@botbotgo/common 1.0.0

package/dist/security-store/index.js

@@ -0,0 +1,819 @@
+// src/security-store/store.ts
+import crypto from "crypto";
+
+// src/security-store/backends/file/index.ts
+import { chmod, mkdir, readFile, rename, writeFile } from "fs/promises";
+import path2 from "path";
+
+// src/security-store/backends/utils.ts
+import { homedir } from "os";
+import path from "path";
+function buildEntryKey(service, account) {
+  return `${service}:${account}`;
+}
+function sanitizeServiceName(service) {
+  return service.replace(/[^A-Za-z0-9._-]+/g, "_");
+}
+function defaultFileStorePath(service = "default") {
+  return path.join(homedir(), ".botbotgo", "secret-store", `${sanitizeServiceName(service)}.json`);
+}
+
+// src/security-store/backends/file/index.ts
+var FILE_STORE_VERSION = 1;
+function emptyFileStoreData() {
+  return { version: FILE_STORE_VERSION, secrets: {}, masterKeys: {} };
+}
+var FileSecretStoreBackend = class {
+  filePath;
+  data = null;
+  loading = null;
+  writeQueue = Promise.resolve();
+  constructor(options = {}) {
+    this.filePath = options.filePath?.trim() || defaultFileStorePath(options.service);
+  }
+  async init() {
+    await this.ensureLoaded();
+  }
+  async getSecret(service, account) {
+    await this.ensureLoaded();
+    return this.data?.secrets[buildEntryKey(service, account)];
+  }
+  async setSecret(service, account, value) {
+    await this.mutate((data) => {
+      data.secrets[buildEntryKey(service, account)] = value;
+    });
+  }
+  async deleteSecret(service, account) {
+    let deleted = false;
+    await this.mutate((data) => {
+      const key = buildEntryKey(service, account);
+      deleted = Object.hasOwn(data.secrets, key);
+      delete data.secrets[key];
+    });
+    return deleted;
+  }
+  async getMasterKey(context) {
+    await this.ensureLoaded();
+    const encoded = this.data?.masterKeys[buildEntryKey(context.service, context.account)];
+    return encoded ? Buffer.from(encoded, "base64") : null;
+  }
+  async setMasterKey(context, key) {
+    await this.mutate((data) => {
+      data.masterKeys[buildEntryKey(context.service, context.account)] = key.toString("base64");
+    });
+  }
+  async ensureLoaded() {
+    if (this.data) return;
+    if (!this.loading) this.loading = this.load();
+    await this.loading;
+  }
+  async load() {
+    const directory = path2.dirname(this.filePath);
+    await mkdir(directory, { recursive: true });
+    await this.setPermissions(directory, 448);
+    try {
+      const raw = await readFile(this.filePath, "utf8");
+      const parsed = JSON.parse(raw);
+      this.data = {
+        version: FILE_STORE_VERSION,
+        secrets: parsed.secrets ?? {},
+        masterKeys: parsed.masterKeys ?? {}
+      };
+      await this.setPermissions(this.filePath, 384);
+    } catch (error) {
+      const code = error?.code;
+      if (code !== "ENOENT") throw error;
+      this.data = emptyFileStoreData();
+    } finally {
+      this.loading = null;
+    }
+  }
+  async mutate(update) {
+    await this.ensureLoaded();
+    this.writeQueue = this.writeQueue.then(async () => {
+      const current = this.data ?? emptyFileStoreData();
+      const next = {
+        version: current.version,
+        secrets: { ...current.secrets },
+        masterKeys: { ...current.masterKeys }
+      };
+      update(next);
+      await this.persist(next);
+      this.data = next;
+    });
+    await this.writeQueue;
+  }
+  async persist(data) {
+    const directory = path2.dirname(this.filePath);
+    const tempPath = `${this.filePath}.${process.pid}.${Date.now()}.tmp`;
+    await mkdir(directory, { recursive: true });
+    await writeFile(tempPath, `${JSON.stringify(data, null, 2)}
+`, {
+      encoding: "utf8",
+      mode: 384
+    });
+    await rename(tempPath, this.filePath);
