backdot 1.8.0 → 1.8.2

package/dist/cli.js

@@ -16,8 +16,8 @@ import { sendNotification } from "./notify.js";
 function getVersion() {
     const pkgPath = path.resolve(path.dirname(new URL(import.meta.url).pathname), "../package.json");
     try {
-        const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
-        return pkg.version ?? "unknown";
+        const packageJson = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+        return packageJson.version ?? "unknown";
     }
     catch {
         return "unknown";
@@ -30,10 +30,17 @@ cli.command("backup", "Run a backup now").action(async () => {
 });
 cli
     .command("restore [url]", "Restore files")
+    .option("--machine <name>", "Restore a specific machine")
     .option("--commit <sha>", "Restore from a specific backup commit")
-    .option("-y, --yes", "Accept defaults without prompting")
+    .option("--no-overwrite", "Restore only new files; never overwrite existing ones (non-interactive)")
     .action(async (url, options) => {
-    await restore({ repoUrl: url, commit: options.commit, yes: !!options.yes });
+    await restore({
+        repoUrl: url,
+        commit: options.commit,
+        // cac defaults `overwrite` to true and `--no-overwrite` flips it to false.
+        skipExisting: options.overwrite === false,
+        machine: options.machine,
+    });
 });
 cli
     .command("history [url]", "List and restore a previous backup")
@@ -51,8 +58,14 @@ cli.command("", "").action(() => {
         console.log(`  No config found. Run ${chalk.bold("backdot init")} to get started.\n`);
     }
 });
-// cac auto-adds a --help flag; remove its redundant section from help output
-cli.help((sections) => sections.filter((s) => !s.body?.includes("--help")));
+cli.help((sections) => sections.filter((section) => {
+    if (!section.body) {
+        return true;
+    }
+    const contentLines = section.body.split("\n").filter((line) => line.trim() !== "");
+    const listsOnlyHelpAndVersion = contentLines.every((line) => /--(help|version)/.test(line));
+    return !listsOnlyHelpAndVersion;
+}));
 cli.version(getVersion());
 async function main() {
     try {

package/dist/commands/backup.js

@@ -2,12 +2,14 @@ import fs from "node:fs";
 import path from "node:path";
 import ora from "ora";
 import { loadConfig, CONFIG_PATH } from "../config.js";
+import { POST_RESTORE_HOOK_PATH } from "../paths.js";
 import { resolveFiles } from "../resolveFiles.js";
 import { cleanStaging, copyToStaging, writeRepoReadme, machineDir } from "../staging.js";
 import { gitPull, gitCommitAndPush } from "../git.js";
 import { logger } from "../log.js";
 import { pluralize } from "../utils.js";
 import { checkRepoVisibility } from "../repoVisibility.js";
+import { confirm } from "@inquirer/prompts";
 import { decrypt, deriveKey } from "../crypto/encryption.js";
 import { resolvePassword, offerToSaveKeyFile, confirmPassword, ENC_SUFFIX, } from "../crypto/password.js";
 function findEncryptedFile(dir) {
@@ -35,11 +37,12 @@ export async function backup() {
     logger.info(`Machine: ${config.machine}`);
     let password;
     let derivedKey;
-    let passwordWasInteractive = false;
     if (config.encrypt) {
         const result = await resolvePassword();
         password = result.password;
-        passwordWasInteractive = result.interactive;
+        if (result.source === "prompt") {
+            await confirmPassword(password);
+        }
         derivedKey = deriveKey(password);
     }
     const spinner = ora("Checking repository visibility").start();
@@ -59,6 +62,10 @@ export async function backup() {
             return;
         }
         const files = [...userFiles, CONFIG_PATH];
+        // Automatically backup the "post-restore" hook if it exists
+        if (fs.existsSync(POST_RESTORE_HOOK_PATH)) {
+            files.push(POST_RESTORE_HOOK_PATH);
+        }
         spinner.text = "Syncing with remote";
         await gitPull(config.repository);
         if (derivedKey) {
@@ -70,15 +77,22 @@ export async function backup() {
                     decrypt(encryptedContent, derivedKey);
                 }
                 catch {
-                    spinner.fail("Backup failed");
-                    throw new Error("Password does not match the existing backup.");
+                    if (!process.stdin.isTTY) {
+                        spinner.fail("Backup failed");
+                        throw new Error("Password does not match the existing backup.\n" +
+                            "Run interactively to re-encrypt with a new password.");
+                    }
+                    spinner.stop();
+                    const shouldReEncrypt = await confirm({
+                        message: "Password does not match the existing backup. Re-encrypt all files with the new password?",
+                        default: false,
+                    });
+                    if (!shouldReEncrypt) {
+                        throw new Error("Backup aborted.");
+                    }
+                    spinner.start();
                 }
             }
-            else if (passwordWasInteractive) {
-                spinner.stop();
-                await confirmPassword(password);
-                spinner.start();
-            }
         }
         spinner.text = `Copying ${pluralize(files.length, "file")} to staging`;
         cleanStaging(config.machine);

