v0.16.4 - Config flow fix, phantom ring fix, FCM hardening
Stable release consolidating the 0.16.4 betas. Verified on a live Home Assistant instance.
Fixed
- Config flow could not render on recent Home Assistant versions (#8, #9, #10, #11) — the credentials form used a custom callable HTTPS validator that
voluptuous_serializecannot convert (ValueError: Unable to convert schema: <function _https_url ...>), blocking login entirely. URL fields are now plain strings in the form schema and HTTPS validation runs after submit, returning a translatedinvalid_urlerror in all 10 languages. Contributed by @pespinel (#7) — thank you! - Phantom doorbell ring on Home Assistant restart — event entities (doorbell ring, door opened, camera on) inherited their availability from the device
connection_state. A transient intercom disconnect, or the brief window during an HA restart, flapped them tounavailableand back; on recovery theEventEntityrestores its last event (e.g.ring) and Home Assistant fires state triggers, so doorbell automations ran with no push notification involved. Event availability is now decoupled from connectivity, eliminating the flap. Real doorbell rings still fire normally. - Hardened the FCM push client against firebase-messaging reconnect storms (#12) — a poisoned
StreamReaderin the upstream_listenloop re-raises the same exception object every iteration, growing its traceback whilelogging.exceptionformats it inside the HA event loop; on Python 3.14 this is quadratic and pegs the core until the Supervisor watchdog kills HA.- A
logging.Filteron thefirebase_messaging.fcmpushclientlogger stripsexc_infoafter 3 tracebacks per 5-minute window, defusing the CPU bomb even while the upstream loop spins. abort_on_sequential_error_countis bounded (3) so the client gives up instead of spinning; the watchdog restarts it with a delayed, doubling backoff (5 → 15 min cap) that resets once the listener is healthy. A persistent server-side failure now means "push down for a while" instead of a crash loop.
- A
- OAuth authentication diagnostics — non-JSON responses, HTTP errors, OAuth error payloads, and missing
access_tokenare handled explicitly with safe, redacted log messages;invalid_clienterrors point to the OAuth Basic header instead of the user's credentials (#7). - APK credential extraction —
scripts/extract_credentials.pyignores unrelatedBasicheaders from tracing/telemetry code and generates the OAuth header fromOAuthUtils.java+Urls.clientId()/Urls.clientSecret(), detecting the production environment; extracted secrets are redacted in console output (#7).
Upgrade
Update via HACS and restart Home Assistant. The login/credentials form now renders correctly on HA 2026.x.