fix: client api security improvements

[pandeymangg]

ports the recent security improvement changes made to the js-core package in formbricks to the android sdk from this PR:
formbricks/formbricks#7931

[coderabbitai]

Walkthrough

This PR refactors the Segment model from a comprehensive client-side filter evaluation structure to a minimal public API representation with only id and hasFilters. The Survey data class removes the serialized name field. Gson configuration is updated in SurveyManager and FormbricksApiService to use the new SegmentDeserializer. Survey filtering logic adapts to use the simplified segment shape. All test code removes name field assignments from Survey objects. HTTPS URL validation in Formbricks.setup is disabled to permit local development URLs.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'fix: client api security improvements' is vague and does not clearly convey the specific technical changes made in the changeset.	Consider a more specific title that highlights the main changes, such as 'fix: remove name field from Survey and simplify Segment model' or 'fix: disable HTTPS URL validation and refactor segment filtering logic'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description relates to the changeset by referencing the upstream PR that inspired the changes, though it lacks specific details about the actual modifications made.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@android/src/main/java/com/formbricks/android/Formbricks.kt`:
- Around line 72-77: Re-enable the HTTPS URL validation for config.appUrl in
Formbricks.kt but gate it so production builds remain protected: either check
BuildConfig (import com.formbricks.android.BuildConfig) and only bypass the
HTTPS requirement for debug/dev builds, or add a new boolean flag
allowInsecureConnections to FormbricksConfig (default false) and honor that flag
when deciding to enforce the startsWith("https://") check; update the existing
commented-out validation logic around config.appUrl and ensure any bypass path
logs a clear warning and requires explicit opt-in via BuildConfig or the new
FormbricksConfig flag.

In `@android/src/main/java/com/formbricks/android/model/workspace/Segment.kt`:
- Around line 34-39: The current hasFilters initializer in Segment.kt (val
hasFilters = when { ... }) defaults to false in the else branch, which is
fail-open; change the fallback to true so that when a segment JSON object exists
but neither "hasFilters" nor a concrete "filters" array are present we treat it
as having filters. Locate the val hasFilters declaration in the Segment class
(or companion/object parsing logic) and replace the else -> false branch with
else -> true, preserving the existing checks for obj.has("hasFilters") and
obj.has("filters") so only the ambiguous case flips to true.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 870e7e07-d372-4017-833b-a5b68b63653e

📥 Commits

Reviewing files that changed from the base of the PR and between b022ef3 and 18677b6.

📒 Files selected for processing (8)

• android/src/androidTest/java/com/formbricks/android/manager/SurveyManagerInstrumentedTest.kt
• android/src/androidTest/java/com/formbricks/android/webview/FormbricksViewModelInstrumentedTest.kt
• android/src/main/java/com/formbricks/android/Formbricks.kt
• android/src/main/java/com/formbricks/android/manager/SurveyManager.kt
• android/src/main/java/com/formbricks/android/model/workspace/Segment.kt
• android/src/main/java/com/formbricks/android/model/workspace/SegmentFilterResourceDeserializer.kt
• android/src/main/java/com/formbricks/android/model/workspace/Survey.kt
• android/src/main/java/com/formbricks/android/network/FormbricksApiService.kt

💤 Files with no reviewable changes (3)

• android/src/main/java/com/formbricks/android/model/workspace/SegmentFilterResourceDeserializer.kt
• android/src/androidTest/java/com/formbricks/android/webview/FormbricksViewModelInstrumentedTest.kt
• android/src/androidTest/java/com/formbricks/android/manager/SurveyManagerInstrumentedTest.kt

[sonarqubecloud]

Quality Gate failed

Failed conditions
50.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud