@tom2012/cc-web 2026.4.19-s → 2026.4.19-t

package/backend/dist/routes/sync.js

@@ -0,0 +1,183 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = require("express");
+const config_1 = require("../config");
+const sync_config_1 = require("../sync-config");
+const sync_scheduler_1 = require("../sync-scheduler");
+const sync_service_1 = require("../sync-service");
+const router = (0, express_1.Router)();
+const VALID_DIRECTIONS = ['push', 'pull', 'bidirectional'];
+const VALID_AUTH = ['key', 'password'];
+function requireUser(req, res) {
+    const u = req.user?.username;
+    if (!u) {
+        res.status(401).json({ error: 'Unauthenticated' });
+        return null;
+    }
+    return u;
+}
+// GET /api/sync/config  → current user's config (password redacted)
+router.get('/config', (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    res.json((0, sync_config_1.publicConfig)((0, sync_config_1.getSyncConfig)(user)));
+});
+// PUT /api/sync/config  body: Partial<SyncConfig> with plain `password` for pw auth
+router.put('/config', (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    const body = (req.body ?? {});
+    const existing = (0, sync_config_1.getSyncConfig)(user);
+    const next = { ...existing };
+    if (typeof body.host === 'string')
+        next.host = body.host.trim();
+    if (typeof body.port === 'number' && body.port > 0 && body.port < 65536)
+        next.port = body.port;
+    if (typeof body.user === 'string')
+        next.user = body.user.trim();
+    if (body.authMethod && VALID_AUTH.includes(body.authMethod))
+        next.authMethod = body.authMethod;
+    if (typeof body.keyPath === 'string') {
+        const candidate = body.keyPath.trim();
+        if (candidate && !(0, sync_config_1.isValidKeyPath)(candidate)) {
+            res.status(400).json({ error: 'keyPath 不能包含空格、引号、反斜杠、null 字节，或以 `-` 开头（防止 ssh 参数注入）' });
+            return;
+        }
+        next.keyPath = candidate || undefined;
+    }
+    if (typeof body.remoteRoot === 'string') {
+        const rr = body.remoteRoot.trim().replace(/\/+$/, '');
+        // Remote root should be an absolute path; relative would be interpreted
+        // relative to the ssh user's home, which is easy to misconfigure.
+        if (rr && !rr.startsWith('/')) {
+            res.status(400).json({ error: 'remoteRoot 必须是绝对路径（/ 开头）' });
+            return;
+        }
+        next.remoteRoot = rr;
+    }
+    if (body.direction && VALID_DIRECTIONS.includes(body.direction))
+        next.direction = body.direction;
+    if (Array.isArray(body.defaultExcludes)) {
+        next.defaultExcludes = body.defaultExcludes
+            .filter((v) => typeof v === 'string')
+            .map((s) => s.trim())
+            .filter(Boolean)
+            .slice(0, 200); // prevent DoS via 10K-item excludes
+    }
+    if (body.schedule && typeof body.schedule === 'object') {
+        const sch = body.schedule;
+        const cron = typeof sch.cron === 'string' && sch.cron.trim() ? sch.cron.trim() : existing.schedule.cron;
+        // Validate cron now so silent "enabled but never fires" doesn't happen.
