shiplint 0.1.1 → 1.0.0

package/README.md

@@ -1,107 +1,312 @@
 # ShipLint
 
-🛡️ Catch App Store rejections before they happen.
+**ShipLint is a pre-submission linter for iOS apps that catches App Store rejection reasons before you upload.** It scans your `Info.plist`, entitlements, privacy manifests (`PrivacyInfo.xcprivacy`), and `project.pbxproj` files for issues that would trigger ITMS errors or App Review violations — in seconds, from the command line, with zero configuration.
 
-ShipLint scans your iOS project for App Store Review Guideline violations and tells you exactly how to fix them.
+[![npm version](https://img.shields.io/npm/v/shiplint.svg)](https://www.npmjs.com/package/shiplint)
+[![License](https://img.shields.io/npm/l/shiplint.svg)](https://github.com/Signal26AI/ShipLint/blob/main/LICENSE)
 
-## Installation
+---
 
-```bash
-npm install -g shiplint
-```
+## The Problem
 
-Or with npx (no install required):
+According to [Apple's 2024 App Store Transparency Report](https://www.apple.com/legal/more-resources/docs/2024-App-Store-Transparency-Report.pdf), over **7.7 million app submissions** were reviewed in 2024, and approximately **1.9 million were rejected** — roughly 25% of all submissions. The most common reasons? Missing privacy usage descriptions, incomplete entitlements, and absent privacy manifests. These are configuration issues, not code bugs.
 
-```bash
-npx shiplint scan ./MyApp.xcodeproj
-```
+> "I spent three days trying to figure out why my app kept getting rejected. Turned out I was missing `NSCameraUsageDescription` in my Info.plist. Three days for a one-line fix." — iOS indie developer on r/iOSProgramming
 
-## The Problem
+The rejection feedback loop is brutal: **build → archive → upload to App Store Connect → wait for processing → receive rejection email → fix → rebuild → re-upload**. Each cycle takes 10–30 minutes even when you know the fix. When you don't, it can take days.
+
+### Specific ITMS Errors Developers Hit
+
+- **ITMS-90683**: Missing purpose string (e.g., `NSCameraUsageDescription`, `NSMicrophoneUsageDescription`). This is the single most common first-time submission error. [Apple Technical Note TN2151](https://developer.apple.com/documentation/technotes/tn2151-understanding-and-resolving-issues-with-app-distribution)
+- **ITMS-91053**: Missing `PrivacyInfo.xcprivacy` privacy manifest, required since Spring 2024 for apps using [required reason APIs](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api). [WWDC23 Session 10060 — "Get started with privacy manifests"](https://developer.apple.com/videos/play/wwdc2023/10060/)
+- **ITMS-90078**: Missing entitlements for declared capabilities (e.g., Sign in with Apple not configured despite using third-party login). [App Store Review Guideline 4.8](https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple)
+
+### If You Built Your iOS App with AI Assistance, You're Especially at Risk
+
+Tools like **Cursor**, **GitHub Copilot**, and **Claude** generate syntactically correct Swift code — but they frequently miss platform-level configuration. AI doesn't add `NSCameraUsageDescription` to your `Info.plist` when it generates camera code. It doesn't create a `PrivacyInfo.xcprivacy` when it imports an analytics SDK. The code compiles and runs fine in the simulator, but App Store Connect will reject it.
 
-App Store rejections cost time and money:
-- 2-7 day review delays
-- Missed launch windows
-- Frustrated users waiting for updates
+ShipLint catches exactly these gaps.
 
-Common culprits: missing privacy descriptions, Sign in with Apple requirements, tracking compliance — all preventable.
+---
+
+## Quick Start
+
+**No install needed** — run directly with npx:
+
+```bash
+npx shiplint scan ./YourApp
+```
 
-## The Solution
+**Global install** for regular use:
 
-ShipLint catches these issues **before** you submit:
+```bash
+npm install -g shiplint
+```
+
+Then scan any iOS project directory or `.xcodeproj`:
 
 ```bash
-$ shiplint scan ./MyApp.xcodeproj
+shiplint scan ./MyApp.xcodeproj
+```
 
+### Example Output
+
+```
 🛡️  ShipLint Scan Results
 
-🔍 Found 2 issue(s):
+🔍 Found 3 issue(s):
 
-1. [CRITICAL] Missing Camera Usage Description
-   📍 Info.plist • 📋 Guideline 5.1.1
+1. [CRITICAL] missing-camera-purpose
+   📍 Info.plist • 📋 Guideline 5.1.1 • ⚠️ ITMS-90683
    
-   Your app uses AVFoundation but Info.plist is missing 
-   NSCameraUsageDescription...
+   Your app references AVFoundation but Info.plist is missing
+   NSCameraUsageDescription. Apple requires a human-readable
+   explanation of why your app needs camera access.
    
    How to fix:
-   Add NSCameraUsageDescription to your Info.plist...
+   Add to Info.plist:
+   <key>NSCameraUsageDescription</key>
+   <string>This app uses the camera to scan QR codes.</string>
+
+2. [CRITICAL] missing-privacy-manifest
+   📍 Project • 📋 Required Reason API • ⚠️ ITMS-91053
+   
+   Your project uses APIs that require a privacy manifest
+   (PrivacyInfo.xcprivacy) as of Spring 2024. Without it,
+   App Store Connect will reject your binary.
 
-2. [CRITICAL] Third-Party Login Without Sign in with Apple
+3. [WARNING] third-party-login-no-siwa
    📍 Entitlements • 📋 Guideline 4.8
    
-   Your app includes Google Sign-In but Sign in with Apple 
-   is not configured...
+   Your app includes Google Sign-In but Sign in with Apple
+   is not configured in your entitlements.
 ```
 
-## What We Check
+---
+
+## What ShipLint Catches
+
+ShipLint ships with **15 rules** covering the most common App Store rejection reasons. Each rule maps directly to an Apple guideline and specific ITMS error code.
+
+### Privacy Usage Descriptions — [App Store Review Guideline 5.1.1](https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage)
+
+These rules prevent **ITMS-90683** ("Missing purpose string in Info.plist"). Apple requires every app that accesses protected resources to declare a human-readable usage description. If you use the API but don't include the string, App Store Connect rejects your binary automatically — no human review needed.
+
+| Rule | Info.plist Key | What It Catches |
+|------|---------------|-----------------|
+| `missing-camera-purpose` | `NSCameraUsageDescription` | App uses AVFoundation/camera APIs without declaring why |
+| `missing-microphone-purpose` | `NSMicrophoneUsageDescription` | App uses audio recording APIs without declaring why |
+| `missing-location-purpose` | `NSLocationWhenInUseUsageDescription` | App uses CoreLocation without declaring why |
+| `missing-photo-library-purpose` | `NSPhotoLibraryUsageDescription` | App accesses Photos without declaring why |
+| `missing-contacts-purpose` | `NSContactsUsageDescription` | App accesses Contacts without declaring why |
+| `missing-bluetooth-purpose` | `NSBluetoothAlwaysUsageDescription` | App uses CoreBluetooth without declaring why |
+| `missing-face-id-purpose` | `NSFaceIDUsageDescription` | App uses LocalAuthentication (Face ID) without declaring why |
+| `location-always-unjustified` | `NSLocationAlwaysAndWhenInUseUsageDescription` | App requests "Always" location without sufficient justification — almost always rejected per [Guideline 5.1.2](https://developer.apple.com/app-store/review/guidelines/#data-use-and-sharing) |
+
+### App Tracking Transparency — [Guideline 5.1.2](https://developer.apple.com/app-store/review/guidelines/#data-use-and-sharing)
+
+| Rule | What It Catches |
+|------|-----------------|
+| `att-tracking-mismatch` | App imports `AdSupport` or `AppTrackingTransparency` framework but `Info.plist` is missing `NSUserTrackingUsageDescription`. Required since iOS 14.5. [Apple ATT documentation](https://developer.apple.com/documentation/apptrackingtransparency) |
 
