sealcode 0.3.0 → 1.1.0

package/README.md

@@ -85,9 +85,21 @@ sealcode uninstall-hook  # remove hook block
 sealcode panic           # immediate re-lock + session wipe
 sealcode logout          # clear cached session, force passphrase next time
 sealcode presets         # list supported ecosystems
-sealcode share <opts>    # mint a temporary access code (Pro; needs link + login)
-sealcode redeem <code>   # accept an access code shared with you
-sealcode watch <code>    # poll the server; auto-lock if the owner revokes (Pro)
+sealcode share <opts>    # mint a temporary access code (--email <addr> wraps the key for them)
+                         #   1.1 controls (all optional):
+                         #     --paths src/api/,tests/    only decrypt these prefixes
+                         #     --mode ro                  read-only; watcher re-locks on edit
+                         #     --watermark "Licensed to {email} · grant {grantId}"
+                         #     --idle 30                  auto-lock after N idle minutes
+                         #     --allow-ip 10.0.0.0/8      restrict redeem + heartbeat IPs
+                         #     --allow-country US GB      ISO-2 country allowlist (Cloudflare-fed)
+                         #     --single-device            hard-reject 2nd device fingerprint
+                         #     --nda "text"               require typed "I agree" on redeem
+sealcode redeem <code>   # accept a code; auto-unlocks + spawns watcher when team-shared
+sealcode watch <code>    # poll the server with long-poll (~1s revoke); --daemon for background
+sealcode lockdown        # 1.1: panic — revoke ALL active grants for the linked project
+sealcode install-service # macOS launchd / Linux systemd unit so the watcher survives reboots
+sealcode uninstall-service
 sealcode pro             # Pro tier info
 sealcode where           # debug: print paths and state (no secrets)
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "0.3.0",
+  "version": "1.1.0",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/api.js

@@ -86,7 +86,7 @@ class ApiError extends Error {
   }
 }
 
-async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
+async function request(method, urlPath, { body, auth = false, apiUrl, timeoutMs } = {}) {
   const base = apiUrl || getApiUrl();
   const url = new URL(urlPath, base).toString();
   const headers = {
@@ -106,12 +106,23 @@ async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
     headers.authorization = `Bearer ${token}`;
   }
 
+  // sealcode@1.1.0 — optional per-call timeout. We use an AbortController
+  // and let the caller pass `timeoutMs` for long-polled heartbeats
+  // (where we want a generous budget) without changing the default
+  // behavior of every other call.
+  const ac = typeof AbortController === 'function' ? new AbortController() : null;
+  let timer = null;
+  if (timeoutMs && ac) {
+    timer = setTimeout(() => ac.abort(), timeoutMs);
+  }
+
   let res;
   try {
     res = await fetch(url, {
       method,
       headers,
       body: body == null ? undefined : JSON.stringify(body),
+      signal: ac ? ac.signal : undefined,
     });
   } catch (err) {
     throw new ApiError(
@@ -119,6 +130,8 @@ async function request(method, urlPath, { body, auth = false, apiUrl } = {}) {
       'network',
       `Could not reach ${base}: ${err.message || err}.`,
     );
+  } finally {
+    if (timer) clearTimeout(timer);
   }
 
   const ct = res.headers.get('content-type') || '';

package/src/cli-auth.js

@@ -24,6 +24,7 @@ const {
   request,
   writeCreds,
 } = require('./api');
+const keypair = require('./keypair');
 const ui = require('./ui');
 
 function sleep(ms) {
@@ -163,6 +164,31 @@ async function runLogin({ apiUrl } = {}) {
     createdAt: new Date().toISOString(),
   });
 
+  // sealcode@1.0.0: publish the user's X25519 pubkey. This enables team
+  // key sharing (other users can wrap K for us via `sealcode share --to`).
+  // Best-effort: if the server doesn't support pubkeys yet (older deploy)
+  // we still consider login successful. The keypair is generated locally
+  // either way and persisted to ~/.sealcode/keypair.json.
+  try {
+    const pub = keypair.publicKey();
+    await request('POST', '/api/v1/users/pubkey', {
+      body: pub,
+      auth: true,
+      apiUrl: baseUrl,
+    });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 404) {
+      // Server predates 1.0; not a real error, just log it in verbose paths.
+      if (process.env.SEALCODE_DEBUG) {
+        process.stderr.write(
+          `(note: server hasn't enabled team key sharing yet — your pubkey was generated locally but not published)\n`,
+        );
+      }
+    } else if (process.env.SEALCODE_DEBUG) {
+      process.stderr.write(`(warning: pubkey publish failed: ${err.message || err})\n`);
+    }
+  }
+
   ui.ok(`Logged in as ${ui.c.bold(user.email || user.id || 'unknown')} ${ui.c.dim(`at ${baseUrl}`)}`);
 }
 

package/src/cli-grants.js

@@ -13,8 +13,16 @@
  * that doesn't need auth — it's used by the developer receiving the code.
  */
 
