fix(auth): treat authentication cancellations as soft-failures and map native cancel codes

- Add CODE_OF_CONDUCT
- Bump LICENSE copyright range to 2016-2025
- Android:
  - Introduce SensitiveInfoException.AuthenticationCanceled and throw/resume with it when user cancels biometric/device-credential prompts
  - Simplify device credential flow to always return cipher after prompt
- iOS:
  - Map relevant OSStatus values to an E_AUTH_CANCELED runtime error for friendly messaging
- Internal errors:
  - Add AUTH_CANCELED marker and helper hasErrorMarker/isAuthenticationCanceledError
  - Centralize detection of auth-cancelled errors
- Hooks & utilities:
  - Export and use isAuthenticationCanceledError in error-utils
  - Create user-friendly hook error message for canceled auths and export detector
  - Update hooks (useSecretItem, useHasSecret, useSecureOperation, useSecureStorage, useSecurityAvailability) to treat auth cancellations as non-fatal: preserve/clear state appropriately and avoid surfacing HookError when user dismisses prompts
  - Add applyError helper in useSecureStorage to centralize error handling
  - Update hook types and exports
- Nitro/native layers & types:
  - Type and formatting fixes across sensitive-info.nitro.ts, internal/native, options, core/storage and index exports
- Tests & tooling:
  - Apply consistent code style (semicolons, trailing commas) across tests and configs
  - Update many test files to match changes and ensure behavior for canceled auth flows
- Misc:
  - Update package.json description
  - ESLint config formatting fixes

This change makes authentication prompt cancellations explicit (E_AUTH_CANCELED) and prevents noisy error states in hooks when users dismiss biometric / device credential prompts.

Author: mCodex

CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Mateus Andrade
+Copyright (c) 2016-2025 Mateus Andrade
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

android/src/main/java/com/sensitiveinfo/internal/auth/BiometricAuthenticator.kt

@@ -10,6 +10,7 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.suspendCancellableCoroutine
 import kotlinx.coroutines.withContext
 import com.sensitiveinfo.internal.util.ReactContextHolder
+import com.sensitiveinfo.internal.util.SensitiveInfoException
 import javax.crypto.Cipher
 import kotlin.coroutines.cancellation.CancellationException
 import kotlin.coroutines.resume
@@ -42,11 +43,8 @@ internal class BiometricAuthenticator {
 
     return withContext(Dispatchers.Main) {
       if (cipher == null && allowLegacyDeviceCredential && !canUseBiometric()) {
-        if (DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)) {
-          cipher
-        } else {
-          throw IllegalStateException("Device credential authentication canceled.")
-        }
+        DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)
+        cipher
       } else {
         try {
           authenticateWithBiometricPrompt(
@@ -59,9 +57,8 @@ internal class BiometricAuthenticator {
         } catch (error: Throwable) {
           if (error is CancellationException) throw error
           if (allowLegacyDeviceCredential) {
-            if (DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)) {
-              return@withContext cipher
-            }
+            DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)
+            return@withContext cipher
           }
           throw error
         }
@@ -86,11 +83,12 @@ internal class BiometricAuthenticator {
         }
 
         override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
-          if (errorCode == BiometricPrompt.ERROR_CANCELED ||
+          if (
+            errorCode == BiometricPrompt.ERROR_CANCELED ||
             errorCode == BiometricPrompt.ERROR_USER_CANCELED ||
             errorCode == BiometricPrompt.ERROR_NEGATIVE_BUTTON
           ) {
-            continuation.cancel()
+            continuation.resumeWithException(SensitiveInfoException.AuthenticationCanceled())
           } else {
             continuation.resumeWithException(IllegalStateException(errString.toString()))
           }

android/src/main/java/com/sensitiveinfo/internal/auth/DeviceCredentialPromptFragment.kt

@@ -8,6 +8,7 @@ import android.os.Build
 import androidx.fragment.app.Fragment
 import androidx.fragment.app.FragmentActivity
 import com.margelo.nitro.sensitiveinfo.AuthenticationPrompt
+import com.sensitiveinfo.internal.util.SensitiveInfoException
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 import kotlinx.coroutines.CancellableContinuation
@@ -58,7 +59,7 @@ internal class DeviceCredentialPromptFragment : Fragment() {
     if (resultCode == Activity.RESULT_OK) {
       cont.resume(true)
     } else {
-      cont.cancel()
+      cont.resumeWithException(SensitiveInfoException.AuthenticationCanceled())
     }
     cleanup()
   }

