@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/core/backup/browser-server.js

@@ -0,0 +1,241 @@
+import { existsSync, mkdirSync, statfsSync, readdirSync, statSync, rmSync, appendFileSync, } from 'node:fs';
+import { createServer } from 'node:http';
+import { loadOperator } from '../operator.js';
+import { handle } from './browser-api.js';
+import { listConfiguredApps } from './config.js';
+import { listSnapshots, lsTree, dumpFileSpawn, restore } from './repo.js';
+import { classify } from './sensitive.js';
+import { buildStatusReport } from './status.js';
+const MAX_INFLIGHT = 4;
+let inFlight = 0;
+const AUDIT_LOG = '/var/log/fleet-backup/audit.log';
+/** appends a structured audit line to journald (via stdout) and a log file. */
+function audit(action, detail) {
+    const line = JSON.stringify({ ts: new Date().toISOString(), action, ...detail });
+    // stdout is captured by journald when run as a systemd unit
+    process.stdout.write(`[audit] ${line}\n`);
+    try {
+        appendFileSync(AUDIT_LOG, line + '\n');
+    }
+    catch {
+        /* best effort — never fail a request because the audit file is unwritable */
+    }
+}
+/** recursive byte size of a directory tree. */
+function dirSize(dir) {
+    let total = 0;
+    for (const name of readdirSync(dir)) {
+        const full = `${dir}/${name}`;
+        const st = statSync(full);
+        total += st.isDirectory() ? dirSize(full) : st.size;
+    }
+    return total;
+}
+function humanAge(mtimeMs) {
+    const h = Math.floor((Date.now() - mtimeMs) / 3600_000);
+    return h < 24 ? `${h}h` : `${Math.floor(h / 24)}d`;
+}
+const STAGING_ROOT_DEFAULT = '/var/restore';
+function parseCookies(header) {
+    const out = {};
+    for (const part of (header ?? '').split(';')) {
+        const i = part.indexOf('=');
+        if (i > 0)
+            out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
+    }
+    return out;
+}
+const MAX_BODY_BYTES = 1_000_000;
+function readBody(req) {
+    return new Promise(resolve => {
+        const chunks = [];
+        let size = 0;
+        let aborted = false;
+        req.on('data', c => {
+            if (aborted)
+                return;
+            size += c.length;
+            if (size > MAX_BODY_BYTES) {
+                // cut the slow-loris off at the wire — keeping `req.on('data')`
+                // running for gigabytes just to drop chunks past the cap pins
+                // the handler open and gives the attacker a free socket.
+                aborted = true;
+                req.destroy();
+                resolve(undefined);
+                return;
+            }
+            chunks.push(c);
+        });
+        req.on('end', () => {
+            if (aborted)
+                return;
+            if (chunks.length === 0) {
+                resolve(undefined);
+                return;
+            }
+            try {
+                resolve(JSON.parse(Buffer.concat(chunks).toString('utf-8')));
+            }
+            catch {
+                resolve(undefined);
+            }
+        });
+        req.on('error', () => { if (!aborted)
+            resolve(undefined); });
+    });
+}
+/** restores a single path into a fresh timestamped staging dir. */
+function doRestore(app, snap, path, stagingRoot) {
+    const ts = new Date().toISOString().replace(/[:.]/g, '').slice(0, 15);
+    const target = `${stagingRoot}/${app}-${snap.slice(0, 8)}-${ts}`;
+    // pre-flight: refuse if the filesystem is nearly full
+    const fs = statfsSync(stagingRoot);
+    if (fs.bavail * fs.bsize < 64 * 1024 * 1024) {
+        const e = new Error('insufficient staging space');
+        e.code = 507;
+        throw e;
+    }
+    mkdirSync(target, { recursive: true, mode: 0o700 });
+    const started = Date.now();
+    restore(app, { snapshotId: snap, target, include: [path] });
+    return { target, fileCount: 1, bytes: 0, durationMs: Date.now() - started };
+}
+function buildContext(opts) {
+    const stagingRoot = opts.stagingRoot ?? STAGING_ROOT_DEFAULT;
+    return {
+        now: () => Date.now(),
+        totpSecret: opts.totpSecret,
+        sessionSecret: opts.sessionSecret,
+        sessionTtlMs: opts.sessionTtlMs ?? 12 * 3600_000,
+        domain: loadOperator().domain,
+        listApps: () => listConfiguredApps(),
+        statusReport: () => buildStatusReport(),
+        snapshots: app => listSnapshots(app),
+        lsTree: (app, snap, path) => lsTree(app, snap, path),
+        fileMeta: (app, snap, path) => {
+            // size comes from the parent dir listing; sensitivity from the classifier.
