chore(dev): release 0.4.0

fix: Fixed memory leaks in the db.
refactor(crypto): used a proper init procedure.
2026-06-27 10:38:33 -04:00 · 2026-06-18 10:35:49 -04:00 · 2026-06-18 10:35:21 -04:00 · 2026-06-18 08:18:09 -04:00 · 2026-06-18 08:08:46 -04:00 · 2026-06-18 07:45:38 -04:00
21 changed files with 601 additions and 731 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Changelog
 ## [0.4.0](https://github.com/sbrow/envr/compare/v0.3.0...v0.4.0) (2026-06-18)
 ### Features
 * Removed runtime git dependency. ([12574e1](https://github.com/sbrow/envr/commit/12574e123bdedba3aca813143e906ec5e0b95719))
 ### Bug Fixes
 * Fixed memory leaks in the db. ([5059572](https://github.com/sbrow/envr/commit/5059572951b3ec20b3d2027032a9c3be5cb14dba))
 ### Performance Improvements
 * Replaced `fd` with custom internals. ([2ef733f](https://github.com/sbrow/envr/commit/2ef733fe58594b0a0b6e3ef85142b74af445ccb8))
 ## [0.3.0](https://github.com/sbrow/envr/compare/v0.2.1...v0.3.0) (2026-06-16)
 Version 0.3.0 represents a significant departure (and improvement) for envr.
--- a/README.md
+++ b/README.md
@@ -12,14 +12,13 @@ the tool [of your choosing](#backup-options).
 ## Features
- 🔐 **Encrypted Storage**: All `.env` files are encrypted using your ssh key and
+- **Encrypted Storage**: All `.env` files are encrypted using your ssh key and
-[libsodium](https://github.com/jedisct1/libsodium) encryption.
+[libsodium](https://github.com/jedisct1/libsodium). 
- 🔄 **Automatic Sync**: Update the database with one command, which can easily
+- **Automatic Sync**: Update the database with one command, which can easily
 be run on a cron.
- 🔍 **Smart Scanning**: Automatically discover and import `.env` files in your
+- **Smart Scanning**: Automatically discover and import `.env` files in your
 home directory.
- ✨ **Interactive CLI**: User-friendly prompts for file selection and management.
+- **Rename Detection**: Automatically find and updates renamed/moved
 - 🗂️ **Rename Detection**: Automatically finds and updates renamed/moved
 repositories.
 ## TODOS
@@ -28,15 +27,11 @@ repositories.
 - [x] Allow configuration of ssh key.
 - [x] Allow multiple ssh keys.
 ## Prerequisites
 - An SSH key pair (for encryption/decryption)
 - The following binaries:
   - [fd](https://github.com/sharkdp/fd)
   - [git](https://git-scm.com)
 ## Installation
 You will need an SSH key pair for encryption and decryption. You can generate one
 with `ssh-keygen -t ed25519`. It will be saved to `~/.ssh/id_ed25519`.
 ### With Odin
 If you already have `odin` installed:
@@ -96,7 +91,12 @@ The configuration file is created during initialization:
  ],
  "scan": {
    "matcher": "\\.env",
-    "exclude": "*.envrc",
+    "exclude": [
      "*\\.envrc",
      "\\.local/",
      "node_modules",
      "vendor"       
    ],
    "include": "~"
  }
 }
--- a/TEST_PLAN.md
+++ b/TEST_PLAN.md
@@ -35,13 +35,7 @@ Stdout will be captured by redirecting `os.stdout` to a pipe.
 ## Hard to test (interactive / external deps)
 ### `cmd_deps` (cmd_deps.odin)
 - Needs `git` and/or `fd` in PATH
 - Test TTY and non-TTY paths
 - Skip if dependencies not available (with `#assert` like TODO 28 suggests)
 ### `cmd_scan` (cmd_scan.odin)
 - Needs `fd` installed
 - Test with fixture git repo containing `.env` files
 - Test `find_unbacked` integration (already partially tested in `cmd_check_test.odin`)
 - Non-TTY JSON output path
@@ -66,5 +60,4 @@ Stdout will be captured by redirecting `os.stdout` to a pipe.
 - DB integration tests should use in-memory SQLite (`:memory:`) where possible.
 - Temp dir fixtures should follow the pattern in `scan_test.odin`.
 - External dependency tests (`fd`, `git`) should use `#assert` to ensure the dependency is present rather than silently skipping (TODO 28).
 - Tests that manipulate the `HOME` env var must use a mutex to prevent races with parallel test execution.
--- a/TODOS.md
+++ b/TODOS.md
@@ -2,11 +2,13 @@
 1. Consider giving db its own allocator
-2. **db.odin:324-327** — Map iteration (`remote_set`) is non-deterministic. Same file can produce different JSON on each backup, causing spurious DB diffs. Sort remotes before storing.
+27. Commands are still leaking.
-3. **db.odin:135, 250** — String interpolation into SQL (`VACUUM INTO '%s'`, `ATTACH DATABASE '%s'`). Currently safe because input is controlled, but fragile.
+2. Generate md and man pages again.
-4. **features.odin:30-41** — `find_binary` uses `strings.join` instead of `filepath.join`, uses `os.stat` instead of checking executability, hardcodes `:` as PATH separator (wrong on Windows).
+3. **db.odin:324-327** — Map iteration (`remote_set`) is non-deterministic. Same file can produce different JSON on each backup, causing spurious DB diffs. Sort remotes before storing.
 4. Make sure official path separators are used when appropriate, rather than '/'.
 5. **cmd_restore.odin:20-30 & cmd_remove.odin:19-29** — Identical path-resolution block copy-pasted. `is_abs` guard is redundant since `filepath.abs` is a no-op on absolute paths. Extract a helper.
@@ -18,7 +20,7 @@
 11. **db.odin:352-353** — `hex.encode` error ignored. `string(hex_bytes)` aliases the byte slice.
-12. **cmd_sync.odin:80, cmd_list.odin:33, cmd_deps.odin:9** — `make([]string, 2)` for table rows never freed. Leaks per row. Defer to memory pass.
+12. **cmd_sync.odin:80, cmd_list.odin:33** — `make([]string, 2)` for table rows never freed. Leaks per row. Defer to memory pass.
 13. **cmd_list.odin** — Non-TTY branch builds `ListEntry` structs and marshals JSON separately. Now that `render_json_rows` (issue 1) accepts an `io.Writer` and uses `json.marshal`, unify both branches to use it. Note: will change JSON keys from `"directory"/"path"` to `"Directory"/"Path"`.
@@ -38,7 +40,11 @@
 23. procedures should be ordered by use, main at the top, then in the order they are called from main.
-24. Remove git dependency.
+24. Shell completion
 25. Bring back windows support / cross-compilation.
 26. Test all cmds / terminal branches.
 ## Double-check AI output
@@ -47,7 +53,6 @@
 - [x] cmd_backup.odin
 - [x] cmd_check.odin
 - [ ] cmd_check_test.odin
 - [x] cmd_deps.odin
 - [ ] cmd_edit_config.odin
 - [x] cmd_init.odin
 - [x] cmd_list.odin
@@ -66,8 +71,6 @@
 - [ ] db.odin
 - [ ] db_integration_test.odin
 - [ ] db_test.odin
 - [x] features.odin
 - [x] features_test.odin
 - [x] main.odin
 - [x] prompt.odin
 - [ ] scan.odin
--- a/WINDOWS.md
+++ b/WINDOWS.md
@@ -1,92 +0,0 @@
 # Windows Compatibility Guide
 This document outlines Windows compatibility issues and solutions for the envr project.
