//! # idfoto-core
//!
//! Platform-agnostic core library for the idfoto password manager.
//!
//! This crate is intentionally **bytes-in/bytes-out** -- it performs no filesystem
//! access, no network I/O, and no git operations. All inputs arrive as byte slices
//! or typed structs, and all outputs are returned as byte vectors or typed structs.
//! This design makes the crate portable to WASM, Android (via JNI/UniFFI), and iOS
//! without any conditional compilation or platform shims.
//!
//! ## Modules
//!
//! - [`error`] -- The unified error type ([`IdfotoError`]) used across the crate.
//! - [`crypto`] -- Argon2id key derivation and XChaCha20-Poly1305 authenticated
//!   encryption. This is the low-level "encrypt bytes / decrypt bytes" layer.
//! - [`entry`] -- The vault data model: [`Entry`] (full credential),
//!   [`ManifestEntry`] (searchable index metadata), and [`Manifest`] (the entry
//!   index that lets you list/search without decrypting every entry).
//! - [`vault`] -- Typed wrappers around [`crypto`] that serialize structs to JSON
//!   before encrypting, and deserialize after decrypting.
//! - [`imgsecret`] -- DCT-based steganography for embedding and extracting a
//!   256-bit secret in a JPEG image. This is the novel component that provides the
//!   second authentication factor.
//!
//! ## Crypto pipeline
//!
//! ```text
//! passphrase (UTF-8 bytes) || image_secret (32 bytes from reference JPEG)
//!     -> Argon2id(salt=vault_salt, m=64MiB, t=3, p=4)
//!     -> master_key (32 bytes)
//!     -> XChaCha20-Poly1305(nonce=random 24 bytes)
//!     -> encrypted entry/manifest
//! ```

pub mod error;
pub use error::{IdfotoError, Result};

pub mod crypto;
pub use crypto::{decrypt, derive_master_key, encrypt, KdfParams};

pub mod entry;
pub use entry::{generate_entry_id, Entry, Manifest, ManifestEntry};

pub mod vault;
pub use vault::{decrypt_entry, decrypt_manifest, encrypt_entry, encrypt_manifest};

pub mod imgsecret;