+        const cronErr = (0, sync_scheduler_1.validateCron)(cron);
+        if (cronErr) {
+            res.status(400).json({ error: `cron 表达式无效: ${cronErr}` });
+            return;
+        }
+        next.schedule = { enabled: !!sch.enabled, cron };
+    }
+    if (body.projectExcludes && typeof body.projectExcludes === 'object') {
+        const pe = {};
+        for (const [k, v] of Object.entries(body.projectExcludes)) {
+            if (Array.isArray(v)) {
+                pe[k] = v
+                    .filter((x) => typeof x === 'string')
+                    .map((s) => s.trim())
+                    .filter(Boolean)
+                    .slice(0, 200);
+            }
+        }
+        next.projectExcludes = pe;
+    }
+    // Password: only update if explicitly provided
+    if (typeof body.password === 'string') {
+        if (body.password === '') {
+            next.passwordEnc = undefined;
+            next.passwordFp = undefined;
+        }
+        else {
+            const { enc, fp } = (0, sync_config_1.encryptPassword)(body.password);
+            next.passwordEnc = enc;
+            next.passwordFp = fp;
+        }
+    }
+    (0, sync_config_1.setSyncConfig)(next);
+    res.json((0, sync_config_1.publicConfig)((0, sync_config_1.getSyncConfig)(user)));
+});
+// POST /api/sync/reset — revert to defaults (keeps nothing)
+router.post('/reset', (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    (0, sync_config_1.setSyncConfig)({ username: user, ...sync_config_1.DEFAULT_CONFIG });
+    res.json((0, sync_config_1.publicConfig)((0, sync_config_1.getSyncConfig)(user)));
+});
+// POST /api/sync/test — ssh <host> true
+router.post('/test', async (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    const result = await (0, sync_service_1.testConnection)(user);
+    res.json(result);
+});
+// POST /api/sync/project/:id  — sync one project using configured direction
+// Optional body: { direction: 'push'|'pull' } to override for this call.
+router.post('/project/:id', async (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    const project = (0, config_1.getProject)(req.params.id);
+    if (!project) {
+        res.status(404).json({ error: 'Project not found' });
+        return;
+    }
+    if (!(0, config_1.isProjectOwner)(project, user)) {
+        res.status(403).json({ error: 'Forbidden' });
+        return;
+    }
+    const body = (req.body ?? {});
+    const override = body.direction && VALID_DIRECTIONS.includes(body.direction)
+        ? body.direction
+        : undefined;
+    const result = await (0, sync_service_1.syncProject)(user, project.id, project.name, project.folderPath, override);
+    res.json(result);
+});
+// POST /api/sync/all — sync every owned, non-archived project in sequence.
+// Sequential (not parallel) because rsync is bandwidth-bound; parallel
+// streams just contend for the same pipe.
+router.post('/all', async (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    const projects = (0, config_1.getProjects)().filter((p) => !p.archived && (0, config_1.isProjectOwner)(p, user));
+    const results = [];
+    for (const p of projects) {
+        const r = await (0, sync_service_1.syncProject)(user, p.id, p.name, p.folderPath);
+        results.push({
+            projectId: p.id,
+            name: p.name,
+            ok: r.ok,
+            skipped: r.skipped,
+            reason: r.reason,
+            bytes: r.bytes,
+        });
+    }
+    res.json({ total: projects.length, results });
+});
+// GET /api/sync/status  → { inFlight: string[] }
+router.get('/status', (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    res.json({ inFlight: (0, sync_service_1.listInFlight)(user) });
+});
+// GET /api/sync/status/:id  → boolean for a single project
+router.get('/status/:id', (req, res) => {
+    const user = requireUser(req, res);
+    if (!user)
+        return;
+    res.json({ syncing: (0, sync_service_1.isSyncing)(user, req.params.id) });
+});
+exports.default = router;
+//# sourceMappingURL=sync.js.map

package/backend/dist/routes/sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.js","sourceRoot":"","sources":["../../src/routes/sync.ts"],"names":[],"mappings":";;AAAA,qCAA2C;AAE3C,sCAAoE;AACpE,gDAIwB;AACxB,sDAAiD;AACjD,kDAAuF;AAEvF,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;AAExB,MAAM,gBAAgB,GAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;AAC5E,MAAM,UAAU,GAAiB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;AAErD,SAAS,WAAW,CAAC,GAAgB,EAAE,GAAa;IAClD,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC;IAC7B,IAAI,CAAC,CAAC,EAAE,CAAC;QAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAC5E,OAAO,CAAC,CAAC;AACX,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAE,EAAE;IACxD,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,GAAG,CAAC,IAAI,CAAC,IAAA,0BAAY,EAAC,IAAA,2BAAa,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC,CAAC,CAAC;AAEH,oFAAoF;AACpF,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAE,EAAE;IACxD,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAgD,CAAC;IAC7E,MAAM,QAAQ,GAAG,IAAA,2BAAa,EAAC,IAAI,CAAC,CAAC;IAErC,MAAM,IAAI,GAAe,EAAE,GAAG,QAAQ,EAAE,CAAC;IACzC,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IAChE,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,GAAG,KAAK;QAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAC/F,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IAChE,IAAI,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;QAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE/F,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,SAAS,IAAI,CAAC,IAAA,4BAAc,EAAC,SAAS,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sDAAsD,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,SAAS,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACtD,wEAAwE;QACxE,kEAAkE;QAClE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;IACvB,CAAC;IAED,IAAI,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IAEjG,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe;aACxC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;aACjD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;aACf,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,oCAAoC;IACxD,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAgD,CAAC;QAClE,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;QACxG,wEAAwE;QACxE,MAAM,OAAO,GAAG,IAAA,6BAAY,EAAC,IAAI,CAAC,CAAC;QACnC,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,IAAI,CAAC,eAAe,IAAI,OAAO,IAAI,CAAC,eAAe,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,EAAE,GAA6B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrB,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;qBACN,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;qBACjD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;qBACpB,MAAM,CAAC,OAAO,CAAC;qBACf,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;IAC5B,CAAC;IAED,+CAA+C;IAC/C,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACtC,IAAI,IAAI,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,GAAG,SAAS,CAAC;YAC7B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAA,6BAAe,EAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC;YACvB,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAA,2BAAa,EAAC,IAAI,CAAC,CAAC;IACpB,GAAG,CAAC,IAAI,CAAC,IAAA,0BAAY,EAAC,IAAA,2BAAa,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC,CAAC,CAAC;AAEH,4DAA4D;AAC5D,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAE,EAAE;IACxD,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,IAAA,2BAAa,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,4BAAc,EAAE,CAAC,CAAC;IACrD,GAAG,CAAC,IAAI,CAAC,IAAA,0BAAY,EAAC,IAAA,2BAAa,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC,CAAC,CAAC;AAEH,wCAAwC;AACxC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAa,EAAE,EAAE;IAC7D,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAc,EAAC,IAAI,CAAC,CAAC;IAC1C,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACnB,CAAC,CAAC,CAAC;AAEH,4EAA4E;AAC5E,yEAAyE;AACzE,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAa,EAAE,EAAE;IACpE,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;QAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAAC,OAAO;IAAC,CAAC;IAC/E,IAAI,CAAC,IAAA,uBAAc,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;QAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAAC,OAAO;IAAC,CAAC;IAC7F,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAkC,CAAC;IAC/D,MAAM,QAAQ,GACZ,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC,SAAS;QAChB,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,IAAA,0BAAW,EAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC/F,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACnB,CAAC,CAAC,CAAC;AAEH,2EAA2E;AAC3E,uEAAuE;AACvE,0CAA0C;AAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAa,EAAE,EAAE;IAC5D,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,QAAQ,GAAG,IAAA,oBAAW,GAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,IAAA,uBAAc,EAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;IACrF,MAAM,OAAO,GAA+G,EAAE,CAAC;IAC/H,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,MAAM,IAAA,0BAAW,EAAC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,CAAC,CAAC,EAAE;YACf,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,iDAAiD;AACjD,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAE,EAAE;IACxD,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAA,2BAAY,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC7C,CAAC,CAAC,CAAC;AAEH,2DAA2D;AAC3D,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAE,EAAE;IAC5D,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAA,wBAAS,EAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;AACxD,CAAC,CAAC,CAAC;AAEH,kBAAe,MAAM,CAAC"}

package/backend/dist/sync-config.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Per-user rsync sync configuration.
+ *
+ * Layout: one file per user at `<DATA_DIR>/sync-config/<sha1(username)>.json`.
+ * The filename is a hash of the real username so usernames containing `.`,
+ * spaces, or any non-[A-Za-z0-9_-] character don't round-trip lossily (the
+ * earlier simple-sanitize approach collided `tom.admin` with `tom_admin` and
+ * broke scheduler lookup).  The real username is stored inside the JSON as
+ * `username` so `listUsersWithSyncConfig()` can return the actual strings.