 ## Critical Issues
 ### 1. Path Handling Bug (MUST FIX)
 **File:** `app/env_file.go:209`
 **Issue:** Uses `path.Join` instead of `filepath.Join`, which won't work correctly on Windows due to different path separators.
 **Current code:**
 ```go
 f.Path = path.Join(newDir, path.Base(f.Path))
 ```
 **Fixed code:**
 ```go
 f.Path = filepath.Join(newDir, filepath.Base(f.Path))
 ```
 ## External Dependencies
 The application relies on external tools that need to be installed separately on Windows:
 ### Required Tools
 1. **fd** - Fast file finder
   - Install via: `winget install sharkdp.fd` or `choco install fd`
   - Alternative: `scoop install fd`
 2. **git** - Version control system
   - Install via: `winget install Git.Git` or download from git-scm.com
   - Usually already available on most development machines
 ## Minor Compatibility Notes
 ### File Permissions
 - Unix file permissions (`0755`, `0644`) are used throughout the codebase
 - These are safely ignored on Windows - no changes needed
 ### Editor Configuration
 **File:** `cmd/edit_config.go:20-24`
 **Issue:** Relies on `$EDITOR` environment variable which is less common on Windows.
 **Current behavior:** Fails if `$EDITOR` is not set
 **Recommended improvement:** Add fallback detection for Windows editors:
 ```go
 editor := os.Getenv("EDITOR")
 if editor == "" {
    if runtime.GOOS == "windows" {
        editor = "notepad.exe"  // or "code.exe" for VS Code
    } else {
        fmt.Println("Error: $EDITOR environment variable is not set")
        return
    }
 }
 ```
 ## Installation Instructions for Windows
 1. Install required dependencies:
   ```powershell
   winget install sharkdp.fd
   winget install Git.Git
   ```
 2. Fix the path handling bug in `app/env_file.go:209`
 3. Build and run as normal:
   ```powershell
   go build
   .\envr.exe init
   ```
 ## Testing on Windows
 After applying the critical path fix, the core functionality should work correctly on Windows. The application has been designed with cross-platform compatibility in mind, using:
 - `filepath` package for path operations (mostly)
 - `os.UserHomeDir()` for home directory detection
 - Standard Go file operations
 ## Summary
 - **1 critical bug** must be fixed for Windows compatibility
 - **2 external tools** need to be installed
 - **1 minor enhancement** recommended for better Windows UX
 - Overall architecture is Windows-compatible
--- a/cli.odin
+++ b/cli.odin
@@ -43,13 +43,6 @@ key somewhere, otherwise your data could be lost forever.`,
 	{"list", "envr list", "View your tracked files", "", {}},
 	{"remove", "envr remove <path>", "Remove a .env file from your database", "", {}},
 	{"check", "envr check [path]", "Check if files are backed up", "", {}},
 	{
 		"deps",
 		"envr deps",
 		"Check for missing binaries",
 		"envr relies on external binaries for certain functionality.\n\nThe check command reports on which binaries are available and which are not.",
 		{},
 	},
 	{"version", "envr version", "Show envr's version", "", {}},
 	{"edit-config", "envr edit-config", "Edit your config with your default editor", "", {}},
 	{
@@ -61,20 +54,12 @@ key somewhere, otherwise your data could be lost forever.`,
 	},
 }
 delete_command :: proc(cmd: ^Command) {
 	delete(cmd.args)
 	delete(cmd.flags)
 	delete(cmd.bool_set)
 	bufio.writer_destroy(cmd.out_buf)
 	free(cmd.out_buf)
 }
 // Caller is responsible for calling delete_command(cmd).
 // FIXME: Works in kinda a wonky and awkward way.
 parse_args :: proc(args: []string, out: io.Stream, err: io.Stream) -> (cmd: Command, ok: bool) {
 	{
 		cmd.out_buf = new(bufio.Writer)
-		bufio.writer_init(cmd.out_buf, out)
+		bufio.writer_init(cmd.out_buf, out, allocator = context.allocator)
 		cmd.out = bufio.writer_to_writer(cmd.out_buf)
 		cmd.err = err
 	}
@@ -137,27 +122,12 @@ parse_args :: proc(args: []string, out: io.Stream, err: io.Stream) -> (cmd: Comm
 	return cmd, true
 }
-has_flag :: proc(cmd: ^Command, name: string) -> bool {
+print_command_help :: proc(cmd: ^Command) {
-	_, ok := cmd.flags[name]
+	ok := write_command_help(cmd.name, cmd.out)
-	if ok {
+	if !ok {
-		return true
+		fmt.wprintf(cmd.err, "Unknown command: %s\n", cmd.name)
 		write_usage(cmd.out)
 	}
 	_, ok2 := cmd.bool_set[name]
 	return ok2
 }
 find_command :: proc(name: string) -> (CommandInfo, bool) {
 	for c in COMMANDS {
 		if c.name == name {
 			return c, true
 		}
 		for a in c.aliases {
 			if a == name {
 				return c, true
 			}
 		}
 	}
 	return CommandInfo{}, false
 }
 write_command_help :: proc(name: string, w: io.Writer) -> bool {
@@ -190,12 +160,18 @@ write_command_help :: proc(name: string, w: io.Writer) -> bool {
 	return true
 }
-print_command_help :: proc(cmd: ^Command) {
+find_command :: proc(name: string) -> (CommandInfo, bool) {
-	ok := write_command_help(cmd.name, cmd.out)
+	for c in COMMANDS {
-	if !ok {
+		if c.name == name {
-		fmt.wprintf(cmd.err, "Unknown command: %s\n", cmd.name)
+			return c, true
-		write_usage(cmd.out)
+		}
 		for a in c.aliases {
 			if a == name {
 				return c, true
 			}
 		}
 	}
 	return CommandInfo{}, false
 }
 // TODO: command args should be shown in usage.
@@ -270,3 +246,21 @@ Use "envr [command] --help" for more information about a command.
