shiplint 0.1.0

package/dist/rules/privacy/att-tracking-mismatch.js

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ATTTrackingMismatchRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const plist_parser_js_1 = require("../../parsers/plist-parser.js");
+const framework_detector_js_1 = require("../../parsers/framework-detector.js");
+const base_js_1 = require("../base.js");
+const TRACKING_USAGE_KEY = 'NSUserTrackingUsageDescription';
+const ATT_FRAMEWORK = 'AppTrackingTransparency';
+exports.ATTTrackingMismatchRule = {
+    id: 'privacy-003-att-tracking-mismatch',
+    name: 'Tracking SDK Without App Tracking Transparency',
+    description: 'Checks for tracking SDKs without proper ATT implementation',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '5.1.2',
+    async evaluate(context) {
+        // Detect tracking SDKs from dependencies
+        const detectedSDKs = (0, framework_detector_js_1.detectTrackingSDKs)(context.dependencies);
+        if (detectedSDKs.length === 0) {
+            return [];
+        }
+        const findings = [];
+        const trackingDescription = context.plistString(TRACKING_USAGE_KEY);
+        const hasTrackingDescription = trackingDescription !== undefined;
+        const hasATTFramework = context.hasFramework(ATT_FRAMEWORK);
+        // Case 1: Missing NSUserTrackingUsageDescription entirely
+        if (!hasTrackingDescription) {
+            findings.push((0, base_js_1.makeFinding)(this, {
+                description: `Your app includes tracking/attribution SDKs (${detectedSDKs.join(', ')}) ` +
+                    `but Info.plist is missing NSUserTrackingUsageDescription. Since iOS 14.5, apps that track ` +
+                    `users must implement App Tracking Transparency and include a purpose string.`,
+                location: 'Info.plist',
+                fixGuidance: `Add NSUserTrackingUsageDescription to your Info.plist:
+
+<key>NSUserTrackingUsageDescription</key>
+<string>We use tracking to show you personalized ads and measure ad effectiveness.</string>
+
+Then implement the ATT prompt in your code:
+
+import AppTrackingTransparency
+
+ATTrackingManager.requestTrackingAuthorization { status in
+    switch status {
+    case .authorized:
+        // Enable tracking
+    default:
+        // Disable tracking
+    }
+}
+
+Important: Only initialize tracking SDKs after the user grants permission.`,
+                documentationURL: 'https://developer.apple.com/documentation/apptrackingtransparency',
+            }));
+        }
+        // Case 2: Description is empty
+        else if (trackingDescription.trim() === '') {
+            findings.push((0, base_js_1.makeFinding)(this, {
+                title: 'Empty Tracking Usage Description',
+                description: `NSUserTrackingUsageDescription exists but is empty. Apple requires a meaningful ` +
+                    `description explaining why your app tracks users.`,
+                location: 'Info.plist',
+                fixGuidance: `Update NSUserTrackingUsageDescription with a clear explanation of your tracking purpose.
+
+Good example: "Allow tracking to receive personalized ads based on your interests."
+Bad example: "" or "For tracking"
+
+Be specific about what data is collected and how it's used.`,
+                documentationURL: 'https://developer.apple.com/documentation/apptrackingtransparency',
+            }));
+        }
+        // Case 3: Description is placeholder
+        else if ((0, plist_parser_js_1.isPlaceholder)(trackingDescription)) {
+            findings.push((0, base_js_1.makeFinding)(this, {
+                title: 'Placeholder Tracking Usage Description',
+                description: `NSUserTrackingUsageDescription appears to contain placeholder text: "${trackingDescription}". ` +
+                    `Apple requires meaningful, user-facing descriptions.`,
+                location: 'Info.plist',
+                fixGuidance: `Replace the placeholder with a real explanation of why your app tracks users.
+
+Current value: "${trackingDescription}"
+
+Users should understand what tracking means for their privacy.`,
+                documentationURL: 'https://developer.apple.com/documentation/apptrackingtransparency',
+            }));
+        }
+        // Case 4: Has description but no ATT framework
+        if (hasTrackingDescription && !hasATTFramework) {
+            findings.push((0, base_js_1.makeCustomFinding)(this, index_js_1.Severity.Medium, index_js_1.Confidence.Medium, {
+                title: 'AppTrackingTransparency Framework Not Linked',
+                description: `Your app has NSUserTrackingUsageDescription but AppTrackingTransparency framework ` +
+                    `does not appear to be linked. This may indicate an incomplete ATT implementation.`,
+                location: 'Project',
+                fixGuidance: `Ensure you're importing AppTrackingTransparency in your code and actually showing ` +
+                    `the tracking permission prompt to users.
+
+import AppTrackingTransparency
+
+// Call this at an appropriate time (not immediately at launch)
+ATTrackingManager.requestTrackingAuthorization { status in
+    // Handle response
+}
+
+Note: If you're using a different approach to ATT (like via a third-party SDK wrapper), ` +
+                    `you can ignore this finding.`,
+                documentationURL: 'https://developer.apple.com/documentation/apptrackingtransparency',
+            }));
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=att-tracking-mismatch.js.map

