sealcode 1.3.6 → 1.4.1

package/src/errors.js

@@ -34,7 +34,7 @@ const CODES = {
     headline: 'This project already has a sealcode vault.',
     detail:
       "There's an existing vault here. Re-running `init` would overwrite it and orphan your locked files — refusing.",
-    try: 'Try: sealcode status                   (see what state you are in)\n     sealcode reset --force            (start over; DELETES locked files)',
+    try: 'Try: sealcode status                   (see what state you are in)\n     sealcode remove                   (start over; requires passphrase, notifies owner if linked)',
   },
   SEALCODE_INIT_NEEDS_TTY: {
     headline: 'sealcode init needs an interactive terminal.',
@@ -72,6 +72,36 @@ const CODES = {
       'The first heartbeat failed. We refuse to start the watcher without confirming the code is reachable — otherwise a revoke would never be observed.',
     try: 'Try: check connectivity, then re-run `sealcode watch <code>`.',
   },
+  SEALCODE_PROJECT_REPO_MISMATCH: {
+    headline: 'That project is already linked to a different repository.',
+    detail:
+      'sealcode binds each paid project to exactly one local repository, identified by an opaque hash of its vault salt. The server has already pinned this project to a different repo — accepting this link would let one billing slot cover multiple unrelated codebases, which is not allowed.',
+    try: 'Try: sealcode link <id> from the original repo\n     create a new project on https://sealcode.dev/dashboard for this repo\n     sealcode link --force <id>        (owner-only: re-pin to this repo)',
+  },
+  SEALCODE_REMOVE_OFFLINE: {
+    headline: "I can't reach sealcode.dev to notify the project owner.",
+    detail:
+      '`sealcode remove` refuses to run when the project is linked and the server is unreachable — otherwise an attacker could bypass the owner-email alert just by cutting the network. Confirm connectivity, or re-run with `--offline` if you accept that the owner will NOT be alerted.',
+    try: 'Try: sealcode whoami                   (confirm the API URL and connectivity)\n     sealcode remove --offline         (skip the alert; the owner can still see the local state never updated on the dashboard)',
+  },
+  SEALCODE_REMOVE_REJECTED: {
+    headline: 'The server rejected the remove notice.',
+    detail:
+      "sealcode.dev refused to record this removal. Usually that's a stale bearer token, a project that was already deleted on the dashboard, or a server-side validation error.",
+    try: 'Try: sealcode whoami                   (confirm you are signed in)\n     sealcode link --info              (confirm the project still exists)',
+  },
+  SEALCODE_FORBIDDEN: {
+    headline: "You don't have permission to do that.",
+    detail:
+      'The server rejected this action for your account. If you think you should have access, double-check your role on the project dashboard.',
+    try: 'Try: sealcode whoami                   (confirm which account is signed in)',
+  },
+  SEALCODE_MONOREPO_DETECTED: {
+    headline: 'This folder looks like a monorepo / multi-service project.',
+    detail:
+      'sealcode is licensed per project. Each microservice should be initialized and shared on its own so it gets its own keys, its own grants, and its own audit trail. Run `sealcode init` from inside each service directory listed below.',
+    try: 'Try: cd <service-dir> && sealcode init\n     sealcode init --allow-monorepo   (override: one vault for the whole tree)',
+  },
 };
 
 class SealcodeError extends Error {
@@ -101,10 +131,15 @@ function reportError(err) {
   // Sentinel codes thrown deep inside modules surface here as Error.message.
   const code = isSC ? err.code : isSealcodeCode(err.message) ? err.message : null;
   let meta;
-  if (code && CODES[code]) {
-    meta = CODES[code];
-  } else if (isSC) {
+  if (isSC) {
+    // The SealcodeError constructor already merged any caller-supplied
+    // overrides on top of the static CODES entry, so the instance's own
+    // fields are authoritative. The pre-1.4 behavior of always reading
+    // from CODES[code] silently dropped per-throw overrides (e.g. the
+    // monorepo guard's dynamic list of detected services).
     meta = { headline: err.headline, detail: err.detail, try: err.tryHint };
+  } else if (code && CODES[code]) {
+    meta = CODES[code];
   } else {
     meta = {
       headline: err.message || 'Something went wrong.',

