Feature ID: PF-79
Status: ✅ Phase 1 & 2 Complete
Spec: PF-79-mobile-app-security-biometric-pin-session-lock.md
Last Updated: 2026-03-13
Overview
PF-79 adds an optional app lock (session lock on background/inactivity), an app PIN, and device biometric unlock (Face ID / Touch ID) for the PWA and mobile clients. It integrates with the existing platform auth and session management; there are no new event or API contracts. The lock is a local UI gate in front of an already-authenticated session: while the app is locked the session tokens remain on the device, and they are cleared only by the explicit “Lock and Sign Out” action. Phase 3 adds WebAuthn enrollment/verification alongside TOTP.
Phase Summary
| Phase | Scope | Status |
|---|---|---|
| Phase 1 | Client-side PIN + session lock | ✅ Complete |
| Phase 2 | Device biometric (WebAuthn platform authenticator) | ✅ Complete |
| Phase 3 | WebAuthn MFA enrollment alongside TOTP | 🔲 Not started |
Integration Points (from Spec)
| Dependency | Pattern | Purpose |
|---|---|---|
| PF-49 (Session Management & Device Tracking) | Platform / Context | Session list and device context unchanged; the lock is a local UI gate; “Lock and Sign Out” clears tokens when the user chooses. |
| Auth.tsx / MfaChallenge / MfaEnrollment | Platform (auth UI) | Lock screen sits in front of authenticated app; after unlock, existing session is used. Phase 3 adds WebAuthn to MFA enrollment and challenge flow. |
| Supabase Auth | Config / API | WebAuthn must be enabled in Supabase (Dashboard) for Phase 3; no change to existing TOTP flow. |
Platform Layer Usage
- Auth: the lock screen component is rendered by the app shell when a lock policy is active; it uses the existing `useCurrentUser` hook and the Supabase session. No new auth APIs.
- Biometric (Phase 2): a WebAuthn platform authenticator serves as the local unlock gate. Client-only; there is no server round-trip, so no relying party ever verifies the assertion and the gate remains a UI gate rather than an authentication boundary. Only a credential reference (the credential ID, no key material) is kept in `sessionStorage`, so it lasts for the browser session only and the client must fall back to the PIN when it is absent.
- Settings (Phase 1.5/2.5): optional org-level policy (`require_app_lock_mobile`, `app_lock_timeout_minutes`) stored in `pf_module_settings`; the mobile client fetches and applies it. RLS and migration per constitution when implemented.
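The Phase 2 biometric gate as an added example, not PF-79 project code: a WebAuthn platform-authenticator enrolment whose only persistent output is the credential ID in `sessionStorage`, and an unlock that, having no server to verify the assertion, at least insists on the authenticator's user-verification flag. The storage key, the function names, the option builders and the relying-party ID (`location.hostname`) are assumptions; the `authenticatorData` layout and flag bits are from the WebAuthn specification.

```javascript
// Added example (not PF-79 project code): client-only biometric unlock gate on a
// WebAuthn platform authenticator. The credential id is the only thing stored, in
// sessionStorage as the page describes. Hypothetical names: SESSION_KEY,
// enrollBiometric, unlockWithBiometric, the option builders and the flag parser.

const SESSION_KEY = 'pf79.biometric.credentialId'; // hypothetical storage key

// base64url helpers: credential ids are binary, sessionStorage holds strings.
const toB64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64 + '='.repeat((4 - b64.length % 4) % 4)), c => c.charCodeAt(0));
};

// Creation options: platform authenticator only, and userVerification 'required'.
// With 'preferred' a platform authenticator may satisfy the request without a
// biometric/PIN prompt, which would turn the gate into tap-to-unlock.
function buildCreateOptions({ rpId, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: 'App lock' },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    authenticatorSelection: {
      authenticatorAttachment: 'platform',
      userVerification: 'required',
      residentKey: 'discouraged', // a local gate never needs a discoverable credential
    },
    timeout: 60000,
    attestation: 'none', // nothing verifies attestation client-side, so do not request it
  };
}

function buildGetOptions({ rpId, credentialId, challenge }) {
  return {
    rpId,
    challenge,
    allowCredentials: [{ type: 'public-key', id: credentialId, transports: ['internal'] }],
    userVerification: 'required',
    timeout: 60000,
  };
}

// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | ...
// flags bit 0 = UP (user present), bit 2 = UV (user verified).
function parseAuthenticatorFlags(authenticatorData) {
  const bytes = new Uint8Array(authenticatorData);
  if (bytes.length < 37) throw new Error('authenticatorData too short');
  const flags = bytes[32];
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount: new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0),
  };
}

// Client-side acceptance check. Without a server nobody independently verifies the
// signature, and a check made by the same origin that holds the tokens adds little;
// what the gate can still insist on is: the browser returned the credential enrolled
// this session, and the authenticator reported user verification (Face ID / Touch ID).
function assertionAcceptable(assertion, expectedCredentialId) {
  if (assertion.id !== expectedCredentialId) return false;
  const f = parseAuthenticatorFlags(assertion.response.authenticatorData);
  return f.userPresent && f.userVerified;
}

// Browser-only: enrol the platform authenticator and keep just the id (base64url).
async function enrollBiometric(userName) {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const userId = crypto.getRandomValues(new Uint8Array(16)); // local handle, not the platform user id
  const cred = await navigator.credentials.create({
    publicKey: buildCreateOptions({ rpId: location.hostname, userId, userName, challenge }) });
  sessionStorage.setItem(SESSION_KEY, cred.id); // a reference only; no secret material
  return cred.id;
}

// Browser-only: returns false (caller falls back to PIN) when nothing is enrolled this session.
async function unlockWithBiometric() {
  const credentialId = sessionStorage.getItem(SESSION_KEY);
  if (!credentialId) return false;
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const assertion = await navigator.credentials.get({
    publicKey: buildGetOptions({ rpId: location.hostname, credentialId: fromB64u(credentialId), challenge }) });
  return assertionAcceptable(assertion, credentialId);
}
```

Because `sessionStorage` is per tab and cleared when the tab closes, a user who reopens the PWA will have no credential reference; the gate must then fall back to the PIN rather than fail open. The `userVerification: 'required'` setting on both calls, together with the UV-flag check, is what makes a biometric prompt part of every unlock.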
Event / API Contracts
No new event or public API contracts. App lock is client-side only; the optional server-driven policy is read from `pf_module_settings` once Phase 1.5/2.5 is implemented.