@lumy-pack/syncpoint 0.0.1

package/dist/index.mjs

@@ -0,0 +1,1018 @@
+// src/core/config.ts
+import { readFile, writeFile } from "fs/promises";
+import { join as join4 } from "path";
+import YAML from "yaml";
+
+// src/constants.ts
+import { join as join2 } from "path";
+
+// src/utils/paths.ts
+import { mkdir, stat } from "fs/promises";
+import { homedir } from "os";
+import { join, normalize, resolve } from "path";
+function getHomeDir() {
+  const envHome = process.env.SYNCPOINT_HOME;
+  if (envHome) {
+    const normalized = normalize(envHome);
+    if (normalized.includes("..")) {
+      throw new Error(`SYNCPOINT_HOME contains path traversal: ${envHome}`);
+    }
+    if (!resolve(normalized).startsWith("/")) {
+      throw new Error(`SYNCPOINT_HOME must be an absolute path: ${envHome}`);
+    }
+    return normalized;
+  }
+  return homedir();
+}
+function expandTilde(p) {
+  if (p === "~") return getHomeDir();
+  if (p.startsWith("~/")) return join(getHomeDir(), p.slice(2));
+  return p;
+}
+function contractTilde(p) {
+  const home = getHomeDir();
+  if (p === home) return "~";
+  if (p.startsWith(home + "/")) return "~" + p.slice(home.length);
+  return p;
+}
+function resolveTargetPath(p) {
+  return resolve(expandTilde(p));
+}
+async function ensureDir(dirPath) {
+  await mkdir(dirPath, { recursive: true });
+}
+async function fileExists(filePath) {
+  try {
+    await stat(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/constants.ts
+var APP_NAME = "syncpoint";
+var APP_DIR = `.${APP_NAME}`;
+var CONFIG_FILENAME = "config.yml";
+var METADATA_FILENAME = "_metadata.json";
+var LARGE_FILE_THRESHOLD = 10 * 1024 * 1024;
+var SENSITIVE_PATTERNS = ["id_rsa", "id_ed25519", "*.pem", "*.key"];
+var BACKUPS_DIR = "backups";
+var TEMPLATES_DIR = "templates";
+var SCRIPTS_DIR = "scripts";
+var LOGS_DIR = "logs";
+function getAppDir() {
+  return join2(getHomeDir(), APP_DIR);
+}
+var APP_VERSION = "0.0.1";
+function getSubDir(sub) {
+  return join2(getAppDir(), sub);
+}
+
+// src/schemas/ajv.ts
+import Ajv from "ajv";
+import addFormats from "ajv-formats";
+var ajv = new Ajv({ allErrors: true });
+addFormats(ajv);
+
+// src/schemas/config.schema.ts
+var configSchema = {
+  type: "object",
+  required: ["backup"],
+  properties: {
+    backup: {
+      type: "object",
+      required: ["targets", "exclude", "filename"],
+      properties: {
+        targets: {
+          type: "array",
+          items: { type: "string" }
+        },
+        exclude: {
+          type: "array",
+          items: { type: "string" }
+        },
+        filename: {
+          type: "string",
+          minLength: 1
+        },
+        destination: {
+          type: "string"
+        }
+      },
+      additionalProperties: false
+    },
+    scripts: {
+      type: "object",
+      properties: {
+        includeInBackup: {
+          type: "boolean"
+        }
+      },
+      additionalProperties: false
+    }
+  },
+  additionalProperties: false
+};
+var validate = ajv.compile(configSchema);
+function validateConfig(data) {
+  const valid = validate(data);
+  if (valid) return { valid: true };
+  const errors = validate.errors?.map(
+    (e) => `${e.instancePath || "/"} ${e.message ?? "unknown error"}`
+  );
+  return { valid: false, errors };
+}
+
+// src/utils/assets.ts
+import { existsSync, readFileSync } from "fs";
+import { dirname, join as join3 } from "path";
+import { fileURLToPath } from "url";
+function getPackageRoot() {
+  let dir = dirname(fileURLToPath(import.meta.url));
+  while (dir !== dirname(dir)) {
+    if (existsSync(join3(dir, "package.json"))) return dir;
+    dir = dirname(dir);
+  }
+  throw new Error("Could not find package root");
+}
+function getAssetPath(filename) {
+  return join3(getPackageRoot(), "assets", filename);
+}
+function readAsset(filename) {
