bard-backup 0.9.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e6b8c5fc22e116de54fd82fc993bdee128e727c475306b05cfe0241a33a567d
-  data.tar.gz: 32384f16f624b3c0fea64b9d0e89070f85755f4abd94d8ef92813a3ac43c45d8
+  metadata.gz: 79b2f29911f73ce6b73f1adce60d4595854edac99e4d0664a39c1b01c5680076
+  data.tar.gz: 7f17e3ce3ed4c71555039b6b384759d5e5ddd3d3c17085014c3fccc2b41e593e
 SHA512:
-  metadata.gz: 131137228ac376b6ba371d00285eacd77256dc9c5fb78bf0b81a471a6d11cbbe7f5442b3874e1007ddbdcfe03731c899f9b22713e3cb0f53a3cc666c5a192dbc
-  data.tar.gz: eba4898acca3c5da3accb686f04bc29e9b3c79d7b68d43c8940ae7f109c47a7a2187bb45afdd42f45c23a04676bddc847b718ea345c9d610aebbb39a90d27e65
+  metadata.gz: ad7eb50c8781bed4f6ec83359afd2f7d029087e52574678bbed7578dbb64b01e0e9636e65cb98794bae2214a1fea3db956894d803a8af3a29b626cce52d1f692
+  data.tar.gz: 3e0a8974d131887b9da4d5f82a71608f56d28af077a88abd2d03bd267c74769dbeadbe974bb653ec1d433c6fe1956e6367706e6fe53484b93dc3f7cf43a6f39f

data/CLAUDE.md

@@ -0,0 +1,69 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+bard-backup is a Ruby gem that provides automated backup for Bard projects. It:
+- Dumps the database, uploads to S3, deletes old backups using a retention heuristic (48 hours, 30 days, 26 weeks, 24 months, then yearly), and verifies the previous hour's backup exists.
+- Syncs configured data directories to S3 via a manifest-cached file tree (`Bard::Backup::FileTree`).
+- Optionally encrypts uploaded payloads at rest with AES-256-GCM (`Bard::Backup::Encryptor`).
+
+## Commands
+
+```bash
+# Run the default test suite (Cucumber acceptance tests)
+bundle exec rake
+
+# Run RSpec unit tests
+bundle exec rspec
+
+# Run a single spec file
+bundle exec rspec spec/bard/backup/deleter_spec.rb
+
+# Run Cucumber acceptance tests
+bundle exec cucumber
+
+# Run a specific Cucumber feature
+bundle exec cucumber features/backup.feature
+```
+
+## Test Credentials
+
+Tests require AWS credentials at `spec/support/credentials.json`. In CI, this is generated from GitHub secrets. For local development, create it manually:
+
+```json
+{
+  "access_key_id": "...",
+  "secret_access_key": "...",
+  "region": "..."
+}
+```
+
+## Architecture
+
+**Entry points**:
+- `Bard::Backup.create!` accepts destination configs (or reads from `Bard::Config`) and delegates to destination strategies. Returns a `Bard::Backup` instance with timestamp/size/destinations.
+- `Bard::Backup::FileTree.create!` syncs configured data directories to S3.
+
+**Destination strategy pattern**: `Destination.build(config)` is a factory that picks the right class based on `:type`:
+- `S3Destination` — dumps DB locally via backhoe, uploads to S3, runs `Deleter` for retention, verifies previous hour's backup
+- `UploadDestination` — dumps DB and uploads to presigned URLs (multi-threaded)
+
+**Config DSL** (loaded via `bard/plugins/backup` and `bard/plugins/encrypt`, which extend `Bard::Config`):
+```ruby
+backup do
+  s3 "primary", path: "bucket/subfolder", region: "us-west-2"
+end
+encrypt true  # reads key from config/master.key
+```
+
+**Key classes**:
+- `S3Tree` — `Data.define`-based S3 wrapper used by both `S3Destination` and `FileTree`. Methods: `list_objects`, `put_file`, `put_body`, `get`, `delete_keys`, `mv`, `empty!`. Supports encryption via `Encryptor` and STS `session_token`.
+- `FileTree` — syncs local data paths to S3 using a local `.bard-file-tree-sync.json` manifest (mtime+size fast path, MD5 verification, falls back to remote listing on first run)
+- `Encryptor` — AES-256-GCM with HKDF-derived keys and a deterministic IV (HMAC of plaintext), enabling content-addressable encryption
+- `Deleter` — implements the retention policy via `Filter` structs that check time-based granularities
+- `LocalBackhoe` / `CachedLocalBackhoe` — database dump strategies (cached variant avoids conflicts when running parallel destinations)
+- `LatestFinder` — finds the most recent backup across all configured destinations
+- `BackupConfig` — the `backup do ... end` DSL surface (`bard`, `disabled`, `s3 name, **kwargs`); `create!` reads `bard_config.backup.destinations` from it
+- `Railtie` — loads `tasks.rake` which provides `bard:backup` (DB + data) and `bard:backup:data` (data only) rake tasks in Rails apps

