@nodatachat/guard 2.0.0

package/dist/cli.js

@@ -0,0 +1,458 @@
+#!/usr/bin/env node
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — CLI Entry Point
+//
+// Usage:
+//   npx nodata-guard --license-key NDC-XXXX
+//   npx nodata-guard --license-key NDC-XXXX --db postgres://...
+//   npx nodata-guard --license-key NDC-XXXX --ci --fail-on critical
+//   npx nodata-guard --license-key $NDC_LICENSE --full --db $DATABASE_URL
+//
+// Outputs:
+//   ./nodata-full-report.json      — Full report (stays local)
+//   ./nodata-metadata-only.json    — Metadata sent to NoData
+//
+// The customer can diff the two files to verify no data was sent.
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = require("path");
+const fs_1 = require("fs");
+const activation_1 = require("./activation");
+const code_scanner_1 = require("./code-scanner");
+const db_scanner_1 = require("./db-scanner");
+const reporter_1 = require("./reporter");
+const registry_1 = require("./fixers/registry");
+const scheduler_1 = require("./fixers/scheduler");
+const VERSION = "2.0.0";
+async function main() {
+    const args = process.argv.slice(2);
+    // Parse args
+    let licenseKey;
+    let dbUrl;
+    let projectDir = process.cwd();
+    let ciMode = false;
+    let failOn = null;
+    let outputDir = process.cwd();
+    let skipSend = false;
+    let fixMode = "none";
+    let schedulePreset;
+    let ciProvider;
+    let onlyFixers;
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case "--license-key":
+                licenseKey = args[++i];
+                break;
+            case "--db":
+                dbUrl = args[++i];
+                break;
+            case "--dir":
+                projectDir = (0, path_1.resolve)(args[++i]);
+                break;
+            case "--output":
+                outputDir = (0, path_1.resolve)(args[++i]);
+                break;
+            case "--ci":
+                ciMode = true;
+                break;
+            case "--fail-on":
+                failOn = args[++i];
+                break;
+            case "--skip-send":
+                skipSend = true;
+                break;
+            case "--fix-plan":
+                fixMode = "plan";
+                break;
+            case "--fix":
+                fixMode = "apply";
+                break;
+            case "--fix-only":
+                onlyFixers = args[++i]?.split(",");
+                break;
+            case "--schedule":
+                schedulePreset = args[++i] || "weekly";
+                break;
+            case "--ci-provider":
+                ciProvider = args[++i];
+                break;
+            case "--help":
+                printHelp();
+                process.exit(0);
+            case "--version":
+                console.log(VERSION);
+                process.exit(0);
+        }
+    }
+    // Env fallbacks
+    if (!licenseKey)
+        licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY;
+    if (!dbUrl)
+        dbUrl = process.env.DATABASE_URL;
+    if (!licenseKey) {
+        console.error("\n  Error: --license-key required (or set NDC_LICENSE env var)\n");
+        printHelp();
+        process.exit(1);
+    }
+    // ── Schedule setup (no scan needed) ──
+    if (schedulePreset) {
+        const config = loadOrCreateConfig(projectDir, { dbUrl, failOn });
+        config.schedule = { enabled: true, preset: schedulePreset, cron: undefined, timezone: "UTC" };
+        const provider = ciProvider || "auto";
+        const result = (0, scheduler_1.installSchedule)(projectDir, config, provider);
+        console.log("");
+        console.log("  ╔══════════════════════════════════════╗");
+        console.log("  ║   NoData Guard — Schedule Installed   ║");
+        console.log("  ╚══════════════════════════════════════╝");
+        console.log("");
+        result.messages.forEach(m => console.log(`  ${m}`));
+        console.log("");
+        result.files.forEach(f => console.log(`  Created: ${f}`));
+        console.log("");
+        return;
+    }
+    const scanType = dbUrl ? "full" : "code";
+    const startTime = Date.now();
+    // ── Header ──
+    if (!ciMode) {
+        console.log("");
+        console.log("  ╔══════════════════════════════════════╗");
+        console.log("  ║         NoData Guard v" + VERSION + "          ║");
+        console.log("  ║  Security scanner — runs locally     ║");
+        console.log("  ║  Your data never leaves your machine ║");
+        console.log("  ╚══════════════════════════════════════╝");
+        console.log("");
+    }
+    // ── Step 1: Activate ──
+    log(ciMode, "Activating license...");
+    const activation = await (0, activation_1.activate)({
+        licenseKey,
+        projectDir,
+        scanType,
+    });
+    if (!activation.success) {
+        console.error(`  Activation failed: ${activation.error}`);
+        process.exit(1);
+    }
+    log(ciMode, `Activated. Tier: ${activation.tier} | Scan ID: ${activation.scan_id}`);
+    // ── Step 2: Code scan ──
+    log(ciMode, "Scanning code...");
+    const files = (0, code_scanner_1.readProjectFiles)(projectDir, (count) => {
+        if (!ciMode)
+            process.stdout.write(`\r  Reading files... ${count}`);
+    });
+    if (!ciMode)
+        console.log("");
+    log(ciMode, `Scanned ${files.length} files`);
+    const piiFields = (0, code_scanner_1.scanPIIFields)(files);
+    const routes = (0, code_scanner_1.scanRoutes)(files);
+    const secrets = (0, code_scanner_1.scanSecrets)(files);
+    const stack = (0, code_scanner_1.detectStack)(files);
+    const encryptedCode = piiFields.filter(f => f.encrypted).length;
+    log(ciMode, `PII fields: ${piiFields.length} found, ${encryptedCode} encrypted`);
+    log(ciMode, `Routes: ${routes.length} total, ${routes.filter(r => r.has_auth).length} protected`);
+    log(ciMode, `Secrets: ${secrets.filter(s => !s.is_env_interpolated).length} hardcoded`);
+    // ── Step 3: DB scan (if connection string provided) ──
+    let dbResult = null;
+    if (dbUrl) {
+        log(ciMode, "Scanning database...");
+        try {
+            dbResult = await (0, db_scanner_1.scanDatabase)(dbUrl, (msg) => log(ciMode, `  DB: ${msg}`));
+            const encryptedDb = dbResult.pii_fields.filter(f => f.encrypted).length;
+            log(ciMode, `DB PII: ${dbResult.pii_fields.length} found, ${encryptedDb} encrypted`);
+            log(ciMode, `RLS: ${dbResult.rls.filter(r => r.rls_enabled).length}/${dbResult.rls.length} tables`);
+        }
+        catch (err) {
+            log(ciMode, `DB scan failed: ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    // ── Step 4: Generate dual reports ──
+    const scanDuration = Date.now() - startTime;
+    const projectHash = (0, activation_1.computeProjectHash)(projectDir);
+    const { full, metadata } = (0, reporter_1.generateReports)({
+        scanId: activation.scan_id,
+        projectName: projectDir.split(/[/\\]/).pop() || "unknown",
+        projectHash,
+        scanType,
+        scanDurationMs: scanDuration,
+        previousScore: null, // Will be filled by API response
+        code: {
+            filesScanned: files.length,
+            framework: stack.framework,
+            database: stack.database,
+            piiFields,
+            routes,
+            secrets,
+        },
+        db: dbResult ? {
+            tables: dbResult.tables,
+            piiFields: dbResult.pii_fields,
+            rls: dbResult.rls,
+            infra: dbResult.infra,
+        } : undefined,
+    });
+    // ── Step 5: Save reports ──
+    const fullPath = (0, path_1.resolve)(outputDir, "nodata-full-report.json");
+    const metaPath = (0, path_1.resolve)(outputDir, "nodata-metadata-only.json");
+    (0, fs_1.writeFileSync)(fullPath, JSON.stringify(full, null, 2), "utf-8");
+    (0, fs_1.writeFileSync)(metaPath, JSON.stringify(metadata, null, 2), "utf-8");
+    log(ciMode, `Full report:     ${fullPath}`);
+    log(ciMode, `Metadata only:   ${metaPath}`);
+    // ── Step 6: Send metadata to NoData ──
+    let serverResponse = {};
+    if (!skipSend) {
+        log(ciMode, "Sending metadata to NoData...");
+        try {
