@tearleads/cli 0.0.1

package/dist/index.js

@@ -0,0 +1,1320 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command as Command8 } from "commander";
+
+// src/commands/backup.ts
+import fs5 from "fs/promises";
+import path3 from "path";
+import { Command } from "commander";
+
+// src/backup/constants.ts
+var MAGIC_BYTES = new Uint8Array([
+  82,
+  65,
+  80,
+  73,
+  68,
+  66,
+  65,
+  75
+]);
+var FORMAT_VERSION = 1;
+var HEADER_SIZE = 32;
+var MAGIC_SIZE = 8;
+var SALT_SIZE = 16;
+var IV_SIZE = 12;
+var CHUNK_HEADER_SIZE = 20;
+var PBKDF2_ITERATIONS = 6e5;
+var AES_KEY_BITS = 256;
+var MAX_BLOB_CHUNK_SIZE = 10 * 1024 * 1024;
+
+// src/backup/compression.ts
+async function compressNode(data) {
+  const { gzipSync } = await import("zlib");
+  return new Uint8Array(gzipSync(data));
+}
+async function decompressNode(data) {
+  const { gunzipSync } = await import("zlib");
+  return new Uint8Array(gunzipSync(data));
+}
+async function compress(data) {
+  return compressNode(data);
+}
+async function decompress(data) {
+  return decompressNode(data);
+}
+
+// src/backup/crypto.ts
+function generateSalt() {
+  return crypto.getRandomValues(new Uint8Array(SALT_SIZE));
+}
+function generateIv() {
+  return crypto.getRandomValues(new Uint8Array(IV_SIZE));
+}
+async function deriveKey(password, salt, iterations = PBKDF2_ITERATIONS) {
+  const encoder = new TextEncoder();
+  const passwordBytes = encoder.encode(password);
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    passwordBytes,
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"]
+  );
+  const saltBuffer = new Uint8Array(salt).buffer;
+  return crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: AES_KEY_BITS },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encrypt(data, key) {
+  const iv = generateIv();
+  const dataBuffer = new Uint8Array(data).buffer;
+  const ivBuffer = new Uint8Array(iv).buffer;
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv: ivBuffer },
+    key,
+    dataBuffer
+  );
+  return {
+    iv,
+    ciphertext: new Uint8Array(ciphertext)
+  };
+}
+async function decrypt(ciphertext, key, iv) {
+  const ciphertextBuffer = new Uint8Array(ciphertext).buffer;
+  const ivBuffer = new Uint8Array(iv).buffer;
+  const plaintext = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: ivBuffer },
+    key,
+    ciphertextBuffer
+  );
+  return new Uint8Array(plaintext);
+}
+
+// src/backup/types.ts
+var ChunkType = {
+  MANIFEST: 0,
+  DATABASE: 1,
+  BLOB: 2
+};
+
+// src/backup/decoder.ts
+var BackupDecodeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BackupDecodeError";
+  }
+};
+var InvalidPasswordError = class extends Error {
+  constructor() {
+    super("Invalid password or corrupted backup");
+    this.name = "InvalidPasswordError";
+  }
+};
+function readUint32LE(buffer, offset) {
+  const view = new DataView(
+    buffer.buffer,
+    buffer.byteOffset,
+    buffer.byteLength
+  );
+  return view.getUint32(offset, true);
+}
+function readUint16LE(buffer, offset) {
+  const view = new DataView(
+    buffer.buffer,
+    buffer.byteOffset,
+    buffer.byteLength
+  );
+  return view.getUint16(offset, true);
+}
+function parseHeader(data) {
+  if (data.length < HEADER_SIZE) {
+    throw new BackupDecodeError("File too small to be a valid backup");
+  }
+  const magic = data.slice(0, MAGIC_SIZE);
+  for (let i = 0; i < MAGIC_SIZE; i++) {
+    if (magic[i] !== MAGIC_BYTES[i]) {
+      throw new BackupDecodeError("Invalid backup file: wrong magic bytes");
+    }
+  }
+  const version = readUint16LE(data, MAGIC_SIZE);
+  if (version > FORMAT_VERSION) {
+    throw new BackupDecodeError(
+      `Unsupported backup version: ${version} (max supported: ${FORMAT_VERSION})`
+    );
+  }
+  const flags = readUint16LE(data, MAGIC_SIZE + 2);
+  const salt = data.slice(MAGIC_SIZE + 4, MAGIC_SIZE + 4 + SALT_SIZE);
+  return { magic, version, flags, salt };
+}
+function parseChunkHeader(data, offset) {
+  if (offset + CHUNK_HEADER_SIZE > data.length) {
+    throw new BackupDecodeError(
+      "Unexpected end of file while reading chunk header"
+    );
+  }
+  const payloadLength = readUint32LE(data, offset);
+  const chunkTypeValue = data[offset + 4] ?? -1;
+  if (!isChunkTypeValue(chunkTypeValue)) {
+    throw new BackupDecodeError(`Unknown chunk type: ${chunkTypeValue}`);
+  }
+  const reserved = data.slice(offset + 5, offset + 8);
+  const iv = data.slice(offset + 8, offset + CHUNK_HEADER_SIZE);
+  return { payloadLength, chunkType: chunkTypeValue, reserved, iv };
+}
+function isChunkTypeValue(value) {
+  return value === ChunkType.MANIFEST || value === ChunkType.DATABASE || value === ChunkType.BLOB;
+}
+async function decryptChunk(data, offset, header, key) {
+  const payloadStart = offset + CHUNK_HEADER_SIZE;
+  const payloadEnd = payloadStart + header.payloadLength;
+  if (payloadEnd > data.length) {
+    throw new BackupDecodeError(
+      "Unexpected end of file while reading chunk payload"
+    );
+  }
+  const ciphertext = data.slice(payloadStart, payloadEnd);
+  try {
+    const compressed = await decrypt(ciphertext, key, header.iv);
