backdot 1.7.0 → 1.8.0

package/README.md

@@ -49,6 +49,12 @@ Prefix a pattern with `!` to exclude matching files:
 }
 ```
 
+## Encryption
+
+To encrypt files before they are pushed to the remote repo, add `"encrypt": true` to your config.
+
+On first backup you'll be prompted for a password and offered to save it to `~/.backdot.key` so that future backups do not prompt for a password.
+
 ## Commands
 
 | Command                        | Description                                    |

package/dist/cli.js

@@ -51,7 +51,8 @@ cli.command("", "").action(() => {
         console.log(`  No config found. Run ${chalk.bold("backdot init")} to get started.\n`);
     }
 });
-cli.help();
+// cac auto-adds a --help flag; remove its redundant section from help output
+cli.help((sections) => sections.filter((s) => !s.body?.includes("--help")));
 cli.version(getVersion());
 async function main() {
     try {
@@ -62,7 +63,8 @@ async function main() {
         const msg = errorMessage(err);
         logger.error(msg);
         console.error(`\n  Error: ${msg}\n`);
-        if (!process.stdout.isTTY) {
+        const isRunningInBackground = !process.stdout.isTTY;
+        if (isRunningInBackground) {
             sendNotification("Backdot", `Backup failed: ${msg}`);
         }
         process.exit(1);

package/dist/commands/backup.js

@@ -1,17 +1,57 @@
+import fs from "node:fs";
+import path from "node:path";
 import ora from "ora";
 import { loadConfig, CONFIG_PATH } from "../config.js";
 import { resolveFiles } from "../resolveFiles.js";
-import { cleanStaging, copyToStaging, writeRepoReadme } from "../staging.js";
+import { cleanStaging, copyToStaging, writeRepoReadme, machineDir } from "../staging.js";
 import { gitPull, gitCommitAndPush } from "../git.js";
 import { logger } from "../log.js";
 import { pluralize } from "../utils.js";
+import { checkRepoVisibility } from "../repoVisibility.js";
+import { decrypt, deriveKey } from "../crypto/encryption.js";
+import { resolvePassword, offerToSaveKeyFile, confirmPassword, ENC_SUFFIX, } from "../crypto/password.js";
+function findEncryptedFile(dir) {
+    if (!fs.existsSync(dir)) {
+        return null;
+    }
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            const encryptedFile = findEncryptedFile(fullPath);
+            if (encryptedFile) {
+                return encryptedFile;
+            }
+        }
+        else if (entry.name.endsWith(ENC_SUFFIX)) {
+            return fullPath;
+        }
+    }
+    return null;
+}
 export async function backup() {
     logger.info("Starting backup");
     const config = loadConfig();
     logger.info(`Repository: ${config.repository}`);
     logger.info(`Machine: ${config.machine}`);
-    const spinner = ora("Resolving files").start();
+    let password;
+    let derivedKey;
+    let passwordWasInteractive = false;
+    if (config.encrypt) {
+        const result = await resolvePassword();
+        password = result.password;
+        passwordWasInteractive = result.interactive;
+        derivedKey = deriveKey(password);
+    }
+    const spinner = ora("Checking repository visibility").start();
     try {
+        const visibility = await checkRepoVisibility(config.repository);
+        if (visibility === "public") {
+            spinner.fail("Backup refused — repository is public");
+            throw new Error(`Repository "${config.repository}" is publicly accessible.\n` +
+                "Backing up to a public repo would expose sensitive files.\n" +
+                "Make the repository private, then try again.");
+        }
+        spinner.text = "Resolving files";
         const userFiles = resolveFiles(config);
         logger.info(`Resolved ${pluralize(userFiles.length, "file")}`);
         if (userFiles.length === 0) {
@@ -21,10 +61,29 @@ export async function backup() {
         const files = [...userFiles, CONFIG_PATH];
         spinner.text = "Syncing with remote";
         await gitPull(config.repository);
+        if (derivedKey) {
+            const existingEncryptedFile = findEncryptedFile(machineDir(config.machine));
+            if (existingEncryptedFile) {
+                spinner.text = "Verifying encryption password";