data/README.md

@@ -1,17 +1,58 @@
 # Bard::Backup
 
-Bard::Backup does 3 things in a bard project
-1. Takes a database dump and uploads it to our s3 bucket
-2. Deletes old backups using a backoff heuristic: 48 hours, 30 days, 26 weeks, 24 months, then yearly
-3. Raises an error if we don't have a backup from the previous hour
+Bard::Backup handles backups for a bard project:
+1. Takes a database dump and uploads it to S3 (or PUTs it to presigned URLs)
+2. Syncs configured data directories to S3 with a local manifest cache
+3. Deletes old database backups using a backoff heuristic: 48 hours, 30 days, 26 weeks, 24 months, then yearly
+4. Raises an error if we don't have a database backup from the previous hour
+5. Optionally encrypts uploaded payloads at rest with AES-256-GCM
 
 ## Installation
 
+Add to your `Gemfile`:
+
+```ruby
+gem "bard-backup"
+```
+
 ## Usage
 
-Run with `Bard::Backup.call path: "s3_bucket/optional_subfolder", access_key_id: "...", secret_access_key: "...", region: "..."`
+In a Rails app, configure destinations in `config/bard.rb` using the `Bard::Config` DSL:
+
+```ruby
+backup do
+  s3 "primary", path: "my-bucket/my-project", region: "us-west-2"
+end
+
+# Optional: encrypt payloads at rest. Reads the key from config/master.key.
+encrypt true
+```
+
+Credentials live in Rails encrypted credentials under `bard_backup` (matched by `name:`):
+
+```yaml
+bard_backup:
+  - name: primary
+    access_key_id: ...
+    secret_access_key: ...
+```
+
+Then run via the rake tasks provided by the bundled Railtie:
+
+```bash
+rake bard:backup        # database backup + data file-tree sync
+rake bard:backup:data   # data file-tree sync only
+```
+
+Or call programmatically:
+
+```ruby
+Bard::Backup.create!(type: :s3, path: "bucket/subfolder",
+                     access_key_id: "...", secret_access_key: "...", region: "...")
+Bard::Backup::FileTree.create!
+```
 
-Or just run via the `bard-rake` gem: `rake db:backup`, which wires up the above for you.
+`UploadDestination` (`type: :upload`, with `urls: [...]`) PUTs the dump to one or more presigned URLs in parallel — useful when the receiver, not the sender, holds the S3 credentials.
 
 ## Development
 
@@ -21,7 +62,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bard-backup.
+Bug reports and pull requests are welcome on GitHub at https://github.com/botandrose/bard-backup.
 
 ## License
 

data/lib/bard/backup/cached_local_backhoe.rb

@@ -2,13 +2,13 @@ require "backhoe"
 
 module Bard
   class Backup
-    class CachedLocalBackhoe < Struct.new(:s3_dir, :now)
+    class CachedLocalBackhoe < Struct.new(:s3_tree, :now)
       def self.call *args
         new(*args).call
       end
 
       def call
-        s3_dir.put path
+        s3_tree.put_file(path, File.basename(path))
       end
 
