()
| 335 | let cachedSalt: string | null = null; |
| 336 | |
| 337 | function getDeviceSalt(): string { |
| 338 | if (cachedSalt) return cachedSalt; |
| 339 | try { |
| 340 | if (fs.existsSync(SALT_FILE)) { |
| 341 | cachedSalt = fs.readFileSync(SALT_FILE, 'utf8').trim(); |
| 342 | return cachedSalt; |
| 343 | } |
| 344 | } catch { |
| 345 | // fall through to generate |
| 346 | } |
| 347 | try { |
| 348 | mkdirSecure(SECURITY_DIR); |
| 349 | } catch {} |
| 350 | cachedSalt = randomBytes(16).toString('hex'); |
| 351 | try { |
| 352 | writeSecureFile(SALT_FILE, cachedSalt); |
| 353 | } catch { |
| 354 | // Can't persist (read-only fs, disk full). Keep the in-memory salt |
| 355 | // for this process so cross-log correlation still works within a |
| 356 | // session. Next process gets a new salt, but that's a degraded-mode |
| 357 | // acceptable cost. |
| 358 | } |
| 359 | return cachedSalt; |
| 360 | } |
| 361 | |
| 362 | export function hashPayload(payload: string): string { |
| 363 | const salt = getDeviceSalt(); |
no test coverage detected