sealcode 1.3.5 → 1.4.0

package/src/cli-service.js

@@ -34,6 +34,10 @@ const path = require('path');
 const { execFileSync } = require('child_process');
 
 const SERVICE_NAME = 'dev.sealcode.watcher';
+// sealcode@1.3.6 — Windows Task Scheduler name. No dots allowed in path
+// components, so we use a hyphen-cased name. Stored at the user level
+// (no Administrator prompt required).
+const WIN_TASK_NAME = 'SealCodeWatcherSupervisor';
 const ui = require('./ui');
 
 function launchdPath() {
@@ -129,6 +133,77 @@ WantedBy=timers.target
   }
 }
 
+/**
+ * sealcode@1.3.6 — Windows scheduled task. Runs at user logon AND every
+ * 1 minute thereafter. We use `schtasks` (built-in, no admin required
+ * for user-level tasks) instead of an actual Windows Service (which
+ * requires Administrator and a service wrapper).
+ *
+ * /SC ONLOGON      → fires when the user logs in (so the watcher
+ *                    supervisor is running before they start work)
+ * /RI 1            → repeat interval of 1 minute (combined with /DU)
+ * /DU 9999:59      → for ~10000 hours = effectively forever
+ * /F               → force overwrite if a task already exists (idempotent)
+ *
+ * Two separate tasks are needed: ONLOGON does NOT support /RI on its
+ * own, so we create:
+ *   - "SealCodeWatcherSupervisor-Logon"  (one-shot at logon)
+ *   - "SealCodeWatcherSupervisor-Minute" (every minute)
+ *
+ * The supervise command itself is idempotent so dual-invocation is safe.
+ */
+function writeWindowsTasks() {
+  const node = nodeBin();
+  const cli = cliEntry();
+  const logDir = path.join(os.homedir(), '.sealcode', 'logs');
+  mkdirP(logDir);
+
+  // Wrap in a tiny .cmd shim so schtasks doesn't have to deal with
+  // node + cli paths containing spaces (Windows path quoting via
+  // schtasks /TR is famously fragile). The shim writes output to a
+  // log file so we have evidence the supervisor ran.
+  const shimPath = path.join(os.homedir(), '.sealcode', 'supervise.cmd');
+  const shim = `@echo off\r\n`
+    + `"${node}" "${cli}" supervise >> "${path.join(logDir, 'supervise.out.log')}" 2>> "${path.join(logDir, 'supervise.err.log')}"\r\n`;
+  mkdirP(path.dirname(shimPath));
+  fs.writeFileSync(shimPath, shim, { mode: 0o644 });
+
+  // Task 1 — run once at every user logon.
+  try {
+    execFileSync('schtasks', [
+      '/Create', '/F',
+      '/TN', `${WIN_TASK_NAME}-Logon`,
+      '/TR', shimPath,
+      '/SC', 'ONLOGON',
+      '/RL', 'LIMITED',
+    ], { stdio: 'inherit' });
+  } catch (err) {
+    ui.warn(`schtasks (logon) failed: ${err.message || err}`);
+  }
+
+  // Task 2 — repeat every 1 minute forever.
+  // schtasks doesn't have an "every minute" trigger directly — we use
+  // /SC MINUTE /MO 1 which runs every minute.
+  try {
+    execFileSync('schtasks', [
+      '/Create', '/F',
+      '/TN', `${WIN_TASK_NAME}-Minute`,
+      '/TR', shimPath,
+      '/SC', 'MINUTE',
+      '/MO', '1',
+      '/RL', 'LIMITED',
+    ], { stdio: 'inherit' });
+  } catch (err) {
+    ui.warn(`schtasks (minute) failed: ${err.message || err}`);
+  }
+}
+
+function removeWindowsTasks() {
+  try { execFileSync('schtasks', ['/Delete', '/F', '/TN', `${WIN_TASK_NAME}-Logon`], { stdio: 'ignore' }); } catch (_) { /* ok */ }
+  try { execFileSync('schtasks', ['/Delete', '/F', '/TN', `${WIN_TASK_NAME}-Minute`], { stdio: 'ignore' }); } catch (_) { /* ok */ }
+  try { fs.unlinkSync(path.join(os.homedir(), '.sealcode', 'supervise.cmd')); } catch (_) { /* ok */ }
+}
+
 function runInstallService() {
   if (process.platform === 'darwin') {
     writePlist();
@@ -141,11 +216,14 @@ function runInstallService() {
     ui.ok(`Installed systemd user units: sealcode-watcher.{service,timer}`);
     return;
   }
-  ui.warn(
-    `'sealcode install-service' is not yet supported on ${process.platform}. `
-      + `Strict-mode grants will still re-lock on watcher death within the same session, `
-      + `but won't survive reboots. Tracked at https://sealcode.dev/docs/team#service-windows`,
-  );
+  if (process.platform === 'win32') {
+    writeWindowsTasks();
+    ui.ok(`Installed Windows scheduled tasks: ${WIN_TASK_NAME}-{Logon,Minute}`);
+    ui.hint('  They run as your user, with no Administrator prompt, every minute.');
+    ui.hint(`  Logs: ${path.join(os.homedir(), '.sealcode', 'logs', 'supervise.out.log')}`);
+    return;
+  }
+  ui.warn(`'sealcode install-service' is not supported on ${process.platform}.`);
   process.exitCode = 1;
 }
 
