1.7.0-3 Bugfixes

AGENTS.md

@@ -365,6 +365,36 @@ Prefer the executable name when it is available; fall back to the module form wh
 * **Synchronization points:** Keep `custom_components/googlefindmy/manifest.json`, `custom_components/googlefindmy/requirements.txt`, `pyproject.toml`, and `custom_components/googlefindmy/requirements-dev.txt` aligned. When bumping versions, check whether other files (for example, `hacs.json` or helpers under `script/`) must change as well.
 * **Upgrade workflow:** With internet access, perform dependency maintenance via `pip install`, `pip-compile`, `pip-audit`, `poetry update` (if relevant), and `python -m pip list --outdated`. Afterwards rerun tests/linters and document the outcomes.
 * **Change notes:** Record adjusted minimum versions or dropped legacy releases in the PR description and, when needed, in `CHANGELOG.md` or `README.md`.
+
+### Poetry lock file management
+
+**Critical:** After ANY change to `pyproject.toml`, regenerate `poetry.lock` with `poetry lock` before committing. CI will fail with "pyproject.toml changed significantly since poetry.lock was last generated" if the content-hash doesn't match.
+
+**Correct workflow:**
+```bash
+# 1. Edit pyproject.toml (e.g., change dependency version)
+# 2. Regenerate lock file
+poetry lock
+
+# 3. Verify lock is in sync
+poetry check
+
+# 4. Commit BOTH files together
+git add pyproject.toml poetry.lock
+git commit -m "chore: update dependency X to version Y"
+```
+
+**Common mistakes to avoid:**
+- Committing `pyproject.toml` without regenerating `poetry.lock`
+- Running `poetry install` without first running `poetry lock` after `pyproject.toml` changes
+- Using `--no-update` flag when dependencies need updating
+
+**CI failure pattern:**
+```
+pyproject.toml changed significantly since poetry.lock was last generated.
+Run `poetry lock` to fix the lock file.
+```
+
 * **Manifest compatibility (Jan 2025):** The shared CI still ships a `script.hassfest` build that rejects the `homeassistant` manifest key. Until upstream relaxes the schema for custom integrations, do **not** add `"homeassistant": "<version>"` to `custom_components/googlefindmy/manifest.json` or `hacs.json`. Track the minimum supported Home Assistant core release in documentation/tests instead.
 
 ## Maintenance mode
@@ -728,6 +758,16 @@ artifacts remain exempt when explicitly flagged by repo configuration).
 * Repairs/Diagnostics: provide both; redact aggressively.
 * Storage: use `helpers.storage.Store` for tokens/state; throttle writes (batch/merge).
 * System health: prefer the `SystemHealthRegistration` helper (`homeassistant.components.system_health.SystemHealthRegistration`) when available and keep the legacy component import only as a guarded fallback.
+* **Entity naming** (HA Best Practice, ref: [Adopting a new way to name entities](https://developers.home-assistant.io/blog/2022/07/10/entity_naming/)):
+  - Always set `_attr_has_entity_name = True` on entity classes.
+  - **Primary entity** (represents the device itself): set `_attr_name = None` so it inherits only the device name (e.g., "Galaxy S25 Ultra").
+  - **Secondary entities** (additional features): use `translation_key` with a `name` in translations; HA auto-composes the friendly name as "Device Name + Translation" (e.g., "Galaxy S25 Ultra Last location").
+  - **Translation files**: for the primary entity's `translation_key`, **omit** the `"name"` key entirely (presence of `"name"` would append a suffix); for secondary entities, **include** the `"name"` key with the suffix text.
+  - Never set `_attr_name` dynamically at runtime (e.g., in coordinator update callbacks) when using `has_entity_name=True`—the device registry is the single source of truth for the device name.
+  - **CRITICAL: `_attr_name = None` vs. attribute not set** — These behave differently with `has_entity_name=True`:
+    - `_attr_name = None` (explicitly set) → entity inherits **only** the device name, no suffix
+    - `_attr_name` **not set** (attribute doesn't exist) → name comes from `translation_key`
+    - If a parent class sets `_attr_name = None` in `__init__()` and a child class needs the translation-based name, the child must **delete** the attribute after `super().__init__()`: `del self._attr_name`
 
 ### 11.8 Release & operations
 

custom_components/googlefindmy/Auth/aas_token_retrieval.py

@@ -53,7 +53,7 @@
 from .gpsoauth_loader import (
     gpsoauth as _gpsoauth_proxy,
 )
-from .token_cache import TokenCache, async_get_all_cached_values
+from .token_cache import TokenCache
 from .username_provider import username_string
 
 _LOGGER = logging.getLogger(__name__)
@@ -366,29 +366,6 @@ async def _generate_aas_token(*, cache: TokenCache) -> str:  # noqa: PLR0912, PL
                 )
                 break
 