+                const encryptedContent = fs.readFileSync(existingEncryptedFile);
+                try {
+                    decrypt(encryptedContent, derivedKey);
+                }
+                catch {
+                    spinner.fail("Backup failed");
+                    throw new Error("Password does not match the existing backup.");
+                }
+            }
+            else if (passwordWasInteractive) {
+                spinner.stop();
+                await confirmPassword(password);
+                spinner.start();
+            }
+        }
         spinner.text = `Copying ${pluralize(files.length, "file")} to staging`;
         cleanStaging(config.machine);
-        copyToStaging(files, config.machine);
-        writeRepoReadme(config.repository);
+        copyToStaging(files, config.machine, derivedKey);
+        writeRepoReadme(config.repository, config.encrypt);
         spinner.text = "Pushing to remote";
         const result = await gitCommitAndPush();
         const successMsg = result?.commitUrl
@@ -37,5 +96,8 @@ export async function backup() {
         spinner.fail("Backup failed");
         throw err;
     }
+    if (password) {
+        await offerToSaveKeyFile(password);
+    }
     logger.info("Backup complete");
 }

package/dist/commands/history.js

@@ -22,14 +22,17 @@ export async function history(repoUrl) {
         console.log("\n  No backup history found.\n");
         return;
     }
-    const selectedCommit = await select({
+    const selectedCommitHash = await select({
         message: "Select a backup to restore from:",
         loop: false,
-        choices: commits.map((c) => ({
-            name: `${c.hash.slice(0, 7)}  ${c.date.split("T")[0]}  ${c.message}`,
-            value: c.hash,
-        })),
+        choices: commits.map((commit) => {
+            const dateOnly = commit.date.split("T")[0];
+            return {
+                name: `${commit.hash.slice(0, 7)}  ${dateOnly}  ${commit.message}`,
+                value: commit.hash,
+            };
+        }),
     });
     console.log();
-    await restore({ repoUrl, commit: selectedCommit });
+    await restore({ repoUrl, commit: selectedCommitHash });
 }

package/dist/commands/init.js

@@ -17,7 +17,7 @@ function getMachineName() {
     }
     return os.hostname().replace(/\.(local|localdomain)$/, "");
 }
-const TEMPLATE = {
+const DEFAULT_CONFIG = {
     repository: "git@github.com:USERNAME/backdot-backup.git",
     machine: getMachineName(),
     paths: ["~/.zshrc", "~/.gitconfig"],
@@ -42,10 +42,11 @@ export function init() {
         console.log(`  ${chalk.yellow(`${CONFIG_PATH} already exists — skipping creation.`)}`);
     }
     else {
-        fs.writeFileSync(CONFIG_PATH, JSON.stringify(TEMPLATE, null, 2) + "\n");
+        fs.writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2) + "\n");
         console.log(`  Created ${CONFIG_PATH} with defaults.`);
     }
     console.log("  Open it and set your repository URL and files to back up.");
+    console.log(`  To encrypt backups, add ${chalk.bold('"encrypt": true')} to the config.`);
     console.log();
     // Step 3
     console.log(chalk.bold("  Step 3 — Run your first backup"));

package/dist/commands/restore.js

@@ -8,14 +8,16 @@ import { gitPull } from "../git.js";
 import { STAGING_DIR, machineDir } from "../staging.js";
 import { logger } from "../log.js";
 import { pluralize } from "../utils.js";
+import { decrypt, deriveKey } from "../crypto/encryption.js";
+import { resolvePassword, offerToSaveKeyFile, ENC_SUFFIX } from "../crypto/password.js";
 const HOME = os.homedir();
-function walkDir(dir) {
+function listFilesRecursively(dir) {
     return fs
         .readdirSync(dir, { withFileTypes: true })
         .filter((entry) => entry.name !== ".git")
         .flatMap((entry) => {
-        const full = path.join(dir, entry.name);
-        return entry.isDirectory() ? walkDir(full) : [full];
+        const fullPath = path.join(dir, entry.name);
+        return entry.isDirectory() ? listFilesRecursively(fullPath) : [fullPath];
     });
 }
 function listMachines() {
@@ -24,8 +26,8 @@ function listMachines() {
