View fixes for policies and web demo fixes

Author: FaserF

src/switchcraft/__init__.py

@@ -3,18 +3,10 @@
 import sys
 # --- WEB / PYODIDE PATCHES (run immediately on package import) ---
 if sys.platform == "emscripten":
-    try:
-        # Patch requests/urllib3 to use browser fetch
-        import pyodide_http
-        pyodide_http.patch_all()
-    except ImportError:
-        pass
-
-    # Mock SSL to prevent import errors in libraries (like urllib3) that expect it
     import types
     if "ssl" not in sys.modules:
         ssl_mock = types.ModuleType("ssl")
-        # Add minimal ssl module attributes that might be checked
+        # Add minimal ssl module attributes that might be checked by urllib3
         ssl_mock.SSLContext = type("SSLContext", (), {"__init__": lambda *a, **kw: None})
         ssl_mock.PROTOCOL_TLS = 2
         ssl_mock.PROTOCOL_TLS_CLIENT = 16
@@ -23,8 +15,16 @@
         ssl_mock.CERT_NONE = 0
         ssl_mock.CERT_OPTIONAL = 1
         ssl_mock.CERT_REQUIRED = 2
+        # Critical: urllib3 checks these version numbers
+        ssl_mock.OPENSSL_VERSION_NUMBER = 0x101010CF  # Fake version >= 3.5.4
+        ssl_mock.OPENSSL_VERSION = "OpenSSL 3.5.4 (Pyodide Mock)"
+        ssl_mock.OPENSSL_VERSION_INFO = (1, 1, 1, 15, 15)
+        ssl_mock.HAS_NEVER_CHECK_COMMON_NAME = True
         sys.modules["ssl"] = ssl_mock
 
-    # Note: In Flet 0.70+, ft.run() is the correct method (ft.app is deprecated)
-    # No patching needed for ft.run - web_entry.py should call it correctly.
-    # The SSL mock above is still needed.
+    try:
+        # Patch requests/urllib3 to use browser fetch
+        import pyodide_http
+        pyodide_http.patch_all()
+    except ImportError:
+        pass

src/switchcraft/assets/lang/de.json

@@ -61,6 +61,8 @@
     "settings_policies": "Richtlinien",
     "active_policies_title": "Aktive Richtlinien",
     "no_policies_found": "Keine aktiven Richtlinien gefunden.",
+    "policies_enforced_msg": "Die folgenden Einstellungen werden von Ihrer Organisation (GPO/Intune) erzwungen und können nicht geändert werden.",
+    "policies_no_gpo_msg": "Es sind derzeit keine GPO- oder Intune-Richtlinien aktiv. Die Einstellungen können frei angepasst werden.",
     "sync_desc": "Synchronisiere deine Einstellungen über Geräte hinweg.",
     "generate_intune_script": "Intune Skript generieren",
     "manual_select": "Datei auswählen",

src/switchcraft/assets/lang/en.json

@@ -61,6 +61,8 @@
     "settings_policies": "Policies",
     "active_policies_title": "Active Policies",
     "no_policies_found": "No active policies found.",
+    "policies_enforced_msg": "The following settings are enforced by your organization (GPO/Intune) and cannot be changed.",
+    "policies_no_gpo_msg": "No GPO or Intune policies are currently enforced. Settings can be freely modified.",
     "sync_desc": "Sync your settings across devices.",
     "ex_dash_filters": "Filters",
     "ex_mail_traffic": "Mail Traffic Statistics",

src/switchcraft/gui_modern/app.py

@@ -980,6 +980,9 @@ def build_ui(self):
                 ft.NavigationRailDestination(
                     icon=ft.Icons.EMAIL_OUTLINED, selected_icon=ft.Icons.EMAIL, label=i18n.get("exchange_title") or "Exchange"
                 ),  # 20 Exchange
+                ft.NavigationRailDestination(
+                    icon=ft.Icons.POLICY_OUTLINED, selected_icon=ft.Icons.POLICY, label=i18n.get("settings_policies") or "Policies"
+                ),  # 21 Policies
             ]
 
 

src/switchcraft/gui_modern/views/category_view.py

@@ -36,7 +36,9 @@
     "Gruppen-Manager": "desc_groups",
     "Winget Creator": "desc_wingetcreate",
     "Help & Resources": "desc_help",
-    "Hilfe & Ressourcen": "desc_help"
+    "Hilfe & Ressourcen": "desc_help",
+    "Policies": "desc_policies",
+    "Richtlinien": "desc_policies"
 }
 
 class CategoryView(ft.Container):

src/switchcraft/gui_modern/views/settings_view.py

@@ -108,36 +108,52 @@ def _create_managed_control(self, control: ft.Control, key: str) -> ft.Control:
         return control
 
     def _build_policies_tab(self):
-        """Builds a read-only view of all managed settings."""
+        """Builds a read-only view of managed settings (GPO/Intune only, not user preferences)."""
         managed_settings = []
         # List of known keys to check
         known_keys = [
             "CompanyName", "UpdateChannel", "EnableWinget",
             "GraphTenantId", "GraphClientId", "IntuneToolPath",
             "GitRepoPath", "CustomTemplatePath", "SignScripts",
             "CodeSigningCertThumbprint", "CodeSigningCertPath",
-            "AIProvider", "DebugMode"
+            "AIProvider", "DebugMode", "GraphClientSecret", "AIKey"
+        ]
+
+        # Keys that contain secrets - these should be masked
+        secret_keys = ["GraphClientSecret", "AIKey", "IntuneClientSecret"]
+
+        # Sources that indicate organizational management (NOT user preferences)
+        managed_sources = [
+            "GPO (Local Machine)",
+            "GPO (Current User)",
+            "Intune OMA-URI",
+            "System Registry (HKLM)"
         ]
 
         # Scan for managed keys
         for key in known_keys:
             res = SwitchCraftConfig.get_value_with_source(key)
             if res:
-                # If managed, the source will be one of the GPO or Intune ones
-                # But even if it's just 'System Registry', we show it if it's considered 'managed' or if we want to show all sources
-                # The user specifically asked to show GPO, Systemregistry, Userregistry, Intune OMA URI
-                managed_settings.append({
-                    "Setting": key,
-                    "Value": str(res["value"]),
-                    "Source": res["source"]
-                })
+                source = res["source"]
+                # Only include if it's from a managed source (not user registry)
+                if source in managed_sources:
+                    # Mask secret values
+                    value = str(res["value"])
+                    if key in secret_keys and value:
+                        value = "**** hidden ****"
+
+                    managed_settings.append({
+                        "Setting": key,
+                        "Value": value,
+                        "Source": source
+                    })
 
         if not managed_settings:
             return ft.Container(
                 content=ft.Column([
                     ft.Icon(ft.Icons.POLICY, size=50, color="GREEN"),
                     ft.Text(i18n.get("no_policies_found") or "No active policies found.", size=20),
-                    ft.Text("Settings can be freely modified.", color="ON_SURFACE_VARIANT")
+                    ft.Text(i18n.get("policies_no_gpo_msg") or "No GPO or Intune policies are currently enforced. Settings can be freely modified.", color="ON_SURFACE_VARIANT")
                 ], alignment=ft.MainAxisAlignment.CENTER, horizontal_alignment=ft.CrossAxisAlignment.CENTER),
                 expand=True,
                 alignment=ft.Alignment(0, 0)
@@ -165,7 +181,7 @@ def _build_policies_tab(self):
 
         return ft.ListView([
             ft.Text(i18n.get("active_policies_title") or "Active Policies", size=24, weight=ft.FontWeight.BOLD),
-            ft.Text("The following settings are enforced by your organization and cannot be changed.", color="ON_SURFACE_VARIANT"),
+            ft.Text(i18n.get("policies_enforced_msg") or "The following settings are enforced by your organization (GPO/Intune) and cannot be changed.", color="ON_SURFACE_VARIANT"),
             ft.Divider(),
             dt
         ], padding=20)
@@ -490,7 +506,11 @@ def pick_intune_tool(e):
         client.on_change=lambda e: SwitchCraftConfig.set_user_preference("GraphClientId", e.control.value)
         client_ctrl = self._create_managed_control(client, "GraphClientId")
 
-        secret = ft.TextField(label=i18n.get("settings_entra_secret") or "Entra Client Secret", value=SwitchCraftConfig.get_secure_value("GraphClientSecret") or "", password=True, can_reveal_password=True)
+        # Debug: Log what we get from secure storage
+        secret_value = SwitchCraftConfig.get_secure_value("GraphClientSecret")
+        logger.debug(f"Loading GraphClientSecret from config: {repr(secret_value[:4] + '***' if secret_value else None)}")
+
+        secret = ft.TextField(label=i18n.get("settings_entra_secret") or "Entra Client Secret", value=secret_value or "", password=True, can_reveal_password=True)
         secret.on_change=lambda e: SwitchCraftConfig.set_secret("GraphClientSecret", e.control.value)
 
         self.raw_tenant_field = tenant