libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001

data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-encrypt.c

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+#include "mc-efc-private.h"
 #include "mc-fle2-rfds-private.h"
 #include "mc-tokens-private.h"
 #include "mongocrypt-ciphertext-private.h"
@@ -23,6 +24,7 @@
 #include "mongocrypt-marking-private.h"
 #include "mongocrypt-traverse-util-private.h"
 #include "mongocrypt-util-private.h" // mc_iter_document_as_bson
+#include "mongocrypt.h"
 
 /* _fle2_append_encryptedFieldConfig copies encryptedFieldConfig and applies
  * default state collection names for escCollection, eccCollection, and
@@ -30,7 +32,7 @@
 static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
                                               bson_t *dst,
                                               bson_t *encryptedFieldConfig,
-                                              const char *coll_name,
+                                              const char *target_coll,
                                               mongocrypt_status_t *status) {
     bson_iter_t iter;
     bool has_escCollection = false;
@@ -39,7 +41,7 @@ static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
 
     BSON_ASSERT_PARAM(dst);
     BSON_ASSERT_PARAM(encryptedFieldConfig);
-    BSON_ASSERT_PARAM(coll_name);
+    BSON_ASSERT_PARAM(target_coll);
 
     if (!bson_iter_init(&iter, encryptedFieldConfig)) {
         CLIENT_ERR("unable to iterate encryptedFieldConfig");
@@ -63,7 +65,7 @@ static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
     }
 
     if (!has_escCollection) {
-        char *default_escCollection = bson_strdup_printf("enxcol_.%s.esc", coll_name);
+        char *default_escCollection = bson_strdup_printf("enxcol_.%s.esc", target_coll);
         if (!BSON_APPEND_UTF8(dst, "escCollection", default_escCollection)) {
             CLIENT_ERR("unable to append escCollection");
             bson_free(default_escCollection);
@@ -72,7 +74,7 @@ static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
         bson_free(default_escCollection);
     }
     if (!has_eccCollection && !ctx->crypt->opts.use_fle2_v2) {
-        char *default_eccCollection = bson_strdup_printf("enxcol_.%s.ecc", coll_name);
+        char *default_eccCollection = bson_strdup_printf("enxcol_.%s.ecc", target_coll);
         if (!BSON_APPEND_UTF8(dst, "eccCollection", default_eccCollection)) {
             CLIENT_ERR("unable to append eccCollection");
             bson_free(default_eccCollection);
@@ -81,7 +83,7 @@ static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
         bson_free(default_eccCollection);
     }
     if (!has_ecocCollection) {
-        char *default_ecocCollection = bson_strdup_printf("enxcol_.%s.ecoc", coll_name);
+        char *default_ecocCollection = bson_strdup_printf("enxcol_.%s.ecoc", target_coll);
         if (!BSON_APPEND_UTF8(dst, "ecocCollection", default_ecocCollection)) {
             CLIENT_ERR("unable to append ecocCollection");
             bson_free(default_ecocCollection);
@@ -94,20 +96,20 @@ static bool _fle2_append_encryptedFieldConfig(const mongocrypt_ctx_t *ctx,
 
 static bool _fle2_append_encryptionInformation(const mongocrypt_ctx_t *ctx,
                                                bson_t *dst,
-                                               const char *ns,
+                                               const char *target_ns,
                                                bson_t *encryptedFieldConfig,
                                                bson_t *deleteTokens,
-                                               const char *coll_name,
+                                               const char *target_coll,
                                                mongocrypt_status_t *status) {
     bson_t encryption_information_bson;
     bson_t schema_bson;
     bson_t encrypted_field_config_bson;
 
     BSON_ASSERT_PARAM(dst);
-    BSON_ASSERT_PARAM(ns);
+    BSON_ASSERT_PARAM(target_ns);
     BSON_ASSERT_PARAM(encryptedFieldConfig);
     /* deleteTokens may be NULL */
-    BSON_ASSERT_PARAM(coll_name);
+    BSON_ASSERT_PARAM(target_coll);
 
     if (!BSON_APPEND_DOCUMENT_BEGIN(dst, "encryptionInformation", &encryption_information_bson)) {
         CLIENT_ERR("unable to begin appending 'encryptionInformation'");
@@ -122,7 +124,7 @@ static bool _fle2_append_encryptionInformation(const mongocrypt_ctx_t *ctx,
         return false;
     }
 
-    if (!BSON_APPEND_DOCUMENT_BEGIN(&schema_bson, ns, &encrypted_field_config_bson)) {
+    if (!BSON_APPEND_DOCUMENT_BEGIN(&schema_bson, target_ns, &encrypted_field_config_bson)) {
         CLIENT_ERR("unable to begin appending 'encryptedFieldConfig' to "
                    "'encryptionInformation'.'schema'");
         return false;
@@ -131,7 +133,7 @@ static bool _fle2_append_encryptionInformation(const mongocrypt_ctx_t *ctx,
     if (!_fle2_append_encryptedFieldConfig(ctx,
                                            &encrypted_field_config_bson,
                                            encryptedFieldConfig,
-                                           coll_name,
+                                           target_coll,
                                            status)) {
         return false;
     }
@@ -153,8 +155,8 @@ static bool _fle2_append_encryptionInformation(const mongocrypt_ctx_t *ctx,
                        "'encryptionInformation'");
             return false;
         }
-        if (!BSON_APPEND_DOCUMENT(&delete_tokens_bson, ns, deleteTokens)) {
-            CLIENT_ERR("unable to append '%s' to 'deleteTokens'", ns);
+        if (!BSON_APPEND_DOCUMENT(&delete_tokens_bson, target_ns, deleteTokens)) {
+            CLIENT_ERR("unable to append '%s' to 'deleteTokens'", target_ns);
             return false;
         }
         if (!bson_append_document_end(&encryption_information_bson, &delete_tokens_bson)) {
@@ -178,12 +180,12 @@ typedef enum { MC_TO_CSFLE, MC_TO_MONGOCRYPTD, MC_TO_MONGOD } mc_cmd_target_t;
  *
  * @param cmd_name The name of the command.
  * @param cmd The command being rewritten. It is an input and output.
- * @param ns The <db>.<collection> namespace for the command.
+ * @param target_ns The <db>.<collection> namespace for the command.
  * @param encryptedFieldConfig The "encryptedFields" document for the
  * collection.
  * @param deleteTokens Delete tokens to append to "encryptionInformation". May
  * be NULL.
- * @param coll_name The collection name.
+ * @param target_coll The collection name.
  * @param cmd_target The intended destination of the command. csfle,
  * mongocryptd, and mongod have different requirements for the location of
  * "encryptionInformation".
@@ -194,10 +196,10 @@ typedef enum { MC_TO_CSFLE, MC_TO_MONGOCRYPTD, MC_TO_MONGOD } mc_cmd_target_t;
 static bool _fle2_insert_encryptionInformation(const mongocrypt_ctx_t *ctx,
                                                const char *cmd_name,
                                                bson_t *cmd /* in and out */,
-                                               const char *ns,
+                                               const char *target_ns,
                                                bson_t *encryptedFieldConfig,
                                                bson_t *deleteTokens,
-                                               const char *coll_name,
+                                               const char *target_coll,
                                                mc_cmd_target_t cmd_target,
                                                mongocrypt_status_t *status) {
     bson_t out = BSON_INITIALIZER;
@@ -207,16 +209,96 @@ static bool _fle2_insert_encryptionInformation(const mongocrypt_ctx_t *ctx,
 
