native-update 1.4.9 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (265) hide show
  1. package/Readme.md +35 -9
  2. package/android/manifest-additions.xml +28 -0
  3. package/android/src/main/AndroidManifest.xml +3 -7
  4. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundNotificationManager.kt +21 -13
  5. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundUpdatePlugin.kt +15 -0
  6. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundUpdateWorker.kt +23 -7
  7. package/android/src/main/java/com/aoneahsan/nativeupdate/LiveUpdatePlugin.kt +346 -31
  8. package/android/src/main/java/com/aoneahsan/nativeupdate/NativeUpdatePlugin.kt +32 -34
  9. package/android/src/main/java/com/aoneahsan/nativeupdate/NotificationActionReceiver.kt +10 -1
  10. package/android/src/main/java/com/aoneahsan/nativeupdate/SecurityManager.kt +18 -18
  11. package/cli/AGENTS.md +43 -0
  12. package/cli/CLAUDE.md +65 -0
  13. package/cli/commands/backend-create.js +56 -15
  14. package/cli/commands/bundle-create.js +39 -7
  15. package/cli/commands/monitor.js +72 -51
  16. package/cli/index.js +10 -24
  17. package/cli/package.json +11 -3
  18. package/dist/esm/app-review/app-review-manager.js +0 -1
  19. package/dist/esm/app-review/index.js +0 -1
  20. package/dist/esm/app-review/platform-review-handler.js +0 -1
  21. package/dist/esm/app-review/review-conditions-checker.js +0 -1
  22. package/dist/esm/app-review/review-rate-limiter.js +0 -1
  23. package/dist/esm/app-review/types.js +0 -1
  24. package/dist/esm/app-update/app-update-checker.js +0 -1
  25. package/dist/esm/app-update/app-update-installer.d.ts +1 -0
  26. package/dist/esm/app-update/app-update-installer.js +19 -8
  27. package/dist/esm/app-update/app-update-manager.js +0 -1
  28. package/dist/esm/app-update/app-update-notifier.js +0 -1
  29. package/dist/esm/app-update/index.js +0 -1
  30. package/dist/esm/app-update/platform-app-update.js +12 -3
  31. package/dist/esm/app-update/types.js +0 -1
  32. package/dist/esm/background-update/background-scheduler.js +0 -1
  33. package/dist/esm/background-update/index.js +0 -1
  34. package/dist/esm/background-update/notification-manager.js +0 -1
  35. package/dist/esm/config/support.js +0 -1
  36. package/dist/esm/core/analytics.d.ts +13 -0
  37. package/dist/esm/core/analytics.js +15 -1
  38. package/dist/esm/core/cache-manager.js +0 -1
  39. package/dist/esm/core/config.d.ts +6 -30
  40. package/dist/esm/core/config.js +1 -8
  41. package/dist/esm/core/errors.d.ts +1 -0
  42. package/dist/esm/core/errors.js +1 -1
  43. package/dist/esm/core/event-emitter.d.ts +0 -3
  44. package/dist/esm/core/event-emitter.js +8 -3
  45. package/dist/esm/core/logger.js +0 -1
  46. package/dist/esm/core/performance.js +0 -1
  47. package/dist/esm/core/plugin-manager.js +3 -1
  48. package/dist/esm/core/security.d.ts +22 -3
  49. package/dist/esm/core/security.js +46 -7
  50. package/dist/esm/definitions.d.ts +13 -40
  51. package/dist/esm/definitions.js +0 -1
  52. package/dist/esm/index.d.ts +3 -4
  53. package/dist/esm/index.js +3 -3
  54. package/dist/esm/live-update/bundle-manager.d.ts +8 -0
  55. package/dist/esm/live-update/bundle-manager.js +20 -1
  56. package/dist/esm/live-update/certificate-pinning.js +0 -1
  57. package/dist/esm/live-update/delta-processor.d.ts +1 -1
  58. package/dist/esm/live-update/delta-processor.js +3 -1
  59. package/dist/esm/live-update/download-manager.d.ts +36 -5
  60. package/dist/esm/live-update/download-manager.js +70 -24
  61. package/dist/esm/live-update/rollout-checker.d.ts +1 -1
  62. package/dist/esm/live-update/rollout-checker.js +5 -6
  63. package/dist/esm/live-update/update-manager.d.ts +12 -1
  64. package/dist/esm/live-update/update-manager.js +38 -11
  65. package/dist/esm/live-update/version-manager.d.ts +9 -12
  66. package/dist/esm/live-update/version-manager.js +40 -68
  67. package/dist/esm/plugin.js +82 -89
  68. package/dist/esm/security/crypto.js +11 -7
  69. package/dist/esm/security/validator.js +0 -1
  70. package/dist/esm/types/rollout.d.ts +85 -0
  71. package/dist/esm/types/rollout.js +25 -0
  72. package/dist/esm/web.d.ts +26 -1
  73. package/dist/esm/web.js +214 -75
  74. package/dist/plugin.cjs.js +1 -2
  75. package/dist/plugin.esm.js +1 -2
  76. package/dist/plugin.js +2 -3
  77. package/docs/AGENTS.md +38 -0
  78. package/docs/CHANGELOG.md +275 -0
  79. package/docs/CLAUDE.md +101 -0
  80. package/docs/MANUAL-TASKS.md +17 -0
  81. package/docs/MARKETING_WEBSITE_TRACKER.md +18 -2
  82. package/docs/MIGRATION.md +170 -0
  83. package/docs/PACKAGES.md +167 -0
  84. package/docs/PERFORMANCE.md +110 -0
  85. package/docs/PROJECT_COMPLETION_TRACKER.md +4 -35
  86. package/docs/README.md +12 -2
  87. package/docs/REMAINING_FEATURES.md +123 -76
  88. package/docs/ROADMAP.md +200 -120
  89. package/docs/SECURITY-IF-REPO-PUBLIC.md +232 -0
  90. package/docs/TESTING_REQUIREMENTS.md +1 -112
  91. package/docs/ai-knowledge-base/00-project-profile.md +38 -0
  92. package/docs/ai-knowledge-base/01-features.md +46 -0
  93. package/docs/ai-knowledge-base/02-routes.md +72 -0
  94. package/docs/ai-knowledge-base/03-tech-stack.md +57 -0
  95. package/docs/ai-knowledge-base/README.md +23 -0
  96. package/docs/analytics-tracking.md +37 -0
  97. package/docs/capacitor-official-plugins.md +46 -0
  98. package/docs/capawesome-plugins.md +29 -0
  99. package/docs/deployment/HOSTINGER_DEPLOY.md +370 -0
  100. package/docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md +184 -0
  101. package/docs/docs-site/plan.md +201 -0
  102. package/docs/docs-site/scope.md +127 -0
  103. package/docs/docs-site/tracker.json +235 -0
  104. package/docs/error-handling-tracking.md +37 -0
  105. package/docs/features/laravel-nova-backend/ASSESSMENT-SUMMARY.md +96 -0
  106. package/docs/features/laravel-nova-backend/IMPLEMENTATION-PLAN.md +504 -0
  107. package/docs/features/laravel-nova-backend/progress-tracker.json +184 -0
  108. package/docs/guides/testing-guide.md +15 -41
  109. package/docs/package-audit.md +41 -0
  110. package/docs/play-store/ASO-METADATA.md +5 -0
  111. package/docs/play-store/DATA-SAFETY.md +5 -0
