@aifabrix/server-setup 0.1.0

package/README.md

@@ -0,0 +1,68 @@
+# @aifabrix/server-setup (af-server)
+
+CLI to install, backup, and restore AI Fabrix builder-server over SSH. Runs on your PC or CI; the server does **not** need Node.js or the aifabrix Builder.
+
+- **Backup** = configuration + database only (no workspace or developer code).
+- **Restore** = push backup zip (builder.db + keys) back to server DATA_DIR.
+
+## Commands
+
+Omit `user@host` to run **locally** on the current machine (Ubuntu only). With `user@host`, commands run over SSH.
+
+```bash
+# Install server (Docker, nginx, SSL proxy, sync user, cron).
+af-server install [ user@host ] [ -d DATA_DIR ] [ --dev-domain DOMAIN ] [ --ssl-dir PATH ] [ -i SSH_KEY ]
+
+# On-demand backup: fetch config + DB + keys from server (or local DATA_DIR), save zip.
+af-server backup [ user@host ] [ -d DATA_DIR ] [ -o output.zip ] [ -i SSH_KEY ]
+
+# Install cron backup (daily 02:00, keep last 7).
+af-server backup [ user@host ] --schedule [ --backup-dir PATH ] [ --keep-days N ] [ -i SSH_KEY ]
+
+# Restore backup zip to DATA_DIR.
+af-server restore backup.zip [ user@host ] [ -d DATA_DIR ] [ --force ] [ -i SSH_KEY ]
+
+# ssh-cert: install = append your local SSH public key for passwordless auth; request = stub for future SSH CA.
+af-server ssh-cert request [ --user ID ] [ -i SSH_KEY ]
+af-server ssh-cert install [ user@host ] [ -i SSH_KEY ]
+```
+
+**ssh-cert install:** Appends your **local SSH public key** (from `~/.ssh/id_ed25519.pub` or `id_rsa.pub`, or from `-i key` → `key.pub`) to the server user's `~/.ssh/authorized_keys`. After that, install/backup/restore work without password when using that key or ssh-agent. First run may use password or `-i`. **request** remains a stub for future SSH CA integration.
+
+## Prerequisites
+
+- Node.js >= 18
+- SSH access to the server (key-based auth recommended; use `-i path/to/key`)
+
+The server should have **builder-server** data in either:
+
+- **SQLite** (`DATA_DIR/builder.db`) — after JSON→SQLite migration (see repo plan 006); backup/restore and cron backup use this.
+- **JSON files** — legacy; on-demand backup still works (exports to SQLite inside the zip).
+
+## Backup contents
+
+- `config.json` — DATA_DIR, createdAt, source (builder.db or json)
+- `backup.db` — SQLite (either copy of builder.db or export from JSON)
+- `ca.crt`, `ca.key`, `secrets-encryption.key` — for restore
+
+**Security:** Backups contain secrets. Store them encrypted at rest and restrict filesystem access. Never log key material.
+
+## Cron backup (--schedule)
+
+Installs a shell script on the server that runs daily at 02:00. Requires `builder.db` (SQLite) and `zip` on the server. Keeps the last N backups (default 7). Backup dir default: `/opt/aifabrix/backups`.
+
+## Build and run locally
+
+```bash
+cd server-setup
+npm install
+npm run build
+node dist/cli.js --help
+# or: npm link && af-server --help
+```
+
+## References
+
+- [SETUP.md](../SETUP.md) — server installation and manual prerequisites
+- [builder/builder-server/README.md](../builder/builder-server/README.md) — builder-server data dir and mounts
+- [AI Fabrix Builder CLI](https://github.com/esystemsdev/aifabrix-builder/blob/main/docs/CLI-REFERENCE.md) — for onboarding and certs (talks to builder-server API)