+    await this.setPermissions(this.filePath, 384);
+  }
+  async setPermissions(targetPath, mode) {
+    try {
+      await chmod(targetPath, mode);
+    } catch {
+    }
+  }
+};
+
+// src/security-store/backends/keychain/index.ts
+import { execFile as execFile2 } from "child_process";
+import { promisify as promisify2 } from "util";
+
+// src/security-store/backends/keychain/constants.ts
+var SECURITY_BIN = "/usr/bin/security";
+var CODESIGN_BIN = "/usr/bin/codesign";
+var MASTER_KEY_LENGTH = 32;
+var DEFAULT_BIOMETRIC_PROMPT = "Authenticate to access secure data";
+
+// src/security-store/backends/keychain/keytar.ts
+import { createRequire } from "module";
+
+// src/security-store/backends/keychain/utils.ts
+function assertMacOS() {
+  if (process.platform !== "darwin") {
+    throw new Error("This module is only supported on macOS.");
+  }
+}
+function assertNonEmpty(value, field) {
+  const normalized = value.trim();
+  if (normalized.length === 0) {
+    throw new Error(`${field} must be a non-empty string.`);
+  }
+  return normalized;
+}
+function normalizeAppleDeveloperTeamId(teamId) {
+  const value = teamId?.trim();
+  if (!value) return void 0;
+  if (!/^[A-Za-z0-9]{10}$/.test(value)) {
+    throw new Error("appleDeveloperTeamId must be a 10-character alphanumeric string.");
+  }
+  return value;
+}
+function normalizeBiometricPolicy(policy) {
+  if (!policy) return "none";
+  if (policy === "none" || policy === "auto" || policy === "user-presence" || policy === "biometry-current-set") {
+    return policy;
+  }
+  return "none";
+}
+function resolveSwiftBiometricPolicy(policy) {
+  return policy === "biometry-current-set" ? "biometry-current-set" : "user-presence";
+}
+function isSwiftUnavailableError(error) {
+  const text = error instanceof Error ? `${error.message}` : String(error ?? "");
+  return text.includes("spawn xcrun ENOENT") || text.includes("xcrun: error") || text.includes('unable to find utility "swift"') || text.includes("invalid active developer path") || text.includes("tool 'swift' requires Xcode");
+}
+function isSwiftEntitlementError(error) {
+  const text = error instanceof Error ? `${error.message}` : String(error ?? "");
+  return text.includes("A required entitlement isn't present.") || text.includes("errSecMissingEntitlement");
+}
+function isKeychainNotFoundError(error) {
+  const text = error instanceof Error ? `${error.message}` : String(error ?? "");
+  return text.includes("could not be found") || text.includes("The specified item could not be found");
+}
+function isPackagedApp() {
+  return process.execPath.includes(".app/Contents/MacOS/");
+}
+function resolveAppBinPath(appBinPath) {
+  if (appBinPath) return appBinPath;
+  if (isPackagedApp()) return process.execPath;
+  throw new Error(
+    "appBinPath is required when not running from a packaged .app (process.execPath does not contain .app/Contents/MacOS/)"
+  );
+}
+
+// src/security-store/backends/keychain/keytar.ts
+var require2 = createRequire(import.meta.url);
+var keytar = null;
+function getKeytar() {
+  assertMacOS();
+  if (keytar === null) {
+    try {
+      const loaded = require2("keytar");
+      if (!loaded || typeof loaded.getPassword !== "function") {
+        throw new Error("keytar.getPassword() is unavailable.");
+      }
+      keytar = loaded;
+    } catch {
+      throw new Error(
+        "keytar is not available. Install keytar to use Keychain features on macOS."
+      );
+    }
+  }
+  return keytar;
+}
+
+// src/security-store/backends/keychain/swift-bridge.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var SWIFT_KEYCHAIN_BRIDGE = `
+import Foundation
+import Security
+
+func emit(_ obj: [String: Any]) {
+  let data = try! JSONSerialization.data(withJSONObject: obj, options: [])
+  print(String(data: data, encoding: .utf8)!)
