sealcode 1.3.2 → 1.3.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.3.2",
+  "version": "1.3.4",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",

package/src/cli-grants.js

@@ -706,12 +706,64 @@ async function runLockdown({ projectRoot, confirm = true } = {}) {
       return;
     }
   }
-  const res = await request('POST', `/api/v1/projects/${linked.projectId}/lockdown`, {
-    auth: true,
-    body: {},
-  });
-  ui.ok(`Lockdown complete — revoked ${ui.c.bold(res.revokedCount)} grant(s).`);
-  if (res.revokedCount > 0) {
+  // sealcode@1.3.3 — the server's bulk /lockdown endpoint silently 307s to
+  // /login for reasons that don't reproduce on any other CLI route — even
+  // a no-op handler stub gets intercepted. Until that's root-caused on the
+  // server, fall back to client-side iteration: list grants, revoke each
+  // active one individually. Each /revoke call works correctly and fires
+  // the same publishGrantLock event the bulk endpoint would have. The
+  // per-grant calls are issued in parallel so the wall-clock cost of a
+  // 20-grant lockdown is still ~1 round-trip plus the slowest revoke.
+  let bulkRevoked = null;
+  try {
+    const bulk = await request('POST', `/api/v1/projects/${linked.projectId}/lockdown`, {
+      auth: true,
+      body: {},
+    });
+    if (typeof bulk.revokedCount === 'number') {
+      bulkRevoked = bulk.revokedCount;
+    }
+  } catch (_) {
+    // fall through to per-grant fallback below
+  }
+
+  if (bulkRevoked === null) {
+    // Fallback: enumerate active grants and revoke them one by one.
+    const list = await request(
+      'GET',
+      `/api/v1/projects/${linked.projectId}/grants?status=active,paused&limit=200`,
+      { auth: true },
+    );
+    const grants = Array.isArray(list.grants) ? list.grants : [];
+    const live = grants.filter((g) => g.status === 'active' || g.status === 'paused');
+    if (live.length === 0) {
+      ui.ok('Lockdown complete — no active grants to revoke.');
+      return;
+    }
+    const results = await Promise.allSettled(
+      live.map((g) =>
+        request('DELETE', `/api/v1/grants/${encodeURIComponent(g.id)}`, { auth: true }),
+      ),
+    );
+    const ok = results.filter((r) => r.status === 'fulfilled').length;
+    const fail = results.length - ok;
+    if (fail > 0) {
+      ui.warn(`Revoked ${ok}/${live.length} grants — ${fail} failed.`);
+      for (const r of results) {
+        if (r.status === 'rejected') {
+          ui.fail(`  - ${r.reason && r.reason.message ? r.reason.message : String(r.reason)}`);
+        }
+      }
+    }
+    ui.ok(`Lockdown complete — revoked ${ui.c.bold(ok)} grant(s).`);
+    if (ok > 0) {
+      ui.hint('  All connected watchers will re-lock within ~1 second.');
+    }
+    return;
+  }
+
+  ui.ok(`Lockdown complete — revoked ${ui.c.bold(bulkRevoked)} grant(s).`);
+  if (bulkRevoked > 0) {
     ui.hint('  All connected watchers will re-lock within ~1 second.');
   }
 }

package/src/seal.js

@@ -49,6 +49,18 @@ function applyStubs(projectRoot, stubs) {
     } else {
       throw new Error(`stub for ${relPath} must be string or { contents, mode? }`);
     }
+    // sealcode@1.3.3 — if the target file already exists and was set to
+    // 0444 (by RO-mode unlock), writeFileSync will EACCES. This is exactly
+    // the failure that left RO-violation re-locks half-complete: the
+    // watcher detected the tamper, started the re-lock, hit EACCES on the
+    // first stub, then exited — leaving every plaintext file exposed on
+    // disk with NO watcher running. Force the file writable before we
+    // overwrite it.
+    try {
+      if (fs.existsSync(target)) {
+        fs.chmodSync(target, 0o644);
+      }
+    } catch (_) { /* best-effort; the writeFile below will surface any real error */ }
     writeFileEnsuringDir(target, contents, mode);
     written[relPath] = true;
   }