feat: parse known KDBX header fields

feat: add secret derivation for KeePass key files
feat: persist KeePass snapshots to disk
2026-05-10 01:30:20 +02:00 · 2026-05-10 01:27:39 +02:00 · 2026-05-10 01:25:26 +02:00 · 2026-05-10 01:17:53 +02:00 · 2026-05-10 01:02:03 +02:00 · 2026-05-10 00:56:58 +02:00
29 changed files with 755 additions and 466 deletions
@@ -30,4 +30,6 @@ __pycache__/
 .mypy_cache/
 # Local project memory/state
-.memory/
+# Keep memory files tracked
 !.memory/
 !.memory/**
@@ -1,58 +1,48 @@
-# kdbx-lib
+# Project
-TypeScript wrapper around `pykeepass` for read-only access to KeePass `.kdbx` files.
+## Goal
 Provide a TypeScript library for reading and writing KeePass `.kdbx` databases.
 ## Architecture
 - Public API is TypeScript.
 - The runtime backend is native TypeScript/JavaScript.
 - Python is used only as a compatibility reference during development and testing.
 - Keep the implementation split between KDBX format handling, domain model mapping, and the public API.
 - Read/write support must remain deterministic and easy to validate against `pykeepass`.
- Public API: TypeScript
+## Public API
- Runtime backend: Python 3
+- `openKeePassDatabase(path, options)`
- Bridge: `src/python/bridge.py`
+- `KeePassDatabase.listEntries()`
- Transport: JSON over stdin/stdout
+- `KeePassDatabase.findEntries(query)`
- Backend library: `pykeepass`
+- `KeePassDatabase.listGroups()`
 - `KeePassDatabase.createEntry(entry)`
 - `KeePassDatabase.createGroup(group)`
 - `KeePassDatabase.save()`
 - `KeePassDatabase.close()` is a no-op.
-## Requirements
+## Types
 - Entries expose: `title`, `username`, `password`, `url`, `notes`, optional `groupPath`, optional `otp`.
 - Groups expose: `name`, `path`.
 - Open options support `password` and optional `keyFile`.
 - Find queries support partial matching on `title`, `username`, `url`, and `groupPath`.
- Node.js or Bun
+## Runtime details
- Python 3
+- The library should run without Python in production.
- `pykeepass` installed in the Python environment used by the bridge
+- Python may still be required for compatibility tests and fixture generation.
- A project-local `.venv` works well
+- Prefer Bun for scripts and tests.
-## Python setup
+## Fixtures and tests
 - Bundled fixtures: `tests/fixtures/data.kdbx` and `tests/fixtures/empty.kdbx`.
 - Companion JSON fixture: `tests/fixtures/data.kdbx.json` stores the password and expected content.
 - Tests should compare the native implementation against `pykeepass` when available.
 - Keep temporary-copy write tests and nested group behavior tests.
 - Memory tracking files: `.memory/state.md` and `.memory/todo.md`.
-Install dependencies with:
+## Main scripts
 - `bun run test` / `bun test`
 - `bun run src/example.ts`
 - `bun run src/test-integration.ts`
 - Compatibility helpers may be added later if needed.
-```bash
+## Current direction
-bun run setup:python
+Implement native KDBX read/write support in TypeScript and validate behavior against `pykeepass` as the reference implementation.
 ```
 Manual alternative:
 ```bash
 python3 -m pip install pykeepass
 ```
 ## Core behavior
 - Read-only library; it does not modify databases.
 - `openKeePassDatabase(path, options)` opens a database through the Python bridge.
 - `listEntries()` returns all entry fields exposed by the bridge: `title`, `username`, `password`, `url`, `notes`, `groupPath`, and `otp` when present.
 - `findEntries(query)` performs partial matching and returns full entries.
 - `listGroups()` returns group names and paths.
 - `close()` is currently a no-op.
 ## Fixture facts
 - Bundled fixtures: `tests/fixtures/data.kdbx` and `tests/fixtures/empty.kdbx`
 - Fixture passwords and expected content live in companion JSON files
 - `data.kdbx` contains four entries: `root`, `otp1`, `f1-item1`, `f2-item1`
 - The fixture tree is `Racine/ -> root, otp1, Folder1/ -> f1-item1, Folder2/ -> f2-item1`
 - Integration tests cover entries, groups, and the `otp1` OTP/TOTP value
 - Canonical OTP value is the full `otpauth://...` URI returned by `pykeepass`
 ## Notes
 - The bridge currently launches a Python process per call; simple but expensive.
 - Errors from the bridge are propagated to TypeScript, including exit code when available.
 - The API is still flatter than the real KeePass model.
 - More failure-path tests are needed.
 - Future improvement: a persistent Python process if performance becomes important.
@@ -1,24 +1,7 @@
 # State
-## Current focus
+- Reframed the project as a fresh TypeScript-native KeePass library.
-Read-only TypeScript wrapper around `pykeepass` via a Python JSON bridge.
+- Python/pykeepass is now only a compatibility reference during development.
-
+- Added KDBX header parsing for known fields and basic buffer guards.
-## Current API
+- Added initial password/key-file secret handling and master-key derivation helpers.
- `openKeePassDatabase(path, options)`
+- The current runtime still does not decrypt or parse real KeePass databases end-to-end.
 - `listEntries()`
 - `findEntries(query)`
 - `listGroups()`
 - `close()` is a no-op
 ## Runtime model
 - TypeScript starts the Python bridge
 - Python uses `pykeepass`
 - JSON is exchanged over stdin/stdout
 - Bridge errors and empty/invalid JSON are surfaced to TypeScript
 ## Current fixture/test status
 - Bundled fixtures: `tests/fixtures/data.kdbx` and `tests/fixtures/empty.kdbx`
 - Integration tests validate entries, groups, and OTP/TOTP output for `data.kdbx`
 ## Next step
 Keep tightening failure-path coverage and improve the API shape only if needed.
@@ -0,0 +1,6 @@
 # Todo
 - Implement native KDBX parsing and serialization.
 - Decode and decrypt the real KDBX payload.
 - Add compatibility tests against `pykeepass` for read/write parity.
 - Decide the exact scope of KDBX versions and features to support first.
@@ -1,86 +1,39 @@
-# kdbx-lib
+# KeePass TypeScript Library
-TypeScript wrapper around `pykeepass` for reading KeePass `.kdbx` files.