package/dist/rules/privacy/att-tracking-mismatch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"att-tracking-mismatch.js","sourceRoot":"","sources":["../../../src/rules/privacy/att-tracking-mismatch.ts"],"names":[],"mappings":";;;AAUA,mDAA0E;AAC1E,mEAA8D;AAC9D,+EAAyE;AACzE,wCAA4D;AAE5D,MAAM,kBAAkB,GAAG,gCAAgC,CAAC;AAC5D,MAAM,aAAa,GAAG,yBAAyB,CAAC;AAEnC,QAAA,uBAAuB,GAAS;IAC3C,EAAE,EAAE,mCAAmC;IACvC,IAAI,EAAE,gDAAgD;IACtD,WAAW,EAAE,4DAA4D;IACzE,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,yCAAyC;QACzC,MAAM,YAAY,GAAG,IAAA,0CAAkB,EAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAE9D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,MAAM,mBAAmB,GAAG,OAAO,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC;QACpE,MAAM,sBAAsB,GAAG,mBAAmB,KAAK,SAAS,CAAC;QACjE,MAAM,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAE5D,0DAA0D;QAC1D,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAC9B,WAAW,EAAE,gDAAgD,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;oBACtF,4FAA4F;oBAC5F,8EAA8E;gBAChF,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE;;;;;;;;;;;;;;;;;;2EAkBsD;gBACnE,gBAAgB,EAAE,mEAAmE;aACtF,CAAC,CAAC,CAAC;QACN,CAAC;QACD,+BAA+B;aAC1B,IAAI,mBAAmB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAC9B,KAAK,EAAE,kCAAkC;gBACzC,WAAW,EAAE,kFAAkF;oBAC7F,mDAAmD;gBACrD,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE;;;;;4DAKuC;gBACpD,gBAAgB,EAAE,mEAAmE;aACtF,CAAC,CAAC,CAAC;QACN,CAAC;QACD,qCAAqC;aAChC,IAAI,IAAA,+BAAa,EAAC,mBAAmB,CAAC,EAAE,CAAC;YAC5C,QAAQ,CAAC,IAAI,CAAC,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAC9B,KAAK,EAAE,wCAAwC;gBAC/C,WAAW,EAAE,wEAAwE,mBAAmB,KAAK;oBAC3G,sDAAsD;gBACxD,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE;;kBAEH,mBAAmB;;+DAE0B;gBACvD,gBAAgB,EAAE,mEAAmE;aACtF,CAAC,CAAC,CAAC;QACN,CAAC;QAED,+CAA+C;QAC/C,IAAI,sBAAsB,IAAI,CAAC,eAAe,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC,IAAA,2BAAiB,EAAC,IAAI,EAAE,mBAAQ,CAAC,MAAM,EAAE,qBAAU,CAAC,MAAM,EAAE;gBACxE,KAAK,EAAE,8CAA8C;gBACrD,WAAW,EAAE,oFAAoF;oBAC/F,mFAAmF;gBACrF,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,oFAAoF;oBAC/F;;;;;;;;;yFAS+E;oBAC/E,8BAA8B;gBAChC,gBAAgB,EAAE,mEAAmE;aACtF,CAAC,CAAC,CAAC;QACN,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/rules/privacy/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Privacy rules exports
+ */
+export { MissingCameraPurposeRule } from './missing-camera-purpose.js';
+export { MissingLocationPurposeRule } from './missing-location-purpose.js';
+export { LocationAlwaysUnjustifiedRule } from './location-always-unjustified.js';
+export { ATTTrackingMismatchRule } from './att-tracking-mismatch.js';
