stegdoc 4.0.0 → 5.0.1

package/src/lib/xlsx-handler.js

@@ -1,416 +1,597 @@
-const ExcelJS = require('exceljs');
-const fs = require('fs');
-const path = require('path');
-const AdmZip = require('adm-zip');
-const { generateDecoyHeaders, generateDecoyData, calculateDecoyRowCount, rowToArray, resetTimeWindow } = require('./decoy-generator');
-const { parseXmlFromZip, ensureArray, extractTextContent } = require('./xml-utils');
-
-// Constants for data storage
-const HIDDEN_SHEET_NAME = 'Data';
-const VISIBLE_SHEET_NAME = 'Server Metrics';
-const CELL_CHUNK_SIZE = 32000; // Max characters per cell (~32KB)
-
-/**
- * Create an XLSX file using streaming WorkbookWriter (v4 format).
- * Memory-efficient: rows are freed after commit.
- * @param {object} options
- * @param {string} options.base64Content - Base64 content to store in this part
- * @param {string} options.encryptionMeta - Packed encryption metadata (iv:salt:authTag) or ''
- * @param {string} options.metadataJson - Serialized metadata JSON string
- * @param {string} options.outputPath - Output file path
- * @returns {Promise<string>} Path to created file
- */
-async function createXlsxPartStreaming(options) {
-  const { base64Content, encryptionMeta, metadataJson, outputPath } = options;
-
-  // Ensure output directory exists
-  const outputDir = path.dirname(outputPath);
-  if (!fs.existsSync(outputDir)) {
-    fs.mkdirSync(outputDir, { recursive: true });
-  }
-
-  const workbook = new ExcelJS.stream.xlsx.WorkbookWriter({
-    filename: outputPath,
-    useSharedStrings: false, // Inline strings for easier post-processing
-  });
-
-  workbook.creator = 'Microsoft Excel';
-  workbook.lastModifiedBy = 'Microsoft Excel';
-  workbook.created = new Date();
-  workbook.modified = new Date();
-
-  // === Sheet 1: Visible decoy data (server metrics) ===
-  const visibleSheet = workbook.addWorksheet(VISIBLE_SHEET_NAME, {
-    properties: { tabColor: { argb: '4472C4' } },
-  });
-
-  // Set column widths before adding rows
-  visibleSheet.columns = [
-    { width: 20 }, // Timestamp
-    { width: 16 }, // Server ID
-    { width: 12 }, // Status
-    { width: 8 },  // CPU %
-    { width: 10 }, // Memory %
-    { width: 8 },  // Disk %
-    { width: 14 }, // Network (MB/s)
-    { width: 10 }, // Requests
-    { width: 14 }, // Resp Time (ms)
-    { width: 12 }, // Uptime (hrs)
-  ];
-
-  // Add headers
-  const headers = generateDecoyHeaders();
-  const headerRow = visibleSheet.addRow(headers);
-
-  const headerCount = headers.length;
-  for (let col = 1; col <= headerCount; col++) {
-    const cell = headerRow.getCell(col);
-    cell.font = { bold: true, size: 11, color: { argb: 'FFFFFF' } };
-    cell.fill = {
-      type: 'pattern',
-      pattern: 'solid',
-      fgColor: { argb: '2E7D32' },
-    };
-  }
-  headerRow.commit();
-
-  // Generate and write decoy data rows, committing each to free memory
-  const payloadSize = base64Content.length;
-  const rowCount = calculateDecoyRowCount(payloadSize);
-  const decoyData = generateDecoyData(rowCount);
-
-  for (const row of decoyData) {
-    const dataRow = visibleSheet.addRow(rowToArray(row));
-    dataRow.commit();
-  }
-
-  // Add filters
-  visibleSheet.autoFilter = {
-    from: 'A1',
-    to: `J${rowCount + 1}`,
-  };
-
-  await visibleSheet.commit();
-
-  // === Sheet 2: Hidden payload (veryHidden) ===
-  const hiddenSheet = workbook.addWorksheet(HIDDEN_SHEET_NAME, {
-    state: 'veryHidden',
-  });
-
-  // Split base64 content into cell-sized chunks
-  const chunks = splitIntoChunks(base64Content, CELL_CHUNK_SIZE);
-
-  // Row 1: metadata
-  const metaRow = hiddenSheet.getRow(1);
-  metaRow.getCell(1).value = encryptionMeta;
-  metaRow.getCell(2).value = metadataJson;
-  metaRow.getCell(3).value = chunks.length.toString();
-  metaRow.commit();
-
-  // Write cell chunks in rows starting from row 2, columns A-Z
-  const totalChunks = chunks.length;
-  const totalRows = Math.ceil(totalChunks / 26);
-
-  for (let rowIdx = 0; rowIdx < totalRows; rowIdx++) {
-    const sheetRow = hiddenSheet.getRow(rowIdx + 2);
-    const startChunk = rowIdx * 26;
-    const endChunk = Math.min(startChunk + 26, totalChunks);
-
-    for (let i = startChunk; i < endChunk; i++) {
-      const col = (i % 26) + 1;
-      sheetRow.getCell(col).value = chunks[i];
-    }
-    sheetRow.commit();
-  }
-
-  await hiddenSheet.commit();
-  await workbook.commit();
-
-  // WorkbookWriter natively supports veryHidden state — no post-processing needed.
