@aifabrix/server-setup 0.1.0

package/dist/backup-db.spec.js

@@ -0,0 +1,260 @@
+/**
+ * Unit tests for backup-db: createBackupDbFromJson and copyBuilderDbAsBackup.
+ * Uses temp dirs and in-memory SQLite where possible; no real secrets.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import Database from 'better-sqlite3';
+import { createBackupDbFromJson, copyBuilderDbAsBackup, } from './backup-db.js';
+const TEST_TMP_BASE = path.join(process.cwd(), 'tmp');
+const config = {
+    dataDir: path.join(TEST_TMP_BASE, 'test-data'),
+    createdAt: new Date().toISOString(),
+    source: 'json',
+};
+describe('backup-db', () => {
+    let tmpDir;
+    beforeEach(() => {
+        fs.mkdirSync(TEST_TMP_BASE, { recursive: true });
+        tmpDir = fs.mkdtempSync(path.join(TEST_TMP_BASE, 'af-backup-db-'));
+    });
+    afterEach(() => {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    });
+    describe('createBackupDbFromJson', () => {
+        it('creates empty DB when no json files provided', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            createBackupDbFromJson(outPath, {}, config);
+            expect(fs.existsSync(outPath)).toBe(true);
+            const db = new Database(outPath, { readonly: true });
+            const users = db.prepare('SELECT COUNT(*) as n FROM users').get();
+            expect(users.n).toBe(0);
+            db.close();
+        });
+        it('imports users from users.json shape', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const usersJson = JSON.stringify({
+                users: [
+                    { id: '01', name: 'Alice', email: 'a@b.com', createdAt: '2025-01-01T00:00:00Z' },
+                ],
+            });
+            createBackupDbFromJson(outPath, { users: usersJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT id, name, email FROM users').get();
+            expect(row).toEqual({ id: '01', name: 'Alice', email: 'a@b.com' });
+            db.close();
+        });
+        it('imports users with cert_valid_not_after and groups (snake_case created_at)', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const usersJson = JSON.stringify({
+                users: [
+                    {
+                        id: '02',
+                        name: 'Bob',
+                        email: 'b@b.com',
+                        created_at: '2024-06-15T00:00:00Z',
+                        certValidNotAfter: '2026-01-01',
+                        groups: ['admin'],
+                    },
+                ],
+            });
+            createBackupDbFromJson(outPath, { users: usersJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT id, cert_valid_not_after, groups FROM users').get();
+            expect(row.id).toBe('02');
+            expect(row.cert_valid_not_after).toBe('2026-01-01');
+            expect(JSON.parse(row.groups)).toEqual(['admin']);
+            db.close();
+        });
+        it('imports users when root is array (no .users key)', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const usersJson = JSON.stringify([
+                { id: '03', name: 'C', email: 'c@b.com', created_at: '2025-01-01' },
+            ]);
+            createBackupDbFromJson(outPath, { users: usersJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT id, name FROM users').get();
+            expect(row).toEqual({ id: '03', name: 'C' });
+            db.close();
+        });
+        it('imports pins from tokens.json shape', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const tokensJson = JSON.stringify({
+                pins: [
+                    {
+                        userId: '01',
+                        pinHash: 'abc123',
+                        expiresAt: '2025-12-31T23:59:59Z',
+                        consumed: false,
+                        createdAt: '2025-01-01T00:00:00Z',
+                    },
+                ],
+            });
+            createBackupDbFromJson(outPath, { tokens: tokensJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT user_id, pin_hash, consumed FROM pin_tokens').get();
+            expect(row.user_id).toBe('01');
+            expect(row.pin_hash).toBe('abc123');
+            expect(row.consumed).toBe(0);
+            db.close();
+        });
+        it('imports pins with snake_case and consumed true', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const tokensJson = JSON.stringify({
+                pins: [
+                    {
+                        user_id: '02',
+                        pin_hash: 'def',
