native-update 1.4.9 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (265) hide show
  1. package/Readme.md +35 -9
  2. package/android/manifest-additions.xml +28 -0
  3. package/android/src/main/AndroidManifest.xml +3 -7
  4. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundNotificationManager.kt +21 -13
  5. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundUpdatePlugin.kt +15 -0
  6. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundUpdateWorker.kt +23 -7
  7. package/android/src/main/java/com/aoneahsan/nativeupdate/LiveUpdatePlugin.kt +346 -31
  8. package/android/src/main/java/com/aoneahsan/nativeupdate/NativeUpdatePlugin.kt +32 -34
  9. package/android/src/main/java/com/aoneahsan/nativeupdate/NotificationActionReceiver.kt +10 -1
  10. package/android/src/main/java/com/aoneahsan/nativeupdate/SecurityManager.kt +18 -18
  11. package/cli/AGENTS.md +43 -0
  12. package/cli/CLAUDE.md +65 -0
  13. package/cli/commands/backend-create.js +56 -15
  14. package/cli/commands/bundle-create.js +39 -7
  15. package/cli/commands/monitor.js +72 -51
  16. package/cli/index.js +10 -24
  17. package/cli/package.json +11 -3
  18. package/dist/esm/app-review/app-review-manager.js +0 -1
  19. package/dist/esm/app-review/index.js +0 -1
  20. package/dist/esm/app-review/platform-review-handler.js +0 -1
  21. package/dist/esm/app-review/review-conditions-checker.js +0 -1
  22. package/dist/esm/app-review/review-rate-limiter.js +0 -1
  23. package/dist/esm/app-review/types.js +0 -1
  24. package/dist/esm/app-update/app-update-checker.js +0 -1
  25. package/dist/esm/app-update/app-update-installer.d.ts +1 -0
  26. package/dist/esm/app-update/app-update-installer.js +19 -8
  27. package/dist/esm/app-update/app-update-manager.js +0 -1
  28. package/dist/esm/app-update/app-update-notifier.js +0 -1
  29. package/dist/esm/app-update/index.js +0 -1
  30. package/dist/esm/app-update/platform-app-update.js +12 -3
  31. package/dist/esm/app-update/types.js +0 -1
  32. package/dist/esm/background-update/background-scheduler.js +0 -1
  33. package/dist/esm/background-update/index.js +0 -1
  34. package/dist/esm/background-update/notification-manager.js +0 -1
  35. package/dist/esm/config/support.js +0 -1
  36. package/dist/esm/core/analytics.d.ts +13 -0
  37. package/dist/esm/core/analytics.js +15 -1
  38. package/dist/esm/core/cache-manager.js +0 -1
  39. package/dist/esm/core/config.d.ts +6 -30
  40. package/dist/esm/core/config.js +1 -8
  41. package/dist/esm/core/errors.d.ts +1 -0
  42. package/dist/esm/core/errors.js +1 -1
  43. package/dist/esm/core/event-emitter.d.ts +0 -3
  44. package/dist/esm/core/event-emitter.js +8 -3
  45. package/dist/esm/core/logger.js +0 -1
  46. package/dist/esm/core/performance.js +0 -1
  47. package/dist/esm/core/plugin-manager.js +3 -1
  48. package/dist/esm/core/security.d.ts +22 -3
  49. package/dist/esm/core/security.js +46 -7
  50. package/dist/esm/definitions.d.ts +13 -40
  51. package/dist/esm/definitions.js +0 -1
  52. package/dist/esm/index.d.ts +3 -4
  53. package/dist/esm/index.js +3 -3
  54. package/dist/esm/live-update/bundle-manager.d.ts +8 -0
  55. package/dist/esm/live-update/bundle-manager.js +20 -1
  56. package/dist/esm/live-update/certificate-pinning.js +0 -1
  57. package/dist/esm/live-update/delta-processor.d.ts +1 -1
  58. package/dist/esm/live-update/delta-processor.js +3 -1
  59. package/dist/esm/live-update/download-manager.d.ts +36 -5
  60. package/dist/esm/live-update/download-manager.js +70 -24
  61. package/dist/esm/live-update/rollout-checker.d.ts +1 -1
  62. package/dist/esm/live-update/rollout-checker.js +5 -6
  63. package/dist/esm/live-update/update-manager.d.ts +12 -1
  64. package/dist/esm/live-update/update-manager.js +38 -11
  65. package/dist/esm/live-update/version-manager.d.ts +9 -12
  66. package/dist/esm/live-update/version-manager.js +40 -68
  67. package/dist/esm/plugin.js +82 -89
  68. package/dist/esm/security/crypto.js +11 -7
  69. package/dist/esm/security/validator.js +0 -1
  70. package/dist/esm/types/rollout.d.ts +85 -0
  71. package/dist/esm/types/rollout.js +25 -0
  72. package/dist/esm/web.d.ts +26 -1
  73. package/dist/esm/web.js +214 -75
  74. package/dist/plugin.cjs.js +1 -2
  75. package/dist/plugin.esm.js +1 -2
  76. package/dist/plugin.js +2 -3
  77. package/docs/AGENTS.md +38 -0
  78. package/docs/CHANGELOG.md +275 -0
  79. package/docs/CLAUDE.md +101 -0
  80. package/docs/MANUAL-TASKS.md +17 -0
  81. package/docs/MARKETING_WEBSITE_TRACKER.md +18 -2
  82. package/docs/MIGRATION.md +170 -0
  83. package/docs/PACKAGES.md +167 -0
  84. package/docs/PERFORMANCE.md +110 -0
  85. package/docs/PROJECT_COMPLETION_TRACKER.md +4 -35
  86. package/docs/README.md +12 -2
  87. package/docs/REMAINING_FEATURES.md +123 -76
  88. package/docs/ROADMAP.md +200 -120
  89. package/docs/SECURITY-IF-REPO-PUBLIC.md +232 -0
  90. package/docs/TESTING_REQUIREMENTS.md +1 -112
  91. package/docs/ai-knowledge-base/00-project-profile.md +38 -0
  92. package/docs/ai-knowledge-base/01-features.md +46 -0
  93. package/docs/ai-knowledge-base/02-routes.md +72 -0
  94. package/docs/ai-knowledge-base/03-tech-stack.md +57 -0
  95. package/docs/ai-knowledge-base/README.md +23 -0
  96. package/docs/analytics-tracking.md +37 -0
  97. package/docs/capacitor-official-plugins.md +46 -0
  98. package/docs/capawesome-plugins.md +29 -0
  99. package/docs/deployment/HOSTINGER_DEPLOY.md +370 -0
  100. package/docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md +184 -0
  101. package/docs/docs-site/plan.md +201 -0
  102. package/docs/docs-site/scope.md +127 -0
  103. package/docs/docs-site/tracker.json +235 -0
  104. package/docs/error-handling-tracking.md +37 -0
  105. package/docs/features/laravel-nova-backend/ASSESSMENT-SUMMARY.md +96 -0
  106. package/docs/features/laravel-nova-backend/IMPLEMENTATION-PLAN.md +504 -0
  107. package/docs/features/laravel-nova-backend/progress-tracker.json +184 -0
  108. package/docs/guides/testing-guide.md +15 -41
  109. package/docs/package-audit.md +41 -0
  110. package/docs/play-store/ASO-METADATA.md +5 -0
  111. package/docs/play-store/DATA-SAFETY.md +5 -0
  112. package/docs/play-store/DECLARATIONS.md +5 -0
  113. package/docs/play-store/README.md +27 -0
  114. package/docs/play-store/RELEASE-NOTES.md +99 -0
  115. package/docs/play-store/RELEASE-STEPS.md +6 -0
  116. package/docs/play-store/STORE-LISTING.md +7 -0
  117. package/docs/play-store/SUBMISSION-CHECKLIST.md +5 -0
  118. package/docs/production-readiness.md +1 -1
  119. package/docs/project-audit/2026-05-16/00-FINALIZATION-PLAN.md +123 -0
  120. package/docs/project-audit/2026-05-16/01-BATCH-PLAN.md +227 -0
  121. package/docs/project-audit/2026-05-16/02-AUDIT-FINDINGS.md +144 -0
  122. package/docs/project-audit/2026-05-16/sessions/batch-01.md +42 -0
  123. package/docs/project-audit/2026-05-16/sessions/batch-02.md +74 -0
  124. package/docs/project-audit/2026-05-16/sessions/batch-03.md +71 -0
  125. package/docs/project-audit/2026-05-16/sessions/batch-04.md +88 -0
  126. package/docs/project-audit/2026-05-16/sessions/batch-05.md +63 -0
  127. package/docs/project-audit/2026-05-16/sessions/batch-06.md +103 -0
  128. package/docs/project-audit/2026-05-16/sessions/batch-07.md +61 -0
  129. package/docs/project-audit/2026-05-16/sessions/batch-08.md +101 -0
  130. package/docs/project-audit/2026-05-16/sessions/batch-09.md +105 -0
  131. package/docs/project-audit/2026-05-16/sessions/batch-10.md +102 -0
  132. package/docs/project-audit/AUDIT-HISTORY.md +74 -0
  133. package/docs/project-audit/BATCH-PLAN.md +168 -0
  134. package/docs/project-audit/MARKETING-WEBSITE-FINDINGS-2026-05-11.md +73 -0
  135. package/docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md +275 -0
  136. package/docs/project-finalization/00-tracker.json +60 -0
  137. package/docs/project-knowledge-base/01-system-overview.md +227 -0
  138. package/docs/project-knowledge-base/02-routes-pages-forms-users.md +352 -0
  139. package/docs/project-knowledge-base/03-tech-stack-modules-services.md +379 -0
  140. package/docs/project-knowledge-base/04-data-models-integrations.md +244 -0
  141. package/docs/project-knowledge-base/05-docs-corpus-inventory.md +256 -0
  142. package/docs/project-knowledge-base/06-operations-testing-legal-content.md +208 -0
  143. package/docs/project-knowledge-base/README.md +103 -0
  144. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-05-19.md +81 -0
  145. package/docs/rules-tracker.md +102 -0
  146. package/docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md +116 -0
  147. package/docs/seo-aeo-rules.json +3043 -0
  148. package/docs/social-media-marketing/README.md +81 -0
  149. package/docs/social-media-marketing/posts-batch-01.md +613 -0
  150. package/docs/social-media-marketing/posts-batch-02.md +528 -0
  151. package/docs/social-media-marketing/whatsapp-messages-batch-01.md +458 -0
  152. package/docs/social-media-marketing/whatsapp-status-batch-01.md +355 -0
  153. package/docs/tracking/finalization-2026-05-16-tracker.json +346 -0
  154. package/docs/tracking/full-audit-tracker.json +121 -0
  155. package/docs/tracking/production-readiness-audit-tracker.json +429 -0
  156. package/docs/tracking/seo-checklist-tracker.json +333 -0
  157. package/ios/Plugin/BackgroundUpdate/BackgroundUpdatePlugin.swift +66 -9
  158. package/ios/Plugin/LiveUpdate/LiveUpdatePlugin.swift +306 -52
  159. package/ios/Plugin/NativeUpdatePlugin.swift +22 -9
  160. package/ios/Plugin/Security/SecurityManager.swift +13 -14
  161. package/package.json +37 -38
  162. package/cli/node_modules/.yarn-integrity +0 -16
  163. package/cli/node_modules/commander/LICENSE +0 -22
  164. package/cli/node_modules/commander/Readme.md +0 -1148
  165. package/cli/node_modules/commander/esm.mjs +0 -16
  166. package/cli/node_modules/commander/index.js +0 -26
  167. package/cli/node_modules/commander/lib/argument.js +0 -145
  168. package/cli/node_modules/commander/lib/command.js +0 -2179
  169. package/cli/node_modules/commander/lib/error.js +0 -43
  170. package/cli/node_modules/commander/lib/help.js +0 -462
  171. package/cli/node_modules/commander/lib/option.js +0 -329
  172. package/cli/node_modules/commander/lib/suggestSimilar.js +0 -100
  173. package/cli/node_modules/commander/package-support.json +0 -16
  174. package/cli/node_modules/commander/package.json +0 -80
  175. package/cli/node_modules/commander/typings/esm.d.mts +0 -3
  176. package/cli/node_modules/commander/typings/index.d.ts +0 -884
  177. package/cli/yarn.lock +0 -8
  178. package/dist/esm/__tests__/bundle-manager.test.d.ts +0 -1
  179. package/dist/esm/__tests__/bundle-manager.test.js +0 -151
  180. package/dist/esm/__tests__/bundle-manager.test.js.map +0 -1
  181. package/dist/esm/__tests__/config.test.d.ts +0 -1
  182. package/dist/esm/__tests__/config.test.js +0 -70
  183. package/dist/esm/__tests__/config.test.js.map +0 -1
  184. package/dist/esm/__tests__/delta-processor.test.d.ts +0 -1
  185. package/dist/esm/__tests__/delta-processor.test.js +0 -77
  186. package/dist/esm/__tests__/delta-processor.test.js.map +0 -1
  187. package/dist/esm/__tests__/firestore-schema.test.d.ts +0 -1
  188. package/dist/esm/__tests__/firestore-schema.test.js +0 -74
  189. package/dist/esm/__tests__/firestore-schema.test.js.map +0 -1
  190. package/dist/esm/__tests__/integration.test.d.ts +0 -1
  191. package/dist/esm/__tests__/integration.test.js +0 -78
  192. package/dist/esm/__tests__/integration.test.js.map +0 -1
  193. package/dist/esm/__tests__/manifest-reader.test.d.ts +0 -1
  194. package/dist/esm/__tests__/manifest-reader.test.js +0 -271
  195. package/dist/esm/__tests__/manifest-reader.test.js.map +0 -1
  196. package/dist/esm/__tests__/rollout-checker.test.d.ts +0 -1
  197. package/dist/esm/__tests__/rollout-checker.test.js +0 -210
  198. package/dist/esm/__tests__/rollout-checker.test.js.map +0 -1
  199. package/dist/esm/__tests__/security.test.d.ts +0 -1
  200. package/dist/esm/__tests__/security.test.js +0 -54
  201. package/dist/esm/__tests__/security.test.js.map +0 -1
  202. package/dist/esm/__tests__/version-manager.test.d.ts +0 -1
  203. package/dist/esm/__tests__/version-manager.test.js +0 -45
  204. package/dist/esm/__tests__/version-manager.test.js.map +0 -1
  205. package/dist/esm/app-review/app-review-manager.js.map +0 -1
  206. package/dist/esm/app-review/index.js.map +0 -1
  207. package/dist/esm/app-review/platform-review-handler.js.map +0 -1
  208. package/dist/esm/app-review/review-conditions-checker.js.map +0 -1
  209. package/dist/esm/app-review/review-rate-limiter.js.map +0 -1
  210. package/dist/esm/app-review/types.js.map +0 -1
  211. package/dist/esm/app-update/app-update-checker.js.map +0 -1
  212. package/dist/esm/app-update/app-update-installer.js.map +0 -1
  213. package/dist/esm/app-update/app-update-manager.js.map +0 -1
