alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b4f457fceb0b0952117fc3b2c0fe9a70df8f75f3
claudemesh/apps/cli/src/commands/backup.ts
Alejandro Gutiérrez ee12510ef1
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details
refactor: rename cli-v2 → cli, archive legacy cli, plus broker-side grants + auto-migrate 
- apps/cli/ is now the canonical CLI (was apps/cli-v2/).
- apps/cli/ legacy v0 archived as branch 'legacy-cli-archive' and tag
  'cli-v0-legacy-final' before deletion; git history preserves it too.
- .github/workflows/release-cli.yml paths updated.
- pnpm-lock.yaml regenerated.

Broker-side peer-grant enforcement (spec: 2026-04-15-per-peer-capabilities):
- 0020_peer-grants.sql adds peer_grants jsonb + GIN index on mesh.member.
- handleSend in broker fetches recipient grant maps once per send, drops
  messages silently when sender lacks the required capability.
- POST /cli/mesh/:slug/grants to update from CLI; broker_messages_dropped_by_grant_total metric.
- CLI grant/revoke/block now mirror to broker via syncToBroker.

Auto-migrate on broker startup:
- apps/broker/src/migrate.ts runs drizzle migrate with pg_advisory_lock
  before the HTTP server binds. Exits non-zero on failure so Coolify
  healthcheck fails closed.
- Dockerfile copies packages/db/migrations into /app/migrations.
- postgres 3.4.5 added as direct broker dep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 08:44:52 +01:00

148 lines
5.3 KiB
TypeScript
Raw Blame History

/**
* `claudemesh backup` — encrypt the local config and save a portable
* recovery file. Restore later with `claudemesh restore <file>` on any
* machine to recover mesh memberships.
*
* Crypto:
* - Argon2id KDF over a user passphrase → 32-byte key
* (via libsodium's crypto_pwhash, INTERACTIVE limits so a weak
* passphrase is still workable but brute-force remains expensive)
* - XChaCha20-Poly1305 authenticated encryption of the JSON config
* - Format: magic "CMB1" · salt (16B) · nonce (24B) · ciphertext
*
* Output: a single `.claudemesh-backup` file the user can store in
* 1Password, email to themselves, etc. Zero server involvement.
*
* Passphrase hygiene: read twice from TTY, never echoed. Rejects
* passphrases shorter than 12 characters.
*/
import { readFileSync, writeFileSync, existsSync } from "node:fs";
import { createInterface } from "node:readline";
import { getConfigPath } from "~/services/config/facade.js";
import { ensureSodium } from "~/services/crypto/facade.js";
import { EXIT } from "~/constants/exit-codes.js";
const MAGIC = Buffer.from("CMB1", "utf-8");
function readHidden(prompt: string): Promise<string> {
return new Promise((resolve) => {
process.stdout.write(prompt);
const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: true });
// Node readline doesn't mask by default. Turn off echo manually.
const stdin = process.stdin as NodeJS.ReadStream & { isTTY?: boolean };
const wasRaw = Boolean(stdin.isRaw);
if (stdin.isTTY) {
stdin.setRawMode(true);
}
let buf = "";
const onData = (chunk: Buffer): void => {
const ch = chunk.toString("utf-8");
if (ch === "\n" || ch === "\r" || ch === "\u0004") {
stdin.removeListener("data", onData);
if (stdin.isTTY) stdin.setRawMode(wasRaw);
process.stdout.write("\n");
rl.close();
resolve(buf);
return;
}
if (ch === "\u0003") { // ctrl-c
process.exit(130);
}
if (ch === "\u007f") { // backspace
buf = buf.slice(0, -1);
return;
}
buf += ch;
};
stdin.on("data", onData);
});
}
async function deriveKey(pass: string, salt: Buffer, s: Awaited<ReturnType<typeof ensureSodium>>): Promise<Uint8Array> {
return s.crypto_pwhash(
32,
pass,
salt,
s.crypto_pwhash_OPSLIMIT_INTERACTIVE,
s.crypto_pwhash_MEMLIMIT_INTERACTIVE,
s.crypto_pwhash_ALG_ARGON2ID13,
);
}
export async function runBackup(outPath: string | undefined): Promise<number> {
const configPath = getConfigPath();
if (!existsSync(configPath)) {
console.error(" No config found — nothing to back up. Join a mesh first.");
return EXIT.NOT_FOUND;
}
const plaintext = readFileSync(configPath);
const pass = await readHidden(" Passphrase (min 12 chars): ");
if (pass.length < 12) {
console.error(" ✗ Passphrase too short.");
return EXIT.INVALID_ARGS;
}
const confirm = await readHidden(" Confirm passphrase: ");
if (confirm !== pass) {
console.error(" ✗ Passphrases did not match.");
return EXIT.INVALID_ARGS;
}
const s = await ensureSodium();
const salt = Buffer.from(s.randombytes_buf(16));
const nonce = Buffer.from(s.randombytes_buf(24));
const key = await deriveKey(pass, salt, s);
const ciphertext = Buffer.from(
s.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, null, null, nonce, key),
);
const blob = Buffer.concat([MAGIC, salt, nonce, ciphertext]);
const file = outPath ?? `claudemesh-backup-${new Date().toISOString().replace(/[:.]/g, "-")}.cmb`;
writeFileSync(file, blob, { mode: 0o600 });
console.log(`\n ✓ Backup saved: ${file}`);
console.log(` Size: ${blob.length} bytes. Guard the passphrase — there is no recovery.\n`);
return EXIT.SUCCESS;
}
export async function runRestore(inPath: string | undefined): Promise<number> {
if (!inPath) {
console.error(" Usage: claudemesh restore <backup-file>");
return EXIT.INVALID_ARGS;
}
if (!existsSync(inPath)) {
console.error(` ✗ File not found: ${inPath}`);
return EXIT.NOT_FOUND;
}
const blob = readFileSync(inPath);
if (blob.length < 4 + 16 + 24 + 17 || !blob.subarray(0, 4).equals(MAGIC)) {
console.error(" ✗ Not a claudemesh backup file (bad magic).");
return EXIT.INVALID_ARGS;
}
const salt = blob.subarray(4, 20);
const nonce = blob.subarray(20, 44);
const ciphertext = blob.subarray(44);
const pass = await readHidden(" Passphrase: ");
const s = await ensureSodium();
const key = await deriveKey(pass, Buffer.from(salt), s);
let plaintext: Uint8Array;
try {
plaintext = s.crypto_aead_xchacha20poly1305_ietf_decrypt(null, ciphertext, null, nonce, key);
} catch {
console.error(" ✗ Decryption failed — wrong passphrase or tampered file.");
return EXIT.INTERNAL_ERROR;
}
const configPath = getConfigPath();
if (existsSync(configPath)) {
const backupOld = `${configPath}.before-restore.${Date.now()}`;
writeFileSync(backupOld, readFileSync(configPath), { mode: 0o600 });
console.log(` ↻ Existing config saved to ${backupOld}`);
}
writeFileSync(configPath, Buffer.from(plaintext), { mode: 0o600 });
console.log(`\n ✓ Config restored to ${configPath}`);
console.log(" Run `claudemesh list` to verify your meshes.\n");
return EXIT.SUCCESS;
}
Reference in New Issue View Git Blame Copy Permalink