+            const parent = path.slice(0, path.lastIndexOf('/')) || '/';
+            const entry = lsTree(app, snap, parent).find(e => e.path === path);
+            if (!entry)
+                return null;
+            return { size: entry.size, sensitive: classify(path) === 'sensitive' };
+        },
+        restore: (app, snap, path) => doRestore(app, snap, path, stagingRoot),
+        listStaging: () => {
+            if (!existsSync(stagingRoot))
+                return [];
+            return readdirSync(stagingRoot)
+                .map(name => `${stagingRoot}/${name}`)
+                .filter(p => statSync(p).isDirectory())
+                .map(p => ({ path: p, bytes: dirSize(p), age: humanAge(statSync(p).mtimeMs) }));
+        },
+        deleteStaging: (path) => {
+            if (!path.startsWith(stagingRoot + '/')) {
+                throw new Error('refusing to delete outside the staging root');
+            }
+            rmSync(path, { recursive: true, force: true });
+        },
+    };
+}
+function sendResponse(httpRes, apiRes) {
+    if (apiRes.kind === 'json') {
+        const headers = { 'Content-Type': 'application/json' };
+        if (apiRes.setCookie)
+            headers['Set-Cookie'] = apiRes.setCookie;
+        httpRes.writeHead(apiRes.status, headers);
+        httpRes.end(JSON.stringify(apiRes.body));
+        return;
+    }
+    if (apiRes.kind === 'html') {
+        httpRes.writeHead(apiRes.status, { 'Content-Type': 'text/html; charset=utf-8' });
+        httpRes.end(apiRes.body);
+        return;
+    }
+    if (apiRes.kind === 'redirect') {
+        httpRes.writeHead(apiRes.status, { Location: apiRes.location });
+        httpRes.end();
+        return;
+    }
+    // stream: pipe `restic dump` straight to the response
+    const child = dumpFileSpawn(apiRes.app, apiRes.snap, apiRes.path);
+    // strip CR / LF / NUL / other control chars in addition to quotes —
+    // filenames live inside restic-tracked content, so the operator can
+    // restore a path whose basename contains \r\n and inject arbitrary
+    // response headers if we only quote-strip.
+    // eslint-disable-next-line no-control-regex
+    const safeFilename = apiRes.filename.replace(/[\r\n\x00-\x1F"\\]/g, '');
+    httpRes.writeHead(apiRes.status, {
+        'Content-Type': apiRes.contentType,
+        'Content-Disposition': `${apiRes.disposition}; filename="${safeFilename}"`,
+    });
+    child.stdout.pipe(httpRes);
+    child.stderr.on('data', () => { });
+    child.on('error', () => { if (!httpRes.headersSent)
+        httpRes.writeHead(500); httpRes.end(); });
+    child.on('close', code => { if (code !== 0)
+        httpRes.end(); });
+}
+/** starts the explorer http service, resolving once it is bound. the socket
+ *  is localhost-only (nginx fronts it). */
+export function startServer(opts) {
+    const ctx = buildContext(opts);
+    const stagingRoot = opts.stagingRoot ?? STAGING_ROOT_DEFAULT;
+    if (!existsSync(stagingRoot))
+        mkdirSync(stagingRoot, { recursive: true, mode: 0o700 });
+    const server = createServer(async (httpReq, httpRes) => {
+        try {
+            const url = new URL(httpReq.url ?? '/', 'http://localhost');
+            // soft concurrency cap on the heavy routes (streaming a file, running a
+            // restore) — refuse rather than fork unbounded restic processes.
