sealcode 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 sealcode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,202 @@
+# sealcode
+
+> Lock your source code inside your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.
+
+```bash
+npm install -g sealcode
+```
+
+> **Renamed from `vaultline`.** Existing vaults keep working unchanged — the on-disk format is unchanged, `.vaultlinerc.json` is still read, and `VAULTLINE_PASSPHRASE` is still accepted as a fallback.
+
+## What problem does this solve?
+
+You push code to a private repo. You think it's safe. But anyone (or any AI) with read access to that repo — a contractor, a teammate's compromised laptop, a future Copilot indexing run, a leak — can read every line.
+
+**sealcode** wraps your source files in AES-256-GCM ciphertext before they touch git. Your repo becomes a folder of opaque binary blobs with a stub `package.json`. To anyone without your passphrase, your codebase is uniformly random bytes.
+
+To you, one command brings it all back:
+
+```bash
+sealcode unlock      # readable code is restored
+# ... edit ...
+sealcode lock        # back to ciphertext
+git commit && git push
+```
+
+## Quickstart (60 seconds)
+
+```bash
+cd your-project
+sealcode init                 # interactive wizard
+# 1. Auto-detects your stack (Node, Python, Go, Rust, Ruby, PHP, Java, ...)
+# 2. Picks safe include/exclude defaults
+# 3. Asks for a passphrase
+# 4. Shows a recovery code — write it down ONCE
+# 5. Locks every source file immediately
+
+git add . && git commit -m "vault initialized" && git push
+```
+
+When you want to work on it:
+
+```bash
+sealcode unlock
+npm install
+npm run dev
+```
+
+When you're done:
+
+```bash
+sealcode lock
+git commit && git push
+```
+
+## Why this beats `git-crypt`, `git-secret`, `sops`, etc.
+
+| | sealcode | git-crypt | git-secret | sops |
+|---|---|---|---|---|
+| Encrypts whole files (not just diffs) | ✅ | partial | ✅ | ❌ (values only) |
+| Filenames hidden | ✅ | ❌ | ❌ | ❌ |
+| Repo metadata hidden (package.json, deps) | ✅ | ❌ | ❌ | ❌ |
+| Passphrase-based (no GPG keyring) | ✅ | ❌ | ❌ | partial |
+| Recovery code if you lose passphrase | ✅ | ❌ | ❌ | ❌ |
+| Works on any language/stack | ✅ | ✅ | ✅ | ✅ |
+| Auto-detects your ecosystem | ✅ | ❌ | ❌ | ❌ |
+| Built-in drift detection | ✅ | ❌ | ❌ | ❌ |
+
+The big one: **sealcode hides that your code exists at all**. Other tools encrypt the files but leave the folder structure, the filenames, and the `package.json` (with every telltale dependency) in plain view.
+
+## Commands
+
+```
+sealcode init            # one-time setup; interactive wizard
+sealcode lock            # encrypt source → vendor/ blobs (removes plaintext)
+sealcode unlock          # decrypt blobs → restore source (removes stubs)
+sealcode verify          # confirm every blob decrypts & matches its hash
+sealcode status          # show locked/unlocked + drift since last lock
+sealcode status --check  # exit 1 if unlocked with drift (used by git hook)
+sealcode status --json   # machine-readable state (editors / scripts)
+sealcode rotate          # change passphrase (blobs unchanged); env: SEALCODE_OLD_PASSPHRASE / SEALCODE_NEW_PASSPHRASE
+sealcode backup <dir>    # copy locked vault + config snapshot to a new folder
+sealcode restore <dir>   # restore from backup (use --force if locked dir exists)
+sealcode install-hook    # git pre-commit: block commits when unlocked + drift
+sealcode uninstall-hook  # remove hook block
+sealcode panic           # immediate re-lock + session wipe
+sealcode logout          # clear cached session, force passphrase next time
+sealcode presets         # list supported ecosystems
+sealcode pro             # Pro tier info
+sealcode where           # debug: print paths and state (no secrets)
+```
+
+Aliases: `sc`, `sealcode seal` = `lock`, `sealcode open` = `unlock`.
