Skip to content

Commit 7008eed

Browse files
authored
Merge pull request #1 from melodee-project/sph.2026-05-25.01
v1.8.0
2 parents b150ac0 + aecdd1b commit 7008eed

51 files changed

Lines changed: 2081 additions & 1020 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/FUNDING.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
ko_fi: sphildreth

.github/workflows/android.yml

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -15,11 +15,11 @@ jobs:
1515
- name: Checkout
1616
uses: actions/checkout@v4
1717

18-
- name: Set up JDK 17
18+
- name: Set up JDK 21
1919
uses: actions/setup-java@v4
2020
with:
2121
distribution: temurin
22-
java-version: '17'
22+
java-version: '21'
2323

2424
- name: Cache Gradle
2525
uses: actions/cache@v4
@@ -34,6 +34,9 @@ jobs:
3434
- name: Set up Android SDK
3535
uses: android-actions/setup-android@v3
3636

37+
- name: Install Android SDK packages
38+
run: sdkmanager "platforms;android-36" "build-tools;36.0.0" "platform-tools"
39+
3740
- name: Grant execute permission for gradlew
3841
working-directory: src
3942
run: chmod +x gradlew
@@ -44,12 +47,12 @@ jobs:
4447

4548
- name: Run Unit Tests
4649
working-directory: src
47-
run: ./gradlew testDebugUnitTest --stacktrace
50+
run: ./gradlew :app:testDebugUnitTest --stacktrace
4851

4952
- name: Run Instrumented Tests (emulator)
5053
if: false # enable when emulator is set up
5154
working-directory: src
52-
run: ./gradlew connectedDebugAndroidTest --stacktrace
55+
run: ./gradlew :app:connectedDebugAndroidTest --stacktrace
5356

5457
- name: Benchmark (connected)
5558
if: false # enable when device/emulator available
@@ -58,5 +61,4 @@ jobs:
5861

5962
- name: Coverage Report
6063
working-directory: src
61-
run: ./gradlew jacocoTestReport --stacktrace
62-
64+
run: ./gradlew :app:jacocoTestReport --stacktrace