-  return outputPath;
-}
-
-/**
- * Create an XLSX file with encrypted base64 content hidden in a veryHidden sheet (legacy v3)
- * @param {object} options - Options for creating the XLSX
- * @param {string} options.base64Content - Encrypted base64 content to store
- * @param {string} options.encryptionMeta - Packed encryption metadata (iv:salt:authTag)
- * @param {object} options.metadata - Metadata object (serialized JSON)
- * @param {string} options.outputPath - Output file path
- * @returns {Promise<string>} Path to created file
- */
-async function createXlsxWithBase64(options) {
-  const { base64Content, encryptionMeta, metadata, outputPath } = options;
-
-  const workbook = new ExcelJS.Workbook();
-
-  // Set workbook properties to look legitimate
-  workbook.creator = 'Microsoft Excel';
-  workbook.lastModifiedBy = 'Microsoft Excel';
-  workbook.created = new Date();
-  workbook.modified = new Date();
-
-  // === Sheet 1: Visible decoy data (server metrics) ===
-  const visibleSheet = workbook.addWorksheet(VISIBLE_SHEET_NAME, {
-    properties: { tabColor: { argb: '4472C4' } },
-  });
-
-  // Add headers
-  const headers = generateDecoyHeaders();
-  const headerRow = visibleSheet.addRow(headers);
-
-  // Style header columns (10 columns for metrics data)
-  const headerCount = headers.length;
-  for (let col = 1; col <= headerCount; col++) {
-    const cell = headerRow.getCell(col);
-    cell.font = { bold: true, size: 11, color: { argb: 'FFFFFF' } };
-    cell.fill = {
-      type: 'pattern',
-      pattern: 'solid',
-      fgColor: { argb: '2E7D32' }, // Green for metrics/monitoring theme
-    };
-  }
-
-  // Calculate decoy row count based on payload size
-  const payloadSize = base64Content.length;
-  const rowCount = calculateDecoyRowCount(payloadSize);
-
-  // Generate and add decoy data
-  const decoyData = generateDecoyData(rowCount);
-  decoyData.forEach((row) => {
-    visibleSheet.addRow(rowToArray(row));
-  });
-
-  // Auto-fit columns for metrics data
-  visibleSheet.columns = [
-    { width: 20 }, // Timestamp
-    { width: 16 }, // Server ID
-    { width: 12 }, // Status
-    { width: 8 },  // CPU %
-    { width: 10 }, // Memory %
-    { width: 8 },  // Disk %
-    { width: 14 }, // Network (MB/s)
-    { width: 10 }, // Requests
-    { width: 14 }, // Resp Time (ms)
-    { width: 12 }, // Uptime (hrs)
-  ];
-
-  // Add filters to look more professional
-  visibleSheet.autoFilter = {
-    from: 'A1',
-    to: `J${rowCount + 1}`,
-  };
-
-  // === Sheet 2: Hidden payload (veryHidden) ===
-  const hiddenSheet = workbook.addWorksheet(HIDDEN_SHEET_NAME, {
-    state: 'veryHidden', // Not visible in Excel UI at all
-  });
-
-  // Store encryption metadata in cell A1
-  hiddenSheet.getCell('A1').value = encryptionMeta;
-
-  // Store serialized metadata in cell B1
-  hiddenSheet.getCell('B1').value = metadata;
-
-  // Split base64 content into chunks and store in cells
-  const chunks = splitIntoChunks(base64Content, CELL_CHUNK_SIZE);
-
-  // Store chunk count in C1 for reconstruction
-  hiddenSheet.getCell('C1').value = chunks.length.toString();
-
-  // Store chunks starting from A2
-  chunks.forEach((chunk, index) => {
-    const row = Math.floor(index / 26) + 2; // Start from row 2
-    const col = (index % 26) + 1; // Columns A-Z
-    hiddenSheet.getCell(row, col).value = chunk;
-  });
-
-  // Ensure output directory exists
-  const outputDir = path.dirname(outputPath);
-  if (!fs.existsSync(outputDir)) {
-    fs.mkdirSync(outputDir, { recursive: true });
-  }
-
-  // Write workbook to file
-  await workbook.xlsx.writeFile(outputPath);
-
-  // Post-process: ensure veryHidden state is set correctly
-  // ExcelJS sometimes has issues with veryHidden, so we fix it via XML
-  await ensureVeryHidden(outputPath);
-
-  return outputPath;
-}
-
-/**
- * Read an XLSX file and extract encrypted base64 content and metadata.
