/** * Credential Encryption — AES-256-GCM for sensitive config fields. * * Encryption is ALWAYS ON for local mode: * - If CREDENTIAL_ENCRYPTION_KEY is set, uses that * - Otherwise, auto-generates a key and stores it in ~/.personal-suite/.key * * For SaaS mode, CREDENTIAL_ENCRYPTION_KEY env var is REQUIRED. * * Encrypted values are prefixed with "enc:" to distinguish from plaintext. */ export declare const SENSITIVE_FIELDS: Set; /** * Check if a config key name is sensitive (should be encrypted). */ export declare function isSensitiveField(key: string): boolean; export declare function encrypt(text: string): string; export declare function decrypt(data: string): string; /** * Encrypt all sensitive fields in a config object (recursive). * Call before saving to disk/DB. */ export declare function encryptConfig(obj: Record): Record; /** * Decrypt all sensitive fields in a config object (recursive). * Call after loading from disk/DB. */ export declare function decryptConfig(obj: Record): Record; //# sourceMappingURL=crypto.d.ts.map