Auth system (new rust_core/src/auth.rs):
- Secret generated at startup, stored in /data/data/ or /sdcard/Android/data/
(not accessible to other apps). Never exposed via FFI.
- Credentials encrypted with secret, stored in separate `auth` DB table
(modules can't access through kv API)
- HTTP middleware checks Basic auth or Bearer token on /api/* and /ws
- Admin panel Auth tab for setting/clearing credentials
- FFI: rgl_auth_init, rgl_auth_set, rgl_auth_clear, rgl_auth_enabled
Integration tests (28 total, was 7):
- bridge.rs: request/response cycle, unique IDs, timeout, event broadcast
- events.rs: win1251 roundtrip, color parsing, HTML escaping
- auth.rs: XOR roundtrip, secret generation, Basic/Bearer auth
Other fixes:
- Make cjson a hard requirement (remove broken fallback JSON encoder)
- Replace io.popen('ls') with pcall-wrapped list_module_dirs() helper
- Fix console serialize: add local, move above M.init()
- Clear all medium tasks from TASKS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Sandbox each module via setfenv(): writes go to per-module environment,
reads proxy to _G. Modules can no longer accidentally overwrite each
other's globals or framework internals. Sandbox is GC'd on unload.
- Add dynamic window registry (fw.register_window/toggle_window/
show_window/hide_window) so modules can create imgui windows without
editing the framework. Replace hardcoded BTC OnFrame with generic handler.
- Make admin_visible local (was global)
- Fix console serialize: add local, move above M.init() for correct scoping
- Expand .gitignore: target/, build/, *.so, *.log, rgl_data.db, env.fish
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add lock_or_recover() helper in bridge.rs and server.rs to handle
poisoned mutexes gracefully instead of panicking
- Replace expect() in db::init() with proper error logging and early
return so DB init failures don't crash the process
- Replace Response::builder().unwrap() with tuple .into_response()
pattern in server.rs HTTP handlers
- Handle condvar poison in bridge::request_lua_exec_sync_wait
- All errors now logged via logging::log() for visibility in admin panel
- Remove unused `use body::Body` import
- Zero unwrap()/expect() remaining outside #[cfg(test)]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename http_framework/ws_server.lua → rgl_framework.lua and update
all internal references (log path, script name, init message)
- Replace debug eprintln!() in bridge.rs with logging::log() calls
so bridge diagnostics go to log file and admin panel instead of stderr
- Add DEBUG logs: bridge requests/polls, WS connect/disconnect,
API timeout warnings, DB batch JSON parse errors
- Move log file from /sdcard/Download/ to getWorkingDirectory()/logs/
with auto-creation of logs/ directory in logging::init()
- Remove unused debug_pending_count() from bridge.rs
- Add project documentation: CLAUDE.md, docs/MODULE_GUIDE.md,
docs/LIB_REFERENCE.md, docs/TASKS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Regela