package/src/hooks.js

@@ -41,8 +41,18 @@ function findGitDir(startDir) {
 /**
  * Install the pre-commit hook. Idempotent: replaces only the sealcode block
  * (and any legacy vaultline block left over from an older install).
+ *
+ * sealcode@1.4.1 — `opts.lenient` toggles the behavior of the hook
+ * itself, not just the install message. Strict (default) refuses any
+ * commit while the project is unlocked. Lenient appends
+ * `--allow-clean-unlock`, restoring the pre-1.4.1 "block only on drift"
+ * behavior for niche workflows that intentionally commit alongside an
+ * unlocked tree.
+ *
+ * @param {string} projectRoot
+ * @param {{ lenient?: boolean }} [opts]
  */
-function installHook(projectRoot) {
+function installHook(projectRoot, opts = {}) {
   const gitDir = findGitDir(projectRoot);
   if (!gitDir) {
     throw new Error('No .git directory found above this folder. Run `git init` first.');
@@ -50,15 +60,17 @@ function installHook(projectRoot) {
   const hookPath = path.join(gitDir, 'hooks', 'pre-commit');
   ensureHooksDir(gitDir);
 
+  const flag = opts.lenient ? ' --allow-clean-unlock' : '';
   const block = [
     MARK_BEGIN,
+    `# mode: ${opts.lenient ? 'lenient' : 'strict'}`,
     'sealcode_check() {',
     '  ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" || return 0',
     '  cd "$ROOT" || return 0',
     '  if command -v sealcode >/dev/null 2>&1; then',
-    '    sealcode status --check || exit 1',
+    `    sealcode status --check${flag} || exit 1`,
     '  elif command -v npx >/dev/null 2>&1; then',
-    '    npx --yes sealcode@latest status --check || exit 1',
+    `    npx --yes sealcode@latest status --check${flag} || exit 1`,
     '  else',
     '    echo "sealcode: install the CLI (npm i -g sealcode) or npx for pre-commit checks." >&2',
     '    exit 1',

package/src/init.js

@@ -21,6 +21,7 @@ const { makeRecoveryCode } = require('./recovery');
 const { isInitialized } = require('./keystore');
 const { SealcodeError } = require('./errors');
 const { question, confirm, hidden, select } = require('./prompt');
+const { buildAutoConfig, isGitRepo, detectMicroservices } = require('./discovery');
 
 const GITIGNORE_BLOCK = `
 # sealcode — local-only files (never commit)
@@ -47,6 +48,13 @@ function appendGitignoreOnce(projectRoot) {
 async function pickPreset(projectRoot, { suggestedId, noninteractive = false } = {}) {
   const guess = suggestedId ? getPreset(suggestedId) : detectPreset(projectRoot);
   process.stdout.write(`\nDetected ecosystem: ${guess.label} (${guess.id})\n`);
+  if (guess.id === 'auto') {
+    const gitNote = isGitRepo(projectRoot) ? 'git-aware' : 'filesystem scan';
+    process.stdout.write(
+      `  Auto mode locks every source file in the repo (${gitNote}, smart\n`
+      + '  excludes for build artifacts, binaries, secrets, and locked dir).\n'
+    );
+  }
   if (noninteractive) {
     process.stdout.write('  (non-interactive: accepting detected preset)\n');
     return guess;
@@ -62,6 +70,69 @@ async function pickPreset(projectRoot, { suggestedId, noninteractive = false } =
   return getPreset(choice);
 }
 
