npm - @vollcrypt/db-guard - Versions diffs - 0.1.0 → 0.1.2 - Mend

@vollcrypt/db-guard 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/drivers.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import { RateLimiterOptions } from './security.js';
+export interface DbGuardDriverOptions {
+    key: Buffer | Record<string, Buffer>;
+    activeKeyVersion?: string;
+    entities: Record<string, string[]>;
+    cryptoRbac?: {
+        roles: Record<string, {
+            decrypt: string[];
+            mask?: Record<string, 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string>;
+        }>;
+    };
+    rateLimiter?: RateLimiterOptions;
+}
+export declare function wrapSqliteDatabase(db: any, options: DbGuardDriverOptions): any;
+export declare function wrapOracleConnection(connection: any, options: DbGuardDriverOptions): any;

package/dist/drivers.js ADDED Viewed

@@ -0,0 +1,181 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.wrapSqliteDatabase = wrapSqliteDatabase;
+exports.wrapOracleConnection = wrapOracleConnection;
+const prisma_js_1 = require("./prisma.js");
+const security_js_1 = require("./security.js");
+function getKeys(options) {
+    let keys;
+    let activeVersion;
+    if (Buffer.isBuffer(options.key)) {
+        keys = { '1': options.key };
+        activeVersion = '1';
+    }
+    else {
+        keys = options.key;
+        activeVersion = options.activeKeyVersion || Object.keys(keys)[0];
+    }
+    return { keys, activeVersion };
+}
+function getParamColumns(sql) {
+    const sqlClean = sql.replace(/\s+/g, ' ').trim();
+    // Match INSERT INTO table (col1, col2) ...
+    const insertMatch = sqlClean.match(/INSERT\s+INTO\s+(\w+)\s*\(([^)]+)\)/i);
+    if (insertMatch) {
+        const table = insertMatch[1];
+        const columns = insertMatch[2].split(',').map(c => c.trim());
+        return { table, columns };
+    }
+    // Match UPDATE table SET col1 = ?, col2 = ? ...
+    const updateMatch = sqlClean.match(/UPDATE\s+(\w+)\s+SET\s+([\s\S]+?)(?:\s+WHERE|$)/i);
+    if (updateMatch) {
+        const table = updateMatch[1];
+        const setParts = updateMatch[2].split(',');
+        const columns = [];
+        for (const part of setParts) {
+            const match = part.match(/(\w+)\s*=/);
+            if (match) {
+                columns.push(match[1]);
+            }
+        }
+        return { table, columns };
+    }
+    return null;
+}
+function decryptRow(row, table, keys, options) {
+    if (!row)
+        return row;
+    if (typeof row === 'object') {
+        const cloned = Array.isArray(row) ? [...row] : { ...row };
+        if (Array.isArray(row)) {
+            // Array format (index-based)
+            for (let i = 0; i < row.length; i++) {
+                const val = row[i];
+                if (typeof val === 'string' && val.startsWith('VOLLVALT:')) {
+                    try {
+                        cloned[i] = (0, security_js_1.decryptWithSecurity)(val, (v) => (0, prisma_js_1.decryptValue)(v, keys), table, `column_${i}`, undefined, options);
+                    }
+                    catch {
+                        // Keep original on failure
+                    }
+                }
+            }
+        }
+        else {
+            // Object format (key-value)
+            const fields = options.entities[table] || [];
+            for (const [key, val] of Object.entries(row)) {
+                if (typeof val === 'string' && val.startsWith('VOLLVALT:')) {
+                    try {
+                        cloned[key] = (0, security_js_1.decryptWithSecurity)(val, (v) => (0, prisma_js_1.decryptValue)(v, keys), table, key, row.id || row._id, options);
+                    }
+                    catch {
+                        // Keep original on failure
+                    }
+                }
+            }
+        }
+        return cloned;
+    }
+    return row;
+}
+function wrapSqliteDatabase(db, options) {
+    const { keys, activeVersion } = getKeys(options);
+    const activeKey = keys[activeVersion];
+    (0, security_js_1.registerKeysForZeroization)(keys);
+    const originalPrepare = db.prepare;
+    db.prepare = function (sql, ...args) {
+        const statement = originalPrepare.call(this, sql, ...args);
+        const parsed = getParamColumns(sql);
