methodproof 0.7.38__tar.gz → 0.8.1__tar.gz

methodproof-0.8.1/.code-review-graph/.gitignore

@@ -0,0 +1,3 @@
+# Auto-generated by code-review-graph — do not commit database files.
+# The graph.db contains absolute paths and code structure metadata.
+*

{methodproof-0.7.38 → methodproof-0.8.1}/.github/workflows/ci.yml

@@ -11,10 +11,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v4
+      - uses: actions/checkout@v5
+      - uses: astral-sh/setup-uv@v7
         with: { version: "latest" }
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with: { python-version: "3.12" }
       - run: uv sync --frozen
       - run: uv run pytest tests/ -v --tb=short
@@ -26,10 +26,10 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v4
+      - uses: actions/checkout@v5
+      - uses: astral-sh/setup-uv@v7
         with: { version: "latest" }
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with: { python-version: "3.12" }
       - run: uv build
       - uses: pypa/gh-action-pypi-publish@release/v1

{methodproof-0.7.38 → methodproof-0.8.1}/CHANGELOG.md

@@ -1,5 +1,40 @@
 # Changelog
 
+## [0.8.1] — 2026-04-17
+
+### Added
+- **File rename detection** — watcher `on_moved` handler emits `file_rename` atoms with `old_path`/`new_path` instead of producing two incorrect atoms (delete + create).
+- **`git_branch_switch` event** — git poller reads `.git/HEAD` on each 2s cycle and emits `git_branch_switch` with `old_branch`/`new_branch` when the active branch changes.
+- **`git_commit` branch name** — commits now carry a `branch` field read from `.git/HEAD`.
+- **`git_commit` per-file change status** — `files_changed` is now accompanied by `file_statuses` (`{path: "A"|"M"|"D"|"R"}`) via `--name-status` instead of `--name-only`.
+- **11 new test frameworks** — detection and result parsing for vitest, mocha, rspec, minitest, phpunit, unittest, dotnet test, swift test, gradle test, maven test, and ExUnit (total: 15).
+- **`test_run` carries `cwd`** — forwarded from the shell hook JSONL instead of being discarded.
+- **`is_journal_mode()` public API** — exposed on `agents.base` for agents making structural-vs-full content capture decisions.
+
+### Fixed
+- **15 hook event types bypassed consent gates** — `claude_session_end`, `agent_turn_end`, `agent_turn_error`, `context_compact_start/end`, `permission_request/denied`, `mcp_elicitation/result`, `worktree_create/remove`, `cwd_changed`, `tool_failure`, plus new `file_rename` and `git_branch_switch` — all now properly gated in `_EVENT_GATES`.
+- **Removed all arbitrary data truncation** — no more 50KB diff cap, 2000-line hunk cap, 2000-char commit body cap, 500-char terminal output cap, or 200-char error cap. The CLI captures faithfully; downstream consumers decide what to do with large payloads. Preview fields (derived summaries alongside raw data) are unchanged.
+
+### Changed
+- **TUI inline detail screen** — `mp log` enter key opens a full-screen `DetailScreen` with event mix breakdown and per-type timeline instead of exiting to an external viewer.
+- **SHOMEN/KINMYAKU theme toggle** — `MP_THEME=shomen` selects the light theme; default remains `kinmyaku` (dark). `Theme` dataclass adds `accent`, `cursor_bg`, `cursor_fg` semantic roles. DataTable cursor CSS for both themes.
+
+## [0.8.0] — 2026-04-15
+
+### Added
+- **SQLCipher encryption-at-rest for the local database** — the CLI's SQLite store is now transparently re-keyed with SQLCipher on first login, layered underneath the existing field-level AES on sensitive metadata. The db_key is derived from the master entropy via HKDF (`derive_master` → `derive_db_key`), never leaves the OS keychain, and is wired into `store._db()` via `PRAGMA key` before any other statement.
+- **One-shot plaintext → encrypted migration** — `migrate_db.migrate_to_sqlcipher()` uses the `sqlcipher_export()` recipe, row-count-verifies every table, atomically swaps the original DB to `methodproof.db.plaintext.bak` (kept for recovery), cleans up stale WAL/SHM artifacts, and writes a `methodproof.db.encrypted` sentinel. Runs once on first login for existing users, idempotent on re-run.
+- **Daemon-liveness guard** — `DaemonActiveError` is raised if a recording daemon is still holding FDs on the plaintext DB. Callers must `mp stop` first.
+- **`mp e2e release-all`** — releases every synced session with E2E-encrypted fields in one pass. Skips sessions with nothing to release, reports released/skipped/failed counts.
+- **`decrypt_metadata_safe`** — new read-path helper in `crypto.py` that silently leaves fields encrypted with a different key (user E2E vs master) as ciphertext, so mixed-key sessions render correctly without crashing.
+- **Auto-decrypt on read** — `store.get_events(decrypt=True)` and `get_session_events` now auto-decrypt sensitive metadata when the master db_key is available in the keychain. Sync push and `e2e release` still read ciphertext verbatim (`decrypt=False`).
+
+### Fixed
+- **`mp push` crash on multi-session list** — `s["created_at"]` is stored as SQLite `REAL` (float epoch), but the unsynced-session listing sliced it as an ISO string and raised `TypeError: 'float' object is not subscriptable`. Now formatted with `datetime.fromtimestamp(...).strftime("%Y-%m-%d")`.
+
+### Why
+Field-level AES protects six sensitive metadata fields, but everything else (event types, timestamps, file paths, session structure) sat in plaintext SQLite on disk. SQLCipher closes that gap without changing the API surface: `sqlcipher3.dbapi2` is drop-in compatible with stdlib `sqlite3`, so the rest of the store is unchanged. The two layers compose: SQLCipher protects data at rest end-to-end, field-level AES adds defense-in-depth for the most sensitive fields even if the db_key is compromised.
+
 ## [0.7.38] — 2026-04-12
 