+
+### Editor support
+
+A VS Code companion lives in `tools/vaultline-vscode/` — it shows the current lock state in the status bar when the CLI is on your `PATH`. (Rename in flight; the extension itself works against either `sealcode` or `vaultline` on `PATH`.)
+
+### CI (GitHub Actions)
+
+```yaml
+- run: npm install -g sealcode
+- env:
+    SEALCODE_PASSPHRASE: ${{ secrets.SEALCODE_PASSPHRASE }}
+  run: |
+    sealcode unlock
+    npm install --omit=dev
+    npm run build
+```
+
+## Supported stacks (auto-detected)
+
+| Marker file | Preset | Locked dir |
+|---|---|---|
+| `package.json` (no Next config) | Node.js / TypeScript | `vendor/` |
+| `next.config.*` | Next.js | `vendor/` |
+| `requirements.txt` / `pyproject.toml` / `setup.py` | Python | `_site_packages/` |
+| `manage.py` | Django | `_site_packages/` |
+| `go.mod` | Go | `internal/sealed/` |
+| `Cargo.toml` | Rust | `target/.cache/` |
+| `Gemfile` | Ruby on Rails | `vendor/sealed/` |
+| `composer.json` | PHP / Laravel | `storage/sealed/` |
+| `pom.xml` / `build.gradle*` | Java / JVM | `.sealed/` |
+| (none of the above) | generic | `vendor/` |
+
+Each preset uses a `lockedDir` name that looks native to its ecosystem — Go projects don't get a suspicious folder called `locked/`, they get `internal/sealed/`. Stealth by camouflage.
+
+## How the crypto works (the short version)
+
+- **Algorithm:** AES-256-GCM with a random 12-byte IV per blob; gzip before encrypt.
+- **Key derivation:** scrypt(passphrase, salt) → 32-byte wrapping key, N=2^17, r=8, p=1 (~1s, ~128MB).
+- **Master data key:** randomly generated, stored on disk wrapped twice — once by your passphrase, once by a 128-bit recovery seed (the 30-char recovery code you wrote down at init).
+- **File-on-disk format:** `[12B IV][16B GCM tag][ciphertext]` with no header bytes. Indistinguishable from random data.
+- **Filenames inside `vendor/`:** HMAC-SHA256 of the path, sharded by first 2 hex chars, truncated to 12. Stable across re-locks, indistinguishable across files.
+- **No `# CV1` or other text signatures** that would let `file(1)` / scrapers / AI identify the format.
+
+## Where does the passphrase live?
+
+Wherever you put it. The tool checks:
+
+1. Cached session (~8h after last unlock — stored at `~/.sealcode/sessions/<id>`, encrypted with a host-binding key)
+2. `SEALCODE_PASSPHRASE` env var (use in CI). `VAULTLINE_PASSPHRASE` is accepted as a fallback for projects upgrading from vaultline 1.x.
+3. Interactive prompt
+
+**sealcode never writes your passphrase to disk in any recoverable form.** Lose your passphrase AND your recovery code, and your code is gone. We can't help you. That's not a bug — it's the entire point.
+
+Back up your recovery code in:
+- a password manager (1Password / Bitwarden as a secure note)
+- a printed sheet
+- an encrypted USB / hardware key
+
+## CI / deploy
+
+```yaml
+# GitHub Actions
+- run: npm install -g sealcode
+- env:
+    SEALCODE_PASSPHRASE: ${{ secrets.SEALCODE_PASSPHRASE }}
+  run: |
+    sealcode unlock
+    npm install --omit=dev
+    npm run build       # produces dist/main.js
+- run: rsync dist/ user@server:/app/dist/
+```
+
+Your production server never sees the passphrase or the vault. It only runs the built `dist/`.
+
+## Pro features (coming soon)
+
+The free CLI handles lock / unlock / verify forever. **sealcode Pro** adds:
+
+- **Team key sharing** — invite teammates, no passphrase exchange needed
+- **Key rotation across N projects** with one command
+- **Audit log** — see who unlocked what, when
+- **Cloud key escrow** — passphrase recovery via account auth
+- **Temporary access codes** — time-boxed, revocable read access to a project
+- **CI/CD tokens** — short-lived deploy keys, no long-lived secrets in Actions
+
+Start a 14-day trial at [sealcode.dev/pro](https://sealcode.dev/pro).
