@aigne/afs-vault 1.11.0-beta.12

package/LICENSE.md

@@ -0,0 +1,26 @@
+# Proprietary License
+
+Copyright (c) 2024-2025 ArcBlock, Inc. All Rights Reserved.
+
+This software and associated documentation files (the "Software") are proprietary
+and confidential. Unauthorized copying, modification, distribution, or use of
+this Software, via any medium, is strictly prohibited.
+
+The Software is provided for internal use only within ArcBlock, Inc. and its
+authorized affiliates.
+
+## No License Granted
+
+No license, express or implied, is granted to any party for any purpose.
+All rights are reserved by ArcBlock, Inc.
+
+## Public Artifact Distribution
+
+Portions of this Software may be released publicly under separate open-source
+licenses (such as MIT License) through designated public repositories. Such
+public releases are governed by their respective licenses and do not affect
+the proprietary nature of this repository.
+
+## Contact
+
+For licensing inquiries, contact: legal@arcblock.io

package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs

@@ -0,0 +1,11 @@
+
+//#region \0@oxc-project+runtime@0.108.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+
+//#endregion
+exports.__decorate = __decorate;

package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs

@@ -0,0 +1,10 @@
+//#region \0@oxc-project+runtime@0.108.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+
+//#endregion
+export { __decorate };

package/dist/encrypted-file.cjs

@@ -0,0 +1,157 @@
+let node_crypto = require("node:crypto");
+let node_fs_promises = require("node:fs/promises");
+let node_path = require("node:path");
+
+//#region src/encrypted-file.ts
+/**
+* Encrypted file backend for vault storage.
+*
+* - AES-256-GCM encryption
+* - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+* - File format: JSON header + encrypted blob
+* - File permissions: 0600
+*/
+/** Encryption parameters */
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 32;
+const AUTH_TAG_LENGTH = 16;
+const SCRYPT_N = 2 ** 14;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+const SCRYPT_KEYLEN = KEY_LENGTH;
+const FILE_MODE = 384;
+/** Magic bytes to identify vault files */
+const MAGIC = "AFSVAULT";
+const FORMAT_VERSION = 1;
+/**
+* Generate a random 256-bit master key.
+*/
+function generateMasterKey() {
+	return (0, node_crypto.randomBytes)(KEY_LENGTH);
+}
+/**
+* Derive a master key from a passphrase using crypto.scrypt.
+*/
+function deriveKeyFromPassphrase(passphrase, salt) {
+	return (0, node_crypto.scryptSync)(passphrase, salt, SCRYPT_KEYLEN, {
+		N: SCRYPT_N,
+		r: SCRYPT_R,
+		p: SCRYPT_P
+	});
+}
+/**
+* Encrypt vault data and write to file.
+*/
+async function writeEncryptedVault(filePath, data, masterKey) {
+	const json = JSON.stringify(data);
+	const plaintext = Buffer.from(json, "utf-8");
+	const salt = (0, node_crypto.randomBytes)(SALT_LENGTH);
+	const iv = (0, node_crypto.randomBytes)(IV_LENGTH);
+	const cipher = (0, node_crypto.createCipheriv)("aes-256-gcm", masterKey, iv);
+	const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+	const authTag = cipher.getAuthTag();
+	const magic = Buffer.from(MAGIC, "ascii");
+	const version = Buffer.alloc(1);
+	version[0] = FORMAT_VERSION;
+	const fileContent = Buffer.concat([
+		magic,
+		version,
+		salt,
+		iv,
+		authTag,
+		encrypted
+	]);
+	await (0, node_fs_promises.mkdir)((0, node_path.dirname)(filePath), { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}`;
+	try {
+		await (0, node_fs_promises.writeFile)(tmpPath, fileContent, { mode: FILE_MODE });
+		await (0, node_fs_promises.rename)(tmpPath, filePath);
+	} catch (err) {
+		try {
+			const { unlink } = await import("node:fs/promises");
+			await unlink(tmpPath);
+		} catch {}
+		throw err;
+	}
+	try {
+		if (((await (0, node_fs_promises.stat)(filePath)).mode & 511) !== FILE_MODE) await (0, node_fs_promises.chmod)(filePath, FILE_MODE);
+	} catch {}
+}
+/**
+* Read and decrypt vault data from file.
+* Returns null if file does not exist.
+*/
+async function readEncryptedVault(filePath, masterKey) {
+	let fileContent;
+	try {
+		fileContent = await (0, node_fs_promises.readFile)(filePath);
+	} catch (err) {
+		if (err?.code === "ENOENT") return null;
+		throw err;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+	if (fileContent.length < minSize) throw new Error("Vault file is corrupted: too small");
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) throw new Error("Not a valid vault file");
+	const version = fileContent[magicLen];
+	if (version !== FORMAT_VERSION) throw new Error(`Unsupported vault format version: ${version}`);
+	let offset = magicLen + 1;
+	fileContent.subarray(offset, offset + SALT_LENGTH);
+	offset += SALT_LENGTH;
+	const iv = fileContent.subarray(offset, offset + IV_LENGTH);
+	offset += IV_LENGTH;
+	const authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);
+	offset += AUTH_TAG_LENGTH;
+	const ciphertext = fileContent.subarray(offset);
+	const decipher = (0, node_crypto.createDecipheriv)("aes-256-gcm", masterKey, iv);
+	decipher.setAuthTag(authTag);
+	let plaintext;
+	try {
+		plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+	} catch {
+		throw new Error("Vault decryption failed: wrong master key or corrupted data");
+	}
+	const json = plaintext.toString("utf-8");
+	try {
+		return JSON.parse(json);
+	} catch {
+		throw new Error("Vault data is corrupted: invalid JSON after decryption");
+	}
+}
+/**
+* Read the per-file salt from a vault file header.
+* Returns null if file does not exist or is not a valid vault file.
+*/
+async function readVaultSalt(filePath) {
+	let fileContent;
+	try {
+		fileContent = await (0, node_fs_promises.readFile)(filePath);
+	} catch {
+		return null;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH;
+	if (fileContent.length < minSize) return null;
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) return null;
+	return fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);
+}
+/**
+* Check if a vault file exists.
+*/
+async function vaultFileExists(filePath) {
+	try {
+		await (0, node_fs_promises.stat)(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+exports.deriveKeyFromPassphrase = deriveKeyFromPassphrase;
+exports.generateMasterKey = generateMasterKey;
+exports.readEncryptedVault = readEncryptedVault;
+exports.readVaultSalt = readVaultSalt;
+exports.vaultFileExists = vaultFileExists;
+exports.writeEncryptedVault = writeEncryptedVault;

