diff --git a/.cursor/mcp.json b/.cursor/mcp.json index 2671e172a..8fbf4625b 100644 --- a/.cursor/mcp.json +++ b/.cursor/mcp.json @@ -4,9 +4,13 @@ "command": "npx", "args": [ "-y", - "mcp-remote@latest", + "mcp-remote@1.2.3", "https://mcp.gigamind.dev/mcp" ] } + }, + "settings": { + "disableAutoPRAnalysis": true, + "manualReviewEnabled": true } -} \ No newline at end of file +} diff --git a/.cursor/rules/compliance-verification.mdc b/.cursor/rules/compliance-verification.mdc index 9932014af..c597bb840 100644 --- a/.cursor/rules/compliance-verification.mdc +++ b/.cursor/rules/compliance-verification.mdc @@ -1,7 +1,7 @@ --- -description: Specification for analyzing compliance verification systems including OFAC checks, age verification, and forbidden country validation +description: Critical compliance verification requirements for OFAC checks, age verification, and forbidden country validation version: 1.0.0 -status: draft +status: active owners: - team: compliance-platform - team: mobile-identity @@ -12,107 +12,88 @@ importanceJustification: Direct implementation of critical regulatory compliance contextUsageNote: If this file is used to add in-context notes, include a single italicized line stating what specific information was used from this file in sentence case. --- -# Compliance Verification System Specification - -## 1. Multi-Factor Compliance Verification - -- OFAC (Office of Foreign Assets Control) checks across three dimensions: - * Passport number verification - * Name + Date of Birth verification - * Name + Year of Birth verification -- Age verification with "olderThan" checks and day-level granularity -- Forbidden countries validation using efficient packed lists -- Timestamp-based verification with 24-hour window validation - -### Matching and Normalization Requirements - -- **Names MUST be normalized** prior to matching (case-folding, Unicode NFKC, diacritics removal) and compared using a fuzzy algorithm with a documented threshold (e.g., Jaro–Winkler >= 0.92). Record the algorithm and threshold in circuit public inputs. -- **Date inputs MUST be ISO 8601** (YYYY-MM-DD). For year-of-birth checks, explicitly state whether defaulting to Jan-01 is permitted or whether circuits encode year-only comparisons. -- **Passport numbers MUST be normalized** for whitespace and punctuation and validated against country-specific formats where available. - -### Time and Replay Control - -- All time comparisons MUST use UTC. Define an allowed clock drift (e.g., ±5 minutes) and reject proofs outside the 24-hour window adjusted by drift. -- The timestamp MUST be bound into the proof signature/statement to prevent replay. -- For mobile clients, avoid trusting device wall-clock alone; obtain a trusted time anchor (e.g., server-signed time token or chain block timestamp) and include it in the proof. - -### Privacy and PII Handling - -- No raw PII (names, DoB, passport numbers) may leave the device. PII MUST be committed via domain-separated hashes (e.g., Poseidon("ofac-v1" || value) with per-issuer salt). -- All on-chain data MUST remain non-linkable to the underlying identity; only nullifiers/commitments are published. - -### Forbidden Countries "Packed List" - -- Define the data structure (bitset vs Bloom filter). If Bloom filter is used, specify acceptable false positive rate (e.g., ≤ 1e-6) and version the filter seed. -- Distribution MUST be integrity-protected (JWS/JWT or Merkle root) with key rotation and a KID. Specify update cadence and cache TTL. - -## 2. Document Validation Architecture - -- Enforces date validation within specific time windows -- Validates forbidden countries against predefined restricted lists -- Implements age requirements through date comparison -- Manages multiple verification circuits based on signature types - -### Circuit Catalog and Versioning - -- Maintain a registry of circuit IDs, semantic versions, and public input schemas. Clients fetch the active set via a signed manifest. -- Define an upgrade policy (grace period, deprecation windows) and backward-compatibility expectations. - -### Mobile Proof Generation Constraints - -- Provide target proof generation limits for RN clients (e.g., <60s on mid-tier devices, <300MB peak memory). -- Define a fallback to a remote prover that never receives raw PII/witness; only receives commitments and obtains a zero-knowledge witness via on-device secure enclave or chunked witness encryption. -- Clearly separate on-device vs server responsibilities to minimize battery impact and avoid UI jank (background task, progress events). - -## 3. Verification Rules Engine - -- Custom document verification workflow combining multiple proof types -- Parallel verification paths for different identity document types -- Sequential verification steps through commitment registration -- Integration with external compliance data sources - -### External Data Source Integration - -- Specify SLAs (latency, availability) and client-side retry/backoff policy. All calls MUST be idempotent and resumable. -- Implement signed data snapshots with ETag/versioning for offline-first behavior; cache with explicit TTLs and verify signatures before use. -- Do not transmit any raw PII to external providers; only use hashed/committed forms compatible with the