feat: Add admin-controlled access for instance selector using Firebase Installation ID

- Add FeatureAccessManager to control feature access based on build variant/flavor
- Debug builds and demo flavor: Always allow access
- Production flavor: Check Firebase Remote Config for allowed device/user IDs
- Use Firebase Installation ID for cross-platform device identification
- Add BuildConfig interface for build variant and flavor detection
- Add DeviceInfoProvider using Firebase Installations API
- Add InstanceSelectorAccessControl model for Remote Config
- Update InstanceConfigLoader to fetch access control configuration

This allows admins to grant access to specific users by adding their
Firebase Installation ID to Remote Config without app updates.

Author: claude

core/common/src/androidMain/kotlin/org/mifospay/core/common/BuildConfig.android.kt

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.common
+
+/**
+ * Android implementation of BuildConfig
+ */
+class AndroidBuildConfig : BuildConfig {
+    override val isDebug: Boolean
+        get() = org.mifospay.BuildConfig.DEBUG
+
+    override val buildType: String
+        get() = org.mifospay.BuildConfig.BUILD_TYPE
+
+    override val flavor: String
+        get() = org.mifospay.BuildConfig.FLAVOR
+
+    override val versionName: String
+        get() = org.mifospay.BuildConfig.VERSION_NAME
+
+    override val versionCode: Int
+        get() = org.mifospay.BuildConfig.VERSION_CODE
+}

core/common/src/androidMain/kotlin/org/mifospay/core/common/DeviceInfoProvider.android.kt

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.common
+
+import android.os.Build
+import dev.gitlive.firebase.Firebase
+import dev.gitlive.firebase.installations.installations
+
+/**
+ * Android implementation of DeviceInfoProvider using Firebase Installation ID
+ */
+class AndroidDeviceInfoProvider : DeviceInfoProvider {
+    private val installations = Firebase.installations
+
+    override suspend fun getDeviceId(): String {
+        return try {
+            installations.id
+        } catch (e: Exception) {
+            "unknown"
+        }
+    }
+
+    override fun getDeviceModel(): String {
+        return "${Build.MANUFACTURER} ${Build.MODEL}"
+    }
+
+    override fun getOsVersion(): String {
+        return "Android ${Build.VERSION.RELEASE} (API ${Build.VERSION.SDK_INT})"
+    }
+}

core/common/src/commonMain/kotlin/org/mifospay/core/common/BuildConfig.kt

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.common
+
+/**
+ * Build configuration information
+ */
+interface BuildConfig {
+    val isDebug: Boolean
+    val buildType: String
+    val flavor: String
+    val versionName: String
+    val versionCode: Int
+}
+
+/**
+ * Product flavors
+ */
+object ProductFlavor {
+    const val DEMO = "demo"
+    const val PRODUCTION = "prod"
+}
+
+/**
+ * Build types
+ */
+object BuildType {
+    const val DEBUG = "debug"
+    const val RELEASE = "release"
+}

core/common/src/commonMain/kotlin/org/mifospay/core/common/DeviceInfoProvider.kt

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.common
+
+import dev.gitlive.firebase.Firebase
+import dev.gitlive.firebase.installations.installations
+
+/**
+ * Provides device-specific information for feature access control
+ * Uses Firebase Installation ID for cross-platform device identification
+ */
+class DeviceInfoProvider {
+    private val installations = Firebase.installations
+
+    /**
+     * Returns Firebase Installation ID as unique device identifier
+     * This can be shared with admins to grant access
+     */
+    suspend fun getDeviceId(): String {
+        return try {
+            installations.id
+        } catch (e: Exception) {
+            "unknown"
+        }
+    }
+
+    /**
+     * Returns the device model/name
+     */
+    fun getDeviceModel(): String = getPlatformDeviceModel()
+
+    /**
+     * Returns the OS version
+     */
+    fun getOsVersion(): String = getPlatformOsVersion()
+}
+
+/**
+ * Platform-specific device model
+ */
+internal expect fun getPlatformDeviceModel(): String
+
+/**
+ * Platform-specific OS version
+ */
+internal expect fun getPlatformOsVersion(): String
+
+/**
+ * Data class containing device information for sharing with admins
+ */
+data class DeviceInfo(
+    val deviceId: String,
+    val deviceModel: String,
+    val osVersion: String,
+)

core/common/src/nativeMain/kotlin/org/mifospay/core/common/BuildConfig.native.kt

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.common
+
+/**
+ * iOS/Native implementation of BuildConfig
+ */
+class NativeBuildConfig : BuildConfig {
+    override val isDebug: Boolean
+        get() = Platform.isDebugBinary
+
+    override val buildType: String
+        get() = if (Platform.isDebugBinary) BuildType.DEBUG else BuildType.RELEASE
+
+    override val flavor: String
+        get() = ProductFlavor.PRODUCTION // iOS doesn't have flavors by default
+
+    override val versionName: String
+        get() = "1.0.0" // TODO: Get from iOS bundle
+
+    override val versionCode: Int
+        get() = 1 // TODO: Get from iOS bundle
+}
+
+/**
+ * Platform utilities for native platforms
+ */
+internal expect object Platform {
+    val isDebugBinary: Boolean
+}

core/model/src/commonMain/kotlin/org/mifospay/core/model/instance/InstanceSelectorAccessControl.kt

