npm - @nodatachat/guard - Versions diffs - 2.2.0 → 2.4.0 - Mend

@nodatachat/guard 2.2.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/cli.js CHANGED Viewed

@@ -18,14 +18,32 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const path_1 = require("path");
 const fs_1 = require("fs");
+const crypto_1 = require("crypto");
 const activation_1 = require("./activation");
 const code_scanner_1 = require("./code-scanner");
 const db_scanner_1 = require("./db-scanner");
 const reporter_1 = require("./reporter");
 const scheduler_1 = require("./fixers/scheduler");
-const VERSION = "2.0.0";
+const vault_crypto_1 = require("./vault-crypto");
+const capsule_dir_1 = require("./capsule-dir");
+const VERSION = "2.4.0";
 async function main() {
     const args = process.argv.slice(2);
+    // ── Subcommand routing ──
+    const subcommand = args[0];
+    if (subcommand === "status") {
+        const dir = args.includes("--dir") ? (0, path_1.resolve)(args[args.indexOf("--dir") + 1]) : process.cwd();
+        (0, capsule_dir_1.printFullStatus)(dir);
+        return;
+    }
+    if (subcommand === "diff") {
+        const dir = args.includes("--dir") ? (0, path_1.resolve)(args[args.indexOf("--dir") + 1]) : process.cwd();
+        (0, capsule_dir_1.printDiff)(dir);
+        return;
+    }
+    if (subcommand === "attest") {
+        return handleAttest(args.slice(1));
+    }
     // Parse args
     let licenseKey;
     let dbUrl;
@@ -34,6 +52,8 @@ async function main() {
     let failOn = null;
     let outputDir = process.cwd();
     let skipSend = false;
+    let vaultPin;
+    let vaultDevice;
     let schedulePreset;
     let ciProvider;
     for (let i = 0; i < args.length; i++) {
@@ -59,6 +79,12 @@ async function main() {
             case "--skip-send":
                 skipSend = true;
                 break;
+            case "--vault-pin":
+                vaultPin = args[++i];
+                break;
+            case "--vault-device":
+                vaultDevice = args[++i];
+                break;
             case "--fix-plan":
                 console.log("\n  ⚠  --fix-plan is deprecated. Capsule provides recommendations only.\n  Run without this flag to see recommendations.\n");
                 break;
@@ -166,6 +192,9 @@ async function main() {
         process.exit(1);
     }
     log(ciMode, `Activated. Tier: ${activation.tier} | Scan ID: ${activation.scan_id}`);
+    // ── Step 1.5: Initialize .capsule/ directory ──
+    const capsuleDir = (0, capsule_dir_1.initCapsuleDir)(projectDir, licenseKey);
+    log(ciMode, `.capsule/ directory ready: ${capsuleDir}`);
     // ── Step 2: Code scan ──
     log(ciMode, "Scanning code...");
     const files = (0, code_scanner_1.readProjectFiles)(projectDir, (count) => {
@@ -175,7 +204,7 @@ async function main() {
     if (!ciMode)
         console.log("");
     log(ciMode, `Scanned ${files.length} files`);
-    const piiFields = (0, code_scanner_1.scanPIIFields)(files);
+    const piiFields = (0, code_scanner_1.scanPIIFields)(files, projectDir);
     const routes = (0, code_scanner_1.scanRoutes)(files);
     const secrets = (0, code_scanner_1.scanSecrets)(files);
     const stack = (0, code_scanner_1.detectStack)(files);
@@ -229,6 +258,59 @@ async function main() {
     (0, fs_1.writeFileSync)(metaPath, JSON.stringify(metadata, null, 2), "utf-8");
     log(ciMode, `Full report:     ${fullPath}`);
     log(ciMode, `Metadata only:   ${metaPath}`);
+    // ── Step 5.5: Save to .capsule/ ──
+    try {
+        // Save score snapshot
+        (0, capsule_dir_1.saveScore)(capsuleDir, {
+            date: new Date().toISOString().slice(0, 10),
+            score: full.overall_score,
+            code_score: full.code_score ?? null,
+            db_score: full.db_score ?? null,
+            pii_total: full.summary.total_pii_fields,
+            pii_encrypted: full.summary.encrypted_fields,
+            coverage_percent: full.summary.coverage_percent,
+            findings_count: metadata.findings?.length || 0,
+            critical: full.summary.critical_issues,
+            high: full.summary.high_issues,
+            medium: full.summary.medium_issues ?? 0,
+            low: full.summary.low_issues ?? 0,
+            scan_type: dbUrl ? "full" : "code",
