sealcode 0.1.0

package/src/kdf.js

@@ -0,0 +1,83 @@
+'use strict';
+
+/**
+ * Key derivation for sealcode.
+ *
+ * A user-typeable passphrase isn't a key. We run it through scrypt with strong
+ * parameters to produce a 32-byte key suitable for AES-GCM.
+ *
+ * Scrypt parameters (per OWASP 2024 / RFC 9106 ballpark for password hashing):
+ *   N = 2^17 (131072), r = 8, p = 1
+ *   memory cost: ~128 MB. CPU cost: ~1s on a modern laptop.
+ *
+ * This makes brute-forcing a stolen sealcode directory wildly expensive even
+ * for a weak passphrase. Strong passphrases remain infeasible.
+ */
+
+const crypto = require('crypto');
+const { promisify } = require('util');
+
+const scryptAsync = promisify(crypto.scrypt);
+
+const SCRYPT_OPTS = {
+  N: 1 << 17, // 131072
+  r: 8,
+  p: 1,
+  maxmem: 256 * 1024 * 1024, // 256 MB ceiling
+};
+
+const KEY_LEN = 32;
+const SALT_LEN = 16;
+
+/**
+ * Derive a 32-byte key from a passphrase + salt.
+ * @param {string} passphrase - user-typed passphrase or hex-encoded recovery seed
+ * @param {Buffer} salt       - 16 random bytes; non-secret, stored in the locked dir
+ * @returns {Promise<Buffer>} 32 bytes
+ */
+async function deriveKey(passphrase, salt) {
+  if (typeof passphrase !== 'string' || passphrase.length === 0) {
+    throw new Error('passphrase must be a non-empty string');
+  }
+  if (!Buffer.isBuffer(salt) || salt.length !== SALT_LEN) {
+    throw new Error(`salt must be a ${SALT_LEN}-byte Buffer`);
+  }
+  // Normalize passphrase to NFKC so Unicode passphrases roundtrip cleanly
+  // across operating systems. Don't trim — leading/trailing space is part of
+  // the user's intent if they typed it.
+  const normalized = passphrase.normalize('NFKC');
+  return scryptAsync(Buffer.from(normalized, 'utf8'), salt, KEY_LEN, SCRYPT_OPTS);
+}
+
+/**
+ * Generate a fresh salt for a new project.
+ */
+function makeSalt() {
+  return crypto.randomBytes(SALT_LEN);
+}
+
+/**
+ * Quick passphrase quality check. Not gospel — just a friendly warning.
+ * @param {string} pp
+ * @returns {{level: 'weak'|'ok'|'strong', reason: string}}
+ */
+function passphraseStrength(pp) {
+  if (!pp || pp.length < 8) return { level: 'weak', reason: 'shorter than 8 characters' };
+  if (pp.length < 12) return { level: 'weak', reason: 'shorter than 12 characters' };
+  const classes = [
+    /[a-z]/.test(pp),
+    /[A-Z]/.test(pp),
+    /[0-9]/.test(pp),
+    /[^a-zA-Z0-9]/.test(pp),
+  ].filter(Boolean).length;
+  if (pp.length >= 20 || classes >= 3) return { level: 'strong', reason: '' };
+  return { level: 'ok', reason: 'good enough; longer = better' };
+}
+
+module.exports = {
+  SALT_LEN,
+  KEY_LEN,
+  deriveKey,
+  makeSalt,
+  passphraseStrength,
+};

