The CI shard-core allTests job compiles commonTest for the iosSimulatorArm64
target, which surfaced issues the JVM-only local run missed:
- Update stale test fakes to the current interfaces: FakePassphraseStore
(maxSessionSeconds on savePassphrase) and core/takserver's FakeCommandSender /
FakeServiceRepository (lockdown send + state members). These predate this
change but only the Native test compile catches them.
- Rename the DISABLED test: Kotlin/Native rejects commas in backtick names.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Make lockdown a runtime, user-toggleable setting rather than a one-way lock:
- Thread a `disable` flag through the lockdown send path (CommandSender,
LockdownCoordinator, MeshActionHandler, RadioController, AIDL, UIViewModel)
so the app can send LockdownAuth{passphrase, disable=true} to decrypt
storage and leave lockdown.
- Add LockdownState.Disabled and map LockdownStatus.State.DISABLED; clear the
stored passphrase and session authorization when a device reports DISABLED
(or when the user disables it), so we never auto-unlock a disabled device.
- Add a "Lockdown mode" switch to the security settings screen
(LockdownModeSetting): enable from DISABLED via a set-passphrase dialog with
a one-time irreversible-SWD warning + explicit confirm; disable from UNLOCKED
via a passphrase prompt; "Lock now" and session info while unlocked. The
setting is hidden when the device never reports lockdown_status (non-capable).
- Tests for the disable round-trip and DISABLED mapping; refresh fakes/strings.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
End-to-end plumbing for LockdownAuth.max_session_seconds (per-boot
uptime cap on the unlocked session; 0 = unlimited).
Wire:
- CommandSenderImpl populates LockdownAuth.max_session_seconds in the
outbound admin packet (clamped non-negative).
Coordinator + persistence:
- LockdownCoordinator.submitPassphrase gains optional maxSessionSeconds
(default 0); persisted alongside boots/hours and replayed by
auto-unlock so cached sessions keep the operator's cap on reconnect.
- StoredPassphrase gains a new field with a default of 0 so existing
call sites stay source-compatible.
- LockdownPassphraseStore (Android EncryptedSharedPreferences impl):
reads/writes the new field with a `_maxSessionSeconds` key suffix;
legacy entries decode to 0.
- LockdownPassphraseStore (JVM file-backed impl): bumps the per-entry
on-disk serialization from 3-line to 4-line; legacy 3-line entries
still decode (treated as maxSessionSeconds=0).
IPC + radio plumbing:
- IMeshService.sendLockdownUnlock AIDL gains a 4th int parameter.
- MeshService stub, MeshActionHandler, RadioController interface, and
both impls (AndroidRadioControllerImpl, DirectRadioControllerImpl)
thread the field through.
- FakeIMeshService, FakeRadioController, FakeLockdownCoordinator
updated to match.
UI:
- LockdownDialog adds a single optional "Session cap (minutes)" field
below the boots/hours row. Operators enter minutes for ergonomics;
the dialog multiplies by 60 before passing to the coordinator. Blank
or 0 = unlimited (firmware default).
- UIViewModel.sendLockdownUnlock gains the new param with default 0.
- New string resources: lockdown_session_minutes,
lockdown_session_minutes_help. Strings re-sorted via
scripts/sort-strings.py.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Spec docs:
- lockdown-ui.md: TTL fields now shown in unlock mode, not just provision
- data-model.md: note Lazy<MeshConnectionManager> in relationships
- plan.md: correct module :core:datastore -> :core:service
Tests (2 new):
- NEEDS_PROVISION after lockNow does not trigger LockNowAcknowledged
- UNLOCKED with no deviceAddress skips save but still authorizes
MeshConnectionManagerImpl and LockdownCoordinatorImpl constructor-inject
each other, causing a StackOverflowError at Koin resolution time.
The coordinator only needs MeshConnectionManager in two rare paths
(lock-now-ack and post-unlock config reload), so defer its resolution
with Lazy<T> — matching the existing Lazy<MeshRouter> pattern in
FromRadioPacketHandlerImpl.
- Add LockdownCoordinator state machine with auto-replay, lock-now,
and error-resilient passphrase store calls
- Add EncryptedSharedPreferences-backed Android passphrase store
with nullable fallback on crypto init failure
- Add LockdownDialog (provision/unlock/backoff) with byte-length
passphrase validation and string resources
- Add LockdownSessionStatus composable for token info display
- Gate region-unset banner on sessionAuthorized in ConnectionsScreen
- Wire Lock Now button in SecurityConfigScreen
- Add LockdownCoordinatorImplTest covering all state transitions,
auto-replay, lock-now, error paths, and uint32 overflow
- Add FakeLockdownCoordinator and update test fakes
- Delete unused LockdownUnlockDialog.kt
- Replace java.text.DateFormat/java.util.Date usage in SecurityConfigScreen
(constitution violation: no java.* in commonMain) with simplified Lock Now button
- Replace material.icons imports with MeshtasticIcons in LockdownUnlockDialog
- Proper token info display to be re-implemented in Phase 5 (T025-T026)
- CommandSenderImpl: build AdminMessage.lockdown_auth = LockdownAuth(...)
for provision/unlock and lock_now=true for the lock command.
- FromRadioPacketHandlerImpl: route the new FromRadio.lockdown_status
variant to the coordinator; also notify the coordinator on
config_complete_id.
- MeshActionHandlerImpl: forward handleSendLockdownUnlock/handleSendLockNow
to the coordinator.
- MeshConnectionManagerImpl: call coordinator.onConnect/onDisconnect; add
clearRadioConfig to purge cached config after a lock-now ACK.
- ServiceRepositoryImpl: back the lockdownState/lockdownTokenInfo/
sessionAuthorized flows.
- LockdownHandlerImpl: orchestration. Switches on LockdownStatus.State
(NEEDS_PROVISION / LOCKED / UNLOCKED / UNLOCK_FAILED), auto-replays
stored passphrase on LOCKED, clears stored passphrase on a fresh
UNLOCK_FAILED, surfaces backoff_seconds on rate-limit. Tracks a
wasLockNow flag locally so the next LOCKED status after a lock-now
command is translated to LockdownState.LockNowAcknowledged for an
immediate UI disconnect (the new schema has no explicit ACK type).
- LockdownPassphraseStore: per-device EncryptedSharedPreferences store
for auto-unlock. Not biometric-gated by design.
- Add androidx.security:security-crypto dependency.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
