jscrambler-metro-plugin 0.0.0-bulbasaur-20250620144942

package/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Jscrambler
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,61 @@
+# ![Jscrambler](https://media.jscrambler.com/images/logo_500px.png)
+# Jscrambler Code Integrity for React-Native (Metro Bundler)
+
+Jscrambler [Code Integrity](https://jscrambler.com/code-integrity) is a JavaScript protection technology for Web and Mobile Applications. Its main purpose is to enable JavaScript applications to become self-defensive and resilient to tampering and reverse engineering.
+
+If you're looking to gain control over third-party tags and achieve PCI DSS compliance please refer to Jscrambler [Webpage Integrity](https://jscrambler.com/webpage-integrity).
+
+Version Compatibility
+------------------------------------------------------------------------------
+
+The version's compatibility table match your [Jscrambler Version](https://app.jscrambler.com/settings) with the Jscrambler Metro Plugin.
+Please make sure you install the right version, otherwise some functionalities might not work properly.
+
+| _Jscrambler Version_   |      _Client and Integrations_      |
+|:----------:|:-------------:|
+| _<= 7.1_ |  _<= 5.x.x_ |
+| _\>= 7.2_ |   _\>= 6.0.0_ |
+
+# Usage
+
+This metro plugin protects your **React Native** bundle using Jscrambler.
+
+Include the plugin in your `metro.config.js` and add the following code:
+
+```js
+const {resolve} = require('path');
+const jscramblerMetroPlugin = require('jscrambler-metro-plugin')(
+  /* optional */
+  {
+    enable: true,
+    enabledHermes: false, // set if you are using hermes engine
+    ignoreFile: resolve(__dirname, '.jscramblerignore'),
+    params: [
+      {
+        name: 'selfDefending',
+        options: {
+          threshold: 1
+        }
+      }
+    ]
+  }
+);
+
+module.exports = jscramblerMetroPlugin;
+```
+
+You can pass your Jscrambler configuration using the plugin parameter or using
+the usual `.jscramblerrc` file.
+
+If you use a different location for the `.jscramblerignore` file, you can use the `ignoreFile` option to tell Jscrambler the path to the file.
+Otherwise, if a `.jscramblerignore` file is found in a project root folder, it will be considered. You can find more information and examples in Ignoring Files.
+
+By default, Jscrambler protection is **ignored** when bundle mode is set for **Development**. You can override this behavior by setting env variable `JSCRAMBLER_METRO_DEV=true`
+
+In order to activate source map generation effectively, you will need to enable source maps both in the Jscrambler configuration file, by adding the following parameter to said file:
+
+...
+"sourceMaps": true,
+...
+
+and in the [React Native app](https://reactnative.dev/docs/debugging-release-builds?platform=android#enabling-source-maps).

package/lib/constants.js

@@ -0,0 +1,62 @@
+const path = require('path');
+
+const BUNDLE_CMD = 'bundle';
+const BUNDLE_OUTPUT_CLI_ARG = '--bundle-output';
+const BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG = '--sourcemap-output';
+const BUNDLE_DEV_CLI_ARG = '--dev';
+// path.join so it supports both linux and windows fs
+const INIT_CORE_MODULE = path.join(process.platform === 'win32' ? '/' : '', 'node_modules', 'react-native', 'Libraries', 'Core', 'InitializeCore.js');
+const JSCRAMBLER_CLIENT_ID = 6;
+const JSCRAMBLER_IGNORE = '.jscramblerignore';
+const JSCRAMBLER_TEMP_FOLDER = '.jscrambler';
+const JSCRAMBLER_DIST_TEMP_FOLDER = `${JSCRAMBLER_TEMP_FOLDER}/dist`;
+const JSCRAMBLER_SOURCE_MAPS_TEMP_FOLDER = `${JSCRAMBLER_DIST_TEMP_FOLDER}/jscramblerSourceMaps`;
+const JSCRAMBLER_PROTECTION_ID_FILE = `${JSCRAMBLER_TEMP_FOLDER}/protectionId`;
+const JSCRAMBLER_BEG_ANNOTATION = '"JSCRAMBLER-BEG";';
+const JSCRAMBLER_END_ANNOTATION = '"JSCRAMBLER-END";';
+const JSCRAMBLER_EXTS = /.(j|t)s(x)?$/i;
+const JSCRAMBLER_SELF_DEFENDING = 'selfDefending';
+const JSCRAMBLER_ANTI_TAMPERING = 'antiTampering';
+const JSCRAMBLER_SELF_HEALING = "selfHealing";
+const JSCRAMBLER_ANTI_TAMPERING_MODE_RCK = 'RCK';
+const JSCRAMBLER_ANTI_TAMPERING_MODE_SKL = 'SKL';
+const JSCRAMBLER_GLOBAL_VARIABLE_INDIRECTION = 'globalVariableIndirection';
+const JSCRAMBLER_TOLERATE_BENIGN_POISONING = 'tolerateBenignPoisoning';
+const HERMES_SHOW_SOURCE_DIRECTIVE = '"show source";';
+const JSCRAMBLER_HERMES_INCOMPATIBILITIES = [
+  {
+    slugName: JSCRAMBLER_SELF_DEFENDING,
+    errorMessage: `Jscrambler ${JSCRAMBLER_SELF_DEFENDING} transformation is not compatible with Hermes engine. Consider using ${JSCRAMBLER_ANTI_TAMPERING} transformation instead`,
+  },
+];
+const JSCRAMBLER_HERMES_ADD_SHOW_SOURCE_DIRECTIVE = [
+  JSCRAMBLER_ANTI_TAMPERING,
+  JSCRAMBLER_SELF_HEALING
+];
+
+module.exports = {
+  BUNDLE_CMD,
+  BUNDLE_OUTPUT_CLI_ARG,
+  BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG,