+  return readFileSync(getAssetPath(filename), "utf-8");
+}
+
+// src/core/config.ts
+function stripDangerousKeys(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(stripDangerousKeys);
+  const cleaned = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (["__proto__", "constructor", "prototype"].includes(key)) continue;
+    cleaned[key] = stripDangerousKeys(value);
+  }
+  return cleaned;
+}
+function getConfigPath() {
+  return join4(getAppDir(), CONFIG_FILENAME);
+}
+async function loadConfig() {
+  const configPath = getConfigPath();
+  const exists = await fileExists(configPath);
+  if (!exists) {
+    throw new Error(
+      `Config file not found: ${configPath}
+Run "syncpoint init" first.`
+    );
+  }
+  const raw = await readFile(configPath, "utf-8");
+  const data = stripDangerousKeys(YAML.parse(raw));
+  const result = validateConfig(data);
+  if (!result.valid) {
+    throw new Error(
+      `Invalid config:
+${(result.errors ?? []).join("\n")}`
+    );
+  }
+  return data;
+}
+async function saveConfig(config) {
+  const result = validateConfig(config);
+  if (!result.valid) {
+    throw new Error(
+      `Invalid config:
+${(result.errors ?? []).join("\n")}`
+    );
+  }
+  const configPath = getConfigPath();
+  await ensureDir(getAppDir());
+  const yamlStr = YAML.stringify(config, { indent: 2 });
+  await writeFile(configPath, yamlStr, "utf-8");
+}
+async function initDefaultConfig() {
+  const created = [];
+  const skipped = [];
+  const dirs = [
+    getAppDir(),
+    getSubDir(BACKUPS_DIR),
+    getSubDir(TEMPLATES_DIR),
+    getSubDir(SCRIPTS_DIR),
+    getSubDir(LOGS_DIR)
+  ];
+  for (const dir of dirs) {
+    const exists = await fileExists(dir);
+    if (!exists) {
+      await ensureDir(dir);
+      created.push(dir);
+    } else {
+      skipped.push(dir);
+    }
+  }
+  const configPath = getConfigPath();
+  const configExists = await fileExists(configPath);
+  if (!configExists) {
+    const yamlContent = readAsset("config.default.yml");
+    await writeFile(configPath, yamlContent, "utf-8");
+    created.push(configPath);
+  } else {
+    skipped.push(configPath);
+  }
+  return { created, skipped };
+}
+
+// src/core/backup.ts
+import { readdir } from "fs/promises";
+import { join as join7, basename } from "path";
+import fg from "fast-glob";
+
+// src/utils/system.ts
+import { hostname as osHostname, platform, release, arch } from "os";
+function getHostname() {
+  return osHostname();
+}
+function getSystemInfo() {
+  return {
+    platform: platform(),
+    release: release(),
+    arch: arch()
+  };
+}
+function formatHostname(name) {
+  const raw = name ?? getHostname();
+  return raw.replace(/\s+/g, "-").replace(/\./g, "-").replace(/[^a-zA-Z0-9\-]/g, "").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+
+// src/utils/format.ts
+function formatDatetime(date) {
+  const y = date.getFullYear();
+  const m = String(date.getMonth() + 1).padStart(2, "0");
+  const d = String(date.getDate()).padStart(2, "0");
+  const h = String(date.getHours()).padStart(2, "0");
+  const min = String(date.getMinutes()).padStart(2, "0");
+  const s = String(date.getSeconds()).padStart(2, "0");
+  return `${y}-${m}-${d}_${h}${min}${s}`;
+}
+function generateFilename(pattern, options) {
+  const now = options?.date ?? /* @__PURE__ */ new Date();
+  const host = formatHostname(options?.hostname);
+  const y = now.getFullYear();
+  const m = String(now.getMonth() + 1).padStart(2, "0");
+  const d = String(now.getDate()).padStart(2, "0");
+  const h = String(now.getHours()).padStart(2, "0");
+  const min = String(now.getMinutes()).padStart(2, "0");
+  const s = String(now.getSeconds()).padStart(2, "0");
+  let result = pattern.replace(/\{hostname\}/g, host).replace(/\{date\}/g, `${y}-${m}-${d}`).replace(/\{time\}/g, `${h}${min}${s}`).replace(/\{datetime\}/g, `${y}-${m}-${d}_${h}${min}${s}`);
