refactor: extract master-key code into masterkey package (#604)

2026-06-04 19:48:01 +02:00 · 2026-06-01 16:08:32 +08:00
parent b901f7dff0
commit c444314832
50 changed files with 449 additions and 580 deletions
@@ -9,14 +9,12 @@ import (
 	"github.com/moond4rk/hackbrowserdata/browser/chromium"
 	"github.com/moond4rk/hackbrowserdata/browser/firefox"
 	"github.com/moond4rk/hackbrowserdata/browser/safari"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

-// Browser is one installation: a single resolved UserDataDir that holds its
-// profiles and, for Chromium, owns the master key shared across them. It is
-// implemented by chromium.Browser, firefox.Browser, and safari.Browser.
+// Browser is one installation: a UserDataDir holding profiles that (for Chromium) share one master key.
 type Browser interface {
 	BrowserName() string
 	UserDataDir() string
@@ -25,31 +23,18 @@ type Browser interface {
 	CountEntries(categories []types.Category) ([]types.CountResult, error)
 }

-// PickOptions configures which browsers to pick.
-type PickOptions struct {
-	Name             string // browser name filter: "all"|"chrome"|"firefox"|...
-	ProfilePath      string // custom profile directory override
+type DiscoverOptions struct {
+	Name             string // "all"|"chrome"|"firefox"|...
+	ProfilePath      string // custom profile dir override
 	KeychainPassword string // macOS only — see browser_darwin.go
 }

-// browserInjector wires decryption credentials (key retrievers and, on macOS,
-// the Keychain password) into a discovered Browser. Its construction is
-// platform-specific; see newCredentialInjector in browser_{darwin,linux,windows}.go.
+// browserInjector injects decryption credentials into a Browser; built per-platform by newCredentialInjector.
 type browserInjector func(Browser)

-// DiscoverBrowsersWithKeys returns installations that are fully wired up for Extract: the
-// key retriever chain and (on macOS) the Keychain password are already
-// injected, so the caller can call b.Extract directly. This is the entry
-// point for extraction workflows like `dump`.
-//
-// On macOS this may trigger an interactive prompt for the login password
-// when the target set includes a Chromium variant or Safari. Commands that
-// only need metadata (name, profile path, per-category counts) should use
-// DiscoverBrowsers instead to skip injection — and thereby the prompt.
-//
-// When Name is "all", all known browsers are tried. ProfilePath overrides
-// the default user data directory (only when targeting a specific browser).
-func DiscoverBrowsersWithKeys(opts PickOptions) ([]Browser, error) {
+// DiscoverBrowsersWithKeys is DiscoverBrowsers plus credential injection, so the returned installations are ready for Extract.
+// On macOS it may prompt for the login password — metadata-only callers should use DiscoverBrowsers to avoid the prompt.
+func DiscoverBrowsersWithKeys(opts DiscoverOptions) ([]Browser, error) {
 	browsers, err := DiscoverBrowsers(opts)
 	if err != nil {
 		return nil, err
@@ -61,24 +46,14 @@ func DiscoverBrowsersWithKeys(opts PickOptions) ([]Browser, error) {
 	return browsers, nil
 }

-// DiscoverBrowsers returns installations for metadata-only workflows — listing,
-// profile paths, per-category counts. Decryption dependencies are NOT
-// injected, so calling b.Extract on the returned browsers will not
-// successfully decrypt protected data (passwords, cookies, credit cards).
-// CountEntries, BrowserName, and Profiles all work correctly without injection.
-//
-// Unlike DiscoverBrowsersWithKeys, DiscoverBrowsers never prompts for the macOS
-// Keychain password, making it the correct choice for `list`-style
-// commands that have no use for the credential.
-func DiscoverBrowsers(opts PickOptions) ([]Browser, error) {
-	return pickFromConfigs(platformBrowsers(), opts)
+// DiscoverBrowsers skips credential injection: metadata (Profiles, CountEntries) works, Extract won't decrypt protected data,
+// and macOS never prompts. Use it for list-style commands.
+func DiscoverBrowsers(opts DiscoverOptions) ([]Browser, error) {
+	return discoverFromConfigs(platformBrowsers(), opts)
 }

-// pickFromConfigs is the testable core of DiscoverBrowsers: it filters the
-// platform browser list and discovers each matching installation (one Browser
-// per UserDataDir, holding its profiles). Dependency injection (key retrievers,
-// keychain credentials) is intentionally NOT done here.
-func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser, error) {
+// discoverFromConfigs is the testable core of DiscoverBrowsers; it deliberately does no credential injection.
+func discoverFromConfigs(configs []types.BrowserConfig, opts DiscoverOptions) ([]Browser, error) {
 	name := strings.ToLower(opts.Name)
 	if name == "" {
 		name = "all"
@@ -92,7 +67,6 @@ func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser
 			continue
 		}

-		// Override profile directory when targeting a specific browser.
 		if opts.ProfilePath != "" && name != "all" {
 			if cfg.Kind == types.Firefox {
 				cfg.UserDataDir = filepath.Dir(filepath.Clean(opts.ProfilePath))
@@ -116,10 +90,10 @@ func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser
 	return browsers, nil
 }

-// KeyManager is implemented by installations that accept externally-provided master-key retrievers (Chromium family only).
+// KeyManager is implemented by installations accepting external master-key retrievers (Chromium only).
 type KeyManager interface {
-	SetKeyRetrievers(keyretriever.Retrievers)
-	ExportKeys() (keyretriever.MasterKeys, error)
+	SetRetrievers(masterkey.Retrievers)
+	ExportKeys() (masterkey.MasterKeys, error)
 }

 // KeychainPasswordReceiver is implemented by installations that need the macOS login password (Safari only).
@@ -127,17 +101,8 @@ type KeychainPasswordReceiver interface {
 	SetKeychainPassword(string)
 }

-// resolveGlobs expands glob patterns in browser configs' UserDataDir.
-// This supports MSIX/UWP browsers on Windows whose package directories
-// contain a dynamic publisher hash suffix (e.g., "TheBrowserCompany.Arc_*").
-//
-// For literal paths (no glob metacharacters), Glob returns the path itself
-// when it exists, so the config passes through unchanged. When a path does
-// not exist and contains no metacharacters, Glob returns nil and the
-// original config is preserved — the main loop handles "not found" as usual.
-//
-// When a glob matches multiple directories, the config is duplicated so
-// each resolved path is treated as a separate browser data directory.
+// resolveGlobs expands UserDataDir glob patterns for Windows MSIX/UWP browsers whose package dirs carry a dynamic
+// publisher-hash suffix (e.g. "TheBrowserCompany.Arc_*"). A glob matching N dirs yields N configs.
 func resolveGlobs(configs []types.BrowserConfig) []types.BrowserConfig {
 	var out []types.BrowserConfig
 	for _, cfg := range configs {
@@ -155,8 +120,7 @@ func resolveGlobs(configs []types.BrowserConfig) []types.BrowserConfig {
 	return out
 }

-// newBrowser dispatches to the correct engine based on BrowserKind and returns
-// one installation, or a nil Browser when no profile was found.
+// newBrowser dispatches on BrowserKind, returning a nil Browser when no profile is found.
 func newBrowser(cfg types.BrowserConfig) (Browser, error) {
 	switch cfg.Kind {
 	case types.Chromium, types.ChromiumYandex, types.ChromiumOpera:
@@ -9,8 +9,8 @@ import (
 	"github.com/moond4rk/keychainbreaker"
 	"golang.org/x/term"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -108,13 +108,8 @@ func platformBrowsers() []types.BrowserConfig {
 	}
 }

-// resolveKeychainPassword returns the keychain password for macOS.
-// If not provided via CLI flag, it prompts interactively when stdin is a TTY.
-// After obtaining the password, it verifies against keychainbreaker; on any
-// failure it returns "" so downstream code enters "no password" mode rather
-// than propagating a known-bad credential. Safari then exports
-// keychain-protected entries as metadata-only via keychainbreaker's partial
-// extraction mode; Chromium falls back to SecurityCmdRetriever.
+// resolveKeychainPassword resolves the macOS login password (CLI flag, else TTY prompt) and verifies it against
+// keychainbreaker. On any failure it returns "" so callers fall back to no-password mode rather than a known-bad credential.
 func resolveKeychainPassword(flagPassword string) string {
 	password := flagPassword
 	if password == "" {
@@ -137,10 +132,6 @@ func resolveKeychainPassword(flagPassword string) string {
 		return ""
 	}

