feat(mobile): store API key securely using expo-secure-store

- Add expo-secure-store dependency for iOS Keychain/Android Keystore
- Store API key in secure storage instead of AsyncStorage
- Update tunnelPersistence.ts to use SecureStore for apiKey field
- Clear secure key on tunnel metadata clear
- Fix isCloudflareTunnel type from string to boolean

Author: Ubuntu

apps/mobile/package.json

@@ -24,6 +24,7 @@
     "expo-speech": "~14.0.7",
     "expo-speech-recognition": "^2.1.2",
     "expo-status-bar": "~3.0.8",
+    "expo-secure-store": "~14.0.8",
     "react": "19.1.0",
     "react-dom": "19.1.0",
     "react-native": "0.81.4",

apps/mobile/src/lib/tunnelPersistence.ts

@@ -1,15 +1,18 @@
 import AsyncStorage from '@react-native-async-storage/async-storage';
+import * as SecureStore from 'expo-secure-store';
 
 const TUNNEL_METADATA_KEY = 'speakmcp_tunnel_metadata_v1';
+const API_KEY_SECURE_KEY = 'speakmcp_api_key_secure';
 
 /**
  * Tunnel metadata for connection persistence.
  * Stores information needed to resume or reconnect to a tunnel.
+ * API key is stored securely using expo-secure-store (iOS Keychain/Android Keystore).
  */
 export interface TunnelMetadata {
   /** The base URL of the tunnel endpoint */
   baseUrl: string;
-  /** API key for authentication */
+  /** API key for authentication - stored in secure storage */
   apiKey: string;
   /** Timestamp of last successful connection */
   lastConnectedAt: number;
@@ -23,19 +26,27 @@ export interface TunnelMetadata {
 
 /**
  * Save tunnel metadata for later reconnection.
- *
- * TODO: Security enhancement - Consider storing the apiKey in secure storage
- * (expo-secure-store for iOS Keychain/Android Keystore) instead of AsyncStorage
- * for production deployments where the API key grants sensitive access.
+ * API key is stored securely using expo-secure-store.
  */
 export async function saveTunnelMetadata(metadata: TunnelMetadata): Promise<void> {
   try {
-    await AsyncStorage.setItem(TUNNEL_METADATA_KEY, JSON.stringify(metadata));
+    // Store apiKey securely using expo-secure-store (iOS Keychain/Android Keystore)
+    if (metadata.apiKey) {
+      await SecureStore.setItemAsync(API_KEY_SECURE_KEY, metadata.apiKey, {
+        requireAuthentication: false,
+      });
+    }
+
+    // Store non-sensitive metadata in AsyncStorage
+    const { apiKey, ...safeMetadata } = metadata;
+    await AsyncStorage.setItem(TUNNEL_METADATA_KEY, JSON.stringify(safeMetadata));
+
     console.log('[TunnelPersistence] Saved tunnel metadata:', {
       baseUrl: metadata.baseUrl,
       hasApiKey: !!metadata.apiKey,
       hasSessionId: !!metadata.sessionId,
       hasResumeToken: !!metadata.resumeToken,
+      secureStorageUsed: true,
     });
   } catch (error) {
     console.error('[TunnelPersistence] Failed to save tunnel metadata:', error);
@@ -45,27 +56,39 @@ export async function saveTunnelMetadata(metadata: TunnelMetadata): Promise<void
 /**
  * Load previously saved tunnel metadata.
  * Returns null if no metadata exists or if it's invalid.
+ * API key is retrieved from secure storage.
  */
 export async function loadTunnelMetadata(): Promise<TunnelMetadata | null> {
   try {
+    // Load non-sensitive metadata from AsyncStorage
     const stored = await AsyncStorage.getItem(TUNNEL_METADATA_KEY);
     if (!stored) {
       return null;
     }
 
     const parsed = JSON.parse(stored);
 
-    // Validate required fields exist and have correct types
+    // Validate required fields exist and have correct types (except apiKey)
     if (
       typeof parsed.baseUrl !== 'string' ||
-      typeof parsed.apiKey !== 'string' ||
       typeof parsed.lastConnectedAt !== 'number'
     ) {
       console.warn('[TunnelPersistence] Invalid stored metadata: missing required fields or incorrect types');
       return null;
     }
 
-    return parsed as TunnelMetadata;
+    // Retrieve apiKey from secure storage
+    const apiKey = await SecureStore.getItemAsync(API_KEY_SECURE_KEY);
+
+    if (!apiKey) {
+      console.warn('[TunnelPersistence] API key not found in secure storage');
+      return null;
+    }
+
+    return {
+      ...parsed,
+      apiKey,
+    } as TunnelMetadata;
   } catch (error) {
     console.error('[TunnelPersistence] Failed to load tunnel metadata:', error);
     return null;
@@ -96,11 +119,13 @@ export async function updateTunnelMetadata(
 
 /**
  * Clear tunnel metadata (for logout or reset scenarios).
+ * Also clears the secure-stored API key.
  */
 export async function clearTunnelMetadata(): Promise<void> {
   try {
     await AsyncStorage.removeItem(TUNNEL_METADATA_KEY);
-    console.log('[TunnelPersistence] Cleared tunnel metadata');
+    await SecureStore.deleteItemAsync(API_KEY_SECURE_KEY);
+    console.log('[TunnelPersistence] Cleared tunnel metadata and secure API key');
   } catch (error) {
     console.error('[TunnelPersistence] Failed to clear tunnel metadata:', error);
   }
@@ -127,4 +152,3 @@ export async function isTunnelMetadataFresh(maxAgeMs: number = 24 * 60 * 60 * 10
   const age = Date.now() - metadata.lastConnectedAt;
   return age < maxAgeMs;
 }
-