+  BUNDLE_DEV_CLI_ARG,
+  INIT_CORE_MODULE,
+  JSCRAMBLER_CLIENT_ID,
+  JSCRAMBLER_IGNORE,
+  JSCRAMBLER_TEMP_FOLDER,
+  JSCRAMBLER_DIST_TEMP_FOLDER,
+  JSCRAMBLER_SOURCE_MAPS_TEMP_FOLDER,
+  JSCRAMBLER_PROTECTION_ID_FILE,
+  JSCRAMBLER_BEG_ANNOTATION,
+  JSCRAMBLER_END_ANNOTATION,
+  JSCRAMBLER_SELF_DEFENDING,
+  JSCRAMBLER_GLOBAL_VARIABLE_INDIRECTION,
+  JSCRAMBLER_TOLERATE_BENIGN_POISONING,
+  JSCRAMBLER_ANTI_TAMPERING,
+  JSCRAMBLER_ANTI_TAMPERING_MODE_RCK,
+  JSCRAMBLER_SELF_HEALING,
+  JSCRAMBLER_HERMES_INCOMPATIBILITIES,
+  JSCRAMBLER_HERMES_ADD_SHOW_SOURCE_DIRECTIVE,
+  JSCRAMBLER_ANTI_TAMPERING_MODE_SKL,
+  HERMES_SHOW_SOURCE_DIRECTIVE,
+  JSCRAMBLER_EXTS
+}

package/lib/index.js

@@ -0,0 +1,377 @@
+const {copy, emptyDir, mkdirp, readFile, writeFile} = require('fs-extra');
+const jscrambler = require('jscrambler').default;
+const fs = require('fs');
+const path = require('path');
+const generateSourceMaps = require('./sourceMaps');
+const globalThisPolyfill = require('./polyfills/globalThis');
+
+const {
+  INIT_CORE_MODULE,
+  JSCRAMBLER_CLIENT_ID,
+  JSCRAMBLER_TEMP_FOLDER,
+  JSCRAMBLER_IGNORE,
+  JSCRAMBLER_DIST_TEMP_FOLDER,
+  JSCRAMBLER_PROTECTION_ID_FILE,
+  JSCRAMBLER_BEG_ANNOTATION,
+  JSCRAMBLER_END_ANNOTATION,
+  BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG,
+  HERMES_SHOW_SOURCE_DIRECTIVE,
+  JSCRAMBLER_EXTS
+} = require('./constants');
+const {
+  buildModuleSourceMap,
+  buildNormalizePath,
+  extractLocs,
+  getBundlePath,
+  isFileReadable,
+  skipObfuscation,
+  stripEntryPointTags,
+  stripJscramblerTags,
+  addBundleArgsToExcludeList,
+  handleExcludeList,
+  injectTolerateBegninPoisoning,
+  handleAntiTampering,
+  addHermesShowSourceDirective,
+  handleHermesIncompatibilities,
+  wrapCodeWithTags
+} = require('./utils');
+
+const debug = !!process.env.DEBUG;
+
+function logSourceMapsWarning(hasMetroSourceMaps, hasJscramblerSourceMaps) {
+  if (hasMetroSourceMaps) {
+    console.log(`warning: Jscrambler source-maps are DISABLED. Check how to activate them in https://docs.jscrambler.com/code-integrity/documentation/source-maps/api`);
+  } else if (hasJscramblerSourceMaps) {
+    console.log(`warning: Jscrambler source-maps were not generated. Missing metro source-maps (${BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG} is required)`);
+  }
+}
+
+async function obfuscateBundle(
+  {bundlePath, bundleSourceMapPath},
+  {fileNames, entryPointCode},
+  sourceMapFiles,
+  config,
+  projectRoot
+) {
+  await emptyDir(JSCRAMBLER_TEMP_FOLDER);
+
+  const metroBundle = await readFile(bundlePath, 'utf8');
+  const metroBundleLocs = await extractLocs(metroBundle);
+  let processedMetroBundle = metroBundle;
+  let filteredFileNames = fileNames;
+  const excludeList = [];
+
+  const supportsEntryPoint = await jscrambler.introspectFieldOnMethod.call(
+    jscrambler,
+    config,
+    "mutation",
+    "createApplicationProtection",
+    "entryPoint"
+  );
+
+  // ignore entrypoint obfuscation if its not supported
+  if (!supportsEntryPoint) {
+    delete config.entryPoint;
+    if (typeof entryPointCode === 'string' && entryPointCode.length > 0) {
+      debug && console.log('debug Jscrambler entrypoint option not supported');
+      try {
+        filteredFileNames = fileNames.filter(
+          name => !name.includes(INIT_CORE_MODULE)
+        );
+        processedMetroBundle = stripEntryPointTags(
+          metroBundle,
+          entryPointCode
+        );
+      } catch (err) {
+        console.log("Error processing entry point.");
+        process.exit(-1);
+      }
+    }
+  }
+
+  const metroBundleChunks = processedMetroBundle.split(
+    JSCRAMBLER_BEG_ANNOTATION
+  );
+  addBundleArgsToExcludeList(metroBundleChunks[0], excludeList);
+  const metroUserFilesOnly = metroBundleChunks.slice(1).map((c, i) => {
+    const s = c.split(JSCRAMBLER_END_ANNOTATION);
+    // We don't want to extract args from last chunk
+    if (i < metroBundleChunks.length - 2) {
+      addBundleArgsToExcludeList(s[1], excludeList);
+    }
+    return s[0];
+  });
+
+  const sources = [];
+  // .jscramblerignore
+  const defaultJscramblerIgnorePath = path.join(projectRoot, JSCRAMBLER_IGNORE);
+
+  if (typeof config.ignoreFile === 'string') {
+    if (!await isFileReadable(config.ignoreFile)) {
+      console.error(`The *ignoreFile* "${config.ignoreFile}" was not found or is not readable!`);
+      process.exit(-1);
+    }
+    sources.push({ filename: JSCRAMBLER_IGNORE, content: await readFile(config.ignoreFile) })
+  } else if (await isFileReadable(defaultJscramblerIgnorePath)) {
+    sources.push({ filename: JSCRAMBLER_IGNORE, content: await readFile(defaultJscramblerIgnorePath) })
+  }
+
+  // push user files to sources array
+  for (let i = 0; i < metroUserFilesOnly.length; i += 1) {
+    sources.push({
