backdot 1.7.0 → 1.8.1

package/dist/crypto/encryption.js

@@ -0,0 +1,57 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+// Higher N = harder to brute-force but slower to encrypt/decrypt (~300ms).
+// 2^17 is the OWASP minimum recommendation for password-based key derivation.
+const SCRYPT_N = 2 ** 17;
+const SCRYPT_R = 8;
+const SCRYPT_PARAMS = {
+    N: SCRYPT_N,
+    r: SCRYPT_R,
+    p: 1,
+    maxmem: 128 * SCRYPT_N * SCRYPT_R * 2, // must exceed 128*N*r
+};
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+export function deriveKey(passwordHash, salt) {
+    const resolvedSalt = salt ?? crypto.randomBytes(SALT_LENGTH);
+    const key = crypto.scryptSync(passwordHash, resolvedSalt, KEY_LENGTH, SCRYPT_PARAMS);
+    return { passwordHash, salt: resolvedSalt, key };
+}
+function deriveKeyForSalt(derivedKey, salt) {
+    if (derivedKey.salt.equals(salt)) {
+        return derivedKey.key;
+    }
+    return crypto.scryptSync(derivedKey.passwordHash, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, derivedKey) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, derivedKey.key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([derivedKey.salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encryptedPayload, derivedKey) {
+    if (encryptedPayload.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encryptedPayload.subarray(offset, offset + SALT_LENGTH);
+    offset += SALT_LENGTH;
+    const iv = encryptedPayload.subarray(offset, offset + IV_LENGTH);
+    offset += IV_LENGTH;
+    const authTag = encryptedPayload.subarray(offset, offset + AUTH_TAG_LENGTH);
+    offset += AUTH_TAG_LENGTH;
+    const ciphertext = encryptedPayload.subarray(offset);
+    const key = deriveKeyForSalt(derivedKey, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/crypto/password.d.ts

@@ -0,0 +1,12 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export type PasswordSource = "env" | "file" | "prompt";
+export interface PasswordResult {
+    password: string;
+    source: PasswordSource;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(hashedPassword: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto/password.js

@@ -0,0 +1,78 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+function hashPassword(password) {
+    return crypto.createHash("sha256").update(password).digest("hex");
+}
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: hashPassword(envPassword), source: "env" };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, source: "file" };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error(`Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ${KEY_FILE_PATH}, or set BACKDOT_PASSWORD.`);
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: hashPassword(enteredPassword), source: "prompt" };
+}
+export async function confirmPassword(hashedPassword) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (hashPassword(confirmedPassword) !== hashedPassword) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: `Save password to ${KEY_FILE_PATH} for automated backups?`,
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/crypto.d.ts

@@ -0,0 +1,13 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function encryptBuffer(plaintext: Buffer, password: string): Buffer;
+export declare function decryptBuffer(data: Buffer, password: string): Buffer;
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto.js

@@ -0,0 +1,129 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+// File-format signature identifying backdot-encrypted files
+const MAGIC = Buffer.from("BDOT");
+const VERSION = 0x01;
+const HEADER_SIZE = MAGIC.length + 1; // 5 bytes: magic + version
+const SALT_SIZE = 32;
+const IV_SIZE = 12;
+const TAG_SIZE = 16;
+const KEY_SIZE = 32;
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_SIZE, { N: 2 ** 14, r: 8, p: 1 });
+}
+export function encryptBuffer(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_SIZE);
+    const iv = crypto.randomBytes(IV_SIZE);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([MAGIC, Buffer.from([VERSION]), salt, iv, tag, encrypted]);
+}
+export function decryptBuffer(data, password) {
+    if (!isEncrypted(data)) {
+        throw new Error("File is not encrypted (missing BDOT header).");
+    }
+    const minSize = HEADER_SIZE + SALT_SIZE + IV_SIZE + TAG_SIZE;
+    if (data.length < minSize) {
+        throw new Error("Encrypted file is too short or corrupted.");
+    }
+    let offset = HEADER_SIZE;
+    const salt = data.subarray(offset, offset + SALT_SIZE);
+    offset += SALT_SIZE;
+    const iv = data.subarray(offset, offset + IV_SIZE);
+    offset += IV_SIZE;
+    const tag = data.subarray(offset, offset + TAG_SIZE);
+    offset += TAG_SIZE;
+    const ciphertext = data.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(tag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted file.");
+    }
+}
+function isEncrypted(data) {
+    return (data.length >= HEADER_SIZE &&
+        data[0] === MAGIC[0] &&
+        data[1] === MAGIC[1] &&
+        data[2] === MAGIC[2] &&
+        data[3] === MAGIC[3] &&
+        data[4] === VERSION);
+}
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}

