@cipherstash/protect-ffi 0.16.1 → 0.17.1

package/README.md

@@ -143,13 +143,22 @@ PGHOST=localhost
 ```
 
 To run integration tests:
+```sh
+mise setup
+mise test:integration
+```
+
+You can also run the integration tests in "watch" mode:
+
+```sh
+mise test:integration --watch
 ```
-npm run debug
-cd integration-tests
-docker compose up --detach --wait
-npm run eql:download
-npm run eql:install
-npm run test
+
+By default lock context tests are not included because invalid lock contexts fire security warnings in ZeroKMS.
+To include these, run:
+
+```sh
+mise test:integration:all
 ```
 
 ## Releasing

package/lib/index.cjs

@@ -1,11 +1,12 @@
 "use strict";
 // This module is the CJS entry point for the library.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
+exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.isEncrypted = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
 var load_cjs_1 = require("./load.cjs");
 Object.defineProperty(exports, "newClient", { enumerable: true, get: function () { return load_cjs_1.newClient; } });
 Object.defineProperty(exports, "encrypt", { enumerable: true, get: function () { return load_cjs_1.encrypt; } });
 Object.defineProperty(exports, "encryptBulk", { enumerable: true, get: function () { return load_cjs_1.encryptBulk; } });
+Object.defineProperty(exports, "isEncrypted", { enumerable: true, get: function () { return load_cjs_1.isEncrypted; } });
 Object.defineProperty(exports, "decrypt", { enumerable: true, get: function () { return load_cjs_1.decrypt; } });
 Object.defineProperty(exports, "decryptBulk", { enumerable: true, get: function () { return load_cjs_1.decryptBulk; } });
 Object.defineProperty(exports, "decryptBulkFallible", { enumerable: true, get: function () { return load_cjs_1.decryptBulkFallible; } });

package/lib/index.d.cts

@@ -1,4 +1,4 @@
-export { newClient, encrypt, encryptBulk, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
+export { newClient, encrypt, encryptBulk, isEncrypted, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
 declare const sym: unique symbol;
 export type Client = {
     readonly [sym]: unknown;
@@ -6,9 +6,10 @@ export type Client = {
 declare module './load.cjs' {
     function newClient(opts: NewClientOptions): Promise<Client>;
     function encrypt(client: Client, opts: EncryptOptions): Promise<Encrypted>;
-    function decrypt(client: Client, opts: DecryptOptions): Promise<string>;
+    function decrypt(client: Client, opts: DecryptOptions): Promise<JsPlaintext>;
+    function isEncrypted(encrypted: Encrypted): boolean;
     function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
-    function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<string[]>;
+    function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<JsPlaintext[]>;
     function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
 }
 export type DecryptResult = {
@@ -17,13 +18,13 @@ export type DecryptResult = {
     error: string;
 };
 export type EncryptPayload = {
-    plaintext: string;
+    plaintext: JsPlaintext;
     column: string;
     table: string;
     lockContext?: Context;
 };
 export type BulkDecryptPayload = {
-    ciphertext: string;
+    ciphertext: Encrypted;
     lockContext?: Context;
 };
 export type CtsToken = {
@@ -34,7 +35,7 @@ export type Context = {
     identityClaim: string[];
 };
 export type Encrypted = {
-    k: string;
+    k: 'ct';
     c: string;
     ob: string[] | null;
     bf: number[] | null;
@@ -44,6 +45,20 @@ export type Encrypted = {
         t: string;
     };
     v: number;
+} | {
+    k: 'sv';
+    sv: SteVecEncryptedEntry[];
+    i: {
+        c: string;
+        t: string;
+    };
+    v: number;
+};
+export type SteVecEncryptedEntry = {
+    tokenized_selector: string;
+    term: string;
+    record: string;
+    parent_is_array: boolean;
 };
 export type EncryptConfig = {
