sealcode 0.1.0 → 1.1.0

package/src/cli-grants.js

@@ -13,8 +13,16 @@
  * that doesn't need auth — it's used by the developer receiving the code.
  */
 
+const path = require('path');
+
 const { ApiError, clientInfo, request } = require('./api');
 const { getLink } = require('./link-state');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized, loadSession, saveSession } = require('./keystore');
+const { getDeviceFingerprint, getDeviceInfo } = require('./device');
+const keypair = require('./keypair');
+const shareCrypto = require('./share-crypto');
 const ui = require('./ui');
 
 function requireLink(projectRoot) {
@@ -38,6 +46,86 @@ function formatRemaining(ms) {
   return `${Math.floor(hr / 24)}d ${hr % 24}h`;
 }
 
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _implicit: true,
+  };
+}
+
+/**
+ * sealcode@1.0.0: fetch the recipient's published X25519 pubkey and wrap
+ * the project master key K to it. Returns `{ wrappedKey, wrappedKeyRecipient }`
+ * suitable for splatting into the create-grant request body.
+ *
+ * Returns `null` if the recipient hasn't published a pubkey yet OR the
+ * server doesn't support the endpoint (pre-1.0 deploy). The caller falls
+ * back to the legacy "share-the-passphrase-out-of-band" flow.
+ *
+ * Will throw if we have K but the wrap itself fails (which would indicate
+ * a real cryptographic bug; we don't want to silently downgrade in that
+ * case).
+ */
+async function maybeWrapKeyForRecipient({ projectRoot, recipientEmail, verbose = false }) {
+  if (!recipientEmail) return null;
+
+  // Need the master key K to wrap. If there's no live session on this
+  // machine, we can't wrap — owner has to `sealcode unlock` first.
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) return null;
+  const K = loadSession(projectRoot);
+  if (!K) {
+    if (verbose) {
+      ui.hint('(no cached session — skipping team-key wrap; recipient will need the passphrase)');
+    }
+    return null;
+  }
+
+  // Fetch their pubkey.
+  let pub;
+  try {
+    pub = await request(
+      'GET',
+      `/api/v1/users/pubkey?email=${encodeURIComponent(recipientEmail)}`,
+      { auth: true },
+    );
+  } catch (err) {
+    if (err instanceof ApiError) {
+      if (err.status === 404) {
+        // Either the user doesn't exist or hasn't published a pubkey
+        // yet. We still mint the code; the recipient just falls back to
+        // the legacy flow when they redeem.
+        if (verbose) {
+          ui.hint(
+            `(recipient hasn't published a pubkey yet — falling back to passphrase-share flow)`,
+          );
+        }
+        return null;
+      }
+      if (err.status === 0) {
+        // Network blip — let the caller surface this; we don't want to
+        // silently strip security.
+        throw err;
+      }
+    }
+    throw err;
+  }
+  if (!pub || !pub.publicKey || pub.algo !== keypair.ALGO) {
+    return null;
+  }
+
+  const wrapped = shareCrypto.wrapForRecipient(K, pub.publicKey);
+  return { wrappedKey: wrapped, wrappedKeyRecipient: recipientEmail };
+}
+
 async function runShare({
   projectRoot,
   hours,
@@ -48,9 +136,38 @@ async function runShare({
   strict = false,
   heartbeatSec = 300,
   offlineGraceSec = 1800,
+  // sealcode@1.1.0 — admin precision controls. All optional.
+  paths = null,                     // string[] | null  → allowedPaths
+  mode = 'rw',                      // 'rw' | 'ro'
+  watermark = null,                 // string | null    → template
+  idleAutoLockMinutes = 0,          // 0 = disabled
+  allowedIpCidrs = null,            // string[] | null  → CIDRs
+  allowedCountries = null,          // string[] | null  → ISO-2 codes
+  singleDeviceEnforce = false,
+  ndaText = null,
   json = false,
 }) {
   const link = requireLink(projectRoot);
+
+  // sealcode@1.0.0: if `--email <addr>` is supplied AND we can reach the
+  // recipient's pubkey AND we have K cached, wrap K to them. This makes
+  // `sealcode redeem` self-sufficient on the recipient side (no
+  // out-of-band passphrase exchange).
+  let wrap = null;
+  try {
+    wrap = await maybeWrapKeyForRecipient({
+      projectRoot,
+      recipientEmail: email,
+      verbose: !json,
+    });
+  } catch (err) {
+    // Network errors during pubkey lookup shouldn't be silent — degrade
+    // loudly so the owner knows the recipient will need the passphrase.
+    if (!json) {
+      ui.warn(`Pubkey lookup failed (${err.message || err}) — minting code without wrapped key.`);
+    }
+  }
+
   const body = {
     developerEmail: email || '',
     developerLabel: label || '',
@@ -60,6 +177,18 @@ async function runShare({
     strictMode: !!strict,
     heartbeatIntervalSeconds: Math.max(30, Math.floor(heartbeatSec)),
     offlineGraceSeconds: Math.max(60, Math.floor(offlineGraceSec)),
+    ...(wrap ? wrap : {}),
+    // sealcode@1.1.0 — admin precision controls (server validates again)
+    ...(paths && paths.length ? { allowedPaths: paths } : {}),
+    mode: mode === 'ro' ? 'ro' : 'rw',
+    ...(watermark ? { watermark } : {}),
+    idleAutoLockMinutes: Math.max(0, Math.floor(idleAutoLockMinutes || 0)),
+    ...(allowedIpCidrs && allowedIpCidrs.length ? { allowedIpCidrs } : {}),
+    ...(allowedCountries && allowedCountries.length
+      ? { allowedCountries: allowedCountries.map((c) => c.toUpperCase()) }
+      : {}),
+    singleDeviceEnforce: !!singleDeviceEnforce,
+    ...(ndaText ? { ndaText } : {}),
   };
 