+}
+
+func secMessage(_ status: OSStatus) -> String {
+  if let msg = SecCopyErrorMessageString(status, nil) { return msg as String }
+  return "OSStatus \\(status)"
+}
+
+let env = ProcessInfo.processInfo.environment
+let op = env["EASYNET_KC_OP"] ?? ""
+let service = env["EASYNET_KC_SERVICE"] ?? ""
+let account = env["EASYNET_KC_ACCOUNT"] ?? ""
+let secret = env["EASYNET_KC_SECRET"] ?? ""
+let prompt = env["EASYNET_KC_PROMPT"] ?? ""
+let biometric = env["EASYNET_KC_BIOMETRIC"] ?? "none"
+
+if op.isEmpty || service.isEmpty || account.isEmpty {
+  emit(["ok": false, "error": "Missing required env values"])
+  exit(2)
+}
+
+func buildBaseQuery() -> [String: Any] {
+  return [
+    kSecClass as String: kSecClassGenericPassword,
+    kSecAttrService as String: service,
+    kSecAttrAccount as String: account
+  ]
+}
+
+func buildAccessControl(_ policy: String) -> SecAccessControl? {
+  if policy == "none" { return nil }
+  var flags: SecAccessControlCreateFlags = []
+  if policy == "user-presence" {
+    flags.insert(.userPresence)
+  } else if policy == "biometry-current-set" {
+    flags.insert(.biometryCurrentSet)
+  } else {
+    flags.insert(.userPresence)
+  }
+  var err: Unmanaged<CFError>?
+  let ac = SecAccessControlCreateWithFlags(
+    nil,
+    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+    flags,
+    &err
+  )
+  return ac
+}
+
+switch op {
+case "set":
+  guard let data = secret.data(using: .utf8) else {
+    emit(["ok": false, "error": "Secret is not valid UTF-8"])
+    exit(2)
+  }
+  var add = buildBaseQuery()
+  add[kSecValueData as String] = data
+
+  if biometric != "none" {
+    guard let ac = buildAccessControl(biometric) else {
+      emit(["ok": false, "error": "Failed to build access control"])
+      exit(1)
+    }
+    add[kSecAttrAccessControl as String] = ac
+    _ = SecItemDelete(buildBaseQuery() as CFDictionary)
+    let status = SecItemAdd(add as CFDictionary, nil)
+    if status != errSecSuccess {
+      emit(["ok": false, "error": secMessage(status)])
+      exit(1)
+    }
+    emit(["ok": true])
+    exit(0)
+  }
+
+  let addStatus = SecItemAdd(add as CFDictionary, nil)
+  if addStatus == errSecSuccess {
+    emit(["ok": true])
+    exit(0)
+  }
+  if addStatus == errSecDuplicateItem {
+    let updateStatus = SecItemUpdate(buildBaseQuery() as CFDictionary, [kSecValueData as String: data] as CFDictionary)
+    if updateStatus == errSecSuccess {
+      emit(["ok": true])
+      exit(0)
+    }
+    emit(["ok": false, "error": secMessage(updateStatus)])
+    exit(1)
+  }
+  emit(["ok": false, "error": secMessage(addStatus)])
+  exit(1)
+
+case "get":
+  var query = buildBaseQuery()
+  query[kSecReturnData as String] = true
+  query[kSecMatchLimit as String] = kSecMatchLimitOne
+  if !prompt.isEmpty {
+    query[kSecUseOperationPrompt as String] = prompt
+  }
+  var item: CFTypeRef?
+  let status = SecItemCopyMatching(query as CFDictionary, &item)
+  if status == errSecItemNotFound {
+    emit(["ok": true, "found": false])
+    exit(0)
+  }
+  if status != errSecSuccess {
+    emit(["ok": false, "error": secMessage(status)])
+    exit(1)
+  }
+  guard let data = item as? Data else {
+    emit(["ok": false, "error": "Unexpected keychain data"])
+    exit(1)
+  }
+  let value = String(data: data, encoding: .utf8) ?? ""
+  emit(["ok": true, "found": true, "value": value])
+  exit(0)
+
+default:
+  emit(["ok": false, "error": "Unsupported operation"])
+  exit(2)
+}
+`;
+async function runSwiftKeychain(op, input) {
+  const env = {
+    ...process.env,
+    EASYNET_KC_OP: op,
+    EASYNET_KC_SERVICE: input.service,
+    EASYNET_KC_ACCOUNT: input.account,
+    EASYNET_KC_SECRET: input.secret ?? "",
+    EASYNET_KC_PROMPT: input.prompt ?? "",
+    EASYNET_KC_BIOMETRIC: normalizeBiometricPolicy(input.biometric)
+  };
+  try {
+    const { stdout } = await execFileAsync("xcrun", ["swift", "-e", SWIFT_KEYCHAIN_BRIDGE], {
+      env,
+      encoding: "utf8",
+      maxBuffer: 1024 * 1024
+    });
+    return JSON.parse(stdout.trim());
+  } catch (error) {
+    const err = error;
+    const stderr = typeof err.stderr === "string" ? err.stderr.trim() : Buffer.isBuffer(err.stderr) ? err.stderr.toString("utf8").trim() : "";
+    const stdout = typeof err.stdout === "string" ? err.stdout.trim() : Buffer.isBuffer(err.stdout) ? err.stdout.toString("utf8").trim() : "";
+    const details = [
+      err.message ?? String(error),
+      stderr ? `stderr: ${stderr}` : "",
+      stdout ? `stdout: ${stdout}` : ""
+    ].filter(Boolean).join("\n");
+    throw new Error(`Swift keychain bridge failed for op=${op}.