@@ -163,60 +241,95 @@ function runUninstallService() {
     ui.ok('Removed systemd user units.');
     return;
   }
+  if (process.platform === 'win32') {
+    removeWindowsTasks();
+    ui.ok('Removed Windows scheduled tasks.');
+    return;
+  }
   ui.hint('Nothing to uninstall on this platform.');
 }
 
 /**
- * Called by the supervisor every minute (launchd / systemd timer).
- * Walks ~/.sealcode/sessions/*.watch.json, finds any whose pid is dead,
- * and re-spawns a watcher for that code. Cheap, idempotent, silent.
+ * Called by the supervisor every minute (launchd / systemd timer /
+ * Windows schtasks). Two responsibilities:
+ *
+ *   1. Stale-watch-state sweep — pre-1.3.6 behavior. Walk
+ *      ~/.sealcode/sessions/*.watch.json, find any whose pid is dead,
+ *      and remove the stale watch state file. This makes cli-guard
+ *      lock the next time the user runs sealcode in that project.
+ *
+ *   2. Registry-based orphan lock (sealcode@1.3.6+). The session-file
+ *      sweep above is good but only catches projects whose watch.json
+ *      file is still present on disk. If the user killed the watcher
+ *      AND wiped the session dir (the Saad scenario), there's nothing
+ *      in ~/.sealcode/sessions/ to walk — but the project is still
+ *      unlocked. The known-projects registry at ~/.sealcode/projects.json
+ *      lets us catch this: anything marked `unlocked` with no live
+ *      watcher gets a detached panic-lock dispatched.
+ *
+ * Cheap, idempotent, silent. Runs as the logged-in user.
  */
 function runSupervise() {
+  // -----------------------------------------------------------------
+  // Step 1 — old session-file sweep
+  // -----------------------------------------------------------------
   const dir = path.join(os.homedir(), '.sealcode', 'sessions');
   let files;
   try {
     files = fs.readdirSync(dir).filter((f) => f.endsWith('.watch.json'));
   } catch (_) {
-    return;
+    files = [];
   }
-  const { spawn } = require('child_process');
-  let respawned = 0;
+  let cleared = 0;
   for (const f of files) {
     let state;
     try {
       state = JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8'));
-    } catch (_) {
-      continue;
-    }
-    if (!state || !state.code || !state.pid) continue;
+    } catch (_) { continue; }
+    if (!state || !state.pid) continue;
     let alive = false;
     try { process.kill(state.pid, 0); alive = true; } catch (_) { alive = false; }
     if (alive) continue;
-    // We don't know the project root from the watch state file alone,
-    // but the file name encodes the sha256(projectAbs).slice(0,16) which
-    // we can't reverse. We need to look the projectRoot up — but the
-    // session file at sessions/<id> was created with cwd at the project
-    // root, and the watcher embeds projectAbs in its log dir filename.
-    //
-    // Simpler approach: we don't try to respawn projects whose root we
-    // can't find. Instead the watcher restart on the OTHER side happens
-    // when the user next runs ANY sealcode command in that project,
-    // because cli-guard sees the dead watcher and locks the project.
-    // The supervisor only matters for "watcher died but project still
-    // unlocked and contractor walked away" — for which we lock by
-    // forcing a heartbeat-failure path:
-    //
-    //   We don't have the project root, so we can't re-spawn watch.
-    //   But we CAN remove the stale watch.json so cli-guard fires next
-    //   time the user runs anything. That's enough.
-    try { fs.unlinkSync(path.join(dir, f)); respawned += 1; } catch (_) { /* ignore */ }
+    try { fs.unlinkSync(path.join(dir, f)); cleared += 1; } catch (_) { /* ignore */ }
   }
-  // Best-effort log line so the user can see the supervisor is running.
-  if (respawned > 0) {
+
+  // -----------------------------------------------------------------
+  // Step 2 — registry-based orphan lock (1.3.6+)
+  // -----------------------------------------------------------------
+  let orphansHandled = 0;
+  try {
+    const registry = require('./cli-registry');
+    const orphans = registry.findOrphanedUnlocks({ maxStaleMin: 5 });
+    if (orphans.length > 0) {
+      const { spawn } = require('child_process');
+      const node = process.execPath;
+      const cli = cliEntry();
+      for (const o of orphans) {
+        try {
+          const child = spawn(
+            node,
+            [cli, 'panic', '--project', o.projectRoot, '--from-selfcheck'],
+            {
+              detached: true,
+              stdio: 'ignore',
+              windowsHide: true,
+              cwd: o.projectRoot,
+            },
+          );
+          child.unref();
+          orphansHandled += 1;
+        } catch (_) { /* best-effort */ }
+      }
+    }
+  } catch (_) { /* registry module may not load on partial installs */ }
+
+  if (cleared > 0 || orphansHandled > 0) {
     try {
+      const logDir = path.join(os.homedir(), '.sealcode', 'logs');
+      fs.mkdirSync(logDir, { recursive: true });
       fs.appendFileSync(
-        path.join(os.homedir(), '.sealcode', 'logs', 'supervise.out.log'),
-        `${new Date().toISOString()} cleared ${respawned} stale watch state files\n`,
+        path.join(logDir, 'supervise.out.log'),
+        `${new Date().toISOString()} cleared=${cleared} orphan_locks=${orphansHandled}\n`,
       );
     } catch (_) { /* ignore */ }
   }