package/dist/commands/init.js

@@ -1,5 +1,6 @@
 import { execFileSync } from "node:child_process";
 import fs from "node:fs";
+import path from "node:path";
 import os from "node:os";
 import chalk from "chalk";
 import { CONFIG_PATH } from "../config.js";
@@ -42,6 +43,7 @@ export function init() {
         console.log(`  ${chalk.yellow(`${CONFIG_PATH} already exists — skipping creation.`)}`);
     }
     else {
+        fs.mkdirSync(path.dirname(CONFIG_PATH), { recursive: true });
         fs.writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2) + "\n");
         console.log(`  Created ${CONFIG_PATH} with defaults.`);
     }

package/dist/commands/restore.d.ts

@@ -1,5 +1,6 @@
-export declare function restore({ repoUrl, commit, yes, }?: {
+export declare function restore({ repoUrl, commit, skipExisting, machine: machineOverride, }?: {
     repoUrl?: string;
     commit?: string;
-    yes?: boolean;
+    skipExisting?: boolean;
+    machine?: string;
 }): Promise<void>;

package/dist/commands/restore.js

@@ -1,16 +1,16 @@
 import fs from "node:fs";
 import path from "node:path";
-import os from "node:os";
 import ora from "ora";
 import { checkbox, select, Separator } from "@inquirer/prompts";
 import { loadConfig } from "../config.js";
 import { gitPull } from "../git.js";
-import { STAGING_DIR, machineDir } from "../staging.js";
+import { STAGING_DIR, machineDir, getRestoreTarget, HOME_NAMESPACE, ROOT_NAMESPACE, } from "../staging.js";
+import { POST_RESTORE_HOOK_PATH } from "../paths.js";
+import { runPostRestoreHook } from "../postRestoreHook.js";
 import { logger } from "../log.js";
 import { pluralize } from "../utils.js";
 import { decrypt, deriveKey } from "../crypto/encryption.js";
 import { resolvePassword, offerToSaveKeyFile, ENC_SUFFIX } from "../crypto/password.js";
-const HOME = os.homedir();
 function listFilesRecursively(dir) {
     return fs
         .readdirSync(dir, { withFileTypes: true })
@@ -29,10 +29,15 @@ function listMachines() {
         .filter((entry) => entry.isDirectory() && entry.name !== ".git")
         .map((entry) => entry.name);
 }
-async function resolveRepoAndMachine(repoUrl, commit) {
+function formatMachineList(machines) {
+    return machines.map((machine) => `    - ${machine}`).join("\n");
+}
+async function resolveRepoAndMachine(repoUrl, commit, machineOverride) {
     if (!repoUrl) {
         const config = loadConfig();
-        return { repository: config.repository, machine: config.machine };
+        // An explicit --machine wins over the configured machine; the repository
+        // still comes from config.
+        return { repository: config.repository, machine: machineOverride ?? config.machine };
     }
     const spinner = ora("Cloning backup repository").start();
     try {
@@ -47,24 +52,30 @@ async function resolveRepoAndMachine(repoUrl, commit) {
     if (machines.length === 0) {
         throw new Error("The backup repository is empty (no machine directories found).");
     }
-    let machine;
+    if (machineOverride) {
+        if (!machines.includes(machineOverride)) {
+            throw new Error(`No backup found for machine "${machineOverride}".\n  Available machines:\n${formatMachineList(machines)}`);
+        }
+        return { repository: repoUrl, machine: machineOverride };
+    }
     if (machines.length === 1) {
-        machine = machines[0];
+        return { repository: repoUrl, machine: machines[0] };
     }
-    else {
-        machine = await select({
-            message: "Multiple machines found. Which one do you want to restore?",
-            loop: false,
-            choices: machines.map((m) => ({ name: m, value: m })),
-        });
+    if (!process.stdin.isTTY) {
+        throw new Error(`Multiple machines found in the backup repository. Re-run with --machine <name>:\n${formatMachineList(machines)}`);
     }
+    const machine = await select({
+        message: "Multiple machines found. Which one do you want to restore?",
+        loop: false,
+        choices: machines.map((machine) => ({ name: machine, value: machine })),
+    });
     return { repository: repoUrl, machine };
 }
-export async function restore({ repoUrl, commit, yes, } = {}) {
+export async function restore({ repoUrl, commit, skipExisting, machine: machineOverride, } = {}) {
     logger.info("Starting restore");
-    const { repository, machine } = await resolveRepoAndMachine(repoUrl, commit);
+    const { repository, machine } = await resolveRepoAndMachine(repoUrl, commit, machineOverride);
     const spinner = ora("Fetching latest backup").start();
-    const baseDir = machineDir(machine);
+    const machineStagingDir = machineDir(machine);
