methodproof 0.7.38__tar.gz → 0.8.0__tar.gz

{methodproof-0.7.38 → methodproof-0.8.0}/.github/workflows/ci.yml

@@ -11,10 +11,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v4
+      - uses: actions/checkout@v5
+      - uses: astral-sh/setup-uv@v7
         with: { version: "latest" }
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with: { python-version: "3.12" }
       - run: uv sync --frozen
       - run: uv run pytest tests/ -v --tb=short
@@ -26,10 +26,10 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v4
+      - uses: actions/checkout@v5
+      - uses: astral-sh/setup-uv@v7
         with: { version: "latest" }
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with: { python-version: "3.12" }
       - run: uv build
       - uses: pypa/gh-action-pypi-publish@release/v1

{methodproof-0.7.38 → methodproof-0.8.0}/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [0.8.0] — 2026-04-15
+
+### Added
+- **SQLCipher encryption-at-rest for the local database** — the CLI's SQLite store is now transparently re-keyed with SQLCipher on first login, layered underneath the existing field-level AES on sensitive metadata. The db_key is derived from the master entropy via HKDF (`derive_master` → `derive_db_key`), never leaves the OS keychain, and is wired into `store._db()` via `PRAGMA key` before any other statement.
+- **One-shot plaintext → encrypted migration** — `migrate_db.migrate_to_sqlcipher()` uses the `sqlcipher_export()` recipe, row-count-verifies every table, atomically swaps the original DB to `methodproof.db.plaintext.bak` (kept for recovery), cleans up stale WAL/SHM artifacts, and writes a `methodproof.db.encrypted` sentinel. Runs once on first login for existing users, idempotent on re-run.
+- **Daemon-liveness guard** — `DaemonActiveError` is raised if a recording daemon is still holding FDs on the plaintext DB. Callers must `mp stop` first.
+- **`mp e2e release-all`** — releases every synced session with E2E-encrypted fields in one pass. Skips sessions with nothing to release, reports released/skipped/failed counts.
+- **`decrypt_metadata_safe`** — new read-path helper in `crypto.py` that silently leaves fields encrypted with a different key (user E2E vs master) as ciphertext, so mixed-key sessions render correctly without crashing.
+- **Auto-decrypt on read** — `store.get_events(decrypt=True)` and `get_session_events` now auto-decrypt sensitive metadata when the master db_key is available in the keychain. Sync push and `e2e release` still read ciphertext verbatim (`decrypt=False`).
+
+### Fixed
+- **`mp push` crash on multi-session list** — `s["created_at"]` is stored as SQLite `REAL` (float epoch), but the unsynced-session listing sliced it as an ISO string and raised `TypeError: 'float' object is not subscriptable`. Now formatted with `datetime.fromtimestamp(...).strftime("%Y-%m-%d")`.
+
+### Why
+Field-level AES protects six sensitive metadata fields, but everything else (event types, timestamps, file paths, session structure) sat in plaintext SQLite on disk. SQLCipher closes that gap without changing the API surface: `sqlcipher3.dbapi2` is drop-in compatible with stdlib `sqlite3`, so the rest of the store is unchanged. The two layers compose: SQLCipher protects data at rest end-to-end, field-level AES adds defense-in-depth for the most sensitive fields even if the db_key is compromised.
+
 ## [0.7.38] — 2026-04-12
 
 ### Added

{methodproof-0.7.38 → methodproof-0.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: methodproof
-Version: 0.7.38
+Version: 0.8.0
 Summary: See how you code. Capture and visualize your engineering process.
 License-Expression: Apache-2.0
 License-File: LICENSE
@@ -8,6 +8,7 @@ Requires-Python: >=3.11
 Requires-Dist: cryptography>=43.0
 Requires-Dist: keyring>=25.0
 Requires-Dist: rich>=13.7
+Requires-Dist: sqlcipher3>=0.6
 Requires-Dist: textual>=0.59
 Requires-Dist: watchdog>=4.0
 Requires-Dist: websocket-client>=1.7

