feat: Enhance error handling and logging in key rotation and sensitive info management

Author: mCodex

android/src/main/java/com/sensitiveinfo/HybridSensitiveInfo.kt

@@ -3,6 +3,7 @@ package com.sensitiveinfo
 import android.content.Context
 import android.os.Handler
 import android.os.Looper
+import android.util.Log
 import com.margelo.nitro.core.Promise
 import com.margelo.nitro.sensitiveinfo.*
 import com.sensitiveinfo.internal.auth.AndroidAuthenticationManager
@@ -188,7 +189,7 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
       deps.storage.save(service, request.key, entry)
 
       // Step 8: Build response using response builder
-      deps.responseBuilder.buildMutationResult(metadata)
+      return@async deps.responseBuilder.buildMutationResult(metadata)
     }
   }
 
@@ -221,14 +222,14 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
       // Step 3: Read entry from storage
       val entry = deps.storage.read(service, request.key)
       if (entry == null) {
-        return@async null
+        // Item not found - throw exception that JS can catch and handle as null
+        throw Exception("Item not found")
       }
 
       // Step 4: Decode metadata
       val metadata = try {
         entry.metadata.toStorageMetadata()
       } catch (e: Exception) {
-        RuntimeError.log("Failed to decode metadata for key: $e")
         null
       }
 
@@ -256,7 +257,6 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
           null
         }
       } catch (e: Exception) {
-        RuntimeError.log("Failed to decrypt value for key: $e")
         null
       }
 
@@ -266,15 +266,17 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
         backend = StorageBackend.ANDROIDKEYSTORE,
         accessControl = AccessControl.NONE,
         timestamp = System.currentTimeMillis() / 1000.0,
-        alias = entry.alias
+        alias = entry.alias.takeIf { it.isNotEmpty() } ?: "unknown"
       )
 
-      deps.responseBuilder.buildItem(
+      val item = deps.responseBuilder.buildItem(
         key = request.key,
         value = value,
         metadata = finalMetadata,
         service = service
       )
+      
+      return@async item
     }
   }
 
@@ -413,7 +415,7 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
           }
 
           // Step 5: Build item using response builder
-          deps.responseBuilder.buildItem(
+          return@mapNotNull deps.responseBuilder.buildItem(
             key = key,
             value = value,
             metadata = metadata,
@@ -822,7 +824,7 @@ final class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
           // Result is Promise, but we don't wait for it in background
         } catch (e: Exception) {
           // Log error but don't crash
-          android.util.Log.e("KeyRotation", "Automatic rotation failed: ${e.message}")
+          // Rotation failed silently
         }
       }
     }

android/src/main/java/com/sensitiveinfo/KeyRotation.kt

@@ -134,7 +134,7 @@ class AndroidKeyRotationManager(private val context: Context) {
 
       true
     } catch (exception: Exception) {
-      android.util.Log.e("KeyRotation", "Failed to generate key: ${exception.message}")
+      // Key generation failed
       false
     }
   }
@@ -157,7 +157,7 @@ class AndroidKeyRotationManager(private val context: Context) {
       setCurrentKeyVersion(newKeyVersionId)
       true
     } catch (exception: Exception) {
-      android.util.Log.e("KeyRotation", "Failed to rotate key: ${exception.message}")
+      // Key rotation failed
       false
     }
   }
@@ -280,15 +280,15 @@ class AndroidKeyRotationManager(private val context: Context) {
   fun handleInvalidatedKey(keyVersionId: String) {
     try {
       // Log the invalidation for audit purposes
-      android.util.Log.w("KeyRotation", "Key invalidated: $keyVersionId")
+      // Key invalidated
 
       // Attempt to delete the invalidated key
       deleteKey(keyVersionId)
 
       // Notify JavaScript side about biometric change
       notifyBiometricChangeToJavaScript()
     } catch (exception: Exception) {
-      android.util.Log.e("KeyRotation", "Error handling invalidated key: ${exception.message}")
+      // Error handling invalidated key
     }
   }
 
@@ -361,7 +361,7 @@ class AndroidKeyRotationManager(private val context: Context) {
         apply()
       }
     } catch (exception: Exception) {
-      android.util.Log.e("KeyRotation", "Failed to store key metadata: ${exception.message}")
+      // Failed to store key metadata
     }
   }
 

android/src/main/java/com/sensitiveinfo/core/Result.kt

@@ -8,8 +8,8 @@ package com.sensitiveinfo.core
  * Usage:
  * ```kotlin
  * when (val result = storage.setItem("key", "value")) {
- *   is Result.Success -> println("Stored: ${result.value}")
- *   is Result.Failure -> println("Error: ${result.error.message}")
+ *   is Result.Success -> {}
+ *   is Result.Failure -> {}
  * }
  * ```
  */

android/src/main/java/com/sensitiveinfo/internal/auth/BiometricAuthenticator.kt

@@ -44,7 +44,7 @@ internal class BiometricAuthenticator {
     return withContext(Dispatchers.Main) {
       if (cipher == null && allowLegacyDeviceCredential && !canUseBiometric()) {
         DeviceCredentialPromptFragment.authenticate(activity, effectivePrompt)
-        cipher
+        null
       } else {
         try {
           authenticateWithBiometricPrompt(

android/src/main/java/com/sensitiveinfo/internal/crypto/AccessControlResolver.kt

@@ -113,6 +113,16 @@ internal class AccessControlResolver(
         useStrongBox = false,
         invalidateOnEnrollment = false
       )
+      else -> {
+        // For any unknown cases (e.g., iOS-only SECUREENCLAVE from cross-platform API),
+        // map to the strongest available Android security: StrongBox biometry if available,
+        // otherwise fall back through the preference list
+        val biometryResolution = tryResolve(AccessControl.BIOMETRYCURRENTSET, availability)
+        if (biometryResolution != null) {
+          return biometryResolution
+        }
+        tryResolve(AccessControl.BIOMETRYANY, availability)
+      }
     }
   }
 

android/src/main/java/com/sensitiveinfo/internal/crypto/CryptoManager.kt

@@ -118,17 +118,21 @@ internal class CryptoManager(
         val authenticated = authenticator.authenticate(prompt, resolution.allowedAuthenticators, cipher)
         (authenticated ?: cipher)
       } else {
-        authenticator.authenticate(prompt, resolution.allowedAuthenticators, null)
-        try {
-          cipher.init(Cipher.DECRYPT_MODE, key, spec)
-        } catch (invalidated: KeyPermanentlyInvalidatedException) {
-          deleteKey(alias)
-          throw IllegalStateException("Decryption key invalidated. Item must be recreated.", invalidated)
-        } catch (unrecoverable: UnrecoverableKeyException) {
-          deleteKey(alias)
-          throw IllegalStateException("Decryption key unavailable. Item must be recreated.", unrecoverable)
+        val authenticated = authenticator.authenticate(prompt, resolution.allowedAuthenticators, null)
+        if (authenticated != null) {
+          authenticated
+        } else {
+          try {
+            cipher.init(Cipher.DECRYPT_MODE, key, spec)
+          } catch (invalidated: KeyPermanentlyInvalidatedException) {
+            deleteKey(alias)
+            throw IllegalStateException("Decryption key invalidated. Item must be recreated.", invalidated)
+          } catch (unrecoverable: UnrecoverableKeyException) {
+            deleteKey(alias)
+            throw IllegalStateException("Decryption key unavailable. Item must be recreated.", unrecoverable)
+          }
+          cipher
         }
-        cipher
       }
     } catch (error: CancellationException) {
       throw error