sealcode 1.3.5 → 1.4.0

package/README.md

@@ -71,6 +71,15 @@ The big one: **sealcode hides that your code exists at all**. Other tools encryp
 
 ```
 sealcode init            # one-time setup; interactive wizard
+                         #   --preset auto             universal coverage via git ls-files
+                         #                             (default since 1.4.0)
+                         #   --allow-monorepo          override the multi-microservice
+                         #                             guard (one vault for the whole tree;
+                         #                             billed as one project)
+sealcode scan            # dry-run: show what would be locked, with coverage
+                         #          report, suspicious-exclusion hints, and a
+                         #          monorepo / multi-microservice notice if any
+                         #          sibling service directories are present
 sealcode lock            # encrypt source → vendor/ blobs (removes plaintext)
 sealcode unlock          # decrypt blobs → restore source (removes stubs)
 sealcode verify          # confirm every blob decrypts & matches its hash
@@ -84,6 +93,7 @@ sealcode install-hook    # git pre-commit: block commits when unlocked + drift
 sealcode uninstall-hook  # remove hook block
 sealcode panic           # immediate re-lock + session wipe
 sealcode logout          # clear cached session, force passphrase next time
+sealcode remove          # permanently uninstall sealcode from this project (requires passphrase; emails project owner if linked)
 sealcode presets         # list supported ecosystems
 sealcode share <opts>    # mint a temporary access code (--email <addr> wraps the key for them)
                          #   1.1 controls (all optional):
@@ -106,6 +116,44 @@ sealcode where           # debug: print paths and state (no secrets)
 
 Aliases: `sc`, `sealcode seal` = `lock`, `sealcode open` = `unlock`.
 
+### Unlinking vs. removing
+
+There are three different "undo" actions, and it's worth being precise about which one you want:
+
+| Command | What it does | Touches the server? | Reversible? |
+|---|---|---|---|
+| `sealcode link --remove` | Forgets the dashboard association on THIS checkout. The vault stays. The server still has the project. | No. | Yes — just `sealcode link <id>` again. |
+| Delete project (dashboard) | Releases the paid slot and the server-side repo binding. The local vault is untouched. | Yes (owner only). | No (the slot is gone). |
+| `sealcode remove` | Permanently uninstalls sealcode from this local repo. Decrypts files back to plaintext, deletes `vendor/`, the config, and the cached session. | Yes if linked: emails the owner and audit-logs `project.remove` BEFORE local destruction. | No. |
+
+`sealcode remove` requires the project passphrase (even if a session is unlocked) and a typed `yes-remove` confirmation. When the project is linked, it refuses to run if it can't reach sealcode.dev — that way no one can bypass the owner email by cutting the network. Use `--offline` to override explicitly.
+
+Other useful flags:
+
+```bash
+sealcode remove --confirm yes-remove   # skip the interactive prompt (for scripts)
+sealcode remove --burn                 # discard ciphertext WITHOUT decrypting first (data loss)
+sealcode remove --offline              # don't notify the owner (we still try first)
+```
+
+### One vault per project
+
+sealcode is **licensed and operated per project**, and the CLI **plus the server** enforce that.
+
+**Locally, at `sealcode init`** — if your repo is a monorepo with multiple microservices (a root `pnpm-workspace.yaml`, a `services/`-style layout with several `package.json` files, etc.), `sealcode init` refuses at the root and tells you which subdirectories to initialize separately. Each service then gets its own keys, its own grants, its own audit trail, and — going forward — its own billing line item.
+
+If you genuinely want one vault for the whole tree (small solo repo, intentional experiment monorepo) pass `--allow-monorepo` to override. Run `sealcode scan` first to see what was detected.
+
+**Server-side, at `sealcode link`** — each project record on sealcode.dev is pinned 1:1 to a single local repository. The first `sealcode link <id>` records an opaque fingerprint of the repo's vault salt on the server; any later link attempt from a different local repo is rejected with HTTP 409 and `SEALCODE_PROJECT_REPO_MISMATCH`. Teammates cloning the same repo pass the check because they share the same salt.
+
+If you really do need to migrate a paid project to a new repo, the project owner can re-pin with:
+
+```bash
+sealcode link --force <projectId>
+```
+
+The force flag is owner-only and gets audit-logged as `project.link.force`.
+
 ### Editor support
 
 A VS Code companion lives in `tools/vaultline-vscode/` — it shows the current lock state in the status bar when the CLI is on your `PATH`. (Rename in flight; the extension itself works against either `sealcode` or `vaultline` on `PATH`.)