package/dist/encrypted-file.d.cts

@@ -0,0 +1,44 @@
+//#region src/encrypted-file.d.ts
+/**
+ * Encrypted file backend for vault storage.
+ *
+ * - AES-256-GCM encryption
+ * - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+ * - File format: JSON header + encrypted blob
+ * - File permissions: 0600
+ */
+/** File header layout (binary):
+ *  8 bytes  — magic "AFSVAULT"
+ *  1 byte   — format version
+ *  32 bytes — salt (for passphrase-derived keys; random for direct keys)
+ *  12 bytes — IV
+ *  16 bytes — auth tag
+ *  rest     — ciphertext
+ */
+interface VaultData {
+  secrets: Record<string, Record<string, string>>;
+}
+/**
+ * Generate a random 256-bit master key.
+ */
+declare function generateMasterKey(): Buffer;
+/**
+ * Derive a master key from a passphrase using crypto.scrypt.
+ */
+declare function deriveKeyFromPassphrase(passphrase: string, salt: Buffer): Buffer;
+/**
+ * Encrypt vault data and write to file.
+ */
+declare function writeEncryptedVault(filePath: string, data: VaultData, masterKey: Buffer): Promise<void>;
+/**
+ * Read and decrypt vault data from file.
+ * Returns null if file does not exist.
+ */
+declare function readEncryptedVault(filePath: string, masterKey: Buffer): Promise<VaultData | null>;
+/**
+ * Check if a vault file exists.
+ */
+declare function vaultFileExists(filePath: string): Promise<boolean>;
+//#endregion
+export { VaultData, deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, vaultFileExists, writeEncryptedVault };
+//# sourceMappingURL=encrypted-file.d.cts.map

