sealcode 1.3.5 → 1.4.0

package/src/discovery.js

@@ -0,0 +1,1004 @@
+'use strict';
+
+/**
+ * sealcode@1.4.0 — universal project discovery ("auto" preset).
+ *
+ * The original preset model assumed a single marker file picked the right
+ * include/exclude template. In practice that fails the moment a project
+ * deviates from the textbook layout — Next.js App Router, Django + extra
+ * apps, monorepos, .NET, Flutter, Elixir, polyglot repos. The user then
+ * runs `sealcode init`, sees "Detected ecosystem: Node.js / TypeScript",
+ * hits Enter, and only a fraction of the source actually gets locked.
+ *
+ * Discovery solves this without abandoning the preset model:
+ *
+ *   1. If the project is a git repo, `git ls-files` is the source of truth
+ *      for "what matters". It already respects `.gitignore`, captures every
+ *      tracked dir, and works on every stack.
+ *
+ *   2. If git is missing or empty, fall back to a filesystem walk that
+ *      matches a broad source-extension allowlist.
+ *
+ *   3. Apply universal exclusions (binaries, build outputs, lockfiles too
+ *      noisy to encrypt, secrets, anything > 5 MB).
+ *
+ *   4. Persist a deterministic `.sealcoderc.json` with `include: ["**\/*"]`
+ *      and a comprehensive `exclude` list, so every collaborator and CI
+ *      job sees the exact same file set on `sealcode lock`. No implicit
+ *      re-detection drift.
+ *
+ * `scanProject` returns a structured report the CLI (`sealcode scan`) and
+ * the init wizard both consume.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { spawnSync } = require('child_process');
+const fg = require('fast-glob');
+const { normPath } = require('./util');
+
+// --------------------------------------------------------------------------
+// Universal exclusions. These never make it into the vault by default, no
+// matter what the include patterns say.
+//
+// Categories matter for the scan report ("excluded: 41 binary, 11 build, ...")
+// so we keep them as named groups instead of one flat array.
+// --------------------------------------------------------------------------
+
+const EXCLUDE_VCS = ['.git/**', '.hg/**', '.svn/**'];
+
+const EXCLUDE_OS = ['.DS_Store', 'Thumbs.db', 'desktop.ini'];
+
+const EXCLUDE_EDITOR = [
+  '.idea/**',
+  '.vscode/**',
+  '*.swp',
+  '*.swo',
+  '*~',
+  '.history/**',
+];
+
+const EXCLUDE_DEPS = [
+  'node_modules/**',
+  'bower_components/**',
+  'jspm_packages/**',
+  '.pnpm-store/**',
+  '.yarn/**',
+  'venv/**',
+  '.venv/**',
+  'env/**',
+  '__pycache__/**',
+  '**/__pycache__/**',
+  '.tox/**',
+  '.eggs/**',
+  '*.egg-info/**',
+  'vendor/bundle/**',
+  '.bundle/**',
+];
+
+const EXCLUDE_BUILD = [
+  'dist/**',
+  'build/**',
+  'out/**',
+  'target/**',
+  '.next/**',
+  '.nuxt/**',
+  '.turbo/**',
+  '.svelte-kit/**',
+  '.astro/**',
+  '.output/**',
+  '.vercel/**',
+  '.netlify/**',
+  '.serverless/**',
+  '.fusebox/**',
+  '.parcel-cache/**',
+  '.cache/**',
+  '.gradle/**',
+  '.expo/**',
+  'coverage/**',
+  '.nyc_output/**',
+  '.pytest_cache/**',
+  '.mypy_cache/**',
+  '*.pyc',
+  '*.pyo',
+  '*.class',
+  '*.o',
+  '*.obj',
+  'storage/framework/**',
+  'storage/logs/**',
+  'bootstrap/cache/**',
+];
+
+const EXCLUDE_LOGS_TMP = ['*.log', 'logs/**', '*.tmp', 'tmp/**'];
+
+const EXCLUDE_SECRETS = [
+  '*.pem',
+  '*.crt',
+  '*.cer',
+  '*.key',
+  '*.p12',
+  '*.pfx',
+  'id_rsa*',
+  'id_dsa*',
+  'id_ecdsa*',
+  'id_ed25519*',
+  '*.kdbx',
+  '.sealcoderc.json',
+  '.sealcode.key',
+  '.vaultlinerc.json',
+  '.vaultline.key',
+];
+
+// Binary extensions where encryption adds no value (and bloats the vault).
