feat(android): Plan C toolchain — Live Reload + CI release builds, no devcontainer SDK

Toolchain decision locked: devcontainer stays lean (no Java, no Android
SDK). Windows host gets JDK 17 + Android command-line tools only (~1GB,
no IDE). Release AABs build in GitHub Actions. No emulator — real Pixel
phone over USB + Capacitor Live Reload.

What's in this commit:

- `capacitor.config.ts` honours `CAP_SERVER_URL` env var so the WebView
  loads from a dev server (Live Reload) instead of the bundled assets.
  Empty in release builds.
- `scripts/android-dev.js` detects the WSL LAN IP and prints the exact
  Powershell commands to `cap sync` + `gradlew installDebug` with the
  dev URL baked in. Plus the optional netsh portproxy + firewall rule
  for stubborn Wi-Fi setups.
- `npm run android:dev` script wires the above.
- `.github/workflows/android-release.yml` — debug APK on every `v*-android`
  tag (always; uploaded as a workflow artifact), signed release AAB only
  when the four ANDROID_* repo secrets are set. The release path is wired
  but dormant until the user generates a keystore.
- `app/android/app/build.gradle` — signingConfigs.release pulls from env
  vars (ANDROID_KEY_ALIAS / _PASSWORD / _STORE_PASSWORD) plus a
  base64-decoded keystore at `keystore/release.keystore`. Falls back to
  the debug key when secrets are absent.
- `app/android/.gitignore` — `*.keystore`, `*.jks`, `keystore/` to make
  sure a decoded keystore can never be committed.
- `docs/dev/android-build-handover.md` rewritten for Plan C: one-time
  Windows host setup, day-to-day Live Reload loop, release-build
  walkthrough, Play / F-Droid status.

Plan C reasoning: emulators on WSL2 are broken (no GPU passthrough), real
meditation-timer testing has to happen on a real phone anyway (OEM
battery quirks are the actual risk we're hardening against), so the
emulator + Android Studio install isn't worth the bloat. Live Reload
keeps the inner loop fast; CI handles the slow-but-rare release path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: InfantLab

.github/workflows/android-release.yml

@@ -0,0 +1,127 @@
+name: Android Release
+
+on:
+  push:
+    tags:
+      # Build a release AAB on tags like v0.7.0-android, v0.7.1-android, etc.
+      - "v*-android"
+  workflow_dispatch:
+    inputs:
+      apiBaseUrl:
+        description: "API base URL to bake into the APK (default: https://tada.living)"
+        required: false
+        default: "https://tada.living"
+
+permissions:
+  contents: write
+
+concurrency:
+  group: android-release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  build:
+    name: Build Android APK + AAB
+    runs-on: ubuntu-latest
+
+    env:
+      NUXT_TYPESCRIPT_TYPECHECK: "false"
+      NUXT_PUBLIC_API_BASE_URL: ${{ github.event.inputs.apiBaseUrl || 'https://tada.living' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: "17"
+
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
+        with:
+          packages: "platform-tools platforms;android-34 build-tools;34.0.0"
+
+      - name: Install dependencies
+        working-directory: ./app
+        run: bun install --frozen-lockfile
+
+      - name: Build static web bundle (build:capacitor)
+        working-directory: ./app
+        run: bun run build:capacitor
+
+      - name: Sync Capacitor → Android project
+        working-directory: ./app
+        run: bunx cap sync android
+
+      - name: Resolve gradle wrapper permissions
+        working-directory: ./app/android
+        run: chmod +x gradlew
+
+      # ── Debug APK ─────────────────────────────────────────────
+      # Always builds; uploads as a CI artifact so we can sideload
+      # it onto a test device without setting up signing secrets.
+      - name: Build debug APK
+        working-directory: ./app/android
+        run: ./gradlew assembleDebug
+
+      - name: Upload debug APK artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tada-debug-apk
+          path: app/android/app/build/outputs/apk/debug/app-debug.apk
+          retention-days: 14
+
+      # ── Release AAB (only when signing secrets exist) ─────────
+      - name: Decode release keystore
+        if: env.HAS_SIGNING_KEY == 'true'
+        env:
+          HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }}
+          ANDROID_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY }}
+        run: |
+          mkdir -p app/android/app/keystore
+          echo "$ANDROID_SIGNING_KEY" | base64 -d > app/android/app/keystore/release.keystore
+
+      - name: Build release AAB
+        if: env.HAS_SIGNING_KEY == 'true'
+        working-directory: ./app/android
+        env:
+          HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }}
+          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
+          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
+          ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
+        run: ./gradlew bundleRelease
+
+      - name: Upload release AAB artifact
+        if: env.HAS_SIGNING_KEY == 'true'
+        env:
+          HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: tada-release-aab
+          path: app/android/app/build/outputs/bundle/release/app-release.aab
+          retention-days: 90
+
+      - name: Attach artifacts to GitHub release
+        if: startsWith(github.ref, 'refs/tags/v') && env.HAS_SIGNING_KEY == 'true'
+        env:
+          HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "${{ github.ref_name }}" \
+            app/android/app/build/outputs/bundle/release/app-release.aab \
+            app/android/app/build/outputs/apk/debug/app-debug.apk \
+            --clobber
+
+      - name: Note when release AAB skipped
+        if: env.HAS_SIGNING_KEY != 'true'
+        env:
+          HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }}
+        run: |
+          echo "::notice title=Release AAB skipped::Signing secrets (ANDROID_SIGNING_KEY/_ALIAS/_PASSWORD/_STORE_PASSWORD) are not set. Debug APK uploaded as an artifact only."