+            guard_version: VERSION,
+        });
+        // Update proof.json from DB results (if DB scan was done)
+        if (full.db?.pii_fields) {
+            const proofFields = full.db.pii_fields
+                .filter((f) => f.encrypted && f.encryption_pattern)
+                .map((f) => ({
+                table: f.table,
+                column: f.column,
+                pattern: f.encryption_pattern,
+                sentinel_prefix: f.sentinel_prefix || f.encryption_pattern,
+                row_count: f.row_count || 0,
+                encrypted_count: f.encrypted_count || 0,
+            }));
+            if (proofFields.length > 0) {
+                (0, capsule_dir_1.updateProof)(capsuleDir, proofFields);
+                log(ciMode, `Updated proof.json: ${proofFields.length} DB-verified encrypted fields`);
+            }
+        }
+        // Log scan as evidence
+        const deviceHash = (0, crypto_1.createHash)("sha256")
+            .update(`capsule:device:${require("os").hostname()}`)
+            .digest("hex").slice(0, 12);
+        (0, capsule_dir_1.addEvidence)(capsuleDir, licenseKey, {
+            date: new Date().toISOString(),
+            action: "scan_completed",
+            category: "scan",
+            detail: `Guard v${VERSION} scan: score ${full.overall_score}%, ${metadata.findings?.length || 0} findings, ${full.summary.encrypted_fields}/${full.summary.total_pii_fields} PII encrypted`,
+            impact: `Score: ${full.overall_score}%`,
+            attested_by: deviceHash,
+        });
+        log(ciMode, "Evidence saved to .capsule/");
+    }
+    catch (err) {
+        log(ciMode, `.capsule/ save failed (non-blocking): ${err instanceof Error ? err.message : err}`);
+    }
     // ── Step 6: Send metadata to NoData ──
     let serverResponse = {};
     if (!skipSend) {
@@ -257,13 +339,67 @@ async function main() {
             log(ciMode, "Could not reach NoData API — report saved locally");
         }
     }
-    // ── Step 7: Print summary ──
+    // ── Step 6b: Encrypt & upload to vault (if --vault-pin) ──
+    let vaultUploaded = false;
+    if (vaultPin && !skipSend) {
+        log(ciMode, "Encrypting full report for vault...");
+        try {
+            const fullJson = JSON.stringify(full);
+            const { ciphertext, iv, salt } = (0, vault_crypto_1.encryptForVault)(vaultPin, fullJson);
+            const vaultRes = await fetch("https://nodatacapsule.com/api/guard/vault", {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "X-License-Key": licenseKey || "",
+                },
+                body: JSON.stringify({
+                    encrypted_blob: ciphertext,
+                    iv,
+                    salt,
+                    score: full.overall_score,
+                    findings_count: metadata.findings?.length || 0,
+                    scan_id: activation.scan_id,
+                    device_id: vaultDevice || undefined,
+                }),
+                signal: AbortSignal.timeout(15000),
+            });
+            if (vaultRes.ok) {
+                vaultUploaded = true;
+                log(ciMode, "Report encrypted & saved to vault");
+            }
+            else {
+                const errBody = await vaultRes.text().catch(() => "");
+                log(ciMode, `Vault upload failed (${vaultRes.status}): ${errBody}`);
+            }
+        }
+        catch (err) {
+            log(ciMode, `Vault upload error: ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    // ── Step 7: Print summary with two-score display ──
+    const codeScore = full.code ? Math.round((full.code.encryption_coverage_percent * 0.5) +
+        (full.code.route_protection_percent * 0.25) +
+        (Math.max(0, 100 - (full.summary.critical_issues * 25 + full.summary.high_issues * 10)) * 0.25)) : null;
+    const dbScore = full.db ? Math.round((full.db.encryption_coverage_percent * 0.6) +
+        (full.db.rls_coverage_percent * 0.4)) : null;
+    // Attach to full report for .capsule/ storage
+    full.code_score = codeScore;
+    full.db_score = dbScore;
     if (!ciMode) {
         console.log("");
         console.log("  ══════════════════════════════════════");
         console.log("  GUARD RESULTS");