package/dist/encrypted-file.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-file.d.cts","names":[],"sources":["../src/encrypted-file.ts"],"mappings":";;AAqCA;;;;;;;;;AAYA;;;;;AAOA;UAnBiB,SAAA;EACf,OAAA,EAAS,MAAA,SAAe,MAAA;AAAA;;;AA6B1B;iBAlBgB,iBAAA,CAAA,GAAqB,MAAA;;;;iBAOrB,uBAAA,CAAwB,UAAA,UAAoB,IAAA,EAAM,MAAA,GAAS,MAAA;;;;iBAWrD,mBAAA,CACpB,QAAA,UACA,IAAA,EAAM,SAAA,EACN,SAAA,EAAW,MAAA,GACV,OAAA;;;;;iBAmDmB,kBAAA,CACpB,QAAA,UACA,SAAA,EAAW,MAAA,GACV,OAAA,CAAQ,SAAA;;;;iBA+EW,eAAA,CAAgB,QAAA,WAAmB,OAAA"}

package/dist/encrypted-file.d.mts

@@ -0,0 +1,44 @@
+//#region src/encrypted-file.d.ts
+/**
+ * Encrypted file backend for vault storage.
+ *
+ * - AES-256-GCM encryption
+ * - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+ * - File format: JSON header + encrypted blob
+ * - File permissions: 0600
+ */
+/** File header layout (binary):
+ *  8 bytes  — magic "AFSVAULT"
+ *  1 byte   — format version
+ *  32 bytes — salt (for passphrase-derived keys; random for direct keys)
+ *  12 bytes — IV
+ *  16 bytes — auth tag
+ *  rest     — ciphertext
+ */
+interface VaultData {
+  secrets: Record<string, Record<string, string>>;
+}
+/**
+ * Generate a random 256-bit master key.
+ */
+declare function generateMasterKey(): Buffer;
+/**
+ * Derive a master key from a passphrase using crypto.scrypt.
+ */
+declare function deriveKeyFromPassphrase(passphrase: string, salt: Buffer): Buffer;
+/**
+ * Encrypt vault data and write to file.
+ */
+declare function writeEncryptedVault(filePath: string, data: VaultData, masterKey: Buffer): Promise<void>;
+/**
+ * Read and decrypt vault data from file.
+ * Returns null if file does not exist.
+ */
+declare function readEncryptedVault(filePath: string, masterKey: Buffer): Promise<VaultData | null>;
+/**
+ * Check if a vault file exists.
+ */
+declare function vaultFileExists(filePath: string): Promise<boolean>;
+//#endregion
+export { VaultData, deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, vaultFileExists, writeEncryptedVault };
+//# sourceMappingURL=encrypted-file.d.mts.map

package/dist/encrypted-file.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-file.d.mts","names":[],"sources":["../src/encrypted-file.ts"],"mappings":";;AAqCA;;;;;;;;;AAYA;;;;;AAOA;UAnBiB,SAAA;EACf,OAAA,EAAS,MAAA,SAAe,MAAA;AAAA;;;AA6B1B;iBAlBgB,iBAAA,CAAA,GAAqB,MAAA;;;;iBAOrB,uBAAA,CAAwB,UAAA,UAAoB,IAAA,EAAM,MAAA,GAAS,MAAA;;;;iBAWrD,mBAAA,CACpB,QAAA,UACA,IAAA,EAAM,SAAA,EACN,SAAA,EAAW,MAAA,GACV,OAAA;;;;;iBAmDmB,kBAAA,CACpB,QAAA,UACA,SAAA,EAAW,MAAA,GACV,OAAA,CAAQ,SAAA;;;;iBA+EW,eAAA,CAAgB,QAAA,WAAmB,OAAA"}