+            const heavy = url.pathname === '/api/file' || url.pathname === '/api/restore';
+            if (heavy) {
+                if (inFlight >= MAX_INFLIGHT) {
+                    httpRes.writeHead(429, { 'Content-Type': 'application/json' });
+                    httpRes.end(JSON.stringify({ error: 'too many concurrent operations' }));
+                    return;
+                }
+                inFlight++;
+                httpRes.on('close', () => { inFlight--; });
+            }
+            const query = {};
+            url.searchParams.forEach((v, k) => { query[k] = v; });
+            const headers = {};
+            for (const [k, v] of Object.entries(httpReq.headers)) {
+                if (typeof v === 'string')
+                    headers[k.toLowerCase()] = v;
+            }
+            const apiReq = {
+                method: httpReq.method ?? 'GET',
+                path: url.pathname,
+                query,
+                headers,
+                cookies: parseCookies(httpReq.headers['cookie']),
+                body: httpReq.method === 'POST' ? await readBody(httpReq) : undefined,
+            };
+            const apiRes = handle(apiReq, ctx);
+            // audit the security-relevant actions (view/download, restore, delete).
+            if (apiRes.status < 400) {
+                if (url.pathname === '/api/file') {
+                    audit('view', { app: query.app, snap: query.snap, path: query.path, dl: query.dl === '1' });
+                }
+                else if (url.pathname === '/api/restore') {
+                    const b = (apiReq.body ?? {});
+                    audit('restore', { app: b.app, snap: b.snap, path: b.path });
+                }
+                else if (url.pathname === '/api/staging' && apiReq.method === 'DELETE') {
+                    audit('staging-delete', { path: query.path });
+                }
+            }
+            sendResponse(httpRes, apiRes);
+        }
+        catch (e) {
+            if (!httpRes.headersSent)
+                httpRes.writeHead(500, { 'Content-Type': 'application/json' });
+            httpRes.end(JSON.stringify({ error: e.message }));
+        }
+    });
+    return new Promise((resolve, reject) => {
+        server.once('error', reject);
+        server.listen(opts.port, '127.0.0.1', () => resolve(server));
+    });
+}

package/dist/core/backup/browser-ui.d.ts

@@ -0,0 +1,5 @@
+/** server-rendered html for the backup explorer. self-contained — inline
+ *  css + vanilla js, no build step, no external assets. all routes are
+ *  served under the /backups/ prefix by nginx. */
+export declare function renderLoginPage(): string;
+export declare function renderExplorerPage(): string;

package/dist/core/backup/browser-ui.js

@@ -0,0 +1,268 @@
+/** server-rendered html for the backup explorer. self-contained — inline
+ *  css + vanilla js, no build step, no external assets. all routes are
+ *  served under the /backups/ prefix by nginx. */
+const SHARED_CSS = `
+  :root { color-scheme: dark; }
+  * { box-sizing: border-box; }
+  body { margin: 0; padding: 2rem; background: #0d1117; color: #c9d1d9;
+    font: 14px/1.5 ui-monospace, SFMono-Regular, Menlo, monospace; }
+  a { color: #58a6ff; text-decoration: none; }
+  h1 { font-size: 1.1rem; margin: 0 0 1rem; color: #e6edf3; }
+  button, select, input {
+    font: inherit; background: #161b22; color: #c9d1d9;
+    border: 1px solid #30363d; border-radius: 6px; padding: 0.35rem 0.6rem; }
+  button { cursor: pointer; }
+  button:hover { border-color: #58a6ff; }
+  .err { background: #3d1418; border: 1px solid #f85149; color: #ffa198;
+    padding: 0.5rem 0.8rem; border-radius: 6px; margin: 0.75rem 0; }