circuits. -- Define deterministic error codes for user feedback and analytics without leaking sensitive data. - -## 4. Identity Registry Management - -- Maintains Merkle trees for identity commitments and DSC keys -- Implements OFAC compliance checks with multiple verification roots -- Manages nullifier tracking to prevent duplicate registrations -- Handles CSCA root verification for document signing authority - -### Registry Parameters - -- For each Merkle tree, define tree height, hash function (e.g., Poseidon params), and root rotation cadence. Publish active roots and deprecation windows on-chain. -- Specify chain IDs and contract addresses for each environment (dev/test/prod) and the required finality before roots are considered valid. -- Nullifiers MUST be domain-separated by purpose (e.g., "register", "kyc-check") to prevent unintended linkability across workflows. -- Define revocation list handling (CSCA/DSC CRLs), update cadence, and signature verification process. Cache with signed manifests and KID-based key rotation. - -## 5. Implementation Guidelines - -### Circuit Versioning Strategy - -- Use semantic versioning (MAJOR.MINOR.PATCH) for all circuits -- MAJOR version changes require new circuit deployment and client migration -- MINOR version changes maintain backward compatibility -- PATCH version changes are bug fixes only - -### Error Handling and Recovery - -- Implement graceful degradation when external services are unavailable -- Provide clear error messages for users without exposing sensitive data -- Log non-identifying metadata for debugging and analytics -- Implement retry mechanisms with exponential backoff - -### Security Considerations - -- All cryptographic operations must use approved algorithms and key sizes -- Implement proper key management and rotation procedures -- Ensure secure random number generation for all cryptographic operations -- Regular security audits and penetration testing +# Compliance Verification Requirements + +## 1. OFAC Compliance Checks + +### Three-Tier Verification System +- **Passport Number Check**: Direct passport number validation against OFAC lists +- **Name + DOB Check**: Full name with exact date of birth verification +- **Name + Year Check**: Name with year of birth verification (defaults to Jan-01) + +### Data Normalization Requirements +- **Names**: Case-folding, Unicode NFKC normalization, diacritics removal +- **Fuzzy Matching**: Jaro–Winkler algorithm with ≥0.92 threshold +- **Passport Numbers**: Whitespace/punctuation removal, country-specific format validation +- **Dates**: ISO 8601 format (YYYY-MM-DD) required + +### Privacy Protection +- **No Raw PII**: All PII committed via domain-separated hashes (Poseidon("ofac-v1" || value)) +- **Per-Issuer Salt**: Unique salt per issuing country for additional privacy +- **On-Chain Privacy**: Only nullifiers/commitments published, no linkable identity data + +## 2. Age Verification + +### Implementation Requirements +- **Granularity**: Day-level precision for age verification +- **Format**: "olderThan" checks with ISO 8601 date inputs +- **Privacy**: Age verification without revealing actual date of birth +- **Zero-Knowledge**: Proof of age without disclosing DOB + +### Circuit Implementation +- **Location**: `circuits/circuits/disclose/disclose.circom` +- **Input**: Date of birth (private), minimum age (public) +- **Output**: Boolean proof of age requirement satisfaction +- **Validation**: Day-level comparison with proper date arithmetic + +## 3. Forbidden Country Validation + +### Data Structure +- **Implementation**: Bloom filter with ≤1e-6 false positive rate +- **Distribution**: JWS/JWT protected with key rotation and KID +- **Update Cadence**: Weekly updates with 24-hour cache TTL +- **Versioning**: Filter seed versioning for updates + +### Validation Process +- **Country Code**: ISO 3166-1 alpha-3 format validation +- **Zero-Knowledge**: Proof of non-inclusion without revealing country +- **Circuit Integration**: Integrated into disclosure proof circuit +- **Fallback**: Graceful degradation when filter unavailable + +## 4. Time and Replay Control + +### Timestamp Requirements +- **Time Source**: UTC timestamps only +- **Clock Drift**: ±5 minutes tolerance allowed +- **Window**: 24-hour verification window with drift adjustment +- **Binding**: Timestamp bound into proof signature to prevent replay + +### Mobile Client Considerations +- **Trusted Time**: Server-signed time tokens or chain block timestamps +- **Device Clock**: Do not trust device wall-clock alone +- **Time Anchor**: Include trusted time anchor in proof generation +- **Validation**: Verify time anchor authenticity before proof generation + +## 5. Implementation Constraints + +### Performance Requirements +- **Proof Generation**: <60s on mid-tier mobile devices +- **Memory Usage**: <300MB peak memory +- **Network Calls**: Idempotent with exponential backoff +- **Offline Support**: Cached data with ETag/versioning + +### Error Handling +- **Graceful Degradation**: Fallback when external services unavailable +- **Error Codes**: Deterministic error codes without sensitive data +- **Retry Logic**: Exponential backoff with jitter +- **User Feedback**: Clear error messages without PII exposure + +### Security Requirements +- **Cryptographic