 ### Added

{methodproof-0.7.38 → methodproof-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: methodproof
-Version: 0.7.38
+Version: 0.8.1
 Summary: See how you code. Capture and visualize your engineering process.
 License-Expression: Apache-2.0
 License-File: LICENSE
@@ -8,6 +8,7 @@ Requires-Python: >=3.11
 Requires-Dist: cryptography>=43.0
 Requires-Dist: keyring>=25.0
 Requires-Dist: rich>=13.7
+Requires-Dist: sqlcipher3>=0.6
 Requires-Dist: textual>=0.59
 Requires-Dist: watchdog>=4.0
 Requires-Dist: websocket-client>=1.7

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/__init__.py

@@ -1,3 +1,3 @@
 """MethodProof — see how you code."""
 
-__version__ = "0.7.21"
+__version__ = "0.8.1"

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/agents/base.py

@@ -68,6 +68,24 @@ _EVENT_GATES: dict[str, str] = {
     "gemini_session_end": "ai_responses",
     "kiro_session_start": "ai_prompts",
     "kiro_session_end": "ai_responses",
+    # Hook lifecycle events (continued)
+    "claude_session_end": "ai_responses",
+    "agent_turn_end": "ai_responses",
+    "agent_turn_error": "ai_responses",
+    "context_compact_start": "ai_responses",
+    "context_compact_end": "ai_responses",
+    "permission_request": "ai_responses",
+    "permission_denied": "ai_responses",
+    "mcp_elicitation": "ai_responses",
+    "mcp_elicitation_result": "ai_responses",
+    "worktree_create": "ai_responses",
+    "worktree_remove": "ai_responses",
+    "cwd_changed": "ai_responses",
+    "tool_failure": "ai_responses",
+    # File system events
+    "file_rename": "file_changes",
+    # Git events
+    "git_branch_switch": "git_commits",
 }
 
