sealcode 0.1.0 → 1.1.0

package/README.md

@@ -85,6 +85,21 @@ sealcode uninstall-hook  # remove hook block
 sealcode panic           # immediate re-lock + session wipe
 sealcode logout          # clear cached session, force passphrase next time
 sealcode presets         # list supported ecosystems
+sealcode share <opts>    # mint a temporary access code (--email <addr> wraps the key for them)
+                         #   1.1 controls (all optional):
+                         #     --paths src/api/,tests/    only decrypt these prefixes
+                         #     --mode ro                  read-only; watcher re-locks on edit
+                         #     --watermark "Licensed to {email} · grant {grantId}"
+                         #     --idle 30                  auto-lock after N idle minutes
+                         #     --allow-ip 10.0.0.0/8      restrict redeem + heartbeat IPs
+                         #     --allow-country US GB      ISO-2 country allowlist (Cloudflare-fed)
+                         #     --single-device            hard-reject 2nd device fingerprint
+                         #     --nda "text"               require typed "I agree" on redeem
+sealcode redeem <code>   # accept a code; auto-unlocks + spawns watcher when team-shared
+sealcode watch <code>    # poll the server with long-poll (~1s revoke); --daemon for background
+sealcode lockdown        # 1.1: panic — revoke ALL active grants for the linked project
+sealcode install-service # macOS launchd / Linux systemd unit so the watcher survives reboots
+sealcode uninstall-service
 sealcode pro             # Pro tier info
 sealcode where           # debug: print paths and state (no secrets)
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "0.1.0",
+  "version": "1.1.0",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/api.js

@@ -86,7 +86,7 @@ class ApiError extends Error {
   }
 }
 
-async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
+async function request(method, urlPath, { body, auth = false, apiUrl, timeoutMs } = {}) {
   const base = apiUrl || getApiUrl();
   const url = new URL(urlPath, base).toString();
   const headers = {
@@ -106,12 +106,23 @@ async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
     headers.authorization = `Bearer ${token}`;
   }
 
+  // sealcode@1.1.0 — optional per-call timeout. We use an AbortController
+  // and let the caller pass `timeoutMs` for long-polled heartbeats
+  // (where we want a generous budget) without changing the default
+  // behavior of every other call.
+  const ac = typeof AbortController === 'function' ? new AbortController() : null;
+  let timer = null;
+  if (timeoutMs && ac) {
+    timer = setTimeout(() => ac.abort(), timeoutMs);
+  }
+
   let res;
   try {
     res = await fetch(url, {
       method,
       headers,
       body: body == null ? undefined : JSON.stringify(body),
+      signal: ac ? ac.signal : undefined,
     });
   } catch (err) {
     throw new ApiError(
@@ -119,6 +130,8 @@ async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
       'network',
       `Could not reach ${base}: ${err.message || err}.`,
     );
+  } finally {
+    if (timer) clearTimeout(timer);
   }
 
   const ct = res.headers.get('content-type') || '';

package/src/cli-auth.js

@@ -24,6 +24,7 @@ const {
   request,
   writeCreds,
 } = require('./api');
+const keypair = require('./keypair');
 const ui = require('./ui');
 
 function sleep(ms) {
@@ -163,6 +164,31 @@ async function runLogin({ apiUrl } = {}) {
     createdAt: new Date().toISOString(),
   });
 
+  // sealcode@1.0.0: publish the user's X25519 pubkey. This enables team
+  // key sharing (other users can wrap K for us via `sealcode share --to`).
+  // Best-effort: if the server doesn't support pubkeys yet (older deploy)
+  // we still consider login successful. The keypair is generated locally
+  // either way and persisted to ~/.sealcode/keypair.json.
+  try {
+    const pub = keypair.publicKey();
+    await request('POST', '/api/v1/users/pubkey', {
+      body: pub,
+      auth: true,
+      apiUrl: baseUrl,
+    });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 404) {
+      // Server predates 1.0; not a real error, just log it in verbose paths.
+      if (process.env.SEALCODE_DEBUG) {
+        process.stderr.write(
+          `(note: server hasn't enabled team key sharing yet — your pubkey was generated locally but not published)\n`,
+        );
+      }
+    } else if (process.env.SEALCODE_DEBUG) {
+      process.stderr.write(`(warning: pubkey publish failed: ${err.message || err})\n`);
+    }
+  }
+
   ui.ok(`Logged in as ${ui.c.bold(user.email || user.id || 'unknown')} ${ui.c.dim(`at ${baseUrl}`)}`);
 }
 