+ *
+ * Passwords are encrypted with AES-256-GCM using a key derived from the
+ * server's JWT secret.  A 4-byte fingerprint of the derived key is stored
+ * alongside `passwordEnc` so a jwtSecret rotation (e.g. user re-runs setup,
+ * config.json regenerated) is detected at read time and the public config
+ * exposes `passwordNeedsReset: true` instead of silently returning the
+ * wedged ciphertext.
+ */
+export type SyncDirection = 'push' | 'pull' | 'bidirectional';
+export type AuthMethod = 'key' | 'password';
+export interface SyncConfig {
+    username: string;
+    host: string;
+    port: number;
+    user: string;
+    authMethod: AuthMethod;
+    keyPath?: string;
+    passwordEnc?: string;
+    passwordFp?: string;
+    remoteRoot: string;
+    direction: SyncDirection;
+    defaultExcludes: string[];
+    schedule: {
+        enabled: boolean;
+        cron: string;
+    };
+    projectExcludes: Record<string, string[]>;
+}
+export declare const DEFAULT_CONFIG: Omit<SyncConfig, 'username'>;
+export declare function encryptPassword(plain: string): {
+    enc: string;
+    fp: string;
+};
+export declare function decryptPassword(blob: string, expectedFp?: string): string;
+export declare function isValidKeyPath(p: string | undefined | null): boolean;
+/** A project folder name used on the remote must not contain path separators
+ *  or start with `.`/`-` so `rsync ... remote:root/<name>/` stays inside
+ *  `remoteRoot`.  `path.posix.join` does not protect against `..`. */
+export declare function sanitizeFolderName(raw: string): string | null;
+export declare function getSyncConfig(username: string): SyncConfig;
+export declare function setSyncConfig(cfg: SyncConfig): void;
+export declare function listUsersWithSyncConfig(): string[];
+/**
+ * Client-safe projection. Never leaks the password ciphertext. Sets
+ * `passwordNeedsReset` when the stored ciphertext was encrypted with a key
+ * the server no longer holds (jwtSecret rotated) — the UI should prompt for
+ * re-entry instead of silently rendering `passwordSet: true`.
+ */
+export declare function publicConfig(cfg: SyncConfig): Omit<SyncConfig, 'passwordEnc' | 'passwordFp'> & {
+    passwordSet: boolean;
+    passwordNeedsReset: boolean;
+};
+//# sourceMappingURL=sync-config.d.ts.map

package/backend/dist/sync-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync-config.d.ts","sourceRoot":"","sources":["../src/sync-config.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,MAAM,GAAG,eAAe,CAAC;AAC9D,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,UAAU,CAAC;AAE5C,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,UAAU,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,aAAa,CAAC;IACzB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7C,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC3C;AAeD,eAAO,MAAM,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,UAAU,CAUvD,CAAC;AA0BF,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAU1E;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAezE;AASD,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAGpE;AAED;;sEAEsE;AACtE,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAO7D;AAID,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAc1D;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAInD;AAED,wBAAgB,uBAAuB,IAAI,MAAM,EAAE,CAgBlD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,GAAG,YAAY,CAAC,GAAG;IAC9F,WAAW,EAAE,OAAO,CAAC;IACrB,kBAAkB,EAAE,OAAO,CAAC;CAC7B,CAKA"}

package/backend/dist/sync-config.js

@@ -0,0 +1,207 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_CONFIG = void 0;
+exports.encryptPassword = encryptPassword;
+exports.decryptPassword = decryptPassword;
+exports.isValidKeyPath = isValidKeyPath;
+exports.sanitizeFolderName = sanitizeFolderName;
+exports.getSyncConfig = getSyncConfig;
+exports.setSyncConfig = setSyncConfig;
+exports.listUsersWithSyncConfig = listUsersWithSyncConfig;
+exports.publicConfig = publicConfig;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto = __importStar(require("crypto"));
+const config_1 = require("./config");
+const DEFAULT_EXCLUDES = [
+    '.git/', // full .git (prev only excluded objects/, which left a broken repo)
+    'node_modules/',
+    'dist/',
+    'build/',
+    '.next/',
+    '.venv/',
+    '__pycache__/',
+    '.DS_Store',
+    '*.log',
+    '*.tmp',
+];
+exports.DEFAULT_CONFIG = {
+    host: '',
+    port: 22,
+    user: '',
+    authMethod: 'key',
+    remoteRoot: '',
+    direction: 'push',
+    defaultExcludes: DEFAULT_EXCLUDES,
+    schedule: { enabled: false, cron: '0 3 * * *' },
+    projectExcludes: {},
+};
+const SYNC_DIR = path.join(config_1.DATA_DIR, 'sync-config');
+function ensureDir() {
+    if (!fs.existsSync(SYNC_DIR))
+        fs.mkdirSync(SYNC_DIR, { recursive: true, mode: 0o700 });
+}
+function userFile(username) {
+    // Hash-based filenames: usernames may contain any unicode. sha1 is fine
+    // here because this is a lookup key, not a security token.
