SMB: Reuse saved password instead of re-prompting on every connect

Two QA follow-ups, both rooted in credentials Cmdr already had but never used:
- Credential entries are now keyed by server identity, not the raw name string. `make_account_name` runs the server through `server_identity::credential_key` (bare instance name), so a password the frontend saves under `Naspolya` is found when the OS-mount upgrade path looks it up by the `statfs` service name `Naspolya._smb._tcp.local`. Before, the two never matched: a saved password was invisible on the next launch, leaving a stale `os_mount` (yellow) dot.
- The share-activation gate now tries Cmdr's stored password before showing the login form. The share list often loads via the system Keychain (`smbutil`) without exercising Cmdr's own creds, so the gate kept re-prompting even with a working password saved. Stale stored creds fall through to the existing mount-failure login form.

Author: vdavid

apps/desktop/src-tauri/src/network/CLAUDE.md

@@ -217,7 +217,7 @@ server+share+port already mounted, skipping NetFS entirely.
 - **Auth mode is a guess**: `GuestAllowed` means "guest worked, creds might also work." `CredsRequired` means "guest failed, must have creds." Can't detect guest-only vs guest-or-creds without trying both.
 - **NetFS error 17 (EEXIST) is success** (macOS): Share already mounted. Return existing mount path, set `already_mounted: true`. Not an error.
 - **mDNS service type must include `.local.`**: `mdns-sd` requires full form `"_smb._tcp.local."` (trailing dot). Without it, browse() fails silently.
-- **Account name is lowercase**: `make_account_name` lowercases server name for consistency. Prevents duplicate entries for "SERVER" vs "server".
+- **Account name is keyed by server identity, not the raw string**: `make_account_name` runs the server through `server_identity::credential_key` (lowercase + strip the mDNS service suffix / `.local` down to the bare instance name), so `Naspolya`, `naspolya.local`, and `Naspolya._smb._tcp.local` all key the same entry. Without this the frontend saved under the mDNS instance name while the OS-mount upgrade path looked up by the `statfs` service name, so a just-saved password was never found on the next connect (the picker kept showing the `os_mount` dot and re-prompted). IP literals have no bare form and pass through unchanged.
 - **Linux `gio mount` requires GVFS**: The `gvfs-smb` package must be installed. Standard on Ubuntu/Fedora GNOME desktops. KDE desktops may need it explicitly.
 - **`ShareListError` uses internally tagged serde format** (`#[serde(tag = "type")]`) with struct variants. This keeps a flat JSON shape (`{ "type": "protocol_error", "message": "..." }`). The `MissingDependency` variant adds an optional `installCommand` field. When adding new variants, use struct syntax (not tuple).
 - **macOS smbutil and NetFSMountURLSync fail with loopback IP + non-standard port**: `//127.0.0.1:10480` gives "Broken pipe", but `//localhost:10480` works. `build_smbutil_url` and `NetworkMountView.svelte` both fall back to hostname when IP is `127.0.0.1` or `::1`. This matters for E2E testing against Docker containers on localhost.

apps/desktop/src-tauri/src/network/keychain.rs

@@ -61,10 +61,17 @@ impl From<SecretStoreError> for KeychainError {
 
 /// Creates the account name used for credential storage.
 /// Format: "smb://{server}/{share}" or "smb://{server}" for server-level credentials.
+///
+/// The server is collapsed to its stable identity via
+/// [`crate::network::server_identity::credential_key`] so that every name form of one
+/// server (mDNS instance name, `.local` hostname, `statfs` service name) keys the same
+/// entry. Without this, a password saved by the frontend under `Naspolya` is invisible
+/// to the upgrade path looking up `Naspolya._smb._tcp.local`.
 fn make_account_name(server: &str, share: Option<&str>) -> String {
+    let key = crate::network::server_identity::credential_key(server);
     match share {
-        Some(s) => format!("smb://{}/{}", server.to_lowercase(), s),
-        None => format!("smb://{}", server.to_lowercase()),
+        Some(s) => format!("smb://{}/{}", key, s),
+        None => format!("smb://{}", key),
     }
 }
 
@@ -187,6 +194,17 @@ mod tests {
         assert_eq!(account1, account2);
     }
 
+    /// All name forms of one server must produce the same account, so a password saved
+    /// under the mDNS instance name is found when the upgrade path looks it up by the
+    /// `statfs` service name or the resolved hostname.
+    #[test]
+    fn test_make_account_name_collapses_server_name_forms() {
+        let saved = make_account_name("Naspolya", None);
+        assert_eq!(saved, "smb://naspolya");
+        assert_eq!(make_account_name("Naspolya.local", None), saved);
+        assert_eq!(make_account_name("Naspolya._smb._tcp.local", None), saved);
+    }
+
     #[test]
     fn test_parse_password_entry() {
         let entry = make_password_entry("david", "secret123");

apps/desktop/src-tauri/src/network/server_identity.rs

@@ -33,6 +33,19 @@ fn normalize(s: &str) -> String {
     s.trim_end_matches('.').to_lowercase()
 }
 
