fix(desktop): select Linux secret storage backend

Author: mwolson

apps/desktop/src/desktopSettings.test.ts

@@ -35,6 +35,7 @@ describe("desktopSettings", () => {
 
   it("defaults packaged nightly builds to the nightly update channel", () => {
     expect(resolveDefaultDesktopSettings("0.0.17-nightly.20260415.1")).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -47,6 +48,7 @@ describe("desktopSettings", () => {
     const settingsPath = makeSettingsPath();
 
     writeDesktopSettings(settingsPath, {
+      linuxPasswordStore: "gnome-libsecret",
       serverExposureMode: "network-accessible",
       tailscaleServeEnabled: true,
       tailscaleServePort: 8443,
@@ -55,6 +57,7 @@ describe("desktopSettings", () => {
     });
 
     expect(readDesktopSettings(settingsPath, "0.0.17")).toEqual({
+      linuxPasswordStore: "gnome-libsecret",
       serverExposureMode: "network-accessible",
       tailscaleServeEnabled: true,
       tailscaleServePort: 8443,
@@ -67,6 +70,7 @@ describe("desktopSettings", () => {
     expect(
       setDesktopServerExposurePreference(
         {
+          linuxPasswordStore: "auto",
           serverExposureMode: "local-only",
           tailscaleServeEnabled: false,
           tailscaleServePort: 443,
@@ -76,6 +80,7 @@ describe("desktopSettings", () => {
         "network-accessible",
       ),
     ).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "network-accessible",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -88,6 +93,7 @@ describe("desktopSettings", () => {
     expect(
       setDesktopTailscaleServePreference(
         {
+          linuxPasswordStore: "auto",
           serverExposureMode: "local-only",
           tailscaleServeEnabled: false,
           tailscaleServePort: 443,
@@ -97,6 +103,7 @@ describe("desktopSettings", () => {
         { enabled: true, port: 8443 },
       ),
     ).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: true,
       tailscaleServePort: 8443,
@@ -109,6 +116,7 @@ describe("desktopSettings", () => {
     expect(
       setDesktopTailscaleServePreference(
         {
+          linuxPasswordStore: "auto",
           serverExposureMode: "local-only",
           tailscaleServeEnabled: false,
           tailscaleServePort: 8443,
@@ -118,6 +126,7 @@ describe("desktopSettings", () => {
         { enabled: true },
       ),
     ).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: true,
       tailscaleServePort: 8443,
@@ -130,6 +139,7 @@ describe("desktopSettings", () => {
     expect(
       setDesktopUpdateChannelPreference(
         {
+          linuxPasswordStore: "auto",
           serverExposureMode: "local-only",
           tailscaleServeEnabled: false,
           tailscaleServePort: 443,
@@ -139,6 +149,7 @@ describe("desktopSettings", () => {
         "nightly",
       ),
     ).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -159,6 +170,7 @@ describe("desktopSettings", () => {
     fs.writeFileSync(settingsPath, JSON.stringify({ serverExposureMode: "local-only" }), "utf8");
 
     expect(readDesktopSettings(settingsPath, "0.0.17-nightly.20260415.1")).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -179,6 +191,7 @@ describe("desktopSettings", () => {
     );
 
     expect(readDesktopSettings(settingsPath, "0.0.17-nightly.20260415.1")).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -200,6 +213,7 @@ describe("desktopSettings", () => {
     );
 
     expect(readDesktopSettings(settingsPath, "0.0.17-nightly.20260415.1")).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: false,
       tailscaleServePort: 443,
@@ -220,6 +234,7 @@ describe("desktopSettings", () => {
     );
 
     expect(readDesktopSettings(settingsPath, "0.0.17")).toEqual({
+      linuxPasswordStore: "auto",
       serverExposureMode: "local-only",
       tailscaleServeEnabled: true,
       tailscaleServePort: 443,

apps/desktop/src/desktopSettings.ts

@@ -2,9 +2,15 @@ import * as FS from "node:fs";
 import * as Path from "node:path";
 import type { DesktopServerExposureMode, DesktopUpdateChannel } from "@t3tools/contracts";
 
+import {
+  DEFAULT_LINUX_PASSWORD_STORE,
+  normalizeLinuxPasswordStorePreference,
+  type LinuxPasswordStorePreference,
+} from "./linuxSecretStorage.ts";
 import { resolveDefaultDesktopUpdateChannel } from "./updateChannels.ts";
 
 export interface DesktopSettings {
+  readonly linuxPasswordStore: LinuxPasswordStorePreference;
   readonly serverExposureMode: DesktopServerExposureMode;
   readonly tailscaleServeEnabled: boolean;
   readonly tailscaleServePort: number;
@@ -15,6 +21,7 @@ export interface DesktopSettings {
 export const DEFAULT_TAILSCALE_SERVE_PORT = 443;
 
