native-update 2.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (258) hide show
  1. package/Readme.md +28 -14
  2. package/android/manifest-additions.xml +28 -0
  3. package/android/src/main/AndroidManifest.xml +3 -7
  4. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundNotificationManager.kt +21 -13
  5. package/android/src/main/java/com/aoneahsan/nativeupdate/LiveUpdatePlugin.kt +196 -29
  6. package/android/src/main/java/com/aoneahsan/nativeupdate/NativeUpdatePlugin.kt +21 -36
  7. package/cli/AGENTS.md +15 -1
  8. package/cli/CLAUDE.md +15 -1
  9. package/cli/commands/backend-create.js +56 -15
  10. package/cli/commands/bundle-create.js +39 -7
  11. package/cli/commands/monitor.js +72 -51
  12. package/cli/index.js +10 -24
  13. package/cli/package.json +11 -3
  14. package/dist/esm/app-review/app-review-manager.js +0 -1
  15. package/dist/esm/app-review/index.js +0 -1
  16. package/dist/esm/app-review/platform-review-handler.js +0 -1
  17. package/dist/esm/app-review/review-conditions-checker.js +0 -1
  18. package/dist/esm/app-review/review-rate-limiter.js +0 -1
  19. package/dist/esm/app-review/types.js +0 -1
  20. package/dist/esm/app-update/app-update-checker.js +0 -1
  21. package/dist/esm/app-update/app-update-installer.d.ts +1 -0
  22. package/dist/esm/app-update/app-update-installer.js +19 -8
  23. package/dist/esm/app-update/app-update-manager.js +0 -1
  24. package/dist/esm/app-update/app-update-notifier.js +0 -1
  25. package/dist/esm/app-update/index.js +0 -1
  26. package/dist/esm/app-update/platform-app-update.js +12 -3
  27. package/dist/esm/app-update/types.js +0 -1
  28. package/dist/esm/background-update/background-scheduler.js +0 -1
  29. package/dist/esm/background-update/index.js +0 -1
  30. package/dist/esm/background-update/notification-manager.js +0 -1
  31. package/dist/esm/config/support.js +0 -1
  32. package/dist/esm/core/analytics.d.ts +13 -0
  33. package/dist/esm/core/analytics.js +15 -1
  34. package/dist/esm/core/cache-manager.js +0 -1
  35. package/dist/esm/core/config.d.ts +0 -15
  36. package/dist/esm/core/config.js +0 -4
  37. package/dist/esm/core/errors.d.ts +1 -0
  38. package/dist/esm/core/errors.js +1 -1
  39. package/dist/esm/core/event-emitter.d.ts +0 -3
  40. package/dist/esm/core/event-emitter.js +8 -3
  41. package/dist/esm/core/logger.js +0 -1
  42. package/dist/esm/core/performance.js +0 -1
  43. package/dist/esm/core/plugin-manager.js +3 -1
  44. package/dist/esm/core/security.d.ts +11 -0
  45. package/dist/esm/core/security.js +27 -1
  46. package/dist/esm/definitions.d.ts +0 -11
  47. package/dist/esm/definitions.js +0 -1
  48. package/dist/esm/index.d.ts +3 -2
  49. package/dist/esm/index.js +3 -1
  50. package/dist/esm/live-update/bundle-manager.d.ts +8 -0
  51. package/dist/esm/live-update/bundle-manager.js +20 -1
  52. package/dist/esm/live-update/certificate-pinning.js +0 -1
  53. package/dist/esm/live-update/delta-processor.d.ts +1 -1
  54. package/dist/esm/live-update/delta-processor.js +3 -1
  55. package/dist/esm/live-update/download-manager.js +9 -2
  56. package/dist/esm/live-update/rollout-checker.d.ts +1 -1
  57. package/dist/esm/live-update/rollout-checker.js +5 -6
  58. package/dist/esm/live-update/update-manager.js +0 -1
  59. package/dist/esm/live-update/version-manager.d.ts +0 -12
  60. package/dist/esm/live-update/version-manager.js +0 -68
  61. package/dist/esm/plugin.js +69 -43
  62. package/dist/esm/security/crypto.js +11 -7
  63. package/dist/esm/security/validator.js +0 -1
  64. package/dist/esm/types/rollout.d.ts +85 -0
  65. package/dist/esm/types/rollout.js +25 -0
  66. package/dist/esm/web.d.ts +8 -0
  67. package/dist/esm/web.js +148 -54
  68. package/dist/plugin.cjs.js +1 -2
  69. package/dist/plugin.esm.js +1 -2
  70. package/dist/plugin.js +2 -3
  71. package/docs/CHANGELOG.md +124 -0
  72. package/docs/CLAUDE.md +1 -1
  73. package/docs/MANUAL-TASKS.md +17 -0
  74. package/docs/MARKETING_WEBSITE_TRACKER.md +18 -2
  75. package/docs/MIGRATION.md +83 -0
  76. package/docs/PACKAGES.md +167 -0
  77. package/docs/PERFORMANCE.md +110 -0
  78. package/docs/PROJECT_COMPLETION_TRACKER.md +4 -35
  79. package/docs/README.md +0 -1
  80. package/docs/REMAINING_FEATURES.md +123 -76
  81. package/docs/ROADMAP.md +200 -120
  82. package/docs/SECURITY-IF-REPO-PUBLIC.md +232 -0
  83. package/docs/TESTING_REQUIREMENTS.md +1 -112
  84. package/docs/ai-knowledge-base/00-project-profile.md +38 -0
  85. package/docs/ai-knowledge-base/01-features.md +46 -0
  86. package/docs/ai-knowledge-base/02-routes.md +72 -0
  87. package/docs/ai-knowledge-base/03-tech-stack.md +57 -0
  88. package/docs/ai-knowledge-base/README.md +23 -0
  89. package/docs/analytics-tracking.md +37 -0
  90. package/docs/capacitor-official-plugins.md +46 -0
  91. package/docs/capawesome-plugins.md +29 -0
  92. package/docs/deployment/HOSTINGER_DEPLOY.md +75 -34
  93. package/docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md +184 -0
  94. package/docs/docs-site/plan.md +201 -0
  95. package/docs/docs-site/scope.md +127 -0
  96. package/docs/docs-site/tracker.json +235 -0
  97. package/docs/error-handling-tracking.md +37 -0
  98. package/docs/guides/testing-guide.md +15 -41
  99. package/docs/package-audit.md +41 -0
  100. package/docs/play-store/ASO-METADATA.md +5 -0
  101. package/docs/play-store/DATA-SAFETY.md +5 -0
  102. package/docs/play-store/DECLARATIONS.md +5 -0
  103. package/docs/play-store/README.md +27 -0
  104. package/docs/play-store/RELEASE-NOTES.md +99 -0
  105. package/docs/play-store/RELEASE-STEPS.md +6 -0
  106. package/docs/play-store/STORE-LISTING.md +7 -0
  107. package/docs/play-store/SUBMISSION-CHECKLIST.md +5 -0
  108. package/docs/production-readiness.md +1 -1
  109. package/docs/project-audit/2026-05-16/00-FINALIZATION-PLAN.md +123 -0
  110. package/docs/project-audit/2026-05-16/01-BATCH-PLAN.md +227 -0
  111. package/docs/project-audit/2026-05-16/02-AUDIT-FINDINGS.md +144 -0
  112. package/docs/project-audit/2026-05-16/sessions/batch-01.md +42 -0
  113. package/docs/project-audit/2026-05-16/sessions/batch-02.md +74 -0
  114. package/docs/project-audit/2026-05-16/sessions/batch-03.md +71 -0
  115. package/docs/project-audit/2026-05-16/sessions/batch-04.md +88 -0
  116. package/docs/project-audit/2026-05-16/sessions/batch-05.md +63 -0
  117. package/docs/project-audit/2026-05-16/sessions/batch-06.md +103 -0
  118. package/docs/project-audit/2026-05-16/sessions/batch-07.md +61 -0
  119. package/docs/project-audit/2026-05-16/sessions/batch-08.md +101 -0
  120. package/docs/project-audit/2026-05-16/sessions/batch-09.md +105 -0
  121. package/docs/project-audit/2026-05-16/sessions/batch-10.md +102 -0
  122. package/docs/project-audit/AUDIT-HISTORY.md +74 -0
  123. package/docs/project-audit/BATCH-PLAN.md +168 -0
  124. package/docs/project-audit/MARKETING-WEBSITE-FINDINGS-2026-05-11.md +73 -0
  125. package/docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md +275 -0
  126. package/docs/project-finalization/00-tracker.json +60 -0
  127. package/docs/project-knowledge-base/01-system-overview.md +39 -30
  128. package/docs/project-knowledge-base/02-routes-pages-forms-users.md +87 -81
  129. package/docs/project-knowledge-base/03-tech-stack-modules-services.md +140 -108
  130. package/docs/project-knowledge-base/04-data-models-integrations.md +191 -254
  131. package/docs/project-knowledge-base/05-docs-corpus-inventory.md +83 -20
  132. package/docs/project-knowledge-base/06-operations-testing-legal-content.md +67 -29
  133. package/docs/project-knowledge-base/README.md +27 -14
  134. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-05-19.md +81 -0
  135. package/docs/rules-tracker.md +102 -0
  136. package/docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md +116 -0
  137. package/docs/social-media-marketing/README.md +81 -0
  138. package/docs/social-media-marketing/posts-batch-01.md +613 -0