+      filename: filteredFileNames[i], content: metroUserFilesOnly[i]
+    })
+  }
+
+  // Source map files (only for Instrumentation process)
+  for (const { filename, content } of sourceMapFiles) {
+    sources.push({
+      filename, content
+    })
+  }
+
+  // adapt configs for react-native
+  config.sources = sources;
+  config.filesDest = JSCRAMBLER_DIST_TEMP_FOLDER;
+  config.clientId = JSCRAMBLER_CLIENT_ID;
+
+  const supportsExcludeList = await jscrambler.introspectFieldOnMethod.call(
+    jscrambler,
+    config,
+    "mutation",
+    "createApplicationProtection",
+    "excludeList"
+  );
+
+  handleExcludeList(config, {supportsExcludeList, excludeList});
+
+  injectTolerateBegninPoisoning(config);
+
+  if (bundleSourceMapPath && typeof config.sourceMaps === 'undefined') {
+    console.error(`error Metro is generating source maps that won't be useful after Jscrambler protection.
+  If this is not a problem, you can either:
+    1) Disable source maps in metro bundler
+    2) Explicitly disable Jscrambler source maps by adding 'sourceMaps: false' in the Jscrambler config file
+
+  If you want valid source maps, make sure you have access to the feature and enable it in Jscrambler config file by adding 'sourceMaps: true'`
+    );
+    process.exit(-1);
+  }
+
+  const requireStartAtFirstColumn = handleAntiTampering(
+    config,
+    processedMetroBundle,
+  );
+
+  const addShowSource = addHermesShowSourceDirective(config);
+
+  if (addShowSource) {
+    console.log(
+      `info Jscrambler ${HERMES_SHOW_SOURCE_DIRECTIVE} directive added`,
+    );
+  }
+
+  const shouldGenerateSourceMaps = config.sourceMaps && bundleSourceMapPath;
+
+  const jscramblerOp = !!config.instrument
+    ? jscrambler.instrumentAndDownload
+    : jscrambler.protectAndDownload;
+
+  // obfuscate or instrument
+  const protectionId = await jscramblerOp.call(jscrambler, config);
+
+  // store protection id
+  await writeFile(JSCRAMBLER_PROTECTION_ID_FILE, protectionId);
+
+  // read obfuscated user files
+  const obfusctedUserFiles = await Promise.all(metroUserFilesOnly.map((c, i) =>
+    readFile(`${JSCRAMBLER_DIST_TEMP_FOLDER}/${filteredFileNames[i]}`, 'utf8')
+  ));
+
+  // build final bundle (with JSCRAMBLER TAGS still)
+  const finalBundle = metroBundleChunks.reduce((acc, c, i) => {
+    if (i === 0) {
+      const chunks = c.split('\n');
+      return [`${chunks[0]}${globalThisPolyfill}`, ...chunks.slice(1)].join('\n');
+    }
+
+    let showSource = addShowSource;
+    let startAtFirstColumn = requireStartAtFirstColumn;
+
+    const obfuscatedCode = obfusctedUserFiles[i - 1];
+    const sourceFileIgnored = metroUserFilesOnly[i - 1] === obfuscatedCode;
+
+    if (sourceFileIgnored) {
+      // restore excluded files
+      showSource = false;
+      startAtFirstColumn = false;
+      debug && console.log(`debug Jscrambler File ${fileNames[i - 1]} was excluded`);
+    }
+
+    const tillCodeEnd = c.substr(
+      c.indexOf(JSCRAMBLER_END_ANNOTATION),
+      c.length
+    );
+    return `${acc}${JSCRAMBLER_BEG_ANNOTATION}${
+      showSource ? HERMES_SHOW_SOURCE_DIRECTIVE : ''
+    }${startAtFirstColumn ? '\n' : ''}${obfuscatedCode}${tillCodeEnd}`;
+  }, '');
+
+  await writeFile(bundlePath, stripJscramblerTags(finalBundle));
+  if(!shouldGenerateSourceMaps) {
+    logSourceMapsWarning(bundleSourceMapPath, config.sourceMaps);
+    // nothing more to do
+    return;
+  }
+
+  // process Jscrambler SourceMaps
+  const shouldAddSourceContent = typeof config.sourceMaps === 'object' ? config.sourceMaps.sourceContent : false;
+  console.log(`info Jscrambler Source Maps (${shouldAddSourceContent ? "with" : "no"} source content)`);
+  const finalSourceMap = await generateSourceMaps({
+    jscrambler,
+    config,
+    shouldAddSourceContent,
+    protectionId,
+    metroUserFilesOnly,
+    fileNames: filteredFileNames,
+    bundlePath,
+    bundleSourceMapPath,
+    finalBundle,
+    projectRoot,
+    debug,
+    metroBundleLocs
+  });
+  await writeFile(bundleSourceMapPath, finalSourceMap);
+}
+
+function fileExists(modulePath) {
+  return fs.existsSync(modulePath);
+}
+
+function isValidExtension(modulePath) {
+  return path.extname(modulePath).match(JSCRAMBLER_EXTS);
+}
+
+function validateModule(modulePath, config, projectRoot) {
+  const instrument = !!config.instrument;
+
+  if (
+    !fileExists(modulePath) ||
+    !isValidExtension(modulePath) ||
+    typeof modulePath !== "string"
+  ) {
+    return false;
+  } else if (modulePath.includes(INIT_CORE_MODULE) && !instrument) {
+    // This is the entrypoint file
+    config.entryPoint = buildNormalizePath(modulePath, projectRoot);
+    return true;
+  } else if (modulePath.includes("node_modules")) {
+    return false;
+  } else {
+    return true;
+  }
+}
+
+/**
+ * Add serialize.processModuleFilter option to metro and attach listener to beforeExit event.
