native-update 2.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (258) hide show
  1. package/Readme.md +28 -14
  2. package/android/manifest-additions.xml +28 -0
  3. package/android/src/main/AndroidManifest.xml +3 -7
  4. package/android/src/main/java/com/aoneahsan/nativeupdate/BackgroundNotificationManager.kt +21 -13
  5. package/android/src/main/java/com/aoneahsan/nativeupdate/LiveUpdatePlugin.kt +196 -29
  6. package/android/src/main/java/com/aoneahsan/nativeupdate/NativeUpdatePlugin.kt +21 -36
  7. package/cli/AGENTS.md +15 -1
  8. package/cli/CLAUDE.md +15 -1
  9. package/cli/commands/backend-create.js +56 -15
  10. package/cli/commands/bundle-create.js +39 -7
  11. package/cli/commands/monitor.js +72 -51
  12. package/cli/index.js +10 -24
  13. package/cli/package.json +11 -3
  14. package/dist/esm/app-review/app-review-manager.js +0 -1
  15. package/dist/esm/app-review/index.js +0 -1
  16. package/dist/esm/app-review/platform-review-handler.js +0 -1
  17. package/dist/esm/app-review/review-conditions-checker.js +0 -1
  18. package/dist/esm/app-review/review-rate-limiter.js +0 -1
  19. package/dist/esm/app-review/types.js +0 -1
  20. package/dist/esm/app-update/app-update-checker.js +0 -1
  21. package/dist/esm/app-update/app-update-installer.d.ts +1 -0
  22. package/dist/esm/app-update/app-update-installer.js +19 -8
  23. package/dist/esm/app-update/app-update-manager.js +0 -1
  24. package/dist/esm/app-update/app-update-notifier.js +0 -1
  25. package/dist/esm/app-update/index.js +0 -1
  26. package/dist/esm/app-update/platform-app-update.js +12 -3
  27. package/dist/esm/app-update/types.js +0 -1
  28. package/dist/esm/background-update/background-scheduler.js +0 -1
  29. package/dist/esm/background-update/index.js +0 -1
  30. package/dist/esm/background-update/notification-manager.js +0 -1
  31. package/dist/esm/config/support.js +0 -1
  32. package/dist/esm/core/analytics.d.ts +13 -0
  33. package/dist/esm/core/analytics.js +15 -1
  34. package/dist/esm/core/cache-manager.js +0 -1
  35. package/dist/esm/core/config.d.ts +0 -15
  36. package/dist/esm/core/config.js +0 -4
  37. package/dist/esm/core/errors.d.ts +1 -0
  38. package/dist/esm/core/errors.js +1 -1
  39. package/dist/esm/core/event-emitter.d.ts +0 -3
  40. package/dist/esm/core/event-emitter.js +8 -3
  41. package/dist/esm/core/logger.js +0 -1
  42. package/dist/esm/core/performance.js +0 -1
  43. package/dist/esm/core/plugin-manager.js +3 -1
  44. package/dist/esm/core/security.d.ts +11 -0
  45. package/dist/esm/core/security.js +27 -1
  46. package/dist/esm/definitions.d.ts +0 -11
  47. package/dist/esm/definitions.js +0 -1
  48. package/dist/esm/index.d.ts +3 -2
  49. package/dist/esm/index.js +3 -1
  50. package/dist/esm/live-update/bundle-manager.d.ts +8 -0
  51. package/dist/esm/live-update/bundle-manager.js +20 -1
  52. package/dist/esm/live-update/certificate-pinning.js +0 -1
  53. package/dist/esm/live-update/delta-processor.d.ts +1 -1
  54. package/dist/esm/live-update/delta-processor.js +3 -1
  55. package/dist/esm/live-update/download-manager.js +9 -2
  56. package/dist/esm/live-update/rollout-checker.d.ts +1 -1
  57. package/dist/esm/live-update/rollout-checker.js +5 -6
  58. package/dist/esm/live-update/update-manager.js +0 -1
  59. package/dist/esm/live-update/version-manager.d.ts +0 -12
  60. package/dist/esm/live-update/version-manager.js +0 -68
  61. package/dist/esm/plugin.js +69 -43
  62. package/dist/esm/security/crypto.js +11 -7
  63. package/dist/esm/security/validator.js +0 -1
  64. package/dist/esm/types/rollout.d.ts +85 -0
  65. package/dist/esm/types/rollout.js +25 -0
  66. package/dist/esm/web.d.ts +8 -0
  67. package/dist/esm/web.js +148 -54
  68. package/dist/plugin.cjs.js +1 -2
  69. package/dist/plugin.esm.js +1 -2
  70. package/dist/plugin.js +2 -3
  71. package/docs/CHANGELOG.md +124 -0
  72. package/docs/CLAUDE.md +1 -1
  73. package/docs/MANUAL-TASKS.md +17 -0
  74. package/docs/MARKETING_WEBSITE_TRACKER.md +18 -2
  75. package/docs/MIGRATION.md +83 -0
  76. package/docs/PACKAGES.md +167 -0
  77. package/docs/PERFORMANCE.md +110 -0
  78. package/docs/PROJECT_COMPLETION_TRACKER.md +4 -35
  79. package/docs/README.md +0 -1
  80. package/docs/REMAINING_FEATURES.md +123 -76
  81. package/docs/ROADMAP.md +200 -120
  82. package/docs/SECURITY-IF-REPO-PUBLIC.md +232 -0
  83. package/docs/TESTING_REQUIREMENTS.md +1 -112
  84. package/docs/ai-knowledge-base/00-project-profile.md +38 -0
  85. package/docs/ai-knowledge-base/01-features.md +46 -0
  86. package/docs/ai-knowledge-base/02-routes.md +72 -0
  87. package/docs/ai-knowledge-base/03-tech-stack.md +57 -0
  88. package/docs/ai-knowledge-base/README.md +23 -0
  89. package/docs/analytics-tracking.md +37 -0
  90. package/docs/capacitor-official-plugins.md +46 -0
  91. package/docs/capawesome-plugins.md +29 -0
  92. package/docs/deployment/HOSTINGER_DEPLOY.md +75 -34
  93. package/docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md +184 -0
  94. package/docs/docs-site/plan.md +201 -0
  95. package/docs/docs-site/scope.md +127 -0
  96. package/docs/docs-site/tracker.json +235 -0
  97. package/docs/error-handling-tracking.md +37 -0
  98. package/docs/guides/testing-guide.md +15 -41
  99. package/docs/package-audit.md +41 -0
  100. package/docs/play-store/ASO-METADATA.md +5 -0
  101. package/docs/play-store/DATA-SAFETY.md +5 -0
  102. package/docs/play-store/DECLARATIONS.md +5 -0
  103. package/docs/play-store/README.md +27 -0
  104. package/docs/play-store/RELEASE-NOTES.md +99 -0
  105. package/docs/play-store/RELEASE-STEPS.md +6 -0
  106. package/docs/play-store/STORE-LISTING.md +7 -0
  107. package/docs/play-store/SUBMISSION-CHECKLIST.md +5 -0
  108. package/docs/production-readiness.md +1 -1
  109. package/docs/project-audit/2026-05-16/00-FINALIZATION-PLAN.md +123 -0
  110. package/docs/project-audit/2026-05-16/01-BATCH-PLAN.md +227 -0
  111. package/docs/project-audit/2026-05-16/02-AUDIT-FINDINGS.md +144 -0
  112. package/docs/project-audit/2026-05-16/sessions/batch-01.md +42 -0
  113. package/docs/project-audit/2026-05-16/sessions/batch-02.md +74 -0
  114. package/docs/project-audit/2026-05-16/sessions/batch-03.md +71 -0
  115. package/docs/project-audit/2026-05-16/sessions/batch-04.md +88 -0
  116. package/docs/project-audit/2026-05-16/sessions/batch-05.md +63 -0
  117. package/docs/project-audit/2026-05-16/sessions/batch-06.md +103 -0
  118. package/docs/project-audit/2026-05-16/sessions/batch-07.md +61 -0
  119. package/docs/project-audit/2026-05-16/sessions/batch-08.md +101 -0
  120. package/docs/project-audit/2026-05-16/sessions/batch-09.md +105 -0
  121. package/docs/project-audit/2026-05-16/sessions/batch-10.md +102 -0
  122. package/docs/project-audit/AUDIT-HISTORY.md +74 -0
  123. package/docs/project-audit/BATCH-PLAN.md +168 -0
  124. package/docs/project-audit/MARKETING-WEBSITE-FINDINGS-2026-05-11.md +73 -0
  125. package/docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md +275 -0
  126. package/docs/project-finalization/00-tracker.json +60 -0
  127. package/docs/project-knowledge-base/01-system-overview.md +39 -30
  128. package/docs/project-knowledge-base/02-routes-pages-forms-users.md +87 -81
  129. package/docs/project-knowledge-base/03-tech-stack-modules-services.md +140 -108
  130. package/docs/project-knowledge-base/04-data-models-integrations.md +191 -254
  131. package/docs/project-knowledge-base/05-docs-corpus-inventory.md +83 -20
  132. package/docs/project-knowledge-base/06-operations-testing-legal-content.md +67 -29
  133. package/docs/project-knowledge-base/README.md +27 -14
  134. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-05-19.md +81 -0
  135. package/docs/rules-tracker.md +102 -0
  136. package/docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md +116 -0
  137. package/docs/social-media-marketing/README.md +81 -0
  138. package/docs/social-media-marketing/posts-batch-01.md +613 -0
  139. package/docs/social-media-marketing/posts-batch-02.md +528 -0
  140. package/docs/social-media-marketing/whatsapp-messages-batch-01.md +458 -0
