Address PR #76 review feedback: test assertions, unused vars, shared SHA-256 utility, label fix

[Copilot]

Applies all review comments from the Permission Analyzer PR (#76) — covering test quality, misleading labels, unused destructured variables, duplicated hashing logic, and inaccurate migration docs.

Changes

Shared SHA-256 utility

• Extracted HashUtils.sha256Hex(String) into core/security/HashUtils.kt
• Removed duplicate private sha256() from both MalwareRepositoryImpl and PermissionRepositoryImpl

// Before: identical private helpers in two repos
private fun sha256(input: String): String { ... }

// After: single canonical utility
HashUtils.sha256Hex(app.packageName)

PermissionRepositoryImpl

• Destructured unused riskScore with _ — only riskLevel and reasons are used downstream
• Fixed misleading log label: score=$malwareScore → malwareScore=$malwareScore

PermissionRiskScorerTest

• assertTrue(score == 95) → assertEquals(95, score) so failures show expected/actual values
• Renamed test "overrides mathematically to 100" → "yields score of 99" to match the actual assertion
• Destructured unused riskLevel with _ in the critical permissions test

AppCategoryClassifier

• Removed leading space from ANTIVIRUS label: " Security" → "Security"

Documentation

• MIGRATION_10_11 KDoc now explicitly states the migration drops and recreates permission_analysis_cache, clearing all cached rows
• permission_analyzer_commit_summary.md corrected to reflect the destructive migration (previously claimed "without wiping existing data")

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /home/REDACTED/.gradle/wrapper/dists/gradle-8.11.1-bin/bpt9gzteqjrbo1mjrsomdt32c/gradle-8.11.1/lib/gradle-daemon-main-8.11.1.jar (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)