chore: add AGENTS.md (#791)

DorianMazur · web-flow · commit af336c316947 · 2026-03-27T20:45:32.000+01:00
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,255 @@
+# Agents.md — AI Coding Agent Guide for react-native-keychain
+
+## Project Overview
+
+**react-native-keychain** is a React Native library that provides secure credential storage using iOS Keychain and Android Keystore. It supports biometric authentication (Face ID, Touch ID, fingerprint), multiple encryption strategies, and both the Old and New (TurboModule/Fabric) React Native architectures.
+
+- **Package name**: `react-native-keychain`
+- **Version**: 10.0.0
+- **License**: MIT
+- **Repository**: https://github.com/oblador/react-native-keychain
+- **Documentation**: https://oblador.github.io/react-native-keychain
+- **Platforms**: iOS 9+, Android API 23+, macOS Catalyst, visionOS 1.0+, tvOS 9+
+
+## Repository Structure
+
+| Directory / File | Purpose |
+|------------------|---------|
+| `src/` | TypeScript source — public API (`index.ts`), enums, types, option normalization, and the TurboModule spec |
+| `lib/` | Build output (commonjs, ESM, type declarations) — generated by `yarn prepare`, do not edit |
+| `android/` | Android native code (Kotlin). Key areas: `KeychainModule.kt` (RN module), `cipherStorage/` (encryption implementations), `resultHandler/` (biometric prompt flow), `exceptions/` |
+| `ios/RNKeychainManager/` | iOS native code (Obj-C++). Single `.h`/`.mm` pair implementing the Keychain bridge |
+| `KeychainExample/` | Example/test app. `src/App.tsx` is the demo UI; `e2e/` contains Detox E2E tests and helpers |
+| `website/` | Docusaurus documentation site with versioned docs and TypeDoc-generated API reference |
+| `.github/workflows/` | GitHub Actions CI/CD (E2E tests, lint, docs deploy, NPM publish) |
+| `RNKeychain.podspec` | CocoaPods spec for iOS/macOS/tvOS/visionOS |
+| `package.json` | Library manifest, workspace config, and react-native-builder-bob build targets |
+
+## Tech Stack
+
+| Layer | Technology |
+|-------|-----------|
+| **JS/TS** | TypeScript (strict mode), React Native TurboModules |
+| **Android** | Kotlin, Android Keystore, AndroidX Biometric (1.1.0), AndroidX DataStore, Coroutines |
+| **iOS** | Objective-C++ (.mm), Security.framework, LocalAuthentication.framework |
+| **Build** | react-native-builder-bob (commonjs + ESM + typedefs) |
+| **Package Manager** | Yarn 3.6.1 (workspaces) |
+| **Tests** | Detox (E2E), Jest |
+| **Docs** | Docusaurus 3 + TypeDoc |
+| **CI/CD** | GitHub Actions |
+| **Codegen** | React Native Codegen (`RNKeychainSpec`) for New Architecture |
+
+## Architecture
+
+### Native Bridge
+
+The library uses React Native's **TurboModule** system (New Architecture) with backward compatibility for the Bridge (Old Architecture):
+
+1. `src/NativeKeychainManager.ts` defines the `Spec` interface via `TurboModuleRegistry.getEnforcing<Spec>('RNKeychainManager')`.
+2. `src/index.ts` wraps all native calls with TypeScript types and option normalization.
+3. On iOS, `RNKeychainManager.mm` conditionally implements `NativeKeychainManagerSpec` (New Arch) or `RCTBridgeModule` (Old Arch).
+4. On Android, `KeychainModule.kt` is a `@ReactModule` supporting both architectures via conditional source sets (`src/newarch` vs `src/oldarch`).
+
+### Android Encryption Strategy
+
+Android uses a pluggable cipher storage system:
+
+- **AES-GCM** (`CipherStorageKeystoreAesGcm`): Primary cipher with optional biometric auth
+- **AES-GCM No Auth** (`CipherStorageKeystoreAesGcm` without auth): For non-biometric storage
+- **RSA-ECB** (`CipherStorageKeystoreRsaEcb`): Asymmetric encryption with biometric auth
+- **AES-CBC** (`CipherStorageKeystoreAesCbc`): Legacy/deprecated
+
+Result handlers manage the biometric prompt flow: `ResultHandlerInteractiveBiometric` for interactive auth, `ResultHandlerNonInteractive` for no-auth operations.