+  if (options?.tag) {
+    result = result.replace(/\{tag\}/g, options.tag);
+    if (!pattern.includes("{tag}")) {
+      result += `_${options.tag}`;
+    }
+  } else {
+    result = result.replace(/\{tag\}/g, "").replace(/_+/g, "_").replace(/_$/, "");
+  }
+  return result;
+}
+
+// src/utils/logger.ts
+import { appendFile, mkdir as mkdir2 } from "fs/promises";
+import { join as join5 } from "path";
+import pc from "picocolors";
+var ANSI_RE = /\x1b\[[0-9;]*m/g;
+function stripAnsi(str) {
+  return str.replace(ANSI_RE, "");
+}
+function timestamp() {
+  const now = /* @__PURE__ */ new Date();
+  const h = String(now.getHours()).padStart(2, "0");
+  const m = String(now.getMinutes()).padStart(2, "0");
+  const s = String(now.getSeconds()).padStart(2, "0");
+  return `${h}:${m}:${s}`;
+}
+function dateStamp() {
+  const now = /* @__PURE__ */ new Date();
+  const y = now.getFullYear();
+  const m = String(now.getMonth() + 1).padStart(2, "0");
+  const d = String(now.getDate()).padStart(2, "0");
+  return `${y}-${m}-${d}`;
+}
+var logDirCreated = false;
+async function writeToFile(level, message) {
+  try {
+    const logsDir = join5(getAppDir(), LOGS_DIR);
+    if (!logDirCreated) {
+      await mkdir2(logsDir, { recursive: true });
+      logDirCreated = true;
+    }
+    const logFile = join5(logsDir, `${dateStamp()}.log`);
+    const line = `[${timestamp()}] [${level.toUpperCase()}] ${stripAnsi(message)}
+`;
+    await appendFile(logFile, line, "utf-8");
+  } catch {
+  }
+}
+var logger = {
+  info(message) {
+    console.log(`${pc.blue("info")} ${message}`);
+    void writeToFile("info", message);
+  },
+  success(message) {
+    console.log(`${pc.green("success")} ${message}`);
+    void writeToFile("success", message);
+  },
+  warn(message) {
+    console.warn(`${pc.yellow("warn")} ${message}`);
+    void writeToFile("warn", message);
+  },
+  error(message) {
+    console.error(`${pc.red("error")} ${message}`);
+    void writeToFile("error", message);
+  }
+};
+
+// src/core/metadata.ts
+import { createHash } from "crypto";
+import { readFile as readFile2, lstat } from "fs/promises";
+
+// src/schemas/metadata.schema.ts
+var metadataSchema = {
+  type: "object",
+  required: [
+    "version",
+    "toolVersion",
+    "createdAt",
+    "hostname",
+    "system",
+    "config",
+    "files",
+    "summary"
+  ],
+  properties: {
+    version: { type: "string" },
+    toolVersion: { type: "string" },
+    createdAt: { type: "string" },
+    hostname: { type: "string" },
+    system: {
+      type: "object",
+      required: ["platform", "release", "arch"],
+      properties: {
+        platform: { type: "string" },
+        release: { type: "string" },
+        arch: { type: "string" }
+      },
+      additionalProperties: false
+    },
+    config: {
+      type: "object",
+      required: ["filename"],
+      properties: {
+        filename: { type: "string" },
+        destination: { type: "string" }
+      },
+      additionalProperties: false
+    },
+    files: {
+      type: "array",
+      items: {
+        type: "object",
+        required: ["path", "absolutePath", "size", "hash"],
+        properties: {
+          path: { type: "string" },
+          absolutePath: { type: "string" },
+          size: { type: "number", minimum: 0 },
+          hash: { type: "string" },
+          type: { type: "string" }
+        },
+        additionalProperties: false
+      }
+    },
+    summary: {
+      type: "object",
+      required: ["fileCount", "totalSize"],
+      properties: {
+        fileCount: { type: "integer", minimum: 0 },
+        totalSize: { type: "number", minimum: 0 }
+      },
+      additionalProperties: false
+    }
+  },
+  additionalProperties: false
+};
+var validate2 = ajv.compile(metadataSchema);
+function validateMetadata(data) {