package/assets/builder/builder-server/nginx-builder-server.conf.template

@@ -0,0 +1,26 @@
+# Nginx snippet for builder-server onboarding API (https://DEV_DOMAIN_PLACEHOLDER).
+# Generated from template by af-server install (substitutes DEV_DOMAIN, SSL_DIR, BUILDER_SERVER_PORT, DATA_DIR).
+# SSL cert and key from SSL_DIR_PLACEHOLDER (wildcard.crt, wildcard.key).
+# Client cert: ssl_client_certificate uses DATA_DIR_PLACEHOLDER/ca.crt (Builder CA; created by builder-server on first run).
+# Reload nginx after placing: sudo nginx -t && sudo systemctl reload nginx.
+
+server {
+    listen 443 ssl;
+    server_name DEV_DOMAIN_PLACEHOLDER;
+
+    ssl_certificate     SSL_DIR_PLACEHOLDER/wildcard.crt;
+    ssl_certificate_key SSL_DIR_PLACEHOLDER/wildcard.key;
+
+    ssl_client_certificate DATA_DIR_PLACEHOLDER/ca.crt;
+    ssl_verify_client optional;
+
+    location / {
+        proxy_pass http://127.0.0.1:BUILDER_SERVER_PORT_PLACEHOLDER;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Client-Cert $ssl_client_cert;
+    }
+}

package/assets/cron-backup.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Cron backup: copy builder.db + keys to zip in backup dir. Retention: keep last 7.
+# Requires: DATA_DIR and BACKUP_DIR set (or defaults below).
+# Server must have builder.db (SQLite); no Node on server.
+
+set -e
+DATA_DIR="${DATA_DIR:-/opt/aifabrix/builder-server/data}"
+BACKUP_DIR="${BACKUP_DIR:-/opt/aifabrix/backups}"
+KEEP_DAYS="${KEEP_DAYS:-7}"
+STAMP=$(date +%Y%m%d-%H%M)
+ZIP_NAME="aifabrix-backup-${STAMP}.zip"
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+mkdir -p "$BACKUP_DIR"
+cp -a "$DATA_DIR/builder.db" "$TMP_DIR/backup.db" 2>/dev/null || { echo "builder.db not found"; exit 1; }
+for f in ca.crt ca.key secrets-encryption.key; do
+  [ -f "$DATA_DIR/$f" ] && cp -a "$DATA_DIR/$f" "$TMP_DIR/"
+done
+echo "{\"dataDir\":\"$DATA_DIR\",\"createdAt\":\"$(date -Iseconds)\",\"source\":\"builder.db\"}" > "$TMP_DIR/config.json"
+cd "$TMP_DIR"
+zip -q -r "$BACKUP_DIR/$ZIP_NAME" backup.db config.json ca.crt ca.key secrets-encryption.key 2>/dev/null || true
+[ -f "$BACKUP_DIR/$ZIP_NAME" ] || zip -q -r "$BACKUP_DIR/$ZIP_NAME" backup.db config.json
+# Retention: delete backups older than KEEP_DAYS
+find "$BACKUP_DIR" -name 'aifabrix-backup-*.zip' -mtime +"$KEEP_DAYS" -delete 2>/dev/null || true

