sealcode 0.1.0 → 0.3.0

package/README.md

@@ -85,6 +85,9 @@ sealcode uninstall-hook  # remove hook block
 sealcode panic           # immediate re-lock + session wipe
 sealcode logout          # clear cached session, force passphrase next time
 sealcode presets         # list supported ecosystems
+sealcode share <opts>    # mint a temporary access code (Pro; needs link + login)
+sealcode redeem <code>   # accept an access code shared with you
+sealcode watch <code>    # poll the server; auto-lock if the owner revokes (Pro)
 sealcode pro             # Pro tier info
 sealcode where           # debug: print paths and state (no secrets)
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/cli-ci-tokens.js

@@ -0,0 +1,123 @@
+'use strict';
+
+/**
+ * CI/CD short-lived tokens.
+ *
+ *   sealcode ci-token create --label "GH Actions" --ttl 24h --scope unlock
+ *   sealcode ci-token list
+ *   sealcode ci-token revoke <id>
+ *
+ * Requires the project to be linked (`sealcode link <id>`). All three
+ * commands authenticate as the logged-in user; the *resulting* token is what
+ * the CI pipeline uses afterwards via SEALCODE_CI_TOKEN.
+ */
+
+const { request } = require('./api');
+const { getLink } = require('./link-state');
+const ui = require('./ui');
+
+function requireLink(projectRoot) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    throw new Error(
+      'This project is not linked. Run `sealcode link <projectId>` first.',
+    );
+  }
+  return link;
+}
+
+/**
+ * Parse a TTL string into hours. Accepts: "1h" "8h" "1d" "30d" "168" (bare = hours).
+ */
+function parseTtl(input) {
+  if (input == null) return 24;
+  const s = String(input).trim().toLowerCase();
+  const m = s.match(/^(\d+)\s*(h|hr|hour|hours|d|day|days|w|week|weeks)?$/);
+  if (!m) throw new Error(`Invalid --ttl: "${input}". Try "1h", "8h", "1d", "1w".`);
+  const n = parseInt(m[1], 10);
+  const unit = m[2] || 'h';
+  if (unit.startsWith('h')) return n;
+  if (unit.startsWith('d')) return n * 24;
+  if (unit.startsWith('w')) return n * 24 * 7;
+  return n;
+}
+
+async function runCiCreate({ projectRoot, label, ttl, scope, json = false }) {
+  const link = requireLink(projectRoot);
+  if (!label || !label.trim()) {
+    throw new Error('--label is required (e.g. --label "GitHub Actions · deploy").');
+  }
+  const expiresInHours = parseTtl(ttl);
+  const allowedScopes = ['read', 'unlock'];
+  if (!allowedScopes.includes(scope)) {
+    throw new Error(`--scope must be one of: ${allowedScopes.join(', ')}.`);
+  }
+
+  const res = await request(
+    'POST',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/ci-tokens`,
+    { auth: true, body: { label: label.trim(), scope, expiresInHours } },
+  );
+  const t = res.token;
+  if (json) {
+    process.stdout.write(JSON.stringify({ token: t }, null, 2) + '\n');
+    return;
+  }
+  ui.box('CI token — copy now, shown only once', [
+    `  ${ui.c.bold(ui.c.green(t.token))}`,
+    '',
+    `${ui.c.dim('label  ')} ${ui.c.bold(t.label)}`,
+    `${ui.c.dim('scope  ')} ${t.scope}`,
+    `${ui.c.dim('expires')} ${t.expiresAt}`,
+    `${ui.c.dim('id     ')} ${t.id}`,
+  ], { tone: 'green' });
+  ui.hint('In your CI provider, set this as a masked secret:');
+  process.stdout.write(`    ${ui.c.cyan(`SEALCODE_CI_TOKEN=${t.token.slice(0, 12)}…`)}\n\n`);
+}
+
+async function runCiList({ projectRoot, json = false }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/ci-tokens`,
+    { auth: true },
+  );
+  const tokens = res.tokens || [];
+  if (json) {
+    process.stdout.write(JSON.stringify({ tokens }, null, 2) + '\n');
+    return;
+  }
+  if (tokens.length === 0) {
+    process.stdout.write(
+      'No CI tokens yet. Create one with `sealcode ci-token create --label "…"`.\n',
+    );
+    return;
+  }
+  process.stdout.write(
+    `\n${link.projectName || link.projectId}: ${tokens.length} CI token(s)\n`,
+  );
+  for (const t of tokens) {
+    const state = t.state.padEnd(8);
+    const scope = (t.scope || '').padEnd(7);
+    process.stdout.write(
+      `  ${state}  ${scope}  ${t.tokenPrefix.padEnd(10)}  ${t.label}  ${ui.c.dim('id=' + t.id)}\n`,
+    );
+  }
+  process.stdout.write('\n');
+}
+
+async function runCiRevoke({ tokenId }) {
+  if (!tokenId) throw new Error('Usage: sealcode ci-token revoke <id>');
+  const res = await request(
+    'DELETE',
+    `/api/v1/ci-tokens/${encodeURIComponent(tokenId)}`,
+    { auth: true },
+  );
+  if (res.alreadyTerminal) {
+    process.stdout.write(`(token was already revoked or expired)\n`);
+    return;
+  }
+  process.stdout.write(`✓ revoked CI token ${tokenId}\n`);
+}
+
+module.exports = { runCiCreate, runCiList, runCiRevoke, parseTtl };

