sealcode 1.3.5 → 1.4.0

package/src/cli.js

@@ -21,7 +21,8 @@ const {
   isInitialized,
   rotatePassphrase,
 } = require('./keystore');
-const { runInit } = require('./init');
+const { runInit, renderDiscoveryReport } = require('./init');
+const { scanProject, detectMicroservices } = require('./discovery');
 const { runLock } = require('./seal');
 const { runUnlock } = require('./open');
 const { runVerify } = require('./verify');
@@ -33,6 +34,7 @@ const { installHook, uninstallHook } = require('./hooks');
 const { exportBundle, importBundle } = require('./bundle');
 const { runLogin, runSignout, runWhoami } = require('./cli-auth');
 const { runLink, runUnlink, runLinkInfo } = require('./cli-link');
+const { runRemove } = require('./cli-remove');
 const {
   runShare,
   runGrants,
@@ -82,23 +84,33 @@ function passphraseFromEnv() {
 
 /**
  * Resolve the active config: prefer the file on disk; if missing, fall back to
- * the auto-detected preset's defaults. This lets the tool work in stealth
- * mode where `.sealcoderc.json` isn't checked into the repo.
+ * the auto-discovered config. This lets the tool work in stealth mode where
+ * `.sealcoderc.json` isn't checked into the repo.
+ *
+ * sealcode@1.4.0 — implicit fallback now uses the `auto` preset (full
+ * discovery) instead of `detectPreset`'s first-marker-wins guess, so a
+ * fresh checkout without the rc file still picks up every source folder.
  */
 function getActiveConfig(projectRoot) {
   const fromFile = loadConfig(projectRoot);
   if (fromFile) return fromFile;
-  const preset = detectPreset(projectRoot);
-  return {
-    version: 1,
-    preset: preset.id,
-    lockedDir: preset.lockedDir,
-    include: preset.include,
-    exclude: preset.exclude,
-    stubs: preset.stubs || {},
-    _file: null,
-    _implicit: true,
-  };
+  try {
+    const { buildAutoConfig } = require('./discovery');
+    const { cfg } = buildAutoConfig(projectRoot);
+    return { ...cfg, _file: null, _implicit: true };
+  } catch (_) {
+    const preset = detectPreset(projectRoot);
+    return {
+      version: 1,
+      preset: preset.id,
+      lockedDir: preset.lockedDir,
+      include: preset.include,
+      exclude: preset.exclude,
+      stubs: preset.stubs || {},
+      _file: null,
+      _implicit: true,
+    };
+  }
 }
 
 /**
@@ -205,6 +217,11 @@ function build() {
     .option('--preset <id>', 'force a specific ecosystem preset')
     .option('--force', 'overwrite an existing vault (DANGER)', false)
     .option('--noninteractive', 'use SEALCODE_PASSPHRASE env var; print recovery code to stdout', false)
+    .option(
+      '--allow-monorepo',
+      'override the multi-microservice guard (one vault for the whole tree)',
+      false,
+    )
     .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
@@ -214,6 +231,7 @@ function build() {
           presetId: opts.preset,
           force: opts.force,
           noninteractive: opts.noninteractive,
+          allowMonorepo: opts.allowMonorepo,
         });
         // Run the first lock right away so the project ends in the locked state.
         const boot = await bootstrap(result.passphrase, result.recoverySeed);
@@ -269,6 +287,7 @@ function build() {
         sp.succeed(`locked ${ui.c.bold(res.count)} files into ${ui.c.cyan(config.lockedDir + '/')}`);
         const stubs = Object.keys(res.stubs);
         if (stubs.length) ui.hint(`  stubs placed: ${stubs.join(', ')}`);
+        try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
       } catch (err) {
         process.exitCode = reportError(err);
       }
@@ -380,6 +399,7 @@ function build() {
         });
         const _skipped = res.skipped > 0 ? ` ${ui.c.dim(`(${res.skipped} outside grant scope)`)}` : '';
         sp.succeed(`unlocked ${ui.c.bold(res.count)} files${_skipped} ${ui.c.dim(`(locked at ${res.sealedAt})`)}`);
+        try { require('./cli-registry').markUnlocked(projectRoot); } catch (_) { /* ignore */ }
         if (res.policy && res.policy.mode === 'ro') {
           ui.hint('  Read-only grant: files set to 0444. Any edit triggers an immediate re-lock.');
         }
@@ -501,6 +521,88 @@ function build() {
       process.stdout.write('\nUse with:  sealcode init --preset <id>\n');
     });
 
+  // -------- scan --------
+  //
+  // sealcode@1.4.0 — dry-run inventory. Walks the project the same way the
+  // `auto` preset would, prints exactly what `sealcode init`/`lock` would
+  // touch, and flags suspicious omissions (git-tracked source files that
+  // exclude rules drop). No mutation.