+`;
+export function renderLoginPage() {
+    return `<!doctype html>
+<html lang="en"><head>
+<meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">
+<title>fleet backups — login</title>
+<style>${SHARED_CSS}
+  .box { max-width: 320px; margin: 12vh auto; }
+  #code { width: 100%; text-align: center; letter-spacing: 0.3em; font-size: 1.4rem; margin: 0.75rem 0; }
+</style></head><body>
+  <div class="box">
+    <h1>fleet backups</h1>
+    <p>enter your authenticator code</p>
+    <input id="code" inputmode="numeric" maxlength="6" autocomplete="one-time-code" autofocus>
+    <button id="go" style="width:100%">unlock</button>
+    <div id="err" class="err" style="display:none"></div>
+  </div>
+<script>
+  const code = document.getElementById('code');
+  const err = document.getElementById('err');
+  async function submit() {
+    err.style.display = 'none';
+    const res = await fetch('/backups/api/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Fleet-Backup': '1' },
+      body: JSON.stringify({ code: code.value.trim() }),
+    });
+    if (res.ok) { location.href = '/backups/'; return; }
+    err.textContent = 'invalid code';
+    err.style.display = 'block';
+    code.value = '';
+    code.focus();
+  }
+  document.getElementById('go').onclick = submit;
+  code.addEventListener('keydown', e => { if (e.key === 'Enter') submit(); });
+</script>
+</body></html>`;
+}
+export function renderExplorerPage() {
+    return `<!doctype html>
+<html lang="en"><head>
+<meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">
+<title>fleet backups — explorer</title>
+<style>${SHARED_CSS}
+  .bar { display: flex; gap: 0.5rem; align-items: center; flex-wrap: wrap; margin-bottom: 1rem; }
+  .crumbs { margin: 0.5rem 0; color: #8b949e; }
+  .crumbs a { margin: 0 0.15rem; }
+  table { border-collapse: collapse; width: 100%; max-width: 960px; }
+  th, td { text-align: left; padding: 0.4rem 0.7rem; border-bottom: 1px solid #21262d; }
+  th { color: #8b949e; font-size: 0.78rem; text-transform: uppercase; }
+  td.num { text-align: right; font-variant-numeric: tabular-nums; }
+  tr.locked td.name { color: #6e7681; }
+  .lock { color: #d29922; }
+  .acts button { padding: 0.15rem 0.45rem; font-size: 0.8rem; }
+  #staging { margin-top: 1.5rem; max-width: 960px; }
+  #staging summary { cursor: pointer; color: #8b949e; }
+  #viewer { margin-top: 1rem; max-width: 960px; }
+  #viewer pre { background: #161b22; border: 1px solid #30363d; padding: 0.8rem;
+    border-radius: 6px; overflow: auto; max-height: 60vh; }
+  .spin { color: #8b949e; }
+</style></head><body>
+  <h1>fleet backups — explorer</h1>
+  <div class="bar">
+    <select id="app"></select>
+    <select id="snap"></select>
+  </div>
+  <div id="crumbs" class="crumbs"></div>
+  <div id="err" class="err" style="display:none"></div>
+  <div id="tree"><span class="spin">loading…</span></div>
+  <div id="viewer"></div>
+  <details id="staging"><summary>staging restores</summary><div id="stagingBody"></div></details>
+<script>
+  const API = '/backups/api/';
+  const H = { 'X-Fleet-Backup': '1' };
+  const $ = id => document.getElementById(id);
+  const err = msg => { const e = $('err'); e.textContent = msg; e.style.display = 'block'; };
+  const clearErr = () => { $('err').style.display = 'none'; };
+  let state = { app: '', snap: '', path: '/' };
+
+  async function api(path, opts) {
+    const res = await fetch(API + path, { headers: H, ...opts });
+    if (res.status === 401) { location.href = '/backups/login'; throw new Error('auth'); }
+    return res;
+  }
+  const fmtSize = n => n < 1024 ? n + ' B'
+    : n < 1048576 ? (n/1024).toFixed(1) + ' KB'
+    : n < 1073741824 ? (n/1048576).toFixed(1) + ' MB'
