🏠 Overview ✅ Implementation Tasks ✅ epic-biometric-session-authentication-foundation-task-012

Document secure storage and local auth integration APIs

epic-biometric-session-authentication-foundation-task-012 — Write inline Dart documentation for all public methods and classes in SecureSessionStorage and LocalAuthIntegration. Create a brief developer-facing README section covering: how to read and write a session, how to check biometric availability, how to handle LocalAuthFailure codes, and the platform configuration requirements (Info.plist key, AndroidManifest permissions). This documentation unblocks higher-level epics that depend on these components.

medium priority low complexity documentation pending documentor Tier 4

Acceptance Criteria

Every public method and class in SecureSessionStorage has a complete Dart `///` doc comment covering purpose, parameters, return value, and thrown exceptions
Every public method and class in LocalAuthIntegration has a complete Dart `///` doc comment including platform-specific behavior differences (iOS vs Android)
README section titled 'Secure Session Storage & Local Auth — Developer Guide' is present and covers all four required topics: read/write session, check biometric availability, handle LocalAuthFailure codes, platform configuration
LocalAuthFailure codes are listed exhaustively with plain-language descriptions and recommended handling per code (e.g. notEnrolled → redirect to credential login, locked → show lockout message)
iOS platform configuration section specifies the exact Info.plist key (NSFaceIDUsageDescription) and the required string value pattern
Android platform configuration section lists all required AndroidManifest permissions (USE_BIOMETRIC, USE_FINGERPRINT) and the minimum API level required
All code examples in documentation are valid Dart and use actual method signatures from the implemented classes
dart doc generates no warnings when run against the documented files

Technical Requirements

frameworks
Flutter
Dart
apis
flutter_local_auth (iOS LocalAuthentication / Android BiometricPrompt)
performance requirements
Documentation must not add runtime overhead — pure source-level comments only
security requirements
Documentation must explicitly warn that session tokens must never be logged or printed to console
README must note that flutter_secure_storage writes to iOS Keychain / Android Keystore and must never be replaced with SharedPreferences
LocalAuthFailure handling examples must not suggest bypassing biometric failure without routing to full credential login

Execution Context

Execution Tier
Tier 4

Tier 4 - 323 tasks

Can start after Tier 3 completes

Implementation Notes

Read both implemented files fully before writing documentation — do not write docs from memory. Use `/// {@template}` blocks for shared parameter descriptions (e.g. sessionKey appears in both read and write methods). In the README, use fenced code blocks with `dart` syntax highlighting.

Group LocalAuthFailure codes into three categories for readability: enrollment errors, hardware errors, and user-cancellation errors. Note the platform asymmetry: iOS Face ID requires NSFaceIDUsageDescription even if the device uses Touch ID, because the permission dialog text is set at build time. Android requires both USE_BIOMETRIC (API 28+) and USE_FINGERPRINT (API 23–27) for full device coverage. Keep the README section under 400 lines — it is a quick-start guide, not a specification.

Testing Requirements

No runtime tests required for documentation task. Verification is: (1) run `dart doc` and confirm zero warnings or errors on both SecureSessionStorage and LocalAuthIntegration files; (2) peer review by one other developer to confirm README instructions are followable end-to-end on a fresh checkout; (3) confirm all LocalAuthFailure codes documented match the actual enum values in the implementation.

Component
Secure Session Storage
data low
Dependencies (2)
Write flutter_test unit tests for SecureSessionStorage using a mocked FlutterSecureStorage. Cover: writeSession persists all fields under correct keys, readSession deserializes stored values to StoredSession, clearSession removes all keys, writeBiometricPreference stores correct boolean string, readBiometricPreference returns null when absent. Verify Keychain/Keystore options are set per platform using argument captors. epic-biometric-session-authentication-foundation-task-010 Write flutter_test unit tests for LocalAuthIntegration using a mocked LocalAuthentication. Cover: isAvailable returns false when device has no biometrics, getAvailableBiometrics maps local_auth enums to domain BiometricType correctly, authenticate returns success on happy path, all LocalAuthException subtypes map to correct LocalAuthFailure domain codes, authenticate returns LocalAuthFailure.cancelled on user cancel. epic-biometric-session-authentication-foundation-task-011
Epic Risks (3)
high impact medium prob technical

iOS Keychain access requires correct entitlement configuration and provisioning profile setup. Misconfigured entitlements cause silent failures in CI/CD and on physical devices, where the plugin appears to work in the simulator but fails at runtime. This can delay foundation delivery and block all downstream epics.

Mitigation & Contingency

Mitigation: Add a dedicated integration test running on a physical iOS device early in the epic. Document required entitlements and provisioning steps in a developer runbook. Validate Keychain access in the CI pipeline using an iOS simulator with correct entitlements enabled.

Contingency: If Keychain entitlements cannot be resolved quickly, temporarily use in-memory storage behind the SecureSessionStorage interface to unblock downstream epics, then resolve the Keychain issue in a hotfix before release.

medium impact medium prob dependency

The Flutter local_auth plugin has a history of breaking API changes between major versions, and its Android implementation depends on BiometricPrompt which behaves differently across Android API levels (23-34). An incompatible plugin version or unexpected Android API behaviour can cause authentication failures on a significant portion of the target device fleet.

Mitigation & Contingency

Mitigation: Pin local_auth to a specific stable version in pubspec.yaml. Test against Android API levels 23, 28, and 33 in the CI matrix. Review the plugin changelog and migration guide before adopting any version bump.

Contingency: If the pinned version proves incompatible with target devices, evaluate flutter_local_auth_android as a replacement or fork the plugin adapter to isolate the breaking surface.

high impact low prob security

If users upgrade from a version of the app that stored session data in non-encrypted storage (SharedPreferences), a migration path is required. Failing to migrate silently leaves old tokens in plain storage, creating a security gap and potentially causing confusing authentication state on first launch of the new version.

Mitigation & Contingency

Mitigation: Audit existing storage usage across the codebase before writing SecureSessionStorage. If legacy plain storage keys exist, implement a one-time migration routine that reads from SharedPreferences, writes to Keychain/Keystore, and deletes the plain-text entry.

Contingency: If migration is discovered late, ship the migration as a mandatory patch release before the biometric feature is enabled for users, and add a startup check that blocks biometric opt-in until migration is confirmed complete.

Quick Links
All Tasks Execution Plan