package/src/cli-escrow.js

@@ -0,0 +1,236 @@
+'use strict';
+
+/**
+ * Cloud key escrow.
+ *
+ *   sealcode escrow status          → print whether escrow is enabled
+ *   sealcode escrow enable          → prompt for a recovery passphrase, wrap K,
+ *                                     upload ciphertext + KDF params
+ *   sealcode escrow disable         → delete the server-side blob
+ *   sealcode escrow recover         → download blob, prompt for passphrase,
+ *                                     unwrap K, save session so unlock works
+ *
+ * The server NEVER sees the recovery passphrase or the plaintext master key.
+ * What's stored is:
+ *   { ciphertext: base64(IV ‖ tag ‖ AES-GCM(wrap_key, K)),
+ *     kdfParams: { kind: "scrypt", N, r, p, saltB64 } }
+ */
+
+const os = require('os');
+const crypto = require('crypto');
+
+const { request } = require('./api');
+const { getLink } = require('./link-state');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized, unwrap, saveSession } = require('./keystore');
+const { deriveKey, makeSalt, passphraseStrength } = require('./kdf');
+const { hidden } = require('./prompt');
+const ui = require('./ui');
+
+function requireLink(projectRoot) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    throw new Error(
+      'This project is not linked. Run `sealcode link <projectId>` first.',
+    );
+  }
+  return link;
+}
+
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _file: null,
+    _implicit: true,
+  };
+}
+
+function clientMeta() {
+  return {
+    hostname: os.hostname(),
+    platform: `${os.platform()}-${os.arch()}`,
+  };
+}
+
+async function runEscrowStatus({ projectRoot, json = false }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    { auth: true },
+  );
+  if (json) {
+    process.stdout.write(JSON.stringify({ escrow: res.escrow }, null, 2) + '\n');
+    return;
+  }
+  if (!res.escrow.exists) {
+    process.stdout.write('Cloud escrow: disabled.\n');
+    return;
+  }
+  const s = res.escrow;
+  process.stdout.write(
+    `\nCloud escrow: ${ui.c.green('enabled')}\n`
+      + `  uploaded:   ${s.uploadedAt}\n`
+      + `  updated:    ${s.updatedAt}\n`
+      + `  from:       ${s.uploadedFromHostname || '(unknown)'} ${s.uploadedFromPlatform ? `· ${s.uploadedFromPlatform}` : ''}\n`
+      + `  last touch: ${s.lastAccessedAt || '(never)'}\n\n`,
+  );
+}
+
+async function runEscrowEnable({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) {
+    throw new Error(
+      'This project has no vault yet. Run `sealcode init` first.',
+    );
+  }
+
+  // 1. Resolve the actual master key. We need the user's normal passphrase
+  //    (or a cached session) — escrow is *additional* protection, not a
+  //    replacement.
+  process.stdout.write('First, prove you can unlock this vault.\n');
+  const projectPp = await hidden('Project passphrase:');
+  let K;
+  try {
+    K = await unwrap(projectRoot, config.lockedDir, { passphrase: projectPp });
+  } catch {
+    throw new Error('Wrong passphrase. Escrow not enabled.');
+  }
+  saveSession(projectRoot, K);
+
+  // 2. Take a separate recovery passphrase. We tell the user this is the one
+  //    they'll need if they lose the laptop AND the project passphrase.
+  process.stdout.write(
+    '\nNow choose a separate ' + ui.c.bold('recovery passphrase') + ' for cloud escrow.\n'
+    + ui.c.dim('  This is what you\'ll type on a new laptop after `sealcode escrow recover`.\n')
+    + ui.c.dim('  Store it somewhere different from your project passphrase.\n\n'),
+  );
+  const recoveryPp = await hidden('Recovery passphrase:');
+  if (!recoveryPp) throw new Error('Recovery passphrase is required.');
+  const confirmPp = await hidden('Confirm recovery passphrase:');
+  if (recoveryPp !== confirmPp) {
+    throw new Error('Recovery passphrases do not match.');
+  }
+  const strength = passphraseStrength(recoveryPp);
+  if (strength.level === 'weak') {
+    throw new Error(`Recovery passphrase is too weak (${strength.reason}). Try at least 16 chars or a passphrase like "correct-horse-battery-staple".`);
+  }
+
+  // 3. Derive wrap key with a fresh salt.
+  const salt = makeSalt();
+  const wrapKey = await deriveKey(recoveryPp, salt);
+
+  // 4. Encrypt K under wrapKey with AES-256-GCM.
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', wrapKey, iv);
+  const enc = Buffer.concat([cipher.update(K), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const blob = Buffer.concat([iv, tag, enc]).toString('base64');
+
+  // 5. Ship to the server.
+  const meta = clientMeta();
+  await request(
+    'PUT',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    {
+      auth: true,
+      body: {
+        ciphertext: blob,
+        kdfParams: {
+          kind: 'scrypt',
+          N: 1 << 17,
+          r: 8,
+          p: 1,
+          saltB64: salt.toString('base64'),
+          version: 1,
+        },
+        hostname: meta.hostname,
+        platform: meta.platform,
+      },
+    },
+  );
+
+  // 6. Wipe wrapKey from memory ASAP.
+  wrapKey.fill(0);
+
+  ui.ok('Cloud escrow enabled.');
+  ui.hint('  Recover on a new machine with:  sealcode escrow recover');
+}
+
+async function runEscrowDisable({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'DELETE',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    { auth: true },
+  );
+  if (res.deleted) {
+    ui.ok('Cloud escrow disabled. Server-side blob deleted.');
+  } else {
+    process.stdout.write('(nothing to disable — escrow wasn\'t set up)\n');
+  }
+}
+
+async function runEscrowRecover({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) {
+    throw new Error(
+      'No vault on this machine yet. Clone the repo first, then re-run.',
+    );
+  }
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow?full=1`,
+    { auth: true },
+  );
+  if (!res.ciphertext || !res.kdfParams) {
+    throw new Error('No escrow blob for this project. Set it up first with `sealcode escrow enable`.');
+  }
+  if (res.kdfParams.kind !== 'scrypt') {
+    throw new Error(`Unsupported KDF kind: ${res.kdfParams.kind}`);
+  }
+  const salt = Buffer.from(res.kdfParams.saltB64, 'base64');
+
+  const recoveryPp = await hidden('Recovery passphrase:');
+  if (!recoveryPp) throw new Error('Recovery passphrase is required.');
+
+  // Re-derive wrap key with the server-supplied salt.
+  const wrapKey = await deriveKey(recoveryPp, salt);
+
+  // Decrypt blob.
+  const blob = Buffer.from(res.ciphertext, 'base64');
+  const iv = blob.subarray(0, 12);
+  const tag = blob.subarray(12, 28);
+  const ct = blob.subarray(28);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', wrapKey, iv);
+  decipher.setAuthTag(tag);
+  let K;
+  try {
+    K = Buffer.concat([decipher.update(ct), decipher.final()]);
+  } catch {
+    wrapKey.fill(0);
+    throw new Error('Wrong recovery passphrase, or the escrow blob has been tampered with.');
+  }
+  wrapKey.fill(0);
+
+  saveSession(projectRoot, K);
+  ui.ok('Recovery successful. Session cached — you can now run `sealcode unlock`.');
+}
+
+module.exports = {
+  runEscrowStatus,
+  runEscrowEnable,
+  runEscrowDisable,
+  runEscrowRecover,
+};

