@vollcrypt/db-guard 0.9.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +16 -0
- package/LICENSE-COMMERCIAL.md +71 -0
- package/LICENSE-GPL +674 -0
- package/dist/blind-index.d.ts +1 -7
- package/dist/blind-index.js +3 -26
- package/dist/cli.js +3 -3
- package/dist/drivers.js +7 -8
- package/dist/drizzle.js +18 -20
- package/dist/index.d.ts +2 -6
- package/dist/index.js +4 -12
- package/dist/kms.d.ts +10 -0
- package/dist/kms.js +50 -0
- package/dist/mongoose.d.ts +1 -1
- package/dist/mongoose.js +12 -13
- package/dist/prisma.d.ts +4 -24
- package/dist/prisma.js +18 -174
- package/dist/provenance.json +21 -21
- package/dist/provenance.json.sig +2 -1
- package/dist/sbom.json +21 -21
- package/dist/sbom.json.sig +1 -2
- package/dist/security.d.ts +8 -0
- package/dist/security.js +124 -0
- package/dist/typeorm.d.ts +1 -1
- package/dist/typeorm.js +7 -9
- package/package.json +27 -2
package/dist/prisma.js
CHANGED
|
@@ -1,172 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.prismaDbGuard = void 0;
|
|
4
|
-
exports.resolveKeys = resolveKeys;
|
|
5
|
-
exports.encryptValue = encryptValue;
|
|
6
|
-
exports.decryptValue = decryptValue;
|
|
7
|
-
exports.rewriteQueryWhere = rewriteQueryWhere;
|
|
8
|
-
exports.addBlindIndexes = addBlindIndexes;
|
|
9
|
-
const client_1 = require("@prisma/client");
|
|
10
|
-
const blind_index_1 = require("./blind-index");
|
|
3
|
+
exports.resolveKeys = exports.addBlindIndexes = exports.rewriteQueryWhere = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
|
|
11
4
|
const kms_1 = require("./kms");
|
|
12
5
|
const security_1 = require("./security");
|
|
13
|
-
/**
|
|
14
|
-
* Resolves the plaintext keys asynchronously from local config or KMS provider.
|
|
15
|
-
*/
|
|
16
|
-
async function resolveKeys(options) {
|
|
17
|
-
let rawKeys = {};
|
|
18
|
-
if (options.key) {
|
|
19
|
-
if (Buffer.isBuffer(options.key)) {
|
|
20
|
-
rawKeys = { '1': options.key };
|
|
21
|
-
}
|
|
22
|
-
else {
|
|
23
|
-
rawKeys = { ...options.key };
|
|
24
|
-
}
|
|
25
|
-
}
|
|
26
|
-
else if (options.kms) {
|
|
27
|
-
const { provider, wrappedKey, wrappedKek } = options.kms;
|
|
28
|
-
if (Buffer.isBuffer(wrappedKey)) {
|
|
29
|
-
if (wrappedKek && Buffer.isBuffer(wrappedKek)) {
|
|
30
|
-
const unwrappedKek = await provider.decrypt(wrappedKek);
|
|
31
|
-
const dek = (0, kms_1.unwrapDekLocal)(wrappedKey, unwrappedKek);
|
|
32
|
-
unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
|
|
33
|
-
rawKeys = { '1': dek };
|
|
34
|
-
}
|
|
35
|
-
else {
|
|
36
|
-
const key = await provider.decrypt(wrappedKey);
|
|
37
|
-
rawKeys = { '1': key };
|
|
38
|
-
}
|
|
39
|
-
}
|
|
40
|
-
else {
|
|
41
|
-
for (const [ver, wrapped] of Object.entries(wrappedKey)) {
|
|
42
|
-
if (wrappedKek) {
|
|
43
|
-
const wKek = Buffer.isBuffer(wrappedKek) ? wrappedKek : wrappedKek[ver];
|
|
44
|
-
if (wKek) {
|
|
45
|
-
const unwrappedKek = await provider.decrypt(wKek);
|
|
46
|
-
const dek = (0, kms_1.unwrapDekLocal)(wrapped, unwrappedKek);
|
|
47
|
-
unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
|
|
48
|
-
rawKeys[ver] = dek;
|
|
49
|
-
}
|
|
50
|
-
else {
|
|
51
|
-
rawKeys[ver] = await provider.decrypt(wrapped);
|
|
52
|
-
}
|
|
53
|
-
}
|
|
54
|
-
else {
|
|
55
|
-
rawKeys[ver] = await provider.decrypt(wrapped);
|
|
56
|
-
}
|
|
57
|
-
}
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
else {
|
|
61
|
-
throw new Error("Either 'key' or 'kms' configuration must be provided.");
|
|
62
|
-
}
|
|
63
|
-
return rawKeys;
|
|
64
|
-
}
|
|
65
|
-
function encryptValue(val, key, version) {
|
|
66
|
-
if (val === null || val === undefined)
|
|
67
|
-
return val;
|
|
68
|
-
const context = security_1.dbGuardContextStore.getStore();
|
|
69
|
-
const tId = context?.tenantId || 'global';
|
|
70
|
-
if (key.every(b => b === 0) || (0, security_1.getFailClosedStatus)(tId)) {
|
|
71
|
-
throw new Error(`Vollcrypt Security: Fail-Closed mode is active for tenant "${tId}". Encryption blocked.`);
|
|
72
|
-
}
|
|
73
|
-
const plaintext = typeof val === 'string' ? val : JSON.stringify(val);
|
|
74
|
-
const plaintextBuf = Buffer.from(plaintext, 'utf8');
|
|
75
|
-
const encrypted = security_1.CRYPTO_ALGORITHMS['1'].encrypt(plaintextBuf, key);
|
|
76
|
-
// RAM Security: Zeroize the plaintext buffer immediately
|
|
77
|
-
plaintextBuf.fill(0);
|
|
78
|
-
return `VOLLVALT:v${version}:${encrypted.toString('base64')}`;
|
|
79
|
-
}
|
|
80
|
-
function decryptValue(stored, keys) {
|
|
81
|
-
if (typeof stored !== 'string') {
|
|
82
|
-
return stored;
|
|
83
|
-
}
|
|
84
|
-
const parsed = (0, security_1.parseCiphertext)(stored);
|
|
85
|
-
if (!parsed) {
|
|
86
|
-
return stored;
|
|
87
|
-
}
|
|
88
|
-
const { algoId, version, base64Data } = parsed;
|
|
89
|
-
const key = keys[version];
|
|
90
|
-
if (!key) {
|
|
91
|
-
throw new Error(`Decryption key version "${version}" not found in registered keys`);
|
|
92
|
-
}
|
|
93
|
-
if (key.every(b => b === 0)) {
|
|
94
|
-
throw new Error(`Vollcrypt Security: Decryption blocked. Key version "${version}" is zeroized due to a Fail-Closed event.`);
|
|
95
|
-
}
|
|
96
|
-
try {
|
|
97
|
-
const encryptedBuf = Buffer.from(base64Data, 'base64');
|
|
98
|
-
const decryptor = security_1.CRYPTO_ALGORITHMS[algoId];
|
|
99
|
-
if (!decryptor) {
|
|
100
|
-
throw new Error(`Unsupported decryption algorithm ID "${algoId}"`);
|
|
101
|
-
}
|
|
102
|
-
const decrypted = decryptor.decrypt(encryptedBuf, key);
|
|
103
|
-
const plaintext = decrypted.toString('utf8');
|
|
104
|
-
// RAM Security: Zeroize the decrypted buffer
|
|
105
|
-
decrypted.fill(0);
|
|
106
|
-
try {
|
|
107
|
-
return JSON.parse(plaintext);
|
|
108
|
-
}
|
|
109
|
-
catch {
|
|
110
|
-
return plaintext;
|
|
111
|
-
}
|
|
112
|
-
}
|
|
113
|
-
catch (err) {
|
|
114
|
-
throw new Error(`Failed to decrypt field value: ${err.message}`);
|
|
115
|
-
}
|
|
116
|
-
}
|
|
117
|
-
/**
|
|
118
|
-
* Traverses query `where` arguments to rewrite exact match queries on encrypted fields
|
|
119
|
-
* to target shadow `_bidx` columns using dynamic HKDF-SHA256 blind indexing.
