backdot 1.6.1 → 1.8.0

package/dist/password.js

@@ -0,0 +1,74 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/repoVisibility.d.ts

@@ -0,0 +1,15 @@
+export type RepoVisibility = "public" | "private" | "unknown";
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export declare function toHttpsUrl(repository: string): string | null;
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export declare function checkRepoVisibility(repository: string): Promise<RepoVisibility>;

package/dist/repoVisibility.js

@@ -0,0 +1,58 @@
+import { execFile } from "node:child_process";
+const KNOWN_HOSTS = ["github.com", "gitlab.com", "bitbucket.org"];
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export function toHttpsUrl(repository) {
+    for (const host of KNOWN_HOSTS) {
+        const idx = repository.indexOf(host);
+        if (idx === -1) {
+            continue;
+        }
+        let repoPath = repository.slice(idx + host.length + 1).trim();
+        if (!repoPath.endsWith(".git")) {
+            repoPath += ".git";
+        }
+        return `https://${host}/${repoPath}`;
+    }
+    return null;
+}
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export async function checkRepoVisibility(repository) {
+    const httpsUrl = toHttpsUrl(repository);
+    if (!httpsUrl) {
+        return "unknown";
+    }
+    try {
+        await execGitLsRemote(httpsUrl);
+        return "public";
+    }
+    catch {
+        return "private";
+    }
+}
+function execGitLsRemote(url) {
+    return new Promise((resolve, reject) => {
+        const child = execFile("git", ["-c", "credential.helper=", "ls-remote", "--quiet", url], {
+            timeout: 10_000,
+            env: { ...process.env, GIT_TERMINAL_PROMPT: "0" },
+        }, (error) => {
+            if (error) {
+                reject(error);
+            }
+            else {
+                resolve();
+            }
+        });
+        // Don't let stdin keep the process alive
+        child.stdin?.end();
+    });
+}

package/dist/resolveFiles.js

@@ -20,8 +20,8 @@ const LARGE_FILE_THRESHOLD = 10 * 1024 * 1024; // 10 MB
  * Skips entries that fail resolution and logs warnings.
  */
 export function resolveFiles(config) {
-    const unique = uniq(resolveGlobs(config.paths));
-    return unique.filter((filePath) => {
+    const deduplicatedPaths = uniq(resolveGlobs(config.paths));
+    return deduplicatedPaths.filter((filePath) => {
         try {
             fs.accessSync(filePath, fs.constants.R_OK);
             const stat = fs.statSync(filePath);

package/dist/staging.d.ts

@@ -1,13 +1,19 @@
 import { STAGING_DIR, STAGING_GIT_DIR, machineDir } from "./paths.js";
+import { type DerivedKey } from "./crypto/encryption.js";
 export { STAGING_DIR, STAGING_GIT_DIR, machineDir };
 export declare function getStagedPath(filePath: string, machine: string): string;
 export declare function cleanStaging(machine: string): void;
-export declare function copyToStaging(files: string[], machine: string): void;
+export declare function copyToStaging(files: string[], machine: string, derivedKey?: DerivedKey): void;
 export interface ComparisonResult {
     backedUp: string[];
     modified: string[];
     notBackedUp: string[];
     error?: string;
 }
-export declare function compareFiles(files: string[], machine: string, repository: string): Promise<ComparisonResult>;
-export declare function writeRepoReadme(repository: string): void;
+export declare function compareFiles(opts: {
+    files: string[];
+    machine: string;
+    repository: string;
+    derivedKey?: DerivedKey;
+}): Promise<ComparisonResult>;
+export declare function writeRepoReadme(repository: string, encrypted?: boolean): void;

