selfxyz · remicolin · Sep 20, 2025 · Sep 13, 2025 · Sep 14, 2025 · Sep 14, 2025
diff --git a/.cursor/rules/technical-specification.mdc b/.cursor/rules/technical-specification.mdc
diff --git a/.cursorignore b/.cursorignore
@@ -191,8 +191,6 @@ circuits/tests/**/test_cases.ts
 
 # iOS
 *.xcworkspace/
-*.xcodeproj/
-*.pbxproj
 app/ios/App Thinning Size Report.txt
 
 # Android
@@ -278,6 +276,9 @@ circuits/ptau/
 !**/*.sol
 !**/*.circom
 
+# Exception for specific private module setup script
+!app/scripts/setup-private-modules.cjs
+
 # But exclude generated TypeScript declaration files
 **/*.d.ts
 !**/types/*.d.ts

diff --git a/.cursorrules b/.cursorrules
@@ -48,7 +48,6 @@
 ## Core Workflows
 
 1. Document Verification Flow
-- NFC chip data extraction and validation
 - Zero-knowledge proof generation for privacy
 - Multi-stage attestation verification
 - Cross-chain verification support
@@ -128,25 +127,6 @@ This is a React Native identity verification app with NFC passport reading, zero
 - Test utilities in `tests/__setup__/databaseMocks.ts`
 - Mock database instance for testing
 
-## NFC Implementation
-
-### Cross-Platform Architecture
-- iOS: Custom PassportReader Swift module
-- Android: Custom RNPassportReaderModule Kotlin implementation
-- Unified JavaScript interface with platform detection
-
-### Authentication Methods
-- MRZ Key: Derived from passport number, DOB, and expiry date
-- CAN (Card Access Number): 6-digit number for PACE authentication
-- PACE: Password Authenticated Connection Establishment
-- BAC fallback when PACE fails
-
-### Error Handling
-- Multiple BAC attempts with delays
-- Graceful degradation from PACE to BAC
-- Real-time status updates and haptic feedback
-- Comprehensive error boundaries
-
 ## Code Organization
 
 ### File Structure

diff --git a/.gitguardian.yml b/.gitguardian.yml
@@ -1,12 +1,16 @@
-version: 2
+# GitGuardian configuration for ggshield
+# This file configures which files and secrets to ignore during scanning
 
-# Ignore specific file patterns (newer format)
-ignore:
+# Ignore specific file patterns
+paths-ignore:
   # Mock certificates for testing (these are intentionally committed test data)
   - "**/mock_certificates/**/*.key"
   - "**/mock_certificates/**/*.crt"
   - "**/mock_certificates/**/*.pem"
   - "**/constants/mockCertificates.ts"
+  - "common/src/mock_certificates/**"
+  - "common/src/mock_certificates/aadhaar/mockAadhaarCert.ts"
+  - "common/src/utils/passports/genMockIdDoc.ts"
 
   # Test data files
   - "**/test/**/*.key"
@@ -24,45 +28,17 @@ ignore:
   # Demo app test data
   - "**/demo-app/**/mock/**"
   - "**/demo-app/**/test-data/**"
-
-# Keep the old format for backward compatibility
-exclusion_globs:
-  # Mock certificates for testing (these are intentionally committed test data)
-  - "common/src/mock_certificates/**"
-  - "common/src/constants/mockCertificates.ts"
   - "**/test-data/**"
   - "**/mock-data/**"
 
-  # Test files with mock certificates
-  - "**/test/**/*.key"
-  - "**/test/**/*.crt"
-  - "**/test/**/*.pem"
-  - "**/tests/**/*.key"
-  - "**/tests/**/*.crt"
-  - "**/tests/**/*.pem"
-
-  # Demo app test data
-  - "**/demo-app/**/mock/**"
-  - "**/demo-app/**/test-data/**"
-
   # Generated test files
   - "**/generated/**/*.key"
   - "**/generated/**/*.crt"
   - "**/generated/**/*.pem"
 
 # Ignore specific secret types for mock files
-ignore_secrets:
+secrets-ignore:
   - "Generic Private Key" # For mock certificate keys
   - "Generic Certificate" # For mock certificates
   - "RSA Private Key" # For mock RSA keys
   - "EC Private Key" # For mock EC keys
-
-# Advanced: Ignore based on file content patterns
-ignore_patterns:
-  # Ignore files that contain "mock" in the path and have key/cert content
-  - pattern: "mock.*\\.(key|crt|pem)$"
-    reason: "Mock certificate files for testing"
-
-  # Ignore TypeScript files that export mock data
-  - pattern: ".*mock.*\\.ts$"
-    reason: "Mock data export files for testing"
diff --git a/.github/actions/clone-android-passport-reader/action.yml b/.github/actions/clone-android-passport-reader/action.yml
@@ -0,0 +1,50 @@
+name: Clone android-passport-reader
+description: "Clones the android-passport-reader repository if it does not exist"
+
+inputs:
+  working_directory:
+    description: "Working directory path (where android/ subdirectory is located)"
+    required: false
+    default: "."
+  selfxyz_internal_pat:
+    description: "SELFXYZ internal repository PAT for private repository access"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Clone android-passport-reader
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Check if PAT is available for private module cloning
+        if [ -z "${{ inputs.selfxyz_internal_pat }}" ]; then
+          echo "🔒 Skipping private module cloning (no PAT provided)"
+          echo "ℹ️  This is expected for forked PRs - build will continue without private modules"
+          exit 0
+        fi
+
+        cd "${{ inputs.working_directory }}"
+
+        if [ ! -d "android/android-passport-reader" ]; then
+          echo "📦 Cloning android-passport-reader for build..."
+          cd android
+
+          # Clone using PAT (embed temporarily, then scrub)
+          if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
+            echo "✅ android-passport-reader cloned successfully"
+            # Immediately scrub the credential from remote URL for security
+            git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
+          else
+            echo "❌ Failed to clone android-passport-reader"
+            echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
+            exit 1
+          fi
+        elif [ "$CI" = "true" ]; then
+          echo "⚠️  android-passport-reader exists in CI - this is unexpected"
+          echo "📁 Directory contents:"
+          ls -la android/android-passport-reader/ || true
+        else
+          echo "📁 android-passport-reader already exists - preserving existing directory"
+          echo "ℹ️  Local development environment detected - your changes are safe"
+        fi
diff --git a/.github/actions/mobile-setup/action.yml b/.github/actions/mobile-setup/action.yml
@@ -78,12 +78,12 @@ runs:
         fi
 
         # Run mobile-specific installation
-        if [[ "${{ runner.os }}" == "macOS" ]]; then
-          yarn install-app:mobile-deploy:ios
-        else
-          yarn install-app:mobile-deploy
-        fi
+        yarn install-app:mobile-deploy
 
+    - name: Install Ruby dependencies
+      shell: bash
+      run: |
+        cd ${{ inputs.app_path }}
         # Install Ruby gems with bundler (respecting cache)
         echo "📦 Installing Ruby gems with strict lock file..."
         if ! bundle install --jobs 4 --retry 3; then

diff --git a/.github/workflows/mobile-bundle-analysis.yml b/.github/workflows/mobile-bundle-analysis.yml
@@ -17,7 +17,7 @@ on:
 
 jobs:
   analyze-android:
-    runs-on: macos-14
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version
@@ -80,7 +80,7 @@ jobs:
         working-directory: ./app
 
   analyze-ios:
-    runs-on: macos-14
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version