|
|
120
|
-
*/
|
|
121
|
-
function rewriteQueryWhere(where, fields, rootSalt, modelName) {
|
|
122
|
-
if (!where || typeof where !== 'object')
|
|
123
|
-
return;
|
|
124
|
-
for (const field of fields) {
|
|
125
|
-
if (where[field] !== undefined) {
|
|
126
|
-
const val = where[field];
|
|
127
|
-
const bidxField = `${field}_bidx`;
|
|
128
|
-
if (typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean') {
|
|
129
|
-
where[bidxField] = (0, blind_index_1.computeBlindIndex)(val, rootSalt, `${modelName}.${field}`);
|
|
130
|
-
delete where[field];
|
|
131
|
-
}
|
|
132
|
-
else if (val && typeof val === 'object') {
|
|
133
|
-
if (val.equals !== undefined) {
|
|
134
|
-
where[bidxField] = {
|
|
135
|
-
equals: (0, blind_index_1.computeBlindIndex)(val.equals, rootSalt, `${modelName}.${field}`),
|
|
136
|
-
};
|
|
137
|
-
delete where[field];
|
|
138
|
-
}
|
|
139
|
-
}
|
|
140
|
-
}
|
|
141
|
-
}
|
|
142
|
-
// Recurse into compound logical operators
|
|
143
|
-
const operators = ['AND', 'OR', 'NOT'];
|
|
144
|
-
for (const op of operators) {
|
|
145
|
-
if (Array.isArray(where[op])) {
|
|
146
|
-
where[op].forEach((item) => rewriteQueryWhere(item, fields, rootSalt, modelName));
|
|
147
|
-
}
|
|
148
|
-
else if (where[op] && typeof where[op] === 'object') {
|
|
149
|
-
rewriteQueryWhere(where[op], fields, rootSalt, modelName);
|
|
150
|
-
}
|
|
151
|
-
}
|
|
152
|
-
}
|
|
153
|
-
/**
|
|
154
|
-
* Appends calculated blind indexes to the write payload (create/update).
|
|
155
|
-
*/
|
|
156
|
-
function addBlindIndexes(data, fields, rootSalt, modelName) {
|
|
157
|
-
if (!data || typeof data !== 'object')
|
|
158
|
-
return;
|
|
159
|
-
if (Array.isArray(data)) {
|
|
160
|
-
data.forEach((item) => addBlindIndexes(item, fields, rootSalt, modelName));
|
|
161
|
-
return;
|
|
162
|
-
}
|
|
163
|
-
for (const field of fields) {
|
|
164
|
-
if (data[field] !== undefined && data[field] !== null) {
|
|
165
|
-
const bidxField = `${field}_bidx`;
|
|
166
|
-
data[bidxField] = (0, blind_index_1.computeBlindIndex)(data[field], rootSalt, `${modelName}.${field}`);
|
|
167
|
-
}
|
|
168
|
-
}
|
|
169
|
-
}
|
|
170
6
|
/**
|
|
171
7
|
* Prisma DbGuard Extension Factory
|
|
172
8
|
*
|
|
@@ -236,7 +72,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
236
72
|
if (!tenantConfig) {
|
|
237
73
|
throw new Error(`Vollcrypt Security: Configuration not found for tenantId "${tId}".`);
|
|
238
74
|
}
|
|
239
|
-
const resolvedTenantKeysRaw = await resolveKeys({
|
|
75
|
+
const resolvedTenantKeysRaw = await (0, kms_1.resolveKeys)({
|
|
240
76
|
...options,
|
|
241
77
|
key: tenantConfig.key,
|
|
242
78
|
kms: tenantConfig.kms
|
|
@@ -263,7 +99,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
263
99
|
const cloned = { ...data };
|
|
264
100
|
for (const field of fieldsToEncrypt) {
|
|
265
101
|
if (cloned[field] !== undefined) {
|
|
266
|
-
cloned[field] = encryptValue(cloned[field], encKey, encVer);
|
|
102
|
+
cloned[field] = (0, security_1.encryptValue)(cloned[field], encKey, encVer);
|
|
267
103
|
}
|
|
268
104
|
}
