readme.hints.md

# smartsecret hints

## Architecture
- 3-tier backend: macOS Keychain → Linux secret-tool → encrypted file vault
- Zero runtime dependencies (Node.js built-ins only)
- All OS interactions via child_process.execFile (no shell injection)

## File Backend
- Vault: AES-256-GCM, JSON file with { iv, ciphertext, tag } per entry
- Keyfile: auto-generated 32 random bytes at ~/.config/smartsecret/.keyfile (mode 0600)
- Key derivation: PBKDF2 (SHA-512, 100k iterations, service-name salt)
- Atomic writes: write .tmp then rename()
feat(core): initial release with 3-tier secret storage Implements SmartSecret with macOS Keychain, Linux secret-tool, and AES-256-GCM encrypted file fallback backends. Zero runtime dependencies. 2026-02-24 15:40:14 +00:00			`# smartsecret hints`

			`## Architecture`
			`- 3-tier backend: macOS Keychain → Linux secret-tool → encrypted file vault`
			`- Zero runtime dependencies (Node.js built-ins only)`
			`- All OS interactions via child_process.execFile (no shell injection)`

			`## File Backend`
			`- Vault: AES-256-GCM, JSON file with { iv, ciphertext, tag } per entry`
			`- Keyfile: auto-generated 32 random bytes at ~/.config/smartsecret/.keyfile (mode 0600)`
			`- Key derivation: PBKDF2 (SHA-512, 100k iterations, service-name salt)`
			`- Atomic writes: write .tmp then rename()`