       private

data/lib/bard/backup/database.rb

@@ -0,0 +1,33 @@
+require "bard/backup/destination"
+
+module Bard
+  class Backup
+    module Database
+      def self.create!(destination_hashes = nil, **config)
+        if destination_hashes.nil? && !config.empty?
+          destination_hashes = [config]
+        end
+
+        bard_config = defined?(Bard::Config) ? Bard::Config.current : nil
+        destination_hashes ||= bard_config&.backup&.destinations || []
+
+        destinations = if destination_hashes.is_a?(Hash)
+          [destination_hashes]
+        else
+          Array(destination_hashes)
+        end
+
+        encryption_key = bard_config&.respond_to?(:encryption_key) ? bard_config.encryption_key : nil
+        if encryption_key
+          destinations = destinations.map { |h| { encryption_key: encryption_key, **h } }
+        end
+
+        result = nil
+        destinations.each do |hash|
+          result = Backup::Destination.build(hash).call
+        end
+        result
+      end
+    end
+  end
+end

data/lib/bard/backup/deleter.rb

@@ -4,13 +4,13 @@ require "active_support/core_ext/integer/time"
 
 module Bard
   class Backup
-    class Deleter < Struct.new(:s3_dir, :now)
+    class Deleter < Struct.new(:s3_tree, :now)
       def call
-        s3_dir.delete files_to_delete
+        s3_tree.delete_keys files_to_delete
       end
 
       def files_to_delete
-        s3_dir.files.select do |file|
+        s3_tree.list_objects.keys.select do |file|
           [
             Filter.new(now, 48, :hours),
             Filter.new(now, 30, :days),

data/lib/bard/backup/destination/s3_destination.rb

@@ -1,4 +1,4 @@
-require "bard/backup/s3_dir"
+require "bard/backup/s3_tree"
 require "bard/backup/deleter"
 require "bard/backup/local_backhoe"
 require "bard/backup/cached_local_backhoe"
@@ -7,12 +7,12 @@ module Bard
   class Backup
     class S3Destination < Destination
       def call
-        strategy.call(s3_dir, now)
-        Deleter.new(s3_dir, now).call
+        strategy.call(s3_tree, now)
+        Deleter.new(s3_tree, now).call
       end
 
-      def s3_dir
-        @s3_dir ||= S3Dir.new(**config.slice(:endpoint, :path, :access_key_id, :secret_access_key, :region))
+      def s3_tree
+        @s3_tree ||= S3Tree.new(**config.slice(:endpoint, :path, :access_key_id, :secret_access_key, :region, :encryption_key))
       end
 
       def info
@@ -23,15 +23,7 @@ module Bard
 
       def config
         @config ||= begin
-          config = {}
-
-          if defined?(Rails)
-            credentials = Rails.application.credentials.bard_backup || []
-            credentials = [credentials] if credentials.is_a?(Hash)
-            config = credentials.find { |c| c[:name] == super[:name] } || {}
-          end
-
-          config = { type: :s3, region: "us-west-2" }.merge(config).merge(super)
+          config = { type: :s3, region: "us-west-2" }.merge(super)
           config[:endpoint] ||= "https://s3.#{config[:region]}.amazonaws.com"
           config
         end

data/lib/bard/backup/destination/upload_destination.rb

@@ -1,6 +1,7 @@
 require "fileutils"
 require "uri"
 require "net/http"
+require "bard/backup/encryptor"
 
 module Bard
   class Backup
@@ -53,8 +54,12 @@ module Bard
         uri = URI.parse(url)
 
         File.open(file_path, "rb") do |file|
+          body = file.read
+          if config[:encryption_key]
+            body = Encryptor.new(config[:encryption_key]).encrypt(body)
+          end
           request = Net::HTTP::Put.new(uri)
-          request.body = file.read
+          request.body = body
           request.content_type = "application/octet-stream"
 
           response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|

data/lib/bard/backup/encryptor.rb

@@ -0,0 +1,39 @@
+require "openssl"
+
+module Bard
+  class Backup
+    class Encryptor
+      def initialize(key)
+        @encrypt_key = derive_key(key, "encryption")
+        @iv_key = derive_key(key, "iv-derivation")
+      end
+
+      def encrypt(data)
+        data = data.b if data.encoding != Encoding::BINARY
+        iv = OpenSSL::HMAC.digest("SHA256", @iv_key, data)[0, 12]
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        cipher.encrypt
+        cipher.key = @encrypt_key
+        cipher.iv = iv
+        ciphertext = cipher.update(data) + cipher.final
+        iv + cipher.auth_tag + ciphertext
+      end
+
+      def decrypt(data)
+        data = data.b if data.encoding != Encoding::BINARY
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        cipher.decrypt
+        cipher.key = @encrypt_key
+        cipher.iv = data[0, 12]
+        cipher.auth_tag = data[12, 16]
+        cipher.update(data[28..]) + cipher.final
+      end
+
+      private
+
+      def derive_key(raw_key, info)
+        OpenSSL::KDF.hkdf(raw_key, salt: "bard-backup-v1", info: info, length: 32, hash: "SHA256")
+      end
+    end
+  end
+end

