sealcode 1.3.5 → 1.4.0

package/src/cli-registry.js

@@ -0,0 +1,256 @@
+'use strict';
+
+/**
+ * sealcode@1.3.6 — Known-projects registry + self-check.
+ *
+ * Problem this solves
+ * -------------------
+ * Today the watcher is the only thing that re-locks a recipient's
+ * working copy on revoke/pause/expiry. If the watcher dies and the
+ * recipient never runs another `sealcode` command in that project,
+ * the plaintext sits there indefinitely.
+ *
+ * We can't stop a determined user from `kill -9`-ing the watcher and
+ * never running sealcode again on that project — that's a fundamental
+ * limit of any client-side enforcement. But we can close the much
+ * more common path: the recipient uses sealcode in OTHER projects (or
+ * for other commands) on the same machine. Every one of those
+ * invocations is an opportunity to notice "hey, project X is sitting
+ * unlocked with no watcher" and re-lock it.
+ *
+ * The registry
+ * ------------
+ * One JSON file at ~/.sealcode/projects.json. Maintained by the CLI
+ * on every unlock (add) and every lock (mark locked). Format:
+ *
+ *   {
+ *     "/Users/alice/work/proj-a": {
+ *       "addedAt": "2026-05-21T12:00:00.000Z",
+ *       "lastSeenAt": "2026-05-21T12:34:56.000Z",
+ *       "lastState": "unlocked" | "locked"
+ *     },
+ *     ...
+ *   }
+ *
+ * Self-check (called from cli.js on EVERY invocation, including
+ * commands like `sealcode --help` and `sealcode whoami`):
+ *   - Walk the registry.
+ *   - For each entry whose lastState is "unlocked":
+ *     - If the project no longer exists on disk, drop it.
+ *     - If the watcher state file is missing or stale AND a session
+ *       is cached, attempt a panic-lock in the background.
+ *     - Print a single-line warning so the user sees it.
+ *
+ * The self-check is purely best-effort and never throws. It runs
+ * synchronously (cheap — just file stat-ing) and any async lock
+ * happens out-of-band so the user's command isn't delayed.
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const REGISTRY_DIR = path.join(os.homedir(), '.sealcode');
+const REGISTRY_FILE = path.join(REGISTRY_DIR, 'projects.json');
+
+function ensureDir() {
+  try { fs.mkdirSync(REGISTRY_DIR, { recursive: true, mode: 0o700 }); } catch (_) { /* ignore */ }
+}
+
+function readRegistry() {
+  try {
+    const raw = fs.readFileSync(REGISTRY_FILE, 'utf8');
+    const obj = JSON.parse(raw);
+    if (obj && typeof obj === 'object') return obj;
+  } catch (_) { /* missing or corrupt — start fresh */ }
+  return {};
+}
+
+function writeRegistry(obj) {
+  ensureDir();
+  // Atomic-ish write: write to .tmp, rename. Avoids torn writes if
+  // two CLI invocations race.
+  const tmp = REGISTRY_FILE + '.' + process.pid + '.tmp';
+  try {
+    fs.writeFileSync(tmp, JSON.stringify(obj, null, 2), { mode: 0o600 });
+    fs.renameSync(tmp, REGISTRY_FILE);
+  } catch (_) {
+    try { fs.unlinkSync(tmp); } catch (_) { /* ignore */ }
+  }
+}
+
+/**
+ * Mark a project as currently unlocked. Called from runUnlock.
+ */
+function markUnlocked(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  const now = new Date().toISOString();
+  reg[abs] = {
+    addedAt: reg[abs]?.addedAt || now,
+    lastSeenAt: now,
+    lastState: 'unlocked',
+  };
+  writeRegistry(reg);
+}
+
+/**
+ * Mark a project as currently locked. Called from runLock + finalLock
+ * + softLock paths.
+ */
+function markLocked(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  const now = new Date().toISOString();
+  reg[abs] = {
+    addedAt: reg[abs]?.addedAt || now,
+    lastSeenAt: now,
+    lastState: 'locked',
+  };
+  writeRegistry(reg);
+}
+
+/**
+ * Remove a project from the registry (e.g. when it's deleted or the
+ * user explicitly unlinks).
