verseles
diff --git a/‎.gitignore‎
Lines changed: 15 additions & 1 deletion b/‎.gitignore‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎CODEBASE.md‎
Lines changed: 12 additions & 11 deletions b/‎CODEBASE.md‎
Lines changed: 12 additions & 11 deletions
diff --git a/‎Makefile‎
Lines changed: 16 additions & 6 deletions b/‎Makefile‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 73 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎analysis_options.yaml‎
Lines changed: 32 additions & 22 deletions b/‎analysis_options.yaml‎
Lines changed: 32 additions & 22 deletions
diff --git a/‎lib/core/di/injection_container.dart‎
Lines changed: 29 additions & 28 deletions b/‎lib/core/di/injection_container.dart‎
Lines changed: 29 additions & 28 deletions
@@ -47,4 +47,18 @@ app.*.map.json
 /android/app/debug
 /android/app/profile
 /android/app/release
-ref2
+
+# Keystore and Secrets
+*.jks
+*.keystore
+key.properties
+android/key.properties
+.env
+.env.*
+
+# Build artifacts
+*.apk
+*.aab
+*.exe
+*.dmg
+*.ipa
@@ -79,6 +79,7 @@ codewalk/
 ├── install.ps1        # Windows installer script
 ├── uninstall.sh       # Unix uninstaller script
 ├── uninstall.ps1      # Windows uninstaller script
+├── SECURITY.md        # Security policy and responsible disclosure
 └── Makefile           # Build automation and packaging gates
 ```
 
@@ -90,7 +91,7 @@ codewalk/
 | `.g.dart` (generated) | 4 | JSON serialization models |
 | `.dart` (tests) | 27 | Test files (unit, widget, integration, support) |
 | `.dart` (total) | 142 | Repository files excluding build artifacts |
-| `.md` (markdown) | 20 | Docs + roadmap + release artifacts |
+| `.md` (markdown) | 21 | Docs + roadmap + release artifacts + SECURITY.md |
 | `.sh` (scripts) | 2 | Unix installer/uninstaller scripts |
 | `.ps1` (scripts) | 2 | Windows PowerShell installer/uninstaller scripts |
 
@@ -338,14 +339,12 @@ Deferred/optional after parity wave:
 
 ### flutter analyze
 
-- **Total issues: 91**
+- **Total issues: ~83** (28 lint rules active)
   - Errors: 0
   - Warnings: 1 (`unnecessary_non_null_assertion`)
-  - Info: 90 (mostly `unnecessary_underscores` in test parameter naming)
-- **Top issue categories:**
-  - `unnecessary_underscores` (majority): test parameter naming conventions
-  - `unnecessary_non_null_assertion` (1): test assertion cleanup opportunity
-- **CI Budget:** 186 issues maximum (enforced via `tool/ci/check_analyze_budget.sh`)
+  - Info: ~82 (mostly `unnecessary_underscores` in test parameter naming, plus a few `unawaited_futures` and `cancel_subscriptions` false positives)
+- **Lint rules:** 28 rules in 3 categories (error prevention, code quality, consistency) beyond `flutter_lints` defaults
+- **CI Budget:** 186 issues maximum (enforced via `tool/ci/check_analyze_budget.sh` with separate error-first detection)
 
 ### flutter test
 
@@ -398,7 +397,8 @@ Deferred/optional after parity wave:
 ### Quality Gates
 
 **Static Analysis (check_analyze_budget.sh):**
-- Maximum 186 issues allowed
+- Fails immediately on any `error •` lines regardless of budget (with `::error::` GitHub Actions annotations)
+- Maximum 186 info/warning issues allowed
 - Parses `flutter analyze` output
 - Fails build if budget exceeded
 
@@ -414,7 +414,7 @@ Deferred/optional after parity wave:
 