 	)
 }
 has_flag :: proc(cmd: ^Command, name: string) -> bool {
 	_, ok := cmd.flags[name]
 	if ok {
 		return true
 	}
 	_, ok2 := cmd.bool_set[name]
 	return ok2
 }
 delete_command :: proc(cmd: ^Command) {
 	bufio.writer_flush(cmd.out_buf)
 	delete(cmd.args)
 	delete(cmd.flags)
 	delete(cmd.bool_set)
 	bufio.writer_destroy(cmd.out_buf)
 	free(cmd.out_buf)
 }
--- a/cmd_check.odin
+++ b/cmd_check.odin
@@ -54,6 +54,8 @@ cmd_check :: proc(cmd: ^Command) {
 	if !list_ok {
 		return
 	}
 	defer delete(db_files)
 	defer for &file in db_files {delete_envfile(&file)}
 	not_backed := find_unbacked(files_in_path[:], db_files[:])
@@ -61,13 +63,23 @@ cmd_check :: proc(cmd: ^Command) {
 		if len(files_in_path) == 0 {
 			fmt.wprintln(cmd.out, "No .env files found in the specified directory.", flush = false)
 		} else {
-			fmt.wprintln(cmd.out, "✓ All .env files in the directory are backed up.", flush = false)
+			fmt.wprintln(
 				cmd.out,
 				"✓ All .env files in the directory are backed up.",
 				flush = false,
 			)
 		}
 	} else {
-		fmt.wprintf(cmd.out, "Found %d .env file(s) that are not backed up:\n", len(not_backed), flush = false)
+		fmt.wprintf(
 			cmd.out,
 			"Found %d .env file(s) that are not backed up:\n",
 			len(not_backed),
 			flush = false,
 		)
 		for file in not_backed {
 			fmt.wprintf(cmd.out, "  %s\n", file, flush = false)
 		}
 		fmt.wprintln(cmd.out, "\nRun 'envr sync' to back up these files.", flush = false)
 	}
 }
--- a/cmd_deps.odin
+++ b/cmd_deps.odin
@@ -1,27 +0,0 @@
 package main
 import "core:fmt"
 import "core:os"
 import "core:terminal"
 // TODO: Improve table rendering
 cmd_deps :: proc(cmd: ^Command) {
 	feats := check_features()
 	headers := []string{"Feature", "Status"}
 	rows: [dynamic][]string
 	if .Git in feats {
 		append(&rows, []string{"Git", "\u2713 Available"})
 	} else {
 		append(&rows, []string{"Git", "\u2717 Missing"})
 	}
 	if terminal.is_terminal(os.stdout) {
 		render_table(cmd.out, headers, rows[:])
 	} else {
 		render_json_rows(cmd.out, headers, rows[:])
 		fmt.wprint(cmd.out, "\n", flush = false)
 	}
 }
--- a/cmd_list.odin
+++ b/cmd_list.odin
@@ -26,6 +26,7 @@ cmd_list :: proc(cmd: ^Command) {
 		return
 	}
 	defer delete(rows)
 	defer for &row in rows {delete_envfile(&row)}
 	if terminal.is_terminal(os.stdout) {
 		headers := []string{"Directory", "Path"}
@@ -34,7 +35,7 @@ cmd_list :: proc(cmd: ^Command) {
 		for row in rows {
 			dir_str := strings.concatenate({row.Dir, "/"}, context.temp_allocator)
 			filename := filepath.base(row.Path)
-			row_slice := make([]string, 2)
+			row_slice := make([]string, 2, context.temp_allocator)
 			row_slice[0] = dir_str
 			row_slice[1] = filename
 			append(&table_rows, row_slice)
--- a/config.odin
+++ b/config.odin
@@ -25,14 +25,6 @@ Config :: struct {
 	config_path: string `json:"-"`,
 }
 default_config_path :: proc(home: string, allocator := context.allocator) -> string {
 	path, err := filepath.join([]string{home, ".envr", "config.json"}, allocator)
 	if err != nil {
 		panic("Ran out of memory when building config path")
 	}
 	return path
 }
 load_config :: proc(config_path: string) -> (Config, bool) {
 	data, read_err := os.read_entire_file_from_path(config_path, context.allocator)
 	if read_err != nil {
@@ -53,6 +45,14 @@ load_config :: proc(config_path: string) -> (Config, bool) {
 	return cfg, true
 }
 default_config_path :: proc(home: string, allocator := context.allocator) -> string {
 	path, err := filepath.join([]string{home, ".envr", "config.json"}, allocator)
 	if err != nil {
 		panic("Ran out of memory when building config path")
 	}
 	return path
 }
 delete_config :: proc(cfg: ^Config) {
 	for key in cfg.Keys {
 		delete(key.Private)
@@ -73,13 +73,73 @@ delete_config :: proc(cfg: ^Config) {
 	delete(cfg.ScanConfig.Include)
 }
-envr_dir :: proc(config_path: string) -> string {
+save_config :: proc(cfg: Config, force: bool = false) -> bool {
-	return filepath.dir(config_path)
+	config_dir := envr_dir(cfg.config_path)
 	if !os.exists(config_dir) {
 		mkdir_err := os.make_directory(config_dir)
 		if mkdir_err != nil {
 			fmt.printf("Error creating %s directory: %v\n", config_dir, mkdir_err)
 			return false
 		}
 	}
 	if os.exists(cfg.config_path) && !force {
 		info, stat_err := os.stat(cfg.config_path, context.allocator)
 		if stat_err == nil {
 			defer os.file_info_delete(info, context.allocator)
 			if info.size > 0 {
 				fmt.println("Config file already exists. Run again with --force to reinitialize.")
 				return false
 			}
 		}
 	}
 	data, marshal_err := json.marshal(cfg, {pretty = true, use_spaces = true, spaces = 2})
 	if marshal_err != nil {
 		fmt.printf("Error marshaling config: %v\n", marshal_err)
 		return false
 	}
 	defer delete(data)
 	write_err := os.write_entire_file(cfg.config_path, data)
 	if write_err != nil {
 		fmt.printf("Error writing config: %v\n", write_err)
 		return false
 	}
 	return true
 }
-data_path :: proc(config_path: string) -> string {
+// Caller is responsible for calling delete_config()
-	path, _ := filepath.join([]string{envr_dir(config_path), "data.envr"})
+new_config :: proc(
-	return path
+	private_key_paths: []string,
 	cfg_path: string = "~/.envr/config.json",
 ) -> Config {
 	keys := make([dynamic]SshKeyPair, 0, len(private_key_paths))
 	for priv in private_key_paths {
 		// TODO: Is this bad?
 		priv_key := strings.clone(priv)
 		pub, _ := strings.concatenate([]string{priv_key, ".pub"})
 		append(&keys, SshKeyPair{Private = priv_key, Public = pub})
 	}
 	exclude := make([dynamic]string, 0, 4)
 	append(&exclude, strings.clone("*\\.envrc"))
 	append(&exclude, strings.clone("\\.local/"))
 	append(&exclude, strings.clone("node_modules"))
 	append(&exclude, strings.clone("vendor"))
 	include := make([dynamic]string, 0, 1)
 	append(&include, strings.clone("~"))
 	scan_cfg := ScanConfig {
 		Matcher = strings.clone("\\.env"),
 		Exclude = exclude,
 		Include = include,
 	}
 	return Config{Keys = keys, ScanConfig = scan_cfg, config_path = cfg_path}
 }
 find_ssh_private_keys :: proc() -> (keys: [dynamic]string, ok: bool) {
@@ -128,73 +188,11 @@ find_ssh_private_keys :: proc() -> (keys: [dynamic]string, ok: bool) {
 	return
 }
-// Caller is responsible for calling delete_config()
+find_git_roots :: proc(cfg: Config) -> (roots: [dynamic]string, ok: bool) {
-new_config :: proc(
+	paths := search_paths(cfg)
-	private_key_paths: []string,
+	findr.find_repos(paths[:], &roots, os.get_processor_core_count())
-	cfg_path: string = "~/.envr/config.json",
+	ok = true
-) -> Config {
+	return
 	keys := make([dynamic]SshKeyPair, 0, len(private_key_paths))
 	for priv in private_key_paths {
 		// TODO: Is this bad?
 		priv_key := strings.clone(priv)
 		pub, _ := strings.concatenate([]string{priv_key, ".pub"})
 		append(&keys, SshKeyPair{Private = priv_key, Public = pub})
 	}
 	exclude := make([dynamic]string, 0, 4)
 	append(&exclude, strings.clone("*\\.envrc"))
 	append(&exclude, strings.clone("\\.local/"))
 	append(&exclude, strings.clone("node_modules"))
 	append(&exclude, strings.clone("vendor"))
 	include := make([dynamic]string, 0, 1)
 	append(&include, strings.clone("~"))
 	scan_cfg := ScanConfig {
 		Matcher = strings.clone("\\.env"),
 		Exclude = exclude,
 		Include = include,
 	}
 	return Config{Keys = keys, ScanConfig = scan_cfg, config_path = cfg_path}
 }
 save_config :: proc(cfg: Config, force: bool = false) -> bool {
 	config_dir := envr_dir(cfg.config_path)
 	if !os.exists(config_dir) {
 		mkdir_err := os.make_directory(config_dir)
 		if mkdir_err != nil {
 			fmt.printf("Error creating %s directory: %v\n", config_dir, mkdir_err)
 			return false
 		}
 	}
 	if os.exists(cfg.config_path) && !force {
 		info, stat_err := os.stat(cfg.config_path, context.allocator)
 		if stat_err == nil {
 			defer os.file_info_delete(info, context.allocator)
 			if info.size > 0 {
 				fmt.println("Config file already exists. Run again with --force to reinitialize.")
