oopsdb 1.0.0 → 1.2.0

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 OopsDB Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 OopsDB Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,108 +1,113 @@
-# OopsDB
-
-**Don't let AI nuke your database.**
-
-Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.
-
----
-
-## The Problem
-
-You're vibing. Claude Code is cranking through tasks. Then it decides the fastest way to fix a migration is `DROP TABLE users`. Or it runs `DELETE FROM orders` without a `WHERE` clause. Or it helpfully "cleans up" your SQLite file.
-
-Your data is gone. Your afternoon is gone. Your will to live is negotiable.
-
-## The Fix
-
-```bash
-npm install -g oopsdb
-oopsdb init      # connect your DB (Supabase, Postgres, MySQL, SQLite)
-oopsdb watch     # auto-backup every 5 min
-# ... AI nukes your DB ...
-oopsdb restore   # pick a snapshot, roll back instantly
-```
-
-That's it. Three commands. Your data survives the AI apocalypse.
-
-## What It Does
-
-- **Auto-backups** on a timer (`oopsdb watch`) — set it and forget it
-- **Manual snapshots** (`oopsdb snapshot`) — before risky migrations or YOLO prompts
-- **Interactive restore** (`oopsdb restore`) — pick any snapshot, roll back in seconds
-- **Safety snapshots** — automatically backs up your current state before restoring, so you can't oops your oops
-- **Encrypted at rest** — AES-256-CBC encryption on every backup file
-- **Zero cloud, zero accounts** — everything stays on your machine
-- **Streaming backups** — near-zero memory footprint regardless of DB size
-
-## Supported Databases
-
-| Database | Backup Tool | Restore Tool |
-|----------|------------|--------------|
-| **Supabase** | `pg_dump` (with Supabase flags) | `psql` |
-| PostgreSQL (Neon, local, other hosted) | `pg_dump` | `psql` |
-| MySQL / MariaDB | `mysqldump` | `mysql` |
-| SQLite | `sqlite3` | `sqlite3` |
-
-### Supabase (first-class support)
-
-OopsDB has dedicated Supabase support. Just paste your connection string:
-
-```bash
-oopsdb init
-# → Select "Supabase"
-# → Paste your connection string from Supabase Dashboard → Settings → Database
-# → Done. SSL and Supabase-specific pg_dump flags are handled automatically.
-```
-
-Supabase-specific flags applied automatically: `--no-owner`, `--no-privileges`, `--no-subscriptions`, `sslmode=require`.
-
-## Commands
-
-```
-oopsdb init                Set up your database connection
-oopsdb watch               Auto-backup every 5 minutes
-oopsdb watch -i 1          Auto-backup every 1 minute (paranoid mode)
-oopsdb snapshot            One-time manual backup
-oopsdb restore             Interactive restore from any snapshot
-oopsdb status              View backup history and stats
-oopsdb activate <key>      Activate a Pro license
-oopsdb deactivate          Deactivate your license on this machine
-oopsdb license             Show current license status and plan
-oopsdb secure              Immutable cloud backups (Coming Soon)
-oopsdb clean               Remove all OopsDB data from project
-```
-
-## How It Works
-
-1. `oopsdb init` walks you through connecting your database. Credentials are encrypted and saved locally in `.oopsdb/config.json`.
-2. `oopsdb watch` runs the native dump tool (`pg_dump`, `mysqldump`, or `sqlite3 .backup`) at your chosen interval. Output is streamed through AES-256-CBC encryption directly to disk — memory usage stays flat even for large databases.
-3. `oopsdb restore` shows your snapshots with timestamps and sizes. Pick one, confirm, and your database is rolled back. It takes a safety snapshot first, so you can always undo the undo.
-
-## Requirements
-
-Your system needs the native database CLI tools:
-
-- **PostgreSQL**: `pg_dump` + `psql`
-- **MySQL**: `mysqldump` + `mysql`
-- **SQLite**: `sqlite3`
-
-OopsDB checks for these on `init` and gives install instructions if they're missing.
-
-## Security
-
-- Credentials encrypted at rest (AES-256-CBC, machine-local key)
-- Backup files encrypted at rest (AES-256-CBC, streaming encryption)
-- Nothing leaves your machine — no cloud, no telemetry, no accounts
-- Add `.oopsdb/` to `.gitignore` (already in ours)
-
-## Coming Soon: `oopsdb secure`
-
-Immutable cloud backups that even a rogue AI can't delete.
-
-Local backups are great until the AI decides to `rm -rf .oopsdb/`. `oopsdb secure` pushes encrypted snapshots to tamper-proof cloud storage with write-once retention policies. Even if your entire machine gets wiped, your backups survive.
-
-Sign up for early access at [oopsdb.com/secure](https://oopsdb.com/secure).
-
-## License
-
-MIT
+# OopsDB
+