@@ -212,6 +260,26 @@ Not formally. The crypto is standard primitives (AES-256-GCM, scrypt) used in th
 **I had `vaultline` installed before — do I lose my vault?**
 No. The on-disk format is unchanged. `sealcode` reads any existing `.vaultlinerc.json`, your old `~/.vaultline/sessions/` cache, and `VAULTLINE_PASSPHRASE` env var. On the next `sealcode lock` the project will start writing the new config name (`.sealcoderc.json`), but the encrypted blobs themselves never need to be re-encrypted.
 
+## Contributing & tests
+
+The CLI ships with a small fast test suite that runs in a tmpdir — no Postgres, no network. From `tools/sealcode-cli/`:
+
+```bash
+npm test
+```
+
+The seven targeted regression tests live under `test/` and cover:
+
+- envelope wrap/unwrap round-trip (the team-share crypto core)
+- auto-preset coverage on a synthetic Next.js repo (the 1.4 motivating bug)
+- `preserveUnseen` semantics across scoped re-locks (1.3.6 safety guard)
+- read-only mode re-lock after EACCES (1.3.3 stub-write fix)
+- watcher heartbeat classification of 5xx / network blips as transient
+- `unlock-check` blocking unlock on `revoked` / `expired` server responses
+- stale-pubkey warning when sharing to a recipient whose published key is >30 days old
+
+Filter to a single test with `FILTER=auto-preset npm test`.
+
 ## License
 
 MIT. See [LICENSE](./LICENSE).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",
@@ -40,8 +40,9 @@
     "LICENSE"
   ],
   "scripts": {
-    "test": "node test/roundtrip.js",
-    "selftest": "node test/roundtrip.js"
+    "test": "node test/run.js",
+    "selftest": "node test/run.js",
+    "preuninstall": "node ./bin/sealcode.js preuninstall-check || true"
   },
   "engines": {
     "node": ">=18"

package/src/cli-grants.js

@@ -66,6 +66,15 @@ function getActiveConfig(projectRoot) {
  * the project master key K to it. Returns `{ wrappedKey, wrappedKeyRecipient }`
  * suitable for splatting into the create-grant request body.
  *
+ * sealcode@1.4.0 — the server now returns a `devices` array (one entry
+ * per machine the recipient has ever run `sealcode login` on). We wrap
+ * K once per device and ship the result as `wrappedKeyEnvelopes`, an
+ * object keyed by cliTokenId. The recipient's CLI on any of their
+ * devices then picks the envelope matching its bearer token and unwraps
+ * locally. Pre-1.4 servers omit `devices` and return only the top-level
+ * legacy `publicKey`; we still produce the legacy single envelope so
+ * those servers keep working.
+ *
  * Returns `null` if the recipient hasn't published a pubkey yet OR the
  * server doesn't support the endpoint (pre-1.0 deploy). The caller falls
  * back to the legacy "share-the-passphrase-out-of-band" flow.
@@ -110,7 +119,7 @@ async function maybeWrapKeyForRecipient({
     return null;
   }
 
-  // Fetch their pubkey.
+  // Fetch their pubkey(s).
   let pub;
   try {
     pub = await request(
@@ -140,10 +149,72 @@ async function maybeWrapKeyForRecipient({
     }
     throw err;
   }
-  if (!pub || !pub.publicKey || pub.algo !== keypair.ALGO) {
-    return null;
+  if (!pub) return null;
+
+  // sealcode@1.4.0 — if the server returned a per-device array, wrap K
+  // once per device. The recipient can then redeem on any machine and
+  // the server will pick the envelope matching that machine's bearer
+  // token. Fall back to the singleton legacy pubkey if no array.
+  const devices = Array.isArray(pub.devices) && pub.devices.length > 0
+    ? pub.devices.filter((d) => d && d.publicKey && d.algo === keypair.ALGO)
+    : null;
+
+  if (devices && devices.length > 0) {
+    // sealcode@1.4.0 — warn loudly if any of the recipient's devices
+    // has a pubkey older than the stale threshold. Stale pubkeys are
+    // common when a user nuked their `~/.sealcode/keypair.json` but
+    // never re-ran `sealcode login` (regenerates the keypair but only
+    // publishes if they reach the login path). Older wraps would still
+    // succeed but the recipient would fail to unwrap with a confusing
+    // AES-GCM auth error. A pre-share warning gives the owner a chance
+    // to ask the recipient to re-login first.
