sealcode 0.1.0

package/src/config.js

@@ -0,0 +1,76 @@
+'use strict';
+
+/**
+ * Project-level config. By convention lives at .sealcoderc.json in the
+ * project root, but it's gitignored — sealcode doesn't *need* the file to
+ * exist after init, since safe defaults are derived from the chosen preset
+ * at lock time.
+ *
+ * Backward-compat: we also read .vaultlinerc.json from projects that were
+ * set up under the old name, so existing users keep working without a manual
+ * migration step.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const CONFIG_FILE = '.sealcoderc.json';
+const LEGACY_CONFIG_FILE = '.vaultlinerc.json';
+const DEFAULT_LOCKED_DIR = 'vendor';
+
+function configPathIfExists(projectRoot) {
+  const newp = path.join(projectRoot, CONFIG_FILE);
+  if (fs.existsSync(newp)) return newp;
+  const oldp = path.join(projectRoot, LEGACY_CONFIG_FILE);
+  if (fs.existsSync(oldp)) return oldp;
+  return null;
+}
+
+function findProjectRoot(startDir) {
+  let dir = path.resolve(startDir);
+  while (true) {
+    if (
+      fs.existsSync(path.join(dir, CONFIG_FILE)) ||
+      fs.existsSync(path.join(dir, LEGACY_CONFIG_FILE))
+    ) {
+      return dir;
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) return path.resolve(startDir);
+    dir = parent;
+  }
+}
+
+function loadConfig(projectRoot) {
+  const file = configPathIfExists(projectRoot);
+  if (!file) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch (err) {
+    throw new Error(`failed to parse ${path.basename(file)}: ${err.message}`);
+  }
+  return { ...parsed, _file: file };
+}
+
+function writeConfig(projectRoot, cfg) {
+  const file = path.join(projectRoot, CONFIG_FILE);
+  const out = { ...cfg };
+  delete out._file;
+  fs.writeFileSync(file, JSON.stringify(out, null, 2) + '\n');
+  return file;
+}
+
+function configExists(projectRoot) {
+  return configPathIfExists(projectRoot) !== null;
+}
+
+module.exports = {
+  CONFIG_FILE,
+  LEGACY_CONFIG_FILE,
+  DEFAULT_LOCKED_DIR,
+  findProjectRoot,
+  loadConfig,
+  writeConfig,
+  configExists,
+};

