Validate Android package names

[jsdavid278-cyber]

Fixes #580.

Changes:

• validate mobile-android packageName as an Android application ID before build/ship
• use the validated packageName for artifact names and Google Play IDs/URLs
• add regression tests for valid IDs, path separators, and single-segment names

Validation:

• vitest run packages/targets/mobile-android/src/index.test.ts
• tsc -p packages/targets/mobile-android/tsconfig.json --noEmit

[greptile-apps]

Greptile Summary

This PR adds Android Application ID validation to the mobile-android target, guarding both build and ship against malformed packageName values such as path-traversal strings or single-segment names.

• Introduces ANDROID_PACKAGE_NAME_RE and requirePackageName, which throw a descriptive error for any ID that doesn't match Java's two-or-more-segment package convention.
• Replaces config.packageName with the validated (trimmed) return value in artifact paths, log lines, and Google Play IDs/URLs.
• Adds three focused regression tests: a valid ID, a path-separator rejection, and a single-segment rejection.

Confidence Score: 4/5

Safe to merge; the validation logic is correct and the tests cover the key rejection paths.

The regex and guard function behave correctly for the documented Android Application ID rules. The only notable gap is that safeFileStem is still called on the already-validated package name, which is harmless but misleading — the two values will always be identical after validation passes.

No files require special attention; both changed files are small and self-contained.

Important Files Changed

Filename	Overview
packages/targets/mobile-android/src/index.ts	Adds ANDROID_PACKAGE_NAME_RE regex and requirePackageName guard called in both build and ship; safeFileStem is now redundant for the package-name argument since all valid characters already satisfy the stem rules
packages/targets/mobile-android/src/index.test.ts	Renames the existing valid-name test and adds two rejection cases covering path separators and single-segment names; coverage is reasonable though missing a case for numeric-leading segments

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["build / ship called"] --> B["requirePackageName(config)"]
    B --> C{"packageName.trim non-empty?"}
    C -- No --> D["throw Error: invalid Android application ID"]
    C -- Yes --> E{"ANDROID_PACKAGE_NAME_RE matches?"}
    E -- No --> D
    E -- Yes --> F["return trimmed packageName"]
    F --> G["safeFileStem(packageName) - now redundant"]
    G --> H["join outDir artifact path OR upload to Google Play"]

Loading

_{Reviews (1): Last reviewed commit: "Validate Android package names" | Re-trigger Greptile}

[greptile-apps]

After requirePackageName validates successfully, packageName can only contain [a-zA-Z0-9_.] — exactly the characters that safeFileStem preserves unchanged. The replace/trim steps in safeFileStem become no-ops, so wrapping the already-safe string is dead weight. Using packageName directly is clearer and avoids the false impression that the stem might differ from the validated ID.

Suggested change

	return { artifact: join(ctx.outDir, `${safeFileStem(packageName)}-${safeFileStem(ctx.version)}.aab`) };
	return { artifact: join(ctx.outDir, `${packageName}-${safeFileStem(ctx.version)}.aab`) };

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!