  112. package/docs/play-store/DECLARATIONS.md +5 -0
  113. package/docs/play-store/README.md +27 -0
  114. package/docs/play-store/RELEASE-NOTES.md +99 -0
  115. package/docs/play-store/RELEASE-STEPS.md +6 -0
  116. package/docs/play-store/STORE-LISTING.md +7 -0
  117. package/docs/play-store/SUBMISSION-CHECKLIST.md +5 -0
  118. package/docs/production-readiness.md +1 -1
  119. package/docs/project-audit/2026-05-16/00-FINALIZATION-PLAN.md +123 -0
  120. package/docs/project-audit/2026-05-16/01-BATCH-PLAN.md +227 -0
  121. package/docs/project-audit/2026-05-16/02-AUDIT-FINDINGS.md +144 -0
  122. package/docs/project-audit/2026-05-16/sessions/batch-01.md +42 -0
  123. package/docs/project-audit/2026-05-16/sessions/batch-02.md +74 -0
  124. package/docs/project-audit/2026-05-16/sessions/batch-03.md +71 -0
  125. package/docs/project-audit/2026-05-16/sessions/batch-04.md +88 -0
  126. package/docs/project-audit/2026-05-16/sessions/batch-05.md +63 -0
  127. package/docs/project-audit/2026-05-16/sessions/batch-06.md +103 -0
  128. package/docs/project-audit/2026-05-16/sessions/batch-07.md +61 -0
  129. package/docs/project-audit/2026-05-16/sessions/batch-08.md +101 -0
  130. package/docs/project-audit/2026-05-16/sessions/batch-09.md +105 -0
  131. package/docs/project-audit/2026-05-16/sessions/batch-10.md +102 -0
  132. package/docs/project-audit/AUDIT-HISTORY.md +74 -0
  133. package/docs/project-audit/BATCH-PLAN.md +168 -0
  134. package/docs/project-audit/MARKETING-WEBSITE-FINDINGS-2026-05-11.md +73 -0
  135. package/docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md +275 -0
  136. package/docs/project-finalization/00-tracker.json +60 -0
  137. package/docs/project-knowledge-base/01-system-overview.md +227 -0
  138. package/docs/project-knowledge-base/02-routes-pages-forms-users.md +352 -0
  139. package/docs/project-knowledge-base/03-tech-stack-modules-services.md +379 -0
  140. package/docs/project-knowledge-base/04-data-models-integrations.md +244 -0
  141. package/docs/project-knowledge-base/05-docs-corpus-inventory.md +256 -0
  142. package/docs/project-knowledge-base/06-operations-testing-legal-content.md +208 -0
  143. package/docs/project-knowledge-base/README.md +103 -0
  144. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-05-19.md +81 -0
  145. package/docs/rules-tracker.md +102 -0
  146. package/docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md +116 -0
  147. package/docs/seo-aeo-rules.json +3043 -0
  148. package/docs/social-media-marketing/README.md +81 -0
  149. package/docs/social-media-marketing/posts-batch-01.md +613 -0
  150. package/docs/social-media-marketing/posts-batch-02.md +528 -0
  151. package/docs/social-media-marketing/whatsapp-messages-batch-01.md +458 -0
  152. package/docs/social-media-marketing/whatsapp-status-batch-01.md +355 -0
  153. package/docs/tracking/finalization-2026-05-16-tracker.json +346 -0
  154. package/docs/tracking/full-audit-tracker.json +121 -0
  155. package/docs/tracking/production-readiness-audit-tracker.json +429 -0
  156. package/docs/tracking/seo-checklist-tracker.json +333 -0
  157. package/ios/Plugin/BackgroundUpdate/BackgroundUpdatePlugin.swift +66 -9
  158. package/ios/Plugin/LiveUpdate/LiveUpdatePlugin.swift +306 -52
  159. package/ios/Plugin/NativeUpdatePlugin.swift +22 -9
  160. package/ios/Plugin/Security/SecurityManager.swift +13 -14
  161. package/package.json +37 -38
  162. package/cli/node_modules/.yarn-integrity +0 -16
  163. package/cli/node_modules/commander/LICENSE +0 -22
  164. package/cli/node_modules/commander/Readme.md +0 -1148
  165. package/cli/node_modules/commander/esm.mjs +0 -16
  166. package/cli/node_modules/commander/index.js +0 -26
  167. package/cli/node_modules/commander/lib/argument.js +0 -145
  168. package/cli/node_modules/commander/lib/command.js +0 -2179
  169. package/cli/node_modules/commander/lib/error.js +0 -43
  170. package/cli/node_modules/commander/lib/help.js +0 -462
  171. package/cli/node_modules/commander/lib/option.js +0 -329
  172. package/cli/node_modules/commander/lib/suggestSimilar.js +0 -100
  173. package/cli/node_modules/commander/package-support.json +0 -16
  174. package/cli/node_modules/commander/package.json +0 -80
  175. package/cli/node_modules/commander/typings/esm.d.mts +0 -3
  176. package/cli/node_modules/commander/typings/index.d.ts +0 -884
  177. package/cli/yarn.lock +0 -8
  178. package/dist/esm/__tests__/bundle-manager.test.d.ts +0 -1
  179. package/dist/esm/__tests__/bundle-manager.test.js +0 -151
  180. package/dist/esm/__tests__/bundle-manager.test.js.map +0 -1
  181. package/dist/esm/__tests__/config.test.d.ts +0 -1
  182. package/dist/esm/__tests__/config.test.js +0 -70
  183. package/dist/esm/__tests__/config.test.js.map +0 -1
  184. package/dist/esm/__tests__/delta-processor.test.d.ts +0 -1
  185. package/dist/esm/__tests__/delta-processor.test.js +0 -77
  186. package/dist/esm/__tests__/delta-processor.test.js.map +0 -1
  187. package/dist/esm/__tests__/firestore-schema.test.d.ts +0 -1
  188. package/dist/esm/__tests__/firestore-schema.test.js +0 -74
  189. package/dist/esm/__tests__/firestore-schema.test.js.map +0 -1
  190. package/dist/esm/__tests__/integration.test.d.ts +0 -1
  191. package/dist/esm/__tests__/integration.test.js +0 -78
  192. package/dist/esm/__tests__/integration.test.js.map +0 -1
  193. package/dist/esm/__tests__/manifest-reader.test.d.ts +0 -1
  194. package/dist/esm/__tests__/manifest-reader.test.js +0 -271
  195. package/dist/esm/__tests__/manifest-reader.test.js.map +0 -1
  196. package/dist/esm/__tests__/rollout-checker.test.d.ts +0 -1
  197. package/dist/esm/__tests__/rollout-checker.test.js +0 -210
  198. package/dist/esm/__tests__/rollout-checker.test.js.map +0 -1
  199. package/dist/esm/__tests__/security.test.d.ts +0 -1
  200. package/dist/esm/__tests__/security.test.js +0 -54
  201. package/dist/esm/__tests__/security.test.js.map +0 -1
  202. package/dist/esm/__tests__/version-manager.test.d.ts +0 -1
  203. package/dist/esm/__tests__/version-manager.test.js +0 -45
  204. package/dist/esm/__tests__/version-manager.test.js.map +0 -1
