npm - @cipherstash/protect-ffi - Versions diffs - 0.16.1 → 0.18.0-9 - Mend

@cipherstash/protect-ffi 0.16.1 → 0.18.0-9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -143,13 +143,22 @@ PGHOST=localhost
 ```
 To run integration tests:
+```sh
+mise setup
+mise test:integration
+```
+You can also run the integration tests in "watch" mode:
+```sh
+mise test:integration --watch
 ```
-npm run debug
-cd integration-tests
-docker compose up --detach --wait
-npm run eql:download
-npm run eql:install
-npm run test
+By default lock context tests are not included because invalid lock contexts fire security warnings in ZeroKMS.
+To include these, run:
+```sh
+mise test:integration:all
 ```
 ## Releasing

package/lib/index.cjs CHANGED Viewed

@@ -1,11 +1,12 @@
 "use strict";
 // This module is the CJS entry point for the library.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
+exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.isEncrypted = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
 var load_cjs_1 = require("./load.cjs");
 Object.defineProperty(exports, "newClient", { enumerable: true, get: function () { return load_cjs_1.newClient; } });
 Object.defineProperty(exports, "encrypt", { enumerable: true, get: function () { return load_cjs_1.encrypt; } });
 Object.defineProperty(exports, "encryptBulk", { enumerable: true, get: function () { return load_cjs_1.encryptBulk; } });
+Object.defineProperty(exports, "isEncrypted", { enumerable: true, get: function () { return load_cjs_1.isEncrypted; } });
 Object.defineProperty(exports, "decrypt", { enumerable: true, get: function () { return load_cjs_1.decrypt; } });
 Object.defineProperty(exports, "decryptBulk", { enumerable: true, get: function () { return load_cjs_1.decryptBulk; } });
 Object.defineProperty(exports, "decryptBulkFallible", { enumerable: true, get: function () { return load_cjs_1.decryptBulkFallible; } });

package/lib/index.d.cts CHANGED Viewed

@@ -1,50 +1,87 @@
-export { newClient, encrypt, encryptBulk, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
+export { newClient, encrypt, encryptBulk, isEncrypted, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
 declare const sym: unique symbol;
 export type Client = {
     readonly [sym]: unknown;
 };
 declare module './load.cjs' {
     function newClient(opts: NewClientOptions): Promise<Client>;
-    function encrypt(client: Client, opts: EncryptOptions): Promise<Encrypted>;
-    function decrypt(client: Client, opts: DecryptOptions): Promise<string>;
-    function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
-    function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<string[]>;
-    function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
+    function encrypt<T extends EncryptConfig>(client: Client, opts: EncryptOptions<T>): Promise<AnyEncrypted<T>>;
+    function decrypt<T extends EncryptConfig>(client: Client, opts: DecryptOptions<T>): Promise<JsPlaintext>;
+    function isEncrypted<T extends EncryptConfig>(encrypted: AnyEncrypted<T>): boolean;
+    function encryptQuery<T extends EncryptConfig, Q extends EncryptedQueryTerm>(client: Client, opts: QueryOptions<T>): Promise<Q>;
+    function encryptBulk<T extends EncryptConfig>(client: Client, opts: EncryptBulkOptions<T>): Promise<AnyEncrypted<T>[]>;
+    function decryptBulk<T extends EncryptConfig>(client: Client, opts: DecryptBulkOptions<T>): Promise<JsPlaintext[]>;
+    function decryptBulkFallible<T extends EncryptConfig>(client: Client, opts: DecryptBulkOptions<T>): Promise<DecryptResult[]>;
 }
 export type DecryptResult = {
     data: string;
 } | {
     error: string;
 };
-export type EncryptPayload = {
-    plaintext: string;
-    column: string;
-    table: string;
-    lockContext?: Context;
-};
-export type BulkDecryptPayload = {
-    ciphertext: string;
-    lockContext?: Context;
+export type EncryptPayload<T extends EncryptConfig> = {
+    plaintext: JsPlaintext;
+    lockContext?: Context[];
+} & Identifier<T>;
+export type BulkDecryptPayload<T extends EncryptConfig> = {
+    ciphertext: AnyEncrypted<T>;
+    lockContext?: Context[];
 };
 export type CtsToken = {
     accessToken: string;
     expiry: number;
 };
 export type Context = {
-    identityClaim: string[];
-};
-export type Encrypted = {
-    k: string;
-    c: string;
-    ob: string[] | null;
-    bf: number[] | null;
-    hm: string | null;
-    i: {
-        c: string;
-        t: string;
-    };
+    identityClaim: string;
+} | {
+    tag: string;
+};
+export type Versioned = {
     v: number;
 };
+export type Base85Ciphertext = string;
+export type BloomFilter = number[];
+export type HMAC = string;
+export type EncodedBlockOREArray = string[];
+export type EncodedFixedLengthORE = string;
+export type EncodedVariableLengthORE = string;
+export type JSONPathSelector = string;
+export type EncryptedCell<T extends EncryptConfig> = Versioned & {
+    k: 'ct';
+    c: Base85Ciphertext;
+    ob: EncodedBlockOREArray | null;
+    bf: BloomFilter | null;
+    hm: HMAC | null;
+    i: Identifier<T>;
+};
+export type EncryptedSV<T extends EncryptConfig> = Versioned & {
+    k: 'sv';
+    sv: SteVecEncryptedEntry[];