 ### Makefile Automation
 
-213-line Makefile with 15 targets:
+Makefile with 15 targets and TTY-aware output suppression (verbose output redirected to log in non-interactive mode, shown on failure only):
 
 | Target | Description |
 |--------|-------------|
@@ -723,17 +723,18 @@ lcov_branch_coverage=0  # Disable branch coverage, focus on line coverage
 
 | File | Purpose |
 |------|---------|
-| `analysis_options.yaml` | Flutter/Dart linter configuration |
+| `analysis_options.yaml` | Flutter/Dart linter configuration (28 rules in 3 categories) |
 | `dart_test.yaml` | Test tags (requires_server, hardware) |
 | `.lcovrc` | LCOV coverage options (branch coverage disabled) |
 | `codecov.yml` | Codecov integration (35% project, 30% patch) |
 | `pubspec.yaml` | Dependency and version management |
-| `Makefile` | Build automation (15 targets, 213 lines) |
+| `Makefile` | Build automation (15 targets, TTY-aware output suppression) |
 | `.github/workflows/ci.yml` | CI/CD pipeline (5 jobs) |
 | `.github/workflows/release.yml` | GitHub Release automation (5 jobs: Linux/Windows/macOS/Android builds + release creation) |
 | `CONTRIBUTING.md` | Contribution guidelines and standards |
 | `QA.feat016.release-readiness.md` | Feature 016 QA matrix, platform smoke, and defect triage |
 | `RELEASE_NOTES.md` | Release signoff checklist and known limitations |
+| `SECURITY.md` | Security policy and responsible disclosure guidelines |
 
 ## Recent Changes Since Previous Baseline
 
 
@@ -6,6 +6,16 @@ ANALYZE_LOG = /tmp/flutter_analyze.log
 TDL_CHANNEL = VerselesBot
 TDL_TARGET = 6
 
+# TTY detection: suppress verbose output in non-interactive mode (CI/agents)
+ifneq ($(shell test -t 1 && echo yes),yes)
+    LOG = /tmp/codewalk-make.log
+    QUIET = > $(LOG) 2>&1 || (cat $(LOG) && exit 1)
+else ifdef VERBOSE
+    QUIET =
+else
+    QUIET =
+endif
+
 help:
 	@echo "CodeWalk Make Targets"
 	@echo ""
@@ -25,10 +35,10 @@ help:
 	@echo "  make clean      Clean and restore dependencies"
 
 deps:
-	flutter pub get
+	flutter pub get $(QUIET)
 
 gen:
-	dart run build_runner build --delete-conflicting-outputs
+	dart run build_runner build --delete-conflicting-outputs $(QUIET)
 
 icons:
 	@if [ ! -f "assets/images/original.png" ]; then \
@@ -124,14 +134,14 @@ icons-check:
 	@echo "Icon checks passed."
 
 analyze:
-	flutter analyze --no-fatal-infos --no-fatal-warnings 2>&1 | tee $(ANALYZE_LOG)
+	flutter analyze --no-fatal-infos --no-fatal-warnings 2>&1 | tee $(ANALYZE_LOG) $(QUIET)
 	bash tool/ci/check_analyze_budget.sh $(ANALYZE_LOG) 186
 
 test:
-	flutter test
+	flutter test $(QUIET)
 
 coverage:
-	flutter test --coverage
+	flutter test --coverage $(QUIET)
 	bash tool/ci/check_coverage.sh coverage/lcov.info 35
 
 smoke:
@@ -159,7 +169,7 @@ desktop:
 	fi
 
 android:
-	flutter build apk --release --target-platform android-arm64
+	flutter build apk --release --target-platform android-arm64 $(QUIET)
 	@if [ -f "$(APK_DIR)/app-release.apk" ]; then \
 		mv -f "$(APK_DIR)/app-release.apk" "$(APK_PATH)"; \
 		echo "APK ready: $(APK_PATH)"; \
 
@@ -0,0 +1,73 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability in CodeWalk, please report it responsibly.
+
+### How to Report
+
+**DO NOT** open a public GitHub issue for security vulnerabilities.
