npm - sealcode - Versions diffs - 1.1.1 → 1.3.0 - Mend

sealcode 1.1.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.1.1",
+  "version": "1.3.0",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/cli-grants.js CHANGED Viewed

@@ -299,8 +299,14 @@ async function runGrants({ projectRoot, json = false }) {
   process.stdout.write(`\n${link.projectName || link.projectId}: ${grants.length} grant(s)\n`);
   for (const g of grants) {
     const state = g.state.padEnd(8);
-    const remaining =
-      g.state === 'active' ? formatRemaining(g.remainingMs) : g.state;
+    let remaining;
+    if (g.state === 'active') {
+      remaining = formatRemaining(g.remainingMs);
+    } else if (g.state === 'paused') {
+      remaining = 'paused';
+    } else {
+      remaining = g.state;
+    }
     const who = g.developerEmail || g.developerLabel || '(no label)';
     process.stdout.write(
       `  ${state}  ${g.codePrefix.padEnd(12)}  ${remaining.padEnd(10)}  ${who}  id=${g.id}\n`,
@@ -309,6 +315,135 @@ async function runGrants({ projectRoot, json = false }) {
   process.stdout.write('\n');
 }
+/**
+ * sealcode@1.2.0 — Pause an active access code from the CLI.
+ *
+ *   sealcode pause <grantId> [--reason "<text>"] [--extend-on-resume]
+ *
+ * Mirrors the dashboard pause modal. Owner must be `sealcode login`ed
+ * and be admin (or owner) of the project.
+ */
+async function runPause({ grantId, reason, extendOnResume = false }) {
+  if (!grantId) throw new Error('Usage: sealcode pause <grantId> [--reason "<text>"] [--extend-on-resume]');
+  const body = {};
+  if (reason) body.reason = String(reason).slice(0, 500);
+  if (extendOnResume) body.extendsExpiry = true;
+  try {
+    await request(
+      'POST',
+      `/api/v1/grants/${encodeURIComponent(grantId)}/pause`,
+      { auth: true, body },
+    );
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 409 && err.apiCode === 'wrong_state') {
+      ui.fail(err.message || 'Grant is not in a pausable state.');
+      process.exitCode = 1;
+      return;
+    }
+    throw err;
+  }
+  process.stdout.write(`⏸  paused grant ${grantId}\n`);
+  if (reason) process.stdout.write(`   reason: ${reason}\n`);
+  if (extendOnResume) {
+    process.stdout.write(`   extend-on-resume: expiry will shift forward by the paused duration\n`);
+  }
+  process.stdout.write('   Any live watcher will re-lock the recipient\'s files within seconds.\n');
+  process.stdout.write(`   Resume with: ${ui.c.cyan(`sealcode resume ${grantId}`)}\n`);
+}
+/**
+ * sealcode@1.2.0 — Resume a paused access code from the CLI.
+ *
+ *   sealcode resume <grantId> [--unlock]
+ *
+ * sealcode@1.3.0:
+ *   --unlock pushes an unlock event to the recipient's live watcher,
+ *   which re-materializes plaintext using the K it kept cached through
+ *   the pause. Without --unlock, status flips back to active but the
+ *   recipient stays locked until they manually `sealcode unlock`
+ *   (which now works without a passphrase since the session was
+ *   preserved through the pause).
+ */
+async function runResume({ grantId, autoUnlock = false }) {
+  if (!grantId) throw new Error('Usage: sealcode resume <grantId> [--unlock]');
+  let res;
+  try {
+    res = await request(
+      'POST',
+      `/api/v1/grants/${encodeURIComponent(grantId)}/resume`,
+      { auth: true, body: { autoUnlock: !!autoUnlock } },
+    );
+  } catch (err) {
+    if (err instanceof ApiError) {
+      if (err.status === 410) {
+        ui.fail(err.message || 'Grant expired while paused.');
+        ui.hint('  Issue a fresh access code instead: `sealcode share ...`');
+        process.exitCode = 1;
+        return;
+      }
+      if (err.status === 409 && err.apiCode === 'wrong_state') {
+        ui.fail(err.message || 'Grant is not paused.');
+        process.exitCode = 1;
+        return;
+      }
+    }
+    throw err;
+  }
+  process.stdout.write(`▶  resumed grant ${grantId}\n`);
+  if (res.newExpiresAt) process.stdout.write(`   expires: ${res.newExpiresAt}\n`);
+  if (res.extendedExpiry) {
+    const mins = Math.round((res.pausedDurationMs || 0) / 60000);
+    process.stdout.write(`   expiry shifted forward by ~${mins}m (paused duration)\n`);
+  }
+  if (autoUnlock) {
+    process.stdout.write('   Recipient\'s 1.3+ watcher will auto-unlock within ~1 second.\n');
+    process.stdout.write('   (No redeem needed — K was kept cached through the pause.)\n');
+  } else {
+    process.stdout.write('   Recipient can run `sealcode unlock` to re-open (no passphrase needed).\n');
+  }
+}
+/**
+ * sealcode@1.3.0 — Ask the server whether a grant-derived session is
+ * currently allowed to unlock. Used by the `unlock` command to refuse
+ * unlocking while the grant is paused (or revoked / expired) WITHOUT
+ * requiring the user to redeem first.