package/dist/encryption.d.ts

@@ -0,0 +1,2 @@
+export declare function encrypt(plaintext: Buffer, password: string): Buffer;
+export declare function decrypt(encrypted: Buffer, password: string): Buffer;

package/dist/encryption.js

@@ -0,0 +1,39 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const SALT_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
+const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+function deriveKey(password, salt) {
+    return crypto.scryptSync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+}
+export function encrypt(plaintext, password) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const key = deriveKey(password, salt);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([salt, iv, authTag, ciphertext]);
+}
+export function decrypt(encrypted, password) {
+    if (encrypted.length < OVERHEAD) {
+        throw new Error("Data is too short to be encrypted content.");
+    }
+    let offset = 0;
+    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
+    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
+    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
+    const ciphertext = encrypted.subarray(offset);
+    const key = deriveKey(password, salt);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch {
+        throw new Error("Decryption failed — wrong password or corrupted data.");
+    }
+}

package/dist/git.d.ts

@@ -8,10 +8,10 @@ interface FileChangeSummary {
         to: string;
     }>;
 }
-export declare function buildCommitMessage(changes: FileChangeSummary, maxLen?: number): string;
+export declare function buildCommitMessage(changes: FileChangeSummary, maxLength?: number): string;
 export declare function ensureRemoteUrl(repository: string): Promise<void>;
 export declare function getCurrentBranch(git: SimpleGit): Promise<string>;
-export declare function friendlyGitError(raw: string, repository: string): string;
+export declare function friendlyGitError(rawErrorMessage: string, repository: string): string;
 export declare function gitError(err: unknown, repository: string): Error;
 export declare function gitPull(repository: string, commit?: string): Promise<void>;
 export declare function gitLog(limit?: number): Promise<Array<{