     v: number;
@@ -53,7 +68,16 @@ export type Column = {
     cast_as?: CastAs;
     indexes?: Indexes;
 };
-export type CastAs = 'big_int' | 'boolean' | 'date' | 'real' | 'double' | 'int' | 'small_int' | 'text' | 'jsonb';
+export type CastAs = 'bigint' | 'boolean' | 'date' | 'number' | 'string' | 'json';
+type TablesOf<C extends EncryptConfig> = C['tables'];
+export type Identifier<C extends EncryptConfig> = {
+    [T in keyof TablesOf<C>]: {
+        [CName in keyof TablesOf<C>[T]]: {
+            table: T;
+            column: CName;
+        };
+    }[keyof TablesOf<C>[T]];
+}[keyof TablesOf<C>];
 export type Indexes = {
     ore?: OreIndexOpts;
     unique?: UniqueIndexOpts;
@@ -93,8 +117,9 @@ export type ClientOpts = {
     clientId?: string;
     clientKey?: string;
 };
+export type JsPlaintext = string | number | Record<string, unknown> | JsPlaintext[];
 export type EncryptOptions = {
-    plaintext: string;
+    plaintext: JsPlaintext;
     column: string;
     table: string;
     lockContext?: Context;
@@ -107,7 +132,7 @@ export type EncryptBulkOptions = {
     unverifiedContext?: Record<string, unknown>;
 };
 export type DecryptOptions = {
-    ciphertext: string;
+    ciphertext: Encrypted;
     lockContext?: Context;
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;

package/lib/load.cjs

@@ -12,6 +12,7 @@ module.exports = require('@neon-rs/load').proxy({
         'darwin-x64': () => require('@cipherstash/protect-ffi-darwin-x64'),
         'darwin-arm64': () => require('@cipherstash/protect-ffi-darwin-arm64'),
         'linux-x64-gnu': () => require('@cipherstash/protect-ffi-linux-x64-gnu'),
+        'linux-x64-musl': () => require('@cipherstash/protect-ffi-linux-x64-musl'),
         'linux-arm64-gnu': () => require('@cipherstash/protect-ffi-linux-arm64-gnu'),
     },
     debug: () => require('../index.node'),

package/package.json

@@ -1,16 +1,15 @@
 {
   "name": "@cipherstash/protect-ffi",
-  "version": "0.16.1",
+  "version": "0.17.1",
   "description": "",
   "main": "./lib/index.cjs",
   "scripts": {
     "test": "npm run test:typecheck && npm run test:lint && npm run test:format && npm run test:rust",
     "test:typecheck": "tsc",
     "test:rust": "cargo test",
-    "test:lint": "npm run test:lint:rust && npm run test:lint:ts",
+    "test:lint": "npm run test:lint:ts",
     "test:lint:ts": "biome lint",
-    "test:lint:rust": "cargo clippy --all --no-deps --all-targets --all-features -- -D warnings",
-    "test:format": "npm run test:format:rust && npm run test:format:ts",
+    "test:format": "npm run test:format:ts",
     "test:format:ts": "biome format",
     "test:format:rust": "cargo fmt --check",
     "cargo-build": "tsc &&cargo build --message-format=json-render-diagnostics > cargo.log",
@@ -46,7 +45,14 @@
   "neon": {
     "type": "library",
     "org": "@cipherstash",
-    "platforms": "common",
+    "platforms": [
+      "darwin-x64",
+      "darwin-arm64",
+      "win32-x64-msvc",
+      "linux-x64-gnu",
+      "linux-arm64-gnu",
+      "linux-x64-musl"
+    ],
     "load": "./src/load.cts",
     "prefix": "protect-ffi-"
   },
@@ -61,10 +67,11 @@
     "@neon-rs/load": "^0.1.82"
   },
   "optionalDependencies": {
-    "@cipherstash/protect-ffi-win32-x64-msvc": "0.16.1",
-    "@cipherstash/protect-ffi-darwin-x64": "0.16.1",
-    "@cipherstash/protect-ffi-darwin-arm64": "0.16.1",
-    "@cipherstash/protect-ffi-linux-x64-gnu": "0.16.1",
-    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.16.1"
+    "@cipherstash/protect-ffi-darwin-x64": "0.17.1",
+    "@cipherstash/protect-ffi-darwin-arm64": "0.17.1",
+    "@cipherstash/protect-ffi-win32-x64-msvc": "0.17.1",
+    "@cipherstash/protect-ffi-linux-x64-gnu": "0.17.1",
+    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.17.1",
+    "@cipherstash/protect-ffi-linux-x64-musl": "0.17.1"
   }
 }