fix(android): use TLS for gRPC connections on port 443

The app was crashing with FRAME_SIZE_ERROR because the gRPC client
was using plaintext mode when connecting to port 443 (TLS endpoint).
This caused the client to receive encrypted data that it couldn't parse.

Fix: Use useTransportSecurity() for port 443, usePlaintext() for other ports.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/settings.local.json

@@ -507,7 +507,52 @@
       "Bash(powershell -Command \"\n$content = Get-Content ''main.ts'' -Raw\n\n# 修改 threshold 部分\n$old1 = @''\n          threshold: {\n            t: activeCoSignSession?.threshold?.t || 0,\n            n: activeCoSignSession?.threshold?.n || 0,\n          },\n''@\n\n$new1 = @''\n          threshold: {\n            // 优先使用 API 返回的阈值，回退到 activeCoSignSession\n            t: result?.threshold_t || activeCoSignSession?.threshold?.t || 0,\n            n: result?.threshold_n || activeCoSignSession?.threshold?.n || 0,\n          },\n''@\n\n$content = $content.Replace\\($old1, $new1\\)\n\n# 修改 participants 部分\n$old2 = ''participants: result?.parties?.map\\(\\(p: { party_id: string; party_index: number }, idx: number\\) => \\({''\n$new2 = ''participants: \\(\\(result as { participants?: Array<{ party_id: string; party_index: number; status: string }> }\\)?.participants || []\\).map\\(\\(p, idx\\) => \\({''\n\n$content = $content.Replace\\($old2, $new2\\)\n\n# 修改 status 部分\n$old3 = \"\"            status: ''ready'',\"\"\n$new3 = \"\"            status: p.status || ''waiting'',\"\"\n\n$content = $content.Replace\\($old3, $new3\\)\n\n# 修改结尾部分\n$old4 = ''          }\\)\\) || [],''\n$new4 = ''          }\\)\\),''\n\n$content = $content.Replace\\($old4, $new4\\)\n\nSet-Content ''main.ts'' -Value $content -NoNewline\nWrite-Output ''Done''\n\")",
       "Bash(node fix_main.js:*)",
       "Bash(git commit -m \"$\\(cat <<''EOF''\nfeat\\(co-sign\\): add debug logs for auto-join flow in CoSignJoin\n\nAdd console.log statements to trace the auto-join logic:\n- Log loaded shares with sessionId\n- Log auto-select share matching check\n- Log auto-join conditions and share match status\n- Log validateInviteCode results including joinToken\n- Log handleJoinSession parameters\n\n🤖 Generated with [Claude Code]\\(https://claude.com/claude-code\\)\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
-      "Bash(git commit -m \"$\\(cat <<''EOF''\nfix\\(co-sign\\): use keygen session threshold_n for TSS signing\n\n- Query keygen session from mpc_sessions table to get correct threshold_n\n- Pass keygenThresholdN to CreateSigningSessionAuto instead of len\\(parties\\)\n- Return parties list and correct threshold values in GetSignSessionByInviteCode\n- This fixes TSS signing failure \"U doesn 't equal T\" caused by mismatched n values\n\n🤖 Generated with [Claude Code]\\(https://claude.com/claude-code\\)\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")"
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nfix\\(co-sign\\): use keygen session threshold_n for TSS signing\n\n- Query keygen session from mpc_sessions table to get correct threshold_n\n- Pass keygenThresholdN to CreateSigningSessionAuto instead of len\\(parties\\)\n- Return parties list and correct threshold values in GetSignSessionByInviteCode\n- This fixes TSS signing failure \"U doesn 't equal T\" caused by mismatched n values\n\n🤖 Generated with [Claude Code]\\(https://claude.com/claude-code\\)\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(Get-Item \"c:\\\\Users\\\\dong\\\\Desktop\\\\rwadurian\\\\backend\\\\mpc-system\\\\services\\\\service-party-app\\\\bin\\\\win32-x64\\\\tss-party.exe\")",
+      "Bash(Select-Object Name, LastWriteTime, Length)",
+      "Bash(Get-Item \"c:\\\\Users\\\\dong\\\\Desktop\\\\rwadurian\\\\backend\\\\mpc-system\\\\services\\\\service-party-app\\\\release\\\\win-unpacked\\\\resources\\\\bin\\\\tss-party.exe\")",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nfix\\(tss\\): use BuildLocalSaveDataSubset for threshold signing with party subsets\n\nWhen signing with fewer parties than keygen \\(e.g., 2-of-3 signing with only 2 parties\\),\nthe TSS-lib requires filtered save data containing only the participating parties.\n\nWithout this fix, signing fails with \"U doesn 't equal T\" error because:\n- Keygen creates save data for all N parties \\(e.g., 3 parties with indices 0, 1, 2\\)\n- Sign uses only T parties \\(e.g., 2 parties with indices 1, 2\\)\n- TSS-lib internal index validation fails due to mismatch\n\nChanges:\n- pkg/tss/signing.go: Use len\\(sortedPartyIDs\\) for partyCount and call BuildLocalSaveDataSubset\n- tss-party/main.go: Add BuildLocalSaveDataSubset call for Electron app\n- tss-wasm/main.go: Add BuildLocalSaveDataSubset call for WASM builds\n\nThis fix is backward compatible - when all parties participate, the subset equals the original data.\n\n🤖 Generated with [Claude Code]\\(https://claude.com/claude-code\\)\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(dir \"c:\\\\Android\")",