app/android/.gitignore

@@ -6,6 +6,11 @@
 *.ap_
 *.aab
 
+# Signing keystores — never commit
+*.keystore
+*.jks
+keystore/
+
 # Files for the ART/Dalvik VM
 *.dex
 

app/android/app/build.gradle

@@ -16,10 +16,33 @@ android {
             ignoreAssetsPattern = '!.svn:!.git:!.ds_store:!*.scc:.*:!CVS:!thumbs.db:!picasa.ini:!*~'
         }
     }
+    // Release signing pulled from env vars so the keystore never lives in
+    // source. CI sets ANDROID_SIGNING_KEY (base64-decoded into
+    // keystore/release.keystore) plus ANDROID_KEY_ALIAS/_PASSWORD/_STORE_PASSWORD.
+    // Locally, leave them unset and assembleRelease will use the debug key.
+    signingConfigs {
+        release {
+            def keystoreFile = file("keystore/release.keystore")
+            if (keystoreFile.exists()
+                && System.getenv("ANDROID_KEY_ALIAS")
+                && System.getenv("ANDROID_KEY_PASSWORD")
+                && System.getenv("ANDROID_STORE_PASSWORD")) {
+                storeFile = keystoreFile
+                keyAlias = System.getenv("ANDROID_KEY_ALIAS")
+                keyPassword = System.getenv("ANDROID_KEY_PASSWORD")
+                storePassword = System.getenv("ANDROID_STORE_PASSWORD")
+            }
+        }
+    }
     buildTypes {
         release {
             minifyEnabled false
             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
+            // Only attach the release signing config when the keystore is present.
+            if (file("keystore/release.keystore").exists()
+                && System.getenv("ANDROID_KEY_ALIAS")) {
+                signingConfig = signingConfigs.release
+            }
         }
     }
 }

app/capacitor.config.ts

@@ -26,6 +26,17 @@ const config: CapacitorConfig = {
     // self-hosters add their own at first-run via the API server picker
     // (Phase 2.4); we whitelist tada.living up-front for the default flow.
     allowNavigation: ["tada.living", "*.tada.living"],
+    // Live Reload during development: set CAP_SERVER_URL to point the
+    // WebView at a Nuxt dev server (e.g. on the WSL devcontainer LAN
+    // address). When set, Capacitor loads from that URL instead of the
+    // bundled `webDir`, so HMR pushes JS/CSS changes straight to the
+    // phone. Empty in release builds — use only via `npm run android:dev`.
+    ...(process.env["CAP_SERVER_URL"]
+      ? {
+          url: process.env["CAP_SERVER_URL"],
+          cleartext: true,
+        }
+      : {}),
   },
 