+    return decompress(compressed);
+  } catch {
+    throw new InvalidPasswordError();
+  }
+}
+function parseJsonChunk(data) {
+  const json = new TextDecoder().decode(data);
+  return JSON.parse(json);
+}
+function parseBlobChunk(data) {
+  const separatorIndex = data.indexOf(0);
+  if (separatorIndex === -1) {
+    throw new BackupDecodeError("Invalid blob chunk: missing separator");
+  }
+  const headerBytes = data.slice(0, separatorIndex);
+  const blobData = data.slice(separatorIndex + 1);
+  const header = JSON.parse(new TextDecoder().decode(headerBytes));
+  return { header, data: blobData };
+}
+async function decode(options) {
+  const { data, password, onProgress } = options;
+  const header = parseHeader(data);
+  const decodeWithKey = async (key2) => {
+    let offset = HEADER_SIZE;
+    let manifest = null;
+    let database = null;
+    const blobs = [];
+    const totalChunks = Math.max(
+      1,
+      Math.floor((data.length - HEADER_SIZE) / CHUNK_HEADER_SIZE)
+    );
+    let currentChunk = 0;
+    const reportProgress = (phase, item) => {
+      if (!onProgress) return;
+      const event = {
+        phase,
+        current: currentChunk,
+        total: totalChunks,
+        currentItem: item
+      };
+      onProgress(event);
+    };
+    while (offset < data.length) {
+      const chunkHeader = parseChunkHeader(data, offset);
+      const chunkData = await decryptChunk(data, offset, chunkHeader, key2);
+      switch (chunkHeader.chunkType) {
+        case ChunkType.MANIFEST:
+          reportProgress("preparing", "manifest");
+          manifest = parseJsonChunk(chunkData);
+          break;
+        case ChunkType.DATABASE:
+          reportProgress("database", "database");
+          database = parseJsonChunk(chunkData);
+          break;
+        case ChunkType.BLOB:
+          reportProgress("blobs", "blob");
+          blobs.push(parseBlobChunk(chunkData));
+          break;
+        default:
+          throw new BackupDecodeError(
+            `Unknown chunk type: ${chunkHeader.chunkType}`
+          );
+      }
+      offset += CHUNK_HEADER_SIZE + chunkHeader.payloadLength;
+      currentChunk++;
+    }
+    if (!manifest || !database) {
+      throw new BackupDecodeError("Backup missing required chunks");
+    }
+    reportProgress("finalizing", "complete");
+    return { manifest, database, blobs };
+  };
+  const key = await deriveKey(password, header.salt, PBKDF2_ITERATIONS);
+  return decodeWithKey(key);
+}
+
+// src/backup/encoder.ts
+function writeUint32LE(buffer, value, offset) {
+  const view = new DataView(
+    buffer.buffer,
+    buffer.byteOffset,
+    buffer.byteLength
+  );
+  view.setUint32(offset, value, true);
+}
+function writeUint16LE(buffer, value, offset) {
+  const view = new DataView(
+    buffer.buffer,
+    buffer.byteOffset,
+    buffer.byteLength
+  );
+  view.setUint16(offset, value, true);
+}
+function createHeader(salt, flags = 0) {
+  const header = new Uint8Array(HEADER_SIZE);
+  header.set(MAGIC_BYTES, 0);
+  writeUint16LE(header, FORMAT_VERSION, MAGIC_SIZE);
+  writeUint16LE(header, flags, MAGIC_SIZE + 2);
+  header.set(salt, MAGIC_SIZE + 4);
+  return header;
+}
+async function createChunk(data, chunkType, key) {
+  const compressed = await compress(data);
+  const { iv, ciphertext } = await encrypt(compressed, key);
+  const chunk = new Uint8Array(CHUNK_HEADER_SIZE + ciphertext.length);
+  writeUint32LE(chunk, ciphertext.length, 0);
+  chunk[4] = chunkType;
+  chunk.set(iv, 8);
+  chunk.set(ciphertext, CHUNK_HEADER_SIZE);
+  return chunk;
+}
+async function encodeJsonChunk(data, chunkType, key) {
+  const json = JSON.stringify(data);
+  const bytes = new TextEncoder().encode(json);
+  return createChunk(bytes, chunkType, key);
+}
+async function* encodeBlobChunks(blob, data, key) {
+  const totalParts = Math.ceil(data.length / MAX_BLOB_CHUNK_SIZE) || 1;
+  for (let partIndex = 0; partIndex < totalParts; partIndex++) {
+    const start = partIndex * MAX_BLOB_CHUNK_SIZE;
+    const end = Math.min(start + MAX_BLOB_CHUNK_SIZE, data.length);
+    const partData = data.slice(start, end);
+    const header = {
+      path: blob.path,
+      mimeType: blob.mimeType,
+      size: blob.size,
+      ...totalParts > 1 && { partIndex, totalParts }
+    };
+    const headerBytes = new TextEncoder().encode(JSON.stringify(header));
+    const chunkData = new Uint8Array(headerBytes.length + 1 + partData.length);
+    chunkData.set(headerBytes, 0);
+    chunkData[headerBytes.length] = 0;
+    chunkData.set(partData, headerBytes.length + 1);
+    yield createChunk(chunkData, ChunkType.BLOB, key);
+  }
+}
+async function encode(options) {
+  const { password, manifest, database, blobs, readBlob, onProgress } = options;
+  const salt = generateSalt();
+  const key = await deriveKey(password, salt);
+  const header = createHeader(salt);
+  const chunks = [header];
+  const totalSteps = 2 + blobs.length;
+  let currentStep = 0;
+  const reportProgress = (phase, item) => {
+    onProgress?.({
+      phase,
+      current: currentStep,
+      total: totalSteps,
