native-update 1.3.1 → 1.3.3

package/docs/guides/BACKEND_TEMPLATES_GUIDE.md

@@ -0,0 +1,183 @@
+# Backend Templates Guide
+
+This guide explains the backend templates provided by the native-update CLI and how to customize them for your production environment.
+
+## Overview
+
+The `npx native-update backend create <type>` command generates backend templates for managing OTA updates. These templates are **starting points** that require customization for your specific infrastructure.
+
+## Available Templates
+
+| Template | Command | Use Case |
+|----------|---------|----------|
+| Express.js | `npx native-update backend create express` | Self-hosted Node.js server |
+| Firebase | `npx native-update backend create firebase` | Serverless with Firebase Functions |
+| Vercel | `npx native-update backend create vercel` | Serverless with Vercel Edge Functions |
+
+## Template Structure
+
+Each template includes:
+
+```
+native-update-backend/
+├── src/
+│   ├── routes/
+│   │   ├── updates.js      # Update check/download endpoints
+│   │   └── admin.js        # Admin dashboard routes (if --with-admin)
+│   ├── services/
+│   │   ├── storage.js      # Bundle storage service (CUSTOMIZE THIS)
+│   │   └── database.js     # Metadata storage (CUSTOMIZE THIS)
+│   └── index.js            # Entry point
+├── package.json
+└── README.md
+```
+
+## Understanding Placeholder Code
+
+The generated templates contain placeholder implementations marked with comments explaining what you need to implement. These are **intentional customization points**, not incomplete code.
+
+### Example: Storage Service
+
+```javascript
+// storage.js - CUSTOMIZE FOR YOUR INFRASTRUCTURE
+export async function storeBundle(bundleId, file) {
+  // Implement your storage logic here
+  // Options:
+  // - AWS S3: Use @aws-sdk/client-s3
+  // - Google Cloud Storage: Use @google-cloud/storage
+  // - Azure Blob: Use @azure/storage-blob
+  // - Local filesystem: Use fs/promises
+  throw new Error('Storage not configured - implement storeBundle()');
+}
+
+export async function getBundle(bundleId) {
+  // Implement your retrieval logic here
+  throw new Error('Storage not configured - implement getBundle()');
+}
+```
+
+### Example: Database Service
+
+```javascript
+// database.js - CUSTOMIZE FOR YOUR INFRASTRUCTURE
+export async function saveBundleMetadata(metadata) {
+  // Implement your database logic here
+  // Options:
+  // - PostgreSQL: Use pg or prisma
+  // - MongoDB: Use mongoose
+  // - Firebase Firestore: Use firebase-admin
+  // - MySQL: Use mysql2
+  throw new Error('Database not configured - implement saveBundleMetadata()');
+}
+```
+
+## Customization Guide
+
+### Step 1: Choose Your Storage
+
+| Storage Option | Package | Best For |
+|----------------|---------|----------|
+| AWS S3 | `@aws-sdk/client-s3` | Production, scalable |
+| Google Cloud Storage | `@google-cloud/storage` | GCP infrastructure |
+| Azure Blob | `@azure/storage-blob` | Azure infrastructure |
+| Local Filesystem | `fs/promises` | Development only |
+| Cloudflare R2 | `@aws-sdk/client-s3` | Cost-effective |
+
+### Step 2: Choose Your Database
+
+| Database Option | Package | Best For |
+|----------------|---------|----------|
+| PostgreSQL | `pg`, `prisma` | Production, relational |
+| MongoDB | `mongoose` | Document-based |
+| Firebase Firestore | `firebase-admin` | Serverless |
+| SQLite | `better-sqlite3` | Small deployments |
+| Redis | `ioredis` | Caching, fast reads |
+
+### Step 3: Implement the Services
+
+Replace the placeholder functions with your actual implementations:
+
+```javascript
+// Example: AWS S3 implementation
+import { S3Client, PutObjectCommand, GetObjectCommand } from '@aws-sdk/client-s3';
+
+const s3 = new S3Client({ region: process.env.AWS_REGION });
+
+export async function storeBundle(bundleId, file) {
+  await s3.send(new PutObjectCommand({
+    Bucket: process.env.S3_BUCKET,
+    Key: `bundles/${bundleId}.zip`,
+    Body: file,
+  }));
+  return `bundles/${bundleId}.zip`;
+}
+
+export async function getBundle(bundleId) {
+  const response = await s3.send(new GetObjectCommand({
+    Bucket: process.env.S3_BUCKET,
+    Key: `bundles/${bundleId}.zip`,
+  }));
+  return response.Body;
+}
+```
+
+## Template Options
+
+### --with-admin
+
+Adds an admin dashboard for:
+- Viewing deployed bundles
+- Monitoring update adoption
+- Managing channels
+- Viewing device statistics
+
+### --with-monitoring
+
+Adds monitoring endpoints for:
+- Health checks
+- Prometheus metrics
+- Update success/failure rates
+- Download statistics
+
+## Production Checklist
+
+Before deploying to production:
+
+- [ ] Implement storage service for your cloud provider
+- [ ] Implement database service for metadata
+- [ ] Configure environment variables
+- [ ] Set up authentication for admin endpoints
+- [ ] Configure HTTPS/TLS
+- [ ] Set up rate limiting
+- [ ] Configure logging (Winston, Pino, etc.)
+- [ ] Set up error tracking (Sentry, etc.)
+- [ ] Configure backup strategy for bundles
+
+## Environment Variables
+
+Templates expect these environment variables:
+
+```env
+# Server
+PORT=3000
+NODE_ENV=production
+
+# Storage (example for S3)
+AWS_REGION=us-east-1
+S3_BUCKET=my-update-bundles
+AWS_ACCESS_KEY_ID=xxx
+AWS_SECRET_ACCESS_KEY=xxx
+
+# Database (example for PostgreSQL)
+DATABASE_URL=postgres://user:pass@host:5432/dbname
+
+# Security
+API_KEY=your-admin-api-key
+SIGNING_PUBLIC_KEY_PATH=./keys/public.pem
+```
+
+## Related Documentation
+
+- [Deployment Guide](./deployment-guide.md) - Full deployment instructions
+- [Security Best Practices](./security-best-practices.md) - Security recommendations
+- [Key Management](./key-management.md) - Managing signing keys

