chief-helm 0.1.1 → 0.1.3

package/Readme.md

@@ -14,7 +14,7 @@ HELM is how a human operates the CHIEF personal AI operations system. Every flow
 | npm | v9.0.0 | `npm --version` |
 | Git | v2.30.0 | `git --version` |
 
-**Platform:** macOS 12+ or Windows 10+. OS keychain support (macOS Keychain / Windows Credential Manager) is required for credential storage.
+**Platform:** macOS 12+ or Windows 10+.
 
 **Node.js installation:** [nodejs.org](https://nodejs.org) → download the LTS version. This installs both `node` and `npm`.
 
@@ -70,10 +70,10 @@ helm config <n>               # Open config file n in your editor (auto-commits
 
 ### Secrets
 
-Credentials are stored in the OS keychain. Values are never printed, logged, or included in error messages.
+Credentials are encrypted with AES-256-GCM and stored locally. Values are never printed, logged, or included in error messages.
 
 ```bash
-helm secrets set <KEY>        # Masked input → OS keychain
+helm secrets set <KEY>        # Masked input → encrypted local storage
 helm secrets list             # Key names only — values never shown
 helm secrets verify <KEY>     # Confirm a key exists
 helm secrets delete <KEY>     # Remove with confirmation prompt
@@ -172,7 +172,7 @@ The main CHIEF repo is never written to by HELM at runtime.
     ├── core/
     │   ├── repo.ts            conf store, local config, repo validation, setup guard
     │   ├── config.ts          YAML read/write for all instance repo config files
-    │   ├── secrets.ts         keytar wrapper, manifest management
+    │   ├── secrets.ts         AES-256-GCM encrypted storage, manifest management
     │   ├── git.ts             pull, commit, push, status via simple-git
     │   ├── state.ts           last_run.json and other state file I/O
     │   └── inputs.ts          Credential key map and per-input connectivity tests
@@ -206,15 +206,30 @@ Never swallow errors. Never put secret values in error messages.
 
 ### Publishing
 
+Releases are automated via GitHub Actions. The workflow at `/.github/workflows/helm-release.yml` triggers on tags matching `helm-v*`.
+
+**Using the release script:**
+
 ```bash
 cd helm/
-npm version patch       # or minor / major
-npm publish             # prepublishOnly runs tsc automatically
-git push && git push --tags
+./scripts/release.sh 0.2.0    # bumps version, builds, commits, tags
+git push origin main && git push origin helm-v0.2.0   # triggers CI → npm publish + GitHub Release
 ```
 
-`prepublishOnly` compiles TypeScript to `dist/` before every publish. Only `dist/` and `README.md` are included in the published package.
+**Manual process:**
+
+```bash
+cd helm/
+npm version 0.2.0 --no-git-tag-version
+npm run build
+cd ..
+git add helm/package.json helm/package-lock.json
+git commit -m "[helm-release] v0.2.0"
+git tag helm-v0.2.0
+git push origin main && git push origin helm-v0.2.0
+```
 
+`prepublishOnly` compiles TypeScript to `dist/` before every publish. Only `dist/` and `README.md` are included in the published package.
 ---
 
 *HELM is part of the CHIEF personal AI operations system. See [SETUP.md](../SETUP.md) for full system documentation.*

package/dist/commands/secrets.d.ts

@@ -1,10 +1,10 @@
 /**
- * @file helm secrets — OS keychain credential management.
+ * @file helm secrets — encrypted credential management.
  *
  * Subcommands:
- *   helm secrets set <key>      Masked input → stored in OS keychain
+ *   helm secrets set <key>      Masked input → encrypted and stored locally
  *   helm secrets list           Key names only, never values
- *   helm secrets verify <key>   Confirm key exists in keychain
+ *   helm secrets verify <key>   Confirm key exists in encrypted storage
  *   helm secrets delete <key>   Remove with confirmation prompt
  *
  * Secret values are never printed, logged, or included in error messages.

package/dist/commands/secrets.js

@@ -1,10 +1,10 @@
 /**
- * @file helm secrets — OS keychain credential management.
+ * @file helm secrets — encrypted credential management.
  *
  * Subcommands:
- *   helm secrets set <key>      Masked input → stored in OS keychain
+ *   helm secrets set <key>      Masked input → encrypted and stored locally
  *   helm secrets list           Key names only, never values
- *   helm secrets verify <key>   Confirm key exists in keychain
+ *   helm secrets verify <key>   Confirm key exists in encrypted storage
  *   helm secrets delete <key>   Remove with confirmation prompt
  *
  * Secret values are never printed, logged, or included in error messages.