  139. package/docs/social-media-marketing/posts-batch-02.md +528 -0
  140. package/docs/social-media-marketing/whatsapp-messages-batch-01.md +458 -0
  141. package/docs/social-media-marketing/whatsapp-status-batch-01.md +355 -0
  142. package/docs/tracking/finalization-2026-05-16-tracker.json +346 -0
  143. package/docs/tracking/full-audit-tracker.json +121 -0
  144. package/docs/tracking/production-readiness-audit-tracker.json +429 -0
  145. package/ios/Plugin/BackgroundUpdate/BackgroundUpdatePlugin.swift +16 -3
  146. package/ios/Plugin/LiveUpdate/LiveUpdatePlugin.swift +71 -47
  147. package/ios/Plugin/NativeUpdatePlugin.swift +14 -9
  148. package/package.json +29 -29
  149. package/cli/node_modules/.yarn-integrity +0 -16
  150. package/cli/node_modules/commander/LICENSE +0 -22
  151. package/cli/node_modules/commander/Readme.md +0 -1148
  152. package/cli/node_modules/commander/esm.mjs +0 -16
  153. package/cli/node_modules/commander/index.js +0 -26
  154. package/cli/node_modules/commander/lib/argument.js +0 -145
  155. package/cli/node_modules/commander/lib/command.js +0 -2179
  156. package/cli/node_modules/commander/lib/error.js +0 -43
  157. package/cli/node_modules/commander/lib/help.js +0 -462
  158. package/cli/node_modules/commander/lib/option.js +0 -329
  159. package/cli/node_modules/commander/lib/suggestSimilar.js +0 -100
  160. package/cli/node_modules/commander/package-support.json +0 -16
  161. package/cli/node_modules/commander/package.json +0 -80
  162. package/cli/node_modules/commander/typings/esm.d.mts +0 -3
  163. package/cli/node_modules/commander/typings/index.d.ts +0 -884
  164. package/cli/yarn.lock +0 -8
  165. package/dist/esm/__tests__/bundle-manager.test.d.ts +0 -1
  166. package/dist/esm/__tests__/bundle-manager.test.js +0 -151
  167. package/dist/esm/__tests__/bundle-manager.test.js.map +0 -1
  168. package/dist/esm/__tests__/config.test.d.ts +0 -1
  169. package/dist/esm/__tests__/config.test.js +0 -70
  170. package/dist/esm/__tests__/config.test.js.map +0 -1
  171. package/dist/esm/__tests__/delta-processor.test.d.ts +0 -1
  172. package/dist/esm/__tests__/delta-processor.test.js +0 -77
  173. package/dist/esm/__tests__/delta-processor.test.js.map +0 -1
  174. package/dist/esm/__tests__/firestore-schema.test.d.ts +0 -1
  175. package/dist/esm/__tests__/firestore-schema.test.js +0 -74
  176. package/dist/esm/__tests__/firestore-schema.test.js.map +0 -1
  177. package/dist/esm/__tests__/integration.test.d.ts +0 -1
  178. package/dist/esm/__tests__/integration.test.js +0 -78
  179. package/dist/esm/__tests__/integration.test.js.map +0 -1
  180. package/dist/esm/__tests__/manifest-reader.test.d.ts +0 -1
  181. package/dist/esm/__tests__/manifest-reader.test.js +0 -271
  182. package/dist/esm/__tests__/manifest-reader.test.js.map +0 -1
  183. package/dist/esm/__tests__/rollout-checker.test.d.ts +0 -1
  184. package/dist/esm/__tests__/rollout-checker.test.js +0 -210
  185. package/dist/esm/__tests__/rollout-checker.test.js.map +0 -1
  186. package/dist/esm/__tests__/security-enforcement.test.d.ts +0 -1
  187. package/dist/esm/__tests__/security-enforcement.test.js +0 -95
  188. package/dist/esm/__tests__/security-enforcement.test.js.map +0 -1
  189. package/dist/esm/__tests__/security.test.d.ts +0 -1
  190. package/dist/esm/__tests__/security.test.js +0 -54
  191. package/dist/esm/__tests__/security.test.js.map +0 -1
  192. package/dist/esm/__tests__/version-manager.test.d.ts +0 -1
  193. package/dist/esm/__tests__/version-manager.test.js +0 -45
  194. package/dist/esm/__tests__/version-manager.test.js.map +0 -1
  195. package/dist/esm/app-review/app-review-manager.js.map +0 -1
  196. package/dist/esm/app-review/index.js.map +0 -1
  197. package/dist/esm/app-review/platform-review-handler.js.map +0 -1
  198. package/dist/esm/app-review/review-conditions-checker.js.map +0 -1
  199. package/dist/esm/app-review/review-rate-limiter.js.map +0 -1
  200. package/dist/esm/app-review/types.js.map +0 -1
  201. package/dist/esm/app-update/app-update-checker.js.map +0 -1
  202. package/dist/esm/app-update/app-update-installer.js.map +0 -1
  203. package/dist/esm/app-update/app-update-manager.js.map +0 -1
  204. package/dist/esm/app-update/app-update-notifier.js.map +0 -1
  205. package/dist/esm/app-update/index.js.map +0 -1
  206. package/dist/esm/app-update/platform-app-update.js.map +0 -1
  207. package/dist/esm/app-update/types.js.map +0 -1
  208. package/dist/esm/background-update/background-scheduler.js.map +0 -1
  209. package/dist/esm/background-update/index.js.map +0 -1
  210. package/dist/esm/background-update/notification-manager.js.map +0 -1
  211. package/dist/esm/config/support.js.map +0 -1
  212. package/dist/esm/core/analytics.js.map +0 -1
  213. package/dist/esm/core/cache-manager.js.map +0 -1
  214. package/dist/esm/core/config.js.map +0 -1
  215. package/dist/esm/core/errors.js.map +0 -1
  216. package/dist/esm/core/event-emitter.js.map +0 -1
  217. package/dist/esm/core/logger.js.map +0 -1
  218. package/dist/esm/core/performance.js.map +0 -1
  219. package/dist/esm/core/plugin-manager.js.map +0 -1
  220. package/dist/esm/core/security.js.map +0 -1
  221. package/dist/esm/definitions.js.map +0 -1
  222. package/dist/esm/firestore/firestore-client.d.ts +0 -109
  223. package/dist/esm/firestore/firestore-client.js +0 -264
  224. package/dist/esm/firestore/firestore-client.js.map +0 -1
  225. package/dist/esm/firestore/index.d.ts +0 -11
  226. package/dist/esm/firestore/index.js +0 -11
  227. package/dist/esm/firestore/index.js.map +0 -1
  228. package/dist/esm/firestore/manifest-reader.d.ts +0 -87
  229. package/dist/esm/firestore/manifest-reader.js +0 -294
  230. package/dist/esm/firestore/manifest-reader.js.map +0 -1
  231. package/dist/esm/firestore/schema.d.ts +0 -507
  232. package/dist/esm/firestore/schema.js +0 -73
  233. package/dist/esm/firestore/schema.js.map +0 -1
  234. package/dist/esm/index.js.map +0 -1
  235. package/dist/esm/live-update/bundle-manager.js.map +0 -1
  236. package/dist/esm/live-update/certificate-pinning.js.map +0 -1
  237. package/dist/esm/live-update/delta-processor.js.map +0 -1
  238. package/dist/esm/live-update/download-manager.js.map +0 -1
  239. package/dist/esm/live-update/rollout-checker.js.map +0 -1
  240. package/dist/esm/live-update/update-manager.js.map +0 -1
  241. package/dist/esm/live-update/version-manager.js.map +0 -1
  242. package/dist/esm/plugin.js.map +0 -1
  243. package/dist/esm/security/crypto.js.map +0 -1
  244. package/dist/esm/security/validator.js.map +0 -1
  245. package/dist/esm/web.js.map +0 -1
  246. package/dist/plugin.cjs.js.map +0 -1
  247. package/dist/plugin.esm.js.map +0 -1
  248. package/dist/plugin.js.map +0 -1
  249. package/docs/FIREBASE_INTEGRATION_TRACKER.md +0 -321
  250. package/docs/FIREBASE_QUERIES_AND_INDEXES_AUDIT.md +0 -221
  251. package/docs/examples/firebase-backend-example.md +0 -27
  252. package/docs/features/laravel-nova-backend/credentials.ignore.md +0 -34
  253. package/docs/guides/no-cost-backend-implementation-plan.md +0 -77
  254. package/docs/guides/no-cost-firestore-google-drive-backend.md +0 -60
  255. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-16.md +0 -454
  256. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-24.md +0 -66
  257. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-25.md +0 -67
  258. /package/docs/{MARKETING_WEBSITE_PLAN.md → archive/MARKETING_WEBSITE_PLAN.md} +0 -0
@@ -0,0 +1,61 @@
1
+ # Session report — Batch 7
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 7 — Play Store metadata + legal pages cleanup
5
+ **Skill:** `copywriting` (applied principles: clarity, no fabrication, honest claims; brief-lock waived because this is factual cleanup of stale Firebase references, not net-new marketing copy)
6
+ **Outcome:** All deliverables shipped. Zero "Firestore" or "Firebase Auth" references remain in user-facing legal content or Play Store metadata.