+ *
+ * Returns one of:
+ *   { allow: true, reason: 'active', ... }
+ *   { allow: false, reason: 'paused' | 'revoked' | 'expired' | 'not_found', ... }
+ *   { allow: true, reason: 'network_unreachable' }       (best-effort fallback)
+ *
+ * The last case lets a recipient who's offline still unlock — by
+ * design. If you want strict "must be online to unlock", pair this
+ * with the `strictMode` grant flag and the watcher's offline-grace
+ * (which already covers that case).
+ */
+async function checkUnlockAllowed(code, { strict = false } = {}) {
+  if (!code) return { allow: true, reason: 'no_code_local_only' };
+  try {
+    const res = await request('POST', '/api/v1/access/unlock-check', {
+      body: {
+        code: String(code).trim(),
+        deviceFingerprint: getDeviceFingerprint(),
+      },
+      timeoutMs: 8000,
+    });
+    return res || { allow: false, reason: 'unknown' };
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 404) {
+      // Older deploys (pre-1.3) without the endpoint — degrade open
+      // so existing CLIs against an older server don't break.
+      return { allow: true, reason: 'endpoint_missing' };
+    }
+    if (err instanceof ApiError && (err.status === 0 || err.status >= 500)) {
+      if (strict) return { allow: false, reason: 'network_unreachable_strict' };
+      return { allow: true, reason: 'network_unreachable' };
+    }
+    throw err;
+  }
+}
 async function runRevoke({ grantId }) {
   if (!grantId) throw new Error('Usage: sealcode revoke <grantId>');
   const res = await request(
@@ -396,6 +531,13 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
             source: 'grant',
             grantId: g.id,
             grantCodeHash: require('crypto').createHash('sha256').update(trimmed).digest('hex'),
+            // sealcode@1.3.0 — stash the code itself so the local
+            // unlock command can ask the server "may I unlock?" after
+            // a pause without requiring the user to re-type it. Lives
+            // under ~/.sealcode/sessions/ at mode 0600 alongside the
+            // already-cached K, so this doesn't materially expand the
+            // local attack surface.
+            grantCode: trimmed,
             grantExpiresAt: g.expiresAt,
             deviceFingerprint: getDeviceFingerprint(),
             strictWatch: !!g.strictMode,
@@ -574,4 +716,13 @@ async function runLockdown({ projectRoot, confirm = true } = {}) {
   }
 }
-module.exports = { runShare, runGrants, runRevoke, runRedeem, runLockdown };
+module.exports = {
+  runShare,
+  runGrants,
+  runRevoke,
+  runRedeem,
+  runLockdown,
+  runPause,
+  runResume,
+  checkUnlockAllowed,
+};

package/src/cli-watch.js CHANGED Viewed

@@ -55,6 +55,7 @@ const {
   projectId,
 } = require('./keystore');
 const { runLock } = require('./seal');
+const { runUnlock } = require('./open');
 const { getDeviceFingerprint } = require('./device');
 const { SealcodeError } = require('./errors');
 const grantPolicy = require('./grant-policy');
@@ -529,10 +530,22 @@ async function runWatch({
     strictWatch: strict,
   });
+  // sealcode@1.3.0 — track local pause state. When true, files are
+  // locked-on-disk but K is still in our session cache. We keep
+  // heartbeating so a server-side "unlock" event (owner resumed with
+  // auto-unlock) can re-materialize plaintext without a redeem.
+  let pausedLocally = false;
   // If we somehow started watching an already-locked grant, lock first
-  // and exit. Don't pretend everything's fine.
