Add automation secure settings controls

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: mamoreau-devolutions

cli-arguments.md

@@ -31,10 +31,15 @@
 | `--automation add-source --manager name --source-name name [--source-url url]` | Adds a known or custom source through the automation service | 2026.1+ |
 | `--automation remove-source --manager name --source-name name [--source-url url]` | Removes a source through the automation service | 2026.1+ |
 | `--automation list-settings` | Lists non-sensitive settings with their current boolean/string state | 2026.1+ |
+| `--automation list-secure-settings [--user name]` | Lists all secure settings for the current user or a specified user in machine-readable form | 2026.1+ |
+| `--automation get-secure-setting --key key [--user name]` | Reads one secure setting for the current user or a specified user | 2026.1+ |
+| `--automation set-secure-setting --key key --enabled true\|false [--user name]` | Enables or disables one secure setting for the current user or a specified user | 2026.1+ |
 | `--automation get-setting --key key` | Reads a single non-sensitive setting through the automation service | 2026.1+ |
 | `--automation set-setting --key key (--enabled true|false \| --value text)` | Sets a boolean or string setting through the automation service | 2026.1+ |
 | `--automation clear-setting --key key` | Clears a string-backed setting through the automation service | 2026.1+ |
 | `--automation reset-settings` | Resets non-secure settings while preserving the active automation session token | 2026.1+ |
+| `--automation set-manager-enabled --manager name --enabled true\|false` | Enables or disables one package manager and reloads it immediately | 2026.1+ |
+| `--automation set-manager-update-notifications --manager name --enabled true\|false` | Enables or suppresses update notifications for one package manager | 2026.1+ |
 | `--automation list-desktop-shortcuts` | Lists tracked desktop shortcuts, their current keep/delete/unknown verdicts, and whether each shortcut still exists on disk | 2026.1+ |
 | `--automation set-desktop-shortcut --path path --status {keep\|delete}` | Marks a tracked shortcut to be kept or deleted; `delete` also removes the shortcut from disk when present | 2026.1+ |
 | `--automation reset-desktop-shortcut --path path` | Clears the stored verdict for one tracked desktop shortcut | 2026.1+ |
@@ -90,7 +95,7 @@
 
 - `dotnet src\UniGetUI.Avalonia\bin\Release\net10.0\UniGetUI.Avalonia.dll --headless` starts the local automation daemon without opening any window or requiring a graphical desktop session.
 - `dotnet src\UniGetUI.Cli\bin\Release\net10.0\UniGetUI.Cli.dll <command>` is the cross-platform CLI wrapper for the automation service. It automatically prepends `--automation`, so `UniGetUI.Cli status` and `UniGetUI.Cli search-packages --manager ".NET Tool" --query dotnetsay` work directly.
-- Current agent-oriented command coverage includes status/version, manager/source inspection plus manager-maintenance and executable-path control, settings inspection and mutation, desktop-shortcut state management, app/history/manager log inspection, local backup creation and GitHub cloud-backup/auth flows, current bundle inspection/import/export/add/remove/install flows, package search/details/version listing, ignored-update management, and package install/update/uninstall flows.
+- Current agent-oriented command coverage includes status/version, manager/source inspection plus manager enablement, notification suppression, manager-maintenance and executable-path control, settings and secure-settings inspection/mutation, desktop-shortcut state management, app/history/manager log inspection, local backup creation and GitHub cloud-backup/auth flows, current bundle inspection/import/export/add/remove/install flows, package search/details/version listing, ignored-update management, and package install/update/uninstall flows.
 
 <br><br>
 # `unigetui://` deep link

src/UniGetUI.Core.SecureSettings/SecureSettings.cs

@@ -48,32 +48,42 @@ public static class Args
 
     public static bool Get(K key)
     {
-        string purifiedSetting = CoreTools.MakeValidFileName(ResolveKey(key));
-        if (_cache.TryGetValue(purifiedSetting, out var value))
+        return GetForUser(Environment.UserName, key);
+    }
+
+    public static bool GetForUser(string username, K key)
+    {
+        return GetForUser(username, ResolveKey(key));
+    }
+
+    public static bool GetForUser(string username, string setting)
+    {
+        string purifiedSetting = CoreTools.MakeValidFileName(setting);
+        string purifiedUser = CoreTools.MakeValidFileName(username);
+        string cacheKey = $"{purifiedUser}|{purifiedSetting}";
+        if (_cache.TryGetValue(cacheKey, out var value))
         {
             return value;
         }
 
-        string purifiedUser = CoreTools.MakeValidFileName(Environment.UserName);
-
         var settingsLocation = Path.Join(GetSecureSettingsRoot(), purifiedUser);
         var settingFile = Path.Join(settingsLocation, purifiedSetting);
 
         if (!Directory.Exists(settingsLocation))
         {
-            _cache[purifiedSetting] = false;
+            _cache[cacheKey] = false;
             return false;
         }
 
         bool exists = File.Exists(settingFile);
-        _cache[purifiedSetting] = exists;
+        _cache[cacheKey] = exists;
         return exists;
     }
 
     public static async Task<bool> TrySet(K key, bool enabled)
     {
         string purifiedSetting = CoreTools.MakeValidFileName(ResolveKey(key));
-        _cache.Remove(purifiedSetting);
+        _cache.Remove($"{CoreTools.MakeValidFileName(Environment.UserName)}|{purifiedSetting}");
 
         string purifiedUser = CoreTools.MakeValidFileName(Environment.UserName);
 
@@ -107,9 +117,8 @@ public static int ApplyForUser(string username, string setting, bool enable)
         try
         {
             string purifiedSetting = CoreTools.MakeValidFileName(setting);
-            _cache.Remove(purifiedSetting);
-
             string purifiedUser = CoreTools.MakeValidFileName(username);
+            _cache.Remove($"{purifiedUser}|{purifiedSetting}");
 
             var settingsLocation = Path.Join(GetSecureSettingsRoot(), purifiedUser);
             var settingFile = Path.Join(settingsLocation, purifiedSetting);

src/UniGetUI.Interface.BackgroundApi/AutomationCliCommandRunner.cs

@@ -107,6 +107,41 @@ await client.RemoveSourceAsync(BuildSourceRequest(args))
                         settings = await client.ListSettingsAsync(),
                     }
                 ),
+                "list-secure-settings" => await WriteJsonAsync(
+                    output,
+                    new
+                    {
+                        status = "success",
+                        settings = await client.ListSecureSettingsAsync(
+                            GetOptionalArgument(args, "--user")
+                        ),
+                    }
+                ),
+                "get-secure-setting" => await WriteJsonAsync(
+                    output,
+                    new
+                    {
+                        status = "success",
+                        setting = await client.GetSecureSettingAsync(
+                            GetRequiredArgument(
+                                args,
+                                "--key",
+                                "The get-secure-setting automation command requires --key."
+                            ),
+                            GetOptionalArgument(args, "--user")
+                        ),
+                    }
+                ),
+                "set-secure-setting" => await WriteJsonAsync(
+                    output,
+                    new
+                    {
+                        status = "success",
+                        setting = await client.SetSecureSettingAsync(
+                            BuildSecureSettingRequest(args)
+                        ),
+                    }
+                ),
                 "get-setting" => await WriteJsonAsync(
                     output,
                     new
@@ -143,6 +178,24 @@ await client.RemoveSourceAsync(BuildSourceRequest(args))
                         ),
                     }
                 ),
+                "set-manager-enabled" => await WriteJsonAsync(
+                    output,
+                    new
+                    {
+                        status = "success",
+                        manager = await client.SetManagerEnabledAsync(BuildManagerToggleRequest(args)),
+                    }
+                ),
+                "set-manager-update-notifications" => await WriteJsonAsync(
+                    output,
+                    new
+                    {
+                        status = "success",
+                        manager = await client.SetManagerUpdateNotificationsAsync(
+                            BuildManagerToggleRequest(args)
+                        ),
+                    }
+                ),
                 "reset-settings" => await WriteJsonAsync(
                     output,
                     await client.ResetSettingsAsync()
@@ -484,6 +537,31 @@ private static AutomationManagerMaintenanceRequest BuildManagerMaintenanceReques
         };
     }
 
+    private static AutomationSecureSettingRequest BuildSecureSettingRequest(
+        IReadOnlyList<string> args
+    )
+    {
+        return new AutomationSecureSettingRequest
+        {
+            SettingKey = GetRequiredArgument(args, "--key", "This automation command requires --key."),
+            UserName = GetOptionalArgument(args, "--user"),
+            Enabled = GetRequiredBoolArgument(args, "--enabled"),
+        };
+    }
+
+    private static AutomationManagerToggleRequest BuildManagerToggleRequest(IReadOnlyList<string> args)
+    {
+        return new AutomationManagerToggleRequest
+        {
+            ManagerName = GetRequiredArgument(
+                args,
+                "--manager",
+                "This automation command requires --manager."
+            ),
+            Enabled = GetRequiredBoolArgument(args, "--enabled"),
+        };
+    }
+
     private static AutomationDesktopShortcutRequest BuildDesktopShortcutRequest(
         IReadOnlyList<string> args,
         bool requireStatus
@@ -677,6 +755,19 @@ string argumentName
         );
     }
 
+    private static bool GetRequiredBoolArgument(IReadOnlyList<string> arguments, string argumentName)
+    {
+        bool? value = GetOptionalBoolArgument(arguments, argumentName);
+        if (!value.HasValue)
+        {
+            throw new InvalidOperationException(
+                $"This automation command requires {argumentName} with a value of true or false."
+            );
+        }
+
+        return value.Value;
+    }
+
     private static async Task<int> WriteJsonAsync<T>(TextWriter output, T value)
     {
         await output.WriteLineAsync(

src/UniGetUI.Interface.BackgroundApi/AutomationManagerMaintenanceApi.cs

@@ -21,6 +21,7 @@ public sealed class AutomationManagerMaintenanceInfo
     public bool? UseBundledWinGet { get; set; }
     public bool? UseSystemChocolatey { get; set; }
     public bool? ScoopCleanupOnLaunch { get; set; }
+    public bool UpdateNotificationsSuppressed { get; set; }
     public string? DefaultVcpkgTriplet { get; set; }
     public IReadOnlyList<string> AvailableVcpkgTriplets { get; set; } = [];
     public string? CustomVcpkgRoot { get; set; }
@@ -281,6 +282,10 @@ private static AutomationManagerMaintenanceInfo ToMaintenanceInfo(IPackageManage
             ScoopCleanupOnLaunch = manager.Name.Equals("Scoop", StringComparison.OrdinalIgnoreCase)
                 ? Settings.Get(Settings.K.EnableScoopCleanup)
                 : null,
+            UpdateNotificationsSuppressed = Settings.GetDictionaryItem<string, bool>(
+                Settings.K.DisabledPackageManagerNotifications,
+                manager.Name
+            ),
             DefaultVcpkgTriplet = manager.Name.Equals("vcpkg", StringComparison.OrdinalIgnoreCase)
                 ? Settings.GetValue(Settings.K.DefaultVcpkgTriplet)
                 : null,

src/UniGetUI.Interface.BackgroundApi/AutomationManagerSettingsApi.cs

@@ -30,6 +30,7 @@ public sealed class AutomationManagerInfo
     public string DisplayName { get; set; } = "";
     public bool Enabled { get; set; }
     public bool Ready { get; set; }
+    public bool NotificationsSuppressed { get; set; }
     public string ExecutablePath { get; set; } = "";
     public string ExecutableArguments { get; set; } = "";
     public AutomationManagerCapabilitiesInfo Capabilities { get; set; } = new();
@@ -80,6 +81,12 @@ public sealed class AutomationSettingValueRequest
     public string? Value { get; set; }
 }
 
+public sealed class AutomationManagerToggleRequest
+{
+    public string ManagerName { get; set; } = "";
+    public bool Enabled { get; set; }
+}
+
 public static class AutomationManagerSettingsApi
 {
     private static readonly HashSet<Settings.K> HiddenSettings =
@@ -190,6 +197,31 @@ public static void ResetSettingsPreservingSession()
         }
     }
 
+    public static async Task<AutomationManagerInfo> SetManagerEnabledAsync(
+        AutomationManagerToggleRequest request
+    )
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        var manager = ResolveManager(request.ManagerName);
+        Settings.SetDictionaryItem(Settings.K.DisabledManagers, manager.Name, !request.Enabled);
+        await Task.Run(manager.Initialize);
+        return ToManagerInfo(manager);
+    }
+
+    public static AutomationManagerInfo SetManagerNotifications(
+        AutomationManagerToggleRequest request
+    )
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        var manager = ResolveManager(request.ManagerName);
+        Settings.SetDictionaryItem(
+            Settings.K.DisabledPackageManagerNotifications,
+            manager.Name,
+            !request.Enabled
+        );
+        return ToManagerInfo(manager);
+    }
+
     private static AutomationManagerInfo ToManagerInfo(IPackageManager manager)
     {
         return new AutomationManagerInfo
@@ -198,6 +230,10 @@ private static AutomationManagerInfo ToManagerInfo(IPackageManager manager)
             DisplayName = manager.DisplayName,
             Enabled = manager.IsEnabled(),
             Ready = manager.IsReady(),
+            NotificationsSuppressed = Settings.GetDictionaryItem<string, bool>(
+                Settings.K.DisabledPackageManagerNotifications,
+                manager.Name
+            ),
             ExecutablePath = manager.Status.ExecutablePath,
             ExecutableArguments = manager.Status.ExecutableCallArgs,
             Capabilities = new AutomationManagerCapabilitiesInfo

src/UniGetUI.Interface.BackgroundApi/AutomationSecureSettingsApi.cs

@@ -0,0 +1,105 @@
+using UniGetUI.Core.SettingsEngine.SecureSettings;
+
+namespace UniGetUI.Interface;
+
+public sealed class AutomationSecureSettingInfo
+{
+    public string Key { get; set; } = "";
+    public string Name { get; set; } = "";
+    public string UserName { get; set; } = "";
+    public bool IsCurrentUser { get; set; }
+    public bool Enabled { get; set; }
+}
+
+public sealed class AutomationSecureSettingRequest
+{
+    public string SettingKey { get; set; } = "";
+    public string? UserName { get; set; }
+    public bool Enabled { get; set; }
+}
+
+public static class AutomationSecureSettingsApi
+{
+    public static IReadOnlyList<AutomationSecureSettingInfo> ListSettings(string? userName = null)
+    {
+        string resolvedUser = ResolveUserName(userName);
+        return Enum.GetValues<SecureSettings.K>()
+            .Where(key => key != SecureSettings.K.Unset)
+            .OrderBy(key => key.ToString(), StringComparer.OrdinalIgnoreCase)
+            .Select(key => ToSecureSettingInfo(key, resolvedUser))
+            .ToArray();
+    }
+
+    public static AutomationSecureSettingInfo GetSetting(string settingKey, string? userName = null)
+    {
+        return ToSecureSettingInfo(ResolveSettingKey(settingKey), ResolveUserName(userName));
+    }
+
+    public static async Task<AutomationSecureSettingInfo> SetSettingAsync(
+        AutomationSecureSettingRequest request
+    )
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        var key = ResolveSettingKey(request.SettingKey);
+        string userName = ResolveUserName(request.UserName);
+
+        bool success = userName.Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase)
+            ? await SecureSettings.TrySet(key, request.Enabled)
+            : SecureSettings.ApplyForUser(userName, SecureSettings.ResolveKey(key), request.Enabled) == 0;
+
+        if (!success)
+        {
+            throw new InvalidOperationException(
+                $"Could not update secure setting \"{SecureSettings.ResolveKey(key)}\" for user \"{userName}\"."
+            );
+        }
+
+        return ToSecureSettingInfo(key, userName);
+    }
+
+    private static AutomationSecureSettingInfo ToSecureSettingInfo(
+        SecureSettings.K key,
+        string userName
+    )
+    {
+        return new AutomationSecureSettingInfo
+        {
+            Key = key.ToString(),
+            Name = SecureSettings.ResolveKey(key),
+            UserName = userName,
+            IsCurrentUser = userName.Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase),
+            Enabled = SecureSettings.GetForUser(userName, key),
+        };
+    }
+
+    private static SecureSettings.K ResolveSettingKey(string settingKey)
+    {
+        if (string.IsNullOrWhiteSpace(settingKey))
+        {
+            throw new InvalidOperationException("The secure setting key parameter is required.");
+        }
+
+        if (Enum.TryParse(settingKey, true, out SecureSettings.K enumKey) && enumKey != SecureSettings.K.Unset)
+        {
+            return enumKey;
+        }
+
+        foreach (var key in Enum.GetValues<SecureSettings.K>())
+        {
+            if (
+                key != SecureSettings.K.Unset
+                && SecureSettings.ResolveKey(key).Equals(settingKey, StringComparison.OrdinalIgnoreCase)
+            )
+            {
+                return key;
+            }
+        }
+
+        throw new InvalidOperationException($"No secure setting matching \"{settingKey}\" was found.");
+    }
+
+    private static string ResolveUserName(string? userName)
+    {
+        return string.IsNullOrWhiteSpace(userName) ? Environment.UserName : userName.Trim();
+    }
+}