+                        expires_at: '2025-12-31T00:00:00Z',
+                        consumed: true,
+                        created_at: '2025-01-01T00:00:00Z',
+                    },
+                ],
+            });
+            createBackupDbFromJson(outPath, { tokens: tokensJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT user_id, consumed FROM pin_tokens').get();
+            expect(row.user_id).toBe('02');
+            expect(row.consumed).toBe(1);
+            db.close();
+        });
+        it('imports pins when root is array (no .pins key)', () => {
+            const outPath = path.join(tmpDir, 'pins-array.db');
+            const tokensJson = JSON.stringify([
+                { userId: '03', pinHash: 'x', expiresAt: '2025-12-31', consumed: false, createdAt: '2025-01-01' },
+            ]);
+            createBackupDbFromJson(outPath, { tokens: tokensJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT user_id FROM pin_tokens').get();
+            expect(row.user_id).toBe('03');
+            db.close();
+        });
+        it('imports secrets from secrets.json shape (camelCase)', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const secretsJson = JSON.stringify({
+                secrets: {
+                    mykey: { iv: 'iv1', authTag: 'tag1', cipher: 'cipher1' },
+                },
+            });
+            createBackupDbFromJson(outPath, { secrets: secretsJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT key, iv, auth_tag, cipher FROM secrets').get();
+            expect(row.key).toBe('mykey');
+            expect(row.iv).toBe('iv1');
+            expect(row.auth_tag).toBe('tag1');
+            expect(row.cipher).toBe('cipher1');
+            db.close();
+        });
+        it('imports secrets from secrets.json shape (snake_case auth_tag)', () => {
+            const outPath = path.join(tmpDir, 'out2.db');
+            const secretsJson = JSON.stringify({
+                secrets: {
+                    key2: { iv: 'iv2', auth_tag: 'tag2', cipher: 'cipher2' },
+                },
+            });
+            createBackupDbFromJson(outPath, { secrets: secretsJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT key, iv, auth_tag, cipher FROM secrets').get();
+            expect(row.key).toBe('key2');
+            expect(row.auth_tag).toBe('tag2');
+            db.close();
+        });
+        it('imports ssh_keys from byUser shape', () => {
+            const outPath = path.join(tmpDir, 'out.db');
+            const sshKeysJson = JSON.stringify({
+                byUser: {
+                    '01': [
+                        { publicKey: 'ssh-rsa AAAA...', label: 'laptop', fingerprint: 'fp1' },
+                    ],
+                },
+            });
+            createBackupDbFromJson(outPath, { sshKeys: sshKeysJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT user_id, public_key, label, fingerprint FROM ssh_keys').get();
+            expect(row.user_id).toBe('01');
+            expect(row.public_key).toBe('ssh-rsa AAAA...');
+            expect(row.label).toBe('laptop');
+            expect(row.fingerprint).toBe('fp1');
+            db.close();
+        });
+        it('imports ssh_keys with snake_case and optional fields', () => {
+            const outPath = path.join(tmpDir, 'ssh2.db');
+            const sshKeysJson = JSON.stringify({
+                byUser: {
+                    '02': [
+                        { public_key: 'ssh-ed25519 BBBB...', created_at: '2025-01-01T00:00:00Z' },
+                    ],
+                },
+            });
+            createBackupDbFromJson(outPath, { sshKeys: sshKeysJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const row = db.prepare('SELECT user_id, public_key, label, fingerprint, created_at FROM ssh_keys').get();
+            expect(row.user_id).toBe('02');
+            expect(row.public_key).toBe('ssh-ed25519 BBBB...');
+            expect(row.label).toBeNull();
+            expect(row.fingerprint).toBeNull();
+            expect(row.created_at).toBe('2025-01-01T00:00:00Z');
+            db.close();
+        });
+        it('imports ssh_keys when byUser missing uses empty object', () => {
+            const outPath = path.join(tmpDir, 'ssh-empty.db');
+            createBackupDbFromJson(outPath, { sshKeys: '{}' }, config);
+            const db = new Database(outPath, { readonly: true });
+            const count = db.prepare('SELECT COUNT(*) as n FROM ssh_keys').get();
+            expect(count.n).toBe(0);
