Address two follow-ups from the Tor (arti) MR review.
Supply-chain hardening for the arti-mobile AAR, a native artifact with
network-proxy privileges:
- Pin the gpmaven Maven source to an immutable commit SHA
(guardianproject/gpmaven@b3ee2a6) instead of the mutable `master`
branch, so a force-push or new commit can't silently change what we
resolve.
- Verify the resolved AAR's SHA-256 at build time
(verifyArtiChecksum, wired ahead of assemble/bundle). A mismatch fails
the build before any APK is produced. Scoped to the one privileged
artifact rather than enabling global dependency verification, which
would force-verify every transitive dep.
Reconcile stale "apply on relaunch" / "next app launch" doc comments in
AppContext.ts, tor.ts, useTor.ts, TorController.java, and TorPlugin.java
with the actual behavior: the Advanced Settings toggle activates Tor
live via start/stop (arti starts/stops immediately, relay layer
remounts); the persisted flag only governs cold-launch auto-start.
Adds an opt-in Tor mode that routes all app traffic through a local
SOCKS5 proxy backed by arti (Tor in Rust), bundled via the
org.torproject:arti-mobile:1.7.0.1 AAR.
- TorController starts/stops arti and installs a fail-closed WebView
proxy override (no direct fallback) so traffic can't leak while Tor is
connecting or down. Connectivity is verified against
check.torproject.org (IsTor) and re-checked continuously; the exit IP
is surfaced for verification, and the status isn't latched so a dropped
circuit downgrades honestly.
- TorPlugin bridges enable/disable/status to the Capacitor/JS layer.
Toggling applies live, in place, with no app restart.
- UI: a slim fail-closed status banner (replacing the old full-screen
gate), the Tor toggle in Advanced settings reachable while logged out,
and Settings/Search/About added to the logged-out menu.
- R8 keep rules for org.torproject.arti.** so the JNI native-method
classes aren't stripped/renamed; androidx.webkit on the compile
classpath for the WebView proxy APIs.