 # Maps capture categories to (event_type, field) pairs for field-level gating.
@@ -108,9 +126,19 @@ def init(session_id: str, live: bool = False, verbose: bool = False, streaming:
     _verbose = verbose
     _streaming = streaming
     _prev_hash = "genesis"
-    from methodproof import config
+    from methodproof import config, store
     cfg = config.load()
     _e2e_key = _load_encryption_key(cfg)
+    # Daemon is a fresh process — wire the SQLCipher key (always master-derived
+    # db_key, never user E2E) into the store before any DB write.
+    if store._encrypted_flag_path().exists():
+        account_id = cfg.get("account_id", "")
+        if account_id and cfg.get("master_key_fingerprint"):
+            from methodproof.keychain import load_secret
+            from methodproof.kdf import derive_master, derive_db_key
+            entropy = load_secret(account_id)
+            if entropy:
+                store.set_db_key(derive_db_key(derive_master(entropy), account_id))
     _capture = cfg.get("capture", {})
     _journal_mode = cfg.get("journal_mode", False)
     _account_id = cfg.get("account_id", "")
@@ -132,6 +160,13 @@ def is_content_captured() -> bool:
     return bool(_capture.get("code_capture", False))
 
 
+def is_journal_mode() -> bool:
+    """True when journal_mode is enabled — full content capture (prompts,
+    completions, diffs, terminal output). Agents use this to decide whether
+    to include content fields that are stripped in structural-only mode."""
+    return _journal_mode
+
+
 def emit(event_type: str, metadata: dict[str, Any]) -> None:
     if not _initialized:
         log("warning", "emit.before_init", type=event_type)
@@ -216,6 +251,10 @@ def _stream_event(entry: dict[str, Any]) -> None:
         detail = f'{meta.get("path", "?")} ({meta.get("size", 0)}B)'
     elif etype == "file_delete":
         detail = meta.get("path", "?")
+    elif etype == "file_rename":
+        detail = f'{meta.get("old_path", "?")} → {meta.get("new_path", "?")}'
+    elif etype == "git_branch_switch":
+        detail = f'{meta.get("old_branch", "?")} → {meta.get("new_branch", "?")}'
     elif etype == "terminal_cmd":
         detail = f'{meta.get("command", "?")[:60]} → exit {meta.get("exit_code", "?")}'
     elif etype == "test_run":

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/agents/terminal.py

@@ -20,11 +20,27 @@ TEST_FRAMEWORKS = {
     "jest": re.compile(r"\bjest\b|npx jest|npm test"),
     "go_test": re.compile(r"\bgo test\b"),
     "cargo_test": re.compile(r"\bcargo test\b"),
+    "vitest": re.compile(r"\bvitest\b|npx vitest"),
+    "mocha": re.compile(r"\bmocha\b|npx mocha"),
+    "rspec": re.compile(r"\brspec\b|bundle exec rspec"),
+    "minitest": re.compile(r"\bruby\b.*test|rake test"),
+    "phpunit": re.compile(r"\bphpunit\b|vendor/bin/phpunit"),
+    "unittest": re.compile(r"python.*-m\s+unittest|python.*-m\s+nose"),
+    "dotnet_test": re.compile(r"\bdotnet test\b"),
+    "swift_test": re.compile(r"\bswift test\b"),
+    "gradle_test": re.compile(r"\bgradle\b.*\btest\b|gradlew.*\btest\b"),
+    "maven_test": re.compile(r"\bmvn\b.*\btest\b|mvnw.*\btest\b"),
+    "exunit": re.compile(r"\bmix test\b"),
 }
 