+            db.close();
+        });
+        it('imports ssh_keys when entries not array treats as empty list', () => {
+            const outPath = path.join(tmpDir, 'ssh-not-array.db');
+            const sshKeysJson = JSON.stringify({ byUser: { '01': 'not-array' } });
+            createBackupDbFromJson(outPath, { sshKeys: sshKeysJson }, config);
+            const db = new Database(outPath, { readonly: true });
+            const count = db.prepare('SELECT COUNT(*) as n FROM ssh_keys').get();
+            expect(count.n).toBe(0);
+            db.close();
+        });
+    });
+    describe('copyBuilderDbAsBackup', () => {
+        it('copies users and pin_tokens from source db to backup', () => {
+            const sourcePath = path.join(tmpDir, 'source.db');
+            const outPath = path.join(tmpDir, 'backup.db');
+            const schema = `
+        CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL, created_at TEXT NOT NULL, cert_valid_not_after TEXT, groups TEXT);
+        CREATE TABLE pin_tokens (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL, pin_hash TEXT NOT NULL, expires_at TEXT NOT NULL, consumed INTEGER NOT NULL DEFAULT 0, created_at TEXT NOT NULL);
+        CREATE TABLE secrets (key TEXT PRIMARY KEY, iv TEXT NOT NULL, auth_tag TEXT NOT NULL, cipher TEXT NOT NULL);
+        CREATE TABLE ssh_keys (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL, public_key TEXT NOT NULL, label TEXT, fingerprint TEXT, created_at TEXT, UNIQUE(user_id, fingerprint));
+      `;
+            const src = new Database(sourcePath);
+            src.exec(schema);
+            src.prepare("INSERT INTO users (id, name, email, created_at) VALUES ('u1', 'U1', 'u1@x.com', '2025-01-01')").run();
+            src.prepare("INSERT INTO pin_tokens (user_id, pin_hash, expires_at, consumed, created_at) VALUES ('u1', 'h', '2025-12-31', 0, '2025-01-01')").run();
+            src.close();
+            copyBuilderDbAsBackup(sourcePath, outPath);
+            const backup = new Database(outPath, { readonly: true });
+            const user = backup.prepare('SELECT id, name FROM users').get();
+            expect(user).toEqual({ id: 'u1', name: 'U1' });
+            const pin = backup.prepare('SELECT user_id FROM pin_tokens').get();
+            expect(pin.user_id).toBe('u1');
+            backup.close();
+        });
+        it('skips empty tables and tolerates missing tables', () => {
+            const sourcePath = path.join(tmpDir, 'partial.db');
+            const outPath = path.join(tmpDir, 'backup-partial.db');
+            const schema = `
+        CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL, created_at TEXT NOT NULL, cert_valid_not_after TEXT, groups TEXT);
+        CREATE TABLE pin_tokens (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL, pin_hash TEXT NOT NULL, expires_at TEXT NOT NULL, consumed INTEGER NOT NULL DEFAULT 0, created_at TEXT NOT NULL);
+      `;
+            const src = new Database(sourcePath);
+            src.exec(schema);
+            src.prepare("INSERT INTO users (id, name, email, created_at) VALUES ('u1', 'U1', 'u1@x.com', '2025-01-01')").run();
+            src.close();
+            copyBuilderDbAsBackup(sourcePath, outPath);
+            const backup = new Database(outPath, { readonly: true });
+            const user = backup.prepare('SELECT id FROM users').get();
+            expect(user.id).toBe('u1');
+            const pinCount = backup.prepare('SELECT COUNT(*) as n FROM pin_tokens').get();
+            expect(pinCount.n).toBe(0);
+            backup.close();
+        });
+    });
+});

package/dist/backup-schedule.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Install cron backup on server (or locally): upload shell script and add cron entry.
+ */
+import { type SSHConnectionOptions } from './ssh.js';
+export interface BackupScheduleOptions extends SSHConnectionOptions {
+    dataDir?: string;
+    backupDir?: string;
+    keepDays?: number;
+}
+export interface BackupScheduleLocalOptions {
+    dataDir?: string;
+    backupDir?: string;
+    keepDays?: number;
+}
+export declare function runBackupScheduleInstall(options: BackupScheduleOptions): Promise<void>;
+/** Install cron backup on this machine (no SSH). Call requireUbuntu() before this. */
+export declare function runBackupScheduleInstallLocal(options?: BackupScheduleLocalOptions): void;

package/dist/backup-schedule.js

@@ -0,0 +1,60 @@
+/**
+ * Install cron backup on server (or locally): upload shell script and add cron entry.