+  const valid = validate2(data);
+  if (valid) return { valid: true };
+  const errors = validate2.errors?.map(
+    (e) => `${e.instancePath || "/"} ${e.message ?? "unknown error"}`
+  );
+  return { valid: false, errors };
+}
+
+// src/core/metadata.ts
+var METADATA_VERSION = "1.0.0";
+function createMetadata(files, config) {
+  const totalSize = files.reduce((sum, f) => sum + f.size, 0);
+  return {
+    version: METADATA_VERSION,
+    toolVersion: APP_VERSION,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    hostname: getHostname(),
+    system: getSystemInfo(),
+    config: {
+      filename: config.backup.filename,
+      destination: config.backup.destination
+    },
+    files,
+    summary: {
+      fileCount: files.length,
+      totalSize
+    }
+  };
+}
+function parseMetadata(data) {
+  const str = typeof data === "string" ? data : data.toString("utf-8");
+  const parsed = JSON.parse(str);
+  const result = validateMetadata(parsed);
+  if (!result.valid) {
+    throw new Error(
+      `Invalid metadata:
+${(result.errors ?? []).join("\n")}`
+    );
+  }
+  return parsed;
+}
+async function computeFileHash(filePath) {
+  const content = await readFile2(filePath);
+  const hash = createHash("sha256").update(content).digest("hex");
+  return `sha256:${hash}`;
+}
+async function collectFileInfo(absolutePath, logicalPath) {
+  const lstats = await lstat(absolutePath);
+  let type;
+  if (lstats.isSymbolicLink()) {
+    type = "symlink";
+  } else if (lstats.isDirectory()) {
+    type = "directory";
+  }
+  let hash;
+  if (lstats.isSymbolicLink()) {
+    hash = `sha256:${createHash("sha256").update(absolutePath).digest("hex")}`;
+  } else {
+    hash = await computeFileHash(absolutePath);
+  }
+  return {
+    path: contractTilde(logicalPath),
+    absolutePath,
+    size: lstats.size,
+    hash,
+    type
+  };
+}
+
+// src/core/storage.ts
+import { mkdir as mkdir3, mkdtemp, readFile as readFile3, rm, writeFile as writeFile2 } from "fs/promises";
+import { tmpdir } from "os";
+import { join as join6, normalize as normalize2 } from "path";
+import * as tar from "tar";
+async function createArchive(files, outputPath) {
+  const tmpDir = await mkdtemp(join6(tmpdir(), "syncpoint-"));
+  try {
+    const fileNames = [];
+    for (const file of files) {
+      const targetPath = join6(tmpDir, file.name);
+      const parentDir = join6(tmpDir, file.name.split("/").slice(0, -1).join("/"));
+      if (parentDir !== tmpDir) {
+        await mkdir3(parentDir, { recursive: true });
+      }
+      if (file.content !== void 0) {
+        await writeFile2(targetPath, file.content);
+      } else if (file.sourcePath) {
+        const data = await readFile3(file.sourcePath);
+        await writeFile2(targetPath, data);
+      }
+      fileNames.push(file.name);
+    }
+    await tar.create(
+      {
+        gzip: true,
+        file: outputPath,
+        cwd: tmpDir
+      },
+      fileNames
+    );
+  } finally {
+    await rm(tmpDir, { recursive: true, force: true });
+  }
+}
+async function extractArchive(archivePath, destDir) {
+  await mkdir3(destDir, { recursive: true });
+  await tar.extract({
+    file: archivePath,
+    cwd: destDir,
+    preservePaths: false,
+    filter: (path, entry) => {
+      const normalizedPath = normalize2(path);
+      if (normalizedPath.includes("..")) return false;
+      if (normalizedPath.startsWith("/")) return false;
+      if (entry.type === "SymbolicLink" || entry.type === "Link") return false;
+      return true;
+    }
+  });
+}
+async function readFileFromArchive(archivePath, filename) {
+  if (filename.includes("..") || filename.startsWith("/")) {
+    throw new Error(`Invalid filename: ${filename}`);
+  }
+  const tmpDir = await mkdtemp(join6(tmpdir(), "syncpoint-read-"));
+  try {
+    await tar.extract({
+      file: archivePath,
+      cwd: tmpDir,