+**Don't let AI nuke your database.**
+
+Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.
+
+---
+
+## The Problem
+
+You're vibing. Claude Code is cranking through tasks. Then it decides the fastest way to fix a migration is `DROP TABLE users`. Or it runs `DELETE FROM orders` without a `WHERE` clause. Or it helpfully "cleans up" your SQLite file.
+
+Your data is gone. Your afternoon is gone. Your will to live is negotiable.
+
+## The Fix
+
+```bash
+npm install -g oopsdb
+oopsdb init      # connect your DB (Supabase, Postgres, MySQL, SQLite)
+oopsdb watch     # auto-backup every 5 min
+# ... AI nukes your DB ...
+oopsdb restore   # pick a snapshot, roll back instantly
+```
+
+That's it. Three commands. Your data survives the AI apocalypse.
+
+## What It Does
+
+- **Auto-backups** on a timer (`oopsdb watch`) — set it and forget it
+- **Manual snapshots** (`oopsdb snapshot`) — before risky migrations or YOLO prompts
+- **Interactive restore** (`oopsdb restore`) — pick any snapshot, roll back in seconds
+- **Safety snapshots** — automatically backs up your current state before restoring, so you can't oops your oops
+- **Encrypted at rest** — AES-256-CBC encryption on every backup file
+- **Zero cloud, zero accounts** — everything stays on your machine
+- **Streaming backups** — near-zero memory footprint regardless of DB size
+
+## Supported Databases
+
+| Database | Backup Tool | Restore Tool |
+|----------|------------|--------------|
+| **Supabase** | `pg_dump` (with Supabase flags) | `psql` |
+| PostgreSQL (Neon, local, other hosted) | `pg_dump` | `psql` |
+| MySQL / MariaDB | `mysqldump` | `mysql` |
+| SQLite | `sqlite3` | `sqlite3` |
+
+### Supabase (first-class support)
+
+OopsDB has dedicated Supabase support. Just paste your connection string:
+
+```bash
+oopsdb init
+# → Select "Supabase"
+# → Paste your connection string from Supabase Dashboard → Settings → Database
+# → Done. SSL and Supabase-specific pg_dump flags are handled automatically.
+```
+
+Supabase-specific flags applied automatically: `--no-owner`, `--no-privileges`, `--no-subscriptions`, `sslmode=require`.
+
+## Commands
+
+```
+oopsdb init                Set up your database connection
+oopsdb watch               Auto-backup every 5 minutes
+oopsdb watch -i 1          Auto-backup every 1 minute (paranoid mode)
+oopsdb snapshot            One-time manual backup
+oopsdb restore             Interactive restore from any snapshot
+oopsdb status              View backup history and stats
+oopsdb secure              Immutable cloud backups (Coming Soon)
+oopsdb activate <key>      Activate a Secure license
+oopsdb deactivate          Deactivate your license on this machine
+oopsdb license             Show current license status
+oopsdb clean               Remove all OopsDB data from project
+```
+
+## How It Works
+
+1. `oopsdb init` walks you through connecting your database. Credentials are encrypted and saved locally in `.oopsdb/config.json`.
+2. `oopsdb watch` runs the native dump tool (`pg_dump`, `mysqldump`, or `sqlite3 .backup`) at your chosen interval. Output is streamed through AES-256-CBC encryption directly to disk — memory usage stays flat even for large databases.
+3. `oopsdb restore` shows your snapshots with timestamps and sizes. Pick one, confirm, and your database is rolled back. It takes a safety snapshot first, so you can always undo the undo.
+
+## Requirements
+
+Your system needs the native database CLI tools:
+
+- **PostgreSQL**: `pg_dump` + `psql`
+- **MySQL**: `mysqldump` + `mysql`
+- **SQLite**: `sqlite3`
+
+OopsDB checks for these on `init` and gives install instructions if they're missing.
+
+## Security
+
+- Credentials encrypted at rest (AES-256-CBC, machine-local key)
+- Backup files encrypted at rest (AES-256-CBC, streaming encryption)
+- Nothing leaves your machine — no cloud, no telemetry, no accounts
+- Add `.oopsdb/` to `.gitignore` (already in ours)
+
+## Pricing
+
+**Free** — Everything local. All databases, unlimited snapshots, encrypted backups. No limits, no accounts, no strings attached.
+
+**Secure** ($9/mo) — Immutable cloud backups that even a rogue AI can't delete. Local backups are great until the AI decides to `rm -rf .oopsdb/`. `oopsdb secure` pushes encrypted snapshots to tamper-proof cloud storage with write-once retention policies. Even if your entire machine gets wiped, your backups survive.
+
+Learn more at [oopsdb.com](https://oopsdb.com).
+
+## Support
+
+If OopsDB saved your database (and your afternoon), consider buying me a coffee!
+[ko-fi.com/pintayo](https://ko-fi.com/pintayo)
+
+## License
+
+MIT

