@nodatachat/guard 2.0.0

package/dist/reporter.d.ts

@@ -0,0 +1,28 @@
+import type { FullReport, MetadataReport, PIIFieldResult, RouteResult, SecretResult, RLSResult, InfraResult } from "./types";
+interface ReportInput {
+    scanId: string;
+    projectName: string;
+    projectHash: string;
+    scanType: "code" | "db" | "full";
+    scanDurationMs: number;
+    previousScore: number | null;
+    code?: {
+        filesScanned: number;
+        framework: string;
+        database: string;
+        piiFields: PIIFieldResult[];
+        routes: RouteResult[];
+        secrets: SecretResult[];
+    };
+    db?: {
+        tables: number;
+        piiFields: PIIFieldResult[];
+        rls: RLSResult[];
+        infra: InfraResult;
+    };
+}
+export declare function generateReports(input: ReportInput): {
+    full: FullReport;
+    metadata: MetadataReport;
+};
+export {};

package/dist/reporter.js

@@ -0,0 +1,185 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — Dual Report Generator
+//
+// Generates TWO reports from the same scan:
+//
+//   1. full-report.json   — STAYS LOCAL — customer sees everything
+//      Contains: actual field names, values context, full details
+//
+//   2. metadata-only.json — SENT TO NODATA — no data values
+//      Contains: table.column names, encrypted yes/no, counts
+//
+// The customer can diff the two files to see exactly what was redacted.
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateReports = generateReports;
+const crypto_1 = require("crypto");
+const GUARD_VERSION = "1.0.0";
+function generateReports(input) {
+    const now = new Date().toISOString();
+    // Merge PII fields from code + DB
+    const allPII = [];
+    const seenFields = new Set();
+    if (input.code) {
+        for (const f of input.code.piiFields) {
+            const key = `${f.table}.${f.column}`;
+            if (!seenFields.has(key)) {
+                seenFields.add(key);
+                allPII.push(f);
+            }
+        }
+    }
+    if (input.db) {
+        for (const f of input.db.piiFields) {
+            const key = `${f.table}.${f.column}`;
+            if (seenFields.has(key)) {
+                // DB result overrides code result (DB is ground truth)
+                const idx = allPII.findIndex(p => `${p.table}.${p.column}` === key);
+                if (idx >= 0)
+                    allPII[idx] = { ...allPII[idx], ...f, encrypted: f.encrypted || allPII[idx].encrypted };
+            }
+            else {
+                seenFields.add(key);
+                allPII.push(f);
+            }
+        }
+    }
+    // Calculate scores
+    const totalPII = allPII.length;
+    const encryptedPII = allPII.filter(f => f.encrypted).length;
+    const plaintextPII = totalPII - encryptedPII;
+    const encCoverage = totalPII > 0 ? Math.round((encryptedPII / totalPII) * 100) : 100;
+    const totalRoutes = input.code?.routes.length || 0;
+    const protectedRoutes = input.code?.routes.filter(r => r.has_auth).length || 0;
+    const routeProtection = totalRoutes > 0 ? Math.round((protectedRoutes / totalRoutes) * 100) : 100;
+    const criticalSecrets = input.code?.secrets.filter(s => s.severity === "critical" && !s.is_env_interpolated).length || 0;
+    const highSecrets = input.code?.secrets.filter(s => s.severity === "high" && !s.is_env_interpolated).length || 0;
+    const medSecrets = input.code?.secrets.filter(s => s.severity === "medium" && !s.is_env_interpolated).length || 0;
+    // Overall score: weighted average
+    const encWeight = 0.5; // encryption is most important
+    const routeWeight = 0.25;
+    const secretWeight = 0.25;
+    const secretScore = Math.max(0, 100 - (criticalSecrets * 25 + highSecrets * 10 + medSecrets * 3));
+    const overallScore = Math.round(encCoverage * encWeight + routeProtection * routeWeight + secretScore * secretWeight);
+    const improved = input.previousScore !== null && overallScore > input.previousScore;
+    // Proof hash
+    const proofData = allPII.map(f => `${f.table}.${f.column}:${f.encrypted}`).join("|") + `|${overallScore}|${now}`;
+    const proofHash = (0, crypto_1.createHash)("sha256").update(proofData).digest("hex");
+    // ── Build metadata report (what we send) ──
+    const metadata = {
+        version: "1.0",
+        scan_id: input.scanId,
+        generated_at: now,
+        project_hash: input.projectHash,
+        scan_type: input.scanType,
+        scan_duration_ms: input.scanDurationMs,
+        guard_version: GUARD_VERSION,
+        scores: {
+            overall: overallScore,
+            previous: input.previousScore,
