Honor requireBiometric in VaultStorage MasterKey construction #43

Draft
Copilot wants to merge 2 commits into chen/fix-errorhandling from copilot/sub-pr-38-one-more-time

Copilot AI commented Mar 14, 2026

initializeKeystore() was suppressing requireBiometric as an unused parameter while buildMasterKey() unconditionally produced a non-auth-required key, silently breaking callers that pass requireBiometric = true to VaultManager.createVault().

Changes

  • buildMasterKey(context, requireBiometric: Boolean) — now accepts the flag and applies setUserAuthenticationRequired(true, AUTH_VALIDITY_DURATION_SECS) when true; stale-key cleanup is scoped to requireBiometric = false only (previously it would unconditionally delete auth-required keys, defeating the whole point)
  • getMasterKey(context) — new retrieval-only helper used by storeSeed/retrieveSeed; deliberately skips stale-key cleanup so encrypt/decrypt operations cannot silently downgrade the key's auth properties
  • masterKeyBuilder(context) — shared MasterKey.Builder base eliminates duplication between the two paths
  • AUTH_VALIDITY_DURATION_SECS = 3600 — named constant replaces the magic number; 1-hour window after device authentication

// initializeKeystore now correctly creates an auth-gated key
MasterKey.Builder(context, MASTER_KEY_ALIAS)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .apply {
        if (requireBiometric) {
            setUserAuthenticationRequired(true, AUTH_VALIDITY_DURATION_SECS)
        }
    }
    .build()

Co-authored-by: mocolicious <6373607+mocolicious@users.noreply.github.com>
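
A way to confirm that the key stored under the alias really carries the auth properties the caller asked for, as an added example that is not code from this PR or the project. `KeyAuthState`, `inspectMasterKey` and `authMismatch` are hypothetical names, the alias is supplied by the caller, and the expected window is assumed to be the PR's AUTH_VALIDITY_DURATION_SECS.

```kotlin
import android.security.keystore.KeyInfo
import java.security.KeyStore
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory

// Hypothetical names throughout; only the Android Keystore calls are real APIs.
data class KeyAuthState(
    val exists: Boolean,
    val authRequired: Boolean,
    val validitySecs: Int,
    val hardwareEnforced: Boolean,
)

// Reads what the Android Keystore recorded for `alias` at generation time.
// Inspecting KeyInfo does not use the key, so no user authentication is needed.
fun inspectMasterKey(alias: String): KeyAuthState {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(alias, null) as? SecretKey
        ?: return KeyAuthState(false, false, 0, false)
    val factory = SecretKeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
    val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
    return KeyAuthState(
        exists = true,
        authRequired = info.isUserAuthenticationRequired,
        validitySecs = info.userAuthenticationValidityDurationSeconds,
        hardwareEnforced = info.isUserAuthenticationRequirementEnforcedBySecureHardware,
    )
}

// Returns null when the stored key matches the request, otherwise the mismatch.
// expectedSecs is the validity window the builder was given (3600 in this PR).
fun authMismatch(state: KeyAuthState, requireBiometric: Boolean, expectedSecs: Int): String? =
    when {
        !state.exists -> "no key stored under the alias"
        requireBiometric && !state.authRequired ->
            "auth-gated key requested, but the stored key is usable without authentication"
        requireBiometric && state.validitySecs != expectedSecs ->
            "auth window is ${state.validitySecs}s, expected ${expectedSecs}s"
        requireBiometric && !state.hardwareEnforced ->
            "auth requirement is not enforced by secure hardware"
        !requireBiometric && state.authRequired ->
            "plain key requested, but an auth-required key already sits under the alias"
        else -> null
    }
```

Run in an instrumented test after a vault is created with requireBiometric = true, and again after a storeSeed/retrieveSeed round trip, a non-null result flags the silent downgrade described above.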

Copilot AI commented Mar 14, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] [WIP] Address feedback on error handling improvements" to "Honor requireBiometric in VaultStorage MasterKey construction" Mar 14, 2026
Copilot AI requested a review from mocolicious March 14, 2026 07:04