sealcode 1.3.4 → 1.3.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.3.4",
+  "version": "1.3.6",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",
@@ -41,7 +41,8 @@
   ],
   "scripts": {
     "test": "node test/roundtrip.js",
-    "selftest": "node test/roundtrip.js"
+    "selftest": "node test/roundtrip.js",
+    "preuninstall": "node ./bin/sealcode.js preuninstall-check || true"
   },
   "engines": {
     "node": ">=18"

package/src/cli-grants.js

@@ -628,6 +628,7 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
       sp.succeed(
         `unlocked ${ui.c.bold(ures.count)} files${sk} ${ui.c.dim(`(locked at ${ures.sealedAt})`)}`,
       );
+      try { require('./cli-registry').markUnlocked(projectRoot); } catch (_) { /* ignore */ }
       if (ures.policy.mode === 'ro') {
         ui.hint('  Read-only grant: files are 0444. Any modification will trigger an immediate re-lock.');
       }
@@ -735,7 +736,10 @@ async function runLockdown({ projectRoot, confirm = true } = {}) {
       { auth: true },
     );
     const grants = Array.isArray(list.grants) ? list.grants : [];
-    const live = grants.filter((g) => g.status === 'active' || g.status === 'paused');
+    // The serialized payload uses `state` (not `status`) — values are
+    // computed by describeGrant() and include "active", "paused",
+    // "expired", "revoked", "pending".
+    const live = grants.filter((g) => g.state === 'active' || g.state === 'paused');
     if (live.length === 0) {
       ui.ok('Lockdown complete — no active grants to revoke.');
       return;

