Strip READ_PHONE_STATE from merged manifest

[Wavesonics]

Summary

• A transitive dependency (likely ML Kit com.google.mlkit:face-detection in the full flavor, which pulls Play Services Basement) was injecting android.permission.READ_PHONE_STATE into the merged manifest.
• The app doesn't use telephony state — strip it with tools:node="remove", matching the existing pattern already in place for INTERNET and ACCESS_NETWORK_STATE.

Notes

• Source manifests (main, oss, full) never declared this permission; only manifest merging from a dependency was adding it.
• I wasn't able to confirm via a local build in this environment (Google's Maven repo isn't reachable here), so please verify locally by checking app/build/outputs/apk/full/debug/ with aapt dump permissions — or inspect app/build/intermediates/merged_manifests/fullDebug/AndroidManifest.xml.

Test plan

• ./gradlew assembleFullDebug succeeds
• aapt dump permissions app/build/outputs/apk/full/debug/app-full-debug.apk no longer lists READ_PHONE_STATE
• Same check for assembleOssDebug (should already be clean, but verify nothing regressed)
• Smoke test the app: camera capture, face-detection feature (full flavor) still works

---

Generated by Claude Code

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}