fix: pre-initialize mTLS flag from cert SAN/CN to handle TLS session resumption in Wear OS onboarding

When setting up a Wear OS device the mTLS certificate-selection screen
was silently skipped if TLS session resumption occurred, causing the
watch to register without a client certificate and the server to return
HTTP 400.

Root cause: isTLSClientAuthNeeded in TLSWebViewClient is only set inside
onReceivedClientCertRequest. When the onboarding WebView reuses the main
app's existing TLS session (abbreviated handshake), the server never
issues a new CertificateRequest so the callback never fires — even with
ssl_session_tickets disabled on the server, because Android's Chromium
network stack maintains its own in-process TLS session cache.

Fix: add TLSWebViewClient.preInitializeTLSClientAuthState(targetHost)
which inspects the in-memory certificate chain (if any) and checks
whether it covers targetHost by matching the server hostname against
the certificate's Subject Alternative Names (SANs) — both DNS names
with wildcard support (RFC 2818 §3.1) and IP addresses — falling back
to the Common Name (CN) for legacy certificates without SANs.

Matching against the certificate rather than mere private-key presence
eliminates the false positive raised in review: a user with multiple
servers where only Server A requires mTLS will no longer see the cert-
selection screen when onboarding a watch for Server B, because the
loaded certificate will not match Server B's hostname.

ConnectionViewModel.init extracts the hostname from rawUrl and passes
it to preInitializeTLSClientAuthState() before emitting the auth URL
so the navigation layer sees the correct value.

Also updates ConnectionViewModelTest: the two existing private-key-
presence tests are replaced with five cert-host matching tests covering
exact DNS SANs, wildcard DNS SANs, a cert for a different host, no
certificate chain present, and CN-only fallback.

Made-with: Cursor

Author: smhc

.editorconfig

@@ -0,0 +1,30 @@
+root = true
+
+[*]
+charset = utf-8
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+end_of_line = lf
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+indent_size = 2
+ij_yaml_spaces_within_braces = false
+ij_yaml_spaces_within_brackets = false
+
+[*.{kt,kts}]
+ktlint_code_style = android_studio
+# Disable wildcard imports
+ij_kotlin_name_count_to_use_star_import = 9999
+ij_kotlin_name_count_to_use_star_import_for_members = 9999
+# ktlint overrides
+ktlint_function_naming_ignore_when_annotated_with=Composable
+ij_kotlin_allow_trailing_comma_on_call_site = true
+ij_kotlin_allow_trailing_comma = true
+# Disable converting functions to expression bodies
+ktlint_standard_function-expression-body = disabled
+max_line_length = 120
+
+[**/test/**.kt]
+max_line_length = off

.git-blame-ignore-revs

@@ -0,0 +1,8 @@
+# Enforce trailing comma
+93871a5e078ffaf6d7809e298592703f89e78530
+
+# Update dependency org.jlleitschuh.gradle.ktlint to v13 (max line length 120)
+a2eb66ee40bf1d8e4b0624502d1e2668bd7cc447
+
+# Replace android.util.Log with timber.log.Timber
+5c6c6e149fea2c2e406d4d7a53434ff932c40c56

.gitattributes

@@ -0,0 +1,37 @@
+# Set default behavior to automatically normalize line endings
+* text=auto
+
+# Explicitly declare text files you want to always be normalized and converted to native line endings on checkout.
+*.kt text
+*.kts text
+*.xml text
+*.gradle text
+*.md text
+*.json text
+*.yml text
+*.yaml text
+*.toml text
+*.properties text
+*.pro text
+*.txt text
+*.bash text eol=lf
+*.css text diff=css
+*.sh text eol=lf
+
+# Declare binary files to be preserved as-is
+*.png binary
+*.jpg binary
+*.jar binary
+
+# Custom merge driver for Gradle lock files
+gradle.lockfile merge=union
+
+# Ensure shell scripts have UNIX line endings
+*.sh text eol=lf
+
+# Ensure Windows batch files have CRLF line endings
+*.bat text eol=crlf
+
+# Handle Android Studio specific files
+*.iml text
+*.idea/** text

