backdot 1.7.0 → 1.8.1

package/dist/repoVisibility.d.ts

@@ -0,0 +1,15 @@
+export type RepoVisibility = "public" | "private" | "unknown";
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export declare function toHttpsUrl(repository: string): string | null;
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export declare function checkRepoVisibility(repository: string): Promise<RepoVisibility>;

package/dist/repoVisibility.js

@@ -0,0 +1,51 @@
+import { execFile } from "node:child_process";
+import { extractRepoPath } from "./utils.js";
+/**
+ * Converts an SSH or HTTPS repo URL to a credential-free HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ *
+ * Examples:
+ *   git@github.com:user/repo.git  → https://github.com/user/repo.git
+ *   https://github.com/user/repo  → https://github.com/user/repo.git
+ */
+export function toHttpsUrl(repository) {
+    const parsed = extractRepoPath(repository);
+    if (!parsed) {
+        return null;
+    }
+    return `https://${parsed.host}/${parsed.repoPath}.git`;
+}
+/**
+ * Checks whether `repository` is publicly readable by attempting an
+ * anonymous `git ls-remote` over HTTPS with all credential helpers disabled.
+ */
+export async function checkRepoVisibility(repository) {
+    const httpsUrl = toHttpsUrl(repository);
+    if (!httpsUrl) {
+        return "unknown";
+    }
+    try {
+        await execGitLsRemote(httpsUrl);
+        return "public";
+    }
+    catch {
+        return "private";
+    }
+}
+function execGitLsRemote(url) {
+    return new Promise((resolve, reject) => {
+        const child = execFile("git", ["-c", "credential.helper=", "ls-remote", "--quiet", url], {
+            timeout: 10_000,
+            env: { ...process.env, GIT_TERMINAL_PROMPT: "0" },
+        }, (error) => {
+            if (error) {
+                reject(error);
+            }
+            else {
+                resolve();
+            }
+        });
+        // Don't let stdin keep the process alive
+        child.stdin?.end();
+    });
+}

package/dist/resolveFiles.js

@@ -20,8 +20,8 @@ const LARGE_FILE_THRESHOLD = 10 * 1024 * 1024; // 10 MB
  * Skips entries that fail resolution and logs warnings.
  */
 export function resolveFiles(config) {
-    const unique = uniq(resolveGlobs(config.paths));
-    return unique.filter((filePath) => {
+    const deduplicatedPaths = uniq(resolveGlobs(config.paths));
+    return deduplicatedPaths.filter((filePath) => {
         try {
             fs.accessSync(filePath, fs.constants.R_OK);
             const stat = fs.statSync(filePath);

package/dist/staging.d.ts

@@ -1,13 +1,19 @@
 import { STAGING_DIR, STAGING_GIT_DIR, machineDir } from "./paths.js";
+import { type DerivedKey } from "./crypto/encryption.js";
 export { STAGING_DIR, STAGING_GIT_DIR, machineDir };
 export declare function getStagedPath(filePath: string, machine: string): string;
 export declare function cleanStaging(machine: string): void;
-export declare function copyToStaging(files: string[], machine: string): void;
+export declare function copyToStaging(files: string[], machine: string, derivedKey?: DerivedKey): void;
 export interface ComparisonResult {
     backedUp: string[];
     modified: string[];
     notBackedUp: string[];
     error?: string;
 }
-export declare function compareFiles(files: string[], machine: string, repository: string): Promise<ComparisonResult>;
-export declare function writeRepoReadme(repository: string): void;
+export declare function compareFiles(opts: {
+    files: string[];
+    machine: string;
+    repository: string;
+    derivedKey?: DerivedKey;
+}): Promise<ComparisonResult>;
+export declare function writeRepoReadme(repository: string, encrypted?: boolean): void;

