Feat/qrcode variant 2

[remicolin]

Description

A brief description of the changes, what and how is being changed.

Tested

Explain how the change has been tested (for example by manual testing, unit tests etc) or why it's not necessary (for example version bump).

How to QA

How can the change be tested in a repeatable manner?

Summary by CodeRabbit

• New Features

  • Added desktop and mobile QR code display variants with responsive layouts
  • Introduced new visual components for improved authentication flows
  • Added comprehensive icon library for UI elements
  • Exported SelfDeepLinkButton component as public API entry point

• Chores

  • Updated build configuration to support PNG asset handling
  • Enhanced CI/CD workflows for improved change detection and targeted testing

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
self-webview-app	Ignored	Preview	Apr 30, 2026 10:00am

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
19414827	Triggered	Generic Password	a9d87bf	app/ios/PassportReaderCore.swift	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[greptile-apps]

Greptile Summary

This PR introduces two new display variants for the @selfxyz/qrcode component — desktop and mobile — alongside the existing hybrid default. The desktop variant wraps the QR code in a branded card with a header (app logo + Self logo), a QR section, and a reactive footer that shows instruction steps or a live proof-status card. The mobile variant replaces the QR code entirely with a phone mockup image and a deep-link CTA button, targeting users who are already on a mobile device. A new SelfDeepLinkButton standalone component is also exported. The changes are additive and backward-compatible (variant defaults to 'hybrid').

Key findings:

• proofStep is accepted but never used in MobileQRcode — the component renders a fully static UI regardless of proof state (connecting, verified, failed). Users on mobile get no visual feedback after returning to the page, and the CTA button remains visible even after a successful or failed verification. The analogous desktop component (DesktopFooter) correctly handles state transitions.
• The "Open Self app" button in MobileQRcode duplicates the markup of the newly exported SelfDeepLinkButton — the component should reuse SelfDeepLinkButton internally.
• getDesktopDescription is imported but unused in MobileQRcode.tsx.
• darkMode is forwarded only to the inner QRCode in the desktop variant; the outer card, header, and footer always render with light-mode colours.

Confidence Score: 3/5

Safe to merge only after the proofStep handling in MobileQRcode is addressed — it currently provides no state feedback on the primary mobile user path.

The desktop variant and overall architecture are well-structured and additive. However, MobileQRcode accepts a proofStep prop but ignores it entirely, meaning the mobile UI never reflects verification progress or outcome. This breaks the primary UX of the mobile variant. The fix is isolated to MobileQRcode and should be straightforward, but it needs to happen before ship.

sdk/qrcode/components/MobileQRcode.tsx requires the most attention — the unused proofStep prop is the single blocking issue.

Important Files Changed

Filename	Overview
sdk/qrcode/components/SelfQRcode.tsx	Adds variant prop ('hybrid'
sdk/qrcode/components/MobileQRcode.tsx	New mobile variant component; proofStep prop is accepted but never consumed — the UI is fully static regardless of proof state, and getDesktopDescription is an unused import.
sdk/qrcode/components/DesktopQRcode.tsx	New desktop variant wrapper; darkMode is forwarded only to the inner QRCode, leaving the card/header/footer always light-themed.
sdk/qrcode/components/DesktopFooter.tsx	Renders instruction steps on initial state and a status card (connecting/verified/failed) on non-initial states — logic mirrors QRcodeSteps correctly.
sdk/qrcode/components/DesktopHeader.tsx	New presentational header component showing app logo, dots separator, and Self logo — looks correct.
sdk/qrcode/components/SelfDeepLinkButton.tsx	New standalone deep-link button component reusing mobile CTA styles; duplicates button markup already present in MobileQRcode.
sdk/qrcode/components/icons.tsx	Adds DownloadIcon, VerifyIcon, ArrowReturnIcon as inline SVGs alongside existing PNG-based icons; consistent interface.
sdk/qrcode/utils/styles.ts	Adds desktop and mobile variant style helpers; fixed-width (373px) consistent with existing design intent.
sdk/qrcode/utils/utils.ts	Adds getDesktopDescription, getDesktopStatusTitle, and getDesktopStatusSubtitle helpers; subtitle is a static string regardless of step.
sdk/qrcode/index.ts	Adds SelfDeepLinkButton export; no other changes.
sdk/qrcode/package.json	Version bump to 1.0.21; no dependency changes.
sdk/qrcode/tsup.config.ts	Adds PNG loader alongside existing SVG loader so new PNG assets are inlined as data URLs in both ESM and CJS builds.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    SelfQRcode["SelfQRcode\n(variant prop)"]
    SelfQRcode -->|variant = 'hybrid'\ndefault| Hybrid["Hybrid layout\nQRCode + StatusBanner"]
    SelfQRcode -->|variant = 'desktop'| DesktopQRcode["DesktopQRcode"]
    SelfQRcode -->|variant = 'mobile'| MobileQRcode["MobileQRcode"]

    DesktopQRcode --> DesktopHeader["DesktopHeader\n(app logo + Self logo)"]
    DesktopQRcode --> QRCode["QRCode\n(qrcode.react)"]
    DesktopQRcode --> DesktopFooter["DesktopFooter"]