package/dist/encrypted-file.mjs

@@ -0,0 +1,153 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+import { chmod, mkdir, readFile, rename, stat, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+
+//#region src/encrypted-file.ts
+/**
+* Encrypted file backend for vault storage.
+*
+* - AES-256-GCM encryption
+* - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+* - File format: JSON header + encrypted blob
+* - File permissions: 0600
+*/
+/** Encryption parameters */
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 32;
+const AUTH_TAG_LENGTH = 16;
+const SCRYPT_N = 2 ** 14;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+const SCRYPT_KEYLEN = KEY_LENGTH;
+const FILE_MODE = 384;
+/** Magic bytes to identify vault files */
+const MAGIC = "AFSVAULT";
+const FORMAT_VERSION = 1;
+/**
+* Generate a random 256-bit master key.
+*/
+function generateMasterKey() {
+	return randomBytes(KEY_LENGTH);
+}
+/**
+* Derive a master key from a passphrase using crypto.scrypt.
+*/
+function deriveKeyFromPassphrase(passphrase, salt) {
+	return scryptSync(passphrase, salt, SCRYPT_KEYLEN, {
+		N: SCRYPT_N,
+		r: SCRYPT_R,
+		p: SCRYPT_P
+	});
+}
+/**
+* Encrypt vault data and write to file.
+*/
+async function writeEncryptedVault(filePath, data, masterKey) {
+	const json = JSON.stringify(data);
+	const plaintext = Buffer.from(json, "utf-8");
+	const salt = randomBytes(SALT_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+	const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+	const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+	const authTag = cipher.getAuthTag();
+	const magic = Buffer.from(MAGIC, "ascii");
+	const version = Buffer.alloc(1);
+	version[0] = FORMAT_VERSION;
+	const fileContent = Buffer.concat([
+		magic,
+		version,
+		salt,
+		iv,
+		authTag,
+		encrypted
+	]);
+	await mkdir(dirname(filePath), { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}`;
+	try {
+		await writeFile(tmpPath, fileContent, { mode: FILE_MODE });
+		await rename(tmpPath, filePath);
+	} catch (err) {
+		try {
+			const { unlink } = await import("node:fs/promises");
+			await unlink(tmpPath);
+		} catch {}
+		throw err;
+	}
+	try {
+		if (((await stat(filePath)).mode & 511) !== FILE_MODE) await chmod(filePath, FILE_MODE);
+	} catch {}
+}
+/**
+* Read and decrypt vault data from file.
+* Returns null if file does not exist.
+*/
+async function readEncryptedVault(filePath, masterKey) {
+	let fileContent;
+	try {
+		fileContent = await readFile(filePath);
+	} catch (err) {
+		if (err?.code === "ENOENT") return null;
+		throw err;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+	if (fileContent.length < minSize) throw new Error("Vault file is corrupted: too small");
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) throw new Error("Not a valid vault file");
+	const version = fileContent[magicLen];
+	if (version !== FORMAT_VERSION) throw new Error(`Unsupported vault format version: ${version}`);
+	let offset = magicLen + 1;
+	fileContent.subarray(offset, offset + SALT_LENGTH);
+	offset += SALT_LENGTH;
+	const iv = fileContent.subarray(offset, offset + IV_LENGTH);
+	offset += IV_LENGTH;
+	const authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);
+	offset += AUTH_TAG_LENGTH;
+	const ciphertext = fileContent.subarray(offset);
+	const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+	decipher.setAuthTag(authTag);
+	let plaintext;
+	try {
+		plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+	} catch {
+		throw new Error("Vault decryption failed: wrong master key or corrupted data");
+	}
+	const json = plaintext.toString("utf-8");
+	try {
+		return JSON.parse(json);
+	} catch {
+		throw new Error("Vault data is corrupted: invalid JSON after decryption");
+	}
+}
+/**
+* Read the per-file salt from a vault file header.
+* Returns null if file does not exist or is not a valid vault file.
+*/
+async function readVaultSalt(filePath) {
+	let fileContent;
+	try {
+		fileContent = await readFile(filePath);
+	} catch {
+		return null;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH;
+	if (fileContent.length < minSize) return null;
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) return null;
+	return fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);
+}
+/**
+* Check if a vault file exists.
+*/
+async function vaultFileExists(filePath) {
+	try {
+		await stat(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+export { deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, readVaultSalt, vaultFileExists, writeEncryptedVault };
+//# sourceMappingURL=encrypted-file.mjs.map

