From b69a94d8469f953ec69443a60f8cffc354161487 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt <arraybolt3@gmail.com>
Date: Tue, 24 Feb 2026 22:45:52 -0500
Subject: [PATCH] Add property-set:template handler, refactor to reduce
 redundancy

Now when a user sets an AppVM to be based on a Kicksecure
template, it will automatically be tagged appropriately.

Fixes: https://github.com/QubesOS/qubes-issues/issues/10645
---
 qubeskicksecure/__init__.py | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/qubeskicksecure/__init__.py b/qubeskicksecure/__init__.py
index 60cbc74..934e272 100644
--- a/qubeskicksecure/__init__.py
+++ b/qubeskicksecure/__init__.py
@@ -27,18 +27,28 @@
 class QubesKicksecureExtension(qubes.ext.Extension):
     """qubes-core-admin extension for handling Kicksecure related settings"""
 
+    def apply_tags(self, vm):
+        """Apply the appropriate tags to Kicksecure VMs."""
+        if not isinstance(vm, qubes.vm.LocalVM):
+            return
+
+        if vm.features.check_with_template(
+            "whonix-gw", None
+        ) or vm.features.check_with_template("whonix-ws", None):
+            return
+
+        if vm.features.check_with_template("kicksecure", None):
+            vm.tags.add("sdwdate-gui-client")
+        else:
+            vm.tags.discard("sdwdate-gui-client")
+
     @qubes.ext.handler("domain-add", system=True)
     def on_domain_add(self, app, _event, vm, **_kwargs):
         """Handle new AppVM created on kicksecure template and adjust its
         default settings
         """
         # pylint: disable=unused-argument
-        template = getattr(vm, "template", None)
-        if template is None:
-            return
-
-        if "kicksecure" in template.features:
-            vm.tags.add("sdwdate-gui-client")
+        self.apply_tags(vm)
 
     @qubes.ext.handler("features-request")
     def on_features_request(self, vm, _event, untrusted_features):
@@ -53,6 +63,12 @@ def on_features_request(self, vm, _event, untrusted_features):
     @qubes.ext.handler("domain-load")
     def on_domain_load(self, vm, _event):
         """Retroactively add tags to kicksecure."""
-        if vm.features.check_with_template("kicksecure", None):
-            if "sdwdate-gui-client" not in vm.tags:
-                vm.tags.add("sdwdate-gui-client")
+        self.apply_tags(vm)
+
+    @qubes.ext.handler("property-set:template")
+    def on_property_set_template(
+        self, vm, event, name, newvalue, oldvalue=None
+    ):
+        # pylint: disable=too-many-positional-arguments, unused-argument
+        """Add tags to AppVMs that become based upon Kicksecure."""
+        self.apply_tags(vm)