 				return false
 			}
 		}
 	}
 	data, marshal_err := json.marshal(cfg, {pretty = true, use_spaces = true, spaces = 2})
 	if marshal_err != nil {
 		fmt.printf("Error marshaling config: %v\n", marshal_err)
 		return false
 	}
 	defer delete(data)
 	write_err := os.write_entire_file(cfg.config_path, data)
 	if write_err != nil {
 		fmt.printf("Error writing config: %v\n", write_err)
 		return false
 	}
 	return true
 }
 search_paths :: proc(cfg: Config) -> (paths: [dynamic]string) {
@@ -218,10 +216,13 @@ search_paths :: proc(cfg: Config) -> (paths: [dynamic]string) {
 	return
 }
-find_git_roots :: proc(cfg: Config) -> (roots: [dynamic]string, ok: bool) {
+envr_dir :: proc(config_path: string) -> string {
-	paths := search_paths(cfg)
+	return filepath.dir(config_path)
-	findr.find_repos(paths[:], &roots, os.get_processor_core_count())
+}
-	ok = true
+
-	return
+// User is responsible for freeing the path
 data_path :: proc(config_path: string, allocator := context.allocator) -> string {
 	path, _ := filepath.join([]string{envr_dir(config_path), "data.envr"}, allocator)
 	return path
 }
--- a/crypto.odin
+++ b/crypto.odin
@@ -2,6 +2,7 @@ package main
 import "core:fmt"
 import "core:mem"
 import "core:os"
 MAGIC :: "ENVR"
 MAGIC_BYTES := [4]u8{u8('E'), u8('N'), u8('V'), u8('R')}
@@ -20,80 +21,19 @@ RecipientEntry :: struct {
 	EncryptedKey: [CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES]u8,
 }
 sodium_initialized: bool
 ensure_sodium :: proc() -> bool {
 	if sodium_initialized {
 		return true
 	}
 	rc := sodium_init()
 	if rc < 0 {
 		fmt.println("Error: libsodium initialization failed")
 		return false
 	}
 	sodium_initialized = true
 	return true
 }
 X25519Keypair :: struct {
 	Public:  [CRYPTO_BOX_PUBLICKEY_BYTES]u8,
 	Private: [CRYPTO_BOX_SECRETKEY_BYTES]u8,
 }
-ssh_to_x25519 :: proc(keys: []SshKeyPair) -> (pairs: []X25519Keypair, ok: bool) {
+@(init)
-	if len(keys) == 0 {
+init_sodium :: proc "contextless" () {
-		return
+	if sodium_init() < 0 {
 		os.exit(1)
 	}
 	pairs = make([]X25519Keypair, len(keys))
 	for i in 0 ..< len(keys) {
 		ssh_kp, parse_ok := parse_ssh_private_key(keys[i].Private)
 		if !parse_ok {
 			fmt.printf("Error: failed to parse SSH private key: %s\n", keys[i].Private)
 			delete(pairs)
 			return
 		}
 		ssh_pub, pub_ok := parse_ssh_public_key(keys[i].Public)
 		if !pub_ok {
 			fmt.printf("Error: failed to parse SSH public key: %s\n", keys[i].Public)
 			delete(pairs)
 			return
 		}
 		pk_rc := crypto_sign_ed25519_pk_to_curve25519(&pairs[i].Public[0], &ssh_pub[0])
 		if pk_rc != 0 {
 			fmt.println("Error: failed to convert ed25519 public key to curve25519")
 			delete(pairs)
 			return
 		}
 		ed25519_sk: [64]u8
 		for j in 0 ..< 32 {
 			ed25519_sk[j] = ssh_kp.Private[j]
 		}
 		for j in 0 ..< 32 {
 			ed25519_sk[32 + j] = ssh_kp.Public[j]
 		}
 		sk_rc := crypto_sign_ed25519_sk_to_curve25519(&pairs[i].Private[0], &ed25519_sk[0])
 		if sk_rc != 0 {
 			fmt.println("Error: failed to convert ed25519 private key to curve25519")
 			delete(pairs)
 			return
 		}
 	}
 	ok = true
 	return
 }
 encrypt :: proc(plaintext: []u8, keys: []SshKeyPair) -> (ciphertext: []u8, ok: bool) {
 	if !ensure_sodium() {
 		return
 	}
 	x25519_pairs, pairs_ok := ssh_to_x25519(keys)
 	if !pairs_ok {
 		return
@@ -193,10 +133,6 @@ encrypt :: proc(plaintext: []u8, keys: []SshKeyPair) -> (ciphertext: []u8, ok: b
 }
 decrypt :: proc(ciphertext: []u8, keys: []SshKeyPair) -> (plaintext: []u8, ok: bool) {
 	if !ensure_sodium() {
 		return
 	}
 	if len(ciphertext) < HEADER_SIZE {
 		fmt.println("Error: ciphertext too short (header)")
 		return
@@ -336,3 +272,52 @@ decrypt :: proc(ciphertext: []u8, keys: []SshKeyPair) -> (plaintext: []u8, ok: b
 	return
 }
 ssh_to_x25519 :: proc(keys: []SshKeyPair) -> (pairs: []X25519Keypair, ok: bool) {
 	if len(keys) == 0 {
 		return
 	}
 	pairs = make([]X25519Keypair, len(keys))
 	for i in 0 ..< len(keys) {
 		ssh_kp, parse_ok := parse_ssh_private_key(keys[i].Private)
 		if !parse_ok {
 			fmt.printf("Error: failed to parse SSH private key: %s\n", keys[i].Private)
 			delete(pairs)
 			return
 		}
 		ssh_pub, pub_ok := parse_ssh_public_key(keys[i].Public)
 		if !pub_ok {
 			fmt.printf("Error: failed to parse SSH public key: %s\n", keys[i].Public)
 			delete(pairs)
 			return
 		}
 		pk_rc := crypto_sign_ed25519_pk_to_curve25519(&pairs[i].Public[0], &ssh_pub[0])
 		if pk_rc != 0 {
 			fmt.println("Error: failed to convert ed25519 public key to curve25519")
 			delete(pairs)
 			return
 		}
 		ed25519_sk: [64]u8
 		for j in 0 ..< 32 {
 			ed25519_sk[j] = ssh_kp.Private[j]
 		}
 		for j in 0 ..< 32 {
 			ed25519_sk[32 + j] = ssh_kp.Public[j]
 		}
 		sk_rc := crypto_sign_ed25519_sk_to_curve25519(&pairs[i].Private[0], &ed25519_sk[0])
 		if sk_rc != 0 {
 			fmt.println("Error: failed to convert ed25519 private key to curve25519")
 			delete(pairs)
 			return
 		}
 	}
 	ok = true
 	return
 }
--- a/db.odin
+++ b/db.odin
@@ -2,12 +2,12 @@ package main
 import "core:crypto/hash"
 import "core:encoding/hex"
 import "core:encoding/ini"
 import "core:encoding/json"
 import "core:fmt"
 import "core:os"
 import "core:path/filepath"
 import "core:strings"
 import "core:time"
 import "sqlite"
@@ -51,51 +51,85 @@ delete_envfile :: proc(f: ^EnvFile) {
 	delete(f.contents)
 }
-make_temp_path :: proc() -> string {
+db_open :: proc(cfg_path: string) -> (database: Db, ok: bool) {
-	ts := time.time_to_unix(time.now())
+	database.cfg = load_config(cfg_path) or_return
-	b: strings.Builder
+
-	strings.builder_init(&b)
+	{
-	defer strings.builder_destroy(&b)
+		db: ^rawptr
-	fmt.sbprintf(&b, "/tmp/envr-%d-%d.db", os.get_pid(), ts)
+		rc := sqlite.db_open(":memory:", &db)
-	return strings.to_string(b)
+		if rc != sqlite.OK {
 			fmt.printf("Error opening in-memory database: %s\n", sqlite.db_errmsg(db))
 			return
 		}
 		create_sql: cstring = "CREATE TABLE IF NOT EXISTS envr_env_files (path TEXT PRIMARY KEY NOT NULL, remotes TEXT, sha256 TEXT NOT NULL, contents TEXT NOT NULL)"
 		rc = sqlite.db_exec(db, create_sql, nil, nil, nil)
 		if rc != sqlite.OK {
 			fmt.printf("Error creating table: %s\n", sqlite.db_errmsg(db))
 			sqlite.db_close(db)
 			return
 		}
 		database.db = db
 	}
 	// TODO: Use different allocators?
