feat: firmware lockdown mode (provision / unlock / lock-now)

.specify/feature.json

@@ -1 +1,3 @@
-{"feature_directory":"specs/20260513-160000-m3-expressive-adoption"}
+{
+  "feature_directory": "specs/20260513-075218-lockdown-mode"
+}

AGENTS.md

@@ -49,5 +49,5 @@ You are an expert Android/KMP engineer. Maintain architectural boundaries, use M
 <!-- SPECKIT START -->
 For additional context about technologies to be used, project structure,
 shell commands, and other important information, read the current plan
-at `specs/20260513-160000-m3-expressive-adoption/plan.md`
+at `specs/20260513-075218-lockdown-mode/plan.md`
 <!-- SPECKIT END -->

androidApp/src/main/kotlin/org/meshtastic/app/ui/Main.kt

@@ -32,6 +32,7 @@ import co.touchlab.kermit.Logger
 import org.koin.compose.viewmodel.koinViewModel
 import org.meshtastic.app.BuildConfig
 import org.meshtastic.core.model.ConnectionState
+import org.meshtastic.core.model.service.LockdownState
 import org.meshtastic.core.navigation.NodesRoute
 import org.meshtastic.core.navigation.TopLevelDestination
 import org.meshtastic.core.navigation.rememberMultiBackstack
@@ -48,6 +49,7 @@ import org.meshtastic.feature.firmware.navigation.firmwareGraph
 import org.meshtastic.feature.map.navigation.mapGraph
 import org.meshtastic.feature.messaging.navigation.contactsGraph
 import org.meshtastic.feature.node.navigation.nodesGraph
+import org.meshtastic.feature.settings.lockdown.LockdownDialog
 import org.meshtastic.feature.settings.navigation.settingsGraph
 import org.meshtastic.feature.settings.radio.channel.channelsGraph
 import org.meshtastic.feature.wifiprovision.navigation.wifiProvisionGraph
@@ -68,6 +70,21 @@ fun MainScreen() {
 
     AndroidAppVersionCheck(viewModel)
 
+    val lockdownState by viewModel.lockdownState.collectAsStateWithLifecycle()
+    LockdownDialog(
+        lockdownState = lockdownState,
+        onSubmit = { passphrase, boots, hours, sessionMinutes ->
+            viewModel.sendLockdownUnlock(passphrase, boots, hours, sessionMinutes * SECONDS_PER_MINUTE)
+        },
+        onDisconnect = { viewModel.setDeviceAddress("n") },
+    )
+    // Auto-disconnect when firmware acknowledges Lock Now
+    LaunchedEffect(lockdownState) {
+        if (lockdownState is LockdownState.LockNowAcknowledged) {
+            viewModel.setDeviceAddress("n")
+        }
+    }
+
     MeshtasticAppShell(multiBackstack = multiBackstack, uiViewModel = viewModel, hostModifier = Modifier) {
         MeshtasticNavigationSuite(
             multiBackstack = multiBackstack,
@@ -132,3 +149,5 @@ private fun AndroidAppVersionCheck(viewModel: UIViewModel) {
         }
     }
 }
+
+private const val SECONDS_PER_MINUTE = 60

core/api/src/main/aidl/org/meshtastic/core/service/IMeshService.aidl

@@ -204,4 +204,10 @@ interface IMeshService {
     * hash is the 32-byte firmware SHA256 hash (optional, can be null)
     */
     void requestRebootOta(in int requestId, in int destNum, in int mode, in byte []hash);
+
+    /// Send a lockdown passphrase to authenticate with a TAK-locked device
+    void sendLockdownUnlock(in String passphrase, in int bootTtl, in int hourTtl, in int maxSessionSeconds);
+
+    /// Send a Lock Now command to the connected TAK-enabled device
+    void sendLockNow();
 }

core/data/src/commonMain/kotlin/org/meshtastic/core/data/manager/CommandSenderImpl.kt

@@ -49,13 +49,15 @@ import org.meshtastic.proto.EnvironmentMetrics
 import org.meshtastic.proto.HostMetrics
 import org.meshtastic.proto.LocalConfig
 import org.meshtastic.proto.LocalStats
+import org.meshtastic.proto.LockdownAuth
 import org.meshtastic.proto.MeshPacket
 import org.meshtastic.proto.Neighbor
 import org.meshtastic.proto.NeighborInfo
 import org.meshtastic.proto.Paxcount
 import org.meshtastic.proto.PortNum
 import org.meshtastic.proto.PowerMetrics
 import org.meshtastic.proto.Telemetry
+import org.meshtastic.proto.ToRadio
 import kotlin.math.absoluteValue
 import kotlin.random.Random
 import kotlin.time.Duration.Companion.hours
@@ -373,6 +375,43 @@ class CommandSenderImpl(
         }
     }
 