+${details}`);
+  }
+}
+async function runSwiftKeychainWithFallback(op, input) {
+  const policy = resolveSwiftBiometricPolicy(input.biometric);
+  try {
+    return await runSwiftKeychain(op, { ...input, biometric: policy });
+  } catch (error) {
+    if (isSwiftUnavailableError(error)) return void 0;
+    if (input.biometric === "auto" && isSwiftEntitlementError(error)) return void 0;
+    throw error;
+  }
+}
+function resolvePrompt(prompt) {
+  return prompt?.trim() || DEFAULT_BIOMETRIC_PROMPT;
+}
+
+// src/security-store/backends/keychain/index.ts
+var execFileAsync2 = promisify2(execFile2);
+async function getSecretViaSecurityCli(service, account) {
+  try {
+    const { stdout } = await execFileAsync2(SECURITY_BIN, [
+      "find-generic-password",
+      "-s",
+      service,
+      "-a",
+      account,
+      "-w"
+    ]);
+    const value = (typeof stdout === "string" ? stdout : String(stdout)).replace(/\r?\n$/, "");
+    return value.length > 0 ? value : null;
+  } catch (error) {
+    if (isKeychainNotFoundError(error)) return null;
+    throw error;
+  }
+}
+function isKeytarUnavailable(error) {
+  const text = error instanceof Error ? error.message : String(error ?? "");
+  return text.includes("keytar is not available");
+}
+async function getPasswordViaKeytarOrCli(service, account) {
+  try {
+    return await getKeytar().getPassword(service, account);
+  } catch (error) {
+    if (!isKeytarUnavailable(error)) throw error;
+    return getSecretViaSecurityCli(service, account);
+  }
+}
+function buildAddGenericPasswordArgs(service, account, value, appBinPath) {
+  return [
+    "add-generic-password",
+    "-s",
+    service,
+    "-a",
+    account,
+    "-w",
+    value,
+    ...appBinPath ? ["-T", appBinPath] : [],
+    "-U"
+  ];
+}
+async function getKeychainPassword(service, account, biometric, prompt) {
+  if (biometric === "none") return getPasswordViaKeytarOrCli(service, account);
+  const result = await runSwiftKeychainWithFallback("get", {
+    service,
+    account,
+    prompt: resolvePrompt(prompt),
+    biometric
+  });
+  if (!result) return getPasswordViaKeytarOrCli(service, account);
+  if (!result.ok) throw new Error(result.error ?? "Failed to get key from keychain.");
+  return result.found ? result.value ?? "" : null;
+}
+async function getKeyFromKeychain(service, account, options = {}) {
+  const normalizedService = assertNonEmpty(service, "service");
+  const normalizedAccount = assertNonEmpty(account, "account");
+  const biometric = normalizeBiometricPolicy(options.biometric);
+  const password = await getKeychainPassword(
+    normalizedService,
+    normalizedAccount,
+    biometric,
+    options.prompt
+  );
+  if (!password) return null;
+  const buf = Buffer.from(password, "base64");
+  if (buf.length !== MASTER_KEY_LENGTH) return null;
+  return buf;
+}
+async function getSecretFromKeychain(service, account) {
+  const normalizedService = assertNonEmpty(service, "service");
+  const normalizedAccount = assertNonEmpty(account, "account");
+  return getPasswordViaKeytarOrCli(normalizedService, normalizedAccount);
+}
+async function getTeamIdFromBinary(appBinPath) {
+  assertMacOS();
+  const normalizedPath = assertNonEmpty(appBinPath, "appBinPath");
+  try {
+    const { stdout, stderr } = await execFileAsync2(CODESIGN_BIN, ["-dvvv", normalizedPath], {
+      encoding: "utf8",
+      maxBuffer: 64 * 1024
+    });
+    const combined = `${stdout ?? ""}
+${stderr ?? ""}`;
+    const match = /TeamIdentifier=(.+)/.exec(combined);
+    if (!match) return null;
+    const raw = match[1].trim();
+    if (!raw || /^not\s+set$/i.test(raw)) return null;
+    const normalized = raw.match(/^[A-Za-z0-9]+$/)?.[0] ?? "";
+    return normalized || null;
+  } catch {
+    return null;
+  }
+}