   let res;
@@ -88,6 +217,8 @@ async function runShare({
           codePrefix: g.codePrefix,
           projectId: g.projectId,
           expiresAt: g.expiresAt,
+          wrappedFor: g.wrappedFor ?? null,
+          hasWrappedKey: !!g.hasWrappedKey,
         },
         null,
         2,
@@ -97,11 +228,17 @@ async function runShare({
   }
 
   const meta = [
-    `${ui.c.dim('project   ')} ${ui.c.bold(link.projectName || link.projectId)}`,
-    `${ui.c.dim('expires   ')} ${g.expiresAt}`,
+    `${ui.c.dim('project    ')} ${ui.c.bold(link.projectName || link.projectId)}`,
+    `${ui.c.dim('expires    ')} ${g.expiresAt}`,
   ];
-  if (g.autoLockAt) meta.push(`${ui.c.dim('auto-lock ')} ${g.autoLockAt}`);
-  if (email) meta.push(`${ui.c.dim('email     ')} ${email}`);
+  if (g.autoLockAt) meta.push(`${ui.c.dim('auto-lock  ')} ${g.autoLockAt}`);
+  if (email) meta.push(`${ui.c.dim('email      ')} ${email}`);
+  if (strict) meta.push(`${ui.c.dim('strict     ')} ${ui.c.yellow('yes — watcher required')}`);
+  if (g.hasWrappedKey) {
+    meta.push(`${ui.c.dim('wrapped to ')} ${ui.c.green(g.wrappedFor)} ${ui.c.dim('(no passphrase exchange)')}`);
+  } else if (email) {
+    meta.push(`${ui.c.dim('wrapped to ')} ${ui.c.yellow('— (recipient hasn\'t published a pubkey; passphrase still needed)')}`);
+  }
 
   ui.box('Access code — copy now, shown only once', [
     `  ${ui.c.bold(ui.c.green(g.code))}`,
@@ -109,8 +246,14 @@ async function runShare({
     ...meta,
   ], { tone: 'green' });
 
-  ui.hint('Share it with the developer over a secure channel. They redeem with:');
-  process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n\n`);
+  if (g.hasWrappedKey) {
+    ui.hint('Recipient runs:');
+    process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n`);
+    process.stdout.write(`    ${ui.c.cyan(`sealcode unlock`)}    ${ui.c.dim('# no passphrase prompt — K is delivered by the redeem call')}\n\n`);
+  } else {
+    ui.hint('Share it with the developer over a secure channel. They redeem with:');
+    process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n\n`);
+  }
 }
 
 async function runGrants({ projectRoot, json = false }) {
@@ -156,17 +299,113 @@ async function runRevoke({ grantId }) {
   process.stdout.write(`✓ revoked grant ${grantId}\n`);
 }
 