-	// Verify early: try to unlock keychain with keychainbreaker. On failure
-	// return "" so KeychainPasswordRetriever and Safari both skip the credential
-	// and rely on their respective fallback paths (SecurityCmdRetriever for
-	// Chromium, metadata-only export for Safari).
 	kc, err := keychainbreaker.Open()
 	if err != nil {
 		log.Warnf("keychain open failed: %v; keychain-protected data will be exported as metadata only", err)
@@ -157,10 +148,10 @@ func resolveKeychainPassword(flagPassword string) string {

 // newCredentialInjector lazily wires retrievers (and the macOS keychain password) into each Browser;
 // `-b firefox` never triggers a keychain prompt because lazy resolution skips browsers that need neither.
-func newCredentialInjector(opts PickOptions) browserInjector {
+func newCredentialInjector(opts DiscoverOptions) browserInjector {
 	var (
 		password   string
-		retrievers keyretriever.Retrievers
+		retrievers masterkey.Retrievers
 		resolved   bool
 	)
 	return func(b Browser) {
@@ -171,11 +162,11 @@ func newCredentialInjector(opts PickOptions) browserInjector {
 		}
 		if !resolved {
 			password = resolveKeychainPassword(opts.KeychainPassword)
-			retrievers = keyretriever.DefaultRetrievers(password)
+			retrievers = masterkey.DefaultRetrievers(password)
 			resolved = true
 		}
 		if needsRetrievers {
-			km.SetKeyRetrievers(retrievers)
+			km.SetRetrievers(retrievers)
 		}
 		if needsKeychainPassword {
 			kps.SetKeychainPassword(password)
@@ -3,7 +3,7 @@
 package browser

 import (
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -67,16 +67,13 @@ func platformBrowsers() []types.BrowserConfig {
 	}
 }

-// newCredentialInjector returns a closure that wires the Linux Chromium master-key retrievers into
-// each Browser. Linux has two tiers: V10 uses the "peanuts" hardcoded password (kV10Key); V11
-// uses the D-Bus Secret Service keyring (kV11Key). V20 is nil — App-Bound Encryption is Windows-
-// only. Both V10 and V11 run independently so a profile carrying mixed cipher prefixes decrypts
-// both tiers.
-func newCredentialInjector(_ PickOptions) browserInjector {
-	retrievers := keyretriever.DefaultRetrievers()
+// newCredentialInjector wires the Linux Chromium retrievers: V10 ("peanuts" hardcoded) and V11 (D-Bus Secret Service),
+// run independently for mixed-cipher profiles. V20 is nil — App-Bound Encryption is Windows-only.
+func newCredentialInjector(_ DiscoverOptions) browserInjector {
+	retrievers := masterkey.DefaultRetrievers()
 	return func(b Browser) {
 		if km, ok := b.(KeyManager); ok {
-			km.SetKeyRetrievers(retrievers)
+			km.SetRetrievers(retrievers)
 		}
 	}
 }
@@ -28,7 +28,7 @@ func TestListBrowsers(t *testing.T) {
 type pickTest struct {
 	name         string
 	configs      []types.BrowserConfig
-	opts         PickOptions
+	opts         DiscoverOptions
 	wantNames    []string
 	wantProfiles []string
 }
@@ -37,7 +37,7 @@ func runPickTests(t *testing.T, tests []pickTest) {
 	t.Helper()
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			browsers, err := pickFromConfigs(tt.configs, tt.opts)
+			browsers, err := discoverFromConfigs(tt.configs, tt.opts)
 			require.NoError(t, err)
 			assertBrowsers(t, browsers, tt.wantNames, tt.wantProfiles)
 		})
@@ -90,28 +90,28 @@ func TestPickFromConfigs(t *testing.T) {
 			{
 				name:         "exact match",
 				configs:      nameFilterConfigs,
-				opts:         PickOptions{Name: "chrome"},
+				opts:         DiscoverOptions{Name: "chrome"},
 				wantNames:    []string{"Chrome"},
 				wantProfiles: []string{"Default"},
 			},
 			{
 				name:         "case insensitive",
 				configs:      nameFilterConfigs,
-				opts:         PickOptions{Name: "Chrome"},
+				opts:         DiscoverOptions{Name: "Chrome"},
 				wantNames:    []string{"Chrome"},
 				wantProfiles: []string{"Default"},
 			},
 			{
 				name:         "all returns both",
 				configs:      nameFilterConfigs,
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Chrome", "Edge"},
 				wantProfiles: []string{"Default", "Default"},
 			},
 			{
 				name:    "unknown returns empty",
 				configs: nameFilterConfigs,
-				opts:    PickOptions{Name: "safari"},
+				opts:    DiscoverOptions{Name: "safari"},
 			},
 		})
 	})
@@ -123,7 +123,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: chromeDir},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Chrome", "Chrome"},
 				wantProfiles: []string{"Default", "Profile 1"},
 			},
@@ -132,7 +132,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "firefox", Name: "Firefox", Kind: types.Firefox, UserDataDir: firefoxDir},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Firefox"},
 				wantProfiles: []string{"abc123.default-release"},
 			},
@@ -141,7 +141,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "yandex", Name: "Yandex", Kind: types.ChromiumYandex, UserDataDir: yandexDir},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Yandex"},
 				wantProfiles: []string{"Default"},
 			},
@@ -150,7 +150,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: "/nonexistent"},
 				},
-				opts: PickOptions{Name: "all"},
+				opts: DiscoverOptions{Name: "all"},
 			},
 		})
 	})
@@ -162,7 +162,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: "/wrong"},
 				},
-				opts:         PickOptions{Name: "chrome", ProfilePath: filepath.Join(chromeDir, "Default")},
+				opts:         DiscoverOptions{Name: "chrome", ProfilePath: filepath.Join(chromeDir, "Default")},
 				wantNames:    []string{"Chrome"},
 				wantProfiles: []string{"Default"},
 			},
@@ -171,7 +171,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "firefox", Name: "Firefox", Kind: types.Firefox, UserDataDir: "/wrong"},
 				},
-				opts:         PickOptions{Name: "firefox", ProfilePath: filepath.Join(firefoxDir, "abc123.default-release")},
+				opts:         DiscoverOptions{Name: "firefox", ProfilePath: filepath.Join(firefoxDir, "abc123.default-release")},
 				wantNames:    []string{"Firefox"},
 				wantProfiles: []string{"abc123.default-release"},
 			},
@@ -180,7 +180,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: chromeDir},
 				},
-				opts:         PickOptions{Name: "all", ProfilePath: "/some/override"},
+				opts:         DiscoverOptions{Name: "all", ProfilePath: "/some/override"},
 				wantNames:    []string{"Chrome", "Chrome"},
 				wantProfiles: []string{"Default", "Profile 1"},
 			},
@@ -194,7 +194,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "solo", Name: "Solo", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "Solo.Browser_*", "UserData")},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Solo"},
 				wantProfiles: []string{"Default"},
 			},
@@ -203,7 +203,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "App.Browser_*", "UserData")},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Arc", "Arc"},
 				wantProfiles: []string{"Default", "Default"},
 			},
@@ -212,7 +212,7 @@ func TestPickFromConfigs(t *testing.T) {
 				configs: []types.BrowserConfig{
 					{Key: "missing", Name: "Missing", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "NoSuch_*", "UserData")},
 				},
-				opts: PickOptions{Name: "all"},
+				opts: DiscoverOptions{Name: "all"},
 			},
 			{
 				name: "mixed with literal",
@@ -220,7 +220,7 @@ func TestPickFromConfigs(t *testing.T) {
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: singleDir},
 					{Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "Solo.Browser_*", "UserData")},
 				},
-				opts:         PickOptions{Name: "all"},
+				opts:         DiscoverOptions{Name: "all"},
 				wantNames:    []string{"Arc", "Chrome"},
 				wantProfiles: []string{"Default", "Default"},
 			},
@@ -230,7 +230,7 @@ func TestPickFromConfigs(t *testing.T) {
 					{Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: singleDir},
 					{Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "App.Browser_*", "UserData")},
 				},
-				opts:         PickOptions{Name: "arc"},
+				opts:         DiscoverOptions{Name: "arc"},
 				wantNames:    []string{"Arc", "Arc"},
 				wantProfiles: []string{"Default", "Default"},
 			},
@@ -3,7 +3,7 @@
 package browser

 import (
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -125,15 +125,13 @@ func platformBrowsers() []types.BrowserConfig {
 	}
 }