+            improved,
+            delta: input.previousScore !== null ? overallScore - input.previousScore : 0,
+        },
+        code_summary: input.code ? {
+            files_scanned: input.code.filesScanned,
+            framework: input.code.framework,
+            database: input.code.database,
+            pii_fields_total: input.code.piiFields.length,
+            pii_fields_encrypted: input.code.piiFields.filter(f => f.encrypted).length,
+            encryption_coverage_percent: encCoverage,
+            routes_total: totalRoutes,
+            routes_protected: protectedRoutes,
+            route_protection_percent: routeProtection,
+            secrets_found: (input.code.secrets.filter(s => !s.is_env_interpolated)).length,
+            secrets_critical: criticalSecrets,
+            // Per-field summary — NO VALUES, just table.column + status
+            fields: input.code.piiFields.map(f => ({
+                table: f.table,
+                column: f.column,
+                pii_type: f.pii_type,
+                encrypted: f.encrypted,
+                pattern: f.encryption_pattern,
+            })),
+        } : null,
+        db_summary: input.db ? {
+            tables: input.db.tables,
+            pii_fields_total: input.db.piiFields.length,
+            pii_fields_encrypted: input.db.piiFields.filter(f => f.encrypted).length,
+            encryption_coverage_percent: input.db.piiFields.length > 0
+                ? Math.round((input.db.piiFields.filter(f => f.encrypted).length / input.db.piiFields.length) * 100)
+                : 100,
+            rls_tables_enabled: input.db.rls.filter(r => r.rls_enabled).length,
+            rls_tables_total: input.db.rls.length,
+            rls_coverage_percent: input.db.rls.length > 0
+                ? Math.round((input.db.rls.filter(r => r.rls_enabled).length / input.db.rls.length) * 100)
+                : 0,
+            db_version: input.db.infra.db_version,
+            ssl: input.db.infra.ssl,
+            has_encrypt_functions: input.db.infra.encrypt_functions,
+            trigger_count: input.db.infra.trigger_count,
+        } : null,
+        issues: {
+            critical: criticalSecrets,
+            high: highSecrets + plaintextPII,
+            medium: medSecrets,
+            fixes_available: plaintextPII, // each plaintext field has a migration fix
+        },
+        proof_hash: proofHash,
+        privacy: {
+            contains_data_values: false,
+            contains_connection_strings: false,
+            contains_credentials: false,
+            contains_source_code: false,
+            contains_file_contents: false,
+            customer_can_verify: true,
+        },
+    };
+    // ── Build full report (stays local) ──
+    const full = {
+        version: "1.0",
+        scan_id: input.scanId,
+        generated_at: now,
+        project_name: input.projectName,
+        scan_type: input.scanType,
+        scan_duration_ms: input.scanDurationMs,
+        overall_score: overallScore,
+        previous_score: input.previousScore,
+        improved,
+        code: input.code ? {
+            files_scanned: input.code.filesScanned,
+            framework: input.code.framework,
+            database: input.code.database,
+            pii_fields: input.code.piiFields,
+            routes: input.code.routes,
+            secrets: input.code.secrets,
+            encryption_coverage_percent: encCoverage,
+            route_protection_percent: routeProtection,
+        } : null,
+        db: input.db ? {
+            tables: input.db.tables,
+            pii_fields: input.db.piiFields,
+            rls: input.db.rls,
+            infra: input.db.infra,
+            encryption_coverage_percent: input.db.piiFields.length > 0
+                ? Math.round((input.db.piiFields.filter(f => f.encrypted).length / input.db.piiFields.length) * 100)
+                : 100,
+            rls_coverage_percent: input.db.rls.length > 0
+                ? Math.round((input.db.rls.filter(r => r.rls_enabled).length / input.db.rls.length) * 100)
+                : 0,
+        } : null,
+        summary: {
+            total_pii_fields: totalPII,
+            encrypted_fields: encryptedPII,
+            plaintext_fields: plaintextPII,
+            coverage_percent: encCoverage,
+            critical_issues: criticalSecrets,
+            high_issues: highSecrets + plaintextPII,
+            medium_issues: medSecrets,
+            fixes_available: plaintextPII,
+        },
+        proof_hash: proofHash,
+        metadata_preview: metadata,
+    };
+    return { full, metadata };
+}