+        // Helper to encrypt query input parameters
+        const encryptParams = (params) => {
+            if (!parsed)
+                return params;
+            const table = parsed.table;
+            const columns = parsed.columns;
+            const fieldsToEncrypt = options.entities[table] || [];
+            if (fieldsToEncrypt.length === 0)
+                return params;
+            return params.map((param, index) => {
+                const colName = columns[index];
+                if (colName && fieldsToEncrypt.includes(colName)) {
+                    return (0, prisma_js_1.encryptValue)(param, activeKey, activeVersion);
+                }
+                return param;
+            });
+        };
+        const wrapStatementMethod = (originalMethod) => {
+            return function (...params) {
+                const processedParams = encryptParams(params);
+                const result = originalMethod.apply(statement, processedParams);
+                if (parsed) {
+                    const table = parsed.table;
+                    if (Array.isArray(result)) {
+                        return result.map(row => decryptRow(row, table, keys, options));
+                    }
+                    else if (result) {
+                        return decryptRow(result, table, keys, options);
+                    }
+                }
+                else {
+                    // If query SQL parsing was skipped (e.g. SELECT *), decrypt rows generically
+                    // using first table configured in options as fallback
+                    const defaultTable = Object.keys(options.entities)[0] || 'Model';
+                    if (Array.isArray(result)) {
+                        return result.map(row => decryptRow(row, defaultTable, keys, options));
+                    }
+                    else if (result) {
+                        return decryptRow(result, defaultTable, keys, options);
+                    }
+                }
+                return result;
+            };
+        };
+        statement.run = wrapStatementMethod(statement.run);
+        statement.get = wrapStatementMethod(statement.get);
+        statement.all = wrapStatementMethod(statement.all);
+        return statement;
+    };
+    return db;
+}
+function wrapOracleConnection(connection, options) {
+    const { keys, activeVersion } = getKeys(options);
+    const activeKey = keys[activeVersion];
+    (0, security_js_1.registerKeysForZeroization)(keys);
+    const originalExecute = connection.execute;
+    connection.execute = async function (sql, bindParams = {}, execOptions = {}, ...args) {
+        const parsed = getParamColumns(sql);
+        let processedBinds = bindParams;
+        if (parsed) {
+            const table = parsed.table;
+            const columns = parsed.columns;
+            const fieldsToEncrypt = options.entities[table] || [];
+            if (fieldsToEncrypt.length > 0) {
+                if (Array.isArray(bindParams)) {
+                    processedBinds = bindParams.map((param, index) => {
+                        const colName = columns[index];
+                        if (colName && fieldsToEncrypt.includes(colName)) {
+                            return (0, prisma_js_1.encryptValue)(param, activeKey, activeVersion);
+                        }
+                        return param;
+                    });
+                }
+                else if (bindParams && typeof bindParams === 'object') {
+                    processedBinds = { ...bindParams };
+                    for (const field of fieldsToEncrypt) {
+                        if (processedBinds[field] !== undefined && processedBinds[field] !== null) {
+                            processedBinds[field] = (0, prisma_js_1.encryptValue)(processedBinds[field], activeKey, activeVersion);
+                        }
+                    }
+                }
+            }
+        }
+        const result = await originalExecute.call(this, sql, processedBinds, execOptions, ...args);
+        if (result && result.rows) {
+            const targetTable = parsed ? parsed.table : (Object.keys(options.entities)[0] || 'Model');
+            result.rows = result.rows.map((row) => decryptRow(row, targetTable, keys, options));
+        }
+        return result;
+    };
+    return connection;
+}