@@ -26,11 +26,11 @@ import { theme, symbol } from "../ui/theme.js";
 export function registerSecretsCommand(program) {
     const secrets = program
         .command("secrets")
-        .description("Manage OS keychain credentials");
+        .description("Manage encrypted local storage credentials");
     // ── set ────────────────────────────────────────────────────────────────────
     secrets
         .command("set <key>")
-        .description("Store a secret in the OS keychain (masked input)")
+        .description("Store a secret in the encrypted local storage (masked input)")
         .action(async (key) => {
         requireSetup();
         const { active_user: username } = getLocalConfig();
@@ -44,7 +44,7 @@ export function registerSecretsCommand(program) {
             },
         ]);
         await setSecret(username, key, value);
-        console.log(`  ${chalk.hex(theme.success)(symbol.success)}  Secret "${key}" stored in OS keychain.`);
+        console.log(`  ${chalk.hex(theme.success)(symbol.success)}  Secret "${key}" stored in encrypted local storage.`);
     });
     // ── list ───────────────────────────────────────────────────────────────────
     secrets
@@ -67,22 +67,22 @@ export function registerSecretsCommand(program) {
     // ── verify ─────────────────────────────────────────────────────────────────
     secrets
         .command("verify <key>")
-        .description("Confirm a secret key exists in the OS keychain")
+        .description("Confirm a secret key exists in the encrypted local storage")
         .action(async (key) => {
         requireSetup();
         const { active_user: username } = getLocalConfig();
         const exists = await verifySecret(username, key);
         if (exists) {
-            console.log(`  ${chalk.hex(theme.success)(symbol.success)}  "${key}" exists in the OS keychain.`);
+            console.log(`  ${chalk.hex(theme.success)(symbol.success)}  "${key}" exists in the encrypted local storage.`);
         }
         else {
-            throw new HelmError(`Secret "${key}" was not found in the OS keychain.`, `Run: helm secrets set ${key}`);
+            throw new HelmError(`Secret "${key}" was not found in the encrypted local storage.`, `Run: helm secrets set ${key}`);
         }
     });
     // ── delete ─────────────────────────────────────────────────────────────────
     secrets
         .command("delete <key>")
-        .description("Remove a secret from the OS keychain")
+        .description("Remove a secret from the encrypted local storage")
         .action(async (key) => {
         requireSetup();
         const { active_user: username } = getLocalConfig();
@@ -90,7 +90,7 @@ export function registerSecretsCommand(program) {
             {
                 type: "confirm",
                 name: "confirmed",
-                message: `  Delete secret "${key}" from the OS keychain?`,
+                message: `  Delete secret "${key}" from the encrypted local storage?`,
                 default: false,
             },
         ]);
@@ -100,10 +100,10 @@ export function registerSecretsCommand(program) {
         }
         const deleted = await deleteSecret(username, key);
         if (deleted) {
-            console.log(`  ${chalk.hex(theme.success)(symbol.success)}  Secret "${key}" deleted from OS keychain.`);
+            console.log(`  ${chalk.hex(theme.success)(symbol.success)}  Secret "${key}" deleted from encrypted local storage.`);
         }
         else {
-            throw new HelmError(`Secret "${key}" was not found in the OS keychain.`, `Run: helm secrets list to see what keys are stored.`);
+            throw new HelmError(`Secret "${key}" was not found in the encrypted local storage.`, `Run: helm secrets list to see what keys are stored.`);
         }
     });
 }

package/dist/commands/secrets.js.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/commands/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EACL,SAAS,EACT,cAAc,EACd,YAAY,EACZ,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAE/C,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,gCAAgC,CAAC,CAAC;IAEjD,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,kDAAkD,CAAC;SAC/D,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QAEnD,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAoB;YACzD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,KAAK,GAAG,GAAG;gBACpB,IAAI,EAAE,GAAG;gBACT,QAAQ,EAAE,CAAC,CAAS,EAAE,EAAE,CACtB,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,wBAAwB;aAClD;SACF,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEtC,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,0BAA0B,CACxF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,GAAG,EAAE;QACX,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAEtC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CACpB,2BAA2B,QAAQ,uCAAuC,CAC3E,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,4BAA4B,CAAC,EAAE,CAClI,CAAC;QACF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAEjD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,8BAA8B,CACrF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,SAAS,CACjB,WAAW,GAAG,qCAAqC,EACnD,yBAAyB,GAAG,EAAE,CAC/B,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QAEnD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAyB;YAClE;gBACE,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,oBAAoB,GAAG,yBAAyB;gBACzD,OAAO,EAAE,KAAK;aACf;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAElD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,6BAA6B,CAC3F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,SAAS,CACjB,WAAW,GAAG,qCAAqC,EACnD,qDAAqD,CACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/commands/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EACL,SAAS,EACT,cAAc,EACd,YAAY,EACZ,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAE/C,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,4CAA4C,CAAC,CAAC;IAE7D,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,8DAA8D,CAAC;SAC3E,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QAEnD,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAoB;YACzD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,KAAK,GAAG,GAAG;gBACpB,IAAI,EAAE,GAAG;gBACT,QAAQ,EAAE,CAAC,CAAS,EAAE,EAAE,CACtB,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,wBAAwB;aAClD;SACF,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEtC,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,sCAAsC,CACpG,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,GAAG,EAAE;QACX,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAEtC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CACpB,2BAA2B,QAAQ,uCAAuC,CAC3E,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,4BAA4B,CAAC,EAAE,CAClI,CAAC;QACF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAEjD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,0CAA0C,CACjG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,SAAS,CACjB,WAAW,GAAG,iDAAiD,EAC/D,yBAAyB,GAAG,EAAE,CAC/B,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,8EAA8E;IAE9E,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,kDAAkD,CAAC;SAC/D,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,YAAY,EAAE,CAAC;QAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;QAEnD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAyB;YAClE;gBACE,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,oBAAoB,GAAG,qCAAqC;gBACrE,OAAO,EAAE,KAAK;aACf;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAElD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,yCAAyC,CACvG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,SAAS,CACjB,WAAW,GAAG,iDAAiD,EAC/D,qDAAqD,CACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/setup.js

@@ -187,14 +187,14 @@ async function step2CreateUserIdentity(repoRoot) {
 /**
  * For each input in inputs.yaml, asks whether to enable it. For enabled
  * inputs, collects all required credentials via masked prompts, stores
- * them in the OS keychain, and runs a connectivity test.
+ * them in the encrypted local storage, and runs a connectivity test.
  *
  * Updates the `enabled` and `configured` fields in inputs.yaml after
  * each input is processed. This ensures partial progress is persisted
  * even if the wizard is interrupted.