 _PYTEST_RE = re.compile(r"(\d+) passed(?:.*?(\d+) failed)?(?:.*?(\d+) skipped)?")
 _JEST_RE = re.compile(r"Tests:\s+(?:(\d+) failed,\s+)?(\d+) passed(?:,\s+(\d+) skipped)?")
 _CARGO_RE = re.compile(r"(\d+) passed.*?(\d+) failed")
+_VITEST_RE = re.compile(r"Tests\s+(\d+) passed(?:\s*\|\s*(\d+) failed)?(?:\s*\|\s*(\d+) skipped)?")
+_RSPEC_RE = re.compile(r"(\d+) examples?,\s*(\d+) failures?(?:,\s*(\d+) pending)?")
+_PHPUNIT_RE = re.compile(r"OK \((\d+) tests?|Tests:\s*(\d+).*?Failures:\s*(\d+)")
+_DOTNET_RE = re.compile(r"Passed!\s+-\s+Failed:\s+(\d+),\s+Passed:\s+(\d+),\s+Skipped:\s+(\d+)")
+_EXUNIT_RE = re.compile(r"(\d+) tests?,\s*(\d+) failures?(?:,\s*(\d+) excluded)?")
 
 
 def _detect_test(command: str) -> str | None:
@@ -40,9 +56,12 @@ def _parse_test_results(output: str, framework: str, exit_code: int) -> tuple[in
         m = _PYTEST_RE.search(output)
         if m:
             return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
-    elif framework == "jest":
-        m = _JEST_RE.search(output)
+    elif framework in ("jest", "vitest"):
+        pat = _VITEST_RE if framework == "vitest" else _JEST_RE
+        m = pat.search(output)
         if m:
+            if framework == "vitest":
+                return int(m.group(1) or 0), int(m.group(2) or 0), int(m.group(3) or 0)
             return int(m.group(2) or 0), int(m.group(1) or 0), int(m.group(3) or 0)
     elif framework == "go_test":
         return output.count("--- PASS"), output.count("--- FAIL"), output.count("--- SKIP")
@@ -50,6 +69,24 @@ def _parse_test_results(output: str, framework: str, exit_code: int) -> tuple[in
         m = _CARGO_RE.search(output)
         if m:
             return int(m.group(1)), int(m.group(2)), 0
+    elif framework == "rspec":
+        m = _RSPEC_RE.search(output)
+        if m:
+            return int(m.group(1)) - int(m.group(2)), int(m.group(2)), int(m.group(3) or 0)
+    elif framework == "phpunit":
+        m = _PHPUNIT_RE.search(output)
+        if m:
+            if m.group(1):
+                return int(m.group(1)), 0, 0
+            return int(m.group(2) or 0) - int(m.group(3) or 0), int(m.group(3) or 0), 0
+    elif framework == "dotnet_test":
+        m = _DOTNET_RE.search(output)
+        if m:
+            return int(m.group(2)), int(m.group(1)), int(m.group(3))
+    elif framework == "exunit":
+        m = _EXUNIT_RE.search(output)
+        if m:
+            return int(m.group(1)) - int(m.group(2)), int(m.group(2)), int(m.group(3) or 0)
     if exit_code == 0:
         return 1, 0, 0
     return 0, 1, 0
@@ -91,7 +128,7 @@ def _process(line: str) -> None:
         return
     exit_code = entry.get("exit_code", 0)
     duration = entry.get("duration_ms", 0)
-    output = entry.get("output", "")[:500]
+    output = entry.get("output", "")
     if SENSITIVE.search(output):
         output = "[redacted — contains sensitive content]"
     cwd = entry.get("cwd", "")
@@ -107,7 +144,10 @@ def _process(line: str) -> None:
     framework = _detect_test(command)
     if framework:
         passed, failed, skipped = _parse_test_results(output, framework, exit_code)
-        base.emit("test_run", {
+        test_meta: dict = {
             "framework": framework, "passed": passed, "failed": failed,
             "skipped": skipped, "duration_ms": duration,
-        })
+        }
+        if cwd:
+            test_meta["cwd"] = cwd
+        base.emit("test_run", test_meta)

