feat: add password protection UI and fix launch flow

- Password management UI in settings (set/change/remove password)
- Shield icon on play button for protected identities
- Interactive password popup on launch with inline error display
- Fix: re-throw password errors instead of falling to local tokens
- Fix: password popup properly cleans up on success/cancel
- Fix: expose updatePasswordShieldIcon for cross-module access

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

main.js

@@ -530,7 +530,26 @@ ipcMain.handle('launch-game', async (event, playerName, javaPath, installPath, g
       }
     };
 
-    const result = await launchGameWithVersionCheck(playerName, progressCallback, javaPath, installPath, gpuPreference);
+    // Check if UUID has password before launching
+    let launchOptions = {};
+    try {
+      const { getAuthServerUrl } = require('./backend/core/config');
+      const { getUuidForUser } = require('./backend/core/config');
+      const uuid = getUuidForUser(playerName);
+      const authServerUrl = getAuthServerUrl();
+      const statusResp = await fetch(`${authServerUrl}/player/password/status/${uuid}`);
+      if (statusResp.ok) {
+        const status = await statusResp.json();
+        if (status.hasPassword) {
+          // Return to renderer to prompt for password
+          return { success: false, passwordRequired: true, uuid };
+        }
+      }
+    } catch (pwErr) {
+      console.log('[Launch] Password check skipped:', pwErr.message);
+    }
+
+    const result = await launchGameWithVersionCheck(playerName, progressCallback, javaPath, installPath, gpuPreference, null, launchOptions);
 
     if (result.success && result.launched) {
       const closeOnStart = loadCloseLauncherOnStart();
@@ -554,10 +573,62 @@ ipcMain.handle('launch-game', async (event, playerName, javaPath, installPath, g
       }, 2000);
     }
 
+    if (error.passwordRequired) {
+      return { success: false, passwordRequired: true, error: 'Password required' };
+    }
+    if (error.lockedOut) {
+      return { success: false, error: 'Too many failed attempts. Try again in ' + Math.ceil((error.lockoutSeconds || 900) / 60) + ' minutes.' };
+    }
+    if (error.usernameTaken) {
+      return { success: false, usernameTaken: true, error: errorMessage };
+    }
+
     return { success: false, error: errorMessage };
   }
 });
 
+ipcMain.handle('launch-game-with-password', async (event, playerName, javaPath, installPath, gpuPreference, password) => {
+  try {
+    const progressCallback = (message, percent, speed, downloaded, total, retryState) => {
+      if (mainWindow && !mainWindow.isDestroyed()) {
+        mainWindow.webContents.send('progress-update', {
+          message: message || null,
+          percent: percent !== null && percent !== undefined ? Math.min(100, Math.max(0, percent)) : null,
+          speed: speed !== null && speed !== undefined ? speed : null,
+          downloaded: downloaded !== null && downloaded !== undefined ? downloaded : null,
+          total: total !== null && total !== undefined ? total : null,
+          retryState: retryState || null
+        });
+      }
+    };
+
+    const result = await launchGameWithVersionCheck(playerName, progressCallback, javaPath, installPath, gpuPreference, null, { password });
+
+    if (result.success && result.launched) {
+      const closeOnStart = loadCloseLauncherOnStart();
+      if (closeOnStart) {
+        setTimeout(() => { app.quit(); }, 1000);
+      }
+    }
+    return result;
+  } catch (error) {
+    console.error('Launch with password error:', error);
+    if (mainWindow && !mainWindow.isDestroyed()) {
+      setTimeout(() => { mainWindow.webContents.send('progress-complete'); }, 2000);
+    }
+    if (error.passwordRequired) {
+      return { success: false, passwordRequired: true, error: 'Incorrect password. ' + (error.attemptsRemaining != null ? error.attemptsRemaining + ' attempts remaining.' : '') };
+    }
+    if (error.lockedOut) {
+      return { success: false, error: 'Too many failed attempts. Try again in ' + Math.ceil((error.lockoutSeconds || 900) / 60) + ' minutes.' };
+    }
+    if (error.usernameTaken) {
+      return { success: false, usernameTaken: true, error: error.message || error.toString() };
+    }
+    return { success: false, error: error.message || error.toString() };
+  }
+});
+
 ipcMain.handle('install-game', async (event, playerName, javaPath, installPath, branch) => {
   try {
     console.log(`[IPC] install-game called with parameters:`);
@@ -1391,6 +1462,88 @@ ipcMain.handle('reset-current-user-uuid', async () => {
   }
 });
 
+// Password Management IPC handlers
+ipcMain.handle('check-password-status', async (event, uuid) => {
+  try {
+    const { getAuthServerUrl } = require('./backend/core/config');
+    const authServerUrl = getAuthServerUrl();
+    const response = await fetch(`${authServerUrl}/player/password/status/${uuid}`);
+    if (!response.ok) return { hasPassword: false };
+    return await response.json();
+  } catch (error) {
+    console.error('Error checking password status:', error);
+    return { hasPassword: false, error: error.message };
+  }
+});
+
+ipcMain.handle('set-player-password', async (event, uuid, password, currentPassword) => {
+  try {
+    const { getAuthServerUrl } = require('./backend/core/config');
+    const { getUuidForUser, loadUsername } = require('./backend/core/config');
+    const authServerUrl = getAuthServerUrl();
+    // First get a bearer token for auth
+    const name = loadUsername() || 'Player';
+    const tokenResp = await fetch(`${authServerUrl}/game-session/child`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ uuid, name, password: currentPassword || undefined })
+    });
+    if (!tokenResp.ok) {
+      const err = await tokenResp.json().catch(() => ({}));
+      return { success: false, error: err.error || 'Failed to authenticate' };
+    }
+    const tokenData = await tokenResp.json();
+    const bearerToken = tokenData.identityToken || tokenData.IdentityToken;
+
+    const response = await fetch(`${authServerUrl}/player/password/set`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${bearerToken}`
+      },
+      body: JSON.stringify({ uuid, password, currentPassword: currentPassword || undefined })
+    });
+    return await response.json();
+  } catch (error) {
+    console.error('Error setting password:', error);
+    return { success: false, error: error.message };
+  }
+});
+
+ipcMain.handle('remove-player-password', async (event, uuid, currentPassword) => {
+  try {
+    const { getAuthServerUrl } = require('./backend/core/config');
+    const { loadUsername } = require('./backend/core/config');
+    const authServerUrl = getAuthServerUrl();
+    const name = loadUsername() || 'Player';
+    // Get bearer token with current password
+    const tokenResp = await fetch(`${authServerUrl}/game-session/child`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ uuid, name, password: currentPassword })
+    });
+    if (!tokenResp.ok) {
+      const err = await tokenResp.json().catch(() => ({}));
+      return { success: false, error: err.error || 'Failed to authenticate' };
+    }
+    const tokenData = await tokenResp.json();
+    const bearerToken = tokenData.identityToken || tokenData.IdentityToken;
+
+    const response = await fetch(`${authServerUrl}/player/password/remove`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${bearerToken}`
+      },
+      body: JSON.stringify({ uuid, currentPassword })
+    });
+    return await response.json();
+  } catch (error) {
+    console.error('Error removing password:', error);
+    return { success: false, error: error.message };
+  }
+});
+
 ipcMain.handle('get-recent-logs', async (event, maxLines = 100) => {
   try {
     const logDir = logger.getLogDirectory();