 export const DEFAULT_DESKTOP_SETTINGS: DesktopSettings = {
+  linuxPasswordStore: DEFAULT_LINUX_PASSWORD_STORE,
   serverExposureMode: "local-only",
   tailscaleServeEnabled: false,
   tailscaleServePort: DEFAULT_TAILSCALE_SERVE_PORT,
@@ -85,6 +92,7 @@ export function readDesktopSettings(settingsPath: string, appVersion: string): D
 
     const raw = FS.readFileSync(settingsPath, "utf8");
     const parsed = JSON.parse(raw) as {
+      readonly linuxPasswordStore?: unknown;
       readonly serverExposureMode?: unknown;
       readonly tailscaleServeEnabled?: unknown;
       readonly tailscaleServePort?: unknown;
@@ -101,6 +109,7 @@ export function readDesktopSettings(settingsPath: string, appVersion: string): D
       (isLegacySettings && parsedUpdateChannel === "nightly");
 
     return {
+      linuxPasswordStore: normalizeLinuxPasswordStorePreference(parsed.linuxPasswordStore),
       serverExposureMode:
         parsed.serverExposureMode === "network-accessible" ? "network-accessible" : "local-only",
       tailscaleServeEnabled: parsed.tailscaleServeEnabled === true,

apps/desktop/src/linuxSecretStorage.test.ts

@@ -0,0 +1,98 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  normalizeLinuxPasswordStorePreference,
+  resolveLinuxPasswordStoreSwitch,
+  resolveLinuxSecretStorageUnavailableMessage,
+} from "./linuxSecretStorage.ts";
+
+describe("linuxSecretStorage", () => {
+  it("preserves explicit supported password-store preferences", () => {
+    expect(normalizeLinuxPasswordStorePreference("gnome-libsecret")).toBe("gnome-libsecret");
+    expect(normalizeLinuxPasswordStorePreference("kwallet")).toBe("kwallet");
+    expect(normalizeLinuxPasswordStorePreference("kwallet5")).toBe("kwallet5");
+    expect(normalizeLinuxPasswordStorePreference("kwallet6")).toBe("kwallet6");
+  });
+
+  it("falls back to auto for missing or unsupported preferences", () => {
+    expect(normalizeLinuxPasswordStorePreference(undefined)).toBe("auto");
+    expect(normalizeLinuxPasswordStorePreference("basic")).toBe("auto");
+  });
+
+  it("does not force a password-store for desktops Electron already recognizes", () => {
+    expect(
+      resolveLinuxPasswordStoreSwitch({
+        preference: "auto",
+        env: { XDG_CURRENT_DESKTOP: "GNOME" },
+      }),
+    ).toBeNull();
+    expect(
+      resolveLinuxPasswordStoreSwitch({
+        preference: "auto",
+        env: { XDG_CURRENT_DESKTOP: "KDE", KDE_SESSION_VERSION: "6" },
+      }),
+    ).toBeNull();
+  });
+
+  it("forces gnome-libsecret for unrecognized Linux desktop sessions", () => {
+    expect(
+      resolveLinuxPasswordStoreSwitch({
+        preference: "auto",
+        env: { XDG_CURRENT_DESKTOP: "niri" },
+      }),
+    ).toBe("gnome-libsecret");
+  });
+
+  it("uses explicit preferences instead of the auto heuristic", () => {
+    expect(
+      resolveLinuxPasswordStoreSwitch({
+        preference: "kwallet6",
+        env: { XDG_CURRENT_DESKTOP: "niri" },
+      }),
+    ).toBe("kwallet6");
+  });
+
+  it("uses GNOME Keyring remediation for libsecret and unknown backends", () => {
+    expect(
+      resolveLinuxSecretStorageUnavailableMessage({
+        configuredPreference: "auto",
+        selectedBackend: "gnome_libsecret",
+        env: { XDG_CURRENT_DESKTOP: "niri" },
+      }),
+    ).toContain("GNOME Keyring");
+  });
+
+  it("prefers explicit libsecret selection over KDE desktop heuristics", () => {
+    expect(
+      resolveLinuxSecretStorageUnavailableMessage({
+        configuredPreference: "gnome-libsecret",
+        selectedBackend: "unknown",
+        env: { XDG_CURRENT_DESKTOP: "KDE" },
+      }),
+    ).toContain("GNOME Keyring");
+    expect(
+      resolveLinuxSecretStorageUnavailableMessage({
+        configuredPreference: "auto",
+        selectedBackend: "gnome_libsecret",
+        env: { XDG_CURRENT_DESKTOP: "KDE" },
+      }),
+    ).toContain("GNOME Keyring");
+  });
+
+  it("uses KWallet remediation for KDE desktops and selected backends", () => {
+    expect(
+      resolveLinuxSecretStorageUnavailableMessage({
+        configuredPreference: "auto",
+        selectedBackend: "kwallet6",
+        env: {},
+      }),
+    ).toContain("KWallet");
+    expect(
+      resolveLinuxSecretStorageUnavailableMessage({
+        configuredPreference: "auto",
+        selectedBackend: "unknown",
+        env: { XDG_CURRENT_DESKTOP: "KDE" },
+      }),
+    ).toContain("KWallet");
+  });
+});