+      currentItem: item
+    });
+  };
+  reportProgress("preparing", "manifest");
+  const manifestChunk = await encodeJsonChunk(
+    manifest,
+    ChunkType.MANIFEST,
+    key
+  );
+  chunks.push(manifestChunk);
+  currentStep++;
+  reportProgress("database", "database");
+  const databaseChunk = await encodeJsonChunk(
+    database,
+    ChunkType.DATABASE,
+    key
+  );
+  chunks.push(databaseChunk);
+  currentStep++;
+  for (const blob of blobs) {
+    reportProgress("blobs", blob.path);
+    const blobData = await readBlob(blob.path);
+    for await (const chunk of encodeBlobChunks(blob, blobData, key)) {
+      chunks.push(chunk);
+    }
+    currentStep++;
+  }
+  const totalSize = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+  const output = new Uint8Array(totalSize);
+  let offset = 0;
+  for (const chunk of chunks) {
+    output.set(chunk, offset);
+    offset += chunk.length;
+  }
+  reportProgress("finalizing", "complete");
+  return output;
+}
+
+// src/crypto/key-manager.ts
+import fs2 from "fs/promises";
+
+// ../shared/dist/crypto/asymmetric.js
+var HKDF_INFO = new TextEncoder().encode("rapid-vfs-hybrid-v1");
+
+// ../shared/dist/crypto/web-crypto.js
+var ALGORITHM = "AES-GCM";
+var KEY_LENGTH = 256;
+var SALT_LENGTH = 32;
+var PBKDF2_ITERATIONS2 = 6e5;
+function generateSalt2() {
+  return crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+}
+async function deriveKeyFromPassword(password, salt) {
+  const encoder = new TextEncoder();
+  const passwordBuffer = encoder.encode(password);
+  const keyMaterial = await crypto.subtle.importKey("raw", passwordBuffer, "PBKDF2", false, ["deriveBits", "deriveKey"]);
+  assertPlainArrayBuffer(salt);
+  return crypto.subtle.deriveKey({
+    name: "PBKDF2",
+    salt,
+    iterations: PBKDF2_ITERATIONS2,
+    hash: "SHA-256"
+  }, keyMaterial, { name: ALGORITHM, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+}
+async function exportKey(key) {
+  const exported = await crypto.subtle.exportKey("raw", key);
+  return new Uint8Array(exported);
+}
+async function importKey(keyBytes) {
+  assertPlainArrayBuffer(keyBytes);
+  return crypto.subtle.importKey("raw", keyBytes, { name: ALGORITHM, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+}
+function secureZero(buffer) {
+  crypto.getRandomValues(buffer);
+  buffer.fill(0);
+}
+async function generateExtractableWrappingKey() {
+  return crypto.subtle.generateKey({ name: "AES-KW", length: 256 }, true, [
+    "wrapKey",
+    "unwrapKey"
+  ]);
+}
+async function exportWrappingKey(key) {
+  const exported = await crypto.subtle.exportKey("raw", key);
+  return new Uint8Array(exported);
+}
+async function importWrappingKey(keyBytes) {
+  assertPlainArrayBuffer(keyBytes);
+  return crypto.subtle.importKey("raw", keyBytes, { name: "AES-KW", length: 256 }, true, ["wrapKey", "unwrapKey"]);
+}
+async function wrapKey(keyToWrap, wrappingKey) {
+  assertPlainArrayBuffer(keyToWrap);
+  const cryptoKey = await crypto.subtle.importKey("raw", keyToWrap, { name: ALGORITHM, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+  const wrapped = await crypto.subtle.wrapKey("raw", cryptoKey, wrappingKey, {
+    name: "AES-KW"
+  });
+  return new Uint8Array(wrapped);
+}
+async function unwrapKey(wrappedKey, wrappingKey) {
+  assertPlainArrayBuffer(wrappedKey);
+  const unwrappedCryptoKey = await crypto.subtle.unwrapKey("raw", wrappedKey, wrappingKey, { name: "AES-KW" }, { name: ALGORITHM, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+  const exported = await crypto.subtle.exportKey("raw", unwrappedCryptoKey);
+  return new Uint8Array(exported);
+}
+
+// ../shared/dist/index.js
+function assertPlainArrayBuffer(arr) {
+  if (typeof SharedArrayBuffer !== "undefined" && arr.buffer instanceof SharedArrayBuffer) {
+    throw new Error("Unexpected SharedArrayBuffer backing Uint8Array. This should never occur in normal operation.");
+  }
+}
+
+// src/config/index.ts
+import fs from "fs/promises";
+import os from "os";
+import path from "path";
+var configRoot = null;
+function getConfigPaths() {
+  const root = configRoot ?? path.join(os.homedir(), ".tearleads");
+  return {
+    root,
+    database: path.join(root, "tearleads.db"),
+    keyData: path.join(root, "keydata.json"),
+    session: path.join(root, ".session")
+  };
+}
+async function ensureConfigDir() {
+  const paths = getConfigPaths();
+  await fs.mkdir(paths.root, { recursive: true, mode: 448 });
+}
+async function hasSession() {
+  const paths = getConfigPaths();
+  try {
+    await fs.access(paths.session);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function clearSession() {
+  const paths = getConfigPaths();
+  try {
+    await fs.unlink(paths.session);
+  } catch {
+  }
+}
+
+// src/crypto/key-manager.ts
+var currentKey = null;
+async function hasExistingKey() {
+  const paths = getConfigPaths();
+  try {
+    await fs2.access(paths.keyData);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readKeyData() {
+  const paths = getConfigPaths();
+  try {
+    const content = await fs2.readFile(paths.keyData, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeKeyData(data) {