     try {
         if (!repoUrl) {
             await gitPull(repository, commit);
@@ -75,31 +86,37 @@ export async function restore({ repoUrl, commit, yes, } = {}) {
         throw err;
     }
     spinner.text = "Resolving files";
-    if (!fs.existsSync(baseDir)) {
+    if (!fs.existsSync(machineStagingDir)) {
         spinner.stop();
-        const available = listMachines();
-        if (available.length > 0) {
+        const availableMachines = listMachines();
+        if (availableMachines.length > 0) {
             console.log(`\n  No backup found for machine "${machine}".`);
-            console.log(`  Available machines: ${available.join(", ")}\n`);
+            console.log(`  Available machines: ${availableMachines.join(", ")}\n`);
         }
         else {
             console.log(`\n  No backup found for machine "${machine}". The repository is empty.\n`);
         }
         return;
     }
-    const stagedFiles = listFilesRecursively(baseDir);
-    logger.info(`Found ${pluralize(stagedFiles.length, "file")} in backup repository`);
-    if (stagedFiles.length === 0) {
+    // Restore only the two managed namespaces; anything else in the machine dir
+    // (e.g. a user-authored README.md) is documentation, not a file to restore.
+    const backupFiles = [HOME_NAMESPACE, ROOT_NAMESPACE]
+        .map((namespace) => path.join(machineStagingDir, namespace))
+        .filter((namespaceDir) => fs.existsSync(namespaceDir))
+        .flatMap(listFilesRecursively);
+    logger.info(`Found ${pluralize(backupFiles.length, "file")} in backup repository`);
+    if (backupFiles.length === 0) {
         spinner.stop();
         console.log("No files found in backup repository.");
         return;
     }
-    const fileMappings = stagedFiles.map((stagedFilePath) => {
-        let relativePath = path.relative(baseDir, stagedFilePath);
-        if (relativePath.endsWith(ENC_SUFFIX)) {
-            relativePath = relativePath.slice(0, -ENC_SUFFIX.length);
+    const fileMappings = backupFiles.map((backupFilePath) => {
+        let machineRelativePath = path.relative(machineStagingDir, backupFilePath);
+        if (machineRelativePath.endsWith(ENC_SUFFIX)) {
+            machineRelativePath = machineRelativePath.slice(0, -ENC_SUFFIX.length);
         }
-        return { src: stagedFilePath, dest: path.join(HOME, relativePath), rel: relativePath };
+        const { destination, displayPath } = getRestoreTarget(machineRelativePath);
+        return { src: backupFilePath, dest: destination, displayPath };
     });
     const filesAlreadyOnDisk = fileMappings.filter((file) => fs.existsSync(file.dest));
     const newFiles = fileMappings.filter((file) => !fs.existsSync(file.dest));
@@ -107,10 +124,10 @@ export async function restore({ repoUrl, commit, yes, } = {}) {
     spinner.stop();
     console.log();
     let filesToRestore;
-    if (yes) {
+    if (skipExisting) {
         filesToRestore = newFiles;
         if (filesAlreadyOnDisk.length > 0) {
-            console.log(`  Skipped ${pluralize(filesAlreadyOnDisk.length, "existing file")}. Run without --yes to select them.`);
+            console.log(`  Skipped ${pluralize(filesAlreadyOnDisk.length, "existing file")}. Run without --no-overwrite to select them.`);
             console.log();
         }
     }
@@ -119,13 +136,13 @@ export async function restore({ repoUrl, commit, yes, } = {}) {
         if (newFiles.length > 0) {
             choices.push(new Separator(`── New files (${newFiles.length}) ──`));
             for (const file of newFiles) {
-                choices.push({ name: file.rel, value: file, checked: true });
+                choices.push({ name: file.displayPath, value: file, checked: true });
             }
         }
         if (filesAlreadyOnDisk.length > 0) {
             choices.push(new Separator(`── Existing files — will overwrite (${filesAlreadyOnDisk.length}) ──`));
             for (const file of filesAlreadyOnDisk) {
-                choices.push({ name: file.rel, value: file, checked: false });
+                choices.push({ name: file.displayPath, value: file, checked: false });
             }
         }
         filesToRestore = await checkbox({
@@ -163,4 +180,9 @@ export async function restore({ repoUrl, commit, yes, } = {}) {
         await offerToSaveKeyFile(password);
     }
     logger.info(`Restored ${pluralize(filesToRestore.length, "file")}`);
+    // Run the hook only if it was among the files just restored, so we
+    // never execute a stale on-disk script the user chose not to restore.
+    if (filesToRestore.some(({ dest }) => dest === POST_RESTORE_HOOK_PATH)) {
+        runPostRestoreHook();
+    }
 }

