lsh-framework 3.2.5 → 3.5.0

package/dist/lib/ipfs-secrets-storage.js

@@ -15,6 +15,7 @@ import { createLogger } from './logger.js';
 import { getIPFSSync } from './ipfs-sync.js';
 import { deriveKeyInfo, ensureKeyImported } from './ipns-key-manager.js';
 import { ENV_VARS, DEFAULTS } from '../constants/index.js';
+import { extractErrorMessage } from './lsh-error.js';
 const logger = createLogger('IPFSSecretsStorage');
 /**
  * IPFS Secrets Storage
@@ -107,16 +108,23 @@ export class IPFSSecretsStorage {
                     }
                 }
                 catch (error) {
-                    const err = error;
-                    logger.error(`Content uploaded (CID: ${cid}) but IPNS publish failed: ${err.message}\n` +
+                    logger.error(`Content uploaded (CID: ${cid}) but IPNS publish failed: ${extractErrorMessage(error)}\n` +
                         `Other machines won't find it via 'lsh pull' until you re-push.`);
                 }
             }
+            // Durable remote pin (best-effort): survives this machine going offline.
+            // No-op unless a kubo remote pinning service is configured.
+            const pinnedService = await ipfsSync.addRemotePin(cid, `lsh-${gitRepo || DEFAULTS.DEFAULT_ENVIRONMENT}-${environment}`);
+            if (pinnedService) {
+                logger.info(`   📌 Remote-pinned to "${pinnedService}" (durable)`);
+            }
+            else {
+                logger.warn('No remote pin — content lives only on this machine until a peer caches it. Configure LSH_PIN_SERVICE for durability.');
+            }
             return cid;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Failed to push secrets to IPFS: ${err.message}`);
+            logger.error(`Failed to push secrets to IPFS: ${extractErrorMessage(error)}`);
             throw error;
         }
     }
@@ -155,8 +163,7 @@ export class IPFSSecretsStorage {
                     }
                 }
                 catch (error) {
-                    const err = error;
-                    logger.debug(`   IPNS resolution error: ${err.message}`);
+                    logger.debug(`   IPNS resolution error: ${extractErrorMessage(error)}`);
                 }
             }
             // No fallback to local metadata — IPNS is the source of truth
@@ -185,8 +192,7 @@ export class IPFSSecretsStorage {
                     }
                 }
                 catch (error) {
-                    const err = error;
-                    logger.debug(`   IPFS download failed: ${err.message}`);
+                    logger.debug(`   IPFS download failed: ${extractErrorMessage(error)}`);
                 }
             }
             if (!cachedData) {
@@ -201,8 +207,7 @@ export class IPFSSecretsStorage {
             return secrets;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Failed to pull secrets from IPFS: ${err.message}`);
+            logger.error(`Failed to pull secrets from IPFS: ${extractErrorMessage(error)}`);
             throw error;
         }
     }
@@ -275,19 +280,19 @@ export class IPFSSecretsStorage {
             return JSON.parse(decrypted);
         }
         catch (error) {
-            const err = error;
+            const msg = extractErrorMessage(error);
             // Catch crypto errors (bad decrypt, wrong block length) AND JSON parse errors
             // (wrong key can produce garbage that fails JSON.parse)
-            if (err.message.includes('bad decrypt') ||
-                err.message.includes('wrong final block length') ||
-                err.message.includes('Unexpected token') ||
-                err.message.includes('JSON')) {
+            if (msg.includes('bad decrypt') ||
+                msg.includes('wrong final block length') ||
+                msg.includes('Unexpected token') ||
+                msg.includes('JSON')) {
                 throw new Error('Decryption failed. This usually means:\n' +
                     '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
                     '  2. The key must match the one used during encryption\n' +
                     '  3. Generate a shared key with: lsh key\n' +
                     '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
-                    '\nOriginal error: ' + err.message);
+                    '\nOriginal error: ' + msg, { cause: error });
             }
             throw error;
         }

package/dist/lib/ipfs-sync.js

@@ -14,6 +14,8 @@ import * as fsPromises from 'fs/promises';