package/dist/staging.js

@@ -7,42 +7,55 @@ import { logger } from "./log.js";
 import { errorMessage, pluralize } from "./utils.js";
 import { ensureRemoteUrl, getCurrentBranch, gitError } from "./git.js";
 import { STAGING_DIR, STAGING_GIT_DIR, machineDir } from "./paths.js";
+import { encrypt, decrypt } from "./crypto/encryption.js";
+import { KEY_FILE_PATH, ENC_SUFFIX } from "./crypto/password.js";
 export { STAGING_DIR, STAGING_GIT_DIR, machineDir };
 const HOME = os.homedir();
 export function getStagedPath(filePath, machine) {
-    const rel = path.relative(HOME, filePath);
-    const destRel = rel.startsWith("..") ? filePath.slice(1) : rel;
-    return path.join(machineDir(machine), destRel);
+    const relativePath = path.relative(HOME, filePath);
+    // Files outside HOME (e.g. /etc/foo) produce a relative path starting with "..",
+    // which would escape the machine dir. Use the absolute path minus the leading "/" instead.
+    const pathWithinMachineDir = relativePath.startsWith("..") ? filePath.slice(1) : relativePath;
+    return path.join(machineDir(machine), pathWithinMachineDir);
 }
 export function cleanStaging(machine) {
-    const dir = machineDir(machine);
-    if (!fs.existsSync(dir)) {
+    const machineStagingDir = machineDir(machine);
+    if (!fs.existsSync(machineStagingDir)) {
         return;
     }
-    fs.rmSync(dir, { recursive: true, force: true });
+    fs.rmSync(machineStagingDir, { recursive: true, force: true });
     logger.info(`Cleaned staging directory for machine "${machine}"`);
 }
-export function copyToStaging(files, machine) {
-    const dir = machineDir(machine);
-    fs.mkdirSync(dir, { recursive: true });
-    let copied = 0;
-    for (const filePath of files) {
-        const dest = getStagedPath(filePath, machine);
+export function copyToStaging(files, machine, derivedKey) {
+    const machineStagingDir = machineDir(machine);
+    fs.mkdirSync(machineStagingDir, { recursive: true });
+    const filesExcludingKeyFile = files.filter((f) => path.resolve(f) !== path.resolve(KEY_FILE_PATH));
+    let copiedCount = 0;
+    for (const filePath of filesExcludingKeyFile) {
+        const stagedPath = getStagedPath(filePath, machine);
+        const destinationPath = derivedKey ? stagedPath + ENC_SUFFIX : stagedPath;
         try {
-            fs.mkdirSync(path.dirname(dest), { recursive: true });
-            fs.copyFileSync(filePath, dest);
-            copied++;
+            fs.mkdirSync(path.dirname(destinationPath), { recursive: true });
+            if (derivedKey) {
+                const plaintext = fs.readFileSync(filePath);
+                fs.writeFileSync(destinationPath, encrypt(plaintext, derivedKey));
+            }
+            else {
+                fs.copyFileSync(filePath, destinationPath);
+            }
+            copiedCount++;
         }
         catch {
-            logger.warn(`Failed to copy: ${filePath} -> ${dest}`);
+            logger.warn(`Failed to copy: ${filePath} -> ${destinationPath}`);
         }
     }
-    logger.info(`Copied ${pluralize(copied, "file")} to staging`);
+    logger.info(`Copied ${pluralize(copiedCount, "file")} to staging`);
 }
 function failedComparisonResult(err) {
     return { backedUp: [], modified: [], notBackedUp: [], error: errorMessage(err) };
 }
-export async function compareFiles(files, machine, repository) {
+export async function compareFiles(opts) {
+    const { files, machine, repository, derivedKey } = opts;
     if (files.length === 0) {
         return { backedUp: [], modified: [], notBackedUp: [] };
     }
@@ -64,52 +77,78 @@ export async function compareFiles(files, machine, repository) {
     catch (err) {
         return failedComparisonResult(err);
     }
-    let committedHashes;
+    let remoteBlobHashes;
     try {
         const treeOutput = execFileSync("git", ["ls-tree", "-r", `origin/${branch}`, `${machine}/`], {
             encoding: "utf-8",
             cwd: STAGING_DIR,
         });
-        committedHashes = new Map(treeOutput
+        remoteBlobHashes = new Map(treeOutput
             .split("\n")
             .map((line) => line.match(/^\d+ blob ([0-9a-f]+)\t(.+)$/))
-            .filter((m) => m !== null)
-            .map((m) => [m[2], m[1]]));
+            .filter((match) => match !== null)
+            .map((match) => [match[2], match[1]]));
     }
     catch (err) {
         return failedComparisonResult(err);
     }
-    let sourceHashes;
+    if (derivedKey) {
+        return compareFilesToRemote(files, machine, remoteBlobHashes, ENC_SUFFIX, (file, remoteBlobHash) => {
+            try {
+                const blobContent = execFileSync("git", ["cat-file", "blob", remoteBlobHash], {
+                    cwd: STAGING_DIR,
+                    maxBuffer: 50 * 1024 * 1024,
+                });
+                const decrypted = decrypt(blobContent, derivedKey);
+                const localContent = fs.readFileSync(file);
+                return decrypted.equals(localContent);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    let localFileHashes;
     try {
         const hashOutput = execFileSync("git", ["hash-object", "--stdin-paths"], {
             encoding: "utf-8",
             input: files.join("\n") + "\n",
         });
-        sourceHashes = hashOutput.trim().split("\n");
+        localFileHashes = hashOutput.trim().split("\n");
     }
     catch (err) {
         return failedComparisonResult(err);
     }
-    return files.reduce((acc, file, i) => {
-        const repoRelPath = path.relative(STAGING_DIR, getStagedPath(file, machine));
-        const committedHash = committedHashes.get(repoRelPath);
-        if (!committedHash) {
-            acc.notBackedUp.push(file);
+    const localHashByFile = new Map(files.map((file, i) => [file, localFileHashes[i]]));
+    return compareFilesToRemote(files, machine, remoteBlobHashes, "", (file, remoteBlobHash) => {
+        return remoteBlobHash === localHashByFile.get(file);
+    });
+}
+function compareFilesToRemote(files, machine, remoteBlobHashes, pathSuffix, matchesRemote) {
+    const result = { backedUp: [], modified: [], notBackedUp: [] };
+    for (const file of files) {
+        const repoRelativePath = path.relative(STAGING_DIR, getStagedPath(file, machine)) + pathSuffix;
+        const remoteBlobHash = remoteBlobHashes.get(repoRelativePath);
+        if (!remoteBlobHash) {
+            result.notBackedUp.push(file);
         }
-        else if (committedHash === sourceHashes[i]) {
-            acc.backedUp.push(file);
+        else if (matchesRemote(file, remoteBlobHash)) {
+            result.backedUp.push(file);
         }
         else {
-            acc.modified.push(file);
+            result.modified.push(file);
         }
-        return acc;
-    }, { backedUp: [], modified: [], notBackedUp: [] });
+    }
+    return result;
 }
-function repoReadme(repository) {
+function generateReadmeContent(repository, encrypted) {
+    const encryptionNote = encrypted
+        ? "\n> **Note:** Files in this repository are encrypted. You will need the backup password to restore.\n"
+        : "";
     return `# Backdot Backup
 