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,44 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+<!-- READ THIS FIRST:
+- Make sure you run the latest version of the Android app
+- Make sure you run the latest version of Home Assistant
+- Make sure to check the Companion docs for troubleshooting and configuration: https://companion.home-assistant.io/
+- Make sure the bug you found is not already reported, we love to put work in bugfixes instead of closing duplicate bug reports
+  DO NOT DELETE ANY TEXT from this template! All requested information is important.
+-->
+
+<!-- If you are reporting an issue for Wear OS please list both devices for the below 3 fields -->
+**Home Assistant Android app version(s):**
+
+**Android version(s):**
+
+**Device model(s):**
+
+**Home Assistant version:**
+
+**Last working Home Assistant release (if known):**
+
+**Description of problem, include YAML if issue is related to notifications:**
+
+<!--
+- For Wear OS devices we will need the LogCat logs from the device.
+- For Android Auto the logs can be retrieved from the connected device.
+- Logs from the device can be taken from Settings > Companion App Troubleshooting > Show and Share Logs
+-->
+**Companion App Logs:**
+
+```
+
+```
+
+**Screenshot or video of problem:**
+
+**Additional information:**

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,20 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Issue or suggestion for the app documentation
+    url: https://github.com/home-assistant/companion.home-assistant/issues
+    about: Please report any errors, missing information, or suggestions for the companion app documentation here.
+  - name: Issue or suggestion for the developer documentation
+    url: https://github.com/home-assistant/developers.home-assistant/issues
+    about: Please report any errors, missing information, or suggestions for the developer documentation here.
+  - name: Request a feature for the Android application
+    url: https://github.com/orgs/home-assistant/discussions/new?category=android
+    about: Request a new feature for the Android application.
+  - name: Problem with your dashboard
+    url: https://github.com/home-assistant/frontend/issues
+    about: Most of the app's interface is provided by the Home Assistant frontend (WebView). Please report dashboard issues here.
+  - name: I have a question or need support
+    url: https://www.home-assistant.io/help
+    about: GitHub is for tracking bugs and feature requests. For help and support, please visit our help page.
+  - name: I'm not sure where to go
+    url: https://www.home-assistant.io/join-chat
+    about: If you're unsure where to report your issue or ask your question, join our chat and we'll help

.github/ISSUE_TEMPLATE/task.yml

@@ -0,0 +1,53 @@
+name: Task
+description: For staff only - Create a task
+type: Task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## ⚠️ RESTRICTED ACCESS
+
+        **This form is restricted to Open Home Foundation staff and authorized contributors only.**
+
+        If you are a community member wanting to contribute, please:
+        - For bug reports: Use the [bug report form](https://github.com/home-assistant/android/issues/new?template=Bug_report.md)
+        - For feature requests: Submit to [Feature Requests](https://github.com/orgs/home-assistant/discussions)
+
+        ---
+
+        ### For authorized contributors
+
+        Use this form to create tasks for development work, improvements, or other actionable items that need to be tracked.
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: |
+        Provide a clear and detailed description of the task that needs to be accomplished.
+
+        Be specific about what needs to be done, why it's important, and any constraints or requirements.
+      placeholder: |
+        Describe the task, including:
+        - What needs to be done
+        - Why this task is needed
+        - Expected outcome
+        - Any constraints or requirements
+    validations:
+      required: true
+  - type: textarea
+    id: additional_context
+    attributes:
+      label: Additional context
+      description: |
+        Any additional information, links, research, or context that would be helpful.
+
+        Include links to related issues, research, prototypes, roadmap opportunities etc.
+      placeholder: |
+        - Roadmap opportunity: [link]
+        - Epic: [link]
+        - Feature request: [link]
+        - Technical design documents: [link]
+        - Prototype/mockup: [link]
+        - Dependencies: [links]
+    validations:
+      required: false