-// newCredentialInjector returns a closure that wires the Windows v10 (DPAPI) and v20 (ABE) Chromium
-// master-key retrievers into each Browser. Per issue #578 the two tiers are orthogonal — a single
-// Chrome profile upgraded from pre-127 carries v20 cookies alongside v10 passwords — so both
-// retrievers run independently rather than as a first-success chain.
-func newCredentialInjector(_ PickOptions) browserInjector {
-	retrievers := keyretriever.DefaultRetrievers()
+// newCredentialInjector wires the Windows Chromium retrievers: v10 (DPAPI) and v20 (ABE). The two tiers are orthogonal
+// — a pre-127-upgraded profile carries v20 cookies alongside v10 passwords — so both run independently, not as a chain.
+func newCredentialInjector(_ DiscoverOptions) browserInjector {
+	retrievers := masterkey.DefaultRetrievers()
 	return func(b Browser) {
 		if km, ok := b.(KeyManager); ok {
-			km.SetKeyRetrievers(retrievers)
+			km.SetRetrievers(retrievers)
 		}
 	}
 }
@@ -6,9 +6,9 @@ import (
 	"sync"
 	"time"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/filemanager"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 	"github.com/moond4rk/hackbrowserdata/utils/fileutil"
 )
@@ -17,16 +17,15 @@ import (
 // that share a master key. The key is derived once and reused across profiles.
 type Browser struct {
 	cfg        types.BrowserConfig
-	retrievers keyretriever.Retrievers
+	retrievers masterkey.Retrievers
 	profiles   []*profile

 	keysOnce sync.Once
-	keys     keyretriever.MasterKeys
+	keys     masterkey.MasterKeys
 }

-// NewBrowser discovers the Chromium profiles under cfg.UserDataDir and returns
-// the installation, or nil if no profile with resolvable sources exists. Call
-// SetKeyRetrievers before Extract to enable decryption of sensitive data.
+// NewBrowser discovers the profiles under cfg.UserDataDir, or returns nil if none resolve.
+// Call SetRetrievers before Extract to enable decryption.
 func NewBrowser(cfg types.BrowserConfig) (*Browser, error) {
 	sources := sourcesForKind(cfg.Kind)
 	extractors := extractorsForKind(cfg.Kind)
@@ -51,9 +50,9 @@ func NewBrowser(cfg types.BrowserConfig) (*Browser, error) {
 	return &Browser{cfg: cfg, profiles: profiles}, nil
 }

-// SetKeyRetrievers wires the per-tier master-key retrievers (V10/V11/V20) used by
+// SetRetrievers wires the per-tier master-key retrievers (V10/V11/V20) used by
 // Extract; unused tiers stay nil.
-func (b *Browser) SetKeyRetrievers(r keyretriever.Retrievers) { b.retrievers = r }
+func (b *Browser) SetRetrievers(r masterkey.Retrievers) { b.retrievers = r }

 func (b *Browser) BrowserName() string { return b.cfg.Name }
 func (b *Browser) UserDataDir() string { return b.cfg.UserDataDir }
@@ -69,12 +68,12 @@ func (b *Browser) Profiles() []types.Profile {

 // Extract derives the installation's master key once, then extracts every profile.
 func (b *Browser) Extract(categories []types.Category) ([]types.ExtractResult, error) {
-	keys := b.masterKeys()
+	masterKeys := b.masterKeys()
 	results := make([]types.ExtractResult, 0, len(b.profiles))
 	for _, p := range b.profiles {
 		results = append(results, types.ExtractResult{
 			Profile: types.Profile{Name: p.name(), Dir: p.profileDir},
-			Data:    p.extract(keys, categories),
+			Data:    p.extract(masterKeys, categories),
 		})
 	}
 	return results, nil
@@ -92,39 +91,34 @@ func (b *Browser) CountEntries(categories []types.Category) ([]types.CountResult
 	return results, nil
 }

-// ExportKeys derives the installation's master keys without extraction. Returns
-// whatever tiers succeeded plus a joined error describing any failed tiers;
-// callers preserve partial results because a Chrome 127+ installation mixes
-// v10 + v20 ciphertexts and a v20-only failure must not erase a usable v10 key.
-func (b *Browser) ExportKeys() (keyretriever.MasterKeys, error) {
+// ExportKeys derives the master keys without extracting. Returns the tiers that succeeded plus a
+// joined error for those that failed — partial results matter (a v20-only failure keeps the v10 key).
+func (b *Browser) ExportKeys() (masterkey.MasterKeys, error) {
 	session, err := filemanager.NewSession()
 	if err != nil {
-		return keyretriever.MasterKeys{}, err
+		return masterkey.MasterKeys{}, err
 	}
 	defer session.Cleanup()

-	return keyretriever.NewMasterKeys(b.retrievers, b.buildHints(session))
+	return masterkey.NewMasterKeys(b.retrievers, b.buildHints(session))
 }

-// masterKeys derives the installation's keys exactly once and caches them.
-// Because derivation happens a single time per installation, a failure is warned
-// exactly once — no cross-profile dedup state is needed.
-func (b *Browser) masterKeys() keyretriever.MasterKeys {
+// masterKeys derives and caches the installation's keys exactly once (sync.Once), so a failure is
+// warned once — no cross-profile dedup state needed.
+func (b *Browser) masterKeys() masterkey.MasterKeys {
 	b.keysOnce.Do(func() {
-		keys, err := b.ExportKeys()
+		masterKeys, err := b.ExportKeys()
 		if err != nil {
 			log.Warnf("%s: master key retrieval: %v", b.BrowserName(), err)
 		}
-		b.keys = keys
+		b.keys = masterKeys
 	})
 	return b.keys
 }

-// buildHints acquires Local State (into session.TempDir so Windows DPAPI/ABE
-// retrievers can read it from a path the process owns) and assembles per-tier
-// retriever hints. Local State lives at the installation root (cfg.UserDataDir)
-// in both the multi-profile and flat (Opera) layouts.
-func (b *Browser) buildHints(session *filemanager.Session) keyretriever.Hints {
+// buildHints copies Local State into the session temp dir (so Windows DPAPI/ABE retrievers read it
+// from a process-owned path) and assembles the Hints. Local State sits at the installation root.
+func (b *Browser) buildHints(session *filemanager.Session) masterkey.Hints {
 	var localStateDst string
 	candidate := filepath.Join(b.cfg.UserDataDir, "Local State")
 	if fileutil.FileExists(candidate) {
@@ -140,7 +134,7 @@ func (b *Browser) buildHints(session *filemanager.Session) keyretriever.Hints {
 	if b.cfg.WindowsABE {
 		abeKey = b.cfg.Key
 	}
-	return keyretriever.Hints{
+	return masterkey.Hints{
 		KeychainLabel:  b.cfg.KeychainLabel,
 		WindowsABEKey:  abeKey,
 		LocalStatePath: localStateDst,
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -380,21 +380,21 @@ func TestLocalStatePath(t *testing.T) {

 // mockRetriever records the arguments passed to RetrieveKey.
 type mockRetriever struct {
-	hints  keyretriever.Hints
+	hints  masterkey.Hints
 	key    []byte
 	err    error
 	called bool
 }

-func (m *mockRetriever) RetrieveKey(hints keyretriever.Hints) ([]byte, error) {
+func (m *mockRetriever) RetrieveKey(hints masterkey.Hints) ([]byte, error) {
 	m.called = true
 	m.hints = hints
 	return m.key, m.err
 }

 func TestGetMasterKeys(t *testing.T) {
-	// getMasterKeys routes through keyretriever.NewMasterKeys on every platform — the V10 mock
-	// wired via SetKeyRetrievers(Retrievers{V10: mock}) is consulted cross-platform.
+	// getMasterKeys routes through masterkey.NewMasterKeys on every platform — the V10 mock
+	// wired via SetRetrievers(Retrievers{V10: mock}) is consulted cross-platform.