package/src/cli-ci-tokens.js

@@ -0,0 +1,123 @@
+'use strict';
+
+/**
+ * CI/CD short-lived tokens.
+ *
+ *   sealcode ci-token create --label "GH Actions" --ttl 24h --scope unlock
+ *   sealcode ci-token list
+ *   sealcode ci-token revoke <id>
+ *
+ * Requires the project to be linked (`sealcode link <id>`). All three
+ * commands authenticate as the logged-in user; the *resulting* token is what
+ * the CI pipeline uses afterwards via SEALCODE_CI_TOKEN.
+ */
+
+const { request } = require('./api');
+const { getLink } = require('./link-state');
+const ui = require('./ui');
+
+function requireLink(projectRoot) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    throw new Error(
+      'This project is not linked. Run `sealcode link <projectId>` first.',
+    );
+  }
+  return link;
+}
+
+/**
+ * Parse a TTL string into hours. Accepts: "1h" "8h" "1d" "30d" "168" (bare = hours).
+ */
+function parseTtl(input) {
+  if (input == null) return 24;
+  const s = String(input).trim().toLowerCase();
+  const m = s.match(/^(\d+)\s*(h|hr|hour|hours|d|day|days|w|week|weeks)?$/);
+  if (!m) throw new Error(`Invalid --ttl: "${input}". Try "1h", "8h", "1d", "1w".`);
+  const n = parseInt(m[1], 10);
+  const unit = m[2] || 'h';
+  if (unit.startsWith('h')) return n;
+  if (unit.startsWith('d')) return n * 24;
+  if (unit.startsWith('w')) return n * 24 * 7;
+  return n;
+}
+
+async function runCiCreate({ projectRoot, label, ttl, scope, json = false }) {
+  const link = requireLink(projectRoot);
+  if (!label || !label.trim()) {
+    throw new Error('--label is required (e.g. --label "GitHub Actions · deploy").');
+  }
+  const expiresInHours = parseTtl(ttl);
+  const allowedScopes = ['read', 'unlock'];
+  if (!allowedScopes.includes(scope)) {
+    throw new Error(`--scope must be one of: ${allowedScopes.join(', ')}.`);
+  }
+
+  const res = await request(
+    'POST',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/ci-tokens`,
+    { auth: true, body: { label: label.trim(), scope, expiresInHours } },
+  );
+  const t = res.token;
+  if (json) {
+    process.stdout.write(JSON.stringify({ token: t }, null, 2) + '\n');
+    return;
+  }
+  ui.box('CI token — copy now, shown only once', [
+    `  ${ui.c.bold(ui.c.green(t.token))}`,
+    '',
+    `${ui.c.dim('label  ')} ${ui.c.bold(t.label)}`,
+    `${ui.c.dim('scope  ')} ${t.scope}`,
+    `${ui.c.dim('expires')} ${t.expiresAt}`,
+    `${ui.c.dim('id     ')} ${t.id}`,
+  ], { tone: 'green' });
+  ui.hint('In your CI provider, set this as a masked secret:');
+  process.stdout.write(`    ${ui.c.cyan(`SEALCODE_CI_TOKEN=${t.token.slice(0, 12)}…`)}\n\n`);
+}
+
+async function runCiList({ projectRoot, json = false }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/ci-tokens`,
+    { auth: true },
+  );
+  const tokens = res.tokens || [];
+  if (json) {
+    process.stdout.write(JSON.stringify({ tokens }, null, 2) + '\n');
+    return;
+  }
+  if (tokens.length === 0) {
+    process.stdout.write(
+      'No CI tokens yet. Create one with `sealcode ci-token create --label "…"`.\n',
+    );
+    return;
+  }
+  process.stdout.write(
+    `\n${link.projectName || link.projectId}: ${tokens.length} CI token(s)\n`,
+  );
+  for (const t of tokens) {
+    const state = t.state.padEnd(8);
+    const scope = (t.scope || '').padEnd(7);
+    process.stdout.write(
+      `  ${state}  ${scope}  ${t.tokenPrefix.padEnd(10)}  ${t.label}  ${ui.c.dim('id=' + t.id)}\n`,
+    );
+  }
+  process.stdout.write('\n');
+}
+
+async function runCiRevoke({ tokenId }) {
+  if (!tokenId) throw new Error('Usage: sealcode ci-token revoke <id>');
+  const res = await request(
+    'DELETE',
+    `/api/v1/ci-tokens/${encodeURIComponent(tokenId)}`,
+    { auth: true },
+  );
+  if (res.alreadyTerminal) {
+    process.stdout.write(`(token was already revoked or expired)\n`);
+    return;
+  }
+  process.stdout.write(`✓ revoked CI token ${tokenId}\n`);
+}
+
+module.exports = { runCiCreate, runCiList, runCiRevoke, parseTtl };