- * Always uses direct XML extraction for reliability and memory efficiency.
- * @param {string} xlsxPath - Path to XLSX file
- * @returns {Promise<object>} Object containing base64Content, encryptionMeta, and metadata
- */
-async function readXlsxBase64(xlsxPath) {
-  if (!fs.existsSync(xlsxPath)) {
-    throw new Error(`XLSX file not found: ${xlsxPath}`);
-  }
-
-  return await extractFromXml(xlsxPath);
-}
-
-/**
- * Extract data directly from XLSX XML using proper XML parser
- * Handles any namespace prefix (default, ns0:, ns1:, etc.)
- * @param {string} xlsxPath - Path to XLSX file
- * @returns {Promise<object>} Extracted data
- */
-async function extractFromXml(xlsxPath) {
-  // Parse shared strings using namespace-agnostic parser
-  let sharedStrings = [];
-  const ssParsed = parseXmlFromZip(xlsxPath, 'xl/sharedStrings.xml');
-
-  if (ssParsed && ssParsed.sst && ssParsed.sst.si) {
-    const siArray = ensureArray(ssParsed.sst.si);
-    sharedStrings = siArray.map((si) => extractTextContent(si.t));
-  }
-
-  // Parse the hidden sheet (sheet2.xml is our default location)
-  const sheetParsed = parseXmlFromZip(xlsxPath, 'xl/worksheets/sheet2.xml');
-
-  if (!sheetParsed) {
-    throw new Error('Hidden sheet not found in XLSX file. This may not be a stegdoc-encoded file.');
-  }
-
-  // Build cell map from worksheet > sheetData > row > c
-  const cellValues = new Map();
-  const sheetData = sheetParsed.worksheet?.sheetData;
-
-  if (sheetData && sheetData.row) {
-    const rows = ensureArray(sheetData.row);
-
-    for (const row of rows) {
-      if (!row.c) continue;
-      const cells = ensureArray(row.c);
-
-      for (const cell of cells) {
-        const cellRef = cell['@_r']; // e.g., "A1", "B1"
-        const cellType = cell['@_t']; // "s" for shared string, "inlineStr" for inline
-        const cellValue = cell.v;
-
-        if (cellRef === undefined) continue;
-
-        if (cellType === 's' && cellValue !== undefined) {
-          // Shared string reference
-          const ssIndex = parseInt(cellValue, 10);
-          if (ssIndex < sharedStrings.length) {
-            cellValues.set(cellRef, sharedStrings[ssIndex]);
-          }
-        } else if (cellType === 'inlineStr' && cell.is) {
-          // Inline string (from WorkbookWriter with useSharedStrings: false)
-          const text = extractTextContent(cell.is.t);
-          if (text !== undefined) {
-            cellValues.set(cellRef, text);
-          }
-        } else if (cellValue !== undefined) {
-          cellValues.set(cellRef, String(cellValue));
-        }
-      }
-    }
-  }
-
-  // Extract our data
-  const encryptionMeta = cellValues.get('A1') || ''; // May be empty if unencrypted
-  const metadata = cellValues.get('B1');
-  const chunkCountStr = cellValues.get('C1');
-
-  if (!metadata) {
-    throw new Error('No metadata found in XLSX file.');
-  }
-
-  const chunkCount = parseInt(chunkCountStr, 10);
-  if (isNaN(chunkCount) || chunkCount <= 0) {
-    throw new Error('Invalid chunk count in XLSX file.');
-  }
-
-  // Reconstruct chunks
-  const chunks = [];
-  for (let i = 0; i < chunkCount; i++) {
-    const row = Math.floor(i / 26) + 2;
-    const col = (i % 26) + 1;
-    const cellRef = `${columnToLetter(col)}${row}`;
-    const chunk = cellValues.get(cellRef);
-    if (chunk) {
-      chunks.push(chunk);
-    }
-  }
-
-  return {
-    base64Content: chunks.join(''),
-    encryptionMeta,
-    metadata,
-  };
-}
-
-/**
- * Ensure the hidden sheet is truly veryHidden by modifying the workbook.xml
- * @param {string} xlsxPath - Path to XLSX file
- */
-async function ensureVeryHidden(xlsxPath) {
-  const zip = new AdmZip(xlsxPath);
-
-  // Modify workbook.xml to ensure veryHidden state
-  const workbookEntry = zip.getEntry('xl/workbook.xml');
-  if (workbookEntry) {
-    let workbookXml = workbookEntry.getData().toString('utf8');
-
-    // Find the Data sheet and fix its state to veryHidden
-    // First, remove any existing state attribute from the Data sheet