package/docs/play-console-rejection-rules.json

@@ -0,0 +1,428 @@
+{
+  "$schema": "play-console-rejection-rules-v1",
+  "version": "1.0.0",
+  "lastUpdated": "2026-01-07",
+  "description": "Google Play Console rejection patterns and compliance rules based on real rejection experiences",
+  "sourceProjects": ["ClearHire"],
+
+  "rejectionReasons": [
+    {
+      "id": 1,
+      "app": "TaxRight",
+      "packageName": "com.aoneahsan.taxright",
+      "category": "metadata",
+      "policy": "Metadata Policy",
+      "issue": "Featured graphic violates policy",
+      "details": "Featured graphic contained promotional content or text not allowed by Google Play policies",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9898842",
+      "fix": "Remove promotional text, rankings, testimonials from featured graphic"
+    },
+    {
+      "id": 2,
+      "app": "TaxRight",
+      "packageName": "com.aoneahsan.taxright",
+      "category": "metadata",
+      "policy": "Metadata Policy",
+      "issue": "User testimonials in description",
+      "details": "Description contained 'Trusted by 5000+ Clients' which violates metadata policy against user testimonials and user counts",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9898842",
+      "fix": "Remove all user counts, testimonials, and social proof claims from description"
+    },
+    {
+      "id": 3,
+      "app": "TaxRight",
+      "packageName": "com.aoneahsan.taxright",
+      "category": "misleading_claims",
+      "policy": "Misleading Claims Policy",
+      "issue": "Missing government source links",
+      "details": "App provides government information (tax filing) but lacks clear URL links to original government sources (.gov domains)",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16680223",
+      "fix": "Add source links to official government websites and include disclaimer that app doesn't represent government entity"
+    },
+    {
+      "id": 4,
+      "app": "PregnancyPal",
+      "packageName": "com.aoneahsan.pregnancypal",
+      "category": "health_apps",
+      "policy": "Health Content and Services Policy",
+      "issue": "Inaccurate Health Apps Declaration",
+      "details": "Health features in app don't match information provided in health declaration. Must declare all applicable categories: Reproductive/Sexual Health, Activity/Fitness, Nutrition, Period Tracking, Stress Management, Diseases Management, Healthcare Services, Medical Reference, Medication Management",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16679511",
+      "fix": "Update Health apps declaration form to select ALL applicable health feature categories"
+    },
+    {
+      "id": 7,
+      "app": "PregnancyPal",
+      "packageName": "com.aoneahsan.pregnancypal",
+      "category": "broken_functionality",
+      "policy": "Broken Functionality Policy",
+      "issue": "App crashes",
+      "details": "App exhibited crashes or broken functionality during review",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888074",
+      "fix": "Test app thoroughly on multiple devices, check Android vitals, fix all crash issues"
+    },
+    {
+      "id": 8,
+      "app": "Zeact Native",
+      "packageName": "com.aoneahsan.zeactnative",
+      "category": "data_safety",
+      "policy": "Data Safety Policy",
+      "issue": "Missing Data safety form (app removed)",
+      "details": "App was removed from Play Store due to missing Data safety form",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/10787469",
+      "fix": "Complete Data safety form in Play Console before submission"
+    },
+    {
+      "id": 9,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "metadata",
+      "policy": "Metadata Policy",
+      "issue": "Title/description don't match app",
+      "details": "App title and/or description don't accurately reflect app functionality",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9898842",
+      "fix": "Update title and description to accurately describe current app functionality"
+    },
+    {
+      "id": 10,
+      "app": "Trizlink",
+      "packageName": "com.aoneahsan.trizlink",
+      "category": "data_safety",
+      "policy": "Privacy Policy",
+      "issue": "Invalid Privacy policy URL",
+      "details": "Privacy policy URL doesn't link to a valid, accessible privacy policy. Must be active, publicly accessible, non-geofenced URL (no PDFs)",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9859455",
+      "fix": "Ensure privacy policy URL is accessible globally, not a PDF, and contains comprehensive privacy information"
+    },