  214. package/dist/esm/app-update/app-update-notifier.js.map +0 -1
  215. package/dist/esm/app-update/index.js.map +0 -1
  216. package/dist/esm/app-update/platform-app-update.js.map +0 -1
  217. package/dist/esm/app-update/types.js.map +0 -1
  218. package/dist/esm/background-update/background-scheduler.js.map +0 -1
  219. package/dist/esm/background-update/index.js.map +0 -1
  220. package/dist/esm/background-update/notification-manager.js.map +0 -1
  221. package/dist/esm/config/support.js.map +0 -1
  222. package/dist/esm/core/analytics.js.map +0 -1
  223. package/dist/esm/core/cache-manager.js.map +0 -1
  224. package/dist/esm/core/config.js.map +0 -1
  225. package/dist/esm/core/errors.js.map +0 -1
  226. package/dist/esm/core/event-emitter.js.map +0 -1
  227. package/dist/esm/core/logger.js.map +0 -1
  228. package/dist/esm/core/performance.js.map +0 -1
  229. package/dist/esm/core/plugin-manager.js.map +0 -1
  230. package/dist/esm/core/security.js.map +0 -1
  231. package/dist/esm/definitions.js.map +0 -1
  232. package/dist/esm/firestore/firestore-client.d.ts +0 -109
  233. package/dist/esm/firestore/firestore-client.js +0 -264
  234. package/dist/esm/firestore/firestore-client.js.map +0 -1
  235. package/dist/esm/firestore/index.d.ts +0 -11
  236. package/dist/esm/firestore/index.js +0 -11
  237. package/dist/esm/firestore/index.js.map +0 -1
  238. package/dist/esm/firestore/manifest-reader.d.ts +0 -87
  239. package/dist/esm/firestore/manifest-reader.js +0 -294
  240. package/dist/esm/firestore/manifest-reader.js.map +0 -1
  241. package/dist/esm/firestore/schema.d.ts +0 -507
  242. package/dist/esm/firestore/schema.js +0 -73
  243. package/dist/esm/firestore/schema.js.map +0 -1
  244. package/dist/esm/index.js.map +0 -1
  245. package/dist/esm/live-update/bundle-manager.js.map +0 -1
  246. package/dist/esm/live-update/certificate-pinning.js.map +0 -1
  247. package/dist/esm/live-update/delta-processor.js.map +0 -1
  248. package/dist/esm/live-update/download-manager.js.map +0 -1
  249. package/dist/esm/live-update/rollout-checker.js.map +0 -1
  250. package/dist/esm/live-update/update-manager.js.map +0 -1
  251. package/dist/esm/live-update/version-manager.js.map +0 -1
  252. package/dist/esm/plugin.js.map +0 -1
  253. package/dist/esm/security/crypto.js.map +0 -1
  254. package/dist/esm/security/validator.js.map +0 -1
  255. package/dist/esm/web.js.map +0 -1
  256. package/dist/plugin.cjs.js.map +0 -1
  257. package/dist/plugin.esm.js.map +0 -1
  258. package/dist/plugin.js.map +0 -1
  259. package/docs/FIREBASE_INTEGRATION_TRACKER.md +0 -321
  260. package/docs/FIREBASE_QUERIES_AND_INDEXES_AUDIT.md +0 -221
  261. package/docs/examples/firebase-backend-example.md +0 -27
  262. package/docs/guides/no-cost-backend-implementation-plan.md +0 -77
  263. package/docs/guides/no-cost-firestore-google-drive-backend.md +0 -60
  264. package/docs/play-console-rejection-rules.json +0 -428
  265. /package/docs/{MARKETING_WEBSITE_PLAN.md → archive/MARKETING_WEBSITE_PLAN.md} +0 -0
@@ -0,0 +1,275 @@
1
+ # Production-Readiness Audit — native-update Monorepo
2
+
3
+ **Date:** 2026-05-08
4
+ **Auditor:** Claude Code (Opus 4.7, 1M context)
5
+ **Scope:** Whole monorepo (root plugin + cli + android + ios + backend + website + example-apps + docs)
6
+ **Method:** Six parallel scoped audit agents (plugin/native, website UI, SEO/AEO, backend, examples+roadmap, security/env). Findings cross-verified against source files before recording here.
7
+ **Companion files:**
8
+ - Batch plan: `docs/project-audit/BATCH-PLAN.md`
9
+ - Tracker (resumeable, 7-day cooldown): `docs/tracking/production-readiness-audit-tracker.json`
10
+
11
+ ---
12
+
13
+ ## Verdict
14
+
15
+ The monorepo is **~85% production-ready**. Three real npm-publish-blockers + several backend hardening gaps + per-page SEO content gaps are the main risks. No active secret exposure, no banned packages, no broken builds in the root plugin or website.
16
+
17
+ **Severity legend:** **B** = Blocker (must fix before next release / public push). **I** = Important (fix before production cutover). **N** = Nit / polish.
18
+
19
+ ---
20
+
21
+ ## 1. Banned-Package Phase 0 Check
22
+
23
+ `grep -nE "@capacitor-firebase/(crashlytics|performance)|@capawesome/capacitor-torch" package.json **/package.json` → **zero matches**. ✅ No bans violated.
24
+
25
+ ---
26
+
27
+ ## 2. Findings — Plugin Source / CLI / Native (root, src/, cli/, android/, ios/)
28
+
29
+ ### Blockers
30
+
31
+ - **B1 — `package.json` `files` array is missing `android/manifest-additions.xml`**
32
+ File: `package.json:13-26`. The file exists at `android/manifest-additions.xml` and is required at install-time by Capacitor's manifest merger. Without it in the npm package, downstream Android builds will be missing the additions block. **Fix:** add `"android/manifest-additions.xml"` to the `files` array.
33
+
34
+ - **B2 — `cli/commands/backend-create.js` ships placeholder TODOs in scaffolded backend templates**
35
+ File: `cli/commands/backend-create.js:144,176,177,290,309,310,493,494`. Eight `TODO` markers in Express/Vercel/Firebase scaffolding for: bundle lookup, file storage, DB save. The CLI generates these as ready-to-deploy code, but they are not. **Fix:** either (a) implement the missing logic and wire to `node-express` example as the canonical scaffold, or (b) prepend each generated file with a clear `// SCAFFOLD — implement before deploying` banner and document expected wiring.
36
+
37
+ - **B3 — `cli/commands/monitor.js` has unmanaged `setInterval` + spinner-leak on exit**
38
+ File: `cli/commands/monitor.js:14-62`. `setInterval` fires every 5s with an async callback; failures stack indefinitely. `ora` spinner is started but never stopped on exit/failure — terminal is left in undefined state. **Fix:** capture interval ID, install `SIGINT`/`SIGTERM` handlers that `clearInterval` + `spinner.stop()`; bail the loop on consecutive failures.
39
+
40
+ ### Important
41
+
42
+ - **I1 — Direct `console.*` in plugin source (violates centralized-logger convention)**
43
+ Files: `src/web.ts` (18 calls), `src/core/event-emitter.ts:52`. Plugin already has a `Logger` singleton; security paths (checksum, signature) and event-emitter error path bypass it. **Fix:** replace `console.{warn,error,log}` with `Logger.{warn,error,info}` everywhere outside the logger module itself. Note: this is the *plugin's* logger, separate from website logger.
44
+
45
+ - **I2 — `ios/Plugin/NativeUpdatePlugin.swift:72-75` calls `disableBackgroundUpdatesInternal()` to bypass inaccessible Capacitor SDK constructors**
46
+ Workaround for SDK API surface, fragile if the SDK changes. **Fix:** add a `// CAPACITOR-SDK-WORKAROUND:` comment block referencing the SDK version this assumes, and a `// TODO: revisit on Capacitor 8.x update` line so future bumps don't silently break.
47
+
48
+ - **I3 — `cli/commands/backend-create.js` file-list completeness vs `node-express` template**
49
+ Several runtime concerns (signature verify, rollout cohort logic, channel filtering) live in docs only, not in the scaffold. **Fix (low-risk):** ensure `cli/templates/express/` mirrors `example-apps/node-express/` structure 1:1 so users get a working scaffold by default.
50
+
51
+ ### Nits
52
+
53
+ - **N1 — `rollup.config.js:61,63` duplicate `comments` key in terser format**
54
+ Line 63 silently overrides line 61. Functional but a typo. **Fix:** delete the earlier line.
55
+
56
+ ### State-vs-claim notes
57
+
58
+ - All 28+ public methods in `src/definitions.ts` have matching implementations in `src/web.ts`, `ios/Plugin/`, `android/src/main/`. **API parity ✓**.
59
+ - HTTPS enforcement, SHA-256 checksum + RSA/ECDSA signature paths are well-implemented and fail-closed. **Crypto correct ✓**.
60
+ - TypeScript `strict: true`, Vitest 89/89 green. **Build clean ✓**.
61
+
62
+ ---
63
+
64
+ ## 3. Findings — Website (`website/`)
65
+
66
+ ### Blockers
67
+
68
+ None. `yarn typecheck` + `yarn build` complete cleanly; sitemap + postbuild SEO HTML generation succeed across all 16 routes.
69
+
70
+ ### Important
71
+
72
+ - **I4 — Custom `Dialog.tsx` lacks key a11y primitives**
73
+ File: `website/src/components/ui/Dialog.tsx`. Missing `role="dialog"` + `aria-modal="true"` on `DialogContent`, no ESC-key handler on overlay, no focus restore on close, no focus trap. **Fix:** either migrate to `@radix-ui/react-dialog` (already a transitive dep via other Radix primitives in package.json) — strongly recommended per project's Radix-first rule — or harden the custom one with `aria-labelledby`, ESC handler, focus trap, focus restore.
74
+
75
+ - **I5 — Dashboard dialog state held in `useState` instead of URL search params (violates URL-State-Preservation rule)**
76
+ File: `website/src/pages/dashboard/AppsPage.tsx:50,55`. `deleteDialog` and `formDialog` open-state both in `useState`. Refresh closes them — wrong UX. **Fix:** convert to `?deleteId=ID` and `?formMode=create|edit&appId=ID` per project rule. Audit all other dashboard pages for the same pattern.
77
+
78
+ - **I6 — TanStack Query: per-page `staleTime` overrides not audited**
79
+ Global default in `App.tsx` is 30s + `gcTime: 5m`. Spot-check individual `useQuery` sites in `src/hooks/` and `src/pages/dashboard/` for ad-hoc overrides that disable cache. **Fix:** sweep, document the project-wide cache contract, set `queryKey` factories per resource (already mostly done).
80
+
81
+ ### Nits
82
+
83
+ - BootLoader present (✓), 7-option Theme Customizer present (✓), URL state hooks present (`useUrlState.ts`-style), 47 aria-* attributes across components.
84
+ - `vite-env.d.ts` is minimal (only `__APP_VERSION__`) — env types are validated through `src/config/env.ts` `getMissingRequiredEnv()` at boot. ✓.
85
+
86
+ ---
87
+
88
+ ## 4. Findings — SEO / AEO / AIO (`website/`)
89
+
90
+ Today is 2026-05-08; last full SEO pass was 2026-04-24 (14 days ago — within commit-delta gate window).
91
+
92
+ ### Blockers
93
+
94
+ None on infrastructure — robots.txt allows GPTBot/ClaudeBot/PerplexityBot/Google-Extended/Bingbot/etc., sitemap.xml + feed.xml + llms.txt + llms-full.txt + ai.txt + humans.txt + security.txt all present.
95
+
96
+ ### Important
97
+
98
+ - **I7 — Per-page-uniqueness floor not met on three core marketing pages**
99
+ Files: `website/src/pages/FeaturesPage.tsx` (~150 words, 0 FAQ, 0 use cases, 0 HowTo), `website/src/pages/AboutPage.tsx` (~400 words, 0 FAQ), `website/src/pages/PricingPage.tsx` (~100 words, 0 FAQ). Global rule (`~/.claude/rules/seo-aeo-ranking.md` §2) requires ≥1000 unique words + 5–8 FAQ + 3–5 use cases + 4–6 HowTo steps + 2–3 examples + 3–6 tips + author + lastUpdated per page. **Fix:** rewrite via `ai-seo` + `copywriting` skills; treat as one batch, not per-page commits.
100
+
101
+ - **I8 — `pricing.md` machine-readable file missing at site root**
102
+ Global rule §5 requires `/pricing.md` for AI buying agents when paid tiers exist. Project has Free + Pro + Enterprise (PayPal plans referenced in backend/.env.example). **Fix:** create `website/public/pricing.md` with tiers, limits, features, FAQ in plain markdown.
103
+
104
+ - **I9 — `feed.xml` `<lastBuildDate>` lags actual build**
105
+ Generator emits a stale date instead of `new Date().toUTCString()` at run time. **Fix:** in `website/scripts/generate-sitemap.mjs` (or wherever feed is emitted), replace literal date with runtime stamp; ensure sitemap `<lastmod>` does the same.
106
+
107
+ ### Nits
108
+
109
+ - **N2 — Docs sub-routes (`/docs/*`) lack per-route static prerender** — they rely on runtime SEO + Googlebot JS rendering; AI crawlers may not render JS. Tracked in `seo-url-coverage.json` already as a known issue. **Fix (later):** extend `postbuild-seo.ts` to walk `public/package-docs/` and emit `dist/docs/<slug>/index.html`.
110
+ - **N3 — `og:image` is the same `/og-image.svg` site-wide.** Per-page OG images would lift social sharing. Defer.
111
+ - All discovery-file dates timestamped 2026-05-02 (6 days old — within 14-day spec, refresh on next batch commit).
112
+
113
+ ---
114
+
115
+ ## 5. Findings — Backend (Laravel 11 + Nova 5, `backend/`)
116
+
117
+ ### Blockers
118
+
119
+ - **B4 — Nova resources lack policy-backed authorization gates**
120
+ Files: `backend/app/Nova/*.php` (User, App, Build, ApiKey, SigningKey). Missing `canViewAny()`, `canCreate()`, `canUpdate()`, `canDelete()` guards backed by App\Policies. **Fix:** add per-Resource policies + register in `AuthServiceProvider`; reject non-admin / non-owner access on each verb.
121
+
122
+ - **B5 — No Feature test for the bundle-upload + signature-verify flow**
123
+ Folder: `backend/tests/Feature/`. The most security-critical endpoint (build upload) has no test for: signature verify, monotonic version enforcement, channel scoping, duplicate detection, chunk merging. **Fix:** add `tests/Feature/Build/BundleUploadTest.php` covering the full path.
