@nodatachat/guard 2.0.0 → 2.2.0

package/LICENSE.md

@@ -1,10 +1,10 @@
 # NoData Guard License
 
-Copyright (c) 2026 NoDataChat Ltd. All rights reserved.
+Copyright (c) 2026 Capsule Ltd. All rights reserved.
 
 ## Terms
 
-This software is proprietary. You may use it under the terms of your NoDataChat subscription agreement.
+This software is proprietary. You may use it under the terms of your Capsule subscription agreement.
 
 ### Permitted Uses
 - Running scans on your own projects with a valid license key
@@ -19,10 +19,10 @@ This software is proprietary. You may use it under the terms of your NoDataChat
 
 ### Data Privacy
 - Guard runs locally on your machine
-- Source code is never uploaded to NoDataChat servers
+- Source code is never uploaded to Capsule servers
 - Only metadata reports (table names, counts, scores) are transmitted
 - You can opt out of metadata transmission with --skip-send
 
-For the full license agreement, visit: https://nodatachat.com/legal/guard-license
+For the full license agreement, visit: https://nodatacapsule.com/legal/guard-license
 
-Contact: legal@nodatachat.com
+Contact: legal@nodatacapsule.com

package/README.md

@@ -79,7 +79,7 @@ npx nodata-guard --license-key $NDC_LICENSE --ci --fail-on critical
 
 ## Dashboard
 
-After running Guard, log in at [nodatachat.com/guard](https://nodatachat.com/guard) with your license key to see:
+After running Guard, log in at [nodatacapsule.com/guard](https://nodatacapsule.com/guard) with your license key to see:
 
 - Score trends over time
 - Scan history with comparison
@@ -114,7 +114,7 @@ Proprietary — see [LICENSE.md](LICENSE.md)
 
 ## Links
 
-- [Website](https://nodatachat.com)
-- [Guard Dashboard](https://nodatachat.com/guard)
-- [Getting Started](https://nodatachat.com/guard/onboarding)
-- [Pricing](https://nodatachat.com/pricing)
+- [Website](https://nodatacapsule.com)
+- [Guard Dashboard](https://nodatacapsule.com/guard)
+- [Getting Started](https://nodatacapsule.com/guard/onboarding)
+- [Pricing](https://nodatacapsule.com/pricing)

package/dist/activation.js

@@ -18,7 +18,7 @@ const crypto_1 = require("crypto");
 const fs_1 = require("fs");
 const path_1 = require("path");
 const GUARD_VERSION = "2.0.0";
-const API_BASE = process.env.GUARD_API_BASE || "https://nodatachat.com/api/guard";
+const API_BASE = process.env.GUARD_API_BASE || "https://nodatacapsule.com/api/guard";
 // Dev license keys that work without server (for development and demos)
 const DEV_LICENSES = new Set(["NDC-DEV", "NDC-DEMO", "NDC-TEST"]);
 // ── Project fingerprint (directory structure only, no file contents) ──