+// Source-shaped extensions (json, yaml, toml, md, sh, etc.) are NOT here —
+// those get locked.
+const EXCLUDE_BINARY = [
+  // Images
+  '*.png',
+  '*.jpg',
+  '*.jpeg',
+  '*.gif',
+  '*.webp',
+  '*.ico',
+  '*.bmp',
+  '*.tif',
+  '*.tiff',
+  '*.psd',
+  '*.ai',
+  '*.heic',
+  '*.heif',
+  // Fonts
+  '*.woff',
+  '*.woff2',
+  '*.ttf',
+  '*.otf',
+  '*.eot',
+  // Media
+  '*.mp3',
+  '*.mp4',
+  '*.mov',
+  '*.avi',
+  '*.webm',
+  '*.ogg',
+  '*.oga',
+  '*.ogv',
+  '*.wav',
+  '*.flac',
+  '*.aac',
+  '*.m4a',
+  '*.m4v',
+  '*.mkv',
+  // Documents (binary)
+  '*.pdf',
+  '*.doc',
+  '*.docx',
+  '*.xls',
+  '*.xlsx',
+  '*.ppt',
+  '*.pptx',
+  // Archives
+  '*.zip',
+  '*.tar',
+  '*.tar.gz',
+  '*.tgz',
+  '*.tar.bz2',
+  '*.tbz2',
+  '*.gz',
+  '*.bz2',
+  '*.7z',
+  '*.rar',
+  '*.xz',
+  // Compiled / binary artifacts
+  '*.so',
+  '*.dll',
+  '*.dylib',
+  '*.exe',
+  '*.bin',
+  '*.iso',
+  '*.dmg',
+  '*.deb',
+  '*.rpm',
+  '*.apk',
+  '*.aab',
+  '*.ipa',
+  '*.wasm',
+];
+
+const EXCLUDE_CATEGORIES = {
+  vcs: EXCLUDE_VCS,
+  os: EXCLUDE_OS,
+  editor: EXCLUDE_EDITOR,
+  deps: EXCLUDE_DEPS,
+  build: EXCLUDE_BUILD,
+  logs: EXCLUDE_LOGS_TMP,
+  secrets: EXCLUDE_SECRETS,
+  binary: EXCLUDE_BINARY,
+};
+
+const SIZE_CAP_BYTES = 5 * 1024 * 1024; // 5 MB
+
+// Files we render as plausible stubs so the project still looks like
+// itself in a locked repo (build tools, IDEs and humans expect them).
+const STUB_TEMPLATES = {
+  'package.json': '{\n  "name": "app",\n  "version": "1.0.0",\n  "private": true\n}\n',
+  'composer.json': '{\n  "name": "app/app",\n  "type": "project"\n}\n',
+  'go.mod': 'module app\n\ngo 1.21\n',
+  'Cargo.toml':
+    '[package]\nname = "app"\nversion = "0.1.0"\nedition = "2021"\n',
+  'pyproject.toml': '[project]\nname = "app"\nversion = "0.1.0"\n',
+};
+
+// --------------------------------------------------------------------------
+// Source extension allowlist used when git is unavailable. Kept broad on
+// purpose — we'd rather encrypt one extra README than miss a source file.