+    const STALE_MS = 30 * 24 * 60 * 60 * 1000;
+    const now = Date.now();
+    const stale = devices.filter((d) => {
+      if (!d.publishedAt) return false;
+      const t = Date.parse(d.publishedAt);
+      return Number.isFinite(t) && now - t > STALE_MS;
+    });
+    if (stale.length > 0 && verbose) {
+      ui.warn(
+        `${stale.length} of ${recipientEmail}'s device pubkeys are older than 30 days. `
+          + 'If redeem fails with "could not unwrap delivered key", ask them to run `sealcode login` again on that device.',
+      );
+    }
+
+    const envelopes = {};
+    for (const d of devices) {
+      try {
+        envelopes[d.cliTokenId] = shareCrypto.wrapForRecipient(K, d.publicKey);
+      } catch (err) {
+        if (verbose) {
+          ui.warn(
+            `Could not wrap K for device ${d.label || d.hostname || d.cliTokenId}: ${err.message || err}`,
+          );
+        }
+      }
+    }
+    if (Object.keys(envelopes).length === 0) return null;
+    // Also produce a legacy single-envelope wrap to the most-recent
+    // device so a server that hasn't deployed 1.4 yet still gets a
+    // usable `wrappedKey` field.
+    const legacy = shareCrypto.wrapForRecipient(K, devices[0].publicKey);
+    if (verbose && devices.length > 1) {
+      ui.hint(
+        `  wrapping K for ${devices.length} of ${recipientEmail}'s devices — they can redeem on any.`,
+      );
+    }
+    return {
+      wrappedKey: legacy,
+      wrappedKeyRecipient: recipientEmail,
+      wrappedKeyEnvelopes: envelopes,
+    };
   }
 
+  // Pre-1.4 server path (no `devices` array, only the top-level fields).
+  if (!pub.publicKey || pub.algo !== keypair.ALGO) {
+    return null;
+  }
   const wrapped = shareCrypto.wrapForRecipient(K, pub.publicKey);
   return { wrappedKey: wrapped, wrappedKeyRecipient: recipientEmail };
 }
@@ -466,16 +537,28 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
   // on first redeem (and warns on mismatch on subsequent redeems).
   const client = { ...clientInfo(), deviceFingerprint: getDeviceFingerprint() };
 
+  // sealcode@1.4.0 — pass the bearer token if the recipient is logged
+  // in on this device, so the server can pick the envelope wrapped for
+  // THIS device's pubkey from `wrappedKeyEnvelopes`. `auth: true` is a
+  // no-op if no credentials are saved locally (legacy "redeem without
+  // login" path).
+  let res;
+  let useAuth = false;
+  try {
+    const { readCreds } = require('./api');
+    useAuth = !!(readCreds() && readCreds().token);
+  } catch (_) { /* ignore */ }
+
   // First call without the NDA flag — server tells us whether one is
   // required by including `nda_required: true` and `ndaText` in the
   // 409-NDA response (or in the success payload's policy block). We
   // use a separate pre-flight to a metadata endpoint to avoid the
   // "race the server pins the device fingerprint before user has
   // even agreed" problem.
-  let res;
   try {
     res = await request('POST', '/api/v1/access/redeem', {
       body: { code: trimmed, client, ndaAccepted: !!agreeNda },
+      auth: useAuth,
     });
   } catch (err) {
     if (err instanceof ApiError && err.status === 409 && err.apiCode === 'nda_required') {
@@ -494,6 +577,7 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
       }
       res = await request('POST', '/api/v1/access/redeem', {
         body: { code: trimmed, client, ndaAccepted: true },
+        auth: useAuth,
       });
     } else {
       throw err;
@@ -507,6 +591,15 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
   // This is the magic "no passphrase exchange needed" path.
   let cachedK = false;
   let unwrapNote = null;
+  // sealcode@1.4.0 — server says "we had envelopes but none for your
+  // device". Print the actionable message instead of trying (and
+  // failing) to unwrap.