package/dist/cli.js

@@ -22,7 +22,6 @@ const activation_1 = require("./activation");
 const code_scanner_1 = require("./code-scanner");
 const db_scanner_1 = require("./db-scanner");
 const reporter_1 = require("./reporter");
-const registry_1 = require("./fixers/registry");
 const scheduler_1 = require("./fixers/scheduler");
 const VERSION = "2.0.0";
 async function main() {
@@ -35,10 +34,8 @@ async function main() {
     let failOn = null;
     let outputDir = process.cwd();
     let skipSend = false;
-    let fixMode = "none";
     let schedulePreset;
     let ciProvider;
-    let onlyFixers;
     for (let i = 0; i < args.length; i++) {
         switch (args[i]) {
             case "--license-key":
@@ -63,13 +60,14 @@ async function main() {
                 skipSend = true;
                 break;
             case "--fix-plan":
-                fixMode = "plan";
+                console.log("\n  ⚠  --fix-plan is deprecated. Capsule provides recommendations only.\n  Run without this flag to see recommendations.\n");
                 break;
             case "--fix":
-                fixMode = "apply";
+                console.log("\n  ⚠  --fix is deprecated. Capsule does not modify your code.\n  Recommendations are provided in the scan output.\n");
                 break;
             case "--fix-only":
-                onlyFixers = args[++i]?.split(",");
+                i++;
+                console.log("\n  ⚠  --fix-only is deprecated. Capsule provides recommendations only.\n");
                 break;
             case "--schedule":
                 schedulePreset = args[++i] || "weekly";
@@ -87,12 +85,44 @@ async function main() {
     }
     // Env fallbacks
     if (!licenseKey)
-        licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY;
+        licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY || process.env.NODATA_API_KEY || process.env.NDC_API_KEY;
     if (!dbUrl)
         dbUrl = process.env.DATABASE_URL;
+    // Shared Protect config fallback (~/.nodata/config.json)
     if (!licenseKey) {
-        console.error("\n  Error: --license-key required (or set NDC_LICENSE env var)\n");
-        printHelp();
+        try {
+            const home = process.env.HOME || process.env.USERPROFILE || "";
+            const configPath = require("path").join(home, ".nodata", "config.json");
+            if (require("fs").existsSync(configPath)) {
+                const config = JSON.parse(require("fs").readFileSync(configPath, "utf-8"));
+                if (config.api_key) {
+                    licenseKey = config.api_key;
+                    console.log(`\n  \x1b[32m✓\x1b[0m Using API key from NoData Protect (~/.nodata/config.json)\n`);
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // Capsule config fallback (.capsule.json)
+    if (!licenseKey) {
+        try {
+            const capsulePath = require("path").join(projectDir, ".capsule.json");
+            if (require("fs").existsSync(capsulePath)) {
+                const config = JSON.parse(require("fs").readFileSync(capsulePath, "utf-8"));
+                if (config.licenseKey) {
+                    licenseKey = config.licenseKey;
+                    console.log(`\n  \x1b[32m✓\x1b[0m Using API key from Capsule config (.capsule.json)\n`);
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    if (!licenseKey) {
+        console.error("\n  \x1b[31m✗\x1b[0m No API key found.\n");
+        console.error("  Options:");
+        console.error("    1. Run \x1b[36mnpx @nodatachat/protect init\x1b[0m first (creates key automatically)");
+        console.error("    2. Pass \x1b[36m--license-key YOUR_KEY\x1b[0m");
+        console.error("    3. Set \x1b[36mNDC_LICENSE=YOUR_KEY\x1b[0m in environment\n");
         process.exit(1);
     }
     // ── Schedule setup (no scan needed) ──
@@ -204,12 +234,13 @@ async function main() {
     if (!skipSend) {
         log(ciMode, "Sending metadata to NoData...");
         try {
-            const res = await fetch("https://nodatachat.com/api/guard/report", {
+            const res = await fetch("https://nodatacapsule.com/api/guard/report", {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/json",
                     "X-Scan-Id": activation.scan_id,
                     "X-Activation-Key": activation.activation_key,
+                    "X-License-Key": licenseKey || "",
                 },
                 body: JSON.stringify(metadata),
                 signal: AbortSignal.timeout(10000),
@@ -250,102 +281,48 @@ async function main() {
         console.log("  Your data never left your machine.");
         console.log("  Diff the two files to verify.\n");
     }
-    // ── Step 8: Capsule — Fix Plan / Apply ──
-    if (fixMode !== "none") {
-        const config = loadOrCreateConfig(projectDir, { dbUrl, failOn });
-        const fixerContext = {
-            projectDir,
-            dbUrl,
-            config,
-            scanResults: {
-                piiFields: piiFields.map(f => ({
-                    table: f.table, column: f.column, pii_type: f.pii_type,
-                    encrypted: f.encrypted, encryption_pattern: f.encryption_pattern,
-                })),
-                routes: routes.map(r => ({ path: r.path, has_auth: r.has_auth, auth_type: r.auth_type })),
-                secrets: secrets.map(s => ({
-                    file: s.file, line: s.line, type: s.type,
-                    severity: s.severity, is_env_interpolated: s.is_env_interpolated,
-                })),
-                rls: dbResult?.rls || [],
-                framework: stack.framework,
-                database: stack.database,
-            },
-            stack: {
-                framework: stack.framework,
-                database: stack.database,
-                language: "typescript",
-                hosting: "vercel",
-            },
-        };
-        const capsuleResult = await (0, registry_1.runCapsule)(fixerContext, {
-            mode: fixMode === "plan" ? "plan" : "apply",
-            fixers: onlyFixers,
-            dryRun: fixMode === "plan",
-        }, (msg) => log(ciMode, msg));
-        if (!ciMode) {
+    // ── Step 8: Recommendations ──
+    // NOTE: Capsule does NOT auto-fix code. We provide recommendations only.
+    // Applying fixes requires understanding of the target system — tables,
+    // relationships, business logic — and must be done by the customer's team.