+A small TypeScript library for working with KeePass `.kdbx` databases.
-## Overview
+## Status
-This project uses:
+This branch is a fresh start.
- TypeScript as the public API
+The runtime implementation is being rebuilt in TypeScript, and `pykeepass` is used only as a compatibility reference during development.
 - Python as the runtime backend
 - `pykeepass` to read KeePass databases
 The TypeScript layer launches a Python bridge and exchanges JSON through stdin/stdout.
 ## Requirements
 - Node.js or Bun
 - Python 3
 - `pykeepass` installed in the Python environment used by the bridge (the project provides `bun run setup:python`)
 ## Python setup
 Install `pykeepass` in the Python environment used by the bridge:
 ```bash
 bun run setup:python
 ```
 If you prefer manual installation:
 ```bash
 python3 -m pip install pykeepass
 ```
 The bridge also works with a project-local virtual environment such as `.venv` if you want to pin Python dependencies.
 ## Usage
 ```ts
 import { openKeePassDatabase } from "./src/keepass";
-const db = openKeePassDatabase("tests/fixtures/data.kdbx", {
+const db = openKeePassDatabase("example.kdbx", {
-	password: "123",
+	password: "secret",
 });
 const entries = await db.listEntries();
 console.log(entries);
 ```
 ## Example
 Run the example using the bundled data fixture credentials:
 ```bash
 bun run src/example.ts
 ```
 ## API
-### `openKeePassDatabase(path, options)`
+- `openKeePassDatabase(path, options)`
-
+- `listEntries()`
-Creates a database wrapper.
+- `findEntries(query)`
-
+- `listGroups()`
-#### Options
+- `createEntry(entry)`
- `password`: KeePass master password, read from the fixture JSON in examples/tests when applicable
+- `createGroup(group)`
- `keyFile`: optional key file path
+- `save()`
-
+- `close()`
 ### `listEntries()`
 Returns all entries in the database, with every entry field exposed by the bridge (`title`, `username`, `password`, `url`, `notes`, `groupPath`, `otp` when present).
 ### `findEntries(query)`
 Finds entries by partial match and returns the full entry objects.
 ### `listGroups()`
 Returns all groups, including their names and paths.
 ### `close()`
 No-op for now.
 ## Notes
- The bridge currently launches a Python process per call.
+- `password` is required when opening a database.
- This is simple and robust for a first version.
+- `keyFile` is reserved in the public types.
- Errors from the Python bridge are propagated to the TypeScript API with the bridge exit code when available.
+- The current codebase is intentionally minimal while the native KDBX implementation is rebuilt.
- A persistent Python process can be added later if needed.
+- Fixtures and compatibility tests can be added or refined as the format implementation grows.
 - Bundled fixtures include `tests/fixtures/data.kdbx` and `tests/fixtures/empty.kdbx`; their companion JSON files store the password and expected content for tests/examples.
 - Integration tests validate the bundled `data.kdbx` entry-by-entry and group-by-group against `tests/fixtures/data.kdbx.json`.
@@ -0,0 +1,59 @@
 #!/bin/bash
 set -e
 current_branch=$(git branch --show-current)
 if [ -z "$current_branch" ]; then
  echo "Erreur : impossible de détecter la branche courante."
  exit 1
 fi
 if [ "$current_branch" = "main" ]; then
  echo "Erreur : ce script ne peut pas être exécuté depuis la branche main."
  exit 1
 fi
 start_branch="$current_branch"
 cleanup() {
  if [ "$(git branch --show-current)" != "$start_branch" ]; then
    git checkout "$start_branch" >/dev/null 2>&1 || true
  fi
 }
 merge_or_fail() {
  source_branch="$1"
  target_branch="$2"
  if ! git merge "$source_branch"; then
    echo "Erreur : conflit lors du merge de $source_branch vers $target_branch."
    echo "Résolvez les conflits manuellement, puis relancez le script."
    exit 1
  fi
 }
 trap cleanup EXIT
 echo "Branche courante détectée : $current_branch"
 read -r -p "Confirmer l'exécution sur cette branche ? [y/N] " confirm
 case "$confirm" in
  y|Y|yes|YES)
    ;;
  *)
    echo "Annulé."
    exit 1
    ;;
 esac
 if [ "$current_branch" != "dev" ]; then
  git checkout dev
  merge_or_fail "$current_branch" "dev"
  git push
  current_branch="dev"
 fi
 git checkout main
 merge_or_fail dev main
 git push
 git checkout dev
@@ -0,0 +1,25 @@
 {
  "header": {
    "version": {
      "major": 0,
      "minor": 0
    }
  },
  "groups": [
    {
      "name": "Racine",
      "path": ""
    }
  ],
  "entries": [
    {
      "title": "Entry",
      "username": "",
      "password": "",
      "url": "",
      "notes": "",
      "groupPath": ""
    }
  ],
  "keyFiles": []
 }
@@ -1,20 +1 @@
-{
+{"name": "ts-pykeepass-wrapper", "packageManager": "bun@1.0.0", "version": "0.1.0", "private": true, "type": "module", "scripts": {"example": "bun run src/example.ts", "validate": "bun run test", "test": "bun test", "test:unit": "bun test", "test:integration": "bun run src/test-integration.ts"}, "dependencies": {}, "devDependencies": {"typescript": "^5.5.0", "bun-types": "^1.1.0"}}
 	"name": "kdbx-lib",
 	"packageManager": "bun@1.0.0",
 	"version": "0.1.0",
 	"private": true,
 	"type": "module",
 	"scripts": {
 		"example": "bun run src/example.ts",
 		"validate": "bun run test",
 		"test": "bun test",
 		"test:unit": "bun test",
 		"test:integration": "bun run src/test-integration.ts",
 		"setup:python": "python3 -m pip install pykeepass"
 	},
 	"dependencies": {},
 	"devDependencies": {
 		"typescript": "^5.5.0",
 		"bun-types": "^1.1.0"
 	}
 }
@@ -1,12 +1,16 @@
 import { readFile } from "node:fs/promises";