+ * *config.fileSrc* and *config.filesDest* will be ignored.
+ * @param {{enable: boolean, enabledHermes: boolean }} _config
+ * @param {string} [projectRoot=process.cwd()]
+ * @returns {{serializer: {processModuleFilter(*): boolean}}}
+ */
+module.exports = function (_config = {}, projectRoot = process.cwd()) {
+  const skipReason = skipObfuscation(_config);
+  if (skipReason) {
+    console.log(`warning: Jscrambler Obfuscation SKIPPED [${skipReason}]`);
+    return {};
+  }
+
+  const bundlePath = getBundlePath();
+  // make sure jscrambler-metro-plugin is properly configure on metro bundler
+  let calledByMetro = false;
+  const fileNames = new Set();
+  const sourceMapFiles = [];
+  const config = Object.assign({}, jscrambler.config, _config);
+  const instrument = !!config.instrument;
+  let entryPointCode;
+
+  if (config.filesDest || config.filesSrc) {
+    console.warn('warning: Jscrambler fields filesDest and fileSrc were ignored. Using input/output values of the metro bundler.')
+  }
+
+  if (!Array.isArray(config.params) || config.params.length === 0) {
+    console.warn('warning: Jscrambler recommends you to declare your transformations list on the configuration file.')
+  }
+
+  process.on('beforeExit', async function (exitCode) {
+    try{
+      if (!calledByMetro) {
+        throw new Error('*jscrambler-metro-plugin* was not properly configured on metro.config.js file. Please verify our documentation in https://docs.jscrambler.com/code-integrity/frameworks-and-libraries/react-native/integration.');
+      }
+
+      console.log(
+        instrument
+          ? 'info Jscrambler Instrumenting Code'
+          : `info Jscrambler Obfuscating Code ${
+              config.enabledHermes
+                ? "(Using Hermes Engine)"
+                : "(If you are using Hermes Engine set enabledHermes=true)"
+            }`,
+      );
+
+      // check for incompatible transformations and turn off code hardening
+      handleHermesIncompatibilities(config);
+
+      // start obfuscation
+      await obfuscateBundle(bundlePath, {fileNames: Array.from(fileNames), entryPointCode}, sourceMapFiles, config, projectRoot);
+    } catch(err) {
+      console.error(err);
+      process.exit(1);
+    } finally {
+      process.exit(exitCode)
+    }
+  });
+
+  return {
+    serializer: {
+      /**
+       * Select user files ONLY (no vendor) to be obfuscated. That code should be tagged with
+       * {@JSCRAMBLER_BEG_ANNOTATION} and {@JSCRAMBLER_END_ANNOTATION}.
+       * Also gather metro source-maps in case of instrumentation process.
+       * @param {{output: Array<*>, path: string, getSource: function():Buffer}} _module
+       * @returns {boolean}
+       */
+      processModuleFilter(_module) {
+        calledByMetro = true;
+
+        const modulePath = _module.path;
+        const shouldSkipModule = !validateModule(modulePath, config, projectRoot);
+
+        if (shouldSkipModule) {
+          return true;
+        }
+
+        const normalizePath = buildNormalizePath(modulePath, projectRoot);
+        fileNames.add(normalizePath);
+
+        _module.output.forEach(({data}) => {
+          if (instrument && Array.isArray(data.map)) {
+            sourceMapFiles.push({
+              filename: `${normalizePath}.map`,
+              content: buildModuleSourceMap(
+                data,
+                normalizePath,
+                _module.getSource().toString()
+              )
+            });
+          }
+          if (modulePath.includes(INIT_CORE_MODULE)){
+            entryPointCode = data.code;
+          }
+          data.code = wrapCodeWithTags(data.code);
+        });
+        return true;
+      }
+    }
+  };
+};

package/lib/polyfills/globalThis.js

@@ -0,0 +1 @@
+module.exports = "!(function(o){o.globalThis=o})('undefined'!=typeof globalThis?globalThis:'undefined'!=typeof global?global:'undefined'!=typeof window?window:this);";

package/lib/sourceMaps.js

@@ -0,0 +1,179 @@
+const {readFile} = require('fs-extra');
+const sourceMap = require('source-map');
+const {
+  buildNormalizePath,
+  extractLocs
+} = require('./utils');
+const {
+  JSCRAMBLER_SOURCE_MAPS_TEMP_FOLDER
+} = require('./constants');
+
+/**
+ * Merge jscrambler source-maps with metro source-map.