package/src/keystore.js

@@ -0,0 +1,249 @@
+'use strict';
+
+/**
+ * Keystore — manages how the master data key K is stored and unwrapped.
+ *
+ * On disk inside lockedDir we keep three small files with opaque names derived
+ * from public sentinels (no key required to find them):
+ *
+ *   <salt>     — 16 random bytes (plain). Input to scrypt.
+ *   <wrap1>    — encrypted K, wrapped by passphrase-derived key.
+ *   <wrap2>    — encrypted K, wrapped by recovery-seed-derived key.
+ *
+ * Unlock flow:
+ *   1. Read salt.
+ *   2. Ask user for passphrase OR recovery code.
+ *   3. scrypt(input, salt) → wrapping key.
+ *   4. AES-GCM-decrypt wrapX → K.
+ *   5. Use K to read manifest and decrypt files.
+ *
+ * Why two wrap files? Because losing your passphrase is human; we want a
+ * second, write-once recovery path that doesn't require the user's memory.
+ *
+ * Session cache (~/.sealcode/sessions/) holds short-lived unlocked K's so
+ * the user doesn't retype their passphrase on every command. Cache files are
+ * gated by a 64-bit project ID and protected by the OS user permissions.
+ *
+ * Backward-compat: we still read ~/.vaultline/sessions/ as a fallback so
+ * anyone upgrading from vaultline 1.x keeps their active session.
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { seal, open, randomBytes, metaName, sha256Hex } = require('./crypto');
+const { deriveKey, makeSalt } = require('./kdf');
+const { ensureDir } = require('./util');
+
+const SALT_NAME = metaName('salt');
+const WRAP_PASS_NAME = metaName('wrap.pass');
+const WRAP_RECOVERY_NAME = metaName('wrap.recovery');
+const MANIFEST_NAME = metaName('manifest');
+
+const SESSION_DIR = path.join(os.homedir(), '.sealcode', 'sessions');
+const LEGACY_SESSION_DIR = path.join(os.homedir(), '.vaultline', 'sessions');
+const SESSION_TTL_MS = 8 * 60 * 60 * 1000; // 8 hours
+
+function lockedAbs(projectRoot, lockedDir, relName) {
+  return path.join(projectRoot, lockedDir, relName);
+}
+
+function projectId(projectRoot) {
+  // Stable per-absolute-path. Different worktrees of the same repo get
+  // different sessions, which is fine.
+  return sha256Hex(path.resolve(projectRoot)).slice(0, 16);
+}
+
+function saltPath(projectRoot, lockedDir) {
+  return lockedAbs(projectRoot, lockedDir, SALT_NAME);
+}
+
+function readSalt(projectRoot, lockedDir) {
+  const p = saltPath(projectRoot, lockedDir);
+  if (!fs.existsSync(p)) return null;
+  const buf = fs.readFileSync(p);
+  return buf.length === 16 ? buf : null;
+}
+
+function writeSalt(projectRoot, lockedDir, salt) {
+  const p = saltPath(projectRoot, lockedDir);
+  ensureDir(path.dirname(p));
+  fs.writeFileSync(p, salt);
+}
+
+function readWrapped(projectRoot, lockedDir, which) {
+  const name = which === 'recovery' ? WRAP_RECOVERY_NAME : WRAP_PASS_NAME;
+  const p = lockedAbs(projectRoot, lockedDir, name);
+  return fs.existsSync(p) ? fs.readFileSync(p) : null;
+}
+
+function writeWrapped(projectRoot, lockedDir, which, blob) {
+  const name = which === 'recovery' ? WRAP_RECOVERY_NAME : WRAP_PASS_NAME;
+  const p = lockedAbs(projectRoot, lockedDir, name);
+  ensureDir(path.dirname(p));
+  fs.writeFileSync(p, blob);
+}
+
+function manifestBlobPath(projectRoot, lockedDir) {
+  return lockedAbs(projectRoot, lockedDir, MANIFEST_NAME);
+}
+
+/**
+ * Bootstrap a brand-new keystore: generate K, salt, wrap K twice.
+ * @param {string} passphrase
+ * @param {Buffer} recoverySeed 16 bytes
+ * @returns {Promise<{K: Buffer, salt: Buffer, wrappedPass: Buffer, wrappedRecovery: Buffer}>}
+ */
+async function bootstrap(passphrase, recoverySeed) {
+  const K = randomBytes(32);
+  const salt = makeSalt();
+  const passKey = await deriveKey(passphrase, salt);
+  const recoveryPass = recoverySeed.toString('hex');
+  const recoveryKey = await deriveKey(recoveryPass, salt);
+  const wrappedPass = seal(K, passKey);
+  const wrappedRecovery = seal(K, recoveryKey);
+  return { K, salt, wrappedPass, wrappedRecovery };
+}
+
+/**
+ * Persist the bootstrap output into lockedDir.
+ */
+function persistBootstrap(projectRoot, lockedDir, { salt, wrappedPass, wrappedRecovery }) {
+  writeSalt(projectRoot, lockedDir, salt);
+  writeWrapped(projectRoot, lockedDir, 'pass', wrappedPass);
+  writeWrapped(projectRoot, lockedDir, 'recovery', wrappedRecovery);
+}
+
