@nodatachat/guard 2.0.0

package/dist/fixers/registry.js

@@ -0,0 +1,249 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// Guard Capsule — Fixer Registry
+//
+// Maps finding types to fixer modules.
+// Orchestrates: analyze → plan → preview → apply → verify
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getFixer = getFixer;
+exports.getAllFixers = getAllFixers;
+exports.getFixersByPriority = getFixersByPriority;
+exports.runCapsule = runCapsule;
+exports.sendNotifications = sendNotifications;
+const crypto_1 = require("crypto");
+// Import fixers (will be implemented one by one)
+const fix_pii_encrypt_1 = require("./fix-pii-encrypt");
+const fix_rls_1 = require("./fix-rls");
+const fix_secrets_1 = require("./fix-secrets");
+const fix_routes_auth_1 = require("./fix-routes-auth");
+const fix_headers_1 = require("./fix-headers");
+const fix_csrf_1 = require("./fix-csrf");
+const fix_rate_limit_1 = require("./fix-rate-limit");
+const fix_gitignore_1 = require("./fix-gitignore");
+// ── Registry ──
+const ALL_FIXERS = [
+    new fix_pii_encrypt_1.PiiEncryptFixer(),
+    new fix_rls_1.RlsFixer(),
+    new fix_secrets_1.SecretsFixer(),
+    new fix_routes_auth_1.RoutesAuthFixer(),
+    new fix_headers_1.HeadersFixer(),
+    new fix_csrf_1.CsrfFixer(),
+    new fix_rate_limit_1.RateLimitFixer(),
+    new fix_gitignore_1.GitignoreFixer(),
+];
+function getFixer(category) {
+    return ALL_FIXERS.find(f => f.category === category);
+}
+function getAllFixers() {
+    return [...ALL_FIXERS];
+}
+function getFixersByPriority() {
+    // Critical fixers first, then high, then medium
+    const priority = [
+        "secrets", // Critical — hardcoded secrets are immediate risk
+        "pii-encrypt", // Critical — exposed PII
+        "rls", // High — DB access control
+        "routes-auth", // High — API exposure
+        "headers", // High — browser security
+        "csrf", // High — request forgery
+        "rate-limit", // Medium — abuse prevention
+        "gitignore", // Medium — prevention
+    ];
+    return priority.map(c => getFixer(c)).filter(Boolean);
+}
+async function runCapsule(context, options, onProgress) {
+    const startTime = Date.now();
+    const fixers = options.fixers
+        ? options.fixers.map(c => getFixer(c)).filter(Boolean)
+        : getFixersByPriority();
+    // Filter out skipped fixers from config
+    const skipList = context.config.fix?.skipFixers || [];
+    const activeFixer = fixers.filter(f => !skipList.includes(f.category));
+    const plans = [];
+    const results = [];
+    // ── Phase 1: Analyze (generate plans) ──
+    onProgress?.("Analyzing findings...");
+    for (const fixer of activeFixer) {
+        onProgress?.(`  Analyzing ${fixer.name}...`);
+        try {
+            const plan = await fixer.analyze(context);
+            if (plan.actions.length > 0) {
+                plans.push(plan);
+                onProgress?.(`  ${fixer.name}: ${plan.totalActions} actions (${plan.autoFixable} auto, ${plan.manualRequired} manual)`);
+            }
+            else {
+                onProgress?.(`  ${fixer.name}: no issues found`);
+            }
+        }
+        catch (err) {
+            onProgress?.(`  ${fixer.name}: analysis failed — ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    if (options.mode === "plan" || options.dryRun) {
+        return {
+            plans,
+            results: [],
+            totalActions: plans.reduce((s, p) => s + p.totalActions, 0),
+            applied: 0,
+            failed: 0,
+            skipped: 0,
+            manualPending: plans.reduce((s, p) => s + p.manualRequired, 0),
+            estimatedScoreImpact: plans.reduce((s, p) => s + p.estimatedScoreImpact, 0),