+    override fun sendLockdownPassphrase(passphrase: String, boots: Int, hours: Int, maxSessionSeconds: Int) {
+        val validUntilEpoch =
+            if (hours > 0) {
+                (nowMillis / MILLIS_PER_SECOND + hours.toLong() * SECONDS_PER_HOUR).toInt()
+            } else {
+                0
+            }
+        val lockdownAuth =
+            LockdownAuth(
+                passphrase = passphrase.encodeToByteArray().toByteString(),
+                boots_remaining = boots.coerceAtLeast(0),
+                valid_until_epoch = validUntilEpoch,
+                max_session_seconds = maxSessionSeconds.coerceAtLeast(0),
+            )
+        sendLockdownAdmin(AdminMessage(lockdown_auth = lockdownAuth))
+    }
+
+    override fun sendLockNow() {
+        sendLockdownAdmin(AdminMessage(lockdown_auth = LockdownAuth(lock_now = true)))
+    }
+
+    private fun sendLockdownAdmin(adminMessage: AdminMessage) {
+        val myNum = nodeManager.myNodeNum.value ?: return
+        val packet =
+            MeshPacket(
+                to = myNum,
+                id = generatePacketId(),
+                channel = 0,
+                want_ack = true,
+                hop_limit = DEFAULT_HOP_LIMIT,
+                hop_start = DEFAULT_HOP_LIMIT,
+                priority = MeshPacket.Priority.RELIABLE,
+                decoded = Data(portnum = PortNum.ADMIN_APP, payload = adminMessage.encode().toByteString()),
+            )
+        packetHandler.sendToRadio(ToRadio(packet = packet))
+    }
+
     fun resolveNodeNum(toId: String): Int = when (toId) {
         DataPacket.ID_BROADCAST -> DataPacket.NODENUM_BROADCAST
 
@@ -462,5 +501,8 @@ class CommandSenderImpl(
         private const val HEX_RADIX = 16
 
         private const val DEFAULT_HOP_LIMIT = 3
+
+        private const val MILLIS_PER_SECOND = 1000L
+        private const val SECONDS_PER_HOUR = 3600
     }
 }

core/data/src/commonMain/kotlin/org/meshtastic/core/data/manager/FromRadioPacketHandlerImpl.kt

@@ -23,6 +23,7 @@ import org.koin.core.annotation.Single
 import org.meshtastic.core.common.util.handledLaunch
 import org.meshtastic.core.common.util.ioDispatcher
 import org.meshtastic.core.repository.FromRadioPacketHandler
+import org.meshtastic.core.repository.LockdownCoordinator
 import org.meshtastic.core.repository.MeshRouter
 import org.meshtastic.core.repository.MqttManager
 import org.meshtastic.core.repository.Notification
@@ -48,6 +49,7 @@ class FromRadioPacketHandlerImpl(
     private val mqttManager: MqttManager,
     private val packetHandler: PacketHandler,
     private val notificationManager: NotificationManager,
+    private val lockdownCoordinator: LockdownCoordinator,
 ) : FromRadioPacketHandler {
 
     // Application-scoped coroutine context for suspend work (e.g. getStringSuspend).
@@ -69,6 +71,7 @@ class FromRadioPacketHandlerImpl(
         val deviceUIConfig = proto.deviceuiConfig
         val fileInfo = proto.fileInfo
         val xmodemPacket = proto.xmodemPacket
+        val lockdownStatus = proto.lockdown_status
 
         when {
             myInfo != null -> router.value.configFlowManager.handleMyInfo(myInfo)
@@ -84,7 +87,10 @@ class FromRadioPacketHandlerImpl(
                 serviceRepository.setConnectionProgress("Nodes (${router.value.configFlowManager.newNodeCount})")
             }
 
-            configCompleteId != null -> router.value.configFlowManager.handleConfigComplete(configCompleteId)
+            configCompleteId != null -> {
+                router.value.configFlowManager.handleConfigComplete(configCompleteId)
+                lockdownCoordinator.onConfigComplete()
+            }
 
             mqttProxyMessage != null -> mqttManager.handleMqttProxyMessage(mqttProxyMessage)
 
@@ -100,6 +106,8 @@ class FromRadioPacketHandlerImpl(
 
             xmodemPacket != null -> router.value.xmodemManager.handleIncomingXModem(xmodemPacket)
 
+            lockdownStatus != null -> lockdownCoordinator.handleLockdownStatus(lockdownStatus)
+
             clientNotification != null -> handleClientNotification(clientNotification)
 
             // Firmware rebooted without a transport-level disconnect (common on serial/TCP).