-| Category | Rules |
-|----------|-------|
-| **Privacy** | Camera, Location, Microphone, Photos, Contacts usage descriptions |
-| **Tracking** | ATT compliance, tracking SDK detection |
-| **Authentication** | Sign in with Apple requirements |
-| **Security** | App Transport Security, Privacy Manifests (iOS 17+) |
+### Sign in with Apple — [Guideline 4.8](https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple)
 
-10 rules today, more coming weekly.
+| Rule | What It Catches |
+|------|-----------------|
+| `third-party-login-no-siwa` | App uses a third-party login SDK (Google, Facebook, etc.) but Sign in with Apple is not configured. Required since [WWDC19](https://developer.apple.com/videos/play/wwdc2019/706/) for apps offering third-party sign-in. |
 
-## Usage
+### App Transport Security — [Guideline 2.1](https://developer.apple.com/app-store/review/guidelines/#performance)
+
+| Rule | What It Catches |
+|------|-----------------|
+| `ats-exception-without-justification` | App sets `NSAllowsArbitraryLoads = YES` or declares ATS exceptions without justification. Apple expects all network traffic to use HTTPS. [Apple ATS documentation](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity) |
+
+### Privacy Manifests (iOS 17+) — [WWDC23](https://developer.apple.com/videos/play/wwdc2023/10060/)
+
+| Rule | What It Catches |
+|------|-----------------|
+| `missing-privacy-manifest` | Project uses [required reason APIs](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api) (UserDefaults, file timestamps, etc.) or third-party SDKs that require a `PrivacyInfo.xcprivacy` file. Enforced by App Store Connect since Spring 2024 via **ITMS-91053**. |
+
+### Export Compliance — [Apple Export Compliance](https://developer.apple.com/documentation/bundleresources/information_property_list/itsappusesnonexemptencryption)
+
+| Rule | Info.plist Key | What It Catches |
+|------|---------------|-----------------|
+| `missing-encryption-flag` | `ITSAppUsesNonExemptEncryption` | Missing export compliance declaration. Without this key, App Store Connect prompts for manual compliance answers on every upload — adding friction and potential delays. Set to `false` if your app only uses HTTPS or standard iOS encryption. |
+
+### Launch Configuration — [Guideline 4.0 (Design)](https://developer.apple.com/app-store/review/guidelines/#design)
+
+| Rule | Info.plist Key | What It Catches |
+|------|---------------|-----------------|
+| `missing-launch-storyboard` | `UILaunchStoryboardName` | Missing launch storyboard. Required since April 2020 for all iOS apps to support all screen sizes. Apps without this key are rejected. |
+
+### App Configuration — [Guideline 4.0 (Design)](https://developer.apple.com/app-store/review/guidelines/#design)
+
+| Rule | Info.plist Key | What It Catches |
+|------|---------------|-----------------|
+| `missing-supported-orientations` | `UISupportedInterfaceOrientations` | Missing interface orientation declaration. Apps should explicitly declare which orientations they support to avoid UI issues on different devices. |
+
+---
+
+## How It Works
+
+ShipLint is a **static analysis tool** — it parses your project files directly without building or running your app. A scan completes in under 2 seconds.
+
+**Files ShipLint reads:**
+
+| File | What ShipLint Looks For |
+|------|------------------------|
+| `Info.plist` | Privacy usage descriptions (`NS*UsageDescription`), ATS configuration, tracking declarations |
+| `*.entitlements` | Sign in with Apple capability, associated domains |
+| `project.pbxproj` | Framework imports (AVFoundation, CoreLocation, AdSupport), build settings |
+| `PrivacyInfo.xcprivacy` | Privacy manifest existence and required reason API declarations |
+| `Podfile.lock` / `Package.resolved` | Third-party SDK detection (analytics, login, tracking SDKs) |
+
+**Output formats:**
 
 ```bash
-# Scan an Xcode project
-shiplint scan ./MyApp.xcodeproj
+# Human-readable (default)
+shiplint scan ./MyApp
+
+# JSON (for scripting)
+shiplint scan ./MyApp --format json
+
+# SARIF (for GitHub Code Scanning integration)
+shiplint scan ./MyApp --format sarif
+```
+
+---
+
+## CI/CD Integration
+
+### GitHub Actions
+
+Add ShipLint to your CI pipeline to catch rejection-causing issues on every push:
+
+```yaml
+name: ShipLint
+on: [push, pull_request]
+
+jobs:
+  shiplint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      
+      - name: Run ShipLint
+        run: npx shiplint scan ./ios --format sarif > shiplint.sarif
+      
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: shiplint.sarif
+```
+
+### Generic CI
+
+```bash
+# Fails with exit code 1 if critical issues found
+npx shiplint scan ./ios --format json
+
+# Use in any CI system
+if ! npx shiplint scan ./ios; then
+  echo "ShipLint found App Store rejection risks. Fix before merging."
+  exit 1
+fi
+```
+
+---
+
+## FAQ
+
+### How is ShipLint different from Fastlane Precheck?
+
+ShipLint and [Fastlane Precheck](https://docs.fastlane.tools/actions/precheck/) solve different problems and work well together. **Fastlane Precheck** validates your App Store Connect metadata — app descriptions, keywords, screenshots, and age ratings. It checks what users *see* on your store listing. **ShipLint** validates your actual Xcode project files — `Info.plist`, entitlements, `PrivacyInfo.xcprivacy`, and `project.pbxproj`. It checks what Apple's automated systems scan in your *binary*. You should use both: ShipLint before you build, Precheck before you submit.
+
+### Does ShipLint replace Xcode's built-in validation?
 
-# Scan a directory
-shiplint scan ./ios
+No. Xcode's "Validate App" runs at archive/upload time, after you've already spent 5–15 minutes building and archiving. It also only catches a subset of issues — it validates the binary but won't flag missing `NSCameraUsageDescription` until App Review. **ShipLint runs in under 2 seconds** against your source files, catching issues before you even open Xcode. Think of it as a linter (like ESLint for JavaScript) versus a compiler — you want both, but the linter saves you from slow feedback loops.
 
-# Output as JSON
-shiplint scan ./MyApp.xcodeproj --format json
+### Can ShipLint check apps built with Cursor, Copilot, or other AI coding tools?
+
+Yes — and this is one of ShipLint's most valuable use cases. AI code generation tools like **Cursor**, **GitHub Copilot**, and **Claude** produce syntactically valid Swift and SwiftUI code, but they routinely miss iOS platform configuration requirements. A typical pattern: the AI generates camera capture code using `AVCaptureSession`, but doesn't add `NSCameraUsageDescription` to `Info.plist`. The code compiles, runs in the simulator, and looks perfect — until App Store Connect rejects it with ITMS-90683. ShipLint catches these configuration gaps automatically.
+
+### What ITMS errors does ShipLint prevent?
+
+ShipLint's rules are designed to prevent the most common automated rejection errors from App Store Connect:
+
+- **ITMS-90683** — Missing purpose string (`NSCameraUsageDescription`, `NSMicrophoneUsageDescription`, `NSLocationWhenInUseUsageDescription`, `NSPhotoLibraryUsageDescription`, `NSContactsUsageDescription`, `NSUserTrackingUsageDescription`). Prevented by ShipLint's six `missing-*-purpose` rules and the `att-tracking-mismatch` rule.
+- **ITMS-91053** — Missing privacy manifest (`PrivacyInfo.xcprivacy`). Prevented by the `missing-privacy-manifest` rule.
+- **ITMS-90078** — Missing or misconfigured entitlements. Prevented by the `third-party-login-no-siwa` rule.
+
+ShipLint also catches issues that trigger human reviewer rejections under Guidelines [2.1](https://developer.apple.com/app-store/review/guidelines/#performance), [4.8](https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple), and [5.1.1](https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage).
+
+### Does ShipLint work with React Native, Flutter, or Expo?
+
+ShipLint scans the native iOS project files regardless of what generated them. If your React Native, Flutter, or Expo project has an `ios/` directory with `Info.plist` and `project.pbxproj`, ShipLint can scan it. Point it at your `ios/` folder:
+
+```bash
+npx shiplint scan ./ios
 ```
 
-## Rules (10 and growing)
+### Is ShipLint open source?
 
-**Privacy (Guideline 5.1.1)**
-- `missing-camera-purpose` - Camera usage without NSCameraUsageDescription
-- `missing-microphone-purpose` - Microphone usage without NSMicrophoneUsageDescription  
-- `missing-location-purpose` - Location usage without NSLocationUsageDescription
-- `missing-photo-library-purpose` - Photo library usage without NSPhotoLibraryUsageDescription
-- `missing-contacts-purpose` - Contacts usage without NSContactsUsageDescription
-- `location-always-unjustified` - "Always" location without proper justification
-- `att-tracking-mismatch` - ATT framework without NSUserTrackingUsageDescription
+ShipLint's CLI scanner is distributed via npm. The rule definitions and scanning engine are designed to be transparent — you can see exactly what each rule checks and why. Visit the [GitHub repository](https://github.com/Signal26AI/ShipLint) for source code and issue tracking.
 
-**Authentication (Guideline 4.8)**
-- `third-party-login-no-siwa` - Third-party login without Sign in with Apple
+---
 
-**Security (Guideline 2.1)**
-- `ats-exception-without-justification` - App Transport Security exceptions
+## Comparison: iOS Submission Checking Tools
 
-**Metadata (iOS 17+)**
-- `missing-privacy-manifest` - Missing PrivacyInfo.xcprivacy for required APIs
+Different tools cover different layers of the submission process. Here's where ShipLint fits:
 
-## Coming Soon
+| Capability | ShipLint | Fastlane Precheck | Xcode Validate | Manual Review |
+|---|---|---|---|---|
+| **When it runs** | Before build (2s) | Before submission | At upload (10-30 min) | After upload (1-7 days) |
+| **Privacy usage descriptions** (NSCameraUsageDescription, etc.) | ✅ | ❌ | ❌¹ | ✅ |
+| **Privacy manifest** (PrivacyInfo.xcprivacy) | ✅ | ❌ | ✅ | ✅ |
+| **Sign in with Apple** requirement | ✅ | ❌ | ❌ | ✅ |
+| **App Transport Security** | ✅ | ❌ | ❌ | ✅ |
+| **ATT / Tracking compliance** | ✅ | ❌ | ❌ | ✅ |
+| **App Store metadata** (descriptions, keywords) | ❌ | ✅ | ❌ | ✅ |
+| **Screenshot validation** | ❌ | ✅ | ❌ | ✅ |
+| **Binary architecture** | ❌ | ❌ | ✅ | ❌ |
+| **Code signing** | ❌ | ❌ | ✅ | ❌ |
+| **CI/CD integration** | ✅ | ✅ | ❌ | ❌ |
+| **Works without Xcode** | ✅ | ✅ | ❌ | N/A |
 
-**ShipLint GitHub App** — automatic PR checks, no setup required.
+¹ *Xcode shows warnings at build time for some missing keys but does not block the archive/upload process.*
 
-Join the waitlist: [shiplint.dev](https://shiplint.dev)
+**The ideal pipeline:** ShipLint (project files) → Xcode Validate (binary) → Fastlane Precheck (metadata) → Submit.
 
 ---
 
-© 2026 Signal26. All rights reserved.
+## Requirements
+
+- **Node.js** 18 or later
+- Works on macOS, Linux, and Windows (CI-friendly — no Xcode required)
+
+---
+
+## Links
+
+- 🌐 **Website:** [shiplint.app](https://shiplint.app)
+- 📦 **npm:** [npmjs.com/package/shiplint](https://www.npmjs.com/package/shiplint)
+- 💻 **GitHub:** [github.com/Signal26AI/ShipLint](https://github.com/Signal26AI/ShipLint)
+- 🐛 **Issues:** [github.com/Signal26AI/ShipLint/issues](https://github.com/Signal26AI/ShipLint/issues)
+
+---
+
+## Contributing
+
+Found a rule that's missing? An ITMS error you keep hitting? [Open an issue](https://github.com/Signal26AI/ShipLint/issues) — we add new rules based on real-world rejection patterns.
+
+---
+
+## License
+
+© 2025–2026 [Signal26](https://signal26.dev). All rights reserved.

package/dist/rules/config/index.d.ts

@@ -2,4 +2,6 @@
  * Config rules exports
  */
 export { ATSExceptionWithoutJustificationRule } from './ats-exception-without-justification.js';
+export { MissingEncryptionFlagRule } from './missing-encryption-flag.js';
+export { MissingLaunchStoryboardRule } from './missing-launch-storyboard.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/rules/config/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/config/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,oCAAoC,EAAE,MAAM,0CAA0C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/config/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,oCAAoC,EAAE,MAAM,0CAA0C,CAAC;AAChG,OAAO,EAAE,yBAAyB,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAC"}

package/dist/rules/config/index.js

@@ -1,9 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ATSExceptionWithoutJustificationRule = void 0;
+exports.MissingLaunchStoryboardRule = exports.MissingEncryptionFlagRule = exports.ATSExceptionWithoutJustificationRule = void 0;
 /**
  * Config rules exports
  */
 var ats_exception_without_justification_js_1 = require("./ats-exception-without-justification.js");
 Object.defineProperty(exports, "ATSExceptionWithoutJustificationRule", { enumerable: true, get: function () { return ats_exception_without_justification_js_1.ATSExceptionWithoutJustificationRule; } });
+var missing_encryption_flag_js_1 = require("./missing-encryption-flag.js");
+Object.defineProperty(exports, "MissingEncryptionFlagRule", { enumerable: true, get: function () { return missing_encryption_flag_js_1.MissingEncryptionFlagRule; } });
+var missing_launch_storyboard_js_1 = require("./missing-launch-storyboard.js");
+Object.defineProperty(exports, "MissingLaunchStoryboardRule", { enumerable: true, get: function () { return missing_launch_storyboard_js_1.MissingLaunchStoryboardRule; } });
 //# sourceMappingURL=index.js.map

package/dist/rules/config/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/config/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,mGAAgG;AAAvF,8JAAA,oCAAoC,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/config/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,mGAAgG;AAAvF,8JAAA,oCAAoC,OAAA;AAC7C,2EAAyE;AAAhE,uIAAA,yBAAyB,OAAA;AAClC,+EAA6E;AAApE,2IAAA,2BAA2B,OAAA"}

package/dist/rules/config/missing-encryption-flag.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Rule: Missing Export Compliance Flag
+ *
+ * Detects when an app is missing the ITSAppUsesNonExemptEncryption key
+ * in Info.plist. Without this key, App Store Connect prompts for export
+ * compliance information on every upload, causing friction and delays.
+ *
+ * Export Compliance Documentation
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingEncryptionFlagRule: Rule;
+//# sourceMappingURL=missing-encryption-flag.d.ts.map

package/dist/rules/config/missing-encryption-flag.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-encryption-flag.d.ts","sourceRoot":"","sources":["../../../src/rules/config/missing-encryption-flag.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAIvE,eAAO,MAAM,yBAAyB,EAAE,IAmCvC,CAAC"}