package/src/cli-registry.js

@@ -0,0 +1,256 @@
+'use strict';
+
+/**
+ * sealcode@1.3.6 — Known-projects registry + self-check.
+ *
+ * Problem this solves
+ * -------------------
+ * Today the watcher is the only thing that re-locks a recipient's
+ * working copy on revoke/pause/expiry. If the watcher dies and the
+ * recipient never runs another `sealcode` command in that project,
+ * the plaintext sits there indefinitely.
+ *
+ * We can't stop a determined user from `kill -9`-ing the watcher and
+ * never running sealcode again on that project — that's a fundamental
+ * limit of any client-side enforcement. But we can close the much
+ * more common path: the recipient uses sealcode in OTHER projects (or
+ * for other commands) on the same machine. Every one of those
+ * invocations is an opportunity to notice "hey, project X is sitting
+ * unlocked with no watcher" and re-lock it.
+ *
+ * The registry
+ * ------------
+ * One JSON file at ~/.sealcode/projects.json. Maintained by the CLI
+ * on every unlock (add) and every lock (mark locked). Format:
+ *
+ *   {
+ *     "/Users/alice/work/proj-a": {
+ *       "addedAt": "2026-05-21T12:00:00.000Z",
+ *       "lastSeenAt": "2026-05-21T12:34:56.000Z",
+ *       "lastState": "unlocked" | "locked"
+ *     },
+ *     ...
+ *   }
+ *
+ * Self-check (called from cli.js on EVERY invocation, including
+ * commands like `sealcode --help` and `sealcode whoami`):
+ *   - Walk the registry.
+ *   - For each entry whose lastState is "unlocked":
+ *     - If the project no longer exists on disk, drop it.
+ *     - If the watcher state file is missing or stale AND a session
+ *       is cached, attempt a panic-lock in the background.
+ *     - Print a single-line warning so the user sees it.
+ *
+ * The self-check is purely best-effort and never throws. It runs
+ * synchronously (cheap — just file stat-ing) and any async lock
+ * happens out-of-band so the user's command isn't delayed.
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const REGISTRY_DIR = path.join(os.homedir(), '.sealcode');
+const REGISTRY_FILE = path.join(REGISTRY_DIR, 'projects.json');
+
+function ensureDir() {
+  try { fs.mkdirSync(REGISTRY_DIR, { recursive: true, mode: 0o700 }); } catch (_) { /* ignore */ }
+}
+
+function readRegistry() {
+  try {
+    const raw = fs.readFileSync(REGISTRY_FILE, 'utf8');
+    const obj = JSON.parse(raw);
+    if (obj && typeof obj === 'object') return obj;
+  } catch (_) { /* missing or corrupt — start fresh */ }
+  return {};
+}
+
+function writeRegistry(obj) {
+  ensureDir();
+  // Atomic-ish write: write to .tmp, rename. Avoids torn writes if
+  // two CLI invocations race.
+  const tmp = REGISTRY_FILE + '.' + process.pid + '.tmp';
+  try {
+    fs.writeFileSync(tmp, JSON.stringify(obj, null, 2), { mode: 0o600 });
+    fs.renameSync(tmp, REGISTRY_FILE);
+  } catch (_) {
+    try { fs.unlinkSync(tmp); } catch (_) { /* ignore */ }
+  }
+}
+
+/**
+ * Mark a project as currently unlocked. Called from runUnlock.
+ */
+function markUnlocked(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  const now = new Date().toISOString();
+  reg[abs] = {
+    addedAt: reg[abs]?.addedAt || now,
+    lastSeenAt: now,
+    lastState: 'unlocked',
+  };
+  writeRegistry(reg);
+}
+
+/**
+ * Mark a project as currently locked. Called from runLock + finalLock
+ * + softLock paths.
+ */
+function markLocked(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  const now = new Date().toISOString();
+  reg[abs] = {
+    addedAt: reg[abs]?.addedAt || now,
+    lastSeenAt: now,
+    lastState: 'locked',
+  };
+  writeRegistry(reg);
+}
+
+/**
+ * Remove a project from the registry (e.g. when it's deleted or the
+ * user explicitly unlinks).
+ */
+function forget(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  if (reg[abs]) {
+    delete reg[abs];
+    writeRegistry(reg);
+  }
+}
+
+/**
+ * Return a list of currently-known projects.
+ */
+function list() {
+  const reg = readRegistry();
+  return Object.entries(reg).map(([projectRoot, meta]) => ({
+    projectRoot,
+    ...meta,
+  }));
+}
+
+/**
+ * Return projects whose lastState is "unlocked" but:
+ *   - the directory still exists, AND
+ *   - either no watcher state file exists OR the watcher's pid is
+ *     not alive OR the watch state hasn't been touched in > maxStaleMin.
+ *
+ * Synchronous, cheap. Used by selfCheck and by the supervisor.
+ */
+function findOrphanedUnlocks({ maxStaleMin = 5 } = {}) {
+  const out = [];
+  const reg = readRegistry();
+  const cutoff = Date.now() - maxStaleMin * 60_000;
+
+  for (const [projectRoot, meta] of Object.entries(reg)) {
+    if (!meta || meta.lastState !== 'unlocked') continue;
+    try {
+      if (!fs.existsSync(projectRoot)) continue;
+    } catch (_) { continue; }
+
+    // Look up the watch state. We can't import cli-watch here (circular),
+    // so we replicate the path math.
+    const id = projectIdHash(projectRoot);
+    const watchFile = path.join(os.homedir(), '.sealcode', 'sessions', `${id}.watch.json`);
+    let watcherAlive = false;
+    try {
+      const st = JSON.parse(fs.readFileSync(watchFile, 'utf8'));
+      const mtimeMs = fs.statSync(watchFile).mtimeMs;
+      const pid = st && st.pid;
+      if (pid && mtimeMs > cutoff) {
+        try { process.kill(pid, 0); watcherAlive = true; } catch (_) { watcherAlive = false; }
+      }
+    } catch (_) { watcherAlive = false; }
+
+    if (!watcherAlive) {
+      out.push({ projectRoot, lastSeenAt: meta.lastSeenAt });
+    }
+  }
+  return out;
+}
+
+/**
+ * Identical hash that keystore.projectId uses. Inlined here to avoid
+ * a circular dep between cli-registry and keystore (keystore is loaded
+ * very early on every CLI invocation).
+ */
+function projectIdHash(projectRoot) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(path.resolve(projectRoot)).digest('hex').slice(0, 16);
+}
+
+/**
+ * Synchronous self-check called at the top of every CLI invocation
+ * (from cli.js). NEVER throws. Returns the number of orphaned
+ * unlocked projects detected. Prints a one-line warning per project
+ * unless `quiet` is true.
+ *
+ * The actual re-lock is deferred to a background detached process so
+ * the user's command isn't blocked. We invoke `sealcode panic` in a
+ * detached child for each orphan.
+ *
+ * `quiet` is set for short-running commands (where, version, help)
+ * and for the panic command itself to avoid recursion.
+ */
+function selfCheck({ quiet = false, skipBackgroundLock = false } = {}) {
+  let orphans;
+  try {
+    orphans = findOrphanedUnlocks();
+  } catch (_) { return 0; }
+
+  if (orphans.length === 0) return 0;
+
+  if (!quiet) {
+    try {
+      const ui = require('./ui');
+      for (const o of orphans) {
+        ui.warn(
+          `\u26a0 ${o.projectRoot} appears unlocked but its watcher is not running. `
+          + `Auto-locking in the background.`,
+        );
+      }
+    } catch (_) { /* ui module may not be loadable in some edge cases */ }
+  }
+
+  if (skipBackgroundLock) return orphans.length;
+
+  // Detached background panic-lock per orphan. We CANNOT just call
+  // runLock here — we don't have the session key. The `panic` command
+  // (and its lock pathway) is what knows how to find the cached
+  // session and re-encrypt. If there's no session cached, the panic
+  // command is a no-op + the registry gets corrected to "locked".
+  const { spawn } = require('child_process');
+  const node = process.execPath;
+  const cli = path.resolve(__dirname, '..', 'bin', 'sealcode.js');
+  for (const o of orphans) {
+    try {
+      const child = spawn(node, [cli, 'panic', '--project', o.projectRoot, '--from-selfcheck'], {
+        detached: true,
+        stdio: 'ignore',
+        windowsHide: true,
+        cwd: o.projectRoot,
+      });
+      child.unref();
+    } catch (_) { /* best-effort */ }
+  }
+
+  return orphans.length;
+}
+
+module.exports = {
+  markUnlocked,
+  markLocked,
+  forget,
+  list,
+  findOrphanedUnlocks,
+  selfCheck,
+  REGISTRY_FILE,
+};

