native-update 1.4.8 → 2.0.0

package/docs/deployment/HOSTINGER_DEPLOY.md

@@ -0,0 +1,329 @@
+# Hostinger Deployment Guide
+
+Step-by-step deploy of the Laravel + Nova backend to Hostinger Business
+(shared hosting, SSH-enabled). Target URL:
+**https://nativeupdatebe.aoneahsan.com**.
+
+Tested against Hostinger hPanel, shared Business plan, PHP 8.2, MySQL.
+
+---
+
+## 0. What you need before starting
+
+| Item | Where to get it |
+|---|---|
+| Hostinger SSH access | hPanel → Advanced → SSH Access → "Enable" |
+| MySQL database | hPanel → Databases → MySQL Databases → Create |
+| Nova license key | nova.laravel.com (account → licenses) |
+| PayPal Live credentials | developer.paypal.com → My Apps & Credentials → Live |
+| PayPal subscription plans | PayPal Dashboard → Subscriptions → Plans (create Pro + Enterprise, copy the `P-...` IDs) |
+| PayPal webhook ID | Set up in step 4, skip for now |
+| FilesHub API key | fileshub.zaions.com admin |
+| Firebase service account JSON | console.firebase.google.com → Project settings → Service accounts → Generate private key |
+| Google OAuth client | console.cloud.google.com → APIs & Services → Credentials |
+
+---
+
+## 1. Build the production zip (local machine)
+
+Already built by the maintainer. Current artifact lives at:
+
+```
+production-deploy/nu-backend-YYYYMMDD-HHMMSS.zip
+```
+
+If you need to rebuild:
+
+```bash
+cd /home/ahsan/Documents/01-code/projects/native-update/backend
+
+# Ensure Nova + PayPal deps resolve
+composer install
+composer update --no-interaction
+
+# Production-only deps + Vite build
+php artisan optimize:clear
+composer install --no-dev --optimize-autoloader --classmap-authoritative
+npm run build
+
+# Produce the zip
+mkdir -p ../production-deploy
+zip -qr "../production-deploy/nu-backend-$(date +%Y%m%d-%H%M%S).zip" . \
+  -x "node_modules/*" ".git/*" "tests/*" ".env" ".env.*" \
+     "storage/logs/*.log" "storage/framework/cache/data/*" \
+     "storage/framework/sessions/*" "storage/framework/views/*.php" \
+     "*.sqlite" ".phpunit.result.cache" "*.DS_Store"
+
+# Restore dev deps locally
+composer install
+```
+
+The zip is ~67 MB. Upload it to Hostinger via SFTP to `~/uploads/`.
+
+---
+
+## 2. Hostinger hPanel one-time setup
+
+1. **Subdomain**. hPanel → Domains → Subdomains → Create:
+   - Subdomain: `nativeupdatebe`
+   - Domain: `aoneahsan.com`
+   - Document root: leave as Hostinger's default for now; we'll symlink
+     it to Laravel's `public/` in step 3.
+
+2. **Database**. hPanel → Databases → MySQL Databases → Create:
+   - DB name: `nativeupdate_backend` (Hostinger will prefix with your user)
+   - User: `nativeupdate_user`
+   - Password: generate a strong one; save it.
+
+3. **SSH**. hPanel → Advanced → SSH Access → Enable (if not already).
+   Note the port (usually 65002) and username.
+
+4. **Upload secrets** via hPanel File Manager (or SFTP):
+   - Upload `firebase-credentials.json` to `~/` (not public_html). We'll
+     move it in step 3.
+
+---
+
+## 3. SSH deploy (first time)
+
+SSH in:
+
+```bash
+ssh -p 65002 <USER>@<HOST>
+```
+
+Create the app directory one level above `public_html` and extract:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com
+mkdir -p app && cd app
+unzip -q ~/uploads/nu-backend-*.zip -d .