+            proofHash: hashPlans(plans),
+            duration: Date.now() - startTime,
+        };
+    }
+    // ── Phase 2: Apply ──
+    onProgress?.("Applying fixes...");
+    for (const plan of plans) {
+        const fixer = getFixer(plan.fixer);
+        if (!fixer)
+            continue;
+        // Check if this fixer needs approval
+        const needsApproval = context.config.fix?.requireApproval?.includes(plan.fixer);
+        if (needsApproval && !options.interactive) {
+            onProgress?.(`  ${fixer.name}: skipped (requires approval)`);
+            continue;
+        }
+        onProgress?.(`  Applying ${fixer.name} (${plan.autoFixable} actions)...`);
+        try {
+            const result = await fixer.apply(plan, options.actionIds);
+            results.push(result);
+            onProgress?.(`  ${fixer.name}: ${result.applied} applied, ${result.failed} failed, ${result.skipped} skipped`);
+        }
+        catch (err) {
+            onProgress?.(`  ${fixer.name}: apply failed — ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    // ── Phase 3: Verify (optional) ──
+    if (options.mode === "verify") {
+        onProgress?.("Verifying fixes...");
+        for (const result of results) {
+            if (result.applied === 0)
+                continue;
+            const fixer = getFixer(result.fixer);
+            if (!fixer)
+                continue;
+            const verified = await fixer.verify(result);
+            onProgress?.(`  ${fixer.name}: ${verified ? "VERIFIED" : "VERIFICATION FAILED"}`);
+        }
+    }
+    const totalApplied = results.reduce((s, r) => s + r.applied, 0);
+    const totalFailed = results.reduce((s, r) => s + r.failed, 0);
+    const totalSkipped = results.reduce((s, r) => s + r.skipped, 0);
+    const totalManual = results.reduce((s, r) => s + r.manualPending, 0);
+    return {
+        plans,
+        results,
+        totalActions: plans.reduce((s, p) => s + p.totalActions, 0),
+        applied: totalApplied,
+        failed: totalFailed,
+        skipped: totalSkipped,
+        manualPending: totalManual,
+        estimatedScoreImpact: plans.reduce((s, p) => s + p.estimatedScoreImpact, 0),
+        proofHash: hashResults(results),
+        duration: Date.now() - startTime,
+    };
+}
+// ── Notification Dispatcher ──
+async function sendNotifications(config, event, payload, onLog) {
+    if (!config.notify)
+        return;
+    if (!config.notify.onEvents.includes(event))
+        return;
+    // Email (via NoData API — we relay, never see content)
+    if (config.notify.email?.length) {
+        for (const email of config.notify.email) {
+            try {
+                await fetch("https://nodatachat.com/api/guard/notify", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify({ channel: "email", to: email, payload }),
+                    signal: AbortSignal.timeout(5000),
+                });
+                onLog?.(`  Notified: ${email}`);
+            }
+            catch {
+                onLog?.(`  Email notification failed: ${email}`);
+            }
+        }
+    }
+    // Webhook (direct — customer's own endpoint)
+    if (config.notify.webhook?.length) {
+        for (const url of config.notify.webhook) {
+            try {
+                await fetch(url, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json", "X-NoData-Event": event },
+                    body: JSON.stringify(payload),
+                    signal: AbortSignal.timeout(5000),
+                });
+                onLog?.(`  Webhook sent: ${url}`);
+            }
+            catch {
+                onLog?.(`  Webhook failed: ${url}`);
+            }
+        }
+    }