  141. package/docs/social-media-marketing/whatsapp-status-batch-01.md +355 -0
  142. package/docs/tracking/finalization-2026-05-16-tracker.json +346 -0
  143. package/docs/tracking/full-audit-tracker.json +121 -0
  144. package/docs/tracking/production-readiness-audit-tracker.json +429 -0
  145. package/ios/Plugin/BackgroundUpdate/BackgroundUpdatePlugin.swift +16 -3
  146. package/ios/Plugin/LiveUpdate/LiveUpdatePlugin.swift +71 -47
  147. package/ios/Plugin/NativeUpdatePlugin.swift +14 -9
  148. package/package.json +29 -29
  149. package/cli/node_modules/.yarn-integrity +0 -16
  150. package/cli/node_modules/commander/LICENSE +0 -22
  151. package/cli/node_modules/commander/Readme.md +0 -1148
  152. package/cli/node_modules/commander/esm.mjs +0 -16
  153. package/cli/node_modules/commander/index.js +0 -26
  154. package/cli/node_modules/commander/lib/argument.js +0 -145
  155. package/cli/node_modules/commander/lib/command.js +0 -2179
  156. package/cli/node_modules/commander/lib/error.js +0 -43
  157. package/cli/node_modules/commander/lib/help.js +0 -462
  158. package/cli/node_modules/commander/lib/option.js +0 -329
  159. package/cli/node_modules/commander/lib/suggestSimilar.js +0 -100
  160. package/cli/node_modules/commander/package-support.json +0 -16
  161. package/cli/node_modules/commander/package.json +0 -80
  162. package/cli/node_modules/commander/typings/esm.d.mts +0 -3
  163. package/cli/node_modules/commander/typings/index.d.ts +0 -884
  164. package/cli/yarn.lock +0 -8
  165. package/dist/esm/__tests__/bundle-manager.test.d.ts +0 -1
  166. package/dist/esm/__tests__/bundle-manager.test.js +0 -151
  167. package/dist/esm/__tests__/bundle-manager.test.js.map +0 -1
  168. package/dist/esm/__tests__/config.test.d.ts +0 -1
  169. package/dist/esm/__tests__/config.test.js +0 -70
  170. package/dist/esm/__tests__/config.test.js.map +0 -1
  171. package/dist/esm/__tests__/delta-processor.test.d.ts +0 -1
  172. package/dist/esm/__tests__/delta-processor.test.js +0 -77
  173. package/dist/esm/__tests__/delta-processor.test.js.map +0 -1
  174. package/dist/esm/__tests__/firestore-schema.test.d.ts +0 -1
  175. package/dist/esm/__tests__/firestore-schema.test.js +0 -74
  176. package/dist/esm/__tests__/firestore-schema.test.js.map +0 -1
  177. package/dist/esm/__tests__/integration.test.d.ts +0 -1
  178. package/dist/esm/__tests__/integration.test.js +0 -78
  179. package/dist/esm/__tests__/integration.test.js.map +0 -1
  180. package/dist/esm/__tests__/manifest-reader.test.d.ts +0 -1
  181. package/dist/esm/__tests__/manifest-reader.test.js +0 -271
  182. package/dist/esm/__tests__/manifest-reader.test.js.map +0 -1
  183. package/dist/esm/__tests__/rollout-checker.test.d.ts +0 -1
  184. package/dist/esm/__tests__/rollout-checker.test.js +0 -210
  185. package/dist/esm/__tests__/rollout-checker.test.js.map +0 -1
  186. package/dist/esm/__tests__/security-enforcement.test.d.ts +0 -1
  187. package/dist/esm/__tests__/security-enforcement.test.js +0 -95
  188. package/dist/esm/__tests__/security-enforcement.test.js.map +0 -1
  189. package/dist/esm/__tests__/security.test.d.ts +0 -1
  190. package/dist/esm/__tests__/security.test.js +0 -54
  191. package/dist/esm/__tests__/security.test.js.map +0 -1
  192. package/dist/esm/__tests__/version-manager.test.d.ts +0 -1
  193. package/dist/esm/__tests__/version-manager.test.js +0 -45
  194. package/dist/esm/__tests__/version-manager.test.js.map +0 -1
  195. package/dist/esm/app-review/app-review-manager.js.map +0 -1
  196. package/dist/esm/app-review/index.js.map +0 -1
  197. package/dist/esm/app-review/platform-review-handler.js.map +0 -1
  198. package/dist/esm/app-review/review-conditions-checker.js.map +0 -1
  199. package/dist/esm/app-review/review-rate-limiter.js.map +0 -1
  200. package/dist/esm/app-review/types.js.map +0 -1
  201. package/dist/esm/app-update/app-update-checker.js.map +0 -1
  202. package/dist/esm/app-update/app-update-installer.js.map +0 -1
  203. package/dist/esm/app-update/app-update-manager.js.map +0 -1
  204. package/dist/esm/app-update/app-update-notifier.js.map +0 -1
  205. package/dist/esm/app-update/index.js.map +0 -1
  206. package/dist/esm/app-update/platform-app-update.js.map +0 -1
  207. package/dist/esm/app-update/types.js.map +0 -1
  208. package/dist/esm/background-update/background-scheduler.js.map +0 -1
  209. package/dist/esm/background-update/index.js.map +0 -1
  210. package/dist/esm/background-update/notification-manager.js.map +0 -1
  211. package/dist/esm/config/support.js.map +0 -1
  212. package/dist/esm/core/analytics.js.map +0 -1
  213. package/dist/esm/core/cache-manager.js.map +0 -1
  214. package/dist/esm/core/config.js.map +0 -1
  215. package/dist/esm/core/errors.js.map +0 -1
  216. package/dist/esm/core/event-emitter.js.map +0 -1
  217. package/dist/esm/core/logger.js.map +0 -1
  218. package/dist/esm/core/performance.js.map +0 -1
  219. package/dist/esm/core/plugin-manager.js.map +0 -1
  220. package/dist/esm/core/security.js.map +0 -1
  221. package/dist/esm/definitions.js.map +0 -1
  222. package/dist/esm/firestore/firestore-client.d.ts +0 -109
  223. package/dist/esm/firestore/firestore-client.js +0 -264
  224. package/dist/esm/firestore/firestore-client.js.map +0 -1
  225. package/dist/esm/firestore/index.d.ts +0 -11
  226. package/dist/esm/firestore/index.js +0 -11
  227. package/dist/esm/firestore/index.js.map +0 -1
  228. package/dist/esm/firestore/manifest-reader.d.ts +0 -87
  229. package/dist/esm/firestore/manifest-reader.js +0 -294
  230. package/dist/esm/firestore/manifest-reader.js.map +0 -1
  231. package/dist/esm/firestore/schema.d.ts +0 -507
  232. package/dist/esm/firestore/schema.js +0 -73
  233. package/dist/esm/firestore/schema.js.map +0 -1
  234. package/dist/esm/index.js.map +0 -1
  235. package/dist/esm/live-update/bundle-manager.js.map +0 -1
  236. package/dist/esm/live-update/certificate-pinning.js.map +0 -1
  237. package/dist/esm/live-update/delta-processor.js.map +0 -1
  238. package/dist/esm/live-update/download-manager.js.map +0 -1
  239. package/dist/esm/live-update/rollout-checker.js.map +0 -1
  240. package/dist/esm/live-update/update-manager.js.map +0 -1
  241. package/dist/esm/live-update/version-manager.js.map +0 -1
  242. package/dist/esm/plugin.js.map +0 -1
  243. package/dist/esm/security/crypto.js.map +0 -1
  244. package/dist/esm/security/validator.js.map +0 -1
  245. package/dist/esm/web.js.map +0 -1
  246. package/dist/plugin.cjs.js.map +0 -1
  247. package/dist/plugin.esm.js.map +0 -1
  248. package/dist/plugin.js.map +0 -1
  249. package/docs/FIREBASE_INTEGRATION_TRACKER.md +0 -321
  250. package/docs/FIREBASE_QUERIES_AND_INDEXES_AUDIT.md +0 -221
  251. package/docs/examples/firebase-backend-example.md +0 -27
  252. package/docs/features/laravel-nova-backend/credentials.ignore.md +0 -34
  253. package/docs/guides/no-cost-backend-implementation-plan.md +0 -77
  254. package/docs/guides/no-cost-firestore-google-drive-backend.md +0 -60
  255. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-16.md +0 -454
  256. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-24.md +0 -66
  257. package/docs/project-profiles/native-update-capacitor-update-platform-project-profile-last-updated-2026-03-25.md +0 -67
  258. /package/docs/{MARKETING_WEBSITE_PLAN.md → archive/MARKETING_WEBSITE_PLAN.md} +0 -0
@@ -0,0 +1,168 @@
1
+ # Production-Readiness Batch Plan
2
+
3
+ **Created:** 2026-05-08
4
+ **Source audit:** `docs/project-audit/PRODUCTION-READINESS-AUDIT-2026-05-08.md`
5
+ **Tracker:** `docs/tracking/production-readiness-audit-tracker.json`
6
+
7
+ ## Batching philosophy
8
+
9
+ Each batch groups items that:
10
+ 1. Share a domain (so context loads once, not many times)
11
+ 2. Can be verified together with one build/test/lint pass
12
+ 3. Aren't too small (wastes overhead) and aren't too large (risks context exhaustion / partial-batch state)
13
+
14
+ Each batch ends with: `yarn lint` + `yarn typecheck` + `yarn build` + `yarn test:run` clean (plus `php artisan test` for backend batches), then ONE commit per batch (per project rule), then tracker update.