+
+## FAQ
+
+**Does this affect git diffs?**
+Yes — `vendor/` blobs change every lock (random IV). For human review, diff your *local* unlocked tree before locking. A `sealcode diff <commit>` command is on the Pro roadmap.
+
+**Can I encrypt only some files?**
+Yes — edit `.sealcoderc.json`'s `include` array.
+
+**Does it work on Windows?**
+Yes. Forward-slash normalization in opaque names; tested on macOS, Linux, Windows.
+
+**What's the perf cost?**
+First unlock with passphrase: ~1s (scrypt). Subsequent commands within 8h: <100ms (cached session). Lock/unlock of a 1000-file repo: ~2s.
+
+**Is this audited?**
+Not formally. The crypto is standard primitives (AES-256-GCM, scrypt) used in their textbook configurations. Audit yourself at the repo. We'll fund a formal audit once revenue supports it.
+
+**I had `vaultline` installed before — do I lose my vault?**
+No. The on-disk format is unchanged. `sealcode` reads any existing `.vaultlinerc.json`, your old `~/.vaultline/sessions/` cache, and `VAULTLINE_PASSPHRASE` env var. On the next `sealcode lock` the project will start writing the new config name (`.sealcoderc.json`), but the encrypted blobs themselves never need to be re-encrypted.
+
+## License
+
+MIT. See [LICENSE](./LICENSE).

package/bin/sealcode.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+'use strict';
+
+const { run } = require('../src/cli');
+
+run(process.argv).catch((err) => {
+  // Last-resort error path; cli.js handles known errors with friendly output.
+  process.stderr.write((err && err.stack) || String(err));
+  process.stderr.write('\n');
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "sealcode",
+  "version": "0.1.0",
+  "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
+  "keywords": [
+    "encryption",
+    "source-code",
+    "privacy",
+    "git",
+    "ai-privacy",
+    "obfuscation",
+    "vault",
+    "secrets",
+    "code-protection",
+    "intellectual-property",
+    "encrypt",
+    "lock",
+    "seal",
+    "sealcode"
+  ],
+  "homepage": "https://sealcode.dev",
+  "bugs": {
+    "url": "https://github.com/sealcode/sealcode/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sealcode/sealcode.git"
+  },
+  "license": "MIT",
+  "author": "sealcode",
+  "main": "src/index.js",
+  "bin": {
+    "sealcode": "bin/sealcode.js",
+    "sc": "bin/sealcode.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "test": "node test/roundtrip.js",
+    "selftest": "node test/roundtrip.js"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "commander": "^12.1.0",
+    "fast-glob": "^3.3.2"
+  }
+}

package/src/api.js

@@ -0,0 +1,162 @@
+'use strict';
+
+/**
+ * Sealcode CLI ↔ web app glue.
+ *
+ *   - Credentials live at ~/.sealcode/credentials.json (mode 0600).
+ *   - Bearer token is sent on every authenticated request.
+ *   - `apiUrl` is read from credentials, then SEALCODE_API_URL, then a default.
+ *
+ * The credentials file is intentionally minimal: it stores who is logged in
+ * (so `sealcode whoami` works offline) and the long-lived token. We never
+ * cache project lists or grants there.
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const pkg = require('../package.json');
+
+const CONFIG_DIR = path.join(os.homedir(), '.sealcode');
+const CREDS_PATH = path.join(CONFIG_DIR, 'credentials.json');
+const DEFAULT_API_URL = 'https://sealcode.dev';
+
+function defaultApiUrl() {
+  return process.env.SEALCODE_API_URL || DEFAULT_API_URL;
+}
+
+function readCreds() {
+  try {
+    if (!fs.existsSync(CREDS_PATH)) return null;
+    const raw = fs.readFileSync(CREDS_PATH, 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object') return null;
+    return parsed;
+  } catch (_) {
+    return null;
+  }
+}
+
+function writeCreds(creds) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  // Write to a temp file then rename so a partial write can't leave a corrupt
+  // credentials file behind.
