@nodatachat/guard 2.3.0 → 2.5.0

package/dist/capsule-dir.d.ts

@@ -91,3 +91,14 @@ export declare function getScoreHistory(projectDir: string): ScoreSnapshot[];
  * Print .capsule/ status to terminal.
  */
 export declare function printCapsuleStatus(projectDir: string, ciMode: boolean): void;
+export declare function attestFinding(projectDir: string, licenseKey: string, findingId: string, status: Override["status"], note: string): void;
+/**
+ * Subcommand: guard status
+ * Print full .capsule/ status without running a scan.
+ */
+export declare function printFullStatus(projectDir: string): void;
+/**
+ * Subcommand: guard diff
+ * Show what changed between the two most recent scans.
+ */
+export declare function printDiff(projectDir: string): void;

package/dist/capsule-dir.js

@@ -30,6 +30,9 @@ exports.readProof = readProof;
 exports.readOverrides = readOverrides;
 exports.getScoreHistory = getScoreHistory;
 exports.printCapsuleStatus = printCapsuleStatus;
+exports.attestFinding = attestFinding;
+exports.printFullStatus = printFullStatus;
+exports.printDiff = printDiff;
 const path_1 = require("path");
 const fs_1 = require("fs");
 const crypto_1 = require("crypto");
@@ -200,7 +203,7 @@ function getScoreHistory(projectDir) {
     const scoresDir = (0, path_1.join)(projectDir, DIR_NAME, "scores");
     if (!(0, fs_1.existsSync)(scoresDir))
         return [];
-    const files = require("fs").readdirSync(scoresDir)
+    const files = (0, fs_1.readdirSync)(scoresDir)
         .filter((f) => f.endsWith(".json"))
         .sort();
     return files.map((f) => {
@@ -246,3 +249,217 @@ function printCapsuleStatus(projectDir, ciMode) {
     console.log("  \x1b[2mAll evidence stays local. Commit to git for audit trail.\x1b[0m");
     console.log("  ══════════════════════════════════════\n");
 }
+// ═══════════════════════════════════════════════════════════
+// Subcommand: guard attest
+//
+// Allows the user to manually attest that a finding has been
+// addressed. Creates a signed entry in overrides.json.
+// ═══════════════════════════════════════════════════════════
+function attestFinding(projectDir, licenseKey, findingId, status, note) {
+    const capsuleDir = (0, path_1.join)(projectDir, DIR_NAME);
+    if (!(0, fs_1.existsSync)(capsuleDir)) {
+        initCapsuleDir(projectDir, licenseKey);
+    }
+    const overridesPath = (0, path_1.join)(capsuleDir, "overrides.json");
+    const overrides = (0, fs_1.existsSync)(overridesPath)
+        ? JSON.parse((0, fs_1.readFileSync)(overridesPath, "utf-8"))
+        : { version: "1.0", overrides: [] };
+    const deviceHash = (0, crypto_1.createHash)("sha256")
+        .update(`capsule:device:${require("os").hostname()}`)
+        .digest("hex").slice(0, 12);
+    const now = new Date().toISOString();
+    const payload = JSON.stringify({ finding_id: findingId, status, note, attested_by: deviceHash, attested_at: now });
+    const hmac = signEvidence(payload, licenseKey);
+    // Update existing or add new
+    const existing = overrides.overrides.findIndex(o => o.finding_id === findingId);
+    const entry = { finding_id: findingId, status, note, attested_by: deviceHash, attested_at: now, hmac };
+    if (existing >= 0) {
+        overrides.overrides[existing] = entry;
+    }
+    else {
+        overrides.overrides.push(entry);
+    }
+    (0, fs_1.writeFileSync)(overridesPath, JSON.stringify(overrides, null, 2), "utf-8");
+    // Also log as evidence
+    addEvidence(capsuleDir, licenseKey, {
+        date: now,
+        action: "override_added",
+        category: status === "fixed" ? "remediation" : "risk_management",
+        detail: `Attested "${findingId}" as ${status}: ${note}`,
+        impact: `Override: ${status}`,
+        attested_by: deviceHash,
+    });
+}
+/**
+ * Subcommand: guard status
+ * Print full .capsule/ status without running a scan.
+ */
+function printFullStatus(projectDir) {
+    const capsuleDir = (0, path_1.join)(projectDir, DIR_NAME);
+    if (!(0, fs_1.existsSync)(capsuleDir)) {
+        console.log("\n  No .capsule/ directory found. Run a scan first.\n");