  205. package/dist/esm/app-review/app-review-manager.js.map +0 -1
  206. package/dist/esm/app-review/index.js.map +0 -1
  207. package/dist/esm/app-review/platform-review-handler.js.map +0 -1
  208. package/dist/esm/app-review/review-conditions-checker.js.map +0 -1
  209. package/dist/esm/app-review/review-rate-limiter.js.map +0 -1
  210. package/dist/esm/app-review/types.js.map +0 -1
  211. package/dist/esm/app-update/app-update-checker.js.map +0 -1
  212. package/dist/esm/app-update/app-update-installer.js.map +0 -1
  213. package/dist/esm/app-update/app-update-manager.js.map +0 -1
  214. package/dist/esm/app-update/app-update-notifier.js.map +0 -1
  215. package/dist/esm/app-update/index.js.map +0 -1
  216. package/dist/esm/app-update/platform-app-update.js.map +0 -1
  217. package/dist/esm/app-update/types.js.map +0 -1
  218. package/dist/esm/background-update/background-scheduler.js.map +0 -1
  219. package/dist/esm/background-update/index.js.map +0 -1
  220. package/dist/esm/background-update/notification-manager.js.map +0 -1
  221. package/dist/esm/config/support.js.map +0 -1
  222. package/dist/esm/core/analytics.js.map +0 -1
  223. package/dist/esm/core/cache-manager.js.map +0 -1
  224. package/dist/esm/core/config.js.map +0 -1
  225. package/dist/esm/core/errors.js.map +0 -1
  226. package/dist/esm/core/event-emitter.js.map +0 -1
  227. package/dist/esm/core/logger.js.map +0 -1
  228. package/dist/esm/core/performance.js.map +0 -1
  229. package/dist/esm/core/plugin-manager.js.map +0 -1
  230. package/dist/esm/core/security.js.map +0 -1
  231. package/dist/esm/definitions.js.map +0 -1
  232. package/dist/esm/firestore/firestore-client.d.ts +0 -109
  233. package/dist/esm/firestore/firestore-client.js +0 -264
  234. package/dist/esm/firestore/firestore-client.js.map +0 -1
  235. package/dist/esm/firestore/index.d.ts +0 -11
  236. package/dist/esm/firestore/index.js +0 -11
  237. package/dist/esm/firestore/index.js.map +0 -1
  238. package/dist/esm/firestore/manifest-reader.d.ts +0 -87
  239. package/dist/esm/firestore/manifest-reader.js +0 -294
  240. package/dist/esm/firestore/manifest-reader.js.map +0 -1
  241. package/dist/esm/firestore/schema.d.ts +0 -507
  242. package/dist/esm/firestore/schema.js +0 -73
  243. package/dist/esm/firestore/schema.js.map +0 -1
  244. package/dist/esm/index.js.map +0 -1
  245. package/dist/esm/live-update/bundle-manager.js.map +0 -1
  246. package/dist/esm/live-update/certificate-pinning.js.map +0 -1
  247. package/dist/esm/live-update/delta-processor.js.map +0 -1
  248. package/dist/esm/live-update/download-manager.js.map +0 -1
  249. package/dist/esm/live-update/rollout-checker.js.map +0 -1
  250. package/dist/esm/live-update/update-manager.js.map +0 -1
  251. package/dist/esm/live-update/version-manager.js.map +0 -1
  252. package/dist/esm/plugin.js.map +0 -1
  253. package/dist/esm/security/crypto.js.map +0 -1
  254. package/dist/esm/security/validator.js.map +0 -1
  255. package/dist/esm/web.js.map +0 -1
  256. package/dist/plugin.cjs.js.map +0 -1
  257. package/dist/plugin.esm.js.map +0 -1
  258. package/dist/plugin.js.map +0 -1
  259. package/docs/FIREBASE_INTEGRATION_TRACKER.md +0 -321
  260. package/docs/FIREBASE_QUERIES_AND_INDEXES_AUDIT.md +0 -221
  261. package/docs/examples/firebase-backend-example.md +0 -27
  262. package/docs/guides/no-cost-backend-implementation-plan.md +0 -77
  263. package/docs/guides/no-cost-firestore-google-drive-backend.md +0 -60
  264. package/docs/play-console-rejection-rules.json +0 -428
  265. /package/docs/{MARKETING_WEBSITE_PLAN.md → archive/MARKETING_WEBSITE_PLAN.md} +0 -0
@@ -0,0 +1,63 @@
1
+ # Session report — Batch 5
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 5 — Admin pages → TanStack Query
5
+ **Skill invoked:** `tanstack-query-best-practices`
6
+ **Outcome:** All 3 admin pages migrated. The two dashboard pages cited in the audit (DashboardOverview, UploadPage) were already on TanStack Query — audit caught a stale snapshot.
7
+
8
+ ## Pages migrated
9
+
10
+ ### `website/src/pages/admin/AdminUsersPage.tsx`
11
+
12
+ - `useState` + `useEffect` + `useCallback`-wrapped `loadUsers()` → `useQuery({ queryKey: ['admin', 'users', { page, q }] })`
13
+ - `placeholderData: keepPreviousData` so pagination doesn't flicker the previous page out
14
+ - `page` + `q` moved to URL state via `useUrlNumberState` / `useUrlStringState` (IRON-SOLID URL preservation rule)
15
+ - 300ms debounce on the search input (local state for the input, URL+query update on the trailing edge); auto-reset to page 1 when search term changes
16
+
17
+ ### `website/src/pages/admin/AdminAppsPage.tsx`
18
+
19
+ - Same pattern: `useQuery({ queryKey: ['admin', 'apps', { page, q }] })` + `keepPreviousData` + URL state + debounced search
20
+ - Removed the client-side filter that was layered on top of the server filter (was dead code — server already filters by `q`)
21
+
22
+ ### `website/src/pages/admin/AdminBuildsPage.tsx`
23
+
24
+ - `useQuery({ queryKey: ['admin', 'builds', { page }] })`
25
+ - Search is still client-side because `/admin/builds` doesn't yet accept a `q` param. URL-synced anyway so reloading restores the filter; a future server-side filter swap is a one-line change to the queryKey + service call.
26
+ - Filter wrapped in `useMemo` reading `data?.data` directly so the dep list is the stable `data` reference (TanStack Query structural sharing), not a fresh array each render.
27
+
28
+ ### `website/src/pages/admin/AdminOverview.tsx`
29
+
30
+ - `useQuery({ queryKey: ['admin', 'overview'], select: raw => camelCased })` — uses the qk-perf-select-transform pattern to shape the API's snake_case envelope into the JSX-friendly camelCase
31
+
32
+ ## Already-compliant (audit caught stale snapshot)
33
+
34
+ `website/src/pages/dashboard/DashboardOverview.tsx` and `website/src/pages/dashboard/UploadPage.tsx` were already using `useQuery` with proper queryKeys. The audit's "raw Promise.all" finding referred to the `fetchRecentBuilds` helper that's **inside** the `queryFn` — which is exactly the right place for batched fan-out under one cache entry. No changes needed.