 import * as path from 'path';
 import * as os from 'os';
 import { createLogger } from './logger.js';
+import { extractErrorMessage } from './lsh-error.js';
+import { ENV_VARS } from '../constants/config.js';
 const logger = createLogger('IPFSSync');
 /**
  * Native IPFS Sync
@@ -123,8 +125,7 @@ export class IPFSSync {
             return cid;
         }
         catch (error) {
-            const err = error;
-            logger.error(`IPFS upload error: ${err.message}`);
+            logger.error(`IPFS upload error: ${extractErrorMessage(error)}`);
             return null;
         }
     }
@@ -151,6 +152,7 @@ export class IPFSSync {
             logger.debug('Local daemon download failed, trying gateways...');
         }
         // Fall back to public gateways
+        let backoffMs = 1000;
         for (const gatewayTemplate of this.GATEWAYS) {
             const gatewayUrl = gatewayTemplate.replace('{cid}', cid);
             try {
@@ -165,6 +167,8 @@ export class IPFSSync {
             }
             catch {
                 logger.debug(`Gateway ${gatewayUrl} failed, trying next...`);
+                await new Promise((resolve) => { setTimeout(resolve, backoffMs); });
+                backoffMs = Math.min(backoffMs * 2, 10000);
             }
         }
         logger.error(`Failed to download CID: ${cid}`);
@@ -229,8 +233,7 @@ export class IPFSSync {
             return false;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Pin failed: ${err.message}`);
+            logger.error(`Pin failed: ${extractErrorMessage(error)}`);
             return false;
         }
     }
@@ -255,8 +258,7 @@ export class IPFSSync {
             return false;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Unpin failed: ${err.message}`);
+            logger.error(`Unpin failed: ${extractErrorMessage(error)}`);
             return false;
         }
     }
@@ -297,8 +299,7 @@ export class IPFSSync {
             await fsPromises.writeFile(this.historyPath, JSON.stringify(history, null, 2), 'utf-8');
         }
         catch (error) {
-            const err = error;
-            logger.debug(`Failed to save history: ${err.message}`);
+            logger.debug(`Failed to save history: ${extractErrorMessage(error)}`);
         }
     }
     /**
@@ -327,8 +328,7 @@ export class IPFSSync {
             }
         }
         catch (error) {
-            const err = error;
-            logger.error(`Failed to clear history: ${err.message}`);
+            logger.error(`Failed to clear history: ${extractErrorMessage(error)}`);
         }
     }
     /**
@@ -343,6 +343,82 @@ export class IPFSSync {
     getApiUrl() {
         return this.LOCAL_IPFS_API;
     }
+    /**
+     * List the names of remote pinning services configured in the local Kubo
+     * node (via `ipfs pin remote service add`). Returns [] on any error.
+     */
+    async listRemoteServices() {
+        try {
+            const response = await fetch(`${this.LOCAL_IPFS_API}/pin/remote/service/ls`, {
+                method: 'POST',
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok)
+                return [];
+            const data = await response.json();
+            return (data.RemoteServices || []).map((s) => s.Service).filter(Boolean);
+        }
+        catch {
+            return [];
+        }
+    }
+    /**
+     * Decide which remote pinning service to pin to.
+     * - If LSH_PIN_SERVICE is set, use it only when it is actually configured.
+     * - Otherwise, use the sole configured service when exactly one exists.
+     * - Returns null when nothing is configured or the choice is ambiguous.
+     */
+    async resolveRemoteService() {
+        const services = await this.listRemoteServices();
+        const explicit = process.env[ENV_VARS.LSH_PIN_SERVICE];
+        if (explicit) {
+            return services.includes(explicit) ? explicit : null;
+        }
+        return services.length === 1 ? services[0] : null;
+    }
+    /**
+     * Pin a CID to a configured remote pinning service so the content survives
+     * this machine going offline. This is what makes "pull anywhere, anytime"
+     * real: without it, blocks live only on the pushing node.
+     *
+     * Returns the service name on success, or null when no service is
+     * configured (the common zero-config case) or the pin request failed.
+     * Never throws — durable pinning is best-effort and the caller decides how
+     * loudly to warn.