+  if (g.wrappedKeyEnvelopeMissing) {
+    unwrapNote = ui.c.yellow(
+      '(this access code was wrapped for the recipient\'s OTHER devices. '
+        + 'Run `sealcode login` here, then ask the owner to re-mint the share.)',
+    );
+  }
   if (g.wrappedKey) {
     const kp = keypair.read();
     if (!kp) {
@@ -628,6 +721,7 @@ async function runRedeem({ projectRoot, code, json = false, agreeNda = false })
       sp.succeed(
         `unlocked ${ui.c.bold(ures.count)} files${sk} ${ui.c.dim(`(locked at ${ures.sealedAt})`)}`,
       );
+      try { require('./cli-registry').markUnlocked(projectRoot); } catch (_) { /* ignore */ }
       if (ures.policy.mode === 'ro') {
         ui.hint('  Read-only grant: files are 0444. Any modification will trigger an immediate re-lock.');
       }
@@ -780,4 +874,6 @@ module.exports = {
   runPause,
   runResume,
   checkUnlockAllowed,
+  // Exported for tests. Not part of the public surface and may move.
+  _internal: { maybeWrapKeyForRecipient },
 };

package/src/cli-link.js

@@ -4,19 +4,74 @@
  * `sealcode link <projectId>` / `sealcode unlink`.
  *
  * Associates the current project on disk with a dashboard project record so
- * `sealcode share` knows which project to mint a grant against. We hit
- * GET /api/v1/projects/:id to validate the link before persisting — that way
- * a typo / wrong-account mistake fails before it touches the config.
+ * `sealcode share` knows which project to mint a grant against.
+ *
+ * sealcode@1.4.0: link is now a two-step server handshake so a single
+ * paid project slot can't be quietly multiplexed across N microservices.
+ *
+ *   1. GET  /api/v1/projects/:id       — validate the project exists
+ *      and the user has access. Also returns any previously-pinned
+ *      local-repo fingerprint so we can give a helpful early error.
+ *   2. POST /api/v1/projects/:id/link  — claim the project FOR THIS
+ *      LOCAL REPO. The server compares our `localFingerprint`
+ *      (an opaque hash of this repo's vault salt) against the one
+ *      pinned on the project row:
+ *        - first time → pin it
+ *        - same repo  → 200 OK (idempotent, e.g. fresh clone)
+ *        - different  → 409 conflict (we surface a clear error;
+ *                       owner can re-run with `--force` to re-pin)
+ *
+ * We persist the link to .sealcoderc.json ONLY after the server
+ * accepts it, so a rejected link leaves no stale state behind.
  */
 
+const fs = require('fs');
+const path = require('path');
 const { ApiError, getApiUrl, request } = require('./api');
 const { getLink, setLink, clearLink } = require('./link-state');
+const { localProjectFingerprint } = require('./keystore');
+const { SealcodeError } = require('./errors');
+
+function readLockedDirFromConfig(projectRoot) {
+  // We can't import getActiveConfig from here without a circular
+  // dependency through cli.js, so we re-read .sealcoderc.json
+  // directly. Falls back to the historical default if absent so a
+  // legacy un-initialized repo still produces a clear "init first"
+  // error from localProjectFingerprint (which returns null when no
+  // salt is on disk).
+  try {
+    const candidates = ['.sealcoderc.json', '.sealcode.json'];
+    for (const name of candidates) {
+      const p = path.join(projectRoot, name);
+      if (fs.existsSync(p)) {
+        const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
+        if (cfg && typeof cfg.lockedDir === 'string') return cfg.lockedDir;
+      }
+    }
+  } catch (_) { /* fallthrough */ }
+  return 'vendor';
+}
 
-async function runLink({ projectRoot, projectId }) {
+async function runLink({ projectRoot, projectId, force = false }) {
   if (!projectId || typeof projectId !== 'string') {
     throw new Error('Usage: sealcode link <projectId>');
   }
 
+  // We need a pinned, deterministic fingerprint of this local repo
+  // before we can ask the server to bind a project to it. The only
+  // stable per-repo secret we have is the vault salt, which is
+  // generated by `sealcode init`. Refuse with a clear hint otherwise.
+  const lockedDir = readLockedDirFromConfig(projectRoot);
+  const localFingerprint = localProjectFingerprint(projectRoot, lockedDir);
+  if (!localFingerprint) {
+    throw new SealcodeError('SEALCODE_NO_MANIFEST', {
+      detail:
+        `No sealcode vault found in ${projectRoot}. ` +
+        `Run \`sealcode init\` first so this repo has a stable identity ` +
+        `the server can pin the project to.`,
+    });
+  }
+
   let res;
   try {
     res = await request('GET', `/api/v1/projects/${encodeURIComponent(projectId)}`, {
@@ -37,17 +92,85 @@ async function runLink({ projectRoot, projectId }) {
   }
 
   const project = res.project;
+
+  // Early, friendly check before we even hit the link endpoint: if
+  // the project is already pinned to a DIFFERENT repo and we're not
+  // forcing, we can give the user a faster, cleaner error.