package/dist/index.d.ts CHANGED Viewed

@@ -2,7 +2,8 @@ export { prismaDbGuard, PrismaDbGuardOptions, encryptValue, decryptValue, resolv
 export { mongooseDbGuard, MongooseDbGuardOptions } from './mongoose';
 export { createDrizzleGuard } from './drizzle';
 export { createTypeOrmSubscriber } from './typeorm';
+export { wrapSqliteDatabase, wrapOracleConnection, DbGuardDriverOptions } from './drivers';
 export { KmsProvider, AwsKmsProvider, GcpKmsProvider, VaultKmsProvider, unwrapDekLocal, Pkcs11KmsProvider } from './kms';
 export { computeBlindIndex } from './blind-index';
-export { dbGuardContextStore, configureAuditLogger, decryptWithSecurity, checkRateLimit, checkPageSize, resetFailClosedStatusForTesting, resetAuditLoggerForTesting, getCachedKey, setCachedKey, resetSecureKeyCacheForTesting, configureBreakGlass, deactivateBreakGlass, isBreakGlassActive, getBreakGlassKey, activateBreakGlass, parseCiphertext, CRYPTO_ALGORITHMS, VERSION_ALGORITHMS } from './security';
+export { dbGuardContextStore, configureAuditLogger, decryptWithSecurity, checkRateLimit, checkPageSize, resetFailClosedStatusForTesting, resetAuditLoggerForTesting, getCachedKey, setCachedKey, resetSecureKeyCacheForTesting, configureBreakGlass, deactivateBreakGlass, isBreakGlassActive, getBreakGlassKey, activateBreakGlass, parseCiphertext, CRYPTO_ALGORITHMS, VERSION_ALGORITHMS, maskValue } from './security';
 export { auditConfiguration, generateComplianceHtmlReport, ComplianceAuditInput, ComplianceScorecard } from './compliance';

