backdot 1.8.0 → 1.8.2

package/dist/crypto.js

@@ -1,129 +0,0 @@
-import crypto from "node:crypto";
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-import { password as passwordPrompt, confirm } from "@inquirer/prompts";
-// File-format signature identifying backdot-encrypted files
-const MAGIC = Buffer.from("BDOT");
-const VERSION = 0x01;
-const HEADER_SIZE = MAGIC.length + 1; // 5 bytes: magic + version
-const SALT_SIZE = 32;
-const IV_SIZE = 12;
-const TAG_SIZE = 16;
-const KEY_SIZE = 32;
-export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
-export const ENC_SUFFIX = ".encrypted";
-function deriveKey(password, salt) {
-    return crypto.scryptSync(password, salt, KEY_SIZE, { N: 2 ** 14, r: 8, p: 1 });
-}
-export function encryptBuffer(plaintext, password) {
-    const salt = crypto.randomBytes(SALT_SIZE);
-    const iv = crypto.randomBytes(IV_SIZE);
-    const key = deriveKey(password, salt);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
-    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-    const tag = cipher.getAuthTag();
-    return Buffer.concat([MAGIC, Buffer.from([VERSION]), salt, iv, tag, encrypted]);
-}
-export function decryptBuffer(data, password) {
-    if (!isEncrypted(data)) {
-        throw new Error("File is not encrypted (missing BDOT header).");
-    }
-    const minSize = HEADER_SIZE + SALT_SIZE + IV_SIZE + TAG_SIZE;
-    if (data.length < minSize) {
-        throw new Error("Encrypted file is too short or corrupted.");
-    }
-    let offset = HEADER_SIZE;
-    const salt = data.subarray(offset, offset + SALT_SIZE);
-    offset += SALT_SIZE;
-    const iv = data.subarray(offset, offset + IV_SIZE);
-    offset += IV_SIZE;
-    const tag = data.subarray(offset, offset + TAG_SIZE);
-    offset += TAG_SIZE;
-    const ciphertext = data.subarray(offset);
-    const key = deriveKey(password, salt);
-    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
-    decipher.setAuthTag(tag);
-    try {
-        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-    }
-    catch {
-        throw new Error("Decryption failed — wrong password or corrupted file.");
-    }
-}
-function isEncrypted(data) {
-    return (data.length >= HEADER_SIZE &&
-        data[0] === MAGIC[0] &&
-        data[1] === MAGIC[1] &&
-        data[2] === MAGIC[2] &&
-        data[3] === MAGIC[3] &&
-        data[4] === VERSION);
-}
-export function checkKeyFilePermissions() {
-    if (process.platform === "win32") {
-        return;
-    }
-    if (!fs.existsSync(KEY_FILE_PATH)) {
-        return;
-    }
-    const stat = fs.statSync(KEY_FILE_PATH);
-    const mode = stat.mode & 0o777;
-    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
-    if (isAccessibleByGroupOrOthers) {
-        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
-            `  Run: chmod 600 ${KEY_FILE_PATH}`);
-    }
-}
-export function saveKeyFile(password) {
-    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
-}
-function readKeyFile() {
-    if (!fs.existsSync(KEY_FILE_PATH)) {
-        return null;
-    }
-    checkKeyFilePermissions();
-    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
-}
-export async function resolvePassword() {
-    const envPassword = process.env.BACKDOT_PASSWORD;
-    if (envPassword) {
-        return { password: envPassword, interactive: false };
-    }
-    const filePassword = readKeyFile();
-    if (filePassword) {
-        return { password: filePassword, interactive: false };
-    }
-    if (!process.stdin.isTTY) {
-        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
-    }
-    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
-    if (!enteredPassword) {
-        throw new Error("No password provided.");
-    }
-    return { password: enteredPassword, interactive: true };
-}
-export async function confirmPassword(password) {
-    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
-    if (confirmedPassword !== password) {
-        throw new Error("Passwords do not match.");
-    }
-}
-export async function offerToSaveKeyFile(password) {
-    if (!process.stdin.isTTY) {
-        return;
-    }
-    if (fs.existsSync(KEY_FILE_PATH)) {
-        return;
-    }
-    if (process.env.BACKDOT_PASSWORD) {
-        return;
-    }
-    const save = await confirm({
-        message: "Save password to ~/.backdot.key for automated backups?",
-        default: true,
-    });
-    if (save) {
-        saveKeyFile(password);
-        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
-    }
-}

package/dist/encryption.d.ts

@@ -1,2 +0,0 @@
-export declare function encrypt(plaintext: Buffer, password: string): Buffer;
-export declare function decrypt(encrypted: Buffer, password: string): Buffer;

package/dist/encryption.js

@@ -1,39 +0,0 @@
-import crypto from "node:crypto";
-const ALGORITHM = "aes-256-gcm";
-const SALT_LENGTH = 32;
-const IV_LENGTH = 12;
-const AUTH_TAG_LENGTH = 16;
-const KEY_LENGTH = 32;
-const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
-const OVERHEAD = SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
-function deriveKey(password, salt) {
-    return crypto.scryptSync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
-}
-export function encrypt(plaintext, password) {
-    const salt = crypto.randomBytes(SALT_LENGTH);
-    const iv = crypto.randomBytes(IV_LENGTH);
-    const key = deriveKey(password, salt);
-    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-    const authTag = cipher.getAuthTag();
-    return Buffer.concat([salt, iv, authTag, ciphertext]);
-}
-export function decrypt(encrypted, password) {
-    if (encrypted.length < OVERHEAD) {
-        throw new Error("Data is too short to be encrypted content.");
-    }
-    let offset = 0;
-    const salt = encrypted.subarray(offset, (offset += SALT_LENGTH));
-    const iv = encrypted.subarray(offset, (offset += IV_LENGTH));
-    const authTag = encrypted.subarray(offset, (offset += AUTH_TAG_LENGTH));
-    const ciphertext = encrypted.subarray(offset);
-    const key = deriveKey(password, salt);
-    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
-    decipher.setAuthTag(authTag);
-    try {
-        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-    }
-    catch {
-        throw new Error("Decryption failed — wrong password or corrupted data.");
-    }
-}

package/dist/errorMessage.d.ts

@@ -1 +0,0 @@
-export declare function errorMessage(err: unknown): string;

package/dist/errorMessage.js

@@ -1,3 +0,0 @@
-export function errorMessage(err) {
-    return err instanceof Error ? err.message : String(err);
-}

package/dist/password.d.ts

@@ -1,11 +0,0 @@
-export declare const KEY_FILE_PATH: string;
-export declare const ENC_SUFFIX = ".encrypted";
-export declare function checkKeyFilePermissions(): void;
-export declare function saveKeyFile(password: string): void;
-export interface PasswordResult {
-    password: string;
-    interactive: boolean;
-}
-export declare function resolvePassword(): Promise<PasswordResult>;
-export declare function confirmPassword(password: string): Promise<void>;
-export declare function offerToSaveKeyFile(password: string): Promise<void>;

package/dist/password.js

@@ -1,74 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-import { password as passwordPrompt, confirm } from "@inquirer/prompts";
-export const KEY_FILE_PATH = path.join(os.homedir(), ".backdot.key");
-export const ENC_SUFFIX = ".encrypted";
-export function checkKeyFilePermissions() {
-    if (process.platform === "win32") {
-        return;
-    }
-    if (!fs.existsSync(KEY_FILE_PATH)) {
-        return;
-    }
-    const stat = fs.statSync(KEY_FILE_PATH);
-    const mode = stat.mode & 0o777;
-    const isAccessibleByGroupOrOthers = (mode & 0o077) !== 0;
-    if (isAccessibleByGroupOrOthers) {
-        throw new Error(`Key file ${KEY_FILE_PATH} has overly permissive permissions (${mode.toString(8)}).\n` +
-            `  Run: chmod 600 ${KEY_FILE_PATH}`);
-    }
-}
-export function saveKeyFile(password) {
-    fs.writeFileSync(KEY_FILE_PATH, password + "\n", { mode: 0o600 });
-}
-function readKeyFile() {
-    if (!fs.existsSync(KEY_FILE_PATH)) {
-        return null;
-    }
-    checkKeyFilePermissions();
-    return fs.readFileSync(KEY_FILE_PATH, "utf-8").trimEnd();
-}
-export async function resolvePassword() {
-    const envPassword = process.env.BACKDOT_PASSWORD;
-    if (envPassword) {
-        return { password: envPassword, interactive: false };
-    }
-    const filePassword = readKeyFile();
-    if (filePassword) {
-        return { password: filePassword, interactive: false };
-    }
-    if (!process.stdin.isTTY) {
-        throw new Error('Encryption is enabled but no password found.\n  Run "backdot backup" interactively to create ~/.backdot.key, or set BACKDOT_PASSWORD.');
-    }
-    const enteredPassword = await passwordPrompt({ message: "Enter encryption password:" });
-    if (!enteredPassword) {
-        throw new Error("No password provided.");
-    }
-    return { password: enteredPassword, interactive: true };
-}
-export async function confirmPassword(password) {
-    const confirmedPassword = await passwordPrompt({ message: "Confirm password:" });
-    if (confirmedPassword !== password) {
-        throw new Error("Passwords do not match.");
-    }
-}
-export async function offerToSaveKeyFile(password) {
-    if (!process.stdin.isTTY) {
-        return;
-    }
-    if (fs.existsSync(KEY_FILE_PATH)) {
-        return;
-    }
-    if (process.env.BACKDOT_PASSWORD) {
-        return;
-    }
-    const save = await confirm({
-        message: "Save password to ~/.backdot.key for automated backups?",
-        default: true,
-    });
-    if (save) {
-        saveKeyFile(password);
-        console.log(`  Created ${KEY_FILE_PATH} (permissions: 600)`);
-    }
-}

package/dist/plist.d.ts

@@ -1,3 +0,0 @@
-export declare function isScheduled(): boolean;
-export declare function setupLaunchd(): void;
-export declare function uninstallLaunchd(): void;