-    workbookXml = workbookXml.replace(
-      /(<sheet[^>]*name="Data"[^>]*)\s+state="[^"]*"([^>]*\/>)/gi,
-      '$1 state="veryHidden"$2'
-    );
-
-    // If no state attribute was present, add one
-    if (!workbookXml.match(/<sheet[^>]*name="Data"[^>]*state="/i)) {
-      workbookXml = workbookXml.replace(
-        /(<sheet[^>]*name="Data")([^>]*\/>)/gi,
-        '$1 state="veryHidden"$2'
-      );
-    }
-
-    zip.updateFile('xl/workbook.xml', Buffer.from(workbookXml, 'utf8'));
-    zip.writeZip(xlsxPath);
-  }
-}
-
-/**
- * Split a string into chunks of specified size
- * @param {string} str - String to split
- * @param {number} size - Max chunk size
- * @returns {Array<string>} Array of chunks
- */
-function splitIntoChunks(str, size) {
-  const chunks = [];
-  for (let i = 0; i < str.length; i += size) {
-    chunks.push(str.slice(i, i + size));
-  }
-  return chunks;
-}
-
-/**
- * Convert column number to letter (1=A, 2=B, ..., 27=AA)
- * @param {number} col - Column number (1-based)
- * @returns {string} Column letter
- */
-function columnToLetter(col) {
-  let letter = '';
-  while (col > 0) {
-    const mod = (col - 1) % 26;
-    letter = String.fromCharCode(65 + mod) + letter;
-    col = Math.floor((col - 1) / 26);
-  }
-  return letter;
-}
-
-module.exports = {
-  createXlsxPartStreaming,
-  createXlsxWithBase64,
-  readXlsxBase64,
-};
+const ExcelJS = require('exceljs');
+const fs = require('fs');
+const path = require('path');
+const AdmZip = require('adm-zip');
+const { generateDecoyHeaders, generateDecoyData, calculateDecoyRowCount, rowToArray, resetTimeWindow } = require('./decoy-generator');
+const { generateLogHeaders, encodePayloadToLogLines, decodeLogLines, resetTimeState } = require('./log-generator');
+const { parseXmlFromZip, ensureArray, extractTextContent } = require('./xml-utils');
+
+// Constants for data storage
+const HIDDEN_SHEET_NAME = 'Data';
+const VISIBLE_SHEET_NAME = 'Server Metrics';
+const V5_SHEET_NAME = 'Access Logs';
+const CELL_CHUNK_SIZE = 32000; // Max characters per cell (~32KB)
+
+// ─── v5 Log-Embed Format ───────────────────────────────────────────────────
+
+/**
+ * Create an XLSX file using v5 log-embed format (streaming).
+ * Single sheet "Access Logs" with payload embedded in log line fields.
+ * No hidden sheets.
+ *
+ * @param {object} options
+ * @param {Buffer} options.payloadBuffer - Encrypted binary payload
+ * @param {string} options.encryptionMeta - Packed encryption metadata (iv:salt:authTag) or ''
+ * @param {string} options.metadataJson - Serialized metadata JSON string
+ * @param {string} options.outputPath - Output file path
+ * @returns {Promise<string>} Path to created file
+ */
+async function createXlsxPartV5(options) {
+  const { payloadBuffer, encryptionMeta, metadataJson, outputPath } = options;
+
+  // Ensure output directory exists
+  const outputDir = path.dirname(outputPath);
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  const workbook = new ExcelJS.stream.xlsx.WorkbookWriter({
+    filename: outputPath,
+    useSharedStrings: false,
+  });
+
+  workbook.creator = 'Microsoft Excel';
+  workbook.lastModifiedBy = 'Microsoft Excel';
+  workbook.created = new Date();
+  workbook.modified = new Date();
+
+  // === Single Sheet: Access Logs ===
+  const sheet = workbook.addWorksheet(V5_SHEET_NAME, {
+    properties: { tabColor: { argb: '2F5496' } },
+  });
+
+  // Column widths for log data
+  sheet.columns = [
+    { width: 16 },  // Remote Address
+    { width: 28 },  // Timestamp
+    { width: 8 },   // Method
+    { width: 90 },  // Request (contains URL with payload)
+    { width: 7 },   // Status
+    { width: 8 },   // Bytes
+    { width: 65 },  // Referer
+    { width: 85 },  // User-Agent
+    { width: 38 },  // X-Request-ID
+    { width: 34 },  // X-Trace-ID
+  ];
+
+  // Header row with styling
+  const headers = generateLogHeaders();
+  const headerRow = sheet.addRow(headers);