+/// The stable key for a server's stored credentials.
+///
+/// The same NAS reaches the credential store under different names depending on the
+/// caller: the frontend saves under the mDNS instance name (`Naspolya`), while the
+/// OS-mount upgrade path looks up by the `statfs` server (`Naspolya._smb._tcp.local`)
+/// or the resolved hostname (`naspolya.local`). Keying credentials on the raw string
+/// splits one server's password across several entries, so a password saved on mount
+/// is never found on the next connect. `credential_key` collapses every name form to
+/// the same bare identity (IP literals pass through unchanged — they have no bare form).
+pub fn credential_key(server: &str) -> String {
+    bare_name(&normalize(server))
+}
+
 /// Extracts the bare name from any of the forms a server name arrives in:
 /// `Naspolya._smb._tcp.local` → `naspolya`, `naspolya.local` → `naspolya`,
 /// `naspolya` → `naspolya`. Input must already be normalized.
@@ -156,4 +169,25 @@ mod tests {
         assert!(same_server("192.168.1.111", "192.168.1.111", &[]));
         assert!(same_server("some-nas", "some-nas", &[]));
     }
+
+    /// Every name form of one server must produce the SAME credential key, so a password
+    /// saved by the frontend (mDNS instance name) is found by the upgrade path (`statfs`
+    /// service name / resolved hostname). This is the keying split-brain that left a
+    /// just-saved Naspolya password unusable on the next connect.
+    #[test]
+    fn test_credential_key_collapses_name_forms() {
+        assert_eq!(credential_key("Naspolya"), "naspolya");
+        assert_eq!(credential_key("Naspolya.local"), "naspolya");
+        assert_eq!(credential_key("Naspolya.local."), "naspolya");
+        assert_eq!(credential_key("Naspolya._smb._tcp.local"), "naspolya");
+        assert_eq!(credential_key("Naspolya._smb._tcp.local."), "naspolya");
+    }
+
+    /// IP literals have no bare form; they pass through (lowercased) unchanged so two
+    /// different hosts can't collide on one credential entry.
+    #[test]
+    fn test_credential_key_passes_ip_through() {
+        assert_eq!(credential_key("192.168.1.111"), "192.168.1.111");
+        assert_eq!(credential_key("localhost"), "localhost");
+    }
 }

apps/desktop/src/lib/file-explorer/network/CLAUDE.md

@@ -102,13 +102,15 @@ Rendered after user selects a host. Auth flow on mount:
 `authenticatedCredentials` is passed to `onShareSelect` so the caller can mount the share without re-prompting.
 
 **Credential gate on share activation** (`activateShare`): every activation path (Enter, double-click, auto-mount)
-checks `authMode === 'creds_required' && !authenticatedCredentials` and shows the login form (with the share name in the
-title) instead of firing `onShareSelect` with null credentials. This combination is real: on macOS the share-listing
-fallback (`smbutil view -N`) authenticates via the SYSTEM Keychain, which Cmdr can't reuse for mounting, so the list
-renders fine while Cmdr holds no credentials — activating a share used to fire a doomed guest mount. The gated share
-waits in `pendingMountShare`; after a successful sign-in, `connectWithCredentials` fires
-`onShareSelect(pending, authenticatedCredentials)`. Cancel on a gated form returns to the share list (the list behind it
-is loaded and fine), not the host list. Pinned by `ShareBrowser.test.ts`.
+checks `authMode === 'creds_required' && !authenticatedCredentials`. When it trips, it first tries Cmdr's stored
+password (`loadStoredCredentials` → `getSmbCredentials`) and, if found, mounts with it silently; only if none is saved
+does it show the login form (with the share name in the title). This matters because the share list often loads via the
+SYSTEM Keychain (`smbutil view -N`) without ever exercising Cmdr's own creds, so `authenticatedCredentials` is null even
+when a working password is saved — without the stored-creds attempt the user got re-prompted on every visit. Stale
+stored creds aren't validated here; the mount fails and `NetworkMountView` surfaces the login form (see its
+mount-failure handler). The gated share waits in `pendingMountShare`; after a successful sign-in,
+`connectWithCredentials` fires `onShareSelect(pending, authenticatedCredentials)`. Cancel on a gated form returns to the
+share list (the list behind it is loaded and fine), not the host list. Pinned by `ShareBrowser.test.ts`.
 
 When `authenticatedCredentials` is set (stored creds were used), a "Forget saved password" button appears in the header
 row. Clicking it calls `forgetCredentials` and clears `authenticatedCredentials`.