+export { MissingPhotoLibraryPurposeRule } from './missing-photo-library-purpose.js';
+export { MissingMicrophonePurposeRule } from './missing-microphone-purpose.js';
+export { MissingContactsPurposeRule } from './missing-contacts-purpose.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/privacy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AACjF,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/rules/privacy/index.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingContactsPurposeRule = exports.MissingMicrophonePurposeRule = exports.MissingPhotoLibraryPurposeRule = exports.ATTTrackingMismatchRule = exports.LocationAlwaysUnjustifiedRule = exports.MissingLocationPurposeRule = exports.MissingCameraPurposeRule = void 0;
+/**
+ * Privacy rules exports
+ */
+var missing_camera_purpose_js_1 = require("./missing-camera-purpose.js");
+Object.defineProperty(exports, "MissingCameraPurposeRule", { enumerable: true, get: function () { return missing_camera_purpose_js_1.MissingCameraPurposeRule; } });
+var missing_location_purpose_js_1 = require("./missing-location-purpose.js");
+Object.defineProperty(exports, "MissingLocationPurposeRule", { enumerable: true, get: function () { return missing_location_purpose_js_1.MissingLocationPurposeRule; } });
+var location_always_unjustified_js_1 = require("./location-always-unjustified.js");
+Object.defineProperty(exports, "LocationAlwaysUnjustifiedRule", { enumerable: true, get: function () { return location_always_unjustified_js_1.LocationAlwaysUnjustifiedRule; } });
+var att_tracking_mismatch_js_1 = require("./att-tracking-mismatch.js");
+Object.defineProperty(exports, "ATTTrackingMismatchRule", { enumerable: true, get: function () { return att_tracking_mismatch_js_1.ATTTrackingMismatchRule; } });
+var missing_photo_library_purpose_js_1 = require("./missing-photo-library-purpose.js");
+Object.defineProperty(exports, "MissingPhotoLibraryPurposeRule", { enumerable: true, get: function () { return missing_photo_library_purpose_js_1.MissingPhotoLibraryPurposeRule; } });
+var missing_microphone_purpose_js_1 = require("./missing-microphone-purpose.js");
+Object.defineProperty(exports, "MissingMicrophonePurposeRule", { enumerable: true, get: function () { return missing_microphone_purpose_js_1.MissingMicrophonePurposeRule; } });
+var missing_contacts_purpose_js_1 = require("./missing-contacts-purpose.js");
+Object.defineProperty(exports, "MissingContactsPurposeRule", { enumerable: true, get: function () { return missing_contacts_purpose_js_1.MissingContactsPurposeRule; } });
+//# sourceMappingURL=index.js.map