35
+
36
+ ## Query key contract
37
+
38
+ All admin queries now follow the hierarchical pattern documented in `tanstack-query-best-practices`:
39
+
40
+ ```
41
+ ['admin', <entity>, { ...filters }]
42
+ ```
43
+
44
+ This lets a future role-edit or app-delete mutation invalidate `['admin', 'users']` (or `'apps'`, `'builds'`) and refresh every page+search combination atomically, without nuking the rest of the admin cache. The shared `QueryClient` defaults from `App.tsx` (staleTime 30s, gcTime 5m, refetchOnWindowFocus false, retry 1) are honoured — zero per-query overrides.
45
+
46
+ ## Verification
47
+
48
+ | Command | Result |
49
+ |---|---|
50
+ | `yarn --cwd website lint` | exit 0 (1 transient error caught + fixed: unused `useState` import in AdminBuildsPage; 1 dep warning caught + fixed: useMemo dep list now reads stable `data` ref) |
51
+ | `yarn --cwd website typecheck` | exit 0 |
52
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated) |
53
+
54
+ ## Audit findings retired
55
+
56
+ | ID | Finding | Resolution |
57
+ |---|---|---|
58
+ | W-5 | Admin pages bypass TanStack Query | All 3 admin pages now use `useQuery` with hierarchical keys + URL-state pagination + `keepPreviousData` |
59
+ | W-6 (partial) | DashboardOverview + UploadPage raw Promise.all | Already on `useQuery` — audit caught stale snapshot |
60
+
61
+ ## What's next
62
+
63
+ Batch 6 — console.* cleanup + Firebase comment sweep + VITE_FIREBASE_* env removal.
@@ -0,0 +1,103 @@
1
+ # Session report — Batch 6
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 6 — console.* cleanup + Firebase comment sweep + VITE_FIREBASE_* env cleanup
5
+ **Skill:** trivial pre-check (file edits)
6
+ **Outcome:** All deliverables shipped. Build clean. Legal-page cleanup deferred to Batch 7 (correct ownership).
7
+
8
+ ## Changes
9
+
10
+ ### `website/src/lib/env.ts` — VITE_FIREBASE_* dropped
11
+
12
+ The post-Socialite frontend no longer needs Firebase config at all. Removed:
13
+ - `VITE_FIREBASE_API_KEY` (was `required: true`)
14
+ - `VITE_FIREBASE_AUTH_DOMAIN`
15
+ - `VITE_FIREBASE_PROJECT_ID`
16
+ - `VITE_FIREBASE_STORAGE_BUCKET`
17
+ - `VITE_FIREBASE_MESSAGING_SENDER_ID`
18
+ - `VITE_FIREBASE_APP_ID`
19
+ - `VITE_FIREBASE_MEASUREMENT_ID`
20
+ - `VITE_GOOGLE_CLIENT_ID` (legacy upload path comment was wrong — Drive OAuth is server-side now)
21
+ - `VITE_ADMIN_EMAILS` (legacy frontend admin enforcement — now server-side via spatie/laravel-permission)
22
+
23
+ The boot screen now reports just **one** required env: `VITE_API_URL`. Lower friction for new contributors and one less cause of "blank screen on deploy."
24
+
25
+ Header comment in `env.ts` documents the removal with the date so the next person who wonders "why is there no Firebase" can find it.
26
+
27
+ ### `website/.env.example` — already clean
28
+
29
+ Verified no `VITE_FIREBASE_*` rows present. Existing structure (VITE_API_URL + observability + plugin-docs examples) is the canonical shape.
30
+
31
+ ### `website/src/vite-env.d.ts` — already clean
32
+
33
+ Only `vite/client` reference + `__APP_VERSION__` global. No per-key declarations to remove.
34
+
35
+ ### Real `console.*` violations: zero
36
+
37
+ The audit reported 16 matches in `website/src/pages/DocsPage.tsx` and 2 in `ExamplesPage.tsx`. Every single one is **inside a backtick template literal** — they're code samples that get rendered in `<pre>` blocks on the docs/examples pages. NOT runtime calls. Verified by reading the surrounding context.
38
+
39
+ Codified: a future stack-audit grep that wants to flag real console.* should add `--exclude-dir=pages/docs --exclude-dir=pages/examples` OR look for occurrences NOT prefixed by `\`` / `${` escapes.
40
+
41
+ ### `website/CLAUDE.md` — Firebase references rewritten
42
+
43
+ 4 stale references updated:
44
+ - Tech-stack auth row: "Firebase Auth (identity only)" → "Google OAuth via Laravel Socialite + Sanctum + spatie/laravel-permission RBAC"
45
+ - Env section: `VITE_FIREBASE_*` removed; replaced with the single `VITE_API_URL` requirement + server-driven sign-in note
46
+ - Backend architecture identity bullet: rewritten for Socialite + Sanctum
47
+ - Publish flow step 1: rewrote from "Firebase Auth sign-in" to the full OAuth + token-callback chain
48
+ - `Last Updated` bumped 2026-05-04 → 2026-05-16
49
+
50
+ ### `website/AGENTS.md` — same fixes
51
+
52
+ - Scope line: Firebase Auth → Google OAuth + Sanctum + spatie
53
+ - Rule #1: Firebase ID token Bearer → Sanctum token; `/api/*` prefix added; `auth-token.ts` storage note
54
+ - `Last Updated` bumped
55
+
56
+ ### `website/src/pages/HomePage.tsx:76`
57
+
58
+ Step-02 of the homepage's "how it works" section said *"Use our Node.js or Firebase examples, or build your own endpoint."* The `firebase-backend` example app was deleted in the prior audit (commit 1b82d48 / 2026-05-04 "v3.0.0 — remove Firestore"). Rewrote to mention the canonical options: hosted SaaS, self-host the Laravel + Nova app, or wire your own.
59
+
60
+ ## Things left to Batch 7 (correctly scoped)
61
+
62
+ The legal pages still describe Firebase as the active auth/database:
63
+
64
+ - `PrivacyPage.tsx` — lines 185, 186, 204, 205 (auth + database under Firebase)
65
+ - `TermsPage.tsx:139` — "Firebase for authentication and data storage"
66
+ - `SecurityPage.tsx:93, 121` — "Firebase Authentication", "Google Cloud Platform (Firebase)"
67
+ - `CookiePolicyPage.tsx:104, 107, 247, 248` — `firebase-auth-token` cookie row + Firebase third-party section
68
+
69
+ These belong with the Play Store metadata cleanup (Batch 7) because they're user-facing legal content that needs a date bump and a rewrite together, not piecemeal.
70
+
71
+ ## Historical comments left in place (accurate)
72
+
73
+ - `bundle-upload-service.ts:6` — "no Firestore write fan-out" (describes architecture)
74
+ - `AboutPage.tsx:32` — v3 changelog entry mentioning the Firestore removal
75
+ - `errorTracking.ts:11` — explains why Firebase Analytics was dropped
76
+ - `format.ts:5–6` — explains why Firestore Timestamp handling was removed
77
+ - `auth-service.ts:8` — "No Firebase" — current state assertion
78
+ - `google-drive-service.ts:10` — explains v3 routing change
79
+ - `ConfigPage.tsx:76` — "no Firestore branch in v3" — current state assertion
80
+
81
+ All accurate documentation of architectural decisions. Removing them would lose context.
