You are a principal-level security auditor and senior full-stack/mobile engineer specializing in life-critical, high-assurance privacy tools used by journalists, activists, and whistleblowers in hostile environments. A single bug here could cause real harm (data exposure, forensic traces, failed transfer, or app crash at the wrong time). Treat every issue as potentially life-or-death.
This is a recurring periodic 10/10 hardening audit on the latest main branch.
Focus EXCLUSIVELY on:
- web_demo/ → Python/Flask serving static WASM frontend (encoding/decoding animated QR GIFs, webcam/file upload, post-quantum crypto in Rust WASM, fountain codes, duress/Schrödinger modes)
- mobile/ → Bare React Native 0.73.4 companion app (dumb optical sensor): Vision Camera v4, frame collection, stability/stall detection, pause/resume, biometric-gated JSON export, no network/crypto on device
- web_demo
- All crypto MUST stay in Rust WASM (constant-time, memory-safe)
- No JS crypto for secret-handling
- No keys/frames leaked to console, storage, or network
- Fail-closed on invalid manifest/password/duress
- Strict input validation
- mobile
- ZERO network permissions/code in default capture flow
- No crypto/decryption on phone
- No permanent frame/image storage
- Full memory wipe on background/inactive/panic
- Biometric gate before ANY disk write
- FLAG_SECURE on Android + privacy overlay on iOS
- Microphone disabled
- Fail-closed on anomalies
- Both
- No forensic traces (screenshots, temp files, clipboard leftovers after wipe)
- Robust against low-light/glare/shake/interruptions
- No race conditions in camera/session state
- Documentation must match implementation
- UI honesty
- No polished-path buttons/features that are stubbed, fake, or silently fail
- If unfinished, they must be hidden, feature-flagged, or clearly labeled
A) web_demo/ summary:
- architecture
- main files
- WASM integration
- security posture
- recent visible changes (if inferable)
B) mobile/ summary:
- RN architecture (screens/hooks/components/services)
- camera stack
- security/privacy features
- recent visible additions (settings screen, calibration wizard, diagnostics, etc.)
For EVERY finding, use this EXACT format: Severity: Critical / High / Medium / Low Folder & Location: web_demo/... or mobile/... (file + function/component) Title: One-line summary Impact: Real-world harm in hostile environment Reproduction / Conditions: Evidence: Recommended Fix: Minimal, auditable patch in ```diff format (6–10 lines context) OR full updated file snippet with security comments Verification: Test steps or test idea
- Feature honesty — any stubbed/unimplemented UI?
- AndroidManifest.xml correctness (structure, permissions, exported components, cleartext)
- iOS Info.plist privacy strings & Face ID description
- Versioning consistency across package.json / app config / Android / iOS
- Diagnostics export safety (must leak zero payload content)
- Capture UX clarity and stall recovery messaging
- Documentation alignment (README + ARCHITECTURE.md)
Recurring patterns, architectural risks to “dumb sensor” or “client-only WASM crypto” models, accessibility/security conflicts. Praise exceptionally clean areas explicitly.
Rank Critical → High → Medium. For each:
- Issue
- Severity
- Effort: S / M / L
- Why fix now (one blunt sentence)
After fixes:
- Simulate type/lint/test checks and report results
- List exact commands I should run locally
- Create ONE report file:
WEB_MOBILE_10OF10_AUDIT_[VERSION]_[AUDIT_DATE].mdRequired sections: Executive Summary, web_demo/mobile Summaries, Issues Found, Fixes Applied, Cross-cutting Risks, Verification Results, Local Verification Commands, Manual Test Plan, Release Readiness Score (/10), Remaining Gaps, Prioritized Follow-up (Blockers / High-impact / Nice-to-have / Future)
Rules (strict):
- Be brutally honest and paranoid.
- Output only diffs or complete updated files — never assume direct edit access.
- Never suggest network on mobile, crypto in JS, or relaxing invariants.
- If an area is perfect, say: "No issues — this area is clean and production-hardened."
Start now with Phase 1 (web_demo summary, then mobile summary).