npm - vaultkeeper - Versions diffs - 0.4.0 → 0.5.1 - Mend

vaultkeeper 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs +1150 -51
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +131 -11
package/dist/index.d.ts +131 -11
package/dist/index.js +1147 -49
package/dist/index.js.map +1 -1
package/dist/one-password-worker.js +104 -0
package/dist/one-password-worker.js.map +1 -0
package/package.json +3 -1

package/dist/index.cjs CHANGED Viewed

@@ -1,13 +1,15 @@
 'use strict';
-var child_process = require('child_process');
-var fs5 = require('fs/promises');
-var path5 = require('path');
+var fs = require('fs/promises');
+var path3 = require('path');
 var os4 = require('os');
-var crypto4 = require('crypto');
+var crypto = require('crypto');
+var child_process = require('child_process');
+var url = require('url');
 var fs4 = require('fs');
 var jose = require('jose');
+var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
   var n = Object.create(null);
@@ -26,10 +28,10 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
-var fs5__namespace = /*#__PURE__*/_interopNamespace(fs5);
-var path5__namespace = /*#__PURE__*/_interopNamespace(path5);
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var path3__namespace = /*#__PURE__*/_interopNamespace(path3);
 var os4__namespace = /*#__PURE__*/_interopNamespace(os4);
-var crypto4__namespace = /*#__PURE__*/_interopNamespace(crypto4);
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var fs4__namespace = /*#__PURE__*/_interopNamespace(fs4);
 // src/errors.ts
@@ -162,6 +164,22 @@ var IdentityMismatchError = class extends VaultError {
     this.currentHash = currentHash;
   }
 };
+var InvalidAlgorithmError = class extends VaultError {
+  /**
+   * The algorithm that was requested.
+   */
+  algorithm;
+  /**
+   * The set of algorithms that are allowed.
+   */
+  allowed;
+  constructor(message, algorithm, allowed) {
+    super(message);
+    this.name = "InvalidAlgorithmError";
+    this.algorithm = algorithm;
+    this.allowed = allowed;
+  }
+};
 var SetupError = class extends VaultError {
   /**
    * The name of the dependency that caused the setup failure.
@@ -197,14 +215,10 @@ var RotationInProgressError = class extends VaultError {
   }
 };
-// src/backend/types.ts
-function isListableBackend(backend) {
-  return "list" in backend && typeof backend.list === "function";
-}
 // src/backend/registry.ts
 var BackendRegistry = class {
   static backends = /* @__PURE__ */ new Map();
+  static setups = /* @__PURE__ */ new Map();
   /**
    * Register a backend factory.
    * @param type - Backend type identifier
@@ -216,10 +230,11 @@ var BackendRegistry = class {
   /**
    * Create a backend instance by type.
    * @param type - Backend type identifier
+   * @param config - Optional backend configuration forwarded to the factory
    * @returns A SecretBackend instance
-   * @throws Error if the backend type is not registered
+   * @throws {@link BackendUnavailableError} if the backend type is not registered
    */
-  static create(type) {
+  static create(type, config) {
     const factory = this.backends.get(type);
     if (factory === void 0) {
       throw new BackendUnavailableError(
@@ -228,7 +243,7 @@ var BackendRegistry = class {
         Array.from(this.backends.keys())
       );
     }
-    return factory();
+    return factory(config);
   }
   /**
    * Get all registered backend type identifiers.
@@ -264,18 +279,199 @@ var BackendRegistry = class {
     );
     return results.filter((type) => type !== null);
   }
+  /**
+   * Register a setup factory for a backend type.
+   * @param type - Backend type identifier
+   * @param factory - Factory function that creates a setup generator
+   */
+  static registerSetup(type, factory) {
+    this.setups.set(type, factory);
+  }
+  /**
+   * Get the setup factory for a backend type, if one is registered.
+   * @param type - Backend type identifier
+   * @returns The setup factory, or `undefined` if none is registered
+   */
+  static getSetup(type) {
+    return this.setups.get(type);
+  }
+  /**
+   * Check whether a setup factory is registered for the given backend type.
+   * @param type - Backend type identifier
+   * @returns `true` if a setup factory is registered
+   */
+  static hasSetup(type) {
+    return this.setups.has(type);
+  }
+  /**
+   * Clear all registered backend factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearBackends() {
+    this.backends.clear();
+  }
+  /**
+   * Clear all registered setup factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearSetups() {
+    this.setups.clear();
+  }
+};
+var STORAGE_DIR_NAME = path3__namespace.join(".vaultkeeper", "file");
+var KEY_FILE = ".key";
+var GCM_IV_BYTES = 12;
+var GCM_KEY_BYTES = 32;
+var GCM_TAG_LENGTH = 128;
+function getStorageDir() {
+  return path3__namespace.join(os4__namespace.homedir(), STORAGE_DIR_NAME);
+}
+function getEntryPath(storageDir, id) {
+  const safeId = Buffer.from(id, "utf8").toString("hex");
+  return path3__namespace.join(storageDir, `${safeId}.enc`);
+}
+async function ensureStorageDir(storageDir) {
+  try {
+    await fs__namespace.mkdir(storageDir, { recursive: true, mode: 448 });
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code !== "EEXIST") {
+      throw new FilesystemError(
+        `Failed to create storage directory: ${storageDir}`,
+        storageDir,
+        "rwx"
+      );
+    }
+  }
+}
+async function getOrCreateKey(storageDir) {
+  const keyPath = path3__namespace.join(storageDir, KEY_FILE);
+  try {
+    const data = await fs__namespace.readFile(keyPath);
+    return data;
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      const key = crypto__namespace.randomBytes(GCM_KEY_BYTES);
+      await fs__namespace.writeFile(keyPath, key, { mode: 384 });
+      return key;
+    }
+    throw err;
+  }
+}
+function encryptGcm(key, plaintext) {
+  const iv = crypto__namespace.randomBytes(GCM_IV_BYTES);
+  const cipher = crypto__namespace.createCipheriv("aes-256-gcm", key, iv, {
+    authTagLength: GCM_TAG_LENGTH / 8
+  });
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return [iv.toString("base64"), authTag.toString("base64"), encrypted.toString("base64")].join(":");
+}
+function decryptGcm(key, encoded) {
+  const parts = encoded.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted file format: expected iv:authTag:ciphertext");
+  }
+  const [ivB64, authTagB64, ciphertextB64] = parts;
+  if (ivB64 === void 0 || authTagB64 === void 0 || ciphertextB64 === void 0) {