+async function setKeyInKeychainWithAcl(service, account, keyBuffer, appBinPath, appleDeveloperTeamId, options = {}) {
+  assertMacOS();
+  const normalizedService = assertNonEmpty(service, "service");
+  const normalizedAccount = assertNonEmpty(account, "account");
+  const normalizedAppBinPath = assertNonEmpty(appBinPath, "appBinPath");
+  const biometric = normalizeBiometricPolicy(options.biometric);
+  if (keyBuffer.length !== MASTER_KEY_LENGTH) {
+    throw new Error(`Master key must be ${MASTER_KEY_LENGTH} bytes, got ${keyBuffer.length}`);
+  }
+  const b64 = keyBuffer.toString("base64");
+  if (biometric === "none") {
+    await execFileAsync2(
+      SECURITY_BIN,
+      buildAddGenericPasswordArgs(
+        normalizedService,
+        normalizedAccount,
+        b64,
+        normalizedAppBinPath
+      )
+    );
+  } else {
+    const result = await runSwiftKeychainWithFallback("set", {
+      service: normalizedService,
+      account: normalizedAccount,
+      secret: b64,
+      biometric
+    });
+    if (!result) {
+      await execFileAsync2(
+        SECURITY_BIN,
+        buildAddGenericPasswordArgs(
+          normalizedService,
+          normalizedAccount,
+          b64,
+          normalizedAppBinPath
+        )
+      );
+    } else if (!result.ok) {
+      throw new Error(result.error ?? "Failed to store key in keychain.");
+    }
+  }
+  const normalizedTeamId = normalizeAppleDeveloperTeamId(appleDeveloperTeamId);
+  if (normalizedTeamId) {
+    try {
+      await execFileAsync2(SECURITY_BIN, [
+        "set-generic-password-partition-list",
+        "-s",
+        normalizedService,
+        "-a",
+        normalizedAccount,
+        "-S",
+        `teamid:${normalizedTeamId}`
+      ]);
+    } catch {
+    }
+  }
+}
+async function setSecretInKeychain(service, account, value) {
+  assertMacOS();
+  const normalizedService = assertNonEmpty(service, "service");
+  const normalizedAccount = assertNonEmpty(account, "account");
+  await execFileAsync2(
+    SECURITY_BIN,
+    buildAddGenericPasswordArgs(normalizedService, normalizedAccount, value)
+  );
+}
+async function deleteSecretFromKeychain(service, account) {
+  assertMacOS();
+  const normalizedService = assertNonEmpty(service, "service");
+  const normalizedAccount = assertNonEmpty(account, "account");
+  try {
+    await execFileAsync2(SECURITY_BIN, [
+      "delete-generic-password",
+      "-s",
+      normalizedService,
+      "-a",
+      normalizedAccount
+    ]);
+    return true;
+  } catch (error) {
+    if (isKeychainNotFoundError(error)) return false;
+    throw error;
+  }
+}
+var KeychainSecretStoreBackend = class {
+  async getSecret(service, account) {
+    return await getSecretFromKeychain(service, account) ?? void 0;
+  }
+  async setSecret(service, account, value) {
+    await setSecretInKeychain(service, account, value);
+  }
+  async deleteSecret(service, account) {
+    return deleteSecretFromKeychain(service, account);
+  }
+  async getMasterKey(context) {
+    return getKeyFromKeychain(context.service, context.account, {
+      biometric: context.biometric,
+      prompt: context.prompt
+    });
+  }
+  async setMasterKey(context, key) {
+    const appPath = resolveAppBinPath(context.appBinPath);
+    const teamId = context.appleDeveloperTeamId ?? await getTeamIdFromBinary(appPath);
+    await setKeyInKeychainWithAcl(context.service, context.account, key, appPath, teamId, {
+      biometric: context.biometric,
+      prompt: context.prompt
+    });
+  }
+};
+
+// src/security-store/backends/memory/index.ts
+var MemorySecretStoreBackend = class {
+  secrets = /* @__PURE__ */ new Map();
+  masterKeys = /* @__PURE__ */ new Map();
+  async getSecret(service, account) {
+    return this.secrets.get(buildEntryKey(service, account));
+  }
+  async setSecret(service, account, value) {
