@cipherstash/protect-ffi 0.22.0 → 0.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/index.d.cts +62 -35
- package/package.json +7 -7
package/lib/index.d.cts
CHANGED
|
@@ -9,12 +9,12 @@ declare module './load.cjs' {
|
|
|
9
9
|
function newClient(opts: NativeNewClientOptions): Promise<Client>;
|
|
10
10
|
function encrypt(client: Client, opts: EncryptOptions): Promise<Encrypted>;
|
|
11
11
|
function decrypt(client: Client, opts: DecryptOptions): Promise<JsPlaintext>;
|
|
12
|
-
function isEncrypted(encrypted:
|
|
12
|
+
function isEncrypted(encrypted: unknown): boolean;
|
|
13
13
|
function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
|
|
14
14
|
function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<JsPlaintext[]>;
|
|
15
15
|
function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
|
|
16
|
-
function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<Encrypted>;
|
|
17
|
-
function encryptQueryBulk(client: Client, opts: EncryptQueryBulkOptions): Promise<Encrypted[]>;
|
|
16
|
+
function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<Encrypted | EncryptedQuery>;
|
|
17
|
+
function encryptQueryBulk(client: Client, opts: EncryptQueryBulkOptions): Promise<(Encrypted | EncryptedQuery)[]>;
|
|
18
18
|
function ensureKeyset(opts: EnsureKeysetOpts): Promise<EnsureKeysetResult>;
|
|
19
19
|
}
|
|
20
20
|
export type ProtectErrorCode = 'INVARIANT_VIOLATION' | 'UNKNOWN_QUERY_OP' | 'UNKNOWN_COLUMN' | 'MISSING_INDEX' | 'INVALID_QUERY_INPUT' | 'INVALID_JSON_PATH' | 'STE_VEC_REQUIRES_JSON_CAST_AS' | 'MATCH_REQUIRES_TEXT' | 'UNSUPPORTED_CONFIG_VERSION' | 'UNKNOWN';
|
|
@@ -38,12 +38,12 @@ export type DecryptResult = {
|
|
|
38
38
|
export declare function newClient(opts: NewClientOptions): Promise<Client>;
|
|
39
39
|
export declare function encrypt(client: Client, opts: EncryptOptions): Promise<Encrypted>;
|
|
40
40
|
export declare function decrypt(client: Client, opts: DecryptOptions): Promise<JsPlaintext>;
|
|
41
|
-
export declare function isEncrypted(encrypted:
|
|
41
|
+
export declare function isEncrypted(encrypted: unknown): boolean;
|
|
42
42
|
export declare function encryptBulk(client: Client, opts: EncryptBulkOptions): Promise<Encrypted[]>;
|
|
43
43
|
export declare function decryptBulk(client: Client, opts: DecryptBulkOptions): Promise<JsPlaintext[]>;
|
|
44
44
|
export declare function decryptBulkFallible(client: Client, opts: DecryptBulkOptions): Promise<DecryptResult[]>;
|
|
45
|
-
export declare function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<Encrypted>;
|
|
46
|
-
export declare function encryptQueryBulk(client: Client, opts: EncryptQueryBulkOptions): Promise<Encrypted[]>;
|
|
45
|
+
export declare function encryptQuery(client: Client, opts: EncryptQueryOptions): Promise<Encrypted | EncryptedQuery>;
|
|
46
|
+
export declare function encryptQueryBulk(client: Client, opts: EncryptQueryBulkOptions): Promise<(Encrypted | EncryptedQuery)[]>;
|
|
47
47
|
/**
|
|
48
48
|
* Test-only helper: ensures a keyset with the given name exists, creating it if necessary,
|
|
49
49
|
* and grants the current client access. Not safe for concurrent use — intended for
|
|
@@ -68,28 +68,22 @@ export type Context = {
|
|
|
68
68
|
identityClaim: string[];
|
|
69
69
|
};
|
|
70
70
|
/**
|
|
71
|
-
*
|
|
71
|
+
* EQL v2.3 **storage** payload — the shape persisted in an `eql_v2_encrypted`
|
|
72
|
+
* column. Returned by {@link encrypt} / {@link encryptBulk}; the only shape
|
|
73
|
+
* {@link decrypt} accepts.