124
+
125
+ - **B6 — `backend/.env` (local) has `APP_DEBUG=true` + `LOG_LEVEL=debug`** *(documentation gap, not active leak)*
126
+ This is correct for local dev, BUT no deployment runbook documents flipping these for production. `.env.example` correctly defaults to `APP_DEBUG=false`/`LOG_LEVEL=warning`. **Fix:** add `backend/docs/DEPLOYMENT-CHECKLIST.md` listing `APP_DEBUG=false`, `LOG_LEVEL=warning`, `APP_ENV=production`, `php artisan config:cache`, `migrate --force`, `composer install --no-dev`, queue worker daemonization.
127
+
128
+ ### Important
129
+
130
+ - **I10 — `ValidateFirebaseToken` middleware auto-creates User on first valid token**
131
+ File: `backend/app/Http/Middleware/ValidateFirebaseToken.php:41-48`. `firstOrCreate` is open-signup; fine for free tier, risky for invite-only / enterprise. **Fix:** keep open by default but document; add config flag `auth.firebase.auto_create=true|false`.
132
+
133
+ - **I11 — Controllers validate inline; no FormRequest classes**
134
+ Files: `backend/app/Http/Controllers/Dashboard/*.php`. Reduces reuse + makes policy gating awkward. **Fix:** extract validators into `app/Http/Requests/*Request.php`; use `$this->authorize()` from inside the request.
135
+
136
+ - **I12 — Nova User admin panels (Suspend, License, Custom Limits) lack `canSee` gates**
137
+ File: `backend/app/Nova/User.php:64-65`. Any Nova-authenticated user could touch admin fields. **Fix:** wrap with `Panel::make(...)->canSee(fn ($req) => $req->user()->isAdmin())`.
138
+
139
+ - **I13 — No `config/cors.php` — relies on Laravel default**
140
+ Production must lock origins to `nativeupdate.aoneahsan.com` (and dashboard host). **Fix:** publish CORS config, set `paths` → `['api/*']`, `allowed_origins` → explicit list, `supports_credentials` → true.
141
+
142
+ - **I14 — License-check tests missing**
143
+ `User::hasValidLicense()` and license-expiry enforcement on API endpoints are not exercised by tests. **Fix:** add Feature test wrapping a paid-tier endpoint.
144
+
145
+ - **I15 — PayPal webhook CSRF status not explicit**
146
+ File: `backend/routes/api.php:155-156`. Confirm webhook is in CSRF exception list (Laravel 11 default API routes are CSRF-exempt because they're stateless, but document this and add test).
147
+
148
+ ### Nits
149
+
150
+ - **N4 — `CACHE_STORE=database` in `.env.example`** — fine for boot, but Redis is recommended for production rate-limiting performance. Add a `# Recommended for production: CACHE_STORE=redis` comment.
151
+ - **N5 — `QUEUE_CONNECTION=database`** — requires `php artisan queue:work` daemon. Document in deployment checklist.
152
+
153
+ ### Notes
154
+
155
+ - All models use `$fillable` (not `$guarded`); secrets (`password`, `google_drive_token`, `key_hash`) are in `$hidden`. ✓
156
+ - Migration timestamps clean, no out-of-order. ✓
157
+ - File storage uses FilesHub via `FilesHubService` (no AWS S3 hardcoded). ✓
158
+ - `composer.lock` present + reproducible. ✓
159
+ - `.env.example` has [REQUIRED] tags on most blocks. Some PayPal/Google sub-vars could use a one-line reason each (minor).
160
+
161
+ ---
162
+
163
+ ## 6. Findings — Example Apps (`example-apps/`)
164
+
165
+ ### Blockers
166
+
167
+ - **B7 — `example-apps/react-capacitor` `yarn build` fails (lockfile / workspace ref unresolved)**
168
+ Error: "This package doesn't seem to be present in your lockfile". Yarn 4 + workspace pointer `"native-update": "file:../.."` not registered in root lockfile. **Fix:** run `yarn install` at root with the example workspaces included; verify root `package.json` declares workspaces (it currently does NOT — example-apps live as ad-hoc projects). Either declare workspaces or document that `cd example-apps/react-capacitor && yarn install` is required separately.
169
+
170
+ - **B8 — Stale `firebase-backend/` references in `example-apps/react-capacitor/README.md`**
171
+ Lines: `14`, `101`, `210`. `firebase-backend` was deleted in v3.0.0 but README still recommends it as an option. **Fix:** delete those lines / replace with `node-express` only.
172
+
173
+ ### Important
174
+
175
+ - **I16 — `react-capacitor` example demos only `checkForUpdate()`**
176
+ File: `example-apps/react-capacitor/src/App.tsx:1-72`. v3 plugin has 28+ public methods; example covers ~5%. **Fix (incremental):** add tabs/sections demonstrating: `downloadUpdate`, `applyUpdate`, app-update check, app-review prompt, background-update toggle, signature verification of a downloaded bundle. One section per method; gated by feature-flag if Android/iOS-only.
177
+
178
+ - **I17 — `react-capacitor` pinned to React 18 while `website/` is React 19**
179
+ Files: `example-apps/react-capacitor/package.json:20`. **Fix:** decide intent. Either bump to 19 to track current website + plugin tests, or add a comment in README declaring 18 is the "stable downstream" target.
180
+
181
+ ### Notes
182
+
183
+ - `node-express` correctly implements the v3 HTTP-only backend contract. ✓
184
+ - `node_modules` of `react-capacitor` contains stale `native-update@1.3.1` tarball — harmless but worth cleaning on next install.
185
+
186
+ ---
187
+
188
+ ## 7. Findings — Security / Secrets / Env (cross-cutting)
189
+
190
+ ### Critical
191
+
192
+ None. `yarn npm audit --severity high --recursive` → "No audit suggestions". No hardcoded secrets in source (only in non-public-checked-in `.env` files; root `.gitignore` declares the repo as private with intentional .env-in-git policy — mirror this in any future public split).
193
+
194
+ ### High
195
+
196
+ - **H1 — Backend has no `config/cors.php`** (duplicates I13). Must lock origins before public deploy.
197
+ - **H2 — Repo is private with `.env` in git.** If repo ever flips public, immediately add `*.env`, `*.env.local`, `*.env.production`, `backend/storage/firebase-credentials.json`, `android/keystores/` to `.gitignore` and rotate every committed secret. **Fix (preventive):** add `docs/SECURITY-IF-REPO-PUBLIC.md` runbook so this isn't forgotten under pressure.
198
+
199
+ ### Medium
200
+
201
+ - **M1 — `backend/.env.example` `[REQUIRED]` reason comments** — present on FilesHub/Firebase/Google/PayPal blocks (✓). Minor: each *individual sub-var* (e.g. `PAYPAL_LIVE_APP_ID`) could use a one-line "where to find it" note for first-time deployers.
202
+ - **M2 — `website/.env.example` missing two optional docs-snippet vars** that exist in `ConfigPage.tsx`: `VITE_NATIVE_UPDATE_PUBLIC_BACKEND_URL`, `VITE_NATIVE_UPDATE_API_KEY`, `VITE_NATIVE_UPDATE_PUBLIC_KEY`. **Fix:** add as `[OPTIONAL]` rows.
203
+
204
+ ### Notes
205
+
206
+ - Firebase Web API keys (in website/.env) are PUBLIC by design — not a leak.
207
+ - Auth tokens stored only in Firebase SDK in-memory — no localStorage leak.
208
+ - `firestore.rules` properly tiered (auth-required + admin-via-custom-claim, with public read only on `/manifests/{id}` which is intentional).