     BSON_ASSERT_PARAM(cmd_name);
     BSON_ASSERT_PARAM(cmd);
-    BSON_ASSERT_PARAM(ns);
+    BSON_ASSERT_PARAM(target_ns);
     BSON_ASSERT_PARAM(encryptedFieldConfig);
     /* deleteTokens may be NULL */
-    BSON_ASSERT_PARAM(coll_name);
+    BSON_ASSERT_PARAM(target_coll);
+
+    // For `bulkWrite`, append `encryptionInformation` inside the `nsInfo.0` document.
+    if (0 == strcmp(cmd_name, "bulkWrite")) {
+        // Get the single `nsInfo` document from the input command.
+        bson_t nsInfo; // Non-owning.
+        {
+            bson_iter_t nsInfo_iter;
+            if (!bson_iter_init(&nsInfo_iter, cmd)) {
+                CLIENT_ERR("failed to iterate command");
+                goto fail;
+            }
+            if (!bson_iter_find_descendant(&nsInfo_iter, "nsInfo.0", &nsInfo_iter)) {
+                CLIENT_ERR("expected one namespace in `bulkWrite`, but found zero.");
+                goto fail;
+            }
+            if (bson_has_field(cmd, "nsInfo.1")) {
+                CLIENT_ERR(
+                    "expected one namespace in `bulkWrite`, but found more than one. Only one namespace is supported.");
+                goto fail;
+            }
+            if (!mc_iter_document_as_bson(&nsInfo_iter, &nsInfo, status)) {
+                goto fail;
+            }
+            // Ensure `nsInfo` does not already have an `encryptionInformation` field.
+            if (bson_has_field(&nsInfo, "encryptionInformation")) {
+                CLIENT_ERR("unexpected `encryptionInformation` present in input `nsInfo`.");
+                goto fail;
+            }
+        }
+
+        // Copy input and append `encryptionInformation` to `nsInfo`.
+        {
+            // Append everything from input except `nsInfo`.
+            bson_copy_to_excluding_noinit(cmd, &out, "nsInfo", NULL);
+            // Append `nsInfo` array.
+            bson_t nsInfo_array;
+            if (!BSON_APPEND_ARRAY_BEGIN(&out, "nsInfo", &nsInfo_array)) {
+                CLIENT_ERR("unable to begin appending 'nsInfo' array");
+                goto fail;
+            }
+            bson_t nsInfo_array_0;
+            if (!BSON_APPEND_DOCUMENT_BEGIN(&nsInfo_array, "0", &nsInfo_array_0)) {
+                CLIENT_ERR("unable to append 'nsInfo.0' document");
+                goto fail;
+            }
+            // Copy everything from input `nsInfo`.
+            bson_concat(&nsInfo_array_0, &nsInfo);
+            // And append `encryptionInformation`.
+            if (!_fle2_append_encryptionInformation(ctx,
+                                                    &nsInfo_array_0,
+                                                    target_ns,
+                                                    encryptedFieldConfig,
+                                                    deleteTokens,
+                                                    target_coll,
+                                                    status)) {
+                goto fail;
+            }
+            if (!bson_append_document_end(&nsInfo_array, &nsInfo_array_0)) {
+                CLIENT_ERR("unable to end appending 'nsInfo' document in array");
+            }
+            if (!bson_append_array_end(&out, &nsInfo_array)) {
+                CLIENT_ERR("unable to end appending 'nsInfo' array");
+                goto fail;
+            }
+            // Overwrite `cmd`.
+            bson_destroy(cmd);
+            if (!bson_steal(cmd, &out)) {
+                CLIENT_ERR("failed to steal BSON with encryptionInformation");
+                goto fail;
+            }
+        }
+
+        goto success;
+    }
 
     if (0 != strcmp(cmd_name, "explain") || cmd_target == MC_TO_MONGOCRYPTD) {
-        // All commands except "explain" expect "encryptionInformation"
+        // All commands except "explain" and "bulkWrite" expect "encryptionInformation"
         // at top-level. "explain" sent to mongocryptd expects
         // "encryptionInformation" at top-level.
-        if (!_fle2_append_encryptionInformation(ctx, cmd, ns, encryptedFieldConfig, deleteTokens, coll_name, status)) {
+        if (!_fle2_append_encryptionInformation(ctx,
+                                                cmd,
+                                                target_ns,
+                                                encryptedFieldConfig,
+                                                deleteTokens,
+                                                target_coll,
+                                                status)) {
             goto fail;
         }
         bson_destroy(&out);
@@ -253,7 +335,13 @@ static bool _fle2_insert_encryptionInformation(const mongocrypt_ctx_t *ctx,
         bson_copy_to(&tmp, &explain);
     }
 
-    if (!_fle2_append_encryptionInformation(ctx, &explain, ns, encryptedFieldConfig, deleteTokens, coll_name, status)) {
+    if (!_fle2_append_encryptionInformation(ctx,
+                                            &explain,
+                                            target_ns,
+                                            encryptedFieldConfig,
+                                            deleteTokens,
+                                            target_coll,
+                                            status)) {
         goto fail;
     }
 
@@ -265,7 +353,7 @@ static bool _fle2_insert_encryptionInformation(const mongocrypt_ctx_t *ctx,
     bson_copy_to_excluding_noinit(cmd, &out, "explain", NULL);
     bson_destroy(cmd);
     if (!bson_steal(cmd, &out)) {
-        CLIENT_ERR("failed to steal BSON without encryptionInformation");
+        CLIENT_ERR("failed to steal BSON with encryptionInformation");
         goto fail;
     }
 
@@ -288,7 +376,7 @@ static bool _mongo_op_collinfo(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out)
     BSON_ASSERT_PARAM(out);
 
     ectx = (_mongocrypt_ctx_encrypt_t *)ctx;
-    cmd = BCON_NEW("name", BCON_UTF8(ectx->coll_name));
+    cmd = BCON_NEW("name", BCON_UTF8(ectx->target_coll));
     CRYPT_TRACEF(&ectx->parent.crypt->log, "constructed: %s\n", tmp_json(cmd));
     _mongocrypt_buffer_steal_from_bson(&ectx->list_collections_filter, cmd);
     out->data = ectx->list_collections_filter.data;
@@ -328,10 +416,46 @@ static bool _set_schema_from_collinfo(mongocrypt_ctx_t *ctx, bson_t *collinfo) {
         if (!_mongocrypt_buffer_to_bson(&ectx->encrypted_field_config, &efc_bson)) {
             return _mongocrypt_ctx_fail_w_msg(ctx, "unable to create BSON from encrypted_field_config");
         }
-        if (!mc_EncryptedFieldConfig_parse(&ectx->efc, &efc_bson, ctx->status)) {
+        if (!mc_EncryptedFieldConfig_parse(&ectx->efc, &efc_bson, ctx->status, ctx->crypt->opts.use_range_v2)) {
             _mongocrypt_ctx_fail(ctx);
             return false;
         }
+    } else if (0 == strcmp(ectx->cmd_name, "bulkWrite")) {
+        ectx->used_empty_encryptedFields = true;
+        // `bulkWrite` is a special case. Sending `bulkWrite` with `jsonSchema` to query analysis results in an error:
+        // `The bulkWrite command only supports Queryable Encryption`
+        //
+        // Add an empty encryptedFields (rather than an empty JSON schema) to ensure `bulkWrite` can be sent to query
+        // analysis.
+        bson_t empty_encryptedFields = BSON_INITIALIZER;
+        {
+            char *escCollection = bson_strdup_printf("enxcol_.%s.esc", ectx->target_coll);
+            char *ecocCollection = bson_strdup_printf("enxcol_.%s.ecoc", ectx->target_coll);
+            bson_t empty_array = BSON_INITIALIZER;
+            if (!BSON_APPEND_UTF8(&empty_encryptedFields, "escCollection", escCollection)) {
+                return _mongocrypt_ctx_fail_w_msg(ctx, "failed to append `escCollection`");
+            }
+            if (!BSON_APPEND_UTF8(&empty_encryptedFields, "ecocCollection", ecocCollection)) {
+                return _mongocrypt_ctx_fail_w_msg(ctx, "failed to append `ecocCollection`");
+            }
+            if (!BSON_APPEND_ARRAY(&empty_encryptedFields, "fields", &empty_array)) {
+                return _mongocrypt_ctx_fail_w_msg(ctx, "failed to append `fields`");
+            }
+
+            bson_destroy(&empty_array);
+            bson_free(escCollection);
+            bson_free(ecocCollection);
+        }
+
+        if (!mc_EncryptedFieldConfig_parse(&ectx->efc,
+                                           &empty_encryptedFields,
+                                           ctx->status,
+                                           ctx->crypt->opts.use_range_v2)) {
+            bson_destroy(&empty_encryptedFields);
+            _mongocrypt_ctx_fail(ctx);
+            return false;
+        }
+        _mongocrypt_buffer_steal_from_bson(&ectx->encrypted_field_config, &empty_encryptedFields);
     }
 