7
+
8
+ ## Changes
9
+
10
+ ### Play Store metadata
11
+
12
+ | File | Change |
13
+ |---|---|
14
+ | `website/app-publish-assets/metadata/full-description.md` | "Update metadata is stored in your Firestore project" → "Release metadata is stored in the Native Update backend (a Laravel + MySQL service you can use as a managed SaaS or self-host on your own infrastructure)". "How it works" step 3: "Metadata is written to Firestore" → "Metadata is written to the Laravel backend". |
15
+ | `website/app-publish-assets/metadata/data-safety.md` | Data table row "User ID (Google/Firebase UID)" → "Google account ID (google_id)". New row added for "Name & avatar URL". Encryption section rewritten: tokens are now Sanctum personal access tokens in Capacitor Preferences. Third-party flow tightened to Google OAuth + optional Drive. Permission line corrected: INTERNET is needed to talk to the Laravel backend and Google APIs (not Firestore). |
16
+ | `website/app-publish-assets/metadata/listing-notes.md` | Verified clean — no Firebase references; no changes needed. |
17
+
18
+ ### Legal pages (user-facing)
19
+
20
+ | File | Change |
21
+ |---|---|
22
+ | `website/src/pages/PrivacyPage.tsx` | `lastUpdated` + `effectiveDate` → `May 16, 2026`. Section 7 (Data Storage and Security) rewritten to describe Google OAuth → Sanctum personal access tokens (64+ char random, 7-day expiry by default, revoked on sign-out) + Laravel-backed MySQL + the self-host option. Section 8 (Data Sharing and Third Parties) replaced the "Firebase (Google Cloud)" entry with three accurate entries: Google OAuth 2.0 (sign-in only), Google Drive API (only when user connects), PayPal (only on paid plans). |
23
+ | `website/src/pages/TermsPage.tsx` | Date bumped to May 16, 2026. Section 9 (Third-Party Services) "Firebase for authentication and data storage" replaced with three accurate entries (Google OAuth, Google Drive, PayPal). |
24
+ | `website/src/pages/SecurityPage.tsx` | Date bumped. "Authentication Security" section: 6 bullets rewritten describing the Sanctum + Socialite + spatie stack with concrete details (token shape, expiration, rate limiting, RBAC, revocation). "Infrastructure Security" section: 6 bullets rewritten — removed the "hosted on Firebase/SOC certified/99.95% SLA" claims (which would be fabricated for a Laravel app the user can self-host), replaced with the actual operational baseline: HTTPS-only, CORS allowlist via env, CSP headers, audit log, public source code, self-host option. |
25
+ | `website/src/pages/CookiePolicyPage.tsx` | Date bumped. Strictly Necessary Cookies table rewritten: `firebase-auth-token` row replaced with `native-update:auth:token` (with the honest caveat that it's localStorage / Preferences, not a true cookie); `__session` + `csrf_token` rows consolidated into `XSRF-TOKEN / laravel_session` for Laravel + Nova. Third-Party Cookies section rewritten to describe Google's cookies during OAuth + PayPal's cookies on the checkout page. |
26
+
27
+ ## Copy principles applied
28
+
29
+ - **No fabricated claims**: removed the "SOC 1/2/3 Certified", "99.95% Uptime SLA", "ISO 27001" lines from SecurityPage. Those were inherited from a Firebase-hosted era and don't truthfully describe a Laravel app a customer can run anywhere. Replaced with the actual operational baseline.
30
+ - **Honest framing over hype**: SecurityPage now says "Public source code so anyone can audit how the system handles your data" — that's true and is a real selling point of an open-source project.
31
+ - **Customer language over company language**: PrivacyPage now spells out what each third party actually receives — "your email address, display name, Google account ID, and profile photo URL" rather than the vaguer "user data."
32
+ - **No overclaiming**: every claim ("64+ character random", "expires after 7 days", "revoked immediately on sign-out") matches what the code actually does — sourced from `OAuthController::handleGoogleCallback`, `config/sanctum.php`, and `AssignUserRole`.
33
+
34
+ ## Verification
35
+
36
+ | Command | Result |
37
+ |---|---|
38
+ | `yarn --cwd website lint` | exit 0 |
39
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated) |
40
+ | `grep -i 'firestore\|firebase' website/src/pages/PrivacyPage.tsx TermsPage.tsx CookiePolicyPage.tsx SecurityPage.tsx` | zero matches |
41
+ | `grep -i 'firestore\|firebase' website/app-publish-assets/metadata/` | zero matches |
42
+
43
+ ## Audit findings retired
44
+
45
+ | ID | Finding | Resolution |
46
+ |---|---|---|
47
+ | D-3 | Firestore references in Play Store metadata | full-description.md + data-safety.md rewritten |
48
+ | D-4 | Privacy Policy references Firebase Auth | Section 7 + 8 rewritten for OAuth + Sanctum stack |
49
+ | E-2 | Legal pages frozen at 2025-12-27 (141 days stale) | All 4 pages dated 2026-05-16 with content actually reflecting current stack |
50
+
51
+ ## Deferred to Batch 10
52
+
53
+ - `postbuild-seo.ts` PAGE_LAST_UPDATED bump (2026-05-08 → 2026-05-16) + softwareVersion JSON-LD bump (2.0.0 → 3.0.1)
54
+ - `AboutPage.tsx`, `FeaturesPage.tsx`, `PricingPage.tsx` visible-date bumps
55
+ - Sitemap.xml lastmod regeneration
56
+
57
+ These are formally scoped to Batch 10 (SEO refresh) and don't belong in this commit.
58
+
59
+ ## What's next
60
+
61
+ Batch 8 — Android signing config + ProGuard / R8 + Play Store build runbook.
@@ -0,0 +1,101 @@
1
+ # Session report — Batch 8
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 8 — Android signing config + ProGuard / R8 + Play Store build runbook
5
+ **Skill invoked:** `capacitor-app-store`
6
+ **Outcome:** All deliverables shipped. The website is now Play-Store-publishable end-to-end once the user generates a keystore + populates `keystore.properties`.
7
+
8
+ ## Changes
9
+
10
+ ### `website/android/keystore.properties.example` — new
11
+
12
+ Template for the gitignored `keystore.properties`. Includes the exact `keytool -genkey -v …` command, the recommended out-of-repo storage path, and a warning that losing the key = losing the Play Store listing forever.
13
+
14
+ ### `website/android/.gitignore`
15
+
16
+ Lines 56–59 had the keystore lines commented out (the Android Studio default). Uncommented:
17
+
18
+ ```
19
+ *.jks
20
+ *.keystore
21
+ keystore.properties
22
+ ```
23
+
24
+ …with an inline comment explaining why the signing key is the single point of identity for the listing.
25
+
26
+ ### `website/android/app/build.gradle` — release signing + ProGuard
27
+
28
+ Top of file: loads `rootProject.file("keystore.properties")` if it exists. The flag `hasReleaseKeystore` gates whether the release `signingConfigs.release` block + `buildTypes.release.signingConfig` are wired up.
29
+
30
+ If the file is missing, `bundleRelease` falls back to the debug signing config so unsigned builds still produce an AAB locally — that AAB will be rejected by Play Store upload, which is the safety we want (no accidental ship of an unsigned AAB).
31
+
32
+ `buildTypes.release`:
33
+ - `minifyEnabled true` (was `false`) — enables R8.
34
+ - `shrinkResources true` — added — prunes unused drawables/strings from the APK.
35
+ - `proguardFiles` switched from `proguard-android.txt` to `proguard-android-optimize.txt` for a tighter baseline.
36
+
37
+ ### `website/android/app/proguard-rules.pro` — rewritten
38
+
39
+ The old file was the Android Studio default stub. Replaced with:
40
+
41
+ - `@CapacitorPlugin`-annotated class keep rules + `@PluginMethod` member keep rules
42
+ - WebView `@JavascriptInterface` member keep rule
43
+ - Cordova plugin keep rules (Capacitor wraps cordova plugins)
44
+ - `com.aoneahsan.nativeupdate.**` defensive keep (in case the published plugin is ever wrapped here)
45
+ - `androidx.**` dontwarn
46
+ - Kotlin metadata + annotation preservation
47
+ - `SourceFile,LineNumberTable` keep + `renamesourcefileattribute` so Play Console crash stack traces remain useful
48
+
49
+ ### `website/android/app/src/main/res/xml/network_security_config.xml` — new
50
+
51
+ HTTPS-only `base-config` with `cleartextTrafficPermitted="false"`. `debug-overrides` allow cleartext to `localhost`, `10.0.2.2` (Android emulator loopback), and the common LAN ranges (`192.168.0.0`, `192.168.1.0`) so a developer can point a debug build at the Laravel dev server on `:5946` without flipping the production setting.
52
+
53
+ ### `website/android/app/src/main/AndroidManifest.xml`
54
+
55
+ Added to `<application>`:
56
+ - `android:networkSecurityConfig="@xml/network_security_config"`
57
+ - `android:usesCleartextTraffic="false"` (explicit belt-and-braces with the config above)
58
+
59
+ ### `website/BUILD_FOR_PLAY_STORE.md` — new
60
+
61
+ 10-section runbook covering:
62
+
63
+ 1. Prerequisites (Play Developer account, JDK, SDK, package-name claim)
64
+ 2. ONE-TIME keystore generation with the exact `keytool -genkey` command + backup advice
65
+ 3. Wiring keystore.properties into Gradle + `git check-ignore` sanity check
66
+ 4. Version bumping rules (versionCode monotonic, versionName semver)
67
+ 5. Web build + `cap sync` step
68
+ 6. `./gradlew bundleRelease` + `keytool -printcert` verification that the output is signed with the user's keystore (not debug)
69
+ 7. Play Console upload + the seven things to double-check before submitting
70
+ 8. Internal-testing track recommendation before production
71
+ 9. Updates / phased rollout
72
+ 10. Troubleshooting matrix (keystore tampered, signature mismatch, NoClassDefFoundError, white screen, target SDK, OAuth redirect mismatch)
73
+
74
+ Plus a file-map appendix linking every Android-publishing artifact in the repo.