209
+ - LICENSE present (MIT) and consistent. ✓
210
+ - Capacitor `appId` stable: `com.aoneahsan.nativeupdate`. ✓
211
+ - No keystores committed (`android/keystores/` does not exist yet). ✓
212
+
213
+ ---
214
+
215
+ ## 8. Roadmap Delta (Planned Features Not Yet Done — Practical-for-Release)
216
+
217
+ Mined from `docs/REMAINING_FEATURES.md`, `docs/ROADMAP.md`, `docs/PROJECT_COMPLETION_TRACKER.md`, `docs/MARKETING_WEBSITE_TRACKER.md`, `docs/plans/`, `docs/features/laravel-nova-backend/IMPLEMENTATION-PLAN.md`.
218
+
219
+ ### Practical for v3.x release (this audit will tackle in batches)
220
+
221
+ - **R1** — Performance benchmarking suite scaffold (placeholder exists; needed for SaaS credibility claims).
222
+ - **R2** — Pre-launch security pen-test checklist (light: dependency scan + manual review; not a paid pentest).
223
+ - **R3** — CI/CD integration templates (GitHub Actions): release workflow for the npm plugin + bundle-create + sign + upload step.
224
+ - **R4** — Expand `react-capacitor` example coverage (also tracked as I16 above).
225
+ - **R5** — Marketing-website tracker: 50+ items still `[ ]` in `docs/MARKETING_WEBSITE_TRACKER.md`. Filter for ones that are actually rendered on live pages but unfinished (e.g. screenshots, code-snippet copy refresh, dashboard onboarding flow polish).
226
+
227
+ ### Defer to v3.1+ (not blocking release)
228
+
229
+ - A/B testing support
230
+ - Staged rollouts with percentage targeting (DB schema exists in backend; UI/CLI surfaces incomplete)
231
+ - Geographic targeting
232
+ - Update scheduling
233
+ - Delta-update WASM optimization
234
+ - Multi-tenant SaaS, enterprise SSO, SLA monitoring
235
+ - Vue / Angular / Svelte / Python / Java example apps
236
+ - Video tutorials, community plugins directory
237
+
238
+ ---
239
+
240
+ ## 9. Verification Commands
241
+
242
+ After each batch, run from repo root:
243
+
244
+ ```bash
245
+ # Plugin
246
+ yarn lint
247
+ yarn typecheck # alias for `yarn tsc`
248
+ yarn build
249
+ yarn test:run
250
+
251
+ # Website
252
+ cd website && yarn typecheck && yarn lint && yarn build && cd ..
253
+
254
+ # Backend (Laravel)
255
+ cd backend && composer install --no-interaction && php artisan test && cd ..
256
+
257
+ # Cross-cutting
258
+ grep -rEn "TODO|FIXME" src/ cli/ website/src/ backend/app/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.php" | wc -l # track count down over batches
259
+ yarn npm audit --severity high --recursive
260
+ ```
261
+
262
+ ---
263
+
264
+ ## 10. Total Issue Count
265
+
266
+ | Severity | Plugin | Website | SEO | Backend | Examples | Security | Roadmap | **Total** |
267
+ |---|---|---|---|---|---|---|---|---|
268
+ | Blocker | 3 | 0 | 0 | 3 | 2 | 0 | 0 | **8** |
269
+ | Important | 3 | 3 | 3 | 6 | 2 | 0 | 0 | **17** |
270
+ | Nit | 1 | 0 | 2 | 2 | 0 | 0 | 0 | **5** |
271
+ | Sec High | — | — | — | — | — | 2 | — | **2** |
272
+ | Sec Med | — | — | — | — | — | 2 | — | **2** |
273
+ | Roadmap | — | — | — | — | — | — | 5 | **5** |
274
+
275
+ Grand total: **39 actionable items** across the audit + 5 roadmap items. See `BATCH-PLAN.md` for the execution plan.
@@ -0,0 +1,60 @@
1
+ {
2
+ "$schema": "project-finalization-tracker",
3
+ "description": "Resumable production-finalization tracker for native-update (Capacitor OTA plugin + Laravel/Nova SaaS backend + React marketing site/dashboard + CLI + Docusaurus docs site). The first phase/sub-task with status 'pending' or 'in_progress' is the next thing to work on.",
4
+ "project": "native-update",
5
+ "type": "capacitor-plugin-monorepo + saas-backend + marketing-website + cli + docs-site",
6
+ "repo": "github.com/aoneahsan/native-update (PRIVATE)",
7
+ "docsRepo": "github.com/aoneahsan/native-update-docs (PRIVATE)",
8
+ "npm": "native-update@3.1.0 (published)",
9
+ "homepage": "https://nativeupdate.aoneahsan.com",
10
+ "createdAt": "2026-06-22",
11
+ "lastUpdated": "2026-07-02",
12
+ "readiness": 99,
13
+ "stackOverride": {
14
+ "note": "The fleet finalization spec assumes a Firestore + Google Drive website backend. native-update DELIBERATELY chose a Laravel 13 + Nova 5 + MySQL + Google Drive backend (v3.0.0+). Per the Per-Project Stack Override rule, the project's chosen stack wins. Zero-cost / no-Firebase-Functions still honored: this project's own backend uses NO Firebase Functions/Storage (the CLI's firebase-functions strings live only inside a user-choice backend-template GENERATOR).",
15
+ "websiteBackend": "Laravel 13 + Nova 5 + MySQL + Google Drive (NOT Firestore)",
16
+ "auth": "Laravel Socialite (Google OAuth) + Sanctum tokens + spatie/laravel-permission RBAC (Firebase Auth removed in v3.0.0)"
17
+ },
18
+ "verifyGates": {
19
+ "pluginBuild": "yarn build -> 0 errors (clean + tsc + rollup, ~4s)",
20
+ "pluginTypecheck": "yarn tsc --noEmit -> 0 errors",
21
+ "pluginLint": "yarn lint -> 0 warnings",
22
+ "websiteTypecheck": "yarn typecheck (tsc -b) -> 0 errors",
23
+ "websiteBuild": "yarn build -> 0 errors (61-URL sitemap + feed + 16 SEO routes + 9 discovery files)",
24
+ "websiteLint": "yarn lint -> 0 warnings",
25
+ "docsBuild": "native-update-docs: yarn build (Docusaurus) -> see runHistory",
26
+ "verifiedAt": "2026-06-22"
27
+ },
28
+ "phases": [
29
+ { "id": "phase0", "title": "Setup: skills, remote/branch, read scope, scaffold tracker + MANUAL-TASKS, refresh CLAUDE/AGENTS", "status": "complete", "completedAt": "2026-06-22" },
30
+ { "id": "phase1", "title": "Privacy gate + env/secret audit (repo PRIVATE; force-add git-ignored env; never keystores)", "status": "complete", "completedAt": "2026-06-22",
31
+ "subTasks": [
32
+ { "id": "phase1.1", "title": "gh repo view: main + docs repos confirmed PRIVATE", "status": "complete" },
33
+ { "id": "phase1.2", "title": "Force-add git-ignored backend/.env + website/.env (private repo; root .gitignore documents team-access intent; never published to npm via files[])", "status": "complete" },
34
+ { "id": "phase1.3", "title": "No keystores in tree; none added", "status": "complete" }
35
+ ] },
36
+ { "id": "phase2", "title": "Gap audit: real code vs intended scope + docs promises", "status": "complete", "completedAt": "2026-06-22",
37
+ "subTasks": [
38
+ { "id": "phase2.1", "title": "Plugin src/ TODO/stub scan: clean (3 false positives — field names + a docstring)", "status": "complete" },
39
+ { "id": "phase2.2", "title": "CLI scaffolding TODO[SCAFFOLD-IMPLEMENT-BEFORE-DEPLOY] markers are INTENTIONAL generated-template placeholders (BACKEND_TEMPLATES_GUIDE.md) — by design, not a gap", "status": "complete" },
40
+ { "id": "phase2.3", "title": "Website console.* hits are inside documentation code-example strings, not real logging; no innerHTML in new code", "status": "complete" }
41
+ ] },
42
+ { "id": "phase3", "title": "Build automatable gaps", "status": "complete", "completedAt": "2026-06-22",
43