package/dist/commands/schedule.js

@@ -14,7 +14,7 @@ export function schedule() {
     try {
         const config = loadConfig();
         if (config.encrypt && !fs.existsSync(KEY_FILE_PATH)) {
-            console.log(chalk.yellow(`  Encryption is enabled. Run ${chalk.bold("backdot backup")} once to create ~/.backdot.key,\n` +
+            console.log(chalk.yellow(`  Encryption is enabled. Run ${chalk.bold("backdot backup")} once to create ${KEY_FILE_PATH},\n` +
                 `  or set ${chalk.bold("BACKDOT_PASSWORD")} in your environment.\n`));
         }
     }

package/dist/commands/status.js

@@ -1,3 +1,4 @@
+import fs from "node:fs";
 import os from "node:os";
 import chalk from "chalk";
 import ora from "ora";
@@ -24,6 +25,11 @@ function formatVisibility(visibility) {
     }
 }
 export async function status() {
+    if (!fs.existsSync(CONFIG_PATH)) {
+        console.log();
+        console.log(`  No config found. Run ${chalk.bold("backdot init")} to get started.\n`);
+        return;
+    }
     const scheduled = isScheduled();
     console.log();
     console.log(`  Schedule:    ${scheduled ? "active (daily at 02:00)" : `not active  (run ${chalk.bold("backdot schedule")} to enable)`}`);
@@ -46,29 +52,35 @@ export async function status() {
         console.log();
         return;
     }
-    const derivedKey = config.encrypt ? deriveKey((await resolvePassword()).password) : undefined;
+    const resolveKey = config.encrypt
+        ? async () => deriveKey((await resolvePassword()).password)
+        : undefined;
     console.log();
     const spinner = ora("Resolving files").start();
     try {
         const userFiles = resolveFiles(config);
         if (userFiles.length === 0) {
-            spinner.warn("No files resolved. Check your ~/.backdot.json entries.");
+            spinner.warn("No files resolved. Check your ~/.backdot/config.json entries.");
             console.log();
             return;
         }
         const files = [...userFiles, CONFIG_PATH];
         spinner.text = "Comparing with remote backup";
-        const { backedUp, modified, notBackedUp, error } = await compareFiles({
+        const { backedUp, modified, notBackedUp, remoteIsEmpty, error } = await compareFiles({
             files,
             machine: config.machine,
             repository: config.repository,
-            derivedKey,
+            resolveKey,
         });
         spinner.stop();
         if (error) {
             console.log(chalk.yellow(`  Could not fetch status: ${error}`));
             return;
         }
+        if (remoteIsEmpty) {
+            console.log(`  No backup yet — showing what ${chalk.bold("backdot backup")} would back up.`);
+            console.log();
+        }
         if (modified.length === 0 && notBackedUp.length === 0) {
             console.log(chalk.green(`  All ${pluralize(files.length, "file")} are backed up ✓`));
         }