     }
     return fs
         .readdirSync(STAGING_DIR, { withFileTypes: true })
-        .filter((e) => e.isDirectory() && e.name !== ".git")
-        .map((e) => e.name);
+        .filter((entry) => entry.isDirectory() && entry.name !== ".git")
+        .map((entry) => entry.name);
 }
 async function resolveRepoAndMachine(repoUrl, commit) {
     if (!repoUrl) {
@@ -85,61 +87,80 @@ export async function restore({ repoUrl, commit, yes, } = {}) {
         }
         return;
     }
-    const stagedFiles = walkDir(baseDir);
+    const stagedFiles = listFilesRecursively(baseDir);
     logger.info(`Found ${pluralize(stagedFiles.length, "file")} in backup repository`);
     if (stagedFiles.length === 0) {
         spinner.stop();
         console.log("No files found in backup repository.");
         return;
     }
-    const fileMappings = stagedFiles.map((src) => {
-        const rel = path.relative(baseDir, src);
-        return { src, dest: path.join(HOME, rel), rel };
+    const fileMappings = stagedFiles.map((stagedFilePath) => {
+        let relativePath = path.relative(baseDir, stagedFilePath);
+        if (relativePath.endsWith(ENC_SUFFIX)) {
+            relativePath = relativePath.slice(0, -ENC_SUFFIX.length);
+        }
+        return { src: stagedFilePath, dest: path.join(HOME, relativePath), rel: relativePath };
     });
-    const existing = fileMappings.filter((f) => fs.existsSync(f.dest));
-    const fresh = fileMappings.filter((f) => !fs.existsSync(f.dest));
-    logger.info(`${fresh.length} new, ${existing.length} already exist`);
+    const filesAlreadyOnDisk = fileMappings.filter((file) => fs.existsSync(file.dest));
+    const newFiles = fileMappings.filter((file) => !fs.existsSync(file.dest));
+    logger.info(`${newFiles.length} new, ${filesAlreadyOnDisk.length} already exist`);
     spinner.stop();
     console.log();
-    let toRestore;
+    let filesToRestore;
     if (yes) {
-        toRestore = fresh;
-        if (existing.length > 0) {
-            console.log(`  Skipped ${pluralize(existing.length, "existing file")}. Run without --yes to select them.`);
+        filesToRestore = newFiles;
+        if (filesAlreadyOnDisk.length > 0) {
+            console.log(`  Skipped ${pluralize(filesAlreadyOnDisk.length, "existing file")}. Run without --yes to select them.`);
             console.log();
         }
     }
     else {
         const choices = [];
-        if (fresh.length > 0) {
-            choices.push(new Separator(`── New files (${fresh.length}) ──`));
-            for (const f of fresh) {
-                choices.push({ name: f.rel, value: f, checked: true });
+        if (newFiles.length > 0) {
+            choices.push(new Separator(`── New files (${newFiles.length}) ──`));
+            for (const file of newFiles) {
+                choices.push({ name: file.rel, value: file, checked: true });
             }
         }
-        if (existing.length > 0) {
-            choices.push(new Separator(`── Existing files — will overwrite (${existing.length}) ──`));
-            for (const f of existing) {
-                choices.push({ name: f.rel, value: f, checked: false });
+        if (filesAlreadyOnDisk.length > 0) {
+            choices.push(new Separator(`── Existing files — will overwrite (${filesAlreadyOnDisk.length}) ──`));
+            for (const file of filesAlreadyOnDisk) {
+                choices.push({ name: file.rel, value: file, checked: false });
             }
         }
-        toRestore = await checkbox({
+        filesToRestore = await checkbox({
             message: "Select files to restore:",
             loop: false,
             choices,
         });
         console.log();
     }
-    if (toRestore.length === 0) {
+    if (filesToRestore.length === 0) {
         console.log("No files selected for restore.");
         return;
     }
-    const copySpinner = ora("Restoring files").start();
-    for (const { src, dest } of toRestore) {
+    let password;
+    const hasEncryptedFiles = filesToRestore.some(({ src }) => src.endsWith(ENC_SUFFIX));
+    if (hasEncryptedFiles) {
+        const result = await resolvePassword();