+// --------------------------------------------------------------------------
+
+const SOURCE_EXTS = new Set([
+  // JS / TS
+  '.js',
+  '.jsx',
+  '.ts',
+  '.tsx',
+  '.mjs',
+  '.cjs',
+  '.mts',
+  '.cts',
+  '.vue',
+  '.svelte',
+  '.astro',
+  // Python
+  '.py',
+  '.pyi',
+  '.ipynb',
+  // Ruby
+  '.rb',
+  '.erb',
+  '.rake',
+  // PHP
+  '.php',
+  '.phtml',
+  '.blade.php',
+  // Go / Rust / C-family
+  '.go',
+  '.rs',
+  '.c',
+  '.h',
+  '.cc',
+  '.cpp',
+  '.hpp',
+  '.cxx',
+  '.hxx',
+  '.m',
+  '.mm',
+  '.cs',
+  // JVM
+  '.java',
+  '.kt',
+  '.kts',
+  '.scala',
+  '.groovy',
+  '.clj',
+  '.cljs',
+  // Swift / Objective-C
+  '.swift',
+  // Web
+  '.html',
+  '.htm',
+  '.xhtml',
+  '.css',
+  '.scss',
+  '.sass',
+  '.less',
+  '.styl',
+  // Data / config (textual)
+  '.json',
+  '.json5',
+  '.jsonc',
+  '.yaml',
+  '.yml',
+  '.toml',
+  '.ini',
+  '.cfg',
+  '.conf',
+  '.env',
+  '.env.example',
+  '.env.template',
+  '.xml',
+  '.csv',
+  '.tsv',
+  // Docs
+  '.md',
+  '.mdx',
+  '.rst',
+  '.txt',
+  '.tex',
+  // Shell / scripts
+  '.sh',
+  '.bash',
+  '.zsh',
+  '.fish',
+  '.ps1',
+  '.psm1',
+  '.bat',
+  '.cmd',
+  // SQL & graph
+  '.sql',
+  '.graphql',
+  '.gql',
+  '.proto',
+  // Other
+  '.lua',
+  '.dart',
+  '.r',
+  '.jl',
+  '.ex',
+  '.exs',
+  '.eex',
+  '.heex',
+  '.leex',
+  '.tf',
+  '.tfvars',
+  '.hcl',
+  '.nomad',
+  '.nix',
+  '.dockerfile',
+  '.svg', // textual, but kept here — exclude_binary doesn't list svg either
+]);
+
+const SOURCE_BASENAMES = new Set([
+  'Dockerfile',
+  'Containerfile',
+  'Makefile',
+  'GNUmakefile',
+  'Rakefile',
+  'Gemfile',
+  'Procfile',
+  'Brewfile',
+  'Vagrantfile',
+  'Jenkinsfile',
+  'CMakeLists.txt',
+  'CMakeLists.cmake',
+  '.gitignore',
+  '.gitattributes',
+  '.editorconfig',
+  '.dockerignore',
+  '.npmrc',
+  '.yarnrc',
+  '.prettierrc',
+  '.prettierignore',
+  '.eslintrc',
+  '.eslintignore',
+  '.stylelintrc',
+  '.babelrc',
+  '.nvmrc',
+  '.tool-versions',
+]);
+
+// --------------------------------------------------------------------------
+// Git layer
+// --------------------------------------------------------------------------
+
+// sealcode@1.4.0 — git commands run with explicit timeouts. A hung index
+// (Windows antivirus, NFS, corrupted .git) used to stall `sealcode scan`
+// and the implicit `getActiveConfig` fallback forever. 5s is generous —
+// `git ls-files` on a 200k-file monorepo completes in <1s — and gives
+// us a clear "fall through to filesystem walk" path on slow systems.
+const GIT_TIMEOUT_MS = 5_000;
+// Cap the candidate set at 200k files to avoid pathological repos
+// blowing out heap. Anyone bigger than that should be carving the repo
+// up; the warning surfaces in scanProject's `truncated` flag.
+const GIT_MAX_FILES = 200_000;
+
+function isGitRepo(projectRoot) {
+  try {
+    const r = spawnSync('git', ['rev-parse', '--is-inside-work-tree'], {
+      cwd: projectRoot,
+      encoding: 'utf8',
+      timeout: GIT_TIMEOUT_MS,
+    });
+    return r.status === 0 && r.stdout.trim() === 'true';
+  } catch (_) {
+    return false;
+  }
+}
+
+/**
+ * Return the set of files git considers part of the project: tracked files
+ * plus untracked-but-not-ignored files. This is the "what should I lock"
+ * source of truth when available.
+ *
+ * sealcode@1.4.0 — no in-memory cap (the previous `maxBuffer: 64MB` would
+ * silently truncate the stdout of any repo whose `git ls-files` output
+ * crossed that boundary; spawnSync returns ENOBUFS in that case which we
+ * then read as `status !== 0` and a NULL `stdout`, dropping the entire
+ * file list). We now collect bytes via spawnSync's default
+ * `maxBuffer: 1024MB` and explicitly bail with `truncated: true` if the
+ * line count exceeds GIT_MAX_FILES. Callers see a complete list or know
+ * they got a truncated one.