android/src/main/java/com/sensitiveinfo/internal/util/SensitiveInfoExceptions.kt

@@ -12,5 +12,10 @@ sealed class SensitiveInfoException(
     code = "E_NOT_FOUND",
     message = "[E_NOT_FOUND] No secret found for key \"$key\" in service \"$service\"."
   )
+
+  class AuthenticationCanceled : SensitiveInfoException(
+    code = "E_AUTH_CANCELED",
+    message = "[E_AUTH_CANCELED] Authentication prompt canceled by the user."
+  )
 }
 

eslint.config.mts

@@ -1,24 +1,24 @@
-import { fixupPluginRules } from '@eslint/compat'
-import { FlatCompat } from '@eslint/eslintrc'
-import js from '@eslint/js'
-import typescriptEslint from '@typescript-eslint/eslint-plugin'
-import tsParser from '@typescript-eslint/parser'
-import importHelpers from 'eslint-plugin-import-helpers'
-import prettier from 'eslint-plugin-prettier'
-import react from 'eslint-plugin-react'
-import reactHooks from 'eslint-plugin-react-hooks'
-import globals from 'globals'
-import path from 'node:path'
-import { fileURLToPath } from 'node:url'
+import { fixupPluginRules } from '@eslint/compat';
+import { FlatCompat } from '@eslint/eslintrc';
+import js from '@eslint/js';
+import typescriptEslint from '@typescript-eslint/eslint-plugin';
+import tsParser from '@typescript-eslint/parser';
+import importHelpers from 'eslint-plugin-import-helpers';
+import prettier from 'eslint-plugin-prettier';
+import react from 'eslint-plugin-react';
+import reactHooks from 'eslint-plugin-react-hooks';
+import globals from 'globals';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
 
-const __filename = fileURLToPath(import.meta.url)
-const __dirname = path.dirname(__filename)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
 
 const compat = new FlatCompat({
   baseDirectory: __dirname,
   recommendedConfig: js.configs.recommended,
   allConfig: js.configs.all,
-})
+});
 
 export default [
   ...compat.extends(
@@ -66,4 +66,4 @@ export default [
       'import/extensions': 'off',
     },
   },
-]
+];

ios/HybridSensitiveInfo.swift

@@ -378,7 +378,19 @@ final class HybridSensitiveInfo: HybridSensitiveInfoSpec {
   }
 
   private func runtimeError(for status: OSStatus, operation: String) -> RuntimeError {
+    if isAuthenticationCanceled(status: status) {
+      return RuntimeError.error(withMessage: "[E_AUTH_CANCELED] Authentication prompt canceled by the user.")
+    }
     let message = SecCopyErrorMessageString(status, nil) as String? ?? "OSStatus(\(status))"
     return RuntimeError.error(withMessage: "Keychain \(operation) failed: \(message)")
   }
+
+  private func isAuthenticationCanceled(status: OSStatus) -> Bool {
+    switch status {
+    case errSecUserCanceled, errSecInteractionNotAllowed:
+      return true
+    default:
+      return false
+    }
+  }
 }

package.json

@@ -1,7 +1,7 @@
 {
   "name": "react-native-sensitive-info",
   "version": "6.0.0-rc.8",
-  "description": "react-native-sensitive-info is a react native package built with Nitro",
+  "description": "🔐 React Native secure storage, rebuilt with Nitro Modules ⚡️ Biometric-ready, StrongBox-aware, and metadata-rich for modern mobile apps",
   "main": "./lib/commonjs/index.js",
   "module": "./lib/module/index.js",
   "types": "./lib/typescript/src/index.d.ts",

src/__tests__/__mocks__/react-native-nitro-modules.ts

@@ -1,23 +1,23 @@
 export class MockHybridObject {
-  static instances: MockHybridObject[] = []
+  static instances: MockHybridObject[] = [];
 
   constructor() {
-    MockHybridObject.instances.push(this)
+    MockHybridObject.instances.push(this);
   }
 }
 
 export const getHybridObjectConstructor = jest
   .fn(() => MockHybridObject)
-  .mockName('getHybridObjectConstructor')
+  .mockName('getHybridObjectConstructor');
 
 export const __resetMocks = () => {
-  MockHybridObject.instances = []
-  getHybridObjectConstructor.mockReset()
-  getHybridObjectConstructor.mockReturnValue(MockHybridObject)
-}
+  MockHybridObject.instances = [];
+  getHybridObjectConstructor.mockReset();
+  getHybridObjectConstructor.mockReturnValue(MockHybridObject);
+};
 
-__resetMocks()
+__resetMocks();
 
 export default {
   getHybridObjectConstructor,
-}
+};

src/__tests__/__mocks__/react-native.ts

@@ -1,5 +1,5 @@
-export const NativeModules = {}
+export const NativeModules = {};
 
 export default {
   NativeModules,
-}
+};