<?xml version="1.0" encoding="utf-8"?>
<!--
  Network security configuration for Unspooled.
  
  Base policy: HTTPS-only for all traffic.
  
  Local/development exceptions: Cleartext is permitted for the following
  destinations that require plain-text HTTP during debrid OAuth handshakes,
  addon discovery on the local network, and community microservice resolvers.
  These are explicitly scoped so that production traffic to public APIs
  remains fully encrypted.
-->
<network-security-config>
    <!-- Default: strict HTTPS, system certificate trust anchors only -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!--
      Localhost / loopback — used by addon servers running on the device
      itself or on the local network during development/testing.
      Cleartext is permitted here because loopback traffic never
      leaves the device.
    -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">127.0.0.1</domain>
        <domain includeSubdomains="false">::1</domain>
        <domain includeSubdomains="false">localhost</domain>
        <!-- Android emulator host loopback -->
        <domain includeSubdomains="false">10.0.2.2</domain>
    </domain-config>

    <!-- Private LAN ranges for local addon/catalog servers — IP-prefix
         matching via includeSubdomains="true" (Android treats remaining
         octets as DNS subdomains). Also trust user-installed CA certs
         so self-signed certificates (e.g. NexStream internal CA) work
         without having to install them as system CAs.
    -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">10.0.0.0</domain>
        <domain includeSubdomains="true">172.16.0.0</domain>
        <domain includeSubdomains="true">192.168</domain>
        <domain includeSubdomains="true">100</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!--
      Debrid OAuth redirect endpoints — some device-code flows use
      non-HTTPS redirect URLs for the user-verification step.
      Narrowly scoped to the specific verification paths needed.
    -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">real-debrid.com</domain>
        <domain includeSubdomains="false">alldebrid.com</domain>
    </domain-config>
</network-security-config>
