From 39cf182196c10fef70d364e01a4e4197e908071e Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:06:58 +0000
Subject: [PATCH 01/19] feat(auth): add API key settings screen and config
 manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implements the Android-side UI for API authentication, now that
aw-server-rust#608 landed and embedded config loads from app data dir.

- ConfigManager.kt: reads/writes [auth].api_key in config.toml stored at
  context.filesDir; uses UUID-based key generation; pure string TOML
  manipulation, no extra library dependency
- AuthSettingsActivity.kt: shows current API key, copy-to-clipboard,
  regenerate, and enable/disable toggle; prompts user to restart app
  after changes (server rereads config at startup)
- activity_auth_settings.xml: layout for the settings screen
- AndroidManifest.xml: registers AuthSettingsActivity
- MainActivity.kt: wires the previously-stub settings button to open
  AuthSettingsActivity instead of a Snackbar
- ConfigManagerTest.kt: 11 JVM unit tests covering parse/write logic
  including roundtrips and the [auth]-without-key edge case

Closes ActivityWatch/aw-android#145 (partial — "Open in browser" URL
token passing and server restart API are follow-up work)
---
 mobile/src/main/AndroidManifest.xml           |   6 +
 .../android/AuthSettingsActivity.kt           | 102 +++++++++++++++
 .../activitywatch/android/ConfigManager.kt    | 100 +++++++++++++++
 .../net/activitywatch/android/MainActivity.kt |   3 +-
 .../res/layout/activity_auth_settings.xml     | 100 +++++++++++++++
 .../android/ConfigManagerTest.kt              | 121 ++++++++++++++++++
 6 files changed, 430 insertions(+), 2 deletions(-)
 create mode 100644 mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
 create mode 100644 mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
 create mode 100644 mobile/src/main/res/layout/activity_auth_settings.xml
 create mode 100644 mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt

diff --git a/mobile/src/main/AndroidManifest.xml b/mobile/src/main/AndroidManifest.xml
index c983de3a..d4653812 100644
--- a/mobile/src/main/AndroidManifest.xml
+++ b/mobile/src/main/AndroidManifest.xml
@@ -48,6 +48,12 @@
             android:theme="@style/AppTheme.NoActionBar"
             android:exported="true"/>
 