package/dist/encrypted-file.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-file.mjs","names":[],"sources":["../src/encrypted-file.ts"],"sourcesContent":["/**\n * Encrypted file backend for vault storage.\n *\n * - AES-256-GCM encryption\n * - Master key: 256-bit random or crypto.scrypt-derived from passphrase\n * - File format: JSON header + encrypted blob\n * - File permissions: 0600\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport { chmod, mkdir, readFile, rename, stat, writeFile } from \"node:fs/promises\";\nimport { dirname } from \"node:path\";\n\n/** Encryption parameters */\nconst KEY_LENGTH = 32; // 256 bits\nconst IV_LENGTH = 12; // 96 bits for GCM\nconst SALT_LENGTH = 32;\nconst AUTH_TAG_LENGTH = 16;\nconst SCRYPT_N = 2 ** 14; // 16384 — compatible with Bun's BoringSSL limits\nconst SCRYPT_R = 8;\nconst SCRYPT_P = 1;\nconst SCRYPT_KEYLEN = KEY_LENGTH;\nconst FILE_MODE = 0o600;\n\n/** Magic bytes to identify vault files */\nconst MAGIC = \"AFSVAULT\";\nconst FORMAT_VERSION = 1;\n\n/** File header layout (binary):\n *  8 bytes  — magic \"AFSVAULT\"\n *  1 byte   — format version\n *  32 bytes — salt (for passphrase-derived keys; random for direct keys)\n *  12 bytes — IV\n *  16 bytes — auth tag\n *  rest     — ciphertext\n */\n\nexport interface VaultData {\n  secrets: Record<string, Record<string, string>>;\n}\n\nexport interface EncryptedFileOptions {\n  /** Path to vault.enc file */\n  path: string;\n}\n\n/**\n * Generate a random 256-bit master key.\n */\nexport function generateMasterKey(): Buffer {\n  return randomBytes(KEY_LENGTH);\n}\n\n/**\n * Derive a master key from a passphrase using crypto.scrypt.\n */\nexport function deriveKeyFromPassphrase(passphrase: string, salt: Buffer): Buffer {\n  return scryptSync(passphrase, salt, SCRYPT_KEYLEN, {\n    N: SCRYPT_N,\n    r: SCRYPT_R,\n    p: SCRYPT_P,\n  }) as Buffer;\n}\n\n/**\n * Encrypt vault data and write to file.\n */\nexport async function writeEncryptedVault(\n  filePath: string,\n  data: VaultData,\n  masterKey: Buffer,\n): Promise<void> {\n  const json = JSON.stringify(data);\n  const plaintext = Buffer.from(json, \"utf-8\");\n\n  const salt = randomBytes(SALT_LENGTH);\n  const iv = randomBytes(IV_LENGTH);\n\n  const cipher = createCipheriv(\"aes-256-gcm\", masterKey, iv);\n  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n  const authTag = cipher.getAuthTag();\n\n  // Build file content\n  const magic = Buffer.from(MAGIC, \"ascii\");\n  const version = Buffer.alloc(1);\n  version[0] = FORMAT_VERSION;\n\n  const fileContent = Buffer.concat([magic, version, salt, iv, authTag, encrypted]);\n\n  // Atomic write\n  const dir = dirname(filePath);\n  await mkdir(dir, { recursive: true });\n\n  const tmpPath = `${filePath}.tmp.