memoir-cli 3.1.1 → 3.2.0

package/src/security/encryption.js

@@ -1,7 +1,10 @@
 import crypto from 'crypto';
+import { promisify } from 'util';
 import fs from 'fs-extra';
 import path from 'path';
 
+const scryptAsync = promisify(crypto.scrypt);
+
 // --- Constants ---
 const ALGORITHM = 'aes-256-gcm';
 const IV_LENGTH = 12;          // 96 bits, recommended for GCM
@@ -14,11 +17,11 @@ const MAGIC = Buffer.from('MEMOIR01');  // 8-byte header for format versioning
 // --- Key Derivation ---
 
 /**
- * Derive a 256-bit key from a passphrase using scrypt.
+ * Derive a 256-bit key from a passphrase using scrypt (async, non-blocking).
  */
-export function deriveKey(passphrase, salt = null) {
+export async function deriveKey(passphrase, salt = null) {
   if (!salt) salt = crypto.randomBytes(SALT_LENGTH);
-  const key = crypto.scryptSync(passphrase, salt, KEY_LENGTH, {
+  const key = await scryptAsync(passphrase, salt, KEY_LENGTH, {
     N: SCRYPT_COST,
     r: 8,
     p: 1,
@@ -32,8 +35,8 @@ export function deriveKey(passphrase, salt = null) {
  * Encrypt a buffer with AES-256-GCM.
  * Output format: MEMOIR01 | salt (32) | iv (12) | authTag (16) | ciphertext
  */
-export function encryptBuffer(plaintext, passphrase) {
-  const { key, salt } = deriveKey(passphrase);
+export async function encryptBuffer(plaintext, passphrase) {
+  const { key, salt } = await deriveKey(passphrase);
   const iv = crypto.randomBytes(IV_LENGTH);
 
   const cipher = crypto.createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
@@ -46,7 +49,7 @@ export function encryptBuffer(plaintext, passphrase) {
 /**
  * Decrypt a buffer. Throws on wrong passphrase or tampered data.
  */
-export function decryptBuffer(data, passphrase) {
+export async function decryptBuffer(data, passphrase) {
   const magic = data.subarray(0, 8);
   if (!magic.equals(MAGIC)) {
     throw new Error('Not a memoir-encrypted file (bad header)');
@@ -58,7 +61,7 @@ export function decryptBuffer(data, passphrase) {
   const tag = data.subarray(offset, offset + TAG_LENGTH);         offset += TAG_LENGTH;
   const ciphertext = data.subarray(offset);
 
-  const { key } = deriveKey(passphrase, salt);
+  const { key } = await deriveKey(passphrase, salt);
 
   const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
   decipher.setAuthTag(tag);
@@ -72,76 +75,116 @@ export function decryptBuffer(data, passphrase) {
  * Encrypt all files in srcDir → destDir.
  * File names are HMAC-hashed (hidden). Manifest maps hashes → real paths.
  */
-export async function encryptDirectory(srcDir, destDir, passphrase) {
-  const { key, salt } = deriveKey(passphrase);
+export async function encryptDirectory(srcDir, destDir, passphrase, spinner = null) {
+  const startTime = Date.now();
+
+  // Phase 1: Derive encryption key
+  if (spinner) spinner.text = 'Deriving encryption key (scrypt)...';
+  const { key, salt } = await deriveKey(passphrase);
+
   const dataDir = path.join(destDir, 'data');
   await fs.ensureDir(dataDir);
 
-  const manifest = {};
-  let count = 0;
-
-  async function walk(dir, relBase = '') {
+  // Phase 2: Index files
+  if (spinner) spinner.text = 'Indexing files...';
+  const fileList = [];
+  async function index(dir, relBase = '') {
     const entries = await fs.readdir(dir, { withFileTypes: true });
     for (const entry of entries) {
       const fullPath = path.join(dir, entry.name);
       const relPath = path.join(relBase, entry.name);
       if (entry.isDirectory()) {
-        await walk(fullPath, relPath);
+        await index(fullPath, relPath);
       } else {
-        // Hash filename so it's opaque
-        const hashedName = crypto
-          .createHmac('sha256', key)
-          .update(relPath)
-          .digest('hex')
-          .slice(0, 24);
-
-        const plaintext = await fs.readFile(fullPath);
-        const iv = crypto.randomBytes(IV_LENGTH);
-        const cipher = crypto.createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
-        const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-        const tag = cipher.getAuthTag();
-
-        // Write: iv | tag | ciphertext (salt shared via manifest file)
-        await fs.writeFile(
-          path.join(dataDir, `${hashedName}.enc`),
-          Buffer.concat([iv, tag, encrypted])
-        );
-
-        manifest[hashedName] = relPath;
-        count++;
+        const stat = await fs.stat(fullPath);
+        fileList.push({ fullPath, relPath, size: stat.size });
       }
     }
   }
+  await index(srcDir);
+
+  const totalFiles = fileList.length;
+  const totalBytes = fileList.reduce((sum, f) => sum + f.size, 0);
+
+  // Phase 3: Encrypt files
+  const manifest = {};
+  let count = 0;
+  let bytesProcessed = 0;
+
+  for (const { fullPath, relPath, size } of fileList) {
+    const hashedName = crypto
+      .createHmac('sha256', key)
+      .update(relPath)
+      .digest('hex')
+      .slice(0, 24);
+
+    const plaintext = await fs.readFile(fullPath);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    await fs.writeFile(
+      path.join(dataDir, `${hashedName}.enc`),
+      Buffer.concat([iv, tag, encrypted])
+    );
+
+    manifest[hashedName] = relPath;
+    count++;
+    bytesProcessed += size;
 