+ "note": "No automatable code gaps found. The project is genuinely production-complete (v3.1.0 on npm, 134 backend PHPUnit tests, complete iOS/Android/CLI/website/backend/docs). The only real fix was doc-drift: REMAINING_FEATURES.md item #5 (DocsPage.tsx 1406-line refactor) was already done (now 166 lines + docs-page/sections/)." },
44
+ { "id": "phaseD", "title": "Verify/finish native-update-docs (Docusaurus, sibling repo)", "status": "complete", "completedAt": "2026-06-22" },
45
+ { "id": "phaseN1", "title": "Manual-task consolidation (npm publish, deploys, device verify, backend DB/test verify)", "status": "complete", "completedAt": "2026-06-22" },
46
+ { "id": "phaseN2", "title": "Finalize: final verify gates + tracker + git in-sync (both repos)", "status": "complete", "completedAt": "2026-06-22" }
47
+ ],
48
+ "gapInventory": [
49
+ { "id": "G1", "title": "Delta-update WASM (bsdiff/bspatch) optimization", "classification": "ROADMAP-OPTIONAL", "status": "deferred", "note": "delta-processor.ts already ships a working JS-level file-patching strategy; WASM is a performance enhancement, not a missing feature. Documented in REMAINING_FEATURES.md." },
50
+ { "id": "G2", "title": "A/B testing, calendar update scheduling, geographic targeting", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "Large speculative features the user has not scoped. Percentage rollouts + pause/resume + targetSegments already shipped on the builds table." },
51
+ { "id": "G3", "title": "Additional framework example apps (Vue / Angular / Svelte / Python / Java)", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "React+Capacitor and Node/Express examples already ship. Which (if any) to add next is a product decision." },
52
+ { "id": "G4", "title": "Enterprise: multi-tenant/org accounts, SAML/OIDC SSO, white-label branding, audit-log UI", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "Roadmap; current model is single-user. Raw audit events already persist via analytics_events + Nova." },
53
+ { "id": "G5", "title": "website page components marginally over 500-line soft guideline (FeaturesPage 578, ExamplesPage 523, AnalyticsPage 519)", "classification": "COSMETIC-OPTIONAL", "status": "deferred", "note": "500 lines is a soft guideline; these are cohesive content-heavy single pages that build clean. Not a finalization blocker." }
54
+ ],
55
+ "runHistory": [
56
+ { "date": "2026-06-22", "phase": "all", "summary": "Owner-agent finalization pass. Verified package (build/tsc/lint = 0), website (typecheck/build/lint = 0; 61-URL sitemap + 16 SEO routes), and docs site build. Confirmed both repos PRIVATE; force-added git-ignored backend/.env + website/.env (never published to npm). Plugin/native/CLI/backend genuinely complete; no automatable code gaps. Fixed stale REMAINING_FEATURES.md DocsPage item. Scaffolded this tracker; refreshed CLAUDE.md/AGENTS.md + MANUAL-TASKS + sitemap/feed lastmod to 2026-06-22.", "commit": "pending" },
57
+ { "date": "2026-07-02", "phase": "v3.1.0-release", "summary": "v3.1.0 audit + optimize + release session (Fable 5 plan + Opus 4.8 execution). Plugin: package.json exports map, web.ts validateUpdate reuses downloaded bytes (no double download), 10 dead comment lines removed, cli 3.1.0. Website: HomePage LazyMotion (framer-motion off first-paint), .env.production (prod backend URL always baked), root firebase.json consolidated w/ cache headers (website/firebase.json+.firebaserc deleted), 9 dead Firebase-era env keys removed. Backend: update-check writes deferred to dispatch()->afterResponse(), App::getLatestBuildForChannel cached 45s w/ Build model-event invalidation, additive covering index builds(app_id,channel,status,created_at), analytics:cleanup now prunes analytics_events, CORS supports_credentials=false, 2 scaffold ExampleTests removed (134 PHPUnit pass). Docs: CHANGELOG + RELEASE-NOTES 3.1.0, Laravel-11->13 / Pest->PHPUnit / api-host drift fixed, HOSTINGER deploy notes refreshed (PHP>=8.3, scheduler required, v3.1.0 migration, X-Sendfile note). Released: npm publish native-update@3.1.0 + firebase deploy website. INCIDENT: live backend https://nativeupdatebe.aoneahsan.com returns HTTP 500 on all routes (pre-existing, deploy-side — flagged as MANUAL-TASKS row 1, likely PHP<8.3). Deferred: native streaming-hash perf, file splits, X-Sendfile impl, docs-site deploy.", "commit": "pending" }
58
+ ],
59
+ "resumeInstructions": "1) Read this tracker. 2) All phases complete. 3) If re-run: confirm verify gates still pass, check whether the user has scoped any gapInventory ROADMAP/PRODUCT-DECISION item, and update lastUpdated. NEVER auto-build the deferred product-decision features without the user scoping them."
60
+ }
@@ -0,0 +1,227 @@
1
+ # Native Update System Overview
2
+
3
+ ## Metadata
4
+
5
+ - **Reference Date:** 2026-05-18
6
+ - **Last Updated:** 2026-05-18
7
+
8
+ ## Project Identity
9
+
10
+ - **Name:** Native Update
11
+ - **Package:** `native-update`
12
+ - **Type:** Open-source Capacitor plugin plus self-hostable update management platform
13
+ - **Primary Creator:** Ahsan Mahmood
14
+ - **Primary Contact:** aoneahsan@gmail.com
15
+ - **License:** MIT
16
+
17
+ ## Core Mission
18
+
19
+ Native Update exists to reduce the operational complexity of shipping updates in Capacitor apps. It unifies OTA updates, native app update flows, in-app reviews, release manifests, rollout controls, and management tooling into one ecosystem.
20
+
21
+ ## Core Product Layers
22
+
23
+ ### 1. Plugin Layer
24
+
25
+ The plugin provides the runtime capabilities inside a Capacitor app:
26
+
27
+ - OTA/live update checks and bundle handling
28
+ - app update checks and prompts
29
+ - in-app review requests
30
+ - background update scheduling
31
+ - security validation logic (SHA-256 checksums + RSA-SHA256 signatures)
32
+ - HTTP-based manifest reading from any user-controlled backend
33
+
34
+ ### 2. Dashboard Layer
35
+
36
+ The website provides a management surface for:
37
+
38
+ - user auth (Google OAuth via Laravel Socialite + Sanctum bearer tokens)
39
+ - app creation and app management
40
+ - build uploads (browser → Laravel → Google Drive)
41
+ - rollout visibility and control
42
+ - analytics review
43
+ - Google Drive connection and storage management
44
+ - configuration generation
45
+ - admin-only oversight pages (Spatie permission-gated)
46
+
47
+ ### 3. Docs Layer
48
+
49
+ The docs explain:
50
+
51
+ - installation and setup
52
+ - features and APIs
53
+ - examples and advanced scenarios
54
+ - security, deployment, testing, and troubleshooting
55
+ - migration from other approaches (CodePush, Capacitor Live Updates)
56
+ - planning, tracking, roadmap, audit, and report history
57
+
58
+ In addition to the in-repo `/docs` folder, a public Docusaurus site lives at the sibling repo `native-update-docs` and is deployed to Firebase Hosting (hosting-only — no Firebase backend).