+ */
+function forget(projectRoot) {
+  if (!projectRoot) return;
+  const reg = readRegistry();
+  const abs = path.resolve(projectRoot);
+  if (reg[abs]) {
+    delete reg[abs];
+    writeRegistry(reg);
+  }
+}
+
+/**
+ * Return a list of currently-known projects.
+ */
+function list() {
+  const reg = readRegistry();
+  return Object.entries(reg).map(([projectRoot, meta]) => ({
+    projectRoot,
+    ...meta,
+  }));
+}
+
+/**
+ * Return projects whose lastState is "unlocked" but:
+ *   - the directory still exists, AND
+ *   - either no watcher state file exists OR the watcher's pid is
+ *     not alive OR the watch state hasn't been touched in > maxStaleMin.
+ *
+ * Synchronous, cheap. Used by selfCheck and by the supervisor.
+ */
+function findOrphanedUnlocks({ maxStaleMin = 5 } = {}) {
+  const out = [];
+  const reg = readRegistry();
+  const cutoff = Date.now() - maxStaleMin * 60_000;
+
+  for (const [projectRoot, meta] of Object.entries(reg)) {
+    if (!meta || meta.lastState !== 'unlocked') continue;
+    try {
+      if (!fs.existsSync(projectRoot)) continue;
+    } catch (_) { continue; }
+
+    // Look up the watch state. We can't import cli-watch here (circular),
+    // so we replicate the path math.
+    const id = projectIdHash(projectRoot);
+    const watchFile = path.join(os.homedir(), '.sealcode', 'sessions', `${id}.watch.json`);
+    let watcherAlive = false;
+    try {
+      const st = JSON.parse(fs.readFileSync(watchFile, 'utf8'));
+      const mtimeMs = fs.statSync(watchFile).mtimeMs;
+      const pid = st && st.pid;
+      if (pid && mtimeMs > cutoff) {
+        try { process.kill(pid, 0); watcherAlive = true; } catch (_) { watcherAlive = false; }
+      }
+    } catch (_) { watcherAlive = false; }
+
+    if (!watcherAlive) {
+      out.push({ projectRoot, lastSeenAt: meta.lastSeenAt });
+    }
+  }
+  return out;
+}
+
+/**
+ * Identical hash that keystore.projectId uses. Inlined here to avoid
+ * a circular dep between cli-registry and keystore (keystore is loaded
+ * very early on every CLI invocation).
+ */
+function projectIdHash(projectRoot) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(path.resolve(projectRoot)).digest('hex').slice(0, 16);
+}
+
+/**
+ * Synchronous self-check called at the top of every CLI invocation
+ * (from cli.js). NEVER throws. Returns the number of orphaned
+ * unlocked projects detected. Prints a one-line warning per project
+ * unless `quiet` is true.
+ *
+ * The actual re-lock is deferred to a background detached process so
+ * the user's command isn't blocked. We invoke `sealcode panic` in a
+ * detached child for each orphan.
+ *
+ * `quiet` is set for short-running commands (where, version, help)
+ * and for the panic command itself to avoid recursion.
+ */
+function selfCheck({ quiet = false, skipBackgroundLock = false } = {}) {
+  let orphans;
+  try {
+    orphans = findOrphanedUnlocks();
+  } catch (_) { return 0; }
+
+  if (orphans.length === 0) return 0;
+
+  if (!quiet) {
+    try {
+      const ui = require('./ui');
+      for (const o of orphans) {
+        ui.warn(
+          `\u26a0 ${o.projectRoot} appears unlocked but its watcher is not running. `
+          + `Auto-locking in the background.`,
+        );
+      }
+    } catch (_) { /* ui module may not be loadable in some edge cases */ }
+  }
+
+  if (skipBackgroundLock) return orphans.length;
+
+  // Detached background panic-lock per orphan. We CANNOT just call
+  // runLock here — we don't have the session key. The `panic` command
+  // (and its lock pathway) is what knows how to find the cached
+  // session and re-encrypt. If there's no session cached, the panic
+  // command is a no-op + the registry gets corrected to "locked".