+  if (
+    !force &&
+    typeof project.localFingerprint === 'string' &&
+    project.localFingerprint &&
+    project.localFingerprint !== localFingerprint
+  ) {
+    throw new SealcodeError('SEALCODE_PROJECT_REPO_MISMATCH', {
+      detail:
+        `Project “${project.name}” (${project.id}) is already linked to a ` +
+        `different local repository on the server.\n` +
+        `   stored fingerprint:  ${project.localFingerprint}\n` +
+        `   this repo:           ${localFingerprint}\n` +
+        `Each sealcode project is 1:1 with a single repo so per-project ` +
+        `billing and audit trails stay accurate.`,
+    });
+  }
+
+  // Hand the server our local fingerprint and let it adjudicate.
+  // Server-side enforcement is the source of truth — the early
+  // check above is just a UX nicety.
+  let claim;
+  try {
+    claim = await request(
+      'POST',
+      `/api/v1/projects/${encodeURIComponent(projectId)}/link`,
+      {
+        auth: true,
+        body: { localFingerprint, force: !!force },
+      },
+    );
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 409) {
+      // Server says this project is already bound to another repo.
+      throw new SealcodeError('SEALCODE_PROJECT_REPO_MISMATCH', {
+        detail: err.message,
+      });
+    }
+    if (err instanceof ApiError && err.status === 403) {
+      throw new SealcodeError('SEALCODE_FORBIDDEN', {
+        detail: err.message,
+      });
+    }
+    if (err instanceof ApiError && err.status === 404) {
+      throw new Error(
+        `No project ${projectId} on this account. Check the project ID in your dashboard.`,
+      );
+    }
+    throw err;
+  }
+
   setLink(projectRoot, {
     apiUrl: getApiUrl(),
     projectId: project.id,
     projectName: project.name,
     fingerprint: project.fingerprint,
+    localFingerprint,
     linkedAt: new Date().toISOString(),
   });
 
-  process.stdout.write(
-    `✓ Linked ${projectRoot} to project “${project.name}” (${project.id}).\n`,
-  );
+  if (claim.outcome === 'match') {
+    process.stdout.write(
+      `✓ Re-linked ${projectRoot} to “${project.name}” (${project.id}). ` +
+        `Server already had this repo on file.\n`,
+    );
+  } else if (claim.outcome === 'pinned' && force) {
+    process.stdout.write(
+      `✓ Force-linked ${projectRoot} to “${project.name}” (${project.id}). ` +
+        `Previous repo binding overwritten — audit logged.\n`,
+    );
+  } else {
+    process.stdout.write(
+      `✓ Linked ${projectRoot} to “${project.name}” (${project.id}). ` +
+        `Bound 1:1 to this repository.\n`,
+    );
+  }
 }
 
 function runUnlink({ projectRoot }) {
@@ -57,8 +180,23 @@ function runUnlink({ projectRoot }) {
     return;
   }
   clearLink(projectRoot);
+  // Be explicit about what unlink does NOT do, so a user doesn't
+  // think they've released their billing slot or "deleted" the
+  // project. We deliberately don't release the server-side
+  // local_fingerprint pin from here — if we did, anyone with a copy
+  // of the repo could free the owner's project slot. The legitimate
+  // release path is "Delete project" on the dashboard.
   process.stdout.write(
-    `✓ Unlinked ${projectRoot} from project ${existing.projectId}.\n`,
+    [
+      `✓ Unlinked ${projectRoot} from project ${existing.projectId}.`,
+      `  This only forgets the dashboard association on THIS checkout.`,
+      `  The vault on disk is unchanged.`,
+      `  The server still has this project linked to this repo's fingerprint.`,
+      ``,
+      `  To free the paid slot, delete the project on https://sealcode.dev/dashboard.`,
+      `  To remove sealcode from the project entirely, run \`sealcode remove\`.`,
+      ``,
+    ].join('\n'),
   );
 }
 
@@ -83,6 +221,7 @@ function runLinkInfo({ projectRoot, json = false }) {
       `project name:  ${link.projectName || '(unknown)'}`,
       `api url:       ${link.apiUrl}`,
       `linked at:     ${link.linkedAt || '(unknown)'}`,
+      `repo fp:       ${link.localFingerprint || '(legacy/none)'}`,
     ].join('\n') + '\n',
   );
 }