mdenc 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/LICENSE +15 -0
  2. package/README.md +141 -0
  3. package/dist/chunk-FFRUPAVV.js +669 -0
  4. package/dist/chunk-FFRUPAVV.js.map +1 -0
  5. package/dist/cli.js +548 -0
  6. package/dist/cli.js.map +1 -0
  7. package/dist/hooks-ZO2DIE5U.js +16 -0
  8. package/dist/hooks-ZO2DIE5U.js.map +1 -0
  9. package/dist/index.cjs +455 -0
  10. package/dist/index.cjs.map +1 -0
  11. package/dist/index.d.cts +42 -0
  12. package/dist/index.d.ts +42 -0
  13. package/dist/index.js +424 -0
  14. package/dist/index.js.map +1 -0
  15. package/package.json +66 -0
package/dist/chunk-FFRUPAVV.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/git/hooks.ts","../src/encrypt.ts","../src/chunking.ts","../src/kdf.ts","../src/types.ts","../src/crypto-utils.ts","../src/aead.ts","../src/header.ts","../src/git/password.ts","../src/git/utils.ts"],"sourcesContent":["import { readFileSync, writeFileSync, existsSync, statSync } from 'node:fs';\nimport { join, relative } from 'node:path';\nimport { encrypt, decrypt } from '../encrypt.js';\nimport { resolvePassword } from './password.js';\nimport {\n findGitRoot,\n findMarkedDirs,\n getMdFilesInDir,\n getMdencFilesInDir,\n gitAdd,\n gitRmCached,\n isFileStaged,\n} from './utils.js';\n\nfunction needsReEncryption(mdPath: string, mdencPath: string): boolean {\n if (!existsSync(mdencPath)) return true;\n const mdMtime = statSync(mdPath).mtimeMs;\n const mdencMtime = statSync(mdencPath).mtimeMs;\n return mdMtime > mdencMtime;\n}\n\nexport async function preCommitHook(): Promise<void> {\n const repoRoot = findGitRoot();\n const password = resolvePassword(repoRoot);\n\n if (!password) {\n process.stderr.write(\n 'mdenc: no password available (set MDENC_PASSWORD or create .mdenc-password). Skipping encryption.\\n',\n );\n process.exit(0);\n }\n\n const markedDirs = findMarkedDirs(repoRoot);\n if (markedDirs.length === 0) process.exit(0);\n\n let encryptedCount = 0;\n let skippedCount = 0;\n let errorCount = 0;\n\n for (const dir of markedDirs) {\n const mdFiles = getMdFilesInDir(dir);\n\n for (const mdFile of mdFiles) {\n const mdPath = join(dir, mdFile);\n const mdencPath = mdPath.replace(/\\.md$/, '.mdenc');\n const relMdPath = relative(repoRoot, mdPath);\n const relMdencPath = relative(repoRoot, mdencPath);\n\n // Skip if .md hasn't changed since last encryption\n if (!needsReEncryption(mdPath, mdencPath)) {\n skippedCount++;\n // Still ensure the .mdenc is staged if it exists\n if (existsSync(mdencPath)) {\n gitAdd(repoRoot, [relMdencPath]);\n }\n continue;\n }\n\n try {\n const plaintext = readFileSync(mdPath, 'utf-8');\n\n // Read existing .mdenc for previousFile optimization\n let previousFile: string | undefined;\n if (existsSync(mdencPath)) {\n previousFile = readFileSync(mdencPath, 'utf-8');\n }\n\n const encrypted = await encrypt(plaintext, password, { previousFile });\n writeFileSync(mdencPath, encrypted);\n gitAdd(repoRoot, [relMdencPath]);\n\n // Belt-and-suspenders: unstage .md if accidentally staged\n if (isFileStaged(repoRoot, relMdPath)) {\n gitRmCached(repoRoot, [relMdPath]);\n }\n\n encryptedCount++;\n } catch (err) {\n process.stderr.write(\n `mdenc: failed to encrypt ${relMdPath}: ${err instanceof Error ? err.message : err}\\n`,\n );\n errorCount++;\n }\n }\n }\n\n if (encryptedCount > 0) {\n process.stderr.write(`mdenc: encrypted ${encryptedCount} file(s)\\n`);\n }\n\n if (errorCount > 0) {\n process.stderr.write(\n `mdenc: ${errorCount} file(s) failed to encrypt. Aborting commit.\\n`,\n );\n process.exit(1);\n }\n\n process.exit(0);\n}\n\n/**\n * Decrypt all .mdenc files in marked directories.\n * Shared logic for post-checkout, post-merge, and post-rewrite hooks.\n * Returns the number of files decrypted.\n */\nexport async function decryptAll(): Promise<number> {\n const repoRoot = findGitRoot();\n const password = resolvePassword(repoRoot);\n\n if (!password) {\n process.stderr.write(\n 'mdenc: no password available. Skipping decryption.\\n',\n );\n return 0;\n }\n\n const markedDirs = findMarkedDirs(repoRoot);\n let count = 0;\n\n for (const dir of markedDirs) {\n const mdencFiles = getMdencFilesInDir(dir);\n\n for (const mdencFile of mdencFiles) {\n const mdencPath = join(dir, mdencFile);\n const mdPath = mdencPath.replace(/\\.mdenc$/, '.md');\n const relMdPath = relative(repoRoot, mdPath);\n\n // Overwrite protection: skip if .md is newer than .mdenc\n if (existsSync(mdPath)) {\n const mdMtime = statSync(mdPath).mtimeMs;\n const mdencMtime = statSync(mdencPath).mtimeMs;\n if (mdMtime > mdencMtime) {\n process.stderr.write(\n `mdenc: skipping ${relMdPath} (local .md is newer than .mdenc)\\n`,\n );\n continue;\n }\n }\n\n try {\n const encrypted = readFileSync(mdencPath, 'utf-8');\n const plaintext = await decrypt(encrypted, password);\n writeFileSync(mdPath, plaintext);\n count++;\n } catch (err) {\n process.stderr.write(\n `mdenc: failed to decrypt ${relative(repoRoot, mdencPath)}: ${err instanceof Error ? err.message : err}\\n`,\n );\n }\n }\n }\n\n return count;\n}\n\nexport async function postCheckoutHook(): Promise<void> {\n const count = await decryptAll();\n if (count > 0) {\n process.stderr.write(`mdenc: decrypted ${count} file(s)\\n`);\n }\n process.exit(0);\n}\n\nexport async function postMergeHook(): Promise<void> {\n const count = await decryptAll();\n if (count > 0) {\n process.stderr.write(`mdenc: decrypted ${count} file(s)\\n`);\n }\n process.exit(0);\n}\n\nexport async function postRewriteHook(): Promise<void> {\n const count = await decryptAll();\n if (count > 0) {\n process.stderr.write(`mdenc: decrypted ${count} file(s)\\n`);\n }\n process.exit(0);\n}\n","import { hmac } from '@noble/hashes/hmac';\nimport { sha256 } from '@noble/hashes/sha256';\nimport { chunkByParagraph, chunkByFixedSize } from './chunking.js';\nimport { deriveMasterKey, deriveKeys } from './kdf.js';\nimport { encryptChunk, decryptChunk } from './aead.js';\nimport {\n serializeHeader,\n parseHeader,\n authenticateHeader,\n verifyHeader,\n generateSalt,\n generateFileId,\n toBase64,\n fromBase64,\n} from './header.js';\nimport { ChunkingStrategy, DEFAULT_SCRYPT_PARAMS } from './types.js';\nimport type { EncryptOptions, MdencHeader } from './types.js';\nimport { constantTimeEqual, zeroize } from './crypto-utils.js';\n\nexport async function encrypt(\n plaintext: string,\n password: string,\n options?: EncryptOptions,\n): Promise<string> {\n const chunking = options?.chunking ?? ChunkingStrategy.Paragraph;\n const maxChunkSize = options?.maxChunkSize ?? 65536;\n const scryptParams = options?.scrypt ?? DEFAULT_SCRYPT_PARAMS;\n\n // Chunk the plaintext\n let chunks: string[];\n if (chunking === ChunkingStrategy.FixedSize) {\n const fixedSize = options?.fixedChunkSize ?? 4096;\n chunks = chunkByFixedSize(plaintext, fixedSize);\n } else {\n chunks = chunkByParagraph(plaintext, maxChunkSize);\n }\n\n // If previousFile provided, extract salt/fileId/keys from its header to avoid\n // deriving the same master key twice (same password + same salt).