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateComplianceHtmlReport = exports.auditConfiguration = exports.VERSION_ALGORITHMS = exports.CRYPTO_ALGORITHMS = exports.parseCiphertext = exports.activateBreakGlass = exports.getBreakGlassKey = exports.isBreakGlassActive = exports.deactivateBreakGlass = exports.configureBreakGlass = exports.resetSecureKeyCacheForTesting = exports.setCachedKey = exports.getCachedKey = exports.resetAuditLoggerForTesting = exports.resetFailClosedStatusForTesting = exports.checkPageSize = exports.checkRateLimit = exports.decryptWithSecurity = exports.configureAuditLogger = exports.dbGuardContextStore = exports.computeBlindIndex = exports.Pkcs11KmsProvider = exports.unwrapDekLocal = exports.VaultKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = exports.createTypeOrmSubscriber = exports.createDrizzleGuard = exports.mongooseDbGuard = exports.resolveKeys = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
+exports.generateComplianceHtmlReport = exports.auditConfiguration = exports.maskValue = exports.VERSION_ALGORITHMS = exports.CRYPTO_ALGORITHMS = exports.parseCiphertext = exports.activateBreakGlass = exports.getBreakGlassKey = exports.isBreakGlassActive = exports.deactivateBreakGlass = exports.configureBreakGlass = exports.resetSecureKeyCacheForTesting = exports.setCachedKey = exports.getCachedKey = exports.resetAuditLoggerForTesting = exports.resetFailClosedStatusForTesting = exports.checkPageSize = exports.checkRateLimit = exports.decryptWithSecurity = exports.configureAuditLogger = exports.dbGuardContextStore = exports.computeBlindIndex = exports.Pkcs11KmsProvider = exports.unwrapDekLocal = exports.VaultKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = exports.wrapOracleConnection = exports.wrapSqliteDatabase = exports.createTypeOrmSubscriber = exports.createDrizzleGuard = exports.mongooseDbGuard = exports.resolveKeys = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
 var prisma_1 = require("./prisma");
 Object.defineProperty(exports, "prismaDbGuard", { enumerable: true, get: function () { return prisma_1.prismaDbGuard; } });
 Object.defineProperty(exports, "encryptValue", { enumerable: true, get: function () { return prisma_1.encryptValue; } });
@@ -12,6 +12,9 @@ var drizzle_1 = require("./drizzle");
 Object.defineProperty(exports, "createDrizzleGuard", { enumerable: true, get: function () { return drizzle_1.createDrizzleGuard; } });
 var typeorm_1 = require("./typeorm");
 Object.defineProperty(exports, "createTypeOrmSubscriber", { enumerable: true, get: function () { return typeorm_1.createTypeOrmSubscriber; } });
+var drivers_1 = require("./drivers");
+Object.defineProperty(exports, "wrapSqliteDatabase", { enumerable: true, get: function () { return drivers_1.wrapSqliteDatabase; } });
+Object.defineProperty(exports, "wrapOracleConnection", { enumerable: true, get: function () { return drivers_1.wrapOracleConnection; } });
 var kms_1 = require("./kms");
 Object.defineProperty(exports, "AwsKmsProvider", { enumerable: true, get: function () { return kms_1.AwsKmsProvider; } });
 Object.defineProperty(exports, "GcpKmsProvider", { enumerable: true, get: function () { return kms_1.GcpKmsProvider; } });
@@ -39,6 +42,7 @@ Object.defineProperty(exports, "activateBreakGlass", { enumerable: true, get: fu
 Object.defineProperty(exports, "parseCiphertext", { enumerable: true, get: function () { return security_1.parseCiphertext; } });
 Object.defineProperty(exports, "CRYPTO_ALGORITHMS", { enumerable: true, get: function () { return security_1.CRYPTO_ALGORITHMS; } });
 Object.defineProperty(exports, "VERSION_ALGORITHMS", { enumerable: true, get: function () { return security_1.VERSION_ALGORITHMS; } });
+Object.defineProperty(exports, "maskValue", { enumerable: true, get: function () { return security_1.maskValue; } });
 var compliance_1 = require("./compliance");
 Object.defineProperty(exports, "auditConfiguration", { enumerable: true, get: function () { return compliance_1.auditConfiguration; } });
 Object.defineProperty(exports, "generateComplianceHtmlReport", { enumerable: true, get: function () { return compliance_1.generateComplianceHtmlReport; } });

