@lifestreamdynamics/vault-cli 1.1.0 → 1.3.0

package/dist/commands/vaults.js

@@ -3,7 +3,7 @@ import { getClientAsync } from '../client.js';
 import { addGlobalFlags, resolveFlags } from '../utils/flags.js';
 import { createOutput, handleError } from '../utils/output.js';
 import { generateVaultKey } from '@lifestreamdynamics/vault-sdk';
-import { createCredentialManager } from '../lib/credential-manager.js';
+import { getCredentialManager } from '../config.js';
 export function registerVaultCommands(program) {
     const vaults = program.command('vaults').description('Create, list, and inspect document vaults');
     addGlobalFlags(vaults.command('list')
@@ -84,7 +84,7 @@ EXAMPLES
             });
             if (isEncrypted) {
                 const key = generateVaultKey();
-                const credManager = createCredentialManager();
+                const credManager = getCredentialManager();
                 await credManager.saveVaultKey(vault.id, key);
                 out.success(`Encrypted vault created: ${chalk.cyan(vault.name)} (${vault.slug})`, {
                     id: vault.id,
@@ -93,10 +93,13 @@ EXAMPLES
                     encrypted: true,
                     vaultKey: key,
                 });
-                out.warn('IMPORTANT: Save this encryption key securely. If lost, your data cannot be recovered.');
-                out.status(`Vault Key: ${chalk.green(key)}`);
-                out.status(chalk.dim('The key has been saved to your credential store.'));
-                out.status(chalk.dim('You can export it later with: lsvault vaults export-key ' + vault.id));
+                // Always write key warning to stderr — even in JSON mode the caller must not miss this.
+                process.stderr.write(chalk.yellow('WARNING: Save this encryption key securely. If lost, your data cannot be recovered.\n'));
+                if (flags.output !== 'json') {
+                    out.status(`Vault Key: ${chalk.green(key)}`);
+                    out.status(chalk.dim('The key has been saved to your credential store.'));
+                    out.status(chalk.dim('You can export it later with: lsvault vaults export-key ' + vault.id));
+                }
                 out.warn('Encrypted vaults disable: full-text search, AI features, hooks, and webhooks.');
             }
             else {
@@ -118,7 +121,7 @@ EXAMPLES
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
         try {
-            const credManager = createCredentialManager();
+            const credManager = getCredentialManager();
             const key = await credManager.getVaultKey(vaultId);
             if (!key) {
                 out.error('No encryption key found for vault ' + vaultId);
@@ -146,7 +149,7 @@ EXAMPLES
                 process.exitCode = 1;
                 return;
             }
-            const credManager = createCredentialManager();
+            const credManager = getCredentialManager();
             await credManager.saveVaultKey(vaultId, keyValue);
             out.success('Vault encryption key saved successfully.', { vaultId });
         }
@@ -154,4 +157,233 @@ EXAMPLES
             handleError(out, err, 'Failed to import vault key');
         }
     });
+    // vault tree
+    addGlobalFlags(vaults.command('tree')
+        .description('Show vault file tree')
+        .argument('<vaultId>', 'Vault ID'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching vault tree...');
+        try {
+            const client = await getClientAsync();
+            const tree = await client.vaults.getTree(vaultId);
+            out.stopSpinner();
+            if (flags.output === 'json') {
+                out.raw(JSON.stringify(tree, null, 2) + '\n');
+            }
+            else {
+                function printNode(node, depth) {
+                    const indent = '  '.repeat(depth);
+                    const icon = node.type === 'directory' ? chalk.yellow('📁') : chalk.cyan('📄');
+                    process.stdout.write(`${indent}${icon} ${node.name}\n`);
+                    if (node.children) {
+                        for (const child of node.children)
+                            printNode(child, depth + 1);
+                    }
+                }
+                for (const node of tree)
+                    printNode(node, 0);
+            }
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch vault tree');
+        }
+    });
+    // vault archive
+    addGlobalFlags(vaults.command('archive')
+        .description('Archive a vault')
+        .argument('<vaultId>', 'Vault ID'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Archiving vault...');
+        try {
+            const client = await getClientAsync();
+            const vault = await client.vaults.archive(vaultId);
+            out.success(`Vault archived: ${vault.name}`, { id: vault.id, name: vault.name, isArchived: vault.isArchived });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to archive vault');
+        }
+    });
+    // vault unarchive
+    addGlobalFlags(vaults.command('unarchive')
+        .description('Unarchive a vault')
+        .argument('<vaultId>', 'Vault ID'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Unarchiving vault...');
+        try {
+            const client = await getClientAsync();
+            const vault = await client.vaults.unarchive(vaultId);
+            out.success(`Vault unarchived: ${vault.name}`, { id: vault.id, name: vault.name, isArchived: vault.isArchived });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to unarchive vault');
+        }
+    });
+    // vault transfer
+    addGlobalFlags(vaults.command('transfer')
+        .description('Transfer vault ownership to another user')
+        .argument('<vaultId>', 'Vault ID')
+        .argument('<targetEmail>', 'Email of the user to transfer to'))
+        .action(async (vaultId, targetEmail, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Transferring vault...');
+        try {
+            const client = await getClientAsync();
+            const vault = await client.vaults.transfer(vaultId, targetEmail);
