backdot 1.6.1 → 1.8.0

package/dist/commitUrl.js

@@ -1,7 +1,7 @@
 const PROVIDERS = {
-    "github.com": (p, sha) => `https://github.com/${p}/commit/${sha}`,
-    "gitlab.com": (p, sha) => `https://gitlab.com/${p}/-/commit/${sha}`,
-    "bitbucket.org": (p, sha) => `https://bitbucket.org/${p}/commits/${sha}`,
+    "github.com": (repoPath, sha) => `https://github.com/${repoPath}/commit/${sha}`,
+    "gitlab.com": (repoPath, sha) => `https://gitlab.com/${repoPath}/-/commit/${sha}`,
+    "bitbucket.org": (repoPath, sha) => `https://bitbucket.org/${repoPath}/commits/${sha}`,
 };
 export function getCommitUrl(remoteUrl, sha) {
     for (const [host, buildUrl] of Object.entries(PROVIDERS)) {
@@ -9,7 +9,8 @@ export function getCommitUrl(remoteUrl, sha) {
         if (idx === -1) {
             continue;
         }
-        let repoPath = remoteUrl.slice(idx + host.length + 1).trim();
+        const separatorLength = 1; // skip the ":" (SSH) or "/" (HTTPS) after the hostname
+        let repoPath = remoteUrl.slice(idx + host.length + separatorLength).trim();
         if (repoPath.endsWith(".git")) {
             repoPath = repoPath.slice(0, -4);
         }

package/dist/config.d.ts

@@ -1,10 +1,11 @@
 import { z } from "zod";
 export declare const CONFIG_PATH: string;
-export declare function expandTilde(p: string): string;
+export declare function expandTilde(pattern: string): string;
 declare const ConfigSchema: z.ZodObject<{
     repository: z.ZodString;
     machine: z.ZodString;
     paths: z.ZodArray<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
+    encrypt: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
 }, z.core.$strip>;
 export type Config = z.infer<typeof ConfigSchema>;
 export declare function loadConfig(): Config;

package/dist/config.js

@@ -3,14 +3,15 @@ import path from "node:path";
 import os from "node:os";
 import { z } from "zod";
 export const CONFIG_PATH = path.join(os.homedir(), ".backdot.json");
-export function expandTilde(p) {
-    if (p.startsWith("!")) {
-        return "!" + expandTilde(p.slice(1));
+export function expandTilde(pattern) {
+    // fast-glob uses "!" for negation patterns — preserve the prefix, expand the rest
+    if (pattern.startsWith("!")) {
+        return "!" + expandTilde(pattern.slice(1));
     }
-    if (p.startsWith("~/") || p === "~") {
-        return path.join(os.homedir(), p.slice(1));
+    if (pattern.startsWith("~/") || pattern === "~") {
+        return path.join(os.homedir(), pattern.slice(1));
     }
-    return p;
+    return pattern;
 }
 const ConfigSchema = z.object({
     repository: z.string().min(1),
@@ -18,30 +19,31 @@ const ConfigSchema = z.object({
     paths: z
         .array(z.string().min(1).transform(expandTilde))
         .min(1, '"paths" must be a non-empty array'),
+    encrypt: z.boolean().optional().default(false),
 });
 export function loadConfig() {
     if (!fs.existsSync(CONFIG_PATH)) {
-        throw new Error(`Config file not found: ${CONFIG_PATH}\n  Run "backdot --init" to create it.`);
+        throw new Error(`Config file not found: ${CONFIG_PATH}\n  Run "backdot init" to create it.`);
     }
-    let raw;
+    let rawJson;
     try {
-        raw = fs.readFileSync(CONFIG_PATH, "utf-8");
+        rawJson = fs.readFileSync(CONFIG_PATH, "utf-8");
     }
     catch {
         throw new Error(`Failed to read config file: ${CONFIG_PATH}`);
     }
     let parsed;
     try {
-        parsed = JSON.parse(raw);
+        parsed = JSON.parse(rawJson);
     }
     catch {
         throw new Error(`Invalid JSON in config file: ${CONFIG_PATH}`);
     }
     const result = ConfigSchema.safeParse(parsed);
     if (!result.success) {
-        const messages = result.error.issues.map((i) => {
-            const path = i.path.length > 0 ? `"${i.path.join(".")}"` : "config";
-            return `  - ${path}: ${i.message}`;
+        const messages = result.error.issues.map((issue) => {
+            const field = issue.path.length > 0 ? `"${issue.path.join(".")}"` : "config";
+            return `  - ${field}: ${issue.message}`;
         });
         throw new Error(`Invalid config in ${CONFIG_PATH}:\n${messages.join("\n")}`);
     }

package/dist/crypto/encryption.d.ts

@@ -0,0 +1,8 @@
+export interface DerivedKey {
+    password: string;
+    salt: Buffer;
+    key: Buffer;
+}
+export declare function deriveKey(password: string, salt?: Buffer): DerivedKey;
+export declare function encrypt(plaintext: Buffer, derivedKey: DerivedKey): Buffer;
+export declare function decrypt(encrypted: Buffer, derivedKey: DerivedKey): Buffer;

package/dist/crypto/encryption.js

@@ -0,0 +1,54 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+// Higher N = harder to brute-force but slower to encrypt/decrypt (~300ms).
+// 2^17 is the OWASP minimum recommendation for password-based key derivation.
+const SCRYPT_N = 2 ** 17;
+const SCRYPT_R = 8;
+const SCRYPT_PARAMS = {
+    N: SCRYPT_N,
+    r: SCRYPT_R,
+    p: 1,
+    maxmem: 128 * SCRYPT_N * SCRYPT_R * 2, // must exceed 128*N*r
+};
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+export function deriveKey(password, salt) {
+    const resolvedSalt = salt ?? crypto.randomBytes(SALT_LENGTH);
+    const key = crypto.scryptSync(password, resolvedSalt, KEY_LENGTH, SCRYPT_PARAMS);
+    return { password, salt: resolvedSalt, key };
+}
+function deriveKeyForSalt(derivedKey, salt) {
+    if (derivedKey.salt.equals(salt)) {
+        return derivedKey.key;
+    }
+    return crypto.scryptSync(derivedKey.password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, derivedKey) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, derivedKey.key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([derivedKey.salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encrypted, derivedKey) {
+    if (encrypted.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
+    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
+    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
+    const ciphertext = encrypted.subarray(offset);
+    const key = deriveKeyForSalt(derivedKey, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/crypto/password.d.ts

@@ -0,0 +1,11 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto/password.js

@@ -0,0 +1,74 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/crypto.d.ts

@@ -0,0 +1,13 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function encryptBuffer(plaintext: Buffer, password: string): Buffer;
+export declare function decryptBuffer(data: Buffer, password: string): Buffer;
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto.js

@@ -0,0 +1,129 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+// File-format signature identifying backdot-encrypted files
+const MAGIC = Buffer.from("BDOT");
+const VERSION = 0x01;
+const HEADER_SIZE = MAGIC.length + 1; // 5 bytes: magic + version
+const SALT_SIZE = 32;
+const IV_SIZE = 12;
+const TAG_SIZE = 16;
+const KEY_SIZE = 32;
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_SIZE, { N: 2 ** 14, r: 8, p: 1 });
+}
+export function encryptBuffer(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_SIZE);
+    const iv = crypto.randomBytes(IV_SIZE);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([MAGIC, Buffer.from([VERSION]), salt, iv, tag, encrypted]);
+}
+export function decryptBuffer(data, password) {
+    if (!isEncrypted(data)) {
+        throw new Error("File is not encrypted (missing BDOT header).");
+    }
+    const minSize = HEADER_SIZE + SALT_SIZE + IV_SIZE + TAG_SIZE;
+    if (data.length < minSize) {
+        throw new Error("Encrypted file is too short or corrupted.");
+    }
+    let offset = HEADER_SIZE;
+    const salt = data.subarray(offset, offset + SALT_SIZE);
+    offset += SALT_SIZE;
+    const iv = data.subarray(offset, offset + IV_SIZE);
+    offset += IV_SIZE;
+    const tag = data.subarray(offset, offset + TAG_SIZE);
+    offset += TAG_SIZE;
+    const ciphertext = data.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(tag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted file.");
+    }
+}
+function isEncrypted(data) {
+    return (data.length >= HEADER_SIZE &&
+        data[0] === MAGIC[0] &&
+        data[1] === MAGIC[1] &&
+        data[2] === MAGIC[2] &&
+        data[3] === MAGIC[3] &&
+        data[4] === VERSION);
+}
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/encryption.d.ts

@@ -0,0 +1,2 @@
+export declare function encrypt(plaintext: Buffer, password: string): Buffer;
+export declare function decrypt(encrypted: Buffer, password: string): Buffer;

package/dist/encryption.js

@@ -0,0 +1,39 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encrypted, password) {
+    if (encrypted.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
+    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
+    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
+    const ciphertext = encrypted.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/git.d.ts

@@ -8,7 +8,7 @@ interface FileChangeSummary {
         to: string;
     }>;
 }
-export declare function buildCommitMessage(changes: FileChangeSummary, maxLen?: number): string;
+export declare function buildCommitMessage(changes: FileChangeSummary, maxLength?: number): string;
 export declare function ensureRemoteUrl(repository: string): Promise<void>;
 export declare function getCurrentBranch(git: SimpleGit): Promise<string>;
 export declare function friendlyGitError(raw: string, repository: string): string;

package/dist/git.js

@@ -6,44 +6,46 @@ import { logger } from "./log.js";
 import { STAGING_DIR, STAGING_GIT_DIR } from "./paths.js";
 import { getCommitUrl } from "./commitUrl.js";
 import { errorMessage, pluralize, uniq } from "./utils.js";
-export function buildCommitMessage(changes, maxLen = 250) {
-    const unique = (paths) => uniq(paths.map((f) => path.basename(f)));
-    const removed = unique(changes.deleted);
-    const added = unique(changes.created);
-    const modified = unique([...changes.modified, ...changes.renamed.map((r) => r.to)]);
+export function buildCommitMessage(changes, maxLength = 250) {
+    const uniqueBasenames = (paths) => uniq(paths.map((filePath) => path.basename(filePath)));
+    const removed = uniqueBasenames(changes.deleted);
+    const added = uniqueBasenames(changes.created);
+    const modified = uniqueBasenames([...changes.modified, ...changes.renamed.map((r) => r.to)]);
     const categories = [
         { label: "removed", files: removed },
         { label: "added", files: added },
         { label: "modified", files: modified },
-    ].filter((c) => c.files.length > 0);
+    ].filter((category) => category.files.length > 0);
     if (categories.length === 0) {
-        return "backup"; // fallback commit message when no changes are categorized
+        return "backup";
     }
-    function format(cat, listFiles) {
+    function formatCategory(category, listFiles) {
         if (listFiles) {
-            return `${cat.label}: ${cat.files.join(", ")}`;
+            return `${category.label}: ${category.files.join(", ")}`;
         }
-        return `${cat.label}: ${pluralize(cat.files.length, "file")}`;
+        return `${category.label}: ${pluralize(category.files.length, "file")}`;
     }
-    function build(listFlags) {
-        return categories.map((cat, i) => format(cat, listFlags[i])).join("; ");
+    function joinCategories(showFileNames) {
+        return categories.map((category, i) => formatCategory(category, showFileNames[i])).join("; ");
     }
-    const flags = categories.map(() => true);
-    let msg = build(flags);
-    if (msg.length <= maxLen) {
-        return msg;
+    // If the message exceeds maxLength, progressively replace file lists with
+    // counts, starting with the least important category.
+    const showFileNames = categories.map(() => true);
+    let message = joinCategories(showFileNames);
+    if (message.length <= maxLength) {
+        return message;
     }
     for (const label of ["modified", "added", "removed"]) {
-        const idx = categories.findIndex((c) => c.label === label);
-        if (idx !== -1 && flags[idx]) {
-            flags[idx] = false;
-            msg = build(flags);
-            if (msg.length <= maxLen) {
-                return msg;
+        const idx = categories.findIndex((category) => category.label === label);
+        if (idx !== -1 && showFileNames[idx]) {
+            showFileNames[idx] = false;
+            message = joinCategories(showFileNames);
+            if (message.length <= maxLength) {
+                return message;
             }
         }
     }
-    return msg.slice(0, maxLen - 3) + "...";
+    return message.slice(0, maxLength - 3) + "...";
 }
 export async function ensureRemoteUrl(repository) {
     const git = simpleGit(STAGING_DIR);
@@ -56,18 +58,19 @@ export async function getCurrentBranch(git) {
     return (await git.revparse(["--abbrev-ref", "HEAD"])).trim();
 }
 export function friendlyGitError(raw, repository) {
-    const msg = raw.toLowerCase();
-    if (msg.includes("not found") ||
-        msg.includes("does not exist") ||
-        msg.includes("does not appear to be a git repository")) {
+    const normalizedMessage = raw.toLowerCase();
+    if (normalizedMessage.includes("not found") ||
+        normalizedMessage.includes("does not exist") ||
+        normalizedMessage.includes("does not appear to be a git repository")) {
         return `Repository "${repository}" not found. Check the URL and that you have access.`;
     }
-    if (msg.includes("authentication failed") || msg.includes("could not read username")) {
+    if (normalizedMessage.includes("authentication failed") ||
+        normalizedMessage.includes("could not read username")) {
         return `Authentication failed for "${repository}". Check your credentials or SSH key.`;
     }
-    if (msg.includes("could not resolve host") ||
-        msg.includes("connection refused") ||
-        msg.includes("connection timed out")) {
+    if (normalizedMessage.includes("could not resolve host") ||
+        normalizedMessage.includes("connection refused") ||
+        normalizedMessage.includes("connection timed out")) {
         return "Could not connect to remote host. Check your internet connection.";
     }
     return raw;
@@ -82,8 +85,8 @@ export async function gitPull(repository, commit) {
             const git = simpleGit(STAGING_DIR);
             await ensureRemoteUrl(repository);
             await git.fetch("origin");
-            const target = commit ?? `origin/${await getCurrentBranch(git)}`;
-            await git.reset(["--hard", target]);
+            const resetTarget = commit ?? `origin/${await getCurrentBranch(git)}`;
+            await git.reset(["--hard", resetTarget]);
             await git.clean(CleanOptions.FORCE, ["-d"]);
         }
         else {
@@ -152,8 +155,8 @@ export async function gitCommitAndPush() {
         throw gitError(err, remoteUrl);
     }
     logger.info(`Committed and pushed: ${message}`);
-    const sha = (await git.revparse(["HEAD"])).trim();
+    const commitHash = (await git.revparse(["HEAD"])).trim();
     const remoteUrl = (await git.remote(["get-url", "origin"])) ?? "";
-    const commitUrl = getCommitUrl(remoteUrl, sha);
+    const commitUrl = getCommitUrl(remoteUrl, commitHash);
     return { commitUrl };
 }

package/dist/launchd.js

@@ -12,8 +12,8 @@ function escapeXml(s) {
         .replace(/>/g, ">")
         .replace(/"/g, """);
 }
-const LABEL = "com.backdot.daemon";
-const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
+const LAUNCHD_JOB_LABEL = "com.backdot.daemon";
+const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LAUNCHD_JOB_LABEL}.plist`);
 function getScriptPath() {
     const currentDir = path.dirname(new URL(import.meta.url).pathname);
     return path.resolve(currentDir, "cli.js");
@@ -28,12 +28,12 @@ function buildPlist() {
 <plist version="1.0">
 <dict>
   <key>Label</key>
-  <string>${LABEL}</string>
+  <string>${LAUNCHD_JOB_LABEL}</string>
   <key>ProgramArguments</key>
   <array>
     <string>${escapeXml(nodePath)}</string>
     <string>${escapeXml(scriptPath)}</string>
-    <string>--backup</string>
+    <string>backup</string>
   </array>
   <key>WorkingDirectory</key>
   <string>${escapeXml(workingDir)}</string>
@@ -58,8 +58,11 @@ export function isScheduled() {
         return false;
     }
     try {
-        const output = execFileSync("launchctl", ["list", LABEL], { encoding: "utf-8", stdio: "pipe" });
-        return output.includes(LABEL);
+        const output = execFileSync("launchctl", ["list", LAUNCHD_JOB_LABEL], {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        return output.includes(LAUNCHD_JOB_LABEL);
     }
     catch {
         return false;
@@ -68,9 +71,9 @@ export function isScheduled() {
 export function setupLaunchd() {
     const spinner = ora("Installing schedule").start();
     const plistContent = buildPlist();
-    const dir = path.dirname(PLIST_PATH);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
+    const launchAgentsDir = path.dirname(PLIST_PATH);
+    if (!fs.existsSync(launchAgentsDir)) {
+        fs.mkdirSync(launchAgentsDir, { recursive: true });
     }
     try {
         execFileSync("launchctl", ["unload", PLIST_PATH], { stdio: "pipe" });

package/dist/password.d.ts

@@ -0,0 +1,11 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;