+  await ensureConfigDir();
+  const paths = getConfigPaths();
+  await fs2.writeFile(paths.keyData, JSON.stringify(data), {
+    mode: 384
+  });
+}
+async function readSessionData() {
+  const paths = getConfigPaths();
+  try {
+    const content = await fs2.readFile(paths.session, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeSessionData(data) {
+  await ensureConfigDir();
+  const paths = getConfigPaths();
+  await fs2.writeFile(paths.session, JSON.stringify(data), {
+    mode: 384
+  });
+}
+async function createKeyCheckValue(keyBytes) {
+  const checkData = new TextEncoder().encode("TEARLEADS_KEY_CHECK");
+  const key = await importKey(keyBytes);
+  const iv = new Uint8Array(12);
+  const encrypted = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    checkData
+  );
+  const bytes = new Uint8Array(encrypted).slice(0, 16);
+  return btoa(String.fromCharCode(...bytes));
+}
+async function setupNewKey(password) {
+  const salt = generateSalt2();
+  const key = await deriveKeyFromPassword(password, salt);
+  const keyBytes = await exportKey(key);
+  const kcv = await createKeyCheckValue(keyBytes);
+  await writeKeyData({
+    salt: Array.from(salt),
+    keyCheckValue: kcv
+  });
+  currentKey = new Uint8Array(keyBytes);
+  return keyBytes;
+}
+async function unlockWithPassword(password) {
+  const keyData = await readKeyData();
+  if (!keyData) {
+    throw new Error("No existing key found. Use setupNewKey instead.");
+  }
+  const salt = new Uint8Array(keyData.salt);
+  const key = await deriveKeyFromPassword(password, salt);
+  const keyBytes = await exportKey(key);
+  const computedKcv = await createKeyCheckValue(keyBytes);
+  if (keyData.keyCheckValue !== computedKcv) {
+    secureZero(keyBytes);
+    return null;
+  }
+  currentKey = new Uint8Array(keyBytes);
+  return keyBytes;
+}
+async function changePassword(oldPassword, newPassword) {
+  const oldKeyResult = await unlockWithPassword(oldPassword);
+  if (!oldKeyResult) return null;
+  const oldKey = new Uint8Array(oldKeyResult);
+  const newSalt = generateSalt2();
+  const newCryptoKey = await deriveKeyFromPassword(newPassword, newSalt);
+  const newKey = await exportKey(newCryptoKey);
+  const newKcv = await createKeyCheckValue(newKey);
+  await writeKeyData({
+    salt: Array.from(newSalt),
+    keyCheckValue: newKcv
+  });
+  currentKey = new Uint8Array(newKey);
+  return { oldKey, newKey };
+}
+function clearKey() {
+  if (currentKey) {
+    secureZero(currentKey);
+    currentKey = null;
+  }
+}
+async function persistSession() {
+  if (!currentKey) return false;
+  try {
+    const wrappingKey = await generateExtractableWrappingKey();
+    const wrappedKey = await wrapKey(currentKey, wrappingKey);
+    const wrappingKeyBytes = await exportWrappingKey(wrappingKey);
+    await writeSessionData({
+      wrappedKey: Array.from(wrappedKey),
+      wrappingKey: Array.from(wrappingKeyBytes)
+    });
+    return true;
+  } catch (err) {
+    console.error("Failed to persist session:", err);
+    return false;
+  }
+}
+async function hasPersistedSession() {
+  return hasSession();
+}
+async function restoreSession() {
+  try {
+    const sessionData = await readSessionData();
+    if (!sessionData) return null;
+    const wrappingKeyBytes = new Uint8Array(sessionData.wrappingKey);
+    const wrappedKey = new Uint8Array(sessionData.wrappedKey);
+    const wrappingKey = await importWrappingKey(wrappingKeyBytes);
+    const keyBytes = await unwrapKey(wrappedKey, wrappingKey);
+    currentKey = new Uint8Array(keyBytes);
+    return keyBytes;
+  } catch (err) {
+    console.error("Failed to restore session:", err);
+    await clearPersistedSession();
+    return null;
+  }
+}
+async function clearPersistedSession() {
+  await clearSession();
+}
+
+// src/db/index.ts
+import fs4 from "fs/promises";
+
+// src/db/adapter.ts
+import fs3 from "fs/promises";
+import path2 from "path";
+import Database from "better-sqlite3-multiple-ciphers";
+var SCHEMA = `
+  CREATE TABLE IF NOT EXISTS contacts (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT NOT NULL,
+    email TEXT,
+    phone TEXT,
+    notes TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    updated_at TEXT DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS events (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    contact_id INTEGER REFERENCES contacts(id),
+    type TEXT NOT NULL,
+    description TEXT,
+    event_date TEXT,
+    created_at TEXT DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS settings (
+    key TEXT PRIMARY KEY,
+    value TEXT NOT NULL
+  );
+`;
+function isRecord2(value) {
+  return typeof value === "object" && value !== null;
+}
+function getStringField(value, key) {
+  const field = value[key];
+  return typeof field === "string" ? field : null;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var NativeSqliteAdapter = class {
+  db = null;
+  dbPath;
+  constructor() {
+    const configPaths = getConfigPaths();
+    this.dbPath = configPaths.database;
+  }
+  /**
+   * Initialize a new encrypted database with the given key.