data/lib/bard/backup/file_tree.rb

@@ -0,0 +1,108 @@
+require "json"
+require "digest/md5"
+require "bard/backup/s3_tree"
+
+module Bard
+  class Backup
+    class FileTree
+      MANIFEST_PATH = ".bard-file-tree-sync.json"
+      DEFAULT_BUCKET = "bard-data"
+
+      def self.create!(data_paths: nil, project_name: nil, bucket: DEFAULT_BUCKET, **s3_config)
+        bard_config = defined?(Bard::Config) ? Bard::Config.current : nil
+        data_paths ||= bard_config&.data || []
+        project_name ||= bard_config&.project_name
+        return if data_paths.empty?
+
+        encryption_key = s3_config.delete(:encryption_key)
+        encryption_key ||= bard_config&.respond_to?(:encryption_key) ? bard_config.encryption_key : nil
+
+        s3_tree = S3Tree.new(path: "#{bucket}/#{project_name}", encryption_key: encryption_key, **s3_config)
+        new(s3_tree, data_paths).call
+      end
+
+      def initialize(s3_tree, data_paths)
+        @s3_tree = s3_tree
+        @data_paths = data_paths
+      end
+
+      def call
+        manifest = load_manifest
+        local_files = collect_local_files
+
+        if manifest.empty?
+          sync_from_s3(local_files)
+        else
+          sync_from_manifest(local_files, manifest)
+        end
+      end
+
+      private
+
+      attr_reader :s3_tree, :data_paths
+
+      def sync_from_manifest(local_files, manifest)
+        new_manifest = {}
+
+        local_files.each do |path, stat|
+          cached = manifest[path]
+          if cached && cached["mtime"] == stat[:mtime] && cached["size"] == stat[:size]
+            new_manifest[path] = cached
+          else
+            md5 = Digest::MD5.file(path).hexdigest
+            if cached && cached["md5"] == md5
+              new_manifest[path] = cached.merge("mtime" => stat[:mtime])
+            else
+              s3_tree.put_file(path, path)
+              new_manifest[path] = { "md5" => md5, "mtime" => stat[:mtime], "size" => stat[:size] }
+            end
+          end
+        end
+
+        removed = manifest.keys - local_files.keys
+        s3_tree.delete_keys(removed)
+
+        save_manifest(new_manifest)
+      end
+
+      def sync_from_s3(local_files)
+        remote = s3_tree.list_objects
+        new_manifest = {}
+
+        local_files.each do |path, stat|
+          md5 = Digest::MD5.file(path).hexdigest
+          unless remote[path] == md5
+            s3_tree.put_file(path, path)
+          end
+          new_manifest[path] = { "md5" => md5, "mtime" => stat[:mtime], "size" => stat[:size] }
+        end
+
+        removed = remote.keys - local_files.keys
+        s3_tree.delete_keys(removed)
+
+        save_manifest(new_manifest)
+      end
+
+      def collect_local_files
+        result = {}
+        data_paths.each do |data_path|
+          Dir.glob("#{data_path}/**/*").each do |file|
+            next unless File.file?(file)
+            stat = File.stat(file)
+            result[file] = { mtime: stat.mtime.to_f, size: stat.size }
+          end
+        end
+        result
+      end
+
+      def load_manifest
+        return {} unless File.exist?(MANIFEST_PATH)
+        JSON.parse(File.read(MANIFEST_PATH))
+      end
+
+      def save_manifest(manifest)
+        File.write(MANIFEST_PATH, JSON.pretty_generate(manifest))
+      end
+    end
+  end
+end

data/lib/bard/backup/latest_finder.rb

@@ -11,7 +11,7 @@ module Bard
         end
 
         all_backups = destinations.flat_map do |dest|
-          dest.s3_dir.files.filter_map do |filename|
+          dest.s3_tree.list_objects.keys.filter_map do |filename|
             timestamp = parse_timestamp(filename)
             next unless timestamp
 