+            out.success(`Vault transferred to ${targetEmail}`, { id: vault.id, name: vault.name });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to transfer vault');
+        }
+    });
+    // vault export-vault subgroup
+    const exportVault = vaults.command('export-vault').description('Vault export operations');
+    addGlobalFlags(exportVault.command('create')
+        .description('Create a vault export')
+        .argument('<vaultId>', 'Vault ID')
+        .option('--metadata', 'Include metadata in export')
+        .option('--format <fmt>', 'Export format', 'zip'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Creating export...');
+        try {
+            const client = await getClientAsync();
+            const exp = await client.vaults.createExport(vaultId, {
+                includeMetadata: _opts.metadata === true,
+                format: _opts.format || 'zip',
+            });
+            out.success('Export created', { id: exp.id, status: exp.status, format: exp.format });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to create export');
+        }
+    });
+    addGlobalFlags(exportVault.command('list')
+        .description('List vault exports')
+        .argument('<vaultId>', 'Vault ID'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching exports...');
+        try {
+            const client = await getClientAsync();
+            const exports = await client.vaults.listExports(vaultId);
+            out.stopSpinner();
+            out.list(exports.map(e => ({ id: e.id, status: e.status, format: e.format, createdAt: e.createdAt, completedAt: e.completedAt || '' })), {
+                emptyMessage: 'No exports found.',
+                columns: [
+                    { key: 'id', header: 'ID' },
+                    { key: 'status', header: 'Status' },
+                    { key: 'format', header: 'Format' },
+                    { key: 'createdAt', header: 'Created' },
+                    { key: 'completedAt', header: 'Completed' },
+                ],
+                textFn: (e) => `${chalk.cyan(String(e.id))} [${String(e.status)}] ${String(e.format)} created: ${String(e.createdAt)}`,
+            });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to list exports');
+        }
+    });
+    addGlobalFlags(exportVault.command('download')
+        .description('Download a vault export')
+        .argument('<vaultId>', 'Vault ID')
+        .argument('<exportId>', 'Export ID')
+        .requiredOption('--file <path>', 'Output file path'))
+        .action(async (vaultId, exportId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Downloading export...');
+        try {
+            const { writeFile } = await import('node:fs/promises');
+            const client = await getClientAsync();
+            const blob = await client.vaults.downloadExport(vaultId, exportId);
+            const buffer = Buffer.from(await blob.arrayBuffer());
+            await writeFile(_opts.file, buffer);
+            out.success(`Export downloaded to ${String(_opts.file)}`, { path: _opts.file, size: buffer.length });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to download export');
+        }
+    });
+    // vault mfa subgroup
+    const mfa = vaults.command('mfa').description('Vault MFA configuration');
+    addGlobalFlags(mfa.command('get')
+        .description('Get vault MFA configuration')
+        .argument('<vaultId>', 'Vault ID'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching MFA config...');
+        try {
+            const client = await getClientAsync();
+            const config = await client.vaults.getMfaConfig(vaultId);
+            out.stopSpinner();
+            out.record({
+                mfaRequired: config.mfaRequired,
+                sessionWindowMinutes: config.sessionWindowMinutes,
+                userVerified: config.userVerified,
+                verificationExpiresAt: config.verificationExpiresAt,
+            });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch MFA config');
+        }
+    });
+    addGlobalFlags(mfa.command('set')
+        .description('Set vault MFA configuration')
+        .argument('<vaultId>', 'Vault ID')
+        .option('--require', 'Require MFA for vault access')
+        .option('--no-require', 'Disable MFA requirement')
+        .option('--window <minutes>', 'Session window in minutes', '60'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        // Require an explicit --require or --no-require flag to avoid silent side-effects.
+        if (_opts.require === undefined) {
+            out.error('You must pass --require or --no-require to set the MFA policy.');
+            process.exitCode = 1;
+            return;
+        }
+        out.startSpinner('Updating MFA config...');
+        try {
+            const client = await getClientAsync();
+            const config = await client.vaults.setMfaConfig(vaultId, {
+                mfaRequired: _opts.require !== false,
+                sessionWindowMinutes: parseInt(String(_opts.window || '60'), 10),
+            });
+            out.success('MFA config updated', { mfaRequired: config.mfaRequired, sessionWindowMinutes: config.sessionWindowMinutes });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to update MFA config');
+        }
+    });
+    addGlobalFlags(mfa.command('verify')
+        .description('Verify MFA for vault access')
+        .argument('<vaultId>', 'Vault ID')
+        .requiredOption('--method <totp|backup_code>', 'MFA method')
+        .requiredOption('--code <code>', 'MFA code'))
+        .action(async (vaultId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Verifying MFA...');
+        try {
+            const client = await getClientAsync();
+            const result = await client.vaults.verifyMfa(vaultId, {
+                method: _opts.method,
+                code: _opts.code,
+            });
+            out.success('MFA verified', { verified: result.verified, expiresAt: result.expiresAt });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to verify MFA');
+        }
+    });
 }