package/dist/rules/privacy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,yEAAuE;AAA9D,qIAAA,wBAAwB,OAAA;AACjC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA;AACnC,mFAAiF;AAAxE,+IAAA,6BAA6B,OAAA;AACtC,uEAAqE;AAA5D,mIAAA,uBAAuB,OAAA;AAChC,uFAAoF;AAA3E,kJAAA,8BAA8B,OAAA;AACvC,iFAA+E;AAAtE,6IAAA,4BAA4B,OAAA;AACrC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA"}

package/dist/rules/privacy/location-always-unjustified.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule: Location Always Permission Without Justification
+ *
+ * Detects when an app requests Always location permission but doesn't
+ * have the "location" background mode enabled in UIBackgroundModes.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const LocationAlwaysUnjustifiedRule: Rule;
+//# sourceMappingURL=location-always-unjustified.d.ts.map

package/dist/rules/privacy/location-always-unjustified.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"location-always-unjustified.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/location-always-unjustified.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAWvE,eAAO,MAAM,6BAA6B,EAAE,IAmG3C,CAAC"}

package/dist/rules/privacy/location-always-unjustified.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocationAlwaysUnjustifiedRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const base_js_1 = require("../base.js");
+const ALWAYS_KEYS = [
+    'NSLocationAlwaysUsageDescription',
+    'NSLocationAlwaysAndWhenInUseUsageDescription',
+];
+const BACKGROUND_MODES_KEY = 'UIBackgroundModes';
+const LOCATION_BACKGROUND_MODE = 'location';
+exports.LocationAlwaysUnjustifiedRule = {
+    id: 'entitlements-001-location-always-unjustified',
+    name: 'Location Always Permission Without Justification',
+    description: 'Checks for Always location permission without background mode or proper justification',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.Medium,
+    guidelineReference: '5.1.1',
+    async evaluate(context) {
+        // Check if app requests Always location permission
+        const hasAlwaysPermission = ALWAYS_KEYS.some(key => context.hasPlistKey(key));
+        if (!hasAlwaysPermission) {
+            return [];
+        }
+        // Check if background location mode is enabled
+        const backgroundModes = context.plistArray(BACKGROUND_MODES_KEY) ?? [];
+        const hasLocationBackgroundMode = backgroundModes.includes(LOCATION_BACKGROUND_MODE);
+        const findings = [];
+        // Case 1: Always permission without background location mode
+        if (!hasLocationBackgroundMode) {
+            const presentKeys = ALWAYS_KEYS.filter(key => context.hasPlistKey(key));
+            findings.push((0, base_js_1.makeFinding)(this, {
+                description: `Your app requests Always location permission (${presentKeys.join(', ')}) ` +
+                    `but UIBackgroundModes does not include "location". This configuration strongly suggests ` +
+                    `your app doesn't have a legitimate continuous location feature, which Apple will ` +
+                    `likely question during review.`,
+                location: 'Info.plist',
+                fixGuidance: `You have two options:
+
+**Option 1: If you DO need Always permission (navigation, fitness, geofencing):**
+
+Add "location" to UIBackgroundModes in Info.plist:
+
+<key>UIBackgroundModes</key>
+<array>
+    <string>location</string>
+</array>
+
+Also ensure your app has a visible, user-initiated feature that uses continuous location ` +
+                    `(like run tracking or turn-by-turn navigation).
+
+**Option 2: If you DON'T need Always permission (most apps):**
+
+Switch to When In Use permission instead. Remove the Always description keys and ` +
+                    `use requestWhenInUseAuthorization() instead of requestAlwaysAuthorization().
+
+When In Use permission has a much higher approval rate and is sufficient for most ` +
+                    `location features.
+
+Note: Always permission is heavily scrutinized. Be prepared to justify your use case ` +
+                    `in App Store Review notes.`,
+                documentationURL: 'https://developer.apple.com/documentation/corelocation/choosing_the_location_services_authorization_to_request',
+            }));
+        }
+        // Case 2: Has background mode but check for suspicious patterns
+        else {
+            const alwaysDesc = context.plistString('NSLocationAlwaysAndWhenInUseUsageDescription') ??
+                context.plistString('NSLocationAlwaysUsageDescription');
+            if (alwaysDesc) {
+                const lowercased = alwaysDesc.toLowerCase();
+                const vaguePatterns = ['nearby', 'location services', 'your location', 'we need', 'is required'];
+                const legitimatePatterns = ['track', 'background', 'navigation', 'running', 'workout', 'geofence', 'alert'];
+                const seemsVague = vaguePatterns.some(p => lowercased.includes(p)) &&
+                    !legitimatePatterns.some(p => lowercased.includes(p));
+                if (seemsVague) {
+                    findings.push((0, base_js_1.makeCustomFinding)(this, index_js_1.Severity.Medium, index_js_1.Confidence.Low, {
+                        title: 'Always Location Description May Be Insufficient',
+                        description: `Your Always location description doesn't clearly explain a continuous ` +
+                            `location feature: "${alwaysDesc}". Apple expects clear justification for ` +
+                            `Always permission.`,
+                        location: 'Info.plist',
+                        fixGuidance: `Update your description to clearly explain the continuous location feature:
+
+Good examples:
+- "Track your runs in the background so you can see your complete route."
+- "Provide turn-by-turn directions even when the screen is off."
+- "Send alerts when you arrive at or leave saved locations."
+
+Bad examples:
+- "We use your location" (too vague)
+- "Location is required" (doesn't explain feature)
+- "Show nearby places" (doesn't justify Always)`,
+                        documentationURL: 'https://developer.apple.com/documentation/corelocation/choosing_the_location_services_authorization_to_request',
+                    }));
+                }
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=location-always-unjustified.js.map