 	data_path := data_path(database.cfg.config_path, context.temp_allocator)
 	if os.exists(data_path) {
 		if ok = db_restore_from_encrypted(&database, data_path); !ok {
 			sqlite.db_close(database.db)
 			return
 		}
 	} else {
 		// DB was created
 		database.changed = true
 	}
 	return database, true
 }
-db_open :: proc(cfg_path: string) -> (Db, bool) {
+db_restore_from_encrypted :: proc(db: ^Db, data_path: string) -> bool {
-	cfg, ok := load_config(cfg_path)
+	encrypted_data, read_err := os.read_entire_file_from_path(data_path, context.allocator)
-	if !ok {
+	defer delete(encrypted_data)
-		return Db{}, false
+	if read_err != nil {
 		fmt.printf("Error reading encrypted database: %v\n", read_err)
 		return false
 	}
-	data_path := data_path(cfg.config_path)
+	plaintext, dec_ok := decrypt(encrypted_data, db.cfg.Keys[:])
-	_, stat_err := os.stat(data_path, context.allocator)
+	if !dec_ok {
 		fmt.println("Error: decryption failed")
 		return false
 	}
 	defer delete(plaintext)
-	db: ^rawptr
+	n := i64(len(plaintext))
-	rc := sqlite.db_open(":memory:", &db)
+	buf := sqlite.malloc64(n)
 	if buf == nil {
 		fmt.println("Error: failed to allocate buffer for deserialization")
 		return false
 	}
 	copy(buf[:len(plaintext)], plaintext)
 	rc := sqlite.deserialize(
 		db.db,
 		"main",
 		buf,
 		n,
 		n,
 		sqlite.DESERIALIZE_FREEONCLOSE | sqlite.DESERIALIZE_RESIZEABLE,
 	)
 	if rc != sqlite.OK {
-		fmt.printf("Error opening in-memory database: %s\n", sqlite.db_errmsg(db))
+		sqlite.free(buf)
-		return Db{}, false
+		fmt.printf("Error deserializing database: %s\n", sqlite.db_errmsg(db.db))
 		return false
 	}
-	create_sql: cstring = "CREATE TABLE IF NOT EXISTS envr_env_files (path TEXT PRIMARY KEY NOT NULL, remotes TEXT, sha256 TEXT NOT NULL, contents TEXT NOT NULL)"
+	return true
 	rc = sqlite.db_exec(db, create_sql, nil, nil, nil)
 	if rc != sqlite.OK {
 		fmt.printf("Error creating table: %s\n", sqlite.db_errmsg(db))
 		sqlite.db_close(db)
 		return Db{}, false
 	}
 	if stat_err == nil {
 		if !db_restore_from_encrypted(db, cfg) {
 			sqlite.db_close(db)
 			return Db{}, false
 		}
 	}
 	return Db{db = db, cfg = cfg, changed = stat_err != nil}, true
 }
 db_close :: proc(d: ^Db) {
 	defer sqlite.db_close(d.db)
 	defer delete_config(&d.cfg)
 	if d.changed {
 		rc := sqlite.db_exec(d.db, "VACUUM", nil, nil, nil)
@@ -134,13 +168,6 @@ db_close :: proc(d: ^Db) {
 	}
 }
 // Caller is responsible for calling:
 // ```odin
 // delete(results)
 // for &result in results {
 // 	delete(&result)
 // }
 // ```
 db_list :: proc(d: ^Db, allocator := context.allocator) -> (results: [dynamic]EnvFile, ok: bool) {
 	stmt: ^rawptr
 	rc := sqlite.prepare_v2(
@@ -189,145 +216,6 @@ db_list :: proc(d: ^Db, allocator := context.allocator) -> (results: [dynamic]En
 	return
 }
 db_restore_from_encrypted :: proc(db: ^rawptr, cfg: Config) -> bool {
 	encrypted_data, read_err := os.read_entire_file_from_path(
 		data_path(cfg.config_path),
 		context.allocator,
 	)
 	defer delete(encrypted_data)
 	if read_err != nil {
 		fmt.printf("Error reading encrypted database: %v\n", read_err)
 		return false
 	}
 	plaintext, dec_ok := decrypt(encrypted_data, cfg.Keys[:])
 	if !dec_ok {
 		fmt.println("Error: decryption failed")
 		return false
 	}
 	defer delete(plaintext)
 	n := i64(len(plaintext))
 	buf := sqlite.malloc64(n)
 	if buf == nil {
 		fmt.println("Error: failed to allocate buffer for deserialization")
 		return false
 	}
 	copy(buf[:len(plaintext)], plaintext)
 	rc := sqlite.deserialize(
 		db,
 		"main",
 		buf,
 		n,
 		n,
 		sqlite.DESERIALIZE_FREEONCLOSE | sqlite.DESERIALIZE_RESIZEABLE,
 	)
 	if rc != sqlite.OK {
 		sqlite.free(buf)
 		fmt.printf("Error deserializing database: %s\n", sqlite.db_errmsg(db))
 		return false
 	}
 	return true
 }
 get_git_remotes :: proc(dir: string) -> [dynamic]string {
 	remotes: [dynamic]string
 	remote_set: map[string]bool
 	b: strings.Builder
 	strings.builder_init(&b)
 	defer strings.builder_destroy(&b)
 	fmt.sbprintf(&b, "%s-git-remotes", make_temp_path())
 	tmp_path := strings.to_string(b)
 	tmp_file, tmp_err := os.open(tmp_path, os.O_CREATE | os.O_WRONLY | os.O_TRUNC)
 	if tmp_err != nil {
 		return remotes
 	}
 	args := []string{"git", "remote", "-v"}
 	desc := os.Process_Desc {
 		command     = args,
 		stdout      = tmp_file,
 		stderr      = nil,
 		working_dir = dir,
 	}
 	p, start_err := os.process_start(desc)
 	os.close(tmp_file)
 	if start_err != nil {
 		os.remove(tmp_path)
 		return remotes
 	}
 	state, wait_err := os.process_wait(p)
 	if wait_err != nil || state.exit_code != 0 {
 		os.remove(tmp_path)
 		return remotes
 	}
 	data, read_err := os.read_entire_file_from_path(tmp_path, context.allocator)
 	defer delete(data)
 	os.remove(tmp_path)
 	if read_err != nil {
 		return remotes
 	}
 	lines := strings.split(string(data), "\n")
 	for &line in lines {
 		line = strings.trim_space(line)
 		if len(line) == 0 {
 			continue
 		}
 		parts := strings.fields(line)
 		if len(parts) >= 2 {
 			remote_set[parts[1]] = true
 		}
 	}
 	for remote, _ in remote_set {
 		cloned, _ := strings.clone(remote)
 		append(&remotes, cloned)
 	}
 	return remotes
 }
 new_env_file :: proc(path: string) -> (EnvFile, bool) {
 	abs_path, abs_err := filepath.abs(path)
 	if abs_err != nil {
 		fmt.printf("Error getting absolute path: %v\n", abs_err)
 		return EnvFile{}, false
 	}
 	dir := filepath.dir(abs_path)
 	remotes := get_git_remotes(dir)
 	data, read_err := os.read_entire_file_from_path(abs_path, context.allocator)
 	defer delete(data)
 	if read_err != nil {
 		fmt.printf("Error reading file %s: %v\n", abs_path, read_err)
 		return EnvFile{}, false
 	}