package/src/crypto.js

@@ -0,0 +1,151 @@
+'use strict';
+
+/**
+ * Crypto core for sealcode.
+ *
+ * Threat model:
+ *   - "Confused AI" attacker: a model or agent scanning the committed repo.
+ *     Must see only opaque random bytes with no structural hints.
+ *   - "Curious human" attacker: a teammate, contractor, or stranger with read
+ *     access to the repo but no key/passphrase. Must be unable to read source.
+ *   - NOT in scope: an attacker who already has the key/passphrase, or who can
+ *     read your laptop's RAM while the project is unlocked.
+ *
+ * Algorithms:
+ *   - AES-256-GCM for symmetric authenticated encryption.
+ *   - gzip before encrypt to remove plaintext patterns and shrink ciphertext.
+ *   - Filenames inside the locked dir are derived by HMAC-SHA256, truncated to
+ *     12 hex chars under a 2-char shard directory. Stable for a given key.
+ *
+ * On-disk blob format (raw binary, no header, no extension):
+ *
+ *   [ 12 B IV ] [ 16 B AES-GCM tag ] [ N B ciphertext ]
+ *
+ * The whole point of the "no header" decision: a blob written by sealcode is
+ * byte-indistinguishable from any other random binary file. `file(1)` reports
+ * "data". `strings(1)` returns nothing useful.
+ */
+
+const crypto = require('crypto');
+const zlib = require('zlib');
+
+const ALGO = 'aes-256-gcm';
+const IV_LEN = 12;
+const TAG_LEN = 16;
+const KEY_LEN = 32;
+const MIN_BLOB_LEN = IV_LEN + TAG_LEN + 1;
+
+function assertKey(key, label = 'key') {
+  if (!Buffer.isBuffer(key) || key.length !== KEY_LEN) {
+    throw new Error(`sealcode ${label} must be a 32-byte Buffer (got ${key && key.length})`);
+  }
+}
+
+/**
+ * AEAD-encrypt arbitrary bytes with gzip compression. Returns raw binary blob.
+ */
+function seal(plaintext, key) {
+  assertKey(key);
+  const buf = Buffer.isBuffer(plaintext) ? plaintext : Buffer.from(plaintext, 'utf8');
+  const compressed = zlib.gzipSync(buf, { level: 9 });
+  const iv = crypto.randomBytes(IV_LEN);
+  const cipher = crypto.createCipheriv(ALGO, key, iv);
+  const enc = Buffer.concat([cipher.update(compressed), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, enc]);
+}
+
+/**
+ * AEAD-decrypt a sealcode blob. Throws on wrong key, corruption, or tampering.
+ */
+function open(blob, key) {
+  assertKey(key);
+  if (!Buffer.isBuffer(blob)) {
+    throw new Error('open() expected a Buffer');
+  }
+  if (blob.length < MIN_BLOB_LEN) {
+    throw new Error('blob too small to be a sealcode file');
+  }
+  const iv = blob.subarray(0, IV_LEN);
+  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ct = blob.subarray(IV_LEN + TAG_LEN);
+  const decipher = crypto.createDecipheriv(ALGO, key, iv);
+  decipher.setAuthTag(tag);
+  let dec;
+  try {
+    dec = Buffer.concat([decipher.update(ct), decipher.final()]);
+  } catch (_err) {
+    throw new Error('SEALCODE_WRONG_KEY');
+  }
+  return zlib.gunzipSync(dec);
+}
+
+/**
+ * Generate a fresh master data key (the "K" that actually encrypts your files).
+ * In practice K is wrapped by passphrase-derived and recovery-derived keys; the
+ * raw K never leaves memory.
+ */
+function makeKey() {
+  return crypto.randomBytes(KEY_LEN);
+}
+
+function randomBytes(n) {
+  return crypto.randomBytes(n);
+}
+
+/**
+ * Stable opaque name for a project-relative path. Same input + same key →
+ * same locked path. Forward-slash normalized so Windows and POSIX checkouts
+ * agree.
+ *
+ * @param {string} originalPath
+ * @param {Buffer} key
+ * @param {string} [ext='']  optional extension (default: none, for stealth)
+ */
+function opaqueName(originalPath, key, ext = '') {
+  assertKey(key);
+  const normalized = String(originalPath).replace(/\\/g, '/');
+  const h = crypto.createHmac('sha256', key).update(normalized).digest('hex');
+  return `_${h.slice(0, 2)}/_${h.slice(2, 14)}${ext || ''}`;
+}
+
+/**
+ * Public, key-less opaque names for meta files (salt + wrapped keys). These
+ * are derived from a sentinel via plain SHA-256 so anyone with the source code
+ * can find them — but the FILES THEMSELVES leak nothing without the key.
+ *
+ * Used during unlock-bootstrap: tool needs to read the salt before it has K.
+ *
+ * IMPORTANT: the literal "vaultline.v1." string below is part of the on-disk
+ * format — every salt/wrap/manifest filename in every existing vault is
+ * derived from it. Changing it would orphan every vault that anyone has ever
+ * created with this tool. The brand on the box changed; the file format
+ * sentinel must not.
+ */
+function metaName(sentinel) {
+  const h = crypto.createHash('sha256').update(`vaultline.v1.${sentinel}`).digest('hex');
+  return `_${h.slice(0, 2)}/_${h.slice(2, 14)}`;
+}
+
+function sha256Hex(input) {
+  return crypto.createHash('sha256').update(input).digest('hex');
+}
+
+function constantTimeEq(a, b) {
+  if (!Buffer.isBuffer(a) || !Buffer.isBuffer(b) || a.length !== b.length) return false;
+  return crypto.timingSafeEqual(a, b);
+}
+
+module.exports = {
+  KEY_LEN,
+  IV_LEN,
+  TAG_LEN,
+  seal,
+  open,
+  makeKey,
+  randomBytes,
+  opaqueName,
+  metaName,
+  sha256Hex,
+  constantTimeEq,
+};