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/agents/watcher.py

@@ -45,9 +45,6 @@ IGNORE_PATTERNS = re.compile(
 )
 
 
-_MAX_DIFF_BYTES = 50_000
-_MAX_HUNK_LINES = 2_000
-
 _HUNK_HEADER_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
 _DIFF_FILE_RE = re.compile(r"^diff --git a/(.+?) b/(.+?)$")
 
@@ -60,7 +57,6 @@ def _parse_hunks(diff_text: str, include_lines: bool) -> list[dict[str, object]]
     """
     hunks: list[dict[str, object]] = []
     current: dict[str, object] | None = None
-    total_lines = 0
     for line in diff_text.splitlines():
         header = _HUNK_HEADER_RE.match(line)
         if header:
@@ -81,10 +77,7 @@ def _parse_hunks(diff_text: str, include_lines: bool) -> list[dict[str, object]]
             continue
         if line.startswith("+++") or line.startswith("---"):
             continue
-        if total_lines >= _MAX_HUNK_LINES:
-            continue
         current["lines"].append(line)  # type: ignore[union-attr]
-        total_lines += 1
     if current is not None:
         hunks.append(current)
     return hunks
@@ -122,7 +115,7 @@ def _git_diff_hunks(repo: str, path: str, include_lines: bool) -> list[dict[str,
             ["git", "-C", repo, "diff", "--unified=0", "--", path],
             capture_output=True, text=True, timeout=5,
         )
-        return _parse_hunks(result.stdout[:_MAX_DIFF_BYTES], include_lines)
+        return _parse_hunks(result.stdout, include_lines)
     except Exception:
         return []
 
@@ -136,7 +129,7 @@ def _git_show_file_hunks(
             ["git", "-C", repo, "show", "--format=", "--unified=0", sha],
             capture_output=True, text=True, timeout=10,
         )
-        return _parse_show_hunks(result.stdout[:_MAX_DIFF_BYTES * 4], include_lines)
+        return _parse_show_hunks(result.stdout, include_lines)
     except Exception:
         return {}
 
@@ -160,25 +153,25 @@ def _git_diff_stats(repo: str, path: str) -> tuple[int, int]:
 
 
 def _git_diff_content(repo: str, path: str) -> str:
-    """Get full diff content for a file, capped at 50KB."""
+    """Get full diff content for a file."""
     try:
         result = subprocess.run(
             ["git", "-C", repo, "diff", "--", path],
             capture_output=True, text=True, timeout=5,
         )
-        return result.stdout[:_MAX_DIFF_BYTES]
+        return result.stdout
     except Exception:
         return ""
 
 
 def _git_show_diff(repo: str, sha: str) -> str:
-    """Get full diff for a commit, capped at 50KB."""
+    """Get full diff for a commit."""
     try:
         result = subprocess.run(
             ["git", "-C", repo, "show", "--format=", sha],
             capture_output=True, text=True, timeout=10,
         )
-        return result.stdout[:_MAX_DIFF_BYTES]
+        return result.stdout
     except Exception:
         return ""
 
@@ -239,14 +232,44 @@ class _Handler(FileSystemEventHandler):
         lang = Path(event.src_path).suffix.lstrip(".")
         base.emit("file_delete", {"path": path, "language": lang})
 
+    def on_moved(self, event: FileSystemEvent) -> None:
+        if event.is_directory:
+            return
+        src = event.src_path
+        dest = getattr(event, "dest_path", "")
+        if IGNORE_PATTERNS.search(src) and IGNORE_PATTERNS.search(dest or src):
+            return
+        old_path = self._relpath(src)
+        new_path = self._relpath(dest) if dest else old_path
+        lang = Path(dest or src).suffix.lstrip(".")
+        old_hash = self._hashes.pop(old_path, None)
+        if old_hash:
+            self._hashes[new_path] = old_hash
+        base.emit("file_rename", {
+            "old_path": old_path, "new_path": new_path, "language": lang,
+        })
+
+
+def _read_branch(head_file: Path) -> str:
+    """Read current branch from .git/HEAD. Returns '' for detached HEAD."""
+    try:
+        content = head_file.read_text().strip()
+        if content.startswith("ref: refs/heads/"):
+            return content[16:]
+        return ""
+    except OSError:
+        return ""
+
 