+    // Slack
+    if (config.notify.slack) {
+        const { webhookUrl, channel, mentionOn } = config.notify.slack;
+        const shouldMention = mentionOn === "critical" && payload.critical > 0
+            || mentionOn === "drop" && payload.delta < 0;
+        const emoji = payload.delta > 0 ? ":arrow_up:" : payload.delta < 0 ? ":arrow_down:" : ":white_check_mark:";
+        const mention = shouldMention ? "<!channel> " : "";
+        const text = [
+            `${mention}${emoji} *NoData Guard* — ${event.replace(/-/g, " ")}`,
+            `Score: *${payload.score}%*${payload.previousScore != null ? ` (was ${payload.previousScore}%)` : ""}`,
+            payload.critical > 0 ? `:red_circle: ${payload.critical} critical` : null,
+            payload.high > 0 ? `:orange_circle: ${payload.high} high` : null,
+            payload.fixesApplied ? `:wrench: ${payload.fixesApplied} fixes applied` : null,
+            payload.dashboardUrl ? `<${payload.dashboardUrl}|View Dashboard>` : null,
+        ].filter(Boolean).join("\n");
+        try {
+            await fetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ text, channel }),
+                signal: AbortSignal.timeout(5000),
+            });
+            onLog?.("  Slack notified");
+        }
+        catch {
+            onLog?.("  Slack notification failed");
+        }
+    }
+    // Telegram
+    if (config.notify.telegram) {
+        const { botToken, chatId } = config.notify.telegram;
+        const emoji = payload.delta > 0 ? "+" : payload.delta < 0 ? "" : "";
+        const text = [
+            `NoData Guard — ${event.replace(/-/g, " ")}`,
+            `Score: ${payload.score}%${payload.previousScore != null ? ` (${emoji}${payload.delta})` : ""}`,
+            payload.critical > 0 ? `Critical: ${payload.critical}` : null,
+            payload.fixesApplied ? `Fixes: ${payload.fixesApplied} applied` : null,
+        ].filter(Boolean).join("\n");
+        try {
+            await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ chat_id: chatId, text, parse_mode: "Markdown" }),
+                signal: AbortSignal.timeout(5000),
+            });
+            onLog?.("  Telegram notified");
+        }
+        catch {
+            onLog?.("  Telegram notification failed");
+        }
+    }
+}
+// ── Helpers ──
+function hashPlans(plans) {
+    const data = plans.map(p => `${p.fixer}:${p.totalActions}:${p.actions.map(a => a.id).join(",")}`).join("|");
+    return (0, crypto_1.createHash)("sha256").update(data).digest("hex");
+}
+function hashResults(results) {
+    const data = results.map(r => `${r.fixer}:${r.applied}:${r.proofHash}`).join("|");
+    return (0, crypto_1.createHash)("sha256").update(data).digest("hex");
+}

package/dist/fixers/scheduler.d.ts

@@ -0,0 +1,9 @@
+import type { CapsuleConfig, CITemplate } from "./types";
+export declare function generateGitHubActions(config: CapsuleConfig): CITemplate;
+export declare function generateGitLabCI(config: CapsuleConfig): CITemplate;
+export declare function generateBitbucket(config: CapsuleConfig): CITemplate;
+export declare function installSchedule(projectDir: string, config: CapsuleConfig, provider?: "github-actions" | "gitlab-ci" | "bitbucket" | "auto"): {
+    files: string[];
+    messages: string[];
+};
+export declare function generateDefaultConfig(overrides?: Partial<CapsuleConfig>): CapsuleConfig;

package/dist/fixers/scheduler.js

@@ -0,0 +1,254 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// Guard Capsule — Scheduler
+//
+// Generates CI/CD workflow files and cron configurations.
+// Supports: GitHub Actions, GitLab CI, Bitbucket Pipelines,
+//           local cron (node-cron), and webhook triggers.