{methodproof-0.7.38 → methodproof-0.8.0}/methodproof/agents/base.py

@@ -108,9 +108,19 @@ def init(session_id: str, live: bool = False, verbose: bool = False, streaming:
     _verbose = verbose
     _streaming = streaming
     _prev_hash = "genesis"
-    from methodproof import config
+    from methodproof import config, store
     cfg = config.load()
     _e2e_key = _load_encryption_key(cfg)
+    # Daemon is a fresh process — wire the SQLCipher key (always master-derived
+    # db_key, never user E2E) into the store before any DB write.
+    if store._encrypted_flag_path().exists():
+        account_id = cfg.get("account_id", "")
+        if account_id and cfg.get("master_key_fingerprint"):
+            from methodproof.keychain import load_secret
+            from methodproof.kdf import derive_master, derive_db_key
+            entropy = load_secret(account_id)
+            if entropy:
+                store.set_db_key(derive_db_key(derive_master(entropy), account_id))
     _capture = cfg.get("capture", {})
     _journal_mode = cfg.get("journal_mode", False)
     _account_id = cfg.get("account_id", "")

{methodproof-0.7.38 → methodproof-0.8.0}/methodproof/cli.py

@@ -985,14 +985,26 @@ def _setup_master_key(cfg: dict) -> None:
     if not account_id:
         return
     from methodproof.keychain import has_secret, store_secret, load_secret
+    from methodproof import store as _store
     if has_secret(account_id):
-        # Already set up — ensure fingerprint is in config
+        # Already set up — ensure fingerprint is in config and key is wired
+        from methodproof.kdf import derive_master, derive_db_key
+        from methodproof.crypto import fingerprint
+        master = derive_master(load_secret(account_id))
+        db_key = derive_db_key(master, account_id)
         if not cfg.get("master_key_fingerprint"):
-            from methodproof.kdf import derive_master, derive_db_key
-            from methodproof.crypto import fingerprint
-            master = derive_master(load_secret(account_id))
-            cfg["master_key_fingerprint"] = fingerprint(derive_db_key(master, account_id))
+            cfg["master_key_fingerprint"] = fingerprint(db_key)
             config.save(cfg)
+        if _store._encrypted_flag_path().exists():
+            _store.set_db_key(db_key)
+        else:
+            # Existing user, plaintext DB — one-shot upgrade to SQLCipher
+            from methodproof.migrate_db import migrate_to_sqlcipher, DaemonActiveError
+            try:
+                if migrate_to_sqlcipher(db_key):
+                    print("  Encrypted local database with SQLCipher.\n")
+            except DaemonActiveError as exc:
+                print(f"  ⚠ {exc}")
         return
 
     # Check if user has a recovery phrase (returning user, new device)
@@ -1025,13 +1037,21 @@ def _setup_master_key(cfg: dict) -> None:
     print(f"  │  {D}on a new device. Store it somewhere safe.{R}      │")
     print(f"  └──────────────────────────────────────────────────┘\n")
 
-    # Encrypt any existing plaintext events
+    # Encrypt any existing plaintext events (field-level, defense-in-depth)
     db_key = derive_db_key(master, account_id)
-    from methodproof.migrate_db import migrate_encrypt
+    from methodproof.migrate_db import migrate_encrypt, migrate_to_sqlcipher
     count = migrate_encrypt(db_key)
     if count:
         print(f"  Encrypted {count} existing events.\n")
 