+ */
+import * as path from 'path';
+import * as fs from 'fs';
+import { execSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { createSSHClient, writeFile, exec, close } from './ssh.js';
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const ASSETS_DIR = path.resolve(scriptDir, '..', 'assets');
+const DEFAULT_DATA_DIR = '/opt/aifabrix/builder-server/data';
+const DEFAULT_BACKUP_DIR = '/opt/aifabrix/backups';
+export async function runBackupScheduleInstall(options) {
+    const dataDir = options.dataDir ?? DEFAULT_DATA_DIR;
+    const backupDir = options.backupDir ?? DEFAULT_BACKUP_DIR;
+    const keepDays = options.keepDays ?? 7;
+    const scriptPath = path.join(ASSETS_DIR, 'cron-backup.sh');
+    const scriptBody = fs.readFileSync(scriptPath, 'utf8');
+    const conn = await createSSHClient(options);
+    try {
+        const remoteScript = '/usr/local/bin/aifabrix-cron-backup.sh';
+        await writeFile(conn, remoteScript, scriptBody);
+        await exec(conn, `sudo chmod 755 ${remoteScript}`);
+        await exec(conn, `sudo mkdir -p ${backupDir}`);
+        const cronLine = `0 2 * * * root DATA_DIR=${dataDir} BACKUP_DIR=${backupDir} KEEP_DAYS=${keepDays} ${remoteScript}\n`;
+        const tmpCron = '/tmp/aifabrix-backup-cron';
+        await writeFile(conn, tmpCron, cronLine);
+        await exec(conn, `sudo mv ${tmpCron} /etc/cron.d/aifabrix-backup && sudo chmod 644 /etc/cron.d/aifabrix-backup`);
+    }
+    finally {
+        close(conn);
+    }
+}
+/** Install cron backup on this machine (no SSH). Call requireUbuntu() before this. */
+export function runBackupScheduleInstallLocal(options = {}) {
+    const dataDir = options.dataDir ?? DEFAULT_DATA_DIR;
+    const backupDir = options.backupDir ?? DEFAULT_BACKUP_DIR;
+    const keepDays = options.keepDays ?? 7;
+    const scriptPath = path.join(ASSETS_DIR, 'cron-backup.sh');
+    const scriptBody = fs.readFileSync(scriptPath, 'utf8');
+    const remoteScript = '/usr/local/bin/aifabrix-cron-backup.sh';
+    const tmpScript = `/tmp/aifabrix-cron-backup-${Date.now()}.sh`;
+    fs.writeFileSync(tmpScript, scriptBody);
+    try {
+        execSync(`sudo cp ${tmpScript} ${remoteScript} && sudo chmod 755 ${remoteScript}`);
+        execSync(`sudo mkdir -p ${backupDir}`);
+        const cronLine = `0 2 * * * root DATA_DIR=${dataDir} BACKUP_DIR=${backupDir} KEEP_DAYS=${keepDays} ${remoteScript}\n`;
+        const tmpCron = '/tmp/aifabrix-backup-cron';
+        fs.writeFileSync(tmpCron, cronLine);
+        execSync(`sudo mv ${tmpCron} /etc/cron.d/aifabrix-backup && sudo chmod 644 /etc/cron.d/aifabrix-backup`);
+    }
+    finally {
+        try {
+            fs.unlinkSync(tmpScript);
+        }
+        catch {
+            // ignore
+        }
+    }
+}

package/dist/backup.d.ts

@@ -0,0 +1,15 @@
+/**
+ * On-demand backup: SSH to server, fetch config + builder.db or JSON + keys, build zip locally.
