pub struct PrivacyVault {
pub keys: MasterKeySet,
pub state: ClientStateTable,
pub config: VolumeConfig,
}

Fields
keys: MasterKeySet
state: ClientStateTable
config: VolumeConfig

Implementations
impl PrivacyVault
pub fn new( password: &str, salt: &[u8; 16], config: VolumeConfig, ) -> Result<Self, VaultError>
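Create a new vault from a user password and a 16-byte random salt.
The salt must be generated once, from a cryptographically secure random number generator (the example uses `rand::thread_rng()`), and stored alongside the encrypted state blob — it is NOT secret, but it must be consistent across sessions: `from_exported` takes the password and the salt again when restoring the vault.
In the example, the password is a literal for illustration only, and the `Result` returned by `new` still has to be handled.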
use rose_squared_sdk::PrivacyVault;
use rand::RngCore;
let mut salt = [0u8; 16];
rand::thread_rng().fill_bytes(&mut salt);
let vault = PrivacyVault::new("correct-horse-battery-staple", &salt, Default::default());
pub fn from_exported( password: &str, salt: &[u8; 16], blob: &[u8], config: VolumeConfig, ) -> Result<Self, VaultError>
Restore a vault from a previously exported state blob.
pub async fn add_document<S: EncryptedStore>( &mut self, keywords: &[&str], doc_id: Uuid, store: &S, ) -> Result<(), VaultError>
Index a document under one or more keywords.
Sends one EDB entry per keyword to the store. The store never sees the keywords or the document ID in plaintext; it can still observe how many entries a call writes, which is one per keyword passed.
doc_id should be your application’s stable identifier for the document
(e.g., the UUID of the file in your encrypted document store).
pub async fn delete_document<S: EncryptedStore>( &mut self, keyword: &str, doc_id: Uuid, store: &S, ) -> Result<(usize, usize), VaultError>
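Remove a document from one keyword’s result set. A document indexed under several keywords (see `add_document`) stays in the result sets of the other keywords until `delete_document` is called for each of them.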
This performs a Backward-Security Type-II delete:
• The epoch for this keyword is bumped.
• All surviving entries are atomically re-written under the new epoch.
• Old epoch entries are deleted.
After this call, any previously issued search tokens for this keyword are invalid — they address old-epoch tags which are now gone.
pub async fn search<S: EncryptedStore>( &self, keyword: &str, store: &S, ) -> Result<Vec<Uuid>, VaultError>
Search for all documents indexed under keyword.
The keyword never leaves the client in plaintext. The server returns opaque ciphertexts; the client decrypts them here.
Returns document UUIDs sorted newest-first.
With SWiSSSE enabled (default), every search fetches exactly `n_max` tags from the server, hiding the true result count.
pub async fn search_with_metadata<S: EncryptedStore>( &self, keyword: &str, store: &S, ) -> Result<Vec<SearchResult>, VaultError>
Search and return full SearchResult (doc_id + timestamp).
pub fn export_state(&self) -> Result<Vec<u8>, VaultError>
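Export the encrypted client state as a byte blob.
Store this in IndexedDB, a file, or any persistent medium. It is AES-256-GCM encrypted with K_state — safe to store in the cloud. Restoring it with `from_exported` takes the password and the salt, and the salt is not secret, so the blob's confidentiality rests on the strength of the password.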