  *
  * @param repoRoot - Absolute path to the instance repo.
- * @param username - Active username for keychain scoping.
+ * @param username - Active username for secret scoping.
  */
 async function step3ConnectInputs(repoRoot, username) {
     printStep(3, "Connect inputs");

package/dist/core/inputs.d.ts

@@ -12,13 +12,13 @@
  * and instructs the user to refresh it via helm secrets set. No silent
  * token refresh is attempted in Phase 1 — that is Phase 2 scope.
  *
- * Secret values retrieved from the keychain are used directly in HTTP
+ * Secret values retrieved from encrypted local storage are used directly in HTTP
  * Authorization headers and are never included in any log output or
  * error message.
  */
 import type { InputTestResult } from "../types/index.js";
 /**
- * Ordered list of OS keychain key names required by each input.
+ * Ordered list of secret key names required by each input.
  * Used during helm setup to prompt for each credential and during
  * helm inputs test to retrieve them for connectivity checks.
  *

package/dist/core/inputs.js

@@ -12,14 +12,14 @@
  * and instructs the user to refresh it via helm secrets set. No silent
  * token refresh is attempted in Phase 1 — that is Phase 2 scope.
  *
- * Secret values retrieved from the keychain are used directly in HTTP
+ * Secret values retrieved from encrypted local storage are used directly in HTTP
  * Authorization headers and are never included in any log output or
  * error message.
  */
 import { getSecret } from "./secrets.js";
 // ─── Credential Key Definitions ───────────────────────────────────────────────
 /**
- * Ordered list of OS keychain key names required by each input.
+ * Ordered list of secret key names required by each input.
  * Used during helm setup to prompt for each credential and during
  * helm inputs test to retrieve them for connectivity checks.
  *

package/dist/core/repo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/core/repo.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAgDrD;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,mBAIrB,CAAC;AAIH;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,WAAW,CAE5C;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAIrE;AAID;;;;;;;;GAQG;AACH,wBAAgB,YAAY,IAAI,IAAI,CASnC;AAID;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAY9D;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGtD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAKxD"}
+{"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/core/repo.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAiDrD;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,mBAIrB,CAAC;AAIH;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,WAAW,CAE5C;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAIrE;AAID;;;;;;;;GAQG;AACH,wBAAgB,YAAY,IAAI,IAAI,CASnC;AAID;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAY9D;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGtD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAKxD"}

package/dist/core/repo.js

@@ -54,6 +54,7 @@ const LOCAL_CONFIG_DEFAULTS = {
     setup_complete: false,
     last_sync: "",
     secrets_manifest: [],
+    encrypted_secrets: {},
 };
 /**
  * Singleton conf store backed by ~/.chief/config.json.

package/dist/core/repo.js.map

@@ -1 +1 @@
-{"version":3,"file":"repo.js","sourceRoot":"","sources":["../../src/core/repo.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,kBAAkB,GAAG;IACzB,QAAQ;IACR,OAAO;IACP,cAAc;IACd,WAAW;IACX,SAAS;IACT,SAAS;IACT,OAAO;IACP,MAAM;IACN,WAAW;CACH,CAAC;AAEX;;;GAGG;AACH,MAAM,qBAAqB,GAAG;IAC5B,aAAa;IACb,aAAa;IACb,YAAY;IACZ,eAAe;CACP,CAAC;AAEX,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,qBAAqB,GAAgB;IACzC,kBAAkB,EAAE,EAAE;IACtB,WAAW,EAAE,EAAE;IACf,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,MAAM;IACvC,cAAc,EAAE,KAAK;IACrB,SAAS,EAAE,EAAE;IACb,gBAAgB,EAAE,EAAE;CACrB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAc;IAC9C,WAAW,EAAE,OAAO;IACpB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC;IACtC,QAAQ,EAAE,qBAAqB;CAChC,CAAC,CAAC;AAEH,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,UAAU,CAAC,KAAoB,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAA6B;IAC7D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAA0D,EAAE,CAAC;QAC5G,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAEhC,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,kBAAkB,KAAK,EAAE,EAAE,CAAC;QAC/D,MAAM,IAAI,SAAS,CACjB,2CAA2C,EAC3C,iBAAiB,CAClB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC7D,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE,CAAC;QACzC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IACxE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAG,QAAkB;IAC5C,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,oBAAoB,CAAW,CAAC;IAC5D,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"repo.js","sourceRoot":"","sources":["../../src/core/repo.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,kBAAkB,GAAG;IACzB,QAAQ;IACR,OAAO;IACP,cAAc;IACd,WAAW;IACX,SAAS;IACT,SAAS;IACT,OAAO;IACP,MAAM;IACN,WAAW;CACH,CAAC;AAEX;;;GAGG;AACH,MAAM,qBAAqB,GAAG;IAC5B,aAAa;IACb,aAAa;IACb,YAAY;IACZ,eAAe;CACP,CAAC;AAEX,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,qBAAqB,GAAgB;IACzC,kBAAkB,EAAE,EAAE;IACtB,WAAW,EAAE,EAAE;IACf,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,MAAM;IACvC,cAAc,EAAE,KAAK;IACrB,SAAS,EAAE,EAAE;IACb,gBAAgB,EAAE,EAAE;IACpB,iBAAiB,EAAE,EAAE;CACtB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAc;IAC9C,WAAW,EAAE,OAAO;IACpB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC;IACtC,QAAQ,EAAE,qBAAqB;CAChC,CAAC,CAAC;AAEH,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,UAAU,CAAC,KAAoB,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAA6B;IAC7D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAA0D,EAAE,CAAC;QAC5G,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAEhC,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,kBAAkB,KAAK,EAAE,EAAE,CAAC;QAC/D,MAAM,IAAI,SAAS,CACjB,2CAA2C,EAC3C,iBAAiB,CAClB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC7D,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE,CAAC;QACzC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IACxE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAG,QAAkB;IAC5C,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,oBAAoB,CAAW,CAAC;IAC5D,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/core/secrets.d.ts

@@ -1,39 +1,42 @@
 /**
- * @file OS keychain integration for HELM.