package/dist/plist.js

@@ -1,112 +0,0 @@
-import { execFileSync } from "node:child_process";
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-import ora from "ora";
-import { logger } from "./log.js";
-import { errorMessage } from "./utils.js";
-function escapeXml(s) {
-    return s
-        .replace(/&/g, "&")
-        .replace(/</g, "&lt;")
-        .replace(/>/g, "&gt;")
-        .replace(/"/g, "&quot;");
-}
-const LABEL = "com.backdot.daemon";
-const PLIST_PATH = path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
-function getScriptPath() {
-    const currentDir = path.dirname(new URL(import.meta.url).pathname);
-    return path.resolve(currentDir, "cli.js");
-}
-function buildPlist() {
-    const nodePath = process.execPath;
-    const scriptPath = getScriptPath();
-    const workingDir = path.dirname(scriptPath);
-    const logPath = path.join(os.homedir(), ".backdot", "launchd.log");
-    return `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>Label</key>
-  <string>${LABEL}</string>
-  <key>ProgramArguments</key>
-  <array>
-    <string>${escapeXml(nodePath)}</string>
-    <string>${escapeXml(scriptPath)}</string>
-    <string>--backup</string>
-  </array>
-  <key>WorkingDirectory</key>
-  <string>${escapeXml(workingDir)}</string>
-  <key>StartCalendarInterval</key>
-  <dict>
-    <key>Hour</key>
-    <integer>2</integer>
-    <key>Minute</key>
-    <integer>0</integer>
-  </dict>
-  <key>StandardOutPath</key>
-  <string>${escapeXml(logPath)}</string>
-  <key>StandardErrorPath</key>
-  <string>${escapeXml(logPath)}</string>
-  <key>RunAtLoad</key>
-  <false/>
-</dict>
-</plist>`;
-}
-export function isScheduled() {
-    if (!fs.existsSync(PLIST_PATH)) {
-        return false;
-    }
-    try {
-        const output = execFileSync("launchctl", ["list", LABEL], { encoding: "utf-8", stdio: "pipe" });
-        return output.includes(LABEL);
-    }
-    catch {
-        return false;
-    }
-}
-export function setupLaunchd() {
-    const spinner = ora("Installing schedule").start();
-    const plistContent = buildPlist();
-    const dir = path.dirname(PLIST_PATH);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
-    }
-    try {
-        execFileSync("launchctl", ["unload", PLIST_PATH], { stdio: "pipe" });
-    }
-    catch {
-        // Not loaded, that's fine
-    }
-    fs.writeFileSync(PLIST_PATH, plistContent);
-    logger.info(`Plist written to ${PLIST_PATH}`);
-    try {
-        execFileSync("launchctl", ["load", PLIST_PATH], { stdio: "pipe" });
-        spinner.succeed("Daily backup scheduled (02:00)");
-        console.log();
-        logger.info("Launchd job loaded");
-    }
-    catch (err) {
-        const msg = errorMessage(err);
-        spinner.fail(`Failed to load launchd job: ${msg}`);
-        console.log();
-        logger.error(`Failed to load launchd job: ${msg}`);
-        throw new Error(`Failed to load launchd job: ${msg}`, { cause: err });
-    }
-}
-export function uninstallLaunchd() {
-    const spinner = ora("Removing schedule").start();
-    try {
-        execFileSync("launchctl", ["unload", PLIST_PATH], { stdio: "pipe" });
-        logger.info("Launchd job unloaded");
-    }
-    catch {
-        logger.info("Launchd job was not loaded");
-    }
-    if (fs.existsSync(PLIST_PATH)) {
-        fs.unlinkSync(PLIST_PATH);
-        logger.info(`Plist removed: ${PLIST_PATH}`);
-    }
-    spinner.succeed("Schedule removed");
-    console.log();
-}

package/dist/resolve.d.ts

@@ -1,6 +0,0 @@
-import { Config } from "./config.js";
-/**
- * Resolve all file entries to absolute paths.
- * Skips entries that fail resolution and logs warnings.
- */
-export declare function resolveFiles(config: Config): string[];

package/dist/resolve.js

@@ -1,44 +0,0 @@
-import fs from "node:fs";
-import fg from "fast-glob";
-import { logger } from "./log.js";
-import { errorMessage, uniq } from "./utils.js";
-function resolveGlobs(patterns) {
-    if (patterns.length === 0) {
-        return [];
-    }
-    try {
-        return fg.sync(patterns, { absolute: true, dot: true, onlyFiles: true });
-    }
-    catch (err) {
-        logger.warn(`Glob pattern resolution failed: ${errorMessage(err)}`);
-        return [];
-    }
-}
-const LARGE_FILE_THRESHOLD = 10 * 1024 * 1024; // 10 MB
-/**
- * Resolve all file entries to absolute paths.
- * Skips entries that fail resolution and logs warnings.
- */
-export function resolveFiles(config) {
-    const unique = uniq(resolveGlobs(config.paths));
-    return unique.filter((filePath) => {
-        try {
-            fs.accessSync(filePath, fs.constants.R_OK);
-            const stat = fs.statSync(filePath);
-            if (!stat.isFile()) {
-                logger.warn(`Not a regular file, skipping: ${filePath}`);
-                return false;
-            }
-            if (stat.size > LARGE_FILE_THRESHOLD) {
-                const sizeMB = (stat.size / 1024 / 1024).toFixed(1);
-                logger.warn(`Large file (${sizeMB} MB), skipping: ${filePath}`);
-                return false;
-            }
-            return true;
-        }
-        catch {
-            logger.warn(`File not readable, skipping: ${filePath}`);
-            return false;
-        }
-    });
-}