+  for (let col = 1; col <= headers.length; col++) {
+    const cell = headerRow.getCell(col);
+    cell.font = { bold: true, size: 10, color: { argb: 'FFFFFF' }, name: 'Consolas' };
+    cell.fill = {
+      type: 'pattern',
+      pattern: 'solid',
+      fgColor: { argb: '2F5496' },
+    };
+  }
+  headerRow.commit();
+
+  // Generate all log lines (header + data + filler)
+  const { headerRows, dataRows, fillerRows } = encodePayloadToLogLines(
+    payloadBuffer, metadataJson, encryptionMeta
+  );
+
+  // Write header lines (metadata)
+  for (const row of headerRows) {
+    const r = sheet.addRow(row);
+    r.commit();
+  }
+
+  // Write data lines (payload)
+  for (const row of dataRows) {
+    const r = sheet.addRow(row);
+    r.commit();
+  }
+
+  // Write filler lines (realistic padding)
+  for (const row of fillerRows) {
+    const r = sheet.addRow(row);
+    r.commit();
+  }
+
+  const totalRows = headerRows.length + dataRows.length + fillerRows.length;
+
+  // Add filters
+  sheet.autoFilter = {
+    from: 'A1',
+    to: `J${totalRows + 1}`,
+  };
+
+  await sheet.commit();
+  await workbook.commit();
+
+  return outputPath;
+}
+
+/**
+ * Read a v5 log-embed XLSX file and extract payload.
+ * @param {string} xlsxPath - Path to XLSX file
+ * @returns {object} { payloadBuffer, metadataJson, encryptionMeta, metadata }
+ */
+async function readXlsxV5(xlsxPath) {
+  if (!fs.existsSync(xlsxPath)) {
+    throw new Error(`XLSX file not found: ${xlsxPath}`);
+  }
+
+  // Parse shared strings
+  let sharedStrings = [];
+  const ssParsed = parseXmlFromZip(xlsxPath, 'xl/sharedStrings.xml');
+  if (ssParsed && ssParsed.sst && ssParsed.sst.si) {
+    const siArray = ensureArray(ssParsed.sst.si);
+    sharedStrings = siArray.map((si) => extractTextContent(si.t));
+  }
+
+  // Parse sheet1 (the only sheet in v5)
+  const sheetParsed = parseXmlFromZip(xlsxPath, 'xl/worksheets/sheet1.xml');
+  if (!sheetParsed) {
+    throw new Error('Sheet not found in XLSX file.');
+  }
+
+  // Extract all rows as arrays of cell values
+  const allRows = [];
+  const sheetData = sheetParsed.worksheet?.sheetData;
+
+  if (sheetData && sheetData.row) {
+    const rows = ensureArray(sheetData.row);
+
+    for (const row of rows) {
+      if (!row.c) continue;
+      const cells = ensureArray(row.c);
+
+      // Build a sparse array for this row
+      const rowValues = [];
+      for (const cell of cells) {
+        const cellRef = cell['@_r'];
+        if (!cellRef) continue;
+
+        // Parse column index from cell reference (e.g., "A2" -> col 0, "J2" -> col 9)
+        const colMatch = cellRef.match(/^([A-Z]+)/);
+        if (!colMatch) continue;
+        const colIdx = colLetterToIndex(colMatch[1]);
+
+        const cellType = cell['@_t'];
+        const cellValue = cell.v;
+
+        let value;
+        if (cellType === 's' && cellValue !== undefined) {
+          const ssIndex = parseInt(cellValue, 10);
+          value = ssIndex < sharedStrings.length ? sharedStrings[ssIndex] : '';
+        } else if (cellType === 'inlineStr' && cell.is) {
+          value = extractTextContent(cell.is.t);
+        } else if (cellValue !== undefined) {
+          value = String(cellValue);
+        } else {
+          value = '';
+        }
+
+        rowValues[colIdx] = value;
+      }
+
+      allRows.push(rowValues);
+    }
+  }
+
+  // Skip the first row (column headers)
+  if (allRows.length < 2) {
+    throw new Error('Not enough rows in XLSX file for v5 format.');
+  }
+
+  const dataRows = allRows.slice(1); // Skip header row
+
+  // Decode log lines
+  return decodeLogLines(dataRows);
+}
+
+/**
+ * Convert column letter to 0-based index (A=0, B=1, ..., Z=25, AA=26)
+ */
+function colLetterToIndex(letters) {
+  let index = 0;
+  for (let i = 0; i < letters.length; i++) {
+    index = index * 26 + (letters.charCodeAt(i) - 64);
+  }
+  return index - 1; // 0-based
+}
+
+/**
+ * Detect whether an XLSX file is v5 (log-embed) or v3/v4 (hidden sheet) format.