Standards**: Approved algorithms and key sizes +- **Key Management**: Proper rotation and secure storage +- **Randomness**: CSPRNG with entropy validation +- **Audit Trails**: Privacy-preserving audit logs + +This specification focuses on the critical compliance requirements with specific implementation details and constraints. $END$ diff --git a/.cursor/rules/cryptographic-circuits.mdc b/.cursor/rules/cryptographic-circuits.mdc deleted file mode 100644 index 7ab17aba8..000000000 --- a/.cursor/rules/cryptographic-circuits.mdc +++ /dev/null @@ -1,53 +0,0 @@ ---- -description: Technical documentation of the zero-knowledge proof circuits, including register circuits, DSC proofs, and disclosure proofs with their validation mechanisms -version: 1.0.0 -status: draft -owners: - - team: cryptography - - team: mobile-identity -lastUpdated: 2025-01-12 -specId: cryptographic-circuits -importanceScore: 85 -importanceJustification: Core cryptographic implementation specification for zero-knowledge proofs and circuit validation. -contextUsageNote: If this file is used to add in-context notes, include a single italicized line stating what specific information was used from this file in sentence case. ---- - -# Cryptographic Circuits Specification - -## 1. Register Circuits - -### Identity Commitment Generation -- Poseidon hash-based commitment scheme -- Domain separation for different commitment types -- Nullifier generation for duplicate prevention - -### Circuit Parameters -- Field size and security parameters -- Hash function specifications -- Public input validation rules - -## 2. DSC Proofs - -### Document Signer Certificate Validation -- Certificate chain verification -- Signature algorithm support (RSA, ECDSA) -- Revocation list checking - -### Proof Generation Constraints -- Memory and computation limits -- Deterministic randomness requirements -- Proof size optimization - -## 3. Disclosure Proofs - -### Selective Attribute Revelation -- Merkle-based attribute verification -- Privacy-preserving age verification -- Granular field disclosure - -### Circuit Optimization -- Efficient hash function usage -- Minimal public input requirements -- Fast verification algorithms - -$END$ diff --git a/.cursor/rules/data-models.mdc b/.cursor/rules/data-models.mdc deleted file mode 100644 index dda1ade4f..000000000 --- a/.cursor/rules/data-models.mdc +++ /dev/null @@ -1,65 +0,0 @@ ---- -description: Documentation of core data structures including identity commitments, DSC key commitments, nullifier tracking, and verification configurations -version: 1.0.0 -status: draft -owners: - - team: mobile-identity - - team: backend-api -lastUpdated: 2025-01-12 -specId: data-models -importanceScore: 80 -importanceJustification: Core data structure definitions that ensure consistency across the identity verification system. -contextUsageNote: If this file is used to add in-context notes, include a single italicized line stating what specific information was used from this file in sentence case. ---- - -# Data Models Specification - -## 1. Identity Commitments - -### Commitment Structure -- Poseidon hash of identity data -- Domain separation for different commitment types -- Timestamp and version information - -### Commitment Types -- Passport identity commitments -- EU ID card commitments -- Cross-chain commitment linking - -## 2. DSC Key Commitments - -### Key Commitment Format -- Public key hash with domain separation -- Certificate chain validation data -- Revocation status tracking - -### Key Management -- Key rotation procedures -- Backup and recovery mechanisms -- Security parameter specifications - -## 3. Nullifier Tracking - -### Nullifier Generation -- Domain-separated nullifier creation -- Duplicate prevention mechanisms -- Cross-chain nullifier validation - -### Nullifier Storage -- Efficient storage and retrieval -- Privacy-preserving nullifier management -- Audit trail maintenance - -## 4. Verification Configurations - -### Configuration Parameters -- Circuit version specifications -- Verification threshold settings -- Compliance rule configurations - -### Configuration Management -- Version control and updates -- Environment-specific configurations -- Security parameter management - -$END$ diff --git a/.cursor/rules/identity-verification-flow.mdc b/.cursor/rules/identity-verification-flow.mdc deleted file mode 100644 index 37369f5de..000000000 --- a/.cursor/rules/identity-verification-flow.mdc +++ /dev/null @@ -1,61 +0,0 @@ ---- -description: Detailed documentation of the multi-step identity verification process, including passport and EU ID card verification paths, proof verification pipeline, and attestation workflows -version: 1.0.0 -status: draft -owners: - - team: mobile-identity - - team: compliance-platform -lastUpdated: 2025-01-12 -specId: identity-verification-flow -importanceScore: 90 -importanceJustification: Core workflow specification for the identity verification process with multi-step attestation and proof generation. -contextUsageNote: If this file is used to add in-context notes, include a single italicized line stating what specific information was used from this file in sentence case. ---- - -# Identity Verification Flow Specification - -## 1. Multi-Step Verification Process - -### Passport