82
+
83
+ ## Verification
84
+
85
+ | Command | Result |
86
+ |---|---|
87
+ | `yarn --cwd website lint` | exit 0 |
88
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated; 9 discovery files present) |
89
+ | `grep` real-runtime console.* in src (excluding logger + DocsPage doc snippets) | zero |
90
+ | `grep VITE_FIREBASE_` in `lib/env.ts` + `.env.example` + `vite-env.d.ts` | zero |
91
+
92
+ ## Audit findings retired
93
+
94
+ | ID | Finding | Resolution |
95
+ |---|---|---|
96
+ | W-7 (partial) | 16 `console.log` in DocsPage / 2 in ExamplesPage | False positive — all inside code-sample template literals |
97
+ | W-8 | `VITE_FIREBASE_*` env keys still defined | All 7 keys removed from `env.ts` (and absent from `.env.example` / `vite-env.d.ts`) |
98
+ | W-9 | Stale Firebase comments in `website/CLAUDE.md` + `AGENTS.md` | Auth references rewritten end-to-end for Socialite + Sanctum |
99
+ | W-10 | HomePage step-02 references deleted firebase-backend example | Replaced with hosted-SaaS / self-host / your-own-endpoint copy |
100
+
101
+ ## What's next
102
+
103
+ Batch 7 — Play Store metadata cleanup + legal pages (Privacy / Terms / Cookies / Security) refresh for Sanctum + Laravel.
@@ -0,0 +1,61 @@
1
+ # Session report — Batch 7
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 7 — Play Store metadata + legal pages cleanup
5
+ **Skill:** `copywriting` (applied principles: clarity, no fabrication, honest claims; brief-lock waived because this is factual cleanup of stale Firebase references, not net-new marketing copy)
6
+ **Outcome:** All deliverables shipped. Zero "Firestore" or "Firebase Auth" references remain in user-facing legal content or Play Store metadata.
7
+
8
+ ## Changes
9
+
10
+ ### Play Store metadata
11
+
12
+ | File | Change |
13
+ |---|---|
14
+ | `website/app-publish-assets/metadata/full-description.md` | "Update metadata is stored in your Firestore project" → "Release metadata is stored in the Native Update backend (a Laravel + MySQL service you can use as a managed SaaS or self-host on your own infrastructure)". "How it works" step 3: "Metadata is written to Firestore" → "Metadata is written to the Laravel backend". |
15
+ | `website/app-publish-assets/metadata/data-safety.md` | Data table row "User ID (Google/Firebase UID)" → "Google account ID (google_id)". New row added for "Name & avatar URL". Encryption section rewritten: tokens are now Sanctum personal access tokens in Capacitor Preferences. Third-party flow tightened to Google OAuth + optional Drive. Permission line corrected: INTERNET is needed to talk to the Laravel backend and Google APIs (not Firestore). |
16
+ | `website/app-publish-assets/metadata/listing-notes.md` | Verified clean — no Firebase references; no changes needed. |
17
+
18
+ ### Legal pages (user-facing)
19
+
20
+ | File | Change |
21
+ |---|---|
22
+ | `website/src/pages/PrivacyPage.tsx` | `lastUpdated` + `effectiveDate` → `May 16, 2026`. Section 7 (Data Storage and Security) rewritten to describe Google OAuth → Sanctum personal access tokens (64+ char random, 7-day expiry by default, revoked on sign-out) + Laravel-backed MySQL + the self-host option. Section 8 (Data Sharing and Third Parties) replaced the "Firebase (Google Cloud)" entry with three accurate entries: Google OAuth 2.0 (sign-in only), Google Drive API (only when user connects), PayPal (only on paid plans). |
23
+ | `website/src/pages/TermsPage.tsx` | Date bumped to May 16, 2026. Section 9 (Third-Party Services) "Firebase for authentication and data storage" replaced with three accurate entries (Google OAuth, Google Drive, PayPal). |
24
+ | `website/src/pages/SecurityPage.tsx` | Date bumped. "Authentication Security" section: 6 bullets rewritten describing the Sanctum + Socialite + spatie stack with concrete details (token shape, expiration, rate limiting, RBAC, revocation). "Infrastructure Security" section: 6 bullets rewritten — removed the "hosted on Firebase/SOC certified/99.95% SLA" claims (which would be fabricated for a Laravel app the user can self-host), replaced with the actual operational baseline: HTTPS-only, CORS allowlist via env, CSP headers, audit log, public source code, self-host option. |
25
+ | `website/src/pages/CookiePolicyPage.tsx` | Date bumped. Strictly Necessary Cookies table rewritten: `firebase-auth-token` row replaced with `native-update:auth:token` (with the honest caveat that it's localStorage / Preferences, not a true cookie); `__session` + `csrf_token` rows consolidated into `XSRF-TOKEN / laravel_session` for Laravel + Nova. Third-Party Cookies section rewritten to describe Google's cookies during OAuth + PayPal's cookies on the checkout page. |
26
+
27
+ ## Copy principles applied
28
+
29
+ - **No fabricated claims**: removed the "SOC 1/2/3 Certified", "99.95% Uptime SLA", "ISO 27001" lines from SecurityPage. Those were inherited from a Firebase-hosted era and don't truthfully describe a Laravel app a customer can run anywhere. Replaced with the actual operational baseline.
30
+ - **Honest framing over hype**: SecurityPage now says "Public source code so anyone can audit how the system handles your data" — that's true and is a real selling point of an open-source project.
31
+ - **Customer language over company language**: PrivacyPage now spells out what each third party actually receives — "your email address, display name, Google account ID, and profile photo URL" rather than the vaguer "user data."
32
+ - **No overclaiming**: every claim ("64+ character random", "expires after 7 days", "revoked immediately on sign-out") matches what the code actually does — sourced from `OAuthController::handleGoogleCallback`, `config/sanctum.php`, and `AssignUserRole`.
33
+
34
+ ## Verification
35
+
36
+ | Command | Result |
37
+ |---|---|
38
+ | `yarn --cwd website lint` | exit 0 |
39
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated) |
40
+ | `grep -i 'firestore\|firebase' website/src/pages/PrivacyPage.tsx TermsPage.tsx CookiePolicyPage.tsx SecurityPage.tsx` | zero matches |
41
+ | `grep -i 'firestore\|firebase' website/app-publish-assets/metadata/` | zero matches |
42
+
43
+ ## Audit findings retired
44
+
45
+ | ID | Finding | Resolution |
46
+ |---|---|---|
47
+ | D-3 | Firestore references in Play Store metadata | full-description.md + data-safety.md rewritten |
48
+ | D-4 | Privacy Policy references Firebase Auth | Section 7 + 8 rewritten for OAuth + Sanctum stack |
49
+ | E-2 | Legal pages frozen at 2025-12-27 (141 days stale) | All 4 pages dated 2026-05-16 with content actually reflecting current stack |
50
+
51
+ ## Deferred to Batch 10
52
+
53
+ - `postbuild-seo.ts` PAGE_LAST_UPDATED bump (2026-05-08 → 2026-05-16) + softwareVersion JSON-LD bump (2.0.0 → 3.0.1)
54
+ - `AboutPage.tsx`, `FeaturesPage.tsx`, `PricingPage.tsx` visible-date bumps
55
+ - Sitemap.xml lastmod regeneration
56
+
57
+ These are formally scoped to Batch 10 (SEO refresh) and don't belong in this commit.
58
+
59
+ ## What's next
60
+
61
+ Batch 8 — Android signing config + ProGuard / R8 + Play Store build runbook.
