- Add axum middleware layer for auth on all routes (pages, API, WS,
static files). Browser now shows native login dialog on 401.
- Return WWW-Authenticate: Basic realm="ARZ Web Helper" with 401
- WebSocket auth via ?token= query param (checked in middleware)
- Remove per-handler auth checks — middleware covers everything
- Rewrite auth.rs with Mutex<AuthState> instead of OnceLock<String>
to support secret regeneration on reset
- Add rgl_auth_reset FFI: clears credentials + regenerates secret
- Fix imgui admin panel: pass admin_state instead of {} to admin_render
- Admin Auth tab: add Disable + Reset buttons
- Fix web ui_page.html: inputs use oninput (no re-render on type),
collect all input values before POST
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Auth system (new rust_core/src/auth.rs):
- Secret generated at startup, stored in /data/data/ or /sdcard/Android/data/
(not accessible to other apps). Never exposed via FFI.
- Credentials encrypted with secret, stored in separate `auth` DB table
(modules can't access through kv API)
- HTTP middleware checks Basic auth or Bearer token on /api/* and /ws
- Admin panel Auth tab for setting/clearing credentials
- FFI: rgl_auth_init, rgl_auth_set, rgl_auth_clear, rgl_auth_enabled
Integration tests (28 total, was 7):
- bridge.rs: request/response cycle, unique IDs, timeout, event broadcast
- events.rs: win1251 roundtrip, color parsing, HTML escaping
- auth.rs: XOR roundtrip, secret generation, Basic/Bearer auth
Other fixes:
- Make cjson a hard requirement (remove broken fallback JSON encoder)
- Replace io.popen('ls') with pcall-wrapped list_module_dirs() helper
- Fix console serialize: add local, move above M.init()
- Clear all medium tasks from TASKS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add lock_or_recover() helper in bridge.rs and server.rs to handle
poisoned mutexes gracefully instead of panicking
- Replace expect() in db::init() with proper error logging and early
return so DB init failures don't crash the process
- Replace Response::builder().unwrap() with tuple .into_response()
pattern in server.rs HTTP handlers
- Handle condvar poison in bridge::request_lua_exec_sync_wait
- All errors now logged via logging::log() for visibility in admin panel
- Remove unused `use body::Body` import
- Zero unwrap()/expect() remaining outside #[cfg(test)]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename http_framework/ws_server.lua → rgl_framework.lua and update
all internal references (log path, script name, init message)
- Replace debug eprintln!() in bridge.rs with logging::log() calls
so bridge diagnostics go to log file and admin panel instead of stderr
- Add DEBUG logs: bridge requests/polls, WS connect/disconnect,
API timeout warnings, DB batch JSON parse errors
- Move log file from /sdcard/Download/ to getWorkingDirectory()/logs/
with auto-creation of logs/ directory in logging::init()
- Remove unused debug_pending_count() from bridge.rs
- Add project documentation: CLAUDE.md, docs/MODULE_GUIDE.md,
docs/LIB_REFERENCE.md, docs/TASKS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Regela