+
+Instead, please report security issues by emailing:
+
+**security@verseles.com**
+
+Or use GitHub's private vulnerability reporting:
+
+1. Go to the [Security tab](https://github.com/verseles/codewalk/security) of the repository
+2. Click "Report a vulnerability"
+3. Fill out the form with details
+
+### What to Include
+
+- **Description**: A clear description of the vulnerability
+- **Impact**: What an attacker could accomplish by exploiting it
+- **Steps to Reproduce**: Detailed steps to reproduce the issue
+- **Affected Versions**: Which versions are affected
+- **Possible Fix**: If you have suggestions for how to fix the issue
+- **Your Contact**: How we can reach you for follow-up questions
+
+### Response Timeline
+
+- **Acknowledgment**: We will acknowledge receipt of your report within **48 hours**
+- **Initial Assessment**: We will provide an initial assessment within **7 days**
+- **Resolution**: We aim to resolve critical vulnerabilities within **30 days**
+- **Disclosure**: We will coordinate disclosure timing with you
+
+### What to Expect
+
+1. **Confirmation**: We'll confirm we received your report
+2. **Communication**: We'll keep you updated on our progress
+3. **Credit**: With your permission, we'll credit you in the security advisory
+4. **No Legal Action**: We will not pursue legal action against researchers who follow responsible disclosure
+
+## Security Considerations
+
+### Server Connection
+
+CodeWalk connects to OpenCode-compatible servers over HTTP/SSE. Users should:
+
+- **Use trusted servers only**: The app sends prompts and receives code over the connection
+- **Prefer HTTPS**: When connecting to remote servers, always use HTTPS endpoints
+- **Avoid public networks**: Server credentials transit the connection
+
+### Local Storage
+
+- Server URLs and connection settings are stored in `SharedPreferences` (platform default)
+- No API keys or tokens are stored by the app itself (authentication is server-side)
+- Session data and chat history remain on the server
+
+## Contact
+
+For security concerns: **security@verseles.com**
+
+For general questions: [GitHub Discussions](https://github.com/verseles/codewalk/discussions)
+
+For bug reports: [GitHub Issues](https://github.com/verseles/codewalk/issues)
@@ -1,12 +1,3 @@
-# This file configures the analyzer, which statically analyzes Dart code to
-# check for errors, warnings, and lints.
-#
-# The issues identified by the analyzer are surfaced in the UI of Dart-enabled
-# IDEs (https://dart.dev/tools#ides-and-editors). The analyzer can also be
-# invoked from the command line by running `flutter analyze`.
-
-# The following line activates a set of recommended lints for Flutter apps,
-# packages, and plugins designed to encourage good coding practices.
 include: package:flutter_lints/flutter.yaml
 
 analyzer:
@@ -15,18 +6,37 @@ analyzer:
     - "**/generated_plugin_registrant.dart"
 
 linter:
-  # The lint rules applied to this project can be customized in the
-  # section below to disable rules from the `package:flutter_lints/flutter.yaml`
-  # included above or to enable additional rules. A list of all available lints
-  # and their documentation is published at https://dart.dev/lints.
-  #
-  # Instead of disabling a lint rule for the entire project in the
-  # section below, it can also be suppressed for a single line of code
-  # or a specific dart file by using the `// ignore: name_of_lint` and
-  # `// ignore_for_file: name_of_lint` syntax on the line or in the file
-  # producing the lint.
   rules:
-    avoid_print: true
+    # Error prevention
+    - avoid_print
+    - avoid_slow_async_io
+    - cancel_subscriptions
+    - close_sinks
+    - unawaited_futures
+    - use_build_context_synchronously
+    - await_only_futures
+    - avoid_returning_null_for_future
+    - control_flow_in_finally
+    - throw_in_finally
+
+    # Code quality
+    - always_declare_return_types
+    - prefer_single_quotes
+    - prefer_const_constructors
+    - prefer_const_declarations
+    - prefer_const_literals_to_create_immutables
+    - prefer_final_locals
+    - prefer_final_in_for_each
+    - prefer_final_fields
+    - sort_constructors_first
+    - sort_child_properties_last
 
-# Additional information about this file can be found at
-# https://dart.dev/guides/language/analysis-options
+    # Consistency
+    - directives_ordering
+    - prefer_relative_imports
+    - omit_local_variable_types
+    - use_super_parameters
+    - unnecessary_late
+    - unnecessary_lambdas
+    - unnecessary_raw_strings
+    - unnecessary_statements
@@ -1,54 +1,55 @@
-import 'package:get_it/get_it.dart';
 import 'dart:convert';
+
+import 'package:get_it/get_it.dart';
 import 'package:shared_preferences/shared_preferences.dart';
-import '../network/dio_client.dart';
 