+    const hash = crypto.createHash('sha1').update(`ccweb-sync-user:${username}`).digest('hex');
+    return path.join(SYNC_DIR, `${hash}.json`);
+}
+// ── Crypto ───────────────────────────────────────────────────────────────────
+function getKey() {
+    const secret = (0, config_1.getConfig)().jwtSecret;
+    return crypto.createHash('sha256').update(`ccweb-sync:${secret}`).digest();
+}
+function keyFingerprint() {
+    return getKey().subarray(0, 4).toString('hex');
+}
+function encryptPassword(plain) {
+    if (!plain)
+        return { enc: '', fp: '' };
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', getKey(), iv);
+    const enc = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        enc: Buffer.concat([iv, tag, enc]).toString('base64'),
+        fp: keyFingerprint(),
+    };
+}
+function decryptPassword(blob, expectedFp) {
+    if (!blob)
+        return '';
+    if (expectedFp && expectedFp !== keyFingerprint())
+        return ''; // key rotated — refuse
+    try {
+        const buf = Buffer.from(blob, 'base64');
+        if (buf.length < 28)
+            return '';
+        const iv = buf.subarray(0, 12);
+        const tag = buf.subarray(12, 28);
+        const enc = buf.subarray(28);
+        const decipher = crypto.createDecipheriv('aes-256-gcm', getKey(), iv);
+        decipher.setAuthTag(tag);
+        return Buffer.concat([decipher.update(enc), decipher.final()]).toString('utf8');
+    }
+    catch {
+        return '';
+    }
+}
+// ── Validation ───────────────────────────────────────────────────────────────
+/** Reject paths that would let a user inject ssh options through rsync's
+ *  `-e` string tokenization or ssh's own getopt (keyPath beginning with `-`
+ *  is read as another option). */
+const INVALID_KEYPATH = /[\s'"\\\x00]|^-/;
+function isValidKeyPath(p) {
+    if (!p)
+        return true; // missing is OK (caller decides whether required)
+    return !INVALID_KEYPATH.test(p) && p.length < 512;
+}
+/** A project folder name used on the remote must not contain path separators
+ *  or start with `.`/`-` so `rsync ... remote:root/<name>/` stays inside
+ *  `remoteRoot`.  `path.posix.join` does not protect against `..`. */
+function sanitizeFolderName(raw) {
+    if (!raw)
+        return null;
+    if (raw.includes('/') || raw.includes('\\') || raw.includes('\0'))
+        return null;
+    if (raw === '.' || raw === '..')
+        return null;
+    if (raw.startsWith('.') || raw.startsWith('-'))
+        return null;
+    if (raw.length > 128)
+        return null;
+    return raw;
+}
+// ── Read / Write ─────────────────────────────────────────────────────────────
+function getSyncConfig(username) {
+    ensureDir();
+    const file = userFile(username);
+    if (!fs.existsSync(file))
+        return { username, ...exports.DEFAULT_CONFIG };
+    try {
+        const raw = fs.readFileSync(file, 'utf-8');
+        const parsed = JSON.parse(raw);
+        // username comes from the argument (authoritative) — if the file's
+        // `username` field is missing / stale / tampered, the argument wins.
