mdenc 0.1.5 → 2.0.0

package/README.md

@@ -2,6 +2,8 @@
 
 **Encrypt your Markdown. Keep your diffs.**
 
+[**Live Demo**](https://yogh-io.github.io/mdenc/) | [npm](https://www.npmjs.com/package/mdenc) | [Specification](SPECIFICATION.md) | [Security](SECURITY.md)
+
 mdenc lets you store encrypted Markdown in git without losing the ability to see *what changed*. Edit one paragraph, and only that paragraph changes in the encrypted output. Your `git log` stays useful. Your pull request reviews stay sane.
 
 ## What it looks like
@@ -92,29 +94,26 @@ Password is read from `MDENC_PASSWORD` env var or prompted interactively (no ech
 
 ## Git Integration
 
-mdenc can automatically encrypt and decrypt files as part of your git workflow.
+mdenc uses git's native **smudge/clean filter** to transparently encrypt and decrypt `.md` files. You edit plaintext locally; git stores ciphertext in the repository.
 
 ```bash
-# Set up git hooks (pre-commit, post-checkout, post-merge, post-rewrite)
+# Set up git smudge/clean filter and textconv diff
 mdenc init
 
 # Generate a random password into .mdenc-password
-mdenc genpass
+mdenc genpass [--force]
 
-# Mark a directory -- .md files inside will be encrypted on commit
+# Mark a directory -- .md files inside will be filtered
 mdenc mark docs/private
 
-# See which files need encryption/decryption
+# See which files are configured for encryption
 mdenc status
 
-# Watch for changes and encrypt on save
-mdenc watch
-
-# Remove mdenc hooks from the repository
-mdenc remove-hooks
+# Remove git filter configuration
+mdenc remove-filter
 ```
 
-After `mdenc init` and `mdenc mark`, the workflow is automatic: edit `.md` files normally, and the pre-commit hook encrypts them to `.mdenc` before each commit. Post-checkout and post-merge hooks decrypt them back after switching branches or pulling.
+After `mdenc init` and `mdenc mark`, the workflow is transparent: the **clean filter** encrypts `.md` files when they're staged (`git add`), and the **smudge filter** decrypts them on checkout. You always see plaintext in your working directory. The custom diff driver shows plaintext diffs of encrypted content.
 
 ## Library
 

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5 } from "fs";
 
 // src/crypto/encrypt.ts
 import { hmac as hmac3 } from "@noble/hashes/hmac";
@@ -436,15 +436,70 @@ ${chunkLines.join("\n")}`;
   }
 }
 
+// src/git/diff-driver.ts
+import { execFileSync } from "child_process";
+import { mkdtempSync, rmSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+async function diffDriverCommand(args) {
+  const [path, oldFile, oldHex, , newFile, newHex] = args;
+  if (!path || !oldFile || !newFile) {
+    process.stderr.write("mdenc diff-driver: insufficient arguments\n");
+    process.exit(1);
+  }
+  const oldEnc = catBlob(oldHex);
+  const newEnc = catBlob(newHex);
+  if (oldEnc !== null || newEnc !== null) {
+    const tmp = mkdtempSync(join(tmpdir(), "mdenc-diff-"));
+    try {
+      const oldTmp = join(tmp, "old");
+      const newTmp = join(tmp, "new");
+      writeFileSync(oldTmp, oldEnc ?? "");
+      writeFileSync(newTmp, newEnc ?? "");
+      const encDiff = unifiedDiff(oldTmp, newTmp, `a/${path}`, `b/${path}`);
+      if (encDiff) process.stdout.write(encDiff);
+    } finally {
+      rmSync(tmp, { recursive: true });
+    }
+  }
+  const plainDiff = unifiedDiff(oldFile, newFile, `a/${path}`, `b/${path}`);
+  if (plainDiff) {
+    const annotated = plainDiff.replace(
+      /^(@@ .+ @@)(.*)/gm,
+      "$1 decrypted \u2014 not stored in repository"
+    );
+    process.stdout.write(annotated);
+  }
+}
+function catBlob(hex) {
+  if (!hex || hex === "." || /^0+$/.test(hex)) return null;
+  try {
+    return execFileSync("git", ["cat-file", "blob", hex], { encoding: "utf-8" });
+  } catch {
+    return null;
+  }
+}
+function unifiedDiff(oldFile, newFile, oldLabel, newLabel) {
+  try {
+    return execFileSync("diff", ["-u", "--label", oldLabel, "--label", newLabel, oldFile, newFile], {
+      encoding: "utf-8"
+    }) || null;
+  } catch (e) {
+    const err = e;
+    if (err.status === 1 && err.stdout) return err.stdout;
+    return null;
+  }
+}
+
 // src/git/password.ts
 import { readFileSync } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 var PASSWORD_FILE = ".mdenc-password";
 function resolvePassword(repoRoot) {
   const envPassword = process.env["MDENC_PASSWORD"];
   if (envPassword) return envPassword;
   try {
-    const content = readFileSync(join(repoRoot, PASSWORD_FILE), "utf-8").trim();
+    const content = readFileSync(join2(repoRoot, PASSWORD_FILE), "utf-8").trim();
     if (content.length > 0) return content;
   } catch {
   }
@@ -452,14 +507,14 @@ function resolvePassword(repoRoot) {
 }
 