+    throw new Error("Invalid encrypted file format: missing part");
+  }
+  const iv = Buffer.from(ivB64, "base64");
+  const authTag = Buffer.from(authTagB64, "base64");
+  const ciphertext = Buffer.from(ciphertextB64, "base64");
+  const decipher = crypto__namespace.createDecipheriv("aes-256-gcm", key, iv, {
+    authTagLength: GCM_TAG_LENGTH / 8
+  });
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return decrypted.toString("utf8");
+}
+var FileBackend = class {
+  type = "file";
+  displayName = "Encrypted File Store";
+  async isAvailable() {
+    try {
+      const storageDir = getStorageDir();
+      await ensureStorageDir(storageDir);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async store(id, secret) {
+    const storageDir = getStorageDir();
+    await ensureStorageDir(storageDir);
+    const key = await getOrCreateKey(storageDir);
+    const entryPath = getEntryPath(storageDir, id);
+    const encrypted = encryptGcm(key, secret);
+    await fs__namespace.writeFile(entryPath, encrypted, { mode: 384 });
+  }
+  async retrieve(id) {
+    const storageDir = getStorageDir();
+    const entryPath = getEntryPath(storageDir, id);
+    let encoded;
+    try {
+      encoded = await fs__namespace.readFile(entryPath, "utf8");
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        throw new SecretNotFoundError(`Secret not found in file store: ${id}`);
+      }
+      throw err;
+    }
+    const key = await getOrCreateKey(storageDir);
+    try {
+      return decryptGcm(key, encoded);
+    } catch (err) {
+      throw new Error(
+        `Failed to decrypt secret: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  async delete(id) {
+    const storageDir = getStorageDir();
+    const entryPath = getEntryPath(storageDir, id);
+    try {
+      await fs__namespace.unlink(entryPath);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        throw new SecretNotFoundError(`Secret not found in file store: ${id}`);
+      }
+      throw err;
+    }
+  }
+  async exists(id) {
+    const storageDir = getStorageDir();
+    const entryPath = getEntryPath(storageDir, id);
+    try {
+      await fs__namespace.access(entryPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async list() {
+    const storageDir = getStorageDir();
+    let entries;
+    try {
+      entries = await fs__namespace.readdir(storageDir);
+    } catch {
+      return [];
+    }
+    return entries.filter((f) => f.endsWith(".enc")).map((f) => Buffer.from(f.slice(0, -4), "hex").toString("utf8"));
+  }
 };
 async function execCommand(command, args, options) {
-  const result = await execCommandFull(command, args);
+  const result = await execCommandFull(command, args, options);
   if (result.exitCode !== 0) {
     throw new Error(`Command failed with exit code ${String(result.exitCode)}: ${result.stderr}`);
   }
   return result.stdout.trim();
 }
 function execCommandFull(command, args, options) {
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const proc = child_process.spawn(command, args, {
-      stdio: ["ignore", "pipe", "pipe"]
+      stdio: [options?.stdin !== void 0 ? "pipe" : "ignore", "pipe", "pipe"]
     });
     let stdout = "";
     let stderr = "";
@@ -285,25 +481,887 @@ function execCommandFull(command, args, options) {
     proc.stderr?.on("data", (data) => {
       stderr += data.toString();
     });
+    if (options?.stdin !== void 0 && proc.stdin) {
+      proc.stdin.write(options.stdin);
+      proc.stdin.end();
+    }
+    if (options?.timeoutMs !== void 0) {
+      setTimeout(() => {
+        proc.kill("SIGTERM");
+        reject(new Error(`Command timed out after ${String(options.timeoutMs)}ms`));
+      }, options.timeoutMs);
+    }
     proc.on("close", (code) => {
-      resolve({ stdout, stderr, exitCode: code ?? 1 });
+      resolve2({ stdout, stderr, exitCode: code ?? 1 });
     });
     proc.on("error", (error) => {
       reject(error);
     });
   });
 }
-path5__namespace.join(".vaultkeeper", "file");
-path5__namespace.join(".vaultkeeper", "yubikey");
+// src/backend/keychain-backend.ts
+var ACCOUNT = "vaultkeeper";
+var SERVICE_PREFIX = "vaultkeeper:";
+var KeychainBackend = class {
+  type = "keychain";
+  displayName = "macOS Keychain";
+  async isAvailable() {
+    if (process.platform !== "darwin") {
+      return false;
+    }
+    try {
+      const result = await execCommandFull("security", ["version"]);
+      return result.exitCode === 0;
+    } catch {
+      return false;
+    }
+  }
+  async store(id, secret) {
+    const service = `${SERVICE_PREFIX}${id}`;
+    const encoded = Buffer.from(secret, "utf8").toString("base64");
+    await execCommandFull("security", [
+      "delete-generic-password",
+      "-a",
+      ACCOUNT,
+      "-s",
+      service
+    ]);
+    await execCommand("security", [
+      "add-generic-password",
+      "-a",
+      ACCOUNT,
+      "-s",
+      service,
+      "-w",
+      encoded
+    ]);
+  }
+  async retrieve(id) {
+    const service = `${SERVICE_PREFIX}${id}`;
+    const result = await execCommandFull("security", [
+      "find-generic-password",
+      "-a",
+      ACCOUNT,
+      "-s",
+      service,
+      "-w"
+    ]);
+    if (result.exitCode !== 0) {
+      throw new SecretNotFoundError(`Secret not found in macOS Keychain: ${id}`);
+    }
+    const encoded = result.stdout.trim();
+    return Buffer.from(encoded, "base64").toString("utf8");
+  }
+  async delete(id) {
+    const service = `${SERVICE_PREFIX}${id}`;
+    const result = await execCommandFull("security", [
+      "delete-generic-password",
+      "-a",
+      ACCOUNT,
+      "-s",
+      service
+    ]);
+    if (result.exitCode !== 0) {
+      throw new SecretNotFoundError(`Secret not found in macOS Keychain: ${id}`);
+    }
+  }
+  async exists(id) {
+    const service = `${SERVICE_PREFIX}${id}`;
+    const result = await execCommandFull("security", [
+      "find-generic-password",
+      "-a",
+      ACCOUNT,
+      "-s",
+      service
+    ]);
+    return result.exitCode === 0;
+  }
+  async list() {
+    const result = await execCommandFull("security", [
+      "dump-keychain"
+    ]);
+    if (result.exitCode !== 0) {
+      return [];
+    }
+    const ids = [];
+    const servicePattern = /0x00000007 <blob>="vaultkeeper:([^"]+)"/g;
+    let match = servicePattern.exec(result.stdout);
+    while (match !== null) {
+      const id = match[1];
+      if (id !== void 0) {
+        ids.push(id);
+      }
+      match = servicePattern.exec(result.stdout);
+    }
+    return ids;
+  }
+};
+function getStoragePath() {
