@cipherstash/stack 0.1.0 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @cipherstash/stack
 
+## 0.2.0
+
+### Minor Changes
+
+- 68c8199: Improved typing for model interfaces and full bun support.
+
 ## 0.1.0
 
 ### Minor Changes

package/README.md

@@ -139,29 +139,27 @@ const decrypted = await client.decrypt(encrypted.data)
 
 Encrypt or decrypt an entire object. Only fields matching your schema are encrypted; other fields pass through unchanged.
 
+The return type is **schema-aware**: fields matching the table schema are typed as `Encrypted`, while other fields retain their original types. For best results, let TypeScript infer the type parameters from the arguments:
+
 ```typescript
+type User = { id: string; email: string; createdAt: Date }
+
 const user = {
   id: "user_123",
   email: "alice@example.com",  // defined in schema -> encrypted
   createdAt: new Date(),       // not in schema -> unchanged
 }
 
-// Encrypt a model
+// Let TypeScript infer the return type from the schema
 const encryptedResult = await client.encryptModel(user, users)
+// encryptedResult.data.email    -> Encrypted
+// encryptedResult.data.id       -> string
+// encryptedResult.data.createdAt -> Date
 
 // Decrypt a model
 const decryptedResult = await client.decryptModel(encryptedResult.data)
 ```
 
-Type-safe generics are supported:
-
-```typescript
-type User = { id: string; email: string; createdAt: Date }
-
-const result = await client.encryptModel<User>(user, users)
-const back = await client.decryptModel<User>(result.data)
-```
-
 ### Bulk Operations
 
 All bulk methods make a single call to ZeroKMS regardless of the number of records, while still using a unique key per value.
@@ -592,11 +590,11 @@ function Encryption(config: EncryptionClientConfig): Promise<EncryptionClient>
 | `decrypt` | `(encryptedData)` | `DecryptOperation` (thenable) |
 | `encryptQuery` | `(plaintext, { column, table, queryType?, returnType? })` | `EncryptQueryOperation` (thenable) |
 | `encryptQuery` | `(terms: ScalarQueryTerm[])` | `BatchEncryptQueryOperation` (thenable) |
-| `encryptModel` | `(model, table)` | `EncryptModelOperation<T>` (thenable) |
+| `encryptModel` | `(model, table)` | `EncryptModelOperation<EncryptedFromSchema<T, S>>` (thenable) |
 | `decryptModel` | `(encryptedModel)` | `DecryptModelOperation<T>` (thenable) |
 | `bulkEncrypt` | `(plaintexts, { column, table })` | `BulkEncryptOperation` (thenable) |
 | `bulkDecrypt` | `(encryptedPayloads)` | `BulkDecryptOperation` (thenable) |
-| `bulkEncryptModels` | `(models, table)` | `BulkEncryptModelsOperation<T>` (thenable) |
+| `bulkEncryptModels` | `(models, table)` | `BulkEncryptModelsOperation<EncryptedFromSchema<T, S>>` (thenable) |
 | `bulkDecryptModels` | `(encryptedModels)` | `BulkDecryptModelsOperation<T>` (thenable) |
 
 All operations are thenable (awaitable) and support `.withLockContext(lockContext)` for identity-aware encryption.

package/dist/bin/stash.js

@@ -3937,10 +3937,10 @@ var EncryptionClient = class {
         this.client = await newClient({
           encryptConfig: validated,
           clientOpts: {
-            workspaceCrn: config3.workspaceCrn,
-            accessKey: config3.accessKey,
-            clientId: config3.clientId,
-            clientKey: config3.clientKey,
+            workspaceCrn: config3.workspaceCrn ?? process.env.CS_WORKSPACE_CRN,
+            accessKey: config3.accessKey ?? process.env.CS_CLIENT_ACCESS_KEY,
+            clientId: config3.clientId ?? process.env.CS_CLIENT_ID,
+            clientKey: config3.clientKey ?? process.env.CS_CLIENT_KEY,
             keyset: toFfiKeysetIdentifier(config3.keyset)
           }
         });
@@ -4090,10 +4090,16 @@ var EncryptionClient = class {
    * All other fields are passed through unchanged. Returns a thenable operation
    * that supports `.withLockContext()` for identity-aware encryption.
    *
+   * The return type is **schema-aware**: fields matching the table schema are
+   * typed as `Encrypted`, while other fields retain their original types. For
+   * best results, let TypeScript infer the type parameters from the arguments
+   * rather than providing an explicit type argument.
+   *
    * @param input - The model object with plaintext values to encrypt.
    * @param table - The table schema defining which fields to encrypt.
-   * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
-   *   containing the model with encrypted fields, or an `EncryptionError`.
+   * @returns An `EncryptModelOperation` that can be awaited to get a `Result`
+   *   containing the model with schema-defined fields typed as `Encrypted`,
+   *   or an `EncryptionError`.
    *
    * @example
    * ```typescript
@@ -4108,7 +4114,9 @@ var EncryptionClient = class {
    *
    * const client = await Encryption({ schemas: [usersSchema] })
    *
-   * const result = await client.encryptModel<User>(
+   * // Let TypeScript infer the return type from the schema.
+   * // result.data.email is typed as `Encrypted`, result.data.id stays `string`.
+   * const result = await client.encryptModel(
    *   { id: "user_123", email: "alice@example.com", createdAt: new Date() },
    *   usersSchema,
    * )
@@ -4116,8 +4124,8 @@ var EncryptionClient = class {
    * if (result.failure) {
    *   console.error(result.failure.message)
    * } else {
-   *   // result.data.id is unchanged, result.data.email is encrypted
-   *   console.log(result.data)
+   *   console.log(result.data.id)    // string
+   *   console.log(result.data.email) // Encrypted
    * }
    * ```
    */
@@ -4162,10 +4170,15 @@ var EncryptionClient = class {
    * while still using a unique key for each encrypted value. Only fields
    * matching the table schema are encrypted; other fields pass through unchanged.
    *
+   * The return type is **schema-aware**: fields matching the table schema are
+   * typed as `Encrypted`, while other fields retain their original types. For
+   * best results, let TypeScript infer the type parameters from the arguments.
+   *
    * @param input - An array of model objects with plaintext values to encrypt.
    * @param table - The table schema defining which fields to encrypt.
-   * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
-   *   containing an array of models with encrypted fields, or an `EncryptionError`.
+   * @returns A `BulkEncryptModelsOperation` that can be awaited to get a `Result`
+   *   containing an array of models with schema-defined fields typed as `Encrypted`,
+   *   or an `EncryptionError`.
    *
    * @example
    * ```typescript
@@ -4180,7 +4193,9 @@ var EncryptionClient = class {
    *
    * const client = await Encryption({ schemas: [usersSchema] })
    *
-   * const result = await client.bulkEncryptModels<User>(
+   * // Let TypeScript infer the return type from the schema.
+   * // Each item's email is typed as `Encrypted`, id stays `string`.
+   * const result = await client.bulkEncryptModels(
    *   [
    *     { id: "1", email: "alice@example.com" },
    *     { id: "2", email: "bob@example.com" },