AGENTS.md

Lines changed: 118 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
# Coding Agent Instructions
2+
3+
These instructions apply to coding agents working in this repository.
4+
5+
## Project Shape
6+
7+
- The Git repository root is `melodee-player/`, but the Android Gradle project
8+
root is `melodee-player/src/`.
9+
- Run Gradle from `src/`, not from the repository root.
10+
- The app module is `src/app`; the macrobenchmark module is `src/benchmark`.
11+
- The app targets Melodee API v1 and Android SDK 36, with minSdk 23.
12+
- The local Android SDK path used in this workspace is
13+
`/home/steven/Android/Sdk`.
14+
15+
## Change Discipline
16+
17+
- Keep edits scoped to the requested behavior and existing architecture.
18+
- Do not revert user changes or unrelated workspace changes.
19+
- Prefer the existing Kotlin, Compose, Retrofit, Media3, coroutine, and
20+
SharedPreferences patterns before introducing new frameworks.
21+
- Treat authentication, Android Auto, media playback, API models, and Gradle
22+
configuration as high-risk areas. Add or update tests when touching them.
23+
- Do not add local app-data SQLite/Room persistence unless explicitly requested.
24+
Media3 already uses its own SQLite-backed cache metadata internally.
25+
26+
## Changelog
27+
28+
- Update `CHANGELOG.md` for every notable change before finishing work.
29+
- Add new entries under `## [Unreleased]` by default. If the user says the
30+
current version has not been released yet, or the task is explicitly part of
31+
an in-progress release section such as `## [1.8.0]`, update that active
32+
version section instead.
33+
- Follow the existing Keep a Changelog categories: `Added`, `Changed`,
34+
`Deprecated`, `Removed`, `Fixed`, and `Security`.
35+
- Include user-visible behavior changes, API compatibility changes,
36+
authentication/session changes, Android Auto changes, dependency/toolchain
37+
changes, security hardening, and important test coverage additions.
38+
- Do not add changelog entries for purely mechanical formatting changes unless
39+
they materially affect users, maintainers, CI, or release behavior.
40+
- Keep entries concise and factual. Mention the affected subsystem when useful.
41+
- If a task intentionally skips a changelog update, state why in the final
42+
response.
43+
44+
## README And Docs
45+
46+
- Keep `README.md` accurate when setup, build commands, API behavior,
47+
authentication behavior, Android Auto behavior, or project layout changes.
48+
- Some files under `docs/` are historical review/planning artifacts. Do not
49+
treat them as more authoritative than current source, Gradle files,
50+
`README.md`, and `CHANGELOG.md`.
51+
- If docs contradict source code, verify against source before editing.
52+
53+
## Authentication And API
54+
55+
- Preserve refresh tokens when API responses omit rotated refresh-token values.
56+
- Android Auto must be able to restore existing stored authentication without
57+
requiring the user to open the handheld UI again.
58+
- Invalid/rejected refresh tokens may clear authentication; transient refresh
59+
failures should keep stored credentials available for retry.
60+
- API contract changes should be covered by tests under
61+
`src/app/src/test/java/com/melodee/autoplayer/api` or related model tests.
62+
- The current OpenAPI reference used during this work was
63+
`/home/steven/Downloads/v1.json`; verify with the user before assuming that
64+
path is still current in future sessions.
65+
66+
## Android Auto And Playback
67+
68+
- `MusicService` is exported for Android Auto discovery; caller validation must
69+
remain strict before returning browse content.
70+
- Do not trust Android Auto callers by substring package-name checks. Use exact
71+
trusted packages and package/UID ownership checks.
72+
- UI playback state should be driven by service/manager flows where possible,
73+
not by UI-owned polling loops.
74+
- When changing playback state, verify handheld UI and Android Auto behavior:
75+
current song, play/pause, queue, metadata, notification controls, and auth
76+
restoration.
77+
78+
## Validation
79+
80+
- Always run:
81+
82+
```bash
83+
git diff --check
84+
```
85+
86+
- For Markdown-only changes, `git diff --check` is usually enough.
87+
- For test-only changes, run the targeted test class and preferably the full
88+
unit suite:
89+
90+
```bash
91+
cd src
92+
ANDROID_HOME=/home/steven/Android/Sdk ./gradlew testDebugUnitTest --stacktrace
93+
```
94+
95+
- For production Android code, build logic, shared models, authentication,
96+
Android Auto, networking, or playback changes, run the full build:
97+
98+
```bash
99+
cd src
100+
ANDROID_HOME=/home/steven/Android/Sdk ./gradlew build --stacktrace
101+
```
102+
103+
- Connected tests and benchmarks require a device or emulator:
104+
105+
```bash
106+
cd src
107+
ANDROID_HOME=/home/steven/Android/Sdk ./gradlew connectedDebugAndroidTest
108+
ANDROID_HOME=/home/steven/Android/Sdk ./gradlew :benchmark:connectedCheck
109+
```
110+
111+
- If a validation command cannot be run, explain why and report what was run
112+
instead.
113+
114+
## Final Response Expectations
115+
116+
- Summarize what changed, what was verified, and any residual risk.
117+
- Mention skipped validations explicitly.
118+
- Keep file references precise for important source or documentation changes.