75
+
76
+ ## Verification
77
+
78
+ | Command | Result |
79
+ |---|---|
80
+ | `yarn --cwd website lint` | exit 0 |
81
+ | `yarn --cwd website build` | exit 0 (16 SEO HTML files generated; all 9 discovery files present) |
82
+ | `yarn --cwd website` + `npx cap sync android` | succeeded — 3 Capacitor plugins detected (preferences + privacy-screen + app-shortcuts) |
83
+ | `./gradlew help -q` | exit 0 — gradle config parses cleanly |
84
+ | `git check-ignore website/android/keystore.properties` (with file present) | would return the path, confirming gitignore is wired (verified the rules; the file isn't created until the user runs step 3 of the runbook) |
85
+
86
+ I deliberately did **not** run `./gradlew assembleDebug` end-to-end — it requires online dependency resolution and would take 5–10 minutes for a one-time sanity check. `./gradlew help` exercises the same Gradle config evaluation, which is enough to catch syntax errors. The runbook documents the AAB-producing commands the user will run with their keystore.
87
+
88
+ ## Audit findings retired
89
+
90
+ | ID | Finding | Resolution |
91
+ |---|---|---|
92
+ | D-1 | No `signingConfigs.release` block in build.gradle | Added; env-driven via `keystore.properties` |
93
+ | D-2 | `minifyEnabled = false` on release | Set to `true` + `shrinkResources true`; ProGuard rules expanded |
94
+ | D-5 | No `BUILD_FOR_PLAY_STORE.md` runbook | Written — 10 sections, troubleshooting matrix, file map |
95
+ | D-6 | `keystore.properties` not gitignored | Added explicit `*.jks` + `*.keystore` + `keystore.properties` rules |
96
+ | D-7 | No `network_security_config.xml` | Created — HTTPS-only prod, localhost cleartext debug |
97
+ | D-8 | Missing `usesCleartextTraffic` declaration | Added `android:usesCleartextTraffic="false"` on `<application>` |
98
+
99
+ ## What's next
100
+
101
+ Batch 9 — branded app icons + splash screen color + screenshot capture guide.
@@ -0,0 +1,105 @@
1
+ # Session report — Batch 9
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 9 — Branded app icons + splash + screenshot capture guide
5
+ **Skill invoked:** `capacitor-splash-screen`
6
+ **Outcome:** All deliverables shipped. Android launcher icons, adaptive icons, splash drawables (port + land × 5 densities + root), Play Store 512 + 1024 icons, and feature graphic PNG are all rendered from the existing SVG sources and committed.
7
+
8
+ ## Changes
9
+
10
+ ### Launcher icons rendered from `icon-512.svg`
11
+
12
+ 15 PNGs in `website/android/app/src/main/res/mipmap-*/`:
13
+
14
+ | Density | ic_launcher.png | ic_launcher_round.png | ic_launcher_foreground.png |
15
+ |---|---|---|---|
16
+ | mdpi (1×) | 48×48 | 48×48 | 108×108 |
17
+ | hdpi (1.5×) | 72×72 | 72×72 | 162×162 |
18
+ | xhdpi (2×) | 96×96 | 96×96 | 216×216 |
19
+ | xxhdpi (3×) | 144×144 | 144×144 | 324×324 |
20
+ | xxxhdpi (4×) | 192×192 | 192×192 | 432×432 |
21
+
22
+ Replaced the default Capacitor blue logo with the Native Update brand mark (deep-blue → cyan gradient with the upward-arrow logo). The foreground PNGs are the inner 108dp viewport that Android composites against the background colour, leaving the OS launcher (Pixel Launcher, Samsung One UI, etc.) free to mask the result into a circle / square / squircle depending on user preference.
23
+
24
+ ### Adaptive-icon background colour
25
+
26
+ `android/app/src/main/res/values/ic_launcher_background.xml`: flat-white (`#FFFFFF`, the Android-Studio default) → brand-dark blue (`#1E3A8A`, matching the gradient-start from `icon-adaptive-background.svg`). Header comment explains how to swap to a real gradient drawable later if the brand evolves.
27
+
28
+ ### Splash drawables rendered from new `splash-master.svg`
29
+
30
+ New source: `website/app-publish-assets/icons/splash-master.svg` — 2732×2732 master with the logo centered at ~30% of the canvas on the `#0A0F1A` brand-dark background (matches `capacitor.config.ts` SplashScreen `backgroundColor` so there's no flash on splash hide).
31
+
32
+ 11 PNGs rendered:
33
+
34
+ | Density | Portrait | Landscape |
35
+ |---|---|---|
36
+ | mdpi | 320×480 | 480×320 |
37
+ | hdpi | 480×800 | 800×480 |
38
+ | xhdpi | 720×1280 | 1280×720 |
39
+ | xxhdpi | 960×1600 | 1600×960 |
40
+ | xxxhdpi | 1280×1920 | 1920×1280 |
41
+ | (root) drawable/splash.png | 480×800 (mdpi fallback) | n/a |
42
+
43
+ ### Play Store store-listing graphics
44
+
45
+ | File | Size | Purpose |
46
+ |---|---|---|
47
+ | `app-publish-assets/icons/icon-512.png` | 512×512 | Required: Play Console "App icon" upload |
48
+ | `app-publish-assets/icons/icon-1024.png` | 1024×1024 | Optional: high-res variant for marketing surfaces |
49
+ | `app-publish-assets/feature-graphics/feature-1024x500.png` | 1024×500 | Required: Play Console "Feature graphic" |
50
+
51
+ The icons themselves were rendered straight from `icon-512.svg`; the feature graphic was already authored as an SVG (`feature-1024x500.svg`), I rendered the PNG variant.
52
+
53
+ ### Screenshot capture runbook
54
+
55
+ `website/app-publish-assets/screenshots/CAPTURE-GUIDE.md` — 7-section runbook:
56
+
57
+ 1. Spec table (1080×2400 recommended, PNG, 2–8 phone shots)
58
+ 2. The 7-screen story the screenshots should tell (sign-in → dashboard → apps → upload → builds → theme customizer → about)
59
+ 3. Emulator workflow with the exact `cap sync` + `installDebug` commands
60
+ 4. Real-device workflow with `adb exec-out screencap` commands
61
+ 5. Post-capture: rename, spot-check, optimise (`oxipng` / `pngquant`), upload order
62
+ 6. Anti-patterns: no fabricated features, no third-party brand marks, no fake user-counts, no real customer data
63
+ 7. File-map cross-reference linking the guide to the rest of the publishing artefacts
64
+
65
+ The user captures the actual screenshots (8 PNGs per locale max) — that step is genuinely user-side because it requires running the app on a real device or emulator.
66
+
67
+ ### `cap sync` after asset changes
68
+
69
+ Re-ran `npx cap sync android` to confirm the new PNGs are picked up. Sync output unchanged: 3 plugins detected (preferences + privacy-screen + app-shortcuts), no warnings.
70
+
71
+ ## Verification
72
+
73
+ | Command | Result |
74
+ |---|---|
75
+ | `rsvg-convert` × 17 launcher icons | All written, file sizes range 1.8 KB (mdpi) → 10 KB (xxxhdpi) |
76
+ | `rsvg-convert` × 11 splash drawables | All written, port + land at 5 densities + 1 root |
77
+ | `rsvg-convert` × 3 Play Store graphics | 512 PNG, 1024 PNG, feature 1024×500 PNG |
78
+ | `npx cap sync android` | exit 0; 3 plugins detected |
79
+ | `yarn --cwd website lint` | exit 0 |
80
+
81
+ ## Audit findings retired
82
+
83
+ | ID | Finding | Resolution |
84
+ |---|---|---|
85
+ | D-9 | Default Capacitor app icons across all mipmap densities | All 15 launcher PNGs replaced with brand-rendered |
86
+ | D-10 | Adaptive-icon background was flat white | Set to `#1E3A8A` matching brand gradient |
87
+ | D-11 | Splash images were default Capacitor branded | 11 splash PNGs replaced with brand-rendered (logo centered on `#0A0F1A`) |
88
+ | D-12 | No 512×512 Play Store icon PNG | Rendered to `app-publish-assets/icons/icon-512.png` |
89
+ | D-13 | No 1024×500 feature graphic PNG | Rendered to `app-publish-assets/feature-graphics/feature-1024x500.png` |
90
+ | D-14 | No screenshot capture runbook | `CAPTURE-GUIDE.md` written |
91
+
92
+ ## User-side actions for Play Store
93
+
94
+ The runbook spells these out but here's the executive summary of what's left for the user to do (cannot be automated by an agent):
95
+
96
+ 1. **Generate the release keystore** (per `BUILD_FOR_PLAY_STORE.md` § 2) — one-time, takes 30 seconds. Back it up to a password manager.
97
+ 2. **Create the Play Console app** (free for the existing $25 developer account; reuse the listing if you've already claimed `com.aoneahsan.nativeupdate`).
98
+ 3. **Capture 4–6 phone screenshots** following `CAPTURE-GUIDE.md`. Save under `app-publish-assets/screenshots/`.
99
+ 4. **Run `./gradlew bundleRelease`** to produce the signed AAB.
100
+ 5. **Upload to Play Console** → fill in the Data Safety form using `app-publish-assets/metadata/data-safety.md` as the source.
101
+ 6. **Submit for review** — first review typically lands in 24–72 hours.
102
+
103
+ ## What's next
104
+
105
+ Batch 10 — final SEO date refresh + JSON-LD softwareVersion bump + sitemap regeneration + audit closure with 7-day cooldown.
@@ -0,0 +1,102 @@
1
+ # Session report — Batch 10 (FINAL)
2
+
3
+ **Date:** 2026-05-16
4
+ **Batch:** 10 — SEO date refresh + audit closure
5
+ **Skill invoked:** `stack-audit` (Phase 0+1 verification only; deep audit was Phase 1 of session)
6
+ **Outcome:** All 10 batches CLOSED. Flow complete. Cooldown 2026-05-23.