+        <activity
+            android:name=".AuthSettingsActivity"
+            android:screenOrientation="portrait"
+            android:configChanges="orientation"
+            android:exported="false"/>
+
         <receiver
                 android:name=".watcher.AlarmReceiver"
                 android:enabled="true"
diff --git a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
new file mode 100644
index 00000000..6cb9574e
--- /dev/null
+++ b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
@@ -0,0 +1,102 @@
+package net.activitywatch.android
+
+import android.content.ClipData
+import android.content.ClipboardManager
+import android.content.Context
+import android.os.Bundle
+import android.view.MenuItem
+import android.view.View
+import android.widget.Button
+import android.widget.CompoundButton
+import android.widget.Switch
+import android.widget.TextView
+import android.widget.Toast
+import androidx.appcompat.app.AppCompatActivity
+
+class AuthSettingsActivity : AppCompatActivity() {
+
+    private lateinit var configManager: ConfigManager
+
+    private lateinit var tvApiKey: TextView
+    private lateinit var tvStatus: TextView
+    private lateinit var btnCopy: Button
+    private lateinit var btnRegenerate: Button
+    private lateinit var switchAuthEnabled: Switch
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        setContentView(R.layout.activity_auth_settings)
+
+        supportActionBar?.apply {
+            setDisplayHomeAsUpEnabled(true)
+            title = "API Authentication"
+        }
+
+        configManager = ConfigManager(this)
+
+        tvApiKey = findViewById(R.id.tv_api_key)
+        tvStatus = findViewById(R.id.tv_status)
+        btnCopy = findViewById(R.id.btn_copy_key)
+        btnRegenerate = findViewById(R.id.btn_regenerate_key)
+        switchAuthEnabled = findViewById(R.id.switch_auth_enabled)
+
+        refreshUI()
+
+        btnCopy.setOnClickListener {
+            val key = configManager.readAuthConfig().apiKey ?: return@setOnClickListener
+            val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
+            clipboard.setPrimaryClip(ClipData.newPlainText("API key", key))
+            Toast.makeText(this, "API key copied to clipboard", Toast.LENGTH_SHORT).show()
+        }
+
+        btnRegenerate.setOnClickListener {
+            val newKey = configManager.generateAndSetApiKey()
+            tvApiKey.text = newKey
+            switchAuthEnabled.isChecked = true
+            tvStatus.text = "Authentication enabled (restart app to apply)"
+            Toast.makeText(this, "New API key generated. Restart app to apply.", Toast.LENGTH_LONG).show()
+        }
+
+        switchAuthEnabled.setOnCheckedChangeListener { _: CompoundButton, isChecked: Boolean ->
+            if (isChecked) {
+                // Enable auth — generate a key if none exists
+                val current = configManager.readAuthConfig()
+                if (!current.isEnabled) {
+                    val newKey = configManager.generateAndSetApiKey()
+                    tvApiKey.text = newKey
+                }
+                tvStatus.text = "Authentication enabled (restart app to apply)"
+            } else {
+                configManager.clearApiKey()
+                tvApiKey.text = "(none)"
+                tvStatus.text = "Authentication disabled (restart app to apply)"
+            }
+            Toast.makeText(this, "Setting saved. Restart app to apply.", Toast.LENGTH_SHORT).show()
+        }
+    }
+
+    private fun refreshUI() {
+        val auth = configManager.readAuthConfig()
+        if (auth.isEnabled) {
+            tvApiKey.text = auth.apiKey
+            tvStatus.text = "Authentication is enabled"
+            switchAuthEnabled.isChecked = true
+            btnCopy.visibility = View.VISIBLE
+        } else {
+            tvApiKey.text = "(none — authentication disabled)"
+            tvStatus.text = "Authentication is disabled"
+            switchAuthEnabled.isChecked = false
+            btnCopy.visibility = View.GONE
+        }
+    }
+
+    override fun onOptionsItemSelected(item: MenuItem): Boolean {
+        return when (item.itemId) {
+            android.R.id.home -> {
+                onBackPressedDispatcher.onBackPressed()
+                true
+            }
+            else -> super.onOptionsItemSelected(item)
+        }
+    }
+}
diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
new file mode 100644
index 00000000..1e4c49fb
--- /dev/null
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -0,0 +1,100 @@
+package net.activitywatch.android
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.util.UUID
+
+private const val TAG = "ConfigManager"
+
+/**
+ * Manages reading and writing the embedded aw-server config.toml stored in
+ * the app's filesDir. The config format is TOML; we only need the [auth]
+ * section, so we handle it with simple string operations rather than pulling
+ * in a full TOML library.
+ *
+ * Changes take effect after the server restarts (i.e. app restart).
+ */
+class ConfigManager(context: Context) {
+
+    private val configFile = File(context.filesDir, "config.toml")
+
+    data class AuthConfig(
+        val apiKey: String? = null
+    ) {
+        val isEnabled: Boolean get() = !apiKey.isNullOrEmpty()
+    }
+
+    fun readAuthConfig(): AuthConfig {
+        if (!configFile.exists()) {
+            Log.d(TAG, "config.toml not found, returning defaults")
+            return AuthConfig()
+        }
+        return try {
+            val content = configFile.readText()
+            val apiKey = parseApiKey(content)
+            AuthConfig(apiKey = apiKey)
+        } catch (e: Exception) {
+            Log.e(TAG, "Failed to read config.toml: ${e.message}")
+            AuthConfig()
+        }
+    }
+
+    fun setApiKey(key: String?) {
+        try {
+            val current = if (configFile.exists()) configFile.readText() else ""
+            val updated = writeApiKey(current, key)
+            configFile.writeText(updated)
+            Log.d(TAG, "API key updated in config.toml")
+        } catch (e: Exception) {
+            Log.e(TAG, "Failed to write config.toml: ${e.message}")
+        }
+    }
+
+    fun generateAndSetApiKey(): String {
+        val key = UUID.randomUUID().toString().replace("-", "")
+        setApiKey(key)
+        return key
+    }
+
+    fun clearApiKey() = setApiKey(null)
+
+    // ---- internal TOML manipulation ----
+
+    private fun parseApiKey(content: String): String? {
+        // Find the [auth] section, then look for api_key = "..."
+        val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
+        val authSection = authSectionRegex.find(content)?.value ?: return null
+        val keyMatch = Regex("""api_key\s*=\s*"([^"]*)"""").find(authSection)
+        val key = keyMatch?.groupValues?.get(1)
+        return if (key.isNullOrEmpty()) null else key
+    }
+
+    private fun writeApiKey(content: String, key: String?): String {
+        val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
+        val authSectionPresent = Regex("""(?m)^\[auth\]""").containsMatchIn(content)
+        val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(content)
+
+        if (authSectionPresent) {
+            return if (apiKeyLinePresent) {
+                // Replace or remove the existing api_key line
+                val replaced = Regex("""(?m)^api_key\s*=.*$""")
+                    .replaceFirst(content, authLine ?: "")
+                if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
+            } else if (authLine != null) {
+                // [auth] exists but no api_key line yet — insert after the [auth] header
+                content.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+            } else {
+                content
+            }
+        }
+
+        // No [auth] section — append it if we have a key
+        return if (authLine != null) {
+            val base = content.trimEnd()
+            "$base\n\n[auth]\n$authLine\n"
+        } else {
+            content
+        }
+    }
+}
diff --git a/mobile/src/main/java/net/activitywatch/android/MainActivity.kt b/mobile/src/main/java/net/activitywatch/android/MainActivity.kt
index 0c439e0f..e7bfe017 100644
--- a/mobile/src/main/java/net/activitywatch/android/MainActivity.kt
+++ b/mobile/src/main/java/net/activitywatch/android/MainActivity.kt
@@ -96,8 +96,7 @@ class MainActivity : AppCompatActivity(), NavigationView.OnNavigationItemSelecte
         // as you specify a parent activity in AndroidManifest.xml.
         return when (item.itemId) {
             R.id.action_settings -> {
-                Snackbar.make(binding.coordinatorLayout, "The settings button was clicked, but it's not yet implemented!", Snackbar.LENGTH_LONG)
-                    .setAction("Action", null).show()
+                startActivity(Intent(this, AuthSettingsActivity::class.java))
                 true
             }
             else -> super.onOptionsItemSelected(item)
diff --git a/mobile/src/main/res/layout/activity_auth_settings.xml b/mobile/src/main/res/layout/activity_auth_settings.xml
new file mode 100644
index 00000000..4d0f8103
--- /dev/null
+++ b/mobile/src/main/res/layout/activity_auth_settings.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:padding="16dp">
+
+    <LinearLayout
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical"
+        android:gravity="start">
+
+        <!-- Auth toggle -->
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="horizontal"
+            android:gravity="center_vertical"
+            android:layout_marginBottom="16dp">
+
+            <TextView
+                android:layout_width="0dp"
+                android:layout_height="wrap_content"
+                android:layout_weight="1"
+                android:text="Require API Authentication"
+                android:textAppearance="?attr/textAppearanceBodyLarge" />
+
+            <Switch
+                android:id="@+id/switch_auth_enabled"
+                android:layout_width="wrap_content"
+                android:layout_height="wrap_content" />
+
+        </LinearLayout>
+
+        <!-- Status line -->
+        <TextView
+            android:id="@+id/tv_status"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginBottom="24dp"
+            android:textAppearance="?attr/textAppearanceBodySmall"
+            android:textColor="?attr/colorOnSurfaceVariant"
+            android:text="Checking…" />
+
+        <!-- API key section -->
+        <TextView
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginBottom="8dp"
+            android:text="Current API Key"
+            android:textAppearance="?attr/textAppearanceLabelLarge" />
+
+        <TextView
+            android:id="@+id/tv_api_key"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginBottom="16dp"
+            android:background="@android:color/darker_gray"
+            android:fontFamily="monospace"
+            android:paddingHorizontal="12dp"
+            android:paddingVertical="10dp"
+            android:textAppearance="?attr/textAppearanceBodyMedium"
+            android:textIsSelectable="true"
+            android:text="(none)" />
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="horizontal"
+            android:layout_marginBottom="24dp">
+
+            <Button
+                android:id="@+id/btn_copy_key"
+                android:layout_width="0dp"
+                android:layout_height="wrap_content"
+                android:layout_weight="1"
+                android:layout_marginEnd="8dp"
+                android:text="Copy Key"
+                style="@style/Widget.MaterialComponents.Button.OutlinedButton" />
+
+            <Button
+                android:id="@+id/btn_regenerate_key"
+                android:layout_width="0dp"
+                android:layout_height="wrap_content"
+                android:layout_weight="1"
+                android:text="Regenerate Key"
+                style="@style/Widget.MaterialComponents.Button" />
+
+        </LinearLayout>
+
+        <!-- Help text -->
+        <TextView
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:textAppearance="?attr/textAppearanceBodySmall"
+            android:textColor="?attr/colorOnSurfaceVariant"
+            android:text="When enabled, ActivityWatch clients (browser, desktop app) must include this key to access data. Use the key in the URL:\n\nhttp://localhost:5600/?token=YOUR_KEY\n\nChanges take effect after restarting the app." />
+
+    </LinearLayout>
+</ScrollView>
diff --git a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
new file mode 100644
index 00000000..6d547727
--- /dev/null
+++ b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
@@ -0,0 +1,121 @@
+package net.activitywatch.android
+
+import org.junit.Assert.assertEquals
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertNull
+import org.junit.Assert.assertTrue
+import org.junit.Test
+
+/**
+ * Unit tests for ConfigManager's TOML parsing/writing logic, tested via
+ * standalone helpers that mirror the private functions (Android-free JVM tests).
+ */
+class ConfigManagerTest {
+
+    private fun parseApiKey(content: String): String? {
+        val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
+        val authSection = authSectionRegex.find(content)?.value ?: return null
+        val keyMatch = Regex("""api_key\s*=\s*"([^"]*)"""").find(authSection)
+        val key = keyMatch?.groupValues?.get(1)
+        return if (key.isNullOrEmpty()) null else key
+    }
+
+    private fun writeApiKey(content: String, key: String?): String {
+        val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
+        val authSectionPresent = Regex("""(?m)^\[auth\]""").containsMatchIn(content)
+        val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(content)
+        if (authSectionPresent) {
+            return if (apiKeyLinePresent) {
+                val replaced = Regex("""(?m)^api_key\s*=.*$""")
+                    .replaceFirst(content, authLine ?: "")
+                if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
+            } else if (authLine != null) {
+                content.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+            } else {
+                content
+            }
+        }
+        return if (authLine != null) {
+            val base = content.trimEnd()
+            "$base\n\n[auth]\n$authLine\n"
+        } else {
+            content
+        }
+    }
+
+    @Test
+    fun `parseApiKey returns null on empty config`() {
+        assertNull(parseApiKey(""))
+    }
+
+    @Test
+    fun `parseApiKey returns null when no auth section`() {
+        val config = "address = \"127.0.0.1\"\nport = 5600"
+        assertNull(parseApiKey(config))
+    }
+
+    @Test
+    fun `parseApiKey reads key from auth section`() {
+        val config = "address = \"127.0.0.1\"\n\n[auth]\napi_key = \"abc123\"\n"
+        assertEquals("abc123", parseApiKey(config))
+    }
+
+    @Test
+    fun `parseApiKey returns null for empty api_key`() {
+        val config = "[auth]\napi_key = \"\"\n"
+        assertNull(parseApiKey(config))
+    }
+
+    @Test
+    fun `writeApiKey appends auth section when absent`() {
+        val config = "address = \"127.0.0.1\"\nport = 5600"
+        val result = writeApiKey(config, "mykey")
+        assertTrue(result.contains("[auth]"))
+        assertTrue(result.contains("""api_key = "mykey""""))
+    }
+
+    @Test
+    fun `writeApiKey updates existing key`() {
+        val config = "[auth]\napi_key = \"oldkey\"\n"
+        val result = writeApiKey(config, "newkey")
+        assertTrue(result.contains("""api_key = "newkey""""))
+        assertFalse(result.contains("oldkey"))
+    }
+
+    @Test
+    fun `writeApiKey clears key when null`() {
+        val config = "[auth]\napi_key = \"oldkey\"\n"
+        val result = writeApiKey(config, null)
+        assertFalse(result.contains("oldkey"))
+    }
+
+    @Test
+    fun `writeApiKey leaves config unchanged when no auth and key is null`() {
+        val config = "address = \"127.0.0.1\"\n"
+        val result = writeApiKey(config, null)
+        assertFalse(result.contains("[auth]"))
+    }
+
+    @Test
+    fun `writeApiKey inserts key when auth section exists but no api_key line`() {
+        val config = "address = \"127.0.0.1\"\n\n[auth]\n"
+        val result = writeApiKey(config, "inserted-key")
+        assertEquals("inserted-key", parseApiKey(result))
+    }
+
+    @Test
+    fun `roundtrip write then read returns same key`() {
+        val config = "address = \"127.0.0.1\"\n"
+        val written = writeApiKey(config, "roundtrip-key")
+        assertEquals("roundtrip-key", parseApiKey(written))
+    }
+
+    @Test
+    fun `roundtrip double write returns new key`() {
+        val config = "address = \"127.0.0.1\"\n"
+        val first = writeApiKey(config, "first-key")
+        val second = writeApiKey(first, "second-key")
+        assertEquals("second-key", parseApiKey(second))
+        assertFalse(second.contains("first-key"))
+    }
+}