 // src/git/utils.ts
-import { execFileSync } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 import { readdirSync, statSync } from "fs";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 var SKIP_DIRS = /* @__PURE__ */ new Set([".git", "node_modules", ".hg", ".svn"]);
 var MARKER_FILE = ".mdenc.conf";
 function findGitRoot() {
   try {
-    return execFileSync("git", ["rev-parse", "--show-toplevel"], {
+    return execFileSync2("git", ["rev-parse", "--show-toplevel"], {
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
@@ -469,7 +524,7 @@ function findGitRoot() {
 }
 function gitShow(repoRoot, ref, path) {
   try {
-    return execFileSync("git", ["show", `${ref}:${path}`], {
+    return execFileSync2("git", ["show", `${ref}:${path}`], {
       cwd: repoRoot,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -495,7 +550,7 @@ function walkForMarker(dir, results) {
   }
   for (const entry of entries) {
     if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
-    const full = join2(dir, entry);
+    const full = join3(dir, entry);
     try {
       if (statSync(full).isDirectory()) {
         walkForMarker(full, results);
@@ -506,14 +561,14 @@ function walkForMarker(dir, results) {
 }
 function getMdFilesInDir(dir) {
   try {
-    return readdirSync(dir).filter((f) => f.endsWith(".md") && statSync(join2(dir, f)).isFile());
+    return readdirSync(dir).filter((f) => f.endsWith(".md") && statSync(join3(dir, f)).isFile());
   } catch {
     return [];
   }
 }
 function gitAdd(repoRoot, files) {
   if (files.length === 0) return;
-  execFileSync("git", ["add", "--", ...files], {
+  execFileSync2("git", ["add", "--", ...files], {
     cwd: repoRoot,
     stdio: ["pipe", "pipe", "pipe"]
   });
@@ -712,6 +767,7 @@ async function filterProcessMain() {
       writeFlush();
       writeBinaryPktLines(resultBuf);
       writeFlush();
+      writeFlush();
     } catch (err) {
       process.stderr.write(
         `mdenc: filter error for ${pathname}: ${err instanceof Error ? err.message : err}
@@ -725,54 +781,54 @@ async function filterProcessMain() {
 }
 
