Add AuthGuard for inactivity locking and CLI lock command

src/tests/test_inactivity_lock.py

@@ -91,3 +91,32 @@ def test_input_timeout_triggers_lock(monkeypatch):
 
     assert locked["locked"] == 1
     assert locked["unlocked"] == 1
+
+
+def test_update_activity_checks_timeout(monkeypatch):
+    """AuthGuard in update_activity locks the vault after inactivity."""
+    import seedpass.core.manager as manager
+
+    now = {"val": 0.0}
+    monkeypatch.setattr(manager.time, "time", lambda: now["val"])
+
+    pm = manager.PasswordManager.__new__(manager.PasswordManager)
+    pm.inactivity_timeout = 0.5
+    pm.last_activity = 0.0
+    pm.locked = False
+    called = {}
+
+    def lock():
+        called["locked"] = True
+        pm.locked = True
+
+    pm.lock_vault = lock
+    pm.auth_guard = manager.AuthGuard(pm, time_fn=lambda: now["val"])
+
+    now["val"] = 0.4
+    pm.update_activity()
+    assert not called
+
+    now["val"] = 1.1
+    pm.update_activity()
+    assert called["locked"] is True

src/tests/test_typer_cli.py

@@ -153,6 +153,23 @@ def test_vault_lock(monkeypatch):
     assert pm.locked is True
 
 
+def test_root_lock(monkeypatch):
+    called = {}
+
+    def lock():
+        called["locked"] = True
+        pm.locked = True
+
+    pm = SimpleNamespace(
+        lock_vault=lock, locked=False, select_fingerprint=lambda fp: None
+    )
+    monkeypatch.setattr(cli, "PasswordManager", lambda: pm)
+    result = runner.invoke(app, ["lock"])
+    assert result.exit_code == 0
+    assert called.get("locked") is True
+    assert pm.locked is True
+
+
 def test_vault_reveal_parent_seed(monkeypatch, tmp_path):
     called = {}