- Add Capabilities.supportsLockdown (atLeast V2_8_0) and gate the security-screen
lockdown toggle visibility on it, consistent with the other firmware-version
capability flags. SecurityConfigScreen computes Capabilities from the connected
node's firmware_version; LockdownModeSetting takes a `supported` flag.
- Reword the enable-lockdown warning: it's reversible (disable with passphrase, or
a full erase), so drop the inaccurate "permanent/irreversible" framing and the
red error styling; rename strings lockdown_irreversible_* -> lockdown_enable_*.
- Update CapabilitiesTest for the V2_8_0 floor.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Make lockdown a runtime, user-toggleable setting rather than a one-way lock:
- Thread a `disable` flag through the lockdown send path (CommandSender,
LockdownCoordinator, MeshActionHandler, RadioController, AIDL, UIViewModel)
so the app can send LockdownAuth{passphrase, disable=true} to decrypt
storage and leave lockdown.
- Add LockdownState.Disabled and map LockdownStatus.State.DISABLED; clear the
stored passphrase and session authorization when a device reports DISABLED
(or when the user disables it), so we never auto-unlock a disabled device.
- Add a "Lockdown mode" switch to the security settings screen
(LockdownModeSetting): enable from DISABLED via a set-passphrase dialog with
a one-time irreversible-SWD warning + explicit confirm; disable from UNLOCKED
via a passphrase prompt; "Lock now" and session info while unlocked. The
setting is hidden when the device never reports lockdown_status (non-capable).
- Tests for the disable round-trip and DISABLED mapping; refresh fakes/strings.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
End-to-end plumbing for LockdownAuth.max_session_seconds (per-boot
uptime cap on the unlocked session; 0 = unlimited).
Wire:
- CommandSenderImpl populates LockdownAuth.max_session_seconds in the
outbound admin packet (clamped non-negative).
Coordinator + persistence:
- LockdownCoordinator.submitPassphrase gains optional maxSessionSeconds
(default 0); persisted alongside boots/hours and replayed by
auto-unlock so cached sessions keep the operator's cap on reconnect.
- StoredPassphrase gains a new field with a default of 0 so existing
call sites stay source-compatible.
- LockdownPassphraseStore (Android EncryptedSharedPreferences impl):
reads/writes the new field with a `_maxSessionSeconds` key suffix;
legacy entries decode to 0.
- LockdownPassphraseStore (JVM file-backed impl): bumps the per-entry
on-disk serialization from 3-line to 4-line; legacy 3-line entries
still decode (treated as maxSessionSeconds=0).
IPC + radio plumbing:
- IMeshService.sendLockdownUnlock AIDL gains a 4th int parameter.
- MeshService stub, MeshActionHandler, RadioController interface, and
both impls (AndroidRadioControllerImpl, DirectRadioControllerImpl)
thread the field through.
- FakeIMeshService, FakeRadioController, FakeLockdownCoordinator
updated to match.
UI:
- LockdownDialog adds a single optional "Session cap (minutes)" field
below the boots/hours row. Operators enter minutes for ergonomics;
the dialog multiplies by 60 before passing to the coordinator. Blank
or 0 = unlimited (firmware default).
- UIViewModel.sendLockdownUnlock gains the new param with default 0.
- New string resources: lockdown_session_minutes,
lockdown_session_minutes_help. Strings re-sorted via
scripts/sort-strings.py.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add LockdownCoordinator state machine with auto-replay, lock-now,
and error-resilient passphrase store calls
- Add EncryptedSharedPreferences-backed Android passphrase store
with nullable fallback on crypto init failure
- Add LockdownDialog (provision/unlock/backoff) with byte-length
passphrase validation and string resources
- Add LockdownSessionStatus composable for token info display
- Gate region-unset banner on sessionAuthorized in ConnectionsScreen
- Wire Lock Now button in SecurityConfigScreen
- Add LockdownCoordinatorImplTest covering all state transitions,
auto-replay, lock-now, error paths, and uint32 overflow
- Add FakeLockdownCoordinator and update test fakes
- Delete unused LockdownUnlockDialog.kt
Introduce the TAK passphrase lockdown abstractions:
- LockdownState sealed class + LockdownTokenInfo for UI to observe.
- LockdownCoordinator interface for the authentication lifecycle
(onConnect/onDisconnect/onConfigComplete/handleLockdownStatus,
plus submitPassphrase/lockNow).
- Add sendLockdownPassphrase/sendLockNow to CommandSender, RadioController.
- Add handleSendLockdownUnlock/handleSendLockNow to MeshActionHandler.
- Add clearRadioConfig to MeshConnectionManager (used during lock-now).
- Add lockdownState/lockdownTokenInfo/sessionAuthorized flows to
ServiceRepository.
handleLockdownStatus consumes the typed firmware LockdownStatus message
from FromRadio (protobufs#911) instead of parsing string-prefixed
ClientNotification messages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