 def _poll_git(watch_dir: str, stop: threading.Event) -> None:
-    """Poll .git/refs for new commits every 2 seconds."""
+    """Poll .git/refs for new commits and HEAD for branch switches."""
     git_dir = Path(watch_dir) / ".git"
     if not git_dir.exists():
         return
     seen: set[str] = set()
     refs = git_dir / "refs" / "heads"
+    head_file = git_dir / "HEAD"
+    last_branch = _read_branch(head_file)
     while not stop.is_set():
         try:
             for ref in refs.iterdir():
@@ -257,12 +280,17 @@ def _poll_git(watch_dir: str, stop: threading.Event) -> None:
                         _log_commit(watch_dir, sha)
         except OSError:
             pass
+        current_branch = _read_branch(head_file)
+        if current_branch and current_branch != last_branch and last_branch:
+            base.emit("git_branch_switch", {
+                "old_branch": last_branch, "new_branch": current_branch,
+            })
+        last_branch = current_branch
         stop.wait(2)
 
 
 def _log_commit(watch_dir: str, sha: str) -> None:
     try:
-        # Single git call: subject\x00author\x00email\x00iso_date\x00parent_hash\x00full_body
         fmt = subprocess.run(
             ["git", "-C", watch_dir, "log", "-1",
              "--format=%s%x00%an%x00%ae%x00%ai%x00%P%x00%B", sha],
@@ -275,12 +303,22 @@ def _log_commit(watch_dir: str, sha: str) -> None:
         committed_at = parts[3].strip() if len(parts) > 3 else ""
         parent_hash = parts[4].strip()[:7] if len(parts) > 4 else ""
         body = parts[5].strip() if len(parts) > 5 else ""
-        files = subprocess.run(
-            ["git", "-C", watch_dir, "diff-tree", "--no-commit-id", "-r", "--name-only", sha],
+        status_lines = subprocess.run(
+            ["git", "-C", watch_dir, "diff-tree", "--no-commit-id", "-r", "--name-status", sha],
             capture_output=True, text=True, timeout=5,
         ).stdout.strip().splitlines()
+        files: list[str] = []
+        file_statuses: dict[str, str] = {}
+        for sl in status_lines:
+            sl_parts = sl.split("\t", 1)
+            if len(sl_parts) == 2:
+                file_statuses[sl_parts[1]] = sl_parts[0]
+                files.append(sl_parts[1])
+            elif sl.strip():
+                files.append(sl.strip())
     except Exception:
-        subject, author, author_email, committed_at, parent_hash, body, files = "", "", "", "", "", "", []
+        subject, author, author_email, committed_at, parent_hash, body = "", "", "", "", "", ""
+        files, file_statuses = [], {}
     meta: dict[str, object] = {
         "hash": sha[:7], "message": subject, "files_changed": files,
         "author": author, "author_email": author_email, "committed_at": committed_at,
@@ -288,7 +326,12 @@ def _log_commit(watch_dir: str, sha: str) -> None:
     if parent_hash:
         meta["parent_hash"] = parent_hash
     if body and body != subject:
-        meta["body"] = body[:2000]
+        meta["body"] = body
+    if file_statuses:
+        meta["file_statuses"] = file_statuses
+    branch = _read_branch(Path(watch_dir) / ".git" / "HEAD")
+    if branch:
+        meta["branch"] = branch
     include_lines = base.is_content_captured()
     file_hunks = _git_show_file_hunks(watch_dir, sha, include_lines)
     if file_hunks:

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/cli.py

@@ -985,14 +985,26 @@ def _setup_master_key(cfg: dict) -> None:
     if not account_id:
         return
     from methodproof.keychain import has_secret, store_secret, load_secret
+    from methodproof import store as _store
     if has_secret(account_id):
-        # Already set up — ensure fingerprint is in config
+        # Already set up — ensure fingerprint is in config and key is wired
+        from methodproof.kdf import derive_master, derive_db_key
+        from methodproof.crypto import fingerprint
+        master = derive_master(load_secret(account_id))
+        db_key = derive_db_key(master, account_id)
         if not cfg.get("master_key_fingerprint"):
-            from methodproof.kdf import derive_master, derive_db_key
-            from methodproof.crypto import fingerprint
-            master = derive_master(load_secret(account_id))
-            cfg["master_key_fingerprint"] = fingerprint(derive_db_key(master, account_id))
+            cfg["master_key_fingerprint"] = fingerprint(db_key)
             config.save(cfg)
+        if _store._encrypted_flag_path().exists():
+            _store.set_db_key(db_key)
+        else:
+            # Existing user, plaintext DB — one-shot upgrade to SQLCipher
+            from methodproof.migrate_db import migrate_to_sqlcipher, DaemonActiveError
+            try:
+                if migrate_to_sqlcipher(db_key):
+                    print("  Encrypted local database with SQLCipher.\n")
+            except DaemonActiveError as exc:
+                print(f"  ⚠ {exc}")
         return
 
     # Check if user has a recovery phrase (returning user, new device)
@@ -1025,13 +1037,21 @@ def _setup_master_key(cfg: dict) -> None:
     print(f"  │  {D}on a new device. Store it somewhere safe.{R}      │")
     print(f"  └──────────────────────────────────────────────────┘\n")
 
-    # Encrypt any existing plaintext events
+    # Encrypt any existing plaintext events (field-level, defense-in-depth)
     db_key = derive_db_key(master, account_id)
-    from methodproof.migrate_db import migrate_encrypt
+    from methodproof.migrate_db import migrate_encrypt, migrate_to_sqlcipher
     count = migrate_encrypt(db_key)
     if count:
         print(f"  Encrypted {count} existing events.\n")
 
+    # Whole-database SQLCipher encryption — runs once, idempotent
+    from methodproof.migrate_db import DaemonActiveError
+    try:
+        if migrate_to_sqlcipher(db_key):
+            print("  Encrypted local database with SQLCipher.\n")
+    except DaemonActiveError as exc:
+        print(f"  ⚠ {exc}")
+
 
 def _recover_master_key(cfg: dict, account_id: str) -> None:
     """Prompt for recovery phrase to restore master key on new device."""
@@ -1049,9 +1069,55 @@ def _recover_master_key(cfg: dict, account_id: str) -> None:
         return
     from methodproof.keychain import store_secret
     store_secret(account_id, entropy)
+    # Wire the recovered key into the SQLCipher connection so the next DB read works
+    from methodproof.kdf import derive_master, derive_db_key
+    from methodproof import store as _store
+    if _store._encrypted_flag_path().exists():
+        _store.set_db_key(derive_db_key(derive_master(entropy), account_id))
     print("  Master key restored.\n")
 