package/dist/commands/webhooks.js

@@ -119,10 +119,15 @@ export function registerWebhookCommands(program) {
     addGlobalFlags(webhooks.command('delete')
         .description('Delete a webhook')
         .argument('<vaultId>', 'Vault ID')
-        .argument('<webhookId>', 'Webhook ID'))
+        .argument('<webhookId>', 'Webhook ID')
+        .option('-y, --yes', 'Skip confirmation prompt'))
         .action(async (vaultId, webhookId, _opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        if (!_opts.yes) {
+            out.status(chalk.yellow(`Pass --yes to delete webhook ${webhookId}.`));
+            return;
+        }
         out.startSpinner('Deleting webhook...');
         try {
             const client = await getClientAsync();

package/dist/config.d.ts

@@ -5,6 +5,8 @@ export interface CliConfig {
     apiKey?: string;
     accessToken?: string;
     refreshToken?: string;
+    /** Per-vault client-side encryption keys, keyed by vaultId */
+    vaultKeys?: Record<string, string>;
 }
 export declare function getCredentialManager(): CredentialManager;
 /**

package/dist/config.js

@@ -71,19 +71,23 @@ export async function loadConfigAsync() {
         const fileConfig = JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
         if (fileConfig.apiUrl && !config.apiUrl)
             config.apiUrl = fileConfig.apiUrl;
-        if (fileConfig.apiKey && !config.apiKey)
+        if (fileConfig.apiKey && !config.apiKey) {
             config.apiKey = fileConfig.apiKey;
+            process.stderr.write('\x1b[33mWarning: API key loaded from plaintext config (~/.lsvault/config.json).\n' +
+                'Run `lsvault auth migrate` to migrate to secure storage.\n' +
+                'See: https://docs.lifestreamdynamics.com/migration-to-secure-storage\x1b[0m\n');
+        }
     }
     return config;
 }
 export function saveConfig(config) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
     let existing = {};
     if (fs.existsSync(CONFIG_FILE)) {
         existing = JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
     }
     const merged = { ...existing, ...config };
-    fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + '\n');
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + '\n', { mode: 0o600 });
 }

