@openparachute/vault 0.1.0 → 0.2.1

package/src/auth.test.ts

@@ -0,0 +1,319 @@
+/**
+ * Auth invariants — routing coherence between unscoped and scoped paths.
+ *
+ * See Fix 2 in the OAuth-to-Daily launch work: a vault token minted by one
+ * path (unscoped `/oauth/token` or scoped `/vaults/X/oauth/token`) must
+ * authenticate identically at every endpoint that addresses the same vault,
+ * regardless of whether the URL uses `/api/*` (default-vault shortcut) or
+ * `/vaults/X/api/*` (explicit). Same for `/mcp` vs `/vaults/X/mcp`.
+ *
+ * These tests isolate `PARACHUTE_HOME` so they don't touch the user's real
+ * config. Each test builds 1-2 vaults from scratch.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { mkdirSync, rmSync, existsSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import {
+  writeVaultConfig,
+  writeGlobalConfig,
+  readVaultConfig,
+  readGlobalConfig,
+  generateApiKey,
+  hashKey,
+} from "./config.ts";
+import { getVaultStore, clearVaultStoreCache } from "./vault-store.ts";
+import { generateToken, createToken } from "./token-store.ts";
+import { authenticateVaultRequest, authenticateGlobalRequest } from "./auth.ts";
+import { handleRegister, handleAuthorizePost, handleToken } from "./oauth.ts";
+import crypto from "node:crypto";
+
+let tmpHome: string;
+let prevHome: string | undefined;
+
+beforeEach(() => {
+  tmpHome = join(tmpdir(), `vault-auth-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+  mkdirSync(join(tmpHome, "vaults"), { recursive: true });
+  prevHome = process.env.PARACHUTE_HOME;
+  process.env.PARACHUTE_HOME = tmpHome;
+  clearVaultStoreCache();
+});
+
+afterEach(() => {
+  clearVaultStoreCache();
+  if (prevHome === undefined) delete process.env.PARACHUTE_HOME;
+  else process.env.PARACHUTE_HOME = prevHome;
+  if (existsSync(tmpHome)) rmSync(tmpHome, { recursive: true, force: true });
+});
+
+function seedVault(name: string, opts: { isDefault?: boolean } = {}): void {
+  const { fullKey, keyId } = generateApiKey();
+  writeVaultConfig({
+    name,
+    api_keys: [
+      {
+        id: keyId,
+        label: "bootstrap",
+        scope: "write",
+        key_hash: hashKey(fullKey),
+        created_at: new Date().toISOString(),
+      },
+    ],
+    created_at: new Date().toISOString(),
+  });
+  if (opts.isDefault) {
+    const gc = readGlobalConfig();
+    gc.default_vault = name;
+    writeGlobalConfig(gc);
+  }
+}
+
+/** Mint a fresh OAuth-style token directly into the named vault's DB. */
+function mintTokenInVault(vaultName: string): string {
+  const store = getVaultStore(vaultName);
+  const { fullToken } = generateToken();
+  createToken(store.db, fullToken, { label: "test", permission: "full" });
+  return fullToken;
+}
+
+function bearer(token: string): Request {
+  return new Request("https://vault.test/x", {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+}
+
+describe("auth — default-vault routing coherence", () => {
+  test("token minted in default vault authenticates at both unscoped and scoped paths", () => {
+    seedVault("default", { isDefault: true });
+    const token = mintTokenInVault("default");
+    const defaultConfig = readVaultConfig("default")!;
+    const defaultStore = getVaultStore("default");
+
+    // Unscoped `/api/*` flow: server resolves default vault, calls
+    // authenticateVaultRequest with default's config + DB. Token must resolve.
+    const unscoped = authenticateVaultRequest(bearer(token), defaultConfig, defaultStore.db);
+    expect("error" in unscoped).toBe(false);
+    if (!("error" in unscoped)) expect(unscoped.permission).toBe("full");
+
+    // Scoped `/vaults/default/api/*` flow: same defaultConfig + DB. Must also
+    // resolve — this is the invariant Aaron's complaint hinges on.
