
fix(android): report weak-only biometrics as unavailable for strong auth #91

Open
Lukhaas25 wants to merge 2 commits into Cap-go:main from Lukhaas25:fix-android-weak-biometric-availability

Conversation


@Lukhaas25 Lukhaas25 commented May 20, 2026

What

  • Align Android isAvailable() with verifyIdentity() by requiring BIOMETRIC_STRONG unless fallback is requested and available.
  • Keep weak biometric methods visible through biometryType/authenticationStrength docs, but avoid returning isAvailable=true for weak-only face unlock paths that cannot satisfy the strong CryptoObject prompt.
  • Regenerate README API docs from src/definitions.ts.

Why

How

  • Removed the weak-biometric branch that set isAvailable=true in the Android availability check.
  • Documented the Android strong-biometric behavior on AvailableResult.isAvailable.

Testing

  • bun install --frozen-lockfile
  • bun run verify:web
  • git diff --check

Not Tested

  • Android Gradle tests locally: blocked by missing Android SDK/ANDROID_HOME in this Windows environment.

AI-assisted with Codex; I reviewed the patch and kept it scoped.

Summary by CodeRabbit

  • Bug Fixes

    • Tightened biometric availability: weak-only biometrics no longer mark devices available; availability now requires strong biometrics or an enabled fallback.
  • Documentation

    • Expanded docs to explain Android strong-vs-weak biometric behavior, that fallback can make isAvailable true, and that the verifyIdentity flow on Android ignores the useFallback option.
  • Chores

    • Packaging scripts now conditionally add/sync platforms and run platform build steps; example app dependency versions pinned.
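The availability rule this PR describes (strong biometric, or fallback enabled and device secure; weak-only no longer counts) written out as an added example. This is not the plugin's own NativeBiometric.java; the class name StrongBiometricAvailability, the Decision result shape and the "strong"/"weak"/"none" labels are assumptions chosen for illustration. The decision is isolated in a pure method so it can be exercised with constructed canAuthenticate() codes without a device; only the check() wrapper touches androidx.biometric and KeyguardManager.

```java
// Added example, not the plugin's own code: the availability rule this PR
// describes, with the decision isolated in a pure method so it can be
// exercised with constructed canAuthenticate() codes instead of a device.
import android.app.KeyguardManager;
import android.content.Context;
import androidx.biometric.BiometricManager;

public final class StrongBiometricAvailability {

    /** Illustrative result shape (the plugin's real AvailableResult lives in src/definitions.ts). */
    public static final class Decision {
        public final boolean isAvailable;
        public final String authenticationStrength; // "strong", "weak" or "none" (labels are assumptions)
        public final String reason;

        Decision(boolean isAvailable, String authenticationStrength, String reason) {
            this.isAvailable = isAvailable;
            this.authenticationStrength = authenticationStrength;
            this.reason = reason;
        }
    }

    /**
     * Pure decision logic. strongStatus and weakStatus are the codes returned by
     * BiometricManager.canAuthenticate(BIOMETRIC_STRONG) / canAuthenticate(BIOMETRIC_WEAK).
     */
    public static Decision decide(int strongStatus, int weakStatus,
                                  boolean useFallback, boolean deviceIsSecure) {
        // A BIOMETRIC_STRONG authenticator is enrolled: a CryptoObject-backed
        // BiometricPrompt (what verifyIdentity() uses) can succeed.
        if (strongStatus == BiometricManager.BIOMETRIC_SUCCESS) {
            return new Decision(true, "strong", "BIOMETRIC_STRONG available");
        }
        // Same rule as the native check: fallbackAvailable = useFallback && deviceIsSecure.
        boolean fallbackAvailable = useFallback && deviceIsSecure;
        if (fallbackAvailable) {
            return new Decision(true, "weak", "device credential fallback; no strong biometric");
        }
        // The branch this PR removes from the native code used to return isAvailable=true here.
        if (weakStatus == BiometricManager.BIOMETRIC_SUCCESS) {
            return new Decision(false, "weak",
                "weak-only biometric (such as a Class 2 face unlock) cannot satisfy a BIOMETRIC_STRONG CryptoObject prompt");
        }
        return new Decision(false, "none", "no usable biometric and no fallback");
    }

    /** Device-backed wrapper; the only place platform services are touched. */
    public static Decision check(Context context, boolean useFallback) {
        BiometricManager bm = BiometricManager.from(context);
        KeyguardManager km = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        boolean deviceIsSecure = km != null && km.isDeviceSecure(); // API 23+
        return decide(
            bm.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG),
            bm.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_WEAK),
            useFallback, deviceIsSecure);
    }

    // Constructed scenarios (no device needed), including the pre-fix regression case.
    public static void main(String[] args) {
        int ok = BiometricManager.BIOMETRIC_SUCCESS;
        int none = BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED;
        Decision weakOnly = decide(none, ok, false, true);
        Decision weakWithFallback = decide(none, ok, true, true);
        Decision strong = decide(ok, ok, false, false);
        System.out.println("weak-only, no fallback : " + weakOnly.isAvailable + " (" + weakOnly.reason + ")");
        System.out.println("weak-only + fallback   : " + weakWithFallback.isAvailable
            + " [" + weakWithFallback.authenticationStrength + "]");
        System.out.println("strong enrolled        : " + strong.isAvailable
            + " [" + strong.authenticationStrength + "]");
    }
}
```

The point of splitting decide() from check() is that the regression this PR fixes (weak-only reported as available, then the strong CryptoObject prompt failing) can be pinned down by a plain JVM unit test over the four inputs, without an emulator or the Android SDK the author notes was missing in their environment.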



coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2513b37c-b60a-40bb-814f-8a6c041fb8b4

📥 Commits

Reviewing files that changed from the base of the PR and between f661c48 and c5ff15b.

⛔ Files ignored due to path filters (1)
  • example-app/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/scripts/verify-packed-example.sh
  • README.md
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java
  • example-app/package.json
  • src/definitions.ts
💤 Files with no reviewable changes (1)
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java
✅ Files skipped from review due to trivial changes (2)
  • example-app/package.json
  • README.md

📝 Walkthrough

Restricts Android biometric availability so only strong biometrics or enabled credential fallback set isAvailable = true. Updates TypeScript JSDoc and README to document BIOMETRIC_STRONG semantics and adjusts the example verification script and example app dependency pins.

Changes

Android biometric availability enforcement

Layer: Availability JSDoc and definitions
File(s): src/definitions.ts
Summary: JSDoc for IsAvailableOptions.useFallback and AvailableResult.isAvailable updated to describe Android semantics: fallback availability is useFallback && deviceIsSecure, and verifyIdentity() uses a CryptoObject backed by BIOMETRIC_STRONG (weak-only biometrics may not make isAvailable true).

Layer: Android strong biometric requirement
File(s): android/src/main/java/ee/forgr/biometric/NativeBiometric.java
Summary: checkBiometryAvailability() no longer treats weak-only biometrics as sufficient; isAvailable is true only for strong biometrics or when fallback is enabled and device credentials are secure, with authenticationStrength set to weak in the fallback case.

Layer: README updates
File(s): README.md
Summary: Documentation table rows for AvailableResult.isAvailable and IsAvailableOptions.useFallback rewritten to reflect Android BIOMETRIC_STRONG behavior and that useFallback can make isAvailable() true while verifyIdentity() on Android ignores the option.

Layer: CI script and example app dependency pins
File(s): .github/scripts/verify-packed-example.sh, example-app/package.json
Summary: CI script now gates bunx cap add <platform> behind directory checks and runs bunx cap sync android before Android build/test; example app pins @capacitor/camera and @capacitor/splash-screen to explicit semver ranges.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A tiny hop, a clearer tune,
Strong proofs shine beneath the moon.
Weak paths tucked out of sight,
Fallbacks stand ready overnight.
I nibble bugs and make things right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Out of Scope Changes check: ❓ Inconclusive
Explanation: Documentation updates and build script improvements are supporting changes. However, the example-app package.json dependency version updates to Capacitor packages lack clear connection to the core issue fix.
Resolution: Clarify whether the Capacitor dependency version changes in example-app/package.json are necessary for this fix or represent separate maintenance work.

✅ Passed checks (4 passed)

Description Check: ✅ Passed
Explanation: Check skipped - CodeRabbit's high-level summary is enabled.

Title check: ✅ Passed
Explanation: The title accurately describes the main change: fixing Android to report weak-only biometrics as unavailable when strong authentication is required.

Linked Issues check: ✅ Passed
Explanation: The PR addresses issue #56 by aligning Android isAvailable() with verifyIdentity() requirements, ensuring weak-only biometrics are reported as unavailable for strong auth, matching the expected behavior.

Docstring Coverage: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions

Beta npm build

This PR comes from a fork, so beta publish is disabled for security.

If you need a beta package, move the branch into this repository first.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/definitions.ts`:
- Around line 79-86: Update the IsAvailableOptions.useFallback doc to state that
useFallback affects isAvailable() on Android but is ignored for
verifyIdentity(): change the lines describing IsAvailableOptions.useFallback
(referencing IsAvailableOptions.useFallback) to note that on Android useFallback
will be considered by isAvailable() (see isAvailable()) because the native code
computes fallbackAvailable = useFallback && deviceIsSecure in
NativeBiometric.java, but the BiometricPrompt-based verifyIdentity() flow does
not support fallback (so useFallback is ignored for verifyIdentity()). Ensure
the wording clearly distinguishes the two behaviors (availability vs
authentication) and removes the current claim that the option is entirely
ignored on Android.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 21d8fc7f-c25a-49a7-9696-e3f718fed0c4

📥 Commits

Reviewing files that changed from the base of the PR and between f94b2a3 and 212bdeb.

📒 Files selected for processing (3)
  • README.md
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java
  • src/definitions.ts
💤 Files with no reviewable changes (1)
  • android/src/main/java/ee/forgr/biometric/NativeBiometric.java

Comment thread src/definitions.ts
Lukhaas25 force-pushed the fix-android-weak-biometric-availability branch from 212bdeb to f661c48 on May 20, 2026 16:59
Lukhaas25 force-pushed the fix-android-weak-biometric-availability branch from f661c48 to 2db47cf on May 20, 2026 17:09

socket-security Bot commented May 20, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Added
Package: typescript@5.9.3
Supply Chain Security: 100
Vulnerability: 100
Quality: 90
Maintenance: 96
License: 90


…antics

Distinguish availability vs authentication: on Android, useFallback is
honored by isAvailable() (fallbackAvailable = useFallback && deviceIsSecure)
but ignored by verifyIdentity() due to BiometricPrompt API constraints.

Addresses CodeRabbit review comment on PR Cap-go#91.
Lukhaas25 (Author) commented

Pushed a follow-up commit (c5ff15b) refining the IsAvailableOptions.useFallback JSDoc to address the CodeRabbit review note — now explicitly distinguishes the iOS vs Android behavior for isAvailable() vs verifyIdentity() and references the native fallbackAvailable = useFallback && deviceIsSecure check.



Development

Successfully merging this pull request may close these issues.

bug: Biometric Plugin not returning right value when Fingerprint not enabled on Android
