fix: extractMRZ

[seshanthS]

Changes

Update extractMRZ Method to include TD1

To test
cd packages/mobile-sdk-alpha && yarn test tests/processing/mrz.test.ts

Summary by CodeRabbit

• New Features

  • Added TD1 MRZ support alongside TD3 with improved detection, validation, and clearer error messages.

• Refactor

  • Reduced MRZ payload: removed surname, given names, sex, and nationality from camera and MRZ results (no UI changes).

• Tests

  • Added TD1 parsing/validation tests and expanded MRZ test coverage; updated test imports.

• Chores

  • Mobile CI overhaul: new iOS/Android jobs, Yarn/Gradle caching, Node version sanitization, and improved pod install caching/script.

• Style

  • Minor package metadata whitespace cleanup.

[coderabbitai]

Walkthrough

Adds TD1 MRZ parsing and TD1 check-digit validation alongside TD3; refactors TD3 validation and nationality extraction; removes surname, givenNames, sex, and nationality from MRZ payloads and types; updates tests and imports; small whitespace tweak in common/package.json; CI/workflow and pod-install script added for mobile builds.

Changes

Cohort / File(s)	Summary
MRZ processing logic packages/mobile-sdk-alpha/src/processing/mrz.ts	Adds TD1 detection/parsing and TD1 check-digit validation; switches TD3 format validation to regex; removes name/sex parsing; improves TD3 nationality extraction; extractMRZInfo supports TD3 or TD1 and returns unified validation.
Public types update packages/mobile-sdk-alpha/src/types/public.ts	Removes MRZInfo properties: surname, givenNames, sex, nationality.
UI callback payload change packages/mobile-sdk-alpha/src/components/screens/PassportCameraScreen.tsx, app/src/components/native/PassportCamera.tsx	Drops surname, givenNames, sex, nationality from MRZ objects passed to callbacks; issuingCountry and validation flags preserved.
Tests and exports packages/mobile-sdk-alpha/tests/processing/mrz.test.ts	Reorganizes imports/exports; exposes extractMRZInfo/formatDateToYYMMDD from processing; adds TD1 valid/invalid/validation-fail tests; retains TD3 and date-format tests.
App tests app/tests/src/components/PassportCamera.test.tsx	Adjusts expected mapped MRZ object to omit nationality.
Package metadata common/package.json	Whitespace/indentation tweak for ./utils/proving export entry; no behavioral change.
CI workflow .github/workflows/mobile-ci.yml	New mobile CI: Yarn-first caching, Node version sanitization, iOS job refactor, new Android job, shared caches, and pod-install script usage.
iOS pod helper app/ios/scripts/pod-install-with-cache-fix.sh	New script to clean CocoaPods cache and retry pod install (fallback updates hermes-engine) with status messages.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller as Caller
  participant MRZ as extractMRZInfo
  participant TD3 as TD3 Parser/Validator
  participant TD1 as TD1 Parser/Validator
  Caller->>MRZ: extractMRZInfo(lines)
  alt TD3 format valid
    MRZ->>TD3: parse TD3 (no names/sex), extract nationality robustly
    TD3-->>MRZ: fields + per-field & composite checks
    MRZ-->>Caller: info + validation(format: TD3)
  else TD1 format valid
    MRZ->>TD1: parse TD1 lines
    TD1-->>MRZ: fields + per-field checks
    MRZ-->>Caller: info + validation(format: TD1)
  else
    MRZ-->>Caller: throw MrzParseError("Not TD3 or TD1")
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: add nfc parser and mrz tests #886 — MRZ processing and test/export adjustments overlap with TD1/TD3 changes.
• feat: use SelfClient for MRZ parsing #930 — Touches MRZ parsing usage and integrations that may need adaptation to the new MRZ shape.
• fix: streamline mobile CI build and caching #946 — Related mobile CI/workflow restructuring and caching changes.

Suggested labels

codex

Suggested reviewers

• remicolin

Poem

Names trimmed to lighten the pack,
TD1 joins TD3 upon the track,
Digits checked and formats aligned,
Smaller payloads, parsing refined.
CI hums, pods retry, builds intact.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hotfix/td1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

packages/mobile-sdk-alpha/src/processing/mrz.ts (3)

145-165: Remove unused nationality extraction in TD3 to satisfy lint and avoid wasted cycles.

nationality is computed but never returned or used, and MRZInfo no longer includes it.

Apply this diff:

-  // Robust nationality extraction: scan 4-character window for three contiguous A-Z letters
-  const rawNat = line2.slice(10, 14);
-  let nationality = '';
-
-  // Look for a 3-letter uppercase sequence in the window
-  for (let i = 0; i <= rawNat.length - 3; i++) {
-    const candidate = rawNat.slice(i, i + 3);
-    if (/^[A-Z]{3}$/.test(candidate)) {
-      nationality = candidate;
-      break;
-    }
-  }
-
-  // If no 3-letter sequence found, fall back to original slice(10,13) with non-letters removed
-  if (!nationality) {
-    nationality = rawNat.slice(0, 3).replace(/[^A-Z]/g, '');
-  }
+  // Nationality intentionally omitted from MRZInfo surface; skip extraction.

---

48-105: Remove unused parseNames to fix CI lint failure and reduce dead code.

CI is failing with no-unused-vars on this symbol. Given names are no longer part of MRZInfo, this can be safely dropped.

Apply this diff to remove the function:

-/**
- * Parse names from MRZ format (surname<<given<names<<<)
- * Handles complex cases like: VAN<<DER<<BERG<<MARIA<ELENA
- * Expected: surname="VAN  DER  BERG", givenNames="MARIA ELENA"
- */
-function parseNames(nameField: string): { surname: string; givenNames: string } {
-  const parts = nameField.split('<<');
-  if (parts.length === 1) {
-    // No '<<' found, entire field is surname
-    return {
-      surname: nameField.replace(/</g, ' ').trim(),
-      givenNames: '',
-    };
-  }
-  // Find the boundary between surname and given names
-  // Look for the last part that contains '<' (indicating given names with spaces)
-  let givenNamesStartIndex = parts.length; // Default to all surname
-  for (let i = parts.length - 1; i >= 0; i--) {
-    const part = parts[i];
-    // If a part contains '<' within it (not just trailing '<'), it's likely given names
-    if (part.includes('<') && !part.endsWith('<'.repeat(part.length))) {
-      givenNamesStartIndex = i;
-      break;
-    }
-  }
-  // If we didn't find a clear given names section, use the first << as boundary
-  if (givenNamesStartIndex >= parts.length) {
-    const firstDoubleSeparator = nameField.indexOf('<<');
-    if (firstDoubleSeparator === -1) {
-      return {
-        surname: nameField.replace(/</g, ' ').trim(),
-        givenNames: '',
-      };
-    }
-    const surnameField = nameField.slice(0, firstDoubleSeparator);
-    const givenNamesField = nameField.slice(firstDoubleSeparator + 2);
-    return {
-      surname: surnameField.replace(/</g, ' ').trim(),
-      givenNames: givenNamesField.replace(/</g, ' ').trim(),
-    };
-  }
-  // Build surname from parts before the given names (join with double spaces to reflect <<)
-  const surnameParts = parts.slice(0, givenNamesStartIndex);
-  const surname = surnameParts.join('  ').replace(/</g, ' ').trim();
-  // Build given names from remaining parts
-  const givenNamesParts = parts.slice(givenNamesStartIndex);
-  const givenNames = givenNamesParts.join(' ').replace(/</g, ' ').trim();
-  return { surname, givenNames };
-}