+  const { spawn } = require('child_process');
+  const node = process.execPath;
+  const cli = path.resolve(__dirname, '..', 'bin', 'sealcode.js');
+  for (const o of orphans) {
+    try {
+      const child = spawn(node, [cli, 'panic', '--project', o.projectRoot, '--from-selfcheck'], {
+        detached: true,
+        stdio: 'ignore',
+        windowsHide: true,
+        cwd: o.projectRoot,
+      });
+      child.unref();
+    } catch (_) { /* best-effort */ }
+  }
+
+  return orphans.length;
+}
+
+module.exports = {
+  markUnlocked,
+  markLocked,
+  forget,
+  list,
+  findOrphanedUnlocks,
+  selfCheck,
+  REGISTRY_FILE,
+};

package/src/cli-remove.js

@@ -0,0 +1,281 @@
+'use strict';
+
+/**
+ * `sealcode remove` — permanently remove sealcode from a project.
+ *
+ * This is the destructive sibling of `sealcode link --remove`. Where
+ * `link --remove` only forgets the dashboard association, `remove`
+ * tears the whole vault out:
+ *
+ *   1. Re-verify the passphrase. We do this even if a session is
+ *      cached, because removal is irreversible and "the laptop was
+ *      already unlocked" is a real attack. `--session-ok` overrides
+ *      for power users.
+ *   2. Require a typed confirmation (`yes-remove`). No accidental
+ *      `sealcode rem<TAB>` deletions.
+ *   3. If the project is linked to a sealcode.dev account, hit the
+ *      server's remove-notice endpoint FIRST so the legitimate owner
+ *      gets an email and an audit-log row before any local data is
+ *      touched. If we can't reach the server we refuse by default;
+ *      `--offline` is the explicit override.
+ *   4. Decrypt every locked blob into plaintext (so the user keeps
+ *      their source). `--burn` skips this step and removes the
+ *      ciphertext without ever materializing plaintext.
+ *   5. Delete the locked dir, the sealcode config file (link block
+ *      included), and the session cache for this project root.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const ui = require('./ui');
+const { hidden, question } = require('./prompt');
+const { ApiError, request, clientInfo } = require('./api');
+const { SealcodeError } = require('./errors');
+const { isInitialized, unwrap, clearSession } = require('./keystore');
+const { runUnlock } = require('./open');
+const { readManifest } = require('./manifest');
+const { getLink, clearLink } = require('./link-state');
+const { CONFIG_FILE, LEGACY_CONFIG_FILE } = require('./config');
+
+function readActiveConfig(projectRoot) {
+  // Mirror getActiveConfig from cli.js without the dependency cycle.
+  for (const name of [CONFIG_FILE, LEGACY_CONFIG_FILE]) {
+    const p = path.join(projectRoot, name);
+    if (fs.existsSync(p)) {
+      try {
+        const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
+        if (cfg && typeof cfg.lockedDir === 'string') return { ...cfg, _file: name };
+      } catch (_) { /* fallthrough */ }
+    }
+  }
+  return null;
+}
+
+function passphraseFromEnv() {
+  return process.env.SEALCODE_PASSPHRASE || process.env.VAULTLINE_PASSPHRASE || '';
+}
+
+async function verifyPassphrase(projectRoot, lockedDir) {
+  // Prefer the env var so CI / scripted teardown isn't blocked on a
+  // TTY. Otherwise prompt — `remove` is interactive by default.
+  const pp = passphraseFromEnv() || (await hidden('Passphrase (to confirm ownership):'));
+  if (!pp) throw new SealcodeError('SEALCODE_NO_KEY');
+  try {
+    return await unwrap(projectRoot, lockedDir, { passphrase: pp });
+  } catch (err) {
+    if (err && err.message === 'SEALCODE_WRONG_KEY') {
+      throw new SealcodeError('SEALCODE_WRONG_KEY');
+    }
+    throw err;
+  }
+}
+
+/**
+ * Send the remove-notice to the server. Returns one of:
+ *   { status: 'sent'   }   — server accepted, owner email queued.