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.model.instance
+
+import kotlinx.serialization.Serializable
+
+@Serializable
+data class InstanceSelectorAccessControl(
+    val enabled: Boolean = true,
+    val allowedDeviceIds: List<String> = emptyList(),
+    val allowedUserIds: List<String> = emptyList(),
+)

core/network/src/commonMain/kotlin/org/mifospay/core/network/config/FeatureAccessManager.kt

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2024 Mifos Initiative
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See https://github.com/openMF/mobile-wallet/blob/master/LICENSE.md
+ */
+package org.mifospay.core.network.config
+
+import org.mifospay.core.common.BuildConfig
+import org.mifospay.core.common.BuildType
+import org.mifospay.core.common.DeviceInfoProvider
+import org.mifospay.core.common.ProductFlavor
+import org.mifospay.core.datastore.UserPreferencesRepository
+import org.mifospay.core.model.instance.InstanceSelectorAccessControl
+
+/**
+ * Manages access control for the instance selector feature
+ *
+ * Access Rules:
+ * 1. Debug build variant: Always allowed
+ * 2. Demo product flavor: Always allowed
+ * 3. Production flavor + Release build: Controlled by Firebase Remote Config
+ */
+class FeatureAccessManager(
+    private val buildConfig: BuildConfig,
+    private val deviceInfoProvider: DeviceInfoProvider,
+    private val instanceConfigLoader: InstanceConfigLoader,
+    private val userPreferencesRepository: UserPreferencesRepository,
+) {
+    /**
+     * Check if the instance selector feature is accessible
+     */
+    suspend fun canAccessInstanceSelector(): Boolean {
+        // Debug builds: Always allow
+        if (buildConfig.isDebug || buildConfig.buildType == BuildType.DEBUG) {
+            return true
+        }
+
+        // Demo flavor: Always allow
+        if (buildConfig.flavor == ProductFlavor.DEMO) {
+            return true
+        }
+
+        // Production flavor: Check Remote Config
+        return checkRemoteConfigAccess()
+    }
+
+    /**
+     * Get the device identifier that can be shared with admin
+     */
+    suspend fun getDeviceIdentifier(): String {
+        return deviceInfoProvider.getDeviceId()
+    }
+
+    /**
+     * Get the user identifier (if logged in) that can be shared with admin
+     */
+    suspend fun getUserIdentifier(): String? {
+        val clientId = userPreferencesRepository.clientId.value
+        return clientId?.toString()
+    }
+
+    /**
+     * Get device information for sharing with admin
+     */
+    suspend fun getDeviceInfo(): DeviceInfo {
+        return DeviceInfo(
+            deviceId = getDeviceIdentifier(),
+            userId = getUserIdentifier(),
+            deviceModel = deviceInfoProvider.getDeviceModel(),
+            osVersion = deviceInfoProvider.getOsVersion(),
+            buildType = buildConfig.buildType,
+            flavor = buildConfig.flavor,
+            versionName = buildConfig.versionName,
+        )
+    }
+
+    private suspend fun checkRemoteConfigAccess(): Boolean {
+        val accessControl = instanceConfigLoader.fetchAccessControl()
+
+        // If feature is globally disabled, deny access
+        if (!accessControl.enabled) {
+            return false
+        }
+
+        val deviceId = getDeviceIdentifier()
+        val userId = getUserIdentifier()
+
+        // Check if device ID is in allowed list
+        if (accessControl.allowedDeviceIds.contains(deviceId)) {
+            return true
+        }
+
+        // Check if user ID is in allowed list
+        if (userId != null && accessControl.allowedUserIds.contains(userId)) {
+            return true
+        }
+
+        // If no restrictions (empty lists), allow all
+        if (accessControl.allowedDeviceIds.isEmpty() && accessControl.allowedUserIds.isEmpty()) {
+            return true
+        }
+
+        return false
+    }
+}
+
+data class DeviceInfo(
+    val deviceId: String,
+    val userId: String?,
+    val deviceModel: String,
+    val osVersion: String,
+    val buildType: String,
+    val flavor: String,
+    val versionName: String,
+)