|
|
269
105
|
return cloned;
|
|
@@ -287,7 +123,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
287
123
|
const cloned = { ...result };
|
|
288
124
|
for (const field of fieldsToEncrypt) {
|
|
289
125
|
if (cloned[field] !== undefined) {
|
|
290
|
-
cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => decryptValue(val, decKeys), modelName, field, cloned.id || cloned._id, options);
|
|
126
|
+
cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => (0, security_1.decryptValue)(val, decKeys), modelName, field, cloned.id || cloned._id, options);
|
|
291
127
|
}
|
|
292
128
|
}
|
|
293
129
|
return cloned;
|
|
@@ -309,13 +145,13 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
309
145
|
const bidxFields = options.blindIndexes?.models[modelName];
|
|
310
146
|
if (bidxFields && options.blindIndexes?.rootSalt) {
|
|
311
147
|
if (args.data) {
|
|
312
|
-
addBlindIndexes(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
148
|
+
(0, security_1.addBlindIndexes)(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
313
149
|
}
|
|
314
150
|
if (args.create) {
|
|
315
|
-
addBlindIndexes(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
151
|
+
(0, security_1.addBlindIndexes)(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
316
152
|
}
|
|
317
153
|
if (args.update) {
|
|
318
|
-
addBlindIndexes(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
154
|
+
(0, security_1.addBlindIndexes)(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
319
155
|
}
|
|
320
156
|
}
|
|
321
157
|
};
|
|
@@ -325,10 +161,11 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
325
161
|
// Rewrite queries targeting encrypted columns to use the blind index column
|
|
326
162
|
const bidxFields = options.blindIndexes?.models[modelName];
|
|
327
163
|
if (bidxFields && options.blindIndexes?.rootSalt && args.where) {
|
|
328
|
-
rewriteQueryWhere(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
164
|
+
(0, security_1.rewriteQueryWhere)(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
329
165
|
}
|
|
330
166
|
};
|
|
331
|
-
|
|
167
|
+
const { Prisma } = require('@prisma/client');
|
|
168
|
+
return Prisma.defineExtension((client) => {
|
|
332
169
|
return client.$extends({
|
|
333
170
|
name: 'vollcrypt-db-guard',
|
|
334
171
|
query: {
|
|
@@ -349,7 +186,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
349
186
|
const encrypted = encryptPayload(model, item, resolved.activeKey, resolved.activeVersion);
|
|
350
187
|
const bidxFields = options.blindIndexes?.models[model];
|
|
351
188
|
if (bidxFields && options.blindIndexes?.rootSalt) {
|
|
352
|
-
addBlindIndexes(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
|
|
189
|
+
(0, security_1.addBlindIndexes)(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
|
|
353
190
|
}
|
|
354
191
|
return encrypted;
|
|
355
192
|
});
|
|
@@ -412,3 +249,10 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
412
249
|
});
|
|
413
250
|
};
|
|
414
251
|
exports.prismaDbGuard = prismaDbGuard;
|
|
252
|
+
var security_2 = require("./security");
|
|
253
|