\n let salt: Uint8Array;\n let fileId: Uint8Array;\n let masterKey: Uint8Array;\n\n const prev = options?.previousFile\n ? parsePreviousFileHeader(options.previousFile, password)\n : undefined;\n\n if (prev) {\n salt = prev.salt;\n fileId = prev.fileId;\n masterKey = prev.masterKey;\n } else {\n salt = generateSalt();\n fileId = generateFileId();\n masterKey = deriveMasterKey(password, salt, scryptParams);\n }\n\n const { encKey, headerKey, nonceKey } = deriveKeys(masterKey);\n\n try {\n // Build header\n const header: MdencHeader = { version: 'v1', salt, fileId, scrypt: scryptParams };\n const headerLine = serializeHeader(header);\n const headerHmac = authenticateHeader(headerKey, headerLine);\n const headerAuthLine = `hdrauth_b64=${toBase64(headerHmac)}`;\n\n // Encrypt chunks — deterministic encryption handles reuse automatically\n const chunkLines: string[] = [];\n for (const chunkText of chunks) {\n const chunkBytes = new TextEncoder().encode(chunkText);\n const payload = encryptChunk(encKey, nonceKey, chunkBytes, fileId);\n chunkLines.push(toBase64(payload));\n }\n\n // Compute seal HMAC over header + auth + chunk lines\n const sealInput = headerLine + '\\n' + headerAuthLine + '\\n' + chunkLines.join('\\n');\n const sealData = new TextEncoder().encode(sealInput);\n const sealHmac = hmac(sha256, headerKey, sealData);\n const sealLine = `seal_b64=${toBase64(sealHmac)}`;\n\n return [headerLine, headerAuthLine, ...chunkLines, sealLine, ''].join('\\n');\n } finally {\n zeroize(masterKey, encKey, headerKey, nonceKey);\n }\n}\n\nexport async function decrypt(\n fileContent: string,\n password: string,\n): Promise<string> {\n const lines = fileContent.split('\\n');\n\n // Remove trailing empty line if present\n if (lines.length > 0 && lines[lines.length - 1] === '') {\n lines.pop();\n }\n\n if (lines.length < 3) {\n throw new Error('Invalid mdenc file: too few lines');\n }\n\n // Parse header\n const headerLine = lines[0];\n const header = parseHeader(headerLine);\n\n // Parse header auth\n const authLine = lines[1];\n const authMatch = authLine.match(/^hdrauth_b64=([A-Za-z0-9+/=]+)$/);\n if (!authMatch) {\n throw new Error('Invalid mdenc file: missing hdrauth_b64 line');\n }\n const headerHmac = fromBase64(authMatch[1]);\n\n // Derive keys\n const masterKey = deriveMasterKey(password, header.salt, header.scrypt);\n const { encKey, headerKey, nonceKey } = deriveKeys(masterKey);\n\n try {\n // Verify header HMAC\n if (!verifyHeader(headerKey, headerLine, headerHmac)) {\n throw new Error('Header authentication failed (wrong password or tampered header)');\n }\n\n // Collect chunk lines and seal line\n const remaining = lines.slice(2);\n const sealIndex = remaining.findIndex(l => l.startsWith('seal_b64='));\n if (sealIndex < 0) {\n throw new Error('Invalid mdenc file: missing seal');\n }\n\n const chunkLines = remaining.slice(0, sealIndex);\n if (chunkLines.length === 0) {\n throw new Error('Invalid mdenc file: no chunk lines');\n }\n\n // Verify seal HMAC\n const sealMatch = remaining[sealIndex].match(/^seal_b64=([A-Za-z0-9+/=]+)$/);\n if (!sealMatch) throw new Error('Invalid mdenc file: malformed seal line');\n const storedSealHmac = fromBase64(sealMatch[1]);\n\n const sealInput = headerLine + '\\n' + authLine + '\\n' + chunkLines.join('\\n');\n const sealData = new TextEncoder().encode(sealInput);\n const computedSealHmac = hmac(sha256, headerKey, sealData);\n if (!constantTimeEqual(computedSealHmac, storedSealHmac)) {\n throw new Error('Seal verification failed (file tampered or chunks reordered)');\n }\n\n // Decrypt chunks\n const plaintextParts: string[] = [];\n for (const line of chunkLines) {\n const payload = fromBase64(line);\n const decrypted = decryptChunk(encKey, payload, header.fileId);\n plaintextParts.push(new TextDecoder().decode(decrypted));\n }\n\n return plaintextParts.join('');\n } finally {\n zeroize(masterKey, encKey, headerKey, nonceKey);\n }\n}\n\nfunction parsePreviousFileHeader(\n fileContent: string,\n password: string,\n): { salt: Uint8Array; fileId: Uint8Array; masterKey: Uint8Array } | undefined {\n try {\n const lines = fileContent.split('\\n');\n if (lines.length > 0 && lines[lines.length - 1] === '') lines.pop();\n if (lines.length < 3) return undefined;\n\n const headerLine = lines[0];\n const header = parseHeader(headerLine);\n\n // Parse and verify header HMAC before trusting\n const authLine = lines[1];\n const authMatch = authLine.match(/^hdrauth_b64=([A-Za-z0-9+/=]+)$/);\n if (!authMatch) return undefined;\n const headerHmac = fromBase64(authMatch[1]);\n\n const masterKey = deriveMasterKey(password, header.salt, header.scrypt);\n const { headerKey } = deriveKeys(masterKey);\n\n if (!verifyHeader(headerKey, headerLine, headerHmac)) {\n zeroize(masterKey, headerKey);\n return undefined;\n }\n\n zeroize(headerKey);\n // Return masterKey for reuse — same password + same salt produces the same key,\n // so the caller can skip a redundant scrypt derivation.\n return { salt: header.salt, fileId: header.fileId, masterKey };\n } catch {\n return undefined;\n }\n}\n","const DEFAULT_MAX_CHUNK_SIZE = 65536; // 64 KiB\n\nexport function chunkByParagraph(text: string, maxSize = DEFAULT_MAX_CHUNK_SIZE): string[] {\n // Normalize line endings\n const normalized = text.replace(/\\r\\n/g, '\\n');\n\n if (normalized.length === 0) {\n return [''];\n }\n\n // Split on runs of 2+ newlines, attaching each boundary to the preceding chunk\n const chunks: string[] = [];\n const boundary = /\\n{2,}/g;\n let lastEnd = 0;\n let match: RegExpExecArray | null;\n\n while ((match = boundary.exec(normalized)) !== null) {\n // Content up to and including the boundary goes to the preceding chunk\n const chunkEnd = match.index + match[0].length;\n chunks.push(normalized.slice(lastEnd, chunkEnd));\n lastEnd = chunkEnd;\n }\n\n // Remaining content after the last boundary (or the entire string if no boundary)\n if (lastEnd < normalized.length) {\n chunks.push(normalized.slice(lastEnd));\n } else if (chunks.length === 0) {\n // No boundaries found and nothing remaining — shouldn't happen since we checked length > 0\n chunks.push(normalized);\n }\n\n // Split any oversized chunks at byte boundaries\n const result: string[] = [];\n for (const chunk of chunks) {\n if (byteLength(chunk) <= maxSize) {\n result.push(chunk);\n } else {\n result.push(...splitAtByteLimit(chunk, maxSize));\n }\n }\n\n return result;\n}\n\nexport function chunkByFixedSize(text: string, size: number): string[] {\n const normalized = text.replace(/\\r\\n/g, '\\n');\n\n if (normalized.length === 0) {\n return [''];\n }\n\n const bytes = new TextEncoder().encode(normalized);\n if (bytes.length <= size) {\n return [normalized];\n }\n\n const chunks: string[] = [];\n const decoder = new TextDecoder();\n let offset = 0;\n while (offset < bytes.length) {\n const end = Math.min(offset + size, bytes.length);\n // Avoid splitting in the middle of a multi-byte UTF-8 character\n let adjusted = end;\n if (adjusted < bytes.length) {\n while (adjusted > offset && (bytes[adjusted] & 0xc0) === 0x80) {\n adjusted--;\n }\n }\n chunks.push(decoder.decode(bytes.slice(offset, adjusted)));\n offset = adjusted;\n }\n\n return chunks;\n}\n\nfunction byteLength(s: string): number {\n return new TextEncoder().encode(s).length;\n}\n\nfunction splitAtByteLimit(text: string, maxSize: number): string[] {\n const bytes = new TextEncoder().encode(text);\n const decoder = new TextDecoder();\n const parts: string[] = [];\n let offset = 0;\n while (offset < bytes.length) {\n let end = Math.min(offset + maxSize, bytes.length);\n // Avoid splitting multi-byte characters\n if (end < bytes.length) {\n while (end > offset && (bytes[end] & 0xc0) === 0x80) {\n end--;\n }\n }\n parts.push(decoder.decode(bytes.slice(offset, end)));\n offset = end;\n }\n return parts;\n}\n","import { hkdf } from '@noble/hashes/hkdf';\nimport { sha256 } from '@noble/hashes/sha256';\nimport { scrypt } from '@noble/hashes/scrypt';\nimport