-import '../../data/datasources/app_remote_datasource.dart';
 import '../../data/datasources/app_local_datasource.dart';
+import '../../data/datasources/app_remote_datasource.dart';
+import '../../data/datasources/chat_remote_datasource.dart';
+import '../../data/datasources/project_remote_datasource.dart';
 import '../../data/repositories/app_repository_impl.dart';
+import '../../data/repositories/chat_repository_impl.dart';
+import '../../data/repositories/project_repository_impl.dart';
 import '../../domain/repositories/app_repository.dart';
-import '../../domain/usecases/get_app_info.dart';
-import '../../domain/usecases/check_connection.dart';
-import '../../domain/usecases/update_server_config.dart';
+import '../../domain/repositories/chat_repository.dart';
+import '../../domain/repositories/project_repository.dart';
 import '../../domain/usecases/abort_chat_session.dart';
-import '../../domain/usecases/summarize_chat_session.dart';
-import '../../domain/usecases/send_chat_message.dart';
-import '../../domain/usecases/get_chat_sessions.dart';
+import '../../domain/usecases/check_connection.dart';
 import '../../domain/usecases/create_chat_session.dart';
-import '../../domain/usecases/get_chat_messages.dart';
-import '../../domain/usecases/get_chat_message.dart';
-import '../../domain/usecases/get_agents.dart';
-import '../../domain/usecases/get_providers.dart';
 import '../../domain/usecases/delete_chat_session.dart';
 import '../../domain/usecases/fork_chat_session.dart';
+import '../../domain/usecases/get_agents.dart';
+import '../../domain/usecases/get_app_info.dart';
+import '../../domain/usecases/get_chat_message.dart';
+import '../../domain/usecases/get_chat_messages.dart';
+import '../../domain/usecases/get_chat_sessions.dart';
+import '../../domain/usecases/get_providers.dart';
 import '../../domain/usecases/get_session_children.dart';
 import '../../domain/usecases/get_session_diff.dart';
 import '../../domain/usecases/get_session_status.dart';
 import '../../domain/usecases/get_session_todo.dart';
-import '../../domain/usecases/watch_chat_events.dart';
-import '../../domain/usecases/watch_global_chat_events.dart';
 import '../../domain/usecases/list_pending_permissions.dart';
-import '../../domain/usecases/reply_permission.dart';
 import '../../domain/usecases/list_pending_questions.dart';
-import '../../domain/usecases/reply_question.dart';
 import '../../domain/usecases/reject_question.dart';
+import '../../domain/usecases/reply_permission.dart';
+import '../../domain/usecases/reply_question.dart';
+import '../../domain/usecases/send_chat_message.dart';
 import '../../domain/usecases/share_chat_session.dart';
+import '../../domain/usecases/summarize_chat_session.dart';
 import '../../domain/usecases/unshare_chat_session.dart';
 import '../../domain/usecases/update_chat_session.dart';
-import '../../data/datasources/chat_remote_datasource.dart';
-import '../../data/repositories/chat_repository_impl.dart';
-import '../../domain/repositories/chat_repository.dart';
-import '../../data/datasources/project_remote_datasource.dart';
-import '../../data/repositories/project_repository_impl.dart';
-import '../../domain/repositories/project_repository.dart';
+import '../../domain/usecases/update_server_config.dart';
+import '../../domain/usecases/watch_chat_events.dart';
+import '../../domain/usecases/watch_global_chat_events.dart';
 import '../../presentation/providers/app_provider.dart';
 import '../../presentation/providers/chat_provider.dart';
 import '../../presentation/providers/project_provider.dart';
 import '../../presentation/providers/settings_provider.dart';
-import '../../presentation/services/event_feedback_dispatcher.dart';
 import '../../presentation/services/chat_title_generator.dart';
+import '../../presentation/services/event_feedback_dispatcher.dart';
 import '../../presentation/services/notification_service.dart';
 import '../../presentation/services/sound_service.dart';
+import '../network/dio_client.dart';
 
 final sl = GetIt.instance;
 
@@ -59,7 +60,7 @@ Future<void> init() async {
   sl.registerLazySingleton(() => sharedPreferences);
 
   // Network
-  sl.registerLazySingleton(() => DioClient());
+  sl.registerLazySingleton(DioClient.new);
 
   // Data sources
   sl.registerLazySingleton<AppRemoteDataSource>(
@@ -78,9 +79,9 @@ Future<void> init() async {
     () => ProjectRemoteDataSourceImpl(dio: sl<DioClient>().dio),
   );
 
-  sl.registerLazySingleton(() => NotificationService());
-  sl.registerLazySingleton(() => SoundService());
-  sl.registerLazySingleton<ChatTitleGenerator>(() => ChatAtTitleGenerator());
+  sl.registerLazySingleton(NotificationService.new);
+  sl.registerLazySingleton(SoundService.new);
+  sl.registerLazySingleton<ChatTitleGenerator>(ChatAtTitleGenerator.new);
 
   // Repositories
   sl.registerLazySingleton<AppRepository>(