+ */
+import { type SSHConnectionOptions } from './ssh.js';
+export interface BackupOptions extends SSHConnectionOptions {
+    dataDir?: string;
+    outputPath?: string;
+}
+export interface BackupLocalOptions {
+    dataDir?: string;
+    outputPath?: string;
+}
+export declare function runBackup(options: BackupOptions): Promise<string>;
+/** Run backup from local DATA_DIR (no SSH). Call requireUbuntu() before this. */
+export declare function runBackupLocal(options?: BackupLocalOptions): Promise<string>;

package/dist/backup.js

@@ -0,0 +1,184 @@
+/**
+ * On-demand backup: SSH to server, fetch config + builder.db or JSON + keys, build zip locally.
+ */
+import * as path from 'path';
+import * as fs from 'fs';
+import archiver from 'archiver';
+import { createSSHClient, readFile, exec, close } from './ssh.js';
+import { DATA_DIR_DEFAULT, BUILDER_DB, BACKUP_DB, CONFIG_JSON, KEY_FILES, JSON_FILES, } from './config.js';
+import { createBackupDbFromJson } from './backup-db.js';
+function defaultOutputPath() {
+    const now = new Date();
+    const y = now.getFullYear();
+    const m = String(now.getMonth() + 1).padStart(2, '0');
+    const d = String(now.getDate()).padStart(2, '0');
+    const h = String(now.getHours()).padStart(2, '0');
+    const min = String(now.getMinutes()).padStart(2, '0');
+    return `./aifabrix-backup-${y}${m}${d}-${h}${min}.zip`;
+}
+export async function runBackup(options) {
+    const dataDir = options.dataDir ?? DATA_DIR_DEFAULT;
+    const outputPath = options.outputPath ?? defaultOutputPath();
+    const resolvedOut = path.resolve(process.cwd(), outputPath);
+    const conn = await createSSHClient(options);
+    try {
+        const config = {
+            dataDir,
+            createdAt: new Date().toISOString(),
+            source: 'builder.db',
+        };
+        const tmpDir = path.join(process.cwd(), `.af-backup-${Date.now()}`);
+        fs.mkdirSync(tmpDir, { recursive: true });
+        const dbPath = path.join(tmpDir, BACKUP_DB);
+        try {
+            const hasBuilderDb = await exec(conn, `test -f ${dataDir}/${BUILDER_DB} && echo 1 || echo 0`);
+            const useSqlite = hasBuilderDb.stdout.trim() === '1';
+            if (useSqlite) {
+                const buf = await readFile(conn, `${dataDir}/${BUILDER_DB}`);
+                fs.writeFileSync(dbPath, buf);
+                config.source = 'builder.db';
+            }
+            else {
+                const jsonFiles = {};
+                for (const f of JSON_FILES) {
+                    try {
+                        const buf = await readFile(conn, `${dataDir}/${f}`);
+                        const str = buf.toString('utf8');
+                        if (f === 'users.json')
+                            jsonFiles.users = str;
+                        else if (f === 'tokens.json')
+                            jsonFiles.tokens = str;
+                        else if (f === 'secrets.json')
+                            jsonFiles.secrets = str;
+                        else if (f === 'ssh-public-keys.json')
+                            jsonFiles.sshKeys = str;
+                    }
+                    catch {
+                        if (f === 'users.json')
+                            jsonFiles.users = '{"users":[]}';
+                        else if (f === 'tokens.json')
+                            jsonFiles.tokens = '{"pins":[]}';
+                        else if (f === 'secrets.json')
+                            jsonFiles.secrets = '{"secrets":{}}';
+                        else if (f === 'ssh-public-keys.json')
+                            jsonFiles.sshKeys = '{"byUser":{}}';
+                    }
+                }
+                createBackupDbFromJson(dbPath, jsonFiles, config);
+                config.source = 'json';
+            }
+            fs.writeFileSync(path.join(tmpDir, CONFIG_JSON), JSON.stringify(config, null, 2));
+            for (const k of KEY_FILES) {
+                try {
+                    const buf = await readFile(conn, `${dataDir}/${k}`);
+                    fs.writeFileSync(path.join(tmpDir, k), buf, { mode: 0o600 });
+                }
+                catch {
+                    // key file may not exist
+                }
+            }
+            const archive = archiver('zip', { zlib: { level: 6 } });
