diff --git a/cpp/functions/infra/secret_store.md b/cpp/functions/infra/secret_store.md
index d08db9f6..b6ff2bf5 100644
--- a/cpp/functions/infra/secret_store.md
+++ b/cpp/functions/infra/secret_store.md
@@ -1,41 +1,30 @@
 ---
-id: secret_store_cpp_infra
 name: secret_store
 kind: function
 lang: cpp
 domain: infra
-version: 1.0.0
+version: "1.0.0"
 purity: impure
-signature: "fn_secret::encrypt(plaintext) -> blob; fn_secret::decrypt(blob) -> string; fn_secret::is_strong() -> bool"
+signature: "fn_secret::encrypt(plaintext) -> vector<uint8_t>; fn_secret::decrypt(blob) -> string; fn_secret::is_strong() -> bool"
 description: "Encrypt/decrypt sensitive strings for local SQLite storage. Windows: DPAPI (user-bound, machine-local, cryptographically strong). Linux/WSL fallback: XOR with per-user seed key (not crypto-secure, shows warning). Used by agents_dashboard to store API keys."
 tags: [security, credentials, dpapi, encrypt, infra, agents]
 uses_functions: []
 uses_types: []
-returns: ""
+returns: []
 returns_optional: false
-error_type: ""
-imports: "infra/secret_store.h"
-example: |
-  #include "infra/secret_store.h"
-
-  // Encrypt an API key before storing in SQLite:
-  std::string apikey = "sk-mykey-123";
-  auto blob = fn_secret::encrypt(apikey);
-  // store blob in SQLite BLOB column...
-
-  // Decrypt when needed:
-  std::string recovered = fn_secret::decrypt(blob);
-  assert(recovered == apikey);
-
-  // Check platform strength:
-  if (!fn_secret::is_strong()) {
-      // Show warning: Linux fallback is NOT crypto-secure
-  }
+error_type: "error_go_core"
+imports: [infra/secret_store.h]
 tested: false
 tests: []
 test_file_path: ""
 file_path: "cpp/functions/infra/secret_store.cpp"
-params_schema: '{"params":[{"name":"plaintext","desc":"Sensitive string to encrypt (API key, password, token)."},{"name":"blob","desc":"Opaque byte vector returned by encrypt(), stored as SQLite BLOB."}],"output":"encrypt returns vector<uint8_t> blob (empty on failure). decrypt returns plaintext string (empty on failure). is_strong() returns true on Windows (DPAPI), false on Linux (XOR fallback)."}'
+framework: ""
+params:
+  - name: plaintext
+    desc: "Sensitive string to encrypt (API key, password, token)."
+  - name: blob
+    desc: "Opaque byte vector returned by encrypt(), stored as SQLite BLOB column."
+output: "encrypt returns vector<uint8_t> blob (empty on failure). decrypt returns plaintext string (empty on failure). is_strong() returns true on Windows (DPAPI), false on Linux (XOR fallback)."
 ---
 
 # secret_store