+ * Control start/end line of each obfuscated source and calculate amount of lines that needs to
+ * be shifted for none-obfuscated code.
+ * @param {object} payload
+ * @returns {Promise<string>}
+ */
+module.exports = async function generateSourceMaps(payload) {
+  const {
+    jscrambler,
+    config,
+    shouldAddSourceContent,
+    protectionId,
+    metroUserFilesOnly,
+    fileNames,
+    debug,
+    bundlePath,
+    bundleSourceMapPath,
+    finalBundle,
+    projectRoot,
+    metroBundleLocs
+  } = payload;
+
+  // download sourcemaps
+  delete config.filesSrc;
+  await jscrambler.downloadSourceMaps(Object.assign({protectionId}, config));
+
+  // read obfuscated source-map from filesystem
+  const obfuscatedSourceMaps = await Promise.all(
+    metroUserFilesOnly.map((c, i) =>
+      readFile(
+        `${JSCRAMBLER_SOURCE_MAPS_TEMP_FOLDER}/${fileNames[i]}.map`,
+        'utf8',
+      ).catch((e) => {
+        if (e.code === 'ENOENT') {
+          // when a source file is excluded, the sourcemap is not produced
+          return null;
+        }
+        throw e;
+      }),
+    ),
+  );
+
+  // read metro source-map
+  const metroSourceMap = await readFile(bundleSourceMapPath, 'utf8');
+  const finalBundleLocs = await extractLocs(finalBundle);
+
+  const metroSourceMapConsumer = new sourceMap.SourceMapConsumer(
+    metroSourceMap,
+  );
+  // extra source map params that are not processed by the source-map package
+  const metroSourceMapExtraParams = [
+    'x_facebook_sources', // added x_facebook_sources to prevent the third party sources to come back with null values
+    // for when react native debugIds are necessary in the sourcemaps (upload to sentry for example)
+    // needs to be added at the end of this file since the debugIds are not in SourceMapGenerator type
+    'debugId',
+    'debug_id',
+  ];
+  // retrieve debug ids and facebook sources after the validation by the sourcemap package
+  const JSONMetroSourceMap = JSON.parse(metroSourceMap);
+  const finalSourceMapGenerator = new sourceMap.SourceMapGenerator({
+    file: bundlePath,
+  });
+  const ofuscatedSourceMapConsumers = obfuscatedSourceMaps.map((map) =>
+    // when a source file is excluded, the sourcemap is not produced
+    map ? new sourceMap.SourceMapConsumer(map) : null,
+  );
+
+  // add all original sources and sourceContents
+  metroSourceMapConsumer.sources.forEach(function (sourceFile) {
+    finalSourceMapGenerator._sources.add(sourceFile)
+    var sourceContent = metroSourceMapConsumer.sourceContentFor(sourceFile);
+    if (shouldAddSourceContent && sourceContent != null) {
+      finalSourceMapGenerator.setSourceContent(sourceFile, sourceContent)
+    }
+  });
+
+  let shiftLines = 0;
+  let tmpShiftLine = 0;
+  let currSource;
+  metroSourceMapConsumer.eachMapping(mapping => {
+    const original = mapping.originalLine ? {line: mapping.originalLine, column: mapping.originalColumn} : null;
+    let newMappings = [{
+      original,
+      source: mapping.source,
+      name: mapping.name,
+      generated: {
+        line: mapping.generatedLine,
+        column: mapping.generatedColumn
+      }
+    }];
+    const normalizePath = buildNormalizePath(mapping.source, projectRoot);
+    const fileNamesIndex = fileNames.indexOf(normalizePath);
+
+    if (currSource !== normalizePath) {
+      // next source
+      currSource = normalizePath;
+      shiftLines = tmpShiftLine;
+    }
+
+    if (
+      fileNamesIndex !== -1 &&
+      /* check if sourceMap was loaded */
+      ofuscatedSourceMapConsumers[fileNamesIndex]
+    ) {
+      /* jscrambler obfuscated files */
+      const {lineStart, lineEnd, columnStart} = metroBundleLocs[fileNamesIndex];
+      const {
+        lineStart: finalLineStart,
+        lineEnd: finalLineEnd,
+        columnStart: finalColumnStart,
+      } = finalBundleLocs[fileNamesIndex];
+      const allGeneratedPositionsFor = ofuscatedSourceMapConsumers[fileNamesIndex].allGeneratedPositionsFor({
+        source: normalizePath,
+        line: mapping.generatedLine - lineStart + 1 /* avoid line=0 */,
+        column:
+          mapping.generatedColumn -
+          (mapping.generatedLine === lineStart
+            ? columnStart /* column start should be applied only to the first line */
+            : 0),
+      });
+
+      if (allGeneratedPositionsFor.length === 0) {
+        // no match
+        return;
+      }
+
+      newMappings = allGeneratedPositionsFor.map(({line: obfLine, column: obfColumn}) => {
+        const calcFinalLine = finalLineStart + obfLine - 1;
+        // add columnStart only on the first line
+        const calcFinalColumn = obfLine === 1 ? finalColumnStart + obfColumn : obfColumn;
+
+        debug && console.log('original', original, '->', 'final', {line: calcFinalLine, column: calcFinalColumn});
+
+        return Object.assign({}, newMappings[0], {
+          generated: {
+            line: calcFinalLine,
+            column: calcFinalColumn
+          }
+        });
+      });
+
+      // shift lines on next files
+      tmpShiftLine = finalLineEnd - lineEnd;
+    } else {
+      /* vendor code */
+      newMappings[0].generated.line += shiftLines;
+
+      // when the original line/column can't be found, it means that there isn't a real source file associated.
