Public-flip prep: env-driven keystore, README, hardened cleartext, leaner docs

- app/build.gradle.kts: remove hardcoded keystore password (was 'adacam-varroa-2026' in 4 spots across a duplicated signingConfigs block). Now reads VARROA_KEYSTORE_PATH + VARROA_KEYSTORE_PASSWORD + VARROA_KEY_PASSWORD from env. Password vaulted as 'Varroa — release keystore'. Drops orphan zxing/camera deps that aren't wired up. - app/src/main/res/xml/network_security_config.xml: tighten cleartext scope from global to just 192.168.0.10 (Bee AP). HTTPS strict for everything else. - app/src/main/java/.../api/AdaMapsApiClient.kt: drop apiKey.take(8) in log to apiKey.length — no need to leak prefix to logcat. - README.md: add. Public repo without one was a bad first impression. - docs/BEE-CAMERA.md: rewrite (811→467 lines). Keep all paths, pinouts, bus diagrams, depthai/VPU/xlink details, intercept architecture. Strip Executive-Summary framing, verdict box, phased roadmap, appendices. - docs/AIR-QUALITY-INTEGRATION.md: rewrite (712→369 lines). Keep BOM, sensor comparisons, wiring, IAQ calc, ingest endpoint shape. Strip feasibility-report scaffolding. - docs/AIR-API-PATCH.py: delete. Was a one-shot apply-and-discard patch script, not docs.
2026-05-27 10:30:02 -07:00 · 2026-05-27 10:30:02 -07:00 · 10883ebdb6
commit 10883ebdb6
parent 20e53e7850
7 changed files with 495 additions and 1283 deletions
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@ -11,10 +11,17 @@ android {

    signingConfigs {
        create("release") {
-            storeFile = file("/keystore/varroa-release.keystore")
-            storePassword = "adacam-varroa-2026"
-            keyAlias = "varroa-release"
-            keyPassword = "adacam-varroa-2026"
+            // Set VARROA_KEYSTORE_PATH / VARROA_KEYSTORE_PASSWORD / VARROA_KEY_PASSWORD
+            // before assembleRelease — see vault item "Varroa — release keystore".
+            val ksPath = System.getenv("VARROA_KEYSTORE_PATH")
+            val ksPass = System.getenv("VARROA_KEYSTORE_PASSWORD")
+            val keyPass = System.getenv("VARROA_KEY_PASSWORD") ?: ksPass
+            if (ksPath != null && ksPass != null) {
+                storeFile = file(ksPath)
+                storePassword = ksPass
+                keyAlias = "varroa-release"
+                keyPassword = keyPass
+            }
        }
    }

@ -30,15 +37,6 @@ android {
        }
    }

-    signingConfigs {
-        create("release") {
-            storeFile = file("/keystore/varroa-release.keystore")
-            storePassword = "adacam-varroa-2026"
-            keyAlias = "varroa-release"
-            keyPassword = "adacam-varroa-2026"
-        }
-    }
-
    buildTypes {
        release {
            isMinifyEnabled = false
@ -89,19 +87,9 @@ dependencies {
    implementation(libs.osmdroid.android)
    implementation(libs.datastore.preferences)
    implementation(libs.coil.compose)
-    // Room (local database)
    implementation(libs.room.runtime)
    implementation(libs.room.ktx)
    ksp(libs.room.compiler)
-    // WorkManager (background uploads)
    implementation(libs.work.runtime.ktx)
-    // SSH connectivity for device_id fallback
-
-    // QR Code scanning
-    implementation("com.google.zxing:core:3.5.2")
-    implementation("com.journeyapps:zxing-android-embedded:4.3.0")
-    implementation("androidx.camera:camera-camera2:1.3.0")
-    implementation("androidx.camera:camera-lifecycle:1.3.0")
-    implementation("androidx.camera:camera-view:1.3.0")
    debugImplementation(libs.androidx.ui.tooling)
 }
--- a/app/src/main/java/com/adamaps/varroa/api/AdaMapsApiClient.kt
+++ b/app/src/main/java/com/adamaps/varroa/api/AdaMapsApiClient.kt
@ -57,7 +57,7 @@ class AdaMapsApiClient(

    fun updateConfig(url: String, key: String) {
        val oldUrl = apiUrl
-        val oldKeyPrefix = apiKey.take(8)
+        val oldKeyPrefix = apiKey.length
        apiUrl = url.trimEnd('/')
        apiKey = key
        Log.d(TAG, "AdaMaps config updated - URL: $oldUrl -> $apiUrl, Key: ${oldKeyPrefix}... -> ${key.take(8)}...")
@ -80,7 +80,7 @@ class AdaMapsApiClient(
                .post(body)
                .build()
                
-            Log.d(TAG, "Sending POST request with key: ${apiKey.take(8)}...")
+            Log.d(TAG, "Sending POST request with key: ${apiKey.length}...")
            client.newCall(req).execute().use { resp ->
                val respBody = resp.body?.string() ?: ""
                Log.d(TAG, "HTTP ${resp.code} ${resp.message} - response length: ${respBody.length}")
--- a/app/src/main/res/xml/network_security_config.xml
+++ b/app/src/main/res/xml/network_security_config.xml
@ -1,4 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
-    <base-config cleartextTrafficPermitted="true" />
+    <!-- HTTPS strict everywhere by default. -->
+    <base-config cleartextTrafficPermitted="false" />
+
+    <!-- Bee AP runs HTTP on the device-AP subnet — there's no real
+         alternative without breaking the Bee protocol. Scope the
+         cleartext exception to just that one host. -->
+    <domain-config cleartextTrafficPermitted="true">
+        <domain includeSubdomains="false">192.168.0.10</domain>
+    </domain-config>
 </network-security-config>