sealcode 0.1.0

package/src/presets.js

@@ -0,0 +1,338 @@
+'use strict';
+
+/**
+ * Ecosystem presets. Each preset is a starting include/exclude template for a
+ * given stack. The init wizard auto-detects by sniffing for marker files in
+ * the project root.
+ *
+ * Adding a new preset:
+ *   1. Pick a unique id (e.g. "elixir").
+ *   2. List marker files that strongly imply this ecosystem.
+ *   3. Provide include/exclude globs.
+ *   4. Pick a non-suspicious lockedDir name for that ecosystem.
+ *
+ * The `lockedDir` choice matters for stealth: it should look native to the
+ * stack so an AI scanning the repo doesn't go "huh, that's odd."
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/** @typedef {{id:string,label:string,markers:string[],lockedDir:string,include:string[],exclude:string[],stubs?:object}} Preset */
+
+const SHARED_EXCLUDES = [
+  '.git/**',
+  '.DS_Store',
+  '*.log',
+  '*.tmp',
+  '*.swp',
+  '.idea/**',
+  '.vscode/**',
+  'coverage/**',
+  '.sealcoderc.json',
+  '.sealcode.key',
+  '.vaultlinerc.json',
+  '.vaultline.key',
+  '*.pem',
+  '*.crt',
+];
+
+const STUB_GENERIC_PKG_JSON =
+  '{\n  "name": "app",\n  "version": "1.0.0",\n  "private": true\n}\n';
+
+/** @type {Preset[]} */
+const PRESETS = [
+  {
+    id: 'node',
+    label: 'Node.js / TypeScript',
+    markers: ['package.json'],
+    lockedDir: 'vendor',
+    include: [
+      'src/**/*',
+      'lib/**/*',
+      'package.json',
+      'package-lock.json',
+      'tsconfig.json',
+      'Dockerfile',
+      'docker-compose*.yml',
+      'docker-compose*.yaml',
+      '.env.example',
+      'README.md',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'node_modules/**',
+      'dist/**',
+      'build/**',
+      '.next/**',
+      '.turbo/**',
+      '.nuxt/**',
+      'out/**',
+      'vendor/**',
+    ],
+    stubs: { 'package.json': STUB_GENERIC_PKG_JSON },
+  },
+  {
+    id: 'nextjs',
+    label: 'Next.js',
+    markers: ['next.config.js', 'next.config.mjs', 'next.config.ts'],
+    lockedDir: 'vendor',
+    include: [
+      'src/**/*',
+      'app/**/*',
+      'pages/**/*',
+      'components/**/*',
+      'lib/**/*',
+      'public/**/*',
+      'package.json',
+      'next.config.*',
+      'tsconfig.json',
+      'tailwind.config.*',
+      'postcss.config.*',
+      '.env.example',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'node_modules/**',
+      '.next/**',
+      'out/**',
+      'vendor/**',
+    ],
+    stubs: { 'package.json': STUB_GENERIC_PKG_JSON },
+  },
+  {
+    id: 'python',
+    label: 'Python (generic)',
+    markers: ['requirements.txt', 'pyproject.toml', 'setup.py', 'Pipfile'],
+    lockedDir: '_site_packages',
+    include: [
+      '**/*.py',
+      'pyproject.toml',
+      'requirements*.txt',
+      'Pipfile',
+      'Pipfile.lock',
+      'setup.py',
+      'setup.cfg',
+      'Dockerfile',
+      'docker-compose*.yml',
+      '.env.example',
+      'README.md',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'venv/**',
+      '.venv/**',
+      'env/**',
+      '__pycache__/**',
+      '**/__pycache__/**',
+      '*.pyc',
+      '.pytest_cache/**',
+      '.mypy_cache/**',
+      '.tox/**',
+      'dist/**',
+      'build/**',
+      '_site_packages/**',
+      '.eggs/**',
+      '*.egg-info/**',
+    ],
+    stubs: { 'README.md': '# app\n' },
+  },
+  {
+    id: 'django',
+    label: 'Python — Django',
+    markers: ['manage.py'],
+    lockedDir: '_site_packages',
+    include: [
+      '**/*.py',
+      'manage.py',
+      'requirements*.txt',
+      'pyproject.toml',
+      'Dockerfile',
+      'docker-compose*.yml',
+      '.env.example',
+      'templates/**/*',
+      'static/**/*',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'venv/**',
+      '.venv/**',
+      '__pycache__/**',
+      '**/__pycache__/**',
+      '*.pyc',
+      'media/**',
+      'staticfiles/**',
+      'db.sqlite3',
+      '_site_packages/**',
+    ],
+    stubs: { 'README.md': '# app\n' },
+  },
+  {
+    id: 'go',
+    label: 'Go',
+    markers: ['go.mod'],
+    // Avoid Go's own `vendor/` convention.