+ *   { status: 'offline'}   — could not reach the server (network error).
+ *   { status: 'rejected', code, message } — server returned 4xx/5xx.
+ *
+ * We never throw from here so the caller can centralize policy.
+ */
+async function tryNotifyServer({ projectId, localFingerprint, burn }) {
+  try {
+    await request('POST', `/api/v1/projects/${encodeURIComponent(projectId)}/remove-notice`, {
+      auth: true,
+      body: {
+        localFingerprint,
+        burn: !!burn,
+        // Best-effort device context for the owner's email. Nothing
+        // here is used for an access decision; we just want the
+        // notification to be useful ("My laptop did this — fine" vs
+        // "what's that hostname?").
+        device: clientInfo(),
+        occurredAt: new Date().toISOString(),
+      },
+      // Keep the timeout short — a slow / dead server should not let
+      // a hostile actor stall the alert until they're ready.
+      timeoutMs: 10000,
+    });
+    return { status: 'sent' };
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 0) {
+      return { status: 'offline', message: err.message };
+    }
+    if (err instanceof ApiError) {
+      return { status: 'rejected', code: err.apiCode, message: err.message };
+    }
+    return { status: 'offline', message: err && err.message ? err.message : String(err) };
+  }
+}
+
+/**
+ * Removes the locked dir, the config file, and any cached session for
+ * this project root. Idempotent — safe to re-run after a partial
+ * failure to clean up leftover bits. Returns a list of removed paths
+ * for the human-readable summary.
+ */
+function destroyVaultArtifacts(projectRoot, lockedDir) {
+  const removed = [];
+  const tryRemove = (rel) => {
+    const abs = path.join(projectRoot, rel);
+    try {
+      const st = fs.lstatSync(abs);
+      if (st.isDirectory()) {
+        fs.rmSync(abs, { recursive: true, force: true });
+      } else {
+        fs.unlinkSync(abs);
+      }
+      removed.push(rel);
+    } catch (_) { /* nothing there or already gone */ }
+  };
+  tryRemove(lockedDir);
+  tryRemove(CONFIG_FILE);
+  tryRemove(LEGACY_CONFIG_FILE);
+  try {
+    clearSession(projectRoot);
+    removed.push('~/.sealcode/sessions/<this-project>');
+  } catch (_) { /* ignore */ }
+  return removed;
+}
+
+async function runRemove({
+  projectRoot,
+  confirm = null,
+  burn = false,
+  offline = false,
+  sessionOk = false,
+  keepLink = false,
+}) {
+  const config = readActiveConfig(projectRoot);
+  if (!config || !isInitialized(projectRoot, config.lockedDir)) {
+    throw new SealcodeError('SEALCODE_NO_MANIFEST', {
+      detail: `Nothing to remove: ${projectRoot} doesn't have a sealcode vault.`,
+    });
+  }
+
+  // ---- 1. Re-verify passphrase (or accept --session-ok) ----
+  let K;
+  if (sessionOk) {
+    const { loadSession } = require('./keystore');
+    K = loadSession(projectRoot);
+    if (!K) {
+      // --session-ok was promised but no session exists. Fall back to
+      // a passphrase prompt rather than silently degrading: a missing
+      // session is exactly the case where we WANT extra verification.
+      K = await verifyPassphrase(projectRoot, config.lockedDir);
+    }
+  } else {
+    K = await verifyPassphrase(projectRoot, config.lockedDir);
+  }
+
+  // ---- 2. Typed confirmation ----
+  const link = getLink(projectRoot);
+  if (!confirm) {
+    process.stdout.write(
+      [
+        '',
+        ui.c.bold('You are about to permanently remove sealcode from:'),
+        `  ${projectRoot}`,
+        '',
+        link
+          ? `This project is linked to ${ui.c.cyan(link.projectName || link.projectId)} (${link.projectId}).`
+          : 'This project is not linked to any sealcode.dev account.',
+        link
+          ? ui.c.yellow('  → The project owner will be notified by email.')