+const path = require('path');
+
 const { ApiError, clientInfo, request } = require('./api');
 const { getLink } = require('./link-state');
+const { loadConfig } = require('./config');
+const { detectPreset } = require('./presets');
+const { isInitialized, loadSession, saveSession } = require('./keystore');
+const { getDeviceFingerprint, getDeviceInfo } = require('./device');
+const keypair = require('./keypair');
+const shareCrypto = require('./share-crypto');
 const ui = require('./ui');
 
 function requireLink(projectRoot) {
@@ -38,6 +46,86 @@ function formatRemaining(ms) {
   return `${Math.floor(hr / 24)}d ${hr % 24}h`;
 }
 
+function getActiveConfig(projectRoot) {
+  const fromFile = loadConfig(projectRoot);
+  if (fromFile) return fromFile;
+  const preset = detectPreset(projectRoot);
+  return {
+    version: 1,
+    preset: preset.id,
+    lockedDir: preset.lockedDir,
+    include: preset.include,
+    exclude: preset.exclude,
+    stubs: preset.stubs || {},
+    _implicit: true,
+  };
+}
+
+/**
+ * sealcode@1.0.0: fetch the recipient's published X25519 pubkey and wrap
+ * the project master key K to it. Returns `{ wrappedKey, wrappedKeyRecipient }`
+ * suitable for splatting into the create-grant request body.
+ *
+ * Returns `null` if the recipient hasn't published a pubkey yet OR the
+ * server doesn't support the endpoint (pre-1.0 deploy). The caller falls
+ * back to the legacy "share-the-passphrase-out-of-band" flow.
+ *
+ * Will throw if we have K but the wrap itself fails (which would indicate
+ * a real cryptographic bug; we don't want to silently downgrade in that
+ * case).
+ */
+async function maybeWrapKeyForRecipient({ projectRoot, recipientEmail, verbose = false }) {
+  if (!recipientEmail) return null;
+
+  // Need the master key K to wrap. If there's no live session on this
+  // machine, we can't wrap — owner has to `sealcode unlock` first.
+  const config = getActiveConfig(projectRoot);
+  if (!isInitialized(projectRoot, config.lockedDir)) return null;
+  const K = loadSession(projectRoot);
+  if (!K) {
+    if (verbose) {
+      ui.hint('(no cached session — skipping team-key wrap; recipient will need the passphrase)');
+    }
+    return null;
+  }
+
+  // Fetch their pubkey.
+  let pub;
+  try {
+    pub = await request(
+      'GET',
+      `/api/v1/users/pubkey?email=${encodeURIComponent(recipientEmail)}`,
+      { auth: true },
+    );
+  } catch (err) {
+    if (err instanceof ApiError) {
+      if (err.status === 404) {
+        // Either the user doesn't exist or hasn't published a pubkey
+        // yet. We still mint the code; the recipient just falls back to
+        // the legacy flow when they redeem.
+        if (verbose) {
+          ui.hint(
+            `(recipient hasn't published a pubkey yet — falling back to passphrase-share flow)`,
+          );
+        }
+        return null;
+      }
+      if (err.status === 0) {
+        // Network blip — let the caller surface this; we don't want to
+        // silently strip security.
+        throw err;
+      }
+    }
+    throw err;
+  }
+  if (!pub || !pub.publicKey || pub.algo !== keypair.ALGO) {
+    return null;
+  }
+
+  const wrapped = shareCrypto.wrapForRecipient(K, pub.publicKey);
+  return { wrappedKey: wrapped, wrappedKeyRecipient: recipientEmail };
+}
+
 async function runShare({
   projectRoot,
   hours,
@@ -48,9 +136,38 @@ async function runShare({
   strict = false,
   heartbeatSec = 300,
   offlineGraceSec = 1800,
+  // sealcode@1.1.0 — admin precision controls. All optional.
+  paths = null,                     // string[] | null  → allowedPaths
+  mode = 'rw',                      // 'rw' | 'ro'
+  watermark = null,                 // string | null    → template
+  idleAutoLockMinutes = 0,          // 0 = disabled
+  allowedIpCidrs = null,            // string[] | null  → CIDRs
+  allowedCountries = null,          // string[] | null  → ISO-2 codes
+  singleDeviceEnforce = false,
+  ndaText = null,
   json = false,
 }) {
   const link = requireLink(projectRoot);
+
+  // sealcode@1.0.0: if `--email <addr>` is supplied AND we can reach the
+  // recipient's pubkey AND we have K cached, wrap K to them. This makes
+  // `sealcode redeem` self-sufficient on the recipient side (no
+  // out-of-band passphrase exchange).
+  let wrap = null;
+  try {
+    wrap = await maybeWrapKeyForRecipient({
+      projectRoot,
+      recipientEmail: email,
+      verbose: !json,
+    });
+  } catch (err) {
+    // Network errors during pubkey lookup shouldn't be silent — degrade
+    // loudly so the owner knows the recipient will need the passphrase.
+    if (!json) {
+      ui.warn(`Pubkey lookup failed (${err.message || err}) — minting code without wrapped key.`);
+    }
+  }
+
   const body = {
     developerEmail: email || '',
     developerLabel: label || '',
@@ -60,6 +177,18 @@ async function runShare({
     strictMode: !!strict,
     heartbeatIntervalSeconds: Math.max(30, Math.floor(heartbeatSec)),
     offlineGraceSeconds: Math.max(60, Math.floor(offlineGraceSec)),
+    ...(wrap ? wrap : {}),
+    // sealcode@1.1.0 — admin precision controls (server validates again)
+    ...(paths && paths.length ? { allowedPaths: paths } : {}),
+    mode: mode === 'ro' ? 'ro' : 'rw',
+    ...(watermark ? { watermark } : {}),
+    idleAutoLockMinutes: Math.max(0, Math.floor(idleAutoLockMinutes || 0)),
+    ...(allowedIpCidrs && allowedIpCidrs.length ? { allowedIpCidrs } : {}),
+    ...(allowedCountries && allowedCountries.length
+      ? { allowedCountries: allowedCountries.map((c) => c.toUpperCase()) }
+      : {}),
+    singleDeviceEnforce: !!singleDeviceEnforce,
+    ...(ndaText ? { ndaText } : {}),
   };
 