+        return;
+    }
+    const history = getScoreHistory(projectDir);
+    const proof = readProof(projectDir);
+    const overrides = readOverrides(projectDir);
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║      NoData Guard — Status           ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    // ── Score history ──
+    console.log("  \x1b[33m── SCORE HISTORY ──\x1b[0m");
+    if (history.length === 0) {
+        console.log("  No scans recorded yet.\n");
+    }
+    else {
+        const last = history[history.length - 1];
+        console.log(`  Latest score:    \x1b[1m${last.score}%\x1b[0m (${last.scan_type} scan, Guard v${last.guard_version})`);
+        console.log(`  Last scan date:  ${last.date}`);
+        console.log(`  Total scans:     ${history.length}`);
+        if (last.code_score != null)
+            console.log(`  Code score:      ${last.code_score}%`);
+        if (last.db_score != null)
+            console.log(`  DB score:        ${last.db_score}%`);
+        console.log(`  PII coverage:    ${last.pii_encrypted}/${last.pii_total} encrypted (${last.coverage_percent}%)`);
+        console.log(`  Issues:          ${last.critical} critical, ${last.high} high, ${last.medium} medium, ${last.low} low`);
+        console.log(`  Findings:        ${last.findings_count} total`);
+        if (history.length >= 2) {
+            console.log("");
+            console.log("  \x1b[33m── TREND ──\x1b[0m");
+            const maxShow = Math.min(history.length, 10);
+            for (let i = history.length - maxShow; i < history.length; i++) {
+                const h = history[i];
+                const prev = i > 0 ? history[i - 1] : null;
+                const delta = prev ? h.score - prev.score : 0;
+                const arrow = delta > 0 ? `\x1b[32m+${delta}\x1b[0m` : delta < 0 ? `\x1b[31m${delta}\x1b[0m` : " 0";
+                const bar = "\x1b[32m" + "█".repeat(Math.round(h.score / 5)) + "\x1b[0m" + "░".repeat(20 - Math.round(h.score / 5));
+                console.log(`  ${h.date}  ${bar}  ${h.score}% (${arrow})`);
+            }
+        }
+        console.log("");
+    }
+    // ── Proof ──
+    console.log("  \x1b[33m── DB-VERIFIED ENCRYPTION ──\x1b[0m");
+    if (!proof || proof.fields.length === 0) {
+        console.log("  No DB-verified encryption yet. Run with --db to verify.\n");
+    }
+    else {
+        console.log(`  ${proof.fields.length} field(s) verified in database:\n`);
+        for (const f of proof.fields) {
+            const cov = f.coverage_percent;
+            const covColor = cov >= 90 ? "\x1b[32m" : cov >= 50 ? "\x1b[33m" : "\x1b[31m";
+            console.log(`  ${f.table_hash}:${f.column_hash}  ${f.pattern}  ${covColor}${cov}%\x1b[0m (${f.encrypted_count}/${f.row_count} rows)`);
+        }
+        console.log(`\n  Last verified: ${proof.updated_at}\n`);
+    }
+    // ── Overrides ──
+    console.log("  \x1b[33m── MANUAL ATTESTATIONS ──\x1b[0m");
+    if (!overrides || overrides.overrides.length === 0) {
+        console.log("  No overrides. Use \x1b[36mguard attest\x1b[0m to declare fixes.\n");
+    }
+    else {
+        for (const o of overrides.overrides) {
+            const statusColor = o.status === "fixed" ? "\x1b[32m" : o.status === "accepted_risk" ? "\x1b[33m" : "\x1b[36m";
+            console.log(`  ${o.finding_id}`);
+            console.log(`    Status:  ${statusColor}${o.status}\x1b[0m`);
+            console.log(`    Note:    ${o.note}`);
+            console.log(`    Date:    ${o.attested_at}`);
+            console.log(`    Device:  ${o.attested_by}`);
+            console.log("");
+        }
+    }
+    // ── Evidence summary ──
+    const evidenceDir = (0, path_1.join)(capsuleDir, "evidence");
+    if ((0, fs_1.existsSync)(evidenceDir)) {
+        const evidenceFiles = (0, fs_1.readdirSync)(evidenceDir).filter(f => f.endsWith(".json"));
+        let totalEntries = 0;
+        for (const ef of evidenceFiles) {
+            try {
+                const entries = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(evidenceDir, ef), "utf-8"));