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateGitHubActions = generateGitHubActions;
+exports.generateGitLabCI = generateGitLabCI;
+exports.generateBitbucket = generateBitbucket;
+exports.installSchedule = installSchedule;
+exports.generateDefaultConfig = generateDefaultConfig;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const PRESETS = {
+    daily: "0 3 * * *", // Every day at 3am
+    weekly: "0 3 * * 1", // Every Monday at 3am
+    monthly: "0 3 1 * *", // First of month at 3am
+};
+// ── GitHub Actions Workflow ──
+function generateGitHubActions(config) {
+    const cron = config.schedule?.cron || PRESETS[config.schedule?.preset || "weekly"];
+    const failOn = config.scan?.failOn || "critical";
+    const hasDb = !!config.scan?.dbUrl;
+    const content = `# NoData Guard — Automated Security Scan
+# Generated by @nodatachat/guard
+# Runs: ${config.schedule?.preset || "weekly"} (${cron})
+
+name: NoData Guard Security Scan
+
+on:
+  schedule:
+    - cron: '${cron}'
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:  # Manual trigger
+
+jobs:
+  security-scan:
+    name: Guard Security Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install Guard
+        run: npm install -g @nodatachat/guard
+
+      - name: Run Security Scan
+        run: |
+          nodata-guard \\
+            --license-key \${{ secrets.NDC_LICENSE }} \\${hasDb ? `\n            --db \${{ secrets.DATABASE_URL }} \\` : ""}
+            --ci \\
+            --fail-on ${failOn} \\
+            --output ./guard-reports
+        env:
+          NDC_LICENSE: \${{ secrets.NDC_LICENSE }}${hasDb ? "\n          DATABASE_URL: ${{ secrets.DATABASE_URL }}" : ""}
+
+      - name: Upload Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: guard-report-\${{ github.sha }}
+          path: ./guard-reports/
+          retention-days: 90
+
+      - name: Comment PR with Score
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const reports = fs.readdirSync('./guard-reports').filter(f => f.endsWith('.json') && f.includes('metadata'));
+            if (reports.length === 0) return;
+            const meta = JSON.parse(fs.readFileSync('./guard-reports/' + reports[0], 'utf-8'));
+            const score = meta.scores?.overall || '?';
+            const critical = meta.issues?.critical || 0;
+            const high = meta.issues?.high || 0;
+            const emoji = score >= 80 ? ':white_check_mark:' : score >= 60 ? ':warning:' : ':x:';
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: \`## \${emoji} NoData Guard — Score: \${score}%\\n\\n| Critical | High | Coverage |\\n|---|---|---|\\n| \${critical} | \${high} | \${meta.code_summary?.encryption_coverage_percent || '?'}% |\\n\\n> Your code never left the runner. [View full report in artifacts.]\`
+            });
+`;
+    return {
+        provider: "github-actions",
+        filename: ".github/workflows/nodata-guard.yml",
+        content,
+    };
+}
+// ── GitLab CI ──
+function generateGitLabCI(config) {
+    const cron = config.schedule?.cron || PRESETS[config.schedule?.preset || "weekly"];
+    const failOn = config.scan?.failOn || "critical";
+    const hasDb = !!config.scan?.dbUrl;
+    const content = `# NoData Guard — Automated Security Scan
+# Generated by @nodatachat/guard
+
+stages:
+  - security
+
+nodata-guard:
+  stage: security
+  image: node:20
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == "main"
+  script:
+    - npm install -g @nodatachat/guard
+    - nodata-guard --license-key $NDC_LICENSE${hasDb ? " --db $DATABASE_URL" : ""} --ci --fail-on ${failOn} --output ./guard-reports
+  artifacts:
+    paths:
+      - guard-reports/
+    expire_in: 90 days
+    when: always
+  variables:
+    NDC_LICENSE: $NDC_LICENSE${hasDb ? "\n    DATABASE_URL: $DATABASE_URL" : ""}
+
+# Add to CI/CD > Schedules: cron "${cron}"
+`;
+    return {
+        provider: "gitlab-ci",
+        filename: ".gitlab-ci-guard.yml",
+        content,
+    };
+}
+// ── Bitbucket Pipelines ──
+function generateBitbucket(config) {
+    const failOn = config.scan?.failOn || "critical";
+    const hasDb = !!config.scan?.dbUrl;
+    const content = `# NoData Guard — Automated Security Scan
+# Generated by @nodatachat/guard
+
+pipelines:
+  default:
+    - step:
+        name: NoData Guard Security Scan
+        image: node:20
+        script:
+          - npm install -g @nodatachat/guard