+      filter: (path) => {
+        const normalized = path.replace(/^\.\//, "");
+        return normalized === filename;
+      }
+    });
+    const extractedPath = join6(tmpDir, filename);
+    try {
+      return await readFile3(extractedPath);
+    } catch {
+      return null;
+    }
+  } finally {
+    await rm(tmpDir, { recursive: true, force: true });
+  }
+}
+
+// src/core/backup.ts
+function isSensitiveFile(filePath) {
+  const name = basename(filePath);
+  return SENSITIVE_PATTERNS.some((pattern) => {
+    if (pattern.startsWith("*")) {
+      return name.endsWith(pattern.slice(1));
+    }
+    return name === pattern || filePath.includes(pattern);
+  });
+}
+async function scanTargets(config) {
+  const found = [];
+  const missing = [];
+  for (const target of config.backup.targets) {
+    const expanded = expandTilde(target);
+    if (expanded.includes("*") || expanded.includes("?") || expanded.includes("{")) {
+      const matches = await fg(expanded, {
+        dot: true,
+        absolute: true,
+        ignore: config.backup.exclude,
+        onlyFiles: true
+      });
+      for (const match of matches) {
+        const entry = await collectFileInfo(match, match);
+        found.push(entry);
+      }
+    } else {
+      const absPath = resolveTargetPath(target);
+      const exists = await fileExists(absPath);
+      if (!exists) {
+        missing.push(target);
+        continue;
+      }
+      const entry = await collectFileInfo(absPath, absPath);
+      if (entry.size > LARGE_FILE_THRESHOLD) {
+        logger.warn(
+          `Large file (>${Math.round(LARGE_FILE_THRESHOLD / 1024 / 1024)}MB): ${target}`
+        );
+      }
+      if (isSensitiveFile(absPath)) {
+        logger.warn(`Sensitive file detected: ${target}`);
+      }
+      found.push(entry);
+    }
+  }
+  return { found, missing };
+}
+async function collectScripts() {
+  const scriptsDir = getSubDir(SCRIPTS_DIR);
+  const exists = await fileExists(scriptsDir);
+  if (!exists) return [];
+  const entries = [];
+  try {
+    const files = await readdir(scriptsDir, { withFileTypes: true });
+    for (const file of files) {
+      if (file.isFile() && file.name.endsWith(".sh")) {
+        const absPath = join7(scriptsDir, file.name);
+        const entry = await collectFileInfo(absPath, absPath);
+        entries.push(entry);
+      }
+    }
+  } catch {
+    logger.info("Skipping unreadable scripts directory");
+  }
+  return entries;
+}
+async function createBackup(config, options = {}) {
+  const { found, missing } = await scanTargets(config);
+  for (const m of missing) {
+    logger.warn(`File not found, skipping: ${m}`);
+  }
+  let allFiles = [...found];
+  if (config.scripts.includeInBackup) {
+    const scripts = await collectScripts();
+    allFiles = [...allFiles, ...scripts];
+  }
+  if (allFiles.length === 0) {
+    throw new Error("No files found to backup.");
+  }
+  const metadata = createMetadata(allFiles, config);
+  const filename = generateFilename(config.backup.filename, {
+    tag: options.tag
+  });
+  const archiveFilename = `${filename}.tar.gz`;
+  const destDir = config.backup.destination ? resolveTargetPath(config.backup.destination) : getSubDir(BACKUPS_DIR);
+  await ensureDir(destDir);
+  const archivePath = join7(destDir, archiveFilename);
+  if (options.dryRun) {
+    return { archivePath, metadata };
+  }
+  const archiveFiles = [];
+  archiveFiles.push({
+    name: METADATA_FILENAME,
+    content: JSON.stringify(metadata, null, 2)
+  });
+  for (const file of allFiles) {
+    archiveFiles.push({
+      name: file.path.startsWith("~/") ? file.path.slice(2) : file.path,
+      sourcePath: file.absolutePath
+    });
+  }
+  await createArchive(archiveFiles, archivePath);
+  logger.success(`Backup created: ${archivePath}`);
+  return { archivePath, metadata };
+}
+