package/dist/rules/config/missing-encryption-flag.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingEncryptionFlagRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const base_js_1 = require("../base.js");
+exports.MissingEncryptionFlagRule = {
+    id: 'config-002-missing-encryption-flag',
+    name: 'Missing Export Compliance Flag',
+    description: 'Checks for missing ITSAppUsesNonExemptEncryption in Info.plist',
+    category: index_js_1.RuleCategory.Config,
+    severity: index_js_1.Severity.Medium,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: 'Export Compliance',
+    async evaluate(context) {
+        // If the key exists (true or false), the developer has declared their intent
+        if (context.hasPlistKey('ITSAppUsesNonExemptEncryption')) {
+            return [];
+        }
+        return [
+            (0, base_js_1.makeFinding)(this, {
+                description: `Your Info.plist is missing the ITSAppUsesNonExemptEncryption key. ` +
+                    `Without this key, App Store Connect will prompt you to answer export compliance ` +
+                    `questions manually on every single upload. This causes friction and potential delays ` +
+                    `in your submission workflow.`,
+                location: 'Info.plist',
+                fixGuidance: `Add the ITSAppUsesNonExemptEncryption key to your Info.plist. If your app ` +
+                    `only uses HTTPS/URLSession or standard iOS encryption (most apps), set it to false:
+
+<key>ITSAppUsesNonExemptEncryption</key>
+<false/>
+
+Set it to true only if your app uses custom encryption algorithms beyond standard HTTPS ` +
+                    `(e.g., proprietary encryption, custom TLS implementations). In that case, you'll also ` +
+                    `need to submit export compliance documentation to Apple.`,
+                documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/itsappusesnonexemptencryption',
+            }),
+        ];
+    },
+};
+//# sourceMappingURL=missing-encryption-flag.js.map

package/dist/rules/config/missing-encryption-flag.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-encryption-flag.js","sourceRoot":"","sources":["../../../src/rules/config/missing-encryption-flag.ts"],"names":[],"mappings":";;;AAUA,mDAA0E;AAC1E,wCAAyC;AAE5B,QAAA,yBAAyB,GAAS;IAC7C,EAAE,EAAE,oCAAoC;IACxC,IAAI,EAAE,gCAAgC;IACtC,WAAW,EAAE,gEAAgE;IAC7E,QAAQ,EAAE,uBAAY,CAAC,MAAM;IAC7B,QAAQ,EAAE,mBAAQ,CAAC,MAAM;IACzB,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,mBAAmB;IAEvC,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,6EAA6E;QAC7E,IAAI,OAAO,CAAC,WAAW,CAAC,+BAA+B,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO;YACL,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAChB,WAAW,EAAE,oEAAoE;oBAC/E,kFAAkF;oBAClF,uFAAuF;oBACvF,8BAA8B;gBAChC,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE,4EAA4E;oBACvF;;;;;yFAK+E;oBAC/E,wFAAwF;oBACxF,0DAA0D;gBAC5D,gBAAgB,EAAE,mHAAmH;aACtI,CAAC;SACH,CAAC;IACJ,CAAC;CACF,CAAC"}

package/dist/rules/config/missing-launch-storyboard.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Rule: Missing Launch Storyboard
+ *
+ * Detects when an app is missing UILaunchStoryboardName in Info.plist.
+ * Since April 2020, all apps submitted to the App Store must use a
+ * launch storyboard to support all screen sizes.
+ *
+ * App Store Review Guideline: 4.0 (Design)
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingLaunchStoryboardRule: Rule;
+//# sourceMappingURL=missing-launch-storyboard.d.ts.map

package/dist/rules/config/missing-launch-storyboard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-launch-storyboard.d.ts","sourceRoot":"","sources":["../../../src/rules/config/missing-launch-storyboard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAIvE,eAAO,MAAM,2BAA2B,EAAE,IAqCzC,CAAC"}

package/dist/rules/config/missing-launch-storyboard.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingLaunchStoryboardRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const base_js_1 = require("../base.js");
+exports.MissingLaunchStoryboardRule = {
+    id: 'config-003-missing-launch-storyboard',
+    name: 'Missing Launch Storyboard',
+    description: 'Checks for missing UILaunchStoryboardName in Info.plist',
+    category: index_js_1.RuleCategory.Config,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '4.0',
+    async evaluate(context) {
+        // Only flag if the key is completely absent.
+        // An empty string is valid (SwiftUI lifecycle apps use empty UILaunchStoryboardName).
+        if (context.hasPlistKey('UILaunchStoryboardName')) {
+            return [];
+        }
+        return [
+            (0, base_js_1.makeFinding)(this, {
+                description: `Your Info.plist is missing the UILaunchStoryboardName key. Since April 2020, ` +
+                    `all apps submitted to the App Store must include a launch storyboard to support ` +
+                    `all device screen sizes. Apps without a launch storyboard will be rejected.`,
+                location: 'Info.plist',
+                fixGuidance: `Add UILaunchStoryboardName to your Info.plist pointing to your launch storyboard:
+
+<key>UILaunchStoryboardName</key>
+<string>LaunchScreen</string>
+
+If you're using a SwiftUI app lifecycle, set it to an empty string — Xcode typically ` +
+                    `handles this automatically. Make sure a corresponding LaunchScreen.storyboard file ` +
+                    `exists in your project.
+
+Note: Launch images (UILaunchImages / asset catalog launch images) are no longer accepted ` +
+                    `as a substitute for launch storyboards.`,
+                documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/uilaunchstoryboardname',
+            }),
+        ];
+    },
+};
+//# sourceMappingURL=missing-launch-storyboard.js.map

package/dist/rules/config/missing-launch-storyboard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-launch-storyboard.js","sourceRoot":"","sources":["../../../src/rules/config/missing-launch-storyboard.ts"],"names":[],"mappings":";;;AAUA,mDAA0E;AAC1E,wCAAyC;AAE5B,QAAA,2BAA2B,GAAS;IAC/C,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,2BAA2B;IACjC,WAAW,EAAE,yDAAyD;IACtE,QAAQ,EAAE,uBAAY,CAAC,MAAM;IAC7B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,KAAK;IAEzB,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,6CAA6C;QAC7C,sFAAsF;QACtF,IAAI,OAAO,CAAC,WAAW,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAClD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO;YACL,IAAA,qBAAW,EAAC,IAAI,EAAE;gBAChB,WAAW,EAAE,+EAA+E;oBAC1F,kFAAkF;oBAClF,6EAA6E;gBAC/E,QAAQ,EAAE,YAAY;gBACtB,WAAW,EAAE;;;;;sFAKiE;oBAC5E,qFAAqF;oBACrF;;2FAEiF;oBACjF,yCAAyC;gBAC3C,gBAAgB,EAAE,4GAA4G;aAC/H,CAAC;SACH,CAAC;IACJ,CAAC;CACF,CAAC"}

package/dist/rules/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAG9C,cAAc,oBAAoB,CAAC;AAGnC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,qBAAqB,CAAC;AAGpC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,WAAW,CAAC;AAc1B;;GAEG;AACH,eAAO,MAAM,QAAQ,EAAE,IAAI,EAW1B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAE1C,CAAC;AAEF;;GAEG;AACH,wBAAgB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAEpD;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAkBvE;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,CAG9D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAG9C,cAAc,oBAAoB,CAAC;AAGnC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,qBAAqB,CAAC;AAGpC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,WAAW,CAAC;AAmB1B;;GAEG;AACH,eAAO,MAAM,QAAQ,EAAE,IAAI,EAgB1B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAE1C,CAAC;AAEF;;GAEG;AACH,wBAAgB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAEpD;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAkBvE;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,CAG9D"}