package/dist/commands/activate.js

@@ -26,18 +26,12 @@ async function activateCommand(licenseKey) {
             console.log(chalk_1.default.gray('  Email: ') + chalk_1.default.cyan(license.customerEmail));
         }
         console.log(chalk_1.default.gray('  Variant: ') + chalk_1.default.cyan(license.variantName || license.tier));
-        if (license.tier === 'pro') {
+        if (license.tier === 'secure') {
             console.log(chalk_1.default.gray('\n  You now have access to:'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('PostgreSQL backups'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('MySQL / MariaDB backups'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Supabase backups'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Unlimited snapshots'));
-        }
-        else if (license.tier === 'secure') {
-            console.log(chalk_1.default.gray('\n  You now have access to:'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Everything in Pro'));
             console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Immutable cloud backups'));
-            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Write-once retention'));
+            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('E2E encrypted cloud storage'));
+            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('30-day retention'));
+            console.log(chalk_1.default.cyan('    ✓ ') + chalk_1.default.white('Restorable from any machine'));
         }
         console.log(chalk_1.default.gray('\n  Next: ') + chalk_1.default.cyan('oopsdb init') + chalk_1.default.gray(' to set up your database\n'));
     }
@@ -59,7 +53,7 @@ async function deactivateCommand() {
     try {
         await (0, license_1.deactivateLicense)();
         spinner.succeed('License deactivated');
-        console.log(chalk_1.default.gray('\n  You\'re back on the Free plan (SQLite only).'));
+        console.log(chalk_1.default.gray('\n  Secure license deactivated. Local backups still work — they\'re free forever.'));
         console.log(chalk_1.default.gray('  You can re-activate anytime with: ') + chalk_1.default.cyan('oopsdb activate <key>\n'));
     }
     catch (err) {
@@ -71,9 +65,8 @@ async function licenseStatusCommand() {
     const license = (0, license_1.loadLicense)();
     console.log(chalk_1.default.bold('\n  OopsDB — License Status\n'));
     if (!license) {
-        console.log(chalk_1.default.gray('  Plan:   ') + chalk_1.default.white('Free'));
-        console.log(chalk_1.default.gray('  Access: ') + chalk_1.default.white('SQLite only'));
-        console.log(chalk_1.default.gray('\n  Upgrade: ') + chalk_1.default.cyan('https://oopsdb.com') + chalk_1.default.gray(' → then run ') + chalk_1.default.cyan('oopsdb activate <key>\n'));
+        console.log(chalk_1.default.gray('  Plan:   ') + chalk_1.default.white('Free (all local features)'));
+        console.log(chalk_1.default.gray('\n  Want cloud backups? ') + chalk_1.default.cyan('https://oopsdb.com') + chalk_1.default.gray(' → then run ') + chalk_1.default.cyan('oopsdb activate <key>\n'));
         return;
     }
     console.log(chalk_1.default.gray('  Plan:      ') + chalk_1.default.green(license.tier.toUpperCase()));

package/dist/commands/init.d.ts

@@ -1 +1,3 @@
-export declare function initCommand(): Promise<void>;
+export declare function initCommand(options?: {
+    recovery?: string;
+}): Promise<void>;