+/**
+ * Render the auto-discovery report to stdout. The same renderer is reused
+ * by `sealcode scan`.
+ */
+function renderDiscoveryReport(report) {
+  const { source, lockedDir, wouldLock, totalBytes, byTopLevel, gitCoverage, oversize } = report;
+  const sizeStr = formatBytes(totalBytes);
+  process.stdout.write(
+    `\n  source:     ${source === 'git' ? `git (${gitCoverage.tracked} tracked files)` : 'filesystem walk'}\n`
+  );
+  process.stdout.write(`  would lock: ${wouldLock.length} files (~${sizeStr})\n`);
+  process.stdout.write(`  locked dir: ${lockedDir}/\n`);
+
+  const tops = Object.entries(byTopLevel).sort((a, b) => b[1] - a[1]).slice(0, 12);
+  if (tops.length) {
+    process.stdout.write('\n  Coverage by folder:\n');
+    const width = Math.max(...tops.map(([k]) => k.length));
+    for (const [k, n] of tops) {
+      process.stdout.write(`    ${k.padEnd(width + 2)} ${n} files\n`);
+    }
+    if (Object.keys(byTopLevel).length > tops.length) {
+      process.stdout.write(
+        `    ... and ${Object.keys(byTopLevel).length - tops.length} more directories\n`
+      );
+    }
+  }
+
+  if (gitCoverage) {
+    const reasons = Object.entries(gitCoverage.excludedByReason).sort((a, b) => b[1] - a[1]);
+    if (reasons.length) {
+      process.stdout.write(`\n  Excluded (${gitCoverage.excluded} files):\n`);
+      for (const [reason, n] of reasons) {
+        process.stdout.write(`    ${reason.padEnd(10)} ${n}\n`);
+      }
+    }
+    if (gitCoverage.suspiciousExcluded.length) {
+      process.stdout.write(
+        `\n  ⚠  ${gitCoverage.suspiciousExcluded.length} source-looking file(s) excluded — review:\n`
+      );
+      for (const p of gitCoverage.suspiciousExcluded.slice(0, 10)) {
+        process.stdout.write(`     ${p}\n`);
+      }
+      if (gitCoverage.suspiciousExcluded.length > 10) {
+        process.stdout.write(`     ... and ${gitCoverage.suspiciousExcluded.length - 10} more\n`);
+      }
+    }
+  }
+
+  if (oversize.length) {
+    process.stdout.write(`\n  Skipped (>5MB): ${oversize.length} file(s)\n`);
+    for (const { path: p, size } of oversize.slice(0, 5)) {
+      process.stdout.write(`    ${p}  (${formatBytes(size)})\n`);
+    }
+  }
+}
+
+function formatBytes(n) {
+  if (n < 1024) return `${n} B`;
+  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
+  if (n < 1024 * 1024 * 1024) return `${(n / 1024 / 1024).toFixed(1)} MB`;
+  return `${(n / 1024 / 1024 / 1024).toFixed(2)} GB`;
+}
+
 async function askPassphrase() {
   while (true) {
     const pp = await hidden('Choose a passphrase:');
@@ -115,7 +186,17 @@ async function showRecoveryCode(code) {
  * @param {string} [opts.presetId]    optional override
  * @param {boolean} [opts.force]      overwrite an existing vault
  */
-async function runInit({ projectRoot, presetId, force = false, noninteractive = false }) {
+async function runInit({
+  projectRoot,
+  presetId,
+  force = false,
+  noninteractive = false,
+  // sealcode@1.4.0 — refuse to init at the root of a monorepo so each
+  // microservice gets its own vault and its own billing line item.
+  // Set true to override (after `sealcode scan` has surfaced the
+  // detected services to the operator).
+  allowMonorepo = false,
+}) {
   const ni =
     noninteractive ||
     !!process.env.SEALCODE_NONINTERACTIVE ||
@@ -138,6 +219,42 @@ async function runInit({ projectRoot, presetId, force = false, noninteractive =
     }
   }
 
+  // sealcode@1.4.0 — multi-microservice guard. Run BEFORE we touch the
+  // wizard so an accidental `sealcode init` at the root of a monorepo
+  // never proceeds. The `--allow-monorepo` flag (or
+  // SEALCODE_ALLOW_MONOREPO=1 in CI) skips this check for the rare
+  // "one vault for the whole tree" case.
+  if (!allowMonorepo && !process.env.SEALCODE_ALLOW_MONOREPO) {
+    const ms = detectMicroservices(projectRoot);
+    if (ms.isMonorepo) {
+      const lines = [];
+      lines.push(ms.reason);
+      if (ms.workspaces.length) {
+        lines.push('Workspace declarations:');
+        for (const w of ms.workspaces) {
+          lines.push(`  • ${w.file} (${w.kind})`);
+        }
+      }
+      if (ms.services.length) {
+        lines.push(`Service directories (${ms.services.length}):`);
+        for (const s of ms.services.slice(0, 20)) {
+          lines.push(`  • ${s.relPath}/  (${s.marker})`);
+        }
+        if (ms.services.length > 20) {
+          lines.push(`  • … and ${ms.services.length - 20} more`);
+        }
+      }
+      lines.push('');
+      lines.push('Initialize each service on its own:');
+      for (const s of ms.services.slice(0, 4)) {
+        lines.push(`  cd ${s.relPath} && sealcode init`);
+      }
+      throw new SealcodeError('SEALCODE_MONOREPO_DETECTED', {
+        detail: lines.join('\n'),
+      });
+    }
+  }
+
   process.stdout.write(`\nsealcode · setting up ${projectRoot}\n`);
 