package/dist/rules/privacy/location-always-unjustified.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"location-always-unjustified.js","sourceRoot":"","sources":["../../../src/rules/privacy/location-always-unjustified.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,wCAA4D;AAE5D,MAAM,WAAW,GAAG;IAClB,kCAAkC;IAClC,8CAA8C;CAC/C,CAAC;AACF,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AACjD,MAAM,wBAAwB,GAAG,UAAU,CAAC;AAE/B,QAAA,6BAA6B,GAAS;IACjD,EAAE,EAAE,8CAA8C;IAClD,IAAI,EAAE,kDAAkD;IACxD,WAAW,EAAE,uFAAuF;IACpG,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,MAAM;IAC7B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,mDAAmD;QACnD,MAAM,mBAAmB,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;QAE9E,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,+CAA+C;QAC/C,MAAM,eAAe,GAAI,OAAO,CAAC,UAAU,CAAC,oBAAoB,CAAc,IAAI,EAAE,CAAC;QACrF,MAAM,yBAAyB,GAAG,eAAe,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAErF,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,6DAA6D;QAC7D,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAExE,QAAQ,CAAC,IAAI,CAAC,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAC9B,WAAW,EAAE,iDAAiD,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;oBACtF,0FAA0F;oBAC1F,mFAAmF;oBACnF,gCAAgC;gBAClC,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE;;;;;;;;;;;0FAWqE;oBAChF;;;;kFAIwE;oBACxE;;mFAEyE;oBACzE;;sFAE4E;oBAC5E,4BAA4B;gBAC9B,gBAAgB,EAAE,gHAAgH;aACnI,CAAC,CAAC,CAAC;QACN,CAAC;QACD,gEAAgE;aAC3D,CAAC;YACJ,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,8CAA8C,CAAC;gBACnE,OAAO,CAAC,WAAW,CAAC,kCAAkC,CAAC,CAAC;YAE3E,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,UAAU,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;gBAC5C,MAAM,aAAa,GAAG,CAAC,QAAQ,EAAE,mBAAmB,EAAE,eAAe,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;gBACjG,MAAM,kBAAkB,GAAG,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;gBAE5G,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;oBAChD,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBAExE,IAAI,UAAU,EAAE,CAAC;oBACf,QAAQ,CAAC,IAAI,CAAC,IAAA,2BAAiB,EAAC,IAAI,EAAE,mBAAQ,CAAC,MAAM,EAAE,qBAAU,CAAC,GAAG,EAAE;wBACrE,KAAK,EAAE,iDAAiD;wBACxD,WAAW,EAAE,wEAAwE;4BACnF,sBAAsB,UAAU,2CAA2C;4BAC3E,oBAAoB;wBACtB,QAAQ,EAAE,YAAY;wBACtB,WAAW,EAAE;;;;;;;;;;gDAUuB;wBACpC,gBAAgB,EAAE,gHAAgH;qBACnI,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/rules/privacy/missing-camera-purpose.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule: Missing Camera Usage Description
+ *
+ * Detects when an app uses camera-related frameworks but is missing
+ * the required NSCameraUsageDescription in Info.plist.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingCameraPurposeRule: Rule;
+//# sourceMappingURL=missing-camera-purpose.d.ts.map

package/dist/rules/privacy/missing-camera-purpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-camera-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAOvE,eAAO,MAAM,wBAAwB,EAAE,IAiFtC,CAAC"}