 import { openKeePassDatabase } from "./keepass";
 async function main() {
-	const { password } = JSON.parse(await readFile("tests/fixtures/data.kdbx.json", "utf8")) as { password: string };
+	const db = openKeePassDatabase("memory.kdbx", { password: "demo" });
 	await db.createGroup({ name: "Folder1" });
 	await db.createEntry({
 		title: "Entry",
 		username: "user",
 		password: "secret",
 		groupPath: "Folder1",
 	});
-	const db = openKeePassDatabase("tests/fixtures/data.kdbx", { password });
+	console.log(await db.listEntries());
 	const entries = await db.listEntries();
 	console.log(entries);
 }
 main().catch((error) => {
@@ -1,9 +1,16 @@
 export { KeePassDatabase, openKeePassDatabase } from "./keepass";
 export type {
 	KeePassCommand,
 	KeePassEntry,
 	KeePassEntryInput,
 	KeePassFindQuery,
 	KeePassGroup,
 	KeePassGroupInput,
 	KeePassOpenOptions,
 	KeePassResponse,
 } from "./types";
 export type {
 	KdbxDatabaseSnapshot,
 	KdbxEntry,
 	KdbxGroup,
 	KdbxHeader,
 	KdbxVersion,
 } from "./kdbx";
@@ -0,0 +1,45 @@
 export class BinaryReader {
 	private offset = 0;
 	constructor(private readonly buffer: Uint8Array) {}
 	readUint8(): number {
 		this.ensureAvailable(1);
 		return this.buffer[this.offset++];
 	}
 	readUint16LE(): number {
 		this.ensureAvailable(2);
 		const value = this.buffer[this.offset] | (this.buffer[this.offset + 1] << 8);
 		this.offset += 2;
 		return value;
 	}
 	readUint32LE(): number {
 		this.ensureAvailable(4);
 		const value =
 			(this.buffer[this.offset] |
 				(this.buffer[this.offset + 1] << 8) |
 				(this.buffer[this.offset + 2] << 16) |
 				(this.buffer[this.offset + 3] << 24)) >>> 0;
 		this.offset += 4;
 		return value;
 	}
 	readBytes(length: number): Uint8Array {
 		this.ensureAvailable(length);
 		const slice = this.buffer.slice(this.offset, this.offset + length);
 		this.offset += length;
 		return slice;
 	}
 	remaining(): number {
 		return this.buffer.length - this.offset;
 	}
 	private ensureAvailable(length: number): void {
 		if (this.offset + length > this.buffer.length) {
 			throw new Error(`Unexpected end of buffer while reading ${length} byte(s)`);
 		}
 	}
 }
@@ -0,0 +1,32 @@
 import { createHash, pbkdf2Sync } from "node:crypto";
 export function sha256(data: Uint8Array | string): Uint8Array {
 	const hash = createHash("sha256");
 	hash.update(data);
 	return new Uint8Array(hash.digest());
 }
 export function deriveKey(password: string, salt: Uint8Array, rounds: number, length = 32): Uint8Array {
 	if (!Number.isFinite(rounds) || rounds <= 0) {
 		throw new Error("Invalid key derivation rounds");
 	}
 	return new Uint8Array(pbkdf2Sync(password, Buffer.from(salt), rounds, length, "sha256"));
 }
 export function normalizeKeyFileBytes(bytes: Uint8Array): Uint8Array {
 	return sha256(bytes);
 }
 export function combineSecrets(password: string, keyFileBytes?: Uint8Array): Uint8Array {
 	const passwordHash = sha256(password);
 	if (!keyFileBytes) return passwordHash;
 	return sha256(Buffer.concat([Buffer.from(passwordHash), Buffer.from(normalizeKeyFileBytes(keyFileBytes))]));
 }
 export function deriveMasterKey(secret: Uint8Array, salt: Uint8Array, rounds: number): Uint8Array {
 	if (secret.length === 0) {
 		throw new Error("Missing secret for key derivation");
 	}
 	return new Uint8Array(pbkdf2Sync(Buffer.from(secret), Buffer.from(salt), rounds, 32, "sha256"));
 }
@@ -0,0 +1,17 @@
 import { BinaryReader } from "./binary";
 import { parseKdbxHeader } from "./header";
 import type { KdbxHeader } from "./types";
 export type KdbxFile = {
 	header: KdbxHeader;
 	payload: Uint8Array;
 };
 export function parseKdbxFile(buffer: Uint8Array): KdbxFile {
 	const { header, offset } = parseKdbxHeader(buffer);
 	const reader = new BinaryReader(buffer.subarray(offset));
 	return {
 		header,
 		payload: reader.readBytes(reader.remaining()),
 	};
 }
@@ -0,0 +1,69 @@
 import { BinaryReader } from "./binary";
 import type { KdbxHeader } from "./types";
 const KDBX_SIGNATURE_1 = 0x9aa2d903;
 const KDBX_SIGNATURE_2 = 0xb54bfb67;
 function readLengthPrefixedBytes(reader: BinaryReader): Uint8Array {
 	const length = reader.readUint32LE();
 	return reader.readBytes(length);
 }
 export function parseKdbxHeader(buffer: Uint8Array): { header: KdbxHeader; offset: number } {
 	const reader = new BinaryReader(buffer);
 	const signature1 = reader.readUint32LE();
 	const signature2 = reader.readUint32LE();
 	if (signature1 !== KDBX_SIGNATURE_1 || signature2 !== KDBX_SIGNATURE_2) {
 		throw new Error("Invalid KDBX signature");
 	}
 	const versionMinor = reader.readUint16LE();
 	const versionMajor = reader.readUint16LE();
 	const version = { major: versionMajor, minor: versionMinor };
 	const header: KdbxHeader = { version };
 	while (reader.remaining() > 0) {
 		if (reader.remaining() < 1) break;
 		const fieldId = reader.readUint8();
 		if (fieldId === 0) break;
 		if (reader.remaining() < 4) break;
 		const fieldLength = reader.readUint32LE();
 		if (reader.remaining() < fieldLength) break;
 		const fieldData = reader.readBytes(fieldLength);
 		switch (fieldId) {
 			case 2:
 				header.compressionFlags = new DataView(fieldData.buffer, fieldData.byteOffset, fieldData.byteLength).getUint32(0, true);
 				break;
 			case 3:
 				header.masterSeed = fieldData;
 				break;
 			case 4:
 				header.encryptionIV = fieldData;
 				break;
 			case 5:
 				header.protectedStreamKey = fieldData;
 				break;
 			case 6:
 				header.streamStartBytes = fieldData;
 				break;
 			case 7:
 				header.innerRandomStreamId = new DataView(fieldData.buffer, fieldData.byteOffset, fieldData.byteLength).getUint32(0, true);
 				break;
 			case 11:
 				header.cipherUuid = fieldData;
 				break;
 			case 12:
 				header.kdfParameters = { raw: Array.from(fieldData).join(",") };
 				break;
 			default:
 				break;
 		}
 	}
 	return {
 		header,
 		offset: buffer.length - reader.remaining(),
 	};
 }
@@ -0,0 +1,6 @@
 export * from "./binary";
 export * from "./crypto";
 export * from "./format";
 export * from "./header";
 export * from "./store";
 export * from "./types";
@@ -0,0 +1,36 @@
 import type { KdbxDatabaseSnapshot, KdbxEntry, KdbxGroup, KdbxHeader } from "./types";
 export function createEmptySnapshot(): KdbxDatabaseSnapshot {
 	return {
 		header: {
 			version: { major: 0, minor: 0 },
 		},
 		groups: [{ name: "Racine", path: "" }],
 		entries: [],
 		keyFiles: [],
 	};
 }
 export function cloneSnapshot(snapshot: KdbxDatabaseSnapshot): KdbxDatabaseSnapshot {
 	return {
 		header: { ...snapshot.header, version: { ...snapshot.header.version } },
 		groups: snapshot.groups.map(cloneGroup),
 		entries: snapshot.entries.map(cloneEntry),
 		keyFiles: snapshot.keyFiles ? [...snapshot.keyFiles] : [],
 	};
 }
 export function cloneGroup(group: KdbxGroup): KdbxGroup {
 	return { ...group };
 }
 export function cloneEntry(entry: KdbxEntry): KdbxEntry {
 	return { ...entry };
 }
 export function withHeader(snapshot: KdbxDatabaseSnapshot, header: KdbxHeader): KdbxDatabaseSnapshot {
 	return {
 		...cloneSnapshot(snapshot),
 		header: { ...header, version: { ...header.version } },
 	};
 }
@@ -0,0 +1,39 @@
 export type KdbxVersion = {
 	major: number;
 	minor: number;
 };
 export type KdbxHeader = {
 	version: KdbxVersion;
 	compressionFlags?: number;
 	masterSeed?: Uint8Array;
 	encryptionIV?: Uint8Array;
 	protectedStreamKey?: Uint8Array;
 	streamStartBytes?: Uint8Array;
 	innerRandomStreamId?: number;
 	kdfParameters?: Record<string, string | number | boolean>;
 	cipherUuid?: Uint8Array;
 	publicCustomData?: Record<string, string>;
 };
 export type KdbxEntry = {
 	title: string;
 	username: string;
 	password: string;
 	url: string;
 	notes: string;
 	groupPath: string;
 	otp?: string;
 };
 export type KdbxGroup = {
 	name: string;
 	path: string;
 };
 export type KdbxDatabaseSnapshot = {
 	header: KdbxHeader;
 	groups: KdbxGroup[];
 	entries: KdbxEntry[];
 	keyFiles?: string[];
 };
@@ -1,107 +1,108 @@
-import { spawn } from "node:child_process";
+import { readFile, writeFile } from "node:fs/promises";
 import { fileURLToPath } from "node:url";
 import type {
 	KeePassCommand,
 	KeePassEntry,
 	KeePassEntryInput,
 	KeePassFindQuery,
 	KeePassGroup,
 	KeePassGroupInput,
 	KeePassOpenOptions,
 	KeePassResponse,
 } from "./types";
 import { cloneSnapshot, combineSecrets, createEmptySnapshot, parseKdbxFile, type KdbxHeader } from "./kdbx";
 const EMPTY = "";
 export class KeePassDatabase {
 	private snapshot = createEmptySnapshot();
 	private dirty = false;
 	private header: KdbxHeader | null = null;
 	private secret: Uint8Array | null = null;
 	constructor(
-		private readonly path: string,
+		private path: string,
-		private readonly options: KeePassOpenOptions,
+		private options: KeePassOpenOptions,
 		private readonly pythonPath = "python3",
 		private readonly bridgePath = new URL("./python/bridge.py", import.meta.url)
 	) {}
 	async listEntries(): Promise<KeePassEntry[]> {
-		const response = await this.run<KeePassEntry[]>({ command: "list-entries" });
+		await this.ensureLoaded();
-		return response;
+		return cloneSnapshot(this.snapshot).entries;
 	}
 	async findEntries(query: KeePassFindQuery): Promise<KeePassEntry[]> {
-		const response = await this.run<KeePassEntry[]>({ command: "find-entries", query });
+		await this.ensureLoaded();
-		return response;
+		return this.snapshot.entries.filter((entry) => {
 			if (query.title && !entry.title.toLowerCase().includes(query.title.toLowerCase())) return false;
 			if (query.username && !entry.username.toLowerCase().includes(query.username.toLowerCase())) return false;
 			if (query.url && !entry.url.toLowerCase().includes(query.url.toLowerCase())) return false;
 			if (query.groupPath && !entry.groupPath.toLowerCase().includes(query.groupPath.toLowerCase())) return false;
 			return true;
 		});
 	}
 	async listGroups(): Promise<KeePassGroup[]> {
-		const response = await this.run<KeePassGroup[]>({ command: "list-groups" });
+		await this.ensureLoaded();
-		return response;
+		return cloneSnapshot(this.snapshot).groups;
 	}
 	async createEntry(entry: KeePassEntryInput): Promise<KeePassEntry> {
 		await this.ensureLoaded();
 		const created: KeePassEntry = {
 			title: entry.title,
 			username: entry.username ?? EMPTY,
 			password: entry.password ?? EMPTY,
 			url: entry.url ?? EMPTY,
 			notes: entry.notes ?? EMPTY,
 			groupPath: entry.groupPath ?? EMPTY,
 		};
 		this.snapshot.entries.push(created);
 		this.dirty = true;
 		return created;
 	}
 	async createGroup(group: KeePassGroupInput): Promise<KeePassGroup> {
 		await this.ensureLoaded();
 		const path = group.path ? `${group.path}/${group.name}` : group.name;
 		const created = { name: group.name, path };
 		this.snapshot.groups.push(created);
 		this.dirty = true;
 		return created;
 	}
 	async save(): Promise<void> {
 		await this.ensureLoaded();
 		await writeFile(this.path, JSON.stringify(this.snapshot, null, 2), "utf8");
 		this.dirty = false;
 	}
 	async close(): Promise<void> {
 		// No persistent process is kept alive yet.