+    lockedDir: 'internal/sealed',
+    include: [
+      '**/*.go',
+      'go.mod',
+      'go.sum',
+      'Dockerfile',
+      'docker-compose*.yml',
+      '.env.example',
+      'README.md',
+      'Makefile',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'vendor/**',
+      'bin/**',
+      'dist/**',
+      'internal/sealed/**',
+    ],
+  },
+  {
+    id: 'rust',
+    label: 'Rust / Cargo',
+    markers: ['Cargo.toml'],
+    lockedDir: 'target/.cache',
+    include: [
+      'src/**/*',
+      'tests/**/*',
+      'benches/**/*',
+      'examples/**/*',
+      'Cargo.toml',
+      'Cargo.lock',
+      'build.rs',
+      'Dockerfile',
+      '.env.example',
+      'README.md',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'target/**/!(.cache)',
+      'target/**',
+      'pkg/**',
+    ],
+  },
+  {
+    id: 'rails',
+    label: 'Ruby on Rails',
+    markers: ['Gemfile'],
+    lockedDir: 'vendor/sealed',
+    include: [
+      'app/**/*',
+      'config/**/*',
+      'db/**/*',
+      'lib/**/*',
+      'Gemfile',
+      'Gemfile.lock',
+      'Rakefile',
+      'config.ru',
+      '.env.example',
+      'Dockerfile',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'tmp/**',
+      'log/**',
+      'vendor/bundle/**',
+      'vendor/sealed/**',
+      'storage/**',
+      'public/assets/**',
+    ],
+  },
+  {
+    id: 'php',
+    label: 'PHP / Composer / Laravel',
+    markers: ['composer.json'],
+    // Avoid Composer's `vendor/` convention.
+    lockedDir: 'storage/sealed',
+    include: [
+      'app/**/*',
+      'src/**/*',
+      'config/**/*',
+      'database/**/*',
+      'routes/**/*',
+      'resources/**/*',
+      'composer.json',
+      'composer.lock',
+      'artisan',
+      '.env.example',
+      'Dockerfile',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'vendor/**',
+      'storage/sealed/**',
+      'storage/logs/**',
+      'storage/framework/**',
+      'bootstrap/cache/**',
+      'public/build/**',
+    ],
+  },
+  {
+    id: 'java',
+    label: 'Java / Gradle / Maven',
+    markers: ['pom.xml', 'build.gradle', 'build.gradle.kts'],
+    lockedDir: '.sealed',
+    include: [
+      'src/**/*',
+      'pom.xml',
+      'build.gradle*',
+      'settings.gradle*',
+      'gradle.properties',
+      'Dockerfile',
+      '.env.example',
+      'README.md',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'target/**',
+      'build/**',
+      '.gradle/**',
+      '.sealed/**',
+    ],
+  },
+  {
+    id: 'generic',
+    label: 'Other / generic',
+    markers: [],
+    lockedDir: 'vendor',
+    include: [
+      'src/**/*',
+      'lib/**/*',
+      'README.md',
+      'Dockerfile',
+      '.env.example',
+    ],
+    exclude: [...SHARED_EXCLUDES, 'vendor/**', 'dist/**', 'build/**'],
+  },
+];
+
+/**
+ * Sniff the project root and guess the ecosystem.
+ * @param {string} projectRoot
+ * @returns {Preset}
+ */
+function detectPreset(projectRoot) {
+  for (const preset of PRESETS) {
+    if (preset.id === 'generic') continue;
+    for (const marker of preset.markers) {
+      if (fs.existsSync(path.join(projectRoot, marker))) {
+        return preset;
+      }
+    }
+  }
+  return PRESETS[PRESETS.length - 1]; // generic
+}
+
+function getPreset(id) {
+  return PRESETS.find((p) => p.id === id) || PRESETS[PRESETS.length - 1];
+}
+
+function listPresets() {
+  return PRESETS.map((p) => ({ id: p.id, label: p.label }));
+}
+
+module.exports = { PRESETS, detectPreset, getPreset, listPresets };

package/src/prompt.js

@@ -0,0 +1,108 @@
+'use strict';
+
+/**
+ * Tiny interactive prompt utility. Avoids pulling in inquirer/enquirer to keep
+ * the dependency surface (and the `npm ls` output) minimal and uncontroversial.