 	digest := hash.hash_bytes(hash.Algorithm.SHA256, data, context.temp_allocator)
 	// TODO: Handle error
 	hex_bytes, _ := hex.encode(digest)
 	return EnvFile {
 			Path = abs_path,
 			Dir = dir,
 			Remotes = remotes,
 			Sha256 = string(hex_bytes),
 			contents = string(data),
 		},
 		true
 }
 db_insert :: proc(d: ^Db, file: EnvFile) -> bool {
 	remotes_json, marshal_err := json.marshal(file.Remotes)
 	if marshal_err != nil {
@@ -467,75 +355,36 @@ db_delete :: proc(d: ^Db, path: string) -> bool {
 	return true
 }
-to_cstring :: proc {
+new_env_file :: proc(path: string) -> (EnvFile, bool) {
-	string_to_cstring,
+	abs_path, abs_err := filepath.abs(path)
-	strings.to_cstring,
+	if abs_err != nil {
-}
+		fmt.printf("Error getting absolute path: %v\n", abs_err)
-
+		return EnvFile{}, false
 string_to_cstring :: proc(s: string, allocator := context.allocator) -> cstring {
 	cs, err := strings.clone_to_cstring(s, allocator)
 	if err != nil {
 		fmt.printf("Failed to convert string to cstring: %v\n", err)
 		panic("Allocation Exception")
 	}
 	return cs
 }
 clone_cstring :: proc(c: cstring, allocator := context.allocator) -> string {
 	str, err := strings.clone_from_cstring(c, allocator)
 	if err != nil {
 		fmt.printf("Failed to convert string to cstring: %v\n", err)
 		delete(str)
 		panic("Allocation Exception")
 	}
-	return str
+	dir := filepath.dir(abs_path)
 }
-db_update_required :: proc(status: SyncFlag) -> bool {
+	remotes := get_git_remotes(dir)
 	return .BackedUp in status || .DirUpdated in status
 }
-shares_remote :: proc(f: ^EnvFile, remotes: []string) -> bool {
+	data, read_err := os.read_entire_file_from_path(abs_path, context.allocator)
-	for r1 in f.Remotes {
+	defer delete(data)
-		for r2 in remotes {
+	if read_err != nil {
-			if r1 == r2 {
+		fmt.printf("Error reading file %s: %v\n", abs_path, read_err)
-				return true
+		return EnvFile{}, false
 			}
 		}
 	}
 	return false
 }
 update_dir :: proc(f: ^EnvFile, new_dir: string) {
 	f.Dir = new_dir
 	base := filepath.base(f.Path)
 	new_path, _ := strings.concatenate({new_dir, "/", base})
 	f.Path = new_path
 	f.Remotes = get_git_remotes(new_dir)
 }
 find_moved_dirs :: proc(d: ^Db, f: ^EnvFile) -> ([dynamic]string, bool) {
 	feats := check_features()
 	if .Git not_in feats {
 		fmt.println("Error: git is required for moved dir detection")
 		return {}, false
 	}
-	roots, roots_ok := find_git_roots(d.cfg)
+	digest := hash.hash_bytes(hash.Algorithm.SHA256, data, context.temp_allocator)
-	if !roots_ok {
+	// TODO: Handle error
-		return {}, false
+	hex_bytes, _ := hex.encode(digest)
 	}
-	moved: [dynamic]string
+	return EnvFile {
-	for root in roots {
+			Path = abs_path,
-		remotes := get_git_remotes(root)
+			Dir = dir,
-		if shares_remote(f, remotes[:]) {
+			Remotes = remotes,
-			cloned, _ := strings.clone(root)
+			Sha256 = string(hex_bytes),
-			append(&moved, cloned)
+			contents = string(data),
-		}
+		},
-	}
+		true
 	return moved, true
 }
 db_sync :: proc(d: ^Db, f: ^EnvFile) -> (SyncFlag, string) {
@@ -614,6 +463,31 @@ env_file_sync :: proc(f: ^EnvFile, dir: SyncDirection, d: ^Db) -> (SyncFlag, str
 	return result, ""
 }
 find_moved_dirs :: proc(d: ^Db, f: ^EnvFile) -> ([dynamic]string, bool) {
 	roots, roots_ok := find_git_roots(d.cfg)
 	if !roots_ok {
 		return {}, false
 	}
 	moved: [dynamic]string
 	for root in roots {
 		remotes := get_git_remotes(root)
 		if shares_remote(f, remotes[:]) {
 			cloned, _ := strings.clone(root)
 			append(&moved, cloned)
 		}
 	}
 	return moved, true
 }
 update_dir :: proc(f: ^EnvFile, new_dir: string) {
 	f.Dir = new_dir
 	base := filepath.base(f.Path)
 	new_path, _ := strings.concatenate({new_dir, "/", base})
 	f.Path = new_path
 	f.Remotes = get_git_remotes(new_dir)
 }
 // Loads the contents of the the file at f.Path into f.contents
 //
 // Caller is responsible for calling delete on f.contents and f.Sha256
@@ -635,3 +509,72 @@ env_file_backup :: proc(f: ^EnvFile) -> bool {
 	return true
 }
 shares_remote :: proc(f: ^EnvFile, remotes: []string) -> bool {
 	for r1 in f.Remotes {
 		for r2 in remotes {
 			if r1 == r2 {
 				return true
 			}
 		}
 	}
 	return false
 }
 get_git_remotes :: proc(dir: string) -> [dynamic]string {
 	remotes: [dynamic]string
 	remote_set: map[string]bool
 	defer delete(remote_set)
 	config_path, _ := filepath.join({dir, ".git", "config"}, context.temp_allocator)
 	m, _, ok := ini.load_map_from_path(config_path, context.allocator)
 	if !ok {
 		return remotes
 	}
 	defer ini.delete_map(m)
 	for section_name, section in m {
 		if strings.has_prefix(section_name, "remote ") {
 			if url, ok := section["url"]; ok {
 				remote_set[url] = true
 			}
 		}
 	}
 	for remote in remote_set {
 		cloned, _ := strings.clone(remote)
 		append(&remotes, cloned)
 	}
 	return remotes
 }
 db_update_required :: proc(status: SyncFlag) -> bool {
 	return .BackedUp in status || .DirUpdated in status
 }
 to_cstring :: proc {
 	string_to_cstring,
 	strings.to_cstring,
 }
 string_to_cstring :: proc(s: string, allocator := context.allocator) -> cstring {
 	cs, err := strings.clone_to_cstring(s, allocator)
 	if err != nil {
 		fmt.printf("Failed to convert string to cstring: %v\n", err)
 		panic("Allocation Exception")
 	}
 	return cs
 }
 // Caller is responsible for freeing the result
 clone_cstring :: proc(c: cstring, allocator := context.allocator) -> string {
 	str, err := strings.clone_from_cstring(c, allocator)
 	if err != nil {
 		fmt.printf("Failed to convert string to cstring: %v\n", err)
 		delete(str)
 		panic("Allocation Exception")
 	}
 	return str
 }
--- a/db_test.odin
+++ b/db_test.odin
@@ -319,11 +319,85 @@ test_shares_remote_both_empty :: proc(t: ^testing.T) {
