sealcode 1.2.0 → 1.3.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.2.0",
+  "version": "1.3.1",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/cli-grants.js

@@ -354,20 +354,24 @@ async function runPause({ grantId, reason, extendOnResume = false }) {
 /**
  * sealcode@1.2.0 — Resume a paused access code from the CLI.
  *
- *   sealcode resume <grantId>
+ *   sealcode resume <grantId> [--unlock]
  *
- * If the grant was paused with --extend-on-resume, the expiresAt shifts
- * forward by the just-elapsed pause duration. The recipient must run
- * `sealcode redeem <code>` again to re-open their working copy.
+ * sealcode@1.3.0:
+ *   --unlock pushes an unlock event to the recipient's live watcher,
+ *   which re-materializes plaintext using the K it kept cached through
+ *   the pause. Without --unlock, status flips back to active but the
+ *   recipient stays locked until they manually `sealcode unlock`
+ *   (which now works without a passphrase since the session was
+ *   preserved through the pause).
  */
-async function runResume({ grantId }) {
-  if (!grantId) throw new Error('Usage: sealcode resume <grantId>');
+async function runResume({ grantId, autoUnlock = false }) {
+  if (!grantId) throw new Error('Usage: sealcode resume <grantId> [--unlock]');
   let res;
   try {
     res = await request(
       'POST',
       `/api/v1/grants/${encodeURIComponent(grantId)}/resume`,
-      { auth: true, body: {} },
+      { auth: true, body: { autoUnlock: !!autoUnlock } },
     );
   } catch (err) {
     if (err instanceof ApiError) {
@@ -391,7 +395,53 @@ async function runResume({ grantId }) {
     const mins = Math.round((res.pausedDurationMs || 0) / 60000);
     process.stdout.write(`   expiry shifted forward by ~${mins}m (paused duration)\n`);
   }
-  process.stdout.write('   Recipient must re-redeem the code to re-open the vault.\n');
+  if (autoUnlock) {
+    process.stdout.write('   Recipient\'s 1.3+ watcher will auto-unlock within ~1 second.\n');
+    process.stdout.write('   (No redeem needed — K was kept cached through the pause.)\n');
+  } else {
+    process.stdout.write('   Recipient can run `sealcode unlock` to re-open (no passphrase needed).\n');
+  }
+}
+
+/**
+ * sealcode@1.3.0 — Ask the server whether a grant-derived session is
+ * currently allowed to unlock. Used by the `unlock` command to refuse
+ * unlocking while the grant is paused (or revoked / expired) WITHOUT
+ * requiring the user to redeem first.
+ *
+ * Returns one of:
+ *   { allow: true, reason: 'active', ... }
+ *   { allow: false, reason: 'paused' | 'revoked' | 'expired' | 'not_found', ... }
+ *   { allow: true, reason: 'network_unreachable' }       (best-effort fallback)
+ *
+ * The last case lets a recipient who's offline still unlock — by
+ * design. If you want strict "must be online to unlock", pair this
+ * with the `strictMode` grant flag and the watcher's offline-grace
+ * (which already covers that case).
+ */
+async function checkUnlockAllowed(code, { strict = false } = {}) {
+  if (!code) return { allow: true, reason: 'no_code_local_only' };
+  try {
+    const res = await request('POST', '/api/v1/access/unlock-check', {
+      body: {
+        code: String(code).trim(),
+        deviceFingerprint: getDeviceFingerprint(),
+      },
+      timeoutMs: 8000,
+    });
+    return res || { allow: false, reason: 'unknown' };
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 404) {
+      // Older deploys (pre-1.3) without the endpoint — degrade open
+      // so existing CLIs against an older server don't break.
+      return { allow: true, reason: 'endpoint_missing' };
+    }
+    if (err instanceof ApiError && (err.status === 0 || err.status >= 500)) {
+      if (strict) return { allow: false, reason: 'network_unreachable_strict' };
+      return { allow: true, reason: 'network_unreachable' };
+    }
+    throw err;
+  }
 }
 
