Desktop: handle denied Keychain access during safeStorage decrypt without crash-report path

[Copilot]

Startup could fail with safeStorage.decryptString (“Decryption is not available”) when macOS Keychain access is denied at launch. This path currently surfaces as a crash report instead of a targeted user-facing recovery message.

• Keychain-denied error classification

  • Added a dedicated KeychainAccessDeniedError in desktop/src/app.ts.
  • Wrapped safeStorage.encryptString/decryptString calls with a small classifier that maps keychain-unavailable conditions to this explicit error type.

• Startup failure handling

  • Updated initApp startup error handling to intercept KeychainAccessDeniedError.
  • Shows a focused dialog (Keychain access is required) with actionable guidance (allow HomeCloud in system keychain/security settings, then restart), then exits cleanly.
  • Avoids routing this expected-denial case through the generic crash-report dialog.

• Security/identity behavior preserved

  • No plaintext key fallback.
  • No automatic secret/keypair regeneration on decrypt failure (prevents silent identity/fingerprint churn).

try {
  await startApp();
} catch (error) {
  if (error instanceof KeychainAccessDeniedError) {
    dialog.showMessageBoxSync({
      type: 'error',
      title: app.getName(),
      message: 'Keychain access is required',
      detail: error.message,
      buttons: ['OK'],
    });
    app.quit();
    return;
  }
  showCrashDialogAndQuit(error instanceof Error ? error : new Error(String(error)));
}