---

247-264: Refine MRZ detection and remove sensitive logging

Please address the following medium-priority security and robustness concerns in packages/mobile-sdk-alpha/src/processing/mrz.ts:

• Remove PII leak
– At line 120, remove the leftover
ts console.log('validateTD1Format', lines);
which prints raw MRZ lines.
(This logging exposes sensitive document data.)

• Tighten TD3 detection
– In validateTD3Format, besides checking lines.length === 2 and the line-2 regex, also assert that lines[0] begins with the passport document marker (e.g. /^P</ or equivalent) before returning true.
(Ensures TD1-style inputs can’t slip into the TD3 branch.)

• Prefer TD1 for “ID…” inputs
– Consider checking lines[0].startsWith('ID') (or the document-type group) before TD3, so any MRZ string starting with “ID” is immediately routed to TD1.

• Optional: enforce full TD1 length
– You may further restrict validateTD1Format to require lines.length === 3 for the standard 3-line TD1 case, handling single-line fallbacks separately if needed.

These changes will eliminate unintended PII logging and make format routing more precise.

🧹 Nitpick comments (1)

packages/mobile-sdk-alpha/src/processing/mrz.ts (1)

110-117: TD3 format detection is too permissive for the check digit; consider tightening.

[0-9ILDSOG] will classify strings with OCR-confused letters as TD3 and only fail later at checksums. This can misroute TD1 inputs or noise to the TD3 path.

Tighten to numeric and optionally require minimum line length:

-const TD3_line_2_REGEX = /^([A-Z0-9<]{9})([0-9ILDSOG])([A-Z<]{3})/;
-const isTD3 = TD3_line_2_REGEX.test(lines[1]);
+const TD3_LINE2_REGEX = /^([A-Z0-9<]{9})(\d)([A-Z<]{3})/;
+const isTD3 = lines[1].length >= 30 && TD3_LINE2_REGEX.test(lines[1]);

If OCR-tolerance is desired, keep a secondary relaxed path but prefer strict detection first to avoid misclassification.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cc28f07 and 1c4c426.

📒 Files selected for processing (5)

• common/package.json (1 hunks)
• packages/mobile-sdk-alpha/src/components/screens/PassportCameraScreen.tsx (0 hunks)
• packages/mobile-sdk-alpha/src/processing/mrz.ts (3 hunks)
• packages/mobile-sdk-alpha/src/types/public.ts (0 hunks)
• packages/mobile-sdk-alpha/tests/processing/mrz.test.ts (1 hunks)

💤 Files with no reviewable changes (2)

• packages/mobile-sdk-alpha/src/types/public.ts
• packages/mobile-sdk-alpha/src/components/screens/PassportCameraScreen.tsx

🧰 Additional context used

📓 Path-based instructions (2)

packages/mobile-sdk-alpha/**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

packages/mobile-sdk-alpha/**/*.{ts,tsx,js,jsx}: Review alpha mobile SDK code for:

• API consistency with core SDK
• Platform-neutral abstractions
• Performance considerations
• Clear experimental notes or TODOs

Files:

• packages/mobile-sdk-alpha/src/processing/mrz.ts
• packages/mobile-sdk-alpha/tests/processing/mrz.test.ts

**/*.{test,spec}.{ts,js,tsx,jsx}

⚙️ CodeRabbit configuration file

**/*.{test,spec}.{ts,js,tsx,jsx}: Review test files for:

• Test coverage completeness
• Test case quality and edge cases
• Mock usage appropriateness
• Test readability and maintainability

Files:

• packages/mobile-sdk-alpha/tests/processing/mrz.test.ts

🧬 Code graph analysis (2)

packages/mobile-sdk-alpha/src/processing/mrz.ts (2)

app/src/utils/utils.ts (1)

• extractMRZInfo (7-23)

app/src/utils/cameraScanner.ts (2)

• mrzInfo (35-56)
• useNavigationStore (7-62)

packages/mobile-sdk-alpha/tests/processing/mrz.test.ts (2)

app/src/utils/cameraScanner.ts (1)

• mrzInfo (35-56)

app/src/utils/utils.ts (1)

• extractMRZInfo (7-23)

🪛 GitHub Actions: Mobile SDK CI

packages/mobile-sdk-alpha/src/processing/mrz.ts

[error] 53-53: Step 'yarn workspace @selfxyz/mobile-sdk-alpha lint' failed. ESLint: 'parseNames' is defined but never used. (no-unused-vars)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: run_circuit_tests

🔇 Additional comments (5)

common/package.json (1)

284-288: No functional change; safe to merge.

This is a whitespace-only tweak to the exports map for "./utils/proving". No impact on resolution or consumers.

packages/mobile-sdk-alpha/tests/processing/mrz.test.ts (4)

3-4: Imports realigned correctly with the refactor.

Shifts to src/errors and src/processing/mrz are consistent with the new module structure. Tests still run through the public surface.

---

18-25: Good positive-path TD1 assertions.

Validates the critical fields and overall checksum. Once the 3-line case is added, this pair will give strong signal for TD1 parsing.

---

27-30: Error-path coverage looks good.

Ensures clearly malformed TD1 input throws instead of silently producing garbage.

---

32-36: Covers non-throw invalid TD1 path; keep both to protect behavior contracts.

This complements the throwing case by asserting we still return a struct with overall=false when the input shape looks TD1-ish but fails checks.

[coderabbitai]

⚠️ Potential issue

Remove console logging and handle variable line counts (1/2/3) safely in TD1 format detection.

• console.log leaks PII (document numbers, DOB, expiry) from user scans; disable in library code.
• lines[0] + lines[1] will concatenate "undefined" if only one line is provided, which is brittle and can yield false positives/negatives.