+  // and exit (revoke/expire/etc), OR soft-lock and stay running (paused).
   if (first.response.action === 'lock') {
-    return finalLock(projectRoot, config, trimmedCode, first.response.reason, json, daemon);
+    if (first.response.keepSession || first.response.reason === 'paused') {
+      await softLock(projectRoot, config, trimmedCode, first.response.reason || 'paused', json, daemon);
+      pausedLocally = true;
+      writeWatchState(projectRoot, { pausedLocally: true, pausedReason: first.response.reason || 'paused' });
+    } else {
+      return finalLock(projectRoot, config, trimmedCode, first.response.reason, json, daemon);
+    }
   }
   if (daemon) {
@@ -695,9 +708,76 @@ async function runWatch({
       continue;
     }
     consecutiveTransient = 0;
+    // sealcode@1.3.0 — branch on action.
     if (r.response.action === 'lock') {
+      // Soft lock (paused): re-encrypt, KEEP K, KEEP watcher alive.
+      // The 1.3 server marks this with `keepSession: true`; we also
+      // honor the legacy `reason: "paused"` from 1.2.0 servers in case
+      // someone is on a mixed deploy.
+      const isSoft = !!r.response.keepSession || r.response.reason === 'paused';
+      if (isSoft) {
+        if (!pausedLocally) {
+          await softLock(projectRoot, config, trimmedCode, r.response.reason || 'paused', json, daemon);
+          pausedLocally = true;
+          writeWatchState(projectRoot, { pausedLocally: true, pausedReason: r.response.reason || 'paused' });
+          appendLog(projectRoot, { type: 'soft_locked', reason: r.response.reason || 'paused' });
+        }
+        // Stay in the loop — wait for the next event (unlock or hard lock).
+        continue;
+      }
+      // Hard lock — revoke / expire / device mismatch / idle / etc.
       return finalLock(projectRoot, config, trimmedCode, r.response.reason, json, daemon);
     }
+    if (r.response.action === 'unlock') {
+      // Owner resumed with auto-unlock. Re-materialize plaintext using
+      // the K we kept cached through the pause.
+      try {
+        const K = loadSession(projectRoot);
+        if (!K) {
+          // We somehow lost K (e.g. another process cleared it). Best
+          // we can do: stay locked and nudge the user.
+          appendLog(projectRoot, { type: 'unlock_skipped_no_key' });
+          if (!daemon && !json) ui.warn(`[${ts()}] resumed, but no cached key on disk — run: sealcode redeem ${trimmedCode}`);
+        } else {
+          const sm = loadSessionMeta(projectRoot);
+          const pol = (sm && sm.meta && sm.meta.policy) || {};
+          const wctx = pol.watermark ? {
+            email: (sm && sm.meta && sm.meta.recipientEmail) || '',
+            grantId: (sm && sm.meta && sm.meta.grantId) || '',
+            projectName: (sm && sm.meta && sm.meta.projectName) || '',
+            date: new Date().toISOString().slice(0, 10),
+            fingerprint: getDeviceFingerprint(),
+          } : null;
+          const ures = await runUnlock({
+            projectRoot, config, K, removeStubs: true, policy: pol, watermarkCtx: wctx,
+            log: () => {},
+          });
+          K.fill(0);
+          appendLog(projectRoot, { type: 'auto_unlocked', count: ures.count, reason: r.response.reason || 'resumed' });
+          if (!daemon && !json) ui.ok(`[${ts()}] owner resumed — auto-unlocked ${ui.c.bold(ures.count)} files`);
+        }
+      } catch (err) {
+        appendLog(projectRoot, { type: 'auto_unlock_error', error: String(err.message || err) });
+        if (!daemon && !json) ui.warn(`[${ts()}] auto-unlock failed: ${err.message || err}`);
+      }
+      pausedLocally = false;
+      writeWatchState(projectRoot, { pausedLocally: false, pausedReason: null });
+      continue;
+    }
+    // Plain "ok" or "warn". If we WERE paused and the server now says
+    // "ok" without sending an unlock event, that means the owner
+    // resumed without auto-unlock. Clear our paused flag so the user's
+    // `sealcode unlock` invocation will be allowed by the local guard;
+    // we leave files locked-on-disk and let them choose when to unlock.
