@cipherstash/protect-ffi 0.18.0-9 → 0.19.0

package/lib/index.d.cts

@@ -5,83 +5,99 @@ export type Client = {
 };
 declare module './load.cjs' {
     function newClient(opts: NewClientOptions): Promise<Client>;
-    function encrypt<T extends EncryptConfig>(client: Client, opts: EncryptOptions<T>): Promise<AnyEncrypted<T>>;
-    function decrypt<T extends EncryptConfig>(client: Client, opts: DecryptOptions<T>): Promise<JsPlaintext>;
-    function isEncrypted<T extends EncryptConfig>(encrypted: AnyEncrypted<T>): boolean;
-    function encryptQuery<T extends EncryptConfig, Q extends EncryptedQueryTerm>(client: Client, opts: QueryOptions<T>): Promise<Q>;
-    function encryptBulk<T extends EncryptConfig>(client: Client, opts: EncryptBulkOptions<T>): Promise<AnyEncrypted<T>[]>;
-    function decryptBulk<T extends EncryptConfig>(client: Client, opts: DecryptBulkOptions<T>): Promise<JsPlaintext[]>;
-    function decryptBulkFallible<T extends EncryptConfig>(client: Client, opts: DecryptBulkOptions<T>): Promise<DecryptResult[]>;
+    function encrypt(client: Client, opts: EncryptOptions): Promise<Encrypted>;
+    function decrypt(client: Client, opts: DecryptOptions): Promise<JsPlaintext>;
+    function isEncrypted(encrypted: Encrypted): boolean;
+    function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
+    function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<JsPlaintext[]>;
+    function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
 }
 export type DecryptResult = {
     data: string;
 } | {
     error: string;
 };
-export type EncryptPayload<T extends EncryptConfig> = {
+export type EncryptPayload = {
     plaintext: JsPlaintext;
-    lockContext?: Context[];
-} & Identifier<T>;
-export type BulkDecryptPayload<T extends EncryptConfig> = {
-    ciphertext: AnyEncrypted<T>;
-    lockContext?: Context[];
+    column: string;
+    table: string;
+    lockContext?: Context;
+};
+export type BulkDecryptPayload = {
+    ciphertext: Encrypted;
+    lockContext?: Context;
 };
 export type CtsToken = {
     accessToken: string;
     expiry: number;
 };
 export type Context = {
-    identityClaim: string;
-} | {
-    tag: string;
-};
-export type Versioned = {
+    identityClaim: string[];
+};
+/**
+ * Represents encrypted data in the EQL format.
+ *
+ * This TypeScript type mirrors the Rust `EqlCiphertext` structure from `cipherstash-client`.
+ * The Rust type hierarchy is:
+ * - `EqlCiphertext` (identifier + version + body)
+ *   - `EqlCiphertextBody` (ciphertext + SEM fields + array flag)
+ *     - `EqlSEM` (all searchable encrypted metadata fields)
+ *
+ * In the serialized JSON format, `#[serde(flatten)]` is used in Rust to produce a flat
+ * structure where all fields appear at the top level rather than nested.
+ *
+ * Note: The ciphertext field (c) is serialized in MessagePack Base85 format.