     BSON_ASSERT(bson_iter_init(&iter, collinfo));
@@ -458,7 +582,7 @@ static bool _fle2_collect_keys_for_deleteTokens(mongocrypt_ctx_t *ctx) {
     mc_EncryptedField_t *field;
 
     for (field = ectx->efc.fields; field != NULL; field = field->next) {
-        if (field->has_queries) {
+        if (field->supported_queries) {
             if (!_mongocrypt_key_broker_request_id(&ctx->kb, &field->keyId)) {
                 _mongocrypt_key_broker_status(&ctx->kb, ctx->status);
                 _mongocrypt_ctx_fail(ctx);
@@ -469,9 +593,10 @@ static bool _fle2_collect_keys_for_deleteTokens(mongocrypt_ctx_t *ctx) {
     return true;
 }
 
-/* _fle2_collect_keys_for_compact requests keys required to produce
- * compactionTokens. compactionTokens is only applicable to FLE 2. */
-static bool _fle2_collect_keys_for_compact(mongocrypt_ctx_t *ctx) {
+/* _fle2_collect_keys_for_compaction requests keys required to produce
+ * compactionTokens or cleanupTokens.
+ * compactionTokens and cleanupTokens are only applicable to FLE 2. */
+static bool _fle2_collect_keys_for_compaction(mongocrypt_ctx_t *ctx) {
     _mongocrypt_ctx_encrypt_t *ectx = (_mongocrypt_ctx_encrypt_t *)ctx;
 
     BSON_ASSERT_PARAM(ctx);
@@ -483,11 +608,12 @@ static bool _fle2_collect_keys_for_compact(mongocrypt_ctx_t *ctx) {
 
     const char *cmd_name = ectx->cmd_name;
 
-    if (0 != strcmp(cmd_name, "compactStructuredEncryptionData")) {
+    if (0 != strcmp(cmd_name, "compactStructuredEncryptionData")
+        && 0 != strcmp(cmd_name, "cleanupStructuredEncryptionData")) {
         return true;
     }
 
-    /* compactStructuredEncryptionData must not be sent to mongocryptd. */
+    /* (compact/cleanup)StructuredEncryptionData must not be sent to mongocryptd. */
     ectx->bypass_query_analysis = true;
 
     mc_EncryptedField_t *field;
@@ -516,7 +642,7 @@ static bool _mongo_feed_collinfo(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in)
     }
 
     /* Cache the received collinfo. */
-    if (!_mongocrypt_cache_add_copy(&ctx->crypt->cache_collinfo, ectx->ns, &as_bson, ctx->status)) {
+    if (!_mongocrypt_cache_add_copy(&ctx->crypt->cache_collinfo, ectx->target_ns, &as_bson, ctx->status)) {
         return _mongocrypt_ctx_fail(ctx);
     }
 
@@ -538,8 +664,12 @@ static bool _mongo_done_collinfo(mongocrypt_ctx_t *ctx) {
     if (_mongocrypt_buffer_empty(&ectx->schema)) {
         bson_t empty_collinfo = BSON_INITIALIZER;
 
-        /* If no collinfo was fed, cache an empty collinfo. */
-        if (!_mongocrypt_cache_add_copy(&ctx->crypt->cache_collinfo, ectx->ns, &empty_collinfo, ctx->status)) {
+        /* If no collinfo was fed, apply and cache an empty collinfo. */
+        if (!_set_schema_from_collinfo(ctx, &empty_collinfo)) {
+            bson_destroy(&empty_collinfo);
+            return false;
+        }
+        if (!_mongocrypt_cache_add_copy(&ctx->crypt->cache_collinfo, ectx->target_ns, &empty_collinfo, ctx->status)) {
             bson_destroy(&empty_collinfo);
             return _mongocrypt_ctx_fail(ctx);
         }
@@ -550,7 +680,7 @@ static bool _mongo_done_collinfo(mongocrypt_ctx_t *ctx) {
         return false;
     }
 
-    if (!_fle2_collect_keys_for_compact(ctx)) {
+    if (!_fle2_collect_keys_for_compaction(ctx)) {
         return false;
     }
 
@@ -564,6 +694,19 @@ static bool _mongo_done_collinfo(mongocrypt_ctx_t *ctx) {
     return _try_run_csfle_marking(ctx);
 }
 
+static const char *_mongo_db_collinfo(mongocrypt_ctx_t *ctx) {
+    _mongocrypt_ctx_encrypt_t *ectx;
+
+    BSON_ASSERT_PARAM(ctx);
+
+    ectx = (_mongocrypt_ctx_encrypt_t *)ctx;
+    if (!ectx->target_db) {
+        _mongocrypt_ctx_fail_w_msg(ctx, "Expected target database for `listCollections`, but none exists.");
+        return NULL;
+    }
+    return ectx->target_db;
+}
+
 static bool _fle2_mongo_op_markings(mongocrypt_ctx_t *ctx, bson_t *out) {
     _mongocrypt_ctx_encrypt_t *ectx;
     bson_t cmd_bson = BSON_INITIALIZER, encrypted_field_config_bson = BSON_INITIALIZER;
@@ -594,10 +737,10 @@ static bool _fle2_mongo_op_markings(mongocrypt_ctx_t *ctx, bson_t *out) {
     if (!_fle2_insert_encryptionInformation(ctx,
                                             cmd_name,
                                             out,
-                                            ectx->ns,
+                                            ectx->target_ns,
                                             &encrypted_field_config_bson,
                                             NULL /* deleteTokens */,
-                                            ectx->coll_name,
+                                            ectx->target_coll,
                                             ctx->crypt->csfle.okay ? MC_TO_CSFLE : MC_TO_MONGOCRYPTD,
                                             ctx->status)) {
         return _mongocrypt_ctx_fail(ctx);
@@ -734,7 +877,7 @@ static bool _collect_key_from_marking(void *ctx, _mongocrypt_buffer_t *in, mongo
 static bool _mongo_feed_markings(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in) {
     /* Find keys. */
     bson_t as_bson;
-    bson_iter_t iter;
+    bson_iter_t iter = {0};
     _mongocrypt_ctx_encrypt_t *ectx;
 
     BSON_ASSERT_PARAM(ctx);
@@ -823,7 +966,7 @@ static bool _mongo_done_markings(mongocrypt_ctx_t *ctx) {
 /**
  * @brief Append $db to a command being passed to csfle.
  */
-static bool _add_dollar_db(const char *cmd_name, bson_t *cmd, const char *db_name, mongocrypt_status_t *status) {
+static bool _add_dollar_db(const char *cmd_name, bson_t *cmd, const char *cmd_db, mongocrypt_status_t *status) {
     bson_t out = BSON_INITIALIZER;
     bson_t explain = BSON_INITIALIZER;
     bson_iter_t iter;
@@ -831,10 +974,10 @@ static bool _add_dollar_db(const char *cmd_name, bson_t *cmd, const char *db_nam
 
     BSON_ASSERT_PARAM(cmd_name);
     BSON_ASSERT_PARAM(cmd);
-    BSON_ASSERT_PARAM(db_name);
+    BSON_ASSERT_PARAM(cmd_db);
 
     if (!bson_iter_init_find(&iter, cmd, "$db")) {
-        if (!BSON_APPEND_UTF8(cmd, "$db", db_name)) {
+        if (!BSON_APPEND_UTF8(cmd, "$db", cmd_db)) {
             CLIENT_ERR("failed to append '$db'");
             goto fail;
         }
@@ -868,7 +1011,7 @@ static bool _add_dollar_db(const char *cmd_name, bson_t *cmd, const char *db_nam
         bson_copy_to(&tmp, &explain);
     }
 