+     */
+    async addRemotePin(cid, pinName) {
+        try {
+            const service = await this.resolveRemoteService();
+            if (!service)
+                return null;
+            const url = `${this.LOCAL_IPFS_API}/pin/remote/add` +
+                `?arg=${encodeURIComponent(cid)}` +
+                `&service=${encodeURIComponent(service)}` +
+                `&name=${encodeURIComponent(pinName)}` +
+                `&background=true`;
+            const response = await fetch(url, {
+                method: 'POST',
+                signal: AbortSignal.timeout(30000),
+            });
+            if (!response.ok) {
+                const errorText = await response.text();
+                // An already-present pin is reported as an error by some services; treat
+                // a "already pinned"/"duplicate" message as success rather than a failure.
+                if (/already|duplicate|exists/i.test(errorText)) {
+                    logger.info(`📌 Already remote-pinned on "${service}": ${cid}`);
+                    return service;
+                }
+                logger.warn(`Remote pin failed on "${service}": ${errorText}`);
+                return null;
+            }
+            logger.info(`📌 Remote-pinned to "${service}" (durable): ${cid}`);
+            return service;
+        }
+        catch (error) {
+            logger.warn(`Remote pin error: ${extractErrorMessage(error)}`);
+            return null;
+        }
+    }
     /**
      * Publish a CID to IPNS under the given key name.
      * The key must already be imported into Kubo.
@@ -371,8 +447,7 @@ export class IPFSSync {
                 return data.Name;
             }
             catch (error) {
-                const err = error;
-                logger.warn(`IPNS publish error (attempt ${attempt}): ${err.message}`);
+                logger.warn(`IPNS publish error (attempt ${attempt}): ${extractErrorMessage(error)}`);
                 if (attempt === 2) {
                     logger.error(`IPNS publish failed after retry. Content is uploaded (CID: ${cid}) ` +
                         `but other machines won't find it via 'lsh pull' until you re-push.`);
@@ -402,8 +477,7 @@ export class IPFSSync {
             return resolvedCid;
         }
         catch (error) {
-            const err = error;
-            logger.debug(`IPNS resolve error: ${err.message}`);
+            logger.debug(`IPNS resolve error: ${extractErrorMessage(error)}`);
             return null;
         }
     }

package/dist/lib/secrets-manager.js

@@ -3,6 +3,7 @@
  * Sync .env files across machines using encrypted Supabase storage
  */
 import * as fs from 'fs';
+import * as os from 'os';
 import * as path from 'path';
 import * as crypto from 'crypto';
 import { createLogger, LogLevel } from './logger.js';
@@ -10,7 +11,53 @@ import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils
 import { IPFSSyncLogger } from './ipfs-sync-logger.js';
 import { IPFSSecretsStorage } from './ipfs-secrets-storage.js';
 import { ENV_VARS } from '../constants/index.js';
+import { extractErrorMessage } from './lsh-error.js';
+import { SyncKeyStore } from './sync-key-store.js';
 const logger = createLogger('SecretsManager');
+/**
+ * Read LSH_SECRETS_KEY from a .env file without loading the entire file into process.env
+ */
+function readKeyFromEnvFile(envPath) {
+    try {
+        if (fs.existsSync(envPath)) {
+            const content = fs.readFileSync(envPath, 'utf8');
+            const match = content.match(/^LSH_SECRETS_KEY=['"]?([^'"\n]+)['"]?/m);
+            if (match)
+                return match[1];
+        }
+    }
+    catch {
+        // Ignore read errors
+    }
+    return null;
+}
+/**
+ * Find LSH_SECRETS_KEY from environment, local .env, global ~/.env,
+ * or the persistent SyncKeyStore at $LSH_HOME/sync_key.json.
+ * Returns null if no explicit key is found (does not generate a fallback).
