backdot 1.7.0 → 1.8.0

package/dist/crypto/password.js

@@ -0,0 +1,74 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/crypto.d.ts

@@ -0,0 +1,13 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function encryptBuffer(plaintext: Buffer, password: string): Buffer;
+export declare function decryptBuffer(data: Buffer, password: string): Buffer;
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto.js

@@ -0,0 +1,129 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+// File-format signature identifying backdot-encrypted files
+const MAGIC = Buffer.from("BDOT");
+const VERSION = 0x01;
+const HEADER_SIZE = MAGIC.length + 1; // 5 bytes: magic + version
+const SALT_SIZE = 32;
+const IV_SIZE = 12;
+const TAG_SIZE = 16;
+const KEY_SIZE = 32;
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_SIZE, { N: 2 ** 14, r: 8, p: 1 });
+}
+export function encryptBuffer(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_SIZE);
+    const iv = crypto.randomBytes(IV_SIZE);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([MAGIC, Buffer.from([VERSION]), salt, iv, tag, encrypted]);
+}
+export function decryptBuffer(data, password) {
+    if (!isEncrypted(data)) {
+        throw new Error("File is not encrypted (missing BDOT header).");
+    }
+    const minSize = HEADER_SIZE + SALT_SIZE + IV_SIZE + TAG_SIZE;
+    if (data.length < minSize) {
+        throw new Error("Encrypted file is too short or corrupted.");
+    }
+    let offset = HEADER_SIZE;
+    const salt = data.subarray(offset, offset + SALT_SIZE);
+    offset += SALT_SIZE;
+    const iv = data.subarray(offset, offset + IV_SIZE);
+    offset += IV_SIZE;
+    const tag = data.subarray(offset, offset + TAG_SIZE);
+    offset += TAG_SIZE;
+    const ciphertext = data.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(tag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted file.");
+    }
+}
+function isEncrypted(data) {
+    return (data.length >= HEADER_SIZE &&
+        data[0] === MAGIC[0] &&
+        data[1] === MAGIC[1] &&
+        data[2] === MAGIC[2] &&
+        data[3] === MAGIC[3] &&
+        data[4] === VERSION);
+}
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/encryption.d.ts

@@ -0,0 +1,2 @@
+export declare function encrypt(plaintext: Buffer, password: string): Buffer;
+export declare function decrypt(encrypted: Buffer, password: string): Buffer;

package/dist/encryption.js

@@ -0,0 +1,39 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encrypted, password) {
+    if (encrypted.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
+    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
+    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
+    const ciphertext = encrypted.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/git.d.ts

@@ -8,7 +8,7 @@ interface FileChangeSummary {
         to: string;
     }>;
 }
-export declare function buildCommitMessage(changes: FileChangeSummary, maxLen?: number): string;
+export declare function buildCommitMessage(changes: FileChangeSummary, maxLength?: number): string;
 export declare function ensureRemoteUrl(repository: string): Promise<void>;
 export declare function getCurrentBranch(git: SimpleGit): Promise<string>;
 export declare function friendlyGitError(raw: string, repository: string): string;

