dev/hass-west-wood
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Expand AGENTS.md: checks, brand assets, decompiled-APK note

Browse Source 
Add a Checks section (`py_compile` + `nix build`), note the `brand/` assets
and their source, broaden the backtick-quoting rule, refine the token-expiry
guidance, and explain using decompiled APK output if provided.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Jack O'Sullivan
2026-06-14 02:42:03 +01:00
parent 73cf5d2ce4
commit 07804e8ae8
1 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AGENTS.md
+26 -6
View File
@@ -16,6 +16,8 @@ token helper, and the Home Assistant custom component itself (see Integration).
endpoints are mapped. endpoints are mapped.
- `get-token.py` — logs in and prints a bearer token to stdout (stdlib only). - `get-token.py` — logs in and prints a bearer token to stdout (stdlib only).
- `custom_components/west_wood_club/` — the Home Assistant integration. - `custom_components/west_wood_club/` — the Home Assistant integration.
Its `brand/` dir holds the integration icon/logo, extracted from the capture's
`westwoodclub-ie.png` asset.
- `android-flows.mitm` — mitmproxy capture of the app's traffic. **Gitignored and - `android-flows.mitm` — mitmproxy capture of the app's traffic. **Gitignored and
untracked**: it contains real credentials and a bearer token in cleartext. Never untracked**: it contains real credentials and a bearer token in cleartext. Never
commit it or copy its secrets into tracked files. commit it or copy its secrets into tracked files.
@@ -50,8 +52,9 @@ Python uses **single-quoted strings** (`'...'`). Reformat with
`nix run nixpkgs#ruff`). Docstrings stay triple-double-quoted (`"""`). `nix run nixpkgs#ruff`). Docstrings stay triple-double-quoted (`"""`).
In prose (commit messages, docs, comments), backtick-quote anything code-like — In prose (commit messages, docs, comments), backtick-quote anything code-like —
paths, filenames, identifiers, commands, endpoints — rather than plain or paths, filenames, identifiers, commands, endpoints, HTTP headers, field/JSON
double-quoted text. keys, UUIDs/IDs, env vars — rather than plain or double-quoted text. If in doubt
and it's a literal token from code or an API, backtick it.
## Working with the capture ## Working with the capture
@@ -61,23 +64,30 @@ Read flows with the mitmproxy Python API:
from mitmproxy.io import FlowReader from mitmproxy.io import FlowReader
from mitmproxy.http import HTTPFlow from mitmproxy.http import HTTPFlow
with open("/abs/path/android-flows.mitm", "rb") as f: with open('/abs/path/android-flows.mitm', 'rb') as f:
for flow in FlowReader(f).stream(): for flow in FlowReader(f).stream():
if isinstance(flow, HTTPFlow) and "perfectgym.com" in flow.request.host: if isinstance(flow, HTTPFlow) and 'perfectgym.com' in flow.request.host:
... # flow.request / flow.response ... # flow.request / flow.response
``` ```
When dumping flows, redact `Authorization` / `Cookie` headers and the login body When dumping flows, redact `Authorization` / `Cookie` headers and the login body
(email + password) before writing anything to a tracked file. (email + password) before writing anything to a tracked file.
Some questions the capture can't answer (token lifecycle, the white-label ID,
error codes) need the app itself. If you're pointed at **decompiled APK output**
(e.g. apktool `smali/`), grep it there — but it's R8-obfuscated: class names are
mangled and library types (e.g. OkHttp) may be shrunk/repackaged, so a missing
grep hit is not proof of absence. No such decompilation lives in this repo.
## API essentials ## API essentials
Full detail in `api.md`. Quick reference: Full detail in `api.md`. Quick reference:
- Responses are wrapped `{ "data": ..., "errors": ... }`; `errors` is `null` on success. - Responses are wrapped `{ "data": ..., "errors": ... }`; `errors` is `null` on success.
- **Auth:** `POST /v1/Authorize/LogInWithEmail` (white-label ID goes in the body) - **Auth:** `POST /v1/Authorize/LogInWithEmail` (white-label ID goes in the body)
→ reuse the returned `bearer <token>` as the `Authorization` header. Token → reuse the returned `bearer <token>` as the `Authorization` header. The token
expiry is unconfirmed (`expireTime` was `null`). most likely doesn't expire (no refresh token in the response, app appears to
store no credentials); on `401`/`403` get a fresh one. See `api.md`.
- Authenticated endpoints need **only** the `Authorization` header — the `X-Go-*` - Authenticated endpoints need **only** the `Authorization` header — the `X-Go-*`
headers and app `User-Agent` the app sends are not required (verified against headers and app `User-Agent` the app sends are not required (verified against
the clubs endpoint). the clubs endpoint).
@@ -107,6 +117,16 @@ Full detail in `api.md`. Quick reference:
`manifest.json` and the flake on code changes. The integration has **no** `manifest.json` and the flake on code changes. The integration has **no**
external `requirements`, so no extra Nix packaging is needed. external `requirements`, so no extra Nix packaging is needed.
## Checks
There is no test suite. Verify changes with:
- `direnv exec . python -m py_compile custom_components/west_wood_club/*.py` — fast
syntax check of the component.
- `nix build .#west_wood_club` — builds the component and runs nixpkgs' manifest
and import checks (the closest thing to CI here). Remember to `git add` new files
first, or the flake won't see them.
## Security ## Security
The capture and `token.txt` hold live credentials/tokens. Keep them gitignored, The capture and `token.txt` hold live credentials/tokens. Keep them gitignored,