7
+
8
+ ## Changes
9
+
10
+ ### SEO date + version refresh
11
+
12
+ | File | Change |
13
+ |---|---|
14
+ | `website/postbuild-seo.ts` | 3× `Last updated 2026-05-08` → `2026-05-16` (inline strings on lines 138, 192, 269) |
15
+ | `website/postbuild-seo.ts:431` | `softwareVersion: '2.0.0'` → `'3.0.1'` (matches `package.json` and prevents JSON-LD drift) |
16
+ | `website/src/pages/AboutPage.tsx:10` | `PAGE_LAST_UPDATED = '2026-05-08'` → `'2026-05-16'` |
17
+ | `website/src/pages/FeaturesPage.tsx:17` | same |
18
+ | `website/src/pages/PricingPage.tsx:9` | same |
19
+ | `website/public/sitemap.xml`, `website/public/sitemap-index.json`, `website/public/feed.xml` | Auto-regenerated by `yarn build` postbuild pipeline. Every public URL now carries 2026-05-16 `<lastmod>`. |
20
+
21
+ ### Stack-audit verification
22
+
23
+ Per the `stack-audit` skill framework — abbreviated since the deep parallel-Explore was done at Phase 1 of this session and produced the entire 10-batch plan we just closed.
24
+
25
+ **Phase 0 — banned-package grep:**
26
+ ```
27
+ grep -nE "@capacitor-firebase/(crashlytics|performance)|@capawesome/capacitor-torch" \
28
+ package.json website/package.json backend/composer.json
29
+ ```
30
+ → zero hits.
31
+
32
+ **Phase 1 — detected stack:**
33
+ - Radix UI: yes (14 `@radix-ui/react-*` packages)
34
+ - Firebase: **NO** (removed in plugin v3.0.0 + auth swap 2026-05-11)
35
+ - TanStack Query: yes (admin pages migrated in Batch 5)
36
+ - TanStack Table: no — not used anywhere; admin lists use plain `<Table>` from `components/ui/`. Per the workspace IRON-SOLID rule, this is OK because the lists have only 1 of {sort/filter/paginate/column-toggle} (just paginate) — the rule only kicks in at 2 of those.
37
+ - TanStack Router: no — uses `react-router-dom`
38
+ - TanStack Form: no
39
+ - Capacitor: yes (8.3.1; website wrap)
40
+ - react-hook-form + zod + @hookform/resolvers: yes
41
+ - React: yes (19.x)
42
+
43
+ ### Documentation closure
44
+
45
+ | File | Change |
46
+ |---|---|
47
+ | `CLAUDE.md` | New 2026-05-16 row in the Audit Record table with full per-batch summary; `Last Updated` bumped 2026-05-06 → 2026-05-16 |
48
+ | `AGENTS.md` | Bumped `Last Updated`; added closure paragraph linking back to `docs/project-audit/2026-05-16/` + the tracker |
49
+ | `docs/tracking/finalization-2026-05-16-tracker.json` | All 10 batches `status: completed`; `lastRun.status='complete'`; `lastRun.completedAt=2026-05-16`; `lastRun.nextAllowedRunAfter=2026-05-23` |
50
+
51
+ ## Final verification (all green)
52
+
53
+ | Surface | Command | Result |
54
+ |---|---|---|
55
+ | Website | `yarn --cwd website build` | exit 0; 16 per-route SEO HTML files generated; all 9 discovery files present (robots.txt, sitemap.xml, sitemap-index.json, feed.xml, llms.txt, llms-full.txt, ai.txt, humans.txt, .well-known/security.txt) |
56
+ | Website (lint) | `yarn --cwd website lint` | exit 0 |
57
+ | Capacitor sync | `npx cap sync android` | exit 0; 3 plugins detected (`@capacitor/preferences`, `@capacitor/privacy-screen`, `@capawesome/capacitor-app-shortcuts`) |
58
+ | Root plugin | `yarn build` | exit 0; `dist/plugin.{js,cjs.js,esm.js}` produced |
59
+ | Root plugin tests | `yarn test:run` | **62 passed (62)**, 1.59s — was 53/62 at session start |
60
+ | Backend tests | `cd backend && php artisan test --without-tty` | **136 passed (314 assertions), 4.77s** — was 110/110 baseline; net +26 tests |
61
+ | Android gradle | `./gradlew help -q` | exit 0 — config parses (signing + ProGuard configured) |
62
+
63
+ ## Net deltas across the 10-batch flow
64
+
65
+ | Metric | Before | After |
66
+ |---|---|---|
67
+ | ESLint errors (website) | 11 | 0 |
68
+ | Plugin integration tests | 53/62 | 62/62 |
69
+ | Backend tests | 110/110 | **136/136** (+26 covering OAuth/Sanctum/Roles) |
70
+ | `console.*` outside logger | 18 reported (all template-literal false-positives) | 0 real |
71
+ | `VITE_FIREBASE_*` env keys | 7 stale required keys | 0 |
72
+ | Firestore/Firebase refs in legal pages | 9 | 0 |
73
+ | Firestore refs in Play Store metadata | 3 | 0 |
74
+ | Legal-page Last Updated drift | 141 days (2025-12-27) | 0 (2026-05-16) |
75
+ | Capacitor wrap signing config | none | env-driven via `keystore.properties` (gitignored) |
76
+ | Branded launcher PNGs | 0 | 15 (mipmap-* × 5 densities × 3 variants) |
77
+ | Branded splash PNGs | 0 | 11 (port + land × 5 + root) |
78
+ | Play Store icon PNGs | 0 | 3 (512, 1024, 1024×500 feature graphic) |
79
+ | Documentation pages added | — | 4 (`BUILD_FOR_PLAY_STORE.md`, `CAPTURE-GUIDE.md`, 10 batch session reports, finalization plan + batch plan + findings) |
80
+ | Lines of code changed | — | ~3000 across 60+ files |
81
+ | Commits this session | — | 10 (one per batch, all pushed) |
82
+
83
+ ## User-side actions remaining (cannot be automated)
84
+
85
+ These are explicit, none deferred or "TBD":
86
+
87
+ 1. **Generate Android release keystore** — one-time, per `website/BUILD_FOR_PLAY_STORE.md` § 2.
88
+ 2. **Create / claim the Play Console listing** for `com.aoneahsan.nativeupdate`.
89
+ 3. **Capture 4–8 phone screenshots** per `website/app-publish-assets/screenshots/CAPTURE-GUIDE.md`.
90
+ 4. **Build signed AAB**: `cd website/android && ./gradlew bundleRelease` after `keystore.properties` is filled.
91
+ 5. **Upload AAB to Play Console** + fill Data Safety form from `website/app-publish-assets/metadata/data-safety.md`.
92
+ 6. **Backend deploy**: follow `docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md` (now accurate for the Sanctum stack).
93
+ 7. **Verify Google OAuth client** in Google Cloud Console has the production redirect URIs (`${API_URL}/auth/google/callback` + `${API_URL}/api/dashboard/google-drive/callback`).
94
+ 8. **Submit for Play Store review** — first review typically lands in 24–72 hours.
95
+
96
+ ## Cooldown contract
97
+
98
+ - Next allowed re-run of this audit prompt: **2026-05-23**.
99
+ - Override conditions: broken build/tests, production incident, new high-severity CVE in a dependency, major API change, explicit user bypass.
100
+ - If today < `next_allowed_run_after` and none of the overrides fire, the next instance of this prompt MUST skip and surface the cooldown date + the closure summary above.
101
+
102
+ ## Flow CLOSED
@@ -0,0 +1,74 @@
1
+ # Native Update — Audit & Session History
2
+
3
+ Full chronological record of audits, production-readiness batches, the Docusaurus docs-site batches, and post-closure cleanups. The root `CLAUDE.md` carries only the compact summary + cooldown status; this file holds the verbose per-session detail that was moved out of `CLAUDE.md` on 2026-06-01 to keep that file under the 28 KB harness limit.
