
[codex] Add per-database quick unlock selection #154

Draft
SirAndrosBot wants to merge 1 commit into master from codex/issue-91-database-selection

@SirAndrosBot

Collaborator

What changed

  • Added an opt-in Use Windows Hello only for selected open databases mode to the plugin options.
  • Added a checked list of currently open or locked KeePass databases.
  • Gated Windows Hello unlock and key caching by the selected database connection location.
  • Preserved existing behavior by default: when the new option is disabled, all databases remain eligible as before.
  • Stored selected connection locations as SHA-256 identifiers in KeePass custom configuration rather than storing plaintext paths in the new setting.
  • Revoked all cached database keys when the database-selection policy changes.
  • Made persistent revocation strict: individual CredDelete failures now propagate, except when the credential is already absent.
  • If revocation fails, no selection settings are written and the Options dialog remains open.
  • Kept Cancel behavior side-effect free.

Why

Issue #91 asks for biometric quick unlock to be enabled only for selected databases. The plugin previously had one global enable switch and cached every eligible database key after normal unlock.

This implementation adds an explicit opt-in allowlist while preserving the current default for existing users. Enforcement happens both before Windows Hello unlock and before caching a key, including the secure-desktop restart path.

Database identity

KeePassWinHello must decide whether a database is selected before that database is unlocked. A stable internal database UUID is therefore unavailable at the decision point. The implementation uses the exact KeePass connection path/location, hashed before storing it in the new config value.

This is intentionally fail-closed:

  • Moving or renaming a database requires selecting it again.
  • Equivalent paths with different casing or aliases may require selecting again.
  • A remembered selection represents a connection location, not intrinsic database identity.
  • Selections for databases that are not currently open/locked remain remembered and are not currently removable individually from this UI.

The existing Credential Manager storage remains path-based and is unchanged.

Security and revocation behavior

Changing the selection policy revokes all cached keys, including persistent Credential Manager entries. This is conservative but prevents deselected databases from retaining usable cached material.

A worker review found that the first implementation could save the new policy after a silent credential-deletion failure. The final implementation checks each deletion, performs revocation before writing settings, and cancels Options closing if revocation fails.

This security/revocation behavior was explicitly approved before publication.

Refs #91

Validation

  • Worker subagent implemented the feature in an isolated branch.
  • Reviewer subagent performed three review passes.
  • Addressed blocking revocation failure handling and per-document reflection isolation.
  • Final review found no blocking issues and recommended a draft PR.
  • git diff --check passed with only Git LF-to-CRLF working-copy warnings.
  • MSBuild.exe src\KeePassWinHello.csproj /t:Rebuild /p:Configuration=Release /p:DefineConstants=MONO /p:FrameworkPathOverride=C:\Windows\Microsoft.NET\Framework\v4.0.30319 /p:ReferencePath=C:\proj\KeePassWinHello\lib passed with 0 warnings and 0 errors.

Manual test required

  • Options OK versus Cancel.
  • Enabling/disabling selected-only mode.
  • Selecting and deselecting open and locked database tabs.
  • Local and persistent cache modes.
  • Failed Credential Manager deletion while applying policy.
  • Secure desktop enabled/disabled.
  • RDP behavior.
  • Database path casing, rename, move, and URL connection paths.
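
The matching and revocation rules this description lays out, as an added example that is not code from this PR or from KeePassWinHello: an exact-string SHA-256 identifier for the connection location, and a policy change that revokes first and writes settings only if every deletion succeeded. The class and method names, the UTF-8/hex encoding of the identifier, and the generic credential type are assumptions; `CredDelete` and `ERROR_NOT_FOUND` are the Win32 API and error code.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// Hypothetical names throughout; these are not KeePassWinHello's classes.
static class SelectionPolicyExample
{
    const int CRED_TYPE_GENERIC = 1;   // assumed credential type
    const int ERROR_NOT_FOUND = 1168;  // Win32: credential already absent

    [DllImport("advapi32.dll", EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredDelete(string target, int type, int flags);

    // Exact-string hash: no case folding or alias resolution, so a moved,
    // renamed or differently-cased path yields a different id (fail closed).
    public static string LocationId(string connectionPath)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(connectionPath))).Replace("-", "");
    }

    // With selected-only mode off, every database stays eligible (the default).
    public static bool IsEligible(bool selectedOnly, ISet<string> selectedIds, string connectionPath)
    {
        return !selectedOnly || selectedIds.Contains(LocationId(connectionPath));
    }

    // Strict revocation: any failure other than "already absent" throws.
    static void RevokeAll(IEnumerable<string> cachedTargets)
    {
        foreach (string target in cachedTargets)
        {
            if (CredDelete(target, CRED_TYPE_GENERIC, 0)) continue;
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_NOT_FOUND) throw new Win32Exception(err);
        }
    }

    // Revoke first; settings are written only if every deletion succeeded.
    public static bool TryApply(IEnumerable<string> cachedTargets, Action writeSettings)
    {
        try { RevokeAll(cachedTargets); }
        catch (Win32Exception) { return false; } // caller keeps the Options dialog open
        writeSettings();
        return true;
    }
}
```

`IsEligible` is meant to be called at both enforcement points named above, before a Windows Hello unlock and before caching a key.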