+  return path3__namespace.join(os4__namespace.homedir(), ".vaultkeeper", "dpapi");
+}
+function getEntryPath2(storageDir, id) {
+  const safeId = Buffer.from(id, "utf8").toString("hex");
+  return path3__namespace.join(storageDir, `${safeId}.enc`);
+}
+var DpapiBackend = class {
+  type = "dpapi";
+  displayName = "Windows DPAPI";
+  async isAvailable() {
+    if (process.platform !== "win32") {
+      return false;
+    }
+    try {
+      const result = await execCommandFull("powershell", [
+        "-NoProfile",
+        "-Command",
+        "[System.Security.Cryptography.ProtectedData] | Out-Null; exit 0"
+      ]);
+      return result.exitCode === 0;
+    } catch {
+      return false;
+    }
+  }
+  async store(id, secret) {
+    const storageDir = getStoragePath();
+    await fs__namespace.mkdir(storageDir, { recursive: true });
+    const entryPath = getEntryPath2(storageDir, id);
+    const script = [
+      "Add-Type -AssemblyName System.Security",
+      `$bytes = [System.Text.Encoding]::UTF8.GetBytes(${JSON.stringify(secret)})`,
+      "$entropy = $null",
+      "$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser",
+      "$encrypted = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $entropy, $scope)",
+      `[System.IO.File]::WriteAllBytes(${JSON.stringify(entryPath)}, $encrypted)`
+    ].join("; ");
+    await execCommand("powershell", ["-NoProfile", "-Command", script]);
+  }
+  async retrieve(id) {
+    const storageDir = getStoragePath();
+    const entryPath = getEntryPath2(storageDir, id);
+    try {
+      await fs__namespace.access(entryPath);
+    } catch {
+      throw new SecretNotFoundError(`Secret not found in Windows DPAPI store: ${id}`);
+    }
+    const script = [
+      "Add-Type -AssemblyName System.Security",
+      `$encrypted = [System.IO.File]::ReadAllBytes(${JSON.stringify(entryPath)})`,
+      "$entropy = $null",
+      "$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser",
+      "$bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($encrypted, $entropy, $scope)",
+      "Write-Output ([System.Text.Encoding]::UTF8.GetString($bytes))"
+    ].join("; ");
+    return execCommand("powershell", ["-NoProfile", "-Command", script]);
+  }
+  async delete(id) {
+    const storageDir = getStoragePath();
+    const entryPath = getEntryPath2(storageDir, id);
+    try {
+      await fs__namespace.unlink(entryPath);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        throw new SecretNotFoundError(`Secret not found in Windows DPAPI store: ${id}`);
+      }
+      throw err;
+    }
+  }
+  async exists(id) {
+    const storageDir = getStoragePath();
+    const entryPath = getEntryPath2(storageDir, id);
+    try {
+      await fs__namespace.access(entryPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async list() {
+    const storageDir = getStoragePath();
+    let entries;
+    try {
+      entries = await fs__namespace.readdir(storageDir);
+    } catch {
+      return [];
+    }
+    return entries.filter((f) => f.endsWith(".enc")).map((f) => Buffer.from(f.slice(0, -4), "hex").toString("utf8"));
+  }
+};
+// src/backend/secret-tool-backend.ts
+var ATTRIBUTE_KEY = "vaultkeeper-id";
+var LABEL_PREFIX = "vaultkeeper: ";
+var SecretToolBackend = class {
+  type = "secret-tool";
+  displayName = "Linux Secret Service (secret-tool)";
+  async isAvailable() {
+    if (process.platform !== "linux") {
+      return false;
+    }
+    try {
+      const result = await execCommandFull("secret-tool", ["--version"]);
+      return result.exitCode === 0;
+    } catch {
+      return false;
+    }
+  }
+  async store(id, secret) {
+    const label = `${LABEL_PREFIX}${id}`;
+    await execCommand(
+      "secret-tool",
+      ["store", "--label", label, ATTRIBUTE_KEY, id],
+      { stdin: secret }
+    );
+  }
+  async retrieve(id) {
+    const result = await execCommandFull("secret-tool", ["lookup", ATTRIBUTE_KEY, id]);
+    if (result.exitCode !== 0 || result.stdout.trim() === "") {
+      throw new SecretNotFoundError(`Secret not found in Secret Service: ${id}`);
+    }
+    return result.stdout.trim();
+  }
+  async delete(id) {
+    const result = await execCommandFull("secret-tool", ["clear", ATTRIBUTE_KEY, id]);
+    if (result.exitCode !== 0) {
+      throw new SecretNotFoundError(`Secret not found in Secret Service: ${id}`);
+    }
+  }
+  async exists(id) {
+    const result = await execCommandFull("secret-tool", ["lookup", ATTRIBUTE_KEY, id]);
+    return result.exitCode === 0 && result.stdout.trim() !== "";
+  }
+  async list() {
+    const result = await execCommandFull("secret-tool", [
+      "search",
+      ATTRIBUTE_KEY,
+      ""
+    ]);
+    if (result.exitCode !== 0) {
+      return [];
+    }
+    const ids = [];
+    const attrPattern = new RegExp(`attribute\\.${ATTRIBUTE_KEY} = (.+)`, "g");
+    let match = attrPattern.exec(result.stdout);
+    while (match !== null) {
+      const id = match[1];
+      if (id !== void 0) {
+        ids.push(id);
+      }
+      match = attrPattern.exec(result.stdout);
+    }
+    return ids;
+  }
+};
+var INTEGRATION_NAME = "vaultkeeper";
+var cachedVersion;
+function getIntegrationVersion() {
+  if (cachedVersion !== void 0) return cachedVersion;
+  const dir = path3.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href))));
+  const candidates = [
+    path3.resolve(dir, "..", "..", "package.json"),
+    path3.resolve(dir, "..", "package.json")
+  ];
+  for (const candidate of candidates) {
+    if (!fs4.existsSync(candidate)) continue;
+    const raw = JSON.parse(fs4.readFileSync(candidate, "utf8"));
+    if (raw !== null && typeof raw === "object" && "version" in raw && typeof raw.version === "string") {
+      cachedVersion = raw.version;
+      return cachedVersion;
+    }
+  }
+  throw new Error(
+    `Could not read version from vaultkeeper package.json. Tried paths: ${candidates.join(", ")}`
+  );
+}
+// src/backend/one-password-backend.ts
+var SDK_INSTALL_URL = "https://developer.1password.com/docs/sdks/";
+var TAG = "vaultkeeper";
+var PASSWORD_FIELD_TITLE = "password";
+var SESSION_TIMEOUT_MS = 3e4;
+function isWorkerSuccess(res) {
+  return "value" in res;
+}
+function isWorkerResponse(value) {
+  if (value === null || typeof value !== "object") return false;
+  if ("value" in value && typeof value.value === "string") return true;
+  if ("error" in value && typeof value.error === "string" && "code" in value && typeof value.code === "string")
+    return true;
+  return false;
+}
+var OnePasswordBackend = class {
