sc/sgard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3b961b5d8a699d2ed50e6e7a54c81730a4a1e98c
sgard/garden/diff.go
Kyle Isom 3b961b5d8a Step 17: Encryption core — passphrase-only, selective per-file. 
Manifest schema: Entry gains Encrypted, PlaintextHash fields.
Manifest gains Encryption section with KekSlots map (passphrase slot
with Argon2id params, salt, and wrapped DEK as base64).

garden/encrypt.go: EncryptInit (generate DEK, wrap with passphrase KEK),
UnlockDEK (derive KEK, unwrap), encryptBlob/decryptBlob using
XChaCha20-Poly1305 with random 24-byte nonces.

Modified operations:
- Add: optional encrypt flag, stores encrypted blob + plaintext_hash
- Checkpoint: detects changes via plaintext_hash, re-encrypts
- Restore: decrypts encrypted blobs before writing
- Diff: decrypts stored blob before comparing
- Status: compares against plaintext_hash for encrypted entries

10 tests covering init, persistence, unlock, add-encrypted, restore
round-trip, checkpoint, status, diff, requires-DEK guard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 08:50:53 -07:00

100 lines
2.4 KiB
Go
Raw Blame History

package garden
import (
"bytes"
"fmt"
"os"
"path/filepath"
"strings"
)
// Diff returns a unified-style diff between the stored blob and the current
// on-disk content for the file at path. If the file is unchanged, it returns
// an empty string. Only regular files (type "file") can be diffed.
func (g *Garden) Diff(path string) (string, error) {
abs, err := filepath.Abs(path)
if err != nil {
return "", fmt.Errorf("resolving path: %w", err)
}
tilded := toTildePath(abs)
entry := g.findEntry(tilded)
if entry == nil {
return "", fmt.Errorf("not tracked: %s", tilded)
}
if entry.Type != "file" {
return "", fmt.Errorf("cannot diff entry of type %q (only files)", entry.Type)
}
stored, err := g.store.Read(entry.Hash)
if err != nil {
return "", fmt.Errorf("reading stored blob: %w", err)
}
if entry.Encrypted {
if g.dek == nil {
return "", fmt.Errorf("DEK not unlocked; cannot diff encrypted file %s", tilded)
}
stored, err = g.decryptBlob(stored)
if err != nil {
return "", fmt.Errorf("decrypting stored blob: %w", err)
}
}
current, err := os.ReadFile(abs)
if err != nil {
return "", fmt.Errorf("reading current file: %w", err)
}
if bytes.Equal(stored, current) {
return "", nil
}
oldLines := splitLines(string(stored))
newLines := splitLines(string(current))
return simpleDiff(tilded+" (stored)", tilded+" (current)", oldLines, newLines), nil
}
// splitLines splits s into lines, preserving the trailing empty element if s
// ends with a newline so that the diff output is accurate.
func splitLines(s string) []string {
if s == "" {
return nil
}
return strings.SplitAfter(s, "\n")
}
// simpleDiff produces a minimal unified-style diff header followed by removed
// and added lines. It walks both slices in lockstep, emitting unchanged lines
// as context and changed lines with -/+ prefixes.
func simpleDiff(oldName, newName string, oldLines, newLines []string) string {
var buf strings.Builder
fmt.Fprintf(&buf, "--- %s\n", oldName)
fmt.Fprintf(&buf, "+++ %s\n", newName)
i, j := 0, 0
for i < len(oldLines) && j < len(newLines) {
if oldLines[i] == newLines[j] {
fmt.Fprintf(&buf, " %s", oldLines[i])
i++
j++
} else {
fmt.Fprintf(&buf, "-%s", oldLines[i])
fmt.Fprintf(&buf, "+%s", newLines[j])
i++
j++
}
}
for ; i < len(oldLines); i++ {
fmt.Fprintf(&buf, "-%s", oldLines[i])
}
for ; j < len(newLines); j++ {
fmt.Fprintf(&buf, "+%s", newLines[j])
}
return buf.String()
}
Reference in New Issue View Git Blame Copy Permalink