@cipherstash/stack 0.1.0 → 0.2.0

Files changed (40) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/README.md +10 -12
  3. package/dist/bin/stash.js +27 -12
  4. package/dist/bin/stash.js.map +1 -1
  5. package/dist/{chunk-SJ7JO4ME.js → chunk-5G4F4JJG.js} +1 -1
  6. package/dist/{chunk-SJ7JO4ME.js.map → chunk-5G4F4JJG.js.map} +1 -1
  7. package/dist/{chunk-2GZMIJFO.js → chunk-LHZ6KZIG.js} +29 -14
  8. package/dist/chunk-LHZ6KZIG.js.map +1 -0
  9. package/dist/{client-DtGq9dJp.d.ts → client-BV9pXC-d.d.ts} +30 -15
  10. package/dist/{client-BxJG56Ey.d.cts → client-D-ZH8SB2.d.cts} +30 -15
  11. package/dist/client.d.cts +2 -2
  12. package/dist/client.d.ts +2 -2
  13. package/dist/drizzle/index.cjs.map +1 -1
  14. package/dist/drizzle/index.d.cts +2 -2
  15. package/dist/drizzle/index.d.ts +2 -2
  16. package/dist/drizzle/index.js +1 -1
  17. package/dist/dynamodb/index.d.cts +2 -2
  18. package/dist/dynamodb/index.d.ts +2 -2
  19. package/dist/index.cjs +27 -12
  20. package/dist/index.cjs.map +1 -1
  21. package/dist/index.d.cts +3 -3
  22. package/dist/index.d.ts +3 -3
  23. package/dist/index.js +2 -2
  24. package/dist/schema/index.d.cts +1 -1
  25. package/dist/schema/index.d.ts +1 -1
  26. package/dist/secrets/index.cjs +27 -12
  27. package/dist/secrets/index.cjs.map +1 -1
  28. package/dist/secrets/index.d.cts +1 -1
  29. package/dist/secrets/index.d.ts +1 -1
  30. package/dist/secrets/index.js +2 -2
  31. package/dist/supabase/index.d.cts +2 -2
  32. package/dist/supabase/index.d.ts +2 -2
  33. package/dist/{types-public-BCj1L4fi.d.ts → types-public-Dfg-hkuQ.d.cts} +35 -11
  34. package/dist/{types-public-BCj1L4fi.d.cts → types-public-Dfg-hkuQ.d.ts} +35 -11
  35. package/dist/types-public.cjs.map +1 -1
  36. package/dist/types-public.d.cts +1 -1
  37. package/dist/types-public.d.ts +1 -1
  38. package/dist/types-public.js +1 -1
  39. package/package.json +1 -1
  40. package/dist/chunk-2GZMIJFO.js.map +0 -1
@@ -1,7 +1,7 @@
1
1
  import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
2
2
  import { PgTable } from 'drizzle-orm/pg-core';
3
- import { e as encryptedTable, C as CastAs, M as MatchIndexOpts, T as TokenFilter } from '../types-public-BCj1L4fi.cjs';
4
- import { E as EncryptionClient } from '../client-BxJG56Ey.cjs';
3
+ import { e as encryptedTable, C as CastAs, M as MatchIndexOpts, T as TokenFilter } from '../types-public-Dfg-hkuQ.cjs';
4
+ import { E as EncryptionClient } from '../client-D-ZH8SB2.cjs';
5
5
  import { SQLWrapper, SQL, exists, notExists, isNull, isNotNull, not, arrayContains, arrayContained, arrayOverlaps } from 'drizzle-orm';
6
6
  import 'zod';
7
7
  import 'evlog';
@@ -1,7 +1,7 @@
1
1
  import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
2
2
  import { PgTable } from 'drizzle-orm/pg-core';
3
- import { e as encryptedTable, C as CastAs, M as MatchIndexOpts, T as TokenFilter } from '../types-public-BCj1L4fi.js';
4
- import { E as EncryptionClient } from '../client-DtGq9dJp.js';
3
+ import { e as encryptedTable, C as CastAs, M as MatchIndexOpts, T as TokenFilter } from '../types-public-Dfg-hkuQ.js';
4
+ import { E as EncryptionClient } from '../client-BV9pXC-d.js';
5
5
  import { SQLWrapper, SQL, exists, notExists, isNull, isNotNull, not, arrayContains, arrayContained, arrayOverlaps } from 'drizzle-orm';
6
6
  import 'zod';
7
7
  import 'evlog';
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  queryTypes
3
- } from "../chunk-SJ7JO4ME.js";
3
+ } from "../chunk-5G4F4JJG.js";
4
4
  import {
5
5
  encryptedColumn,
6
6
  encryptedTable
@@ -1,5 +1,5 @@
1
- import { E as EncryptionClient } from '../client-BxJG56Ey.cjs';
2
- import { D as Decrypted, i as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-BCj1L4fi.cjs';
1
+ import { E as EncryptionClient } from '../client-D-ZH8SB2.cjs';
2
+ import { D as Decrypted, j as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-Dfg-hkuQ.cjs';
3
3
  import { ProtectErrorCode } from '@cipherstash/protect-ffi';
4
4
  import { Result } from '@byteslice/result';
5
5
  import '../index-9-Ya3fDK.cjs';
@@ -1,5 +1,5 @@
1
- import { E as EncryptionClient } from '../client-DtGq9dJp.js';
2
- import { D as Decrypted, i as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-BCj1L4fi.js';
1
+ import { E as EncryptionClient } from '../client-BV9pXC-d.js';
2
+ import { D as Decrypted, j as EncryptedValue, d as ProtectTable, f as ProtectTableColumn } from '../types-public-Dfg-hkuQ.js';
3
3
  import { ProtectErrorCode } from '@cipherstash/protect-ffi';
4
4
  import { Result } from '@byteslice/result';
5
5
  import '../index-9-Ya3fDK.js';
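--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -2501,10 +2501,10 @@ var EncryptionClient = class {
  this.client = await (0, import_protect_ffi9.newClient)({
  encryptConfig: validated,
  clientOpts: {
- workspaceCrn: config.workspaceCrn,
- accessKey: config.accessKey,
- clientId: config.clientId,
- clientKey: config.clientKey,
+ workspaceCrn: config.workspaceCrn ?? process.env.CS_WORKSPACE_CRN,
+ accessKey: config.accessKey ?? process.env.CS_CLIENT_ACCESS_KEY,
+ clientId: config.clientId ?? process.env.CS_CLIENT_ID,
+ clientKey: config.clientKey ?? process.env.CS_CLIENT_KEY,
  keyset: toFfiKeysetIdentifier(config.keyset)
  }
  });
@@ -2654,10 +2654,16 @@ var EncryptionClient = class {
  * All other fields are passed through unchanged. Returns a thenable operation
  * that supports `.withLockContext()` for identity-aware encryption.
  *
+ * The return type is **schema-aware**: fields matching the table schema are
+ * typed as `Encrypted`, while other fields retain their original types. For
+ * best results, let TypeScript infer the type parameters from the arguments
+ * rather than providing an explicit type argument.
+ *
  * @param input - The model object with plaintext values to encrypt.
  * @param table - The table schema defining which fields to encrypt.
- * @returns An `EncryptModelOperation<T>` that can be awaited to get a `Result`
- * containing the model with encrypted fields, or an `EncryptionError`.
+ * @returns An `EncryptModelOperation` that can be awaited to get a `Result`
+ * containing the model with schema-defined fields typed as `Encrypted`,
+ * or an `EncryptionError`.
  *
  * @example
  * ```typescript
@@ -2672,7 +2678,9 @@ var EncryptionClient = class {
  *
  * const client = await Encryption({ schemas: [usersSchema] })
  *
- * const result = await client.encryptModel<User>(
+ * // Let TypeScript infer the return type from the schema.
+ * // result.data.email is typed as `Encrypted`, result.data.id stays `string`.
+ * const result = await client.encryptModel(
  * { id: "user_123", email: "alice@example.com", createdAt: new Date() },
  * usersSchema,
  * )
@@ -2680,8 +2688,8 @@ var EncryptionClient = class {
  * if (result.failure) {
  * console.error(result.failure.message)
  * } else {
- * // result.data.id is unchanged, result.data.email is encrypted
- * console.log(result.data)
+ * console.log(result.data.id) // string
+ * console.log(result.data.email) // Encrypted
  * }
  * ```
  */
@@ -2726,10 +2734,15 @@ var EncryptionClient = class {
  * while still using a unique key for each encrypted value. Only fields
  * matching the table schema are encrypted; other fields pass through unchanged.
  *
+ * The return type is **schema-aware**: fields matching the table schema are
+ * typed as `Encrypted`, while other fields retain their original types. For
+ * best results, let TypeScript infer the type parameters from the arguments.
+ *
  * @param input - An array of model objects with plaintext values to encrypt.
  * @param table - The table schema defining which fields to encrypt.
- * @returns A `BulkEncryptModelsOperation<T>` that can be awaited to get a `Result`
- * containing an array of models with encrypted fields, or an `EncryptionError`.
+ * @returns A `BulkEncryptModelsOperation` that can be awaited to get a `Result`
+ * containing an array of models with schema-defined fields typed as `Encrypted`,
+ * or an `EncryptionError`.
  *
  * @example
  * ```typescript
@@ -2744,7 +2757,9 @@ var EncryptionClient = class {
  *
  * const client = await Encryption({ schemas: [usersSchema] })
  *
- * const result = await client.bulkEncryptModels<User>(
+ * // Let TypeScript infer the return type from the schema.
+ * // Each item's email is typed as `Encrypted`, id stays `string`.
+ * const result = await client.bulkEncryptModels(
  * [
  * { id: "1", email: "alice@example.com" },
  * { id: "2", email: "bob@example.com" },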
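Review bot: The per-field `??` fallback in the `clientOpts` hunk (new lines 2504–2507) means a caller who sets only some credential fields gets the rest from ambient `CS_*` environment variables, so one client can be built from two different credential sources without any signal. Nothing in the visible lines checks that all four values resolved or that they are non-empty; `??` passes an empty string through unchanged, so an empty `accessKey` in config suppresses the environment fallback, and whether `newClient` rejects that is not visible here. I would state the precedence in a comment above `clientOpts`, e.g. `// Explicit config wins per field; unset fields fall back to CS_* env vars (sources may mix).`, and fail early with an error that names the missing field but never its value. The enclosing method starts and ends outside the hunk.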