react-native-dev-guard 1.0.0 → 1.0.1

package/lib/services/GuardEnforcement.js

@@ -1,29 +1,48 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GuardEnforcement = void 0;
+const react_native_1 = require("react-native");
+const obf_1 = require("../internal/obf");
+const { DevGuard: DevGuardNative } = react_native_1.NativeModules;
 /**
  * Client-side policy enforcement applied to a server response before it is
- * shown to the user. Mirrors the Flutter plugin's `GuardEnforcement` so both
- * platforms behave identically.
+ * shown to the user. Mirrors Flutter `GuardEnforcement` + native `dg_e1`.
  */
 class GuardEnforcement {
-    /**
-     * Applies enforcement rules to a fresh server response.
-     *
-     * - `blockEmulators`: if the project blocks emulators and the current device
-     *   is not a physical device, the response is overridden to LOCKED.
-     *
-     * @param response The parsed server response (mutated copy returned).
-     * @param metadata The device metadata collected for this sync.
-     */
-    static apply(response, metadata) {
-        if (response?.blockEmulators === true && metadata?.isPhysicalDevice === false) {
+    static async evaluatePolicy(blockEmulators, isPhysicalDevice, isCompromised) {
+        if (typeof DevGuardNative?.evaluatePolicy === 'function') {
+            try {
+                return await DevGuardNative.evaluatePolicy(blockEmulators, isPhysicalDevice, isCompromised);
+            }
+            catch {
+                // Fall through to JS fallback when native bridge unavailable (e.g. tests).
+            }
+        }
+        if (isCompromised)
+            return obf_1.PolicyLock.compromised;
+        if (blockEmulators && !isPhysicalDevice)
+            return obf_1.PolicyLock.emulator;
+        return obf_1.PolicyLock.allow;
+    }
+    static async apply(response, metadata, isCompromised = false) {
+        const isPhysical = metadata?.isPhysicalDevice !== false;
+        const code = await this.evaluatePolicy(response?.blockEmulators === true, isPhysical, isCompromised);
+        if (code === obf_1.PolicyLock.compromised) {
+            console.warn(obf_1.Obf.compromisedLog);
+            return {
+                ...response,
+                status: 'LOCKED',
+                title: obf_1.Obf.securityTitle,
+                message: obf_1.Obf.compromisedMessage,
+            };
+        }
+        if (code === obf_1.PolicyLock.emulator) {
             console.warn('DevGuard: Emulator blocked by project policy.');
             return {
                 ...response,
                 status: 'LOCKED',
-                title: 'Emulator Detected',
-                message: 'This application cannot run on emulators or simulators for security reasons.',
+                title: obf_1.Obf.emulatorTitle,
+                message: obf_1.Obf.emulatorMessage,
             };
         }
         return response;

package/lib/services/cacheCrypto.d.ts

@@ -0,0 +1,6 @@
+/**
+ * AES-CBC with key/IV derived from projectId — no OpenSSL random salt (RN-safe).
+ * Parity with DevGuardLogger vault key derivation; avoids Node crypto RNG on Android/Hermes.
+ */
+export declare function encryptCachePayload(projectId: string, plainText: string): string;
+export declare function decryptCachePayload(projectId: string, cipherText: string): string | null;

package/lib/services/cacheCrypto.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptCachePayload = encryptCachePayload;
+exports.decryptCachePayload = decryptCachePayload;
+const crypto_js_1 = __importDefault(require("crypto-js"));
+const CACHE_KEY_SALT = 'dg_cache_key_v1';
+const CACHE_IV_SALT = 'dg_cache_iv_v1';
+/** OpenSSL salted ciphertext prefix (legacy passphrase-based AES). */
+const LEGACY_OPENSSL_PREFIX = 'U2FsdGVk';
+function deriveCacheKeyIv(projectId) {
+    const keyHex = crypto_js_1.default.SHA256(`${projectId}_${CACHE_KEY_SALT}`).toString(crypto_js_1.default.enc.Hex);
+    const ivHex = crypto_js_1.default.SHA256(`${projectId}_${CACHE_IV_SALT}`).toString(crypto_js_1.default.enc.Hex);
+    return {
+        key: crypto_js_1.default.enc.Hex.parse(keyHex),
+        iv: crypto_js_1.default.enc.Hex.parse(ivHex.substring(0, 32)),
+    };
+}
+/**
+ * AES-CBC with key/IV derived from projectId — no OpenSSL random salt (RN-safe).
+ * Parity with DevGuardLogger vault key derivation; avoids Node crypto RNG on Android/Hermes.
+ */
+function encryptCachePayload(projectId, plainText) {
+    const { key, iv } = deriveCacheKeyIv(projectId);
+    return crypto_js_1.default.AES.encrypt(plainText, key, { iv }).toString();
+}
+function decryptCachePayload(projectId, cipherText) {
+    const { key, iv } = deriveCacheKeyIv(projectId);
+    const decrypted = crypto_js_1.default.AES.decrypt(cipherText, key, { iv }).toString(crypto_js_1.default.enc.Utf8);
+    if (decrypted)
+        return decrypted;
+    // Legacy entries used passphrase mode (random salt → needs native crypto RNG).
+    if (cipherText.startsWith(LEGACY_OPENSSL_PREFIX)) {
+        const legacy = crypto_js_1.default.AES.decrypt(cipherText, projectId).toString(crypto_js_1.default.enc.Utf8);
+        return legacy || null;
+    }
+    return null;
+}