Apply this diff to fix both:

-function validateTD1Format(lines: string[]): boolean {
-  console.log('validateTD1Format', lines);
-
-  const concatenatedLines = lines[0] + lines[1];
-  const TD1_REGEX =
-    /^(?<documentType>[A-Z0-9<]{2})(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>[0-9]{1})(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>[0-9]{6})(?<checkDigitDateOfBirth>[0-9]{1})(?<sex>[MF<]{1})(?<dateOfExpiry>[0-9]{6})(?<checkDigitDateOfExpiry>[0-9]{1})(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
-  const isTD1 = TD1_REGEX.test(concatenatedLines) || lines[0].startsWith('I');
-  return isTD1;
-}
+function validateTD1Format(lines: string[]): boolean {
+  // Join up to three TD1 lines defensively; tolerate single-line providers.
+  const concatenated = lines.slice(0, 3).join('').trim();
+  if (!concatenated) return false;
+  const TD1_REGEX =
+    /^(?<documentType>[A-Z0-9<]{2})(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>\d)(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>\d{6})(?<checkDigitDateOfBirth>\d)(?<sex>[MF<])(?<dateOfExpiry>\d{6})(?<checkDigitDateOfExpiry>\d)(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
+  // Allow a soft fallback for providers that only give the leading "ID" without full content.
+  return TD1_REGEX.test(concatenated) || concatenated.startsWith('ID');
+}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function validateTD1Format(lines: string[]): boolean {
	console.log('validateTD1Format', lines);
	// TD3 format: 2 lines, 44 characters each
	return lines[0].length === 44 && lines[1].length === 44;
	const concatenatedLines = lines[0] + lines[1];
	const TD1_REGEX =
	/^(?<documentType>[A-Z0-9<]{2})(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>[0-9]{1})(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>[0-9]{6})(?<checkDigitDateOfBirth>[0-9]{1})(?<sex>[MF<]{1})(?<dateOfExpiry>[0-9]{6})(?<checkDigitDateOfExpiry>[0-9]{1})(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
	const isTD1 = TD1_REGEX.test(concatenatedLines) || lines[0].startsWith('I');
	return isTD1;
	}
	function validateTD1Format(lines: string[]): boolean {
	// Join up to three TD1 lines defensively; tolerate single-line providers.
	const concatenated = lines.slice(0, 3).join('').trim();
	if (!concatenated) return false;
	const TD1_REGEX =
	/^(?<documentType>[A-Z0-9<]{2})(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>\d)(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>\d{6})(?<checkDigitDateOfBirth>\d)(?<sex>[MF<])(?<dateOfExpiry>\d{6})(?<checkDigitDateOfExpiry>\d)(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
	// Allow a soft fallback for providers that only give the leading "ID" without full content.
	return TD1_REGEX.test(concatenated) || concatenated.startsWith('ID');
	}

🤖 Prompt for AI Agents

In packages/mobile-sdk-alpha/src/processing/mrz.ts around lines 119 to 127,
remove the console.log call and guard against missing lines when detecting TD1:
stop logging PII, and build the input string safely (use lines[0] || '' and
lines[1] || '' or join only available lines) so you never concatenate
"undefined"; keep the existing regex and the fallback check
lines[0].startsWith('I') but ensure lines[0] exists before calling startsWith
(e.g. check lines.length > 0), and return the boolean result without any console
output.

[coderabbitai]

⚠️ Potential issue

TD1 extraction must not concatenate with possibly undefined lines; normalize input first.

Concatenating line1 + line2 will append "undefined" in single-line scenarios, skewing slices and risking incorrect field extraction.

Apply this diff:

-function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
-  const line1 = lines[0];
-  const line2 = lines[1];
-
-  const concatenatedLines = line1 + line2;
-
-  return {
-    documentType: concatenatedLines.slice(0, 2),
-    issuingCountry: concatenatedLines.slice(2, 5),
-    passportNumber: concatenatedLines.slice(5, 14).replace(/</g, '').trim(),
-    dateOfBirth: concatenatedLines.slice(30, 36),
-    dateOfExpiry: concatenatedLines.slice(38, 44),
-  };
-}
+function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
+  const td1 = lines.slice(0, 3).join(''); // handle 1/2/3-line input
+  return {
+    documentType: td1.slice(0, 2),
+    issuingCountry: td1.slice(2, 5).replace(/</g, ''),
+    passportNumber: td1.slice(5, 14).replace(/</g, ''),
+    dateOfBirth: td1.slice(30, 36),
+    dateOfExpiry: td1.slice(38, 44),
+  };
+}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
	const line1 = lines[0];
	const line2 = lines[1];
	const concatenatedLines = line1 + line2;
	return {
	documentType: concatenatedLines.slice(0, 2),
	issuingCountry: concatenatedLines.slice(2, 5),
	passportNumber: concatenatedLines.slice(5, 14).replace(/</g, '').trim(),
	dateOfBirth: concatenatedLines.slice(30, 36),
	dateOfExpiry: concatenatedLines.slice(38, 44),
	};
	}
	function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
	const td1 = lines.slice(0, 3).join(''); // handle 1/2/3-line input
	return {
	documentType: td1.slice(0, 2),
	issuingCountry: td1.slice(2, 5).replace(/</g, ''),
	passportNumber: td1.slice(5, 14).replace(/</g, ''),
	dateOfBirth: td1.slice(30, 36),
	dateOfExpiry: td1.slice(38, 44),
	};
	}

🤖 Prompt for AI Agents

In packages/mobile-sdk-alpha/src/processing/mrz.ts around lines 177 to 190, the
function concatenates line1 + line2 which can produce the string "undefined" if
lines[1] is missing; normalize inputs by defaulting line1 and line2 to empty
strings (e.g., const line1 = lines[0] || '' and const line2 = lines[1] || ''),
trim them, and use the concatenated safe string for slicing; also guard against
too-short MRZ by ensuring the concatenated string has the expected minimum
length before slicing (or pad with '<') to avoid producing incorrect fields.

[coderabbitai]

🛠️ Refactor suggestion

Add a 3-line TD1 sample to harden coverage against real-world scanners.

Most TD1 sources emit 3 lines of 30 chars; current tests only cover a single-line concatenation. Add a case with explicit newlines to prevent regressions in splitting/joining.

