sealcode 1.3.6 → 1.4.1

package/src/cli-remove.js

@@ -0,0 +1,281 @@
+'use strict';
+
+/**
+ * `sealcode remove` — permanently remove sealcode from a project.
+ *
+ * This is the destructive sibling of `sealcode link --remove`. Where
+ * `link --remove` only forgets the dashboard association, `remove`
+ * tears the whole vault out:
+ *
+ *   1. Re-verify the passphrase. We do this even if a session is
+ *      cached, because removal is irreversible and "the laptop was
+ *      already unlocked" is a real attack. `--session-ok` overrides
+ *      for power users.
+ *   2. Require a typed confirmation (`yes-remove`). No accidental
+ *      `sealcode rem<TAB>` deletions.
+ *   3. If the project is linked to a sealcode.dev account, hit the
+ *      server's remove-notice endpoint FIRST so the legitimate owner
+ *      gets an email and an audit-log row before any local data is
+ *      touched. If we can't reach the server we refuse by default;
+ *      `--offline` is the explicit override.
+ *   4. Decrypt every locked blob into plaintext (so the user keeps
+ *      their source). `--burn` skips this step and removes the
+ *      ciphertext without ever materializing plaintext.
+ *   5. Delete the locked dir, the sealcode config file (link block
+ *      included), and the session cache for this project root.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const ui = require('./ui');
+const { hidden, question } = require('./prompt');
+const { ApiError, request, clientInfo } = require('./api');
+const { SealcodeError } = require('./errors');
+const { isInitialized, unwrap, clearSession } = require('./keystore');
+const { runUnlock } = require('./open');
+const { readManifest } = require('./manifest');
+const { getLink, clearLink } = require('./link-state');
+const { CONFIG_FILE, LEGACY_CONFIG_FILE } = require('./config');
+
+function readActiveConfig(projectRoot) {
+  // Mirror getActiveConfig from cli.js without the dependency cycle.
+  for (const name of [CONFIG_FILE, LEGACY_CONFIG_FILE]) {
+    const p = path.join(projectRoot, name);
+    if (fs.existsSync(p)) {
+      try {
+        const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
+        if (cfg && typeof cfg.lockedDir === 'string') return { ...cfg, _file: name };
+      } catch (_) { /* fallthrough */ }
+    }
+  }
+  return null;
+}
+
+function passphraseFromEnv() {
+  return process.env.SEALCODE_PASSPHRASE || process.env.VAULTLINE_PASSPHRASE || '';
+}
+
+async function verifyPassphrase(projectRoot, lockedDir) {
+  // Prefer the env var so CI / scripted teardown isn't blocked on a
+  // TTY. Otherwise prompt — `remove` is interactive by default.
+  const pp = passphraseFromEnv() || (await hidden('Passphrase (to confirm ownership):'));
+  if (!pp) throw new SealcodeError('SEALCODE_NO_KEY');
+  try {
+    return await unwrap(projectRoot, lockedDir, { passphrase: pp });
+  } catch (err) {
+    if (err && err.message === 'SEALCODE_WRONG_KEY') {
+      throw new SealcodeError('SEALCODE_WRONG_KEY');
+    }
+    throw err;
+  }
+}
+
+/**
+ * Send the remove-notice to the server. Returns one of:
+ *   { status: 'sent'   }   — server accepted, owner email queued.
+ *   { status: 'offline'}   — could not reach the server (network error).
+ *   { status: 'rejected', code, message } — server returned 4xx/5xx.
+ *
+ * We never throw from here so the caller can centralize policy.
+ */
+async function tryNotifyServer({ projectId, localFingerprint, burn }) {
+  try {
+    await request('POST', `/api/v1/projects/${encodeURIComponent(projectId)}/remove-notice`, {
+      auth: true,
+      body: {
+        localFingerprint,
+        burn: !!burn,
+        // Best-effort device context for the owner's email. Nothing
+        // here is used for an access decision; we just want the
+        // notification to be useful ("My laptop did this — fine" vs
+        // "what's that hostname?").
+        device: clientInfo(),
+        occurredAt: new Date().toISOString(),
+      },
+      // Keep the timeout short — a slow / dead server should not let
+      // a hostile actor stall the alert until they're ready.
+      timeoutMs: 10000,
+    });
+    return { status: 'sent' };
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 0) {
+      return { status: 'offline', message: err.message };
+    }
+    if (err instanceof ApiError) {
+      return { status: 'rejected', code: err.apiCode, message: err.message };
+    }
+    return { status: 'offline', message: err && err.message ? err.message : String(err) };
+  }
+}
+
+/**
+ * Removes the locked dir, the config file, and any cached session for
+ * this project root. Idempotent — safe to re-run after a partial
+ * failure to clean up leftover bits. Returns a list of removed paths
+ * for the human-readable summary.
+ */
+function destroyVaultArtifacts(projectRoot, lockedDir) {
+  const removed = [];
+  const tryRemove = (rel) => {
+    const abs = path.join(projectRoot, rel);
+    try {
+      const st = fs.lstatSync(abs);
+      if (st.isDirectory()) {
+        fs.rmSync(abs, { recursive: true, force: true });
+      } else {
+        fs.unlinkSync(abs);
+      }
+      removed.push(rel);
+    } catch (_) { /* nothing there or already gone */ }
+  };
+  tryRemove(lockedDir);
+  tryRemove(CONFIG_FILE);
+  tryRemove(LEGACY_CONFIG_FILE);
+  try {
+    clearSession(projectRoot);