+    if (!ciMode) {
+        const topFindings = metadata.findings || [];
+        if (topFindings.length > 0) {
             console.log("");
             console.log("  ══════════════════════════════════════");
-            console.log(`  CAPSULE ${fixMode === "plan" ? "PLAN" : "RESULTS"}`);
+            console.log("  RECOMMENDATIONS");
             console.log("  ══════════════════════════════════════");
-            console.log(`  Total actions:   ${capsuleResult.totalActions}`);
-            if (fixMode === "apply") {
-                console.log(`  Applied:         ${capsuleResult.applied}`);
-                console.log(`  Failed:          ${capsuleResult.failed}`);
-                console.log(`  Skipped:         ${capsuleResult.skipped}`);
+            console.log(`  ${topFindings.length} issues found. Top priorities:\n`);
+            const shown = topFindings.slice(0, 10);
+            for (const f of shown) {
+                const sev = f.severity === "critical" ? "\x1b[31mCRITICAL\x1b[0m"
+                    : f.severity === "high" ? "\x1b[33mHIGH\x1b[0m"
+                        : "\x1b[36mMEDIUM\x1b[0m";
+                console.log(`  ${sev}  ${f.title}`);
+                console.log(`         \x1b[32m→ ${f.fix_suggestion}\x1b[0m`);
+                if (f.soc_control)
+                    console.log(`         SOC: ${f.soc_control}`);
+                console.log("");
             }
-            console.log(`  Manual pending:  ${capsuleResult.manualPending}`);
-            console.log(`  Est. impact:     +${capsuleResult.estimatedScoreImpact}% score`);
-            console.log(`  Proof hash:      ${capsuleResult.proofHash.slice(0, 16)}...`);
-            console.log("  ──────────────────────────────────────");
-            // Print per-fixer summary
-            for (const plan of capsuleResult.plans) {
-                const icon = plan.actions.every(a => a.status === "applied") ? "✅"
-                    : plan.actions.some(a => a.status === "failed") ? "❌" : "📋";
-                console.log(`  ${icon} ${plan.nameHe}: ${plan.totalActions} actions (${plan.autoFixable} auto, ${plan.manualRequired} manual)`);
+            if (topFindings.length > 10) {
+                console.log(`  ... and ${topFindings.length - 10} more. See full report.\n`);
             }
+            console.log("  ──────────────────────────────────────");
+            console.log("  ⚠  Capsule provides recommendations only.");
+            console.log("     Fixes require understanding of your system —");
+            console.log("     tables, relationships, and business logic.");
+            console.log("     Work with your team to apply changes safely.");
             console.log("  ══════════════════════════════════════\n");
-            // Write fix plans to output dir
-            if (capsuleResult.plans.length > 0) {
-                const plansPath = (0, path_1.resolve)(outputDir, "nodata-fix-plan.json");
-                (0, fs_1.writeFileSync)(plansPath, JSON.stringify(capsuleResult, null, 2), "utf-8");
-                log(ciMode, `Fix plan saved: ${plansPath}`);
-                // Write SQL migrations to files
-                for (const plan of capsuleResult.plans) {
-                    for (const action of plan.actions) {
-                        if (action.type === "file-create" && action.target.includes("migrations/")) {
-                            const migPath = (0, path_1.resolve)(outputDir, action.target);
-                            const migDir = (0, path_1.resolve)(outputDir, "migrations");
-                            if (!(0, fs_1.existsSync)(migDir)) {
-                                const { mkdirSync } = require("fs");
-                                mkdirSync(migDir, { recursive: true });
-                            }
-                            (0, fs_1.writeFileSync)(migPath, action.content, "utf-8");
-                            log(ciMode, `Migration: ${migPath}`);
-                        }
-                    }
-                }
-            }
-        }
-        // Send notifications if configured
-        if (config.notify && fixMode === "apply") {
-            const notifyPayload = {
-                event: capsuleResult.applied > 0 ? "fix-applied" : "scan-complete",
-                timestamp: new Date().toISOString(),
-                projectName: full.project_name || "unknown",
-                projectHash: full.proof_hash?.slice(0, 16) || "",
+            // Save recommendations to file
+            const recsPath = (0, path_1.resolve)(outputDir, "nodata-recommendations.json");
+            (0, fs_1.writeFileSync)(recsPath, JSON.stringify({
+                generated_at: new Date().toISOString(),
                 score: full.overall_score,
-                previousScore: serverResponse.previous_score ?? null,
-                delta: serverResponse.previous_score != null ? full.overall_score - serverResponse.previous_score : 0,
-                critical: full.summary.critical_issues,
-                high: full.summary.high_issues,
-                medium: full.summary.medium_issues,
-                fixesApplied: capsuleResult.applied,
-                fixesFailed: capsuleResult.failed,
-                scanId: activation.scan_id,
-                proofHash: capsuleResult.proofHash,
-            };
-            await (0, registry_1.sendNotifications)(config, notifyPayload.event, notifyPayload, (msg) => log(ciMode, msg));
+                total_findings: topFindings.length,
+                disclaimer: "These are recommendations only. Capsule does not modify your code. Fixes require understanding of your system architecture, database schema, and business logic. Work with your development team to implement changes safely.",
+                recommendations: topFindings,
+            }, null, 2), "utf-8");
+            log(ciMode, `Recommendations: ${recsPath}`);
         }
     }
     // ── CI mode: exit code ──
@@ -392,14 +369,16 @@ function loadOrCreateConfig(projectDir, overrides) {
 }
 function printHelp() {
     console.log(`
-  NoData Guard v${VERSION} — Security Scanner + Auto-Remediation Capsule
+  NoData Guard v${VERSION} — Security Scanner + Recommendations
+
+  Scans your project locally for security issues and provides
+  actionable recommendations. Your code never leaves your machine.
+  Capsule does NOT modify your code — only you and your team can.
 
