fix: pre-initialize mTLS flag from stored alias to handle TLS session resumption in Wear OS onboarding

When setting up a Wear OS device the mTLS certificate-selection screen
was silently skipped if TLS session resumption occurred, causing the
watch to register without a client certificate and the server to return
HTTP 400.

Root cause: isTLSClientAuthNeeded in TLSWebViewClient is only set inside
onReceivedClientCertRequest. When the onboarding WebView reuses the main
app's existing TLS session (abbreviated handshake), the server never
issues a new CertificateRequest so the callback never fires — even with
ssl_session_tickets disabled on the server, because Android's Chromium
network stack maintains its own in-process TLS session cache.

Fix: expose KeyChainRepository.loadAlias() which reads the persisted key
alias from PrefsRepository without requiring load() to have been called
first. Add TLSWebViewClient.preInitializeTLSClientAuthState() which
pre-sets isTLSClientAuthNeeded = true if a stored alias is found.
ConnectionViewModel.init calls this before emitting the auth URL so the
navigation layer sees the correct value regardless of whether the
subsequent WebView connection is a resumed TLS session.

Also adds two unit tests to ConnectionViewModelTest covering the
stored-alias and no-alias cases.

Author: smhc

app/src/main/kotlin/io/homeassistant/companion/android/onboarding/connection/ConnectionViewModel.kt

@@ -116,6 +116,13 @@ internal class ConnectionViewModel @VisibleForTesting constructor(
 
     init {
         viewModelScope.launch {
+            // Pre-set the mTLS flag from any previously stored certificate alias before loading
+            // the auth URL. This handles TLS session resumption: if the main app WebView already
+            // has a live TLS session for this host, the onboarding WebView will resume it and
+            // onReceivedClientCertRequest will never fire — even though the server requires a
+            // client certificate. Without this, the Wear OS mTLS cert-selection screen would be
+            // silently skipped and the watch would register without a certificate.
+            webViewClient.preInitializeTLSClientAuthState()
             buildAuthUrl(rawUrl)
         }
     }

app/src/main/kotlin/io/homeassistant/companion/android/util/TLSWebViewClient.kt

@@ -39,6 +39,33 @@ open class TLSWebViewClient(private var keyChainRepository: KeyChainRepository)
     private var key: PrivateKey? = null
     private var chain: Array<X509Certificate>? = null
 
+    /**
+     * Pre-initializes [isTLSClientAuthNeeded] from persistent storage to handle TLS session
+     * resumption.
+     *
+     * Normally [isTLSClientAuthNeeded] is set when [onReceivedClientCertRequest] fires during
+     * a full TLS handshake. However, when TLS session resumption occurs (the WebView reuses an
+     * existing session from the same process), the server does not issue a new
+     * `CertificateRequest`, so [onReceivedClientCertRequest] is never called — even if the
+     * server requires a client certificate.
+     *
+     * This is the root cause of the Wear OS onboarding mTLS failure: the main HA app WebView
+     * establishes a TLS session, and the onboarding WebView immediately resumes it, bypassing
+     * the callback that would reveal the mTLS requirement to the navigation layer.
+     *
+     * This method reads the persisted key alias via [KeyChainRepository.loadAlias]. If an alias
+     * is found it means the user previously selected a client certificate for this HA instance,
+     * so [isTLSClientAuthNeeded] is pre-set to `true`.
+     *
+     * Must be called **before** the WebView starts loading (i.e. before the URL is emitted).
+     * Idempotent: if the flag is already `true` (set by a real handshake) this is a no-op.
+     */
+    suspend fun preInitializeTLSClientAuthState() {
+        if (!isTLSClientAuthNeeded) {
+            isTLSClientAuthNeeded = keyChainRepository.loadAlias() != null
+        }
+    }
+
     private fun getActivity(context: Context?): Activity? {
         if (context == null) {
             return null

app/src/test/kotlin/io/homeassistant/companion/android/onboarding/connection/ConnectionViewModelTest.kt