   const preset = await pickPreset(projectRoot, { suggestedId: presetId, noninteractive: ni });
@@ -154,15 +271,39 @@ async function runInit({ projectRoot, presetId, force = false, noninteractive =
 
   const { seed: recoverySeed, code: recoveryCode } = makeRecoveryCode();
 
-  // Persist the config (gitignored).
-  const cfg = {
-    version: 1,
-    preset: preset.id,
-    lockedDir: preset.lockedDir,
-    include: preset.include,
-    exclude: preset.exclude,
-    stubs: preset.stubs || {},
-  };
+  // Persist the config (gitignored). For the auto preset we delegate to
+  // discovery, which builds a deterministic include/exclude pair from the
+  // actual project contents (git ls-files when available, filesystem walk
+  // otherwise). Stack-specific presets keep their hand-tuned templates.
+  let cfg;
+  let report = null;
+  if (preset.id === 'auto') {
+    const auto = buildAutoConfig(projectRoot);
+    cfg = auto.cfg;
+    report = auto.report;
+    if (!ni) {
+      process.stdout.write('\nsealcode · scanning project');
+      renderDiscoveryReport(report);
+      const ok = await confirm('\nLock this set?', { default: true });
+      if (!ok) {
+        throw new SealcodeError('SEALCODE_INIT_NEEDS_TTY', {
+          detail: 'Cancelled at the discovery confirmation step.',
+          hint: 'Try: sealcode init --preset <other-id>   (pick a stack-specific preset)',
+        });
+      }
+    } else if (report.wouldLock.length === 0) {
+      throw new Error('SEALCODE_NOTHING_TO_LOCK');
+    }
+  } else {
+    cfg = {
+      version: 1,
+      preset: preset.id,
+      lockedDir: preset.lockedDir,
+      include: preset.include,
+      exclude: preset.exclude,
+      stubs: preset.stubs || {},
+    };
+  }
   writeConfig(projectRoot, cfg);
   appendGitignoreOnce(projectRoot);
 
@@ -177,4 +318,4 @@ async function runInit({ projectRoot, presetId, force = false, noninteractive =
   return { config: cfg, preset, passphrase, recoverySeed, recoveryCode };
 }
 
-module.exports = { runInit };
+module.exports = { runInit, renderDiscoveryReport, formatBytes };

package/src/keystore.js

@@ -298,6 +298,36 @@ function isInitialized(projectRoot, lockedDir) {
   );
 }
 
+/**
+ * sealcode@1.4.0 — stable, opaque fingerprint of this LOCAL repo's vault.
+ *
+ * Used by `sealcode link` so the server can enforce 1:1 between a paid
+ * `sealcode` project record and a single local repository. Two different
+ * `sealcode init` runs produce two different fingerprints (because each
+ * generates its own random salt) so a user can't take one paid project
+ * slot and reuse it across five unrelated microservices.
+ *
+ * Properties we care about:
+ *   - DETERMINISTIC per local repo: derived from the salt file, which
+ *     never changes after init. A teammate cloning the repo gets the
+ *     same fingerprint, so they can `sealcode link` to the same server
+ *     project without a re-mint.
+ *   - OPAQUE: it's a one-way hash of the salt — leaking it doesn't
+ *     reveal anything that helps an attacker.
+ *   - 24 hex chars (96 bits): collision-resistant for our scale and
+ *     short enough to read on screen during conflict errors.
+ *
+ * Returns null if the project hasn't been initialized yet (no salt on
+ * disk) — the link command refuses in that case with a clear error.
+ */
+function localProjectFingerprint(projectRoot, lockedDir) {
+  const salt = readSalt(projectRoot, lockedDir);
+  if (!salt) return null;
+  // Domain-separated hash so this never collides with any other use of
+  // the salt elsewhere in the codebase.
+  return sha256Hex(Buffer.concat([Buffer.from('sealcode-project-link-v1'), salt])).slice(0, 24);
+}
+
 module.exports = {
   SALT_NAME,
   WRAP_PASS_NAME,
@@ -314,6 +344,7 @@ module.exports = {
   updateSessionMeta,
   clearSession,
   isInitialized,
+  localProjectFingerprint,
   manifestBlobPath,
   projectId,
 };

