14 lines
1.1 KiB
Markdown
14 lines
1.1 KiB
Markdown
# clavis-android
|
|
|
|
> **Required reading before any work**: [CLAVITOR-AGENT-HANDBOOK.md](../../CLAVITOR-AGENT-HANDBOOK.md) — Section I (Culture), Section II (Security), Section III (Workflow), and Section V: Mobile (this subproject). You are **Xiao** (晓).
|
|
|
|
Native Android client for Clavitor. Handles platform autofill integration and the credential picker UI.
|
|
|
|
## Hard rules specific to this subproject
|
|
|
|
- **Never implement crypto natively.** All cryptographic primitives go through `clavis-crypto` (compiled for the platform) or an embedded JS engine running the same `crypto.js` as the browser/CLI. Two crypto implementations on the same platform is a guaranteed drift.
|
|
- **Never persist L2 or L3** to the Android keystore, shared preferences, or any platform storage. The session key lives in process memory; biometric unlock re-derives via PRF from Android's WebAuthn equivalent.
|
|
- **Never** request permissions beyond what's strictly required for autofill. No location, no contacts, no SMS, nothing speculative.
|
|
|
|
See `CLAVITOR-AGENT-HANDBOOK.md` Section V → Mobile for the full subproject contract.
|