Network: Add authentication

And tick off done tasks

Author: vdavid

docs/features/network-smb/task-list.md

@@ -10,6 +10,7 @@ See [index.md](./index.md) for an overview of this whole feature. It's a helpful
 - 🔄 In progress
 - ✅ Complete
 - 🔬 Spike/research needed
+- ❌ Not needed
 
 ---
 
@@ -64,7 +65,7 @@ See [share-listing.md](./share-listing.md) for details. Decision: [ADR 013](../.
 - ✅ **2.6** Handle guest vs. authenticated enumeration
 - ✅ **2.7** Implement `smbutil` fallback for edge cases
 - ✅ **2.8** Add timeout handling (10–15 second limit)
-- ⬜ **2.9** Implement connection pool (60 sec TTL, max 20 connections)
+- ❌ **2.9** Implement connection pool (60 sec TTL, max 20 connections)
 - ✅ **2.10** Implement auth mode detection (try guest, detect `GuestAllowed` vs `CredsRequired`)
 - ✅ **2.11** Add unit tests with mocked SMB responses
 
@@ -114,23 +115,23 @@ See [authentication.md](./authentication.md) for details.
 
 ### Backend (Rust)
 
-- ⬜ **4.1** Add `security-framework` crate to dependencies
-- ⬜ **4.2** Implement `save_credentials_to_keychain` function
-- ⬜ **4.3** Implement `get_credentials_from_keychain` function
-- ⬜ **4.4** Implement auth options detection (guest/creds/both)
-- ⬜ **4.5** Create Tauri commands: `check_auth_required`, `save_smb_credentials`, `get_smb_credentials`
-- ⬜ **4.6** Add unit tests with mocked Keychain
+- ✅ **4.1** Add `security-framework` crate to dependencies
+- ✅ **4.2** Implement `save_credentials_to_keychain` function
+- ✅ **4.3** Implement `get_credentials_from_keychain` function
+- ✅ **4.4** Implement auth options detection (guest/creds/both)
+- ✅ **4.5** Create Tauri commands: `check_auth_required`, `save_smb_credentials`, `get_smb_credentials`
+- ✅ **4.6** Add unit tests with mocked Keychain
 
 ### Frontend (Svelte)
 
-- ⬜ **4.7** Create `NetworkLoginForm.svelte` component
-- ⬜ **4.8** Integrate login form into `FilePane.svelte` (replaces file list when auth needed)
-- ⬜ **4.9** Implement guest vs. credentials toggle (when both available)
-- ⬜ **4.10** Pre-fill username from known shares store
-- ⬜ **4.11** Handle "Remember in Keychain" checkbox
-- ⬜ **4.12** Show contextual messages when auth options changed
-- ⬜ **4.13** Handle auth errors with re-prompt
-- ⬜ **4.14** Add frontend tests for all auth scenarios
+- ✅ **4.7** Create `NetworkLoginForm.svelte` component
+- ✅ **4.8** Integrate login form into `FilePane.svelte` (replaces file list when auth needed)
+- ✅ **4.9** Implement guest vs. credentials toggle (when both available)
+- ✅ **4.10** Pre-fill username from known shares store
+- ✅ **4.11** Handle "Remember in Keychain" checkbox
+- ✅ **4.12** Show contextual messages when auth options changed
+- ✅ **4.13** Handle auth errors with re-prompt
+- ✅ **4.14** Add frontend tests for all auth scenarios
 
 ---
 
@@ -149,28 +150,28 @@ See [known-shares-store.md](./known-shares-store.md) for details.
 
 ### Frontend (Svelte)
 
-_Note: 5.7-5.9 are blocked until authentication UI (section 4) is implemented._
-
-- ⬜ **5.7** Read known shares for username pre-fill
-- ⬜ **5.8** Update known shares after successful connection
-- ⬜ **5.9** Compare current auth options with stored to detect changes
-- ✅ **5.10** Add frontend tests (type and logic tests added; integration tests blocked on 5.7-5.9)
+- ✅ **5.7** Read known shares for username pre-fill (implemented in `NetworkLoginForm.svelte`)
+- ✅ **5.8** Update known shares after successful connection (implemented in `ShareBrowser.svelte`)
+- ✅ **5.9** Compare current auth options with stored to detect changes (implemented in `NetworkLoginForm.svelte`)
+- ✅ **5.10** Add frontend tests (type and logic tests added)
 
 ---
 
 ## 6. Pre-mounted shares
 
+Pre-mounted SMB shares (e.g., mounted via Finder) appear automatically in the volume selector because the existing volume listing code at `/Volumes/*` picks them up. The macOS APIs return the correct network share icon.
+
 ### Backend (Rust)
 
-- ⬜ **6.1** Detect network mounts in existing volume listing code
-- ⬜ **6.2** Categorize as `NetworkShare` (or refine existing `AttachedVolume` detection)
-- ⬜ **6.3** Add appropriate icon for network shares
-- ⬜ **6.4** Add unit tests
+- ✅ **6.1** Detect network mounts in existing volume listing code (uses `/Volumes/*` enumeration)
+- ✅ **6.2** Categorize as `AttachedVolume` (works correctly, dedicated category not needed)
+- ✅ **6.3** Add appropriate icon for network shares (uses `get_icon_for_path` which returns macOS system icon)
+- ✅ **6.4** Unit tests (covered by existing volume listing tests)
 