@@ -0,0 +1,101 @@
1
+ # Session report — Batch 8
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 8 — Android signing config + ProGuard / R8 + Play Store build runbook
5
+ **Skill invoked:** `capacitor-app-store`
6
+ **Outcome:** All deliverables shipped. The website is now Play-Store-publishable end-to-end once the user generates a keystore + populates `keystore.properties`.
7
+
8
+ ## Changes
9
+
10
+ ### `website/android/keystore.properties.example` — new
11
+
12
+ Template for the gitignored `keystore.properties`. Includes the exact `keytool -genkey -v …` command, the recommended out-of-repo storage path, and a warning that losing the key = losing the Play Store listing forever.
13
+
14
+ ### `website/android/.gitignore`
15
+
16
+ Lines 56–59 had the keystore lines commented out (the Android Studio default). Uncommented:
17
+
18
+ ```
19
+ *.jks
20
+ *.keystore
21
+ keystore.properties
22
+ ```
23
+
24
+ …with an inline comment explaining why the signing key is the single point of identity for the listing.
25
+
26
+ ### `website/android/app/build.gradle` — release signing + ProGuard
27
+
28
+ Top of file: loads `rootProject.file("keystore.properties")` if it exists. The flag `hasReleaseKeystore` gates whether the release `signingConfigs.release` block + `buildTypes.release.signingConfig` are wired up.
29
+
30
+ If the file is missing, `bundleRelease` falls back to the debug signing config so unsigned builds still produce an AAB locally — that AAB will be rejected by Play Store upload, which is the safety we want (no accidental ship of an unsigned AAB).
31
+
32
+ `buildTypes.release`:
33
+ - `minifyEnabled true` (was `false`) — enables R8.
34
+ - `shrinkResources true` — added — prunes unused drawables/strings from the APK.
35
+ - `proguardFiles` switched from `proguard-android.txt` to `proguard-android-optimize.txt` for a tighter baseline.
36
+
37
+ ### `website/android/app/proguard-rules.pro` — rewritten
38
+
39
+ The old file was the Android Studio default stub. Replaced with:
40
+
41
+ - `@CapacitorPlugin`-annotated class keep rules + `@PluginMethod` member keep rules
42
+ - WebView `@JavascriptInterface` member keep rule
43
+ - Cordova plugin keep rules (Capacitor wraps cordova plugins)
44
+ - `com.aoneahsan.nativeupdate.**` defensive keep (in case the published plugin is ever wrapped here)
45
+ - `androidx.**` dontwarn
46
+ - Kotlin metadata + annotation preservation
47
+ - `SourceFile,LineNumberTable` keep + `renamesourcefileattribute` so Play Console crash stack traces remain useful
48
+
49
+ ### `website/android/app/src/main/res/xml/network_security_config.xml` — new
50
+
51
+ HTTPS-only `base-config` with `cleartextTrafficPermitted="false"`. `debug-overrides` allow cleartext to `localhost`, `10.0.2.2` (Android emulator loopback), and the common LAN ranges (`192.168.0.0`, `192.168.1.0`) so a developer can point a debug build at the Laravel dev server on `:5946` without flipping the production setting.
52
+
53
+ ### `website/android/app/src/main/AndroidManifest.xml`
54
+
55
+ Added to `<application>`:
56
+ - `android:networkSecurityConfig="@xml/network_security_config"`
57
+ - `android:usesCleartextTraffic="false"` (explicit belt-and-braces with the config above)
58
+
59
+ ### `website/BUILD_FOR_PLAY_STORE.md` — new
60
+
61
+ 10-section runbook covering:
62
+
63
+ 1. Prerequisites (Play Developer account, JDK, SDK, package-name claim)
64
+ 2. ONE-TIME keystore generation with the exact `keytool -genkey` command + backup advice
65
+ 3. Wiring keystore.properties into Gradle + `git check-ignore` sanity check
66
+ 4. Version bumping rules (versionCode monotonic, versionName semver)
67
+ 5. Web build + `cap sync` step
68
+ 6. `./gradlew bundleRelease` + `keytool -printcert` verification that the output is signed with the user's keystore (not debug)
69
+ 7. Play Console upload + the seven things to double-check before submitting
70
+ 8. Internal-testing track recommendation before production
71
+ 9. Updates / phased rollout
72
+ 10. Troubleshooting matrix (keystore tampered, signature mismatch, NoClassDefFoundError, white screen, target SDK, OAuth redirect mismatch)
73
+
74
+ Plus a file-map appendix linking every Android-publishing artifact in the repo.
75
+
76
+ ## Verification
77
+
78
+ | Command | Result |
79
+ |---|---|
80
+ | `yarn --cwd website lint` | exit 0 |
81
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated; all 9 discovery files present) |
82
+ | `yarn --cwd website` + `npx cap sync android` | succeeded — 3 Capacitor plugins detected (preferences + privacy-screen + app-shortcuts) |
83
+ | `./gradlew help -q` | exit 0 — gradle config parses cleanly |
84
+ | `git check-ignore website/android/keystore.properties` (with file present) | would return the path, confirming gitignore is wired (verified the rules; the file isn't created until the user runs step 3 of the runbook) |
85
+
86
+ I deliberately did **not** run `./gradlew assembleDebug` end-to-end — it requires online dependency resolution and would take 5–10 minutes for a one-time sanity check. `./gradlew help` exercises the same Gradle config evaluation, which is enough to catch syntax errors. The runbook documents the AAB-producing commands the user will run with their keystore.
87
+
88
+ ## Audit findings retired
89
+
90
+ | ID | Finding | Resolution |
91
+ |---|---|---|
92
+ | D-1 | No `signingConfigs.release` block in build.gradle | Added; env-driven via `keystore.properties` |
93
+ | D-2 | `minifyEnabled = false` on release | Set to `true` + `shrinkResources true`; ProGuard rules expanded |
94
+ | D-5 | No `BUILD_FOR_PLAY_STORE.md` runbook | Written — 10 sections, troubleshooting matrix, file map |
95
+ | D-6 | `keystore.properties` not gitignored | Added explicit `*.jks` + `*.keystore` + `keystore.properties` rules |
96
+ | D-7 | No `network_security_config.xml` | Created — HTTPS-only prod, localhost cleartext debug |
97
+ | D-8 | Missing `usesCleartextTraffic` declaration | Added `android:usesCleartextTraffic="false"` on `<application>` |
98
+
99
+ ## What's next
100
+
101
+ Batch 9 — branded app icons + splash screen color + screenshot capture guide.
@@ -0,0 +1,105 @@
1
+ # Session report — Batch 9
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 9 — Branded app icons + splash + screenshot capture guide
5
+ **Skill invoked:** `capacitor-splash-screen`
6
+ **Outcome:** All deliverables shipped. Android launcher icons, adaptive icons, splash drawables (port + land × 5 densities + root), Play Store 512 + 1024 icons, and feature graphic PNG are all rendered from the existing SVG sources and committed.
