LocalData/Sources/LocalData/Models/SecurityPolicy.swift

import Foundation
import CryptoKit
import Security

public enum SecurityPolicy: Sendable {
    case none
    case encrypted(EncryptionPolicy)
    case keychain(accessibility: KeychainAccessibility, accessControl: KeychainAccessControl?)

    public static let recommended: SecurityPolicy = .encrypted(.recommended)

    public enum EncryptionPolicy: Sendable {
        case aes256(keyDerivation: KeyDerivation)
        case chacha20Poly1305(keyDerivation: KeyDerivation)
        case external(source: KeyMaterialSource, keyDerivation: KeyDerivation)

        public static let recommended: EncryptionPolicy = .chacha20Poly1305(keyDerivation: .hkdf())
        public static func external(source: KeyMaterialSource) -> EncryptionPolicy {
            .external(source: source, keyDerivation: .hkdf())
        }
    }

    public enum KeyDerivation: Sendable {
        case pbkdf2(iterations: Int, salt: Data? = nil)
        case hkdf(salt: Data? = nil, info: Data? = nil)
    }
}