         console.log("  ══════════════════════════════════════");
-        console.log(`  Score:           ${full.overall_score}%${serverResponse.previous_score != null ? ` (was ${serverResponse.previous_score}%)` : ""}`);
+        console.log(`  Overall score:   \x1b[1m${full.overall_score}%\x1b[0m${serverResponse.previous_score != null ? ` (was ${serverResponse.previous_score}%)` : ""}`);
+        if (codeScore != null) {
+            console.log(`  Code score:      ${codeScore}%`);
+        }
+        if (dbScore != null) {
+            console.log(`  DB score:        ${dbScore}%`);
+        }
+        if (codeScore != null && dbScore != null) {
+            console.log("  ──────────────────────────────────────");
+        }
         console.log(`  PII fields:      ${full.summary.encrypted_fields}/${full.summary.total_pii_fields} encrypted (${full.summary.coverage_percent}%)`);
         if (full.code) {
             console.log(`  Routes:          ${full.code.routes.filter(r => r.has_auth).length}/${full.code.routes.length} protected`);
@@ -278,6 +414,9 @@ async function main() {
         console.log(`  Sent to NoData:  ${metaPath}`);
         console.log(`  Proof hash:      ${full.proof_hash.slice(0, 16)}...`);
         console.log("  ══════════════════════════════════════");
+        if (vaultUploaded) {
+            console.log("  Vault:           Encrypted & saved to dashboard");
+        }
         console.log("  Your data never left your machine.");
         console.log("  Diff the two files to verify.\n");
     }
@@ -325,6 +464,83 @@ async function main() {
             log(ciMode, `Recommendations: ${recsPath}`);
         }
     }
+    // ── Step 8.5: Remediation Guide (non-CI) ──
+    if (!ciMode && metadata.findings?.length > 0) {
+        const fs = metadata.findings;
+        const hasPII = fs.some((f) => f.category === "encryption" || f.title?.toLowerCase().includes("pii") || f.title?.toLowerCase().includes("encrypt"));
+        const hasRLS = fs.some((f) => f.title?.toLowerCase().includes("rls") || f.title?.toLowerCase().includes("row level") || f.category === "access_control");
+        const hasSecrets = fs.some((f) => f.title?.toLowerCase().includes("secret") || f.title?.toLowerCase().includes("hardcoded") || f.category === "secrets");
+        const hasHeaders = fs.some((f) => f.title?.toLowerCase().includes("header") || f.category === "headers");
+        if (hasPII || hasRLS || hasSecrets || hasHeaders) {
+            console.log("  ══════════════════════════════════════");
+            console.log("  \x1b[33mREMEDIATION GUIDE\x1b[0m — General commands");
+            console.log("  ══════════════════════════════════════");
+            console.log("  \x1b[2mThese are general recommendations.");
+            console.log("  A qualified technical professional should review");
+            console.log("  and adapt them to your specific system.\x1b[0m\n");
+            if (hasPII) {
+                console.log("  \x1b[33m── ENCRYPT PII FIELDS ──\x1b[0m");
+                console.log("  \x1b[36mOption A:\x1b[0m Database-level (PostgreSQL)");
+                console.log("    CREATE EXTENSION IF NOT EXISTS pgcrypto;");
+                console.log("    ALTER TABLE <table> ADD COLUMN <field>_encrypted BYTEA;");
+                console.log("    UPDATE <table> SET <field>_encrypted =");
+                console.log("      pgp_sym_encrypt(<field>::TEXT, '<key>');");
+                console.log("");
+                console.log("  \x1b[36mOption B:\x1b[0m Application-level (Capsule SDK)");
+                console.log("    npm install @nodatachat/sdk");
+                console.log("    encrypt(value, process.env.FIELD_ENCRYPTION_KEY)");
+                console.log("");
+                console.log("  \x1b[36mOption C:\x1b[0m Encrypt .env at rest");
+                console.log("    npx @nodatachat/protect encrypt .env\n");
+            }
+            if (hasRLS) {
+                console.log("  \x1b[33m── ROW LEVEL SECURITY ──\x1b[0m");
+                console.log("    ALTER TABLE <table> ENABLE ROW LEVEL SECURITY;");
+                console.log("    ALTER TABLE <table> FORCE ROW LEVEL SECURITY;");
+                console.log("    CREATE POLICY \"users_own\" ON <table>");
+                console.log("      FOR ALL USING (user_id = auth.uid());\n");
+            }
+            if (hasSecrets) {
+                console.log("  \x1b[33m── REMOVE SECRETS FROM CODE ──\x1b[0m");
+                console.log("    1. Move to .env.local");
+                console.log("    2. Reference: process.env.SECRET_NAME");
+                console.log("    3. echo '.env*.local' >> .gitignore");
+                console.log("    4. npx @nodatachat/protect encrypt .env\n");
+            }
+            if (hasHeaders) {
+                console.log("  \x1b[33m── SECURITY HEADERS ──\x1b[0m");
+                console.log("    Strict-Transport-Security: max-age=63072000");
+                console.log("    X-Content-Type-Options: nosniff");
+                console.log("    X-Frame-Options: DENY");
+                console.log("    Referrer-Policy: strict-origin-when-cross-origin\n");
+            }
+            console.log("  ──────────────────────────────────────\n");
+        }
+    }
+    // ── Step 9: What's next (non-CI) ──
+    if (!ciMode) {
+        console.log("  ══════════════════════════════════════");
+        console.log("  WHAT TO DO NEXT");
+        console.log("  ══════════════════════════════════════");
+        if (vaultUploaded) {
+            console.log("  1. Open your dashboard: https://nodatacapsule.com/my-capsule");
+            console.log("  2. Go to the \x1b[36mVault\x1b[0m tab");
+            console.log("  3. Enter your PIN to see the full report");
+            console.log("  4. Share the score with your team (no sensitive data)");
+            console.log("  5. Fix findings and re-scan to improve your score\n");
+        }
+        else {
+            console.log("  1. Review \x1b[36mnodata-full-report.json\x1b[0m (stays local)");
+            console.log("  2. Open your dashboard: https://nodatacapsule.com/my-capsule");
+            console.log("  3. Share the score with your team");
+            console.log("  4. Fix findings and re-scan to improve your score");
+            console.log("");
+            console.log("  \x1b[33mTip:\x1b[0m Add \x1b[36m--vault-pin 1234\x1b[0m to auto-encrypt");
+            console.log("  and upload the full report to your vault.\n");
+        }
+    }
+    // ── Step 10: Print .capsule/ status ──
+    (0, capsule_dir_1.printCapsuleStatus)(projectDir, ciMode);
     // ── CI mode: exit code ──
     if (ciMode && failOn) {
         const { critical_issues, high_issues, medium_issues } = full.summary;
@@ -367,6 +583,85 @@ function loadOrCreateConfig(projectDir, overrides) {
         },
     });
 }
+function handleAttest(args) {
+    let licenseKey;
+    let projectDir = process.cwd();
+    let findingId;
+    let status = "fixed";
+    let note = "";
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case "--license-key":
+                licenseKey = args[++i];
+                break;
+            case "--dir":
+                projectDir = (0, path_1.resolve)(args[++i]);
+                break;
+            case "--finding":
+                findingId = args[++i];
+                break;
+            case "--status":
+                status = args[++i];
+                break;
+            case "--note":
+                note = args[++i];
+                break;
+        }
+    }
+    // Env / config fallbacks for license key
+    if (!licenseKey)
+        licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY || process.env.NODATA_API_KEY || process.env.NDC_API_KEY;
+    if (!licenseKey) {
+        try {
+            const home = process.env.HOME || process.env.USERPROFILE || "";
+            const configPath = require("path").join(home, ".nodata", "config.json");
+            if (require("fs").existsSync(configPath)) {
+                const config = JSON.parse(require("fs").readFileSync(configPath, "utf-8"));
+                if (config.api_key)
+                    licenseKey = config.api_key;
+            }
+        }
+        catch { /* ignore */ }
+    }
+    if (!licenseKey) {
+        console.error("\n  \x1b[31m✗\x1b[0m No API key found. Pass --license-key or set NDC_LICENSE.\n");
+        process.exit(1);
+    }
+    if (!findingId) {
+        console.error("\n  \x1b[31m✗\x1b[0m Missing --finding <id>.");
+        console.error("  Example finding IDs: PII_UNENCRYPTED_email, ROUTE_NO_AUTH, SECRET_POSTGRES_URI");
+        console.error("\n  Usage:");
+        console.error("    npx nodata-guard attest --finding PII_UNENCRYPTED_email --status fixed --note \"Encrypted with pgcrypto\"");
+        console.error("\n  Statuses: fixed | accepted_risk | not_applicable | compensating_control\n");
+        process.exit(1);
+    }
+    if (!note) {
+        console.error("\n  \x1b[31m✗\x1b[0m Missing --note <description>. Explain what was done.\n");
+        process.exit(1);
+    }
+    const validStatuses = ["fixed", "accepted_risk", "not_applicable", "compensating_control"];
+    if (!validStatuses.includes(status)) {
+        console.error(`\n  \x1b[31m✗\x1b[0m Invalid status "${status}". Use: ${validStatuses.join(" | ")}\n`);
+        process.exit(1);
+    }
+    (0, capsule_dir_1.attestFinding)(projectDir, licenseKey, findingId, status, note);
+    const statusColor = status === "fixed" ? "\x1b[32m" : "\x1b[33m";
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║     NoData Guard — Attestation       ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    console.log(`  Finding:   ${findingId}`);
+    console.log(`  Status:    ${statusColor}${status}\x1b[0m`);
+    console.log(`  Note:      ${note}`);
+    console.log(`  Signed:    HMAC-SHA256 (license-key-bound)`);
+    console.log("");
+    console.log("  \x1b[32m✓\x1b[0m Saved to .capsule/overrides.json");
+    console.log("  \x1b[32m✓\x1b[0m Evidence logged to .capsule/evidence/");
+    console.log("");
+    console.log("  \x1b[2mCommit .capsule/ to git for audit trail.\x1b[0m");
+    console.log("  \x1b[2mRe-scan to see updated score.\x1b[0m\n");
+}
 function printHelp() {
     console.log(`
   NoData Guard v${VERSION} — Security Scanner + Recommendations
@@ -379,6 +674,17 @@ function printHelp() {
     npx nodata-guard --license-key NDC-XXXX                          # Scan + recommend
     npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL       # Full scan (code + DB)
     npx nodata-guard --license-key NDC-XXXX --schedule weekly        # Setup CI schedule
+    npx nodata-guard status                                          # Show .capsule/ status (no scan)
+    npx nodata-guard diff                                            # Compare last 2 scans
+    npx nodata-guard attest --finding ID --status fixed --note "..."  # Manual attestation
+  Subcommands:
+    status                 Show .capsule/ evidence (scores, proof, overrides) without scanning
+    diff                   Compare the last 2 scans — score delta, issues resolved/new
+    attest                 Manually attest a finding (saved to .capsule/overrides.json)
+      --finding <id>       Finding ID (e.g., PII_UNENCRYPTED_email, ROUTE_NO_AUTH)
+      --status <status>    fixed | accepted_risk | not_applicable | compensating_control
+      --note <text>        Explanation of what was done
   Scan Options:
     --license-key <key>    NoData license key (or set NDC_LICENSE env var)
@@ -388,6 +694,8 @@ function printHelp() {
     --ci                   CI mode — minimal output, exit codes
     --fail-on <level>      Exit 1 if issues at: critical | high | medium
     --skip-send            Don't send metadata to NoData
+    --vault-pin <pin>      Encrypt full report & save to vault (AES-256-GCM)
+    --vault-device <id>    Link vault report to your dashboard device
   Schedule Options:
     --schedule <preset>    Install CI workflow: daily | weekly | monthly
@@ -420,6 +728,9 @@ function printHelp() {
     # Scan and get recommendations
     npx nodata-guard --license-key NDC-XXXX
+    # Scan + auto-save encrypted report to vault
+    npx nodata-guard --license-key NDC-XXXX --vault-pin 1234
     # Full scan with DB probe
     npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL
@@ -429,6 +740,18 @@ function printHelp() {
     # CI pipeline — fail on critical issues
     npx nodata-guard --ci --fail-on critical
+    # Check .capsule/ status without scanning
+    npx nodata-guard status
+    # See what changed between last 2 scans
+    npx nodata-guard diff
+    # Attest that you fixed a finding
+    npx nodata-guard attest --finding PII_UNENCRYPTED_email --status fixed --note "Encrypted with pgcrypto in migration 042"
+    # Accept risk for a finding
+    npx nodata-guard attest --finding ROUTE_NO_AUTH --status accepted_risk --note "Public healthcheck endpoint, no auth needed"
   Documentation: https://nodatacapsule.com/guard
 `);
 }

package/dist/code-scanner.d.ts CHANGED Viewed

@@ -4,7 +4,7 @@ interface FileEntry {
     content: string;
 }
 export declare function readProjectFiles(projectDir: string, onProgress?: (count: number) => void): FileEntry[];
-export declare function scanPIIFields(files: FileEntry[]): PIIFieldResult[];
+export declare function scanPIIFields(files: FileEntry[], projectDir?: string): PIIFieldResult[];
 export declare function scanRoutes(files: FileEntry[]): RouteResult[];
 export declare function scanSecrets(files: FileEntry[]): SecretResult[];
 export declare function detectStack(files: FileEntry[]): {

package/dist/code-scanner.js CHANGED Viewed

@@ -18,6 +18,8 @@ exports.scanSecrets = scanSecrets;
 exports.detectStack = detectStack;
 const fs_1 = require("fs");
 const path_1 = require("path");
+const crypto_1 = require("crypto");
+const capsule_dir_1 = require("./capsule-dir");
 // ── File reading ──
 const SKIP_DIRS = new Set([
     "node_modules", ".git", ".next", ".nuxt", "dist", "build", "out",
@@ -97,7 +99,7 @@ function classifyColumn(col) {
     }
     return null;
 }
-function scanPIIFields(files) {
+function scanPIIFields(files, projectDir) {
     const fields = [];
     const seen = new Set();
     // Collect all column names to check for _encrypted companions
@@ -152,14 +154,14 @@ function scanPIIFields(files) {
     const encryptFiles = files.filter(f => /createCipheriv|encrypt|decrypt|encryptPII|nodata_encrypt/i.test(f.content));
     const proofFile = files.find(f => f.path.includes("nodata-proof.json"));
     const triggerFiles = files.filter(f => f.path.endsWith(".sql") && /trg_encrypt_/i.test(f.content));
-    // Parse proof file
+    // Parse legacy proof file (nodata-proof.json)
     const proofFields = new Set();
     if (proofFile) {
         try {
             const proof = JSON.parse(proofFile.content);
             if (proof.version === "1.0" && Array.isArray(proof.fields)) {
                 for (const f of proof.fields) {
-                    if (f.sentinel_encrypted?.startsWith("aes256gcm:v1:")) {
+                    if (f.sentinel_encrypted?.startsWith("aes256gcm:v1:") || f.sentinel_encrypted?.startsWith("enc:v1:") || f.sentinel_encrypted?.startsWith("ndc_enc_")) {
                         proofFields.add(`${f.table}.${f.column}`);
                     }
                 }
@@ -167,6 +169,27 @@ function scanPIIFields(files) {
         }
         catch { /* ignore */ }
     }
+    // Parse .capsule/proof.json (DB-verified encryption from previous scans)
+    // This allows code-only scans to recognize encryption verified by a previous --db scan
+    if (projectDir) {
+        const capsuleProof = (0, capsule_dir_1.readProof)(projectDir);
+        if (capsuleProof && capsuleProof.fields.length > 0) {
+            // capsule proof uses hashed names — we need to build a lookup by hash
+            const fieldHashMap = new Map(); // hash → "table.column"
+            for (const field of fields) {
+                const tableHash = (0, crypto_1.createHash)("sha256").update(`capsule:name:${field.table}`).digest("hex").slice(0, 16);
+                const colHash = (0, crypto_1.createHash)("sha256").update(`capsule:name:${field.column}`).digest("hex").slice(0, 16);
+                fieldHashMap.set(`${tableHash}:${colHash}`, `${field.table}.${field.column}`);
+            }
+            for (const pf of capsuleProof.fields) {
+                const key = `${pf.table_hash}:${pf.column_hash}`;
+                const realName = fieldHashMap.get(key);
+                if (realName && pf.coverage_percent >= 50) {
+                    proofFields.add(realName);
+                }
+            }
+        }
+    }
     // Parse trigger functions
     const triggerTables = new Set();
     for (const f of triggerFiles) {
@@ -201,7 +224,7 @@ function scanPIIFields(files) {
                 for (let i = 0; i < lines.length; i++) {
                     if (lines[i].includes(field.column)) {
                         const context = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join("\n");
-                        if (/createCipheriv|encrypt\(|encryptPII|nodata_encrypt|encryptField/i.test(context)) {
+                        if (/createCipheriv|encrypt\(|encryptPII|nodata_encrypt|encryptField|NoDataProxy|proxy\.seal|proxy\.unseal|enc:v1:/i.test(context)) {
                             field.encrypted = true;
                             field.encryption_pattern = "code_encrypt";
                             break;

package/dist/db-scanner.js CHANGED Viewed

@@ -6,7 +6,10 @@
 // READS ONLY:
 //   - Schema (table/column names, data types)
 //   - Counts (row counts, encrypted counts)
-//   - Prefixes (LEFT(value, 13) — detects "aes256gcm:v1:" without reading data)
+//   - Prefixes (LEFT(value, N) — detects encryption without reading data):
+//       "aes256gcm:v1:" (13 chars) — direct AES-256-GCM
+//       "enc:v1:"       (7 chars)  — Capsule Proxy encryption
+//       "ndc_enc_"      (8 chars)  — @nodatachat/protect format
 //   - System tables (pg_policies, pg_user, pg_settings, pg_extension)
 //
 // NEVER READS: actual data values, passwords, tokens, emails, phones
@@ -101,12 +104,18 @@ async function scanDatabase(connectionString, onProgress) {
             }
             for (const { col, isCompanion } of columnsToCheck) {
                 try {
-                    // SAFE: LEFT(value, 13) reads only the prefix — never actual data
+                    // SAFE: LEFT(value, N) reads only the prefix — never actual data
+                    // Detects multiple encryption formats:
+                    //   aes256gcm:v1:  — legacy direct encryption (13 chars)
+                    //   enc:v1:        — Capsule Proxy encryption (7 chars)
+                    //   ndc_enc_       — @nodatachat/protect format (8 chars)
                     const { rows } = await client.query(`
             SELECT
               count(*) as total,
               count(${quoteIdent(col)}) as non_null,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 13) = 'aes256gcm:v1:') as aes_gcm,
+              count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 7) = 'enc:v1:') as enc_v1,
+              count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 8) = 'ndc_enc_') as ndc_enc,
               count(*) FILTER (WHERE LENGTH(${quoteIdent(col)}::text) > 80
                 AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=]+$') as base64_long
             FROM ${quoteIdent(field.table)}
@@ -114,18 +123,26 @@ async function scanDatabase(connectionString, onProgress) {
                     const total = parseInt(rows[0].total);
                     const nonNull = parseInt(rows[0].non_null);
                     const aesGcm = parseInt(rows[0].aes_gcm);
+                    const encV1 = parseInt(rows[0].enc_v1);
+                    const ndcEnc = parseInt(rows[0].ndc_enc);
                     const b64 = parseInt(rows[0].base64_long);
-                    const encCount = aesGcm + b64;
+                    const encCount = aesGcm + encV1 + ndcEnc + b64;
+                    // Determine pattern name for reporting
+                    const pattern = aesGcm > 0 ? "aes256gcm:v1"
+                        : encV1 > 0 ? "enc:v1 (Capsule Proxy)"
+                            : ndcEnc > 0 ? "ndc_enc (Protect)"
+                                : b64 > 0 ? "base64_long"
+                                    : "unknown";
                     if (isCompanion && encCount > 0) {
                         field.encrypted = true;
-                        field.encryption_pattern = aesGcm > 0 ? "aes256gcm:v1" : "base64_long";
+                        field.encryption_pattern = pattern;
                         field.encrypted_count = encCount;
                     }
                     else if (!isCompanion) {
                         field.row_count = total;
                         if (encCount > 0 && encCount >= nonNull * 0.9) {
                             field.encrypted = true;
-                            field.encryption_pattern = aesGcm > 0 ? "aes256gcm:v1" : "base64_long";
+                            field.encryption_pattern = pattern;
                             field.encrypted_count = encCount;
                         }
                     }