+   * Creates the database file and schema.
+   */
+  async initialize(key) {
+    await fs3.mkdir(path2.dirname(this.dbPath), { recursive: true, mode: 448 });
+    this.db = new Database(this.dbPath);
+    this.db.pragma(`key = "x'${bytesToHex(key)}'"`);
+    this.db.pragma("cipher_compatibility = 4");
+    this.db.exec(SCHEMA);
+  }
+  /**
+   * Open an existing encrypted database with the given key.
+   */
+  async open(key) {
+    try {
+      await fs3.access(this.dbPath);
+    } catch {
+      throw new Error("Database file not found");
+    }
+    this.db = new Database(this.dbPath);
+    this.db.pragma(`key = "x'${bytesToHex(key)}'"`);
+    this.db.pragma("cipher_compatibility = 4");
+    try {
+      this.db.prepare("SELECT count(*) FROM sqlite_master").get();
+    } catch {
+      this.db.close();
+      this.db = null;
+      throw new Error("Invalid encryption key");
+    }
+  }
+  /**
+   * Check if the database is currently open.
+   */
+  isOpen() {
+    return this.db !== null;
+  }
+  /**
+   * Close the database connection.
+   */
+  close() {
+    if (this.db) {
+      this.db.close();
+      this.db = null;
+    }
+  }
+  /**
+   * Re-key the database with a new encryption key.
+   */
+  async rekeyDatabase(newKey) {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    this.db.pragma(`rekey = "x'${bytesToHex(newKey)}'"`);
+  }
+  /**
+   * Export the database to a JSON structure for backup.
+   */
+  exportToJson() {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    const result = {};
+    const tables = this.db.prepare(
+      "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
+    ).all();
+    for (const { name } of tables) {
+      const rows = this.db.prepare(`SELECT * FROM ${name}`).all();
+      result[name] = rows;
+    }
+    return result;
+  }
+  /**
+   * Export the database to a backup-friendly structure with schema and data.
+   */
+  exportToBackupDatabase() {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    const tables = this.db.prepare(
+      "SELECT name, sql FROM sqlite_master WHERE type='table' AND sql IS NOT NULL ORDER BY name"
+    ).all();
+    const tableSchemas = [];
+    for (const row of tables) {
+      if (!isRecord2(row)) continue;
+      const name = getStringField(row, "name");
+      const sql = getStringField(row, "sql");
+      if (!name || !sql) continue;
+      if (name.startsWith("sqlite_") || name === "__drizzle_migrations") {
+        continue;
+      }
+      tableSchemas.push({ name, sql });
+    }
+    const indexes = this.db.prepare(
+      "SELECT name, tbl_name, sql FROM sqlite_master WHERE type='index' AND sql IS NOT NULL ORDER BY name"
+    ).all();
+    const indexSchemas = [];
+    for (const row of indexes) {
+      if (!isRecord2(row)) continue;
+      const name = getStringField(row, "name");
+      const tableName = getStringField(row, "tbl_name");
+      const sql = getStringField(row, "sql");
+      if (!name || !tableName || !sql) continue;
+      if (name.startsWith("sqlite_")) continue;
+      indexSchemas.push({ name, tableName, sql });
+    }
+    const data = {};
+    for (const table of tableSchemas) {
+      const rows = this.db.prepare(`SELECT * FROM "${table.name}"`).all();
+      data[table.name] = rows;
+    }
+    return { tables: tableSchemas, indexes: indexSchemas, data };
+  }
+  /**
+   * Import data from a JSON structure (restore from backup).
+   */
+  importFromJson(data) {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    const db = this.db;
+    const transaction = db.transaction(() => {
+      for (const [tableName, rows] of Object.entries(data)) {
+        if (!Array.isArray(rows) || rows.length === 0) continue;
+        db.prepare(`DELETE FROM ${tableName}`).run();
+        const firstRow = rows[0];
+        const columns = Object.keys(firstRow);
+        const placeholders = columns.map(() => "?").join(", ");
+        const insertStmt = db.prepare(
+          `INSERT INTO ${tableName} (${columns.join(", ")}) VALUES (${placeholders})`
+        );
+        for (const row of rows) {
+          const rowData = row;
+          const values = columns.map((col) => rowData[col]);
+          insertStmt.run(...values);
+        }
+      }
+    });
+    transaction();
+  }
+  /**
+   * Import a backup database structure, recreating schema and data.
