dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
11e6e27ad19a85b2f06fceb6b4da71be99de1910
fn_registry/cpp/functions/infra/secret_store.md
T
egutierrez 11e6e27ad1 fix(auto): fix secret_store.md YAML — returns/error_type/imports format 
- returns: [] (was empty string)
- error_type: error_go_core (was empty, required for impure)
- imports: [list] (was string)
- Removed stale id: field (auto-computed from filename)
- Added output: field for params_schema

fn index now clean: 1324 functions, 45 apps

Co-Authored-By: fn-orquestador <noreply@fn-registry.local>
2026-05-22 21:48:21 +02:00

2.8 KiB
Raw Blame History

name, kind, lang, domain, version, purity, signature, description, tags, uses_functions, uses_types, returns, returns_optional, error_type, imports, tested, tests, test_file_path, file_path, framework, params, output
name kind lang domain version purity signature description tags uses_functions uses_types returns returns_optional error_type imports tested tests test_file_path file_path framework params output
secret_store function cpp infra 1.0.0 impure fn_secret::encrypt(plaintext) -> vector<uint8_t>; fn_secret::decrypt(blob) -> string; fn_secret::is_strong() -> bool Encrypt/decrypt sensitive strings for local SQLite storage. Windows: DPAPI (user-bound, machine-local, cryptographically strong). Linux/WSL fallback: XOR with per-user seed key (not crypto-secure, shows warning). Used by agents_dashboard to store API keys.
security
credentials
dpapi
encrypt
infra
agents
false error_go_core
infra/secret_store.h
false
cpp/functions/infra/secret_store.cpp
name desc
plaintext Sensitive string to encrypt (API key, password, token).
name desc
blob Opaque byte vector returned by encrypt(), stored as SQLite BLOB column.
encrypt returns vector<uint8_t> blob (empty on failure). decrypt returns plaintext string (empty on failure). is_strong() returns true on Windows (DPAPI), false on Linux (XOR fallback).

secret_store

Encrypt/decrypt sensitive credentials for local SQLite storage.

Ejemplo

#include "infra/secret_store.h"

// Store API key encrypted:
std::vector<uint8_t> blob = fn_secret::encrypt("my-api-key-here");
// Insert blob into SQLite BLOB column via sqlite3_bind_blob()...

// Recover:
std::string key = fn_secret::decrypt(blob);

// Base64 helpers for TEXT columns:
std::string b64 = fn_secret::encrypt_b64("my-api-key-here");
std::string back = fn_secret::decrypt_b64(b64);

// Platform check (show warning on Linux):
if (!fn_secret::is_strong()) {
    fn_log::warn("[security] apikey stored with weak Linux fallback encryption");
}

Cuando usarla

Antes de guardar una API key, token o contrasena en SQLite local. Siempre usar fn::local_path("app.db") para la DB. En Windows (DPAPI) la clave nunca sale de la maquina. En Linux, mostrar aviso en UI de que la proteccion es basica.

Gotchas

  • DPAPI is Windows-only: el blob cifrado en Windows NO se puede descifrar en Linux y viceversa. Si el usuario mueve la DB entre plataformas, las credenciales se pierden — debe reingresar la apikey.
  • Linux fallback NO es criptograficamente seguro: XOR con semilla derivada de username+hostname. Previene lectura casual pero no protege contra atacante con acceso al sistema.
  • CryptProtectData es sincrono: no llamar desde el thread principal con datos grandes. Para una apikey (tipicamente <200 bytes) el coste es despreciable.
  • Linkear crypt32.lib en Windows: el .cpp tiene #pragma comment(lib, "crypt32.lib") — no necesita entry en CMakeLists para MSVC. Con MinGW se enlaza automaticamente si se incluye wincrypt.h.
Reference in New Issue View Git Blame Copy Permalink