+    # Whole-database SQLCipher encryption — runs once, idempotent
+    from methodproof.migrate_db import DaemonActiveError
+    try:
+        if migrate_to_sqlcipher(db_key):
+            print("  Encrypted local database with SQLCipher.\n")
+    except DaemonActiveError as exc:
+        print(f"  ⚠ {exc}")
+
 
 def _recover_master_key(cfg: dict, account_id: str) -> None:
     """Prompt for recovery phrase to restore master key on new device."""
@@ -1049,9 +1069,55 @@ def _recover_master_key(cfg: dict, account_id: str) -> None:
         return
     from methodproof.keychain import store_secret
     store_secret(account_id, entropy)
+    # Wire the recovered key into the SQLCipher connection so the next DB read works
+    from methodproof.kdf import derive_master, derive_db_key
+    from methodproof import store as _store
+    if _store._encrypted_flag_path().exists():
+        _store.set_db_key(derive_db_key(derive_master(entropy), account_id))
     print("  Master key restored.\n")
 
 
+def _wire_db_encryption(cfg: dict) -> None:
+    """Wire the SQLCipher key into store before any subcommand touches the DB.
+
+    Called once at the top of `main()`. Three cases:
+      1. Encrypted DB + key available → wire the key.
+      2. Plaintext DB + logged-in user with master key → one-shot upgrade
+         migration to SQLCipher (the post-release upgrade path).
+      3. Anything else (logged out, no key) → no-op; capture continues against
+         the plaintext DB until the user logs in.
+    """
+    from methodproof import store as _store
+    account_id = cfg.get("account_id", "")
+    if not account_id:
+        return
+    try:
+        from methodproof.keychain import load_secret
+        from methodproof.kdf import derive_master, derive_db_key
+        entropy = load_secret(account_id)
+        if not entropy:
+            return
+        db_key = derive_db_key(derive_master(entropy), account_id)
+    except Exception:
+        return
+
+    if _store._encrypted_flag_path().exists():
+        _store.set_db_key(db_key)
+        return
+
+    # Plaintext DB + key available — one-shot upgrade
+    try:
+        from methodproof.migrate_db import migrate_to_sqlcipher, DaemonActiveError
+        if migrate_to_sqlcipher(db_key):
+            print("  Encrypted local database with SQLCipher.\n")
+    except DaemonActiveError:
+        # Daemon is recording — defer migration to next CLI run after `mp stop`.
+        # Don't print noise on every command; the upgrade will happen later.
+        return
+    except Exception as exc:
+        sys.stderr.write(f"[methodproof] sqlcipher migration deferred: {exc}\n")
+
+
 def _is_daemon_alive() -> bool:
     """Check if the recording daemon is still running (not a reused PID)."""
     if not PIDFILE.exists():
@@ -1844,7 +1910,7 @@ def cmd_push(args: argparse.Namespace) -> None:
     print(f"Found {len(unsynced)} unsynced sessions:\n")
     for s in unsynced:
         events = len(store.get_events(s["id"]))
-        date = s["created_at"][:10] if s.get("created_at") else "?"
+        date = datetime.fromtimestamp(s["created_at"]).strftime("%Y-%m-%d") if s.get("created_at") else "?"
         print(f"  {s['id'][:8]}  {date}  {events} events")
     print()
     answer = input(f"Push all {len(unsynced)}? [Y/n] ").strip().lower()
@@ -2342,6 +2408,7 @@ def main() -> None:
     e2e_sub.add_parser("recover", help="Recover key from passphrase")
     e2e_rel = e2e_sub.add_parser("release", help="Release a session from E2E encryption")
     e2e_rel.add_argument("session_id", help="Session ID to release")
+    e2e_sub.add_parser("release-all", help="Release every synced session from E2E encryption")
     sub.add_parser("intro", help="Show the MethodProof intro")
     sub.add_parser("help", help="Show command reference")
     sub.add_parser("mcp-serve", help="Run MCP server (used by Claude Code)")
@@ -2381,5 +2448,6 @@ def main() -> None:
         _update_check()
 
     if args.cmd not in ("help", "update"):
+        _wire_db_encryption(config.load())
         store.init_db()
     fn(args)