+      // Thus, if source file name exists it must be cleaned (f.e ".") to avoid an invalid mapping error
+      if (newMappings[0].original === null && newMappings[0].source) {
+        newMappings[0].source = null;
+      }
+    }
+
+    newMappings.forEach((newMapping) =>
+      finalSourceMapGenerator.addMapping(newMapping),
+    );
+  })
+
+  const finalSourceMaps = finalSourceMapGenerator.toString();
+  const finalSourceMapsJson = JSON.parse(finalSourceMaps);
+
+  for (const param of metroSourceMapExtraParams) {
+    finalSourceMapsJson[param] = JSONMetroSourceMap[param];
+  }
+
+  return JSON.stringify(finalSourceMapsJson);
+};

package/lib/utils.js

@@ -0,0 +1,401 @@
+const fs = require('fs');
+const readline = require('readline');
+const {Command} = require('commander');
+const {Readable} = require('stream');
+const { sep } = require('path');
+const metroSourceMap = require('metro-source-map');
+const {
+  JSCRAMBLER_EXTS,
+  JSCRAMBLER_END_ANNOTATION,
+  JSCRAMBLER_BEG_ANNOTATION,
+  JSCRAMBLER_SELF_DEFENDING,
+  JSCRAMBLER_ANTI_TAMPERING,
+  JSCRAMBLER_HERMES_INCOMPATIBILITIES,
+  JSCRAMBLER_HERMES_ADD_SHOW_SOURCE_DIRECTIVE,
+  JSCRAMBLER_ANTI_TAMPERING_MODE_SKL,
+  JSCRAMBLER_ANTI_TAMPERING_MODE_RCK,
+  JSCRAMBLER_TOLERATE_BENIGN_POISONING,
+  JSCRAMBLER_GLOBAL_VARIABLE_INDIRECTION,
+  BUNDLE_OUTPUT_CLI_ARG,
+  BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG,
+  BUNDLE_DEV_CLI_ARG,
+  HERMES_SHOW_SOURCE_DIRECTIVE,
+  BUNDLE_CMD
+} = require('./constants');
+
+/**
+ * Only 'bundle' command triggers obfuscation.
+ * Development bundles will be ignored (--dev true). Use JSCRAMBLER_METRO_DEV to override this behaviour.
+ * @returns {string} skip reason. If falsy value dont skip obfuscation
+ */
+function skipObfuscation(config) {
+  if (
+    typeof config === 'object' &&
+    config !== null &&
+    config.enable === false
+  ) {
+    return 'Explicitly Disabled';
+  }
+
+  let isBundleCmd = false;
+  const command = new Command();
+  command
+    .command(BUNDLE_CMD)
+    .allowUnknownOption()
+    .action(() => (isBundleCmd = true));
+  command.option(`${BUNDLE_DEV_CLI_ARG} <boolean>`).parse(process.argv);
+  if (!isBundleCmd) {
+    return 'Not a *bundle* command';
+  }
+  if (command.dev === 'true') {
+    return (
+      process.env.JSCRAMBLER_METRO_DEV !== 'true' &&
+      'Development mode. Override with JSCRAMBLER_METRO_DEV=true environment variable'
+    );
+  }
+  return null;
+}
+
+/**
+ * Get bundle path based CLI arguments
+ * @returns {{bundlePath: string, bundleSourceMapPath: string}}
+ * @throws {Error} when bundle output was not found
+ */
+function getBundlePath() {
+  const command = new Command();
+  command
+    .option(`${BUNDLE_OUTPUT_CLI_ARG} <string>`)
+    .option(`${BUNDLE_SOURCEMAP_OUTPUT_CLI_ARG} <string>`)
+    .parse(process.argv);
+  if (command.bundleOutput) {
+    return {
+      bundlePath: command.bundleOutput,
+      bundleSourceMapPath: command.sourcemapOutput
+    };
+  }
+  console.error('Bundle output path not found.');
+  return process.exit(-1);
+}
+
+/**
+ * Extract the lines of code for a given string.
+ * @param {string} inputStr
+ * @returns {Promise<[{lineStart: number, columnStart: number, lineEnd: number}]>}
+ */
+function extractLocs(inputStr) {
+  let locs = [];
+  let lines = 0;
+  return new Promise((res, rej) =>
+    readline.createInterface({
+      input: new Readable({
+        read() {
+          this.push(this.sent ? null : inputStr);
+          this.sent = true;
+        }
+      }),
+      crlfDelay: Infinity,
+      terminal: false,
+      historySize: 0
+    })
+      .on('line', line => {
+        lines++;
+        const startTagIndex = line.indexOf(JSCRAMBLER_BEG_ANNOTATION);
+        if (startTagIndex !== -1) {
+          const columnStart = line.includes(
+            `${JSCRAMBLER_BEG_ANNOTATION}${HERMES_SHOW_SOURCE_DIRECTIVE}`,
+          )
+            ? HERMES_SHOW_SOURCE_DIRECTIVE.length + startTagIndex
+            : startTagIndex;
+          // occurs with Anti-tampering SKL mode
+          const startAtFirstColumn = line.includes(
+            `${JSCRAMBLER_BEG_ANNOTATION}\n`,
+          );
+
+          locs.push({
+            lineStart: lines,
+            columnStart,
+            startAtFirstColumn,
+          });
+        }
+
+        if (line.indexOf(JSCRAMBLER_END_ANNOTATION) !== -1) {
+          locs[locs.length - 1].lineEnd = lines;
+        }
+      })
+      .on('close', () => res(locs))
+      .on('error', rej)
+  )
+}
+
+/**
+ * Strip all Jscrambler tags from code
+ * @param {string} code
+ * @returns {string}
+ */
+function stripJscramblerTags(code) {
+  return code.replace(new RegExp(JSCRAMBLER_BEG_ANNOTATION, 'g'), '')
+    .replace(new RegExp(JSCRAMBLER_END_ANNOTATION, 'g'), '')
+}
+
+/**
+ * When next character is a new line (\n or \r\n),
+ * we should increment startIndex to avoid user code starting with a new line.