 async function runRevoke({ grantId }) {
@@ -481,6 +531,13 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
             source: 'grant',
             grantId: g.id,
             grantCodeHash: require('crypto').createHash('sha256').update(trimmed).digest('hex'),
+            // sealcode@1.3.0 — stash the code itself so the local
+            // unlock command can ask the server "may I unlock?" after
+            // a pause without requiring the user to re-type it. Lives
+            // under ~/.sealcode/sessions/ at mode 0600 alongside the
+            // already-cached K, so this doesn't materially expand the
+            // local attack surface.
+            grantCode: trimmed,
             grantExpiresAt: g.expiresAt,
             deviceFingerprint: getDeviceFingerprint(),
             strictWatch: !!g.strictMode,
@@ -667,4 +724,5 @@ module.exports = {
   runLockdown,
   runPause,
   runResume,
+  checkUnlockAllowed,
 };

package/src/cli-watch.js

@@ -55,6 +55,7 @@ const {
   projectId,
 } = require('./keystore');
 const { runLock } = require('./seal');
+const { runUnlock } = require('./open');
 const { getDeviceFingerprint } = require('./device');
 const { SealcodeError } = require('./errors');
 const grantPolicy = require('./grant-policy');
@@ -313,6 +314,7 @@ function startExfilWatchers({
         encoding: 'utf8',
         timeout: 1500,
         stdio: ['ignore', 'pipe', 'ignore'],
+        windowsHide: true,
       })
       .trim();
   } catch (_) { /* repo may not have git */ }
@@ -416,6 +418,7 @@ function startExfilWatchers({
       const cur = cp
         .execFileSync('git', ['-C', projectAbs, 'remote', '-v'], {
           encoding: 'utf8', timeout: 1500, stdio: ['ignore', 'pipe', 'ignore'],
+          windowsHide: true,
         })
         .trim();
       if (initialRemotes && cur !== initialRemotes) {
@@ -529,10 +532,22 @@ async function runWatch({
     strictWatch: strict,
   });
 
+  // sealcode@1.3.0 — track local pause state. When true, files are
+  // locked-on-disk but K is still in our session cache. We keep
+  // heartbeating so a server-side "unlock" event (owner resumed with
+  // auto-unlock) can re-materialize plaintext without a redeem.
+  let pausedLocally = false;
+
   // If we somehow started watching an already-locked grant, lock first
-  // and exit. Don't pretend everything's fine.
+  // and exit (revoke/expire/etc), OR soft-lock and stay running (paused).
   if (first.response.action === 'lock') {
-    return finalLock(projectRoot, config, trimmedCode, first.response.reason, json, daemon);
+    if (first.response.keepSession || first.response.reason === 'paused') {
+      await softLock(projectRoot, config, trimmedCode, first.response.reason || 'paused', json, daemon);
+      pausedLocally = true;
+      writeWatchState(projectRoot, { pausedLocally: true, pausedReason: first.response.reason || 'paused' });
+    } else {
+      return finalLock(projectRoot, config, trimmedCode, first.response.reason, json, daemon);
+    }
   }
 
