npm - sealcode - Versions diffs - 1.4.0 → 1.4.1 - Mend

sealcode 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -84,12 +84,14 @@ sealcode lock            # encrypt source → vendor/ blobs (removes plaintext)
 sealcode unlock          # decrypt blobs → restore source (removes stubs)
 sealcode verify          # confirm every blob decrypts & matches its hash
 sealcode status          # show locked/unlocked + drift since last lock
-sealcode status --check  # exit 1 if unlocked with drift (used by git hook)
+sealcode status --check  # exit 1 if unlocked (used by git hook). 1.4.1+: strict — passes only when locked.
+sealcode status --check --allow-clean-unlock   # 1.4.1+ escape hatch: only fail on drift
 sealcode status --json   # machine-readable state (editors / scripts)
 sealcode rotate          # change passphrase (blobs unchanged); env: SEALCODE_OLD_PASSPHRASE / SEALCODE_NEW_PASSPHRASE
 sealcode backup <dir>    # copy locked vault + config snapshot to a new folder
 sealcode restore <dir>   # restore from backup (use --force if locked dir exists)
-sealcode install-hook    # git pre-commit: block commits when unlocked + drift
+sealcode install-hook    # git pre-commit: block any commit while the project is unlocked (strict by default in 1.4.1+)
+sealcode install-hook --lenient   # pre-1.4.1 behavior: only block when the working tree has drifted vs the lock
 sealcode uninstall-hook  # remove hook block
 sealcode panic           # immediate re-lock + session wipe
 sealcode logout          # clear cached session, force passphrase next time

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sealcode",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "Lock your source code in your own git repo. Stop AI agents, scrapers, and curious eyes from reading what's yours.",
   "keywords": [
     "encryption",
@@ -24,7 +24,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/sealcode/sealcode.git"
+    "url": "git+https://github.com/sealcode/sealcode.git"
   },
   "license": "MIT",
   "author": "sealcode",

package/src/cli.js CHANGED Viewed

@@ -465,14 +465,25 @@ function build() {
   program
     .command('status')
     .description('Show whether the project is locked / unlocked and any drift.')
-    .option('--check', 'exit 1 if unlocked with drift (for git hooks)', false)
+    .option('--check', 'exit 1 if unlocked (for git hooks). sealcode@1.4.1: strict by default — passes only when locked.', false)
+    // sealcode@1.4.1 — opt back into the pre-1.4.1 "block only on
+    // drift" behavior. Useful for CI jobs that intentionally commit
+    // alongside an unlocked working tree (rare). The installed hook
+    // can also flip into this mode globally via
+    // `sealcode install-hook --lenient`.
+    .option('--allow-clean-unlock', 'pre-1.4.1 behavior: pass when unlocked as long as there is no drift', false)
     .option('--json', 'machine-readable output (for editors / CI)', false)
     .action(async (opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
         const config = getActiveConfig(projectRoot);
         if (opts.check) {
-          const r = await runPrecommitCheck(projectRoot, config, () => getKeyForCheck(projectRoot, config));
+          const r = await runPrecommitCheck(
+            projectRoot,
+            config,
+            () => getKeyForCheck(projectRoot, config),
+            { allowCleanUnlock: !!opts.allowCleanUnlock },
+          );
           if (!r.ok) {
             process.stderr.write(r.message + '\n');
             process.exitCode = 1;
@@ -730,12 +741,23 @@ function build() {
   // -------- install-hook --------
   program
     .command('install-hook')
-    .description('Install a git pre-commit hook that runs `sealcode status --check`')
-    .action(() => {
+    .description('Install a git pre-commit hook that runs `sealcode status --check`.')
+    // sealcode@1.4.1 — the hook is strict by default (blocks any
+    // commit while the project is unlocked). `--lenient` writes a
+    // hook that uses `--allow-clean-unlock` instead, restoring the
+    // pre-1.4.1 "block only on drift" behavior.
+    .option('--lenient', 'install the pre-1.4.1 hook (only blocks commits when working tree drifts)', false)
+    .action((opts) => {
       try {
         const projectRoot = resolveProject(program.opts());
-        const hookPath = installHook(projectRoot);
-        process.stdout.write(`✓ pre-commit hook installed:\n  ${hookPath}\n`);
+        const hookPath = installHook(projectRoot, { lenient: !!opts.lenient });
+        process.stdout.write(`✓ pre-commit hook installed (${opts.lenient ? 'lenient' : 'strict'} mode):\n  ${hookPath}\n`);
+        if (!opts.lenient) {
+          process.stdout.write(
+            '  Any `git commit` while the project is unlocked will be blocked.\n' +
+              '  Run `sealcode lock` before committing.\n',
+          );
+        }
       } catch (err) {
         process.exitCode = reportError(err);
       }