+            const res = await fetch("https://nodatachat.com/api/guard/report", {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "X-Scan-Id": activation.scan_id,
+                    "X-Activation-Key": activation.activation_key,
+                },
+                body: JSON.stringify(metadata),
+                signal: AbortSignal.timeout(10000),
+            });
+            if (res.ok) {
+                serverResponse = await res.json();
+                log(ciMode, `Sent. ${serverResponse.improved ? "Score improved!" : "Score tracked."}`);
+            }
+            else {
+                log(ciMode, `Send failed (${res.status}) — report saved locally`);
+            }
+        }
+        catch {
+            log(ciMode, "Could not reach NoData API — report saved locally");
+        }
+    }
+    // ── Step 7: Print summary ──
+    if (!ciMode) {
+        console.log("");
+        console.log("  ══════════════════════════════════════");
+        console.log("  GUARD RESULTS");
+        console.log("  ══════════════════════════════════════");
+        console.log(`  Score:           ${full.overall_score}%${serverResponse.previous_score != null ? ` (was ${serverResponse.previous_score}%)` : ""}`);
+        console.log(`  PII fields:      ${full.summary.encrypted_fields}/${full.summary.total_pii_fields} encrypted (${full.summary.coverage_percent}%)`);
+        if (full.code) {
+            console.log(`  Routes:          ${full.code.routes.filter(r => r.has_auth).length}/${full.code.routes.length} protected`);
+            console.log(`  Secrets:         ${full.summary.critical_issues} critical, ${full.summary.high_issues} high`);
+        }
+        if (full.db) {
+            console.log(`  DB encryption:   ${full.db.encryption_coverage_percent}%`);
+            console.log(`  RLS coverage:    ${full.db.rls_coverage_percent}%`);
+        }
+        console.log("  ──────────────────────────────────────");
+        console.log(`  Full report:     ${fullPath}`);
+        console.log(`  Sent to NoData:  ${metaPath}`);
+        console.log(`  Proof hash:      ${full.proof_hash.slice(0, 16)}...`);
+        console.log("  ══════════════════════════════════════");
+        console.log("  Your data never left your machine.");
+        console.log("  Diff the two files to verify.\n");
+    }
+    // ── Step 8: Capsule — Fix Plan / Apply ──
+    if (fixMode !== "none") {
+        const config = loadOrCreateConfig(projectDir, { dbUrl, failOn });
+        const fixerContext = {
+            projectDir,
+            dbUrl,
+            config,
+            scanResults: {
+                piiFields: piiFields.map(f => ({
+                    table: f.table, column: f.column, pii_type: f.pii_type,
+                    encrypted: f.encrypted, encryption_pattern: f.encryption_pattern,
+                })),
+                routes: routes.map(r => ({ path: r.path, has_auth: r.has_auth, auth_type: r.auth_type })),
+                secrets: secrets.map(s => ({
+                    file: s.file, line: s.line, type: s.type,
+                    severity: s.severity, is_env_interpolated: s.is_env_interpolated,
+                })),
+                rls: dbResult?.rls || [],
+                framework: stack.framework,
+                database: stack.database,
+            },
+            stack: {
+                framework: stack.framework,
+                database: stack.database,
+                language: "typescript",
+                hosting: "vercel",
+            },
+        };
+        const capsuleResult = await (0, registry_1.runCapsule)(fixerContext, {
+            mode: fixMode === "plan" ? "plan" : "apply",
+            fixers: onlyFixers,
+            dryRun: fixMode === "plan",
+        }, (msg) => log(ciMode, msg));
+        if (!ciMode) {
+            console.log("");
+            console.log("  ══════════════════════════════════════");
+            console.log(`  CAPSULE ${fixMode === "plan" ? "PLAN" : "RESULTS"}`);
+            console.log("  ══════════════════════════════════════");
+            console.log(`  Total actions:   ${capsuleResult.totalActions}`);
+            if (fixMode === "apply") {