 	testing.expect(t, !shares_remote(&f, remotes), "both empty should not share")
 }
 delete_remotes :: proc(remotes: [dynamic]string) {
 	for &r in remotes {
 		delete(r)
 	}
 	delete(remotes)
 }
@(test)
-test_make_temp_path_format :: proc(t: ^testing.T) {
+test_get_git_remotes_single :: proc(t: ^testing.T) {
-	p := make_temp_path()
+	base := fmt.tprintf("/tmp/envr-test-remotes-%d", os.get_pid())
-	testing.expect(t, strings.has_suffix(p, ".db"), "should end with .db")
+	os.mkdir_all(base)
-	testing.expect(t, strings.contains(p, fmt.tprintf("%d", os.get_pid())), "should contain PID")
+	defer os.remove_all(base)
 	git_dir := fmt.tprintf("%s/.git", base)
 	os.mkdir_all(git_dir)
 	config_content := "[core]\n\trepositoryformatversion = 0\n[remote \"origin\"]\n\turl = git@github.com:user/repo.git\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
 	config_path := fmt.tprintf("%s/config", git_dir)
 	err := os.write_entire_file(config_path, transmute([]u8)config_content)
 	testing.expect(t, err == nil, "should write .git/config")
 	remotes := get_git_remotes(base)
 	defer delete_remotes(remotes)
 	testing.expect(t, len(remotes) == 1, "should find 1 remote")
 	if len(remotes) != 1 do return
 	testing.expect_value(t, remotes[0], "git@github.com:user/repo.git")
 }
@(test)
 test_get_git_remotes_multiple :: proc(t: ^testing.T) {
 	base := fmt.tprintf("/tmp/envr-test-remotes-multi-%d", os.get_pid())
 	os.mkdir_all(base)
 	defer os.remove_all(base)
 	git_dir := fmt.tprintf("%s/.git", base)
 	os.mkdir_all(git_dir)
 	config_content := "[remote \"origin\"]\n\turl = git@github.com:user/repo.git\n[remote \"upstream\"]\n\turl = https://gitlab.com/upstream/repo.git\n"
 	config_path := fmt.tprintf("%s/config", git_dir)
 	err := os.write_entire_file(config_path, transmute([]u8)config_content)
 	testing.expect(t, err == nil, "should write .git/config")
 	remotes := get_git_remotes(base)
 	defer delete_remotes(remotes)
 	testing.expect(t, len(remotes) == 2, "should find 2 remotes")
 }
@(test)
 test_get_git_remotes_no_config :: proc(t: ^testing.T) {
 	base := fmt.tprintf("/tmp/envr-test-remotes-none-%d", os.get_pid())
 	os.mkdir_all(base)
 	defer os.remove_all(base)
 	remotes := get_git_remotes(base)
 	defer delete_remotes(remotes)
 	testing.expect(t, len(remotes) == 0, "should return empty when no .git/config")
 }
@(test)
 test_get_git_remotes_no_remotes :: proc(t: ^testing.T) {
 	base := fmt.tprintf("/tmp/envr-test-remotes-empty-%d", os.get_pid())
 	os.mkdir_all(base)
 	defer os.remove_all(base)
 	git_dir := fmt.tprintf("%s/.git", base)
 	os.mkdir_all(git_dir)
 	config_content := "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
 	config_path := fmt.tprintf("%s/config", git_dir)
 	err := os.write_entire_file(config_path, transmute([]u8)config_content)
 	testing.expect(t, err == nil, "should write .git/config")
 	remotes := get_git_remotes(base)
 	defer delete_remotes(remotes)
 	testing.expect(t, len(remotes) == 0, "should return empty when no remote sections")
 }
@(test)
@@ -398,3 +472,51 @@ test_update_dir :: proc(t: ^testing.T) {
 	testing.expect_value(t, f.Path, "/new/location/.env")
 }
@(test)
 test_closing_db_has_no_leaks :: proc(t: ^testing.T) {
 	base := fmt.tprintf("/tmp/envr-test-leak-%d", os.get_pid())
 	os.mkdir_all(base)
 	defer os.remove_all(base)
 	cfg_path, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
 	testing.expect(t, err == nil, "cfgPath should build successfully")
 	cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
 	defer delete_config(&cfg)
 	testing.expect(t, save_config(cfg, force = true), "save should succeed")
 	db, ok := db_open(cfg_path)
 	testing.expect(t, ok, "db should open")
 	if !ok do return
 	db_close(&db)
 }
@(test)
 test_open_existing_db_has_no_leaks :: proc(t: ^testing.T) {
 	base := fmt.tprintf("/tmp/envr-test-leak-existing-%d", os.get_pid())
 	os.mkdir_all(base)
 	defer os.remove_all(base)
 	cfg_path, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
 	testing.expect(t, err == nil, "cfgPath should build successfully")
 	cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
 	defer delete_config(&cfg)
 	testing.expect(t, save_config(cfg, force = true), "save should succeed")
 	// First open/close creates data.envr on disk
 	db, ok := db_open(cfg_path)
 	testing.expect(t, ok, "db should open")
 	if !ok do return
 	f := make_test_env_file("/project/.env", "abc123", "SECRET=value", []string{"git@github.com:user/repo.git"})
 	defer delete(f.Remotes)
 	testing.expect(t, db_insert(&db, f), "insert should succeed")
 	db_close(&db)
 	// Second open exercises db_restore_from_encrypted
 	db2, ok2 := db_open(cfg_path)
 	testing.expect(t, ok2, "db should open existing")
 	if !ok2 do return
 	db_close(&db2)
 }
--- a/docs/cli/envr.md
+++ b/docs/cli/envr.md
@@ -45,7 +45,6 @@ at before, restore your backup with:
 * [envr backup](envr_backup.md)	 - Import a .env file into envr
 * [envr check](envr_check.md)	 - check if files in the current directory are backed up
 * [envr deps](envr_deps.md)	 - Check for missing binaries
 * [envr edit-config](envr_edit-config.md)	 - Edit your config with your default editor
 * [envr init](envr_init.md)	 - Set up envr
 * [envr list](envr_list.md)	 - View your tracked files
--- a/docs/cli/envr_deps.md
+++ b/docs/cli/envr_deps.md
@@ -1,24 +0,0 @@
 ## envr deps
 Check for missing binaries
 ### Synopsis
 envr relies on external binaries for certain functionality.
 The check command reports on which binaries are available and which are not.
 ```
 envr deps [flags]
 ```
 ### Options
 ```
  -h, --help   help for deps
 ```
 ### SEE ALSO
 * [envr](envr.md)	 - Manage your .env files.
--- a/features.odin
+++ b/features.odin
@@ -1,47 +0,0 @@
 package main
 import "base:runtime"
 import "core:mem"
 import "core:os"
 import "core:strings"
 Feature :: enum {
 	Git,
 }
 AvailableFeatures :: bit_set[Feature]
 check_features :: proc() -> AvailableFeatures {
 	feats: AvailableFeatures
 	s: mem.Scratch
 	mem.scratch_init(&s, 4 * mem.DEFAULT_PAGE_SIZE)
 	defer mem.scratch_destroy(&s)
 	context.temp_allocator = mem.scratch_allocator(&s)
 	path_env := os.get_env("PATH", context.temp_allocator)
 	paths := strings.split(path_env, ":", context.temp_allocator)
 	if find_binary(paths, "git") != "" {
 		feats += {.Git}
 	}
 	return feats
 }
 find_binary :: proc(
 	paths: []string,
 	name: string,
 	allocator: runtime.Allocator = context.temp_allocator,
 ) -> string {
 	for p in paths {
 		candidate := strings.join({strings.trim_right(p, "/"), name}, "/", allocator)
 		_, err := os.stat(candidate, allocator)
 		if err == nil {
 			return candidate
 		}
 	}
 	return ""
 }
--- a/features_test.odin
+++ b/features_test.odin
@@ -1,34 +0,0 @@
 package main
 import "core:os"
 import "core:strings"
 import "core:testing"
@(test)
 test_find_binary_exists :: proc(t: ^testing.T) {
 	path := os.get_env("PATH", context.temp_allocator)
 	paths := strings.split(path, ":", context.temp_allocator)
 	result := find_binary(paths, "sh")
 	testing.expect(t, result != "", "sh should be found on PATH")
 }
@(test)
 test_find_binary_not_exists :: proc(t: ^testing.T) {
 	old_path := os.get_env("PATH", context.temp_allocator)
 	defer {
 		if old_path != "" {
 			os.set_env("PATH", old_path)
 		}
 	}
 	os.set_env("PATH", "/tmp/envr-nope")
 	path := os.get_env("PATH", context.temp_allocator)
 	paths := strings.split(path, ":", context.temp_allocator)
 	result := find_binary(paths, "no_such_binary_xyz")
 	testing.expect(t, result == "", "nonexistent binary should not be found")
 }
--- a/findr/walker.odin
+++ b/findr/walker.odin
@@ -1,5 +1,6 @@
 package findr
 import "core:bytes"
 import "core:fmt"
 import "core:os"
 import "core:strings"
@@ -54,19 +55,26 @@ Collector_Data :: struct {
 collect_worker :: proc(t: ^thread.Thread) {
 	data := cast(^Collector_Data)t.data
 	for {
-		batch, ok := chan.recv(data.ch)
+		batch := chan.recv(data.ch) or_break
-		if !ok do break
+		defer delete(batch)
 		start := 0
-		for i in 0 ..< len(batch) {
+		for {
-			if batch[i] == '\n' {
+			remaining: []u8
-				if i > start {
+			#no_bounds_check {remaining = batch[start:]}
-					s, _ := strings.clone(string(batch[start:i]))
+
-					append(data.results, s)
+			idx := bytes.index_byte(remaining, '\n')
-				}
+			if idx < 0 do break
-				start = i + 1
+
 			i := start + idx
 			if i > start {
 				segment: []u8
 				#no_bounds_check {segment = batch[start:i]}
 				s, _ := strings.clone(string(segment))
 				append(data.results, s)
 			}
 			start = i + 1
 		}
 		delete(batch)
 	}
 }
@@ -447,3 +455,4 @@ join_path :: proc(parent, child: string) -> string {
 	copy(buf[pos:], child)
 	return string(buf)
 }
--- a/main.odin
+++ b/main.odin
@@ -1,14 +1,31 @@
 package main
 import "core:bufio"
 import "core:fmt"
 import "core:mem"
 import "core:os"
 main :: proc() {
 	when ODIN_DEBUG {
 		heap_track: mem.Tracking_Allocator
 		mem.tracking_allocator_init(&heap_track, context.allocator)
 		defer mem.tracking_allocator_destroy(&heap_track)
 		defer if len(heap_track.allocation_map) > 0 {
 			for _, leak in heap_track.allocation_map {
 				fmt.eprintf("LEAK: %v leaked %m\n", leak.location, leak.size)
 			}
 		}
 		context.allocator = mem.tracking_allocator(&heap_track)
 		temp_track: mem.Tracking_Allocator
 		mem.tracking_allocator_init(&temp_track, context.temp_allocator)
 		defer mem.tracking_allocator_destroy(&temp_track)
 		context.temp_allocator = mem.tracking_allocator(&temp_track)
 	}
 	defer free_all(context.temp_allocator)
 	cmd, ok := parse_args(os.args, os.to_writer(os.stdout), os.to_writer(os.stderr))
-	defer bufio.writer_flush(cmd.out_buf)
+	defer delete_command(&cmd) // delete flushes automatically
 	if !ok {
 		return
 	}
@@ -18,8 +35,6 @@ main :: proc() {
 		cmd_init(&cmd)
 	case "version":
 		cmd_version(&cmd)
 	case "deps":
 		cmd_deps(&cmd)
 	case "list":
 		cmd_list(&cmd)
 	case "backup", "add":
--- a/ssh.odin
+++ b/ssh.odin
@@ -12,24 +12,6 @@ Ed25519Keypair :: struct {
 	Private: [32]u8,
 }
 read_wire_string :: proc(data: []u8, offset: ^int) -> (s: string, ok: bool) {
 	if offset^ + 4 > len(data) {
 		return
 	}
 	length := u32(data[offset^]) << 24 | u32(data[offset^ + 1]) << 16 |
 		u32(data[offset^ + 2]) << 8 | u32(data[offset^ + 3])
 	offset^ += 4
 	if offset^ + int(length) > len(data) {
 		return
 	}
 	s = string(data[offset^ : offset^ + int(length)])
 	offset^ += int(length)
 	ok = true
 	return
 }
 parse_ssh_public_key :: proc(pub_path: string) -> (pub: [32]u8, ok: bool) {
 	data, err := os.read_entire_file_from_path(pub_path, context.temp_allocator)
 	if err != nil {
@@ -253,3 +235,21 @@ is_encrypted_key :: proc(priv_path: string) -> bool {
 	return ciphername != "none"
 }
 read_wire_string :: proc(data: []u8, offset: ^int) -> (s: string, ok: bool) {
 	if offset^ + 4 > len(data) {
 		return
 	}
 	length := u32(data[offset^]) << 24 | u32(data[offset^ + 1]) << 16 |
 		u32(data[offset^ + 2]) << 8 | u32(data[offset^ + 3])
 	offset^ += 4
 	if offset^ + int(length) > len(data) {
 		return
 	}
 	s = string(data[offset^ : offset^ + int(length)])
 	offset^ += int(length)
 	ok = true
 	return
 }
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.3.0
+0.4.0
Author	SHA1	Message	Date
Spencer Brower	f0b12582ba	chore(dev): release 0.4.0	2026-06-18 10:35:49 -04:00
Spencer Brower	5059572951	fix: Fixed memory leaks in the db.	2026-06-18 10:35:21 -04:00
Spencer Brower	d2b84ac4c6	refactor(crypto): used a proper init procedure.	2026-06-18 08:18:09 -04:00
Spencer Brower	96bc218c46	style: Ordered procedures by usage, with main at the top.	2026-06-18 08:08:46 -04:00
Spencer Brower	3b32e365c9	chore: Updated TODOS.md	2026-06-18 07:45:38 -04:00
Spencer Brower	12574e123b	feat: Removed runtime git dependency. This also allowed us to drop the Features code.	2026-06-18 07:29:44 -04:00