package/dist/rules/index.js

@@ -40,6 +40,11 @@ const missing_contacts_purpose_js_1 = require("./privacy/missing-contacts-purpos
 const third_party_login_no_siwa_js_1 = require("./auth/third-party-login-no-siwa.js");
 const missing_privacy_manifest_js_1 = require("./metadata/missing-privacy-manifest.js");
 const ats_exception_without_justification_js_1 = require("./config/ats-exception-without-justification.js");
+const missing_encryption_flag_js_1 = require("./config/missing-encryption-flag.js");
+const missing_launch_storyboard_js_1 = require("./config/missing-launch-storyboard.js");
+const missing_bluetooth_purpose_js_1 = require("./privacy/missing-bluetooth-purpose.js");
+const missing_face_id_purpose_js_1 = require("./privacy/missing-face-id-purpose.js");
+const missing_supported_orientations_js_1 = require("./metadata/missing-supported-orientations.js");
 /**
  * All available rules
  */
@@ -51,9 +56,14 @@ exports.allRules = [
     missing_photo_library_purpose_js_1.MissingPhotoLibraryPurposeRule,
     missing_microphone_purpose_js_1.MissingMicrophonePurposeRule,
     missing_contacts_purpose_js_1.MissingContactsPurposeRule,
+    missing_bluetooth_purpose_js_1.MissingBluetoothPurposeRule,
+    missing_face_id_purpose_js_1.MissingFaceIdPurposeRule,
     third_party_login_no_siwa_js_1.ThirdPartyLoginNoSIWARule,
     missing_privacy_manifest_js_1.MissingPrivacyManifestRule,
+    missing_supported_orientations_js_1.MissingSupportedOrientationsRule,
     ats_exception_without_justification_js_1.ATSExceptionWithoutJustificationRule,
+    missing_encryption_flag_js_1.MissingEncryptionFlagRule,
+    missing_launch_storyboard_js_1.MissingLaunchStoryboardRule,
 ];
 /**
  * Rule registry - maps rule IDs to rule instances

package/dist/rules/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AA0DA,0BAEC;AAcD,wDAkBC;AAMD,4BAEC;AAKD,8CAGC;AAvGD,gBAAgB;AAChB,qDAAmC;AAEnC,aAAa;AACb,kDAAgC;AAEhC,iBAAiB;AACjB,sDAAoC;AAEpC,eAAe;AACf,oDAAkC;AAElC,iBAAiB;AACjB,4CAA0B;AAE1B,gCAAgC;AAChC,mFAA+E;AAC/E,uFAAmF;AACnF,6FAAyF;AACzF,iFAA6E;AAC7E,iGAA4F;AAC5F,2FAAuF;AACvF,uFAAmF;AACnF,sFAAgF;AAChF,wFAAoF;AACpF,4GAAuG;AAEvG;;GAEG;AACU,QAAA,QAAQ,GAAW;IAC9B,oDAAwB;IACxB,wDAA0B;IAC1B,8DAA6B;IAC7B,kDAAuB;IACvB,iEAA8B;IAC9B,4DAA4B;IAC5B,wDAA0B;IAC1B,wDAAyB;IACzB,wDAA0B;IAC1B,6EAAoC;CACrC,CAAC;AAEF;;GAEG;AACU,QAAA,YAAY,GAAsB,IAAI,GAAG,CACpD,gBAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CACtC,CAAC;AAEF;;GAEG;AACH,SAAgB,OAAO,CAAC,EAAU;IAChC,OAAO,oBAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAC9B,CAAC;AAUD;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,GAAc;IACnD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,KAAK,EAAE,gBAAQ,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,KAAK,GAAW,EAAE,CAAC;IACzB,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,oBAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,IAAI,EAAE,CAAC;YACT,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAgB,QAAQ,CAAC,GAAc;IACrC,OAAO,sBAAsB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,UAAoB;IACpD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,OAAO,gBAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAoEA,0BAEC;AAcD,wDAkBC;AAMD,4BAEC;AAKD,8CAGC;AAjHD,gBAAgB;AAChB,qDAAmC;AAEnC,aAAa;AACb,kDAAgC;AAEhC,iBAAiB;AACjB,sDAAoC;AAEpC,eAAe;AACf,oDAAkC;AAElC,iBAAiB;AACjB,4CAA0B;AAE1B,gCAAgC;AAChC,mFAA+E;AAC/E,uFAAmF;AACnF,6FAAyF;AACzF,iFAA6E;AAC7E,iGAA4F;AAC5F,2FAAuF;AACvF,uFAAmF;AACnF,sFAAgF;AAChF,wFAAoF;AACpF,4GAAuG;AACvG,oFAAgF;AAChF,wFAAoF;AACpF,yFAAqF;AACrF,qFAAgF;AAChF,oGAAgG;AAEhG;;GAEG;AACU,QAAA,QAAQ,GAAW;IAC9B,oDAAwB;IACxB,wDAA0B;IAC1B,8DAA6B;IAC7B,kDAAuB;IACvB,iEAA8B;IAC9B,4DAA4B;IAC5B,wDAA0B;IAC1B,0DAA2B;IAC3B,qDAAwB;IACxB,wDAAyB;IACzB,wDAA0B;IAC1B,oEAAgC;IAChC,6EAAoC;IACpC,sDAAyB;IACzB,0DAA2B;CAC5B,CAAC;AAEF;;GAEG;AACU,QAAA,YAAY,GAAsB,IAAI,GAAG,CACpD,gBAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CACtC,CAAC;AAEF;;GAEG;AACH,SAAgB,OAAO,CAAC,EAAU;IAChC,OAAO,oBAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAC9B,CAAC;AAUD;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,GAAc;IACnD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,KAAK,EAAE,gBAAQ,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,KAAK,GAAW,EAAE,CAAC;IACzB,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,oBAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,IAAI,EAAE,CAAC;YACT,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAgB,QAAQ,CAAC,GAAc;IACrC,OAAO,sBAAsB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,UAAoB;IACpD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,OAAO,gBAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/rules/metadata/index.d.ts

@@ -2,4 +2,5 @@
  * Metadata rules exports
  */
 export { MissingPrivacyManifestRule } from './missing-privacy-manifest.js';
+export { MissingSupportedOrientationsRule } from './missing-supported-orientations.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/rules/metadata/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/metadata/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/metadata/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,qCAAqC,CAAC"}

package/dist/rules/metadata/index.js

@@ -1,9 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MissingPrivacyManifestRule = void 0;
+exports.MissingSupportedOrientationsRule = exports.MissingPrivacyManifestRule = void 0;
 /**
  * Metadata rules exports
  */
 var missing_privacy_manifest_js_1 = require("./missing-privacy-manifest.js");
 Object.defineProperty(exports, "MissingPrivacyManifestRule", { enumerable: true, get: function () { return missing_privacy_manifest_js_1.MissingPrivacyManifestRule; } });
+var missing_supported_orientations_js_1 = require("./missing-supported-orientations.js");
+Object.defineProperty(exports, "MissingSupportedOrientationsRule", { enumerable: true, get: function () { return missing_supported_orientations_js_1.MissingSupportedOrientationsRule; } });
 //# sourceMappingURL=index.js.map

package/dist/rules/metadata/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/metadata/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/metadata/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA;AACnC,yFAAuF;AAA9E,qJAAA,gCAAgC,OAAA"}

package/dist/rules/metadata/missing-supported-orientations.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Rule: Missing Supported Orientations
+ *
+ * Detects when an app is missing UISupportedInterfaceOrientations in Info.plist.
+ * Apps must declare supported orientations to ensure correct behavior across
+ * all device types and screen sizes.
+ *
+ * App Store Review Guideline: 4.0 (Design)
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingSupportedOrientationsRule: Rule;
+//# sourceMappingURL=missing-supported-orientations.d.ts.map