 	// Profile directory without Local State file.
 	dirNoLocalState := t.TempDir()
@@ -405,7 +405,7 @@ func TestGetMasterKeys(t *testing.T) {
 		name              string
 		dir               string
 		keychainLabel     string
-		retriever         keyretriever.KeyRetriever // nil → don't call SetKeyRetrievers
+		retriever         masterkey.Retriever // nil → don't call SetRetrievers
 		wantV10           []byte
 		wantKeychainLabel string
 		wantLocalState    bool // whether localStatePath passed to retriever is non-empty
@@ -442,13 +442,13 @@ func TestGetMasterKeys(t *testing.T) {
 			require.NotNil(t, b)

 			if tt.retriever != nil {
-				b.SetKeyRetrievers(keyretriever.Retrievers{V10: tt.retriever})
+				b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever})
 			}

-			keys := b.masterKeys()
-			assert.Equal(t, tt.wantV10, keys.V10)
-			assert.Nil(t, keys.V11, "V11 stays nil when no v11 retriever is wired")
-			assert.Nil(t, keys.V20, "V20 stays nil when no v20 retriever is wired")
+			mk := b.masterKeys()
+			assert.Equal(t, tt.wantV10, mk.V10)
+			assert.Nil(t, mk.V11, "V11 stays nil when no v11 retriever is wired")
+			assert.Nil(t, mk.V20, "V20 stays nil when no v20 retriever is wired")

 			if tt.retriever == nil {
 				return
@@ -470,7 +470,7 @@ func TestGetMasterKeys(t *testing.T) {
 // Before the refactor a Windows-only bypass meant only one tier's retriever was consulted, so a
 // profile mixing prefixes silently lost the un-retrieved tier. After the refactor every
 // configured tier must be called exactly once and its key must land in the matching MasterKeys
-// slot. This catches any future "bypass keyretriever for a faster path" regression and covers the
+// slot. This catches any future "bypass the masterkey package for a faster path" regression and covers the
 // analogous Linux v10/v11 case — no platform silently drops a tier any more.
 func TestGetMasterKeys_AllTiersInvoked(t *testing.T) {
 	v10mock := &mockRetriever{key: []byte("fake-v10-key")}
@@ -483,12 +483,12 @@ func TestGetMasterKeys_AllTiersInvoked(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, b)

-	b.SetKeyRetrievers(keyretriever.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock})
+	b.SetRetrievers(masterkey.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock})

-	keys := b.masterKeys()
-	assert.Equal(t, []byte("fake-v10-key"), keys.V10, "V10 slot must be populated")
-	assert.Equal(t, []byte("fake-v11-key"), keys.V11, "V11 slot must be populated")
-	assert.Equal(t, []byte("fake-v20-key"), keys.V20, "V20 slot must be populated")
+	mk := b.masterKeys()
+	assert.Equal(t, []byte("fake-v10-key"), mk.V10, "V10 slot must be populated")
+	assert.Equal(t, []byte("fake-v11-key"), mk.V11, "V11 slot must be populated")
+	assert.Equal(t, []byte("fake-v20-key"), mk.V20, "V20 slot must be populated")
 	assert.True(t, v10mock.called, "V10 retriever must be called — no silent bypass")
 	assert.True(t, v11mock.called, "V11 retriever must be called — no silent bypass")
 	assert.True(t, v20mock.called, "V20 retriever must be called — no silent bypass")
@@ -521,7 +521,7 @@ func TestGetMasterKeys_WindowsABEThreading(t *testing.T) {
 			require.NoError(t, err)
 			require.NotNil(t, b)

-			b.SetKeyRetrievers(keyretriever.Retrievers{V20: mock})
+			b.SetRetrievers(masterkey.Retrievers{V20: mock})

 			b.masterKeys()
 			assert.Equal(t, tt.wantABEKey, mock.hints.WindowsABEKey)
@@ -540,8 +540,8 @@ func TestExtract(t *testing.T) {

 	tests := []struct {
 		name          string
-		retriever     keyretriever.KeyRetriever // nil → don't call SetRetriever
-		wantRetriever bool                      // whether retriever should be called
+		retriever     masterkey.Retriever // nil → don't call SetRetriever
+		wantRetriever bool                // whether retriever should be called
 	}{
 		{
 			name: "without retriever extracts unencrypted data",
@@ -562,7 +562,7 @@ func TestExtract(t *testing.T) {
 			require.NotNil(t, b)

 			if tt.retriever != nil {
-				b.SetKeyRetrievers(keyretriever.Retrievers{V10: tt.retriever})
+				b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever})
 			}

 			results, err := b.Extract([]types.Category{types.History})
@@ -629,13 +629,13 @@ func TestCountEntries_NoRetrieverNeeded(t *testing.T) {
 }

 // ---------------------------------------------------------------------------
-// SetKeyRetrievers: verify *Browser satisfies the interface used by
-// browser.pickFromConfigs for post-construction retriever injection.
+// SetRetrievers: verify *Browser satisfies the interface used by
+// browser.discoverFromConfigs for post-construction retriever injection.
 // ---------------------------------------------------------------------------

-func TestSetKeyRetrievers_SatisfiesInterface(t *testing.T) {
+func TestSetRetrievers_SatisfiesInterface(t *testing.T) {
 	var _ interface {
-		SetKeyRetrievers(keyretriever.Retrievers)
+		SetRetrievers(masterkey.Retrievers)
 	} = (*Browser)(nil)
 }

@@ -4,21 +4,21 @@ import (
 	"fmt"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 // decryptValue decrypts a Chromium-encrypted value by dispatching on the ciphertext's version
-// prefix to the matching tier in keys:
+// prefix to the matching tier in masterKeys:
 //
-//   - v10 → keys.V10 (Windows DPAPI / macOS Keychain / Linux peanuts kV10Key)
-//   - v11 → keys.V11 (Linux keyring kV11Key; nil on Windows/macOS — Chromium doesn't emit v11 there)
-//   - v20 → keys.V20 (Windows ABE; nil on non-Windows — Chromium doesn't emit v20 there)
+//   - v10 → masterKeys.V10 (Windows DPAPI / macOS Keychain / Linux peanuts kV10Key)
+//   - v11 → masterKeys.V11 (Linux keyring kV11Key; nil on Windows/macOS — Chromium doesn't emit v11 there)
+//   - v20 → masterKeys.V20 (Windows ABE; nil on non-Windows — Chromium doesn't emit v20 there)
 //
 // A single profile can carry mixed prefixes (Chrome 127+ upgrades on Windows; Linux session-mode
 // changes), so every applicable key must be populated upstream for lossless extraction. Missing
 // tier keys surface as decrypt errors at the ciphertext level; the extract layer treats those as
 // empty plaintexts rather than fatal errors.
-func decryptValue(keys keyretriever.MasterKeys, ciphertext []byte) ([]byte, error) {
+func decryptValue(masterKeys masterkey.MasterKeys, ciphertext []byte) ([]byte, error) {
 	if len(ciphertext) == 0 {
 		return nil, nil
 	}
@@ -26,16 +26,16 @@ func decryptValue(keys keyretriever.MasterKeys, ciphertext []byte) ([]byte, erro
 	version := crypto.DetectVersion(ciphertext)
 	switch version {
 	case crypto.CipherV10:
-		return crypto.DecryptChromium(keys.V10, ciphertext)
+		return crypto.DecryptChromium(masterKeys.V10, ciphertext)
 	case crypto.CipherV11:
 		// v11 is Linux-only and shares v10's AES-CBC path, but uses the keyring-derived kV11Key
 		// rather than the peanuts-derived kV10Key — so a Linux profile with both prefixes needs
 		// distinct per-tier keys to decrypt everything.
-		return crypto.DecryptChromium(keys.V11, ciphertext)
+		return crypto.DecryptChromium(masterKeys.V11, ciphertext)
 	case crypto.CipherV20:
 		// v20 is cross-platform AES-GCM; routed through a dedicated function so Linux/macOS CI can
 		// exercise the same decryption path as Windows.
-		return crypto.DecryptChromiumV20(keys.V20, ciphertext)
+		return crypto.DecryptChromiumV20(masterKeys.V20, ciphertext)
 	case crypto.CipherV12:
 		// Chromium's SecretPortalKeyProvider (Flatpak / xdg-desktop-portal) — HKDF-SHA256 +
 		// AES-256-GCM with a secret retrieved via org.freedesktop.portal.Desktop. Recognized here
@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 // TestDecryptValue_MixedTier is the regression test for mixed-cipher profiles (issue #578 on
@@ -33,7 +33,7 @@ func TestDecryptValue_MixedTier(t *testing.T) {
 	v20Ciphertext := append([]byte("v20"), append(nonce, gcmEnc...)...)

 	t.Run("all tiers populated: v20 picks V20, decrypts", func(t *testing.T) {
-		got, err := decryptValue(keyretriever.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext)
+		got, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext)
 		require.NoError(t, err)
 		assert.Equal(t, plaintext, got)
 	})
@@ -41,20 +41,20 @@ func TestDecryptValue_MixedTier(t *testing.T) {
 	t.Run("V20 holds wrong key: v20 still picks V20 slot (not V10/V11), errors", func(t *testing.T) {
 		// If the dispatcher incorrectly fell back to V10 or V11 when V20 had a wrong key, this
 		// would succeed. Proves the router uses prefix-based selection, not first-usable-key.
-		_, err := decryptValue(keyretriever.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext)
+		_, err := decryptValue(masterkey.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext)
 		require.Error(t, err)
 	})

 	t.Run("only V20 populated: v20 still decrypts", func(t *testing.T) {
 		// The pre-#578 symmetric regression: when DPAPI/keyring failed and only V20 was retrieved,
 		// v20 cookies had to still decrypt. This asserts V10 and V11 being nil doesn't block v20.
-		got, err := decryptValue(keyretriever.MasterKeys{V20: k20}, v20Ciphertext)
+		got, err := decryptValue(masterkey.MasterKeys{V20: k20}, v20Ciphertext)
 		require.NoError(t, err)
 		assert.Equal(t, plaintext, got)
 	})

 	t.Run("V20 slot unpopulated: v20 errors (no key to use)", func(t *testing.T) {
-		_, err := decryptValue(keyretriever.MasterKeys{V10: k10, V11: k11}, v20Ciphertext)
+		_, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11}, v20Ciphertext)
 		require.Error(t, err)
 	})
 }
@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 func TestDecryptValue_V10(t *testing.T) {
@@ -40,7 +40,7 @@ func TestDecryptValue_V10(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := decryptValue(keyretriever.MasterKeys{V10: tt.key}, v10Ciphertext)
+			got, err := decryptValue(masterkey.MasterKeys{V10: tt.key}, v10Ciphertext)
 			if tt.wantErrMsg != "" {
 				require.Error(t, err)
 				assert.Contains(t, err.Error(), tt.wantErrMsg)
@@ -61,7 +61,7 @@ func TestDecryptValue_V11(t *testing.T) {
 	v11Ciphertext := append([]byte("v11"), cbcEncrypted...)