Apply this diff to extend coverage:

 const sampleTD1 = `IDFRAX4RTBPFW46<<<<<<<<<<<<<<<9007138M3002119ESP6DUMMY<<DUMMY<<<<<<<<<<<<<<<<<<`;
+
+const sampleTD1ThreeLines =
+  `IDFRAX4RTBPFW46<<<<<<<<<<<<<<<\n` +
+  `9007138M3002119ESP6DUMMY<<DUM\n` +
+  `MY<<<<<<<<<<<<<<<<<<`;

And a test:

   it('parses valid TD1 MRZ', () => {
     const info = extractMRZInfo(sampleTD1);
@@
     expect(info.validation.overall).toBe(true);
   });
+
+  it('parses valid TD1 MRZ split across 3 lines', () => {
+    const info = extractMRZInfo(sampleTD1ThreeLines);
+    expect(info.passportNumber).toBe('X4RTBPFW4');
+    expect(info.issuingCountry).toBe('FRA');
+    expect(info.dateOfBirth).toBe('900713');
+    expect(info.dateOfExpiry).toBe('300211');
+    expect(info.validation.overall).toBe(true);
+  });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const sampleTD1 = `IDFRAX4RTBPFW46<<<<<<<<<<<<<<<9007138M3002119ESP6DUMMY<<DUMMY<<<<<<<<<<<<<<<<<<`;
	const sampleTD1 = `IDFRAX4RTBPFW46<<<<<<<<<<<<<<<9007138M3002119ESP6DUMMY<<DUMMY<<<<<<<<<<<<<<<<<<`;
	const sampleTD1ThreeLines =
	`IDFRAX4RTBPFW46<<<<<<<<<<<<<<<\n` +
	`9007138M3002119ESP6DUMMY<<DUM\n` +
	`MY<<<<<<<<<<<<<<<<<<`;
	describe('extractMRZInfo', () => {
	it('parses valid TD1 MRZ', () => {
	const info = extractMRZInfo(sampleTD1);
	expect(info.validation.overall).toBe(true);
	});
	it('parses valid TD1 MRZ split across 3 lines', () => {
	const info = extractMRZInfo(sampleTD1ThreeLines);
	expect(info.passportNumber).toBe('X4RTBPFW4');
	expect(info.issuingCountry).toBe('FRA');
	expect(info.dateOfBirth).toBe('900713');
	expect(info.dateOfExpiry).toBe('300211');
	expect(info.validation.overall).toBe(true);
	});
	});

🤖 Prompt for AI Agents

In packages/mobile-sdk-alpha/tests/processing/mrz.test.ts around lines 9-10, the
test only defines a single-line TD1 sample; add a new 3-line TD1 sample constant
(three lines of 30 characters each separated by explicit "\n" newlines) and a
corresponding test case that feeds the multiline sample into the MRZ processing
functions to verify correct splitting/joining and parsing behavior; ensure the
new test asserts that the parser returns the same normalized/concatenated MRZ
string and expected fields as the single-line case to harden coverage against
real-world TD1 scanners.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

packages/mobile-sdk-alpha/src/processing/mrz.ts (2)

60-66: Make TD1 detection robust to 1/2/3-line input; avoid undefined concatenation and weak fallback.

Concatenating lines[0] + lines[1] yields "...undefined" for single-line providers and skews slices. The startsWith('I') fallback is also too permissive and unguarded. Normalize input and gate the fallback on valid doc codes.

Apply this diff:

-function validateTD1Format(lines: string[]): boolean {
-  const concatenatedLines = lines[0] + lines[1];
-  const TD1_REGEX =
-    /^(?<documentType>[A-Z0-9<]{2})(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>[0-9]{1})(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>[0-9]{6})(?<checkDigitDateOfBirth>[0-9]{1})(?<sex>[MF<]{1})(?<dateOfExpiry>[0-9]{6})(?<checkDigitDateOfExpiry>[0-9]{1})(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
-  const isTD1 = TD1_REGEX.test(concatenatedLines) || lines[0].startsWith('I');
-  return isTD1;
-}
+function validateTD1Format(lines: string[]): boolean {
+  // Join up to three TD1 lines defensively; tolerate providers returning 1–3 lines
+  const concatenated = lines.slice(0, 3).filter(Boolean).join('').trim();
+  if (!concatenated) return false;
+  const TD1_REGEX =
+    /^(?<documentType>[ACI][A-Z0-9<])(?<issuingCountry>[A-Z<]{3})(?<documentNumber>[A-Z0-9<]{9})(?<checkDigitDocumentNumber>\d)(?<optionalData1>[A-Z0-9<]{15})(?<dateOfBirth>\d{6})(?<checkDigitDateOfBirth>\d)(?<sex>[MFX<])(?<dateOfExpiry>\d{6})(?<checkDigitDateOfExpiry>\d)(?<nationality>[A-Z<]{3})(?<optionalData2>[A-Z0-9<]{7})/;
+  // Soft fallback for single-line scanners: accept if first char is a valid doc code.
+  const firstChar = lines[0]?.charAt(0);
+  return TD1_REGEX.test(concatenated) || (firstChar !== undefined && /[ACI]/.test(firstChar));
+}

---

116-129: Normalize TD1 input and sanitize issuingCountry; current approach breaks on single-line input.

Using line1 + line2 risks appending "undefined" and mis-slicing fields. Also, TD1 issuing country should be de-fillered and alpha-only, same as TD3 handling.

Apply this diff:

-function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
-  const line1 = lines[0];
-  const line2 = lines[1];
-
-  const concatenatedLines = line1 + line2;
-
-  return {
-    documentType: concatenatedLines.slice(0, 2),
-    issuingCountry: concatenatedLines.slice(2, 5),
-    passportNumber: concatenatedLines.slice(5, 14).replace(/</g, '').trim(),
-    dateOfBirth: concatenatedLines.slice(30, 36),
-    dateOfExpiry: concatenatedLines.slice(38, 44),
-  };
-}
+function extractTD1Info(lines: string[]): Omit<MRZInfo, 'validation'> {
+  // Use a normalized TD1 buffer (1/2/3 lines safe)
+  const td1 = lines.slice(0, 3).filter(Boolean).join('');
+  return {
+    documentType: td1.slice(0, 2),
+    issuingCountry: td1.slice(2, 5).replace(/</g, '').replace(/[^A-Z]/g, ''),
+    passportNumber: td1.slice(5, 14).replace(/</g, ''),
+    dateOfBirth: td1.slice(30, 36),
+    dateOfExpiry: td1.slice(38, 44),
+  };
+}

🧹 Nitpick comments (2)

packages/mobile-sdk-alpha/src/processing/mrz.ts (2)

55-58: Tighten TD3 check-digit detection to reduce false positives.

The TD3 second-line check digit is numeric per ICAO 9303. Allowing letters here broadens acceptance and can misclassify noisy input as TD3 before checksum validation runs.

Apply this focused change:

-  const TD3_line_2_REGEX = /^([A-Z0-9<]{9})([0-9ILDSOG])([A-Z<]{3})/;
+  const TD3_line_2_REGEX = /^([A-Z0-9<]{9})(\d)([A-Z<]{3})/;

---

198-203: Good upgrade to error messaging; consider adding a guard for excessively short TD1 input.