+  program
+    .command('scan')
+    .description('Show what sealcode would lock in this project (read-only).')
+    .option('--json', 'emit machine-readable JSON instead of a human report', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        const report = scanProject(projectRoot);
+        const monorepo = detectMicroservices(projectRoot);
+        if (opts.json) {
+          process.stdout.write(
+            JSON.stringify(
+              {
+                projectRoot,
+                source: report.source,
+                lockedDir: report.lockedDir,
+                wouldLock: report.wouldLock,
+                wouldLockCount: report.wouldLock.length,
+                totalBytes: report.totalBytes,
+                byTopLevel: report.byTopLevel,
+                gitCoverage: report.gitCoverage,
+                oversize: report.oversize,
+                include: report.include,
+                exclude: report.exclude,
+                monorepo: {
+                  isMonorepo: monorepo.isMonorepo,
+                  reason: monorepo.reason || null,
+                  services: monorepo.services,
+                  workspaces: monorepo.workspaces,
+                },
+              },
+              null,
+              2
+            ) + '\n'
+          );
+          return;
+        }
+        process.stdout.write(`\nsealcode · scanning ${projectRoot}`);
+        renderDiscoveryReport(report);
+        if (monorepo.isMonorepo) {
+          process.stdout.write('\n');
+          ui.warn(`Multi-project layout detected · ${monorepo.reason}`);
+          if (monorepo.workspaces.length) {
+            ui.hint('  Workspace declarations:');
+            for (const w of monorepo.workspaces) {
+              ui.hint(`    • ${w.file} (${w.kind})`);
+            }
+          }
+          if (monorepo.services.length) {
+            ui.hint(`  Services (${monorepo.services.length}):`);
+            for (const s of monorepo.services.slice(0, 10)) {
+              ui.hint(`    • ${s.relPath}/  (${s.marker})`);
+            }
+            if (monorepo.services.length > 10) {
+              ui.hint(`    • … and ${monorepo.services.length - 10} more`);
+            }
+          }
+          ui.hint('  `sealcode init` will refuse at this root — cd into each service and init separately.');
+          ui.hint('  Override with `sealcode init --allow-monorepo` (one vault for the whole tree; billed as one project).');
+        }
+        process.stdout.write('\n');
+        const next = configExists(projectRoot)
+          ? 'sealcode lock                     (apply the current config)'
+          : monorepo.isMonorepo
+            ? 'cd <service-dir> && sealcode init   (per-service)'
+            : 'sealcode init --preset auto       (write .sealcoderc.json and lock)';
+        ui.hint(`Next: ${next}`);
+        if (report.wouldLock.length === 0) {
+          process.stdout.write('\n');
+          ui.warn('Nothing matched — the project may be empty or fully excluded.');
+        }
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
   // -------- logout --------
   program
     .command('logout')
@@ -519,19 +621,112 @@ function build() {
   program
     .command('panic')
     .description('Re-lock immediately and wipe plaintext (for "shut my laptop NOW" moments).')
-    .action(async () => {
+    .option('--from-selfcheck', '[internal] called by the self-check background job — never prompts, silent on no-op')
+    .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
+
+        // sealcode@1.3.6 — when invoked by the registry self-check we
+        // MUST NOT prompt for a passphrase (would hang the detached
+        // background process forever). If there's no cached session,
+        // we silently correct the registry and exit — the user can
+        // run `sealcode lock` manually if they want a real lock.
