Handle integration credential decrypt failures

[brennanb2025]

Summary

Credential decrypt failures for saved Linear and Jira tokens now surface as explicit reconnect/keychain messages instead of being treated like missing credentials, empty results, or auth failures.

• Added shared provider-specific decrypt error messages for Linear and Jira.
• Added a main-process credential reader that preserves safe plaintext fallback behavior but throws on undecryptable binary/control-character token files.
• Threaded credential provenance through Linear and Jira clients so auth failures clear only freshly decrypted tokens, while safe plaintext fallback files are not deleted.
• Updated Linear/Jira active read paths and renderer stores to rethrow credential decrypt errors instead of falling back to stale or empty data.
• Updated TaskPage and issue workspace catch sites to toast/display the canonical decrypt message.

Brennan YOLO Lite Evidence

Design approach:

• The design scoped the fix to Linear/Jira credential file reads, active task-provider calls, renderer store fallback behavior, and user-facing error surfacing.
• It kept provider-specific behavior behind explicit Linear/Jira message mapping and did not add GitHub-only assumptions.
• It preserved plaintext fallback when safeStorage is unavailable or when the raw token is clearly plaintext, while treating undecryptable encrypted-looking files as actionable credential errors.

Design-review outcome:

• A delegated auto-design-review-fix pass completed clean.
• Scratch evidence: temp/credential-decrypt-errors-design.md and temp/credential-decrypt-errors-design-review-report.md in the local worktree only; these are not included in the PR.

Implementation and deviations:

• Implementation followed the reviewed design.
• One additional review-driven change was added: forced active client reads bypass cached plaintext fallback tokens unless the cache came from a successful decrypt, so a later Keychain approval can re-read and decrypt the original file.
• One reviewed non-actionable tradeoff remains by design: auth failure cleanup does not delete plaintext fallback files, including plaintext read after a decrypt failure.

Completeness verification:

• First delegated completeness pass found component catch paths that swallowed decrypt errors.
• Follow-up fixes added toast/message handling in TaskPage, LinearIssueWorkspace, and JiraIssueWorkspace.
• Second pass found two TaskPage metadata refresh paths that still only warned.
• Follow-up fixes added canonical decrypt messages for Linear teams refresh and Jira projects load.
• Final delegated completeness pass returned complete.

Code-review loop:

• Round 1 ran two independent reviewers. One returned clean; one found cached plaintext fallback could prevent later re-decrypt after Keychain approval. Fixed with provenance-aware forced reads and retry tests.
• Round 2 ran two fresh reviewers. One returned clean; one requested clearing plaintext fallback on auth failure. That was classified non-actionable because the reviewed design explicitly preserves plaintext fallback files.
• After the final test-only lint fix from validation, two final reviewers returned clean.

brennan-test-changes result:

• Delegated validation initially reported "land after fixes" because it found and fixed a test-only lint issue in src/main/jira/client.test.ts.
• After that fix, final reviews and validation evidence were clean.
• Electron live validation launched from this exact worktree with isolated HOME and ORCA_DEV_USER_DATA_PATH, verified app identity, seeded fake Linear/Jira encrypted-token failures, and confirmed clear decrypt messages while preserving saved metadata/token files.
• Renderer store probes verified Linear/Jira read APIs rethrow credential decrypt messages for TaskPage and issue workspace surfacing instead of returning empty/stale fallback data.
• Runtime/SSH review: local runtime path was exercised; remote RPC message preservation was verified from code. No SSH code changed, so brennan-test-ssh was not required.

Tests

• pnpm run typecheck
• pnpm run lint (passes with existing React hook dependency warnings in ChecksPanel, Settings, and StatusBar)
• git diff --check
• pnpm vitest run --config config/vitest.config.ts src/main/linear/client.test.ts src/main/jira/client.test.ts src/main/linear/issues.test.ts src/main/jira/issues.test.ts src/main/linear/projects.test.ts src/main/linear/teams.test.ts src/renderer/src/store/slices/linear.test.ts src/renderer/src/store/slices/jira.test.ts
• Electron live validation from this worktree with isolated HOME/userData: verified app identity, seeded fake Linear/Jira encrypted-token failures, confirmed Settings/test paths show clear decrypt messages and preserve saved metadata/token files.
• Renderer store read-path validation: Linear/Jira read APIs rethrow credential decrypt messages for TaskPage/issue-workspace surfacing instead of falling back to empty/stale cache data.
• Runtime/SSH review: local runtime path exercised; remote RPC message preservation verified from code; no SSH code changed, so brennan-test-ssh was not required.

Assumptions And Gaps

• Full visual toast click-through was not performed; component catch sites were code-reviewed and live store-level errors were exercised.
• Jira has a runtime test IPC/store path but no matching integrations-pane test button was found.
• Existing React hook dependency lint warnings are unrelated to this PR.