   if (daemon) {
@@ -695,9 +710,76 @@ async function runWatch({
       continue;
     }
     consecutiveTransient = 0;
+
+    // sealcode@1.3.0 — branch on action.
     if (r.response.action === 'lock') {
+      // Soft lock (paused): re-encrypt, KEEP K, KEEP watcher alive.
+      // The 1.3 server marks this with `keepSession: true`; we also
+      // honor the legacy `reason: "paused"` from 1.2.0 servers in case
+      // someone is on a mixed deploy.
+      const isSoft = !!r.response.keepSession || r.response.reason === 'paused';
+      if (isSoft) {
+        if (!pausedLocally) {
+          await softLock(projectRoot, config, trimmedCode, r.response.reason || 'paused', json, daemon);
+          pausedLocally = true;
+          writeWatchState(projectRoot, { pausedLocally: true, pausedReason: r.response.reason || 'paused' });
+          appendLog(projectRoot, { type: 'soft_locked', reason: r.response.reason || 'paused' });
+        }
+        // Stay in the loop — wait for the next event (unlock or hard lock).
+        continue;
+      }
+      // Hard lock — revoke / expire / device mismatch / idle / etc.
       return finalLock(projectRoot, config, trimmedCode, r.response.reason, json, daemon);
     }
+
+    if (r.response.action === 'unlock') {
+      // Owner resumed with auto-unlock. Re-materialize plaintext using
+      // the K we kept cached through the pause.
+      try {
+        const K = loadSession(projectRoot);
+        if (!K) {
+          // We somehow lost K (e.g. another process cleared it). Best
+          // we can do: stay locked and nudge the user.
+          appendLog(projectRoot, { type: 'unlock_skipped_no_key' });
+          if (!daemon && !json) ui.warn(`[${ts()}] resumed, but no cached key on disk — run: sealcode redeem ${trimmedCode}`);
+        } else {
+          const sm = loadSessionMeta(projectRoot);
+          const pol = (sm && sm.meta && sm.meta.policy) || {};
+          const wctx = pol.watermark ? {
+            email: (sm && sm.meta && sm.meta.recipientEmail) || '',
+            grantId: (sm && sm.meta && sm.meta.grantId) || '',
+            projectName: (sm && sm.meta && sm.meta.projectName) || '',
+            date: new Date().toISOString().slice(0, 10),
+            fingerprint: getDeviceFingerprint(),
+          } : null;
+          const ures = await runUnlock({
+            projectRoot, config, K, removeStubs: true, policy: pol, watermarkCtx: wctx,
+            log: () => {},
+          });
+          K.fill(0);
+          appendLog(projectRoot, { type: 'auto_unlocked', count: ures.count, reason: r.response.reason || 'resumed' });
+          if (!daemon && !json) ui.ok(`[${ts()}] owner resumed — auto-unlocked ${ui.c.bold(ures.count)} files`);
+        }
+      } catch (err) {
+        appendLog(projectRoot, { type: 'auto_unlock_error', error: String(err.message || err) });
+        if (!daemon && !json) ui.warn(`[${ts()}] auto-unlock failed: ${err.message || err}`);
+      }
+      pausedLocally = false;
+      writeWatchState(projectRoot, { pausedLocally: false, pausedReason: null });
+      continue;
+    }
+
+    // Plain "ok" or "warn". If we WERE paused and the server now says
+    // "ok" without sending an unlock event, that means the owner
+    // resumed without auto-unlock. Clear our paused flag so the user's
+    // `sealcode unlock` invocation will be allowed by the local guard;
+    // we leave files locked-on-disk and let them choose when to unlock.
+    if (pausedLocally && (r.response.action === 'ok' || r.response.action === 'warn')) {
+      pausedLocally = false;
+      writeWatchState(projectRoot, { pausedLocally: false, pausedReason: null });
+      appendLog(projectRoot, { type: 'resumed_manual' });
+      if (!daemon && !json) ui.ok(`[${ts()}] owner resumed — files stay locked until you run: ${ui.c.cyan('sealcode unlock')}`);
+    }
     printTick(r.response, json, verbose, daemon, projectRoot);
     // After a successful (possibly long-polled) heartbeat we do NOT
     // sleep here — long-poll already consumed our budget. If the server
@@ -731,6 +813,61 @@ function printTick(resp, json, verbose, daemon, projectRoot) {
   }
 }
 