-    if (!BSON_APPEND_UTF8(&explain, "$db", db_name)) {
+    if (!BSON_APPEND_UTF8(&explain, "$db", cmd_db)) {
         CLIENT_ERR("failed to append '$db'");
         goto fail;
     }
@@ -947,7 +1090,7 @@ static bool _try_run_csfle_marking(mongocrypt_ctx_t *ctx) {
 
     const char *cmd_name = ectx->cmd_name;
 
-    if (!_add_dollar_db(cmd_name, &cmd, ectx->db_name, ctx->status)) {
+    if (!_add_dollar_db(cmd_name, &cmd, ectx->cmd_db, ctx->status)) {
         _mongocrypt_ctx_fail(ctx);
         goto fail_create_cmd;
     }
@@ -975,8 +1118,12 @@ static bool _try_run_csfle_marking(mongocrypt_ctx_t *ctx) {
     CHECK_CSFLE_ERROR("query_analyzer_create", fail_qa_create);
 
     uint32_t marked_bson_len = 0;
-    uint8_t *marked_bson =
-        csfle.analyze_query(qa, bson_get_data(&cmd), ectx->ns, (uint32_t)strlen(ectx->ns), &marked_bson_len, status);
+    uint8_t *marked_bson = csfle.analyze_query(qa,
+                                               bson_get_data(&cmd),
+                                               ectx->target_ns,
+                                               (uint32_t)strlen(ectx->target_ns),
+                                               &marked_bson_len,
+                                               status);
     CHECK_CSFLE_ERROR("analyze_query", fail_analyze_query);
 
     // Copy out the marked document.
@@ -1107,7 +1254,7 @@ static bson_t *generate_delete_tokens(_mongocrypt_crypto_t *crypto,
         mc_ECOCToken_t *ecoc = NULL;
         bool loop_ok = false;
         /* deleteTokens are only necessary for indexed fields. */
-        if (!ef->has_queries) {
+        if (!ef->supported_queries) {
             goto loop_continue;
         }
 
@@ -1223,8 +1370,11 @@ typedef struct {
 
 // must_omit_encryptionInformation returns true if the command
 // must omit the "encryptionInformation" field when sent to mongod / mongos.
-static moe_result
-must_omit_encryptionInformation(const char *command_name, const bson_t *command, mongocrypt_status_t *status) {
+static moe_result must_omit_encryptionInformation(const char *command_name,
+                                                  const bson_t *command,
+                                                  bool use_range_v2,
+                                                  const mc_EncryptedFieldConfig_t *efc,
+                                                  mongocrypt_status_t *status) {
     // eligible_commands may omit encryptionInformation if the command does not
     // contain payloads requiring encryption.
     const char *eligible_commands[] = {"find", "aggregate", "distinct", "count", "insert"};
@@ -1232,10 +1382,28 @@ must_omit_encryptionInformation(const char *command_name, const bson_t *command,
     bool found = false;
 
     // prohibited_commands prohibit encryptionInformation on mongod / mongos.
-    const char *prohibited_commands[] = {"compactStructuredEncryptionData", "create", "collMod", "createIndexes"};
+    const char *prohibited_commands[] = {"cleanupStructuredEncryptionData", "create", "collMod", "createIndexes"};
 
     BSON_ASSERT_PARAM(command_name);
     BSON_ASSERT_PARAM(command);
+    BSON_ASSERT_PARAM(efc);
+
+    if (0 == strcmp("compactStructuredEncryptionData", command_name)) {
+        // `compactStructuredEncryptionData` is a special case:
+        // - Server 7.0 prohibits `encryptionInformation`.
+        // - Server 8.0 requires `encryptionInformation` if "range" fields are referenced. Otherwise ignores.
+        // Only send `encryptionInformation` if "range" fields are present to support both server versions.
+        bool uses_range_fields = false;
+        if (use_range_v2) {
+            for (const mc_EncryptedField_t *ef = efc->fields; ef != NULL; ef = ef->next) {
+                if (ef->supported_queries & SUPPORTS_RANGE_QUERIES) {
+                    uses_range_fields = true;
+                    break;
+                }
+            }
+        }
+        return (moe_result){.ok = true, .must_omit = !uses_range_fields};
+    }
 
     for (i = 0; i < sizeof(prohibited_commands) / sizeof(prohibited_commands[0]); i++) {
         if (0 == strcmp(prohibited_commands[i], command_name)) {
@@ -1254,7 +1422,7 @@ must_omit_encryptionInformation(const char *command_name, const bson_t *command,
     }
 
     bool has_payload_requiring_encryptionInformation = false;
-    bson_iter_t iter;
+    bson_iter_t iter = {0};
     if (!bson_iter_init(&iter, command)) {
         CLIENT_ERR("unable to iterate command");
         return (moe_result){.ok = false};
@@ -1274,35 +1442,46 @@ must_omit_encryptionInformation(const char *command_name, const bson_t *command,
 }
 
 /* _fle2_append_compactionTokens appends compactionTokens if command_name is
- * "compactStructuredEncryptionData" */
-static bool _fle2_append_compactionTokens(_mongocrypt_crypto_t *crypto,
+ * "compactStructuredEncryptionData" or cleanupTokens if command_name is
+ * "cleanupStructuredEncryptionData"
+ */
+static bool _fle2_append_compactionTokens(mongocrypt_t *crypt,
                                           _mongocrypt_key_broker_t *kb,
                                           mc_EncryptedFieldConfig_t *efc,
                                           const char *command_name,
                                           bson_t *out,
                                           mongocrypt_status_t *status) {
-    bson_t result_compactionTokens;
+    bson_t result_compactionTokens = BSON_INITIALIZER;
     bool ret = false;
 
-    BSON_ASSERT_PARAM(crypto);
+    BSON_ASSERT_PARAM(crypt);
     BSON_ASSERT_PARAM(kb);
     BSON_ASSERT_PARAM(efc);
     BSON_ASSERT_PARAM(command_name);
     BSON_ASSERT_PARAM(out);
+    _mongocrypt_crypto_t *crypto = crypt->crypto;
 
-    if (0 != strcmp(command_name, "compactStructuredEncryptionData")) {
+    bool cleanup = (0 == strcmp(command_name, "cleanupStructuredEncryptionData"));
+
+    if (0 != strcmp(command_name, "compactStructuredEncryptionData") && !cleanup) {
         return true;
     }
 
-    BSON_APPEND_DOCUMENT_BEGIN(out, "compactionTokens", &result_compactionTokens);
+    if (cleanup) {
+        BSON_APPEND_DOCUMENT_BEGIN(out, "cleanupTokens", &result_compactionTokens);
+    } else {
+        BSON_APPEND_DOCUMENT_BEGIN(out, "compactionTokens", &result_compactionTokens);
+    }
 
     mc_EncryptedField_t *ptr;
     for (ptr = efc->fields; ptr != NULL; ptr = ptr->next) {
-        /* Append ECOC token. */
+        /* Append tokens. */
         _mongocrypt_buffer_t key = {0};
         _mongocrypt_buffer_t tokenkey = {0};
         mc_CollectionsLevel1Token_t *cl1t = NULL;
         mc_ECOCToken_t *ecoct = NULL;
+        mc_ESCToken_t *esct = NULL;
+        mc_AnchorPaddingTokenRoot_t *padt = NULL;
         bool ecoc_ok = false;
 
         if (!_mongocrypt_key_broker_decrypted_key_by_id(kb, &ptr->keyId, &key)) {
@@ -1333,10 +1512,35 @@ static bool _fle2_append_compactionTokens(_mongocrypt_crypto_t *crypto,
 
         const _mongocrypt_buffer_t *ecoct_buf = mc_ECOCToken_get(ecoct);
 
