alexei.dolgolyov
123da1b5c4
Security: - Force API key auth for LAN (non-loopback) requests; remove shipped dev key - Block path-traversal in backup restore; require auth on backup endpoints - SSRF protection: DNS resolve + private/loopback/link-local IP rejection - AES-256-GCM encryption for HA tokens and MQTT passwords with auto-migration - WebSocket auth migrated from query-string to first-message protocol - Asset upload: extension allowlist, server-side mime, Content-Disposition - Update installer: SHA256 verification, tar/zip member validation - Tightened CORS (explicit methods/headers, no credentials) - ADB serial regex allowlist, webhook rate-limit key fix, log scrubbing Android: - Root-capture: ordered teardown, screenrecord respawn watchdog, child reaping - USB permission blocking API via CompletableDeferred - Python init crash guard with fatal-error screen - Moved root grant + QR generation off Main thread - Cached PyObject engine for per-frame bridge calls - Ordered ScreenCapture resource cleanup, allowBackup=false Python: - Replaced all asyncio.get_event_loop() with get_running_loop/to_thread - Split color_strip_sources.py (1683->5 files) and color_strip_stream.py (1324->7 files) into packages - Extracted FrameLimiter utility, migrated 9 stream loops - Provider base-class reuse, WLED state caching + URL normalization - Narrowed broad except-pass in WS routes, threading fixes in BaseStore Frontend: - XSS fix: escapeHtml on dynamic option labels, reconcile-based list renders - Typed DOM helpers, safe localStorage access, AbortController listener hygiene - openAuthedWs helper for first-message WS auth protocol - Migrated remaining plain <select>s to IconSelect/EntitySelect Design: - WCAG AA primary color on light theme (#2e7d32, 5.4:1 contrast) - Android TV 10-foot breakpoint (tv.css) - Consolidated z-index tokens, unified easing, card-running GPU hints
28 lines
1.1 KiB
Prolog
28 lines
1.1 KiB
Prolog
# LedGrab ProGuard / R8 rules.
|
|
#
|
|
# IMPORTANT: Chaquopy resolves Java/Kotlin classes and static methods by
|
|
# name from Python (e.g. UsbSerialBridge.INSTANCE.listDevices()) via
|
|
# reflection. Anything reachable through PyObject must be kept by name
|
|
# or the release build will throw NoSuchMethod / ClassNotFound at
|
|
# runtime — silently, only on the user's device.
|
|
#
|
|
# Keep ALL of com.ledgrab.android.* members for safety. The app is
|
|
# small enough that the size win from stripping these isn't worth the
|
|
# fragility.
|
|
-keep class com.ledgrab.android.** { *; }
|
|
|
|
# Chaquopy runtime itself.
|
|
-keep class com.chaquo.python.** { *; }
|
|
-dontwarn com.chaquo.python.**
|
|
|
|
# usb-serial-for-android — driver classes are loaded via the prober's
|
|
# default device-id list, which uses reflection in some chip drivers.
|
|
-keep class com.hoho.android.usbserial.driver.** { *; }
|
|
-dontwarn com.hoho.android.usbserial.**
|
|
|
|
# Kotlin coroutines — keep the debug agent off and the metadata intact.
|
|
-dontwarn kotlinx.coroutines.**
|
|
|
|
# Standard Android best-practice keeps.
|
|
-keepattributes Signature, InnerClasses, EnclosingMethod, *Annotation*
|