package/src/presets.js

@@ -42,59 +42,108 @@ const STUB_GENERIC_PKG_JSON =
 
 /** @type {Preset[]} */
 const PRESETS = [
+  // sealcode@1.4.0 — `auto` is the new default. It has no fixed include /
+  // exclude list; the init wizard delegates to src/discovery.js, which
+  // walks `git ls-files` (or a filesystem fallback) and writes a fully
+  // deterministic .sealcoderc.json. The marker list is empty so it never
+  // wins detectPreset on its own — it is selected explicitly by init or
+  // when the user passes --preset auto.
   {
-    id: 'node',
-    label: 'Node.js / TypeScript',
-    markers: ['package.json'],
+    id: 'auto',
+    label: 'Auto (any project, any layout)',
+    markers: [],
+    lockedDir: 'vendor',
+    include: ['**/*'],
+    exclude: [...SHARED_EXCLUDES, 'node_modules/**', 'vendor/**', 'dist/**', 'build/**'],
+  },
+  // sealcode@1.4.0 — framework-specific presets now appear BEFORE the
+  // generic per-language ones so `detectPreset` resolves Next.js / Django
+  // before falling back to `node` / `python`. Without this reorder, a
+  // Next.js project (which always has package.json) was mis-detected as
+  // plain Node and only `src/` + `lib/` got locked.
+  {
+    id: 'nextjs',
+    label: 'Next.js',
+    markers: ['next.config.js', 'next.config.mjs', 'next.config.ts'],
     lockedDir: 'vendor',
     include: [
       'src/**/*',
+      'app/**/*',
+      'pages/**/*',
+      'components/**/*',
       'lib/**/*',
+      'public/**/*',
       'package.json',
-      'package-lock.json',
+      'next.config.*',
       'tsconfig.json',
-      'Dockerfile',
-      'docker-compose*.yml',
-      'docker-compose*.yaml',
+      'tailwind.config.*',
+      'postcss.config.*',
       '.env.example',
-      'README.md',
     ],
     exclude: [
       ...SHARED_EXCLUDES,
       'node_modules/**',
-      'dist/**',
-      'build/**',
       '.next/**',
-      '.turbo/**',
-      '.nuxt/**',
       'out/**',
       'vendor/**',
     ],
-    stubs: { 'package.json': STUB_GENERIC_PKG_JSON },
+    stubs: { 'package.json': '{\n  "name": "app",\n  "version": "1.0.0",\n  "private": true\n}\n' },
   },
   {
-    id: 'nextjs',
-    label: 'Next.js',
-    markers: ['next.config.js', 'next.config.mjs', 'next.config.ts'],
+    id: 'django',
+    label: 'Python — Django',
+    markers: ['manage.py'],
+    lockedDir: '_site_packages',
+    include: [
+      '**/*.py',
+      'manage.py',
+      'requirements*.txt',
+      'pyproject.toml',
+      'Dockerfile',
+      'docker-compose*.yml',
+      '.env.example',
+      'templates/**/*',
+      'static/**/*',
+    ],
+    exclude: [
+      ...SHARED_EXCLUDES,
+      'venv/**',
+      '.venv/**',
+      '__pycache__/**',
+      '**/__pycache__/**',
+      '*.pyc',
+      'media/**',
+      'staticfiles/**',
+      'db.sqlite3',
+      '_site_packages/**',
+    ],
+    stubs: { 'README.md': '# app\n' },
+  },
+  {
+    id: 'node',
+    label: 'Node.js / TypeScript',
+    markers: ['package.json'],
     lockedDir: 'vendor',
     include: [
       'src/**/*',
-      'app/**/*',
-      'pages/**/*',
-      'components/**/*',
       'lib/**/*',
-      'public/**/*',
       'package.json',
-      'next.config.*',
+      'package-lock.json',
       'tsconfig.json',
-      'tailwind.config.*',
-      'postcss.config.*',
+      'Dockerfile',
+      'docker-compose*.yml',
+      'docker-compose*.yaml',
       '.env.example',
+      'README.md',
     ],
     exclude: [
       ...SHARED_EXCLUDES,
       'node_modules/**',
+      'dist/**',
+      'build/**',
       '.next/**',
+      '.turbo/**',
+      '.nuxt/**',
       'out/**',
       'vendor/**',
     ],
@@ -137,36 +186,6 @@ const PRESETS = [
     ],
     stubs: { 'README.md': '# app\n' },
   },
-  {
-    id: 'django',
-    label: 'Python — Django',
-    markers: ['manage.py'],
-    lockedDir: '_site_packages',
-    include: [
-      '**/*.py',
-      'manage.py',
-      'requirements*.txt',
-      'pyproject.toml',
-      'Dockerfile',
-      'docker-compose*.yml',
-      '.env.example',
-      'templates/**/*',
-      'static/**/*',
-    ],
-    exclude: [
-      ...SHARED_EXCLUDES,
-      'venv/**',
-      '.venv/**',
-      '__pycache__/**',
-      '**/__pycache__/**',
-      '*.pyc',
-      'media/**',
-      'staticfiles/**',
-      'db.sqlite3',
-      '_site_packages/**',
-    ],
-    stubs: { 'README.md': '# app\n' },
-  },
   {
     id: 'go',
     label: 'Go',
@@ -312,11 +331,36 @@ const PRESETS = [
 