 This repository contains files backed up automatically using [backdot](https://github.com/sorenlouv/backdot).
-
+${encryptionNote}
 ## Restore
 
 \`\`\`bash
@@ -119,7 +158,7 @@ npx backdot restore ${repository}
 For full documentation, configuration options, and scheduling, see the [official README](https://github.com/sorenlouv/backdot).
 `;
 }
-export function writeRepoReadme(repository) {
-    fs.writeFileSync(path.join(STAGING_DIR, "README.md"), repoReadme(repository));
+export function writeRepoReadme(repository, encrypted = false) {
+    fs.writeFileSync(path.join(STAGING_DIR, "README.md"), generateReadmeContent(repository, encrypted));
     logger.info("Wrote README.md to staging directory");
 }

package/dist/utils.d.ts

@@ -1,3 +1,11 @@
 export declare function errorMessage(err: unknown): string;
+/**
+ * Extracts the repo path (e.g. "user/repo") from an SSH or HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ */
+export declare function extractRepoPath(url: string): {
+    host: string;
+    repoPath: string;
+} | null;
 export declare function uniq<T>(items: T[]): T[];
 export declare function pluralize(count: number, word: string): string;

package/dist/utils.js

@@ -1,6 +1,26 @@
 export function errorMessage(err) {
     return err instanceof Error ? err.message : String(err);
 }
+const KNOWN_HOSTS = ["github.com", "gitlab.com", "bitbucket.org"];
+/**
+ * Extracts the repo path (e.g. "user/repo") from an SSH or HTTPS URL
+ * for known hosts. Returns `null` for unrecognized hosts.
+ */
+export function extractRepoPath(url) {
+    for (const host of KNOWN_HOSTS) {
+        const idx = url.indexOf(host);
+        if (idx === -1) {
+            continue;
+        }
+        const separatorLength = 1; // skip ":" (SSH) or "/" (HTTPS) after hostname
+        let repoPath = url.slice(idx + host.length + separatorLength).trim();
+        if (repoPath.endsWith(".git")) {
+            repoPath = repoPath.slice(0, -4);
+        }
+        return { host, repoPath };
+    }
+    return null;
+}
 export function uniq(items) {
     return [...new Set(items)];
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backdot",
-  "version": "1.7.0",
+  "version": "1.8.1",
   "description": "Lightweight CLI to backup dotfiles and gitignored files to a Git repo on a daily schedule",
   "type": "module",
   "license": "MIT",
@@ -26,18 +26,18 @@
   "scripts": {
     "build": "tsc",
     "build:watch": "tsc --watch",
-    "release": "./scripts/release.sh",
-    "start": "node dist/cli.js",
+    "fmt": "prettier --write src/",
+    "fmt:check": "prettier --check src/",
     "lint": "eslint src/",
     "lint:fix": "eslint src/ --fix",
-    "format": "prettier --write src/",
-    "format:check": "prettier --check src/",
+    "prepare": "husky",
+    "release": "./scripts/release.sh",
+    "start": "node dist/cli.js",
     "test": "vitest run --exclude src/e2e.test.ts --exclude src/git.integration.test.ts",
-    "test:integration": "vitest run src/git.integration.test.ts",
-    "test:e2e": "npm run build && vitest run src/e2e.test.ts",
     "test:all": "npm run build && vitest run",
-    "test:watch": "vitest",
-    "prepare": "husky"
+    "test:e2e": "npm run build && vitest run src/e2e.test.ts",
+    "test:integration": "vitest run src/git.integration.test.ts",
+    "test:watch": "vitest"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",
@@ -53,20 +53,12 @@
   "engines": {
     "node": ">=18"
   },
-  "lint-staged": {
-    "*.{ts,js}": [
-      "prettier --write",
-      "eslint --fix"
-    ],
-    "*.{json,md,yml}": "prettier --write"
-  },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@types/node": "^22.13.5",
     "eslint": "^10.0.2",
     "eslint-config-prettier": "^10.1.8",
     "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
     "prettier": "^3.8.1",
     "typescript": "^5.7.3",
     "typescript-eslint": "^8.56.1",