-        BSON_APPEND_BINARY(&result_compactionTokens, ptr->path, BSON_SUBTYPE_BINARY, ecoct_buf->data, ecoct_buf->len);
+        if (crypt->opts.use_range_v2 && (ptr->supported_queries & SUPPORTS_RANGE_QUERIES)) {
+            // Append the document {ecoc: <ECOCToken>, anchorPaddingToken: <AnchorPaddingTokenRoot>}
+            esct = mc_ESCToken_new(crypto, cl1t, status);
+            if (!esct) {
+                goto ecoc_fail;
+            }
+            padt = mc_AnchorPaddingTokenRoot_new(crypto, esct, status);
+            if (!padt) {
+                goto ecoc_fail;
+            }
+            const _mongocrypt_buffer_t *padt_buf = mc_AnchorPaddingTokenRoot_get(padt);
+            bson_t tokenDoc;
+            BSON_APPEND_DOCUMENT_BEGIN(&result_compactionTokens, ptr->path, &tokenDoc);
+            BSON_APPEND_BINARY(&tokenDoc, "ecoc", BSON_SUBTYPE_BINARY, ecoct_buf->data, ecoct_buf->len);
+            BSON_APPEND_BINARY(&tokenDoc, "anchorPaddingToken", BSON_SUBTYPE_BINARY, padt_buf->data, padt_buf->len);
+            bson_append_document_end(&result_compactionTokens, &tokenDoc);
+        } else {
+            // Append just <ECOCToken>
+            BSON_APPEND_BINARY(&result_compactionTokens,
+                               ptr->path,
+                               BSON_SUBTYPE_BINARY,
+                               ecoct_buf->data,
+                               ecoct_buf->len);
+        }
 
         ecoc_ok = true;
     ecoc_fail:
+        mc_AnchorPaddingTokenRoot_destroy(padt);
+        mc_ESCToken_destroy(esct);
         mc_ECOCToken_destroy(ecoct);
         mc_CollectionsLevel1Token_destroy(cl1t);
         _mongocrypt_buffer_cleanup(&key);
@@ -1363,11 +1567,63 @@ _fle2_strip_encryptionInformation(const char *cmd_name, bson_t *cmd /* in and ou
     BSON_ASSERT_PARAM(cmd_name);
     BSON_ASSERT_PARAM(cmd);
 
-    if (0 != strcmp(cmd_name, "explain")) {
+    if (0 != strcmp(cmd_name, "explain") && 0 != strcmp(cmd_name, "bulkWrite")) {
         bson_copy_to_excluding_noinit(cmd, &stripped, "encryptionInformation", NULL);
         goto success;
     }
 
+    if (0 == strcmp(cmd_name, "bulkWrite")) {
+        // Get the single `nsInfo` document from the input command.
+        bson_t nsInfo; // Non-owning.
+        {
+            bson_iter_t nsInfo_iter;
+            if (!bson_iter_init(&nsInfo_iter, cmd)) {
+                CLIENT_ERR("failed to iterate command");
+                goto fail;
+            }
+            if (!bson_iter_find_descendant(&nsInfo_iter, "nsInfo.0", &nsInfo_iter)) {
+                CLIENT_ERR("expected one namespace in `bulkWrite`, but found zero.");
+                goto fail;
+            }
+            if (bson_has_field(cmd, "nsInfo.1")) {
+                CLIENT_ERR(
+                    "expected one namespace in `bulkWrite`, but found more than one. Only one namespace is supported.");
+                goto fail;
+            }
+            if (!mc_iter_document_as_bson(&nsInfo_iter, &nsInfo, status)) {
+                goto fail;
+            }
+        }
+
+        // Copy input and exclude `encryptionInformation` from `nsInfo`.
+        {
+            // Append everything from input except `nsInfo`.
+            bson_copy_to_excluding_noinit(cmd, &stripped, "nsInfo", NULL);
+            // Append `nsInfo` array.
+            bson_t nsInfo_array;
+            if (!BSON_APPEND_ARRAY_BEGIN(&stripped, "nsInfo", &nsInfo_array)) {
+                CLIENT_ERR("unable to begin appending 'nsInfo' array");
+                goto fail;
+            }
+            bson_t nsInfo_array_0;
+            if (!BSON_APPEND_DOCUMENT_BEGIN(&nsInfo_array, "0", &nsInfo_array_0)) {
+                CLIENT_ERR("unable to append 'nsInfo.0' document");
+                goto fail;
+            }
+            // Copy everything from input `nsInfo` and exclude `encryptionInformation`.
+            bson_copy_to_excluding_noinit(&nsInfo, &nsInfo_array_0, "encryptionInformation", NULL);
+            if (!bson_append_document_end(&nsInfo_array, &nsInfo_array_0)) {
+                CLIENT_ERR("unable to end appending 'nsInfo' document in array");
+            }
+            if (!bson_append_array_end(&stripped, &nsInfo_array)) {
+                CLIENT_ERR("unable to end appending 'nsInfo' array");
+                goto fail;
+            }
+        }
+
+        goto success;
+    }
+
     // The 'explain' command is a special case.
     // 'encryptionInformation' is returned from mongocryptd and csfle nested
     // inside 'explain'. Example:
@@ -1451,7 +1707,7 @@ static bool _fle2_finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
         bson_copy_to(&original_cmd_bson, &converted);
     } else {
         bson_t as_bson;
-        bson_iter_t iter;
+        bson_iter_t iter = {0};
 
         if (!_mongocrypt_buffer_to_bson(&ectx->marked_cmd, &as_bson)) {
             return _mongocrypt_ctx_fail_w_msg(ctx, "malformed bson");
@@ -1488,7 +1744,11 @@ static bool _fle2_finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
         }
     }
 
-    moe_result result = must_omit_encryptionInformation(command_name, &converted, ctx->status);
+    moe_result result = must_omit_encryptionInformation(command_name,
+                                                        &converted,
+                                                        ctx->crypt->opts.use_range_v2,
+                                                        &ectx->efc,
+                                                        ctx->status);
     if (!result.ok) {
         bson_destroy(&converted);
         bson_destroy(deleteTokens);
@@ -1496,14 +1756,14 @@ static bool _fle2_finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
     }
 
     /* Append a new 'encryptionInformation'. */
-    if (!result.must_omit) {
+    if (!result.must_omit && !ectx->used_empty_encryptedFields) {
         if (!_fle2_insert_encryptionInformation(ctx,
                                                 command_name,
                                                 &converted,
-                                                ectx->ns,
+                                                ectx->target_ns,
                                                 &encrypted_field_config_bson,
                                                 deleteTokens,
-                                                ectx->coll_name,
+                                                ectx->target_coll,
                                                 MC_TO_MONGOD,
                                                 ctx->status)) {
             bson_destroy(&converted);
@@ -1513,12 +1773,7 @@ static bool _fle2_finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
     }
     bson_destroy(deleteTokens);
 
-    if (!_fle2_append_compactionTokens(ctx->crypt->crypto,
-                                       &ctx->kb,
-                                       &ectx->efc,
-                                       command_name,
-                                       &converted,
-                                       ctx->status)) {
+    if (!_fle2_append_compactionTokens(ctx->crypt, &ctx->kb, &ectx->efc, command_name, &converted, ctx->status)) {
         bson_destroy(&converted);
         return _mongocrypt_ctx_fail(ctx);
     }
@@ -1527,7 +1782,7 @@ static bool _fle2_finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
     bson_iter_t iter;
     if (bson_iter_init_find(&iter, &original_cmd_bson, "$db")) {
         if (!bson_iter_init_find(&iter, &converted, "$db")) {
-            BSON_APPEND_UTF8(&converted, "$db", ectx->db_name);
+            BSON_APPEND_UTF8(&converted, "$db", ectx->cmd_db);
         }
     }
 
@@ -1545,6 +1800,9 @@ static bool FLE2RangeFindDriverSpec_to_ciphertexts(mongocrypt_ctx_t *ctx, mongoc
     BSON_ASSERT_PARAM(ctx);
     BSON_ASSERT_PARAM(out);
 