+                totalEntries += entries.length;
+            }
+            catch { /* skip */ }
+        }
+        console.log("  \x1b[33m── EVIDENCE LOG ──\x1b[0m");
+        console.log(`  ${totalEntries} entries across ${evidenceFiles.length} day(s)`);
+        console.log("  \x1b[2mAll evidence stays local. Commit .capsule/ to git for audit trail.\x1b[0m\n");
+    }
+}
+/**
+ * Subcommand: guard diff
+ * Show what changed between the two most recent scans.
+ */
+function printDiff(projectDir) {
+    const history = getScoreHistory(projectDir);
+    if (history.length < 2) {
+        console.log("\n  Need at least 2 scans to show a diff. Run another scan first.\n");
+        return;
+    }
+    const prev = history[history.length - 2];
+    const curr = history[history.length - 1];
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║       NoData Guard — Diff            ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    console.log(`  Comparing: ${prev.date} → ${curr.date}`);
+    console.log("");
+    // Score delta
+    const scoreDelta = curr.score - prev.score;
+    const scoreArrow = scoreDelta > 0 ? `\x1b[32m↑ +${scoreDelta}%\x1b[0m` : scoreDelta < 0 ? `\x1b[31m↓ ${scoreDelta}%\x1b[0m` : "→ no change";
+    console.log(`  Overall score:   ${prev.score}% → ${curr.score}% ${scoreArrow}`);
+    // Code score delta
+    if (prev.code_score != null && curr.code_score != null) {
+        const cd = curr.code_score - prev.code_score;
+        const ca = cd > 0 ? `\x1b[32m+${cd}\x1b[0m` : cd < 0 ? `\x1b[31m${cd}\x1b[0m` : "0";
+        console.log(`  Code score:      ${prev.code_score}% → ${curr.code_score}% (${ca})`);
+    }
+    // DB score delta
+    if (prev.db_score != null && curr.db_score != null) {
+        const dd = curr.db_score - prev.db_score;
+        const da = dd > 0 ? `\x1b[32m+${dd}\x1b[0m` : dd < 0 ? `\x1b[31m${dd}\x1b[0m` : "0";
+        console.log(`  DB score:        ${prev.db_score}% → ${curr.db_score}% (${da})`);
+    }
+    console.log("");
+    // PII coverage
+    const piiDelta = curr.coverage_percent - prev.coverage_percent;
+    const piiArrow = piiDelta > 0 ? `\x1b[32m+${piiDelta}%\x1b[0m` : piiDelta < 0 ? `\x1b[31m${piiDelta}%\x1b[0m` : "0";
+    console.log(`  PII encrypted:   ${prev.pii_encrypted}/${prev.pii_total} → ${curr.pii_encrypted}/${curr.pii_total} (${piiArrow})`);
+    // Findings delta
+    const findDelta = curr.findings_count - prev.findings_count;
+    const findArrow = findDelta < 0 ? `\x1b[32m${findDelta} resolved\x1b[0m` : findDelta > 0 ? `\x1b[31m+${findDelta} new\x1b[0m` : "no change";
+    console.log(`  Findings:        ${prev.findings_count} → ${curr.findings_count} (${findArrow})`);
+    // Issues breakdown
+    console.log("");
+    console.log("  \x1b[33m── ISSUES BREAKDOWN ──\x1b[0m");
+    const showDelta = (label, p, c) => {
+        const d = c - p;
+        const color = d < 0 ? "\x1b[32m" : d > 0 ? "\x1b[31m" : "";
+        const sign = d > 0 ? "+" : "";
+        console.log(`  ${label.padEnd(12)} ${p} → ${c}  ${color}${d !== 0 ? `(${sign}${d})` : "(=)"}\x1b[0m`);
+    };
+    showDelta("Critical:", prev.critical, curr.critical);
+    showDelta("High:", prev.high, curr.high);
+    showDelta("Medium:", prev.medium, curr.medium);
+    showDelta("Low:", prev.low, curr.low);
+    // Scan type change
+    if (prev.scan_type !== curr.scan_type) {
+        console.log(`\n  \x1b[36mNote:\x1b[0m Scan type changed from "${prev.scan_type}" to "${curr.scan_type}"`);
+    }
+    // Guard version change
+    if (prev.guard_version !== curr.guard_version) {
+        console.log(`  \x1b[36mNote:\x1b[0m Guard version changed from v${prev.guard_version} to v${curr.guard_version}`);
+    }
+    console.log("");
+    if (scoreDelta > 0) {
+        console.log("  \x1b[32m✓ Score improved! Keep going.\x1b[0m\n");
+    }
+    else if (scoreDelta < 0) {
+        console.log("  \x1b[31m⚠ Score dropped. Check the full report for new issues.\x1b[0m\n");
+    }
+    else {
+        console.log("  \x1b[33m→ No score change. Fix open findings to improve.\x1b[0m\n");
+    }
+}

