alexei.dolgolyov
123da1b5c4
Security: - Force API key auth for LAN (non-loopback) requests; remove shipped dev key - Block path-traversal in backup restore; require auth on backup endpoints - SSRF protection: DNS resolve + private/loopback/link-local IP rejection - AES-256-GCM encryption for HA tokens and MQTT passwords with auto-migration - WebSocket auth migrated from query-string to first-message protocol - Asset upload: extension allowlist, server-side mime, Content-Disposition - Update installer: SHA256 verification, tar/zip member validation - Tightened CORS (explicit methods/headers, no credentials) - ADB serial regex allowlist, webhook rate-limit key fix, log scrubbing Android: - Root-capture: ordered teardown, screenrecord respawn watchdog, child reaping - USB permission blocking API via CompletableDeferred - Python init crash guard with fatal-error screen - Moved root grant + QR generation off Main thread - Cached PyObject engine for per-frame bridge calls - Ordered ScreenCapture resource cleanup, allowBackup=false Python: - Replaced all asyncio.get_event_loop() with get_running_loop/to_thread - Split color_strip_sources.py (1683->5 files) and color_strip_stream.py (1324->7 files) into packages - Extracted FrameLimiter utility, migrated 9 stream loops - Provider base-class reuse, WLED state caching + URL normalization - Narrowed broad except-pass in WS routes, threading fixes in BaseStore Frontend: - XSS fix: escapeHtml on dynamic option labels, reconcile-based list renders - Typed DOM helpers, safe localStorage access, AbortController listener hygiene - openAuthedWs helper for first-message WS auth protocol - Migrated remaining plain <select>s to IconSelect/EntitySelect Design: - WCAG AA primary color on light theme (#2e7d32, 5.4:1 contrast) - Android TV 10-foot breakpoint (tv.css) - Consolidated z-index tokens, unified easing, card-running GPU hints
138 lines
5.4 KiB
Kotlin
138 lines
5.4 KiB
Kotlin
plugins {
|
|
id("com.android.application")
|
|
id("org.jetbrains.kotlin.android")
|
|
id("com.chaquo.python")
|
|
}
|
|
|
|
android {
|
|
namespace = "com.ledgrab.android"
|
|
compileSdk = 34
|
|
|
|
defaultConfig {
|
|
applicationId = "com.ledgrab.android"
|
|
minSdk = 24 // Android 7.0 — covers nearly all TV boxes
|
|
targetSdk = 34
|
|
versionCode = 1
|
|
versionName = "0.3.0"
|
|
|
|
ndk {
|
|
// All three ABIs: arm64-v8a (real TV hardware), x86_64 (modern
|
|
// emulators), x86 (legacy emulators). Wheels in android/wheels/
|
|
// must be kept in sync — see build-scripts/build-pydantic-core.sh.
|
|
abiFilters += listOf("arm64-v8a", "x86_64", "x86")
|
|
}
|
|
}
|
|
|
|
// Signing config from env vars (CI) — only registered when all four are set.
|
|
// Local release builds fall back to the debug signing config.
|
|
val ciKeystorePath = System.getenv("ANDROID_KEYSTORE_PATH")
|
|
val ciKeystorePassword = System.getenv("ANDROID_KEYSTORE_PASSWORD")
|
|
val ciKeyAlias = System.getenv("ANDROID_KEY_ALIAS")
|
|
val ciKeyPassword = System.getenv("ANDROID_KEY_PASSWORD")
|
|
val hasCiSigning = listOf(ciKeystorePath, ciKeystorePassword, ciKeyAlias, ciKeyPassword)
|
|
.all { !it.isNullOrBlank() } && file(ciKeystorePath!!).exists()
|
|
|
|
signingConfigs {
|
|
if (hasCiSigning) {
|
|
create("release") {
|
|
storeFile = file(ciKeystorePath!!)
