feat(desktop-main): add electron-store and safeStorage wrapper for secrets (#227)

Closes #150

## Summary

- Adds `electron-store ^11.0.2` as the persistent app-state backing
store under `app.getPath('userData')/electron-store.json`
- Introduces `SafeStorageService` wrapping Electron's
`safeStorage.encryptString`/`decryptString` with graceful non-Electron
degradation (plaintext passthrough in CI/tests)
- Introduces `ElectronStoreService` with a typed `AppStoreSchema`
(wizardCompleted, activeCloud, aws.*) and transparent encryption of
secret fields (accessKeyId, secretAccessKey) via SafeStorageService

## Changes

```
app/packages/desktop-main/package.json             |   1 +   electron-store ^11.0.2 added
app/packages/desktop-main/src/app.module.ts        |   4 +   both services registered as providers
src/services/ElectronStoreService.ts               | 161 +++ new service + AppStoreSchema
src/services/SafeStorageService.ts                 | 134 +++ new service
src/services/ElectronStoreService.test.ts          | 233 +++ 12 unit tests
src/services/SafeStorageService.test.ts            | 209 +++ 16 unit tests (inc. keychain-unavailable path)
```

## Test plan

- [x] 553 unit tests pass (`npm run app:test`)
- [x] Lint passes (0 errors)
- [x] TypeScript clean on new files
- [ ] Manual: app state (wizardCompleted, activeCloud,
aws.region/profile) survives an Electron restart
- [ ] Manual: accessKeyId/secretAccessKey unreadable without OS keychain
(base64 blob on disk)
- [ ] Manual: graceful degradation on Linux CI runner without libsecret
(plaintext passthrough with warning log)

## Design notes

- `SafeStorageService.encrypt()`/`decrypt()` gate on `isAvailable()`
(Electron present **and** OS keychain unlocked), not just
`readIsElectron()` — prevents throws on Linux without libsecret
- `aws.region`/`aws.profile` are optional in `AppStoreSchema` so secrets
can be written before the wizard completes region/profile selection
- Outside Electron both services degrade to an in-memory Map; the public
API is identical so callers need no branching

<details>
<summary>Mission log</summary>

```
pre-launch    ✓  6 tasks planned
liftoff       ✓  6/6 tasks passed (Apollo→Faraday)
systems-check ✓  3 findings fixed (Glenn, Hadfield, Irwin)
```

</details>

🤖 Generated via /mission

Author: CoderCoco

app/packages/desktop-main/package.json

@@ -22,6 +22,7 @@
     "@nestjs/core": "^10.4.0",
     "@nestjs/microservices": "^10.4.0",
     "@nestjs/platform-express": "^10.4.0",
+    "electron-store": "^11.0.2",
     "express": "^4.19.2",
     "fix-path": "^4.0.0",
     "nestjs-electron-ipc-transport": "^1.0.2",

app/packages/desktop-main/src/app.module.ts

@@ -15,6 +15,8 @@ import { EnvController } from './controllers/env.controller.js';
 import { DiagnosticsController } from './controllers/diagnostics.controller.js';
 import { ApiTokenGuard } from './guards/api-token.guard.js';
 import { DiagnosticsService, DIAGNOSTICS_LOG_DIR } from './services/DiagnosticsService.js';
+import { SafeStorageService } from './services/SafeStorageService.js';
+import { ElectronStoreService } from './services/ElectronStoreService.js';
 
 /**
  * Root Nest module. Wires the feature modules (`AwsModule`, `DiscordModule`) to
@@ -50,6 +52,8 @@ import { DiagnosticsService, DIAGNOSTICS_LOG_DIR } from './services/DiagnosticsS
       },
     },
     DiagnosticsService,
+    SafeStorageService,
+    ElectronStoreService,
   ],
 })
 export class AppModule {}

app/packages/desktop-main/src/services/ElectronStoreService.test.ts

@@ -0,0 +1,233 @@
+/**
+ * Unit tests for ElectronStoreService.
+ *
+ * `electron-store` is mocked at the module level so no real disk I/O or
+ * Electron native modules are ever touched.  Protected methods
+ * (`readIsElectron`, `createStore`) are stubbed via `vi.spyOn` on the
+ * prototype before each Electron-path construction so the constructor takes
+ * the right branch.
+ */
+import 'reflect-metadata';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import type Store from 'electron-store';
+
+vi.mock('../logger.js', () => ({
+  logger: { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+}));
+
+vi.mock('electron-store', () => {
+  const MockStore = vi.fn().mockImplementation(() => ({
+    get: vi.fn(),
+    set: vi.fn(),
+  }));
+  return { default: MockStore };
+});
+
+import { ElectronStoreService, type AppStoreSchema } from './ElectronStoreService.js';
+import { SafeStorageService } from './SafeStorageService.js';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Creates a `SafeStorageService` whose `encrypt` / `decrypt` methods are
+ * identity functions by default (outside-Electron degraded path).
+ */
+function makeSafeStorage(): SafeStorageService {
+  return new SafeStorageService();
+}
+
+/**
+ * Builds a minimal mock `Store<AppStoreSchema>` compatible with what
+ * `ElectronStoreService` calls on it.
+ */
+function makeMockStore(): Store<AppStoreSchema> {
+  return {
+    get: vi.fn(),
+    set: vi.fn(),
+  } as unknown as Store<AppStoreSchema>;
+}
+
+// ---------------------------------------------------------------------------
+// Non-Electron path (Map fallback)
+// ---------------------------------------------------------------------------
+
+describe('ElectronStoreService — non-Electron path (Map fallback)', () => {
+  let service: ElectronStoreService;
+  let safeStorage: SafeStorageService;
+
+  beforeEach(() => {
+    safeStorage = makeSafeStorage();
+    // process.versions['electron'] is not set in Vitest/Node, so the Map
+    // fallback is used automatically — no spy needed.
+    service = new ElectronStoreService(safeStorage);
+    vi.clearAllMocks();
+  });
+
+  it('should use Map fallback when not running in Electron', () => {
+    expect(service.isElectron()).toBe(false);
+    expect(service.get('wizardCompleted')).toBeUndefined();
+  });
+
+  it('should store and retrieve a value in Map fallback', () => {
+    service.set('wizardCompleted', true);
+
+    expect(service.get('wizardCompleted')).toBe(true);
+  });
+
+  it('should store and retrieve a nested object in Map fallback', () => {
+    const awsValue: AppStoreSchema['aws'] = { region: 'us-east-1', profile: 'default' };
+    service.set('aws', awsValue);
+
+    expect(service.get('aws')).toEqual(awsValue);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Electron path (mocked Store)
+// ---------------------------------------------------------------------------
+
+describe('ElectronStoreService — Electron path (mocked Store)', () => {
+  let service: ElectronStoreService;
+  let safeStorage: SafeStorageService;
+  let mockStore: Store<AppStoreSchema>;
+
+  beforeEach(() => {
+    safeStorage = makeSafeStorage();
+    mockStore = makeMockStore();
+
+    // Stub prototype BEFORE construction so the constructor takes the Electron branch.
+    vi.spyOn(
+      ElectronStoreService.prototype as unknown as { readIsElectron(): boolean },
+      'readIsElectron',
+    ).mockReturnValue(true);
+    vi.spyOn(
+      ElectronStoreService.prototype as unknown as { createStore(): Store<AppStoreSchema> },
+      'createStore',
+    ).mockReturnValue(mockStore);
+
+    service = new ElectronStoreService(safeStorage);
+    vi.clearAllMocks();
+  });
+
+  it('should call store.get when running in Electron', () => {
+    (mockStore.get as ReturnType<typeof vi.fn>).mockReturnValue(true);
+
+    const result = service.get('wizardCompleted');
+