apps/desktop/src/linuxSecretStorage.ts

@@ -0,0 +1,108 @@
+export type LinuxPasswordStorePreference =
+  | "auto"
+  | "gnome-libsecret"
+  | "kwallet"
+  | "kwallet5"
+  | "kwallet6";
+export type LinuxPasswordStoreSwitch = Exclude<LinuxPasswordStorePreference, "auto">;
+
+export const DEFAULT_LINUX_PASSWORD_STORE: LinuxPasswordStorePreference = "auto";
+
+const ELECTRON_LIBSECRET_DESKTOPS = new Set([
+  "deepin",
+  "gnome",
+  "pantheon",
+  "ukui",
+  "unity",
+  "x-cinnamon",
+  "xfce",
+]);
+
+const KDE_DESKTOPS = new Set(["kde", "kde4", "kde5", "kde6", "plasma"]);
+
+export function normalizeLinuxPasswordStorePreference(
+  value: unknown,
+): LinuxPasswordStorePreference {
+  return value === "gnome-libsecret" ||
+    value === "kwallet" ||
+    value === "kwallet5" ||
+    value === "kwallet6"
+    ? value
+    : DEFAULT_LINUX_PASSWORD_STORE;
+}
+
+export function resolveLinuxPasswordStoreSwitch(input: {
+  readonly preference: LinuxPasswordStorePreference;
+  readonly env: NodeJS.ProcessEnv;
+}): LinuxPasswordStoreSwitch | null {
+  if (input.preference !== "auto") {
+    return input.preference;
+  }
+
+  return isElectronKnownLinuxSecretStorageDesktop(input.env) ? null : "gnome-libsecret";
+}
+
+export function resolveLinuxSecretStorageUnavailableMessage(input: {
+  readonly configuredPreference: LinuxPasswordStorePreference;
+  readonly selectedBackend: string | null;
+  readonly env: NodeJS.ProcessEnv;
+}): string {
+  const backend = normalizeSelectedStorageBackend(input.selectedBackend);
+  if (input.configuredPreference === "gnome-libsecret" || backend === "gnome-libsecret") {
+    return getGnomeKeyringRemediationMessage();
+  }
+
+  if (
+    input.configuredPreference === "kwallet" ||
+    input.configuredPreference === "kwallet5" ||
+    input.configuredPreference === "kwallet6" ||
+    backend === "kwallet" ||
+    backend === "kwallet5" ||
+    backend === "kwallet6" ||
+    isKdeDesktop(input.env)
+  ) {
+    return "T3 Code could not access KWallet to save this environment credential. Enable the KDE wallet subsystem in System Settings, then restart T3 Code.";
+  }
+
+  return getGnomeKeyringRemediationMessage();
+}
+
+function getGnomeKeyringRemediationMessage(): string {
+  return "T3 Code could not access GNOME Keyring to save this environment credential. Install and start GNOME Keyring, then restart T3 Code.";
+}
+
+function isElectronKnownLinuxSecretStorageDesktop(env: NodeJS.ProcessEnv): boolean {
+  return resolveLinuxDesktopNames(env).some(
+    (name) => ELECTRON_LIBSECRET_DESKTOPS.has(name) || KDE_DESKTOPS.has(name),
+  );
+}
+
+function isKdeDesktop(env: NodeJS.ProcessEnv): boolean {
+  return resolveLinuxDesktopNames(env).some((name) => KDE_DESKTOPS.has(name));
+}
+
+function resolveLinuxDesktopNames(env: NodeJS.ProcessEnv): string[] {
+  return [
+    ...splitDesktopNameList(env.XDG_CURRENT_DESKTOP),
+    env.DESKTOP_SESSION,
+    env.GDMSESSION,
+    env.KDE_SESSION_VERSION ? `kde${env.KDE_SESSION_VERSION}` : undefined,
+  ].flatMap((entry) => {
+    const normalized = normalizeDesktopName(entry);
+    return normalized ? [normalized] : [];
+  });
+}
+
+function splitDesktopNameList(value: string | undefined): string[] {
+  return value?.split(":") ?? [];
+}
+
+function normalizeDesktopName(value: string | undefined): string | null {
+  const normalized = value?.trim().toLowerCase();
+  return normalized && normalized.length > 0 ? normalized : null;
+}
+
+function normalizeSelectedStorageBackend(value: string | null): string | null {
+  const normalized = value?.trim().toLowerCase().replace(/_/gu, "-");
+  return normalized && normalized.length > 0 ? normalized : null;
+}