type { ScryptParams } from './types.js';\nimport { DEFAULT_SCRYPT_PARAMS } from './types.js';\nimport { zeroize } from './crypto-utils.js';\n\nconst ENC_INFO = new TextEncoder().encode('mdenc-v1-enc');\nconst HDR_INFO = new TextEncoder().encode('mdenc-v1-hdr');\nconst NONCE_INFO = new TextEncoder().encode('mdenc-v1-nonce');\n\nexport function normalizePassword(password: string): Uint8Array {\n const normalized = password.normalize('NFKC');\n return new TextEncoder().encode(normalized);\n}\n\nexport function deriveMasterKey(\n password: string,\n salt: Uint8Array,\n params: ScryptParams = DEFAULT_SCRYPT_PARAMS,\n): Uint8Array {\n const passwordBytes = normalizePassword(password);\n try {\n return scrypt(passwordBytes, salt, {\n N: params.N,\n r: params.r,\n p: params.p,\n dkLen: 32,\n });\n } finally {\n zeroize(passwordBytes);\n }\n}\n\nexport function deriveKeys(masterKey: Uint8Array): { encKey: Uint8Array; headerKey: Uint8Array; nonceKey: Uint8Array } {\n const encKey = hkdf(sha256, masterKey, undefined, ENC_INFO, 32);\n const headerKey = hkdf(sha256, masterKey, undefined, HDR_INFO, 32);\n const nonceKey = hkdf(sha256, masterKey, undefined, NONCE_INFO, 32);\n return { encKey, headerKey, nonceKey };\n}\n","export interface ScryptParams {\n N: number; // CPU/memory cost (default 16384 = 2^14, ~16 MiB with r=8)\n r: number; // block size (default 8)\n p: number; // parallelism (default 1)\n}\n\nexport const DEFAULT_SCRYPT_PARAMS: ScryptParams = {\n N: 16384,\n r: 8,\n p: 1,\n};\n\nexport const SCRYPT_BOUNDS = {\n N: { min: 1024, max: 1048576 }, // 2^10 – 2^20\n r: { min: 1, max: 64 },\n p: { min: 1, max: 16 },\n} as const;\n\nexport interface MdencHeader {\n version: 'v1';\n salt: Uint8Array; // 16 bytes\n fileId: Uint8Array; // 16 bytes\n scrypt: ScryptParams;\n}\n\nexport interface MdencChunk {\n payload: Uint8Array; // nonce || ciphertext || tag\n}\n\nexport interface MdencFile {\n header: MdencHeader;\n headerLine: string;\n headerHmac: Uint8Array;\n chunks: MdencChunk[];\n sealHmac: Uint8Array; // file-level HMAC\n}\n\nexport enum ChunkingStrategy {\n Paragraph = 'paragraph',\n FixedSize = 'fixed-size',\n}\n\nexport interface EncryptOptions {\n chunking?: ChunkingStrategy;\n maxChunkSize?: number; // bytes, default 65536 (64 KiB)\n fixedChunkSize?: number; // bytes, for fixed-size chunking\n scrypt?: ScryptParams;\n previousFile?: string; // previous encrypted file content for ciphertext reuse\n}\n\nexport interface DecryptOptions {\n // Reserved for future options\n}\n","export function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) {\n diff |= a[i] ^ b[i];\n }\n return diff === 0;\n}\n\nexport function zeroize(...arrays: Uint8Array[]): void {\n for (const arr of arrays) {\n arr.fill(0);\n }\n}\n","import { xchacha20poly1305 } from '@noble/ciphers/chacha';\nimport { hmac } from '@noble/hashes/hmac';\nimport { sha256 } from '@noble/hashes/sha256';\n\nconst NONCE_LENGTH = 24;\n\nexport function buildAAD(fileId: Uint8Array): Uint8Array {\n const fileIdHex = bytesToHex(fileId);\n const aadString = `mdenc:v1\\n${fileIdHex}`;\n return new TextEncoder().encode(aadString);\n}\n\nexport function deriveNonce(nonceKey: Uint8Array, plaintext: Uint8Array): Uint8Array {\n const full = hmac(sha256, nonceKey, plaintext);\n return full.slice(0, NONCE_LENGTH);\n}\n\nexport function encryptChunk(\n encKey: Uint8Array,\n nonceKey: Uint8Array,\n plaintext: Uint8Array,\n fileId: Uint8Array,\n): Uint8Array {\n const nonce = deriveNonce(nonceKey, plaintext);\n const aad = buildAAD(fileId);\n const cipher = xchacha20poly1305(encKey, nonce, aad);\n const ciphertext = cipher.encrypt(plaintext);\n // Output: nonce || ciphertext || tag (tag is appended by noble)\n const result = new Uint8Array(NONCE_LENGTH + ciphertext.length);\n result.set(nonce, 0);\n result.set(ciphertext, NONCE_LENGTH);\n return result;\n}\n\nexport function decryptChunk(\n encKey: Uint8Array,\n payload: Uint8Array,\n fileId: Uint8Array,\n): Uint8Array {\n if (payload.length < NONCE_LENGTH + 16) {\n throw new Error('Chunk payload too short');\n }\n const nonce = payload.slice(0, NONCE_LENGTH);\n const ciphertext = payload.slice(NONCE_LENGTH);\n const aad = buildAAD(fileId);\n const cipher = xchacha20poly1305(encKey, nonce, aad);\n try {\n return cipher.decrypt(ciphertext);\n } catch {\n throw new Error('Chunk authentication failed');\n }\n}\n\nfunction bytesToHex(bytes: Uint8Array): string {\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += bytes[i].toString(16).padStart(2, '0');\n }\n return hex;\n}\n","import { hmac } from '@noble/hashes/hmac';\nimport { sha256 } from '@noble/hashes/sha256';\nimport { randomBytes } from '@noble/ciphers/webcrypto';\nimport type { MdencHeader, ScryptParams } from './types.js';\nimport { SCRYPT_BOUNDS } from './types.js';\nimport { constantTimeEqual } from './crypto-utils.js';\n\nexport function generateSalt(): Uint8Array {\n return randomBytes(16);\n}\n\nexport function generateFileId(): Uint8Array {\n return randomBytes(16);\n}\n\nexport function serializeHeader(header: MdencHeader): string {\n const saltB64 = toBase64(header.salt);\n const fileIdB64 = toBase64(header.fileId);\n const { N, r, p } = header.scrypt;\n return `mdenc:v1 salt_b64=${saltB64} file_id_b64=${fileIdB64} scrypt=N=${N},r=${r},p=${p}`;\n}\n\nexport function parseHeader(line: string): MdencHeader {\n if (!line.startsWith('mdenc:v1 ')) {\n throw new Error('Invalid header: missing mdenc:v1 prefix');\n }\n\n const saltMatch = line.match(/salt_b64=([A-Za-z0-9+/=]+)/);\n if (!saltMatch) throw new Error('Invalid header: missing salt_b64');\n const salt = fromBase64(saltMatch[1]);\n if (salt.length !== 16) throw new Error('Invalid header: salt must be 16 bytes');\n\n const fileIdMatch = line.match(/file_id_b64=([A-Za-z0-9+/=]+)/);\n if (!fileIdMatch) throw new Error('Invalid header: missing file_id_b64');\n const fileId = fromBase64(fileIdMatch[1]);\n if (fileId.length !== 16) throw new Error('Invalid header: file_id must be 16 bytes');\n\n const scryptMatch = line.match(/scrypt=N=(\\d+),r=(\\d+),p=(\\d+)/);\n if (!scryptMatch) throw new Error('Invalid header: missing scrypt parameters');\n const scryptParams: ScryptParams = {\n N: parseInt(scryptMatch[1], 10),\n r: parseInt(scryptMatch[2], 10),\n p: parseInt(scryptMatch[3], 10),\n };\n\n validateScryptParams(scryptParams);\n\n return { version: 'v1', salt, fileId, scrypt: scryptParams };\n}\n\nexport function validateScryptParams(params: ScryptParams): void {\n const { N, r, p } = SCRYPT_BOUNDS;\n if (params.N < N.min || params.N > N.max) {\n throw new Error(`Invalid scrypt N: ${params.N} (must be ${N.min}–${N.max})`);\n }\n if (params.r < r.min || params.r > r.max) {\n throw new Error(`Invalid scrypt r: ${params.r} (must be ${r.min}–${r.max})`);\n }\n if (params.p < p.min || params.p > p.max) {\n throw new Error(`Invalid scrypt p: ${params.p} (must be ${p.min}–${p.max})`);\n }\n}\n\nexport function authenticateHeader(headerKey: Uint8Array, headerLine: string): Uint8Array {\n const headerBytes = new TextEncoder().encode(headerLine);\n return hmac(sha256, headerKey, headerBytes);\n}\n\nexport function verifyHeader(\n headerKey: Uint8Array,\n headerLine: string,\n hmacBytes: Uint8Array,\n): boolean {\n const computed = authenticateHeader(headerKey, headerLine);\n return constantTimeEqual(computed, hmacBytes);\n}\n\nexport function toBase64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n\nexport function fromBase64(b64: string): Uint8Array {\n return new Uint8Array(Buffer.from(b64, 'base64'));\n}\n","import { readFileSync } from 'node:fs';\nimport { join } from 'node:path';\n\nconst PASSWORD_FILE = '.mdenc-password';\n\n/**\n * Resolve password for non-interactive use (git hooks).