+ */
+function gitListFiles(projectRoot) {
+  if (!isGitRepo(projectRoot)) return null;
+  // -z splits on NUL, which is the only safe separator for paths.
+  let r;
+  try {
+    r = spawnSync(
+      'git',
+      ['ls-files', '-z', '--cached', '--others', '--exclude-standard'],
+      {
+        cwd: projectRoot,
+        encoding: 'buffer',
+        timeout: GIT_TIMEOUT_MS,
+        // 1 GiB — defensive ceiling; spawnSync defaults to 1 MiB so a
+        // ~30k-file repo would silently fail without this.
+        maxBuffer: 1024 * 1024 * 1024,
+      }
+    );
+  } catch (_) {
+    return null;
+  }
+  if (r.error || r.status !== 0 || r.signal === 'SIGTERM') return null;
+  const raw = r.stdout ? r.stdout.toString('utf8') : '';
+  if (!raw) return [];
+  const list = raw
+    .split('\0')
+    .filter(Boolean)
+    .map(normPath);
+  if (list.length > GIT_MAX_FILES) {
+    list.length = GIT_MAX_FILES;
+  }
+  list.sort();
+  return list;
+}
+
+// --------------------------------------------------------------------------
+// Filesystem fallback (used when git is unavailable)
+// --------------------------------------------------------------------------
+
+function filesystemListFiles(projectRoot, exclude) {
+  return fg
+    .sync(['**/*'], {
+      cwd: projectRoot,
+      ignore: exclude,
+      dot: true,
+      onlyFiles: true,
+      followSymbolicLinks: false,
+      suppressErrors: true,
+    })
+    .map(normPath)
+    .sort();
+}
+
+// sealcode@1.4.0 — heuristic source-file detection. Used to flag
+// "suspicious excluded" files in the scan report (i.e. files git tracks
+// that LOOK like source but our exclude rules are dropping). Liberal on
+// purpose — false positives just generate one extra hint line, false
+// negatives mean source silently never gets locked.
+function looksLikeSource(rel) {
+  const base = path.basename(rel);
+  if (SOURCE_BASENAMES.has(base)) return true;
+  // Compound markers (Dockerfile.dev, Makefile.local, etc.)
+  for (const marker of SOURCE_BASENAMES) {
+    if (base.startsWith(marker + '.') || base.startsWith(marker + '_')) {
+      return true;
+    }
+  }
+  const lower = base.toLowerCase();
+  if (lower.startsWith('dockerfile')) return true;
+  if (lower.startsWith('makefile')) return true;
+  if (lower.startsWith('rakefile')) return true;
+  // Final extension (handles .ts, .js, .py, etc.)
+  const ext = path.extname(rel).toLowerCase();
+  if (ext && SOURCE_EXTS.has(ext)) return true;
+  // Composite extensions. Strip up to TWO leading parts so things like
+  // `foo.spec.ts`, `bar.test.js`, `baz.d.ts`, `quux.blade.php`,
+  // `mod.config.mjs` all light up. We test progressively shorter
+  // suffixes against SOURCE_EXTS.
+  const lowerBase = base.toLowerCase();
+  const parts = lowerBase.split('.');
+  if (parts.length >= 3) {
+    for (let i = parts.length - 2; i >= 1; i--) {
+      const compound = '.' + parts.slice(i).join('.');
+      if (SOURCE_EXTS.has(compound)) return true;
+      // Also check the bare extension at this position (covers
+      // `foo.spec.ts` where `.ts` is final and recognized by the loop
+      // above — keeping for clarity).
+      const single = '.' + parts[parts.length - 1];
+      if (SOURCE_EXTS.has(single)) return true;
+    }
+  }
+  // Files with NO extension that aren't well-known basenames are
+  // unlikely to be source — leave them out so binary blobs in `bin/`
+  // don't flood the warning list.
+  return false;
+}
+
+// --------------------------------------------------------------------------
+// Locked-dir selection
+// --------------------------------------------------------------------------
+
+// Map ecosystem marker → non-suspicious lockedDir. Mirrors the spirit of
+// the named presets in presets.js but without locking us into their full
+// include/exclude templates.