 /**
  * Sniff the project root and guess the ecosystem.
+ *
+ * sealcode@1.4.0 — the default detection now returns `auto`, our universal
+ * preset. The legacy marker-based detection is preserved under
+ * `detectLegacyPreset` for callers that still want a specific stack guess
+ * (e.g. for choosing a sensible `lockedDir`).
+ *
  * @param {string} projectRoot
  * @returns {Preset}
  */
 function detectPreset(projectRoot) {
+  // We deliberately ignore markers here. `auto` covers any layout and is
+  // the safe default; users can override with `sealcode init --preset <id>`.
+  // The walk still happens implicitly via the legacy helper below for
+  // any caller that opts in.
+  void projectRoot;
+  return PRESETS.find((p) => p.id === 'auto') || PRESETS[PRESETS.length - 1];
+}
+
+/**
+ * Legacy marker-based detection. Iterates presets in order (most specific
+ * first after the 1.4.0 reorder), skipping `auto` and `generic`. Used by
+ * code paths that need an ecosystem hint (lockedDir choice, stub
+ * templates) without committing to a stack-specific include list.
+ *
+ * @param {string} projectRoot
+ * @returns {Preset}
+ */
+function detectLegacyPreset(projectRoot) {
   for (const preset of PRESETS) {
+    if (preset.id === 'auto') continue;
     if (preset.id === 'generic') continue;
     for (const marker of preset.markers) {
       if (fs.existsSync(path.join(projectRoot, marker))) {
@@ -335,4 +379,4 @@ function listPresets() {
   return PRESETS.map((p) => ({ id: p.id, label: p.label }));
 }
 
-module.exports = { PRESETS, detectPreset, getPreset, listPresets };
+module.exports = { PRESETS, detectPreset, detectLegacyPreset, getPreset, listPresets };

package/src/seal.js

@@ -131,6 +131,51 @@ async function runLock({
     throw new Error('SEALCODE_NOTHING_TO_LOCK');
   }
 