+  type = "1password";
+  displayName = "1Password";
+  vaultId;
+  account;
+  serviceAccountToken;
+  accessMode;
+  sessionTimeoutMs;
+  /** In-flight or resolved client promise — prevents duplicate createClient calls. */
+  clientPromise;
+  constructor(options) {
+    if (options.accessMode === "per-access" && options.serviceAccountToken !== void 0) {
+      throw new Error(
+        "per-access mode requires desktop biometric authentication and cannot be used with a service account token"
+      );
+    }
+    if (options.account !== void 0 && options.serviceAccountToken !== void 0) {
+      throw new Error(
+        "account and serviceAccountToken are mutually exclusive \u2014 provide one or the other, not both"
+      );
+    }
+    this.vaultId = options.vault;
+    this.sessionTimeoutMs = options.sessionTimeoutMs ?? SESSION_TIMEOUT_MS;
+    if (options.account !== void 0) {
+      this.account = options.account;
+    }
+    if (options.serviceAccountToken !== void 0) {
+      this.serviceAccountToken = options.serviceAccountToken;
+    }
+    this.accessMode = options.accessMode ?? "session";
+  }
+  async isAvailable() {
+    const sdk = await this.tryLoadSdk();
+    return sdk !== null;
+  }
+  // ---- Session client management ----
+  /**
+   * Dynamically import the SDK. Returns `null` if the SDK is not installed or
+   * the native library cannot be loaded.
+   */
+  async tryLoadSdk() {
+    try {
+      const sdk = await import('@1password/sdk');
+      return sdk;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Acquire (or create) a cached SDK client.
+   * Wraps `createClient` with a configurable timeout (default 30 s) to handle
+   * the known beta SDK hang after session expiry.
+   */
+  acquireClient() {
+    this.clientPromise ??= this.createClientInternal().catch((err) => {
+      this.clientPromise = void 0;
+      throw err;
+    });
+    return this.clientPromise;
+  }
+  async createClientInternal() {
+    const sdk = await this.tryLoadSdk();
+    if (sdk === null) {
+      throw new PluginNotFoundError(
+        "1Password SDK (@1password/sdk) is not available. Install it to use this backend.",
+        "@1password/sdk",
+        SDK_INSTALL_URL
+      );
+    }
+    const auth = this.buildAuth(sdk);
+    let timerId;
+    const timeoutPromise = new Promise((_resolve, reject) => {
+      timerId = setTimeout(() => {
+        reject(new BackendLockedError("1Password session timed out waiting for authentication", true));
+      }, this.sessionTimeoutMs);
+    });
+    try {
+      const client = await Promise.race([
+        sdk.createClient({
+          auth,
+          integrationName: INTEGRATION_NAME,
+          integrationVersion: getIntegrationVersion()
+        }),
+        timeoutPromise
+      ]);
+      return client;
+    } catch (err) {
+      if (err instanceof BackendLockedError) {
+        throw err;
+      }
+      if (err instanceof sdk.DesktopSessionExpiredError) {
+        throw new BackendLockedError(
+          "1Password session has expired. Please unlock the app.",
+          true
+        );
+      }
+      throw new AuthorizationDeniedError(
+        `1Password authentication failed: ${String(err)}`
+      );
+    } finally {
+      if (timerId !== void 0) {
+        clearTimeout(timerId);
+      }
+    }
+  }
+  buildAuth(sdk) {
+    if (this.serviceAccountToken !== void 0) {
+      return this.serviceAccountToken;
+    }
+    const accountName = this.account ?? "";
+    return new sdk.DesktopAuth(accountName);
+  }
+  // ---- Helpers for item lookup by title ----
+  /**
+   * List all items in the vault tagged "vaultkeeper" and find one with the
+   * matching title (= secret ID). Returns `undefined` if not found.
+   */
+  async findItemOverview(client, id) {
+    const overviews = await client.items.list(this.vaultId);
+    for (const overview of overviews) {
+      if (overview.title === id && overview.tags.includes(TAG)) {
+        return overview;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Fetch the full item for a given secret id. Returns `undefined` if not found.
+   */
+  async findItem(client, id) {
+    const overview = await this.findItemOverview(client, id);
+    if (overview === void 0) return void 0;
+    return client.items.get(this.vaultId, overview.id);
+  }
+  /**
+   * Extract the concealed password field value from an item.
+   */
+  extractSecret(item, id) {
+    for (const field of item.fields) {
+      if (field.title === PASSWORD_FIELD_TITLE) {
+        return field.value;
+      }
+    }
+    throw new SecretNotFoundError(
+      `Secret found in 1Password but missing password field: ${id}`
+    );
+  }
+  // ---- SecretBackend / ListableBackend implementation ----
+  async store(id, secret) {
+    const { ItemCategory, ItemFieldType } = await this.requireSdk();
+    const client = await this.acquireClient();
+    const existing = await this.findItem(client, id);
+    if (existing !== void 0) {
+      const hasPasswordField = existing.fields.some((f) => f.title === PASSWORD_FIELD_TITLE);
+      const updatedFields = hasPasswordField ? existing.fields.map((f) => {
+        if (f.title === PASSWORD_FIELD_TITLE) {
+          return { ...f, value: secret };
+        }
+        return f;
+      }) : [
+        ...existing.fields,
+        {
+          id: "password",
+          title: PASSWORD_FIELD_TITLE,
+          fieldType: ItemFieldType.Concealed,
+          value: secret
+        }
+      ];
+      await client.items.put({ ...existing, fields: updatedFields });
+    } else {
+      await client.items.create({
+        category: ItemCategory.Password,
+        vaultId: this.vaultId,
+        title: id,
+        tags: [TAG],
+        fields: [
+          {
+            id: "password",
+            title: PASSWORD_FIELD_TITLE,
+            fieldType: ItemFieldType.Concealed,
+            value: secret
+          }
+        ]
+      });
+    }
+  }
+  async retrieve(id) {
+    if (this.accessMode === "per-access") {
+      return this.retrieveViaWorker(id);
+    }
+    return this.retrieveViaSession(id);
+  }
+  async retrieveViaSession(id) {
+    const client = await this.acquireClient();
+    const item = await this.findItem(client, id);
+    if (item === void 0) {
+      throw new SecretNotFoundError(`Secret not found in 1Password: ${id}`);
+    }
+    return this.extractSecret(item, id);
+  }
+  /**
+   * Spawn the per-access worker script that triggers a fresh biometric prompt
+   * for each retrieval, then returns the secret from its stdout.