package/dist/commitUrl.js

@@ -1,20 +1,17 @@
+import { extractRepoPath } from "./utils.js";
 const PROVIDERS = {
     "github.com": (repoPath, sha) => `https://github.com/${repoPath}/commit/${sha}`,
     "gitlab.com": (repoPath, sha) => `https://gitlab.com/${repoPath}/-/commit/${sha}`,
     "bitbucket.org": (repoPath, sha) => `https://bitbucket.org/${repoPath}/commits/${sha}`,
 };
 export function getCommitUrl(remoteUrl, sha) {
-    for (const [host, buildUrl] of Object.entries(PROVIDERS)) {
-        const idx = remoteUrl.indexOf(host);
-        if (idx === -1) {
-            continue;
-        }
-        const separatorLength = 1; // skip the ":" (SSH) or "/" (HTTPS) after the hostname
-        let repoPath = remoteUrl.slice(idx + host.length + separatorLength).trim();
-        if (repoPath.endsWith(".git")) {
-            repoPath = repoPath.slice(0, -4);
-        }
-        return buildUrl(repoPath, sha);
+    const parsed = extractRepoPath(remoteUrl);
+    if (!parsed) {
+        return null;
     }
-    return null;
+    const buildUrl = PROVIDERS[parsed.host];
+    if (!buildUrl) {
+        return null;
+    }
+    return buildUrl(parsed.repoPath, sha);
 }

package/dist/config.d.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
-export declare const CONFIG_PATH: string;
+import { CONFIG_PATH } from "./paths.js";
+export { CONFIG_PATH };
 export declare function expandTilde(pattern: string): string;
 declare const ConfigSchema: z.ZodObject<{
     repository: z.ZodString;
@@ -9,4 +10,3 @@ declare const ConfigSchema: z.ZodObject<{
 }, z.core.$strip>;
 export type Config = z.infer<typeof ConfigSchema>;
 export declare function loadConfig(): Config;
-export {};

package/dist/config.js

@@ -2,7 +2,8 @@ import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
 import { z } from "zod";
-export const CONFIG_PATH = path.join(os.homedir(), ".backdot.json");
+import { CONFIG_PATH } from "./paths.js";
+export { CONFIG_PATH };
 export function expandTilde(pattern) {
     // fast-glob uses "!" for negation patterns — preserve the prefix, expand the rest
     if (pattern.startsWith("!")) {
@@ -32,14 +33,14 @@ export function loadConfig() {
     catch {
         throw new Error(`Failed to read config file: ${CONFIG_PATH}`);
     }
-    let parsed;
+    let parsedJson;
     try {
-        parsed = JSON.parse(rawJson);
+        parsedJson = JSON.parse(rawJson);
     }
     catch {
         throw new Error(`Invalid JSON in config file: ${CONFIG_PATH}`);
     }
-    const result = ConfigSchema.safeParse(parsed);
+    const result = ConfigSchema.safeParse(parsedJson);
     if (!result.success) {
         const messages = result.error.issues.map((issue) => {
             const field = issue.path.length > 0 ? `"${issue.path.join(".")}"` : "config";

package/dist/crypto/encryption.d.ts

@@ -1,8 +1,9 @@
+/** An encryption key derived from the user's password via scrypt. */
 export interface DerivedKey {
-    password: string;
+    passwordHash: string;
     salt: Buffer;
     key: Buffer;
 }
-export declare function deriveKey(password: string, salt?: Buffer): DerivedKey;
+export declare function deriveKey(passwordHash: string, salt?: Buffer): DerivedKey;
 export declare function encrypt(plaintext: Buffer, derivedKey: DerivedKey): Buffer;
-export declare function decrypt(encrypted: Buffer, derivedKey: DerivedKey): Buffer;
+export declare function decrypt(encryptedPayload: Buffer, derivedKey: DerivedKey): Buffer;