+const LOCKED_DIR_RULES = [
+  { marker: 'go.mod', lockedDir: 'internal/sealed' },
+  { marker: 'Cargo.toml', lockedDir: 'target/.cache' },
+  { marker: 'composer.json', lockedDir: 'storage/sealed' },
+  { marker: 'Gemfile', lockedDir: 'vendor/sealed' },
+  { marker: 'pom.xml', lockedDir: '.sealed' },
+  { marker: 'build.gradle', lockedDir: '.sealed' },
+  { marker: 'build.gradle.kts', lockedDir: '.sealed' },
+];
+
+function chooseLockedDir(projectRoot) {
+  for (const rule of LOCKED_DIR_RULES) {
+    if (fs.existsSync(path.join(projectRoot, rule.marker))) {
+      return rule.lockedDir;
+    }
+  }
+  return 'vendor';
+}
+
+// --------------------------------------------------------------------------
+// Stubs (per-ecosystem hint files left on disk after lock)
+// --------------------------------------------------------------------------
+
+function buildStubs(projectRoot) {
+  const stubs = {};
+  for (const [file, body] of Object.entries(STUB_TEMPLATES)) {
+    if (fs.existsSync(path.join(projectRoot, file))) {
+      stubs[file] = body;
+    }
+  }
+  return stubs;
+}
+
+// --------------------------------------------------------------------------
+// Putting it together
+// --------------------------------------------------------------------------
+
+function buildExcludeList(lockedDir) {
+  const base = [
+    ...EXCLUDE_VCS,
+    ...EXCLUDE_OS,
+    ...EXCLUDE_EDITOR,
+    ...EXCLUDE_DEPS,
+    ...EXCLUDE_BUILD,
+    ...EXCLUDE_LOGS_TMP,
+    ...EXCLUDE_SECRETS,
+    ...EXCLUDE_BINARY,
+  ];
+  // The locked dir itself must never be locked.
+  const lockedGlob = `${lockedDir.replace(/\/+$/, '')}/**`;
+  if (!base.includes(lockedGlob)) base.push(lockedGlob);
+  return base;
+}
+
+function classifyExclusion(rel) {
+  const base = path.basename(rel);
+  const lower = rel.toLowerCase();
+  if (lower.startsWith('.git/') || lower.startsWith('.hg/') || lower.startsWith('.svn/')) {
+    return 'vcs';
+  }
+  if (EXCLUDE_OS.includes(base)) return 'os';
+  if (
+    lower.startsWith('.idea/') ||
+    lower.startsWith('.vscode/') ||
+    lower.startsWith('.history/') ||
+    base.endsWith('.swp') ||
+    base.endsWith('.swo') ||
+    base.endsWith('~')
+  ) {
+    return 'editor';
+  }
+  if (
+    lower.includes('node_modules/') ||
+    lower.includes('__pycache__/') ||
+    lower.startsWith('venv/') ||
+    lower.startsWith('.venv/') ||
+    lower.startsWith('env/') ||
+    lower.startsWith('.yarn/') ||
+    lower.startsWith('.pnpm-store/') ||
+    lower.startsWith('vendor/bundle/') ||
+    lower.startsWith('.bundle/')
+  ) {
+    return 'deps';
+  }
+  if (
+    lower.startsWith('dist/') ||
+    lower.startsWith('build/') ||
+    lower.startsWith('out/') ||
+    lower.startsWith('target/') ||
+    lower.startsWith('.next/') ||
+    lower.startsWith('.nuxt/') ||
+    lower.startsWith('.turbo/') ||
+    lower.startsWith('.svelte-kit/') ||
+    lower.startsWith('.astro/') ||
+    lower.startsWith('.output/') ||
+    lower.startsWith('.cache/') ||
+    lower.startsWith('coverage/') ||
+    base.endsWith('.pyc') ||
+    base.endsWith('.class') ||
+    base.endsWith('.o') ||
+    base.endsWith('.obj')
+  ) {
+    return 'build';
+  }
+  if (base.endsWith('.log') || base.endsWith('.tmp') || lower.startsWith('logs/') || lower.startsWith('tmp/')) {
+    return 'logs';
+  }
+  if (
+    base.endsWith('.pem') ||
+    base.endsWith('.crt') ||
+    base.endsWith('.cer') ||
+    base.endsWith('.key') ||
+    base.endsWith('.p12') ||
+    base.endsWith('.pfx') ||
+    base.startsWith('id_rsa') ||
+    base.startsWith('id_dsa') ||
+    base.startsWith('id_ecdsa') ||
+    base.startsWith('id_ed25519')
+  ) {
+    return 'secrets';
+  }
+  const ext = path.extname(rel).toLowerCase();
+  const binaryExts = new Set(
+    EXCLUDE_BINARY.map((g) => (g.startsWith('*') ? g.slice(1).toLowerCase() : g.toLowerCase()))
+  );
+  if (binaryExts.has(ext)) return 'binary';
+  return 'other';
+}
+
+/**
+ * Top-level discovery entry point. Returns a structured report; callers
+ * (scan, init) decide what to do with it.
