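/**
 * Decrypt an encrypted backup bundle (`*.tar.enc`) produced when a destination
 * has bundle encryption enabled. Restore step — see
 * docs/backup-restore-runbook.md.
 *
 *   BACKUP_PASSPHRASE='…' pnpm tsx scripts/decrypt-backup.ts <input.tar.enc> <output.tar>
 *
 * The passphrase is read from $BACKUP_PASSPHRASE (not argv, to keep it out of
 * shell history / the process list). An inline `VAR=value command` prefix, as
 * in the example above, is itself saved by most shells' history; to really
 * keep it out, set the variable from a silent prompt
 * (e.g. `read -rs BACKUP_PASSPHRASE; export BACKUP_PASSPHRASE`) and `unset`
 * it once the restore is done.
 *
 * The output file is the plaintext bundle. Write it somewhere only the
 * restoring operator can read, and remove it after the restore.
 */
import { resolve } from 'node:path';

import { decryptFileToFile } from '@/lib/services/backup-destinations/bundle-encryption';

/**
 * Validate the CLI arguments and environment, then decrypt `input` to `output`.
 *
 * Reads the two positional arguments from `process.argv` and the passphrase
 * from `process.env.BACKUP_PASSPHRASE`. On success it reports the output path
 * on stdout and exits with status 0.
 *
 * @throws Error when an argument is missing, the passphrase is unset or empty,
 *   or both arguments resolve to the same path. Anything thrown by
 *   `decryptFileToFile` propagates to the caller.
 */
async function main(): Promise<void> {
  const [input, output] = process.argv.slice(2);
  const passphrase = process.env.BACKUP_PASSPHRASE;

  if (!input || !output) {
    throw new Error(
      'Usage: BACKUP_PASSPHRASE=… pnpm tsx scripts/decrypt-backup.ts <input.tar.enc> <output.tar>',
    );
  }
  if (!passphrase) throw new Error('Set BACKUP_PASSPHRASE in the environment');

  // Refuse to decrypt a bundle onto itself: writing the output could truncate
  // the only encrypted copy. This catches the common mistake of passing the
  // same path twice; it does not detect symlinks or hard links.
  if (resolve(input) === resolve(output)) {
    throw new Error('Input and output must be different files');
  }

  // NOTE(review): confirm that decryptFileToFile authenticates the bundle and
  // does not leave a partially written output behind when the passphrase is
  // wrong or the bundle has been modified. A truncated or unauthenticated
  // file must never be restored from.
  await decryptFileToFile(input, output, passphrase);

  // Exit from the write callback so the message is flushed before the process
  // terminates.
  process.stdout.write(`Decrypted → ${output}\n`, () => process.exit(0));
}

// Report only the error message (no stack trace) on stderr and exit non-zero,
// again waiting for the write to complete before exiting.
main().catch((err) => {
  process.stderr.write(
    `Decrypt failed: ${err instanceof Error ? err.message : String(err)}\n`,
    () => process.exit(1),
  );
});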