chore: Using Namespace.so for MacOS Runners #1500

Merged
jcortejoso merged 14 commits into dev from jcortejoso/macos-runner
Dec 22, 2025
jcortejoso (Member) commented Dec 14, 2025

Update CI workflows to include Java setup and modify runner environments:

  • Added Java installation checks and setup steps to multiple CI workflows to ensure Java is available for builds.
  • Changed runner environments for iOS builds from macos-latest-large to namespace-profile-apple-silicon-6cpu for better resource management.

Changes on triggers for MacOS jobs:

  • mobile-ci.yml only runs build-ios and build-android with the workflow_dispatch trigger. The reason is that the build process is done in a similar way in the mobile-e2e.yml workflow.
  • mobile-bundle-analysis.yml analyze-ios runs when merged to dev/staging/main or with workflow_dispatch.
  • mobile-e2e.yml e2e-ios runs on each PR to dev, staging and main. Also with merges to these branches.
  • mobile-sdk-demo-e2e.yml ios-e2e runs when merged to dev/staging/main, with workflow_dispatch.

Namespace MacOS runners offer better execution times and competitive prices compared to GitHub MacOS Runners, taking 3-4x less time. Examples:

  • Mobile CI workflow: Namespace vs. GitHub (screenshots not preserved)
  • Mobile E2E: Namespace vs. GitHub (screenshots not preserved)
  • Mobile Bundle Analysis: Namespace vs. GitHub (screenshots not preserved)

Summary by CodeRabbit

Release Notes

  • Chores
    • Optimized CI/CD infrastructure for mobile builds with improved runner configurations
    • Enhanced Java environment detection and setup in build workflows for better reliability
    • Improved native SDK build processes and dependency management
    • Streamlined build authentication for private module access across iOS and Android platforms


Note

Switch CI iOS jobs to Namespace Apple Silicon runners, add conditional Java setup, adjust triggers, and replace ad-hoc submodule updates with a robust setup script for mobile-sdk-native.

  • CI Workflows
    • Runners/Triggers: Move iOS jobs from macos-latest-large to namespace-profile-apple-silicon-6cpu; gate some builds behind workflow_dispatch; add push triggers to key branches.
    • Java Setup: Add conditional Java detection/installation across iOS jobs in mobile-bundle-analysis.yml, mobile-ci.yml, mobile-deploy.yml, mobile-e2e.yml, and mobile-sdk-demo-e2e.yml.
    • Other CI tweaks: Add GitHub App token usage to more steps, refine caches/paths, and minor cleanup in npm-publish.yml.
  • Lint/Config
    • Add .github/actionlint.yaml registering custom runner labels (namespace-profile-apple-silicon-6cpu, 128ram).
  • Mobile SDK (Android)
    • In packages/mobile-sdk-alpha:
      • Replace direct git submodule update with scripts/setup-native-source.cjs to set/add/update mobile-sdk-native submodule (handles HTTPS/SSH, CI tokens, .gitmodules URL updates, empty-dir fixes).
      • Update scripts/build-android.sh to invoke the new setup script before building.
  • Docs
    • Update app/fastlane/DEV.md to reflect the new macOS runner label for iOS builds.

Written by Cursor Bugbot for commit 20c57b0.

coderabbitai bot (Contributor) commented Dec 14, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Infrastructure consolidation across mobile CI/CD workflows: Apple Silicon runner standardization for iOS builds, conditional Java environment setup, token-based authentication for private dependencies in iOS and Android paths, refactored submodule initialization with CI-aware credential scrubbing, and removal of redundant checkout steps from npm-publish workflow.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Mobile CI/CD Workflow Runners and Triggers | .github/workflows/mobile-bundle-analysis.yml, .github/workflows/mobile-ci.yml, .github/workflows/mobile-deploy.yml, .github/workflows/mobile-e2e.yml, .github/workflows/mobile-sdk-demo-e2e.yml | Updated iOS runners from macos-latest-large to namespace-profile-apple-silicon-6cpu; Android bundle analysis runner changed to ubuntu-latest. Added workflow triggers with path filters for app/, packages/mobile-sdk-alpha/, and workflow files. |
| Conditional Java Environment Setup | .github/workflows/mobile-bundle-analysis.yml, .github/workflows/mobile-ci.yml, .github/workflows/mobile-deploy.yml, .github/workflows/mobile-e2e.yml, .github/workflows/mobile-sdk-demo-e2e.yml | Introduced Check Java installation and conditional Setup Java environment steps across all mobile workflows (iOS and Android paths where applicable), using Temurin distribution with configurable JAVA_VERSION. |
| Token-Based Authentication for Dependencies | .github/workflows/mobile-ci.yml | Added cross-repo token generation and authentication for iOS and Android private modules; wired tokens via SELFXYZ_APP_TOKEN environment variable to build dependency steps. |
| Mobile SDK Native Source Setup | packages/mobile-sdk-alpha/scripts/build-android.sh, packages/mobile-sdk-alpha/scripts/setup-native-source.cjs | Replaced direct submodule update with setup-native-source.cjs invocation in build script. Enhanced setup script with CI-aware submodule registration detection, fallback URL configuration, credential scrubbing, and environment-aware initialization routing. |
| Configuration and Documentation | .github/actionlint.yaml, app/fastlane/DEV.md | Added Actionlint config registering custom runner labels (namespace-profile-apple-silicon-6cpu, 128ram). Updated fastlane documentation to reflect new runner configuration. |
| NPM Publish Workflow Cleanup | .github/workflows/npm-publish.yml | Removed redundant Git checkout steps from detect-changes and publish-contracts jobs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs: Dense refactoring with CI-aware conditional logic, fallback paths, credential scrubbing, and environment-based routing—requires careful validation of submodule registration detection and token/credential handling flows.
  • Token authentication wiring in .github/workflows/mobile-ci.yml: Cross-repo token generation and passing patterns need verification for correctness across iOS/Android paths and dependency resolution.
  • Runner configuration consistency: Verify Apple Silicon runner (namespace-profile-apple-silicon-6cpu) is properly defined and available across all workflows; check conditional guards (workflow_dispatch, push triggers).
  • Java setup ordering: Ensure Java environment steps execute before dependent steps that require Java across all affected workflows.

Possibly related PRs

Suggested labels

codex

Suggested reviewers

  • remicolin
  • aaronmgdr

Poem

🚀 Runners realigned to Silicon skies,
Java checks keep workflows wise,
Tokens guard the private way,
Submodules scrub credentials' spray,
CI/CD infrastructure shines today ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the primary change: migrating macOS CI runners from GitHub's macos-latest-large to Namespace.so's custom runners. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
Comment @coderabbitai help to get the list of available commands and usage tips.
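
The credential scrubbing named in the walkthrough above can be done with a small pure function applied to anything that is about to reach a CI log. This is an added example, not code from the PR or from setup-native-source.cjs; the function names, the `example-org` remotes and the token string are constructed for illustration.

```javascript
// Added example: redact credentials from git remote URLs before logging.
// scrubGitUrl, scrubGitmodules, scrubText and listSubmoduleUrls are
// hypothetical names, not functions from the project's setup script.

const REDACTED = '***';

// Redact the userinfo part of a scheme-style remote URL.
// - http(s): the whole userinfo is treated as secret, because tokens are
//   often passed as the user name (https://<token>@host/...).
// - other schemes (ssh://git@host/...): only a password, if present, is hidden.
// - scp-style remotes (git@host:org/repo.git) and local paths are unchanged.
function scrubGitUrl(raw) {
  const value = String(raw).trim();
  const scheme = /^[a-z][a-z0-9+.-]*:\/\//i.exec(value);
  if (!scheme) return value;

  const rest = value.slice(scheme[0].length);
  const end = rest.search(/[/?#]/);
  const authority = end === -1 ? rest : rest.slice(0, end);
  const tail = end === -1 ? '' : rest.slice(end);

  const at = authority.lastIndexOf('@');
  if (at === -1) return value; // no userinfo, nothing to hide

  const userinfo = authority.slice(0, at);
  const host = authority.slice(at + 1);
  const colon = userinfo.indexOf(':');

  let safeUser = userinfo;
  if (/^https?:\/\//i.test(scheme[0])) {
    safeUser = REDACTED;
  } else if (colon !== -1) {
    safeUser = userinfo.slice(0, colon) + ':' + REDACTED;
  }
  return scheme[0] + safeUser + '@' + host + tail;
}

// Redact every "url = ..." value in .gitmodules-style text.
function scrubGitmodules(content) {
  return String(content).replace(
    /^([ \t]*url[ \t]*=[ \t]*)(\S+)/gm,
    (_match, key, url) => key + scrubGitUrl(url),
  );
}

// Redact URLs embedded in free text, such as git error output.
function scrubText(message) {
  return String(message).replace(
    /[a-z][a-z0-9+.-]*:\/\/[^\s'"<>]+/gi,
    (url) => scrubGitUrl(url),
  );
}

// Summarise submodules as { name, url } with scrubbed URLs, so a script can
// log what it is about to use without dumping the whole file.
function listSubmoduleUrls(content) {
  const result = [];
  let current = null;
  for (const line of String(content).split(/\r?\n/)) {
    const header = /^\s*\[submodule\s+"([^"]+)"\]\s*$/.exec(line);
    if (header) {
      current = { name: header[1], url: null };
      result.push(current);
      continue;
    }
    const url = /^\s*url\s*=\s*(\S+)/.exec(line);
    if (url && current) current.url = scrubGitUrl(url[1]);
  }
  return result;
}

// Constructed sample input; the token and organisation are not real.
const SAMPLE_GITMODULES = [
  '[submodule "packages/mobile-sdk-alpha/mobile-sdk-native"]',
  '\tpath = packages/mobile-sdk-alpha/mobile-sdk-native',
  '\turl = https://x-access-token:EXAMPLE_TOKEN_NOT_REAL@github.com/example-org/mobile-sdk-native.git',
  '[submodule "vendor/example-lib"]',
  '\tpath = vendor/example-lib',
  '\turl = git@github.com:example-org/example-lib.git',
  '',
].join('\n');

for (const entry of listSubmoduleUrls(SAMPLE_GITMODULES)) {
  console.log(`${entry.name} -> ${entry.url}`);
}
```

Error messages from `git` itself can echo the remote URL, so `scrubText` belongs on the path that logs caught exceptions as well as on the script's own log lines.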

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/mobile-deploy.yml (1)

391-393: Bundler cache path likely incorrect/out-of-policy (app/ios/vendor/bundle vs unified app/vendor/bundle).
Repo learning indicates iOS+Android now cache gems at app/vendor/bundle; this workflow’s iOS cache still targets app/ios/vendor/bundle, which will reduce cache hits and increase CI time. Based on learnings, align iOS to the unified path.

       - name: Cache Ruby gems
         id: gems-cache
         uses: ./.github/actions/cache-bundler
         with:
-          # TODO(jcortejoso): Confirm the path of the bundle cache
-          path: ${{ env.APP_PATH }}/ios/vendor/bundle
+          path: ${{ env.APP_PATH }}/vendor/bundle
           lock-file: app/Gemfile.lock
           cache-version: ${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-ruby${{ env.RUBY_VERSION }}
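
Review bot: The new `path: ${{ env.APP_PATH }}/vendor/bundle` value is only correct if this job's bundle install actually writes there, and nothing in the visible lines sets the install location. The removed TODO was asking exactly that question, so it should be answered in the PR (for example by pointing at the step that sets the bundle path) rather than dropped silently. If the install still targets `ios/vendor/bundle`, this step will save and restore a directory the build never reads, and the job will reinstall gems on every run without any visible failure.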
🧹 Nitpick comments (3)
.github/workflows/mobile-deploy.yml (1)

435-448: Java setup could be simplified by always running actions/setup-java@v4 for consistency.
actions/setup-java@v4 checks the GitHub runner toolcache first and reuses cached JDKs efficiently; when the requested version is pre-cached (as on GitHub-hosted macOS runners), it completes quickly without downloading. If iOS builds in this job require Java, using the action directly rather than conditional detection avoids logic drift and keeps the configuration straightforward. If they don't, move Java setup only to the steps that need it. Since runners are ephemeral, the condition in the current code is redundant on GitHub-hosted runners.

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)

154-170: Variable shadowing and verbose content logging.

Two concerns here:

  1. Line 156 redeclares gitmodulesContent which shadows the outer variable from line 119. This works but is confusing.

  2. Lines 157 and 167 log the entire .gitmodules file content to CI logs, which could expose internal repo structure and URLs.

       try {
-        let gitmodulesContent = fs.readFileSync(gitmodulesPath, 'utf8');
-        log(`Current .gitmodules content:\n${gitmodulesContent}`, 'info');
+        let currentContent = fs.readFileSync(gitmodulesPath, 'utf8');
         // Replace the URL for mobile-sdk-native submodule
-        const oldContent = gitmodulesContent;
-        gitmodulesContent = gitmodulesContent.replace(
+        const oldContent = currentContent;
+        currentContent = currentContent.replace(
           /(\[submodule\s+"packages\/mobile-sdk-alpha\/mobile-sdk-native"\]\s+path\s*=\s*packages\/mobile-sdk-alpha\/mobile-sdk-native\s+url\s*=\s*)[^\s]+/,
-          `$1${submoduleUrl}`
+          `$1${submoduleUrl}`,
         );
-        if (oldContent !== gitmodulesContent) {
-          fs.writeFileSync(gitmodulesPath, gitmodulesContent, 'utf8');
+        if (oldContent !== currentContent) {
+          fs.writeFileSync(gitmodulesPath, currentContent, 'utf8');
           log('Updated .gitmodules with new submodule URL', 'success');
-          log(`New .gitmodules content:\n${gitmodulesContent}`, 'info');
         } else {
           log('No changes made to .gitmodules - regex may not match', 'warning');
         }
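
Review bot: The `else` branch at the end of the hunk cannot tell "the URL was already correct" from "the regex did not match", so a healthy no-op run and a broken `.gitmodules` layout both produce the same `regex may not match` warning. Test the pattern first and warn only when it fails to match; treat an unchanged result after a successful match as success. Separately, `submoduleUrl` is interpolated into a replacement string (`$1${submoduleUrl}`), where `$`-sequences in the value are interpreted by `String.prototype.replace`; a replacer function `(_m, prefix) => prefix + submoduleUrl` avoids that. If `submoduleUrl` can carry a CI token, note that this code writes it to `.gitmodules` on disk, so removing the two content logs does not by itself keep the token out of the workspace.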
.github/workflows/mobile-ci.yml (1)

219-221: Add custom runner label to actionlint configuration to prevent CI linting issues.

The custom runner label namespace-profile-apple-silicon-6cpu (Line 220) will be flagged as unknown by actionlint unless explicitly configured. Add an actionlint.yaml file to the repository root with:

self-hosted-runner:
  labels:
    - namespace-profile-apple-silicon-6cpu

This prevents actionlint from failing on unknown runner labels if linting enforcement is enabled in the future.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 529b15f and b2bd843.

📒 Files selected for processing (9)
  • .github/workflows/mobile-bundle-analysis.yml (4 hunks)
  • .github/workflows/mobile-ci.yml (6 hunks)
  • .github/workflows/mobile-deploy.yml (3 hunks)
  • .github/workflows/mobile-e2e.yml (3 hunks)
  • .github/workflows/mobile-sdk-demo-e2e.yml (3 hunks)
  • app/fastlane/DEV.md (1 hunks)
  • common/src/utils/proving.ts (1 hunks)
  • packages/mobile-sdk-alpha/scripts/build-android.sh (1 hunks)
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (3 hunks)
🧰 Additional context used
📓 Path-based instructions (6)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{js,jsx,ts,tsx}: NEVER log sensitive data including PII (names, DOB, passport numbers, addresses), credentials, tokens, API keys, private keys, or session identifiers.
ALWAYS redact/mask sensitive fields in logs using consistent patterns (e.g., ***-***-1234 for passport numbers, J*** D*** for names).

Files:

  • common/src/utils/proving.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{ts,tsx,js,jsx}: Use React Navigation with createStaticNavigation for type-safe navigation in React Native applications.
Implement platform-specific handling with Platform.OS === 'ios' ? 'iOS' : 'Android' checks before platform-specific code in React Native.
Initialize native modules with initializeNativeModules() before any native operations in React Native.
Implement lazy loading for screens using React.lazy() in React Native applications.
Implement custom modal system with useModal hook and callback registry in React Native.
Integrate haptic feedback using useHapticNavigation hook in React Native navigation.
Use platform-specific initial routes: web uses 'Home', mobile uses 'Splash' in React Navigation.
Use Zustand for global state management in React Native applications.
Use custom hooks for complex state (useModal, useHapticNavigation) instead of inline logic.
Use AsyncStorage for simple data, SQLite for complex data, and Keychain for sensitive data in React Native.
Use @/ alias for src imports and @tests/ alias for test imports in TypeScript/JavaScript files.
Use conditional rendering with Platform.OS for platform-specific code in React Native.
Use Tamagui for UI components in React Native applications.
Do not log sensitive data in production, including identity verification and passport information.
Use Keychain for secure storage of sensitive data in React Native.
Implement proper cleanup of sensitive data after use.
Implement certificate validation for passport data verification.
Always use try-catch for async operations in React Native and TypeScript code.
Implement graceful degradation when native modules fail in React Native.
Provide user-friendly error messages in UI and error handlers.
Lazy load screens and components to optimize bundle size in React Native.
Prevent memory leaks in native modules in React Native.

Files:

  • common/src/utils/proving.ts
**/*.{tsx,jsx,ts,js}

📄 CodeRabbit inference engine (.cursorrules)

Implement proper cleanup in useEffect and component unmount hooks in React.

Files:

  • common/src/utils/proving.ts
**/{compliance,ofac,verification,identity,utils}/**/*.{ts,tsx,js,py}

📄 CodeRabbit inference engine (.cursor/rules/compliance-verification.mdc)

Normalize names using case-folding, Unicode NFKC normalization, and diacritics removal for OFAC matching

Files:

  • common/src/utils/proving.ts
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/mobile-sdk-migration.mdc)

**/*.{ts,tsx,js}: Never log PII, credentials, or private keys in production code; use DEBUG_SECRETS_TOKEN flag for debug-level secrets
Use consistent redaction patterns for sensitive fields in logs and test data

Files:

  • common/src/utils/proving.ts
common/src/**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

common/src/**/*.{ts,tsx,js,jsx}: Review shared utilities for:

  • Reusability and modular design
  • Type safety and error handling
  • Side-effect management
  • Documentation and naming clarity

Files:

  • common/src/utils/proving.ts
🧠 Learnings (33)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/crypto/**/*.{ts,tsx} : Migrate crypto adapters from app/src/utils/ to packages/mobile-sdk-alpha/src/crypto/ with tests for WebCrypto vs noble/* fallback and timing-safe comparisons

Applied to files:

  • common/src/utils/proving.ts
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/attestation/**/*.{ts,tsx} : Migrate attestation verification from app/src/utils/ to packages/mobile-sdk-alpha/src/attestation/ with tests for PCR0 validation and certificate chain validation

Applied to files:

  • common/src/utils/proving.ts
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:34.041Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: noir/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:34.041Z
Learning: Verify cryptographic properties and confirm no logical errors are introduced after PR reviews

Applied to files:

  • common/src/utils/proving.ts
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/proving/**/*.{ts,tsx} : Migrate proof input generation from app/src/utils/proving/ to packages/mobile-sdk-alpha/src/proving/ with tests for register, disclose, and TEE input generation

Applied to files:

  • common/src/utils/proving.ts
📚 Learning: 2025-11-25T14:07:28.188Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/compliance-verification.mdc:0-0
Timestamp: 2025-11-25T14:07:28.188Z
Learning: Applies to **/{compliance,crypto,security,auth}/**/*.{ts,tsx,js,py} : Use only cryptographically approved algorithms and key sizes for compliance verification security

Applied to files:

  • common/src/utils/proving.ts
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/index.ts : Re-export all new migrated modules via packages/mobile-sdk-alpha/src/index.ts and document them in packages/mobile-sdk-alpha/README.md

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-ci.yml
  • app/fastlane/DEV.md
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/package.json : Ensure exports are properly configured before publishing the package

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to app/src/**/*.{ts,tsx} : Update app to consume mobile-sdk-alpha modules after migration and validate all existing app tests pass

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/protocol/**/*.{ts,tsx} : Migrate protocol synchronization from app/src/utils/ to packages/mobile-sdk-alpha/src/protocol/ with tests for tree fetching, TTL caching, rate limiting, and memory bounds

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Mock native dependencies appropriately in tests when testing platform-specific code

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Ensure all exports in migrated modules support tree shaking for optimal bundle size

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • packages/mobile-sdk-alpha/scripts/build-android.sh
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/tee/**/*.{ts,tsx} : Migrate TEE session management from app/src/utils/ to packages/mobile-sdk-alpha/src/tee/ with tests for WebSocket handling, abort, timeout, and lifecycle events

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Run `yarn test:build` command to validate tests, build dependencies, types, and bundle analysis in both app and mobile-sdk-alpha directories

Applied to files:

  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/demo/**/*.{ts,tsx,js,jsx} : Create an in-SDK lightweight demo in packages/mobile-sdk-alpha/demo/ using embedded React Native with MRZ flow and theming hooks integration

Applied to files:

  • packages/mobile-sdk-alpha/scripts/build-android.sh
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/processing/**/*.{ts,tsx} : Migrate MRZ processing helpers from app/src/utils/ to packages/mobile-sdk-alpha/src/processing/ with comprehensive tests for MRZ parsing and cross-platform compatibility

Applied to files:

  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-ci.yml
  • app/fastlane/DEV.md
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/*.{js,ts,tsx,json,md,yml,yaml} : Use Prettier for code formatting with root Prettier and EditorConfig settings

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • app/fastlane/DEV.md
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-07-29T01:08:28.530Z
Learnt from: transphorm
Repo: selfxyz/self PR: 795
File: app/android/app/build.gradle:157-158
Timestamp: 2025-07-29T01:08:28.530Z
Learning: For this React Native project, the team prefers build flexibility over fail-fast behavior for release builds in app/android/app/build.gradle. They intentionally allow fallback to debug signing for local development runs, relying on Google Play Console validation to catch any improperly signed releases during upload.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{test,spec}.{ts,tsx,js,jsx} : Ensure `yarn test` passes (unit tests) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/web/** : Web build must succeed via `yarn web` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, run linting and formatting fixes with `yarn workspaces foreach -A -p -v --topological-dev --since=HEAD run nice --if-present`.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,json,yml,yaml} : Ensure `yarn nice` passes (fixes linting and formatting) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, build all workspaces except `contracts` using `yarn build`, and compile Solidity contracts with `yarn workspace selfxyz/contracts build`.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-07-14T09:03:08.292Z
Learnt from: aaronmgdr
Repo: selfxyz/self PR: 763
File: app/.github/workflows/test-coverage.yml:0-0
Timestamp: 2025-07-14T09:03:08.292Z
Learning: Node.js 22 is supported by actions/setup-nodev4 and has been in Active LTS since October 2024. It works on Linux, macOS, and Windows runners (Windows issues were resolved after version 22.8.0).

Applied to files:

  • .github/workflows/mobile-bundle-analysis.yml
🪛 actionlint (1.7.9)
.github/workflows/mobile-e2e.yml

242-242: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-sdk-demo-e2e.yml

215-215: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-ci.yml

220-220: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-deploy.yml

270-270: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-bundle-analysis.yml

97-97: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 GitHub Actions: Mobile SDK CI
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs

[warning] 1-1: Code style issues found in the above file. Run Prettier with --write to fix.

🪛 GitHub Check: lint
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs

[warning] 187-187:
Replace ``git·submodule·update·--init·--recursive·packages/mobile-sdk-alpha/mobile-sdk-native,·{},·REPO_ROOT with `⏎··········`git·submodule·update·--init·--recursive·packages/mobile-sdk-alpha/mobile-sdk-native`,⏎··········{},⏎··········REPO_ROOT,⏎········`


[warning] 162-162:
Insert ,


[warning] 149-149:
Replace ``git·submodule·set-url·packages/mobile-sdk-alpha/mobile-sdk-native·"${submoduleUrl}",·{·stdio:·'pipe'·},·REPO_ROOT with `⏎··········`git·submodule·set-url·packages/mobile-sdk-alpha/mobile-sdk-native·"${submoduleUrl}"`,⏎··········{·stdio:·'pipe'·},⏎··········REPO_ROOT,⏎········`


[warning] 124-124:
Replace ``Token·values:·appToken·length=${appToken·?·appToken.length·:·0},·repoToken·length=${repoToken·?·repoToken.length·:·0},·'info' with `⏎······`Token·values:·appToken·length=${appToken·?·appToken.length·:·0},·repoToken·length=${repoToken·?·repoToken.length·:·0}`,⏎······'info',⏎····`


[warning] 120-120:
Replace ·gitmodulesExists·&&⏎····· with ⏎······gitmodulesExists·&&

🪛 GitHub Check: workspace-lint
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs

[warning] 187-187:
Replace ``git·submodule·update·--init·--recursive·packages/mobile-sdk-alpha/mobile-sdk-native,·{},·REPO_ROOT with `⏎··········`git·submodule·update·--init·--recursive·packages/mobile-sdk-alpha/mobile-sdk-native`,⏎··········{},⏎··········REPO_ROOT,⏎········`


[warning] 162-162:
Insert ,


[warning] 149-149:
Replace ``git·submodule·set-url·packages/mobile-sdk-alpha/mobile-sdk-native·"${submoduleUrl}",·{·stdio:·'pipe'·},·REPO_ROOT with `⏎··········`git·submodule·set-url·packages/mobile-sdk-alpha/mobile-sdk-native·"${submoduleUrl}"`,⏎··········{·stdio:·'pipe'·},⏎··········REPO_ROOT,⏎········`


[warning] 124-124:
Replace ``Token·values:·appToken·length=${appToken·?·appToken.length·:·0},·repoToken·length=${repoToken·?·repoToken.length·:·0},·'info' with `⏎······`Token·values:·appToken·length=${appToken·?·appToken.length·:·0},·repoToken·length=${repoToken·?·repoToken.length·:·0}`,⏎······'info',⏎····`


[warning] 120-120:
Replace ·gitmodulesExists·&&⏎····· with ⏎······gitmodulesExists·&&

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: build-android
  • GitHub Check: test
  • GitHub Check: type-check
  • GitHub Check: android-build-test
  • GitHub Check: Android E2E Tests Demo App
  • GitHub Check: iOS E2E Tests Demo App
  • GitHub Check: analyze-android
🔇 Additional comments (10)
app/fastlane/DEV.md (1)

397-404: No issues found. The build-ios runner label in the documentation (namespace-profile-apple-silicon-6cpu) matches the actual workflow configuration in .github/workflows/mobile-deploy.yml (line 270). This label is consistently used across all iOS-related jobs in the repository.

.github/workflows/mobile-deploy.yml (1)

269-270: The namespace-profile-apple-silicon-6cpu runner is already intentionally configured—no changes needed.

This custom runner label was introduced in a recent commit ("chore: update CI workflows to include Java setup and modify runner environments") and is documented in app/fastlane/DEV.md (line 399) as the standard environment for iOS builds. It's consistently used across multiple workflows (mobile-ci.yml, mobile-e2e.yml, mobile-bundle-analysis.yml, etc.), confirming this is an intentional migration from macos-latest-large. No additional configuration or actionlint updates are required.

packages/mobile-sdk-alpha/scripts/build-android.sh (1)

55-57: Clean refactoring to centralized setup script.

Delegating submodule setup to setup-native-source.cjs is a solid approach - keeps this build script focused on AAR building while the Node script handles the complexity of submodule URL management, token handling, and CI-specific logic.

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (3)

38-44: Good addition of cwd parameter with sensible default.

The optional cwd parameter enables running git commands from the repo root for submodule operations while maintaining backward compatibility. The command sanitization before logging is a good security practice.


183-203: Solid submodule initialization logic with proper branching.

The distinction between updating a registered submodule vs adding a new one is correct. Running git submodule update --init --recursive for registered modules and git submodule add for new ones is the right approach. The silent stdio: 'pipe' mode in CI with tokens prevents credential leakage.


230-238: Good defensive practice scrubbing credentials post-setup.

The scrubGitRemoteUrl function ensures no token-embedded URLs persist in git config after setup, which is important for CI environments where logs or artifacts might be retained.

common/src/utils/proving.ts (1)

54-84: LGTM! Defensive validation strengthens cryptographic integrity.

The three-tier validation (tag existence → non-empty → 16-byte length) is well-structured and appropriate for cryptographic operations. The explicit checks catch potential issues with the cipher implementation while providing clear debugging information. Tag length validation correctly matches the tagLength: 128 parameter specified on line 50.

Error messages follow secure logging practices with no sensitive data exposure, and existing callers in provingMachine.ts properly handle the new error cases within try-catch blocks with explicit logging.

Minor note: The empty check (line 65) is technically redundant with the length check (line 74), but keeping both provides better error diagnostics for different failure modes.

.github/workflows/mobile-bundle-analysis.yml (1)

95-100: Likely an incorrect or invalid review comment.

.github/workflows/mobile-sdk-demo-e2e.yml (1)

214-216: Custom runner label is valid and functional; no actionlint linting issues.

The namespace-profile-apple-silicon-6cpu runner label (line 215) is a legitimate self-hosted runner configuration used consistently across multiple workflows in this repository. No actionlint configuration exists in the codebase, and actionlint is not being invoked as part of CI, so there is no actual linting concern. The label works correctly at runtime.

Likely an incorrect or invalid review comment.

.github/workflows/mobile-e2e.yml (1)

241-243: The custom runner label is valid and currently in use. No actionlint configuration exists in the repository, and no actionlint checks are running in CI. This is not a current issue.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/mobile-deploy.yml (1)

391-392: Fix Ruby gems cache path inconsistency: use unified path for both iOS and Android.

Line 392 caches gems at the deprecated path app/ios/vendor/bundle, but the Android build (line 1027) correctly uses the unified path app/vendor/bundle. Per learnings from PR 1446, both platforms should use the unified path. The TODO comment on line 391 also signals uncertainty—this needs to be resolved.

Apply this fix to align iOS with Android:

- path: ${{ env.APP_PATH }}/ios/vendor/bundle
+ path: ${{ env.APP_PATH }}/vendor/bundle

Remove the TODO comment once confirmed:

- # TODO(jcortejoso): Confirm the path of the bundle cache
  path: ${{ env.APP_PATH }}/vendor/bundle
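Review bot: The `path:` change moves only the directory that the cache step saves and restores; nothing in either snippet changes where the gems are installed or which cache key is used. If the iOS job still installs into `ios/vendor/bundle`, the step will cache an empty directory, so confirm the install path in the same change and bump the cache key so that entries saved under the old layout are not restored into the new path.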

Based on learnings from PR 1446, both iOS and Android workflows now cache Ruby gems at a unified path.

♻️ Duplicate comments (5)
.github/workflows/mobile-ci.yml (1)

216-220: ⚠️ iOS builds still gated to push/workflow_dispatch only—PR validation gap.

This is a follow-up to the prior review comment. Per the PR objectives, iOS builds are intentionally skipped for pull_request events. While this aligns with the stated goal to "run only when merged," it creates a validation gap: iOS code changes won't be built/tested until after merge.

Trade-off acknowledged: The Namespace runner cost savings likely justify deferring iOS validation to post-merge, but verify that the team accepts the risk of iOS breakage slipping past code review.

.github/workflows/mobile-bundle-analysis.yml (1)

96-99: ⚠️ iOS analysis still excluded from pull_request events (duplicate concern from prior review).

The if condition on line 99 restricts analyze-ios to push and workflow_dispatch only, despite the workflow triggering on pull_request (line 21). This means PRs can merge without iOS bundle-analysis feedback, risking undetected bundle size regressions.

Either:

  1. Remove the conditional on line 99 to enable iOS analysis on all PR events, or
  2. Remove pull_request from the trigger block (lines 21–26) if iOS analysis on PRs is intentionally disabled.

Option 1 is strongly recommended to catch iOS regressions before merge.

.github/workflows/mobile-e2e.yml (1)

239-243: iOS E2E remains gated to push/workflow_dispatch; PRs won't receive coverage.

The explicit if condition on line 243 gates the e2e-ios job to push and workflow_dispatch events only. While the workflow itself triggers on pull_request (line 29), this job will never run for PRs—aligning with the PR's stated intent to skip PRs for iOS jobs, but continuing to deprive contributors of E2E feedback.

This reiterates the concern raised in a previous review: if this is cost-driven, consider running at least on non-fork PRs to maintain signal for trusted contributors.

Confirm this decision is intentional and aligns with your CI cost/performance strategy. If you want to enable E2E for non-fork PRs, apply this change:

-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)
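Review bot: The fork test at the end of the new `if` (`github.event.pull_request.head.repo.fork == false`) relies on a loose comparison, and GitHub expressions coerce a missing value to 0, so a pull request whose `head.repo` is absent would also satisfy it. Comparing `github.event.pull_request.head.repo.full_name == github.repository` states the intent (same-repository PRs only) directly, and writing the condition as a folded scalar (`if: >-`) would keep the three clauses readable.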
.github/workflows/mobile-deploy.yml (1)

78-79: Blocker: test_mode still defaults to true—risks silent test-mode deployments to production.

This is a known issue from the previous review. The workflow allows deployment_track=production with test_mode=true, resulting in silent skipped uploads. While the TODO indicates this is temporary, it must be resolved (set default: false) before merging to prevent accidental production deployments.

Apply this fix:

  test_mode:
    description: "Test mode (skip upload to stores)"
    required: false
    type: boolean
-   # TODO(jcortejoso): Restore to false when testing is done
-   default: true
+   default: false

Consider adding a safety gate if test mode must remain available for manual dispatch:

+ # For testing, use a dedicated test branch or workflow to prevent accidental production runs
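Review bot: The added `# For testing, ...` line is a comment, not a gate: with `default: false` a dispatcher can still choose `test_mode: true` together with `deployment_track=production`, and the upload is skipped just as before. An explicit step that fails the job for that combination, or at least prints that uploads are being skipped, would make the condition visible instead of silent.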
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)

123-131: Already flagged: Excessive debug logging.

This concern has been raised in a previous review. The logging of token lengths, environment paths, and detailed state could leak sensitive metadata in CI environments.

🧹 Nitpick comments (3)
.github/workflows/mobile-sdk-demo-e2e.yml (1)

257-270: Java conditional install is fine; make INSTALL_JAVA deterministic to avoid subtle env surprises.

Right now INSTALL_JAVA is only set on the “missing/broken java” path. Setting it explicitly improves debuggability and avoids relying on “unset means false”.

       - name: Check Java installation
         run: |
+          echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
           if command -v java &> /dev/null && java -version &> /dev/null; then
             echo "Java already installed: $(java -version 2>&1 | head -n 1)"
           else
             echo "Java not found or not working, will install..."
             echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
           fi
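Review bot: The added `echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"` runs before the check, so on the install path the file receives both `INSTALL_JAVA=false` and `INSTALL_JAVA=true` and the outcome depends on the later write taking precedence. Writing `false` inside the `if` branch, next to the "Java already installed" message, gives exactly one assignment per run and keeps the two outcomes symmetric.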
.github/workflows/mobile-deploy.yml (1)

435-448: Document or align Java setup patterns between iOS and Android builds.

The iOS build (lines 435–448) uses a check-then-setup pattern for Java: it first checks if Java is already installed, then conditionally runs setup-java. The Android build (lines 905–910) skips the check and directly invokes setup-java. While this may be intentional (ubuntu-latest typically includes Java; macOS does not), the inconsistency lacks explanation and could confuse future maintainers.

Option A: Add a comment explaining the difference:

+ # Note: Ubuntu runners typically have Java pre-installed; macOS runners do not.
+ # iOS build includes a pre-check to skip redundant setup; Android assumes availability.
  - name: Setup Java environment
    if: inputs.platform != 'ios'
    uses: actions/setup-java@v4
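Review bot: The second added comment line says Android "assumes availability", but the step directly beneath it runs `actions/setup-java@v4` whenever `inputs.platform != 'ios'`, which installs Java rather than assuming it. Reword the comment to say that the non-iOS path always runs setup-java while the iOS path checks first, so the comment matches the step it annotates.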

Option B: Standardize on direct setup (idempotent, no harm if already installed):

  - name: Setup Java environment
    if: inputs.platform != 'ios'
    uses: actions/setup-java@v4
    with:
      distribution: "temurin"
      java-version: ${{ env.JAVA_VERSION }}
  
  # Remove the Java check step entirely (lines 435–442)

Option B is simpler and leverages the fact that setup-java is idempotent.

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)

162-180: The .gitmodules regex is functional for the repository's current structure.

The regex pattern successfully matches and replaces the mobile-sdk-native URL in the actual .gitmodules file. The pattern handles tab indentation and newlines correctly, and the validation check (if (oldContent !== gitmodulesContent)) logs a warning if replacement fails, preventing silent corruption.

While the pattern could be more flexible (using an INI parser instead), the current implementation is adequate given the protective validation in place. This is a minor quality-of-life improvement rather than a necessary fix.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2bd843 and b47097a.

📒 Files selected for processing (9)
  • .github/workflows/mobile-bundle-analysis.yml (4 hunks)
  • .github/workflows/mobile-ci.yml (6 hunks)
  • .github/workflows/mobile-deploy.yml (3 hunks)
  • .github/workflows/mobile-e2e.yml (3 hunks)
  • .github/workflows/mobile-sdk-demo-e2e.yml (3 hunks)
  • app/fastlane/DEV.md (1 hunks)
  • common/src/utils/proving.ts (1 hunks)
  • packages/mobile-sdk-alpha/scripts/build-android.sh (1 hunks)
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • common/src/utils/proving.ts
  • app/fastlane/DEV.md
🧰 Additional context used
🧠 Learnings (44)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to app/src/**/*.{ts,tsx} : Update app to consume mobile-sdk-alpha modules after migration and validate all existing app tests pass

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/processing/**/*.{ts,tsx} : Migrate MRZ processing helpers from app/src/utils/ to packages/mobile-sdk-alpha/src/processing/ with comprehensive tests for MRZ parsing and cross-platform compatibility

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/protocol/**/*.{ts,tsx} : Migrate protocol synchronization from app/src/utils/ to packages/mobile-sdk-alpha/src/protocol/ with tests for tree fetching, TTL caching, rate limiting, and memory bounds

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/attestation/**/*.{ts,tsx} : Migrate attestation verification from app/src/utils/ to packages/mobile-sdk-alpha/src/attestation/ with tests for PCR0 validation and certificate chain validation

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Flag security-sensitive changes for special review in PR descriptions.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-09-06T02:14:42.185Z
Learnt from: transphorm
Repo: selfxyz/self PR: 919
File: .github/workflows/mobile-ci.yml:437-439
Timestamp: 2025-09-06T02:14:42.185Z
Learning: When infrastructure issues like NDK version misalignment are identified during feature PRs, the team prefers to defer these to separate follow-up PRs to maintain focused scope and avoid scope creep.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure CI pipeline passes all stages and no new linting/formatting issues are introduced after PR creation.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/*.{js,ts,tsx,json,md,yml,yaml} : Use Prettier for code formatting with root Prettier and EditorConfig settings

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure type checking passes in all affected workspaces and build artifacts are generated successfully after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-07-29T01:08:28.530Z
Learnt from: transphorm
Repo: selfxyz/self PR: 795
File: app/android/app/build.gradle:157-158
Timestamp: 2025-07-29T01:08:28.530Z
Learning: For this React Native project, the team prefers build flexibility over fail-fast behavior for release builds in app/android/app/build.gradle. They intentionally allow fallback to debug signing for local development runs, relying on Google Play Console validation to catch any improperly signed releases during upload.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Run `yarn test:build` command to validate tests, build dependencies, types, and bundle analysis in both app and mobile-sdk-alpha directories

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{test,spec}.{ts,tsx,js,jsx} : Ensure `yarn test` passes (unit tests) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/web/** : Web build must succeed via `yarn web` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, run linting and formatting fixes with `yarn workspaces foreach -A -p -v --topological-dev --since=HEAD run nice --if-present`.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,json,yml,yaml} : Ensure `yarn nice` passes (fixes linting and formatting) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, build all workspaces except `contracts` using `yarn build`, and compile Solidity contracts with `yarn workspace selfxyz/contracts build`.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/index.ts : Re-export all new migrated modules via packages/mobile-sdk-alpha/src/index.ts and document them in packages/mobile-sdk-alpha/README.md

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/package.json : Ensure exports are properly configured before publishing the package

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Mock native dependencies appropriately in tests when testing platform-specific code

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Ensure all exports in migrated modules support tree shaking for optimal bundle size

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/tee/**/*.{ts,tsx} : Migrate TEE session management from app/src/utils/ to packages/mobile-sdk-alpha/src/tee/ with tests for WebSocket handling, abort, timeout, and lifecycle events

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Create clear and actionable error messages with descriptive error codes for SDK consumers

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/package.json : Verify package conditions are valid before publishing

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Use async/await patterns for non-blocking operations throughout SDK modules

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to **/*.{ts,tsx,js} : Never log PII, credentials, or private keys in production code; use DEBUG_SECRETS_TOKEN flag for debug-level secrets

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : NEVER log sensitive data including PII (names, DOB, passport numbers, addresses), credentials, tokens, API keys, private keys, or session identifiers.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,swift,kt,java} : Ensure no sensitive data (PII, credentials, tokens) is present in logs

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Debug-level secrets require tokenized environment flags (e.g., `DEBUG_SECRETS_TOKEN=abc123`) with approval workflow and limited lifetime (max 24 hours).

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Do not log sensitive data in production, including identity verification and passport information.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : ALWAYS redact/mask sensitive fields in logs using consistent patterns (e.g., `***-***-1234` for passport numbers, `J*** D***` for names).

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to **/*.{ts,tsx,js} : Use consistent redaction patterns for sensitive fields in logs and test data

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Address CodeRabbitAI feedback or document why not; resolve security warnings; verify performance benchmarks; confirm no sensitive data exposed in logs/comments.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,swift,kt,java} : Flag security-sensitive operations and note performance implications in code comments

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/demo/**/*.{ts,tsx,js,jsx} : Create an in-SDK lightweight demo in packages/mobile-sdk-alpha/demo/ using embedded React Native with MRZ flow and theming hooks integration

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
🧬 Code graph analysis (1)
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)
app/scripts/setup-private-modules.cjs (4)
  • isCI (32-32)
  • appToken (34-34)
  • repoToken (33-33)
  • BRANCH (15-15)
🪛 actionlint (1.7.9)
.github/workflows/mobile-e2e.yml

242-242: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-ci.yml

220-220: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-deploy.yml

270-270: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-sdk-demo-e2e.yml

215-215: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-bundle-analysis.yml

97-97: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: test
  • GitHub Check: build-android
  • GitHub Check: type-check
  • GitHub Check: test-common
  • GitHub Check: Android E2E Tests Demo App
  • GitHub Check: iOS E2E Tests Demo App
  • GitHub Check: android-build-test
  • GitHub Check: analyze-android
🔇 Additional comments (14)
.github/workflows/mobile-ci.yml (3)

268-281: ✅ Java setup approach is sound.

The defensive check before installation and conditional setup are good practices. This avoids redundant installations on runners that already have Java available.


295-300: ✅ Ruby cache path unification is aligned with recent learnings.

The change to the unified app/vendor/bundle path matches the established pattern from PR 1446, where both iOS and Android builds now share the cache directory. This improves cache efficiency.


327-334: Token generation and passing looks correct, but verify graceful error handling.

The token is properly threaded through the workflow with an empty-string fallback. However, if token-dependent steps fail silently when the token is empty (e.g., private module clones), debugging becomes difficult.

Verify that downstream steps (pod-install, build-deps) fail loudly with clear error messages if the token is required but missing, rather than hanging or producing cryptic permission errors.

Also applies to: 344-345, 364-365

.github/workflows/mobile-bundle-analysis.yml (4)

11-20: ✅ Push trigger expansion is sound.

The addition of specific branches (dev, staging, main) and paths (app/**, packages/mobile-sdk-alpha/**, workflows, actions) provides controlled execution for bundle analysis. This aligns with the PR objectives to restrict CI runs to relevant changes.


31-31: ✅ Android runner migration to ubuntu-latest is correct.

Android builds don't require macOS; this change reduces resource costs and execution time.


138-151: ✅ Java installation check is well-structured and defensive.

The check-before-install pattern (lines 138–145) avoids redundant setup steps. Using an environment variable (INSTALL_JAVA) to gate the conditional setup (line 147) is a clean approach.

Minor note: The Temurin distribution and Java 17 version align well with modern mobile development practices.


97-97: No action needed—namespace-profile-apple-silicon-6cpu is a documented Namespace Runners provider explicitly configured for iOS builds in this project.

The runner is properly documented in ./app/fastlane/DEV.md under the CI/CD Pipeline section and is used consistently across multiple workflows (mobile-ci, mobile-deploy, mobile-e2e, and mobile-sdk-demo-e2e). This is an intentional setup leveraging a third-party runner provider, not a misconfiguration.

.github/workflows/mobile-e2e.yml (2)

287-300: Java availability check is well-implemented.

The conditional Java setup logic correctly detects installation status before attempting configuration, avoiding unnecessary setup overhead on runners where Java is already present.


241-243: Custom runner label is properly documented in project infrastructure.

The namespace-profile-apple-silicon-6cpu runner label is explicitly documented in app/fastlane/DEV.md (line 399) as the configured runner for iOS builds. This custom self-hosted runner label is expected and intentionally configured for your infrastructure.

.github/workflows/mobile-deploy.yml (1)

270-270: Verify the custom Namespace runner is properly configured.

The namespace-profile-apple-silicon-6cpu runner is a custom self-hosted runner not documented in the repository. Ensure this runner is registered in your GitHub organization's Actions settings with appropriate labels, otherwise the job will fail at runtime. If configured at the organization level, add documentation or a comment in the workflow explaining the custom runner setup.

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (4)

12-12: LGTM: REPO_ROOT and flexible cwd handling.

The addition of REPO_ROOT and the optional cwd parameter to runCommand properly supports running Git commands from the repository root, which is necessary for correct submodule operations. The implementation is clean and maintains backward compatibility with the default SDK_DIR.

Also applies to: 38-41


116-122: LGTM: Robust submodule state detection.

The logic correctly checks submodule registration in .gitmodules and handles edge cases like unreadable directories. The try-catch around fs.readdirSync (lines 136-141) prevents crashes when the submodule directory exists but isn't accessible.

Also applies to: 133-143


184-188: LGTM: Safe cleanup of empty submodule directory.

The logic correctly handles the edge case where a submodule directory exists but is empty (e.g., from a failed initialization). Using path.relative ensures the correct path is computed, and the rm -rf is safe since PRIVATE_MODULE_PATH is constructed from validated constants.


190-214: LGTM: Proper submodule initialization with secure CI handling.

The logic correctly handles both scenarios:

  • Registered submodules are updated via git submodule update --init --recursive
  • Unregistered submodules are added via git submodule add

Running commands from REPO_ROOT ensures correct Git context, and using stdio: 'pipe' in CI with tokens prevents credential exposure in logs.
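An added example, not part of the review and not the project's `setup-native-source.cjs`: a sketch of the two token-handling points raised above, failing loudly when CI has no token and capturing child output with `stdio: 'pipe'` so it is redacted before it reaches the job log. The environment variable names, the `example-org/private-module` repository, and the helper names other than `runCommand` are assumptions.

```javascript
const { spawnSync } = require('node:child_process');

// Hypothetical env var names; the project's real names are not shown on this page.
const TOKEN_ENV_VARS = ['EXAMPLE_APP_TOKEN', 'EXAMPLE_REPO_TOKEN'];

// Fail early with a descriptive code instead of letting git hang or emit
// a cryptic permission error later in the build.
function resolveToken(env = process.env) {
  const isCI = env.CI === 'true';
  const name = TOKEN_ENV_VARS.find((n) => env[n]);
  const token = name ? env[name] : '';
  if (isCI && !token) {
    throw new Error(
      `PRIVATE_MODULE_TOKEN_MISSING: CI run needs one of ${TOKEN_ENV_VARS.join(', ')} to fetch the private module`
    );
  }
  return { isCI, token };
}

// Placeholder repository; x-access-token is the user name GitHub accepts for token auth over HTTPS.
function buildCloneUrl(token, repo = 'example-org/private-module') {
  return token
    ? `https://x-access-token:${encodeURIComponent(token)}@github.com/${repo}.git`
    : `https://github.com/${repo}.git`;
}

// Mask every known secret (raw and URL-encoded), then any userinfo left in a URL.
function redact(text, secrets) {
  let out = String(text);
  for (const s of secrets) {
    if (!s) continue;
    out = out.split(s).join('***');
    out = out.split(encodeURIComponent(s)).join('***');
  }
  return out.replace(/(https?:\/\/)[^/\s@]+@/g, '$1***@');
}

// Arguments are passed as an array, so no shell ever parses the token.
function runCommand(command, args, { cwd = process.cwd(), secrets = [], isCI = false } = {}) {
  const hasSecret = secrets.some(Boolean);
  // 'inherit' streams child output straight into the job log; 'pipe' lets us
  // capture it and redact before anything is printed or thrown.
  const stdio = isCI && hasSecret ? 'pipe' : 'inherit';
  const res = spawnSync(command, args, { cwd, stdio, encoding: 'utf8' });
  if (res.error) {
    throw new Error(`${command} failed to start: ${redact(res.error.message, secrets)}`);
  }
  if (res.status !== 0) {
    const shown = redact([command, ...args].join(' '), secrets);
    const detail = stdio === 'pipe' ? redact(res.stderr || '', secrets).trim() : '(output above)';
    throw new Error(`Command failed (exit ${res.status}): ${shown}\n${detail}`);
  }
  return stdio === 'pipe' ? redact(res.stdout || '', secrets) : '';
}

module.exports = { resolveToken, buildCloneUrl, redact, runCommand };
```

In a real script the call would look like `runCommand('git', ['submodule', 'update', '--init', '--recursive'], { cwd: repoRoot, secrets: [token], isCI })`, with `repoRoot` standing in for the repository root.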

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/mobile-bundle-analysis.yml (1)

86-87: Same actionlint configuration needed here.

The custom runner label namespace-profile-apple-silicon-6cpu will trigger the same actionlint warning. The .github/actionlint.yaml configuration suggested in mobile-e2e.yml will resolve this warning across all workflows.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b7c56d and 229ebce.

📒 Files selected for processing (4)
  • .github/workflows/mobile-bundle-analysis.yml (3 hunks)
  • .github/workflows/mobile-ci.yml (1 hunks)
  • .github/workflows/mobile-e2e.yml (2 hunks)
  • .github/workflows/mobile-sdk-demo-e2e.yml (2 hunks)
🧰 Additional context used
🧠 Learnings (23)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Flag security-sensitive changes for special review in PR descriptions.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure CI pipeline passes all stages and no new linting/formatting issues are introduced after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure type checking passes in all affected workspaces and build artifacts are generated successfully after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-09-06T02:14:42.185Z
Learnt from: transphorm
Repo: selfxyz/self PR: 919
File: .github/workflows/mobile-ci.yml:437-439
Timestamp: 2025-09-06T02:14:42.185Z
Learning: When infrastructure issues like NDK version misalignment are identified during feature PRs, the team prefers to defer these to separate follow-up PRs to maintain focused scope and avoid scope creep.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Run `yarn test:build` command to validate tests, build dependencies, types, and bundle analysis in both app and mobile-sdk-alpha directories

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-07-29T01:08:28.530Z
Learnt from: transphorm
Repo: selfxyz/self PR: 795
File: app/android/app/build.gradle:157-158
Timestamp: 2025-07-29T01:08:28.530Z
Learning: For this React Native project, the team prefers build flexibility over fail-fast behavior for release builds in app/android/app/build.gradle. They intentionally allow fallback to debug signing for local development runs, relying on Google Play Console validation to catch any improperly signed releases during upload.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Use Maestro for E2E testing with platform-specific flows for iOS and Android.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, build all workspaces except `contracts` using `yarn build`, and compile Solidity contracts with `yarn workspace selfxyz/contracts build`.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before creating a PR, ensure `yarn types` passes across the repo.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to app/src/**/*.{ts,tsx} : Update app to consume mobile-sdk-alpha modules after migration and validate all existing app tests pass

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/attestation/**/*.{ts,tsx} : Migrate attestation verification from app/src/utils/ to packages/mobile-sdk-alpha/src/attestation/ with tests for PCR0 validation and certificate chain validation

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/processing/**/*.{ts,tsx} : Migrate MRZ processing helpers from app/src/utils/ to packages/mobile-sdk-alpha/src/processing/ with comprehensive tests for MRZ parsing and cross-platform compatibility

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:28.188Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/compliance-verification.mdc:0-0
Timestamp: 2025-11-25T14:07:28.188Z
Learning: Applies to **/{mobile,client,app,proof,zk}/**/*.{ts,tsx,js,swift,kt} : Achieve proof generation in <60 seconds on mid-tier mobile devices

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
🪛 actionlint (1.7.9)
.github/workflows/mobile-bundle-analysis.yml

87-87: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-e2e.yml

233-233: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-sdk-demo-e2e.yml

206-206: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: test
  • GitHub Check: test-common
  • GitHub Check: type-check
  • GitHub Check: Android E2E Tests Demo App
  • GitHub Check: iOS E2E Tests Demo App
  • GitHub Check: analyze-android
  • GitHub Check: e2e-ios
  • GitHub Check: android-build-test
🔇 Additional comments (5)
.github/workflows/mobile-sdk-demo-e2e.yml (2)

205-206: Runner migration looks good.

The switch to namespace-profile-apple-silicon-6cpu aligns with the PR's performance optimization goals. Retaining the previous runner as a comment is helpful for reference and potential rollback if needed.


248-262: Smart optimization: conditional Java installation.

The Java availability check before running setup-java is a solid performance optimization. The logic correctly detects whether Java is already installed and skips the setup action when unnecessary, reducing build time on runners with Java pre-installed.

.github/workflows/mobile-e2e.yml (1)

277-291: Java bootstrap logic is sound.

The conditional Java installation optimizes setup time by detecting pre-installed Java on the runner. The pattern is consistent across workflows and uses proper validation with both command -v and java -version checks.

.github/workflows/mobile-ci.yml (1)

206-208: Build delegation to mobile-e2e.yml clarifies workflow separation.

Moving iOS and Android builds to the E2E workflow consolidates platform validation and reduces duplication. The mobile-ci.yml now focuses on dependency builds, linting, type checking, and unit tests, while mobile-e2e.yml handles platform builds and integration testing.

.github/workflows/mobile-bundle-analysis.yml (1)

126-140: Java bootstrap logic matches mobile-e2e.yml pattern.

The conditional Java installation follows the same sound pattern as mobile-e2e.yml, optimizing setup time while ensuring Java availability.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/mobile-ci.yml (1)

427-428: PR coverage risk: Android build also won't run on pull_request events.

Same issue as the iOS job - the workflow_dispatch restriction prevents Android builds from running on PRs, which could allow Android breakage to slip through.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 229ebce and e1a9a99.

📒 Files selected for processing (1)
  • .github/workflows/mobile-ci.yml (6 hunks)
🧰 Additional context used
🧠 Learnings (19)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Flag security-sensitive changes for special review in PR descriptions.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure CI pipeline passes all stages and no new linting/formatting issues are introduced after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure type checking passes in all affected workspaces and build artifacts are generated successfully after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-09-06T02:14:42.185Z
Learnt from: transphorm
Repo: selfxyz/self PR: 919
File: .github/workflows/mobile-ci.yml:437-439
Timestamp: 2025-09-06T02:14:42.185Z
Learning: When infrastructure issues like NDK version misalignment are identified during feature PRs, the team prefers to defer these to separate follow-up PRs to maintain focused scope and avoid scope creep.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Run `yarn test:build` command to validate tests, build dependencies, types, and bundle analysis in both app and mobile-sdk-alpha directories

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{test,spec}.{ts,tsx,js,jsx} : Ensure `yarn test` passes (unit tests) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Use Vitest for testing in the mobile-sdk-alpha package with Node environment configured in vitest.config.ts

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Mock native dependencies appropriately in tests when testing platform-specific code

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/web/** : Web build must succeed via `yarn web` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, build all workspaces except `contracts` using `yarn build`, and compile Solidity contracts with `yarn workspace selfxyz/contracts build`.

Applied to files:

  • .github/workflows/mobile-ci.yml
🪛 actionlint (1.7.9)
.github/workflows/mobile-ci.yml

209-209: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: test
  • GitHub Check: test-common
  • GitHub Check: type-check
  • GitHub Check: iOS E2E Tests Demo App
  • GitHub Check: Android E2E Tests Demo App
  • GitHub Check: android-build-test
  • GitHub Check: e2e-ios
  • GitHub Check: analyze-android
🔇 Additional comments (3)
.github/workflows/mobile-ci.yml (3)

288-288: LGTM! Unified Ruby cache path.

This correctly updates to the unified app/vendor/bundle path for Ruby gems, consistent with the repository's caching strategy. Based on learnings, this path is now used for both iOS and Android builds.


317-324: LGTM! Proper security for private repository access.

The token generation with fork protection is correctly implemented. The condition ensures secrets aren't exposed to forked PRs, and the configure-netrc setup enables authenticated Git operations for private dependencies.


334-335: LGTM! Token properly wired to dependency build.

The token is correctly passed to the build step with an appropriate empty-string fallback for scenarios where token generation is skipped (e.g., forked PRs).

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/mobile-e2e.yml (1)

294-308: Java version check doesn't verify the required version.

Same issue as in mobile-bundle-analysis.yml: the check only confirms Java exists but doesn't validate the version matches JAVA_VERSION (17). This could cause build failures if a different Java version is pre-installed on the namespace runner.

Apply the same fix as suggested for mobile-bundle-analysis.yml to verify the Java version explicitly.

.github/workflows/mobile-sdk-demo-e2e.yml (1)

265-279: Java version check doesn't verify the required version.

This is the third occurrence of the same pattern across the workflow files. The check doesn't validate that the installed Java version matches JAVA_VERSION (17).

Apply the same version verification fix suggested for mobile-bundle-analysis.yml to ensure version compatibility.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1a9a99 and aa90e99.

📒 Files selected for processing (3)
  • .github/workflows/mobile-bundle-analysis.yml (4 hunks)
  • .github/workflows/mobile-e2e.yml (4 hunks)
  • .github/workflows/mobile-sdk-demo-e2e.yml (4 hunks)
🧰 Additional context used
🧠 Learnings (18)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to app/src/**/*.{ts,tsx} : Update app to consume mobile-sdk-alpha modules after migration and validate all existing app tests pass

Applied to files:

  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Flag security-sensitive changes for special review in PR descriptions.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure CI pipeline passes all stages and no new linting/formatting issues are introduced after PR creation.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-09-06T02:14:42.185Z
Learnt from: transphorm
Repo: selfxyz/self PR: 919
File: .github/workflows/mobile-ci.yml:437-439
Timestamp: 2025-09-06T02:14:42.185Z
Learning: When infrastructure issues like NDK version misalignment are identified during feature PRs, the team prefers to defer these to separate follow-up PRs to maintain focused scope and avoid scope creep.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure type checking passes in all affected workspaces and build artifacts are generated successfully after PR creation.

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/*.{js,ts,tsx,json,md,yml,yaml} : Use Prettier for code formatting with root Prettier and EditorConfig settings

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/demo/**/*.{ts,tsx,js,jsx} : Create an in-SDK lightweight demo in packages/mobile-sdk-alpha/demo/ using embedded React Native with MRZ flow and theming hooks integration

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/web/** : Web build must succeed via `yarn web` command in target environments

Applied to files:

  • .github/workflows/mobile-bundle-analysis.yml
🪛 actionlint (1.7.9)
.github/workflows/mobile-e2e.yml

244-244: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-sdk-demo-e2e.yml

217-217: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-bundle-analysis.yml

102-102: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: test
  • GitHub Check: type-check
  • GitHub Check: analyze-android
  • GitHub Check: android-build-test
  • GitHub Check: Android E2E Tests Demo App
🔇 Additional comments (6)
.github/workflows/mobile-bundle-analysis.yml (2)

11-30: Workflow triggers look comprehensive.

Both push and pull_request triggers are configured with appropriate branch and path filters, ensuring the workflow runs for relevant changes.


35-35: Good choice for Android builds.

Using ubuntu-latest for Android analysis is cost-effective and appropriate, as Android builds don't require macOS infrastructure.

.github/workflows/mobile-e2e.yml (2)

20-39: Enhanced trigger configuration enables flexible E2E execution.

The addition of push and issue_comment triggers provides multiple ways to run iOS E2E tests: automatic on protected branches, manual via workflow dispatch, or on-demand via PR comments containing /run-ios-e2e.


243-250: iOS E2E conditional execution logic is well-designed.

The job runs on workflow dispatch, push events, or when triggered by issue comments containing /run-ios-e2e on PRs. This provides flexibility while optimizing resource usage.

.github/workflows/mobile-sdk-demo-e2e.yml (2)

22-41: Trigger configuration mirrors E2E workflow patterns effectively.

The combination of push, pull_request, and issue_comment triggers provides appropriate coverage for the mobile SDK demo E2E testing, with paths correctly scoped to relevant packages.


216-223: SDK-specific trigger logic is appropriately differentiated.

The conditional uses /run-ios-sdk as the comment trigger, which appropriately distinguishes SDK demo E2E runs from main app E2E runs (/run-ios-e2e).

@jcortejoso
Member Author

/run-ios-e2e

@jcortejoso jcortejoso changed the title from "chore: Using Namespace for MacOS Runners" to "chore: Using Namespace.so for MacOS Runners" Dec 22, 2025

@cursor cursor bot left a comment


export function returnNewDateString(timestamp?: string): string {
const newDate = timestamp ? new Date(+timestamp * 1000) : new Date();
const newDate = timestamp ? new Date(+timestamp) : new Date();

Timestamp interpretation changed from seconds to milliseconds

The returnNewDateString function changed from new Date(+timestamp * 1000) to new Date(+timestamp). This silently changes the expected timestamp format from Unix seconds to milliseconds. If any callers pass Unix timestamps in seconds (e.g., "1735000000"), they will now produce dates from 1970 instead of 2025. This function is called by createCustomV2TestData and generateTestData, which accept optional timestamp parameters from external callers, making this a potentially breaking change for Aadhaar test data generation.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/mobile-sdk-alpha/src/components/buttons/HeldPrimaryButtonProveScreen.tsx (1)

137-154: Add guard to exit 'ready' state when document expires.

The 'ready' state has guards to prevent entering when isDocumentExpired is true (lines 95, 114, 133), but lacks a guard to exit if the document expires while already in the 'ready' state. This could allow the button to remain enabled if a document expires at midnight while the user is viewing the ProveScreen.

🔎 Recommended fix
     ready: {
       on: {
         VERIFY: 'verifying',
       },
       always: [
         {
           target: 'waitingForSession',
           guard: ({ context }) => !context.selectedAppSessionId,
         },
         {
           target: 'needsScroll',
           guard: ({ context }) => !context.hasScrolledToBottom,
         },
         {
           target: 'preparing',
-          guard: ({ context }) => !context.isReadyToProve,
+          guard: ({ context }) => !context.isReadyToProve || context.isDocumentExpired,
         },
       ],
     },
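Review bot: The added `|| context.isDocumentExpired` clause on the `preparing` guard is only re-evaluated when the machine processes an event, so it leaves `ready` only if something updates `isDocumentExpired` in context while the screen is open, and nothing in this hunk shows that update. `VERIFY: 'verifying'` also stays unguarded; I would put the same `!context.isDocumentExpired` check on the `VERIFY` transition so an expired document cannot reach `verifying` even when no context update has arrived yet.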
♻️ Duplicate comments (1)
.github/workflows/mobile-e2e.yml (1)

242-243: Actionlint configuration for custom runner label.

The custom runner namespace-profile-apple-silicon-6cpu requires actionlint configuration to suppress the linter warning. This was already flagged in previous reviews with a solution: create .github/actionlint.yaml with the custom label.

🧹 Nitpick comments (5)
packages/mobile-sdk-alpha/src/flows/onboarding/country-picker-screen.tsx (1)

77-77: LGTM! Info icon successfully hidden.

The addition of showInfoIcon={false} correctly hides the info icon from the country picker UI. Note that the onInfoPress callback on line 75 becomes unreachable with the icon hidden—if this is a permanent change, that prop could be removed for cleaner code.

app/src/screens/account/settings/SettingsScreen.tsx (1)

165-178: Consider adding unmount guard for async state updates.

If the user navigates away before loadDocumentCatalog completes, setHasRealDocument could be called on an unmounted component. While React 18 handles this more gracefully, adding a cleanup guard is a best practice to prevent potential memory leaks.

Additionally, the catch block discards the error details which could aid debugging.

🔎 Proposed refactor with unmount guard and error logging
 const refreshDocumentAvailability = useCallback(async () => {
+  let isMounted = true;
   try {
     const catalog = await loadDocumentCatalog();
+    if (!isMounted) return;
     if (!catalog?.documents || !Array.isArray(catalog.documents)) {
       console.warn('SettingsScreen: invalid catalog structure');
       setHasRealDocument(false);
       return;
     }
     setHasRealDocument(catalog.documents.some(doc => !doc.mock));
-  } catch {
+  } catch (error) {
-    console.warn('SettingsScreen: failed to load document catalog');
+    console.warn('SettingsScreen: failed to load document catalog', error);
+    if (!isMounted) return;
     setHasRealDocument(false);
   }
+  return () => {
+    isMounted = false;
+  };
 }, [loadDocumentCatalog]);
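Review bot: The `isMounted` flag added here can never become false. It is a local declared inside the `useCallback` body, and the trailing `return () => { isMounted = false; };` is returned from an `async` function, so the caller receives a Promise that resolves to that closure and React never runs it as a cleanup. Both `if (!isMounted) return;` checks are therefore dead code. The flag needs to live in a ref, or in the effect that calls `refreshDocumentAvailability`, with that effect's own cleanup setting it to false.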

Alternatively, use an AbortController or a ref-based mounted flag if this pattern is common across the codebase.

.github/workflows/mobile-e2e.yml (1)

287-295: Consider verifying Java version, not just presence.

The current check confirms Java is installed but doesn't verify it matches JAVA_VERSION: 17. If the Namespace runner has a different Java version pre-installed (e.g., Java 11), the build will fail later with less clear diagnostics.

🔎 Optional: Enhanced Java version check
       - name: Check Java installation
         run: |
           echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
-          if command -v java &> /dev/null && java -version &> /dev/null; then
-            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
+          if command -v java &> /dev/null; then
+            JAVA_MAJOR_VERSION=$(java -version 2>&1 | head -n 1 | sed -E 's/.*version "([0-9]+).*/\1/')
+            if [ "$JAVA_MAJOR_VERSION" = "${{ env.JAVA_VERSION }}" ]; then
+              echo "Java $JAVA_MAJOR_VERSION already installed and matches required version"
+            else
+              echo "Java $JAVA_MAJOR_VERSION found but Java ${{ env.JAVA_VERSION }} required, will install..."
+              echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
+            fi
           else
             echo "Java not found or not working, will install..."
             echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
           fi
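Review bot: In the added `if [ "$JAVA_MAJOR_VERSION" = "${{ env.JAVA_VERSION }}" ]` line and the `echo` under its `else`, the expression is expanded into the script text before the shell runs. Assuming `JAVA_VERSION` is defined through the workflow `env` block as the comment implies, read it as `"$JAVA_VERSION"` so no workflow value is spliced into shell source. Separately, the `sed` pattern passes the whole line through unchanged when the first line of `java -version` output does not contain `version "<digits>`, and the rewrite drops the original `java -version &> /dev/null` check. The comparison still fails towards reinstalling, but the log then prints that raw line as the "found" version, so I would treat a non-numeric `JAVA_MAJOR_VERSION` as "not found or not working".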
app/src/screens/documents/aadhaar/AadhaarUploadErrorScreen.tsx (1)

98-107: Consider removing commented code.

The "Need Help?" button is commented out with a TODO. Since this is a deliberate UI simplification, consider removing the commented code entirely rather than leaving it in the codebase.

🔎 Proposed cleanup
         </YStack>
-          {/* <YStack flex={1}>
-            <SecondaryButton
-              onPress={() => {
-                trackEvent(AadhaarEvents.HELP_BUTTON_PRESSED, { errorType });
-                // TODO: Implement help functionality
-              }}
-            >
-              Need Help?
-            </SecondaryButton>
-          </YStack> */}
       </XStack>
app/tests/src/services/logging.test.ts (1)

97-117: Consider using waitFor or flushPromises for more deterministic timing.

The hardcoded setTimeout(..., 10) delays work but can be flaky in slower CI environments. Consider using a flushPromises utility or increasing the timeout if flakiness occurs.

🔎 Example utility
// Add to test file or shared test utils
const flushPromises = () => new Promise(resolve => setImmediate(resolve));

// Usage in tests
await flushPromises();

Also applies to: 160-179

Comment on lines +168 to +172
mobileReplayIntegration({
maskAllText: true,
maskAllImages: false,
maskAllVectors: false,
}),
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

fd sentry.ts -t f app/

Repository: selfxyz/self

Length of output: 80


🏁 Script executed:

if [ -f app/src/config/sentry.ts ]; then
  wc -l app/src/config/sentry.ts
  sed -n '150,180p' app/src/config/sentry.ts
fi

Repository: selfxyz/self

Length of output: 914


🏁 Script executed:

cat app/package.json | grep -A 2 -B 2 '@sentry/react-native'

Repository: selfxyz/self

Length of output: 248


Set maskAllImages and maskAllVectors to true for passport data protection.

With replaysOnErrorSampleRate: 1.0, the SDK records and aggressively masks all text, images, and webviews by default. However, setting maskAllImages: false and maskAllVectors: false means unmasked images of passports and identity documents will be captured in replays when errors occur during scanning. This setting is not to be used on applications with sensitive data.

🤖 Prompt for AI Agents
In app/src/config/sentry.ts around lines 168 to 172, the mobileReplayIntegration
options currently set maskAllImages: false and maskAllVectors: false which
allows unmasked images/webviews (e.g., passport scans) to be captured; change
both options to true to ensure images and vector content are masked. Update the
mobileReplayIntegration call to set maskAllImages: true and maskAllVectors: true
so replays cannot capture sensitive passport/identity images or vector content.

import { createJSONStorage, persist } from 'zustand/middleware';
import AsyncStorage from '@react-native-async-storage/async-storage';

type LoggingSeverity = 'debug' | 'info' | 'warn' | 'error';

⚠️ Potential issue | 🟡 Minor

Missing export for LoggingSeverity type.

The type is imported in app/tests/src/services/logging.test.ts at line 9 but isn't exported here. This will cause a TypeScript compilation error.

🔎 Proposed fix
-type LoggingSeverity = 'debug' | 'info' | 'warn' | 'error';
+export type LoggingSeverity = 'debug' | 'info' | 'warn' | 'error';
🤖 Prompt for AI Agents
In app/src/stores/settingStore.ts around line 9, the type alias LoggingSeverity
is declared but not exported, causing import failures elsewhere; export it by
changing the declaration to an exported type (e.g., add "export" before the type
alias) so other modules/tests can import it, and run TypeScript build to confirm
the import in app/tests/src/services/logging.test.ts resolves.

export const PASSPORT_ATTESTATION_ID = '1';

export const PCR0_MANAGER_ADDRESS = '0x9743fe2C1c3D2b068c56dE314e9B10DA9c904717';
export const PCR0_MANAGER_ADDRESS = '0xE36d4EE5Fd3916e703A46C21Bb3837dB7680C8B8';

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for PCR0_MANAGER_ADDRESS references in codebase
echo "=== Searching for PCR0_MANAGER_ADDRESS references ==="
rg -n "PCR0_MANAGER_ADDRESS" --type=ts --type=tsx -C2 || echo "No matches found"

echo -e "\n=== Searching for the old address references ==="
rg -n "0x9743fe2C1c3D2b068c56dE314e9B10DA9c904717" --type=ts --type=tsx || echo "No matches found"

echo -e "\n=== Searching for the new address references ==="
rg -n "0xE36d4EE5Fd3916e703A46C21Bb3837dB7680C8B8" --type=ts --type=tsx || echo "No matches found"

echo -e "\n=== Looking for PCR0-related test files ==="
fd -e test.ts -e spec.ts | xargs grep -l "PCR0\|attestation" 2>/dev/null || echo "No test files found"

echo -e "\n=== Checking for constants.ts file ==="
find . -name "constants.ts" -type f

Repository: selfxyz/self

Length of output: 1549


🏁 Script executed:

#!/bin/bash
# Read the constants.ts file around line 164
echo "=== Reading common/src/constants/constants.ts ==="
wc -l ./common/src/constants/constants.ts

echo -e "\n=== Lines 150-175 of constants.ts ==="
sed -n '150,175p' ./common/src/constants/constants.ts

echo -e "\n=== Searching for PCR0 references in contracts test directory ==="
grep -r "PCR0" contracts/test/ --include="*.ts" -l

echo -e "\n=== Reading PCR0Manager.test.ts ==="
head -100 ./contracts/test/unit/PCR0Manager.test.ts

echo -e "\n=== Checking deployment configs ==="
find . -name "*.env*" -o -name "deploy*.ts" -o -name "config*.ts" | head -20

Repository: selfxyz/self

Length of output: 6203


🏁 Script executed:

#!/bin/bash
# Check the deployment script for PCR0
echo "=== Reading deployPCR0.ts ==="
cat ./contracts/ignition/modules/utils/deployPCR0.ts

echo -e "\n=== Searching for any environment variables or network configs ==="
grep -r "PCR0_MANAGER" contracts/ --include="*.ts" --include="*.js" --include="*.env*" 2>/dev/null || echo "No PCR0_MANAGER vars found"

echo -e "\n=== Looking for any references to the constant in app or sdk ==="
grep -r "PCR0_MANAGER_ADDRESS\|0xE36d4EE5Fd3916e703A46C21Bb3837dB7680C8B8" app/ sdk/ 2>/dev/null || echo "No references in app/sdk"

echo -e "\n=== Checking git log for recent changes to constants.ts ==="
git log --oneline -20 -- ./common/src/constants/constants.ts 2>/dev/null || echo "Git history not available"

echo -e "\n=== Checking if there are multiple network configs ==="
find . -name "*.ts" -o -name "*.js" | xargs grep -l "mainnet\|testnet\|alfajores" 2>/dev/null | head -10

Repository: selfxyz/self

Length of output: 953


🏁 Script executed:

#!/bin/bash
# Look for any hardcoded contract addresses to understand the pattern
echo "=== Checking REGISTER_CONTRACT_ADDRESS usage ==="
grep -r "REGISTER_CONTRACT_ADDRESS" --include="*.ts" --include="*.tsx" -B2 -A2 | head -30

echo -e "\n=== Checking full context of constants imports ==="
grep -r "from.*constants" app/ sdk/ common/ --include="*.ts" --include="*.tsx" | grep -E "PCR0|REGISTER" | head -20

echo -e "\n=== Looking for attestation or contract initialization patterns ==="
find . -name "*.ts" -path "*/src/*" | xargs grep -l "PCR0\|attestation.*manager\|pcr0" 2>/dev/null | head -10

echo -e "\n=== Check contracts/hardhat.config.ts for network configs ==="
grep -A30 "networks:" ./contracts/hardhat.config.ts

Repository: selfxyz/self

Length of output: 1762


🏁 Script executed:

#!/bin/bash
# Check how PCR0_MANAGER_ADDRESS is actually used
echo "=== Reading common/src/utils/attest.ts ==="
cat ./common/src/utils/attest.ts

echo -e "\n=== Check for test files using attest functions ==="
find . -name "*.test.ts" -o -name "*.spec.ts" | xargs grep -l "attest\|PCR0_MANAGER" 2>/dev/null | head -10

Repository: selfxyz/self

Length of output: 8686


Integration testing required for PCR0Manager contract on mainnet.

The PCR0_MANAGER_ADDRESS constant is actively used in common/src/utils/attest.ts to verify attestation PCR0 values against a contract instance on Celo mainnet. However, existing unit tests in contracts/test/unit/PCR0Manager.test.ts deploy fresh contract instances locally and don't validate the actual deployed contract at this address.

Before merging, confirm:

  • Integration tests exist that verify the deployed contract at 0xE36d4EE5Fd3916e703A46C21Bb3837dB7680C8B8 on mainnet is functional
  • The address is correctly registered in any network configuration or deployment documentation
  • This address corresponds to the coordinated smart contract deployment
🤖 Prompt for AI Agents
In common/src/constants/constants.ts at line 164, the PCR0_MANAGER_ADDRESS
constant points to a mainnet contract but there are no integration checks
against that deployed address; add an integration test that (1) connects to Celo
mainnet (or a mainnet fork) using the project's network config, instantiates the
PCR0Manager ABI at 0xE36d4EE5Fd3916e703A46C21Bb3837dB7680C8B8, and calls the
same public getter(s) used in common/src/utils/attest.ts to verify expected
behavior; (2) gate the test behind an env flag (e.g., RUN_INTEGRATION_TESTS) so
it does not run in unit CI; (3) verify and/or add the address into the
network/deployment configuration and deployment docs so it’s clearly recorded
and sourced from the coordinated deployment; and (4) fail the test if the
contract is not reachable or returns unexpected values so the constant is
validated before merging.

…vironments

- Added Java installation checks and setup steps to multiple CI workflows to ensure Java is available for builds.
- Changed runner environments for iOS builds from `macos-latest-large` to `namespace-profile-apple-silicon-6cpu` for better resource management.
- Updated push triggers for CI workflows to include specific branches and paths for more controlled execution.
…56GCM function

- Removed redundant checks for the AES-GCM authentication tag, simplifying the code while maintaining functionality.
- Updated the return structure to directly convert the authentication tag to a binary format, enhancing clarity and efficiency.
…oid build steps

- Removed extensive iOS and Android build steps from the mobile CI workflow, as build verification is now handled by the mobile-e2e.yml workflow.
…larity

- Removed push triggers from mobile CI, E2E, and bundle analysis workflows to streamline execution and focus on pull request events.
- This change enhances workflow clarity and reduces unnecessary runs on branch pushes.
… trigger on workflow dispatch events, reducing unnecessary executions.
…ecution control

- Added push triggers for dev, staging, and main branches in mobile bundle analysis, E2E, and demo E2E workflows to ensure builds are triggered on relevant changes.
- Included conditions for running iOS E2E tests based on issue comments, allowing for more flexible testing workflows.
- Eliminated issue comment event triggers from mobile E2E workflows to streamline execution and focus on workflow dispatch and push events.
- This change enhances clarity and reduces unnecessary complexity in the CI process.
- Eliminated the checkout action from the npm publish workflow to streamline the process and reduce unnecessary steps.
- This change aims to enhance the efficiency of the CI pipeline.
@jcortejoso jcortejoso force-pushed the jcortejoso/macos-runner branch from b28e7a0 to 20c57b0 Compare December 22, 2025 15:12
timeout-minutes: 120
runs-on: macos-latest-large
# runs-on: macos-latest-large
runs-on: namespace-profile-apple-silicon-6cpu

Missing if condition for e2e-ios job trigger control

The e2e-ios job is missing an if condition to restrict when it runs. Per the PR description, this job should only execute on push (when merged to dev/staging/main), workflow_dispatch, or via /run-ios-e2e comment trigger. However, without an if condition, it will run on all triggers including every pull_request event. The similar ios-e2e job in mobile-sdk-demo-e2e.yml correctly includes if: github.event_name == 'workflow_dispatch' || github.event_name == 'push', but this was not added here.

Member Author

Update description with new functionality.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (6)
.github/workflows/mobile-e2e.yml (1)

242-243: Runner migration looks good; actionlint config remains pending.

The switch to Namespace Apple Silicon runners is working as intended. The actionlint warning is expected for custom runner labels and was already flagged in previous reviews with a solution (create .github/actionlint.yaml with the custom label).

.github/workflows/mobile-bundle-analysis.yml (2)

101-102: Custom runner requires actionlint configuration.

Add namespace-profile-apple-silicon-6cpu to .github/actionlint.yaml to suppress the linting warning for this custom runner.


141-155: Java version check doesn't validate the required version.

The check confirms Java is installed but doesn't verify it matches JAVA_VERSION (17). If a different Java version is pre-installed, the setup step will be skipped, potentially causing build failures.

🔎 Proposed fix to verify Java version
      - name: Check Java installation
        run: |
          echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
-          if command -v java &> /dev/null && java -version &> /dev/null; then
-            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
-          else
+          if command -v java &> /dev/null; then
+            INSTALLED_VERSION=$(java -version 2>&1 | head -n 1 | grep -oP '(?<=version ")\d+' || echo "0")
+            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
+            if [ "$INSTALLED_VERSION" != "${{ env.JAVA_VERSION }}" ]; then
+              echo "Java version mismatch (installed: $INSTALLED_VERSION, required: ${{ env.JAVA_VERSION }}), will reinstall..."
+              echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
+            fi
+          else
            echo "Java not found or not working, will install..."
            echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
          fi
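Review bot: `grep -oP` on the added `INSTALLED_VERSION=` line depends on GNU grep; if this step runs on the macOS runner (`namespace-profile-apple-silicon-6cpu`), the BSD grep shipped with macOS has no `-P` option unless GNU grep is on the PATH. In that case the pipeline falls through to `|| echo "0"`, the comparison with `JAVA_VERSION` always mismatches, and `INSTALL_JAVA=true` is set on every run, so the check never skips setup. A portable extraction such as `sed -E 's/.*version "([0-9]+).*/\1/'` avoids the dependency, and it is worth deciding how a legacy `1.8.0_x` version string, which yields `1`, should be treated.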
.github/workflows/mobile-ci.yml (2)

207-209: iOS build limited to manual workflow_dispatch by design.

The comment (line 207) indicates iOS builds are intentionally restricted to workflow_dispatch since mobile-e2e.yml provides coverage. While this reduces CI costs, it means PRs won't validate iOS builds until E2E runs.

Also, add namespace-profile-apple-silicon-6cpu to .github/actionlint.yaml to suppress the linting warning for this custom runner.


257-271: Java setup may be unnecessary in iOS-only job, and version check is incomplete.

A previous review comment noted that Java is not required for iOS builds (which use Xcode and CocoaPods). Unless Java is genuinely needed for shared dependencies, consider removing these steps from the iOS job.

Additionally, the version check doesn't validate that the installed Java version matches JAVA_VERSION (17), which could lead to build failures if a different version is pre-installed.

🔎 Option 1: Remove Java setup from iOS job (if not needed)
-      - name: Check Java installation
-        run: |
-          echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
-          if command -v java &> /dev/null && java -version &> /dev/null; then
-            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
-          else
-            echo "Java not found or not working, will install..."
-            echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
-          fi
-      - name: Setup Java environment
-        if: env.INSTALL_JAVA == 'true'
-        uses: actions/setup-java@v4
-        with:
-          distribution: "temurin"
-          java-version: ${{ env.JAVA_VERSION }}
🔎 Option 2: Fix version validation (if Java is needed)
      - name: Check Java installation
        run: |
          echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
-          if command -v java &> /dev/null && java -version &> /dev/null; then
-            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
-          else
+          if command -v java &> /dev/null; then
+            INSTALLED_VERSION=$(java -version 2>&1 | head -n 1 | grep -oP '(?<=version ")\d+' || echo "0")
+            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
+            if [ "$INSTALLED_VERSION" != "${{ env.JAVA_VERSION }}" ]; then
+              echo "Java version mismatch (installed: $INSTALLED_VERSION, required: ${{ env.JAVA_VERSION }}), will reinstall..."
+              echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
+            fi
+          else
            echo "Java not found or not working, will install..."
            echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
          fi
.github/workflows/mobile-deploy.yml (1)

434-448: Java version check doesn't validate the required version.

The check confirms Java is installed but doesn't verify it matches JAVA_VERSION (17). If the namespace runner has a different Java version pre-installed, the setup step will be skipped, potentially causing build failures downstream.

🔎 Proposed fix to verify Java version
      - name: Check Java installation
        run: |
          echo "INSTALL_JAVA=false" >> "$GITHUB_ENV"
-          if command -v java &> /dev/null && java -version &> /dev/null; then
-            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
-          else
+          if command -v java &> /dev/null; then
+            INSTALLED_VERSION=$(java -version 2>&1 | head -n 1 | grep -oP '(?<=version ")\d+' || echo "0")
+            echo "Java already installed: $(java -version 2>&1 | head -n 1)"
+            if [ "$INSTALLED_VERSION" != "${{ env.JAVA_VERSION }}" ]; then
+              echo "Java version mismatch (installed: $INSTALLED_VERSION, required: ${{ env.JAVA_VERSION }}), will reinstall..."
+              echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
+            fi
+          else
            echo "Java not found or not working, will install..."
            echo "INSTALL_JAVA=true" >> "$GITHUB_ENV"
          fi
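Review bot: the `${{ env.JAVA_VERSION }}` expressions on the added comparison and echo lines are expanded into the script text before the shell starts. `JAVA_VERSION` is a workflow `env` value and is already exported to the step, so reference it as `"$JAVA_VERSION"` instead. Keeping workflow expressions out of `run:` shell source is the habit that prevents script injection if such a value is ever derived from an input.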
🧹 Nitpick comments (4)
.github/workflows/mobile-e2e.yml (1)

287-301: Remove Java setup from iOS job—it's not required for Xcode/CocoaPods builds.

iOS builds use Xcode and CocoaPods (Ruby-based), not Java. Gradle requires JVM, which explains why the Android job already sets up Java. Removing the Java check from the iOS workflow simplifies it and reduces unnecessary setup time without impacting the build.

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)

121-121: Hardcoded submodule path reduces maintainability.

The submodule path packages/mobile-sdk-alpha/mobile-sdk-native is hardcoded in multiple locations, while PRIVATE_MODULE_PATH is constructed dynamically. If the script is relocated or the SDK directory structure changes, these references would need manual updates.

Consider deriving the relative submodule path programmatically to improve robustness.

🔎 Proposed refactor to compute path dynamically

Add a constant near the top of the file:

 const SDK_DIR = path.dirname(SCRIPT_DIR);
 const REPO_ROOT = path.resolve(SDK_DIR, '../../');
 const PRIVATE_MODULE_PATH = path.join(SDK_DIR, 'mobile-sdk-native');
+const SUBMODULE_PATH_RELATIVE = path.relative(REPO_ROOT, PRIVATE_MODULE_PATH);

Then replace the hardcoded strings:

-    const isSubmoduleRegistered =
-      gitmodulesExists && gitmodulesContent.includes('[submodule "packages/mobile-sdk-alpha/mobile-sdk-native"]');
+    const isSubmoduleRegistered =
+      gitmodulesExists && gitmodulesContent.includes(`[submodule "${SUBMODULE_PATH_RELATIVE}"]`);
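Review bot: the `includes(...)` comparison built from `SUBMODULE_PATH_RELATIVE` assumes `path.relative()` returns forward slashes. On Windows it returns a backslash-separated path, while `.gitmodules` section names use `/`, so the check would report the submodule as unregistered there. Normalise when defining the constant, for example `path.relative(REPO_ROOT, PRIVATE_MODULE_PATH).split(path.sep).join('/')`, and reuse that value at the other hardcoded sites.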

Apply similar replacements at lines 148, 163, 190, and 202.

Also applies to: 190-190, 202-202

Also applies to: 148-148, 163-163

.github/workflows/mobile-deploy.yml (1)

268-269: Custom runner requires actionlint configuration to suppress warning.

The namespace-profile-apple-silicon-6cpu label is flagged by actionlint because it's not in the standard GitHub runner list. Since this is a custom Namespace.so runner, add it to your .github/actionlint.yaml to suppress the warning:

self-hosted-runner:
  labels:
    - namespace-profile-apple-silicon-6cpu
.github/workflows/mobile-bundle-analysis.yml (1)

11-20: iOS bundle analysis won't run for pull requests by design.

While push triggers were added (lines 11-20), the analyze-ios job is gated to workflow_dispatch or push only (line 100), excluding pull_request events. This means PRs won't receive iOS bundle analysis feedback before merge—analysis only runs after merging to dev/staging/main.

This appears intentional per the PR objectives, but it creates a gap where iOS bundle size regressions could merge before detection.

Also applies to: 100-100

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b28e7a0 and 20c57b0.

📒 Files selected for processing (10)
  • .github/actionlint.yaml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-e2e.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/npm-publish.yml
  • app/fastlane/DEV.md
  • packages/mobile-sdk-alpha/scripts/build-android.sh
  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
💤 Files with no reviewable changes (1)
  • .github/workflows/npm-publish.yml
🚧 Files skipped from review as they are similar to previous changes (3)
  • app/fastlane/DEV.md
  • .github/actionlint.yaml
  • packages/mobile-sdk-alpha/scripts/build-android.sh
🧰 Additional context used
🧠 Learnings (46)
📓 Common learnings
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/index.ts : Re-export all new migrated modules via packages/mobile-sdk-alpha/src/index.ts and document them in packages/mobile-sdk-alpha/README.md

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/artifacts/**/*.{ts,tsx} : Migrate artifact management from app/src/utils/ to packages/mobile-sdk-alpha/src/artifacts/ with tests for manifest validation, CDN downloads, signature verification, and storage

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/{ios,android}/** : Document complex native module changes and explain platform-specific code paths

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/protocol/**/*.{ts,tsx} : Migrate protocol synchronization from app/src/utils/ to packages/mobile-sdk-alpha/src/protocol/ with tests for tree fetching, TTL caching, rate limiting, and memory bounds

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to app/src/**/*.{ts,tsx} : Update app to consume mobile-sdk-alpha modules after migration and validate all existing app tests pass

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Mock native dependencies appropriately in tests when testing platform-specific code

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/package.json : Ensure exports are properly configured before publishing the package

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/tee/**/*.{ts,tsx} : Migrate TEE session management from app/src/utils/ to packages/mobile-sdk-alpha/src/tee/ with tests for WebSocket handling, abort, timeout, and lifecycle events

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-22T23:16:26.719Z
Learnt from: transphorm
Repo: selfxyz/self PR: 1446
File: .github/workflows/mobile-bundle-analysis.yml:117-117
Timestamp: 2025-11-22T23:16:26.719Z
Learning: In the selfxyz/self repository, for mobile workflows (bundle analysis, deployment, CI/CD):
- Both iOS and Android builds now cache Ruby gems at the unified path `app/vendor/bundle`
- The previous separate paths (app/ios/vendor/bundle for iOS) have been deprecated in favor of this unified approach

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/crypto/**/*.{ts,tsx} : Migrate crypto adapters from app/src/utils/ to packages/mobile-sdk-alpha/src/crypto/ with tests for WebCrypto vs noble/* fallback and timing-safe comparisons

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/*.{js,ts,tsx,json,md,yml,yaml} : Use Prettier for code formatting with root Prettier and EditorConfig settings

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Create clear and actionable error messages with descriptive error codes for SDK consumers

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:51.177Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: packages/mobile-sdk-alpha/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:51.177Z
Learning: Applies to packages/mobile-sdk-alpha/**/package.json : Verify package conditions are valid before publishing

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, run linting and formatting fixes with `yarn workspaces foreach -A -p -v --topological-dev --since=HEAD run nice --if-present`.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,json,yml,yaml} : Ensure `yarn nice` passes (fixes linting and formatting) before creating a PR

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Use async/await patterns for non-blocking operations throughout SDK modules

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{ts,tsx,test.ts,test.tsx} : Create tests BEFORE migrating logic to verify functionality works correctly in the mobile-sdk-alpha package

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/processing/**/*.{ts,tsx} : Migrate MRZ processing helpers from app/src/utils/ to packages/mobile-sdk-alpha/src/processing/ with comprehensive tests for MRZ parsing and cross-platform compatibility

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/**/*.{ts,tsx} : Test platform-specific code paths for React Native (iOS and Android) and web implementations

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to **/*.{ts,tsx,js} : Never log PII, credentials, or private keys in production code; use DEBUG_SECRETS_TOKEN flag for debug-level secrets

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : NEVER log sensitive data including PII (names, DOB, passport numbers, addresses), credentials, tokens, API keys, private keys, or session identifiers.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{ts,tsx,js,jsx,swift,kt,java} : Ensure no sensitive data (PII, credentials, tokens) is present in logs

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Debug-level secrets require tokenized environment flags (e.g., `DEBUG_SECRETS_TOKEN=abc123`) with approval workflow and limited lifetime (max 24 hours).

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Do not log sensitive data in production, including identity verification and passport information.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:06:55.970Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T14:06:55.970Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : ALWAYS redact/mask sensitive fields in logs using consistent patterns (e.g., `***-***-1234` for passport numbers, `J*** D***` for names).

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to **/*.{ts,tsx,js} : Use consistent redaction patterns for sensitive fields in logs and test data

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Address CodeRabbitAI feedback or document why not; resolve security warnings; verify performance benchmarks; confirm no sensitive data exposed in logs/comments.

Applied to files:

  • packages/mobile-sdk-alpha/scripts/setup-native-source.cjs
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Flag security-sensitive changes for special review in PR descriptions.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure CI pipeline passes all stages and no new linting/formatting issues are introduced after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Ensure type checking passes in all affected workspaces and build artifacts are generated successfully after PR creation.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Ensure CI pipeline passes all stages after PR creation

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/ios/** : iOS build must succeed via `yarn ios` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-deploy.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
📚 Learning: 2025-09-06T02:14:42.185Z
Learnt from: transphorm
Repo: selfxyz/self PR: 919
File: .github/workflows/mobile-ci.yml:437-439
Timestamp: 2025-09-06T02:14:42.185Z
Learning: When infrastructure issues like NDK version misalignment are identified during feature PRs, the team prefers to defer these to separate follow-up PRs to maintain focused scope and avoid scope creep.

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-08-02T23:53:45.928Z
Learnt from: transphorm
Repo: selfxyz/self PR: 823
File: app/ios/Self.xcodeproj/project.pbxproj:320-332
Timestamp: 2025-08-02T23:53:45.928Z
Learning: When reviewing autogenerated scripts in Xcode project files (like React Native Firebase's embedded shell scripts), avoid suggesting edits since these are regenerated during pod install and cannot be manually modified by users.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Run `yarn test:build` command to validate tests, build dependencies, types, and bundle analysis in both app and mobile-sdk-alpha directories

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/**/*.{test,spec}.{ts,tsx,js,jsx} : Ensure `yarn test` passes (unit tests) before creating a PR

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/android/** : Android build must succeed via `yarn android` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.integration.{test.ts,test.tsx,spec.ts,spec.tsx} : Test end-to-end flows covering complete user journeys through the identity verification process

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/tests/**/*.{test.ts,test.tsx,spec.ts,spec.tsx} : Use Vitest for testing in the mobile-sdk-alpha package with Node environment configured in vitest.config.ts

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:08:23.106Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:23.106Z
Learning: Applies to app/web/** : Web build must succeed via `yarn web` command in target environments

Applied to files:

  • .github/workflows/mobile-ci.yml
  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:08:11.887Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T14:08:11.887Z
Learning: Before committing, build all workspaces except `contracts` using `yarn build`, and compile Solidity contracts with `yarn workspace selfxyz/contracts build`.

Applied to files:

  • .github/workflows/mobile-ci.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Monitor and optimize SDK bundle size during migration using bundle analysis

Applied to files:

  • .github/workflows/mobile-bundle-analysis.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/demo/**/*.{ts,tsx,js,jsx} : Create an in-SDK lightweight demo in packages/mobile-sdk-alpha/demo/ using embedded React Native with MRZ flow and theming hooks integration

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/samples/**/*.{ts,tsx,js,jsx} : Create sample React Native and web applications in packages/mobile-sdk-alpha/samples/ demonstrating MRZ parsing, proof flow, and iOS URL scheme integration

Applied to files:

  • .github/workflows/mobile-sdk-demo-e2e.yml
  • .github/workflows/mobile-e2e.yml
📚 Learning: 2025-11-25T14:07:55.507Z
Learnt from: CR
Repo: selfxyz/self PR: 0
File: .cursor/rules/mobile-sdk-migration.mdc:0-0
Timestamp: 2025-11-25T14:07:55.507Z
Learning: Applies to packages/mobile-sdk-alpha/src/attestation/**/*.{ts,tsx} : Migrate attestation verification from app/src/utils/ to packages/mobile-sdk-alpha/src/attestation/ with tests for PCR0 validation and certificate chain validation

Applied to files:

  • .github/workflows/mobile-e2e.yml
🧬 Code graph analysis (1)
packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (1)
app/scripts/setup-private-modules.cjs (4)
  • isCI (32-32)
  • appToken (34-34)
  • repoToken (33-33)
  • BRANCH (15-15)
🪛 actionlint (1.7.9)
.github/workflows/mobile-ci.yml

209-209: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-deploy.yml

269-269: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-bundle-analysis.yml

102-102: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-sdk-demo-e2e.yml

216-216: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/mobile-e2e.yml

243-243: label "namespace-profile-apple-silicon-6cpu" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: test
  • GitHub Check: type-check
  • GitHub Check: Cursor Bugbot
  • GitHub Check: analyze-android
  • GitHub Check: e2e-ios
  • GitHub Check: android-build-test
  • GitHub Check: Android E2E Tests Demo App
🔇 Additional comments (10)
.github/workflows/mobile-e2e.yml (1)

20-28: LGTM! Improved trigger conditions.

The addition of push triggers for protected branches with appropriate path filters, plus workflow_dispatch for manual runs, improves the CI workflow flexibility and efficiency.

Also applies to: 38-38

packages/mobile-sdk-alpha/scripts/setup-native-source.cjs (4)

12-12: Well-structured additions for repo-wide operations.

The REPO_ROOT constant and enhanced runCommand signature with cwd parameter enable the submodule commands to run at the repository root level, which is essential for proper .gitmodules handling. The default of SDK_DIR maintains backward compatibility for existing calls.

Also applies to: 38-41


123-126: DEBUG-gated logging addresses prior security concern.

The conditional logging behind DEBUG_SETUP and boolean token indicators (hasAppToken, hasRepoToken) properly limit exposure of sensitive environment details.


185-208: Proper credential protection in CI submodule operations.

The use of stdio: 'pipe' for token-authenticated git operations (lines 189, 205) prevents credential leakage in CI logs, while commands without tokens use default output for troubleshooting visibility. The REPO_ROOT cwd ensures commands operate at the correct repository level.


236-244: Credential scrubbing and validation complete the secure setup flow.

The scrubGitRemoteUrl function removes embedded credentials after successful setup (line 260), and validateSetup ensures the submodule contents are valid before completion. The conditional execution based on isDryRun and setup success provides good safety guardrails.

Also applies to: 258-266

.github/workflows/mobile-sdk-demo-e2e.yml (1)

261-275: LGTM! Conditional Java setup is well-implemented.

The Java presence check and conditional installation logic is sound:

  • Properly detects if Java is installed and functional
  • Only installs Java when needed, saving time on runners with Java pre-installed
  • Uses correct GitHub Actions syntax for env var conditionals

This optimization is particularly valuable for the Namespace runners which may not have Java pre-installed. While iOS builds traditionally don't require Java, the monorepo likely needs it for shared build tooling or React Native dependencies.

.github/workflows/mobile-bundle-analysis.yml (1)

35-35: Good optimization: Android analysis on Ubuntu.

Moving Android bundle analysis to ubuntu-latest is appropriate since Android builds don't require macOS. This saves resources while the namespace runner is reserved for iOS-specific tasks.

.github/workflows/mobile-ci.yml (3)

288-288: Cache path correctly unified per repository standards.

The Ruby gems cache path is now unified at app/vendor/bundle for both iOS and Android builds, deprecating the previous iOS-specific path app/ios/vendor/bundle.

Based on learnings, this aligns with the repository's standardized caching approach.


317-324: Token-based authentication correctly implemented for private repositories.

The GitHub App token generation and usage pattern properly handles authenticated access to private repositories:

  • Token generated only for non-forked PRs (line 318)
  • Scoped token from GitHub App (more secure than PAT)
  • Token passed to dependency builds (line 335) and iOS dependencies (line 355)
  • Graceful fallback with || '' for forked PRs

This aligns with the cross-repo authentication strategy documented in the PR.

Also applies to: 334-335


427-428: Android build limited to manual workflow_dispatch, consistent with iOS.

Like the iOS build, Android is intentionally restricted to workflow_dispatch since mobile-e2e.yml provides coverage. This maintains a consistent CI strategy across both platforms while reducing costs.

@jcortejoso jcortejoso merged commit 2a092f5 into dev Dec 22, 2025
29 checks passed
@jcortejoso jcortejoso deleted the jcortejoso/macos-runner branch December 22, 2025 16:15
@coderabbitai coderabbitai bot mentioned this pull request Mar 6, 2026