+ * @param {string} startIndex
+ * @param {string} code
+ * @returns {number}
+ * @example
+ *    __d(function(g,r,i,a,m,e,d){(detect new line here and start below)
+ *      // user code
+ *      ...
+ *    }
+ */
+function shiftStartIndexOnNewLine(startIndex, code) {
+  switch (code[startIndex + 1]) {
+    case '\r':
+      startIndex++;
+      return shiftStartIndexOnNewLine(startIndex, code);
+    case '\n':
+      startIndex++;
+      break;
+  }
+  return startIndex;
+}
+
+/**
+ * Wrap code with Jscrambler TAGS {JSCRAMBLER_BEG_ANNOTATION and JSCRAMBLER_END_ANNOTATION}
+ * @param {string} code
+ */
+function wrapCodeWithTags(code) {
+  let startIndex = code.indexOf('{');
+  const endIndex = code.lastIndexOf('}');
+  startIndex = shiftStartIndexOnNewLine(startIndex, code);
+  const init = code.substring(0, startIndex + 1);
+  const clientCode = code.substring(startIndex + 1, endIndex);
+  const end = code.substr(endIndex, code.length);
+  const codeWithTags = init + JSCRAMBLER_BEG_ANNOTATION + clientCode + JSCRAMBLER_END_ANNOTATION + end;
+
+  return codeWithTags;
+}
+
+/**
+ * Use 'metro-source-map' to build a standard source-map from raw mappings
+ * @param {{code: string, map: Array.<Array<number>>}} output
+ * @param {string} modulePath
+ * @param {string} source
+ * @returns {string}
+ */
+function buildModuleSourceMap(output, modulePath, source) {
+  return metroSourceMap
+    .fromRawMappings([
+      {
+        ...output,
+        source,
+        path: modulePath
+      }
+    ])
+    .toString(modulePath);
+}
+
+/**
+ * @param {string} path
+ * @param {string} projectRoot
+ * @returns {string} undefined if path is empty or invalid
+ *
+ * @example
+ *    <project_root>/react-native0.59-grocery-list/App/index.js -> App/index.js
+ *    <project_root>/react-native0.59-grocery-list/App/index.ts -> App/index.js
+ */
+function buildNormalizePath(path, projectRoot) {
+  if (typeof path !== 'string' || path.trim().length === 0) {
+    return;
+  }
+  const relativePath = path.replace(projectRoot, '');
+  let relativePathWithLeadingSlash = relativePath.replace(JSCRAMBLER_EXTS, '.js');
+  if (relativePathWithLeadingSlash.startsWith(sep)) {
+    relativePathWithLeadingSlash = relativePathWithLeadingSlash.substring(1 /* remove leading separator */);
+  }
+  return relativePathWithLeadingSlash.replace(/\\/g, '/'); // replace win32 separator by linux one
+}
+
+function getCodeBody(code) {
+  const bodyBegIndex = code.indexOf("{");
+  const bodyEndIndex = code.lastIndexOf("}");
+  // +1 to include last '}'
+  return code.substring(bodyBegIndex, bodyEndIndex + 1);
+}
+
+function stripEntryPointTags(metroBundle, entryPointMinified) {
+  const entryPointBody = getCodeBody(entryPointMinified);
+  const entryPointBodyWithTags = wrapCodeWithTags(entryPointBody);
+  const metroChunksByEntrypoint = metroBundle.split(entryPointBodyWithTags);
+  // restore entrypoint original code
+  metroChunksByEntrypoint.splice(1, 0, entryPointBody);
+  return metroChunksByEntrypoint.join('');
+}
+
+/**
+ * Check if some file is readable
+ * @param {string} path filename path to be tested
+ * @returns {Promise<boolean>} true if readable, otherwise false
+ */
+const isFileReadable = (path) => new Promise((resolve) => {
+  fs.access(path, fs.constants.F_OK | fs.constants.R_OK, error => resolve(!error))
+})
+
+const addBundleArgsToExcludeList = (chunk, excludeList) => {
+  const regex = /\(([0-9a-zA-Z_,$ ]+)\)[ ]?{$/gm;
+  const m = regex.exec(chunk);
+  if (Array.isArray(m) && m.length > 1) {
+    for (const arg of m[m.length - 1].split(",")) {
+      if (!excludeList.includes(arg.trim())) {
+        excludeList.push(arg.trim());
+      }
+    }
+    return;
+  }
+
+  console.error(`Unable to add global variables to the exclude list.`);
+  process.exit(1);
+};
+
+function handleExcludeList(config, {supportsExcludeList, excludeList}) {
+  if (supportsExcludeList) {
+    config.excludeList = excludeList;
+  } else {
+    // add excludeList to gvi in case the api does not support global excludeList
+    if (Array.isArray(config.params)) {
+      const gvi = config.params.find(
+        (param) => param.name === JSCRAMBLER_GLOBAL_VARIABLE_INDIRECTION
+      );
+      if (gvi) {
+        gvi.options = gvi.options || {};
+        const mixedList = [
+          ...new Set(excludeList.concat(gvi.options.excludeList || [])),
+        ];
+        gvi.options.excludeList = mixedList;
+      }
+    }
+  }
+}
+
+function injectTolerateBegninPoisoning(config) {
+  if (Array.isArray(config.params)) {