59
+
60
+ ### 4. Tooling Layer
61
+
62
+ The project includes:
63
+
64
+ - CLI commands (`init`, `bundle-create`, `bundle-sign`, `bundle-verify`, `keys-generate`, `backend-create`, `server-start`, `monitor`)
65
+ - bundle creation/signing/verification utilities
66
+ - backend scaffolding templates
67
+ - local development server
68
+
69
+ ## What The Product Solves
70
+
71
+ Capacitor teams often need several disconnected systems to handle:
72
+
73
+ - web asset updates
74
+ - store version upgrades
75
+ - review prompts
76
+ - release rollout control
77
+ - security verification
78
+ - app/build administration
79
+
80
+ Native Update consolidates those concerns into one project with a common mental model.
81
+
82
+ ## Main Feature Areas
83
+
84
+ ### Live / OTA Updates
85
+
86
+ - Deliver JavaScript, HTML, and CSS changes without app store review
87
+ - Support update channels (production / staging / development)
88
+ - Manage version checks and bundle downloads
89
+ - Support checksum and signature validation
90
+ - Enable rollback-aware update flows
91
+ - Support delta patch concepts and file manifests
92
+
93
+ ### Native App Updates
94
+
95
+ - Check for newer native binary versions
96
+ - Support immediate and flexible update strategies
97
+ - Integrate with Android Play Core update + iOS App Store update behavior
98
+
99
+ ### In-App Reviews
100
+
101
+ - Request native reviews via Play Review API + StoreKit `SKStoreReviewController`
102
+ - respect timing/rate limiting logic
103
+ - support user-experience-aware prompting
104
+
105
+ ### Background Updates
106
+
107
+ - Schedule checks while app is not active (Android WorkManager, iOS BGTaskScheduler)
108
+ - support native notification behavior
109
+ - provide background configuration hooks
110
+
111
+ ### Security
112
+
113
+ - RSA-SHA256 signing of bundles
114
+ - SHA-256 checksum verification
115
+ - HTTPS-first posture
116
+ - certificate pinning support
117
+ - validation helpers
118
+ - fail-closed on integrity violations
119
+
120
+ ### Release Operations
121
+
122
+ - upload build ZIPs through the dashboard
123
+ - generate file manifests
124
+ - publish app-facing manifests
125
+ - configure rollout percentages
126
+ - manage app/channel/build metadata via Nova admin or REST API
127
+
128
+ ## Current Product Surfaces
129
+
130
+ ### Public Website
131
+
132
+ - `/`
133
+ - `/features`
134
+ - `/pricing`
135
+ - `/docs`
136
+ - `/docs/*`
137
+ - `/examples`
138
+ - `/about`
139
+ - `/contact`
140
+ - `/privacy`
141
+ - `/terms`
142
+ - `/data-deletion`
143
+ - `/cookies`
144
+ - `/security`
145
+ - `/sitemap`
146
+ - `/feed`
147
+
148
+ ### Auth Pages
149
+
150
+ - `/login` (Google sign-in via Laravel Socialite redirect)
151
+ - `/signup` (same flow as `/login`; account is created on first callback)
152
+ - `/auth/callback` (SPA receives the Sanctum token from the Laravel OAuth callback)
153
+
154
+ ### Protected Dashboard
155
+
156
+ - `/dashboard`
157
+ - `/dashboard/apps`
158
+ - `/dashboard/apps/:appId`
159
+ - `/dashboard/builds`
160
+ - `/dashboard/builds/:buildId`
161
+ - `/dashboard/upload`
162
+ - `/dashboard/drive`
163
+ - `/dashboard/config`
164
+ - `/dashboard/settings`
165
+ - `/dashboard/rollouts`
166
+ - `/dashboard/analytics`
167
+
168
+ ### Admin Area
169
+
170
+ - `/admin`
171
+ - `/admin/users`
172
+ - `/admin/apps`
173
+ - `/admin/builds`
174
+ - Laravel Nova admin lives at `/nova` on the backend host (separate UI; same MySQL store)
175
+
176
+ ## User Types
177
+
178
+ ### Public Visitor
179
+
180
+ Can browse marketing, docs, legal, contact, sitemap, and feed pages.
181
+
182
+ ### Authenticated User
183
+
184
+ Holds a Sanctum personal access token, has a row in the MySQL `users` table keyed by `google_id`, and the `user` role from `spatie/laravel-permission`. Can manage their own apps, builds, Drive connection, settings, and release operations.
185
+
186
+ ### Admin User
187
+
188
+ A signed-in user assigned the `admin` or `super-admin` role in MySQL via `spatie/laravel-permission`. Super-admins bypass all `can:` middleware checks via a `Gate::before` hook. Admin assignment happens via `php artisan native-update:role-assign <email> <role>` or automatically when the email is in the `ADMIN_EMAILS` env list.
189
+
190
+ ### Mobile App Client
191
+
192
+ Not a dashboard user, but an app-side runtime consumer of manifests, update metadata, and plugin APIs. Authenticates with the mobile API plane via a per-app API key (separate from Sanctum).
193
+
194
+ ### Developer / Maintainer
195
+
196
+ Works in the codebase, docs, CLI, native code, example apps, and release infrastructure.
197
+
198
+ ## Access Model
199
+
200
+ - Public routes are open.
201
+ - Dashboard routes are wrapped by `ProtectedRoute` on the SPA AND protected by `auth:sanctum` middleware on every Laravel `/api/dashboard/*` route.
202
+ - Admin routes are wrapped by `AdminRoute` on the SPA AND protected by `can:<permission>` middleware on every Laravel `/api/admin/*` route.
203
+ - Google sign-in (via Laravel Socialite) is the only auth flow.
204
+ - Admin privilege comes from Spatie role assignment, not a `users.is_admin` boolean.
205
+
206
+ ## Product Positioning Notes
207
+
208
+ - The repo positions Native Update as more than a plugin; it is a platform direction.
209
+ - The website presents a complete update solution with dashboard and docs.
210
+ - The repo also contains older historical docs from pre-production phases. These should be treated as timeline artifacts, not always the newest truth.
211
+ - All mentions of "Firebase Auth", "Firestore", or "Firebase backend" in older docs are historical — the architecture switched to Laravel + Sanctum on 2026-05-11.
212
+
213
+ ## Recommended Decision Assumptions For AI Tools
214
+
215
+ - Treat the project as a cross-platform mobile infrastructure product.
216
+ - Treat the website as both a marketing site and operations dashboard.
217
+ - Treat the Laravel backend at `backend/` as the canonical persistence + auth layer for the dashboard.
218
+ - Treat Google Drive as the canonical storage destination for uploaded bundle ZIPs; tokens are encrypted server-side by Laravel.
219
+ - Treat the dashboard as owner/operator tooling, not end-user mobile UI.
220
+ - Treat security, rollout control, and documentation quality as important project values.
221
+
222
+ ## Important Known Context
223
+
224
+ - The project contains current docs plus historical reports and planning files.
225
+ - Some documents disagree on production readiness because they were written at different times.
226
+ - For technical state, prefer current source code, route definitions, type definitions, package files, and newer roadmap/report files.
227
+ - The "no-cost Firestore + Google Drive backend" architecture was deliberately abandoned in v3.0.0 (2026-05-04). Any document still describing it is historical-only.