package/dist/crypto/encryption.js

@@ -15,16 +15,16 @@ const SCRYPT_PARAMS = {
     maxmem: 128 * SCRYPT_N * SCRYPT_R * 2, // must exceed 128*N*r
 };
 const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
-export function deriveKey(password, salt) {
+export function deriveKey(passwordHash, salt) {
     const resolvedSalt = salt ?? crypto.randomBytes(SALT_LENGTH);
-    const key = crypto.scryptSync(password, resolvedSalt, KEY_LENGTH, SCRYPT_PARAMS);
-    return { password, salt: resolvedSalt, key };
+    const key = crypto.scryptSync(passwordHash, resolvedSalt, KEY_LENGTH, SCRYPT_PARAMS);
+    return { passwordHash, salt: resolvedSalt, key };
 }
 function deriveKeyForSalt(derivedKey, salt) {
     if (derivedKey.salt.equals(salt)) {
         return derivedKey.key;
     }
-    return crypto.scryptSync(derivedKey.password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+    return crypto.scryptSync(derivedKey.passwordHash, salt, KEY_LENGTH, SCRYPT_PARAMS);
 }
 export function encrypt(plaintext, derivedKey) {
     const iv = crypto.randomBytes(IV_LENGTH);
@@ -33,15 +33,18 @@ export function encrypt(plaintext, derivedKey) {
     const authTag = cipher.getAuthTag();
     return Buffer.concat([derivedKey.salt, iv, authTag, ciphertext]);
 }
-export function decrypt(encrypted, derivedKey) {
-    if (encrypted.length < OVERHEAD) {
+export function decrypt(encryptedPayload, derivedKey) {
+    if (encryptedPayload.length < OVERHEAD) {
         throw new Error("Data is too short to be encrypted content.");
     }
     let offset = 0;
-    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
-    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
-    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
-    const ciphertext = encrypted.subarray(offset);
+    const salt = encryptedPayload.subarray(offset, offset + SALT_LENGTH);
+    offset += SALT_LENGTH;
+    const iv = encryptedPayload.subarray(offset, offset + IV_LENGTH);
+    offset += IV_LENGTH;
+    const authTag = encryptedPayload.subarray(offset, offset + AUTH_TAG_LENGTH);
+    offset += AUTH_TAG_LENGTH;
+    const ciphertext = encryptedPayload.subarray(offset);
     const key = deriveKeyForSalt(derivedKey, salt);
     const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
     decipher.setAuthTag(authTag);

package/dist/crypto/password.d.ts

@@ -1,11 +1,14 @@
-export declare const KEY_FILE_PATH: string;
+import { KEY_FILE_PATH } from "../paths.js";
+export { KEY_FILE_PATH };
 export declare const ENC_SUFFIX = ".encrypted";
+export declare function hashPassword(password: string): string;
 export declare function checkKeyFilePermissions(): void;
 export declare function saveKeyFile(password: string): void;
+export type PasswordSource = "env" | "file" | "prompt";
 export interface PasswordResult {
     password: string;
-    interactive: boolean;
+    source: PasswordSource;
 }
 export declare function resolvePassword(): Promise<PasswordResult>;
-export declare function confirmPassword(password: string): Promise<void>;
+export declare function confirmPassword(hashedPassword: string): Promise<void>;
 export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/crypto/password.js