+  const tmp = CREDS_PATH + '.tmp';
+  fs.writeFileSync(tmp, JSON.stringify(creds, null, 2) + '\n', { mode: 0o600 });
+  try {
+    fs.chmodSync(tmp, 0o600);
+  } catch (_) { /* ignore on Windows */ }
+  fs.renameSync(tmp, CREDS_PATH);
+}
+
+function clearCreds() {
+  try {
+    fs.unlinkSync(CREDS_PATH);
+  } catch (_) { /* ignore */ }
+}
+
+function getApiUrl() {
+  // Env var wins so test setups can point at a local dev server without
+  // editing credentials.
+  if (process.env.SEALCODE_API_URL) return process.env.SEALCODE_API_URL;
+  const c = readCreds();
+  return (c && c.apiUrl) || DEFAULT_API_URL;
+}
+
+function getToken() {
+  if (process.env.SEALCODE_TOKEN) return process.env.SEALCODE_TOKEN;
+  const c = readCreds();
+  return c && c.token ? c.token : null;
+}
+
+function clientInfo() {
+  return {
+    hostname: os.hostname(),
+    platform: `${os.platform()}-${os.arch()}`,
+    cliVersion: pkg.version,
+  };
+}
+
+class ApiError extends Error {
+  constructor(status, code, message, raw) {
+    super(message);
+    this.status = status;
+    this.apiCode = code;
+    this.raw = raw;
+  }
+}
+
+async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
+  const base = apiUrl || getApiUrl();
+  const url = new URL(urlPath, base).toString();
+  const headers = {
+    'content-type': 'application/json',
+    'user-agent': `sealcode/${pkg.version}`,
+    accept: 'application/json',
+  };
+  if (auth) {
+    const token = getToken();
+    if (!token) {
+      throw new ApiError(
+        401,
+        'unauthenticated',
+        'You are not logged in. Run `sealcode login` first.',
+      );
+    }
+    headers.authorization = `Bearer ${token}`;
+  }
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method,
+      headers,
+      body: body == null ? undefined : JSON.stringify(body),
+    });
+  } catch (err) {
+    throw new ApiError(
+      0,
+      'network',
+      `Could not reach ${base}: ${err.message || err}.`,
+    );
+  }
+
+  const ct = res.headers.get('content-type') || '';
+  let parsed = null;
+  if (ct.includes('application/json')) {
+    try {
+      parsed = await res.json();
+    } catch {
+      parsed = null;
+    }
+  } else {
+    try {
+      parsed = { text: await res.text() };
+    } catch {
+      parsed = null;
+    }
+  }
+
+  if (!res.ok) {
+    const code = (parsed && parsed.error && parsed.error.code) || 'http_error';
+    const message =
+      (parsed && parsed.error && parsed.error.message) ||
+      `${method} ${urlPath} → HTTP ${res.status}`;
+    throw new ApiError(res.status, code, message, parsed);
+  }
+  return parsed || {};
+}
+
+module.exports = {
+  ApiError,
+  CONFIG_DIR,
+  CREDS_PATH,
+  defaultApiUrl,
+  readCreds,
+  writeCreds,
+  clearCreds,
+  getApiUrl,
+  getToken,
+  clientInfo,
+  request,
+};

package/src/bundle.js

@@ -0,0 +1,133 @@
+'use strict';
+
+/**
+ * Portable backup of a sealcode project's locked directory + config snapshot.
+ *
+ * `export` writes a directory:
+ *   <dest>/
+ *     manifest.json       — metadata (sealcode version, lockedDir, paths)
+ *     locked/             — recursive copy of the locked dir on disk
+ *
+ * `import` copies `locked/` from a bundle back into the project and optionally
+ * restores `.sealcoderc.json` if present in the bundle.