{methodproof-0.7.38 → methodproof-0.8.0}/methodproof/crypto.py

@@ -44,3 +44,20 @@ def encrypt_metadata(metadata: dict, key: bytes) -> dict:
         if field in metadata and isinstance(metadata[field], str):
             metadata[field] = encrypt_field(metadata[field], key)
     return metadata
+
+
+def decrypt_metadata_safe(metadata: dict, key: bytes) -> dict:
+    """Decrypt sensitive fields in place. Silently leaves fields that fail
+    (wrong key, tampering) as ciphertext — never raises. Used on the read path
+    where a field encrypted with a *different* key (user E2E vs master) must
+    still render as-is rather than break rendering."""
+    if AESGCM is None:
+        return metadata
+    for field in SENSITIVE_FIELDS:
+        val = metadata.get(field)
+        if isinstance(val, str) and val.startswith("e2e:v1:"):
+            try:
+                metadata[field] = decrypt_field(val, key)
+            except Exception:
+                pass
+    return metadata

{methodproof-0.7.38 → methodproof-0.8.0}/methodproof/e2e.py

@@ -223,64 +223,106 @@ def _cmd_recover(cfg: dict) -> None:
     print(f"Key recovered and stored in OS keychain (fingerprint: {fp}).")
 
 
-def _cmd_release(cfg: dict, session_id: str) -> None:
-    """Release a session from E2E encryption."""
-    from methodproof import keychain
+def _release_session(session_id: str, remote_id: str, e2e_key: bytes,
+                     api_url: str, token: str) -> int:
+    """Decrypt and upload one session. Returns decrypted event count (0 = nothing to do)."""
     from methodproof.crypto import decrypt_field, SENSITIVE_FIELDS
     from methodproof.sync import _request
 
+    decrypted_events = []
+    for ev in store.get_events(session_id):
+        meta = json.loads(ev.get("metadata", "{}"))
+        changed = False
+        for field in SENSITIVE_FIELDS:
+            val = meta.get(field, "")
+            if isinstance(val, str) and val.startswith("e2e:v1:"):
+                meta[field] = decrypt_field(val, e2e_key)
+                changed = True
+        if changed:
+            decrypted_events.append({"event_id": ev["id"], "metadata": meta})
+
+    if not decrypted_events:
+        return 0
+
+    _request("POST", f"/personal/sessions/{remote_id}/release-e2e", api_url, token,
+             {"events": decrypted_events})
+    return len(decrypted_events)
+
+
+def _load_release_context(cfg: dict) -> tuple[bytes, str, str]:
+    """Return (e2e_key, api_url, token) or exit with a clear error."""
+    from methodproof import keychain
+
     token = cfg.get("token", "")
     api_url = cfg.get("api_url", "")
     account_id = cfg.get("account_id", "")
     if not token:
         print("Release requires login. Run `methodproof login` first.")
         sys.exit(1)
-
     e2e_key = keychain.load_secret(f"e2e:{account_id}")
     if not e2e_key:
         print("E2E key not found in keychain. Run `mp e2e recover` first.")
         sys.exit(1)
+    return e2e_key, api_url, token
 
-    events = store.get_events(session_id)
-    if not events:
-        print(f"No events found for session {session_id}.")
-        sys.exit(1)
 
-    decrypted_events = []
-    for ev in events:
-        meta = json.loads(ev.get("metadata", "{}"))
-        has_encrypted = False
-        for field in SENSITIVE_FIELDS:
-            val = meta.get(field, "")
-            if isinstance(val, str) and val.startswith("e2e:v1:"):
-                meta[field] = decrypt_field(val, e2e_key)
-                has_encrypted = True
-        if has_encrypted:
-            decrypted_events.append({"event_id": ev["id"], "metadata": meta})
+def _cmd_release(cfg: dict, session_id: str) -> None:
+    """Release a session from E2E encryption."""
+    e2e_key, api_url, token = _load_release_context(cfg)
 
-    if not decrypted_events:
-        print("No encrypted fields found in this session.")
-        return
+    if not store.get_events(session_id):
+        print(f"No events found for session {session_id}.")
+        sys.exit(1)
 