package/assets/setup-dev-server-no-node.sh

@@ -0,0 +1,227 @@
+#!/bin/sh
+# Idempotent dev server setup script (no Node/Builder on server). Safe to run multiple times.
+# Run via af-server install user@host. REPO_ROOT must be set to the dir containing builder/builder-server/nginx-builder-server.conf.template.
+# Optional env: DEV_DOMAIN, SSL_DIR, DATA_DIR, SETUP_ADMIN_USER, SYNC_USER, BUILDER_SERVER_PORT, NGINX_CONF_DIR, SETUP_HOSTNAME, INSTALL_PORTAINER=1, SKIP_DOCKER_TLS=1.
+
+set -e
+
+REPO_ROOT="${REPO_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
+DATA_DIR="${DATA_DIR:-/opt/aifabrix/builder-server/data}"
+DEV_DOMAIN="${DEV_DOMAIN:-dev.aifabrix.dev}"
+SSL_DIR="${SSL_DIR:-/opt/aifabrix/ssl}"
+SETUP_ADMIN_USER="${SETUP_ADMIN_USER:-serveradmin}"
+SYNC_USER="${SYNC_USER:-aifabrix-sync}"
+BUILDER_SERVER_PORT="${BUILDER_SERVER_PORT:-3000}"
+NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx/conf.d}"
+
+# Sanitize user-controlled env to prevent path/command injection
+sanitize_domain() {
+  echo "$1" | grep -q '^[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9]$' || echo "$1" | grep -q '^[a-zA-Z0-9]$'
+}
+sanitize_path() {
+  case "$1" in
+    *'..'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*) return 1 ;;
+    *) return 0 ;;
+  esac
+}
+if ! sanitize_domain "$DEV_DOMAIN"; then
+  echo "Invalid DEV_DOMAIN (use only letters, digits, dots, hyphens)."
+  exit 1
+fi
+if ! sanitize_path "$SSL_DIR" || ! sanitize_path "$DATA_DIR" || ! sanitize_path "$NGINX_CONF_DIR"; then
+  echo "Invalid path in SSL_DIR, DATA_DIR, or NGINX_CONF_DIR (no .. or shell metacharacters)."
+  exit 1
+fi
+case "$SETUP_ADMIN_USER" in
+  *'..'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*) echo "Invalid SETUP_ADMIN_USER."; exit 1 ;;
+esac
+case "$SYNC_USER" in
+  *'..'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*) echo "Invalid SYNC_USER."; exit 1 ;;
+esac
+
+require_sudo() {
+  if [ "$(id -u)" -ne 0 ]; then
+    echo "This script requires root. Run with sudo or as root."
+    exit 1
+  fi
+}
+require_sudo
+
+# --- Hostname (optional) ---
+if [ -n "$SETUP_HOSTNAME" ]; then
+  current=$(hostname 2>/dev/null || true)
+  if [ "$current" != "$SETUP_HOSTNAME" ]; then
+    hostnamectl set-hostname "$SETUP_HOSTNAME" 2>/dev/null || true
+  fi
+fi
+
+# --- System updates ---
+apt-get update -qq
+DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -qq
+
+# --- Docker ---
+if ! command -v docker >/dev/null 2>&1; then
+  apt-get install -y docker.io
+fi
+systemctl enable docker 2>/dev/null || true
+systemctl start docker 2>/dev/null || true
+
+# --- Admin user: docker group ---
+if getent group docker >/dev/null 2>&1; then
+  if ! id -nG "$SETUP_ADMIN_USER" 2>/dev/null | grep -q docker; then
+    usermod -aG docker "$SETUP_ADMIN_USER" 2>/dev/null || true
+  fi
+fi
+
+# --- Admin user: sudoers ---