+/**
+ * sealcode@1.3.0 — Soft lock: re-encrypt plaintext but KEEP the cached
+ * K and KEEP the watcher process alive. Used for pause, which is
+ * meant to be reversible — the owner can resume and (optionally)
+ * push an `action: "unlock"` event that re-materializes the plaintext
+ * without requiring the recipient to redeem again.
+ *
+ * Idempotent: if there's no K cached (e.g. we restarted into an
+ * already-locked project), this is a no-op.
+ */
+async function softLock(projectRoot, config, code, reason, json, daemon) {
+  if (!json && !daemon && ui.STDERR_TTY) process.stderr.write('\r\x1b[K');
+  const label = reason || 'paused';
+  if (daemon) {
+    appendLog(projectRoot, { type: 'soft_lock', reason: label });
+  } else if (json) {
+    process.stdout.write(JSON.stringify({ type: 'soft_lock', reason: label }) + '\n');
+  } else {
+    ui.warn(`[${ts()}] paused by owner — re-locking, keeping session for resume`);
+  }
+
+  const K = loadSession(projectRoot);
+  if (!K) {
+    // Nothing to re-encrypt. Files are already in their locked state.
+    return;
+  }
+
+  const _sessionMeta = loadSessionMeta(projectRoot);
+  const _preserveUnseen =
+    !!_sessionMeta &&
+    _sessionMeta.meta &&
+    _sessionMeta.meta.source === 'grant' &&
+    _sessionMeta.meta.policy &&
+    Array.isArray(_sessionMeta.meta.policy.allowedPaths) &&
+    _sessionMeta.meta.policy.allowedPaths.length > 0;
+
+  try {
+    const res = await runLock({ projectRoot, config, K, preserveUnseen: _preserveUnseen });
+    K.fill(0);
+    if (daemon) {
+      appendLog(projectRoot, { type: 'soft_locked', count: res.count, reason: label });
+    } else if (!json) {
+      ui.ok(`[${ts()}] re-locked ${ui.c.bold(res.count)} files — waiting for owner to resume`);
+      ui.hint(`  Files will auto-unlock if the owner picks "Resume + unlock now",`);
+      ui.hint(`  or run ${ui.c.cyan('sealcode unlock')} yourself once they resume (no passphrase).`);
+    }
+  } catch (err) {
+    // If soft-lock fails we DO NOT escalate to hard-lock — that would
+    // wipe the session and force a redeem, which is exactly the UX we
+    // built this feature to avoid. Surface the error and stay locked.
+    if (daemon) appendLog(projectRoot, { type: 'soft_lock_error', error: String(err.message || err) });
+    else if (!json) ui.fail(`soft-lock failed: ${err.message}. Files may still contain plaintext — investigate.`);
+  }
+}
+
 async function finalLock(projectRoot, config, code, reason, json, daemon) {
   if (!json && !daemon && ui.STDERR_TTY) process.stderr.write('\r\x1b[K');
   const label = reason || 'lock';
@@ -781,7 +918,8 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
   } else {
     ui.ok(`[${ts()}] re-locked ${ui.c.bold(res.count)} files into ${ui.c.cyan(config.lockedDir + '/')} — session cleared`);
     // sealcode@1.2.0 — be specific about the "paused" case so the
-    // recipient knows it's reversible and what their next step is.
+    // recipient knows it's reversible. (sealcode@1.3.0+ goes through
+    // softLock instead and won't reach this branch.)
     if (label === 'paused') {
       ui.hint('  This access code was PAUSED by the owner — not revoked.');
       ui.hint(`  Wait for the owner to resume, then run: ${ui.c.cyan(`sealcode redeem ${code}`)}`);
@@ -796,9 +934,33 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
  * Helper: spawn a detached `sealcode watch <code> --daemon` child. Used
  * by runUnlock when the unlock came from a grant-derived session.
  * Returns the child pid (already detached). Best-effort.
+ *
+ * Windows specifics (sealcode@1.3.1):
+ *   - `windowsHide: true` keeps the spawned process from popping a
+ *     console window. Without this, every daemon spawn flashes a black
+ *     cmd window which users (rightly) find alarming.
+ *   - We also guard against re-spawn loops: if a daemon is already
+ *     alive for this project we just return its pid instead of
+ *     spawning a new one. Without this guard, repeated `redeem` calls
+ *     (or any startup hook that re-runs redeem) accumulate orphan
+ *     daemons that each show up as a pop-and-vanish window when they
+ *     periodically run their child-process sweeps.
  */
 function spawnDaemonWatcher({ projectRoot, code }) {
   try {
+    // If a healthy daemon is already running for this project, don't
+    // start another one. This is the single most important defense
+    // against the "windows pop in and out" loop on Windows.
+    const existing = readWatcherStatus(projectRoot);
+    if (existing.state === 'alive') {
+      return { pid: existing.pid, reused: true };
+    }
+    // Stale / dead state file should be cleared before respawn, otherwise
+    // the new daemon may collide with leftover bookkeeping.
+    if (existing.state === 'stale' || existing.state === 'dead') {
+      try { fs.unlinkSync(watchStateFile(projectRoot)); } catch (_) { /* ignore */ }
+    }
+
     ensureDir(WATCH_LOG_DIR);
     const bin = process.execPath;
     const entry = require.resolve('../bin/sealcode.js');
@@ -809,6 +971,9 @@ function spawnDaemonWatcher({ projectRoot, code }) {
         cwd: projectRoot,
         detached: true,
         stdio: 'ignore',
+        // Critical on Windows — without this, the spawned daemon
+        // opens a visible cmd window. macOS / Linux ignore the flag.
+        windowsHide: true,
         env: { ...process.env, SEALCODE_AUTO_DAEMON: '1' },
       },
     );