+   */
+  importFromBackupDatabase(database) {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    const db = this.db;
+    const transaction = db.transaction(() => {
+      const existingTables = db.prepare(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
+      ).all();
+      for (const row of existingTables) {
+        if (!isRecord2(row)) continue;
+        const name = getStringField(row, "name");
+        if (!name) continue;
+        db.exec(`DROP TABLE IF EXISTS "${name}"`);
+      }
+      for (const table of database.tables) {
+        db.exec(table.sql);
+      }
+      for (const [tableName, rows] of Object.entries(database.data)) {
+        if (!Array.isArray(rows) || rows.length === 0) continue;
+        const firstRow = rows[0];
+        if (!isRecord2(firstRow)) continue;
+        const columns = Object.keys(firstRow);
+        if (columns.length === 0) continue;
+        const placeholders = columns.map(() => "?").join(", ");
+        const insertStmt = db.prepare(
+          `INSERT INTO "${tableName}" (${columns.join(", ")}) VALUES (${placeholders})`
+        );
+        for (const row of rows) {
+          if (!isRecord2(row)) continue;
+          const values = columns.map((col) => row[col]);
+          insertStmt.run(...values);
+        }
+      }
+      for (const index of database.indexes) {
+        if (index.sql.trim().length > 0) {
+          db.exec(index.sql);
+        }
+      }
+    });
+    transaction();
+  }
+  /**
+   * Execute a raw SQL query.
+   */
+  exec(sql) {
+    if (!this.db) {
+      throw new Error("Database not open");
+    }
+    this.db.exec(sql);
+  }
+  /**
+   * Get the database file path.
+   */
+  getPath() {
+    return this.dbPath;
+  }
+};
+
+// src/db/index.ts
+var adapter = null;
+async function isDatabaseSetUp() {
+  return hasExistingKey();
+}
+function isDatabaseUnlocked() {
+  return adapter?.isOpen() ?? false;
+}
+async function setupDatabase(password) {
+  const key = await setupNewKey(password);
+  adapter = new NativeSqliteAdapter();
+  await adapter.initialize(key);
+  await persistSession();
+}
+async function unlockDatabase(password) {
+  const key = await unlockWithPassword(password);
+  if (!key) {
+    return false;
+  }
+  adapter = new NativeSqliteAdapter();
+  await adapter.open(key);
+  await persistSession();
+  return true;
+}
+async function restoreDatabaseSession() {
+  const key = await restoreSession();
+  if (!key) {
+    return false;
+  }
+  adapter = new NativeSqliteAdapter();
+  await adapter.open(key);
+  return true;
+}
+function lockDatabase() {
+  if (adapter) {
+    adapter.close();
+    adapter = null;
+  }
+  clearKey();
+}
+function exportBackupDatabase() {
+  if (!adapter || !adapter.isOpen()) {
+    throw new Error("Database not open");
+  }
+  return adapter.exportToBackupDatabase();
+}
+function importBackupDatabase(database) {
+  if (!adapter || !adapter.isOpen()) {
+    throw new Error("Database not open");
+  }
+  adapter.importFromBackupDatabase(database);
+}
+async function changePassword2(oldPassword, newPassword) {
+  const result = await changePassword(oldPassword, newPassword);
+  if (!result) {
+    return false;
+  }
+  if (adapter?.isOpen()) {
+    await adapter.rekeyDatabase(result.newKey);
+  } else {
+    adapter = new NativeSqliteAdapter();
+    await adapter.open(result.oldKey);
+    await adapter.rekeyDatabase(result.newKey);
+  }
+  await persistSession();
+  return true;
+}
+
+// src/utils/prompt.ts
+import { stdin, stdout } from "process";
+import * as readline from "readline/promises";
+async function promptPassword(prompt) {
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  try {
+    stdout.write(prompt);
+    return await new Promise((resolve) => {
+      let input = "";
+      if (stdin.isTTY) {
+        stdin.setRawMode(true);
+      }
+      stdin.resume();
+      stdin.setEncoding("utf8");
+      const onData = (char) => {
+        if (char === "\n" || char === "\r" || char === "") {
+          stdin.removeListener("data", onData);
+          if (stdin.isTTY) {
+            stdin.setRawMode(false);
+          }
+          stdout.write("\n");
+          resolve(input);
+        } else if (char === "") {
+          process.exit(1);
+        } else if (char === "\x7F" || char === "\b") {
+          if (input.length > 0) {
+            input = input.slice(0, -1);
+          }
+        } else {
+          input += char;
+        }
+      };
+      stdin.on("data", onData);
+    });
+  } finally {
+    rl.close();
+  }
+}
+async function promptConfirm(prompt) {
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  try {
+    const answer = await rl.question(prompt);
+    return answer.toLowerCase() === "y" || answer.toLowerCase() === "yes";
+  } finally {
+    rl.close();
+  }
+}
+
+// src/commands/backup.ts
+async function resolveBackupPassword(options) {
+  if (options.password) {
+    return options.password;
+  }
+  const password = await promptPassword("Backup password: ");
+  const confirm = await promptPassword("Confirm backup password: ");
+  if (password !== confirm) {
+    console.error("Passwords do not match.");
+    process.exit(1);
+  }
+  return password;
+}
+async function runBackup(file, options) {
+  if (!await isDatabaseSetUp()) {
