Linux: encrypted file fallback for cred storage

- When no system keyring (GNOME Keyring / KDE Wallet) is available, credentials now fall back to an encrypted file at ~/.local/share/cmdr/credentials.enc
- Uses cocoon crate (Chacha20-Poly1305) with /etc/machine-id as key, 0600 file permissions
- All operations try Secret Service first, file backend second
- Corrupted credential files recover gracefully (start fresh, log warning)
- New is_using_credential_file_fallback Tauri command for frontend toast notification
- Add "Credentials stored locally (no system keyring detected)" toast

Author: vdavid

Cargo.lock

@@ -87,6 +87,8 @@ tauri-plugin-window-state = "2"
 trash = "5.2"
 # Credential storage via Linux secret service (GNOME Keyring / KDE Wallet)
 keyring = "3"
+# Encrypted file-based credential storage fallback when no secret service is available
+cocoon = "0.4"
 # D-Bus client for XDG Desktop Portal (accent color, appearance settings)
 zbus = "5"
 

apps/desktop/src-tauri/Cargo.lock

@@ -202,6 +202,14 @@ pub fn delete_smb_credentials(server: String, share: Option<String>) -> Result<(
     keychain::delete_credentials(&server, share.as_deref())
 }
 
+/// Returns whether credential storage is using an encrypted file fallback
+/// instead of the system keyring. The frontend can use this to show a one-time
+/// info toast when the user first saves credentials without a system keyring.
+#[tauri::command]
+pub fn is_using_credential_file_fallback() -> bool {
+    keychain::is_using_file_fallback()
+}
+
 /// Lists shares on a host using stored or provided credentials.
 /// This is the main command for authenticated share listing.
 ///

apps/desktop/src-tauri/Cargo.toml

@@ -36,6 +36,10 @@ use trash as _;
 // keyring crate is used in network/keychain_linux.rs for credential storage (Linux only)
 #[cfg(target_os = "linux")]
 use keyring as _;
+//noinspection ALL
+// cocoon is used in network/keychain_linux.rs for encrypted file-based credential fallback
+#[cfg(target_os = "linux")]
+use cocoon as _;
 
 //noinspection ALL
 // MCP Bridge is only used in debug builds, so silence the warning in release builds
@@ -672,6 +676,8 @@ pub fn run() {
             #[cfg(any(target_os = "macos", target_os = "linux"))]
             commands::network::delete_smb_credentials,
             #[cfg(any(target_os = "macos", target_os = "linux"))]
+            commands::network::is_using_credential_file_fallback,
+            #[cfg(any(target_os = "macos", target_os = "linux"))]
             commands::network::list_shares_with_credentials,
             #[cfg(any(target_os = "macos", target_os = "linux"))]
             commands::network::mount_network_share,
@@ -704,6 +710,8 @@ pub fn run() {
             #[cfg(not(any(target_os = "macos", target_os = "linux")))]
             stubs::network::delete_smb_credentials,
             #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+            stubs::network::is_using_credential_file_fallback,
+            #[cfg(not(any(target_os = "macos", target_os = "linux")))]
             stubs::network::list_shares_with_credentials,
             #[cfg(not(any(target_os = "macos", target_os = "linux")))]
             stubs::network::mount_network_share,

apps/desktop/src-tauri/src/commands/network.rs

@@ -17,7 +17,7 @@ Discover, browse, and mount SMB network shares. Works on macOS and Linux.
   - `mount_linux.rs` — Linux `gio mount` for GVFS-based user-space mounts
 - **Auth** (platform-specific via `#[path]` in `mod.rs`):
   - `keychain.rs` — macOS Keychain via `security-framework`
-  - `keychain_linux.rs` — Linux secret service via `keyring` crate (GNOME Keyring / KDE Wallet)
+  - `keychain_linux.rs` — Two-tier: Secret Service via `keyring` crate → encrypted file via `cocoon` crate
 - **State**: `known_shares.rs` — Connection history in `known-shares.json` (usernames, last auth mode, timestamps).
 
 ## Platform strategy
@@ -27,7 +27,7 @@ Discover, browse, and mount SMB network shares. Works on macOS and Linux.
 | mDNS discovery | `mdns-sd` (pure Rust) | `mdns-sd` (same) |
 | SMB share listing | `smb` + `smb-rpc` crates | `smb` + `smb-rpc` (same) |
 | smbutil fallback | `smbutil view -G` | Not available (returns error, smb-rs handles most cases) |
-| Credential storage | `security-framework` (macOS Keychain) | `keyring` crate (secret service D-Bus API) |
+| Credential storage | `security-framework` (macOS Keychain) | `keyring` (Secret Service) → `cocoon` encrypted file fallback |
 | Mounting | `NetFSMountURLSync` → `/Volumes/` | `gio mount` → `/run/user/<uid>/gvfs/` |
 
 ## Key decisions
@@ -55,6 +55,10 @@ smb-rs connections are lightweight and created on-demand. Caching is at the shar
 
 After first credential fetch, credentials cached in `CREDENTIAL_CACHE` (LazyLock + RwLock). Prevents repeated Keychain/secret-service round-trips during session. Cache keyed by `"smb://{server}/{share}"`.
 
+### Linux credential storage fallback
+
+On Linux, `keychain_linux.rs` tries Secret Service (GNOME Keyring / KDE Wallet) first. If unavailable (no D-Bus service, headless server, minimal DE), it falls back to an encrypted file at `~/.local/share/cmdr/credentials.enc`. The file is encrypted with `cocoon` (Chacha20-Poly1305) using `/etc/machine-id` as the password, with 0600 file permissions. A static `USING_FILE_FALLBACK` flag tracks whether the fallback is active for the frontend to show a one-time info toast. Corrupted credential files are handled gracefully (start fresh, log warning).
+
 ### Linux mounting via GVFS
 
 `gio mount` is used for user-space SMB mounting on Linux. It requires the `gvfs-smb` package. If `gio` is not available, a helpful error message is returned. Mounts appear under `/run/user/<uid>/gvfs/`.

apps/desktop/src-tauri/src/lib.rs

@@ -206,6 +206,11 @@ pub fn has_credentials(server: &str, share: Option<&str>) -> bool {
     get_credentials(server, share).is_ok()
 }
 
+/// Always returns false on macOS (macOS Keychain is always available).
+pub fn is_using_file_fallback() -> bool {
+    false
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;