+ */
+
+const readline = require('readline');
+
+function rl() {
+  return readline.createInterface({ input: process.stdin, output: process.stdout });
+}
+
+function question(prompt, { default: def } = {}) {
+  return new Promise((resolve) => {
+    const r = rl();
+    const suffix = def != null ? ` [${def}]` : '';
+    r.question(`${prompt}${suffix} `, (answer) => {
+      r.close();
+      resolve(answer.trim() === '' && def != null ? String(def) : answer.trim());
+    });
+  });
+}
+
+async function confirm(prompt, { default: def = true } = {}) {
+  const hint = def ? 'Y/n' : 'y/N';
+  while (true) {
+    const a = (await question(`${prompt} (${hint})`)).toLowerCase();
+    if (a === '') return def;
+    if (['y', 'yes'].includes(a)) return true;
+    if (['n', 'no'].includes(a)) return false;
+    process.stdout.write('Please answer y or n.\n');
+  }
+}
+
+/**
+ * Hidden input — reads from stdin char by char in raw mode, prints '*' per char.
+ * Falls back to plain readline (visible) on non-TTY (CI, pipes).
+ */
+function hidden(prompt) {
+  if (!process.stdin.isTTY) {
+    // CI / piped input: just read a line. Echoing or not is moot when piped.
+    return question(prompt);
+  }
+  return new Promise((resolve, reject) => {
+    const out = process.stdout;
+    const stdin = process.stdin;
+    out.write(`${prompt} `);
+    let buf = '';
+    const onData = (chunk) => {
+      const str = chunk.toString('utf8');
+      for (const ch of str) {
+        const code = ch.charCodeAt(0);
+        if (code === 13 || code === 10) {
+          stdin.removeListener('data', onData);
+          stdin.setRawMode(false);
+          stdin.pause();
+          out.write('\n');
+          return resolve(buf);
+        }
+        if (code === 3) {
+          stdin.removeListener('data', onData);
+          stdin.setRawMode(false);
+          stdin.pause();
+          out.write('\n');
+          return reject(new Error('cancelled'));
+        }
+        if (code === 127 || code === 8) {
+          if (buf.length > 0) {
+            buf = buf.slice(0, -1);
+            out.write('\b \b');
+          }
+          continue;
+        }
+        if (code < 32) continue; // ignore other control chars
+        buf += ch;
+        out.write('*');
+      }
+    };
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.on('data', onData);
+  });
+}
+
+/**
+ * Single-select from a list. Renders numbered options; user types the number.
+ * @param {string} prompt
+ * @param {{value:string,label:string}[]} options
+ * @param {number} [defaultIndex=0]
+ */
+async function select(prompt, options, defaultIndex = 0) {
+  process.stdout.write(prompt + '\n');
+  options.forEach((opt, i) => {
+    const marker = i === defaultIndex ? '›' : ' ';
+    process.stdout.write(`  ${marker} ${i + 1}. ${opt.label}\n`);
+  });
+  while (true) {
+    const a = await question(`Choose 1-${options.length}`, { default: defaultIndex + 1 });
+    const n = parseInt(a, 10);
+    if (Number.isInteger(n) && n >= 1 && n <= options.length) {
+      return options[n - 1].value;
+    }
+    process.stdout.write(`Please type a number between 1 and ${options.length}.\n`);
+  }
+}
+
+module.exports = { question, confirm, hidden, select };

package/src/recovery.js

@@ -0,0 +1,154 @@
+'use strict';
+
+/**
+ * Recovery codes.
+ *
+ * On `sealcode init` we generate a 16-byte recovery seed. We encode it as a
+ * human-typeable string using Crockford Base32 (no ambiguous chars like O/0,
+ * I/1) in five 5-character groups separated by hyphens. The first 25 chars
+ * encode the seed; the last 4 are a checksum.
+ *
+ * Example:
+ *   VL5K8-J3Q2N-A7BCD-E4F9P-X2YR-K9MT
+ *   └────── seed (25 chars × 5 bits = 125 bits ≥ 128 - 3 padding bits) ──┘
+ *   └─ 4-char CRC32 checksum at end ─┘
+ *
+ * Properties:
+ *   - 16 bytes of entropy is enough to be practically unbreakable (2^128).
+ *   - Typeable from a sticky note. Hyphens are decorative — input is lenient.
+ *   - Checksum catches transcription errors before we waste a second on scrypt.
+ *
+ * We deliberately avoid BIP39 because pulling in a 2048-word list bloats the
+ * package and screams "crypto" on `npm ls`. Anonymous-looking base32 keeps
+ * dependencies and ratlines minimal.
+ */
+
+const crypto = require('crypto');
+
+// Crockford Base32 alphabet — no I, L, O, U.
+const ALPHA = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';
+const DECODE = new Map();
+for (let i = 0; i < ALPHA.length; i++) DECODE.set(ALPHA[i], i);
+// Crockford-canonical aliases for ambiguity tolerance.