15
+
16
+ ---
17
+
18
+ ## Batch 1 — npm-publish + immediate-ship blockers (THIS SESSION)
19
+
20
+ **Goal:** every fix here unblocks shipping v3.0.x.
21
+
22
+ | ID | Severity | Fix |
23
+ |---|---|---|
24
+ | B1 | Blocker | Add `"android/manifest-additions.xml"` to `package.json` `files` array |
25
+ | B3 | Blocker | `cli/commands/monitor.js`: capture interval ID, install SIGINT/SIGTERM handlers, `clearInterval` + `spinner.stop()` on exit, bail on N consecutive failures |
26
+ | B7 | Blocker | Decide example-apps lockfile strategy: declare workspaces in root `package.json` OR document standalone `cd example-apps/react-capacitor && yarn install` flow |
27
+ | B8 | Blocker | Strip `firebase-backend` references from `example-apps/react-capacitor/README.md` (lines 14, 101, 210); replace with `node-express` only |
28
+ | N1 | Nit (free with ✏️) | `rollup.config.js`: remove duplicate `comments` key |
29
+
30
+ **Verification:** `yarn lint && yarn build && yarn test:run` from root + `cd example-apps/react-capacitor && yarn install` succeeds.
31
+ **Commit message:** `fix(release): unblock v3.0.x publish — manifest-additions in files, monitor cleanup, example lockfile, README v3 cleanup`
32
+
33
+ ---
34
+
35
+ ## Batch 2 — Backend security hardening (high-value, single domain)
36
+
37
+ | ID | Severity | Fix |
38
+ |---|---|---|
39
+ | B4 | Blocker | Add Nova policies (`canViewAny`/`canCreate`/`canUpdate`/`canDelete`) for User, App, Build, ApiKey, SigningKey resources; register in `AuthServiceProvider` |
40
+ | I12 | Important | Wrap Nova User admin panels (Suspend, License, Custom Limits) with `canSee(fn ($req) => $req->user()->isAdmin())` |
41
+ | I13 / H1 | Important / Sec-High | Publish `config/cors.php`; lock `paths` to `['api/*']`, `allowed_origins` to explicit list (`nativeupdate.aoneahsan.com` + `localhost:5942`/`5944`/`5946`) |
42
+ | I15 | Important | Confirm + test PayPal webhook is CSRF-exempt; add Feature test that POST to webhook with valid signature succeeds |
43
+
44
+ **Verification:** `cd backend && php artisan test && composer dump-autoload`.
45
+ **Commit message:** `fix(backend): Nova authorization gates, CORS lockdown, PayPal webhook test`
46
+
47
+ ---
48
+
49
+ ## Batch 3 — Backend bundle/license tests + FormRequests + deploy runbook
50
+
51
+ | ID | Severity | Fix |
52
+ |---|---|---|
53
+ | B5 | Blocker | Feature test for bundle upload + signature verify + monotonic version + duplicate detection + chunk merge (`tests/Feature/Build/BundleUploadTest.php`) |
54
+ | I14 | Important | Feature test for `User::hasValidLicense()` and a paid-tier-gated endpoint |
55
+ | I11 | Important | Extract inline validators to `app/Http/Requests/*Request.php`; use `$this->authorize()` |
56
+ | I10 | Important | Add config flag `auth.firebase.auto_create` (default `true` to preserve current behavior); document in deploy runbook |
57
+ | B6 | Blocker | Create `docs/deployment/PRODUCTION-DEPLOY-CHECKLIST.md`: APP_DEBUG=false, LOG_LEVEL=warning, APP_ENV=production, key:generate, config:cache, migrate --force, queue daemon, composer install --no-dev |
58
+ | N4 / N5 | Nit | Add comments in `backend/.env.example` recommending Redis for cache + queue daemon for prod |
59
+
60
+ **Verification:** `cd backend && php artisan test`.
61
+ **Commit message:** `feat(backend): bundle/license tests, FormRequests, production deploy runbook`
62
+
63
+ ---
64
+
65
+ ## Batch 4 — Centralized logger + plugin polish
66
+
67
+ | ID | Severity | Fix |
68
+ |---|---|---|
69
+ | I1 | Important | Replace 18 `console.*` in `src/web.ts` with `Logger.{warn,error}`; replace `console.error` in `src/core/event-emitter.ts:52`. Verify via `grep -rEn "\bconsole\." src --include="*.ts" \| grep -v "src/utils/logger"` returns zero |
70
+ | I2 | Important | Add `// CAPACITOR-SDK-WORKAROUND:` comment block in `ios/Plugin/NativeUpdatePlugin.swift:72-75` referencing Capacitor 8.x |
71
+ | I3 | Important | Reconcile `cli/templates/express/` against `example-apps/node-express/` so the scaffold ships working code |
72
+ | B2 | Blocker | For each TODO in `cli/commands/backend-create.js` (8 sites), either implement or prepend generated file with `// SCAFFOLD — implement before deploying` banner + doc reference |
73
+
74
+ **Verification:** `yarn lint && yarn build && yarn test:run`.
75
+ **Commit message:** `refactor(plugin): centralized logger in web.ts/event-emitter, CLI scaffold parity, iOS workaround docs`
76
+
77
+ ---
78
+
79
+ ## Batch 5 — SEO/AEO content enrichment (3 marketing pages + pricing.md + feed fix)
80
+
81
+ This is the largest batch. Treat as multi-page content batch per global playbook §13.
82
+
83
+ | ID | Severity | Fix |
84
+ |---|---|---|
85
+ | I7 | Important | Rewrite `FeaturesPage.tsx`, `AboutPage.tsx`, `PricingPage.tsx` to ≥1000 unique words each: definition-first intro (80-120 words), 3-5 use cases (50-80 words), 4-6 HowTo steps (30-40 words), 2-3 examples, 5-8 FAQ, 3-6 tips, author + lastUpdated. Wire into `postbuild-seo.ts` so the static HTML carries the same body. Use `ai-seo` + `copywriting` skills. |
86
+ | I8 | Important | Create `website/public/pricing.md` machine-readable file: tiers, limits, FAQ, in plain markdown. Linked from llms.txt. |
87
+ | I9 | Important | Fix `website/scripts/generate-sitemap.mjs` so feed `<lastBuildDate>` and sitemap `<lastmod>` use `new Date().toUTCString()` / `new Date().toISOString()` at build time. |
88
+
89
+ **Verification:** `cd website && yarn build` (postbuild-seo step verifies prerendered HTML); manually open three prerendered HTML pages in `dist/` and confirm `<noscript>` body has the rich content.
90
+ **Commit message:** `feat(seo): per-page rich SEO content for Features/About/Pricing + pricing.md + feed-date fix`
91
+
92
+ ---
93
+
94
+ ## Batch 6 — Website UI/UX polish (a11y dialog + URL state)
95
+
96
+ | ID | Severity | Fix |
97
+ |---|---|---|
98
+ | I4 | Important | Migrate `website/src/components/ui/Dialog.tsx` to `@radix-ui/react-dialog`. Update all import sites. |
99
+ | I5 | Important | Convert `AppsPage.tsx:50,55` and any other dashboard `useState` modal/form state to URL search params (`?deleteId=ID`, `?formMode=create\|edit&appId=ID`). Use the project's `useUrlState` hook family. Sweep all dashboard pages. |
100
+ | I6 | Important | Audit per-page TanStack Query `staleTime`/`gcTime` overrides; document the cache contract in a code comment in `App.tsx`. |
101
+
102
+ **Verification:** `cd website && yarn typecheck && yarn build`; manual: open `/dashboard/apps?deleteId=test` in incognito, confirm dialog opens; reload, confirm dialog still open; close, confirm URL param drops.