 // src/git/genpass.ts
-import { existsSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { join as join3 } from "path";
+import { existsSync, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { join as join4 } from "path";
 import { randomBytes as randomBytes2 } from "@noble/ciphers/webcrypto";
 var PASSWORD_FILE2 = ".mdenc-password";
 function genpassCommand(force) {
   const repoRoot = findGitRoot();
-  const passwordPath = join3(repoRoot, PASSWORD_FILE2);
+  const passwordPath = join4(repoRoot, PASSWORD_FILE2);
   if (existsSync(passwordPath) && !force) {
     console.error(`${PASSWORD_FILE2} already exists. Use --force to overwrite.`);
     process.exit(1);
   }
   const password = Buffer.from(randomBytes2(32)).toString("base64url");
-  writeFileSync(passwordPath, `${password}
+  writeFileSync2(passwordPath, `${password}
 `, { mode: 384 });
   console.error(`Generated password and wrote to ${PASSWORD_FILE2}`);
   console.error(password);
-  const gitignorePath = join3(repoRoot, ".gitignore");
+  const gitignorePath = join4(repoRoot, ".gitignore");
   const entry = PASSWORD_FILE2;
   if (existsSync(gitignorePath)) {
     const content = readFileSync2(gitignorePath, "utf-8");
     const lines = content.split("\n").map((l) => l.trim());
     if (!lines.includes(entry)) {
-      writeFileSync(gitignorePath, `${content.trimEnd()}
+      writeFileSync2(gitignorePath, `${content.trimEnd()}
 ${entry}
 `);
       console.error("Added .mdenc-password to .gitignore");
     }
   } else {
-    writeFileSync(gitignorePath, `${entry}
+    writeFileSync2(gitignorePath, `${entry}
 `);
     console.error("Created .gitignore with .mdenc-password");
   }
 }
 
 // src/git/init.ts
-import { execFileSync as execFileSync2 } from "child_process";
-import { existsSync as existsSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join4 } from "path";
+import { execFileSync as execFileSync3 } from "child_process";
+import { existsSync as existsSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { join as join5 } from "path";
 var FILTER_CONFIGS = [
   ["filter.mdenc.process", "mdenc filter-process"],
   ["filter.mdenc.clean", "mdenc filter-clean %f"],
   ["filter.mdenc.smudge", "mdenc filter-smudge %f"],
   ["filter.mdenc.required", "true"],
-  ["diff.mdenc.textconv", "mdenc textconv"]
+  ["diff.mdenc.command", "mdenc diff-driver"]
 ];
 function configureGitFilter(repoRoot) {
   for (const [key, value] of FILTER_CONFIGS) {
-    execFileSync2("git", ["config", "--local", key, value], {
+    execFileSync3("git", ["config", "--local", key, value], {
       cwd: repoRoot,
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -780,7 +836,7 @@ function configureGitFilter(repoRoot) {
 }
 function isFilterConfigured(repoRoot) {
   try {
-    const val = execFileSync2("git", ["config", "--get", "filter.mdenc.process"], {
+    const val = execFileSync3("git", ["config", "--get", "filter.mdenc.process"], {
       cwd: repoRoot,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -798,13 +854,13 @@ async function initCommand() {
     configureGitFilter(repoRoot);
     console.log("Configured git filter (filter.mdenc + diff.mdenc)");
   }
-  const gitignorePath = join4(repoRoot, ".gitignore");
+  const gitignorePath = join5(repoRoot, ".gitignore");
   const entry = ".mdenc-password";
   if (existsSync2(gitignorePath)) {
     const content = readFileSync3(gitignorePath, "utf-8");
     const lines = content.split("\n").map((l) => l.trim());
     if (!lines.includes(entry)) {
-      writeFileSync2(gitignorePath, `${content.trimEnd()}
+      writeFileSync3(gitignorePath, `${content.trimEnd()}
 ${entry}
 `);
       console.log("Added .mdenc-password to .gitignore");
@@ -812,7 +868,7 @@ ${entry}
       console.log(".mdenc-password already in .gitignore (skipped)");
     }
   } else {
-    writeFileSync2(gitignorePath, `${entry}
+    writeFileSync3(gitignorePath, `${entry}
 `);
     console.log("Created .gitignore with .mdenc-password");
   }
@@ -822,7 +878,7 @@ ${entry}
     for (const dir of markedDirs) {
       const relDir = relative3(repoRoot, dir) || ".";
       try {
-        execFileSync2("git", ["checkout", "HEAD", "--", `${relDir}/*.md`], {
+        execFileSync3("git", ["checkout", "HEAD", "--", `${relDir}/*.md`], {
           cwd: repoRoot,
           stdio: ["pipe", "pipe", "pipe"]
         });
@@ -836,7 +892,7 @@ function removeFilterCommand() {
   const repoRoot = findGitRoot();
   for (const section of ["filter.mdenc", "diff.mdenc"]) {
     try {
-      execFileSync2("git", ["config", "--local", "--remove-section", section], {
+      execFileSync3("git", ["config", "--local", "--remove-section", section], {
         cwd: repoRoot,
         stdio: ["pipe", "pipe", "pipe"]
       });
@@ -847,15 +903,15 @@ function removeFilterCommand() {
 }
 