+ */
+export type Encrypted = {
+    /** The table and column identifier */
+    i: {
+        t: string;
+        c: string;
+    };
+    /** The encryption version */
     v: number;
-};
-export type Base85Ciphertext = string;
-export type BloomFilter = number[];
-export type HMAC = string;
-export type EncodedBlockOREArray = string[];
-export type EncodedFixedLengthORE = string;
-export type EncodedVariableLengthORE = string;
-export type JSONPathSelector = string;
-export type EncryptedCell<T extends EncryptConfig> = Versioned & {
-    k: 'ct';
-    c: Base85Ciphertext;
-    ob: EncodedBlockOREArray | null;
-    bf: BloomFilter | null;
-    hm: HMAC | null;
-    i: Identifier<T>;
-};
-export type EncryptedSV<T extends EncryptConfig> = Versioned & {
-    k: 'sv';
-    sv: SteVecEncryptedEntry[];
-    i: Identifier<T>;
-};
-export type EncryptedSVE = {
-    k: 'sve';
-    sve: SteVecEncryptedEntry;
-};
-export type AnyEncrypted<T extends EncryptConfig> = EncryptedCell<T> | EncryptedSV<T> | EncryptedSVE;
-export type SteVecEncryptedEntry = {
-    c: Base85Ciphertext;
-    parent_is_array: boolean;
-} & SteVecTerm & {
-    s: JSONPathSelector;
-};
-export type SteVecQuery = {
-    svq: SteQueryVecEntry[];
-};
-export type SteQueryVecEntry = {
-    s: JSONPathSelector;
-} & SteVecTerm;
-export type SteVecTerm = {
-    hm: HMAC;
-} | {
-    ocf: EncodedFixedLengthORE;
-} | {
-    ocv: EncodedVariableLengthORE;
-};
+    /** The encrypted ciphertext (mp_base85 encoded, optional for query-mode payloads) */
+    c?: string;
+    /** Whether this encrypted value is part of an array */
+    a?: boolean;
+    /** ORE block index for 64-bit integers */
+    ob?: string[];
+    /** Bloom filter for approximate match queries */
+    bf?: number[];
+    /** HMAC-SHA256 hash for exact matches */
+    hm?: string;
+    /** Selector value for field selection (SteVec) */
+    s?: string;
+    /** Blake3 hash for exact matches (SteVec) */
+    b3?: string;
+    /** ORE CLLW fixed-width index for 64-bit values (SteVec) */
+    ocf?: string;
+    /** ORE CLLW variable-width index for strings (SteVec) */
+    ocv?: string;
+    /** Structured encryption vector entries (recursive) */
+    sv?: EqlCiphertextBody[];
+};
+/**
+ * Body of an EQL ciphertext, used recursively in SteVec entries.
+ */
+export type EqlCiphertextBody = {
+    /** The encrypted ciphertext (mp_base85 encoded) */
+    c?: string;
+    /** Whether this entry is part of an array */
+    a?: boolean;
+    /** Selector value for field selection */
+    s?: string;
+    /** Blake3 hash for exact matches */
+    b3?: string;
+    /** ORE CLLW fixed-width index */
+    ocf?: string;
+    /** ORE CLLW variable-width index */
+    ocv?: string;
+    /** Nested SteVec entries (for deeply nested JSON) */
+    sv?: EqlCiphertextBody[];
+};
+/** @deprecated Use EqlCiphertextBody instead */
+export type SteVecEntry = EqlCiphertextBody;
 export type EncryptConfig = {
     v: number;
     tables: Record<string, Record<string, Column>>;
@@ -90,7 +106,7 @@ export type Column = {
     cast_as?: CastAs;
     indexes?: Indexes;
 };
-export type CastAs = 'big_int' | 'boolean' | 'date' | 'real' | 'double' | 'int' | 'small_int' | 'text' | 'jsonb';
+export type CastAs = 'bigint' | 'boolean' | 'date' | 'number' | 'string' | 'json';
 type TablesOf<C extends EncryptConfig> = C['tables'];
 export type Identifier<C extends EncryptConfig> = {
     [T in keyof TablesOf<C>]: {
@@ -138,56 +154,35 @@ export type ClientOpts = {
     accessKey?: string;
     clientId?: string;
     clientKey?: string;
-    keyset?: IdentifiedBy;
+    keyset?: KeysetIdentifier;
+};
+export type KeysetIdentifier = {
+    Uuid: string;
+} | {
+    Name: string;
 };
-export type IdentifiedBy = string;
 export type JsPlaintext = string | number | Record<string, unknown> | JsPlaintext[];