+        if (opts.fromSelfcheck) {
+          const cached = loadSession(projectRoot);
+          if (!cached) {
+            try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+            return;
+          }
+          try {
+            const sm = require('./keystore').loadSessionMeta(projectRoot);
+            const preserveUnseen = !!sm && sm.meta && sm.meta.source === 'grant';
+            await runLock({ projectRoot, config, K: cached, preserveUnseen });
+          } catch (_) { /* swallow — background job */ }
+          try { cached.fill(0); } catch (_) { /* ignore */ }
+          try { clearSession(projectRoot); } catch (_) { /* ignore */ }
+          try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
+          return;
+        }
+
         const K = await resolveKey(projectRoot, config);
         const res = await runLock({ projectRoot, config, K });
         clearSession(projectRoot);
+        try { require('./cli-registry').markLocked(projectRoot); } catch (_) { /* ignore */ }
         process.stdout.write(`✓ panic-locked ${res.count} files. Session cleared.\n`);
       } catch (err) {
         process.exitCode = reportError(err);
       }
     });
 
+  // -------- preuninstall-check (internal, called by npm preuninstall) --------
+  //
+  // sealcode@1.3.6 — when the user runs `npm uninstall -g sealcode`, npm
+  // executes this command FIRST (before deleting files). We use the small
+  // window to:
+  //   1. Walk the known-projects registry and re-lock any unlocked ones.
+  //   2. Print a clear warning so the user understands the implication.
+  //
+  // Bypassable with `npm uninstall --ignore-scripts`. We accept that —
+  // the goal is to raise the floor against accidental "I'll just remove
+  // sealcode" actions, not to defeat a determined attacker who reads
+  // our docs.
+  //
+  // ALWAYS exit 0 (via `|| true` in package.json) so npm uninstall
+  // succeeds even if our hook fails. We do NOT want to leave the user
+  // stuck with a partial uninstall.
+  program
+    .command('preuninstall-check', { hidden: true })
+    .description('[internal] npm preuninstall hook — re-locks any unlocked projects before uninstall')
+    .action(async () => {
+      try {
+        const registry = require('./cli-registry');
+        const orphans = registry.findOrphanedUnlocks({ maxStaleMin: 0 });
+        const allUnlocked = registry.list().filter((p) => p.lastState === 'unlocked');
+
+        const total = allUnlocked.length;
+        if (total === 0) {
+          // Nothing to do. Silent exit so npm uninstall stays quiet.
+          return;
+        }
+
+        process.stderr.write(
+          `\n  \x1b[33m\u26a0  sealcode preuninstall: ${total} project(s) are still unlocked.\x1b[0m\n`
+            + `\n  Re-locking before uninstall so you don't leave plaintext lying around:\n`,
+        );
+
+        // Re-lock each one. We use the same panic-from-selfcheck flow:
+        // it uses ONLY the cached session (no passphrase prompt — npm
+        // hooks have no TTY anyway) and is a no-op if the session was
+        // already cleared. We run them SYNCHRONOUSLY here (not detached)
+        // because npm will delete our files the moment we return.
+        const { spawnSync } = require('child_process');
+        for (const p of allUnlocked) {
+          process.stderr.write(`    - ${p.projectRoot} ... `);
+          const r = spawnSync(
+            process.execPath,
+            [path.resolve(__dirname, '..', 'bin', 'sealcode.js'),
+              'panic', '--project', p.projectRoot, '--from-selfcheck'],
+            { stdio: 'ignore', timeout: 30_000 },
+          );
+          process.stderr.write((r.status === 0 ? '\x1b[32mlocked\x1b[0m' : '\x1b[31mfailed\x1b[0m') + '\n');
+        }
+
+        if (orphans.length > 0) {
+          process.stderr.write(
+            `\n  \x1b[33mNote:\x1b[0m ${orphans.length} of these had no running watcher already. `
+              + `Any active access grants on those projects can no longer be revoked from the dashboard.\n`,
+          );
+        }
+
+        process.stderr.write(`\n`);
+      } catch (_) {
+        // Never fail the npm uninstall. Worst case: user uninstalls
+        // sealcode and we couldn't lock — the registry self-check on
+        // some future reinstall would still flag it.