+    {
+      "id": 11,
+      "app": "Zeact Native",
+      "packageName": "com.aoneahsan.zeactnative",
+      "category": "data_safety",
+      "policy": "Data Safety Policy",
+      "issue": "Missing Data safety form",
+      "details": "Data safety form not completed in Play Console",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/10787469",
+      "fix": "Complete Data safety form with ALL data types collected by app"
+    },
+    {
+      "id": 12,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "metadata",
+      "policy": "Metadata Policy",
+      "issue": "Screenshots don't accurately describe app",
+      "details": "Screenshots shown in store listing don't accurately represent current app functionality",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9898842",
+      "fix": "Update screenshots to show actual current app screens and features"
+    },
+    {
+      "id": 13,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "user_data",
+      "policy": "User Data Policy",
+      "issue": "Image upload without prominent disclosure",
+      "details": "App requests access to photos/images without prominent disclosure explaining why access is needed",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888076",
+      "fix": "Add prominent in-app disclosure before requesting photo/camera permissions explaining purpose"
+    },
+    {
+      "id": 14,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "misleading_claims",
+      "policy": "Misleading Claims Policy",
+      "issue": "Screenshots don't match app",
+      "details": "Screenshots shown in store listing don't match actual app UI/functionality",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16680223",
+      "fix": "Replace screenshots with actual current app screens"
+    },
+    {
+      "id": 15,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "news_apps",
+      "policy": "News Policy",
+      "issue": "News app without contact info",
+      "details": "News/magazine app lacks accessible contact information required by policy",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9935858",
+      "fix": "Add accessible contact information (email, website, phone) in app and store listing"
+    },
+    {
+      "id": 16,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "misleading_claims",
+      "policy": "Misleading Claims Policy",
+      "issue": "Screenshots don't match app functionality",
+      "details": "Store listing screenshots show features or UI that don't exist in app",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16680223",
+      "fix": "Update screenshots to reflect only actual implemented features"
+    },
+    {
+      "id": 17,
+      "app": "NukNukApp",
+      "packageName": "com.aoneahsan.nuknukapp",
+      "category": "broken_functionality",
+      "policy": "Broken Functionality Policy",
+      "issue": "App installs but doesn't load",
+      "details": "App installed successfully but failed to load or display content",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888074",
+      "fix": "Test app startup on multiple devices, ensure app loads and responds within reasonable time"
+    },
+    {
+      "id": 18,
+      "app": "NukNukApp",
+      "packageName": "com.aoneahsan.nuknukapp",
+      "category": "data_safety",
+      "policy": "Data Safety Form",
+      "issue": "Device IDs not disclosed in data safety",
+      "details": "App collects device IDs but this was not disclosed in Data safety form",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/10787469",
+      "fix": "Update Data safety form to include device identifiers in data collection disclosure"
+    },
+    {
+      "id": 19,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "data_safety",
+      "policy": "Data Safety Form",
+      "issue": "Device IDs not disclosed in data safety",
+      "details": "App collects device IDs but this was not disclosed in Data safety form",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/10787469",
+      "fix": "Update Data safety form to include device identifiers in data collection disclosure"
+    },
+    {
+      "id": 20,
+      "app": "Mawinga",
+      "packageName": "com.aoneahsan.mawinga",
+      "category": "broken_functionality",
+      "policy": "Broken Functionality Policy",
+      "issue": "App installs but doesn't load",
+      "details": "App installed successfully but failed to load or display content",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888074",
+      "fix": "Test app startup on multiple devices, ensure app loads within 5 seconds"
+    }
+  ],
+
+  "categories": {