CHANGELOG.md

Lines changed: 115 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,115 @@
1+
# Changelog
2+
3+
This file records notable project changes. It follows the
4+
[Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and uses
5+
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
6+
7+
## [1.8.0] - 2026-06-17
8+
9+
### Added
10+
11+
- Added encrypted SharedPreferences storage for authentication tokens, including
12+
migration of existing access-token, refresh-token, and refresh-token-expiry
13+
values out of the regular settings file.
14+
- Added refresh-token expiry persistence so refreshed authentication state can
15+
be saved alongside rotated access and refresh tokens.
16+
- Added an OkHttp `Authenticator`-based token refresh flow that retries 401
17+
responses with a refreshed access token and distinguishes invalid credentials
18+
from transient network or server failures.
19+
- Added a separate unauthenticated Retrofit/OkHttp client for refresh-token
20+
requests to avoid recursive authorization handling.
21+
- Added service-side playlist and search queue APIs so bound UI ViewModels can
22+
hand queues directly to `MusicService` without large Parcelable intent
23+
payloads.
24+
- Added playlist page-size tracking, in-flight next-page fetch reuse, and
25+
proactive page prefetching when playback nears the end of the current queue.
26+
- Added MediaBrowser caller validation for the exported Android Auto media
27+
service before exposing browse content.
28+
- Added debug-symbol keep rules for native libraries used by AndroidX graphics,
29+
benchmark, DataStore, and tracing dependencies.
30+
- Added focused authentication persistence tests for omitted refresh-token
31+
responses, refresh-token expiry retention, transient refresh failures, invalid
32+
refresh failures, and Android Auto service-side authentication restoration.
33+
- Added OpenAPI v1 contract tests covering authentication, refresh-token
34+
requests, playlist and favorite route placeholders, scrobble payloads and
35+
error responses, nullable refresh-token fields, and artist genre arrays.
36+
- Added repository instructions for coding agents requiring changelog updates
37+
for notable code, behavior, dependency, security, and documentation changes.
38+
- Added project-specific coding-agent guidance for nested Gradle usage,
39+
validation, authentication, API contracts, Android Auto, playback, and
40+
documentation expectations.
41+
42+
### Changed
43+
44+
- Updated the Android project version from `1.7.3` to `1.8.0`.
45+
- Raised the Android platform requirements from min SDK 21 / target SDK 35 to
46+
min SDK 23 / target SDK 36.
47+
- Updated the build toolchain to Gradle 9.5.1, Android Gradle Plugin 9.2.1, and
48+
JDK 21 in CI.
49+
- Updated Kotlin plugin usage for Kotlin 2.3.21 and Compose compiler plugin
50+
integration.
51+
- Updated major Android and Kotlin dependencies, including Compose BOM
52+
2026.05.01, Media3 1.10.1, Retrofit 3.0.0, OkHttp 5.3.2, Coroutines 1.11.0,
53+
Lifecycle 2.10.0, AndroidX media 1.8.0, Firebase BOM 34.13.0, and current
54+
test libraries.
55+
- Reduced HTTP logging in app and image-loading clients, redacted authorization
56+
headers, and disabled verbose request logging for non-debuggable builds.
57+
- Changed authentication failure handling so only non-recoverable refresh
58+
failures clear stored credentials, while transient refresh failures leave
59+
credentials available for later retries.
60+
- Changed single-song, playlist, search-result, and album playback setup to use
61+
service methods when the playback service is already bound.
62+
- Changed playlist playback intents to send playlist references and start
63+
metadata instead of serializing full song lists through intent extras.
64+
- Aligned the Retrofit v1 API contract with the current OpenAPI spec, including
65+
refresh-token authentication, playlist pagination query names, album-song
66+
browsing, scrobble requests, and v1 error payload parsing.
67+
- Updated README, documentation, review notes, and prompt artifacts for the
68+
SDK 36, JDK 21, Gradle 9.5.1, and dependency-version changes.
69+
- Updated the benchmark module to compile and target SDK 36 with the same JDK
70+
21 toolchain configuration as the app module.
71+
- Updated `HomeViewModel` and `PlaylistViewModel` to collect playback state,
72+
current song, playback context, duration, and position from service-backed
73+
flows instead of running UI-owned polling loops.
74+
- Updated `MusicService` and `MusicPlaybackManager` to expose and maintain
75+
flow-backed playback progress for bound UI consumers.
76+
- Updated the README to document current setup, API v1 authentication behavior,
77+
Android Auto behavior, testing commands, and repository layout.
78+
- Cleaned Android Studio commit-inspection warnings in playback, playlist,
79+
home, service, and model serialization code by removing dead helpers,
80+
simplifying redundant conditions, and keeping only intentional Android
81+
lifecycle suppressions.
82+
- Updated Android CI to explicitly install Android SDK 36 and run app-qualified
83+
unit-test and JaCoCo tasks from the nested Gradle project.
84+
85+
### Fixed
86+
87+
- Fixed token value leakage in logs by logging token presence instead of token
88+
prefixes.
89+
- Fixed refresh-token rotation persistence by saving new refresh tokens and
90+
refresh-token expiry values from network refresh callbacks.
91+
- Fixed Android Auto playlist continuation to avoid starting duplicate next-page
92+
fetches when playback reaches a queue boundary during an active prefetch.
93+
- Fixed queue navigation state updates by separating next/previous queue
94+
movement from immediate playback commands in the consolidated playback
95+
manager.
96+
- Fixed logout flow to route through `AuthenticationManager` when available so
97+
stored settings, network authentication state, and UI authentication state stay
98+
synchronized.
99+
- Fixed nullable refresh-token response handling so login and token refresh
100+
persistence tolerate v1 responses that omit rotated refresh-token values.
101+
- Fixed the JaCoCo report task so CI coverage uses debug unit-test execution
102+
data and non-instrumented app classes instead of requiring connected Android
103+
coverage.
104+
105+
### Security
106+
107+
- Moved sensitive authentication tokens from regular SharedPreferences to
108+
encrypted SharedPreferences when the platform keystore-backed implementation
109+
is available.
110+
- Reduced sensitive network logging by redacting authorization headers and
111+
disabling OkHttp body logging.
112+
- Kept the media browser service exported for Android Auto discovery while
113+
adding caller checks before returning a browser root.
114+
- Tightened Android Auto media browser caller classification by replacing
115+
package-name substring trust with exact trusted package matching.

0 commit comments

Comments
 (0)