[stealth 06/11] Add garble obfuscation targets

[reflog]

Summary

• adds opt-in garble targets for Android gomobile, Linux shared libs, desktop FFI libs, and lanternd
• wires the Android reusable workflow to install garble and run obfuscated native builds when requested
• documents seed handling, wrapper behavior, ABI/export limits, and support constraints

Closes #8768

Validation

• make check-garble-seed GARBLE_SEED=random
• make -n android-release-ci-obfuscated ANDROID_SDK_ROOT=/tmp/android-sdk GARBLE_SEED=random
• git diff --cached --check before commit

Not run

• Full Android build: local environment does not have a real Android SDK configured.
• Full garble compile smoke: local Go toolchain mismatch was observed in the prior smoke attempt, so CI should validate against the project toolchain.

[Copilot]

Pull request overview

Adds an opt-in build path to obfuscate Go/native outputs using garble, covering Android gomobile bind, Linux shared libs, desktop FFI shared libs, and lanternd, with CI support and documentation aimed at stealth/reproducible builds.

Changes:

• Introduces a scripts/garble-go/go wrapper to route only go build (invoked by gomobile) through garble.
• Extends the Makefile with *-obfuscated targets, seed/garble validation helpers, and an install-garble target.
• Updates the Android reusable workflow to optionally install garble and build obfuscated Android artifacts, plus adds a new stealth garble doc.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
scripts/garble-go/go	Adds a go wrapper that runs garble ... build only for go build calls (for gomobile internal builds).
Makefile	Adds garble configuration variables, validation targets, and obfuscated build targets for desktop, Linux, lanternd, and Android.
docs/stealth-go-garble.md	Documents how to use the new obfuscated targets and the ABI/support constraints around garble.
.github/workflows/build-android.yml	Adds an obfuscate_go input to install garble and run the obfuscated Android release build in CI.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[reflog]

@copilot review

[Copilot]

@copilot review

Reviewed the current PR state and re-ran final validation checks; no additional changes are needed at this point. Latest relevant commit: 4b7e000.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.