@vollcrypt/db-guard 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/README.md +271 -0
  2. package/compliance-config.json +39 -0
  3. package/dist/blind-index.d.ts +7 -0
  4. package/dist/blind-index.js +24 -0
  5. package/dist/cli.d.ts +2 -0
  6. package/dist/cli.js +211 -0
  7. package/dist/compliance-report.html +562 -0
  8. package/dist/compliance.d.ts +40 -0
  9. package/dist/compliance.js +659 -0
  10. package/dist/drizzle.d.ts +65 -0
  11. package/dist/drizzle.js +118 -0
  12. package/dist/index.d.ts +8 -0
  13. package/dist/index.js +44 -0
  14. package/dist/kms.d.ts +46 -0
  15. package/dist/kms.js +154 -0
  16. package/dist/mongoose.d.ts +30 -0
  17. package/dist/mongoose.js +317 -0
  18. package/dist/prisma.d.ts +54 -0
  19. package/dist/prisma.js +390 -0
  20. package/dist/provenance.json +222 -0
  21. package/dist/provenance.json.sig +1 -0
  22. package/dist/sbom.json +209 -0
  23. package/dist/sbom.json.sig +1 -0
  24. package/dist/security.d.ts +88 -0
  25. package/dist/security.js +547 -0
  26. package/dist/typeorm.d.ts +26 -0
  27. package/dist/typeorm.js +149 -0
  28. package/package.json +50 -0
package/dist/sbom.json ADDED
@@ -0,0 +1,209 @@
1
+ {
2
+ "bomFormat": "CycloneDX",
3
+ "specVersion": "1.5",
4
+ "serialNumber": "urn:uuid:922e2014-383d-4a96-a592-7fea3b6d4dc3",
5
+ "version": 1,
6
+ "metadata": {
7
+ "timestamp": "2026-06-11T12:43:47.573Z",
8
+ "tools": [
9
+ {
10
+ "vendor": "Vollcrypt",
11
+ "name": "Supply-Chain SBOM Generator",
12
+ "version": "1.0.0"
13
+ }
14
+ ],
15
+ "component": {
16
+ "bomRef": "pkg:npm/@vollcrypt/db-guard@0.1.0",
17
+ "type": "library",
18
+ "name": "@vollcrypt/db-guard",
19
+ "version": "0.1.0",
20
+ "description": "Database field-level encryption integrations for Vollcrypt (Prisma, Mongoose, Drizzle, TypeORM)",
21
+ "hashes": [
22
+ {
23
+ "alg": "SHA-256",
24
+ "content": "7e613b58cf47bc14d647cfbfa2a9cc0f9e805dbab7562daa00ac679c30830ba7"
25
+ },
26
+ {
27
+ "alg": "SHA-256",
28
+ "content": "fb28a7038cc818346aeb212ece2e5d4f1db4b72fd3ed9dda78a1a7f5744d7455"
29
+ },
30
+ {
31
+ "alg": "SHA-256",
32
+ "content": "43e818adf60173644896298637f47b01d5819b17eda46eaa32d0c7d64724d012"
33
+ },
34
+ {
35
+ "alg": "SHA-256",
36
+ "content": "bf91d9b9d820796590d8b030e409031623d177e45cc487da8bcb66af13078ec0"
37
+ },
38
+ {
39
+ "alg": "SHA-256",
40
+ "content": "cfdccbe0a9cf27c428af69853b2a16f860dcdfc9ac2f2c65fe7305b7a5332d19"
41
+ },
42
+ {
43
+ "alg": "SHA-256",
44
+ "content": "0b660e3eafcc27a78d5c97c7d34837a25c68295660a3d1c7da0ae8e0a676bfb6"
45
+ },
46
+ {
47
+ "alg": "SHA-256",
48
+ "content": "cb43fec66c7da1e84b96a97e8a18b0d08606535c64236f66ff950250d0f23292"
49
+ },
50
+ {
51
+ "alg": "SHA-256",
52
+ "content": "aad49d4c9dd41f2e44175465da6ae7f4a7ae35337ce12f7b3a87113ec0f25424"
53
+ },
54
+ {
55
+ "alg": "SHA-256",
56
+ "content": "7f7c57559ed6b17bd5698a248c18d636c65f812406b685bb6b2fe243d6df59b8"
57
+ },
58
+ {
59
+ "alg": "SHA-256",
60
+ "content": "9a6c591ff862cca301b2b45455b884c2c5ab7e994dd4a31df1235ebdcff8393c"
61
+ },
62
+ {
63
+ "alg": "SHA-256",
64
+ "content": "822f37608176917f438febaaea06a3b65508c45474bd7e137c4df815c50b4854"
65
+ },
66
+ {
67
+ "alg": "SHA-256",
68
+ "content": "4b1a32b35545e2e7944ebba3f84272b7421ffedd1cc3c7eb569e1a6b2fcc4a02"
69
+ },
70
+ {
71
+ "alg": "SHA-256",
72
+ "content": "a3bf00d62fecf9266325a9dd18c4ec272de9559355dbf3f9f43836a4688fe86b"
73
+ },
74
+ {
75
+ "alg": "SHA-256",
76
+ "content": "42b2177825713fa1c618b80af6cf7a5d9f4055399c8e95b67018a0410add2a3f"
77
+ },
78
+ {
79
+ "alg": "SHA-256",
80
+ "content": "f6b85a786a9bb964f0620df4bcad0787e5c972e853df35551cf8fc902bb79691"
81
+ },
82
+ {
83
+ "alg": "SHA-256",
84
+ "content": "e2b7a8fa24c120f59ab48ebb508a18c01e3e24245e04c197b08ad0e327a2d9a8"
85
+ },
86
+ {
87
+ "alg": "SHA-256",
88
+ "content": "85bbbfdbf47b5ce72c29071004664aa8d4c872107a9f1826daaec53f3b40182b"
89
+ },
90
+ {
91
+ "alg": "SHA-256",
92
+ "content": "8d3d398281d7d268e874f540c58371a4ba6410e19d5804d2cdde8fb7628531da"
93
+ },
94
+ {
95
+ "alg": "SHA-256",
96
+ "content": "6cc82bbbe82e260abcc789495fe85f984138c5c8368901881edaece1ffa46d8c"
97
+ },
98
+ {
99
+ "alg": "SHA-256",
100
+ "content": "154827069a5496e043a9f69b3249bd5dddd62690783dfa8675d06d0f574ac76b"
101
+ }
102
+ ]
103
+ },
104
+ "properties": [
105
+ {
106
+ "name": "slsa:buildLevel",
107
+ "value": "SLSA_Level_4"
108
+ }
109
+ ]
110
+ },
111
+ "components": [
112
+ {
113
+ "type": "library",
114
+ "name": "@prisma/client",
115
+ "version": ">=4.7.0",
116
+ "purl": "pkg:npm/@prisma/client@4.7.0"
117
+ },
118
+ {
119
+ "type": "library",
120
+ "name": "mongoose",
121
+ "version": ">=6.0.0",
122
+ "purl": "pkg:npm/mongoose@6.0.0"
123
+ },
124
+ {
125
+ "type": "library",
126
+ "name": "drizzle-orm",
127
+ "version": ">=0.28.0",
128
+ "purl": "pkg:npm/drizzle-orm@0.28.0"
129
+ },
130
+ {
131
+ "type": "library",
132
+ "name": "typeorm",
133
+ "version": ">=0.3.0",
134
+ "purl": "pkg:npm/typeorm@0.3.0"
135
+ },
136
+ {
137
+ "type": "library",
138
+ "name": "rust-crate:aes-gcm",
139
+ "version": "0.10.3",
140
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
141
+ },
142
+ {
143
+ "type": "library",
144
+ "name": "rust-crate:hkdf",
145
+ "version": "0.12.4",
146
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
147
+ },
148
+ {
149
+ "type": "library",
150
+ "name": "rust-crate:sha2",
151
+ "version": "0.10.9",
152
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
153
+ },
154
+ {
155
+ "type": "library",
156
+ "name": "rust-crate:rand",
157
+ "version": "0.8.5",
158
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
159
+ },
160
+ {
161
+ "type": "library",
162
+ "name": "rust-crate:diesel",
163
+ "version": "{ version = 2.2.0, default-features = false }",
164
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
165
+ },
166
+ {
167
+ "type": "library",
168
+ "name": "rust-crate:base64",
169
+ "version": "0.22",
170
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
171
+ },
172
+ {
173
+ "type": "library",
174
+ "name": "rust-crate:once_cell",
175
+ "version": "1.19",
176
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
177
+ },
178
+ {
179
+ "type": "library",
180
+ "name": "rust-crate:zeroize",
181
+ "version": "1.8",
182
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
183
+ },
184
+ {
185
+ "type": "library",
186
+ "name": "rust-crate:libsqlite3-sys",
187
+ "version": "{ version = 0.37, features = [bundled], optional = true }",
188
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
189
+ },
190
+ {
191
+ "type": "library",
192
+ "name": "rust-crate:sea-orm",
193
+ "version": "{ version = 1.1.0, default-features = false, optional = true }",
194
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
195
+ },
196
+ {
197
+ "type": "library",
198
+ "name": "rust-crate:cryptoki",
199
+ "version": "{ version = 0.7, optional = true }",
200
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
201
+ },
202
+ {
203
+ "type": "library",
204
+ "name": "rust-crate:secrecy",
205
+ "version": "{ version = 0.8.0, optional = true }",
206
+ "description": "Lokal/stand-alone Rust dependency used in core compilation layer"
207
+ }
208
+ ]
209
+ }
package/dist/sbom.json.sig ADDED
@@ -0,0 +1 @@
1
+ Ŷ�2‚ӊ鍋9���{Uc[g���O+S��*�7�p�1 ���X�͙V�ԣc�<��
package/dist/security.d.ts ADDED
@@ -0,0 +1,88 @@
1
+ import { AsyncLocalStorage } from 'async_hooks';
2
+ export declare function wrapKey(kek: Buffer, keyToWrap: Buffer): Buffer;
3
+ export declare function unwrapKey(kek: Buffer, wrappedKey: Buffer): Buffer;
4
+ export declare function calculatePadding(contentLen: number): Buffer;
5
+ export declare function padMessageWithLen(content: Buffer): Buffer;
6
+ export declare function unpadMessageWithLen(padded: Buffer): Buffer;
7
+ export declare function encryptAesGcmPadded(key: Buffer, plaintext: Buffer, aad?: Buffer | null): Buffer;
8
