# RAP Android VPN

This is the Android mobile node build with the `vpn-client` service enabled.

Implemented now:

- installation as a first-class fabric node with an embedded QUIC bootstrap seed set. The seed set is not a backend selector: it contains every known public or local entry candidate that may help the node join the fabric from its current network.
- runtime launch uses a persisted `fabric_bootstrap_config`, not a backend API URL. The Android node starts by attaching to the fabric through bootstrap peers and then discovers/uses services through fabric rules.
- login and trusted-device refresh through the QUIC fabric control channel;
- load organization-scoped VPN client profile through the fabric control channel;
- request Android VPN permission and create a `VpnService` TUN interface;
- run as a normal fabric node with the `vpn-client` service role. The local `VpnService` TUN is the IPv4 ingress for that node, and packet channels are routed by the farm to an authorized `ipv4-egress` pool. The supported dataplane is the QUIC fabric runtime only. HTTP batch forwarding, WebSocket packet relay, direct backend packet relay, and old VPN protocols are removed from the runtime path.
- user-facing HOME-first screen: connect/disconnect is primary, while backend, cluster, organization, login, and password are kept in the settings dialog;
- saved connection settings in app preferences so repeat connects do not require retyping the profile.
- encrypted refresh-token storage through Android Keystore. If the trusted device session is revoked or expires, the app asks for the password once and then rotates the device keys/profile again.
- no separate diagnostic foreground service: runtime status is reported by the node/VPN service itself, so the Android build does not keep a parallel legacy control process alive.

This is still a lab runtime.

The required target model is Android as a farm node with the `vpn-client` role. The VPN service must attach to the mesh as that node and route to an authorized IPv4 exit pool; there is no separate VPN entry point. Exit configuration is always pool based, including pools that currently contain only one node. A phone installed in a closed network may join through local seed nodes from that network; it does not need direct Internet access if a nearby fabric node can route onward.

Current code contract:

- Android control bootstrap field: `fabric_bootstrap_config`
- Android runtime dataplane: QUIC `Fabricvpn` runtime only
- Android runtime status keys: `fabric_transport_*`

Build from this repository on Windows:

```powershell
$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
pwsh -ExecutionPolicy Bypass -File ..\..\scripts\android\build-android-apk.ps1
adb install -r app/build/outputs/apk/debug/app-debug.apk
```

Or run directly from the project:

```powershell
$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
gradle assembleDebug
```