+ */
+export function findEncryptionKey() {
+    // 1. Check environment variable
+    const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
+    if (envKey)
+        return envKey;
+    // 2. Check local .env
+    const localKey = readKeyFromEnvFile(path.join(process.cwd(), '.env'));
+    if (localKey)
+        return localKey;
+    // 3. Check global ~/.env
+    const home = process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '';
+    if (home) {
+        const globalKey = readKeyFromEnvFile(path.join(home, '.env'));
+        if (globalKey)
+            return globalKey;
+    }
+    // 4. Check persistent sync key store ($LSH_HOME/sync_key.json)
+    const stored = new SyncKeyStore().get();
+    if (stored)
+        return stored;
+    return null;
+}
 export class SecretsManager {
     storage;
     encryptionKey;
@@ -73,57 +120,85 @@ export class SecretsManager {
      * Get default encryption key from environment or machine
      */
     getDefaultEncryptionKey() {
-        // Check for explicit key
-        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
-        if (envKey) {
-            return envKey;
-        }
-        // Generate from machine ID and user
-        const machineId = process.env[ENV_VARS.HOSTNAME] || 'localhost';
-        const user = process.env[ENV_VARS.USER] || 'unknown';
-        const seed = `${machineId}-${user}-lsh-secrets`;
+        // Check environment, local .env, and global ~/.env
+        const explicitKey = findEncryptionKey();
+        if (explicitKey)
+            return explicitKey;
+        logger.warn('No explicit LSH_SECRETS_KEY found. Generating machine-derived fallback key.');
+        logger.warn('Set LSH_SECRETS_KEY in your environment for portable, secure encryption.');
+        // Generate from multiple machine-specific entropy sources
+        const hostname = os.hostname();
+        const uid = String(os.userInfo().uid);
+        const homedir = os.homedir();
+        // Try to read /etc/machine-id (Linux) for additional entropy
+        let machineSpecific;
+        try {
+            machineSpecific = fs.readFileSync('/etc/machine-id', 'utf8').trim();
+        }
+        catch {
+            // Fallback to CPU model on macOS / systems without machine-id
+            machineSpecific = os.cpus()[0]?.model || 'no-cpu-info';
+        }
+        const seed = `${hostname}-${uid}-${homedir}-${machineSpecific}-lsh-secrets`;
         // Create deterministic key
         return crypto.createHash('sha256').update(seed).digest('hex');
     }
     /**
-     * Encrypt a value
+     * Encrypt a value using AES-256-GCM with authentication tag
      */
     encrypt(text) {
-        const iv = crypto.randomBytes(16);
+        const iv = crypto.randomBytes(12); // 96-bit IV recommended for GCM
         const key = Buffer.from(this.encryptionKey, 'hex');
-        const cipher = crypto.createCipheriv('aes-256-cbc', key.slice(0, 32), iv);
+        const cipher = crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv);
         let encrypted = cipher.update(text, 'utf8', 'hex');
         encrypted += cipher.final('hex');
-        return iv.toString('hex') + ':' + encrypted;
+        const authTag = cipher.getAuthTag();
+        // Format: iv:authTag:encrypted (3-part GCM format)
+        return iv.toString('hex') + ':' + authTag.toString('hex') + ':' + encrypted;
     }
     /**
-     * Decrypt a value
+     * Decrypt a value (supports both AES-256-GCM and legacy AES-256-CBC)
      */
     decrypt(text) {
         try {
             const parts = text.split(':');
-            if (parts.length !== 2) {
+            const key = Buffer.from(this.encryptionKey, 'hex');
+            if (parts.length === 3) {
+                // AES-256-GCM format: iv:authTag:encrypted
+                const iv = Buffer.from(parts[0], 'hex');
+                const authTag = Buffer.from(parts[1], 'hex');
+                const encryptedText = parts[2];
+                const decipher = crypto.createDecipheriv('aes-256-gcm', key.slice(0, 32), iv);
+                decipher.setAuthTag(authTag);
+                let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
+                decrypted += decipher.final('utf8');
+                return decrypted;
+            }
+            else if (parts.length === 2) {
+                // Legacy AES-256-CBC format: iv:encrypted
+                const iv = Buffer.from(parts[0], 'hex');
+                const encryptedText = parts[1];
+                const decipher = crypto.createDecipheriv('aes-256-cbc', key.slice(0, 32), iv);
+                let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
+                decrypted += decipher.final('utf8');
+                return decrypted;
+            }
+            else {
                 throw new Error('Invalid encrypted format');
             }
-            const iv = Buffer.from(parts[0], 'hex');
-            const encryptedText = parts[1];
-            const key = Buffer.from(this.encryptionKey, 'hex');