+DECODE.set('O', 0);
+DECODE.set('I', 1);
+DECODE.set('L', 1);
+DECODE.set('U', DECODE.get('V'));
+
+const SEED_BYTES = 16;
+const SEED_BITS = SEED_BYTES * 8; // 128
+const SEED_CHARS = Math.ceil(SEED_BITS / 5); // 26
+// We'll round up the bitstream by zero-padding to 130 bits (26 chars × 5).
+
+function encodeBase32(bytes) {
+  let bits = 0n;
+  let nbits = 0;
+  let out = '';
+  for (const b of bytes) {
+    bits = (bits << 8n) | BigInt(b);
+    nbits += 8;
+  }
+  // Pad to multiple of 5 bits at the LEFT (high) end so decoding is symmetric.
+  const pad = (5 - (nbits % 5)) % 5;
+  bits <<= BigInt(pad);
+  nbits += pad;
+  for (let i = nbits - 5; i >= 0; i -= 5) {
+    const idx = Number((bits >> BigInt(i)) & 0x1fn);
+    out += ALPHA[idx];
+  }
+  return out;
+}
+
+function decodeBase32(str, expectedBytes) {
+  let bits = 0n;
+  let nbits = 0;
+  for (const ch of str.toUpperCase()) {
+    if (!DECODE.has(ch)) {
+      throw new Error(`invalid recovery code character: ${ch}`);
+    }
+    bits = (bits << 5n) | BigInt(DECODE.get(ch));
+    nbits += 5;
+  }
+  const pad = nbits - expectedBytes * 8;
+  if (pad < 0) throw new Error('recovery code too short');
+  bits >>= BigInt(pad);
+  const out = Buffer.alloc(expectedBytes);
+  for (let i = expectedBytes - 1; i >= 0; i--) {
+    out[i] = Number(bits & 0xffn);
+    bits >>= 8n;
+  }
+  return out;
+}
+
+function checksumChars(bytes) {
+  // 20 bits of SHA-256 → 4 base32 chars. Plenty for typo detection.
+  const h = crypto.createHash('sha256').update(bytes).digest();
+  let bits = (BigInt(h[0]) << 16n) | (BigInt(h[1]) << 8n) | BigInt(h[2]);
+  bits >>= 4n; // take top 20 bits of those 24
+  let out = '';
+  for (let i = 15; i >= 0; i -= 5) {
+    out += ALPHA[Number((bits >> BigInt(i)) & 0x1fn)];
+  }
+  return out;
+}
+
+/**
+ * Generate a fresh recovery seed and its human-readable code.
+ * @returns {{ seed: Buffer, code: string }}
+ */
+function makeRecoveryCode() {
+  const seed = crypto.randomBytes(SEED_BYTES);
+  const code = formatCode(seed);
+  return { seed, code };
+}
+
+function formatCode(seed) {
+  const body = encodeBase32(seed);          // 26 chars
+  const check = checksumChars(seed);        // 4 chars
+  const all = body + check;                 // 30 chars
+  // Group in 5s for readability: 5-5-5-5-5-5
+  return all.match(/.{1,5}/g).join('-');
+}
+
+/**
+ * Parse a user-typed recovery code back into 16 seed bytes.
+ * Tolerant: ignores whitespace, hyphens, case, and Crockford-aliased chars.
+ * @param {string} input
+ * @returns {Buffer} 16-byte seed
+ */
+function parseRecoveryCode(input) {
+  if (typeof input !== 'string') throw new Error('recovery code must be a string');
+  const cleaned = input.replace(/[\s-]+/g, '').toUpperCase();
+  if (cleaned.length !== 30) {
+    throw new Error(
+      `recovery code must be 30 characters (got ${cleaned.length}). Tip: paste the whole thing including the hyphens.`
+    );
+  }
+  const body = cleaned.slice(0, 26);
+  const check = cleaned.slice(26);
+  const seed = decodeBase32(body, SEED_BYTES);
+  const expected = checksumChars(seed);
+  if (expected !== check) {
+    throw new Error('recovery code checksum mismatch — please re-check what you typed');
+  }
+  return seed;
+}
+
+/**
+ * Convert seed to a hex string for use as a "passphrase" by deriveKey.
+ * (We treat the recovery seed as an extra-strength passphrase.)
+ */
+function seedToPassphrase(seed) {
+  if (!Buffer.isBuffer(seed) || seed.length !== SEED_BYTES) {
+    throw new Error(`recovery seed must be ${SEED_BYTES} bytes`);
+  }
+  return seed.toString('hex');
+}
+
+module.exports = {
+  SEED_BYTES,
+  makeRecoveryCode,
+  parseRecoveryCode,
+  seedToPassphrase,
+  formatCode,
+};