From 5b15dad5c20e168cbc357ef63a0aafe5fcd6382a Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:15:01 +0000
Subject: [PATCH 02/19] fix(auth): address Greptile review findings

- ConfigManager.writeApiKey: scope api_key detection to [auth] section
  only, preventing cross-section corruption when other TOML sections
  also contain an api_key field
- AuthSettingsActivity: show btnCopy immediately after enable via switch
  or regenerate button (was permanently hidden after toggle)
- AuthSettingsActivity: guard switch.isChecked setter with isUpdatingSwitch
  flag to prevent double-toast when regenerating key
- Layout: replace deprecated Switch with SwitchMaterial
- ConfigManagerTest: add cross-section api_key isolation regression test
---
 .../android/AuthSettingsActivity.kt           | 19 ++++++++++++++++---
 .../activitywatch/android/ConfigManager.kt    |  8 ++++++--
 .../res/layout/activity_auth_settings.xml     |  2 +-
 .../android/ConfigManagerTest.kt              |  9 +++++++++
 4 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
index 6cb9574e..93b459c6 100644
--- a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
+++ b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
@@ -8,10 +8,10 @@ import android.view.MenuItem
 import android.view.View
 import android.widget.Button
 import android.widget.CompoundButton
-import android.widget.Switch
 import android.widget.TextView
 import android.widget.Toast
 import androidx.appcompat.app.AppCompatActivity
+import com.google.android.material.switchmaterial.SwitchMaterial
 
 class AuthSettingsActivity : AppCompatActivity() {
 
@@ -21,7 +21,10 @@ class AuthSettingsActivity : AppCompatActivity() {
     private lateinit var tvStatus: TextView
     private lateinit var btnCopy: Button
     private lateinit var btnRegenerate: Button
-    private lateinit var switchAuthEnabled: Switch
+    private lateinit var switchAuthEnabled: SwitchMaterial
+
+    // Guards against the switch listener firing when we set isChecked programmatically
+    private var isUpdatingSwitch = false
 