+          - nodata-guard --license-key $NDC_LICENSE${hasDb ? " --db $DATABASE_URL" : ""} --ci --fail-on ${failOn}
+        artifacts:
+          - nodata-full-report.json
+          - nodata-metadata-only.json
+
+  custom:
+    nodata-guard:
+      - step:
+          name: Manual Security Scan
+          image: node:20
+          script:
+            - npm install -g @nodatachat/guard
+            - nodata-guard --license-key $NDC_LICENSE${hasDb ? " --db $DATABASE_URL" : ""} --ci --fail-on ${failOn}
+`;
+    return {
+        provider: "bitbucket",
+        filename: "bitbucket-pipelines-guard.yml",
+        content,
+    };
+}
+// ── Write CI config to project ──
+function installSchedule(projectDir, config, provider) {
+    const files = [];
+    const messages = [];
+    // Auto-detect provider
+    let detected = provider;
+    if (!detected || detected === "auto") {
+        if ((0, fs_1.existsSync)((0, path_1.join)(projectDir, ".github")))
+            detected = "github-actions";
+        else if ((0, fs_1.existsSync)((0, path_1.join)(projectDir, ".gitlab-ci.yml")))
+            detected = "gitlab-ci";
+        else if ((0, fs_1.existsSync)((0, path_1.join)(projectDir, "bitbucket-pipelines.yml")))
+            detected = "bitbucket";
+        else
+            detected = "github-actions"; // Default
+    }
+    let template;
+    switch (detected) {
+        case "github-actions":
+            template = generateGitHubActions(config);
+            break;
+        case "gitlab-ci":
+            template = generateGitLabCI(config);
+            break;
+        case "bitbucket":
+            template = generateBitbucket(config);
+            break;
+        default:
+            template = generateGitHubActions(config);
+    }
+    // Write the file
+    const filePath = (0, path_1.join)(projectDir, template.filename);
+    const dir = (0, path_1.join)(projectDir, ...template.filename.split("/").slice(0, -1));
+    if (!(0, fs_1.existsSync)(dir))
+        (0, fs_1.mkdirSync)(dir, { recursive: true });
+    (0, fs_1.writeFileSync)(filePath, template.content, "utf-8");
+    files.push(filePath);
+    messages.push(`Created ${template.filename}`);
+    // Write .nodata-guard.json config
+    const configPath = (0, path_1.join)(projectDir, ".nodata-guard.json");
+    (0, fs_1.writeFileSync)(configPath, JSON.stringify(config, null, 2), "utf-8");
+    files.push(configPath);
+    messages.push("Created .nodata-guard.json");
+    // Remind about secrets
+    messages.push("");
+    messages.push("Required secrets:");
+    messages.push("  NDC_LICENSE — Your NoData Guard license key");
+    if (config.scan?.dbUrl) {
+        messages.push("  DATABASE_URL — Database connection string");
+    }
+    messages.push("");
+    messages.push(`Schedule: ${config.schedule?.preset || "weekly"} (${config.schedule?.cron || PRESETS[config.schedule?.preset || "weekly"]})`);
+    return { files, messages };
+}
+// ── Generate default config ──
+function generateDefaultConfig(overrides) {
+    return {
+        version: "1.0",
+        scan: {
+            failOn: "critical",
+            ...overrides?.scan,
+        },
+        schedule: {
+            enabled: true,
+            preset: "weekly",
+            cron: PRESETS.weekly,
+            timezone: "UTC",
+            ...overrides?.schedule,
+        },
+        notify: {
+            onEvents: ["scan-complete", "score-drop", "critical-found", "fix-failed"],
+            ...overrides?.notify,
+        },
+        fix: {
+            autoApply: false,
+            dryRunFirst: true,
+            requireApproval: ["pii-encrypt", "rls", "secrets"],
+            ...overrides?.fix,
+        },
+        ...overrides,
+    };
+}

package/dist/fixers/types.d.ts

@@ -0,0 +1,160 @@
+export type FixerCategory = "pii-encrypt" | "rls" | "secrets" | "routes-auth" | "headers" | "csrf" | "rate-limit" | "gitignore";
+export type FixActionType = "sql-migration" | "file-patch" | "file-create" | "file-append" | "env-add" | "config-update" | "command" | "manual";
+export type FixSeverity = "critical" | "high" | "medium" | "low";
+export type FixStatus = "planned" | "previewed" | "applying" | "applied" | "verified" | "failed" | "skipped" | "manual-required";
+export interface FixAction {
+    id: string;
+    type: FixActionType;
+    description: string;
+    descriptionHe: string;
+    severity: FixSeverity;