+ *
+ * @param {string} projectRoot
+ * @param {{ lockedDir?: string }} [opts]
+ */
+function scanProject(projectRoot, opts = {}) {
+  const lockedDir = opts.lockedDir || chooseLockedDir(projectRoot);
+  const exclude = buildExcludeList(lockedDir);
+
+  // Source of truth for "what could be locked" — git if available, else
+  // a filesystem walk filtered to source-looking files. We strip any
+  // paths that live inside the lockedDir (they are ciphertext, not
+  // source — counting them as "excluded" would be misleading on a
+  // re-scan of an already-initialized project).
+  let candidates;
+  let source;
+  const lockedPrefix = lockedDir.replace(/\/+$/, '') + '/';
+  const fromGit = gitListFiles(projectRoot);
+  if (fromGit) {
+    candidates = fromGit.filter((p) => !p.startsWith(lockedPrefix));
+    source = 'git';
+  } else {
+    candidates = filesystemListFiles(projectRoot, exclude);
+    source = 'filesystem';
+  }
+
+  // Now run the actual include/exclude that lock will use, so the report
+  // matches reality exactly. We use the same fast-glob call as seal.js.
+  const includeGlobs = ['**/*'];
+  const matched = new Set(
+    fg
+      .sync(includeGlobs, {
+        cwd: projectRoot,
+        ignore: exclude,
+        dot: true,
+        onlyFiles: true,
+        followSymbolicLinks: false,
+        suppressErrors: true,
+      })
+      .map(normPath)
+  );
+
+  // Size-cap filter — large binaries even if they look textual.
+  const oversize = [];
+  const wouldLock = [];
+  for (const rel of matched) {
+    const abs = path.join(projectRoot, rel);
+    let stat;
+    try {
+      stat = fs.statSync(abs);
+    } catch (_) {
+      continue;
+    }
+    if (stat.size > SIZE_CAP_BYTES) {
+      oversize.push({ path: rel, size: stat.size });
+      continue;
+    }
+    wouldLock.push(rel);
+  }
+
+  // Coverage analysis (only meaningful when git is the source).
+  let gitCoverage = null;
+  if (source === 'git') {
+    const matchedSet = new Set(wouldLock);
+    const gitSet = new Set(candidates);
+    const inGitNotLocked = candidates.filter((p) => !matchedSet.has(p));
+    const lockedNotInGit = wouldLock.filter((p) => !gitSet.has(p));
+
+    // Bucket excluded git files by reason.
+    const excludedByReason = {};
+    for (const p of inGitNotLocked) {
+      const reason = classifyExclusion(p);
+      excludedByReason[reason] = (excludedByReason[reason] || 0) + 1;
+    }
+    // Flag git-tracked files that *look* like source but are getting
+    // excluded — these are the most likely false-negatives the user
+    // wants to know about.
+    const suspiciousExcluded = inGitNotLocked.filter(
+      (p) => looksLikeSource(p) && classifyExclusion(p) === 'other'
+    );
+
+    gitCoverage = {
+      tracked: candidates.length,
+      excluded: inGitNotLocked.length,
+      excludedByReason,
+      suspiciousExcluded,
+      lockedNotInGit,
+    };
+  }
+
+  // Per-directory breakdown of the locked set.