package/src/errors.js

@@ -0,0 +1,111 @@
+'use strict';
+
+/**
+ * Friendly error system. Every CLI error should have:
+ *   - a one-line headline of what went wrong
+ *   - a short paragraph of why
+ *   - a "Try:" suggestion the user can copy-paste
+ *
+ * Sentinel codes (thrown from internal modules) get translated at the CLI
+ * boundary into these structured errors. This keeps internal modules free of
+ * UX strings.
+ */
+
+const CODES = {
+  SEALCODE_NO_KEY: {
+    headline: "I couldn't find your passphrase.",
+    detail:
+      'sealcode needs a passphrase or recovery code to unlock this project. No keyring entry, env var, or saved session was found.',
+    try: 'Try: sealcode unlock                   (you will be prompted)\n     sealcode init                     (if this project is brand new)',
+  },
+  SEALCODE_WRONG_KEY: {
+    headline: 'That passphrase did not work.',
+    detail:
+      "Either the passphrase you typed is wrong, or the locked files have been tampered with. Sealcode doesn't say which to keep guessing expensive.",
+    try: 'Try: sealcode unlock --recovery        (use your recovery code instead)',
+  },
+  SEALCODE_NO_MANIFEST: {
+    headline: "This folder doesn't look like a sealcode project.",
+    detail:
+      "I couldn't find a sealcode manifest. Either this project has never been locked, or you're running from the wrong directory.",
+    try: 'Try: cd into the project root\n     sealcode init                     (if the project has never been locked)',
+  },
+  SEALCODE_ALREADY_INIT: {
+    headline: 'This project already has a sealcode vault.',
+    detail:
+      "There's an existing vault here. Re-running `init` would overwrite it and orphan your locked files — refusing.",
+    try: 'Try: sealcode status                   (see what state you are in)\n     sealcode reset --force            (start over; DELETES locked files)',
+  },
+  SEALCODE_INIT_NEEDS_TTY: {
+    headline: 'sealcode init needs an interactive terminal.',
+    detail:
+      'The init wizard prompts for a passphrase. Run it from a real terminal, not a pipe or CI job. For non-interactive setup, pre-set SEALCODE_PASSPHRASE.',
+    try: 'Try: SEALCODE_PASSPHRASE="..." sealcode init --noninteractive',
+  },
+  SEALCODE_NOTHING_TO_LOCK: {
+    headline: "I couldn't find any files to lock.",
+    detail:
+      'None of your include patterns matched. Either the project is empty or the patterns in .sealcoderc.json need adjusting.',
+    try: 'Try: sealcode status                   (see what is on disk)\n     edit .sealcoderc.json             (review include / exclude patterns)',
+  },
+  SEALCODE_PRO_FEATURE: {
+    headline: 'That feature is part of sealcode Pro.',
+    detail:
+      'The free CLI handles lock / unlock / verify forever. Pro adds team key sharing, key rotation across N projects, audit log sync, and cloud key escrow.',
+    try: 'Try: visit https://sealcode.dev/pro     (start a free 14-day trial)',
+  },
+};
+
+class SealcodeError extends Error {
+  constructor(code, { detail, hint } = {}) {
+    const meta = CODES[code] || {
+      headline: code,
+      detail: detail || 'Unknown error.',
+      try: hint || '',
+    };
+    super(meta.headline);
+    this.code = code;
+    this.headline = meta.headline;
+    this.detail = detail || meta.detail;
+    this.tryHint = hint || meta.try;
+  }
+}
+
+function isSealcodeCode(s) {
+  return typeof s === 'string' && /^SEALCODE_/.test(s);
+}
+
+/**
+ * Render a friendly error to stderr. Returns the exit code.
+ */
+function reportError(err) {
+  const isSC = err instanceof SealcodeError;
+  // Sentinel codes thrown deep inside modules surface here as Error.message.
+  const code = isSC ? err.code : isSealcodeCode(err.message) ? err.message : null;
+  let meta;
+  if (code && CODES[code]) {
+    meta = CODES[code];
+  } else if (isSC) {
+    meta = { headline: err.headline, detail: err.detail, try: err.tryHint };
+  } else {
+    meta = {
+      headline: err.message || 'Something went wrong.',
+      detail: process.env.SEALCODE_DEBUG ? err.stack || '' : '',
+      try: '',
+    };
+  }
+  const lines = [];
+  lines.push('');
+  lines.push(`✗ ${meta.headline}`);
+  if (meta.detail) lines.push('');
+  if (meta.detail) lines.push(`  ${meta.detail}`);
+  if (meta.try) {
+    lines.push('');
+    lines.push(meta.try.split('\n').map((l) => `  ${l}`).join('\n'));
+  }
+  lines.push('');
+  process.stderr.write(lines.join('\n'));
+  return 1;
+}
+
+module.exports = { SealcodeError, reportError, CODES };