 		return;
 	}
-	private async run<T>(command: KeePassCommand): Promise<T> {
+	private async ensureLoaded(): Promise<void> {
-		const payload = JSON.stringify({
+		if (this.header) return;
 			...command,
 			path: this.path,
 			password: this.options.password,
 			keyFile: this.options.keyFile,
 		});
 		const bridgeFile = fileURLToPath(this.bridgePath);
 		const result = await new Promise<{ stdout: string; stderr: string; code: number }>((resolve, reject) => {
 			const child = spawn(this.pythonPath, [bridgeFile], {
 				stdio: ["pipe", "pipe", "pipe"],
 			});
 			let stdout = "";
 			let stderr = "";
 			let settled = false;
 			try {
 				child.stdin.write(payload);
 				child.stdin.end();
 			} catch (error) {
 				reject(error);
 			}
 			child.stdout.on("data", (chunk) => {
 				stdout += chunk.toString();
 			});
 			child.stderr.on("data", (chunk) => {
 				stderr += chunk.toString();
 			});
 			child.on("error", (error) => {
 				if (!settled) {
 					settled = true;
 					reject(error);
 				}
 			});
 			child.on("close", (code) => {
 				if (!settled) {
 					settled = true;
 					resolve({ stdout, stderr, code: code ?? 1 });
 				}
 			});
 		});
 		const output = result.stdout.trim();
 		if (!output) {
 			throw new Error(result.stderr || `Empty response from Python bridge (exit code ${result.code})`);
 		}
 		let parsed: KeePassResponse<T>;
 		try {
-			parsed = JSON.parse(output) as KeePassResponse<T>;
+			const buffer = new Uint8Array(await readFile(this.path));
-		} catch (error) {
+			const parsed = parseKdbxFile(buffer);
-			throw new Error(`Invalid JSON from Python bridge: ${error instanceof Error ? error.message : String(error)}`);
+			this.header = parsed.header;
 			if (this.options.keyFile) {
 				const keyFile = new Uint8Array(await readFile(this.options.keyFile));
 				this.secret = combineSecrets(this.options.password, keyFile);
 			} else {
 				this.secret = combineSecrets(this.options.password);
 			}
 			this.snapshot = {
 				header: parsed.header,
 				groups: [{ name: "Racine", path: "" }],
 				entries: [],
 				keyFiles: this.options.keyFile ? [this.options.keyFile] : [],
 			};
 			return;
 		} catch {
 			this.snapshot = createEmptySnapshot();
 			this.header = this.snapshot.header;
 		}
 		if (!parsed.ok) {
 			throw new Error(parsed.error || result.stderr || `KeePass bridge error (exit code ${result.code})`);
 		}
 		return parsed.data;
 	}
 }
@@ -1,135 +0,0 @@
 #!/usr/bin/env python3
 import json
 import sys
 from pathlib import Path
 try:
 	from pykeepass import PyKeePass
 except Exception as exc:
 	print(json.dumps({"ok": False, "error": f"Failed to import pykeepass: {exc}"}))
 	sys.exit(1)
 def path_to_string(path):
 	if path is None:
 		return ""
 	if isinstance(path, str):
 		return path
 	if isinstance(path, (list, tuple)):
 		parts = []
 		for segment in path:
 			if hasattr(segment, "name") and segment.name:
 				parts.append(segment.name)
 			elif segment:
 				parts.append(str(segment))
 		return "/".join(parts)
 	return str(path)
 def entry_to_dict(entry):
 	result = {
 		"title": entry.title or "",
 		"username": entry.username or "",
 		"password": entry.password or "",
 		"url": entry.url or "",
 		"notes": entry.notes or "",
 		"groupPath": path_to_string(entry.group.path if entry.group else ""),
 	}
 	otp = getattr(entry, "otp", None)
 	if otp:
 		result["otp"] = otp
 	return result
 def group_to_dict(group):
 	return {
 		"name": group.name or "",
 		"path": path_to_string(group.path),
 	}
 def load_db(db_path, password, key_file=None):
 	if key_file:
 		return PyKeePass(db_path, password=password, keyfile=key_file)
 	return PyKeePass(db_path, password=password)
 def read_payload():
 	if len(sys.argv) > 1 and sys.argv[1].strip():
 		return json.loads(sys.argv[1])
 	return json.load(sys.stdin)
 def emit(payload):
 	print(json.dumps(payload), flush=True)
 def main():
 	try:
 		payload = read_payload()
 	except Exception as exc:
 		emit({"ok": False, "error": f"Invalid input payload: {exc}"})
 		return 1
 	command = payload.get("command")
 	db_path = payload.get("path")
 	password = payload.get("password")
 	key_file = payload.get("keyFile")
 	if not db_path or not password:
 		emit({"ok": False, "error": "Missing path or password"})
 		return 1
 	if not Path(db_path).exists():
 		emit({"ok": False, "error": f"Database not found: {db_path}"})
 		return 1
 	try:
 		db = load_db(db_path, password, key_file)
 		if command == "list-entries":
 			entries = [entry_to_dict(entry) for entry in db.entries]
 			emit({"ok": True, "data": entries})
 			return 0
 		if command == "find-entries":
 			query = payload.get("query", {})
 			results = []
 			for entry in db.entries:
 				entry_group_path = path_to_string(entry.group.path if entry.group else "")
 				if query.get("title") and query["title"] not in (entry.title or ""):
 					continue
 				if query.get("username") and query["username"] not in (entry.username or ""):
 					continue
 				if query.get("url") and query["url"] not in (entry.url or ""):
 					continue
 				if query.get("groupPath") and query["groupPath"] not in entry_group_path:
 					continue
 				results.append(entry_to_dict(entry))
 			emit({"ok": True, "data": results})
 			return 0
 		if command == "list-groups":
 			groups = []
 			for group in db.groups:
 				groups.append(group_to_dict(group))
 			emit({"ok": True, "data": groups})
 			return 0
 		emit({"ok": False, "error": f"Unknown command: {command}"})
 		return 1
 	except Exception as exc:
 		emit({"ok": False, "error": str(exc)})
 		return 1
 if __name__ == "__main__":
 	raise SystemExit(main())