+      "Bash(dir \"c:\\\\android-sdk\")",
+      "Bash(dir \"%LOCALAPPDATA%\\\\Android\\\\Sdk\")",
+      "Bash(cmd /c \"echo %LOCALAPPDATA%\")",
+      "Bash(powershell:*)",
+      "Bash(dir \"C:\\\\Users\\\\dong\\\\AppData\\\\Local\\\\Android\\\\Sdk\")",
+      "Bash(dir /b C: 2)",
+      "Bash(gradle --version:*)",
+      "Bash(chmod:*)",
+      "Bash(java -version:*)",
+      "Bash(./gradlew assembleDebug:*)",
+      "Bash(go version:*)",
+      "Bash(export PATH=\"$PATH:/c/Users/dong/go/bin\")",
+      "Bash(gomobile version:*)",
+      "Bash(export ANDROID_HOME=\"/c/Android\")",
+      "Bash(gomobile init:*)",
+      "Bash(go install:*)",
+      "Bash(go get:*)",
+      "Bash(cmd /c \"gradlew.bat assembleDebug --no-daemon 2>&1\")",
+      "Bash(./gradlew.bat assembleDebug:*)",
+      "Bash(wc:*)",
+      "Bash(./gradlew assembleRelease:*)",
+      "Bash(./gradlew clean:*)",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nfeat\\(android\\): add Android TSS Party app with full API implementation\n\nMajor changes:\n- Add complete Android app \\(service-party-android\\) with Jetpack Compose UI\n- Implement real account-service API calls for keygen and sign sessions:\n  - POST /api/v1/co-managed/sessions \\(create keygen session\\)\n  - GET /api/v1/co-managed/sessions/by-invite-code/{code} \\(validate invite\\)\n  - POST /api/v1/co-managed/sessions/{id}/join \\(join keygen session\\)\n  - POST /api/v1/co-managed/sign \\(create sign session\\)\n  - GET /api/v1/co-managed/sign/by-invite-code/{code} \\(validate sign invite\\)\n  - POST /api/v1/co-managed/sign/{id}/join \\(join sign session\\)\n- Add QR code generation and scanning for session invites\n- Remove password requirement \\(use empty string\\)\n- Add floating action button for wallet creation\n- Add network type aware explorer links \\(mainnet/testnet\\)\n\nNetwork configuration:\n- Change default network to Kava mainnet for both Electron and Android apps\n- Electron: main.ts, transaction.ts, Settings.tsx, Layout.tsx\n- Android: Models.kt \\(NetworkType.MAINNET default\\)\n\nFeatures:\n- Full TSS keygen and sign protocol via gomobile bindings\n- gRPC message routing for multi-party communication\n- Cross-platform compatibility with service-party-app \\(Electron\\)\n\n🤖 Generated with [Claude Code]\\(https://claude.com/claude-code\\)\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(cmd /c \"build-apk.bat help\")",
+      "Bash(go clean:*)",
+      "Bash(gomobile bind:*)",
+      "Bash(GOPROXY=https://proxy.golang.org,direct go get:*)",
+      "Bash(go mod download:*)",
+      "Bash(go env:*)",
+      "Bash(cmd /c \"set GOFLAGS=-mod=mod && go get golang.org/x/mobile/bind && go mod tidy && gomobile bind -v -target=android -androidapi 21 -o ..\\\\app\\\\libs\\\\tsslib.aar .\")",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" download)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" version)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gomobile@latest)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gobind@latest)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gomobile@v0.0.0-20250807114141-395d808d53cd)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gomobile@v0.0.0-20250808145247-395d808d53cd)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gomobile@c31d5b91ecc32c0d598b8fe8457d244ca0b4e815)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" install golang.org/x/mobile/cmd/gobind@c31d5b91ecc32c0d598b8fe8457d244ca0b4e815)",
+      "Bash(\"/c/Users/dong/go/bin/go1.22.10.exe\" mod tidy)",
+      "Bash(adb devices:*)"
     ],
     "deny": [],
     "ask": []

backend/mpc-system/services/service-party-android/app/src/main/java/com/durian/tssparty/data/remote/GrpcClient.kt

@@ -31,12 +31,19 @@ class GrpcClient @Inject constructor() {
     fun connect(host: String, port: Int) {
         disconnect()
 
-        channel = ManagedChannelBuilder
+        val builder = ManagedChannelBuilder
             .forAddress(host, port)
-            .usePlaintext()  // TODO: Use TLS in production
             .keepAliveTime(30, TimeUnit.SECONDS)
             .keepAliveTimeout(10, TimeUnit.SECONDS)
-            .build()
+
+        // Use TLS for port 443, plaintext for other ports (like local development)
+        if (port == 443) {
+            builder.useTransportSecurity()
+        } else {
+            builder.usePlaintext()
+        }
+
+        channel = builder.build()
 
         stub = MessageRouterGrpc.newBlockingStub(channel)
         asyncStub = MessageRouterGrpc.newStub(channel)