package/src/cli-escrow.js

@@ -0,0 +1,236 @@
+'use strict';
+
+/**
+ * Cloud key escrow.
+ *
+ *   sealcode escrow status          → print whether escrow is enabled
+ *   sealcode escrow enable          → prompt for a recovery passphrase, wrap K,
+ *                                     upload ciphertext + KDF params
+ *   sealcode escrow disable         → delete the server-side blob
+ *   sealcode escrow recover         → download blob, prompt for passphrase,
+ *                                     unwrap K, save session so unlock works
+ *
+ * The server NEVER sees the recovery passphrase or the plaintext master key.
+ * What's stored is:
+ *   { ciphertext: base64(IV ‖ tag ‖ AES-GCM(wrap_key, K)),
+ *     kdfParams: { kind: "scrypt", N, r, p, saltB64 } }
+ */
+
+const os = require('os');
+const crypto = require('crypto');
+
+const { request } = require('./api');
+const { getLink } = require('./link-state');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized, unwrap, saveSession } = require('./keystore');
+const { deriveKey, makeSalt, passphraseStrength } = require('./kdf');
+const { hidden } = require('./prompt');
+const ui = require('./ui');
+
+function requireLink(projectRoot) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    throw new Error(
+      'This project is not linked. Run `sealcode link <projectId>` first.',
+    );
+  }
+  return link;
+}
+
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _file: null,
+    _implicit: true,
+  };
+}
+
+function clientMeta() {
+  return {
+    hostname: os.hostname(),
+    platform: `${os.platform()}-${os.arch()}`,
+  };
+}
+
+async function runEscrowStatus({ projectRoot, json = false }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    { auth: true },
+  );
+  if (json) {
+    process.stdout.write(JSON.stringify({ escrow: res.escrow }, null, 2) + '\n');
+    return;
+  }
+  if (!res.escrow.exists) {
+    process.stdout.write('Cloud escrow: disabled.\n');
+    return;
+  }
+  const s = res.escrow;
+  process.stdout.write(
+    `\nCloud escrow: ${ui.c.green('enabled')}\n`
+      + `  uploaded:   ${s.uploadedAt}\n`
+      + `  updated:    ${s.updatedAt}\n`
+      + `  from:       ${s.uploadedFromHostname || '(unknown)'} ${s.uploadedFromPlatform ? `· ${s.uploadedFromPlatform}` : ''}\n`
+      + `  last touch: ${s.lastAccessedAt || '(never)'}\n\n`,
+  );
+}
+
+async function runEscrowEnable({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) {
+    throw new Error(
+      'This project has no vault yet. Run `sealcode init` first.',
+    );
+  }
+
+  // 1. Resolve the actual master key. We need the user's normal passphrase
+  //    (or a cached session) — escrow is *additional* protection, not a
+  //    replacement.
+  process.stdout.write('First, prove you can unlock this vault.\n');
+  const projectPp = await hidden('Project passphrase:');
+  let K;
+  try {
+    K = await unwrap(projectRoot, config.lockedDir, { passphrase: projectPp });
+  } catch {
+    throw new Error('Wrong passphrase. Escrow not enabled.');
+  }
+  saveSession(projectRoot, K);
+
+  // 2. Take a separate recovery passphrase. We tell the user this is the one
+  //    they'll need if they lose the laptop AND the project passphrase.
+  process.stdout.write(
+    '\nNow choose a separate ' + ui.c.bold('recovery passphrase') + ' for cloud escrow.\n'
+    + ui.c.dim('  This is what you\'ll type on a new laptop after `sealcode escrow recover`.\n')
+    + ui.c.dim('  Store it somewhere different from your project passphrase.\n\n'),
+  );
+  const recoveryPp = await hidden('Recovery passphrase:');