+    const scoped = authenticateVaultRequest(bearer(token), defaultConfig, defaultStore.db);
+    expect("error" in scoped).toBe(false);
+
+    // Unified `/mcp` flow: authenticateGlobalRequest scans every vault's DB.
+    // Since the token is in default's DB, this must also resolve.
+    const global = authenticateGlobalRequest(bearer(token));
+    expect("error" in global).toBe(false);
+  });
+
+  // HTTP-level routing stand-in. Mirrors server.ts's vault-resolution step:
+  // unscoped `/api/*` resolves to the default vault; scoped `/vaults/X/api/*`
+  // extracts the name from the URL. After resolution both paths funnel into
+  // `authenticateVaultRequest` with that vault's config + DB. The earlier
+  // version of this test called `authenticateVaultRequest` twice with the same
+  // args and labelled the calls "scoped"/"unscoped" — tautological, because
+  // routing was never exercised. This variant drives the resolver from the
+  // URL, so the routing step is the thing under test.
+  function dispatchAuthFromPath(path: string, req: Request): {
+    status: number;
+    permission?: string;
+  } {
+    let vaultName: string;
+    if (path.startsWith("/vaults/")) {
+      vaultName = path.split("/")[2];
+    } else if (path.startsWith("/api/")) {
+      const gc = readGlobalConfig();
+      vaultName = gc.default_vault ?? "default";
+    } else {
+      return { status: 404 };
+    }
+    const vaultConfig = readVaultConfig(vaultName);
+    if (!vaultConfig) return { status: 404 };
+    const store = getVaultStore(vaultName);
+    const res = authenticateVaultRequest(req, vaultConfig, store.db);
+    if ("error" in res) return { status: res.error.status };
+    return { status: 200, permission: res.permission };
+  }
+
+  test("routing coherence: unscoped and scoped /api/health accept a default-vault token identically", () => {
+    seedVault("default", { isDefault: true });
+    const token = mintTokenInVault("default");
+
+    // (a) unscoped /api/health with default-vault token
+    const unscoped = dispatchAuthFromPath("/api/health", bearer(token));
+    expect(unscoped.status).toBe(200);
+
+    // (b) scoped /vaults/default/api/health with the same token
+    const scoped = dispatchAuthFromPath("/vaults/default/api/health", bearer(token));
+    expect(scoped.status).toBe(200);
+
+    // Both paths resolve the same vault → same permission level comes back.
+    expect(unscoped.permission).toBe(scoped.permission);
+  });
+
+  test("routing coherence: scoped /vaults/X/api/health rejects a token issued for vault Y", () => {
+    // The privilege-escalation barrier: a valid token for vault A must not
+    // authenticate at vault B's scoped endpoint, even though the URL is
+    // well-formed and the token itself is valid for *some* vault.
+    seedVault("default", { isDefault: true });
+    seedVault("work");
+    const workToken = mintTokenInVault("work");
+
+    const crossVault = dispatchAuthFromPath("/vaults/default/api/health", bearer(workToken));
+    expect(crossVault.status).toBe(401);
+  });
+});
+
+describe("auth — named-vault routing coherence", () => {
+  test("token minted in a non-default vault authenticates via scoped and global paths", () => {
+    seedVault("default", { isDefault: true });
+    seedVault("work");
+    const workToken = mintTokenInVault("work");
+    const workConfig = readVaultConfig("work")!;
+    const workStore = getVaultStore("work");
+
+    // Scoped `/vaults/work/api/*` — must resolve against work's DB.
+    const scoped = authenticateVaultRequest(bearer(workToken), workConfig, workStore.db);
+    expect("error" in scoped).toBe(false);
+
+    // Unified `/mcp` — global auth scans all vaults, must find it.
+    const global = authenticateGlobalRequest(bearer(workToken));
+    expect("error" in global).toBe(false);
+  });
+
+  test("a work-vault token does NOT authenticate against the default vault's /api/*", () => {
+    // This is the correct isolation behavior: a token scoped to vault X has no
+    // business being accepted at endpoints that address vault Y. If this ever
+    // regressed, we'd have a privilege-escalation bug (read a different vault
+    // by just sending a valid token at the wrong URL).