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
@@ -52,23 +55,29 @@ class AuthSettingsActivity : AppCompatActivity() {
         btnRegenerate.setOnClickListener {
             val newKey = configManager.generateAndSetApiKey()
             tvApiKey.text = newKey
+            btnCopy.visibility = View.VISIBLE
+            // Update switch without triggering its listener (which would show a second toast)
+            isUpdatingSwitch = true
             switchAuthEnabled.isChecked = true
+            isUpdatingSwitch = false
             tvStatus.text = "Authentication enabled (restart app to apply)"
             Toast.makeText(this, "New API key generated. Restart app to apply.", Toast.LENGTH_LONG).show()
         }
 
         switchAuthEnabled.setOnCheckedChangeListener { _: CompoundButton, isChecked: Boolean ->
+            if (isUpdatingSwitch) return@setOnCheckedChangeListener
             if (isChecked) {
-                // Enable auth — generate a key if none exists
                 val current = configManager.readAuthConfig()
                 if (!current.isEnabled) {
                     val newKey = configManager.generateAndSetApiKey()
                     tvApiKey.text = newKey
                 }
+                btnCopy.visibility = View.VISIBLE
                 tvStatus.text = "Authentication enabled (restart app to apply)"
             } else {
                 configManager.clearApiKey()
                 tvApiKey.text = "(none)"
+                btnCopy.visibility = View.GONE
                 tvStatus.text = "Authentication disabled (restart app to apply)"
             }
             Toast.makeText(this, "Setting saved. Restart app to apply.", Toast.LENGTH_SHORT).show()
@@ -80,12 +89,16 @@ class AuthSettingsActivity : AppCompatActivity() {
         if (auth.isEnabled) {
             tvApiKey.text = auth.apiKey
             tvStatus.text = "Authentication is enabled"
+            isUpdatingSwitch = true
             switchAuthEnabled.isChecked = true
+            isUpdatingSwitch = false
             btnCopy.visibility = View.VISIBLE
         } else {
             tvApiKey.text = "(none — authentication disabled)"
             tvStatus.text = "Authentication is disabled"
+            isUpdatingSwitch = true
             switchAuthEnabled.isChecked = false
+            isUpdatingSwitch = false
             btnCopy.visibility = View.GONE
         }
     }
diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
index 1e4c49fb..5bb1918a 100644
--- a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -72,8 +72,12 @@ class ConfigManager(context: Context) {
 
     private fun writeApiKey(content: String, key: String?): String {
         val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
-        val authSectionPresent = Regex("""(?m)^\[auth\]""").containsMatchIn(content)
-        val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(content)
+        val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
+        val authSectionContent = authSectionRegex.find(content)?.value
+        val authSectionPresent = authSectionContent != null
+        // Scope the api_key check to the [auth] section only, not the whole file
+        val apiKeyLinePresent = authSectionContent != null &&
+            Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
 
         if (authSectionPresent) {
             return if (apiKeyLinePresent) {
diff --git a/mobile/src/main/res/layout/activity_auth_settings.xml b/mobile/src/main/res/layout/activity_auth_settings.xml
index 4d0f8103..6d2d3033 100644
--- a/mobile/src/main/res/layout/activity_auth_settings.xml
+++ b/mobile/src/main/res/layout/activity_auth_settings.xml
@@ -25,7 +25,7 @@
                 android:text="Require API Authentication"
                 android:textAppearance="?attr/textAppearanceBodyLarge" />
 
-            <Switch
+            <com.google.android.material.switchmaterial.SwitchMaterial
                 android:id="@+id/switch_auth_enabled"
                 android:layout_width="wrap_content"
                 android:layout_height="wrap_content" />
diff --git a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
index 6d547727..4c83e9d5 100644
--- a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
+++ b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
@@ -118,4 +118,13 @@ class ConfigManagerTest {
         assertEquals("second-key", parseApiKey(second))
         assertFalse(second.contains("first-key"))
     }
+
+    @Test
+    fun `writeApiKey does not overwrite api_key in other sections`() {
+        // Another section also has an api_key field — must not be touched
+        val config = "[logging]\napi_key = \"log-key\"\n\n[auth]\napi_key = \"auth-key\"\n"
+        val result = writeApiKey(config, "new-auth-key")
+        assertEquals("new-auth-key", parseApiKey(result))
+        assertTrue(result.contains("""api_key = "log-key""""))
+    }
 }

From 37e18f88ea5269276c9e6af7005a3b7b0e820ad7 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:16:45 +0000
Subject: [PATCH 03/19] fix(auth): fully scope writeApiKey operations to [auth]
 section

The previous fix scoped the apiKeyLinePresent check but still ran
replaceFirst on the full file content, which would still clobber an
api_key field in an earlier TOML section. Now: extract the [auth]
section, perform all string operations within it, then substitute the
modified section back into the full content. Test helper mirrors the fix.
---
 .../activitywatch/android/ConfigManager.kt    | 19 ++++++++-----------
 .../android/ConfigManagerTest.kt              | 16 +++++++++-------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
index 5bb1918a..ac84cebf 100644
--- a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -74,23 +74,20 @@ class ConfigManager(context: Context) {
         val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
         val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
         val authSectionContent = authSectionRegex.find(content)?.value
-        val authSectionPresent = authSectionContent != null
-        // Scope the api_key check to the [auth] section only, not the whole file
-        val apiKeyLinePresent = authSectionContent != null &&
-            Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
 
-        if (authSectionPresent) {
-            return if (apiKeyLinePresent) {
-                // Replace or remove the existing api_key line
+        if (authSectionContent != null) {
+            // Modify only within the [auth] section to avoid touching other sections
+            val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
+            val updatedSection = if (apiKeyLinePresent) {
                 val replaced = Regex("""(?m)^api_key\s*=.*$""")
-                    .replaceFirst(content, authLine ?: "")
+                    .replaceFirst(authSectionContent, authLine ?: "")
                 if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
             } else if (authLine != null) {
-                // [auth] exists but no api_key line yet — insert after the [auth] header
-                content.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+                authSectionContent.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
             } else {
-                content
+                authSectionContent
             }
+            return content.replace(authSectionContent, updatedSection)
         }
 
         // No [auth] section — append it if we have a key
diff --git a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
index 4c83e9d5..af5c5713 100644
--- a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
+++ b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
@@ -22,18 +22,20 @@ class ConfigManagerTest {
 
     private fun writeApiKey(content: String, key: String?): String {
         val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
-        val authSectionPresent = Regex("""(?m)^\[auth\]""").containsMatchIn(content)
-        val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(content)
-        if (authSectionPresent) {
-            return if (apiKeyLinePresent) {
+        val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
+        val authSectionContent = authSectionRegex.find(content)?.value
+        if (authSectionContent != null) {
+            val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
+            val updatedSection = if (apiKeyLinePresent) {
                 val replaced = Regex("""(?m)^api_key\s*=.*$""")
-                    .replaceFirst(content, authLine ?: "")
+                    .replaceFirst(authSectionContent, authLine ?: "")
                 if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
             } else if (authLine != null) {
-                content.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+                authSectionContent.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
             } else {
-                content
+                authSectionContent
             }
+            return content.replace(authSectionContent, updatedSection)
         }
         return if (authLine != null) {
             val base = content.trimEnd()

From ef4acb15295873f2c41290ce654d06c779f26fae Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:22:22 +0000
Subject: [PATCH 04/19] fix(auth): suppress clipboard preview for API key on
 Android 13+