+    : (n/1073741824).toFixed(2) + ' GB';
+
+  async function loadApps() {
+    const r = await api('apps');
+    const data = await r.json();
+    const sel = $('app');
+    sel.innerHTML = '';
+    for (const a of data.apps) {
+      const o = document.createElement('option');
+      o.value = a.app; o.textContent = a.app;
+      sel.appendChild(o);
+    }
+    const qp = new URLSearchParams(location.search).get('app');
+    if (qp) sel.value = qp;
+    state.app = sel.value;
+    await loadSnapshots();
+  }
+
+  async function loadSnapshots() {
+    const r = await api('snapshots?app=' + encodeURIComponent(state.app));
+    const data = await r.json();
+    const sel = $('snap');
+    sel.innerHTML = '';
+    for (const s of data.snapshots) {
+      const o = document.createElement('option');
+      o.value = s.shortId;
+      o.textContent = s.shortId + '  ' + (s.time || '').slice(0, 19) + '  ' + (s.tags || []).join(',');
+      sel.appendChild(o);
+    }
+    state.snap = sel.value || '';
+    state.path = '/';
+    await loadTree();
+  }
+
+  function renderCrumbs() {
+    const c = $('crumbs');
+    c.innerHTML = '';
+    const parts = state.path.split('/').filter(Boolean);
+    const root = document.createElement('a');
+    root.textContent = '/'; root.href = '#';
+    root.onclick = e => { e.preventDefault(); state.path = '/'; loadTree(); };
+    c.appendChild(root);
+    let acc = '';
+    for (const p of parts) {
+      acc += '/' + p;
+      const seg = acc;
+      const a = document.createElement('a');
+      a.textContent = p; a.href = '#';
+      a.onclick = e => { e.preventDefault(); state.path = seg; loadTree(); };
+      c.appendChild(document.createTextNode(' / '));
+      c.appendChild(a);
+    }
+  }
+
+  async function loadTree() {
+    clearErr();
+    $('viewer').innerHTML = '';
+    $('tree').innerHTML = '<span class="spin">loading…</span>';
+    renderCrumbs();
+    let data;
+    try {
+      const r = await api('ls?app=' + encodeURIComponent(state.app)
+        + '&snap=' + encodeURIComponent(state.snap)
+        + '&path=' + encodeURIComponent(state.path));
+      if (!r.ok) { err((await r.json()).error || 'ls failed'); $('tree').innerHTML=''; return; }
+      data = await r.json();
+    } catch (e) { return; }
+    const rows = data.entries.map(e => {
+      const lock = e.sensitive ? '<span class="lock" title="locked — restore only">&#128274;</span> ' : '';
+      const nameCell = e.type === 'dir'
+        ? '<a href="#" data-dir="' + encodeURIComponent(e.path) + '">' + lock + e.name + '/</a>'
+        : (e.sensitive ? lock + e.name
+            : '<a href="#" data-file="' + encodeURIComponent(e.path) + '">' + lock + e.name + '</a>');
+      return '<tr class="' + (e.sensitive ? 'locked' : '') + '">'
+        + '<td class="name">' + nameCell + '</td>'
+        + '<td>' + e.type + '</td>'
+        + '<td class="num">' + (e.type === 'file' ? fmtSize(e.size) : '') + '</td>'
+        + '<td>' + (e.mtime || '').slice(0, 19) + '</td>'
+        + '<td class="acts">'
+        + (e.type === 'file' && !e.sensitive
+            ? '<button data-dl="' + encodeURIComponent(e.path) + '">download</button> ' : '')
+        + '<button data-restore="' + encodeURIComponent(e.path) + '">restore</button>'
+        + '</td></tr>';
+    }).join('');
+    $('tree').innerHTML = '<table><thead><tr><th>name</th><th>type</th>'
+      + '<th class="num">size</th><th>modified</th><th>actions</th></tr></thead><tbody>'
+      + rows + '</tbody></table>';
+    bindRows();
+  }
+
+  function bindRows() {
+    document.querySelectorAll('[data-dir]').forEach(a => a.onclick = e => {
+      e.preventDefault();