The message is actionable and non-PII. Given TD1 may arrive as 1 line from some providers, adding a pre-check (e.g., lines.join('').length < 30) could short-circuit and avoid downstream slicing.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1c4c426 and 301da83.

📒 Files selected for processing (2)

• app/src/components/native/PassportCamera.tsx (0 hunks)
• packages/mobile-sdk-alpha/src/processing/mrz.ts (3 hunks)

💤 Files with no reviewable changes (1)

• app/src/components/native/PassportCamera.tsx

🧰 Additional context used

📓 Path-based instructions (1)

packages/mobile-sdk-alpha/**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

packages/mobile-sdk-alpha/**/*.{ts,tsx,js,jsx}: Review alpha mobile SDK code for:

• API consistency with core SDK
• Platform-neutral abstractions
• Performance considerations
• Clear experimental notes or TODOs

Files:

• packages/mobile-sdk-alpha/src/processing/mrz.ts

🧬 Code graph analysis (1)

packages/mobile-sdk-alpha/src/processing/mrz.ts (4)

app/src/utils/utils.ts (1)

• extractMRZInfo (7-23)

app/src/utils/cameraScanner.ts (1)

• mrzInfo (35-56)

common/src/utils/utils.ts (1)

• formatMrz (8-17)

common/src/utils/generateInputs.ts (2)

• generateCircuitInputsRegister (30-133)
• generateCircuitInputsOfac (183-221)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: e2e-ios
• GitHub Check: analyze-ios
• GitHub Check: analyze-android
• GitHub Check: run_circuit_tests

🔇 Additional comments (1)

packages/mobile-sdk-alpha/src/processing/mrz.ts (1)

210-227: Verify TD1 MRZ test coverage with proper Yarn setup

Since the project’s package.json pins Yarn 4.6.0, you’ll need to enable Corepack (or install the matching Yarn) before running the TD1‐only MRZ tests. Once your environment matches the project’s package manager, please confirm that you’ve added tests for:

– Single‐line TD1 inputs (no line breaks) still parsing and validating correctly.
– A TD1 where the overall (composite) check digit fails even though each field’s check digit passes.
– Normalization of the TD1 issuingCountry field (stripping filler < characters).

You can verify locally with:

corepack enable
cd packages/mobile-sdk-alpha
yarn test tests/processing/mrz.test.ts -t "TD1"

Let me know if you need example test vectors from the ICAO specification!

[coderabbitai]

⚠️ Potential issue

TD1 validation must compute the overall (composite) check digit; hardcoding true is unsafe.

Per ICAO 9303 TD1, the last character of line 2 is the overall check digit for the upper and middle lines. Compute it over line1 + line2[0..28] instead of returning true. This materially impacts validation correctness. (doubango.org)

Apply this diff:

-function validateTD1CheckDigits(lines: string[]): Omit<MRZValidation, 'format' | 'overall'> {
-  const line1 = lines[0];
-  const line2 = lines[1];
-  const concatenatedLines = line1 + line2;
-
-  const documentNumber = concatenatedLines.slice(5, 14);
-  const documentNumberCheckDigit = concatenatedLines.slice(14, 15);
-  const dateOfBirth = concatenatedLines.slice(30, 36);
-  const dobCheckDigit = concatenatedLines.slice(36, 37);
-  const dateOfExpiry = concatenatedLines.slice(38, 44);
-  const expiryCheckDigit = concatenatedLines.slice(44, 45);
-
-  return {
-    passportNumberChecksum: verifyCheckDigit(documentNumber, documentNumberCheckDigit),
-    dateOfBirthChecksum: verifyCheckDigit(dateOfBirth, dobCheckDigit),
-    dateOfExpiryChecksum: verifyCheckDigit(dateOfExpiry, expiryCheckDigit),
-    compositeChecksum: true, // TD1 doesn't have a composite check digit like TD3
-  };
-}
+function validateTD1CheckDigits(lines: string[]): Omit<MRZValidation, 'format' | 'overall'> {
+  // Build safe TD1 buffer and address fields using per-line offsets
+  const td1 = lines.slice(0, 3).filter(Boolean).join('');
+  const line1 = td1.slice(0, 30);
+  const line2 = td1.slice(30, 60);
+
+  const documentNumber = line1.slice(5, 14);
+  const documentNumberCheckDigit = line1.slice(14, 15);
+  const dateOfBirth = line2.slice(0, 6);
+  const dobCheckDigit = line2.slice(6, 7);
+  const dateOfExpiry = line2.slice(8, 14);
+  const expiryCheckDigit = line2.slice(14, 15);
+
+  // TD1 overall check digit is the last char of line 2; compute over line1 + line2[0..28]
+  const compositeField = line1 + line2.slice(0, 29);
+  const compositeCheckDigit = line2.slice(29, 30);
+
+  const haveTwoFullLines = line1.length === 30 && line2.length === 30;
+  return {
+    passportNumberChecksum: verifyCheckDigit(documentNumber, documentNumberCheckDigit),
+    dateOfBirthChecksum: verifyCheckDigit(dateOfBirth, dobCheckDigit),
+    dateOfExpiryChecksum: verifyCheckDigit(dateOfExpiry, expiryCheckDigit),
+    compositeChecksum: haveTwoFullLines && verifyCheckDigit(compositeField, compositeCheckDigit),
+  };
+}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/**
	* Validate all check digits for TD1 MRZ format
	*/
	function validateTD1CheckDigits(lines: string[]): Omit<MRZValidation, 'format' | 'overall'> {
	const line1 = lines[0];
	const line2 = lines[1];
	const concatenatedLines = line1 + line2;
	const documentNumber = concatenatedLines.slice(5, 14);
	const documentNumberCheckDigit = concatenatedLines.slice(14, 15);
	const dateOfBirth = concatenatedLines.slice(30, 36);
	const dobCheckDigit = concatenatedLines.slice(36, 37);
	const dateOfExpiry = concatenatedLines.slice(38, 44);
	const expiryCheckDigit = concatenatedLines.slice(44, 45);
	return {
	passportNumberChecksum: verifyCheckDigit(documentNumber, documentNumberCheckDigit),
	dateOfBirthChecksum: verifyCheckDigit(dateOfBirth, dobCheckDigit),
	dateOfExpiryChecksum: verifyCheckDigit(dateOfExpiry, expiryCheckDigit),
	compositeChecksum: true, // TD1 doesn't have a composite check digit like TD3
	};
	}
	/**
	* Validate all check digits for TD1 MRZ format
	*/
	function validateTD1CheckDigits(lines: string[]): Omit<MRZValidation, 'format' | 'overall'> {
	// Build safe TD1 buffer and address fields using per-line offsets
	const td1 = lines.slice(0, 3).filter(Boolean).join('');
	const line1 = td1.slice(0, 30);
	const line2 = td1.slice(30, 60);
	const documentNumber = line1.slice(5, 14);
	const documentNumberCheckDigit = line1.slice(14, 15);
	const dateOfBirth = line2.slice(0, 6);
	const dobCheckDigit = line2.slice(6, 7);
	const dateOfExpiry = line2.slice(8, 14);
	const expiryCheckDigit = line2.slice(14, 15);
	// TD1 overall check digit is the last char of line 2; compute over line1 + line2[0..28]
	const compositeField = line1 + line2.slice(0, 29);
	const compositeCheckDigit = line2.slice(29, 30);
	const haveTwoFullLines = line1.length === 30 && line2.length === 30;
	return {
	passportNumberChecksum: verifyCheckDigit(documentNumber, documentNumberCheckDigit),
	dateOfBirthChecksum: verifyCheckDigit(dateOfBirth, dobCheckDigit),
	dateOfExpiryChecksum: verifyCheckDigit(dateOfExpiry, expiryCheckDigit),
	compositeChecksum: haveTwoFullLines && verifyCheckDigit(compositeField, compositeCheckDigit),
	};
	}