\n * Checks MDENC_PASSWORD env var, then .mdenc-password file.\n * Returns null if neither is available — never prompts on TTY.\n */\nexport function resolvePassword(repoRoot: string): string | null {\n const envPassword = process.env['MDENC_PASSWORD'];\n if (envPassword) return envPassword;\n\n try {\n const content = readFileSync(join(repoRoot, PASSWORD_FILE), 'utf-8').trim();\n if (content.length > 0) return content;\n } catch {\n // File doesn't exist or unreadable\n }\n\n return null;\n}\n","import { execFileSync } from 'node:child_process';\nimport { readdirSync, statSync } from 'node:fs';\nimport { join, resolve } from 'node:path';\n\nconst SKIP_DIRS = new Set(['.git', 'node_modules', '.hg', '.svn']);\nconst MARKER_FILE = '.mdenc.conf';\n\nexport function findGitRoot(): string {\n try {\n return execFileSync('git', ['rev-parse', '--show-toplevel'], {\n encoding: 'utf-8',\n stdio: ['pipe', 'pipe', 'pipe'],\n }).trim();\n } catch {\n throw new Error('Not a git repository');\n }\n}\n\nexport function getHooksDir(): string {\n try {\n const gitDir = execFileSync('git', ['rev-parse', '--git-path', 'hooks'], {\n encoding: 'utf-8',\n stdio: ['pipe', 'pipe', 'pipe'],\n }).trim();\n return resolve(gitDir);\n } catch {\n throw new Error('Could not determine git hooks directory');\n }\n}\n\nexport function findMarkedDirs(repoRoot: string): string[] {\n const results: string[] = [];\n walkForMarker(repoRoot, results);\n return results;\n}\n\nfunction walkForMarker(dir: string, results: string[]): void {\n let entries: string[];\n try {\n entries = readdirSync(dir);\n } catch {\n return;\n }\n\n if (entries.includes(MARKER_FILE)) {\n results.push(dir);\n }\n\n for (const entry of entries) {\n if (SKIP_DIRS.has(entry) || entry.startsWith('.')) continue;\n const full = join(dir, entry);\n try {\n if (statSync(full).isDirectory()) {\n walkForMarker(full, results);\n }\n } catch {\n // Skip inaccessible entries\n }\n }\n}\n\nexport function getMdFilesInDir(dir: string): string[] {\n try {\n return readdirSync(dir).filter(\n f => f.endsWith('.md') && statSync(join(dir, f)).isFile(),\n );\n } catch {\n return [];\n }\n}\n\nexport function getMdencFilesInDir(dir: string): string[] {\n try {\n return readdirSync(dir).filter(\n f => f.endsWith('.mdenc') && statSync(join(dir, f)).isFile(),\n );\n } catch {\n return [];\n }\n}\n\nexport function gitAdd(repoRoot: string, files: string[]): void {\n if (files.length === 0) return;\n execFileSync('git', ['add', '--', ...files], {\n cwd: repoRoot,\n stdio: ['pipe', 'pipe', 'pipe'],\n });\n}\n\nexport function gitRmCached(repoRoot: string, files: string[]): void {\n if (files.length === 0) return;\n execFileSync('git', ['rm', '--cached', '--', ...files], {\n cwd: repoRoot,\n stdio: ['pipe', 'pipe', 'pipe'],\n });\n}\n\nexport function isFileStaged(repoRoot: string, file: string): boolean {\n try {\n const output = execFileSync(\n 'git',\n ['diff', '--cached', '--name-only', '--', file],\n { cwd: repoRoot, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] },\n );\n return output.trim().length > 0;\n } catch {\n return false;\n }\n}\n\nexport function isFileTracked(repoRoot: string, file: string): boolean {\n try {\n execFileSync('git', ['ls-files', '--error-unmatch', '--', file], {\n cwd: repoRoot,\n stdio: ['pipe', 'pipe', 'pipe'],\n });\n return true;\n } catch {\n return false;\n }\n}\n"],"mappings":";;;AAAA,SAAS,gBAAAA,eAAc,eAAe,YAAY,YAAAC,iBAAgB;AAClE,SAAS,QAAAC,OAAM,gBAAgB;;;ACD/B,SAAS,QAAAC,aAAY;AACrB,SAAS,UAAAC,eAAc;;;ACDvB,IAAM,yBAAyB;AAExB,SAAS,iBAAiB,MAAc,UAAU,wBAAkC;AAEzF,QAAM,aAAa,KAAK,QAAQ,SAAS,IAAI;AAE7C,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,CAAC,EAAE;AAAA,EACZ;AAGA,QAAM,SAAmB,CAAC;AAC1B,QAAM,WAAW;AACjB,MAAI,UAAU;AACd,MAAI;AAEJ,UAAQ,QAAQ,SAAS,KAAK,UAAU,OAAO,MAAM;AAEnD,UAAM,WAAW,MAAM,QAAQ,MAAM,CAAC,EAAE;AACxC,WAAO,KAAK,WAAW,MAAM,SAAS,QAAQ,CAAC;AAC/C,cAAU;AAAA,EACZ;AAGA,MAAI,UAAU,WAAW,QAAQ;AAC/B,WAAO,KAAK,WAAW,MAAM,OAAO,CAAC;AAAA,EACvC,WAAW,OAAO,WAAW,GAAG;AAE9B,WAAO,KAAK,UAAU;AAAA,EACxB;AAGA,QAAM,SAAmB,CAAC;AAC1B,aAAW,SAAS,QAAQ;AAC1B,QAAI,WAAW,KAAK,KAAK,SAAS;AAChC,aAAO,KAAK,KAAK;AAAA,IACnB,OAAO;AACL,aAAO,KAAK,GAAG,iBAAiB,OAAO,OAAO,CAAC;AAAA,IACjD;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,iBAAiB,MAAc,MAAwB;AACrE,QAAM,aAAa,KAAK,QAAQ,SAAS,IAAI;AAE7C,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,CAAC,EAAE;AAAA,EACZ;AAEA,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,UAAU;AACjD,MAAI,MAAM,UAAU,MAAM;AACxB,WAAO,CAAC,UAAU;AAAA,EACpB;AAEA,QAAM,SAAmB,CAAC;AAC1B,QAAM,UAAU,IAAI,YAAY;AAChC,MAAI,SAAS;AACb,SAAO,SAAS,MAAM,QAAQ;AAC5B,UAAM,MAAM,KAAK,IAAI,SAAS,MAAM,MAAM,MAAM;AAEhD,QAAI,WAAW;AACf,QAAI,WAAW,MAAM,QAAQ;AAC3B,aAAO,WAAW,WAAW,MAAM,QAAQ,IAAI,SAAU,KAAM;AAC7D;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK,QAAQ,OAAO,MAAM,MAAM,QAAQ,QAAQ,CAAC,CAAC;AACzD,aAAS;AAAA,EACX;AAEA,SAAO;AACT;AAEA,SAAS,WAAW,GAAmB;AACrC,SAAO,IAAI,YAAY,EAAE,OAAO,CAAC,EAAE;AACrC;AAEA,SAAS,iBAAiB,MAAc,SAA2B;AACjE,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,IAAI;AAC3C,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS;AACb,SAAO,SAAS,MAAM,QAAQ;AAC5B,QAAI,MAAM,KAAK,IAAI,SAAS,SAAS,MAAM,MAAM;AAEjD,QAAI,MAAM,MAAM,QAAQ;AACtB,aAAO,MAAM,WAAW,MAAM,GAAG,IAAI,SAAU,KAAM;AACnD;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,QAAQ,OAAO,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC;AACnD,aAAS;AAAA,EACX;AACA,SAAO;AACT;;;AChGA,SAAS,YAAY;AACrB,SAAS,cAAc;AACvB,SAAS,cAAc;;;ACIhB,IAAM,wBAAsC;AAAA,EACjD,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEO,IAAM,gBAAgB;AAAA,EAC3B,GAAG,EAAE,KAAK,MAAM,KAAK,QAAQ;AAAA;AAAA,EAC7B,GAAG,EAAE,KAAK,GAAG,KAAK,GAAG;AAAA,EACrB,GAAG,EAAE,KAAK,GAAG,KAAK,GAAG;AACvB;;;AChBO,SAAS,kBAAkB,GAAe,GAAwB;AACvE,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,YAAQ,EAAE,CAAC,IAAI,EAAE,CAAC;AAAA,EACpB;AACA,SAAO,SAAS;AAClB;AAEO,SAAS,WAAW,QAA4B;AACrD,aAAW,OAAO,QAAQ;AACxB,QAAI,KAAK,CAAC;AAAA,EACZ;AACF;;;AFNA,IAAM,WAAW,IAAI,YAAY,EAAE,OAAO,cAAc;AACxD,IAAM,WAAW,IAAI,YAAY,EAAE,OAAO,cAAc;AACxD,IAAM,aAAa,IAAI,YAAY,EAAE,OAAO,gBAAgB;AAErD,SAAS,kBAAkB,UAA8B;AAC9D,QAAM,aAAa,SAAS,UAAU,MAAM;AAC5C,SAAO,IAAI,YAAY,EAAE,OAAO,UAAU;AAC5C;AAEO,SAAS,gBACd,UACA,MACA,SAAuB,uBACX;AACZ,QAAM,gBAAgB,kBAAkB,QAAQ;AAChD,MAAI;AACF,WAAO,OAAO,eAAe,MAAM;AAAA,MACjC,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,OAAO;AAAA,IACT,CAAC;AAAA,EACH,UAAE;AACA,YAAQ,aAAa;AAAA,EACvB;AACF;AAEO,SAAS,WAAW,WAA4F;AACrH,QAAM,SAAS,KAAK,QAAQ,WAAW,QAAW,UAAU,EAAE;AAC9D,QAAM,YAAY,KAAK,QAAQ,WAAW,QAAW,UAAU,EAAE;AACjE,QAAM,WAAW,KAAK,QAAQ,WAAW,QAAW,YAAY,EAAE;AAClE,SAAO,EAAE,QAAQ,WAAW,SAAS;AACvC;;;AGvCA,SAAS,yBAAyB;AAClC,SAAS,YAAY;AACrB,SAAS,UAAAC,eAAc;AAEvB,IAAM,eAAe;AAEd,SAAS,SAAS,QAAgC;AACvD,QAAM,YAAY,WAAW,MAAM;AACnC,QAAM,YAAY;AAAA,EAAa,SAAS;AACxC,SAAO,IAAI,YAAY,EAAE,OAAO,SAAS;AAC3C;AAEO,SAAS,YAAY,UAAsB,WAAmC;AACnF,QAAM,OAAO,KAAKA,SAAQ,UAAU,SAAS;AAC7C,SAAO,KAAK,MAAM,GAAG,YAAY;AACnC;AAEO,SAAS,aACd,QACA,UACA,WACA,QACY;AACZ,QAAM,QAAQ,YAAY,UAAU,SAAS;AAC7C,QAAM,MAAM,SAAS,MAAM;AAC3B,QAAM,SAAS,kBAAkB,QAAQ,OAAO,GAAG;AACnD,QAAM,aAAa,OAAO,QAAQ,SAAS;AAE3C,QAAM,SAAS,IAAI,WAAW,eAAe,WAAW,MAAM;AAC9D,SAAO,IAAI,OAAO,CAAC;AACnB,SAAO,IAAI,YAAY,YAAY;AACnC,SAAO;AACT;AAEO,SAAS,aACd,QACA,SACA,QACY;AACZ,MAAI,QAAQ,SAAS,eAAe,IAAI;AACtC,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACA,QAAM,QAAQ,QAAQ,MAAM,GAAG,YAAY;AAC3C,QAAM,aAAa,QAAQ,MAAM,YAAY;AAC7C,QAAM,MAAM,SAAS,MAAM;AAC3B,QAAM,SAAS,kBAAkB,QAAQ,OAAO,GAAG;AACnD,MAAI;AACF,WAAO,OAAO,QAAQ,UAAU;AAAA,EAClC,QAAQ;AACN,UAAM,IAAI,MAAM,6BAA6B;AAAA,EAC/C;AACF;AAEA,SAAS,WAAW,OAA2B;AAC7C,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,WAAO,MAAM,CAAC,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;;;AC3DA,SAAS,QAAAC,aAAY;AACrB,SAAS,UAAAC,eAAc;AACvB,SAAS,mBAAmB;AAKrB,SAAS,eAA2B;AACzC,SAAO,YAAY,EAAE;AACvB;AAEO,SAAS,iBAA6B;AAC3C,SAAO,YAAY,EAAE;AACvB;AAEO,SAAS,gBAAgB,QAA6B;AAC3D,QAAM,UAAU,SAAS,OAAO,IAAI;AACpC,QAAM,YAAY,SAAS,OAAO,MAAM;AACxC,QAAM,EAAE,GAAG,GAAG,EAAE,IAAI,OAAO;AAC3B,SAAO,qBAAqB,OAAO,gBAAgB,SAAS,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC;AAC1F;AAEO,SAAS,YAAY,MAA2B;AACrD,MAAI,CAAC,KAAK,WAAW,WAAW,GAAG;AACjC,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AAEA,QAAM,YAAY,KAAK,MAAM,4BAA4B;AACzD,MAAI,CAAC,UAAW,OAAM,IAAI,MAAM,kCAAkC;AAClE,QAAM,OAAO,WAAW,UAAU,CAAC,CAAC;AACpC,MAAI,KAAK,WAAW,GAAI,OAAM,IAAI,MAAM,uCAAuC;AAE/E,QAAM,cAAc,KAAK,MAAM,+BAA+B;AAC9D,MAAI,CAAC,YAAa,OAAM,IAAI,MAAM,qCAAqC;AACvE,QAAM,SAAS,WAAW,YAAY,CAAC,CAAC;AACxC,MAAI,OAAO,WAAW,GAAI,OAAM,IAAI,MAAM,0CAA0C;AAEpF,QAAM,cAAc,KAAK,MAAM,gCAAgC;AAC/D,MAAI,CAAC,YAAa,OAAM,IAAI,MAAM,2CAA2C;AAC7E,QAAM,eAA6B;AAAA,IACjC,GAAG,SAAS,YAAY,CAAC,GAAG,EAAE;AAAA,IAC9B,GAAG,SAAS,YAAY,CAAC,GAAG,EAAE;AAAA,IAC9B,GAAG,SAAS,YAAY,CAAC,GAAG,EAAE;AAAA,EAChC;AAEA,uBAAqB,YAAY;AAEjC,SAAO,EAAE,SAAS,MAAM,MAAM,QAAQ,QAAQ,aAAa;AAC7D;AAEO,SAAS,qBAAqB,QAA4B;AAC/D,QAAM,EAAE,GAAG,GAAG,EAAE,IAAI;AACpB,MAAI,OAAO,IAAI,EAAE,OAAO,OAAO,IAAI,EAAE,KAAK;AACxC,UAAM,IAAI,MAAM,qBAAqB,OAAO,CAAC,aAAa,EAAE,GAAG,SAAI,EAAE,GAAG,GAAG;AAAA,EAC7E;AACA,MAAI,OAAO,IAAI,EAAE,OAAO,OAAO,IAAI,EAAE,KAAK;AACxC,UAAM,IAAI,MAAM,qBAAqB,OAAO,CAAC,aAAa,EAAE,GAAG,SAAI,EAAE,GAAG,GAAG;AAAA,EAC7E;AACA,MAAI,OAAO,IAAI,EAAE,OAAO,OAAO,IAAI,EAAE,KAAK;AACxC,UAAM,IAAI,MAAM,qBAAqB,OAAO,CAAC,aAAa,EAAE,GAAG,SAAI,EAAE,GAAG,GAAG;AAAA,EAC7E;AACF;AAEO,SAAS,mBAAmB,WAAuB,YAAgC;AACxF,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,UAAU;AACvD,SAAOC,MAAKC,SAAQ,WAAW,WAAW;AAC5C;AAEO,SAAS,aACd,WACA,YACA,WACS;AACT,QAAM,WAAW,mBAAmB,WAAW,UAAU;AACzD,SAAO,kBAAkB,UAAU,SAAS;AAC9C;AAEO,SAAS,SAAS,OAA2B;AAClD,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAC7C;AAEO,SAAS,WAAW,KAAyB;AAClD,SAAO,IAAI,WAAW,OAAO,KAAK,KAAK,QAAQ,CAAC;AAClD;;;ANhEA,eAAsB,QACpB,WACA,UACA,SACiB;AACjB,QAAM,WAAW,SAAS;AAC1B,QAAM,eAAe,SAAS,gBAAgB;AAC9C,QAAM,eAAe,SAAS,UAAU;AAGxC,MAAI;AACJ,MAAI,2CAAyC;AAC3C,UAAM,YAAY,SAAS,kBAAkB;AAC7C,aAAS,iBAAiB,WAAW,SAAS;AAAA,EAChD,OAAO;AACL,aAAS,iBAAiB,WAAW,YAAY;AAAA,EACnD;AAIA,MAAI;AACJ,MAAI;AACJ,MAAI;AAEJ,QAAM,OAAO,SAAS,eAClB,wBAAwB,QAAQ,cAAc,QAAQ,IACtD;AAEJ,MAAI,MAAM;AACR,WAAO,KAAK;AACZ,aAAS,KAAK;AACd,gBAAY,KAAK;AAAA,EACnB,OAAO;AACL,WAAO,aAAa;AACpB,aAAS,eAAe;AACxB,gBAAY,gBAAgB,UAAU,MAAM,YAAY;AAAA,EAC1D;AAEA,QAAM,EAAE,QAAQ,WAAW,SAAS,IAAI,WAAW,SAAS;AAE5D,MAAI;AAEF,UAAM,SAAsB,EAAE,SAAS,MAAM,MAAM,QAAQ,QAAQ,aAAa;AAChF,UAAM,aAAa,gBAAgB,MAAM;AACzC,UAAM,aAAa,mBAAmB,WAAW,UAAU;AAC3D,UAAM,iBAAiB,eAAe,SAAS,UAAU,CAAC;AAG1D,UAAM,aAAuB,CAAC;AAC9B,eAAW,aAAa,QAAQ;AAC9B,YAAM,aAAa,IAAI,YAAY,EAAE,OAAO,SAAS;AACrD,YAAM,UAAU,aAAa,QAAQ,UAAU,YAAY,MAAM;AACjE,iBAAW,KAAK,SAAS,OAAO,CAAC;AAAA,IACnC;AAGA,UAAM,YAAY,aAAa,OAAO,iBAAiB,OAAO,WAAW,KAAK,IAAI;AAClF,UAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,UAAM,WAAWC,MAAKC,SAAQ,WAAW,QAAQ;AACjD,UAAM,WAAW,YAAY,SAAS,QAAQ,CAAC;AAE/C,WAAO,CAAC,YAAY,gBAAgB,GAAG,YAAY,UAAU,EAAE,EAAE,KAAK,IAAI;AAAA,EAC5E,UAAE;AACA,YAAQ,WAAW,QAAQ,WAAW,QAAQ;AAAA,EAChD;AACF;AAEA,eAAsB,QACpB,aACA,UACiB;AACjB,QAAM,QAAQ,YAAY,MAAM,IAAI;AAGpC,MAAI,MAAM,SAAS,KAAK,MAAM,MAAM,SAAS,CAAC,MAAM,IAAI;AACtD,UAAM,IAAI;AAAA,EACZ;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AAGA,QAAM,aAAa,MAAM,CAAC;AAC1B,QAAM,SAAS,YAAY,UAAU;AAGrC,QAAM,WAAW,MAAM,CAAC;AACxB,QAAM,YAAY,SAAS,MAAM,iCAAiC;AAClE,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AACA,QAAM,aAAa,WAAW,UAAU,CAAC,CAAC;AAG1C,QAAM,YAAY,gBAAgB,UAAU,OAAO,MAAM,OAAO,MAAM;AACtE,QAAM,EAAE,QAAQ,WAAW,SAAS,IAAI,WAAW,SAAS;AAE5D,MAAI;AAEF,QAAI,CAAC,aAAa,WAAW,YAAY,UAAU,GAAG;AACpD,YAAM,IAAI,MAAM,kEAAkE;AAAA,IACpF;AAGA,UAAM,YAAY,MAAM,MAAM,CAAC;AAC/B,UAAM,YAAY,UAAU,UAAU,OAAK,EAAE,WAAW,WAAW,CAAC;AACpE,QAAI,YAAY,GAAG;AACjB,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACpD;AAEA,UAAM,aAAa,UAAU,MAAM,GAAG,SAAS;AAC/C,QAAI,WAAW,WAAW,GAAG;AAC3B,YAAM,IAAI,MAAM,oCAAoC;AAAA,IACtD;AAGA,UAAM,YAAY,UAAU,SAAS,EAAE,MAAM,8BAA8B;AAC3E,QAAI,CAAC,UAAW,OAAM,IAAI,MAAM,yCAAyC;AACzE,UAAM,iBAAiB,WAAW,UAAU,CAAC,CAAC;AAE9C,UAAM,YAAY,aAAa,OAAO,WAAW,OAAO,WAAW,KAAK,IAAI;AAC5E,UAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,UAAM,mBAAmBD,MAAKC,SAAQ,WAAW,QAAQ;AACzD,QAAI,CAAC,kBAAkB,kBAAkB,cAAc,GAAG;AACxD,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AAGA,UAAM,iBAA2B,CAAC;AAClC,eAAW,QAAQ,YAAY;AAC7B,YAAM,UAAU,WAAW,IAAI;AAC/B,YAAM,YAAY,aAAa,QAAQ,SAAS,OAAO,MAAM;AAC7D,qBAAe,KAAK,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,IACzD;AAEA,WAAO,eAAe,KAAK,EAAE;AAAA,EAC/B,UAAE;AACA,YAAQ,WAAW,QAAQ,WAAW,QAAQ;AAAA,EAChD;AACF;AAEA,SAAS,wBACP,aACA,UAC6E;AAC7E,MAAI;AACF,UAAM,QAAQ,YAAY,MAAM,IAAI;AACpC,QAAI,MAAM,SAAS,KAAK,MAAM,MAAM,SAAS,CAAC,MAAM,GAAI,OAAM,IAAI;AAClE,QAAI,MAAM,SAAS,EAAG,QAAO;AAE7B,UAAM,aAAa,MAAM,CAAC;AAC1B,UAAM,SAAS,YAAY,UAAU;AAGrC,UAAM,WAAW,MAAM,CAAC;AACxB,UAAM,YAAY,SAAS,MAAM,iCAAiC;AAClE,QAAI,CAAC,UAAW,QAAO;AACvB,UAAM,aAAa,WAAW,UAAU,CAAC,CAAC;AAE1C,UAAM,YAAY,gBAAgB,UAAU,OAAO,MAAM,OAAO,MAAM;AACtE,UAAM,EAAE,UAAU,IAAI,WAAW,SAAS;AAE1C,QAAI,CAAC,aAAa,WAAW,YAAY,UAAU,GAAG;AACpD,cAAQ,WAAW,SAAS;AAC5B,aAAO;AAAA,IACT;AAEA,YAAQ,SAAS;AAGjB,WAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,OAAO,QAAQ,UAAU;AAAA,EAC/D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AOlMA,SAAS,oBAAoB;AAC7B,SAAS,YAAY;AAErB,IAAM,gBAAgB;AAOf,SAAS,gBAAgB,UAAiC;AAC/D,QAAM,cAAc,QAAQ,IAAI,gBAAgB;AAChD,MAAI,YAAa,QAAO;AAExB,MAAI;AACF,UAAM,UAAU,aAAa,KAAK,UAAU,aAAa,GAAG,OAAO,EAAE,KAAK;AAC1E,QAAI,QAAQ,SAAS,EAAG,QAAO;AAAA,EACjC,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;;;ACtBA,SAAS,oBAAoB;AAC7B,SAAS,aAAa,gBAAgB;AACtC,SAAS,QAAAC,OAAM,eAAe;AAE9B,IAAM,YAAY,oBAAI,IAAI,CAAC,QAAQ,gBAAgB,OAAO,MAAM,CAAC;AACjE,IAAM,cAAc;AAEb,SAAS,cAAsB;AACpC,MAAI;AACF,WAAO,aAAa,OAAO,CAAC,aAAa,iBAAiB,GAAG;AAAA,MAC3D,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,IAChC,CAAC,EAAE,KAAK;AAAA,EACV,QAAQ;AACN,UAAM,IAAI,MAAM,sBAAsB;AAAA,EACxC;AACF;AAEO,SAAS,cAAsB;AACpC,MAAI;AACF,UAAM,SAAS,aAAa,OAAO,CAAC,aAAa,cAAc,OAAO,GAAG;AAAA,MACvE,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,IAChC,CAAC,EAAE,KAAK;AACR,WAAO,QAAQ,MAAM;AAAA,EACvB,QAAQ;AACN,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AACF;AAEO,SAAS,eAAe,UAA4B;AACzD,QAAM,UAAoB,CAAC;AAC3B,gBAAc,UAAU,OAAO;AAC/B,SAAO;AACT;AAEA,SAAS,cAAc,KAAa,SAAyB;AAC3D,MAAI;AACJ,MAAI;AACF,cAAU,YAAY,GAAG;AAAA,EAC3B,QAAQ;AACN;AAAA,EACF;AAEA,MAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,YAAQ,KAAK,GAAG;AAAA,EAClB;AAEA,aAAW,SAAS,SAAS;AAC3B,QAAI,UAAU,IAAI,KAAK,KAAK,MAAM,WAAW,GAAG,EAAG;AACnD,UAAM,OAAOA,MAAK,KAAK,KAAK;AAC5B,QAAI;AACF,UAAI,SAAS,IAAI,EAAE,YAAY,GAAG;AAChC,sBAAc,MAAM,OAAO;AAAA,MAC7B;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAEO,SAAS,gBAAgB,KAAuB;AACrD,MAAI;AACF,WAAO,YAAY,GAAG,EAAE;AAAA,MACtB,OAAK,EAAE,SAAS,KAAK,KAAK,SAASA,MAAK,KAAK,CAAC,CAAC,EAAE,OAAO;AAAA,IAC1D;AAAA,EACF,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,mBAAmB,KAAuB;AACxD,MAAI;AACF,WAAO,YAAY,GAAG,EAAE;AAAA,MACtB,OAAK,EAAE,SAAS,QAAQ,KAAK,SAASA,MAAK,KAAK,CAAC,CAAC,EAAE,OAAO;AAAA,IAC7D;AAAA,EACF,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,OAAO,UAAkB,OAAuB;AAC9D,MAAI,MAAM,WAAW,EAAG;AACxB,eAAa,OAAO,CAAC,OAAO,MAAM,GAAG,KAAK,GAAG;AAAA,IAC3C,KAAK;AAAA,IACL,