# vault: Cryptographic Vault for Native and WASM

`vault` provides a secure, async, and cross-platform cryptographic key management system. It leverages the `kvstore` crate for persistent storage and supports both native (desktop/server) and WASM (browser) environments.

## Features

- **Keyspace management**: Create, unlock, and manage encrypted keyspaces.
- **Keypair operations**: Add, remove, list, export, and use keypairs for signing and verification.
- **End-to-end encryption**: All key material is encrypted at rest using modern ciphers (ChaCha20Poly1305, AES-GCM).
- **Async API**: All operations are async and runtime-agnostic.
- **Cross-platform**: Native uses `sled` via `kvstore::native::NativeStore`, WASM uses IndexedDB via `kvstore::wasm::WasmStore`.
- **Pluggable logging**: Uses the standard `log` crate for logging, with recommended backends for native (`env_logger`) and WASM (`console_log`).

## Logging Best Practices

This crate uses the [`log`](https://docs.rs/log) crate for logging. For native tests, use [`env_logger`](https://docs.rs/env_logger); for WASM tests, use [`console_log`](https://docs.rs/console_log).

- Native (in tests):

  ```rust
  let _ = env_logger::builder().is_test(true).try_init();
  log::info!("test started");
  ```

- WASM (in tests):

  ```rust
  console_log::init_with_level(log::Level::Debug).expect("error initializing logger");
  log::debug!("wasm test started");
  ```

Use `log::debug!`, `log::info!`, `log::error!`, etc., throughout the codebase for consistent and idiomatic logging. Do not prefix messages with `[DEBUG]`, `[ERROR]`, etc.; the log level is handled by the logger.

## Usage Example

```rust
use vault::{Vault, KeyType, KeyMetadata};
use kvstore::native::NativeStore;

#[tokio::main]
async fn main() {
    // Open the native (sled-backed) store and wrap it in a vault.
    let store = NativeStore::open("/tmp/vaultdb").unwrap();
    let mut vault = Vault::new(store);

    let keyspace = "myspace";
    let password = b"secret";

    // Create an encrypted keyspace, selecting "pbkdf2" and "chacha20poly1305" by name.
    vault
        .create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None)
        .await
        .unwrap();

    // Add an Ed25519 keypair to the keyspace and print its identifier.
    let key_id = vault
        .add_keypair(keyspace, password, KeyType::Ed25519, None)
        .await
        .unwrap();
    println!("Created keypair: {}", key_id);
}
```

For WASM/browser, use `kvstore::wasm::WasmStore` and initialize logging with `console_log`.

## Testing

### Native

```sh
cargo test -p vault --features native
```

### WASM

```sh
wasm-pack test --headless --firefox
```

## Security Notes

- All cryptographic operations use vetted RustCrypto crates.
- Password-based key derivation uses PBKDF2 by default (10,000 iterations).
- All sensitive data is encrypted before storage.

## License

MIT OR Apache-2.0