package/src/cli-watch.js

@@ -0,0 +1,288 @@
+'use strict';
+
+/**
+ * `sealcode watch <code>` — long-running agent for an access-code recipient.
+ *
+ * This is the missing piece of the "real-time revoke" story:
+ *
+ *   On the OWNER side: `sealcode share` mints a code, `sealcode revoke` (or
+ *   the dashboard) kills it.
+ *
+ *   On the RECIPIENT side: `sealcode redeem` validates the code once, then
+ *   the user runs `sealcode unlock` to start working. While they're working,
+ *   `sealcode watch <code>` polls the heartbeat endpoint and:
+ *
+ *     - prints a heartbeat line every interval so the demo is visible
+ *     - on `action: "lock"` (revoked / expired / auto-lock reached), it
+ *       immediately runs the same lock pipeline as `sealcode lock`, wipes
+ *       the cached session, and exits with status 0.
+ *     - on `action: "warn"` (close to expiry), warns the user.
+ *     - on transient network failure, retries; only an explicit terminal
+ *       response from the server triggers a lock.
+ *
+ * The watcher does NOT need an account / login — the access code itself is
+ * the authentication for these endpoints. That matches the contractor flow:
+ * they may not have a sealcode.dev account at all.
+ */
+
+const path = require('path');
+
+const { request, ApiError } = require('./api');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized, loadSession, clearSession } = require('./keystore');
+const { runLock } = require('./seal');
+const { SealcodeError } = require('./errors');
+const ui = require('./ui');
+
+const DEFAULT_INTERVAL_SEC = 30;
+const MIN_INTERVAL_SEC = 5;
+const MAX_INTERVAL_SEC = 600;
+const TRANSIENT_BACKOFF_SEC = 5;
+
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _file: null,
+    _implicit: true,
+  };
+}
+
+function fmtRemaining(ms) {
+  if (ms == null) return '';
+  if (ms <= 0) return 'expired';
+  const sec = Math.floor(ms / 1000);
+  if (sec < 60) return `${sec}s`;
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min}m ${sec % 60}s`;
+  const hr = Math.floor(min / 60);
+  if (hr < 24) return `${hr}h ${min % 60}m`;
+  return `${Math.floor(hr / 24)}d ${hr % 24}h`;
+}
+
+function ts() {
+  const d = new Date();
+  return d.toTimeString().slice(0, 8);
+}
+
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+/**
+ * Single heartbeat round-trip. Returns `{ ok, response, transient }`:
+ *   - ok=true with response on a real 2xx server reply
+ *   - ok=false with transient=true on a network / 5xx blip — caller retries
+ *   - throws SealcodeError on a malformed code / 404 etc. — caller exits
+ */
+async function heartbeatOnce(code) {
+  try {
+    const res = await request('POST', '/api/v1/access/heartbeat', {
+      body: { code },
+    });
+    return { ok: true, response: res };
+  } catch (err) {
+    if (err instanceof ApiError) {
+      if (err.status === 0 || err.status >= 500) {
+        return { ok: false, transient: true, err };
+      }
+      // 4xx (code not found, bad request) is terminal — don't keep guessing.
+      throw new SealcodeError('SEALCODE_WATCH_BAD_CODE', {
+        detail: `Heartbeat rejected (${err.status} ${err.apiCode}): ${err.message}`,
+        hint: 'Try: sealcode redeem <code>   (re-validate the access code)',
+      });
+    }
+    return { ok: false, transient: true, err };
+  }
+}
+
+/**
+ * @param {Object} opts