package/src/hooks.js

@@ -0,0 +1,127 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const MARK_BEGIN = '### sealcode begin';
+const MARK_END = '### sealcode end';
+// Legacy markers from vaultline 1.x; installHook strips these so the new
+// block replaces the old cleanly, and uninstallHook can clean them up too.
+const LEGACY_MARK_BEGIN = '### vaultline begin';
+const LEGACY_MARK_END = '### vaultline end';
+
+/**
+ * Find the `.git` directory starting from `startDir` (usually project root).
+ * @param {string} startDir
+ * @returns {string|null}
+ */
+function findGitDir(startDir) {
+  let dir = path.resolve(startDir);
+  while (true) {
+    const git = path.join(dir, '.git');
+    if (fs.existsSync(git)) {
+      const st = fs.statSync(git);
+      if (st.isDirectory()) return git;
+      // git worktree: .git is a file pointing to the real dir
+      if (st.isFile()) {
+        const content = fs.readFileSync(git, 'utf8').trim();
+        const m = content.match(/^gitdir:\s*(.+)$/);
+        if (m) {
+          const real = path.resolve(path.dirname(git), m[1]);
+          if (fs.existsSync(real)) return real;
+        }
+      }
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+
+/**
+ * Install the pre-commit hook. Idempotent: replaces only the sealcode block
+ * (and any legacy vaultline block left over from an older install).
+ */
+function installHook(projectRoot) {
+  const gitDir = findGitDir(projectRoot);
+  if (!gitDir) {
+    throw new Error('No .git directory found above this folder. Run `git init` first.');
+  }
+  const hookPath = path.join(gitDir, 'hooks', 'pre-commit');
+  ensureHooksDir(gitDir);
+
+  const block = [
+    MARK_BEGIN,
+    'sealcode_check() {',
+    '  ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" || return 0',
+    '  cd "$ROOT" || return 0',
+    '  if command -v sealcode >/dev/null 2>&1; then',
+    '    sealcode status --check || exit 1',
+    '  elif command -v npx >/dev/null 2>&1; then',
+    '    npx --yes sealcode@latest status --check || exit 1',
+    '  else',
+    '    echo "sealcode: install the CLI (npm i -g sealcode) or npx for pre-commit checks." >&2',
+    '    exit 1',
+    '  fi',
+    '}',
+    'sealcode_check',
+    MARK_END,
+    '',
+  ].join('\n');
+
+  let base = '';
+  if (fs.existsSync(hookPath)) {
+    base = fs.readFileSync(hookPath, 'utf8');
+    if (base.includes(MARK_BEGIN)) {
+      base = stripBlock(base, MARK_BEGIN, MARK_END);
+    }
+    if (base.includes(LEGACY_MARK_BEGIN)) {
+      base = stripBlock(base, LEGACY_MARK_BEGIN, LEGACY_MARK_END);
+    }
+  } else {
+    base = '#!/bin/sh\n';
+  }
+
+  if (!base.startsWith('#!')) {
+    base = '#!/bin/sh\n' + base;
+  }
+
+  const merged = base.trimEnd() + '\n\n' + block;
+  fs.writeFileSync(hookPath, merged, { mode: 0o755 });
+  return hookPath;
+}
+
+function uninstallHook(projectRoot) {
+  const gitDir = findGitDir(projectRoot);
+  if (!gitDir) return { removed: false, reason: 'no .git' };
+  const hookPath = path.join(gitDir, 'hooks', 'pre-commit');
+  if (!fs.existsSync(hookPath)) return { removed: false, reason: 'no hook' };
+  let content = fs.readFileSync(hookPath, 'utf8');
+  const hasNew = content.includes(MARK_BEGIN);
+  const hasOld = content.includes(LEGACY_MARK_BEGIN);
+  if (!hasNew && !hasOld) return { removed: false, reason: 'no sealcode block' };
+  if (hasNew) content = stripBlock(content, MARK_BEGIN, MARK_END);
+  if (hasOld) content = stripBlock(content, LEGACY_MARK_BEGIN, LEGACY_MARK_END);
+  if (content.trim().length === 0 || content === '#!/bin/sh\n') {
+    fs.unlinkSync(hookPath);
+    return { removed: true, file: hookPath };
+  }
+  fs.writeFileSync(hookPath, content, { mode: 0o755 });
+  return { removed: true, file: hookPath };
+}
+
+function ensureHooksDir(gitDir) {
+  const hooks = path.join(gitDir, 'hooks');
+  fs.mkdirSync(hooks, { recursive: true });
+}
+
+function stripBlock(text, begin, end) {
+  const start = text.indexOf(begin);
+  const stop = text.indexOf(end);
+  if (start === -1 || stop === -1) return text;
+  const before = text.slice(0, start);
+  const after = text.slice(stop + end.length);
+  return before + after.replace(/^\n+/, '');
+}
+
+module.exports = { findGitDir, installHook, uninstallHook };