+ * @file Encrypted local secret storage for HELM.
  *
  * All secret storage and retrieval is routed through this module.
  * Secret values are handled as transiently as possible:
  *
- *   - Values are never written to any file, log, or error message.
+ *   - Values are never written to any file, log, or error message in plaintext.
  *   - The only moment a value appears in memory outside this module is
  *     during the masked inquirer prompt in the setup wizard and
  *     helm secrets set — immediately passed to setSecret() and discarded.
  *   - listSecretKeys() returns key names only. Values are never returned
  *     to callers that don't explicitly call getSecret().
  *
- * A manifest of key names (not values) is stored in the local conf store
- * at ~/.chief/config.json because the OS keychain API does not provide
- * an enumeration method. The manifest is always kept in sync with the
- * keychain by setSecret() and deleteSecret().
+ * Secrets are encrypted with AES-256-GCM using a key derived via PBKDF2
+ * from machine-specific entropy (hostname + OS username). Encrypted values
+ * are stored in the local conf store at ~/.chief/config.json under the
+ * `encrypted_secrets` key. A manifest of key names (not values) is stored
+ * separately under `secrets_manifest` for enumeration.
  *
- * Keychain service name: "chief"
- * Account format: "[username]/[KEY_NAME]"
+ * Encrypted value format: "iv:authTag:ciphertext" (all hex-encoded).
+ *
+ * Account format in manifest: "[username]/[KEY_NAME]"
  */
 /**
- * Stores a secret value in the OS keychain and records the key name
- * in the local manifest.
+ * Encrypts and stores a secret value in the local conf store, and records
+ * the key name in the manifest.
  *
- * The value is accepted as a parameter and immediately forwarded to
- * keytar. Callers must not retain the value after this call returns.
+ * The value is encrypted immediately upon receipt and discarded from
+ * this function's scope. Callers must not retain the value after this
+ * call returns.
  *
  * @param username - Active username (used as the account prefix).
- * @param key      - Secret key name, e.g. "GMAIL_CLIENT_ID".
- * @param value    - The secret value. Never logged.
- * @throws {HelmError} If the keychain write fails.
+ * @param key - Secret key name, e.g. "GMAIL_CLIENT_ID".
+ * @param value - The secret value. Never logged or stored in plaintext.
+ * @throws {HelmError} If encryption fails.
  */
 export declare function setSecret(username: string, key: string, value: string): Promise<void>;
 /**
- * Retrieves a secret value from the OS keychain.
+ * Retrieves and decrypts a secret value from the local conf store.
  *
  * Returns null if the key does not exist. Callers must handle the null
  * case by throwing an appropriate HelmError naming the missing key and
@@ -43,37 +46,38 @@ export declare function setSecret(username: string, key: string, value: string):
  * user-facing string.
  *
  * @param username - Active username.
- * @param key      - Secret key name to retrieve.
- * @throws {HelmError} If the keychain read fails unexpectedly.
+ * @param key - Secret key name to retrieve.
+ * @returns The decrypted secret value, or null if not found.
+ * @throws {HelmError} If decryption fails.
  */
 export declare function getSecret(username: string, key: string): Promise<string | null>;
 /**
  * Returns the list of secret key names stored for the given username.
  * Values are never returned — only names.
  *
- * Reads from the local manifest rather than querying the keychain
- * directly, because the keychain API does not support enumeration.
+ * Reads from the local manifest rather than iterating encrypted entries.
  *
  * @param username - Active username to filter by.
+ * @returns Sorted array of key names (without the username prefix).
  */
 export declare function listSecretKeys(username: string): string[];
 /**
  * Returns true if a secret with the given key name exists in the
- * OS keychain for the given username.
+ * local conf store for the given username.
  *
  * @param username - Active username.
- * @param key      - Secret key name to check.
- * @throws {HelmError} If the keychain read fails.
+ * @param key - Secret key name to check.
+ * @returns True if the secret exists and can be decrypted.
+ * @throws {HelmError} If decryption fails.
  */
 export declare function verifySecret(username: string, key: string): Promise<boolean>;
 /**
- * Removes a secret from the OS keychain and removes its name from the
- * local manifest.
+ * Removes an encrypted secret from the local conf store and removes its
+ * name from the manifest.
  *
  * @param username - Active username.
- * @param key      - Secret key name to delete.
+ * @param key - Secret key name to delete.
  * @returns True if the key existed and was deleted; false if it did not exist.
- * @throws {HelmError} If the keychain deletion fails.
  */
 export declare function deleteSecret(username: string, key: string): Promise<boolean>;
 //# sourceMappingURL=secrets.d.ts.map

package/dist/core/secrets.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAiEH;;;;;;;;;;;GAWG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAcf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAYxB;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAQzD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,CAuBlB"}
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AA6IH;;;;;;;;;;;;GAYG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAkBf;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmBxB;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAQzD;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,CAalB"}

package/dist/core/secrets.js

@@ -1,52 +1,112 @@
 /**
- * @file OS keychain integration for HELM.
+ * @file Encrypted local secret storage for HELM.
  *
  * All secret storage and retrieval is routed through this module.
  * Secret values are handled as transiently as possible:
  *
- *   - Values are never written to any file, log, or error message.