103
+ **Commit message:** `refactor(website): Radix Dialog migration, URL state for dashboard modals, query cache audit`
104
+
105
+ ---
106
+
107
+ ## Batch 7 — env-sync + security preventive docs
108
+
109
+ | ID | Severity | Fix |
110
+ |---|---|---|
111
+ | M1 | Sec-Med | Add one-line "where to get this" note next to each individual PayPal/Google sub-var in `backend/.env.example` |
112
+ | M2 | Sec-Med | Add `VITE_NATIVE_UPDATE_PUBLIC_BACKEND_URL`, `VITE_NATIVE_UPDATE_API_KEY`, `VITE_NATIVE_UPDATE_PUBLIC_KEY` rows (as `[OPTIONAL]`) to `website/.env.example` |
113
+ | H2 | Sec-High preventive | Create `docs/SECURITY-IF-REPO-PUBLIC.md` runbook: rotate every committed secret, add patterns to .gitignore, audit history with git-filter-repo |
114
+
115
+ **Verification:** none beyond docs-only changes; quick grep confirms env-example coverage.
116
+ **Commit message:** `docs(security): env-example sync + repo-public runbook`
117
+
118
+ ---
119
+
120
+ ## Batch 8 — Roadmap features for v3.x release
121
+
122
+ | ID | Severity | Fix |
123
+ |---|---|---|
124
+ | R3 | Roadmap | Create `.github/workflows/release.yml`: on tag, run `yarn build:prod`, `yarn test:run`, then `npm publish --provenance` |
125
+ | R3 | Roadmap | Create `.github/workflows/example-bundle.yml`: scheduled+manual; create signed bundle from `example-apps/react-capacitor`, attach to release |
126
+ | R4 / I16 | Important | Expand `example-apps/react-capacitor/src/App.tsx` to demo: download/apply update, app-update check, app-review prompt, background-update toggle, signature verify. One section per method. |
127
+ | I17 | Important | React 18 vs 19 decision: bump to 19 + verify build (recommended) OR add explicit "stable downstream target" note in README. |
128
+ | R1 | Roadmap | Performance-benchmarking scaffold: `tools/bench/` with Vitest-based microbench for bundle-verify + signature-verify hot paths. Doc in `docs/PERFORMANCE.md`. |
129
+ | R2 | Roadmap | `docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md`: dep audit, manual auth/CSRF/CORS check, signature-verify fuzz, license-bypass attempts. |
130
+
131
+ **Verification:** `cd example-apps/react-capacitor && yarn build && yarn lint`; root `yarn test:run`; CI workflows: `actionlint .github/workflows/*.yml` if available.
132
+ **Commit message:** `feat(release): GitHub Actions release workflow, example-app coverage, perf bench scaffold, pentest checklist`
133
+
134
+ ---
135
+
136
+ ## Batch 9 — Marketing-website tracker (rendered-on-live-pages items)
137
+
138
+ | ID | Severity | Fix |
139
+ |---|---|---|
140
+ | R5 | Roadmap | Sweep `docs/MARKETING_WEBSITE_TRACKER.md` for `[ ]` items that ARE actually rendered as gaps on live pages (not "future feature ideas"). Convert each to a small per-page issue. Examples to look for: missing screenshots in `Screenshots`/`Demo` section, stale code-snippet copy in `DocsPage`, dashboard onboarding flow polish, footer links to non-existent routes. |
141
+
142
+ **Verification:** depends on what surfaces.
143
+ **Commit message:** `chore(website): close out marketing-tracker rendered-page gaps`
144
+
145
+ ---
146
+
147
+ ## Batch 10 — Final consolidated pass + version bump + portfolio refresh
148
+
149
+ | ID | Fix |
150
+ |---|---|
151
+ | — | Bump root `package.json` version (3.0.0 → 3.0.1 if all batches done; 3.1.0 if any roadmap features added) per project version-cascade rule |
152
+ | — | Update `docs/CHANGELOG.md` + `website` changelog page + portfolio info file (weekly cadence anyway) |
153
+ | — | Final `yarn lint && yarn typecheck && yarn build && yarn test:run` from root, `cd website && yarn build`, `cd backend && php artisan test`. All clean. |
154
+ | — | Update root `CLAUDE.md` + `AGENTS.md` `Audit Record` table; tracker → `status: complete`, `completed_at`, `next_allowed_run_after = +7 days` |
155
+ | — | One commit + push |
156
+
157
+ **Verification:** all green.
158
+ **Commit message:** `chore(release): v3.0.1 — production-readiness audit batches 1-9 complete`
159
+
160
+ ---
161
+
162
+ ## Resume rules (also encoded in tracker JSON)
163
+
164
+ 1. On every run of this prompt, the FIRST action is `cat docs/tracking/production-readiness-audit-tracker.json`.
165
+ 2. If `last_run.status == "complete"` and `today < last_run.next_allowed_run_after`, SKIP. Tell the user the date and what was completed last time. Don't redo finished work.
166
+ 3. If `last_run.status == "in_progress"`, find the lowest-numbered batch with `status != "completed"` and resume there.
167
+ 4. After completing each batch: update tracker `batches[N].status = "completed"`, append a `history` entry, commit.
168
+ 5. After the final batch: set `last_run.status = "complete"`, `last_run.completed_at = today`, `last_run.next_allowed_run_after = today + 7 days`. ONE final commit.
@@ -0,0 +1,73 @@
1
+ # Marketing Website — Per-Page Findings (Batch 9 sweep)
2
+
3
+ This document captures the **rendered-on-live-pages gaps** found by sweeping the React marketing+dashboard site at `website/` on 2026-05-11. It is the deliverable for production-readiness audit Batch 9 (item R5).
4
+
5
+ This is **not** a sweep of `docs/MARKETING_WEBSITE_TRACKER.md` — that file is a stale planning artifact from 2025-12-27 (created before the live site shipped, never updated as features landed; 236 items still marked `[ ]` while the corresponding code is in production). The tracker file is now annotated as superseded — see its header note.
6
+
7
+ The findings below are grouped by page. Each item names the file, the live URL where the gap would be visible to a user today, and a concrete fix. Trivial issues are fixed inline in the Batch 9 commit; non-trivial items are listed as follow-ups for future maintenance.
8
+
9
+ Maintained by Ahsan Mahmood. Audit date: 2026-05-11.
10
+
11
+ ## Fixed in this batch (commit alongside this doc)
12
+
13
+ ### `ExamplesPage.tsx` — stale `firebase-backend` example card
14
+
15
+ - **Live URL**: `https://nativeupdate.aoneahsan.com/examples`
16
+ - **File**: `website/src/pages/ExamplesPage.tsx` lines 189-198 (third entry in the `backendExamples` array)
17
+ - **Problem**: The card advertised an `example-apps/firebase-backend` example with a GitHub source link and an in-app docs link. The underlying directory was removed in v3.0.0 (per audit history 2026-05-04), so the GitHub URL 404s. The description also mentioned "Firestore manifests," contradicting the website's own architecture rule that forbids importing `firebase/firestore` since v3.0.0 (`website/CLAUDE.md`).
18
+ - **Fix applied**: Removed the third entry from the `backendExamples` array. The two canonical v3 examples (React + Capacitor, Node + Express) remain. `Layers` icon import retained — still used elsewhere in the file (line 228).
19
+ - **Risk if left**: Users land on `/examples`, click "View Source on GitHub" for the third card, get a GitHub 404, lose trust.
20
+
21
+ ## Follow-ups (not blocking; track for a future maintenance batch)
22
+
23
+ ### Stale MDX docs files mirrored under `website/public/package-docs/`
24
+
25
+ - **File path**: `website/public/package-docs/docs/examples/firebase-backend-example.md` (plus copies under `website/dist/`, `website/android/app/...`, `website/ios/App/App/...`)
26
+ - **Problem**: The Markdown file documenting the now-removed Firebase backend example is still present in the static-assets pipeline. It is no longer linked from the live React pages (after this batch's ExamplesPage fix), but it is still served at `/package-docs/docs/examples/firebase-backend-example.md` if someone has a direct link.
27
+ - **Recommended action**: Delete the source file at `website/public/package-docs/docs/examples/firebase-backend-example.md`. The `dist/` and platform-mirror copies regenerate from `public/` on every build, so deleting the source clears them downstream. Verify after deletion that the docs-routing index in `DocsMarkdownPage.tsx` doesn't return a broken card for the missing file.
28
+ - **Why deferred**: Touching `public/package-docs/` requires re-running the docs-content sync that produced those files, plus regenerating the Android / iOS asset bundles. That's a larger blast radius than fits in Batch 9.
29
+
30
+ ### HomePage has no Screenshots / Demo section
31
+
32
+ - **Live URL**: `https://nativeupdate.aoneahsan.com/`
33
+ - **File**: `website/src/pages/HomePage.tsx`
34
+ - **Observation**: The 393-line HomePage renders Hero → Features → How-It-Works → CTA. There is no `Screenshots` or `Demo` section. Zero `<img>` or `<video>` tags in the entire file.
