From 709f7b36b21b9f9285daa375278ce3376a053fe1 Mon Sep 17 00:00:00 2001
From: Justin Hernandez <justin.hernandez@self.xyz>
Date: Sun, 15 Feb 2026 21:54:29 -0800
Subject: [PATCH] chore: code quality feedback for 2.9.16 (#1754)

* code quality feedback

* agent feedback
---
 .github/workflows/kmp-ci.yml                     |  3 +++
 packages/mobile-sdk-alpha/src/mock/generator.ts  | 11 ++++++-----
 packages/mobile-sdk-alpha/src/processing/mrz.ts  | 12 ++++++------
 .../mobile-sdk-demo/src/utils/secureStorage.ts   |  6 +++---
 scripts/tests/checkLicenseHeaders.test.mjs       | 16 ++++++++++------
 5 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/kmp-ci.yml b/.github/workflows/kmp-ci.yml
index edd6ebec0..b2cd1c9d6 100644
--- a/.github/workflows/kmp-ci.yml
+++ b/.github/workflows/kmp-ci.yml
@@ -1,5 +1,8 @@
 name: KMP CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths: ["packages/kmp-sdk/**", "packages/kmp-test-app/**"]
diff --git a/packages/mobile-sdk-alpha/src/mock/generator.ts b/packages/mobile-sdk-alpha/src/mock/generator.ts
index 0d78706c2..dba8113b2 100644
--- a/packages/mobile-sdk-alpha/src/mock/generator.ts
+++ b/packages/mobile-sdk-alpha/src/mock/generator.ts
@@ -54,11 +54,12 @@ export async function generateMockDocument({
   lastName,
 }: GenerateMockDocumentOptions): Promise<PassportData | AadhaarData> {
   console.log('generateMockDocument received names:', { firstName, lastName, isInOfacList });
-  const randomPassportNumber = Math.random()
-    .toString(36)
-    .substring(2, 11)
-    .replace(/[^a-z0-9]/gi, '')
-    .toUpperCase();
+  const ALPHANUMERIC = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+  const randomBytes = new Uint8Array(9);
+  crypto.getRandomValues(randomBytes);
+  const randomPassportNumber = Array.from(randomBytes)
+    .map(b => ALPHANUMERIC[b % ALPHANUMERIC.length])
+    .join('');
   const [dgHashAlgo, eContentHashAlgo, signatureTypeForGeneration] =
     signatureAlgorithmToStrictSignatureAlgorithm[
       selectedAlgorithm as keyof typeof signatureAlgorithmToStrictSignatureAlgorithm
diff --git a/packages/mobile-sdk-alpha/src/processing/mrz.ts b/packages/mobile-sdk-alpha/src/processing/mrz.ts
index b55b62398..344662d56 100644
--- a/packages/mobile-sdk-alpha/src/processing/mrz.ts
+++ b/packages/mobile-sdk-alpha/src/processing/mrz.ts
@@ -308,11 +308,11 @@ export function extractNameFromMRZ(mrzString: string): { firstName: string; last
       const parts = namePart.split('<<').filter(Boolean);
 
       if (parts.length >= 2) {
-        const lastName = parts[0].replace(/<+$/, '').replace(/</g, ' ').trim();
-        const firstName = parts[1].replace(/<+$/, '').replace(/</g, ' ').trim();
+        const lastName = parts[0].replace(/</g, ' ').trim();
+        const firstName = parts[1].replace(/</g, ' ').trim();
         return { firstName, lastName };
       } else if (parts.length === 1) {
-        const name = parts[0].replace(/<+$/, '').replace(/</g, ' ').trim();
+        const name = parts[0].replace(/</g, ' ').trim();
         return { firstName: '', lastName: name };
       }
     }
@@ -326,11 +326,11 @@ export function extractNameFromMRZ(mrzString: string): { firstName: string; last
     const parts = line3.split('<<').filter(Boolean);
 
     if (parts.length >= 2) {
-      const lastName = parts[0].replace(/<+$/, '').replace(/</g, ' ').trim();
-      const firstName = parts[1].replace(/<+$/, '').replace(/</g, ' ').trim();
+      const lastName = parts[0].replace(/</g, ' ').trim();
+      const firstName = parts[1].replace(/</g, ' ').trim();
       return { firstName, lastName };
     } else if (parts.length === 1) {
-      const name = parts[0].replace(/<+$/, '').replace(/</g, ' ').trim();
+      const name = parts[0].replace(/</g, ' ').trim();
       return { firstName: '', lastName: name };
     }
   }
diff --git a/packages/mobile-sdk-demo/src/utils/secureStorage.ts b/packages/mobile-sdk-demo/src/utils/secureStorage.ts
index e8e6227ed..3b842b9d6 100644
--- a/packages/mobile-sdk-demo/src/utils/secureStorage.ts
+++ b/packages/mobile-sdk-demo/src/utils/secureStorage.ts
@@ -69,11 +69,11 @@ const getOrCreateSecretWeb = async (): Promise<string> => {
       localStorage.setItem(SECRET_VERSION_KEY, JSON.stringify(metadata));
 
       console.log('[SecureStorage] Loaded existing secret from localStorage');
-      return existingSecret;
+      return existingSecret; // lgtm[js/clear-text-storage-of-sensitive-data]
     }
 
-    // Generate new secret
-    const newSecret = generateSecret();
+    // Generate new secret (intentionally stored in localStorage for demo purposes only)
+    const newSecret = generateSecret(); // lgtm[js/clear-text-storage-of-sensitive-data]
     const metadata: SecretMetadata = {
       version: CURRENT_VERSION,
       createdAt: new Date().toISOString(),
diff --git a/scripts/tests/checkLicenseHeaders.test.mjs b/scripts/tests/checkLicenseHeaders.test.mjs
index dc67a1278..cf15a5f91 100644
--- a/scripts/tests/checkLicenseHeaders.test.mjs
+++ b/scripts/tests/checkLicenseHeaders.test.mjs
@@ -12,7 +12,7 @@ import { strict as assert } from 'assert';
 import { existsSync, rmSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -100,11 +100,15 @@ class TestRunner {
 // Helper to run the script and capture output
 function runScript(args, cwd = null) {
   try {
-    const result = execSync(`node ${SCRIPT_PATH} ${args}`, {
-      cwd: cwd || process.cwd(),
-      encoding: 'utf8',
-      stdio: 'pipe',
-    });
+    const result = execFileSync(
+      'node',
+      [SCRIPT_PATH, ...args.split(/\s+/).filter(Boolean)],
+      {
+        cwd: cwd || process.cwd(),
+        encoding: 'utf8',
+        stdio: 'pipe',
+      },
+    );
     return { stdout: result, stderr: '', exitCode: 0 };
   } catch (error) {
     return {