+ * @param {string} opts.projectRoot
+ * @param {string} opts.code           — access code (SC-XXXX-…)
+ * @param {number} [opts.intervalSec]  — override poll interval
+ * @param {boolean} [opts.verbose]
+ * @param {boolean} [opts.json]        — emit JSONL events instead of pretty
+ */
+async function runWatch({ projectRoot, code, intervalSec, verbose = false, json = false }) {
+  if (!code || typeof code !== 'string') {
+    throw new SealcodeError('SEALCODE_WATCH_NO_CODE', {
+      detail: 'Pass the access code as the first argument.',
+      hint: 'Try: sealcode watch SC-XXXX-XXXX-XXXX-XXXX',
+    });
+  }
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) {
+    throw new SealcodeError('SEALCODE_NO_MANIFEST');
+  }
+
+  const trimmedCode = code.trim();
+
+  // First call doubles as a fast-fail validator and as a way to learn the
+  // server-side heartbeat interval, which we honor unless --interval is set.
+  const first = await heartbeatOnce(trimmedCode);
+  if (!first.ok) {
+    throw new SealcodeError('SEALCODE_WATCH_OFFLINE', {
+      detail: `Cannot reach sealcode.dev: ${first.err?.message || 'network error'}.`,
+      hint: 'Try: check connectivity, then re-run `sealcode watch`.',
+    });
+  }
+  const serverInterval = Number(first.response?.heartbeatIntervalSeconds) || DEFAULT_INTERVAL_SEC;
+  const effectiveInterval = Math.max(
+    MIN_INTERVAL_SEC,
+    Math.min(MAX_INTERVAL_SEC, intervalSec || serverInterval),
+  );
+
+  // Handle the "already locked at startup" case before announcing.
+  if (first.response.action === 'lock') {
+    return finalLock(projectRoot, config, trimmedCode, first.response.reason, json);
+  }
+
+  if (json) {
+    process.stdout.write(
+      JSON.stringify({ type: 'start', intervalSec: effectiveInterval, ...first.response }) + '\n',
+    );
+  } else {
+    ui.box('Watching access code', [
+      `${ui.c.dim('code      ')} ${ui.c.bold(trimmedCode)}`,
+      `${ui.c.dim('interval  ')} every ${effectiveInterval}s`,
+      `${ui.c.dim('expires   ')} ${first.response.expiresAt || '(unknown)'}`,
+      first.response.autoLockAt
+        ? `${ui.c.dim('auto-lock ')} ${first.response.autoLockAt}`
+        : `${ui.c.dim('auto-lock ')} ${ui.c.dim('(none)')}`,
+      `${ui.c.dim('strict    ')} ${first.response.strictMode ? 'yes' : 'no'}`,
+      '',
+      ui.c.dim('Press Ctrl-C to stop. If the owner revokes this code, your local'),
+      ui.c.dim('files will be re-locked automatically.'),
+    ]);
+  }
+
+  // Print one immediate "ok" line so the demo viewer sees activity right away.
+  printTick(first.response, json, verbose);
+
+  // Make Ctrl-C clean.
+  let stopped = false;
+  const onSig = () => {
+    if (stopped) return;
+    stopped = true;
+    if (!json) ui.say('\n' + ui.c.dim('stopped watching (files left as-is)'));
+    process.exit(0);
+  };
+  process.on('SIGINT', onSig);
+  process.on('SIGTERM', onSig);
+
+  let consecutiveTransient = 0;
+  while (!stopped) {
+    await sleep(effectiveInterval * 1000);
+    if (stopped) break;
+    let r;
+    try {
+      r = await heartbeatOnce(trimmedCode);
+    } catch (err) {
+      // Terminal error (malformed code etc.) — propagate.
+      throw err;
+    }
+    if (!r.ok) {
+      consecutiveTransient += 1;
+      if (!json) {
+        ui.warn(`[${ts()}] transient: ${r.err?.message || 'network'} (retry in ${TRANSIENT_BACKOFF_SEC}s)`);
