@wizzlethorpe/vaults 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 wizzlethorpe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,125 @@
+# vaults
+
+Sync an Obsidian vault to a Cloudflare-hosted wiki. The CLI renders your notes locally to HTML and deploys them to your own Cloudflare Pages account. Supports role-based access (public, patron, dm, …) so different parts of the same vault can be visible to different audiences.
+
+## Install
+
+```bash
+npm install -g @wizzlethorpe/vaults
+```
+
+Requires Node.js 22 or newer. Works on macOS, Linux, and Windows.
+
+## Quickstart
+
+From any Obsidian vault:
+
+```bash
+cd ~/Documents/MyVault
+
+vaults init                          # write a settings.md the renderer will read
+vaults role add public               # default tier (anyone can read)
+vaults role add patron               # tier above public, password-gated
+vaults role add dm                   # top tier
+vaults password patron               # set a password
+vaults password dm
+vaults push                          # render + deploy to Cloudflare Pages
+```
+
+The first push prompts for a Pages project name and runs `wrangler login` if you aren't authenticated. After that it just renders and deploys.
+
+## How it works
+
+```
+~/MyVault/                 ← Obsidian vault (source of truth)
+   │  vaults push
+   ▼
+Cloudflare Pages           ← per-user, your account
+   ├── _variants/<role>/   ← rendered HTML, scoped by access tier
+   ├── styles.css, login.html
+   └── functions/_middleware.js   ← auth gate (cookie/bearer based)
+```
+
+- **Per-tier deploys.** A page tagged `role: dm` in its frontmatter only ships to the dm variant. Public visitors *cannot* fetch it — the file structurally doesn't exist in their variant.
+- **Images are gated too.** Only images embedded by visible pages are copied into a given variant.
+- **Incremental sync.** External clients (the [Foundry VTT module](https://github.com/wizzlethorpe/vaults-foundry)) can pull changes via `/_manifest.json` + `/_batch` endpoints — the CLI computes content hashes so the diff is minimal.
+
+## Commands
+
+| Command | What it does |
+|---|---|
+| `vaults init` | Write a `settings.md` with sensible defaults. |
+| `vaults build` | Render the vault to a local directory (no deploy). |
+| `vaults preview` | Render + serve locally via `wrangler pages dev` so you can click around with auth working. |
+| `vaults push` | Render + deploy to Cloudflare Pages. |
+| `vaults role add <name>` | Add an access tier. The first role becomes the default (no password). |
+| `vaults role remove <name>` | Remove an access tier. |
+| `vaults role list` | List configured roles. |
+| `vaults role promote <name>` / `demote <name>` | Reorder tiers. |
+| `vaults password <role>` | Set or change a role's password (PBKDF2-SHA256). |
+| `vaults push --rotate-secret` | Generate a fresh `SESSION_SECRET`, invalidating every issued auth token at once. |
+| `vaults push --all-warnings` / `vaults build --all-warnings` | Don't truncate the broken-link / missing-image report. |
+
+Run any command with `--help` for the full flag list.
+
+## Settings
+
+`settings.md` lives at the root of your vault and is the single user-editable config:
+
+```yaml
+---
+vault_name: My Wiki
+default_role: public
+accent_color: "#7a4a8c"
+accent_color_dark: "#b58af5"
+favicon: assets/icons/wiki.png
+inline_title: true
+default_image_width: 50vw
+center_images: true
+ignore:
+  - Templates/**
+  - "*.draft.md"
+---
+```
+
+Open it in Obsidian — the frontmatter shows up as a Properties form.
+
+## Page frontmatter
+
+A page's frontmatter controls its access tier and how it's surfaced:
+
+```yaml
+---
+role: dm                          # required to view; default is settings.default_role
+title: Optional override          # default: filename or first H1
+aliases:                          # extra names that resolve to this page from wikilinks
+  - Pale Mountains
+  - The Pale Mountains
+---
+```
+
+Wikilinks (`[[Page]]`, `[[Page|alias]]`, `[[NPCs/Page#section]]`), image embeds (`![[image.png]]`), transclusions (`![[Page]]`), and Obsidian callouts all render the same way they do in Obsidian.
+
+## Auth
+
+Multi-role deploys ship with a small Cloudflare Pages Function (`_middleware.js`) that:
+
+- **Gates per-role variants** via a signed cookie (`SameSite=None; Secure; Partitioned`).
+- **Issues bearer tokens** through an OAuth-style `/connect` flow used by the [Foundry module](https://github.com/wizzlethorpe/vaults-foundry).
+- **Exposes** `/_batch` (text) and `/_batch-images` (binary) for bulk content sync.
+
+Tokens are stateless HMAC-signed JWTs; revocation = rotate `SESSION_SECRET` via `vaults push --rotate-secret`.
+
+## Files this CLI manages locally
+
+| File | Tracked in git? | What it holds |
+|---|---|---|
+| `settings.md` | yes | User-editable settings. |
+| `.vaultrc.json` | **no** | CLI-managed: `SESSION_SECRET`, role password hashes, project name, cached settings. |
+| `.vault-cache/` | **no** | Build cache: rendered output, image webp cache. |
+
+`vaults init` adds `.vaultrc.json` and `.vault-cache` to `.gitignore` if your vault is a git repo.
+
+## License
+
+MIT

