npm - @nodatachat/guard - Versions diffs - 2.5.0 → 2.6.0 - Mend

@nodatachat/guard 2.5.0 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -26,7 +26,7 @@ const reporter_1 = require("./reporter");
 const scheduler_1 = require("./fixers/scheduler");
 const vault_crypto_1 = require("./vault-crypto");
 const capsule_dir_1 = require("./capsule-dir");
-const VERSION = "2.5.0";
+const VERSION = "2.6.0";
 async function main() {
     const args = process.argv.slice(2);
     // ── Subcommand routing ──
@@ -125,13 +125,41 @@ async function main() {
             if (!ciMode)
                 console.log(`\n  \x1b[32m✓\x1b[0m Found license key in ${envResult.licenseSource}`);
         }
-        if (!dbUrl && envResult.dbUrl) {
+        // Try direct DB URL first
+        let detectedDbUrl = envResult.dbUrl;
+        let detectedDbSource = envResult.dbSource;
+        // If no direct DB URL found, try to construct from Supabase URL
+        // Supabase projects have a predictable connection string format
+        if (!detectedDbUrl && envResult.supabaseUrl && !ciMode) {
+            const match = envResult.supabaseUrl.match(/https:\/\/([a-z0-9]+)\.supabase\.co/);
+            if (match) {
+                const projectRef = match[1];
+                console.log("");
+                console.log("  ╔══════════════════════════════════════════╗");
+                console.log("  ║  \x1b[33mSupabase project detected\x1b[0m                 ║");
+                console.log("  ╚══════════════════════════════════════════╝");
+                console.log(`  Project:  ${projectRef}.supabase.co`);
+                console.log("");
+                console.log("  \x1b[2mTo verify DB encryption, Guard needs a direct connection.\x1b[0m");
+                console.log("  \x1b[2mFind it in: Supabase Dashboard → Settings → Database → URI\x1b[0m");
+                console.log("");
+                const password = await askConsent("  Paste your database password (or press Enter to skip): ", true);
+                if (password && typeof password === "string" && password.trim()) {
+                    detectedDbUrl = `postgresql://postgres.${projectRef}:${password.trim()}@aws-0-eu-central-1.pooler.supabase.com:6543/postgres`;
+                    detectedDbSource = "Supabase (auto-constructed)";
+                }
+                else {
+                    console.log("  \x1b[33m→\x1b[0m No password — skipping database scan\n");
+                }
+            }
+        }
+        if (!dbUrl && detectedDbUrl) {
             // Mask the connection string for display (show host only)
-            const masked = maskDbUrl(envResult.dbUrl);
+            const masked = maskDbUrl(detectedDbUrl);
             if (ciMode) {
                 // CI mode: auto-consent (operator set up the env)
-                dbUrl = envResult.dbUrl;
-                console.log(`[nodata-guard] Using database from ${envResult.dbSource}`);
+                dbUrl = detectedDbUrl;
+                console.log(`[nodata-guard] Using database from ${detectedDbSource}`);
             }
             else {
                 // Interactive: ask for consent
@@ -139,7 +167,7 @@ async function main() {
                 console.log("  ╔══════════════════════════════════════════╗");
                 console.log("  ║  \x1b[33mDatabase connection found\x1b[0m                ║");
                 console.log("  ╚══════════════════════════════════════════╝");
-                console.log(`  Source:  ${envResult.dbSource}`);
+                console.log(`  Source:  ${detectedDbSource}`);
                 console.log(`  URL:     ${masked}`);
                 console.log("");
                 console.log("  \x1b[2mGuard will connect to your database to verify encryption.\x1b[0m");
@@ -148,7 +176,7 @@ async function main() {
                 console.log("");
                 const consent = await askConsent("  Connect to database? (y/n): ");
                 if (consent) {
-                    dbUrl = envResult.dbUrl;
+                    dbUrl = detectedDbUrl;
                     console.log(`  \x1b[32m✓\x1b[0m Database scan enabled\n`);
                 }
                 else {
@@ -643,14 +671,19 @@ function maskDbUrl(url) {
         return url.slice(0, 20) + "...****";
     }
 }
-function askConsent(prompt) {
+function askConsent(prompt, returnRaw) {
     return new Promise((resolve) => {
         const readline = require("readline");
         const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
         rl.question(prompt, (answer) => {
             rl.close();
-            const a = answer.trim().toLowerCase();
-            resolve(a === "y" || a === "yes" || a === "כ" || a === "כן");
+            if (returnRaw) {
+                resolve(answer);
+            }
+            else {
+                const a = answer.trim().toLowerCase();
+                resolve(a === "y" || a === "yes" || a === "כ" || a === "כן");
+            }
         });
     });
 }