   let res;
@@ -88,6 +217,8 @@ async function runShare({
           codePrefix: g.codePrefix,
           projectId: g.projectId,
           expiresAt: g.expiresAt,
+          wrappedFor: g.wrappedFor ?? null,
+          hasWrappedKey: !!g.hasWrappedKey,
         },
         null,
         2,
@@ -97,11 +228,17 @@ async function runShare({
   }
 
   const meta = [
-    `${ui.c.dim('project   ')} ${ui.c.bold(link.projectName || link.projectId)}`,
-    `${ui.c.dim('expires   ')} ${g.expiresAt}`,
+    `${ui.c.dim('project    ')} ${ui.c.bold(link.projectName || link.projectId)}`,
+    `${ui.c.dim('expires    ')} ${g.expiresAt}`,
   ];
-  if (g.autoLockAt) meta.push(`${ui.c.dim('auto-lock ')} ${g.autoLockAt}`);
-  if (email) meta.push(`${ui.c.dim('email     ')} ${email}`);
+  if (g.autoLockAt) meta.push(`${ui.c.dim('auto-lock  ')} ${g.autoLockAt}`);
+  if (email) meta.push(`${ui.c.dim('email      ')} ${email}`);
+  if (strict) meta.push(`${ui.c.dim('strict     ')} ${ui.c.yellow('yes — watcher required')}`);
+  if (g.hasWrappedKey) {
+    meta.push(`${ui.c.dim('wrapped to ')} ${ui.c.green(g.wrappedFor)} ${ui.c.dim('(no passphrase exchange)')}`);
+  } else if (email) {
+    meta.push(`${ui.c.dim('wrapped to ')} ${ui.c.yellow('— (recipient hasn\'t published a pubkey; passphrase still needed)')}`);
+  }
 
   ui.box('Access code — copy now, shown only once', [
     `  ${ui.c.bold(ui.c.green(g.code))}`,
@@ -109,8 +246,14 @@ async function runShare({
     ...meta,
   ], { tone: 'green' });
 