+SUDOERS_FILE="/etc/sudoers.d/$SETUP_ADMIN_USER"
+if [ ! -f "$SUDOERS_FILE" ]; then
+  echo "$SETUP_ADMIN_USER ALL=(ALL) NOPASSWD:ALL" > "$SUDOERS_FILE"
+  chmod 440 "$SUDOERS_FILE"
+fi
+
+# --- PAM mkhomedir ---
+if ! grep -q mkhomedir /etc/pam.d/common-session 2>/dev/null; then
+  pam-auth-update --enable mkhomedir || true
+fi
+
+# --- Optional: Portainer ---
+if [ "$INSTALL_PORTAINER" = "1" ] && ! docker ps -a --format '{{.Names}}' 2>/dev/null | grep -q '^portainer$'; then
+  docker volume create portainer_data 2>/dev/null || true
+  docker run -d --name portainer --restart=always \
+    -p 9443:9443 \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v portainer_data:/data \
+    portainer/portainer-ce:latest 2>/dev/null || true
+fi
+
+# --- Nginx ---
+if ! command -v nginx >/dev/null 2>&1; then
+  apt-get install -y nginx
+  systemctl enable nginx
+  systemctl start nginx
+fi
+
+NGINX_CONF="$NGINX_CONF_DIR/$DEV_DOMAIN.conf"
+NGINX_TEMPLATE="$REPO_ROOT/builder/builder-server/nginx-builder-server.conf.template"
+if [ ! -f "$NGINX_CONF" ] && [ -f "$NGINX_TEMPLATE" ]; then
+  sed -e "s|DEV_DOMAIN_PLACEHOLDER|$DEV_DOMAIN|g" \
+      -e "s|SSL_DIR_PLACEHOLDER|$SSL_DIR|g" \
+      -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
+      -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
+      "$NGINX_TEMPLATE" > "$NGINX_CONF"
+  if nginx -t 2>/dev/null; then
+    systemctl reload nginx
+  fi
+elif [ ! -f "$NGINX_CONF" ]; then
+  echo "Warning: SSL prereqs required. Place $NGINX_CONF (see SETUP.md) and ensure $SSL_DIR/wildcard.crt and $SSL_DIR/wildcard.key exist."
+fi
+
+# --- Mutagen ---
+if ! command -v mutagen >/dev/null 2>&1; then
+  MUTAGEN_VERSION="0.17.2"
+  MUTAGEN_URL="https://github.com/mutagen-io/mutagen/releases/download/v${MUTAGEN_VERSION}/mutagen_linux_amd64_v${MUTAGEN_VERSION}.tar.gz"
+  if command -v wget >/dev/null 2>&1; then
+    (cd /tmp && wget -q -O - "$MUTAGEN_URL" | tar xzf - && mv mutagen /usr/local/bin/ 2>/dev/null) || true
+  fi
+fi
+if command -v mutagen >/dev/null 2>&1; then
+  mutagen daemon start 2>/dev/null || true
+  if [ -d /etc/systemd/system ]; then
+    MUTAGEN_SVC="/etc/systemd/system/mutagen.service"
+    if [ ! -f "$MUTAGEN_SVC" ]; then
+      cat > "$MUTAGEN_SVC" << 'MUTAGEN_EOF'
+[Unit]
+Description=Mutagen daemon
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/mutagen daemon run
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+MUTAGEN_EOF
+      systemctl daemon-reload
+      systemctl enable mutagen 2>/dev/null || true
+    fi
+  fi
+fi
+
+# --- Docker TLS (daemon.json) ---
+if [ "$SKIP_DOCKER_TLS" != "1" ] && [ -d /etc/docker ]; then
+  if [ ! -f /etc/docker/daemon.json ]; then
+    cat > /etc/docker/daemon.json << 'DOCKER_EOF'
+{
+  "tls": true,
+  "tlsverify": true,
+  "tlscacert": "/etc/docker/ca.pem",