+  const byTopLevel = {};
+  for (const rel of wouldLock) {
+    const slash = rel.indexOf('/');
+    const top = slash === -1 ? '(root files)' : rel.slice(0, slash) + '/';
+    byTopLevel[top] = (byTopLevel[top] || 0) + 1;
+  }
+  const totalBytes = wouldLock.reduce((sum, rel) => {
+    try {
+      return sum + fs.statSync(path.join(projectRoot, rel)).size;
+    } catch (_) {
+      return sum;
+    }
+  }, 0);
+
+  return {
+    source,
+    lockedDir,
+    include: includeGlobs,
+    exclude,
+    wouldLock,
+    oversize,
+    gitCoverage,
+    byTopLevel,
+    totalBytes,
+    candidates,
+  };
+}
+
+/**
+ * Build the persisted .sealcoderc.json config object for the auto preset.
+ * Deterministic — the same project on two machines will produce identical
+ * include/exclude lists.
+ */
+function buildAutoConfig(projectRoot) {
+  const report = scanProject(projectRoot);
+  return {
+    cfg: {
+      version: 1,
+      preset: 'auto',
+      lockedDir: report.lockedDir,
+      include: report.include,
+      exclude: report.exclude,
+      stubs: buildStubs(projectRoot),
+    },
+    report,
+  };
+}
+
+// --------------------------------------------------------------------------
+// Monorepo / multi-microservice detection (sealcode@1.4.0)
+//
+// Sealcode is licensed per project. A folder that's clearly a monorepo —
+// `services/auth/package.json` + `services/billing/package.json` + a root
+// `docker-compose.yml`, or a `pnpm-workspace.yaml` listing N packages —
+// should NOT be sealed as one giant vault by default. The owner is meant
+// to `cd` into each service and run `sealcode init` separately so each
+// gets its own keys, its own grants, its own billing line item.
+//
+// detectMicroservices() returns:
+//
+//   {
+//     isMonorepo:    boolean,       // true if we'd refuse without override
+//     reason:        string,        // human-readable headline
+//     services:      [{ relPath, marker, label }],
+//     workspaces:    [{ file, kind }],  // explicit workspace declarations
+//   }
+//
+// Heuristic, in order:
+//   1. Explicit workspace declarations (lerna.json, pnpm-workspace.yaml,
+//      nx.json, turbo.json, rush.json, root package.json with a
+//      `workspaces` field) — always treated as a monorepo.
+//   2. ≥ 2 sibling directories (depth 1 or 2) containing a project marker
+//      (package.json, pyproject.toml, requirements.txt, setup.py,
+//      manage.py, go.mod, Cargo.toml, Gemfile, composer.json, pom.xml,
+//      build.gradle, build.gradle.kts).
+//   3. The CLI refuses to init at the root; the user is told which
+//      services were detected and how to lock each one. `--allow-monorepo`
+//      overrides for the rare case where one big vault is desired.
+
+const PROJECT_MARKERS = new Set([
+  'package.json',
+  'pyproject.toml',
+  'requirements.txt',
+  'setup.py',
+  'manage.py',
+  'go.mod',
+  'Cargo.toml',
+  'Gemfile',
+  'composer.json',
+  'pom.xml',
+  'build.gradle',
+  'build.gradle.kts',
+  'mix.exs',
+  'pubspec.yaml',
+]);
+
+// Folders we never recurse into while hunting for services. These are
+// dependency caches, build outputs, or version-controlled sub-trees that
+// happen to ship their own package.json — counting them would generate
+// thousands of false positives on any non-trivial repo.
+const SKIP_DIRS_FOR_DETECT = new Set([
+  'node_modules',
+  'vendor',
+  'venv',
+  '.venv',
+  'env',
+  '.env',
+  '__pycache__',
+  '.git',
+  '.hg',
+  '.svn',
+  'dist',
+  'build',
+  'target',
+  '.next',
+  '.nuxt',
+  '.output',
+  '.cache',
+  '.parcel-cache',
+  '.turbo',
+  '.gradle',
+  '.idea',
+  '.vscode',
+  'tmp',
+  '.tmp',
+  'coverage',
+  '.nyc_output',
+  // sealcode's own locked dirs
+  'sealed',
+  '_site_packages',
+  '_sealed',
+  '.sealed',
+]);
+
+function readJsonSafe(absPath) {
+  try {
+    return JSON.parse(fs.readFileSync(absPath, 'utf8'));
+  } catch (_) {
+    return null;
+  }
+}
+
+function detectWorkspaceDeclarations(projectRoot) {
+  const declarations = [];
+  const files = [
+    { name: 'lerna.json', kind: 'lerna' },
+    { name: 'pnpm-workspace.yaml', kind: 'pnpm' },
+    { name: 'nx.json', kind: 'nx' },
+    { name: 'turbo.json', kind: 'turbo' },
+    { name: 'rush.json', kind: 'rush' },
+  ];
+  for (const f of files) {
+    if (fs.existsSync(path.join(projectRoot, f.name))) {
+      declarations.push({ file: f.name, kind: f.kind });
+    }
+  }
+  // npm/yarn/bun workspaces live in the root package.json. Read it if
+  // we have one; an array OR object `workspaces` field means monorepo.