package/lib/types/branding.d.ts

@@ -0,0 +1,21 @@
+export interface LockScreenBranding {
+    brandName?: string | null;
+    logoUrl?: string | null;
+    primaryColor?: string;
+    accentColor?: string | null;
+    websiteUrl?: string | null;
+    hidePoweredBy?: boolean;
+}
+/** Default lock-screen palette when API sends no branding colors (Flutter PaymentWall parity). */
+export declare const DEFAULT_LOCK_PRIMARY = "#d32f2f";
+export declare const DEFAULT_LOCK_ACCENT = "#b71c1c";
+export declare function parseHexColor(hex?: string | null, fallback?: string): string;
+export declare function resolveBrandingFooter(branding?: LockScreenBranding | null): {
+    hasCustom: boolean;
+    label: string;
+    brand: string;
+    url: string;
+    hidePoweredBy: boolean;
+    primaryColor: string;
+    accentColor: string;
+};

package/lib/types/branding.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_LOCK_ACCENT = exports.DEFAULT_LOCK_PRIMARY = void 0;
+exports.parseHexColor = parseHexColor;
+exports.resolveBrandingFooter = resolveBrandingFooter;
+/** Default lock-screen palette when API sends no branding colors (Flutter PaymentWall parity). */
+exports.DEFAULT_LOCK_PRIMARY = '#d32f2f';
+exports.DEFAULT_LOCK_ACCENT = '#b71c1c';
+function parseHexColor(hex, fallback = exports.DEFAULT_LOCK_PRIMARY) {
+    if (!hex)
+        return fallback;
+    const normalized = hex.startsWith('#') ? hex : `#${hex}`;
+    return /^#[0-9A-Fa-f]{6}$/.test(normalized) ? normalized : fallback;
+}
+function resolveBrandingFooter(branding) {
+    const hasCustom = !!branding && (!!branding.brandName?.trim() || !!branding.logoUrl?.trim());
+    return {
+        hasCustom,
+        label: hasCustom ? 'Powered by' : 'Secured by',
+        brand: hasCustom
+            ? branding?.brandName?.trim() || 'DevGuard'
+            : 'DevGuard',
+        url: hasCustom && branding?.websiteUrl?.trim()
+            ? branding.websiteUrl.trim()
+            : 'https://devguard.uk',
+        hidePoweredBy: branding?.hidePoweredBy === true,
+        primaryColor: parseHexColor(branding?.primaryColor, exports.DEFAULT_LOCK_PRIMARY),
+        accentColor: parseHexColor(branding?.accentColor || branding?.primaryColor, exports.DEFAULT_LOCK_ACCENT),
+    };
+}

package/lib/utils/contactUrls.d.ts

@@ -0,0 +1,4 @@
+/** Build contact deep-links for lock-screen support buttons (Flutter ContactButton parity). */
+export declare function buildWhatsAppUrl(raw: string): string;
+export declare function buildMailtoUrl(raw: string): string;
+export declare function buildTelUrl(raw: string): string;

package/lib/utils/contactUrls.js

@@ -0,0 +1,18 @@
+"use strict";
+/** Build contact deep-links for lock-screen support buttons (Flutter ContactButton parity). */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildWhatsAppUrl = buildWhatsAppUrl;
+exports.buildMailtoUrl = buildMailtoUrl;
+exports.buildTelUrl = buildTelUrl;
+function buildWhatsAppUrl(raw) {
+    const digits = raw.replace(/[^0-9]/g, '');
+    return digits ? `https://wa.me/${digits}` : '';
+}
+function buildMailtoUrl(raw) {
+    const email = raw.trim();
+    return email ? `mailto:${email}` : '';
+}
+function buildTelUrl(raw) {
+    const phone = raw.replace(/[^\d+]/g, '');
+    return phone ? `tel:${phone}` : '';
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-dev-guard",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "DevGuard protection for React Native apps",
   "license": "MIT",
   "author": "DevGuard-uk",
@@ -31,9 +31,11 @@
   ],
   "scripts": {
     "clean": "rimraf lib",
-    "build:ts": "tsc",
+    "gen:obf": "node tool/genObf.js",
+    "build:ts": "npm run gen:obf && tsc",
     "build:obfuscate": "echo 'Skipping obfuscator for RN bundle compat'",
     "build": "npm-run-all clean build:ts build:obfuscate",
+    "test": "npm run build && node --test test/branding.test.js test/obf.test.js",
     "prepublishOnly": "npm run build",
     "verify:versions": "node -e \"const rn=require('react-native/package.json');const r=require('react/package.json');console.log('react-native',rn.version,'react',r.version);\""
   },
@@ -41,7 +43,7 @@
     "crypto-js": "^4.2.0",
     "pako": "^2.1.0",
     "react-native-safe-area-context": "^5.5.2",
-    "react-native-vault-logger": "^0.1.2"
+    "react-native-vault-logger": "^0.1.3"
   },
   "devDependencies": {
     "@types/crypto-js": "^4.2.2",
@@ -73,5 +75,9 @@
     "react-native-permissions": {
       "optional": true
     }
+  },
+  "overrides": {
+    "image-size": "2.0.2",
+    "shell-quote": "1.8.4"
   }
 }