package/src/hooks.js CHANGED Viewed

@@ -41,8 +41,18 @@ function findGitDir(startDir) {
 /**
  * Install the pre-commit hook. Idempotent: replaces only the sealcode block
  * (and any legacy vaultline block left over from an older install).
+ *
+ * sealcode@1.4.1 — `opts.lenient` toggles the behavior of the hook
+ * itself, not just the install message. Strict (default) refuses any
+ * commit while the project is unlocked. Lenient appends
+ * `--allow-clean-unlock`, restoring the pre-1.4.1 "block only on drift"
+ * behavior for niche workflows that intentionally commit alongside an
+ * unlocked tree.
+ *
+ * @param {string} projectRoot
+ * @param {{ lenient?: boolean }} [opts]
  */
-function installHook(projectRoot) {
+function installHook(projectRoot, opts = {}) {
   const gitDir = findGitDir(projectRoot);
   if (!gitDir) {
     throw new Error('No .git directory found above this folder. Run `git init` first.');
@@ -50,15 +60,17 @@ function installHook(projectRoot) {
   const hookPath = path.join(gitDir, 'hooks', 'pre-commit');
   ensureHooksDir(gitDir);
+  const flag = opts.lenient ? ' --allow-clean-unlock' : '';
   const block = [
     MARK_BEGIN,
+    `# mode: ${opts.lenient ? 'lenient' : 'strict'}`,
     'sealcode_check() {',
     '  ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" || return 0',
     '  cd "$ROOT" || return 0',
     '  if command -v sealcode >/dev/null 2>&1; then',
-    '    sealcode status --check || exit 1',
+    `    sealcode status --check${flag} || exit 1`,
     '  elif command -v npx >/dev/null 2>&1; then',
-    '    npx --yes sealcode@latest status --check || exit 1',
+    `    npx --yes sealcode@latest status --check${flag} || exit 1`,
     '  else',
     '    echo "sealcode: install the CLI (npm i -g sealcode) or npx for pre-commit checks." >&2',
     '    exit 1',

package/src/status.js CHANGED Viewed

@@ -155,11 +155,27 @@ function renderStatus(status) {
 }
 /**
- * Pre-commit / CI gate: pass only if locked, or unlocked with no drift.
- * Caller supplies `getK` — session load, env passphrase unwrap, or null.
+ * Pre-commit / CI gate.
+ *
+ * sealcode@1.4.1 — strict by default. Any commit while the project is
+ * in the `unlocked` state is rejected, regardless of whether the working
+ * tree has drifted vs. the last lock. Before 1.4.1 we only blocked when
+ * drift was non-zero, which let a recipient `sealcode unlock && git add
+ * . && git commit` push the entire decrypted source into git without a
+ * single warning. The new default closes that footgun.
+ *
+ * Callers (CI scripts, IDE integrations, niche workflows) can opt back
+ * into the old "block only on drift" behavior with
+ * `{ allowCleanUnlock: true }`. The flag is also surfaced as a CLI
+ * option on `sealcode status --check`.
+ *
+ * @param {string} projectRoot
+ * @param {object} config
  * @param {( ) => Promise<Buffer|null>} getK
+ * @param {{ allowCleanUnlock?: boolean }} [opts]
  */
-async function runPrecommitCheck(projectRoot, config, getK) {
+async function runPrecommitCheck(projectRoot, config, getK, opts = {}) {
+  const allowCleanUnlock = !!opts.allowCleanUnlock;
   const s = await runStatus({ projectRoot, config });
   if (!s.initialized) return { ok: true, message: '' };
   if (s.state === 'locked') return { ok: true, message: '' };
@@ -171,6 +187,21 @@ async function runPrecommitCheck(projectRoot, config, getK) {
     };
   }
+  // Strict default: refuse to let an unlocked tree reach `git commit`.
+  // We do this BEFORE computing drift because computing drift requires
+  // K, and we don't want a failed `getK()` to mask a much more
+  // important "you are about to commit plaintext source" warning.
+  if (!allowCleanUnlock) {
+    return {
+      ok: false,
+      message:
+        'sealcode: project is UNLOCKED. Committing now would put plaintext source into git.\n' +
+        '  Fix: run `sealcode lock` first, then `git add` the updated locked blobs.\n' +
+        '  (Override only if you really mean it: `sealcode status --check --allow-clean-unlock`,\n' +
+        '   or re-install the hook with `sealcode install-hook --lenient`.)',
+    };
+  }
   const K = await getK();
   if (!K) {
     return {