Verification Path -- NFC chip data extraction and validation -- Document Signer Certificate (DSC) verification -- Zero-knowledge proof generation for privacy -- Multi-stage attestation verification -- Cross-chain verification support - -### EU ID Card Verification Path -- Similar process to passport verification -- Additional EU-specific compliance checks -- Regional document format validation - -## 2. Proof Verification Pipeline - -### Register Circuit Verification -- Identity commitment generation and validation -- Nullifier creation to prevent duplicate registrations -- Merkle tree inclusion proofs for privacy - -### DSC Proof Verification -- Document Signer Certificate validation -- Cryptographic signature verification -- Certificate chain validation - -### Disclosure Proof Verification -- Selective attribute revelation -- Privacy-preserving age verification -- Granular document field disclosure - -## 3. Attestation Workflows - -### User Identifier Verification -- User identifier verification through double-hashing with domain separation: - H2 = Hash("IDH" || Hash("IDH" || userIdentifier)) -- Attestation storage with nullifier tracking -- Support for cross-chain verification results - -### Verification Result Management -- Secure storage of verification results -- Privacy-preserving result sharing -- Audit trail maintenance - -$END$ diff --git a/.cursor/rules/technical-specification.mdc b/.cursor/rules/technical-specification.mdc new file mode 100644 index 000000000..c48bba6ac --- /dev/null +++ b/.cursor/rules/technical-specification.mdc @@ -0,0 +1,161 @@ +# Technical Specification: Identity Verification System + +## 1. Zero-Knowledge Proof Circuits + +### Register Circuit Implementation +- **Circuit Location**: `circuits/circuits/register/register.circom` +- **Purpose**: Generate identity commitments and nullifiers for passport/ID verification +- **Input Validation**: + - Passport number: normalized (whitespace/punctuation removed) + - Date of birth: ISO 8601 format (YYYY-MM-DD) + - Expiry date: ISO 8601 format (YYYY-MM-DD) + - Country code: ISO 3166-1 alpha-3 format +- **Output**: Poseidon hash commitment with domain separation `"register-v1"` + +### DSC Proof Circuit +- **Circuit Location**: `circuits/circuits/dsc/dsc.circom` +- **Purpose**: Validate Document Signer Certificate authenticity +- **Validation Steps**: + - Certificate chain verification (CSCA → DSC) + - Signature algorithm support (RSA-2048, ECDSA-P256) + - Revocation list checking via Merkle inclusion +- **Memory Constraints**: <300MB peak memory usage + +### Disclosure Proof Circuit +- **Circuit Location**: `circuits/circuits/disclose/vc_and_disclose.circom` +- **Purpose**: Selective attribute revelation with privacy preservation +- **Supported Disclosures**: + - Age verification: "olderThan" with day granularity + - Country verification: forbidden country checks + - Document type: passport vs EU ID card +- **Privacy**: No raw PII leaves device, only commitments + +## 2. Data Models & Structures + +### Identity Commitment Format +```typescript +interface IdentityCommitment { + commitment: string; // Poseidon hash + nullifier: string; // Domain-separated nullifier + timestamp: number; // UTC timestamp + version: string; // Circuit version + documentType: 'passport' | 'eu_id_card'; +} +``` + +### DSC Key Commitment +```typescript +interface DSCKeyCommitment { + publicKeyHash: string; // Poseidon hash of public key + certificateChain: string[]; // Certificate chain hashes + revocationStatus: boolean; // Revocation list inclusion + issuer: string; // Issuing country code +} +``` + +### Verification Configuration +```typescript +interface VerificationConfig { + circuitVersion: string; // Semantic versioning + complianceRules: ComplianceRule[]; + timeWindow: number; // 24-hour window in seconds + clockDrift: number; // ±5 minutes tolerance + trustAnchors: string[]; // Trusted certificate authority roots + revocationRoots: string[]; // Certificate revocation list roots + timeSource: string; // NTP server for time validation + nullifierScope: string; // Domain separation for nullifiers +} +``` + +## 3. Identity Verification Workflows + +### Passport Verification Path +1. **NFC Data Extraction**: Read passport chip via NFC +2. **MRZ Validation**: Parse and validate Machine Readable Zone +3. **DSC Verification**: Validate Document Signer Certificate +4. **Register Proof**: Generate identity commitment +5. **Compliance Check**: OFAC screening via zero-knowledge proofs +6. **Attestation**: Create privacy-preserving attestation + +### EU ID Card Verification Path +1. **Similar to passport** with EU-specific compliance checks +2. **Additional validation**: EU document format requirements +3. **Regional compliance**: EU-specific forbidden country lists + +### Cross-Chain Verification +- **Commitment linking**: Link commitments across different chains +- **Nullifier tracking**: Prevent duplicate registrations across chains +- **Attestation portability**: Share attestations across ecosystems + +## 4. Implementation Requirements + +### Cryptographic Standards +- **Hash Function**: Poseidon (optimized for ZK circuits) +- **Field Size**: BN254 scalar field (254 bits) +- **Key Sizes**: RSA-2048 minimum, ECDSA-P256 preferred +- **Randomness**: CSPRNG with entropy validation +- **Signature Scheme**: EdDSA over BabyJubJub (zk-friendly) +- **MRZ Validation**: Check digits validation for data integrity +- **Authentication**: Passive/active authentication modes +- **NFC Security**: Secure channel establishment with PACE/BAC + +### Performance Constraints +- **Proof Generation**: <60s on mid-tier mobile devices +- **Memory Usage**: <300MB peak memory +- **Bundle Size**: <2MB SDK bundle size +- **Startup Time**: <1s SDK initialization + +### Security Requirements +- **PII Protection**: No raw PII in logs or network traffic +- **Key Management**: Secure key storage with rotation +- **Audit Trails**: Privacy-preserving audit logs +- **Input Validation**: Comprehensive input sanitization +- **OFAC Anchoring**: Signed list snapshots with freshness guarantees +- **Cross-Chain Privacy**: Domain-separated nullifiers prevent linkability +- **Hardware Security**: Hardware keystore requirements for mobile +- **TLS Pinning**: Certificate pinning for secure communications +- **Telemetry Minimization**: Minimal data collection and transmission + +## 5. Error Handling & Recovery + +### Circuit Errors +- **Invalid Input**: Clear error codes for malformed data +- **Proof Failure**: Graceful degradation with retry logic +- **Memory Limits**: Client-side only - no server-side proving fallback +- **Timeout Handling**: Configurable timeouts with progress events + +### Network Errors +- **Retry Logic**: Exponential backoff with jitter +- **Offline Support**: Cached verification data +- **Graceful Degradation**: Fallback verification methods +- **Error Reporting**: Non-identifying error metadata + +## 6. Testing Requirements + +### Circuit Testing +- **Unit Tests**: Individual circuit component testing +- **Integration Tests**: End-to-end proof generation +- **Performance Tests**: Memory and timing validation +- **Security Tests**: Cryptographic validation + +### SDK Testing +- **Cross-Platform**: iOS, Android, Web compatibility +- **Memory Profiling**: Memory leak detection +- **Bundle Analysis**: Tree-shaking validation +- **Integration Testing**: App integration validation + +## 7. Deployment & Versioning + +### Circuit Versioning +- **Semantic Versioning**: MAJOR.MINOR.PATCH +- **Backward Compatibility**: MINOR versions maintain compatibility +- **Migration Strategy**: Graceful migration with deprecation windows +- **Rollback Plan**: Emergency rollback procedures + +### SDK Distribution +- **Package Management**: npm/yarn distribution +- **Version Compatibility**: Circuit version compatibility matrix +- **Documentation**: Comprehensive API documentation +- **Examples**: Integration examples and demos + +This specification provides concrete implementation guidance for the identity verification system with specific technical requirements, performance constraints, and development patterns. diff --git a/.giga/specifications.json b/.giga/specifications.json index aa55d6e4d..6ebe53021 100644 --- a/.giga/specifications.json +++ b/.giga/specifications.json @@ -1,27 +1,22 @@ [ { "fileName": "main-overview.mdc", - "path": ".cursorrules", + "path": ".cursor/rules", "description": "Complete system overview of the identity verification platform, covering the passport/ID verification workflow, zero-knowledge proof system, and compliance mechanisms" }, { - "fileName": "identity-verification-flow.mdc", - "path": ".cursor/rules/identity-verification-flow.mdc", - "description": "Detailed documentation of the multi-step identity verification process, including passport and EU ID card verification paths, proof verification pipeline, and attestation workflows" + "fileName": "mobile-sdk-migration.mdc", + "path": ".cursor/rules/mobile-sdk-migration.mdc", + "description": "Comprehensive migration strategy and testing-first approach for porting identity verification logic from app to mobile-sdk-alpha package with detailed checklist and validation workflow" }, { - "fileName": "cryptographic-circuits.mdc", - "path": ".cursor/rules/cryptographic-circuits.mdc", - "description": "Technical documentation of the zero-knowledge proof circuits, including register circuits, DSC proofs, and disclosure proofs with their validation mechanisms" - }, - { - "fileName": "data-models.mdc", - "path": ".cursor/rules/data-models.mdc", - "description": "Documentation of core data structures including identity commitments, DSC key commitments, nullifier tracking, and verification configurations" + "fileName": "technical-specification.mdc", + "path": ".cursor/rules/technical-specification.mdc", + "description": "Consolidated technical implementation specification for zero-knowledge proof circuits, data models, verification workflows, and implementation requirements with performance constraints" }, { "fileName": "compliance-verification.mdc", "path": ".cursor/rules/compliance-verification.mdc", - "description": "Details of the compliance verification system including OFAC checks, age verification, forbidden country validation, and timestamp-based verifications" + "description": "Critical compliance verification requirements for OFAC checks, age verification, and forbidden country validation with specific implementation details and constraints" } ] diff --git a/.github/workflows/mobile-ci.yml b/.github/workflows/mobile-ci.yml