+   */
+  retrieveViaWorker(id) {
+    return new Promise((resolve2, reject) => {
+      const workerPath = path3.join(
+        path3.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)))),
+        "one-password-worker.js"
+      );
+      const accountArg = this.account ?? "";
+      const child = child_process.spawn(
+        process.execPath,
+        [workerPath, accountArg, this.vaultId, id],
+        { stdio: ["ignore", "pipe", "pipe"] }
+      );
+      const stdoutChunks = [];
+      const stderrChunks = [];
+      child.stdout.on("data", (chunk) => {
+        stdoutChunks.push(chunk);
+      });
+      child.stderr.on("data", (chunk) => {
+        stderrChunks.push(chunk);
+      });
+      child.on("close", (code) => {
+        const raw = Buffer.concat(stdoutChunks).toString("utf8").trim();
+        if (raw === "") {
+          const stderr = Buffer.concat(stderrChunks).toString("utf8").trim();
+          const detail = stderr !== "" ? stderr : `exit code ${String(code)}`;
+          reject(new Error(`1Password per-access worker crashed for secret ${id}: ${detail}`));
+          return;
+        }
+        let parsed;
+        try {
+          parsed = JSON.parse(raw);
+        } catch {
+          reject(new SecretNotFoundError(`Worker returned unparseable output for secret: ${id}`));
+          return;
+        }
+        if (!isWorkerResponse(parsed)) {
+          reject(new SecretNotFoundError(`Worker returned unexpected response shape for secret: ${id}`));
+          return;
+        }
+        if (isWorkerSuccess(parsed)) {
+          resolve2(parsed.value);
+        } else {
+          switch (parsed.code) {
+            case "NOT_FOUND":
+              reject(new SecretNotFoundError(`Secret not found in 1Password: ${id}`));
+              break;
+            case "AUTH_DENIED":
+              reject(new AuthorizationDeniedError("1Password authentication was denied"));
+              break;
+            case "LOCKED":
+              reject(new BackendLockedError("1Password is locked. Please unlock and retry.", true));
+              break;
+            default:
+              reject(new SecretNotFoundError(`Worker failed for secret ${id}: ${parsed.error}`));
+          }
+        }
+      });
+      child.on("error", (err) => {
+        reject(new Error(
+          `Failed to spawn 1Password per-access worker at ${workerPath}: ${String(err)}`
+        ));
+      });
+    });
+  }
+  async delete(id) {
+    const client = await this.acquireClient();
+    const overview = await this.findItemOverview(client, id);
+    if (overview === void 0) {
+      throw new SecretNotFoundError(`Secret not found in 1Password: ${id}`);
+    }
+    await client.items.delete(this.vaultId, overview.id);
+  }
+  async exists(id) {
+    const client = await this.acquireClient();
+    const overview = await this.findItemOverview(client, id);
+    return overview !== void 0;
+  }
+  async list() {
+    const client = await this.acquireClient();
+    const overviews = await client.items.list(this.vaultId);
+    const ids = [];
+    for (const overview of overviews) {
+      if (overview.tags.includes(TAG)) {
+        ids.push(overview.title);
+      }
+    }
+    return ids;
+  }
+  // ---- Private helpers ----
+  /** Load SDK and throw PluginNotFoundError if unavailable. */
+  async requireSdk() {
+    const sdk = await this.tryLoadSdk();
+    if (sdk === null) {
+      throw new PluginNotFoundError(
+        "1Password SDK (@1password/sdk) is not available.",
+        "@1password/sdk",
+        SDK_INSTALL_URL
+      );
+    }
+    return sdk;
+  }
+};
+var YKMAN_INSTALL_URL = "https://developers.yubico.com/yubikey-manager/";
+var STORAGE_DIR_NAME2 = path3__namespace.join(".vaultkeeper", "yubikey");
+var METADATA_FILE = "metadata.json";
+var DEVICE_TIMEOUT_MS = 5e3;
+var GCM_IV_BYTES2 = 12;
+var GCM_KEY_BYTES2 = 32;
+var GCM_TAG_LENGTH_BITS = 128;
+var FORMAT_VERSION = "1";
+function getStorageDir2() {
+  return path3__namespace.join(os4__namespace.homedir(), STORAGE_DIR_NAME2);
+}
+function getEntryPath3(storageDir, id) {
+  const safeId = Buffer.from(id, "utf8").toString("hex");
+  return path3__namespace.join(storageDir, `${safeId}.enc`);
+}
+function isStringRecord(value) {
+  if (value === null || typeof value !== "object") {
+    return false;
+  }
+  return Object.values(value).every((v) => typeof v === "string");
+}
+async function loadMetadata(storageDir) {
+  const metaPath = path3__namespace.join(storageDir, METADATA_FILE);
+  try {
+    const raw = await fs__namespace.readFile(metaPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed !== null && typeof parsed === "object" && "entries" in parsed && isStringRecord(parsed.entries)) {
+      return { entries: parsed.entries };
+    }
+    return { entries: {} };
+  } catch {
+    return { entries: {} };
+  }
+}
+async function saveMetadata(storageDir, metadata) {
+  const metaPath = path3__namespace.join(storageDir, METADATA_FILE);
+  await fs__namespace.writeFile(metaPath, JSON.stringify(metadata, null, 2), { mode: 384 });
+}
+var HMAC_RESPONSE_HEX_LENGTH = 40;
+var HMAC_RESPONSE_RE = /^[0-9a-fA-F]{40}$/;
+function deriveKey(hmacResponse, id) {
+  const trimmed = hmacResponse.trim();
+  if (!HMAC_RESPONSE_RE.test(trimmed)) {
+    throw new Error(
+      `Invalid YubiKey HMAC response: expected exactly ${String(HMAC_RESPONSE_HEX_LENGTH)} hex characters (20 bytes), got ${String(trimmed.length)} characters`
+    );
+  }
+  const ikm = Buffer.from(trimmed, "hex");
+  const info = Buffer.from(`vaultkeeper-yubikey:${id}`, "utf8");
+  const keyMaterial = crypto__namespace.hkdfSync("sha256", ikm, Buffer.alloc(0), info, GCM_KEY_BYTES2);
+  return Buffer.from(keyMaterial);
+}
+function encryptGcm2(key, plaintext) {
+  const iv = crypto__namespace.randomBytes(GCM_IV_BYTES2);
+  let encrypted;
+  let authTag;
+  try {
+    const cipher = crypto__namespace.createCipheriv("aes-256-gcm", key, iv, {
+      authTagLength: GCM_TAG_LENGTH_BITS / 8
+    });
+    encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    authTag = cipher.getAuthTag();
+    return [
+      FORMAT_VERSION,
+      iv.toString("base64"),
+      authTag.toString("base64"),
+      encrypted.toString("base64")
+    ].join(":");
+  } finally {
+    key.fill(0);
+    iv.fill(0);
+    encrypted?.fill(0);
+    authTag?.fill(0);
+  }
+}
+function decryptGcm2(key, encoded) {
+  const parts = encoded.split(":");
+  const versionSegment = parts[0] ?? "";
+  const parsedVersion = parseInt(versionSegment, 10);
+  const isNumericVersion = String(parsedVersion) === versionSegment && !Number.isNaN(parsedVersion);
+  if (!isNumericVersion) {
+    key.fill(0);
+    throw new Error(
+      "Encrypted file uses a legacy format (AES-256-CBC). Delete the secret and re-store it to migrate to AES-256-GCM."
