Auth system (new rust_core/src/auth.rs):
- Secret generated at startup, stored in /data/data/ or /sdcard/Android/data/
(not accessible to other apps). Never exposed via FFI.
- Credentials encrypted with secret, stored in separate `auth` DB table
(modules can't access through kv API)
- HTTP middleware checks Basic auth or Bearer token on /api/* and /ws
- Admin panel Auth tab for setting/clearing credentials
- FFI: rgl_auth_init, rgl_auth_set, rgl_auth_clear, rgl_auth_enabled
Integration tests (28 total, was 7):
- bridge.rs: request/response cycle, unique IDs, timeout, event broadcast
- events.rs: win1251 roundtrip, color parsing, HTML escaping
- auth.rs: XOR roundtrip, secret generation, Basic/Bearer auth
Other fixes:
- Make cjson a hard requirement (remove broken fallback JSON encoder)
- Replace io.popen('ls') with pcall-wrapped list_module_dirs() helper
- Fix console serialize: add local, move above M.init()
- Clear all medium tasks from TASKS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Regela
e6191124ed