egutierrez
61507ee502
DPAPI Windows + XOR Linux fallback para almacenar credentials sensibles en SQLite local. Usado por agents_dashboard para cifrar apikeys. Incluye encrypt/decrypt/is_strong + base64 helpers. Issue: 0129 Co-Authored-By: fn-constructor <noreply@fn-registry.local>
38 lines
1.4 KiB
C++
38 lines
1.4 KiB
C++
// secret_store.h — encrypt/decrypt sensitive strings for local storage.
|
|
//
|
|
// Windows: uses DPAPI (CryptProtectData / CryptUnprotectData).
|
|
// The encrypted blob is bound to the current user account on the local
|
|
// machine. Key never leaves the machine. The blob can be stored in
|
|
// SQLite as a BLOB column.
|
|
//
|
|
// Linux/WSL fallback: XOR-encode with a stable per-user key derived from
|
|
// username + hostname. NOT cryptographically strong — but prevents
|
|
// plaintext credentials sitting in SQLite and shows a warning in the UI.
|
|
// Production use should switch to libsecret / KDE Wallet on Linux.
|
|
//
|
|
// Part of issue 0129 (agents_dashboard credential storage).
|
|
#pragma once
|
|
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
namespace fn_secret {
|
|
|
|
// Encrypt `plaintext` into an opaque blob suitable for storage in a BLOB column.
|
|
// Returns empty vector on failure; never throws.
|
|
std::vector<uint8_t> encrypt(const std::string& plaintext);
|
|
|
|
// Decrypt a blob produced by `encrypt()`.
|
|
// Returns empty string on failure (wrong key, corrupted data, etc.).
|
|
std::string decrypt(const std::vector<uint8_t>& blob);
|
|
|
|
// Convenience: encrypt returns base64 string for TEXT storage.
|
|
std::string encrypt_b64(const std::string& plaintext);
|
|
std::string decrypt_b64(const std::string& b64);
|
|
|
|
// Returns true if running with strong DPAPI encryption (Windows).
|
|
// Returns false on Linux fallback — callers may show a warning.
|
|
bool is_strong();
|
|
|
|
} // namespace fn_secret
|