|
|
72
74
|
*
|
|
73
|
-
* Discriminated
|
|
74
|
-
*
|
|
75
|
+
* Discriminated on `k`. A storage payload always carries the ciphertext — `c`
|
|
76
|
+
* on the scalar variant, or `sv[0].c` on the STE-vector variant. Query payloads
|
|
77
|
+
* carry no ciphertext and are a separate type — see {@link EncryptedQuery}.
|
|
75
78
|
*
|
|
76
79
|
* ```ts
|
|
77
80
|
* if (payload.k === 'sv') {
|
|
78
|
-
* payload.sv
|
|
81
|
+
* payload.sv.forEach(...)
|
|
79
82
|
* }
|
|
80
83
|
* ```
|
|
81
|
-
*
|
|
82
|
-
* - `k: "ct"` — scalar payload (storage or query for `unique` / `match` / `ore`
|
|
83
|
-
* indexes). Storage payloads always carry `c`; query payloads omit `c` and
|
|
84
|
-
* carry exactly one of `hm`, `bf`, or `ob`.
|
|
85
|
-
* - `k: "sv"` — STE-vector payload. The FFI emits this for SteVec storage
|
|
86
|
-
* *and* for JSON containment queries (`ste_vec_term`), both of which carry
|
|
87
|
-
* per-selector entries in `sv` with the root document ciphertext at
|
|
88
|
-
* `sv[0].c`. Selector queries (`ste_vec_selector`) instead carry a single
|
|
89
|
-
* tokenized selector `s` and omit `sv`.
|
|
90
84
|
*/
|
|
91
85
|
export type Encrypted = EncryptedScalar | EncryptedSteVec;
|
|
92
|
-
/** Scalar EQL v2.3 payload (`k: "ct"`). */
|
|
86
|
+
/** Scalar EQL v2.3 storage payload (`k: "ct"`). */
|
|
93
87
|
export type EncryptedScalar = {
|
|
94
88
|
k: 'ct';
|
|
95
89
|
/** EQL schema version */
|
|
@@ -99,26 +93,20 @@ export type EncryptedScalar = {
|
|
|
99
93
|
t: string;
|
|
100
94
|
c: string;
|
|
101
95
|
};
|
|
102
|
-
/** Encrypted ciphertext (mp_base85).
|
|
103
|
-
c
|
|
104
|
-
/** HMAC-SHA256
|
|
96
|
+
/** Encrypted ciphertext (mp_base85). Always present on a storage payload. */
|
|
97
|
+
c: string;
|
|
98
|
+
/** HMAC-SHA256 term — present when a `unique` index is configured. */
|
|
105
99
|
hm?: string;
|
|
106
|
-
/** Bloom filter (set bit positions) —
|
|
100
|
+
/** Bloom filter (set bit positions) — present when a `match` index is configured. */
|
|
107
101
|
bf?: number[];
|
|
108
|
-
/** Block ORE u64_8_256 term —
|
|
102
|
+
/** Block ORE u64_8_256 term — present when an `ore` index is configured. */
|
|
109
103
|
ob?: string[];
|
|
110
104
|
};
|
|
111
105
|
/**
|
|
112
|
-
* STE-vector EQL v2.3 payload (`k: "sv"`).
|
|
113
|
-
*
|
|
114
|
-
* - {@link EncryptedSteVecStorage} for storage encryption and JSON containment
|
|
115
|
-
* queries — carries a non-empty `sv` with the root ciphertext at `sv[0].c`.
|
|
116
|
-
* - {@link EncryptedSteVecSelector} for `ste_vec_selector` queries — carries
|
|
117
|
-
* only a tokenized selector `s`.
|
|
106
|
+
* STE-vector EQL v2.3 storage payload (`k: "sv"`). Carries the per-selector
|
|
107
|
+
* entries in `sv`; the root document ciphertext lives at `sv[0].c`.
|
|
118
108
|
*/
|
|
119
|
-
export type EncryptedSteVec =
|
|
120
|
-
/** SteVec storage payload (also used for containment queries). */
|
|
121
|
-
export type EncryptedSteVecStorage = {
|
|
109
|
+
export type EncryptedSteVec = {
|
|
122
110
|
k: 'sv';
|
|
123
111
|
v: number;
|
|
124
112
|
i: {
|
|
@@ -129,7 +117,46 @@ export type EncryptedSteVecStorage = {
|
|
|
129
117
|
sv: [SteVecEntry, ...SteVecEntry[]];
|
|
130
118
|
s?: never;
|
|
131
119
|
};
|
|
132
|
-
/**
|
|
120
|
+
/**
|
|
121
|
+
* EQL v2.3 **query** payload — an encrypted search term. Returned, alongside
|
|
122
|
+
* {@link Encrypted}, by {@link encryptQuery} / {@link encryptQueryBulk}.