package/dist/index.js

@@ -1,5 +1,14 @@
 #!/usr/bin/env node
+import { createRequire } from 'node:module';
 import { Command } from 'commander';
+import chalk from 'chalk';
+const require = createRequire(import.meta.url);
+const pkg = require('../package.json');
+// Apply --no-color / NO_COLOR at startup so it takes effect for all output,
+// including messages printed before any action handler runs.
+if (process.argv.includes('--no-color') || process.env.NO_COLOR !== undefined) {
+    chalk.level = 0;
+}
 import { registerAuthCommands } from './commands/auth.js';
 import { registerMfaCommands } from './commands/mfa.js';
 import { registerVaultCommands } from './commands/vaults.js';
@@ -21,11 +30,20 @@ import { registerSyncCommands } from './commands/sync.js';
 import { registerVersionCommands } from './commands/versions.js';
 import { registerLinkCommands } from './commands/links.js';
 import { registerCalendarCommands } from './commands/calendar.js';
+import { registerBookingCommands } from './commands/booking.js';
+import { registerAiCommands } from './commands/ai.js';
+import { registerAnalyticsCommands } from './commands/analytics.js';
+import { registerCustomDomainCommands } from './commands/custom-domains.js';
+import { registerPublishVaultCommands } from './commands/publish-vault.js';
+import { registerSamlCommands } from './commands/saml.js';
+import { registerScimCommands } from './commands/scim.js';
+import { registerPluginCommands } from './commands/plugins.js';
+import { registerCompletionCommands } from './commands/completion.js';
 const program = new Command();
 program
     .name('lsvault')
     .description('Lifestream Vault CLI - manage vaults, documents, and settings')
-    .version('0.1.0')
+    .version(pkg.version)
     .addHelpText('after', `
 GETTING STARTED
   lsvault auth login --email <email>         Log in with email/password
@@ -66,4 +84,13 @@ registerSyncCommands(program);
 registerVersionCommands(program);
 registerLinkCommands(program);
 registerCalendarCommands(program);
+registerBookingCommands(program);
+registerAiCommands(program);
+registerAnalyticsCommands(program);
+registerCustomDomainCommands(program);
+registerPublishVaultCommands(program);
+registerSamlCommands(program);
+registerScimCommands(program);
+registerPluginCommands(program);
+registerCompletionCommands(program);
 program.parse();

package/dist/lib/credential-manager.js

@@ -1,13 +1,38 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+import os from 'node:os';
 import { createKeychainBackend } from './keychain.js';
 import { createEncryptedConfigBackend } from './encrypted-config.js';
-// Default passphrase for encrypted config when no interactive prompt is available.
-// This provides basic obfuscation — the real security benefit is file permissions (0600)
-// and the fact that credentials aren't in a JSON file that's easy to grep for API keys.
-const DEFAULT_PASSPHRASE = 'lsvault-cli-local-encryption-key';
+/**
+ * Returns the machine-specific passphrase used to encrypt the local credential
+ * store.  On first call it generates a cryptographically random 32-byte hex
+ * string, writes it to `~/.lsvault/.passphrase` (mode 0o600, directory 0o700),
+ * and returns it.  Subsequent calls read the stored value.
+ *
+ * This replaces the old hardcoded `DEFAULT_PASSPHRASE` constant so that the
+ * passphrase is never present in source code or version control.
+ */
+function getOrCreatePassphrase() {
+    const configDir = path.join(os.homedir(), '.lsvault');
+    const passphrasePath = path.join(configDir, '.passphrase');
+    try {
+        return fs.readFileSync(passphrasePath, 'utf-8').trim();
+    }
+    catch {
+        // File does not exist yet — generate a new one.
+        const passphrase = crypto.randomBytes(32).toString('hex');
+        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+        fs.writeFileSync(passphrasePath, passphrase, { mode: 0o600 });
+        return passphrase;
+    }
+}
 export function createCredentialManager(options = {}) {
     const keychain = options.keychain ?? createKeychainBackend();
     const encryptedConfig = options.encryptedConfig ?? createEncryptedConfigBackend();
-    const passphrase = options.passphrase ?? DEFAULT_PASSPHRASE;
+    // Use the caller-supplied passphrase (tests pass one explicitly) or lazily
+    // generate / load the per-machine passphrase from ~/.lsvault/.passphrase.
+    const passphrase = options.passphrase ?? getOrCreatePassphrase();
     return {
         async getCredentials() {
             const result = {};
@@ -87,13 +112,13 @@ export function createCredentialManager(options = {}) {
         async saveVaultKey(vaultId, keyHex) {
             // Read existing config, merge vault key, save
             const existing = encryptedConfig.getCredentials(passphrase) ?? {};
-            const vaultKeys = existing.vaultKeys ?? {};
+            const vaultKeys = { ...(existing.vaultKeys ?? {}) };
             vaultKeys[vaultId] = keyHex;
             encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
         },
         async deleteVaultKey(vaultId) {
             const existing = encryptedConfig.getCredentials(passphrase) ?? {};
-            const vaultKeys = existing.vaultKeys ?? {};
+            const vaultKeys = { ...(existing.vaultKeys ?? {}) };
             delete vaultKeys[vaultId];
             encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
         },