Set ClipDescription.EXTRA_IS_SENSITIVE so the system does not show a
plaintext preview toast of the API key when copying on Android 13+.
---
 .../activitywatch/android/AuthSettingsActivity.kt    | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
index 93b459c6..f036ae50 100644
--- a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
+++ b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
@@ -1,9 +1,12 @@
 package net.activitywatch.android
 
 import android.content.ClipData
+import android.content.ClipDescription
 import android.content.ClipboardManager
 import android.content.Context
+import android.os.Build
 import android.os.Bundle
+import android.os.PersistableBundle
 import android.view.MenuItem
 import android.view.View
 import android.widget.Button
@@ -48,7 +51,14 @@ class AuthSettingsActivity : AppCompatActivity() {
         btnCopy.setOnClickListener {
             val key = configManager.readAuthConfig().apiKey ?: return@setOnClickListener
             val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
-            clipboard.setPrimaryClip(ClipData.newPlainText("API key", key))
+            val clip = ClipData.newPlainText("API key", key)
+            // Suppress plaintext preview toast on Android 13+ (API 33+)
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                clip.description.extras = PersistableBundle().also {
+                    it.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
+                }
+            }
+            clipboard.setPrimaryClip(clip)
             Toast.makeText(this, "API key copied to clipboard", Toast.LENGTH_SHORT).show()
         }
 

From b1c51a8e6800bb012fc8952bafefb6b86ea2f6ae Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:28:51 +0000
Subject: [PATCH 05/19] fix(auth): bump aw-server-rust for settings PR

---
 aw-server-rust | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aw-server-rust b/aw-server-rust
index dc70318e..0c8b2adf 160000
--- a/aw-server-rust
+++ b/aw-server-rust
@@ -1 +1 @@
-Subproject commit dc70318e819efc0d0535a5d7bd35a0c7ab8e9106
+Subproject commit 0c8b2adf6dfa39e5d74d05df9466b8e7efd7f171

From 629cc52674733aa90ebc821cb883b800ca902f3d Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:33:29 +0000
Subject: [PATCH 06/19] fix(auth): use atomic write for config.toml via
 temp-file rename

---
 .../main/java/net/activitywatch/android/ConfigManager.kt   | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
index ac84cebf..c3e47cc3 100644
--- a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -3,6 +3,7 @@ package net.activitywatch.android
 import android.content.Context
 import android.util.Log
 import java.io.File
+import java.io.IOException
 import java.util.UUID
 
 private const val TAG = "ConfigManager"
@@ -44,7 +45,11 @@ class ConfigManager(context: Context) {
         try {
             val current = if (configFile.exists()) configFile.readText() else ""
             val updated = writeApiKey(current, key)
-            configFile.writeText(updated)
+            val tmpFile = File(configFile.parent, configFile.name + ".tmp")
+            tmpFile.writeText(updated)
+            if (!tmpFile.renameTo(configFile)) {
+                throw IOException("Failed to atomically replace config.toml")
+            }
             Log.d(TAG, "API key updated in config.toml")
         } catch (e: Exception) {
             Log.e(TAG, "Failed to write config.toml: ${e.message}")

From d0acba76fa73d76b04e7d3f344de1523491e370e Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:41:01 +0000
Subject: [PATCH 07/19] fix(ci): fallback versionCode for fork PRs

---
 .github/workflows/build.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d735f8d5..fca6b011 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -99,16 +99,36 @@ jobs:
         submodules: 'recursive'
 
 
+    - name: Detect Fastlane secrets
+      id: fastlane_secrets
+      env:
+        KEY_FASTLANE_API: ${{ secrets.KEY_FASTLANE_API }}
+      run: |
+        if [ -n "$KEY_FASTLANE_API" ]; then
+          echo "available=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "available=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Require Fastlane secrets outside pull requests
+      if: steps.fastlane_secrets.outputs.available != 'true' && github.event_name != 'pull_request'
+      run: |
+        echo "::error::KEY_FASTLANE_API is required for non-PR builds"
+        exit 1
+
     # Ruby & Fastlane
     # version set by .ruby-version
     - name: Set up Ruby and install fastlane
+      if: steps.fastlane_secrets.outputs.available == 'true'
       uses: ruby/setup-ruby@v1
       with:
         bundler-cache: true
 
     # Needed for `fastlane update_version`
     - uses: adnsio/setup-age-action@v1.2.0
+      if: steps.fastlane_secrets.outputs.available == 'true'
     - name: Load Fastlane secrets
+      if: steps.fastlane_secrets.outputs.available == 'true'
       env:
         KEY_FASTLANE_API: ${{ secrets.KEY_FASTLANE_API }}
       run: |
@@ -121,12 +141,18 @@ jobs:
     # Retry this, in case there are concurrent jobs, which may lead to the error:
     #   "Google Api Error: Invalid request - This Edit has been deleted."
     - name: Update versionCode
+      if: steps.fastlane_secrets.outputs.available == 'true'
       uses: Wandalen/wretry.action@master
       with:
         command: bundle exec fastlane update_version
         attempt_limit: 3
         attempt_delay: 20000
 
+    - name: Use checked-in versionCode fallback
+      if: steps.fastlane_secrets.outputs.available != 'true'
+      run: |
+        echo "KEY_FASTLANE_API unavailable for pull_request build; using checked-in versionCode."
+
     - name: Output versionCode
       id: versionCode
       run: |
@@ -581,4 +607,3 @@ jobs:
           dist/*.apk
           dist/*.aab
         # body_path: dist/release_notes/release_notes.md
-

From 6a078564421d73dcbd3c7dce654b9db4ccd48417 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:45:19 +0000
Subject: [PATCH 08/19] fix(ci): upgrade artifact actions to v4

---
 .github/workflows/build.yml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fca6b011..52767d60 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -248,9 +248,9 @@ jobs:
         make dist/aw-android.${{ matrix.type }}
 
     - name: Upload
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
-        name: aw-android
+        name: aw-android-${{ matrix.type }}
         path: dist/aw-android*.${{ matrix.type }}
 
   test:
@@ -483,7 +483,7 @@ jobs:
 
     - name: Upload logcat
       if: ${{ success() || steps.test.conclusion == 'failure'}}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: logcat
         # mobile\build\outputs\connected_android_test_additional_output\debugAndroidTest\connected\Pixel_XL_API_32(AVD) - 12\ScreenshotTest_saveDeviceScreenBitmap.png
@@ -499,7 +499,7 @@ jobs:
     #     path: ./*.mov # out.mov
 
     - name: Upload screenshots
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ success() || steps.test.conclusion == 'failure'}}
       with:
         name: screenshots
@@ -526,10 +526,11 @@ jobs:
     - uses: actions/checkout@v3
 
     - name: Download APK & AAB
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
-        name: aw-android
+        pattern: aw-android-*
         path: dist
+        merge-multiple: true
 
     - name: Display structure of downloaded files
       working-directory: dist
@@ -582,10 +583,11 @@ jobs:
 