-    # Resolve remote_id
-    sessions = store.list_sessions()
     remote_id = None
-    for s in sessions:
+    for s in store.list_sessions():
         if s["id"] == session_id or (s.get("remote_id") and s["id"].startswith(session_id)):
             remote_id = s.get("remote_id")
             session_id = s["id"]
             break
-
     if not remote_id:
         print("Session not synced to platform. Push first with `mp push`.")
         sys.exit(1)
 
-    _request("POST", f"/personal/sessions/{remote_id}/release-e2e", api_url, token,
-             {"events": decrypted_events})
-    print(f"Session released ({len(decrypted_events)} events decrypted).")
+    count = _release_session(session_id, remote_id, e2e_key, api_url, token)
+    if not count:
+        print("No encrypted fields found in this session.")
+        return
+    print(f"Session released ({count} events decrypted).")
     print("Narration will be generated shortly.")
 
 
+def _cmd_release_all(cfg: dict) -> None:
+    """Release every synced session that still has E2E-encrypted fields."""
+    e2e_key, api_url, token = _load_release_context(cfg)
+
+    sessions = [s for s in store.list_sessions() if s.get("remote_id")]
+    if not sessions:
+        print("No synced sessions found. Push first with `mp push`.")
+        return
+
+    released = skipped = failed = total_events = 0
+    for s in sessions:
+        sid, rid = s["id"], s["remote_id"]
+        try:
+            count = _release_session(sid, rid, e2e_key, api_url, token)
+        except Exception as exc:
+            failed += 1
+            print(f"  {sid[:8]}  FAILED ({exc})")
+            continue
+        if count:
+            released += 1
+            total_events += count
+            print(f"  {sid[:8]}  released ({count} events)")
+        else:
+            skipped += 1
+
+    print(f"\nReleased {released} sessions ({total_events} events). "
+          f"Skipped {skipped}. Failed {failed}.")
+    if released:
+        print("Narration will be generated shortly.")
+
+
 def cmd_e2e(args: argparse.Namespace) -> None:
     """E2E encryption mode — personal key management."""
     subcmd = getattr(args, "e2e_cmd", None)
@@ -300,5 +342,7 @@ def cmd_e2e(args: argparse.Namespace) -> None:
             print("Usage: methodproof e2e release <session-id>")
             sys.exit(1)
         _cmd_release(cfg, session_id)
+    elif subcmd == "release-all":
+        _cmd_release_all(cfg)
     else:
-        print("Usage: methodproof e2e [on|off|status|recover|release <session-id>]")
+        print("Usage: methodproof e2e [on|off|status|recover|release <session-id>|release-all]")

{methodproof-0.7.38 → methodproof-0.8.0}/methodproof/hooks/claude_code.py

@@ -150,11 +150,9 @@ def main() -> None:
         return
 
     event = data.get("hook_event_name", "unknown")
-    etype = _TYPE_MAP.get(event)
-    if not etype:
-        return  # Unmapped hook event — drop rather than send invalid type
+    etype = _TYPE_MAP.get(event, "claude_code_event")
     extractor = _META_EXTRACTORS.get(event)
-    meta = extractor(data) if extractor else {"tool": _TOOL}
+    meta = extractor(data) if extractor else {"tool": _TOOL, "event": event}
     ts = time.time()
 
     payload = json.dumps({"events": [{"type": etype, "timestamp": ts, "metadata": meta}]}).encode()

