Refactor iOS access control and Keychain handling; add RN Swift module & ObjC bridge; update deps and lockfiles

- Adjust AccessControlResolver flags and security level (remove .userPresence from biometry flags, use .devicePasscode for device passcode, mark secureEnclave policy)
- Disable Secure Enclave usage for generic password items in HybridSensitiveInfo (always false) and remove token handling from KeychainManager
- Improve authentication context handling in KeychainManager (attach LAContext and localizedFallbackTitle to Sec query)
- Add SensitiveInfo React Native Swift module and Objective-C extern bridge (SensitiveInfoModule.swift / .m)
- Bump example and root devDependencies (babel, bob, monorepo-config, lefthook) and regenerate yarn.lock / example/Podfile.lock (SensitiveInfo -> 5.6.0)

Author: mCodex

example/ios/Podfile.lock

@@ -2321,7 +2321,7 @@ PODS:
     - React-perflogger (= 0.82.1)
     - React-utils (= 0.82.1)
     - SocketRocket
-  - SensitiveInfo (5.5.8):
+  - SensitiveInfo (5.6.0):
     - boost
     - DoubleConversion
     - fast_float
@@ -2658,10 +2658,10 @@ SPEC CHECKSUMS:
   ReactAppDependencyProvider: a45ef34bb22dc1c9b2ac1f74167d9a28af961176
   ReactCodegen: 878add6c7d8ff8cea87697c44d29c03b79b6f2d9
   ReactCommon: 804dc80944fa90b86800b43c871742ec005ca424
-  SensitiveInfo: 43398c28c0f14495b190af5d397a889e38799c82
+  SensitiveInfo: e5d1904ea8b2d848a593d01bfd7c3beac5cd304b
   SocketRocket: d4aabe649be1e368d1318fdf28a022d714d65748
   Yoga: 689c8e04277f3ad631e60fe2a08e41d411daf8eb
 
 PODFILE CHECKSUM: 20594f1555ab577d46d74105f279caee68095c24
 
-COCOAPODS: 1.16.2
+COCOAPODS: 1.15.2

example/package.json

@@ -14,8 +14,8 @@
     "react-native": "0.82.1"
   },
   "devDependencies": {
-    "@babel/core": "^7.28.4",
-    "@babel/preset-env": "^7.28.3",
+    "@babel/core": "^7.28.5",
+    "@babel/preset-env": "^7.28.5",
     "@babel/runtime": "^7.28.4",
     "@react-native-community/cli": "20.0.2",
     "@react-native-community/cli-platform-android": "20.0.2",
@@ -24,8 +24,8 @@
     "@react-native/metro-config": "0.82.1",
     "@react-native/typescript-config": "0.82.1",
     "@types/react": "19.1.1",
-    "react-native-builder-bob": "^0.40.13",
-    "react-native-monorepo-config": "^0.2.2"
+    "react-native-builder-bob": "^0.40.14",
+    "react-native-monorepo-config": "^0.3.0"
   },
   "engines": {
     "node": ">=22"

ios/AccessControlResolver.swift

@@ -42,19 +42,19 @@ struct AccessControlResolver {
     static func resolve(_ preference: String?) -> AccessControlConfig {
         switch preference {
         case "secureEnclaveBiometry":
-            // Strongest: Secure Enclave + Biometric
+            // Strongest: Secure Enclave + Biometric (current set)
             return AccessControlConfig(
                 preference: "secureEnclaveBiometry",
-                flags: [.biometryCurrentSet, .userPresence],
+                flags: [.biometryCurrentSet],
                 secureEnclave: true,
                 biometric: true,
-                securityLevel: "biometry"
+                securityLevel: "secureEnclave"
             )
 