+```
+
+Point `public_html` at Laravel's `public/`:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com
+rm -rf public_html
+ln -s app/public public_html
+```
+
+Drop in the Firebase credentials file:
+
+```bash
+mkdir -p ~/domains/nativeupdatebe.aoneahsan.com/app/storage
+mv ~/firebase-credentials.json ~/domains/nativeupdatebe.aoneahsan.com/app/storage/
+chmod 600 ~/domains/nativeupdatebe.aoneahsan.com/app/storage/firebase-credentials.json
+```
+
+Configure the environment:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com/app
+cp .env.example .env
+nano .env
+```
+
+Fill in the following (paste real values for each `_________` placeholder):
+
+```dotenv
+APP_NAME="Native Update"
+APP_ENV=production
+APP_KEY=               # php artisan key:generate runs next
+APP_DEBUG=false
+APP_TIMEZONE=UTC
+APP_URL=https://nativeupdatebe.aoneahsan.com
+
+LOG_CHANNEL=daily
+LOG_LEVEL=warning
+
+# MySQL from step 2
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=_________
+DB_USERNAME=_________
+DB_PASSWORD=_________
+
+# FilesHub
+FILESHUB_BASE_URL=https://fileshub.zaions.com
+FILESHUB_API_KEY=_________
+FILESHUB_APP_ID=native-update
+
+# Firebase
+FIREBASE_PROJECT_ID=_________
+FIREBASE_CREDENTIALS_PATH=storage/firebase-credentials.json
+
+# Google OAuth (for Google Drive integration in dashboard)
+GOOGLE_CLIENT_ID=_________
+GOOGLE_CLIENT_SECRET=_________
+GOOGLE_REDIRECT_URI=${APP_URL}/api/dashboard/google-drive/callback
+
+# PayPal (live)
+PAYPAL_MODE=live
+PAYPAL_LIVE_CLIENT_ID=_________
+PAYPAL_LIVE_CLIENT_SECRET=_________
+PAYPAL_PLAN_PRO=P-_________
+PAYPAL_PLAN_ENTERPRISE=P-_________
+PAYPAL_WEBHOOK_ID=                  # fill in step 4
+
+# Nova
+NOVA_LICENSE_KEY=_________
+
+# Admin
+ADMIN_EMAILS=aoneahsan@gmail.com
+```
+
+Generate APP_KEY and lock down permissions:
+
+```bash
+php artisan key:generate --force
+
+find . -type d -exec chmod 755 {} \;
+find . -type f -exec chmod 644 {} \;
+chmod -R 775 storage bootstrap/cache
+chmod 600 .env storage/firebase-credentials.json
+```
+
+Run migrations and cache config for production:
+
+```bash
+php artisan migrate --force
+php artisan storage:link
+php artisan config:cache
+php artisan route:cache
+php artisan view:cache
+php artisan nova:publish
+```
+
+Smoke-test:
+
+```bash
+curl -sS https://nativeupdatebe.aoneahsan.com/api/health
+# Expected: {"status":"ok","app":"Native Update","env":"production","time":"..."}
+```
+
+Log in to Nova at `https://nativeupdatebe.aoneahsan.com/nova` with an
+email listed in `ADMIN_EMAILS` (Firebase-authenticated via the website
+dashboard) and verify the Apps / Builds / ApiKeys / SigningKeys /
+Subscriptions resources render.
+
+---
+
+## 4. Register the PayPal webhook
+
+In PayPal Dashboard → Webhooks → Add Webhook:
+
+- URL: `https://nativeupdatebe.aoneahsan.com/api/webhooks/paypal`
+- Events (minimum):
+  - `BILLING.SUBSCRIPTION.ACTIVATED`
+  - `BILLING.SUBSCRIPTION.CANCELLED`
+  - `BILLING.SUBSCRIPTION.SUSPENDED`
+  - `BILLING.SUBSCRIPTION.EXPIRED`
+  - `BILLING.SUBSCRIPTION.PAYMENT.FAILED`
+  - `PAYMENT.SALE.COMPLETED`
+
+Copy the webhook ID PayPal assigns (starts with `WH-`). SSH back in:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com/app
+sed -i 's|^PAYPAL_WEBHOOK_ID=.*|PAYPAL_WEBHOOK_ID=WH-xxxxxxxxxxxx|' .env
+php artisan config:cache
+```
+
+Run PayPal's Webhook Simulator from the dashboard to fire a
+`BILLING.SUBSCRIPTION.ACTIVATED` event. Expected response: `200 ok`.
+Check the logs:
+
+```bash
+tail -n 100 ~/domains/nativeupdatebe.aoneahsan.com/app/storage/logs/laravel-*.log
+```
+
+Should contain `PayPal webhook received` or `PayPal subscription activated`.
+
+---
+
+## 5. (Optional) Cron for scheduled tasks
+
+The current backend has no scheduled jobs. Add a cron only if/when
+`app/Console/Kernel.php` grows `$schedule` entries.
+
+hPanel → Advanced → Cron Jobs → Add:
+
+```
+* * * * * cd ~/domains/nativeupdatebe.aoneahsan.com/app && php artisan schedule:run >/dev/null 2>&1
+```
+
+---
+
+## 6. Re-deploys
+
+For each subsequent release:
+
+1. Rebuild the zip locally (see step 1).
+2. SFTP it to `~/uploads/nu-backend-NEW.zip`.
+3. SSH in and atomic-swap:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com
+mv app app.old
+mkdir app && cd app
+unzip -q ~/uploads/nu-backend-NEW.zip -d .
+
+# Carry over secrets + credentials
+cp ../app.old/.env .env
+cp ../app.old/storage/firebase-credentials.json storage/firebase-credentials.json
+cp -a ../app.old/storage/app storage/ 2>/dev/null || true
+
+# Fix perms
+find . -type d -exec chmod 755 {} \;
+find . -type f -exec chmod 644 {} \;
+chmod -R 775 storage bootstrap/cache
+chmod 600 .env storage/firebase-credentials.json
+
+# Rebuild caches + apply migrations
+php artisan migrate --force
+php artisan config:cache
+php artisan route:cache
+php artisan view:cache
+
+# Re-point public_html (only needed if symlink was lost)
+cd ..