-  ui.hint('Share it with the developer over a secure channel. They redeem with:');
-  process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n\n`);
+  if (g.hasWrappedKey) {
+    ui.hint('Recipient runs:');
+    process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n`);
+    process.stdout.write(`    ${ui.c.cyan(`sealcode unlock`)}    ${ui.c.dim('# no passphrase prompt — K is delivered by the redeem call')}\n\n`);
+  } else {
+    ui.hint('Share it with the developer over a secure channel. They redeem with:');
+    process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n\n`);
+  }
 }
 
 async function runGrants({ projectRoot, json = false }) {
@@ -156,17 +299,113 @@ async function runRevoke({ grantId }) {
   process.stdout.write(`✓ revoked grant ${grantId}\n`);
 }
 
-async function runRedeem({ code, json = false }) {
+async function runRedeem({ projectRoot, code, json = false, agreeNda = false }) {
   if (!code) throw new Error('Usage: sealcode redeem <CODE>');
   const trimmed = code.trim();
-  const res = await request('POST', '/api/v1/access/redeem', {
-    body: { code: trimmed, client: clientInfo() },
-  });
+
+  // Include the device fingerprint so the server pins it to the grant
+  // on first redeem (and warns on mismatch on subsequent redeems).
+  const client = { ...clientInfo(), deviceFingerprint: getDeviceFingerprint() };
+
+  // First call without the NDA flag — server tells us whether one is
+  // required by including `nda_required: true` and `ndaText` in the
+  // 409-NDA response (or in the success payload's policy block). We
+  // use a separate pre-flight to a metadata endpoint to avoid the
+  // "race the server pins the device fingerprint before user has
+  // even agreed" problem.
+  let res;
+  try {
+    res = await request('POST', '/api/v1/access/redeem', {
+      body: { code: trimmed, client, ndaAccepted: !!agreeNda },
+    });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 409 && err.apiCode === 'nda_required') {
+      const ndaText = (err.raw && (err.raw.ndaText || err.raw.error?.ndaText)) || '(no text provided by owner)';
+      ui.box('Acceptance required', [
+        ui.c.dim('The owner of this project requires you to accept the following before unlocking:'),
+        '',
+        ...String(ndaText).split('\n'),
+      ], { tone: 'yellow' });
+      const { question } = require('./prompt');
+      const reply = await question('Type "I agree" to continue (or Ctrl-C to abort): ');
+      if (String(reply).trim().toLowerCase() !== 'i agree') {
+        ui.fail('Did not accept — aborting redeem.');
+        process.exitCode = 1;
+        return;
+      }
+      res = await request('POST', '/api/v1/access/redeem', {
+        body: { code: trimmed, client, ndaAccepted: true },
+      });
+    } else {
+      throw err;
+    }
+  }
   const g = res.grant;
+
+  // sealcode@1.0.0: if the server returned a wrapped K AND we're running
+  // inside a project root that has a manifest, unwrap it and cache the
+  // session so subsequent `sealcode unlock` skips the passphrase prompt.
+  // This is the magic "no passphrase exchange needed" path.
+  let cachedK = false;
+  let unwrapNote = null;
+  if (g.wrappedKey) {
+    const kp = keypair.read();
+    if (!kp) {
+      unwrapNote = ui.c.yellow(
+        '(received a wrapped key, but no local keypair was found. '
+          + 'Run `sealcode login` to generate one.)',
+      );
+    } else if (g.wrappedKeyRecipient && g.wrappedKeyRecipient.toLowerCase() !== readMyEmail().toLowerCase()) {
+      unwrapNote = ui.c.yellow(
+        `(received a wrapped key, but it was wrapped for ${g.wrappedKeyRecipient}; `
+          + `you are logged in as ${readMyEmail()}. Ask the owner to re-share.)`,
+      );
+    } else {
+      try {
+        const K = shareCrypto.unwrapWithRecipient(g.wrappedKey, kp.privateKey, kp.publicKey);
+        if (projectRoot) {