+    seedVault("default", { isDefault: true });
+    seedVault("work");
+    const workToken = mintTokenInVault("work");
+    const defaultConfig = readVaultConfig("default")!;
+    const defaultStore = getVaultStore("default");
+
+    const res = authenticateVaultRequest(bearer(workToken), defaultConfig, defaultStore.db);
+    expect("error" in res).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// End-to-end: OAuth flow → resulting token authenticates at expected paths
+// ---------------------------------------------------------------------------
+
+describe("OAuth-minted tokens — cross-endpoint coherence", () => {
+  // These tests drive the OAuth handlers directly (no HTTP), then take the
+  // resulting access_token and verify it resolves at every endpoint that
+  // addresses its issuing vault. This is the key coherence invariant for
+  // Aaron's launch complaint.
+
+  async function runOAuthFlow(vaultName: string): Promise<string> {
+    const store = getVaultStore(vaultName);
+    const db = store.db;
+
+    // Seed an owner token so consent passes in legacy-token mode.
+    const { fullToken: ownerToken } = generateToken();
+    createToken(db, ownerToken, { label: "owner", permission: "full" });
+
+    // 1. Register client
+    const regRes = await handleRegister(
+      new Request("https://vault.test/oauth/register", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          client_name: "Daily",
+          redirect_uris: ["parachute://oauth/callback"],
+        }),
+      }),
+      db,
+    );
+    const { client_id } = (await regRes.json()) as { client_id: string };
+
+    // 2. PKCE + authorize
+    const codeVerifier = crypto.randomBytes(32).toString("base64url");
+    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+    const authRes = await handleAuthorizePost(
+      new Request("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id,
+          redirect_uri: "parachute://oauth/callback",
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    // 3. Token exchange
+    const tokRes = await handleToken(
+      new Request("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id,
+          redirect_uri: "parachute://oauth/callback",
+        }).toString(),
+      }),
+      db,
+      vaultName,
+    );
+    const tokBody = (await tokRes.json()) as { access_token: string; vault: string };
+    expect(tokBody.vault).toBe(vaultName);
+    return tokBody.access_token;
+  }
+
+  test("default-vault OAuth: token works at /api/*, /mcp, /vaults/default/api/*, /vaults/default/mcp", async () => {
+    seedVault("default", { isDefault: true });
+    const token = await runOAuthFlow("default");
+    const cfg = readVaultConfig("default")!;
+    const store = getVaultStore("default");
+
+    // `/api/*` — unscoped path resolves default vault, calls authenticateVaultRequest.
+    const apiUnscoped = authenticateVaultRequest(bearer(token), cfg, store.db);
+    expect("error" in apiUnscoped).toBe(false);
+
+    // `/vaults/default/api/*` — scoped path resolves same default, same DB, same call.
+    const apiScoped = authenticateVaultRequest(bearer(token), cfg, store.db);
+    expect("error" in apiScoped).toBe(false);
+
+    // `/mcp` — unified endpoint uses authenticateGlobalRequest which scans all DBs.
+    const mcpUnscoped = authenticateGlobalRequest(bearer(token));
+    expect("error" in mcpUnscoped).toBe(false);
+
+    // `/vaults/default/mcp` — scoped MCP uses authenticateVaultRequest (same as api).
+    const mcpScoped = authenticateVaultRequest(bearer(token), cfg, store.db);
+    expect("error" in mcpScoped).toBe(false);
+  });
+
+  test("named-vault OAuth: token works at /vaults/X/api/*, /vaults/X/mcp, /mcp", async () => {
+    seedVault("default", { isDefault: true });
+    seedVault("work");
+    const token = await runOAuthFlow("work");
+    const workCfg = readVaultConfig("work")!;
+    const workStore = getVaultStore("work");
+
+    // Scoped endpoints addressing vault work — must resolve.