+    bson_t with_placholders = BSON_INITIALIZER;
+    bson_t with_ciphertexts = BSON_INITIALIZER;
+
     if (!ctx->opts.rangeopts.set) {
         _mongocrypt_ctx_fail_w_msg(ctx, "Expected RangeOpts to be set for Range Find");
         goto fail;
@@ -1554,8 +1812,6 @@ static bool FLE2RangeFindDriverSpec_to_ciphertexts(mongocrypt_ctx_t *ctx, mongoc
         goto fail;
     }
 
-    bson_t with_placholders = BSON_INITIALIZER;
-    bson_t with_ciphertexts = BSON_INITIALIZER;
     bson_t in_bson;
     if (!_mongocrypt_buffer_to_bson(&ectx->original_cmd, &in_bson)) {
         _mongocrypt_ctx_fail_w_msg(ctx, "unable to convert input to BSON");
@@ -1663,7 +1919,13 @@ static bool _fle2_finalize_explicit(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *
     marking.type = MONGOCRYPT_MARKING_FLE2_ENCRYPTION;
     if (ctx->opts.query_type.set) {
         switch (ctx->opts.query_type.value) {
-        case MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW:
+        case MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW_DEPRECATED:
+            if (ctx->crypt->opts.use_range_v2) {
+                _mongocrypt_ctx_fail_w_msg(ctx, "Cannot use rangePreview query type with Range V2");
+                goto fail;
+            }
+        // fallthrough
+        case MONGOCRYPT_QUERY_TYPE_RANGE:
         case MONGOCRYPT_QUERY_TYPE_EQUALITY: marking.fle2.type = MONGOCRYPT_FLE2_PLACEHOLDER_TYPE_FIND; break;
         default: _mongocrypt_ctx_fail_w_msg(ctx, "Invalid value for EncryptOpts.queryType"); goto fail;
         }
@@ -1674,7 +1936,13 @@ static bool _fle2_finalize_explicit(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *
     switch (ctx->opts.index_type.value) {
     case MONGOCRYPT_INDEX_TYPE_EQUALITY: marking.fle2.algorithm = MONGOCRYPT_FLE2_ALGORITHM_EQUALITY; break;
     case MONGOCRYPT_INDEX_TYPE_NONE: marking.fle2.algorithm = MONGOCRYPT_FLE2_ALGORITHM_UNINDEXED; break;
-    case MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW: marking.fle2.algorithm = MONGOCRYPT_FLE2_ALGORITHM_RANGE; break;
+    case MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW_DEPRECATED:
+        if (ctx->crypt->opts.use_range_v2) {
+            _mongocrypt_ctx_fail_w_msg(ctx, "Cannot use rangePreview index type with Range V2");
+            goto fail;
+        }
+        // fallthrough
+    case MONGOCRYPT_INDEX_TYPE_RANGE: marking.fle2.algorithm = MONGOCRYPT_FLE2_ALGORITHM_RANGE; break;
     default:
         // This might be unreachable because of other validation. Better safe than
         // sorry.
@@ -1695,7 +1963,11 @@ static bool _fle2_finalize_explicit(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *
 
         // RangeOpts with query_type is handled above.
         BSON_ASSERT(!ctx->opts.query_type.set);
-        if (!mc_RangeOpts_to_FLE2RangeInsertSpec(&ctx->opts.rangeopts.value, &old_v, &new_v, ctx->status)) {
+        if (!mc_RangeOpts_to_FLE2RangeInsertSpec(&ctx->opts.rangeopts.value,
+                                                 &old_v,
+                                                 &new_v,
+                                                 ctx->crypt->opts.use_range_v2,
+                                                 ctx->status)) {
             _mongocrypt_ctx_fail(ctx);
             goto fail;
         }
@@ -1730,7 +2002,7 @@ static bool _fle2_finalize_explicit(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *
     }
 
     if (ctx->opts.contention_factor.set) {
-        marking.fle2.maxContentionCounter = ctx->opts.contention_factor.value;
+        marking.fle2.maxContentionFactor = ctx->opts.contention_factor.value;
     } else if (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_EQUALITY) {
         _mongocrypt_ctx_fail_w_msg(ctx, "contention factor required for indexed algorithm");
         goto fail;
@@ -1764,7 +2036,7 @@ fail:
 
 static bool _finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
     bson_t as_bson, converted;
-    bson_iter_t iter;
+    bson_iter_t iter = {0};
     _mongocrypt_ctx_encrypt_t *ectx;
     bool res;
 
@@ -1811,7 +2083,7 @@ static bool _finalize(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *out) {
         bson_iter_t iter;
         if (bson_iter_init_find(&iter, &original_cmd_bson, "$db")) {
             if (!bson_iter_init_find(&iter, &converted, "$db")) {
-                BSON_APPEND_UTF8(&converted, "$db", ectx->db_name);
+                BSON_APPEND_UTF8(&converted, "$db", ectx->cmd_db);
             }
         }
     } else {
@@ -1869,9 +2141,10 @@ static void _cleanup(mongocrypt_ctx_t *ctx) {
     }
 
     ectx = (_mongocrypt_ctx_encrypt_t *)ctx;
-    bson_free(ectx->ns);
-    bson_free(ectx->db_name);
-    bson_free(ectx->coll_name);
+    bson_free(ectx->target_ns);
+    bson_free(ectx->cmd_db);
+    bson_free(ectx->target_db);
+    bson_free(ectx->target_coll);
     _mongocrypt_buffer_cleanup(&ectx->list_collections_filter);
     _mongocrypt_buffer_cleanup(&ectx->schema);
     _mongocrypt_buffer_cleanup(&ectx->encrypted_field_config);
@@ -1903,7 +2176,7 @@ static bool _try_schema_from_schema_map(mongocrypt_ctx_t *ctx) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "malformed schema map");
     }
 
-    if (bson_iter_init_find(&iter, &schema_map, ectx->ns)) {
+    if (bson_iter_init_find(&iter, &schema_map, ectx->target_ns)) {
         if (!_mongocrypt_buffer_copy_from_document_iter(&ectx->schema, &iter)) {
             return _mongocrypt_ctx_fail_w_msg(ctx, "malformed schema map");
         }
@@ -1939,7 +2212,7 @@ static bool _fle2_try_encrypted_field_config_from_map(mongocrypt_ctx_t *ctx) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "unable to convert encrypted_field_config_map to BSON");
     }
 
-    if (bson_iter_init_find(&iter, &encrypted_field_config_map, ectx->ns)) {
+    if (bson_iter_init_find(&iter, &encrypted_field_config_map, ectx->target_ns)) {
         if (!_mongocrypt_buffer_copy_from_document_iter(&ectx->encrypted_field_config, &iter)) {
             return _mongocrypt_ctx_fail_w_msg(ctx,
                                               "unable to copy encrypted_field_config from "
@@ -1949,7 +2222,7 @@ static bool _fle2_try_encrypted_field_config_from_map(mongocrypt_ctx_t *ctx) {
         if (!_mongocrypt_buffer_to_bson(&ectx->encrypted_field_config, &efc_bson)) {
             return _mongocrypt_ctx_fail_w_msg(ctx, "unable to create BSON from encrypted_field_config");
         }
-        if (!mc_EncryptedFieldConfig_parse(&ectx->efc, &efc_bson, ctx->status)) {
+        if (!mc_EncryptedFieldConfig_parse(&ectx->efc, &efc_bson, ctx->status, ctx->crypt->opts.use_range_v2)) {
             _mongocrypt_ctx_fail(ctx);
             return false;
         }
@@ -1970,18 +2243,32 @@ static bool _try_schema_from_cache(mongocrypt_ctx_t *ctx) {
 