     # Will download all artifacts to path
     - name: Download release APK & AAB
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
-        name: aw-android
+        pattern: aw-android-*
         path: dist
+        merge-multiple: true
 
     - name: Display structure of downloaded files
       working-directory: dist

From 287d08983ab75494733ad0d504ee3c04de5202d6 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:48:35 +0000
Subject: [PATCH 09/19] fix(ci): use modern Android SDK tools path

---
 .github/workflows/build.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 52767d60..92a20f29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -354,15 +354,18 @@ jobs:
       if: runner.os == 'macOS'
       run: brew install intel-haxm
 
+    - name: Set up Android SDK
+      uses: android-actions/setup-android@v2
+
     # # # Below code is majorly from https://github.com/actions/runner-images/issues/6152#issuecomment-1243718140
     - name: Create Android emulator
       run: |
         # Install AVD files
-        echo "y" | $ANDROID_HOME/tools/bin/sdkmanager --install 'system-images;android-'$MATRIX_E_SDK';default;x86_64'
-        echo "y" | $ANDROID_HOME/tools/bin/sdkmanager --licenses
+        echo "y" | sdkmanager --install 'system-images;android-'$MATRIX_E_SDK';default;x86_64'
+        echo "y" | sdkmanager --licenses
 
         # Create emulator
-        $ANDROID_HOME/tools/bin/avdmanager create avd -n $MATRIX_AVD -d pixel --package 'system-images;android-'$MATRIX_E_SDK';default;x86_64'
+        avdmanager create avd -n $MATRIX_AVD -d pixel --package 'system-images;android-'$MATRIX_E_SDK';default;x86_64'
         $ANDROID_HOME/emulator/emulator -list-avds
         if false; then
         emulator_config=~/.android/avd/$MATRIX_AVD.avd/config.ini
@@ -395,8 +398,8 @@ jobs:
       run: |
         echo "Starting emulator and waiting for boot to complete...."
         ls -la $ANDROID_HOME/emulator
-        $ANDROID_HOME/tools/emulator --accel-check  # check for hardware acceleration
-        nohup $ANDROID_HOME/tools/emulator -avd $MATRIX_AVD -gpu host -no-audio -no-boot-anim -camera-back none -camera-front none -qemu -m 2048 2>&1 &
+        $ANDROID_HOME/emulator/emulator --accel-check  # check for hardware acceleration
+        nohup $ANDROID_HOME/emulator/emulator -avd $MATRIX_AVD -gpu host -no-audio -no-boot-anim -camera-back none -camera-front none -qemu -m 2048 2>&1 &
         $ANDROID_HOME/platform-tools/adb wait-for-device shell 'while [[ -z $(getprop sys.boot_completed | tr -d '\r') ]]; do echo "wait..."; sleep 1; done; input keyevent 82'
         echo "Emulator has finished booting"
         $ANDROID_HOME/platform-tools/adb devices
@@ -448,8 +451,6 @@ jobs:
         java-version: ${{ env.JAVA_VERSION }}
 
     # Android SDK & NDK
-    - name: Set up Android SDK
-      uses: android-actions/setup-android@v2
     - name: Set up Android NDK
       run: |
         sdkmanager "ndk;${{ env.NDK_VERSION }}"

From 649784b479782fce3a08d76c54270f03b471d9c1 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:51:31 +0000
Subject: [PATCH 10/19] fix(ci): skip signed artifacts on fork PRs

---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 92a20f29..6a4bd3aa 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -162,6 +162,9 @@ jobs:
     name: Build ${{ matrix.type }}
     runs-on: ubicloud-standard-4
     needs: [build-rust, get-versionCode]
+    # Fork PRs cannot access signing secrets; build/test coverage still runs in
+    # build-rust, test, and test-e2e.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     strategy:
       fail-fast: true
       matrix:

From 422b357e24618c089f47cc5f23282ca004f1ab11 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 19:56:08 +0000
Subject: [PATCH 11/19] fix(auth): propagate API key write failures

---
 .../android/AuthSettingsActivity.kt           | 23 ++++++++++++++++++-
 .../activitywatch/android/ConfigManager.kt    | 12 ++++++----
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
index f036ae50..73e45a04 100644
--- a/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
+++ b/mobile/src/main/java/net/activitywatch/android/AuthSettingsActivity.kt
@@ -64,6 +64,11 @@ class AuthSettingsActivity : AppCompatActivity() {
 
         btnRegenerate.setOnClickListener {
             val newKey = configManager.generateAndSetApiKey()
+            if (newKey == null) {
+                refreshUI()
+                Toast.makeText(this, "Failed to save API key", Toast.LENGTH_LONG).show()
+                return@setOnClickListener
+            }
             tvApiKey.text = newKey
             btnCopy.visibility = View.VISIBLE
             // Update switch without triggering its listener (which would show a second toast)
@@ -80,12 +85,21 @@ class AuthSettingsActivity : AppCompatActivity() {
                 val current = configManager.readAuthConfig()
                 if (!current.isEnabled) {
                     val newKey = configManager.generateAndSetApiKey()
+                    if (newKey == null) {
+                        refreshUI()
+                        Toast.makeText(this, "Failed to save API key", Toast.LENGTH_LONG).show()
+                        return@setOnCheckedChangeListener
+                    }
                     tvApiKey.text = newKey
                 }
                 btnCopy.visibility = View.VISIBLE
                 tvStatus.text = "Authentication enabled (restart app to apply)"
             } else {
-                configManager.clearApiKey()
+                if (!configManager.clearApiKey()) {
+                    refreshUI()
+                    Toast.makeText(this, "Failed to save API key setting", Toast.LENGTH_LONG).show()
+                    return@setOnCheckedChangeListener
+                }
                 tvApiKey.text = "(none)"
                 btnCopy.visibility = View.GONE
                 tvStatus.text = "Authentication disabled (restart app to apply)"
@@ -94,6 +108,13 @@ class AuthSettingsActivity : AppCompatActivity() {
         }
     }
 
+    override fun onResume() {
+        super.onResume()
+        if (::configManager.isInitialized) {
+            refreshUI()
+        }
+    }
+
     private fun refreshUI() {
         val auth = configManager.readAuthConfig()
         if (auth.isEnabled) {
diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
index c3e47cc3..3110221d 100644
--- a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -41,25 +41,27 @@ class ConfigManager(context: Context) {
         }
     }
 
-    fun setApiKey(key: String?) {
-        try {
+    fun setApiKey(key: String?): Boolean {
+        return try {
             val current = if (configFile.exists()) configFile.readText() else ""
             val updated = writeApiKey(current, key)
             val tmpFile = File(configFile.parent, configFile.name + ".tmp")
             tmpFile.writeText(updated)
             if (!tmpFile.renameTo(configFile)) {
+                tmpFile.delete()
                 throw IOException("Failed to atomically replace config.toml")
             }
             Log.d(TAG, "API key updated in config.toml")
+            true
         } catch (e: Exception) {
             Log.e(TAG, "Failed to write config.toml: ${e.message}")
+            false
         }
     }
 
