Update main with staging 09/21/25

.coderabbit.yaml

@@ -15,7 +15,7 @@ reviews:
   auto_review:
     enabled: true
     drafts: false
-    base_branches: ["main", "dev"]
+    base_branches: ["main", "dev", "staging"]
   tools:
     github-checks:
       timeout_ms: 300000

.cursorignore

@@ -191,8 +191,6 @@ circuits/tests/**/test_cases.ts
 
 # iOS
 *.xcworkspace/
-*.xcodeproj/
-*.pbxproj
 app/ios/App Thinning Size Report.txt
 
 # Android
@@ -278,6 +276,9 @@ circuits/ptau/
 !**/*.sol
 !**/*.circom
 
+# Exception for specific private module setup script
+!app/scripts/setup-private-modules.cjs
+
 # But exclude generated TypeScript declaration files
 **/*.d.ts
 !**/types/*.d.ts

.cursorrules

@@ -48,7 +48,6 @@
 ## Core Workflows
 
 1. Document Verification Flow
-- NFC chip data extraction and validation
 - Zero-knowledge proof generation for privacy
 - Multi-stage attestation verification
 - Cross-chain verification support
@@ -128,25 +127,6 @@ This is a React Native identity verification app with NFC passport reading, zero
 - Test utilities in `tests/__setup__/databaseMocks.ts`
 - Mock database instance for testing
 
-## NFC Implementation
-
-### Cross-Platform Architecture
-- iOS: Custom PassportReader Swift module
-- Android: Custom RNPassportReaderModule Kotlin implementation
-- Unified JavaScript interface with platform detection
-
-### Authentication Methods
-- MRZ Key: Derived from passport number, DOB, and expiry date
-- CAN (Card Access Number): 6-digit number for PACE authentication
-- PACE: Password Authenticated Connection Establishment
-- BAC fallback when PACE fails
-
-### Error Handling
-- Multiple BAC attempts with delays
-- Graceful degradation from PACE to BAC
-- Real-time status updates and haptic feedback
-- Comprehensive error boundaries
-
 ## Code Organization
 
 ### File Structure

.gitguardian.yml

@@ -1,4 +1,44 @@
-version: 2
-exclusion_globs:
+# GitGuardian configuration for ggshield
+# This file configures which files and secrets to ignore during scanning
+
+# Ignore specific file patterns
+paths-ignore:
+  # Mock certificates for testing (these are intentionally committed test data)
+  - "**/mock_certificates/**/*.key"
+  - "**/mock_certificates/**/*.crt"
+  - "**/mock_certificates/**/*.pem"
+  - "**/constants/mockCertificates.ts"
   - "common/src/mock_certificates/**"
-  - "common/src/constants/mockCertificates.ts"
+  - "common/src/mock_certificates/aadhaar/mockAadhaarCert.ts"
+  - "common/src/utils/passports/genMockIdDoc.ts"
+
+  # Test data files
+  - "**/test/**/*.key"
+  - "**/test/**/*.crt"
+  - "**/test/**/*.pem"
+  - "**/tests/**/*.key"
+  - "**/tests/**/*.crt"
+  - "**/tests/**/*.pem"
+
+  # Mock data files
+  - "**/mock/**/*.key"
+  - "**/mock/**/*.crt"
+  - "**/mock/**/*.pem"
+
+  # Demo app test data
+  - "**/demo-app/**/mock/**"
+  - "**/demo-app/**/test-data/**"
+  - "**/test-data/**"
+  - "**/mock-data/**"
+
+  # Generated test files
+  - "**/generated/**/*.key"
+  - "**/generated/**/*.crt"
+  - "**/generated/**/*.pem"
+
+# Ignore specific secret types for mock files
+secrets-ignore:
+  - "Generic Private Key" # For mock certificate keys
+  - "Generic Certificate" # For mock certificates
+  - "RSA Private Key" # For mock RSA keys
+  - "EC Private Key" # For mock EC keys

