Skip to content

fix: persist security store state to prevent lockout bypass #39

Description

@EmeditWeb

Problem

The security.store.ts (37 lines) stores isLocked, failedAttempts, and biometricCheckDone in memory only. After app restart: isLocked is false (app opens unlocked), failedAttempts is 0 (lockout bypassed), biometricCheckDone is false (biometric gate re-runs).

User impact: The auto-lock mechanism is defeated by restarting the app. Security features can be bypassed. After 3 failed biometric attempts → hard logout, but restarting the app resets the counter.

Root Cause

Persistence was not added to the security store because it was deemed "not needed for prototype."

What To Build

  1. Add Zustand persist middleware to security.store.ts
  2. Use SecureStore for storage (security-sensitive data)
  3. Whitelist isLocked and failedAttempts
  4. On sign-out: reset persisted security state
  5. Add loading state during hydration

Files To Touch

  • src/security/security.store.ts — add persist middleware with SecureStore

Acceptance Criteria

  • isLocked survives app restart
  • failedAttempts survives app restart
  • Lockout cannot be bypassed by restarting
  • Biometric check state persists
  • Clean security state on sign-out

Mandatory Checks

  • context/ files read
  • npm test passes
  • PR references this issue

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions