Replace the WebView SPA handoff with the app's own native screens that call the
same JSON API — hitting the on-device server in local mode or the remote server
in server mode (same code, base URL switches). Uses the api.ts client built earlier.
- api.ts: typed getTracker/toggleBillPaid/createBill/logout + a shared authed
mutate() helper (fetches + echoes the CSRF token); SessionUser type.
- TrackerScreen.tsx: native monthly Tracker — month header, Paid/Needs-action/Bills/
Remaining stat tiles, prev/next month nav, and bill rows with a one-tap mark-paid
toggle that re-fetches. Loading/error/empty states. Currency + dates via Intl in
the WebView (Chromium — full ICU, unlike the embedded server).
- MainApp.tsx + app.css: native app shell (top bar + avatar) and a bottom tab bar
(Tracker built; Calendar/Insights/Account are placeholders/account for now).
- App.tsx: renders MainApp instead of window.location.replace to the SPA; native
auth for both modes (local login shows 'this device'); 401 bounces to login.
Verified on the x86_64 emulator: two-doors setup -> native login -> native Tracker
with live bills -> tap to mark paid -> tiles + row update. No WebView.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Unify the native shell and harden it:
- src/config.ts: single source for local host/port, preference keys, secure-storage
key, timeouts, and CSRF constants (dedupes LOCAL_URL etc. across App/LoadingScreen).
- src/api.ts: one HTTP client — credentials mode, AbortController timeouts, and error
normalization into user-facing messages (network/timeout/401/403/429/5xx), with typed
auth responses.
- Batch 10 CSRF fix: /api/auth/totp/challenge is not CSRF-exempt, so the native TOTP
step now fetches GET /api/auth/csrf-token and echoes it as x-csrf-token (mirrors the
web client); TOTP login no longer breaks for 2FA users.
- Error-handling / boot robustness: LoadingScreen gets a health-poll timeout and
surfaces main.js's {type:'serverError'} channel messages instead of spinning forever;
App.tsx bootstrap and the encryption-key fetch now .catch to a visible state; crypto.ts
reports secure-storage failures.
- Data safety: move the SQLite DB, backups, and tmp OUT of nodejs-project into the app's
filesDir (bt-data). nodejs-mobile re-copies nodejs-project on every app update, which was
silently wiping local-mode data. Verified on the emulator: create data -> bump versionCode
-> reinstall -> migrations skipped, no re-seed, data persists.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>