egutierrez
ca0e6ac584
- cpp/functions/infra/secret_store.cpp - cpp/functions/infra/secret_store.h - cpp/functions/infra/secret_store.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
38 lines
1.4 KiB
C++
38 lines
1.4 KiB
C++
// secret_store.h — encrypt/decrypt sensitive strings for local storage.
|
|
//
|
|
// Windows: uses DPAPI (CryptProtectData / CryptUnprotectData).
|
|
// The encrypted blob is bound to the current user account on the local
|
|
// machine. Key never leaves the machine. The blob can be stored in
|
|
// SQLite as a BLOB column.
|
|
//
|
|
// Linux/WSL fallback: XOR-encode with a stable per-user key derived from
|
|
// username + hostname. NOT cryptographically strong — but prevents
|
|
// plaintext credentials sitting in SQLite and shows a warning in the UI.
|
|
// Production use should switch to libsecret / KDE Wallet on Linux.
|
|
//
|
|
// Part of issue 0129 (agents_dashboard credential storage).
|
|
#pragma once
|
|
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
namespace fn_secret {
|
|
|
|
// Encrypt `plaintext` into an opaque blob suitable for storage in a BLOB column.
|
|
// Returns empty vector on failure; never throws.
|
|
std::vector<uint8_t> encrypt(const std::string& plaintext);
|
|
|
|
// Decrypt a blob produced by `encrypt()`.
|
|
// Returns empty string on failure (wrong key, corrupted data, etc.).
|
|
std::string decrypt(const std::vector<uint8_t>& blob);
|
|
|
|
// Convenience: encrypt returns base64 string for TEXT storage.
|
|
std::string encrypt_b64(const std::string& plaintext);
|
|
std::string decrypt_b64(const std::string& b64);
|
|
|
|
// Returns true if running with strong DPAPI encryption (Windows).
|
|
// Returns false on Linux fallback — callers may show a warning.
|
|
bool is_strong();
|
|
|
|
} // namespace fn_secret
|