index fd3ef8141..829794b7d 100644 --- a/.github/workflows/mobile-ci.yml +++ b/.github/workflows/mobile-ci.yml @@ -120,12 +120,10 @@ jobs: uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} - - name: Set up Xcode uses: maxim-lobanov/setup-xcode@v1 with: - # some cocoapods won't compile with xcode 16.3 - xcode-version: "16.2" + xcode-version: "16.4" - uses: actions/checkout@v4 - name: Cache Node Modules @@ -152,6 +150,21 @@ jobs: key: ${{ runner.os }}-pods-${{ hashFiles('app/ios/Podfile.lock') }} restore-keys: | ${{ runner.os }}-pods- + - name: Verify CocoaPods Cache + run: | + echo "Checking CocoaPods cache status..." + if [ -d "app/ios/Pods" ] && [ "$(ls -A app/ios/Pods)" ]; then + echo "✅ CocoaPods cache restored successfully" + ls -la app/ios/Pods/ | head -10 + + # Check if key files exist + if [ ! -f "app/ios/Pods/Target Support Files/Pods-Self/Pods-Self.debug.xcconfig" ]; then + echo "⚠️ Key CocoaPods files missing - clearing cache" + rm -rf app/ios/Pods app/ios/Podfile.lock + fi + else + echo "⚠️ CocoaPods cache is empty or missing - will install fresh" + fi - name: Cache Gradle uses: actions/cache@v4 with: @@ -166,6 +179,53 @@ jobs: - name: Build Dependencies run: yarn build:deps working-directory: ./app + - name: Install iOS Dependencies + run: | + echo "Installing iOS dependencies..." + cd app/ios + + # Clean Pods directory if it's corrupted or empty + if [ ! -d "Pods" ] || [ -z "$(ls -A Pods 2>/dev/null)" ]; then + echo "Cleaning empty/corrupted Pods directory..." + rm -rf Pods Podfile.lock + fi + + # Install pods + bundle exec pod install --silent || { echo "❌ Pod install failed"; exit 1; } + echo "✅ Pods installed successfully" + + # Verify installation + if [ ! -d "Pods" ] || [ -z "$(ls -A Pods 2>/dev/null)" ]; then + echo "❌ Pods directory is still empty after installation" + exit 1 + fi + + echo "Pods directory contents:" + ls -la Pods/ | head -10 + + # Verify key files exist + if [ ! -f "Pods/Target Support Files/Pods-Self/Pods-Self.debug.xcconfig" ]; then + echo "❌ Key CocoaPods configuration file missing" + exit 1 + fi + + echo "✅ iOS dependencies installed successfully" + - name: Verify iOS Workspace + run: | + echo "Verifying iOS workspace setup..." + cd app/ios + + if [ ! -f "OpenPassport.xcworkspace/contents.xcworkspacedata" ]; then + echo "❌ OpenPassport.xcworkspace is missing or corrupted" + exit 1 + fi + + if [ ! -d "Pods" ]; then + echo "❌ Pods directory is missing" + exit 1 + fi + + echo "✅ iOS workspace is properly configured" - name: Build iOS run: yarn ios working-directory: ./app diff --git a/.github/workflows/mobile-deploy.yml b/.github/workflows/mobile-deploy.yml index dfb7393a0..9e062cc82 100644 --- a/.github/workflows/mobile-deploy.yml +++ b/.github/workflows/mobile-deploy.yml @@ -118,9 +118,8 @@ jobs: - name: Set up Xcode if: inputs.platform != 'android' uses: maxim-lobanov/setup-xcode@v1 - # with: - # # some cocoapods won't compile with xcode 16.3 - # xcode-version: "16.2" + with: + xcode-version: "16.4" - name: Cache Yarn dependencies id: yarn-cache diff --git a/.github/workflows/mobile-e2e.yml b/.github/workflows/mobile-e2e.yml index 9b6f1d9ab..12ecc39e1 100644 --- a/.github/workflows/mobile-e2e.yml +++ b/.github/workflows/mobile-e2e.yml @@ -202,6 +202,10 @@ jobs: run: curl -Ls "https://get.maestro.mobile.dev" | bash - name: Add Maestro to path run: echo "$HOME/.maestro/bin" >> "$GITHUB_PATH" + - name: Set up Xcode + uses: maxim-lobanov/setup-xcode@v1 + with: + xcode-version: "16.4" - name: Cache Node modules uses: actions/cache@v4 with: @@ -246,9 +250,38 @@ jobs: path: | ~/Library/Developer/CoreSimulator/Devices ~/Library/Developer/Xcode/iOS DeviceSupport - key: ${{ runner.os }}-simulator-${{ hashFiles('app/ios/Podfile.lock') }} + key: ${{ runner.os }}-simulator-v1 restore-keys: | ${{ runner.os }}-simulator- + - name: Install iOS Runtime + run: | + echo "📱 Checking iOS Runtime availability..." + + # List available runtimes + echo "Available iOS runtimes:" + xcrun simctl runtime list + + # Check if we have any iOS runtimes available + IOS_RUNTIMES=$(xcrun simctl runtime list | grep "iOS" | grep "Ready" | wc -l) + + if [ "$IOS_RUNTIMES" -gt 0 ]; then + echo "✅ Found $IOS_RUNTIMES iOS runtime(s) available and ready" + + # Get the latest iOS runtime UUID + LATEST_RUNTIME_UUID=$(xcrun simctl runtime list | grep "iOS" | grep "Ready" | tail -1 | awk '{print $NF}' | tr -d '()') + + if [ -n "$LATEST_RUNTIME_UUID" ]; then + echo "✅ Latest iOS runtime UUID: $LATEST_RUNTIME_UUID" + else + echo "⚠️ Could not determine latest runtime UUID, but runtimes are available" + fi + else + echo "⚠️ No iOS runtimes found, but this might be expected in CI environment" + echo "Continuing with system defaults..." + fi + + echo "Runtime status summary:" + xcrun simctl runtime list | grep "iOS" | head -5 - name: Build dependencies (outside main flow) run: | echo "Building dependencies..." @@ -262,19 +295,73 @@ jobs: - name: Setup iOS Simulator run: | echo "Setting up iOS Simulator..." + + # First, check what simulators are actually available echo "Available simulators:" - xcrun simctl list devices | grep "iPhone 15" + xcrun simctl list devices available || { + echo "❌ Failed to list available devices" + echo "Trying to list all devices:" + xcrun simctl list devices || { + echo "❌ Failed to list any devices" + exit 1 + } + } + + # Find iPhone SE (3rd generation) simulator + echo "Finding iPhone SE (3rd generation) simulator..." + AVAILABLE_SIMULATOR=$(xcrun simctl list devices available | grep "iPhone SE (3rd generation)" | head -1 | sed -E 's/.