package/dist/cli.js

@@ -26,9 +26,24 @@ const reporter_1 = require("./reporter");
 const scheduler_1 = require("./fixers/scheduler");
 const vault_crypto_1 = require("./vault-crypto");
 const capsule_dir_1 = require("./capsule-dir");
-const VERSION = "2.3.0";
+const VERSION = "2.5.0";
 async function main() {
     const args = process.argv.slice(2);
+    // ── Subcommand routing ──
+    const subcommand = args[0];
+    if (subcommand === "status") {
+        const dir = args.includes("--dir") ? (0, path_1.resolve)(args[args.indexOf("--dir") + 1]) : process.cwd();
+        (0, capsule_dir_1.printFullStatus)(dir);
+        return;
+    }
+    if (subcommand === "diff") {
+        const dir = args.includes("--dir") ? (0, path_1.resolve)(args[args.indexOf("--dir") + 1]) : process.cwd();
+        (0, capsule_dir_1.printDiff)(dir);
+        return;
+    }
+    if (subcommand === "attest") {
+        return handleAttest(args.slice(1));
+    }
     // Parse args
     let licenseKey;
     let dbUrl;
@@ -99,6 +114,49 @@ async function main() {
         licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY || process.env.NODATA_API_KEY || process.env.NDC_API_KEY;
     if (!dbUrl)
         dbUrl = process.env.DATABASE_URL;
+    // ── Auto-detect from .env files ──
+    // Guard reads .env files to find DATABASE_URL and license keys.
+    // ALL values stay local — never sent anywhere.
+    // If DB URL is found, Guard asks for explicit consent before connecting.
+    if (!dbUrl || !licenseKey) {
+        const envResult = readEnvFiles(projectDir);
+        if (!licenseKey && envResult.licenseKey) {
+            licenseKey = envResult.licenseKey;
+            if (!ciMode)
+                console.log(`\n  \x1b[32m✓\x1b[0m Found license key in ${envResult.licenseSource}`);
+        }
+        if (!dbUrl && envResult.dbUrl) {
+            // Mask the connection string for display (show host only)
+            const masked = maskDbUrl(envResult.dbUrl);
+            if (ciMode) {
+                // CI mode: auto-consent (operator set up the env)
+                dbUrl = envResult.dbUrl;
+                console.log(`[nodata-guard] Using database from ${envResult.dbSource}`);
+            }
+            else {
+                // Interactive: ask for consent
+                console.log("");
+                console.log("  ╔══════════════════════════════════════════╗");
+                console.log("  ║  \x1b[33mDatabase connection found\x1b[0m                ║");
+                console.log("  ╚══════════════════════════════════════════╝");
+                console.log(`  Source:  ${envResult.dbSource}`);
+                console.log(`  URL:     ${masked}`);
+                console.log("");
+                console.log("  \x1b[2mGuard will connect to your database to verify encryption.\x1b[0m");
+                console.log("  \x1b[2mOnly checks if values START WITH encryption prefixes.\x1b[0m");
+                console.log("  \x1b[2mNo data values are read, copied, or sent anywhere.\x1b[0m");
+                console.log("");
+                const consent = await askConsent("  Connect to database? (y/n): ");
+                if (consent) {
+                    dbUrl = envResult.dbUrl;
+                    console.log(`  \x1b[32m✓\x1b[0m Database scan enabled\n`);
+                }
+                else {
+                    console.log("  \x1b[33m→\x1b[0m Skipping database scan — code-only mode\n");
+                }
+            }
+        }
+    }
     // Shared Protect config fallback (~/.nodata/config.json)
     if (!licenseKey) {
         try {
@@ -189,7 +247,7 @@ async function main() {
     if (!ciMode)
         console.log("");
     log(ciMode, `Scanned ${files.length} files`);
-    const piiFields = (0, code_scanner_1.scanPIIFields)(files);
+    const piiFields = (0, code_scanner_1.scanPIIFields)(files, projectDir);
     const routes = (0, code_scanner_1.scanRoutes)(files);
     const secrets = (0, code_scanner_1.scanSecrets)(files);
     const stack = (0, code_scanner_1.detectStack)(files);
@@ -361,13 +419,30 @@ async function main() {
             log(ciMode, `Vault upload error: ${err instanceof Error ? err.message : err}`);
         }
     }
-    // ── Step 7: Print summary ──
+    // ── Step 7: Print summary with two-score display ──
+    const codeScore = full.code ? Math.round((full.code.encryption_coverage_percent * 0.5) +
+        (full.code.route_protection_percent * 0.25) +
+        (Math.max(0, 100 - (full.summary.critical_issues * 25 + full.summary.high_issues * 10)) * 0.25)) : null;
+    const dbScore = full.db ? Math.round((full.db.encryption_coverage_percent * 0.6) +
+        (full.db.rls_coverage_percent * 0.4)) : null;
+    // Attach to full report for .capsule/ storage
+    full.code_score = codeScore;
+    full.db_score = dbScore;
     if (!ciMode) {
         console.log("");
         console.log("  ══════════════════════════════════════");
         console.log("  GUARD RESULTS");
         console.log("  ══════════════════════════════════════");
