# API
## Types
- `EncryptedStore`: sled-backed encrypted key-value store.
- `MasterKey`: 32-byte key that zeroizes on drop.
- `KeyProvider`: trait returning or creating a `MasterKey`.
## Open
`EncryptedStore::open(path, namespace, provider)` opens or initializes a store at `path`, binds encryption to `namespace`, and retrieves a master key from `provider`.
## Operations
- `put(key, value)`: encrypts and stores `value`. Keys must be non-empty, at most 256 bytes, and contain no control characters.
- `get(key) -> Option<Vec<u8>>`: decrypts and returns the stored value if present.
- `delete(key) -> bool`: removes a key and returns whether it existed.
- `flush()`: forces the backend to persist changes.
## Key providers
- File-sealed (`provider-file-sealed`): sealed blob plus salt in the storage directory.
- Password-wrapped (`provider-password`): wraps the master key with an Argon2id-derived key using application-supplied password bytes.
- Foreign (`provider-foreign`): application supplies the master key from an external source (mobile keystore, HSM, or KMS).
- OS vault providers (optional features per platform): DPAPI, macOS Keychain, Linux Secret Service.
## Errors
All functions return `Result<T, EnigmaStorageError>`. Providers and storage code avoid panics; errors are explicit and recoverable where possible.