package/dist/rules/privacy/missing-camera-purpose.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingCameraPurposeRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const plist_parser_js_1 = require("../../parsers/plist-parser.js");
+const base_js_1 = require("../base.js");
+const CAMERA_FRAMEWORKS = ['AVFoundation', 'AVKit', 'VisionKit'];
+exports.MissingCameraPurposeRule = {
+    id: 'privacy-001-missing-camera-purpose',
+    name: 'Missing Camera Usage Description',
+    description: 'Checks for camera framework usage without NSCameraUsageDescription',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '5.1.1',
+    async evaluate(context) {
+        // Check if any camera-related framework is linked
+        const detectedFrameworks = CAMERA_FRAMEWORKS.filter(f => context.hasFramework(f));
+        if (detectedFrameworks.length === 0) {
+            // No camera framework detected, rule doesn't apply
+            return [];
+        }
+        const cameraDescription = context.plistString('NSCameraUsageDescription');
+        // Case 1: Completely missing
+        if (cameraDescription === undefined) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    description: `Your app links against camera-related frameworks (${detectedFrameworks.join(', ')}) ` +
+                        `but Info.plist is missing NSCameraUsageDescription. Apps that access the camera must ` +
+                        `provide a purpose string explaining why access is needed.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add NSCameraUsageDescription to your Info.plist with a clear, user-facing explanation ` +
+                        `of why your app needs camera access. For example:
+
+<key>NSCameraUsageDescription</key>
+<string>We need access to your camera to take photos for your profile.</string>
+
+The description should explain the specific feature that uses the camera and ` +
+                        `be written from the user's perspective.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscamerausagedescription',
+                }),
+            ];
+        }
+        // Case 2: Empty or whitespace only
+        if (cameraDescription.trim() === '') {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Empty Camera Usage Description',
+                    description: `NSCameraUsageDescription exists in Info.plist but is empty. ` +
+                        `Apple requires a meaningful description explaining why your app needs camera access.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Update NSCameraUsageDescription with a clear, specific explanation of why your app ` +
+                        `needs camera access. Generic or empty descriptions may be rejected.
+
+Good example: "We use your camera to scan QR codes for quick login."
+Bad example: "Camera access required" or ""`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscamerausagedescription',
+                }),
+            ];
+        }
+        // Case 3: Placeholder text detected
+        if ((0, plist_parser_js_1.isPlaceholder)(cameraDescription)) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Placeholder Camera Usage Description',
+                    description: `NSCameraUsageDescription appears to contain placeholder text: "${cameraDescription}". ` +
+                        `Apple requires meaningful, user-facing descriptions.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Replace the placeholder text with a clear explanation of why your app needs camera access. ` +
+                        `The description should be specific to your app's features.
+
+Current value: "${cameraDescription}"
+
+Write a description that helps users understand what feature uses the camera and why.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscamerausagedescription',
+                }),
+            ];
+        }
+        // All checks passed
+        return [];
+    },
+};
+//# sourceMappingURL=missing-camera-purpose.js.map

package/dist/rules/privacy/missing-camera-purpose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-camera-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,MAAM,iBAAiB,GAAG,CAAC,cAAc,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AAEpD,QAAA,wBAAwB,GAAS;IAC5C,EAAE,EAAE,oCAAoC;IACxC,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,oEAAoE;IACjF,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,kDAAkD;QAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAElF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,mDAAmD;YACnD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAE1E,6BAA6B;QAC7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,qDAAqD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBACjG,uFAAuF;wBACvF,2DAA2D;oBAC7D,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,wFAAwF;wBACnG;;;;;8EAKkE;wBAClE,yCAAyC;oBAC3C,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,8DAA8D;wBACzE,sFAAsF;oBACxF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,qFAAqF;wBAChG;;;4CAGgC;oBAClC,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,sCAAsC;oBAC7C,WAAW,EAAE,kEAAkE,iBAAiB,KAAK;wBACnG,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,6FAA6F;wBACxG;;kBAEM,iBAAiB;;sFAEmD;oBAC5E,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/dist/rules/privacy/missing-contacts-purpose.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule: Missing Contacts Usage Description
+ *
+ * Detects when an app uses Contacts framework without the required
+ * NSContactsUsageDescription in Info.plist.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingContactsPurposeRule: Rule;
+//# sourceMappingURL=missing-contacts-purpose.d.ts.map

package/dist/rules/privacy/missing-contacts-purpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-contacts-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-contacts-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAQvE,eAAO,MAAM,0BAA0B,EAAE,IAkFxC,CAAC"}