     /* Otherwise, we need a remote schema. Check if we have a response to
      * listCollections cached. */
-    if (!_mongocrypt_cache_get(&ctx->crypt->cache_collinfo, ectx->ns /* null terminated */, (void **)&collinfo)) {
+    if (!_mongocrypt_cache_get(&ctx->crypt->cache_collinfo,
+                               ectx->target_ns /* null terminated */,
+                               (void **)&collinfo)) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "failed to retrieve from cache");
     }
 
     if (collinfo) {
         if (!_set_schema_from_collinfo(ctx, collinfo)) {
+            bson_destroy(collinfo);
             return _mongocrypt_ctx_fail(ctx);
         }
         ctx->state = MONGOCRYPT_CTX_NEED_MONGO_MARKINGS;
     } else {
         /* we need to get it. */
         ctx->state = MONGOCRYPT_CTX_NEED_MONGO_COLLINFO;
+        if (ectx->target_db) {
+            if (!ctx->crypt->opts.use_need_mongo_collinfo_with_db_state) {
+                _mongocrypt_ctx_fail_w_msg(
+                    ctx,
+                    "Fetching remote collection information on separate databases is not supported. Try "
+                    "upgrading driver, or specify a local schemaMap or encryptedFieldsMap.");
+                return false;
+            }
+            // Target database may differ from command database. Request collection info from target database.
+            ctx->state = MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB;
+        }
     }
 
     bson_destroy(collinfo);
@@ -2222,7 +2509,9 @@ static bool explicit_encrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *ms
         return _mongocrypt_ctx_fail_w_msg(ctx, "contention factor is required for indexed algorithm");
     }
 
-    if (ctx->opts.index_type.set && ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW) {
+    if (ctx->opts.index_type.set
+        && (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGE
+            || ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW_DEPRECATED)) {
         if (!ctx->opts.contention_factor.set) {
             return _mongocrypt_ctx_fail_w_msg(ctx, "contention factor is required for range indexed algorithm");
         }
@@ -2242,8 +2531,14 @@ static bool explicit_encrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *ms
         bool matches = false;
 
         switch (ctx->opts.query_type.value) {
-        case MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW:
-            matches = (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW);
+        case MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW_DEPRECATED:
+            // Don't allow deprecated query type if we are using new index type.
+            matches = (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW_DEPRECATED);
+            break;
+        case MONGOCRYPT_QUERY_TYPE_RANGE:
+            // New query type is compatible with both new and old index types.
+            matches = (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGEPREVIEW_DEPRECATED
+                       || ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_RANGE);
             break;
         case MONGOCRYPT_QUERY_TYPE_EQUALITY:
             matches = (ctx->opts.index_type.value == MONGOCRYPT_INDEX_TYPE_EQUALITY);
@@ -2317,7 +2612,9 @@ bool mongocrypt_ctx_explicit_encrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_bina
     if (!explicit_encrypt_init(ctx, msg)) {
         return false;
     }
-    if (ctx->opts.query_type.set && ctx->opts.query_type.value == MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW) {
+    if (ctx->opts.query_type.set
+        && (ctx->opts.query_type.value == MONGOCRYPT_QUERY_TYPE_RANGE
+            || ctx->opts.query_type.value == MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW_DEPRECATED)) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "Encrypt may not be used for range queries. Use EncryptExpression.");
     }
     return true;
@@ -2327,22 +2624,77 @@ bool mongocrypt_ctx_explicit_encrypt_expression_init(mongocrypt_ctx_t *ctx, mong
     if (!explicit_encrypt_init(ctx, msg)) {
         return false;
     }
-    if (!ctx->opts.query_type.set || ctx->opts.query_type.value != MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW) {
+    if (!ctx->opts.query_type.set
+        || !(ctx->opts.query_type.value == MONGOCRYPT_QUERY_TYPE_RANGE
+             || ctx->opts.query_type.value == MONGOCRYPT_QUERY_TYPE_RANGEPREVIEW_DEPRECATED)) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "EncryptExpression may only be used for range queries.");
     }
     return true;
 }
 
+static bool _check_cmd_for_auto_encrypt_bulkWrite(mongocrypt_binary_t *cmd,
+                                                  char **target_db,
+                                                  char **target_coll,
+                                                  mongocrypt_status_t *status) {
+    BSON_ASSERT_PARAM(cmd);
+    BSON_ASSERT_PARAM(target_db);
+    BSON_ASSERT_PARAM(target_coll);
+
+    bson_t as_bson;
+    bson_iter_t cmd_iter = {0};
+
+    if (!_mongocrypt_binary_to_bson(cmd, &as_bson) || !bson_iter_init(&cmd_iter, &as_bson)) {
+        CLIENT_ERR("invalid command BSON");
+        return false;
+    }
+
+    bson_iter_t ns_iter = cmd_iter;
+    if (!bson_iter_find_descendant(&ns_iter, "nsInfo.0.ns", &ns_iter)) {
+        CLIENT_ERR("failed to find namespace in `bulkWrite` command");
+        return false;
+    }
+
+    if (!BSON_ITER_HOLDS_UTF8(&ns_iter)) {
+        CLIENT_ERR("expected namespace to be UTF8, got: %s", mc_bson_type_to_string(bson_iter_type(&ns_iter)));
+        return false;
+    }
+
+    const char *target_ns = bson_iter_utf8(&ns_iter, NULL /* length */);
+    // Parse `target_ns` into "<db>.<coll>"
+    const char *dot = strstr(target_ns, ".");
+    if (!dot) {
+        CLIENT_ERR("expected namespace to contain dot, got: %s", target_ns);
+        return false;
+    }
+    *target_coll = bson_strdup(dot + 1);
+    // Get the database from the `ns` field (which may differ from `cmd_db`).
+    ptrdiff_t db_len = dot - target_ns;
+    if ((uint64_t)db_len > SIZE_MAX) {
+        CLIENT_ERR("unexpected database length exceeds %zu", SIZE_MAX);
+        return false;
+    }
+    *target_db = bson_strndup(target_ns, (size_t)db_len);
+
+    // Ensure only one `nsInfo` element is present.
+    // Query analysis (mongocryptd/crypt_shared) currently only supports one namespace.
+    if (bson_has_field(&as_bson, "nsInfo.1")) {
+        CLIENT_ERR("expected one namespace in `bulkWrite`, but found more than one. Only one namespace is supported.");
+        return false;
+    }
+
+    return true;
+}
+
 static bool
-_check_cmd_for_auto_encrypt(mongocrypt_binary_t *cmd, bool *bypass, char **collname, mongocrypt_status_t *status) {
+_check_cmd_for_auto_encrypt(mongocrypt_binary_t *cmd, bool *bypass, char **target_coll, mongocrypt_status_t *status) {
     bson_t as_bson;
-    bson_iter_t iter, ns_iter;
+    bson_iter_t iter = {0}, target_coll_iter;
     const char *cmd_name;
     bool eligible = false;
 
     BSON_ASSERT_PARAM(cmd);
     BSON_ASSERT_PARAM(bypass);
-    BSON_ASSERT_PARAM(collname);
+    BSON_ASSERT_PARAM(target_coll);
 
     *bypass = false;
 
@@ -2366,22 +2718,22 @@ _check_cmd_for_auto_encrypt(mongocrypt_binary_t *cmd, bool *bypass, char **colln
             CLIENT_ERR("explain value is not a document");
             return false;
         }
-        if (!bson_iter_recurse(&iter, &ns_iter)) {
+        if (!bson_iter_recurse(&iter, &target_coll_iter)) {
             CLIENT_ERR("malformed BSON for encrypt command");
             return false;
         }
-        if (!bson_iter_next(&ns_iter)) {
+        if (!bson_iter_next(&target_coll_iter)) {
             CLIENT_ERR("invalid empty BSON");
             return false;
         }
     } else {
-        memcpy(&ns_iter, &iter, sizeof(iter));
+        memcpy(&target_coll_iter, &iter, sizeof(iter));
     }
 
-    if (BSON_ITER_HOLDS_UTF8(&ns_iter)) {
-        *collname = bson_strdup(bson_iter_utf8(&ns_iter, NULL));
+    if (BSON_ITER_HOLDS_UTF8(&target_coll_iter)) {
+        *target_coll = bson_strdup(bson_iter_utf8(&target_coll_iter, NULL));
     } else {
-        *collname = NULL;
+        *target_coll = NULL;
     }
 