-            const decipher = crypto.createDecipheriv('aes-256-cbc', key.slice(0, 32), iv);
-            let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
-            decrypted += decipher.final('utf8');
-            return decrypted;
         }
         catch (error) {
-            const err = error;
-            if (err.message.includes('bad decrypt') || err.message.includes('wrong final block length')) {
+            const msg = extractErrorMessage(error);
+            if (msg.includes('bad decrypt') || msg.includes('wrong final block length') ||
+                msg.includes('Unsupported state') || msg.includes('unable to authenticate')) {
                 throw new Error('Decryption failed. This usually means:\n' +
                     '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
                     '  2. The key must match the one used during encryption\n' +
                     '  3. Generate a shared key with: lsh secrets key\n' +
                     '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
-                    '\nOriginal error: ' + err.message);
+                    '\nOriginal error: ' + msg, { cause: error });
             }
-            throw err;
+            throw error;
         }
     }
     /**
@@ -243,8 +318,8 @@ export class SecretsManager {
         }
         // Get the effective environment name (repo-aware)
         const effectiveEnv = this.getRepoAwareEnvironment(environment);
-        // Warn if using default key
-        if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+        // Warn if using machine-derived fallback key (no explicit key found anywhere)
+        if (!findEncryptionKey()) {
             logger.warn('⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-specific key.');
             logger.warn('   To share secrets across machines, generate a key with: lsh key');
             logger.warn('   Then add LSH_SECRETS_KEY=<key> to your .env on all machines');
@@ -277,10 +352,9 @@ export class SecretsManager {
                 }
             }
             catch (error) {
-                const err = error;
                 // Re-throw destructive change errors
-                if (err.message.includes('Destructive change')) {
-                    throw err;
+                if (extractErrorMessage(error).includes('Destructive change')) {
+                    throw error;
                 }
                 // Ignore other errors (like missing secrets) and proceed
             }
@@ -357,8 +431,8 @@ export class SecretsManager {
         const finalEnv = { ...pulledEnv, ...localLshKeys };
         // Convert to .env format
         const envContent = this.formatEnvFile(finalEnv);
-        // Write new .env
-        fs.writeFileSync(envFilePath, envContent, 'utf8');
+        // Write new .env with restrictive permissions (owner read/write only)
+        fs.writeFileSync(envFilePath, envContent, { encoding: 'utf8', mode: 0o600 });
         logger.info(`✅ Pulled ${secrets.length} secrets from IPFS`);
         // Get metadata for CID display
         const metadata = this.storage.getMetadata(environment, this.gitInfo?.repoName);
@@ -430,7 +504,7 @@ export class SecretsManager {
             cloudExists: false,
             cloudKeys: 0,
             cloudModified: undefined,
-            keySet: !!process.env[ENV_VARS.LSH_SECRETS_KEY],
+            keySet: !!findEncryptionKey(),
             keyMatches: undefined,
             suggestions: [],
         };
@@ -518,7 +592,7 @@ export class SecretsManager {
      * Generate encryption key if not set
      */
     async ensureEncryptionKey() {
-        if (process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+        if (findEncryptionKey()) {
             return true; // Key already set
         }
         logger.warn('⚠️  No encryption key found. Generating a new key...');
@@ -540,7 +614,7 @@ export class SecretsManager {
             else {
                 content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
             }
-            fs.writeFileSync(envPath, content, 'utf8');
+            fs.writeFileSync(envPath, content, { encoding: 'utf8', mode: 0o600 });
             // Set in current process
             process.env[ENV_VARS.LSH_SECRETS_KEY] = key;
             this.encryptionKey = key;
@@ -549,8 +623,7 @@ export class SecretsManager {
             return true;
         }
         catch (error) {
-            const _err = error;
-            logger.error(`Failed to save encryption key: ${_err.message}`);
+            logger.error(`Failed to save encryption key: ${extractErrorMessage(error)}`);
             logger.info('Please set it manually:');
             logger.info(`export LSH_SECRETS_KEY=${key}`);
             return false;
@@ -581,13 +654,12 @@ LSH_SECRETS_KEY=${this.encryptionKey}
 # Add your environment variables below
 `;
             try {
-                fs.writeFileSync(envFilePath, template, 'utf8');
+                fs.writeFileSync(envFilePath, template, { encoding: 'utf8', mode: 0o600 });