+          // Cache K against THIS project root. The grant-derived session
+          // is tagged so cli-guard and cli-watch know it requires a
+          // running watcher. sealcode@1.1.0 — also stash the policy
+          // bundle so subsequent commands enforce paths/ro/watermark/idle.
+          saveSession(projectRoot, K, {
+            source: 'grant',
+            grantId: g.id,
+            grantCodeHash: require('crypto').createHash('sha256').update(trimmed).digest('hex'),
+            grantExpiresAt: g.expiresAt,
+            deviceFingerprint: getDeviceFingerprint(),
+            strictWatch: !!g.strictMode,
+            policy: g.policy || {
+              allowedPaths: g.allowedPaths || null,
+              mode: g.mode || 'rw',
+              watermark: g.watermark || null,
+              idleAutoLockMinutes: g.idleAutoLockMinutes || 0,
+            },
+            recipientEmail: g.wrappedKeyRecipient || readMyEmail(),
+            projectName: g.projectName || null,
+          });
+          cachedK = true;
+        } else {
+          unwrapNote = ui.c.dim(
+            '(unwrapped K, but you are not inside a project root — '
+              + 'cd into the project and run `sealcode unlock` to materialize plaintext.)',
+          );
+        }
+        // Best-effort scrub of K from this process's memory.
+        K.fill(0);
+      } catch (err) {
+        unwrapNote = ui.c.red(`(could not unwrap delivered key: ${err.message || err})`);
+      }
+    }
+  }
+
   if (json) {
-    process.stdout.write(JSON.stringify({ grant: g }, null, 2) + '\n');
+    process.stdout.write(
+      JSON.stringify({ grant: g, cachedSession: cachedK }, null, 2) + '\n',
+    );
     return;
   }
+
   process.stdout.write(`\n✓ access code accepted\n`);
   process.stdout.write(`  project:     ${g.projectName} (${g.projectId})\n`);
   process.stdout.write(`  fingerprint: ${g.projectFingerprint}\n`);
@@ -174,12 +413,141 @@ async function runRedeem({ code, json = false }) {
   if (g.autoLockAt) process.stdout.write(`  auto-lock:   ${g.autoLockAt}\n`);
   process.stdout.write(`  strict:      ${g.strictMode ? 'yes' : 'no'}\n`);
   process.stdout.write(
-    `  heartbeat:   every ${g.heartbeatIntervalSeconds}s, ${g.offlineGraceSeconds}s offline grace\n\n`,
-  );
-  process.stdout.write(
-    'Next step (when the owner shares the unlocked vault with you):\n'
-      + '  sealcode unlock\n\n',
+    `  heartbeat:   every ${g.heartbeatIntervalSeconds}s, ${g.offlineGraceSeconds}s offline grace\n`,
   );
+  if (g.deviceFingerprintWarning) {
+    ui.warn(g.deviceFingerprintWarning);
+  }
+
+  if (cachedK) {
+    process.stdout.write('\n');
+    ui.ok('Key delivered via team-share envelope — no passphrase needed.');
+    // Auto-unlock + auto-spawn watcher. This is the user-asked-for
+    // "magic" flow: one command (`sealcode redeem`) handles redeem +
+    // unwrap + decrypt + supervise. Strict mode is implied by the
+    // server's `strictMode` flag on the grant.
+    try {
+      const { runUnlock } = require('./open');
+      const config = getActiveConfig(projectRoot);
+      ui.step(`auto-unlocking ${ui.c.dim(projectRoot)}`);
+      const sp = new ui.Spinner('decrypting').start();
+      let n = 0;
+      const K = loadSession(projectRoot); // freshly cached above
+      const ures = await runUnlock({
+        projectRoot,
+        config,
+        K,
+        removeStubs: true,
+        log: (msg) => {
+          n += 1;
+          const file = String(msg).replace(/^\s*unlocked\s+/, '');
+          sp.update(`decrypting ${ui.c.dim(`(${n})`)} ${file}`);
+        },
+        // sealcode@1.1.0 — apply the server-issued policy
+        policy: g.policy || {
+          allowedPaths: g.allowedPaths || null,
+          mode: g.mode || 'rw',
+          watermark: g.watermark || null,
+          idleAutoLockMinutes: g.idleAutoLockMinutes || 0,
