From 3cec333d84abf74f1e20239654a340a4621d385e Mon Sep 17 00:00:00 2001
From: DanS
Date: Sun, 7 Jun 2026 14:25:44 -0500
Subject: [PATCH] fix(storage): fsync the vault secure-delete overwrite

removeVault() overwrote vault.dat with zeros then unlinked it, but never flushed to stable storage, so the zeros could stay in the OS cache and never reach disk. flush + fsync before unlink on POSIX (still best-effort on CoW/SSD, but now does what it claims).

Co-Authored-By: Claude Opus 4.8
---
 src/util/secure_vault.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/util/secure_vault.cpp b/src/util/secure_vault.cpp
index b56211f..e8a885c 100644
--- a/src/util/secure_vault.cpp
+++ b/src/util/secure_vault.cpp
@@ -13,6 +13,11 @@
 #include
 #include "../util/logger.h"
 
+#ifndef _WIN32
+#include
+#include
+#endif
+
 namespace fs = std::filesystem;
 
 namespace dragonx {
@@ -232,6 +237,15 @@ bool SecureVault::removeVault() {
 std::ofstream zap(vaultPath, std::ios::binary);
 if (zap.is_open()) {
 zap.write(reinterpret_cast(zeros.data()), sz);
+ zap.flush();
+ zap.close();
+ // Force the zeros to stable storage before unlinking — otherwise the
+ // write may never leave the OS cache (best-effort; not a guarantee on
+ // CoW/journaling filesystems or wear-leveling SSDs).
+#ifndef _WIN32
+ int fd = ::open(vaultPath.c_str(), O_WRONLY);
+ if (fd >= 0) { ::fsync(fd); ::close(fd); }
+#endif
 }
 }
 }
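Review bot: The fsync runs on a second descriptor obtained by re-opening `vaultPath` after the ofstream is closed, so anything swapped in at that path between `zap.close()` and `::open` (a symlink, a different file) is what gets synced — and presumably unlinked by the caller — and plain `O_WRONLY` will follow a symlink; `::fsync`'s return value is also dropped, so a failed sync is indistinguishable from success. Separately, `std::ofstream` opens with truncation, so on filesystems that do not overwrite in place the zeros land in freshly allocated blocks and the original extent is untouched, which the added fsync cannot repair. On POSIX, opening the file once with `O_WRONLY | O_NOFOLLOW | O_CLOEXEC` (no `O_TRUNC`), writing the zeros through that descriptor, then fsyncing it before close keeps a single handle for the whole sequence, avoids the reopen-by-path window, and overwrites the existing extent where the filesystem allows; a logged warning on fsync failure keeps "best-effort" honest. removeVault() starts before this hunk and the unlink the commit message refers to is not visible here, so the ordering guarantee relies on code outside the view.
```cpp
#ifndef _WIN32
    // One descriptor for overwrite + fsync: no reopen-by-path window, no O_TRUNC
    // (so the existing extent is rewritten where the FS allows), O_NOFOLLOW
    // refuses a swapped-in symlink. Still best-effort on CoW / wear-leveled media.
    int fd = ::open(vaultPath.c_str(), O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0) {
        const char* p = reinterpret_cast<const char*>(zeros.data());
        size_t left = static_cast<size_t>(sz);  // assumes sz fits size_t — confirm its type
        while (left > 0) {
            ssize_t w = ::write(fd, p, left);
            if (w < 0) { if (errno == EINTR) continue; break; }  // needs <cerrno>
            p += w;
            left -= static_cast<size_t>(w);
        }
        if (::fsync(fd) != 0) {
            // log: zeros may not have reached stable storage
        }
        ::close(fd);
    }
#else
    std::ofstream zap(vaultPath, std::ios::binary);
    if (zap.is_open()) {
        zap.write(reinterpret_cast<const char*>(zeros.data()), sz);
        zap.flush();
    }
#endif
```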