   Usage:
-    npx nodata-guard --license-key NDC-XXXX              # Scan only
-    npx nodata-guard --license-key NDC-XXXX --fix-plan    # Scan + show fix plan
-    npx nodata-guard --license-key NDC-XXXX --fix         # Scan + apply fixes
-    npx nodata-guard --license-key NDC-XXXX --schedule weekly  # Setup CI schedule
-    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix  # Full scan + fix
+    npx nodata-guard --license-key NDC-XXXX                          # Scan + recommend
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL       # Full scan (code + DB)
+    npx nodata-guard --license-key NDC-XXXX --schedule weekly        # Setup CI schedule
 
   Scan Options:
     --license-key <key>    NoData license key (or set NDC_LICENSE env var)
@@ -410,13 +389,6 @@ function printHelp() {
     --fail-on <level>      Exit 1 if issues at: critical | high | medium
     --skip-send            Don't send metadata to NoData
 
-  Capsule Options:
-    --fix-plan             Generate fix plan (dry-run, no changes)
-    --fix                  Apply all auto-fixable remediation
-    --fix-only <fixers>    Only run specific fixers (comma-separated)
-                           Fixers: pii-encrypt, rls, secrets, routes-auth,
-                                   headers, csrf, rate-limit, gitignore
-
   Schedule Options:
     --schedule <preset>    Install CI workflow: daily | weekly | monthly
     --ci-provider <name>   CI provider: github-actions | gitlab-ci | bitbucket | auto
@@ -425,31 +397,39 @@ function printHelp() {
     Configure in .nodata-guard.json → notify: { email, webhook, slack, telegram }
 
   Output files:
-    nodata-full-report.json      Full report — STAYS LOCAL
-    nodata-metadata-only.json    Metadata only — sent to NoData
-    nodata-fix-plan.json         Fix plan with actions
-    migrations/*.sql             Generated SQL migrations
+    nodata-full-report.json          Full report — STAYS LOCAL
+    nodata-metadata-only.json        Metadata only — sent to dashboard
+    nodata-recommendations.json      Prioritized recommendations
 
-  What we NEVER receive:
-    Data values, emails, phones, passwords, source code, connection strings.
+  What we provide:
+    ✓ Scan — find weak points (PII, routes, secrets, encryption)
+    ✓ Recommend — prioritized actions with SOC control mapping
+    ✓ Prove — cryptographic proof chain of scan results
+    ✓ Monitor — track score over time via dashboard
+
+  What we NEVER do:
+    ✗ Modify your code, database, or configuration
+    ✗ Receive data values, source code, or credentials
+
+  Important:
+    Recommendations require understanding of YOUR system —
+    tables, relationships, business logic. Work with your team
+    to implement changes safely.
 