+    if (pausedLocally && (r.response.action === 'ok' || r.response.action === 'warn')) {
+      pausedLocally = false;
+      writeWatchState(projectRoot, { pausedLocally: false, pausedReason: null });
+      appendLog(projectRoot, { type: 'resumed_manual' });
+      if (!daemon && !json) ui.ok(`[${ts()}] owner resumed — files stay locked until you run: ${ui.c.cyan('sealcode unlock')}`);
+    }
     printTick(r.response, json, verbose, daemon, projectRoot);
     // After a successful (possibly long-polled) heartbeat we do NOT
     // sleep here — long-poll already consumed our budget. If the server
@@ -731,6 +811,61 @@ function printTick(resp, json, verbose, daemon, projectRoot) {
   }
 }
+/**
+ * sealcode@1.3.0 — Soft lock: re-encrypt plaintext but KEEP the cached
+ * K and KEEP the watcher process alive. Used for pause, which is
+ * meant to be reversible — the owner can resume and (optionally)
+ * push an `action: "unlock"` event that re-materializes the plaintext
+ * without requiring the recipient to redeem again.
+ *
+ * Idempotent: if there's no K cached (e.g. we restarted into an
+ * already-locked project), this is a no-op.
+ */
+async function softLock(projectRoot, config, code, reason, json, daemon) {
+  if (!json && !daemon && ui.STDERR_TTY) process.stderr.write('\r\x1b[K');
+  const label = reason || 'paused';
+  if (daemon) {
+    appendLog(projectRoot, { type: 'soft_lock', reason: label });
+  } else if (json) {
+    process.stdout.write(JSON.stringify({ type: 'soft_lock', reason: label }) + '\n');
+  } else {
+    ui.warn(`[${ts()}] paused by owner — re-locking, keeping session for resume`);
+  }
+  const K = loadSession(projectRoot);
+  if (!K) {
+    // Nothing to re-encrypt. Files are already in their locked state.
+    return;
+  }
+  const _sessionMeta = loadSessionMeta(projectRoot);
+  const _preserveUnseen =
+    !!_sessionMeta &&
+    _sessionMeta.meta &&
+    _sessionMeta.meta.source === 'grant' &&
+    _sessionMeta.meta.policy &&
+    Array.isArray(_sessionMeta.meta.policy.allowedPaths) &&
+    _sessionMeta.meta.policy.allowedPaths.length > 0;
+  try {
+    const res = await runLock({ projectRoot, config, K, preserveUnseen: _preserveUnseen });
+    K.fill(0);
+    if (daemon) {
+      appendLog(projectRoot, { type: 'soft_locked', count: res.count, reason: label });
+    } else if (!json) {
+      ui.ok(`[${ts()}] re-locked ${ui.c.bold(res.count)} files — waiting for owner to resume`);
+      ui.hint(`  Files will auto-unlock if the owner picks "Resume + unlock now",`);
+      ui.hint(`  or run ${ui.c.cyan('sealcode unlock')} yourself once they resume (no passphrase).`);
+    }
+  } catch (err) {
+    // If soft-lock fails we DO NOT escalate to hard-lock — that would
+    // wipe the session and force a redeem, which is exactly the UX we
+    // built this feature to avoid. Surface the error and stay locked.
+    if (daemon) appendLog(projectRoot, { type: 'soft_lock_error', error: String(err.message || err) });
+    else if (!json) ui.fail(`soft-lock failed: ${err.message}. Files may still contain plaintext — investigate.`);
+  }
+}
 async function finalLock(projectRoot, config, code, reason, json, daemon) {
   if (!json && !daemon && ui.STDERR_TTY) process.stderr.write('\r\x1b[K');
   const label = reason || 'lock';
@@ -780,7 +915,15 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
     process.stdout.write(JSON.stringify({ type: 'locked', count: res.count, reason: label }) + '\n');
   } else {
     ui.ok(`[${ts()}] re-locked ${ui.c.bold(res.count)} files into ${ui.c.cyan(config.lockedDir + '/')} — session cleared`);
-    ui.hint('  Your local plaintext has been wiped. Ask the owner for a fresh code if you still need access.');
+    // sealcode@1.2.0 — be specific about the "paused" case so the
+    // recipient knows it's reversible. (sealcode@1.3.0+ goes through
+    // softLock instead and won't reach this branch.)