 	// v11 ciphertexts route to the V11 slot (Linux's keyring-derived kV11Key) — not V10 (peanuts).
-	got, err := decryptValue(keyretriever.MasterKeys{V11: testAESKey}, v11Ciphertext)
+	got, err := decryptValue(masterkey.MasterKeys{V11: testAESKey}, v11Ciphertext)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, got)
 }
@@ -87,22 +87,22 @@ func TestDecryptValue_V10_V11_SlotSeparation(t *testing.T) {
 	require.NoError(t, err)
 	v11Ciphertext := append([]byte("v11"), v11Enc...)

-	keys := keyretriever.MasterKeys{V10: k10, V11: k11}
+	mk := masterkey.MasterKeys{V10: k10, V11: k11}

 	t.Run("v10 ciphertext decrypts via V10 slot", func(t *testing.T) {
-		got, err := decryptValue(keys, v10Ciphertext)
+		got, err := decryptValue(mk, v10Ciphertext)
 		require.NoError(t, err)
 		assert.Equal(t, v10plain, got)
 	})

 	t.Run("v11 ciphertext decrypts via V11 slot", func(t *testing.T) {
-		got, err := decryptValue(keys, v11Ciphertext)
+		got, err := decryptValue(mk, v11Ciphertext)
 		require.NoError(t, err)
 		assert.Equal(t, v11plain, got)
 	})

 	t.Run("swapped keys fail both directions", func(t *testing.T) {
-		swapped := keyretriever.MasterKeys{V10: k11, V11: k10}
+		swapped := masterkey.MasterKeys{V10: k11, V11: k10}
 		_, err := decryptValue(swapped, v10Ciphertext)
 		require.Error(t, err, "v10 with V11's key must fail")
 		_, err = decryptValue(swapped, v11Ciphertext)
@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 // TestDecryptValue_V20 is cross-platform because v20's ciphertext format
@@ -24,13 +24,13 @@ func TestDecryptValue_V20(t *testing.T) {
 	// v20 layout: "v20" (3B) + nonce (12B) + ciphertext+tag
 	ciphertext := append([]byte("v20"), append(nonce, gcm...)...)

-	got, err := decryptValue(keyretriever.MasterKeys{V20: testAESKey}, ciphertext)
+	got, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, ciphertext)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, got)
 }

 func TestDecryptValue_V20_ShortCiphertext(t *testing.T) {
 	// Missing nonce (prefix only) must error, not panic.
-	_, err := decryptValue(keyretriever.MasterKeys{V20: testAESKey}, []byte("v20"))
+	_, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, []byte("v20"))
 	require.Error(t, err)
 }
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 // encryptWithDPAPI encrypts data using Windows DPAPI (CryptProtectData).
@@ -64,7 +64,7 @@ func TestDecryptValue_V10_Windows(t *testing.T) {
 	// v10 format on Windows: "v10" + nonce(12) + encrypted
 	ciphertext := append([]byte("v10"), append(nonce, gcmEncrypted...)...)

-	got, err := decryptValue(keyretriever.MasterKeys{V10: testAESKey}, ciphertext)
+	got, err := decryptValue(masterkey.MasterKeys{V10: testAESKey}, ciphertext)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, got)
 }
@@ -78,7 +78,7 @@ func TestDecryptValue_DPAPI_Windows(t *testing.T) {
 	require.NotEmpty(t, encrypted)

 	// No v10/v20 prefix → decryptValue routes to DPAPI path; no per-tier key needed.
-	got, err := decryptValue(keyretriever.MasterKeys{}, encrypted)
+	got, err := decryptValue(masterkey.MasterKeys{}, encrypted)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, got)
 }
@@ -6,7 +6,7 @@ import (
 	"database/sql"
 	"sort"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 	"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
 )
@@ -18,7 +18,7 @@ const (
 	countCookieQuery = `SELECT COUNT(*) FROM cookies`
 )

-func extractCookies(keys keyretriever.MasterKeys, path string) ([]types.CookieEntry, error) {
+func extractCookies(masterKeys masterkey.MasterKeys, path string) ([]types.CookieEntry, error) {
 	cookies, err := sqliteutil.QueryRows(path, false, defaultCookieQuery,
 		func(rows *sql.Rows) (types.CookieEntry, error) {
 			var (
@@ -34,7 +34,7 @@ func extractCookies(keys keyretriever.MasterKeys, path string) ([]types.CookieEn
 				return types.CookieEntry{}, err
 			}

-			value, _ := decryptValue(keys, encryptedValue)
+			value, _ := decryptValue(masterKeys, encryptedValue)
 			value = stripCookieHash(value, host)
 			return types.CookieEntry{
 				Name:         name,
@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 func setupCookieDB(t *testing.T) string {
@@ -21,7 +21,7 @@ func setupCookieDB(t *testing.T) string {
 func TestExtractCookies(t *testing.T) {
 	path := setupCookieDB(t)

-	got, err := extractCookies(keyretriever.MasterKeys{}, path)
+	got, err := extractCookies(masterkey.MasterKeys{}, path)
 	require.NoError(t, err)
 	require.Len(t, got, 2)

@@ -6,8 +6,8 @@ import (
 	"errors"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 	"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
 )
@@ -36,7 +36,7 @@ type yandexPrivateData struct {
 	SecretComment  string `json:"secret_comment"`
 }

-func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error) {
+func extractCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) {
 	cards, err := sqliteutil.QueryRows(path, false, defaultCreditCardQuery,
 		func(rows *sql.Rows) (types.CreditCardEntry, error) {
 			var guid, name, month, year, nickname, address string
@@ -44,7 +44,7 @@ func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.Cred
 			if err := rows.Scan(&guid, &name, &month, &year, &encNumber, &nickname, &address); err != nil {
 				return types.CreditCardEntry{}, err
 			}
-			number, _ := decryptValue(keys, encNumber)
+			number, _ := decryptValue(masterKeys, encNumber)
 			return types.CreditCardEntry{
 				GUID:     guid,
 				Name:     name,
@@ -62,8 +62,8 @@ func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.Cred
 }

 // extractYandexCreditCards reads the records table (not Chromium's credit_cards). AAD = guid. See RFC-012 §4.
-func extractYandexCreditCards(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error) {
-	dataKey, err := loadYandexDataKey(path, keys.V10)
+func extractYandexCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) {
+	dataKey, err := loadYandexDataKey(path, masterKeys.V10)
 	if err != nil {
 		if errors.Is(err, errYandexMasterPasswordSet) {
 			log.Warnf("%s: %v", path, err)
@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 func setupCreditCardDB(t *testing.T) string {
@@ -21,7 +21,7 @@ func setupCreditCardDB(t *testing.T) string {
 func TestExtractCreditCards(t *testing.T) {
 	path := setupCreditCardDB(t)

-	got, err := extractCreditCards(keyretriever.MasterKeys{}, path)
+	got, err := extractCreditCards(masterkey.MasterKeys{}, path)
 	require.NoError(t, err)
 	require.Len(t, got, 2)

@@ -80,7 +80,7 @@ func TestExtractYandexCreditCards(t *testing.T) {
 		},
 	)

-	got, err := extractYandexCreditCards(keyretriever.MasterKeys{V10: masterKey}, path)
+	got, err := extractYandexCreditCards(masterkey.MasterKeys{V10: masterKey}, path)
 	require.NoError(t, err)
 	require.Len(t, got, 2)

@@ -128,7 +128,7 @@ func TestExtractYandexCreditCards_WrongMasterKey(t *testing.T) {
 		yandexCreditCard{GUID: "g1", FullCardNumber: "4111"},
 	)

-	_, err := extractYandexCreditCards(keyretriever.MasterKeys{V10: wrongKey}, path)
+	_, err := extractYandexCreditCards(masterkey.MasterKeys{V10: wrongKey}, path)
 	require.Error(t, err)
 }

@@ -6,8 +6,8 @@ import (
 	"sort"

 	"github.com/moond4rk/hackbrowserdata/crypto"
-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 	"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
 )
@@ -20,11 +20,11 @@ const (
 		password_element, password_value, signon_realm, date_created FROM logins`
 )

-func extractPasswords(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error) {
-	return extractPasswordsWithQuery(keys, path, defaultLoginQuery)
+func extractPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) {
+	return extractPasswordsWithQuery(masterKeys, path, defaultLoginQuery)
 }

-func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string) ([]types.LoginEntry, error) {
+func extractPasswordsWithQuery(masterKeys masterkey.MasterKeys, path, query string) ([]types.LoginEntry, error) {
 	logins, err := sqliteutil.QueryRows(path, false, query,
 		func(rows *sql.Rows) (types.LoginEntry, error) {
 			var url, username string
@@ -33,7 +33,7 @@ func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string)
 			if err := rows.Scan(&url, &username, &pwd, &created); err != nil {
 				return types.LoginEntry{}, err
 			}
-			password, _ := decryptValue(keys, pwd)
+			password, _ := decryptValue(masterKeys, pwd)
 			return types.LoginEntry{
 				URL:       url,
 				Username:  username,
@@ -53,8 +53,8 @@ func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string)

 // extractYandexPasswords walks Ya Passman Data; protocol in RFC-012 §4.
 // Note: URL column is origin_url — it's what the per-row AAD is computed over (not action_url).
-func extractYandexPasswords(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error) {
-	dataKey, err := loadYandexDataKey(path, keys.V10)
+func extractYandexPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) {
+	dataKey, err := loadYandexDataKey(path, masterKeys.V10)
 	if err != nil {
 		if errors.Is(err, errYandexMasterPasswordSet) {
 			log.Warnf("%s: %v", path, err)
@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

 func setupLoginDB(t *testing.T) string {
@@ -22,7 +22,7 @@ func setupLoginDB(t *testing.T) string {
 func TestExtractPasswords(t *testing.T) {
 	path := setupLoginDB(t)

-	got, err := extractPasswords(keyretriever.MasterKeys{}, path)
+	got, err := extractPasswords(masterkey.MasterKeys{}, path)
 	require.NoError(t, err)
 	require.Len(t, got, 2)

@@ -70,7 +70,7 @@ func TestExtractYandexPasswords(t *testing.T) {
 		},
 	)

-	got, err := extractYandexPasswords(keyretriever.MasterKeys{V10: masterKey}, path)
+	got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path)
 	require.NoError(t, err)
 	require.Len(t, got, 2)

@@ -93,7 +93,7 @@ func TestExtractYandexPasswords_MasterPasswordSkipped(t *testing.T) {
 		},
 	)

-	got, err := extractYandexPasswords(keyretriever.MasterKeys{V10: masterKey}, path)
+	got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path)
 	require.NoError(t, err)
 	assert.Empty(t, got, "master-password profiles should be skipped in v1")
 }
@@ -112,7 +112,7 @@ func TestExtractYandexPasswords_WrongMasterKey(t *testing.T) {

 	// A wrong master key fails at the intermediate step, surfacing as an error
 	// from the extractor.
-	_, err := extractYandexPasswords(keyretriever.MasterKeys{V10: wrongKey}, path)
+	_, err := extractYandexPasswords(masterkey.MasterKeys{V10: wrongKey}, path)
 	require.Error(t, err)
 }

@@ -3,9 +3,9 @@ package chromium
 import (
 	"path/filepath"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/filemanager"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -30,7 +30,7 @@ func (p *profile) label() string { return p.browserName + "/" + p.name() }

 // extract copies the profile's source files to a temp directory and extracts the
 // requested categories, decrypting with the installation's master keys.
-func (p *profile) extract(keys keyretriever.MasterKeys, categories []types.Category) *types.BrowserData {
+func (p *profile) extract(masterKeys masterkey.MasterKeys, categories []types.Category) *types.BrowserData {
 	session, err := filemanager.NewSession()
 	if err != nil {
 		log.Debugf("new session for %s: %v", p.label(), err)
@@ -45,7 +45,7 @@ func (p *profile) extract(keys keyretriever.MasterKeys, categories []types.Categ
 		if !ok {
 			continue
 		}
-		p.extractCategory(data, cat, keys, path)
+		p.extractCategory(data, cat, masterKeys, path)
 	}
 	return data
 }
@@ -91,9 +91,9 @@ func (p *profile) acquireFiles(session *filemanager.Session, categories []types.

 // extractCategory calls the appropriate extract function for a category. A custom
 // extractor (registered via extractorsForKind) takes precedence over the switch.
-func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, keys keyretriever.MasterKeys, path string) {
+func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, masterKeys masterkey.MasterKeys, path string) {
 	if ext, ok := p.extractors[cat]; ok {
-		if err := ext.extract(keys, path, data); err != nil {
+		if err := ext.extract(masterKeys, path, data); err != nil {
 			log.Debugf("extract %s for %s: %v", cat, p.label(), err)
 		}
 		return
@@ -102,9 +102,9 @@ func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, k
 	var err error
 	switch cat {
 	case types.Password:
-		data.Passwords, err = extractPasswords(keys, path)
+		data.Passwords, err = extractPasswords(masterKeys, path)
 	case types.Cookie:
-		data.Cookies, err = extractCookies(keys, path)
+		data.Cookies, err = extractCookies(masterKeys, path)
 	case types.History:
 		data.Histories, err = extractHistories(path)
 	case types.Download:
@@ -112,7 +112,7 @@ func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, k
 	case types.Bookmark:
 		data.Bookmarks, err = extractBookmarks(path)
 	case types.CreditCard:
-		data.CreditCards, err = extractCreditCards(keys, path)
+		data.CreditCards, err = extractCreditCards(masterKeys, path)
 	case types.Extension:
 		data.Extensions, err = extractExtensions(path)
 	case types.LocalStorage:
@@ -8,8 +8,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/filemanager"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -32,7 +32,7 @@ func TestExtractCategory_CustomExtractor(t *testing.T) {
 	}

 	data := &types.BrowserData{}
-	p.extractCategory(data, types.Extension, keyretriever.MasterKeys{}, "unused-path")
+	p.extractCategory(data, types.Extension, masterkey.MasterKeys{}, "unused-path")

 	assert.True(t, called, "custom extractor should be called")
 	require.Len(t, data.Extensions, 1)
@@ -51,7 +51,7 @@ func TestExtractCategory_DefaultFallback(t *testing.T) {
 	}

 	data := &types.BrowserData{}
-	p.extractCategory(data, types.History, keyretriever.MasterKeys{}, path)
+	p.extractCategory(data, types.History, masterkey.MasterKeys{}, path)

 	require.Len(t, data.Histories, 1)
 	assert.Equal(t, "Example", data.Histories[0].Title)
@@ -3,7 +3,7 @@ package chromium
 import (
 	"path/filepath"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -51,17 +51,17 @@ func sourcesForKind(kind types.BrowserKind) map[types.Category][]sourcePath {
 // switch logic, enabling browser-specific parsing (e.g. Opera's opsettings
 // for extensions, Yandex's credit card table, QBCI-encrypted bookmarks).
 type categoryExtractor interface {
-	extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error
+	extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error
 }

 // passwordExtractor wraps a custom password extract function.
 type passwordExtractor struct {
-	fn func(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error)
+	fn func(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error)
 }

-func (e passwordExtractor) extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error {
+func (e passwordExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error {
 	var err error
-	data.Passwords, err = e.fn(keys, path)
+	data.Passwords, err = e.fn(masterKeys, path)
 	return err
 }

@@ -70,7 +70,7 @@ type extensionExtractor struct {
 	fn func(path string) ([]types.ExtensionEntry, error)
 }

-func (e extensionExtractor) extract(_ keyretriever.MasterKeys, path string, data *types.BrowserData) error {
+func (e extensionExtractor) extract(_ masterkey.MasterKeys, path string, data *types.BrowserData) error {
 	var err error
 	data.Extensions, err = e.fn(path)
 	return err
@@ -79,12 +79,12 @@ func (e extensionExtractor) extract(_ keyretriever.MasterKeys, path string, data
 // creditCardExtractor wraps a custom credit-card extract function, used by Yandex whose Ya Credit Cards DB stores
 // rows as records(guid, public_data, private_data) with JSON blobs rather than Chromium's flat credit_cards table.
 type creditCardExtractor struct {
-	fn func(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error)
+	fn func(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error)
 }

-func (e creditCardExtractor) extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error {
+func (e creditCardExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error {
 	var err error
-	data.CreditCards, err = e.fn(keys, path)
+	data.CreditCards, err = e.fn(masterKeys, path)
 	return err
 }

@@ -3,39 +3,36 @@ package browser
 import (
 	"runtime"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
 	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 )

-// BuildDump exports per-installation master keys. Each Browser is one installation,
-// so this is a straight one-Vault-per-installation map: ExportKeys is invoked once
-// per installation. Installations without KeyManager (Firefox/Safari) are skipped.
-// Partial results (e.g. V10 retrieved, V20 failed) keep the usable tiers rather than
-// discarding the vault — a Chrome 127+ profile mixes v10 + v20 ciphertexts and a
-// v20-only failure must not erase a usable v10 key.
-func BuildDump(browsers []Browser) keyretriever.Dump {
-	dump := keyretriever.NewDump()
+// BuildDump exports one Vault per installation (Firefox/Safari, lacking KeyManager, are skipped).
+// Partial results are kept — a Chrome 127+ profile mixes v10+v20, so a v20-only failure must not
+// discard a usable v10 key.
+func BuildDump(browsers []Browser) masterkey.Dump {
+	dump := masterkey.NewDump()
 	for _, b := range browsers {
 		km, ok := b.(KeyManager)
 		if !ok {
 			continue
 		}
-		keys, err := km.ExportKeys()
+		mk, err := km.ExportKeys()
 		if err != nil {
 			status := "partial"
-			if !keys.HasAny() {
+			if !mk.HasAny() {
 				status = "failed"
 			}
 			log.Warnf("dump-keys: %s %s: %v", b.BrowserName(), status, err)
 		}
-		if !keys.HasAny() {
+		if !mk.HasAny() {
 			continue
 		}
-		dump.Vaults = append(dump.Vaults, keyretriever.Vault{
+		dump.Vaults = append(dump.Vaults, masterkey.Vault{
 			Browser:     b.BrowserName(),
 			UserDataDir: b.UserDataDir(),
 			Profiles:    profileNames(b),
-			Keys:        keys,
+			Keys:        mk,
 		})
 	}
 	return dump
@@ -50,21 +47,17 @@ func profileNames(b Browser) []string {
 	return names
 }

-// ApplyDump installs master keys from dump onto matching installations, replacing
-// each installation's default platform-native retrievers with StaticProviders
-// backed by the Dump's bytes. Matching is by (BrowserName, UserDataDir) — the same
-// key BuildDump emits. When exact match fails (commonly a cross-host path mismatch:
-// Windows backslash vs POSIX, or a relocated User Data dir via -p), falls back to
-// the sole vault for that browser name when one exists. Installations without a
-// matching vault are warned and left untouched; non-KeyManager installations
-// (Firefox/Safari) are skipped silently.
-func ApplyDump(browsers []Browser, dump keyretriever.Dump) {
+// ApplyDump overlays StaticRetrievers from dump onto matching installations (Firefox/Safari skipped).
+// Match is by (BrowserName, UserDataDir); on miss — commonly a cross-host path mismatch (Windows vs
+// POSIX, or a relocated dir via -p) — it falls back to the sole vault for that browser name. No match
+// → warn and leave the platform retrievers in place.
+func ApplyDump(browsers []Browser, dump masterkey.Dump) {
 	if dump.Host.OS != "" && dump.Host.OS != runtime.GOOS {
 		log.Infof("apply-keys: dump created on %s/%s; current host is %s/%s",
 			dump.Host.OS, dump.Host.Arch, runtime.GOOS, runtime.GOARCH)
 	}
-	vaultIndex := make(map[string]*keyretriever.Vault, len(dump.Vaults))
-	vaultsByBrowser := make(map[string][]*keyretriever.Vault)
+	vaultIndex := make(map[string]*masterkey.Vault, len(dump.Vaults))
+	vaultsByBrowser := make(map[string][]*masterkey.Vault)
 	for i := range dump.Vaults {
 		v := &dump.Vaults[i]
 		vaultIndex[v.Browser+"|"+v.UserDataDir] = v
@@ -88,19 +81,19 @@ func ApplyDump(browsers []Browser, dump keyretriever.Dump) {
 			log.Warnf("apply-keys: %s no matching vault in dump", b.BrowserName())
 			continue
 		}
-		km.SetKeyRetrievers(keyretriever.Retrievers{
-			V10: maybeStaticProvider(v.Keys.V10),
-			V11: maybeStaticProvider(v.Keys.V11),
-			V20: maybeStaticProvider(v.Keys.V20),
+		km.SetRetrievers(masterkey.Retrievers{
+			V10: maybeStaticRetriever(v.Keys.V10),
+			V11: maybeStaticRetriever(v.Keys.V11),
+			V20: maybeStaticRetriever(v.Keys.V20),
 		})
 	}
 }

-// maybeStaticProvider wraps non-empty key bytes as a StaticProvider; an empty/nil key returns nil
+// maybeStaticRetriever wraps non-empty key bytes as a StaticRetriever; an empty/nil key returns nil
 // to preserve the "tier not applicable" signal NewMasterKeys expects.
-func maybeStaticProvider(key []byte) keyretriever.KeyRetriever {
+func maybeStaticRetriever(key []byte) masterkey.Retriever {
 	if len(key) == 0 {
 		return nil
 	}
-	return keyretriever.NewStaticProvider(key)
+	return masterkey.NewStaticRetriever(key)
 }
@@ -6,7 +6,7 @@ import (
 	"runtime"
 	"testing"

-	"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
+	"github.com/moond4rk/hackbrowserdata/masterkey"
 	"github.com/moond4rk/hackbrowserdata/types"
 )

@@ -44,25 +44,25 @@ func (m *mockBrowser) CountEntries(_ []types.Category) ([]types.CountResult, err

 type mockChromiumBrowser struct {
 	mockBrowser
-	keys               keyretriever.MasterKeys
+	keys               masterkey.MasterKeys
 	exportErr          error
 	calls              int
-	receivedRetrievers keyretriever.Retrievers
+	receivedRetrievers masterkey.Retrievers
 }

-func (m *mockChromiumBrowser) SetKeyRetrievers(r keyretriever.Retrievers) {
+func (m *mockChromiumBrowser) SetRetrievers(r masterkey.Retrievers) {
 	m.receivedRetrievers = r
 }

-func (m *mockChromiumBrowser) ExportKeys() (keyretriever.MasterKeys, error) {
+func (m *mockChromiumBrowser) ExportKeys() (masterkey.MasterKeys, error) {
 	m.calls++
 	return m.keys, m.exportErr
 }

 func TestBuildDump_Empty(t *testing.T) {
 	dump := BuildDump(nil)
-	if dump.Version != keyretriever.DumpVersion {
-		t.Errorf("Version = %q, want %q", dump.Version, keyretriever.DumpVersion)
+	if dump.Version != masterkey.DumpVersion {
+		t.Errorf("Version = %q, want %q", dump.Version, masterkey.DumpVersion)
 	}
 	if dump.Host.OS != runtime.GOOS {
 		t.Errorf("Host.OS = %q, want %q", dump.Host.OS, runtime.GOOS)
@@ -75,7 +75,7 @@ func TestBuildDump_Empty(t *testing.T) {
 func TestBuildDump_SingleChromium(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10-key")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10-key")},
 	}

 	dump := BuildDump([]Browser{b})
@@ -101,7 +101,7 @@ func TestBuildDump_SingleChromium(t *testing.T) {
 func TestBuildDump_MultipleProfilesOneVault(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault, testProfile1}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10")},
 	}

 	dump := BuildDump([]Browser{b})
@@ -120,7 +120,7 @@ func TestBuildDump_MultipleProfilesOneVault(t *testing.T) {
 func TestBuildDump_SkipsNonKeyManager(t *testing.T) {
 	chrome := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: "/chrome", profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10")},
 	}
 	firefox := &mockBrowser{name: firefoxName, userDataDir: "/ff", profiles: []string{"default-release"}}

@@ -137,7 +137,7 @@ func TestBuildDump_SkipsNonKeyManager(t *testing.T) {
 func TestBuildDump_SkipsExportError(t *testing.T) {
 	good := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: "/chrome", profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10")},
 	}
 	failing := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: testEdgeName, userDataDir: "/edge", profiles: []string{testProfileDefault}},
@@ -157,7 +157,7 @@ func TestBuildDump_SkipsExportError(t *testing.T) {
 func TestBuildDump_JSONRoundTrip(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte{0x01, 0x02, 0x03}, V20: []byte{0xff, 0xee}},
+		keys:        masterkey.MasterKeys{V10: []byte{0x01, 0x02, 0x03}, V20: []byte{0xff, 0xee}},
 	}

 	dump := BuildDump([]Browser{b})
@@ -167,7 +167,7 @@ func TestBuildDump_JSONRoundTrip(t *testing.T) {
 		t.Fatalf("WriteJSON: %v", err)
 	}