+
Object.defineProperty(exports, "encryptValue", { enumerable: true, get: function () { return security_2.encryptValue; } });
|
|
254
|
+
Object.defineProperty(exports, "decryptValue", { enumerable: true, get: function () { return security_2.decryptValue; } });
|
|
255
|
+
Object.defineProperty(exports, "rewriteQueryWhere", { enumerable: true, get: function () { return security_2.rewriteQueryWhere; } });
|
|
256
|
+
Object.defineProperty(exports, "addBlindIndexes", { enumerable: true, get: function () { return security_2.addBlindIndexes; } });
|
|
257
|
+
var kms_2 = require("./kms");
|
|
258
|
+
Object.defineProperty(exports, "resolveKeys", { enumerable: true, get: function () { return kms_2.resolveKeys; } });
|
package/dist/provenance.json
CHANGED
|
@@ -4,13 +4,13 @@
|
|
|
4
4
|
{
|
|
5
5
|
"name": "dist/blind-index.d.ts",
|
|
6
6
|
"digest": {
|
|
7
|
-
"sha256": "
|
|
7
|
+
"sha256": "54df5b23b93c61111ba6124b9557fb4fe3f5e4af8ef18d1aeb5477826679363f"
|
|
8
8
|
}
|
|
9
9
|
},
|
|
10
10
|
{
|
|
11
11
|
"name": "dist/blind-index.js",
|
|
12
12
|
"digest": {
|
|
13
|
-
"sha256": "
|
|
13
|
+
"sha256": "d417966c32408676efa5399b6e960b68d6015d66837b9b2bad9fa0bb9396b4be"
|
|
14
14
|
}
|
|
15
15
|
},
|
|
16
16
|
{
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
{
|
|
23
23
|
"name": "dist/cli.js",
|
|
24
24
|
"digest": {
|
|
25
|
-
"sha256": "
|
|
25
|
+
"sha256": "33c313c9195a9e00099652c3e8fac9eac169ac3b94088222fbe97e7a2e51442a"
|
|
26
26
|
}
|
|
27
27
|
},
|
|
28
28
|
{
|
|
@@ -46,7 +46,7 @@
|
|
|
46
46
|
{
|
|
47
47
|
"name": "dist/drivers.js",
|
|
48
48
|
"digest": {
|
|
49
|
-
"sha256": "
|
|
49
|
+
"sha256": "fac1fd60cc16c2dafa9daf234177fd2f17d41cf1015d4fcd1821adb2cdbdb970"
|
|
50
50
|
}
|
|
51
51
|
},
|
|
52
52
|
{
|
|
@@ -58,79 +58,79 @@
|
|
|
58
58
|
{
|
|
59
59
|
"name": "dist/drizzle.js",
|
|
60
60
|
"digest": {
|
|
61
|
-
"sha256": "
|
|
61
|
+
"sha256": "3686b5a03b627e3262257f6a6d2d3addcb7f2cf3377ece458c434aad3b15d2ba"
|
|
62
62
|
}
|
|
63
63
|
},
|
|
64
64
|
{
|
|
65
65
|
"name": "dist/index.d.ts",
|
|
66
66
|
"digest": {
|
|
67
|
-
"sha256": "
|
|
67
|
+
"sha256": "ed2935e0d96814bcf3192294462ae707acfe6934ce2aed9f859683aed88a3ea8"
|
|
68
68
|
}
|
|
69
69
|
},
|
|
70
70
|
{
|
|
71
71
|
"name": "dist/index.js",
|
|
72
72
|
"digest": {
|
|
73
|
-
"sha256": "
|
|
73
|
+
"sha256": "37b74d238138bb80b65341520257b9390be3cc5b9b1f5adf579894eb4995c2ab"
|
|
74
74
|
}
|
|
75
75
|
},
|
|
76
76
|
{
|
|
77
77
|
"name": "dist/kms.d.ts",
|
|
78
78
|
"digest": {
|
|
79
|
-
"sha256": "
|
|
79
|
+
"sha256": "757dba651cf48b6ab68e11b5c92e8ccc81c1ca6eb9129f60a2a3b224fc4f712e"
|
|
80
80
|
}
|
|
81
81
|
},
|
|
82
82
|
{
|
|
83
83
|
"name": "dist/kms.js",
|
|
84
84
|
"digest": {
|
|
85
|
-
"sha256": "
|
|
85
|
+
"sha256": "1619f068398e57c2044457d18d24ee1c626b54e12153246093d4c51add64368c"
|
|
86
86
|
}
|
|
87
87
|
},
|
|
88
88
|
{
|
|
89
89
|
"name": "dist/mongoose.d.ts",
|
|
90
90
|
"digest": {
|
|
91
|
-
"sha256": "
|
|
91
|
+
"sha256": "18f77aa838f2cd861cd31dd5a03fdfd86d34563a090340177dba1420b5ea9b53"
|
|
92
92
|
}
|
|