methodproof-0.8.0/methodproof/migrate_db.py

@@ -0,0 +1,161 @@
+"""Encrypt existing plaintext events in local DB after key setup.
+
+Two layers:
+- `migrate_encrypt` — field-level AES on six sensitive metadata keys.
+- `migrate_to_sqlcipher` — whole-database SQLCipher encryption via the
+  `sqlcipher_export()` recipe. Runs once on first login.
+"""
+
+import os
+
+from methodproof import config, store
+from methodproof.crypto import SENSITIVE_FIELDS, encrypt_field
+from methodproof.store import _compress_meta, _decompress_meta
+
+
+def migrate_encrypt(db_key: bytes) -> int:
+    """Encrypt plaintext sensitive fields in all events. Returns count encrypted."""
+    db = store._db()
+    rows = db.execute(
+        "SELECT id, metadata FROM events ORDER BY timestamp"
+    ).fetchall()
+    if not rows:
+        return 0
+
+    encrypted = 0
+    batch = []
+    for row in rows:
+        meta = _decompress_meta(row["metadata"])
+        changed = False
+        for field in SENSITIVE_FIELDS:
+            val = meta.get(field)
+            if isinstance(val, str) and val and not val.startswith("e2e:v1:"):
+                meta[field] = encrypt_field(val, db_key)
+                changed = True
+        if changed:
+            batch.append((_compress_meta(meta), row["id"]))
+            encrypted += 1
+        if len(batch) >= 500:
+            _flush_batch(db, batch)
+            batch = []
+
+    if batch:
+        _flush_batch(db, batch)
+    return encrypted
+
+
+def _flush_batch(db, batch: list[tuple[str, str]]) -> None:
+    db.executemany("UPDATE events SET metadata = ? WHERE id = ?", batch)
+    db.commit()
+
+
+class DaemonActiveError(RuntimeError):
+    """Raised when migrate_to_sqlcipher is called while the recording daemon
+    is still running. The daemon holds an FD on the original DB file; renaming
+    it out from under the daemon causes WAL/SHM file collisions and silent
+    data loss for the active session. Caller must stop the daemon first."""
+
+
+def _daemon_alive() -> bool:
+    """True if a recording daemon is running. Mirrors cli._is_daemon_alive
+    but lives here to avoid a circular import."""
+    pidfile = config.DIR / "methodproof.pid"
+    if not pidfile.exists():
+        return False
+    try:
+        pid = int(pidfile.read_text().strip())
+        os.kill(pid, 0)
+    except (ProcessLookupError, ValueError, OSError):
+        return False
+    try:
+        import subprocess
+        out = subprocess.check_output(["ps", "-p", str(pid), "-o", "args="], text=True).strip()
+        return "methodproof" in out
+    except Exception:
+        return False
+
+
+def migrate_to_sqlcipher(db_key: bytes) -> bool:
+    """Re-encrypt the entire local DB with SQLCipher using `db_key`.
+
+    Idempotent — returns False if the DB is already encrypted (sentinel file
+    present). On success, leaves a `.plaintext.bak` file alongside the new
+    encrypted DB so a failed conversion is recoverable, and writes a
+    `.encrypted` sentinel so future opens require the key.
+
+    Raises `DaemonActiveError` if the recording daemon is still running.
+    Callers should `mp stop` first.
+    """
+    from sqlcipher3 import dbapi2 as sqlite3
+
+    flag = store._encrypted_flag_path()
+    if flag.exists():
+        return False
+
+    if _daemon_alive():
+        raise DaemonActiveError(
+            "recording daemon is active — run `mp stop` before encrypting "
+            "the local database (the daemon holds file descriptors that "
+            "would conflict with SQLCipher's WAL files)"
+        )
+
+    db_path = config.DB_PATH
+    if not db_path.exists():
+        # Nothing to migrate — first run with no DB yet. Just mark as encrypted
+        # so the next _db() call opens fresh in encrypted mode.
+        store.set_db_key(db_key)
+        flag.touch()
+        return True
+
+    store.reset_connection()
+
+    target = db_path.with_suffix(".db.encrypting")
+    if target.exists():
+        target.unlink()
+
+    src = sqlite3.connect(str(db_path))
+    try:
+        src.execute(f"ATTACH DATABASE '{target}' AS encrypted KEY \"x'{db_key.hex()}'\"")
+        src.execute("SELECT sqlcipher_export('encrypted')")
+
+        # Sanity-check row counts table-by-table
+        tables = [
+            r[0] for r in src.execute(
+                "SELECT name FROM main.sqlite_master "
+                "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
+            ).fetchall()
+        ]
+        for name in tables:
+            src_count = src.execute(f"SELECT count(*) FROM main.{name}").fetchone()[0]
+            dst_count = src.execute(f"SELECT count(*) FROM encrypted.{name}").fetchone()[0]
+            if src_count != dst_count:
+                src.execute("DETACH DATABASE encrypted")
+                src.close()
+                target.unlink(missing_ok=True)
+                raise RuntimeError(
+                    f"sqlcipher migration row-count mismatch on {name}: "
+                    f"src={src_count} dst={dst_count}"
+                )
+
+        src.execute("DETACH DATABASE encrypted")
+    finally:
+        src.close()
+
+    # Atomic swap: original → .plaintext.bak, encrypting → original
+    bak = db_path.with_suffix(".db.plaintext.bak")
+    if bak.exists():
+        bak.unlink()
+    os.rename(db_path, bak)
+    os.rename(target, db_path)
+
+    # Clean up WAL/shm artifacts from the old plaintext file (they belong to
+    # the now-renamed .plaintext.bak and would confuse SQLite if left alongside
+    # the new encrypted DB under the original name).
+    for suffix in ("-wal", "-shm"):
+        leftover = db_path.parent / (db_path.name + suffix)
+        if leftover.exists():
+            leftover.unlink()
+
+    flag.touch()
+    store.set_db_key(db_key)
+    return True

