⚠️ Potential issue | 🟠 Major

CMake install skips on fresh runners

Tying the CMake install step to steps.ndk-cache.outputs.cache-hit means we skip sdkmanager "cmake;3.22.1" whenever the NDK cache restores. Because we only cache ${ANDROID_SDK_ROOT}/ndk/${ANDROID_NDK_VERSION}, new runners start without CMake, the cache still “hits,” and Gradle later fails when it needs that exact CMake version. Please decouple the CMake step from the NDK cache (or add a dedicated cache) so the install always runs when required.

-      - name: Install CMake
-        if: inputs.platform != 'ios' && steps.ndk-cache.outputs.cache-hit != 'true'
+      - name: Install CMake
+        if: inputs.platform != 'ios'
         uses: nick-fields/retry@v3
         with:
           timeout_minutes: 10
           max_attempts: 5
           retry_wait_seconds: 10
           command: sdkmanager "cmake;3.22.1"

.github/workflows/mobile-deploy.yml around lines 1060 to 1076: the CMake install
step is gated on the NDK cache hit which causes CMake to be skipped on fresh
runners even when not present; remove the dependency on
steps.ndk-cache.outputs.cache-hit for the CMake step (i.e. use the same platform
check as NDK: if: inputs.platform != 'ios') or add a separate cache/result check
for a dedicated CMake cache and gate the step on that; ensure the sdkmanager
"cmake;3.22.1" command always runs when CMake might be missing (or when the
cmake-cache indicates a miss).

⚠️ Potential issue | 🔴 Critical

#!/bin/bash
# Examine the authProvider.tsx file around the function and interface definitions
echo "=== Checking lines 204-215 for IAuthContext interface ==="
sed -n '204,215p' app/src/providers/authProvider.tsx

echo -e "\n=== Checking lines 337-359 for getOrGeneratePointsAddress function ==="
sed -n '337,359p' app/src/providers/authProvider.tsx

echo -e "\n=== Checking export status of getOrGeneratePointsAddress ==="
rg -n "export.*getOrGeneratePointsAddress" app/src/providers/authProvider.tsx

echo -e "\n=== Searching for setPointsAddress implementation ==="
rg -n "setPointsAddress" app/src/providers/authProvider.tsx -A 3 -B 3

#!/bin/bash
# Find useSettingStore implementation to understand storage mechanism
echo "=== Locating useSettingStore ==="
fd -t f "*.ts" -o "*.tsx" | xargs rg -l "useSettingStore\s*=" | head -5

echo -e "\n=== Searching for useSettingStore definition ==="
rg -n "export.*useSettingStore|const useSettingStore" --type=ts --type=tsx -A 5 | head -40

echo -e "\n=== Checking if setPointsAddress uses any encryption ==="
rg -n "setPointsAddress" --type=ts --type=tsx -C 5

#!/bin/bash
# Check for any encryption utilities or security measures
echo "=== Searching for encryption or security-related imports ==="
rg -n "encrypt|Encrypt|crypto|Crypto|secure|Secure" app/src/providers/authProvider.tsx

echo -e "\n=== Checking full file structure around lines 200-220 and 330-370 ==="
wc -l app/src/providers/authProvider.tsx

echo -e "\n=== Viewing the area around IAuthContext ==="
sed -n '195,230p' app/src/providers/authProvider.tsx

echo -e "\n=== Viewing the area around getOrGeneratePointsAddress ==="
sed -n '330,370p' app/src/providers/authProvider.tsx

#!/bin/bash
# Examine settingStore to understand storage mechanism
echo "=== Viewing settingStore.ts ==="
cat app/src/stores/settingStore.ts | head -100

echo -e "\n=== Searching for pointsAddress in settingStore ==="
rg -n "pointsAddress" app/src/stores/settingStore.ts -B 3 -A 3