-async function runRedeem({ code, json = false }) {
+async function runRedeem({ projectRoot, code, json = false, agreeNda = false }) {
   if (!code) throw new Error('Usage: sealcode redeem <CODE>');
   const trimmed = code.trim();
-  const res = await request('POST', '/api/v1/access/redeem', {
-    body: { code: trimmed, client: clientInfo() },
-  });
+
+  // Include the device fingerprint so the server pins it to the grant
+  // on first redeem (and warns on mismatch on subsequent redeems).
+  const client = { ...clientInfo(), deviceFingerprint: getDeviceFingerprint() };
+
+  // First call without the NDA flag — server tells us whether one is
+  // required by including `nda_required: true` and `ndaText` in the
+  // 409-NDA response (or in the success payload's policy block). We
+  // use a separate pre-flight to a metadata endpoint to avoid the
+  // "race the server pins the device fingerprint before user has
+  // even agreed" problem.
+  let res;
+  try {
+    res = await request('POST', '/api/v1/access/redeem', {
+      body: { code: trimmed, client, ndaAccepted: !!agreeNda },
+    });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 409 && err.apiCode === 'nda_required') {
+      const ndaText = (err.raw && (err.raw.ndaText || err.raw.error?.ndaText)) || '(no text provided by owner)';
+      ui.box('Acceptance required', [
+        ui.c.dim('The owner of this project requires you to accept the following before unlocking:'),
+        '',
+        ...String(ndaText).split('\n'),
+      ], { tone: 'yellow' });
+      const { question } = require('./prompt');
+      const reply = await question('Type "I agree" to continue (or Ctrl-C to abort): ');
+      if (String(reply).trim().toLowerCase() !== 'i agree') {
+        ui.fail('Did not accept — aborting redeem.');
+        process.exitCode = 1;
+        return;
+      }
+      res = await request('POST', '/api/v1/access/redeem', {
+        body: { code: trimmed, client, ndaAccepted: true },
+      });
+    } else {
+      throw err;
+    }
+  }
   const g = res.grant;
+
+  // sealcode@1.0.0: if the server returned a wrapped K AND we're running
+  // inside a project root that has a manifest, unwrap it and cache the
+  // session so subsequent `sealcode unlock` skips the passphrase prompt.
+  // This is the magic "no passphrase exchange needed" path.
+  let cachedK = false;
+  let unwrapNote = null;
+  if (g.wrappedKey) {
+    const kp = keypair.read();
+    if (!kp) {
+      unwrapNote = ui.c.yellow(
+        '(received a wrapped key, but no local keypair was found. '
+          + 'Run `sealcode login` to generate one.)',
+      );
+    } else if (g.wrappedKeyRecipient && g.wrappedKeyRecipient.toLowerCase() !== readMyEmail().toLowerCase()) {
+      unwrapNote = ui.c.yellow(
+        `(received a wrapped key, but it was wrapped for ${g.wrappedKeyRecipient}; `
+          + `you are logged in as ${readMyEmail()}. Ask the owner to re-share.)`,
+      );
+    } else {
+      try {
+        const K = shareCrypto.unwrapWithRecipient(g.wrappedKey, kp.privateKey, kp.publicKey);
+        if (projectRoot) {
+          // Cache K against THIS project root. The grant-derived session
+          // is tagged so cli-guard and cli-watch know it requires a
+          // running watcher. sealcode@1.1.0 — also stash the policy
+          // bundle so subsequent commands enforce paths/ro/watermark/idle.
+          saveSession(projectRoot, K, {
+            source: 'grant',
+            grantId: g.id,
+            grantCodeHash: require('crypto').createHash('sha256').update(trimmed).digest('hex'),
