@nodatachat/guard 2.0.0

package/LICENSE.md

@@ -0,0 +1,28 @@
+# NoData Guard License
+
+Copyright (c) 2026 NoDataChat Ltd. All rights reserved.
+
+## Terms
+
+This software is proprietary. You may use it under the terms of your NoDataChat subscription agreement.
+
+### Permitted Uses
+- Running scans on your own projects with a valid license key
+- Integrating into your CI/CD pipelines
+- Generating reports for internal use
+
+### Prohibited Uses
+- Redistributing or reselling the software
+- Reverse engineering or decompiling
+- Removing license key verification
+- Using the software to scan third-party projects without authorization
+
+### Data Privacy
+- Guard runs locally on your machine
+- Source code is never uploaded to NoDataChat servers
+- Only metadata reports (table names, counts, scores) are transmitted
+- You can opt out of metadata transmission with --skip-send
+
+For the full license agreement, visit: https://nodatachat.com/legal/guard-license
+
+Contact: legal@nodatachat.com

package/README.md

@@ -0,0 +1,120 @@
+# @nodatachat/guard
+
+**NoData Guard** — Continuous security scanner that runs locally. Your data never leaves your machine.
+
+Guard scans your codebase and (optionally) your database for security issues: exposed PII fields, missing encryption, unprotected routes, hardcoded secrets, and known CVEs. It generates two reports:
+
+- **`nodata-full-report.json`** — Full details, stays local on your machine
+- **`nodata-metadata-only.json`** — Metadata only (table names, counts, scores), sent to NoData for dashboard tracking
+
+**You can diff the two files to verify no data values were sent.**
+
+## Quick Start
+
+```bash
+# Run directly (no install needed)
+npx nodata-guard --license-key NDC-XXXX-XXXX-XXXX
+
+# With database scan (Business Pro+)
+npx nodata-guard --license-key NDC-XXXX --db postgres://user:pass@host/db
+
+# CI/CD mode — fail on critical findings
+npx nodata-guard --license-key $NDC_LICENSE --ci --fail-on critical
+```
+
+## Features
+
+| Feature | Free | Business | Business Pro | Enterprise |
+|---------|------|----------|-------------|------------|
+| Code scan (PII, routes, secrets) | - | Yes | Yes | Yes |
+| Seed test (proof capsule) | - | Yes | Yes | Yes |
+| Continuous scanning | - | Yes | Yes | Yes |
+| Dashboard (scan history) | - | Yes | Yes | Yes |
+| Database scan (DB Probe) | - | - | Yes | Yes |
+| CI/CD integration | - | - | Yes | Yes |
+| Proof certificate | - | - | Yes | Yes |
+| On-prem deployment | - | - | - | Yes |
+| White-label | - | - | - | Yes |
+
+## Options
+
+```
+--license-key KEY    License key (or set NDC_LICENSE env var)
+--db URL             Database connection string (or set DATABASE_URL)
+--dir PATH           Project directory to scan (default: cwd)
+--output PATH        Output directory for reports (default: cwd)
+--ci                 CI mode — minimal output, exit codes
+--fail-on LEVEL      Exit 1 on issues at this level: critical, high, medium
+--skip-send          Don't send metadata report to NoData
+--version            Show version
+--help               Show help
+```
+
+## What Gets Scanned
+
+**Code Scanner (7 checks):**
+- PII field detection (24 categories: email, phone, SSN, credit card, etc.)
+- Encryption coverage (are PII fields encrypted?)
+- Route auth detection (42+ auth patterns)
+- Stack detection (framework, database, hosting)
+- Secret scanning (26 patterns, Gitleaks-style)
+- Dependency vulnerability checks
+- CVE detection (20 known vulnerabilities)
+
+**Database Scanner (6 checks):**
+- Schema introspection (table/column inventory)
+- PII column detection
+- Encryption verification (LEFT(value,13) only — never reads full values)
+- RLS policy coverage
+- Access control audit
+- Infrastructure checks (SSL, timeouts)
+
+## Privacy Guarantee
+
+- Guard runs **entirely on your machine**
+- Source code is **never uploaded**
+- Database values are **never read** (only schema metadata)
+- The metadata report contains only: table names, column counts, boolean flags, scores
+- You can verify this by diffing `nodata-full-report.json` vs `nodata-metadata-only.json`
+
+## Dashboard
+
+After running Guard, log in at [nodatachat.com/guard](https://nodatachat.com/guard) with your license key to see:
+
+- Score trends over time
+- Scan history with comparison
+- Issue breakdown by severity
+- Encryption coverage progress
+- Database security posture
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+- name: NoData Guard Security Scan
+  run: npx nodata-guard --license-key ${{ secrets.NDC_LICENSE }} --ci --fail-on critical
+  env:
+    DATABASE_URL: ${{ secrets.DATABASE_URL }}
+```
+
+### GitLab CI
+
+```yaml
+security-scan:
+  script:
+    - npx nodata-guard --license-key $NDC_LICENSE --ci --fail-on critical
+  variables:
+    DATABASE_URL: $DATABASE_URL
+```
+
+## License
+
+Proprietary — see [LICENSE.md](LICENSE.md)
+
+## Links
+
+- [Website](https://nodatachat.com)
+- [Guard Dashboard](https://nodatachat.com/guard)
+- [Getting Started](https://nodatachat.com/guard/onboarding)
+- [Pricing](https://nodatachat.com/pricing)