package/dist/db-scanner.js CHANGED Viewed

@@ -109,30 +109,38 @@ async function scanDatabase(connectionString, onProgress) {
                     //   aes256gcm:v1:  — legacy direct encryption (13 chars)
                     //   enc:v1:        — Capsule Proxy encryption (7 chars)
                     //   ndc_enc_       — @nodatachat/protect format (8 chars)
+                    //   enc:           — any enc: prefix variant (4 chars)
+                    //   Also checks for long base64 strings (>80 chars, alphanumeric)
                     const { rows } = await client.query(`
             SELECT
               count(*) as total,
               count(${quoteIdent(col)}) as non_null,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 13) = 'aes256gcm:v1:') as aes_gcm,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 7) = 'enc:v1:') as enc_v1,
+              count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 4) = 'enc:') as enc_any,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 8) = 'ndc_enc_') as ndc_enc,
               count(*) FILTER (WHERE LENGTH(${quoteIdent(col)}::text) > 80
-                AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=]+$') as base64_long
+                AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=:_-]+$') as base64_long
             FROM ${quoteIdent(field.table)}
           `);
                     const total = parseInt(rows[0].total);
                     const nonNull = parseInt(rows[0].non_null);
                     const aesGcm = parseInt(rows[0].aes_gcm);
                     const encV1 = parseInt(rows[0].enc_v1);
+                    const encAny = parseInt(rows[0].enc_any);
                     const ndcEnc = parseInt(rows[0].ndc_enc);
                     const b64 = parseInt(rows[0].base64_long);
-                    const encCount = aesGcm + encV1 + ndcEnc + b64;
+                    // enc_any catches enc:v1:, enc:v2:, enc:aes:, etc.
+                    // Use the most specific match for naming, but count all enc: variants
+                    const encDirectPrefixes = Math.max(aesGcm, encV1, encAny, ndcEnc);
+                    const encCount = encDirectPrefixes + (encDirectPrefixes === 0 ? b64 : 0);
                     // Determine pattern name for reporting
                     const pattern = aesGcm > 0 ? "aes256gcm:v1"
                         : encV1 > 0 ? "enc:v1 (Capsule Proxy)"
-                            : ndcEnc > 0 ? "ndc_enc (Protect)"
-                                : b64 > 0 ? "base64_long"
-                                    : "unknown";
+                            : encAny > 0 ? "enc: (encrypted prefix)"
+                                : ndcEnc > 0 ? "ndc_enc (Protect)"
+                                    : b64 > 0 ? "base64_long"
+                                        : "unknown";
                     if (isCompanion && encCount > 0) {
                         field.encrypted = true;
                         field.encryption_pattern = pattern;
@@ -140,10 +148,17 @@ async function scanDatabase(connectionString, onProgress) {
                     }
                     else if (!isCompanion) {
                         field.row_count = total;
-                        if (encCount > 0 && encCount >= nonNull * 0.9) {
+                        // Mark as encrypted if:
+                        //   - At least 1 row has an encryption prefix, AND
+                        //   - At least 30% of non-null rows are encrypted (threshold for partial encryption)
+                        //   OR at least 1 row has encryption AND total rows < 10 (small table — any encryption counts)
+                        const threshold = nonNull > 0 ? encCount / nonNull : 0;
+                        if (encCount > 0 && (threshold >= 0.3 || (nonNull < 10 && encCount > 0))) {
                             field.encrypted = true;
                             field.encryption_pattern = pattern;
                             field.encrypted_count = encCount;
+                            // Also record the sentinel prefix for proof.json
+                            field.sentinel_prefix = pattern;
                         }
                     }
                 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nodatachat/guard",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
   "main": "./dist/cli.js",
   "types": "./dist/cli.d.ts",