package/dist/staging.js

@@ -7,47 +7,60 @@ import { logger } from "./log.js";
 import { errorMessage, pluralize } from "./utils.js";
 import { ensureRemoteUrl, getCurrentBranch, gitError } from "./git.js";
 import { STAGING_DIR, STAGING_GIT_DIR, machineDir } from "./paths.js";
+import { encrypt, decrypt } from "./crypto/encryption.js";
+import { KEY_FILE_PATH, ENC_SUFFIX } from "./crypto/password.js";
 export { STAGING_DIR, STAGING_GIT_DIR, machineDir };
 const HOME = os.homedir();
 export function getStagedPath(filePath, machine) {
-    const rel = path.relative(HOME, filePath);
-    const destRel = rel.startsWith("..") ? filePath.slice(1) : rel;
-    return path.join(machineDir(machine), destRel);
+    const relativePath = path.relative(HOME, filePath);
+    // Files outside HOME (e.g. /etc/foo) produce a relative path starting with "..",
+    // which would escape the machine dir. Use the absolute path minus the leading "/" instead.
+    const pathWithinMachineDir = relativePath.startsWith("..") ? filePath.slice(1) : relativePath;
+    return path.join(machineDir(machine), pathWithinMachineDir);
 }
 export function cleanStaging(machine) {
-    const dir = machineDir(machine);
-    if (!fs.existsSync(dir)) {
+    const machineStagingDir = machineDir(machine);
+    if (!fs.existsSync(machineStagingDir)) {
         return;
     }
-    fs.rmSync(dir, { recursive: true, force: true });
+    fs.rmSync(machineStagingDir, { recursive: true, force: true });
     logger.info(`Cleaned staging directory for machine "${machine}"`);
 }
-export function copyToStaging(files, machine) {
-    const dir = machineDir(machine);
-    fs.mkdirSync(dir, { recursive: true });
-    let copied = 0;
-    for (const filePath of files) {
-        const dest = getStagedPath(filePath, machine);
+export function copyToStaging(files, machine, derivedKey) {
+    const machineStagingDir = machineDir(machine);
+    fs.mkdirSync(machineStagingDir, { recursive: true });
+    const filesExcludingKeyFile = files.filter((f) => path.resolve(f) !== path.resolve(KEY_FILE_PATH));
+    let copiedCount = 0;
+    for (const filePath of filesExcludingKeyFile) {
+        const stagedPath = getStagedPath(filePath, machine);
+        const destinationPath = derivedKey ? stagedPath + ENC_SUFFIX : stagedPath;
         try {
-            fs.mkdirSync(path.dirname(dest), { recursive: true });
-            fs.copyFileSync(filePath, dest);
-            copied++;
+            fs.mkdirSync(path.dirname(destinationPath), { recursive: true });
+            if (derivedKey) {
+                const plaintext = fs.readFileSync(filePath);
+                fs.writeFileSync(destinationPath, encrypt(plaintext, derivedKey));
+            }
+            else {
+                fs.copyFileSync(filePath, destinationPath);
+            }
+            copiedCount++;
         }
         catch {
-            logger.warn(`Failed to copy: ${filePath} -> ${dest}`);
+            logger.warn(`Failed to copy: ${filePath} -> ${destinationPath}`);
         }
     }
-    logger.info(`Copied ${pluralize(copied, "file")} to staging`);
+    logger.info(`Copied ${pluralize(copiedCount, "file")} to staging`);
 }
 function failedComparisonResult(err) {
     return { backedUp: [], modified: [], notBackedUp: [], error: errorMessage(err) };
 }
-export async function compareFiles(files, machine, repository) {
+export async function compareFiles(opts) {
+    const { files, machine, repository, derivedKey } = opts;
     if (files.length === 0) {
         return { backedUp: [], modified: [], notBackedUp: [] };
     }
     if (!fs.existsSync(STAGING_GIT_DIR)) {
-        return failedComparisonResult(new Error("Backup repository not found. Run backdot --backup first."));
+        return failedComparisonResult(new Error('Backup repository not found. Run "backdot backup" first.'));
     }
     const git = simpleGit(STAGING_DIR);
     try {
@@ -64,62 +77,97 @@ export async function compareFiles(files, machine, repository) {
     catch (err) {
         return failedComparisonResult(err);
     }
-    let committedHashes;
+    let remoteBlobHashes;
     try {
         const treeOutput = execFileSync("git", ["ls-tree", "-r", `origin/${branch}`, `${machine}/`], {
             encoding: "utf-8",
             cwd: STAGING_DIR,
         });
-        committedHashes = new Map(treeOutput
+        remoteBlobHashes = new Map(treeOutput
             .split("\n")
             .map((line) => line.match(/^\d+ blob ([0-9a-f]+)\t(.+)$/))
-            .filter((m) => m !== null)
-            .map((m) => [m[2], m[1]]));
+            .filter((match) => match !== null)
+            .map((match) => [match[2], match[1]]));
     }
     catch (err) {
         return failedComparisonResult(err);
     }
-    let sourceHashes;
+    if (derivedKey) {
+        return compareFilesEncrypted(files, machine, remoteBlobHashes, derivedKey);
+    }
+    let localFileHashes;
     try {
         const hashOutput = execFileSync("git", ["hash-object", "--stdin-paths"], {
             encoding: "utf-8",
             input: files.join("\n") + "\n",
         });
-        sourceHashes = hashOutput.trim().split("\n");
+        localFileHashes = hashOutput.trim().split("\n");
     }
     catch (err) {
         return failedComparisonResult(err);
     }
-    return files.reduce((acc, file, i) => {
+    return files.reduce((result, file, i) => {
         const repoRelPath = path.relative(STAGING_DIR, getStagedPath(file, machine));
-        const committedHash = committedHashes.get(repoRelPath);
-        if (!committedHash) {
-            acc.notBackedUp.push(file);
+        const remoteBlobHash = remoteBlobHashes.get(repoRelPath);
+        if (!remoteBlobHash) {
+            result.notBackedUp.push(file);
         }
-        else if (committedHash === sourceHashes[i]) {
-            acc.backedUp.push(file);
+        else if (remoteBlobHash === localFileHashes[i]) {
+            result.backedUp.push(file);
         }
         else {
-            acc.modified.push(file);
+            result.modified.push(file);
         }
-        return acc;
+        return result;
     }, { backedUp: [], modified: [], notBackedUp: [] });
 }
-function repoReadme(repository) {
+function compareFilesEncrypted(files, machine, remoteBlobHashes, derivedKey) {
+    const result = { backedUp: [], modified: [], notBackedUp: [] };
+    for (const file of files) {
+        const repoRelPath = path.relative(STAGING_DIR, getStagedPath(file, machine)) + ENC_SUFFIX;
+        const remoteBlobHash = remoteBlobHashes.get(repoRelPath);
+        if (!remoteBlobHash) {
+            result.notBackedUp.push(file);
+            continue;
+        }
+        try {
+            const blobContent = execFileSync("git", ["cat-file", "blob", remoteBlobHash], {
+                cwd: STAGING_DIR,
+                maxBuffer: 50 * 1024 * 1024,
+            });
+            const decrypted = decrypt(blobContent, derivedKey);
+            const localContent = fs.readFileSync(file);
+            if (decrypted.equals(localContent)) {
+                result.backedUp.push(file);
+            }
+            else {
+                result.modified.push(file);
+            }
+        }
+        catch {
+            result.modified.push(file);
+        }
+    }
+    return result;
+}
+function generateReadmeContent(repository, encrypted) {
+    const encryptionNote = encrypted
+        ? "\n> **Note:** Files in this repository are encrypted. You will need the backup password to restore.\n"
+        : "";
     return `# Backdot Backup
 