package/src/cli-service.js

@@ -34,6 +34,10 @@ const path = require('path');
 const { execFileSync } = require('child_process');
 
 const SERVICE_NAME = 'dev.sealcode.watcher';
+// sealcode@1.3.6 — Windows Task Scheduler name. No dots allowed in path
+// components, so we use a hyphen-cased name. Stored at the user level
+// (no Administrator prompt required).
+const WIN_TASK_NAME = 'SealCodeWatcherSupervisor';
 const ui = require('./ui');
 
 function launchdPath() {
@@ -129,6 +133,77 @@ WantedBy=timers.target
   }
 }
 
+/**
+ * sealcode@1.3.6 — Windows scheduled task. Runs at user logon AND every
+ * 1 minute thereafter. We use `schtasks` (built-in, no admin required
+ * for user-level tasks) instead of an actual Windows Service (which
+ * requires Administrator and a service wrapper).
+ *
+ * /SC ONLOGON      → fires when the user logs in (so the watcher
+ *                    supervisor is running before they start work)
+ * /RI 1            → repeat interval of 1 minute (combined with /DU)
+ * /DU 9999:59      → for ~10000 hours = effectively forever
+ * /F               → force overwrite if a task already exists (idempotent)
+ *
+ * Two separate tasks are needed: ONLOGON does NOT support /RI on its
+ * own, so we create:
+ *   - "SealCodeWatcherSupervisor-Logon"  (one-shot at logon)
+ *   - "SealCodeWatcherSupervisor-Minute" (every minute)
+ *
+ * The supervise command itself is idempotent so dual-invocation is safe.
+ */
+function writeWindowsTasks() {
+  const node = nodeBin();
+  const cli = cliEntry();
+  const logDir = path.join(os.homedir(), '.sealcode', 'logs');
+  mkdirP(logDir);
+
+  // Wrap in a tiny .cmd shim so schtasks doesn't have to deal with
+  // node + cli paths containing spaces (Windows path quoting via
+  // schtasks /TR is famously fragile). The shim writes output to a
+  // log file so we have evidence the supervisor ran.
+  const shimPath = path.join(os.homedir(), '.sealcode', 'supervise.cmd');
+  const shim = `@echo off\r\n`
+    + `"${node}" "${cli}" supervise >> "${path.join(logDir, 'supervise.out.log')}" 2>> "${path.join(logDir, 'supervise.err.log')}"\r\n`;
+  mkdirP(path.dirname(shimPath));
+  fs.writeFileSync(shimPath, shim, { mode: 0o644 });
+
+  // Task 1 — run once at every user logon.
+  try {
+    execFileSync('schtasks', [
+      '/Create', '/F',
+      '/TN', `${WIN_TASK_NAME}-Logon`,
+      '/TR', shimPath,
+      '/SC', 'ONLOGON',
+      '/RL', 'LIMITED',
+    ], { stdio: 'inherit' });
+  } catch (err) {
+    ui.warn(`schtasks (logon) failed: ${err.message || err}`);
+  }
+
+  // Task 2 — repeat every 1 minute forever.
+  // schtasks doesn't have an "every minute" trigger directly — we use
+  // /SC MINUTE /MO 1 which runs every minute.
+  try {
+    execFileSync('schtasks', [
+      '/Create', '/F',
+      '/TN', `${WIN_TASK_NAME}-Minute`,
+      '/TR', shimPath,
+      '/SC', 'MINUTE',
+      '/MO', '1',
+      '/RL', 'LIMITED',
+    ], { stdio: 'inherit' });
+  } catch (err) {
+    ui.warn(`schtasks (minute) failed: ${err.message || err}`);
+  }
+}
+
+function removeWindowsTasks() {
+  try { execFileSync('schtasks', ['/Delete', '/F', '/TN', `${WIN_TASK_NAME}-Logon`], { stdio: 'ignore' }); } catch (_) { /* ok */ }
+  try { execFileSync('schtasks', ['/Delete', '/F', '/TN', `${WIN_TASK_NAME}-Minute`], { stdio: 'ignore' }); } catch (_) { /* ok */ }
+  try { fs.unlinkSync(path.join(os.homedir(), '.sealcode', 'supervise.cmd')); } catch (_) { /* ok */ }
+}
+
 function runInstallService() {
   if (process.platform === 'darwin') {
     writePlist();
@@ -141,11 +216,14 @@ function runInstallService() {
     ui.ok(`Installed systemd user units: sealcode-watcher.{service,timer}`);
     return;
   }
-  ui.warn(
-    `'sealcode install-service' is not yet supported on ${process.platform}. `
-      + `Strict-mode grants will still re-lock on watcher death within the same session, `
-      + `but won't survive reboots. Tracked at https://sealcode.dev/docs/team#service-windows`,
-  );
+  if (process.platform === 'win32') {
+    writeWindowsTasks();
+    ui.ok(`Installed Windows scheduled tasks: ${WIN_TASK_NAME}-{Logon,Minute}`);
+    ui.hint('  They run as your user, with no Administrator prompt, every minute.');
+    ui.hint(`  Logs: ${path.join(os.homedir(), '.sealcode', 'logs', 'supervise.out.log')}`);
+    return;
+  }
+  ui.warn(`'sealcode install-service' is not supported on ${process.platform}.`);
   process.exitCode = 1;
 }
 