   android: {

app/package.json

@@ -10,6 +10,7 @@
     "build:docker": "node scripts/capture-git-info.js && NUXT_TYPESCRIPT_TYPECHECK=false nuxt build",
     "build:capacitor": "node scripts/capture-git-info.js && NUXT_TYPESCRIPT_TYPECHECK=false NUXT_PUBLIC_API_BASE_URL=${NUXT_PUBLIC_API_BASE_URL:-https://tada.living} nuxt generate",
     "android:sync": "npm run build:capacitor && npx cap sync android",
+    "android:dev": "node scripts/android-dev.js",
     "android:open": "npx cap open android",
     "android:run": "npx cap run android",
     "android:assets": "npx @capacitor/assets generate --android --assetPath assets/capacitor --iconBackgroundColor #10b981 --iconBackgroundColorDark #10b981 --splashBackgroundColor #10b981 --splashBackgroundColorDark #0c8e6f",

app/scripts/android-dev.js

@@ -0,0 +1,84 @@
+#!/usr/bin/env node
+/**
+ * Prints the LAN address the Capacitor WebView should point at and the
+ * Windows-side commands to wire it up.
+ *
+ * Plan C workflow (see memory: v0.7.0 Android toolchain decision):
+ *
+ *   1. WSL devcontainer runs `bun run dev` on port 3000.
+ *   2. Phone (on the same Wi-Fi) needs to load the WSL IP.
+ *   3. The Windows host runs `cap sync android` + `gradlew installDebug`
+ *      with CAP_SERVER_URL pointing at this address, so the installed APK
+ *      points to the dev server.
+ *   4. Save a file in the devcontainer → HMR pushes to the phone.
+ *
+ * This script just figures out the right URL and prints copy-pasteable
+ * commands. The actual installDebug runs on Windows.
+ */
+
+import { execSync } from "node:child_process";
+import { networkInterfaces } from "node:os";
+
+const port = process.env.PORT ?? "3000";
+
+function detectLanIp() {
+  // Try the WSL-detected ethernet first.
+  const ifaces = networkInterfaces();
+  for (const name of Object.keys(ifaces)) {
+    if (name === "lo" || name.startsWith("docker") || name.startsWith("br-")) continue;
+    for (const addr of ifaces[name] ?? []) {
+      if (addr.family === "IPv4" && !addr.internal) return addr.address;
+    }
+  }
+
+  // Fallback: ask ip route.
+  try {
+    const out = execSync("ip route get 1.1.1.1", { encoding: "utf8" });
+    const match = out.match(/src\s+(\d+\.\d+\.\d+\.\d+)/);
+    if (match) return match[1];
+  } catch {
+    // ignore
+  }
+
+  return null;
+}
+
+const ip = detectLanIp();
+if (!ip) {
+  console.error("Could not detect a LAN IP. Run `ip addr` and set CAP_SERVER_URL manually.");
+  process.exit(1);
+}
+
+const url = `http://${ip}:${port}`;
+
+console.log("");
+console.log("─ Capacitor Live Reload — Plan C workflow ─────────────────────────");
+console.log("");
+console.log(`Dev-server URL the phone WebView should load:  ${url}`);
+console.log("");
+console.log("Step 1. In this devcontainer, in another terminal:");
+console.log("");
+console.log("    bun run dev");
+console.log("");
+console.log("Step 2. On Windows (Powershell, in the app/ directory):");
+console.log("");
+console.log(`    $env:CAP_SERVER_URL = "${url}"`);
+console.log("    bunx cap sync android");
+console.log("    cd android");
+console.log("    ./gradlew installDebug");
+console.log("");
+console.log("Step 3. Open Ta-Da! on your phone. It will load from the WSL");
+console.log("        dev server, with HMR. Save a file here → phone updates.");
+console.log("");
+console.log("─ Notes ────────────────────────────────────────────────────────────");
+console.log("");
+console.log("• Phone must be on the same Wi-Fi as the laptop.");
+console.log("• WSL2 needs to expose port 3000 to the LAN. If your laptop's");
+console.log("  firewall blocks it, run this in elevated Powershell once:");
+console.log("");
+console.log(`    netsh interface portproxy add v4tov4 listenport=${port} listenaddress=0.0.0.0 connectport=${port} connectaddress=${ip}`);
+console.log(`    New-NetFirewallRule -DisplayName "WSL Nuxt dev" -Direction Inbound -Action Allow -Protocol TCP -LocalPort ${port}`);
+console.log("");
+console.log("• To go back to a self-contained debug APK (no Live Reload),");
+console.log("  unset CAP_SERVER_URL before running cap sync.");
+console.log("");