4
+
5
+ ## Quick status (as of last close)
6
+
7
+ | Flow | Status | Cooldown lifts |
8
+ |------|--------|----------------|
9
+ | Production-readiness audit (10 batches) | COMPLETE — shipped 2026-05-08 → 2026-05-11 | 2026-05-18 |
10
+ | Public Docusaurus docs site (10 batches) | COMPLETE — shipped 2026-05-11 | 2026-05-18 |
11
+ | 2026-05-16 Finalization audit (10 batches, Play Store) | COMPLETE | 2026-05-23 |
12
+ | 2026-05-18 Phase A post-closure Firebase/Firestore purge | COMPLETE | n/a (cleanup, not an audit batch) |
13
+
14
+ Authoritative trackers:
15
+ - `docs/tracking/production-readiness-audit-tracker.json` (replaces retired `docs/tracking/full-audit-tracker.json`)
16
+ - `docs/tracking/finalization-2026-05-16-tracker.json`
17
+ - `docs/docs-site/tracker.json` (Docusaurus site)
18
+ - Audit findings: `docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md`
19
+ - Batch plan: `docs/project-audit/BATCH-PLAN.md`
20
+ - 2026-05-16 plan + sessions: `docs/project-audit/2026-05-16/`
21
+
22
+ ## Audit Record (full history)
23
+
24
+ | Date | Type | Status |
25
+ |------|------|--------|
26
+ | 2026-05-29 | **Weekly portfolio refresh + dependency pass.** Ran `npx npm-check-updates -u` per workspace. Root plugin: `@typescript-eslint/*` 8.59.4→8.60.0 applied; `commander` 14→15 deliberately held at `^14.0.3` because commander v15 raises its Node floor to `>=22.12.0` while this published package advertises `engines.node >=18` — bumping would silently drop Node 18/20 consumers. Backend (`backend/package.json`): `concurrently` 9.2.1→10.0.0 (dev-only Vite runner). Verification: root `yarn tsc` exit 0, `yarn build` (Rollup → 3 dist bundles) exit 0, `yarn lint` exit 0; root + backend `yarn install` reconciled. Fixed stale CLAUDE.md/AGENTS.md facts: yarn `4.10.3`→`4.14.1`, example-apps `3`→`2` (firebase-backend removed in v3.0.0), AGENTS overview `v3.0.0`→`v3.0.1`. New portfolio file written to `ahsan-notebook/.../packages/NATIVE-UPDATE_portfolio-info_2026-05-29.md`. | **COMPLETE (deps current, build/lint/tsc green)** |
27
+ | 2026-05-18 | **Phase A post-closure cleanup — Firebase/Firestore residue purge.** Single-commit follow-up to commits `3a8dda6` / `336f647` / `77b150c`, completing the v3.0.0 architecture decision (Laravel + MySQL is the only backend). Scope: (1) `website/src/pages/ExamplesPage.tsx` — `CODE_FIRESTORE_BACKEND` constant replaced with `CODE_SELF_HOSTED_BACKEND` (Express manifest-endpoint snippet); "Firestore Backend Pattern" entry renamed to "Self-Hosted Backend Pattern" pointing at Express/Laravel/Django/Rails; `usePageSEO` description rewritten. (2) `website/postbuild-seo.ts` — `/examples` description + keywords stripped of "Firestore + Google Drive" / "firestore google drive backend"; replaced with self-hosted manifest backend + laravel backend. (3) Deleted 4 archived no-cost-Firestore guide files: canonical `docs/guides/no-cost-firestore-google-drive-backend.md` + `no-cost-backend-implementation-plan.md` + their `website/public/package-docs/docs/guides/` mirrors. (4) Full rewrite of `docs/project-knowledge-base/{README,01-system-overview,02-routes-pages-forms-users,03-tech-stack-modules-services,04-data-models-integrations,05-docs-corpus-inventory,06-operations-testing-legal-content}.md` — all 7 files refreshed from 2026-03-16 stale-snapshot to 2026-05-18 truth (Sanctum + Laravel + Spatie RBAC + MySQL schema + Nova admin); all `users/{uid}` Firestore doc language replaced with `users` MySQL row keyed by `google_id`; ProtectedRoute/AdminRoute docs updated for Sanctum bearer + `can:` middleware enforcement. (5) `docs/rules-tracker.md` — R-033-FIRESTORE-RULES-INDEXES converted to permanent N/A with justification; R-023/R-024/R-030 dates bumped and stale "Firebase Analytics" / "Firebase Google popup auth" descriptions corrected; sub-project map updated to remove `example-apps/firebase-backend/`; tracker run-history row added for today. Verification: `yarn lint` exit 0 (root + website), `yarn build` exit 0 (root plugin Rollup + website Vite + postbuild-seo 16 per-route HTML + 9 discovery files). Final-pass grep confirms only explicit negative/historical Firebase mentions remain ("no Firestore branch", "do not propose Firebase Storage", `.firebase/hosting.*` gitignore note for Firebase Hosting cache). 2026-05-16 finalization-audit cooldown (until 2026-05-23) unaffected — this is post-closure stale-content cleanup, not a new audit batch. | **COMPLETE (Phase A purge — 0 Firebase/Firestore live references remaining)** |
28
+ | 2026-05-16 | **Finalization audit for Play Store publishing — ALL 10 BATCHES COMPLETE.** User-authorised cooldown bypass of the 2026-05-11 production-readiness audit (override condition #1) to make the website Capacitor-wrapped Play Store publishable + Laravel backend deploy-ready + plugin polished. Scope: every batch from `docs/project-audit/2026-05-16/01-BATCH-PLAN.md`. Batch 1 (backend Sanctum/LOG_LEVEL/Firebase docblock cleanup; 110/110 tests). Batch 2 (11 ESLint rules-of-hooks errors fixed across 8 files + plugin `getLocalStorage()` safe-accessor → 62/62 tests, was 53/62). Batch 3 (auth-token.ts rewritten with @capacitor/preferences + in-memory cache + event-driven 401 auto-redirect). Batch 4 (26 new backend tests across OAuth + Sanctum + Spatie + UpdateBuildRequest FormRequest → 136/136 backend tests). Batch 5 (4 admin pages migrated to TanStack Query with hierarchical keys + URL-state pagination + keepPreviousData). Batch 6 (VITE_FIREBASE_* dropped + Firebase comment sweep + HomePage step-02 fixed). Batch 7 (Play Store full-description.md + data-safety.md rewritten + 4 legal pages updated for Sanctum stack + unverifiable SOC/ISO/SLA claims removed from SecurityPage). Batch 8 (signingConfigs.release + ProGuard/R8 + network_security_config.xml + 10-section BUILD_FOR_PLAY_STORE.md runbook). Batch 9 (15 branded launcher PNGs + 11 splash PNGs + 3 Play Store graphics rendered from SVG via rsvg-convert + screenshots/CAPTURE-GUIDE.md). Batch 10 (PAGE_LAST_UPDATED + JSON-LD softwareVersion 2.0.0→3.0.1 + sitemap regen). Final verification: yarn build (root plugin + website) exit 0, yarn lint exit 0, root yarn test:run 62/62, backend php artisan test 136/136 (+26 over baseline), npx cap sync android clean, gradle config parses. Plan: `docs/project-audit/2026-05-16/00-FINALIZATION-PLAN.md`. Tracker: `docs/tracking/finalization-2026-05-16-tracker.json`. Per-batch session reports under `docs/project-audit/2026-05-16/sessions/batch-01.md` through `batch-10.md`. **Flow CLOSED.** Next allowed re-run: 2026-05-23 (7-day cooldown). Override conditions: broken build/tests, production incident, new high-severity CVE, major API change, explicit user bypass. | **COMPLETE (10/10 — 7-day cooldown until 2026-05-23)** |
29
+ | 2026-05-11 | Production-readiness audit Batch 10 — Final closure + v3.0.1 cut (flow COMPLETE). package.json 3.0.0 → 3.0.1 (patch bump — audit added docs+tooling without changing plugin's public API; SemVer-correct). docs/CHANGELOG.md: new [3.0.1] entry above the existing 3.0.0 entry, with Added (docs site / pentest checklist / perf bench / example-bundle CI / example-app capability cards), Fixed (stale firebase-backend card on ExamplesPage), Documentation (marketing-website findings / MARKETING_WEBSITE_TRACKER supersession / React 18-vs-19 reasoning), Closed (production-readiness audit with 7-day cooldown) sections. Audit tracker last_run.status flipped 'in_progress' → 'complete'; completed_at=2026-05-11; next_allowed_run_after=2026-05-18 (7-day cooldown). All 10 batch entries (1-9 + 5b + 10) carry status='completed'. Verification: yarn lint exit 0; yarn build exit 0 (root plugin); website tsc + build verified at Batch 9 commit. 9 pre-existing test failures in src/__tests__/integration.test.ts persist (vitest node env lacks localStorage; not blocking per fix-only override conditions). Portfolio-info weekly refresh deferred to its own cadence; website in-page changelog deferred to next website touch under the SEO 3-day-plus-commit-delta gate. **Audit flow CLOSED.** Next allowed re-run: 2026-05-18. Override conditions: broken build/tests, production incident, new high-severity CVE, major API change. | **COMPLETE (Audit 10/10 — 7-day cooldown until 2026-05-18)** |
30
+ | 2026-05-11 | Production-readiness audit Batch 9 — Marketing-website tracker close-out (R5). website/src/pages/ExamplesPage.tsx: removed third backendExamples entry advertising the deleted example-apps/firebase-backend (GitHub link 404'd, description contradicted website's own v3 architecture rule); two canonical examples (React + Capacitor, Node + Express) kept; Layers icon import retained (used elsewhere). docs/MARKETING_WEBSITE_TRACKER.md: marked SUPERSEDED with redirect block pointing to current findings doc + per-route SEO coverage tracker + website CLAUDE.md SEO history (file kept for history archaeology, not deleted). docs/project-audit/MARKETING-WEBSITE-FINDINGS-2026-05-11.md: new per-page findings doc — 1 inline fix (ExamplesPage card), 3 deferred follow-ups (stale MDX docs mirror at website/public/package-docs/docs/examples/firebase-backend-example.md, HomePage missing Screenshots/Demo section, DocsPage.tsx 1,406-line size violation), 7 surfaces explicitly cleared (Header/Footer internal links resolve to all registered routes, dashboard empty states across 6 pages, AboutPage CodePush references are correct, JSON-LD version current, console.* migrated to logger). Website tsc --noEmit exit 0; yarn build exit 0 (16 per-route SEO HTML files; 9 discovery files). | In progress (Audit Batch 9/10) |
31
