feat(lock): implement application lock functionality with IPC integration

.editorconfig

@@ -12,5 +12,8 @@ insert_final_newline = true
 indent_style = space
 indent_size = 2
 
+[*.json]
+insert_final_newline = false
+
 [*.md]
 trim_trailing_whitespace = false

rollup.config.mjs

@@ -108,6 +108,40 @@ export default [
       },
     ],
   },
+  {
+    // Lock screen renderer bundle
+    external: [
+      ...builtinModules,
+      ...Object.keys(appManifest.dependencies),
+      ...Object.keys(appManifest.devDependencies),
+    ].filter((moduleName) => moduleName !== '@bugsnag/js'),
+    input: 'src/lockScreen/lock-screen.tsx',
+    preserveEntrySignatures: 'strict',
+    plugins: [
+      json(),
+      replace({
+        'process.env.NODE_ENV': JSON.stringify(NODE_ENV),
+        'preventAssignment': true,
+      }),
+      babel({
+        babelHelpers: 'bundled',
+        extensions,
+      }),
+      nodeResolve({
+        browser: true,
+        extensions,
+      }),
+      commonjs(),
+    ],
+    output: [
+      {
+        dir: 'app',
+        format: 'cjs',
+        sourcemap: 'inline',
+        interop: 'auto',
+      },
+    ],
+  },
   {
     external: [
       ...builtinModules,

src/app/PersistableValues.ts

@@ -91,9 +91,22 @@ type PersistableValues_4_9_0 = PersistableValues_4_7_2 & {
   isVideoCallScreenCaptureFallbackEnabled: boolean;
 };
 
+// Add screen lock persisted settings: timeout (seconds) and passwordHash (now an object with algorithm, hash, salt, params)
+export type ScreenLockPasswordStored = {
+  algorithm: string; // e.g. 'scrypt', 'pbkdf2', 'legacy-sha256'
+  hash: string; // base64 encoded derived key or legacy hex encoded then base64
+  salt: string; // base64 encoded salt (or empty string for legacy where salt wasn't used)
+  params?: Record<string, any>; // algorithm-specific params (iterations, keylen, maxmem, digest, etc.)
+};
+
+type PersistableValues_5_0_0 = PersistableValues_4_9_0 & {
+  screenLockTimeoutSeconds: number; // 0 = disabled
+  screenLockPasswordHash: ScreenLockPasswordStored | null;
+};
+
 export type PersistableValues = Pick<
-  PersistableValues_4_9_0,
-  keyof PersistableValues_4_9_0
+  PersistableValues_5_0_0,
+  keyof PersistableValues_5_0_0
 >;
 
 export const migrations = {
@@ -171,4 +184,80 @@ export const migrations = {
     ...before,
     isVideoCallScreenCaptureFallbackEnabled: false,
   }),
+  // New migration for screen lock defaults (initial addition)
+  '>=5.0.0': (before: PersistableValues_4_9_0): PersistableValues_5_0_0 => ({
+    ...before,
+    screenLockTimeoutSeconds: 0,
+    screenLockPasswordHash: null,
+  }),
+  // Convert older plain sha256 hex or legacy pbkdf2 string into structured object
+  '>=5.0.1': (before: any): PersistableValues_5_0_0 => {
+    // If there is no prior screen lock value, keep as null
+    const raw = (before && before.screenLockPasswordHash) || null;
+
+    if (!raw) {
+      return {
+        ...before,
+        screenLockTimeoutSeconds: before.screenLockTimeoutSeconds ?? 0,
+        screenLockPasswordHash: null,
+      };
+    }
+
+    // If already an object with algorithm, assume it's in new format
+    if (typeof raw === 'object' && raw.algorithm) {
+      return {
+        ...before,
+        screenLockTimeoutSeconds: before.screenLockTimeoutSeconds ?? 0,
+        screenLockPasswordHash: raw as ScreenLockPasswordStored,
+      };
+    }
+
+    // If string: could be legacy sha256 hex (64 hex chars) or our old pbkdf2$... encoded string
+    if (typeof raw === 'string') {
+      // pbkdf2 encoded string format: pbkdf2$<digest>$i=<iterations>$s=<saltHex>$d=<derivedHex>
+      const pbkdf2Match =
+        /^pbkdf2\$(\w+)\$i=(\d+)\$s=([0-9a-f]+)\$d=([0-9a-f]+)$/.exec(raw);
+      if (pbkdf2Match) {
+        const [, digest, itStr, saltHex, derivedHex] = pbkdf2Match;
+        const saltBuf = Buffer.from(saltHex, 'hex');
+        const derivedBuf = Buffer.from(derivedHex, 'hex');
+        return {
+          ...before,
+          screenLockTimeoutSeconds: before.screenLockTimeoutSeconds ?? 0,
+          screenLockPasswordHash: {
+            algorithm: 'pbkdf2',
+            hash: derivedBuf.toString('base64'),
+            salt: saltBuf.toString('base64'),
+            params: {
+              iterations: Number(itStr),
+              digest,
+              keylen: derivedBuf.length,
+            },
+          },
+        };
+      }
+
+      // legacy unsalted sha256 hex
+      if (/^[0-9a-f]{64}$/.test(raw)) {
+        const buf = Buffer.from(raw, 'hex');
+        return {
+          ...before,
+          screenLockTimeoutSeconds: before.screenLockTimeoutSeconds ?? 0,
+          screenLockPasswordHash: {
+            algorithm: 'legacy-sha256',
+            hash: buf.toString('base64'),
+            salt: '',
+            params: {},
+          },
+        };
+      }
+    }
+
+    // Unknown format — drop it and require user to reset password
+    return {
+      ...before,
+      screenLockTimeoutSeconds: before.screenLockTimeoutSeconds ?? 0,
+      screenLockPasswordHash: null,
+    };
+  },
 };