@@ -25,7 +25,7 @@ module Bard
 
         Bard::Backup.new(
           timestamp: latest[:timestamp],
-          size: get_file_size(latest[:destination].s3_dir, latest[:filename]),
+          size: get_file_size(latest[:destination].s3_tree, latest[:filename]),
           destinations: all_backups
             .select { |b| b[:timestamp] == latest[:timestamp] }
             .map { |b| b[:destination].info }
@@ -38,9 +38,9 @@ module Bard
         filename =~ /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)/ ? Time.parse($1) : nil
       end
 
-      def get_file_size(s3_dir, filename)
-        key = [s3_dir.folder_prefix, filename].compact.join("/")
-        s3_dir.send(:client).head_object(bucket: s3_dir.bucket_name, key: key).content_length
+      def get_file_size(s3_tree, filename)
+        key = [s3_tree.folder_prefix, filename].compact.join("/")
+        s3_tree.send(:client).head_object(bucket: s3_tree.bucket_name, key: key).content_length
       end
     end
   end

data/lib/bard/backup/local_backhoe.rb

@@ -3,11 +3,11 @@ require "backhoe"
 module Bard
   class Backup
     class LocalBackhoe
-      def self.call s3_dir, now
+      def self.call s3_tree, now
         filename = "#{now.iso8601}.sql.gz"
         path = "/tmp/#{filename}"
         Backhoe.dump path
-        s3_dir.mv path
+        s3_tree.mv path
       end
     end
   end

data/lib/bard/backup/rails_credentials.rb

@@ -0,0 +1,19 @@
+module Bard
+  class Backup
+    module RailsCredentials
+      def self.find(name: nil)
+        entries = all
+        return {} if entries.empty?
+        return entries.first if name.nil?
+        entries.find { |c| c[:name] == name } || {}
+      end
+
+      def self.all
+        return [] unless defined?(Rails)
+        creds = Rails.application.credentials.bard_backup
+        return [] unless creds
+        creds.is_a?(Hash) ? [creds] : Array(creds)
+      end
+    end
+  end
+end

data/lib/bard/backup/s3_tree.rb

@@ -0,0 +1,114 @@
+require "aws-sdk-s3"
+require "fileutils"
+require "bard/backup/encryptor"
+
+module Bard
+  class Backup
+    class S3Tree < Data.define(:endpoint, :path, :access_key_id, :secret_access_key, :region, :session_token, :encryption_key)
+      def initialize(**kwargs)
+        kwargs[:endpoint] ||= "https://s3.#{kwargs[:region]}.amazonaws.com"
+        kwargs[:session_token] ||= nil
+        kwargs[:encryption_key] ||= nil
+        super
+      end
+
+      def list_objects
+        result = {}
+        continuation_token = nil
+
+        loop do
+          response = client.list_objects_v2({
+            bucket: bucket_name,
+            prefix: folder_prefix ? "#{folder_prefix}/" : nil,
+            continuation_token: continuation_token,
+          }.compact)
+
+          response.contents.each do |object|
+            key = folder_prefix ? object.key.sub("#{folder_prefix}/", "") : object.key
+            result[key] = object.etag.tr('"', "")
+          end
+
+          break unless response.is_truncated
+          continuation_token = response.next_continuation_token
+        end
+
+        result
+      end
+
+      def put_file(local_path, remote_key)
+        put_body(remote_key, File.binread(local_path))
+      end
+
+      def put_body(remote_key, body)
+        body = encryptor.encrypt(body) if encryptor
+        client.put_object({
+          bucket: bucket_name,
+          key: [folder_prefix, remote_key].compact.join("/"),
+          body: body,
+        })
+      end
+
+      def mv(local_path)
+        put_file(local_path, File.basename(local_path))
+        FileUtils.rm(local_path)
+      end
+
+      def get(remote_key)
+        response = client.get_object({
+          bucket: bucket_name,
+          key: [folder_prefix, remote_key].compact.join("/"),
+        })
+        body = response.body.read
+        body = encryptor.decrypt(body) if encryptor
+        body
+      end
+
+      def delete_keys(keys)
+        return if keys.empty?
+        keys.each_slice(1000) do |batch|
+          objects_to_delete = batch.map do |key|
+            { key: [folder_prefix, key].compact.join("/") }
+          end
+          client.delete_objects({
+            bucket: bucket_name,
+            delete: {
+              objects: objects_to_delete,
+              quiet: true,
+            },
+          })
+        end
+      end
+
+      def empty!
+        list_objects.keys.each_slice(1000) do |batch|
+          delete_keys(batch)
+        end
+      end
+
+      def bucket_name
+        path.split("/").first
+      end
+
+      def folder_prefix
+        return nil if !path.include?("/")
+        path.split("/")[1..].join("/")
+      end
+
+      private
+
+      def encryptor
+        Encryptor.new(encryption_key) if encryption_key
+      end
+
+      def client
+        Aws::S3::Client.new({
+          endpoint: endpoint,
+          region: region,
+          access_key_id: access_key_id,
+          secret_access_key: secret_access_key,
+          session_token: session_token,
+        }.compact)
+      end
+    end
+  end
+end

