QinQinChina · QinQinChina · Jun 8, 2026 · Jun 7, 2026
diff --git a/packages/app/src/main/services/LocalSettingsService.ts b/packages/app/src/main/services/LocalSettingsService.ts
@@ -62,13 +62,25 @@ export class LocalSettingsService {
     try {
       const raw = await readFile(this.filePath, "utf8");
       const settings = normalizeUserLocalSettings(tryParseJson(raw));
-      return { exists: true, settings: this.decryptApiKeys(settings) };
+      const decrypted = this.decryptApiKeys(settings);
+      if (this.secureStorage.needsMigration) {
+        this.migrateEncryption(decrypted);
+      }
+      return { exists: true, settings: decrypted };
     } catch (error) {
       logger.info("settings", `settings file not available, using defaults (${this.filePath})`);
       return { exists: false, settings: normalizeUserLocalSettings(DEFAULT_USER_LOCAL_SETTINGS) };
     }
   }
 
+  private migrateEncryption(settings: UserLocalSettings): void {
+    logger.info("settings", "auto-migrating plaintext API keys to encrypted storage");
+    const toWrite = this.encryptApiKeys(settings);
+    mkdir(dirname(this.filePath), { recursive: true })
+      .then(() => writeFile(this.filePath, `${JSON.stringify(toWrite, null, 2)}\n`, "utf8"))
+      .catch((error) => logger.warn("settings", "failed to migrate API key encryption", error));
+  }
+
   async read(): Promise<{ exists: boolean; settings: UserLocalSettings }> {
     await this.writeQueue.catch(() => undefined);
     return this.readFromDisk();

diff --git a/packages/app/src/main/services/SecureStorageService.ts b/packages/app/src/main/services/SecureStorageService.ts
@@ -8,18 +8,25 @@ const ENCRYPTED_PREFIX = "enc:";
  * sensitive strings before persisting them to disk.
  *
  * Encrypted values are stored as "enc:<base64>".
- * Unrecognized values (no prefix) are treated as invalid and discarded.
+ * Legacy plaintext values are accepted on read and will be encrypted
+ * automatically on the next write (auto-migration).
  */
 export class SecureStorageService {
+  private _needsMigration = false;
+
+  get needsMigration(): boolean {
+    return this._needsMigration;
+  }
+
   isAvailable(): boolean {
     return safeStorage.isEncryptionAvailable();
   }
 
   encrypt(plaintext: string | null): string | null {
     if (plaintext == null || plaintext === "") return plaintext;
     if (!this.isAvailable()) {
-      logger.warn("secure-storage", "encryption unavailable, value will not be persisted securely");
-      return null;
+      logger.warn("secure-storage", "encryption unavailable, storing plaintext");
+      return plaintext;
     }
     const encrypted = safeStorage.encryptString(plaintext);
     return `${ENCRYPTED_PREFIX}${encrypted.toString("base64")}`;
@@ -28,8 +35,9 @@ export class SecureStorageService {
   decrypt(stored: string | null): string | null {
     if (stored == null || stored === "") return stored;
     if (!stored.startsWith(ENCRYPTED_PREFIX)) {
-      logger.warn("secure-storage", "discarding unencrypted value — re-enter the key in settings");
-      return null;
+      logger.info("secure-storage", "detected plaintext value, will encrypt on next write");
+      this._needsMigration = true;
+      return stored;
     }
     if (!this.isAvailable()) {
       logger.warn("secure-storage", "decryption unavailable, cannot read encrypted value");