+ *   - Values are never written to any file, log, or error message in plaintext.
  *   - The only moment a value appears in memory outside this module is
  *     during the masked inquirer prompt in the setup wizard and
  *     helm secrets set — immediately passed to setSecret() and discarded.
  *   - listSecretKeys() returns key names only. Values are never returned
  *     to callers that don't explicitly call getSecret().
  *
- * A manifest of key names (not values) is stored in the local conf store
- * at ~/.chief/config.json because the OS keychain API does not provide
- * an enumeration method. The manifest is always kept in sync with the
- * keychain by setSecret() and deleteSecret().
+ * Secrets are encrypted with AES-256-GCM using a key derived via PBKDF2
+ * from machine-specific entropy (hostname + OS username). Encrypted values
+ * are stored in the local conf store at ~/.chief/config.json under the
+ * `encrypted_secrets` key. A manifest of key names (not values) is stored
+ * separately under `secrets_manifest` for enumeration.
  *
- * Keychain service name: "chief"
- * Account format: "[username]/[KEY_NAME]"
+ * Encrypted value format: "iv:authTag:ciphertext" (all hex-encoded).
+ *
+ * Account format in manifest: "[username]/[KEY_NAME]"
  */
-import keytar from "keytar";
-import chalk from "chalk";
+import { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } from "node:crypto";
+import os from "node:os";
 import { localStore } from "./repo.js";
 import { HelmError } from "../utils/errors.js";
-/** Service name used for all entries in the OS keychain. */
-const KEYCHAIN_SERVICE = "chief";
-// ─── Keychain Heads-Up ────────────────────────────────────────────────────────
+// ─── Encryption Constants ─────────────────────────────────────────────────────
+/** AES-256-GCM cipher algorithm identifier. */
+const CIPHER_ALGORITHM = "aes-256-gcm";
+/** Length in bytes of the initialisation vector for AES-GCM. */
+const IV_LENGTH = 16;
+/** Length in bytes of the GCM authentication tag. */
+const AUTH_TAG_LENGTH = 16;
+/** Length in bytes of the derived encryption key (256 bits for AES-256). */
+const KEY_LENGTH = 32;
+/** PBKDF2 iteration count. OWASP recommends >= 600,000 for SHA-256. */
+const PBKDF2_ITERATIONS = 600_000;
+/** PBKDF2 digest algorithm. */
+const PBKDF2_DIGEST = "sha256";
+/**
+ * Static salt prefix combined with machine-specific entropy.
+ * Changing this value invalidates all previously encrypted secrets.
+ */
+const SALT_PREFIX = "chief-helm-secrets";
+// ─── Key Derivation ───────────────────────────────────────────────────────────
+/**
+ * Derives a 256-bit encryption key from machine-specific entropy using PBKDF2.
+ *
+ * The derivation input combines a static salt prefix with the machine's
+ * hostname and OS-level username. This ties encrypted secrets to the
+ * specific machine and OS user account, preventing portability of the
+ * encrypted config file to a different machine without re-entering secrets.
+ *
+ * @returns A 32-byte Buffer suitable for use as an AES-256 key.
+ */
+function deriveEncryptionKey() {
+    const machineEntropy = `${SALT_PREFIX}:${os.hostname()}:${os.userInfo().username}`;
+    return pbkdf2Sync(machineEntropy, SALT_PREFIX, PBKDF2_ITERATIONS, KEY_LENGTH, PBKDF2_DIGEST);
+}
+// ─── Encrypt / Decrypt ────────────────────────────────────────────────────────
 /**
- * Module-level flag ensuring the macOS keychain access prompt
- * explanation is printed only once per process invocation.
+ * Encrypts a plaintext string using AES-256-GCM.
+ *
+ * @param plaintext - The secret value to encrypt.
+ * @returns A colon-delimited string: "iv:authTag:ciphertext" (all hex-encoded).
  */
-let keychainHeadsUpShown = false;
+function encrypt(plaintext) {
+    const key = deriveEncryptionKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(CIPHER_ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
 /**
- * Prints a one-line notice before the first keychain operation in a
- * process. macOS will show a native permission dialog the first time
- * an app accesses the keychain; without this notice users may be
- * confused or alarmed by the unexpected OS popup.
+ * Decrypts a value previously encrypted by {@link encrypt}.
+ *
+ * @param encryptedValue - Colon-delimited string: "iv:authTag:ciphertext" (hex-encoded).
+ * @returns The original plaintext string.
+ * @throws {HelmError} If the encrypted value format is invalid or decryption fails.
  */
-function ensureKeychainHeadsUp() {
-    if (!keychainHeadsUpShown) {
-        process.stdout.write(chalk.dim("  ℹ  Your OS may prompt you to allow keychain access — this is expected.\n"));
-        keychainHeadsUpShown = true;
+function decrypt(encryptedValue) {
+    const parts = encryptedValue.split(":");
+    if (parts.length !== 3) {
+        throw new HelmError("Encrypted secret has an invalid format.", "Re-store the secret with: helm secrets set <KEY>");
+    }
+    const [ivHex, authTagHex, ciphertextHex] = parts;
+    const key = deriveEncryptionKey();
+    const iv = Buffer.from(ivHex, "hex");
+    const authTag = Buffer.from(authTagHex, "hex");
+    const ciphertext = Buffer.from(ciphertextHex, "hex");
+    const decipher = createDecipheriv(CIPHER_ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    try {
+        const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        return decrypted.toString("utf8");
+    }
+    catch {
+        throw new HelmError("Failed to decrypt secret. The encryption key may have changed (hostname or OS user changed).", "Re-store the secret with: helm secrets set <KEY>");
     }
 }
 // ─── Manifest Helpers ─────────────────────────────────────────────────────────
 /**
  * Adds a fully-qualified key name ("[username]/[KEY_NAME]") to the
  * manifest in local config if it is not already present.