package/dist/commands/init.js

@@ -45,8 +45,7 @@ const ora_1 = __importDefault(require("ora"));
 const config_1 = require("../utils/config");
 const dumper_1 = require("../utils/dumper");
 const preflight_1 = require("../utils/preflight");
-const license_1 = require("../utils/license");
-async function initCommand() {
+async function initCommand(options = {}) {
     console.log(chalk_1.default.bold('\n  OopsDB Setup\n'));
     console.log(chalk_1.default.gray('  Protect your database from AI-powered disasters.\n'));
     const existing = (0, config_1.loadConfig)();
@@ -77,19 +76,6 @@ async function initCommand() {
             ],
         },
     ]);
-    // Check license for non-SQLite databases
-    if ((0, license_1.requiresLicense)(dbType)) {
-        const tier = (0, license_1.getCurrentTier)();
-        if (tier === 'free') {
-            console.log(chalk_1.default.yellow('\n  ⚠  ' + dbType.charAt(0).toUpperCase() + dbType.slice(1) + ' requires a Pro or Secure license.\n'));
-            console.log(chalk_1.default.white('  Free plan supports SQLite only.'));
-            console.log(chalk_1.default.gray('\n  To upgrade:'));
-            console.log(chalk_1.default.cyan('    1. ') + chalk_1.default.white('Get a license at ') + chalk_1.default.cyan('https://oopsdb.com'));
-            console.log(chalk_1.default.cyan('    2. ') + chalk_1.default.white('Run: ') + chalk_1.default.cyan('oopsdb activate <your-license-key>'));
-            console.log(chalk_1.default.cyan('    3. ') + chalk_1.default.white('Run: ') + chalk_1.default.cyan('oopsdb init') + chalk_1.default.gray(' again\n'));
-            return;
-        }
-    }
     // Supabase and plain Postgres both use pg_dump/psql
     const toolType = dbType === 'supabase' ? 'postgres' : dbType;
     // Pre-flight: check that the required DB tools are installed
@@ -169,12 +155,36 @@ async function initCommand() {
             database: answers.database,
         };
     }
+    // Handle Master Key & Recovery
+    const isRecovery = !!options.recovery;
+    const masterKey = options.recovery || (0, config_1.generateMasterKey)();
     const config = {
         db: dbConfig,
         createdAt: new Date().toISOString(),
+        masterKey,
     };
     (0, config_1.saveConfig)(config);
-    console.log(chalk_1.default.green('\n  Config saved to .oopsdb/config.json (encrypted)\n'));
+    console.log(chalk_1.default.green('\n  Config saved to .oopsdb/config.json (encrypted local block)\n'));
+    // If this is a new setup, force them to look at the master key
+    if (!isRecovery) {
+        console.log(chalk_1.default.bgRed.white.bold('\n  CRITICAL SECURITY STEP: SAVE YOUR MASTER KEY  '));
+        console.log(chalk_1.default.red('  If an AI deletes your project folder or you switch devices,'));
+        console.log(chalk_1.default.red('  this is the ONLY WAY to decrypt your cloud backups.'));
+        console.log(chalk_1.default.red('  Save it in 1Password or another password manager right now:\n'));
+        console.log(chalk_1.default.yellow.bold(`  ${masterKey}\n`));
+        await inquirer.prompt([
+            {
+                type: 'confirm',
+                name: 'keySaved',
+                message: 'I have securely saved my Master Key.',
+                default: false,
+                validate: (input) => input ? true : 'You must save the Master Key to continue.',
+            },
+        ]);
+    }
+    else {
+        console.log(chalk_1.default.blue.bold('\n  Recovery Mode Active: Master Key loaded from flag.\n'));
+    }
     const { takeSnapshot } = await inquirer.prompt([
         {
             type: 'confirm',