${process.pid}`;\n  try {\n    await writeFile(tmpPath, fileContent, { mode: FILE_MODE });\n    await rename(tmpPath, filePath);\n  } catch (err) {\n    try {\n      const { unlink } = await import(\"node:fs/promises\");\n      await unlink(tmpPath);\n    } catch {\n      // ignore cleanup errors\n    }\n    throw err;\n  }\n\n  // Ensure permissions on first creation\n  try {\n    const s = await stat(filePath);\n    if ((s.mode & 0o777) !== FILE_MODE) {\n      await chmod(filePath, FILE_MODE);\n    }\n  } catch {\n    // ignore stat errors\n  }\n}\n\n/**\n * Read and decrypt vault data from file.\n * Returns null if file does not exist.\n */\nexport async function readEncryptedVault(\n  filePath: string,\n  masterKey: Buffer,\n): Promise<VaultData | null> {\n  let fileContent: Buffer;\n  try {\n    fileContent = await readFile(filePath);\n  } catch (err: any) {\n    if (err?.code === \"ENOENT\") return null;\n    throw err;\n  }\n\n  // Parse header\n  const magicLen = MAGIC.length;\n  const minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;\n  if (fileContent.length < minSize) {\n    throw new Error(\"Vault file is corrupted: too small\");\n  }\n\n  const magic = fileContent.subarray(0, magicLen).toString(\"ascii\");\n  if (magic !== MAGIC) {\n    throw new Error(\"Not a valid vault file\");\n  }\n\n  const version = fileContent[magicLen];\n  if (version !== FORMAT_VERSION) {\n    throw new Error(`Unsupported vault format version: ${version}`);\n  }\n\n  let offset = magicLen + 1;\n  const _salt = fileContent.subarray(offset, offset + SALT_LENGTH);\n  offset += SALT_LENGTH;\n  const iv = fileContent.subarray(offset, offset + IV_LENGTH);\n  offset += IV_LENGTH;\n  const authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);\n  offset += AUTH_TAG_LENGTH;\n  const ciphertext = fileContent.subarray(offset);\n\n  // Decrypt\n  const decipher = createDecipheriv(\"aes-256-gcm\", masterKey, iv);\n  decipher.setAuthTag(authTag);\n\n  let plaintext: Buffer;\n  try {\n    plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n  } catch {\n    throw new Error(\"Vault decryption failed: wrong master key or corrupted data\");\n  }\n\n  const json = plaintext.toString(\"utf-8\");\n  try {\n    return JSON.parse(json) as VaultData;\n  } catch {\n    throw new Error(\"Vault data is corrupted: invalid JSON after decryption\");\n  }\n}\n\n/**\n * Read the per-file salt from a vault file header.\n * Returns null if file does not exist or is not a valid vault file.\n */\nexport async function readVaultSalt(filePath: string): Promise<Buffer | null> {\n  let fileContent: Buffer;\n  try {\n    fileContent = await readFile(filePath);\n  } catch {\n    return null;\n  }\n\n  const magicLen = MAGIC.length;\n  const minSize = magicLen + 1 + SALT_LENGTH;\n  if (fileContent.length < minSize) return null;\n\n  const magic = fileContent.subarray(0, magicLen).toString(\"ascii\");\n  if (magic !