|
|
123
|
+
*
|
|
124
|
+
* Unlike a storage payload, a query payload carries no ciphertext (`c`): it is
|
|
125
|
+
* matched against stored values, never decrypted. It must not be passed to
|
|
126
|
+
* {@link decrypt}.
|
|
127
|
+
*
|
|
128
|
+
* This covers the query shapes protect-ffi currently emits. cipherstash-client
|
|
129
|
+
* additionally defines `k: "sv"` hmac / ore / containment query terms; the FFI
|
|
130
|
+
* does not emit those today — JSON containment queries come back as an
|
|
131
|
+
* {@link EncryptedSteVec} storage payload.
|
|
132
|
+
*/
|
|
133
|
+
export type EncryptedQuery = EncryptedScalarQuery | EncryptedSteVecSelector;
|
|
134
|
+
/**
|
|
135
|
+
* Scalar query term (`k: "ct"`, no ciphertext) — a `unique` / `match` / `ore`
|
|
136
|
+
* lookup term carrying exactly one of `hm`, `bf`, or `ob`.
|
|
137
|
+
*/
|
|
138
|
+
export type EncryptedScalarQuery = {
|
|
139
|
+
k: 'ct';
|
|
140
|
+
/** EQL schema version */
|
|
141
|
+
v: number;
|
|
142
|
+
/** Table and column identifier */
|
|
143
|
+
i: {
|
|
144
|
+
t: string;
|
|
145
|
+
c: string;
|
|
146
|
+
};
|
|
147
|
+
/** Query payloads carry no ciphertext — discriminates against {@link EncryptedScalar}. */
|
|
148
|
+
c?: never;
|
|
149
|
+
} & ({
|
|
150
|
+
hm: string;
|
|
151
|
+
} | {
|
|
152
|
+
bf: number[];
|
|
153
|
+
} | {
|
|
154
|
+
ob: string[];
|
|
155
|
+
});
|
|
156
|
+
/**
|
|
157
|
+
* STE-vector selector query payload (`ste_vec_selector`) — a tokenized JSON
|
|
158
|
+
* path selector, no ciphertext.
|
|
159
|
+
*/
|
|
133
160
|
export type EncryptedSteVecSelector = {
|
|
134
161
|
k: 'sv';
|
|
135
162
|
v: number;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cipherstash/protect-ffi",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.23.0",
|
|
4
4
|
"description": "",
|
|
5
5
|
"main": "./lib/index.cjs",
|
|
6
6
|
"scripts": {
|
|
@@ -75,11 +75,11 @@
|
|
|
75
75
|
"vite": "^8.0.5"
|
|
76
76
|
},
|
|
77
77
|
"optionalDependencies": {
|
|
78
|
-
"@cipherstash/protect-ffi-darwin-x64": "0.
|
|
79
|
-
"@cipherstash/protect-ffi-darwin-arm64": "0.
|
|
80
|
-
"@cipherstash/protect-ffi-win32-x64-msvc": "0.
|
|
81
|
-
"@cipherstash/protect-ffi-linux-x64-gnu": "0.
|
|
82
|
-
"@cipherstash/protect-ffi-linux-arm64-gnu": "0.
|
|
83
|
-
"@cipherstash/protect-ffi-linux-x64-musl": "0.
|
|
78
|
+
"@cipherstash/protect-ffi-darwin-x64": "0.23.0",
|
|
79
|
+
"@cipherstash/protect-ffi-darwin-arm64": "0.23.0",
|
|
80
|
+
"@cipherstash/protect-ffi-win32-x64-msvc": "0.23.0",
|
|
81
|
+
"@cipherstash/protect-ffi-linux-x64-gnu": "0.23.0",
|
|
82
|
+
"@cipherstash/protect-ffi-linux-arm64-gnu": "0.23.0",
|
|
83
|
+
"@cipherstash/protect-ffi-linux-x64-musl": "0.23.0"
|
|
84
84
|
}
|
|
85
85
|
}
|