+ *
+ * @param username - Active username.
+ * @param key - Secret key name, e.g. "GMAIL_CLIENT_ID".
  */
 function addToManifest(username, key) {
     const fullKey = `${username}/${key}`;
@@ -58,6 +118,9 @@ function addToManifest(username, key) {
 /**
  * Removes a fully-qualified key name from the manifest in local config.
  * No-op if the key is not present.
+ *
+ * @param username - Active username.
+ * @param key - Secret key name to remove.
  */
 function removeFromManifest(username, key) {
     const fullKey = `${username}/${key}`;
@@ -66,30 +129,36 @@ function removeFromManifest(username, key) {
 }
 // ─── Public API ───────────────────────────────────────────────────────────────
 /**
- * Stores a secret value in the OS keychain and records the key name
- * in the local manifest.
+ * Encrypts and stores a secret value in the local conf store, and records
+ * the key name in the manifest.
  *
- * The value is accepted as a parameter and immediately forwarded to
- * keytar. Callers must not retain the value after this call returns.
+ * The value is encrypted immediately upon receipt and discarded from
+ * this function's scope. Callers must not retain the value after this
+ * call returns.
  *
  * @param username - Active username (used as the account prefix).
- * @param key      - Secret key name, e.g. "GMAIL_CLIENT_ID".
- * @param value    - The secret value. Never logged.
- * @throws {HelmError} If the keychain write fails.
+ * @param key - Secret key name, e.g. "GMAIL_CLIENT_ID".
+ * @param value - The secret value. Never logged or stored in plaintext.
+ * @throws {HelmError} If encryption fails.
  */
 export async function setSecret(username, key, value) {
-    ensureKeychainHeadsUp();
+    const fullKey = `${username}/${key}`;
     try {
-        await keytar.setPassword(KEYCHAIN_SERVICE, `${username}/${key}`, value);
+        const encryptedValue = encrypt(value);
+        const secrets = localStore.get("encrypted_secrets") ?? {};
+        secrets[fullKey] = encryptedValue;
+        localStore.set("encrypted_secrets", secrets);
     }
     catch (err) {
+        if (err instanceof HelmError)
+            throw err;
         const detail = err instanceof Error ? err.message : String(err);
-        throw new HelmError(`Failed to store secret "${key}" in the OS keychain: ${detail}`, "Ensure your OS keychain is accessible and try again.");
+        throw new HelmError(`Failed to encrypt and store secret "${key}": ${detail}`, "Ensure your system supports AES-256-GCM and try again.");
     }
     addToManifest(username, key);
 }
 /**
- * Retrieves a secret value from the OS keychain.
+ * Retrieves and decrypts a secret value from the local conf store.
  *
  * Returns null if the key does not exist. Callers must handle the null
  * case by throwing an appropriate HelmError naming the missing key and
@@ -99,27 +168,35 @@ export async function setSecret(username, key, value) {
  * user-facing string.
  *
  * @param username - Active username.
- * @param key      - Secret key name to retrieve.
- * @throws {HelmError} If the keychain read fails unexpectedly.
+ * @param key - Secret key name to retrieve.
+ * @returns The decrypted secret value, or null if not found.
+ * @throws {HelmError} If decryption fails.
  */
 export async function getSecret(username, key) {
-    ensureKeychainHeadsUp();
+    const fullKey = `${username}/${key}`;
+    const secrets = localStore.get("encrypted_secrets") ?? {};
+    const encryptedValue = secrets[fullKey];
+    if (encryptedValue === undefined) {
+        return null;
+    }
     try {
-        return await keytar.getPassword(KEYCHAIN_SERVICE, `${username}/${key}`);
+        return decrypt(encryptedValue);
     }
     catch (err) {
+        if (err instanceof HelmError)
+            throw err;
         const detail = err instanceof Error ? err.message : String(err);
-        throw new HelmError(`Failed to read secret "${key}" from the OS keychain: ${detail}`, "Ensure your OS keychain is accessible and try again.");
+        throw new HelmError(`Failed to decrypt secret "${key}": ${detail}`, "Re-store the secret with: helm secrets set " + key);
     }
 }
 /**
  * Returns the list of secret key names stored for the given username.
  * Values are never returned — only names.
  *
- * Reads from the local manifest rather than querying the keychain
- * directly, because the keychain API does not support enumeration.
+ * Reads from the local manifest rather than iterating encrypted entries.
  *
  * @param username - Active username to filter by.
+ * @returns Sorted array of key names (without the username prefix).
  */
 export function listSecretKeys(username) {
     const manifest = localStore.get("secrets_manifest") ?? [];
@@ -131,38 +208,34 @@ export function listSecretKeys(username) {
 }
 /**
  * Returns true if a secret with the given key name exists in the
- * OS keychain for the given username.
+ * local conf store for the given username.
  *
  * @param username - Active username.
- * @param key      - Secret key name to check.
- * @throws {HelmError} If the keychain read fails.
+ * @param key - Secret key name to check.
+ * @returns True if the secret exists and can be decrypted.
+ * @throws {HelmError} If decryption fails.
  */
 export async function verifySecret(username, key) {
     const value = await getSecret(username, key);
     return value !== null;
 }
 /**
- * Removes a secret from the OS keychain and removes its name from the
- * local manifest.
+ * Removes an encrypted secret from the local conf store and removes its
+ * name from the manifest.
  *
  * @param username - Active username.