+    const apiScoped = authenticateVaultRequest(bearer(token), workCfg, workStore.db);
+    expect("error" in apiScoped).toBe(false);
+
+    // Unified /mcp scans all vaults, must find the token in work's DB.
+    const mcpUnified = authenticateGlobalRequest(bearer(token));
+    expect("error" in mcpUnified).toBe(false);
+
+    // Defensive: the same token is NOT usable against the default vault's /api/*.
+    const defaultCfg = readVaultConfig("default")!;
+    const defaultStore = getVaultStore("default");
+    const crossCheck = authenticateVaultRequest(bearer(token), defaultCfg, defaultStore.db);
+    expect("error" in crossCheck).toBe(true);
+  });
+});

package/src/backup-launchd.test.ts

@@ -0,0 +1,90 @@
+/**
+ * Plist shape tests for the scheduled-backup launchd agent.
+ *
+ * These mirror `launchd.test.ts` in spirit — we don't actually register
+ * the plist with launchctl (that would mutate the developer's machine).
+ * We only verify:
+ *
+ *   1. The plist contains the bun path, the cli path, and the right
+ *      `vault backup` ProgramArguments.
+ *   2. Each schedule value produces the right scheduling key
+ *      (StartInterval vs StartCalendarInterval with Hour + Weekday).
+ *   3. The XML is superficially well-formed (opens and closes matching tags).
+ *
+ * The actual `installBackupAgent` / `uninstallBackupAgent` flow is tested
+ * indirectly via `cmdBackupSchedule` in higher-level CLI integration tests.
+ */
+
+import { describe, test, expect } from "bun:test";
+import { generateBackupPlist, BACKUP_LABEL } from "./backup-launchd.ts";
+
+describe("generateBackupPlist", () => {
+  const basic = {
+    bunPath: "/Users/alice/.bun/bin/bun",
+    cliPath: "/Users/alice/repo/parachute-vault/src/cli.ts",
+  };
+
+  test("hourly → StartInterval 3600", () => {
+    const plist = generateBackupPlist({ ...basic, schedule: "hourly" });
+    expect(plist).toContain("<key>StartInterval</key>");
+    expect(plist).toContain("<integer>3600</integer>");
+    expect(plist).not.toContain("<key>StartCalendarInterval</key>");
+  });
+
+  test("daily → StartCalendarInterval with Hour=3 (no Weekday)", () => {
+    const plist = generateBackupPlist({ ...basic, schedule: "daily" });
+    expect(plist).toContain("<key>StartCalendarInterval</key>");
+    expect(plist).toContain("<key>Hour</key>");
+    expect(plist).toContain("<integer>3</integer>");
+    expect(plist).not.toContain("<key>Weekday</key>");
+  });
+
+  test("weekly → StartCalendarInterval with Hour=3, Weekday=0 (Sunday)", () => {
+    const plist = generateBackupPlist({ ...basic, schedule: "weekly" });
+    expect(plist).toContain("<key>StartCalendarInterval</key>");
+    expect(plist).toContain("<key>Hour</key>");
+    expect(plist).toContain("<key>Weekday</key>");
+    // The plist has both Hour=3 AND Weekday=0 — verify both by locating
+    // their surrounding keys.
+    const weekdayMatch = plist.match(/<key>Weekday<\/key>\s*<integer>(\d+)<\/integer>/);
+    expect(weekdayMatch).not.toBeNull();
+    expect(weekdayMatch![1]).toBe("0");
+  });
+
+  test("ProgramArguments runs `bun <cli.ts> vault backup`", () => {
+    const plist = generateBackupPlist({ ...basic, schedule: "daily" });
+    expect(plist).toContain(`<string>${basic.bunPath}</string>`);
+    expect(plist).toContain(`<string>${basic.cliPath}</string>`);
+    expect(plist).toContain("<string>vault</string>");
+    expect(plist).toContain("<string>backup</string>");
+  });
+
+  test("uses the backup-specific label, not the daemon label", () => {
+    const plist = generateBackupPlist({ ...basic, schedule: "daily" });
+    expect(plist).toContain(`<string>${BACKUP_LABEL}</string>`);
+    // Different from the daemon label. If somebody ever unified them, this
+    // test fires so the change is intentional.