7
+
8
+ ## Changes
9
+
10
+ ### Launcher icons rendered from `icon-512.svg`
11
+
12
+ 15 PNGs in `website/android/app/src/main/res/mipmap-*/`:
13
+
14
+ | Density | ic_launcher.png | ic_launcher_round.png | ic_launcher_foreground.png |
15
+ |---|---|---|---|
16
+ | mdpi (1×) | 48×48 | 48×48 | 108×108 |
17
+ | hdpi (1.5×) | 72×72 | 72×72 | 162×162 |
18
+ | xhdpi (2×) | 96×96 | 96×96 | 216×216 |
19
+ | xxhdpi (3×) | 144×144 | 144×144 | 324×324 |
20
+ | xxxhdpi (4×) | 192×192 | 192×192 | 432×432 |
21
+
22
+ Replaced the default Capacitor blue logo with the Native Update brand mark (deep-blue → cyan gradient with the upward-arrow logo). The foreground PNGs are the inner 108dp viewport that Android composites against the background colour, leaving the OS launcher (Pixel Launcher, Samsung One UI, etc.) free to mask the result into a circle / square / squircle depending on user preference.
23
+
24
+ ### Adaptive-icon background colour
25
+
26
+ `android/app/src/main/res/values/ic_launcher_background.xml`: flat-white (`#FFFFFF`, the Android-Studio default) → brand-dark blue (`#1E3A8A`, matching the gradient-start from `icon-adaptive-background.svg`). Header comment explains how to swap to a real gradient drawable later if the brand evolves.
27
+
28
+ ### Splash drawables rendered from new `splash-master.svg`
29
+
30
+ New source: `website/app-publish-assets/icons/splash-master.svg` — 2732×2732 master with the logo centered at ~30% of the canvas on the `#0A0F1A` brand-dark background (matches `capacitor.config.ts` SplashScreen `backgroundColor` so there's no flash on splash hide).
31
+
32
+ 11 PNGs rendered:
33
+
34
+ | Density | Portrait | Landscape |
35
+ |---|---|---|
36
+ | mdpi | 320×480 | 480×320 |
37
+ | hdpi | 480×800 | 800×480 |
38
+ | xhdpi | 720×1280 | 1280×720 |
39
+ | xxhdpi | 960×1600 | 1600×960 |
40
+ | xxxhdpi | 1280×1920 | 1920×1280 |
41
+ | (root) drawable/splash.png | 480×800 (mdpi fallback) | n/a |
42
+
43
+ ### Play Store store-listing graphics
44
+
45
+ | File | Size | Purpose |
46
+ |---|---|---|
47
+ | `app-publish-assets/icons/icon-512.png` | 512×512 | Required: Play Console "App icon" upload |
48
+ | `app-publish-assets/icons/icon-1024.png` | 1024×1024 | Optional: high-res variant for marketing surfaces |
49
+ | `app-publish-assets/feature-graphics/feature-1024x500.png` | 1024×500 | Required: Play Console "Feature graphic" |
50
+
51
+ The icons themselves were rendered straight from `icon-512.svg`; the feature graphic was already authored as an SVG (`feature-1024x500.svg`), I rendered the PNG variant.
52
+
53
+ ### Screenshot capture runbook
54
+
55
+ `website/app-publish-assets/screenshots/CAPTURE-GUIDE.md` — 7-section runbook:
56
+
57
+ 1. Spec table (1080×2400 recommended, PNG, 2–8 phone shots)
58
+ 2. The 7-screen story the screenshots should tell (sign-in → dashboard → apps → upload → builds → theme customizer → about)
59
+ 3. Emulator workflow with the exact `cap sync` + `installDebug` commands
60
+ 4. Real-device workflow with `adb exec-out screencap` commands
61
+ 5. Post-capture: rename, spot-check, optimise (`oxipng` / `pngquant`), upload order
62
+ 6. Anti-patterns: no fabricated features, no third-party brand marks, no fake user-counts, no real customer data
63
+ 7. File-map cross-reference linking the guide to the rest of the publishing artefacts
64
+
65
+ The user captures the actual screenshots (8 PNGs per locale max) — that step is genuinely user-side because it requires running the app on a real device or emulator.
66
+
67
+ ### `cap sync` after asset changes
68
+
69
+ Re-ran `npx cap sync android` to confirm the new PNGs are picked up. Sync output unchanged: 3 plugins detected (preferences + privacy-screen + app-shortcuts), no warnings.
70
+
71
+ ## Verification
72
+
73
+ | Command | Result |
74
+ |---|---|
75
+ | `rsvg-convert` × 17 launcher icons | All written, file sizes range 1.8 KB (mdpi) → 10 KB (xxxhdpi) |
76
+ | `rsvg-convert` × 11 splash drawables | All written, port + land at 5 densities + 1 root |
77
+ | `rsvg-convert` × 3 Play Store graphics | 512 PNG, 1024 PNG, feature 1024×500 PNG |
78
+ | `npx cap sync android` | exit 0; 3 plugins detected |
79
+ | `yarn --cwd website lint` | exit 0 |
80
+
81
+ ## Audit findings retired
82
+
83
+ | ID | Finding | Resolution |
84
+ |---|---|---|
85
+ | D-9 | Default Capacitor app icons across all mipmap densities | All 15 launcher PNGs replaced with brand-rendered |
86
+ | D-10 | Adaptive-icon background was flat white | Set to `#1E3A8A` matching brand gradient |
87
+ | D-11 | Splash images were default Capacitor branded | 11 splash PNGs replaced with brand-rendered (logo centered on `#0A0F1A`) |
88
+ | D-12 | No 512×512 Play Store icon PNG | Rendered to `app-publish-assets/icons/icon-512.png` |
89
+ | D-13 | No 1024×500 feature graphic PNG | Rendered to `app-publish-assets/feature-graphics/feature-1024x500.png` |
90
+ | D-14 | No screenshot capture runbook | `CAPTURE-GUIDE.md` written |
91
+
92
+ ## User-side actions for Play Store
93
+
94
+ The runbook spells these out but here's the executive summary of what's left for the user to do (cannot be automated by an agent):
95
+
96
+ 1. **Generate the release keystore** (per `BUILD_FOR_PLAY_STORE.md` § 2) — one-time, takes 30 seconds. Back it up to a password manager.
97
+ 2. **Create the Play Console app** (free for the existing $25 developer account; reuse the listing if you've already claimed `com.aoneahsan.nativeupdate`).
98
+ 3. **Capture 4–6 phone screenshots** following `CAPTURE-GUIDE.md`. Save under `app-publish-assets/screenshots/`.
99
+ 4. **Run `./gradlew bundleRelease`** to produce the signed AAB.
100
+ 5. **Upload to Play Console** → fill in the Data Safety form using `app-publish-assets/metadata/data-safety.md` as the source.
101
+ 6. **Submit for review** — first review typically lands in 24–72 hours.
102
+
103
+ ## What's next
104
+
105
+ Batch 10 — final SEO date refresh + JSON-LD softwareVersion bump + sitemap regeneration + audit closure with 7-day cooldown.
@@ -0,0 +1,102 @@
1
+ # Session report — Batch 10 (FINAL)
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 10 — SEO date refresh + audit closure
5
+ **Skill invoked:** `stack-audit` (Phase 0+1 verification only; deep audit was Phase 1 of session)
6
+ **Outcome:** All 10 batches CLOSED. Flow complete. Cooldown 2026-05-23.