+      state.path = decodeURIComponent(a.dataset.dir);
+      loadTree();
+    });
+    document.querySelectorAll('[data-file]').forEach(a => a.onclick = e => {
+      e.preventDefault();
+      viewFile(decodeURIComponent(a.dataset.file));
+    });
+    document.querySelectorAll('[data-dl]').forEach(b => b.onclick = () => {
+      const p = decodeURIComponent(b.dataset.dl);
+      location.href = API + 'file?app=' + encodeURIComponent(state.app)
+        + '&snap=' + encodeURIComponent(state.snap)
+        + '&path=' + encodeURIComponent(p) + '&dl=1';
+    });
+    document.querySelectorAll('[data-restore]').forEach(b => b.onclick = () =>
+      doRestore(decodeURIComponent(b.dataset.restore)));
+  }
+
+  async function viewFile(path) {
+    const url = API + 'file?app=' + encodeURIComponent(state.app)
+      + '&snap=' + encodeURIComponent(state.snap)
+      + '&path=' + encodeURIComponent(path);
+    const r = await api(url.replace(API, ''));
+    if (!r.ok) { err((await r.json()).error || 'view failed'); return; }
+    const ct = r.headers.get('Content-Type') || '';
+    const v = $('viewer');
+    if (ct.startsWith('image/')) {
+      v.innerHTML = '<img src="' + url + '" style="max-width:100%">';
+    } else if (ct.startsWith('text/') || ct.startsWith('application/json')) {
+      const txt = await r.text();
+      v.innerHTML = '<pre></pre>';
+      v.querySelector('pre').textContent = txt;
+    } else {
+      v.innerHTML = '<embed src="' + url + '" style="width:100%;height:60vh">';
+    }
+  }
+
+  async function doRestore(path) {
+    if (!confirm('Restore to a staging dir?\\n\\nsnapshot: ' + state.snap + '\\npath: ' + path)) return;
+    clearErr();
+    const r = await api('restore', {
+      method: 'POST',
+      headers: { ...H, 'Content-Type': 'application/json' },
+      body: JSON.stringify({ app: state.app, snap: state.snap, path }),
+    });
+    const data = await r.json();
+    if (!r.ok) { err(data.error || 'restore failed'); return; }
+    alert('restored ' + data.fileCount + ' file(s) to:\\n' + data.target);
+    loadStaging();
+  }
+
+  async function loadStaging() {
+    const r = await api('staging');
+    const data = await r.json();
+    const body = $('stagingBody');
+    const dirs = data.staging || [];
+    body.innerHTML = dirs.length
+      ? dirs.map(d => '<div>' + d.path + ' — ' + fmtSize(d.bytes) + ' — ' + d.age
+          + ' <button data-del="' + encodeURIComponent(d.path) + '">delete</button></div>').join('')
+      : '<div class="spin">none</div>';
+    body.querySelectorAll('[data-del]').forEach(b => b.onclick = async () => {
+      await api('staging?path=' + encodeURIComponent(decodeURIComponent(b.dataset.del)), { method: 'DELETE' });
+      loadStaging();
+    });
+  }
+
+  $('app').onchange = () => { state.app = $('app').value; loadSnapshots(); };
+  $('snap').onchange = () => { state.snap = $('snap').value; state.path = '/'; loadTree(); };
+  loadApps().then(loadStaging).catch(() => {});
+</script>
+</body></html>`;
+}

package/dist/core/backup/cloudflare.d.ts

@@ -0,0 +1,7 @@
+import { FleetError } from '../errors.js';
+export declare class CloudflareError extends FleetError {
+}
+/** export every zone's DNS records + page rules. returns a json blob suitable
+ * for restic stdin. used by the `system` backup so we can rebuild dns from
+ * a single file even if cloudflare account access is lost. */
+export declare function exportAllZones(): string;

package/dist/core/backup/cloudflare.js

@@ -0,0 +1,82 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { requireEnv } from '../env.js';
+import { FleetError } from '../errors.js';
+import { execSafe } from '../exec.js';
+/** path to the cloudflare credentials ini. */