package/dist/commands/secure.js

@@ -1,18 +1,100 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.secureCommand = secureCommand;
 const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_1 = require("../utils/config");
+const dumper_1 = require("../utils/dumper");
 async function secureCommand(options) {
     console.log(chalk_1.default.bold('\n  OopsDB Secure'));
     console.log(chalk_1.default.gray('  Immutable cloud backups that even a rogue AI can\'t delete.\n'));
-    console.log(chalk_1.default.yellow('  Coming Soon!'));
-    console.log(chalk_1.default.white('  We are currently putting the finishing touches on our secure cloud backup infrastructure.'));
-    console.log(chalk_1.default.gray('  Follow us on GitHub for updates: ') + chalk_1.default.cyan('https://github.com/pintayo/oopsdb\n'));
+    const config = (0, config_1.loadConfig)();
+    if (!config) {
+        console.log(chalk_1.default.red('  No config found. Run `oopsdb init` first.\n'));
+        process.exit(1);
+        return; // Keeps TS happy
+    }
+    // Find the latest snapshot
+    const snapshots = (0, dumper_1.listSnapshots)();
+    if (snapshots.length === 0) {
+        console.log(chalk_1.default.red('  No snapshots found. Run `oopsdb snapshot` to create one.\n'));
+        return;
+    }
+    const latestFile = snapshots[0].file;
+    const fileName = path.basename(latestFile);
+    const fileSizeInBytes = fs.statSync(latestFile).size;
+    const fileSizeMB = (fileSizeInBytes / (1024 * 1024)).toFixed(2);
+    console.log(chalk_1.default.blue(`  Found latest snapshot: ${fileName} (${fileSizeMB} MB)`));
+    // Placeholder URL logic: In the future, this would fetch from the Cloudflare Pages backend
+    // e.g. const res = await fetch('https://oopsdb.com/api/upload-url', { ... });
+    const placeholderUploadUrl = 'https://example-bucket.s3.amazonaws.com/placeholder-url-for-mvp';
+    console.log(chalk_1.default.gray(`  Requesting secure upload token...\n`));
+    await uploadToS3(latestFile, placeholderUploadUrl);
 }
-// ─── Utilities ──────────────────────────────────────────────────────────────
-function delay(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+async function uploadToS3(filePath, uploadUrl) {
+    const size = fs.statSync(filePath).size;
+    const fileStream = fs.createReadStream(filePath);
+    const spinner = (0, ora_1.default)(`Uploading to S3 Cloud Vault...`).start();
+    try {
+        const response = await fetch(uploadUrl, {
+            method: 'PUT',
+            // @ts-ignore - needed for Node native fetch with streams
+            body: fileStream,
+            duplex: 'half',
+            headers: {
+                'Content-Length': size.toString()
+            }
+        });
+        if (!response.ok) {
+            spinner.fail(`Upload intercepted for MVP. The pre-signed URL must be provided by the backend.`);
+            console.log(chalk_1.default.yellow(`  Reason: ${response.status} ${response.statusText}\n`));
+            console.log(chalk_1.default.gray(`  (This is expected until the Cloudflare backend endpoint is reachable)\n`));
+        }
+        else {
+            spinner.succeed('Snapshot safely stored in immutable S3 Cloud Vault.');
+            console.log(chalk_1.default.green('\n  Done! Your database is now AI-proof.\n'));
+        }
+    }
+    catch (err) {
+        spinner.fail(`Upload failed: ${err.message}`);
+        console.log(chalk_1.default.gray(`  (Ensure the backend feature is fully implemented to receive a valid S3 URL)\n`));
+    }
 }

package/dist/commands/shield.d.ts

@@ -0,0 +1,3 @@
+export declare function shieldCommand(options: {
+    port?: string;
+}): Promise<void>;

package/dist/commands/shield.js

@@ -0,0 +1,113 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shieldCommand = shieldCommand;
+const net = __importStar(require("net"));
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const config_1 = require("../utils/config");
+const dumper_1 = require("../utils/dumper");
+async function shieldCommand(options) {
+    const config = (0, config_1.loadConfig)();
+    if (!config) {
+        console.log(chalk_1.default.red('\n  No config found. Run `oopsdb init` first.\n'));
+        process.exit(1);
+        return;
+    }
+    const proxyPort = parseInt(options.port || '5433', 10);
+    const targetPort = config.db.port || (config.db.type === 'postgres' ? 5432 : 3306);
+    const targetHost = config.db.host || 'localhost';
+    console.log(chalk_1.default.bold('\n  OopsDB Shield ' + chalk_1.default.green('ACTIVE')));
+    console.log(chalk_1.default.gray(`  Listening on port ${proxyPort} -> Forwarding to ${config.db.type} on ${targetPort}\n`));
+    const DESTRUCTIVE_REGEX = /(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM)/i;
+    const server = net.createServer((clientSocket) => {
+        const targetSocket = net.createConnection({
+            host: targetHost,
+            port: targetPort
+        });
+        targetSocket.on('error', (err) => {
+            console.log(chalk_1.default.red(`\n  Database connection error: ${err.message}`));
+            clientSocket.destroy(err);
+        });
+        clientSocket.on('error', (err) => {
+            targetSocket.destroy(err);
+        });
+        // Handle traffic from DB back to Client
+        targetSocket.pipe(clientSocket);
+        // Handle traffic from Client to DB (with interception)
+        clientSocket.on('data', async (chunk) => {
+            const dataString = chunk.toString();
+            if (DESTRUCTIVE_REGEX.test(dataString)) {
+                // Destructive command detected!
+                clientSocket.pause();
+                targetSocket.pause();
+                console.log(chalk_1.default.bgRed.white.bold('\n  WARNING  ') + chalk_1.default.red(' Destructive command intercepted!'));
+                console.log(chalk_1.default.gray(`  Command snippet: ${dataString.substring(0, 100).replace(/\n/g, ' ')}\n`));
+                const spinner = (0, ora_1.default)('Taking safety snapshot...').start();
+                try {
+                    await (0, dumper_1.createSnapshot)(config.db);
+                    spinner.succeed('Safety snapshot secured.');
+                }
+                catch (err) {
+                    spinner.fail(`Failed to take safety snapshot: ${err.message}`);
+                }
+                console.log(chalk_1.default.yellow('  Releasing command to database...\n'));
+                targetSocket.write(chunk);
+                targetSocket.resume();
+                clientSocket.resume();
+            }
+            else {
+                // Normal query, pass it through
+                targetSocket.write(chunk);
+            }
+        });
+        targetSocket.on('close', () => {
+            clientSocket.end();
+        });
+        clientSocket.on('close', () => {
+            targetSocket.end();
+        });
+    });
+    server.listen(proxyPort, () => {
+        // The server is now listening
+    });
+    server.on('error', (err) => {
+        console.log(chalk_1.default.red(`\n  Proxy server error: ${err.message}\n`));
+        process.exit(1);
+    });
+}