+    removed.push('~/.sealcode/sessions/<this-project>');
+  } catch (_) { /* ignore */ }
+  return removed;
+}
+
+async function runRemove({
+  projectRoot,
+  confirm = null,
+  burn = false,
+  offline = false,
+  sessionOk = false,
+  keepLink = false,
+}) {
+  const config = readActiveConfig(projectRoot);
+  if (!config || !isInitialized(projectRoot, config.lockedDir)) {
+    throw new SealcodeError('SEALCODE_NO_MANIFEST', {
+      detail: `Nothing to remove: ${projectRoot} doesn't have a sealcode vault.`,
+    });
+  }
+
+  // ---- 1. Re-verify passphrase (or accept --session-ok) ----
+  let K;
+  if (sessionOk) {
+    const { loadSession } = require('./keystore');
+    K = loadSession(projectRoot);
+    if (!K) {
+      // --session-ok was promised but no session exists. Fall back to
+      // a passphrase prompt rather than silently degrading: a missing
+      // session is exactly the case where we WANT extra verification.
+      K = await verifyPassphrase(projectRoot, config.lockedDir);
+    }
+  } else {
+    K = await verifyPassphrase(projectRoot, config.lockedDir);
+  }
+
+  // ---- 2. Typed confirmation ----
+  const link = getLink(projectRoot);
+  if (!confirm) {
+    process.stdout.write(
+      [
+        '',
+        ui.c.bold('You are about to permanently remove sealcode from:'),
+        `  ${projectRoot}`,
+        '',
+        link
+          ? `This project is linked to ${ui.c.cyan(link.projectName || link.projectId)} (${link.projectId}).`
+          : 'This project is not linked to any sealcode.dev account.',
+        link
+          ? ui.c.yellow('  → The project owner will be notified by email.')
+          : ui.c.dim('  → No notification will be sent.'),
+        '',
+        burn
+          ? ui.c.red("--burn: plaintext will NOT be recovered. Your source will be gone.")
+          : 'Your source files will be decrypted back to plaintext before removal.',
+        '',
+      ].join('\n'),
+    );
+    const typed = await question('Type yes-remove to confirm');
+    if (typed !== 'yes-remove') {
+      ui.warn('aborted; nothing changed.');
+      return { aborted: true };
+    }
+  } else if (confirm !== 'yes-remove') {
+    throw new Error(
+      "Refusing to remove: pass --confirm yes-remove (exactly) to acknowledge this is irreversible.",
+    );
+  }
+
+  // ---- 3. Notify the server (if linked) ----
+  let notifyOutcome = null;
+  if (link) {
+    if (offline) {
+      // Owner explicitly chose to skip the alert. We still want this
+      // to show up somewhere visible, so log to stderr.
+      ui.warn(
+        `--offline: skipping the server notification. The owner of "${link.projectName || link.projectId}" will NOT be emailed.`,
+      );
+      notifyOutcome = { status: 'skipped' };
+    } else {
+      notifyOutcome = await tryNotifyServer({
+        projectId: link.projectId,
+        localFingerprint: link.localFingerprint || null,
+        burn,
+      });
+      if (notifyOutcome.status === 'offline') {
+        throw new SealcodeError('SEALCODE_REMOVE_OFFLINE', {
+          detail:
+            `Could not reach sealcode.dev to notify the project owner that this vault is being removed. ` +
+            `\`sealcode remove\` is refused so a hostile actor can't bypass the alert by cutting the network. ` +
+            `Re-run with \`--offline\` if you are genuinely offline and accept this.`,
+        });
+      }
+      if (notifyOutcome.status === 'rejected') {
+        throw new SealcodeError('SEALCODE_REMOVE_REJECTED', {
+          detail:
+            `The server rejected the remove notice (${notifyOutcome.code}: ${notifyOutcome.message}). ` +
+            `This usually means your bearer token is invalid or the project was already deleted from the dashboard. ` +
+            `Run \`sealcode whoami\` and \`sealcode link --info\` to triage.`,
+        });
+      }
+    }
+  }
+
+  // ---- 4. Decrypt to plaintext (unless --burn) ----
+  let decryptedFiles = 0;
+  if (!burn) {
+    // Force a full unlock so every blob lands as a plaintext file
+    // before we wipe lockedDir. We ignore allowedPaths / watermark
+    // policy — `remove` is a full restore, not a scoped session.
+    const manifest = readManifest(projectRoot, config.lockedDir, K);
+    decryptedFiles = manifest.files.length;
+    await runUnlock({
+      projectRoot,
+      config,
+      K,
+      removeStubs: true,
+      log: () => {},
+    });
+  }
+
+  // ---- 5. Destroy local artifacts ----
+  if (link && !keepLink) {
+    clearLink(projectRoot);
+  }
+  const removed = destroyVaultArtifacts(projectRoot, config.lockedDir);
+
+  // ---- Summary ----
+  const lines = ['', ui.c.green('✓ sealcode removed from this project.'), ''];
+  if (!burn) lines.push(`  Restored ${decryptedFiles} files to plaintext.`);
+  if (burn) lines.push(`  ${ui.c.red('--burn:')} ciphertext discarded without decrypting.`);
+  lines.push(`  Removed: ${removed.join(', ')}`);
+  if (link && notifyOutcome && notifyOutcome.status === 'sent') {
+    lines.push(`  Notified the owner of "${link.projectName || link.projectId}" by email.`);
+  }
+  lines.push('');
+  process.stdout.write(lines.join('\n'));
+  return {
+    aborted: false,
+    decryptedFiles,
+    removed,
+    notified: notifyOutcome && notifyOutcome.status === 'sent',
+  };
+}
+
+module.exports = { runRemove, _internal: { destroyVaultArtifacts, tryNotifyServer } };