+    target: string;
+    detail: string;
+    content: string;
+    rollback?: string;
+    status: FixStatus;
+    appliedAt?: string;
+    error?: string;
+    beforeHash?: string;
+    afterHash?: string;
+    dependsOn?: string[];
+    blockedBy?: string[];
+}
+export interface FixPlan {
+    fixer: FixerCategory;
+    name: string;
+    nameHe: string;
+    description: string;
+    descriptionHe: string;
+    actions: FixAction[];
+    totalActions: number;
+    autoFixable: number;
+    manualRequired: number;
+    estimatedScoreImpact: number;
+    affectedControls: string[];
+    prerequisites: string[];
+}
+export interface FixerResult {
+    fixer: FixerCategory;
+    plan: FixPlan;
+    startedAt: string;
+    completedAt: string;
+    durationMs: number;
+    applied: number;
+    failed: number;
+    skipped: number;
+    manualPending: number;
+    proofHash: string;
+    proofFile?: string;
+    scoreBefore: number;
+    scoreAfter: number;
+}
+export interface CapsuleConfig {
+    version: "1.0";
+    licenseKey?: string;
+    projectDir?: string;
+    scan: {
+        dbUrl?: string;
+        skipDirs?: string[];
+        failOn?: "critical" | "high" | "medium";
+    };
+    schedule?: {
+        enabled: boolean;
+        cron?: string;
+        preset?: "daily" | "weekly" | "monthly";
+        timezone?: string;
+    };
+    notify?: {
+        email?: string[];
+        webhook?: string[];
+        slack?: {
+            webhookUrl: string;
+            channel?: string;
+            mentionOn?: "critical" | "drop";
+        };
+        telegram?: {
+            botToken: string;
+            chatId: string;
+        };
+        onEvents: NotifyEvent[];
+    };
+    fix?: {
+        autoApply?: boolean;
+        dryRunFirst?: boolean;
+        skipFixers?: FixerCategory[];
+        requireApproval?: FixerCategory[];
+    };
+}
+export type NotifyEvent = "scan-complete" | "score-drop" | "score-improve" | "critical-found" | "fix-applied" | "fix-failed" | "schedule-missed";
+export interface NotifyPayload {
+    event: NotifyEvent;
+    timestamp: string;
+    projectName: string;
+    projectHash: string;
+    score: number;
+    previousScore: number | null;
+    delta: number;
+    critical: number;
+    high: number;
+    medium: number;
+    fixesApplied?: number;
+    fixesFailed?: number;
+    dashboardUrl?: string;
+    scanId: string;
+    proofHash: string;
+}
+export interface Fixer {
+    category: FixerCategory;
+    name: string;
+    nameHe: string;
+    /** Analyze scan results and generate a fix plan */
+    analyze(context: FixerContext): Promise<FixPlan>;
+    /** Apply the fix plan (or subset of actions) */
+    apply(plan: FixPlan, actionIds?: string[]): Promise<FixerResult>;
+    /** Verify fixes were applied correctly (re-scan specific controls) */
+    verify(result: FixerResult): Promise<boolean>;
+}
+export interface FixerContext {
+    projectDir: string;
+    dbUrl?: string;
+    config: CapsuleConfig;
+    scanResults: {
+        piiFields: Array<{
+            table: string;
+            column: string;
+            pii_type: string;
+            encrypted: boolean;
+            encryption_pattern: string | null;
+        }>;
+        routes: Array<{
+            path: string;
+            has_auth: boolean;
+            auth_type: string | null;
+        }>;
+        secrets: Array<{
+            file: string;
+            line: number;
+            type: string;
+            severity: string;
+            is_env_interpolated: boolean;
+        }>;
+        rls: Array<{
+            table: string;
+            rls_enabled: boolean;
+            policy_count: number;
+        }>;
+        framework: string;
+        database: string;
+    };
+    stack: {
+        framework: string;
+        database: string;
+        language: string;
+        hosting: string;
+    };
+}
+export interface CITemplate {
+    provider: "github-actions" | "gitlab-ci" | "bitbucket";
+    filename: string;
+    content: string;
+}

package/dist/fixers/types.js

@@ -0,0 +1,11 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// Guard Capsule — Fixer Types
+//
+// Every fixer follows the same pattern:
+//   analyze → plan → preview → apply → verify
+//
+// Fixers NEVER send data externally.
+// Fixers ALWAYS produce a proof of what changed.
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });