fixup! crypto: support OpenSSL STORE private keys

Author: panva

doc/api/cli.md

@@ -191,6 +191,28 @@ This behavior also applies to `child_process.spawn()`, but in that case, the
 flags are propagated via the `NODE_OPTIONS` environment variable rather than
 directly through the process arguments.
 
+### `--allow-crypto-store`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to load
+private keys from OpenSSL STORE provider URLs by default. Attempts to do so
+will throw an `ERR_ACCESS_DENIED` unless the user explicitly passes the
+`--allow-crypto-store` flag when starting Node.js.
+
+This permission only applies to OpenSSL STORE provider URLs accepted by
+[`crypto.createPrivateKey()`][]. It does not grant access to Node.js file
+system or network APIs. Configured OpenSSL providers may still perform their
+own I/O, credential handling, hardware access, or daemon communication outside
+of Node.js `fs` and `net` permission scopes.
+
+Node.js does not pass URL input to OpenSSL's built-in `default` or `base` STORE
+loaders, so local file STORE loading is not exposed through this API.
+
 ### `--allow-ffi`
 
 <!-- YAML
@@ -329,28 +351,6 @@ Error: connect ERR_ACCESS_DENIED Access to this API has been restricted. Use --a
 }
 ```
 
-### `--allow-crypto-store`
-
-<!-- YAML
-added: REPLACEME
--->
-
-> Stability: 1.1 - Active development
-
-When using the [Permission Model][], the process will not be able to load
-private keys from OpenSSL STORE provider URLs by default. Attempts to do so
-will throw an `ERR_ACCESS_DENIED` unless the user explicitly passes the
-`--allow-crypto-store` flag when starting Node.js.
-
-This permission only applies to OpenSSL STORE provider URLs accepted by
-[`crypto.createPrivateKey()`][]. It does not grant access to Node.js file
-system or network APIs. Configured OpenSSL providers may still perform their
-own I/O, credential handling, hardware access, or daemon communication outside
-of Node.js `fs` and `net` permission scopes.
-
-Node.js does not pass URL input to OpenSSL's built-in `default` or `base` STORE
-loaders, so local file STORE loading is not exposed through this API.
-
 ### `--allow-net`
 
 <!-- YAML

doc/node.1

@@ -135,6 +135,20 @@ This behavior also applies to \fBchild_process.spawn()\fR, but in that case, the
 flags are propagated via the \fBNODE_OPTIONS\fR environment variable rather than
 directly through the process arguments.
 .
+.It Fl -allow-crypto-store
+When using the Permission Model, the process will not be able to load private
+keys from OpenSSL STORE provider URLs by default.
+Attempts to do so will throw an \fBERR_ACCESS_DENIED\fR unless the user
+explicitly passes the \fB--allow-crypto-store\fR flag when starting Node.js.
+This permission only applies to OpenSSL STORE provider URLs accepted by
+\fBcrypto.createPrivateKey()\fR. It does not grant access to Node.js file system
+or network APIs. Configured OpenSSL providers may still perform their own I/O,
+credential handling, hardware access, or daemon communication outside of
+Node.js \fBfs\fR and \fBnet\fR permission scopes.
+Node.js does not pass URL input to OpenSSL's built-in \fBdefault\fR or
+\fBbase\fR STORE loaders, so local file STORE loading is not exposed through
+this API.
+.
 .It Fl -allow-ffi
 When using the Permission Model, the process will not be able to use
 \fBnode:ffi\fR by default.
@@ -1152,6 +1166,8 @@ File System - manageable through
 .It
 Network - manageable through \fB--allow-net\fR flag
 .It
+OpenSSL STORE - manageable through \fB--allow-crypto-store\fR flag
+.It
 Child Process - manageable through \fB--allow-child-process\fR flag
 .It
 Worker Threads - manageable through \fB--allow-worker\fR flag
@@ -1875,6 +1891,8 @@ one is included in the list below.
 .It
 \fB--allow-child-process\fR
 .It
+\fB--allow-crypto-store\fR
+.It
 \fB--allow-ffi\fR
 .It
 \fB--allow-fs-read\fR