Dev

.cursorignore

@@ -191,8 +191,6 @@ circuits/tests/**/test_cases.ts
 
 # iOS
 *.xcworkspace/
-*.xcodeproj/
-*.pbxproj
 app/ios/App Thinning Size Report.txt
 
 # Android
@@ -278,6 +276,9 @@ circuits/ptau/
 !**/*.sol
 !**/*.circom
 
+# Exception for specific private module setup script
+!app/scripts/setup-private-modules.cjs
+
 # But exclude generated TypeScript declaration files
 **/*.d.ts
 !**/types/*.d.ts

.cursorrules

@@ -48,7 +48,6 @@
 ## Core Workflows
 
 1. Document Verification Flow
-- NFC chip data extraction and validation
 - Zero-knowledge proof generation for privacy
 - Multi-stage attestation verification
 - Cross-chain verification support
@@ -128,25 +127,6 @@ This is a React Native identity verification app with NFC passport reading, zero
 - Test utilities in `tests/__setup__/databaseMocks.ts`
 - Mock database instance for testing
 
-## NFC Implementation
-
-### Cross-Platform Architecture
-- iOS: Custom PassportReader Swift module
-- Android: Custom RNPassportReaderModule Kotlin implementation
-- Unified JavaScript interface with platform detection
-
-### Authentication Methods
-- MRZ Key: Derived from passport number, DOB, and expiry date
-- CAN (Card Access Number): 6-digit number for PACE authentication
-- PACE: Password Authenticated Connection Establishment
-- BAC fallback when PACE fails
-
-### Error Handling
-- Multiple BAC attempts with delays
-- Graceful degradation from PACE to BAC
-- Real-time status updates and haptic feedback
-- Comprehensive error boundaries
-
 ## Code Organization
 
 ### File Structure

.github/actions/clone-android-passport-reader/action.yml

@@ -0,0 +1,50 @@
+name: Clone android-passport-reader
+description: "Clones the android-passport-reader repository if it does not exist"
+
+inputs:
+  working_directory:
+    description: "Working directory path (where android/ subdirectory is located)"
+    required: false
+    default: "."
+  selfxyz_internal_pat:
+    description: "SELFXYZ internal repository PAT for private repository access"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Clone android-passport-reader
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Check if PAT is available for private module cloning
+        if [ -z "${{ inputs.selfxyz_internal_pat }}" ]; then
+          echo "🔒 Skipping private module cloning (no PAT provided)"
+          echo "ℹ️  This is expected for forked PRs - build will continue without private modules"
+          exit 0
+        fi
+
+        cd "${{ inputs.working_directory }}"
+
+        if [ ! -d "android/android-passport-reader" ]; then
+          echo "📦 Cloning android-passport-reader for build..."
+          cd android
+
+          # Clone using PAT (embed temporarily, then scrub)
+          if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
+            echo "✅ android-passport-reader cloned successfully"
+            # Immediately scrub the credential from remote URL for security
+            git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
+          else
+            echo "❌ Failed to clone android-passport-reader"
+            echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
+            exit 1
+          fi
+        elif [ "$CI" = "true" ]; then
+          echo "⚠️  android-passport-reader exists in CI - this is unexpected"
+          echo "📁 Directory contents:"
+          ls -la android/android-passport-reader/ || true
+        else
+          echo "📁 android-passport-reader already exists - preserving existing directory"
+          echo "ℹ️  Local development environment detected - your changes are safe"
+        fi

.github/actions/mobile-setup/action.yml

@@ -78,12 +78,12 @@ runs:
         fi
 
         # Run mobile-specific installation
-        if [[ "${{ runner.os }}" == "macOS" ]]; then
-          yarn install-app:mobile-deploy:ios
-        else
-          yarn install-app:mobile-deploy
-        fi
+        yarn install-app:mobile-deploy
 
+    - name: Install Ruby dependencies
+      shell: bash
+      run: |
+        cd ${{ inputs.app_path }}
         # Install Ruby gems with bundler (respecting cache)
         echo "📦 Installing Ruby gems with strict lock file..."
         if ! bundle install --jobs 4 --retry 3; then

.github/workflows/mobile-bundle-analysis.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   analyze-android:
-    runs-on: macos-14
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version
@@ -80,7 +80,7 @@ jobs:
         working-directory: ./app
 
   analyze-ios:
-    runs-on: macos-14
+    runs-on: macos-latest-large
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version

.github/workflows/mobile-ci.yml

@@ -36,6 +36,7 @@ concurrency:
 jobs:
   build-deps:
     runs-on: macos-latest-large
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version
@@ -92,6 +93,7 @@ jobs:
   test:
     runs-on: macos-latest-large
     needs: build-deps
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version
@@ -193,6 +195,7 @@ jobs:
   build-ios:
     runs-on: macos-latest-large
     needs: build-deps
+    timeout-minutes: 60
     env:
       # iOS project configuration - hardcoded for CI stability
       IOS_PROJECT_NAME: "Self"
@@ -381,6 +384,7 @@ jobs:
   build-android:
     runs-on: ubuntu-latest
     needs: build-deps
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
       - name: Read and sanitize Node.js version
@@ -444,6 +448,11 @@ jobs:
         run: |
           echo "Cache miss for built dependencies. Building now..."
           yarn workspace @selfxyz/mobile-app run build:deps
+      - name: Clone android-passport-reader
+        uses: ./.github/actions/clone-android-passport-reader
+        with:
+          working_directory: ${{ env.APP_PATH }}
+          selfxyz_internal_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
       - name: Build Android (with AAPT2 symlink fix)
         run: yarn android:ci
         working-directory: ./app

.github/workflows/mobile-deploy.yml

@@ -223,8 +223,19 @@ jobs:
 
           echo "✅ Lock files exist"
 
-      - name: Install Mobile Dependencies
-        if: inputs.platform != 'android'
+      - name: Install Mobile Dependencies (main repo)
+        if: inputs.platform != 'android' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
+        uses: ./.github/actions/mobile-setup
+        with:
+          app_path: ${{ env.APP_PATH }}
+          node_version: ${{ env.NODE_VERSION }}
+          ruby_version: ${{ env.RUBY_VERSION }}
+          workspace: ${{ env.WORKSPACE }}
+        env:
+          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+
+      - name: Install Mobile Dependencies (forked PRs - no secrets)
+        if: inputs.platform != 'android' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
         uses: ./.github/actions/mobile-setup
         with:
           app_path: ${{ env.APP_PATH }}
@@ -774,6 +785,9 @@ jobs:
           node_version: ${{ env.NODE_VERSION }}
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
+        env:
+          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          PLATFORM: ${{ inputs.platform }}
 
       # android specific steps
 
@@ -840,6 +854,13 @@ jobs:
           python -m pip install --upgrade pip
           pip install google-auth google-auth-oauthlib google-auth-httplib2 google-api-python-client
 
+      - name: Clone android-passport-reader
+        if: inputs.platform != 'ios'
+        uses: ./.github/actions/clone-android-passport-reader
+        with:
+          working_directory: ${{ env.APP_PATH }}
+          selfxyz_internal_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+
       - name: Build Dependencies (Android)
         if: inputs.platform != 'ios'
         run: |