|
|
storePassword = ciKeystorePassword
|
|
keyAlias = ciKeyAlias
|
|
keyPassword = ciKeyPassword
|
|
}
|
|
}
|
|
}
|
|
|
|
buildTypes {
|
|
release {
|
|
// TODO(minify): keep R8 disabled until Chaquopy reflection is
|
|
// verified end-to-end. Chaquopy resolves Kotlin classes & static
|
|
// methods (PythonBridge, UsbSerialBridge, Root) by name from
|
|
// Python via PyObject — silent stripping breaks the app at
|
|
// runtime, after release. proguard-rules.pro contains keep
|
|
// rules covering the known entry points, but until we have
|
|
// a release smoke test that exercises every PyObject path we
|
|
// do NOT ship a minified release.
|
|
isMinifyEnabled = false
|
|
proguardFiles(
|
|
getDefaultProguardFile("proguard-android-optimize.txt"),
|
|
"proguard-rules.pro",
|
|
)
|
|
signingConfig = if (hasCiSigning) {
|
|
signingConfigs.getByName("release")
|
|
} else {
|
|
signingConfigs.getByName("debug")
|
|
}
|
|
}
|
|
}
|
|
|
|
compileOptions {
|
|
sourceCompatibility = JavaVersion.VERSION_17
|
|
targetCompatibility = JavaVersion.VERSION_17
|
|
}
|
|
|
|
kotlinOptions {
|
|
jvmTarget = "17"
|
|
}
|
|
}
|
|
|
|
chaquopy {
|
|
defaultConfig {
|
|
version = "3.11"
|
|
|
|
pip {
|
|
// Pre-built wheels directory (for pydantic-core etc.)
|
|
// Must use absolute file:// URI with forward slashes
|
|
options("--find-links", "file:///${rootDir.absolutePath.replace("\\", "/")}/wheels/")
|
|
|
|
// ── Android-compatible dependencies ─────────────────
|
|
// Listed explicitly because pyproject.toml includes
|
|
// desktop-only packages with no Android wheels.
|
|
// See CLAUDE.md "Android Dependency Sync" for policy.
|
|
install("fastapi")
|
|
install("uvicorn") // without [standard] — no uvloop/httptools
|
|
install("httpx")
|
|
install("numpy")
|
|
install("pydantic") // needs pydantic-core wheel in wheels/
|
|
install("pydantic-settings")
|
|
install("PyYAML")
|
|
install("structlog")
|
|
install("python-json-logger")
|
|
install("python-dateutil")
|
|
install("python-multipart")
|
|
install("jinja2")
|
|
install("zeroconf")
|
|
install("aiomqtt")
|
|
install("openrgb-python")
|
|
// opencv-python-headless: no cp311 Android wheel on Chaquopy.
|
|
// LedGrab's cv2 usage is guarded with try/except ImportError
|
|
// and falls back to numpy/Pillow alternatives on Android.
|
|
install("Pillow")
|
|
install("websockets")
|
|
install("cryptography") // AES-GCM secret-box for HA/MQTT credentials
|
|
}
|
|
}
|
|
}
|
|
|
|
// LedGrab Python source is included via a directory junction:
|
|
// android/app/src/main/python/ledgrab -> server/src/ledgrab
|
|
// This is the standard Chaquopy way to include local Python packages.
|
|
// Create the junction (run from repo root, no admin needed):
|
|
// cmd /c "mklink /J android\app\src\main\python\ledgrab server\src\ledgrab"
|
|
|
|
|
|
dependencies {
|
|
implementation("androidx.core:core-ktx:1.13.1")
|
|
implementation("androidx.appcompat:appcompat:1.7.0")
|
|
implementation("androidx.leanback:leanback:1.0.0")
|
|
implementation("com.google.android.material:material:1.12.0")
|
|
implementation("androidx.lifecycle:lifecycle-service:2.8.7")
|
|
implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.8.7")
|
|
implementation("org.jetbrains.kotlinx:kotlinx-coroutines-android:1.8.1")
|
|
// QR code generation for displaying server URL on TV
|
|
implementation("com.google.zxing:core:3.5.3")
|
|
// USB-serial drivers (CH340, CP2102, FTDI, Prolific, CDC-ACM) for
|
|
// driving Adalight/AmbiLED controllers plugged into Android TV boxes.
|
|
implementation("com.github.mik3y:usb-serial-for-android:3.8.1")
|
|
}
|