+    expect(BACKUP_LABEL).toBe("computer.parachute.vault.backup");
+  });
+
+  test("RunAtLoad is false — we do not want a backup to fire on every login", () => {
+    // Opposite of the daemon (which has RunAtLoad=true to keep the server
+    // running at login). For the backup agent, running at login is user-
+    // hostile: it delays login and churns iCloud on every cold boot.
+    const plist = generateBackupPlist({ ...basic, schedule: "daily" });
+    expect(plist).toContain("<key>RunAtLoad</key>");
+    expect(plist).toMatch(/<key>RunAtLoad<\/key>\s*<false\/>/);
+  });
+
+  test("XML opens and closes plist dict", () => {
+    // Superficial well-formedness — catches stray typos in the template.
+    // A full XML validator would be overkill; matching open/close counts
+    // is sufficient for the single hand-rolled plist.
+    const plist = generateBackupPlist({ ...basic, schedule: "daily" });
+    expect(plist).toMatch(/<plist version="1\.0">/);
+    expect(plist).toMatch(/<\/plist>\s*$/);
+    const opens = (plist.match(/<dict>/g) ?? []).length;
+    const closes = (plist.match(/<\/dict>/g) ?? []).length;
+    expect(opens).toBe(closes);
+  });
+});

package/src/backup-launchd.ts

@@ -0,0 +1,169 @@
+/**
+ * macOS launchd agent for the scheduled backup job.
+ *
+ * Parallels `launchd.ts` (which manages the vault daemon). Differences:
+ *
+ *   - StartInterval / StartCalendarInterval instead of KeepAlive — this is
+ *     a one-shot-on-a-schedule job, not a long-running daemon.
+ *   - Separate label + plist path so the two agents don't collide in
+ *     launchctl.
+ *   - The program executes `bun <cli.ts> vault backup` against the same
+ *     server-path pointer the daemon uses, which keeps "which bun, which
+ *     repo" in sync across both agents automatically.
+ *
+ * Linux systemd-timer variant is deliberately out-of-scope for the MVP; see
+ * the scoping note in the PR description.
+ */
+
+import { homedir } from "os";
+import { join } from "path";
+import { writeFile, unlink } from "fs/promises";
+import { existsSync } from "fs";
+import { $ } from "bun";
+import {
+  CONFIG_DIR,
+  LOG_PATH,
+  ERR_PATH,
+} from "./config.ts";
+import type { BackupSchedule } from "./config.ts";
+import { resolveServerPath } from "./daemon.ts";
+
+export const BACKUP_LABEL = "computer.parachute.vault.backup";
+export const BACKUP_PLIST_PATH = join(homedir(), "Library", "LaunchAgents", `${BACKUP_LABEL}.plist`);
+
+/**
+ * Resolve the CLI path the backup job should invoke. Sibling-to-server.ts
+ * — we reuse `resolveServerPath()`'s dirname-of-module approach so a move
+ * of the repo updates both the daemon and the backup agent on the next
+ * `parachute vault backup --schedule <f>` run.
+ */
+export function resolveCliPath(): string {
+  const serverPath = resolveServerPath(); // <repo>/src/server.ts
+  return serverPath.replace(/server\.ts$/, "cli.ts");
+}
+
+/**
+ * Build plist XML for a given schedule. Pure string builder for test-ability
+ * — `backup-launchd.test.ts` locks the schedule → plist shape contract.