+    if (label === 'paused') {
+      ui.hint('  This access code was PAUSED by the owner — not revoked.');
+      ui.hint(`  Wait for the owner to resume, then run: ${ui.c.cyan(`sealcode redeem ${code}`)}`);
+    } else {
+      ui.hint('  Your local plaintext has been wiped. Ask the owner for a fresh code if you still need access.');
+    }
   }
   process.exit(0);
 }

package/src/cli.js CHANGED Viewed

@@ -33,7 +33,15 @@ const { installHook, uninstallHook } = require('./hooks');
 const { exportBundle, importBundle } = require('./bundle');
 const { runLogin, runSignout, runWhoami } = require('./cli-auth');
 const { runLink, runUnlink, runLinkInfo } = require('./cli-link');
-const { runShare, runGrants, runRevoke, runRedeem } = require('./cli-grants');
+const {
+  runShare,
+  runGrants,
+  runRevoke,
+  runRedeem,
+  runPause,
+  runResume,
+  checkUnlockAllowed,
+} = require('./cli-grants');
 const {
   runCiCreate,
   runCiList,
@@ -279,6 +287,63 @@ function build() {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
+        // sealcode@1.3.0 — grant-derived sessions must clear a server
+        // status check before unlocking. This is what stops a recipient
+        // from running `sealcode unlock` to bypass a pause.
+        //
+        // We do this BEFORE resolveKey so a paused/revoked grant
+        // doesn't even decrypt the cached K from disk. If the local
+        // session isn't grant-derived (owner-passphrase flow), this
+        // whole block is a no-op.
+        {
+          const { loadSessionMeta: _lsm } = require('./keystore');
+          const _sm = _lsm(projectRoot);
+          if (_sm && _sm.meta && _sm.meta.source === 'grant' && _sm.meta.grantCode) {
+            const _strict = !!_sm.meta.strictWatch;
+            const _gate = await checkUnlockAllowed(_sm.meta.grantCode, { strict: _strict });
+            if (!_gate.allow) {
+              if (_gate.reason === 'paused') {
+                ui.fail(`This access has been PAUSED by the project owner.`);
+                if (_gate.pauseReason) ui.hint(`  Reason: ${_gate.pauseReason}`);
+                ui.hint(`  Files stay locked until the owner resumes. You'll get an automatic`);
+                ui.hint(`  notification (and auto-unlock) when they do — no redeem needed.`);
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'revoked') {
+                ui.fail('This access code has been revoked. You can no longer unlock.');
+                ui.hint('  Ask the owner for a fresh code: `sealcode share` on their side.');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'expired') {
+                ui.fail('This access code has expired. You can no longer unlock.');
+                ui.hint('  Ask the owner for a fresh code.');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'not_found') {
+                ui.fail('Access code not found on the server (it may have been deleted).');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'network_unreachable_strict') {
+                ui.fail('Cannot reach sealcode.dev to verify access status, and this grant is strict.');
+                ui.hint('  Reconnect to the network, then re-run `sealcode unlock`.');
+                process.exitCode = 1;
+                return;
+              }
+              ui.fail(`Unlock denied (${_gate.reason}).`);
+              process.exitCode = 1;
+              return;
+            }
+            if (_gate.reason === 'network_unreachable') {
+              ui.warn(`Could not reach sealcode.dev — proceeding with cached key (lenient grant).`);
+            }
+          }
+        }
         const K = await resolveKey(projectRoot, config, { useRecovery: opts.recovery });
         ui.step(`unlocking ${ui.c.dim(projectRoot)}`);
         const sp = new ui.Spinner('decrypting').start();
@@ -748,6 +813,39 @@ function build() {
       }
     });
+  // -------- pause (sealcode@1.2.0) --------
+  program
+    .command('pause')
+    .argument('<grantId>', 'grant ID to pause (see `sealcode grants`)')
+    .description('Pause an active access code. Reversible: any live watcher re-locks immediately, but you can resume later.')
+    .option('--reason <text>', 'optional note visible to project admins (≤500 chars)')
+    .option('--extend-on-resume', 'on resume, shift expiry forward by the paused duration (default: clock keeps ticking)', false)
+    .action(async (grantId, opts) => {
+      try {
+        await runPause({
+          grantId,
+          reason: opts.reason,
+          extendOnResume: !!opts.extendOnResume,
+        });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+  // -------- resume (sealcode@1.2.0; --unlock added 1.3.0) --------
+  program
+    .command('resume')
+    .argument('<grantId>', 'grant ID to resume (see `sealcode grants`)')
+    .description('Resume a paused access code. The recipient\'s 1.3+ watcher can re-open the working copy automatically — no redeem needed.')
+    .option('--unlock', 'also push an unlock event so the recipient\'s files re-materialize automatically (1.3+ watcher required)', false)
+    .action(async (grantId, opts) => {
+      try {
+        await runResume({ grantId, autoUnlock: !!opts.unlock });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
   // -------- lockdown (sealcode@1.1.0) --------
   program
     .command('lockdown')