fix(desktop): Select Linux secret storage backend

[mwolson]

Summary

Closes #2539.
Closes #2880.

This selects an encrypted Linux safeStorage backend before Electron is ready, so desktop SSH environment credentials can be persisted on Linux sessions Electron does not recognize automatically.

Problem and Fix

Problem and Why it Happened	Fix
Electron 41 can fall back to basic_text on Linux sessions such as Niri or unversioned KDE/Plasma because the desktop name is not one of Electron's recognized backend selectors.	Resolve a Linux password-store switch before app.ready and default unknown non-KDE sessions to gnome-libsecret, while using KWallet for KDE/Plasma sessions.
The desktop app did not have a pre-ready settings path for a user-selected Linux password-store override.	Read the persisted linuxPasswordStore setting synchronously during early Electron startup, with unsupported values normalized to auto without dropping unrelated settings.
AppImage sessions can start without the session bus and desktop environment variables needed by Linux secret stores.	Hydrate Linux session environment values from the login shell before re-resolving the runtime password-store switch.

Defensive Fixes

Problem and Why it Happened	Fix
The desktop file protocol scheme registration was Effect-scoped, but Electron requires privileged scheme registration before ready.	Sequence scheme privilege registration and pre-ready command-line switch setup before the broader desktop runtime layer can build.
Safe-storage failures were hard to diagnose on Linux.	Log the configured password-store decision before ready and the selected backend after ready, without probing keyring availability during startup.

Application Startup Sequence

Before this change, main.ts only serialized scheme privilege registration before the broader runtime:

DesktopApp.program
  |
  v
ElectronProtocol.layerSchemePrivileges
  |
  |  serial barrier: scheme privileges registered first
  v
rest of desktop runtime

After this change, main.ts also requires the pre-ready command-line switch work to finish before the broader runtime:

DesktopApp.program
  |
  v
desktopElectronPreReadyLayer
  |
  +-- ElectronProtocol.layerSchemePrivileges
  +-- configureElectronBeforeReady
        |
        +-- read existing --password-store
        +-- read early Linux settings
        +-- append pre-ready command-line switches
        +-- provide DesktopPreReadyElectronOptions
  |
  |  serial barrier: all pre-ready setup completes before broader runtime
  v
rest of desktop runtime

Validation

• bun fmt
• bun lint
• bun typecheck
• bun run --filter @t3tools/desktop test -- linuxSecretStorage DesktopEarlyElectronStartup DesktopAppSettings DesktopShellEnvironment DesktopSavedEnvironments

Checklist

• This PR is small and focused
• I explained what changed and why
• I included before/after screenshots for any UI changes: N/A, desktop startup and persistence behavior
• I included a video for animation/interaction changes: N/A

---

Note

Medium Risk
Touches credential encryption and early Electron startup order; wrong backend choice could break saving SSH secrets on Linux, though CLI overrides and extensive tests reduce exposure.

Overview
Fixes Linux desktop safeStorage falling back to unencrypted storage on sessions Electron does not recognize (e.g. Niri, unversioned KDE/Plasma) by choosing the --password-store switch before app.ready.

Adds linuxPasswordStore to desktop settings (default auto) and reads it synchronously from desktop-settings.json during early startup, including JSONC and invalid-value normalization. linuxSecretStorage.ts maps auto to no switch on known GNOME/KDE desktops, kwallet on KDE/Plasma heuristics, and gnome-libsecret otherwise; explicit CLI --password-store wins and is not overridden.

main.ts wires a desktopElectronPreReadyLayer that registers scheme privileges and applies pre-ready switches (WM class + password store) alongside DesktopPreReadyElectronOptions. After login-shell hydration, DesktopApp can remove/re-append password-store when env or settings change, and logs the configured choice plus safeStorage.getSelectedStorageBackend() on Linux.

DesktopShellEnvironment now pulls Linux session vars (including DBUS_SESSION_BUS_ADDRESS, XDG/Wayland) from the login shell and can set D-Bus from the default runtime socket when missing. ElectronApp.removeCommandLineSwitch and selectedStorageBackend support the new flow; remediation copy for failed secret storage is added in linuxSecretStorage for follow-on credential errors.

^{Reviewed by Cursor Bugbot for commit 7de405c. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Select Linux secret storage backend based on desktop environment and user preference

• Adds linuxPasswordStore to desktop settings (default: auto) and normalizes it via normalizeLinuxPasswordStorePreference in linuxSecretStorage.ts.
• Resolves the correct --password-store Electron command-line switch before app readiness using desktop environment heuristics (KDE → kwallet, others → gnome-libsecret); explicit preferences bypass the heuristic.
• Introduces resolveEarlyLinuxElectronOptions and DesktopPreReadyElectronOptions so the password-store and WM class switches are set during early startup, before Electron fires ready.
• Expands installPosixEnvironment to propagate XDG_CURRENT_DESKTOP, WAYLAND_DISPLAY, DBUS_SESSION_BUS_ADDRESS, and related vars; auto-sets DBUS_SESSION_BUS_ADDRESS on Linux when the default socket exists.
• Adds ElectronSafeStorage.selectedStorageBackend and logs the selected backend after readiness for diagnostics.
• Risk: the password-store switch is removed and re-appended at startup if settings differ from what was on the command line; launching with an explicit --password-store CLI flag takes precedence and is preserved.

^{Macroscope summarized 7de405c.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3beb3e70-3d69-46ad-8dec-6de3eed7507b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR introduces new Linux secret storage backend selection with substantial new logic affecting credential storage configuration. The changes are security-adjacent and modify app initialization behavior. Additionally, an unresolved review comment identifies a potential bug where early DBUS configuration could prevent proper session bus detection.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9bf124e. Configure here.}