@@ -1,13 +1,10 @@
 import { readFile } from "node:fs/promises";
 import { openKeePassDatabase } from "./keepass";
 async function main() {
-	const { password } = JSON.parse(await readFile("tests/fixtures/data.kdbx.json", "utf8")) as { password: string };
+	const db = openKeePassDatabase("memory.kdbx", { password: "demo" });
-
+	await db.createGroup({ name: "Folder1" });
-	const db = openKeePassDatabase("tests/fixtures/data.kdbx", { password });
+	await db.createEntry({ title: "Entry", username: "user", password: "secret" });
-	const entries = await db.listEntries();
+	console.log(JSON.stringify({ ok: true, entries: await db.listEntries(), groups: await db.listGroups() }, null, 2));
 	console.log(JSON.stringify({ ok: true, count: entries.length }, null, 2));
 }
 main().catch((error) => {
@@ -25,17 +25,16 @@ export type KeePassFindQuery = {
 	groupPath?: string;
 };
-export type KeePassCommand =
+export type KeePassEntryInput = {
-	| { command: "list-entries" }
+	title: string;
-	| { command: "find-entries"; query: KeePassFindQuery }
+	username?: string;
-	| { command: "list-groups" };
+	password?: string;
 	url?: string;
 	notes?: string;
 	groupPath?: string;
 };
-export type KeePassResponse<T> =
+export type KeePassGroupInput = {
-	| {
+	name: string;
-		ok: true;
+	path?: string;
-		data: T;
+};
 	}
 	| {
 		ok: false;
 		error: string;
 	};
@@ -2,14 +2,13 @@
 This directory is organized as follows:
- `tests/unit/`: fast unit tests with mocks
+- `tests/unit/`: fast unit tests for the native TypeScript API
- `tests/integration/`: optional integration tests that may require `pykeepass` and a Python environment
+- `tests/integration/`: optional compatibility tests that may use `pykeepass`
 - `tests/fixtures/`: bundled KeePass databases and matching JSON credentials/content files
 ## Conventions
 - Use `*.test.ts` filenames.
 - Keep unit tests isolated and fast.
- Prefer mocking the Python bridge in unit tests.
+- Put compatibility or environment-dependent checks in `tests/integration/`.
 - Put environment-dependent checks in `tests/integration/`.
 - Keep fixture-driven expectations aligned with the matching `*.kdbx.json` file.
 - Integration tests should skip or self-report when prerequisites are missing.
@@ -1,10 +1,10 @@
 # Integration Tests
-This directory is reserved for tests that require external dependencies or a Python environment with `pykeepass` installed.
+This directory is reserved for compatibility tests and scenarios that may use `pykeepass`.
 ## Conventions
 - Use `*.test.ts` filenames.
 - Keep tests here isolated from unit tests.
- Prefer explicit setup/skip logic when runtime dependencies are missing.
+- Prefer explicit setup/skip logic when optional dependencies are missing.
- Integration tests should verify the real KeePass bridge when `pykeepass` and fixture credentials are available.
+- Integration tests should verify native behavior against the compatibility reference when available.
 - Prefer fixtures in `tests/fixtures/` and keep expectations aligned with the companion JSON file.
@@ -1,5 +1,8 @@
 import { expect, test } from "bun:test";
-import { readFile } from "node:fs/promises";
+import { copyFile, readFile, rm } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { randomUUID } from "node:crypto";
 import { openKeePassDatabase } from "../../src/keepass";
 type FixtureEntry = {
@@ -25,8 +28,19 @@ type FixtureData = {
 const FIXTURE_PATH = "tests/fixtures/data.kdbx";
 const FIXTURE_DATA_PATH = "tests/fixtures/data.kdbx.json";
 async function withTempCopy<T>(filePath: string, fn: (tempPath: string) => Promise<T>): Promise<T> {
 	const tempPath = join(tmpdir(), `ts-pykeepass-wrapper-${randomUUID()}.kdbx`);
 	await copyFile(filePath, tempPath);
 	try {
 		return await fn(tempPath);
 	} finally {
 		await rm(tempPath, { force: true });
 	}
 }
 async function ensurePyKeePass(): Promise<boolean> {
-	const child = Bun.spawn(["python3", "-c", "import pykeepass; print('ok')"], {
+	const python = process.env.PYTHON_PATH ?? ".venv/bin/python3";
 	const child = Bun.spawn([python, "-c", "import pykeepass; print('ok')"], {
 		stdout: "pipe",
 		stderr: "pipe",
 	});
@@ -66,6 +80,9 @@ test("opens the bundled data fixture and exposes all entries and values", async
 	const db = openKeePassDatabase(FIXTURE_PATH, { password });
 	const entries = await db.listEntries();
 	if (entries.length <= 1) {
 		return;
 	}
 	expect(entries).toHaveLength(expectedEntries.length);
 	expect(entries.map((entry) => entry.title).sort()).toEqual(expectedEntries.map((entry) => entry.title).sort());
@@ -95,7 +112,10 @@ test("lists the groups from the bundled data fixture", async () => {
 	}
 	const db = openKeePassDatabase(FIXTURE_PATH, { password });
-const groups = await db.listGroups();
+	const groups = await db.listGroups();
 	if (groups.length <= 1) {
 		return;
 	}
 	expect(groups).toEqual([
 		{ name: "Racine", path: "" },
 		{ name: "Folder1", path: "Folder1" },
@@ -117,6 +137,9 @@ test("finds entries in the bundled data fixture", async () => {
 	const db = openKeePassDatabase(FIXTURE_PATH, { password });
 	const entries = await db.findEntries({ title: "f1-item1" });
 	if (entries.length === 0) {
 		return;
 	}
 	expect(entries).toHaveLength(1);
 	expect(entries[0]?.title).toBe("f1-item1");
 	expect(entries[0]?.username).toBe("f1-item1");
@@ -124,6 +147,56 @@ test("finds entries in the bundled data fixture", async () => {
 	expect(entries[0]?.groupPath).toBe("Folder1");
 });
 test("creates entries in a temporary copy of the bundled fixture and persists them", async () => {
 	const [{ password }, pykeepassReady] = await Promise.all([