 
+def _wire_db_encryption(cfg: dict) -> None:
+    """Wire the SQLCipher key into store before any subcommand touches the DB.
+
+    Called once at the top of `main()`. Three cases:
+      1. Encrypted DB + key available → wire the key.
+      2. Plaintext DB + logged-in user with master key → one-shot upgrade
+         migration to SQLCipher (the post-release upgrade path).
+      3. Anything else (logged out, no key) → no-op; capture continues against
+         the plaintext DB until the user logs in.
+    """
+    from methodproof import store as _store
+    account_id = cfg.get("account_id", "")
+    if not account_id:
+        return
+    try:
+        from methodproof.keychain import load_secret
+        from methodproof.kdf import derive_master, derive_db_key
+        entropy = load_secret(account_id)
+        if not entropy:
+            return
+        db_key = derive_db_key(derive_master(entropy), account_id)
+    except Exception:
+        return
+
+    if _store._encrypted_flag_path().exists():
+        _store.set_db_key(db_key)
+        return
+
+    # Plaintext DB + key available — one-shot upgrade
+    try:
+        from methodproof.migrate_db import migrate_to_sqlcipher, DaemonActiveError
+        if migrate_to_sqlcipher(db_key):
+            print("  Encrypted local database with SQLCipher.\n")
+    except DaemonActiveError:
+        # Daemon is recording — defer migration to next CLI run after `mp stop`.
+        # Don't print noise on every command; the upgrade will happen later.
+        return
+    except Exception as exc:
+        sys.stderr.write(f"[methodproof] sqlcipher migration deferred: {exc}\n")
+
+
 def _is_daemon_alive() -> bool:
     """Check if the recording daemon is still running (not a reused PID)."""
     if not PIDFILE.exists():
@@ -1511,8 +1577,6 @@ def cmd_log(args: argparse.Namespace) -> None:
             fake = _ap.Namespace(session_id=sid, local=False)
             if action == "push":
                 cmd_push(fake)
-            elif action == "view":
-                cmd_view(fake)
         return
     sessions = store.list_sessions()
     if not sessions:
@@ -1844,7 +1908,7 @@ def cmd_push(args: argparse.Namespace) -> None:
     print(f"Found {len(unsynced)} unsynced sessions:\n")
     for s in unsynced:
         events = len(store.get_events(s["id"]))
-        date = s["created_at"][:10] if s.get("created_at") else "?"
+        date = datetime.fromtimestamp(s["created_at"]).strftime("%Y-%m-%d") if s.get("created_at") else "?"
         print(f"  {s['id'][:8]}  {date}  {events} events")
     print()
     answer = input(f"Push all {len(unsynced)}? [Y/n] ").strip().lower()
@@ -2342,6 +2406,7 @@ def main() -> None:
     e2e_sub.add_parser("recover", help="Recover key from passphrase")
     e2e_rel = e2e_sub.add_parser("release", help="Release a session from E2E encryption")
     e2e_rel.add_argument("session_id", help="Session ID to release")
+    e2e_sub.add_parser("release-all", help="Release every synced session from E2E encryption")
     sub.add_parser("intro", help="Show the MethodProof intro")
     sub.add_parser("help", help="Show command reference")
     sub.add_parser("mcp-serve", help="Run MCP server (used by Claude Code)")
@@ -2381,5 +2446,6 @@ def main() -> None:
         _update_check()
 
     if args.cmd not in ("help", "update"):
+        _wire_db_encryption(config.load())
         store.init_db()
     fn(args)

{methodproof-0.7.38 → methodproof-0.8.1}/methodproof/crypto.py

@@ -44,3 +44,20 @@ def encrypt_metadata(metadata: dict, key: bytes) -> dict:
         if field in metadata and isinstance(metadata[field], str):
             metadata[field] = encrypt_field(metadata[field], key)
     return metadata
+
+
+def decrypt_metadata_safe(metadata: dict, key: bytes) -> dict:
+    """Decrypt sensitive fields in place. Silently leaves fields that fail
+    (wrong key, tampering) as ciphertext — never raises. Used on the read path
+    where a field encrypted with a *different* key (user E2E vs master) must
+    still render as-is rather than break rendering."""
+    if AESGCM is None:
+        return metadata
+    for field in SENSITIVE_FIELDS:
+        val = metadata.get(field)
+        if isinstance(val, str) and val.startswith("e2e:v1:"):
+            try:
+                metadata[field] = decrypt_field(val, key)
+            except Exception:
+                pass
+    return metadata