93
93
|
},
|
|
94
94
|
{
|
|
95
95
|
"name": "dist/mongoose.js",
|
|
96
96
|
"digest": {
|
|
97
|
-
"sha256": "
|
|
97
|
+
"sha256": "0b7c921d254a3c12d6d0924f3778ac39d7e95383086f1f8a893ff361a29c380b"
|
|
98
98
|
}
|
|
99
99
|
},
|
|
100
100
|
{
|
|
101
101
|
"name": "dist/prisma.d.ts",
|
|
102
102
|
"digest": {
|
|
103
|
-
"sha256": "
|
|
103
|
+
"sha256": "d55f39802671b594be9c0a0512c06cb1828569dea9024c78e890c53085cf0232"
|
|
104
104
|
}
|
|
105
105
|
},
|
|
106
106
|
{
|
|
107
107
|
"name": "dist/prisma.js",
|
|
108
108
|
"digest": {
|
|
109
|
-
"sha256": "
|
|
109
|
+
"sha256": "de57df0c3fc6657a996c804d6deee6ff83f889f457c82f55ea35064df6372eab"
|
|
110
110
|
}
|
|
111
111
|
},
|
|
112
112
|
{
|
|
113
113
|
"name": "dist/security.d.ts",
|
|
114
114
|
"digest": {
|
|
115
|
-
"sha256": "
|
|
115
|
+
"sha256": "dbe2dce83e417dc20d476e5bd476e31c3cf43e58fd363011a77dbc56ab82386f"
|
|
116
116
|
}
|
|
117
117
|
},
|
|
118
118
|
{
|
|
119
119
|
"name": "dist/security.js",
|
|
120
120
|
"digest": {
|
|
121
|
-
"sha256": "
|
|
121
|
+
"sha256": "390eb8dbf9f2eab968445dadc43e1dfa6a13217851aa2b5138a5215059c487ed"
|
|
122
122
|
}
|
|
123
123
|
},
|
|
124
124
|
{
|
|
125
125
|
"name": "dist/typeorm.d.ts",
|
|
126
126
|
"digest": {
|
|
127
|
-
"sha256": "
|
|
127
|
+
"sha256": "47200df068a368cdd80b5818ae8dafc749686f8a09a0be8bd9847b175dd89fe6"
|
|
128
128
|
}
|
|
129
129
|
},
|
|
130
130
|
{
|
|
131
131
|
"name": "dist/typeorm.js",
|
|
132
132
|
"digest": {
|
|
133
|
-
"sha256": "
|
|
133
|
+
"sha256": "80e1908e97ffc89c426e89c71efbbd7dbea98191ec7da8ecc9d37cc439a262d8"
|
|
134
134
|
}
|
|
135
135
|
}
|
|
136
136
|
],
|
|
@@ -141,7 +141,7 @@
|
|
|
141
141
|
"externalParameters": {
|
|
142
142
|
"packageJson": {
|
|
143
143
|
"name": "@vollcrypt/db-guard",
|
|
144
|
-
"version": "0.9.
|
|
144
|
+
"version": "0.9.1",
|
|
145
145
|
"scripts": {
|
|
146
146
|
"build": "tsc && node scripts/generate-sbom.js",
|
|
147
147
|
"test": "node --import tsx --test tests/*.test.ts"
|
|
@@ -241,9 +241,9 @@
|
|
|
241
241
|
"id": "https://vollcrypt.dev/builders/local-hermetic-env"
|
|
242
242
|
},
|
|
243
243
|
"metadata": {
|
|
244
|
-
"invocationId": "
|
|
245
|
-
"startedOn": "2026-07-
|
|
246
|
-
"finishedOn": "2026-07-
|
|
244
|
+
"invocationId": "e52b6b317496bccb3dd2fbc3c609d1f0",
|
|
245
|
+
"startedOn": "2026-07-09T19:07:03.950Z",
|
|
246
|
+
"finishedOn": "2026-07-09T19:07:03.951Z"
|
|
247
247
|
}
|
|
248
248
|
}
|
|
249
249
|
}
|
package/dist/provenance.json.sig
CHANGED
|
@@ -1 +1,2 @@
|
|
|
1
|
-
|
|
1
|
+
T&�~����*F��
|
|
2
|
+
p��ƕ�A9�>t���V7��b���ޡA����z�oח�%!��)�
|
package/dist/sbom.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.5",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:54f5fdbd-84b0-47fe-95c1-e86fe565dcf8",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "2026-07-
|
|
7
|
+
"timestamp": "2026-07-09T19:07:03.950Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"vendor": "Vollcrypt",
|
|
@@ -13,19 +13,19 @@
|
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bomRef": "pkg:npm/@vollcrypt/db-guard@0.9.