package/dist/types.d.ts

@@ -0,0 +1,154 @@
+export interface ActivationRequest {
+    license_key: string;
+    project_hash: string;
+    guard_version: string;
+    scan_type: "code" | "db" | "full";
+}
+export interface ActivationResponse {
+    success: boolean;
+    activation_key: string;
+    tier: string;
+    features: string[];
+    scan_id: string;
+    expires_at: string;
+    error?: string;
+}
+export interface PIIFieldResult {
+    table: string;
+    column: string;
+    pii_type: string;
+    encrypted: boolean;
+    encryption_pattern: string | null;
+    has_companion_column: boolean;
+    row_count: number;
+    encrypted_count: number;
+}
+export interface RouteResult {
+    path: string;
+    has_auth: boolean;
+    auth_type: string | null;
+}
+export interface SecretResult {
+    file: string;
+    line: number;
+    type: string;
+    severity: "critical" | "high" | "medium";
+    is_env_interpolated: boolean;
+}
+export interface RLSResult {
+    table: string;
+    rls_enabled: boolean;
+    policy_count: number;
+}
+export interface InfraResult {
+    db_type: string;
+    db_version: string;
+    ssl: boolean;
+    has_pgcrypto: boolean;
+    encrypt_functions: boolean;
+    trigger_count: number;
+}
+export interface FullReport {
+    version: "1.0";
+    scan_id: string;
+    generated_at: string;
+    project_name: string;
+    scan_type: "code" | "db" | "full";
+    scan_duration_ms: number;
+    overall_score: number;
+    previous_score: number | null;
+    improved: boolean;
+    code: {
+        files_scanned: number;
+        framework: string;
+        database: string;
+        pii_fields: PIIFieldResult[];
+        routes: RouteResult[];
+        secrets: SecretResult[];
+        encryption_coverage_percent: number;
+        route_protection_percent: number;
+    } | null;
+    db: {
+        tables: number;
+        pii_fields: PIIFieldResult[];
+        rls: RLSResult[];
+        infra: InfraResult;
+        encryption_coverage_percent: number;
+        rls_coverage_percent: number;
+    } | null;
+    summary: {
+        total_pii_fields: number;
+        encrypted_fields: number;
+        plaintext_fields: number;
+        coverage_percent: number;
+        critical_issues: number;
+        high_issues: number;
+        medium_issues: number;
+        fixes_available: number;
+    };
+    proof_hash: string;
+    metadata_preview: MetadataReport;
+}
+export interface MetadataReport {
+    version: "1.0";
+    scan_id: string;
+    generated_at: string;
+    project_hash: string;
+    scan_type: "code" | "db" | "full";
+    scan_duration_ms: number;
+    guard_version: string;
+    scores: {
+        overall: number;
+        previous: number | null;
+        improved: boolean;
+        delta: number;
+    };
+    code_summary: {
+        files_scanned: number;
+        framework: string;
+        database: string;
+        pii_fields_total: number;
+        pii_fields_encrypted: number;
+        encryption_coverage_percent: number;
+        routes_total: number;
+        routes_protected: number;
+        route_protection_percent: number;
+        secrets_found: number;
+        secrets_critical: number;
+        fields: Array<{
+            table: string;
+            column: string;
+            pii_type: string;
+            encrypted: boolean;
+            pattern: string | null;
+        }>;
+    } | null;
+    db_summary: {
+        tables: number;
+        pii_fields_total: number;
+        pii_fields_encrypted: number;
+        encryption_coverage_percent: number;
+        rls_tables_enabled: number;
+        rls_tables_total: number;
+        rls_coverage_percent: number;
+        db_version: string;
+        ssl: boolean;
+        has_encrypt_functions: boolean;
+        trigger_count: number;
+    } | null;
+    issues: {
+        critical: number;
+        high: number;
+        medium: number;
+        fixes_available: number;
+    };
+    proof_hash: string;
+    privacy: {
+        contains_data_values: false;
+        contains_connection_strings: false;
+        contains_credentials: false;
+        contains_source_code: false;
+        contains_file_contents: false;
+        customer_can_verify: true;
+    };
+}

package/dist/types.js

@@ -0,0 +1,5 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — Type Definitions
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "@nodatachat/guard",
+  "version": "2.0.0",
+  "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
+  "main": "./dist/cli.js",
+  "types": "./dist/cli.d.ts",
+  "bin": {
+    "nodata-guard": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "npx tsx src/cli.ts",
+    "scan": "npx tsx src/cli.ts --license-key NDC-DEV --skip-send",
+    "scan:plan": "npx tsx src/cli.ts --license-key NDC-DEV --skip-send --fix-plan",
+    "scan:fix": "npx tsx src/cli.ts --license-key NDC-DEV --skip-send --fix",
+    "prepublishOnly": "npm run build",
+    "start": "node dist/cli.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "pg": "^8.13.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "@types/pg": "^8.11.0",
+    "@types/node": "^22.0.0"
+  },
+  "keywords": [
+    "security",
+    "soc2",
+    "soc1",
+    "compliance",
+    "encryption",
+    "audit",
+    "pii",
+    "scanner",
+    "guard",
+    "nodata",
+    "privacy",
+    "gdpr",
+    "cicd",
+    "devsecops"
+  ],
+  "license": "SEE LICENSE IN LICENSE.md",
+  "homepage": "https://nodatachat.com/guard",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nodatachat/guard"
+  },
+  "bugs": {
+    "url": "https://github.com/nodatachat/guard/issues"
+  },
+  "author": "NoDataChat <support@nodatachat.com>"
+}