+            grantExpiresAt: g.expiresAt,
+            deviceFingerprint: getDeviceFingerprint(),
+            strictWatch: !!g.strictMode,
+            policy: g.policy || {
+              allowedPaths: g.allowedPaths || null,
+              mode: g.mode || 'rw',
+              watermark: g.watermark || null,
+              idleAutoLockMinutes: g.idleAutoLockMinutes || 0,
+            },
+            recipientEmail: g.wrappedKeyRecipient || readMyEmail(),
+            projectName: g.projectName || null,
+          });
+          cachedK = true;
+        } else {
+          unwrapNote = ui.c.dim(
+            '(unwrapped K, but you are not inside a project root — '
+              + 'cd into the project and run `sealcode unlock` to materialize plaintext.)',
+          );
+        }
+        // Best-effort scrub of K from this process's memory.
+        K.fill(0);
+      } catch (err) {
+        unwrapNote = ui.c.red(`(could not unwrap delivered key: ${err.message || err})`);
+      }
+    }
+  }
+
   if (json) {
-    process.stdout.write(JSON.stringify({ grant: g }, null, 2) + '\n');
+    process.stdout.write(
+      JSON.stringify({ grant: g, cachedSession: cachedK }, null, 2) + '\n',
+    );
     return;
   }
+
   process.stdout.write(`\n✓ access code accepted\n`);
   process.stdout.write(`  project:     ${g.projectName} (${g.projectId})\n`);
   process.stdout.write(`  fingerprint: ${g.projectFingerprint}\n`);
@@ -174,12 +413,141 @@ async function runRedeem({ code, json = false }) {
   if (g.autoLockAt) process.stdout.write(`  auto-lock:   ${g.autoLockAt}\n`);
   process.stdout.write(`  strict:      ${g.strictMode ? 'yes' : 'no'}\n`);
   process.stdout.write(
-    `  heartbeat:   every ${g.heartbeatIntervalSeconds}s, ${g.offlineGraceSeconds}s offline grace\n\n`,
-  );
-  process.stdout.write(
-    'Next step (when the owner shares the unlocked vault with you):\n'
-      + '  sealcode unlock\n\n',
+    `  heartbeat:   every ${g.heartbeatIntervalSeconds}s, ${g.offlineGraceSeconds}s offline grace\n`,
   );
+  if (g.deviceFingerprintWarning) {
+    ui.warn(g.deviceFingerprintWarning);
+  }
+
+  if (cachedK) {
+    process.stdout.write('\n');
+    ui.ok('Key delivered via team-share envelope — no passphrase needed.');
+    // Auto-unlock + auto-spawn watcher. This is the user-asked-for
+    // "magic" flow: one command (`sealcode redeem`) handles redeem +
+    // unwrap + decrypt + supervise. Strict mode is implied by the
+    // server's `strictMode` flag on the grant.
+    try {
+      const { runUnlock } = require('./open');
+      const config = getActiveConfig(projectRoot);
+      ui.step(`auto-unlocking ${ui.c.dim(projectRoot)}`);
+      const sp = new ui.Spinner('decrypting').start();
+      let n = 0;
+      const K = loadSession(projectRoot); // freshly cached above
+      const ures = await runUnlock({
+        projectRoot,
+        config,
+        K,
+        removeStubs: true,
+        log: (msg) => {
+          n += 1;
+          const file = String(msg).replace(/^\s*unlocked\s+/, '');
+          sp.update(`decrypting ${ui.c.dim(`(${n})`)} ${file}`);
+        },
+        // sealcode@1.1.0 — apply the server-issued policy
+        policy: g.policy || {
+          allowedPaths: g.allowedPaths || null,
+          mode: g.mode || 'rw',
+          watermark: g.watermark || null,
+          idleAutoLockMinutes: g.idleAutoLockMinutes || 0,
+        },
+        watermarkCtx: {
+          email: g.wrappedKeyRecipient || readMyEmail(),
+          grantId: g.id,
+          projectName: g.projectName || '',