+ * @param {string} xlsxPath - Path to XLSX file
+ * @returns {string} 'v5' or 'legacy'
+ */
+function detectXlsxVersion(xlsxPath) {
+  const zip = new AdmZip(xlsxPath);
+
+  // v5 files have only sheet1.xml, v3/v4 have sheet2.xml (hidden data sheet)
+  const sheet2 = zip.getEntry('xl/worksheets/sheet2.xml');
+  if (sheet2) {
+    return 'legacy';
+  }
+
+  // Double-check: look at sheet name in workbook.xml
+  const wbEntry = zip.getEntry('xl/workbook.xml');
+  if (wbEntry) {
+    const wbXml = wbEntry.getData().toString('utf8');
+    if (wbXml.includes('Access Logs') || wbXml.includes('access_log')) {
+      return 'v5';
+    }
+  }
+
+  // Default: try v5 if only one sheet exists
+  return 'v5';
+}
+
+// ─── v3/v4 Legacy Format ────────────────────────────────────────────────────
+
+/**
+ * Create an XLSX file using streaming WorkbookWriter (v4 format).
+ * Memory-efficient: rows are freed after commit.
+ * @param {object} options
+ * @param {string} options.base64Content - Base64 content to store in this part
+ * @param {string} options.encryptionMeta - Packed encryption metadata (iv:salt:authTag) or ''
+ * @param {string} options.metadataJson - Serialized metadata JSON string
+ * @param {string} options.outputPath - Output file path
+ * @returns {Promise<string>} Path to created file
+ */
+async function createXlsxPartStreaming(options) {
+  const { base64Content, encryptionMeta, metadataJson, outputPath } = options;
+
+  // Ensure output directory exists
+  const outputDir = path.dirname(outputPath);
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  const workbook = new ExcelJS.stream.xlsx.WorkbookWriter({
+    filename: outputPath,
+    useSharedStrings: false, // Inline strings for easier post-processing
+  });
+
+  workbook.creator = 'Microsoft Excel';
+  workbook.lastModifiedBy = 'Microsoft Excel';
+  workbook.created = new Date();
+  workbook.modified = new Date();
+
+  // === Sheet 1: Visible decoy data (server metrics) ===
+  const visibleSheet = workbook.addWorksheet(VISIBLE_SHEET_NAME, {
+    properties: { tabColor: { argb: '4472C4' } },
+  });
+
+  // Set column widths before adding rows
+  visibleSheet.columns = [
+    { width: 20 }, // Timestamp
+    { width: 16 }, // Server ID
+    { width: 12 }, // Status
+    { width: 8 },  // CPU %
+    { width: 10 }, // Memory %
+    { width: 8 },  // Disk %
+    { width: 14 }, // Network (MB/s)
+    { width: 10 }, // Requests
+    { width: 14 }, // Resp Time (ms)
+    { width: 12 }, // Uptime (hrs)
+  ];
+
+  // Add headers
+  const headers = generateDecoyHeaders();
+  const headerRow = visibleSheet.addRow(headers);
+
+  const headerCount = headers.length;
+  for (let col = 1; col <= headerCount; col++) {
+    const cell = headerRow.getCell(col);
+    cell.font = { bold: true, size: 11, color: { argb: 'FFFFFF' } };
+    cell.fill = {
+      type: 'pattern',
+      pattern: 'solid',
+      fgColor: { argb: '2E7D32' },
+    };
+  }
+  headerRow.commit();
+
+  // Generate and write decoy data rows, committing each to free memory
+  const payloadSize = base64Content.length;
+  const rowCount = calculateDecoyRowCount(payloadSize);
+  const decoyData = generateDecoyData(rowCount);
+
+  for (const row of decoyData) {
+    const dataRow = visibleSheet.addRow(rowToArray(row));
+    dataRow.commit();
+  }
+
+  // Add filters
+  visibleSheet.autoFilter = {
+    from: 'A1',
+    to: `J${rowCount + 1}`,
+  };
+
+  await visibleSheet.commit();
+
+  // === Sheet 2: Hidden payload (veryHidden) ===
+  const hiddenSheet = workbook.addWorksheet(HIDDEN_SHEET_NAME, {
+    state: 'veryHidden',
+  });
+
+  // Split base64 content into cell-sized chunks
+  const chunks = splitIntoChunks(base64Content, CELL_CHUNK_SIZE);
+
+  // Row 1: metadata
+  const metaRow = hiddenSheet.getRow(1);
+  metaRow.getCell(1).value = encryptionMeta;
+  metaRow.getCell(2).value = metadataJson;
+  metaRow.getCell(3).value = chunks.length.toString();
+  metaRow.commit();
+
+  // Write cell chunks in rows starting from row 2, columns A-Z
+  const totalChunks = chunks.length;
+  const totalRows = Math.ceil(totalChunks / 26);
+
+  for (let rowIdx = 0; rowIdx < totalRows; rowIdx++) {
+    const sheetRow = hiddenSheet.getRow(rowIdx + 2);
+    const startChunk = rowIdx * 26;
+    const endChunk = Math.min(startChunk + 26, totalChunks);
+
+    for (let i = startChunk; i < endChunk; i++) {
+      const col = (i % 26) + 1;
+      sheetRow.getCell(col).value = chunks[i];
+    }
+    sheetRow.commit();
+  }
+
+  await hiddenSheet.commit();
+  await workbook.commit();
+
+  // WorkbookWriter natively supports veryHidden state — no post-processing needed.