-    fun generateAndSetApiKey(): String {
+    fun generateAndSetApiKey(): String? {
         val key = UUID.randomUUID().toString().replace("-", "")
-        setApiKey(key)
-        return key
+        return if (setApiKey(key)) key else null
     }
 
     fun clearApiKey() = setApiKey(null)

From 23a57d5b7775b187ebb2bacf5a4cf227f29f807b Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 20:08:59 +0000
Subject: [PATCH 12/19] fix(ci): repair Linux emulator startup

---
 .github/workflows/build.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6a4bd3aa..f0d74be6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -401,14 +401,13 @@ jobs:
       run: |
         echo "Starting emulator and waiting for boot to complete...."
         ls -la $ANDROID_HOME/emulator
-        $ANDROID_HOME/emulator/emulator --accel-check  # check for hardware acceleration
+        $ANDROID_HOME/emulator/emulator -accel-check  # check for hardware acceleration
         nohup $ANDROID_HOME/emulator/emulator -avd $MATRIX_AVD -gpu host -no-audio -no-boot-anim -camera-back none -camera-front none -qemu -m 2048 2>&1 &
         $ANDROID_HOME/platform-tools/adb wait-for-device shell 'while [[ -z $(getprop sys.boot_completed | tr -d '\r') ]]; do echo "wait..."; sleep 1; done; input keyevent 82'
         echo "Emulator has finished booting"
         $ANDROID_HOME/platform-tools/adb devices
         sleep 30
         mkdir -p screenshots
-        screencapture screenshots/screenshot-$SUFFIX.jpg
         $ANDROID_HOME/platform-tools/adb exec-out screencap -p > screenshots/emulator-$SUFFIX.png
 
     # # # Have to re-setup everything since we need to run emulator for faster performance on masOS ? Other os'es emulator will not startup ?
@@ -481,7 +480,7 @@ jobs:
       run: |
         adb shell monkey -p net.activitywatch.android.debug 1
         sleep 10
-        screencapture screenshots/pscreenshot-$SUFFIX.jpg
+        mkdir -p screenshots
         $ANDROID_HOME/platform-tools/adb exec-out screencap -p > screenshots/pemulator-$SUFFIX.png
         ls -alh screenshots/
 

From 3a50619e5aebe2a821a0d3a443341bdfa22c821b Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 20:21:04 +0000
Subject: [PATCH 13/19] fix(ci): handle emulator without kvm acceleration

---
 .github/workflows/build.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f0d74be6..57b96c9b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -401,8 +401,14 @@ jobs:
       run: |
         echo "Starting emulator and waiting for boot to complete...."
         ls -la $ANDROID_HOME/emulator
-        $ANDROID_HOME/emulator/emulator -accel-check  # check for hardware acceleration
-        nohup $ANDROID_HOME/emulator/emulator -avd $MATRIX_AVD -gpu host -no-audio -no-boot-anim -camera-back none -camera-front none -qemu -m 2048 2>&1 &
+        emulator_args=(-avd "$MATRIX_AVD" -gpu swiftshader_indirect -no-window -no-audio -no-boot-anim -camera-back none -camera-front none)
+        if $ANDROID_HOME/emulator/emulator -accel-check; then
+          echo "Hardware acceleration available."
+        else
+          echo "Hardware acceleration unavailable; using software acceleration."
+          emulator_args+=(-accel off)
+        fi
+        nohup $ANDROID_HOME/emulator/emulator "${emulator_args[@]}" -qemu -m 2048 2>&1 &
         $ANDROID_HOME/platform-tools/adb wait-for-device shell 'while [[ -z $(getprop sys.boot_completed | tr -d '\r') ]]; do echo "wait..."; sleep 1; done; input keyevent 82'
         echo "Emulator has finished booting"
         $ANDROID_HOME/platform-tools/adb devices

From 40067321f392be0def3f135f5117a332c99a90f0 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 20:34:06 +0000
Subject: [PATCH 14/19] fix(ci): make E2E screenshot best effort

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 57b96c9b..518c36e3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -484,10 +484,10 @@ jobs:
       env:
         SUFFIX: ${{ matrix.android_avd }}-eAPI-${{ matrix.android_emu_version }}
       run: |
-        adb shell monkey -p net.activitywatch.android.debug 1
+        adb shell monkey -p net.activitywatch.android.debug 1 || echo "App launch failed; capturing current emulator screen."
         sleep 10
         mkdir -p screenshots
-        $ANDROID_HOME/platform-tools/adb exec-out screencap -p > screenshots/pemulator-$SUFFIX.png
+        $ANDROID_HOME/platform-tools/adb exec-out screencap -p > screenshots/pemulator-$SUFFIX.png || echo "Screenshot capture failed."
         ls -alh screenshots/
 
     - name: Upload logcat

From 9491520e68c562bc4bcbcd73d936d7795d054d92 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Thu, 21 May 2026 20:44:26 +0000
Subject: [PATCH 15/19] fix(auth): insert API key in newline-less auth section

---
 .../net/activitywatch/android/ConfigManager.kt | 10 ++++++----
 .../activitywatch/android/ConfigManagerTest.kt | 18 ++++++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
index 3110221d..4ac749c7 100644
--- a/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
+++ b/mobile/src/main/java/net/activitywatch/android/ConfigManager.kt
@@ -80,9 +80,10 @@ class ConfigManager(context: Context) {
     private fun writeApiKey(content: String, key: String?): String {
         val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
         val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
-        val authSectionContent = authSectionRegex.find(content)?.value
+        val authSectionMatch = authSectionRegex.find(content)
 
-        if (authSectionContent != null) {
+        if (authSectionMatch != null) {
+            val authSectionContent = authSectionMatch.value
             // Modify only within the [auth] section to avoid touching other sections
             val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
             val updatedSection = if (apiKeyLinePresent) {
@@ -90,11 +91,12 @@ class ConfigManager(context: Context) {
                     .replaceFirst(authSectionContent, authLine ?: "")
                 if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
             } else if (authLine != null) {
-                authSectionContent.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+                val separator = if (authSectionContent.endsWith("\n")) "" else "\n"
+                "$authSectionContent$separator$authLine\n"
             } else {
                 authSectionContent
             }
-            return content.replace(authSectionContent, updatedSection)
+            return content.replaceRange(authSectionMatch.range, updatedSection)
         }
 