-	parsed, err := keyretriever.ReadJSON(&buf)
+	parsed, err := masterkey.ReadJSON(&buf)
 	if err != nil {
 		t.Fatalf("ReadJSON: %v", err)
 	}
@@ -192,7 +192,7 @@ func TestBuildDump_JSONRoundTrip(t *testing.T) {
 func TestBuildDump_PartialKeys(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10")},
 		exportErr:   errors.New("v20: ABE failed"),
 	}

@@ -213,9 +213,9 @@ func TestApplyDump_Match(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
 	}
-	dump := keyretriever.Dump{
-		Vaults: []keyretriever.Vault{
-			{Browser: chromeName, UserDataDir: testUDD, Keys: keyretriever.MasterKeys{V10: []byte("v10-from-dump")}},
+	dump := masterkey.Dump{
+		Vaults: []masterkey.Vault{
+			{Browser: chromeName, UserDataDir: testUDD, Keys: masterkey.MasterKeys{V10: []byte("v10-from-dump")}},
 		},
 	}
 	ApplyDump([]Browser{b}, dump)
@@ -223,7 +223,7 @@ func TestApplyDump_Match(t *testing.T) {
 	if b.receivedRetrievers.V10 == nil {
 		t.Fatal("V10 retriever should be set from matching vault")
 	}
-	got, err := b.receivedRetrievers.V10.RetrieveKey(keyretriever.Hints{})
+	got, err := b.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{})
 	if err != nil || string(got) != "v10-from-dump" {
 		t.Errorf("V10.RetrieveKey() = %q, err = %v, want %q", got, err, "v10-from-dump")
 	}
@@ -236,9 +236,9 @@ func TestApplyDump_MissingVault(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
 	}
-	dump := keyretriever.Dump{
-		Vaults: []keyretriever.Vault{
-			{Browser: testEdgeName, UserDataDir: "/edge", Keys: keyretriever.MasterKeys{V10: []byte("v10")}},
+	dump := masterkey.Dump{
+		Vaults: []masterkey.Vault{
+			{Browser: testEdgeName, UserDataDir: "/edge", Keys: masterkey.MasterKeys{V10: []byte("v10")}},
 		},
 	}
 	ApplyDump([]Browser{b}, dump)
@@ -250,9 +250,9 @@ func TestApplyDump_MissingVault(t *testing.T) {

 func TestApplyDump_NonKeyManagerSkipped(t *testing.T) {
 	firefox := &mockBrowser{name: firefoxName, userDataDir: "/ff", profiles: []string{"default-release"}}
-	dump := keyretriever.Dump{
-		Vaults: []keyretriever.Vault{
-			{Browser: firefoxName, UserDataDir: "/ff", Keys: keyretriever.MasterKeys{V10: []byte("v10")}},
+	dump := masterkey.Dump{
+		Vaults: []masterkey.Vault{
+			{Browser: firefoxName, UserDataDir: "/ff", Keys: masterkey.MasterKeys{V10: []byte("v10")}},
 		},
 	}
 	// firefox does not implement KeyManager; ApplyDump must not panic and must not attempt injection.
@@ -262,7 +262,7 @@ func TestApplyDump_NonKeyManagerSkipped(t *testing.T) {
 func TestApplyDump_RoundTrip(t *testing.T) {
 	src := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}},
-		keys:        keyretriever.MasterKeys{V10: []byte("v10-rt"), V20: []byte("v20-rt")},
+		keys:        masterkey.MasterKeys{V10: []byte("v10-rt"), V20: []byte("v20-rt")},
 	}
 	dump := BuildDump([]Browser{src})

@@ -271,11 +271,11 @@ func TestApplyDump_RoundTrip(t *testing.T) {
 	}
 	ApplyDump([]Browser{dst}, dump)

-	v10, _ := dst.receivedRetrievers.V10.RetrieveKey(keyretriever.Hints{})
+	v10, _ := dst.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{})
 	if string(v10) != "v10-rt" {
 		t.Errorf("V10 round-trip: got %q, want v10-rt", v10)
 	}
-	v20, _ := dst.receivedRetrievers.V20.RetrieveKey(keyretriever.Hints{})
+	v20, _ := dst.receivedRetrievers.V20.RetrieveKey(masterkey.Hints{})
 	if string(v20) != "v20-rt" {
 		t.Errorf("V20 round-trip: got %q, want v20-rt", v20)
 	}
@@ -291,12 +291,12 @@ func TestApplyDump_FallbackOnPathMismatch(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: "/local/chrome", profiles: []string{testProfileDefault}},
 	}
-	dump := keyretriever.Dump{
-		Vaults: []keyretriever.Vault{
+	dump := masterkey.Dump{
+		Vaults: []masterkey.Vault{
 			{
 				Browser:     chromeName,
 				UserDataDir: `C:\Users\foo\AppData\Local\Google\Chrome\User Data`,
-				Keys:        keyretriever.MasterKeys{V10: []byte("v10-fallback")},
+				Keys:        masterkey.MasterKeys{V10: []byte("v10-fallback")},
 			},
 		},
 	}
@@ -305,7 +305,7 @@ func TestApplyDump_FallbackOnPathMismatch(t *testing.T) {
 	if b.receivedRetrievers.V10 == nil {
 		t.Fatal("V10 retriever should be set via single-vault fallback")
 	}
-	got, err := b.receivedRetrievers.V10.RetrieveKey(keyretriever.Hints{})
+	got, err := b.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{})
 	if err != nil || string(got) != "v10-fallback" {
 		t.Errorf("V10.RetrieveKey() = %q, err = %v, want %q", got, err, "v10-fallback")
 	}
@@ -317,10 +317,10 @@ func TestApplyDump_NoFallbackWhenAmbiguous(t *testing.T) {
 	b := &mockChromiumBrowser{
 		mockBrowser: mockBrowser{name: chromeName, userDataDir: "/local/chrome", profiles: []string{testProfileDefault}},
 	}
-	dump := keyretriever.Dump{
-		Vaults: []keyretriever.Vault{
-			{Browser: chromeName, UserDataDir: "/path/a", Keys: keyretriever.MasterKeys{V10: []byte("a")}},
-			{Browser: chromeName, UserDataDir: "/path/b", Keys: keyretriever.MasterKeys{V10: []byte("b")}},
+	dump := masterkey.Dump{
+		Vaults: []masterkey.Vault{
+			{Browser: chromeName, UserDataDir: "/path/a", Keys: masterkey.MasterKeys{V10: []byte("a")}},
+			{Browser: chromeName, UserDataDir: "/path/b", Keys: masterkey.MasterKeys{V10: []byte("b")}},
 		},
 	}
 	ApplyDump([]Browser{b}, dump)
@@ -45,16 +45,9 @@ func countPasswords(keychainPassword string) (int, error) {
 	return len(passwords), nil
 }

-// getInternetPasswords reads InternetPassword records directly from the
-// macOS login keychain. See rfcs/006-key-retrieval-mechanisms.md §7 for why
-// Safari owns this path instead of routing through crypto/keyretriever.
-//
-// TryUnlock is always invoked — with the user-supplied password when one is
-// available, otherwise with no options — to enable keychainbreaker's partial
-// extraction mode. With a valid password we get fully decrypted entries; with
-// empty or wrong password we still get metadata records (URL, account,
-// timestamps) and PlainPassword left blank, which Safari can export as
-// metadata-only output instead of failing with ErrLocked.
+// getInternetPasswords reads InternetPassword records straight from the macOS login keychain (Safari owns its own key
+// path, separate from the masterkey package). TryUnlock always runs — even without a password — so a locked keychain
+// still yields metadata-only records (URL, account, blank password) instead of failing with ErrLocked.
 func getInternetPasswords(keychainPassword string) ([]keychainbreaker.InternetPassword, error) {
 	kc, err := keychainbreaker.Open()
 	if err != nil {
@@ -82,8 +75,7 @@ func buildURL(protocol, server string, port uint32, path string) string {
 		return ""
 	}

-	// Convert macOS Keychain FourCC protocol code to URL scheme.
-	// Only "htps" needs special mapping; others just need space trimming.
+	// macOS Keychain stores the protocol as a FourCC code; only "htps" needs remapping, others just trim padding.
 	scheme := strings.TrimRight(protocol, " ")
 	if scheme == "" || scheme == "htps" {
 		scheme = "https"