+    i: Identifier<T>;
+};
+export type EncryptedSVE = {
+    k: 'sve';
+    sve: SteVecEncryptedEntry;
+};
+export type AnyEncrypted<T extends EncryptConfig> = EncryptedCell<T> | EncryptedSV<T> | EncryptedSVE;
+export type SteVecEncryptedEntry = {
+    c: Base85Ciphertext;
+    parent_is_array: boolean;
+} & SteVecTerm & {
+    s: JSONPathSelector;
+};
+export type SteVecQuery = {
+    svq: SteQueryVecEntry[];
+};
+export type SteQueryVecEntry = {
+    s: JSONPathSelector;
+} & SteVecTerm;
+export type SteVecTerm = {
+    hm: HMAC;
+} | {
+    ocf: EncodedFixedLengthORE;
+} | {
+    ocv: EncodedVariableLengthORE;
+};
 export type EncryptConfig = {
     v: number;
     tables: Record<string, Record<string, Column>>;
@@ -54,6 +91,15 @@ export type Column = {
     indexes?: Indexes;
 };
 export type CastAs = 'big_int' | 'boolean' | 'date' | 'real' | 'double' | 'int' | 'small_int' | 'text' | 'jsonb';
+type TablesOf<C extends EncryptConfig> = C['tables'];
+export type Identifier<C extends EncryptConfig> = {
+    [T in keyof TablesOf<C>]: {
+        [CName in keyof TablesOf<C>[T]]: {
+            table: T;
+            column: CName;
+        };
+    }[keyof TablesOf<C>[T]];
+}[keyof TablesOf<C>];
 export type Indexes = {
     ore?: OreIndexOpts;
     unique?: UniqueIndexOpts;
@@ -92,28 +138,56 @@ export type ClientOpts = {
     accessKey?: string;
     clientId?: string;
     clientKey?: string;
+    keyset?: IdentifiedBy;
 };
-export type EncryptOptions = {
-    plaintext: string;
-    column: string;
-    table: string;
-    lockContext?: Context;
+export type IdentifiedBy = string;
+export type JsPlaintext = string | number | Record<string, unknown> | JsPlaintext[];
+export type EncryptOptions<T extends EncryptConfig> = {
+    plaintext: JsPlaintext;
+    lockContext?: Context[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
-};
-export type EncryptBulkOptions = {
-    plaintexts: EncryptPayload[];
+} & Identifier<T>;
+export type EncryptBulkOptions<T extends EncryptConfig> = {
+    plaintexts: EncryptPayload<T>[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
-export type DecryptOptions = {
-    ciphertext: string;
-    lockContext?: Context;
+export type DecryptOptions<T extends EncryptConfig> = {
+    ciphertext: AnyEncrypted<T>;
+    lockContext?: Context[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
-export type DecryptBulkOptions = {
-    ciphertexts: BulkDecryptPayload[];
+export type DecryptBulkOptions<T extends EncryptConfig> = {
+    ciphertexts: BulkDecryptPayload<T>[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
+export type QueryOptions<T extends EncryptConfig> = {
+    plaintext: JsPlaintext;
+    operator: QueryOperator;
+} & Identifier<T>;
+export type NumericOperator = '>' | '>=' | '<' | '<=' | '=';
+export type StringOperator = '~~' | '~~*' | '=';
+export type JsonbOperator = '@>' | '<@' | '->';
+export type QueryOperator = NumericOperator | StringOperator | JsonbOperator;
+export type EncryptedQueryTerm = {};
+export interface RangeQuery extends EncryptedQueryTerm {
+    ob: EncodedBlockOREArray;
+}
+export interface MatchQuery extends EncryptedQueryTerm {
+    bf: BloomFilter;
+}
+export interface ExactQuery extends EncryptedQueryTerm {
+    hm: HMAC;
+}
+export interface JsonSelect extends EncryptedQueryTerm {
+    s: JSONPathSelector;
+}
+export interface JsonContainsQuery extends EncryptedQueryTerm {
+    sv: SteQueryVecEntry[];
+}
+export interface JsonIsContainedByQuery extends EncryptedQueryTerm {
+    sv: SteQueryVecEntry[];
+}

package/package.json CHANGED Viewed

@@ -1,16 +1,15 @@
 {
   "name": "@cipherstash/protect-ffi",
-  "version": "0.16.1",
+  "version": "0.18.0-9",
   "description": "",
   "main": "./lib/index.cjs",
   "scripts": {
     "test": "npm run test:typecheck && npm run test:lint && npm run test:format && npm run test:rust",
     "test:typecheck": "tsc",
     "test:rust": "cargo test",
-    "test:lint": "npm run test:lint:rust && npm run test:lint:ts",
+    "test:lint": "npm run test:lint:ts",
     "test:lint:ts": "biome lint",
-    "test:lint:rust": "cargo clippy --all --no-deps --all-targets --all-features -- -D warnings",
-    "test:format": "npm run test:format:rust && npm run test:format:ts",
+    "test:format": "npm run test:format:ts",
     "test:format:ts": "biome format",
     "test:format:rust": "cargo fmt --check",
     "cargo-build": "tsc &&cargo build --message-format=json-render-diagnostics > cargo.log",
@@ -61,10 +60,10 @@
     "@neon-rs/load": "^0.1.82"
   },
   "optionalDependencies": {
-    "@cipherstash/protect-ffi-win32-x64-msvc": "0.16.1",
-    "@cipherstash/protect-ffi-darwin-x64": "0.16.1",
-    "@cipherstash/protect-ffi-darwin-arm64": "0.16.1",
-    "@cipherstash/protect-ffi-linux-x64-gnu": "0.16.1",
-    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.16.1"
+    "@cipherstash/protect-ffi-win32-x64-msvc": "0.18.0-9",
+    "@cipherstash/protect-ffi-darwin-x64": "0.18.0-9",
+    "@cipherstash/protect-ffi-darwin-arm64": "0.18.0-9",
+    "@cipherstash/protect-ffi-linux-x64-gnu": "0.18.0-9",
+    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.18.0-9"
   }
 }