elias/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-30 19:00:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
everything-claude-code/rules/react-native/security.md
Yeris Rifan a141db3ad2
feat(rules,skills): add React Native / Expo rules pack and react-native-patterns skill (#2275) 
* feat(rules,skills): add React Native / Expo rules pack and react-native-patterns skill

* fix(rules,skills): address review feedback — safeParse nav example, drop deprecated sentry-expo, memoize list renderItem, clarify New Architecture SDK support

* fix(rules,skills): drop deprecated Flipper, surface permission-denied state in location hook
2026-06-29 19:22:48 -07:00

1.9 KiB
Raw Blame History

paths
paths
**/*.ts
**/*.tsx

React Native / Expo Security

This file extends common/security.md with React Native / Expo specific content. The mandatory pre-commit checklist and Security Response Protocol from common/security.md still apply.

The Bundle Is Public

Treat everything shipped in the app as readable by an attacker. A mobile binary can be unpacked.

  • NEVER ship real secrets (private API keys, service-role keys, signing secrets) in the JS bundle or app.config.
  • Public/anon keys (e.g. Supabase anon key, Firebase config) are acceptable ONLY when protected by server-side rules (RLS, security rules). Enforce authorization on the backend, never in the client.
  • Keep privileged operations behind your own server / edge functions.

Secret & Token Storage

  • Store auth tokens and sensitive values in expo-secure-store (Keychain / Keystore) — never in AsyncStorage or plain MMKV.
  • Do not persist secrets in Redux/Zustand state that may be serialized to disk.

Configuration

  • Read environment via expo-constants / app.config.ts extra, and EXPO_PUBLIC_* only for genuinely public values.
  • Keep build secrets in EAS secrets, not in the repo.

Network & Data

  • HTTPS only; reject cleartext. Consider certificate pinning for high-risk apps.
  • Validate ALL external data (API responses, deep-link params, push payloads) with Zod before use.
  • Validate and sanitize deep links and universal links — never route or grant access based on unvalidated params.

Permissions & Privacy

  • Request the minimum device permissions, at the moment they are needed, with clear rationale.
  • Declare data collection accurately for App Store / Play Store privacy disclosures.

Dependencies

  • Run expo-doctor and npm audit regularly; keep the Expo SDK and native deps current.
  • Use /security-scan (AgentShield) on the agent configuration itself.