35
+ - **Why this is a gap**: The marketing site is selling a UI-heavy product (a dashboard, OTA progress on a device). Visitors who don't already know what the dashboard looks like leave without seeing the actual product surface. This pattern is the single highest-converting block on competitive SaaS landing pages.
36
+ - **Recommended action**: Add a "See it in action" section between How-It-Works and CTA. Three SVG-only mockup tiles is enough: a dashboard "uploads" view, a device showing the in-app update prompt, and a Nova admin panel snapshot. SVG keeps file sizes small and avoids the PNG/JPG-screenshot maintenance treadmill that breaks on every UI tweak.
37
+ - **Why deferred**: Building three good-looking SVG mockup tiles is a half-day of design work, not a Batch 9 inline fix. Logging as a follow-up so it's not lost.
38
+
39
+ ### `DocsPage.tsx` is 1,406 lines
40
+
41
+ - **Live URL**: `https://nativeupdate.aoneahsan.com/docs`
42
+ - **File**: `website/src/pages/DocsPage.tsx`
43
+ - **Observation**: The file violates the project-wide "Max 500 lines/file" rule from the global CLAUDE.md. Most of the content is large code-snippet string literals — ~10 large snippets embedded inline rather than imported from separate files.
44
+ - **Recommended action**: Extract code-snippet strings into `website/src/data/docs-snippets/` (one file per snippet). The page then becomes a thin renderer over the data. This reduces churn on the page when snippets change.
45
+ - **Why deferred**: Not a rendered-page gap — visitors don't see the line count. Pure maintainability concern; lower priority than the user-facing items above.
46
+
47
+ ## Items reviewed and confirmed healthy (no action needed)
48
+
49
+ The sweep also confirmed the following are NOT gaps:
50
+
51
+ | Surface | Status |
52
+ |---|---|
53
+ | Header.tsx internal links | All 4 `<Link to=...>` targets (`/dashboard`, `/login`, `/signup`) resolve to registered routes in `src/router.tsx`. |
54
+ | Footer.tsx internal links | All 19 `<Link to=...>` targets resolve to registered routes. Includes `/sitemap`, `/feed`, `/security`, `/permissions`, `/data-deletion`, `/cookies`, `/privacy`, `/terms` — every legal page is wired up. |
55
+ | Dashboard empty states | 6 dashboard pages (AppsPage, AppDetailPage, DashboardOverview, ConfigPage, UploadPage) have explicit empty-state UI with "create your first app" / "upload your first build" copy. Onboarding flow exists. |
56
+ | `firebase-backend` references in user-facing copy | Only one remaining in `AboutPage.tsx` line 57-58 — a FAQ entry "Why build another OTA solution? What about CodePush?" mentioning CodePush, not firebase-backend. Correct (CodePush is a real third-party reference, not a deleted internal example). |
57
+ | CodePush references | All current and contextually correct (the migration story is part of the marketing message; CodePush's March 2025 retirement is fact). |
58
+ | Version strings in JSON-LD | Audit Record entry 2026-05-02 confirms softwareVersion was bumped to current. |
59
+ | `console.*` calls in src/ | Audit Record entry 2026-05-02 confirms migration to `src/lib/logger.ts`. |
60
+
61
+ ## How to use this doc
62
+
63
+ This is a snapshot. Re-run the per-page sweep when:
64
+
65
+ - A new public page ships (re-check footer + sitemap coverage)
66
+ - A feature is removed (re-grep for any references that point at it)
67
+ - Before a major release (it pairs with the [Pre-Launch Pentest Checklist](/home/ahsan/Documents/01-code/projects/native-update/docs/security/PRE-LAUNCH-PENTEST-CHECKLIST.md))
68
+
69
+ The findings format intentionally avoids GitHub issue creation here — when the project goes public, items in the "Follow-ups" section above are good first issues to open against the public repo.
70
+
71
+ ## Authored by
72
+
73
+ Ahsan Mahmood — author and maintainer of `native-update`.
@@ -0,0 +1,275 @@
1
+ # Production-Readiness Audit — native-update Monorepo
2
+
3
+ **Date:** 2026-05-08
4
+ **Auditor:** Claude Code (Opus 4.7, 1M context)
5
+ **Scope:** Whole monorepo (root plugin + cli + android + ios + backend + website + example-apps + docs)
6
+ **Method:** Six parallel scoped audit agents (plugin/native, website UI, SEO/AEO, backend, examples+roadmap, security/env). Findings cross-verified against source files before recording here.
7
+ **Companion files:**
8
+ - Batch plan: `docs/project-audit/BATCH-PLAN.md`
9
+ - Tracker (resumeable, 7-day cooldown): `docs/tracking/production-readiness-audit-tracker.json`
10
+
11
+ ---
12
+
13
+ ## Verdict
14
+
15
+ The monorepo is **~85% production-ready**. Three real npm-publish-blockers + several backend hardening gaps + per-page SEO content gaps are the main risks. No active secret exposure, no banned packages, no broken builds in the root plugin or website.
16
+
17
+ **Severity legend:** **B** = Blocker (must fix before next release / public push). **I** = Important (fix before production cutover). **N** = Nit / polish.
18
+
19
+ ---
20
+
21
+ ## 1. Banned-Package Phase 0 Check
22
+
23
+ `grep -nE "@capacitor-firebase/(crashlytics|performance)|@capawesome/capacitor-torch" package.json **/package.json` → **zero matches**. ✅ No bans violated.
24
+
25
+ ---
26
+
27
+ ## 2. Findings — Plugin Source / CLI / Native (root, src/, cli/, android/, ios/)
28
+
29
+ ### Blockers
30
+
31
+ - **B1 — `package.json` `files` array is missing `android/manifest-additions.xml`**
32
+ File: `package.json:13-26`. The file exists at `android/manifest-additions.xml` and is required at install-time by Capacitor's manifest merger. Without it in the npm package, downstream Android builds will be missing the additions block. **Fix:** add `"android/manifest-additions.xml"` to the `files` array.
33
+
34
+ - **B2 — `cli/commands/backend-create.js` ships placeholder TODOs in scaffolded backend templates**
35
+ File: `cli/commands/backend-create.js:144,176,177,290,309,310,493,494`. Eight `TODO` markers in Express/Vercel/Firebase scaffolding for: bundle lookup, file storage, DB save. The CLI generates these as ready-to-deploy code, but they are not. **Fix:** either (a) implement the missing logic and wire to `node-express` example as the canonical scaffold, or (b) prepend each generated file with a clear `// SCAFFOLD — implement before deploying` banner and document expected wiring.
36
+
37
+ - **B3 — `cli/commands/monitor.js` has unmanaged `setInterval` + spinner-leak on exit**
38
+ File: `cli/commands/monitor.js:14-62`. `setInterval` fires every 5s with an async callback; failures stack indefinitely. `ora` spinner is started but never stopped on exit/failure — terminal is left in undefined state. **Fix:** capture interval ID, install `SIGINT`/`SIGTERM` handlers that `clearInterval` + `spinner.stop()`; bail the loop on consecutive failures.
39
+
40
+ ### Important
41
+
42
+ - **I1 — Direct `console.*` in plugin source (violates centralized-logger convention)**
43
+ Files: `src/web.ts` (18 calls), `src/core/event-emitter.ts:52`. Plugin already has a `Logger` singleton; security paths (checksum, signature) and event-emitter error path bypass it. **Fix:** replace `console.{warn,error,log}` with `Logger.{warn,error,info}` everywhere outside the logger module itself. Note: this is the *plugin's* logger, separate from website logger.
44
+
45
+ - **I2 — `ios/Plugin/NativeUpdatePlugin.swift:72-75` calls `disableBackgroundUpdatesInternal()` to bypass inaccessible Capacitor SDK constructors**
46
+ Workaround for SDK API surface, fragile if the SDK changes. **Fix:** add a `// CAPACITOR-SDK-WORKAROUND:` comment block referencing the SDK version this assumes, and a `// TODO: revisit on Capacitor 8.x update` line so future bumps don't silently break.
47
+
48
+ - **I3 — `cli/commands/backend-create.js` file-list completeness vs `node-express` template**
49
+ Several runtime concerns (signature verify, rollout cohort logic, channel filtering) live in docs only, not in the scaffold. **Fix (low-risk):** ensure `cli/templates/express/` mirrors `example-apps/node-express/` structure 1:1 so users get a working scaffold by default.
50
+
51
+ ### Nits
52
+
53
+ - **N1 — `rollup.config.js:61,63` duplicate `comments` key in terser format**
54
+ Line 63 silently overrides line 61. Functional but a typo. **Fix:** delete the earlier line.
55
+
56
+ ### State-vs-claim notes
57
+
58
+ - All 28+ public methods in `src/definitions.ts` have matching implementations in `src/web.ts`, `ios/Plugin/`, `android/src/main/`. **API parity ✓**.