+        },
+        watermarkCtx: {
+          email: g.wrappedKeyRecipient || readMyEmail(),
+          grantId: g.id,
+          projectName: g.projectName || '',
+          date: new Date().toISOString().slice(0, 10),
+          fingerprint: getDeviceFingerprint(),
+        },
+      });
+      const sk = ures.skipped > 0 ? ` ${ui.c.dim(`(${ures.skipped} file(s) outside grant scope skipped)`)}` : '';
+      sp.succeed(
+        `unlocked ${ui.c.bold(ures.count)} files${sk} ${ui.c.dim(`(locked at ${ures.sealedAt})`)}`,
+      );
+      if (ures.policy.mode === 'ro') {
+        ui.hint('  Read-only grant: files are 0444. Any modification will trigger an immediate re-lock.');
+      }
+      if (ures.policy.watermark) {
+        ui.hint('  Files are watermarked with your grant ID — leaks are traceable.');
+      }
+    } catch (err) {
+      ui.warn(`auto-unlock failed: ${err.message || err}`);
+      ui.hint(`  Run \`sealcode unlock\` manually, then \`sealcode watch ${trimmed} --daemon\`.`);
+    }
+    try {
+      const { spawnDaemonWatcher } = require('./cli-watch');
+      const r = spawnDaemonWatcher({ projectRoot, code: trimmed });
+      if (r.error) {
+        ui.warn(`auto-spawn watcher failed: ${r.error}`);
+        ui.hint(`  Run \`sealcode watch ${trimmed} --daemon\` manually.`);
+      } else {
+        ui.ok(
+          `watcher running ${ui.c.dim(`(pid ${r.pid}; logs ~/.sealcode/logs/)`)}`,
+        );
+        ui.hint(
+          g.strictMode
+            ? '  Strict mode: if you kill the watcher, your local plaintext re-locks immediately.'
+            : '  Lenient mode: watcher auto-locks on revoke / expiry only.',
+        );
+      }
+    } catch (err) {
+      ui.warn(`could not start watcher: ${err.message || err}`);
+    }
+    process.stdout.write('\n');
+  } else {
+    if (unwrapNote) {
+      process.stdout.write(`  ${unwrapNote}\n`);
+    }
+    process.stdout.write(
+      '\nNext step (when the owner shares the unlocked vault with you):\n'
+        + `  ${ui.c.cyan('sealcode unlock')}\n`
+        + `  ${ui.c.cyan(`sealcode watch ${trimmed} &`)}  ${ui.c.dim('# keep this running so revoke is instant')}\n\n`,
+    );
+  }
+}
+
+function readMyEmail() {
+  try {
+    const { readCreds } = require('./api');
+    const c = readCreds();
+    return (c && c.email) || '';
+  } catch (_) {
+    return '';
+  }
+}
+
+/**
+ * sealcode@1.1.0 — Project lockdown. Bulk-revokes every active grant
+ * on the linked project in a single server-side transaction, then
+ * pushes instant lock signals to every connected watcher via the
+ * long-poll event bus.
+ *
+ * Requires the project to be linked (cli-link.js).
+ */
+async function runLockdown({ projectRoot, confirm = true } = {}) {
+  const { resolveLinkedProject } = require('./cli-link');
+  const linked = resolveLinkedProject(projectRoot);
+  if (!linked) {
+    ui.fail('This folder is not linked to a sealcode.dev project. Run `sealcode link` first.');
+    process.exitCode = 1;
+    return;
+  }
+  if (confirm) {
+    const { question } = require('./prompt');
+    ui.warn(`This will revoke EVERY active access code for ${ui.c.bold(linked.projectName || linked.projectId)}.`);
+    const reply = await question('Type "lockdown" to confirm: ');
+    if (String(reply).trim().toLowerCase() !== 'lockdown') {
+      ui.fail('Aborted.');
+      process.exitCode = 1;
+      return;
+    }
+  }
+  const res = await request('POST', `/api/v1/projects/${linked.projectId}/lockdown`, {
+    auth: true,
+    body: {},
+  });
+  ui.ok(`Lockdown complete — revoked ${ui.c.bold(res.revokedCount)} grant(s).`);
+  if (res.revokedCount > 0) {
+    ui.hint('  All connected watchers will re-lock within ~1 second.');
+  }
 }
 
-module.exports = { runShare, runGrants, runRevoke, runRedeem };
+module.exports = { runShare, runGrants, runRevoke, runRedeem, runLockdown };