+          date: new Date().toISOString().slice(0, 10),
+          fingerprint: getDeviceFingerprint(),
+        },
+      });
+      const sk = ures.skipped > 0 ? ` ${ui.c.dim(`(${ures.skipped} file(s) outside grant scope skipped)`)}` : '';
+      sp.succeed(
+        `unlocked ${ui.c.bold(ures.count)} files${sk} ${ui.c.dim(`(locked at ${ures.sealedAt})`)}`,
+      );
+      if (ures.policy.mode === 'ro') {
+        ui.hint('  Read-only grant: files are 0444. Any modification will trigger an immediate re-lock.');
+      }
+      if (ures.policy.watermark) {
+        ui.hint('  Files are watermarked with your grant ID — leaks are traceable.');
+      }
+    } catch (err) {
+      ui.warn(`auto-unlock failed: ${err.message || err}`);
+      ui.hint(`  Run \`sealcode unlock\` manually, then \`sealcode watch ${trimmed} --daemon\`.`);
+    }
+    try {
+      const { spawnDaemonWatcher } = require('./cli-watch');
+      const r = spawnDaemonWatcher({ projectRoot, code: trimmed });
+      if (r.error) {
+        ui.warn(`auto-spawn watcher failed: ${r.error}`);
+        ui.hint(`  Run \`sealcode watch ${trimmed} --daemon\` manually.`);
+      } else {
+        ui.ok(
+          `watcher running ${ui.c.dim(`(pid ${r.pid}; logs ~/.sealcode/logs/)`)}`,
+        );
+        ui.hint(
+          g.strictMode
+            ? '  Strict mode: if you kill the watcher, your local plaintext re-locks immediately.'
+            : '  Lenient mode: watcher auto-locks on revoke / expiry only.',
+        );
+      }
+    } catch (err) {
+      ui.warn(`could not start watcher: ${err.message || err}`);
+    }
+    process.stdout.write('\n');
+  } else {
+    if (unwrapNote) {
+      process.stdout.write(`  ${unwrapNote}\n`);
+    }
+    process.stdout.write(
+      '\nNext step (when the owner shares the unlocked vault with you):\n'
+        + `  ${ui.c.cyan('sealcode unlock')}\n`
+        + `  ${ui.c.cyan(`sealcode watch ${trimmed} &`)}  ${ui.c.dim('# keep this running so revoke is instant')}\n\n`,
+    );
+  }
+}
+
+function readMyEmail() {
+  try {
+    const { readCreds } = require('./api');
+    const c = readCreds();
+    return (c && c.email) || '';
+  } catch (_) {
+    return '';
+  }
+}
+
+/**
+ * sealcode@1.1.0 — Project lockdown. Bulk-revokes every active grant
+ * on the linked project in a single server-side transaction, then
+ * pushes instant lock signals to every connected watcher via the
+ * long-poll event bus.
+ *
+ * Requires the project to be linked (cli-link.js).
+ */
+async function runLockdown({ projectRoot, confirm = true } = {}) {
+  const { resolveLinkedProject } = require('./cli-link');
+  const linked = resolveLinkedProject(projectRoot);
+  if (!linked) {
+    ui.fail('This folder is not linked to a sealcode.dev project. Run `sealcode link` first.');
+    process.exitCode = 1;
+    return;
+  }
+  if (confirm) {
+    const { question } = require('./prompt');
+    ui.warn(`This will revoke EVERY active access code for ${ui.c.bold(linked.projectName || linked.projectId)}.`);
+    const reply = await question('Type "lockdown" to confirm: ');
+    if (String(reply).trim().toLowerCase() !== 'lockdown') {
+      ui.fail('Aborted.');
+      process.exitCode = 1;
+      return;
+    }
+  }
+  const res = await request('POST', `/api/v1/projects/${linked.projectId}/lockdown`, {
+    auth: true,
+    body: {},
+  });
+  ui.ok(`Lockdown complete — revoked ${ui.c.bold(res.revokedCount)} grant(s).`);
+  if (res.revokedCount > 0) {
+    ui.hint('  All connected watchers will re-lock within ~1 second.');
+  }
 }
 