+    );
+  }
+  if (versionSegment !== FORMAT_VERSION) {
+    key.fill(0);
+    throw new Error(
+      `Unsupported encrypted file version: ${versionSegment}. This vaultkeeper build only supports version ${FORMAT_VERSION}. Upgrade vaultkeeper to read this secret.`
+    );
+  }
+  if (parts.length !== 4) {
+    key.fill(0);
+    throw new Error(
+      `Invalid encrypted file format: expected ${FORMAT_VERSION}:iv:authTag:ciphertext`
+    );
+  }
+  const [_version, ivB64, authTagB64, ciphertextB64] = parts;
+  if (ivB64 === void 0 || authTagB64 === void 0 || ciphertextB64 === void 0) {
+    key.fill(0);
+    throw new Error("Invalid encrypted file format: missing part");
+  }
+  let decrypted;
+  try {
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(authTagB64, "base64");
+    const ciphertext = Buffer.from(ciphertextB64, "base64");
+    const decipher = crypto__namespace.createDecipheriv("aes-256-gcm", key, iv, {
+      authTagLength: GCM_TAG_LENGTH_BITS / 8
+    });
+    decipher.setAuthTag(authTag);
+    try {
+      decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    } catch (err) {
+      throw new Error(
+        `GCM authentication failed \u2014 ciphertext may be tampered: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    const plaintext = decrypted.toString("utf8");
+    return plaintext;
+  } finally {
+    key.fill(0);
+    decrypted?.fill(0);
+  }
+}
+var YubikeyBackend = class {
+  type = "yubikey";
+  displayName = "YubiKey";
+  async isAvailable() {
+    try {
+      const result = await execCommandFull("ykman", ["--version"]);
+      if (result.exitCode !== 0) {
+        return false;
+      }
+      const listResult = await execCommandFull("ykman", ["list"]);
+      return listResult.exitCode === 0 && listResult.stdout.trim() !== "";
+    } catch {
+      return false;
+    }
+  }
+  async requireDevice() {
+    const available = await this.isAvailable();
+    if (!available) {
+      const hasYkman = await execCommandFull("ykman", ["--version"]).then(
+        (r) => r.exitCode === 0,
+        () => false
+      );
+      if (!hasYkman) {
+        throw new PluginNotFoundError("ykman is not installed", "ykman", YKMAN_INSTALL_URL);
+      }
+      throw new DeviceNotPresentError("No YubiKey device detected", DEVICE_TIMEOUT_MS);
+    }
+  }
+  /**
+   * Perform the YubiKey HMAC-SHA1 challenge-response for `id` and return the
+   * raw hex response string. Throws on device failure.
+   */
+  async challengeResponse(id) {
+    const challenge = Buffer.from(`vaultkeeper:${id}`, "utf8").toString("hex");
+    const responseResult = await execCommandFull("ykman", ["otp", "calculate", "2", challenge]);
+    if (responseResult.exitCode !== 0) {
+      throw new Error(`YubiKey challenge-response failed: ${responseResult.stderr}`);
+    }
+    return responseResult.stdout.trim();
+  }
+  async store(id, secret) {
+    await this.requireDevice();
+    const storageDir = getStorageDir2();
+    await fs__namespace.mkdir(storageDir, { recursive: true, mode: 448 });
+    const hmacResponse = await this.challengeResponse(id);
+    const key = deriveKey(hmacResponse, id);
+    const encrypted = encryptGcm2(key, secret);
+    const entryPath = getEntryPath3(storageDir, id);
+    await fs__namespace.writeFile(entryPath, encrypted, { mode: 384 });
+    const metadata = await loadMetadata(storageDir);
+    metadata.entries[id] = entryPath;
+    await saveMetadata(storageDir, metadata);
+  }
+  async retrieve(id) {
+    await this.requireDevice();
+    const storageDir = getStorageDir2();
+    const entryPath = getEntryPath3(storageDir, id);
+    try {
+      await fs__namespace.access(entryPath);
+    } catch {
+      throw new SecretNotFoundError(`Secret not found in YubiKey store: ${id}`);
+    }
+    const encoded = await fs__namespace.readFile(entryPath, "utf8");
+    const hmacResponse = await this.challengeResponse(id);
+    const key = deriveKey(hmacResponse, id);
+    return decryptGcm2(key, encoded);
+  }
+  async delete(id) {
+    await this.requireDevice();
+    const storageDir = getStorageDir2();
+    const entryPath = getEntryPath3(storageDir, id);
+    try {
+      await fs__namespace.unlink(entryPath);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        throw new SecretNotFoundError(`Secret not found in YubiKey store: ${id}`);
+      }
+      throw err;
+    }
+    const metadata = await loadMetadata(storageDir);
+    delete metadata.entries[id];
+    await saveMetadata(storageDir, metadata);
+  }
+  async exists(id) {
+    const storageDir = getStorageDir2();
+    const entryPath = getEntryPath3(storageDir, id);
+    try {
+      await fs__namespace.access(entryPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async list() {
+    const storageDir = getStorageDir2();
+    const metadata = await loadMetadata(storageDir);
+    return Object.keys(metadata.entries);
+  }
+};
+// src/backend/register-builtins.ts
+function registerBuiltinBackends() {
+  BackendRegistry.register("file", () => new FileBackend());
+  BackendRegistry.register("keychain", () => new KeychainBackend());
+  BackendRegistry.register("dpapi", () => new DpapiBackend());
+  BackendRegistry.register("secret-tool", () => new SecretToolBackend());
+  BackendRegistry.register("1password", (config) => {
+    const opts = config?.options;
+    const vaultId = opts?.vault ?? "";
+    const opOptions = {
+      vault: vaultId,
+      // 'session' is the safer default — 'per-access' re-prompts on every read.
+      accessMode: opts?.accessMode === "per-access" ? "per-access" : "session"
+    };
+    const account = opts?.account;
+    if (account !== void 0) {
+      opOptions.account = account;
+    }
+    const serviceAccountToken = opts?.serviceAccountToken;
+    if (serviceAccountToken !== void 0) {
+      opOptions.serviceAccountToken = serviceAccountToken;
+    }
+    return new OnePasswordBackend(opOptions);
+  });
+  BackendRegistry.register("yubikey", () => new YubikeyBackend());
+}
+registerBuiltinBackends();
+// src/backend/types.ts
+function isListableBackend(backend) {
+  return "list" in backend && typeof backend.list === "function";
+}
 function hashExecutable(filePath) {
-  return new Promise((resolve, reject) => {
-    const hash = crypto4__namespace.createHash("sha256");
+  return new Promise((resolve2, reject) => {
+    const hash = crypto__namespace.createHash("sha256");
     const stream = fs4__namespace.createReadStream(filePath);
     stream.on("data", (chunk) => {
       hash.update(chunk);
     });
     stream.on("end", () => {
-      resolve(hash.digest("hex"));
+      resolve2(hash.digest("hex"));
     });
     stream.on("error", (err) => {
       reject(err);
@@ -326,10 +1384,10 @@ function isTrustManifestEntry(value) {
   return true;
 }
 async function loadManifest(configDir) {
-  const manifestPath = path5__namespace.join(configDir, MANIFEST_FILENAME);
+  const manifestPath = path3__namespace.join(configDir, MANIFEST_FILENAME);
   let rawText;
   try {
-    rawText = await fs5__namespace.readFile(manifestPath, "utf8");
+    rawText = await fs__namespace.readFile(manifestPath, "utf8");
   } catch (err) {
     if (typeof err === "object" && err !== null && "code" in err && err.code === "ENOENT") {
       return /* @__PURE__ */ new Map();
@@ -349,14 +1407,14 @@ async function loadManifest(configDir) {
   return manifest;
 }
 async function saveManifest(configDir, manifest) {
-  await fs5__namespace.mkdir(configDir, { recursive: true });
+  await fs__namespace.mkdir(configDir, { recursive: true });
   const entries = {};
   for (const [namespace, entry] of manifest) {
     entries[namespace] = entry;
   }
   const raw = { version: 1, entries };
-  const manifestPath = path5__namespace.join(configDir, MANIFEST_FILENAME);
-  await fs5__namespace.writeFile(manifestPath, JSON.stringify(raw, null, 2), "utf8");
+  const manifestPath = path3__namespace.join(configDir, MANIFEST_FILENAME);
+  await fs__namespace.writeFile(manifestPath, JSON.stringify(raw, null, 2), "utf8");
 }
 function addTrustedHash(manifest, namespace, hash) {
   const next = new Map(manifest);
@@ -467,14 +1525,18 @@ function validateCapabilityToken(token) {
   return claims;
 }
 function getDefaultConfigDir() {
+  const envOverride = process.env.VAULTKEEPER_CONFIG_DIR;
+  if (envOverride !== void 0 && envOverride !== "") {
+    return envOverride;
+  }
   if (process.platform === "win32") {
     const appData = process.env.APPDATA;
     if (appData !== void 0) {
-      return path5__namespace.join(appData, "vaultkeeper");
+      return path3__namespace.join(appData, "vaultkeeper");
     }
-    return path5__namespace.join(os4__namespace.homedir(), "AppData", "Roaming", "vaultkeeper");
+    return path3__namespace.join(os4__namespace.homedir(), "AppData", "Roaming", "vaultkeeper");
   }
-  return path5__namespace.join(os4__namespace.homedir(), ".config", "vaultkeeper");
+  return path3__namespace.join(os4__namespace.homedir(), ".config", "vaultkeeper");
 }
 function defaultConfig() {
   return {
@@ -513,6 +1575,21 @@ function validateBackendEntry(entry, index) {
     }
     result.path = entry.path;
   }
+  if (entry.options !== void 0) {
+    if (!isObject(entry.options)) {
+      throw new Error(`backends[${String(index)}].options must be an object`);
+    }
+    const opts = {};
+    for (const [k, v] of Object.entries(entry.options)) {
+      if (typeof v !== "string") {
+        throw new Error(
+          `backends[${String(index)}].options["${k}"] must be a string`
+        );
+      }
+      opts[k] = v;
+    }
+    result.options = opts;
+  }
   return result;
 }
 function validateConfig(config) {
@@ -575,10 +1652,10 @@ function validateConfig(config) {
 }
 async function loadConfig(configDir) {
   const dir = configDir ?? getDefaultConfigDir();
-  const configPath = path5__namespace.join(dir, "config.json");
+  const configPath = path3__namespace.join(dir, "config.json");
   let raw;
   try {
-    raw = await fs5__namespace.readFile(configPath, "utf-8");
+    raw = await fs__namespace.readFile(configPath, "utf-8");
   } catch {
     return defaultConfig();
   }
@@ -597,10 +1674,10 @@ var KeyManager = class {
   #rotating = false;
   /** Generate a new 32-byte key with a timestamp-based id. */
   generateKey() {
-    const randomSuffix = crypto4__namespace.randomBytes(4).toString("hex");
+    const randomSuffix = crypto__namespace.randomBytes(4).toString("hex");
     return {
       id: `k-${String(Date.now())}-${randomSuffix}`,
-      key: new Uint8Array(crypto4__namespace.randomBytes(32)),
+      key: new Uint8Array(crypto__namespace.randomBytes(32)),
       createdAt: /* @__PURE__ */ new Date()
     };
   }
@@ -902,7 +1979,7 @@ function replaceInRecord2(record, secret) {
 function delegatedExec(secret, request) {
   const args = (request.args ?? []).map((arg) => replacePlaceholder2(arg, secret));
   const env = request.env !== void 0 ? replaceInRecord2(request.env, secret) : void 0;
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const spawnOptions = {
       stdio: ["ignore", "pipe", "pipe"]
     };
@@ -922,7 +1999,7 @@ function delegatedExec(secret, request) {
       stderr += data.toString();
     });
     proc.on("close", (code) => {
-      resolve({ stdout, stderr, exitCode: code ?? 1 });
+      resolve2({ stdout, stderr, exitCode: code ?? 1 });
     });
     proc.on("error", (error) => {
       reject(error);
@@ -1023,10 +2100,12 @@ function resolveAlgorithmForKey(key, override) {
   if (keyType === "ed25519" || keyType === "ed448") {
     return { signAlg: null, label: keyType };
   }
-  const alg = override ?? "sha256";
+  const alg = (override ?? "sha256").toLowerCase();
   if (!ALLOWED_ALGORITHMS.has(alg)) {
-    throw new VaultError(
-      `Unsupported signing algorithm '${alg}'. Allowed: ${[...ALLOWED_ALGORITHMS].join(", ")}`
+    throw new InvalidAlgorithmError(
+      `Unsupported algorithm '${alg}'. Allowed: ${[...ALLOWED_ALGORITHMS].join(", ")}`,
+      alg,
+      [...ALLOWED_ALGORITHMS]
     );
   }
   return { signAlg: alg, label: alg };
@@ -1034,10 +2113,10 @@ function resolveAlgorithmForKey(key, override) {
 // src/access/delegated-sign.ts
 function delegatedSign(secretPem, request) {
-  const key = crypto4__namespace.createPrivateKey(secretPem);
+  const key = crypto__namespace.createPrivateKey(secretPem);
   const { signAlg, label } = resolveAlgorithmForKey(key, request.algorithm);
   const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
-  const signature = crypto4__namespace.sign(signAlg, data, key);
+  const signature = crypto__namespace.sign(signAlg, data, key);
   return {
     signature: signature.toString("base64"),
     algorithm: label
@@ -1046,15 +2125,18 @@ function delegatedSign(secretPem, request) {
 function delegatedVerify(request) {
   let key;
   try {
-    key = crypto4__namespace.createPublicKey(request.publicKey);
+    key = crypto__namespace.createPublicKey(request.publicKey);
   } catch {
     return false;
   }
+  if (typeof request.publicKey === "string" && request.publicKey.includes("PRIVATE KEY")) {
+    return false;
+  }
   const { signAlg } = resolveAlgorithmForKey(key, request.algorithm);
   const sig = Buffer.from(request.signature, "base64");
   try {
     const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
-    return crypto4__namespace.verify(signAlg, data, key, sig);
+    return crypto__namespace.verify(signAlg, data, key, sig);
   } catch {
     return false;
   }
@@ -1191,7 +2273,17 @@ function currentPlatform() {
 // src/doctor/runner.ts
 async function runDoctor(options) {
-  const platform = currentPlatform();
+  let platform;
+  try {
+    platform = options?.platform ?? currentPlatform();
+  } catch {
+    return {
+      checks: [],
+      ready: false,
+      warnings: [],
+      nextSteps: ["Unsupported platform. vaultkeeper supports macOS, Linux, and Windows."]
+    };
+  }
   const entries = buildCheckList(platform);
   const resolved = await Promise.all(
     entries.map(async ({ check, required }) => {
@@ -1280,7 +2372,7 @@ var VaultKeeper = class _VaultKeeper {
     return runDoctor();
   }
   /**
-   * Store a secret and return a JWE token that encapsulates it.
+   * Retrieve a secret from the backend and return a JWE token that encapsulates it.
    *
    * @param secretName - Identifier for the secret
    * @param options - Setup options
@@ -1312,7 +2404,7 @@ var VaultKeeper = class _VaultKeeper {
     }
     const now = Math.floor(Date.now() / 1e3);
     const claims = {
-      jti: crypto4__namespace.randomUUID(),
+      jti: crypto__namespace.randomUUID(),
       exp: now + ttlMinutes * 60,
       iat: now,
       sub: secretName,
@@ -1431,6 +2523,8 @@ var VaultKeeper = class _VaultKeeper {
    *   with the vault metadata (`vaultResponse`).
    * @throws {VaultError} If `token` is invalid or was not created by this
    *   vault instance.
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
    */
   async sign(token, request) {
     const claims = validateCapabilityToken(token);
@@ -1448,8 +2542,11 @@ var VaultKeeper = class _VaultKeeper {
    * capability tokens are required. It is safe to call from CI or any
    * context that has access to public key material.
    *
-   * Never throws. Returns `false` for invalid key material, malformed
-   * signatures, or any verification failure.
+   * Returns `false` for invalid key material, malformed signatures, or
+   * any verification failure (except disallowed algorithms, which throw).
+   *
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
    *
    * @param request - The data, signature, public key, and optional
    *   algorithm override.
@@ -1533,7 +2630,7 @@ var VaultKeeper = class _VaultKeeper {
         []
       );
     }
-    return BackendRegistry.create(firstEnabled.type);
+    return BackendRegistry.create(firstEnabled.type, firstEnabled);
   }
   #requireBackend() {
     if (this.#backend === void 0) {
@@ -1582,6 +2679,7 @@ exports.CapabilityToken = CapabilityToken;
 exports.DeviceNotPresentError = DeviceNotPresentError;
 exports.FilesystemError = FilesystemError;
 exports.IdentityMismatchError = IdentityMismatchError;
+exports.InvalidAlgorithmError = InvalidAlgorithmError;
 exports.KeyRevokedError = KeyRevokedError;
 exports.KeyRotatedError = KeyRotatedError;
 exports.PluginNotFoundError = PluginNotFoundError;
@@ -1594,5 +2692,6 @@ exports.UsageLimitExceededError = UsageLimitExceededError;
 exports.VaultError = VaultError;
 exports.VaultKeeper = VaultKeeper;
 exports.isListableBackend = isListableBackend;
+exports.runDoctor = runDoctor;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map