ledgrab

alexei.dolgolyov/ledgrab

Fork 0

Commit Graph

Author	SHA1	Message	Date
alexei.dolgolyov	ef1f9eade2	feat(android): production-readiness pass — security, perf, compat, UI/UX Multi-axis lift to ship-quality after a full review: Security - ApiKeyManager: per-install random API key, persisted via SharedPreferences with synchronous first-write; threaded into uvicorn via the LEDGRAB_AUTH__API_KEYS env var; embedded in QR as a URL fragment (#k=) so it never appears in HTTP requests or server logs; frontend reads location.hash on first visit and strips it via history.replaceState - Root.runAsRoot(argv: Array<String>) overload with POSIX shell-quoting to eliminate the shell-injection footgun (= excluded from unquoted-safe set) - UsbSerialBridge: ContextCompat.RECEIVER_NOT_EXPORTED + intent.package check in the broadcast receiver for defence-in-depth across API levels - Release builds refuse to silently fall back to debug keystore; require ANDROID_KEYSTORE_* env vars or explicit ANDROID_ALLOW_DEBUG_SIGNED_RELEASE=1 - Crash log retention capped at 10 entries - Fatal-error stack trace hidden behind a toggle on the error screen Performance - ScreenCapture / RootScreenrecord reuse a single RGBA ByteArray per pipeline instead of allocating per frame — eliminates ~15 MB/s GC churn at 30 fps on low-end TV boxes - Frame pacer switched from System.currentTimeMillis() + integer division (~30.3 fps drift) to SystemClock.elapsedRealtimeNanos with a catch-up accumulator - ScreenCapture computes capture dimensions from source aspect ratio so non-16:9 displays don't get squashed - RootScreenrecord input pump backs off 5 ms when MediaCodec is starved, ending a tight spin that burned a CPU core on decoder stalls - QR cached by URL — onResume from background no longer rebuilds the 560×560 bitmap each time - ApiKey commit() pre-warmed off Main on app startup Compatibility - compileSdk / targetSdk bumped to 35 (Play Store requirement) - armeabi-v7a build path added to build script + conditionally included in gradle splits when the matching wheel is present in android/wheels/ - Foreground service type declared as mediaProjection\|specialUse with PROPERTY_SPECIAL_USE_FGS_SUBTYPE rationale; promotion via ServiceCompat.startForeground with the correct type per mode - NetworkUtils picks Ethernet > Wi-Fi > VPN > cellular instead of just activeNetwork — fixes wrong-URL on TV boxes with both Ethernet + Wi-Fi - enableOnBackInvokedCallback=true for Android 15 predictive-back - Splash screen API via androidx.core:core-splashscreen — hides Chaquopy stdlib unpack delay on cold first launch UI / UX - All previously hardcoded English strings (root prompt, permission denial, fatal-error screen, notification text) now localised across en/ru/zh - Monochrome notification icon (was a colored launcher → gray blob in status bar) - 320×180 TV banner (was the square launcher → squashed on Leanback row) - ViewStub-based running panel (deferred inflation) - ObjectAnimator pulse on the Running status dot for liveness feedback - "Starting…" button state while root is being probed - Autostart checkbox hidden entirely on unrooted devices - "No network" status when getLocalIpAddress returns null - QR fallback hint text - Animator cancelled in onStop to avoid leaking view hierarchy Lifecycle hardening (from review) - RootScreenrecord: processLock serialises EOF respawn vs concurrent stop() to prevent orphaned screenrecord processes - CaptureService.restartRootPipeline: publish-before-start under @Synchronized to close the orphan window during watchdog restarts - ScreenCapture.MediaProjection.Callback.onStop just flips running=false instead of calling stop() (which self-joined captureThread and hung 500 ms) - updateUI early-returns when lateinit not initialised (fatal-error path) - Watchdog give-up bound fixed (>= instead of >, was allowing 4 attempts) server/android_entry.py accepts an optional api_key, sets LEDGRAB_AUTH__API_KEYS={"android":<key>} as JSON before any LedGrab import, logs a clear error if pydantic-settings parsing doesn't land the value back in config (defensive guard against future settings behaviour drift). server/static/js/app.ts: bootstrap reads #k= from location.hash, persists to localStorage, then strips via history.replaceState. Two independent code-review passes; 147 relevant server tests still pass; TypeScript and ruff clean.	2026-05-26 12:52:14 +03:00