    DesktopFooter -->|initialState| Steps["Instruction steps\n(Scan / Verify / Rescan)"]
    DesktopFooter -->|non-initial| StatusCard["Status card\n(Connecting / Verified / Failed)"]

    MobileQRcode --> DesktopHeader
    MobileQRcode --> PhoneMockup["Phone mockup image"]
    MobileQRcode --> InstructionSteps["Mobile instruction steps\n(Download / Verify / Return)"]
    MobileQRcode --> CTAButton["Deep-link CTA button\n(Open Self app)"]

    style MobileQRcode fill:#FEF3C7,stroke:#F59E0B
    style CTAButton fill:#FEF3C7,stroke:#F59E0B

Loading

_{Reviews (1): Last reviewed commit: "Merge remote-tracking branch 'origin/dev..." | Re-trigger Greptile}

[greptile-apps]

proofStep accepted but never used

proofStep is declared in MobileQRcodeProps and destructured, but it is never referenced in the render. The component always shows the same phone mockup + "Open Self app" CTA regardless of whether proof generation is in progress, has succeeded, or has failed. This means mobile users get no visual feedback after they return to the page — the button remains visible even after a successful or failed verification.

The analogous DesktopFooter component shows a status card (connecting, verified, failed) when proofStep is not an initial state. The mobile variant should do the same — either hide the CTA and show a status message, or at minimum disable/hide the button after verification is complete.

[greptile-apps]

Unused import

getDesktopDescription is imported but never used directly in MobileQRcode. It is used internally by the DesktopHeader component; importing it here is redundant and will trigger lint warnings.

Suggested change

	import { ArrowReturnIcon, DownloadIcon, VerifyIcon } from './icons.js';
	import DesktopHeader from './DesktopHeader.js';

[greptile-apps]

Duplicated deep-link button

The CTA button rendered here (<a href={qrValue} style={mobileCtaButtonStyle()}>…) is nearly identical to the SelfDeepLinkButton component that is already exported from index.ts. Consider reusing SelfDeepLinkButton to avoid divergence between the two implementations — replace the inline <a> block with <SelfDeepLinkButton href={qrValue} />.

[greptile-apps]

darkMode prop not applied to card/header/footer styles

darkMode is forwarded to the inner QRCode component (which changes the QR dot colour) but none of the wrapping elements — desktopCardStyle(), desktopHeaderStyle(), desktopFooterStyle(), etc. — are aware of it. As a result the card always renders with a white background and black text even when darkMode={true} is passed by the consumer.

If dark mode is intentionally out-of-scope for the desktop variant in this PR, consider removing the darkMode prop from DesktopQRcodeProps to signal that clearly, or document the limitation.

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 002eec19-e158-40aa-a486-599303076082

📥 Commits

Reviewing files that changed from the base of the PR and between a825d8f and bcb9331.

⛔ Files ignored due to path filters (9)

• sdk/qrcode/assets/3dots.png is excluded by !**/*.png
• sdk/qrcode/assets/error.png is excluded by !**/*.png
• sdk/qrcode/assets/phone-mockup.png is excluded by !**/*.png
• sdk/qrcode/assets/qrcode.png is excluded by !**/*.png
• sdk/qrcode/assets/shieldcheck.png is excluded by !**/*.png
• sdk/qrcode/assets/shieldcheck2.png is excluded by !**/*.png
• sdk/qrcode/assets/shieldlightning.png is excluded by !**/*.png
• sdk/qrcode/assets/squarecheck.png is excluded by !**/*.png
• sdk/qrcode/assets/warning.png is excluded by !**/*.png

📒 Files selected for processing (16)

• .github/workflows/circuits.yml
• .github/workflows/contracts.yml
• .github/workflows/core-sdk-ci.yml
• .github/workflows/qrcode-sdk-ci.yml
• sdk/qrcode/components/DesktopFooter.tsx
• sdk/qrcode/components/DesktopHeader.tsx
• sdk/qrcode/components/DesktopQRcode.tsx
• sdk/qrcode/components/MobileQRcode.tsx
• sdk/qrcode/components/SelfDeepLinkButton.tsx
• sdk/qrcode/components/SelfQRcode.tsx
• sdk/qrcode/components/icons.tsx
• sdk/qrcode/index.ts
• sdk/qrcode/tsup.config.ts
• sdk/qrcode/types/svg.d.ts
• sdk/qrcode/utils/styles.ts
• sdk/qrcode/utils/utils.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

proofStep is accepted but never rendered — status feedback missing on mobile.

The component signature takes proofStep, but it's never read anywhere in the JSX (linter confirms: 'proofStep' is defined but never used). The desktop variant uses proofStep to drive border color and a status card; on mobile, users will get no visual feedback as the proof progresses through MOBILE_CONNECTED → PROOF_GENERATION_STARTED → PROOF_VERIFIED / FAILED. Either wire it up (e.g. swap the footer/CTA for a status card like desktop once proofStep > WAITING_FOR_MOBILE) or drop it from the props so callers don't think it has an effect.

🧰 Tools

🪛 GitHub Check: quality-checks

[failure] 39-39:
'proofStep' is defined but never used