npm - sealcode - Versions diffs - 1.3.1 → 1.3.2 - Mend

sealcode 1.3.1 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/cli-watch.js +76 -6

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/cli-watch.js CHANGED Viewed

@@ -54,7 +54,7 @@ const {
   clearSession,
   projectId,
 } = require('./keystore');
-const { runLock } = require('./seal');
+const { runLock, collectFiles } = require('./seal');
 const { runUnlock } = require('./open');
 const { getDeviceFingerprint } = require('./device');
 const { SealcodeError } = require('./errors');
@@ -688,7 +688,35 @@ async function runWatch({
     try {
       r = await heartbeatOnce(trimmedCode, { waitMs });
     } catch (err) {
-      throw err;
+      // sealcode@1.3.2 — previously this rethrew, which propagated out
+      // of runWatch and turned the watcher into a silent zombie: the
+      // process kept running because exfilCtrl's inotify kept the event
+      // loop alive, but the polling loop was dead and the watcher
+      // stopped receiving pause/resume/unlock signals from the server.
+      // We now treat unexpected throws from heartbeatOnce as transient,
+      // back off, and try again — same path as `!r.ok`. If we exceed
+      // the offline grace we'll hard-lock cleanly via the regular path.
+      const now = Date.now();
+      if (consecutiveTransient === 0) firstTransientAt = now;
+      consecutiveTransient += 1;
+      const offlineSec = Math.floor((now - firstTransientAt) / 1000);
+      const errMsg = String(err?.message || err);
+      const errDetail = err?.detail || err?.hint || null;
+      const errCode = err?.code || err?.apiCode || err?.status || null;
+      appendLog(projectRoot, {
+        type: 'heartbeat_throw',
+        error: errMsg,
+        detail: errDetail,
+        code: errCode,
+        stack: err?.stack ? String(err.stack).split('\n').slice(0, 4).join(' | ') : null,
+        offlineSec,
+      });
+      if (!daemon && !json) ui.warn(`[${ts()}] heartbeat raised: ${errMsg} (offline ${offlineSec}s / ${offlineGraceSec}s grace)`);
+      if (offlineSec >= offlineGraceSec) {
+        return finalLock(projectRoot, config, trimmedCode, 'offline_grace_exceeded', json, daemon);
+      }
+      await sleep(TRANSIENT_BACKOFF_SEC * 1000);
+      continue;
     }
     if (!r.ok) {
       const now = Date.now();
@@ -840,14 +868,56 @@ async function softLock(projectRoot, config, code, reason, json, daemon) {
     return;
   }
+  // sealcode@1.3.2 — CRITICAL safety check. If the project has no
+  // plaintext files on disk (i.e. it's already in its locked state),
+  // calling runLock here would DESTROY the locked vendor/ directory:
+  // runLock does `rmIfExists(lockedRoot)` and then re-writes only files
+  // that are currently plaintext PLUS any blobs covered by
+  // preserveUnseen. preserveUnseen is only true for path-scoped grants
+  // (allowedPaths set), so for the common case of a full-project grant
+  // the wipe would leave just the keystore + 0 blobs and the manifest
+  // would shrink from 553 entries to 0. A subsequent `sealcode unlock`
+  // would then "restore" 0 files — irrecoverable data loss for the
+  // recipient if they don't have a separate copy.
+  //
+  // This is exactly Rejoan's "unlocked 1 files" bug: his watcher
+  // restarted (or auto-spawned by redeem) against an already-paused
+  // grant on Windows where files were already locked, softLock fired
+  // with no plaintext to encrypt, wiped vendor/, and his next unlock
+  // restored just the 1 stub file.
+  //
+  // The fix: if there's nothing to encrypt, softLock is a no-op. The
+  // files are already in the encrypted state we wanted them in.
+  let plaintextFiles = [];
+  try {
+    plaintextFiles = await collectFiles(projectRoot, config);
+  } catch (_) {
+    // If collectFiles itself fails, fall through to runLock which has
+    // its own error handling — at worst we hit the catch below and
+    // log soft_lock_error.
+  }
+  if (plaintextFiles.length === 0) {
+    K.fill(0);
+    if (daemon) {
+      appendLog(projectRoot, { type: 'soft_locked', count: 0, reason: label, note: 'already-locked' });
+    } else if (!json) {
+      ui.ok(`[${ts()}] already locked on disk — no re-encryption needed (waiting for resume)`);
+    }
+    return;
+  }
   const _sessionMeta = loadSessionMeta(projectRoot);
+  // sealcode@1.3.2 — always preserve unseen blobs for grant-derived
+  // sessions, not just path-scoped ones. Even without allowedPaths,
+  // the recipient may have a mix of plaintext and still-locked files
+  // (e.g. they manually `sealcode lock`ed a subset, or RO mode set
+  // 0444 prevented some files from materializing on disk). Without
+  // preserveUnseen, runLock would drop those unseen blobs and the
+  // resume + unlock flow would restore an incomplete project.
   const _preserveUnseen =
     !!_sessionMeta &&
     _sessionMeta.meta &&
-    _sessionMeta.meta.source === 'grant' &&
-    _sessionMeta.meta.policy &&
-    Array.isArray(_sessionMeta.meta.policy.allowedPaths) &&
-    _sessionMeta.meta.policy.allowedPaths.length > 0;
+    _sessionMeta.meta.source === 'grant';
   try {
     const res = await runLock({ projectRoot, config, K, preserveUnseen: _preserveUnseen });