package/dist/git.js

@@ -6,44 +6,46 @@ import { logger } from "./log.js";
 import { STAGING_DIR, STAGING_GIT_DIR } from "./paths.js";
 import { getCommitUrl } from "./commitUrl.js";
 import { errorMessage, pluralize, uniq } from "./utils.js";
-export function buildCommitMessage(changes, maxLen = 250) {
-    const unique = (paths) => uniq(paths.map((f) => path.basename(f)));
-    const removed = unique(changes.deleted);
-    const added = unique(changes.created);
-    const modified = unique([...changes.modified, ...changes.renamed.map((r) => r.to)]);
+export function buildCommitMessage(changes, maxLength = 250) {
+    const uniqueBasenames = (paths) => uniq(paths.map((filePath) => path.basename(filePath)));
+    const removed = uniqueBasenames(changes.deleted);
+    const added = uniqueBasenames(changes.created);
+    const modified = uniqueBasenames([...changes.modified, ...changes.renamed.map((r) => r.to)]);
     const categories = [
         { label: "removed", files: removed },
         { label: "added", files: added },
         { label: "modified", files: modified },
-    ].filter((c) => c.files.length > 0);
+    ].filter((category) => category.files.length > 0);
     if (categories.length === 0) {
-        return "backup"; // fallback commit message when no changes are categorized
+        return "backup";
     }
-    function format(cat, listFiles) {
+    function formatCategory(category, listFiles) {
         if (listFiles) {
-            return `${cat.label}: ${cat.files.join(", ")}`;
+            return `${category.label}: ${category.files.join(", ")}`;
         }
-        return `${cat.label}: ${pluralize(cat.files.length, "file")}`;
+        return `${category.label}: ${pluralize(category.files.length, "file")}`;
     }
-    function build(listFlags) {
-        return categories.map((cat, i) => format(cat, listFlags[i])).join("; ");
+    function joinCategories(showFileNames) {
+        return categories.map((category, i) => formatCategory(category, showFileNames[i])).join("; ");
     }
-    const flags = categories.map(() => true);
-    let msg = build(flags);
-    if (msg.length <= maxLen) {
-        return msg;
+    // If the message exceeds maxLength, progressively replace file lists with
+    // counts, starting with the least important category.
+    const showFileNames = categories.map(() => true);
+    let message = joinCategories(showFileNames);
+    if (message.length <= maxLength) {
+        return message;
     }
     for (const label of ["modified", "added", "removed"]) {
-        const idx = categories.findIndex((c) => c.label === label);
-        if (idx !== -1 && flags[idx]) {
-            flags[idx] = false;
-            msg = build(flags);
-            if (msg.length <= maxLen) {
-                return msg;
+        const idx = categories.findIndex((category) => category.label === label);
+        if (idx !== -1 && showFileNames[idx]) {
+            showFileNames[idx] = false;
+            message = joinCategories(showFileNames);
+            if (message.length <= maxLength) {
+                return message;
             }
         }
     }
-    return msg.slice(0, maxLen - 3) + "...";
+    return message.slice(0, maxLength - 3) + "...";
 }
 export async function ensureRemoteUrl(repository) {
     const git = simpleGit(STAGING_DIR);
@@ -55,22 +57,23 @@ export async function ensureRemoteUrl(repository) {
 export async function getCurrentBranch(git) {
     return (await git.revparse(["--abbrev-ref", "HEAD"])).trim();
 }
-export function friendlyGitError(raw, repository) {
-    const msg = raw.toLowerCase();
-    if (msg.includes("not found") ||
-        msg.includes("does not exist") ||
-        msg.includes("does not appear to be a git repository")) {
+export function friendlyGitError(rawErrorMessage, repository) {
+    const normalizedMessage = rawErrorMessage.toLowerCase();
+    if (normalizedMessage.includes("not found") ||
+        normalizedMessage.includes("does not exist") ||
+        normalizedMessage.includes("does not appear to be a git repository")) {
         return `Repository "${repository}" not found. Check the URL and that you have access.`;
     }
-    if (msg.includes("authentication failed") || msg.includes("could not read username")) {
+    if (normalizedMessage.includes("authentication failed") ||
+        normalizedMessage.includes("could not read username")) {
         return `Authentication failed for "${repository}". Check your credentials or SSH key.`;
     }
-    if (msg.includes("could not resolve host") ||
-        msg.includes("connection refused") ||
-        msg.includes("connection timed out")) {
+    if (normalizedMessage.includes("could not resolve host") ||
+        normalizedMessage.includes("connection refused") ||
+        normalizedMessage.includes("connection timed out")) {
         return "Could not connect to remote host. Check your internet connection.";
     }
-    return raw;
+    return rawErrorMessage;
 }
 export function gitError(err, repository) {
     const raw = errorMessage(err);
@@ -82,8 +85,8 @@ export async function gitPull(repository, commit) {
             const git = simpleGit(STAGING_DIR);
             await ensureRemoteUrl(repository);
             await git.fetch("origin");
-            const target = commit ?? `origin/${await getCurrentBranch(git)}`;
-            await git.reset(["--hard", target]);
+            const resetTarget = commit ?? `origin/${await getCurrentBranch(git)}`;
+            await git.reset(["--hard", resetTarget]);
             await git.clean(CleanOptions.FORCE, ["-d"]);
         }
         else {
@@ -113,8 +116,8 @@ export async function gitPull(repository, commit) {
 }
 export async function gitLog(limit = 20) {
     const git = simpleGit(STAGING_DIR);
-    const log = await git.log({ maxCount: limit });
-    return log.all.map((entry) => ({
+    const logResult = await git.log({ maxCount: limit });
+    return logResult.all.map((entry) => ({
         hash: entry.hash,
         date: entry.date,
         message: entry.message,
@@ -130,6 +133,7 @@ export async function gitCommitAndPush() {
     }
     const message = buildCommitMessage(status);
     await git.commit(message);
+    const remoteUrl = ((await git.remote(["get-url", "origin"])) ?? "").trim();
     try {
         await pRetry(async () => git.push(["-u", "origin", "HEAD"]), {
             retries: 5,
@@ -148,12 +152,10 @@ export async function gitCommitAndPush() {
         });
     }
     catch (err) {
-        const remoteUrl = ((await git.remote(["get-url", "origin"])) ?? "").trim();
         throw gitError(err, remoteUrl);
     }
     logger.info(`Committed and pushed: ${message}`);
-    const sha = (await git.revparse(["HEAD"])).trim();
-    const remoteUrl = (await git.remote(["get-url", "origin"])) ?? "";
-    const commitUrl = getCommitUrl(remoteUrl, sha);
+    const commitHash = (await git.revparse(["HEAD"])).trim();
+    const commitUrl = getCommitUrl(remoteUrl, commitHash);
     return { commitUrl };
 }

