Make lockdown a runtime, user-toggleable setting rather than a one-way lock:
- Thread a `disable` flag through the lockdown send path (CommandSender,
LockdownCoordinator, MeshActionHandler, RadioController, AIDL, UIViewModel)
so the app can send LockdownAuth{passphrase, disable=true} to decrypt
storage and leave lockdown.
- Add LockdownState.Disabled and map LockdownStatus.State.DISABLED; clear the
stored passphrase and session authorization when a device reports DISABLED
(or when the user disables it), so we never auto-unlock a disabled device.
- Add a "Lockdown mode" switch to the security settings screen
(LockdownModeSetting): enable from DISABLED via a set-passphrase dialog with
a one-time irreversible-SWD warning + explicit confirm; disable from UNLOCKED
via a passphrase prompt; "Lock now" and session info while unlocked. The
setting is hidden when the device never reports lockdown_status (non-capable).
- Tests for the disable round-trip and DISABLED mapping; refresh fakes/strings.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
End-to-end plumbing for LockdownAuth.max_session_seconds (per-boot
uptime cap on the unlocked session; 0 = unlimited).
Wire:
- CommandSenderImpl populates LockdownAuth.max_session_seconds in the
outbound admin packet (clamped non-negative).
Coordinator + persistence:
- LockdownCoordinator.submitPassphrase gains optional maxSessionSeconds
(default 0); persisted alongside boots/hours and replayed by
auto-unlock so cached sessions keep the operator's cap on reconnect.
- StoredPassphrase gains a new field with a default of 0 so existing
call sites stay source-compatible.
- LockdownPassphraseStore (Android EncryptedSharedPreferences impl):
reads/writes the new field with a `_maxSessionSeconds` key suffix;
legacy entries decode to 0.
- LockdownPassphraseStore (JVM file-backed impl): bumps the per-entry
on-disk serialization from 3-line to 4-line; legacy 3-line entries
still decode (treated as maxSessionSeconds=0).
IPC + radio plumbing:
- IMeshService.sendLockdownUnlock AIDL gains a 4th int parameter.
- MeshService stub, MeshActionHandler, RadioController interface, and
both impls (AndroidRadioControllerImpl, DirectRadioControllerImpl)
thread the field through.
- FakeIMeshService, FakeRadioController, FakeLockdownCoordinator
updated to match.
UI:
- LockdownDialog adds a single optional "Session cap (minutes)" field
below the boots/hours row. Operators enter minutes for ergonomics;
the dialog multiplies by 60 before passing to the coordinator. Blank
or 0 = unlimited (firmware default).
- UIViewModel.sendLockdownUnlock gains the new param with default 0.
- New string resources: lockdown_session_minutes,
lockdown_session_minutes_help. Strings re-sorted via
scripts/sort-strings.py.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- IMeshService: sendLockdownUnlock(passphrase, bootTtl, hourTtl) and
sendLockNow() AIDL methods.
- MeshService: AIDL stubs forwarding to MeshActionHandler.
- AndroidRadioControllerImpl: forward to meshService over AIDL.
- DirectRadioControllerImpl: forward directly to actionHandler (in-process
non-Android targets).
- FakeIMeshService: test stubs.
- UIViewModel: lockdownState/lockdownTokenInfo flows, sendLockdownUnlock,
sendLockNow, clearLockdownState. Routed through radioController so the
commonMain code does not depend on the AIDL service directly.
- ConnectionsViewModel: expose lockdownState.
- RadioConfigViewModel: lockdownTokenInfo + sendLockNow for the Lock Now
button in security settings.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