 // src/git/mark.ts
-import { execFileSync as execFileSync3 } from "child_process";
-import { existsSync as existsSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
-import { join as join5, relative, resolve } from "path";
+import { execFileSync as execFileSync4 } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { join as join6, relative, resolve } from "path";
 var MARKER_FILE2 = ".mdenc.conf";
 var MARKER_CONTENT = "# mdenc: .md files in this directory are automatically encrypted\n";
 var GITATTR_PATTERN = "*.md filter=mdenc diff=mdenc";
 function isFilterConfigured2(repoRoot) {
   try {
-    const val = execFileSync3("git", ["config", "--get", "filter.mdenc.process"], {
+    const val = execFileSync4("git", ["config", "--get", "filter.mdenc.process"], {
       cwd: repoRoot,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -905,26 +961,26 @@ function markCommand(dirArg) {
   }
   const relDir = rel || ".";
   const filterReady = isFilterConfigured2(repoRoot);
-  const confPath = join5(dir, MARKER_FILE2);
+  const confPath = join6(dir, MARKER_FILE2);
   if (!existsSync3(confPath)) {
-    writeFileSync3(confPath, MARKER_CONTENT);
+    writeFileSync4(confPath, MARKER_CONTENT);
     console.log(`Created ${relDir}/${MARKER_FILE2}`);
   } else {
     console.log(`${relDir}/${MARKER_FILE2} already exists (skipped)`);
   }
-  const gitattrsPath = join5(dir, ".gitattributes");
+  const gitattrsPath = join6(dir, ".gitattributes");
   if (existsSync3(gitattrsPath)) {
     const content = readFileSync4(gitattrsPath, "utf-8");
     if (content.includes("filter=mdenc")) {
       console.log(`${relDir}/.gitattributes already has filter=mdenc (skipped)`);
     } else {
-      writeFileSync3(gitattrsPath, `${content.trimEnd()}
+      writeFileSync4(gitattrsPath, `${content.trimEnd()}
 ${GITATTR_PATTERN}
 `);
       console.log(`Updated ${relDir}/.gitattributes`);
     }
   } else {
-    writeFileSync3(gitattrsPath, `${GITATTR_PATTERN}
+    writeFileSync4(gitattrsPath, `${GITATTR_PATTERN}
 `);
     console.log(`Created ${relDir}/.gitattributes`);
   }
@@ -938,13 +994,13 @@ Warning: git filter not configured yet. Run "mdenc init" to enable encryption.`)
 }
 
