fix(desktop): Select Linux secret storage backend #2916

Open
mwolson wants to merge 1 commit into pingdotgg:main from mwolson:fix/linux-secret-store-backend-v2

@mwolson mwolson commented Jun 2, 2026

Summary

Closes #2539.
Closes #2880.

This selects an encrypted Linux safeStorage backend before Electron is ready, so desktop SSH environment credentials can be persisted on Linux sessions Electron does not recognize automatically.

Problem and Fix

| Problem and Why it Happened | Fix |
| --- | --- |
| Electron 41 can fall back to basic_text on Linux sessions such as Niri or unversioned KDE/Plasma because the desktop name is not one of Electron's recognized backend selectors. | Resolve a Linux password-store switch before app.ready and default unknown non-KDE sessions to gnome-libsecret, while using KWallet for KDE/Plasma sessions. |
| The desktop app did not have a pre-ready settings path for a user-selected Linux password-store override. | Read the persisted linuxPasswordStore setting synchronously during early Electron startup, with unsupported values normalized to auto without dropping unrelated settings. |
| AppImage sessions can start without the session bus and desktop environment variables needed by Linux secret stores. | Hydrate Linux session environment values from the login shell before re-resolving the runtime password-store switch. |

Defensive Fixes

| Problem and Why it Happened | Fix |
| --- | --- |
| The desktop file protocol scheme registration was Effect-scoped, but Electron requires privileged scheme registration before ready. | Sequence scheme privilege registration and pre-ready command-line switch setup before the broader desktop runtime layer can build. |
| Safe-storage failures were hard to diagnose on Linux. | Log the configured password-store decision before ready and the selected backend after ready, without probing keyring availability during startup. |

Application Startup Sequence

Before this change, main.ts only serialized scheme privilege registration before the broader runtime:

DesktopApp.program
  |
  v
ElectronProtocol.layerSchemePrivileges
  |
  |  serial barrier: scheme privileges registered first
  v
rest of desktop runtime

After this change, main.ts also requires the pre-ready command-line switch work to finish before the broader runtime:

DesktopApp.program
  |
  v
desktopElectronPreReadyLayer
  |
  +-- ElectronProtocol.layerSchemePrivileges
  +-- configureElectronBeforeReady
        |
        +-- read existing --password-store
        +-- read early Linux settings
        +-- append pre-ready command-line switches
        +-- provide DesktopPreReadyElectronOptions
  |
  |  serial barrier: all pre-ready setup completes before broader runtime
  v
rest of desktop runtime

Validation

  • bun fmt
  • bun lint
  • bun typecheck
  • bun run --filter @t3tools/desktop test -- linuxSecretStorage DesktopEarlyElectronStartup DesktopAppSettings DesktopShellEnvironment DesktopSavedEnvironments

Checklist

  • This PR is small and focused
  • I explained what changed and why
  • I included before/after screenshots for any UI changes: N/A, desktop startup and persistence behavior
  • I included a video for animation/interaction changes: N/A

Note

Medium Risk
Touches credential encryption and early Electron bootstrap on Linux; wrong backend or switch timing could still break secret persistence, but CLI overrides are respected and changes are covered by targeted tests.

Overview
Linux desktop now picks Electron safeStorage / --password-store before app.ready, so encrypted credentials work on sessions Electron does not auto-detect (e.g. Niri, unversioned KDE).

Startup is split into a pre-ready layer (main.ts): privileged scheme registration plus synchronous reads of desktop-settings.json for linuxPasswordStore, WM class, and optional --password-store (skipped when the user already passed --password-store on the CLI). After login-shell env hydration, DesktopApp can remove/re-apply password-store from persisted settings and logs the chosen backend before/after ready.

New linuxSecretStorage heuristics map auto → gnome-libsecret or kwallet from desktop env vars; DesktopAppSettings persists linuxPasswordStore (default auto, invalid values normalized). DesktopShellEnvironment pulls more Linux session vars (including DBUS_SESSION_BUS_ADDRESS fallback via /run/user/$UID/bus). ElectronApp gains removeCommandLineSwitch; ElectronSafeStorage exposes selectedStorageBackend on Linux for diagnostics.

Reviewed by Cursor Bugbot for commit e9f8d2e.

Note

Select Linux secret storage backend via pre-ready Electron command-line configuration

  • Adds resolveEarlyLinuxElectronOptions to compute the password-store and wmClass command-line switches before Electron is ready, by reading desktop-settings.json synchronously from the resolved state directory.
  • Introduces a linuxPasswordStore setting (default 'auto') to DesktopSettings, persisted and normalized via normalizeLinuxPasswordStorePreference.
  • Adds resolveLinuxPasswordStoreSwitch heuristic to choose between kwallet, gnome-libsecret, or no override depending on the detected desktop environment and user preference.
  • Extends ElectronApp with removeCommandLineSwitch and ElectronSafeStorage with selectedStorageBackend (Linux only) to support runtime inspection and reconfiguration.
  • Expands POSIX environment propagation in DesktopShellEnvironment to include XDG/Wayland/D-Bus variables, and auto-infers DBUS_SESSION_BUS_ADDRESS on Linux when unset.
  • Behavioral Change: the password-store command-line switch is now removed and re-applied on each startup based on resolved settings, overriding any previously set value unless already specified via CLI.

Macroscope summarized e9f8d2e.
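
The selection rules the description above states (CLI override respected, unsupported setting values normalized to auto, KWallet for KDE/Plasma, gnome-libsecret for unrecognized sessions) can be sketched as follows. This is an added example, not code from the PR or the project: the function names, the environment variables checked, and the exact conditions for "no override" are assumptions.

```typescript
// Added illustration. Rules and names are assumptions, not the PR's code.
type Env = Record<string, string | undefined>;
type Settings = Record<string, unknown>;

const SUPPORTED = ["auto", "gnome-libsecret", "kwallet"];

// Unsupported or missing values become "auto"; unrelated keys are preserved.
function normalizeSettings(raw: Settings): Settings {
  const value = raw["linuxPasswordStore"];
  const ok = typeof value === "string" && SUPPORTED.indexOf(value) !== -1;
  return { ...raw, linuxPasswordStore: ok ? value : "auto" };
}

// True when the user already chose a backend on the command line.
function cliHasPasswordStore(argv: string[]): boolean {
  return argv.some(
    (arg) => arg === "--password-store" || arg.indexOf("--password-store=") === 0,
  );
}

// KDE/Plasma detection from session variables (assumed variable set).
function isKdeSession(env: Env): boolean {
  const names = [env["XDG_CURRENT_DESKTOP"], env["XDG_SESSION_DESKTOP"], env["DESKTOP_SESSION"]]
    .map((v) => v ?? "")
    .join(":")
    .toLowerCase()
    .split(":");
  const named = names.some((n) => n === "kde" || n.indexOf("plasma") !== -1);
  return named || env["KDE_FULL_SESSION"] === "true";
}

// Returns the value for --password-store, or null for "no override".
// A caller would pass a non-null result to app.commandLine.appendSwitch
// before app.ready.
function resolveSwitch(platform: string, argv: string[], settings: Settings, env: Env): string | null {
  if (platform !== "linux") return null;
  if (cliHasPasswordStore(argv)) return null; // explicit CLI choice wins
  const pref = String(normalizeSettings(settings)["linuxPasswordStore"]);
  if (pref !== "auto") return pref;
  // Unknown sessions (e.g. Niri) get libsecret rather than basic_text.
  return isKdeSession(env) ? "kwallet" : "gnome-libsecret";
}
```
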

coderabbitai Bot commented Jun 2, 2026

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@github-actions github-actions Bot added vouch:unvouched PR author is not yet trusted in the VOUCHED list. size:L 100-499 changed lines (additions + deletions). labels Jun 2, 2026
Comment thread apps/desktop/src/app/DesktopApp.ts
macroscopeapp Bot commented Jun 2, 2026

Approvability

Verdict: Needs human review

This PR introduces a new Linux feature for secret storage backend selection, including new settings, desktop environment detection heuristics, D-Bus integration, and changes to Electron initialization. The scope and behavioral impact warrant human review despite the 'fix' prefix.

@mwolson mwolson marked this pull request as draft June 3, 2026 01:56
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch 3 times, most recently from 1ec83f0 to 57dcaa9 Compare June 3, 2026 14:00
@mwolson mwolson marked this pull request as ready for review June 3, 2026 14:37
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch from 57dcaa9 to 9bf124e Compare June 3, 2026 14:41
Comment thread apps/desktop/src/main.ts Outdated
@mwolson mwolson marked this pull request as draft June 3, 2026 14:57
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch 7 times, most recently from c4ee8d6 to 5f02a0e Compare June 3, 2026 17:33
@mwolson mwolson marked this pull request as ready for review June 3, 2026 17:58
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch from 5f02a0e to a8ab180 Compare June 3, 2026 18:02
@juliusmarminge juliusmarminge force-pushed the fix/linux-secret-store-backend-v2 branch from a8ab180 to f38b824 Compare June 4, 2026 00:57
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch 4 times, most recently from f9c8c69 to 219f76d Compare June 11, 2026 13:35
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch from 219f76d to 7704609 Compare June 12, 2026 02:10

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 7704609.

Comment thread apps/desktop/src/app/DesktopEarlyElectronStartup.ts
@mwolson mwolson force-pushed the fix/linux-secret-store-backend-v2 branch from 7704609 to e9f8d2e Compare June 12, 2026 02:27