kaizen-app/LATER.md
Bruno Deanoz 44c17b6f9f feat: wire chat to the real Kaizen backend (in-app login + streaming)
Replaces the Phase-0 fakeReply mock with the real v1 API. Deployment-agnostic:
one binary, one Authorization: Bearer contract, server-URL field switches between
the official instance and any self-host.

- auth/LoginScreen: server-URL + email + password -> POST /api/v1/auth/token
- net/SecureStore: kzn_ token in EncryptedSharedPreferences (KeyStore AES-256-GCM)
- net/SessionViewModel: snapshot-state login/logout routing, restores on launch
- net/KaizenApi: POST /api/v1/chat streaming + GET /api/v1/me for the default model
- net/StreamConsumer: Kotlin port of lib/chat/stream-consumer.ts (JVM-unit-tested)
- deps: okhttp, kotlinx-serialization, security-crypto; INTERNET permission

Code-complete; not yet built/run on device (no Android SDK on the dev Mac).
2026-06-19 01:04:55 +02:00

5.4 KiB

Kaizen App — Future Implementation & Architecture Roadmap (LATER)

This document serves as a persistent repository of high-level architectural blueprints, native security concepts, and backend orchestration models for the Kaizen Native Android App.

To maintain clean execution and avoid technical debt, backend-dependent features and device-level hardware cryptography are documented here for implementation in later phases.


🛡️ 1. Native Hardware Cryptography & Security

When transitioning from the Web PWA to the native Android App, we can leverage Android OS-level hardware security that is completely unavailable to standard webbrowsers.

A. Android KeyStore System (API 23+) — DONE (Phase 1)

Implemented in net/SecureStore.kt: the kzn_ bearer token is stored in EncryptedSharedPreferences (AES-256-GCM, KeyStore-backed). Only this item graduated — biometrics binding (§C) and FLAG_SECURE (§B) stay deferred.

  • Concept: Instead of storing API keys or session tokens in plain-text SharedPreferences (which are readable on rooted devices), we will use Android's EncryptedSharedPreferences.
  • Mechanism:
    • Uses the hardware-backed KeyStore (StrongBox / Secure Enclave on flagship devices like the S25 Ultra or Google Pixel 10).
    • Automatically encrypts keys and values using AES-256-GCM.
    • Encryption keys are kept inside the hardware chip and cannot be leaked even if the OS is compromised or rooted.
  • Orchestration with Backend:
    • Since the Web app encrypts API keys using AES-256 in PostgreSQL, the Android app can either query the decrypted key securely via HTTPS from the backend during a chat leg (if the server acts as the API proxy), OR store a copy of the key locally encrypted in the Android KeyStore for offline direct client-side requests.

B. Prevention of Screen Scraping (FLAG_SECURE)

  • Concept: Prevent malware, unauthorized users, or background tasks from taking screenshots or recording the screen on sensitive areas of the app (e.g., chat logs, settings, API-key inputs).
  • Implementation:
    • Set the secure flag dynamically on the Window inside activities or specific composables:
      activity?.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
      
    • System-wide screenshots are instantly blocked (generates a black image), and the app's preview in the system app-switcher/task-manager is automatically blanked/censored.

C. Keystore-Biometrics Binding

  • Concept: Tie the decryption of chat databases or API keys directly to a successful biometrics authorization.
  • Mechanism:
    • Generate an AES key in the KeyStore that is specifically configured to require biometrics (setUserAuthenticationRequired(true)).
    • The Android CPU's Secure Enclave will literally refuse to release the decryption key to memory unless the native BiometricPrompt returns a hardware-validated success signal.

🔑 2. Biometric Lockscreen & Auth-Sync

The biometric lockscreen is delayed until the backend sync logic is built, as it requires a secure session verification handshake.

A. Instant Biometric Prompt

  • API: androidx.biometric.BiometricPrompt
  • Flow: On app launch or when selecting a locked chat from the sidebar:
    1. Trigger the native system Biometric prompt (supporting Fingerprint on S25 Ultra, Face Unlock, or PIN fallback).
    2. On success, use the returned cryptographic Cipher to decrypt the local DB or session token.
    3. Seamlessly slide into the main interface.

B. Translucent Glass PIN-Pad Fallback

  • Design: For devices without biometrics or on fallback, render a custom, highly blurred frosted-glass PIN-pad.
  • Haptics: Synchronize each button press with a native, precise tactile click vibration.
  • Visuals: The KaizenOrb floats dynamically above the PIN-pad, glowing red on locked state, breathing in amber on typing, and flashing in bright emerald/amber on successful unlock.

🌐 3. Backend Synchronization & Streaming Orchestration

  • Challenge: The web app uses Auth.js (NextAuth) with secure httpOnly cookies.
  • Solution:
    • The Android app's HTTP client (e.g., Ktor or Retrofit) will maintain a persistent CookieJar.
    • When logging in via credentials or native Passkeys, the backend sets the Auth.js session cookie, which is automatically attached to subsequent API calls.

B. High-Speed WebSocket Streaming

  • Concept: Instead of polling or standard server-sent events (SSE) which can be unstable on mobile networks, establish a dedicated WebSocket channel for the chat stream.
  • Advantages: Extremely low latency, full-duplex communication (allows instant interrupt/Stop signals from the client), and perfect synchronization with the breathing frequency of the KaizenOrb.

📈 4. Progressive High-End Visuals

A. Ultra HDR with Gainmaps (Android 14+ / API 34)

  • Concept: Boost highlights (like the shiny glint of the KaizenOrb or glowing buttons) to actual HDR peak brightness (up to 1000+ nits) on high-end AMOLED screens.
  • Implementation: Enable ActivityInfo.COLOR_MODE_HDR on the window and write custom AGSL shaders for the glowing canvases.

B. Gyroscope-Responsive 3D Parallax

  • Optimization: Keep the gyroscope tilt listener running on UI thread delays (SENSOR_DELAY_UI) and clamp tilt limits tightly. Ensure a complete unregister listener call on app pause to conserve 100% battery efficiency.