+        const { username: _ignored, ...rest } = parsed;
+        return { ...exports.DEFAULT_CONFIG, ...rest, username };
+    }
+    catch {
+        return { username, ...exports.DEFAULT_CONFIG };
+    }
+}
+function setSyncConfig(cfg) {
+    ensureDir();
+    (0, config_1.atomicWriteSync)(userFile(cfg.username), JSON.stringify(cfg, null, 2));
+    try {
+        fs.chmodSync(userFile(cfg.username), 0o600);
+    }
+    catch { /* ignore */ }
+}
+function listUsersWithSyncConfig() {
+    ensureDir();
+    try {
+        const files = fs.readdirSync(SYNC_DIR).filter((f) => f.endsWith('.json'));
+        const users = [];
+        for (const f of files) {
+            try {
+                const raw = fs.readFileSync(path.join(SYNC_DIR, f), 'utf-8');
+                const obj = JSON.parse(raw);
+                if (typeof obj.username === 'string' && obj.username)
+                    users.push(obj.username);
+            }
+            catch { /* skip corrupt entries */ }
+        }
+        return users;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Client-safe projection. Never leaks the password ciphertext. Sets
+ * `passwordNeedsReset` when the stored ciphertext was encrypted with a key
+ * the server no longer holds (jwtSecret rotated) — the UI should prompt for
+ * re-entry instead of silently rendering `passwordSet: true`.
+ */
+function publicConfig(cfg) {
+    const { passwordEnc, passwordFp, ...rest } = cfg;
+    const set = !!passwordEnc;
+    const wedged = set && !!passwordFp && passwordFp !== keyFingerprint();
+    return { ...rest, passwordSet: set && !wedged, passwordNeedsReset: wedged };
+}
+//# sourceMappingURL=sync-config.js.map

package/backend/dist/sync-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync-config.js","sourceRoot":"","sources":["../src/sync-config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,0CAUC;AAED,0CAeC;AASD,wCAGC;AAKD,gDAOC;AAID,sCAcC;AAED,sCAIC;AAED,0DAgBC;AAQD,oCAQC;AAxMD,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AACjC,qCAAgE;AAuChE,MAAM,gBAAgB,GAAG;IACvB,OAAO,EAAoB,oEAAoE;IAC/F,eAAe;IACf,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,cAAc;IACd,WAAW;IACX,OAAO;IACP,OAAO;CACR,CAAC;AAEW,QAAA,cAAc,GAAiC;IAC1D,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,UAAU,EAAE,KAAK;IACjB,UAAU,EAAE,EAAE;IACd,SAAS,EAAE,MAAM;IACjB,eAAe,EAAE,gBAAgB;IACjC,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE;IAC/C,eAAe,EAAE,EAAE;CACpB,CAAC;AAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAQ,EAAE,aAAa,CAAC,CAAC;AAEpD,SAAS,SAAS;IAChB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACzF,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB;IAChC,wEAAwE;IACxE,2DAA2D;IAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3F,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF,SAAS,MAAM;IACb,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC,SAAS,CAAC;IACrC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;AAC7E,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC;AAED,SAAgB,eAAe,CAAC,KAAa;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;IACvC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC1E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACrD,EAAE,EAAE,cAAc,EAAE;KACrB,CAAC;AACJ,CAAC;AAED,SAAgB,eAAe,CAAC,IAAY,EAAE,UAAmB;IAC/D,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,UAAU,IAAI,UAAU,KAAK,cAAc,EAAE;QAAE,OAAO,EAAE,CAAC,CAAC,uBAAuB;IACrF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACxC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,EAAE,CAAC;QAC/B,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACtE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;kCAEkC;AAClC,MAAM,eAAe,GAAG,iBAAiB,CAAC;AAE1C,SAAgB,cAAc,CAAC,CAA4B;IACzD,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,kDAAkD;IACvE,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC;AACpD,CAAC;AAED;;sEAEsE;AACtE,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/E,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,gFAAgF;AAEhF,SAAgB,aAAa,CAAC,QAAgB;IAC5C,SAAS,EAAE,CAAC;IACZ,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,sBAAc,EAAE,CAAC;IACjE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwB,CAAC;QACtD,mEAAmE;QACnE,qEAAqE;QACrE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC;QAC/C,OAAO,EAAE,GAAG,sBAAc,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,GAAG,sBAAc,EAAE,CAAC;IACzC,CAAC;AACH,CAAC;AAED,SAAgB,aAAa,CAAC,GAAe;IAC3C,SAAS,EAAE,CAAC;IACZ,IAAA,wBAAe,EAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC;QAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;AAC7E,CAAC;AAED,SAAgB,uBAAuB;IACrC,SAAS,EAAE,CAAC;IACZ,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1E,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0B,CAAC;gBACrD,IAAI,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ;oBAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjF,CAAC;YAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,GAAe;IAI1C,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,GAAG,CAAC;IACjD,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,CAAC;IAC1B,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,UAAU,IAAI,UAAU,KAAK,cAAc,EAAE,CAAC;IACtE,OAAO,EAAE,GAAG,IAAI,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,kBAAkB,EAAE,MAAM,EAAE,CAAC;AAC9E,CAAC"}

package/backend/dist/sync-scheduler.d.ts

@@ -0,0 +1,7 @@
+/** Human-readable error or `null` if valid. Consumed by `routes/sync.ts` at
+ *  save-time so invalid crons are rejected with a 400 instead of silently
+ *  being "enabled but never fires". */
+export declare function validateCron(expr: string): string | null;
+export declare function startSyncScheduler(): void;
+export declare function stopSyncScheduler(): void;
+//# sourceMappingURL=sync-scheduler.d.ts.map

package/backend/dist/sync-scheduler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync-scheduler.d.ts","sourceRoot":"","sources":["../src/sync-scheduler.ts"],"names":[],"mappings":"AAkFA;;uCAEuC;AACvC,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAOxD;AAkDD,wBAAgB,kBAAkB,IAAI,IAAI,CAWzC;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAIxC"}

package/backend/dist/sync-scheduler.js

@@ -0,0 +1,157 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateCron = validateCron;
+exports.startSyncScheduler = startSyncScheduler;
+exports.stopSyncScheduler = stopSyncScheduler;
+const config_1 = require("./config");
+const sync_config_1 = require("./sync-config");
+const sync_service_1 = require("./sync-service");
+/** Return parsed cron or `null` if invalid.  Refuses empty-Set fields (e.g.
+ *  `9-5` with A>B) and invalid step (`*\/0`) rather than silently accepting
+ *  them as "never fires" / "every minute". */
+function parseField(raw, min, max) {
+    const out = new Set();
+    for (const segment of raw.split(',')) {
+        const part = segment.trim();
+        if (!part)
+            return null;
+        let step = 1;
+        let rangePart = part;
+        const slashIdx = part.indexOf('/');
+        if (slashIdx >= 0) {
+            const stepRaw = part.slice(slashIdx + 1);
+            const parsed = parseInt(stepRaw, 10);
+            if (!Number.isFinite(parsed) || parsed <= 0)
+                return null;
+            step = parsed;
+            rangePart = part.slice(0, slashIdx);
+        }
+        let start = min;
+        let end = max;
+        if (rangePart === '*') {
+            /* full range */
+        }
+        else if (rangePart.includes('-')) {
+            const [aStr, bStr] = rangePart.split('-');
+            const a = parseInt(aStr, 10);
+            const b = parseInt(bStr, 10);
+            if (!Number.isFinite(a) || !Number.isFinite(b))
+                return null;
+            if (a > b)
+                return null; // A>B would yield empty Set
+            if (a < min || b > max)
+                return null; // out-of-range
+            start = a;
+            end = b;
+        }
+        else {
+            const n = parseInt(rangePart, 10);
+            if (!Number.isFinite(n) || n < min || n > max)