@@ -163,60 +241,95 @@ function runUninstallService() {
     ui.ok('Removed systemd user units.');
     return;
   }
+  if (process.platform === 'win32') {
+    removeWindowsTasks();
+    ui.ok('Removed Windows scheduled tasks.');
+    return;
+  }
   ui.hint('Nothing to uninstall on this platform.');
 }
 
 /**
- * Called by the supervisor every minute (launchd / systemd timer).
- * Walks ~/.sealcode/sessions/*.watch.json, finds any whose pid is dead,
- * and re-spawns a watcher for that code. Cheap, idempotent, silent.
+ * Called by the supervisor every minute (launchd / systemd timer /
+ * Windows schtasks). Two responsibilities:
+ *
+ *   1. Stale-watch-state sweep — pre-1.3.6 behavior. Walk
+ *      ~/.sealcode/sessions/*.watch.json, find any whose pid is dead,
+ *      and remove the stale watch state file. This makes cli-guard
+ *      lock the next time the user runs sealcode in that project.
+ *
+ *   2. Registry-based orphan lock (sealcode@1.3.6+). The session-file
+ *      sweep above is good but only catches projects whose watch.json
+ *      file is still present on disk. If the user killed the watcher
+ *      AND wiped the session dir (the Saad scenario), there's nothing
+ *      in ~/.sealcode/sessions/ to walk — but the project is still
+ *      unlocked. The known-projects registry at ~/.sealcode/projects.json
+ *      lets us catch this: anything marked `unlocked` with no live
+ *      watcher gets a detached panic-lock dispatched.
+ *
+ * Cheap, idempotent, silent. Runs as the logged-in user.
  */
 function runSupervise() {
+  // -----------------------------------------------------------------
+  // Step 1 — old session-file sweep
+  // -----------------------------------------------------------------
   const dir = path.join(os.homedir(), '.sealcode', 'sessions');
   let files;
   try {
     files = fs.readdirSync(dir).filter((f) => f.endsWith('.watch.json'));
   } catch (_) {
-    return;
+    files = [];
   }
-  const { spawn } = require('child_process');
-  let respawned = 0;
+  let cleared = 0;
   for (const f of files) {
     let state;
     try {
       state = JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8'));
-    } catch (_) {
-      continue;
-    }
-    if (!state || !state.code || !state.pid) continue;
+    } catch (_) { continue; }
+    if (!state || !state.pid) continue;
     let alive = false;
     try { process.kill(state.pid, 0); alive = true; } catch (_) { alive = false; }
     if (alive) continue;
-    // We don't know the project root from the watch state file alone,
-    // but the file name encodes the sha256(projectAbs).slice(0,16) which
-    // we can't reverse. We need to look the projectRoot up — but the
-    // session file at sessions/<id> was created with cwd at the project
-    // root, and the watcher embeds projectAbs in its log dir filename.
-    //
-    // Simpler approach: we don't try to respawn projects whose root we
-    // can't find. Instead the watcher restart on the OTHER side happens
-    // when the user next runs ANY sealcode command in that project,
-    // because cli-guard sees the dead watcher and locks the project.
-    // The supervisor only matters for "watcher died but project still
-    // unlocked and contractor walked away" — for which we lock by
-    // forcing a heartbeat-failure path:
-    //
-    //   We don't have the project root, so we can't re-spawn watch.
-    //   But we CAN remove the stale watch.json so cli-guard fires next
-    //   time the user runs anything. That's enough.
-    try { fs.unlinkSync(path.join(dir, f)); respawned += 1; } catch (_) { /* ignore */ }
+    try { fs.unlinkSync(path.join(dir, f)); cleared += 1; } catch (_) { /* ignore */ }
   }
-  // Best-effort log line so the user can see the supervisor is running.
-  if (respawned > 0) {
+
+  // -----------------------------------------------------------------
+  // Step 2 — registry-based orphan lock (1.3.6+)
+  // -----------------------------------------------------------------
+  let orphansHandled = 0;
+  try {
+    const registry = require('./cli-registry');
+    const orphans = registry.findOrphanedUnlocks({ maxStaleMin: 5 });
+    if (orphans.length > 0) {
+      const { spawn } = require('child_process');
+      const node = process.execPath;
+      const cli = cliEntry();
+      for (const o of orphans) {
+        try {
+          const child = spawn(
+            node,
+            [cli, 'panic', '--project', o.projectRoot, '--from-selfcheck'],
+            {
+              detached: true,
+              stdio: 'ignore',
+              windowsHide: true,
+              cwd: o.projectRoot,
+            },
+          );
+          child.unref();
+          orphansHandled += 1;
+        } catch (_) { /* best-effort */ }
+      }
+    }
+  } catch (_) { /* registry module may not load on partial installs */ }
+
+  if (cleared > 0 || orphansHandled > 0) {
     try {
+      const logDir = path.join(os.homedir(), '.sealcode', 'logs');
+      fs.mkdirSync(logDir, { recursive: true });
       fs.appendFileSync(
-        path.join(os.homedir(), '.sealcode', 'logs', 'supervise.out.log'),
-        `${new Date().toISOString()} cleared ${respawned} stale watch state files\n`,
+        path.join(logDir, 'supervise.out.log'),
+        `${new Date().toISOString()} cleared=${cleared} orphan_locks=${orphansHandled}\n`,
       );
     } catch (_) { /* ignore */ }
   }