package/dist/index.js

@@ -10,6 +10,7 @@ const snapshot_1 = require("./commands/snapshot");
 const secure_1 = require("./commands/secure");
 const clean_1 = require("./commands/clean");
 const activate_1 = require("./commands/activate");
+const shield_1 = require("./commands/shield");
 // Read version from package.json at runtime
 const pkg = require('../package.json');
 const program = new commander_1.Command();
@@ -20,6 +21,7 @@ program
 program
     .command('init')
     .description('Set up database connection for backups')
+    .option('--recovery <key>', 'Recover configuration using a saved Master Key')
     .action(init_1.initCommand);
 program
     .command('watch')
@@ -38,6 +40,11 @@ program
     .command('status')
     .description('Show backup status and recent snapshots')
     .action(status_1.statusCommand);
+program
+    .command('shield')
+    .description('Start a database proxy interceptor that prevents destructive queries')
+    .option('-p, --port <port>', 'Proxy port', '5433')
+    .action(shield_1.shieldCommand);
 program
     .command('secure')
     .description('Immutable cloud backups — tamper-proof, AI-proof')
@@ -46,7 +53,7 @@ program
     .action(secure_1.secureCommand);
 program
     .command('activate <license-key>')
-    .description('Activate a Pro or Secure license key')
+    .description('Activate a Secure license key')
     .action(activate_1.activateCommand);
 program
     .command('deactivate')

package/dist/utils/config.d.ts

@@ -14,10 +14,12 @@ export interface DbConfig {
 export interface OopsConfig {
     db: DbConfig;
     createdAt: string;
+    masterKey: string;
 }
 export declare function ensureConfigDir(): void;
 export declare function saveConfig(config: OopsConfig): void;
 export declare function loadConfig(): OopsConfig | null;
 export declare function getBackupsDir(): string;
 export declare function getConfigDir(): string;
+export declare function generateMasterKey(): string;
 export declare function getEncryptionKey(): Buffer;

