Add native invoke bridge and slim down install()

[seokju-na]

Summary

• Native invoke bridge — adds window.wvbAndroid so web invoke(name, params) calls reach native handlers, with built-in source/remote/updater commands (Bridge, BridgeCodec, BridgeError, WebViewBundleBridge, Log).
• install() only adds bundle behavior — InstallOptions no longer mutates the host's WebView settings; the host owns them. WebViewSetup.kt folded into WebViewBundle.kt.
• R8 safety — ships consumer-rules.pro so @JavascriptInterface bridge methods aren't stripped/renamed in minified consumer apps.
• testapp / assets — host applies its own WebView settings, back-key, and debugging; e2e modules and builtin bundles refreshed.

🤖 Generated with Claude Code

---

Summary by cubic

Adds a native web-to-Android invoke bridge and makes install() only wire bundle behavior. Web apps can call invoke(name, params) via window.wvbAndroid, and hosts now own all WebView settings.

• New Features

  • Native window.wvbAndroid bridge for invoke() with JSON encode/decode, background handlers, and main-thread replies; attaches via WebMessageListener when supported (logs and skips if not).
  • Built-in commands expose source, remote, and updater via WebViewBundleBridge.
  • install() now only sets the client and optional bridge; returns a closeable handle. New InstallOptions: delegate, disableBridge, and bridge { ... }.
  • Added R8 consumer rules to keep @JavascriptInterface methods. WebViewBundle.getInstance(...) (and wvb(...)/webViewBundle(...)) provides a process-wide singleton.

• Migration

  • Configure your own WebView settings and debugging (removed: applyRecommendedSettings, webContentsDebuggingEnabled, installServiceWorker, and configureWebView). If you need Service Worker interception, set it up with ServiceWorkerControllerCompat.
  • Update calls to install(webView) { delegate = ...; bridge { /* handlers */ } } or set disableBridge = true if not using the native bridge.
  • Use WebViewBundle.getInstance(context, config) to reuse the shared instance; call close() only when you need to drop it.

^{Written for commit 9f78ea8. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 18 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/src/main/kotlin/dev/wvb/WebViewBundleBridge.kt">

<violation number="1" location="lib/src/main/kotlin/dev/wvb/WebViewBundleBridge.kt:105">
P1: Privileged bundle-management handlers are exposed without caller authorization. Any untrusted page loaded as main frame can trigger local bundle mutation/download/install operations.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P1: Privileged bundle-management handlers are exposed without caller authorization. Any untrusted page loaded as main frame can trigger local bundle mutation/download/install operations.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/src/main/kotlin/dev/wvb/WebViewBundleBridge.kt, line 105:

<comment>Privileged bundle-management handlers are exposed without caller authorization. Any untrusted page loaded as main frame can trigger local bundle mutation/download/install operations.</comment>

<file context>
@@ -0,0 +1,119 @@
+                p.requireString("bundleName"), p.optionalString("version")
+            ).toJson()
+        }
+        bridge.handler("updaterInstall") { params ->
+            val p = BridgeCodec.params(params)
+            requireUpdater().install(p.requireString("bundleName"), p.requireString("version"))
</file context>