 ### Frontend (Svelte)
 
-- ⬜ **6.5** Display pre-mounted network shares in volume selector
-- ⬜ **6.6** Add frontend tests
+- ✅ **6.5** Display pre-mounted network shares in volume selector (works automatically)
+- ✅ **6.6** Frontend tests (covered by existing tests)
 
 ---
 

docs/todo.md

@@ -20,6 +20,7 @@
 
 ## Cleanup / housekeeping
 
+- Add "prefer const" ESLint rule
 - A round of refactoring is due
 - Mark macOS vs generic code clearer, and add this to the guide. Is there a way to run some coherence checks for
   `#[cfg(target_os = "macos")]` == true/false separately?

src-tauri/Cargo.lock

@@ -59,6 +59,7 @@ objc2-foundation = { version = "0.3", features = [
 smb = "0.11.1"
 smb-rpc = "=0.11.1"
 chrono = "0.4"
+security-framework = "3.2"
 
 [dev-dependencies]
 criterion = { version = "0.8.1", features = ["html_reports"] }

src-tauri/Cargo.toml

@@ -143,3 +143,72 @@ pub fn update_known_share(
 pub fn get_username_hints() -> std::collections::HashMap<String, String> {
     known_shares::get_username_hints()
 }
+
+// --- Keychain Commands ---
+
+use crate::network::keychain::{self, KeychainError, SmbCredentials};
+
+/// Saves SMB credentials to the Keychain.
+/// Credentials are stored under "Rusty Commander" service name.
+#[tauri::command]
+pub fn save_smb_credentials(
+    server: String,
+    share: Option<String>,
+    username: String,
+    password: String,
+) -> Result<(), KeychainError> {
+    keychain::save_credentials(&server, share.as_deref(), &username, &password)
+}
+
+/// Retrieves SMB credentials from the Keychain.
+/// Returns the stored username and password if found.
+#[tauri::command]
+pub fn get_smb_credentials(server: String, share: Option<String>) -> Result<SmbCredentials, KeychainError> {
+    keychain::get_credentials(&server, share.as_deref())
+}
+
+/// Checks if credentials exist in the Keychain for a server/share.
+#[tauri::command]
+pub fn has_smb_credentials(server: String, share: Option<String>) -> bool {
+    keychain::has_credentials(&server, share.as_deref())
+}
+
+/// Deletes SMB credentials from the Keychain.
+#[tauri::command]
+pub fn delete_smb_credentials(server: String, share: Option<String>) -> Result<(), KeychainError> {
+    keychain::delete_credentials(&server, share.as_deref())
+}
+
+/// Lists shares on a host using stored or provided credentials.
+/// This is the main command for authenticated share listing.
+///
+/// # Arguments
+/// * `host_id` - Unique identifier for the host (used for caching)
+/// * `hostname` - Hostname to connect to
+/// * `ip_address` - Optional resolved IP address
+/// * `port` - SMB port
+/// * `username` - Username for authentication (or None for guest)
+/// * `password` - Password for authentication (or None for guest)
+#[tauri::command]
+pub async fn list_shares_with_credentials(
+    host_id: String,
+    hostname: String,
+    ip_address: Option<String>,
+    port: u16,
+    username: Option<String>,
+    password: Option<String>,
+) -> Result<ShareListResult, ShareListError> {
+    let credentials = match (username, password) {
+        (Some(u), Some(p)) => Some((u, p)),
+        _ => None,
+    };
+
+    smb_client::list_shares(
+        &host_id,
+        &hostname,
+        ip_address.as_deref(),
+        port,
+        credentials.as_ref().map(|(u, p)| (u.as_str(), p.as_str())),
+    )
+    .await
+}

src-tauri/src/commands/network.rs

@@ -21,6 +21,9 @@ use tokio as _;
 // chrono is used in network/known_shares.rs for timestamps
 #[cfg(target_os = "macos")]
 use chrono as _;
+// security_framework is used in network/keychain.rs for Keychain integration
+#[cfg(target_os = "macos")]
+use security_framework as _;
 
 pub mod benchmark;
 mod commands;
@@ -215,6 +218,16 @@ pub fn run() {
             #[cfg(target_os = "macos")]
             commands::network::get_username_hints,
             #[cfg(target_os = "macos")]
+            commands::network::save_smb_credentials,
+            #[cfg(target_os = "macos")]
+            commands::network::get_smb_credentials,
+            #[cfg(target_os = "macos")]
+            commands::network::has_smb_credentials,
+            #[cfg(target_os = "macos")]
+            commands::network::delete_smb_credentials,
+            #[cfg(target_os = "macos")]
+            commands::network::list_shares_with_credentials,
+            #[cfg(target_os = "macos")]
             permissions::check_full_disk_access,
             #[cfg(target_os = "macos")]
             permissions::open_privacy_settings