fix: gate resumeWorkflow with waitForKeys, prevent crypto migration loop

- Add waitForKeys() to resumeWorkflow() (4th public entry point missed)
- Split writeEncryptedKeys (UI setter, plaintext fallback) from
  tryMigrateToEncrypted (migration only, no-op on crypto failure)
- Prevents repeated failed migration attempts on every page load when
  SubtleCrypto/IndexedDB is unavailable

Author: RobThePCGuy

src/core/run-controller.ts

@@ -367,6 +367,7 @@ class RunController {
 
   async resumeWorkflow(workflowPath: string): Promise<void> {
     if (this.state.isRunning) return;
+    await this.waitForKeys();
 
     const content = vfsStore.getState().read(workflowPath);
     if (!content) return;

src/stores/use-stores.ts

@@ -126,17 +126,30 @@ async function loadCryptoKey(): Promise<CryptoKey> {
   if (!_cryptoKey) _cryptoKey = await getOrCreateKey();
   return _cryptoKey;
 }
+/** Write keys to localStorage, encrypted if possible, plaintext as fallback. */
 async function writeEncryptedKeys(keys: Record<string, string>): Promise<void> {
   try {
     const key = await loadCryptoKey();
     const encrypted = await encryptValue(key, JSON.stringify(keys));
     localStorage.setItem('mas-provider-api-keys', encrypted);
   } catch {
-    // SubtleCrypto/IndexedDB unavailable — write plaintext as fallback
+    // SubtleCrypto/IndexedDB unavailable — write plaintext so key changes aren't lost
     try { localStorage.setItem('mas-provider-api-keys', JSON.stringify(keys)); } catch { /* */ }
   }
 }
 
+/** Attempt to encrypt existing plaintext keys. Returns true if migration succeeded. */
+async function tryMigrateToEncrypted(keys: Record<string, string>): Promise<boolean> {
+  try {
+    const key = await loadCryptoKey();
+    const encrypted = await encryptValue(key, JSON.stringify(keys));
+    localStorage.setItem('mas-provider-api-keys', encrypted);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 export const uiStore = createStore<UIState>((set) => ({
   selectedAgentId: null,
   selectedFilePath: null,
@@ -238,8 +251,9 @@ export const uiStore = createStore<UIState>((set) => ({
         state.setProviderApiKeys(keys);
       }
     } else if (_rawProviderApiKeys) {
-      // Stored value is plaintext JSON — migrate to encrypted
-      await writeEncryptedKeys(persistedProviderApiKeys);
+      // Stored value is plaintext JSON — try to migrate to encrypted.
+      // If crypto is unavailable, leave plaintext as-is (no-op, no loop on next load).
+      await tryMigrateToEncrypted(persistedProviderApiKeys);
     }
   } catch (err) {
     uiStore.getState().setKeysError(