-export type EncryptOptions<T extends EncryptConfig> = {
+export type EncryptOptions = {
     plaintext: JsPlaintext;
-    lockContext?: Context[];
+    column: string;
+    table: string;
+    lockContext?: Context;
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
-} & Identifier<T>;
-export type EncryptBulkOptions<T extends EncryptConfig> = {
-    plaintexts: EncryptPayload<T>[];
+};
+export type EncryptBulkOptions = {
+    plaintexts: EncryptPayload[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
-export type DecryptOptions<T extends EncryptConfig> = {
-    ciphertext: AnyEncrypted<T>;
-    lockContext?: Context[];
+export type DecryptOptions = {
+    ciphertext: Encrypted;
+    lockContext?: Context;
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
-export type DecryptBulkOptions<T extends EncryptConfig> = {
-    ciphertexts: BulkDecryptPayload<T>[];
+export type DecryptBulkOptions = {
+    ciphertexts: BulkDecryptPayload[];
     serviceToken?: CtsToken;
     unverifiedContext?: Record<string, unknown>;
 };
-export type QueryOptions<T extends EncryptConfig> = {
-    plaintext: JsPlaintext;
-    operator: QueryOperator;
-} & Identifier<T>;
-export type NumericOperator = '>' | '>=' | '<' | '<=' | '=';
-export type StringOperator = '~~' | '~~*' | '=';
-export type JsonbOperator = '@>' | '<@' | '->';
-export type QueryOperator = NumericOperator | StringOperator | JsonbOperator;
-export type EncryptedQueryTerm = {};
-export interface RangeQuery extends EncryptedQueryTerm {
-    ob: EncodedBlockOREArray;
-}
-export interface MatchQuery extends EncryptedQueryTerm {
-    bf: BloomFilter;
-}
-export interface ExactQuery extends EncryptedQueryTerm {
-    hm: HMAC;
-}
-export interface JsonSelect extends EncryptedQueryTerm {
-    s: JSONPathSelector;
-}
-export interface JsonContainsQuery extends EncryptedQueryTerm {
-    sv: SteQueryVecEntry[];
-}
-export interface JsonIsContainedByQuery extends EncryptedQueryTerm {
-    sv: SteQueryVecEntry[];
-}

package/lib/load.cjs

@@ -12,6 +12,7 @@ module.exports = require('@neon-rs/load').proxy({
         'darwin-x64': () => require('@cipherstash/protect-ffi-darwin-x64'),
         'darwin-arm64': () => require('@cipherstash/protect-ffi-darwin-arm64'),
         'linux-x64-gnu': () => require('@cipherstash/protect-ffi-linux-x64-gnu'),
+        'linux-x64-musl': () => require('@cipherstash/protect-ffi-linux-x64-musl'),
         'linux-arm64-gnu': () => require('@cipherstash/protect-ffi-linux-arm64-gnu'),
     },
     debug: () => require('../index.node'),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cipherstash/protect-ffi",
-  "version": "0.18.0-9",
+  "version": "0.19.0",
   "description": "",
   "main": "./lib/index.cjs",
   "scripts": {
@@ -45,7 +45,14 @@
   "neon": {
     "type": "library",
     "org": "@cipherstash",
-    "platforms": "common",
+    "platforms": [
+      "darwin-x64",
+      "darwin-arm64",
+      "win32-x64-msvc",
+      "linux-x64-gnu",
+      "linux-arm64-gnu",
+      "linux-x64-musl"
+    ],
     "load": "./src/load.cts",
     "prefix": "protect-ffi-"
   },
@@ -60,10 +67,11 @@
     "@neon-rs/load": "^0.1.82"
   },
   "optionalDependencies": {
-    "@cipherstash/protect-ffi-win32-x64-msvc": "0.18.0-9",
-    "@cipherstash/protect-ffi-darwin-x64": "0.18.0-9",
-    "@cipherstash/protect-ffi-darwin-arm64": "0.18.0-9",
-    "@cipherstash/protect-ffi-linux-x64-gnu": "0.18.0-9",
-    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.18.0-9"
+    "@cipherstash/protect-ffi-darwin-x64": "0.19.0",
+    "@cipherstash/protect-ffi-darwin-arm64": "0.19.0",
+    "@cipherstash/protect-ffi-win32-x64-msvc": "0.19.0",
+    "@cipherstash/protect-ffi-linux-x64-gnu": "0.19.0",
+    "@cipherstash/protect-ffi-linux-arm64-gnu": "0.19.0",
+    "@cipherstash/protect-ffi-linux-x64-musl": "0.19.0"
   }
 }