         // No [auth] section — append it if we have a key
diff --git a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
index af5c5713..2775f663 100644
--- a/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
+++ b/mobile/src/test/java/net/activitywatch/android/ConfigManagerTest.kt
@@ -23,19 +23,21 @@ class ConfigManagerTest {
     private fun writeApiKey(content: String, key: String?): String {
         val authLine = if (key.isNullOrEmpty()) null else """api_key = "$key""""
         val authSectionRegex = Regex("""(?m)^\[auth\].*?(?=^\[|\z)""", RegexOption.DOT_MATCHES_ALL)
-        val authSectionContent = authSectionRegex.find(content)?.value
-        if (authSectionContent != null) {
+        val authSectionMatch = authSectionRegex.find(content)
+        if (authSectionMatch != null) {
+            val authSectionContent = authSectionMatch.value
             val apiKeyLinePresent = Regex("""(?m)^api_key\s*=""").containsMatchIn(authSectionContent)
             val updatedSection = if (apiKeyLinePresent) {
                 val replaced = Regex("""(?m)^api_key\s*=.*$""")
                     .replaceFirst(authSectionContent, authLine ?: "")
                 if (authLine == null) replaced.replace(Regex("\n{3,}"), "\n\n") else replaced
             } else if (authLine != null) {
-                authSectionContent.replaceFirst(oldValue = "[auth]\n", newValue = "[auth]\n$authLine\n")
+                val separator = if (authSectionContent.endsWith("\n")) "" else "\n"
+                "$authSectionContent$separator$authLine\n"
             } else {
                 authSectionContent
             }
-            return content.replace(authSectionContent, updatedSection)
+            return content.replaceRange(authSectionMatch.range, updatedSection)
         }
         return if (authLine != null) {
             val base = content.trimEnd()
@@ -105,6 +107,14 @@ class ConfigManagerTest {
         assertEquals("inserted-key", parseApiKey(result))
     }
 
+    @Test
+    fun `writeApiKey inserts key when auth section has no trailing newline`() {
+        val config = "address = \"127.0.0.1\"\n\n[auth]"
+        val result = writeApiKey(config, "inserted-key")
+        assertEquals("inserted-key", parseApiKey(result))
+        assertEquals("address = \"127.0.0.1\"\n\n[auth]\napi_key = \"inserted-key\"\n", result)
+    }
+
     @Test
     fun `roundtrip write then read returns same key`() {
         val config = "address = \"127.0.0.1\"\n"

From 77ba74a780c2caf42eb7586154697712c51c4aaa Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Fri, 22 May 2026 10:55:27 +0000
Subject: [PATCH 16/19] ci: re-trigger Test job (stuck pending for 14h)


From fb7b0b71675161757f0fad8ea767166359cdb2a4 Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Fri, 22 May 2026 13:22:33 +0000
Subject: [PATCH 17/19] fix(ci): upgrade Test job from ubuntu-20.04 to
 ubuntu-22.04

ubuntu-20.04 GitHub-hosted runners are no longer available, causing the
Test job to queue indefinitely with no runner to pick it up.
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 518c36e3..879d30de 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -258,7 +258,7 @@ jobs:
 
   test:
     name: Test
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     needs: [build-rust]
     env:
       SUPPLY_TRACK: production   # used by fastlane to determine track to publish to

From ffbdd1fb6f2529edf1c3655a4028e700ee3f5c1f Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Fri, 22 May 2026 13:33:59 +0000
Subject: [PATCH 18/19] fix(ci): remove jniLibs dependency from Test job

Unit tests (./gradlew test) run on the JVM and don't require native
.so files. The jniLibs cache restore was failing because the cache was
saved by a ubicloud runner but the Test job runs on a GitHub-hosted
runner (different cache backend). Remove NDK setup and jniLibs cache
restore from the Test job, and drop the needs:[build-rust] dependency
since there are no longer any shared artifacts.
---
 .github/workflows/build.yml | 28 +---------------------------
 1 file changed, 1 insertion(+), 27 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 879d30de..2138a942 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -259,7 +259,6 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-22.04
-    needs: [build-rust]
     env:
       SUPPLY_TRACK: production   # used by fastlane to determine track to publish to
 
@@ -268,39 +267,14 @@ jobs:
       with:
         submodules: 'recursive'
 
-    - name: Set RELEASE
-      run: |
-        echo "RELEASE=${{ startsWith(github.ref_name, 'v') }}" >> $GITHUB_ENV
-
     - name: Set up JDK
       uses: actions/setup-java@v1
       with:
         java-version: ${{ env.JAVA_VERSION }}
 
-    # Android SDK & NDK
+    # Android SDK only (unit tests don't require NDK or jniLibs)
     - name: Set up Android SDK
       uses: android-actions/setup-android@v2
-    - name: Set up Android NDK
-      run: |
-        sdkmanager "ndk;${{ env.NDK_VERSION }}"
-        ANDROID_NDK_HOME="$ANDROID_SDK_ROOT/ndk/${{ env.NDK_VERSION }}"
-        ls $ANDROID_NDK_HOME
-        echo "ANDROID_NDK_HOME=$ANDROID_NDK_HOME" >> $GITHUB_ENV
-
-
-    # Restores jniLibs from cache
-    # `actions/cache/restore` only restores, without saving back in a post-hook
-    - uses: actions/cache/restore@v3
-      id: cache-jniLibs
-      env:
-        cache-name: jniLibs
-      with:
-        path: mobile/src/main/jniLibs/
-        key: ${{ env.cache-name }}-release-${{ env.RELEASE }}-ndk-${{ env.NDK_VERSION }}-${{ hashFiles('.git/modules/aw-server-rust/HEAD') }}
-        fail-on-cache-miss: true
-    - name: Check that jniLibs present
-      run: |
-        test -e mobile/src/main/jniLibs/x86_64/libaw_server.so
 
     # Test
     - name: Test

From a9c05ca4190d378f0d4203c98c9d7a59d296f9be Mon Sep 17 00:00:00 2001
From: Bob <bob@superuserlabs.org>
Date: Fri, 22 May 2026 13:39:44 +0000
Subject: [PATCH 19/19] =?UTF-8?q?fix(ci):=20restore=20NDK=20in=20Test=20jo?=
 =?UTF-8?q?b=20=E2=80=94=20required=20at=20Gradle=20config=20time?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/build.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2138a942..0630ae7c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -272,9 +272,14 @@ jobs:
       with:
         java-version: ${{ env.JAVA_VERSION }}
 
-    # Android SDK only (unit tests don't require NDK or jniLibs)
+    # Android SDK & NDK (NDK required at Gradle configuration time even for JVM unit tests)
     - name: Set up Android SDK
       uses: android-actions/setup-android@v2
+    - name: Set up Android NDK
+      run: |
+        sdkmanager "ndk;${{ env.NDK_VERSION }}"
+        ANDROID_NDK_HOME="$ANDROID_SDK_ROOT/ndk/${{ env.NDK_VERSION }}"
+        echo "ANDROID_NDK_HOME=$ANDROID_NDK_HOME" >> $GITHUB_ENV
 
     # Test
     - name: Test