   Examples:
-    # Quick scan
+    # Scan and get recommendations
     npx nodata-guard --license-key NDC-XXXX
 
-    # Full scan + DB probe + fix
-    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix
-
-    # Only fix security headers and CSRF
-    npx nodata-guard --license-key NDC-XXXX --fix --fix-only headers,csrf
+    # Full scan with DB probe
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL
 
     # Setup weekly CI scan with GitHub Actions
     npx nodata-guard --license-key NDC-XXXX --schedule weekly
 
-    # CI pipeline
+    # CI pipeline — fail on critical issues
     npx nodata-guard --ci --fail-on critical
 
-  Documentation: https://nodatachat.com/guard
+  Documentation: https://nodatacapsule.com/guard
 `);
 }
 main().catch((err) => {

package/dist/fixers/registry.js

@@ -156,7 +156,7 @@ async function sendNotifications(config, event, payload, onLog) {
     if (config.notify.email?.length) {
         for (const email of config.notify.email) {
             try {
-                await fetch("https://nodatachat.com/api/guard/notify", {
+                await fetch("https://nodatacapsule.com/api/guard/notify", {
                     method: "POST",
                     headers: { "Content-Type": "application/json" },
                     body: JSON.stringify({ channel: "email", to: email, payload }),

package/dist/reporter.js

@@ -123,8 +123,35 @@ function generateReports(input) {
             critical: criticalSecrets,
             high: highSecrets + plaintextPII,
             medium: medSecrets,
-            fixes_available: plaintextPII, // each plaintext field has a migration fix
+            recommendations_available: plaintextPII, // each plaintext field has a recommendation
         },
+        // Fix suggestions — safe to send (just recommendation text, no code/values)
+        findings: [
+            ...allPII.filter(f => !f.encrypted).map(f => ({
+                severity: "high",
+                category: "pii",
+                rule_id: `PII_${f.pii_type.toUpperCase()}`,
+                title: `${f.table}.${f.column} — ${f.pii_type} stored in plaintext`,
+                fix_suggestion: `Add AES-256-GCM encryption to ${f.table}.${f.column} via Capsule field permissions`,
+                soc_control: "CC6.7",
+            })),
+            ...(input.code?.secrets.filter(s => !s.is_env_interpolated) || []).map(s => ({
+                severity: s.severity,
+                category: "secrets",
+                rule_id: `SECRET_${s.type.toUpperCase().replace(/-/g, "_")}`,
+                title: `Hardcoded ${s.type} in ${s.file}:${s.line}`,
+                fix_suggestion: `Move to .env and encrypt with @nodatachat/protect`,
+                soc_control: "CC6.1",
+            })),
+            ...(input.code?.routes.filter(r => !r.has_auth) || []).slice(0, 20).map(r => ({
+                severity: "high",
+                category: "auth",
+                rule_id: "ROUTE_NO_AUTH",
+                title: `Unprotected route: ${r.path}`,
+                fix_suggestion: `Add authentication middleware (withAuth or API key check)`,
+                soc_control: "CC6.3",
+            })),
+        ],
         proof_hash: proofHash,
         privacy: {
             contains_data_values: false,
@@ -176,7 +203,7 @@ function generateReports(input) {
             critical_issues: criticalSecrets,
             high_issues: highSecrets + plaintextPII,
             medium_issues: medSecrets,
-            fixes_available: plaintextPII,
+            recommendations_available: plaintextPII,
         },
         proof_hash: proofHash,
         metadata_preview: metadata,

package/dist/types.d.ts

@@ -84,7 +84,7 @@ export interface FullReport {
         critical_issues: number;
         high_issues: number;
         medium_issues: number;
-        fixes_available: number;
+        recommendations_available: number;
     };
     proof_hash: string;
     metadata_preview: MetadataReport;
@@ -140,8 +140,16 @@ export interface MetadataReport {
         critical: number;
         high: number;
         medium: number;
-        fixes_available: number;
+        recommendations_available: number;
     };
+    findings: Array<{
+        severity: "critical" | "high" | "medium" | "low";
+        category: string;
+        rule_id: string;
+        title: string;
+        fix_suggestion: string;
+        soc_control: string;
+    }>;
     proof_hash: string;
     privacy: {
         contains_data_values: false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodatachat/guard",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
   "main": "./dist/cli.js",
   "types": "./dist/cli.d.ts",
@@ -49,7 +49,7 @@
     "devsecops"
   ],
   "license": "SEE LICENSE IN LICENSE.md",
-  "homepage": "https://nodatachat.com/guard",
+  "homepage": "https://nodatacapsule.com/guard",
   "repository": {
     "type": "git",
     "url": "https://github.com/nodatachat/guard"
@@ -57,5 +57,5 @@
   "bugs": {
     "url": "https://github.com/nodatachat/guard/issues"
   },
-  "author": "NoDataChat <support@nodatachat.com>"
+  "author": "Capsule <support@nodatacapsule.com>"
 }