded from encryption.
|
|
162
|
+
- [ ] `ENCRYPTION_ENABLED=false` is the safe default.
|
|
163
|
+
- [ ] [Native mode] AES key never written to Android Keystore or iOS Secure Enclave.
|
|
164
|
+
- [ ] [Native mode] `try!` not present anywhere in Swift bridge code.
|
|
165
|
+
- [ ] [Approach 3] Shared key is at least 32 characters.
|
|
166
|
+
- [ ] [Angular/Web] `privateKeyPem` not accepted — private keys stay on the server.
|
|
167
|
+
- [ ] [EC] EC public key validated on every fetch: 65 bytes, first byte `0x04`.
|
|
168
|
+
- [ ] [EC] Ephemeral EC key pair discarded immediately after `computeSecret()`.
|
|
169
|
+
- [ ] [EC] Derived AES key never transmitted — only `ephemeral_public_key` in envelope.
|
|
170
|
+
- [ ] [EC session-init] Nonce generator uses CSPRNG (`randomBytes`) — NOT `Math.random()`.
|
|
171
|
+
- [ ] [Approach 7] `crypto.subtle` availability check at bootstrap — surfaces error before any API call.
|
|
172
|
+
- [ ] [Approach 7] No `Math.random()` for any cryptographic purpose — all nonce/key generation uses Web Crypto API.
|
|
173
|
+
- [ ] [Approach 7] No `localStorage` for tokens or session material.
|
|
174
|
+
- [ ] [Approach 7 ECDH-Session] Derived AES key is `extractable: false` — never stored or exported.
|
|
175
|
+
- [ ] [Approach 7 ECDH-Session] ECDH private key stored only as JWK in `sessionStorage`; cleared on `clearSession()`.
|
|
176
|
+
- [ ] [Approach 7] HMAC secret in env var only — never hardcoded, never committed to source.
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
## Operational
|
|
181
|
+
|
|
182
|
+
- [ ] Concurrent request safety verified (request map keyed by unique `requestId`).
|
|
183
|
+
- [ ] Missing RSA key / refetch flow handled (bounded retry, fail-safe on exhaustion).
|
|
184
|
+
- [ ] Invalid auth tag triggers session reset (not silent fallback).
|
|
185
|
+
- [ ] Build passes after all files are written.
|
|
186
|
+
- [ ] Temp config file (`.encryption-resolved-config.tmp.json`) deleted after install.
|
|
187
|
+
|
|
188
|
+
---
|
|
189
|
+
|
|
190
|
+
## Final Output
|
|
191
|
+
|
|
192
|
+
- [ ] List of all files written/patched included in report.
|
|
193
|
+
- [ ] List of all packages installed included in report.
|
|
194
|
+
- [ ] Encryption approach, model, and layer recorded.
|
|
195
|
+
- [ ] HMAC status recorded.
|
|
196
|
+
- [ ] URL exclusions recorded.
|
|
197
|
+
- [ ] Envelope shape documented:
|
|
198
|
+
- RSA: `{ data, key, iv, nonce, key_id }`
|
|
199
|
+
- EC per-request: `{ data, ephemeral_public_key, iv, nonce, key_id }`
|
|
200
|
+
- EC session-init: backend-specific (confirm shape with backend team)
|
|
201
|
+
- Approach 7 RSA-OAEP: `{ data, key, iv, nonce, key_id }` (wire-compatible with React Native)
|
|
202
|
+
- Approach 7 ECDH-Session: backend-specific (confirm with backend team; see `references/react-web-crypto.md`)
|
|
203
|
+
- [ ] Backend alignment spec printed/referenced (approaches 4/5: Part A RSA; approach 6: Part B EC).
|
|
204
|
+
- [ ] [Approach 7] CORS headers confirmed: `Access-Control-Allow-Headers` includes `X-Request-ID`, `X-Nonce`, `X-Request-Signature`, `X-Device-ID`, `X-Timestamp`.
|
|
205
|
+
- [ ] Any residual risks or manual steps noted.
|
|
206
|
+
- [ ] Suggested next validation steps included.
|