feat(core): initial release with 3-tier secret storage

Implements SmartSecret with macOS Keychain, Linux secret-tool, and AES-256-GCM encrypted file fallback backends. Zero runtime dependencies.
2026-02-24 15:40:14 +00:00
commit 7a19f01def
18 changed files with 10842 additions and 0 deletions
--- a/ts/smartsecret.backends.file.ts
+++ b/ts/smartsecret.backends.file.ts
@@ -0,0 +1,153 @@
+import * as plugins from './smartsecret.plugins.js';
+import type { ISecretBackend, TBackendType } from './smartsecret.backends.base.js';
+
+interface IVaultEntry {
+  iv: string;       // hex
+  ciphertext: string; // hex
+  tag: string;       // hex
+}
+
+interface IVaultData {
+  [key: string]: IVaultEntry;
+}
+
+export class FileEncryptedBackend implements ISecretBackend {
+  public readonly backendType: TBackendType = 'file-encrypted';
+  private service: string;
+  private vaultPath: string;
+  private keyfilePath: string;
+
+  constructor(service: string, vaultPath?: string) {
+    this.service = service;
+    const configDir = vaultPath
+      ? plugins.path.dirname(vaultPath)
+      : plugins.path.join(plugins.os.homedir(), '.config', 'smartsecret');
+    this.vaultPath = vaultPath || plugins.path.join(configDir, 'vault.json');
+    this.keyfilePath = plugins.path.join(configDir, '.keyfile');
+  }
+
+  async isAvailable(): Promise<boolean> {
+    return true; // File backend is always available
+  }
+
+  async setSecret(account: string, secret: string): Promise<void> {
+    const key = await this.deriveKey();
+    const vault = await this.readVault();
+    const vaultKey = `${this.service}:${account}`;
+
+    const iv = plugins.crypto.randomBytes(12);
+    const cipher = plugins.crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    vault[vaultKey] = {
+      iv: iv.toString('hex'),
+      ciphertext: encrypted.toString('hex'),
+      tag: tag.toString('hex'),
+    };
+
+    await this.writeVault(vault);
+  }
+
+  async getSecret(account: string): Promise<string | null> {
+    const key = await this.deriveKey();
+    const vault = await this.readVault();
+    const vaultKey = `${this.service}:${account}`;
+
+    const entry = vault[vaultKey];
+    if (!entry) return null;
+
+    try {
+      const iv = Buffer.from(entry.iv, 'hex');
+      const ciphertext = Buffer.from(entry.ciphertext, 'hex');
+      const tag = Buffer.from(entry.tag, 'hex');
+
+      const decipher = plugins.crypto.createDecipheriv('aes-256-gcm', key, iv);
+      decipher.setAuthTag(tag);
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+      return decrypted.toString('utf8');
+    } catch {
+      return null;
+    }
+  }
+
+  async deleteSecret(account: string): Promise<boolean> {
+    const vault = await this.readVault();
+    const vaultKey = `${this.service}:${account}`;
+
+    if (!(vaultKey in vault)) return false;
+
+    delete vault[vaultKey];
+    await this.writeVault(vault);
+    return true;
+  }
+
+  async listAccounts(): Promise<string[]> {
+    const vault = await this.readVault();
+    const prefix = `${this.service}:`;
+    return Object.keys(vault)
+      .filter((k) => k.startsWith(prefix))
+      .map((k) => k.slice(prefix.length));
+  }
+
+  private async deriveKey(): Promise<Buffer> {
+    const keyfileContent = await this.ensureKeyfile();
+    return new Promise((resolve, reject) => {
+      plugins.crypto.pbkdf2(
+        keyfileContent,
+        `smartsecret:${this.service}`,
+        100_000,
+        32,
+        'sha512',
+        (err, derivedKey) => {
+          if (err) reject(err);
+          else resolve(derivedKey);
+        },
+      );
+    });
+  }
+
+  private async ensureKeyfile(): Promise<Buffer> {
+    const dir = plugins.path.dirname(this.keyfilePath);
+    try {
+      await plugins.fs.promises.mkdir(dir, { recursive: true });
+    } catch {
+      // Already exists
+    }
+
+    try {
+      const content = await plugins.fs.promises.readFile(this.keyfilePath);
+      return content;
+    } catch {
+      // Generate new keyfile
+      const key = plugins.crypto.randomBytes(32);
+      await plugins.fs.promises.writeFile(this.keyfilePath, key, { mode: 0o600 });
+      return key;
+    }
+  }
+
+  private async readVault(): Promise<IVaultData> {
+    try {
+      const content = await plugins.fs.promises.readFile(this.vaultPath, 'utf8');
+      return JSON.parse(content) as IVaultData;
+    } catch {
+      return {};
+    }
+  }
+
+  private async writeVault(vault: IVaultData): Promise<void> {
+    const dir = plugins.path.dirname(this.vaultPath);
+    try {
+      await plugins.fs.promises.mkdir(dir, { recursive: true });
+    } catch {
+      // Already exists
+    }
+
+    const tmpPath = this.vaultPath + '.tmp';
+    await plugins.fs.promises.writeFile(tmpPath, JSON.stringify(vault, null, 2), {
+      encoding: 'utf8',
+      mode: 0o600,
+    });
+    await plugins.fs.promises.rename(tmpPath, this.vaultPath);
+  }
+}