+  if (!recoveryPp) throw new Error('Recovery passphrase is required.');
+  const confirmPp = await hidden('Confirm recovery passphrase:');
+  if (recoveryPp !== confirmPp) {
+    throw new Error('Recovery passphrases do not match.');
+  }
+  const strength = passphraseStrength(recoveryPp);
+  if (strength.level === 'weak') {
+    throw new Error(`Recovery passphrase is too weak (${strength.reason}). Try at least 16 chars or a passphrase like "correct-horse-battery-staple".`);
+  }
+
+  // 3. Derive wrap key with a fresh salt.
+  const salt = makeSalt();
+  const wrapKey = await deriveKey(recoveryPp, salt);
+
+  // 4. Encrypt K under wrapKey with AES-256-GCM.
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', wrapKey, iv);
+  const enc = Buffer.concat([cipher.update(K), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const blob = Buffer.concat([iv, tag, enc]).toString('base64');
+
+  // 5. Ship to the server.
+  const meta = clientMeta();
+  await request(
+    'PUT',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    {
+      auth: true,
+      body: {
+        ciphertext: blob,
+        kdfParams: {
+          kind: 'scrypt',
+          N: 1 << 17,
+          r: 8,
+          p: 1,
+          saltB64: salt.toString('base64'),
+          version: 1,
+        },
+        hostname: meta.hostname,
+        platform: meta.platform,
+      },
+    },
+  );
+
+  // 6. Wipe wrapKey from memory ASAP.
+  wrapKey.fill(0);
+
+  ui.ok('Cloud escrow enabled.');
+  ui.hint('  Recover on a new machine with:  sealcode escrow recover');
+}
+
+async function runEscrowDisable({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'DELETE',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow`,
+    { auth: true },
+  );
+  if (res.deleted) {
+    ui.ok('Cloud escrow disabled. Server-side blob deleted.');
+  } else {
+    process.stdout.write('(nothing to disable — escrow wasn\'t set up)\n');
+  }
+}
+
+async function runEscrowRecover({ projectRoot }) {
+  const link = requireLink(projectRoot);
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) {
+    throw new Error(
+      'No vault on this machine yet. Clone the repo first, then re-run.',
+    );
+  }
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/escrow?full=1`,
+    { auth: true },
+  );
+  if (!res.ciphertext || !res.kdfParams) {
+    throw new Error('No escrow blob for this project. Set it up first with `sealcode escrow enable`.');
+  }
+  if (res.kdfParams.kind !== 'scrypt') {
+    throw new Error(`Unsupported KDF kind: ${res.kdfParams.kind}`);
+  }
+  const salt = Buffer.from(res.kdfParams.saltB64, 'base64');
+
+  const recoveryPp = await hidden('Recovery passphrase:');
+  if (!recoveryPp) throw new Error('Recovery passphrase is required.');
+
+  // Re-derive wrap key with the server-supplied salt.
+  const wrapKey = await deriveKey(recoveryPp, salt);
+
+  // Decrypt blob.
+  const blob = Buffer.from(res.ciphertext, 'base64');
+  const iv = blob.subarray(0, 12);
+  const tag = blob.subarray(12, 28);
+  const ct = blob.subarray(28);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', wrapKey, iv);
+  decipher.setAuthTag(tag);
+  let K;
+  try {
+    K = Buffer.concat([decipher.update(ct), decipher.final()]);
+  } catch {
+    wrapKey.fill(0);
+    throw new Error('Wrong recovery passphrase, or the escrow blob has been tampered with.');
+  }
+  wrapKey.fill(0);
+
+  saveSession(projectRoot, K);
+  ui.ok('Recovery successful. Session cached — you can now run `sealcode unlock`.');
+}
+
+module.exports = {
+  runEscrowStatus,
+  runEscrowEnable,
+  runEscrowDisable,
+  runEscrowRecover,
+};