+  const rootPkgPath = path.join(projectRoot, 'package.json');
+  if (fs.existsSync(rootPkgPath)) {
+    const pkg = readJsonSafe(rootPkgPath);
+    if (pkg && pkg.workspaces) {
+      const value = pkg.workspaces;
+      const looksLikeWorkspace =
+        Array.isArray(value) ||
+        (value && typeof value === 'object' && Array.isArray(value.packages));
+      if (looksLikeWorkspace) {
+        declarations.push({ file: 'package.json', kind: 'npm-workspaces' });
+      }
+    }
+  }
+  return declarations;
+}
+
+// Walk up to MAX_DEPTH directory levels under root looking for project
+// markers. Stops descending into any SKIP_DIRS_FOR_DETECT and into any
+// directory that already has its own marker (we don't double-count a
+// service's nested package.json).
+function findServiceDirs(projectRoot, maxDepth = 3) {
+  const results = [];
+  function walk(rel, depth) {
+    if (depth > maxDepth) return;
+    const abs = path.join(projectRoot, rel);
+    let entries;
+    try {
+      entries = fs.readdirSync(abs, { withFileTypes: true });
+    } catch (_) {
+      return;
+    }
+    // First pass: does THIS directory have a project marker? If so,
+    // record it and don't descend further (a service's own nested
+    // packages don't count as separate services).
+    let foundMarker = null;
+    for (const e of entries) {
+      if (e.isFile() && PROJECT_MARKERS.has(e.name)) {
+        foundMarker = e.name;
+        break;
+      }
+    }
+    if (foundMarker && depth >= 1) {
+      // depth >= 1 → don't count the project root itself as a service.
+      results.push({
+        relPath: rel || '.',
+        marker: foundMarker,
+        label: rel.split(path.sep).pop() || rel,
+      });
+      return;
+    }
+    // Recurse into subdirectories.
+    for (const e of entries) {
+      if (!e.isDirectory()) continue;
+      if (SKIP_DIRS_FOR_DETECT.has(e.name)) continue;
+      if (e.name.startsWith('.') && e.name !== '.github') continue;
+      walk(path.join(rel, e.name), depth + 1);
+    }
+  }
+  walk('', 0);
+  return results;
+}
+
+function detectMicroservices(projectRoot) {
+  const workspaces = detectWorkspaceDeclarations(projectRoot);
+  const services = findServiceDirs(projectRoot);
+
+  // Two distinct ways to land in monorepo territory:
+  //   (a) explicit workspace declaration at the root
+  //   (b) ≥ 2 service dirs found by walking
+  let isMonorepo = false;
+  let reason = '';
+  if (workspaces.length > 0) {
+    isMonorepo = true;
+    reason = `Detected an explicit workspace declaration (${workspaces.map((w) => w.file).join(', ')}).`;
+  } else if (services.length >= 2) {
+    isMonorepo = true;
+    reason = `Detected ${services.length} project directories with their own build manifests.`;
+  }
+
+  return { isMonorepo, reason, services, workspaces };
+}
+
+module.exports = {
+  // primary API
+  scanProject,
+  buildAutoConfig,
+  detectMicroservices,
+  // helpers (exported for tests / reuse)
+  chooseLockedDir,
+  buildExcludeList,
+  buildStubs,
+  classifyExclusion,
+  looksLikeSource,
+  isGitRepo,
+  gitListFiles,
+  // constants
+  EXCLUDE_CATEGORIES,
+  SOURCE_EXTS,
+  SOURCE_BASENAMES,
+  STUB_TEMPLATES,
+  SIZE_CAP_BYTES,
+  PROJECT_MARKERS,
+};