package/dist/git.js

@@ -6,44 +6,46 @@ import { logger } from "./log.js";
 import { STAGING_DIR, STAGING_GIT_DIR } from "./paths.js";
 import { getCommitUrl } from "./commitUrl.js";
 import { errorMessage, pluralize, uniq } from "./utils.js";
-export function buildCommitMessage(changes, maxLen = 250) {
-    const unique = (paths) => uniq(paths.map((f) => path.basename(f)));
-    const removed = unique(changes.deleted);
-    const added = unique(changes.created);
-    const modified = unique([...changes.modified, ...changes.renamed.map((r) => r.to)]);
+export function buildCommitMessage(changes, maxLength = 250) {
+    const uniqueBasenames = (paths) => uniq(paths.map((filePath) => path.basename(filePath)));
+    const removed = uniqueBasenames(changes.deleted);
+    const added = uniqueBasenames(changes.created);
+    const modified = uniqueBasenames([...changes.modified, ...changes.renamed.map((r) => r.to)]);
     const categories = [
         { label: "removed", files: removed },
         { label: "added", files: added },
         { label: "modified", files: modified },
-    ].filter((c) => c.files.length > 0);
+    ].filter((category) => category.files.length > 0);
     if (categories.length === 0) {
-        return "backup"; // fallback commit message when no changes are categorized
+        return "backup";
     }
-    function format(cat, listFiles) {
+    function formatCategory(category, listFiles) {
         if (listFiles) {
-            return `${cat.label}: ${cat.files.join(", ")}`;
+            return `${category.label}: ${category.files.join(", ")}`;
         }
-        return `${cat.label}: ${pluralize(cat.files.length, "file")}`;
+        return `${category.label}: ${pluralize(category.files.length, "file")}`;
     }
-    function build(listFlags) {
-        return categories.map((cat, i) => format(cat, listFlags[i])).join("; ");
+    function joinCategories(showFileNames) {
+        return categories.map((category, i) => formatCategory(category, showFileNames[i])).join("; ");
     }
-    const flags = categories.map(() => true);
-    let msg = build(flags);
-    if (msg.length <= maxLen) {
-        return msg;
+    // If the message exceeds maxLength, progressively replace file lists with
+    // counts, starting with the least important category.
+    const showFileNames = categories.map(() => true);
+    let message = joinCategories(showFileNames);
+    if (message.length <= maxLength) {
+        return message;
     }
     for (const label of ["modified", "added", "removed"]) {
-        const idx = categories.findIndex((c) => c.label === label);
-        if (idx !== -1 && flags[idx]) {
-            flags[idx] = false;
-            msg = build(flags);
-            if (msg.length <= maxLen) {
-                return msg;
+        const idx = categories.findIndex((category) => category.label === label);
+        if (idx !== -1 && showFileNames[idx]) {
+            showFileNames[idx] = false;
+            message = joinCategories(showFileNames);
+            if (message.length <= maxLength) {
+                return message;
             }
         }
     }
-    return msg.slice(0, maxLen - 3) + "...";
+    return message.slice(0, maxLength - 3) + "...";
 }
 export async function ensureRemoteUrl(repository) {
     const git = simpleGit(STAGING_DIR);
@@ -56,18 +58,19 @@ export async function getCurrentBranch(git) {
     return (await git.revparse(["--abbrev-ref", "HEAD"])).trim();
 }
 export function friendlyGitError(raw, repository) {
-    const msg = raw.toLowerCase();
-    if (msg.includes("not found") ||
-        msg.includes("does not exist") ||
-        msg.includes("does not appear to be a git repository")) {
+    const normalizedMessage = raw.toLowerCase();
+    if (normalizedMessage.includes("not found") ||
+        normalizedMessage.includes("does not exist") ||
+        normalizedMessage.includes("does not appear to be a git repository")) {
         return `Repository "${repository}" not found. Check the URL and that you have access.`;
     }
-    if (msg.includes("authentication failed") || msg.includes("could not read username")) {
+    if (normalizedMessage.includes("authentication failed") ||
+        normalizedMessage.includes("could not read username")) {
         return `Authentication failed for "${repository}". Check your credentials or SSH key.`;
     }
-    if (msg.includes("could not resolve host") ||
-        msg.includes("connection refused") ||
-        msg.includes("connection timed out")) {
+    if (normalizedMessage.includes("could not resolve host") ||
+        normalizedMessage.includes("connection refused") ||
+        normalizedMessage.includes("connection timed out")) {
         return "Could not connect to remote host. Check your internet connection.";
     }
     return raw;
@@ -82,8 +85,8 @@ export async function gitPull(repository, commit) {
             const git = simpleGit(STAGING_DIR);
             await ensureRemoteUrl(repository);
             await git.fetch("origin");
-            const target = commit ?? `origin/${await getCurrentBranch(git)}`;
-            await git.reset(["--hard", target]);
+            const resetTarget = commit ?? `origin/${await getCurrentBranch(git)}`;
+            await git.reset(["--hard", resetTarget]);
             await git.clean(CleanOptions.FORCE, ["-d"]);
         }
         else {
@@ -152,8 +155,8 @@ export async function gitCommitAndPush() {
         throw gitError(err, remoteUrl);
     }
     logger.info(`Committed and pushed: ${message}`);
-    const sha = (await git.revparse(["HEAD"])).trim();
+    const commitHash = (await git.revparse(["HEAD"])).trim();
     const remoteUrl = (await git.remote(["get-url", "origin"])) ?? "";
-    const commitUrl = getCommitUrl(remoteUrl, sha);
+    const commitUrl = getCommitUrl(remoteUrl, commitHash);
     return { commitUrl };
 }