data/lib/bard/backup/tasks.rake

@@ -1,7 +1,22 @@
+require "bard/backup/rails_credentials"
+
 namespace :bard do
-  desc "Backup the database to configured destinations"
+  desc "Backup the database and file trees to configured destinations"
   task :backup => :environment do
     require "bard/backup"
-    Bard::Backup.create!
+
+    destinations = Bard::Config.current.backup.destinations.map do |dest|
+      Bard::Backup::RailsCredentials.find(name: dest[:name]).merge(dest)
+    end
+
+    Bard::Backup.create!(destinations, **Bard::Backup::RailsCredentials.find)
+  end
+
+  namespace :backup do
+    desc "Backup file trees to S3"
+    task :data => :environment do
+      require "bard/backup"
+      Bard::Backup::FileTree.create!(**Bard::Backup::RailsCredentials.find)
+    end
   end
 end

data/lib/bard/backup/version.rb

@@ -1,6 +1,6 @@
 module Bard
   class Backup
-    VERSION = "0.9.1"
+    VERSION = "0.10.0"
   end
 end
 

data/lib/bard/backup.rb

@@ -1,26 +1,17 @@
-require "bard/backup/destination"
+require "bard/backup/database"
+require "bard/backup/file_tree"
 require "bard/backup/latest_finder"
+require "bard"
 require "bard/backup/railtie" if defined?(Rails)
 
 module Bard
   class Backup
-    def self.create!(destination_hashes = nil, **config)
-      if destination_hashes.nil? && !config.empty?
-        destination_hashes = [config]
-      end
-      destination_hashes ||= Bard::Config.current.backup.destinations
-
-      destinations = if destination_hashes.is_a?(Hash)
-        [destination_hashes]
-      else
-        Array(destination_hashes)
-      end
+    FILE_TREE_KEYS = [:access_key_id, :secret_access_key, :session_token, :region, :encryption_key].freeze
 
-      result = nil
-      destinations.each do |hash|
-        result = Destination.build(hash).call
-      end
-      result
+    def self.create!(destination_hashes = nil, **config)
+      backup = Database.create!(destination_hashes, **config)
+      FileTree.create!(**config.slice(*FILE_TREE_KEYS))
+      backup
     end
 
     def self.latest

data/lib/bard/plugins/backup.rb

@@ -0,0 +1,62 @@
+require "bard/config"
+
+module Bard
+  class BackupConfig
+    attr_reader :destinations
+
+    def initialize(&block)
+      @destinations = []
+      instance_eval(&block) if block_given?
+    end
+
+    def bard
+      @bard = true
+    end
+
+    def bard?
+      !!@bard
+    end
+
+    def disabled
+      @disabled = true
+    end
+
+    def disabled?
+      !!@disabled
+    end
+
+    def enabled?
+      !disabled?
+    end
+
+    def s3(name, **kwargs)
+      @destinations << {
+        name: name,
+        type: :s3,
+        **kwargs,
+      }
+    end
+
+    def self_managed?
+      @destinations.any?
+    end
+  end
+end
+
+class Bard::Config
+  def backup(value = nil, &block)
+    if block
+      @backup = Bard::BackupConfig.new(&block)
+    elsif value == false
+      @backup = Bard::BackupConfig.new { disabled }
+    elsif value.nil?
+      @backup ||= Bard::BackupConfig.new { bard }
+    else
+      raise ArgumentError, "backup accepts false or a block"
+    end
+  end
+
+  def backup_enabled?
+    backup == true
+  end
+end