+    "broken_functionality": {
+      "name": "Broken Functionality",
+      "description": "App crashes, doesn't load, or functions abnormally",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888074",
+      "rules": [
+        "Test app on 3+ real devices before submission",
+        "Ensure app loads within 5 seconds",
+        "Test all user flows end-to-end",
+        "Check Android vitals for crash reports",
+        "Test on minimum supported Android version",
+        "Verify network connectivity handling",
+        "Test offline functionality if applicable"
+      ],
+      "rejectionCount": 3
+    },
+    "data_safety": {
+      "name": "Data Safety & Privacy",
+      "description": "Data safety form, privacy policy, and user data handling",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/10787469",
+      "rules": [
+        "Complete Data safety form in Play Console BEFORE submission",
+        "Disclose ALL data types including device IDs and analytics",
+        "Privacy policy URL must be accessible globally (not geofenced)",
+        "Privacy policy CANNOT be a PDF file",
+        "Add prominent disclosure for sensitive data access",
+        "Request runtime permissions before accessing data",
+        "Include device identifiers if using Firebase/analytics"
+      ],
+      "rejectionCount": 6
+    },
+    "metadata": {
+      "name": "Metadata Policy",
+      "description": "App title, description, screenshots, icons, and graphics",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9898842",
+      "rules": [
+        "Screenshots MUST match current app version exactly",
+        "NO user testimonials or user counts in description",
+        "NO store performance claims (Best, #1, Top, Leading)",
+        "NO promotional language (Free, Discount, Sale, New)",
+        "Title must be 30 characters or less",
+        "NO emojis in title, icon, or developer name",
+        "Description must accurately describe app functionality",
+        "Feature graphic must not contain promotional text"
+      ],
+      "rejectionCount": 4
+    },
+    "misleading_claims": {
+      "name": "Misleading Claims",
+      "description": "False claims about app functionality or affiliations",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16680223",
+      "rules": [
+        "Provide source links for ALL government information",
+        "Include disclaimer if not government-affiliated",
+        "Screenshots must match actual current app UI",
+        "Don't claim features that don't exist",
+        "Don't claim affiliation without proper authorization",
+        "Update screenshots after every app update"
+      ],
+      "rejectionCount": 4
+    },
+    "health_apps": {
+      "name": "Health Content & Services",
+      "description": "Health app declarations and content",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/16679511",
+      "rules": [
+        "Complete Health apps declaration accurately in Play Console",
+        "Select ALL applicable health categories",
+        "Include medical disclaimer if not a medical device",
+        "App must NOT diagnose/treat/cure without authorization",
+        "Provide comprehensive health data privacy policy",
+        "Categories: Reproductive, Activity, Nutrition, Period Tracking, Stress, Diseases, Healthcare Services, Medical Reference, Medication Management"
+      ],
+      "rejectionCount": 1
+    },
+    "news_apps": {
+      "name": "News & Magazine Apps",
+      "description": "Requirements for news/magazine category apps",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9935858",
+      "rules": [
+        "Provide accessible contact information in app AND store listing",
+        "Include source attribution for all articles",
+        "Disclose if news is aggregated from third parties",
+        "Update content regularly"
+      ],
+      "rejectionCount": 1
+    },
+    "user_data": {
+      "name": "User Data Policy",
+      "description": "Collection and handling of user data",
+      "policyUrl": "https://support.google.com/googleplay/android-developer/answer/9888076",
+      "rules": [
+        "Prominent disclosure BEFORE accessing photos/camera/files",
+        "Runtime permission request before data access",
+        "Clear explanation of WHY data is needed",
+        "User consent required before collection",
+        "Disclosure must be visible and not hidden in settings"
+      ],
+      "rejectionCount": 1
+    }
+  },
+
+  "quickChecklist": {
+    "beforeSubmission": [
+      "App tested on 3+ real devices without crashes",