+    console.error('Database not set up. Run "tearleads setup" first.');
+    process.exit(1);
+  }
+  if (!isDatabaseUnlocked()) {
+    if (await hasPersistedSession()) {
+      const restored = await restoreDatabaseSession();
+      if (!restored) {
+        console.error('Session expired. Run "tearleads unlock" first.');
+        process.exit(1);
+      }
+    } else {
+      console.error('Database not unlocked. Run "tearleads unlock" first.');
+      process.exit(1);
+    }
+  }
+  const password = await resolveBackupPassword(options);
+  const database = exportBackupDatabase();
+  const manifest = {
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    platform: "cli",
+    appVersion: "cli",
+    blobCount: 0,
+    blobTotalSize: 0
+  };
+  const data = await encode({
+    password,
+    manifest,
+    database,
+    blobs: [],
+    readBlob: async () => {
+      throw new Error("No blob storage configured for CLI");
+    }
+  });
+  const filePath = path3.resolve(file);
+  await fs5.writeFile(filePath, data);
+  console.log(`Backup saved to ${filePath}`);
+}
+var backupCommand = new Command("backup").description("Export database to an encrypted .rbu backup file").argument("<file>", "Output file path").option("-p, --password <password>", "Backup password").action(runBackup);
+
+// src/commands/dump.ts
+import fs6 from "fs/promises";
+import path4 from "path";
+import { Command as Command2 } from "commander";
+async function runDump(folder, options) {
+  let database;
+  if (options.inputFile) {
+    const filePath = path4.resolve(options.inputFile);
+    const password = options.password ? options.password : await promptPassword("Backup password: ");
+    try {
+      const backupData = await fs6.readFile(filePath);
+      const decoded = await decode({
+        data: new Uint8Array(backupData),
+        password
+      });
+      database = decoded.database;
+      if (decoded.blobs.length > 0) {
+        console.warn(
+          `Warning: backup contains ${decoded.blobs.length} blobs that will be ignored.`
+        );
+      }
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        console.error(`File not found: ${filePath}`);
+      } else {
+        console.error(
+          err instanceof Error ? err.message : "Failed to read or decode backup file."
+        );
+      }
+      process.exit(1);
+    }
+  } else {
+    if (!await isDatabaseSetUp()) {
+      console.error('Database not set up. Run "tearleads setup" first.');
+      process.exit(1);
+    }
+    if (!isDatabaseUnlocked()) {
+      const canRestore = await hasPersistedSession();
+      if (!canRestore || !await restoreDatabaseSession()) {
+        const message = canRestore ? 'Session expired. Run "tearleads unlock" first.' : 'Database not unlocked. Run "tearleads unlock" first.';
+        console.error(message);
+        process.exit(1);
+      }
+    }
+    database = exportBackupDatabase();
+  }
+  const outputPath = path4.resolve(folder);
+  try {
+    const stat = await fs6.stat(outputPath);
+    if (stat.isDirectory()) {
+      if (!options.force) {
+        const confirmed = await promptConfirm(
+          `Folder ${outputPath} exists. Overwrite? (y/n): `
+        );
+        if (!confirmed) {
+          console.log("Dump cancelled.");
+          return;
+        }
+      }
+      await fs6.rm(outputPath, { recursive: true });
+    } else {
+      console.error(`${outputPath} exists and is not a directory.`);
+      process.exit(1);
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error(
+        `Error checking output path "${outputPath}": ${err.message}`
+      );
+      process.exit(1);
+    }
+  }
+  await fs6.mkdir(outputPath, { recursive: true });
+  await fs6.mkdir(path4.join(outputPath, "tables"), { recursive: true });
+  if (options.blobs !== false) {
+    await fs6.mkdir(path4.join(outputPath, "files"), { recursive: true });
+  }
+  const manifest = {
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    platform: "cli",
+    appVersion: "cli",
+    exportedTables: database.tables.map((t) => t.name),
+    blobCount: 0,
+    blobTotalSize: 0
+  };
+  await fs6.writeFile(
+    path4.join(outputPath, "manifest.json"),
+    JSON.stringify(manifest, null, 2)
+  );
+  const schema = {
+    tables: database.tables,
+    indexes: database.indexes
+  };
+  await fs6.writeFile(
+    path4.join(outputPath, "schema.json"),
+    JSON.stringify(schema, null, 2)
+  );
+  for (const table of database.tables) {
+    const tableData = database.data[table.name] ?? [];
+    await fs6.writeFile(
+      path4.join(outputPath, "tables", `${table.name}.json`),
+      JSON.stringify(tableData, null, 2)
+    );
+  }
+  console.log(`Database dumped to ${outputPath}`);
+  console.log(`  Tables: ${database.tables.length}`);
+}
+var dumpCommand = new Command2("dump").description("Export database to unencrypted JSON files").argument("<folder>", "Output folder path").option(
+  "-f, --input-file <file>",
+  "Read from .rbu backup file instead of live database"
+).option(
+  "-p, --password <password>",
+  "Backup file password (used with --input-file)"
+).option("--force", "Overwrite existing folder without confirmation").option("--no-blobs", "Skip files directory").action(runDump);
+
+// src/commands/lock.ts
+import { Command as Command3 } from "commander";
+async function runLock() {