-        # Fallback 3: Try global cache for ADM tokens if entry cache had none (validation scenario)
-        if not oauth_token and cache:
-            try:
-                all_cached_global = await async_get_all_cached_values()
-                for key, value in all_cached_global.items():
-                    if (
-                        isinstance(key, str)
-                        and key.startswith("adm_token_")
-                        and isinstance(value, str)
-                        and value
-                    ):
-                        oauth_token = value
-                        extracted_username = key.replace("adm_token_", "", 1)
-                        if extracted_username and "@" in extracted_username:
-                            username = extracted_username
-                        _LOGGER.info(
-                            "Using existing ADM token from global cache for OAuth exchange.",
-                            extra={"user": _mask_email_for_logs(username)},
-                        )
-                        break
-            except Exception:  # noqa: BLE001
-                pass
-
     if not oauth_token:
         raise ValueError(
             "No OAuth token available; please configure the integration with a valid token."

custom_components/googlefindmy/Auth/fcm_receiver.py

@@ -155,9 +155,9 @@ def _on_credentials_updated(self, creds: Any) -> None:
         try:
             if self._cache is not None:
                 if creds is None:
-                    self._cache._data.pop("fcm_credentials", None)
+                    self._cache.sync_pop("fcm_credentials")
                 else:
-                    self._cache._data["fcm_credentials"] = creds
+                    self._cache.sync_set("fcm_credentials", creds)
             else:
                 set_cached_value("fcm_credentials", creds)
             self._creds = creds
@@ -203,5 +203,5 @@ def _read_cached_credentials(self) -> Any:
         """Return credentials from the selected cache without raising."""
 
         if self._cache is not None:
-            return self._cache._data.get("fcm_credentials")
+            return self._cache.sync_get("fcm_credentials")
         return get_cached_value("fcm_credentials")

custom_components/googlefindmy/Auth/fcm_receiver_ha.py

@@ -985,7 +985,10 @@ def register_coordinator(self, coordinator: Any) -> None:
 
             pending_creds = self._pending_creds.pop(entry.entry_id, None)
             if pending_creds is not None:
-                asyncio.create_task(cache.set("fcm_credentials", pending_creds))
+                self._dispatch_to_hass_loop(
+                    cache.set("fcm_credentials", pending_creds),
+                    label=f"set_pending_creds_{entry.entry_id}",
+                )
 
             pending_tokens = self._pending_routing_tokens.pop(entry.entry_id, set())
 
@@ -1007,21 +1010,30 @@ async def _flush_tokens() -> None:
                             err,
                         )
 
-                asyncio.create_task(_flush_tokens())
+                self._dispatch_to_hass_loop(
+                    _flush_tokens(),
+                    label=f"flush_pending_tokens_{entry.entry_id}",
+                )
 
         # Mirror any known credentials to this entry cache
         try:
             creds = self.creds.get(entry.entry_id)
             if creds and cache is not None:
-                asyncio.create_task(cache.set("fcm_credentials", creds))
+                self._dispatch_to_hass_loop(
+                    cache.set("fcm_credentials", creds),
+                    label=f"mirror_creds_{entry.entry_id}",
+                )
         except Exception as err:
             _LOGGER.debug("Entry-scoped credentials persistence skipped: %s", err)
 
         # Update routing with any token we already have
         token = self.get_fcm_token(entry.entry_id)
         if token:
             self._update_token_routing(token, {entry.entry_id})
-            asyncio.create_task(self._persist_routing_token(entry.entry_id, token))
+            self._dispatch_to_hass_loop(
+                self._persist_routing_token(entry.entry_id, token),
+                label=f"persist_routing_token_{entry.entry_id}",
+            )
 
         # Load persisted routing tokens for this entry and map them as well
         if cache is not None:
@@ -1040,10 +1052,16 @@ async def _load_tokens() -> None:
                         err,
                     )
 
-            asyncio.create_task(_load_tokens())
+            self._dispatch_to_hass_loop(
+                _load_tokens(),
+                label=f"load_persisted_tokens_{entry.entry_id}",
+            )
 
         # Start supervisor for this entry
-        asyncio.create_task(self._start_supervisor_for_entry(entry.entry_id, cache))
+        self._dispatch_to_hass_loop(
+            self._start_supervisor_for_entry(entry.entry_id, cache),
+            label=f"start_supervisor_{entry.entry_id}",
+        )
 
     def unregister_coordinator(self, coordinator: Any) -> None:
         """Unregister a coordinator (sync; safe for async_on_unload)."""
@@ -1129,6 +1147,18 @@ async def _handle_notification_async(
                 await self._run_callback_async(cb, canonic_id, hex_string)
                 return
 
