* feat(mobile): add transaction metadata editing
* fix(mobile): preserve explicit metadata clears
* fix(mobile): derive persisted tag metadata state
* fix(mobile): avoid logging transaction details
* fix(mobile): harden transaction edit sync
Pass the edited transaction context through provider updates, refresh or fall back after empty update responses, surface field-level API errors, and avoid forced metadata refetches on every edit screen open.
* fix(mobile): keep transaction edit selects ci-compatible
Use the DropdownButtonFormField API supported by the Flutter version pinned in upstream mobile CI.
* Add mobile custom proxy headers
* Clear login placeholders on focus
Email/password fields ship with example values pre-filled. Tapping the
field now clears the placeholder so users don't have to delete it
manually. Skips clearing if the user has already edited the value.
* Push Configuration as a route from Sign in
Opening Configuration from the Sign in screen now uses Navigator.push
instead of toggling a state flag, so Android back returns to Sign in
instead of quitting the app. Saving the URL auto-pops the route.
* Address PR review on custom proxy headers
- Test Connection no longer leaves global ApiConfig headers mutated;
unsaved edits are restored in a finally block after the probe.
- _loadSavedUrl / _loadCustomHeaders wrap storage reads in try/catch and
always finish initialization with sensible defaults.
- Sanitization is now a single CustomProxyHeader.sanitize() reused by
ApiConfig.setCustomProxyHeaders and CustomProxyHeadersService.
- Brief comment on redactedValue explaining the length-obscuring design.
* Harden custom proxy header validation and load path
- validateValue now rejects ASCII control characters (CR/LF/tab/etc.)
to prevent header-injection via crafted values.
- loadHeaders moves the secure-storage read inside the try block so
platform exceptions are caught the same way JSON parse errors are.