+// src/core/restore.ts
+import { copyFile, lstat as lstat2, readdir as readdir2, stat as stat2 } from "fs/promises";
+import { join as join8, dirname as dirname2 } from "path";
+async function getBackupList(config) {
+  const backupDir = config?.backup.destination ? resolveTargetPath(config.backup.destination) : getSubDir(BACKUPS_DIR);
+  const exists = await fileExists(backupDir);
+  if (!exists) return [];
+  const entries = await readdir2(backupDir, { withFileTypes: true });
+  const backups = [];
+  for (const entry of entries) {
+    if (!entry.isFile() || !entry.name.endsWith(".tar.gz")) continue;
+    const fullPath = join8(backupDir, entry.name);
+    const fileStat = await stat2(fullPath);
+    let hostname;
+    let fileCount;
+    try {
+      const metaBuf = await readFileFromArchive(fullPath, METADATA_FILENAME);
+      if (metaBuf) {
+        const meta = parseMetadata(metaBuf);
+        hostname = meta.hostname;
+        fileCount = meta.summary.fileCount;
+      }
+    } catch {
+      logger.info(`Could not read metadata from: ${entry.name}`);
+    }
+    backups.push({
+      filename: entry.name,
+      path: fullPath,
+      size: fileStat.size,
+      createdAt: fileStat.mtime,
+      hostname,
+      fileCount
+    });
+  }
+  backups.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime());
+  return backups;
+}
+async function getRestorePlan(archivePath) {
+  const metaBuf = await readFileFromArchive(archivePath, METADATA_FILENAME);
+  if (!metaBuf) {
+    throw new Error(
+      `No metadata found in archive: ${archivePath}
+This may not be a valid syncpoint backup.`
+    );
+  }
+  const metadata = parseMetadata(metaBuf);
+  const actions = [];
+  for (const file of metadata.files) {
+    const absPath = resolveTargetPath(file.path);
+    const exists = await fileExists(absPath);
+    if (!exists) {
+      actions.push({
+        path: file.path,
+        action: "create",
+        backupSize: file.size,
+        reason: "File does not exist on this machine"
+      });
+      continue;
+    }
+    const currentHash = await computeFileHash(absPath);
+    const currentStat = await stat2(absPath);
+    if (currentHash === file.hash) {
+      actions.push({
+        path: file.path,
+        action: "skip",
+        currentSize: currentStat.size,
+        backupSize: file.size,
+        reason: "File is identical (same hash)"
+      });
+    } else {
+      actions.push({
+        path: file.path,
+        action: "overwrite",
+        currentSize: currentStat.size,
+        backupSize: file.size,
+        reason: "File has been modified"
+      });
+    }
+  }
+  return { metadata, actions };
+}
+async function createSafetyBackup(filePaths) {
+  const now = /* @__PURE__ */ new Date();
+  const filename = `_pre-restore_${formatDatetime(now)}.tar.gz`;
+  const backupDir = getSubDir(BACKUPS_DIR);
+  await ensureDir(backupDir);
+  const archivePath = join8(backupDir, filename);
+  const files = [];
+  for (const fp of filePaths) {
+    const absPath = resolveTargetPath(fp);
+    const exists = await fileExists(absPath);
+    if (!exists) continue;
+    const archiveName = fp.startsWith("~/") ? fp.slice(2) : fp;
+    files.push({ name: archiveName, sourcePath: absPath });
+  }
+  if (files.length === 0) {
+    logger.info("No existing files to safety-backup.");
+    return archivePath;
+  }
+  await createArchive(files, archivePath);
+  logger.info(`Safety backup created: ${archivePath}`);
+  return archivePath;
+}
+async function restoreBackup(archivePath, options = {}) {
+  const plan = await getRestorePlan(archivePath);
+  const restoredFiles = [];
+  const skippedFiles = [];
+  const overwritePaths = plan.actions.filter((a) => a.action === "overwrite").map((a) => a.path);
+  let safetyBackupPath;
+  if (overwritePaths.length > 0 && !options.dryRun) {
