npm - @nodatachat/guard - Versions diffs - 2.5.1 → 2.6.0 - Mend

@nodatachat/guard 2.5.1 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -26,7 +26,7 @@ const reporter_1 = require("./reporter");
 const scheduler_1 = require("./fixers/scheduler");
 const vault_crypto_1 = require("./vault-crypto");
 const capsule_dir_1 = require("./capsule-dir");
-const VERSION = "2.5.1";
+const VERSION = "2.6.0";
 async function main() {
     const args = process.argv.slice(2);
     // ── Subcommand routing ──

package/dist/db-scanner.js CHANGED Viewed

@@ -109,30 +109,38 @@ async function scanDatabase(connectionString, onProgress) {
                     //   aes256gcm:v1:  — legacy direct encryption (13 chars)
                     //   enc:v1:        — Capsule Proxy encryption (7 chars)
                     //   ndc_enc_       — @nodatachat/protect format (8 chars)
+                    //   enc:           — any enc: prefix variant (4 chars)
+                    //   Also checks for long base64 strings (>80 chars, alphanumeric)
                     const { rows } = await client.query(`
             SELECT
               count(*) as total,
               count(${quoteIdent(col)}) as non_null,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 13) = 'aes256gcm:v1:') as aes_gcm,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 7) = 'enc:v1:') as enc_v1,
+              count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 4) = 'enc:') as enc_any,
               count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 8) = 'ndc_enc_') as ndc_enc,
               count(*) FILTER (WHERE LENGTH(${quoteIdent(col)}::text) > 80
-                AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=]+$') as base64_long
+                AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=:_-]+$') as base64_long
             FROM ${quoteIdent(field.table)}
           `);
                     const total = parseInt(rows[0].total);
                     const nonNull = parseInt(rows[0].non_null);
                     const aesGcm = parseInt(rows[0].aes_gcm);
                     const encV1 = parseInt(rows[0].enc_v1);
+                    const encAny = parseInt(rows[0].enc_any);
                     const ndcEnc = parseInt(rows[0].ndc_enc);
                     const b64 = parseInt(rows[0].base64_long);
-                    const encCount = aesGcm + encV1 + ndcEnc + b64;
+                    // enc_any catches enc:v1:, enc:v2:, enc:aes:, etc.
+                    // Use the most specific match for naming, but count all enc: variants
+                    const encDirectPrefixes = Math.max(aesGcm, encV1, encAny, ndcEnc);
+                    const encCount = encDirectPrefixes + (encDirectPrefixes === 0 ? b64 : 0);
                     // Determine pattern name for reporting
                     const pattern = aesGcm > 0 ? "aes256gcm:v1"
                         : encV1 > 0 ? "enc:v1 (Capsule Proxy)"
-                            : ndcEnc > 0 ? "ndc_enc (Protect)"
-                                : b64 > 0 ? "base64_long"
-                                    : "unknown";
+                            : encAny > 0 ? "enc: (encrypted prefix)"
+                                : ndcEnc > 0 ? "ndc_enc (Protect)"
+                                    : b64 > 0 ? "base64_long"
+                                        : "unknown";
                     if (isCompanion && encCount > 0) {
                         field.encrypted = true;
                         field.encryption_pattern = pattern;
@@ -140,10 +148,17 @@ async function scanDatabase(connectionString, onProgress) {
                     }
                     else if (!isCompanion) {
                         field.row_count = total;
-                        if (encCount > 0 && encCount >= nonNull * 0.9) {
+                        // Mark as encrypted if:
+                        //   - At least 1 row has an encryption prefix, AND
+                        //   - At least 30% of non-null rows are encrypted (threshold for partial encryption)
+                        //   OR at least 1 row has encryption AND total rows < 10 (small table — any encryption counts)
+                        const threshold = nonNull > 0 ? encCount / nonNull : 0;
+                        if (encCount > 0 && (threshold >= 0.3 || (nonNull < 10 && encCount > 0))) {
                             field.encrypted = true;
                             field.encryption_pattern = pattern;
                             field.encrypted_count = encCount;
+                            // Also record the sentinel prefix for proof.json
+                            field.sentinel_prefix = pattern;
                         }
                     }
                 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nodatachat/guard",
-  "version": "2.5.1",
+  "version": "2.6.0",
   "description": "NoData Guard — continuous security scanner. Runs locally, reports only metadata. Your data never leaves your machine.",
   "main": "./dist/cli.js",
   "types": "./dist/cli.d.ts",