+    this.secrets.set(buildEntryKey(service, account), value);
+  }
+  async deleteSecret(service, account) {
+    return this.secrets.delete(buildEntryKey(service, account));
+  }
+  async getMasterKey(context) {
+    const key = this.masterKeys.get(buildEntryKey(context.service, context.account));
+    return key ? Buffer.from(key) : null;
+  }
+  async setMasterKey(context, key) {
+    this.masterKeys.set(buildEntryKey(context.service, context.account), Buffer.from(key));
+  }
+};
+
+// src/security-store/backends/index.ts
+function createSecretStoreBackend(backend = "keychain", options = {}) {
+  if (backend === "keychain") return new KeychainSecretStoreBackend();
+  if (backend === "memory") return new MemorySecretStoreBackend();
+  if (backend === "file") {
+    return new FileSecretStoreBackend({ service: options.service });
+  }
+  return backend;
+}
+
+// src/security-store/store.ts
+var PREFIX = "enc:v1:";
+var NONCE_LENGTH = 12;
+var TAG_LENGTH = 16;
+function decodeBase64Strict(input) {
+  const trimmed = input.trim();
+  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(trimmed) || trimmed.length % 4 !== 0) {
+    throw new Error("Invalid base64 in encrypted payload");
+  }
+  const decoded = Buffer.from(trimmed, "base64");
+  if (decoded.toString("base64") !== trimmed) {
+    throw new Error("Invalid base64 in encrypted payload");
+  }
+  return decoded;
+}
+function assertNonEmpty2(value, field) {
+  const normalized = value.trim();
+  if (normalized.length === 0) {
+    throw new Error(`${field} must be a non-empty string.`);
+  }
+  return normalized;
+}
+var CryptoManager = class {
+  allowPlaintextFallback;
+  masterKeyStore;
+  masterKey = null;
+  constructor(options) {
+    this.allowPlaintextFallback = options.allowPlaintextFallback !== false;
+    this.masterKeyStore = options.masterKeyStore ?? null;
+    if (options.masterKey != null) {
+      if (options.masterKey.length !== MASTER_KEY_LENGTH) {
+        throw new Error(
+          `masterKey must be ${MASTER_KEY_LENGTH} bytes, got ${options.masterKey.length}`
+        );
+      }
+      this.masterKey = Buffer.from(options.masterKey);
+    }
+  }
+  async init() {
+    if (this.masterKey != null && this.masterKey.length === MASTER_KEY_LENGTH) return;
+    if (this.masterKeyStore == null) {
+      throw new Error("CryptoManager requires either masterKey or masterKeyStore.");
+    }
+    if (this.masterKeyStore.init) await this.masterKeyStore.init();
+    let key = await this.masterKeyStore.get();
+    if (key != null) {
+      this.masterKey = key;
+      return;
+    }
+    const newKey = crypto.randomBytes(MASTER_KEY_LENGTH);
+    await this.masterKeyStore.set(newKey);
+    key = await this.masterKeyStore.get();
+    if (key == null || key.length !== MASTER_KEY_LENGTH) {
+      throw new Error("Master key write succeeded but readback failed.");
+    }
+    this.masterKey = key;
+  }
+  encrypt(plainText) {
+    if (this.masterKey == null) {
+      throw new Error("CryptoManager not initialized. Call init() first.");
+    }
+    const nonce = crypto.randomBytes(NONCE_LENGTH);
+    const cipher = crypto.createCipheriv("aes-256-gcm", this.masterKey, nonce);
+    const enc = Buffer.concat([cipher.update(plainText, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const payload = Buffer.concat([nonce, tag, enc]);
+    return PREFIX + payload.toString("base64");
+  }
+  decrypt(cipherText) {
+    if (this.masterKey == null) {
+      throw new Error("CryptoManager not initialized. Call init() first.");
+    }
+    if (!cipherText.startsWith(PREFIX)) {
+      if (this.allowPlaintextFallback) return cipherText;
+      throw new Error("Input is not an encrypted string (missing enc:v1: prefix)");
+    }
+    const payload = decodeBase64Strict(cipherText.slice(PREFIX.length));
+    if (payload.length < NONCE_LENGTH + TAG_LENGTH) {
