Merge branch 'main' into dev

Author: sanchitmonga22

.github/workflows/secret-scan.yml

@@ -0,0 +1,35 @@
+name: Secret Scanning
+
+# =============================================================================
+# Gitleaks Secret Scanning Workflow
+#
+# Scans every push to main and every pull request for leaked secrets,
+# API keys, tokens, and internal URLs. Uses the project-level
+# .gitleaks.toml for RunAnywhere-specific patterns on top of gitleaks'
+# built-in detectors.
+# =============================================================================
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  secret-scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_CONFIG: .gitleaks.toml

.gitignore

@@ -192,6 +192,12 @@ lint/reports/
 *.rar
 hs_err_pid*
 
+# Node.js / NPM / Yarn
+node_modules/
+.npm
+.yarn/cache
+.yarn/install-state.gz
+
 # Flutter/Dart
 .dart_tool/
 .flutter-plugins
@@ -378,6 +384,8 @@ sdk/runanywhere-flutter/android/*.aar
 
 # React Native - Pre-built xcframeworks (build artifacts)
 sdk/runanywhere-react-native/packages/*/ios/xcframeworks/
+tools/
+sdk/runanywhere-react-native/packages/rag/ios/.testlocal
 
 
 # Node

.gitleaks.toml

@@ -0,0 +1,59 @@
+# =============================================================================
+# Gitleaks Configuration — RunAnywhere SDK Monorepo
+#
+# Custom rules supplement gitleaks' built-in detectors (AWS keys, JWTs, etc.).
+# These catch RunAnywhere-specific secrets and internal infrastructure URLs.
+# =============================================================================
+
+title = "RunAnywhere Secret Scanning"
+
+# -----------------------------------------------------------------------------
+# Custom Rules
+# -----------------------------------------------------------------------------
+
+[[rules]]
+id = "runanywhere-api-key"
+description = "RunAnywhere API key (runa_prod_*, runa_dev_*, runa_staging_*)"
+regex = '''runa_(prod|dev|staging)_[A-Za-z0-9_\-]{10,}'''
+keywords = ["runa_prod", "runa_dev", "runa_staging"]
+
+[[rules]]
+id = "railway-app-url"
+description = "Railway production/staging app URL"
+regex = '''https?://[a-zA-Z0-9\-]+\.up\.railway\.app'''
+keywords = ["railway.app"]
+
+[[rules]]
+id = "supabase-url"
+description = "Supabase project URL (non-placeholder)"
+regex = '''https://[a-z0-9]+\.supabase\.co'''
+keywords = ["supabase.co"]
+
+[[rules]]
+id = "supabase-anon-key"
+description = "Supabase anon/service key"
+regex = '''eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}'''
+keywords = ["eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"]
+
+# -----------------------------------------------------------------------------
+# Allowlists — paths and patterns that are safe to ignore
+# -----------------------------------------------------------------------------
+
+[allowlist]
+description = "Global allowlist"
+
+paths = [
+    '''\.gitleaks\.toml$''',
+    '''CLAUDE\.md$''',
+    '''\.cursor/plans/.*\.plan\.md$''',
+    '''thoughts/.*\.md$''',
+]
+
+regexTarget = "line"
+regexes = [
+    '''YOUR_PRODUCTION_API_KEY''',
+    '''YOUR_PRODUCTION_BASE_URL''',
+    '''YOUR_''',
+    '''placeholder''',
+    '''https://placeholder\.supabase\.co''',
+]

.npmrc

@@ -0,0 +1,32 @@
+# pnpm configuration for RunAnywhere monorepo
+
+# Use node-modules linker for better React Native compatibility
+node-linker=node-modules
+
+# Hoist all dependencies to root node_modules for consistency
+shamefully-hoist=true
+
+# Don't fail on missing peer dependencies
+strict-peer-dependencies=false
+
+# Use all available cores for faster installation
+prefer-offline=false
+
+# Verify package integrity
+verify-store-integrity=true
+
+# Use lockfile for reproducible installs
+lockfile=true
+
+# Depth for module hoisting
+hoist-pattern[]=*
+hoist-pattern[]=*/**
+
+# Store location (default is fine)
+# store-dir=.pnpm-store
+
+# For CI/CD environments
+# ci-mode=true
+
+# For development - allow same version installs
+# save-exact=false

.yarnrc.yml

@@ -43,6 +43,12 @@ let useLocalBinaries = true //  Toggle: true for local dev, false for release
 // Updated automatically by CI/CD during releases
 let sdkVersion = "0.19.1"
 