alexei.dolgolyov	151cea3ecb	ci: Android multi-ABI APK pipeline + pydantic-core wheel rebuild Build Android APK / build-android (push) Failing after 2m31s Details Lint & Test / test (push) Successful in 6m15s Details Adds .gitea/workflows/build-android.yml — Linux runner installs JDK 17, Python 3.11, Android SDK/NDK, symlinks server/src/ledgrab into the Chaquopy python source dir, and runs assembleDebug on master pushes / assembleRelease on v* tags. APK is uploaded as an artifact and attached to the Gitea release on tag push. Conditional signing config in build.gradle.kts reads keystore from env vars (CI secrets) and falls back to debug signing locally. Gradle wrapper (gradlew/gradlew.bat/ gradle-wrapper.jar) committed so CI can drive the build. Rebuilds pydantic-core wheels for arm64-v8a and x86_64 — both were missing libpython3.11.so in NEEDED, which would have crashed at import on real devices. build-pydantic-core.sh rewritten as a multi-ABI builder: selects targets via args, sets RUSTFLAGS=-C link-arg=-Wl,--no-as-needed -C link-arg=-lpython3.11 to force the symbol-resolution dependency, uses the per-ABI sysconfigdata + libpython staged in android/.build-cache/, prefers `py -3.11` on Windows (Git Bash's python3.11 is an MSStore stub), uses the .cmd clang wrapper on Windows (fixes os error 193), and verifies NEEDED via llvm-readelf after each build. abiFilters restored to the full triple in build.gradle.kts; multi-ABI debug APK builds cleanly (~99 MB).	2026-04-14 12:36:13 +03:00
alexei.dolgolyov	8574424fb7	feat: Android TV app embedding Python server via Chaquopy Lint & Test / test (push) Successful in 2m10s Details Adds a native Android TV application that runs the full LedGrab Python server in-process via Chaquopy. Captures the TV box screen using the MediaProjection API and exposes the existing web UI on the device's local network — users configure via phone/tablet browser. Android (new /android/ module): - Kotlin shell: MainActivity, CaptureService (foreground service), ScreenCapture (MediaProjection + ImageReader), PythonBridge (Chaquopy). - Polished Leanback-themed UI with QR code for easy web UI access. - AGP 8.9 + Chaquopy 17 + Gradle 8.11 (avoids the AGP 8.7 thread-lock bug). - Pre-built pydantic-core wheels for arm64-v8a, x86_64, x86 cross-compiled with maturin + Android NDK, linked against Chaquopy's libpython3.11.so. Python server platform guards: - New utils/platform.py with is_android()/is_windows()/is_linux() helpers. - Guard every top-level import of desktop-only packages (mss, psutil, sounddevice, pyserial, PyAudioWPatch, etc.) with try/except ImportError. - Android-incompatible calls gated with None-checks so the server runs on reduced capabilities on Android (no CPU/RAM metrics, no mss displays). - utils/image_codec.py gains a Pillow fallback for resize + JPEG encode when cv2 is unavailable; all internal cv2.resize callers migrated. - New android_entry.py start_server/stop_server invoked from Kotlin. - get_displays API falls back to best available engine when mss fails. New capture engines: - MediaProjectionEngine: receives RGBA frames pushed from Kotlin through a thread-safe queue; caches last frame for static-screen previews. - ScrcpyClientEngine: optional H.264 streaming via scrcpy-client library (priority 10, overrides the ADB-screencap engine when installed). Frontend: - Tab loaders previously required an apiKey; now correctly treat "auth disabled" as authenticated (Android has no auth by default). - Re-trigger the active tab's loader after loadServerInfo resolves authRequired, since initTabs runs earlier. - Add i18n keys for the demo / mediaprojection / scrcpy_client engines. Docs: - TODO.md: follow-ups for multi-ABI wheel rebuilds, CI pipeline, USB serial LED controllers, root-only capture, perf metrics abstraction. - CLAUDE.md: Android dependency sync policy (pip --exclude doesn't exist). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 03:11:43 +03:00