-        console.log(`  Score:           ${full.overall_score}%${serverResponse.previous_score != null ? ` (was ${serverResponse.previous_score}%)` : ""}`);
+        console.log(`  Overall score:   \x1b[1m${full.overall_score}%\x1b[0m${serverResponse.previous_score != null ? ` (was ${serverResponse.previous_score}%)` : ""}`);
+        if (codeScore != null) {
+            console.log(`  Code score:      ${codeScore}%`);
+        }
+        if (dbScore != null) {
+            console.log(`  DB score:        ${dbScore}%`);
+        }
+        if (codeScore != null && dbScore != null) {
+            console.log("  ──────────────────────────────────────");
+        }
         console.log(`  PII fields:      ${full.summary.encrypted_fields}/${full.summary.total_pii_fields} encrypted (${full.summary.coverage_percent}%)`);
         if (full.code) {
             console.log(`  Routes:          ${full.code.routes.filter(r => r.has_auth).length}/${full.code.routes.length} protected`);
@@ -551,6 +626,209 @@ function loadOrCreateConfig(projectDir, overrides) {
         },
     });
 }
+// ═══════════════════════════════════════════════════════════
+// Consent & display helpers
+// ═══════════════════════════════════════════════════════════
+function maskDbUrl(url) {
+    try {
+        const parsed = new URL(url);
+        const host = parsed.hostname;
+        const port = parsed.port || (url.includes("6543") ? "6543" : "5432");
+        const db = parsed.pathname.replace("/", "") || "postgres";
+        const user = parsed.username ? parsed.username.slice(0, 8) + "..." : "***";
+        return `${user}@${host}:${port}/${db}`;
+    }
+    catch {
+        // Fallback: show first 20 chars + mask
+        return url.slice(0, 20) + "...****";
+    }
+}
+function askConsent(prompt) {
+    return new Promise((resolve) => {
+        const readline = require("readline");
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+        rl.question(prompt, (answer) => {
+            rl.close();
+            const a = answer.trim().toLowerCase();
+            resolve(a === "y" || a === "yes" || a === "כ" || a === "כן");
+        });
+    });
+}
+function readEnvFiles(projectDir) {
+    const result = {
+        dbUrl: null, dbSource: "",
+        licenseKey: null, licenseSource: "",
+        supabaseUrl: null, supabaseKey: null,
+    };
+    // Priority order — more specific files override general ones
+    const envFiles = [
+        ".env",
+        ".env.local",
+        ".env.development",
+        ".env.development.local",
+        ".env.production",
+        ".env.production.local",
+    ];
+    // Keys that contain database connection strings
+    const DB_KEYS = [
+        "DATABASE_URL",
+        "DIRECT_URL",
+        "POSTGRES_URL",
+        "POSTGRES_PRISMA_URL",
+        "POSTGRES_URL_NON_POOLING",
+        "PG_CONNECTION_STRING",
+        "DB_URL",
+        "SUPABASE_DB_URL",
+        "DATABASE_CONNECTION_STRING",
+    ];
+    // Keys that contain license/API keys
+    const LICENSE_KEYS = [
+        "NDC_LICENSE",
+        "NODATA_LICENSE_KEY",
+        "NODATA_API_KEY",
+        "NDC_API_KEY",
+        "NDC_PROTECT_KEY",
+        "CAPSULE_LICENSE_KEY",
+        "CAPSULE_API_KEY",
+    ];
+    const SUPABASE_URL_KEYS = [
+        "NEXT_PUBLIC_SUPABASE_URL",
+        "SUPABASE_URL",
+        "VITE_SUPABASE_URL",
+        "REACT_APP_SUPABASE_URL",
+        "NUXT_PUBLIC_SUPABASE_URL",
+    ];
+    const SUPABASE_KEY_KEYS = [
+        "SUPABASE_SERVICE_ROLE_KEY",
+        "SUPABASE_SERVICE_KEY",
+    ];
+    for (const envFile of envFiles) {
+        const filePath = (0, path_1.resolve)(projectDir, envFile);
+        if (!(0, fs_1.existsSync)(filePath))
+            continue;
+        try {
+            const content = (0, fs_1.readFileSync)(filePath, "utf-8");
+            const lines = content.split("\n");
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith("#"))
+                    continue;
+                const eqIdx = trimmed.indexOf("=");
+                if (eqIdx < 1)
+                    continue;
+                const key = trimmed.slice(0, eqIdx).trim();
+                let val = trimmed.slice(eqIdx + 1).trim();
+                // Strip quotes
+                if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+                    val = val.slice(1, -1);
+                }
+                if (!val)
+                    continue;
+                // Check DB keys
+                if (!result.dbUrl && DB_KEYS.includes(key)) {
+                    if (val.startsWith("postgres") || val.startsWith("pg://") || val.includes("5432") || val.includes("6543")) {
+                        result.dbUrl = val;
+                        result.dbSource = envFile;
+                    }
+                }
+                // Check license keys
+                if (!result.licenseKey && LICENSE_KEYS.includes(key)) {
+                    result.licenseKey = val;
+                    result.licenseSource = envFile;
+                }
+                // Check Supabase URL (for fallback DB construction)