+      "App loads and responds within 5 seconds",
+      "Data safety form complete with ALL data types",
+      "Device IDs disclosed if using Firebase/analytics",
+      "Privacy policy URL accessible globally (not PDF)",
+      "Screenshots match current app version EXACTLY",
+      "No promotional/testimonial language in metadata",
+      "Title is 30 characters or less, no emojis",
+      "Feature graphic has no promotional text",
+      "Health declaration matches features (if applicable)",
+      "Government sources linked with disclaimer (if applicable)",
+      "Contact info provided (if news/magazine app)"
+    ],
+    "metadataCheck": [
+      "Title ≤30 characters, no emojis",
+      "No user counts ('5000+ users', 'Million downloads')",
+      "No ranking claims ('Best', '#1', 'Top', 'Leading')",
+      "No promotional words ('Free', 'Sale', 'New', 'Discount')",
+      "No testimonials ('Users love', '5-star rated')",
+      "Screenshots reflect actual current app",
+      "Feature graphic clean (no promo text)",
+      "Description accurately describes functionality"
+    ],
+    "privacyCheck": [
+      "Privacy policy URL works and loads globally",
+      "Privacy policy is NOT a PDF",
+      "Privacy policy is NOT geofenced",
+      "Data safety form complete in Play Console",
+      "ALL data types disclosed (including device IDs)",
+      "Prominent disclosure for sensitive data access"
+    ],
+    "healthAppsCheck": [
+      "Health apps declaration completed",
+      "ALL health categories selected that apply",
+      "Medical disclaimer included if not a medical device",
+      "Health data handling disclosed in privacy policy"
+    ]
+  },
+
+  "prohibitedWords": {
+    "rankings": [
+      "Best",
+      "#1",
+      "Top",
+      "Leading",
+      "Premium",
+      "Ultimate",
+      "Superior",
+      "Number 1",
+      "Highest rated"
+    ],
+    "promotional": [
+      "Free",
+      "Discount",
+      "Sale",
+      "New",
+      "Cheap",
+      "Deal",
+      "Limited time",
+      "Exclusive",
+      "Special offer"
+    ],
+    "testimonials": [
+      "users love",
+      "5-star",
+      "rated",
+      "trusted by",
+      "downloads",
+      "users worldwide",
+      "million users",
+      "satisfied customers",
+      "people use"
+    ],
+    "performance": [
+      "Fastest",
+      "Most downloaded",
+      "Award-winning",
+      "Featured",
+      "Editor's choice",
+      "Staff pick"
+    ]
+  },
+
+  "policyReferences": {
+    "metadata": "https://support.google.com/googleplay/android-developer/answer/9898842",
+    "misleadingClaims": "https://support.google.com/googleplay/android-developer/answer/16680223",
+    "dataSafety": "https://support.google.com/googleplay/android-developer/answer/10787469",
+    "privacyPolicy": "https://support.google.com/googleplay/android-developer/answer/9859455",
+    "brokenFunctionality": "https://support.google.com/googleplay/android-developer/answer/9888074",
+    "healthApps": "https://support.google.com/googleplay/android-developer/answer/16679511",
+    "newsApps": "https://support.google.com/googleplay/android-developer/answer/9935858",
+    "userData": "https://support.google.com/googleplay/android-developer/answer/9888076",
+    "deceptiveBehavior": "https://support.google.com/googleplay/android-developer/answer/16680223"
+  },
+
+  "statistics": {
+    "totalRejections": 18,
+    "byCategory": {
+      "data_safety": 6,
+      "metadata": 4,
+      "misleading_claims": 4,
+      "broken_functionality": 3,
+      "health_apps": 1,
+      "news_apps": 1,
+      "user_data": 1
+    },
+    "byApp": {
+      "Mawinga": 8,
+      "TaxRight": 3,
+      "NukNukApp": 2,
+      "Zeact Native": 2,
+      "PregnancyPal": 2,
+      "Trizlink": 1
+    }
+  }
+}

package/docs/reports/COMPLETE_VERIFICATION.md

@@ -17,7 +17,7 @@
 2. **Development Tools** ✅
    - Bundle creation utility (`tools/bundle-creator.js`)
    - Bundle signing tool (`tools/bundle-signer.js`)
-   - CLI tool (`cli/cap-update.js`)
+   - CLI tool (`cli/index.js`)
    - Testing framework with Vitest
    - Unit and integration tests
 

package/docs/reports/PRODUCTION_STATUS.md

@@ -20,7 +20,7 @@ This document summarizes the current production readiness status of the capacito
 - Bundle creation utility (`tools/bundle-creator.js`)
 - Bundle signing tool (`tools/bundle-signer.js`)
 - Minimal backend server template (`backend-template/`)
-- CLI tool for easier usage (`cli/cap-update.js`)
+- CLI tool for easier usage (`cli/index.js`)
 
 ### Core Features ✅
 - Client-side signature verification using Web Crypto API