.github/actions/create-release-notes/action.yml

@@ -0,0 +1,61 @@
+name: "Create Release Notes"
+description: "Creates the current releases release notes"
+inputs:
+  tag-name:
+    description: "Name of the tag that will be used for this release"
+    required: true
+  gh-token:
+    description: "The GitHub token used to get details from the API"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Previous Release Tag
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      id: latest-release-tag
+      with:
+        github-token: ${{ inputs.gh-token }}
+        result-encoding: string
+        script: |
+          const { data } = await github.rest.repos.getLatestRelease({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+          })
+          return data.tag_name
+    - name: Get Generated Release Notes
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      id: generate-notes
+      env:
+        TAG_NAME: ${{ inputs.tag-name }}
+        PREVIOUS_TAG: ${{ steps.latest-release-tag.outputs.result }}
+      with:
+        github-token: ${{ inputs.gh-token }}
+        result-encoding: string
+        script: |
+          const { data } = await github.rest.repos.generateReleaseNotes({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            tag_name: process.env.TAG_NAME,
+            target_commitish: 'main',
+            previous_tag_name: process.env.PREVIOUS_TAG,
+          })
+          return data.body.replaceAll('`', '\'').replaceAll('"', '\'')
+    - name: Generate Release Notes
+      id: version-generator
+      shell: bash
+      env:
+        PREVIOUS_TAG: ${{ steps.latest-release-tag.outputs.result }}
+        CHANGELOG: ${{ steps.generate-notes.outputs.result }}
+      run: |
+        mkdir -p ./app/build/outputs/
+
+        echo "Previous Release Tag:"
+        echo "$PREVIOUS_TAG"
+
+        echo "Full Changelog:"
+        echo -e "$CHANGELOG"
+        printf "%s" "$CHANGELOG" > ./app/build/outputs/changelogGithub
+
+        echo "Beta Changelog:"
+        git log --format="* %s" HEAD^..HEAD
+        git log --format="* %s" HEAD^..HEAD > ./app/build/outputs/changelogBeta

.github/actions/create-release-number/action.yml

@@ -0,0 +1,27 @@
+name: "Create Release Numbers"
+description: "Creates the current release number based on checked out code"
+outputs:
+  version-code:
+    description: "The numeric app version"
+    value: ${{ steps.version-generator.outputs.version-code }}
+  version:
+    description: "The app version"
+    value: ${{ steps.version-generator.outputs.version }}
+runs:
+  using: "composite"
+  steps:
+    - name: Set Build Number
+      id: version-generator
+      shell: bash
+      run: |
+        ./gradlew versionFile
+        COMMITS=`git rev-list --count HEAD`
+        TAGS=`git tag | grep -v beta | wc -l`
+        VC=$((((COMMITS+TAGS) * 3) << 1))
+        echo Number Commits $COMMITS
+        echo Number Tags $TAGS
+        echo Version Code $VC
+        echo "version-code=$VC" >> $GITHUB_OUTPUT
+        VERSION=`cat version.txt`
+        echo Version $VERSION
+        echo "version=$VERSION" >> $GITHUB_OUTPUT

.github/actions/download-translations/action.yml

@@ -0,0 +1,56 @@
+name: "Download Translations"
+description: "Reaches out to Lokalise to download the latest translations."
+inputs:
+  lokalise-project:
+    description: "The project id in lokalise"
+    required: true
+  lokalise-token:
+    description: "An API token that has read access to the desired project"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Translations
+      id: translations
+      shell: bash
+      env:
+        LOKALISE_PROJECT: ${{ inputs.lokalise-project }}
+        LOKALISE_TOKEN: ${{ inputs.lokalise-token }}
+      run: |
+        ZIP=`\
+          curl --location --request POST "https://api.lokalise.com/api2/projects/${LOKALISE_PROJECT}/files/download" \
+            --header "X-Api-Token: ${LOKALISE_TOKEN}" \
+            --header 'Content-Type: application/json' \
+            --data-raw '{
+                "format": "xml",
+                "original_filenames": false,
+                "bundle_structure": "common/src/main/res/values-%LANG_ISO%/strings.%FORMAT%",
+                "add_newline_eof": true,
+                "replace_breaks": true,
+                "export_empty_as": "skip"
+            }' \
+          | jq -r '.bundle_url' \
+        `
+
+        echo "Download Ready: $ZIP"
+
+        curl "$ZIP" --output strings.zip
+
+        echo "Download Complete, unzipping"
+        unzip -n strings.zip
+        echo "Unzipped strings, generating locales_config.xml"
+
+        XML_START='<?xml version="1.0" encoding="utf-8"?>\n<locale-config xmlns:android="http://schemas.android.com/apk/res/android">\n'
+        XML_LOCALES=''
+        XML_END='</locale-config>'
+        for i in common/src/main/res/values*/strings.xml; do
+          FOLDER="$(basename $(dirname $i))"
+          CODE="${FOLDER#*-}" # remove "values-"
+          CODE="${CODE/-r/-}" # replace region "-rXX" with "-XX"
+          if [ "$CODE" == "values" ]; then CODE="en"; fi
+          XML_LOCALES="$XML_LOCALES    <locale android:name=\"$CODE\"/>\n"
+        done
+        printf "$XML_START$XML_LOCALES$XML_END" > app/src/main/res/xml/locales_config.xml
+        printf "$XML_START$XML_LOCALES$XML_END" > wear/src/main/res/xml/locales_config.xml
+
+        echo "Complete"