+ export declare function decryptAesGcmPadded(key: Buffer, encryptedData: Buffer, aad?: Buffer | null): Buffer;
9
+ export declare function verifySignature(publicKey: Buffer, message: Buffer, signature: Buffer): boolean;
10
+ export declare function deriveHkdf(ikm: Buffer, salt: Buffer | null, info: Buffer | null, keyLen: number): Buffer;
11
+ export declare function generateEd25519Keypair(): [Buffer, Buffer];
12
+ export declare function signMessage(secretKey: Buffer, message: Buffer): Buffer;
13
+ export interface UserContext {
14
+ role?: string;
15
+ userId?: string;
16
+ maxDecryptionsPerSecond?: number;
17
+ bypassRateLimit?: boolean;
18
+ rateLimiterMode?: 'fail_closed' | 'warn' | 'disabled';
19
+ maxPageSize?: number;
20
+ onPageSizeExceeded?: 'warn' | 'error' | 'bypass';
21
+ tenantId?: string;
22
+ }
23
+ export declare const dbGuardContextStore: AsyncLocalStorage<UserContext>;
24
+ export declare function maskValue(val: any, rule: 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string): any;
25
+ export interface RateLimiterOptions {
26
+ maxDecryptionsPerSecond?: number;
27
+ onFailClosed?: () => void;
28
+ mode?: 'fail_closed' | 'warn' | 'disabled';
29
+ maxPageSize?: number;
30
+ onPageSizeExceeded?: 'warn' | 'error' | 'bypass';
31
+ }
32
+ export declare function getCachedKey(tenantId: string | undefined, version: string): Buffer | undefined;
33
+ export declare function setCachedKey(tenantId: string | undefined, version: string, plaintextKey: Buffer, ttlMs?: number): void;
34
+ export declare function resetSecureKeyCacheForTesting(): void;
35
+ export declare function configureBreakGlass(options: {
36
+ threshold: number;
37
+ publicKeys: string[];
38
+ }): void;
39
+ export declare function deactivateBreakGlass(): void;
40
+ export declare function isBreakGlassActive(): boolean;
41
+ export declare function getBreakGlassKey(): Buffer | undefined;
42
+ export declare function activateBreakGlass(signatures: {
43
+ publicKey: string;
44
+ signature: string;
45
+ timestamp: number;
46
+ }[], emergencyBackupKey: Buffer): void;
47
+ export declare function registerKeysForZeroization(keys: Record<string, Buffer>): void;
48
+ export declare function triggerFailClosed(onFailClosedCallback?: () => void): void;
49
+ export declare function checkRateLimit(options?: RateLimiterOptions): void;
50
+ export declare function checkPageSize(count: number, options?: RateLimiterOptions): 'ok' | 'warn' | 'bypass' | 'error';
51
+ export declare function getFailClosedStatus(): boolean;
52
+ export declare function resetFailClosedStatusForTesting(): void;
53
+ export interface AuditLogEntry {
54
+ timestamp: string;
55
+ userId?: string;
56
+ role?: string;
57
+ model: string;
58
+ field: string;
59
+ recordId?: string;
60
+ action: 'decrypt';
61
+ prevHash: string;
62
+ hash: string;
63
+ }
64
+ export declare function configureAuditLogger(options?: {
65
+ path?: string;
66
+ onAuditLog?: (entry: AuditLogEntry) => void;
67
+ }): void;
68
+ export declare function resetAuditLoggerForTesting(): void;
69
+ export declare function logDecryption(model: string, field: string, recordId?: string): void;
70
+ export declare function decryptWithSecurity(stored: any, decryptRawFn: (val: string) => any, modelName: string, fieldName: string, recordId: string | undefined, options?: {
71
+ cryptoRbac?: {
72
+ roles: Record<string, {
73
+ decrypt: string[];
74
+ mask?: Record<string, 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string>;
75
+ }>;
76
+ };
77
+ rateLimiter?: RateLimiterOptions;
78
+ }): any;
79
+ export declare const VERSION_ALGORITHMS: Record<string, string>;
80
+ export declare const CRYPTO_ALGORITHMS: Record<string, {
81
+ encrypt: (plaintext: Buffer, key: Buffer) => Buffer;
82
+ decrypt: (ciphertext: Buffer, key: Buffer) => Buffer;
83
+ }>;
84
+ export declare function parseCiphertext(stored: string): {
85
+ algoId: string;
86
+ version: string;
87
+ base64Data: string;
88
+ } | null;