package/dist/activation.d.ts

@@ -0,0 +1,8 @@
+import type { ActivationResponse } from "./types";
+export declare function computeProjectHash(projectDir: string): string;
+export declare function activate(options: {
+    licenseKey: string;
+    projectDir: string;
+    scanType: "code" | "db" | "full";
+    apiBase?: string;
+}): Promise<ActivationResponse>;

package/dist/activation.js

@@ -0,0 +1,110 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — License Activation
+//
+// Contacts NoData API to verify license and get activation key.
+// Without activation key, the scanner cannot run.
+//
+// Flow:
+//   1. Guard sends: license_key + project_hash (no code, no data)
+//   2. API checks: license valid? tier? features?
+//   3. API returns: activation_key (one-time, TTL 5 min)
+//   4. Guard uses activation_key to unlock scanner + encrypt report
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeProjectHash = computeProjectHash;
+exports.activate = activate;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const GUARD_VERSION = "2.0.0";
+const API_BASE = process.env.GUARD_API_BASE || "https://nodatachat.com/api/guard";
+// Dev license keys that work without server (for development and demos)
+const DEV_LICENSES = new Set(["NDC-DEV", "NDC-DEMO", "NDC-TEST"]);
+// ── Project fingerprint (directory structure only, no file contents) ──
+function computeProjectHash(projectDir) {
+    const paths = [];
+    function walk(dir, depth) {
+        if (depth > 5)
+            return; // max depth for fingerprint
+        try {
+            const entries = (0, fs_1.readdirSync)(dir, { withFileTypes: true });
+            for (const entry of entries) {
+                if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist")
+                    continue;
+                const fullPath = (0, path_1.join)(dir, entry.name);
+                const relativePath = fullPath.replace(projectDir, "");
+                if (entry.isDirectory()) {
+                    paths.push(`d:${relativePath}`);
+                    walk(fullPath, depth + 1);
+                }
+                else if (entry.isFile()) {
+                    try {
+                        const stat = (0, fs_1.statSync)(fullPath);
+                        paths.push(`f:${relativePath}:${stat.size}`);
+                    }
+                    catch { /* skip */ }
+                }
+            }
+        }
+        catch { /* skip */ }
+    }
+    walk(projectDir, 0);
+    paths.sort();
+    return (0, crypto_1.createHash)("sha256").update(paths.join("|")).digest("hex");
+}
+// ── Activate license ──
+async function activate(options) {
+    const { licenseKey, projectDir, scanType, apiBase = API_BASE } = options;
+    const projectHash = computeProjectHash(projectDir);
+    // Dev mode — skip server activation for development/demo licenses
+    if (DEV_LICENSES.has(licenseKey)) {
+        return {
+            success: true,
+            activation_key: `dev-${Date.now()}`,
+            tier: licenseKey === "NDC-DEV" ? "enterprise" : "business",
+            features: ["code-scan", "db-probe", "fix-plan", "fix-apply", "schedule", "notify"],
+            scan_id: `scan-dev-${Date.now().toString(36)}`,
+            expires_at: new Date(Date.now() + 3600000).toISOString(),
+        };
+    }
+    const request = {
+        license_key: licenseKey,
+        project_hash: projectHash,
+        guard_version: GUARD_VERSION,
+        scan_type: scanType,
+    };
+    try {
+        const res = await fetch(`${apiBase}/activate`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(request),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            return {
+                success: false,
+                activation_key: "",
+                tier: "",
+                features: [],
+                scan_id: "",
+                expires_at: "",
+                error: `Activation failed (${res.status}): ${text}`,
+            };
+        }
+        return res.json();
+    }
+    catch (err) {
+        // Network error — allow offline scanning with limited features
+        return {
+            success: true,
+            activation_key: `offline-${Date.now()}`,
+            tier: "free",
+            features: ["code-scan"],
+            scan_id: `scan-offline-${Date.now().toString(36)}`,
+            expires_at: new Date(Date.now() + 3600000).toISOString(),
+            error: `Server unreachable — running in offline mode (code-scan only)`,
+        };
+    }
+}

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};