package/dist/rules/metadata/missing-supported-orientations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-supported-orientations.d.ts","sourceRoot":"","sources":["../../../src/rules/metadata/missing-supported-orientations.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAIvE,eAAO,MAAM,gCAAgC,EAAE,IAiE9C,CAAC"}

package/dist/rules/metadata/missing-supported-orientations.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingSupportedOrientationsRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const base_js_1 = require("../base.js");
+exports.MissingSupportedOrientationsRule = {
+    id: 'metadata-002-missing-supported-orientations',
+    name: 'Missing Supported Orientations',
+    description: 'Checks for missing UISupportedInterfaceOrientations in Info.plist',
+    category: index_js_1.RuleCategory.Metadata,
+    severity: index_js_1.Severity.Medium,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '4.0',
+    async evaluate(context) {
+        const orientations = context.plistArray('UISupportedInterfaceOrientations');
+        // Case 1: Key completely missing
+        if (orientations === undefined) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    description: `Your Info.plist is missing the UISupportedInterfaceOrientations key. ` +
+                        `Apps should declare which interface orientations they support to ensure correct ` +
+                        `behavior across all device types. Without this key, Apple's defaults may not match ` +
+                        `your app's intended behavior, which can lead to UI issues and potential rejection.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add UISupportedInterfaceOrientations to your Info.plist with the orientations ` +
+                        `your app supports:
+
+<key>UISupportedInterfaceOrientations</key>
+<array>
+    <string>UIInterfaceOrientationPortrait</string>
+</array>
+
+Common orientation values:
+- UIInterfaceOrientationPortrait
+- UIInterfaceOrientationPortraitUpsideDown
+- UIInterfaceOrientationLandscapeLeft
+- UIInterfaceOrientationLandscapeRight
+
+For iPad, also consider adding UISupportedInterfaceOrientations~ipad with ` +
+                        `all four orientations (iPad apps are expected to support all orientations).`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/uisupportedinterfaceorientations',
+                }),
+            ];
+        }
+        // Case 2: Empty array
+        if (orientations.length === 0) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Empty Supported Orientations',
+                    description: `UISupportedInterfaceOrientations exists in Info.plist but is an empty array. ` +
+                        `Your app must declare at least one supported orientation.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add at least one orientation to UISupportedInterfaceOrientations:
+
+<key>UISupportedInterfaceOrientations</key>
+<array>
+    <string>UIInterfaceOrientationPortrait</string>
+</array>
+
+Most apps should support at minimum UIInterfaceOrientationPortrait.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/uisupportedinterfaceorientations',
+                }),
+            ];
+        }
+        return [];
+    },
+};
+//# sourceMappingURL=missing-supported-orientations.js.map

package/dist/rules/metadata/missing-supported-orientations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-supported-orientations.js","sourceRoot":"","sources":["../../../src/rules/metadata/missing-supported-orientations.ts"],"names":[],"mappings":";;;AAUA,mDAA0E;AAC1E,wCAAyC;AAE5B,QAAA,gCAAgC,GAAS;IACpD,EAAE,EAAE,6CAA6C;IACjD,IAAI,EAAE,gCAAgC;IACtC,WAAW,EAAE,mEAAmE;IAChF,QAAQ,EAAE,uBAAY,CAAC,QAAQ;IAC/B,QAAQ,EAAE,mBAAQ,CAAC,MAAM;IACzB,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,KAAK;IAEzB,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,kCAAkC,CAAC,CAAC;QAE5E,iCAAiC;QACjC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,uEAAuE;wBAClF,kFAAkF;wBAClF,qFAAqF;wBACrF,oFAAoF;oBACtF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,gFAAgF;wBAC3F;;;;;;;;;;;;;2EAa+D;wBAC/D,6EAA6E;oBAC/E,gBAAgB,EAAE,sHAAsH;iBACzI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,8BAA8B;oBACrC,WAAW,EAAE,+EAA+E;wBAC1F,2DAA2D;oBAC7D,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE;;;;;;;oEAO6C;oBAC1D,gBAAgB,EAAE,sHAAsH;iBACzI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/dist/rules/privacy/index.d.ts

@@ -8,4 +8,6 @@ export { ATTTrackingMismatchRule } from './att-tracking-mismatch.js';
 export { MissingPhotoLibraryPurposeRule } from './missing-photo-library-purpose.js';
 export { MissingMicrophonePurposeRule } from './missing-microphone-purpose.js';
 export { MissingContactsPurposeRule } from './missing-contacts-purpose.js';
+export { MissingBluetoothPurposeRule } from './missing-bluetooth-purpose.js';
+export { MissingFaceIdPurposeRule } from './missing-face-id-purpose.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/rules/privacy/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AACjF,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AACjF,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/rules/privacy/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MissingContactsPurposeRule = exports.MissingMicrophonePurposeRule = exports.MissingPhotoLibraryPurposeRule = exports.ATTTrackingMismatchRule = exports.LocationAlwaysUnjustifiedRule = exports.MissingLocationPurposeRule = exports.MissingCameraPurposeRule = void 0;
+exports.MissingFaceIdPurposeRule = exports.MissingBluetoothPurposeRule = exports.MissingContactsPurposeRule = exports.MissingMicrophonePurposeRule = exports.MissingPhotoLibraryPurposeRule = exports.ATTTrackingMismatchRule = exports.LocationAlwaysUnjustifiedRule = exports.MissingLocationPurposeRule = exports.MissingCameraPurposeRule = void 0;
 /**
  * Privacy rules exports
  */
@@ -18,4 +18,8 @@ var missing_microphone_purpose_js_1 = require("./missing-microphone-purpose.js")
 Object.defineProperty(exports, "MissingMicrophonePurposeRule", { enumerable: true, get: function () { return missing_microphone_purpose_js_1.MissingMicrophonePurposeRule; } });
 var missing_contacts_purpose_js_1 = require("./missing-contacts-purpose.js");
 Object.defineProperty(exports, "MissingContactsPurposeRule", { enumerable: true, get: function () { return missing_contacts_purpose_js_1.MissingContactsPurposeRule; } });
+var missing_bluetooth_purpose_js_1 = require("./missing-bluetooth-purpose.js");
+Object.defineProperty(exports, "MissingBluetoothPurposeRule", { enumerable: true, get: function () { return missing_bluetooth_purpose_js_1.MissingBluetoothPurposeRule; } });
+var missing_face_id_purpose_js_1 = require("./missing-face-id-purpose.js");
+Object.defineProperty(exports, "MissingFaceIdPurposeRule", { enumerable: true, get: function () { return missing_face_id_purpose_js_1.MissingFaceIdPurposeRule; } });
 //# sourceMappingURL=index.js.map

package/dist/rules/privacy/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,yEAAuE;AAA9D,qIAAA,wBAAwB,OAAA;AACjC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA;AACnC,mFAAiF;AAAxE,+IAAA,6BAA6B,OAAA;AACtC,uEAAqE;AAA5D,mIAAA,uBAAuB,OAAA;AAChC,uFAAoF;AAA3E,kJAAA,8BAA8B,OAAA;AACvC,iFAA+E;AAAtE,6IAAA,4BAA4B,OAAA;AACrC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/privacy/index.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,yEAAuE;AAA9D,qIAAA,wBAAwB,OAAA;AACjC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA;AACnC,mFAAiF;AAAxE,+IAAA,6BAA6B,OAAA;AACtC,uEAAqE;AAA5D,mIAAA,uBAAuB,OAAA;AAChC,uFAAoF;AAA3E,kJAAA,8BAA8B,OAAA;AACvC,iFAA+E;AAAtE,6IAAA,4BAA4B,OAAA;AACrC,6EAA2E;AAAlE,yIAAA,0BAA0B,OAAA;AACnC,+EAA6E;AAApE,2IAAA,2BAA2B,OAAA;AACpC,2EAAwE;AAA/D,sIAAA,wBAAwB,OAAA"}

package/dist/rules/privacy/missing-bluetooth-purpose.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule: Missing Bluetooth Usage Description
+ *
+ * Detects when an app uses CoreBluetooth but is missing
+ * the required NSBluetoothAlwaysUsageDescription in Info.plist.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingBluetoothPurposeRule: Rule;
+//# sourceMappingURL=missing-bluetooth-purpose.d.ts.map

package/dist/rules/privacy/missing-bluetooth-purpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-bluetooth-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-bluetooth-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAOvE,eAAO,MAAM,2BAA2B,EAAE,IA8EzC,CAAC"}

package/dist/rules/privacy/missing-bluetooth-purpose.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingBluetoothPurposeRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const plist_parser_js_1 = require("../../parsers/plist-parser.js");
+const base_js_1 = require("../base.js");
+const BLUETOOTH_FRAMEWORKS = ['CoreBluetooth'];
+exports.MissingBluetoothPurposeRule = {
+    id: 'privacy-008-missing-bluetooth-purpose',
+    name: 'Missing Bluetooth Usage Description',
+    description: 'Checks for Bluetooth framework usage without NSBluetoothAlwaysUsageDescription',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '5.1.1',
+    async evaluate(context) {
+        const detectedFrameworks = BLUETOOTH_FRAMEWORKS.filter(f => context.hasFramework(f));
+        if (detectedFrameworks.length === 0) {
+            return [];
+        }
+        const bluetoothDescription = context.plistString('NSBluetoothAlwaysUsageDescription');
+        // Case 1: Completely missing
+        if (bluetoothDescription === undefined) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    description: `Your app links against Bluetooth frameworks (${detectedFrameworks.join(', ')}) ` +
+                        `but Info.plist is missing NSBluetoothAlwaysUsageDescription. Apps that access Bluetooth ` +
+                        `must provide a purpose string explaining why access is needed.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add NSBluetoothAlwaysUsageDescription to your Info.plist with a clear, user-facing ` +
+                        `explanation of why your app needs Bluetooth access. For example:
+
+<key>NSBluetoothAlwaysUsageDescription</key>
+<string>We use Bluetooth to connect to your fitness tracker and sync workout data.</string>
+
+The description should explain the specific feature that uses Bluetooth and ` +
+                        `be written from the user's perspective.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription',
+                }),
+            ];
+        }
+        // Case 2: Empty or whitespace only
+        if (bluetoothDescription.trim() === '') {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Empty Bluetooth Usage Description',
+                    description: `NSBluetoothAlwaysUsageDescription exists in Info.plist but is empty. ` +
+                        `Apple requires a meaningful description explaining why your app needs Bluetooth access.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Update NSBluetoothAlwaysUsageDescription with a clear, specific explanation of why ` +
+                        `your app needs Bluetooth access. Generic or empty descriptions may be rejected.
+
+Good example: "We use Bluetooth to connect to your heart rate monitor."
+Bad example: "Bluetooth access required" or ""`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription',
+                }),
+            ];
+        }
+        // Case 3: Placeholder text detected
+        if ((0, plist_parser_js_1.isPlaceholder)(bluetoothDescription)) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Placeholder Bluetooth Usage Description',
+                    description: `NSBluetoothAlwaysUsageDescription appears to contain placeholder text: "${bluetoothDescription}". ` +
+                        `Apple requires meaningful, user-facing descriptions.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Replace the placeholder text with a clear explanation of why your app needs Bluetooth access. ` +
+                        `The description should be specific to your app's features.
+
+Current value: "${bluetoothDescription}"
+
+Write a description that helps users understand what feature uses Bluetooth and why.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription',
+                }),
+            ];
+        }
+        return [];
+    },
+};
+//# sourceMappingURL=missing-bluetooth-purpose.js.map

package/dist/rules/privacy/missing-bluetooth-purpose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-bluetooth-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-bluetooth-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,MAAM,oBAAoB,GAAG,CAAC,eAAe,CAAC,CAAC;AAElC,QAAA,2BAA2B,GAAS;IAC/C,EAAE,EAAE,uCAAuC;IAC3C,IAAI,EAAE,qCAAqC;IAC3C,WAAW,EAAE,gFAAgF;IAC7F,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAErF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,oBAAoB,GAAG,OAAO,CAAC,WAAW,CAAC,mCAAmC,CAAC,CAAC;QAEtF,6BAA6B;QAC7B,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;YACvC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,gDAAgD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBAC5F,0FAA0F;wBAC1F,gEAAgE;oBAClE,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,qFAAqF;wBAChG;;;;;6EAKiE;wBACjE,yCAAyC;oBAC3C,gBAAgB,EAAE,uHAAuH;iBAC1I,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,oBAAoB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACvC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,mCAAmC;oBAC1C,WAAW,EAAE,uEAAuE;wBAClF,yFAAyF;oBAC3F,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,qFAAqF;wBAChG;;;+CAGmC;oBACrC,gBAAgB,EAAE,uHAAuH;iBAC1I,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,oBAAoB,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,yCAAyC;oBAChD,WAAW,EAAE,2EAA2E,oBAAoB,KAAK;wBAC/G,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,gGAAgG;wBAC3G;;kBAEM,oBAAoB;;qFAE+C;oBAC3E,gBAAgB,EAAE,uHAAuH;iBAC1I,CAAC;aACH,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/dist/rules/privacy/missing-camera-purpose.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"missing-camera-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAOvE,eAAO,MAAM,wBAAwB,EAAE,IAiFtC,CAAC"}
+{"version":3,"file":"missing-camera-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAWvE,eAAO,MAAM,wBAAwB,EAAE,IAiFtC,CAAC"}

package/dist/rules/privacy/missing-camera-purpose.js

@@ -4,7 +4,11 @@ exports.MissingCameraPurposeRule = void 0;
 const index_js_1 = require("../../types/index.js");
 const plist_parser_js_1 = require("../../parsers/plist-parser.js");
 const base_js_1 = require("../base.js");
-const CAMERA_FRAMEWORKS = ['AVFoundation', 'AVKit', 'VisionKit'];
+// Note: VisionKit is NOT included here because it's often used for ImageAnalyzer
+// (Live Text on existing images) which doesn't require camera access. Only
+// DataScannerViewController and VNDocumentCameraViewController in VisionKit
+// require camera permission, and detecting those requires deeper source analysis.
+const CAMERA_FRAMEWORKS = ['AVFoundation', 'AVKit'];
 exports.MissingCameraPurposeRule = {
     id: 'privacy-001-missing-camera-purpose',
     name: 'Missing Camera Usage Description',

package/dist/rules/privacy/missing-camera-purpose.js.map

@@ -1 +1 @@
-{"version":3,"file":"missing-camera-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,MAAM,iBAAiB,GAAG,CAAC,cAAc,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AAEpD,QAAA,wBAAwB,GAAS;IAC5C,EAAE,EAAE,oCAAoC;IACxC,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,oEAAoE;IACjF,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,kDAAkD;QAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAElF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,mDAAmD;YACnD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAE1E,6BAA6B;QAC7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,qDAAqD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBACjG,uFAAuF;wBACvF,2DAA2D;oBAC7D,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,wFAAwF;wBACnG;;;;;8EAKkE;wBAClE,yCAAyC;oBAC3C,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,8DAA8D;wBACzE,sFAAsF;oBACxF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,qFAAqF;wBAChG;;;4CAGgC;oBAClC,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,sCAAsC;oBAC7C,WAAW,EAAE,kEAAkE,iBAAiB,KAAK;wBACnG,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,6FAA6F;wBACxG;;kBAEM,iBAAiB;;sFAEmD;oBAC5E,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}
+{"version":3,"file":"missing-camera-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-camera-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,iFAAiF;AACjF,2EAA2E;AAC3E,4EAA4E;AAC5E,kFAAkF;AAClF,MAAM,iBAAiB,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAEvC,QAAA,wBAAwB,GAAS;IAC5C,EAAE,EAAE,oCAAoC;IACxC,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,oEAAoE;IACjF,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,kDAAkD;QAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAElF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,mDAAmD;YACnD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAE1E,6BAA6B;QAC7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,qDAAqD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBACjG,uFAAuF;wBACvF,2DAA2D;oBAC7D,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,wFAAwF;wBACnG;;;;;8EAKkE;wBAClE,yCAAyC;oBAC3C,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,8DAA8D;wBACzE,sFAAsF;oBACxF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,qFAAqF;wBAChG;;;4CAGgC;oBAClC,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,sCAAsC;oBAC7C,WAAW,EAAE,kEAAkE,iBAAiB,KAAK;wBACnG,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,6FAA6F;wBACxG;;kBAEM,iBAAiB;;sFAEmD;oBAC5E,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/dist/rules/privacy/missing-face-id-purpose.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule: Missing Face ID Usage Description
+ *
+ * Detects when an app uses LocalAuthentication but is missing
+ * the required NSFaceIDUsageDescription in Info.plist.
+ *
+ * App Store Review Guideline: 5.1.1
+ */
+import type { Rule } from '../../types/index.js';
+export declare const MissingFaceIdPurposeRule: Rule;
+//# sourceMappingURL=missing-face-id-purpose.d.ts.map

package/dist/rules/privacy/missing-face-id-purpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-face-id-purpose.d.ts","sourceRoot":"","sources":["../../../src/rules/privacy/missing-face-id-purpose.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,IAAI,EAAwB,MAAM,sBAAsB,CAAC;AAOvE,eAAO,MAAM,wBAAwB,EAAE,IA8EtC,CAAC"}

package/dist/rules/privacy/missing-face-id-purpose.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingFaceIdPurposeRule = void 0;
+const index_js_1 = require("../../types/index.js");
+const plist_parser_js_1 = require("../../parsers/plist-parser.js");
+const base_js_1 = require("../base.js");
+const FACE_ID_FRAMEWORKS = ['LocalAuthentication'];
+exports.MissingFaceIdPurposeRule = {
+    id: 'privacy-009-missing-face-id-purpose',
+    name: 'Missing Face ID Usage Description',
+    description: 'Checks for LocalAuthentication framework usage without NSFaceIDUsageDescription',
+    category: index_js_1.RuleCategory.Privacy,
+    severity: index_js_1.Severity.Critical,
+    confidence: index_js_1.Confidence.High,
+    guidelineReference: '5.1.1',
+    async evaluate(context) {
+        const detectedFrameworks = FACE_ID_FRAMEWORKS.filter(f => context.hasFramework(f));
+        if (detectedFrameworks.length === 0) {
+            return [];
+        }
+        const faceIdDescription = context.plistString('NSFaceIDUsageDescription');
+        // Case 1: Completely missing
+        if (faceIdDescription === undefined) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    description: `Your app links against biometric authentication frameworks (${detectedFrameworks.join(', ')}) ` +
+                        `but Info.plist is missing NSFaceIDUsageDescription. Apps that use Face ID ` +
+                        `must provide a purpose string explaining why biometric authentication is needed.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Add NSFaceIDUsageDescription to your Info.plist with a clear, user-facing ` +
+                        `explanation of why your app needs Face ID access. For example:
+
+<key>NSFaceIDUsageDescription</key>
+<string>We use Face ID to securely authenticate you for quick access to your account.</string>
+
+The description should explain what feature uses Face ID and ` +
+                        `be written from the user's perspective.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsfaceidusagedescription',
+                }),
+            ];
+        }
+        // Case 2: Empty or whitespace only
+        if (faceIdDescription.trim() === '') {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Empty Face ID Usage Description',
+                    description: `NSFaceIDUsageDescription exists in Info.plist but is empty. ` +
+                        `Apple requires a meaningful description explaining why your app needs Face ID access.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Update NSFaceIDUsageDescription with a clear, specific explanation of why ` +
+                        `your app needs Face ID access. Generic or empty descriptions may be rejected.
+
+Good example: "We use Face ID to securely log you in without a password."
+Bad example: "Face ID access required" or ""`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsfaceidusagedescription',
+                }),
+            ];
+        }
+        // Case 3: Placeholder text detected
+        if ((0, plist_parser_js_1.isPlaceholder)(faceIdDescription)) {
+            return [
+                (0, base_js_1.makeFinding)(this, {
+                    title: 'Placeholder Face ID Usage Description',
+                    description: `NSFaceIDUsageDescription appears to contain placeholder text: "${faceIdDescription}". ` +
+                        `Apple requires meaningful, user-facing descriptions.`,
+                    location: 'Info.plist',
+                    fixGuidance: `Replace the placeholder text with a clear explanation of why your app needs Face ID access. ` +
+                        `The description should be specific to your app's features.
+
+Current value: "${faceIdDescription}"
+
+Write a description that helps users understand what feature uses Face ID and why.`,
+                    documentationURL: 'https://developer.apple.com/documentation/bundleresources/information_property_list/nsfaceidusagedescription',
+                }),
+            ];
+        }
+        return [];
+    },
+};
+//# sourceMappingURL=missing-face-id-purpose.js.map

package/dist/rules/privacy/missing-face-id-purpose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-face-id-purpose.js","sourceRoot":"","sources":["../../../src/rules/privacy/missing-face-id-purpose.ts"],"names":[],"mappings":";;;AASA,mDAA0E;AAC1E,mEAA8D;AAC9D,wCAAyC;AAEzC,MAAM,kBAAkB,GAAG,CAAC,qBAAqB,CAAC,CAAC;AAEtC,QAAA,wBAAwB,GAAS;IAC5C,EAAE,EAAE,qCAAqC;IACzC,IAAI,EAAE,mCAAmC;IACzC,WAAW,EAAE,iFAAiF;IAC9F,QAAQ,EAAE,uBAAY,CAAC,OAAO;IAC9B,QAAQ,EAAE,mBAAQ,CAAC,QAAQ;IAC3B,UAAU,EAAE,qBAAU,CAAC,IAAI;IAC3B,kBAAkB,EAAE,OAAO;IAE3B,KAAK,CAAC,QAAQ,CAAC,OAAoB;QACjC,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC;QAE1E,6BAA6B;QAC7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,WAAW,EAAE,+DAA+D,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;wBAC3G,4EAA4E;wBAC5E,kFAAkF;oBACpF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,4EAA4E;wBACvF;;;;;8DAKkD;wBAClD,yCAAyC;oBAC3C,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACpC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EAAE,8DAA8D;wBACzE,uFAAuF;oBACzF,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,4EAA4E;wBACvF;;;6CAGiC;oBACnC,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,+BAAa,EAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,IAAA,qBAAW,EAAC,IAAI,EAAE;oBAChB,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EAAE,kEAAkE,iBAAiB,KAAK;wBACnG,sDAAsD;oBACxD,QAAQ,EAAE,YAAY;oBACtB,WAAW,EAAE,8FAA8F;wBACzG;;kBAEM,iBAAiB;;mFAEgD;oBACzE,gBAAgB,EAAE,8GAA8G;iBACjI,CAAC;aACH,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shiplint",
-  "version": "0.1.1",
+  "version": "1.0.0",
   "description": "Catch App Store rejections before they happen. Pre-submission linter for iOS apps.",
   "main": "dist/index.js",
   "bin": {