package/src/index.js

@@ -0,0 +1,19 @@
+'use strict';
+
+// Library entrypoint — lets other tools (and the eventual Pro features) build
+// on the sealcode core without shelling out to the CLI.
+
+module.exports = {
+  ...require('./crypto'),
+  ...require('./kdf'),
+  ...require('./recovery'),
+  ...require('./presets'),
+  ...require('./config'),
+  ...require('./keystore'),
+  ...require('./manifest'),
+  ...require('./seal'),
+  ...require('./open'),
+  ...require('./verify'),
+  ...require('./status'),
+  cli: require('./cli'),
+};

package/src/init.js

@@ -0,0 +1,180 @@
+'use strict';
+
+/**
+ * `sealcode init` — the wizard. Run interactively to set up a new project:
+ *
+ *   1. Detect ecosystem and propose a preset.
+ *   2. Let user confirm or pick a different preset.
+ *   3. Prompt for passphrase (twice). Show strength rating.
+ *   4. Generate recovery code, display it ONCE, require explicit ack.
+ *   5. Write .sealcoderc.json (gitignored).
+ *   6. Add sealcode-related lines to .gitignore.
+ *   7. (Caller proceeds to the first lock.)
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { detectPreset, listPresets, getPreset } = require('./presets');
+const { writeConfig, configExists, CONFIG_FILE } = require('./config');
+const { passphraseStrength } = require('./kdf');
+const { makeRecoveryCode } = require('./recovery');
+const { isInitialized } = require('./keystore');
+const { SealcodeError } = require('./errors');
+const { question, confirm, hidden, select } = require('./prompt');
+
+const GITIGNORE_BLOCK = `
+# sealcode — local-only files (never commit)
+.sealcoderc.json
+.sealcode.key
+.vault.local
+# legacy paths from vaultline 1.x
+.vaultlinerc.json
+.vaultline.key
+`;
+
+function passphraseFromEnv() {
+  return process.env.SEALCODE_PASSPHRASE || process.env.VAULTLINE_PASSPHRASE || '';
+}
+
+function appendGitignoreOnce(projectRoot) {
+  const file = path.join(projectRoot, '.gitignore');
+  const lines = fs.existsSync(file) ? fs.readFileSync(file, 'utf8') : '';
+  if (lines.includes('.sealcoderc.json')) return false;
+  fs.writeFileSync(file, lines + (lines.endsWith('\n') || lines === '' ? '' : '\n') + GITIGNORE_BLOCK);
+  return true;
+}
+
+async function pickPreset(projectRoot, { suggestedId, noninteractive = false } = {}) {
+  const guess = suggestedId ? getPreset(suggestedId) : detectPreset(projectRoot);
+  process.stdout.write(`\nDetected ecosystem: ${guess.label} (${guess.id})\n`);
+  if (noninteractive) {
+    process.stdout.write('  (non-interactive: accepting detected preset)\n');
+    return guess;
+  }
+  const keep = await confirm('Use this preset?', { default: true });
+  if (keep) return guess;
+  const all = listPresets();
+  const choice = await select(
+    '\nPick a preset:',
+    all.map((p) => ({ value: p.id, label: `${p.label}  (${p.id})` })),
+    all.findIndex((p) => p.id === guess.id)
+  );
+  return getPreset(choice);
+}
+
+async function askPassphrase() {
+  while (true) {
+    const pp = await hidden('Choose a passphrase:');
+    if (!pp) {
+      process.stdout.write('  Passphrase cannot be empty. Try again.\n');
+      continue;
+    }
+    const strength = passphraseStrength(pp);
+    if (strength.level === 'weak') {
+      process.stdout.write(`  ⚠  Weak passphrase: ${strength.reason}.\n`);
+      const ok = await confirm('     Use it anyway?', { default: false });
+      if (!ok) continue;
+    } else if (strength.level === 'ok') {
+      process.stdout.write(`  ✓ Strength: ok (${strength.reason}).\n`);
+    } else {
