mobile-secrets.mdc
66 lines (52 loc) · 2.72 KB
---
description: Prevent committing mobile app secrets, API keys, signing credentials, or authentication material. Flag files containing sensitive patterns before they are committed.
alwaysApply: true
standards-version: 1.7.0
---
# Mobile Secrets Protection
When reviewing, creating, or editing files, watch for these sensitive patterns and warn the user immediately:
## Patterns to Flag
1. **Expo and EAS credentials:**
   - `EXPO_TOKEN`, `EAS_ACCESS_TOKEN`, `expo_token`
   - Strings matching Expo token format near "expo" or "eas"
2. **Apple signing credentials:**
   - `.p8` files (App Store Connect API keys)
   - `.p12` files (signing certificates)
   - `.mobileprovision` files (provisioning profiles)
   - `APPLE_ID`, `APPLE_TEAM_ID`, `APP_STORE_CONNECT_API_KEY`
   - Variables containing Apple push notification keys
3. **Android signing credentials:**
   - `.jks` or `.keystore` files referenced with passwords
   - `KEYSTORE_PASSWORD`, `KEY_PASSWORD`, `KEY_ALIAS`
   - `ANDROID_SIGNING_KEY`, `GOOGLE_SERVICES_JSON` with real values
   - `upload-keystore.jks`, `release.keystore`
4. **Firebase configuration with real keys:**
   - `google-services.json` with real `api_key` values (not placeholder)
   - `GoogleService-Info.plist` with real keys
   - `FIREBASE_API_KEY`, `FIREBASE_AUTH_DOMAIN` with hardcoded values
5. **General API keys and tokens:**
   - `API_KEY`, `SECRET_KEY`, `AUTH_TOKEN`, `ACCESS_TOKEN` with hardcoded values
   - `SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY` hardcoded
   - `CLERK_SECRET_KEY`, `CLERK_PUBLISHABLE_KEY` hardcoded
   - `STRIPE_SECRET_KEY`, `STRIPE_PUBLISHABLE_KEY` hardcoded
   - RevenueCat API keys
6. **Push notification credentials:**
   - APNs auth keys (`.p8` files)
   - FCM server keys
   - `PUSH_TOKEN`, `NOTIFICATION_KEY`
## What to Do
When any of these patterns are detected:
- **Warn immediately**: "This file appears to contain a mobile app secret (`{pattern_found}`). Do not commit this to version control."
- **Suggest alternatives**:
  - Use environment variables: `process.env.API_KEY` or `Constants.expoConfig.extra.apiKey`
  - Use Expo's `.env` support or `expo-constants` for runtime config
  - Use a `.env` file (which should be in `.gitignore`)
  - For CI/CD: use EAS Secrets, GitHub Actions secrets, or a secret manager
- **Check `.gitignore`**: verify that `.env`, `.env.*`, `*.jks`, `*.keystore`, `*.p8`, `*.p12`, `*.mobileprovision` are listed. If not, suggest adding them.
## Files to Never Commit
These patterns should always be in `.gitignore`:
- `.env`, `.env.*` (except `.env.example`)
- `*.jks`, `*.keystore` (Android signing)
- `*.p8`, `*.p12`, `*.mobileprovision` (Apple signing)
- `google-services.json` (if it contains real keys)
- `GoogleService-Info.plist` (if it contains real keys)
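A pre-commit check that applies the rule's patterns mechanically, as an added example (not part of the rule file or of Cursor): it flags never-commit filenames, a `google-services.json` whose `client[].api_key[].current_key` is not a placeholder, and `KEY=value` assignments of the listed variable names whose value does not look like a placeholder, and it reports which never-commit globs a `.gitignore` lacks. The placeholder heuristic and the sample inputs are constructed assumptions, not values from the rule.

```python
import json
import re
from fnmatch import fnmatch

# Variable names the rule says to flag when assigned a hardcoded value.
SECRET_VARS = {
    "EXPO_TOKEN", "EAS_ACCESS_TOKEN", "APPLE_ID", "APPLE_TEAM_ID", "APP_STORE_CONNECT_API_KEY",
    "KEYSTORE_PASSWORD", "KEY_PASSWORD", "KEY_ALIAS", "ANDROID_SIGNING_KEY", "FIREBASE_API_KEY",
    "API_KEY", "SECRET_KEY", "AUTH_TOKEN", "ACCESS_TOKEN", "SUPABASE_ANON_KEY",
    "SUPABASE_SERVICE_ROLE_KEY", "CLERK_SECRET_KEY", "STRIPE_SECRET_KEY", "PUSH_TOKEN", "NOTIFICATION_KEY",
}
# File globs the rule says must always be in .gitignore.
NEVER_COMMIT = [".env", ".env.*", "*.jks", "*.keystore", "*.p8", "*.p12", "*.mobileprovision"]
# Assumed heuristic for placeholder values: empty, <...>, ${...}, your_..., xxx, changeme.
PLACEHOLDER = re.compile(r"^$|^<.*>$|^\$\{.*\}$|^(your|xxx|changeme|placeholder)", re.I)
# KEY=value, KEY: value or "KEY": "value" at the start of a line (captures name and raw value).
ASSIGN = re.compile(r"""^\s*(?:export\s+)?["']?([A-Z][A-Z0-9_]*)["']?\s*[=:]\s*["']?([^"'\s#,]*)""")

def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDER.search(value))

def scan_file(path: str, text: str) -> list:
    """Return findings for one file: never-commit name, real Firebase key, hardcoded vars."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name != ".env.example" and any(fnmatch(name, g) for g in NEVER_COMMIT):
        findings.append(f"{path}: matches a never-commit pattern")
    if name == "google-services.json":
        try:
            clients = json.loads(text).get("client", [])
        except ValueError:  # malformed JSON: nothing to inspect, fall through to line scan
            clients = []
        keys = [k.get("current_key", "") for c in clients for k in c.get("api_key", [])]
        if any(not is_placeholder(k) for k in keys):
            findings.append(f"{path}: google-services.json contains a real api_key")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and m.group(1) in SECRET_VARS and not is_placeholder(m.group(2)):
            findings.append(f"{path}:{lineno}: hardcoded value for {m.group(1)}")
    return findings

def missing_gitignore_entries(gitignore_text: str) -> list:
    """Patterns from the rule's never-commit list that are absent from a .gitignore."""
    present = {l.strip() for l in gitignore_text.splitlines() if l.strip() and not l.startswith("#")}
    return [g for g in NEVER_COMMIT if g not in present]

# Constructed sample inputs; the Stripe and Firebase values are made up, not real credentials.
SAMPLE_ENV = "API_KEY=your_key_here\nSTRIPE_SECRET_KEY=sk_test_constructed123\nEXPO_TOKEN=${EXPO_TOKEN}\n"
SAMPLE_GOOGLE_SERVICES = '{"client": [{"api_key": [{"current_key": "AIzaConstructedNotReal"}]}]}'
SAMPLE_GITIGNORE = "node_modules/\n.env\n.env.*\n*.jks\n"
```

Wire `scan_file` over `git diff --cached --name-only` in a pre-commit hook and fail the commit when it returns any finding; `.env.example` is exempted as the rule allows.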