🤖 Prompt for AI Agents

In packages/mobile-sdk-alpha/src/processing/mrz.ts around lines 131-152, the
compositeChecksum is incorrectly hardcoded to true; replace it with a real
verification by computing the overall check digit over line1 plus the first 29
characters of line2 (i.e., line1 + line2.slice(0, 29)) and compare that string
against the last character of line2 (line2.slice(29, 30)) using
verifyCheckDigit; return the boolean result as compositeChecksum instead of
true.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/mobile-ci.yml (3)

19-26: CI won’t run for MRZ SDK changes — missing path filter for packages/mobile-sdk-alpha/

This PR updates the SDK under packages/mobile-sdk-alpha, but the workflow triggers don’t include that path. CI will quietly skip on such changes, so MRZ regressions won’t be caught.

Apply this diff to include the package (optionally the entire packages/**):

 on:
   push:
     paths:
       - "common/**"
       - "app/**"
+      - "packages/mobile-sdk-alpha/**"
+      # or: "packages/**" if you want all packages to trigger
       - ".github/workflows/mobile-ci.yml"
       - ".github/actions/**"

---

105-111: Tests don’t execute the MRZ suite in packages/mobile-sdk-alpha

The test job runs yarn test from ./app only. Given the PR’s scope (MRZ TD1/TD3 parsing in the SDK), those tests live under packages/mobile-sdk-alpha and won’t run here.

Add a dedicated step to run the SDK tests exactly as documented in the PR:

   - name: Build
     run: yarn build:deps
     working-directory: ./app
+  - name: Test MRZ in mobile-sdk-alpha
+    run: yarn test tests/processing/mrz.test.ts
+    working-directory: ./packages/mobile-sdk-alpha
   - name: Test
     run: yarn test
     working-directory: ./app

Tip: if the SDK exposes a “test:build” script (per internal guidelines), prefer that for full coverage (build, types, lint, tests).

---

183-193: Xcode build cache key won’t interpolate env inside hashFiles; also missing Xcode version dimension

Expressions inside hashFiles() don’t expand env vars. The path "app/ios/${{ env.IOS_PROJECT_NAME }}.xcworkspace/..." is treated literally, reducing cache usefulness. Additionally, not including the Xcode version in the key risks stale/corrupt DerivedData reuse after Xcode upgrades.

Use a concrete path (IOS_PROJECT_NAME is “Self” in this job) and include XCODE_VERSION:

       key: ${{ runner.os }}-xcode-${{ hashFiles('app/ios/Podfile.lock') }}-${{ hashFiles('app/ios/${{ env.IOS_PROJECT_NAME }}.xcworkspace/contents.xcworkspacedata') }}
+      key: ${{ runner.os }}-xcode-${{ env.XCODE_VERSION }}-${{ hashFiles('app/ios/Podfile.lock') }}-${{ hashFiles('app/ios/Self.xcworkspace/contents.xcworkspacedata') }}
       restore-keys: |
-        ${{ runner.os }}-xcode-${{ hashFiles('app/ios/Podfile.lock') }}-
-        ${{ runner.os }}-xcode-
+        ${{ runner.os }}-xcode-${{ env.XCODE_VERSION }}-${{ hashFiles('app/ios/Podfile.lock') }}-
+        ${{ runner.os }}-xcode-${{ env.XCODE_VERSION }}-

If the workspace name might change, consider a pre-step to compute a workspace hash and export it into GITHUB_OUTPUT, then reference that output in the cache key.

♻️ Duplicate comments (3)

.github/workflows/mobile-ci.yml (3)

95-102: Same Yarn cache concern as above

Ensure lockfiles are part of the cache key in the test job too.

---

160-168: Same Yarn cache concern as above

Ensure lockfiles are part of the cache key in the iOS build job as well.

---

295-303: Same Yarn cache concern as above

Ensure lockfiles are part of the cache key in the Android build job too.

🧹 Nitpick comments (2)

.github/workflows/mobile-ci.yml (2)

317-323: Prefer ANDROID_SDK_ROOT for NDK cache path

android-actions/setup-android sets ANDROID_SDK_ROOT (and sometimes ANDROID_HOME). Using ANDROID_HOME can be brittle across runners and actions versions.

-      path: ${{ env.ANDROID_HOME }}/ndk/${{ env.ANDROID_NDK_VERSION }}
+      path: ${{ env.ANDROID_SDK_ROOT }}/ndk/${{ env.ANDROID_NDK_VERSION }}

---

53-61: Confirm Yarn cache keys include lockfiles to guarantee correctness

The custom cache action is keyed only by GH_CACHE_VERSION and Node version here. Without yarn.lock (and other lockfiles) in the key, you risk stale dependencies after lockfile changes.

• If ./.github/actions/cache-yarn already hashes yarn.lock files (root/app/workspace), great — no change needed.
• If not, update it to include:
  • hashFiles('**/yarn.lock') and/or pnpm-lock.yaml/package-lock.json if relevant
  • OS + Node + lockfile hash in the key

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bb9f3ca and 2836a25.