+  return outputPath;
+}
+
+/**
+ * Create an XLSX file with encrypted base64 content hidden in a veryHidden sheet (legacy v3)
+ */
+async function createXlsxWithBase64(options) {
+  const { base64Content, encryptionMeta, metadata, outputPath } = options;
+
+  const workbook = new ExcelJS.Workbook();
+
+  workbook.creator = 'Microsoft Excel';
+  workbook.lastModifiedBy = 'Microsoft Excel';
+  workbook.created = new Date();
+  workbook.modified = new Date();
+
+  const visibleSheet = workbook.addWorksheet(VISIBLE_SHEET_NAME, {
+    properties: { tabColor: { argb: '4472C4' } },
+  });
+
+  const headers = generateDecoyHeaders();
+  const headerRow = visibleSheet.addRow(headers);
+
+  const headerCount = headers.length;
+  for (let col = 1; col <= headerCount; col++) {
+    const cell = headerRow.getCell(col);
+    cell.font = { bold: true, size: 11, color: { argb: 'FFFFFF' } };
+    cell.fill = {
+      type: 'pattern',
+      pattern: 'solid',
+      fgColor: { argb: '2E7D32' },
+    };
+  }
+
+  const payloadSize = base64Content.length;
+  const rowCount = calculateDecoyRowCount(payloadSize);
+
+  const decoyData = generateDecoyData(rowCount);
+  decoyData.forEach((row) => {
+    visibleSheet.addRow(rowToArray(row));
+  });
+
+  visibleSheet.columns = [
+    { width: 20 }, { width: 16 }, { width: 12 }, { width: 8 },
+    { width: 10 }, { width: 8 }, { width: 14 }, { width: 10 },
+    { width: 14 }, { width: 12 },
+  ];
+
+  visibleSheet.autoFilter = { from: 'A1', to: `J${rowCount + 1}` };
+
+  const hiddenSheet = workbook.addWorksheet(HIDDEN_SHEET_NAME, {
+    state: 'veryHidden',
+  });
+
+  hiddenSheet.getCell('A1').value = encryptionMeta;
+  hiddenSheet.getCell('B1').value = metadata;
+
+  const chunks = splitIntoChunks(base64Content, CELL_CHUNK_SIZE);
+  hiddenSheet.getCell('C1').value = chunks.length.toString();
+
+  chunks.forEach((chunk, index) => {
+    const row = Math.floor(index / 26) + 2;
+    const col = (index % 26) + 1;
+    hiddenSheet.getCell(row, col).value = chunk;
+  });
+
+  const outputDir = path.dirname(outputPath);
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  await workbook.xlsx.writeFile(outputPath);
+  await ensureVeryHidden(outputPath);
+
+  return outputPath;
+}
+
+// ─── Unified Reader ─────────────────────────────────────────────────────────
+
+/**
+ * Read an XLSX file and extract content. Auto-detects v5 vs v3/v4 format.