#!/bin/bash
# Check if AsyncStorage is used and any encryption
echo "=== Checking for AsyncStorage usage in settingStore ==="
rg -n "AsyncStorage" app/src/stores/settingStore.ts

echo -e "\n=== Checking for encryption utilities ==="
rg -n "encrypt|Encrypt" app/src/stores/settingStore.ts

echo -e "\n=== Full settingStore file ==="
cat app/src/stores/settingStore.ts

#!/bin/bash
# Verify if any other security measures are applied to address storage
echo "=== Checking usage of getOrGeneratePointsAddress ==="
rg -n "getOrGeneratePointsAddress" --type=ts --type=js -B 2 -A 2

echo -e "\n=== Checking if pointsAddress is used on-chain ==="
rg -n "pointsAddress" --type=ts --type=js -B 1 -A 1 | head -50

Add getOrGeneratePointsAddress to IAuthContext interface and either encrypt pointsAddress storage or regenerate on-demand.

Two issues need resolution:

1. Export inconsistency (line 337): getOrGeneratePointsAddress is publicly exported but missing from IAuthContext interface (lines 204-215). Either add it to the interface as a public API method or prefix with underscore if intended as internal-only.

2. Plaintext address storage (line 357): The derived address is persisted to AsyncStorage via useSettingStore.setPointsAddress() without encryption, contradicting the store's own guidance: "Dont store anything sensative here" (settingStore.ts comment). While biometric auth protects the mnemonic derivation, the resulting address remains unencrypted and extractable from device backups. If on-chain activity privacy is a concern, either: encrypt before storage, regenerate on-demand from the keychain-protected mnemonic, or document this as an accepted tradeoff.

⚠️ Potential issue | 🟠 Major

Block invalid hub addresses during initialization.

Line 112: __SelfVerificationRoot_init accepts any address, so a rushed or adversarial initializer can set the hub to address(0) or an EOA. That permanently bricks verifySelfProof (every call reverts) or hands control to an attacker-controlled proxy that can spoof onVerificationSuccess. Reject zero addresses and require deployed bytecode before storing the hub reference. Solidity 0.8.28 exposes address.code.length, so you can enforce this without extra helpers.(docs.soliditylang.org)

Apply this diff to harden the initializer:

@@
-    error InvalidDataFormat();
+    error InvalidDataFormat();
+
+    /// @notice Error thrown when the hub address is invalid
+    error InvalidHubAddress();
@@
     function __SelfVerificationRoot_init(
         address identityVerificationHubV2Address,
         string memory scopeSeed
     ) internal onlyInitializing {
         SelfVerificationRootStorage storage $ = _getSelfVerificationRootStorage();
 
+        if (identityVerificationHubV2Address == address(0) || identityVerificationHubV2Address.code.length == 0) {
+            revert InvalidHubAddress();
+        }
+
         $._identityVerificationHubV2 = IIdentityVerificationHubV2(identityVerificationHubV2Address);
         $._scope = _calculateScope(address(this), scopeSeed, _getPoseidonAddress());
     }

Committable suggestion skipped: line range outside the PR's diff.

In contracts/contracts/abstract/SelfVerificationRootUpgradeable.sol around lines
107 to 114, the initializer currently accepts any address for
identityVerificationHubV2Address which can be zero or an EOA; add validation
before storing the reference: require(identityVerificationHubV2Address !=
address(0), "Invalid hub: zero address") and
require(identityVerificationHubV2Address.code.length > 0, "Invalid hub: no
contract code") so only deployed contracts are accepted, then proceed to cast
and store the IIdentityVerificationHubV2 reference and compute the scope as
before.

cc: @Nesopie

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

⚠️ Potential issue | 🔴 Critical

Registered users can never claim

customVerificationHook registers users under output.userIdentifier, but claim checks _registeredUserIdentifiers[uint256(uint160(msg.sender))]. Those keys never match (userIdentifier is a hash, not the raw address), so every claim reverts with NotRegistered. We need to persist registration by address (or otherwise bridge the mapping) when verifying.