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,EAChC,CAAC;AACH;AAEO,SAAS,YAAY,UAAkB,OAAuB;AACnE,MAAI,MAAM,WAAW,EAAG;AACxB,eAAa,OAAO,CAAC,MAAM,YAAY,MAAM,GAAG,KAAK,GAAG;AAAA,IACtD,KAAK;AAAA,IACL,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,EAChC,CAAC;AACH;AAEO,SAAS,aAAa,UAAkB,MAAuB;AACpE,MAAI;AACF,UAAM,SAAS;AAAA,MACb;AAAA,MACA,CAAC,QAAQ,YAAY,eAAe,MAAM,IAAI;AAAA,MAC9C,EAAE,KAAK,UAAU,UAAU,SAAS,OAAO,CAAC,QAAQ,QAAQ,MAAM,EAAE;AAAA,IACtE;AACA,WAAO,OAAO,KAAK,EAAE,SAAS;AAAA,EAChC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,cAAc,UAAkB,MAAuB;AACrE,MAAI;AACF,iBAAa,OAAO,CAAC,YAAY,mBAAmB,MAAM,IAAI,GAAG;AAAA,MAC/D,KAAK;AAAA,MACL,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,IAChC,CAAC;AACD,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AT1GA,SAAS,kBAAkB,QAAgB,WAA4B;AACrE,MAAI,CAAC,WAAW,SAAS,EAAG,QAAO;AACnC,QAAM,UAAUC,UAAS,MAAM,EAAE;AACjC,QAAM,aAAaA,UAAS,SAAS,EAAE;AACvC,SAAO,UAAU;AACnB;AAEA,eAAsB,gBAA+B;AACnD,QAAM,WAAW,YAAY;AAC7B,QAAM,WAAW,gBAAgB,QAAQ;AAEzC,MAAI,CAAC,UAAU;AACb,YAAQ,OAAO;AAAA,MACb;AAAA,IACF;AACA,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,aAAa,eAAe,QAAQ;AAC1C,MAAI,WAAW,WAAW,EAAG,SAAQ,KAAK,CAAC;AAE3C,MAAI,iBAAiB;AACrB,MAAI,eAAe;AACnB,MAAI,aAAa;AAEjB,aAAW,OAAO,YAAY;AAC5B,UAAM,UAAU,gBAAgB,GAAG;AAEnC,eAAW,UAAU,SAAS;AAC5B,YAAM,SAASC,MAAK,KAAK,MAAM;AAC/B,YAAM,YAAY,OAAO,QAAQ,SAAS,QAAQ;AAClD,YAAM,YAAY,SAAS,UAAU,MAAM;AAC3C,YAAM,eAAe,SAAS,UAAU,SAAS;AAGjD,UAAI,CAAC,kBAAkB,QAAQ,SAAS,GAAG;AACzC;AAEA,YAAI,WAAW,SAAS,GAAG;AACzB,iBAAO,UAAU,CAAC,YAAY,CAAC;AAAA,QACjC;AACA;AAAA,MACF;AAEA,UAAI;AACF,cAAM,YAAYC,cAAa,QAAQ,OAAO;AAG9C,YAAI;AACJ,YAAI,WAAW,SAAS,GAAG;AACzB,yBAAeA,cAAa,WAAW,OAAO;AAAA,QAChD;AAEA,cAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,aAAa,CAAC;AACrE,sBAAc,WAAW,SAAS;AAClC,eAAO,UAAU,CAAC,YAAY,CAAC;AAG/B,YAAI,aAAa,UAAU,SAAS,GAAG;AACrC,sBAAY,UAAU,CAAC,SAAS,CAAC;AAAA,QACnC;AAEA;AAAA,MACF,SAAS,KAAK;AACZ,gBAAQ,OAAO;AAAA,UACb,4BAA4B,SAAS,KAAK,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA;AAAA,QACpF;AACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,iBAAiB,GAAG;AACtB,YAAQ,OAAO,MAAM,oBAAoB,cAAc;AAAA,CAAY;AAAA,EACrE;AAEA,MAAI,aAAa,GAAG;AAClB,YAAQ,OAAO;AAAA,MACb,UAAU,UAAU;AAAA;AAAA,IACtB;AACA,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,UAAQ,KAAK,CAAC;AAChB;AAOA,eAAsB,aAA8B;AAClD,QAAM,WAAW,YAAY;AAC7B,QAAM,WAAW,gBAAgB,QAAQ;AAEzC,MAAI,CAAC,UAAU;AACb,YAAQ,OAAO;AAAA,MACb;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,eAAe,QAAQ;AAC1C,MAAI,QAAQ;AAEZ,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,mBAAmB,GAAG;AAEzC,eAAW,aAAa,YAAY;AAClC,YAAM,YAAYD,MAAK,KAAK,SAAS;AACrC,YAAM,SAAS,UAAU,QAAQ,YAAY,KAAK;AAClD,YAAM,YAAY,SAAS,UAAU,MAAM;AAG3C,UAAI,WAAW,MAAM,GAAG;AACtB,cAAM,UAAUD,UAAS,MAAM,EAAE;AACjC,cAAM,aAAaA,UAAS,SAAS,EAAE;AACvC,YAAI,UAAU,YAAY;AACxB,kBAAQ,OAAO;AAAA,YACb,mBAAmB,SAAS;AAAA;AAAA,UAC9B;AACA;AAAA,QACF;AAAA,MACF;AAEA,UAAI;AACF,cAAM,YAAYE,cAAa,WAAW,OAAO;AACjD,cAAM,YAAY,MAAM,QAAQ,WAAW,QAAQ;AACnD,sBAAc,QAAQ,SAAS;AAC/B;AAAA,MACF,SAAS,KAAK;AACZ,gBAAQ,OAAO;AAAA,UACb,4BAA4B,SAAS,UAAU,SAAS,CAAC,KAAK,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA;AAAA,QACxG;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,mBAAkC;AACtD,QAAM,QAAQ,MAAM,WAAW;AAC/B,MAAI,QAAQ,GAAG;AACb,YAAQ,OAAO,MAAM,oBAAoB,KAAK;AAAA,CAAY;AAAA,EAC5D;AACA,UAAQ,KAAK,CAAC;AAChB;AAEA,eAAsB,gBAA+B;AACnD,QAAM,QAAQ,MAAM,WAAW;AAC/B,MAAI,QAAQ,GAAG;AACb,YAAQ,OAAO,MAAM,oBAAoB,KAAK;AAAA,CAAY;AAAA,EAC5D;AACA,UAAQ,KAAK,CAAC;AAChB;AAEA,eAAsB,kBAAiC;AACrD,QAAM,QAAQ,MAAM,WAAW;AAC/B,MAAI,QAAQ,GAAG;AACb,YAAQ,OAAO,MAAM,oBAAoB,KAAK;AAAA,CAAY;AAAA,EAC5D;AACA,UAAQ,KAAK,CAAC;AAChB;","names":["readFileSync","statSync","join","hmac","sha256","sha256","hmac","sha256","hmac","sha256","hmac","sha256","join","statSync","join","readFileSync"]}
package/dist/cli.js ADDED
@@ -0,0 +1,548 @@
1
+ #!/usr/bin/env node
2
+ import {
3
+ constantTimeEqual,
4
+ decrypt,
5
+ deriveKeys,
6
+ deriveMasterKey,
7
+ encrypt,
8
+ findGitRoot,
9
+ findMarkedDirs,
10
+ fromBase64,
11
+ getHooksDir,
12
+ getMdFilesInDir,
13
+ getMdencFilesInDir,
14
+ gitAdd,
15
+ gitRmCached,
16
+ isFileTracked,
17
+ parseHeader,
18
+ postCheckoutHook,
19
+ postMergeHook,
20
+ postRewriteHook,
21
+ preCommitHook,
22
+ resolvePassword,
23
+ verifyHeader,
24
+ zeroize
25
+ } from "./chunk-FFRUPAVV.js";
26
+
27
+ // src/cli.ts
28
+ import { readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
29
+
30
+ // src/seal.ts
31
+ import { hmac } from "@noble/hashes/hmac";
32
+ import { sha256 } from "@noble/hashes/sha256";
33
+ async function verifySeal(fileContent, password) {
34
+ const lines = fileContent.split("\n");
35
+ if (lines.length > 0 && lines[lines.length - 1] === "") lines.pop();
36
+ if (lines.length < 3) throw new Error("Invalid mdenc file: too few lines");
37
+ const headerLine = lines[0];
38
+ const header = parseHeader(headerLine);
39
+ const authLine = lines[1];
40
+ const authMatch = authLine.match(/^hdrauth_b64=([A-Za-z0-9+/=]+)$/);
41
+ if (!authMatch) throw new Error("Invalid mdenc file: missing hdrauth_b64 line");
42
+ const headerHmac = fromBase64(authMatch[1]);
43
+ const masterKey = deriveMasterKey(password, header.salt, header.scrypt);
44
+ const { headerKey, nonceKey } = deriveKeys(masterKey);
45
+ try {
46
+ if (!verifyHeader(headerKey, headerLine, headerHmac)) {
47
+ throw new Error("Header authentication failed");
48
+ }
49
+ const chunkAndSealLines = lines.slice(2);
50
+ const sealIndex = chunkAndSealLines.findIndex((l) => l.startsWith("seal_b64="));
51
+ if (sealIndex < 0) {
52
+ throw new Error("File is not sealed: no seal_b64 line found");
53
+ }
54
+ const chunkLines = chunkAndSealLines.slice(0, sealIndex);
55
+ const sealMatch = chunkAndSealLines[sealIndex].match(/^seal_b64=([A-Za-z0-9+/=]+)$/);
56
+ if (!sealMatch) throw new Error("Invalid seal line");
57
+ const storedHmac = fromBase64(sealMatch[1]);
58
+ const sealInput = headerLine + "\n" + authLine + "\n" + chunkLines.join("\n");
59
+ const sealData = new TextEncoder().encode(sealInput);
60
+ const computed = hmac(sha256, headerKey, sealData);
61
+ return constantTimeEqual(computed, storedHmac);
62
+ } finally {
63
+ zeroize(masterKey, headerKey, nonceKey);
64
+ }
65
+ }
66
+
67
+ // src/git/init.ts
68
+ import { readFileSync, writeFileSync, existsSync, chmodSync, unlinkSync } from "fs";
69
+ import { join } from "path";
70
+ var MARKER = "# mdenc-hook-marker";
71
+ var HOOK_NAMES = [
72
+ "pre-commit",
73
+ "post-checkout",
74
+ "post-merge",
75
+ "post-rewrite"
76
+ ];
77
+ function hookBlock(hookName) {
78
+ return `
79
+ ${MARKER}
80
+ if command -v mdenc >/dev/null 2>&1; then
81
+ mdenc ${hookName}
82
+ elif [ -x "./node_modules/.bin/mdenc" ]; then
83
+ ./node_modules/.bin/mdenc ${hookName}
84
+ else
85
+ echo "mdenc: not found, skipping ${hookName} hook" >&2
86
+ fi`;
87
+ }
88
+ function newHookScript(hookName) {
89
+ return `#!/bin/sh${hookBlock(hookName)}
90
+ `;
91
+ }
92
+ function isBinary(content) {
93
+ return content.slice(0, 512).includes("\0");
94
+ }
95
+ function hasShellShebang(content) {
96
+ const firstLine = content.split("\n")[0];
97
+ return /^#!.*\b(sh|bash|zsh|dash)\b/.test(firstLine);
98
+ }
99
+ function looksLikeFrameworkHook(content) {
100
+ const lines = content.split("\n").filter((l) => l.trim() && !l.startsWith("#"));
101
+ if (lines.length <= 2) {
102
+ return lines.some((l) => /^\.\s+"/.test(l.trim()) || /^exec\s+/.test(l.trim()));
103
+ }
104
+ return false;
105
+ }
106
+ function printManualInstructions(hookName) {
107
+ process.stderr.write(
108
+ `mdenc: ${hookName} hook exists but has an unrecognized format.