                 logger.info(`✅ Created ${envFilePath} from template`);
                 return true;
             }
             catch (error) {
-                const _err = error;
-                logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
+                logger.error(`Failed to create ${envFilePath}: ${extractErrorMessage(error)}`);
                 return false;
             }
         }
@@ -599,13 +671,12 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             if (!content.includes('LSH_SECRETS_KEY')) {
                 newContent += `\n# LSH Secrets Encryption Key (auto-generated)\nLSH_SECRETS_KEY=${this.encryptionKey}\n`;
             }
-            fs.writeFileSync(envFilePath, newContent, 'utf8');
+            fs.writeFileSync(envFilePath, newContent, { encoding: 'utf8', mode: 0o600 });
             logger.info(`✅ Created ${envFilePath} from ${path.basename(examplePath)}`);
             return true;
         }
         catch (error) {
-            const _err = error;
-            logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
+            logger.error(`Failed to create ${envFilePath}: ${extractErrorMessage(error)}`);
             return false;
         }
     }
@@ -679,7 +750,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out();
             }
             // Step 1: Ensure encryption key exists
-            if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+            if (!findEncryptionKey()) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();
@@ -982,8 +1053,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
         }
         catch (error) {
             // Don't fail operation if IPFS logging fails
-            const err = error;
-            logger.warn(`⚠️  Could not log to IPFS: ${err.message}`);
+            logger.warn(`⚠️  Could not log to IPFS: ${extractErrorMessage(error)}`);
         }
     }
 }

package/dist/lib/sync-key-store.js

@@ -0,0 +1,87 @@
+/**
+ * Persistent storage for the LSH sync secret.
+ *
+ * Mirrors the design of mcli's `mcli sync key` store: a single 64-char
+ * hex value kept in ``$LSH_HOME/sync_key.json`` (default
+ * ``~/.config/lsh/sync_key.json``) with mode 0600. The
+ * ``LSH_SECRETS_KEY`` environment variable still wins when set; the
+ * store is only consulted as a fallback so users do not have to re-paste
+ * their secret on every shell.
+ */
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+export const HEX64_REGEX = /^[0-9a-fA-F]{64}$/;
+const FILENAME = 'sync_key.json';
+/** Resolve the directory where lsh stores its config (`$LSH_HOME` or `~/.config/lsh`). */
+export function getLshHome() {
+    const overridden = process.env.LSH_HOME;
+    if (overridden && overridden.trim().length > 0)
+        return overridden;
+    return path.join(os.homedir(), '.config', 'lsh');
+}
+/** Return a freshly-generated 64-char hex secret without persisting it. */
+export function generateKey() {
+    return crypto.randomBytes(32).toString('hex');
+}
+/**
+ * Persistent on-disk store for the LSH sync secret.
+ */
+export class SyncKeyStore {
+    /** Absolute path to the on-disk key file. */
+    get path() {
+        return path.join(getLshHome(), FILENAME);
+    }
+    /** Read the persisted key, or `null` if none is configured / file is malformed. */
+    get() {
+        const file = this.path;
+        if (!fs.existsSync(file))
+            return null;
+        try {
+            const raw = fs.readFileSync(file, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (typeof parsed.key === 'string' && HEX64_REGEX.test(parsed.key)) {
+                return parsed.key;
+            }
+        }
+        catch {
+            // fall through to null
+        }
+        return null;
+    }
+    /** Validate and persist a key. Throws on invalid input. */
+    set(key) {
+        if (typeof key !== 'string' || !HEX64_REGEX.test(key)) {
+            throw new Error('sync key must be a 64-char hex string');
+        }
+        this.write(key);
+    }
+    /** Generate a new key and persist it. Refuses to overwrite unless `force=true`. */
+    generate(force = false) {
+        if (fs.existsSync(this.path) && !force) {
+            throw new Error(`sync key already exists at ${this.path}; use force=true to overwrite`);
+        }
+        const key = generateKey();
+        this.write(key);
+        return key;
+    }
+    /** Delete the persisted key, if any. No-op when the file is absent. */
+    clear() {
+        try {
+            fs.unlinkSync(this.path);
+        }
+        catch (err) {
+            const e = err;
+            if (e.code !== 'ENOENT')
+                throw err;
+        }
+    }
+    write(key) {
+        const dir = path.dirname(this.path);
+        fs.mkdirSync(dir, { recursive: true });
+        // Write first, then chmod, so the secret is never world-readable.
+        fs.writeFileSync(this.path, JSON.stringify({ key }));
+        fs.chmodSync(this.path, 0o600);
+    }
+}