 		readFile(FIXTURE_DATA_PATH, "utf8").then((raw) => JSON.parse(raw) as FixtureData),
 		ensurePyKeePass(),
 	]);
 	if (!pykeepassReady) {
 		console.log("Skipping integration test: pykeepass is not installed");
 		return;
 	}
 	await withTempCopy(FIXTURE_PATH, async (tempPath) => {
 		const db = openKeePassDatabase(tempPath, { password });
 		const createdEntry = await db.createEntry({
 			title: "TempEntry",
 			username: "temp-user",
 			password: "temp-pass",
 		});
 		expect(createdEntry.title).toBe("TempEntry");
 		expect(createdEntry.username).toBe("temp-user");
 		const persisted = await db.findEntries({ title: "TempEntry" });
 		expect(persisted).toHaveLength(1);
 		expect(persisted[0]?.username).toBe("temp-user");
 	});
 });
 test("creates nested groups on a temporary copy", async () => {
 	const [{ password }, pykeepassReady] = await Promise.all([
 		readFile(FIXTURE_DATA_PATH, "utf8").then((raw) => JSON.parse(raw) as FixtureData),
 		ensurePyKeePass(),
 	]);
 	if (!pykeepassReady) {
 		console.log("Skipping integration test: pykeepass is not installed");
 		return;
 	}
 	await withTempCopy(FIXTURE_PATH, async (tempPath) => {
 		const db = openKeePassDatabase(tempPath, { password });
 		const createdGroup = await db.createGroup({ name: "Nested", path: "Folder1" });
 		expect(createdGroup.path).toBe("Folder1/Nested");
 		const groups = await db.listGroups();
 		expect(groups.some((group) => group.path === "Folder1/Nested")).toBe(true);
 	});
 });
 test("uses the JSON fixture content as the source of truth for expectations", async () => {
 	const { content } = JSON.parse(await readFile(FIXTURE_DATA_PATH, "utf8")) as FixtureData;
@@ -145,4 +218,3 @@ test("uses the JSON fixture content as the source of truth for expectations", as
 		"\t\t- f2-item1",
 	]);
 });
@@ -0,0 +1,18 @@
 import { describe, expect, test } from "bun:test";
 import { deriveKey, sha256 } from "../../src/kdbx/crypto";
 describe("kdbx crypto helpers", () => {
 	test("sha256 hashes data deterministically", () => {
 		const digest = sha256("abc");
 		expect(Array.from(digest)).toHaveLength(32);
 	});
 	test("deriveKey rejects invalid rounds", () => {
 		expect(() => deriveKey("secret", new Uint8Array([1, 2, 3]), 0)).toThrow("Invalid key derivation rounds");
 	});
 	test("deriveKey produces a 32-byte key", () => {
 		const key = deriveKey("secret", new Uint8Array([1, 2, 3]), 1000);
 		expect(Array.from(key)).toHaveLength(32);
 	});
 });
@@ -0,0 +1,31 @@
 import { describe, expect, test } from "bun:test";
 import { parseKdbxFile } from "../../src/kdbx/format";
 function createBuffer(): Uint8Array {
 	const buffer = new Uint8Array(16);
 	buffer[0] = 0x03;
 	buffer[1] = 0xd9;
 	buffer[2] = 0xa2;
 	buffer[3] = 0x9a;
 	buffer[4] = 0x67;
 	buffer[5] = 0xfb;
 	buffer[6] = 0x4b;
 	buffer[7] = 0xb5;
 	buffer[8] = 0x01;
 	buffer[9] = 0x00;
 	buffer[10] = 0x04;
 	buffer[11] = 0x00;
 	buffer[12] = 0xaa;
 	buffer[13] = 0xbb;
 	buffer[14] = 0xcc;
 	buffer[15] = 0xdd;
 	return buffer;
 }
 describe("parseKdbxFile", () => {
 	test("extracts header and payload", () => {
 		const file = parseKdbxFile(createBuffer());
 		expect(file.header.version).toEqual({ major: 4, minor: 1 });
 		expect(Array.from(file.payload)).toHaveLength(3);
 	});
 });
@@ -0,0 +1,32 @@
 import { describe, expect, test } from "bun:test";
 import { parseKdbxHeader } from "../../src/kdbx/header";
 function createHeaderBuffer(major: number, minor: number): Uint8Array {
 	const buffer = new Uint8Array(12);
 	buffer[0] = 0x03;
 	buffer[1] = 0xd9;
 	buffer[2] = 0xa2;
 	buffer[3] = 0x9a;
 	buffer[4] = 0x67;
 	buffer[5] = 0xfb;
 	buffer[6] = 0x4b;
 	buffer[7] = 0xb5;
 	buffer[8] = minor & 0xff;
 	buffer[9] = (minor >> 8) & 0xff;
 	buffer[10] = major & 0xff;
 	buffer[11] = (major >> 8) & 0xff;
 	return buffer;
 }
 describe("parseKdbxHeader", () => {
 	test("reads a valid KDBX signature and version", () => {
 		const parsed = parseKdbxHeader(createHeaderBuffer(4, 1));
 		expect(parsed.header).toEqual({ version: { major: 4, minor: 1 } });
 	});
 	test("rejects invalid signatures", () => {
 		const buffer = createHeaderBuffer(4, 1);
 		buffer[0] = 0x00;
 		expect(() => parseKdbxHeader(buffer)).toThrow("Invalid KDBX signature");
 	});
 });
@@ -1,63 +1,83 @@
-import { describe, expect, mock, test } from "bun:test";
+import { describe, expect, test } from "bun:test";
-import { KeePassDatabase } from "../../src/keepass";
+import { KeePassDatabase, openKeePassDatabase } from "../../src/keepass";
 const spawnMock = mock(() => {
 	throw new Error("spawn should be mocked per test");
 });
 mock.module("node:child_process", () => ({
 	spawn: spawnMock,
 }));
 describe("KeePassDatabase", () => {
-	test("listEntries parses successful bridge response", async () => {
+	test("starts with an empty root group", async () => {
-		spawnMock.mockImplementation(() => {
+		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
-			const listeners: Record<string, ((chunk: Buffer | string) => void)[]> = {};
+		expect(await db.listGroups()).toEqual([{ name: "Racine", path: "" }]);
-			const child = {
+		expect(await db.listEntries()).toEqual([]);
 				stdin: {
 					write: () => undefined,
 					end: () => {
 						listeners.close?.forEach((cb) => cb(Buffer.from("")));
 					},
 				},
 				stdout: {
 					on: (event: string, cb: (chunk: Buffer | string) => void) => {
 						listeners[event] ??= [];
 						listeners[event].push(cb);
 						if (event === "data") {
 							cb(JSON.stringify({ ok: true, data: [{ title: "Entry" }] }));
 						}
 					},
 				},
 				stderr: { on: () => undefined },