methodproof-0.8.0/methodproof/repos.py

@@ -0,0 +1,70 @@
+"""Git repo detection for session context."""
+
+import os
+import subprocess
+
+
+def detect_repo(directory: str) -> str | None:
+    """Return the git remote fetch URL for `directory`, or None if not a git repo."""
+    return _remote_url(directory)
+
+
+def enumerate_sub_repos(watch_dir: str, max_depth: int = 2) -> list[dict[str, str]]:
+    """Walk `watch_dir` up to `max_depth` levels deep and return one entry per
+    nested git repo found.
+
+    Each entry: {"remote_url": str, "rel_path": str} where rel_path is the
+    directory's path relative to watch_dir (empty string for watch_dir itself).
+
+    Designed for monorepo workflows where `watch_dir` contains multiple
+    independently-versioned sub-repos (e.g., BLACKBOX/methodproof/ contains
+    methodproof-platform/, methodproof-dashboard/, etc).
+    """
+    found: list[dict[str, str]] = []
+    seen_urls: set[str] = set()
+
+    def visit(path: str, depth: int) -> None:
+        if not os.path.isdir(path):
+            return
+        if os.path.isdir(os.path.join(path, ".git")):
+            url = _remote_url(path)
+            if url and url not in seen_urls:
+                rel = os.path.relpath(path, watch_dir)
+                found.append({"remote_url": url, "rel_path": "" if rel == "." else rel})
+                seen_urls.add(url)
+        if depth >= max_depth:
+            return
+        try:
+            entries = os.listdir(path)
+        except OSError:
+            return
+        for name in entries:
+            if name.startswith("."):
+                continue
+            child = os.path.join(path, name)
+            if os.path.isdir(child) and not os.path.islink(child):
+                visit(child, depth + 1)
+
+    visit(os.path.abspath(watch_dir), 0)
+    return found
+
+
+def _remote_url(directory: str) -> str | None:
+    try:
+        result = subprocess.run(
+            ["git", "-C", directory, "remote", "-v"],
+            capture_output=True, text=True, timeout=5,
+        )
+        if result.returncode != 0:
+            return None
+        first_fetch: str | None = None
+        for line in result.stdout.splitlines():
+            parts = line.split()
+            if len(parts) >= 2 and "(fetch)" in line:
+                if parts[0] == "origin":
+                    return parts[1]
+                if first_fetch is None:
+                    first_fetch = parts[1]
+        return first_fetch
+    except (FileNotFoundError, subprocess.TimeoutExpired):
+        return None