Release under MIT. Note that the bundled FEST extract stays under DMPs
own open-data terms, not MIT, since it is third-party data shipped in
the APK.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Per request: re-enable allowBackup but scope it to ONE file via
include-rules — files/gbackup/latest.json.age, an age-encrypted export
written only while a backup passphrase is set (never plaintext to
Google; DB/prefs stay excluded). On a new device the OS restores the
blob, the Today screen detects an empty DB + present blob and offers
'Gjenopprett' — which demands the passphrase typed, since the Keystore
key never migrates. Clearing the passphrase deletes the blob.
scrypt work factor dropped 18→15: age's desktop default needs a 256 MiB
working set and OOM-crashed on-device (found the hard way); 15 = 32 MiB,
still real brute-force cost, and largeHeap covers decrypting foreign
files made at 18. Verified by instrumented round-trip tests (write →
empty DB → restore; wrong passphrase keeps DB empty; cleared passphrase
removes blob) — UI automation couldn't drive the multi-field dialog
reliably, so the proof lives in the test instead.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Written for the repo's future reader (mostly me): why each reliability
mechanism exists, how to decrypt a backup off-device with age -d, the
FEST pipeline, and the keystore.properties signing convention. CLAUDE.md
now points at it for architecture detail, per its own placeholder.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>