package/src/cli-watch.js

@@ -612,20 +612,72 @@ async function runWatch({
     });
   }
 
-  // Signal handling. In strict mode, ANY exit path (SIGINT, SIGTERM)
-  // must re-lock the project before we die — otherwise the contractor
-  // could just Ctrl-C the watcher to keep plaintext.
+  // Signal handling. We hit this path for clean exits (Ctrl-C, terminal
+  // close, OS shutdown, `pm2 stop`). The signals we DON'T hit on are
+  // SIGKILL / kill -9 / Stop-Process -Force — by design that's the
+  // signal the server-side dead-watcher sweeper is built to detect.
+  //
+  // Behavior:
+  //   - strict + lenient both re-lock on clean exit (sealcode@1.3.6 —
+  //     previously only strict locked; lenient left plaintext for
+  //     "convenience" but that was a foot-gun. A clean shutdown is a
+  //     signal that the recipient is walking away, and the right
+  //     default is to leave their disk safe.)
+  //   - both POST /api/v1/access/exit so the server records a
+  //     `gracefullyExitedAt` timestamp and the sweeper skips them. The
+  //     POST is best-effort; if the network is down (laptop closing
+  //     mid-VPN drop), we still tear down locally and the sweeper will
+  //     eventually email — fail-safe in the alerting direction.
   let stopped = false;
   const cleanup = async (reason) => {
     if (stopped) return;
     stopped = true;
     if (exfilCtrl) exfilCtrl.stop();
     deleteWatchState(projectRoot);
-    if (strict) {
-      appendLog(projectRoot, { type: 'strict_exit_lock', reason });
-      await finalLock(projectRoot, config, trimmedCode, `strict:${reason}`, json, daemon).catch(() => {});
-    } else {
-      if (!json && !daemon) ui.say('\n' + ui.c.dim('stopped watching (lenient mode — files left as-is)'));
+
+    appendLog(projectRoot, { type: 'graceful_exit_lock', reason, strict });
+
+    // Best-effort: re-lock the recipient's plaintext before we die.
+    // Errors are swallowed — we'd rather exit and let the sweeper alert
+    // than block the OS shutdown waiting on a runLock that hung on a
+    // disk write.
+    let relocked = false;
+    try {
+      const K = loadSession(projectRoot);
+      if (K) {
+        const sm = loadSessionMeta(projectRoot);
+        const preserveUnseen = !!sm && sm.meta && sm.meta.source === 'grant';
+        await runLock({ projectRoot, config, K, preserveUnseen }).catch(() => {});
+        try { K.fill(0); } catch (_) { /* ignore */ }
+        relocked = true;
+      }
+    } catch (_) { /* best-effort */ }
+    try { clearSession(projectRoot); } catch (_) { /* ignore */ }
+    try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+
+    // Best-effort: tell the server we exited cleanly so the sweeper
+    // doesn't dead-watcher-alert. Hard-bounded timeout: if the server
