feat(core): initial release with 3-tier secret storage

Implements SmartSecret with macOS Keychain, Linux secret-tool, and AES-256-GCM encrypted file fallback backends. Zero runtime dependencies.

ts/smartsecret.backends.linux.ts

@@ -0,0 +1,109 @@
+import * as plugins from './smartsecret.plugins.js';
+import type { ISecretBackend, TBackendType } from './smartsecret.backends.base.js';
+
+function execFile(cmd: string, args: string[]): Promise<{ stdout: string; stderr: string }> {
+  return new Promise((resolve, reject) => {
+    plugins.childProcess.execFile(cmd, args, { encoding: 'utf8' }, (err, stdout, stderr) => {
+      if (err) {
+        reject(Object.assign(err, { stdout, stderr }));
+      } else {
+        resolve({ stdout: stdout as string, stderr: stderr as string });
+      }
+    });
+  });
+}
+
+function spawnWithStdin(cmd: string, args: string[], stdinData: string): Promise<{ stdout: string; stderr: string }> {
+  return new Promise((resolve, reject) => {
+    const child = plugins.childProcess.spawn(cmd, args, { stdio: ['pipe', 'pipe', 'pipe'] });
+    let stdout = '';
+    let stderr = '';
+    child.stdout!.on('data', (chunk: Buffer) => { stdout += chunk.toString(); });
+    child.stderr!.on('data', (chunk: Buffer) => { stderr += chunk.toString(); });
+    child.on('error', reject);
+    child.on('close', (code) => {
+      if (code === 0) {
+        resolve({ stdout, stderr });
+      } else {
+        reject(Object.assign(new Error(`secret-tool exited with code ${code}`), { stdout, stderr }));
+      }
+    });
+    child.stdin!.write(stdinData);
+    child.stdin!.end();
+  });
+}
+
+export class LinuxSecretServiceBackend implements ISecretBackend {
+  public readonly backendType: TBackendType = 'linux-secret-service';
+  private service: string;
+
+  constructor(service: string) {
+    this.service = service;
+  }
+
+  async isAvailable(): Promise<boolean> {
+    if (process.platform !== 'linux') return false;
+    try {
+      await execFile('which', ['secret-tool']);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  async setSecret(account: string, secret: string): Promise<void> {
+    // secret-tool store reads password from stdin
+    await spawnWithStdin('secret-tool', [
+      'store',
+      '--label', `${this.service}:${account}`,
+      'service', this.service,
+      'account', account,
+    ], secret);
+  }
+
+  async getSecret(account: string): Promise<string | null> {
+    try {
+      const { stdout } = await execFile('secret-tool', [
+        'lookup',
+        'service', this.service,
+        'account', account,
+      ]);
+      // secret-tool returns empty string if not found (exit 0) or exits non-zero
+      return stdout.length > 0 ? stdout : null;
+    } catch {
+      return null;
+    }
+  }
+
+  async deleteSecret(account: string): Promise<boolean> {
+    try {
+      await execFile('secret-tool', [
+        'clear',
+        'service', this.service,
+        'account', account,
+      ]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  async listAccounts(): Promise<string[]> {
+    try {
+      const { stdout } = await execFile('secret-tool', [
+        'search',
+        '--all',
+        'service', this.service,
+      ]);
+      const accounts: string[] = [];
+      const regex = /attribute\.account = (.+)/g;
+      let match: RegExpExecArray | null;
+      while ((match = regex.exec(stdout)) !== null) {
+        accounts.push(match[1].trim());
+      }
+      return [...new Set(accounts)];
+    } catch {
+      return [];
+    }
+  }
+}