-module.exports = { runShare, runGrants, runRevoke, runRedeem };
+module.exports = { runShare, runGrants, runRevoke, runRedeem, runLockdown };

package/src/cli-guard.js

@@ -0,0 +1,117 @@
+'use strict';
+
+/**
+ * cli-guard — runs at the top of every sealcode command (see cli.js).
+ *
+ * Its job is to enforce the "strict watch" contract:
+ *
+ *   - If the current project has a cached session whose `meta.source`
+ *     is "grant" (i.e. the K was delivered via a temp-access code rather
+ *     than typed as a passphrase), AND the watcher daemon is no longer
+ *     supervising the project (process died, host rebooted, contractor
+ *     ran kill -9 to "keep" the plaintext), AND the grant is flagged as
+ *     `strictWatch`, then we lock the project IMMEDIATELY before running
+ *     the user's actual command.
+ *
+ * This is the answer to "what stops a contractor from killing the
+ * watcher to keep my source": every other invocation of the sealcode
+ * binary on that machine will re-lock the moment the watcher is gone.
+ * Combined with the system service installer (cli-service.js), the
+ * watcher also auto-restarts at user login.
+ *
+ * The guard is purely best-effort + zero-config. It never throws. It
+ * never prompts. The worst it can do on a bug is print a warning.
+ *
+ * Lenient (non-strict) grants keep their files plaintext after a
+ * watcher death — but the watcher death is still recorded in the
+ * session meta and any subsequent `sealcode status` shows ⚠ next to
+ * the lock state so the user sees the gap.
+ */
+
+const fs = require('fs');
+const { loadSessionMeta, clearSession, loadSession } = require('./keystore');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized } = require('./keystore');
+const { runLock } = require('./seal');
+const { readWatcherStatus, watchStateFile } = require('./cli-watch');
+const ui = require('./ui');
+
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _implicit: true,
+  };
+}
+
+/**
+ * Decide whether the current invocation should be blocked / re-locked
+ * before running. Called from cli.js before the user's command runs.
+ *
+ * @param {string} commandName    'unlock' | 'lock' | 'status' | ...
+ *                                The command about to run. We use this
+ *                                to avoid recursing — if user is already
+ *                                running `sealcode lock` we don't lock
+ *                                again from inside the guard.
+ * @param {string} projectRoot
+ * @returns {Promise<void>}
+ */
+async function runGuard({ commandName, projectRoot }) {
+  // Commands that legitimately need to operate on a grant-derived
+  // unlocked project even without a watcher running: lock, panic, watch,
+  // status, where, logout, signout, presets, pro, install-hook,
+  // uninstall-hook, install-service, uninstall-service, redeem, login.
+  // The dangerous ones are unlock + commands that hand back plaintext.
+  // Right now we only lock on a small set of "you're about to use this
+  // for real" commands, to avoid annoying the user.
+  const ENFORCING_COMMANDS = new Set([
+    'unlock', 'verify', 'rotate', 'backup', 'restore', 'install-hook',
+  ]);
+  if (!ENFORCING_COMMANDS.has(commandName)) return;
+
+  if (!projectRoot) return;
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) return;
+
+  const sm = loadSessionMeta(projectRoot);
+  if (!sm) return; // No live session → guard has nothing to do.
+  if (sm.meta.source !== 'grant') return; // Owner-passphrase sessions are out of scope.
+  if (!sm.meta.strictWatch) return; // Lenient grants — caller chose lenient.
+
+  const status = readWatcherStatus(projectRoot);
+  if (status.state === 'alive') return; // Healthy supervisor — proceed.
+
+  // Watcher is dead, stale, or missing. Lock + clear session + warn.
+  try {
+    const K = loadSession(projectRoot);
+    if (K) {
+      try {
+        await runLock({ projectRoot, config, K });
+      } catch (_) {
+        // We tried; even if lock failed, still clear the session.
+      }
+    }
+  } finally {
+    clearSession(projectRoot);
+    try { fs.unlinkSync(watchStateFile(projectRoot)); } catch (_) { /* ignore */ }
+  }
+
+  ui.warn(
+    `Watcher was not running (${status.state}) — auto-locked this project. `
+      + `Run \`sealcode redeem <code>\` again to resume.`,
+  );
+  // We don't throw — we let the user's command continue against the now-
+  // locked project. If they were running `unlock`, it will prompt them
+  // for a passphrase (which they don't have for a grant flow), giving
+  // them a clear "this grant has expired on this machine" experience.
+}
+
+module.exports = { runGuard };

package/src/cli-link.js

@@ -87,4 +87,13 @@ function runLinkInfo({ projectRoot, json = false }) {
   );
 }
 
-module.exports = { runLink, runUnlink, runLinkInfo };
+/**
+ * sealcode@1.1.0 helper used by `runLockdown` and other multi-target
+ * project commands. Returns the persisted link object (or null) for the
+ * given project root.
+ */
+function resolveLinkedProject(projectRoot) {
+  return getLink(projectRoot) || null;
+}
+
+module.exports = { runLink, runUnlink, runLinkInfo, resolveLinkedProject };