testsAndMisc/docs/superpowers/contracts/phone-curfew-demo-net-stopgap-2026-06-13.json
Krzysztof kuhy Rudnicki 23049f7d45 feat(phone_focus_mode): add on-demand demo curfew + netd-resistant net stopgap
Demo mode: one-tap Start/Stop demo curfew via the companion notification
(CurfewDemoReceiver) and curfew-demo-on/off CLI, driving the curfew_force_on
file so the full stack can be exercised any time with a guaranteed off switch.

Net stopgap: Android netd reasserts the whole filter table ~1-4x/5s, wiping
the custom FOCUS_CURFEW_NET chain; un-waited iptables calls also lost the
xtables lock race and left partial chains. Add an iptw -w lock-wait helper, a
cached UID list, and a 1s watchdog that re-pins the chain when netd flushes it,
plus heartbeat/rebuild logging. Proper netd/eBPF firewall tracked as follow-up.

Verified live on the BL9000 (Android 13): demo on/off engages and fully
restores all layers; chain now full (24 rules) and near-continuous (~98%
steady state) vs intermittent before.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 22:01:32 +02:00

21 lines
2.8 KiB
JSON

{
"title": "Phone curfew: on-demand demo mode + netd-resistant net-block stopgap",
"objective": "Make the night curfew testable on demand and fix the internet-curfew layer leaking. (1) Add a 'demo curfew' the user can start/stop with a single notification tap (and CLI) so the full stack can be experienced any time without waiting for 23:00, with a guaranteed one-tap off switch. (2) Diagnose and fix the per-UID iptables net-block, which was only intermittently enforced. Success = demo on/off engages and fully restores all layers on one tap each way, and the FOCUS_CURFEW_NET chain stays present near-continuously while curfew is active instead of flapping.",
"acceptance_criteria": [
"A force-file (curfew_force_on) makes should_act return true regardless of clock/home, and removing it reverts within one enforcer interval; setting force also clears any stale override.",
"The companion notification shows a contextual curfew action: Start demo / Stop demo / Suspend-till-morning / Re-arm depending on current state, wired to CurfewDemoReceiver (force file) and CurfewToggleReceiver (override file).",
"focus_ctl.sh exposes curfew-demo-on / curfew-demo-off mirroring the button.",
"Demo-on applies all active layers (app-disable, grayscale, DND, net); demo-off restores grayscale=0, zen_mode=0, tears down the net chain, removes the UID cache, and leaves the enforcer running.",
"Every iptables/ip6tables call uses a lock-wait (-w) so concurrent netd iptables-restore cannot make our rebuilds silently fail and leave a partial chain.",
"A fast watchdog re-pins the chain from a cached UID list (no pm fork) every CURFEW_NET_REASSERT_INTERVAL seconds while curfew is active, so a netd flush is repaired within <=1s.",
"The enforcer logs a periodic heartbeat and a per-interval watchdog-rebuild count so liveness and netd-flush frequency are visible rather than inferred from silence.",
"The enforcer process survives indefinitely (no set -e abort); restart is clean (single PID via pidfile lock)."
],
"out_of_scope": [
"The proper netd-native per-UID firewall (ndc/eBPF uid maps) that would eliminate the residual sub-second flicker entirely — tracked as a documented follow-up; this commit ships the iptables stopgap chosen by the user.",
"Changing the curfew window, whitelist contents, grayscale/DND mechanics, or the app-disable layer.",
"Persisting iptables rules across reboot (the enforcer rebuilds them; magisk_service starts it at boot)."
],
"verifier": "shellcheck on changed scripts; on-device clean single-enforcer restart on the BL9000 (Android 13) then drive demo-on/off and sample the FOCUS_CURFEW_NET rule count plus the enforcer log over multiple intervals to confirm chain stability, full-chain rebuilds, watchdog repair counts, and clean teardown."
}