package/src/cli-watch.js

@@ -612,20 +612,72 @@ async function runWatch({
     });
   }
 
-  // Signal handling. In strict mode, ANY exit path (SIGINT, SIGTERM)
-  // must re-lock the project before we die — otherwise the contractor
-  // could just Ctrl-C the watcher to keep plaintext.
+  // Signal handling. We hit this path for clean exits (Ctrl-C, terminal
+  // close, OS shutdown, `pm2 stop`). The signals we DON'T hit on are
+  // SIGKILL / kill -9 / Stop-Process -Force — by design that's the
+  // signal the server-side dead-watcher sweeper is built to detect.
+  //
+  // Behavior:
+  //   - strict + lenient both re-lock on clean exit (sealcode@1.3.6 —
+  //     previously only strict locked; lenient left plaintext for
+  //     "convenience" but that was a foot-gun. A clean shutdown is a
+  //     signal that the recipient is walking away, and the right
+  //     default is to leave their disk safe.)
+  //   - both POST /api/v1/access/exit so the server records a
+  //     `gracefullyExitedAt` timestamp and the sweeper skips them. The
+  //     POST is best-effort; if the network is down (laptop closing
+  //     mid-VPN drop), we still tear down locally and the sweeper will
+  //     eventually email — fail-safe in the alerting direction.
   let stopped = false;
   const cleanup = async (reason) => {
     if (stopped) return;
     stopped = true;
     if (exfilCtrl) exfilCtrl.stop();
     deleteWatchState(projectRoot);
-    if (strict) {
-      appendLog(projectRoot, { type: 'strict_exit_lock', reason });
-      await finalLock(projectRoot, config, trimmedCode, `strict:${reason}`, json, daemon).catch(() => {});
-    } else {
-      if (!json && !daemon) ui.say('\n' + ui.c.dim('stopped watching (lenient mode — files left as-is)'));
+
+    appendLog(projectRoot, { type: 'graceful_exit_lock', reason, strict });
+
+    // Best-effort: re-lock the recipient's plaintext before we die.
+    // Errors are swallowed — we'd rather exit and let the sweeper alert
+    // than block the OS shutdown waiting on a runLock that hung on a
+    // disk write.
+    let relocked = false;
+    try {
+      const K = loadSession(projectRoot);
+      if (K) {
+        const sm = loadSessionMeta(projectRoot);
+        const preserveUnseen = !!sm && sm.meta && sm.meta.source === 'grant';
+        await runLock({ projectRoot, config, K, preserveUnseen }).catch(() => {});
+        try { K.fill(0); } catch (_) { /* ignore */ }
+        relocked = true;
+      }
+    } catch (_) { /* best-effort */ }
+    try { clearSession(projectRoot); } catch (_) { /* ignore */ }
+    try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+
+    // Best-effort: tell the server we exited cleanly so the sweeper
+    // doesn't dead-watcher-alert. Hard-bounded timeout: if the server
+    // is slow/unreachable we'd rather die quickly than block shutdown.
+    try {
+      const timeoutMs = 1500;
+      const exitPromise = request('POST', `/api/v1/access/exit`, {
+        body: {
+          code: trimmedCode,
+          reason: reason === 'sigint' || reason === 'sigterm' || reason === 'sighup' ? reason : 'manual',
+          watcherPid: process.pid,
+          watcherVersion: pkg.version,
+          relockedFiles: relocked,
+        },
+      });
+      await Promise.race([
+        exitPromise,
+        new Promise((resolve) => setTimeout(resolve, timeoutMs)),
+      ]).catch(() => {});
+    } catch (_) { /* best-effort */ }
+
+    if (!json && !daemon) {
+      if (relocked) ui.say('\n' + ui.c.dim('stopped watching — files re-locked'));
+      else ui.say('\n' + ui.c.dim('stopped watching'));
     }
     process.exit(0);
   };
@@ -959,17 +1011,18 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
     process.exit(2);
   }
 