package/dist/utils/config.js

@@ -38,45 +38,54 @@ exports.saveConfig = saveConfig;
 exports.loadConfig = loadConfig;
 exports.getBackupsDir = getBackupsDir;
 exports.getConfigDir = getConfigDir;
+exports.generateMasterKey = generateMasterKey;
 exports.getEncryptionKey = getEncryptionKey;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const crypto = __importStar(require("crypto"));
-const CONFIG_DIR = path.join(process.cwd(), '.oopsdb');
-const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
-const BACKUPS_DIR = path.join(CONFIG_DIR, 'backups');
-// Simple encryption using a machine-local key derived from hostname + username
-const ENCRYPTION_KEY = crypto
+function getConfigDirPath() {
+    return path.join(process.cwd(), '.oopsdb');
+}
+function getConfigFilePath() {
+    return path.join(getConfigDirPath(), 'config.json');
+}
+function getBackupsDirPath() {
+    return path.join(getConfigDirPath(), 'backups');
+}
+// We encrypt the config file itself using a static machine-local key so that
+// rogue processes can't easily read the master key in plain text from the file system.
+// Note: This machineKey is NOT used for the database backups, only the config.json.
+const MACHINE_KEY = crypto
     .createHash('sha256')
-    .update(`oopsdb-${process.env.USER || 'default'}-${require('os').hostname()}`)
+    .update(`oopsdb-config-${process.env.USER || 'default'}-${require('os').hostname()}`)
     .digest();
-function encrypt(text) {
+function encryptConfig(text) {
     const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv('aes-256-cbc', ENCRYPTION_KEY, iv);
+    const cipher = crypto.createCipheriv('aes-256-cbc', MACHINE_KEY, iv);
     let encrypted = cipher.update(text, 'utf8', 'hex');
     encrypted += cipher.final('hex');
     return iv.toString('hex') + ':' + encrypted;
 }
-function decrypt(text) {
+function decryptConfig(text) {
     const [ivHex, encrypted] = text.split(':');
     const iv = Buffer.from(ivHex, 'hex');
-    const decipher = crypto.createDecipheriv('aes-256-cbc', ENCRYPTION_KEY, iv);
+    const decipher = crypto.createDecipheriv('aes-256-cbc', MACHINE_KEY, iv);
     let decrypted = decipher.update(encrypted, 'hex', 'utf8');
     decrypted += decipher.final('utf8');
     return decrypted;
 }
 function ensureConfigDir() {
     try {
-        if (!fs.existsSync(CONFIG_DIR)) {
-            fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        if (!fs.existsSync(getConfigDirPath())) {
+            fs.mkdirSync(getConfigDirPath(), { recursive: true });
         }
-        if (!fs.existsSync(BACKUPS_DIR)) {
-            fs.mkdirSync(BACKUPS_DIR, { recursive: true });
+        if (!fs.existsSync(getBackupsDirPath())) {
+            fs.mkdirSync(getBackupsDirPath(), { recursive: true });
         }
     }
     catch (err) {
         if (err.code === 'EACCES') {
-            throw new Error(`Permission denied creating ${CONFIG_DIR}. Check directory permissions.`);
+            throw new Error(`Permission denied creating ${getConfigDirPath()}. Check directory permissions.`);
         }
         if (err.code === 'ENOSPC') {
             throw new Error('Disk full. Free up space and try again.');
@@ -86,16 +95,16 @@ function ensureConfigDir() {
 }
 function saveConfig(config) {
     ensureConfigDir();
-    const encrypted = encrypt(JSON.stringify(config));
-    fs.writeFileSync(CONFIG_FILE, encrypted, 'utf8');
+    const encrypted = encryptConfig(JSON.stringify(config));
+    fs.writeFileSync(getConfigFilePath(), encrypted, 'utf8');
 }
 function loadConfig() {
-    if (!fs.existsSync(CONFIG_FILE)) {
+    if (!fs.existsSync(getConfigFilePath())) {
         return null;
     }
     try {
-        const encrypted = fs.readFileSync(CONFIG_FILE, 'utf8');
-        const decrypted = decrypt(encrypted);
+        const encrypted = fs.readFileSync(getConfigFilePath(), 'utf8');
+        const decrypted = decryptConfig(encrypted);
         return JSON.parse(decrypted);
     }
     catch {
@@ -104,11 +113,18 @@ function loadConfig() {
 }
 function getBackupsDir() {
     ensureConfigDir();
-    return BACKUPS_DIR;
+    return getBackupsDirPath();
 }
 function getConfigDir() {
-    return CONFIG_DIR;
+    return getConfigDirPath();
+}
+function generateMasterKey() {
+    return crypto.randomBytes(32).toString('hex');
 }
 function getEncryptionKey() {
-    return ENCRYPTION_KEY;
+    const config = loadConfig();
+    if (!config || !config.masterKey) {
+        throw new Error('No Master Key found. Please run `oopsdb init` to set up your keys.');
+    }
+    return Buffer.from(config.masterKey, 'hex');
 }

package/dist/utils/license.d.ts

@@ -1,4 +1,4 @@
-export type Tier = 'free' | 'pro' | 'secure';
+export type Tier = 'free' | 'secure';
 export interface LicenseInfo {
     licenseKey: string;
     instanceId: string;
@@ -11,7 +11,6 @@ export interface LicenseInfo {
 export declare function loadLicense(): LicenseInfo | null;
 export declare function removeLicense(): void;
 export declare function getCurrentTier(): Tier;
-export declare function requiresLicense(dbType: string): boolean;
 /**
  * Activate a license key with LemonSqueezy.
  * Returns the license info on success, throws on failure.

