Signed-off-by: Matt Bruce <mbrucedogs@gmail.com>

Proposal.md

@@ -20,31 +20,41 @@ Create a single, typed, discoverable namespace for persisted app data with consi
 - **StorageKey** protocol - Defines storage configuration for each data type
 - **StorageRouter** actor - Main entry point coordinating all storage operations
 - **StorageProviding** protocol - Abstraction for storage operations
+- **StorageKeyCatalog** protocol - Catalog of keys for auditing/validation
 
 ### Isolated Helper Classes (Actors)
 Each helper is a dedicated actor providing thread-safe access to a specific storage domain:
 
 - **KeychainHelper** - All keychain operations (set, get, delete, exists, deleteAll)
-- **EncryptionHelper** - AES-256-GCM encryption with PBKDF2 key derivation
-- **FileStorageHelper** - File system operations (read, write, delete, list, size)
-- **UserDefaultsHelper** - UserDefaults operations with suite support
+- **EncryptionHelper** - AES-256-GCM or ChaCha20-Poly1305 with PBKDF2/HKDF
+- **FileStorageHelper** - File system operations (read, write, delete, list, size), including App Group containers
+- **UserDefaultsHelper** - UserDefaults operations with suite and App Group support
 - **SyncHelper** - WatchConnectivity sync operations
 
 ### Models
-- **StorageDomain** - userDefaults, keychain, fileSystem, encryptedFileSystem
-- **SecurityPolicy** - none, keychain (with accessibility/accessControl), encrypted (AES-256)
-- **Serializer** - JSON, property list, raw Data, or custom encode/decode
+- **StorageDomain** - userDefaults, appGroupUserDefaults, keychain, fileSystem, encryptedFileSystem, appGroupFileSystem
+- **SecurityPolicy** - none, keychain (with accessibility/accessControl), encrypted (AES-256 or ChaCha20-Poly1305)
+- **Serializer** - JSON, property list, raw Data, or custom encode/decode with named serializer metadata
+- **KeyMaterialSource** - Identifier for external key material providers
 - **PlatformAvailability** - all, phoneOnly, watchOnly, phoneWithWatchSync
 - **SyncPolicy** - never, manual, automaticSmall
 - **KeychainAccessibility** - All 7 iOS options (whenUnlocked, afterFirstUnlock, etc.)
 - **KeychainAccessControl** - All 6 options (userPresence, biometryAny, devicePasscode, etc.)
 - **FileDirectory** - documents, caches, custom URL
 - **StorageError** - Comprehensive error types
+- **StorageKeyDescriptor** - Audit snapshot of a key’s storage metadata
+- **AnyStorageKey** - Type-erased storage key for catalogs
 - **AnyCodable** - Type-erased Codable for mixed-type payloads
 
 ## Usage Pattern
 Apps extend StorageKeys with their own key types and use StorageRouter.shared. This follows the Notification.Name pattern for discoverable keys.
 
+## Audit & Validation
+Apps can register a `StorageKeyCatalog` to generate audit reports and enforce key registration. Registration validates:
+- Duplicate key names
+- Missing descriptions
+- Unregistered keys at runtime (debug assertions)
+
 ## Sync Behavior
 StorageRouter can call WCSession.updateApplicationContext for manual or automaticSmall sync policies when availability allows it. Session activation and receiving data are owned by the app.
 

README.md

@@ -107,6 +107,8 @@ App Group storage is explicit via `StorageDomain.appGroupUserDefaults` and `Stor
 
 Use standard `userDefaults` or `fileSystem` for data that should remain scoped to a single target, even when App Groups are configured.
 
+For app-level configuration (App Group identifiers, keychain service identifiers, etc.), centralize constants in a shared module so keys do not hardcode string literals.
+
 ## Security Options
 
 ### Keychain Accessibility