+    const sd = config.params.find(
+      (param) => param.name === JSCRAMBLER_SELF_DEFENDING
+    );
+    if (sd) {
+      sd.options = sd.options || {};
+      sd.options.options = sd.options.options || [];
+      if (
+        Array.isArray(sd.options.options) &&
+        !sd.options.options.includes(JSCRAMBLER_TOLERATE_BENIGN_POISONING)
+      ) {
+        console.log(`info Jscrambler Tolerate benign poisoning option was automatically added to Self-Defending.`);
+        sd.options.options.push(JSCRAMBLER_TOLERATE_BENIGN_POISONING)
+      }
+    }
+  }
+}
+
+/**
+ * @param {object} config
+ * @param {string} processedMetroBundle
+ * @returns {boolean} if true the code must start in the first column
+ */
+function handleAntiTampering(config, processedMetroBundle) {
+  let requireStartAtFirstColumn = false
+  if (Array.isArray(config.params)) {
+    const antiTampering = config.params.find(
+      (param) => param.name === JSCRAMBLER_ANTI_TAMPERING
+    );
+    if (antiTampering) {
+      antiTampering.options = antiTampering.options || {};
+      antiTampering.options.mode = antiTampering.options.mode || [JSCRAMBLER_ANTI_TAMPERING_MODE_RCK, JSCRAMBLER_ANTI_TAMPERING_MODE_SKL];
+      if (config.enabledHermes) {
+        if (
+          Array.isArray(antiTampering.options.mode) &&
+          antiTampering.options.mode.includes(JSCRAMBLER_ANTI_TAMPERING_MODE_SKL)
+        ) {
+          console.log(`info Jscrambler Anti-Tampering Mode SKL can not be used in hermes engine. RCK mode was SET.`);
+          antiTampering.options.mode = [JSCRAMBLER_ANTI_TAMPERING_MODE_RCK];
+        }
+      }
+
+      if (antiTampering.options.mode.includes(JSCRAMBLER_ANTI_TAMPERING_MODE_SKL)) {
+        const singleLineModule = processedMetroBundle.match(RegExp(`\n\\S+${JSCRAMBLER_BEG_ANNOTATION}`, 'm'));
+        if (singleLineModule !== null) {
+          requireStartAtFirstColumn = true;
+        }
+      }
+    }
+  }
+  return requireStartAtFirstColumn;
+}
+
+/**
+ * @param {object} config
+ * @returns {boolean} if true 'show source' directive is added
+ */
+function addHermesShowSourceDirective(config) {
+  if (!config.enabledHermes) {
+    return false;
+  }
+
+  for (const slugName of JSCRAMBLER_HERMES_ADD_SHOW_SOURCE_DIRECTIVE) {
+    if (Array.isArray(config.params)) {
+      const showSource = config.params.find((param) => param.name === slugName);
+      if (showSource) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * @param config
+ * @exception {Error} If an incompatible transformation was selected
+ */
+function handleHermesIncompatibilities(config) {
+  if (!config.enabledHermes) {
+    return;
+  }
+
+  if (config.codeHardeningThreshold === undefined) {
+    console.log(`info Jscrambler Code Hardening ignored, as it is incompatible with hermes engine.`);
+  }
+  config.codeHardeningThreshold = 999999999;
+
+  for (const {
+    slugName,
+    errorMessage,
+  } of JSCRAMBLER_HERMES_INCOMPATIBILITIES) {
+    if (Array.isArray(config.params)) {
+      const usingIncompatible = config.params.find(
+        (param) => param.name === slugName,
+      );
+      if (usingIncompatible) {
+        throw new Error(errorMessage);
+      }
+    }
+  }
+}
+
+module.exports = {
+  buildModuleSourceMap,
+  buildNormalizePath,
+  extractLocs,
+  getBundlePath,
+  isFileReadable,
+  skipObfuscation,
+  stripEntryPointTags,
+  stripJscramblerTags,
+  addBundleArgsToExcludeList,
+  handleExcludeList,
+  injectTolerateBegninPoisoning,
+  handleAntiTampering,
+  addHermesShowSourceDirective,
+  handleHermesIncompatibilities,
+  wrapCodeWithTags
+};

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "jscrambler-metro-plugin",
+  "version": "0.0.0-bulbasaur-20250620144942",
+  "description": "A plugin to use metro with Jscrambler Code Integrity",
+  "exports": "./lib/index.js",
+  "peerDependencies": {
+    "metro-source-map": "0.x"
+  },
+  "dependencies": {
+    "commander": "^2.20.0",
+    "fs-extra": "^8.0.1",
+    "jscrambler": "0.0.0-bulbasaur-20250620144942"
+  },
+  "keywords": [
+    "jscrambler",
+    "javascript",
+    "react-native",
+    "metro",
+    "obfuscate",
+    "protect",
+    "js"
+  ],
+  "files": [
+    "lib"
+  ],
+  "author": "Jscrambler <support@jscrambler.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/jscrambler/jscrambler.git",
+    "directory": "packages/jscrambler-metro-plugin"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "scripts": {
+    "eslint": "eslint lib/",
+    "eslint:fix": "pnpm run eslint --fix"
+  }
+}