+                console.log(`  Applied:         ${capsuleResult.applied}`);
+                console.log(`  Failed:          ${capsuleResult.failed}`);
+                console.log(`  Skipped:         ${capsuleResult.skipped}`);
+            }
+            console.log(`  Manual pending:  ${capsuleResult.manualPending}`);
+            console.log(`  Est. impact:     +${capsuleResult.estimatedScoreImpact}% score`);
+            console.log(`  Proof hash:      ${capsuleResult.proofHash.slice(0, 16)}...`);
+            console.log("  ──────────────────────────────────────");
+            // Print per-fixer summary
+            for (const plan of capsuleResult.plans) {
+                const icon = plan.actions.every(a => a.status === "applied") ? "✅"
+                    : plan.actions.some(a => a.status === "failed") ? "❌" : "📋";
+                console.log(`  ${icon} ${plan.nameHe}: ${plan.totalActions} actions (${plan.autoFixable} auto, ${plan.manualRequired} manual)`);
+            }
+            console.log("  ══════════════════════════════════════\n");
+            // Write fix plans to output dir
+            if (capsuleResult.plans.length > 0) {
+                const plansPath = (0, path_1.resolve)(outputDir, "nodata-fix-plan.json");
+                (0, fs_1.writeFileSync)(plansPath, JSON.stringify(capsuleResult, null, 2), "utf-8");
+                log(ciMode, `Fix plan saved: ${plansPath}`);
+                // Write SQL migrations to files
+                for (const plan of capsuleResult.plans) {
+                    for (const action of plan.actions) {
+                        if (action.type === "file-create" && action.target.includes("migrations/")) {
+                            const migPath = (0, path_1.resolve)(outputDir, action.target);
+                            const migDir = (0, path_1.resolve)(outputDir, "migrations");
+                            if (!(0, fs_1.existsSync)(migDir)) {
+                                const { mkdirSync } = require("fs");
+                                mkdirSync(migDir, { recursive: true });
+                            }
+                            (0, fs_1.writeFileSync)(migPath, action.content, "utf-8");
+                            log(ciMode, `Migration: ${migPath}`);
+                        }
+                    }
+                }
+            }
+        }
+        // Send notifications if configured
+        if (config.notify && fixMode === "apply") {
+            const notifyPayload = {
+                event: capsuleResult.applied > 0 ? "fix-applied" : "scan-complete",
+                timestamp: new Date().toISOString(),
+                projectName: full.project_name || "unknown",
+                projectHash: full.proof_hash?.slice(0, 16) || "",
+                score: full.overall_score,
+                previousScore: serverResponse.previous_score ?? null,
+                delta: serverResponse.previous_score != null ? full.overall_score - serverResponse.previous_score : 0,
+                critical: full.summary.critical_issues,
+                high: full.summary.high_issues,
+                medium: full.summary.medium_issues,
+                fixesApplied: capsuleResult.applied,
+                fixesFailed: capsuleResult.failed,
+                scanId: activation.scan_id,
+                proofHash: capsuleResult.proofHash,
+            };
+            await (0, registry_1.sendNotifications)(config, notifyPayload.event, notifyPayload, (msg) => log(ciMode, msg));
+        }
+    }
+    // ── CI mode: exit code ──
+    if (ciMode && failOn) {
+        const { critical_issues, high_issues, medium_issues } = full.summary;
+        let shouldFail = false;
+        if (failOn === "critical" && critical_issues > 0)
+            shouldFail = true;
+        if (failOn === "high" && (critical_issues + high_issues) > 0)
+            shouldFail = true;
+        if (failOn === "medium" && (critical_issues + high_issues + medium_issues) > 0)
+            shouldFail = true;
+        if (shouldFail) {
+            console.log(`::error::NoData Guard: ${critical_issues} critical, ${high_issues} high, ${medium_issues} medium issues`);