|
|
16
|
+
"bomRef": "pkg:npm/@vollcrypt/db-guard@0.9.1",
|
|
17
17
|
"type": "library",
|
|
18
18
|
"name": "@vollcrypt/db-guard",
|
|
19
|
-
"version": "0.9.
|
|
19
|
+
"version": "0.9.1",
|
|
20
20
|
"description": "Database field-level encryption integrations for Vollcrypt (Prisma, Mongoose, Drizzle, TypeORM)",
|
|
21
21
|
"hashes": [
|
|
22
22
|
{
|
|
23
23
|
"alg": "SHA-256",
|
|
24
|
-
"content": "
|
|
24
|
+
"content": "54df5b23b93c61111ba6124b9557fb4fe3f5e4af8ef18d1aeb5477826679363f"
|
|
25
25
|
},
|
|
26
26
|
{
|
|
27
27
|
"alg": "SHA-256",
|
|
28
|
-
"content": "
|
|
28
|
+
"content": "d417966c32408676efa5399b6e960b68d6015d66837b9b2bad9fa0bb9396b4be"
|
|
29
29
|
},
|
|
30
30
|
{
|
|
31
31
|
"alg": "SHA-256",
|
|
@@ -33,7 +33,7 @@
|
|
|
33
33
|
},
|
|
34
34
|
{
|
|
35
35
|
"alg": "SHA-256",
|
|
36
|
-
"content": "
|
|
36
|
+
"content": "33c313c9195a9e00099652c3e8fac9eac169ac3b94088222fbe97e7a2e51442a"
|
|
37
37
|
},
|
|
38
38
|
{
|
|
39
39
|
"alg": "SHA-256",
|
|
@@ -49,7 +49,7 @@
|
|
|
49
49
|
},
|
|
50
50
|
{
|
|
51
51
|
"alg": "SHA-256",
|
|
52
|
-
"content": "
|
|
52
|
+
"content": "fac1fd60cc16c2dafa9daf234177fd2f17d41cf1015d4fcd1821adb2cdbdb970"
|
|
53
53
|
},
|
|
54
54
|
{
|
|
55
55
|
"alg": "SHA-256",
|
|
@@ -57,55 +57,55 @@
|
|
|
57
57
|
},
|
|
58
58
|
{
|
|
59
59
|
"alg": "SHA-256",
|
|
60
|
-
"content": "
|
|
60
|
+
"content": "3686b5a03b627e3262257f6a6d2d3addcb7f2cf3377ece458c434aad3b15d2ba"
|
|
61
61
|
},
|
|
62
62
|
{
|
|
63
63
|
"alg": "SHA-256",
|
|
64
|
-
"content": "
|
|
64
|
+
"content": "ed2935e0d96814bcf3192294462ae707acfe6934ce2aed9f859683aed88a3ea8"
|
|
65
65
|
},
|
|
66
66
|
{
|
|
67
67
|
"alg": "SHA-256",
|
|
68
|
-
"content": "
|
|
68
|
+
"content": "37b74d238138bb80b65341520257b9390be3cc5b9b1f5adf579894eb4995c2ab"
|
|
69
69
|
},
|
|
70
70
|
{
|
|
71
71
|
"alg": "SHA-256",
|
|
72
|
-
"content": "
|
|
72
|
+
"content": "757dba651cf48b6ab68e11b5c92e8ccc81c1ca6eb9129f60a2a3b224fc4f712e"
|
|
73
73
|
},
|
|
74
74
|
{
|
|
75
75
|
"alg": "SHA-256",
|
|
76
|
-
"content": "
|
|
76
|
+
"content": "1619f068398e57c2044457d18d24ee1c626b54e12153246093d4c51add64368c"
|
|
77
77
|
},
|
|
78
78
|
{
|
|
79
79
|
"alg": "SHA-256",
|
|
80
|
-
"content": "
|
|
80
|
+
"content": "18f77aa838f2cd861cd31dd5a03fdfd86d34563a090340177dba1420b5ea9b53"