+
+### iOS Keychain Integration
+
+iOS uses Security.framework directly:
+- `kSecClassGenericPassword` for generic passwords
+- `kSecClassInternetPassword` for internet credentials
+- Supports all `kSecAttrAccessible*` levels and `SecAccessControl` for biometric gates
+- Safari shared web credentials via `SecRequestSharedWebCredential` / `SecAddSharedWebCredential`
+
+## Public API
+
+All functions are exported from `src/index.ts`:
+
+| Function | Description |
+|----------|-------------|
+| `setGenericPassword(username, password, options?)` | Store credentials by service |
+| `getGenericPassword(options?)` | Retrieve credentials by service |
+| `hasGenericPassword(options?)` | Check if credentials exist |
+| `resetGenericPassword(options?)` | Delete credentials by service |
+| `getAllGenericPasswordServices(options?)` | List all service keys |
+| `setInternetCredentials(server, username, password, options?)` | Store credentials by server URL |
+| `getInternetCredentials(server, options?)` | Retrieve credentials by server |
+| `hasInternetCredentials(options)` | Check if internet credentials exist |
+| `resetInternetCredentials(options)` | Delete internet credentials |
+| `getSupportedBiometryType()` | Get device biometry type |
+| `canImplyAuthentication(options?)` | Check auth policy support (iOS) |
+| `getSecurityLevel(options?)` | Get security level (Android) |
+| `isPasscodeAuthAvailable()` | Check passcode auth availability |
+| `requestSharedWebCredentials()` | Get Safari shared credentials (iOS) |
+| `setSharedWebCredentials(server, username, password?)` | Set Safari shared credentials (iOS) |
+
+### Key Enums
+
+- **`ACCESSIBLE`**: When keychain items are accessible (e.g., `WHEN_UNLOCKED`, `AFTER_FIRST_UNLOCK`)
+- **`ACCESS_CONTROL`**: Auth gates (e.g., `BIOMETRY_ANY`, `DEVICE_PASSCODE`, `BIOMETRY_ANY_OR_DEVICE_PASSCODE`)
+- **`AUTHENTICATION_TYPE`**: Biometrics vs passcode authentication
+- **`SECURITY_LEVEL`**: Android security level (`ANY`, `SECURE_SOFTWARE`, `SECURE_HARDWARE`)
+- **`STORAGE_TYPE`**: Android cipher type (`AES_GCM`, `AES_GCM_NO_AUTH`, `RSA`, `AES_CBC`)
+- **`BIOMETRY_TYPE`**: Device biometry (`TOUCH_ID`, `FACE_ID`, `OPTIC_ID`, `FINGERPRINT`, `FACE`, `IRIS`)
+- **`ERROR_CODE`**: Standardized error codes (`PASSCODE_NOT_SET`, `BIOMETRIC_NOT_ENROLLED`, etc.)
+
+### Key Types
+
+- **`SetOptions`**: `accessible`, `securityLevel`, `storage`, `accessControl`, `authenticationPrompt`, `service`, `cloudSync`, `accessGroup`
+- **`GetOptions`**: `accessControl`, `authenticationPrompt`, `service`
+- **`BaseOptions`**: `service`, `server`, `cloudSync`, `accessGroup`
+- **`Result`**: `{ service, storage }`
+- **`UserCredentials`**: `{ username, password, service, storage }`
+- **`AuthenticationPrompt`**: `{ title?, subtitle?, description?, cancel? }`
+
+## Development
+
+### Prerequisites
+
+- Node.js >= 16
+- Yarn 3.6.1 (uses workspaces)
+- Xcode (for iOS)
+- Android SDK with API 23+ (for Android)
+- CocoaPods (for iOS)
+
+### Setup
+
+```bash
+# Install dependencies (all workspaces)
+yarn install
+
+# Build the library (TypeScript → lib/)
+yarn prepare
+
+# Run typecheck
+yarn typecheck
+
+# Run linter
+yarn lint
+
+# Format code
+yarn format
+```
+
+### Example App
+
+```bash
+cd KeychainExample
+
+# iOS
+pod install --project-directory=ios
+yarn start    # Metro bundler
+# Build & run via Xcode or react-native run-ios
+
+# Android
+yarn start    # Metro bundler
+# Build & run via Android Studio or react-native run-android
+```
+
+### Running E2E Tests
+
+Tests use **Detox** with physical emulator/simulator:
+
+```bash
+cd KeychainExample
+
+# iOS
+yarn test:ios     # Builds + runs Detox tests
+
+# Android
+yarn test:android # Builds + runs Detox tests
+```
+
+Test specs are in `KeychainExample/e2e/testCases/`. They cover:
+- Access control (passcode, biometric) for both credential types
+- Storage types (AES-CBC, AES-GCM, AES-GCM-NO-AUTH, RSA) — Android only
+- Security levels (Any, Software, Hardware) — Android only
+
+E2E tests use biometric simulation: `device.matchFace()` on iOS, ADB fingerprint touch on Android. Passcode on Android is `1111`.