.github/actions/cache-built-deps/action.yml

@@ -0,0 +1,30 @@
+name: cache-built-deps
+description: Cache built JS artifacts (common + mobile-sdk-alpha)
+inputs:
+  cache-version:
+    description: Cache version string for cache key
+    required: true
+outputs:
+  cache-hit:
+    description: Whether cache was hit during restore
+    value: ${{ steps.restore.outputs.cache-hit }}
+runs:
+  using: composite
+  steps:
+    - id: restore
+      name: Restore Built Dependencies
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          common/dist
+          packages/mobile-sdk-alpha/dist
+        key: built-deps-${{ inputs.cache-version }}-${{ hashFiles('common/**/*', 'packages/mobile-sdk-alpha/**/*', '!common/dist/**', '!packages/mobile-sdk-alpha/dist/**') }}
+        fail-on-cache-miss: false
+    - name: Save Built Dependencies
+      if: steps.restore.outputs.cache-hit != 'true'
+      uses: actions/cache/save@v4
+      with:
+        path: |
+          common/dist
+          packages/mobile-sdk-alpha/dist
+        key: built-deps-${{ inputs.cache-version }}-${{ hashFiles('common/**/*', 'packages/mobile-sdk-alpha/**/*', '!common/dist/**', '!packages/mobile-sdk-alpha/dist/**') }}

.github/actions/clone-android-passport-reader/action.yml

@@ -0,0 +1,50 @@
+name: Clone android-passport-reader
+description: "Clones the android-passport-reader repository if it does not exist"
+
+inputs:
+  working_directory:
+    description: "Working directory path (where android/ subdirectory is located)"
+    required: false
+    default: "."
+  selfxyz_internal_pat:
+    description: "SELFXYZ internal repository PAT for private repository access"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Clone android-passport-reader
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Check if PAT is available for private module cloning
+        if [ -z "${{ inputs.selfxyz_internal_pat }}" ]; then
+          echo "🔒 Skipping private module cloning (no PAT provided)"
+          echo "ℹ️  This is expected for forked PRs - build will continue without private modules"
+          exit 0
+        fi
+
+        cd "${{ inputs.working_directory }}"
+
+        if [ ! -d "android/android-passport-reader" ]; then
+          echo "📦 Cloning android-passport-reader for build..."
+          cd android
+
+          # Clone using PAT (embed temporarily, then scrub)
+          if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
+            echo "✅ android-passport-reader cloned successfully"
+            # Immediately scrub the credential from remote URL for security
+            git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
+          else
+            echo "❌ Failed to clone android-passport-reader"
+            echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
+            exit 1
+          fi
+        elif [ "$CI" = "true" ]; then
+          echo "⚠️  android-passport-reader exists in CI - this is unexpected"
+          echo "📁 Directory contents:"
+          ls -la android/android-passport-reader/ || true
+        else
+          echo "📁 android-passport-reader already exists - preserving existing directory"
+          echo "ℹ️  Local development environment detected - your changes are safe"
+        fi

.github/actions/mobile-setup/action.yml

@@ -62,7 +62,7 @@ runs:
         yarn set version 4.6.0
 
         echo "📦 Installing JavaScript dependencies with strict lock file..."
-        if ! yarn install --immutable; then
+        if ! yarn install --immutable --inline-builds; then
           echo ""
           echo "❌ ERROR: yarn.lock is out of date!"
           echo ""
@@ -78,12 +78,12 @@ runs:
         fi
 
         # Run mobile-specific installation
-        if [[ "${{ runner.os }}" == "macOS" ]]; then
-          yarn install-app:mobile-deploy:ios
-        else
-          yarn install-app:mobile-deploy
-        fi
+        yarn install-app:mobile-deploy
 
+    - name: Install Ruby dependencies
+      shell: bash
+      run: |
+        cd ${{ inputs.app_path }}
         # Install Ruby gems with bundler (respecting cache)
         echo "📦 Installing Ruby gems with strict lock file..."
         if ! bundle install --jobs 4 --retry 3; then