|
|
81
81
|
},
|
|
82
82
|
{
|
|
83
83
|
"alg": "SHA-256",
|
|
84
|
-
"content": "
|
|
84
|
+
"content": "0b7c921d254a3c12d6d0924f3778ac39d7e95383086f1f8a893ff361a29c380b"
|
|
85
85
|
},
|
|
86
86
|
{
|
|
87
87
|
"alg": "SHA-256",
|
|
88
|
-
"content": "
|
|
88
|
+
"content": "d55f39802671b594be9c0a0512c06cb1828569dea9024c78e890c53085cf0232"
|
|
89
89
|
},
|
|
90
90
|
{
|
|
91
91
|
"alg": "SHA-256",
|
|
92
|
-
"content": "
|
|
92
|
+
"content": "de57df0c3fc6657a996c804d6deee6ff83f889f457c82f55ea35064df6372eab"
|
|
93
93
|
},
|
|
94
94
|
{
|
|
95
95
|
"alg": "SHA-256",
|
|
96
|
-
"content": "
|
|
96
|
+
"content": "dbe2dce83e417dc20d476e5bd476e31c3cf43e58fd363011a77dbc56ab82386f"
|
|
97
97
|
},
|
|
98
98
|
{
|
|
99
99
|
"alg": "SHA-256",
|
|
100
|
-
"content": "
|
|
100
|
+
"content": "390eb8dbf9f2eab968445dadc43e1dfa6a13217851aa2b5138a5215059c487ed"
|
|
101
101
|
},
|
|
102
102
|
{
|
|
103
103
|
"alg": "SHA-256",
|
|
104
|
-
"content": "
|
|
104
|
+
"content": "47200df068a368cdd80b5818ae8dafc749686f8a09a0be8bd9847b175dd89fe6"
|
|
105
105
|
},
|
|
106
106
|
{
|
|
107
107
|
"alg": "SHA-256",
|
|
108
|
-
"content": "
|
|
108
|
+
"content": "80e1908e97ffc89c426e89c71efbbd7dbea98191ec7da8ecc9d37cc439a262d8"
|
|
109
109
|
}
|
|
110
110
|
]
|
|
111
111
|
},
|
package/dist/sbom.json.sig
CHANGED
|
@@ -1,2 +1 @@
|
|
|
1
|
-
|
|
2
|
-
"�ޚ���*P?��
|
|
1
|
+
�0��cWA��8��c.*�+�F֛�U��g{s_7O�=��$�V�¿��Я�n9�Ҧ�
|
package/dist/security.d.ts
CHANGED
|
@@ -88,3 +88,11 @@ export declare function parseCiphertext(stored: string): {
|
|
|
88
88
|
version: string;
|
|
89
89
|
base64Data: string;
|
|
90
90
|
} | null;
|
|
91
|
+
/**
|
|
92
|
+
* Computes a hardened, frequency-resistant blind index for a database field.
|
|
93
|
+
*/
|
|
94
|
+
export declare function computeBlindIndex(value: any, rootSalt: Buffer, columnName: string): string;
|
|
95
|
+
export declare function encryptValue(val: any, key: Buffer, version: string): string;
|
|
96
|
+
export declare function decryptValue(stored: any, keys: Record<string, Buffer>): any;
|
|
97
|
+
export declare function rewriteQueryWhere(where: any, fields: string[], rootSalt: Buffer, modelName: string): void;
|
|
98
|
+
export declare function addBlindIndexes(data: any, fields: string[], rootSalt: Buffer, modelName: string): void;
|