+      process.stdout.write('  ✓ Strength: strong.\n');
+    }
+    const again = await hidden('Confirm passphrase:');
+    if (again !== pp) {
+      process.stdout.write('  Passphrases did not match. Try again.\n');
+      continue;
+    }
+    return pp;
+  }
+}
+
+async function showRecoveryCode(code) {
+  const banner = '─'.repeat(60);
+  process.stdout.write('\n' + banner + '\n');
+  process.stdout.write('RECOVERY CODE — write this down NOW. We never show it again.\n');
+  process.stdout.write('If you lose your passphrase, this is the only way back.\n\n');
+  process.stdout.write(`    ${code}\n\n`);
+  process.stdout.write('Suggested places to keep it:\n');
+  process.stdout.write('  • Your password manager (1Password / Bitwarden)\n');
+  process.stdout.write('  • A printed sheet in a drawer\n');
+  process.stdout.write('  • A hardware key / encrypted USB\n');
+  process.stdout.write(banner + '\n\n');
+  while (true) {
+    const ack = await question('Type the word "saved" to confirm you stored it');
+    if (ack.toLowerCase() === 'saved') return;
+    process.stdout.write('  Please type "saved" to continue.\n');
+  }
+}
+
+/**
+ * Drive the full init flow. Returns the config + secrets the caller uses to
+ * bootstrap the keystore and run the first lock.
+ *
+ * @param {Object} opts
+ * @param {string} opts.projectRoot
+ * @param {string} [opts.presetId]    optional override
+ * @param {boolean} [opts.force]      overwrite an existing vault
+ */
+async function runInit({ projectRoot, presetId, force = false, noninteractive = false }) {
+  const ni =
+    noninteractive ||
+    !!process.env.SEALCODE_NONINTERACTIVE ||
+    !!process.env.VAULTLINE_NONINTERACTIVE;
+  const envPassphrase = passphraseFromEnv();
+  if (!ni && !process.stdin.isTTY && !envPassphrase) {
+    throw new SealcodeError('SEALCODE_INIT_NEEDS_TTY');
+  }
+  if (!force) {
+    if (configExists(projectRoot)) {
+      throw new SealcodeError('SEALCODE_ALREADY_INIT', {
+        detail: `Found ${CONFIG_FILE} at ${projectRoot}. Init refuses to clobber.`,
+      });
+    }
+    const preset = presetId ? getPreset(presetId) : detectPreset(projectRoot);
+    if (isInitialized(projectRoot, preset.lockedDir)) {
+      throw new SealcodeError('SEALCODE_ALREADY_INIT', {
+        detail: `Found an existing vault at ${path.join(projectRoot, preset.lockedDir)}.`,
+      });
+    }
+  }
+
+  process.stdout.write(`\nsealcode · setting up ${projectRoot}\n`);
+
+  const preset = await pickPreset(projectRoot, { suggestedId: presetId, noninteractive: ni });
+
+  // Passphrase
+  let passphrase;
+  if (envPassphrase) {
+    passphrase = envPassphrase;
+    const source = process.env.SEALCODE_PASSPHRASE ? 'SEALCODE_PASSPHRASE' : 'VAULTLINE_PASSPHRASE';
+    process.stdout.write(`Using passphrase from ${source}.\n`);
+  } else {
+    passphrase = await askPassphrase();
+  }
+
+  const { seed: recoverySeed, code: recoveryCode } = makeRecoveryCode();
+
+  // Persist the config (gitignored).
+  const cfg = {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+  };
+  writeConfig(projectRoot, cfg);
+  appendGitignoreOnce(projectRoot);
+
+  // Show recovery code AFTER config is written but BEFORE caller locks files,
+  // so the user has the code by the time anything dangerous happens.
+  if (ni) {
+    process.stdout.write(`RECOVERY_CODE=${recoveryCode}\n`);
+  } else {
+    await showRecoveryCode(recoveryCode);
+  }
+
+  return { config: cfg, preset, passphrase, recoverySeed, recoveryCode };
+}
+
+module.exports = { runInit };