+function cfCredIni() { return requireEnv('FLEET_CF_CRED'); }
+export class CloudflareError extends FleetError {
+}
+function loadCreds() {
+    const credPath = cfCredIni();
+    if (!existsSync(credPath))
+        return {};
+    const lines = readFileSync(credPath, 'utf-8').split('\n');
+    const out = {};
+    for (const line of lines) {
+        const t = line.trim();
+        if (!t || t.startsWith('#') || t.startsWith('['))
+            continue;
+        const eq = t.indexOf('=');
+        if (eq < 1)
+            continue;
+        const k = t.slice(0, eq).trim().toLowerCase().replace(/[_-]/g, '');
+        const v = t.slice(eq + 1).trim();
+        if (k === 'dnscloudflareapitoken' || k === 'cfapitoken' || k === 'apitoken') {
+            out.apiToken = v;
+        }
+        else if (k === 'dnscloudflareemail' || k === 'email') {
+            out.email = v;
+        }
+        else if (k === 'dnscloudflareapikey' || k === 'apikey') {
+            out.apiKey = v;
+        }
+    }
+    return out;
+}
+function cfCurl(path, creds) {
+    const headers = [];
+    if (creds.apiToken) {
+        headers.push('-H', `Authorization: Bearer ${creds.apiToken}`);
+    }
+    else if (creds.email && creds.apiKey) {
+        headers.push('-H', `X-Auth-Email: ${creds.email}`);
+        headers.push('-H', `X-Auth-Key: ${creds.apiKey}`);
+    }
+    else {
+        return { ok: false, stdout: '', stderr: 'no cloudflare credentials found' };
+    }
+    const r = execSafe('curl', [
+        '-sS', '-m', '30',
+        ...headers,
+        `https://api.cloudflare.com/client/v4${path}`,
+    ], { timeout: 35_000 });
+    return r;
+}
+/** export every zone's DNS records + page rules. returns a json blob suitable
+ * for restic stdin. used by the `system` backup so we can rebuild dns from
+ * a single file even if cloudflare account access is lost. */
+export function exportAllZones() {
+    const creds = loadCreds();
+    if (!creds.apiToken && !(creds.email && creds.apiKey)) {
+        throw new CloudflareError(`no cloudflare credentials at ${cfCredIni()}`);
+    }
+    const zonesResp = cfCurl('/zones?per_page=200', creds);
+    if (!zonesResp.ok)
+        throw new CloudflareError(`zone list failed: ${zonesResp.stderr}`);
+    const zones = JSON.parse(zonesResp.stdout).result;
+    const out = { exportedAt: new Date().toISOString(), zones: [] };
+    const zonesOut = out.zones;
+    for (const z of zones) {
+        const dns = cfCurl(`/zones/${z.id}/dns_records?per_page=1000`, creds);
+        const pageRules = cfCurl(`/zones/${z.id}/pagerules?per_page=200`, creds);
+        const settings = cfCurl(`/zones/${z.id}/settings`, creds);
+        zonesOut.push({
+            id: z.id,
+            name: z.name,
+            dnsRecords: dns.ok ? JSON.parse(dns.stdout).result : { error: dns.stderr },
+            pageRules: pageRules.ok ? JSON.parse(pageRules.stdout).result : { error: pageRules.stderr },
+            settings: settings.ok ? JSON.parse(settings.stdout).result : { error: settings.stderr },
+        });
+    }
+    return JSON.stringify(out, null, 2);
+}

package/dist/core/backup/config.d.ts

@@ -0,0 +1,9 @@
+import { AppBackupConfig, Retention } from './types.js';
+export declare function backupConfigDir(): string;
+export declare function backupVaultDir(): string;
+export declare const DEFAULT_RETENTION: Retention;
+export declare const DEFAULT_EXCLUDES: string[];
+export declare function loadConfig(app: string): AppBackupConfig | null;
+export declare function saveConfig(cfg: AppBackupConfig): void;
+export declare function listConfiguredApps(): string[];
+export declare function validateAppName(app: string): void;