 This repository contains files backed up automatically using [backdot](https://github.com/sorenlouv/backdot).
-
+${encryptionNote}
 ## Restore
 
 \`\`\`bash
-npx backdot --restore ${repository}
+npx backdot restore ${repository}
 \`\`\`
 
 For full documentation, configuration options, and scheduling, see the [official README](https://github.com/sorenlouv/backdot).
 `;
 }
-export function writeRepoReadme(repository) {
-    fs.writeFileSync(path.join(STAGING_DIR, "README.md"), repoReadme(repository));
+export function writeRepoReadme(repository, encrypted = false) {
+    fs.writeFileSync(path.join(STAGING_DIR, "README.md"), generateReadmeContent(repository, encrypted));
     logger.info("Wrote README.md to staging directory");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backdot",
-  "version": "1.6.1",
+  "version": "1.8.0",
   "description": "Lightweight CLI to backup dotfiles and gitignored files to a Git repo on a daily schedule",
   "type": "module",
   "license": "MIT",
@@ -41,6 +41,7 @@
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",
+    "cac": "^7.0.0",
     "chalk": "^5.6.2",
     "fast-glob": "^3.3.3",
     "ora": "^9.3.0",
@@ -52,20 +53,12 @@
   "engines": {
     "node": ">=18"
   },
-  "lint-staged": {
-    "*.{ts,js}": [
-      "prettier --write",
-      "eslint --fix"
-    ],
-    "*.{json,md,yml}": "prettier --write"
-  },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@types/node": "^22.13.5",
     "eslint": "^10.0.2",
     "eslint-config-prettier": "^10.1.8",
     "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
     "prettier": "^3.8.1",
     "typescript": "^5.7.3",
     "typescript-eslint": "^8.56.1",