package/src/cli.js

@@ -40,6 +40,7 @@ const {
   runRedeem,
   runPause,
   runResume,
+  checkUnlockAllowed,
 } = require('./cli-grants');
 const {
   runCiCreate,
@@ -286,6 +287,63 @@ function build() {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
+
+        // sealcode@1.3.0 — grant-derived sessions must clear a server
+        // status check before unlocking. This is what stops a recipient
+        // from running `sealcode unlock` to bypass a pause.
+        //
+        // We do this BEFORE resolveKey so a paused/revoked grant
+        // doesn't even decrypt the cached K from disk. If the local
+        // session isn't grant-derived (owner-passphrase flow), this
+        // whole block is a no-op.
+        {
+          const { loadSessionMeta: _lsm } = require('./keystore');
+          const _sm = _lsm(projectRoot);
+          if (_sm && _sm.meta && _sm.meta.source === 'grant' && _sm.meta.grantCode) {
+            const _strict = !!_sm.meta.strictWatch;
+            const _gate = await checkUnlockAllowed(_sm.meta.grantCode, { strict: _strict });
+            if (!_gate.allow) {
+              if (_gate.reason === 'paused') {
+                ui.fail(`This access has been PAUSED by the project owner.`);
+                if (_gate.pauseReason) ui.hint(`  Reason: ${_gate.pauseReason}`);
+                ui.hint(`  Files stay locked until the owner resumes. You'll get an automatic`);
+                ui.hint(`  notification (and auto-unlock) when they do — no redeem needed.`);
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'revoked') {
+                ui.fail('This access code has been revoked. You can no longer unlock.');
+                ui.hint('  Ask the owner for a fresh code: `sealcode share` on their side.');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'expired') {
+                ui.fail('This access code has expired. You can no longer unlock.');
+                ui.hint('  Ask the owner for a fresh code.');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'not_found') {
+                ui.fail('Access code not found on the server (it may have been deleted).');
+                process.exitCode = 1;
+                return;
+              }
+              if (_gate.reason === 'network_unreachable_strict') {
+                ui.fail('Cannot reach sealcode.dev to verify access status, and this grant is strict.');
+                ui.hint('  Reconnect to the network, then re-run `sealcode unlock`.');
+                process.exitCode = 1;
+                return;
+              }
+              ui.fail(`Unlock denied (${_gate.reason}).`);
+              process.exitCode = 1;
+              return;
+            }
+            if (_gate.reason === 'network_unreachable') {
+              ui.warn(`Could not reach sealcode.dev — proceeding with cached key (lenient grant).`);
+            }
+          }
+        }
+
         const K = await resolveKey(projectRoot, config, { useRecovery: opts.recovery });
         ui.step(`unlocking ${ui.c.dim(projectRoot)}`);
         const sp = new ui.Spinner('decrypting').start();
@@ -774,14 +832,15 @@ function build() {
       }
     });
 
-  // -------- resume (sealcode@1.2.0) --------
+  // -------- resume (sealcode@1.2.0; --unlock added 1.3.0) --------
   program
     .command('resume')
     .argument('<grantId>', 'grant ID to resume (see `sealcode grants`)')
-    .description('Resume a paused access code. The recipient must `sealcode redeem <code>` again to re-open their working copy.')
-    .action(async (grantId) => {
+    .description('Resume a paused access code. The recipient\'s 1.3+ watcher can re-open the working copy automatically — no redeem needed.')
+    .option('--unlock', 'also push an unlock event so the recipient\'s files re-materialize automatically (1.3+ watcher required)', false)
+    .action(async (grantId, opts) => {
       try {
-        await runResume({ grantId });
+        await runResume({ grantId, autoUnlock: !!opts.unlock });
       } catch (err) {
         process.exitCode = reportError(err);
       }

package/src/device.js

@@ -72,6 +72,9 @@ function readMachineId() {
         encoding: 'utf8',
         timeout: 1500,
         stdio: ['ignore', 'pipe', 'ignore'],
+        // Stop reg.exe from flashing a console window — happens on every
+        // command run because device.js is loaded by `clientInfo()`.
+        windowsHide: true,
       });
       const m = /MachineGuid\s+REG_SZ\s+([0-9a-f-]+)/i.exec(out);
       return m ? m[1] : null;