-  // sealcode@1.1.0 — for grant-derived sessions that had a path scope
-  // (or any future "subset-only" policy), preserve out-of-scope blobs
-  // so the contractor's re-lock doesn't wipe the project for everyone.
+  // sealcode@1.3.6 — ALWAYS preserve unseen blobs for grant-derived
+  // sessions, not just path-scoped ones. The recipient-side re-lock
+  // (revoke / pause / device-mismatch / expiry) is supposed to wipe
+  // THEIR plaintext copy; it must not wipe the encrypted blobs that
+  // were sealed by the OWNER. Without preserveUnseen, any race that
+  // makes collectFiles return fewer paths than the manifest expected
+  // permanently destroys those blobs (the "revoked → 1 file restored"
+  // bug). Owner-side passphrase re-locks still use preserveUnseen=false
+  // since the owner has all plaintext on hand by definition.
   const _sessionMeta = loadSessionMeta(projectRoot);
   const _preserveUnseen =
-    !!_sessionMeta &&
-    _sessionMeta.meta &&
-    _sessionMeta.meta.source === 'grant' &&
-    _sessionMeta.meta.policy &&
-    Array.isArray(_sessionMeta.meta.policy.allowedPaths) &&
-    _sessionMeta.meta.policy.allowedPaths.length > 0;
+    !!_sessionMeta && _sessionMeta.meta && _sessionMeta.meta.source === 'grant';
 
   let res;
   try {
@@ -981,6 +1034,7 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
   }
   clearSession(projectRoot);
   deleteWatchState(projectRoot);
+  try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
   if (daemon) {
     appendLog(projectRoot, { type: 'locked', count: res.count, reason: label });
   } else if (json) {

package/src/cli.js

@@ -269,6 +269,7 @@ function build() {
         sp.succeed(`locked ${ui.c.bold(res.count)} files into ${ui.c.cyan(config.lockedDir + '/')}`);
         const stubs = Object.keys(res.stubs);
         if (stubs.length) ui.hint(`  stubs placed: ${stubs.join(', ')}`);
+        try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
       } catch (err) {
         process.exitCode = reportError(err);
       }
@@ -380,6 +381,7 @@ function build() {
         });
         const _skipped = res.skipped > 0 ? ` ${ui.c.dim(`(${res.skipped} outside grant scope)`)}` : '';
         sp.succeed(`unlocked ${ui.c.bold(res.count)} files${_skipped} ${ui.c.dim(`(locked at ${res.sealedAt})`)}`);
+        try { require('./cli-registry').markUnlocked(projectRoot); } catch (_) { /* ignore */ }
         if (res.policy && res.policy.mode === 'ro') {
           ui.hint('  Read-only grant: files set to 0444. Any edit triggers an immediate re-lock.');
         }
@@ -519,19 +521,112 @@ function build() {
   program
     .command('panic')
     .description('Re-lock immediately and wipe plaintext (for "shut my laptop NOW" moments).')
-    .action(async () => {
+    .option('--from-selfcheck', '[internal] called by the self-check background job — never prompts, silent on no-op')
+    .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
+
+        // sealcode@1.3.6 — when invoked by the registry self-check we
+        // MUST NOT prompt for a passphrase (would hang the detached
+        // background process forever). If there's no cached session,
+        // we silently correct the registry and exit — the user can
+        // run `sealcode lock` manually if they want a real lock.
+        if (opts.fromSelfcheck) {
+          const cached = loadSession(projectRoot);
+          if (!cached) {
+            try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+            return;
+          }
+          try {
+            const sm = require('./keystore').loadSessionMeta(projectRoot);
+            const preserveUnseen = !!sm && sm.meta && sm.meta.source === 'grant';
+            await runLock({ projectRoot, config, K: cached, preserveUnseen });
+          } catch (_) { /* swallow — background job */ }
+          try { cached.fill(0); } catch (_) { /* ignore */ }
+          try { clearSession(projectRoot); } catch (_) { /* ignore */ }
+          try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+          return;
+        }
+
         const K = await resolveKey(projectRoot, config);
         const res = await runLock({ projectRoot, config, K });
         clearSession(projectRoot);
+        try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
         process.stdout.write(`✓ panic-locked ${res.count} files. Session cleared.\n`);
       } catch (err) {
         process.exitCode = reportError(err);
       }
     });
 
+  // -------- preuninstall-check (internal, called by npm preuninstall) --------
+  //
+  // sealcode@1.3.6 — when the user runs `npm uninstall -g sealcode`, npm
+  // executes this command FIRST (before deleting files). We use the small
+  // window to:
+  //   1. Walk the known-projects registry and re-lock any unlocked ones.
+  //   2. Print a clear warning so the user understands the implication.
+  //
+  // Bypassable with `npm uninstall --ignore-scripts`. We accept that —
+  // the goal is to raise the floor against accidental "I'll just remove
+  // sealcode" actions, not to defeat a determined attacker who reads
+  // our docs.
+  //
+  // ALWAYS exit 0 (via `|| true` in package.json) so npm uninstall
+  // succeeds even if our hook fails. We do NOT want to leave the user
+  // stuck with a partial uninstall.
+  program
+    .command('preuninstall-check', { hidden: true })
+    .description('[internal] npm preuninstall hook — re-locks any unlocked projects before uninstall')
+    .action(async () => {
+      try {
+        const registry = require('./cli-registry');
+        const orphans = registry.findOrphanedUnlocks({ maxStaleMin: 0 });
+        const allUnlocked = registry.list().filter((p) => p.lastState === 'unlocked');
+
+        const total = allUnlocked.length;
+        if (total === 0) {
+          // Nothing to do. Silent exit so npm uninstall stays quiet.
+          return;
+        }
+
+        process.stderr.write(
+          `\n  \x1b[33m\u26a0  sealcode preuninstall: ${total} project(s) are still unlocked.\x1b[0m\n`
+            + `\n  Re-locking before uninstall so you don't leave plaintext lying around:\n`,
+        );
+
+        // Re-lock each one. We use the same panic-from-selfcheck flow:
+        // it uses ONLY the cached session (no passphrase prompt — npm
+        // hooks have no TTY anyway) and is a no-op if the session was
+        // already cleared. We run them SYNCHRONOUSLY here (not detached)
+        // because npm will delete our files the moment we return.
+        const { spawnSync } = require('child_process');
+        for (const p of allUnlocked) {
+          process.stderr.write(`    - ${p.projectRoot} ... `);
+          const r = spawnSync(
+            process.execPath,
+            [path.resolve(__dirname, '..', 'bin', 'sealcode.js'),
+              'panic', '--project', p.projectRoot, '--from-selfcheck'],
+            { stdio: 'ignore', timeout: 30_000 },
+          );
+          process.stderr.write((r.status === 0 ? '\x1b[32mlocked\x1b[0m' : '\x1b[31mfailed\x1b[0m') + '\n');
+        }
+
+        if (orphans.length > 0) {
+          process.stderr.write(
+            `\n  \x1b[33mNote:\x1b[0m ${orphans.length} of these had no running watcher already. `
+              + `Any active access grants on those projects can no longer be revoked from the dashboard.\n`,
+          );
+        }
+
+        process.stderr.write(`\n`);
+      } catch (_) {
+        // Never fail the npm uninstall. Worst case: user uninstalls
+        // sealcode and we couldn't lock — the registry self-check on
+        // some future reinstall would still flag it.
+      }
+    });
+
   // -------- install-hook --------
   program
     .command('install-hook')
@@ -1061,6 +1156,34 @@ async function run(argv) {
   if (bare || helpish) {
     ui.maybeShowWelcome(pkg.version);
   }
+
+  // sealcode@1.3.6 — registry self-check on EVERY invocation. Scans
+  // ~/.sealcode/projects.json for projects marked unlocked whose
+  // watcher is no longer alive, and spawns a detached panic-lock for
+  // each. Closes the "recipient killed the watcher and walked away"
+  // hole for anyone who uses sealcode at all on the same machine
+  // afterwards.
+  //
+  // Quiet for short/info commands so we don't spam warnings during
+  // `sealcode --version` etc. NEVER throws — wrapped in try.
+  //
+  // We skip the self-check when the invocation IS the self-check (the
+  // detached `panic --from-selfcheck` child) to prevent infinite spawn
+  // recursion.
+  try {
+    const first = userArgs[0];
+    const isPanicFromSelfcheck =
+      first === 'panic' && userArgs.includes('--from-selfcheck');
+    const isSupervise = first === 'supervise';
+    const quiet =
+      bare || helpish || isSupervise || isPanicFromSelfcheck ||
+      first === 'version' || first === '-V' || first === '--version' ||
+      first === 'where' || first === 'whoami';
+    if (!isPanicFromSelfcheck && !isSupervise) {
+      require('./cli-registry').selfCheck({ quiet });
+    }
+  } catch (_) { /* never block the user's command */ }
+
   await program.parseAsync(argv);
 }
 