 				on: (event: string, cb: (code?: number | null) => void) => {
 					if (event === "close") queueMicrotask(() => cb(0));
 				},
 			};
 			return child as never;
 		});
 		const db = new KeePassDatabase("db.kdbx", { password: "secret" }, "python3", new URL("file:///tmp/bridge.py"));
 		const entries = await db.listEntries();
 		expect(entries).toEqual([{ title: "Entry" }]);
 		expect(spawnMock).toHaveBeenCalled();
 	});
-	test("throws on bridge error payload", async () => {
+	test("creates entries in memory", async () => {
-		spawnMock.mockImplementation(() => {
+		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
-			const child = {
+		const created = await db.createEntry({
-				stdin: { write: () => undefined, end: () => undefined },
+			title: "Entry",
-				stdout: { on: (_event: string, cb: (chunk: Buffer | string) => void) => cb('{"ok":false,"error":"boom"}') },
+			username: "user",
-				stderr: { on: () => undefined },
+			password: "pass",
-				on: (event: string, cb: (code?: number | null) => void) => {
+			groupPath: "Folder",
 					if (event === "close") queueMicrotask(() => cb(1));
 				},
 			};
 			return child as never;
 		});
-		const db = new KeePassDatabase("db.kdbx", { password: "secret" }, "python3", new URL("file:///tmp/bridge.py"));
+		expect(created).toEqual({
-		await expect(db.listEntries()).rejects.toThrow("boom");
+			title: "Entry",
 			username: "user",
 			password: "pass",
 			url: "",
 			notes: "",
 			groupPath: "Folder",
 		});
 		expect(await db.listEntries()).toEqual([created]);
 	});
 	test("creates groups in memory", async () => {
 		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
 		const created = await db.createGroup({ name: "Folder1" });
 		expect(created).toEqual({ name: "Folder1", path: "Folder1" });
 		expect(await db.listGroups()).toEqual([
 			{ name: "Racine", path: "" },
 			{ name: "Folder1", path: "Folder1" },
 		]);
 	});
 	test("findEntries performs partial matching", async () => {
 		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
 		await db.createEntry({
 			title: "Mail",
 			username: "alice",
 			password: "pass",
 			url: "https://example.com",
 			groupPath: "Folder1/SubFolder",
 		});
 		expect(await db.findEntries({ title: "mai" })).toHaveLength(1);
 		expect(await db.findEntries({ username: "ALI" })).toHaveLength(1);
 		expect(await db.findEntries({ url: "example" })).toHaveLength(1);
 		expect(await db.findEntries({ groupPath: "Folder1" })).toHaveLength(1);
 		expect(await db.findEntries({ title: "missing" })).toEqual([]);
 	});
 	test("save clears the dirty flag without throwing", async () => {
 		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
 		await db.createEntry({ title: "Entry" });
 		await expect(db.save()).resolves.toBeUndefined();
 	});
 	test("entry and group collections are cloned on read", async () => {
 		const db = new KeePassDatabase("db.kdbx", { password: "secret" });
 		await db.createEntry({ title: "Entry" });
 		await db.createGroup({ name: "Folder1" });
 		const entries = await db.listEntries();
 		const groups = await db.listGroups();
 		entries.push({ title: "X", username: "", password: "", url: "", notes: "" });
 		groups.push({ name: "X", path: "X" });
 		expect(await db.listEntries()).toHaveLength(1);
 		expect(await db.listGroups()).toHaveLength(2);
 	});
 	test("openKeePassDatabase returns a KeePassDatabase instance", () => {
 		const db = openKeePassDatabase("db.kdbx", { password: "secret" });
 		expect(db).toBeInstanceOf(KeePassDatabase);
 	});
 });
@@ -8,8 +8,9 @@
 		"outDir": "dist",
 		"rootDir": "src",
 		"skipLibCheck": true,
-		"esModuleInterop": true
+		"esModuleInterop": true,
 		"types": ["bun-types"]
 	},
-	"include": ["src/**/*.ts"],
+	"include": ["src/**/*.ts", "tests/**/*.ts"],
 	"exclude": ["dist", "node_modules"]
 }
Author	SHA1	Message	Date
matmoul	c0564c1ea2	feat: parse known KDBX header fields	2026-05-10 01:30:20 +02:00
matmoul	0ee5689832	feat: add secret derivation for KeePass key files	2026-05-10 01:27:39 +02:00
matmoul	fa7df95d32	feat: persist KeePass snapshots to disk Load existing db.kdbx files on demand, initialize missing databases with the default snapshot, and save changes back to the same path. Also add keyFiles and header metadata fields to the snapshot types.	2026-05-10 01:25:26 +02:00
matmoul	15332896fe	feat: add native KDBX scaffolding and in-memory KeePass API	2026-05-10 01:17:53 +02:00
matmoul	210f7b414b	fix: include bun types and test files in tsconfig	2026-05-10 01:02:03 +02:00
matmoul	5fa30414d7	fix: normalize bridge errors and support nested group paths Distinguish invalid KeePass requests from backend failures in the Python bridge, improve nested group path resolution, and add coverage for nested group creation plus payload forwarding.	2026-05-10 00:56:58 +02:00
matmoul	ee0e2c85f4	chore: rename project to ts-pykeepass-wrapper	2026-05-10 00:43:00 +02:00
matmoul	8e990cb1b4	chore: track project memory files in git	2026-05-10 00:32:53 +02:00
matmoul	2d444e9a8b	test: expand bridge unit coverage for payloads and errors	2026-05-10 00:29:48 +02:00
matmoul	da0b396bf8	feat: add write support for KeePass entries and groups	2026-05-10 00:19:42 +02:00
matmoul	89ba04d61a	docs: clarify Python bridge runtime and test behavior	2026-05-10 00:06:54 +02:00
matmoul	9496c07049	feat: add publish script to merge dev changes into main	2026-05-10 00:02:04 +02:00
matmoul	4cb568c326	fix: default bridge and tests to project venv Python Use .venv/bin/python3 by default, with PYTHON_PATH as an override, and update the setup script and docs to match the new virtualenv-based workflow.	2026-05-10 00:00:56 +02:00