+                if (!result.supabaseUrl && SUPABASE_URL_KEYS.includes(key)) {
+                    result.supabaseUrl = val;
+                }
+                // Check Supabase service role key
+                if (!result.supabaseKey && SUPABASE_KEY_KEYS.includes(key)) {
+                    result.supabaseKey = val;
+                }
+            }
+        }
+        catch { /* skip unreadable files */ }
+    }
+    return result;
+}
+function handleAttest(args) {
+    let licenseKey;
+    let projectDir = process.cwd();
+    let findingId;
+    let status = "fixed";
+    let note = "";
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case "--license-key":
+                licenseKey = args[++i];
+                break;
+            case "--dir":
+                projectDir = (0, path_1.resolve)(args[++i]);
+                break;
+            case "--finding":
+                findingId = args[++i];
+                break;
+            case "--status":
+                status = args[++i];
+                break;
+            case "--note":
+                note = args[++i];
+                break;
+        }
+    }
+    // Env / config fallbacks for license key
+    if (!licenseKey)
+        licenseKey = process.env.NDC_LICENSE || process.env.NODATA_LICENSE_KEY || process.env.NODATA_API_KEY || process.env.NDC_API_KEY;
+    if (!licenseKey) {
+        try {
+            const home = process.env.HOME || process.env.USERPROFILE || "";
+            const configPath = require("path").join(home, ".nodata", "config.json");
+            if (require("fs").existsSync(configPath)) {
+                const config = JSON.parse(require("fs").readFileSync(configPath, "utf-8"));
+                if (config.api_key)
+                    licenseKey = config.api_key;
+            }
+        }
+        catch { /* ignore */ }
+    }
+    if (!licenseKey) {
+        console.error("\n  \x1b[31m✗\x1b[0m No API key found. Pass --license-key or set NDC_LICENSE.\n");
+        process.exit(1);
+    }
+    if (!findingId) {
+        console.error("\n  \x1b[31m✗\x1b[0m Missing --finding <id>.");
+        console.error("  Example finding IDs: PII_UNENCRYPTED_email, ROUTE_NO_AUTH, SECRET_POSTGRES_URI");
+        console.error("\n  Usage:");
+        console.error("    npx nodata-guard attest --finding PII_UNENCRYPTED_email --status fixed --note \"Encrypted with pgcrypto\"");
+        console.error("\n  Statuses: fixed | accepted_risk | not_applicable | compensating_control\n");
+        process.exit(1);
+    }
+    if (!note) {
+        console.error("\n  \x1b[31m✗\x1b[0m Missing --note <description>. Explain what was done.\n");
+        process.exit(1);
+    }
+    const validStatuses = ["fixed", "accepted_risk", "not_applicable", "compensating_control"];
+    if (!validStatuses.includes(status)) {
+        console.error(`\n  \x1b[31m✗\x1b[0m Invalid status "${status}". Use: ${validStatuses.join(" | ")}\n`);
+        process.exit(1);
+    }
+    (0, capsule_dir_1.attestFinding)(projectDir, licenseKey, findingId, status, note);
+    const statusColor = status === "fixed" ? "\x1b[32m" : "\x1b[33m";
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║     NoData Guard — Attestation       ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    console.log(`  Finding:   ${findingId}`);
+    console.log(`  Status:    ${statusColor}${status}\x1b[0m`);
+    console.log(`  Note:      ${note}`);
+    console.log(`  Signed:    HMAC-SHA256 (license-key-bound)`);
+    console.log("");
+    console.log("  \x1b[32m✓\x1b[0m Saved to .capsule/overrides.json");
+    console.log("  \x1b[32m✓\x1b[0m Evidence logged to .capsule/evidence/");
+    console.log("");
+    console.log("  \x1b[2mCommit .capsule/ to git for audit trail.\x1b[0m");
+    console.log("  \x1b[2mRe-scan to see updated score.\x1b[0m\n");
+}
 function printHelp() {
     console.log(`
   NoData Guard v${VERSION} — Security Scanner + Recommendations
@@ -563,6 +841,17 @@ function printHelp() {
     npx nodata-guard --license-key NDC-XXXX                          # Scan + recommend
     npx nodata-guard --license-key NDC-XXXX --db $DATABASE_URL       # Full scan (code + DB)
     npx nodata-guard --license-key NDC-XXXX --schedule weekly        # Setup CI schedule
+    npx nodata-guard status                                          # Show .capsule/ status (no scan)
+    npx nodata-guard diff                                            # Compare last 2 scans
+    npx nodata-guard attest --finding ID --status fixed --note "..."  # Manual attestation
+
+  Subcommands:
+    status                 Show .capsule/ evidence (scores, proof, overrides) without scanning
+    diff                   Compare the last 2 scans — score delta, issues resolved/new
+    attest                 Manually attest a finding (saved to .capsule/overrides.json)
+      --finding <id>       Finding ID (e.g., PII_UNENCRYPTED_email, ROUTE_NO_AUTH)
+      --status <status>    fixed | accepted_risk | not_applicable | compensating_control
+      --note <text>        Explanation of what was done
 