apps/desktop/src/lib/file-explorer/network/ShareBrowser.svelte

@@ -116,7 +116,7 @@
             (s) => s.name.localeCompare(shareName, undefined, { sensitivity: 'base' }) === 0,
         )
         if (match) {
-            activateShare(match)
+            void activateShare(match)
         } else {
             addToast(`Share '${shareName}' not found on ${host.name}`, { level: 'warn' })
         }
@@ -130,8 +130,19 @@
      * which Cmdr can't reuse for mounting, so the list renders fine while
      * `authenticatedCredentials` stays null.
      */
-    function activateShare(share: ShareInfo) {
+    async function activateShare(share: ShareInfo) {
         if (authMode === 'creds_required' && !authenticatedCredentials) {
+            // Try Cmdr's stored password before prompting. The share list often loads
+            // via the system Keychain (smbutil) without ever exercising our own creds,
+            // so we may already have a working password saved. If the stored creds turn
+            // out to be stale, the mount fails and NetworkMountView surfaces the login
+            // form (see its mount-failure handler), so we don't need to validate here.
+            const stored = await loadStoredCredentials()
+            if (stored) {
+                authenticatedCredentials = stored
+                onShareSelect?.(share, stored)
+                return
+            }
             pendingMountShare = share
             loginError = undefined
             showLoginForm = true
@@ -140,6 +151,16 @@
         onShareSelect?.(share, authenticatedCredentials)
     }
 
+    /** Reads Cmdr's stored credentials for this host, or null if none are saved. */
+    async function loadStoredCredentials(): Promise<{ username: string; password: string } | null> {
+        try {
+            const creds = await getSmbCredentials(host.name, null)
+            return { username: creds.username, password: creds.password }
+        } catch {
+            return null
+        }
+    }
+
     /** Sync share list to MCP so agents see the same data as the UI. */
     async function syncPaneStateToMcp() {
         if (!paneId) return
@@ -385,7 +406,7 @@
     // noinspection JSUnusedGlobalSymbols -- used dynamically by NetworkMountView / MCP
     export function openCursorItem(): void {
         if (cursorIndex >= 0 && cursorIndex < sortedShares.length) {
-            activateShare(sortedShares[cursorIndex])
+            void activateShare(sortedShares[cursorIndex])
         }
     }
 
@@ -395,7 +416,7 @@
 
     function handleShareDoubleClick(index: number) {
         if (index >= 0 && index < sortedShares.length) {
-            activateShare(sortedShares[index])
+            void activateShare(sortedShares[index])
         }
     }
 
@@ -473,7 +494,7 @@
         if (e.key === 'Enter') {
             e.preventDefault()
             if (cursorIndex >= 0 && cursorIndex < sortedShares.length) {
-                activateShare(sortedShares[cursorIndex])
+                void activateShare(sortedShares[cursorIndex])
             }
             return true
         }

apps/desktop/src/lib/file-explorer/network/ShareBrowser.test.ts

@@ -104,7 +104,9 @@ describe('ShareBrowser credential gate', () => {
     await waitForShareList(target)
 
     api.openCursorItem()
-    await tick()
+    await vi.waitFor(() => {
+      expect(target.querySelector('.login-title')).toBeTruthy()
+    })
 
     expect(onShareSelect).not.toHaveBeenCalled()
     const title = must(target.querySelector('.login-title'), 'the login form')
@@ -113,6 +115,27 @@ describe('ShareBrowser credential gate', () => {
     await unmount(component)
   })
 
+  it('uses stored credentials silently when creds are required (no prompt)', async () => {
+    // The listing came back creds_required (it succeeded via the system Keychain), but
+    // Cmdr has the password saved. Activating the share must reuse it, not re-prompt.
+    h.fetchShares.mockResolvedValue({ shares: [naspi], authMode: 'creds_required', fromCache: false })
+    h.getSmbCredentials.mockResolvedValue({ username: 'david', password: 'hunter2' })
+    const onShareSelect = vi.fn()
+    const { target, component, api } = mountBrowser(onShareSelect)
+    await waitForShareList(target)
+
+    api.openCursorItem()
+    await vi.waitFor(() => {
+      expect(onShareSelect).toHaveBeenCalledWith(expect.objectContaining({ name: 'naspi' }), {
+        username: 'david',
+        password: 'hunter2',
+      })
+    })
+    expect(target.querySelector('.login-title'), 'must not prompt when stored creds exist').toBeNull()
+
+    await unmount(component)
+  })
+
   it('selects the pending share with the entered credentials after a successful sign-in', async () => {
     h.fetchShares.mockResolvedValue({ shares: [naspi], authMode: 'creds_required', fromCache: false })
     h.listSharesWithCredentials.mockResolvedValue({ shares: [naspi], authMode: 'creds_required', fromCache: false })
@@ -121,7 +144,9 @@ describe('ShareBrowser credential gate', () => {
     await waitForShareList(target)
 
     api.openCursorItem()
-    await tick()
+    await vi.waitFor(() => {
+      expect(target.querySelector('#username')).toBeTruthy()
+    })
 
     const usernameInput = must(target.querySelector<HTMLInputElement>('#username'), 'the username input')
     const passwordInput = must(target.querySelector<HTMLInputElement>('#password'), 'the password input')
@@ -153,8 +178,9 @@ describe('ShareBrowser credential gate', () => {
     await waitForShareList(target)
 
     api.openCursorItem()
-    await tick()
-    expect(target.querySelector('.login-title')).toBeTruthy()
+    await vi.waitFor(() => {
+      expect(target.querySelector('.login-title')).toBeTruthy()
+    })
 
     // Cancel: the share list is loaded and fine, so stay on it.
     const cancelButton = must(