+      }
+    });
+
   // -------- install-hook --------
   program
     .command('install-hook')
@@ -716,6 +911,10 @@ function build() {
     .option('--info', 'just print the current link state, don\'t change it', false)
     .option('--remove', 'remove the existing link from this repository', false)
     .option('--json', 'machine-readable output (with --info)', false)
+    // sealcode@1.4.0 — owner-only override for the 1:1 project<->repo
+    // binding. The server still audit-logs the re-pin, and refuses if
+    // the caller isn't the project owner.
+    .option('--force', 're-pin this project to the current repository (owner only)', false)
     .action(async (projectId, opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
@@ -727,7 +926,38 @@ function build() {
           runLinkInfo({ projectRoot, json: opts.json });
           return;
         }
-        await runLink({ projectRoot, projectId });
+        await runLink({ projectRoot, projectId, force: !!opts.force });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  // -------- remove (permanently uninstall sealcode from this project) --------
+  // sealcode@1.4.0 — destructive sibling of `link --remove`. See
+  // src/cli-remove.js for the full flow; the high-level guarantees are:
+  //   * passphrase is re-verified even when a session is unlocked
+  //   * the project owner is emailed BEFORE local data is touched
+  //   * we refuse to run offline unless --offline is explicit (so a
+  //     hostile actor can't bypass the alert by cutting the network)
+  program
+    .command('remove')
+    .description('Permanently remove sealcode from this project. Restores plaintext and (if linked) emails the project owner.')
+    .option('--confirm <phrase>', 'pass `yes-remove` to skip the interactive confirmation prompt')
+    .option('--burn', 'do NOT decrypt locked files before removing — discards ciphertext only', false)
+    .option('--offline', 'allow removal without notifying the project owner (we still try first)', false)
+    .option('--session-ok', 'accept a cached session instead of re-typing the passphrase', false)
+    .option('--keep-link', 'leave the .sealcoderc.json link block in place (rare; mostly for debugging)', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runRemove({
+          projectRoot,
+          confirm: opts.confirm || null,
+          burn: !!opts.burn,
+          offline: !!opts.offline,
+          sessionOk: !!opts.sessionOk,
+          keepLink: !!opts.keepLink,
+        });
       } catch (err) {
         process.exitCode = reportError(err);
       }
@@ -1061,6 +1291,34 @@ async function run(argv) {
   if (bare || helpish) {
     ui.maybeShowWelcome(pkg.version);
   }
+
+  // sealcode@1.3.6 — registry self-check on EVERY invocation. Scans
+  // ~/.sealcode/projects.json for projects marked unlocked whose
+  // watcher is no longer alive, and spawns a detached panic-lock for
+  // each. Closes the "recipient killed the watcher and walked away"
+  // hole for anyone who uses sealcode at all on the same machine
+  // afterwards.
+  //
+  // Quiet for short/info commands so we don't spam warnings during
+  // `sealcode --version` etc. NEVER throws — wrapped in try.
+  //
+  // We skip the self-check when the invocation IS the self-check (the
+  // detached `panic --from-selfcheck` child) to prevent infinite spawn
+  // recursion.
+  try {
+    const first = userArgs[0];
+    const isPanicFromSelfcheck =
+      first === 'panic' && userArgs.includes('--from-selfcheck');
+    const isSupervise = first === 'supervise';
+    const quiet =
+      bare || helpish || isSupervise || isPanicFromSelfcheck ||
+      first === 'version' || first === '-V' || first === '--version' ||
+      first === 'where' || first === 'whoami';
+    if (!isPanicFromSelfcheck && !isSupervise) {
+      require('./cli-registry').selfCheck({ quiet });
+    }
+  } catch (_) { /* never block the user's command */ }
+
   await program.parseAsync(argv);
 }