login through /auth/login;
trusted-device reconnect through /auth/refresh without retyping the password while the device session is valid;
load organization-scoped VPN client profile from /clusters/{clusterID}/vpn/client-profile;
request Android VPN permission and create a VpnService TUN interface;
run as a normal fabric node with the vpn-client service role. The local VpnService TUN is the IPv4 ingress for that node, and packet channels are routed by the farm to an authorized ipv4-egress pool. HTTP batch fallback and old VPN protocols are not part of the supported test path.
user-facing HOME-first screen: connect/disconnect is primary, while backend, cluster, organization, login, and password are kept in the settings dialog;
saved connection settings in app preferences so repeat connects do not require retyping the profile.
encrypted refresh-token storage through Android Keystore. If the trusted device session is revoked or expires, the app asks for the password once and then rotates the device keys/profile again.

This is still a lab runtime. The required target model is Android as a farm node with the vpn-client role. The VPN service must attach to the mesh as that node and route to an authorized IPv4 exit pool; there is no separate VPN entry point. Exit configuration is always pool based, including pools that currently contain only one node.

Build from this repository on Windows:

$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
pwsh -ExecutionPolicy Bypass -File ..\..\scripts\android\build-android-apk.ps1
adb install -r app/build/outputs/apk/debug/app-debug.apk

Or run directly from the project:

$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
gradle assembleDebug