+ | 2026-05-11 | Production-readiness audit Batch 8 — Roadmap features for v3.x (R3 second half + R1 + R2 + R4/I16 + I17). .github/workflows/example-bundle.yml (release+manual+weekly-cron — build example app, sign, attach signed zip + .sig + metadata to GitHub Release; ephemeral-key fallback with warning when NATIVE_UPDATE_EXAMPLE_PRIVATE_KEY secret missing; concurrency-grouped per tag). docs/PERFORMANCE.md (what-dominates-real-world-OTA framing, microbenchmark targets, regression workflow, hot-paths map, what-NOT-covered block). tools/bench/ Vitest microbenchmark scaffold — verify-checksum.bench.ts (SHA-256 over 1/5/20 MB), verify-signature.bench.ts (RSA-2048 + RSA-4096 SHA-256 verify over 5 MB), tools/bench/README.md (3-section methodology). docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md (~10-section DIY pentest checklist — dep hygiene, authN/authZ, CORS/CSRF, bundle integrity, file safety, data handling, operational safety, mobile platform, 9 specific attack paths). example-apps/react-capacitor/src/App.tsx — 3 new capability cards (App Update getAppUpdateInfo+openAppStore, App Review canRequestReview+requestReview, Background Update toggle with allowMeteredConnection+nextCheckTime status) wired with 5 useState + 3 useCallback + data-testid hooks; App.css extended with .capability-card visual language. example-apps/react-capacitor/README.md — new "React 18 vs React 19" section explaining stable-downstream-target reasoning. eslint.config.js — added tools/bench/** to ignores (bench files are vitest-bench, not production source). yarn lint clean; yarn build clean; example-app tsc + vite build clean (after 3 type-fixes during integration: BackgroundUpdateType.LIVE_UPDATE enum reference, nextCheckTime field, allowMeteredConnection field). Discovered pre-existing finding: 9 src/__tests__/integration.test.ts failures predate this batch (NativeUpdateWeb.loadStoredData reads localStorage in constructor; vitest node env lacks it). Verified via git-stash baseline — NOT a regression. Logged for a future test-infrastructure batch (likely Batch 10 cleanup). | In progress (Audit Batch 8/10) |
32
+ | 2026-05-11 | Docs site Batch 10 — SEO + Firebase deploy + GitHub publish (final batch, flow CLOSED). static/robots.txt with 30+ AI-bot allow list (GPTBot, ClaudeBot, PerplexityBot, Google-Extended, Applebot-Extended, OAI-SearchBot, anthropic-ai, Claude-Web, Perplexity-User, YouBot, CCBot, Diffbot, cohere-ai, Meta-ExternalAgent, FacebookBot, Amazonbot, MistralAI-User, +traditional search bots) + 8-bot block list; static/llms.txt (9.6KB llmstxt.org index of all 58 pages by Diátaxis quadrant); static/llms-full.txt (15.4KB long-form LLM summary); static/humans.txt; static/.well-known/security.txt (RFC 9116 with 2027 Expires + inline responsible-disclosure policy); static/sitemap-index.json (machine-readable section index complementing sitemap.xml). docusaurus.config.ts: headTags with 3 JSON-LD blocks (WebSite + SoftwareApplication softwareVersion 3.0.0 + Organization), canonical link, theme-color, application-name; themeConfig.metadata extended with description fallback, expanded keywords, max-image-preview:large robots meta, twitter:site, og:locale, og:image:width/height. firebase.json (public=build, cleanUrls, immutable asset Cache-Control, HSTS+CSP-lite security headers); .firebaserc; package.json firebase:emulate/deploy/preview yarn scripts. DEPLOY.md 6-section runbook (gh repo create + Firebase project create + custom domain DNS + recurring deploy + GSC/Bing submission + troubleshooting). yarn typecheck + yarn build green; all 7 discovery files in build/; 3 JSON-LD blocks verified in built index.html. **Docs site flow CLOSED.** tracker.json last_run.status='complete', completed_at=2026-05-11, next_allowed_run_after=2026-05-18 (7-day cooldown). Firebase deploy + GitHub repo creation are documented user-actions in DEPLOY.md (require user-account auth — cannot be agent-automated). | **COMPLETE (Docs site 10/10 — 7-day cooldown until 2026-05-18)** |
33
+ | 2026-05-11 | Docs site Batch 9 — Concepts & explanations (6 pages, ~12,000 words). how-ota-updates-work.md (five-moving-parts framing + 11-step lifecycle + why-this-design covering integrity/atomicity/reversibility); bundle-integrity-and-signing.md (envelope-and-bag metaphor, SHA-256 vs RSA-SHA256 layer split, five-entity trust chain, what signing does NOT protect, RSA algorithm-choice rationale); update-strategies-compared.md (4-strategy comparison + one-line decision tree, per-strategy deep dives, background-orthogonal-to-strategies, what's-not-in-the-model); architecture.md (5-component overview + 3 mermaid diagrams (build-time flowchart, deploy-time sequence, runtime sequence) + trust-boundaries diagram with 4-zone breakdown + SDK-vs-backend versioning intersection rule); security-model.md (3-class threat model, 3-layer defense, explicit in-scope vs out-of-scope, 6 operational assumptions, regulated-industries note); error-handling-philosophy.md (fail-closed-on-correctness vs fail-open-on-availability framing, typed-error-codes everywhere, host-app-must-keep-running rule with safeBootstrapOta pattern, calibration rationale for 60s notifyAppReady window + 30min signed-URL TTL). sidebars.ts wired; commented Batch-9 placeholder removed. yarn build green; all 6 .html files generated under build/concepts/; mermaid theme already enabled. Docs site total now 58 pages (all content sections complete — only final SEO+deploy batch remains). | In progress (Docs site Batch 9/10) |
34
+ | 2026-05-11 | Docs site Batch 8 — Tutorials & How-to guides (8 pages, ~12,800 words). Tutorials: first-ota-update.md (10-step happy-path from install → keypair → bundle → sign → SaaS upload → device verify → ship a visible-change update) and backend-first-walkthrough.md (13-step self-hosted Laravel + Nova: clone/install/migrate/serve/Nova-login/seed-admin-via-tinker/first-App/first-ApiKey/first-SigningKey/wire-app-to-LAN/bundle-sign-upload/device verify). How-to: manage-channels (channel model + setChannel runtime switch + promote patterns); rotate-signing-keys (scheduled multi-key transition with publicKey-as-array + 95%-app-store-adoption gate; emergency-revoke path with expedited-review note; 3 anti-patterns); roll-back-bundle (3-layer: auto crash-rollback via notifyAppReady 60s window, cohort-wide via Rollout%/Is_Active/downgrade-as-latest, explicit per-device rollback API); migrate-from-codepush (App Center retirement, concept-mapping table, 6-step side-by-side migration, sync-option mapping); ci-cd-github-actions (full production workflow with concurrency + umask + verify-as-release-gate + cleanup-always + manual-approval via GitHub Environments); test-bundles-locally (3 loops in increasing fidelity: bundle-verify smoke / dev server / full LAN test). sidebars.ts wired with both new categories; commented Batch-8 placeholders removed. yarn build green; all 8 .html files generated under build/tutorials + build/how-to. Docs site total now 52 pages (only Concepts + final SEO/deploy batches remain). | In progress (Docs site Batch 8/10) |
35
+ | 2026-05-11 | Docs site Batch 7 — Platform guides (3 pages, ~6,000 words). android.md (6 required permissions with sensitive vs non-sensitive breakdown + tools:node='remove' opt-out, manifest-additions <service> + <receiver>, WorkManager constraints NetworkType.UNMETERED/setRequiresBatteryNotLow/setRequiresCharging with Doze + App Standby caveats, Play Core + Play Review with internal-testing-track gotcha, network security config for localhost cleartext, ProGuard rules + likely failure modes, Play Console rejection rules for merged-manifest sensitive permissions + foreground-service notification requirement, smoke tests with adb logcat filters); ios.md (deployment target iOS 14, SPM vs CocoaPods, BGTaskSchedulerPermittedIdentifiers, UIBackgroundModes, NSAppTransportSecurity with localhost exception, PrivacyInfo.xcprivacy template covering UserDefaults CA92.1 + FileTimestamp C617.1, SKStoreReviewController throttling (Apple 3/365 + plugin's knobs), App Store Review Guideline 2.5.2 compliance with WKWebView carve-out and rejection-reason examples, Keychain accessibility level, TestFlight + Xcode debugging including BGTaskScheduler LLDB simulate command); web.md (what-works method-by-method, service-worker update path with full message-passing code, three legitimate use cases, three when-NOT-to-use callouts, browser-support matrix). sidebars.ts wired; commented Batch-7 placeholder removed. yarn build green; all 3 .html files generated under build/platforms/. Docs site total now 44 pages (SDK + CLI + Backend + Platforms sections complete). | In progress (Docs site Batch 7/10) |
36
+ | 2026-05-11 | Docs site Batch 6 — Backend setup guides (5 pages, ~9,200 words). overview.md (when-to-self-host vs SaaS, 3-option matrix, what-stays-the-same invariants); laravel-nova-self-host.md (full env walk-through, ~14-table schema notes, queue-worker systemd unit, 4 storage backends, Firebase token verification + clock-skew gotcha, smoke-test commands); node-express-minimal.md (~160-line ref dissected, contract-mapping with code snippets, what's-missing-for-production callouts); api-contract.md (full wire spec for 6 endpoints with auth/headers/response shapes, error envelope convention, 11 canonical field names callout); nova-admin-overview.md (Content vs Security groups, 5-resource tour with fields/actions/use-cases, 10 Nova Actions table, admin-bypass `before`-hook policy pattern). sidebars.ts wired; commented Batch-6 placeholder removed. yarn build green; all 5 .html files generated under build/backend/. Docs site total now 41 pages (SDK + CLI + Backend sections complete). | In progress (Docs site Batch 6/10) |