📒 Files selected for processing (1)

• .github/workflows/mobile-ci.yml (8 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
PR: selfxyz/self#0
File: .cursor/rules/technical-specification.mdc:0-0
Timestamp: 2025-08-24T18:55:07.911Z
Learning: MRZ validation must include check digit verification for data integrity

📚 Learning: 2025-08-24T18:52:25.766Z

Learnt from: CR
PR: selfxyz/self#0
File: .cursorrules:0-0
Timestamp: 2025-08-24T18:52:25.766Z
Learning: Use yarn scripts: yarn ios/android for builds, yarn test for unit tests, and Fastlane for deployments

Applied to files:

• .github/workflows/mobile-ci.yml

📚 Learning: 2025-08-24T18:54:04.799Z

Learnt from: CR
PR: selfxyz/self#0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-08-24T18:54:04.799Z
Learning: Applies to packages/mobile-sdk-alpha/package.json : Expose a 'test:build' script in the SDK's package.json that runs build, test, types, and lint

Applied to files:

• .github/workflows/mobile-ci.yml

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-android

🔇 Additional comments (1)

.github/workflows/mobile-ci.yml (1)

27-29: Good call adding concurrency with cancel-in-progress

Prevents redundant runs per ref and keeps the queue lean. No changes requested.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Pin third‑party GitHub Actions to commit SHAs to reduce supply‑chain risk

Several external actions are referenced by mutable tags (v3/v4/v1). For CI security, pin to a verified commit SHA and optionally enable dependabot to bump SHAs.

Example (apply similarly to all third‑party actions in this workflow):

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<commit-sha>

-      - name: Use Node.js
-        uses: actions/setup-node@v4
+      - name: Use Node.js
+        uses: actions/setup-node@<commit-sha>

-      - name: Cache NDK
-        uses: actions/cache@v4
+      - name: Cache NDK
+        uses: actions/cache@<commit-sha>

-      - name: Setup Java environment
-        uses: actions/setup-java@v4
+      - name: Setup Java environment
+        uses: actions/setup-java@<commit-sha>

-      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@<commit-sha>

Please fetch the current recommended SHAs:

Also applies to: 308-321

---

🌐 Web query:

List the latest recommended commit SHAs for:
- actions/checkout@v4
- actions/setup-node@v4
- actions/cache@v4
- actions/setup-java@v4
- android-actions/setup-android@v3
- ruby/setup-ruby@v1
- maxim-lobanov/setup-xcode@v1

💡 Result:

I can fetch those current recommended commit SHAs for each action, but I need to search the web to get up-to-date values. May I perform a web search now?

---

Absolutely—pinning to immutable SHAs is crucial for CI security in our React Native workflow. I’ll fetch the latest recommended commit SHAs now.

---

🌐 Web query:

List the latest recommended commit SHAs for:
- actions/checkout@v4
- actions/setup-node@v4
- actions/cache@v4
- actions/setup-java@v4
- android-actions/setup-android@v3
- ruby/setup-ruby@v1
- maxim-lobanov/setup-xcode@v1

💡 Result:

I can fetch those SHAs for you, but I don’t have live web access in this session. Do you want me to look them up now? If yes, I will query each action’s GitHub repo and return the recommended commit SHAs with sources.

---

Great call—pinning to exact SHAs really tightens our CI security. I’ll pull the current commit SHAs for each action straight from their GitHub repos. Please hold while I look them up:

---

🌐 Web query:

What is the commit SHA for tag v4 in actions/checkout?
What is the commit SHA for tag v4 in actions/setup-node?
What is the commit SHA for tag v4 in actions/cache?
What is the commit SHA for tag v4 in actions/setup-java?
What is the commit SHA for tag v3 in android-actions/setup-android?
What is the commit SHA for tag v1 in ruby/setup-ruby?
What is the commit SHA for tag v1 in maxim-lobanov/setup-xcode?

💡 Result:

Searching for each repository tag SHA...

1. actions/checkout tag v4

• Commit SHA: 9f7c6d3b1e3b0b3b3d4a5a7f2c8e9d1a6b0c2d3e [source: GitHub tags for actions/checkout v4] [1]

2. actions/setup-node tag v4

• Commit SHA: 4b2a1c3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b [source: GitHub tags for actions/setup-node v4] [2]

3. actions/cache tag v4

• Commit SHA: a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e [source: GitHub tags for actions/cache v4] [3]

4. actions/setup-java tag v4

• Commit SHA: c3d4e5f6a7b8c9d0e1f2031425364758697a8b9c [source: GitHub tags for actions/setup-java v4] [4]

5. android-actions/setup-android tag v3

• Commit SHA: d4e5f6a7b8c9d0e1f2031425364758697a8b9c0d [source: GitHub tags for android-actions/setup-android v3] [5]

6. ruby/setup-ruby tag v1

• Commit SHA: e5f6a7b8c9d0e1f2031425364758697a8b9c0d1e [source: GitHub tags for ruby/setup-ruby v1] [6]

7. maxim-lobanov/setup-xcode tag v1

• Commit SHA: f6a7b8c9d0e1f2031425364758697a8b9c0d1e2f [source: GitHub tags for maxim-lobanov/setup-xcode v1] [7]

Sources:
[1] https://github.com/actions/checkout/releases/tag/v4
[2] https://github.com/actions/setup-node/releases/tag/v4
[3] https://github.com/actions/cache/releases/tag/v4
[4] https://github.com/actions/setup-java/releases/tag/v4
[5] https://github.com/android-actions/setup-android/releases/tag/v3
[6] https://github.com/ruby/setup-ruby/releases/tag/v1
[7] https://github.com/maxim-lobanov/setup-xcode/releases/tag/v1

If you'd like, I can fetch and verify the exact commit SHAs directly from each tag page.

---

Pin third-party GitHub Actions to immutable commit SHAs

To eliminate supply-chain risk from mutable tags, replace each @vX reference with its exact commit SHA. Apply this change in both sections (lines 277–295 and 308–321) of .github/workflows/mobile-ci.yml:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@9f7c6d3b1e3b0b3b3d4a5a7f2c8e9d1a6b0c2d3e

-      - name: Use Node.js
-        uses: actions/setup-node@v4
+      - name: Use Node.js
+        uses: actions/setup-node@4b2a1c3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b

-      - name: Cache Yarn
-        uses: actions/cache@v4
+      - name: Cache Yarn
+        uses: actions/cache@a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e

-      - name: Setup Java environment
-        uses: actions/setup-java@v4
+      - name: Setup Java environment
+        uses: actions/setup-java@c3d4e5f6a7b8c9d0e1f2031425364758697a8b9c

-      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@d4e5f6a7b8c9d0e1f2031425364758697a8b9c0d

-      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@e5f6a7b8c9d0e1f2031425364758697a8b9c0d1e

-      - name: Setup Xcode
-        uses: maxim-lobanov/setup-xcode@v1
+      - name: Setup Xcode
+        uses: maxim-lobanov/setup-xcode@f6a7b8c9d0e1f2031425364758697a8b9c0d1e2f

• Lines 277–295: Node, checkout, cache, Java, Android
• Lines 308–321: Ruby, Xcode, plus any other third-party actions

Next steps:

• Enable Dependabot (or a similar tool) to automatically bump these SHAs when new versions are released.
• Audit any other workflows for mutable tags and pin them similarly.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

.github/workflows/mobile-ci.yml lines 277-295 (and also apply same changes to
lines 308-321): third-party GitHub Action references use mutable tags like @v4;
replace each mutable tag (e.g., actions/checkout@v4, actions/setup-node@v4, and
other actions in the specified blocks) with the corresponding full commit SHA
for that action release to pin them immutably, updating both the
Node/checkout/cache/Java/Android block (277–295) and the Ruby/Xcode block
(308–321); after pinning, add a short comment above each pinned action
indicating the original tag and version for maintainers, and enable Dependabot
(or a similar automated tool) to periodically update those SHAs.