+
+### Build Output
+
+`yarn prepare` (via react-native-builder-bob) generates:
+- `lib/commonjs/` — CommonJS modules (with ESM interop)
+- `lib/module/` — ES modules
+- `lib/typescript/` — Type declarations
+
+## CI/CD Pipelines
+
+| Workflow | Trigger | What it does |
+|----------|---------|-------------|
+| `e2e_tests.yaml` | Push/PR to master | Builds APKs + iOS app, runs Detox E2E tests on Android API 33/34/35 emulators and iOS simulator |
+| `lint_and_types.yaml` | Push/PR to master | Runs ESLint + TypeScript typecheck |
+| `docs.yaml` | Release created | Builds Docusaurus site, deploys to GitHub Pages |
+| `deploy.yaml` | Release created | Builds library via bob, publishes to NPM |
+
+## Coding Conventions
+
+- **TypeScript**: Strict mode, no unused locals/parameters, `verbatimModuleSyntax`, ESNext target
+- **Android**: Kotlin with coroutines, Java 17 compatibility, AndroidX libraries
+- **iOS**: Objective-C++ (.mm files), supports both TurboModule and Bridge
+- **Formatting**: Prettier for JS/TS/JSON/MD files
+- **Linting**: ESLint with `@react-native/eslint-config`
+- **Option normalization**: All public functions normalize options through `normalizeAuthPrompt()` which sets default `title` and `cancel` for auth prompts
+
+## Error Handling
+
+Both platforms use standardized error codes (defined in `ERROR_CODE` enum):
+
+| Code | Meaning |
+|------|---------|
+| `E_PASSCODE_NOT_SET` | Device has no passcode/PIN configured |
+| `E_BIOMETRIC_NOT_ENROLLED` | No biometrics enrolled on device |
+| `E_BIOMETRIC_UNAVAILABLE` | Biometric hardware unavailable |
+| `E_BIOMETRIC_LOCKOUT` | Too many failed biometric attempts |
+| `E_AUTH_CANCELED` | User canceled authentication |
+| `E_AUTH_ERROR` | General authentication error |
+| `E_INVALID_PARAMETERS` | Invalid parameters passed |
+| `E_STORAGE_ACCESS_ERROR` | Keychain/Keystore access error |
+| `E_INTERNAL_ERROR` | Unexpected internal error |
+
+## Common Tasks for Agents
+
+### Adding a new public API method
+
+1. Add the method signature to `src/NativeKeychainManager.ts` (`Spec` interface)
+2. Implement the TypeScript wrapper in `src/index.ts` with JSDoc
+3. Add relevant types to `src/types.ts` if needed
+4. Implement the native method in `ios/RNKeychainManager/RNKeychainManager.mm`
+5. Implement the native method in `android/src/main/java/com/oblador/keychain/KeychainModule.kt`
+6. Add to the default export object in `src/index.ts`
+7. Run `yarn typecheck` to validate TypeScript
+8. Add E2E test coverage in `KeychainExample/e2e/testCases/`
+
+### Adding a new enum value
+
+1. Add the value to the relevant enum in `src/enums.ts`
+2. Handle the new value in the corresponding native code (iOS `.mm` and/or Android `.kt`)
+3. Update the example app (`KeychainExample/src/App.tsx`) if it has a selector for that enum
+
+### Adding a new Android cipher storage
+
+1. Create a new class in `android/src/main/java/com/oblador/keychain/cipherStorage/` implementing `CipherStorage`
+2. Register it in `KeychainModule.kt`
+3. Add a corresponding `STORAGE_TYPE` enum value in `src/enums.ts`
+4. Add E2E test in `storageTypesTest.spec.js`
+
+### Modifying iOS Keychain behavior
+
+1. Edit `ios/RNKeychainManager/RNKeychainManager.mm`
+2. Map any new error domains to standardized `ERROR_CODE` values
+3. Guard platform-specific code with `TARGET_OS_IOS`, `TARGET_OS_VISION`, or `TARGET_OS_UIKITFORMAC`
+
+### Updating documentation
+
+1. Edit Markdown files in `website/docs/`
+2. API docs are auto-generated from TSDoc comments in `src/index.ts` via TypeDoc
+3. For new versions, use Docusaurus versioning (existing versions: 9.0.x, 9.1.x, 9.2.x)
