pi-remote-ios/Sources/Core/Auth/FaceIDGate.swift

// Sources/Core/Auth/FaceIDGate.swift
// T-2.11: Biometric gate — evaluates Face ID if enabled in settings.

import Foundation
import LocalAuthentication

/// Evaluates biometrics if Face ID is enabled in settings.
/// Returns true if auth succeeded or Face ID is disabled.
struct FaceIDGate: Sendable {
    @MainActor
    static func authenticate(reason: String = "Unlock pi remote") async -> Bool {
        guard UserDefaults.standard.bool(forKey: "faceid.enabled") else { return true }
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
            return true  // no biometrics available → allow
        }
        do {
            return try await context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason)
        } catch {
            return false
        }
    }
}