59
+ - HTTPS enforcement, SHA-256 checksum + RSA/ECDSA signature paths are well-implemented and fail-closed. **Crypto correct ✓**.
60
+ - TypeScript `strict: true`, Vitest 89/89 green. **Build clean ✓**.
61
+
62
+ ---
63
+
64
+ ## 3. Findings — Website (`website/`)
65
+
66
+ ### Blockers
67
+
68
+ None. `yarn typecheck` + `yarn build` complete cleanly; sitemap + postbuild SEO HTML generation succeed across all 16 routes.
69
+
70
+ ### Important
71
+
72
+ - **I4 — Custom `Dialog.tsx` lacks key a11y primitives**
73
+ File: `website/src/components/ui/Dialog.tsx`. Missing `role="dialog"` + `aria-modal="true"` on `DialogContent`, no ESC-key handler on overlay, no focus restore on close, no focus trap. **Fix:** either migrate to `@radix-ui/react-dialog` (already a transitive dep via other Radix primitives in package.json) — strongly recommended per project's Radix-first rule — or harden the custom one with `aria-labelledby`, ESC handler, focus trap, focus restore.
74
+
75
+ - **I5 — Dashboard dialog state held in `useState` instead of URL search params (violates URL-State-Preservation rule)**
76
+ File: `website/src/pages/dashboard/AppsPage.tsx:50,55`. `deleteDialog` and `formDialog` open-state both in `useState`. Refresh closes them — wrong UX. **Fix:** convert to `?deleteId=ID` and `?formMode=create|edit&appId=ID` per project rule. Audit all other dashboard pages for the same pattern.
77
+
78
+ - **I6 — TanStack Query: per-page `staleTime` overrides not audited**
79
+ Global default in `App.tsx` is 30s + `gcTime: 5m`. Spot-check individual `useQuery` sites in `src/hooks/` and `src/pages/dashboard/` for ad-hoc overrides that disable cache. **Fix:** sweep, document the project-wide cache contract, set `queryKey` factories per resource (already mostly done).
80
+
81
+ ### Nits
82
+
83
+ - BootLoader present (✓), 7-option Theme Customizer present (✓), URL state hooks present (`useUrlState.ts`-style), 47 aria-* attributes across components.
84
+ - `vite-env.d.ts` is minimal (only `__APP_VERSION__`) — env types are validated through `src/config/env.ts` `getMissingRequiredEnv()` at boot. ✓.
85
+
86
+ ---
87
+
88
+ ## 4. Findings — SEO / AEO / AIO (`website/`)
89
+
90
+ Today is 2026-05-08; last full SEO pass was 2026-04-24 (14 days ago — within commit-delta gate window).
91
+
92
+ ### Blockers
93
+
94
+ None on infrastructure — robots.txt allows GPTBot/ClaudeBot/PerplexityBot/Google-Extended/Bingbot/etc., sitemap.xml + feed.xml + llms.txt + llms-full.txt + ai.txt + humans.txt + security.txt all present.
95
+
96
+ ### Important
97
+
98
+ - **I7 — Per-page-uniqueness floor not met on three core marketing pages**
99
+ Files: `website/src/pages/FeaturesPage.tsx` (~150 words, 0 FAQ, 0 use cases, 0 HowTo), `website/src/pages/AboutPage.tsx` (~400 words, 0 FAQ), `website/src/pages/PricingPage.tsx` (~100 words, 0 FAQ). Global rule (`~/.claude/rules/seo-aeo-ranking.md` §2) requires ≥1000 unique words + 5–8 FAQ + 3–5 use cases + 4–6 HowTo steps + 2–3 examples + 3–6 tips + author + lastUpdated per page. **Fix:** rewrite via `ai-seo` + `copywriting` skills; treat as one batch, not per-page commits.
100
+
101
+ - **I8 — `pricing.md` machine-readable file missing at site root**
102
+ Global rule §5 requires `/pricing.md` for AI buying agents when paid tiers exist. Project has Free + Pro + Enterprise (PayPal plans referenced in backend/.env.example). **Fix:** create `website/public/pricing.md` with tiers, limits, features, FAQ in plain markdown.
103
+
104
+ - **I9 — `feed.xml` `<lastBuildDate>` lags actual build**
105
+ Generator emits a stale date instead of `new Date().toUTCString()` at run time. **Fix:** in `website/scripts/generate-sitemap.mjs` (or wherever feed is emitted), replace literal date with runtime stamp; ensure sitemap `<lastmod>` does the same.
106
+
107
+ ### Nits
108
+
109
+ - **N2 — Docs sub-routes (`/docs/*`) lack per-route static prerender** — they rely on runtime SEO + Googlebot JS rendering; AI crawlers may not render JS. Tracked in `seo-url-coverage.json` already as a known issue. **Fix (later):** extend `postbuild-seo.ts` to walk `public/package-docs/` and emit `dist/docs/<slug>/index.html`.
110
+ - **N3 — `og:image` is the same `/og-image.svg` site-wide.** Per-page OG images would lift social sharing. Defer.
111
+ - All discovery-file dates timestamped 2026-05-02 (6 days old — within 14-day spec, refresh on next batch commit).
112
+
113
+ ---
114
+
115
+ ## 5. Findings — Backend (Laravel 11 + Nova 5, `backend/`)
116
+
117
+ ### Blockers
118
+
119
+ - **B4 — Nova resources lack policy-backed authorization gates**
120
+ Files: `backend/app/Nova/*.php` (User, App, Build, ApiKey, SigningKey). Missing `canViewAny()`, `canCreate()`, `canUpdate()`, `canDelete()` guards backed by App\Policies. **Fix:** add per-Resource policies + register in `AuthServiceProvider`; reject non-admin / non-owner access on each verb.
121
+
122
+ - **B5 — No Feature test for the bundle-upload + signature-verify flow**
123
+ Folder: `backend/tests/Feature/`. The most security-critical endpoint (build upload) has no test for: signature verify, monotonic version enforcement, channel scoping, duplicate detection, chunk merging. **Fix:** add `tests/Feature/Build/BundleUploadTest.php` covering the full path.
124
+
125
+ - **B6 — `backend/.env` (local) has `APP_DEBUG=true` + `LOG_LEVEL=debug`** *(documentation gap, not active leak)*
126
+ This is correct for local dev, BUT no deployment runbook documents flipping these for production. `.env.example` correctly defaults to `APP_DEBUG=false`/`LOG_LEVEL=warning`. **Fix:** add `backend/docs/DEPLOYMENT-CHECKLIST.md` listing `APP_DEBUG=false`, `LOG_LEVEL=warning`, `APP_ENV=production`, `php artisan config:cache`, `migrate --force`, `composer install --no-dev`, queue worker daemonization.
127
+
128
+ ### Important
129
+
130
+ - **I10 — `ValidateFirebaseToken` middleware auto-creates User on first valid token**
131
+ File: `backend/app/Http/Middleware/ValidateFirebaseToken.php:41-48`. `firstOrCreate` is open-signup; fine for free tier, risky for invite-only / enterprise. **Fix:** keep open by default but document; add config flag `auth.firebase.auto_create=true|false`.
132
+
133
+ - **I11 — Controllers validate inline; no FormRequest classes**
134
+ Files: `backend/app/Http/Controllers/Dashboard/*.php`. Reduces reuse + makes policy gating awkward. **Fix:** extract validators into `app/Http/Requests/*Request.php`; use `$this->authorize()` from inside the request.
135
+
136
+ - **I12 — Nova User admin panels (Suspend, License, Custom Limits) lack `canSee` gates**
137
+ File: `backend/app/Nova/User.php:64-65`. Any Nova-authenticated user could touch admin fields. **Fix:** wrap with `Panel::make(...)->canSee(fn ($req) => $req->user()->isAdmin())`.
138
+
139
+ - **I13 — No `config/cors.php` — relies on Laravel default**
140
+ Production must lock origins to `nativeupdate.aoneahsan.com` (and dashboard host). **Fix:** publish CORS config, set `paths` → `['api/*']`, `allowed_origins` → explicit list, `supports_credentials` → true.
141
+
142
+ - **I14 — License-check tests missing**
143
+ `User::hasValidLicense()` and license-expiry enforcement on API endpoints are not exercised by tests. **Fix:** add Feature test wrapping a paid-tier endpoint.
144
+
145
+ - **I15 — PayPal webhook CSRF status not explicit**
146
+ File: `backend/routes/api.php:155-156`. Confirm webhook is in CSRF exception list (Laravel 11 default API routes are CSRF-exempt because they're stateless, but document this and add test).
147
+
148
+ ### Nits
149
+
150
+ - **N4 — `CACHE_STORE=database` in `.env.example`** — fine for boot, but Redis is recommended for production rate-limiting performance. Add a `# Recommended for production: CACHE_STORE=redis` comment.