Author

SHA1

Message

Date

alexei.dolgolyov

ef1f9eade2

feat(android): production-readiness pass — security, perf, compat, UI/UX

Multi-axis lift to ship-quality after a full review:

Security
- ApiKeyManager: per-install random API key, persisted via SharedPreferences
  with synchronous first-write; threaded into uvicorn via the
  LEDGRAB_AUTH__API_KEYS env var; embedded in QR as a URL fragment (#k=)
  so it never appears in HTTP requests or server logs; frontend reads
  location.hash on first visit and strips it via history.replaceState
- Root.runAsRoot(argv: Array<String>) overload with POSIX shell-quoting to
  eliminate the shell-injection footgun (= excluded from unquoted-safe set)
- UsbSerialBridge: ContextCompat.RECEIVER_NOT_EXPORTED + intent.package
  check in the broadcast receiver for defence-in-depth across API levels
- Release builds refuse to silently fall back to debug keystore; require
  ANDROID_KEYSTORE_* env vars or explicit
  ANDROID_ALLOW_DEBUG_SIGNED_RELEASE=1
- Crash log retention capped at 10 entries
- Fatal-error stack trace hidden behind a toggle on the error screen

Performance
- ScreenCapture / RootScreenrecord reuse a single RGBA ByteArray per
  pipeline instead of allocating per frame — eliminates ~15 MB/s GC churn
  at 30 fps on low-end TV boxes
- Frame pacer switched from System.currentTimeMillis() + integer division
  (~30.3 fps drift) to SystemClock.elapsedRealtimeNanos with a catch-up
  accumulator
- ScreenCapture computes capture dimensions from source aspect ratio so
  non-16:9 displays don't get squashed
- RootScreenrecord input pump backs off 5 ms when MediaCodec is starved,
  ending a tight spin that burned a CPU core on decoder stalls
- QR cached by URL — onResume from background no longer rebuilds the
  560×560 bitmap each time
- ApiKey commit() pre-warmed off Main on app startup

Compatibility
- compileSdk / targetSdk bumped to 35 (Play Store requirement)
- armeabi-v7a build path added to build script + conditionally included
  in gradle splits when the matching wheel is present in android/wheels/
- Foreground service type declared as mediaProjection|specialUse with
  PROPERTY_SPECIAL_USE_FGS_SUBTYPE rationale; promotion via
  ServiceCompat.startForeground with the correct type per mode
- NetworkUtils picks Ethernet > Wi-Fi > VPN > cellular instead of just
  activeNetwork — fixes wrong-URL on TV boxes with both Ethernet + Wi-Fi
- enableOnBackInvokedCallback=true for Android 15 predictive-back
- Splash screen API via androidx.core:core-splashscreen — hides Chaquopy
  stdlib unpack delay on cold first launch

UI / UX
- All previously hardcoded English strings (root prompt, permission
  denial, fatal-error screen, notification text) now localised across
  en/ru/zh
- Monochrome notification icon (was a colored launcher → gray blob in
  status bar)
- 320×180 TV banner (was the square launcher → squashed on Leanback row)
- ViewStub-based running panel (deferred inflation)
- ObjectAnimator pulse on the Running status dot for liveness feedback
- "Starting…" button state while root is being probed
- Autostart checkbox hidden entirely on unrooted devices
- "No network" status when getLocalIpAddress returns null
- QR fallback hint text
- Animator cancelled in onStop to avoid leaking view hierarchy

Lifecycle hardening (from review)
- RootScreenrecord: processLock serialises EOF respawn vs concurrent
  stop() to prevent orphaned screenrecord processes
- CaptureService.restartRootPipeline: publish-before-start under
  @Synchronized to close the orphan window during watchdog restarts
- ScreenCapture.MediaProjection.Callback.onStop just flips
  running=false instead of calling stop() (which self-joined
  captureThread and hung 500 ms)
- updateUI early-returns when lateinit not initialised (fatal-error path)
- Watchdog give-up bound fixed (>= instead of >, was allowing 4 attempts)

server/android_entry.py accepts an optional api_key, sets
LEDGRAB_AUTH__API_KEYS={"android":<key>} as JSON before any LedGrab
import, logs a clear error if pydantic-settings parsing doesn't land
the value back in config (defensive guard against future settings
behaviour drift).

server/static/js/app.ts: bootstrap reads #k= from location.hash,
persists to localStorage, then strips via history.replaceState.

Two independent code-review passes; 147 relevant server tests still
pass; TypeScript and ruff clean.