   Scan Options:
     --license-key <key>    NoData license key (or set NDC_LICENSE env var)
@@ -593,9 +882,17 @@ function printHelp() {
     ✓ Prove — cryptographic proof chain of scan results
     ✓ Monitor — track score over time via dashboard
 
+  Auto-detection:
+    Guard automatically reads .env files to find DATABASE_URL
+    and license keys. If a database is found, Guard asks for
+    your explicit consent before connecting. All values stay
+    local — never sent anywhere. In CI mode (--ci), consent
+    is automatic (operator configured the environment).
+
   What we NEVER do:
     ✗ Modify your code, database, or configuration
     ✗ Receive data values, source code, or credentials
+    ✗ Read actual data from your database (only checks prefixes)
 
   Important:
     Recommendations require understanding of YOUR system —
@@ -618,6 +915,18 @@ function printHelp() {
     # CI pipeline — fail on critical issues
     npx nodata-guard --ci --fail-on critical
 
+    # Check .capsule/ status without scanning
+    npx nodata-guard status
+
+    # See what changed between last 2 scans
+    npx nodata-guard diff
+
+    # Attest that you fixed a finding
+    npx nodata-guard attest --finding PII_UNENCRYPTED_email --status fixed --note "Encrypted with pgcrypto in migration 042"
+
+    # Accept risk for a finding
+    npx nodata-guard attest --finding ROUTE_NO_AUTH --status accepted_risk --note "Public healthcheck endpoint, no auth needed"
+
   Documentation: https://nodatacapsule.com/guard
 `);
 }