+/**
+ * Unwrap K from disk using either a passphrase or recovery seed.
+ * @param {string} projectRoot
+ * @param {string} lockedDir
+ * @param {{ passphrase?: string, recoverySeed?: Buffer }} input
+ * @returns {Promise<Buffer>} 32-byte master data key
+ */
+async function unwrap(projectRoot, lockedDir, input) {
+  const salt = readSalt(projectRoot, lockedDir);
+  if (!salt) {
+    throw new Error('SEALCODE_NO_MANIFEST');
+  }
+  if (input.passphrase != null) {
+    const wrapped = readWrapped(projectRoot, lockedDir, 'pass');
+    if (!wrapped) throw new Error('SEALCODE_NO_MANIFEST');
+    const wrappingKey = await deriveKey(input.passphrase, salt);
+    return open(wrapped, wrappingKey);
+  }
+  if (input.recoverySeed != null) {
+    const wrapped = readWrapped(projectRoot, lockedDir, 'recovery');
+    if (!wrapped) throw new Error('SEALCODE_NO_MANIFEST');
+    const wrappingKey = await deriveKey(input.recoverySeed.toString('hex'), salt);
+    return open(wrapped, wrappingKey);
+  }
+  throw new Error('unwrap(): need passphrase or recoverySeed');
+}
+
+/**
+ * Re-wrap the master key with a new passphrase. The recovery-code path is
+ * unchanged. Does not touch encrypted files or the manifest.
+ * @returns {Promise<void>}
+ */
+async function rotatePassphrase(projectRoot, lockedDir, oldPassphrase, newPassphrase) {
+  const K = await unwrap(projectRoot, lockedDir, { passphrase: oldPassphrase });
+  const salt = readSalt(projectRoot, lockedDir);
+  const newWrapKey = await deriveKey(newPassphrase, salt);
+  writeWrapped(projectRoot, lockedDir, 'pass', seal(K, newWrapKey));
+  saveSession(projectRoot, K);
+}
+
+/**
+ * Save unwrapped K to a short-lived session file so subsequent commands skip
+ * scrypt. Session is encrypted by a host-binding key derived from machine
+ * details + project id, so copying the file to another machine doesn't help.
+ */
+function saveSession(projectRoot, K) {
+  ensureDir(SESSION_DIR);
+  const id = projectId(projectRoot);
+  const hostBind = sha256Hex(`${os.hostname()}|${os.userInfo().username}|${id}`);
+  const sessionKey = Buffer.from(hostBind.slice(0, 64), 'hex');
+  const blob = seal(K, sessionKey);
+  const meta = Buffer.from(JSON.stringify({ exp: Date.now() + SESSION_TTL_MS }), 'utf8');
+  const wrapped = Buffer.concat([
+    Buffer.from([meta.length & 0xff, (meta.length >> 8) & 0xff]),
+    meta,
+    blob,
+  ]);
+  fs.writeFileSync(path.join(SESSION_DIR, id), wrapped, { mode: 0o600 });
+}
+
+function loadSession(projectRoot) {
+  const id = projectId(projectRoot);
+  let p = path.join(SESSION_DIR, id);
+  if (!fs.existsSync(p)) {
+    // Fall back to the legacy ~/.vaultline/sessions location for users
+    // upgrading from vaultline 1.x.
+    const legacy = path.join(LEGACY_SESSION_DIR, id);
+    if (!fs.existsSync(legacy)) return null;
+    p = legacy;
+  }
+  let raw;
+  try {
+    raw = fs.readFileSync(p);
+  } catch (_) {
+    return null;
+  }
+  if (raw.length < 4) return null;
+  const metaLen = raw[0] | (raw[1] << 8);
+  if (raw.length < 2 + metaLen + 29) return null;
+  let meta;
+  try {
+    meta = JSON.parse(raw.subarray(2, 2 + metaLen).toString('utf8'));
+  } catch (_) {
+    return null;
+  }
+  if (!meta.exp || Date.now() > meta.exp) {
+    try {
+      fs.unlinkSync(p);
+    } catch (_) { /* ignore */ }
+    return null;
+  }
+  const blob = raw.subarray(2 + metaLen);
+  const hostBind = sha256Hex(`${os.hostname()}|${os.userInfo().username}|${id}`);
+  const sessionKey = Buffer.from(hostBind.slice(0, 64), 'hex');
+  try {
+    return open(blob, sessionKey);
+  } catch (_) {
+    return null;
+  }
+}
+
+function clearSession(projectRoot) {
+  const id = projectId(projectRoot);
+  for (const dir of [SESSION_DIR, LEGACY_SESSION_DIR]) {
+    try {
+      fs.unlinkSync(path.join(dir, id));
+    } catch (_) { /* ignore */ }
+  }
+}
+
+function isInitialized(projectRoot, lockedDir) {
+  return (
+    readSalt(projectRoot, lockedDir) != null &&
+    readWrapped(projectRoot, lockedDir, 'pass') != null
+  );
+}
+
+module.exports = {
+  SALT_NAME,
+  WRAP_PASS_NAME,
+  WRAP_RECOVERY_NAME,
+  MANIFEST_NAME,
+  bootstrap,
+  persistBootstrap,
+  unwrap,
+  rotatePassphrase,
+  saveSession,
+  loadSession,
+  clearSession,
+  isInitialized,
+  manifestBlobPath,
+  projectId,
+};

