- Add Capabilities.supportsLockdown (atLeast V2_8_0) and gate the security-screen
lockdown toggle visibility on it, consistent with the other firmware-version
capability flags. SecurityConfigScreen computes Capabilities from the connected
node's firmware_version; LockdownModeSetting takes a `supported` flag.
- Reword the enable-lockdown warning: it's reversible (disable with passphrase, or
a full erase), so drop the inaccurate "permanent/irreversible" framing and the
red error styling; rename strings lockdown_irreversible_* -> lockdown_enable_*.
- Update CapabilitiesTest for the V2_8_0 floor.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Make lockdown a runtime, user-toggleable setting rather than a one-way lock:
- Thread a `disable` flag through the lockdown send path (CommandSender,
LockdownCoordinator, MeshActionHandler, RadioController, AIDL, UIViewModel)
so the app can send LockdownAuth{passphrase, disable=true} to decrypt
storage and leave lockdown.
- Add LockdownState.Disabled and map LockdownStatus.State.DISABLED; clear the
stored passphrase and session authorization when a device reports DISABLED
(or when the user disables it), so we never auto-unlock a disabled device.
- Add a "Lockdown mode" switch to the security settings screen
(LockdownModeSetting): enable from DISABLED via a set-passphrase dialog with
a one-time irreversible-SWD warning + explicit confirm; disable from UNLOCKED
via a passphrase prompt; "Lock now" and session info while unlocked. The
setting is hidden when the device never reports lockdown_status (non-capable).
- Tests for the disable round-trip and DISABLED mapping; refresh fakes/strings.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
End-to-end plumbing for LockdownAuth.max_session_seconds (per-boot
uptime cap on the unlocked session; 0 = unlimited).
Wire:
- CommandSenderImpl populates LockdownAuth.max_session_seconds in the
outbound admin packet (clamped non-negative).
Coordinator + persistence:
- LockdownCoordinator.submitPassphrase gains optional maxSessionSeconds
(default 0); persisted alongside boots/hours and replayed by
auto-unlock so cached sessions keep the operator's cap on reconnect.
- StoredPassphrase gains a new field with a default of 0 so existing
call sites stay source-compatible.
- LockdownPassphraseStore (Android EncryptedSharedPreferences impl):
reads/writes the new field with a `_maxSessionSeconds` key suffix;
legacy entries decode to 0.
- LockdownPassphraseStore (JVM file-backed impl): bumps the per-entry
on-disk serialization from 3-line to 4-line; legacy 3-line entries
still decode (treated as maxSessionSeconds=0).
IPC + radio plumbing:
- IMeshService.sendLockdownUnlock AIDL gains a 4th int parameter.
- MeshService stub, MeshActionHandler, RadioController interface, and
both impls (AndroidRadioControllerImpl, DirectRadioControllerImpl)
thread the field through.
- FakeIMeshService, FakeRadioController, FakeLockdownCoordinator
updated to match.
UI:
- LockdownDialog adds a single optional "Session cap (minutes)" field
below the boots/hours row. Operators enter minutes for ergonomics;
the dialog multiplies by 60 before passing to the coordinator. Blank
or 0 = unlimited (firmware default).
- UIViewModel.sendLockdownUnlock gains the new param with default 0.
- New string resources: lockdown_session_minutes,
lockdown_session_minutes_help. Strings re-sorted via
scripts/sort-strings.py.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Compose Multiplatform stringResource requires positional specifiers
(%1$s, %1$d) — plain %s/%d renders literal format tokens.
Boot TTL and Hour TTL fields are now shown for both provision and
unlock, matching the original implementation. Confirm passphrase
field remains provisioning-only.
- Add LockdownCoordinator state machine with auto-replay, lock-now,
and error-resilient passphrase store calls
- Add EncryptedSharedPreferences-backed Android passphrase store
with nullable fallback on crypto init failure
- Add LockdownDialog (provision/unlock/backoff) with byte-length
passphrase validation and string resources
- Add LockdownSessionStatus composable for token info display
- Gate region-unset banner on sessionAuthorized in ConnectionsScreen
- Wire Lock Now button in SecurityConfigScreen
- Add LockdownCoordinatorImplTest covering all state transitions,
auto-replay, lock-now, error paths, and uint32 overflow
- Add FakeLockdownCoordinator and update test fakes
- Delete unused LockdownUnlockDialog.kt
- T027/T028: Auto-disconnect on LockNowAcknowledged state in app shell
- T020/T021: Confirm passphrase field in provision mode with mismatch validation
- T035/T036: LockdownSessionStatus composable showing boots remaining and expiry
- Wire session status and Lock Now button enabled state based on sessionAuthorized
- Expose lockdownTokenInfo and sessionAuthorized from RadioConfigViewModel
- Replace java.text.DateFormat/java.util.Date usage in SecurityConfigScreen
(constitution violation: no java.* in commonMain) with simplified Lock Now button
- Replace material.icons imports with MeshtasticIcons in LockdownUnlockDialog
- Proper token info display to be re-implemented in Phase 5 (T025-T026)
- LockdownUnlockDialog: passphrase entry with boots / hours TTL inputs.
Shows lock_reason on LOCKED, a backoff countdown on UNLOCK_FAILED with
backoff_seconds > 0 (Submit disabled while in backoff), and switches
the title to "Set Passphrase" on NEEDS_PROVISION.
- Main: collect lockdownState/lockdownTokenInfo, show the dialog,
auto-clear on LockNowAcknowledged so the connection drops without
a dialog flash.
- ConnectionsScreen: gate the "must set region" banner on
isLockdownAuthorized so an unauthorized client isn't told to fix a
region it can't see.
- SecurityConfigItemList: "Lock Now" button under Administration,
labelled with the active session token's boots remaining and (if set)
the wall-clock expiry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- IMeshService: sendLockdownUnlock(passphrase, bootTtl, hourTtl) and
sendLockNow() AIDL methods.
- MeshService: AIDL stubs forwarding to MeshActionHandler.
- AndroidRadioControllerImpl: forward to meshService over AIDL.
- DirectRadioControllerImpl: forward directly to actionHandler (in-process
non-Android targets).
- FakeIMeshService: test stubs.
- UIViewModel: lockdownState/lockdownTokenInfo flows, sendLockdownUnlock,
sendLockNow, clearLockdownState. Routed through radioController so the
commonMain code does not depend on the AIDL service directly.
- ConnectionsViewModel: expose lockdownState.
- RadioConfigViewModel: lockdownTokenInfo + sendLockNow for the Lock Now
button in security settings.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