+ *
+ * Backward-compat: bundles produced by vaultline 1.x carry a
+ * `vaultlinerc.json.bak` snapshot under the same scheme — we read that too
+ * and restore it as `.sealcoderc.json` on import.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const pkg = require('../package.json');
+const { CONFIG_FILE, LEGACY_CONFIG_FILE } = require('./config');
+
+const CONFIG_BAK_NAME = 'sealcoderc.json.bak';
+const LEGACY_CONFIG_BAK_NAME = 'vaultlinerc.json.bak';
+
+function copyDirRecursive(src, dest) {
+  fs.mkdirSync(dest, { recursive: true });
+  for (const name of fs.readdirSync(src)) {
+    const s = path.join(src, name);
+    const d = path.join(dest, name);
+    const st = fs.statSync(s);
+    if (st.isDirectory()) copyDirRecursive(s, d);
+    else fs.copyFileSync(s, d);
+  }
+}
+
+function rmDir(dir) {
+  fs.rmSync(dir, { recursive: true, force: true });
+}
+
+/**
+ * @param {string} projectRoot
+ * @param {object} config  — active config with lockedDir
+ * @param {string} dest    — path to output folder (created)
+ */
+async function exportBundle(projectRoot, config, dest) {
+  const absDest = path.resolve(dest);
+  const lockedDir = config.lockedDir;
+  const lockedSrc = path.join(projectRoot, lockedDir);
+  if (!fs.existsSync(lockedSrc)) {
+    throw new Error(`sealcode: locked directory not found: ${lockedSrc}`);
+  }
+  if (fs.existsSync(absDest)) {
+    throw new Error(`sealcode: destination already exists: ${absDest}`);
+  }
+
+  fs.mkdirSync(absDest, { recursive: true });
+  const bundleLocked = path.join(absDest, 'locked');
+  copyDirRecursive(lockedSrc, bundleLocked);
+
+  // Prefer the new config; fall back to a legacy file from a not-yet-migrated
+  // project so a backup taken right after install still captures the config.
+  let cfgPath = path.join(projectRoot, CONFIG_FILE);
+  if (!fs.existsSync(cfgPath)) cfgPath = path.join(projectRoot, LEGACY_CONFIG_FILE);
+
+  let configSnapshot = null;
+  if (fs.existsSync(cfgPath)) {
+    configSnapshot = fs.readFileSync(cfgPath, 'utf8');
+  }
+
+  const meta = {
+    v: 1,
+    sealcode: pkg.version,
+    lockedDir,
+    createdAt: new Date().toISOString(),
+    hasSealcoderc: configSnapshot != null,
+  };
+  fs.writeFileSync(path.join(absDest, 'manifest.json'), JSON.stringify(meta, null, 2) + '\n', 'utf8');
+  if (configSnapshot) {
+    fs.writeFileSync(path.join(absDest, CONFIG_BAK_NAME), configSnapshot, 'utf8');
+  }
+
+  return { path: absDest, meta };
+}
+
+/**
+ * @param {string} projectRoot
+ * @param {string} bundlePath  — folder produced by exportBundle
+ * @param {{ force?: boolean }} opts
+ */
+async function importBundle(projectRoot, bundlePath, opts = {}) {
+  const abs = path.resolve(bundlePath);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
+    throw new Error(`sealcode: bundle not found: ${abs}`);
+  }
+  const manPath = path.join(abs, 'manifest.json');
+  if (!fs.existsSync(manPath)) {
+    throw new Error('sealcode: bundle missing manifest.json');
+  }
+  const meta = JSON.parse(fs.readFileSync(manPath, 'utf8'));
+  const lockedDir = meta.lockedDir;
+  if (!lockedDir || typeof lockedDir !== 'string') {
+    throw new Error('sealcode: bundle manifest missing lockedDir');
+  }
+  const bundleLocked = path.join(abs, 'locked');
+  if (!fs.existsSync(bundleLocked)) {
+    throw new Error('sealcode: bundle missing locked/ directory');
+  }
+
+  const destLocked = path.join(projectRoot, lockedDir);
+  if (fs.existsSync(destLocked)) {
+    if (!opts.force) {
+      throw new Error(
+        `sealcode: ${destLocked} already exists. Pass --force to replace (DANGER).`
+      );
+    }
+    rmDir(destLocked);
+  }
+  copyDirRecursive(bundleLocked, destLocked);
+
+  // Prefer the new bak name; fall back to the legacy one. Either way we
+  // restore as the new .sealcoderc.json on the project side.
+  let bak = path.join(abs, CONFIG_BAK_NAME);
+  if (!fs.existsSync(bak)) bak = path.join(abs, LEGACY_CONFIG_BAK_NAME);
+  if (fs.existsSync(bak)) {
+    fs.copyFileSync(bak, path.join(projectRoot, CONFIG_FILE));
+  }
+
+  return { lockedDir, meta };
+}
+
+module.exports = { exportBundle, importBundle };