 // src/git/status.ts
-import { execFileSync as execFileSync4 } from "child_process";
+import { execFileSync as execFileSync5 } from "child_process";
 import { existsSync as existsSync4, readFileSync as readFileSync5 } from "fs";
-import { join as join6, relative as relative2 } from "path";
+import { join as join7, relative as relative2 } from "path";
 function getFilterConfig(repoRoot) {
   const get = (key) => {
     try {
-      return execFileSync4("git", ["config", "--get", key], {
+      return execFileSync5("git", ["config", "--get", key], {
         cwd: repoRoot,
         encoding: "utf-8",
         stdio: ["pipe", "pipe", "pipe"]
@@ -957,8 +1013,7 @@ function getFilterConfig(repoRoot) {
     process: get("filter.mdenc.process"),
     clean: get("filter.mdenc.clean"),
     smudge: get("filter.mdenc.smudge"),
-    required: get("filter.mdenc.required") === "true",
-    textconv: get("diff.mdenc.textconv")
+    required: get("filter.mdenc.required") === "true"
   };
 }
 function statusCommand() {
@@ -975,7 +1030,7 @@ function statusCommand() {
       console.log(`  ${relDir}/`);
       const mdFiles = getMdFilesInDir(dir);
       for (const f of mdFiles) {
-        const content = readFileSync5(join6(dir, f), "utf-8");
+        const content = readFileSync5(join7(dir, f), "utf-8");
         if (content.startsWith("mdenc:v1")) {
           console.log(`    ${f}  [encrypted \u2014 needs smudge]`);
         } else {
@@ -985,7 +1040,7 @@ function statusCommand() {
       if (mdFiles.length === 0) {
         console.log("    (no .md files)");
       }
-      const gitattrsPath = join6(dir, ".gitattributes");
+      const gitattrsPath = join7(dir, ".gitattributes");
       if (!existsSync4(gitattrsPath)) {
         console.log("    WARNING: no .gitattributes in this directory");
       } else {
@@ -1106,8 +1161,7 @@ async function getPasswordWithConfirmation() {
   }
   return password;
 }
-function usage() {
-  console.error(`Usage:
+var USAGE = `Usage:
   mdenc encrypt <file> [-o output]    Encrypt a markdown file
   mdenc decrypt <file> [-o output]    Decrypt an mdenc file
   mdenc verify <file>                 Verify file integrity
@@ -1123,13 +1177,23 @@ Internal (called by git):
   mdenc filter-process                Long-running filter process
   mdenc filter-clean <path>           Single-file clean filter
   mdenc filter-smudge <path>          Single-file smudge filter
-  mdenc textconv <file>               Output plaintext for git diff`);
-  process.exit(1);
+  mdenc textconv <file>               Output plaintext for git diff
+  mdenc diff-driver <path> ...        Custom diff driver (encrypted + plaintext)`;
+function usage(exitCode = 1) {
+  console.error(USAGE);
+  process.exit(exitCode);
 }
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0) usage();
   const command = args[0];
+  if (command === "--help" || command === "-h") usage(0);
+  if (command === "--version" || command === "-v") {
+    const pkgPath = new URL("../package.json", import.meta.url);
+    const pkg = JSON.parse(readFileSync7(pkgPath, "utf-8"));
+    console.log(pkg.version);
+    return;
+  }
   try {
     switch (command) {
       case "encrypt": {
@@ -1141,7 +1205,7 @@ async function main() {
         const plaintext = readFileSync7(inputFile, "utf-8");
         const encrypted = await encrypt(plaintext, password);
         if (outputFile) {
-          writeFileSync4(outputFile, encrypted);
+          writeFileSync5(outputFile, encrypted);
         } else {
           process.stdout.write(encrypted);
         }
@@ -1156,7 +1220,7 @@ async function main() {
         const fileContent = readFileSync7(inputFile, "utf-8");
         const decrypted = await decrypt(fileContent, password);
         if (outputFile) {
-          writeFileSync4(outputFile, decrypted);
+          writeFileSync5(outputFile, decrypted);
         } else {
           process.stdout.write(decrypted);
         }
@@ -1207,6 +1271,9 @@ async function main() {
       case "filter-smudge":
         await simpleSmudgeFilter();
         break;
+      case "diff-driver":
+        await diffDriverCommand(args.slice(1));
+        break;
       case "textconv":
         if (!args[1]) {
           console.error("Usage: mdenc textconv <file>");