== MAGIC) return null;\n\n  return fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);\n}\n\n/**\n * Check if a vault file exists.\n */\nexport async function vaultFileExists(filePath: string): Promise<boolean> {\n  try {\n    await stat(filePath);\n    return true;\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;AAcA,MAAM,aAAa;AACnB,MAAM,YAAY;AAClB,MAAM,cAAc;AACpB,MAAM,kBAAkB;AACxB,MAAM,WAAW,KAAK;AACtB,MAAM,WAAW;AACjB,MAAM,WAAW;AACjB,MAAM,gBAAgB;AACtB,MAAM,YAAY;;AAGlB,MAAM,QAAQ;AACd,MAAM,iBAAiB;;;;AAuBvB,SAAgB,oBAA4B;AAC1C,QAAO,YAAY,WAAW;;;;;AAMhC,SAAgB,wBAAwB,YAAoB,MAAsB;AAChF,QAAO,WAAW,YAAY,MAAM,eAAe;EACjD,GAAG;EACH,GAAG;EACH,GAAG;EACJ,CAAC;;;;;AAMJ,eAAsB,oBACpB,UACA,MACA,WACe;CACf,MAAM,OAAO,KAAK,UAAU,KAAK;CACjC,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ;CAE5C,MAAM,OAAO,YAAY,YAAY;CACrC,MAAM,KAAK,YAAY,UAAU;CAEjC,MAAM,SAAS,eAAe,eAAe,WAAW,GAAG;CAC3D,MAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,UAAU,EAAE,OAAO,OAAO,CAAC,CAAC;CAC3E,MAAM,UAAU,OAAO,YAAY;CAGnC,MAAM,QAAQ,OAAO,KAAK,OAAO,QAAQ;CACzC,MAAM,UAAU,OAAO,MAAM,EAAE;AAC/B,SAAQ,KAAK;CAEb,MAAM,cAAc,OAAO,OAAO;EAAC;EAAO;EAAS;EAAM;EAAI;EAAS;EAAU,CAAC;AAIjF,OAAM,MADM,QAAQ,SAAS,EACZ,EAAE,WAAW,MAAM,CAAC;CAErC,MAAM,UAAU,GAAG,SAAS,OAAO,QAAQ;AAC3C,KAAI;AACF,QAAM,UAAU,SAAS,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1D,QAAM,OAAO,SAAS,SAAS;UACxB,KAAK;AACZ,MAAI;GACF,MAAM,EAAE,WAAW,MAAM,OAAO;AAChC,SAAM,OAAO,QAAQ;UACf;AAGR,QAAM;;AAIR,KAAI;AAEF,QADU,MAAM,KAAK,SAAS,EACvB,OAAO,SAAW,UACvB,OAAM,MAAM,UAAU,UAAU;SAE5B;;;;;;AASV,eAAsB,mBACpB,UACA,WAC2B;CAC3B,IAAI;AACJ,KAAI;AACF,gBAAc,MAAM,SAAS,SAAS;UAC/B,KAAU;AACjB,MAAI,KAAK,SAAS,SAAU,QAAO;AACnC,QAAM;;CAIR,MAAM,WAAW;CACjB,MAAM,UAAU,WAAW,IAAI,cAAc,YAAY;AACzD,KAAI,YAAY,SAAS,QACvB,OAAM,IAAI,MAAM,qCAAqC;AAIvD,KADc,YAAY,SAAS,GAAG,SAAS,CAAC,SAAS,QAAQ,KACnD,MACZ,OAAM,IAAI,MAAM,yBAAyB;CAG3C,MAAM,UAAU,YAAY;AAC5B,KAAI,YAAY,eACd,OAAM,IAAI,MAAM,qCAAqC,UAAU;CAGjE,IAAI,SAAS,WAAW;AACV,aAAY,SAAS,QAAQ,SAAS,YAAY;AAChE,WAAU;CACV,MAAM,KAAK,YAAY,SAAS,QAAQ,SAAS,UAAU;AAC3D,WAAU;CACV,MAAM,UAAU,YAAY,SAAS,QAAQ,SAAS,gBAAgB;AACtE,WAAU;CACV,MAAM,aAAa,YAAY,SAAS,OAAO;CAG/C,MAAM,WAAW,iBAAiB,eAAe,WAAW,GAAG;AAC/D,UAAS,WAAW,QAAQ;CAE5B,IAAI;AACJ,KAAI;AACF,cAAY,OAAO,OAAO,CAAC,SAAS,OAAO,WAAW,EAAE,SAAS,OAAO,CAAC,CAAC;SACpE;AACN,QAAM,IAAI,MAAM,8DAA8D;;CAGhF,MAAM,OAAO,UAAU,SAAS,QAAQ;AACxC,KAAI;AACF,SAAO,KAAK,MAAM,KAAK;SACjB;AACN,QAAM,IAAI,MAAM,yDAAyD;;;;;;;AAQ7E,eAAsB,cAAc,UAA0C;CAC5E,IAAI;AACJ,KAAI;AACF,gBAAc,MAAM,SAAS,SAAS;SAChC;AACN,SAAO;;CAGT,MAAM,WAAW;CACjB,MAAM,UAAU,WAAW,IAAI;AAC/B,KAAI,YAAY,SAAS,QAAS,QAAO;AAGzC,KADc,YAAY,SAAS,GAAG,SAAS,CAAC,SAAS,QAAQ,KACnD,MAAO,QAAO;AAE5B,QAAO,YAAY,SAAS,WAAW,GAAG,WAAW,IAAI,YAAY;;;;;AAMvE,eAAsB,gBAAgB,UAAoC;AACxE,KAAI;AACF,QAAM,KAAK,SAAS;AACpB,SAAO;SACD;AACN,SAAO"}