+    expect(mockStore.get).toHaveBeenCalledWith('wizardCompleted');
+    expect(result).toBe(true);
+  });
+
+  it('should call store.set when running in Electron', () => {
+    service.set('wizardCompleted', true);
+
+    expect(mockStore.set).toHaveBeenCalledWith('wizardCompleted', true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Secret field — setSecretAccessKeyId / getSecretAccessKeyId
+// ---------------------------------------------------------------------------
+
+describe('ElectronStoreService — setSecretAccessKeyId / getSecretAccessKeyId', () => {
+  let service: ElectronStoreService;
+  let safeStorage: SafeStorageService;
+
+  beforeEach(() => {
+    safeStorage = makeSafeStorage();
+    service = new ElectronStoreService(safeStorage);
+    vi.clearAllMocks();
+  });
+
+  it('should encrypt accessKeyId before storing', () => {
+    vi.spyOn(safeStorage, 'encrypt').mockReturnValue('enc-key-id');
+
+    service.setSecretAccessKeyId('AKID123');
+
+    expect(safeStorage.encrypt).toHaveBeenCalledWith('AKID123');
+    const stored = service.get('aws');
+    expect(stored?.accessKeyId).toBe('enc-key-id');
+  });
+
+  it('should decrypt accessKeyId when reading', () => {
+    service.set('aws', { region: 'us-east-1', profile: 'default', accessKeyId: 'enc-key-id' });
+    vi.spyOn(safeStorage, 'decrypt').mockReturnValue('AKID123');
+
+    const result = service.getSecretAccessKeyId();
+
+    expect(safeStorage.decrypt).toHaveBeenCalledWith('enc-key-id');
+    expect(result).toBe('AKID123');
+  });
+
+  it('should return undefined for accessKeyId when not stored', () => {
+    expect(service.getSecretAccessKeyId()).toBeUndefined();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Secret field — setSecretAccessKey / getSecretAccessKey
+// ---------------------------------------------------------------------------
+
+describe('ElectronStoreService — setSecretAccessKey / getSecretAccessKey', () => {
+  let service: ElectronStoreService;
+  let safeStorage: SafeStorageService;
+
+  beforeEach(() => {
+    safeStorage = makeSafeStorage();
+    service = new ElectronStoreService(safeStorage);
+    vi.clearAllMocks();
+  });
+
+  it('should encrypt secretAccessKey before storing', () => {
+    vi.spyOn(safeStorage, 'encrypt').mockReturnValue('enc-secret-key');
+
+    service.setSecretAccessKey('MY_SECRET');
+
+    expect(safeStorage.encrypt).toHaveBeenCalledWith('MY_SECRET');
+    const stored = service.get('aws');
+    expect(stored?.secretAccessKey).toBe('enc-secret-key');
+  });
+
+  it('should decrypt secretAccessKey when reading', () => {
+    service.set('aws', { region: 'us-east-1', profile: 'default', secretAccessKey: 'enc-secret-key' });
+    vi.spyOn(safeStorage, 'decrypt').mockReturnValue('MY_SECRET');
+
+    const result = service.getSecretAccessKey();
+
+    expect(safeStorage.decrypt).toHaveBeenCalledWith('enc-secret-key');
+    expect(result).toBe('MY_SECRET');
+  });
+
+  it('should return undefined for secretAccessKey when not stored', () => {
+    expect(service.getSecretAccessKey()).toBeUndefined();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Round-trip
+// ---------------------------------------------------------------------------
+
+describe('ElectronStoreService — round-trip', () => {
+  let service: ElectronStoreService;
+  let safeStorage: SafeStorageService;
+
+  beforeEach(() => {
+    safeStorage = makeSafeStorage();
+    service = new ElectronStoreService(safeStorage);
+    vi.clearAllMocks();
+  });
+
+  it('should encrypt and decrypt accessKeyId in a round-trip', () => {
+    vi.spyOn(safeStorage, 'encrypt').mockImplementation((plaintext: string) => `enc-${plaintext}`);
+    vi.spyOn(safeStorage, 'decrypt').mockImplementation((ciphertext: string) =>
+      ciphertext.startsWith('enc-') ? ciphertext.slice(4) : ciphertext,
+    );
+
+    service.setSecretAccessKeyId('AKID123');
+    const result = service.getSecretAccessKeyId();
+
+    expect(result).toBe('AKID123');
+  });
+});