+  await lockDatabase();
+  console.log("Database locked.");
+}
+var lockCommand = new Command3("lock").description("Lock the database").action(runLock);
+
+// src/commands/password.ts
+import { Command as Command4 } from "commander";
+async function runPassword() {
+  if (!await isDatabaseSetUp()) {
+    console.error('Database not set up. Run "tearleads setup" first.');
+    process.exit(1);
+  }
+  const oldPassword = await promptPassword("Current password: ");
+  const newPassword = await promptPassword("New password: ");
+  if (!newPassword) {
+    console.error("Password cannot be empty.");
+    process.exit(1);
+  }
+  const confirm = await promptPassword("Confirm new password: ");
+  if (newPassword !== confirm) {
+    console.error("Passwords do not match.");
+    process.exit(1);
+  }
+  const success = await changePassword2(oldPassword, newPassword);
+  if (!success) {
+    console.error("Incorrect current password.");
+    process.exit(1);
+  }
+  console.log("Password changed successfully.");
+}
+var passwordCommand = new Command4("password").description("Change database password").action(runPassword);
+
+// src/commands/restore.ts
+import fs7 from "fs/promises";
+import path5 from "path";
+import { Command as Command5 } from "commander";
+async function runRestore(file, options) {
+  const filePath = path5.resolve(file);
+  try {
+    await fs7.access(filePath);
+  } catch {
+    console.error(`File not found: ${filePath}`);
+    process.exit(1);
+  }
+  if (!await isDatabaseSetUp()) {
+    console.error('Database not set up. Run "tearleads setup" first.');
+    process.exit(1);
+  }
+  if (!isDatabaseUnlocked()) {
+    if (await hasPersistedSession()) {
+      const restored = await restoreDatabaseSession();
+      if (!restored) {
+        console.error('Session expired. Run "tearleads unlock" first.');
+        process.exit(1);
+      }
+    } else {
+      console.error('Database not unlocked. Run "tearleads unlock" first.');
+      process.exit(1);
+    }
+  }
+  if (!options.force) {
+    const confirmed = await promptConfirm(
+      "This will overwrite existing data. Continue? (y/n): "
+    );
+    if (!confirmed) {
+      console.log("Restore cancelled.");
+      return;
+    }
+  }
+  const password = options.password ? options.password : await promptPassword("Backup password: ");
+  const backupData = await fs7.readFile(filePath);
+  let decoded;
+  try {
+    decoded = await decode({ data: new Uint8Array(backupData), password });
+  } catch (err) {
+    console.error(
+      err instanceof Error ? err.message : "Failed to decode backup file."
+    );
+    process.exit(1);
+  }
+  if (decoded.blobs.length > 0) {
+    console.warn(
+      `Warning: backup contains ${decoded.blobs.length} blobs that will be ignored in the CLI restore.`
+    );
+  }
+  importBackupDatabase(decoded.database);
+  console.log("Database restored successfully.");
+}
+var restoreCommand = new Command5("restore").description("Restore database from a backup file").argument("<file>", "Backup file path").option("-f, --force", "Overwrite without confirmation").option("-p, --password <password>", "Backup password").action(runRestore);
+
+// src/commands/setup.ts
+import { Command as Command6 } from "commander";
+async function runSetup() {
+  if (await isDatabaseSetUp()) {
+    console.error(
+      'Database already set up. Use "tearleads password" to change password.'
+    );
+    process.exit(1);
+  }
+  const password = await promptPassword("Enter password: ");
+  if (!password) {
+    console.error("Password cannot be empty.");
+    process.exit(1);
+  }
+  const confirm = await promptPassword("Confirm password: ");
+  if (password !== confirm) {
+    console.error("Passwords do not match.");
+    process.exit(1);
+  }
+  await setupDatabase(password);
+  console.log("Database initialized successfully.");
+}
+var setupCommand = new Command6("setup").description("Initialize a new encrypted database").action(runSetup);
+
+// src/commands/unlock.ts
+import { Command as Command7 } from "commander";
+async function runUnlock() {
+  if (!await isDatabaseSetUp()) {
+    console.error('Database not set up. Run "tearleads setup" first.');
+    process.exit(1);
+  }
+  if (isDatabaseUnlocked()) {
+    console.log("Database already unlocked.");
+    return;
+  }
+  if (await hasPersistedSession()) {
+    const restored = await restoreDatabaseSession();
+    if (restored) {
+      console.log("Database unlocked (session restored).");
+      return;
+    }
+  }
+  const password = await promptPassword("Enter password: ");
+  const success = await unlockDatabase(password);
+  if (!success) {
+    console.error("Incorrect password.");
+    process.exit(1);
+  }
+  console.log("Database unlocked.");
+}
+var unlockCommand = new Command7("unlock").description("Unlock the database").action(runUnlock);
+
+// src/index.ts
+var program = new Command8();
+program.name("tearleads").description("Tearleads CLI for database management").version("0.0.1");
+program.addCommand(setupCommand);
+program.addCommand(unlockCommand);
+program.addCommand(lockCommand);
+program.addCommand(backupCommand);
+program.addCommand(dumpCommand);
+program.addCommand(restoreCommand);
+program.addCommand(passwordCommand);
+program.parse();
+//# sourceMappingURL=index.js.map