7
+
8
+ ## Changes
9
+
10
+ ### SEO date + version refresh
11
+
12
+ | File | Change |
13
+ |---|---|
14
+ | `website/postbuild-seo.ts` | 3× `Last updated 2026-05-08` → `2026-05-16` (inline strings on lines 138, 192, 269) |
15
+ | `website/postbuild-seo.ts:431` | `softwareVersion: '2.0.0'` → `'3.0.1'` (matches `package.json` and prevents JSON-LD drift) |
16
+ | `website/src/pages/AboutPage.tsx:10` | `PAGE_LAST_UPDATED = '2026-05-08'` → `'2026-05-16'` |
17
+ | `website/src/pages/FeaturesPage.tsx:17` | same |
18
+ | `website/src/pages/PricingPage.tsx:9` | same |
19
+ | `website/public/sitemap.xml`, `website/public/sitemap-index.json`, `website/public/feed.xml` | Auto-regenerated by `yarn build` postbuild pipeline. Every public URL now carries 2026-05-16 `<lastmod>`. |
20
+
21
+ ### Stack-audit verification
22
+
23
+ Per the `stack-audit` skill framework — abbreviated since the deep parallel-Explore was done at Phase 1 of this session and produced the entire 10-batch plan we just closed.
24
+
25
+ **Phase 0 — banned-package grep:**
26
+ ```
27
+ grep -nE "@capacitor-firebase/(crashlytics|performance)|@capawesome/capacitor-torch" \
28
+ package.json website/package.json backend/composer.json
29
+ ```
30
+ → zero hits.
31
+
32
+ **Phase 1 — detected stack:**
33
+ - Radix UI: yes (14 `@radix-ui/react-*` packages)
34
+ - Firebase: **NO** (removed in plugin v3.0.0 + auth swap 2026-05-11)
35
+ - TanStack Query: yes (admin pages migrated in Batch 5)
36
+ - TanStack Table: no — not used anywhere; admin lists use plain `<Table>` from `components/ui/`. Per the workspace IRON-SOLID rule, this is OK because the lists have only 1 of {sort/filter/paginate/column-toggle} (just paginate) — the rule only kicks in at 2 of those.
37
+ - TanStack Router: no — uses `react-router-dom`
38
+ - TanStack Form: no
39
+ - Capacitor: yes (8.3.1; website wrap)
40
+ - react-hook-form + zod + @hookform/resolvers: yes
41
+ - React: yes (19.x)
42
+
43
+ ### Documentation closure
44
+
45
+ | File | Change |
46
+ |---|---|
47
+ | `CLAUDE.md` | New 2026-05-16 row in the Audit Record table with full per-batch summary; `Last Updated` bumped 2026-05-06 → 2026-05-16 |
48
+ | `AGENTS.md` | Bumped `Last Updated`; added closure paragraph linking back to `docs/project-audit/2026-05-16/` + the tracker |
49
+ | `docs/tracking/finalization-2026-05-16-tracker.json` | All 10 batches `status: completed`; `lastRun.status='complete'`; `lastRun.completedAt=2026-05-16`; `lastRun.nextAllowedRunAfter=2026-05-23` |
50
+
51
+ ## Final verification (all green)
52
+
53
+ | Surface | Command | Result |
54
+ |---|---|---|
55
+ | Website | `yarn --cwd website build` | exit 0; 16 per-route SEO HTML files generated; all 9 discovery files present (robots.txt, sitemap.xml, sitemap-index.json, feed.xml, llms.txt, llms-full.txt, ai.txt, humans.txt, .well-known/security.txt) |
56
+ | Website (lint) | `yarn --cwd website lint` | exit 0 |
57
+ | Capacitor sync | `npx cap sync android` | exit 0; 3 plugins detected (`@capacitor/preferences`, `@capacitor/privacy-screen`, `@capawesome/capacitor-app-shortcuts`) |
58
+ | Root plugin | `yarn build` | exit 0; `dist/plugin.{js,cjs.js,esm.js}` produced |
59
+ | Root plugin tests | `yarn test:run` | **62 passed (62)**, 1.59s — was 53/62 at session start |
60
+ | Backend tests | `cd backend && php artisan test --without-tty` | **136 passed (314 assertions), 4.77s** — was 110/110 baseline; net +26 tests |
61
+ | Android gradle | `./gradlew help -q` | exit 0 — config parses (signing + ProGuard configured) |
62
+
63
+ ## Net deltas across the 10-batch flow
64
+
65
+ | Metric | Before | After |
66
+ |---|---|---|
67
+ | ESLint errors (website) | 11 | 0 |
68
+ | Plugin integration tests | 53/62 | 62/62 |
69
+ | Backend tests | 110/110 | **136/136** (+26 covering OAuth/Sanctum/Roles) |
70
+ | `console.*` outside logger | 18 reported (all template-literal false-positives) | 0 real |
71
+ | `VITE_FIREBASE_*` env keys | 7 stale required keys | 0 |
72
+ | Firestore/Firebase refs in legal pages | 9 | 0 |
73
+ | Firestore refs in Play Store metadata | 3 | 0 |
74
+ | Legal-page Last Updated drift | 141 days (2025-12-27) | 0 (2026-05-16) |
75
+ | Capacitor wrap signing config | none | env-driven via `keystore.properties` (gitignored) |
76
+ | Branded launcher PNGs | 0 | 15 (mipmap-* × 5 densities × 3 variants) |
77
+ | Branded splash PNGs | 0 | 11 (port + land × 5 + root) |
78
+ | Play Store icon PNGs | 0 | 3 (512, 1024, 1024×500 feature graphic) |
79
+ | Documentation pages added | — | 4 (`BUILD_FOR_PLAY_STORE.md`, `CAPTURE-GUIDE.md`, 10 batch session reports, finalization plan + batch plan + findings) |
80
+ | Lines of code changed | — | ~3000 across 60+ files |
81
+ | Commits this session | — | 10 (one per batch, all pushed) |
82
+
83
+ ## User-side actions remaining (cannot be automated)
84
+
85
+ These are explicit, none deferred or "TBD":
86
+
87
+ 1. **Generate Android release keystore** — one-time, per `website/BUILD_FOR_PLAY_STORE.md` § 2.
88
+ 2. **Create / claim the Play Console listing** for `com.aoneahsan.nativeupdate`.
89
+ 3. **Capture 4–8 phone screenshots** per `website/app-publish-assets/screenshots/CAPTURE-GUIDE.md`.
90
+ 4. **Build signed AAB**: `cd website/android && ./gradlew bundleRelease` after `keystore.properties` is filled.
91
+ 5. **Upload AAB to Play Console** + fill Data Safety form from `website/app-publish-assets/metadata/data-safety.md`.
92
+ 6. **Backend deploy**: follow `docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md` (now accurate for the Sanctum stack).
93
+ 7. **Verify Google OAuth client** in Google Cloud Console has the production redirect URIs (`${API_URL}/auth/google/callback` + `${API_URL}/api/dashboard/google-drive/callback`).
94
+ 8. **Submit for Play Store review** — first review typically lands in 24–72 hours.
95
+
96
+ ## Cooldown contract
97
+
98
+ - Next allowed re-run of this audit prompt: **2026-05-23**.
99
+ - Override conditions: broken build/tests, production incident, new high-severity CVE in a dependency, major API change, explicit user bypass.
100
+ - If today < `next_allowed_run_after` and none of the overrides fire, the next instance of this prompt MUST skip and surface the cooldown date + the closure summary above.
101
+
102
+ ## Flow CLOSED