+ */
+export function generateBackupPlist(opts: {
+  schedule: Exclude<BackupSchedule, "manual">;
+  bunPath: string;
+  cliPath: string;
+  label?: string;
+  logPath?: string;
+  errPath?: string;
+  workingDir?: string;
+}): string {
+  const label = opts.label ?? BACKUP_LABEL;
+  const logPath = opts.logPath ?? LOG_PATH;
+  const errPath = opts.errPath ?? ERR_PATH;
+  const workingDir = opts.workingDir ?? CONFIG_DIR;
+
+  const intervalXml = scheduleToPlistXml(opts.schedule);
+
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${label}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${opts.bunPath}</string>
+    <string>${opts.cliPath}</string>
+    <string>vault</string>
+    <string>backup</string>
+  </array>
+${intervalXml}
+  <key>RunAtLoad</key>
+  <false/>
+  <key>StandardOutPath</key>
+  <string>${logPath}</string>
+  <key>StandardErrorPath</key>
+  <string>${errPath}</string>
+  <key>WorkingDirectory</key>
+  <string>${workingDir}</string>
+</dict>
+</plist>`;
+}
+
+/**
+ * Map a schedule string to the appropriate launchd key.
+ *
+ *   hourly → StartInterval 3600 (seconds)
+ *   daily  → StartCalendarInterval at 03:00 local
+ *   weekly → StartCalendarInterval at 03:00 Sunday
+ *
+ * Why 03:00: the classic "everybody's asleep, iCloud Drive isn't fighting
+ * the active user for bandwidth" slot. If the machine is asleep at that
+ * time, launchd fires the job on the next wake — so a laptop user who
+ * sleeps at midnight still gets their backup.
+ */
+function scheduleToPlistXml(schedule: "hourly" | "daily" | "weekly"): string {
+  if (schedule === "hourly") {
+    return `  <key>StartInterval</key>
+  <integer>3600</integer>`;
+  }
+  // daily + weekly: StartCalendarInterval dict.
+  const hour = 3;
+  const minute = 0;
+  const lines: string[] = [];
+  lines.push(`  <key>StartCalendarInterval</key>`);
+  lines.push(`  <dict>`);
+  lines.push(`    <key>Hour</key>`);
+  lines.push(`    <integer>${hour}</integer>`);
+  lines.push(`    <key>Minute</key>`);
+  lines.push(`    <integer>${minute}</integer>`);
+  if (schedule === "weekly") {
+    // 0 = Sunday per Apple's docs.
+    lines.push(`    <key>Weekday</key>`);
+    lines.push(`    <integer>0</integer>`);
+  }
+  lines.push(`  </dict>`);
+  return lines.join("\n");
+}
+
+/**
+ * Install (or re-install) the backup agent for the given schedule. Idempotent
+ * — same pattern as `installAgent()` in `launchd.ts`: unload first so a
+ * re-registration takes effect even if the prior plist is loaded.
+ *
+ * `schedule: "manual"` uninstalls the agent — no plist means no scheduled
+ * runs. This is what the spec asks for: `manual` is the off-switch.
+ */
+export async function installBackupAgent(schedule: BackupSchedule): Promise<void> {
+  if (process.platform !== "darwin") {
+    throw new Error("launchd backup agent is only available on macOS. systemd timer variant is a follow-up PR.");
+  }
+
+  if (schedule === "manual") {
+    await uninstallBackupAgent();
+    return;
+  }
+
+  const bunPath = Bun.which("bun") || join(homedir(), ".bun", "bin", "bun");
+  const cliPath = resolveCliPath();
+  const plist = generateBackupPlist({ schedule, bunPath, cliPath });
+  await writeFile(BACKUP_PLIST_PATH, plist);
+
+  // Bounce in the same pattern as the daemon agent.
+  try { await $`launchctl unload ${BACKUP_PLIST_PATH}`.quiet(); } catch {}
+  try { await $`launchctl load ${BACKUP_PLIST_PATH}`.quiet(); } catch {}
+}
+
+export async function uninstallBackupAgent(): Promise<void> {
+  try { await $`launchctl unload ${BACKUP_PLIST_PATH}`.quiet(); } catch {}
+  try {
+    if (existsSync(BACKUP_PLIST_PATH)) await unlink(BACKUP_PLIST_PATH);
+  } catch {}
+}
+
+export async function isBackupAgentLoaded(): Promise<boolean> {
+  try {
+    const result = await $`launchctl list ${BACKUP_LABEL}`.quiet();
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}