+          : ui.c.dim('  → No notification will be sent.'),
+        '',
+        burn
+          ? ui.c.red("--burn: plaintext will NOT be recovered. Your source will be gone.")
+          : 'Your source files will be decrypted back to plaintext before removal.',
+        '',
+      ].join('\n'),
+    );
+    const typed = await question('Type yes-remove to confirm');
+    if (typed !== 'yes-remove') {
+      ui.warn('aborted; nothing changed.');
+      return { aborted: true };
+    }
+  } else if (confirm !== 'yes-remove') {
+    throw new Error(
+      "Refusing to remove: pass --confirm yes-remove (exactly) to acknowledge this is irreversible.",
+    );
+  }
+
+  // ---- 3. Notify the server (if linked) ----
+  let notifyOutcome = null;
+  if (link) {
+    if (offline) {
+      // Owner explicitly chose to skip the alert. We still want this
+      // to show up somewhere visible, so log to stderr.
+      ui.warn(
+        `--offline: skipping the server notification. The owner of "${link.projectName || link.projectId}" will NOT be emailed.`,
+      );
+      notifyOutcome = { status: 'skipped' };
+    } else {
+      notifyOutcome = await tryNotifyServer({
+        projectId: link.projectId,
+        localFingerprint: link.localFingerprint || null,
+        burn,
+      });
+      if (notifyOutcome.status === 'offline') {
+        throw new SealcodeError('SEALCODE_REMOVE_OFFLINE', {
+          detail:
+            `Could not reach sealcode.dev to notify the project owner that this vault is being removed. ` +
+            `\`sealcode remove\` is refused so a hostile actor can't bypass the alert by cutting the network. ` +
+            `Re-run with \`--offline\` if you are genuinely offline and accept this.`,
+        });
+      }
+      if (notifyOutcome.status === 'rejected') {
+        throw new SealcodeError('SEALCODE_REMOVE_REJECTED', {
+          detail:
+            `The server rejected the remove notice (${notifyOutcome.code}: ${notifyOutcome.message}). ` +
+            `This usually means your bearer token is invalid or the project was already deleted from the dashboard. ` +
+            `Run \`sealcode whoami\` and \`sealcode link --info\` to triage.`,
+        });
+      }
+    }
+  }
+
+  // ---- 4. Decrypt to plaintext (unless --burn) ----
+  let decryptedFiles = 0;
+  if (!burn) {
+    // Force a full unlock so every blob lands as a plaintext file
+    // before we wipe lockedDir. We ignore allowedPaths / watermark
+    // policy — `remove` is a full restore, not a scoped session.
+    const manifest = readManifest(projectRoot, config.lockedDir, K);
+    decryptedFiles = manifest.files.length;
+    await runUnlock({
+      projectRoot,
+      config,
+      K,
+      removeStubs: true,
+      log: () => {},
+    });
+  }
+
+  // ---- 5. Destroy local artifacts ----
+  if (link && !keepLink) {
+    clearLink(projectRoot);
+  }
+  const removed = destroyVaultArtifacts(projectRoot, config.lockedDir);
+
+  // ---- Summary ----
+  const lines = ['', ui.c.green('✓ sealcode removed from this project.'), ''];
+  if (!burn) lines.push(`  Restored ${decryptedFiles} files to plaintext.`);
+  if (burn) lines.push(`  ${ui.c.red('--burn:')} ciphertext discarded without decrypting.`);
+  lines.push(`  Removed: ${removed.join(', ')}`);
+  if (link && notifyOutcome && notifyOutcome.status === 'sent') {
+    lines.push(`  Notified the owner of "${link.projectName || link.projectId}" by email.`);
+  }
+  lines.push('');
+  process.stdout.write(lines.join('\n'));
+  return {
+    aborted: false,
+    decryptedFiles,
+    removed,
+    notified: notifyOutcome && notifyOutcome.status === 'sent',
+  };
+}
+
+module.exports = { runRemove, _internal: { destroyVaultArtifacts, tryNotifyServer } };