+                return null;
+            start = end = n;
+        }
+        for (let v = start; v <= end; v += step) {
+            if (v >= min && v <= max)
+                out.add(v);
+        }
+    }
+    if (out.size === 0)
+        return null;
+    return out;
+}
+function parseCron(expr) {
+    const parts = expr.trim().split(/\s+/);
+    if (parts.length !== 5)
+        return null;
+    const [m, h, dom, mo, dow] = parts;
+    const minute = parseField(m, 0, 59);
+    const hour = parseField(h, 0, 23);
+    const domS = parseField(dom, 1, 31);
+    const month = parseField(mo, 1, 12);
+    const dowS = parseField(dow, 0, 6);
+    if (!minute || !hour || !domS || !month || !dowS)
+        return null;
+    return { minute, hour, dom: domS, month, dow: dowS };
+}
+/** Human-readable error or `null` if valid. Consumed by `routes/sync.ts` at
+ *  save-time so invalid crons are rejected with a 400 instead of silently
+ *  being "enabled but never fires". */
+function validateCron(expr) {
+    if (!expr || !expr.trim())
+        return '空表达式';
+    const parts = expr.trim().split(/\s+/);
+    if (parts.length !== 5)
+        return `必须是 5 段（分 时 日 月 周），当前 ${parts.length} 段`;
+    const parsed = parseCron(expr);
+    if (!parsed)
+        return '包含无效字段、空范围（如 9-5）、或步长为 0';
+    return null;
+}
+function matches(cron, now) {
+    return (cron.minute.has(now.getMinutes()) &&
+        cron.hour.has(now.getHours()) &&
+        cron.dom.has(now.getDate()) &&
+        cron.month.has(now.getMonth() + 1) &&
+        cron.dow.has(now.getDay()));
+}
+// ── Scheduler state ─────────────────────────────────────────────────────────
+let interval = null;
+let timeoutHandle = null;
+/** Keyed by username — the last `YYYYMMDDHHMM` key at which we fired.  Guards
+ *  against DST fall-back double-fires (same minute + hour twice in one day)
+ *  and any scheduler-tick drift. */
+const lastRunKey = new Map();
+function minuteKey(d) {
+    const pad = (n) => String(n).padStart(2, '0');
+    return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}${pad(d.getHours())}${pad(d.getMinutes())}`;
+}
+async function runScheduledOnce(now) {
+    const currentKey = minuteKey(now);
+    const users = (0, sync_config_1.listUsersWithSyncConfig)();
+    for (const username of users) {
+        const cfg = (0, sync_config_1.getSyncConfig)(username);
+        if (!cfg.schedule.enabled || !cfg.schedule.cron)
+            continue;
+        const parsed = parseCron(cfg.schedule.cron);
+        if (!parsed || !matches(parsed, now))
+            continue;
+        // De-dupe per-minute (DST + tick jitter)
+        if (lastRunKey.get(username) === currentKey)
+            continue;
+        lastRunKey.set(username, currentKey);
+        const projects = (0, config_1.getProjects)().filter((p) => !p.archived && (0, config_1.isProjectOwner)(p, username));
+        for (const p of projects) {
+            try {
+                await (0, sync_service_1.syncProject)(username, p.id, p.name, p.folderPath);
+            }
+            catch (err) {
+                console.error(`[sync-scheduler] ${username}/${p.name} failed:`, err.message);
+            }
+        }
+    }
+}
+function startSyncScheduler() {
+    if (interval || timeoutHandle)
+        return;
+    // Align to top of minute: wait until seconds == 0, then fire every 60s.
+    const alignDelay = (60 - new Date().getSeconds()) * 1000;
+    timeoutHandle = setTimeout(() => {
+        timeoutHandle = null;
+        void runScheduledOnce(new Date()).catch(() => { });
+        interval = setInterval(() => {
+            void runScheduledOnce(new Date()).catch(() => { });
+        }, 60000);
+    }, alignDelay);
+}
+function stopSyncScheduler() {
+    if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+        timeoutHandle = null;
+    }
+    if (interval) {
+        clearInterval(interval);
+        interval = null;
+    }
+    lastRunKey.clear();
+}
+//# sourceMappingURL=sync-scheduler.js.map