- * @param key      - Secret key name to delete.
+ * @param key - Secret key name to delete.
  * @returns True if the key existed and was deleted; false if it did not exist.
- * @throws {HelmError} If the keychain deletion fails.
  */
 export async function deleteSecret(username, key) {
-    ensureKeychainHeadsUp();
-    let deleted;
-    try {
-        deleted = await keytar.deletePassword(KEYCHAIN_SERVICE, `${username}/${key}`);
-    }
-    catch (err) {
-        const detail = err instanceof Error ? err.message : String(err);
-        throw new HelmError(`Failed to delete secret "${key}" from the OS keychain: ${detail}`, "Ensure your OS keychain is accessible and try again.");
-    }
-    if (deleted) {
-        removeFromManifest(username, key);
+    const fullKey = `${username}/${key}`;
+    const secrets = localStore.get("encrypted_secrets") ?? {};
+    if (secrets[fullKey] === undefined) {
+        return false;
     }
-    return deleted;
+    delete secrets[fullKey];
+    localStore.set("encrypted_secrets", secrets);
+    removeFromManifest(username, key);
+    return true;
 }
 //# sourceMappingURL=secrets.js.map

package/dist/core/secrets.js.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,4DAA4D;AAC5D,MAAM,gBAAgB,GAAG,OAAO,CAAC;AAEjC,iFAAiF;AAEjF;;;GAGG;AACH,IAAI,oBAAoB,GAAG,KAAK,CAAC;AAEjC;;;;;GAKG;AACH,SAAS,qBAAqB;IAC5B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,GAAG,CACP,4EAA4E,CAC7E,CACF,CAAC;QACF,oBAAoB,GAAG,IAAI,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,GAAW;IAClD,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IAExE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,UAAU,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAG,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,QAAgB,EAAE,GAAW;IACvD,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IACxE,UAAU,CAAC,GAAG,CACZ,kBAAkB,EAClB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CACtC,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,GAAW,EACX,KAAa;IAEb,qBAAqB,EAAE,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,GAAG,QAAQ,IAAI,GAAG,EAAE,EAAE,KAAK,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,SAAS,CACjB,2BAA2B,GAAG,yBAAyB,MAAM,EAAE,EAC/D,sDAAsD,CACvD,CAAC;IACJ,CAAC;IAED,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,GAAW;IAEX,qBAAqB,EAAE,CAAC;IAExB,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,SAAS,CACjB,0BAA0B,GAAG,2BAA2B,MAAM,EAAE,EAChE,sDAAsD,CACvD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IACxE,MAAM,MAAM,GAAG,GAAG,QAAQ,GAAG,CAAC;IAE9B,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;SAClC,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7C,OAAO,KAAK,KAAK,IAAI,CAAC;AACxB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,GAAW;IAEX,qBAAqB,EAAE,CAAC;IAExB,IAAI,OAAgB,CAAC;IAErB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CACnC,gBAAgB,EAChB,GAAG,QAAQ,IAAI,GAAG,EAAE,CACrB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,SAAS,CACjB,4BAA4B,GAAG,2BAA2B,MAAM,EAAE,EAClE,sDAAsD,CACvD,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,kBAAkB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,iFAAiF;AAEjF,+CAA+C;AAC/C,MAAM,gBAAgB,GAAG,aAAsB,CAAC;AAEhD,gEAAgE;AAChE,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,qDAAqD;AACrD,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,4EAA4E;AAC5E,MAAM,UAAU,GAAG,EAAE,CAAC;AAEtB,uEAAuE;AACvE,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAElC,+BAA+B;AAC/B,MAAM,aAAa,GAAG,QAAiB,CAAC;AAExC;;;GAGG;AACH,MAAM,WAAW,GAAG,oBAA6B,CAAC;AAElD,iFAAiF;AAEjF;;;;;;;;;GASG;AACH,SAAS,mBAAmB;IAC1B,MAAM,cAAc,GAAG,GAAG,WAAW,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC;IACnF,OAAO,UAAU,CAAC,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;AAC/F,CAAC;AAED,iFAAiF;AAEjF;;;;;GAKG;AACH,SAAS,OAAO,CAAC,SAAiB;IAChC,MAAM,GAAG,GAAG,mBAAmB,EAAE,CAAC;IAClC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,gBAAgB,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IAE7F,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACzF,CAAC;AAED;;;;;;GAMG;AACH,SAAS,OAAO,CAAC,cAAsB;IACrC,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CACjB,yCAAyC,EACzC,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,aAAa,CAAC,GAAG,KAAiC,CAAC;IAC7E,MAAM,GAAG,GAAG,mBAAmB,EAAE,CAAC;IAClC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IACjG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,SAAS,CACjB,8FAA8F,EAC9F,kDAAkD,CACnD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,GAAW;IAClD,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IAExE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,UAAU,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAG,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,QAAgB,EAAE,GAAW;IACvD,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IACxE,UAAU,CAAC,GAAG,CACZ,kBAAkB,EAClB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CACtC,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,GAAW,EACX,KAAa;IAEb,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IAErC,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QACtC,MAAM,OAAO,GAAI,UAAU,CAAC,GAAG,CAAC,mBAAmB,CAA4B,IAAI,EAAE,CAAC;QACtF,OAAO,CAAC,OAAO,CAAC,GAAG,cAAc,CAAC;QAClC,UAAU,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,SAAS,CACjB,uCAAuC,GAAG,MAAM,MAAM,EAAE,EACxD,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,OAAO,GAAI,UAAU,CAAC,GAAG,CAAC,mBAAmB,CAA4B,IAAI,EAAE,CAAC;IACtF,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAExC,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,cAAc,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,SAAS,CACjB,6BAA6B,GAAG,MAAM,MAAM,EAAE,EAC9C,6CAA6C,GAAG,GAAG,CACpD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,MAAM,QAAQ,GAAI,UAAU,CAAC,GAAG,CAAC,kBAAkB,CAAc,IAAI,EAAE,CAAC;IACxE,MAAM,MAAM,GAAG,GAAG,QAAQ,GAAG,CAAC;IAE9B,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;SAClC,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7C,OAAO,KAAK,KAAK,IAAI,CAAC;AACxB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,GAAG,EAAE,CAAC;IACrC,MAAM,OAAO,GAAI,UAAU,CAAC,GAAG,CAAC,mBAAmB,CAA4B,IAAI,EAAE,CAAC;IAEtF,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;IACxB,UAAU,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;IAC7C,kBAAkB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAElC,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/types/index.d.ts

@@ -155,11 +155,16 @@ export interface LocalConfig {
     /** ISO 8601 timestamp of the last successful helm sync. */
     last_sync: string;
     /**
-     * List of secret key names stored in the OS keychain for this machine.