         case "biometryCurrentSet":
             return AccessControlConfig(
                 preference: "biometryCurrentSet",
-                flags: [.biometryCurrentSet, .userPresence],
+                flags: [.biometryCurrentSet],
                 secureEnclave: false,
                 biometric: true,
                 securityLevel: "biometry"
@@ -63,7 +63,7 @@ struct AccessControlResolver {
         case "biometryAny":
             return AccessControlConfig(
                 preference: "biometryAny",
-                flags: [.biometryAny, .userPresence],
+                flags: [.biometryAny],
                 secureEnclave: false,
                 biometric: true,
                 securityLevel: "biometry"
@@ -72,7 +72,7 @@ struct AccessControlResolver {
         case "devicePasscode":
             return AccessControlConfig(
                 preference: "devicePasscode",
-                flags: [.userPresence],
+                flags: [.devicePasscode],
                 secureEnclave: false,
                 biometric: false,
                 securityLevel: "deviceCredential"

ios/HybridSensitiveInfo.swift

@@ -159,15 +159,15 @@ struct HybridSensitiveInfo {
         try await ensureAuthenticationIfNeeded(config: config, prompt: authenticationPrompt)
 
         let now = currentTimestamp()
-        let secureEnclaveEnabled = config.secureEnclave && isSecureEnclaveAvailable()
+        // Generic password items cannot opt into Secure Enclave directly; Keychain falls back to biometry.
+        let secureEnclaveEnabled = false
         let metadata = config.metadata(timestamp: now, secureEnclaveActive: secureEnclaveEnabled)
 
         let keychain = keychain(for: service)
         try keychain.set(
             key: key,
             value: value,
             accessControl: control,
-            useSecureEnclave: secureEnclaveEnabled,
             metadata: metadata
         )
 

ios/KeychainManager.swift

@@ -1,5 +1,6 @@
 import Security
 import Foundation
+import LocalAuthentication
 
 /**
  * KeychainManager.swift
@@ -51,7 +52,6 @@ struct KeychainManager {
      * - Parameter key: Unique key within service
      * - Parameter value: Value to store (encrypted by Keychain)
     * - Parameter accessControl: Access control policy (nil for software-only)
-    * - Parameter useSecureEnclave: Requests Secure Enclave token (if available)
     * - Parameter metadata: Additional metadata stored alongside value
      * - Throws: KeychainError if operation fails
      *
@@ -70,7 +70,6 @@ struct KeychainManager {
         key: String,
         value: String,
         accessControl: SecAccessControl?,
-        useSecureEnclave: Bool,
         metadata: KeychainItemMetadata?
     ) throws {
         let valueData = value.data(using: .utf8) ?? Data()
@@ -86,10 +85,6 @@ struct KeychainManager {
             addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
         }
 
-        if useSecureEnclave {
-            addQuery[kSecAttrTokenID as String] = kSecAttrTokenIDSecureEnclave
-        }
-
         if let encodedMetadata = metadata?.encoded() {
             addQuery[kSecAttrGeneric as String] = encodedMetadata
         }
@@ -158,6 +153,9 @@ struct KeychainManager {
         query[kSecUseDataProtectionKeychain as String] = true
 
         if let prompt = prompt {
+            let context = LAContext()
+            context.localizedFallbackTitle = prompt.cancel
+            query[kSecUseAuthenticationContext as String] = context
             query[kSecUseOperationPrompt as String] = prompt.localizedReason
         }
 

ios/SensitiveInfoModule.m

@@ -0,0 +1,37 @@
+#import <React/RCTBridgeModule.h>
+
+@interface RCT_EXTERN_MODULE(SensitiveInfo, NSObject)
+
+RCT_EXTERN_METHOD(setItem:(NSString *)key
+                  value:(NSString *)value
+                  options:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(getItem:(NSString *)key
+                  options:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(hasItem:(NSString *)key
+                  options:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(deleteItem:(NSString *)key
+                  options:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(getAllItems:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(clearService:(NSDictionary *)options
+                  resolver:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+RCT_EXTERN_METHOD(getSupportedSecurityLevels:(RCTPromiseResolveBlock)resolver
+                  rejecter:(RCTPromiseRejectBlock)rejecter)
+
+@end