+      } else {
+        process.stdout.write(
+          JSON.stringify({ type: 'transient', at: new Date().toISOString(), error: String(r.err?.message || r.err) }) + '\n',
+        );
+      }
+      // After a long offline streak the recipient should know — but we don't
+      // auto-lock on a server outage. Owner intent (revoke) must be observable.
+      if (consecutiveTransient > 6 && !json) {
+        ui.warn(`  still offline after ${consecutiveTransient} attempts — owner revokes are not visible while offline.`);
+      }
+      await sleep(TRANSIENT_BACKOFF_SEC * 1000);
+      continue;
+    }
+    consecutiveTransient = 0;
+    if (r.response.action === 'lock') {
+      return finalLock(projectRoot, config, trimmedCode, r.response.reason, json);
+    }
+    printTick(r.response, json, verbose);
+  }
+}
+
+function printTick(resp, json, verbose) {
+  if (json) {
+    process.stdout.write(
+      JSON.stringify({ type: 'tick', at: new Date().toISOString(), ...resp }) + '\n',
+    );
+    return;
+  }
+  const remaining = fmtRemaining(resp.remainingMs);
+  if (resp.action === 'warn') {
+    ui.warn(`[${ts()}] ${ui.c.yellow('warn')} — ${remaining} left, lock incoming`);
+  } else if (verbose) {
+    ui.say(`[${ts()}] ${ui.c.green('ok')} — ${remaining} left`);
+  } else {
+    // Single quiet line; overwrite-in-place if TTY for a clean demo.
+    if (ui.STDERR_TTY) {
+      process.stderr.write(
+        `\r${ui.c.green('●')} watching · ${ui.c.dim(ts())} · ${ui.c.dim(remaining + ' left')}\x1b[K`,
+      );
+    } else {
+      ui.say(`[${ts()}] ok — ${remaining} left`);
+    }
+  }
+}
+
+async function finalLock(projectRoot, config, code, reason, json) {
+  // Erase the in-place tick line if we were drawing one.
+  if (!json && ui.STDERR_TTY) process.stderr.write('\r\x1b[K');
+
+  const label = reason || 'lock';
+  if (json) {
+    process.stdout.write(
+      JSON.stringify({ type: 'lock', at: new Date().toISOString(), reason: label, code }) + '\n',
+    );
+  } else {
+    ui.warn(`[${ts()}] server says LOCK — reason: ${ui.c.bold(label)}`);
+  }
+
+  const K = loadSession(projectRoot);
+  if (!K) {
+    // The recipient never had a key cached (didn't run `sealcode unlock`),
+    // so there's no plaintext to seal. We still exit non-zero so a wrapping
+    // shell script knows the grant is dead.
+    if (!json) {
+      ui.fail(
+        'access revoked — but no cached session was found, so there is nothing to re-lock here.',
+      );
+      ui.hint('  (this is normal if you never ran `sealcode unlock` on this machine.)');
+    }
+    process.exit(2);
+  }
+
+  let res;
+  try {
+    res = await runLock({ projectRoot, config, K });
+  } catch (err) {
+    if (!json) ui.fail(`re-lock failed: ${err.message}`);
+    process.exit(3);
+  }
+  clearSession(projectRoot);
+  if (json) {
+    process.stdout.write(
+      JSON.stringify({ type: 'locked', at: new Date().toISOString(), count: res.count, reason: label }) + '\n',
+    );
+  } else {
+    ui.ok(`[${ts()}] re-locked ${ui.c.bold(res.count)} files into ${ui.c.cyan(config.lockedDir + '/')} — session cleared`);
+    ui.hint('  Your local plaintext has been wiped. Ask the owner for a fresh code if you still need access.');
+  }
+  process.exit(0);
+}
+
+module.exports = { runWatch };

