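// secret_store.h — encrypt/decrypt sensitive strings for local storage.
//
// Windows: uses DPAPI (CryptProtectData / CryptUnprotectData).
// The encrypted blob is bound to the current user account on the local
// machine: another user account, or a copy of the database moved to a
// different machine, cannot decrypt it. The key never leaves the machine.
// The blob can be stored in SQLite as a BLOB column (or as base64 TEXT via
// the *_b64 helpers below).
//
// Linux/WSL fallback: XOR-encode with a stable per-user key derived from
// username + hostname. This is obfuscation, NOT encryption: the key is
// derivable by anyone who can read the database on (or copied from) the
// same host, so the plaintext is trivially recoverable. It only keeps
// credentials from sitting verbatim in SQLite. Callers should check
// is_strong() and surface a warning in the UI when it returns false.
// Production use should switch to libsecret / KDE Wallet on Linux.
//
// Part of issue 0129 (agents_dashboard credential storage).
#pragma once

#include <cstdint>
#include <string>
#include <vector>

namespace fn_secret {

// Encrypt `plaintext` into an opaque blob suitable for storage in a BLOB column.
// The blob format is backend-specific (DPAPI on Windows, XOR fallback
// elsewhere); treat it as opaque and do not assume it is portable across
// backends, user accounts or machines.
// Returns an empty vector on failure; never throws.
// NOTE(review): the element type was reconstructed from a garbled copy of
// this header (the template argument had been stripped) — confirm against
// secret_store.cpp.
std::vector<std::uint8_t> encrypt(const std::string& plaintext);

// Decrypt a blob produced by `encrypt()`.
// Returns an empty string on failure (wrong key / different user account,
// corrupted data, etc.). Caveat: an empty *plaintext* also round-trips to
// an empty string, so callers cannot distinguish "empty secret" from
// "decryption failed" through this return value alone.
std::string decrypt(const std::vector<std::uint8_t>& blob);

// Convenience: same as `encrypt()`, but returns the blob base64-encoded for
// storage in a TEXT column. Presumably returns an empty string on failure,
// mirroring `encrypt()` — confirm against the implementation.
std::string encrypt_b64(const std::string& plaintext);

// Convenience: base64-decode `b64` and `decrypt()` the result.
// Presumably returns an empty string on failure (including malformed
// base64), mirroring `decrypt()` — confirm against the implementation.
std::string decrypt_b64(const std::string& b64);

// Returns true if running with strong DPAPI encryption (Windows).
// Returns false on the Linux/WSL fallback — callers should treat stored
// secrets as effectively plaintext in that case and show a warning.
bool is_strong();

} // namespace fn_secret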