package/dist/provenance.json CHANGED Viewed

@@ -37,6 +37,18 @@
         "sha256": "0b660e3eafcc27a78d5c97c7d34837a25c68295660a3d1c7da0ae8e0a676bfb6"
       }
     },
+    {
+      "name": "dist/drivers.d.ts",
+      "digest": {
+        "sha256": "1363416c7c4ce5549331a13c43f89c8cba2865b26cac8e699b4504c48c29b049"
+      }
+    },
+    {
+      "name": "dist/drivers.js",
+      "digest": {
+        "sha256": "44623a5cf632c22a41b8196b809a3c00d50276bde28c2fbde13d6f4bef3177ce"
+      }
+    },
     {
       "name": "dist/drizzle.d.ts",
       "digest": {
@@ -52,13 +64,13 @@
     {
       "name": "dist/index.d.ts",
       "digest": {
-        "sha256": "7f7c57559ed6b17bd5698a248c18d636c65f812406b685bb6b2fe243d6df59b8"
+        "sha256": "a4864c4ea0bb9e9cc9bc1f58cdbc31863e5543a572e6049ee900b53b9fecb003"
       }
     },
     {
       "name": "dist/index.js",
       "digest": {
-        "sha256": "9a6c591ff862cca301b2b45455b884c2c5ab7e994dd4a31df1235ebdcff8393c"
+        "sha256": "496292f1edd16bd779f6e8712291c4b90e5b3f404d71b54f5c369c6736c26814"
       }
     },
     {
@@ -100,13 +112,13 @@
     {
       "name": "dist/security.d.ts",
       "digest": {
-        "sha256": "85bbbfdbf47b5ce72c29071004664aa8d4c872107a9f1826daaec53f3b40182b"
+        "sha256": "554d9ba00f800470666ab66127079df889b8d717a9cf7b28ab252f0adad64304"
       }
     },
     {
       "name": "dist/security.js",
       "digest": {
-        "sha256": "8d3d398281d7d268e874f540c58371a4ba6410e19d5804d2cdde8fb7628531da"
+        "sha256": "5e907c9f5ec9fb93ef07f6360d7f8572aa5a1ea1c0a32d0b10496477d0b8fd33"
       }
     },
     {
@@ -129,7 +141,7 @@
       "externalParameters": {
         "packageJson": {
           "name": "@vollcrypt/db-guard",
-          "version": "0.1.0",
+          "version": "0.1.2",
           "scripts": {
             "build": "tsc && node scripts/generate-sbom.js",
             "test": "node --import tsx --test tests/*.test.ts"
@@ -213,9 +225,9 @@
         "id": "https://vollcrypt.dev/builders/local-hermetic-env"
       },
       "metadata": {
-        "invocationId": "6a158baa8a336e407b4daf328603e46e",
-        "startedOn": "2026-06-11T12:43:47.573Z",
-        "finishedOn": "2026-06-11T12:43:47.574Z"
+        "invocationId": "19095e456ee2a685d43df5cc56999080",
+        "startedOn": "2026-06-11T16:17:36.609Z",
+        "finishedOn": "2026-06-11T16:17:36.610Z"
       }
     }
   }

package/dist/provenance.json.sig CHANGED Viewed

	@@ -1 +1 @@
1	- �]�~~B��~~8~~٨�3~~�e�~~1�,��d2@jIo~�Ҧ��r�4Hp�/9b=�uy'�>�dӰ3~~
1	+ ?NENc0�HӰ�@�S�t��J�ɽ<(:3�8O �7X�q-du�Y�^~՚�8�z� ǅ�

package/dist/sbom.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:922e2014-383d-4a96-a592-7fea3b6d4dc3",
+  "serialNumber": "urn:uuid:45a7c8f7-12f3-4e25-ab52-81be917b4646",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-11T12:43:47.573Z",
+    "timestamp": "2026-06-11T16:17:36.609Z",
     "tools": [
       {
         "vendor": "Vollcrypt",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bomRef": "pkg:npm/@vollcrypt/db-guard@0.1.0",
+      "bomRef": "pkg:npm/@vollcrypt/db-guard@0.1.2",
       "type": "library",
       "name": "@vollcrypt/db-guard",
-      "version": "0.1.0",
+      "version": "0.1.2",
       "description": "Database field-level encryption integrations for Vollcrypt (Prisma, Mongoose, Drizzle, TypeORM)",
       "hashes": [
         {
@@ -43,6 +43,14 @@
           "alg": "SHA-256",
           "content": "0b660e3eafcc27a78d5c97c7d34837a25c68295660a3d1c7da0ae8e0a676bfb6"
         },
+        {
+          "alg": "SHA-256",
+          "content": "1363416c7c4ce5549331a13c43f89c8cba2865b26cac8e699b4504c48c29b049"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "44623a5cf632c22a41b8196b809a3c00d50276bde28c2fbde13d6f4bef3177ce"
+        },
         {
           "alg": "SHA-256",
           "content": "cb43fec66c7da1e84b96a97e8a18b0d08606535c64236f66ff950250d0f23292"
@@ -53,11 +61,11 @@
         },
         {
           "alg": "SHA-256",
-          "content": "7f7c57559ed6b17bd5698a248c18d636c65f812406b685bb6b2fe243d6df59b8"
+          "content": "a4864c4ea0bb9e9cc9bc1f58cdbc31863e5543a572e6049ee900b53b9fecb003"
         },
         {
           "alg": "SHA-256",
-          "content": "9a6c591ff862cca301b2b45455b884c2c5ab7e994dd4a31df1235ebdcff8393c"
+          "content": "496292f1edd16bd779f6e8712291c4b90e5b3f404d71b54f5c369c6736c26814"
         },
         {
           "alg": "SHA-256",
@@ -85,11 +93,11 @@
         },
         {
           "alg": "SHA-256",
-          "content": "85bbbfdbf47b5ce72c29071004664aa8d4c872107a9f1826daaec53f3b40182b"
+          "content": "554d9ba00f800470666ab66127079df889b8d717a9cf7b28ab252f0adad64304"
         },
         {
           "alg": "SHA-256",
-          "content": "8d3d398281d7d268e874f540c58371a4ba6410e19d5804d2cdde8fb7628531da"
+          "content": "5e907c9f5ec9fb93ef07f6360d7f8572aa5a1ea1c0a32d0b10496477d0b8fd33"
         },
         {
           "alg": "SHA-256",