+    safetyBackupPath = await createSafetyBackup(overwritePaths);
+  }
+  if (options.dryRun) {
+    return {
+      restoredFiles: plan.actions.filter((a) => a.action !== "skip").map((a) => a.path),
+      skippedFiles: plan.actions.filter((a) => a.action === "skip").map((a) => a.path),
+      safetyBackupPath
+    };
+  }
+  const { mkdtemp: mkdtemp2, rm: rm2 } = await import("fs/promises");
+  const { tmpdir: tmpdir2 } = await import("os");
+  const tmpDir = await mkdtemp2(join8(tmpdir2(), "syncpoint-restore-"));
+  try {
+    await extractArchive(archivePath, tmpDir);
+    for (const action of plan.actions) {
+      if (action.action === "skip") {
+        skippedFiles.push(action.path);
+        continue;
+      }
+      const archiveName = action.path.startsWith("~/") ? action.path.slice(2) : action.path;
+      const extractedPath = join8(tmpDir, archiveName);
+      const destPath = resolveTargetPath(action.path);
+      const extractedExists = await fileExists(extractedPath);
+      if (!extractedExists) {
+        logger.warn(`File not found in archive: ${archiveName}`);
+        skippedFiles.push(action.path);
+        continue;
+      }
+      await ensureDir(dirname2(destPath));
+      try {
+        const destStat = await lstat2(destPath);
+        if (destStat.isSymbolicLink()) {
+          logger.warn(`Skipping symlink target: ${action.path}`);
+          skippedFiles.push(action.path);
+          continue;
+        }
+      } catch (err) {
+        if (err.code !== "ENOENT") throw err;
+      }
+      await copyFile(extractedPath, destPath);
+      restoredFiles.push(action.path);
+    }
+  } finally {
+    await rm2(tmpDir, { recursive: true, force: true });
+  }
+  return { restoredFiles, skippedFiles, safetyBackupPath };
+}
+
+// src/core/provision.ts
+import { exec } from "child_process";
+import { readFile as readFile4, readdir as readdir3 } from "fs/promises";
+import { join as join9 } from "path";
+import YAML2 from "yaml";
+
+// src/schemas/template.schema.ts
+var templateSchema = {
+  type: "object",
+  required: ["name", "steps"],
+  properties: {
+    name: { type: "string", minLength: 1 },
+    description: { type: "string" },
+    backup: { type: "string" },
+    sudo: { type: "boolean" },
+    steps: {
+      type: "array",
+      minItems: 1,
+      items: {
+        type: "object",
+        required: ["name", "command"],
+        properties: {
+          name: { type: "string", minLength: 1 },
+          description: { type: "string" },
+          command: { type: "string", minLength: 1 },
+          skip_if: { type: "string" },
+          continue_on_error: { type: "boolean" }
+        },
+        additionalProperties: false
+      }
+    }
+  },
+  additionalProperties: false
+};
+var validate3 = ajv.compile(templateSchema);
+function validateTemplate(data) {
+  const valid = validate3(data);
+  if (valid) return { valid: true };
+  const errors = validate3.errors?.map(
+    (e) => `${e.instancePath || "/"} ${e.message ?? "unknown error"}`
+  );
+  return { valid: false, errors };
+}
+
+// src/core/provision.ts
+var REMOTE_SCRIPT_PATTERNS = [
+  /curl\s.*\|\s*(ba)?sh/,
+  /wget\s.*\|\s*(ba)?sh/,
+  /curl\s.*\|\s*python/,
+  /wget\s.*\|\s*python/
+];
+function containsRemoteScriptPattern(command) {
+  return REMOTE_SCRIPT_PATTERNS.some((p) => p.test(command));
+}
+function sanitizeErrorOutput(output) {
+  return output.replace(/\/Users\/[^\s/]+/g, "/Users/***").replace(/\/home\/[^\s/]+/g, "/home/***").replace(/(password|token|key|secret)[=:]\s*\S+/gi, "$1=***").slice(0, 500);
+}
+async function loadTemplate(templatePath) {
+  const exists = await fileExists(templatePath);
+  if (!exists) {
+    throw new Error(`Template not found: ${templatePath}`);
+  }
+  const raw = await readFile4(templatePath, "utf-8");
+  const data = YAML2.parse(raw);
+  const result = validateTemplate(data);