package/dist/api.js

@@ -0,0 +1,42 @@
+export class ApiClient {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    async getManifest() {
+        const res = await fetch(this.url("/api/manifest"), { headers: this.headers() });
+        if (!res.ok)
+            throw new Error(`GET /api/manifest failed: ${res.status} ${await res.text()}`);
+        const { files } = (await res.json());
+        return files;
+    }
+    async putSource(path, body, contentType) {
+        const res = await fetch(this.url(`/admin/source/${encodePath(path)}`), {
+            method: "PUT",
+            headers: { ...this.headers(), "Content-Type": contentType },
+            body: new Uint8Array(body),
+        });
+        if (!res.ok)
+            throw new Error(`PUT ${path} failed: ${res.status} ${await res.text()}`);
+    }
+    async deleteSource(path) {
+        const res = await fetch(this.url(`/admin/source/${encodePath(path)}`), {
+            method: "DELETE",
+            headers: this.headers(),
+        });
+        if (!res.ok && res.status !== 404) {
+            throw new Error(`DELETE ${path} failed: ${res.status} ${await res.text()}`);
+        }
+    }
+    url(path) {
+        const base = this.cfg.url.replace(/\/$/, "");
+        return `${base}${path}`;
+    }
+    headers() {
+        return { Authorization: `Bearer ${this.cfg.apiKey}` };
+    }
+}
+function encodePath(path) {
+    return path.split("/").map(encodeURIComponent).join("/");
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAUA,MAAM,OAAO,SAAS;IACA;IAApB,YAAoB,GAAgB;QAAhB,QAAG,GAAH,GAAG,CAAa;IAAG,CAAC;IAExC,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA+B,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY,EAAE,IAAyB,EAAE,WAAmB;QAC1E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAiB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YACrE,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE;YAC3D,IAAI,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,YAAY,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAiB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YACrE,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;SACxB,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,YAAY,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,IAAY;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC7C,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;IAC1B,CAAC;IAEO,OAAO;QACb,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IACxD,CAAC;CACF;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3D,CAAC"}

package/dist/auth.js

@@ -0,0 +1,62 @@
+import { webcrypto } from "node:crypto";
+// Password hashing: PBKDF2-SHA256. The Cloudflare Workers runtime caps
+// PBKDF2 iterations at 100k (NotSupportedError above that), so we hash at
+// 100k here too — the CLI and the edge Function must use the same algorithm
+// for stored hashes to verify.
+const ITERATIONS = 100_000;
+const SALT_BYTES = 16;
+const HASH_BYTES = 32; // SHA-256 output length
+export async function hashPassword(password) {
+    const salt = webcrypto.getRandomValues(new Uint8Array(SALT_BYTES));
+    const hash = await pbkdf2(password, salt, ITERATIONS);
+    return `${ITERATIONS}:${toHex(salt)}:${toHex(hash)}`;
+}
+export async function verifyPassword(password, encoded) {
+    const parsed = parseEncoded(encoded);
+    if (!parsed)
+        return false;
+    const salt = fromHex(parsed.saltHex);
+    const expected = fromHex(parsed.hashHex);
+    const actual = await pbkdf2(password, salt, parsed.iterations);
+    return constantTimeEqual(actual, expected);
+}
+function parseEncoded(encoded) {
+    const parts = encoded.split(":");
+    if (parts.length !== 3)
+        return null;
+    const iterations = Number(parts[0]);
+    if (!Number.isFinite(iterations) || iterations < 1000)
+        return null;
+    return { iterations, saltHex: parts[1], hashHex: parts[2] };
+}
+async function pbkdf2(password, salt, iterations) {
+    const key = await webcrypto.subtle.importKey("raw", new TextEncoder().encode(password), { name: "PBKDF2" }, false, ["deriveBits"]);
+    const bits = await webcrypto.subtle.deriveBits({ name: "PBKDF2", salt: salt, hash: "SHA-256", iterations }, key, HASH_BYTES * 8);
+    return new Uint8Array(bits);
+}
+function toHex(bytes) {
+    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+    const out = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < out.length; i++)
+        out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    return out;
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+/**
+ * Generate a random secret used to sign session tokens. Stored as a wrangler
+ * secret on push, never in settings.md or the static deployment.
+ */
+export function generateSessionSecret() {
+    const bytes = webcrypto.getRandomValues(new Uint8Array(32));
+    return toHex(bytes);
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,uEAAuE;AACvE,0EAA0E;AAC1E,4EAA4E;AAC5E,+BAA+B;AAE/B,MAAM,UAAU,GAAG,OAAO,CAAC;AAC3B,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,wBAAwB;AAQ/C,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,SAAS,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;IACtD,OAAO,GAAG,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,OAAe;IACpE,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/D,OAAO,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,IAAI;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,QAAgB,EAAE,IAAgB,EAAE,UAAkB;IAC1E,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClB,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAoB,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,EAC3E,GAAG,EACH,UAAU,GAAG,CAAC,CACf,CAAC;IACF,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,KAAK,CAAC,KAAiB;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACxF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IACzD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,SAAS,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC;AACtB,CAAC"}