@@ -17,6 +17,7 @@ import io.homeassistant.companion.android.testing.unit.ConsoleLogExtension
 import io.homeassistant.companion.android.testing.unit.MainDispatcherJUnit5Extension
 import io.homeassistant.companion.android.util.HAWebViewClient
 import io.homeassistant.companion.android.util.HAWebViewClientFactory
+import io.mockk.coEvery
 import io.mockk.every
 import io.mockk.mockk
 import io.mockk.mockkStatic
@@ -417,4 +418,32 @@ class ConnectionViewModelTest {
         assertEquals("class java.lang.UnsatisfiedLinkError", error.rawErrorType)
         verify(exactly = 1) { connectivityCheckRepository.runChecks(rawUrl) }
     }
+
+    @Test
+    fun `Given a stored key alias when initializing then isTLSClientAuthNeeded is pre-set to true`() = runTest {
+        coEvery { keyChainRepository.loadAlias() } returns "my-cert-alias"
+
+        val viewModel = ConnectionViewModel(
+            "http://homeassistant.local:8123",
+            webViewClientFactory,
+            connectivityCheckRepository,
+        )
+        advanceUntilIdle()
+
+        assertTrue(viewModel.webViewClient.isTLSClientAuthNeeded)
+    }
+
+    @Test
+    fun `Given no stored key alias when initializing then isTLSClientAuthNeeded remains false`() = runTest {
+        coEvery { keyChainRepository.loadAlias() } returns null
+
+        val viewModel = ConnectionViewModel(
+            "http://homeassistant.local:8123",
+            webViewClientFactory,
+            connectivityCheckRepository,
+        )
+        advanceUntilIdle()
+
+        assertFalse(viewModel.webViewClient.isTLSClientAuthNeeded)
+    }
 }

common/src/main/kotlin/io/homeassistant/companion/android/common/data/keychain/KeyChainRepository.kt

@@ -29,6 +29,15 @@ interface KeyChainRepository {
 
     suspend fun setData(alias: String, privateKey: PrivateKey, certificateChain: Array<X509Certificate>)
 
+    /**
+     * Loads the stored key alias from persistent storage, if available, without loading the
+     * full key material. Unlike [getAlias], this reads from persistent storage and does not
+     * require [load] to have been called first (e.g. works after a cold start or force-stop).
+     *
+     * Returns the alias string if one was previously stored and is non-empty, otherwise `null`.
+     */
+    suspend fun loadAlias(): String?
+
     fun getAlias(): String?
 
     fun getPrivateKey(): PrivateKey?

common/src/main/kotlin/io/homeassistant/companion/android/common/data/keychain/KeyChainRepositoryImpl.kt

@@ -39,6 +39,17 @@ internal class KeyChainRepositoryImpl @Inject constructor(private val prefsRepos
         throw UnsupportedOperationException("setData not supported for KeyChainRepositoryImpl")
     }
 
+    override suspend fun loadAlias(): String? {
+        // Read directly from persistent storage so this works even when load() has not yet
+        // been called (e.g. after a force-stop / cold restart of the application).
+        val stored = prefsRepository.getKeyAlias()
+        // Populate the in-memory alias as a side-effect so subsequent getAlias() calls work.
+        if (stored?.isNotEmpty() == true && alias == null) {
+            alias = stored
+        }
+        return stored?.takeIf { it.isNotEmpty() }
+    }
+
     override fun getAlias(): String? {
         return alias
     }

common/src/main/kotlin/io/homeassistant/companion/android/common/data/keychain/KeyStoreRepositoryImpl.kt

@@ -47,6 +47,10 @@ internal class KeyStoreRepositoryImpl @Inject constructor() : KeyChainRepository
             doLoad()
         }
 
+    // KeyStoreRepositoryImpl does not persist the alias to PrefsRepository; the alias is
+    // always supplied via load(context, alias) or setData(). Return the in-memory value.
+    override suspend fun loadAlias(): String? = alias?.takeIf { it.isNotEmpty() }
+
     override fun getAlias(): String? {
         return alias
     }