package/src/cli-watch.js

@@ -1155,4 +1155,6 @@ module.exports = {
   readWatcherStatus,
   watchStateFile,
   watchLogFile,
+  // Exported for tests. Not part of the public surface.
+  _internal: { heartbeatOnce },
 };

package/src/cli.js

@@ -21,7 +21,8 @@ const {
   isInitialized,
   rotatePassphrase,
 } = require('./keystore');
-const { runInit } = require('./init');
+const { runInit, renderDiscoveryReport } = require('./init');
+const { scanProject, detectMicroservices } = require('./discovery');
 const { runLock } = require('./seal');
 const { runUnlock } = require('./open');
 const { runVerify } = require('./verify');
@@ -33,6 +34,7 @@ const { installHook, uninstallHook } = require('./hooks');
 const { exportBundle, importBundle } = require('./bundle');
 const { runLogin, runSignout, runWhoami } = require('./cli-auth');
 const { runLink, runUnlink, runLinkInfo } = require('./cli-link');
+const { runRemove } = require('./cli-remove');
 const {
   runShare,
   runGrants,
@@ -82,23 +84,33 @@ function passphraseFromEnv() {
 
 /**
  * Resolve the active config: prefer the file on disk; if missing, fall back to
- * the auto-detected preset's defaults. This lets the tool work in stealth
- * mode where `.sealcoderc.json` isn't checked into the repo.
+ * the auto-discovered config. This lets the tool work in stealth mode where
+ * `.sealcoderc.json` isn't checked into the repo.
+ *
+ * sealcode@1.4.0 — implicit fallback now uses the `auto` preset (full
+ * discovery) instead of `detectPreset`'s first-marker-wins guess, so a
+ * fresh checkout without the rc file still picks up every source folder.
  */
 function getActiveConfig(projectRoot) {
   const fromFile = loadConfig(projectRoot);
   if (fromFile) return fromFile;
-  const preset = detectPreset(projectRoot);
-  return {
-    version: 1,
-    preset: preset.id,
-    lockedDir: preset.lockedDir,
-    include: preset.include,
-    exclude: preset.exclude,
-    stubs: preset.stubs || {},
-    _file: null,
-    _implicit: true,
-  };
+  try {
+    const { buildAutoConfig } = require('./discovery');
+    const { cfg } = buildAutoConfig(projectRoot);
+    return { ...cfg, _file: null, _implicit: true };
+  } catch (_) {
+    const preset = detectPreset(projectRoot);
+    return {
+      version: 1,
+      preset: preset.id,
+      lockedDir: preset.lockedDir,
+      include: preset.include,
+      exclude: preset.exclude,
+      stubs: preset.stubs || {},
+      _file: null,
+      _implicit: true,
+    };
+  }
 }
 