+  if (!result.valid) {
+    throw new Error(
+      `Invalid template ${templatePath}:
+${(result.errors ?? []).join("\n")}`
+    );
+  }
+  return data;
+}
+async function listTemplates() {
+  const templatesDir = getSubDir(TEMPLATES_DIR);
+  const exists = await fileExists(templatesDir);
+  if (!exists) return [];
+  const entries = await readdir3(templatesDir, { withFileTypes: true });
+  const templates = [];
+  for (const entry of entries) {
+    if (!entry.isFile() || !entry.name.endsWith(".yml") && !entry.name.endsWith(".yaml")) {
+      continue;
+    }
+    const fullPath = join9(templatesDir, entry.name);
+    try {
+      const config = await loadTemplate(fullPath);
+      templates.push({
+        name: entry.name.replace(/\.ya?ml$/, ""),
+        path: fullPath,
+        config
+      });
+    } catch {
+      logger.warn(`Skipping invalid template: ${entry.name}`);
+    }
+  }
+  return templates;
+}
+function execAsync(command) {
+  return new Promise((resolve2, reject) => {
+    exec(
+      command,
+      { shell: "/bin/bash", timeout: 3e5 },
+      (error, stdout, stderr) => {
+        if (error) {
+          reject(
+            Object.assign(error, {
+              stdout: stdout?.toString() ?? "",
+              stderr: stderr?.toString() ?? ""
+            })
+          );
+        } else {
+          resolve2({
+            stdout: stdout?.toString() ?? "",
+            stderr: stderr?.toString() ?? ""
+          });
+        }
+      }
+    );
+  });
+}
+async function evaluateSkipIf(command, stepName) {
+  if (containsRemoteScriptPattern(command)) {
+    throw new Error(`Blocked dangerous remote script pattern in skip_if: ${stepName}`);
+  }
+  try {
+    await execAsync(command);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function executeStep(step) {
+  const startTime = Date.now();
+  if (containsRemoteScriptPattern(step.command)) {
+    throw new Error(`Blocked dangerous remote script pattern in command: ${step.name}`);
+  }
+  if (step.skip_if) {
+    const shouldSkip = await evaluateSkipIf(step.skip_if, step.name);
+    if (shouldSkip) {
+      return {
+        name: step.name,
+        status: "skipped",
+        duration: Date.now() - startTime
+      };
+    }
+  }
+  try {
+    const { stdout, stderr } = await execAsync(step.command);
+    const output = [stdout, stderr].filter(Boolean).join("\n").trim();
+    return {
+      name: step.name,
+      status: "success",
+      duration: Date.now() - startTime,
+      output: output || void 0
+    };
+  } catch (err) {
+    const error = err;
+    const errorOutput = [error.stdout, error.stderr, error.message].filter(Boolean).join("\n").trim();
+    return {
+      name: step.name,
+      status: "failed",
+      duration: Date.now() - startTime,
+      error: sanitizeErrorOutput(errorOutput)
+    };
+  }
+}
+async function* runProvision(templatePath, options = {}) {
+  const template = await loadTemplate(templatePath);
+  for (const step of template.steps) {
+    if (options.dryRun) {
+      let status = "pending";
+      if (step.skip_if) {
+        const shouldSkip = await evaluateSkipIf(step.skip_if, step.name);
+        if (shouldSkip) status = "skipped";
+      }
+      yield {
+        name: step.name,
+        status
+      };
+      continue;
+    }
+    yield {
+      name: step.name,
+      status: "running"
+    };
+    const result = await executeStep(step);
+    yield result;
+    if (result.status === "failed" && !step.continue_on_error) {
+      logger.error(
+        `Step "${step.name}" failed. Stopping provisioning.`
+      );
+      return;
+    }
+  }
+}
+export {
+  createBackup,
+  getBackupList,
+  getRestorePlan,
+  initDefaultConfig,
+  listTemplates,
+  loadConfig,
+  loadTemplate,
+  restoreBackup,
+  runProvision,
+  saveConfig,
+  scanTargets
+};