package/src/cli.js

@@ -34,6 +34,18 @@ const { exportBundle, importBundle } = require('./bundle');
 const { runLogin, runSignout, runWhoami } = require('./cli-auth');
 const { runLink, runUnlink, runLinkInfo } = require('./cli-link');
 const { runShare, runGrants, runRevoke, runRedeem } = require('./cli-grants');
+const {
+  runCiCreate,
+  runCiList,
+  runCiRevoke,
+} = require('./cli-ci-tokens');
+const {
+  runEscrowStatus,
+  runEscrowEnable,
+  runEscrowDisable,
+  runEscrowRecover,
+} = require('./cli-escrow');
+const { runWatch } = require('./cli-watch');
 const ui = require('./ui');
 
 function logger(verbose) {
@@ -658,6 +670,135 @@ function build() {
       }
     });
 
+  // -------- watch --------
+  program
+    .command('watch')
+    .argument('<code>', 'access code to monitor (the one you redeemed)')
+    .description('Stay online and self-lock if the owner revokes this code or it expires.')
+    .option('--interval <seconds>', 'override server-suggested heartbeat interval', (v) => parseInt(v, 10))
+    .option('-v, --verbose', 'print every heartbeat (instead of a single live status line)', false)
+    .option('--json', 'machine-readable JSONL output (one event per line)', false)
+    .action(async (code, opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runWatch({
+          projectRoot,
+          code,
+          intervalSec: opts.interval,
+          verbose: !!opts.verbose,
+          json: !!opts.json,
+        });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  // -------- ci-token --------
+  const ciToken = program
+    .command('ci-token')
+    .description('Manage CI/CD short-lived tokens for the linked project (Pro feature).');
+
+  ciToken
+    .command('create')
+    .description('Create a new CI token. Shown once — save it to your CI secret store.')
+    .requiredOption('--label <text>', 'human-readable label (e.g. "GitHub Actions · deploy")')
+    .option('--ttl <duration>', 'lifetime: 1h, 8h, 1d, 1w (default 24h)', '24h')
+    .option('--scope <scope>', 'read | unlock (default unlock)', 'unlock')
+    .option('--json', 'machine-readable output', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runCiCreate({
+          projectRoot,
+          label: opts.label,
+          ttl: opts.ttl,
+          scope: opts.scope,
+          json: !!opts.json,
+        });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  ciToken
+    .command('list')
+    .description('List CI tokens for the linked project.')
+    .option('--json', 'machine-readable output', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runCiList({ projectRoot, json: !!opts.json });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  ciToken
+    .command('revoke')
+    .argument('<id>', 'CI token id (see `sealcode ci-token list`)')
+    .description('Revoke a CI token immediately.')
+    .action(async (id) => {
+      try {
+        await runCiRevoke({ tokenId: id });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  // -------- escrow --------
+  const escrow = program
+    .command('escrow')
+    .description('Cloud key escrow: a passphrase-recovery safety net (Pro feature).');
+
+  escrow
+    .command('status')
+    .description('Print whether escrow is enabled for the linked project.')
+    .option('--json', 'machine-readable output', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runEscrowStatus({ projectRoot, json: !!opts.json });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  escrow
+    .command('enable')
+    .description('Wrap the master key with a separate recovery passphrase and upload the ciphertext.')
+    .action(async () => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runEscrowEnable({ projectRoot });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  escrow
+    .command('disable')
+    .description('Delete the server-side escrow blob. The local vault is unaffected.')
+    .action(async () => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runEscrowDisable({ projectRoot });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  escrow
+    .command('recover')
+    .description('On a new machine: download the blob, decrypt with the recovery passphrase, cache K.')
+    .action(async () => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runEscrowRecover({ projectRoot });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
   return program;
 }
 

package/src/errors.js

@@ -54,6 +54,24 @@ const CODES = {
       'The free CLI handles lock / unlock / verify forever. Pro adds team key sharing, key rotation across N projects, audit log sync, and cloud key escrow.',
     try: 'Try: visit https://sealcode.dev/pro     (start a free 14-day trial)',
   },
+  SEALCODE_WATCH_NO_CODE: {
+    headline: 'sealcode watch needs an access code.',
+    detail:
+      'Pass the access code shared with you (the one you got from sealcode share / redeem).',
+    try: 'Try: sealcode watch SC-XXXX-XXXX-XXXX-XXXX',
+  },
+  SEALCODE_WATCH_BAD_CODE: {
+    headline: 'The server rejected that access code.',
+    detail:
+      "The code may be malformed, already expired, revoked, or it doesn't exist on this server.",
+    try: 'Try: sealcode redeem <code>            (re-validate the code first)',
+  },
+  SEALCODE_WATCH_OFFLINE: {
+    headline: "I couldn't reach sealcode.dev to start watching.",
+    detail:
+      'The first heartbeat failed. We refuse to start the watcher without confirming the code is reachable — otherwise a revoke would never be observed.',
+    try: 'Try: check connectivity, then re-run `sealcode watch <code>`.',
+  },
 };
 
 class SealcodeError extends Error {