@wizzlethorpe/vaults 0.5.0 → 0.6.1

package/dist/sensitive.js

@@ -0,0 +1,60 @@
+import { stat } from "node:fs/promises";
+import { spawn } from "node:child_process";
+import { dirname, join, relative } from "node:path";
+/**
+ * Loud warning when a file that contains secrets is about to be written.
+ * Today's only secrets-bearing file is `.env` (session-signing key,
+ * Patreon client secret); `.vaultrc.json` itself is config-only as of
+ * the secrets split and is intentionally trackable.
+ *
+ * The check is best-effort: if `git` isn't on PATH, or the vault isn't
+ * inside a git repo, we still emit a quieter reminder. Never throws —
+ * a wrong gitignore guess shouldn't block writing the file.
+ */
+export async function warnSensitive(vaultPath, filePath, what = "the session-signing key and (when configured) the Patreon client secret") {
+    const gitRoot = await findGitRoot(vaultPath);
+    if (!gitRoot) {
+        console.warn(`  \x1b[33m⚠\x1b[0m ${filePath} contains ${what}. `
+            + `If you ever put this vault under git, gitignore it first.`);
+        return;
+    }
+    const ignored = await isGitIgnored(gitRoot, vaultPath, filePath);
+    if (ignored)
+        return; // healthy state — silent
+    console.warn(`\n  \x1b[31m⚠ SECURITY:\x1b[0m ${filePath} is NOT gitignored in this repo!`);
+    console.warn(`  This file contains ${what}. Add it to .gitignore before committing.`);
+    console.warn(`    cd ${gitRoot} && echo "${pathRelativeToRepoRoot(gitRoot, vaultPath, filePath)}" >> .gitignore\n`);
+}
+async function findGitRoot(start) {
+    let dir = start;
+    for (let i = 0; i < 32; i++) { // generous loop bound; protects against symlink cycles
+        try {
+            const s = await stat(join(dir, ".git"));
+            if (s.isDirectory() || s.isFile())
+                return dir;
+        }
+        catch { /* keep walking */ }
+        const parent = dirname(dir);
+        if (parent === dir)
+            return null;
+        dir = parent;
+    }
+    return null;
+}
+async function isGitIgnored(gitRoot, vaultPath, filePath) {
+    const fullPath = join(vaultPath, filePath);
+    return new Promise((resolve) => {
+        // `git check-ignore` exits 0 when the path IS ignored, 1 when not, 128
+        // on error. Errors (no git, permissions) → assume not ignored so we
+        // err on the side of warning.
+        const proc = spawn("git", ["-C", gitRoot, "check-ignore", "--quiet", fullPath], {
+            stdio: "ignore",
+        });
+        proc.on("exit", (code) => resolve(code === 0));
+        proc.on("error", () => resolve(false));
+    });
+}
+function pathRelativeToRepoRoot(gitRoot, vaultPath, filePath) {
+    return relative(gitRoot, join(vaultPath, filePath)).split(/[/\\]/).join("/");
+}
+//# sourceMappingURL=sensitive.js.map

package/dist/sensitive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive.js","sourceRoot":"","sources":["../src/sensitive.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEpD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAAiB,EACjB,QAAgB,EAChB,OAAe,yEAAyE;IAExF,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,sBAAsB,QAAQ,aAAa,IAAI,IAAI;cACjD,2DAA2D,CAC9D,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,IAAI,OAAO;QAAE,OAAO,CAAC,yBAAyB;IAE9C,OAAO,CAAC,IAAI,CACV,kCAAkC,QAAQ,kCAAkC,CAC7E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,wBAAwB,IAAI,2CAA2C,CAAC,CAAC;IACtF,OAAO,CAAC,IAAI,CACV,UAAU,OAAO,aAAa,sBAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,mBAAmB,CACtG,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAa;IACtC,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,uDAAuD;QACpF,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;YACxC,IAAI,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,MAAM,EAAE;gBAAE,OAAO,GAAG,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAChC,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAe,EAAE,SAAiB,EAAE,QAAgB;IAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC3C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,uEAAuE;QACvE,oEAAoE;QACpE,8BAA8B;QAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE;YAC9E,KAAK,EAAE,QAAQ;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAe,EAAE,SAAiB,EAAE,QAAgB;IAClF,OAAO,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/E,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wizzlethorpe/vaults",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "description": "Sync an Obsidian vault to a Cloudflare-hosted wiki with role-based access. Renders locally, deploys to Cloudflare Pages.",
   "keywords": [
     "obsidian",