+      throw new Error("Encrypted payload too short");
+    }
+    const nonce = payload.subarray(0, NONCE_LENGTH);
+    const tag = payload.subarray(NONCE_LENGTH, NONCE_LENGTH + TAG_LENGTH);
+    const ciphertext = payload.subarray(NONCE_LENGTH + TAG_LENGTH);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", this.masterKey, nonce);
+    decipher.setAuthTag(tag);
+    return decipher.update(ciphertext, void 0, "utf8") + decipher.final("utf8");
+  }
+  static isEncrypted(value) {
+    return value.startsWith(PREFIX);
+  }
+};
+var SecretStore = class {
+  manager;
+  dataService;
+  backend;
+  initializeBackend;
+  initialized = false;
+  initializing = null;
+  constructor(options) {
+    const service = assertNonEmpty2(options.service, "service");
+    const masterAccount = options.masterAccount?.trim() || "master-key";
+    this.dataService = options.dataService?.trim() || `${service}.data`;
+    this.backend = createSecretStoreBackend(options.backend, { service });
+    const backend = this.backend;
+    let backendInitPromise = null;
+    this.initializeBackend = async () => {
+      if (!backend.init) return;
+      if (!backendInitPromise) backendInitPromise = backend.init();
+      await backendInitPromise;
+    };
+    const backendContext = {
+      service,
+      account: masterAccount,
+      appBinPath: options.appBinPath,
+      appleDeveloperTeamId: options.appleDeveloperTeamId,
+      biometric: options.biometric,
+      prompt: options.prompt
+    };
+    this.manager = new CryptoManager({
+      service,
+      account: masterAccount,
+      allowPlaintextFallback: true,
+      masterKey: options.masterKey,
+      masterKeyStore: options.masterKey ? void 0 : {
+        init: this.initializeBackend,
+        get: async () => {
+          if (!backend.getMasterKey) {
+            throw new Error(
+              "Secret store backend does not support master key storage. Pass masterKey or implement getMasterKey/setMasterKey."
+            );
+          }
+          return backend.getMasterKey(backendContext);
+        },
+        set: async (key) => {
+          if (!backend.setMasterKey) {
+            throw new Error(
+              "Secret store backend does not support master key storage. Pass masterKey or implement getMasterKey/setMasterKey."
+            );
+          }
+          await backend.setMasterKey(backendContext, key);
+        }
+      }
+    });
+  }
+  async init() {
+    if (this.initialized) return;
+    if (this.initializing) {
+      await this.initializing;
+      return;
+    }
+    this.initializing = (async () => {
+      await this.initializeBackend();
+      await this.manager.init();
+      this.initialized = true;
+    })();
+    try {
+      await this.initializing;
+    } finally {
+      this.initializing = null;
+    }
+  }
+  async set(key, value) {
+    await this.ensureInitialized();
+    const account = assertNonEmpty2(key, "key");
+    const ciphertext = this.manager.encrypt(value);
+    await this.backend.setSecret(this.dataService, account, ciphertext);
+  }
+  async get(key) {
+    await this.ensureInitialized();
+    const account = assertNonEmpty2(key, "key");
+    const ciphertext = await this.backend.getSecret(this.dataService, account);
+    if (!ciphertext) return void 0;
+    return this.manager.decrypt(ciphertext);
+  }
+  async delete(key) {
+    await this.ensureInitialized();
+    const account = assertNonEmpty2(key, "key");
+    return this.backend.deleteSecret(this.dataService, account);
+  }
+  async ensureInitialized() {
+    if (this.initialized) return;
+    await this.init();
+  }
+};
+async function createSecretStore(options) {
+  const store = new SecretStore(options);
+  await store.init();
+  return store;
+}
+export {
+  createSecretStore
+};
+//# sourceMappingURL=index.js.map