+  // sealcode@1.4.0 — coverage warning. The pre-1.4 preset system would
+  // silently lock only a fraction of a project when the chosen preset
+  // didn't match the layout (Next.js with `node` preset, Django with
+  // `python`, monorepos with anything). The new `auto` preset / git
+  // discovery is the structural fix, but we also emit a one-line warning
+  // here so existing users on stack-specific presets notice the
+  // mismatch instead of shipping a half-locked repo.
+  //
+  // Only runs on first lock (no prevManifest), only when git is
+  // available, and only when coverage looks suspicious. Silent
+  // otherwise — we never want to nag on routine re-locks.
+  //
+  // Goes through stderr (via ui.warn) so it's visible in non-verbose
+  // mode but doesn't pollute stdout for any caller piping `sealcode
+  // lock` through grep/jq.
+  if (!prevManifest && config.preset !== 'auto') {
+    try {
+      const { isGitRepo, gitListFiles, looksLikeSource } = require('./discovery');
+      if (isGitRepo(projectRoot)) {
+        const tracked = gitListFiles(projectRoot) || [];
+        const lockedSet = new Set(files);
+        const trackedSourceMissing = tracked.filter(
+          (p) => looksLikeSource(p) && !lockedSet.has(p) && !p.startsWith(`${lockedDir}/`)
+        );
+        if (tracked.length >= 20 && trackedSourceMissing.length > tracked.length * 0.2) {
+          let ui;
+          try { ui = require('./ui'); } catch (_) { ui = null; }
+          const headline =
+            `coverage: only ${files.length}/${tracked.length} git-tracked files match this preset — `
+            + `${trackedSourceMissing.length} source-looking files will remain UNLOCKED.`;
+          const hint = 'consider: sealcode init --preset auto --force   (universal coverage)';
+          if (ui && typeof ui.warn === 'function') {
+            ui.warn(headline);
+            if (typeof ui.hint === 'function') ui.hint('  ' + hint);
+          } else {
+            log('  [coverage] ' + headline);
+            log('  [coverage] ' + hint);
+          }
+        }
+      }
+    } catch (_) {
+      // Discovery is best-effort; never fail a lock because of it.
+    }
+  }
+
   // Auto-promote preserveUnseen on suspicious shrink. Threshold: only
   // engage when the previous manifest had at least 5 entries (avoids
   // false positives on tiny projects) AND the new plaintext set is

package/src/status.js

@@ -155,11 +155,27 @@ function renderStatus(status) {
 }
 
 /**
- * Pre-commit / CI gate: pass only if locked, or unlocked with no drift.
- * Caller supplies `getK` — session load, env passphrase unwrap, or null.
+ * Pre-commit / CI gate.
+ *
+ * sealcode@1.4.1 — strict by default. Any commit while the project is
+ * in the `unlocked` state is rejected, regardless of whether the working
+ * tree has drifted vs. the last lock. Before 1.4.1 we only blocked when
+ * drift was non-zero, which let a recipient `sealcode unlock && git add
+ * . && git commit` push the entire decrypted source into git without a
+ * single warning. The new default closes that footgun.
+ *
+ * Callers (CI scripts, IDE integrations, niche workflows) can opt back
+ * into the old "block only on drift" behavior with
+ * `{ allowCleanUnlock: true }`. The flag is also surfaced as a CLI
+ * option on `sealcode status --check`.
+ *
+ * @param {string} projectRoot
+ * @param {object} config
  * @param {( ) => Promise<Buffer|null>} getK
+ * @param {{ allowCleanUnlock?: boolean }} [opts]
  */
-async function runPrecommitCheck(projectRoot, config, getK) {
+async function runPrecommitCheck(projectRoot, config, getK, opts = {}) {
+  const allowCleanUnlock = !!opts.allowCleanUnlock;
   const s = await runStatus({ projectRoot, config });
   if (!s.initialized) return { ok: true, message: '' };
   if (s.state === 'locked') return { ok: true, message: '' };
@@ -171,6 +187,21 @@ async function runPrecommitCheck(projectRoot, config, getK) {
     };
   }
 
+  // Strict default: refuse to let an unlocked tree reach `git commit`.
+  // We do this BEFORE computing drift because computing drift requires
+  // K, and we don't want a failed `getK()` to mask a much more
+  // important "you are about to commit plaintext source" warning.
+  if (!allowCleanUnlock) {
+    return {
+      ok: false,
+      message:
+        'sealcode: project is UNLOCKED. Committing now would put plaintext source into git.\n' +
+        '  Fix: run `sealcode lock` first, then `git add` the updated locked blobs.\n' +
+        '  (Override only if you really mean it: `sealcode status --check --allow-clean-unlock`,\n' +
+        '   or re-install the hook with `sealcode install-hook --lenient`.)',
+    };
+  }
+
   const K = await getK();
   if (!K) {
     return {