 /**
@@ -205,6 +217,11 @@ function build() {
     .option('--preset <id>', 'force a specific ecosystem preset')
     .option('--force', 'overwrite an existing vault (DANGER)', false)
     .option('--noninteractive', 'use SEALCODE_PASSPHRASE env var; print recovery code to stdout', false)
+    .option(
+      '--allow-monorepo',
+      'override the multi-microservice guard (one vault for the whole tree)',
+      false,
+    )
     .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
@@ -214,6 +231,7 @@ function build() {
           presetId: opts.preset,
           force: opts.force,
           noninteractive: opts.noninteractive,
+          allowMonorepo: opts.allowMonorepo,
         });
         // Run the first lock right away so the project ends in the locked state.
         const boot = await bootstrap(result.passphrase, result.recoverySeed);
@@ -447,14 +465,25 @@ function build() {
   program
     .command('status')
     .description('Show whether the project is locked / unlocked and any drift.')
-    .option('--check', 'exit 1 if unlocked with drift (for git hooks)', false)
+    .option('--check', 'exit 1 if unlocked (for git hooks). sealcode@1.4.1: strict by default — passes only when locked.', false)
+    // sealcode@1.4.1 — opt back into the pre-1.4.1 "block only on
+    // drift" behavior. Useful for CI jobs that intentionally commit
+    // alongside an unlocked working tree (rare). The installed hook
+    // can also flip into this mode globally via
+    // `sealcode install-hook --lenient`.
+    .option('--allow-clean-unlock', 'pre-1.4.1 behavior: pass when unlocked as long as there is no drift', false)
     .option('--json', 'machine-readable output (for editors / CI)', false)
     .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
         if (opts.check) {
-          const r = await runPrecommitCheck(projectRoot, config, () => getKeyForCheck(projectRoot, config));
+          const r = await runPrecommitCheck(
+            projectRoot,
+            config,
+            () => getKeyForCheck(projectRoot, config),
+            { allowCleanUnlock: !!opts.allowCleanUnlock },
+          );
           if (!r.ok) {
             process.stderr.write(r.message + '\n');
             process.exitCode = 1;
@@ -503,6 +532,88 @@ function build() {
       process.stdout.write('\nUse with:  sealcode init --preset <id>\n');
     });
 