+// RAG binary is only available in local dev mode until the release artifact is published.
+// In remote mode, the RAG xcframework zip + checksum don't exist yet, so including the
+// binary target would block ALL SPM package resolution (not just RAG).
+// Set to true once RABackendRAG-v<version>.zip is published to GitHub releases.
+let ragRemoteBinaryAvailable = false
+
 let package = Package(
     name: "runanywhere-sdks",
     platforms: [
@@ -73,7 +79,8 @@ let package = Package(
             name: "RunAnywhereLlamaCPP",
             targets: ["LlamaCPPRuntime"]
         ),
-    ],
+
+    ] + ragProducts(),
     dependencies: [
         .package(url: "https://github.com/apple/swift-crypto.git", from: "3.0.0"),
         .package(url: "https://github.com/Alamofire/Alamofire.git", from: "5.9.0"),
@@ -111,7 +118,7 @@ let package = Package(
         // =================================================================
         .target(
             name: "ONNXBackend",
-            dependencies: ["RABackendONNXBinary", "ONNXRuntimeBinary"],
+            dependencies: ["RABackendONNXBinary"],
             path: "sdk/runanywhere-swift/Sources/ONNXRuntime/include",
             publicHeadersPath: "."
         ),
@@ -132,7 +139,7 @@ let package = Package(
                 .product(name: "StableDiffusion", package: "ml-stable-diffusion"),
                 "CRACommons",
                 "RACommonsBinary",
-            ],
+            ] + ragCoreDependencies(),
             path: "sdk/runanywhere-swift/Sources/RunAnywhere",
             exclude: ["CRACommons"],
             swiftSettings: [
@@ -194,9 +201,61 @@ let package = Package(
             path: "sdk/runanywhere-swift/Tests/RunAnywhereTests"
         ),
 
-    ] + binaryTargets()
+    ] + ragTargets() + binaryTargets()
 )
 
+// =============================================================================
+// RAG TARGET HELPERS
+// =============================================================================
+// RAG targets are gated because the remote binary artifact doesn't exist yet.
+// Including a binary target with a placeholder checksum blocks ALL SPM resolution.
+
+/// RAG product (library) — only included when the binary is available
+func ragProducts() -> [Product] {
+    guard useLocalBinaries || ragRemoteBinaryAvailable else { return [] }
+    return [
+        .library(
+            name: "RunAnywhereRAG",
+            targets: ["RAGRuntime"]
+        ),
+    ]
+}
+
+/// RAG dependency for the RunAnywhere core target
+func ragCoreDependencies() -> [Target.Dependency] {
+    guard useLocalBinaries || ragRemoteBinaryAvailable else { return [] }
+    return [
+        "RAGBackend",
+    ]
+}
+
+/// RAG-related targets (C bridge + Swift runtime)
+func ragTargets() -> [Target] {
+    guard useLocalBinaries || ragRemoteBinaryAvailable else { return [] }
+    return [
+        // C Bridge Module - RAG Backend Headers
+        .target(
+            name: "RAGBackend",
+            dependencies: ["RABackendRAGBinary"],
+            path: "sdk/runanywhere-swift/Sources/RAGRuntime/include",
+            publicHeadersPath: "."
+        ),
+        // RAG Runtime Backend
+        .target(
+            name: "RAGRuntime",
+            dependencies: [
+                "RunAnywhere",
+                "RAGBackend",
+            ],
+            path: "sdk/runanywhere-swift/Sources/RAGRuntime",
+            exclude: ["include"],
+            linkerSettings: [
+                .linkedLibrary("c++"),
+            ]
+        ),
+    ]
+}
+
 // =============================================================================
 // BINARY TARGET SELECTION
 // =============================================================================
@@ -224,16 +283,20 @@ func binaryTargets() -> [Target] {
                 name: "RABackendONNXBinary",
                 path: "sdk/runanywhere-swift/Binaries/RABackendONNX.xcframework"
             ),
+            .binaryTarget(
+                name: "RABackendRAGBinary",
+                path: "sdk/runanywhere-swift/Binaries/RABackendRAG.xcframework"
+            ),
         ]
 
         // Local combined ONNX Runtime xcframework (iOS + macOS)
         // Created by: cd sdk/runanywhere-swift && ./scripts/create-onnxruntime-xcframework.sh
-        targets.append(
-            .binaryTarget(
-                name: "ONNXRuntimeBinary",
-                path: "sdk/runanywhere-swift/Binaries/onnxruntime.xcframework"
-            )
-        )
+        // targets.append(
+        //     .binaryTarget(
+        //         name: "ONNXRuntimeBinary",
+        //         path: "sdk/runanywhere-swift/Binaries/onnxruntime.xcframework"
+        //     )
+        // )
 
         return targets
     } else {
@@ -242,7 +305,7 @@ func binaryTargets() -> [Target] {
         // Download XCFrameworks from GitHub releases
         // All xcframeworks include iOS + macOS slices (v0.19.0+)
         // =====================================================================
-        return [
+        var targets: [Target] = [
             .binaryTarget(
                 name: "RACommonsBinary",
                 url: "https://github.com/RunanywhereAI/runanywhere-sdks/releases/download/v\(sdkVersion)/RACommons-v\(sdkVersion).zip",
@@ -264,5 +327,18 @@ func binaryTargets() -> [Target] {
                 checksum: "e0180262bd1b10fcda95aaf9aac595af5e6819bd454312b6fc8ffc3828db239f"
             ),
         ]
+
+        // Only include RAG binary when the release artifact is available
+        if ragRemoteBinaryAvailable {
+            targets.append(
+                .binaryTarget(
+                    name: "RABackendRAGBinary",
+                    url: "https://github.com/RunanywhereAI/runanywhere-sdks/releases/download/v\(sdkVersion)/RABackendRAG-v\(sdkVersion).zip",
+                    checksum: "0000000000000000000000000000000000000000000000000000000000000000" // Replace with actual checksum
+                )
+            )
+        }
+
+        return targets
     }
-}
+}