37
+ | 2026-05-11 | Docs site Batch 5 — CLI Reference (9 pages, ~6,500 words). overview.md (install, when-to-use matrix, quick-start workflow, exit codes, default-artifact-locations, what-CLI-does-NOT-do, FAQ); init.md (4-prompt interactive flow, generated config shape, common errors); keys-generate.md (RSA 2048/4096 + EC P-256/P-384 matrix, chmod 600 private key, rotation guidance); bundle-create.md (flags, refused-bundle list for safety, success output sample, reproducibility note); bundle-sign.md (RSA-SHA256, .sig sidecar JSON shape, CI workflow, PEM-error catalogue); bundle-verify.md (sidecar lookup convention, CI release-gate pattern, step-by-step verification flow); server-start.md (4 endpoints documented, localhost-vs-LAN caveat for devices); monitor.md (dashboard preview, /api/stats response shape, 5s polling + 5-failure bail, SIGINT/SIGTERM handling); backend-create.md (express/firebase/vercel, SCAFFOLD_BANNER explained, TODO[SCAFFOLD-IMPLEMENT-BEFORE-DEPLOY] grep workflow, when-NOT-to-use guidance pointing to example-apps/node-express + backend/). sidebars.ts wired; commented Batch-5 placeholder removed. yarn build green; all 9 .html files generated under build/reference/cli/. Docs site total now 36 pages. | In progress (Docs site Batch 5/10) |
38
+ | 2026-05-08 | Batch 7 — env-sync + repo-public runbook + URL-state sweep + CI yarn fix + release workflow. backend/.env.example per-var GOOGLE/PAYPAL comments; website/.env.example + 3 `VITE_NATIVE_UPDATE_*` rows; new `docs/SECURITY-IF-REPO-PUBLIC.md` (preventive runbook ~250 lines); 4 dashboard pages migrated to URL state via `lib/hooks/useUrlState.ts` (extended with useUrlEnumState + useClearUrlParams); duplicate hook removed via consolidation. `.github/workflows/ci.yml` rewritten npm→yarn (corepack, node 20, yarn 4); `.github/workflows/release.yml` created (tag-driven npm publish with provenance + GitHub Release). | In progress (Batch 7/10) |
39
+ | 2026-05-08 | Batch 6 — website UI/UX polish (I4 + I5 + I6). Dialog.tsx migrated to @radix-ui/react-dialog (public API preserved across all 6 call sites; gains role/aria-modal/focus-trap/ESC/portal for free). New `src/hooks/useUrlState.ts` (5 helpers); AppsPage delete + form dialogs converted from useState to `?formMode/?editId/?deleteId` URL state. Zero per-page Query overrides confirmed via grep; canonical cache-contract doc in App.tsx. yarn typecheck + yarn build green. | In progress (Batch 6/10) |
40
+ | 2026-05-08 | Batch 5b — AboutPage rewrite + postbuild-seo body-injection. AboutPage extended to ≥1000 words with definition-first intro, project history timeline, audience cards, 7-entry FAQ, tips, author/date, plus AboutPage+Person+FAQPage JSON-LD. postbuild-seo gained a `bodyContent` field that injects a semantic-HTML `<noscript>` block right after `<div id="root">` so AI crawlers without JS see real content. Static HTML word counts: /features 1492→1956, /pricing 1457→1897, /about (thin)→1913. | In progress (Batch 5b/10) |
41
+ | 2026-05-08 | Batch 5 — SEO/AEO content enrichment (I7 partial, I8, I9). FeaturesPage + PricingPage rewritten to ≥1000 unique words each with definition-first intro, use cases, HowTo steps, FAQ (7+8), tips, author, lastUpdated, plus JSON-LD (SoftwareApplication / FAQPage / HowTo / Product with 3 Offers showing real $0/$29/$199 tiers). Created `website/public/pricing.md` machine-readable pricing. Feed.xml `lastBuildDate` now emits runtime stamp. AboutPage rewrite + postbuild-seo body-injection deferred to Batch 5b. Static HTML: /features 1492 words, /pricing 1457 words. | In progress (Batch 5/10) |
42
+ | 2026-05-08 | Batch 4 — centralized logger + plugin polish + CLI scaffold (I1, I2, I3, B2). 9 live `console.*` in src/web.ts + src/core/event-emitter.ts → Logger; ConsoleAnalyticsProvider documented as architectural exception. iOS Capacitor SDK workaround comment added. CLI backend-create.js: 8 TODOs → `TODO[SCAFFOLD-IMPLEMENT-BEFORE-DEPLOY]` greppable markers; SCAFFOLD_BANNER injected into 3 entry-point templates; post-generation warning. yarn lint+build exit 0, 62/62 tests still pass. | In progress (Batch 4/10) |
43
+ | 2026-05-08 | Batch 3 — backend tests + FormRequests + auto-create flag (B5, I14, I11, I10) + pre-existing test fix + storage_path bug fix. New: 4 FormRequest classes, 2 test files (BundleUploadTest 7 cases + UserLicenseTest 5 cases), `native_update.firebase_auto_create` config flag. Refactored AppController/ApiKeyController/BuildController to use FormRequests. php artisan test 117/117 passing (was 104/105). | In progress (Batch 3/10) |
44
+ | 2026-05-08 | Batch 2 — backend security hardening + deploy runbook (B4, I12, I13, H1, I15, B6, N4, N5). New policies (User/Build/ApiKey/SigningKey/App admin-bypass) + AuthServiceProvider; Nova/User.php canSee guards; backend/config/cors.php with env-driven allowlist; PayPal webhook Feature test (4 cases); docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md. php artisan test 104/105 passing (1 pre-existing failure unrelated to this batch). yarn lint exit 0, 62/62 plugin tests still passing. | In progress (Batch 2/10) |
45
+ | 2026-05-08 | Production-readiness audit kickoff + Batch 1 — created `docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md` (39 items + 5 roadmap), `docs/project-audit/BATCH-PLAN.md` (10 batches), `docs/tracking/production-readiness-audit-tracker.json` (resumeable, 7-day cooldown). Retired `docs/tracking/full-audit-tracker.json`. Batch 1 fixes: package.json `files` += android/manifest-additions.xml; cli/commands/monitor.js (interval/spinner cleanup, signal handlers, failure bail); rollup.config.js duplicate `comments` key removed; example-apps/react-capacitor/README.md firebase-backend refs replaced with node-express + Laravel pointers + standalone-install instructions. yarn lint exit 0, yarn build exit 0, 62/62 tests pass. | In progress (Batch 1/10) |
46
+ | 2026-05-04 | v3.0.0 — Firestore removed from plugin SDK + website; Laravel-only backend; +preferences/me/analytics/rollouts dashboard endpoints; deleted `example-apps/firebase-backend/`, `src/firestore/`, `website/src/types/firestore.ts`, `website/src/types/index.ts`. yarn build + 62/62 tests + website tsc all green. Commits 1b82d48, 4ce5a78. | Passed |
47
+ | 2026-05-03 | Full audit re-run requested → SKIPPED (7-day cooldown, last run 2026-05-02) | Skipped |
48
+ | 2026-05-02 | Full audit + fixes (code, SEO, AEO, content) | Passed |
49
+ | 2026-04-25 | Generic Project Rules Master Pass (R-001→R-039) | Passed |
50
+ | 2026-04-24 | Website SEO/AEO/AIO Full Pass | Passed |
51
+ | 2026-03-28 | Laravel Backend + Nova | Passed |
52
+ | 2026-03-24 | Portfolio + Docs Refresh | Passed |
53
+ | 2026-02-02 | Package Update | Passed |
54
+ | 2026-01-23 | Full Audit | Passed |
55
+
56
+ **Last Audit Details (pre-v3 baseline):** Package manager (yarn confirmed), Build (0 errors), TypeScript (0 errors), Tests (89/89 passing), Features (all complete), TODOs (none found). Code/SEO/Content audit found and fixed: Firestore disconnectDrive atomicity, console.* → logger across services + dashboard pages, ExamplesPage route + nav + sitemap wiring, dead GitHub link, stale humans.txt/llms-full.txt/security.txt/robots.txt dates, broken icon refs in index.html + manifest.json, stale 1.4.9 → 2.0.0 in JSON-LD softwareVersion. Generic Project Rules tracker at `docs/rules-tracker.md`.
57
+ **Last Verified:** 2026-05-02 | **Next Audit Due:** 2026-05-16
58
+
59
+ ## Re-run procedures (moved from CLAUDE.md)
60
+
61
+ ### Production-readiness audit
62
+ - Read `docs/tracking/production-readiness-audit-tracker.json` FIRST. If `last_run.status == "complete"` AND today < `last_run.next_allowed_run_after`, SKIP — tell the user the date and what completed. If `in_progress`, find the lowest-numbered batch with `status != "completed"` in `batches[]` and resume there. Do NOT redo earlier batches.
63
+ - Per-batch: invoke RULE #0 skills → apply fixes per `BATCH-PLAN.md` → run that batch's verification → ONE commit per batch → update tracker.
64
+ - Final closure: set `last_run.status = "complete"`, `completed_at = today`, `next_allowed_run_after = today + 7 days`. Sync this history + CLAUDE.md summary in the same commit.
65
+ - Override conditions: explicit user bypass, broken build/tests, production incident, critical-dep CVE.
66
+
67
+ ### Public Docusaurus docs site
68
+ - Sibling repo: `/home/ahsan/Documents/01-code/projects/native-update-docs/` (remote `github.com/aoneahsan/native-update-docs`, created by user via `gh repo create`).
69
+ - Hosting: Firebase Hosting project `native-update-docs` (deployed by user via `yarn firebase:deploy`).
70
+ - Dev port: 5960 (preview 5961) — registered in `~/.dev-ports.json` as `native-update-docs`.
71
+ - Tracker: `docs/docs-site/tracker.json`; scope: `docs/docs-site/scope.md`; plan: `docs/docs-site/plan.md` (10 batches); deploy runbook: `native-update-docs/DEPLOY.md`.
72
+ - Re-run protocol: read tracker FIRST; same cooldown/resume logic as the production audit. ONE commit per batch in each affected repo.
73
+ - Why a separate repo: plugin source GitHub is private; a public docs repo gives an additional indexable surface, satisfies AI-bot crawl access, and lets contributors propose doc fixes without plugin-source access.
74
+ - Site totals at last close (Batch 10): 58 pages, ~76k words, full Diátaxis coverage (Tutorials + How-to + Reference + Explanation), 7 discovery files (robots/llms/llms-full/humans/security/sitemap-index/sitemap), 3 JSON-LD blocks per page (WebSite + SoftwareApplication + Organization), Firebase Hosting deploy-ready.