+            process.exit(1);
+        }
+        else {
+            console.log(`NoData Guard: PASS (score ${full.overall_score}%)`);
+        }
+    }
+}
+function log(ci, msg) {
+    if (ci) {
+        console.log(`[nodata-guard] ${msg}`);
+    }
+    else {
+        console.log(`  ${msg}`);
+    }
+}
+function loadOrCreateConfig(projectDir, overrides) {
+    const configPath = (0, path_1.resolve)(projectDir, ".nodata-guard.json");
+    if ((0, fs_1.existsSync)(configPath)) {
+        try {
+            return JSON.parse((0, fs_1.readFileSync)(configPath, "utf-8"));
+        }
+        catch { /* fall through */ }
+    }
+    return (0, scheduler_1.generateDefaultConfig)({
+        scan: {
+            dbUrl: overrides.dbUrl,
+            failOn: overrides.failOn || "critical",
+        },
+    });
+}
+function printHelp() {
+    console.log(`
+  NoData Guard v${VERSION} — Security Scanner + Auto-Remediation Capsule
+
+  Usage:
+    npx nodata-guard --license-key NDC-XXXX              # Scan only
+    npx nodata-guard --license-key NDC-XXXX --fix-plan    # Scan + show fix plan
+    npx nodata-guard --license-key NDC-XXXX --fix         # Scan + apply fixes
+    npx nodata-guard --license-key NDC-XXXX --schedule weekly  # Setup CI schedule
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix  # Full scan + fix
+
+  Scan Options:
+    --license-key <key>    NoData license key (or set NDC_LICENSE env var)
+    --db <url>             Database connection string for DB probe
+    --dir <path>           Project directory (default: cwd)
+    --output <path>        Output directory for reports (default: cwd)
+    --ci                   CI mode — minimal output, exit codes
+    --fail-on <level>      Exit 1 if issues at: critical | high | medium
+    --skip-send            Don't send metadata to NoData
+
+  Capsule Options:
+    --fix-plan             Generate fix plan (dry-run, no changes)
+    --fix                  Apply all auto-fixable remediation
+    --fix-only <fixers>    Only run specific fixers (comma-separated)
+                           Fixers: pii-encrypt, rls, secrets, routes-auth,
+                                   headers, csrf, rate-limit, gitignore
+
+  Schedule Options:
+    --schedule <preset>    Install CI workflow: daily | weekly | monthly
+    --ci-provider <name>   CI provider: github-actions | gitlab-ci | bitbucket | auto
+
+  Notifications:
+    Configure in .nodata-guard.json → notify: { email, webhook, slack, telegram }
+
+  Output files:
+    nodata-full-report.json      Full report — STAYS LOCAL
+    nodata-metadata-only.json    Metadata only — sent to NoData
+    nodata-fix-plan.json         Fix plan with actions
+    migrations/*.sql             Generated SQL migrations
+
+  What we NEVER receive:
+    Data values, emails, phones, passwords, source code, connection strings.
+
+  Examples:
+    # Quick scan
+    npx nodata-guard --license-key NDC-XXXX
+
+    # Full scan + DB probe + fix
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix
+
+    # Only fix security headers and CSRF
+    npx nodata-guard --license-key NDC-XXXX --fix --fix-only headers,csrf
+
+    # Setup weekly CI scan with GitHub Actions
+    npx nodata-guard --license-key NDC-XXXX --schedule weekly
+
+    # CI pipeline
+    npx nodata-guard --ci --fail-on critical
+
+  Documentation: https://nodatachat.com/guard
+`);
+}
+main().catch((err) => {
+    console.error("Fatal:", err);
+    process.exit(1);
+});

package/dist/code-scanner.d.ts

@@ -0,0 +1,14 @@
+import type { PIIFieldResult, RouteResult, SecretResult } from "./types";
+interface FileEntry {
+    path: string;
+    content: string;
+}
+export declare function readProjectFiles(projectDir: string, onProgress?: (count: number) => void): FileEntry[];
+export declare function scanPIIFields(files: FileEntry[]): PIIFieldResult[];
+export declare function scanRoutes(files: FileEntry[]): RouteResult[];
+export declare function scanSecrets(files: FileEntry[]): SecretResult[];
+export declare function detectStack(files: FileEntry[]): {
+    framework: string;
+    database: string;
+};
+export {};