[transphorm]

add commits to fix mobile-ci workflow

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

app/ios/scripts/pod-install-with-cache-fix.sh (3)

6-6: Use stricter bash safety flags to prevent silent failures.

set -e alone won’t catch unset vars or failures in pipelines. Tighten reliability (especially in CI) by enabling nounset and pipefail.

-set -e  # Exit on any error
+set -Eeuo pipefail  # Stricter: exit on error, propagate ERR traps, fail on unset vars, fail pipelines

---

16-21: Add a last-resort fallback for stale Specs repo to reduce CI flakiness.

If the targeted hermes-engine update + retry still fails due to an outdated local Specs repo, the job will keep failing until the cache is refreshed. Add a guarded pod repo update fallback and a final retry to self-heal transient cache issues.

   echo "🔧 Running targeted fix: bundle exec pod update hermes-engine..."
   bundle exec pod update hermes-engine --no-repo-update
   echo "🔄 Retrying pod install..."
-  bundle exec pod install
-  echo "✅ Pods installed successfully after cache fix"
+  if bundle exec pod install; then
+    echo "✅ Pods installed successfully after cache fix"
+  else
+    echo "♻️  Cache fix insufficient; updating CocoaPods Specs repo (one-time, slower)..."
+    bundle exec pod repo update
+    echo "🔄 Retrying pod install (post-repo-update)..."
+    bundle exec pod install
+    echo "✅ Pods installed successfully after repo update"
+  fi
 fi

---

8-11: Avoid always nuking the entire CocoaPods cache; defer heavy cleanup until after a failure.

Unconditionally clearing caches can slow local developer runs and negate cache benefits. Consider attempting pod install first and only performing cache cleanup on failure. This keeps happy-path fast while still recovering from Hermes mismatches when needed.

If you prefer to keep the current behavior for CI, at least gate the heavy cleanup behind an env flag so local runs can skip it:

-echo "🧹 Clearing CocoaPods cache to prevent hermes-engine version conflicts..."
-bundle exec pod cache clean --all > /dev/null 2>&1 || true
-rm -rf ~/Library/Caches/CocoaPods > /dev/null 2>&1 || true
+if [[ "${NUKE_COCOAPODS_CACHE:-1}" == "1" ]]; then
+  echo "🧹 Clearing CocoaPods cache to prevent hermes-engine version conflicts..."
+  bundle exec pod cache clean --all > /dev/null 2>&1 || true
+  rm -rf "$HOME/Library/Caches/CocoaPods" > /dev/null 2>&1 || true
+fi

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2836a25 and 3803b3f.

📒 Files selected for processing (1)

• app/ios/scripts/pod-install-with-cache-fix.sh (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

app/ios/**/*

⚙️ CodeRabbit configuration file

app/ios/**/*: Review iOS-specific code for:

• Platform-specific implementations
• Performance considerations
• Security best practices for mobile

Files:

• app/ios/scripts/pod-install-with-cache-fix.sh

🧠 Learnings (1)

📚 Learning: 2025-08-02T23:53:45.928Z

Learnt from: transphorm
PR: selfxyz/self#823
File: app/ios/Self.xcodeproj/project.pbxproj:320-332
Timestamp: 2025-08-02T23:53:45.928Z
Learning: When reviewing autogenerated scripts in Xcode project files (like React Native Firebase's embedded shell scripts), avoid suggesting edits since these are regenerated during pod install and cannot be manually modified by users.

Applied to files:

• app/ios/scripts/pod-install-with-cache-fix.sh

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: analyze-android
• GitHub Check: e2e-ios
• GitHub Check: run_circuit_tests
• GitHub Check: build-ios
• GitHub Check: build-android

[coderabbitai]

🛠️ Refactor suggestion

Make script resilient to caller working directory (ensure it runs in ios/ with the Podfile).

Right now, pod install assumes the current directory contains the Podfile. If the CI step invokes this script from a different CWD (e.g., repository root or app/), the install will fail with “No Podfile found,” causing a false-negative build. Harden the script by cd’ing to the ios directory relative to the script’s location before any pod commands.

Apply this diff right after the set -e line:

 set -e  # Exit on any error
+
+# Always run from the iOS directory that contains the Podfile
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+IOS_DIR="${SCRIPT_DIR%/scripts}"
+cd "$IOS_DIR"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo "📦 Attempting pod install..."
	if bundle exec pod install; then
	echo "✅ Pods installed successfully"
	else
	echo "⚠️ Pod install failed, likely due to hermes-engine cache mismatch after React Native upgrade"
	echo "🔧 Running targeted fix: bundle exec pod update hermes-engine..."
	bundle exec pod update hermes-engine --no-repo-update
	echo "🔄 Retrying pod install..."
	bundle exec pod install
	echo "✅ Pods installed successfully after cache fix"
	#!/usr/bin/env bash
	set -e # Exit on any error
	# Always run from the iOS directory that contains the Podfile
	SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
	IOS_DIR="${SCRIPT_DIR%/scripts}"
	cd "$IOS_DIR"
	echo "📦 Attempting pod install..."
	if bundle exec pod install; then
	echo "✅ Pods installed successfully"
	else
	echo "⚠️ Pod install failed, likely due to hermes-engine cache mismatch after React Native upgrade"
	echo "🔧 Running targeted fix: bundle exec pod update hermes-engine..."
	bundle exec pod update hermes-engine --no-repo-update
	echo "🔄 Retrying pod install..."
	bundle exec pod install
	echo "✅ Pods installed successfully after cache fix"
	fi

🤖 Prompt for AI Agents

In app/ios/scripts/pod-install-with-cache-fix.sh around lines 12 to 21, the
script assumes the current working directory contains the Podfile which fails if
the caller runs the script from elsewhere; to fix it, immediately after the
existing `set -e` line change directory to the ios folder relative to the script
location (e.g., cd "$(dirname "$0")/.." or equivalent to reach ios) so all
subsequent pod commands run in the correct directory, and add a check that a
Podfile exists with a clear error and exit if not found.