package/dist/launchd.js

@@ -5,15 +5,15 @@ import os from "node:os";
 import ora from "ora";
 import { logger } from "./log.js";
 import { errorMessage } from "./utils.js";
-function escapeXml(s) {
-    return s
+function escapeXml(text) {
+    return text
         .replace(/&/g, "&")
         .replace(/</g, "&lt;")
         .replace(/>/g, "&gt;")
         .replace(/"/g, "&quot;");
 }
-const LABEL = "com.backdot.daemon";
-const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
+const LAUNCHD_JOB_LABEL = "com.backdot.daemon";
+const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LAUNCHD_JOB_LABEL}.plist`);
 function getScriptPath() {
     const currentDir = path.dirname(new URL(import.meta.url).pathname);
     return path.resolve(currentDir, "cli.js");
@@ -28,7 +28,7 @@ function buildPlist() {
 <plist version="1.0">
 <dict>
   <key>Label</key>
-  <string>${LABEL}</string>
+  <string>${LAUNCHD_JOB_LABEL}</string>
   <key>ProgramArguments</key>
   <array>
     <string>${escapeXml(nodePath)}</string>
@@ -58,8 +58,11 @@ export function isScheduled() {
         return false;
     }
     try {
-        const output = execFileSync("launchctl", ["list", LABEL], { encoding: "utf-8", stdio: "pipe" });
-        return output.includes(LABEL);
+        const output = execFileSync("launchctl", ["list", LAUNCHD_JOB_LABEL], {
+            encoding: "utf-8",
+            stdio: "pipe",
+        });
+        return output.includes(LAUNCHD_JOB_LABEL);
     }
     catch {
         return false;
@@ -68,9 +71,9 @@ export function isScheduled() {
 export function setupLaunchd() {
     const spinner = ora("Installing schedule").start();
     const plistContent = buildPlist();
-    const dir = path.dirname(PLIST_PATH);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
+    const launchAgentsDir = path.dirname(PLIST_PATH);
+    if (!fs.existsSync(launchAgentsDir)) {
+        fs.mkdirSync(launchAgentsDir, { recursive: true });
     }
     try {
         execFileSync("launchctl", ["unload", PLIST_PATH], { stdio: "pipe" });

package/dist/notify.js

@@ -8,12 +8,12 @@ export function sendNotification(title, message) {
     if (process.platform !== "darwin") {
         return;
     }
-    const escaped = escapeAppleScript(message);
-    const titleEscaped = escapeAppleScript(title);
+    const escapedMessage = escapeAppleScript(message);
+    const escapedTitle = escapeAppleScript(title);
     try {
         execFileSync("osascript", [
             "-e",
-            `display notification "${escaped}" with title "${titleEscaped}" subtitle "Scheduled backup failed"`,
+            `display notification "${escapedMessage}" with title "${escapedTitle}" subtitle "Scheduled backup failed"`,
         ], { stdio: "pipe" });
     }
     catch (err) {

package/dist/password.d.ts

@@ -0,0 +1,11 @@
+export declare const KEY_FILE_PATH: string;
+export declare const ENC_SUFFIX = ".encrypted";
+export declare function checkKeyFilePermissions(): void;
+export declare function saveKeyFile(password: string): void;
+export interface PasswordResult {
+    password: string;
+    interactive: boolean;
+}
+export declare function resolvePassword(): Promise<PasswordResult>;
+export declare function confirmPassword(password: string): Promise<void>;
+export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/password.js

@@ -0,0 +1,74 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { password as passwordPrompt, confirm } from "@inquirer/prompts";
+export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+export const ENC_SUFFIX = ".encrypted";
+export function checkKeyFilePermissions() {
+    if (process.platform === "win32") {
+        return;
+    }
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    const stat = fs.statSync(KEY_FILE_PATH);
+    const mode = stat.mode & 0o777;
+    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
+    if (isAccessibleByGroupOrOthers) {
+        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
+            `  Run: chmod 600 ${KEY_FILE_PATH}`);
+    }
+}
+export function saveKeyFile(password) {
+    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
+}
+function readKeyFile() {
+    if (!fs.existsSync(KEY_FILE_PATH)) {
+        return null;
+    }
+    checkKeyFilePermissions();
+    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
+}
+export async function resolvePassword() {
+    const envPassword = process.env.BACKDOT_PASSWORD;
+    if (envPassword) {
+        return { password: envPassword, interactive: false };
+    }
+    const filePassword = readKeyFile();
+    if (filePassword) {
+        return { password: filePassword, interactive: false };
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+    }
+    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
+    if (!enteredPassword) {
+        throw new Error("No password provided.");
+    }
+    return { password: enteredPassword, interactive: true };
+}
+export async function confirmPassword(password) {
+    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
+    if (confirmedPassword !== password) {
+        throw new Error("Passwords do not match.");
+    }
+}
+export async function offerToSaveKeyFile(password) {
+    if (!process.stdin.isTTY) {
+        return;
+    }
+    if (fs.existsSync(KEY_FILE_PATH)) {
+        return;
+    }
+    if (process.env.BACKDOT_PASSWORD) {
+        return;
+    }
+    const save = await confirm({
+        message: "Save password to ~/.backdot.key for automated backups?",
+        default: true,
+    });
+    if (save) {
+        saveKeyFile(password);
+        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
+    }
+}