package/dist/lib/migration.js

@@ -85,8 +85,8 @@ export async function migrateCredentials(credentialManager, promptFn) {
 export async function checkAndPromptMigration(credentialManager) {
     if (!hasPlaintextCredentials())
         return false;
-    console.log(chalk.yellow('\nWarning: API key found in plaintext config (~/.lsvault/config.json)'));
-    console.log(chalk.yellow('Run `lsvault auth migrate` to migrate to secure storage.\n'));
+    process.stderr.write(chalk.yellow('\nWarning: API key found in plaintext config (~/.lsvault/config.json)') + '\n');
+    process.stderr.write(chalk.yellow('Run `lsvault auth migrate` to migrate to secure storage.\n') + '\n');
     return false;
 }
 export { CONFIG_FILE, CONFIG_DIR };

package/dist/lib/profiles.js

@@ -29,9 +29,9 @@ export function getActiveProfile() {
  */
 export function setActiveProfile(name) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    fs.writeFileSync(ACTIVE_PROFILE_FILE, name + '\n');
+    fs.writeFileSync(ACTIVE_PROFILE_FILE, name + '\n', { mode: 0o600 });
 }
 /**
  * Loads a profile's configuration. Returns an empty object if the profile
@@ -54,11 +54,11 @@ export function loadProfile(name) {
  */
 export function setProfileValue(name, key, value) {
     if (!fs.existsSync(PROFILES_DIR)) {
-        fs.mkdirSync(PROFILES_DIR, { recursive: true });
+        fs.mkdirSync(PROFILES_DIR, { recursive: true, mode: 0o700 });
     }
     const config = loadProfile(name);
     config[key] = value;
-    fs.writeFileSync(getProfilePath(name), JSON.stringify(config, null, 2) + '\n');
+    fs.writeFileSync(getProfilePath(name), JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Gets a single value from a profile.

package/dist/sync/config.js

@@ -31,9 +31,9 @@ export function loadSyncConfigs() {
  */
 export function saveSyncConfigs(configs) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    fs.writeFileSync(SYNCS_FILE, JSON.stringify(configs, null, 2) + '\n');
+    fs.writeFileSync(SYNCS_FILE, JSON.stringify(configs, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Find a sync config by its ID.

package/dist/sync/daemon-worker.js

@@ -8,7 +8,7 @@ import { resolveIgnorePatterns } from './ignore.js';
 import { createWatcher } from './watcher.js';
 import { createRemotePoller } from './remote-poller.js';
 import { removePid } from './daemon.js';
-import { loadConfig } from '../config.js';
+import { loadConfigAsync } from '../config.js';
 import { LifestreamVaultClient } from '@lifestreamdynamics/vault-sdk';
 import { scanLocalFiles, scanRemoteFiles, computePushDiff, computePullDiff, executePush, executePull } from './engine.js';
 import { loadSyncState } from './state.js';
@@ -17,10 +17,17 @@ function log(msg) {
     const ts = new Date().toISOString();
     process.stdout.write(`[${ts}] ${msg}\n`);
 }
-function createClient() {
-    const config = loadConfig();
-    if (!config.apiKey) {
-        throw new Error('No API key configured. Run `lsvault auth login` first.');
+async function createClient() {
+    const config = await loadConfigAsync();
+    if (!config.apiKey && !config.accessToken) {
+        throw new Error('No credentials configured. Run `lsvault auth login` first.');
+    }
+    if (config.accessToken) {
+        return new LifestreamVaultClient({
+            baseUrl: config.apiUrl,
+            accessToken: config.accessToken,
+            refreshToken: config.refreshToken,
+        });
     }
     return new LifestreamVaultClient({
         baseUrl: config.apiUrl,
@@ -36,7 +43,7 @@ async function start() {
         process.exit(0);
     }
     log(`Found ${configs.length} auto-sync configuration(s)`);
-    const client = createClient();
+    const client = await createClient();
     // Startup reconciliation: catch changes made while daemon was stopped
     for (const config of configs) {
         try {