109
+ Add the following to your hook manually:
110
+
111
+ ${MARKER}
112
+ if command -v mdenc >/dev/null 2>&1; then
113
+ mdenc ${hookName}
114
+ elif [ -x "./node_modules/.bin/mdenc" ]; then
115
+ ./node_modules/.bin/mdenc ${hookName}
116
+ fi
117
+
118
+ `
119
+ );
120
+ }
121
+ async function initCommand() {
122
+ const repoRoot = findGitRoot();
123
+ const hooksDir = getHooksDir();
124
+ for (const hookName of HOOK_NAMES) {
125
+ const hookPath = join(hooksDir, hookName);
126
+ if (!existsSync(hookPath)) {
127
+ writeFileSync(hookPath, newHookScript(hookName));
128
+ chmodSync(hookPath, 493);
129
+ console.log(`Installed ${hookName} hook`);
130
+ continue;
131
+ }
132
+ const content = readFileSync(hookPath, "utf-8");
133
+ if (content.includes(MARKER)) {
134
+ console.log(`${hookName} hook already installed (skipped)`);
135
+ continue;
136
+ }
137
+ if (isBinary(content)) {
138
+ process.stderr.write(
139
+ `mdenc: ${hookName} hook appears to be a binary file. Skipping.
140
+ `
141
+ );
142
+ printManualInstructions(hookName);
143
+ continue;
144
+ }
145
+ if (!hasShellShebang(content)) {
146
+ process.stderr.write(
147
+ `mdenc: ${hookName} hook has no shell shebang. Skipping.
148
+ `
149
+ );
150
+ printManualInstructions(hookName);
151
+ continue;
152
+ }
153
+ if (looksLikeFrameworkHook(content)) {
154
+ process.stderr.write(
155
+ `mdenc: ${hookName} hook appears to be managed by a framework. Skipping.
156
+ `
157
+ );
158
+ printManualInstructions(hookName);
159
+ continue;
160
+ }
161
+ writeFileSync(hookPath, content.trimEnd() + "\n" + hookBlock(hookName) + "\n");
162
+ chmodSync(hookPath, 493);
163
+ console.log(`Appended mdenc to existing ${hookName} hook`);
164
+ }
165
+ const gitignorePath = join(repoRoot, ".gitignore");
166
+ const entry = ".mdenc-password";
167
+ if (existsSync(gitignorePath)) {
168
+ const content = readFileSync(gitignorePath, "utf-8");
169
+ const lines = content.split("\n").map((l) => l.trim());
170
+ if (!lines.includes(entry)) {
171
+ writeFileSync(gitignorePath, content.trimEnd() + "\n" + entry + "\n");
172
+ console.log("Added .mdenc-password to .gitignore");
173
+ } else {
174
+ console.log(".mdenc-password already in .gitignore (skipped)");
175
+ }
176
+ } else {
177
+ writeFileSync(gitignorePath, entry + "\n");
178
+ console.log("Created .gitignore with .mdenc-password");
179
+ }
180
+ const { decryptAll } = await import("./hooks-ZO2DIE5U.js");
181
+ const count = await decryptAll();
182
+ if (count > 0) {
183
+ console.log(`Decrypted ${count} existing file(s)`);
184
+ }
185
+ console.log("mdenc git integration initialized.");
186
+ }
187
+ function removeHooksCommand() {
188
+ const hooksDir = getHooksDir();
189
+ let removedCount = 0;
190
+ for (const hookName of HOOK_NAMES) {
191
+ const hookPath = join(hooksDir, hookName);
192
+ if (!existsSync(hookPath)) continue;
193
+ const content = readFileSync(hookPath, "utf-8");
194
+ if (!content.includes(MARKER)) {
195
+ console.log(`${hookName}: no mdenc block found (skipped)`);
196
+ continue;
197
+ }
198
+ const lines = content.split("\n");
199
+ const filtered = [];
200
+ let inBlock = false;
201
+ for (const line of lines) {
202
+ if (line.trim() === MARKER) {
203
+ inBlock = true;
204
+ continue;
205
+ }
206
+ if (inBlock) {
207
+ if (line.trim() === "fi") {
208
+ inBlock = false;
209
+ continue;
210
+ }
211
+ continue;
212
+ }
213
+ filtered.push(line);
214
+ }
215
+ const result = filtered.join("\n");
216
+ const isEmpty = result.split("\n").every((l) => l.trim() === "" || l.startsWith("#!"));
217
+ if (isEmpty) {
218
+ unlinkSync(hookPath);
219
+ console.log(`Removed ${hookName} hook (was mdenc-only)`);
220
+ } else {
221
+ writeFileSync(hookPath, result);
222
+ console.log(`Removed mdenc block from ${hookName} hook`);
223
+ }
224
+ removedCount++;
225
+ }
226
+ if (removedCount === 0) {
227
+ console.log("No mdenc hooks found to remove.");
228
+ } else {
229
+ console.log("mdenc hooks removed.");
230
+ }
231
+ }
232
+
233
+ // src/git/mark.ts
234
+ import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
235
+ import { join as join2, relative, resolve } from "path";
236
+ var MARKER_FILE = ".mdenc.conf";
237
+ var MARKER_CONTENT = "# mdenc: .md files in this directory are automatically encrypted\n";
238
+ var GITIGNORE_PATTERN = "*.md";
239
+ function markCommand(dirArg) {
240
+ const repoRoot = findGitRoot();
241
+ const dir = resolve(dirArg);
242
+ if (!existsSync2(dir)) {
243
+ console.error(`Error: directory "${dirArg}" does not exist`);
244
+ process.exit(1);
245
+ }
246
+ const rel = relative(repoRoot, dir);
247
+ if (rel.startsWith("..")) {
248
+ console.error(`Error: directory "${dirArg}" is outside the git repository`);
249
+ process.exit(1);
250
+ }
251
+ const relDir = rel || ".";
252
+ const confPath = join2(dir, MARKER_FILE);
253
+ if (!existsSync2(confPath)) {
254
+ writeFileSync2(confPath, MARKER_CONTENT);
255
+ console.log(`Created ${relDir}/${MARKER_FILE}`);
256
+ } else {
257
+ console.log(`${relDir}/${MARKER_FILE} already exists (skipped)`);
258
+ }
259
+ const gitignorePath = join2(dir, ".gitignore");
260
+ if (existsSync2(gitignorePath)) {
261
+ const content = readFileSync2(gitignorePath, "utf-8");
262
+ const lines = content.split("\n").map((l) => l.trim());
263
+ if (!lines.includes(GITIGNORE_PATTERN)) {
264
+ writeFileSync2(gitignorePath, content.trimEnd() + "\n" + GITIGNORE_PATTERN + "\n");
265
+ console.log(`Updated ${relDir}/.gitignore (added ${GITIGNORE_PATTERN})`);
266
+ } else {
267
+ console.log(`${relDir}/.gitignore already has ${GITIGNORE_PATTERN} (skipped)`);
268
+ }
269
+ } else {
270
+ writeFileSync2(gitignorePath, GITIGNORE_PATTERN + "\n");
271
+ console.log(`Created ${relDir}/.gitignore with ${GITIGNORE_PATTERN}`);
272
+ }
273
+ const mdFiles = getMdFilesInDir(dir);
274
+ const trackedMd = [];
275
+ for (const f of mdFiles) {
276
+ const relPath = relative(repoRoot, join2(dir, f));
277
+ if (isFileTracked(repoRoot, relPath)) {
278
+ trackedMd.push(relPath);
279
+ }
280
+ }
281
+ if (trackedMd.length > 0) {
282
+ gitRmCached(repoRoot, trackedMd);
283
+ for (const f of trackedMd) {
284
+ console.log(`Untracked ${f} from git (still exists locally)`);
285
+ }
286
+ }
287
+ const toStage = [
288
+ relative(repoRoot, confPath),
289
+ relative(repoRoot, gitignorePath)
290
+ ];
291
+ gitAdd(repoRoot, toStage);
292
+ console.log(`Marked ${relDir}/ for mdenc encryption`);
293
+ }
294
+
295
+ // src/git/status.ts
296
+ import { existsSync as existsSync3, readFileSync as readFileSync3, statSync } from "fs";
297
+ import { join as join3, relative as relative2 } from "path";
298
+ var HOOK_NAMES2 = ["pre-commit", "post-checkout", "post-merge", "post-rewrite"];
299
+ var MARKER2 = "# mdenc-hook-marker";
300
+ function statusCommand() {
301
+ const repoRoot = findGitRoot();
302
+ const password = resolvePassword(repoRoot);
303
+ const markedDirs = findMarkedDirs(repoRoot);
304
+ if (markedDirs.length === 0) {
305
+ console.log("No directories marked for mdenc encryption.");
306
+ console.log('Use "mdenc mark <directory>" to designate a directory.');
307
+ } else {
308
+ console.log("Marked directories:\n");
309
+ for (const dir of markedDirs) {
310
+ const relDir = relative2(repoRoot, dir) || ".";
311
+ console.log(` ${relDir}/`);
312
+ const mdFiles = getMdFilesInDir(dir);
313
+ const mdencFiles = getMdencFilesInDir(dir);
314
+ const mdBases = new Set(mdFiles.map((f) => f.replace(/\.md$/, "")));