package/dist/utils/license.js

@@ -36,7 +36,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadLicense = loadLicense;
 exports.removeLicense = removeLicense;
 exports.getCurrentTier = getCurrentTier;
-exports.requiresLicense = requiresLicense;
 exports.activateLicense = activateLicense;
 exports.deactivateLicense = deactivateLicense;
 exports.validateLicense = validateLicense;
@@ -79,9 +78,6 @@ function getCurrentTier() {
         return 'free';
     return license.tier;
 }
-function requiresLicense(dbType) {
-    return dbType !== 'sqlite';
-}
 function getInstanceName() {
     return `${os.userInfo().username}@${os.hostname()}`;
 }
@@ -92,9 +88,7 @@ function tierFromVariant(variantName) {
     const lower = variantName.toLowerCase();
     if (lower.includes('secure'))
         return 'secure';
-    if (lower.includes('pro'))
-        return 'pro';
-    return 'pro'; // default paid tier
+    return 'secure'; // default paid tier
 }
 /**
  * Make a POST request to LemonSqueezy license API.

package/package.json

@@ -1,58 +1,68 @@
-{
-  "name": "oopsdb",
-  "version": "1.0.0",
-  "description": "Don't let AI nuke your database. Auto-backup and 1-click restore for developers using Claude Code, OpenClaw, and other AI coding agents.",
-  "main": "dist/index.js",
-  "bin": {
-    "oopsdb": "dist/index.js"
-  },
-  "scripts": {
-    "build": "tsc",
-    "dev": "ts-node src/index.ts",
-    "start": "node dist/index.js",
-    "prepublishOnly": "npm run build",
-    "test": "tsc && vitest run tests/unit.test.ts",
-    "test:e2e": "tsc && vitest run tests/e2e.test.ts",
-    "test:all": "tsc && vitest run"
-  },
-  "keywords": [
-    "database",
-    "backup",
-    "restore",
-    "rollback",
-    "claude-code",
-    "ai-safety",
-    "mysql",
-    "postgres",
-    "supabase",
-    "sqlite"
-  ],
-  "author": "",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/pintayo/oopsdb.git"
-  },
-  "homepage": "https://oopsdb.com",
-  "engines": {
-    "node": ">=16.0.0"
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE"
-  ],
-  "dependencies": {
-    "chalk": "^4.1.2",
-    "commander": "^12.1.0",
-    "inquirer": "^8.2.6",
-    "ora": "^5.4.1"
-  },
-  "devDependencies": {
-    "@types/inquirer": "^8.2.10",
-    "@types/node": "^22.0.0",
-    "testcontainers": "^11.12.0",
-    "typescript": "^5.7.0",
-    "vitest": "^4.0.18"
-  }
-}
+{
+  "name": "oopsdb",
+  "version": "1.2.0",
+  "description": "Don't let AI nuke your database. Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.",
+  "main": "dist/index.js",
+  "bin": {
+    "oopsdb": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "ts-node src/index.ts",
+    "start": "node dist/index.js",
+    "prepublishOnly": "npm run build",
+    "test": "tsc && vitest run tests/unit.test.ts",
+    "test:e2e": "tsc && vitest run tests/e2e.test.ts",
+    "test:all": "tsc && vitest run"
+  },
+  "keywords": [
+    "database",
+    "backup",
+    "restore",
+    "rollback",
+    "claude-code",
+    "ai-safety",
+    "mysql",
+    "postgres",
+    "supabase",
+    "sqlite"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/pintayo/oopsdb.git"
+  },
+  "homepage": "https://oopsdb.com",
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1005.0",
+    "@aws-sdk/s3-request-presigner": "^3.1005.0",
+    "chalk": "^4.1.2",
+    "commander": "^12.1.0",
+    "inquirer": "^8.2.6",
+    "ora": "^5.4.1"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260310.1",
+    "@types/inquirer": "^8.2.10",
+    "@types/node": "^22.0.0",
+    "testcontainers": "^11.12.0",
+    "typescript": "^5.7.0",
+    "vitest": "^4.0.18"
+  },
+  "directories": {
+    "test": "tests"
+  },
+  "types": "./dist/index.d.ts",
+  "bugs": {
+    "url": "https://github.com/pintayo/oopsdb/issues"
+  }
+}