@@ -1,9 +1,12 @@
+import crypto from "node:crypto";
 import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
 import { password as passwordPrompt, confirm } from "@inquirer/prompts";
-export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
+import { KEY_FILE_PATH } from "../paths.js";
+export { KEY_FILE_PATH };
 export const ENC_SUFFIX = ".encrypted";
+export function hashPassword(password) {
+    return crypto.createHash("sha256").update(password).digest("hex");
+}
 export function checkKeyFilePermissions() {
     if (process.platform === "win32") {
         return;
@@ -32,24 +35,24 @@ function readKeyFile() {
 export async function resolvePassword() {
     const envPassword = process.env.BACKDOT_PASSWORD;
     if (envPassword) {
-        return { password: envPassword, interactive: false };
+        return { password: hashPassword(envPassword), source: "env" };
     }
     const filePassword = readKeyFile();
     if (filePassword) {
-        return { password: filePassword, interactive: false };
+        return { password: filePassword, source: "file" };
     }
     if (!process.stdin.isTTY) {
-        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
+        throw new Error(`Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ${KEY_FILE_PATH}, or set BACKDOT_PASSWORD.`);
     }
     const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
     if (!enteredPassword) {
         throw new Error("No password provided.");
     }
-    return { password: enteredPassword, interactive: true };
+    return { password: hashPassword(enteredPassword), source: "prompt" };
 }
-export async function confirmPassword(password) {
+export async function confirmPassword(hashedPassword) {
     const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
-    if (confirmedPassword !== password) {
+    if (hashPassword(confirmedPassword) !== hashedPassword) {
         throw new Error("Passwords do not match.");
     }
 }
@@ -64,7 +67,7 @@ export async function offerToSaveKeyFile(password) {
         return;
     }
     const save = await confirm({
-        message: "Save password to ~/.backdot.key for automated backups?",
+        message: `Save password to ${KEY_FILE_PATH} for automated backups?`,
         default: true,
     });
     if (save) {

package/dist/git.d.ts

@@ -11,7 +11,7 @@ interface FileChangeSummary {
 export declare function buildCommitMessage(changes: FileChangeSummary, maxLength?: number): string;
 export declare function ensureRemoteUrl(repository: string): Promise<void>;
 export declare function getCurrentBranch(git: SimpleGit): Promise<string>;
-export declare function friendlyGitError(raw: string, repository: string): string;
+export declare function friendlyGitError(rawErrorMessage: string, repository: string): string;
 export declare function gitError(err: unknown, repository: string): Error;
 export declare function gitPull(repository: string, commit?: string): Promise<void>;
 export declare function gitLog(limit?: number): Promise<Array<{

package/dist/git.js

@@ -57,8 +57,8 @@ export async function ensureRemoteUrl(repository) {
 export async function getCurrentBranch(git) {
     return (await git.revparse(["--abbrev-ref", "HEAD"])).trim();
 }
-export function friendlyGitError(raw, repository) {
-    const normalizedMessage = raw.toLowerCase();
+export function friendlyGitError(rawErrorMessage, repository) {
+    const normalizedMessage = rawErrorMessage.toLowerCase();
     if (normalizedMessage.includes("not found") ||
         normalizedMessage.includes("does not exist") ||
         normalizedMessage.includes("does not appear to be a git repository")) {
@@ -73,7 +73,7 @@ export function friendlyGitError(raw, repository) {
         normalizedMessage.includes("connection timed out")) {
         return "Could not connect to remote host. Check your internet connection.";
     }
-    return raw;
+    return rawErrorMessage;
 }
 export function gitError(err, repository) {
     const raw = errorMessage(err);
@@ -116,8 +116,8 @@ export async function gitPull(repository, commit) {
 }
 export async function gitLog(limit = 20) {
     const git = simpleGit(STAGING_DIR);
-    const log = await git.log({ maxCount: limit });
-    return log.all.map((entry) => ({
+    const logResult = await git.log({ maxCount: limit });
+    return logResult.all.map((entry) => ({
         hash: entry.hash,
         date: entry.date,
         message: entry.message,
@@ -133,6 +133,7 @@ export async function gitCommitAndPush() {
     }
     const message = buildCommitMessage(status);
     await git.commit(message);
+    const remoteUrl = ((await git.remote(["get-url", "origin"])) ?? "").trim();
     try {
         await pRetry(async () => git.push(["-u", "origin", "HEAD"]), {
             retries: 5,
@@ -151,12 +152,10 @@ export async function gitCommitAndPush() {
         });
     }
     catch (err) {
-        const remoteUrl = ((await git.remote(["get-url", "origin"])) ?? "").trim();
         throw gitError(err, remoteUrl);
     }
     logger.info(`Committed and pushed: ${message}`);
     const commitHash = (await git.revparse(["HEAD"])).trim();
-    const remoteUrl = (await git.remote(["get-url", "origin"])) ?? "";
     const commitUrl = getCommitUrl(remoteUrl, commitHash);
     return { commitUrl };
 }