     /* check if command is eligible for auto encryption, bypassed, or ineligible.
@@ -2461,6 +2813,8 @@ _check_cmd_for_auto_encrypt(mongocrypt_binary_t *cmd, bool *bypass, char **colln
         *bypass = true;
     } else if (0 == strcmp(cmd_name, "compactStructuredEncryptionData")) {
         eligible = true;
+    } else if (0 == strcmp(cmd_name, "cleanupStructuredEncryptionData")) {
+        eligible = true;
     } else if (0 == strcmp(cmd_name, "collMod")) {
         eligible = true;
     } else if (0 == strcmp(cmd_name, "hello")) {
@@ -2471,15 +2825,23 @@ _check_cmd_for_auto_encrypt(mongocrypt_binary_t *cmd, bool *bypass, char **colln
         *bypass = true;
     } else if (0 == strcmp(cmd_name, "getLog")) {
         *bypass = true;
+    } else if (0 == strcmp(cmd_name, "createSearchIndexes")) {
+        *bypass = true;
+    } else if (0 == strcmp(cmd_name, "listSearchIndexes")) {
+        *bypass = true;
+    } else if (0 == strcmp(cmd_name, "dropSearchIndex")) {
+        *bypass = true;
+    } else if (0 == strcmp(cmd_name, "updateSearchIndex")) {
+        *bypass = true;
     }
 
     /* database/client commands are ineligible. */
     if (eligible) {
-        if (!*collname) {
+        if (!*target_coll) {
             CLIENT_ERR("non-collection command not supported for auto encryption: %s", cmd_name);
             return false;
         }
-        if (0 == strlen(*collname)) {
+        if (0 == strlen(*target_coll)) {
             CLIENT_ERR("empty collection name on command: %s", cmd_name);
             return false;
         }
@@ -2507,7 +2869,6 @@ static bool needs_ismaster_check(mongocrypt_ctx_t *ctx) {
 bool mongocrypt_ctx_encrypt_init(mongocrypt_ctx_t *ctx, const char *db, int32_t db_len, mongocrypt_binary_t *cmd) {
     _mongocrypt_ctx_encrypt_t *ectx;
     _mongocrypt_ctx_opts_spec_t opts_spec;
-    bool bypass;
 
     if (!ctx) {
         return false;
@@ -2529,15 +2890,13 @@ bool mongocrypt_ctx_encrypt_init(mongocrypt_ctx_t *ctx, const char *db, int32_t
     ctx->vtable.mongo_op_collinfo = _mongo_op_collinfo;
     ctx->vtable.mongo_feed_collinfo = _mongo_feed_collinfo;
     ctx->vtable.mongo_done_collinfo = _mongo_done_collinfo;
+    ctx->vtable.mongo_db_collinfo = _mongo_db_collinfo;
     ctx->vtable.mongo_op_collinfo = _mongo_op_collinfo;
     ctx->vtable.mongo_op_markings = _mongo_op_markings;
     ctx->vtable.mongo_feed_markings = _mongo_feed_markings;
     ctx->vtable.mongo_done_markings = _mongo_done_markings;
     ctx->vtable.finalize = _finalize;
     ctx->vtable.cleanup = _cleanup;
-    ctx->vtable.mongo_op_collinfo = _mongo_op_collinfo;
-    ctx->vtable.mongo_feed_collinfo = _mongo_feed_collinfo;
-    ctx->vtable.mongo_done_collinfo = _mongo_done_collinfo;
     ectx->bypass_query_analysis = ctx->crypt->opts.bypass_query_analysis;
 
     if (!cmd || !cmd->data) {
@@ -2551,27 +2910,38 @@ bool mongocrypt_ctx_encrypt_init(mongocrypt_ctx_t *ctx, const char *db, int32_t
         return _mongocrypt_ctx_fail(ctx);
     }
 
-    if (!_check_cmd_for_auto_encrypt(cmd, &bypass, &ectx->coll_name, ctx->status)) {
-        return _mongocrypt_ctx_fail(ctx);
+    if (!_mongocrypt_validate_and_copy_string(db, db_len, &ectx->cmd_db) || 0 == strlen(ectx->cmd_db)) {
+        return _mongocrypt_ctx_fail_w_msg(ctx, "invalid db");
     }
 
-    if (bypass) {
-        ctx->nothing_to_do = true;
-        ctx->state = MONGOCRYPT_CTX_READY;
-        return true;
-    }
+    if (0 == strcmp(ectx->cmd_name, "bulkWrite")) {
+        // Handle `bulkWrite` as a special case.
+        // `bulkWrite` includes the target namespaces in an `nsInfo` field.
+        // Only one target namespace is supported.
+        if (!_check_cmd_for_auto_encrypt_bulkWrite(cmd, &ectx->target_db, &ectx->target_coll, ctx->status)) {
+            return _mongocrypt_ctx_fail(ctx);
+        }
 
-    /* if _check_cmd_for_auto_encrypt did not bypass or error, a collection name
-     * must have been set. */
-    if (!ectx->coll_name) {
-        return _mongocrypt_ctx_fail_w_msg(ctx, "unexpected error: did not bypass or error but no collection name");
-    }
+        ectx->target_ns = bson_strdup_printf("%s.%s", ectx->target_db, ectx->target_coll);
+    } else {
+        bool bypass;
+        if (!_check_cmd_for_auto_encrypt(cmd, &bypass, &ectx->target_coll, ctx->status)) {
+            return _mongocrypt_ctx_fail(ctx);
+        }
 
-    if (!_mongocrypt_validate_and_copy_string(db, db_len, &ectx->db_name) || 0 == strlen(ectx->db_name)) {
-        return _mongocrypt_ctx_fail_w_msg(ctx, "invalid db");
-    }
+        if (bypass) {
+            ctx->nothing_to_do = true;
+            ctx->state = MONGOCRYPT_CTX_READY;
+            return true;
+        }
 
-    ectx->ns = bson_strdup_printf("%s.%s", ectx->db_name, ectx->coll_name);
+        /* if _check_cmd_for_auto_encrypt did not bypass or error, a collection name
+         * must have been set. */
+        if (!ectx->target_coll) {
+            return _mongocrypt_ctx_fail_w_msg(ctx, "unexpected error: did not bypass or error but no collection name");
+        }
+        ectx->target_ns = bson_strdup_printf("%s.%s", ectx->cmd_db, ectx->target_coll);
+    }
 
     if (ctx->opts.kek.provider.aws.region || ctx->opts.kek.provider.aws.cmk) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "aws masterkey options must not be set");
@@ -2593,7 +2963,7 @@ bool mongocrypt_ctx_encrypt_init(mongocrypt_ctx_t *ctx, const char *db, int32_t
                         "%s (%s=\"%s\", %s=%d, %s=\"%s\")",
                         BSON_FUNC,
                         "db",
-                        ectx->db_name,
+                        ectx->cmd_db,
                         "db_len",
                         db_len,
                         "cmd",
@@ -2672,6 +3042,17 @@ static bool mongocrypt_ctx_encrypt_ismaster_done(mongocrypt_ctx_t *ctx) {
         /* Otherwise, we need the the driver to fetch the schema. */
         if (_mongocrypt_buffer_empty(&ectx->schema)) {
             ctx->state = MONGOCRYPT_CTX_NEED_MONGO_COLLINFO;
+            if (ectx->target_db) {
+                if (!ctx->crypt->opts.use_need_mongo_collinfo_with_db_state) {
+                    _mongocrypt_ctx_fail_w_msg(
+                        ctx,
+                        "Fetching remote collection information on separate databases is not supported. Try "
+                        "upgrading driver, or specify a local schemaMap or encryptedFieldsMap.");
+                    return false;
+                }
+                // Target database may differ from command database. Request collection info from target database.
+                ctx->state = MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB;
+            }
         }
     }
 
@@ -2681,7 +3062,7 @@ static bool mongocrypt_ctx_encrypt_ismaster_done(mongocrypt_ctx_t *ctx) {
         return false;
     }
 
-    if (!_fle2_collect_keys_for_compact(ctx)) {
+    if (!_fle2_collect_keys_for_compaction(ctx)) {
         return false;
     }