package/dist/sync/daemon.js

@@ -137,7 +137,8 @@ export function startDaemon(logFile) {
     rotateLogIfNeeded(targetLog);
     const logFd = fs.openSync(targetLog, 'a');
     // Spawn the daemon worker as a detached process
-    const workerPath = path.join(import.meta.dirname, 'daemon-worker.js');
+    // Use URL constructor for Node 20.0-20.10 compatibility (import.meta.dirname was added in 20.11).
+    const workerPath = path.join(path.dirname(new URL(import.meta.url).pathname), 'daemon-worker.js');
     const child = spawn(process.execPath, [workerPath], {
         detached: true,
         stdio: ['ignore', logFd, logFd],

package/dist/sync/remote-poller.js

@@ -63,7 +63,9 @@ export function createRemotePoller(client, config, options) {
                         if (resolution === 'remote') {
                             conflictFile = createConflictFile(config.localPath, doc.path, localContent, 'local');
                             onLocalWrite?.(doc.path);
-                            fs.writeFileSync(localFile, content, 'utf-8');
+                            const tmpConflict = localFile + '.tmp';
+                            fs.writeFileSync(tmpConflict, content, 'utf-8');
+                            fs.renameSync(tmpConflict, localFile);
                             log(`Conflict: ${doc.path} — used remote, saved local as ${conflictFile}`);
                         }
                         else {
@@ -80,13 +82,15 @@ export function createRemotePoller(client, config, options) {
                         continue;
                     }
                 }
-                // No conflict — download the file
+                // No conflict — download the file atomically
                 const dir = path.dirname(localFile);
                 if (!fs.existsSync(dir)) {
                     fs.mkdirSync(dir, { recursive: true });
                 }
                 onLocalWrite?.(doc.path);
-                fs.writeFileSync(localFile, content, 'utf-8');
+                const tmpFile = localFile + '.tmp';
+                fs.writeFileSync(tmpFile, content, 'utf-8');
+                fs.renameSync(tmpFile, localFile);
                 log(`Pulled: ${doc.path}`);
                 changes++;
                 state.local[doc.path] = {

package/dist/sync/state.js

@@ -43,10 +43,10 @@ export function loadSyncState(syncId) {
  */
 export function saveSyncState(state) {
     if (!fs.existsSync(STATE_DIR)) {
-        fs.mkdirSync(STATE_DIR, { recursive: true });
+        fs.mkdirSync(STATE_DIR, { recursive: true, mode: 0o700 });
     }
     state.updatedAt = new Date().toISOString();
-    fs.writeFileSync(stateFilePath(state.syncId), JSON.stringify(state, null, 2) + '\n');
+    fs.writeFileSync(stateFilePath(state.syncId), JSON.stringify(state, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Delete sync state for a given sync configuration.

package/dist/utils/confirm.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Prompt the user to confirm a destructive action.
+ *
+ * @param message - The confirmation message to display (without " [y/N] " suffix)
+ * @param options.yes - If true, skip the prompt and return true immediately (e.g. --yes flag)
+ * @returns Promise resolving to true if confirmed, false if declined
+ * @throws Error if stdin is not a TTY and --yes was not provided
+ */
+export declare function confirmAction(message: string, options?: {
+    yes?: boolean;
+}): Promise<boolean>;

package/dist/utils/confirm.js

@@ -0,0 +1,23 @@
+import readline from 'node:readline';
+/**
+ * Prompt the user to confirm a destructive action.
+ *
+ * @param message - The confirmation message to display (without " [y/N] " suffix)
+ * @param options.yes - If true, skip the prompt and return true immediately (e.g. --yes flag)
+ * @returns Promise resolving to true if confirmed, false if declined
+ * @throws Error if stdin is not a TTY and --yes was not provided
+ */
+export async function confirmAction(message, options) {
+    if (options?.yes)
+        return true;
+    if (!process.stdin.isTTY) {
+        throw new Error('Cannot prompt for confirmation in non-interactive mode. Use --yes to skip confirmation.');
+    }
+    const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    return new Promise((resolve) => {
+        rl.question(`${message} [y/N] `, (answer) => {
+            rl.close();
+            resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+        });
+    });
+}

package/dist/utils/format.js

@@ -1,5 +1,5 @@
 export function formatBytes(bytes) {
-    if (bytes === 0)
+    if (bytes <= 0)
         return '0 B';
     const units = ['B', 'KB', 'MB', 'GB', 'TB'];
     const i = Math.floor(Math.log(bytes) / Math.log(1024));