*\(([A-F0-9-]+)\).*/\1/') + + if [ -z "$AVAILABLE_SIMULATOR" ]; then + echo "iPhone SE (3rd generation) not found, trying any iPhone SE..." + AVAILABLE_SIMULATOR=$(xcrun simctl list devices available | grep "iPhone SE" | head -1 | sed -E 's/.*\(([A-F0-9-]+)\).*/\1/') + fi + + if [ -z "$AVAILABLE_SIMULATOR" ]; then + echo "No iPhone SE found, trying any iPhone..." + AVAILABLE_SIMULATOR=$(xcrun simctl list devices available | grep "iPhone" | head -1 | sed -E 's/.*\(([A-F0-9-]+)\).*/\1/') + fi + + if [ -z "$AVAILABLE_SIMULATOR" ]; then + echo "❌ No available iPhone simulator found" + echo "Creating a new iPhone SE (3rd generation) simulator..." + # Create a new iPhone SE (3rd generation) simulator with the latest iOS version + xcrun simctl create "iPhone SE (3rd generation)" "iPhone SE (3rd generation)" "iOS17.5" || { + echo "❌ Failed to create iPhone SE (3rd generation) simulator" + echo "Trying to create any iPhone SE simulator..." + xcrun simctl create "iPhone SE" "iPhone SE" "iOS17.5" || { + echo "❌ Failed to create simulator" + exit 1 + } + } + AVAILABLE_SIMULATOR=$(xcrun simctl list devices | grep "iPhone SE" | sed -E 's/.*\(([A-F0-9-]+)\).*/\1/') + fi + + echo "Using simulator: $AVAILABLE_SIMULATOR" + + # Get simulator name for display + SIMULATOR_NAME=$(xcrun simctl list devices | grep "$AVAILABLE_SIMULATOR" | sed -E 's/^[[:space:]]*([^(]+).*/\1/' | xargs) + echo "Simulator name: $SIMULATOR_NAME" # Boot simulator and wait for it to be ready - xcrun simctl boot "iPhone 15" || true - xcrun simctl bootstatus "iPhone 15" -b + echo "Booting simulator..." + xcrun simctl boot "$AVAILABLE_SIMULATOR" || { + echo "❌ Failed to boot simulator" + exit 1 + } - # Wait for simulator to be fully ready echo "Waiting for simulator to be ready..." - sleep 10 + xcrun simctl bootstatus "$AVAILABLE_SIMULATOR" -b + + # Wait for simulator to be fully ready + echo "Waiting for simulator to be fully ready..." + sleep 15 echo "Simulator status:" - xcrun simctl list devices | grep "iPhone 15" + xcrun simctl list devices | grep "$AVAILABLE_SIMULATOR" + + # Store simulator ID for later use + echo "IOS_SIMULATOR_ID=$AVAILABLE_SIMULATOR" >> $GITHUB_ENV + echo "IOS_SIMULATOR_NAME=$SIMULATOR_NAME" >> $GITHUB_ENV - name: Build iOS App run: | echo "Building iOS app..." @@ -293,18 +380,22 @@ jobs: [ -z "$IOS_BUNDLE_ID" ] && { echo "❌ Could not determine bundle ID from $APP_PATH/Info.plist"; exit 1; } echo "✅ App Bundle ID: $IOS_BUNDLE_ID" + # Use the dynamic simulator ID + SIMULATOR_ID="${IOS_SIMULATOR_ID:-iPhone SE (3rd generation)}" + echo "Installing on simulator: $SIMULATOR_ID" + echo "Removing any existing app installation..." - xcrun simctl uninstall "iPhone 15" "$IOS_BUNDLE_ID" 2>/dev/null || true + xcrun simctl uninstall "$SIMULATOR_ID" "$IOS_BUNDLE_ID" 2>/dev/null || true echo "Installing app..." - xcrun simctl install "iPhone 15" "$APP_PATH" + xcrun simctl install "$SIMULATOR_ID" "$APP_PATH" if [ $? -ne 0 ]; then echo "❌ iOS app installation failed" exit 1 fi echo "Verifying app installation..." - if xcrun simctl listapps "iPhone 15" | grep -q "$IOS_BUNDLE_ID"; then + if xcrun simctl listapps "$SIMULATOR_ID" | grep -q "$IOS_BUNDLE_ID"; then echo "✅ App successfully installed" else echo "❌ App installation verification failed" @@ -312,13 +403,13 @@ jobs: fi echo "🚀 Testing app launch capability..." - xcrun simctl launch "iPhone 15" "$IOS_BUNDLE_ID" || { + xcrun simctl launch "$SIMULATOR_ID" "$IOS_BUNDLE_ID" || { echo "⚠️ Direct app launch test failed - this might be expected." } echo "⏰ Checking simulator readiness..." sleep 10 - xcrun simctl listapps "iPhone 15" > /dev/null || sleep 5 + xcrun simctl listapps "$SIMULATOR_ID" > /dev/null || sleep 5 echo "Running Maestro tests..." echo "Starting test execution..." diff --git a/.gitignore b/.gitignore index 7e70b4b89..e3cfb66e2 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,6 @@ showcase output/* *.tsbuildinfo .yarnrc.yml + +# PR Action Items - prevent accidental commits +PR_*_ACTION_ITEMS.md diff --git a/docs/templates/pr-action-items-template.md b/docs/templates/pr-action-items-template.md new file mode 100644 index 000000000..ff6dcdcd5 --- /dev/null +++ b/docs/templates/pr-action-items-template.md @@ -0,0 +1,216 @@ +# PR {{PR_NUMBER}} - Action Items Template + +## PR Overview +**Title:** {{PR_TITLE}} +**Author:** {{AUTHOR}} +**Status:** {{STATUS}} +**Created:** {{DATE}} +**Branch:** {{BRANCH}} + +## Summary +{{PR_SUMMARY}} + +## Key Changes +- {{CHANGE_1}} +- {{CHANGE_2}} +- {{CHANGE_3}} + +## Action Items + +### 🔧 Critical Issues (High Priority) +*Security vulnerabilities, breaking changes, critical bugs* + +#### 1. {{CRITICAL_ISSUE_TITLE}} +**Status:** 🔴 Critical Issues Identified +**Files:** {{FILE_PATHS}} + +**Issues:** +- [ ] **Security Risk:** {{SECURITY_DESCRIPTION}} +- [ ] **Cache Key Problems:** {{CACHE_DESCRIPTION}} +- [ ] **Missing Validation:** {{VALIDATION_DESCRIPTION}} + +**Required Actions:** +```bash +# Specific code examples for fixes +{{CODE_EXAMPLE}} +``` + +#### 