package/src/seal.js

@@ -97,16 +97,33 @@ async function runLock({
   const lockedDir = config.lockedDir;
   const lockedRoot = path.join(projectRoot, lockedDir);
 
-  // Snapshot the existing manifest BEFORE we wipe lockedRoot, so we can
-  // copy unseen-but-still-relevant blobs forward.
+  // sealcode@1.3.6 — ALWAYS read the previous manifest, not just when
+  // preserveUnseen was requested. We use it for two purposes:
+  //
+  //   1. The original preserveUnseen feature (carry path-scoped blobs
+  //      forward) — unchanged.
+  //   2. A data-loss SAFETY GUARD against the "revoke race" bug.
+  //
+  // The bug: recipient has 553 plaintext files. Owner revokes. Watcher
+  // wakes, calls runLock, but collectFiles momentarily returns just a
+  // handful of files (filesystem race on Windows, antivirus scan in
+  // progress, watcher woke mid-softLock-followed-by-finalLock, etc.).
+  // Without a guard, rmIfExists(lockedRoot) would wipe the 553 existing
+  // blobs and we'd write 3 new ones — permanent data loss for the owner
+  // who shared the project.
+  //
+  // The guard: if we had a real manifest with N entries and we're about
+  // to write < ceil(N/2) plaintext blobs (and preserveUnseen wasn't
+  // already requested), we auto-promote to preserveUnseen=true and log
+  // a warning. This means in the worst case we keep slightly-stale
+  // ciphertext (recoverable) instead of nuking the locked repo
+  // (unrecoverable for whoever doesn't have a separate copy).
   let prevManifest = null;
-  if (preserveUnseen) {
-    try {
-      prevManifest = readManifest(projectRoot, lockedDir, K);
-    } catch (_) {
-      // No manifest yet (first init) or unreadable — fall through.
-      prevManifest = null;
-    }
+  try {
+    prevManifest = readManifest(projectRoot, lockedDir, K);
+  } catch (_) {
+    // No manifest yet (first init) or unreadable — fall through.
+    prevManifest = null;
   }
 
   const files = await collectFiles(projectRoot, config);
@@ -114,6 +131,26 @@ async function runLock({
     throw new Error('SEALCODE_NOTHING_TO_LOCK');
   }
 
+  // Auto-promote preserveUnseen on suspicious shrink. Threshold: only
+  // engage when the previous manifest had at least 5 entries (avoids
+  // false positives on tiny projects) AND the new plaintext set is
+  // less than half the previous. We deliberately don't refuse the
+  // operation — that would leave the watcher in a bad state. We just
+  // make it non-destructive.
+  if (
+    !preserveUnseen
+    && prevManifest
+    && Array.isArray(prevManifest.files)
+    && prevManifest.files.length >= 5
+    && files.length < Math.ceil(prevManifest.files.length / 2)
+  ) {
+    log(
+      `  [safety] previous manifest had ${prevManifest.files.length} files but only ${files.length} `
+      + `plaintext on disk — auto-preserving unseen blobs to avoid data loss.`
+    );
+    preserveUnseen = true;
+  }
+
   // Preserve any existing keystore files when re-locking. On first init we
   // wipe and persist the bootstrap output fresh.
   const existingSalt = !bootstrapOutput && fs.existsSync(path.join(lockedRoot, SALT_NAME));