package/dist/sbom.json.sig CHANGED Viewed

@@ -1 +1,2 @@
-Ŷ�2ӊ鍋9���{Uc[g���O+S��*�7�p�1 ���X�͙V�ԣc�<��
+��7gu
+�

package/dist/security.d.ts CHANGED Viewed

@@ -19,6 +19,8 @@ export interface UserContext {
     maxPageSize?: number;
     onPageSizeExceeded?: 'warn' | 'error' | 'bypass';
     tenantId?: string;
+    decryptCount?: number;
+    windowStart?: number;
 }
 export declare const dbGuardContextStore: AsyncLocalStorage<UserContext>;
 export declare function maskValue(val: any, rule: 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string): any;

package/dist/security.js CHANGED Viewed

@@ -370,17 +370,38 @@ function checkRateLimit(options) {
     const limit = context?.maxDecryptionsPerSecond || options?.maxDecryptionsPerSecond || 500;
     const mode = context?.rateLimiterMode || options?.mode || 'fail_closed';
     const now = Date.now();
-    if (now - windowStart > 1000) {
-        decryptCount = 0;
-        windowStart = now;
-    }
-    decryptCount++;
-    if (decryptCount > limit) {
-        if (mode === 'fail_closed') {
-            triggerFailClosed(options?.onFailClosed);
+    if (context) {
+        if (context.windowStart === undefined || context.decryptCount === undefined) {
+            context.windowStart = now;
+            context.decryptCount = 0;
         }
-        else if (mode === 'warn') {
-            console.warn(`Vollcrypt Warning: Decryption rate limit exceeded. ${decryptCount} decryptions in the current window (limit: ${limit}).`);
+        if (now - context.windowStart > 1000) {
+            context.decryptCount = 0;
+            context.windowStart = now;
+        }
+        context.decryptCount++;
+        if (context.decryptCount > limit) {
+            if (mode === 'fail_closed') {
+                triggerFailClosed(options?.onFailClosed);
+            }
+            else if (mode === 'warn') {
+                console.warn(`Vollcrypt Warning: Decryption rate limit exceeded. ${context.decryptCount} decryptions in the current window (limit: ${limit}).`);
+            }
+        }
+    }
+    else {
+        if (now - windowStart > 1000) {
+            decryptCount = 0;
+            windowStart = now;
+        }
+        decryptCount++;
+        if (decryptCount > limit) {
+            if (mode === 'fail_closed') {
+                triggerFailClosed(options?.onFailClosed);
+            }
+            else if (mode === 'warn') {
+                console.warn(`Vollcrypt Warning: Decryption rate limit exceeded. ${decryptCount} decryptions in the current window (limit: ${limit}).`);
+            }
         }
     }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vollcrypt/db-guard",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Database field-level encryption integrations for Vollcrypt (Prisma, Mongoose, Drizzle, TypeORM)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",