# smartsecret hints

## Architecture

- 3-tier backend: macOS Keychain → Linux secret-tool → encrypted file vault
- Zero runtime dependencies (Node.js built-ins only)
- All OS interactions via child_process.execFile (no shell injection)

## File Backend

- Vault: AES-256-GCM, JSON file with { iv, ciphertext, tag } per entry
- Keyfile: auto-generated 32 random bytes at ~/.config/smartsecret/.keyfile (mode 0600)
- Key derivation: PBKDF2 (SHA-512, 100k iterations, service-name salt)
- Atomic writes: write .tmp then rename()
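
The File Backend scheme listed above, sketched with Node.js built-ins as an added example; this is not smartsecret's own source. The function names, base64 field encoding, 12-byte IV and the 0600 mode on the vault file are assumptions, since the notes specify only the algorithms and the entry shape.

```javascript
// Added example, not smartsecret's source. Function names, base64 encoding,
// the 12-byte IV and the vault file mode are assumptions.
const crypto = require('node:crypto');
const fs = require('node:fs');

// PBKDF2-SHA-512, 100k iterations, service name as salt -> 32-byte AES key.
function deriveKey(keyfileBytes, service) {
  return crypto.pbkdf2Sync(keyfileBytes, service, 100000, 32, 'sha512');
}

// Encrypt one value into the per-entry { iv, ciphertext, tag } shape.
function sealEntry(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh IV per entry; never reuse under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    ciphertext: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt one entry; final() throws when the tag does not verify
// (modified ciphertext, modified IV, or a key derived for another service).
function openEntry(key, entry) {
  const iv = Buffer.from(entry.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(Buffer.from(entry.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(entry.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return pt.toString('utf8');
}

// Atomic write: the complete vault goes to .tmp first, then rename() swaps it
// in, so a crash mid-write cannot leave a truncated vault at the real path.
function writeVaultAtomic(vaultPath, vault) {
  const tmp = vaultPath + '.tmp';
  fs.writeFileSync(tmp, JSON.stringify(vault), { mode: 0o600 }); // mode assumed
  fs.renameSync(tmp, vaultPath);
}

function readVault(vaultPath) {
  return JSON.parse(fs.readFileSync(vaultPath, 'utf8'));
}
```

Because the service name is the salt, the same keyfile yields a different AES key per service, and an entry copied between services fails tag verification instead of decrypting.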