+  // -------- scan --------
+  //
+  // sealcode@1.4.0 — dry-run inventory. Walks the project the same way the
+  // `auto` preset would, prints exactly what `sealcode init`/`lock` would
+  // touch, and flags suspicious omissions (git-tracked source files that
+  // exclude rules drop). No mutation.
+  program
+    .command('scan')
+    .description('Show what sealcode would lock in this project (read-only).')
+    .option('--json', 'emit machine-readable JSON instead of a human report', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        const report = scanProject(projectRoot);
+        const monorepo = detectMicroservices(projectRoot);
+        if (opts.json) {
+          process.stdout.write(
+            JSON.stringify(
+              {
+                projectRoot,
+                source: report.source,
+                lockedDir: report.lockedDir,
+                wouldLock: report.wouldLock,
+                wouldLockCount: report.wouldLock.length,
+                totalBytes: report.totalBytes,
+                byTopLevel: report.byTopLevel,
+                gitCoverage: report.gitCoverage,
+                oversize: report.oversize,
+                include: report.include,
+                exclude: report.exclude,
+                monorepo: {
+                  isMonorepo: monorepo.isMonorepo,
+                  reason: monorepo.reason || null,
+                  services: monorepo.services,
+                  workspaces: monorepo.workspaces,
+                },
+              },
+              null,
+              2
+            ) + '\n'
+          );
+          return;
+        }
+        process.stdout.write(`\nsealcode · scanning ${projectRoot}`);
+        renderDiscoveryReport(report);
+        if (monorepo.isMonorepo) {
+          process.stdout.write('\n');
+          ui.warn(`Multi-project layout detected · ${monorepo.reason}`);
+          if (monorepo.workspaces.length) {
+            ui.hint('  Workspace declarations:');
+            for (const w of monorepo.workspaces) {
+              ui.hint(`    • ${w.file} (${w.kind})`);
+            }
+          }
+          if (monorepo.services.length) {
+            ui.hint(`  Services (${monorepo.services.length}):`);
+            for (const s of monorepo.services.slice(0, 10)) {
+              ui.hint(`    • ${s.relPath}/  (${s.marker})`);
+            }
+            if (monorepo.services.length > 10) {
+              ui.hint(`    • … and ${monorepo.services.length - 10} more`);
+            }
+          }
+          ui.hint('  `sealcode init` will refuse at this root — cd into each service and init separately.');
+          ui.hint('  Override with `sealcode init --allow-monorepo` (one vault for the whole tree; billed as one project).');
+        }
+        process.stdout.write('\n');
+        const next = configExists(projectRoot)
+          ? 'sealcode lock                     (apply the current config)'
+          : monorepo.isMonorepo
+            ? 'cd <service-dir> && sealcode init   (per-service)'
+            : 'sealcode init --preset auto       (write .sealcoderc.json and lock)';
+        ui.hint(`Next: ${next}`);
+        if (report.wouldLock.length === 0) {
+          process.stdout.write('\n');
+          ui.warn('Nothing matched — the project may be empty or fully excluded.');
+        }
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
   // -------- logout --------
   program
     .command('logout')
@@ -630,12 +741,23 @@ function build() {
   // -------- install-hook --------
   program
     .command('install-hook')
-    .description('Install a git pre-commit hook that runs `sealcode status --check`')
-    .action(() => {
+    .description('Install a git pre-commit hook that runs `sealcode status --check`.')
+    // sealcode@1.4.1 — the hook is strict by default (blocks any
+    // commit while the project is unlocked). `--lenient` writes a
+    // hook that uses `--allow-clean-unlock` instead, restoring the
+    // pre-1.4.1 "block only on drift" behavior.
+    .option('--lenient', 'install the pre-1.4.1 hook (only blocks commits when working tree drifts)', false)
+    .action((opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
-        const hookPath = installHook(projectRoot);
-        process.stdout.write(`✓ pre-commit hook installed:\n  ${hookPath}\n`);
+        const hookPath = installHook(projectRoot, { lenient: !!opts.lenient });
+        process.stdout.write(`✓ pre-commit hook installed (${opts.lenient ? 'lenient' : 'strict'} mode):\n  ${hookPath}\n`);
+        if (!opts.lenient) {
+          process.stdout.write(
+            '  Any `git commit` while the project is unlocked will be blocked.\n' +
+              '  Run `sealcode lock` before committing.\n',
+          );
+        }
       } catch (err) {
         process.exitCode = reportError(err);
       }
@@ -811,6 +933,10 @@ function build() {
     .option('--info', 'just print the current link state, don\'t change it', false)
     .option('--remove', 'remove the existing link from this repository', false)
     .option('--json', 'machine-readable output (with --info)', false)
+    // sealcode@1.4.0 — owner-only override for the 1:1 project<->repo
+    // binding. The server still audit-logs the re-pin, and refuses if
+    // the caller isn't the project owner.
+    .option('--force', 're-pin this project to the current repository (owner only)', false)
     .action(async (projectId, opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
@@ -822,7 +948,38 @@ function build() {
           runLinkInfo({ projectRoot, json: opts.json });
           return;
         }
-        await runLink({ projectRoot, projectId });
+        await runLink({ projectRoot, projectId, force: !!opts.force });
+      } catch (err) {
+        process.exitCode = reportError(err);
+      }
+    });
+
+  // -------- remove (permanently uninstall sealcode from this project) --------
+  // sealcode@1.4.0 — destructive sibling of `link --remove`. See
+  // src/cli-remove.js for the full flow; the high-level guarantees are:
+  //   * passphrase is re-verified even when a session is unlocked
+  //   * the project owner is emailed BEFORE local data is touched
+  //   * we refuse to run offline unless --offline is explicit (so a
+  //     hostile actor can't bypass the alert by cutting the network)
+  program
+    .command('remove')
+    .description('Permanently remove sealcode from this project. Restores plaintext and (if linked) emails the project owner.')
+    .option('--confirm <phrase>', 'pass `yes-remove` to skip the interactive confirmation prompt')
+    .option('--burn', 'do NOT decrypt locked files before removing — discards ciphertext only', false)
+    .option('--offline', 'allow removal without notifying the project owner (we still try first)', false)
+    .option('--session-ok', 'accept a cached session instead of re-typing the passphrase', false)
+    .option('--keep-link', 'leave the .sealcoderc.json link block in place (rare; mostly for debugging)', false)
+    .action(async (opts) => {
+      try {
+        const projectRoot = resolveProject(program.opts());
+        await runRemove({
+          projectRoot,
+          confirm: opts.confirm || null,
+          burn: !!opts.burn,
+          offline: !!opts.offline,
+          sessionOk: !!opts.sessionOk,
+          keepLink: !!opts.keepLink,
+        });
       } catch (err) {
         process.exitCode = reportError(err);
       }