+            const out = fs.createWriteStream(resolvedOut);
+            const pipe = new Promise((resolve, reject) => {
+                out.on('close', () => resolve());
+                archive.on('error', reject);
+            });
+            archive.pipe(out);
+            archive.file(path.join(tmpDir, BACKUP_DB), { name: BACKUP_DB });
+            archive.file(path.join(tmpDir, CONFIG_JSON), { name: CONFIG_JSON });
+            for (const k of KEY_FILES) {
+                const fp = path.join(tmpDir, k);
+                if (fs.existsSync(fp))
+                    archive.file(fp, { name: k });
+            }
+            await archive.finalize();
+            await pipe;
+        }
+        finally {
+            fs.rmSync(tmpDir, { recursive: true, force: true });
+        }
+        return resolvedOut;
+    }
+    finally {
+        close(conn);
+    }
+}
+/** Run backup from local DATA_DIR (no SSH). Call requireUbuntu() before this. */
+export async function runBackupLocal(options = {}) {
+    const dataDir = options.dataDir ?? DATA_DIR_DEFAULT;
+    const outputPath = options.outputPath ?? defaultOutputPath();
+    const resolvedOut = path.resolve(process.cwd(), outputPath);
+    const config = {
+        dataDir,
+        createdAt: new Date().toISOString(),
+        source: 'builder.db',
+    };
+    const tmpDir = path.join(process.cwd(), `.af-backup-${Date.now()}`);
+    fs.mkdirSync(tmpDir, { recursive: true });
+    const dbPath = path.join(tmpDir, BACKUP_DB);
+    try {
+        const builderDbPath = path.join(dataDir, BUILDER_DB);
+        const useSqlite = fs.existsSync(builderDbPath);
+        if (useSqlite) {
+            fs.copyFileSync(builderDbPath, dbPath);
+            config.source = 'builder.db';
+        }
+        else {
+            const jsonFiles = {};
+            for (const f of JSON_FILES) {
+                const fp = path.join(dataDir, f);
+                try {
+                    const str = fs.readFileSync(fp, 'utf8');
+                    if (f === 'users.json')
+                        jsonFiles.users = str;
+                    else if (f === 'tokens.json')
+                        jsonFiles.tokens = str;
+                    else if (f === 'secrets.json')
+                        jsonFiles.secrets = str;
+                    else if (f === 'ssh-public-keys.json')
+                        jsonFiles.sshKeys = str;
+                }
+                catch {
+                    if (f === 'users.json')
+                        jsonFiles.users = '{"users":[]}';
+                    else if (f === 'tokens.json')
+                        jsonFiles.tokens = '{"pins":[]}';
+                    else if (f === 'secrets.json')
+                        jsonFiles.secrets = '{"secrets":{}}';
+                    else if (f === 'ssh-public-keys.json')
+                        jsonFiles.sshKeys = '{"byUser":{}}';
+                }
+            }
+            createBackupDbFromJson(dbPath, jsonFiles, config);
+            config.source = 'json';
+        }
+        fs.writeFileSync(path.join(tmpDir, CONFIG_JSON), JSON.stringify(config, null, 2));
+        for (const k of KEY_FILES) {
+            const fp = path.join(dataDir, k);
+            if (fs.existsSync(fp)) {
+                fs.copyFileSync(fp, path.join(tmpDir, k));
+                fs.chmodSync(path.join(tmpDir, k), 0o600);
+            }
+        }
+        const archive = archiver('zip', { zlib: { level: 6 } });
+        const out = fs.createWriteStream(resolvedOut);
+        const pipe = new Promise((resolve, reject) => {
+            out.on('close', () => resolve());
+            archive.on('error', reject);
+        });
+        archive.pipe(out);
+        archive.file(path.join(tmpDir, BACKUP_DB), { name: BACKUP_DB });
+        archive.file(path.join(tmpDir, CONFIG_JSON), { name: CONFIG_JSON });
+        for (const k of KEY_FILES) {
+            const fp = path.join(tmpDir, k);
+            if (fs.existsSync(fp))
+                archive.file(fp, { name: k });
+        }
+        await archive.finalize();
+        await pipe;
+        return resolvedOut;
+    }
+    finally {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+}

package/dist/backup.spec.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for runBackup with mocked SSH (no real connections).
+ */
+export {};