-  await walk(srcDir);
+    if (spinner) {
+      const pct = Math.round((count / totalFiles) * 100);
+      const sizeStr = formatBytes(bytesProcessed);
+      const totalStr = formatBytes(totalBytes);
+      spinner.text = `Encrypting (AES-256-GCM) ${count}/${totalFiles} files — ${sizeStr}/${totalStr} [${pct}%]`;
+    }
+  }
 
-  // Encrypt the manifest (it contains real file names)
+  // Phase 4: Encrypt manifest
+  if (spinner) spinner.text = 'Encrypting file manifest...';
   const manifestJson = Buffer.from(JSON.stringify(manifest));
-  const manifestEncrypted = encryptBuffer(manifestJson, passphrase);
+  const manifestEncrypted = await encryptBuffer(manifestJson, passphrase);
   await fs.writeFile(path.join(destDir, 'manifest.enc'), manifestEncrypted);
 
   // Salt is not secret — store it so decrypt can re-derive the same key
   await fs.writeFile(path.join(destDir, 'salt'), salt);
 
+  const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+  if (spinner) spinner.text = `Encrypted ${count} files (${formatBytes(totalBytes)}) in ${elapsed}s`;
+
   return count;
 }
 
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
 /**
  * Decrypt an encrypted directory back to plaintext.
  */
-export async function decryptDirectory(encDir, destDir, passphrase) {
-  // Decrypt manifest first
+export async function decryptDirectory(encDir, destDir, passphrase, spinner = null) {
+  const startTime = Date.now();
+
+  // Phase 1: Decrypt manifest
+  if (spinner) spinner.text = 'Decrypting file manifest...';
   const manifestData = await fs.readFile(path.join(encDir, 'manifest.enc'));
-  const manifestJson = decryptBuffer(manifestData, passphrase);
+  const manifestJson = await decryptBuffer(manifestData, passphrase);
   const manifest = JSON.parse(manifestJson.toString('utf8'));
 
-  // Re-derive key with stored salt
+  // Phase 2: Derive key
+  if (spinner) spinner.text = 'Deriving decryption key (scrypt)...';
   const salt = await fs.readFile(path.join(encDir, 'salt'));
-  const { key } = deriveKey(passphrase, salt);
+  const { key } = await deriveKey(passphrase, salt);
 
   const dataDir = path.join(encDir, 'data');
+  const totalFiles = Object.keys(manifest).length;
   let count = 0;
+  let bytesProcessed = 0;
 
+  // Phase 3: Decrypt files
   for (const [hashedName, relPath] of Object.entries(manifest)) {
     const encFilePath = path.join(dataDir, `${hashedName}.enc`);
     if (!(await fs.pathExists(encFilePath))) continue;
@@ -159,8 +202,17 @@ export async function decryptDirectory(encDir, destDir, passphrase) {
     await fs.ensureDir(path.dirname(outPath));
     await fs.writeFile(outPath, decrypted);
     count++;
+    bytesProcessed += decrypted.length;
+
+    if (spinner) {
+      const pct = Math.round((count / totalFiles) * 100);
+      spinner.text = `Decrypting ${count}/${totalFiles} files — ${formatBytes(bytesProcessed)} [${pct}%]`;
+    }
   }
 
+  const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+  if (spinner) spinner.text = `Decrypted ${count} files (${formatBytes(bytesProcessed)}) in ${elapsed}s`;
+
   return count;
 }
 
@@ -168,13 +220,13 @@ export async function decryptDirectory(encDir, destDir, passphrase) {
  * Quick passphrase verification token — encrypt a known string,
  * try to decrypt it to check if passphrase is correct before decrypting everything.
  */
-export function createVerifyToken(passphrase) {
+export async function createVerifyToken(passphrase) {
   return encryptBuffer(Buffer.from('memoir-ok'), passphrase);
 }
 
-export function verifyPassphrase(token, passphrase) {
+export async function verifyPassphrase(token, passphrase) {
   try {
-    const result = decryptBuffer(token, passphrase);
+    const result = await decryptBuffer(token, passphrase);
     return result.toString('utf8') === 'memoir-ok';
   } catch {
     return false;

package/src/workspace/tracker.js

@@ -293,23 +293,23 @@ async function getProjectInfo(dir) {
     info.hasGit = true;
     try {
       const remote = execFileSync('git', ['remote', 'get-url', 'origin'], {
-        cwd: dir, stdio: ['pipe', 'pipe', 'ignore']
+        cwd: dir, stdio: ['pipe', 'pipe', 'ignore'], timeout: 5000
       }).toString().trim();
       info.gitRemote = remote;
     } catch {}
 
     try {
       info.branch = execFileSync('git', ['branch', '--show-current'], {
-        cwd: dir, stdio: ['pipe', 'pipe', 'ignore']
+        cwd: dir, stdio: ['pipe', 'pipe', 'ignore'], timeout: 5000
       }).toString().trim();
     } catch {}
 
     try {
       info.lastCommit = execFileSync('git', ['log', '-1', '--format=%H'], {
-        cwd: dir, stdio: ['pipe', 'pipe', 'ignore']
+        cwd: dir, stdio: ['pipe', 'pipe', 'ignore'], timeout: 5000
       }).toString().trim();
       info.lastCommitMessage = execFileSync('git', ['log', '-1', '--format=%s'], {
-        cwd: dir, stdio: ['pipe', 'pipe', 'ignore']
+        cwd: dir, stdio: ['pipe', 'pipe', 'ignore'], timeout: 5000
       }).toString().trim();
     } catch {}