npm - @nodatachat/guard - Versions diffs - 2.1.0 → 2.2.0 - Mend

@nodatachat/guard 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -22,7 +22,6 @@ const activation_1 = require("./activation");
 const code_scanner_1 = require("./code-scanner");
 const db_scanner_1 = require("./db-scanner");
 const reporter_1 = require("./reporter");
-const registry_1 = require("./fixers/registry");
 const scheduler_1 = require("./fixers/scheduler");
 const VERSION = "2.0.0";
 async function main() {
@@ -35,10 +34,8 @@ async function main() {
     let failOn = null;
     let outputDir = process.cwd();
     let skipSend = false;
-    let fixMode = "none";
     let schedulePreset;
     let ciProvider;
-    let onlyFixers;
     for (let i = 0; i < args.length; i++) {
         switch (args[i]) {
             case "--license-key":
@@ -63,13 +60,14 @@ async function main() {
                 skipSend = true;
                 break;
             case "--fix-plan":
-                fixMode = "plan";
+                console.log("\n  ⚠  --fix-plan is deprecated. Capsule provides recommendations only.\n  Run without this flag to see recommendations.\n");
                 break;
             case "--fix":
-                fixMode = "apply";
+                console.log("\n  ⚠  --fix is deprecated. Capsule does not modify your code.\n  Recommendations are provided in the scan output.\n");
                 break;
             case "--fix-only":
-                onlyFixers = args[++i]?.split(",");
+                i++;
+                console.log("\n  ⚠  --fix-only is deprecated. Capsule provides recommendations only.\n");
                 break;
             case "--schedule":
                 schedulePreset = args[++i] || "weekly";
@@ -283,102 +281,48 @@ async function main() {
         console.log("  Your data never left your machine.");
         console.log("  Diff the two files to verify.\n");
     }
-    // ── Step 8: Capsule — Fix Plan / Apply ──
-    if (fixMode !== "none") {
-        const config = loadOrCreateConfig(projectDir, { dbUrl, failOn });
-        const fixerContext = {
-            projectDir,
-            dbUrl,
-            config,
-            scanResults: {
-                piiFields: piiFields.map(f => ({
-                    table: f.table, column: f.column, pii_type: f.pii_type,
-                    encrypted: f.encrypted, encryption_pattern: f.encryption_pattern,
-                })),
-                routes: routes.map(r => ({ path: r.path, has_auth: r.has_auth, auth_type: r.auth_type })),
-                secrets: secrets.map(s => ({
-                    file: s.file, line: s.line, type: s.type,
-                    severity: s.severity, is_env_interpolated: s.is_env_interpolated,
-                })),
-                rls: dbResult?.rls || [],
-                framework: stack.framework,
-                database: stack.database,
-            },
-            stack: {
-                framework: stack.framework,
-                database: stack.database,
-                language: "typescript",
-                hosting: "vercel",
-            },
-        };
-        const capsuleResult = await (0, registry_1.runCapsule)(fixerContext, {
-            mode: fixMode === "plan" ? "plan" : "apply",
-            fixers: onlyFixers,
-            dryRun: fixMode === "plan",
-        }, (msg) => log(ciMode, msg));
-        if (!ciMode) {
+    // ── Step 8: Recommendations ──
+    // NOTE: Capsule does NOT auto-fix code. We provide recommendations only.
+    // Applying fixes requires understanding of the target system — tables,
+    // relationships, business logic — and must be done by the customer's team.
+    if (!ciMode) {
+        const topFindings = metadata.findings || [];
+        if (topFindings.length > 0) {
             console.log("");
             console.log("  ══════════════════════════════════════");
-            console.log(`  CAPSULE ${fixMode === "plan" ? "PLAN" : "RESULTS"}`);
+            console.log("  RECOMMENDATIONS");
             console.log("  ══════════════════════════════════════");
-            console.log(`  Total actions:   ${capsuleResult.totalActions}`);
-            if (fixMode === "apply") {
-                console.log(`  Applied:         ${capsuleResult.applied}`);
-                console.log(`  Failed:          ${capsuleResult.failed}`);
-                console.log(`  Skipped:         ${capsuleResult.skipped}`);
+            console.log(`  ${topFindings.length} issues found. Top priorities:\n`);
+            const shown = topFindings.slice(0, 10);
+            for (const f of shown) {
+                const sev = f.severity === "critical" ? "\x1b[31mCRITICAL\x1b[0m"
+                    : f.severity === "high" ? "\x1b[33mHIGH\x1b[0m"
+                        : "\x1b[36mMEDIUM\x1b[0m";
+                console.log(`  ${sev}  ${f.title}`);
+                console.log(`         \x1b[32m→ ${f.fix_suggestion}\x1b[0m`);
+                if (f.soc_control)
+                    console.log(`         SOC: ${f.soc_control}`);
+                console.log("");
             }
-            console.log(`  Manual pending:  ${capsuleResult.manualPending}`);
-            console.log(`  Est. impact:     +${capsuleResult.estimatedScoreImpact}% score`);
-            console.log(`  Proof hash:      ${capsuleResult.proofHash.slice(0, 16)}...`);
-            console.log("  ──────────────────────────────────────");
-            // Print per-fixer summary
-            for (const plan of capsuleResult.plans) {
-                const icon = plan.actions.every(a => a.status === "applied") ? "✅"
-                    : plan.actions.some(a => a.status === "failed") ? "❌" : "📋";
-                console.log(`  ${icon} ${plan.nameHe}: ${plan.totalActions} actions (${plan.autoFixable} auto, ${plan.manualRequired} manual)`);
+            if (topFindings.length > 10) {
+                console.log(`  ... and ${topFindings.length - 10} more. See full report.\n`);
             }
+            console.log("  ──────────────────────────────────────");
+            console.log("  ⚠  Capsule provides recommendations only.");
+            console.log("     Fixes require understanding of your system —");
+            console.log("     tables, relationships, and business logic.");
+            console.log("     Work with your team to apply changes safely.");
             console.log("  ══════════════════════════════════════\n");
-            // Write fix plans to output dir
-            if (capsuleResult.plans.length > 0) {
-                const plansPath = (0, path_1.resolve)(outputDir, "nodata-fix-plan.json");
-                (0, fs_1.writeFileSync)(plansPath, JSON.stringify(capsuleResult, null, 2), "utf-8");
-                log(ciMode, `Fix plan saved: ${plansPath}`);
-                // Write SQL migrations to files
-                for (const plan of capsuleResult.plans) {
-                    for (const action of plan.actions) {
-                        if (action.type === "file-create" && action.target.includes("migrations/")) {
-                            const migPath = (0, path_1.resolve)(outputDir, action.target);
-                            const migDir = (0, path_1.resolve)(outputDir, "migrations");
-                            if (!(0, fs_1.existsSync)(migDir)) {
-                                const { mkdirSync } = require("fs");
-                                mkdirSync(migDir, { recursive: true });
-                            }
-                            (0, fs_1.writeFileSync)(migPath, action.content, "utf-8");
-                            log(ciMode, `Migration: ${migPath}`);
-                        }
-                    }
-                }
-            }
-        }
-        // Send notifications if configured
-        if (config.notify && fixMode === "apply") {
-            const notifyPayload = {
-                event: capsuleResult.applied > 0 ? "fix-applied" : "scan-complete",
-                timestamp: new Date().toISOString(),
-                projectName: full.project_name || "unknown",
-                projectHash: full.proof_hash?.slice(0, 16) || "",
+            // Save recommendations to file
+            const recsPath = (0, path_1.resolve)(outputDir, "nodata-recommendations.json");
+            (0, fs_1.writeFileSync)(recsPath, JSON.stringify({
+                generated_at: new Date().toISOString(),
                 score: full.overall_score,
-                previousScore: serverResponse.previous_score ?? null,
-                delta: serverResponse.previous_score != null ? full.overall_score - serverResponse.previous_score : 0,
-                critical: full.summary.critical_issues,
-                high: full.summary.high_issues,
-                medium: full.summary.medium_issues,
-                fixesApplied: capsuleResult.applied,
-                fixesFailed: capsuleResult.failed,
-                scanId: activation.scan_id,
-                proofHash: capsuleResult.proofHash,
-            };
-            await (0, registry_1.sendNotifications)(config, notifyPayload.event, notifyPayload, (msg) => log(ciMode, msg));
+                total_findings: topFindings.length,
+                disclaimer: "These are recommendations only. Capsule does not modify your code. Fixes require understanding of your system architecture, database schema, and business logic. Work with your development team to implement changes safely.",
+                recommendations: topFindings,
+            }, null, 2), "utf-8");
+            log(ciMode, `Recommendations: ${recsPath}`);
         }
     }
     // ── CI mode: exit code ──
@@ -425,14 +369,16 @@ function loadOrCreateConfig(projectDir, overrides) {
 }
 function printHelp() {
     console.log(`
-  NoData Guard v${VERSION} — Security Scanner + Auto-Remediation Capsule
+  NoData Guard v${VERSION} — Security Scanner + Recommendations
+  Scans your project locally for security issues and provides
+  actionable recommendations. Your code never leaves your machine.
+  Capsule does NOT modify your code — only you and your team can.
   Usage:
-    npx nodata-guard --license-key NDC-XXXX              # Scan only
-    npx nodata-guard --license-key NDC-XXXX --fix-plan    # Scan + show fix plan
-    npx nodata-guard --license-key NDC-XXXX --fix         # Scan + apply fixes
-    npx nodata-guard --license-key NDC-XXXX --schedule weekly  # Setup CI schedule
-    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix  # Full scan + fix
+    npx nodata-guard --license-key NDC-XXXX                          # Scan + recommend
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL       # Full scan (code + DB)
+    npx nodata-guard --license-key NDC-XXXX --schedule weekly        # Setup CI schedule
   Scan Options:
     --license-key <key>    NoData license key (or set NDC_LICENSE env var)
@@ -443,13 +389,6 @@ function printHelp() {
     --fail-on <level>      Exit 1 if issues at: critical | high | medium
     --skip-send            Don't send metadata to NoData
-  Capsule Options:
-    --fix-plan             Generate fix plan (dry-run, no changes)
-    --fix                  Apply all auto-fixable remediation
-    --fix-only <fixers>    Only run specific fixers (comma-separated)
-                           Fixers: pii-encrypt, rls, secrets, routes-auth,
-                                   headers, csrf, rate-limit, gitignore
   Schedule Options:
     --schedule <preset>    Install CI workflow: daily | weekly | monthly
     --ci-provider <name>   CI provider: github-actions | gitlab-ci | bitbucket | auto
@@ -458,28 +397,36 @@ function printHelp() {
     Configure in .nodata-guard.json → notify: { email, webhook, slack, telegram }
   Output files:
-    nodata-full-report.json      Full report — STAYS LOCAL
-    nodata-metadata-only.json    Metadata only — sent to NoData
-    nodata-fix-plan.json         Fix plan with actions
-    migrations/*.sql             Generated SQL migrations
+    nodata-full-report.json          Full report — STAYS LOCAL
+    nodata-metadata-only.json        Metadata only — sent to dashboard
+    nodata-recommendations.json      Prioritized recommendations
-  What we NEVER receive:
-    Data values, emails, phones, passwords, source code, connection strings.
+  What we provide:
+    ✓ Scan — find weak points (PII, routes, secrets, encryption)
+    ✓ Recommend — prioritized actions with SOC control mapping
+    ✓ Prove — cryptographic proof chain of scan results
+    ✓ Monitor — track score over time via dashboard
+  What we NEVER do:
+    ✗ Modify your code, database, or configuration
+    ✗ Receive data values, source code, or credentials
+  Important:
+    Recommendations require understanding of YOUR system —
+    tables, relationships, business logic. Work with your team
+    to implement changes safely.
   Examples:
-    # Quick scan
+    # Scan and get recommendations
     npx nodata-guard --license-key NDC-XXXX
-    # Full scan + DB probe + fix
-    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL --fix
-    # Only fix security headers and CSRF
-    npx nodata-guard --license-key NDC-XXXX --fix --fix-only headers,csrf
+    # Full scan with DB probe
+    npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL
     # Setup weekly CI scan with GitHub Actions
     npx nodata-guard --license-key NDC-XXXX --schedule weekly
-    # CI pipeline
+    # CI pipeline — fail on critical issues
     npx nodata-guard --ci --fail-on critical
   Documentation: https://nodatacapsule.com/guard

package/dist/reporter.js CHANGED Viewed

@@ -123,7 +123,7 @@ function generateReports(input) {
             critical: criticalSecrets,
             high: highSecrets + plaintextPII,
             medium: medSecrets,
-            fixes_available: plaintextPII, // each plaintext field has a migration fix
+            recommendations_available: plaintextPII, // each plaintext field has a recommendation
         },
         // Fix suggestions — safe to send (just recommendation text, no code/values)
         findings: [
@@ -203,7 +203,7 @@ function generateReports(input) {
             critical_issues: criticalSecrets,
             high_issues: highSecrets + plaintextPII,
             medium_issues: medSecrets,
-            fixes_available: plaintextPII,
+            recommendations_available: plaintextPII,
         },
         proof_hash: proofHash,
         metadata_preview: metadata,

package/dist/types.d.ts CHANGED Viewed

@@ -84,7 +84,7 @@ export interface FullReport {
         critical_issues: number;
         high_issues: number;
         medium_issues: number;
-        fixes_available: number;
+        recommendations_available: number;
     };
     proof_hash: string;
     metadata_preview: MetadataReport;
@@ -140,7 +140,7 @@ export interface MetadataReport {
         critical: number;
         high: number;
         medium: number;
-        fixes_available: number;
+        recommendations_available: number;
     };
     findings: Array<{
         severity: "critical" | "high" | "medium" | "low";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nodatachat/guard",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
   "main": "./dist/cli.js",
   "types": "./dist/cli.d.ts",