+        password = result.password;
+    }
+    const derivedKey = password ? deriveKey(password) : undefined;
+    const restoreSpinner = ora("Restoring files").start();
+    for (const { src, dest } of filesToRestore) {
         fs.mkdirSync(path.dirname(dest), { recursive: true });
-        fs.copyFileSync(src, dest);
+        if (derivedKey && src.endsWith(ENC_SUFFIX)) {
+            const content = fs.readFileSync(src);
+            fs.writeFileSync(dest, decrypt(content, derivedKey));
+        }
+        else {
+            fs.copyFileSync(src, dest);
+        }
     }
-    copySpinner.succeed(`Restored ${pluralize(toRestore.length, "file")}`);
+    restoreSpinner.succeed(`Restored ${pluralize(filesToRestore.length, "file")}`);
     console.log();
-    logger.info(`Restored ${pluralize(toRestore.length, "file")}`);
+    if (password) {
+        await offerToSaveKeyFile(password);
+    }
+    logger.info(`Restored ${pluralize(filesToRestore.length, "file")}`);
 }

package/dist/commands/schedule.js

@@ -1,4 +1,8 @@
+import fs from "node:fs";
+import chalk from "chalk";
 import { setupLaunchd, uninstallLaunchd } from "../launchd.js";
+import { loadConfig } from "../config.js";
+import { KEY_FILE_PATH } from "../crypto/password.js";
 function requireMacOS() {
     if (process.platform !== "darwin") {
         throw new Error("Scheduling is only supported on macOS (launchd). Use cron or systemd on Linux.");
@@ -7,6 +11,16 @@ function requireMacOS() {
 export function schedule() {
     requireMacOS();
     setupLaunchd();
+    try {
+        const config = loadConfig();
+        if (config.encrypt && !fs.existsSync(KEY_FILE_PATH)) {
+            console.log(chalk.yellow(`  Encryption is enabled. Run ${chalk.bold("backdot backup")} once to create ~/.backdot.key,\n` +
+                `  or set ${chalk.bold("BACKDOT_PASSWORD")} in your environment.\n`));
+        }
+    }
+    catch {
+        // Config may not exist yet; ignore
+    }
 }
 export function unschedule() {
     requireMacOS();

package/dist/commands/status.js

@@ -6,17 +6,47 @@ import { resolveFiles } from "../resolveFiles.js";
 import { compareFiles } from "../staging.js";
 import { isScheduled } from "../launchd.js";
 import { pluralize } from "../utils.js";
-function tildePath(filePath) {
+import { checkRepoVisibility } from "../repoVisibility.js";
+import { deriveKey } from "../crypto/encryption.js";
+import { resolvePassword } from "../crypto/password.js";
+function abbreviateHomePath(filePath) {
     const home = os.homedir();
     return filePath.startsWith(home) ? "~" + filePath.slice(home.length) : filePath;
 }
+function formatVisibility(visibility) {
+    switch (visibility) {
+        case "public":
+            return chalk.red.bold("public (backup disabled)");
+        case "private":
+            return chalk.green("private");
+        case "unknown":
+            return chalk.yellow("unknown (could not verify)");
+    }
+}
 export async function status() {
     const scheduled = isScheduled();
     console.log();
-    console.log(`  Schedule:  ${scheduled ? "active (daily at 02:00)" : `not active  (run ${chalk.bold("backdot schedule")} to enable)`}`);
+    console.log(`  Schedule:    ${scheduled ? "active (daily at 02:00)" : `not active  (run ${chalk.bold("backdot schedule")} to enable)`}`);
     const config = loadConfig();
-    console.log(`  Repo:      ${config.repository}`);
-    console.log(`  Machine:   ${config.machine}`);
+    console.log(`  Repo:        ${config.repository}`);
+    console.log(`  Machine:     ${config.machine}`);
+    if (config.encrypt) {
+        console.log(`  Encryption:  ${chalk.green("enabled")}`);
+    }
+    const visibilitySpinner = ora("Checking repository visibility").start();
+    const visibility = await checkRepoVisibility(config.repository);
+    visibilitySpinner.stop();
+    if (visibility !== "private") {
+        console.log(`  Visibility:  ${formatVisibility(visibility)}`);
+    }
+    if (visibility === "public") {
+        console.log();
+        console.log(chalk.red("  ⚠ Repository is public. Backup is disabled to prevent leaking sensitive files.\n" +
+            "    Make the repository private, then try again."));
+        console.log();
+        return;
+    }
+    const derivedKey = config.encrypt ? deriveKey((await resolvePassword()).password) : undefined;
     console.log();
     const spinner = ora("Resolving files").start();
     try {
@@ -28,7 +58,12 @@ export async function status() {
         }
         const files = [...userFiles, CONFIG_PATH];
         spinner.text = "Comparing with remote backup";
-        const { backedUp, modified, notBackedUp, error } = await compareFiles(files, config.machine, config.repository);
+        const { backedUp, modified, notBackedUp, error } = await compareFiles({
+            files,
+            machine: config.machine,
+            repository: config.repository,
+            derivedKey,
+        });
         spinner.stop();
         if (error) {
             console.log(chalk.yellow(`  Could not fetch status: ${error}`));
@@ -40,22 +75,22 @@ export async function status() {
         else {
             if (modified.length > 0) {
                 console.log(chalk.yellow(`  Modified since last backup (${modified.length}):`));
-                for (const f of modified) {
-                    console.log(`        ${tildePath(f)}`);
+                for (const filePath of modified) {
+                    console.log(`        ${abbreviateHomePath(filePath)}`);
                 }
                 console.log();
             }
             if (notBackedUp.length > 0) {
                 console.log(chalk.red(`  Not yet backed up (${notBackedUp.length}):`));
-                for (const f of notBackedUp) {
-                    console.log(`        ${tildePath(f)}`);
+                for (const filePath of notBackedUp) {
+                    console.log(`        ${abbreviateHomePath(filePath)}`);
                 }
                 console.log();
             }
             if (backedUp.length > 0) {
                 console.log(chalk.green(`  Backed up (${backedUp.length}):`));
-                for (const f of backedUp) {
-                    console.log(`        ${tildePath(f)}`);
+                for (const filePath of backedUp) {
+                    console.log(`        ${abbreviateHomePath(filePath)}`);
                 }
                 console.log();
             }

package/dist/commitUrl.js

@@ -1,7 +1,7 @@
 const PROVIDERS = {
-    "github.com": (p, sha) => `https://github.com/${p}/commit/${sha}`,
-    "gitlab.com": (p, sha) => `https://gitlab.com/${p}/-/commit/${sha}`,
-    "bitbucket.org": (p, sha) => `https://bitbucket.org/${p}/commits/${sha}`,
+    "github.com": (repoPath, sha) => `https://github.com/${repoPath}/commit/${sha}`,
+    "gitlab.com": (repoPath, sha) => `https://gitlab.com/${repoPath}/-/commit/${sha}`,
+    "bitbucket.org": (repoPath, sha) => `https://bitbucket.org/${repoPath}/commits/${sha}`,
 };
 export function getCommitUrl(remoteUrl, sha) {
     for (const [host, buildUrl] of Object.entries(PROVIDERS)) {
@@ -9,7 +9,8 @@ export function getCommitUrl(remoteUrl, sha) {
         if (idx === -1) {
             continue;
         }
-        let repoPath = remoteUrl.slice(idx + host.length + 1).trim();
+        const separatorLength = 1; // skip the ":" (SSH) or "/" (HTTPS) after the hostname
+        let repoPath = remoteUrl.slice(idx + host.length + separatorLength).trim();
         if (repoPath.endsWith(".git")) {
             repoPath = repoPath.slice(0, -4);
         }

package/dist/config.d.ts

@@ -1,10 +1,11 @@
 import { z } from "zod";
 export declare const CONFIG_PATH: string;
-export declare function expandTilde(p: string): string;
+export declare function expandTilde(pattern: string): string;
 declare const ConfigSchema: z.ZodObject<{
     repository: z.ZodString;
     machine: z.ZodString;
     paths: z.ZodArray<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
+    encrypt: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
 }, z.core.$strip>;
 export type Config = z.infer<typeof ConfigSchema>;
 export declare function loadConfig(): Config;

package/dist/config.js

@@ -3,14 +3,15 @@ import path from "node:path";
 import os from "node:os";
 import { z } from "zod";
 export const CONFIG_PATH = path.join(os.homedir(), ".backdot.json");
-export function expandTilde(p) {
-    if (p.startsWith("!")) {
-        return "!" + expandTilde(p.slice(1));
+export function expandTilde(pattern) {
+    // fast-glob uses "!" for negation patterns — preserve the prefix, expand the rest
+    if (pattern.startsWith("!")) {
+        return "!" + expandTilde(pattern.slice(1));
     }
-    if (p.startsWith("~/") || p === "~") {
-        return path.join(os.homedir(), p.slice(1));
+    if (pattern.startsWith("~/") || pattern === "~") {
+        return path.join(os.homedir(), pattern.slice(1));
     }
-    return p;
+    return pattern;
 }
 const ConfigSchema = z.object({
     repository: z.string().min(1),
@@ -18,30 +19,31 @@ const ConfigSchema = z.object({
     paths: z
         .array(z.string().min(1).transform(expandTilde))
         .min(1, '"paths" must be a non-empty array'),
+    encrypt: z.boolean().optional().default(false),
 });
 export function loadConfig() {
     if (!fs.existsSync(CONFIG_PATH)) {
         throw new Error(`Config file not found: ${CONFIG_PATH}\n  Run "backdot init" to create it.`);
     }
-    let raw;
+    let rawJson;
     try {
-        raw = fs.readFileSync(CONFIG_PATH, "utf-8");
+        rawJson = fs.readFileSync(CONFIG_PATH, "utf-8");
     }
     catch {
         throw new Error(`Failed to read config file: ${CONFIG_PATH}`);
     }
     let parsed;
     try {
-        parsed = JSON.parse(raw);
+        parsed = JSON.parse(rawJson);
     }
     catch {
         throw new Error(`Invalid JSON in config file: ${CONFIG_PATH}`);
     }
     const result = ConfigSchema.safeParse(parsed);
     if (!result.success) {
-        const messages = result.error.issues.map((i) => {
-            const path = i.path.length > 0 ? `"${i.path.join(".")}"` : "config";
-            return `  - ${path}: ${i.message}`;
+        const messages = result.error.issues.map((issue) => {
+            const field = issue.path.length > 0 ? `"${issue.path.join(".")}"` : "config";
+            return `  - ${field}: ${issue.message}`;
         });
         throw new Error(`Invalid config in ${CONFIG_PATH}:\n${messages.join("\n")}`);
     }

package/dist/crypto/encryption.d.ts

@@ -0,0 +1,8 @@
+export interface DerivedKey {
+    password: string;
+    salt: Buffer;
+    key: Buffer;
+}
+export declare function deriveKey(password: string, salt?: Buffer): DerivedKey;
+export declare function encrypt(plaintext: Buffer, derivedKey: DerivedKey): Buffer;
+export declare function decrypt(encrypted: Buffer, derivedKey: DerivedKey): Buffer;

package/dist/crypto/encryption.js

@@ -0,0 +1,54 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+// Higher N = harder to brute-force but slower to encrypt/decrypt (~300ms).
+// 2^17 is the OWASP minimum recommendation for password-based key derivation.
+const SCRYPT_N = 2 ** 17;
+const SCRYPT_R = 8;
+const SCRYPT_PARAMS = {
+    N: SCRYPT_N,
+    r: SCRYPT_R,
+    p: 1,
+    maxmem: 128 * SCRYPT_N * SCRYPT_R * 2, // must exceed 128*N*r
+};
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+export function deriveKey(password, salt) {
+    const resolvedSalt = salt ?? crypto.randomBytes(SALT_LENGTH);
+    const key = crypto.scryptSync(password, resolvedSalt, KEY_LENGTH, SCRYPT_PARAMS);
+    return { password, salt: resolvedSalt, key };
+}
+function deriveKeyForSalt(derivedKey, salt) {
+    if (derivedKey.salt.equals(salt)) {
+        return derivedKey.key;
+    }
+    return crypto.scryptSync(derivedKey.password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, derivedKey) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, derivedKey.key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([derivedKey.salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encrypted, derivedKey) {
+    if (encrypted.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
+    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
+    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
+    const ciphertext = encrypted.subarray(offset);
+    const key = deriveKeyForSalt(derivedKey, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/crypto/password.d.ts

@@ -0,0 +1,11 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;