-    mapping(uint256 userIdentifier => bool registered) internal _registeredUserIdentifiers;
+    mapping(uint256 userIdentifier => bool registered) internal _registeredUserIdentifiers;
+    mapping(address account => bool registered) internal _registeredAccounts;
@@
-    function isRegistered(address registeredAddress) external view returns (bool) {
-        return _registeredUserIdentifiers[uint256(uint160(registeredAddress))];
+    function isRegistered(address registeredAddress) external view returns (bool) {
+        return _registeredAccounts[registeredAddress];
@@
-        if (_registeredUserIdentifiers[uint256(uint160(msg.sender))]) revert NotRegistered(msg.sender);
+        if (!_registeredAccounts[msg.sender]) revert NotRegistered(msg.sender);
@@
-        _registeredUserIdentifiers[output.userIdentifier] = true;
+        _registeredUserIdentifiers[output.userIdentifier] = true;
+        _registeredAccounts[msg.sender] = true;

cc: @Nesopie

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

⚠️ Potential issue | 🔴 Critical

CRITICAL: Fallback to dummy private key creates deployment risk.

The current implementation silently falls back to a publicly known dummy key when PRIVATE_KEY is not set. This creates serious risks:

• Production deployment failure: If the environment variable is misconfigured, deployments will use the dummy key without warning
• Fund loss: The dummy key address is publicly known—any funds sent during deployment could be intercepted
• Silent failure: No validation warns operators that the dummy key is being used

Apply this diff to fail fast when the private key is missing:

-// Use a dummy private key for CI/local development (not used for actual deployments)
-const DUMMY_PRIVATE_KEY = "0x0000000000000000000000000000000000000000000000000000000000000001";
-const PRIVATE_KEY = process.env.PRIVATE_KEY || DUMMY_PRIVATE_KEY;
+const PRIVATE_KEY = process.env.PRIVATE_KEY;
+
+if (!PRIVATE_KEY) {
+  throw new Error("PRIVATE_KEY environment variable is required for network deployments");
+}

For CI/local development that doesn't require deployments, configure Hardhat to skip network account validation or use the built-in hardhat network with test mnemonics.

In contracts/hardhat.config.ts around lines 11-13, remove the unconditional
fallback to the public dummy private key and enforce fail-fast behavior: require
process.env.PRIVATE_KEY and if missing throw an error (or process.exit(1)) with
a clear message instructing to set PRIVATE_KEY or enable a deliberate
non-production flag; alternatively allow an explicit opt-in (e.g.,
ALLOW_DUMMY_KEY=true) for local/CI only, and document using the built-in hardhat
network or test mnemonics for CI instead of providing a dummy key.

⚠️ Potential issue | 🔴 Critical

Blocker: missing opensslconf.h stops the build.

The compile step fails because <openssl/opensslconf.h> is not present in the XCFramework include set (clang reports 'openssl/opensslconf.h' file not found). We either need to ship that header in Headers/openssl/opensslconf.h or adjust the include to an existing location; otherwise any consumer including idea.h will fail to build.

packages/mobile-sdk-alpha/ios/Frameworks/OpenSSL.xcframework/ios-arm64_x86_64-maccatalyst/OpenSSL.framework/Headers/idea.h
(line 13): the current include uses <openssl/opensslconf.h> which is not present
in the XCFramework and breaks consumer builds; fix by either adding the missing
header into the framework include tree at Headers/openssl/opensslconf.h
(ensuring it’s packaged in the .xcframework and exported in the framework header
map/umbrella) or change the include to a path that exists inside the framework
(for example include "opensslconf.h" or the correct relative path) and update
the framework header exports and podspec/packaging so clang can resolve it;
after change, rebuild the XCFramework and verify a simple consumer target can
include idea.h without errors.

⚠️ Potential issue | 🔴 Critical

Ship kdferr.h with this drop or the build breaks.

kdf.h still depends on <openssl/kdferr.h>, but that header is absent from the xcframework (clang already fails with “‘openssl/kdferr.h’ file not found”). Until you package that dependency alongside kdf.h (or adjust the include to a header you do ship), anything touching HKDF/TLS PRF will fail to compile. Please add the missing header before promoting to staging.