151
+ - **N5 — `QUEUE_CONNECTION=database`** — requires `php artisan queue:work` daemon. Document in deployment checklist.
152
+
153
+ ### Notes
154
+
155
+ - All models use `$fillable` (not `$guarded`); secrets (`password`, `google_drive_token`, `key_hash`) are in `$hidden`. ✓
156
+ - Migration timestamps clean, no out-of-order. ✓
157
+ - File storage uses FilesHub via `FilesHubService` (no AWS S3 hardcoded). ✓
158
+ - `composer.lock` present + reproducible. ✓
159
+ - `.env.example` has [REQUIRED] tags on most blocks. Some PayPal/Google sub-vars could use a one-line reason each (minor).
160
+
161
+ ---
162
+
163
+ ## 6. Findings — Example Apps (`example-apps/`)
164
+
165
+ ### Blockers
166
+
167
+ - **B7 — `example-apps/react-capacitor` `yarn build` fails (lockfile / workspace ref unresolved)**
168
+ Error: "This package doesn't seem to be present in your lockfile". Yarn 4 + workspace pointer `"native-update": "file:../.."` not registered in root lockfile. **Fix:** run `yarn install` at root with the example workspaces included; verify root `package.json` declares workspaces (it currently does NOT — example-apps live as ad-hoc projects). Either declare workspaces or document that `cd example-apps/react-capacitor && yarn install` is required separately.
169
+
170
+ - **B8 — Stale `firebase-backend/` references in `example-apps/react-capacitor/README.md`**
171
+ Lines: `14`, `101`, `210`. `firebase-backend` was deleted in v3.0.0 but README still recommends it as an option. **Fix:** delete those lines / replace with `node-express` only.
172
+
173
+ ### Important
174
+
175
+ - **I16 — `react-capacitor` example demos only `checkForUpdate()`**
176
+ File: `example-apps/react-capacitor/src/App.tsx:1-72`. v3 plugin has 28+ public methods; example covers ~5%. **Fix (incremental):** add tabs/sections demonstrating: `downloadUpdate`, `applyUpdate`, app-update check, app-review prompt, background-update toggle, signature verification of a downloaded bundle. One section per method; gated by feature-flag if Android/iOS-only.
177
+
178
+ - **I17 — `react-capacitor` pinned to React 18 while `website/` is React 19**
179
+ Files: `example-apps/react-capacitor/package.json:20`. **Fix:** decide intent. Either bump to 19 to track current website + plugin tests, or add a comment in README declaring 18 is the "stable downstream" target.
180
+
181
+ ### Notes
182
+
183
+ - `node-express` correctly implements the v3 HTTP-only backend contract. ✓
184
+ - `node_modules` of `react-capacitor` contains stale `native-update@1.3.1` tarball — harmless but worth cleaning on next install.
185
+
186
+ ---
187
+
188
+ ## 7. Findings — Security / Secrets / Env (cross-cutting)
189
+
190
+ ### Critical
191
+
192
+ None. `yarn npm audit --severity high --recursive` → "No audit suggestions". No hardcoded secrets in source (only in non-public-checked-in `.env` files; root `.gitignore` declares the repo as private with intentional .env-in-git policy — mirror this in any future public split).
193
+
194
+ ### High
195
+
196
+ - **H1 — Backend has no `config/cors.php`** (duplicates I13). Must lock origins before public deploy.
197
+ - **H2 — Repo is private with `.env` in git.** If repo ever flips public, immediately add `*.env`, `*.env.local`, `*.env.production`, `backend/storage/firebase-credentials.json`, `android/keystores/` to `.gitignore` and rotate every committed secret. **Fix (preventive):** add `docs/SECURITY-IF-REPO-PUBLIC.md` runbook so this isn't forgotten under pressure.
198
+
199
+ ### Medium
200
+
201
+ - **M1 — `backend/.env.example` `[REQUIRED]` reason comments** — present on FilesHub/Firebase/Google/PayPal blocks (✓). Minor: each *individual sub-var* (e.g. `PAYPAL_LIVE_APP_ID`) could use a one-line "where to find it" note for first-time deployers.
202
+ - **M2 — `website/.env.example` missing two optional docs-snippet vars** that exist in `ConfigPage.tsx`: `VITE_NATIVE_UPDATE_PUBLIC_BACKEND_URL`, `VITE_NATIVE_UPDATE_API_KEY`, `VITE_NATIVE_UPDATE_PUBLIC_KEY`. **Fix:** add as `[OPTIONAL]` rows.
203
+
204
+ ### Notes
205
+
206
+ - Firebase Web API keys (in website/.env) are PUBLIC by design — not a leak.
207
+ - Auth tokens stored only in Firebase SDK in-memory — no localStorage leak.
208
+ - `firestore.rules` properly tiered (auth-required + admin-via-custom-claim, with public read only on `/manifests/{id}` which is intentional).
209
+ - LICENSE present (MIT) and consistent. ✓
210
+ - Capacitor `appId` stable: `com.aoneahsan.nativeupdate`. ✓
211
+ - No keystores committed (`android/keystores/` does not exist yet). ✓
212
+
213
+ ---
214
+
215
+ ## 8. Roadmap Delta (Planned Features Not Yet Done — Practical-for-Release)
216
+
217
+ Mined from `docs/REMAINING_FEATURES.md`, `docs/ROADMAP.md`, `docs/PROJECT_COMPLETION_TRACKER.md`, `docs/MARKETING_WEBSITE_TRACKER.md`, `docs/plans/`, `docs/features/laravel-nova-backend/IMPLEMENTATION-PLAN.md`.
218
+
219
+ ### Practical for v3.x release (this audit will tackle in batches)
220
+
221
+ - **R1** — Performance benchmarking suite scaffold (placeholder exists; needed for SaaS credibility claims).
222
+ - **R2** — Pre-launch security pen-test checklist (light: dependency scan + manual review; not a paid pentest).
223
+ - **R3** — CI/CD integration templates (GitHub Actions): release workflow for the npm plugin + bundle-create + sign + upload step.
224
+ - **R4** — Expand `react-capacitor` example coverage (also tracked as I16 above).
225
+ - **R5** — Marketing-website tracker: 50+ items still `[ ]` in `docs/MARKETING_WEBSITE_TRACKER.md`. Filter for ones that are actually rendered on live pages but unfinished (e.g. screenshots, code-snippet copy refresh, dashboard onboarding flow polish).
226
+
227
+ ### Defer to v3.1+ (not blocking release)
228
+
229
+ - A/B testing support
230
+ - Staged rollouts with percentage targeting (DB schema exists in backend; UI/CLI surfaces incomplete)
231
+ - Geographic targeting
232
+ - Update scheduling
233
+ - Delta-update WASM optimization
234
+ - Multi-tenant SaaS, enterprise SSO, SLA monitoring
235
+ - Vue / Angular / Svelte / Python / Java example apps
236
+ - Video tutorials, community plugins directory
237
+
238
+ ---
239
+
240
+ ## 9. Verification Commands
241
+
242
+ After each batch, run from repo root:
243
+
244
+ ```bash
245
+ # Plugin
246
+ yarn lint
247
+ yarn typecheck # alias for `yarn tsc`
248
+ yarn build
249
+ yarn test:run
250
+
251
+ # Website
252
+ cd website && yarn typecheck && yarn lint && yarn build && cd ..
253
+
254
+ # Backend (Laravel)
255
+ cd backend && composer install --no-interaction && php artisan test && cd ..
256
+
257
+ # Cross-cutting
258
+ grep -rEn "TODO|FIXME" src/ cli/ website/src/ backend/app/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.php" | wc -l # track count down over batches
259
+ yarn npm audit --severity high --recursive
260
+ ```
261
+
262
+ ---
263
+
264
+ ## 10. Total Issue Count
265
+
266
+ | Severity | Plugin | Website | SEO | Backend | Examples | Security | Roadmap | **Total** |
267
+ |---|---|---|---|---|---|---|---|---|
268
+ | Blocker | 3 | 0 | 0 | 3 | 2 | 0 | 0 | **8** |
269
+ | Important | 3 | 3 | 3 | 6 | 2 | 0 | 0 | **17** |
270
+ | Nit | 1 | 0 | 2 | 2 | 0 | 0 | 0 | **5** |
271
+ | Sec High | — | — | — | — | — | 2 | — | **2** |
272
+ | Sec Med | — | — | — | — | — | 2 | — | **2** |
273
+ | Roadmap | — | — | — | — | — | — | 5 | **5** |
274
+
275
+ Grand total: **39 actionable items** across the audit + 5 roadmap items. See `BATCH-PLAN.md` for the execution plan.