package/dist/rules/privacy/missing-contacts-purpose.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingContactsPurposeRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const plist_parser_js_1 = require("../../parsers/plist-parser.js");
+const base_js_1 = require("../base.js");
+const CONTACTS_FRAMEWORKS = ['Contacts', 'ContactsUI'];
+const CONTACTS_KEY = 'NSContactsUsageDescription';
+exports.MissingContactsPurposeRule = {
+    id: 'privacy-006-missing-contacts-purpose',
+    name: 'Missing Contacts Usage Description',
+    description: 'Checks for Contacts framework usage without NSContactsUsageDescription',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '5.1.1',
+    async evaluate(context) {
+        // Check if any Contacts-related framework is linked
+        const detectedFrameworks = CONTACTS_FRAMEWORKS.filter(f => context.hasFramework(f));
+        if (detectedFrameworks.length === 0) {
+            return [];
+        }
+        const contactsDescription = context.plistString(CONTACTS_KEY);
+        // Case 1: Completely missing
+        if (contactsDescription === undefined) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    description: `Your app links against contacts frameworks (${detectedFrameworks.join(', ')}) ` +
+                        `but Info.plist is missing NSContactsUsageDescription. Apps that access the user's contacts ` +
+                        `must provide a purpose string explaining why access is needed.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add NSContactsUsageDescription to your Info.plist with a clear, user-facing explanation ` +
+                        `of why your app needs contacts access. For example:
+
+<key>NSContactsUsageDescription</key>
+<string>We use your contacts to help you find friends who are also using the app.</string>
+
+Important: Contact data is considered highly sensitive. Apple scrutinizes apps that request 
+contacts access, so ensure you have a legitimate user-facing feature that requires it.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscontactsusagedescription',
+                }),
+            ];
+        }
+        // Case 2: Empty or whitespace only
+        if (contactsDescription.trim() === '') {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Empty Contacts Usage Description',
+                    description: `NSContactsUsageDescription exists in Info.plist but is empty. ` +
+                        `Apple requires a meaningful description explaining why your app needs contacts access.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Update NSContactsUsageDescription with a clear, specific explanation of why your app ` +
+                        `needs contacts access. Generic or empty descriptions will be rejected.
+
+Good example: "Find friends in your contacts who use the app."
+Bad example: "Contacts access required" or ""
+
+Note: Contacts are sensitive data. Only request access if you have a clear user-facing need.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscontactsusagedescription',
+                }),
+            ];
+        }
+        // Case 3: Placeholder text detected
+        if ((0, plist_parser_js_1.isPlaceholder)(contactsDescription)) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Placeholder Contacts Usage Description',
+                    description: `NSContactsUsageDescription appears to contain placeholder text: "${contactsDescription}". ` +
+                        `Apple requires meaningful, user-facing descriptions.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Replace the placeholder text with a clear explanation of why your app needs contacts access. ` +
+                        `The description should be specific to your app's features.
+
+Current value: "${contactsDescription}"
+
+Write a description that helps users understand what feature uses contacts and why.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nscontactsusagedescription',
+                }),
+            ];
+        }
+        // All checks passed
+        return [];
+    },
+};
+//# sourceMappingURL=missing-contacts-purpose.js.map

package/dist/rules/privacy/missing-contacts-purpose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-contacts-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-contacts-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,MAAM,mBAAmB,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AACvD,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAErC,QAAA,0BAA0B,GAAS;IAC9C,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,oCAAoC;IAC1C,WAAW,EAAE,wEAAwE;IACrF,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,oDAAoD;QACpD,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,mBAAmB,GAAG,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAE9D,6BAA6B;QAC7B,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,+CAA+C,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBAC3F,6FAA6F;wBAC7F,gEAAgE;oBAClE,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,0FAA0F;wBACrG;;;;;;uFAM2E;oBAC7E,gBAAgB,EAAE,gHAAgH;iBACnI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,mBAAmB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACtC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,kCAAkC;oBACzC,WAAW,EAAE,gEAAgE;wBAC3E,wFAAwF;oBAC1F,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,uFAAuF;wBAClG;;;;;6FAKiF;oBACnF,gBAAgB,EAAE,gHAAgH;iBACnI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,mBAAmB,CAAC,EAAE,CAAC;YACvC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,wCAAwC;oBAC/C,WAAW,EAAE,oEAAoE,mBAAmB,KAAK;wBACvG,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,+FAA+F;wBAC1G;;kBAEM,mBAAmB;;oFAE+C;oBAC1E,gBAAgB,EAAE,gHAAgH;iBACnI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/dist/rules/privacy/missing-location-purpose.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Rule: Missing Location Usage Description
+ *
+ * Detects when an app uses location-related frameworks but is missing
+ * the required NSLocationWhenInUseUsageDescription or
+ * NSLocationAlwaysAndWhenInUseUsageDescription in Info.plist.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingLocationPurposeRule: Rule;
+//# sourceMappingURL=missing-location-purpose.d.ts.map

package/dist/rules/privacy/missing-location-purpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-location-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-location-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAUvE,eAAO,MAAM,0BAA0B,EAAE,IAqIxC,CAAC"}