+rm -rf public_html && ln -s app/public public_html
+
+# Smoke-test then clean up old release
+curl -sS https://nativeupdatebe.aoneahsan.com/api/health
+rm -rf app.old
+```
+
+---
+
+## 7. Rollback
+
+If a deploy breaks things and you didn't delete `app.old` yet:
+
+```bash
+cd ~/domains/nativeupdatebe.aoneahsan.com
+rm -rf app
+mv app.old app
+rm -rf public_html && ln -s app/public public_html
+php artisan config:cache
+curl -sS https://nativeupdatebe.aoneahsan.com/api/health
+```
+
+Migrations that were applied on the new release may need a manual
+`php artisan migrate:rollback --step=N` depending on what they changed.
+
+---
+
+## 8. Known Hostinger constraints
+
+- **No persistent queue workers.** The backend uses `QUEUE_CONNECTION=database`
+  and currently dispatches nothing async. If that changes, add a 1-minute
+  cron running `php artisan queue:work --stop-when-empty`.
+- **No Redis.** Cache + sessions use the MySQL `CACHE_STORE=database` driver.
+- **PHP 8.2 is the stable default.** PHP 8.3 is available but untested.
+- **Node/npm are not available via SSH on all plans.** The Vite build step
+  runs locally; the zip ships pre-built `public/build/` assets.
+- **Nova admin assets** are served from `public/vendor/nova/...` after
+  `php artisan nova:publish` — re-run after every deploy.

package/docs/features/laravel-nova-backend/ASSESSMENT-SUMMARY.md

@@ -0,0 +1,96 @@
+# Native Update - Assessment Summary
+
+**Date:** 2026-03-28
+**Assessed By:** Claude Code
+
+---
+
+## Plugin Assessment: PRODUCTION READY
+
+### TypeScript/Web Core
+| Area | Rating | Notes |
+|------|--------|-------|
+| Security | 5/5 | SHA-256 checksums, RSA-PSS signatures, AES-256-GCM encryption |
+| Architecture | 5/5 | Well-structured, modular, clean separation |
+| Error Handling | 5/5 | Comprehensive error types, proper propagation |
+| Testing | 4/5 | 81 tests passing |
+| Rollback | 5/5 | Atomic updates with backup/restore |
+
+### Android Native
+| Area | Rating | Notes |
+|------|--------|-------|
+| Security | 4/5 | EncryptedSharedPreferences, certificate pinning |
+| Implementation | 5/5 | Full feature parity |
+| Minor Issues | - | Timestamp bundle IDs (should use UUID) |
+
+### iOS Native
+| Area | Rating | Notes |
+|------|--------|-------|
+| Security | 4/5 | Keychain storage, TLS 1.2+ enforcement |
+| Implementation | 5/5 | Full feature parity |
+| Minor Issues | - | In-memory file loading for large checksums |
+
+---
+
+## Current Architecture Assessment: WORKING WELL
+
+The no-cost architecture (Firebase + Firestore + Google Drive) works correctly but lacks:
+- Server-side key validation (licensing)
+- Payment processing (Stripe)
+- Secure authenticated downloads
+- Server-held signing keys
+- MAU-based billing
+
+---
+
+## Laravel + Nova: REQUIRED
+
+### Why Backend Is Needed
+
+| Requirement | Why Server Needed |
+|-------------|-------------------|
+| **Licensing** | API keys must be validated server-side |
+| **Stripe Payments** | Webhooks require server endpoint |
+| **Secure Downloads** | Signed URLs need server generation |
+| **Bundle Signing** | Private RSA keys must stay server-side |
+| **MAU Billing** | Server aggregates device activity |
+| **Rate Limiting** | Must be enforced server-side |
+
+### Architecture Decision
+
+- **Keep:** Firebase Auth (working), React frontend
+- **Add:** Laravel API, MySQL, S3/R2 storage
+- **Nova:** Admin panel for user/subscription management
+
+---
+
+## Implementation Estimate
+
+| Phase | Duration |
+|-------|----------|
+| Laravel Setup | 1 week |
+| APIs + Stripe | 1.5 weeks |
+| Security + Signing | 1 week |
+| Nova Admin | 1 week |
+| Testing + Migration | 0.5 week |
+| **Total** | **5 weeks** |
+
+---
+
+## Files Created
+
+1. `/docs/features/laravel-nova-backend/IMPLEMENTATION-PLAN.md` - Full plan
+2. `/docs/features/laravel-nova-backend/progress-tracker.json` - Task tracker
+3. `/docs/features/laravel-nova-backend/ASSESSMENT-SUMMARY.md` - This file
+
+---
+
+## Ready to Proceed
+
+The native-update plugin is production-ready. The Laravel + Nova backend will enable:
+
+1. Paid SaaS model (like Ionic AppFlow)
+2. API key-based licensing
+3. Stripe subscriptions with MAU billing
+4. Secure bundle distribution
+5. Full admin panel for management