package/dist/code-scanner.d.ts

@@ -4,7 +4,7 @@ interface FileEntry {
     content: string;
 }
 export declare function readProjectFiles(projectDir: string, onProgress?: (count: number) => void): FileEntry[];
-export declare function scanPIIFields(files: FileEntry[]): PIIFieldResult[];
+export declare function scanPIIFields(files: FileEntry[], projectDir?: string): PIIFieldResult[];
 export declare function scanRoutes(files: FileEntry[]): RouteResult[];
 export declare function scanSecrets(files: FileEntry[]): SecretResult[];
 export declare function detectStack(files: FileEntry[]): {

package/dist/code-scanner.js

@@ -18,6 +18,8 @@ exports.scanSecrets = scanSecrets;
 exports.detectStack = detectStack;
 const fs_1 = require("fs");
 const path_1 = require("path");
+const crypto_1 = require("crypto");
+const capsule_dir_1 = require("./capsule-dir");
 // ── File reading ──
 const SKIP_DIRS = new Set([
     "node_modules", ".git", ".next", ".nuxt", "dist", "build", "out",
@@ -97,7 +99,7 @@ function classifyColumn(col) {
     }
     return null;
 }
-function scanPIIFields(files) {
+function scanPIIFields(files, projectDir) {
     const fields = [];
     const seen = new Set();
     // Collect all column names to check for _encrypted companions
@@ -152,7 +154,7 @@ function scanPIIFields(files) {
     const encryptFiles = files.filter(f => /createCipheriv|encrypt|decrypt|encryptPII|nodata_encrypt/i.test(f.content));
     const proofFile = files.find(f => f.path.includes("nodata-proof.json"));
     const triggerFiles = files.filter(f => f.path.endsWith(".sql") && /trg_encrypt_/i.test(f.content));
-    // Parse proof file
+    // Parse legacy proof file (nodata-proof.json)
     const proofFields = new Set();
     if (proofFile) {
         try {
@@ -167,6 +169,27 @@ function scanPIIFields(files) {
         }
         catch { /* ignore */ }
     }
+    // Parse .capsule/proof.json (DB-verified encryption from previous scans)
+    // This allows code-only scans to recognize encryption verified by a previous --db scan
+    if (projectDir) {
+        const capsuleProof = (0, capsule_dir_1.readProof)(projectDir);
+        if (capsuleProof && capsuleProof.fields.length > 0) {
+            // capsule proof uses hashed names — we need to build a lookup by hash
+            const fieldHashMap = new Map(); // hash → "table.column"
+            for (const field of fields) {
+                const tableHash = (0, crypto_1.createHash)("sha256").update(`capsule:name:${field.table}`).digest("hex").slice(0, 16);
+                const colHash = (0, crypto_1.createHash)("sha256").update(`capsule:name:${field.column}`).digest("hex").slice(0, 16);
+                fieldHashMap.set(`${tableHash}:${colHash}`, `${field.table}.${field.column}`);
+            }
+            for (const pf of capsuleProof.fields) {
+                const key = `${pf.table_hash}:${pf.column_hash}`;
+                const realName = fieldHashMap.get(key);
+                if (realName && pf.coverage_percent >= 50) {
+                    proofFields.add(realName);
+                }
+            }
+        }
+    }
     // Parse trigger functions
     const triggerTables = new Set();
     for (const f of triggerFiles) {

package/dist/reporter.js

@@ -80,6 +80,13 @@ function generateReports(input) {
         guard_version: GUARD_VERSION,
         scores: {
             overall: overallScore,
+            code: input.code ? Math.round((encCoverage * 0.5) + (routeProtection * 0.25) + (secretScore * 0.25)) : null,
+            db: input.db ? Math.round(((input.db.piiFields.length > 0
+                ? Math.round((input.db.piiFields.filter(f => f.encrypted).length / input.db.piiFields.length) * 100)
+                : 100) * 0.6) +
+                ((input.db.rls.length > 0
+                    ? Math.round((input.db.rls.filter(r => r.rls_enabled).length / input.db.rls.length) * 100)
+                    : 0) * 0.4)) : null,
             previous: input.previousScore,
             improved,
             delta: input.previousScore !== null ? overallScore - input.previousScore : 0,

package/dist/types.d.ts

@@ -111,6 +111,8 @@ export interface MetadataReport {
     guard_version: string;
     scores: {
         overall: number;
+        code: number | null;
+        db: number | null;
         previous: number | null;
         improved: boolean;
         delta: number;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodatachat/guard",
-  "version": "2.3.0",
+  "version": "2.5.0",
   "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
   "main": "./dist/cli.js",
   "types": "./dist/cli.d.ts",