2026-05-26 12:52:14 +03:00

alexei.dolgolyov

151cea3ecb

ci: Android multi-ABI APK pipeline + pydantic-core wheel rebuild

Build Android APK / build-android (push) Failing after 2m31s

Details

Lint & Test / test (push) Successful in 6m15s

Details

Adds .gitea/workflows/build-android.yml — Linux runner installs JDK 17,
Python 3.11, Android SDK/NDK, symlinks server/src/ledgrab into the
Chaquopy python source dir, and runs assembleDebug on master pushes /
assembleRelease on v* tags. APK is uploaded as an artifact and attached
to the Gitea release on tag push. Conditional signing config in
build.gradle.kts reads keystore from env vars (CI secrets) and falls
back to debug signing locally. Gradle wrapper (gradlew/gradlew.bat/
gradle-wrapper.jar) committed so CI can drive the build.

Rebuilds pydantic-core wheels for arm64-v8a and x86_64 — both were
missing libpython3.11.so in NEEDED, which would have crashed at import
on real devices. build-pydantic-core.sh rewritten as a multi-ABI builder:
selects targets via args, sets RUSTFLAGS=-C link-arg=-Wl,--no-as-needed
-C link-arg=-lpython3.11 to force the symbol-resolution dependency,
uses the per-ABI sysconfigdata + libpython staged in
android/.build-cache/, prefers `py -3.11` on Windows (Git Bash's
python3.11 is an MSStore stub), uses the .cmd clang wrapper on Windows
(fixes os error 193), and verifies NEEDED via llvm-readelf after each
build. abiFilters restored to the full triple in build.gradle.kts;
multi-ABI debug APK builds cleanly (~99 MB).

2026-04-14 12:36:13 +03:00

alexei.dolgolyov

8574424fb7

feat: Android TV app embedding Python server via Chaquopy

Lint & Test / test (push) Successful in 2m10s

Details

Adds a native Android TV application that runs the full LedGrab Python
server in-process via Chaquopy. Captures the TV box screen using the
MediaProjection API and exposes the existing web UI on the device's
local network — users configure via phone/tablet browser.

Android (new /android/ module):
- Kotlin shell: MainActivity, CaptureService (foreground service),
  ScreenCapture (MediaProjection + ImageReader), PythonBridge (Chaquopy).
- Polished Leanback-themed UI with QR code for easy web UI access.
- AGP 8.9 + Chaquopy 17 + Gradle 8.11 (avoids the AGP 8.7 thread-lock bug).
- Pre-built pydantic-core wheels for arm64-v8a, x86_64, x86 cross-compiled
  with maturin + Android NDK, linked against Chaquopy's libpython3.11.so.

Python server platform guards:
- New utils/platform.py with is_android()/is_windows()/is_linux() helpers.
- Guard every top-level import of desktop-only packages (mss, psutil,
  sounddevice, pyserial, PyAudioWPatch, etc.) with try/except ImportError.
- Android-incompatible calls gated with None-checks so the server runs on
  reduced capabilities on Android (no CPU/RAM metrics, no mss displays).
- utils/image_codec.py gains a Pillow fallback for resize + JPEG encode
  when cv2 is unavailable; all internal cv2.resize callers migrated.
- New android_entry.py start_server/stop_server invoked from Kotlin.
- get_displays API falls back to best available engine when mss fails.

New capture engines:
- MediaProjectionEngine: receives RGBA frames pushed from Kotlin through
  a thread-safe queue; caches last frame for static-screen previews.
- ScrcpyClientEngine: optional H.264 streaming via scrcpy-client library
  (priority 10, overrides the ADB-screencap engine when installed).

Frontend:
- Tab loaders previously required an apiKey; now correctly treat
  "auth disabled" as authenticated (Android has no auth by default).
- Re-trigger the active tab's loader after loadServerInfo resolves
  authRequired, since initTabs runs earlier.
- Add i18n keys for the demo / mediaprojection / scrcpy_client engines.

Docs:
- TODO.md: follow-ups for multi-ABI wheel rebuilds, CI pipeline, USB
  serial LED controllers, root-only capture, perf metrics abstraction.
- CLAUDE.md: Android dependency sync policy (pip --exclude doesn't exist).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 03:11:43 +03:00

3 Commits