@@ -0,0 +1,60 @@
1
+ {
2
+ "$schema": "project-finalization-tracker",
3
+ "description": "Resumable production-finalization tracker for native-update (Capacitor OTA plugin + Laravel/Nova SaaS backend + React marketing site/dashboard + CLI + Docusaurus docs site). The first phase/sub-task with status 'pending' or 'in_progress' is the next thing to work on.",
4
+ "project": "native-update",
5
+ "type": "capacitor-plugin-monorepo + saas-backend + marketing-website + cli + docs-site",
6
+ "repo": "github.com/aoneahsan/native-update (PRIVATE)",
7
+ "docsRepo": "github.com/aoneahsan/native-update-docs (PRIVATE)",
8
+ "npm": "native-update@3.1.0 (published)",
9
+ "homepage": "https://nativeupdate.aoneahsan.com",
10
+ "createdAt": "2026-06-22",
11
+ "lastUpdated": "2026-07-02",
12
+ "readiness": 99,
13
+ "stackOverride": {
14
+ "note": "The fleet finalization spec assumes a Firestore + Google Drive website backend. native-update DELIBERATELY chose a Laravel 13 + Nova 5 + MySQL + Google Drive backend (v3.0.0+). Per the Per-Project Stack Override rule, the project's chosen stack wins. Zero-cost / no-Firebase-Functions still honored: this project's own backend uses NO Firebase Functions/Storage (the CLI's firebase-functions strings live only inside a user-choice backend-template GENERATOR).",
15
+ "websiteBackend": "Laravel 13 + Nova 5 + MySQL + Google Drive (NOT Firestore)",
16
+ "auth": "Laravel Socialite (Google OAuth) + Sanctum tokens + spatie/laravel-permission RBAC (Firebase Auth removed in v3.0.0)"
17
+ },
18
+ "verifyGates": {
19
+ "pluginBuild": "yarn build -> 0 errors (clean + tsc + rollup, ~4s)",
20
+ "pluginTypecheck": "yarn tsc --noEmit -> 0 errors",
21
+ "pluginLint": "yarn lint -> 0 warnings",
22
+ "websiteTypecheck": "yarn typecheck (tsc -b) -> 0 errors",
23
+ "websiteBuild": "yarn build -> 0 errors (61-URL sitemap + feed + 16 SEO routes + 9 discovery files)",
24
+ "websiteLint": "yarn lint -> 0 warnings",
25
+ "docsBuild": "native-update-docs: yarn build (Docusaurus) -> see runHistory",
26
+ "verifiedAt": "2026-06-22"
27
+ },
28
+ "phases": [
29
+ { "id": "phase0", "title": "Setup: skills, remote/branch, read scope, scaffold tracker + MANUAL-TASKS, refresh CLAUDE/AGENTS", "status": "complete", "completedAt": "2026-06-22" },
30
+ { "id": "phase1", "title": "Privacy gate + env/secret audit (repo PRIVATE; force-add git-ignored env; never keystores)", "status": "complete", "completedAt": "2026-06-22",
31
+ "subTasks": [
32
+ { "id": "phase1.1", "title": "gh repo view: main + docs repos confirmed PRIVATE", "status": "complete" },
33
+ { "id": "phase1.2", "title": "Force-add git-ignored backend/.env + website/.env (private repo; root .gitignore documents team-access intent; never published to npm via files[])", "status": "complete" },
34
+ { "id": "phase1.3", "title": "No keystores in tree; none added", "status": "complete" }
35
+ ] },
36
+ { "id": "phase2", "title": "Gap audit: real code vs intended scope + docs promises", "status": "complete", "completedAt": "2026-06-22",
37
+ "subTasks": [
38
+ { "id": "phase2.1", "title": "Plugin src/ TODO/stub scan: clean (3 false positives — field names + a docstring)", "status": "complete" },
39
+ { "id": "phase2.2", "title": "CLI scaffolding TODO[SCAFFOLD-IMPLEMENT-BEFORE-DEPLOY] markers are INTENTIONAL generated-template placeholders (BACKEND_TEMPLATES_GUIDE.md) — by design, not a gap", "status": "complete" },
40
+ { "id": "phase2.3", "title": "Website console.* hits are inside documentation code-example strings, not real logging; no innerHTML in new code", "status": "complete" }
41
+ ] },
42
+ { "id": "phase3", "title": "Build automatable gaps", "status": "complete", "completedAt": "2026-06-22",
43
+ "note": "No automatable code gaps found. The project is genuinely production-complete (v3.1.0 on npm, 134 backend PHPUnit tests, complete iOS/Android/CLI/website/backend/docs). The only real fix was doc-drift: REMAINING_FEATURES.md item #5 (DocsPage.tsx 1406-line refactor) was already done (now 166 lines + docs-page/sections/)." },
44
+ { "id": "phaseD", "title": "Verify/finish native-update-docs (Docusaurus, sibling repo)", "status": "complete", "completedAt": "2026-06-22" },
45
+ { "id": "phaseN1", "title": "Manual-task consolidation (npm publish, deploys, device verify, backend DB/test verify)", "status": "complete", "completedAt": "2026-06-22" },
46
+ { "id": "phaseN2", "title": "Finalize: final verify gates + tracker + git in-sync (both repos)", "status": "complete", "completedAt": "2026-06-22" }
47
+ ],
48
+ "gapInventory": [
49
+ { "id": "G1", "title": "Delta-update WASM (bsdiff/bspatch) optimization", "classification": "ROADMAP-OPTIONAL", "status": "deferred", "note": "delta-processor.ts already ships a working JS-level file-patching strategy; WASM is a performance enhancement, not a missing feature. Documented in REMAINING_FEATURES.md." },
50
+ { "id": "G2", "title": "A/B testing, calendar update scheduling, geographic targeting", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "Large speculative features the user has not scoped. Percentage rollouts + pause/resume + targetSegments already shipped on the builds table." },
51
+ { "id": "G3", "title": "Additional framework example apps (Vue / Angular / Svelte / Python / Java)", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "React+Capacitor and Node/Express examples already ship. Which (if any) to add next is a product decision." },
52
+ { "id": "G4", "title": "Enterprise: multi-tenant/org accounts, SAML/OIDC SSO, white-label branding, audit-log UI", "classification": "PRODUCT-DECISION", "status": "deferred", "note": "Roadmap; current model is single-user. Raw audit events already persist via analytics_events + Nova." },
53
+ { "id": "G5", "title": "website page components marginally over 500-line soft guideline (FeaturesPage 578, ExamplesPage 523, AnalyticsPage 519)", "classification": "COSMETIC-OPTIONAL", "status": "deferred", "note": "500 lines is a soft guideline; these are cohesive content-heavy single pages that build clean. Not a finalization blocker." }
54
+ ],
55
+ "runHistory": [
56
+ { "date": "2026-06-22", "phase": "all", "summary": "Owner-agent finalization pass. Verified package (build/tsc/lint = 0), website (typecheck/build/lint = 0; 61-URL sitemap + 16 SEO routes), and docs site build. Confirmed both repos PRIVATE; force-added git-ignored backend/.env + website/.env (never published to npm). Plugin/native/CLI/backend genuinely complete; no automatable code gaps. Fixed stale REMAINING_FEATURES.md DocsPage item. Scaffolded this tracker; refreshed CLAUDE.md/AGENTS.md + MANUAL-TASKS + sitemap/feed lastmod to 2026-06-22.", "commit": "pending" },
57
+ { "date": "2026-07-02", "phase": "v3.1.0-release", "summary": "v3.1.0 audit + optimize + release session (Fable 5 plan + Opus 4.8 execution). Plugin: package.json exports map, web.ts validateUpdate reuses downloaded bytes (no double download), 10 dead comment lines removed, cli 3.1.0. Website: HomePage LazyMotion (framer-motion off first-paint), .env.production (prod backend URL always baked), root firebase.json consolidated w/ cache headers (website/firebase.json+.firebaserc deleted), 9 dead Firebase-era env keys removed. Backend: update-check writes deferred to dispatch()->afterResponse(), App::getLatestBuildForChannel cached 45s w/ Build model-event invalidation, additive covering index builds(app_id,channel,status,created_at), analytics:cleanup now prunes analytics_events, CORS supports_credentials=false, 2 scaffold ExampleTests removed (134 PHPUnit pass). Docs: CHANGELOG + RELEASE-NOTES 3.1.0, Laravel-11->13 / Pest->PHPUnit / api-host drift fixed, HOSTINGER deploy notes refreshed (PHP>=8.3, scheduler required, v3.1.0 migration, X-Sendfile note). Released: npm publish native-update@3.1.0 + firebase deploy website. INCIDENT: live backend https://nativeupdatebe.aoneahsan.com returns HTTP 500 on all routes (pre-existing, deploy-side — flagged as MANUAL-TASKS row 1, likely PHP<8.3). Deferred: native streaming-hash perf, file splits, X-Sendfile impl, docs-site deploy.", "commit": "pending" }
58
+ ],
59
+ "resumeInstructions": "1) Read this tracker. 2) All phases complete. 3) If re-run: confirm verify gates still pass, check whether the user has scoped any gapInventory ROADMAP/PRODUCT-DECISION item, and update lastUpdated. NEVER auto-build the deferred product-decision features without the user scoping them."
60
+ }