@cipherstash/protect-ffi 0.18.1 → 0.20.0

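--- a/package/lib/index.cjs
+++ b/package/lib/index.cjs
@@ -1,11 +1,13 @@
  "use strict";
  // This module is the CJS entry point for the library.
  Object.defineProperty(exports, "__esModule", { value: true });
- exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.isEncrypted = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
+ exports.decryptBulkFallible = exports.decryptBulk = exports.decrypt = exports.isEncrypted = exports.encryptQueryBulk = exports.encryptQuery = exports.encryptBulk = exports.encrypt = exports.newClient = void 0;
  var load_cjs_1 = require("./load.cjs");
  Object.defineProperty(exports, "newClient", { enumerable: true, get: function () { return load_cjs_1.newClient; } });
  Object.defineProperty(exports, "encrypt", { enumerable: true, get: function () { return load_cjs_1.encrypt; } });
  Object.defineProperty(exports, "encryptBulk", { enumerable: true, get: function () { return load_cjs_1.encryptBulk; } });
+ Object.defineProperty(exports, "encryptQuery", { enumerable: true, get: function () { return load_cjs_1.encryptQuery; } });
+ Object.defineProperty(exports, "encryptQueryBulk", { enumerable: true, get: function () { return load_cjs_1.encryptQueryBulk; } });
  Object.defineProperty(exports, "isEncrypted", { enumerable: true, get: function () { return load_cjs_1.isEncrypted; } });
  Object.defineProperty(exports, "decrypt", { enumerable: true, get: function () { return load_cjs_1.decrypt; } });
  Object.defineProperty(exports, "decryptBulk", { enumerable: true, get: function () { return load_cjs_1.decryptBulk; } });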
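--- a/package/lib/index.d.cts
+++ b/package/lib/index.d.cts
@@ -1,4 +1,4 @@
- export { newClient, encrypt, encryptBulk, isEncrypted, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
+ export { newClient, encrypt, encryptBulk, encryptQuery, encryptQueryBulk, isEncrypted, decrypt, decryptBulk, decryptBulkFallible, } from './load.cjs';
  declare const sym: unique symbol;
  export type Client = {
  readonly [sym]: unknown;
@@ -11,6 +11,8 @@ declare module './load.cjs' {
  function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
  function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<JsPlaintext[]>;
  function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
+ function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<Encrypted>;
+ function encryptQueryBulk(client: Client, opts: EncryptQueryBulkOptions): Promise<Encrypted[]>;
  }
  export type DecryptResult = {
  data: string;
@@ -34,32 +36,70 @@ export type CtsToken = {
  export type Context = {
  identityClaim: string[];
  };
+ /**
+ * Represents encrypted data in the EQL format.
+ *
+ * This TypeScript type mirrors the Rust `EqlCiphertext` structure from `cipherstash-client`.
+ * The Rust type hierarchy is:
+ * - `EqlCiphertext` (identifier + version + body)
+ * - `EqlCiphertextBody` (ciphertext + SEM fields + array flag)
+ * - `EqlSEM` (all searchable encrypted metadata fields)
+ *
+ * In the serialized JSON format, `#[serde(flatten)]` is used in Rust to produce a flat
+ * structure where all fields appear at the top level rather than nested.
+ *
+ * Note: The ciphertext field (c) is serialized in MessagePack Base85 format.
+ */
  export type Encrypted = {
- k: 'ct';
- c: string;
- ob: string[] | null;
- bf: number[] | null;
- hm: string | null;
+ /** The table and column identifier */
  i: {
- c: string;
  t: string;
- };
- v: number;
- } | {
- k: 'sv';
- sv: SteVecEncryptedEntry[];
- i: {
  c: string;
- t: string;
  };
+ /** The encryption version */
  v: number;
- };
- export type SteVecEncryptedEntry = {
- tokenized_selector: string;
- term: string;
- record: string;
- parent_is_array: boolean;
- };
+ /** The encrypted ciphertext (mp_base85 encoded, optional for query-mode payloads) */
+ c?: string;
+ /** Whether this encrypted value is part of an array */
+ a?: boolean;
+ /** ORE block index for 64-bit integers */
+ ob?: string[];
+ /** Bloom filter for approximate match queries */
+ bf?: number[];
+ /** HMAC-SHA256 hash for exact matches */
+ hm?: string;
+ /** Selector value for field selection (SteVec) */
+ s?: string;
+ /** Blake3 hash for exact matches (SteVec) */
+ b3?: string;
+ /** ORE CLLW fixed-width index for 64-bit values (SteVec) */
+ ocf?: string;
+ /** ORE CLLW variable-width index for strings (SteVec) */
+ ocv?: string;
+ /** Structured encryption vector entries (recursive) */
+ sv?: EqlCiphertextBody[];
+ };
+ /**
+ * Body of an EQL ciphertext, used recursively in SteVec entries.
+ */
+ export type EqlCiphertextBody = {
+ /** The encrypted ciphertext (mp_base85 encoded) */
+ c?: string;
+ /** Whether this entry is part of an array */
+ a?: boolean;
+ /** Selector value for field selection */
+ s?: string;
+ /** Blake3 hash for exact matches */
+ b3?: string;
+ /** ORE CLLW fixed-width index */
+ ocf?: string;
+ /** ORE CLLW variable-width index */
+ ocv?: string;
+ /** Nested SteVec entries (for deeply nested JSON) */
+ sv?: EqlCiphertextBody[];
+ };
+ /** @deprecated Use EqlCiphertextBody instead */
+ export type SteVecEntry = EqlCiphertextBody;
  export type EncryptConfig = {
  v: number;
  tables: Record<string, Record<string, Column>>;
@@ -148,3 +188,28 @@ export type DecryptBulkOptions = {
  serviceToken?: CtsToken;
  unverifiedContext?: Record<string, unknown>;
  };
+ export type IndexTypeName = 'ste_vec' | 'match' | 'ore' | 'unique';
+ export type QueryOpName = 'default' | 'ste_vec_selector' | 'ste_vec_term';
+ export type EncryptQueryOptions = {
+ plaintext: JsPlaintext;
+ column: string;
+ table: string;
+ indexType: IndexTypeName;
+ queryOp?: QueryOpName;
+ lockContext?: Context;
+ serviceToken?: CtsToken;
+ unverifiedContext?: Record<string, unknown>;
+ };
+ export type QueryPayload = {
+ plaintext: JsPlaintext;
+ column: string;
+ table: string;
+ indexType: IndexTypeName;
+ queryOp?: QueryOpName;
+ lockContext?: Context;
+ };
+ export type EncryptQueryBulkOptions = {
+ queries: QueryPayload[];
+ serviceToken?: CtsToken;
+ unverifiedContext?: Record<string, unknown>;
+ };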
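Review bot: `Encrypted` now has every payload field optional (`c?`, `sv?` and the index terms) and no `k` discriminant, and `encryptQuery`/`encryptQueryBulk` return that same type, so the declarations no longer distinguish a storable ciphertext from a query-mode payload that carries only search terms. A query result written to a column, or passed on to the decrypt functions, would type-check even though it may hold no ciphertext to recover. I would give the query functions their own result type, e.g. `function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<EncryptedQuery>;`, and keep a ciphertext-bearing shape for `encrypt`/`decrypt`; failing that, the `Encrypted` doc comment should state which fields are guaranteed for stored values. Separately, the removed `SteVecEncryptedEntry` export has no alias in these hunks (the deprecated alias is named `SteVecEntry`), so imports of the old name will presumably stop compiling.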
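--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cipherstash/protect-ffi",
- "version": "0.18.1",
+ "version": "0.20.0",
  "description": "",
  "main": "./lib/index.cjs",
  "scripts": {
@@ -67,11 +67,11 @@
  "@neon-rs/load": "^0.1.82"
  },
  "optionalDependencies": {
- "@cipherstash/protect-ffi-darwin-x64": "0.18.1",
- "@cipherstash/protect-ffi-darwin-arm64": "0.18.1",
- "@cipherstash/protect-ffi-win32-x64-msvc": "0.18.1",
- "@cipherstash/protect-ffi-linux-x64-gnu": "0.18.1",
- "@cipherstash/protect-ffi-linux-arm64-gnu": "0.18.1",
- "@cipherstash/protect-ffi-linux-x64-musl": "0.18.1"
+ "@cipherstash/protect-ffi-darwin-x64": "0.20.0",
+ "@cipherstash/protect-ffi-darwin-arm64": "0.20.0",
+ "@cipherstash/protect-ffi-win32-x64-msvc": "0.20.0",
+ "@cipherstash/protect-ffi-linux-x64-gnu": "0.20.0",
+ "@cipherstash/protect-ffi-linux-arm64-gnu": "0.20.0",
+ "@cipherstash/protect-ffi-linux-x64-musl": "0.20.0"
  }
  }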