Claude/investigate android issue r tl yp

.github/workflows/android.yml

@@ -109,6 +109,33 @@ jobs:
           mkdir -p apps/mobile/android/app
           echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > apps/mobile/android/app/release.keystore
 
+      - name: Restore debug keystore
+        # Without this, gradle generates a fresh ~/.android/debug.keystore on
+        # every CI run, so the APK signing cert (and its SHA-256) changes
+        # every build. Storing a stable keystore as a secret keeps the
+        # SHA-256 stable so ANDROID_ASSETLINKS_SHA256 on tempest-web does
+        # not need updating every build. Generate the secret value with
+        # scripts/gen-debug-keystore.sh.
+        env:
+          ANDROID_DEBUG_KEYSTORE_BASE64: ${{ secrets.ANDROID_DEBUG_KEYSTORE_BASE64 }}
+        run: |
+          if [ "$BUILD_TYPE" != "debug" ]; then
+            exit 0
+          fi
+          if [ -z "$ANDROID_DEBUG_KEYSTORE_BASE64" ]; then
+            echo "::warning::ANDROID_DEBUG_KEYSTORE_BASE64 secret is unset;" \
+                 "this debug APK will be signed by a fresh per-runner" \
+                 "keystore, so the SHA-256 changes every run. Run" \
+                 "scripts/gen-debug-keystore.sh, base64 the output, and add" \
+                 "it as the ANDROID_DEBUG_KEYSTORE_BASE64 repo secret to" \
+                 "stabilize it."
+            exit 0
+          fi
+          mkdir -p "$HOME/.android"
+          echo "$ANDROID_DEBUG_KEYSTORE_BASE64" | base64 -d > "$HOME/.android/debug.keystore"
+          chmod 600 "$HOME/.android/debug.keystore"
+          echo "Restored stable debug keystore from secret."
+
       - name: Assemble APK
         working-directory: apps/mobile/android
         env:

.github/workflows/gen-debug-keystore.yml

@@ -0,0 +1,52 @@
+name: gen-debug-keystore
+
+# One-shot helper that generates a stable Android debug keystore so the
+# main android workflow can sign every debug APK with the same cert.
+# Run from GitHub: Actions tab > "gen-debug-keystore" > Run workflow.
+# The run uploads two files as a downloadable artifact and prints the
+# SHA-256 fingerprint as a notice. From there you can:
+#   1. Copy the SHA-256 from the run log into the
+#      ANDROID_ASSETLINKS_SHA256 env var on the tempest-web service.
+#   2. Download the artifact, open debug.keystore.b64 in a text editor,
+#      copy the contents into a new repo secret named
+#      ANDROID_DEBUG_KEYSTORE_BASE64.
+# After that the android workflow uses this stable keystore for every
+# debug build, so the SHA-256 stops changing.
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 21
+
+      - name: Generate keystore
+        run: |
+          chmod +x scripts/gen-debug-keystore.sh
+          mkdir -p out
+          scripts/gen-debug-keystore.sh out/debug.keystore | tee out/README.txt
+
+      - name: Print SHA-256 prominently
+        run: |
+          SHA=$(keytool -list -v -keystore out/debug.keystore \
+            -alias androiddebugkey -storepass android -keypass android 2>/dev/null \
+            | awk -F': ' '/SHA256:/{print $2; exit}')
+          echo "::notice::SHA-256 for ANDROID_ASSETLINKS_SHA256: $SHA"
+          echo "$SHA" > out/sha256.txt
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: tempest-debug-keystore
+          path: out/
+          if-no-files-found: error
+          retention-days: 1

scripts/gen-debug-keystore.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+# Creates a stable Android debug keystore so CI debug builds produce a
+# fixed signing cert (and therefore a fixed SHA-256 for asset links).
+#
+# Output:
+#   ./debug.keystore                  - the keystore itself
+#   ./debug.keystore.b64              - base64 of the keystore, ready to
+#                                       paste into the
+#                                       ANDROID_DEBUG_KEYSTORE_BASE64
+#                                       repo secret
+#   prints the SHA-256 fingerprint to stdout for use in
+#   ANDROID_ASSETLINKS_SHA256.
+#
+# Uses the standard Android debug-build credentials (alias
+# androiddebugkey, storepass/keypass "android") so gradle's default
+# debug signing config picks it up without further configuration.
+
+set -eu
+
+OUT="${1:-debug.keystore}"
+
+if [ -f "$OUT" ]; then
+  echo "$OUT already exists, refusing to overwrite. Pass a different path or remove it first." >&2
+  exit 1
+fi
+
+keytool -genkeypair -v \
+  -keystore "$OUT" \
+  -storetype PKCS12 \
+  -storepass android \
+  -alias androiddebugkey \
+  -keypass android \
+  -keyalg RSA \
+  -keysize 2048 \
+  -validity 10000 \
+  -dname "CN=Android Debug,O=Android,C=US" >/dev/null
+
+base64 < "$OUT" > "$OUT.b64"
+
+SHA=$(keytool -list -v -keystore "$OUT" -alias androiddebugkey \
+  -storepass android -keypass android 2>/dev/null \
+  | awk -F': ' '/SHA256:/{print $2; exit}')
+
+echo
+echo "Generated $OUT and $OUT.b64."
+echo
+echo "1. Add the contents of $OUT.b64 as a GitHub Actions repo secret:"
+echo "     name:  ANDROID_DEBUG_KEYSTORE_BASE64"
+echo "     value: (paste the entire contents of $OUT.b64)"
+echo
+echo "2. Add this SHA-256 to the ANDROID_ASSETLINKS_SHA256 env var on the"
+echo "   tempest-web Railway service, then redeploy:"
+echo "     $SHA"
+echo
+echo "3. Rebuild the Android app. The signing cert SHA-256 will now stay"
+echo "   the same across runs."