data/lib/bard/plugins/encrypt.rb

@@ -0,0 +1,16 @@
+require "bard/config"
+
+class Bard::Config
+  def encrypt(value = nil)
+    if value.nil?
+      @encrypt
+    else
+      @encrypt = value
+    end
+  end
+
+  def encryption_key
+    return nil unless encrypt
+    File.read("config/master.key").strip
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bard-backup
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Micah Geisel
 bindir: exe
 cert_chain: []
-date: 2025-12-15 00:00:00.000000000 Z
+date: 2026-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: backhoe
@@ -88,6 +88,7 @@ files:
 - ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
+- CLAUDE.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -95,16 +96,22 @@ files:
 - lib/bard-backup.rb
 - lib/bard/backup.rb
 - lib/bard/backup/cached_local_backhoe.rb
+- lib/bard/backup/database.rb
 - lib/bard/backup/deleter.rb
 - lib/bard/backup/destination.rb
 - lib/bard/backup/destination/s3_destination.rb
 - lib/bard/backup/destination/upload_destination.rb
+- lib/bard/backup/encryptor.rb
+- lib/bard/backup/file_tree.rb
 - lib/bard/backup/latest_finder.rb
 - lib/bard/backup/local_backhoe.rb
+- lib/bard/backup/rails_credentials.rb
 - lib/bard/backup/railtie.rb
-- lib/bard/backup/s3_dir.rb
+- lib/bard/backup/s3_tree.rb
 - lib/bard/backup/tasks.rake
 - lib/bard/backup/version.rb
+- lib/bard/plugins/backup.rb
+- lib/bard/plugins/encrypt.rb
 - sig/bard/backup.rbs
 homepage: https://github.com/botandrose/bard-backup
 licenses:

data/lib/bard/backup/s3_dir.rb

@@ -1,86 +0,0 @@
-require "aws-sdk-s3"
-require "rexml"
-
-module Bard
-  class Backup
-    class S3Dir < Data.define(:endpoint, :path, :access_key_id, :secret_access_key, :region)
-      def initialize **kwargs
-        kwargs[:endpoint] ||= "https://s3.#{kwargs[:region]}.amazonaws.com"
-        super
-      end
-
-      def files
-        response = client.list_objects_v2({
-          bucket: bucket_name,
-          prefix: folder_prefix,
-        })
-        raise if response.is_truncated
-        response.contents.map do |object|
-          object.key.sub("#{folder_prefix}/", "")
-        end
-      end
-
-      def put file_path, body: File.read(file_path)
-        client.put_object({
-          bucket: bucket_name,
-          key: [folder_prefix, File.basename(file_path)].compact.join("/"),
-          body: body,
-        })
-      end
-
-      def presigned_url file_path
-        presigner = Aws::S3::Presigner.new(client: client)
-        presigner.presigned_url(
-          :put_object,
-          bucket: bucket_name,
-          key: [folder_prefix, File.basename(file_path)].compact.join("/"),
-        )
-      end
-
-      def mv file_path, body: File.read(file_path)
-        put file_path, body: body
-        FileUtils.rm file_path
-      end
-
-      def delete file_paths
-        return if file_paths.empty?
-        objects_to_delete = Array(file_paths).map do |file_path|
-          { key: [folder_prefix, File.basename(file_path)].compact.join("/") }
-        end
-        client.delete_objects({
-          bucket: bucket_name,
-          delete: {
-            objects: objects_to_delete,
-            quiet: true,
-          }
-        })
-      end
-
-      def empty!
-        files.each_slice(1000) do |batch|
-          delete batch
-        end
-      end
-
-      def bucket_name
-        path.split("/").first
-      end
-
-      def folder_prefix
-        return nil if !path.include?("/")
-        path.split("/")[1..].join("/")
-      end
-
-      private
-
-      def client
-        Aws::S3::Client.new({
-          endpoint: endpoint,
-          region: region,
-          access_key_id: access_key_id,
-          secret_access_key: secret_access_key,
-        })
-      end
-    end
-  end
-end