package/src/link-state.js

@@ -0,0 +1,60 @@
+'use strict';
+
+/**
+ * Project ↔ web app linking state.
+ *
+ * The link is stored in the project's .sealcoderc.json under a `link` key
+ * (apiUrl + projectId + linkedAt). Living next to the rest of the config
+ * means `git add .sealcoderc.json` never accidentally happens (the file is
+ * already gitignored by `sealcode init`), and `where`/`status` can show the
+ * link without an extra lookup.
+ *
+ * We deliberately do NOT store any auth tokens in the project config — those
+ * live in ~/.sealcode/credentials.json so an accidental commit of the project
+ * config leaks nothing sensitive.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const {
+  CONFIG_FILE,
+  LEGACY_CONFIG_FILE,
+  loadConfig,
+  writeConfig,
+} = require('./config');
+
+function findConfigFile(projectRoot) {
+  const newp = path.join(projectRoot, CONFIG_FILE);
+  if (fs.existsSync(newp)) return newp;
+  const oldp = path.join(projectRoot, LEGACY_CONFIG_FILE);
+  if (fs.existsSync(oldp)) return oldp;
+  return null;
+}
+
+function getLink(projectRoot) {
+  const cfg = loadConfig(projectRoot);
+  if (!cfg || !cfg.link || typeof cfg.link !== 'object') return null;
+  return cfg.link;
+}
+
+function setLink(projectRoot, link) {
+  const existing = loadConfig(projectRoot);
+  if (!existing) {
+    throw new Error(
+      `No ${CONFIG_FILE} found in ${projectRoot}. Run \`sealcode init\` first.`,
+    );
+  }
+  const merged = { ...existing, link };
+  // writeConfig drops the _file key for us.
+  writeConfig(projectRoot, merged);
+}
+
+function clearLink(projectRoot) {
+  const existing = loadConfig(projectRoot);
+  if (!existing) return;
+  const { link: _omit, ...rest } = existing;
+  void _omit;
+  writeConfig(projectRoot, rest);
+}
+
+module.exports = { findConfigFile, getLink, setLink, clearLink };

package/src/manifest.js

@@ -0,0 +1,25 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { seal, open } = require('./crypto');
+const { manifestBlobPath } = require('./keystore');
+const { ensureDir } = require('./util');
+
+function writeManifest(projectRoot, lockedDir, manifest, K) {
+  const file = manifestBlobPath(projectRoot, lockedDir);
+  ensureDir(path.dirname(file));
+  fs.writeFileSync(file, seal(JSON.stringify(manifest), K));
+}
+
+function readManifest(projectRoot, lockedDir, K) {
+  const file = manifestBlobPath(projectRoot, lockedDir);
+  if (!fs.existsSync(file)) {
+    throw new Error('SEALCODE_NO_MANIFEST');
+  }
+  const blob = fs.readFileSync(file);
+  const plain = open(blob, K);
+  return JSON.parse(plain.toString('utf8'));
+}
+
+module.exports = { writeManifest, readManifest };

package/src/open.js

@@ -0,0 +1,43 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { open } = require('./crypto');
+const { readManifest } = require('./manifest');
+const { ensureDir, writeFileEnsuringDir } = require('./util');
+
+async function runUnlock({ projectRoot, config, K, removeStubs = true, log = () => {} }) {
+  const manifest = readManifest(projectRoot, config.lockedDir, K);
+  const lockedRoot = path.join(projectRoot, config.lockedDir);
+
+  if (removeStubs && manifest.stubs) {
+    for (const stubPath of Object.keys(manifest.stubs)) {
+      const abs = path.join(projectRoot, stubPath);
+      const isAlsoSealed = manifest.files.some((f) => f.p === stubPath);
+      if (isAlsoSealed && fs.existsSync(abs)) {
+        try {
+          fs.unlinkSync(abs);
+        } catch (_) {
+          /* ignore */
+        }
+      }
+    }
+  }
+
+  for (const entry of manifest.files) {
+    const lockedAbs = path.join(lockedRoot, entry.l);
+    if (!fs.existsSync(lockedAbs)) {
+      throw new Error(`unlock: missing locked blob for ${entry.p} (expected ${entry.l})`);
+    }
+    const blob = fs.readFileSync(lockedAbs);
+    const plain = open(blob, K);
+    const target = path.join(projectRoot, entry.p);
+    ensureDir(path.dirname(target));
+    writeFileEnsuringDir(target, plain, entry.m);
+    log(`  unlocked ${entry.p}`);
+  }
+
+  return { count: manifest.files.length, sealedAt: manifest.sealedAt };
+}
+
+module.exports = { runUnlock };