+            # Log FCM pushes that have no registered callback (e.g. sound
+            # confirmations, device status updates).  This fires only in
+            # response to a user-initiated action (Play Sound button etc.)
+            # so it does not create log spam during normal operation.
+            _LOGGER.debug(
+                "FCM push for %s has no registered callback "
+                "(may be action confirmation): payload_len=%d, hex_prefix=%s",
+                canonic_id[:8],
+                len(hex_string),
+                hex_string[:120] if hex_string else "(empty)",
+            )
+
             tracked = [
                 c for c in target_coordinators if self._is_tracked(c, canonic_id)
             ]
@@ -1668,12 +1698,18 @@ def _on_credentials_updated_for_entry(self, entry_id: str, creds: Any) -> None:
         token = self.get_fcm_token(entry_id)
         if token:
             self._update_token_routing(token, {entry_id})
-            asyncio.create_task(self._persist_routing_token(entry_id, token))
+            self._dispatch_to_hass_loop(
+                self._persist_routing_token(entry_id, token),
+                label=f"persist_routing_token_{entry_id}",
+            )
         self._clear_fatal_error_for_entry(
             entry_id, reason="Credentials updated for entry"
         )
 
-        asyncio.create_task(self._async_save_credentials_for_entry(entry_id))
+        self._dispatch_to_hass_loop(
+            self._async_save_credentials_for_entry(entry_id),
+            label=f"save_credentials_{entry_id}",
+        )
         _LOGGER.info("[entry=%s] FCM credentials updated", entry_id)
 
     async def _async_save_credentials_for_entry(self, entry_id: str) -> None:
@@ -1755,7 +1791,7 @@ async def async_stop(self, timeout: float = 5.0) -> None:
                     eid,
                     timeout,
                 )
-            except (ConnectionError, TimeoutError) as err:
+            except ConnectionError as err:
                 _LOGGER.debug("[entry=%s] FCM client stop network error: %s", eid, err)
             except Exception as err:  # noqa: BLE001
                 _LOGGER.debug(

custom_components/googlefindmy/Auth/firebase_messaging/fcmpushclient.py

@@ -43,7 +43,6 @@
 from typing import TYPE_CHECKING, Any, cast
 
 from aiohttp import ClientSession
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 
 import http_ece
@@ -435,8 +434,8 @@ def _decrypt_raw_data(
         salt_str: str,
         raw_data: bytes,
     ) -> bytes:
-        crypto_key = urlsafe_b64decode(crypto_key_str.encode("ascii"))
-        salt = urlsafe_b64decode(salt_str.encode("ascii"))
+        crypto_key = urlsafe_b64decode(crypto_key_str.encode("ascii") + b"=" * (-len(crypto_key_str) % 4))
+        salt = urlsafe_b64decode(salt_str.encode("ascii") + b"=" * (-len(salt_str) % 4))
 
         keys_section = credentials.get("keys")
         if not isinstance(keys_section, Mapping):
@@ -447,11 +446,9 @@ def _decrypt_raw_data(
         if not (isinstance(private_value, str) and isinstance(secret_value, str)):
             raise ValueError("Invalid key values in credential payload")
 
-        der_data = urlsafe_b64decode(private_value.encode("ascii") + b"========")
-        secret = urlsafe_b64decode(secret_value.encode("ascii") + b"========")
-        privkey = load_der_private_key(
-            der_data, password=None, backend=default_backend()
-        )
+        der_data = urlsafe_b64decode(private_value.encode("ascii") + b"=" * (-len(private_value) % 4))
+        secret = urlsafe_b64decode(secret_value.encode("ascii") + b"=" * (-len(secret_value) % 4))
+        privkey = load_der_private_key(der_data, password=None)
         decrypted = http_decrypt(
             raw_data,
             salt=salt,
@@ -473,6 +470,20 @@ def _app_data_by_key(
             return ""
         raise RuntimeError(f"couldn't find in app_data {key}")
 
+    @staticmethod
+    def _extract_header_param(header: str, param: str) -> str:
+        """Extract a named parameter from a semicolon-separated header value.
+
+        FCM headers like crypto-key and encryption use the format
+        ``key=value;key2=value2``.  Blindly slicing off a fixed prefix
+        breaks when extra parameters (e.g. ``p256ecdsa=...``) are present.
+        """
+        for part in header.split(";"):
+            key, _, value = part.strip().partition("=")
+            if key == param:
+                return value
+        raise ValueError(f"Parameter '{param}' not found in header: {header}")
+
     def _handle_data_message(
         self,
         msg: DataMessageStanza,
@@ -490,8 +501,12 @@ def _handle_data_message(
         ):
             # The deleted_messages message does not contain data.
             return
-        crypto_key = self._app_data_by_key(msg, "crypto-key")[3:]  # strip dh=
-        salt = self._app_data_by_key(msg, "encryption")[5:]  # strip salt=
+        crypto_key = self._extract_header_param(
+            self._app_data_by_key(msg, "crypto-key"), "dh"
+        )
+        salt = self._extract_header_param(
+            self._app_data_by_key(msg, "encryption"), "salt"
+        )
         subtype = self._app_data_by_key(msg, "subtype")
         if TYPE_CHECKING:
             assert self.credentials