In
packages/mobile-sdk-alpha/ios/Frameworks/OpenSSL.xcframework/ios-arm64_x86_64-maccatalyst/OpenSSL.framework/Headers/kdf.h
around lines 13 to 31, kdf.h includes <openssl/kdferr.h> which is not present in
the xcframework causing clang “‘openssl/kdferr.h’ file not found”; fix by either
adding and shipping the missing kdferr.h into the Frameworks/.../Headers
directory (and update the xcframework packaging manifest to include it) or
change the include to an existing header you do ship and update any
symbol/constant definitions accordingly; after adding or changing the include,
rebuild the xcframework and verify compilation of HKDF/TLS PRF-related sources.

⚠️ Potential issue | 🔴 Critical

Ship openssl/symhacks.h alongside this header.

Line 15 pulls in <openssl/symhacks.h>, but the xcframework doesn’t ship that header (Clang already emits 'openssl/symhacks.h' file not found). Any consumer that imports kdferr.h will fail to compile. Please bundle the rest of the openssl/ header tree (keeping the directory structure) or adjust the include to point at the location you actually deliver. Until that happens this header is unusable.

In
packages/mobile-sdk-alpha/ios/Frameworks/OpenSSL.xcframework/ios-arm64_x86_64-maccatalyst/OpenSSL.framework/Headers/kdferr.h
around lines 14–16, the file includes <openssl/symhacks.h> but that header is
not shipped, causing compilation failures; fix by either bundling the missing
openssl/ header tree (include symhacks.h in the
OpenSSL.framework/Headers/openssl/ path so the include <openssl/symhacks.h>
resolves) or change the include to the actual shipped relative path (e.g., use a
local header location and update header search paths and the xcframework header
layout accordingly); ensure the directory structure is preserved or the include
path and framework headers map are updated so consumers can compile.

⚠️ Potential issue | 🔴 Critical

Respect the openssl/ folder structure when exporting headers.

lhash.h includes <openssl/e_os2.h> (Line 18), but in this xcframework e_os2.h lives at the top level. Because the openssl/ directory isn’t present, consumers hit 'openssl/e_os2.h' file not found. Please move the headers under Headers/openssl/ (or supply a header map/module map that mirrors the expected layout) so the standard OpenSSL include paths resolve.

packages/mobile-sdk-alpha/ios/Frameworks/OpenSSL.xcframework/ios-arm64_x86_64-maccatalyst/OpenSSL.framework/Headers/lhash.h
lines 17-28: lhash.h includes <openssl/e_os2.h> but the xcframework exposes
headers at top-level, causing 'openssl/e_os2.h' not found; fix by reorganizing
the framework Headers to preserve OpenSSL's expected include path (move e_os2.h
and other OpenSSL headers into Headers/openssl/ so the header hierarchy matches
#include "openssl/..." usage) or alternatively add a header map/module map in
the framework that maps openssl/* to the current top-level headers and update
the framework's umbrella/module map accordingly so consumers can #include
<openssl/e_os2.h> without errors.

⚠️ Potential issue | 🔴 Critical

Umbrella header can’t compile as-is.

Including <OpenSSL/ssl.h> (and the rest of this list) currently fails—clang reports 'OpenSSL/ssl.h' file not found. Until the xcframework exports a matching OpenSSL/ include root or header map, every consumer pulling in this umbrella header will break. Please wire up the header search paths before promoting this release.

In
packages/mobile-sdk-alpha/ios/Frameworks/OpenSSL.xcframework/ios-arm64_x86_64-maccatalyst/OpenSSL.framework/Headers/OpenSSL.h
lines 2-111, the umbrella header currently includes headers like <OpenSSL/ssl.h>
but consumers get "OpenSSL/ssl.h file not found"; fix by making the xcframework
actually export an OpenSSL/ include root or adjusting the umbrella to match
exported layout: (a) ensure the framework's Headers directory (or an exported
header map) contains an OpenSSL/ subfolder with all public headers (or create a
header symlink/copy), (b) add the include path to the framework's public header
search paths/exported header map (or update module.modulemap to point to the
real header locations), and (c) rebuild the xcframework so the umbrella header
resolves when the framework is integrated.