+  "tlscert": "/etc/docker/server-cert.pem",
+  "tlskey": "/etc/docker/server-key.pem",
+  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
+}
+DOCKER_EOF
+    echo "Docker TLS daemon.json created. Ensure /etc/docker/ca.pem, server-cert.pem, server-key.pem exist (see SETUP.md Docker API TLS)."
+  fi
+fi
+
+# --- Builder-server data dir and container ---
+mkdir -p "$DATA_DIR"
+chown 1001:65533 "$DATA_DIR"
+if command -v docker >/dev/null 2>&1; then
+  if ! docker ps -a --format '{{.Names}}' 2>/dev/null | grep -q '^builder-server$'; then
+    echo "Builder-server container not found. Build and run manually (see builder/builder-server/README.md):"
+    echo "  docker build -t builder-server:latest -f builder/builder-server/Dockerfile ."
+    echo "  docker run -d --name builder-server --restart unless-stopped -p ${BUILDER_SERVER_PORT}:3000 -v $DATA_DIR:/data -e PORT=3000 builder-server:latest"
+  else
+    docker start builder-server 2>/dev/null || true
+  fi
+fi
+
+# --- Sync user for Mutagen SSH ---
+SYNC_USER_HOME="${DATA_DIR}/.sync-home"
+MANAGED_KEYS_FILE="${DATA_DIR}/sync-authorized-keys"
+if ! getent passwd "$SYNC_USER" >/dev/null 2>&1; then
+  useradd --system --home-dir "$SYNC_USER_HOME" --create-home --shell /bin/bash "$SYNC_USER"
+fi
+mkdir -p "$SYNC_USER_HOME/.ssh"
+chown -R "$SYNC_USER:$SYNC_USER" "$SYNC_USER_HOME"
+chmod 700 "$SYNC_USER_HOME/.ssh"
+if [ ! -f "$SYNC_USER_HOME/.ssh/authorized_keys" ]; then
+  touch "$SYNC_USER_HOME/.ssh/authorized_keys"
+  chown "$SYNC_USER:$SYNC_USER" "$SYNC_USER_HOME/.ssh/authorized_keys"
+  chmod 600 "$SYNC_USER_HOME/.ssh/authorized_keys"
+fi
+
+# --- Workspace dir ---
+mkdir -p "${DATA_DIR}/workspace"
+chown -R "$SYNC_USER:$SYNC_USER" "${DATA_DIR}/workspace" 2>/dev/null || true
+
+# --- Host job: apply managed SSH keys to sync user ---
+APPLY_KEYS_SCRIPT="/usr/local/bin/aifabrix-apply-sync-keys.sh"
+if [ ! -f "$APPLY_KEYS_SCRIPT" ]; then
+  cat > "$APPLY_KEYS_SCRIPT" << APPLY_EOF
+#!/bin/sh
+SYNC_USER="$SYNC_USER"
+DATA_DIR="$DATA_DIR"
+SYNC_HOME="\${DATA_DIR}/.sync-home"
+MANAGED="\${DATA_DIR}/sync-authorized-keys"
+if [ -f "\$MANAGED" ]; then
+  cp "\$MANAGED" "\$SYNC_HOME/.ssh/authorized_keys"
+else
+  touch "\$SYNC_HOME/.ssh/authorized_keys"
+fi
+chown "\$SYNC_USER:\$SYNC_USER" "\$SYNC_HOME/.ssh/authorized_keys"
+chmod 600 "\$SYNC_HOME/.ssh/authorized_keys"
+if [ -d "\${DATA_DIR}/workspace" ]; then
+  chown -R "\$SYNC_USER:\$SYNC_USER" "\${DATA_DIR}/workspace"
+fi
+APPLY_EOF
+  chmod 755 "$APPLY_KEYS_SCRIPT"
+fi
+if [ -d /etc/cron.d ] && [ ! -f /etc/cron.d/aifabrix-sync-keys ]; then
+  echo "*/2 * * * * root $APPLY_KEYS_SCRIPT" > /etc/cron.d/aifabrix-sync-keys
+  chmod 644 /etc/cron.d/aifabrix-sync-keys
+fi
+
+echo "Setup complete. Ensure manual prerequisites (SSL at $SSL_DIR: wildcard.crt, wildcard.key; DNS $DEV_DOMAIN) are done; see SETUP.md."

package/dist/backup-db.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Create or copy SQLite backup from server data (builder.db or JSON files).
+ * Schema matches builder-server (users, pin_tokens, secrets, ssh_keys).
+ * Never log key material or secret values.
+ */
+import type { BackupConfig } from './config.js';
+export declare function createBackupDbFromJson(outPath: string, jsonFiles: {
+    users?: string;
+    tokens?: string;
+    secrets?: string;
+    sshKeys?: string;
+}, _config: BackupConfig): void;
+export declare function copyBuilderDbAsBackup(builderDbPath: string, outPath: string): void;

package/dist/backup-db.js

@@ -0,0 +1,125 @@
+/**
+ * Create or copy SQLite backup from server data (builder.db or JSON files).
+ * Schema matches builder-server (users, pin_tokens, secrets, ssh_keys).
+ * Never log key material or secret values.
+ */
+import Database from 'better-sqlite3';
+const SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS users (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  email TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  cert_valid_not_after TEXT,
+  groups TEXT
+);
+CREATE TABLE IF NOT EXISTS pin_tokens (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id TEXT NOT NULL,
+  pin_hash TEXT NOT NULL,
+  expires_at TEXT NOT NULL,
+  consumed INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS secrets (
+  key TEXT PRIMARY KEY,
+  iv TEXT NOT NULL,
+  auth_tag TEXT NOT NULL,
+  cipher TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS ssh_keys (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  label TEXT,
+  fingerprint TEXT,
+  created_at TEXT,
+  UNIQUE(user_id, fingerprint)
+);
+`.trim();
+export function createBackupDbFromJson(outPath, jsonFiles, _config) {
+    const db = new Database(outPath);
+    db.exec(SCHEMA_SQL);
+    if (jsonFiles.users) {
+        const data = JSON.parse(jsonFiles.users);
+        const users = data.users ?? (Array.isArray(data) ? data : []);
+        const stmt = db.prepare(`INSERT INTO users (id, name, email, created_at, cert_valid_not_after, groups) VALUES (?, ?, ?, ?, ?, ?)`);
+        for (const u of users) {
+            const id = String(u.id ?? '');
+            const name = String(u.name ?? '');
+            const email = String(u.email ?? '');
+            const createdAt = String(u.createdAt ?? u.created_at ?? new Date().toISOString());
+            const certValidNotAfter = u.certValidNotAfter != null ? String(u.certValidNotAfter) : null;
+            const groups = u.groups != null ? JSON.stringify(u.groups) : null;
+            stmt.run(id, name, email, createdAt, certValidNotAfter, groups);
+        }
+    }
+    if (jsonFiles.tokens) {
+        const data = JSON.parse(jsonFiles.tokens);
+        const pins = data.pins ?? (Array.isArray(data) ? data : []);
+        const stmt = db.prepare(`INSERT INTO pin_tokens (user_id, pin_hash, expires_at, consumed, created_at) VALUES (?, ?, ?, ?, ?)`);
+        for (const p of pins) {
+            const userId = String(p.userId ?? p.user_id ?? '');
+            const pinHash = String(p.pinHash ?? p.pin_hash ?? '');
+            const expiresAt = String(p.expiresAt ?? p.expires_at ?? '');
+            const consumed = (p.consumed ?? p.consumed) === true ? 1 : 0;
+            const createdAt = String(p.createdAt ?? p.created_at ?? new Date().toISOString());
+            stmt.run(userId, pinHash, expiresAt, consumed, createdAt);
+        }
+    }
+    if (jsonFiles.secrets) {
+        const data = JSON.parse(jsonFiles.secrets);
+        const secrets = data.secrets ?? {};
+        const stmt = db.prepare(`INSERT INTO secrets (key, iv, auth_tag, cipher) VALUES (?, ?, ?, ?)`);
+        for (const [key, val] of Object.entries(secrets)) {
+            if (val && typeof val.iv === 'string' && typeof val.authTag === 'string' && typeof val.cipher === 'string') {
+                stmt.run(key, val.iv, val.authTag, val.cipher);
+            }
+            else if (val && 'iv' in val && 'auth_tag' in val && 'cipher' in val) {
+                const v = val;
+                stmt.run(key, v.iv, v.auth_tag, v.cipher);
+            }
+        }
+    }
+    if (jsonFiles.sshKeys) {
+        const data = JSON.parse(jsonFiles.sshKeys);
+        const byUser = data.byUser ?? {};
+        const stmt = db.prepare(`INSERT INTO ssh_keys (user_id, public_key, label, fingerprint, created_at) VALUES (?, ?, ?, ?, ?)`);
+        for (const [userId, entries] of Object.entries(byUser)) {
+            const list = Array.isArray(entries) ? entries : [];
+            for (const e of list) {
+                const publicKey = String(e.publicKey ?? e.public_key ?? '');
+                const label = e.label != null ? String(e.label) : null;
+                const fingerprint = e.fingerprint != null ? String(e.fingerprint) : null;
+                const createdAt = e.createdAt ?? e.created_at != null ? String(e.createdAt ?? e.created_at) : null;
+                stmt.run(userId, publicKey, label, fingerprint, createdAt);
+            }
+        }
+    }
+    db.close();
+}
+export function copyBuilderDbAsBackup(builderDbPath, outPath) {
+    const db = new Database(builderDbPath, { readonly: true });
+    const backup = new Database(outPath);
+    backup.exec(SCHEMA_SQL);
+    const tables = ['users', 'pin_tokens', 'secrets', 'ssh_keys'];
+    for (const table of tables) {
+        try {
+            const rows = db.prepare(`SELECT * FROM ${table}`).all();
+            if (rows.length === 0)
+                continue;
+            const first = rows[0];
+            const cols = Object.keys(first).join(', ');
+            const placeholders = Object.keys(first).map(() => '?').join(', ');
+            const stmt = backup.prepare(`INSERT INTO ${table} (${cols}) VALUES (${placeholders})`);
+            for (const row of rows) {
+                stmt.run(...Object.values(row));
+            }
+        }
+        catch {
+            // table might not exist or be empty
+        }
+    }
+    db.close();
+    backup.close();
+}

package/dist/backup-db.spec.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Unit tests for backup-db: createBackupDbFromJson and copyBuilderDbAsBackup.
+ * Uses temp dirs and in-memory SQLite where possible; no real secrets.
+ */
+export {};