2. {{SECOND_CRITICAL_ISSUE}} +**Status:** 🟡 Investigation Required +**Files:** {{FILE_PATHS}} + +**Issue:** {{ISSUE_DESCRIPTION}} + +**Actions:** +- [ ] {{ACTION_1}} +- [ ] {{ACTION_2}} +- [ ] {{ACTION_3}} + +### 📦 Functional Issues (Medium Priority) +*Bugs, missing features, incorrect behavior* + +#### 3. {{FUNCTIONAL_ISSUE_TITLE}} +**Status:** 🟡 Missing Dependencies +**Files:** {{FILE_PATHS}} + +**Issue:** {{ISSUE_DESCRIPTION}} + +**Actions:** +- [ ] {{ACTION_1}} +- [ ] {{ACTION_2}} +- [ ] {{ACTION_3}} + +#### 4. {{WORKFLOW_ISSUE_TITLE}} +**Status:** 🟡 Workflow Optimization +**Files:** {{WORKFLOW_FILES}} + +**Issue:** {{WORKFLOW_DESCRIPTION}} + +**Actions:** +- [ ] {{WORKFLOW_ACTION_1}} +- [ ] {{WORKFLOW_ACTION_2}} +- [ ] {{WORKFLOW_ACTION_3}} + +### 🧪 Testing & Validation (High Priority) + +#### 5. Fix Failing Tests +**Status:** 🔴 Blocking Issues +**Files:** {{TEST_FILES}} + +**Known Failures:** +- [ ] **{{TEST_TYPE}}:** {{FAILURE_DESCRIPTION}} +- [ ] **{{TEST_TYPE_2}}:** {{FAILURE_DESCRIPTION_2}} + +**Actions:** +- [ ] Investigate {{ISSUE_TYPE}} configuration issues +- [ ] Check {{COMPATIBILITY}} compatibility +- [ ] Update test configurations if needed +- [ ] Verify test environment setup + +#### 6. Comprehensive Test Suite +**Status:** 🟡 Verification Required + +**Actions:** +- [ ] Run `yarn workspace @selfxyz/{{WORKSPACE_1}} test` +- [ ] Run `yarn workspace @selfxyz/{{WORKSPACE_2}} test` +- [ ] Run `yarn workspace @selfxyz/{{WORKSPACE_3}} test` +- [ ] Run `yarn types` +- [ ] Run `yarn build` +- [ ] Run `yarn lint` +- [ ] Run `yarn workspace @selfxyz/{{WORKSPACE_4}} build` + +### 🔍 Code Review Tasks + +#### 7. Review Security Changes +**Status:** 🟡 Review Required + +**Actions:** +- [ ] Review all {{CHANGE_TYPE}} changes for security implications +- [ ] Verify {{CONSISTENCY}} is consistent across all {{SCOPE}} +- [ ] Check that {{CONFIGURATION}} is properly updated +- [ ] Ensure {{ACTIONS}} are properly configured +- [ ] Verify sanitization prevents injection attacks +- [ ] Confirm all workflows use consistent patterns + +#### 8. Review Workflow Changes +**Status:** 🟡 Review Required + +**Actions:** +- [ ] Review {{WORKFLOW_TYPE}} workflow changes +- [ ] Verify {{WORKFLOW_STEP}} is appropriately implemented +- [ ] Check that {{WORKFLOW_PROCESS}} is properly streamlined +- [ ] Ensure no functionality was lost in optimizations + +### 🚀 Deployment Considerations + +#### 9. Pre-deployment Checklist +**Status:** 🟡 Planning Required + +**Actions:** +- [ ] Test CI/CD pipeline with new {{FEATURE}} handling +- [ ] Verify all workflows pass with {{CHANGES}} changes +- [ ] Test {{RESOLUTION}} resolution in all environments +- [ ] Validate build artifacts are consistent +- [ ] Test {{SPECIFIC_FEATURE}} functionality +- [ ] Verify {{WORKFLOW_TYPE}} workflows work correctly + +## Risk Assessment + +### High Risk +- **{{RISK_1}}:** {{RISK_1_DESCRIPTION}} +- **{{RISK_2}}:** {{RISK_2_DESCRIPTION}} +- **{{RISK_3}}:** {{RISK_3_DESCRIPTION}} + +### Medium Risk +- **{{RISK_4}}:** {{RISK_4_DESCRIPTION}} +- **{{RISK_5}}:** {{RISK_5_DESCRIPTION}} +- **{{RISK_6}}:** {{RISK_6_DESCRIPTION}} + +### Low Risk +- **{{RISK_7}}:** {{RISK_7_DESCRIPTION}} +- **{{RISK_8}}:** {{RISK_8_DESCRIPTION}} + +## Success Criteria + +- [ ] All CI workflows pass consistently +- [ ] No security vulnerabilities in {{FILES}} +- [ ] All tests pass across all workspaces +- [ ] {{DEPENDENCIES}} versions are properly aligned +- [ ] {{FEATURE}} handling is robust and secure +- [ ] {{CACHE}} keys prevent {{MISMATCH}} mismatches +- [ ] {{WORKFLOW_TYPE}} workflows are optimized and functional +- [ ] {{SPECIFIC_FEATURE}} works correctly in all environments + +## Additional Considerations + +### Edge Cases & Future Improvements + +#### 10. Monitoring & Alerting +**Status:** 🟡 Future Enhancement + +**Considerations:** +- [ ] Monitor for {{MONITORING_ITEM_1}} +- [ ] Set up alerts for {{ALERT_TYPE}} failures +- [ ] Track {{METRIC}} to ensure {{FEATURE}} is working +- [ ] Monitor for any security issues with {{SECURITY_FEATURE}} + +#### 11. Documentation Updates +**Status:** 🟡 Future Enhancement + +**Actions:** +- [ ] Update {{DOC_TYPE}} documentation to reflect new {{FEATURE}} +- [ ] Document the {{PROCESS}} process +- [ ] Update developer onboarding for {{REQUIREMENT}} +- [ ] Document {{STRATEGY}} strategy for future additions + +#### 12. Rollback Plan +**Status:** 🟡 Planning Required + +**Actions:** +- [ ] Document rollback procedure if {{CHANGE}} causes issues +- [ ] Identify which {{COMPONENTS}} can be quickly reverted +- [ ] Plan for emergency fixes if {{VALIDATION}} causes failures +- [ ] Prepare fallback strategy for critical deployments + +## Notes + +- **{{ANALYSIS_TOOL}} Analysis:** {{ANALYSIS_SUMMARY}} +- **Testing Status:** {{TESTING_STATUS}} +- **Security Concerns:** {{SECURITY_CONCERNS}} +- **Dependencies:** {{DEPENDENCY_ISSUES}} +- **Workflow Improvements:** {{WORKFLOW_IMPROVEMENTS}} +- **Cache Optimization:** {{CACHE_OPTIMIZATION}} +- **Comprehensive Coverage:** {{COVERAGE_SUMMARY}} + +## Timeline Estimate + +- **Critical Fixes:** {{TIMELINE_1}} +- **Testing & Validation:** {{TIMELINE_2}} +- **Code Review:** {{TIMELINE_3}} +- **Deployment:** {{TIMELINE_4}} + +**Total Estimated Time:** {{TOTAL_TIMELINE}} + +--- + +**Last Updated:** {{DATE}}