package/dist/launchd.js

@@ -12,8 +12,8 @@ function escapeXml(s) {
         .replace(/>/g, ">")
         .replace(/"/g, """);
 }
-const LABEL = "com.backdot.daemon";
-const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
+const LAUNCHD_JOB_LABEL = "com.backdot.daemon";
+const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LAUNCHD_JOB_LABEL}.plist`);
 function getScriptPath() {
     const currentDir = path.dirname(new URL(import.meta.url).pathname);
     return path.resolve(currentDir, "cli.js");
@@ -28,7 +28,7 @@ function buildPlist() {
 <plist version="1.0">
 <dict>
   <key>Label</key>
-  <string>${LABEL}</string>
+  <string>${LAUNCHD_JOB_LABEL}</string>
   <key>ProgramArguments</key>
   <array>
     <string>${escapeXml(nodePath)}</string>
@@ -58,8 +58,11 @@ export function isScheduled() {
         return false;
     }
     try {
-        const output = execFileSync("launchctl", ["list", LABEL], { encoding: "utf-8", stdio: "pipe" });
-        return output.includes(LABEL);
+        const output = execFileSync("launchctl", ["list", LAUNCHD_JOB_LABEL], {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        return output.includes(LAUNCHD_JOB_LABEL);
     }
     catch {
         return false;
@@ -68,9 +71,9 @@ export function isScheduled() {
 export function setupLaunchd() {
     const spinner = ora("Installing schedule").start();
     const plistContent = buildPlist();
-    const dir = path.dirname(PLIST_PATH);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
+    const launchAgentsDir = path.dirname(PLIST_PATH);
+    if (!fs.existsSync(launchAgentsDir)) {
+        fs.mkdirSync(launchAgentsDir, { recursive: true });
     }
     try {
         execFileSync("launchctl", ["unload", PLIST_PATH], { stdio: "pipe" });

package/dist/password.d.ts

@@ -0,0 +1,11 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/password.js

@@ -0,0 +1,74 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/repoVisibility.d.ts

@@ -0,0 +1,15 @@
+export type RepoVisibility = "public" | "private" | "unknown";
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export declare function toHttpsUrl(repository: string): string | null;
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export declare function checkRepoVisibility(repository: string): Promise<RepoVisibility>;

package/dist/repoVisibility.js

@@ -0,0 +1,58 @@
+import { execFile } from "node:child_process";
+const KNOWN_HOSTS = ["github.com", "gitlab.com", "bitbucket.org"];
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export function toHttpsUrl(repository) {
+    for (const host of KNOWN_HOSTS) {
+        const idx = repository.indexOf(host);
+        if (idx === -1) {
+            continue;
+        }
+        let repoPath = repository.slice(idx + host.length + 1).trim();
+        if (!repoPath.endsWith(".git")) {
+            repoPath += ".git";
+        }
+        return `https://${host}/${repoPath}`;
+    }
+    return null;
+}
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export async function checkRepoVisibility(repository) {
+    const httpsUrl = toHttpsUrl(repository);
+    if (!httpsUrl) {
+        return "unknown";
+    }
+    try {
+        await execGitLsRemote(httpsUrl);
+        return "public";
+    }
+    catch {
+        return "private";
+    }
+}
+function execGitLsRemote(url) {
+    return new Promise((resolve, reject) => {
+        const child = execFile("git", ["-c", "credential.helper=", "ls-remote", "--quiet", url], {
+            timeout: 10_000,
+            env: { ...process.env, GIT_TERMINAL_PROMPT: "0" },
+        }, (error) => {
+            if (error) {
+                reject(error);
+            }
+            else {
+                resolve();
+            }
+        });
+        // Don't let stdin keep the process alive
+        child.stdin?.end();
+    });
+}

package/dist/resolveFiles.js

@@ -20,8 +20,8 @@ const LARGE_FILE_THRESHOLD = 10 * 1024 * 1024; // 10 MB
  * Skips entries that fail resolution and logs warnings.
  */
 export function resolveFiles(config) {
-    const unique = uniq(resolveGlobs(config.paths));
-    return unique.filter((filePath) => {
+    const deduplicatedPaths = uniq(resolveGlobs(config.paths));
+    return deduplicatedPaths.filter((filePath) => {
         try {
             fs.accessSync(filePath, fs.constants.R_OK);
             const stat = fs.statSync(filePath);

package/dist/staging.d.ts

@@ -1,13 +1,19 @@
 import { STAGING_DIR, STAGING_GIT_DIR, machineDir } from "./paths.js";
+import { type DerivedKey } from "./crypto/encryption.js";
 export { STAGING_DIR, STAGING_GIT_DIR, machineDir };
 export declare function getStagedPath(filePath: string, machine: string): string;
 export declare function cleanStaging(machine: string): void;
-export declare function copyToStaging(files: string[], machine: string): void;
+export declare function copyToStaging(files: string[], machine: string, derivedKey?: DerivedKey): void;
 export interface ComparisonResult {
     backedUp: string[];
     modified: string[];
     notBackedUp: string[];
     error?: string;
 }
-export declare function compareFiles(files: string[], machine: string, repository: string): Promise<ComparisonResult>;
-export declare function writeRepoReadme(repository: string): void;
+export declare function compareFiles(opts: {
+    files: string[];
+    machine: string;
+    repository: string;
+    derivedKey?: DerivedKey;
+}): Promise<ComparisonResult>;
+export declare function writeRepoReadme(repository: string, encrypted?: boolean): void;