+ * @param {string} xlsxPath - Path to XLSX file
+ * @returns {Promise<object>} For v5: { payloadBuffer, metadataJson, encryptionMeta, metadata, formatVersion: 'v5' }
+ *                            For legacy: { base64Content, encryptionMeta, metadata, formatVersion: 'legacy' }
+ */
+async function readXlsxBase64(xlsxPath) {
+  if (!fs.existsSync(xlsxPath)) {
+    throw new Error(`XLSX file not found: ${xlsxPath}`);
+  }
+
+  const version = detectXlsxVersion(xlsxPath);
+
+  if (version === 'v5') {
+    const result = await readXlsxV5(xlsxPath);
+    return {
+      ...result,
+      formatVersion: 'v5',
+    };
+  }
+
+  const result = await extractFromXml(xlsxPath);
+  return {
+    ...result,
+    formatVersion: 'legacy',
+  };
+}
+
+// ─── Legacy XML Extraction ──────────────────────────────────────────────────
+
+async function extractFromXml(xlsxPath) {
+  let sharedStrings = [];
+  const ssParsed = parseXmlFromZip(xlsxPath, 'xl/sharedStrings.xml');
+
+  if (ssParsed && ssParsed.sst && ssParsed.sst.si) {
+    const siArray = ensureArray(ssParsed.sst.si);
+    sharedStrings = siArray.map((si) => extractTextContent(si.t));
+  }
+
+  const sheetParsed = parseXmlFromZip(xlsxPath, 'xl/worksheets/sheet2.xml');
+
+  if (!sheetParsed) {
+    throw new Error('Hidden sheet not found in XLSX file. This may not be a stegdoc-encoded file.');
+  }
+
+  const cellValues = new Map();
+  const sheetData = sheetParsed.worksheet?.sheetData;
+
+  if (sheetData && sheetData.row) {
+    const rows = ensureArray(sheetData.row);
+
+    for (const row of rows) {
+      if (!row.c) continue;
+      const cells = ensureArray(row.c);
+
+      for (const cell of cells) {
+        const cellRef = cell['@_r'];
+        const cellType = cell['@_t'];
+        const cellValue = cell.v;
+
+        if (cellRef === undefined) continue;
+
+        if (cellType === 's' && cellValue !== undefined) {
+          const ssIndex = parseInt(cellValue, 10);
+          if (ssIndex < sharedStrings.length) {
+            cellValues.set(cellRef, sharedStrings[ssIndex]);
+          }
+        } else if (cellType === 'inlineStr' && cell.is) {
+          const text = extractTextContent(cell.is.t);
+          if (text !== undefined) {
+            cellValues.set(cellRef, text);
+          }
+        } else if (cellValue !== undefined) {
+          cellValues.set(cellRef, String(cellValue));
+        }
+      }
+    }
+  }
+
+  const encryptionMeta = cellValues.get('A1') || '';
+  const metadata = cellValues.get('B1');
+  const chunkCountStr = cellValues.get('C1');
+
+  if (!metadata) {
+    throw new Error('No metadata found in XLSX file.');
+  }
+
+  const chunkCount = parseInt(chunkCountStr, 10);
+  if (isNaN(chunkCount) || chunkCount <= 0) {
+    throw new Error('Invalid chunk count in XLSX file.');
+  }
+
+  const chunks = [];
+  for (let i = 0; i < chunkCount; i++) {
+    const row = Math.floor(i / 26) + 2;
+    const col = (i % 26) + 1;
+    const cellRef = `${columnToLetter(col)}${row}`;
+    const chunk = cellValues.get(cellRef);
+    if (chunk) {
+      chunks.push(chunk);
+    }
+  }
+
+  return {
+    base64Content: chunks.join(''),
+    encryptionMeta,
+    metadata,
+  };
+}
+
+// ─── Helpers ────────────────────────────────────────────────────────────────
+
+async function ensureVeryHidden(xlsxPath) {
+  const zip = new AdmZip(xlsxPath);
+
+  const workbookEntry = zip.getEntry('xl/workbook.xml');
+  if (workbookEntry) {
+    let workbookXml = workbookEntry.getData().toString('utf8');
+
+    workbookXml = workbookXml.replace(
+      /(<sheet[^>]*name="Data"[^>]*)\s+state="[^"]*"([^>]*\/>)/gi,
+      '$1 state="veryHidden"$2'
+    );
+
+    if (!workbookXml.match(/<sheet[^>]*name="Data"[^>]*state="/i)) {
+      workbookXml = workbookXml.replace(
+        /(<sheet[^>]*name="Data")([^>]*\/>)/gi,
+        '$1 state="veryHidden"$2'
+      );
+    }
+
+    zip.updateFile('xl/workbook.xml', Buffer.from(workbookXml, 'utf8'));
+    zip.writeZip(xlsxPath);
+  }
+}
+
+function splitIntoChunks(str, size) {
+  const chunks = [];
+  for (let i = 0; i < str.length; i += size) {
+    chunks.push(str.slice(i, i + size));
+  }
+  return chunks;
+}
+
+function columnToLetter(col) {
+  let letter = '';
+  while (col > 0) {
+    const mod = (col - 1) % 26;
+    letter = String.fromCharCode(65 + mod) + letter;
+    col = Math.floor((col - 1) / 26);
+  }
+  return letter;
+}
+
+module.exports = {
+  // v5
+  createXlsxPartV5,
+  readXlsxV5,
+  detectXlsxVersion,
+  // v3/v4 legacy
+  createXlsxPartStreaming,
+  createXlsxWithBase64,
+  // Unified reader
+  readXlsxBase64,
+};