315
+ const mdencBases = new Set(mdencFiles.map((f) => f.replace(/\.mdenc$/, "")));
316
+ for (const base of mdBases) {
317
+ if (mdencBases.has(base)) {
318
+ const mdPath = join3(dir, `${base}.md`);
319
+ const mdencPath = join3(dir, `${base}.mdenc`);
320
+ const mdMtime = statSync(mdPath).mtimeMs;
321
+ const mdencMtime = statSync(mdencPath).mtimeMs;
322
+ if (mdMtime > mdencMtime) {
323
+ console.log(` ${base}.md [needs re-encryption]`);
324
+ } else {
325
+ console.log(` ${base}.md [up to date]`);
326
+ }
327
+ } else {
328
+ console.log(` ${base}.md [not yet encrypted]`);
329
+ }
330
+ }
331
+ for (const base of mdencBases) {
332
+ if (!mdBases.has(base)) {
333
+ console.log(` ${base}.mdenc [needs decryption]`);
334
+ }
335
+ }
336
+ const gitignorePath = join3(dir, ".gitignore");
337
+ if (!existsSync3(gitignorePath)) {
338
+ console.log(` WARNING: no .gitignore in this directory`);
339
+ } else {
340
+ const content = readFileSync3(gitignorePath, "utf-8");
341
+ if (!content.split("\n").some((l) => l.trim() === "*.md")) {
342
+ console.log(` WARNING: .gitignore missing *.md pattern`);
343
+ }
344
+ }
345
+ console.log();
346
+ }
347
+ }
348
+ if (!password) {
349
+ console.log("Password: NOT AVAILABLE");
350
+ console.log(" Set MDENC_PASSWORD env var or create .mdenc-password file");
351
+ } else {
352
+ console.log("Password: available");
353
+ }
354
+ const hooksDir = getHooksDir();
355
+ const missing = [];
356
+ for (const name of HOOK_NAMES2) {
357
+ const hookPath = join3(hooksDir, name);
358
+ if (!existsSync3(hookPath)) {
359
+ missing.push(name);
360
+ } else {
361
+ const content = readFileSync3(hookPath, "utf-8");
362
+ if (!content.includes(MARKER2)) {
363
+ missing.push(name);
364
+ }
365
+ }
366
+ }
367
+ if (missing.length > 0) {
368
+ console.log(`Hooks: MISSING (${missing.join(", ")})`);
369
+ console.log(' Run "mdenc init" to install hooks');
370
+ } else {
371
+ console.log("Hooks: all installed");
372
+ }
373
+ }
374
+
375
+ // src/cli.ts
376
+ function readPasswordFromTTY(prompt) {
377
+ return new Promise((resolve2) => {
378
+ if (!process.stdin.isTTY) {
379
+ process.stderr.write(prompt);
380
+ let data = "";
381
+ process.stdin.setEncoding("utf-8");
382
+ process.stdin.on("data", (chunk) => {
383
+ const nlIdx = chunk.indexOf("\n");
384
+ if (nlIdx >= 0) {
385
+ data += chunk.slice(0, nlIdx);
386
+ process.stdin.pause();
387
+ resolve2(data);
388
+ } else {
389
+ data += chunk;
390
+ }
391
+ });
392
+ process.stdin.on("end", () => resolve2(data));
393
+ process.stdin.resume();
394
+ return;
395
+ }
396
+ process.stderr.write(prompt);
397
+ const buf = [];
398
+ process.stdin.setRawMode(true);
399
+ process.stdin.setEncoding("utf-8");
400
+ process.stdin.resume();
401
+ const onData = (ch) => {
402
+ if (ch === "") {
403
+ process.stderr.write("\n");
404
+ process.stdin.setRawMode(false);
405
+ process.stdin.pause();
406
+ process.stdin.removeListener("data", onData);
407
+ process.exit(130);
408
+ } else if (ch === "\r" || ch === "\n") {
409
+ process.stderr.write("\n");
410
+ process.stdin.setRawMode(false);
411
+ process.stdin.pause();
412
+ process.stdin.removeListener("data", onData);
413
+ resolve2(buf.join(""));
414
+ } else if (ch === "\x7F" || ch === "\b") {
415
+ buf.pop();
416
+ } else if (ch === "") {
417
+ process.stderr.write("\n");
418
+ process.stdin.setRawMode(false);
419
+ process.stdin.pause();
420
+ process.stdin.removeListener("data", onData);
421
+ resolve2(buf.join(""));
422
+ } else if (ch >= " ") {
423
+ buf.push(ch);
424
+ }
425
+ };
426
+ process.stdin.on("data", onData);
427
+ });
428
+ }
429
+ async function getPassword(prompt = "Password: ") {
430
+ const envPassword = process.env["MDENC_PASSWORD"];
431
+ if (envPassword) return envPassword;
432
+ return readPasswordFromTTY(prompt);
433
+ }
434
+ async function getPasswordWithConfirmation() {
435
+ if (process.env["MDENC_PASSWORD"]) return process.env["MDENC_PASSWORD"];
436
+ const password = await readPasswordFromTTY("Password: ");
437
+ const confirm = await readPasswordFromTTY("Confirm password: ");
438
+ if (password !== confirm) {
439
+ console.error("Error: passwords do not match");
440
+ process.exit(1);
441
+ }
442
+ return password;
443
+ }
444
+ function usage() {
445
+ console.error(`Usage:
446
+ mdenc encrypt <file> [-o output] Encrypt a markdown file
447
+ mdenc decrypt <file> [-o output] Decrypt an mdenc file
448
+ mdenc verify <file> Verify file integrity
449
+
450
+ Git integration:
451
+ mdenc init Set up git hooks for automatic encryption
452
+ mdenc mark <directory> Mark a directory for encryption
453
+ mdenc status Show encryption status
454
+ mdenc remove-hooks Remove mdenc git hooks`);
455
+ process.exit(1);
456
+ }
457
+ async function main() {
458
+ const args = process.argv.slice(2);
459
+ if (args.length === 0) usage();
460
+ const command = args[0];
461
+ try {
462
+ switch (command) {
463
+ case "encrypt": {
464
+ if (!args[1]) usage();
465
+ const inputFile = args[1];
466
+ const outputIdx = args.indexOf("-o");
467
+ const outputFile = outputIdx >= 0 ? args[outputIdx + 1] : void 0;
468
+ const password = await getPasswordWithConfirmation();
469
+ const plaintext = readFileSync4(inputFile, "utf-8");
470
+ const encrypted = await encrypt(plaintext, password);
471
+ if (outputFile) {
472
+ writeFileSync3(outputFile, encrypted);
473
+ } else {
474
+ process.stdout.write(encrypted);
475
+ }
476
+ break;
477
+ }
478
+ case "decrypt": {
479
+ if (!args[1]) usage();
480
+ const inputFile = args[1];
481
+ const outputIdx = args.indexOf("-o");
482
+ const outputFile = outputIdx >= 0 ? args[outputIdx + 1] : void 0;
483
+ const password = await getPassword();
484
+ const fileContent = readFileSync4(inputFile, "utf-8");
485
+ const decrypted = await decrypt(fileContent, password);
486
+ if (outputFile) {
487
+ writeFileSync3(outputFile, decrypted);
488
+ } else {
489
+ process.stdout.write(decrypted);
490
+ }
491
+ break;
492
+ }
493
+ case "verify": {
494
+ if (!args[1]) usage();
495
+ const inputFile = args[1];
496
+ const password = await getPassword();
497
+ const fileContent = readFileSync4(inputFile, "utf-8");
498
+ const valid = await verifySeal(fileContent, password);
499
+ if (valid) {
500
+ console.error("Seal verified: OK");
501
+ process.exit(0);
502
+ } else {
503
+ console.error("Seal verification FAILED");
504
+ process.exit(1);
505
+ }
506
+ break;
507
+ }
508
+ case "init":
509
+ await initCommand();
510
+ break;
511
+ case "mark": {
512
+ if (!args[1]) {
513
+ console.error("Usage: mdenc mark <directory>");
514
+ process.exit(1);
515
+ }
516
+ markCommand(args[1]);
517
+ break;
518
+ }
519
+ case "status":
520
+ statusCommand();
521
+ break;
522
+ case "remove-hooks":
523
+ removeHooksCommand();
524
+ break;
525
+ // Git hook handlers (called by hook scripts, not directly by user)
526
+ case "pre-commit":
527
+ await preCommitHook();
528
+ break;
529
+ case "post-checkout":
530
+ await postCheckoutHook();
531
+ break;
532
+ case "post-merge":
533
+ await postMergeHook();
534
+ break;
535
+ case "post-rewrite":
536
+ await postRewriteHook();
537
+ break;
538
+ default:
539
+ console.error(`Unknown command: ${command}`);
540
+ usage();
541
+ }
542
+ } catch (err) {
543
+ console.error(`Error: ${err instanceof Error ? err.message : err}`);
544
+ process.exit(1);
545
+ }
546
+ }
547
+ main();
548
+ //# sourceMappingURL=cli.js.map