+    // is slow/unreachable we'd rather die quickly than block shutdown.
+    try {
+      const timeoutMs = 1500;
+      const exitPromise = request('POST', `/api/v1/access/exit`, {
+        body: {
+          code: trimmedCode,
+          reason: reason === 'sigint' || reason === 'sigterm' || reason === 'sighup' ? reason : 'manual',
+          watcherPid: process.pid,
+          watcherVersion: pkg.version,
+          relockedFiles: relocked,
+        },
+      });
+      await Promise.race([
+        exitPromise,
+        new Promise((resolve) => setTimeout(resolve, timeoutMs)),
+      ]).catch(() => {});
+    } catch (_) { /* best-effort */ }
+
+    if (!json && !daemon) {
+      if (relocked) ui.say('\n' + ui.c.dim('stopped watching — files re-locked'));
+      else ui.say('\n' + ui.c.dim('stopped watching'));
     }
     process.exit(0);
   };
@@ -959,17 +1011,18 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
     process.exit(2);
   }
 
-  // sealcode@1.1.0 — for grant-derived sessions that had a path scope
-  // (or any future "subset-only" policy), preserve out-of-scope blobs
-  // so the contractor's re-lock doesn't wipe the project for everyone.
+  // sealcode@1.3.6 — ALWAYS preserve unseen blobs for grant-derived
+  // sessions, not just path-scoped ones. The recipient-side re-lock
+  // (revoke / pause / device-mismatch / expiry) is supposed to wipe
+  // THEIR plaintext copy; it must not wipe the encrypted blobs that
+  // were sealed by the OWNER. Without preserveUnseen, any race that
+  // makes collectFiles return fewer paths than the manifest expected
+  // permanently destroys those blobs (the "revoked → 1 file restored"
+  // bug). Owner-side passphrase re-locks still use preserveUnseen=false
+  // since the owner has all plaintext on hand by definition.
   const _sessionMeta = loadSessionMeta(projectRoot);
   const _preserveUnseen =
-    !!_sessionMeta &&
-    _sessionMeta.meta &&
-    _sessionMeta.meta.source === 'grant' &&
-    _sessionMeta.meta.policy &&
-    Array.isArray(_sessionMeta.meta.policy.allowedPaths) &&
-    _sessionMeta.meta.policy.allowedPaths.length > 0;
+    !!_sessionMeta && _sessionMeta.meta && _sessionMeta.meta.source === 'grant';
 
   let res;
   try {
@@ -981,6 +1034,7 @@ async function finalLock(projectRoot, config, code, reason, json, daemon) {
   }
   clearSession(projectRoot);
   deleteWatchState(projectRoot);
+  try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
   if (daemon) {
     appendLog(projectRoot, { type: 'locked', count: res.count, reason: label });
   } else if (json) {
@@ -1101,4 +1155,6 @@ module.exports = {
   readWatcherStatus,
   watchStateFile,
   watchLogFile,
+  // Exported for tests. Not part of the public surface.
+  _internal: { heartbeatOnce },
 };