+     * List of secret key names stored on this machine.
      * Format: "[username]/[KEY_NAME]". Values are never stored here — only names.
-     * This manifest exists because the OS keychain API does not support enumeration.
      */
     secrets_manifest: string[];
+    /**
+     * AES-256-GCM encrypted secret values keyed by "[username]/[KEY_NAME]".
+     * Each value is a colon-delimited string: "iv:authTag:ciphertext" (all hex-encoded).
+     * Decrypted at runtime using a PBKDF2-derived key from machine-specific entropy.
+     */
+    encrypted_secrets: Record<string, string>;
 }
 /**
  * A single flow's last execution record.

package/dist/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,+CAA+C;IAC/C,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,UAAU,EAAE,OAAO,CAAC;IACpB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,yEAAyE;IACzE,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,uDAAuD;IACvD,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,yEAAyE;IACzE,OAAO,EAAE,OAAO,CAAC;IACjB,mEAAmE;IACnE,gBAAgB,EAAE,MAAM,CAAC;IACzB,kDAAkD;IAClD,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,yDAAyD;IACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC,CAAC;CAChD;AAED;;;GAGG;AACH,MAAM,WAAW,IAAI;IACnB,kDAAkD;IAClD,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,kEAAkE;IAClE,gBAAgB,EAAE,MAAM,CAAC;IACzB,qDAAqD;IACrD,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kEAAkE;IAClE,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mEAAmE;IACnE,wBAAwB,EAAE,OAAO,CAAC;IAClC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;GAGG;AACH,MAAM,WAAW,OAAO;IACtB,iCAAiC;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,IAAI,EAAE,WAAW,GAAG,QAAQ,CAAC;IAC7B,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC;IAC/B,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,MAAM,EAAE,aAAa,GAAG,eAAe,CAAC;IACxC,+DAA+D;IAC/D,OAAO,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,eAAe,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,MAAM,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,cAAc,EAAE,OAAO,CAAC;IACxB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAID;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,MAAM,EAAE,SAAS,GAAG,QAAQ,CAAC;CAC9B;AAED;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;AAIzD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,2DAA2D;IAC3D,KAAK,EAAE,OAAO,CAAC;IACf,kEAAkE;IAClE,SAAS,EAAE,MAAM,CAAC;CACnB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,+CAA+C;IAC/C,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,UAAU,EAAE,OAAO,CAAC;IACpB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,yEAAyE;IACzE,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,uDAAuD;IACvD,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,yEAAyE;IACzE,OAAO,EAAE,OAAO,CAAC;IACjB,mEAAmE;IACnE,gBAAgB,EAAE,MAAM,CAAC;IACzB,kDAAkD;IAClD,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,yDAAyD;IACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC,CAAC;CAChD;AAED;;;GAGG;AACH,MAAM,WAAW,IAAI;IACnB,kDAAkD;IAClD,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,kEAAkE;IAClE,gBAAgB,EAAE,MAAM,CAAC;IACzB,qDAAqD;IACrD,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kEAAkE;IAClE,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mEAAmE;IACnE,wBAAwB,EAAE,OAAO,CAAC;IAClC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;GAGG;AACH,MAAM,WAAW,OAAO;IACtB,iCAAiC;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,IAAI,EAAE,WAAW,GAAG,QAAQ,CAAC;IAC7B,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC;IAC/B,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,MAAM,EAAE,aAAa,GAAG,eAAe,CAAC;IACxC,+DAA+D;IAC/D,OAAO,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,eAAe,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,MAAM,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,cAAc,EAAE,OAAO,CAAC;IACxB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B;;;;OAIG;IACH,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAID;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,MAAM,EAAE,SAAS,GAAG,QAAQ,CAAC;CAC9B;AAED;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;AAIzD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,2DAA2D;IAC3D,KAAK,EAAE,OAAO,CAAC;IACf,kEAAkE;IAClE,SAAS,EAAE,MAAM,CAAC;CACnB"}

package/package.json

@@ -1,7 +1,12 @@
 {
   "name": "chief-helm",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "CLI for CHIEF — Personal AI Operations System",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/joselvelez/CHIEF.git",
+    "directory": "helm"
+  },
   "type": "module",
   "bin": {
     "helm": "./dist/index.js"
@@ -35,7 +40,6 @@
     "ink": "^5.1.4",
     "inquirer": "^13.3.0",
     "js-yaml": "^4.1.0",
-    "keytar": "^7.9.0",
     "open": "^10.1.0",
     "ora": "^8.0.1",
     "react": "^18.3.1",